WvX509Mgr Class Reference

#include <wvx509.h>


Detailed Description

X509 Class to handle certificates and their related functions.

Definition at line 42 of file wvx509.h.

Public Types

enum  DumpMode {
  CertPEM = 0, CertDER, RsaPEM, RsaPubPEM,
  RsaRaw
}
 Type for the encode() and decode() methods.

Public Member Functions

 WvX509Mgr ()
 Initialize a completely empty X509 Object with an X509 certificate that doesn't have anything in it.
 WvX509Mgr (X509 *_cert)
 Initialize a blank X509 Object with the certificate *cert (used for client side operations...).
 WvX509Mgr (WvStringParm hexcert, WvStringParm hexrsa)
 Constructor to initialize this object with a pre-existing certificate and key.
 WvX509Mgr (WvStringParm _dname, WvRSAKey *_rsa)
 Constructor to create a self-signed certificate for the given dn and RSA key.
 WvX509Mgr (WvStringParm _dname, int bits)
 Constructor to create a new self-signed certificate for the given dn and number of bits.
virtual ~WvX509Mgr ()
 Destructor.
bool bind_ssl (SSL_CTX *ctx)
 Avoid a lot of ugliness by having it so that we are binding to the SSL context, and not the other way around, since that would make ownership of the cert and rsa keys ambiguous.
const WvRSAKey & get_rsa ()
 Accessor for the RSA Keys.
X509 * get_cert () const
 Allow us to access the certificate member - this will be going away eventually, but for now, it gets us out of a couple of issues :/.
void set_pubkey (WvRSAKey *rsa_pubkey)
 Set the public key of the certificate to the public key rsa_pubkey.
void create_selfsigned (bool is_ca=false)
 Given the Distinguished Name dname and an already generated keypair in rsa, return a Self Signed Certificate in cert.
WvString certreq ()
 Create a certificate request (PKCS#10) using this function.
WvString signreq (WvStringParm pkcs10req)
 Take the PKCS#10 request in the string pkcs10req, sign it with the private key in rsa, and then spit back a new X509 Certificate in PEM format.
bool signcert (X509 *cert)
 Sign the certificate with our keys.
bool signcrl (WvCRLMgr *crl)
 Take the CRL in crl, and sign it.
bool test ()
 Test to make sure that a certificate and a keypair go together.
void unhexify (WvStringParm encodedcert)
 Given a hexified certificate, fill the cert member. NOTE: ALWAYS load your RSA Keys before calling this! If you have hexify()'d keys, it is best to simply use the proper constructor.
WvString hexify ()
 Given the X509 certificate object cert, return a hexified string useful in a WvConf or UniConf file.
bool validate (WvX509Mgr *cacert=NULL, X509_CRL *crl=NULL)
 Function to verify the validity of a certificate that has been placed in cert.
bool signedbyCAindir (WvStringParm certdir)
 Check the certificate in cert against the CA certificates in certdir - returns true if cert was signed by one of the CA certificates.
bool signedbyCAinfile (WvStringParm certfile)
 Check the certificate in cert against the CA certificate in certfile - returns true if cert was signed by that CA certificate.
bool signedbyCA (WvX509Mgr *cacert)
 Check the certificate in cert against the CA certificate in cacert - returns true if cert was signed by that CA certificate.
WvString sign (WvBuf &data)
 Sign the contents of data and return the signature as a BASE64 string.
WvString sign (WvStringParm data)
bool verify (WvBuf &original, WvStringParm signature)
 Verify that the contents of data were signed by the certificate currently in cert.
bool verify (WvStringParm original, WvStringParm signature)
WvString encode (const DumpMode mode)
 Return the information requested by mode as a WvString.
void decode (const DumpMode mode, WvStringParm PemEncoded)
 Load the information from the format requested by mode into the class - this overwrites the certificate, and possibly the key - and to enable two stage loading (the certificate first, then the key), it DOES NOT call test() - that will be up to the programmer.
void write_p12 (WvStringParm filename)
 And of course, since PKCS12 files are in the ridiculous DER encoding format, which is binary, we can't use the encode/decode functions, so we deal straight with files.
void read_p12 (WvStringParm filename)
 And this reads from the file specified in filename, and fills the RSA and cert members with the decoded information.
void setPkcs12Password (WvStringParm passwd)
 Sets the PKCS12 password.
WvString get_issuer ()
 Get and set the Certificate Issuer (usually the CA who signed the certificate).
void set_issuer (WvStringParm name)
WvString get_subject ()
 Get and set the Subject field of the certificate.
void set_subject (WvStringParm name)
void set_subject (X509_NAME *name)
WvString get_serial ()
 Get and set the serialNumber field of the certificate.
void set_serial (long serial_no)
WvString get_nscomment ()
 Get and set the Netscape Comment extension.
void set_nscomment (WvStringParm comment)
WvString get_nsserver ()
 Get and set the Netscape SSL Server extension.
void set_nsserver (WvStringParm server_fqdn)
WvString get_crl_dp ()
 Get the CRL Distribution points if they exist, or WvString::null if they don't.
void set_crl_dp (WvStringList &list)
 Set a list of CRL Distribution points - can be any valid URI but usually is either LDAP or HTTP.
WvString get_cp_oid ()
 Return the Certificate Policy OID if it exists, and WvString::null if it doesn't.
void set_cp_oid (WvStringParm oid, WvStringParm url)
 Set the Certificate Policy OID from the string given by oid, e.g. 1.2.3.4.5.6.7.8, and an optional URL that points to its CPS.
void set_version ()
 Set the Certificate to use X509v3, since that's all modern PKI uses anyways :).
WvString get_key_usage ()
 Get and set the keyUsage field.
void set_key_usage (WvStringParm values)
WvString get_ext_key_usage ()
 Get and set the extendedKeyUsage field.
void set_ext_key_usage (WvStringParm values)
WvString get_altsubject ()
 Return the Subject alt name if it exists, and WvString::null if it doesn't.
void set_altsubject (WvStringParm name)
 Set the Subject Alt Name.
WvString get_constraints ()
 Get and Set the Policy Constraints extension.
void set_constraints (WvStringParm constraint)
ASN1_TIME * get_notvalid_before ()
 Return the notBefore and notAfter times of the certificate.
ASN1_TIME * get_notvalid_after ()
void set_lifetime (long seconds)
 Set the lifetime to be used for this certificate.
void set_aia (WvStringParm identifier)
 Get and Set the Authority Identifier information.
WvString get_aia ()
void set_dname (WvStringParm _dname)
void set_rsakey (WvRSAKey *_rsa)
virtual bool isok () const
 Is this certificate Object valid, and in a non-error state.
virtual WvString errstr () const
virtual int geterr () const
 If isok() is false, return the system error number corresponding to the error, -1 for a special error string (which you can obtain with errstr()) or 0 on end of file.
int get () const
WvString str () const
void set (int _errnum)
void set (WvStringParm specialerr)
void set (WVSTRING_FORMAT_DECL)
void set (const WvErrorBase &err)
void set_both (int _errnum, WvStringParm specialerr)
void reset ()
virtual void seterr (int _errnum)
 Set the errnum variable -- we have an error.
void seterr (WvStringParm specialerr)
void seterr (WVSTRING_FORMAT_DECL)
void seterr (const WvErrorBase &err)
void seterr_both (int _errnum, WvStringParm specialerr)
void noerr ()
 Reset our error state - there's no error condition anymore.
virtual unsigned int addRef ()=0
 Indicate you are using this object.
virtual unsigned int release ()=0
 Indicate that you are finished using this object.
virtual IObject * getInterface (const UUID &)=0
 Returns the requested XPLC interface.
virtual IWeakRef * getWeakRef ()=0
 Return a weak reference to this object.

Static Public Member Functions

static WvString strerror (int errnum)
 A replacement for the operating system strerror() function that can map more kinds of error strings (especially in win32).

Protected Attributes

int errnum
WvString errstring


Member Enumeration Documentation

enum WvX509Mgr::DumpMode

Type for the encode() and decode() methods.

CertPEM = PEM Encoded X.509 Certificate
CertDER = DER Encoded X.509 Certificate returned in Base64
CertSMIME = SMIME "Certificate" usable for userSMIMECertificate ldap entry, again in Base64
RsaPEM = PEM Encoded RSA Private Key
RsaPubPEM = PEM Encoded RSA Public Key
RsaRaw = Raw form of RSA Key (unused by most programs, FreeS/WAN being the notable exception)

Definition at line 57 of file wvx509.h.
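decode() overwrites the loaded certificate, and possibly the key, without calling test(), so it pays to confirm that a string really carries the framing the chosen DumpMode implies before handing it over. The following is an added example and not WvStreams code: the enum mirrors the one above, the PEM labels for the RSA modes are assumed to be the OpenSSL ones, and RsaRaw, whose framing this page does not describe, is rejected rather than guessed.

```cpp
// Added example, not part of WvStreams: check that a string has the framing
// WvX509Mgr::decode(mode, ...) will expect for the given DumpMode, so a
// mismatched blob is caught before decode() overwrites the cert or key.
// The enum mirrors the page; the PEM labels are assumed (OpenSSL's RSA ones).
#include <cctype>
#include <string>

enum DumpMode { CertPEM = 0, CertDER, RsaPEM, RsaPubPEM, RsaRaw };

// PEM armor label for the PEM-encoded modes, "" for the others.
static std::string pem_label(DumpMode mode)
{
    switch (mode) {
    case CertPEM:   return "CERTIFICATE";
    case RsaPEM:    return "RSA PRIVATE KEY";
    case RsaPubPEM: return "RSA PUBLIC KEY";
    default:        return "";
    }
}

// True when s is non-empty and contains only Base64 characters, '='
// padding and line breaks.
static bool is_base64(const std::string &s)
{
    bool seen = false;
    for (size_t i = 0; i < s.size(); ++i) {
        unsigned char c = (unsigned char)s[i];
        if (c == '\r' || c == '\n') continue;
        if (!std::isalnum(c) && c != '+' && c != '/' && c != '=') return false;
        seen = true;
    }
    return seen;
}

// CertDER: bare Base64 (the form encode() returns). PEM modes: matching
// BEGIN/END lines around a Base64 body. RsaRaw: no framing known here,
// so it is rejected rather than guessed.
bool matches_dump_mode(DumpMode mode, const std::string &encoded)
{
    if (mode == CertDER) return is_base64(encoded);
    std::string label = pem_label(mode);
    if (label.empty()) return false;
    std::string begin = "-----BEGIN " + label + "-----";
    std::string end = "-----END " + label + "-----";
    size_t b = encoded.find(begin);
    if (b == std::string::npos) return false;
    size_t body_start = b + begin.size();
    size_t e = encoded.find(end, body_start);
    if (e == std::string::npos) return false;
    return is_base64(encoded.substr(body_start, e - body_start));
}
```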


Constructor & Destructor Documentation

WvX509Mgr::WvX509Mgr (  ) 

Initialize a completely empty X509 Object with an X509 certificate that doesn't have anything in it... good for building custom certificates.

Definition at line 113 of file wvx509.cc.

WvX509Mgr::WvX509Mgr ( X509 *  _cert  ) 

Initialize a blank X509 Object with the certificate *cert (used for client side operations...).

This either initializes a completely empty object, or takes _cert, and extracts the distinguished name into dname, and the RSA public key into rsa. rsa->prv is empty.

Definition at line 91 of file wvx509.cc.

References WvErrorBase::errstr(), WvRSAKey::isok(), and WvErrorBase::seterr().

WvX509Mgr::WvX509Mgr ( WvStringParm  _dname,
WvRSAKey *  _rsa 
)

Constructor to create a self-signed certificate for the given dn and RSA key.

If you don't already have a WvRSAKey, try the other constructor, below, which creates one automatically.

For SSL Servers, the dname must contain a "cn=" section in order to validate correctly with some clients, particularly web browsers. For example, if your domain name is nit.ca, you can try this for _dname: "cn=nit.ca,o=Net Integration,c=CA", or maybe this instead: "cn=nit.ca,dc=nit,dc=ca"

We don't check automatically that your _dname complies with these restrictions, since non-SSL certificates may be perfectly valid without this. If you want to generate invalid certs, that's up to you.

Definition at line 149 of file wvx509.cc.

References create_selfsigned().

WvX509Mgr::WvX509Mgr ( WvStringParm  _dname,
int  bits 
)

Constructor to create a new self-signed certificate for the given dn and number of bits.

See the previous constructor for details on how to choose _dname. 'bits' is the number of bits in the auto-generated RSA key; 1024 or 2048 are good values for this.

Definition at line 162 of file wvx509.cc.

References create_selfsigned(), and WvErrorBase::seterr().
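Both constructors above build the subject from _dname without checking that it carries the cn= component SSL clients expect. As an added example that is not WvStreams code, here is a small parser for the "attr=value,attr=value" DN form used in these docs; it returns the cn value, or an empty string when cn is missing or the DN is malformed, so a caller can refuse to build a server certificate from a bad name.

```cpp
// Added example, not part of WvStreams: pull the cn= value out of a
// distinguished name written the way WvX509Mgr expects it,
// e.g. "cn=nit.ca,o=Net Integration,c=CA". Empty result means "no cn".
#include <cctype>
#include <string>
#include <utility>
#include <vector>

typedef std::vector<std::pair<std::string, std::string> > DnParts;

// Strip leading and trailing whitespace.
static std::string trim(const std::string &s)
{
    size_t b = 0, e = s.size();
    while (b < e && std::isspace((unsigned char)s[b])) ++b;
    while (e > b && std::isspace((unsigned char)s[e - 1])) --e;
    return s.substr(b, e - b);
}

// Split "attr=value,attr=value" into (lower-cased attr, value) pairs.
// A backslash escapes the next character, so "o=Net\, Integration" stays
// one value. Returns false if any component lacks "attr=value" shape.
bool parse_dname(const std::string &dname, DnParts &out)
{
    out.clear();
    std::vector<std::string> parts(1);
    for (size_t i = 0; i < dname.size(); ++i) {
        char c = dname[i];
        if (c == '\\' && i + 1 < dname.size())
            parts.back() += dname[++i];
        else if (c == ',')
            parts.push_back(std::string());
        else
            parts.back() += c;
    }
    for (size_t i = 0; i < parts.size(); ++i) {
        size_t eq = parts[i].find('=');
        if (eq == std::string::npos) return false;
        std::string attr = trim(parts[i].substr(0, eq));
        std::string val = trim(parts[i].substr(eq + 1));
        if (attr.empty() || val.empty()) return false;
        for (size_t j = 0; j < attr.size(); ++j)
            attr[j] = (char)std::tolower((unsigned char)attr[j]);
        out.push_back(std::make_pair(attr, val));
    }
    return true;
}

// The first cn= value in dname, or "" when absent or dname is malformed;
// a server cert built from a DN that yields "" will upset browsers.
std::string dname_cn(const std::string &dname)
{
    DnParts parts;
    if (!parse_dname(dname, parts)) return "";
    for (size_t i = 0; i < parts.size(); ++i)
        if (parts[i].first == "cn") return parts[i].second;
    return "";
}
```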


Member Function Documentation

void WvX509Mgr::set_pubkey ( WvRSAKey *  rsa_pubkey  ) 

Set the public key of the certificate to the public key rsa_pubkey.

Does NOT affect the rsa member... (FIXME!)

Definition at line 1079 of file wvx509.cc.

References WvRSAKey::rsa, and WvErrorBase::seterr().

Referenced by create_selfsigned().

void WvX509Mgr::create_selfsigned ( bool  is_ca = false  ) 

Given the Distinguished Name dname and an already generated keypair in rsa, return a Self Signed Certificate in cert.

If is_ca, it will generate a self signed certificate with the appropriate values for a certificate authority (or at least the most common ones).

Definition at line 314 of file wvx509.cc.

References WvRSAKey::isok(), set_ext_key_usage(), set_issuer(), set_key_usage(), set_lifetime(), set_nsserver(), set_pubkey(), set_serial(), set_subject(), set_version(), WvErrorBase::seterr(), and signcert().

Referenced by WvX509Mgr().

WvString WvX509Mgr::certreq (  ) 

Create a certificate request (PKCS#10) using this function. This request is what you would send off to Verisign, or Entrust.net (or any other CA), to get your real certificate. It leaves the RSA key pair in rsa, where you MUST save it for the certificate to be AT ALL valid when you get it back. Returns a PEM Encoded PKCS#10 certificate request, and leaves a self-signed temporary certificate in cert.

It uses dname as the Distinguished name to create this Request. Make sure that it has what you want in it first.

Definition at line 409 of file wvx509.cc.

References WvRSAKey::isok(), WvFastString::null, WvBufBaseCommonImpl< T >::put(), WvRSAKey::rsa, and WvErrorBase::seterr().

Referenced by signreq().

bool WvX509Mgr::signcert ( X509 *  cert  ) 

Sign the certificate with our keys... this is what you want when the signcert above doesn't set up the various parameters that you may need in your environment.

Definition at line 1395 of file wvx509.cc.

References encode(), and WvRSAKey::rsa.

Referenced by create_selfsigned(), and signreq().

bool WvX509Mgr::signcrl ( WvCRLMgr *  crl  ) 

Take the CRL in crl, and sign it.

Returns true if successful, and false if not. If false, check crl.err.geterr() for the reason.

Definition at line 1534 of file wvx509.cc.

References WvCRLMgr::getcrl(), WvRSAKey::rsa, and WvCRLMgr::setca().

bool WvX509Mgr::test (  ) 

Test to make sure that a certificate and a keypair go together.

Called internally by unhexify(), although you can call it yourself if you want to test a certificate (such as after a decode()).

Definition at line 588 of file wvx509.cc.

References encode(), WvRSAKey::getpem(), WvRSAKey::rsa, and WvErrorBase::seterr().

Referenced by read_p12(), and unhexify().

WvString WvX509Mgr::hexify (  ) 

Given the X509 certificate object cert, return a hexified string useful in a WvConf or UniConf file.

I don't provide a similar function for that for the rsa key, because you can always call get_rsa().private_str() and get_rsa().public_str() for that information.

Definition at line 678 of file wvx509.cc.

References deletev, WvString::edit(), and WvFastString::setsize().

bool WvX509Mgr::validate ( WvX509Mgr *  cacert = NULL,
X509_CRL *  crl = NULL 
)

Function to verify the validity of a certificate that has been placed in cert.

It can check and make sure that it was signed by the CA certificate cacert, and is not in the CRL crl, but at the very least, it checks and makes sure that your certificate is not expired.

Definition at line 696 of file wvx509.cc.

References WvErrorBase::seterr(), and signedbyCA().

Referenced by WvSSLStream::post_select().

bool WvX509Mgr::verify ( WvBuf &  original,
WvStringParm  signature 
)

Verify that the contents of data were signed by the certificate currently in cert.

This only checks the signature; it doesn't check the validity of the certificate.

Definition at line 1489 of file wvx509.cc.

References WvBufBaseCommonImpl< T >::peek(), WvErrorBase::seterr(), and WvBufBaseCommonImpl< T >::used().

Referenced by verify().

void WvX509Mgr::write_p12 ( WvStringParm  filename  ) 

And of course, since PKCS12 files are in the ridiculous DER encoding format, which is binary, we can't use the encode/decode functions, so we deal straight with files... *sigh*

As should be obvious, this writes the certificate and RSA keys in PKCS12 format to the file specified by filename.

Definition at line 911 of file wvx509.cc.

References WvString::edit(), WvRSAKey::rsa, and WvErrorBase::seterr().

void WvX509Mgr::set_lifetime ( long  seconds  ) 

Set the lifetime to be used for this certificate... the lifetime starts from the minute that the certificate is signed...

Definition at line 1196 of file wvx509.cc.

Referenced by create_selfsigned(), and signreq().

void WvX509Mgr::set_aia ( WvStringParm  identifier  ) 

Get and Set the Authority Identifier information.

Definition at line 1251 of file wvx509.cc.

References WvString::edit(), and WvFastString::len().

int WvX509Mgr::geterr (  )  const [virtual]

If isok() is false, return the system error number corresponding to the error, -1 for a special error string (which you can obtain with errstr()) or 0 on end of file.

If isok() is true, returns an undefined number.

Reimplemented from WvErrorBase.

Definition at line 1382 of file wvx509.cc.

References WvErrorBase::geterr().

void WvErrorBase::seterr ( int  _errnum  )  [virtual, inherited]

Set the errnum variable -- we have an error.

If called more than once, seterr() doesn't change the error code away from the previous one. That way, we remember the _original_ cause of our problems.

Subclasses may want to override seterr(int) to shut themselves down (e.g. WvStream::close()) when an error condition is set.

Note that seterr(WvString) will call seterr(-1).

Reimplemented in WvStream.

Definition at line 144 of file wverror.cc.

References WvErrorBase::errstring.

Referenced by certreq(), create_selfsigned(), decode(), WvCRLMgr::decode(), encode(), WvCRLMgr::encode(), WvRSAKey::getpem(), WvDSAKey::getpem(), read_p12(), WvGlob::set(), WvError::set(), set_pubkey(), WvStream::seterr(), WvErrorBase::seterr(), WvErrorBase::seterr_both(), sign(), signedbyCAinfile(), test(), unhexify(), validate(), verify(), write_p12(), WvCRLMgr::WvCRLMgr(), WvDSAKey::WvDSAKey(), WvMagicCircle::WvMagicCircle(), WvPam::WvPam(), WvRSAKey::WvRSAKey(), WvShmZone::WvShmZone(), and WvX509Mgr().

virtual unsigned int IObject::addRef (  )  [pure virtual, inherited]

Indicate you are using this object.

This increases the reference count of the object by one. Usually, when the reference count reaches zero, the object is freed automatically.

This is called a "strong reference", because it prevents the object from being destroyed. Strong references should thus be used carefully, as they control the lifetime of the object. For example, you do not need to call addRef() on objects passed as parameters, unless you intend to keep them.

addRef() is often called automatically for you in XPLC, but you'll have to call release() by hand sometimes unless you use xplc_ptr.

Referenced by IObjectImplInternal::getInterface(), WeakRef::getObject(), StaticServiceHandler::getObject(), HandlerNode::HandlerNode(), ObjectNode::ObjectNode(), and WvSSLStream::WvSSLStream().

virtual unsigned int IObject::release (  )  [pure virtual, inherited]

Indicate that you are finished using this object.

This decreases the reference count of the object by one. Usually, when the reference count reaches zero, the object is freed automatically.

You will usually need to manually release() any object given to you by any other XPLC function, unless you give the object to someone else who will call release.

If you use xplc_ptr, it will do this for you.

Referenced by ModuleManagerFactory::createModuleManager(), Module::Module(), mutate(), NewMoniker::resolve(), MonikerService::resolve(), Category::~Category(), CategoryIterator::~CategoryIterator(), HandlerNode::~HandlerNode(), ModuleNode::~ModuleNode(), and ObjectNode::~ObjectNode().

virtual IObject* IObject::getInterface ( const UUID &  )  [pure virtual, inherited]

Returns the requested XPLC interface.

Will return NULL if the interface is not supported. The returned interface has been addRef()ed, so you will need to release() it when done. Note that the interface returned may be a pointer to the same object or a different one - that's none of your business. Asking for the IObject interface should always return the same pointer for a given logical object, so this can be used for comparison by identity.

You should probably use the convenient mutate() and get() functions instead of this, or use an xplc_ptr, which mutates the object for you.

Referenced by get(), and mutate().

virtual IWeakRef* IObject::getWeakRef (  )  [pure virtual, inherited]

Return a weak reference to this object.

A weak reference points at the object, but does not control the lifetime of the object. An object can thus still be deleted while someone holds a weak reference. You will still need to release() the weak reference when you are done with it.

See also:
IWeakRef


The documentation for this class was generated from the following files:
Generated on Sun Sep 24 20:11:25 2006 for WvStreams by  doxygen 1.4.7