1/*
2* X.509 Certificate Authority
3* (C) 1999-2008 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#ifndef BOTAN_X509_CA_H_
9#define BOTAN_X509_CA_H_
10
11#include <botan/x509cert.h>
12#include <botan/x509_crl.h>
13#include <chrono>
14#include <map>
15
16#if defined(BOTAN_HAS_SYSTEM_RNG)
17 #include <botan/system_rng.h>
18#endif
19
20namespace Botan {
21
22class BigInt;
23class Private_Key;
24class PKCS10_Request;
25class PK_Signer;
26
27/**
28* This class represents an X.509 Certificate Authority (CA). It wraps the
* CA certificate and a signer for the CA private key, and uses them to sign
* PKCS#10 requests into certificates and to issue CRLs.
29*/
31 {
32 public:
33 /**
34 * Sign a PKCS#10 Request and issue a certificate under this CA.
 *
 * This overload takes no serial number; the serial is presumably drawn
 * from rng inside the implementation (x509_ca.cpp, not shown here) --
 * confirm before relying on it. The rng parameter line of the declaration
 * below is not shown in this rendering (it jumps from 41 to 43).
 *
 * NOTE(review): nothing in this interface vets the request. Subject and
 * requested extensions come straight from the (untrusted) requester, so
 * the CA's issuance policy must be applied to req before calling this;
 * signing an unvetted request is the classic mis-issuance bug. Whether
 * not_before <= not_after is validated is also not visible here.
35 * @param req the request to sign
36 * @param rng the rng to use
37 * @param not_before the starting time for the certificate
38 * @param not_after the expiration time for the certificate
39 * @return resulting certificate
40 */
41 X509_Certificate sign_request(const PKCS10_Request& req,
43 const X509_Time& not_before,
44 const X509_Time& not_after) const;
45
46 /**
47 * Sign a PKCS#10 Request and issue a certificate with a caller-chosen
 * serial number.
 *
 * NOTE(review): the caller owns serial-number uniqueness. RFC 5280 requires
 * a positive integer of at most 20 octets that is unique per issuer, and
 * revocation (CRL entries, OCSP) is keyed on issuer + serial, so reusing a
 * serial lets one certificate shadow another. Public-trust policy also
 * expects at least 64 bits of CSPRNG output in the serial. Nothing visible
 * in this header enforces any of that.
 *
 * The rng parameter line of the declaration below is not shown in this
 * rendering (it jumps from 55 to 57). As with the other overload, the
 * request is not vetted here; apply issuance policy to req first.
48 * @param req the request to sign
49 * @param rng the rng to use
50 * @param serial_number the serial number the cert will be assigned.
51 * @param not_before the starting time for the certificate
52 * @param not_after the expiration time for the certificate
53 * @return resulting certificate
54 */
55 X509_Certificate sign_request(const PKCS10_Request& req,
57 const BigInt& serial_number,
58 const X509_Time& not_before,
59 const X509_Time& not_after) const;
60
61 /**
62 * Get the certificate of this CA.
 *
 * Returned by value, so the caller gets its own copy. This is the public
 * half only; nothing in this class exposes the CA private key.
63 * @return CA certificate
64 */
65 X509_Certificate ca_certificate() const;
66
67 /**
68 * Create a new and empty CRL for this CA.
 *
 * "Empty" means no revoked entries: relying parties that fetch it will
 * treat every certificate from this CA as unrevoked until the next CRL.
 * The opening line of the declaration below (return type, name and the
 * rng parameter) is not shown in this rendering.
 *
 * NOTE(review): next_update is a promise to relying parties. Many
 * verifiers reject a CRL once issue_time + next_update has passed (Botan's
 * own handling is not visible here), so keep the interval longer than the
 * reissue cadence, but short enough that a missed revocation is noticed.
69 * @param rng the random number generator to use
70 * @param issue_time the issue time (typically system_clock::now)
71 * @param next_update the time interval after issue_time within which
72 * a new CRL will be produced.
73 * @return new CRL
74 */
76 std::chrono::system_clock::time_point issue_time,
77 std::chrono::seconds next_update) const;
78
79 /**
80 * Create a new CRL by adding entries to the CA's last CRL.
 *
 * new_entries are added to the entries already listed in last_crl (per the
 * parameter descriptions; the merge itself lives in x509_ca.cpp, not shown
 * here). The rng parameter line of the declaration is not shown in this
 * rendering (it jumps from 89 to 91).
 *
 * NOTE(review): always pass the CA's most recent CRL as last_crl --
 * building from an older one drops the entries added since, and those
 * certificates silently become valid again. Whether expired entries are
 * pruned, and how the CRL number is advanced relative to last_crl, is not
 * visible here; confirm in x509_ca.cpp.
81 * @param last_crl the last CRL of this CA to add the new entries to
82 * @param new_entries contains the new CRL entries to be added to the CRL
83 * @param rng the random number generator to use
84 * @param issue_time the issue time (typically system_clock::now)
85 * @param next_update the time interval after issue_time within which
86 * a new CRL will be produced.
 * @return the new CRL carrying the old and new entries
87 */
88 X509_CRL update_crl(const X509_CRL& last_crl,
89 const std::vector<CRL_Entry>& new_entries,
91 std::chrono::system_clock::time_point issue_time,
92 std::chrono::seconds next_update) const;
93
94 /**
95 * Create a new and empty CRL for this CA, issued at the current time.
 *
 * Convenience overload: next_update is an offset in seconds from "now"
 * rather than a chrono duration, and defaults to 604800 s (7 days).
 * "Empty" means no revoked entries, so relying parties will treat every
 * certificate of this CA as unrevoked until the next CRL.
 *
 * NOTE(review): the default is a one-week promise to relying parties.
 * If the reissue cadence is longer, pass an explicit value or verifiers
 * may reject the stale CRL; if it is shorter, a smaller window limits how
 * long a revocation can go unnoticed.
96 * @param rng the random number generator to use
97 * @param next_update the time to set in next update in seconds
98 * as the offset from the current time
99 * @return new CRL
100 */
101 X509_CRL new_crl(RandomNumberGenerator& rng,
102 uint32_t next_update = 604800) const;
103
104 /**
105 * Create a new CRL by adding entries to the CA's last CRL, issued at the
 * current time.
 *
 * Convenience overload of the chrono version: next_update is an offset in
 * seconds from "now", defaulting to 604800 s (7 days). The rng parameter
 * line of the declaration is not shown in this rendering (it jumps from
 * 113 to 115).
 *
 * NOTE(review): always pass the CA's most recent CRL as last_crl --
 * building from an older one drops the entries added since, and those
 * certificates silently become valid again.
106 * @param last_crl the last CRL of this CA to add the new entries to
107 * @param new_entries contains the new CRL entries to be added to the CRL
108 * @param rng the random number generator to use
109 * @param next_update the time to set in next update in seconds
110 * as the offset from the current time
 * @return the new CRL carrying the old and new entries
111 */
112 X509_CRL update_crl(const X509_CRL& last_crl,
113 const std::vector<CRL_Entry>& new_entries,
115 uint32_t next_update = 604800) const;
116
117 /**
118 * Low-level interface for creating new certificates. sign_request is the
 * usual entry point and presumably builds on this -- confirm in x509_ca.cpp.
 *
 * No serial number is taken here, so the serial is presumably generated
 * from rng (the rng parameter line is not shown in this rendering; the
 * declaration jumps from 130 to 132). signer is a raw pointer; since the
 * CA keeps its own signer in a std::unique_ptr, this looks non-owning, but
 * ownership is not stated in this header -- do not assume the call takes it.
 *
 * NOTE(review): this builds what it is told. issuer_dn must equal the
 * signing CA certificate's subject or path building will not link the
 * result to the CA, and the caller supplies the extensions, so
 * basicConstraints, keyUsage and SAN content are the caller's
 * responsibility; whether any extension is added or altered here is not
 * visible.
119 * @param signer a signing object
120 * @param rng a random number generator
121 * @param sig_algo the signature algorithm identifier
122 * @param pub_key the serialized public key (encoding not specified here)
123 * @param not_before the start time of the certificate
124 * @param not_after the end time of the certificate
125 * @param issuer_dn the DN of the issuer
126 * @param subject_dn the DN of the subject
127 * @param extensions the certificate extensions to include (may be empty)
128 * @returns newly minted certificate
129 */
130 static X509_Certificate make_cert(PK_Signer* signer,
132 const AlgorithmIdentifier& sig_algo,
133 const std::vector<uint8_t>& pub_key,
134 const X509_Time& not_before,
135 const X509_Time& not_after,
136 const X509_DN& issuer_dn,
137 const X509_DN& subject_dn,
138 const Extensions& extensions);
139
140 /**
141 * Low-level interface for creating new certificates with a caller-chosen
 * serial number. sign_request is the usual entry point and presumably
 * builds on this -- confirm in x509_ca.cpp.
 *
 * The rng parameter line is not shown in this rendering (the declaration
 * jumps from 154 to 156). signer is a raw pointer; since the CA keeps its
 * own signer in a std::unique_ptr, this looks non-owning, but ownership is
 * not stated in this header -- do not assume the call takes it.
 *
 * NOTE(review): the caller owns serial-number uniqueness. RFC 5280
 * requires a positive integer of at most 20 octets, unique per issuer;
 * revocation is keyed on issuer + serial, so reuse lets one certificate
 * shadow another, and public-trust policy expects at least 64 bits of
 * CSPRNG output in it. issuer_dn must equal the signing CA certificate's
 * subject, and the caller supplies the extensions, so basicConstraints,
 * keyUsage and SAN content are the caller's responsibility.
142 * @param signer a signing object
143 * @param rng a random number generator
144 * @param serial_number the serial number the cert will be assigned
145 * @param sig_algo the signature algorithm identifier
146 * @param pub_key the serialized public key (encoding not specified here)
147 * @param not_before the start time of the certificate
148 * @param not_after the end time of the certificate
149 * @param issuer_dn the DN of the issuer
150 * @param subject_dn the DN of the subject
151 * @param extensions the certificate extensions to include (may be empty)
152 * @returns newly minted certificate
153 */
154 static X509_Certificate make_cert(PK_Signer* signer,
156 const BigInt& serial_number,
157 const AlgorithmIdentifier& sig_algo,
158 const std::vector<uint8_t>& pub_key,
159 const X509_Time& not_before,
160 const X509_Time& not_after,
161 const X509_DN& issuer_dn,
162 const X509_DN& subject_dn,
163 const Extensions& extensions);
164
165 /**
166 * Create a new CA object from a CA certificate and its private key.
 *
 * key must be the private half of ca_certificate's public key. Whether
 * that correspondence, or the certificate's CA basic constraint, is checked
 * by the constructor is not visible in this header -- confirm in
 * x509_ca.cpp. key is taken by const reference and a signer (m_signer) is
 * built for it; whether that signer copies the key material or keeps a
 * reference is not visible here, so keep key alive for the CA's lifetime
 * unless you have confirmed otherwise. The rng parameter line of this
 * constructor is not shown in this rendering.
 *
 * NOTE(review): hash_fn selects the digest of every signature this CA
 * produces. Use a collision-resistant hash (SHA-256 or stronger); MD5 and
 * SHA-1 chosen-prefix collisions have been used to forge CA certificates,
 * and whether the library refuses them here is not visible.
167 * @param ca_certificate the certificate of the CA
168 * @param key the private key of the CA
169 * @param hash_fn name of a hash function to use for signing
170 * @param rng the random generator to use
171 */
172 X509_CA(const X509_Certificate& ca_certificate,
173 const Private_Key& key,
174 const std::string& hash_fn,
176
177 /**
178 * Create a new CA object from a CA certificate and its private key, with
 * signature-scheme options.
 *
 * Same contract as the overload without opts: key must be the private
 * half of ca_certificate's public key, hash_fn should be SHA-256 or
 * stronger, and whether the key/certificate match is checked here is not
 * visible -- confirm in x509_ca.cpp. The rng parameter line of this
 * constructor is not shown in this rendering.
 *
 * opts is forwarded to the signature-format selection; per the
 * choose_sig_format documentation in this file, the only recognised key
 * is "padding" (e.g. to select PSS for an RSA key). What happens to
 * unrecognised keys -- ignored or rejected -- is not visible here.
179 * @param ca_certificate the certificate of the CA
180 * @param key the private key of the CA
181 * @param opts additional options, e.g. padding, as key value pairs
182 * @param hash_fn name of a hash function to use for signing
183 * @param rng the random generator to use
184 */
185 X509_CA(const X509_Certificate& ca_certificate,
186 const Private_Key& key,
187 const std::map<std::string,std::string>& opts,
188 const std::string& hash_fn,
190
191#if defined(BOTAN_HAS_SYSTEM_RNG)
 /**
 * Deprecated convenience constructor: same as the hash_fn overload, but
 * draws randomness from the process-wide system_rng(). Only compiled when
 * BOTAN_HAS_SYSTEM_RNG is defined. Prefer the overloads that take an
 * explicit RandomNumberGenerator so the entropy source used for issuance
 * is visible and controllable at the call site.
 */
192 BOTAN_DEPRECATED("Use version taking RNG object")
193 X509_CA(const X509_Certificate& ca_certificate,
194 const Private_Key& key,
195 const std::string& hash_fn) :
196 X509_CA(ca_certificate, key, hash_fn, system_rng())
197 {}
198#endif
199
 // Copying is disabled, consistent with the move-only
 // std::unique_ptr<PK_Signer> member that owns the CA's signer.
200 X509_CA(const X509_CA&) = delete;
201 X509_CA& operator=(const X509_CA&) = delete;
202
 // Moves are defaulted: a moved-from X509_CA is left with a null m_signer
 // and must not be used to sign anything afterwards.
203 X509_CA(X509_CA&&) = default;
204 X509_CA& operator=(X509_CA&&) = default;
205
 // Defined out of line: PK_Signer is only forward-declared in this header,
 // and destroying the unique_ptr needs its complete type.
206 ~X509_CA();
207
208 private:
 /**
 * Shared implementation behind new_crl / update_crl (the public overloads
 * presumably delegate here -- not visible in this header). The rng
 * parameter line is not shown in this rendering (it jumps from 210 to 212).
 * @param entries the full set of revoked entries the CRL will list
 * @param crl_number presumably the value for the CRL Number extension;
 * relying parties use it to order CRLs, so it should increase
 * monotonically per issuer -- whether that is enforced is not visible here
 * @param issue_time the thisUpdate time of the CRL
 * @param next_update interval after issue_time before the next CRL is due
 */
209 X509_CRL make_crl(const std::vector<CRL_Entry>& entries,
210 uint32_t crl_number,
212 std::chrono::system_clock::time_point issue_time,
213 std::chrono::seconds next_update) const;
214
 // Signature AlgorithmIdentifier written into issued certificates/CRLs;
 // presumably filled in by choose_sig_format at construction.
215 AlgorithmIdentifier m_ca_sig_algo;
 // The CA certificate; what ca_certificate() returns a copy of.
216 X509_Certificate m_ca_cert;
 // Name of the hash function passed to the constructor.
217 std::string m_hash_fn;
 // Owning handle on the signer for the CA private key. Move-only, which
 // is why copying the CA is deleted above.
218 std::unique_ptr<PK_Signer> m_signer;
219 };
220
221/**
222* Choose the default signature format for a certain public key signature
223* scheme.
*
* The opening lines of this declaration (return type, name, and the key and
* rng parameters) are not shown in this rendering; the documented return is
* a PK_Signer. Ownership of that object is not stated here -- the CA stores
* its signer in a std::unique_ptr<PK_Signer>, which suggests the caller
* takes ownership, so wrap the result immediately; confirm in x509_ca.cpp.
*
* NOTE(review): hash_fn becomes the digest of every signature the returned
* signer produces; pick SHA-256 or stronger. Whether weak digests are
* rejected here is not visible.
224* @param key will be the key to choose a padding scheme for
225* @param rng the random generator to use
226* @param hash_fn is the desired hash function
227* @param alg_id will be set to the chosen scheme
228* @return A PK_Signer object for generating signatures
229*/
232 const std::string& hash_fn,
233 AlgorithmIdentifier& alg_id);
234
235/**
236* @verbatim
237* Choose the default signature format for a certain public key signature
238* scheme.
239*
240* The only option recognized by opts at this moment is "padding"
241* Find an entry from src/build-data/oids.txt under [signature] of the form
242* <sig_algo>/<padding>[(<hash_algo>)] and add {"padding",<padding>}
243* to opts.
244* @endverbatim
245*
* The opening lines of this declaration (return type, name, the key
* parameter, and the rng parameter between opts and hash_fn) are not shown
* in this rendering. As with the overload without opts, the return is a
* PK_Signer whose ownership is not stated here; the CA stores its signer in
* a std::unique_ptr<PK_Signer>, which suggests the caller owns it -- wrap
* it immediately and confirm in x509_ca.cpp.
*
* NOTE(review): what happens to keys in opts other than "padding" (ignored
* or rejected) is not visible here, so a misspelled option may silently
* fall back to the default scheme. Use a "padding" value whose entry in
* oids.txt matches your key type and hash, and keep hash_fn at SHA-256 or
* stronger.
246* @param key will be the key to choose a padding scheme for
247* @param opts contains additional options for building the certificate
248* @param rng the random generator to use
249* @param hash_fn is the desired hash function
250* @param alg_id will be set to the chosen scheme
251* @return A PK_Signer object for generating signatures
252*/
254 const std::map<std::string,std::string>& opts,
256 const std::string& hash_fn,
257 AlgorithmIdentifier& alg_id);
258
259}
260
261#endif