Gray C++ Libraries  0.0.2
A set of C++ libraries for MSVC, GNU on Windows, WinCE, Linux
GrayLib::cX509Crt Class Reference

#include <cX509Crt.h>

Inheritance diagram for GrayLib::cX509Crt (derived class first, then its bases):
GrayLib::cX509Crt → GrayLib::cX509Common → Gray::cRefBase → IUnknown

Public Member Functions

 cX509Crt () noexcept
 
 ~cX509Crt ()
 
void put_SerialNumber (const cBigUnsigned &serial)
 
virtual HRESULT GetDescription (StrBuilder &s, const char *prefix) const override
 
X509_Verify_t VerifyKeyUsage (X509_KeyUsage_TYPE usage, bool bEndpointIsServer) const
 
virtual HRESULT ReadFromDER (const BYTE *pBuffer, size_t buflen) override
 
virtual HRESULT ReadFromUnk (const BYTE *pBuffer, size_t buflen) override
 
HRESULT ReadCrtsFromDir (const FILECHAR_t *pszCertDir)
 
X509_Verify_t VerifyCrl (const cX509Crt *pCrtCA, const cX509Crl *pCrl) const
 
HRESULT VerifyCrt (const cX509Crt *pCrtCA, const cX509Crl *pCrl, const char *cn, OUT X509_Verify_t &rFlags, IX509VerifyCert *pVerifyCert) const
 
virtual void SetEmptyX () override
 
HRESULT WriteToDER (BYTE *pBuffer, size_t size, const cASNSets &extensions2, const cKeyWrap &rIssuerKey, IRandomNoise *pRandom)
 
HRESULT WriteToPEM (char *pOut, StrLen_t size, const cASNSets &extensions2, const cKeyWrap &rIssuerKey, IRandomNoise *pRandom)
 
 UNITTEST_FRIEND (cX509Crt)
 
- Public Member Functions inherited from GrayLib::cX509Common
 cX509Common () noexcept
 
virtual ~cX509Common ()
 
bool isEmptyX () const noexcept
 
HRESULT ReadSigAlg (cASNReader &r1, cASNBuf &sig_params)
 
HRESULT GetSigAlgStr (StrBuilder &s) const
 
HRESULT ReadFromFile (const FILECHAR_t *pszFilePath)
 
 UNITTEST_FRIEND (cX509Common)
 
- Public Member Functions inherited from Gray::cRefBase
 cRefBase (int iRefCount=0) noexcept
 
virtual ~cRefBase ()
 
int get_RefCount () const noexcept
 
HASHCODE_t get_HashCode () const noexcept
 
 STDMETHOD_ (HASHCODE_t, get_HashCodeX)() const noexcept
 
virtual void onFinalRelease ()
 
bool isValidObj () const noexcept
 
 STDMETHOD_ (ULONG, AddRef)(void) override
 
 STDMETHOD_ (ULONG, Release)(void) override
 
STDMETHOD() QueryInterface (const IID &riid, void __RPC_FAR *__RPC_FAR *ppvObject) override
 
void IncRefCount ()
 
void DecRefCount ()
 
bool isStaticConstruct () const noexcept
 
void StaticConstruct ()
 
void StaticDestruct ()
 
bool isDestructing () noexcept
 
void SetDestructing ()
 

Static Public Member Functions

static HRESULT GetVerifyStatusText (StrBuilder &s, const char *prefix, X509_Verify_t flags)
 
- Static Public Member Functions inherited from GrayLib::cX509Common
static HRESULT ReturnError (HRESULT hRes) noexcept
 
static X509_Verify_t X509_VerifySet (X509_Verify_t f1, X509_Verify_t f2) noexcept
 
static StrLen_t GRAYCALL GetSerialStr (StrBuilder &s, const cASNBuf &serial)
 

Public Attributes

cASNBufAlloc m_SerialNumber
 Unique binary id for certificate issued by a specific CA. CertificateSerialNumber (RFC5280 size max = 32) cBigUnsigned ASN_INTEGER.
 
cASNSets m_issuer
 The parsed issuer (named information object). e.g. "CN=SDF ???".
 
cTimeUnits m_tValidFrom
 Start time of certificate validity.
 
cTimeUnits m_tValidTo
 End time of certificate validity.
 
cASNBuf m_subject_raw
 For use in SSL_CERTIFICATE_REQUEST.
 
cASNSets m_subject
 The parsed m_subject_raw (named information object).
 
cKeyWrap m_SubjectPublicKey
 Container for the public key context. "SubjectPublicKeyInfo".
 
cASNBuf m_issuer_id
 Optional X.509 v2/v3 issuer unique identifier. UNUSED. X509_EXT_AUTHORITY_KEY_IDENTIFIER/OID_AUTHORITY_KEY_IDENTIFIER ?
 
cASNBuf m_subject_id
 Optional X.509 v2/v3 subject unique identifier. UNUSED. X509_EXT_SUBJECT_KEY_IDENTIFIER/OID_SUBJECT_KEY_IDENTIFIER ?
 
cX509CrtExt m_Ext
 Optional extensions. AKA ExtensionList.
 
cRefPtr< cX509Crt > m_pNextCrt
 Next certificate in the CA-chain.
 
- Public Attributes inherited from GrayLib::cX509Common
cHeapBlock m_raw
 The raw certificate data (ReadFromDer1). cASNBuf pointers can point into this.
 
cASNBuf m_RawSigned
 The raw certificate body (in m_raw)(ReadFromDer1). The part that is To Be Signed. Precedes m_nVersion.
 
int m_nVersion
 1,2,3. 0 = unused. X509_CRT_VERSION_TYPE or CRL version.
 
cASNBuf m_SignOID1
 Signature algorithm OID, e.g. "sha1RSA" for ReadSigAlg().
 
cKeySigAlg m_SigAlg
 How to sign with m_SignOID1.
 
cASNBuf m_SignBuffer
 
cNewPtr< cKeyRSASignOptions > m_pRSASignOptions
 Signature options to be passed to VerifySignatureExt(), e.g. for RSASSA-PSS SSL_Key_RSASSA_PSS.
 

Static Public Attributes

static const char * k_pszPEM = "CERTIFICATE"
 "CERTIFICATE"
 
- Static Public Attributes inherited from GrayLib::cX509Common
static const int k_MAX_INTERMEDIATE_CA = 8
 

Detailed Description

Structures and functions for parsing and writing X.509 certificates. Container for an X.509 certificate; the certificate may be chained. Holds the raw certificate data (DER) and the X.509 CRT version (1=v1, 2=v2, 3=v3).

Constructor & Destructor Documentation

◆ cX509Crt()

GrayLib::cX509Crt::cX509Crt ( )
inline noexcept

◆ ~cX509Crt()

GrayLib::cX509Crt::~cX509Crt ( )
inline

Member Function Documentation

◆ GetDescription()

HRESULT GrayLib::cX509Crt::GetDescription ( StrBuilder &  s,
const char *  prefix 
) const
overridevirtual

Implements GrayLib::cX509Common.

◆ GetVerifyStatusText()

HRESULT GrayLib::cX509Crt::GetVerifyStatusText ( StrBuilder &  s,
const char *  prefix,
X509_Verify_t  flags 
)
static

Returns an informational string about the verification status of a certificate.

  • s = Buffer to write to
  • prefix = A line prefix
  • flags = Verification flags created by VerifyCrt()
    Returns
    The amount of data written to the buffer, or -1 in case of an error.

Gets the error description for an X509_Verify_t value; it is written into a StrBuilder so that unit tests can check it.

◆ put_SerialNumber()

void GrayLib::cX509Crt::put_SerialNumber ( const cBigUnsigned &  serial)
inline

Set the serial number for a Certificate.

  • serial = serial number to set

◆ ReadCrtsFromDir()

HRESULT GrayLib::cX509Crt::ReadCrtsFromDir ( const FILECHAR_t *  pszCertDir)

Load one or more certificate files from a path and add them to the chained list. Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.

  • pszCertDir = directory / folder to read the certificate files from
    Returns
    0 if all certificates parsed successfully, a positive number if partly successful or a specific X509 or PEM error code

◆ ReadFromDER()

HRESULT GrayLib::cX509Crt::ReadFromDER ( const BYTE *  pBuffer,
size_t  buflen 
)
overridevirtual

X509_FORMAT_DER: Parse one X.509 certificate in DER format from a buffer and add it to the chained list. Checks for valid input.

  • pBuffer = buffer holding the certificate DER data
  • buflen = size of the buffer
    Returns
    0 if successful, or a specific X509 or PEM error code

Implements GrayLib::cX509Common.

◆ ReadFromUnk()

HRESULT GrayLib::cX509Crt::ReadFromUnk ( const BYTE *  pBuffer,
size_t  buflen 
)
overridevirtual

Parse one or more PEM (or DER) certificates from a buffer and add them to the chained list.

  • pBuffer = buffer holding the certificate data
  • buflen = size of the pBuffer
    Returns
    0 if all certificates parsed successfully, a positive number if partly successful, or a specific X509 or PEM error code. If none complete correctly, the first error is returned.

Implements GrayLib::cX509Common.
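The return convention documented for ReadFromUnk() and ReadCrtsFromDir() (0 when everything parsed, a positive count of failed certificates when only some did, the first error when none did) is easy to get wrong when the caller treats any nonzero value as fatal. The following is an added example, not GrayLib code: it walks every "CERTIFICATE" PEM block in a buffer with the same permissive policy and the same three-way result. The error codes, the ReadResult struct, the function names and the sample PEM blocks are all constructed for this example; the "parse" step only checks that the decoded bytes form one well-formed DER SEQUENCE, standing in for the real certificate parser.

```cpp
// Added example, not GrayLib code: models the return convention documented for
// ReadFromUnk()/ReadCrtsFromDir(). Every "CERTIFICATE" PEM block in a buffer is
// parsed permissively; the result is 0 if all parsed, the count of failed blocks
// if some parsed, or the first error if none did. Error codes are hypothetical
// stand-ins for the library's X509/PEM HRESULTs; the "parse" only checks that the
// decoded bytes are one well-formed DER SEQUENCE.
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

constexpr int kErrPemNoBlock   = -1;   // no complete BEGIN/END armor found
constexpr int kErrPemBadBase64 = -2;   // body is not valid base64
constexpr int kErrX509NotDer   = -3;   // decoded bytes are not a DER SEQUENCE

static const char kBegin[] = "-----BEGIN CERTIFICATE-----";
static const char kEnd[]   = "-----END CERTIFICATE-----";

// Minimal base64 decoder: skips whitespace, rejects foreign characters,
// data after '=' padding, and a dangling single trailing character.
bool Base64Decode(const std::string& in, std::vector<uint8_t>& out) {
    static const std::string alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    uint32_t acc = 0; int bits = 0; int pad = 0;
    out.clear();
    for (char c : in) {
        if (c == '\r' || c == '\n' || c == ' ' || c == '\t') continue;
        if (c == '=') { ++pad; continue; }
        if (pad > 0) return false;                    // data after padding
        size_t v = alphabet.find(c);
        if (v == std::string::npos) return false;
        acc = (acc << 6) | static_cast<uint32_t>(v);
        bits += 6;
        if (bits >= 8) { bits -= 8; out.push_back(static_cast<uint8_t>((acc >> bits) & 0xFF)); }
    }
    return pad <= 2 && bits < 6;
}

// Parse one certificate: accept only a single DER SEQUENCE whose encoded
// length covers the whole buffer (truncated or trailing bytes are rejected).
int ParseOneDer(const std::vector<uint8_t>& der) {
    if (der.size() < 2 || der[0] != 0x30) return kErrX509NotDer;
    size_t len = 0, hdr = 2;
    if (der[1] < 0x80) {
        len = der[1];
    } else {
        size_t n = der[1] & 0x7F;                     // number of length bytes
        if (n == 0 || n > 2 || der.size() < 2 + n) return kErrX509NotDer;
        for (size_t i = 0; i < n; ++i) len = (len << 8) | der[2 + i];
        hdr += n;
    }
    return (hdr + len == der.size()) ? 0 : kErrX509NotDer;
}

struct ReadResult { int rc; size_t parsed; };   // parsed = certificates added to the chain

// Same contract as documented for ReadFromUnk(): 0 / failure count / first error.
ReadResult ReadCertsFromUnk(const std::string& buf) {
    ReadResult r{0, 0};
    int failures = 0, firstErr = 0;
    size_t pos = 0;
    while (true) {
        size_t b = buf.find(kBegin, pos);
        if (b == std::string::npos) break;
        size_t bodyStart = b + sizeof(kBegin) - 1;
        size_t e = buf.find(kEnd, bodyStart);
        if (e == std::string::npos) {                 // unterminated armor: give up on the rest
            if (firstErr == 0) firstErr = kErrPemNoBlock;
            ++failures;
            break;
        }
        pos = e + sizeof(kEnd) - 1;
        std::vector<uint8_t> der;
        int rc = Base64Decode(buf.substr(bodyStart, e - bodyStart), der) ? ParseOneDer(der)
                                                                        : kErrPemBadBase64;
        if (rc != 0) { if (firstErr == 0) firstErr = rc; ++failures; continue; }
        ++r.parsed;                                   // would be appended via m_pNextCrt
    }
    if (r.parsed == 0) r.rc = (failures > 0) ? firstErr : kErrPemNoBlock;
    else r.rc = failures;                             // 0 when everything parsed
    return r;
}

// Constructed samples. "MAMCAQE=" is base64 of 30 03 02 01 01, a minimal DER
// SEQUENCE standing in for a certificate; "MAMCAQ" decodes to a truncated one.
static const std::string kGood  = std::string(kBegin) + "\nMAMCAQE=\n" + kEnd + "\n";
static const std::string kTrunc = std::string(kBegin) + "\nMAMCAQ\n" + kEnd + "\n";
static const std::string kJunk  = std::string(kBegin) + "\nMAMC*QE=\n" + kEnd + "\n";
static const std::string kMixed = kGood + kTrunc + kGood;

int main() {
    ReadResult r = ReadCertsFromUnk(kMixed);
    std::printf("rc=%d parsed=%zu\n", r.rc, r.parsed);   // rc=1 parsed=2
    return 0;
}
```

The caller-side lesson is that a positive result is a partial success: the chain was extended, and the number says how many blocks were skipped. Only a negative result means nothing was loaded, and then it is the first error, not the last one, that is reported.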

◆ SetEmptyX()

void GrayLib::cX509Crt::SetEmptyX ( )
overridevirtual

Reimplemented from GrayLib::cX509Common.

◆ UNITTEST_FRIEND()

GrayLib::cX509Crt::UNITTEST_FRIEND ( cX509Crt  )

◆ VerifyCrl()

X509_Verify_t GrayLib::cX509Crt::VerifyCrl ( const cX509Crt *  pCrtCA,
const cX509Crl *  pCrl 
) const

Check that the given certificate is valid according to the CRL.

Todo:
if no CRL is present? Revocation state should be unknown ?

◆ VerifyCrt()

HRESULT GrayLib::cX509Crt::VerifyCrt ( const cX509Crt *  pCrtCA,
const cX509Crl *  pCrl,
const char *  cn,
OUT X509_Verify_t &  rFlags,
IX509VerifyCert *  pVerifyCert 
) const

Verify the certificate signature validity. pVerifyCert is a user-supplied callback that can clear, modify or add flags for a certificate. If set, the verification callback is called for each certificate in the chain (from the trust CA down to the presented crt). The parameters for the callback are: (cX509Crt* crt, int certificate_depth, X509_Verify_t* flags), with flags representing the current flags for that specific certificate and certificate_depth counted from the bottom (peer cert depth = 0).

All flags left after returning from the callback are also returned to the application. The function should return 0 for anything but a fatal error.

Note
In case verification failed, the results can be displayed with GetVerifyStatusText().
  • pCrtCA = chain of root CAs we are testing against.
  • pCrl = the CRL chain for trusted CAs
  • cn (pszPeerCN) = expected Common Name (can be set to NULL if the CN must not be verified)
  • rFlags = result of the verification
  • pVerifyCert = user-supplied callback that can clear / modify / add flags for a certificate.
Returns
0 if successful or <0 = FAIL, in which case rFlags will have one or more X509_Verify_t flags set.
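The callback contract above (walk from the trust CA down to the peer, hand each certificate's flags to the application, keep whatever the callback leaves, and abort on a fatal return) is the part of VerifyCrt() that application code most often misuses. The following is an added example, not GrayLib code: a self-contained model of that contract over a constructed two-certificate chain, with scenarios for a clean chain, an expired peer the callback waives, a revoked peer the callback treats as fatal, and a CN mismatch. The Crt struct, the flag bits, the VerifyCallback type, the Outcome struct and the sample data are hypothetical stand-ins for cX509Crt, X509_Verify_t and IX509VerifyCert; the "signature" is modelled as the CN of the signing certificate.

```cpp
// Added example, not GrayLib code: a self-contained model of the VerifyCrt()
// contract. Types, flag bits and the callback signature are hypothetical
// stand-ins for cX509Crt, X509_Verify_t and IX509VerifyCert.
#include <cstdint>
#include <cstdio>
#include <functional>
#include <string>
#include <vector>

typedef uint32_t X509_Verify_t;
constexpr X509_Verify_t kVerifyExpired    = 1u << 0;  // now is past validTo
constexpr X509_Verify_t kVerifyNotYet     = 1u << 1;  // now is before validFrom
constexpr X509_Verify_t kVerifyCnMismatch = 1u << 2;  // peer CN != expected CN
constexpr X509_Verify_t kVerifyBadSig     = 1u << 3;  // not signed by the cert above it
constexpr X509_Verify_t kVerifyRevoked    = 1u << 4;  // serial appears on the CRL

struct Crt {                       // constructed stand-in for cX509Crt
    std::string cn;                // subject CN
    std::string serial;            // constructed serial, compared against the CRL
    int64_t validFrom, validTo;    // constructed time units
    std::string signedByCn;        // stand-in for a signature: CN whose key signed this cert
};

// Callback contract: (crt, depth, flags); may clear/modify/add flags; returns 0 unless fatal.
typedef std::function<int(const Crt&, int, X509_Verify_t&)> VerifyCallback;

struct Outcome { int rc; X509_Verify_t flags; };

// chain[0] is the trust anchor, chain.back() is the presented peer certificate.
// Returns rc 0 when no flags remain, -1 when any flag remains (flags says which),
// or the callback's nonzero value, which is treated as fatal and stops the walk.
Outcome VerifyChain(const std::vector<Crt>& chain, const std::vector<std::string>& crl,
                    const char* expectedCn, int64_t now, const VerifyCallback* cb) {
    Outcome out{0, 0};
    const int last = static_cast<int>(chain.size()) - 1;
    for (int i = 0; i <= last; ++i) {
        const Crt& crt = chain[i];
        const int depth = last - i;                       // peer cert depth = 0
        X509_Verify_t flags = 0;
        if (now > crt.validTo)   flags |= kVerifyExpired;
        if (now < crt.validFrom) flags |= kVerifyNotYet;
        if (depth == 0 && expectedCn != nullptr && crt.cn != expectedCn) flags |= kVerifyCnMismatch;
        if (i > 0 && crt.signedByCn != chain[i - 1].cn) flags |= kVerifyBadSig;
        for (const std::string& s : crl) if (s == crt.serial) flags |= kVerifyRevoked;
        if (cb != nullptr) {
            int rc = (*cb)(crt, depth, flags);            // callback may rewrite flags
            if (rc != 0) { out.rc = rc; return out; }     // fatal error: abort the walk
        }
        out.flags |= flags;                               // flags left over go to the app
    }
    out.rc = (out.flags == 0) ? 0 : -1;
    return out;
}

// Constructed two-certificate chain: root CA (depth 1) and server cert (depth 0).
std::vector<Crt> SampleChain(int64_t peerValidTo) {
    return { {"Test Root CA", "01", 0, 1000, "Test Root CA"},
             {"server.test",  "2a", 100, peerValidTo, "Test Root CA"} };
}

// Scenarios the text describes; `now` is 500 in all of them.
Outcome RunScenario(int which) {
    const int64_t now = 500;
    switch (which) {
    case 0:  // everything valid, no callback
        return VerifyChain(SampleChain(1000), {}, "server.test", now, nullptr);
    case 1:  // peer expired, no callback: the flag is reported to the application
        return VerifyChain(SampleChain(200), {}, "server.test", now, nullptr);
    case 2: { // same, but the application's callback waives expiry for the peer only
        VerifyCallback waive = [](const Crt&, int depth, X509_Verify_t& f) {
            if (depth == 0) f &= ~kVerifyExpired;
            return 0; };
        return VerifyChain(SampleChain(200), {}, "server.test", now, &waive);
    }
    case 3: { // peer serial on the CRL; the callback treats revocation as fatal
        VerifyCallback fatal = [](const Crt&, int, X509_Verify_t& f) {
            return (f & kVerifyRevoked) ? -99 : 0; };
        return VerifyChain(SampleChain(1000), {"2a"}, "server.test", now, &fatal);
    }
    default: // wrong expected CN, no callback
        return VerifyChain(SampleChain(1000), {}, "other.test", now, nullptr);
    }
}

int main() {
    for (int i = 0; i < 5; ++i) {
        Outcome o = RunScenario(i);
        std::printf("scenario %d: rc=%d flags=0x%x\n", i, o.rc, o.flags);
    }
    return 0;
}
```

Two details carry over to the real API: the callback sees depth 0 for the peer, so a waiver that should apply only to the leaf must test depth rather than the CN, and a nonzero callback return ends verification immediately, so flags from certificates higher in the chain are all the application gets back in that case.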

◆ VerifyKeyUsage()

X509_Verify_t GrayLib::cX509Crt::VerifyKeyUsage ( X509_KeyUsage_TYPE  usage,
bool  bEndpointIsServer 
) const

Check usage of a certificate with respect to its extensions:

Todo:
m_nNSCertType ?
  • usage (keyUsage) = the key usage to check (Default = X509_KeyUsage_DIGITAL_SIGNATURE)
    Returns
    0 if everything is OK

◆ WriteToDER()

HRESULT GrayLib::cX509Crt::WriteToDER ( BYTE *  pBuffer,
size_t  size,
const cASNSets &  extensions2,
const cKeyWrap &  rIssuerKey,
IRandomNoise *  pRandom 
)

Write the built-up certificate to an X.509 DER structure.

Note
Data is written at the end of the buffer! Use the return value to determine where you should start using the buffer.
  • pBuffer = buffer to write to
  • size = size of the buffer
  • pRandom = RNG function (for signature, see note)
Returns
length of data written if successful, or a specific error code
Note
pRandom may be NULL if RSA is used for signature and the signature is made offline (otherwise pRandom is desirable for countermeasures against timing attacks). ECDSA signatures always require a non-NULL pRandom.
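The "data is written at the end of the buffer" note is the usual convention for DER encoders that build output backwards (the last element is written first, then each enclosing length and tag is prepended), and it means a caller who reads from pBuffer instead of from pBuffer + size - length gets filler bytes. The following is an added example, not GrayLib code: a small backward DER writer for SEQUENCE { INTEGER version, INTEGER serial }, with the documented contract (length returned, data ending at pBuffer + size, negative error when the buffer is too small) and the matching caller-side arithmetic. The helper names, the DerOut struct and the kErrBufferTooSmall code are hypothetical; the two-INTEGER SEQUENCE stands in for a certificate body.

```cpp
// Added example, not GrayLib code: demonstrates the "data is written at the
// end of the buffer" convention documented for WriteToDER(). DER is built
// backwards (innermost/last element first, then its length and tag in front),
// so the encoder returns a length and the caller starts reading at
// pBuffer + size - length. Names are hypothetical.
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <vector>

constexpr int kErrBufferTooSmall = -1;   // hypothetical stand-in for the library's error code

// Each helper writes in front of *p, moving p towards `start`, and returns the
// number of bytes written or kErrBufferTooSmall when it would run off the front.
static int PutByteBackward(uint8_t*& p, const uint8_t* start, uint8_t b) {
    if (p - start < 1) return kErrBufferTooSmall;
    *--p = b;
    return 1;
}

// DER length: short form below 0x80, else 0x80|n followed by n big-endian bytes.
int WriteLenBackward(uint8_t*& p, const uint8_t* start, size_t len) {
    if (len < 0x80) return PutByteBackward(p, start, static_cast<uint8_t>(len));
    int n = 0;
    while (len > 0) {                          // low byte first: backwards gives big-endian
        if (PutByteBackward(p, start, static_cast<uint8_t>(len & 0xFF)) < 0) return kErrBufferTooSmall;
        len >>= 8; ++n;
    }
    if (PutByteBackward(p, start, static_cast<uint8_t>(0x80 | n)) < 0) return kErrBufferTooSmall;
    return n + 1;
}

// DER INTEGER for an unsigned value: minimal big-endian bytes, with a leading
// 0x00 when the top bit is set so the value is not read as negative.
int WriteUintBackward(uint8_t*& p, const uint8_t* start, uint64_t v) {
    size_t n = 0;
    do {
        if (PutByteBackward(p, start, static_cast<uint8_t>(v & 0xFF)) < 0) return kErrBufferTooSmall;
        v >>= 8; ++n;
    } while (v != 0);
    if ((*p & 0x80) != 0) {
        if (PutByteBackward(p, start, 0x00) < 0) return kErrBufferTooSmall;
        ++n;
    }
    int l = WriteLenBackward(p, start, n);
    if (l < 0) return l;
    int t = PutByteBackward(p, start, 0x02);   // INTEGER tag
    if (t < 0) return t;
    return static_cast<int>(n) + l + t;
}

// Encoder with the documented contract: writes SEQUENCE { INTEGER version,
// INTEGER serial } ending exactly at pBuffer + size and returns the length,
// or a negative error code if `size` is too small.
int WriteMiniCertDER(uint8_t* pBuffer, size_t size, uint64_t version, uint64_t serial) {
    uint8_t* p = pBuffer + size;               // write pointer starts one past the end
    int total = 0, rc;
    // Reverse order: the LAST element of the SEQUENCE is written first.
    if ((rc = WriteUintBackward(p, pBuffer, serial)) < 0) return rc;
    total += rc;
    if ((rc = WriteUintBackward(p, pBuffer, version)) < 0) return rc;
    total += rc;
    if ((rc = WriteLenBackward(p, pBuffer, static_cast<size_t>(total))) < 0) return rc;
    total += rc;
    if ((rc = PutByteBackward(p, pBuffer, 0x30)) < 0) return rc;   // SEQUENCE tag
    total += rc;
    return total;
}

struct DerOut { int rc; std::vector<uint8_t> bytes; };

// Caller side of the contract: use the return value to find where the data starts.
DerOut EncodeMiniCert(size_t bufSize, uint64_t version, uint64_t serial) {
    std::vector<uint8_t> buf(bufSize, 0xAA);   // filler makes the unused front visible
    DerOut out{WriteMiniCertDER(buf.data(), buf.size(), version, serial), {}};
    if (out.rc < 0) return out;
    out.bytes.assign(buf.end() - out.rc, buf.end());   // start = pBuffer + size - rc
    return out;
}

int main() {
    DerOut d = EncodeMiniCert(32, 2, 0x1234);
    std::printf("rc=%d bytes:", d.rc);
    for (uint8_t b : d.bytes) std::printf(" %02x", b);
    std::printf("\n");   // rc=9 bytes: 30 07 02 01 02 02 02 12 34
    return 0;
}
```

The same arithmetic applies to the real call: after `HRESULT len = crt.WriteToDER(buf, sizeof(buf), ...)` succeeds, the certificate occupies `buf + sizeof(buf) - len` through `buf + sizeof(buf)`, and the bytes before it are whatever the buffer held beforehand.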

◆ WriteToPEM()

HRESULT GrayLib::cX509Crt::WriteToPEM ( char *  pOut,
StrLen_t  size,
const cASNSets &  extensions2,
const cKeyWrap &  rIssuerKey,
IRandomNoise *  pRandom 
)

Write the built-up certificate to an X.509 PEM string.

  • pOut = buffer to write to
  • size = size of the buffer
  • pRandom = RNG function (for signature, see note)
    Returns
    length if successful, or a <0 = specific error code
    Note
    pRandom may be nullptr if RSA is used for signature and the signature is made offline (otherwise pRandom is desirable for countermeasures against timing attacks). ECDSA signatures always require a non-NULL pRandom.

Member Data Documentation

◆ k_pszPEM

const char * GrayLib::cX509Crt::k_pszPEM = "CERTIFICATE"
static

"CERTIFICATE"

◆ m_Ext

cX509CrtExt GrayLib::cX509Crt::m_Ext

Optional extensions. AKA ExtensionList.

◆ m_issuer

cASNSets GrayLib::cX509Crt::m_issuer

The parsed issuer (named information object). e.g. "CN=SDF ???".

◆ m_issuer_id

cASNBuf GrayLib::cX509Crt::m_issuer_id

Optional X.509 v2/v3 issuer unique identifier. UNUSED. X509_EXT_AUTHORITY_KEY_IDENTIFIER/OID_AUTHORITY_KEY_IDENTIFIER ?

◆ m_pNextCrt

cRefPtr<cX509Crt> GrayLib::cX509Crt::m_pNextCrt

Next certificate in the CA-chain.

◆ m_SerialNumber

cASNBufAlloc GrayLib::cX509Crt::m_SerialNumber

Unique binary id for certificate issued by a specific CA. CertificateSerialNumber (RFC5280 size max = 32) cBigUnsigned ASN_INTEGER.

◆ m_subject

cASNSets GrayLib::cX509Crt::m_subject

The parsed m_subject_raw (named information object).

◆ m_subject_id

cASNBuf GrayLib::cX509Crt::m_subject_id

Optional X.509 v2/v3 subject unique identifier. UNUSED. X509_EXT_SUBJECT_KEY_IDENTIFIER/OID_SUBJECT_KEY_IDENTIFIER ?

◆ m_subject_raw

cASNBuf GrayLib::cX509Crt::m_subject_raw

For use in SSL_CERTIFICATE_REQUEST.

◆ m_SubjectPublicKey

cKeyWrap GrayLib::cX509Crt::m_SubjectPublicKey

Container for the public key context. "SubjectPublicKeyInfo".

◆ m_tValidFrom

cTimeUnits GrayLib::cX509Crt::m_tValidFrom

Start time of certificate validity.

◆ m_tValidTo

cTimeUnits GrayLib::cX509Crt::m_tValidTo

End time of certificate validity.


The documentation for this class was generated from the following files: