#include <wvx509.h>
Inheritance diagram for WvX509Mgr:
Definition at line 42 of file wvx509.h.
Public Types
  enum DumpMode { CertPEM = 0, CertDER, RsaPEM, RsaPubPEM, RsaRaw }
    Type for the encode() and decode() methods. More...

Public Member Functions
  WvX509Mgr ()
    Initialize a completely empty X509 Object with an X509 certificate that doesn't have anything in it.
  WvX509Mgr (X509 *_cert)
    Initialize a blank X509 Object with the certificate *cert (used for client side operations...).
  WvX509Mgr (WvStringParm hexcert, WvStringParm hexrsa)
    Constructor to initialize this object with a pre-existing certificate and key.
  WvX509Mgr (WvStringParm _dname, WvRSAKey *_rsa)
    Constructor to create a self-signed certificate for the given dn and RSA key.
  WvX509Mgr (WvStringParm _dname, int bits)
    Constructor to create a new self-signed certificate for the given dn and number of bits.
  virtual ~WvX509Mgr ()
    Destructor.
  bool bind_ssl (SSL_CTX *ctx)
    Avoid a lot of ugliness by having it so that we are binding to the SSL context, and not the other way around, since that would make ownership of the cert and rsa keys ambiguous.
  const WvRSAKey & get_rsa ()
    Accessor for the RSA Keys.
  X509 * get_cert () const
    Allow us to access the certificate member - this will be going away eventually, but for now it gets us out of a couple of issues :/
  void set_pubkey (WvRSAKey *rsa_pubkey)
    Set the public key of the certificate to the public key rsa_pubkey.
  void create_selfsigned (bool is_ca=false)
    Given the Distinguished Name dname and an already generated keypair in rsa, return a Self Signed Certificate in cert.
  WvString certreq ()
    Create a certificate request (PKCS#10) using this function.
  WvString signreq (WvStringParm pkcs10req)
    Take the PKCS#10 request in the string pkcs10req, sign it with the private key in rsa, and then spit back a new X509 Certificate in PEM format.
  bool signcert (X509 *cert)
    Sign the certificate with our keys.
  bool signcrl (WvCRLMgr *crl)
    Take the CRL in crl, and sign it.
  bool test ()
    Test to make sure that a certificate and a keypair go together.
  void unhexify (WvStringParm encodedcert)
    Given a hexified certificate, fill the cert member. NOTE: ALWAYS load your RSA Keys before calling this! If you have hexify()'d keys, it is best to simply use the proper constructor.
  WvString hexify ()
    Given the X509 certificate object cert, return a hexified string useful in a WvConf or UniConf file.
  bool validate (WvX509Mgr *cacert=NULL, X509_CRL *crl=NULL)
    Function to verify the validity of a certificate that has been placed in cert.
  bool signedbyCAindir (WvStringParm certdir)
    Check the certificate in cert against the CA certificates in certdir - returns true if cert was signed by one of the CA certificates.
  bool signedbyCAinfile (WvStringParm certfile)
    Check the certificate in cert against the CA certificate in certfile.
  bool signedbyCA (WvX509Mgr *cacert)
    Check the certificate in cert against the CA certificate in cacert.
  WvString sign (WvBuf &data)
    Sign the contents of data and return the signature as a BASE64 string.
  WvString sign (WvStringParm data)
  bool verify (WvBuf &original, WvStringParm signature)
    Verify that the contents of data were signed by the certificate currently in cert.
  bool verify (WvStringParm original, WvStringParm signature)
  WvString encode (const DumpMode mode)
    Return the information requested by mode as a WvString.
  void decode (const DumpMode mode, WvStringParm PemEncoded)
    Load the information from the format requested by mode into the class - this overwrites the certificate, and possibly the key. To enable two stage loading (the certificate first, then the key), it DOES NOT call test() - that is up to the programmer.
  void write_p12 (WvStringParm filename)
    And of course, since PKCS12 files are in the ridiculous DER encoding format, which is binary, we can't use the encode/decode functions, so we deal straight with files.
  void read_p12 (WvStringParm filename)
    And this reads from the file specified in filename, and fills the RSA and cert members with the decoded information.
  void setPkcs12Password (WvStringParm passwd)
    Sets the PKCS12 password.
  WvString get_issuer ()
    Get and set the Certificate Issuer (usually the CA who signed the certificate).
  void set_issuer (WvStringParm name)
  WvString get_subject ()
    Get and set the Subject field of the certificate.
  void set_subject (WvStringParm name)
  void set_subject (X509_NAME *name)
  WvString get_serial ()
    Get and set the serialNumber field of the certificate.
  void set_serial (long serial_no)
  WvString get_nscomment ()
    Get and set the Netscape Comment extension.
  void set_nscomment (WvStringParm comment)
  WvString get_nsserver ()
    Get and set the Netscape SSL Server extension.
  void set_nsserver (WvStringParm server_fqdn)
  WvString get_crl_dp ()
    Get the CRL Distribution points if they exist, WvString::null if they don't.
  void set_crl_dp (WvStringList &list)
    Set a list of CRL Distribution points - can be any valid URI but usually is either LDAP or HTTP.
  WvString get_cp_oid ()
    Return the Certificate Policy OID if it exists, and WvString::null if it doesn't.
  void set_cp_oid (WvStringParm oid, WvStringParm url)
    Set the Certificate Policy OID from the string given by oid, e.g. 1.2.3.4.5.6.7.8, and an optional URL that points to its CPS.
  void set_version ()
    Set the Certificate to use X509v3, since that's all modern PKI uses anyway :).
  WvString get_key_usage ()
    Get and set the keyUsage field.
  void set_key_usage (WvStringParm values)
  WvString get_ext_key_usage ()
    Get and set the extendedKeyUsage field.
  void set_ext_key_usage (WvStringParm values)
  WvString get_altsubject ()
    Return the Subject alt name if it exists, and WvString::null if it doesn't.
  void set_altsubject (WvStringParm name)
    Set the Subject Alt Name.
  WvString get_constraints ()
    Get and set the Policy Constraints extension.
  void set_constraints (WvStringParm constraint)
  ASN1_TIME * get_notvalid_before ()
    Return the not before and not after.
  ASN1_TIME * get_notvalid_after ()
  void set_lifetime (long seconds)
    Set the lifetime to be used for this certificate.
  void set_aia (WvStringParm identifier)
    Get and set the Authority Identifier information.
  WvString get_aia ()
  void set_dname (WvStringParm _dname)
  void set_rsakey (WvRSAKey *_rsa)
  virtual bool isok () const
    Is this certificate Object valid, and in a non-error state?
  virtual WvString errstr () const
  virtual int geterr () const
    If isok() is false, return the system error number corresponding to the error, -1 for a special error string (which you can obtain with errstr()) or 0 on end of file.
  int get () const
  WvString str () const
  void set (int _errnum)
  void set (WvStringParm specialerr)
  void set (WVSTRING_FORMAT_DECL)
  void set (const WvErrorBase &err)
  void set_both (int _errnum, WvStringParm specialerr)
  void reset ()
  virtual void seterr (int _errnum)
    Set the errnum variable -- we have an error.
  void seterr (WvStringParm specialerr)
  void seterr (WVSTRING_FORMAT_DECL)
  void seterr (const WvErrorBase &err)
  void seterr_both (int _errnum, WvStringParm specialerr)
  void noerr ()
    Reset our error state - there's no error condition anymore.
  virtual unsigned int addRef ()=0
    Indicate you are using this object.
  virtual unsigned int release ()=0
    Indicate that you are finished using this object.
  virtual IObject * getInterface (const UUID &)=0
    Returns the requested XPLC interface.
  virtual IWeakRef * getWeakRef ()=0
    Return a weak reference to this object.

Static Public Member Functions
  static WvString strerror (int errnum)
    A replacement for the operating system strerror() function that can map more kinds of error strings (especially in win32).

Protected Attributes
  int errnum
  WvString errstring
enum WvX509Mgr::DumpMode
Type for the encode() and decode() methods.
  CertPEM   = PEM Encoded X.509 Certificate
  CertDER   = DER Encoded X.509 Certificate returned in Base64
  CertSMIME = SMIME "Certificate" usable for userSMIMECertificate ldap entry, again in Base64
  RsaPEM    = PEM Encoded RSA Private Key
  RsaPubPEM = PEM Encoded RSA Public Key
  RsaRaw    = Raw form of RSA Key (unused by most programs, FreeS/WAN being the notable exception)
WvX509Mgr::WvX509Mgr ()
WvX509Mgr::WvX509Mgr (X509 *_cert)
Initialize a blank X509 Object with the certificate *cert (used for client side operations...).
This either initializes a completely empty object, or takes _cert, and extracts the distinguished name into dname, and the RSA public key into rsa. rsa->prv is empty.
Definition at line 91 of file wvx509.cc.
References WvErrorBase::errstr(), WvRSAKey::isok(), and WvErrorBase::seterr().
WvX509Mgr::WvX509Mgr (WvStringParm _dname, WvRSAKey *_rsa)
Constructor to create a self-signed certificate for the given dn and RSA key.
If you don't already have a WvRSAKey, try the other constructor, below, which creates one automatically.
For SSL Servers, the dname must contain a "cn=" section in order to validate correctly with some clients, particularly web browsers. For example, if your domain name is nit.ca, you can try this for _dname: "cn=nit.ca,o=Net Integration,c=CA", or maybe this instead: "cn=nit.ca,dc=nit,dc=ca"
We don't check automatically that your _dname complies with these restrictions, since non-SSL certificates may be perfectly valid without this. If you want to generate invalid certs, that's up to you.
Definition at line 149 of file wvx509.cc.
References create_selfsigned().
WvX509Mgr::WvX509Mgr (WvStringParm _dname, int bits)
Constructor to create a new self-signed certificate for the given dn and number of bits.
See the previous constructor for details on how to choose _dname. 'bits' is the number of bits in the auto-generated RSA key; 1024 or 2048 are good values for this.
Definition at line 162 of file wvx509.cc.
References create_selfsigned(), and WvErrorBase::seterr().
void WvX509Mgr::set_pubkey (WvRSAKey *rsa_pubkey)
Set the public key of the certificate to the public key rsa_pubkey.
Does NOT affect the rsa member... (FIXME!)
Definition at line 1079 of file wvx509.cc.
References WvRSAKey::rsa, and WvErrorBase::seterr().
Referenced by create_selfsigned().
void WvX509Mgr::create_selfsigned (bool is_ca = false)
Given the Distinguished Name dname and an already generated keypair in rsa, return a Self Signed Certificate in cert.
If is_ca, it will generate a self signed certificate with the appropriate values for a certificate authority (or at least the most common ones).
Definition at line 314 of file wvx509.cc.
References WvRSAKey::isok(), set_ext_key_usage(), set_issuer(), set_key_usage(), set_lifetime(), set_nsserver(), set_pubkey(), set_serial(), set_subject(), set_version(), WvErrorBase::seterr(), and signcert().
Referenced by WvX509Mgr().
WvString WvX509Mgr::certreq ()
Create a certificate request (PKCS#10) using this function.
This request is what you would send off to Verisign, or Entrust.net (or any other CA), to get your real certificate. It leaves the RSA key pair in rsa, where you MUST save it for the certificate to be AT ALL valid when you get it back. Returns a PEM Encoded PKCS#10 certificate request, and leaves the RSA keypair in rsa, and a self-signed temporary certificate in cert.
It uses dname as the Distinguished name to create this Request. Make sure that it has what you want in it first.
Definition at line 409 of file wvx509.cc.
References WvRSAKey::isok(), WvFastString::null, WvBufBaseCommonImpl< T >::put(), WvRSAKey::rsa, and WvErrorBase::seterr().
Referenced by signreq().
bool WvX509Mgr::signcert (X509 *cert)
Sign the certificate with our keys... this is what you want when the signcert above doesn't set up the various parameters that you may need in your environment.
Definition at line 1395 of file wvx509.cc.
References encode(), and WvRSAKey::rsa.
Referenced by create_selfsigned(), and signreq().
bool WvX509Mgr::signcrl (WvCRLMgr *crl)
Take the CRL in crl, and sign it.
Returns true if successful, and false if not. If false, check crl.err.geterr() for the reason.
Definition at line 1534 of file wvx509.cc.
References WvCRLMgr::getcrl(), WvRSAKey::rsa, and WvCRLMgr::setca().
bool WvX509Mgr::test ()
Test to make sure that a certificate and a keypair go together.
Called internally by unhexify(), although you can call it if you want to test a certificate yourself (such as after a decode()).
Definition at line 588 of file wvx509.cc.
References encode(), WvRSAKey::getpem(), WvRSAKey::rsa, and WvErrorBase::seterr().
Referenced by read_p12(), and unhexify().
WvString WvX509Mgr::hexify ()
Given the X509 certificate object cert, return a hexified string useful in a WvConf or UniConf file.
I don't provide a similar function for that for the rsa key, because you can always call get_rsa().private_str() and get_rsa().public_str() for that information.
Definition at line 678 of file wvx509.cc.
References deletev, WvString::edit(), and WvFastString::setsize().
bool WvX509Mgr::validate (WvX509Mgr *cacert = NULL, X509_CRL *crl = NULL)
Function to verify the validity of a certificate that has been placed in cert.
It can check and make sure that it was signed by the CA certificate cacert, and is not in the CRL crl, but at the very least it checks and makes sure that your certificate is not expired.
Definition at line 696 of file wvx509.cc.
References WvErrorBase::seterr(), and signedbyCA().
Referenced by WvSSLStream::post_select().
bool WvX509Mgr::verify (WvBuf &original, WvStringParm signature)
Verify that the contents of data were signed by the certificate currently in cert.
This only checks the signature, it doesn't check the validity of the certificate.
Definition at line 1489 of file wvx509.cc.
References WvBufBaseCommonImpl< T >::peek(), WvErrorBase::seterr(), and WvBufBaseCommonImpl< T >::used().
Referenced by verify().
void WvX509Mgr::write_p12 (WvStringParm filename)
And of course, since PKCS12 files are in the ridiculous DER encoding format, which is binary, we can't use the encode/decode functions, so we deal straight with files... *sigh*
As should be obvious, this writes the certificate and RSA keys in PKCS12 format to the file specified by filename.
Definition at line 911 of file wvx509.cc.
References WvString::edit(), WvRSAKey::rsa, and WvErrorBase::seterr().
void WvX509Mgr::set_lifetime (long seconds)
Set the lifetime to be used for this certificate... the lifetime starts from the minute that the certificate is signed.
Definition at line 1196 of file wvx509.cc.
Referenced by create_selfsigned(), and signreq().
void WvX509Mgr::set_aia (WvStringParm identifier)
Get and set the Authority Identifier information.
Definition at line 1251 of file wvx509.cc.
References WvString::edit(), and WvFastString::len().
int WvX509Mgr::geterr () const [virtual]
If isok() is false, return the system error number corresponding to the error, -1 for a special error string (which you can obtain with errstr()) or 0 on end of file.
If isok() is true, returns an undefined number.
Reimplemented from WvErrorBase.
Definition at line 1382 of file wvx509.cc.
References WvErrorBase::geterr().
void WvErrorBase::seterr (int _errnum) [virtual, inherited]
Set the errnum variable -- we have an error.
If called more than once, seterr() doesn't change the error code away from the previous one. That way, we remember the _original_ cause of our problems.
Subclasses may want to override seterr(int) to shut themselves down (eg. WvStream::close()) when an error condition is set.
Note that seterr(WvString) will call seterr(-1).
Reimplemented in WvStream.
Definition at line 144 of file wverror.cc.
References WvErrorBase::errstring.
Referenced by certreq(), create_selfsigned(), decode(), WvCRLMgr::decode(), encode(), WvCRLMgr::encode(), WvRSAKey::getpem(), WvDSAKey::getpem(), read_p12(), WvGlob::set(), WvError::set(), set_pubkey(), WvStream::seterr(), WvErrorBase::seterr(), WvErrorBase::seterr_both(), sign(), signedbyCAinfile(), test(), unhexify(), validate(), verify(), write_p12(), WvCRLMgr::WvCRLMgr(), WvDSAKey::WvDSAKey(), WvMagicCircle::WvMagicCircle(), WvPam::WvPam(), WvRSAKey::WvRSAKey(), WvShmZone::WvShmZone(), and WvX509Mgr().
virtual unsigned int IObject::addRef () [pure virtual, inherited]
Indicate you are using this object.
This increases the reference count of the object by one. Usually, when the reference count reaches zero, the object is freed automatically.
This is called a "strong reference", because it will prevent the object from being destroyed. Strong references should thus be used carefully, as they control the lifetime of the object. For example, you do not need to call addRef() on objects passed as parameters, unless you intend on keeping them.
addRef() is often called automatically for you in XPLC, but you'll have to call release() by hand sometimes unless you use xplc_ptr.
Referenced by IObjectImplInternal::getInterface(), WeakRef::getObject(), StaticServiceHandler::getObject(), HandlerNode::HandlerNode(), ObjectNode::ObjectNode(), and WvSSLStream::WvSSLStream().
virtual unsigned int IObject::release () [pure virtual, inherited]
Indicate that you are finished using this object.
This decreases the reference count of the object by one. Usually, when the reference count reaches zero, the object is freed automatically.
You will usually need to manually release() any object given to you by any other XPLC function, unless you give the object to someone else who will call release.
If you use xplc_ptr, it will do this for you.
Referenced by ModuleManagerFactory::createModuleManager(), Module::Module(), mutate(), NewMoniker::resolve(), MonikerService::resolve(), Category::~Category(), CategoryIterator::~CategoryIterator(), HandlerNode::~HandlerNode(), ModuleNode::~ModuleNode(), and ObjectNode::~ObjectNode().
virtual IObject * IObject::getInterface (const UUID &) [pure virtual, inherited]
Returns the requested XPLC interface.
Will return NULL if the interface is not supported. The returned interface has been addRef()ed, so you will need to release() it when done. Note that the interface returned may be a pointer to the same object or a different one - that's none of your business. Asking for the IObject interface should always return the same pointer for a given logical object, so this can be used for comparison by identity.
You should probably use the convenient mutate() and get() functions instead of this, or use an xplc_ptr, which mutates the object for you.
virtual IWeakRef * IObject::getWeakRef () [pure virtual, inherited]