ARC SDK
Arc::Credential Class Reference

Class for handling X509 credentials.

#include <arc/credential/Credential.h>

Public Member Functions

 Credential ()
 
 Credential (int keybits)
 
 Credential (const std::string &CAfile, const std::string &CAkey, const std::string &CAserial, const std::string &extfile, const std::string &extsect, const std::string &passphrase4key)
 
 Credential (const std::string &CAfile, const std::string &CAkey, const std::string &CAserial, const std::string &extfile, const std::string &extsect, PasswordSource &passphrase4key)
 
 Credential (Time start, Period lifetime=Period("PT12H"), int keybits=2048, std::string proxyversion="rfc", std::string policylang="inheritAll", std::string policy="", int pathlength=-1)
 
 Credential (const std::string &cert, const std::string &key, const std::string &cadir, const std::string &cafile, const std::string &passphrase4key="", const bool is_file=true)
 
 Credential (const std::string &cert, const std::string &key, const std::string &cadir, const std::string &cafile, PasswordSource &passphrase4key, const bool is_file=true)
 
 Credential (const UserConfig &usercfg, const std::string &passphrase4key="")
 
 Credential (const UserConfig &usercfg, PasswordSource &passphrase4key)
 
void SetSigningAlgorithm (Signalgorithm signing_algorithm=SIGN_DEFAULT)
 Set signing algorithm.
 
void SetKeybits (int keybits=0)
 Set key bits.
 
void LogError (void) const
 
bool GetVerification (void) const
 
EVP_PKEY * GetPrivKey (void) const
 
EVP_PKEY * GetPubKey (void) const
 
X509 * GetCert (void) const
 
X509_REQ * GetCertReq (void) const
 
 STACK_OF(X509) * GetCertChain (void) const
 
int GetCertNumofChain (void) const
 
Credformat getFormat_BIO (BIO *in, const bool is_file=true) const
 
Credformat getFormat_str (const std::string &source) const
 
std::string GetDN (void) const
 
std::string GetIdentityName (void) const
 
ArcCredential::certType GetType (void) const
 
std::string GetIssuerName (void) const
 
std::string GetCAName (void) const
 
Signalgorithm GetSigningAlgorithm (void) const
 
int GetKeybits (void) const
 
std::string GetProxyPolicy (void) const
 
void SetProxyPolicy (const std::string &proxyversion, const std::string &policylang, const std::string &policy, int pathlength)
 
bool OutputPrivatekey (std::string &content, bool encryption=false, const std::string &passphrase="")
 
bool OutputPrivatekey (std::string &content, bool encryption, PasswordSource &passphrase)
 
bool OutputPublickey (std::string &content)
 
bool OutputCertificate (std::string &content, bool is_der=false)
 
bool OutputCertificateChain (std::string &content, bool is_der=false)
 
Period GetLifeTime (void) const
 
Time GetStartTime () const
 
Time GetEndTime () const
 
void SetLifeTime (const Period &period)
 
void SetStartTime (const Time &start_time)
 
bool IsValid (void)
 
bool AddExtension (const std::string &name, const std::string &data, bool crit=false, int type=-1)
 
bool AddExtension (const std::string &name, char **binary)
 
std::string GetExtension (const std::string &name)
 
bool GenerateEECRequest (BIO *reqbio, BIO *keybio, const std::string &dn="")
 
bool GenerateEECRequest (std::string &reqcontent, std::string &keycontent, const std::string &dn="")
 
bool GenerateEECRequest (const char *request_filename, const char *key_filename, const std::string &dn="")
 
bool GenerateRequest (BIO *bio, bool if_der=false)
 
bool GenerateRequest (std::string &content, bool if_der=false)
 
bool GenerateRequest (const char *filename, bool if_der=false)
 
bool InquireRequest (BIO *reqbio, bool if_eec=false, bool if_der=false)
 
bool InquireRequest (std::string &content, bool if_eec=false, bool if_der=false)
 
bool InquireRequest (const char *filename, bool if_eec=false, bool if_der=false)
 
bool SignRequest (Credential *proxy, BIO *outputbio, bool if_der=false)
 
bool SignRequest (Credential *proxy, std::string &content, bool if_der=false)
 
bool SignRequest (Credential *proxy, const char *filename, bool if_der=false)
 
bool SelfSignEECRequest (const std::string &dn, const char *extfile, const std::string &extsect, const char *certfile)
 
bool SignEECRequest (Credential *eec, const std::string &dn, BIO *outputbio)
 
bool SignEECRequest (Credential *eec, const std::string &dn, std::string &content)
 
bool SignEECRequest (Credential *eec, const std::string &dn, const char *filename)
 

Static Public Member Functions

static void InitProxyCertInfo (void)
 
static bool IsCredentialsValid (const UserConfig &usercfg)
 
static void AddCertExtObj (std::string &sn, std::string &oid)
 
static std::string NoPassword (void)
 

Detailed Description

Class for handling X509 credentials.

The Credential class covers the general processing of certificate/key files, including:

  1. certificate/key parsing and information extraction (subject name, issuer name, lifetime, etc.), chain verification, and processing of the proxy certificate information extension. Other general certificate extensions (such as VOMS attributes) are created, parsed and verified by the extension-specific code, not by the Credential class; for VOMS that code writes and parses an RFC 3281 Attribute Certificate, which is then treated as an opaque binary blob and embedded as an extension of the X509 certificate or proxy certificate;
  2. certificate requests, extension embedding and certificate signing, for both proxy certificates and EECs (end entity certificates).

The Credential class supports PEM, DER and PKCS12 credentials.

Constructor & Destructor Documentation

◆ Credential() [1/9]

Arc::Credential::Credential ( )

Default constructor. The object only acts as a container for inquiring a certificate request and is meaningless for any other use.

◆ Credential() [2/9]

Arc::Credential::Credential ( int  keybits)

Constructor with a user-defined key length. Needed for the creation of EE certificates, since some applications only accept keys with a minimum length greater than 1024 bits.

◆ Credential() [3/9]

Arc::Credential::Credential ( const std::string &  CAfile,
const std::string &  CAkey,
const std::string &  CAserial,
const std::string &  extfile,
const std::string &  extsect,
const std::string &  passphrase4key 
)

Constructor specific to a CA credential (CA certificate, CA key, CA serial file, and the extension configuration file and section used when signing); meaningless for any other use.

◆ Credential() [4/9]

Arc::Credential::Credential ( const std::string &  CAfile,
const std::string &  CAkey,
const std::string &  CAserial,
const std::string &  extfile,
const std::string &  extsect,
PasswordSource &  passphrase4key 
)

Same as the previous constructor, but allows the password to be supplied from different sources.

Since
Added in 4.0.0.

◆ Credential() [5/9]

Arc::Credential::Credential ( Time  start,
Period  lifetime = Period("PT12H"),
int  keybits = 2048,
std::string  proxyversion = "rfc",
std::string  policylang = "inheritAll",
std::string  policy = "",
int  pathlength = -1 
)

Constructor specific to a proxy certificate. The object only acts as a container for constraining certificate signing and/or generating a certificate request (only keybits matters when generating a request) and is meaningless for any other use.

The proxyversion and policylang parameters specify the proxy certificate type and the policy language inside the proxy. The definitions of proxy version and policy language follow http://dev.globus.org/wiki/Security/ProxyCertTypes#RFC_3820_Proxy_Certificates. The code is supposed to support the proxy versions:

  • GSI2 (legacy proxy)
  • GSI3 (Proxy draft)
  • RFC (RFC3820 proxy)

and corresponding policy languages

  • GSI2 (GSI2, GSI2_LIMITED)
  • GSI3
  • RFC
    • IMPERSONATION_PROXY: 1.3.6.1.5.5.7.21.1
    • INDEPENDENT_PROXY: 1.3.6.1.5.5.7.21.2
    • LIMITED_PROXY: 1.3.6.1.4.1.3536.1.1.1.9
    • RESTRICTED_PROXY: policy language undefined

In OpenSSL >= 0.9.8 there are three types of policy languages:

  • id-ppl-inheritAll: 1.3.6.1.5.5.7.21.1
  • id-ppl-independent: 1.3.6.1.5.5.7.21.2
  • id-ppl-anyLanguage: 1.3.6.1.5.5.7.21.0
Parameters
start: start time of the proxy certificate
lifetime: lifetime of the proxy certificate
keybits: modulus size for RSA key generation; it should be greater than 1024 if this object is used for generating an X509 request, and 0 if this object is used only for constraining certificate signing
proxyversion: proxy certificate version (see above for values)
policylang: policy language of the proxy (see above for values)
policy: path to a file with the policy content
pathlength: path length constraint

◆ Credential() [6/9]

Arc::Credential::Credential ( const std::string &  cert,
const std::string &  key,
const std::string &  cadir,
const std::string &  cafile,
const std::string &  passphrase4key = "",
const bool  is_file = true 
)

Constructor for a usual certificate, constructed from credential files. The object only acts as a container for parsing the certificate and key files and is meaningless for any other use. This constructor parses the credential information and stores it in this object.

Parameters
cert: path to the certificate file
key: path to the key file
cadir: path to the directory of CA certificates
cafile: path to a file with the CA certificate
passphrase4key: the password for decrypting the private key (if needed). If the value is empty, the password is asked for interactively; to avoid being asked, pass the value returned by NoPassword().
is_file: true if cert and key are paths to files, false if they are the credential contents as strings; the default is file

◆ Credential() [7/9]

Arc::Credential::Credential ( const std::string &  cert,
const std::string &  key,
const std::string &  cadir,
const std::string &  cafile,
PasswordSource &  passphrase4key,
const bool  is_file = true 
)

Same as the previous constructor, but allows the password to be supplied from different sources.

Since
Added in 4.0.0.

◆ Credential() [8/9]

Arc::Credential::Credential ( const UserConfig &  usercfg,
const std::string &  passphrase4key = "" 
)

Constructor for a usual certificate, constructed from the information in a UserConfig object. The object only acts as a container for parsing the certificate and key files and is meaningless for any other use. This constructor parses the credential information and stores it in this object.

Parameters
usercfg: UserConfig object from which the certificate information is obtained
passphrase4key: passphrase for the private key

◆ Credential() [9/9]

Arc::Credential::Credential ( const UserConfig &  usercfg,
PasswordSource &  passphrase4key 
)

Same as the previous constructor, but allows the password to be supplied from different sources.

Since
Added in 4.0.0.

Member Function Documentation

◆ AddCertExtObj()

static void Arc::Credential::AddCertExtObj ( std::string &  sn,
std::string &  oid 
)
static

General method for registering a new NID in OpenSSL's global object table, with short name sn and object identifier oid

◆ AddExtension() [1/2]

bool Arc::Credential::AddExtension ( const std::string &  name,
const std::string &  data,
bool  crit = false,
int  type = -1 
)

Add an extension to the extension part of the certificate

Parameters
name: the name of the extension; the OID associated with the name must be registered with OpenSSL first (see AddCertExtObj())
data: the data to insert into the certificate extension
crit: whether the extension is marked critical

◆ AddExtension() [2/2]

bool Arc::Credential::AddExtension ( const std::string &  name,
char **  binary 
)

Add an extension to the extension part of the certificate

Parameters
name: the name of the extension; the OID associated with the name must be registered with OpenSSL first
binary: the data to insert into the certificate as a specific extension. An X509V3_EXT_METHOD structure with methods for parsing that extension format must be defined for it. For example, a VOMS attribute certificate is a specific extension of a proxy certificate, and the X509V3_EXT_METHOD for parsing the attribute certificate is defined in VOMSAttribute.h and VOMSAttribute.c. In OpenSSL the X509V3_EXT_METHOD is looked up by extension name/NID, see X509V3_EXT_get_nid(ext_nid)

◆ GenerateEECRequest() [1/3]

bool Arc::Credential::GenerateEECRequest ( BIO *  reqbio,
BIO *  keybio,
const std::string &  dn = "" 
)

Generate an EEC request based on the keybits and signing algorithm information inside this object, and write the certificate request and the private key to the output BIOs

The user will be asked for a private key password

◆ GenerateEECRequest() [2/3]

bool Arc::Credential::GenerateEECRequest ( std::string &  reqcontent,
std::string &  keycontent,
const std::string &  dn = "" 
)

Generate an EEC request, writing the certificate request and the key to strings

◆ GenerateEECRequest() [3/3]

bool Arc::Credential::GenerateEECRequest ( const char *  request_filename,
const char *  key_filename,
const std::string &  dn = "" 
)

Generate an EEC request, writing the certificate request and the key to files

◆ GenerateRequest() [1/3]

bool Arc::Credential::GenerateRequest ( BIO *  bio,
bool  if_der = false 
)

Generate a proxy request based on the keybits and signing algorithm information inside this object, and write the certificate request to the output BIO

◆ GenerateRequest() [2/3]

bool Arc::Credential::GenerateRequest ( std::string &  content,
bool  if_der = false 
)

Generate a proxy request, writing the certificate request to a string

◆ GenerateRequest() [3/3]

bool Arc::Credential::GenerateRequest ( const char *  filename,
bool  if_der = false 
)

Generate a proxy request, writing the certificate request to a file

◆ GetCAName()

std::string Arc::Credential::GetCAName ( void  ) const

Get the CA of the certificate attached to this object. If the certificate is an EEC, GetCAName returns the same value as GetIssuerName

◆ GetCert()

X509* Arc::Credential::GetCert ( void  ) const

Get the certificate attached to this object

◆ GetCertNumofChain()

int Arc::Credential::GetCertNumofChain ( void  ) const

Get the number of certificates in the certificate chain attached to this object

◆ GetCertReq()

X509_REQ* Arc::Credential::GetCertReq ( void  ) const

Get the certificate request, if there is any

◆ GetDN()

std::string Arc::Credential::GetDN ( void  ) const

Get the DN of the certificate attached to this object

◆ GetEndTime()

Time Arc::Credential::GetEndTime ( ) const

Returns validity end time of certificate or proxy

◆ GetExtension()

std::string Arc::Credential::GetExtension ( const std::string &  name)

Get the specific extension (named by the parameter) from the certificate. This function is only supposed to be called after the certificate and key have been loaded by the constructor for a usual certificate

Parameters
name: the name of the extension to get

◆ getFormat_BIO()

Credformat Arc::Credential::getFormat_BIO ( BIO *  in,
const bool  is_file = true 
) const

Get the certificate format: PEM, PKCS12 or DER. The BIO may be backed by memory or by a file, and the two must be processed differently.

◆ GetIdentityName()

std::string Arc::Credential::GetIdentityName ( void  ) const

Get the identity name of the certificate attached to this object; the result does not include the proxy CN components
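As an added example (not code from the ARC SDK), the following standard C++ models at the subject-name level what the proxy versions listed for the proxy constructor above and the GetIdentityName() description imply: a legacy (GSI2) proxy appends a CN of "proxy" or "limited proxy" to the issuer's subject, an RFC 3820 proxy appends one CN per delegation (by convention a decimal serial number, which this example assumes), and the identity is the subject with those trailing proxy CNs stripped. ARC determines the actual type from the PROXYCERTINFO extension, so the CN-based rules here are only a heuristic on the DN; the enum, struct and function names are this example's own, and the DNs are constructed samples.

```cpp
// Added example, not part of the ARC SDK: DN-level heuristic for proxy
// type and identity name. Real classification uses the ProxyCertInfo
// extension; a user whose real CN is purely numeric would be misread here.
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

enum class ProxyKind { EEC, LegacyProxy, LegacyLimitedProxy, RfcProxy };

// Split an OpenSSL one-line DN ("/DC=org/DC=example/CN=Alice") into RDNs.
static std::vector<std::string> splitDn(const std::string& dn) {
    std::vector<std::string> rdns;
    std::string cur;
    for (char c : dn) {
        if (c == '/') {
            if (!cur.empty()) rdns.push_back(cur);
            cur.clear();
        } else {
            cur += c;
        }
    }
    if (!cur.empty()) rdns.push_back(cur);
    return rdns;
}

static bool isDecimal(const std::string& s) {
    if (s.empty()) return false;
    for (char c : s)
        if (!std::isdigit(static_cast<unsigned char>(c))) return false;
    return true;
}

// Classify one RDN: legacy proxy CNs are literal, RFC 3820 proxy CNs are
// assumed to be decimal serial numbers; anything else belongs to the EEC.
static ProxyKind classifyRdn(const std::string& rdn) {
    if (rdn.compare(0, 3, "CN=") != 0) return ProxyKind::EEC;
    const std::string value = rdn.substr(3);
    if (value == "proxy") return ProxyKind::LegacyProxy;
    if (value == "limited proxy") return ProxyKind::LegacyLimitedProxy;
    if (isDecimal(value)) return ProxyKind::RfcProxy;
    return ProxyKind::EEC;
}

struct Identity {
    ProxyKind kind;        // kind of the outermost (last) certificate
    int depth;             // number of proxy CN components stripped
    std::string identity;  // DN with the trailing proxy CNs removed
};

// Strip trailing proxy CNs from the subject and report what was stripped.
Identity identityFromDn(const std::string& dn) {
    std::vector<std::string> rdns = splitDn(dn);
    Identity out{ProxyKind::EEC, 0, ""};
    while (!rdns.empty()) {
        ProxyKind k = classifyRdn(rdns.back());
        if (k == ProxyKind::EEC) break;       // reached the EEC part of the name
        if (out.depth == 0) out.kind = k;     // outermost proxy sets the type
        rdns.pop_back();
        ++out.depth;
    }
    for (const std::string& r : rdns) out.identity += "/" + r;
    return out;
}

int main() {
    // Constructed sample subjects: an EEC, a legacy proxy, a two-level RFC proxy.
    const char* samples[] = {
        "/DC=org/DC=example/CN=Alice",
        "/DC=org/DC=example/CN=Alice/CN=proxy",
        "/DC=org/DC=example/CN=Alice/CN=1234567890/CN=987654321",
    };
    for (const char* dn : samples) {
        Identity id = identityFromDn(dn);
        std::cout << dn << " -> identity " << id.identity
                  << ", proxy depth " << id.depth << '\n';
    }
    return 0;
}
```

The depth value is what a path length constraint (the pathlength parameter of the proxy constructor) limits: each further delegation adds one CN and one certificate to the chain, so a verifier comparing depth against the constraint recorded in the ProxyCertInfo extension can reject over-delegated chains even when every signature checks out.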

◆ GetIssuerName()

std::string Arc::Credential::GetIssuerName ( void  ) const

Get issuer of the certificate attached to this object

◆ GetKeybits()

int Arc::Credential::GetKeybits ( void  ) const

Get key size of the certificate attached to this object

Since
Added in 4.0.0.

◆ GetLifeTime()

Period Arc::Credential::GetLifeTime ( void  ) const

Returns lifetime of certificate or proxy

◆ GetPrivKey()

EVP_PKEY* Arc::Credential::GetPrivKey ( void  ) const

Get the private key attached to this object

◆ GetProxyPolicy()

std::string Arc::Credential::GetProxyPolicy ( void  ) const

Get the proxy policy attached to the "proxy certificate information" extension of the proxy certificate

◆ GetPubKey()

EVP_PKEY* Arc::Credential::GetPubKey ( void  ) const

Get the public key attached to this object

◆ GetSigningAlgorithm()

Signalgorithm Arc::Credential::GetSigningAlgorithm ( void  ) const

Get signing algorithm used to sign the certificate attached to this object

Since
Added in 4.0.0.

◆ GetStartTime()

Time Arc::Credential::GetStartTime ( ) const

Returns validity start time of certificate or proxy

◆ GetType()

ArcCredential::certType Arc::Credential::GetType ( void  ) const

Get type of the certificate attached to this object

◆ GetVerification()

bool Arc::Credential::GetVerification ( void  ) const
inline

Get the verification result about certificate chain checking

◆ InitProxyCertInfo()

static void Arc::Credential::InitProxyCertInfo ( void  )
static

Initialise the NID for the proxy certificate information extension

◆ InquireRequest() [1/3]

bool Arc::Credential::InquireRequest ( BIO *  reqbio,
bool  if_eec = false,
bool  if_der = false 
)

Inquire the certificate request from a BIO, put the request information into the X509_REQ inside this object, and parse the certificate type from the PROXYCERTINFO extension of the request

Parameters
reqbio: the BIO containing the certificate request
if_eec: true if the request is an EEC request
if_der: false for PEM, true for DER

◆ InquireRequest() [2/3]

bool Arc::Credential::InquireRequest ( std::string &  content,
bool  if_eec = false,
bool  if_der = false 
)

Inquire the certificate request from a string

◆ InquireRequest() [3/3]

bool Arc::Credential::InquireRequest ( const char *  filename,
bool  if_eec = false,
bool  if_der = false 
)

Inquire the certificate request from a file

◆ IsCredentialsValid()

static bool Arc::Credential::IsCredentialsValid ( const UserConfig &  usercfg)
static

Returns true if the credentials are valid. The credentials are read from the locations specified in the UserConfig object. This method is deprecated; use the per-instance method IsValid() instead.

◆ IsValid()

bool Arc::Credential::IsValid ( void  )

Returns true if the credentials attached to this object are valid

◆ LogError()

void Arc::Credential::LogError ( void  ) const

Log error information from OpenSSL

◆ OutputCertificate()

bool Arc::Credential::OutputCertificate ( std::string &  content,
bool  is_der = false 
)

Output the certificate into string

Parameters
content: filled with the certificate content
is_der: false for PEM, true for DER

◆ OutputCertificateChain()

bool Arc::Credential::OutputCertificateChain ( std::string &  content,
bool  is_der = false 
)

Output the certificate chain into string

Parameters
content: filled with the certificate chain content
is_der: false for PEM, true for DER

◆ OutputPrivatekey() [1/2]

bool Arc::Credential::OutputPrivatekey ( std::string &  content,
bool  encryption = false,
const std::string &  passphrase = "" 
)

Output the private key into string

Parameters
content: filled with the private key content
encryption: whether to encrypt the output private key
passphrase: the passphrase used to encrypt the output private key

◆ OutputPrivatekey() [2/2]

bool Arc::Credential::OutputPrivatekey ( std::string &  content,
bool  encryption,
PasswordSource &  passphrase 
)

Output the private key into string

Parameters
content: filled with the private key content
encryption: whether to encrypt the output private key
passphrase: the source of the passphrase used to encrypt the output private key
Since
Added in 4.0.0.

◆ OutputPublickey()

bool Arc::Credential::OutputPublickey ( std::string &  content)

Output the public key into string

◆ SelfSignEECRequest()

bool Arc::Credential::SelfSignEECRequest ( const std::string &  dn,
const char *  extfile,
const std::string &  extsect,
const char *  certfile 
)

Self-sign a certificate. This functionality is specific to creating a CA credential with this Credential class.

Parameters
dn: the DN for the subject
extfile: the configuration file that includes the extension information, typically the openssl.cnf file
extsect: the section/group name for the extension, e.g. usr_cert or v3_ca in openssl.cnf
certfile: the certificate file, which will contain the signed certificate

◆ SetKeybits()

void Arc::Credential::SetKeybits ( int  keybits = 0)

Set key bits.

Since
Added in 4.0.0.

◆ SetLifeTime()

void Arc::Credential::SetLifeTime ( const Period &  period)

Set lifetime of certificate or proxy

◆ SetProxyPolicy()

void Arc::Credential::SetProxyPolicy ( const std::string &  proxyversion,
const std::string &  policylang,
const std::string &  policy,
int  pathlength 
)

Set the proxy policy attached to the "proxy certificate information" extension of the proxy certificate

◆ SetSigningAlgorithm()

void Arc::Credential::SetSigningAlgorithm ( Signalgorithm  signing_algorithm = SIGN_DEFAULT)

Set signing algorithm.

Since
Added in 4.0.0.

◆ SetStartTime()

void Arc::Credential::SetStartTime ( const Time &  start_time)

Set start time of certificate or proxy

◆ SignEECRequest() [1/3]

bool Arc::Credential::SignEECRequest ( Credential *  eec,
const std::string &  dn,
BIO *  outputbio 
)

Sign an EEC request and write the signed certificate to the output BIO

◆ SignEECRequest() [2/3]

bool Arc::Credential::SignEECRequest ( Credential *  eec,
const std::string &  dn,
std::string &  content 
)

Sign an EEC request and write the signed certificate to a string

◆ SignEECRequest() [3/3]

bool Arc::Credential::SignEECRequest ( Credential *  eec,
const std::string &  dn,
const char *  filename 
)

Sign an EEC request and write the signed certificate to a file

◆ SignRequest() [1/3]

bool Arc::Credential::SignRequest ( Credential *  proxy,
BIO *  outputbio,
bool  if_der = false 
)

Sign the request based on the information inside proxy, and write the signed certificate to the output BIO

Parameters
proxy: Credential object holding the proxy information
outputbio: BIO to hold the signed certificate
if_der: false for PEM, true for DER

◆ SignRequest() [2/3]

bool Arc::Credential::SignRequest ( Credential *  proxy,
std::string &  content,
bool  if_der = false 
)

Sign the request based on the information inside proxy, and write the signed certificate to a string

Parameters
proxy: Credential object holding the proxy information
content: string to hold the signed certificate
if_der: false for PEM, true for DER

◆ SignRequest() [3/3]

bool Arc::Credential::SignRequest ( Credential *  proxy,
const char *  filename,
bool  if_der = false 
)

Sign the request based on the information inside proxy, and write the signed certificate to a file

Parameters
proxy: Credential object holding the proxy information
filename: path to the file where the certificate will be written
if_der: false for PEM, true for DER

◆ GetCertChain()

STACK_OF(X509)* Arc::Credential::GetCertChain ( void  ) const

Get the certificate chain attached to this object


The documentation for this class was generated from the following file: