Botan  2.1.0
Crypto and TLS for C++11
Botan::X509_CA Class Reference

#include <x509_ca.h>

Public Member Functions

X509_Certificate ca_certificate () const
 
X509_CRL new_crl (RandomNumberGenerator &rng, uint32_t next_update=0) const
 
X509_CA & operator= (const X509_CA &)=delete
 
X509_Certificate sign_request (const PKCS10_Request &req, RandomNumberGenerator &rng, const X509_Time &not_before, const X509_Time &not_after) const
 
X509_CRL update_crl (const X509_CRL &last_crl, const std::vector< CRL_Entry > &new_entries, RandomNumberGenerator &rng, uint32_t next_update=0) const
 
 X509_CA (const X509_Certificate &ca_certificate, const Private_Key &key, const std::string &hash_fn, RandomNumberGenerator &rng)
 
 X509_CA (const X509_CA &)=delete
 
 ~X509_CA ()
 

Static Public Member Functions

static X509_Certificate make_cert (PK_Signer *signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &sig_algo, const std::vector< uint8_t > &pub_key, const X509_Time &not_before, const X509_Time &not_after, const X509_DN &issuer_dn, const X509_DN &subject_dn, const Extensions &extensions)
 

Detailed Description

This class represents X.509 Certificate Authorities (CAs).

Definition at line 27 of file x509_ca.h.

Constructor & Destructor Documentation

Botan::X509_CA::X509_CA ( const X509_Certificate & ca_certificate,
const Private_Key & key,
const std::string & hash_fn,
RandomNumberGenerator & rng
)

Create a new CA object. Throws Invalid_Argument if ca_certificate is not a CA certificate (checked via is_CA_cert()).

Parameters
ca_certificate — the certificate of the CA
key — the private key of the CA
hash_fn — the name of the hash function to use for signing
rng — the random number generator to use

Definition at line 27 of file x509_ca.cpp.

References Botan::choose_sig_format(), and Botan::X509_Certificate::is_CA_cert().

30  : m_cert(c)
31  {
32  if(!m_cert.is_CA_cert())
33  throw Invalid_Argument("X509_CA: This certificate is not for a CA");
34 
35  m_signer = choose_sig_format(key, rng, hash_fn, m_ca_sig_algo);
36  }
bool is_CA_cert() const
Definition: x509cert.cpp:252
PK_Signer * choose_sig_format(const Private_Key &key, RandomNumberGenerator &rng, const std::string &hash_fn, AlgorithmIdentifier &sig_algo)
Definition: x509_ca.cpp:228
Botan::X509_CA::X509_CA ( const X509_CA & )
delete
Botan::X509_CA::~X509_CA ( )

Definition at line 41 of file x509_ca.cpp.

42  {
43  delete m_signer;
44  }

Member Function Documentation

X509_Certificate Botan::X509_CA::ca_certificate ( ) const

Get the certificate of this CA (returned by value).

Returns
CA certificate

Definition at line 220 of file x509_ca.cpp.

221  {
222  return m_cert;
223  }
X509_Certificate Botan::X509_CA::make_cert ( PK_Signer * signer,
RandomNumberGenerator & rng,
const AlgorithmIdentifier & sig_algo,
const std::vector< uint8_t > & pub_key,
const X509_Time & not_before,
const X509_Time & not_after,
const X509_DN & issuer_dn,
const X509_DN & subject_dn,
const Extensions & extensions
)
static

Low-level interface for creating new certificates: the serial number is drawn from rng (128 random bits) and the certificate is encoded as X.509 v3.

Parameters
signer — a signing object
rng — a random number generator
sig_algo — the signature algorithm identifier
pub_key — the serialized public key
not_before — the start time of the certificate
not_after — the end time of the certificate
issuer_dn — the DN of the issuer
subject_dn — the DN of the subject
extensions — an optional list of certificate extensions
Returns
newly minted certificate

Definition at line 96 of file x509_ca.cpp.

References Botan::PEM_Code::encode(), Botan::X509_Object::make_signed(), and Botan::SEQUENCE.

Referenced by Botan::X509::create_self_signed_cert(), and sign_request().

105  {
106  const size_t X509_CERT_VERSION = 3;
107  const size_t SERIAL_BITS = 128;
108 
109  BigInt serial_no(rng, SERIAL_BITS);
110 
111  // clang-format off
112  return X509_Certificate(X509_Object::make_signed(
113  signer, rng, sig_algo,
114  DER_Encoder().start_cons(SEQUENCE)
115  .start_explicit(0)
116  .encode(X509_CERT_VERSION-1)
117  .end_explicit()
118 
119  .encode(serial_no)
120 
121  .encode(sig_algo)
122  .encode(issuer_dn)
123 
124  .start_cons(SEQUENCE)
125  .encode(not_before)
126  .encode(not_after)
127  .end_cons()
128 
129  .encode(subject_dn)
130  .raw_bytes(pub_key)
131 
132  .start_explicit(3)
133  .start_cons(SEQUENCE)
134  .encode(extensions)
135  .end_cons()
136  .end_explicit()
137  .end_cons()
138  .get_contents()
139  ));;
140  // clang-format on
141  }
std::string encode(const uint8_t der[], size_t length, const std::string &label, size_t width)
Definition: pem.cpp:43
static std::vector< uint8_t > make_signed(class PK_Signer *signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &tbs)
Definition: x509_obj.cpp:214
X509_CRL Botan::X509_CA::new_crl ( RandomNumberGenerator & rng,
uint32_t next_update = 0
) const

Create a new, empty CRL for this CA (with CRL number 1).

Parameters
rng — the random number generator to use
next_update — the nextUpdate time of the CRL, given in seconds as an offset from the current time
Returns
new CRL

Definition at line 146 of file x509_ca.cpp.

148  {
149  std::vector<CRL_Entry> empty;
150  return make_crl(empty, 1, next_update, rng);
151  }
X509_CA & Botan::X509_CA::operator= ( const X509_CA & )
delete
X509_Certificate Botan::X509_CA::sign_request ( const PKCS10_Request & req,
RandomNumberGenerator & rng,
const X509_Time & not_before,
const X509_Time & not_after
) const

Sign a PKCS#10 Request. The Basic Constraints (CA flag and path limit), Key Usage, Subject Alternative Name and Extended Key Usage extensions of the issued certificate are taken from the request, so the caller must vet the request before signing it; in particular, a request with is_CA() set yields a CA certificate with KEY_CERT_SIGN and CRL_SIGN usage.

Parameters
req — the request to sign
rng — the random number generator to use
not_before — the starting time for the certificate
not_after — the expiration time for the certificate
Returns
resulting certificate

Definition at line 49 of file x509_ca.cpp.

References Botan::PKCS10_Request::constraints(), Botan::CRL_SIGN, Botan::PKCS10_Request::ex_constraints(), Botan::PKCS10_Request::extensions(), Botan::PKCS10_Request::is_CA(), Botan::KEY_CERT_SIGN, make_cert(), Botan::NO_CONSTRAINTS, Botan::PKCS10_Request::path_limit(), Botan::PKCS10_Request::raw_public_key(), Botan::Extensions::replace(), Botan::PKCS10_Request::subject_alt_name(), Botan::PKCS10_Request::subject_dn(), Botan::X509_Certificate::subject_dn(), Botan::X509_Certificate::subject_key_id(), Botan::PKCS10_Request::subject_public_key(), and Botan::verify_cert_constraints_valid_for_key_type().

53  {
54  Key_Constraints constraints;
55  if(req.is_CA())
56  {
57  constraints = Key_Constraints(KEY_CERT_SIGN | CRL_SIGN);
58  }
59  else
60  {
61  std::unique_ptr<Public_Key> key(req.subject_public_key());
62  verify_cert_constraints_valid_for_key_type(*key, req.constraints());
63  constraints = req.constraints();
64  }
65 
66  Extensions extensions = req.extensions();
67 
68  extensions.replace(
69  new Cert_Extension::Basic_Constraints(req.is_CA(), req.path_limit()),
70  true);
71 
72  if(constraints != NO_CONSTRAINTS)
73  {
74  extensions.replace(new Cert_Extension::Key_Usage(constraints), true);
75  }
76 
77  extensions.replace(new Cert_Extension::Authority_Key_ID(m_cert.subject_key_id()));
78  extensions.replace(new Cert_Extension::Subject_Key_ID(req.raw_public_key()));
79 
80  extensions.replace(
81  new Cert_Extension::Subject_Alternative_Name(req.subject_alt_name()));
82 
83  extensions.replace(
84  new Cert_Extension::Extended_Key_Usage(req.ex_constraints()));
85 
86  return make_cert(m_signer, rng, m_ca_sig_algo,
87  req.raw_public_key(),
88  not_before, not_after,
89  m_cert.subject_dn(), req.subject_dn(),
90  extensions);
91  }
static X509_Certificate make_cert(PK_Signer *signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &sig_algo, const std::vector< uint8_t > &pub_key, const X509_Time &not_before, const X509_Time &not_after, const X509_DN &issuer_dn, const X509_DN &subject_dn, const Extensions &extensions)
Definition: x509_ca.cpp:96
void verify_cert_constraints_valid_for_key_type(const Public_Key &pub_key, Key_Constraints constraints)
std::vector< uint8_t > subject_key_id() const
Definition: x509cert.cpp:419
X509_DN subject_dn() const
Definition: x509cert.cpp:449
X509_CRL Botan::X509_CA::update_crl ( const X509_CRL & last_crl,
const std::vector< CRL_Entry > & new_entries,
RandomNumberGenerator & rng,
uint32_t next_update = 0
) const

Create a new CRL containing the revoked entries of last_crl plus new_entries, with the CRL number incremented by one.

Parameters
last_crl — the last CRL of this CA to which the new entries are added
new_entries — the new CRL entries to be added to the CRL
rng — the random number generator to use
next_update — the nextUpdate time of the CRL, given in seconds as an offset from the current time

Definition at line 156 of file x509_ca.cpp.

References Botan::X509_CRL::crl_number(), and Botan::X509_CRL::get_revoked().

160  {
161  std::vector<CRL_Entry> revoked = crl.get_revoked();
162 
163  std::copy(new_revoked.begin(), new_revoked.end(),
164  std::back_inserter(revoked));
165 
166  return make_crl(revoked, crl.crl_number() + 1, next_update, rng);
167  }
