8#include <botan/x509_ca.h>
9#include <botan/x509_key.h>
10#include <botan/x509self.h>
11#include <botan/x509_ext.h>
12#include <botan/pkix_types.h>
13#include <botan/pubkey.h>
14#include <botan/der_enc.h>
15#include <botan/bigint.h>
16#include <botan/parsing.h>
17#include <botan/oids.h>
18#include <botan/hash.h>
19#include <botan/emsa.h>
20#include <botan/scan_name.h>
31 const std::string& hash_fn,
39 std::map<std::string,std::string> opts;
47 opts.insert({
"padding",pad});
57 const std::map<std::string,std::string>& opts,
58 const std::string& hash_fn,
79 const std::string& hash_fn)
101 extensions.replace(
new Cert_Extension::Key_Usage(constraints),
true);
104 extensions.replace(
new Cert_Extension::Authority_Key_ID(ca_cert.
subject_key_id()));
105 extensions.replace(
new Cert_Extension::Subject_Key_ID(req.
raw_public_key(), hash_fn));
120 const BigInt& serial_number,
124 auto extensions = choose_extensions(req, m_ca_cert, m_hash_fn);
126 return make_cert(m_signer.get(), rng, serial_number,
128 not_before, not_after,
141 auto extensions = choose_extensions(req, m_ca_cert, m_hash_fn);
143 return make_cert(m_signer.get(), rng, m_ca_sig_algo,
145 not_before, not_after,
153 const std::vector<uint8_t>& pub_key,
160 const size_t SERIAL_BITS = 128;
161 BigInt serial_no(rng, SERIAL_BITS);
163 return make_cert(signer, rng, serial_no, sig_algo, pub_key,
164 not_before, not_after, issuer_dn, subject_dn, extensions);
174 const std::vector<uint8_t>& pub_key,
181 const size_t X509_CERT_VERSION = 3;
185 signer, rng, sig_algo,
188 .encode(X509_CERT_VERSION-1)
219 uint32_t next_update)
const
222 std::chrono::system_clock::now(),
223 std::chrono::seconds(next_update));
230 const std::vector<CRL_Entry>& new_revoked,
232 uint32_t next_update)
const
235 std::chrono::system_clock::now(),
236 std::chrono::seconds(next_update));
241 std::chrono::system_clock::time_point issue_time,
242 std::chrono::seconds next_update)
const
244 std::vector<CRL_Entry> empty;
245 return make_crl(empty, 1, rng, issue_time, next_update);
249 const std::vector<CRL_Entry>& new_revoked,
251 std::chrono::system_clock::time_point issue_time,
252 std::chrono::seconds next_update)
const
254 std::vector<CRL_Entry> revoked = last_crl.
get_revoked();
256 std::copy(new_revoked.begin(), new_revoked.end(),
257 std::back_inserter(revoked));
259 return make_crl(revoked, last_crl.
crl_number() + 1, rng, issue_time, next_update);
265X509_CRL X509_CA::make_crl(
const std::vector<CRL_Entry>& revoked,
268 std::chrono::system_clock::time_point issue_time,
269 std::chrono::seconds next_update)
const
271 const size_t X509_CRL_VERSION = 2;
273 auto expire_time = issue_time + next_update;
281 m_signer.get(), rng, m_ca_sig_algo,
283 .encode(X509_CRL_VERSION-1)
284 .encode(m_ca_sig_algo)
288 .encode_if(revoked.size() > 0,
291 .encode_list(revoked)
320 const std::string& hash_fn,
327 const std::map<std::string,std::string>& opts,
329 const std::string& hash_fn,
333 if(opts.count(
"padding"))
334 padding = opts.at(
"padding");