X509 public key certificate (PKC) interface. More...
#include <x509cert.hpp>
Static Public Member Functions | |
| static void | free (X509 *cert) |
| Free / clean an X509 object. More... | |
| static std::string | getFingerPrint (const X509 *cert, const std::string hashname="shake256") |
| Get the certificate fingerprint (a hash on the public key modulus) in string format, multiple hexadecimal bytes values separated by a colon. More... | |
| static X509Common::Identity | getIssuer (const X509 *cert) |
| Get the certificate issuer. More... | |
| static std::string | getSerial (const X509 *cert) |
| Get the certificate serial number as concatenated hex bytes. More... | |
| static X509Common::Identity | getSubject (const X509 *cert) |
| Get the certificate subject identity. More... | |
| static std::list< X509Common::SAN > | getSubjectAltNames (const X509 *cert) |
| Get the SAN (subject alternate name) list for the certificate, which may be empty. More... | |
| static X509 * | loadPEM (const std::string file) |
| Load a public key certificate (aka 'certificate') from a PEM file. More... | |
| static bool | verifySAN (const X509 *cert, const SAN &san, bool wildcards=false) |
| Verify a peer name against this certificate's CN and SubjectAltnames. More... | |
 Static Public Member Functions inherited from dodo::network::X509Common | |
| static X509Type | detectX509Type (const std::string file, std::string &tag) |
| Detects a X509 document type from a PEM file. More... | |
| static std::string | SANTypeAsString (const SANType &san_type) |
| Convert the SANType name to a string. More... | |
Private Member Functions | |
| X509Certificate ()=delete | |
| Never construct, interface class. More... | |
| ~X509Certificate ()=delete | |
| Never destruct, interface class. More... | |
Static Private Member Functions | |
| static bool | verifyIP (const std::string &peer, const std::string &san) |
| Verify a peer IP matches a SAN of type stIP. More... | |
| static bool | verifyName (const std::string &peer, const std::string &san, bool wildcards=false) |
| Verify a peer name matches a SAN. More... | |
Additional Inherited Members | |
| Public Types inherited from dodo::network::X509Common | |
| enum | SANType { SANType::stDNS = GEN_DNS, SANType::stURI = GEN_URI, SANType::stEMAIL = GEN_EMAIL, SANType::stIP = GEN_IPADD } |
| The SubjectAltName type. More... | |
| enum | X509Type { X509Type::Unknown, X509Type::PrivateKey, X509Type::PublicKey, X509Type::CertificateSigningRequest, X509Type::Certificate } |
| Enumeration of X509 document types. More... | |
| Static Protected Member Functions inherited from dodo::network::X509Common | |
| static Identity | parseIdentity (const std::string src) |
| Parse a subject or issuer string into an Identity. More... | |
Detailed Description
X509 public key certificate (PKC) interface.
Note that this is an interface class, it does not manage ownership of X509 structures.
See Secure sockets for details on the role of this class.
Definition at line 265 of file x509cert.hpp.
Constructor & Destructor Documentation
◆ X509Certificate()
|
privatedelete |
Never construct, interface class.
◆ ~X509Certificate()
|
privatedelete |
Never destruct, interface class.
Member Function Documentation
◆ free()
|
inlinestatic |
Free / clean an X509 object.
- Parameters
-
cert A pointer to the X509 certificate.
Definition at line 285 of file x509cert.hpp.
Referenced by getSerial().
◆ getFingerPrint()
|
static |
Get the certificate fingerprint (a hash on the public key modulus) in string format, multiple hexadecimal bytes values separated by a colon.
openssl list -digest-algorithms shows a full list of hash (digest) names. Stick to newer hash algorithms from the SHA-3 family.
- Exceptions
-
common::Exception if the digest name is invalid.
- Parameters
-
cert A pointer to the X509 certificate. hashname The name of the hash algorithm to use. Defaults to 'shake256'. Names are case-insensitive.
- Returns
- A string representation of the fingerprint.
Definition at line 230 of file x509cert.cpp.
References dodo::common::getSSLErrors(), and throw_Exception.
◆ getIssuer()
|
static |
Get the certificate issuer.
- Parameters
-
cert A pointer to the X509 certificate.
- Returns
- the issuer string.
Definition at line 163 of file x509cert.cpp.
References dodo::common::bio2String(), and dodo::network::X509Common::parseIdentity().
◆ getSerial()
|
static |
Get the certificate serial number as concatenated hex bytes.
Note that the serial number is only supposed to be unique among certificates signed by a single CA. To truly identify certificates, use getFingerPrint().
- Parameters
-
cert The source PKC / X509.
- Returns
- the serial string.
Definition at line 172 of file x509cert.cpp.
References free().
◆ getSubject()
|
static |
Get the certificate subject identity.
- Parameters
-
cert A pointer to the X509 certificate.
- Returns
- the subject identity.
Definition at line 182 of file x509cert.cpp.
References dodo::common::bio2String(), and dodo::network::X509Common::parseIdentity().
Referenced by verifySAN().
◆ getSubjectAltNames()
|
static |
Get the SAN (subject alternate name) list for the certificate, which may be empty.
- Parameters
-
cert A pointer to the X509 certificate.
- Returns
- A list of SAN.
Definition at line 192 of file x509cert.cpp.
Referenced by verifySAN().
◆ loadPEM()
|
static |
Load a public key certificate (aka 'certificate') from a PEM file.
The X509 object pointed to gets owned by the caller and must be freed when done with free( X509* cert ). Note that the call will fail if the file is not a public key certificate, even though it is a valid PEM file. Also note that the call will return ony the first certificate if the PEM file contains multiple certificates.
- Parameters
-
file The PEM file to load from.
- Exceptions
-
common::Exception when the openSSL BIO fails to create. common::Exception when the file cannot be read. common::Exception when the file is not a valid PEM file.
- Returns
- Pointer to the X509 document.
Definition at line 143 of file x509cert.cpp.
References dodo::common::getSSLErrors(), and throw_Exception.
◆ verifyIP()
|
staticprivate |
Verify a peer IP matches a SAN of type stIP.
The strings are converted to IP addresses, both must be valid IP addresses and they must be equal ( Address::operator==( const Address &) ).
- Parameters
-
peer The ipv4 or ipv6 of the peer (as a string). san The ipv4 or ipv6 SubjectAltname of the peer (as a string).
- Returns
- true when the IP matches.
Definition at line 269 of file x509cert.cpp.
References dodo::network::Address::isValid().
◆ verifyName()
|
staticprivate |
Verify a peer name matches a SAN.
- Parameters
-
peer The name of the peer. san The SubjectAltname of the peer. wildcards If true, allow wildcards.
- Returns
- true when the name matches.
Definition at line 248 of file x509cert.cpp.
◆ verifySAN()
|
static |
Verify a peer name against this certificate's CN and SubjectAltnames.
The name is always matched against the CN, regardless of the X509Common::SANType. The name is matched against SubjectAltNames that match the X509Common::SANType.
- Parameters
-
cert A pointer to the X509 certificate. san The SAN structure to compare against. wildcards If true, allow wildcards.
- Returns
- true if the name matches.
Definition at line 278 of file x509cert.cpp.
References dodo::network::X509Common::Identity::commonName, getSubject(), getSubjectAltNames(), dodo::network::X509Common::SAN::san_type, dodo::network::X509Common::stDNS, dodo::network::X509Common::stEMAIL, dodo::network::X509Common::stIP, and dodo::network::X509Common::stURI.
Referenced by dodo::network::TLSSocket::connect().
The documentation for this class was generated from the following files:
- src/include/network/x509cert.hpp
- src/lib/network/x509cert.cpp
