Botan 3.8.1
Crypto and TLS for C&
x509self.cpp
Go to the documentation of this file.
1/*
2* PKCS #10/Self Signed Cert Creation
3* (C) 1999-2008,2018 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/x509self.h>
9
10#include <botan/assert.h>
11#include <botan/der_enc.h>
12#include <botan/hash.h>
13#include <botan/pubkey.h>
14#include <botan/x509_ca.h>
15#include <botan/x509_ext.h>
16#include <botan/x509_key.h>
17#include <botan/internal/fmt.h>
18#include <botan/internal/parsing.h>
19
20namespace Botan {
21
22namespace {
23
24/*
25* Load information from the X509_Cert_Options
26*/
27X509_DN load_dn_info(const X509_Cert_Options& opts) {
28 X509_DN subject_dn;
29
30 subject_dn.add_attribute("X520.CommonName", opts.common_name);
31 subject_dn.add_attribute("X520.Country", opts.country);
32 subject_dn.add_attribute("X520.State", opts.state);
33 subject_dn.add_attribute("X520.Locality", opts.locality);
34 subject_dn.add_attribute("X520.Organization", opts.organization);
35 subject_dn.add_attribute("X520.OrganizationalUnit", opts.org_unit);
36 subject_dn.add_attribute("X520.SerialNumber", opts.serial_number);
37
38 for(const auto& extra_ou : opts.more_org_units) {
39 subject_dn.add_attribute("X520.OrganizationalUnit", extra_ou);
40 }
41
42 return subject_dn;
43}
44
45auto create_alt_name_ext(const X509_Cert_Options& opts, const Extensions& extensions) {
46 AlternativeName subject_alt;
47
48 /*
49 If the extension was already created in opts.extension we need to
50 merge the values provied in opts with the values set in the extension.
51 */
52 if(auto ext = extensions.get_extension_object_as<Cert_Extension::Subject_Alternative_Name>()) {
53 subject_alt = ext->get_alt_name();
54 }
55
56 subject_alt.add_dns(opts.dns);
57 for(const auto& nm : opts.more_dns) {
58 subject_alt.add_dns(nm);
59 }
60 subject_alt.add_uri(opts.uri);
61 subject_alt.add_email(opts.email);
62 if(!opts.ip.empty()) {
63 if(auto ipv4 = string_to_ipv4(opts.ip)) {
64 subject_alt.add_ipv4_address(*ipv4);
65 } else {
66 throw Invalid_Argument(fmt("Invalid IPv4 address '{}'", opts.ip));
67 }
68 }
69
70 if(!opts.xmpp.empty()) {
71 subject_alt.add_other_name(OID::from_string("PKIX.XMPPAddr"), ASN1_String(opts.xmpp, ASN1_Type::Utf8String));
72 }
73
74 return std::make_unique<Cert_Extension::Subject_Alternative_Name>(subject_alt);
75}
76
77} // namespace
78
79namespace X509 {
80
81/*
82* Create a new self-signed X.509 certificate
83*/
85 const Private_Key& key,
86 std::string_view hash_fn,
88 const std::vector<uint8_t> pub_key = X509::BER_encode(key);
89 auto signer = X509_Object::choose_sig_format(key, rng, hash_fn, opts.padding_scheme);
90 const AlgorithmIdentifier sig_algo = signer->algorithm_identifier();
91 BOTAN_ASSERT_NOMSG(sig_algo.oid().has_value());
92
93 const auto subject_dn = load_dn_info(opts);
94
95 Extensions extensions = opts.extensions;
96
97 const auto constraints = opts.is_CA ? Key_Constraints::ca_constraints() : opts.constraints;
98
99 if(!constraints.compatible_with(key)) {
100 throw Invalid_Argument("The requested key constraints are incompatible with the algorithm");
101 }
102
103 extensions.add_new(std::make_unique<Cert_Extension::Basic_Constraints>(opts.is_CA, opts.path_limit), true);
104
105 if(!constraints.empty()) {
106 extensions.add_new(std::make_unique<Cert_Extension::Key_Usage>(constraints), true);
107 }
108
109 auto skid = std::make_unique<Cert_Extension::Subject_Key_ID>(pub_key, signer->hash_function());
110
111 extensions.add_new(std::make_unique<Cert_Extension::Authority_Key_ID>(skid->get_key_id()));
112 extensions.add_new(std::move(skid));
113
114 extensions.replace(create_alt_name_ext(opts, extensions));
115
116 extensions.add_new(std::make_unique<Cert_Extension::Extended_Key_Usage>(opts.ex_constraints));
117
118 return X509_CA::make_cert(*signer, rng, sig_algo, pub_key, opts.start, opts.end, subject_dn, subject_dn, extensions);
119}
120
121/*
122* Create a PKCS #10 certificate request
123*/
125 const Private_Key& key,
126 std::string_view hash_fn,
128 const auto subject_dn = load_dn_info(opts);
129
130 const auto constraints = opts.is_CA ? Key_Constraints::ca_constraints() : opts.constraints;
131
132 if(!constraints.compatible_with(key)) {
133 throw Invalid_Argument("The requested key constraints are incompatible with the algorithm");
134 }
135
136 Extensions extensions = opts.extensions;
137
138 extensions.add_new(std::make_unique<Cert_Extension::Basic_Constraints>(opts.is_CA, opts.path_limit));
139
140 if(!constraints.empty()) {
141 extensions.add_new(std::make_unique<Cert_Extension::Key_Usage>(constraints));
142 }
143
144 extensions.replace(create_alt_name_ext(opts, extensions));
145
146 if(!opts.ex_constraints.empty()) {
147 extensions.add_new(std::make_unique<Cert_Extension::Extended_Key_Usage>(opts.ex_constraints));
148 }
149
150 return PKCS10_Request::create(key, subject_dn, extensions, hash_fn, rng, opts.padding_scheme, opts.challenge);
151}
152
153} // namespace X509
154
155} // namespace Botan
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:61
const OID & oid() const
Definition asn1_obj.h:472
void add_dns(std::string_view dns)
Add a DNS name to this AlternativeName.
Definition alt_name.cpp:30
void replace(std::unique_ptr< Certificate_Extension > extn, bool critical=false)
Definition x509_ext.cpp:172
bool add_new(std::unique_ptr< Certificate_Extension > extn, bool critical=false)
Definition x509_ext.cpp:150
static Key_Constraints ca_constraints()
Definition pkix_enums.h:155
bool has_value() const
Definition asn1_obj.h:272
static OID from_string(std::string_view str)
Definition asn1_oid.cpp:86
static PKCS10_Request create(const Private_Key &key, const X509_DN &subject_dn, const Extensions &extensions, std::string_view hash_fn, RandomNumberGenerator &rng, std::string_view padding_scheme="", std::string_view challenge="")
Definition pkcs10.cpp:53
static X509_Certificate make_cert(PK_Signer &signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &sig_algo, const std::vector< uint8_t > &pub_key, const X509_Time &not_before, const X509_Time &not_after, const X509_DN &issuer_dn, const X509_DN &subject_dn, const Extensions &extensions)
Definition x509_ca.cpp:109
std::vector< OID > ex_constraints
Definition x509self.h:129
Key_Constraints constraints
Definition x509self.h:124
std::string challenge
Definition x509self.h:98
std::string padding_scheme
Definition x509self.h:119
void add_attribute(std::string_view key, std::string_view val)
Definition x509_dn.cpp:93
static std::unique_ptr< PK_Signer > choose_sig_format(const Private_Key &key, RandomNumberGenerator &rng, std::string_view hash_fn, std::string_view padding_algo)
Definition x509_obj.cpp:209
PKCS10_Request create_cert_req(const X509_Cert_Options &opts, const Private_Key &key, std::string_view hash_fn, RandomNumberGenerator &rng)
Definition x509self.cpp:124
std::vector< uint8_t > BER_encode(const Public_Key &key)
Definition x509_key.h:24
X509_Certificate create_self_signed_cert(const X509_Cert_Options &opts, const Private_Key &key, std::string_view hash_fn, RandomNumberGenerator &rng)
Definition x509self.cpp:84
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
std::optional< uint32_t > string_to_ipv4(std::string_view str)
Definition parsing.cpp:156