#include <x509_ca.h>

Public Member Functions
X509_Certificate	ca_certificate () const
X509_CRL	new_crl (RandomNumberGenerator &rng, u32bit next_update=0) const
X509_CA &	operator= (const X509_CA &)
X509_Certificate	sign_request (const PKCS10_Request &req, RandomNumberGenerator &rng, const X509_Time &not_before, const X509_Time &not_after)
X509_CRL	update_crl (const X509_CRL &last_crl, const std::vector< CRL_Entry > &new_entries, RandomNumberGenerator &rng, u32bit next_update=0) const
	X509_CA (const X509_Certificate &ca_certificate, const Private_Key &key, const std::string &hash_fn)
	X509_CA (const X509_CA &)
	~X509_CA ()
Static Public Member Functions
static X509_Certificate	make_cert (PK_Signer *signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &sig_algo, const std::vector< byte > &pub_key, const X509_Time &not_before, const X509_Time &not_after, const X509_DN &issuer_dn, const X509_DN &subject_dn, const Extensions &extensions)

Detailed Description

This class represents X.509 Certificate Authorities (CAs).

Definition at line 23 of file x509_ca.h.

Constructor & Destructor Documentation

Botan::X509_CA::X509_CA	(	const X509_Certificate &	ca_certificate,
		const Private_Key &	key,
		const std::string &	hash_fn
	)

Create a new CA object.

Parameters:

ca_certificate	the certificate of the CA
key	the private key of the CA
hash_fn	name of a hash function to use for signing

Definition at line 28 of file x509_ca.cpp.

References Botan::choose_sig_format(), and Botan::X509_Certificate::is_CA_cert().

                                           : cert(c)
   {
   if(!cert.is_CA_cert())
      throw Invalid_Argument("X509_CA: This certificate is not for a CA");

   signer = choose_sig_format(key, hash_fn, ca_sig_algo);
   }

Botan::X509_CA::X509_CA ( const X509_CA & )

Botan::X509_CA::~X509_CA ( )

Definition at line 41 of file x509_ca.cpp.

   {
   delete signer;
   }

Member Function Documentation

X509_Certificate Botan::X509_CA::ca_certificate ( ) const

Get the certificate of this CA.

Returns:: CA certificate

Definition at line 210 of file x509_ca.cpp.

   {
   return cert;
   }

X509_Certificate Botan::X509_CA::make_cert	(	PK_Signer *	signer,
		RandomNumberGenerator &	rng,
		const AlgorithmIdentifier &	sig_algo,
		const std::vector< byte > &	pub_key,
		const X509_Time &	not_before,
		const X509_Time &	not_after,
		const X509_DN &	issuer_dn,
		const X509_DN &	subject_dn,
		const Extensions &	extensions
	)		`[static]`

Interface for creating new certificates

Parameters:

signer	a signing object
rng	a random number generator
sig_algo	the signature algorithm identifier
pub_key	the serialized public key
not_before	the start time of the certificate
not_after	the end time of the certificate
issuer_dn	the DN of the issuer
subject_dn	the DN of the subject
extensions	an optional list of certificate extensions

Returns:: newly minted certificate

Definition at line 90 of file x509_ca.cpp.

References Botan::PEM_Code::encode(), Botan::X509_Object::make_signed(), and Botan::SEQUENCE.

Referenced by sign_request().

   {
   const size_t X509_CERT_VERSION = 3;
   const size_t SERIAL_BITS = 128;

   BigInt serial_no(rng, SERIAL_BITS);

   return X509_Certificate(X509_Object::make_signed(
      signer, rng, sig_algo,
      DER_Encoder().start_cons(SEQUENCE)
         .start_explicit(0)
            .encode(X509_CERT_VERSION-1)
         .end_explicit()

         .encode(serial_no)

         .encode(sig_algo)
         .encode(issuer_dn)

         .start_cons(SEQUENCE)
            .encode(not_before)
            .encode(not_after)
         .end_cons()

         .encode(subject_dn)
         .raw_bytes(pub_key)

         .start_explicit(3)
            .start_cons(SEQUENCE)
               .encode(extensions)
             .end_cons()
         .end_explicit()
      .end_cons()
      .get_contents()
      ));;
   }

X509_CRL Botan::X509_CA::new_crl	(	RandomNumberGenerator &	rng,
		u32bit	next_update = `0`
	)		const

Create a new and empty CRL for this CA.

Parameters:

rng	the random number generator to use
next_update	the time to set in next update in seconds as the offset from the current time

Returns:: new CRL

Definition at line 138 of file x509_ca.cpp.

   {
   std::vector<CRL_Entry> empty;
   return make_crl(empty, 1, next_update, rng);
   }

X509_CA& Botan::X509_CA::operator= ( const X509_CA & )

X509_Certificate Botan::X509_CA::sign_request	(	const PKCS10_Request &	req,
		RandomNumberGenerator &	rng,
		const X509_Time &	not_before,
		const X509_Time &	not_after
	)

Sign a PKCS#10 Request.

Parameters:

req	the request to sign
rng	the rng to use
not_before	the starting time for the certificate
not_after	the expiration time for the certificate

Returns:: resulting certificate

Definition at line 49 of file x509_ca.cpp.

References Botan::Extensions::add(), Botan::PKCS10_Request::constraints(), Botan::CRL_SIGN, Botan::PKCS10_Request::ex_constraints(), Botan::find_constraints(), Botan::PKCS10_Request::is_CA(), Botan::KEY_CERT_SIGN, make_cert(), Botan::PKCS10_Request::path_limit(), Botan::PKCS10_Request::raw_public_key(), Botan::PKCS10_Request::subject_alt_name(), Botan::PKCS10_Request::subject_dn(), Botan::X509_Certificate::subject_dn(), Botan::X509_Certificate::subject_key_id(), and Botan::PKCS10_Request::subject_public_key().

   {
   Key_Constraints constraints;
   if(req.is_CA())
      constraints = Key_Constraints(KEY_CERT_SIGN | CRL_SIGN);
   else
      {
      std::unique_ptr<Public_Key> key(req.subject_public_key());
      constraints = find_constraints(*key, req.constraints());
      }

   Extensions extensions;

   extensions.add(
      new Cert_Extension::Basic_Constraints(req.is_CA(), req.path_limit()),
      true);

   extensions.add(new Cert_Extension::Key_Usage(constraints), true);

   extensions.add(new Cert_Extension::Authority_Key_ID(cert.subject_key_id()));
   extensions.add(new Cert_Extension::Subject_Key_ID(req.raw_public_key()));

   extensions.add(
      new Cert_Extension::Subject_Alternative_Name(req.subject_alt_name()));

   extensions.add(
      new Cert_Extension::Extended_Key_Usage(req.ex_constraints()));

   return make_cert(signer, rng, ca_sig_algo,
                    req.raw_public_key(),
                    not_before, not_after,
                    cert.subject_dn(), req.subject_dn(),
                    extensions);
   }

X509_CRL Botan::X509_CA::update_crl	(	const X509_CRL &	last_crl,
		const std::vector< CRL_Entry > &	new_entries,
		RandomNumberGenerator &	rng,
		u32bit	next_update = `0`
	)		const

Create a new CRL by with additional entries.

Parameters:

last_crl	the last CRL of this CA to add the new entries to
new_entries	contains the new CRL entries to be added to the CRL
rng	the random number generator to use
next_update	the time to set in next update in seconds as the offset from the current time

Definition at line 148 of file x509_ca.cpp.

References Botan::X509_CRL::crl_number(), and Botan::X509_CRL::get_revoked().

   {
   std::vector<CRL_Entry> revoked = crl.get_revoked();

   std::copy(new_revoked.begin(), new_revoked.end(),
             std::back_inserter(revoked));

   return make_crl(revoked, crl.crl_number() + 1, next_update, rng);
   }

The documentation for this class was generated from the following files:

src/lib/cert/x509/x509_ca.h
src/lib/cert/x509/x509_ca.cpp

Public Member Functions

Static Public Member Functions

Detailed Description

Constructor & Destructor Documentation

Member Function Documentation