author | lloyd <[email protected]> | 2008-04-10 04:39:58 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2008-04-10 04:39:58 +0000 |
commit | fd717509a0547faa4384b351635a85f7315f2eaa (patch) | |
tree | 1abd16dc7dba49bd9b52f76e8351e5eac9f1a96e | |
parent | 4e9d101a1b18316fe14829a52c1e4df20208aa5d (diff) |
Change the interface of X509_CA::sign_request as follows:
- The allow_ca policy value is no longer checked. Callers should check
if the request is for a CA cert and treat it accordingly; this makes
it simpler to make case-by-case decisions (especially among multiple
threads)
- Instead of a single time value, a u32bit representing the number of
seconds from now the certificate should expire, the start and end times
are passed explicitly as two X509_Time values.
-rw-r--r-- | checks/x509.cpp | 9 | ||||
-rw-r--r-- | include/x509_ca.h | 6 | ||||
-rw-r--r-- | src/x509_ca.cpp | 21 |
3 files changed, 15 insertions, 21 deletions
diff --git a/checks/x509.cpp b/checks/x509.cpp index c07aaf761..6e6dad60c 100644 --- a/checks/x509.cpp +++ b/checks/x509.cpp @@ -96,9 +96,14 @@ void do_x509_tests() /* Sign the requests to create the certs */ std::cout << '.' << std::flush; - X509_Certificate user1_cert = ca.sign_request(user1_req); + X509_Certificate user1_cert = + ca.sign_request(user1_req, X509_Time("2008-01-01"), + X509_Time("2100-01-01")); + std::cout << '.' << std::flush; - X509_Certificate user2_cert = ca.sign_request(user2_req); + X509_Certificate user2_cert = ca.sign_request(user2_req, + X509_Time("2008-01-01"), + X509_Time("2100-01-01")); std::cout << '.' << std::flush; X509_CRL crl1 = ca.new_crl(); diff --git a/include/x509_ca.h b/include/x509_ca.h index 4a7cb22ca..3c2610d7f 100644 --- a/include/x509_ca.h +++ b/include/x509_ca.h @@ -1,6 +1,6 @@ /************************************************* * X.509 Certificate Authority Header File * -* (C) 1999-2007 Jack Lloyd * +* (C) 1999-2008 Jack Lloyd * *************************************************/ #ifndef BOTAN_X509_CA_H__ @@ -21,7 +21,9 @@ namespace Botan { class X509_CA { public: - X509_Certificate sign_request(const PKCS10_Request&, u32bit = 0) const; + X509_Certificate sign_request(const PKCS10_Request& req, + const X509_Time& not_before, + const X509_Time& not_after); X509_Certificate ca_certificate() const; diff --git a/src/x509_ca.cpp b/src/x509_ca.cpp index e0e42f14f..30983d89f 100644 --- a/src/x509_ca.cpp +++ b/src/x509_ca.cpp @@ -1,6 +1,6 @@ /************************************************* * X.509 Certificate Authority Source File * -* (C) 1999-2007 Jack Lloyd * +* (C) 1999-2008 Jack Lloyd * *************************************************/ #include <botan/x509_ca.h> 
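Review bot: In the `include/x509_ca.h` hunk at `@@ -21,7 +21,9 @@`, the new `sign_request` declaration carries no comment telling callers that the CA-request check is now theirs to make, and the header is where they will look for the contract. A comment above the declaration such as `// Does not check req.is_CA(): a request asking for CA status is signed as a CA certificate, so the caller must decide first` would carry the commit message's warning into the API. The declaration also drops the trailing `const` of the old signature, which the commit message does not mention. If nothing in the body mutates the CA object (the body is outside this hunk), keeping `const` avoids breaking callers that hold a `const X509_CA&`.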
@@ -41,11 +41,9 @@ X509_CA::X509_CA(const X509_Certificate& c,
 * Sign a PKCS #10 certificate request *
 *************************************************/
 X509_Certificate X509_CA::sign_request(const PKCS10_Request& req,
- u32bit expire_time) const
+ const X509_Time& not_before,
+ const X509_Time& not_after)
 {
- if(req.is_CA() && !global_config().option_as_bool("x509/ca/allow_ca"))
- throw Policy_Violation("X509_CA: Attempted to sign new CA certificate");
-
 Key_Constraints constraints;
 if(req.is_CA())
 constraints = Key_Constraints(KEY_CERT_SIGN | CRL_SIGN);
@@ -70,19 +68,8 @@ X509_Certificate X509_CA::sign_request(const PKCS10_Request& req,
 extensions.add(
 new Cert_Extension::Subject_Alternative_Name(req.subject_alt_name()));
- /*
- extensions.add(
- new Cert_Extension::Issuer_Alternative_Name(issuer_alt));
- */
-
- if(expire_time == 0)
- expire_time = global_config().option_as_time("x509/ca/default_expire");
-
- const u64bit current_time = system_time();
-
 return make_cert(signer, ca_sig_algo, req.raw_public_key(),
- X509_Time(current_time),
- X509_Time(current_time + expire_time),
+ not_before, not_after,
 cert.subject_dn(), req.subject_dn(),
 extensions);
 } |
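Review bot: With the `x509/ca/allow_ca` check removed at the top of `sign_request` (hunk `@@ -41,11 +41,9 @@`), the `if(req.is_CA())` branch kept as context now grants `KEY_CERT_SIGN | CRL_SIGN` to any request that asks for it. The function therefore fails open for a caller that forgets the check the commit message delegates to it. Since the signature changes anyway, the decision could be made visible at the call site, for example through an explicit parameter or a separate entry point for CA requests. At minimum a comment at this spot, such as `// Caller is responsible for rejecting unwanted CA requests (see req.is_CA())`, would record the contract. The rest of the function body lies outside this hunk, so how the basic-constraints extension is populated is not visible here.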
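Review bot: `not_before` and `not_after` go straight into `make_cert` in the final `return` of hunk `@@ -70,19 +68,8 @@`, so an inverted or empty validity window is signed exactly as given. A guard before the call, e.g. `if(not_before >= not_after) throw Invalid_Argument("X509_CA::sign_request: not_after must be later than not_before");` (assuming X509_Time's comparison operators are available in this tree), would reject it. Nothing visible in the hunk ties the window to the CA certificate's own validity or to a maximum lifetime either, now that `x509/ca/default_expire` is no longer consulted. If that is also meant to be caller policy, it deserves a comment next to the call. The start of the function is outside this hunk.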