/usr/include/wvstreams/wvx509mgr.h is in libwvstreams-dev 4.6.1-2build1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 | /* -*- Mode: C++ -*-
*
* X.509 certificate management class: This class builds upon the
* functionality provided by the WvX509 class, adding operations that are
* made possible with the addition of a private key (e.g. signing certificates
* and CRLs).
*/
#ifndef __WVX509MGR_H
#define __WVX509MGR_H
#include "wvx509.h"
#include "wvcrl.h"
class WvX509Mgr : public WvX509
{
public:
/**
* Constructor to create a blank certificate + keypair (useful if, for
* example, you were going to load the appropriate values in later).
*/
WvX509Mgr();
/**
* Constructor to create a self-signed certificate for the given dn and
* RSA key. If you don't already have a WvRSAKey, try the other
* constructor, below, which creates one automatically. If 'ca' is true,
* the certificate will be created as a certificate authority.
*
* For SSL Servers, the dname must contain a "cn=" section in order to
* validate correctly with some clients, particularly web browsers.
* For example, if your domain name is nit.ca, you can try this for
* _dname: "cn=nit.ca,o=Net Integration,c=CA", or maybe this instead:
* "cn=nit.ca,dc=nit,dc=ca"
*
* We don't check automatically that your _dname complies with these
* restrictions, since non-SSL certificates may be perfectly valid
* without this. If you want to generate invalid certs, that's up to
* you.
*/
WvX509Mgr(WvStringParm _dname, WvRSAKey *_rsa, bool ca = false);
/**
* Constructor to create a new self-signed certificate for the given dn
* and number of bits. See the previous constructor for details on how
* to choose _dname. 'bits' is the number of bits in the auto-generated
* RSA key; 1024 or 2048 are good values for this. If 'ca' is true, the
* certificate will be created as a certificate authority.
*/
WvX509Mgr(WvStringParm _dname, int bits, bool ca=false);
/**
* Copy Constructor.
*/
WvX509Mgr(const WvX509Mgr &mgr);
protected:
/**
* Given the Distinguished Name dname and an already generated keypair in
* rsa, return a Self Signed Certificate in cert.
* If is_ca, it will generate a self-issued certificate with the
* appropriate values for a certificate authority (or at least the most
* common ones). Note that a certificate created in this way will not be
* signed:
*/
void create_selfissued(WvStringParm dname, bool is_ca = false);
public:
/** Destructor */
virtual ~WvX509Mgr();
/**
* Says if this certificate+key pair is good for use. Checks to make sure
* that both are present and that they match.
*/
virtual bool isok() const;
/**
* Says what the error is, if isok() is not true.
*/
virtual WvString errstr() const;
/**
* The not operator returns true if !isok()
*/
bool operator! () const;
/**
* Allow us access to the RSA member.
*/
WvRSAKey *get_rsa() { return rsa; }
void set_rsa(WvRSAKey *_rsa) { WVDELETE(rsa); rsa = new WvRSAKey(*_rsa); }
/**
* Avoid a lot of ugliness by having it so that we are binding to the SSL
* context, and not the other way around, since that would make ownership
* of the cert and rsa keys ambiguous.
*/
bool bind_ssl(SSL_CTX *ctx);
/**
* Take the PKCS#10 request in the string pkcs10req, sign it with the
* private key in rsa, and then spit back a new X509 Certificate in
* PEM format.
*/
WvString signreq(WvStringParm pkcs10req) const;
/**
* Sign the certificate with the rsa key associated with this class.
*/
bool signcert(WvX509 &unsignedcert) const;
/**
* Sign the CRL with the rsa key associated with this class. This method
* will also update the lastUpdate time, and set the CRL's validity period
* to 30 days.
*/
bool signcrl(WvCRL &unsignedcrl) const;
/**
* Test to make sure that a certificate and a keypair go together.
* You can call it if you want to test a certificate yourself.
* (Such as after a decode)
*/
bool test() const;
/**
* Sign the contents of data and return the signature as a BASE64
* string.
*/
WvString sign(WvBuf &data) const;
WvString sign(WvStringParm data) const;
/**
* Encodes the information requested by mode into a buffer.
*/
virtual WvString encode(const WvX509::DumpMode mode) const;
virtual WvString encode(const WvRSAKey::DumpMode mode) const;
virtual void encode(const WvX509::DumpMode mode, WvBuf &buf) const;
virtual void encode(const WvRSAKey::DumpMode mode, WvBuf &buf) const;
/**
* Load the information from the format requested by mode into
* the class - this overwrites the certificate, and possibly the
* key - and to enable two stage loading (the certificate first, then the
* key), it DOES NOT call test() - that will be up to the programmer
*/
virtual void decode(const WvX509::DumpMode mode, WvStringParm encoded);
virtual void decode(const WvRSAKey::DumpMode mode, WvStringParm encoded);
virtual void decode(const WvX509::DumpMode mode, WvBuf &encoded);
virtual void decode(const WvRSAKey::DumpMode mode, WvBuf &encoded);
/**
* This writes the certificate and RSA keys in PKCS12 format to the file
* specified by filename, setting the password to "_pkcs12pass". Returns
* true if the operation was successful, false otherwise.
*/
bool write_p12(WvStringParm _fname, WvStringParm _pkcs12pass) const;
/**
* And this reads from the file specified in filename using the password
* "_pkcs12pass", and fills the RSA and cert members with the decoded
* information.
*/
void read_p12(WvStringParm _fname, WvStringParm _pkcs12pass);
private:
/**
* The Public and Private RSA keypair associated with the certificate
* Make sure that you save this somewhere!!! If you don't, then you won't
* really be able to use the certificate for anything...
*/
mutable WvRSAKey *rsa;
mutable WvLog debug;
};
#endif
|