#include <Credential.h>
Public Member Functions | |
Credential () | |
Credential (int keybits) | |
Credential (const std::string &CAfile, const std::string &CAkey, const std::string &CAserial, const std::string &extfile, const std::string &extsect, const std::string &passphrase4key) | |
Credential (Time start, Period lifetime=Period("PT12H"), int keybits=1024, std::string proxyversion="rfc", std::string policylang="inheritAll", std::string policy="", int pathlength=-1) | |
Credential (const std::string &cert, const std::string &key, const std::string &cadir, const std::string &cafile, const std::string &passphrase4key="", const bool is_file=true) | |
Credential (const UserConfig &usercfg, const std::string &passphrase4key="") | |
void | AddCertExtObj (std::string &sn, std::string &oid) |
void | LogError (void) const |
bool | GetVerification (void) const |
EVP_PKEY * | GetPrivKey (void) const |
EVP_PKEY * | GetPubKey (void) const |
X509 * | GetCert (void) const |
X509_REQ * | GetCertReq (void) const |
STACK_OF(X509) * | GetCertChain (void) const |
int | GetCertNumofChain (void) const |
Credformat | getFormat_BIO (BIO *in, const bool is_file=true) const |
std::string | GetDN (void) const |
std::string | GetIdentityName (void) const |
ArcCredential::certType | GetType (void) const |
std::string | GetIssuerName (void) const |
std::string | GetCAName (void) const |
std::string | GetProxyPolicy (void) const |
void | SetProxyPolicy (const std::string &proxyversion, const std::string &policylang, const std::string &policy, int pathlength) |
bool | OutputPrivatekey (std::string &content, bool encryption=false, const std::string &passphrase="") |
bool | OutputPublickey (std::string &content) |
bool | OutputCertificate (std::string &content, bool is_der=false) |
bool | OutputCertificateChain (std::string &content, bool is_der=false) |
Period | GetLifeTime (void) const |
Time | GetStartTime () const |
Time | GetEndTime () const |
void | SetLifeTime (const Period &period) |
void | SetStartTime (const Time &start_time) |
bool | IsValid (void) |
bool | AddExtension (const std::string &name, const std::string &data, bool crit=false) |
bool | AddExtension (const std::string &name, char **binary) |
std::string | GetExtension (const std::string &name) |
bool | GenerateEECRequest (BIO *reqbio, BIO *keybio, const std::string &dn="") |
bool | GenerateEECRequest (std::string &reqcontent, std::string &keycontent, const std::string &dn="") |
bool | GenerateEECRequest (const char *request_filename, const char *key_filename, const std::string &dn="") |
bool | GenerateRequest (BIO *bio, bool if_der=false) |
bool | GenerateRequest (std::string &content, bool if_der=false) |
bool | GenerateRequest (const char *filename, bool if_der=false) |
bool | InquireRequest (BIO *reqbio, bool if_eec=false, bool if_der=false) |
bool | InquireRequest (std::string &content, bool if_eec=false, bool if_der=false) |
bool | InquireRequest (const char *filename, bool if_eec=false, bool if_der=false) |
bool | SignRequest (Credential *proxy, BIO *outputbio, bool if_der=false) |
bool | SignRequest (Credential *proxy, std::string &content, bool if_der=false) |
bool | SignRequest (Credential *proxy, const char *filename, bool foamat=false) |
bool | SelfSignEECRequest (const std::string &dn, const char *extfile, const std::string &extsect, const char *certfile) |
bool | SignEECRequest (Credential *eec, const std::string &dn, BIO *outputbio) |
bool | SignEECRequest (Credential *eec, const std::string &dn, std::string &content) |
bool | SignEECRequest (Credential *eec, const std::string &dn, const char *filename) |
Static Public Member Functions | |
static void | InitProxyCertInfo (void) |
static bool | IsCredentialsValid (const UserConfig &usercfg) |
The Credential class covers general processing of certificate/key files, including: 1. certificate/key parsing, information extraction (such as subject name, issuer name, lifetime, etc.), chain verification, extension processing for the proxy certinfo extension, and extension processing for other general certificate extensions (such as VOMS attributes; it is the extension-specific code, not the Credential class, that creates, parses and verifies such an extension. For VOMS this is the code that writes and parses the VOMS Attribute Certificate (RFC3281); the VOMS attribute is then treated as an opaque binary part and embedded into an extension of the X509 certificate/proxy certificate); 2. certificate requests, extension embedding and certificate signing, for both proxy certificates and EECs (end entity certificates). The Credential class supports PEM, DER and PKCS12 credentials.
Arc::Credential::Credential | ( | ) |
Default constructor; it only acts as a container for inquiring a certificate request and is meaningless for any other use.
Arc::Credential::Credential | ( | int | keybits | ) |
Constructor with a user-defined key length. Needed for the creation of EE certs, since some applications only support keys with a certain minimum length > 1024.
Arc::Credential::Credential | ( | const std::string & | CAfile, | |
const std::string & | CAkey, | |||
const std::string & | CAserial, | |||
const std::string & | extfile, | |||
const std::string & | extsect, | |||
const std::string & | passphrase4key | |||
) |
Constructor specific to CA certificates; it is meaningless for any other use.
Arc::Credential::Credential | ( | Time | start, | |
Period | lifetime = Period("PT12H") , |
|||
int | keybits = 1024 , |
|||
std::string | proxyversion = "rfc" , |
|||
std::string | policylang = "inheritAll" , |
|||
std::string | policy = "" , |
|||
int | pathlength = -1 | |||
) |
Constructor specific to proxy certificates; it only acts as a container for constraining certificate signing and/or generating a certificate request (only keybits is useful for creating a certificate request), and is meaningless for any other use. The proxyversion and policylang parameters specify the proxy certificate type and the policy language inside the proxy. The definition of proxyversion and policy language is based on http://dev.globus.org/wiki/Security/ProxyCertTypes#RFC_3820_Proxy_Certificates . The code is supposed to support the proxy versions GSI2 (legacy proxy), GSI3 (proxy draft) and RFC (RFC3820 proxy), and the corresponding policy languages: GSI2 (GSI2, GSI2_LIMITED); GSI3 and RFC (IMPERSONATION_PROXY--1.3.6.1.5.5.7.21.1, INDEPENDENT_PROXY--1.3.6.1.5.5.7.21.2, LIMITED_PROXY--1.3.6.1.4.1.3536.1.1.1.9, RESTRICTED_PROXY--policy language undefined). In openssl>=098, there are three types of policy languages: id-ppl-inheritAll--1.3.6.1.5.5.7.21.1, id-ppl-independent--1.3.6.1.5.5.7.21.2, and id-ppl-anyLanguage--1.3.6.1.5.5.7.21.0
start,start | time of proxy certificate | |
lifetime,lifetime | of proxy certificate | |
keybits,modulus | size for RSA key generation; it should be greater than 1024 if 'this' class is used for generating an X509 request, and '0' if 'this' class is used for constraining certificate signing. |
Arc::Credential::Credential | ( | const std::string & | cert, | |
const std::string & | key, | |||
const std::string & | cadir, | |||
const std::string & | cafile, | |||
const std::string & | passphrase4key = "" , |
|||
const bool | is_file = true | |||
) |
Constructor specific to usual certificates, constructing from credential files. It only acts as a container for parsing the certificate and key files and is meaningless for any other use. This constructor parses the credential information and puts it into "this" object.
passphrase4key,specifies | the password for decrypting the private key (if needed). If the value is empty then the password will be asked for interactively. To avoid asking for a password, use the value provided by the NoPassword() method. | |
is_file,specifies | if the cert/key are from file, otherwise they are supposed to be from string. default is from file |
Arc::Credential::Credential | ( | const UserConfig & | usercfg, | |
const std::string & | passphrase4key = "" | |||
) |
Constructor specific to usual certificates, constructing from the information in a UserConfig object. It only acts as a container for parsing the certificate and key files and is meaningless for any other use. This constructor parses the credential information and puts it into "this" object.
is_file,specify | if the cert/key are from file, otherwise they are supposed to be from string. default is from file |
void Arc::Credential::AddCertExtObj | ( | std::string & | sn, | |
std::string & | oid | |||
) |
General method for adding a new nid into openssl's global const
bool Arc::Credential::AddExtension | ( | const std::string & | name, | |
char ** | binary | |||
) |
Add an extension to the extension part of the certificate
binary,the | data which will be inserted into the certificate extension part as a specific extension. There should be specific methods defined inside a specific X509V3_EXT_METHOD structure to parse the specific extension format. For example, the VOMS attribute certificate is a specific extension to a proxy certificate; a specific X509V3_EXT_METHOD is defined in VOMSAttribute.h and VOMSAttribute.c for parsing the attribute certificate. In openssl, the specific X509V3_EXT_METHOD can be obtained according to the extension name/id, see X509V3_EXT_get_nid(ext_nid) |
bool Arc::Credential::AddExtension | ( | const std::string & | name, | |
const std::string & | data, | |||
bool | crit = false | |||
) |
Add an extension to the extension part of the certificate
name,the | name of the extension; the OID associated with the name must be registered with openssl first | |
data,the | data which will be inserted into certificate extension |
bool Arc::Credential::GenerateEECRequest | ( | const char * | request_filename, | |
const char * | key_filename, | |||
const std::string & | dn = "" | |||
) |
Generate an EEC request, output the certificate request and the key to a file
bool Arc::Credential::GenerateEECRequest | ( | std::string & | reqcontent, | |
std::string & | keycontent, | |||
const std::string & | dn = "" | |||
) |
Generate an EEC request, output the certificate request to a string
bool Arc::Credential::GenerateEECRequest | ( | BIO * | reqbio, | |
BIO * | keybio, | |||
const std::string & | dn = "" | |||
) |
Generate an EEC request, based on the keybits and signing algorithm information inside this object, and output the certificate request to the output BIO
The user will be asked for a private key password
bool Arc::Credential::GenerateRequest | ( | const char * | filename, | |
bool | if_der = false | |||
) |
Generate a proxy request, output the certificate request to a file
bool Arc::Credential::GenerateRequest | ( | std::string & | content, | |
bool | if_der = false | |||
) |
Generate a proxy request, output the certificate request to a string
bool Arc::Credential::GenerateRequest | ( | BIO * | bio, | |
bool | if_der = false | |||
) |
Generate a proxy request, based on the keybits and signing algorithm information inside this object, and output the certificate request to the output BIO
std::string Arc::Credential::GetCAName | ( | void | ) | const |
Get the CA of the certificate attached to this object; if the certificate is an EEC, GetCAName returns the same value as GetIssuerName
X509* Arc::Credential::GetCert | ( | void | ) | const |
Get the certificate attached to this object
int Arc::Credential::GetCertNumofChain | ( | void | ) | const |
Get the number of certificates in the certificate chain attached to this object
X509_REQ* Arc::Credential::GetCertReq | ( | void | ) | const |
Get the certificate request, if there is any
std::string Arc::Credential::GetDN | ( | void | ) | const |
Get the DN of the certificate attached to this object
Time Arc::Credential::GetEndTime | ( | ) | const |
Returns validity end time of certificate or proxy
std::string Arc::Credential::GetExtension | ( | const std::string & | name | ) |
Get the specific extension (named by the parameter) from the certificate. This function is only supposed to be called after the certificate and key have been loaded by the constructor for usual certificates
name,the | name of the extension to get |
Credformat Arc::Credential::getFormat_BIO | ( | BIO * | in, | |
const bool | is_file = true | |||
) | const |
Get the certificate format: PEM, PKCS12 or DER. The BIO could be memory or file; they should be processed differently.
std::string Arc::Credential::GetIdentityName | ( | void | ) | const |
Get the Identity name of the certificate attached to this object, the result will not include proxy CN
std::string Arc::Credential::GetIssuerName | ( | void | ) | const |
Get issuer of the certificate attached to this object
Period Arc::Credential::GetLifeTime | ( | void | ) | const |
Returns lifetime of certificate or proxy
EVP_PKEY* Arc::Credential::GetPrivKey | ( | void | ) | const |
Get the private key attached to this object
std::string Arc::Credential::GetProxyPolicy | ( | void | ) | const |
Get the proxy policy attached to the "proxy certificate information" extension of the proxy certificate
EVP_PKEY* Arc::Credential::GetPubKey | ( | void | ) | const |
Get the public key attached to this object
Time Arc::Credential::GetStartTime | ( | ) | const |
Returns validity start time of certificate or proxy
ArcCredential::certType Arc::Credential::GetType | ( | void | ) | const |
Get type of the certificate attached to this object
bool Arc::Credential::GetVerification | ( | void | ) | const [inline] |
Get the verification result about certificate chain checking
static void Arc::Credential::InitProxyCertInfo | ( | void | ) | [static] |
Initialize the nid for the proxy certificate extension
bool Arc::Credential::InquireRequest | ( | const char * | filename, | |
bool | if_eec = false , |
|||
bool | if_der = false | |||
) |
Inquire the certificate request from a file
bool Arc::Credential::InquireRequest | ( | std::string & | content, | |
bool | if_eec = false , |
|||
bool | if_der = false | |||
) |
Inquire the certificate request from a string
bool Arc::Credential::InquireRequest | ( | BIO * | reqbio, | |
bool | if_eec = false , |
|||
bool | if_der = false | |||
) |
Inquire the certificate request from a BIO, put the request information into the X509_REQ inside this object, and parse the certificate type from the PROXYCERTINFO in the request's extension
if_der | false for PEM; true for DER |
static bool Arc::Credential::IsCredentialsValid | ( | const UserConfig & | usercfg | ) | [static] |
Returns true if credentials are valid. Credentials are read from the locations specified in the UserConfig object. This method is deprecated; use the per-instance method IsValid() instead.
bool Arc::Credential::IsValid | ( | void | ) |
Returns true if credentials are valid
void Arc::Credential::LogError | ( | void | ) | const |
Log error information related to openssl
bool Arc::Credential::OutputCertificate | ( | std::string & | content, | |
bool | is_der = false | |||
) |
Output the certificate into string
is_der | false for PEM, true for DER |
bool Arc::Credential::OutputCertificateChain | ( | std::string & | content, | |
bool | is_der = false | |||
) |
Output the certificate chain into string
is_der | false for PEM, true for DER |
bool Arc::Credential::OutputPrivatekey | ( | std::string & | content, | |
bool | encryption = false , |
|||
const std::string & | passphrase = "" | |||
) |
Output the private key into string
encryption,whether | encrypt the output private key or not | |
passphrase,the | passphrase to encrypt the output private key |
bool Arc::Credential::OutputPublickey | ( | std::string & | content | ) |
Output the public key into string
bool Arc::Credential::SelfSignEECRequest | ( | const std::string & | dn, | |
const char * | extfile, | |||
const std::string & | extsect, | |||
const char * | certfile | |||
) |
Self-sign a certificate. This functionality is specific to creating a CA credential by using this Credential class.
dn | the DN for the subject | |
extfile | the configuration file which includes the extension information, typically the openssl.cnf file | |
extsect | the section/group name for the extension, e.g. in openssl.cnf, usr_cert and v3_ca | |
certfile | the certificate file, which contains the signed certificate |
void Arc::Credential::SetLifeTime | ( | const Period & | period | ) |
Set lifetime of certificate or proxy
void Arc::Credential::SetProxyPolicy | ( | const std::string & | proxyversion, | |
const std::string & | policylang, | |||
const std::string & | policy, | |||
int | pathlength | |||
) |
Set the proxy policy attached to the "proxy certificate information" extension of the proxy certificate
void Arc::Credential::SetStartTime | ( | const Time & | start_time | ) |
Set start time of certificate or proxy
bool Arc::Credential::SignEECRequest | ( | Credential * | eec, | |
const std::string & | dn, | |||
const char * | filename | |||
) |
Sign request and output the signed certificate to a file
bool Arc::Credential::SignEECRequest | ( | Credential * | eec, | |
const std::string & | dn, | |||
std::string & | content | |||
) |
Sign request and output the signed certificate to a string
bool Arc::Credential::SignEECRequest | ( | Credential * | eec, | |
const std::string & | dn, | |||
BIO * | outputbio | |||
) |
Sign eec request, and output the signed certificate to output BIO
bool Arc::Credential::SignRequest | ( | Credential * | proxy, | |
const char * | filename, | |||
bool | foamat = false | |||
) |
Sign request and output the signed certificate to a file
if_der | false for PEM, true for DER |
bool Arc::Credential::SignRequest | ( | Credential * | proxy, | |
std::string & | content, | |||
bool | if_der = false | |||
) |
Sign request and output the signed certificate to a string
if_der | false for PEM, true for DER |
bool Arc::Credential::SignRequest | ( | Credential * | proxy, | |
BIO * | outputbio, | |||
bool | if_der = false | |||
) |
Sign request based on the information inside proxy, and output the signed certificate to output BIO
if_der | false for PEM, true for DER |
STACK_OF(X509)* Arc::Credential::GetCertChain | ( | void | ) | const |
Get the certificate chain attached to this object