Commit faf135d

committed
CRLs
1 parent a48acb5 commit faf135d

File tree

10 files changed

+1089
-348
lines changed

doc/api_ref/ffi.rst

Lines changed: 64 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -1670,20 +1670,20 @@ X.509 Certificates
16701670

16711671
Return the subject key ID set in the certificate, which may be empty.
16721672

1673-
.. cpp:function::int botan_x509_get_basic_constraints(botan_x509_cert_t cert, int* is_ca, size_t* limit)
1673+
.. cpp:function::int botan_x509_cert_is_ca(botan_x509_cert_t cert, int* is_ca, size_t* limit)
16741674

16751675
Checks whether the certificate is a CA certificate and sets ``is_ca`` to 1 if it is, 0 otherwise.
16761676
If it is a CA certificate, ``limit`` is set to the path limit, otherwise 0.
16771677

1678-
.. cpp:function::int botan_x509_get_key_constraints(botan_x509_cert_t cert, uint32_t* usage)
1678+
.. cpp:function::int botan_x509_cert_get_key_constraints(botan_x509_cert_t cert, uint32_t* usage)
16791679

16801680
Returns the key usage constraints.
16811681

1682-
.. cpp:function::int botan_x509_get_ocsp_responder(botan_x509_cert_t cert, botan_view_ctx ctx, botan_view_str_fn view)
1682+
.. cpp:function::int botan_x509_cert_get_ocsp_responder(botan_x509_cert_t cert, botan_view_ctx ctx, botan_view_str_fn view)
16831683

16841684
Returns the OCSP responder.
16851685

1686-
.. cpp:function::int botan_x509_is_self_signed(botan_x509_cert_t cert, int* out)
1686+
.. cpp:function::int botan_x509_cert_is_self_signed(botan_x509_cert_t cert, int* out)
16871687

16881688
Checks whether the certificate is self signed and sets ``out`` to 1 if it is, 0 otherwise.
16891689

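Review bot: the renamed directives in this hunk (`botan_x509_cert_is_ca`, `botan_x509_cert_get_key_constraints`, `botan_x509_cert_get_ocsp_responder`, `botan_x509_cert_is_self_signed`) rename public FFI entry points; if the old `botan_x509_get_*` and `botan_x509_is_self_signed` names have shipped in a release, the doc should carry a deprecation note or the old names should remain as aliases, and the break belongs in the changelog. Also, every directive here is written `.. cpp:function::int` with no space after `::`, while the CRL hunk later in this same file writes `.. cpp:function:: int`; the file should settle on one form.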
@@ -1800,11 +1800,11 @@ X.509 Certificates
18001800

18011801
Destroy the IP Address Blocks object.
18021802

1803-
.. cpp:function::int botan_x509_ext_create_ip_addr_blocks(botan_x509_ext_ip_addr_blocks_t* ip_addr_blocks)
1803+
.. cpp:function::int botan_x509_ext_ip_addr_blocks_create(botan_x509_ext_ip_addr_blocks_t* ip_addr_blocks)
18041804

18051805
Create a new IP Address Blocks object.
18061806

1807-
.. cpp:function::int botan_x509_ext_create_ip_addr_blocks_from_cert(botan_x509_cert_t cert, \
1807+
.. cpp:function::int botan_x509_ext_ip_addr_blocks_create_from_cert(botan_x509_cert_t cert, \
18081808
botan_x509_ext_ip_addr_blocks_t* ip_addr_blocks)
18091809

18101810
Get an IP Address Blocks object from a certificate. Cannot be mutated.
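Review bot: `botan_x509_ext_ip_addr_blocks_create_from_cert` is documented as "Cannot be mutated", but the text does not say what a caller gets when such an object is passed to one of the mutating `botan_x509_ext_ip_addr_blocks_*` calls. State the error code that is returned; a silent no-op and an error are very different outcomes for code that builds this extension from an existing certificate.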
@@ -1876,11 +1876,11 @@ X.509 Certificates
18761876

18771877
Destroy the AS Blocks object.
18781878

1879-
.. cpp:function::int botan_x509_ext_create_as_blocks(botan_x509_ext_as_blocks_t* as_blocks)
1879+
.. cpp:function::int botan_x509_ext_as_blocks_create(botan_x509_ext_as_blocks_t* as_blocks)
18801880

18811881
Create a new AS Blocks object.
18821882

1883-
.. cpp:function::int botan_x509_ext_create_as_blocks_from_cert(botan_x509_cert_t cert, botan_x509_ext_as_blocks_t* as_blocks)
1883+
.. cpp:function::int botan_x509_ext_as_blocks_create_from_cert(botan_x509_cert_t cert, botan_x509_ext_as_blocks_t* as_blocks)
18841884

18851885
Get an AS Blocks object from a certificate. Cannot be mutated.
18861886

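Review bot: `botan_x509_ext_as_blocks_create_from_cert` says "Cannot be mutated" without stating which error code a mutating call on the returned object produces; add that sentence so callers can distinguish a rejected modification from a successful one.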
@@ -1919,12 +1919,11 @@ X.509 Certificates
19191919

19201920
.. cpp:function::int botan_x509_cert_params_builder_destroy(botan_x509_cert_params_builder_t builder)
19211921

1922-
Destroy the options object.
1922+
Destroy the Certificate Params Builder object.
19231923

1924-
.. cpp:function::int botan_x509_create_cert_params_builder(botan_x509_cert_params_builder_t* builder_obj);
1924+
.. cpp:function::int botan_x509_cert_params_builder_create(botan_x509_cert_params_builder_t* builder_obj);
19251925

1926-
Create a new certificate builder object. ``opts`` defines the common name (e.g. `common_name/country/organization/organizational_unit`).
1927-
``expire_time`` if given is the expiration time from current clock in seconds.
1926+
Create a new Certificate Params Builder object.
19281927

19291928
.. cpp:function::int botan_x509_cert_params_builder_add_common_name(botan_x509_cert_params_builder_t builder, const char* name);
19301929

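Review bot: `botan_x509_cert_params_builder_create(botan_x509_cert_params_builder_t* builder_obj);` keeps a trailing semicolon on the directive line while `botan_x509_cert_params_builder_destroy(...)` a few lines above has none; the `cpp:function` directives in this file should agree. Dropping the stale `opts` and `expire_time` text is right, but the replacement "Create a new Certificate Params Builder object." could state the builder's initial state (which fields are unset until the `add_*`/`set_*` calls are made), since the old text at least described which fields the options carried.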
@@ -1954,7 +1953,7 @@ X.509 Certificates
19541953

19551954
.. cpp:function::int botan_x509_cert_params_builder_add_allowed_extended_usage(botan_x509_cert_params_builder_t builder, botan_asn1_oid_t oid);
19561955

1957-
.. cpp:function::int botan_x509_cert_params_builder_set_as_ca_certificate(botan_x509_cert_params_builder_t builder, size_t limit);
1956+
.. cpp:function::int botan_x509_cert_params_builder_set_as_ca_certificate(botan_x509_cert_params_builder_t builder, size_t limit=None);
19581957

19591958
Mark the certificate for CA usage.
19601959

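Review bot: `size_t limit=None` in the new signature of `botan_x509_cert_params_builder_set_as_ca_certificate` is not valid C; `None` is a Python value, and a `size_t` parameter cannot carry a default in a C API. Keep the signature as `size_t limit` and describe in the prose which value of `limit` means "no path length constraint".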
@@ -1964,12 +1963,13 @@ X.509 Certificates
19641963
.. cpp:function::int botan_x509_cert_params_builder_add_ext_as_blocks(botan_x509_cert_params_builder_t builder, \
19651964
botan_x509_ext_as_blocks_t as_blocks, int is_critical);
19661965

1967-
.. cpp:function::int botan_x509_create_self_signed_cert(botan_x509_cert_t* cert_obj, \
1966+
.. cpp:function::int botan_x509_cert_create_self_signed(botan_x509_cert_t* cert_obj, \
19681967
botan_privkey_t key, \
19691968
botan_x509_cert_params_builder_t builder, \
19701969
botan_rng_t rng, \
19711970
uint64_t not_before, \
19721971
uint64_t not_after, \
1972+
const botan_mp_t* serial_number, \
19731973
const char* hash_fn, \
19741974
const char* padding)
19751975

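Review bot: the new `const botan_mp_t* serial_number` parameter of `botan_x509_cert_create_self_signed` is added without any description. Document whether `NULL` is accepted and which serial the certificate then receives (the Python wrapper in this commit defaults `serial_number=None`, which suggests the argument is optional), and say why a pointer to the `botan_mp_t` handle is taken rather than the handle itself, since readers will otherwise assume it is a mistake.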
@@ -1983,7 +1983,20 @@ X.509 Certificates
19831983

19841984
Destroy the PKCS #10 certificate request object.
19851985

1986-
.. cpp:function::int botan_x509_create_pkcs10_req(botan_x509_pkcs10_req_t* req_obj, \
1986+
.. cpp:function::int botan_x509_pkcs10_req_load_file(botan_x509_pkcs10_req_t* req_obj, const char* req_path)
1987+
1988+
.. cpp:function::int botan_x509_pkcs10_req_load(botan_x509_pkcs10_req_t* req_obj, const uint8_t req_bits[], size_t req_bits_len)
1989+
1990+
.. cpp:function::int int botan_x509_pkcs10_req_get_public_key(botan_x509_pkcs10_req_t req, botan_pubkey_t* key)
1991+
1992+
.. cpp:function::int int botan_x509_pkcs10_req_get_key_constraints(botan_x509_pkcs10_req_t req, uint32_t* usage)
1993+
1994+
.. cpp:function::int int botan_x509_pkcs10_req_is_ca(botan_x509_pkcs10_req_t req, int* is_ca, size_t* limit)
1995+
1996+
.. cpp:function::int int botan_x509_pkcs10_req_verify_signature(botan_x509_pkcs10_req_t req, botan_pubkey_t key, int* result)
1997+
1998+
1999+
.. cpp:function::int botan_x509_pkcs10_req_create(botan_x509_pkcs10_req_t* req_obj, \
19872000
botan_privkey_t key, \
19882001
botan_x509_cert_params_builder_t builder, \
19892002
botan_rng_t rng, \
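Review bot: four of the new directives read `.. cpp:function::int int botan_x509_pkcs10_req_...` (`get_public_key`, `get_key_constraints`, `is_ca`, `verify_signature`); the doubled `int` is a typo. None of the six new functions has a description. In particular, `botan_x509_pkcs10_req_verify_signature(botan_x509_pkcs10_req_t req, botan_pubkey_t key, int* result)` should state what `result` holds (1 for a valid signature and 0 otherwise would follow `botan_x509_cert_is_self_signed` above) and what the return code is when the key does not match the request, and `botan_x509_pkcs10_req_load` should say whether both PEM and DER input are accepted.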
@@ -1995,13 +2008,16 @@ X.509 Certificates
19952008

19962009
.. cpp:function::int botan_x509_pkcs10_req_view_pem(botan_x509_pkcs10_req_t req, botan_view_ctx ctx, botan_view_str_fn view)
19972010

1998-
.. cpp:function::int botan_x509_sign_req(botan_x509_cert_t* subject_cert, \
2011+
.. cpp:function::int int botan_x509_pkcs10_req_view_der(botan_x509_pkcs10_req_t req, botan_view_ctx ctx, botan_view_bin_fn view)
2012+
2013+
.. cpp:function::int botan_x509_pkcs10_req_sign(botan_x509_cert_t* subject_cert, \
19992014
botan_x509_pkcs10_req_t subject_req, \
20002015
botan_x509_cert_t issuing_cert, \
20012016
botan_privkey_t issuing_key, \
20022017
botan_rng_t rng, \
20032018
uint64_t not_before, \
20042019
uint64_t not_after, \
2020+
const botan_mp_t* serial_number, \
20052021
const char* hash_fn, \
20062022
const char* padding)
20072023

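Review bot: `.. cpp:function::int int botan_x509_pkcs10_req_view_der(...)` repeats `int`. The added `const botan_mp_t* serial_number` parameter of `botan_x509_pkcs10_req_sign` has no description; state whether `NULL` is allowed and what serial the issued certificate gets in that case. Since the issuer chooses the serial and CRL entries are keyed on it (see `botan_x509_crl_get_entry` in the next hunk), the doc should also say that keeping serials unique per issuer is the caller's responsibility.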
@@ -2023,6 +2039,38 @@ X.509 Certificate Revocation Lists
20232039

20242040
Load a CRL from a file.
20252041

2042+
.. cpp:function:: int botan_x509_crl_create(botan_x509_crl_t* crl_obj, \
2043+
botan_rng_t rng, \
2044+
botan_x509_cert_t ca_cert, \
2045+
botan_privkey_t ca_key, \
2046+
uint64_t issue_time, \
2047+
uint32_t next_update, \
2048+
const char* hash_fn, \
2049+
const char* padding)
2050+
2051+
.. cpp:function:: int botan_x509_crl_update(botan_x509_crl_t* crl_obj, \
2052+
botan_x509_crl_t last_crl, \
2053+
botan_rng_t rng, \
2054+
botan_x509_cert_t ca_cert, \
2055+
botan_privkey_t ca_key, \
2056+
uint64_t issue_time, \
2057+
uint32_t next_update, \
2058+
const botan_x509_cert_t* revoked, \
2059+
size_t revoked_len, \
2060+
uint8_t reason, \
2061+
const char* hash_fn, \
2062+
const char* padding)
2063+
2064+
.. cpp:function:: int botan_x509_crl_get_count(botan_x509_crl_t crl, size_t* count);
2065+
2066+
.. cpp:function:: int botan_x509_crl_get_entry(botan_x509_crl_t crl, size_t i, uint8_t serial[], size_t* serial_len, uint64_t* expire_time, uint8_t* reason)
2067+
2068+
.. cpp:function:: int botan_x509_crl_verify_signature(botan_x509_crl_t crl, botan_pubkey_t key, int* result)
2069+
2070+
.. cpp:function:: int botan_x509_crl_view_pem(botan_x509_crl_t crl, botan_view_ctx ctx, botan_view_str_fn view)
2071+
2072+
.. cpp:function:: int botan_x509_crl_view_der(botan_x509_crl_t crl, botan_view_ctx ctx, botan_view_bin_fn view)
2073+
20262074
.. cpp:function:: int botan_x509_crl_destroy(botan_x509_crl_t crl)
20272075

20282076
Destroy the CRL object.
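Review bot: the eight new CRL functions in this hunk have no descriptive text at all, and several details need stating. `issue_time` is `uint64_t` while `next_update` is `uint32_t`, so the reader must be told that `next_update` is a duration in seconds relative to `issue_time` (as the Python docs in this commit say) and not an absolute time. `botan_x509_crl_update` takes a single `uint8_t reason` for the whole `revoked` array, so every certificate revoked in one call shares one reason code; say so, and say which values `reason` accepts. `botan_x509_crl_get_entry` writes into `uint8_t serial[]` with `size_t* serial_len`, so it should say whether it follows the FFI's usual insufficient-buffer-space convention when the buffer is too small. The out-parameter named `expire_time` in `get_entry` is also misleading for a CRL entry, whose field is the revocation date; consider `revocation_time`. Finally, `botan_x509_crl_get_count(botan_x509_crl_t crl, size_t* count);` carries a trailing semicolon unlike its neighbours.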

doc/api_ref/python.rst

Lines changed: 51 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -561,6 +561,14 @@ Multiple Precision Integers (MPI)
561561
Most of the usual arithmetic operators (``__add__``, ``__mul__``, etc) are
562562
defined.
563563
564+
.. py:classmethod:: from_bytes(buf)
565+
566+
Create a new MPI object from the big-endian binary encoding produced by ``to_bytes()``.
567+
568+
.. py:method:: to_bytes()
569+
570+
Return a big-endian binary encoding of the number.
571+
564572
.. py:method:: inverse_mod(modulus)
565573
566574
Return the inverse of ``self`` modulo ``modulus``, or zero if no inverse exists
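Review bot: `to_bytes()` and `from_bytes(buf)` on MPI should specify the encoding precisely: whether the output is the minimal-length big-endian encoding or a fixed width, how zero is encoded (empty buffer or a single zero byte), and whether negative values are representable at all. Given that this commit introduces MPI serial numbers for certificates and CRLs, an ambiguous length or sign rule is a correctness issue rather than a nicety.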
@@ -755,7 +763,7 @@ X509CertificateBuilder
755763
756764
.. py:method:: add_ext_as_blocks(as_blocks, is_critical)
757765
758-
.. py:method:: create_self_signed(key, rng, not_before, not_after, hash_fn=None, padding=None)
766+
.. py:method:: create_self_signed(key, rng, not_before, not_after, serial_number=None, hash_fn=None, padding=None)
759767
760768
Create a self-signed certificate from the given certificate options.
761769
``not_before`` and ``not_after`` are expected to be the time since the UNIX epoch, in seconds.
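Review bot: the new `serial_number=None` argument to `create_self_signed` needs a sentence on the accepted type (presumably an `MPI`) and on what happens when it is left as `None`, since the description below still says only "from the given certificate options" and does not mention the serial.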
@@ -771,12 +779,12 @@ X509ExtIPAddrBlocks
771779
772780
.. py:class:: X509ExtIPAddrBlocks(cert=None)
773781
774-
.. py:method:: add_ip(ip, safi=None)
782+
.. py:method:: add_addr(ip, safi=None)
775783
776784
Add a single IP address to the extension. ``ip`` is expected to be a ``list[int]``
777785
of length 4/16 for IPv4/IPv6.
778786
779-
.. py:method:: add_ip_range(min_, max_, safi=None)
787+
.. py:method:: add_range(min_, max_, safi=None)
780788
781789
Add an IP address range to the extension.
782790
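Review bot: `add_ip` to `add_addr` and `add_ip_range` to `add_range` rename public Python methods; if the old names were in a released version, keep them as deprecated aliases or record the break in the changelog. The `add_range` description should also state whether `max_` is inclusive, since the same `list[int]` form is used for both bounds.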
@@ -836,12 +844,26 @@ PKCS10Req
836844
837845
.. py:class:: PKCS10Req()
838846
847+
.. py:method:: public_key()
848+
849+
Get the public key associated with the signing request.
850+
851+
.. py:method:: key_constraints()
852+
853+
Return a list of all the key constraints listed in the signing request.
854+
855+
.. py:method:: verify(key)
856+
857+
Verify the signature of the signing request.
858+
839859
.. py:method:: sign(issuing_cert, issuing_key, rng, not_before, not_after, hash_fn=None, padding=None)
840860
841861
``not_before`` and ``not_after`` are expected to be the time since the UNIX epoch, in seconds.
842862
843863
.. py:method:: to_pem()
844864
865+
.. py:method:: to_der()
866+
845867
X509Cert
846868
-----------------------------------------
847869
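Review bot: the new `PKCS10Req` methods lack return-type and failure information: `verify(key)` should say whether it returns a bool or raises on a bad signature, `key_constraints()` should name the element type (`X509KeyConstraints`, as used for `X509Cert` in the next hunk), and `to_der()` has no description at all. The FFI side of this commit also adds `botan_x509_pkcs10_req_is_ca`, but no corresponding Python method is documented here.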
@@ -921,7 +943,7 @@ X509Cert
921943
922944
Return True if the certificates Key Usage extension contains all constraints given in ``usage_list``.
923945
Also return True if the certificate doesn't have this extension.
924-
Example usage constraints are: ``"DIGITAL_SIGNATURE"``, ``"KEY_CERT_SIGN"``, ``"CRL_SIGN"``.
946+
Example usage constraints are: ``X509KeyConstraints.DIGITAL_SIGNATURE"``, ``X509KeyConstraints.KEY_CERT_SIGN``, ``X509KeyConstraints.CRL_SIGN``.
925947
926948
.. py:method:: key_constraints()
927949
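Review bot: the first example in the changed line has a stray closing quote: ``X509KeyConstraints.DIGITAL_SIGNATURE"`` should be ``X509KeyConstraints.DIGITAL_SIGNATURE``. Since the surrounding text says the method also returns True when the certificate has no Key Usage extension, it would help readers checking key usage to have that spelled out as "a certificate without the extension passes every check", so they know to test for the extension's presence separately when they need it to be there.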
@@ -995,6 +1017,31 @@ X509CRL
9951017
A CRL in PEM or DER format can be loaded from a file, with the ``filename`` argument,
9961018
or from a bytestring, with the ``buf`` argument.
9971019
1020+
.. py:classmethod:: create(rng, ca_cert, ca_key, issue_time, next_update, hash_fn=None, padding=None)
1021+
1022+
Create a new CRL for the given CA.
1023+
``issue_time`` is expected to be the time since the UNIX epoch, in seconds, ``next_update`` the time in seconds until the next update.
1024+
1025+
1026+
.. py:method:: revoke(rng, ca_cert, ca_key, issue_time, next_update, revoked, reason, hash_fn=None, padding=None)
1027+
1028+
Revoke certificates issued by the CA.
1029+
``issue_time`` is expected to be the time since the UNIX epoch, in seconds, ``next_update`` the time in seconds until the next update.
1030+
Revoked is expected to be a list of certificates you want to revoked, reason should be of instance ``X509CRLReason``.
1031+
This method returns a new CRL, it does not modify the existing one!
1032+
1033+
.. py:method:: revoked()
1034+
1035+
Return entries listed in the CRL.
1036+
1037+
.. py:method:: verify(key)
1038+
1039+
Verify the signature of the CRL.
1040+
1041+
.. py:method:: to_pem()
1042+
1043+
.. py:method:: to_der()
1044+
9981045
9991046
10001047
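Review bot: the description of `revoke` has two grammar slips in the added lines ("a list of certificates you want to revoked" should read "want to revoke", and "of instance ``X509CRLReason``" should read "an instance of ``X509CRLReason``"). More importantly, the method is named `revoke` yet the text says it "returns a new CRL, it does not modify the existing one", so the doc should show the result being captured (``crl = crl.revoke(...)``) or the method should be renamed, because a caller who ignores the return value silently keeps the old CRL with nothing revoked. `revoked()` should state what each entry contains (serial, revocation date, reason, matching the FFI `botan_x509_crl_get_entry`), and `verify(key)` should give its return type.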
