1 files changed, 145 insertions, 0 deletions
diff --git a/src/lib/x509/x509_ca.h b/src/lib/x509/x509_ca.h
new file mode 100644
index 000000000..c96a709d5
--- /dev/null
+++ b/src/lib/x509/x509_ca.h
@@ -0,0 +1,145 @@
+/*
+* X.509 Certificate Authority
+* (C) 1999-2008 Jack Lloyd
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#ifndef BOTAN_X509_CA_H__
+#define BOTAN_X509_CA_H__
+
+#include <botan/x509cert.h>
+#include <botan/x509_crl.h>
+#include <botan/x509_ext.h>
+#include <botan/pkcs10.h>
+#include <botan/pubkey.h>
+
+#if defined(BOTAN_HAS_SYSTEM_RNG)
+  #include <botan/system_rng.h>
+#endif
+
+namespace Botan {
+
+/**
+* This class represents X.509 Certificate Authorities (CAs).
+*/
+class BOTAN_DLL X509_CA
+   {
+   public:
+      /**
+      * Sign a PKCS#10 Request.
+      * @param req the request to sign
+      * @param rng the rng to use
+      * @param not_before the starting time for the certificate
+      * @param not_after the expiration time for the certificate
+      * @return resulting certificate
+      */
+      X509_Certificate sign_request(const PKCS10_Request& req,
+                                    RandomNumberGenerator& rng,
+                                    const X509_Time& not_before,
+                                    const X509_Time& not_after);
+
+      /**
+      * Get the certificate of this CA.
+      * @return CA certificate
+      */
+      X509_Certificate ca_certificate() const;
+
+      /**
+      * Create a new and empty CRL for this CA.
+      * @param rng the random number generator to use
+      * @param next_update the time to set in next update in seconds
+      * as the offset from the current time
+      * @return new CRL
+      */
+      X509_CRL new_crl(RandomNumberGenerator& rng,
+                       u32bit next_update = 0) const;
+
+      /**
+      * Create a new CRL by with additional entries.
+      * @param last_crl the last CRL of this CA to add the new entries to
+      * @param new_entries contains the new CRL entries to be added to the CRL
+      * @param rng the random number generator to use
+      * @param next_update the time to set in next update in seconds
+      * as the offset from the current time
+      */
+      X509_CRL update_crl(const X509_CRL& last_crl,
+                          const std::vector<CRL_Entry>& new_entries,
+                          RandomNumberGenerator& rng,
+                          u32bit next_update = 0) const;
+
+      /**
+      * Interface for creating new certificates
+      * @param signer a signing object
+      * @param rng a random number generator
+      * @param sig_algo the signature algorithm identifier
+      * @param pub_key the serialized public key
+      * @param not_before the start time of the certificate
+      * @param not_after the end time of the certificate
+      * @param issuer_dn the DN of the issuer
+      * @param subject_dn the DN of the subject
+      * @param extensions an optional list of certificate extensions
+      * @returns newly minted certificate
+      */
+      static X509_Certificate make_cert(PK_Signer* signer,
+                                        RandomNumberGenerator& rng,
+                                        const AlgorithmIdentifier& sig_algo,
+                                        const std::vector<byte>& pub_key,
+                                        const X509_Time& not_before,
+                                        const X509_Time& not_after,
+                                        const X509_DN& issuer_dn,
+                                        const X509_DN& subject_dn,
+                                        const Extensions& extensions);
+
+      /**
+      * Create a new CA object.
+      * @param ca_certificate the certificate of the CA
+      * @param key the private key of the CA
+      * @param hash_fn name of a hash function to use for signing
+      * @param rng the random generator to use
+      */
+      X509_CA(const X509_Certificate& ca_certificate,
+              const Private_Key& key,
+              const std::string& hash_fn,
+              RandomNumberGenerator& rng);
+
+#if defined(BOTAN_HAS_SYSTEM_RNG)
+      BOTAN_DEPRECATED("Use version taking RNG object")
+      X509_CA(const X509_Certificate& ca_certificate,
+              const Private_Key& key,
+              const std::string& hash_fn) :
+         X509_CA(ca_certificate, key, hash_fn, system_rng())
+         {}
+#endif
+
+      X509_CA(const X509_CA&) = delete;
+      X509_CA& operator=(const X509_CA&) = delete;
+
+      ~X509_CA();
+   private:
+      X509_CRL make_crl(const std::vector<CRL_Entry>& entries,
+                        u32bit crl_number, u32bit next_update,
+                        RandomNumberGenerator& rng) const;
+
+      AlgorithmIdentifier m_ca_sig_algo;
+      X509_Certificate m_cert;
+      PK_Signer* m_signer;
+   };
+
+/**
+* Choose the default signature format for a certain public key signature
+* scheme.
+* @param key will be the key to choose a padding scheme for
+* @param rng the random generator to use
+* @param hash_fn is the desired hash function
+* @param alg_id will be set to the chosen scheme
+* @return A PK_Signer object for generating signatures
+*/
+BOTAN_DLL PK_Signer* choose_sig_format(const Private_Key& key,
+                                       RandomNumberGenerator& rng,
+                                       const std::string& hash_fn,
+                                       AlgorithmIdentifier& alg_id);
+
+}
+
+#endif