aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/cert/x509/x509_ca.cpp52
-rw-r--r--src/cert/x509/x509_ca.h44
-rw-r--r--src/cert/x509/x509self.cpp6
-rw-r--r--src/cert/x509/x509self.h4
4 files changed, 75 insertions, 31 deletions
diff --git a/src/cert/x509/x509_ca.cpp b/src/cert/x509/x509_ca.cpp
index f0eb9c3e5..48ec0bd1c 100644
--- a/src/cert/x509/x509_ca.cpp
+++ b/src/cert/x509/x509_ca.cpp
@@ -9,9 +9,10 @@
#include <botan/x509stor.h>
#include <botan/der_enc.h>
#include <botan/ber_dec.h>
-#include <botan/look_pk.h>
#include <botan/bigint.h>
#include <botan/parsing.h>
+#include <botan/lookup.h>
+#include <botan/look_pk.h>
#include <botan/oids.h>
#include <botan/timer.h>
#include <algorithm>
@@ -20,22 +21,33 @@
#include <memory>
#include <set>
+#include <stdio.h>
+
namespace Botan {
/*
* Load the certificate and private key
*/
X509_CA::X509_CA(const X509_Certificate& c,
- const Private_Key& key) : cert(c)
+ const Private_Key& key,
+ const std::string& hash_fn) : cert(c)
{
- const Private_Key* key_pointer = &key;
- if(!dynamic_cast<const PK_Signing_Key*>(key_pointer))
+ // Use pointer dynamic_cast to avoid exception if cast fails
+ if(!dynamic_cast<const PK_Signing_Key*>(&key))
throw Invalid_Argument("X509_CA: " + key.algo_name() + " cannot sign");
if(!cert.is_CA_cert())
throw Invalid_Argument("X509_CA: This certificate is not for a CA");
- signer = choose_sig_format(key, ca_sig_algo);
+ signer = choose_sig_format(key, hash_fn, ca_sig_algo);
+ }
+
+/*
+* X509_CA Destructor
+*/
+X509_CA::~X509_CA()
+ {
+ delete signer;
}
/*
@@ -70,7 +82,8 @@ X509_Certificate X509_CA::sign_request(const PKCS10_Request& req,
extensions.add(
new Cert_Extension::Subject_Alternative_Name(req.subject_alt_name()));
- return make_cert(signer, rng, ca_sig_algo, req.raw_public_key(),
+ return make_cert(signer, rng, ca_sig_algo,
+ req.raw_public_key(),
not_before, not_after,
cert.subject_dn(), req.subject_dn(),
extensions);
@@ -231,17 +244,10 @@ X509_Certificate X509_CA::ca_certificate() const
}
/*
-* X509_CA Destructor
-*/
-X509_CA::~X509_CA()
- {
- delete signer;
- }
-
-/*
* Choose a signing format for the key
*/
PK_Signer* choose_sig_format(const Private_Key& key,
+ const std::string& hash_fn,
AlgorithmIdentifier& sig_algo)
{
std::string padding;
@@ -249,24 +255,36 @@ PK_Signer* choose_sig_format(const Private_Key& key,
const std::string algo_name = key.algo_name();
+ const HashFunction* proto_hash = retrieve_hash(hash_fn);
+ if(!proto_hash)
+ throw Algorithm_Not_Found(hash_fn);
+
+ if(key.max_input_bits() < proto_hash->OUTPUT_LENGTH*8)
+ {
+ printf("%d %d\n", key.max_input_bits(), proto_hash->OUTPUT_LENGTH*8);
+ throw Invalid_Argument("Key is too small for chosen hash function");
+ }
+
if(algo_name == "RSA")
{
- padding = "EMSA3(SHA-160)";
+ padding = "EMSA3";
format = IEEE_1363;
}
else if(algo_name == "DSA")
{
- padding = "EMSA1(SHA-160)";
+ padding = "EMSA1";
format = DER_SEQUENCE;
}
else if(algo_name == "ECDSA")
{
- padding = "EMSA1_BSI(SHA-160)";
+ padding = "EMSA1_BSI";
format = IEEE_1363;
}
else
throw Invalid_Argument("Unknown X.509 signing key type: " + algo_name);
+ padding = padding + '(' + proto_hash->name() + ')';
+
sig_algo.oid = OIDS::lookup(algo_name + "/" + padding);
std::auto_ptr<X509_Encoder> encoding(key.x509_encoder());
diff --git a/src/cert/x509/x509_ca.h b/src/cert/x509/x509_ca.h
index ef2a8d134..6eb4bbbef 100644
--- a/src/cert/x509/x509_ca.h
+++ b/src/cert/x509/x509_ca.h
@@ -50,7 +50,8 @@ class BOTAN_DLL X509_CA
* as the offset from the current time
* @return the new CRL
*/
- X509_CRL new_crl(RandomNumberGenerator& rng, u32bit = 0) const;
+ X509_CRL new_crl(RandomNumberGenerator& rng,
+ u32bit next_update = 0) const;
/**
* Create a new CRL by with additional entries.
@@ -65,27 +66,45 @@ class BOTAN_DLL X509_CA
RandomNumberGenerator& rng,
u32bit next_update = 0) const;
- static X509_Certificate make_cert(PK_Signer*,
- RandomNumberGenerator&,
- const AlgorithmIdentifier&,
- const MemoryRegion<byte>&,
- const X509_Time&, const X509_Time&,
- const X509_DN&, const X509_DN&,
- const Extensions&);
+ /**
+ * Interface for creating new certificates
+ * @param signer a signing object
+ * @param rng a random number generator
+ * @param sig_algo the signature algorithm identifier
+ * @param not_before the start time of the certificate
+ * @param not_after the end time of the certificate
+ * @param issuer_dn the DN of the issuer
+ * @param subject_dn the DN of the subject
+ * @param extensions an optional list of certificate extensions
+ * @returns newly minted certificate
+ */
+ static X509_Certificate make_cert(PK_Signer* signer,
+ RandomNumberGenerator& rng,
+ const AlgorithmIdentifier& sig_algo,
+ const MemoryRegion<byte>& pub_key,
+ const X509_Time& not_before,
+ const X509_Time& not_after,
+ const X509_DN& issuer_dn,
+ const X509_DN& subject_dn,
+ const Extensions& extensions);
/**
* Create a new CA object.
* @param ca_certificate the certificate of the CA
* @param key the private key of the CA
*/
- X509_CA(const X509_Certificate& ca_certificate, const Private_Key& key);
+ X509_CA(const X509_Certificate& ca_certificate,
+ const Private_Key& key,
+ const std::string& hash_fn);
+
~X509_CA();
private:
X509_CA(const X509_CA&) {}
X509_CA& operator=(const X509_CA&) { return (*this); }
- X509_CRL make_crl(const std::vector<CRL_Entry>&,
- u32bit, u32bit, RandomNumberGenerator&) const;
+ X509_CRL make_crl(const std::vector<CRL_Entry>& entries,
+ u32bit crl_number, u32bit next_update,
+ RandomNumberGenerator& rng) const;
AlgorithmIdentifier ca_sig_algo;
X509_Certificate cert;
@@ -96,13 +115,14 @@ class BOTAN_DLL X509_CA
* Choose the default signature format for a certain public key signature
* scheme.
* @param key will be the key to choose a padding scheme for
+* @param hash_fn is the desired hash function
* @param alg_id will be set to the chosen scheme
* @return A PK_Signer object for generating signatures
*/
BOTAN_DLL PK_Signer* choose_sig_format(const Private_Key& key,
+ const std::string& hash_fn,
AlgorithmIdentifier& alg_id);
-
}
#endif
diff --git a/src/cert/x509/x509self.cpp b/src/cert/x509/x509self.cpp
index 8afb22a7e..f915c6ff5 100644
--- a/src/cert/x509/x509self.cpp
+++ b/src/cert/x509/x509self.cpp
@@ -65,6 +65,7 @@ namespace X509 {
*/
X509_Certificate create_self_signed_cert(const X509_Cert_Options& opts,
const Private_Key& key,
+ const std::string& hash_fn,
RandomNumberGenerator& rng)
{
AlgorithmIdentifier sig_algo;
@@ -72,7 +73,7 @@ X509_Certificate create_self_signed_cert(const X509_Cert_Options& opts,
AlternativeName subject_alt;
MemoryVector<byte> pub_key = shared_setup(opts, key);
- std::auto_ptr<PK_Signer> signer(choose_sig_format(key, sig_algo));
+ std::auto_ptr<PK_Signer> signer(choose_sig_format(key, hash_fn, sig_algo));
load_info(opts, subject_dn, subject_alt);
Key_Constraints constraints;
@@ -103,6 +104,7 @@ X509_Certificate create_self_signed_cert(const X509_Cert_Options& opts,
*/
PKCS10_Request create_cert_req(const X509_Cert_Options& opts,
const Private_Key& key,
+ const std::string& hash_fn,
RandomNumberGenerator& rng)
{
AlgorithmIdentifier sig_algo;
@@ -110,7 +112,7 @@ PKCS10_Request create_cert_req(const X509_Cert_Options& opts,
AlternativeName subject_alt;
MemoryVector<byte> pub_key = shared_setup(opts, key);
- std::auto_ptr<PK_Signer> signer(choose_sig_format(key, sig_algo));
+ std::auto_ptr<PK_Signer> signer(choose_sig_format(key, hash_fn, sig_algo));
load_info(opts, subject_dn, subject_alt);
const u32bit PKCS10_VERSION = 0;
diff --git a/src/cert/x509/x509self.h b/src/cert/x509/x509self.h
index bd3e29179..741350067 100644
--- a/src/cert/x509/x509self.h
+++ b/src/cert/x509/x509self.h
@@ -172,12 +172,14 @@ namespace X509 {
* @param opts the options defining the certificate to create
* @param key the private key used for signing, i.e. the key
* associated with this self-signed certificate
+* @param hash_fn the hash function to use
* @param rng the rng to use
* @return the newly created self-signed certificate
*/
BOTAN_DLL X509_Certificate
create_self_signed_cert(const X509_Cert_Options& opts,
const Private_Key& key,
+ const std::string& hash_fn,
RandomNumberGenerator& rng);
/**
@@ -185,10 +187,12 @@ create_self_signed_cert(const X509_Cert_Options& opts,
* @param opts the options defining the request to create
* @param key the key used to sign this request
* @param rng the rng to use
+* @param hash_fn the hash function to use
* @return the newly created PKCS#10 request
*/
BOTAN_DLL PKCS10_Request create_cert_req(const X509_Cert_Options& opts,
const Private_Key& key,
+ const std::string& hash_fn,
RandomNumberGenerator& rng);
}