/**
 * X.509 certificate management class: This class builds upon the
 * functionality provided by the WvX509 class, adding operations that are
 * made possible with the addition of a private key (e.g. signing certificates
 */
14 class WvX509Mgr
: public WvX509
/**
 * Constructor to create a blank certificate + keypair (useful if, for
 * example, you were going to load the appropriate values in later).
 */
/**
 * Constructor to create a self-signed certificate for the given dn and
 * RSA key. If you don't already have a WvRSAKey, try the other
 * constructor, below, which creates one automatically. If 'ca' is true,
 * the certificate will be created as a certificate authority.
 *
 * For SSL Servers, the dname must contain a "cn=" section in order to
 * validate correctly with some clients, particularly web browsers.
 * For example, if your domain name is nit.ca, you can try this for
 * _dname: "cn=nit.ca,o=Net Integration,c=CA", or maybe this instead:
 * "cn=nit.ca,dc=nit,dc=ca"
 *
 * We don't check automatically that your _dname complies with these
 * restrictions, since non-SSL certificates may be perfectly valid
 * without this. If you want to generate invalid certs, that's up to
 * you.
 *
 * @param _dname  distinguished name for the certificate subject (see above)
 * @param _rsa    already generated keypair. NOTE(review): whether the
 *                constructor copies *_rsa or keeps the pointer itself is
 *                not visible in this header; set_rsa() copies, so
 *                presumably this does too - confirm in the implementation.
 * @param ca      create the certificate as a certificate authority
 */
WvX509Mgr(WvStringParm _dname, WvRSAKey *_rsa, bool ca = false);
/**
 * Constructor to create a new self-signed certificate for the given dn
 * and number of bits. See the previous constructor for details on how
 * to choose _dname. 'bits' is the number of bits in the auto-generated
 * RSA key; 1024 or 2048 are good values for this. If 'ca' is true, the
 * certificate will be created as a certificate authority.
 *
 * NOTE(review): 1024-bit RSA is below current minimum recommendations;
 * prefer 2048 bits or more for any newly generated key.
 *
 * @param _dname  distinguished name for the certificate subject
 * @param bits    size in bits of the RSA key to generate
 * @param ca      create the certificate as a certificate authority
 */
WvX509Mgr(WvStringParm _dname, int bits, bool ca = false);
/**
 * Copy constructor.
 *
 * NOTE(review): this class owns 'rsa' through a raw pointer (see the
 * member declaration and set_rsa()), so a correct copy needs a deep copy
 * of the key. No copy-assignment operator is visible in this excerpt; if
 * none is declared, the compiler-generated one would share the pointer
 * between two owners - confirm against the full header.
 *
 * @param mgr  object to copy the certificate and key from
 */
WvX509Mgr(const WvX509Mgr &mgr);
/**
 * Given the Distinguished Name dname and an already generated keypair in
 * rsa, return a Self Signed Certificate in cert.
 * If is_ca, it will generate a self-issued certificate with the
 * appropriate values for a certificate authority (or at least the most
 * common ones). Note that a certificate created in this way will not be
 * [remainder of this sentence is cut off in this excerpt].
 *
 * @param dname  distinguished name used for the subject (and, the
 *               certificate being self-issued, the issuer)
 * @param is_ca  add the certificate-authority values
 */
void create_selfissued(WvStringParm dname, bool is_ca = false);
/**
 * Says if this certificate+key pair is good for use. Checks to make sure
 * that both are present and that they match.
 *
 * Declared virtual; presumably overrides WvX509::isok() - confirm
 * against the base class.
 *
 * @return true if both the certificate and the key are present and match
 */
virtual bool isok() const;
/**
 * Says what the error is, if isok() is not true.
 *
 * @return a description of the error; what is returned while isok() is
 *         true is not specified here
 */
virtual WvString errstr() const;
/**
 * The not operator returns true if !isok().
 *
 * @return the negation of isok()
 */
bool operator! () const;
/**
 * Allow us access to the RSA member.
 *
 * @return the keypair held by this object, as a non-owning raw pointer;
 *         this object keeps ownership. Judging by isok()'s "both are
 *         present" check, it may be NULL when no key has been loaded.
 */
WvRSAKey *get_rsa()
{
    return this->rsa;
}
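/**
 * Replace the keypair held by this object with a copy of *_rsa.
 *
 * The copy is made before the old key is deleted, so passing in the key
 * this object already holds (get_rsa()) is harmless instead of copying
 * from freed memory, and a failed copy leaves the old key in place.
 *
 * @param _rsa  keypair to copy; the caller keeps ownership of it.
 *              NULL clears the key, after which isok() reports failure
 *              because no key is present.
 */
void set_rsa(WvRSAKey *_rsa)
{
    // Copy first: the old 'rsa' may be the very object we are copying.
    WvRSAKey *copy = _rsa ? new WvRSAKey(*_rsa) : NULL;
    WVDELETE(rsa);
    rsa = copy;
}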
/**
 * Avoid a lot of ugliness by having it so that we are binding to the SSL
 * context, and not the other way around, since that would make ownership
 * of the cert and rsa keys ambiguous.
 *
 * @param ctx  the OpenSSL context that will use this certificate and key;
 *             nothing here suggests ownership of ctx is taken - confirm
 * @return true on success (the failure conditions are not visible here)
 */
bool bind_ssl(SSL_CTX *ctx);
/**
 * Take the PKCS#10 request in the string pkcs10req, sign it with the
 * private key in rsa, and then spit back a new X509 Certificate in
 * [remainder of this sentence is cut off in this excerpt].
 *
 * NOTE(review): a PKCS#10 request is input supplied by the requester, and
 * nothing in this declaration indicates that its subject or requested
 * attributes are vetted; the caller is responsible for that before
 * signing.
 *
 * @param pkcs10req  the certificate signing request
 * @return the newly signed certificate
 */
WvString signreq(WvStringParm pkcs10req) const;
/**
 * Sign the certificate with the rsa key associated with this class.
 *
 * @param unsignedcert  certificate to sign; taken by non-const reference,
 *                      so presumably updated in place
 * @return true on success
 */
bool signcert(WvX509 &unsignedcert) const;
/**
 * Sign the CRL with the rsa key associated with this class. This method
 * will also update the lastUpdate time, and set the CRL's validity period
 * [remainder of this sentence is cut off in this excerpt].
 *
 * @param unsignedcrl  CRL to sign; taken by non-const reference, so
 *                     presumably updated in place
 * @return true on success
 */
bool signcrl(WvCRL &unsignedcrl) const;
/**
 * Test to make sure that a certificate and a keypair go together.
 * You can call it if you want to test a certificate yourself.
 * (Such as after a decode)
 */
/**
 * Sign the contents of data and return the signature as a BASE64
 * [remainder of this sentence is cut off in this excerpt].
 *
 * The two overloads differ only in how the data is supplied: as a WvBuf
 * or as a string.
 *
 * @param data  the bytes to sign
 * @return the signature
 */
WvString sign(WvBuf &data) const;
WvString sign(WvStringParm data) const;
/**
 * Encodes the information requested by mode into a buffer.
 *
 * Judging by the mode types, the WvX509::DumpMode overloads encode the
 * certificate and the WvRSAKey::DumpMode overloads encode the keypair.
 * The WvString forms return the encoding; the WvBuf forms write it to
 * buf.
 *
 * NOTE(review): since 'rsa' holds the private key as well as the public
 * one, a WvRSAKey::DumpMode encoding may contain secret material and
 * should be handled accordingly.
 *
 * @param mode  which representation to produce
 * @param buf   destination for the WvBuf overloads
 */
virtual WvString encode(const WvX509::DumpMode mode) const;
virtual WvString encode(const WvRSAKey::DumpMode mode) const;
virtual void encode(const WvX509::DumpMode mode, WvBuf &buf) const;
virtual void encode(const WvRSAKey::DumpMode mode, WvBuf &buf) const;
/**
 * Load the information from the format requested by mode into
 * the class - this overwrites the certificate, and possibly the
 * key - and to enable two stage loading (the certificate first, then the
 * key), it DOES NOT call test() - that will be up to the programmer.
 *
 * NOTE(review): because test() is not called, a completed decode() does
 * not establish that the loaded certificate and key belong together;
 * callers that go on to sign with this object should check isok() or
 * test() first.
 *
 * @param mode     which representation 'encoded' is in (certificate or
 *                 key, depending on the overload)
 * @param encoded  the data to load, as a string or a WvBuf
 */
virtual void decode(const WvX509::DumpMode mode, WvStringParm encoded);
virtual void decode(const WvRSAKey::DumpMode mode, WvStringParm encoded);
virtual void decode(const WvX509::DumpMode mode, WvBuf &encoded);
virtual void decode(const WvRSAKey::DumpMode mode, WvBuf &encoded);
/**
 * This writes the certificate and RSA keys in PKCS12 format to the file
 * specified by filename, setting the password to "_pkcs12pass". Returns
 * true if the operation was successful, false otherwise.
 *
 * NOTE(review): the written file contains the private key, so the file's
 * permissions and the strength of _pkcs12pass are what protect it on
 * disk; neither is visible from this declaration - check the
 * implementation.
 *
 * @param _fname       path of the file to write
 * @param _pkcs12pass  password protecting the PKCS#12 container
 * @return true on success, false otherwise
 */
bool write_p12(WvStringParm _fname, WvStringParm _pkcs12pass) const;
/**
 * And this reads from the file specified in filename using the password
 * "_pkcs12pass", and fills the RSA and cert members with the decoded
 * [remainder of this sentence is cut off in this excerpt].
 *
 * No return value is declared, so callers should check isok() (and
 * errstr() on failure) afterwards rather than assume the load worked.
 *
 * @param _fname       path of the PKCS#12 file to read
 * @param _pkcs12pass  password for the container
 */
void read_p12(WvStringParm _fname, WvStringParm _pkcs12pass);
/**
 * The Public and Private RSA keypair associated with the certificate.
 * Make sure that you save this somewhere!!! If you don't, then you won't
 * really be able to use the certificate for anything...
 *
 * Owned by this object: set_rsa() deletes the old value and stores a
 * fresh copy. Declared mutable, presumably so that the const member
 * functions above can work with it - confirm in the implementation.
 */
mutable WvRSAKey *rsa;