diff options
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/manual/cli.rst | 23 | ||||
| -rw-r--r-- | doc/manual/x509.rst | 24 |
2 files changed, 41 insertions, 6 deletions
diff --git a/doc/manual/cli.rst b/doc/manual/cli.rst index 85b93d5e1..ecebe74e5 100644 --- a/doc/manual/cli.rst +++ b/doc/manual/cli.rst @@ -95,23 +95,34 @@ Public Key Cryptography X.509 ---------------------------------------------- -``gen_pkcs10 key CN --country= --organization= --email= --key-pass= --hash=SHA-256`` +<<<<<<< HEAD +``gen_pkcs10 key CN --country= --organization= --email= --key-pass= --hash=SHA-256 --emsa=`` Generate a PKCS #10 certificate signing request (CSR) using the passed PKCS #8 private key *key*. If the private key is encrypted, the decryption passphrase - *key-pass* has to be passed. + *key-pass* has to be passed.*emsa* specifies the padding scheme to be used + when calculating the signature. + + - For RSA keys EMSA4 (RSA-PSS) is the default scheme. + - For ECDSA, DSA, ECGDSA, ECKCDSA and GOST-34.10 keys *emsa* defaults to EMSA1. -``gen_self_signed key CN --country= --dns= --organization= --email= --key-pass= --ca --hash=SHA-256`` +``gen_self_signed key CN --country= --dns= --organization= --email= --key-pass= --ca --hash=SHA-256 --emsa=`` Generate a self signed X.509 certificate using the PKCS #8 private key *key*. If the private key is encrypted, the decryption passphrase *key-pass* has to be passed. If *ca* is passed, the certificate is marked for certificate - authority (CA) usage. + authority (CA) usage. *emsa* specifies the padding scheme to be used when + calculating the signature. -``sign_cert --ca-key-pass= --hash=SHA-256 --duration=365 ca_cert ca_key pkcs10_req`` + - For RSA keys EMSA4 (RSA-PSS) is the default scheme. + - For ECDSA, DSA, ECGDSA, ECKCDSA and GOST-34.10 keys *emsa* defaults to EMSA1. + +``sign_cert --ca-key-pass= --hash=SHA-256 --duration=365 --emsa= ca_cert ca_key pkcs10_req`` Create a CA signed X.509 certificate from the information contained in the PKCS #10 CSR *pkcs10_req*. The CA certificate is passed as *ca_cert* and the respective PKCS #8 private key as *ca_key*. If the private key is encrypted, the decryption passphrase *ca-key-pass* has to be passed. The created - certificate has a validity period of *duration* days. + certificate has a validity period of *duration* days. *emsa* specifies the + padding scheme to be used when calculating the signature. *emsa* defaults to + the padding scheme used in the CA certificate. ``ocsp_check subject issuer`` Verify an X.509 certificate against the issuers OCSP responder. Pass the diff --git a/doc/manual/x509.rst b/doc/manual/x509.rst index daf154c9a..f9431c362 100644 --- a/doc/manual/x509.rst +++ b/doc/manual/x509.rst @@ -531,6 +531,21 @@ The private ``key`` is the private key corresponding to the public key in the CA's certificate. ``hash_fn`` is the name of the hash function to use for signing, e.g., `SHA-256`. ``rng`` is queried for random during signing. +There is an alternative constructor that lets you set additional options, namely +the padding scheme that will be used by the X509_CA object to sign certificates +and certificate revocation lists. If the padding is not set explicitly, the CA +will use the padding scheme that was used when signing the CA certificate. + +.. cpp:function:: X509_CA::X509_CA(const X509_Certificate& cert, \ + const Private_Key& key, \ + const std::map<std::string,std::string>& opts, \ + const std::string& hash_fn, \ + RandomNumberGenerator& rng) + +The only option valid at this moment is "padding". The supported padding schemes +can be found in src/lib/pubkey/padding.cpp. Some alternative names for the +padding schemes are understood, as well. + Requests for new certificates are supplied to a CA in the form of PKCS #10 certificate requests (called a ``PKCS10_Request`` object in Botan). These are decoded in a similar manner to @@ -668,6 +683,15 @@ to want to use is to create (or request) a CA certificate, which can be done by calling the member function ``CA_key``. This should only be used when needed. +Moreover, you can specify the padding scheme to be used when digital signatures +are computed by calling function ``set_padding_scheme`` with a string +representing the padding scheme. This way, you can control the padding scheme +for self-signed certificates and PKCS #10 requests. The padding scheme used by +a CA when building a certificate or a certificate revocation list can be set in +the ``X509_CA`` constructor. The supported padding schemes can be found in +src/lib/pubkey/padding.cpp. Some alternative names for the padding schemes are +understood, as well. + Other constraints can be set by calling the member functions ``add_constraints`` and ``add_ex_constraints``. The first takes a ``Key_Constraints`` value, and replaces any previously set value. If |