WvStreams
WvX509Mgr Class Reference


Public Types

enum  DumpMode { CertPEM = 0, CertDER, CertHex, CertFilePEM, CertFileDER }
 Type for the encode() and decode() methods. More...
enum  FprintMode { FingerMD5 = 0, FingerSHA1 }

Public Member Functions

 WvX509Mgr ()
 Constructor to create a blank certificate + keypair (useful if, for example, you were going to load the appropriate values in later).
 WvX509Mgr (WvStringParm _dname, WvRSAKey *_rsa, bool ca=false)
 Constructor to create a self-signed certificate for the given dn and RSA key.
 WvX509Mgr (WvStringParm _dname, int bits, bool ca=false)
 Constructor to create a new self-signed certificate for the given dn and number of bits.
 WvX509Mgr (const WvX509Mgr &mgr)
 Copy Constructor.
virtual ~WvX509Mgr ()
 Destructor.
virtual bool isok () const
 Says if this certificate+key pair is good for use.
virtual WvString errstr () const
 Says what the error is, if isok() is not true.
bool operator! () const
 The not operator returns true if !isok()
WvRSAKey * get_rsa ()
 Allow us access to the RSA member.
void set_rsa (WvRSAKey *_rsa)
bool bind_ssl (SSL_CTX *ctx)
 Avoid a lot of ugliness by having it so that we are binding to the SSL context, and not the other way around, since that would make ownership of the cert and rsa keys ambiguous.
WvString signreq (WvStringParm pkcs10req) const
 Take the PKCS#10 request in the string pkcs10req, sign it with the private key in rsa, and then spit back a new X509 Certificate in PEM format.
bool signcert (WvX509 &unsignedcert) const
 Sign the certificate with the rsa key associated with this class.
bool signcrl (WvCRL &unsignedcrl) const
 Sign the CRL with the rsa key associated with this class.
bool test () const
 Test to make sure that a certificate and a keypair go together.
WvString sign (WvBuf &data) const
 Sign the contents of data and return the signature as a BASE64 string.
WvString sign (WvStringParm data) const
virtual WvString encode (const WvX509::DumpMode mode) const
 Encodes the information requested by mode into a buffer.
virtual WvString encode (const WvRSAKey::DumpMode mode) const
virtual void encode (const WvX509::DumpMode mode, WvBuf &buf) const
virtual void encode (const WvRSAKey::DumpMode mode, WvBuf &buf) const
virtual void decode (const WvX509::DumpMode mode, WvStringParm encoded)
 Load the information in the format requested by mode into the class. This overwrites the certificate, and possibly the key. To enable two-stage loading (the certificate first, then the key), it DOES NOT call test(); that is up to the programmer.
virtual void decode (const WvRSAKey::DumpMode mode, WvStringParm encoded)
virtual void decode (const WvX509::DumpMode mode, WvBuf &encoded)
virtual void decode (const WvRSAKey::DumpMode mode, WvBuf &encoded)
bool write_p12 (WvStringParm _fname, WvStringParm _pkcs12pass) const
 This writes the certificate and RSA keys in PKCS12 format to the file specified by _fname, setting the password to "_pkcs12pass".
void read_p12 (WvStringParm _fname, WvStringParm _pkcs12pass)
 And this reads from the file specified by _fname using the password "_pkcs12pass", and fills the RSA and cert members with the decoded information.
X509 * get_cert ()
 Allow us to access the certificate member - this will be going away eventually, but for now, it gets us out of a couple of issues :/.
void set_pubkey (WvRSAKey &rsa_pubkey)
 Set the public key of the certificate to the public key rsa_pubkey.
bool validate (WvX509 *cacert=NULL) const
 Function to verify the validity of a certificate that has been placed in cert.
bool signedbyca (WvX509 &cacert) const
 Check the certificate in cert against the CA certificate in cacert.
bool issuedbyca (WvX509 &cacert) const
 Check to see if the certificate in cert was issued by the CA certificate in cacert.
bool verify (WvBuf &original, WvStringParm signature) const
 Verify that the contents of original were signed by the certificate currently in cert.
bool verify (WvStringParm original, WvStringParm signature) const
WvString get_issuer () const
 Get and set the Certificate Issuer (usually the CA who signed the certificate).
void set_issuer (WvStringParm name)
void set_issuer (const WvX509 &cacert)
WvString get_subject () const
 get and set the Subject field of the certificate
void set_subject (WvStringParm name)
void set_subject (X509_NAME *name)
WvString get_serial (bool hex=false) const
 get and set the serialNumber field of the certificate
void set_serial (long serial_no)
WvString get_nscomment () const
 get and set the Netscape Comment extension
void set_nscomment (WvStringParm comment)
WvString get_nsserver () const
 get and set the Netscape SSL Server extension
void set_nsserver (WvStringParm server_fqdn)
WvString get_crl_dp () const
 get the CRL Distribution points if they exist, WvString::null if they don't.
bool get_policies (WvStringList &policy_oids) const
 Get any certificate Policy OIDs.
void set_policies (WvStringList &policy_oids)
 Set the Certificate Policy OIDs in the certificate to that of the input array.
void set_version ()
 Set the Certificate to use X509v3, since that's all modern PKI uses anyways :)
WvString get_key_usage () const
 Get and set the keyUsage field.
void set_key_usage (WvStringParm values)
WvString get_ext_key_usage () const
 Get and set the extendedKeyUsage field.
void set_ext_key_usage (WvStringParm values)
WvString get_altsubject () const
 Return the Subject alt name if it exists, and WvString::null if it doesn't.
void set_altsubject (WvStringParm name)
 Set the Subject Alt Name.
bool get_basic_constraints (bool &ca, int &pathlen) const
 Get the values in the basic constraints extension.
void set_basic_constraints (bool ca, int pathlen)
 Set the values in the basic constraints extension.
bool get_policy_constraints (int &require_explicit_policy, int &inhibit_policy_mapping) const
 Get the values in the policy constraints extension.
void set_policy_constraints (int require_explicit_policy, int inhibit_policy_mapping)
 Set the values in the policy constraints extension.
 DeclareWvList (PolicyMap)
bool get_policy_mapping (PolicyMapList &list) const
 Get the policy mappings for this certificate.
void set_policy_mapping (PolicyMapList &list)
 Set the policy mappings for this certificate.
time_t get_notvalid_before () const
 Return the not before and not after in a format we're more able to easily use.
time_t get_notvalid_after () const
void set_lifetime (long seconds)
 Set the lifetime to be used for this certificate...
WvString get_aia () const
 Get the authority info access information.
void set_aia (WvStringList &ca_urls, WvStringList &responders)
 Set a list of urls that have the Certificate of the CA that issued this certificate, as well as the list of OCSP responders for this certificate.
void get_ocsp (WvStringList &responders) const
 Get a list of OCSP Responders for this certificate.
void get_ca_urls (WvStringList &urls) const
 Get a list of urls that have the Certificate of the CA that issued this certificate.
void get_crl_urls (WvStringList &urls) const
 Get a list of URLs that are valid CRL distribution points for this certificate.
void set_crl_urls (WvStringList &urls)
 Set the list of URLs that are valid CRL distribution points for this certificate.
WvString get_ski () const
 Get the Subject Key Info.
WvString get_aki () const
 Get the Authority key Info.
WvString get_fingerprint (const FprintMode mode=FingerSHA1) const
 Get the certHash (fingerprint) of the certificate.
virtual unsigned int addRef ()=0
 Indicate you are using this object.
virtual unsigned int release ()=0
 Indicate that you are finished using this object.
virtual IObject * getInterface (const UUID &)=0
 Returns the requested XPLC interface.
virtual IWeakRef * getWeakRef ()=0
 Return a weak reference to this object.

Static Public Member Functions

static WvString certreq (WvStringParm subject, const WvRSAKey &rsa)
 Create a certificate request (PKCS#10) using this function.

Protected Member Functions

void create_selfissued (WvStringParm dname, bool is_ca=false)
 Given the Distinguished Name dname and an already generated keypair in rsa, return a Self Signed Certificate in cert.

Detailed Description

Definition at line 14 of file wvx509mgr.h.


Member Enumeration Documentation

enum WvX509::DumpMode [inherited]

Type for the encode() and decode() methods.

CertPEM = PEM Encoded X.509 Certificate
CertDER = DER Encoded X.509 Certificate
CertHex = DER Encoded X.509 Certificate in hexified form
CertFilePEM = PEM Encoded X.509 Certificate from file
CertFileDER = DER Encoded X.509 Certificate from file

CertFilePEM and CertFileDER are only valid modes for decode(), calling encode with these modes will result in no effect.

Definition at line 56 of file wvx509.h.


Constructor & Destructor Documentation

WvX509Mgr::WvX509Mgr ( WvStringParm  _dname,
WvRSAKey *  _rsa,
bool  ca = false 
)

Constructor to create a self-signed certificate for the given dn and RSA key.

If you don't already have a WvRSAKey, try the other constructor, below, which creates one automatically. If 'ca' is true, the certificate will be created as a certificate authority.

For SSL Servers, the dname must contain a "cn=" section in order to validate correctly with some clients, particularly web browsers. For example, if your domain name is nit.ca, you can try this for _dname: "cn=nit.ca,o=Net Integration,c=CA", or maybe this instead: "cn=nit.ca,dc=nit,dc=ca"

We don't check automatically that your _dname complies with these restrictions, since non-SSL certificates may be perfectly valid without this. If you want to generate invalid certs, that's up to you.
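Because the library does not check the _dname for you, a caller that builds server certificates may want to do that check itself before calling this constructor. The following is an added example, not WvStreams code: a small, self-contained parser for the comma-separated DN syntax the constructor accepts ("attr=value,attr=value", with backslash escaping a literal comma), plus a check that the DN carries exactly one cn component and that it names the host the server will actually be reached as. The function names parse_dname, find_cn and dname_ok_for_ssl_server are hypothetical; the DN strings are the ones quoted in the text above.

```cpp
#include <cctype>
#include <string>
#include <utility>
#include <vector>

// Hypothetical helper (not part of WvStreams): split a distinguished name
// such as "cn=nit.ca,o=Net Integration,c=CA" into (attribute, value) pairs.
// Attribute names are lower-cased, surrounding whitespace is trimmed, and a
// backslash escapes the next character so a value may contain a comma.
std::vector<std::pair<std::string, std::string>>
parse_dname(const std::string &dname)
{
    std::vector<std::string> parts;
    std::string cur;
    for (size_t i = 0; i < dname.size(); ++i) {
        char c = dname[i];
        if (c == '\\' && i + 1 < dname.size())
            cur += dname[++i];          // escaped character, taken literally
        else if (c == ',') {
            parts.push_back(cur);
            cur.clear();
        } else
            cur += c;
    }
    parts.push_back(cur);

    auto trim = [](std::string &s) {
        while (!s.empty() && std::isspace((unsigned char)s.front())) s.erase(0, 1);
        while (!s.empty() && std::isspace((unsigned char)s.back())) s.pop_back();
    };

    std::vector<std::pair<std::string, std::string>> out;
    for (const std::string &p : parts) {
        size_t eq = p.find('=');
        if (eq == std::string::npos)
            continue;                   // malformed component without '=': ignored
        std::string attr = p.substr(0, eq), val = p.substr(eq + 1);
        trim(attr);
        trim(val);
        for (char &ch : attr) ch = (char)std::tolower((unsigned char)ch);
        out.emplace_back(attr, val);
    }
    return out;
}

// Return the value of the single "cn" component, or an empty string when
// there is no cn or more than one (an ambiguous DN is treated as having none).
std::string find_cn(const std::string &dname)
{
    std::string cn;
    int count = 0;
    for (const auto &av : parse_dname(dname))
        if (av.first == "cn") { ++count; cn = av.second; }
    return count == 1 ? cn : std::string();
}

// The check the constructor deliberately leaves to you: true only when the
// DN has exactly one non-empty cn and it matches the expected host name
// (compared case-insensitively, as DNS names are).
bool dname_ok_for_ssl_server(const std::string &dname,
                             const std::string &expected_host)
{
    std::string cn = find_cn(dname), host = expected_host;
    for (char &c : cn) c = (char)std::tolower((unsigned char)c);
    for (char &c : host) c = (char)std::tolower((unsigned char)c);
    return !cn.empty() && cn == host;
}
```

A DN that passes this check still has to be accepted by the CA (or by your own create_selfissued() path) like any other; the check only rules out the cn-less and mismatched names the text warns about.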

Definition at line 52 of file wvx509mgr.cc.

References create_selfissued(), and signcert().

WvX509Mgr::WvX509Mgr ( WvStringParm  _dname,
int  bits,
bool  ca = false 
)

Constructor to create a new self-signed certificate for the given dn and number of bits.

See the previous constructor for details on how to choose _dname. 'bits' is the number of bits in the auto-generated RSA key; 1024 or 2048 are good values for this. If 'ca' is true, the certificate will be created as a certificate authority.

Definition at line 70 of file wvx509mgr.cc.

References create_selfissued(), and signcert().


Member Function Documentation

void WvX509Mgr::create_selfissued ( WvStringParm  dname,
bool  is_ca = false 
) [protected]

Given the Distinguished Name dname and an already generated keypair in rsa, return a Self Signed Certificate in cert.

If is_ca, it will generate a self-issued certificate with the appropriate values for a certificate authority (or at least the most common ones). Note that a certificate created in this way will not be signed:

Definition at line 89 of file wvx509mgr.cc.

References WvX509::set_lifetime(), WvX509::set_pubkey(), and WvX509::set_version().

Referenced by WvX509Mgr().

bool WvX509Mgr::isok ( ) const [virtual]

Says if this certificate+key pair is good for use.

Checks to make sure that both are present and that they match.

Reimplemented from WvX509.

Definition at line 172 of file wvx509mgr.cc.

References test().

Referenced by operator!(), signcert(), signcrl(), signreq(), and WvSSLStream::WvSSLStream().

bool WvX509Mgr::signcrl ( WvCRL &  unsignedcrl) const

Sign the CRL with the rsa key associated with this class.

This method will also update the lastUpdate time, and set the CRL's validity period to 30 days.

Definition at line 391 of file wvx509mgr.cc.

References WvCRL::getcrl(), isok(), and WvCRL::isok().

Referenced by WvCRL::WvCRL().

bool WvX509Mgr::test ( ) const

Test to make sure that a certificate and a keypair go together.

You can call it if you want to test a certificate yourself. (Such as after a decode)

Definition at line 217 of file wvx509mgr.cc.

References WvRSAKey::encode().

Referenced by errstr(), isok(), and read_p12().

bool WvX509Mgr::write_p12 ( WvStringParm  _fname,
WvStringParm  _pkcs12pass 
) const

This writes the certificate and RSA keys in PKCS12 format to the file specified by filename, setting the password to "_pkcs12pass".

Returns true if the operation was successful, false otherwise.

Definition at line 491 of file wvx509mgr.cc.

References WvString::edit().

WvString WvX509::certreq ( WvStringParm  subject,
const WvRSAKey &  rsa 
) [static, inherited]

Create a certificate request (PKCS#10) using this function.

This request is what you would send off to Verisign, Entrust.net, or any other CA to get your real certificate. It leaves the RSA key pair in rsa, where you MUST save it for the certificate to be AT ALL valid when you get it back. Returns a PEM encoded PKCS#10 certificate request.

Definition at line 266 of file wvx509.cc.

References WvBufBase< unsigned char >::getstr().

Referenced by signreq().

bool WvX509::validate ( WvX509 *  cacert = NULL) const [inherited]

Function to verify the validity of a certificate that has been placed in cert.

It checks that it was signed by the CA certificate cacert, as well as that it is not expired (or not yet valid).

Definition at line 359 of file wvx509.cc.

References WvX509::issuedbyca(), and WvX509::signedbyca().

Referenced by WvSSLStream::post_select().

bool WvX509::signedbyca ( WvX509 &  cacert) const [inherited]

Check the certificate in cert against the CA certificate in cacert.

Returns true if cert was signed by that CA certificate.

Definition at line 393 of file wvx509.cc.

References WvX509::get_subject().

Referenced by WvX509::validate().

bool WvX509::issuedbyca ( WvX509 &  cacert) const [inherited]

Check to see if the certificate in cert was issued by the CA certificate in cacert.

Note: You are going on the certificate's say-so by using this function. You may also want to use signedbyca to check if the certificate is actually signed by who it claims to be issued by.

Definition at line 422 of file wvx509.cc.

Referenced by WvX509::validate().
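The three functions above (validate(), signedbyca(), issuedbyca()) differ in what they actually establish, and the note on issuedbyca() is the important one: the issuer field is the certificate's own claim. The following is an added example, not WvStreams code, that models the same control flow on a plain struct so the distinction can be exercised offline. Real X.509 signatures are RSA over the DER-encoded TBSCertificate; this model stands in a keyed FNV-1a hash, so here the CA's "public key" is the same secret string that signs (the one place the toy departs from real PKI). ToyCert, toy_sign, run_scenario and the constructed CA/leaf names are all hypothetical.

```cpp
#include <cstdint>
#include <ctime>
#include <string>

// Constructed model of a certificate (not WvX509): only the fields the
// three checks look at.
struct ToyCert {
    std::string subject;
    std::string issuer;      // what the certificate *claims* about its issuer
    std::string pubkey;      // stand-in for the subject public key
    std::time_t not_before;
    std::time_t not_after;
    std::uint64_t signature; // toy signature over the fields above
};

// Toy "signature": keyed FNV-1a over the to-be-signed fields.  In this model
// the verifying key is the same secret that signs; with RSA it would be the
// CA's public key.  Constructed for illustration only, not for real use.
std::uint64_t toy_sign(const ToyCert &c, const std::string &ca_key)
{
    std::string tbs = c.subject + "|" + c.issuer + "|" + c.pubkey + "|" +
                      std::to_string((long long)c.not_before) + "|" +
                      std::to_string((long long)c.not_after) + "|" + ca_key;
    std::uint64_t h = 0xcbf29ce484222325ULL;          // FNV-1a offset basis
    for (unsigned char ch : tbs) { h ^= ch; h *= 0x100000001b3ULL; }
    return h;
}

// issuedbyca(): the certificate's issuer field names the CA.  Nothing more:
// this is the certificate's say-so, exactly as the WvX509 docs warn.
bool issuedbyca(const ToyCert &cert, const ToyCert &cacert)
{
    return cert.issuer == cacert.subject;
}

// signedbyca(): the signature actually verifies under the CA's key.
bool signedbyca(const ToyCert &cert, const ToyCert &cacert)
{
    return cert.signature == toy_sign(cert, cacert.pubkey);
}

// validate(): the combination WvX509::validate() is documented to perform,
// with the validity-window check done first.
bool validate(const ToyCert &cert, const ToyCert &cacert, std::time_t now)
{
    if (now < cert.not_before || now > cert.not_after)
        return false;                    // not yet valid, or expired
    return issuedbyca(cert, cacert) && signedbyca(cert, cacert);
}

struct Outcome {
    bool genuine_valid;     // properly issued leaf, checked inside its window
    bool forged_issuedby;   // a leaf that merely names the CA as issuer
    bool forged_signedby;   // ... does its signature verify under the CA key?
    bool expired_valid;     // the genuine leaf, checked after not_after
};

// Constructed scenario: one root, one genuine leaf, one leaf signed with a
// key that is not the CA's.  Times are small integers, not real epochs.
Outcome run_scenario()
{
    const std::string ca_key = "ca-secret-constructed";
    ToyCert ca{"cn=Toy Root CA", "cn=Toy Root CA", ca_key, 1000, 9000, 0};
    ca.signature = toy_sign(ca, ca_key);                       // self-signed root

    ToyCert leaf{"cn=nit.ca", ca.subject, "leaf-pubkey", 2000, 5000, 0};
    leaf.signature = toy_sign(leaf, ca_key);

    ToyCert forged{"cn=nit.ca", ca.subject, "other-pubkey", 2000, 5000, 0};
    forged.signature = toy_sign(forged, "not-the-ca-key");     // wrong signer

    return { validate(leaf, ca, 3000),
             issuedbyca(forged, ca),
             signedbyca(forged, ca),
             validate(leaf, ca, 6000) };
}
```

The point the scenario makes is the one from the note above: issuedbyca() returns true for the badly signed certificate because the issuer field says so, and only signedbyca() (and therefore validate()) rejects it.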

bool WvX509::verify ( WvBuf &  original,
WvStringParm  signature 
) const [inherited]

Verify that the contents of original were signed by the certificate currently in cert.

This only checks the signature; it doesn't check the validity of the certificate.

Definition at line 1313 of file wvx509.cc.

References WvEncoder::flushstrmem(), WvBufBaseCommonImpl< T >::peek(), and WvBufBaseCommonImpl< T >::used().

bool WvX509::get_policies ( WvStringList &  policy_oids) const [inherited]

Get any certificate Policy OIDs.

Returns true if the policy oids extension is present, false otherwise.

Definition at line 1080 of file wvx509.cc.

bool WvX509::get_basic_constraints ( bool &  ca,
int &  pathlen 
) const [inherited]

Get the values in the basic constraints extension.

Returns true if the basic constraints extension exists and is valid, false otherwise.

Definition at line 788 of file wvx509.cc.

bool WvX509::get_policy_constraints ( int &  require_explicit_policy,
int &  inhibit_policy_mapping 
) const [inherited]

Get the values in the policy constraints extension.

Returns true if the policy constraints extension exists, false otherwise.

bool WvX509::get_policy_mapping ( PolicyMapList &  list) const [inherited]

Get the policy mappings for this certificate.

Returns true if there were any policy mappings to be found.

void WvX509::set_lifetime ( long  seconds) [inherited]

Set the lifetime to be used for this certificate.

The lifetime starts from the minute that the certificate is signed.

Definition at line 744 of file wvx509.cc.

Referenced by create_selfissued(), and signreq().

WvString WvX509::get_aia ( ) const [inherited]

Get the authority info access information.

Usually includes a list of URLs where the issuer's CA certificate may be fetched, as well as a list of OCSP responders. Note that this function returns this information in a giant string: get_ca_urls and get_ocsp may return this information in a more useful format.

Definition at line 1006 of file wvx509.cc.

Referenced by WvX509::get_ca_urls(), and WvX509::get_ocsp().

virtual unsigned int IObject::addRef ( ) [pure virtual, inherited]

Indicate you are using this object.

This increases the reference count of the object by one. Usually, when the reference count reaches zero, the object is freed automatically.

This is called a "strong reference", because it prevents the object from being destroyed. Strong references should thus be used carefully, as they control the lifetime of the object. For example, you do not need to call addRef() on objects passed as parameters, unless you intend to keep them.

addRef() is often called automatically for you in XPLC, but you'll have to call release() by hand sometimes unless you use xplc_ptr.

Referenced by WvIStreamList::execute(), IObjectImplInternal::getInterface(), StaticServiceHandler::getObject(), WeakRef::getObject(), WvIStreamList::post_select(), WvQtStreamClone::WvQtStreamClone(), and WvSSLStream::WvSSLStream().

virtual unsigned int IObject::release ( ) [pure virtual, inherited]

Indicate that you are finished using this object.

This decreases the reference count of the object by one. Usually, when the reference count reaches zero, the object is freed automatically.

You will usually need to manually release() any object given to you by any other XPLC function, unless you give the object to someone else who will call release.

If you use xplc_ptr, it will do this for you.

Referenced by WvIStreamList::execute(), mutate(), NewMoniker::resolve(), and MonikerService::resolve().

virtual IObject* IObject::getInterface ( const UUID & ) [pure virtual, inherited]

Returns the requested XPLC interface.

Will return NULL if the interface is not supported. The returned interface has been addRef()ed, so you will need to release() it when done. Note that the interface returned may be a pointer to the same object or a different one - that's none of your business. Asking for the IObject interface should always return the same pointer for a given logical object, so this can be used for comparison by identity.

You should probably use the convenient mutate() and get() functions instead of this, or use an xplc_ptr, which mutates the object for you.

Referenced by mutate().

virtual IWeakRef* IObject::getWeakRef ( ) [pure virtual, inherited]

Return a weak reference to this object.

A weak reference points at the object, but does not control the lifetime of the object. An object can thus still be deleted while someone holds a weak reference. You will still need to release() the weak reference when you are done with it.

See also:
IWeakRef
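The addRef()/release()/getWeakRef() contract described above is easy to state and easy to get wrong by hand. The following is an added example, not XPLC's or WvStreams' code: a self-contained model of the contract in which the object is freed when its last strong reference is released, a weak reference observes the object without keeping it alive, the weak reference itself must still be released, and a small RAII holder in the spirit of xplc_ptr pairs each addRef() with its release() automatically. ModelObject, ModelWeakRef, scoped_ref and run_refcount_demo are hypothetical names.

```cpp
#include <cstddef>

struct ModelWeakRef;

// Model of an IObject: one strong count, one shared weak-reference block.
struct ModelObject {
    unsigned refs;            // strong references; the creator holds the first
    ModelWeakRef *weak;       // created on first getWeakRef(), shared after that
    static int live;          // how many ModelObjects currently exist

    ModelObject() : refs(1), weak(nullptr) { ++live; }
    ~ModelObject();
    unsigned addRef() { return ++refs; }
    unsigned release();
    ModelWeakRef *getWeakRef();
};
int ModelObject::live = 0;

// Model of an IWeakRef: refcounted itself, points at the target until the
// target dies, after which getObject() reports that by returning nullptr.
struct ModelWeakRef {
    unsigned refs;
    ModelObject *target;      // cleared by ~ModelObject()
    explicit ModelWeakRef(ModelObject *t) : refs(0), target(t) {}
    unsigned addRef() { return ++refs; }
    unsigned release() {
        unsigned n = --refs;
        if (n == 0) delete this;
        return n;
    }
    // Upgrade to a strong reference (addRef()ed, caller must release()).
    ModelObject *getObject() {
        if (!target) return nullptr;
        target->addRef();
        return target;
    }
};

ModelObject::~ModelObject()
{
    --live;
    if (weak) {               // detach the weak block; drop the object's hold on it
        weak->target = nullptr;
        weak->release();
    }
}

unsigned ModelObject::release()
{
    unsigned n = --refs;
    if (n == 0) delete this;  // freed when the last strong reference goes away
    return n;
}

ModelWeakRef *ModelObject::getWeakRef()
{
    if (!weak) {
        weak = new ModelWeakRef(this);
        weak->addRef();       // the object's own hold, released in the destructor
    }
    weak->addRef();           // the caller's hold; the caller must release() it
    return weak;
}

// Minimal xplc_ptr-like holder: takes ownership of one strong reference and
// releases it on scope exit, so addRef()/release() cannot get out of step.
template <class T> class scoped_ref {
    T *p;
public:
    explicit scoped_ref(T *raw = nullptr) : p(raw) {}
    ~scoped_ref() { if (p) p->release(); }
    scoped_ref(const scoped_ref &) = delete;
    scoped_ref &operator=(const scoped_ref &) = delete;
    T *get() const { return p; }
    T *operator->() const { return p; }
};

struct RefOutcome {
    int live_during;            // objects alive while strong refs are held
    bool weak_resolves_during;  // getObject() succeeds while the object lives
    bool weak_resolves_after;   // ... and fails once the object is gone
    int live_after;             // nothing leaked
};

// Constructed demonstration of the weak reference outliving its object.
RefOutcome run_refcount_demo()
{
    RefOutcome r{};
    ModelWeakRef *w = nullptr;
    {
        scoped_ref<ModelObject> obj(new ModelObject);      // refs == 1
        w = obj->getWeakRef();                              // our weak hold
        r.live_during = ModelObject::live;
        scoped_ref<ModelObject> again(w->getObject());      // refs == 2
        r.weak_resolves_during = again.get() != nullptr;
    }                                                       // refs 2 -> 1 -> 0: freed
    scoped_ref<ModelObject> gone(w->getObject());           // nullptr: target is dead
    r.weak_resolves_after = gone.get() != nullptr;
    r.live_after = ModelObject::live;
    w->release();                                           // weak refs need releasing too
    return r;
}
```

In the demo the two scoped_ref holders release in reverse order of construction, which is what takes the count from 2 to 0; the ModelWeakRef block survives that and is only deleted by the final w->release(), mirroring the "you will still need to release() the weak reference" rule above.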
