1 /* -*- Mode: C++ -*-
2  *
3  * X.509 certificate class: This class abstracts some of the common operations
4  * performed on basic X.509 certificates (signature verification, public
5  * key identification, etc.). If you want to perform operations with
6  * a certificate and its corresponding private key, consider using WvX509Mgr
7  * instead.
8  */
9 #ifndef __WVX509_H
10 #define __WVX509_H
11 
12 #include "wvlog.h"
13 #include "wverror.h"
14 #include "wvrsa.h"
15 #include "wvstringlist.h"
16 
// Structures to make the compiler happy so we don't have to include x509v3.h ;)
// Only pointers to these OpenSSL types appear in this header, so opaque
// forward declarations are enough and the OpenSSL headers stay out of every
// translation unit that includes wvx509.h.
struct x509_st;
typedef struct x509_st X509;
struct ssl_ctx_st;
typedef struct ssl_ctx_st SSL_CTX;

struct X509_name_st;
typedef struct X509_name_st X509_NAME;

struct asn1_string_st;
typedef struct asn1_string_st ASN1_TIME;


// workaround for the fact that OpenSSL initialization stuff must be called
// only once.
// Global OpenSSL set-up / tear-down; definitions live in wvx509.cc, which is
// not visible here.
void wvssl_init();
void wvssl_free();
// presumably returns the pending OpenSSL error as text — verify in wvx509.cc
WvString wvssl_errstr();
35 
36 
/**
 * X509 Class to handle certificates and their related functions.
 *
 * Wraps a single OpenSSL X509 (the private `cert` member) and exposes the
 * common read/write operations on it.  Anything that also needs the
 * certificate's private key belongs in WvX509Mgr instead (see the file
 * header).
 */
class WvX509 : public IObject
{
    IMPLEMENT_IOBJECT(WvX509);
public:
    /** Type for the encode() and decode() methods. */
    enum DumpMode { CertPEM = 0, CertDER, CertHex, CertFilePEM, CertFileDER };

    /**
     * Digest used by get_fingerprint().  MD5 is collision-prone, so the
     * default there is FingerSHA1; a fingerprint should not be used as a
     * trust anchor on its own in either case.
     */
    enum FprintMode { FingerMD5 = 0, FingerSHA1 };

    /**
     * Initialize a completely empty X509 Object with an X509 certificate
     * that doesn't have anything in it.
     */
    WvX509();

    /**
     * Wrap an existing OpenSSL certificate.
     * NOTE(review): whether this object takes ownership of _cert (i.e. frees
     * it in the destructor) is decided in wvx509.cc, not visible here — confirm
     * before passing a pointer that another owner will free.
     */
    WvX509(X509 *_cert);

    /**
     * Copy constructor.
     * NOTE(review): a copy constructor and destructor are declared but no
     * copy-assignment operator; the implicitly generated one copies the raw
     * `cert` pointer bit-for-bit.  Confirm in wvx509.cc that assignment is
     * either never used or safe for this type.
     */
    WvX509(const WvX509 &x509);

public:
    /** Destructor. */
    virtual ~WvX509();

    /**
     * Allow us to access the certificate member - this will be going away
     * eventually, but for now, callers get the raw OpenSSL handle.
     * The pointer is not a copy; it refers to this object's internal state.
     */
    X509 *get_cert() { return cert; }

    /** Set the public key of the certificate to the public key rsa_pubkey. */
    void set_pubkey(WvRSAKey &rsa_pubkey);

    /**
     * Create a certificate request (PKCS#10) using this function.
     * @param subject  the subject name for the request
     * @param rsa      the key whose public half goes into the request
     * @return the encoded request as a WvString
     */
    static WvString certreq(WvStringParm subject, const WvRSAKey &rsa);

    /**
     * Function to verify the validity of a certificate that has been placed
     * in cert.
     * NOTE(review): with the default cacert == NULL no CA is supplied; what is
     * still checked in that case (dates, self-consistency, chain) is decided
     * in wvx509.cc — confirm before relying on the NULL form for a trust
     * decision.
     */
    bool validate(WvX509 *cacert = NULL) const;

    /** Check the certificate in cert against the CA certificate in cacert. */
    bool signedbyca(WvX509 &cacert) const;

    /**
     * Check to see if the certificate in cert was issued by the CA
     * certificate in cacert.  (Distinct from signedbyca(); the exact
     * difference is defined in wvx509.cc.)
     */
    bool issuedbyca(WvX509 &cacert) const;

    /**
     * Verify that the contents of original were signed by the certificate
     * currently in cert.
     * @param original   the signed data (buffer or string form)
     * @param signature  the signature to check
     * @return true if the signature matches
     */
    bool verify(WvBuf &original, WvStringParm signature) const;
    bool verify(WvStringParm original, WvStringParm signature) const;

    /**
     * Return the information requested by mode, either as a WvString or
     * appended to buf.
     */
    WvString encode(const DumpMode mode) const;
    void encode(const DumpMode mode, WvBuf &buf) const;

    /**
     * Load the information from the format requested by mode into the class -
     * this overwrites the existing certificate.
     */
    virtual void decode(const DumpMode mode, WvStringParm str);
    virtual void decode(const DumpMode mode, WvBuf &encoded);

    /**
     * Get and set the Certificate Issuer (usually the CA who signed the
     * certificate).  The WvX509 overload takes the issuer name from cacert.
     */
    WvString get_issuer() const;
    void set_issuer(WvStringParm name);
    void set_issuer(const WvX509 &cacert);

    /** get and set the Subject field of the certificate */
    WvString get_subject() const;
    void set_subject(WvStringParm name);
    void set_subject(X509_NAME *name);

    /**
     * get and set the serialNumber field of the certificate
     * @param hex  return the serial in hexadecimal rather than decimal form
     */
    WvString get_serial(bool hex = false) const;
    void set_serial(long serial_no);

    /** get and set the Netscape Comment extension */
    WvString get_nscomment() const;
    void set_nscomment(WvStringParm comment);

    /** get and set the Netscape SSL Server extension */
    WvString get_nsserver() const;
    void set_nsserver(WvStringParm server_fqdn);

    /**
     * get the CRL Distribution points if they exist, WvString::null if they
     * don't.
     */
    WvString get_crl_dp() const;

    /**
     * Get any certificate Policy OIDs.
     * @param policy_oids  filled with the OIDs found
     * @return whether any were present (exact meaning in wvx509.cc)
     */
    bool get_policies(WvStringList &policy_oids) const;

    /**
     * Set the Certificate Policy OIDs in the certificate to that of the input
     * array.
     */
    void set_policies(WvStringList &policy_oids);

    /** Set the Certificate to use X509v3, since that's all modern PKI uses anyways :) */
    void set_version();

    /** Get and set the keyUsage field. */
    WvString get_key_usage() const;
    void set_key_usage(WvStringParm values);

    /** Get and set the extendedKeyUsage field. */
    WvString get_ext_key_usage() const;
    void set_ext_key_usage(WvStringParm values);

    /**
     * Return the Subject alt name if it exists, and WvString::null if it
     * doesn't.
     */
    WvString get_altsubject() const;

    /** Set the Subject Alt Name. */
    void set_altsubject(WvStringParm name);

    /**
     * Get the values in the basic constraints extension.
     * @param ca       set to the CA flag
     * @param pathlen  set to the path length constraint
     * @return whether the extension was present (exact meaning in wvx509.cc)
     */
    bool get_basic_constraints(bool &ca, int &pathlen) const;

    /** Set the values in the basic constraints extension. */
    void set_basic_constraints(bool ca, int pathlen);

    /** Get the values in the policy constraints extension. */
    bool get_policy_constraints(int &require_explicit_policy,
                                int &inhibit_policy_mapping) const;
    /** Set the values in the policy constraints extension. */
    void set_policy_constraints(int require_explicit_policy,
                                int inhibit_policy_mapping);

    /** One issuer-domain -> subject-domain pair of the policy mappings extension. */
    struct PolicyMap {
        PolicyMap(WvStringParm _issuer_domain, WvStringParm _subject_domain)
        {
            issuer_domain = _issuer_domain;
            subject_domain = _subject_domain;
        }
        WvString issuer_domain;
        WvString subject_domain;
    };
    // Declares PolicyMapList, the list type used by the two methods below.
    DeclareWvList(PolicyMap);

    /** Get the policy mappings for this certificate. */
    bool get_policy_mapping(PolicyMapList &list) const;

    /** Set the policy mappings for this certificate. */
    void set_policy_mapping(PolicyMapList &list);

    /**
     * Return the not before and not after in a format we're more able to
     * easily use.
     */
    time_t get_notvalid_before() const;
    time_t get_notvalid_after() const;

    /**
     * Set the lifetime to be used for this certificate.
     * @param seconds  the validity period length
     */
    void set_lifetime(long seconds);

    /** Get the authority info access information. */
    WvString get_aia() const;

    /**
     * Set a list of urls that have the Certificate of the CA that issued this
     * certificate, plus the list of OCSP responders.
     */
    void set_aia(WvStringList &ca_urls, WvStringList &responders);

    /** Get a list of OCSP Responders for this certificate. */
    void get_ocsp(WvStringList &responders) const;

    /**
     * Get a list of urls that have the Certificate of the CA that issued this
     * certificate.
     */
    void get_ca_urls(WvStringList &urls) const;

    /**
     * Get a list of URLs that are valid CRL distribution points for this
     * certificate.
     */
    void get_crl_urls(WvStringList &urls) const;

    /**
     * Set the list of URLs that are valid CRL distribution points for this
     * certificate.
     */
    void set_crl_urls(WvStringList &urls);

    /** Get the Subject Key Info. */
    WvString get_ski() const;

    /** Get the Authority key Info. */
    WvString get_aki() const;

    /**
     * Get the certHash (fingerprint) of the certificate.
     * @param mode  digest to use; defaults to SHA-1
     */
    WvString get_fingerprint(const FprintMode mode = FingerSHA1) const;

    /** Is the certificate object valid? */
    virtual bool isok() const;

    /** Returns an error string if isok() is not true. */
    virtual WvString errstr() const;

    /** The not operator returns true if !isok() */
    bool operator! () const;


private:
    // These classes reach into cert directly.
    friend class WvCRL;
    friend class WvX509Mgr;
    friend class WvOCSPReq;
    friend class WvOCSPResp;

    // The wrapped OpenSSL certificate; see the note on WvX509(X509 *) about ownership.
    X509 *cert;

    // mutable so the const getters above can still log.
    mutable WvLog debug;

    // Generic extension accessors by OpenSSL NID; presumably the building
    // blocks for the named get_*/set_* extension methods above — verify in wvx509.cc.
    WvString get_extension(int nid) const;
    void set_extension(int nid, WvStringParm values);

    // Set the Subject Key Identifier extension (no public setter exists).
    void set_ski();

    // Set the Authority Key Identifier extension from cacert.
    void set_aki(const WvX509 &cacert);

    // Emits a warning; what var names is not visible from the header.
    void warningset(WvStringParm var);

    // Returns the certificate's RSA public key; ownership of the returned
    // pointer is not stated here — check wvx509.cc before freeing it.
    WvRSAKey *get_rsa_pub() const;
};
399 
400 #endif // __WVX509_H
WvX509::get_notvalid_before
time_t get_notvalid_before() const
Return the not before and not after in a format we're more able to easily use.
Definition: wvx509.cc:1378
WvX509::set_lifetime
void set_lifetime(long seconds)
Set the lifetime to be used for this certificate...
Definition: wvx509.cc:744
WvX509::get_ski
WvString get_ski() const
Get the Subject Key Info.
Definition: wvx509.cc:1394
WvX509::verify
bool verify(WvBuf &original, WvStringParm signature) const
Verify that the contents of data were signed by the certificate currently in cert.
Definition: wvx509.cc:1314
WvX509::set_altsubject
void set_altsubject(WvStringParm name)
Set the Subject Alt Name.
WvX509::get_fingerprint
WvString get_fingerprint(const FprintMode mode=FingerSHA1) const
Get the certHash (fingerprint) of the certificate.
Definition: wvx509.cc:1416
WvX509::get_policy_mapping
bool get_policy_mapping(PolicyMapList &list) const
Get the policy mappings for this certificate.
WvX509::get_basic_constraints
bool get_basic_constraints(bool &ca, int &pathlen) const
Get the values in the basic constraints extension.
Definition: wvx509.cc:788
WvX509::set_basic_constraints
void set_basic_constraints(bool ca, int pathlen)
Set the values in the basic constraints extension.
Definition: wvx509.cc:825
WvX509
X509 Class to handle certificates and their related functions.
Definition: wvx509.h:41
WvX509::decode
virtual void decode(const DumpMode mode, WvStringParm str)
Load the information from the format requested by mode into the class - this overwrites the certifica...
Definition: wvx509.cc:499
WvX509::set_policies
void set_policies(WvStringList &policy_oids)
Set the Certificate Policy OIDs in the certificate to that of the input array.
Definition: wvx509.cc:1108
WvX509::DumpMode
DumpMode
Type for the encode() and decode() methods.
Definition: wvx509.h:56
WvX509::certreq
static WvString certreq(WvStringParm subject, const WvRSAKey &rsa)
Create a certificate request (PKCS#10) using this function.
Definition: wvx509.cc:266
WvX509::get_policy_constraints
bool get_policy_constraints(int &require_explicit_policy, int &inhibit_policy_mapping) const
Get the values in the policy constraints extension.
WvX509::get_altsubject
WvString get_altsubject() const
Return the Subject alt name if it exists, and WvString::null if it doesn't.
Definition: wvx509.cc:782
WvX509::get_cert
X509 * get_cert()
Allow us to access the certificate member - this will be going away eventually, but for now,...
Definition: wvx509.h:89
WvX509::signedbyca
bool signedbyca(WvX509 &cacert) const
Check the certificate in cert against the CA certificate in cacert.
Definition: wvx509.cc:393
WvX509::set_policy_mapping
void set_policy_mapping(PolicyMapList &list)
Set the policy mappings for this certificate.
WvX509::get_ocsp
void get_ocsp(WvStringList &responders) const
Get a list of OCSP Responders for this certificate.
Definition: wvx509.cc:1030
WvX509::get_nsserver
WvString get_nsserver() const
get and set the Netscape SSL Server extension
Definition: wvx509.cc:698
WvX509::get_ext_key_usage
WvString get_ext_key_usage() const
Get and set the extendedKeyUsage field.
Definition: wvx509.cc:776
WvX509::PolicyMap
Definition: wvx509.h:254
WvX509::validate
bool validate(WvX509 *cacert=NULL) const
Function to verify the validity of a certificate that has been placed in cert.
Definition: wvx509.cc:359
WvX509::isok
virtual bool isok() const
Is the certificate object valid?
Definition: wvx509.cc:1285
WvX509::errstr
virtual WvString errstr() const
Returns an error string if isok() is not true.
Definition: wvx509.cc:1297
WvX509::get_aia
WvString get_aia() const
Get the authority info access information.
Definition: wvx509.cc:1006
WvRSAKey
An RSA public key or public/private key pair that can be used for encryption.
Definition: wvrsa.h:26
WvString
WvString is an implementation of a simple and efficient printable-string class.
Definition: wvstring.h:329
WvLog
A WvLog stream accepts log messages from applications and forwards them to all registered WvLogRcv's.
Definition: wvlog.h:56
WvCRL
CRL Class to handle certificate revocation lists and their related functions.
Definition: wvcrl.h:28
WvX509::set_pubkey
void set_pubkey(WvRSAKey &rsa_pubkey)
Set the public key of the certificate to the public key rsa_pubkey.
Definition: wvx509.cc:653
WvX509::set_version
void set_version()
Set the Certificate to use X509v3, since that's all modern PKI uses anyways :)
Definition: wvx509.cc:722
WvX509::~WvX509
virtual ~WvX509()
Destructor.
Definition: wvx509.cc:150
WvX509::WvX509
WvX509()
Initialize a completely empty X509 Object with an X509 certificate that doesn't have anything in it....
Definition: wvx509.cc:131
WvOCSPReq
Definition: wvocsp.h:23
WvBufBase< unsigned char >
Specialization of WvBufBase for unsigned char type buffers intended for use with raw memory buffers.
Definition: wvbuf.h:22
WvOCSPResp
Definition: wvocsp.h:39
WvX509::get_serial
WvString get_serial(bool hex=false) const
get and set the serialNumber field of the certificate
Definition: wvx509.cc:704
WvX509Mgr
Definition: wvx509mgr.h:14
IObject
Definition: IObject.h:65
WvX509::get_crl_urls
void get_crl_urls(WvStringList &urls) const
Get a list of URLs that are valid CRL distribution points for this certificate.
Definition: wvx509.cc:1042
WvX509::get_issuer
WvString get_issuer() const
Get and set the Certificate Issuer (usually the CA who signed the certificate).
Definition: wvx509.cc:594
WvX509::get_nscomment
WvString get_nscomment() const
get and set the Netscape Comment extension
WvX509::issuedbyca
bool issuedbyca(WvX509 &cacert) const
Check to see if the certificate in cert was issued by the CA certificate in cacert.
Definition: wvx509.cc:422
WvX509::get_policies
bool get_policies(WvStringList &policy_oids) const
Get any certificate Policy OIDs.
Definition: wvx509.cc:1080
WvX509::get_aki
WvString get_aki() const
Get the Authority key Info.
Definition: wvx509.cc:1402
WvX509::get_crl_dp
WvString get_crl_dp() const
get the CRL Distribution points if they exist, WvString::null if they don't.
Definition: wvx509.cc:738
WvX509::operator!
bool operator!() const
The not operator returns true if !isok()
Definition: wvx509.cc:1291
WvStringList
This is a WvList of WvStrings, and is a really handy way to parse strings.
Definition: wvstringlist.h:27
WvX509::get_subject
WvString get_subject() const
get and set the Subject field of the certificate
Definition: wvx509.cc:624
WvX509::get_key_usage
WvString get_key_usage() const
Get and set the keyUsage field.
Definition: wvx509.cc:764
WvX509::set_policy_constraints
void set_policy_constraints(int require_explicit_policy, int inhibit_policy_mapping)
Set the values in the policy constraints extension.
WvX509::get_ca_urls
void get_ca_urls(WvStringList &urls) const
Get a list of urls that have the Certificate of the CA that issued this certificate.
Definition: wvx509.cc:1036
WvX509::set_crl_urls
void set_crl_urls(WvStringList &urls)
Set the list of URLs that are valid CRL distribution points for this certificate.
Definition: wvx509.cc:1048
WvX509::set_aia
void set_aia(WvStringList &ca_urls, WvStringList &responders)
Set a list of urls that have the Certificate of the CA that issued this certificate,...
Definition: wvx509.cc:984
WvX509::encode
WvString encode(const DumpMode mode) const
Return the information requested by mode.
Definition: wvx509.cc:441