doxygen/x509self_8cpp_source.html

/*

* PKCS #10/Self Signed Cert Creation

* (C) 1999-2008,2018 Jack Lloyd

*

* Botan is released under the Simplified BSD License (see license.txt)

*/


#include <botan/x509self.h>


#include <botan/assert.h>

#include <botan/pubkey.h>

#include <botan/x509_ca.h>

#include <botan/x509_ext.h>

#include <botan/x509_key.h>

#include <botan/internal/fmt.h>

#include <botan/internal/parsing.h>


namespace Botan {


namespace {


/*

* Load information from the X509_Cert_Options

*/

X509_DN load_dn_info(const X509_Cert_Options& opts) {

   X509_DN subject_dn;


   subject_dn.add_attribute("X520.CommonName", opts.common_name);

   subject_dn.add_attribute("X520.Country", opts.country);

   subject_dn.add_attribute("X520.State", opts.state);

   subject_dn.add_attribute("X520.Locality", opts.locality);

   subject_dn.add_attribute("X520.Organization", opts.organization);

   subject_dn.add_attribute("X520.OrganizationalUnit", opts.org_unit);

   subject_dn.add_attribute("X520.SerialNumber", opts.serial_number);


   for(const auto& extra_ou : opts.more_org_units) {

      subject_dn.add_attribute("X520.OrganizationalUnit", extra_ou);

   }


   return subject_dn;

}


auto create_alt_name_ext(const X509_Cert_Options& opts, const Extensions& extensions) {

   AlternativeName subject_alt;


   /*

   If the extension was already created in opts.extension we need to

   merge the values provided in opts with the values set in the extension.

   */

   if(const auto* ext = extensions.get_extension_object_as<Cert_Extension::Subject_Alternative_Name>()) {

      subject_alt = ext->get_alt_name();

   }


   subject_alt.add_dns(opts.dns);

   for(const auto& nm : opts.more_dns) {

      subject_alt.add_dns(nm);

   }

   subject_alt.add_uri(opts.uri);

   subject_alt.add_email(opts.email);

   if(!opts.ip.empty()) {

      if(auto ipv4 = string_to_ipv4(opts.ip)) {

         subject_alt.add_ipv4_address(*ipv4);

      } else {

         throw Invalid_Argument(fmt("Invalid IPv4 address '{}'", opts.ip));

      }

   }


   if(!opts.xmpp.empty()) {

      subject_alt.add_other_name(OID::from_string("PKIX.XMPPAddr"), ASN1_String(opts.xmpp, ASN1_Type::Utf8String));

   }


   return std::make_unique<Cert_Extension::Subject_Alternative_Name>(subject_alt);

}


}  // namespace


namespace X509 {


/*

* Create a new self-signed X.509 certificate

*/


X509_Certificate create_self_signed_cert(const X509_Cert_Options& opts,

                                         const Private_Key& key,

                                         std::string_view hash_fn,

                                         RandomNumberGenerator& rng) {

   const std::vector<uint8_t> pub_key = X509::BER_encode(key);

   auto signer = X509_Object::choose_sig_format(key, rng, hash_fn, opts.padding_scheme);

   const AlgorithmIdentifier sig_algo = signer->algorithm_identifier();

   BOTAN_ASSERT_NOMSG(sig_algo.oid().has_value());


   const auto subject_dn = load_dn_info(opts);


   Extensions extensions = opts.extensions;


   const auto constraints = opts.is_CA ? Key_Constraints::ca_constraints() : opts.constraints;


   if(!constraints.compatible_with(key)) {

      throw Invalid_Argument("The requested key constraints are incompatible with the algorithm");

   }


   extensions.add_new(std::make_unique<Cert_Extension::Basic_Constraints>(opts.is_CA, opts.path_limit), true);


   if(!constraints.empty()) {

      extensions.add_new(std::make_unique<Cert_Extension::Key_Usage>(constraints), true);

   }


   auto skid = std::make_unique<Cert_Extension::Subject_Key_ID>(pub_key, signer->hash_function());


   extensions.add_new(std::make_unique<Cert_Extension::Authority_Key_ID>(skid->get_key_id()));

   extensions.add_new(std::move(skid));


   extensions.replace(create_alt_name_ext(opts, extensions));


   extensions.add_new(std::make_unique<Cert_Extension::Extended_Key_Usage>(opts.ex_constraints));


   return X509_CA::make_cert(*signer, rng, sig_algo, pub_key, opts.start, opts.end, subject_dn, subject_dn, extensions);

}


/*

* Create a PKCS #10 certificate request

*/


PKCS10_Request create_cert_req(const X509_Cert_Options& opts,

                               const Private_Key& key,

                               std::string_view hash_fn,

                               RandomNumberGenerator& rng) {

   const auto subject_dn = load_dn_info(opts);


   const auto constraints = opts.is_CA ? Key_Constraints::ca_constraints() : opts.constraints;


   if(!constraints.compatible_with(key)) {

      throw Invalid_Argument("The requested key constraints are incompatible with the algorithm");

   }


   Extensions extensions = opts.extensions;


   extensions.add_new(std::make_unique<Cert_Extension::Basic_Constraints>(opts.is_CA, opts.path_limit));


   if(!constraints.empty()) {

      extensions.add_new(std::make_unique<Cert_Extension::Key_Usage>(constraints));

   }


   extensions.replace(create_alt_name_ext(opts, extensions));


   if(!opts.ex_constraints.empty()) {

      extensions.add_new(std::make_unique<Cert_Extension::Extended_Key_Usage>(opts.ex_constraints));

   }


   return PKCS10_Request::create(key, subject_dn, extensions, hash_fn, rng, opts.padding_scheme, opts.challenge);

}


}  // namespace X509


}  // namespace Botan

BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75

Botan::ASN1_String
Definition asn1_obj.h:430

Botan::AlgorithmIdentifier
Definition asn1_obj.h:464

Botan::AlgorithmIdentifier::oid
const OID & oid() const
Definition asn1_obj.h:479

Botan::AlternativeName
Definition pkix_types.h:128

Botan::AlternativeName::add_dns
void add_dns(std::string_view dns)
Add a DNS name to this AlternativeName.
Definition alt_name.cpp:30

Botan::Cert_Extension::Subject_Alternative_Name
Definition x509_ext.h:164

Botan::Extensions
Definition pkix_types.h:475

Botan::Extensions::replace
void replace(std::unique_ptr< Certificate_Extension > extn, bool critical=false)
Definition x509_ext.cpp:178

Botan::Extensions::add_new
bool add_new(std::unique_ptr< Certificate_Extension > extn, bool critical=false)
Definition x509_ext.cpp:156

Botan::Invalid_Argument
Definition exceptn.h:131

Botan::Key_Constraints::ca_constraints
static Key_Constraints ca_constraints()
Definition pkix_enums.h:161

Botan::OID::has_value
bool has_value() const
Definition asn1_obj.h:271

Botan::OID::from_string
static OID from_string(std::string_view str)
Definition asn1_oid.cpp:86

Botan::PKCS10_Request
Definition pkcs10.h:28

Botan::PKCS10_Request::create
static PKCS10_Request create(const Private_Key &key, const X509_DN &subject_dn, const Extensions &extensions, std::string_view hash_fn, RandomNumberGenerator &rng, std::string_view padding_scheme="", std::string_view challenge="")
Definition pkcs10.cpp:53

Botan::Private_Key
Definition pk_keys.h:291

Botan::RandomNumberGenerator
Definition rng.h:30

Botan::X509_CA::make_cert
static X509_Certificate make_cert(PK_Signer &signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &sig_algo, const std::vector< uint8_t > &pub_key, const X509_Time &not_before, const X509_Time &not_after, const X509_DN &issuer_dn, const X509_DN &subject_dn, const Extensions &extensions)
Definition x509_ca.cpp:109

Botan::X509_Cert_Options
Definition x509self.h:23

Botan::X509_Cert_Options::ex_constraints
std::vector< OID > ex_constraints
Definition x509self.h:132

Botan::X509_Cert_Options::constraints
Key_Constraints constraints
Definition x509self.h:127

Botan::X509_Cert_Options::is_CA
bool is_CA
Definition x509self.h:112

Botan::X509_Cert_Options::extensions
Extensions extensions
Definition x509self.h:137

Botan::X509_Cert_Options::end
X509_Time end
Definition x509self.h:107

Botan::X509_Cert_Options::start
X509_Time start
Definition x509self.h:103

Botan::X509_Cert_Options::path_limit
size_t path_limit
Definition x509self.h:117

Botan::X509_Cert_Options::challenge
std::string challenge
Definition x509self.h:98

Botan::X509_Cert_Options::padding_scheme
std::string padding_scheme
Definition x509self.h:122

Botan::X509_Certificate
Definition x509cert.h:36

Botan::X509_DN
Definition pkix_types.h:41

Botan::X509_DN::add_attribute
void add_attribute(std::string_view key, std::string_view val)
Definition x509_dn.cpp:100

Botan::X509_Object::choose_sig_format
static std::unique_ptr< PK_Signer > choose_sig_format(const Private_Key &key, RandomNumberGenerator &rng, std::string_view hash_fn, std::string_view padding_algo)
Definition x509_obj.cpp:208

Botan::X509
Definition x509_key.cpp:16

Botan::X509::create_cert_req
PKCS10_Request create_cert_req(const X509_Cert_Options &opts, const Private_Key &key, std::string_view hash_fn, RandomNumberGenerator &rng)
Definition x509self.cpp:122

Botan::X509::BER_encode
std::vector< uint8_t > BER_encode(const Public_Key &key)
Definition x509_key.h:24

Botan::X509::create_self_signed_cert
X509_Certificate create_self_signed_cert(const X509_Cert_Options &opts, const Private_Key &key, std::string_view hash_fn, RandomNumberGenerator &rng)
Definition x509self.cpp:82

Botan
Definition alg_id.cpp:13

Botan::fmt
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53

Botan::ASN1_Type::Utf8String
@ Utf8String
Definition asn1_obj.h:55

Botan::string_to_ipv4
std::optional< uint32_t > string_to_ipv4(std::string_view str)
Definition parsing.cpp:156