Class for handling X509 credentials. More...
#include <arc/credential/Credential.h>
Public Member Functions | |
Credential () | |
Credential (int keybits) | |
Credential (const std::string &CAfile, const std::string &CAkey, const std::string &CAserial, const std::string &extfile, const std::string &extsect, const std::string &passphrase4key) | |
Credential (const std::string &CAfile, const std::string &CAkey, const std::string &CAserial, const std::string &extfile, const std::string &extsect, PasswordSource &passphrase4key) | |
Credential (Time start, Period lifetime=Period("PT12H"), int keybits=2048, std::string proxyversion="rfc", std::string policylang="inheritAll", std::string policy="", int pathlength=-1) | |
Credential (const std::string &cert, const std::string &key, const std::string &cadir, const std::string &cafile, const std::string &passphrase4key="", const bool is_file=true) | |
Credential (const std::string &cert, const std::string &key, const std::string &cadir, const std::string &cafile, PasswordSource &passphrase4key, const bool is_file=true) | |
Credential (const UserConfig &usercfg, const std::string &passphrase4key="") | |
Credential (const UserConfig &usercfg, PasswordSource &passphrase4key) | |
void | SetSigningAlgorithm (Signalgorithm signing_algorithm=SIGN_DEFAULT) |
Set signing algorithm. More... | |
void | SetKeybits (int keybits=0) |
Set key bits. More... | |
void | LogError (void) const |
bool | GetVerification (void) const |
EVP_PKEY * | GetPrivKey (void) const |
EVP_PKEY * | GetPubKey (void) const |
X509 * | GetCert (void) const |
X509_REQ * | GetCertReq (void) const |
STACK_OF (X509) *GetCertChain(void) const | |
int | GetCertNumofChain (void) const |
Credformat | getFormat_BIO (BIO *in, const bool is_file=true) const |
Credformat | getFormat_str (const std::string &source) const |
std::string | GetDN (void) const |
std::string | GetIdentityName (void) const |
ArcCredential::certType | GetType (void) const |
std::string | GetIssuerName (void) const |
std::string | GetCAName (void) const |
Signalgorithm | GetSigningAlgorithm (void) const |
int | GetKeybits (void) const |
std::string | GetProxyPolicy (void) const |
void | SetProxyPolicy (const std::string &proxyversion, const std::string &policylang, const std::string &policy, int pathlength) |
bool | OutputPrivatekey (std::string &content, bool encryption=false, const std::string &passphrase="") |
bool | OutputPrivatekey (std::string &content, bool encryption, PasswordSource &passphrase) |
bool | OutputPublickey (std::string &content) |
bool | OutputCertificate (std::string &content, bool is_der=false) |
bool | OutputCertificateChain (std::string &content, bool is_der=false) |
Period | GetLifeTime (void) const |
Time | GetStartTime () const |
Time | GetEndTime () const |
void | SetLifeTime (const Period &period) |
void | SetStartTime (const Time &start_time) |
bool | IsValid (void) |
bool | AddExtension (const std::string &name, const std::string &data, bool crit=false, int type=-1) |
bool | AddExtension (const std::string &name, char **binary) |
std::string | GetExtension (const std::string &name) |
bool | GenerateEECRequest (BIO *reqbio, BIO *keybio, const std::string &dn="") |
bool | GenerateEECRequest (std::string &reqcontent, std::string &keycontent, const std::string &dn="") |
bool | GenerateEECRequest (const char *request_filename, const char *key_filename, const std::string &dn="") |
bool | GenerateRequest (BIO *bio, bool if_der=false) |
bool | GenerateRequest (std::string &content, bool if_der=false) |
bool | GenerateRequest (const char *filename, bool if_der=false) |
bool | InquireRequest (BIO *reqbio, bool if_eec=false, bool if_der=false) |
bool | InquireRequest (std::string &content, bool if_eec=false, bool if_der=false) |
bool | InquireRequest (const char *filename, bool if_eec=false, bool if_der=false) |
bool | SignRequest (Credential *proxy, BIO *outputbio, bool if_der=false) |
bool | SignRequest (Credential *proxy, std::string &content, bool if_der=false) |
bool | SignRequest (Credential *proxy, const char *filename, bool if_der=false) |
bool | SelfSignEECRequest (const std::string &dn, const char *extfile, const std::string &extsect, const char *certfile) |
bool | SignEECRequest (Credential *eec, const std::string &dn, BIO *outputbio) |
bool | SignEECRequest (Credential *eec, const std::string &dn, std::string &content) |
bool | SignEECRequest (Credential *eec, const std::string &dn, const char *filename) |
Static Public Member Functions | |
static void | InitProxyCertInfo (void) |
static bool | IsCredentialsValid (const UserConfig &usercfg) |
static void | AddCertExtObj (std::string &sn, std::string &oid) |
static std::string | NoPassword (void) |
Class for handling X509 credentials.
The Credential class covers general processing of certificate/key files, including:
The Credential class supports PEM, DER and PKCS12 credentials.
Arc::Credential::Credential | ( | ) |
Default constructor; it only acts as a container for inquiring a certificate request and is meaningless for any other use.
Arc::Credential::Credential | ( | int | keybits | ) |
Constructor with a user-defined key length. Needed for creation of EE certificates, since some applications only support keys with a certain minimum length greater than 1024.
Arc::Credential::Credential | ( | const std::string & | CAfile, |
const std::string & | CAkey, | ||
const std::string & | CAserial, | ||
const std::string & | extfile, | ||
const std::string & | extsect, | ||
const std::string & | passphrase4key | ||
) |
Specific constructor for a CA certificate; it is meaningless for any other use.
Arc::Credential::Credential | ( | const std::string & | CAfile, |
const std::string & | CAkey, | ||
const std::string & | CAserial, | ||
const std::string & | extfile, | ||
const std::string & | extsect, | ||
PasswordSource & | passphrase4key | ||
) |
Same as the previous constructor, but allows the password to be supplied from different sources.
Arc::Credential::Credential | ( | Time | start, |
Period | lifetime = Period("PT12H") , |
||
int | keybits = 2048 , |
||
std::string | proxyversion = "rfc" , |
||
std::string | policylang = "inheritAll" , |
||
std::string | policy = "" , |
||
int | pathlength = -1 |
||
) |
Specific constructor for a proxy certificate. It only acts as a container for constraining certificate signing and/or generating a certificate request (only keybits is useful for creating a certificate request) and is meaningless for any other use.
The proxyversion and policylang parameters specify the proxy certificate type and the policy language inside the proxy. The definition of proxy version and policy language is based on http://dev.globus.org/wiki/Security/ProxyCertTypes#RFC_3820_Proxy_Certificates The code is supposed to support the proxy versions:
and corresponding policy languages
In openssl>=098, there are three types of policy languages:
start | start time of proxy certificate |
lifetime | lifetime of proxy certificate |
keybits | modulus size for RSA key generation; it should be greater than 1024 if this object is used for generating an X509 request, and 0 if this object is used for constraining certificate signing. |
proxyversion | proxy certificate version (see above for values) |
policylang | policy language of the proxy (see above for values) |
policy | path to file with policy content |
pathlength | path length constraint |
Arc::Credential::Credential | ( | const std::string & | cert, |
const std::string & | key, | ||
const std::string & | cadir, | ||
const std::string & | cafile, | ||
const std::string & | passphrase4key = "" , |
||
const bool | is_file = true |
||
) |
Specific constructor for a usual certificate, constructing from credential files. It only acts as a container for parsing the certificate and key files and is meaningless for any other use. This constructor parses the credential information and stores it in "this" object.
cert | path to certificate file |
key | path to key file |
cadir | path to directory of CA certificates |
cafile | path to file with CA certificate |
passphrase4key | specifies the password for decrypting the private key (if needed). If the value is empty, the password will be requested interactively. To avoid the interactive password prompt, use the value provided by the NoPassword() method. |
is_file | specifies whether cert/key are read from files; otherwise they are supposed to be supplied as strings. The default is from files. |
Arc::Credential::Credential | ( | const std::string & | cert, |
const std::string & | key, | ||
const std::string & | cadir, | ||
const std::string & | cafile, | ||
PasswordSource & | passphrase4key, | ||
const bool | is_file = true |
||
) |
Same as the previous constructor, but allows the password to be supplied from different sources.
Arc::Credential::Credential | ( | const UserConfig & | usercfg, |
const std::string & | passphrase4key = "" |
||
) |
Specific constructor for a usual certificate, constructing from information in a UserConfig object. It only acts as a container for parsing the certificate and key files and is meaningless for any other use. This constructor parses the credential information and stores it in "this" object.
usercfg | UserConfig object from which certificate information is obtained |
passphrase4key | passphrase for private key |
Arc::Credential::Credential | ( | const UserConfig & | usercfg, |
PasswordSource & | passphrase4key | ||
) |
Same as the previous constructor, but allows the password to be supplied from different sources.
static |
General method for adding a new NID to OpenSSL's global constants.
bool Arc::Credential::AddExtension | ( | const std::string & | name, |
const std::string & | data, | ||
bool | crit = false , |
||
int | type = -1 |
||
) |
Add an extension to the extension part of the certificate.
name | the name of the extension; the OID associated with the name must be registered with OpenSSL first |
data | the data which will be inserted into the certificate extension |
crit | whether the extension is marked critical |
bool Arc::Credential::AddExtension | ( | const std::string & | name, |
char ** | binary | ||
) |
Add an extension to the extension part of the certificate.
name | the name of the extension; the OID associated with the name must be registered with OpenSSL first |
binary | the data which will be inserted into the certificate extension part as a specific extension. There should be specific methods defined inside a specific X509V3_EXT_METHOD structure to parse the specific extension format. For example, the VOMS attribute certificate is a specific extension to a proxy certificate; a specific X509V3_EXT_METHOD is defined in VOMSAttribute.h and VOMSAttribute.c for parsing the attribute certificate. In OpenSSL, the specific X509V3_EXT_METHOD can be obtained according to the extension name/id, see X509V3_EXT_get_nid(ext_nid). |
bool Arc::Credential::GenerateEECRequest | ( | BIO * | reqbio, |
BIO * | keybio, | ||
const std::string & | dn = "" |
||
) |
Generate an EEC request based on the keybits and signing algorithm information inside this object, and output the certificate request to the output BIO.
The user will be asked for a private key password.
bool Arc::Credential::GenerateEECRequest | ( | std::string & | reqcontent, |
std::string & | keycontent, | ||
const std::string & | dn = "" |
||
) |
Generate an EEC request, output the certificate request to a string
bool Arc::Credential::GenerateEECRequest | ( | const char * | request_filename, |
const char * | key_filename, | ||
const std::string & | dn = "" |
||
) |
Generate an EEC request, output the certificate request and the key to a file
bool Arc::Credential::GenerateRequest | ( | BIO * | bio, |
bool | if_der = false |
||
) |
Generate a proxy request based on the keybits and signing algorithm information inside this object, and output the certificate request to the output BIO.
bool Arc::Credential::GenerateRequest | ( | std::string & | content, |
bool | if_der = false |
||
) |
Generate a proxy request, output the certificate request to a string
bool Arc::Credential::GenerateRequest | ( | const char * | filename, |
bool | if_der = false |
||
) |
Generate a proxy request, output the certificate request to a file
std::string Arc::Credential::GetCAName | ( | void | ) | const |
Get the CA of the certificate attached to this object; if the certificate is an EEC, GetCAName returns the same value as GetIssuerName.
X509* Arc::Credential::GetCert | ( | void | ) | const |
Get the certificate attached to this object
int Arc::Credential::GetCertNumofChain | ( | void | ) | const |
Get the number of certificates in the certificate chain attached to this object
X509_REQ* Arc::Credential::GetCertReq | ( | void | ) | const |
Get the certificate request, if there is any
std::string Arc::Credential::GetDN | ( | void | ) | const |
Get the DN of the certificate attached to this object
Time Arc::Credential::GetEndTime | ( | ) | const |
Returns validity end time of certificate or proxy
std::string Arc::Credential::GetExtension | ( | const std::string & | name | ) |
Get the specific extension (named by the parameter) from the certificate. This function is only supposed to be called after the certificate and key have been loaded by the constructor for a usual certificate.
name | the name of the extension to get |
Credformat Arc::Credential::getFormat_BIO | ( | BIO * | in, |
const bool | is_file = true |
||
) | const |
Get the certificate format: PEM, PKCS12 or DER. The BIO could be memory or file; they should be processed differently.
std::string Arc::Credential::GetIdentityName | ( | void | ) | const |
Get the Identity name of the certificate attached to this object, the result will not include proxy CN
std::string Arc::Credential::GetIssuerName | ( | void | ) | const |
Get issuer of the certificate attached to this object
int Arc::Credential::GetKeybits | ( | void | ) | const |
Get key size of the certificate attached to this object
Period Arc::Credential::GetLifeTime | ( | void | ) | const |
Returns lifetime of certificate or proxy
EVP_PKEY* Arc::Credential::GetPrivKey | ( | void | ) | const |
Get the private key attached to this object
std::string Arc::Credential::GetProxyPolicy | ( | void | ) | const |
Get the proxy policy attached to the "proxy certificate information" extension of the proxy certificate
EVP_PKEY* Arc::Credential::GetPubKey | ( | void | ) | const |
Get the public key attached to this object
Signalgorithm Arc::Credential::GetSigningAlgorithm | ( | void | ) | const |
Get signing algorithm used to sign the certificate attached to this object
Time Arc::Credential::GetStartTime | ( | ) | const |
Returns validity start time of certificate or proxy
ArcCredential::certType Arc::Credential::GetType | ( | void | ) | const |
Get type of the certificate attached to this object
inline |
Get the verification result about certificate chain checking
static |
Initialize the NID for the proxy certificate extension.
bool Arc::Credential::InquireRequest | ( | BIO * | reqbio, |
bool | if_eec = false , |
||
bool | if_der = false |
||
) |
Inquire the certificate request from the BIO, put the request information into the X509_REQ inside this object, and parse the certificate type from the PROXYCERTINFO in the request's extension.
reqbio | the BIO containing the certificate request |
if_eec | true if EEC request |
if_der | false for PEM; true for DER |
bool Arc::Credential::InquireRequest | ( | std::string & | content, |
bool | if_eec = false , |
||
bool | if_der = false |
||
) |
Inquire the certificate request from a string
bool Arc::Credential::InquireRequest | ( | const char * | filename, |
bool | if_eec = false , |
||
bool | if_der = false |
||
) |
Inquire the certificate request from a file
static |
Returns true if credentials are valid. Credentials are read from the locations specified in the UserConfig object. This method is deprecated; use the per-instance method IsValid() instead.
bool Arc::Credential::IsValid | ( | void | ) |
Returns true if credentials are valid
void Arc::Credential::LogError | ( | void | ) | const |
Log error information related to OpenSSL.
bool Arc::Credential::OutputCertificate | ( | std::string & | content, |
bool | is_der = false |
||
) |
Output the certificate into string
content | Filled with certificate content |
is_der | false for PEM, true for DER |
bool Arc::Credential::OutputCertificateChain | ( | std::string & | content, |
bool | is_der = false |
||
) |
Output the certificate chain into string
content | Filled with certificate chain content |
is_der | false for PEM, true for DER |
bool Arc::Credential::OutputPrivatekey | ( | std::string & | content, |
bool | encryption = false , |
||
const std::string & | passphrase = "" |
||
) |
Output the private key into a string.
content | Filled with private key content |
encryption | whether to encrypt the output private key (the default, false, writes the key unencrypted) |
passphrase | the passphrase used to encrypt the output private key |
bool Arc::Credential::OutputPrivatekey | ( | std::string & | content, |
bool | encryption, | ||
PasswordSource & | passphrase | ||
) |
Output the private key into a string.
content | Filled with private key content |
encryption | whether to encrypt the output private key |
passphrase | the source of the passphrase used to encrypt the output private key |
bool Arc::Credential::OutputPublickey | ( | std::string & | content | ) |
Output the public key into string
bool Arc::Credential::SelfSignEECRequest | ( | const std::string & | dn, |
const char * | extfile, | ||
const std::string & | extsect, | ||
const char * | certfile | ||
) |
Self-sign a certificate. This functionality is specific to creating a CA credential using this Credential class.
dn | the DN for the subject |
extfile | the configuration file which includes the extension information, typically the openssl.cnf file |
extsect | the section/group name for the extension, e.g. in openssl.cnf, usr_cert and v3_ca |
certfile | the certificate file, which contains the signed certificate |
void Arc::Credential::SetKeybits | ( | int | keybits = 0 | ) |
Set key bits.
void Arc::Credential::SetLifeTime | ( | const Period & | period | ) |
Set lifetime of certificate or proxy
void Arc::Credential::SetProxyPolicy | ( | const std::string & | proxyversion, |
const std::string & | policylang, | ||
const std::string & | policy, | ||
int | pathlength | ||
) |
Set the proxy policy attached to the "proxy certificate information" extension of the proxy certificate
void Arc::Credential::SetSigningAlgorithm | ( | Signalgorithm | signing_algorithm = SIGN_DEFAULT | ) |
Set signing algorithm.
void Arc::Credential::SetStartTime | ( | const Time & | start_time | ) |
Set start time of certificate or proxy
bool Arc::Credential::SignEECRequest | ( | Credential * | eec, |
const std::string & | dn, | ||
BIO * | outputbio | ||
) |
Sign an EEC request and output the signed certificate to the output BIO.
bool Arc::Credential::SignEECRequest | ( | Credential * | eec, |
const std::string & | dn, | ||
std::string & | content | ||
) |
Sign request and output the signed certificate to a string
bool Arc::Credential::SignEECRequest | ( | Credential * | eec, |
const std::string & | dn, | ||
const char * | filename | ||
) |
Sign request and output the signed certificate to a file
bool Arc::Credential::SignRequest | ( | Credential * | proxy, |
BIO * | outputbio, | ||
bool | if_der = false |
||
) |
Sign the request based on the information inside proxy, and output the signed certificate to the output BIO.
proxy | Credential object holding proxy information |
outputbio | BIO to hold the signed certificate |
if_der | false for PEM, true for DER |
bool Arc::Credential::SignRequest | ( | Credential * | proxy, |
std::string & | content, | ||
bool | if_der = false |
||
) |
Sign request and output the signed certificate to a string
proxy | Credential object holding proxy information |
content | string to hold the signed certificate |
if_der | false for PEM, true for DER |
bool Arc::Credential::SignRequest | ( | Credential * | proxy, |
const char * | filename, | ||
bool | if_der = false |
||
) |
Sign request and output the signed certificate to a file
proxy | Credential object holding proxy information |
filename | path to file where certificate will be written |
if_der | false for PEM, true for DER |
Arc::Credential::STACK_OF | ( | X509 | ) | const |
Get the certificate chain attached to this object