Diffstat (limited to 'src/cert')
-rw-r--r--src/cert/x509/x509_ca.cpp52
-rw-r--r--src/cert/x509/x509_ca.h44
-rw-r--r--src/cert/x509/x509self.cpp6
-rw-r--r--src/cert/x509/x509self.h4
4 files changed, 75 insertions, 31 deletions
diff --git a/src/cert/x509/x509_ca.cpp b/src/cert/x509/x509_ca.cpp
index f0eb9c3e5..48ec0bd1c 100644
--- a/src/cert/x509/x509_ca.cpp
+++ b/src/cert/x509/x509_ca.cpp
@@ -9,9 +9,10 @@
#include <botan/x509stor.h>
#include <botan/der_enc.h>
#include <botan/ber_dec.h>
-#include <botan/look_pk.h>
#include <botan/bigint.h>
#include <botan/parsing.h>
+#include <botan/lookup.h>
+#include <botan/look_pk.h>
#include <botan/oids.h>
#include <botan/timer.h>
#include <algorithm>
@@ -20,22 +21,33 @@
#include <memory>
#include <set>
+#include <stdio.h>
+
namespace Botan {
/*
* Load the certificate and private key
*/
X509_CA::X509_CA(const X509_Certificate& c,
- const Private_Key& key) : cert(c)
+ const Private_Key& key,
+ const std::string& hash_fn) : cert(c)
{
- const Private_Key* key_pointer = &key;
- if(!dynamic_cast<const PK_Signing_Key*>(key_pointer))
+ // Use pointer dynamic_cast to avoid exception if cast fails
+ if(!dynamic_cast<const PK_Signing_Key*>(&key))
throw Invalid_Argument("X509_CA: " + key.algo_name() + " cannot sign");
if(!cert.is_CA_cert())
throw Invalid_Argument("X509_CA: This certificate is not for a CA");
- signer = choose_sig_format(key, ca_sig_algo);
+ signer = choose_sig_format(key, hash_fn, ca_sig_algo);
+ }
+
+/*
+* X509_CA Destructor
+*/
+X509_CA::~X509_CA()
+ {
+ delete signer;
}
/*
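Review bot: The `#include <stdio.h>` added at the top of this hunk is only needed by the debugging `printf("%d %d\n", ...)` left inside the new key-size check in the `choose_sig_format` hunk further down; both should be dropped before this lands. A library routine that writes key and digest sizes to the host process's stdout on an error path pollutes whatever the application emits there, and the `%d` conversions are presumably being handed unsigned `u32bit` values. If the sizes are useful for diagnosis, put the context into the exception text instead, e.g. `throw Invalid_Argument("Key is too small for chosen hash function " + hash_fn);`.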
@@ -70,7 +82,8 @@ X509_Certificate X509_CA::sign_request(const PKCS10_Request& req,
extensions.add(
new Cert_Extension::Subject_Alternative_Name(req.subject_alt_name()));
- return make_cert(signer, rng, ca_sig_algo, req.raw_public_key(),
+ return make_cert(signer, rng, ca_sig_algo,
+ req.raw_public_key(),
not_before, not_after,
cert.subject_dn(), req.subject_dn(),
extensions);
@@ -231,17 +244,10 @@ X509_Certificate X509_CA::ca_certificate() const
}
/*
-* X509_CA Destructor
-*/
-X509_CA::~X509_CA()
- {
- delete signer;
- }
-
-/*
* Choose a signing format for the key
*/
PK_Signer* choose_sig_format(const Private_Key& key,
+ const std::string& hash_fn,
AlgorithmIdentifier& sig_algo)
{
std::string padding;
@@ -249,24 +255,36 @@ PK_Signer* choose_sig_format(const Private_Key& key,
const std::string algo_name = key.algo_name();
+ const HashFunction* proto_hash = retrieve_hash(hash_fn);
+ if(!proto_hash)
+ throw Algorithm_Not_Found(hash_fn);
+
+ if(key.max_input_bits() < proto_hash->OUTPUT_LENGTH*8)
+ {
+ printf("%d %d\n", key.max_input_bits(), proto_hash->OUTPUT_LENGTH*8);
+ throw Invalid_Argument("Key is too small for chosen hash function");
+ }
+
if(algo_name == "RSA")
{
- padding = "EMSA3(SHA-160)";
+ padding = "EMSA3";
format = IEEE_1363;
}
else if(algo_name == "DSA")
{
- padding = "EMSA1(SHA-160)";
+ padding = "EMSA1";
format = DER_SEQUENCE;
}
else if(algo_name == "ECDSA")
{
- padding = "EMSA1_BSI(SHA-160)";
+ padding = "EMSA1_BSI";
format = IEEE_1363;
}
else
throw Invalid_Argument("Unknown X.509 signing key type: " + algo_name);
+ padding = padding + '(' + proto_hash->name() + ')';
+
sig_algo.oid = OIDS::lookup(algo_name + "/" + padding);
std::auto_ptr<X509_Encoder> encoding(key.x509_encoder());
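Review bot: The new `hash_fn` argument is accepted as-is: any name `retrieve_hash` can resolve and whose output fits `key.max_input_bits()` is used to sign certificates, so nothing here stops a caller from selecting a digest that is no longer collision resistant. Since this code produces CA signatures, either document that choosing a suitable hash is the caller's responsibility or check the name against an allow-list before `padding` is built. The size test also compares only the raw digest length; for the RSA/EMSA3 branch the encoded input is presumably longer than the bare hash, so a key that passes this check may still be rejected later during encoding. A comment such as `// hash_fn is caller policy; weak digests are not filtered here` above the `retrieve_hash` call would make the contract explicit. The body of `choose_sig_format` continues outside the hunk.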
diff --git a/src/cert/x509/x509_ca.h b/src/cert/x509/x509_ca.h
index ef2a8d134..6eb4bbbef 100644
--- a/src/cert/x509/x509_ca.h
+++ b/src/cert/x509/x509_ca.h
@@ -50,7 +50,8 @@ class BOTAN_DLL X509_CA
* as the offset from the current time
* @return the new CRL
*/
- X509_CRL new_crl(RandomNumberGenerator& rng, u32bit = 0) const;
+ X509_CRL new_crl(RandomNumberGenerator& rng,
+ u32bit next_update = 0) const;
/**
* Create a new CRL by with additional entries.
@@ -65,27 +66,45 @@ class BOTAN_DLL X509_CA
RandomNumberGenerator& rng,
u32bit next_update = 0) const;
- static X509_Certificate make_cert(PK_Signer*,
- RandomNumberGenerator&,
- const AlgorithmIdentifier&,
- const MemoryRegion<byte>&,
- const X509_Time&, const X509_Time&,
- const X509_DN&, const X509_DN&,
- const Extensions&);
+ /**
+ * Interface for creating new certificates
+ * @param signer a signing object
+ * @param rng a random number generator
+ * @param sig_algo the signature algorithm identifier
+ * @param not_before the start time of the certificate
+ * @param not_after the end time of the certificate
+ * @param issuer_dn the DN of the issuer
+ * @param subject_dn the DN of the subject
+ * @param extensions an optional list of certificate extensions
+ * @returns newly minted certificate
+ */
+ static X509_Certificate make_cert(PK_Signer* signer,
+ RandomNumberGenerator& rng,
+ const AlgorithmIdentifier& sig_algo,
+ const MemoryRegion<byte>& pub_key,
+ const X509_Time& not_before,
+ const X509_Time& not_after,
+ const X509_DN& issuer_dn,
+ const X509_DN& subject_dn,
+ const Extensions& extensions);
/**
* Create a new CA object.
* @param ca_certificate the certificate of the CA
* @param key the private key of the CA
*/
- X509_CA(const X509_Certificate& ca_certificate, const Private_Key& key);
+ X509_CA(const X509_Certificate& ca_certificate,
+ const Private_Key& key,
+ const std::string& hash_fn);
+
~X509_CA();
private:
X509_CA(const X509_CA&) {}
X509_CA& operator=(const X509_CA&) { return (*this); }
- X509_CRL make_crl(const std::vector<CRL_Entry>&,
- u32bit, u32bit, RandomNumberGenerator&) const;
+ X509_CRL make_crl(const std::vector<CRL_Entry>& entries,
+ u32bit crl_number, u32bit next_update,
+ RandomNumberGenerator& rng) const;
AlgorithmIdentifier ca_sig_algo;
X509_Certificate cert;
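Review bot: The new Doxygen block for `make_cert` names every parameter except `pub_key`, and the constructor comment just below it still documents only `ca_certificate` and `key` although the constructor now takes `hash_fn`. Add `* @param pub_key the encoded public key of the subject` (wording inferred from the call in x509_ca.cpp, which passes `req.raw_public_key()`) and `* @param hash_fn name of the hash function used for signatures made by this CA`. Because `hash_fn` has no default value, the constructor comment is the only place a caller learns what is expected there. The class body starts before and continues after this hunk.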
@@ -96,13 +115,14 @@ class BOTAN_DLL X509_CA
* Choose the default signature format for a certain public key signature
* scheme.
* @param key will be the key to choose a padding scheme for
+* @param hash_fn is the desired hash function
* @param alg_id will be set to the chosen scheme
* @return A PK_Signer object for generating signatures
*/
BOTAN_DLL PK_Signer* choose_sig_format(const Private_Key& key,
+ const std::string& hash_fn,
AlgorithmIdentifier& alg_id);
-
}
#endif
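Review bot: The `@return` line for `choose_sig_format` does not say who owns the returned `PK_Signer*`; the callers visible in this commit either `delete` it in `~X509_CA` or wrap it in `std::auto_ptr`, so ownership evidently passes to the caller. State that in the comment, e.g. `* @return A PK_Signer object for generating signatures; the caller owns it and must delete it`. The comment should also mention that the function now throws when `hash_fn` is unknown or the key is too small for it, as the x509_ca.cpp change introduces.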
diff --git a/src/cert/x509/x509self.cpp b/src/cert/x509/x509self.cpp
index 8afb22a7e..f915c6ff5 100644
--- a/src/cert/x509/x509self.cpp
+++ b/src/cert/x509/x509self.cpp
@@ -65,6 +65,7 @@ namespace X509 {
*/
X509_Certificate create_self_signed_cert(const X509_Cert_Options& opts,
const Private_Key& key,
+ const std::string& hash_fn,
RandomNumberGenerator& rng)
{
AlgorithmIdentifier sig_algo;
@@ -72,7 +73,7 @@ X509_Certificate create_self_signed_cert(const X509_Cert_Options& opts,
AlternativeName subject_alt;
MemoryVector<byte> pub_key = shared_setup(opts, key);
- std::auto_ptr<PK_Signer> signer(choose_sig_format(key, sig_algo));
+ std::auto_ptr<PK_Signer> signer(choose_sig_format(key, hash_fn, sig_algo));
load_info(opts, subject_dn, subject_alt);
Key_Constraints constraints;
@@ -103,6 +104,7 @@ X509_Certificate create_self_signed_cert(const X509_Cert_Options& opts,
*/
PKCS10_Request create_cert_req(const X509_Cert_Options& opts,
const Private_Key& key,
+ const std::string& hash_fn,
RandomNumberGenerator& rng)
{
AlgorithmIdentifier sig_algo;
@@ -110,7 +112,7 @@ PKCS10_Request create_cert_req(const X509_Cert_Options& opts,
AlternativeName subject_alt;
MemoryVector<byte> pub_key = shared_setup(opts, key);
- std::auto_ptr<PK_Signer> signer(choose_sig_format(key, sig_algo));
+ std::auto_ptr<PK_Signer> signer(choose_sig_format(key, hash_fn, sig_algo));
load_info(opts, subject_dn, subject_alt);
const u32bit PKCS10_VERSION = 0;
diff --git a/src/cert/x509/x509self.h b/src/cert/x509/x509self.h
index bd3e29179..741350067 100644
--- a/src/cert/x509/x509self.h
+++ b/src/cert/x509/x509self.h
@@ -172,12 +172,14 @@ namespace X509 {
* @param opts the options defining the certificate to create
* @param key the private key used for signing, i.e. the key
* associated with this self-signed certificate
+* @param hash_fn the hash function to use
* @param rng the rng to use
* @return the newly created self-signed certificate
*/
BOTAN_DLL X509_Certificate
create_self_signed_cert(const X509_Cert_Options& opts,
const Private_Key& key,
+ const std::string& hash_fn,
RandomNumberGenerator& rng);
/**
@@ -185,10 +187,12 @@ create_self_signed_cert(const X509_Cert_Options& opts,
* @param opts the options defining the request to create
* @param key the key used to sign this request
* @param rng the rng to use
+* @param hash_fn the hash function to use
* @return the newly created PKCS#10 request
*/
BOTAN_DLL PKCS10_Request create_cert_req(const X509_Cert_Options& opts,
const Private_Key& key,
+ const std::string& hash_fn,
RandomNumberGenerator& rng);
}
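Review bot: In the `create_cert_req` comment the new `@param hash_fn` line is placed after `@param rng`, while the parameter itself sits before `rng` in the signature; the `create_self_signed_cert` comment in the previous hunk has them in signature order. Move the line up so both comments match their declarations. Both descriptions say only `the hash function to use`; since the value is a name resolved at run time, `* @param hash_fn the name of the hash function to use for the signature` would tell callers what to pass.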