The unified diff between revisions [2d90311d..] and [b773b0a7..] is displayed below. It can also be downloaded as a raw diff.

This diff has been restricted to the following files: 'src/x509_ca.cpp'

#
#
# patch "src/x509_ca.cpp"
#  from [3214d3375f3a9f1aa80d1599d70fef44df0302d6]
#    to [5a17c13377859c9795b8938592fa9a49281f08db]
#
============================================================
--- src/x509_ca.cpp	3214d3375f3a9f1aa80d1599d70fef44df0302d6
+++ src/x509_ca.cpp	5a17c13377859c9795b8938592fa9a49281f08db
@@ -1,9 +1,10 @@
 /*************************************************
 * X.509 Certificate Authority Source File        *
-* (C) 1999-2007 The Botan Project                *
+* (C) 1999-2008 Jack Lloyd                       *
 *************************************************/

 #include <botan/x509_ca.h>
+#include <botan/libstate.h>
 #include <botan/x509stor.h>
 #include <botan/der_enc.h>
 #include <botan/ber_dec.h>
@@ -11,10 +12,12 @@
 #include <botan/lookup.h>
 #include <botan/look_pk.h>
 #include <botan/numthry.h>
+#include <botan/parsing.h>
 #include <botan/oids.h>
 #include <botan/util.h>
 #include <algorithm>
 #include <typeinfo>
+#include <iterator>
 #include <memory>
 #include <set>

@@ -40,11 +43,9 @@ X509_Certificate X509_CA::sign_request(c
 * Sign a PKCS #10 certificate request            *
 *************************************************/
 X509_Certificate X509_CA::sign_request(const PKCS10_Request& req,
-                                       u32bit expire_time) const
+                                       const X509_Time& not_before,
+                                       const X509_Time& not_after)
    {
-   if(req.is_CA() && !global_config().option_as_bool("x509/ca/allow_ca"))
-      throw Policy_Violation("X509_CA: Attempted to sign new CA certificate");
-
    Key_Constraints constraints;
    if(req.is_CA())
       constraints = Key_Constraints(KEY_CERT_SIGN | CRL_SIGN);
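Review bot: Dropping the `x509/ca/allow_ca` policy check leaves the new `sign_request` with no guard at all around `req.is_CA()`: a PKCS #10 request that asks for CA status is now honoured unconditionally and given `KEY_CERT_SIGN | CRL_SIGN`, so the decision whether to mint a subordinate CA moves entirely to the caller without anything in the code saying so. The signature also loses its `const` qualifier, which will break any caller holding a `const X509_CA&`; if that was not intended it should be restored. At minimum I would document the new contract above the body, e.g. `// No CA policy is enforced here: the caller must decide whether a request with is_CA() set may be signed.` The function body continues past the end of this hunk.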
@@ -69,19 +70,8 @@ X509_Certificate X509_CA::sign_request(c
    extensions.add(
       new Cert_Extension::Subject_Alternative_Name(req.subject_alt_name()));

-   /*
-   extensions.add(
-      new Cert_Extension::Issuer_Alternative_Name(issuer_alt));
-   */
-
-   if(expire_time == 0)
-      expire_time = global_config().option_as_time("x509/ca/default_expire");
-
-   const u64bit current_time = system_time();
-
    return make_cert(signer, ca_sig_algo, req.raw_public_key(),
-                    X509_Time(current_time),
-                    X509_Time(current_time + expire_time),
+                    not_before, not_after,
                     cert.subject_dn(), req.subject_dn(),
                     extensions);
    }
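Review bot: `not_before` and `not_after` are forwarded to `make_cert` with no sanity check, so a caller can produce a certificate whose validity window is inverted or lies outside the CA certificate's own validity; the old code at least anchored the window at `system_time()`. If `X509_Time` supports comparison (its interface is not visible in this hunk), a guard along the lines of `if(not_after <= not_before) throw Invalid_Argument("X509_CA::sign_request: not_after precedes not_before");` before the `make_cert` call would turn a silent bad certificate into a clear error. Failing that, the precondition should be stated in a comment on the parameters. `sign_request` begins before this hunk.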
@@ -190,8 +180,10 @@ X509_CRL X509_CA::make_crl(const std::ve
    const u32bit X509_CRL_VERSION = 2;

    if(next_update == 0)
-      next_update = global_config().option_as_time("x509/crl/next_update");
+      next_update = timespec_to_u32bit(
+         global_config().option("x509/crl/next_update"));

+   // Totally stupid: ties encoding logic to the return of std::time!!
    const u64bit current_time = system_time();

    Extensions extensions;
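Review bot: The replacement on the `next_update == 0` path parses `global_config().option("x509/crl/next_update")` directly, with no check that the option is actually set, whereas the RSA-hash lookup later in this same diff throws `Invalid_State` when its option is empty. What `timespec_to_u32bit` does with an empty string is not visible here, but if it yields 0 the CRL's nextUpdate collapses onto thisUpdate, which is the kind of silent misconfiguration a CA should refuse. I would mirror the other branch: `const std::string opt = global_config().option("x509/crl/next_update");` / `if(opt == "") throw Invalid_State("No value set for x509/crl/next_update");` / `next_update = timespec_to_u32bit(opt);`. The new "Totally stupid" comment would also read better as a `// TODO:` stating what the intended fix is, since it is being committed as-is. `make_crl` begins before this hunk.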
@@ -248,13 +240,35 @@ PK_Signer* choose_sig_format(const Priva
    {
    std::string padding;
    Signature_Format format;
-   Config::choose_sig_format(key.algo_name(), padding, format);

-   sig_algo.oid = OIDS::lookup(key.algo_name() + "/" + padding);
+   const std::string algo_name = key.algo_name();

+   if(algo_name == "RSA")
+      {
+      std::string hash = global_config().option("x509/ca/rsa_hash");
+
+      if(hash == "")
+         throw Invalid_State("No value set for x509/ca/rsa_hash");
+
+      hash = global_config().deref_alias(hash);
+
+      padding = "EMSA3(" + hash + ")";
+      format = IEEE_1363;
+      }
+   else if(algo_name == "DSA")
+      {
+      std::string hash = global_config().deref_alias("SHA-1");
+      padding = "EMSA1(" + hash + ")";
+      format = DER_SEQUENCE;
+      }
+   else
+      throw Invalid_Argument("Unknown X.509 signing key type: " + algo_name);
+
+   sig_algo.oid = OIDS::lookup(algo_name + "/" + padding);
+
    std::auto_ptr<X509_Encoder> encoding(key.x509_encoder());
    if(!encoding.get())
-      throw Encoding_Error("Key " + key.algo_name() + " does not support "
+      throw Encoding_Error("Key " + algo_name + " does not support "
                            "X.509 encoding");

    sig_algo.parameters = encoding->alg_id().parameters;
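Review bot: In the RSA branch the config-supplied hash name is spliced into `padding` and then into `OIDS::lookup(algo_name + "/" + padding)` without checking that the lookup produced a known OID. Whether `OIDS::lookup` throws or returns an empty OID on a miss is not visible here; if it is the latter, a typo in `x509/ca/rsa_hash` would yield a signature AlgorithmIdentifier with an empty OID instead of a clear error, so a check on `sig_algo.oid` right after the lookup (or a comment confirming lookup throws) is worth adding. It would also help a reader to note why DSA is pinned to SHA-1 while RSA is configurable, e.g. `// DSA signatures are fixed to SHA-1 here; the RSA hash is taken from x509/ca/rsa_hash.` `choose_sig_format` both starts before and continues after this hunk.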