Botan 2.19.1
Crypto and TLS for C&
x509self.cpp
Go to the documentation of this file.
1/*
2* PKCS #10/Self Signed Cert Creation
3* (C) 1999-2008,2018 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/x509self.h>
9#include <botan/x509_key.h>
10#include <botan/x509_ext.h>
11#include <botan/x509_ca.h>
12#include <botan/der_enc.h>
13#include <botan/pubkey.h>
14#include <botan/hash.h>
15
16namespace Botan {
17
18namespace {
19
20/*
21* Load information from the X509_Cert_Options
22*/
23void load_info(const X509_Cert_Options& opts, X509_DN& subject_dn,
24 AlternativeName& subject_alt)
25 {
26 subject_dn.add_attribute("X520.CommonName", opts.common_name);
27 subject_dn.add_attribute("X520.Country", opts.country);
28 subject_dn.add_attribute("X520.State", opts.state);
29 subject_dn.add_attribute("X520.Locality", opts.locality);
30 subject_dn.add_attribute("X520.Organization", opts.organization);
31 subject_dn.add_attribute("X520.OrganizationalUnit", opts.org_unit);
32 for(auto extra_ou : opts.more_org_units) {
33 subject_dn.add_attribute("X520.OrganizationalUnit", extra_ou);
34 }
35
36 subject_dn.add_attribute("X520.SerialNumber", opts.serial_number);
37 subject_alt = AlternativeName(opts.email, opts.uri, opts.dns, opts.ip);
38 subject_alt.add_othername(OID::from_string("PKIX.XMPPAddr"),
39 opts.xmpp, UTF8_STRING);
40
41 for(auto dns : opts.more_dns)
42 subject_alt.add_attribute("DNS", dns);
43 }
44}
45
46namespace X509 {
47
48/*
49* Create a new self-signed X.509 certificate
50*/
52 const Private_Key& key,
53 const std::string& hash_fn,
55 {
56 AlgorithmIdentifier sig_algo;
57 X509_DN subject_dn;
58 AlternativeName subject_alt;
59
60 // for now, only the padding option is used
61 std::map<std::string,std::string> sig_opts = { {"padding",opts.padding_scheme} };
62
63 const std::vector<uint8_t> pub_key = X509::BER_encode(key);
64 std::unique_ptr<PK_Signer> signer(choose_sig_format(key, sig_opts, rng, hash_fn, sig_algo));
66 load_info(opts, subject_dn, subject_alt);
67
68 Extensions extensions = opts.extensions;
69
70 Key_Constraints constraints;
71 if(opts.is_CA)
72 {
73 constraints = Key_Constraints(KEY_CERT_SIGN | CRL_SIGN);
74 }
75 else
76 {
78 constraints = opts.constraints;
79 }
80
81 extensions.add_new(
83 true);
84
85 if(constraints != NO_CONSTRAINTS)
86 {
87 extensions.add_new(new Cert_Extension::Key_Usage(constraints), true);
88 }
89
90 std::unique_ptr<Cert_Extension::Subject_Key_ID> skid(new Cert_Extension::Subject_Key_ID(pub_key, hash_fn));
91
92 extensions.add_new(new Cert_Extension::Authority_Key_ID(skid->get_key_id()));
93 extensions.add_new(skid.release());
94
95 extensions.add_new(
97
98 extensions.add_new(
100
101 return X509_CA::make_cert(signer.get(), rng, sig_algo, pub_key,
102 opts.start, opts.end,
103 subject_dn, subject_dn,
104 extensions);
105 }
106
107/*
108* Create a PKCS #10 certificate request
109*/
111 const Private_Key& key,
112 const std::string& hash_fn,
114 {
115 X509_DN subject_dn;
116 AlternativeName subject_alt;
117 load_info(opts, subject_dn, subject_alt);
118
119 Key_Constraints constraints;
120 if(opts.is_CA)
121 {
122 constraints = Key_Constraints(KEY_CERT_SIGN | CRL_SIGN);
123 }
124 else
125 {
127 constraints = opts.constraints;
128 }
129
130 Extensions extensions = opts.extensions;
131
132 extensions.add_new(new Cert_Extension::Basic_Constraints(opts.is_CA, opts.path_limit));
133
134 if(constraints != NO_CONSTRAINTS)
135 {
136 extensions.add_new(new Cert_Extension::Key_Usage(constraints));
137 }
139 extensions.add_new(new Cert_Extension::Subject_Alternative_Name(subject_alt));
140
141 return PKCS10_Request::create(key,
142 subject_dn,
143 extensions,
144 hash_fn,
145 rng,
146 opts.padding_scheme,
147 opts.challenge);
148 }
149
150}
151
152}
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
const OID & get_oid() const
Definition: asn1_obj.h:445
bool add_new(Certificate_Extension *extn, bool critical=false)
Definition: x509_ext.cpp:139
bool has_value() const
Definition: asn1_obj.h:238
static OID from_string(const std::string &str)
Definition: asn1_oid.cpp:62
static PKCS10_Request create(const Private_Key &key, const X509_DN &subject_dn, const Extensions &extensions, const std::string &hash_fn, RandomNumberGenerator &rng, const std::string &padding_scheme="", const std::string &challenge="")
Definition: pkcs10.cpp:59
static X509_Certificate make_cert(PK_Signer *signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &sig_algo, const std::vector< uint8_t > &pub_key, const X509_Time &not_before, const X509_Time &not_after, const X509_DN &issuer_dn, const X509_DN &subject_dn, const Extensions &extensions)
Definition: x509_ca.cpp:150
std::vector< OID > ex_constraints
Definition: x509self.h:130
Key_Constraints constraints
Definition: x509self.h:125
std::string challenge
Definition: x509self.h:99
std::string padding_scheme
Definition: x509self.h:120
PKCS10_Request create_cert_req(const X509_Cert_Options &opts, const Private_Key &key, const std::string &hash_fn, RandomNumberGenerator &rng)
Definition: x509self.cpp:110
std::vector< uint8_t > BER_encode(const Public_Key &key)
Definition: x509_key.cpp:19
X509_Certificate create_self_signed_cert(const X509_Cert_Options &opts, const Private_Key &key, const std::string &hash_fn, RandomNumberGenerator &rng)
Definition: x509self.cpp:51
Definition: alg_id.cpp:13
PK_Signer * choose_sig_format(const Private_Key &key, RandomNumberGenerator &rng, const std::string &hash_fn, AlgorithmIdentifier &sig_algo)
Definition: x509_ca.cpp:318
@ UTF8_STRING
Definition: asn1_obj.h:45
void verify_cert_constraints_valid_for_key_type(const Public_Key &pub_key, Key_Constraints constraints)
Key_Constraints
Definition: pkix_enums.h:106
@ CRL_SIGN
Definition: pkix_enums.h:114
@ KEY_CERT_SIGN
Definition: pkix_enums.h:113
@ NO_CONSTRAINTS
Definition: pkix_enums.h:107