aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorlloyd <[email protected]>2008-04-10 04:39:58 +0000
committerlloyd <[email protected]>2008-04-10 04:39:58 +0000
commitfd717509a0547faa4384b351635a85f7315f2eaa (patch)
tree1abd16dc7dba49bd9b52f76e8351e5eac9f1a96e
parent4e9d101a1b18316fe14829a52c1e4df20208aa5d (diff)
Change the interface of X509_CA::sign_request as follows:
- The allow_ca policy value is no longer checked. Callers should check if the request is for a CA cert and treat it accordingly; this makes it simpler to to case-by-case decisions (expecially among multiple threads) - Instead of a single time value, a u32bit representing the number of seconds from now the certificate should expire, the start and end times are passed explicitly as two X509_Time values.
-rw-r--r--checks/x509.cpp9
-rw-r--r--include/x509_ca.h6
-rw-r--r--src/x509_ca.cpp21
3 files changed, 15 insertions, 21 deletions
diff --git a/checks/x509.cpp b/checks/x509.cpp
index c07aaf761..6e6dad60c 100644
--- a/checks/x509.cpp
+++ b/checks/x509.cpp
@@ -96,9 +96,14 @@ void do_x509_tests()
/* Sign the requests to create the certs */
std::cout << '.' << std::flush;
- X509_Certificate user1_cert = ca.sign_request(user1_req);
+ X509_Certificate user1_cert =
+ ca.sign_request(user1_req, X509_Time("2008-01-01"),
+ X509_Time("2100-01-01"));
+
std::cout << '.' << std::flush;
- X509_Certificate user2_cert = ca.sign_request(user2_req);
+ X509_Certificate user2_cert = ca.sign_request(user2_req,
+ X509_Time("2008-01-01"),
+ X509_Time("2100-01-01"));
std::cout << '.' << std::flush;
X509_CRL crl1 = ca.new_crl();
diff --git a/include/x509_ca.h b/include/x509_ca.h
index 4a7cb22ca..3c2610d7f 100644
--- a/include/x509_ca.h
+++ b/include/x509_ca.h
@@ -1,6 +1,6 @@
/*************************************************
* X.509 Certificate Authority Header File *
-* (C) 1999-2007 Jack Lloyd *
+* (C) 1999-2008 Jack Lloyd *
*************************************************/
#ifndef BOTAN_X509_CA_H__
@@ -21,7 +21,9 @@ namespace Botan {
class X509_CA
{
public:
- X509_Certificate sign_request(const PKCS10_Request&, u32bit = 0) const;
+ X509_Certificate sign_request(const PKCS10_Request& req,
+ const X509_Time& not_before,
+ const X509_Time& not_after);
X509_Certificate ca_certificate() const;
diff --git a/src/x509_ca.cpp b/src/x509_ca.cpp
index e0e42f14f..30983d89f 100644
--- a/src/x509_ca.cpp
+++ b/src/x509_ca.cpp
@@ -1,6 +1,6 @@
/*************************************************
* X.509 Certificate Authority Source File *
-* (C) 1999-2007 Jack Lloyd *
+* (C) 1999-2008 Jack Lloyd *
*************************************************/
#include <botan/x509_ca.h>
@@ -41,11 +41,9 @@ X509_CA::X509_CA(const X509_Certificate& c,
* Sign a PKCS #10 certificate request *
*************************************************/
X509_Certificate X509_CA::sign_request(const PKCS10_Request& req,
- u32bit expire_time) const
+ const X509_Time& not_before,
+ const X509_Time& not_after)
{
- if(req.is_CA() && !global_config().option_as_bool("x509/ca/allow_ca"))
- throw Policy_Violation("X509_CA: Attempted to sign new CA certificate");
-
Key_Constraints constraints;
if(req.is_CA())
constraints = Key_Constraints(KEY_CERT_SIGN | CRL_SIGN);
@@ -70,19 +68,8 @@ X509_Certificate X509_CA::sign_request(const PKCS10_Request& req,
extensions.add(
new Cert_Extension::Subject_Alternative_Name(req.subject_alt_name()));
- /*
- extensions.add(
- new Cert_Extension::Issuer_Alternative_Name(issuer_alt));
- */
-
- if(expire_time == 0)
- expire_time = global_config().option_as_time("x509/ca/default_expire");
-
- const u64bit current_time = system_time();
-
return make_cert(signer, ca_sig_algo, req.raw_public_key(),
- X509_Time(current_time),
- X509_Time(current_time + expire_time),
+ not_before, not_after,
cert.subject_dn(), req.subject_dn(),
extensions);
}