/* -*- Mode: C++ -*-
 *
 * X.509 certificate management class: This class builds upon the
 * functionality provided by the WvX509 class, adding operations that are
 * made possible with the addition of a private key (e.g. signing certificates
 * and CRLs).
 */
8 #ifndef __WVX509MGR_H
9 #define __WVX509MGR_H
#include <cstddef>

#include "wvx509.h"
#include "wvcrl.h"
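class WvX509Mgr : public WvX509
{
public:
    /**
     * Constructor to create a blank certificate + keypair (useful if, for
     * example, you were going to load the appropriate values in later).
     */
    WvX509Mgr();

    /**
     * Constructor to create a self-signed certificate for the given dn and
     * RSA key.  If you don't already have a WvRSAKey, try the other
     * constructor, below, which creates one automatically.  If 'ca' is true,
     * the certificate will be created as a certificate authority.
     *
     * For SSL Servers, the dname must contain a "cn=" section in order to
     * validate correctly with some clients, particularly web browsers.
     * For example, if your domain name is nit.ca, you can try this for
     * _dname: "cn=nit.ca,o=Net Integration,c=CA", or maybe this instead:
     * "cn=nit.ca,dc=nit,dc=ca"
     *
     * We don't check automatically that your _dname complies with these
     * restrictions, since non-SSL certificates may be perfectly valid
     * without this.  If you want to generate invalid certs, that's up to
     * you.
     *
     * NOTE(review): whether this object takes ownership of _rsa or copies
     * it is not visible from the header -- check the constructor body
     * before relying on either.
     */
    WvX509Mgr(WvStringParm _dname, WvRSAKey *_rsa, bool ca = false);

    /**
     * Constructor to create a new self-signed certificate for the given dn
     * and number of bits.  See the previous constructor for details on how
     * to choose _dname.  'bits' is the number of bits in the auto-generated
     * RSA key; 1024 or 2048 are good values for this.  If 'ca' is true, the
     * certificate will be created as a certificate authority.
     */
    WvX509Mgr(WvStringParm _dname, int bits, bool ca = false);

    /**
     * Copy Constructor.
     *
     * NOTE(review): no copy-assignment operator is declared here, so unless
     * WvX509 forbids assignment the compiler-generated one is used.  That
     * one copies the 'rsa' pointer rather than the key, leaving two objects
     * that both delete the same WvRSAKey in their destructors.  Confirm
     * that assignment is never used, or declare operator= alongside this.
     */
    WvX509Mgr(const WvX509Mgr &mgr);

protected:
    /**
     * Given the Distinguished Name dname and an already generated keypair in
     * rsa, return a Self Signed Certificate in cert.
     * If is_ca, it will generate a self-issued certificate with the
     * appropriate values for a certificate authority (or at least the most
     * common ones).  Note that a certificate created in this way will not be
     * signed.
     */
    void create_selfissued(WvStringParm dname, bool is_ca = false);

public:
    /** Destructor (releases the owned RSA keypair). */
    virtual ~WvX509Mgr();

    /**
     * Says if this certificate+key pair is good for use.  Checks to make sure
     * that both are present and that they match.
     */
    virtual bool isok() const;

    /**
     * Says what the error is, if isok() is not true.
     */
    virtual WvString errstr() const;

    /**
     * The not operator returns true if !isok()
     */
    bool operator! () const;

    /**
     * Allow us access to the RSA member.
     *
     * get_rsa() returns the keypair this object owns (it may be NULL when
     * no key has been loaded).  Do not delete the returned pointer; it is
     * invalidated by set_rsa(), read_p12() and the destructor, and the key
     * it points at is private key material, so don't hand it around more
     * than necessary.
     *
     * set_rsa() discards the current key and stores a *copy* of *_rsa, so
     * the caller keeps ownership of _rsa.  Passing NULL simply leaves this
     * object without a key (isok() will then be false) instead of
     * dereferencing a null pointer.
     */
    WvRSAKey *get_rsa() { return rsa; }
    void set_rsa(WvRSAKey *_rsa)
    {
        WVDELETE(rsa);
        // Copy rather than adopt: the caller's key stays the caller's.
        rsa = _rsa ? new WvRSAKey(*_rsa) : NULL;
    }

    /**
     * Avoid a lot of ugliness by having it so that we are binding to the SSL
     * context, and not the other way around, since that would make ownership
     * of the cert and rsa keys ambiguous.
     */
    bool bind_ssl(SSL_CTX *ctx);

    /**
     * Take the PKCS#10 request in the string pkcs10req, sign it with the
     * private key in rsa, and then spit back a new X509 Certificate in
     * PEM format.
     */
    WvString signreq(WvStringParm pkcs10req) const;

    /**
     * Sign the certificate with the rsa key associated with this class.
     */
    bool signcert(WvX509 &unsignedcert) const;

    /**
     * Sign the CRL with the rsa key associated with this class.  This method
     * will also update the lastUpdate time, and set the CRL's validity period
     * to 30 days.
     */
    bool signcrl(WvCRL &unsignedcrl) const;

    /**
     * Test to make sure that a certificate and a keypair go together.
     * You can call it if you want to test a certificate yourself.
     * (Such as after a decode)
     */
    bool test() const;

    /**
     * Sign the contents of data and return the signature as a BASE64
     * string.
     */
    WvString sign(WvBuf &data) const;
    WvString sign(WvStringParm data) const;

    /**
     * Encodes the information requested by mode into a buffer.
     * The WvRSAKey::DumpMode overloads operate on the private keypair, so
     * their output may contain the private key.
     */
    virtual WvString encode(const WvX509::DumpMode mode) const;
    virtual WvString encode(const WvRSAKey::DumpMode mode) const;
    virtual void encode(const WvX509::DumpMode mode, WvBuf &buf) const;
    virtual void encode(const WvRSAKey::DumpMode mode, WvBuf &buf) const;

    /**
     * Load the information from the format requested by mode into
     * the class - this overwrites the certificate, and possibly the
     * key - and to enable two stage loading (the certificate first, then the
     * key), it DOES NOT call test() - that will be up to the programmer.
     * Until test() (or isok()) has been called, nothing guarantees that
     * the loaded certificate and key belong together.
     */
    virtual void decode(const WvX509::DumpMode mode, WvStringParm encoded);
    virtual void decode(const WvRSAKey::DumpMode mode, WvStringParm encoded);
    virtual void decode(const WvX509::DumpMode mode, WvBuf &encoded);
    virtual void decode(const WvRSAKey::DumpMode mode, WvBuf &encoded);

    /**
     * This writes the certificate and RSA keys in PKCS12 format to the file
     * specified by filename, setting the password to "_pkcs12pass".  Returns
     * true if the operation was successful, false otherwise.
     * The file contains the private key, protected only by _pkcs12pass.
     */
    bool write_p12(WvStringParm _fname, WvStringParm _pkcs12pass) const;

    /**
     * And this reads from the file specified in filename using the password
     * "_pkcs12pass", and fills the RSA and cert members with the decoded
     * information.  Any key previously returned by get_rsa() is no longer
     * valid afterwards.
     */
    void read_p12(WvStringParm _fname, WvStringParm _pkcs12pass);

private:
    /**
     * The Public and Private RSA keypair associated with the certificate
     * Make sure that you save this somewhere!!!  If you don't, then you won't
     * really be able to use the certificate for anything...
     *
     * Owned by this object (see set_rsa() and the destructor).
     * NOTE(review): declared mutable, presumably so the const signing and
     * encoding members can touch it -- confirm in the implementation.
     */
    mutable WvRSAKey *rsa;

    mutable WvLog debug;
};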
176 #endif