WvStreams
Public Types
enum DumpMode { CertPEM = 0, CertDER, CertHex, CertFilePEM, CertFileDER }
Type for the encode() and decode() methods.
enum FprintMode { FingerMD5 = 0, FingerSHA1 }
Public Member Functions
WvX509Mgr ()
Constructor to create a blank certificate + keypair (useful if, for example, you were going to load the appropriate values in later).
WvX509Mgr (WvStringParm _dname, WvRSAKey *_rsa, bool ca=false)
Constructor to create a self-signed certificate for the given dn and RSA key.
WvX509Mgr (WvStringParm _dname, int bits, bool ca=false)
Constructor to create a new self-signed certificate for the given dn and number of bits.
WvX509Mgr (const WvX509Mgr &mgr)
Copy constructor.
virtual ~WvX509Mgr ()
Destructor.
virtual bool isok () const
Says if this certificate+key pair is good for use.
virtual WvString errstr () const
Says what the error is, if isok() is not true.
bool operator! () const
The not operator returns true if !isok().
WvRSAKey * get_rsa ()
Allow us access to the RSA member.
void set_rsa (WvRSAKey *_rsa)
bool bind_ssl (SSL_CTX *ctx)
Avoid a lot of ugliness by having it so that we are binding to the SSL context, and not the other way around, since that would make ownership of the cert and rsa keys ambiguous.
WvString signreq (WvStringParm pkcs10req) const
Take the PKCS#10 request in the string pkcs10req, sign it with the private key in rsa, and then spit back a new X509 certificate in PEM format.
bool signcert (WvX509 &unsignedcert) const
Sign the certificate with the rsa key associated with this class.
bool signcrl (WvCRL &unsignedcrl) const
Sign the CRL with the rsa key associated with this class.
bool test () const
Test to make sure that a certificate and a keypair go together.
WvString sign (WvBuf &data) const
Sign the contents of data and return the signature as a BASE64 string.
WvString sign (WvStringParm data) const
virtual WvString encode (const WvX509::DumpMode mode) const
Encodes the information requested by mode into a buffer.
virtual WvString encode (const WvRSAKey::DumpMode mode) const
virtual void encode (const WvX509::DumpMode mode, WvBuf &buf) const
virtual void encode (const WvRSAKey::DumpMode mode, WvBuf &buf) const
virtual void decode (const WvX509::DumpMode mode, WvStringParm encoded)
Load the information in the format requested by mode into the class. This overwrites the certificate, and possibly the key. To enable two-stage loading (the certificate first, then the key), it DOES NOT call test(); that is up to the programmer.
virtual void decode (const WvRSAKey::DumpMode mode, WvStringParm encoded)
virtual void decode (const WvX509::DumpMode mode, WvBuf &encoded)
virtual void decode (const WvRSAKey::DumpMode mode, WvBuf &encoded)
bool write_p12 (WvStringParm _fname, WvStringParm _pkcs12pass) const
This writes the certificate and RSA keys in PKCS12 format to the file specified by _fname, setting the password to "_pkcs12pass".
void read_p12 (WvStringParm _fname, WvStringParm _pkcs12pass)
And this reads from the file specified in _fname using the password "_pkcs12pass", and fills the RSA and cert members with the decoded information.
X509 * get_cert ()
Allow us to access the certificate member - this will be going away eventually, but for now, it gets us out of a couple of issues :/.
void set_pubkey (WvRSAKey &rsa_pubkey)
Set the public key of the certificate to the public key rsa_pubkey.
bool validate (WvX509 *cacert=NULL) const
Function to verify the validity of a certificate that has been placed in cert.
bool signedbyca (WvX509 &cacert) const
Check the certificate in cert against the CA certificate in cacert.
bool issuedbyca (WvX509 &cacert) const
Check to see if the certificate in cert was issued by the CA certificate in cacert.
bool verify (WvBuf &original, WvStringParm signature) const
Verify that the contents of data were signed by the certificate currently in cert.
bool verify (WvStringParm original, WvStringParm signature) const
WvString get_issuer () const
Get and set the certificate Issuer (usually the CA who signed the certificate).
void set_issuer (WvStringParm name)
void set_issuer (const WvX509 &cacert)
WvString get_subject () const
Get and set the Subject field of the certificate.
void set_subject (WvStringParm name)
void set_subject (X509_NAME *name)
WvString get_serial (bool hex=false) const
Get and set the serialNumber field of the certificate.
void set_serial (long serial_no)
WvString get_nscomment () const
Get and set the Netscape Comment extension.
void set_nscomment (WvStringParm comment)
WvString get_nsserver () const
Get and set the Netscape SSL Server extension.
void set_nsserver (WvStringParm server_fqdn)
WvString get_crl_dp () const
Get the CRL Distribution Points if they exist, WvString::null if they don't.
bool get_policies (WvStringList &policy_oids) const
Get any certificate Policy OIDs.
void set_policies (WvStringList &policy_oids)
Set the Certificate Policy OIDs in the certificate to that of the input array.
void set_version ()
Set the certificate to use X509v3, since that's all modern PKI uses anyways :)
WvString get_key_usage () const
Get and set the keyUsage field.
void set_key_usage (WvStringParm values)
WvString get_ext_key_usage () const
Get and set the extendedKeyUsage field.
void set_ext_key_usage (WvStringParm values)
WvString get_altsubject () const
Return the Subject Alt Name if it exists, and WvString::null if it doesn't.
void set_altsubject (WvStringParm name)
Set the Subject Alt Name.
bool get_basic_constraints (bool &ca, int &pathlen) const
Get the values in the basic constraints extension.
void set_basic_constraints (bool ca, int pathlen)
Set the values in the basic constraints extension.
bool get_policy_constraints (int &require_explicit_policy, int &inhibit_policy_mapping) const
Get the values in the policy constraints extension.
void set_policy_constraints (int require_explicit_policy, int inhibit_policy_mapping)
Set the values in the policy constraints extension.
DeclareWvList (PolicyMap)
bool get_policy_mapping (PolicyMapList &list) const
Get the policy mappings for this certificate.
void set_policy_mapping (PolicyMapList &list)
Set the policy mappings for this certificate.
time_t get_notvalid_before () const
Return the notBefore and notAfter times in a format that is easier to use.
time_t get_notvalid_after () const
void set_lifetime (long seconds)
Set the lifetime to be used for this certificate.
WvString get_aia () const
Get the Authority Info Access information.
void set_aia (WvStringList &ca_urls, WvStringList &responders)
Set a list of URLs that have the certificate of the CA that issued this certificate, as well as the list of OCSP responders for this certificate.
void get_ocsp (WvStringList &responders) const
Get a list of OCSP responders for this certificate.
void get_ca_urls (WvStringList &urls) const
Get a list of URLs that have the certificate of the CA that issued this certificate.
void get_crl_urls (WvStringList &urls) const
Get a list of URLs that are valid CRL distribution points for this certificate.
void set_crl_urls (WvStringList &urls)
Set the list of URLs that are valid CRL distribution points for this certificate.
WvString get_ski () const
Get the Subject Key Info.
WvString get_aki () const
Get the Authority Key Info.
WvString get_fingerprint (const FprintMode mode=FingerSHA1) const
Get the certHash (fingerprint) of the certificate.
virtual unsigned int addRef ()=0
Indicate you are using this object.
virtual unsigned int release ()=0
Indicate that you are finished using this object.
virtual IObject * getInterface (const UUID &)=0
Returns the requested XPLC interface.
virtual IWeakRef * getWeakRef ()=0
Return a weak reference to this object.
Static Public Member Functions
static WvString certreq (WvStringParm subject, const WvRSAKey &rsa)
Create a certificate request (PKCS#10) using this function.
Protected Member Functions
void create_selfissued (WvStringParm dname, bool is_ca=false)
Given the Distinguished Name dname and an already generated keypair in rsa, return a self-signed certificate in cert.
Definition at line 14 of file wvx509mgr.h.
enum WvX509::DumpMode [inherited]
Type for the encode() and decode() methods.
CertPEM = PEM encoded X.509 certificate
CertDER = DER encoded X.509 certificate
CertHex = DER encoded X.509 certificate in hexified form
CertFilePEM = PEM encoded X.509 certificate from file
CertFileDER = DER encoded X.509 certificate from file
CertFilePEM and CertFileDER are only valid modes for decode(); calling encode() with these modes has no effect.
WvX509Mgr::WvX509Mgr (WvStringParm _dname, WvRSAKey *_rsa, bool ca = false)
Constructor to create a self-signed certificate for the given dn and RSA key.
If you don't already have a WvRSAKey, try the other constructor, below, which creates one automatically. If 'ca' is true, the certificate will be created as a certificate authority.
For SSL servers, the dname must contain a "cn=" section in order to validate correctly with some clients, particularly web browsers. For example, if your domain name is nit.ca, you can try this for _dname: "cn=nit.ca,o=Net Integration,c=CA", or maybe this instead: "cn=nit.ca,dc=nit,dc=ca".
We don't check automatically that your _dname complies with these restrictions, since non-SSL certificates may be perfectly valid without this. If you want to generate invalid certs, that's up to you.
Definition at line 52 of file wvx509mgr.cc.
References create_selfissued(), and signcert().
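The constructors above take the distinguished name as a comma-separated "attr=value" string and warn that a server certificate without a "cn=" component will fail validation in browsers, but nothing in WvStreams checks this for you. The following is an added example, not WvStreams code: a small C++ parser for that DN string format, plus the "is there a non-empty cn=?" check a caller could run before handing _dname to the constructor. The backslash escape for a literal comma inside a value is an assumption of this example; the page does not document an escape syntax.

```cpp
#include <cctype>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// One (attribute, value) pair per DN component, in the order given.
typedef std::vector<std::pair<std::string, std::string> > DnAttrs;

static std::string trim(const std::string &s)
{
    std::string::size_type b = 0, e = s.size();
    while (b < e && std::isspace((unsigned char)s[b])) ++b;
    while (e > b && std::isspace((unsigned char)s[e - 1])) --e;
    return s.substr(b, e - b);
}

static std::string lowercase(std::string s)
{
    for (std::string::size_type i = 0; i < s.size(); ++i)
        s[i] = (char)std::tolower((unsigned char)s[i]);
    return s;
}

// Parse "attr=value,attr=value" into pairs. A comma preceded by a backslash
// is kept as part of the value instead of acting as a separator (assumption
// of this example). Attribute names are lower-cased and whitespace around
// names and values is trimmed. Returns false if any component has no '='
// or an empty attribute name; 'out' is cleared before parsing.
bool parse_dname(const std::string &dname, DnAttrs &out)
{
    out.clear();
    std::vector<std::string> parts;
    std::string cur;
    for (std::string::size_type i = 0; i < dname.size(); ++i) {
        char c = dname[i];
        if (c == '\\' && i + 1 < dname.size())
            cur += dname[++i];            // escaped char, taken literally
        else if (c == ',') {
            parts.push_back(cur);
            cur.clear();
        } else
            cur += c;
    }
    parts.push_back(cur);

    for (size_t i = 0; i < parts.size(); ++i) {
        std::string::size_type eq = parts[i].find('=');
        if (eq == std::string::npos)
            return false;                 // component without attr=value
        std::string key = lowercase(trim(parts[i].substr(0, eq)));
        std::string val = trim(parts[i].substr(eq + 1));
        if (key.empty())
            return false;
        out.push_back(std::make_pair(key, val));
    }
    return true;
}

// True if the whole DN string parses.
bool valid_dname(const std::string &dname)
{
    DnAttrs attrs;
    return parse_dname(dname, attrs);
}

// Value of the first component named 'attr' (case-insensitive), or ""
// if it is absent or the DN does not parse.
std::string dn_attr(const std::string &dname, const std::string &attr)
{
    DnAttrs attrs;
    if (!parse_dname(dname, attrs))
        return "";
    std::string want = lowercase(attr);
    for (size_t i = 0; i < attrs.size(); ++i)
        if (attrs[i].first == want)
            return attrs[i].second;
    return "";
}

// The check the page says browsers effectively impose on SSL server
// certificates: the DN parses and carries a non-empty cn=.
bool has_cn(const std::string &dname)
{
    return !dn_attr(dname, "cn").empty();
}

int main()
{
    const char *samples[] = {
        "cn=nit.ca,o=Net Integration,c=CA",   // from the page
        "cn=nit.ca,dc=nit,dc=ca",             // from the page
        "o=Net Integration,c=CA",             // constructed: no cn=
    };
    for (size_t i = 0; i < 3; ++i)
        std::printf("%-36s cn=%s\n", samples[i],
                    has_cn(samples[i]) ? dn_attr(samples[i], "cn").c_str() : "(missing)");
    return 0;
}
```

Run the check on _dname before constructing a server certificate; a DN that parses but has no cn= is exactly the case the page says some clients will reject.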
WvX509Mgr::WvX509Mgr (WvStringParm _dname, int bits, bool ca = false)
Constructor to create a new self-signed certificate for the given dn and number of bits.
See the previous constructor for details on how to choose _dname. 'bits' is the number of bits in the auto-generated RSA key; 1024 or 2048 are good values for this. If 'ca' is true, the certificate will be created as a certificate authority.
Definition at line 70 of file wvx509mgr.cc.
References create_selfissued(), and signcert().
void WvX509Mgr::create_selfissued (WvStringParm dname, bool is_ca = false) [protected]
Given the Distinguished Name dname and an already generated keypair in rsa, return a self-signed certificate in cert.
If is_ca, it will generate a self-issued certificate with the appropriate values for a certificate authority (or at least the most common ones). Note that a certificate created in this way will not be signed:
Definition at line 89 of file wvx509mgr.cc.
References WvX509::set_lifetime(), WvX509::set_pubkey(), and WvX509::set_version().
Referenced by WvX509Mgr().
virtual bool WvX509Mgr::isok () const [virtual]
Says if this certificate+key pair is good for use.
Checks to make sure that both are present and that they match.
Reimplemented from WvX509.
Definition at line 172 of file wvx509mgr.cc.
References WvX509::isok(), and test().
Referenced by operator!(), signcert(), signcrl(), signreq(), and WvSSLStream::WvSSLStream().
bool WvX509Mgr::signcrl (WvCRL &unsignedcrl) const
Sign the CRL with the rsa key associated with this class.
This method will also update the lastUpdate time, and set the CRL's validity period to 30 days.
Definition at line 393 of file wvx509mgr.cc.
References WvCRL::getcrl(), isok(), and WvCRL::isok().
Referenced by WvCRL::WvCRL().
bool WvX509Mgr::test () const
Test to make sure that a certificate and a keypair go together.
You can call it if you want to test a certificate yourself (such as after a decode()).
Definition at line 217 of file wvx509mgr.cc.
References WvRSAKey::encode().
Referenced by errstr(), isok(), and read_p12().
bool WvX509Mgr::write_p12 (WvStringParm _fname, WvStringParm _pkcs12pass) const
This writes the certificate and RSA keys in PKCS12 format to the file specified by _fname, setting the password to "_pkcs12pass".
Returns true if the operation was successful, false otherwise.
Definition at line 496 of file wvx509mgr.cc.
References WvString::edit().
static WvString certreq (WvStringParm subject, const WvRSAKey &rsa) [static]
Create a certificate request (PKCS#10) using this function.
This request is what you would send off to Verisign or Entrust.net (or any other CA) to get your real certificate. It leaves the RSA key pair in rsa, where you MUST save it for the certificate to be AT ALL valid when you get it back. Returns a PEM encoded PKCS#10 certificate request, and leaves the RSA keypair in rsa.
Definition at line 266 of file wvx509.cc.
References WvBufBase< unsigned char >::getstr().
Referenced by signreq().
bool WvX509::validate (WvX509 *cacert = NULL) const [inherited]
Function to verify the validity of a certificate that has been placed in cert.
It checks that it was signed by the CA certificate cacert, and that it is not expired (or not yet valid).
Definition at line 359 of file wvx509.cc.
References WvX509::issuedbyca(), and WvX509::signedbyca().
Referenced by WvSSLStream::post_select().
bool WvX509::signedbyca (WvX509 &cacert) const [inherited]
Check the certificate in cert against the CA certificate in cacert.
Definition at line 393 of file wvx509.cc.
References WvX509::get_subject().
Referenced by WvX509::validate().
bool WvX509::issuedbyca (WvX509 &cacert) const [inherited]
Check to see if the certificate in cert was issued by the CA certificate in cacert.
Note: You are going on the certificate's say-so by using this function. You may also want to use signedbyca to check if the certificate is actually signed by who it claims to be issued by.
Definition at line 422 of file wvx509.cc.
Referenced by WvX509::validate().
bool WvX509::verify (WvBuf &original, WvStringParm signature) const [inherited]
Verify that the contents of data were signed by the certificate currently in cert.
This only checks the signature, it doesn't check the validity of the certificate.
Definition at line 1314 of file wvx509.cc.
References WvEncoder::flushstrmem(), WvBufBaseCommonImpl< T >::peek(), and WvBufBaseCommonImpl< T >::used().
bool WvX509::get_policy_constraints (int &require_explicit_policy, int &inhibit_policy_mapping) const [inherited]
Get the values in the policy constraints extension.
Returns true if the policy constraints extension exists, false otherwise.
bool WvX509::get_policy_mapping (PolicyMapList &list) const [inherited]
Get the policy mappings for this certificate.
Returns true if there were any policy mappings to be found.
void WvX509::set_lifetime (long seconds) [inherited]
Set the lifetime to be used for this certificate.
The lifetime starts from the minute that the certificate is signed.
Definition at line 744 of file wvx509.cc.
Referenced by create_selfissued(), and signreq().
WvString WvX509::get_aia () const [inherited]
Get the Authority Info Access information.
Usually includes a list of URLs where the issuer's CA certificate may be fetched, as well as a list of OCSP responders. Note that this function returns this information in a giant string: get_ca_urls and get_ocsp may return this information in a more useful format.
Definition at line 1006 of file wvx509.cc.
Referenced by WvX509::get_ca_urls(), and WvX509::get_ocsp().
virtual unsigned int addRef () = 0 [pure virtual, inherited]
Indicate you are using this object.
This increases the reference count of the object by one. Usually, when the reference count reaches zero, the object is freed automatically.
This is called a "strong reference", because it prevents the object from being destroyed. Strong references should thus be used carefully, as they control the lifetime of the object. For example, you do not need to call addRef() on objects passed as parameters, unless you intend to keep them.
addRef() is often called automatically for you in XPLC, but you'll have to call release() by hand sometimes unless you use xplc_ptr.
Referenced by WvIStreamList::execute(), IObjectImplInternal::getInterface(), StaticServiceHandler::getObject(), WeakRef::getObject(), WvIStreamList::post_select(), WvQtStreamClone::WvQtStreamClone(), and WvSSLStream::WvSSLStream().
virtual unsigned int release () = 0 [pure virtual, inherited]
Indicate that you are finished using this object.
This decreases the reference count of the object by one. Usually, when the reference count reaches zero, the object is freed automatically.
You will usually need to manually release() any object given to you by any other XPLC function, unless you give the object to someone else who will call release.
If you use xplc_ptr, it will do this for you.
Referenced by WvIStreamList::execute(), mutate(), NewMoniker::resolve(), and MonikerService::resolve().
virtual IObject * getInterface (const UUID &) = 0 [pure virtual, inherited]
Returns the requested XPLC interface.
Will return NULL if the interface is not supported. The returned interface has been addRef()ed, so you will need to release() it when done. Note that the interface returned may be a pointer to the same object or a different one - that's none of your business. Asking for the IObject interface should always return the same pointer for a given logical object, so this can be used for comparison by identity.
You should probably use the convenient mutate() and get() functions instead of this, or use an xplc_ptr, which mutates the object for you.
virtual IWeakRef * getWeakRef () = 0 [pure virtual, inherited]
Return a weak reference to this object.