diff options
Diffstat (limited to 'src/cert/x509ca')
-rw-r--r-- | src/cert/x509ca/info.txt | 6 | ||||
-rw-r--r-- | src/cert/x509ca/x509_ca.cpp | 253 | ||||
-rw-r--r-- | src/cert/x509ca/x509_ca.h | 130 |
3 files changed, 0 insertions, 389 deletions
diff --git a/src/cert/x509ca/info.txt b/src/cert/x509ca/info.txt deleted file mode 100644 index d412c3070..000000000 --- a/src/cert/x509ca/info.txt +++ /dev/null @@ -1,6 +0,0 @@ -define X509_CA - -<requires> -pkcs10 -x509cert -</requires> diff --git a/src/cert/x509ca/x509_ca.cpp b/src/cert/x509ca/x509_ca.cpp deleted file mode 100644 index 40f2e3b3a..000000000 --- a/src/cert/x509ca/x509_ca.cpp +++ /dev/null @@ -1,253 +0,0 @@ -/* -* X.509 Certificate Authority -* (C) 1999-2010 Jack Lloyd -* -* Distributed under the terms of the Botan license -*/ - -#include <botan/x509_ca.h> -#include <botan/pubkey.h> -#include <botan/der_enc.h> -#include <botan/ber_dec.h> -#include <botan/bigint.h> -#include <botan/parsing.h> -#include <botan/lookup.h> -#include <botan/oids.h> -#include <botan/time.h> -#include <algorithm> -#include <typeinfo> -#include <iterator> -#include <memory> -#include <set> - -namespace Botan { - -/* -* Load the certificate and private key -*/ -X509_CA::X509_CA(const X509_Certificate& c, - const Private_Key& key, - const std::string& hash_fn) : cert(c) - { - if(!cert.is_CA_cert()) - throw Invalid_Argument("X509_CA: This certificate is not for a CA"); - - signer = choose_sig_format(key, hash_fn, ca_sig_algo); - } - -/* -* X509_CA Destructor -*/ -X509_CA::~X509_CA() - { - delete signer; - } - -/* -* Sign a PKCS #10 certificate request -*/ -X509_Certificate X509_CA::sign_request(const PKCS10_Request& req, - RandomNumberGenerator& rng, - const X509_Time& not_before, - const X509_Time& not_after) - { - Key_Constraints constraints; - if(req.is_CA()) - constraints = Key_Constraints(KEY_CERT_SIGN | CRL_SIGN); - else - { - std::auto_ptr<Public_Key> key(req.subject_public_key()); - constraints = X509::find_constraints(*key, req.constraints()); - } - - Extensions extensions; - - extensions.add( - new Cert_Extension::Basic_Constraints(req.is_CA(), req.path_limit()), - true); - - extensions.add(new Cert_Extension::Key_Usage(constraints), true); - - extensions.add(new Cert_Extension::Authority_Key_ID(cert.subject_key_id())); - extensions.add(new Cert_Extension::Subject_Key_ID(req.raw_public_key())); - - extensions.add( - new Cert_Extension::Subject_Alternative_Name(req.subject_alt_name())); - - extensions.add( - new Cert_Extension::Extended_Key_Usage(req.ex_constraints())); - - return make_cert(signer, rng, ca_sig_algo, - req.raw_public_key(), - not_before, not_after, - cert.subject_dn(), req.subject_dn(), - extensions); - } - -/* -* Create a new certificate -*/ -X509_Certificate X509_CA::make_cert(PK_Signer* signer, - RandomNumberGenerator& rng, - const AlgorithmIdentifier& sig_algo, - const MemoryRegion<byte>& pub_key, - const X509_Time& not_before, - const X509_Time& not_after, - const X509_DN& issuer_dn, - const X509_DN& subject_dn, - const Extensions& extensions) - { - const size_t X509_CERT_VERSION = 3; - const size_t SERIAL_BITS = 128; - - BigInt serial_no(rng, SERIAL_BITS); - - DataSource_Memory source(X509_Object::make_signed(signer, rng, sig_algo, - DER_Encoder().start_cons(SEQUENCE) - .start_explicit(0) - .encode(X509_CERT_VERSION-1) - .end_explicit() - - .encode(serial_no) - - .encode(sig_algo) - .encode(issuer_dn) - - .start_cons(SEQUENCE) - .encode(not_before) - .encode(not_after) - .end_cons() - - .encode(subject_dn) - .raw_bytes(pub_key) - - .start_explicit(3) - .start_cons(SEQUENCE) - .encode(extensions) - .end_cons() - .end_explicit() - .end_cons() - .get_contents() - )); - - return X509_Certificate(source); - } - -/* -* Create a new, empty CRL -*/ -X509_CRL X509_CA::new_crl(RandomNumberGenerator& rng, - u32bit next_update) const - { - std::vector<CRL_Entry> empty; - return make_crl(empty, 1, next_update, rng); - } - -/* -* Update a CRL with new entries -*/ -X509_CRL X509_CA::update_crl(const X509_CRL& crl, - const std::vector<CRL_Entry>& new_revoked, - RandomNumberGenerator& rng, - u32bit next_update) const - { - std::vector<CRL_Entry> revoked = crl.get_revoked(); - - std::copy(new_revoked.begin(), new_revoked.end(), - std::back_inserter(revoked)); - - return make_crl(revoked, crl.crl_number() + 1, next_update, rng); - } - -/* -* Create a CRL -*/ -X509_CRL X509_CA::make_crl(const std::vector<CRL_Entry>& revoked, - u32bit crl_number, u32bit next_update, - RandomNumberGenerator& rng) const - { - const size_t X509_CRL_VERSION = 2; - - if(next_update == 0) - next_update = timespec_to_u32bit("7d"); - - // Totally stupid: ties encoding logic to the return of std::time!! - const u64bit current_time = system_time(); - - Extensions extensions; - extensions.add( - new Cert_Extension::Authority_Key_ID(cert.subject_key_id())); - extensions.add(new Cert_Extension::CRL_Number(crl_number)); - - DataSource_Memory source(X509_Object::make_signed(signer, rng, ca_sig_algo, - DER_Encoder().start_cons(SEQUENCE) - .encode(X509_CRL_VERSION-1) - .encode(ca_sig_algo) - .encode(cert.issuer_dn()) - .encode(X509_Time(current_time)) - .encode(X509_Time(current_time + next_update)) - .encode_if(revoked.size() > 0, - DER_Encoder() - .start_cons(SEQUENCE) - .encode_list(revoked) - .end_cons() - ) - .start_explicit(0) - .start_cons(SEQUENCE) - .encode(extensions) - .end_cons() - .end_explicit() - .end_cons() - .get_contents() - )); - - return X509_CRL(source); - } - -/* -* Return the CA's certificate -*/ -X509_Certificate X509_CA::ca_certificate() const - { - return cert; - } - -/* -* Choose a signing format for the key -*/ -PK_Signer* choose_sig_format(const Private_Key& key, - const std::string& hash_fn, - AlgorithmIdentifier& sig_algo) - { - std::string padding; - - const std::string algo_name = key.algo_name(); - - const HashFunction* proto_hash = retrieve_hash(hash_fn); - if(!proto_hash) - throw Algorithm_Not_Found(hash_fn); - - if(key.max_input_bits() < proto_hash->output_length()*8) - throw Invalid_Argument("Key is too small for chosen hash function"); - - if(algo_name == "RSA") - padding = "EMSA3"; - else if(algo_name == "DSA") - padding = "EMSA1"; - else if(algo_name == "ECDSA") - padding = "EMSA1_BSI"; - else - throw Invalid_Argument("Unknown X.509 signing key type: " + algo_name); - - Signature_Format format = - (key.message_parts() > 1) ? DER_SEQUENCE : IEEE_1363; - - padding = padding + '(' + proto_hash->name() + ')'; - - sig_algo.oid = OIDS::lookup(algo_name + "/" + padding); - sig_algo.parameters = key.algorithm_identifier().parameters; - - return new PK_Signer(key, padding, format); - } - -} diff --git a/src/cert/x509ca/x509_ca.h b/src/cert/x509ca/x509_ca.h deleted file mode 100644 index 97be6a415..000000000 --- a/src/cert/x509ca/x509_ca.h +++ /dev/null @@ -1,130 +0,0 @@ -/* -* X.509 Certificate Authority -* (C) 1999-2008 Jack Lloyd -* -* Distributed under the terms of the Botan license -*/ - -#ifndef BOTAN_X509_CA_H__ -#define BOTAN_X509_CA_H__ - -#include <botan/x509cert.h> -#include <botan/x509_crl.h> -#include <botan/x509_ext.h> -#include <botan/pkcs8.h> -#include <botan/pkcs10.h> -#include <botan/pubkey.h> - -namespace Botan { - -/** -* This class represents X.509 Certificate Authorities (CAs). -*/ -class BOTAN_DLL X509_CA - { - public: - - /** - * Sign a PKCS#10 Request. - * @param req the request to sign - * @param rng the rng to use - * @param not_before the starting time for the certificate - * @param not_after the expiration time for the certificate - * @return resulting certificate - */ - X509_Certificate sign_request(const PKCS10_Request& req, - RandomNumberGenerator& rng, - const X509_Time& not_before, - const X509_Time& not_after); - - /** - * Get the certificate of this CA. - * @return CA certificate - */ - X509_Certificate ca_certificate() const; - - /** - * Create a new and empty CRL for this CA. - * @param rng the random number generator to use - * @param next_update the time to set in next update in seconds - * as the offset from the current time - * @return new CRL - */ - X509_CRL new_crl(RandomNumberGenerator& rng, - u32bit next_update = 0) const; - - /** - * Create a new CRL by with additional entries. - * @param last_crl the last CRL of this CA to add the new entries to - * @param new_entries contains the new CRL entries to be added to the CRL - * @param rng the random number generator to use - * @param next_update the time to set in next update in seconds - * as the offset from the current time - */ - X509_CRL update_crl(const X509_CRL& last_crl, - const std::vector<CRL_Entry>& new_entries, - RandomNumberGenerator& rng, - u32bit next_update = 0) const; - - /** - * Interface for creating new certificates - * @param signer a signing object - * @param rng a random number generator - * @param sig_algo the signature algorithm identifier - * @param pub_key the serialized public key - * @param not_before the start time of the certificate - * @param not_after the end time of the certificate - * @param issuer_dn the DN of the issuer - * @param subject_dn the DN of the subject - * @param extensions an optional list of certificate extensions - * @returns newly minted certificate - */ - static X509_Certificate make_cert(PK_Signer* signer, - RandomNumberGenerator& rng, - const AlgorithmIdentifier& sig_algo, - const MemoryRegion<byte>& pub_key, - const X509_Time& not_before, - const X509_Time& not_after, - const X509_DN& issuer_dn, - const X509_DN& subject_dn, - const Extensions& extensions); - - /** - * Create a new CA object. - * @param ca_certificate the certificate of the CA - * @param key the private key of the CA - * @param hash_fn name of a hash function to use for signing - */ - X509_CA(const X509_Certificate& ca_certificate, - const Private_Key& key, - const std::string& hash_fn); - - ~X509_CA(); - private: - X509_CA(const X509_CA&) {} - X509_CA& operator=(const X509_CA&) { return (*this); } - - X509_CRL make_crl(const std::vector<CRL_Entry>& entries, - u32bit crl_number, u32bit next_update, - RandomNumberGenerator& rng) const; - - AlgorithmIdentifier ca_sig_algo; - X509_Certificate cert; - PK_Signer* signer; - }; - -/** -* Choose the default signature format for a certain public key signature -* scheme. -* @param key will be the key to choose a padding scheme for -* @param hash_fn is the desired hash function -* @param alg_id will be set to the chosen scheme -* @return A PK_Signer object for generating signatures -*/ -BOTAN_DLL PK_Signer* choose_sig_format(const Private_Key& key, - const std::string& hash_fn, - AlgorithmIdentifier& alg_id); - -} - -#endif |