Crypt-X509
view release on metacpan or search on metacpan
lib/Crypt/X509.pm view on Meta::CPAN
my $asn = undef;
my $error = undef;
our %oid2enchash = (
'1.2.840.113549.1.1.1' => { 'enc' => 'RSA' },
'1.2.840.113549.1.1.2' => { 'enc' => 'RSA', 'hash' => 'MD2' },
'1.2.840.113549.1.1.3' => { 'enc' => 'RSA', 'hash' => 'MD4' },
'1.2.840.113549.1.1.4' => { 'enc' => 'RSA', 'hash' => 'MD5' },
'1.2.840.113549.1.1.5' => { 'enc' => 'RSA', 'hash' => 'SHA1' },
'1.2.840.113549.1.1.6' => { 'enc' => 'OAEP' },
'1.2.840.113549.1.1.11' => { 'enc' => 'RSA', 'hash' => 'SHA256' },
'1.2.840.113549.1.1.12' => { 'enc' => 'RSA', 'hash' => 'SHA384' },
'1.2.840.113549.1.1.13' => { 'enc' => 'RSA', 'hash' => 'SHA512' },
'1.2.840.113549.1.1.14' => { 'enc' => 'RSA', 'hash' => 'SHA224' },
'1.2.840.10045.2.1' => { 'enc' => 'EC' },
);
our %oid2attr = (
"2.5.4.3" => "CN",
"2.5.4.4" => "SN",
"2.5.4.42" => "GN",
"2.5.4.5" => "serialNumber",
"2.5.4.6" => "C",
"2.5.4.7" => "L",
"2.5.4.8" => "ST",
'2.5.4.9' => 'streetAddress',
"2.5.4.10" => "O",
"2.5.4.11" => "OU",
"1.2.840.113549.1.9.1" => "emailAddress",
'1.2.840.113549.1.9.2' => 'unstructuredName',
'1.2.840.113549.1.9.8' => 'unstructuredAddress',
"0.9.2342.19200300.100.1.1" => "UID",
"0.9.2342.19200300.100.1.25" => "DC",
"0.2.262.1.10.7.20" => "nameDistinguisher",
'2.5.4.12' => 'title',
'2.5.4.13' => 'description',
'2.5.4.14' => 'searchGuide',
'2.5.4.15' => 'businessCategory',
'2.5.4.16' => 'postalAddress',
'2.5.4.17' => 'postalCode',
'2.5.4.18' => 'postOfficeBox',
'2.5.4.19' => 'physicalDeliveryOfficeName',
'2.5.4.20' => 'telephoneNumber',
'2.5.4.23' => 'facsimileTelephoneNumber',
'2.5.4.41' => 'name',
'2.5.4.43' => 'initials',
'2.5.4.44' => 'generationQualifier',
'2.5.4.45' => 'uniqueIdentifier',
'2.5.4.46' => 'dnQualifier',
'2.5.4.51' => 'houseIdentifier',
'2.5.4.65' => 'pseudonym',
);
=head1 NAME
Crypt::X509 - Parse a X.509 certificate
=head1 SYNOPSIS
use Crypt::X509;
$decoded = Crypt::X509->new( cert => $cert );
$subject_email = $decoded->subject_email;
print "do not use after: ".gmtime($decoded->not_after)." GMT\n";
=head1 REQUIRES
Convert::ASN1
=head1 DESCRIPTION
B<Crypt::X509> parses X.509 certificates. Methods are provided for accessing most
certificate elements.
It is based on the generic ASN.1 module by Graham Barr, on the F<x509decode>
example by Norbert Klasen and contributions on the perl-ldap-dev-Mailinglist
by Chriss Ridd.
=head1 CONSTRUCTOR
=head2 new ( OPTIONS )
Creates and returns a parsed X.509 certificate hash, containing the parsed
contents. The data is organised as specified in RFC 2459.
By default only the first ASN.1 Layer is decoded. Nested decoding
is done automagically through the data access methods.
=over 4
=item cert =E<gt> $certificate
A variable containing the DER formatted certificate to be parsed
(eg. as stored in C<usercertificate;binary> attribute in an
LDAP-directory).
=back
use Crypt::X509;
use Data::Dumper;
$decoded= Crypt::X509->new(cert => $cert);
print Dumper($decoded);
=cut back
sub new {
my ( $class, %args ) = @_;
if ( !defined($parser) || $parser->error ) {
$parser = _init();
}
my $self = $parser->decode( $args{'cert'} );
$self->{"_error"} = $parser->error;
bless( $self, $class );
return $self;
}
=head1 METHODS
=head2 error
Returns the last error from parsing, C<undef> when no error occured.
This error is updated on deeper parsing with the data access methods.
$decoded= Crypt::X509->new(cert => $cert);
if ($decoded->error) {
warn "Error on parsing Certificate:".$decoded->error;
}
=cut back
sub error {
my $self = shift;
return $self->{"_error"};
}
=head1 DATA ACCESS METHODS
You can access all parsed data directly from the returned hash. For convenience
the following methods have been implemented to give quick access to the most-used
certificate attributes.
=head2 version
Returns the certificate's version as an integer. NOTE that version is defined as
an Integer where 0 = v1, 1 = v2, and 2 = v3.
=cut back
sub version {
my $self = shift;
return $self->{tbsCertificate}{version};
}
=head2 version_string
Returns the certificate's version as a string value.
=cut back
sub version_string {
my $self = shift;
my $v = $self->{tbsCertificate}{version};
return "v1" if $v == 0;
return "v2" if $v == 1;
return "v3" if $v == 2;
}
=head2 serial
returns the serial number (integer or Math::BigInt Object, that gets automagic
evaluated in scalar context) from the certificate
$decoded= Crypt::X509->new(cert => $cert);
print "Certificate has serial number:".$decoded->serial."\n";
=cut back
sub serial {
my $self = shift;
return $self->{tbsCertificate}{serialNumber};
}
=head2 not_before
returns the GMT-timestamp of the certificate's beginning date of validity.
If the Certificate holds this Entry in utcTime, it is guaranteed by the
RFC to been correct.
As utcTime is limited to 32-bit values (like unix-timestamps) newer certificates
hold the timesamps as "generalTime"-entries. B<The contents of "generalTime"-entries
are not well defined in the RFC and
are returned by this module unmodified>, if no utcTime-entry is found.
$decoded= Crypt::X509->new(cert => $cert);
if ($decoded->notBefore < time()) {
warn "Certificate: not yet valid!";
}
=cut back
sub not_before {
my $self = shift;
if ( $self->{tbsCertificate}{validity}{notBefore}{utcTime} ) {
return $self->{tbsCertificate}{validity}{notBefore}{utcTime};
} elsif ( $self->{tbsCertificate}{validity}{notBefore}{generalTime} ) {
return $self->{tbsCertificate}{validity}{notBefore}{generalTime};
} else {
return undef;
}
}
=head2 not_after
returns the GMT-timestamp of the certificate's ending date of validity.
If the Certificate holds this Entry in utcTime, it is guaranteed by the
RFC to been correct.
As utcTime is limited to 32-bit values (like unix-timestamps) newer certificates
hold the timesamps as "generalTime"-entries. B<The contents of "generalTime"-entries
are not well defined in the RFC and
are returned by this module unmodified>, if no utcTime-entry is found.
$decoded= Crypt::X509->new(cert => $cert);
print "Certificate expires on ".gmtime($decoded->not_after)." GMT\n";
=cut back
sub not_after {
my $self = shift;
if ( $self->{tbsCertificate}{validity}{notAfter}{utcTime} ) {
return $self->{tbsCertificate}{validity}{notAfter}{utcTime};
} elsif ( $self->{tbsCertificate}{validity}{notAfter}{generalTime} ) {
return $self->{tbsCertificate}{validity}{notAfter}{generalTime};
} else {
return undef;
}
}
=head2 signature
Return's the certificate's signature in binary DER format.
=cut back
sub signature {
my $self = shift;
return $self->{signature}[0];
}
=head2 pubkey
Returns the certificate's public key in binary DER format.
=cut back
sub pubkey {
my $self = shift;
return $self->{tbsCertificate}{subjectPublicKeyInfo}{subjectPublicKey}[0];
}
=head2 pubkey_size
Returns the certificate's public key size.
=cut back
sub pubkey_size {
my $self = shift;
return $self->{tbsCertificate}{subjectPublicKeyInfo}{subjectPublicKey}[1];
}
=head2 pubkey_algorithm
Returns the algorithm as OID string which the public key was created with.
=cut back
sub pubkey_algorithm {
my $self = shift;
return $self->{tbsCertificate}{subjectPublicKeyInfo}{algorithm}{algorithm};
}
=head2 PubKeyAlg
returns the subject public key encryption algorithm (e.g. 'RSA') as string.
$decoded= Crypt::X509->new(cert => $cert);
print "Certificate public key is encrypted with:".$decoded->PubKeyAlg."\n";
Example Output: Certificate public key is encrypted with: RSA
=cut back
sub PubKeyAlg {
my $self = shift;
return $oid2enchash{ $self->{tbsCertificate}{subjectPublicKeyInfo}{algorithm}{algorithm} }->{'enc'};
}
=head2 pubkey_components
If this certificate contains an RSA key, this function returns a
hashref { modulus => $m, exponent => $e) from that key; each value in
the hash will be an integer scalar or a Math::BigInt object.
For other pubkey types, it returns undef (implementations welcome!).
=cut back
sub pubkey_components {
my $self = shift;
if ($self->PubKeyAlg() eq 'RSA') {
my $parser = _init('RSAPubKeyInfo');
my $values = $parser->decode($self->{tbsCertificate}{subjectPublicKeyInfo}{subjectPublicKey}[0]);
return $values;
} else {
return undef;
}
}
=head2 sig_algorithm
Returns the certificate's signature algorithm as OID string
$decoded= Crypt::X509->new(cert => $cert);
print "Certificate signature is encrypted with:".$decoded->sig_algorithm."\n";>
Example Output: Certificate signature is encrypted with: 1.2.840.113549.1.1.5
=cut back
sub sig_algorithm {
my $self = shift;
return $self->{tbsCertificate}{signature}{algorithm};
}
=head2 SigEncAlg
returns the signature encryption algorithm (e.g. 'RSA') as string.
$decoded= Crypt::X509->new(cert => $cert);
print "Certificate signature is encrypted with:".$decoded->SigEncAlg."\n";
Example Output: Certificate signature is encrypted with: RSA
=cut back
sub SigEncAlg {
my $self = shift;
return $oid2enchash{ $self->{'signatureAlgorithm'}->{'algorithm'} }->{'enc'};
}
=head2 SigHashAlg
returns the signature hashing algorithm (e.g. 'SHA1') as string.
$decoded= Crypt::X509->new(cert => $cert);
print "Certificate signature is hashed with:".$decoded->SigHashAlg."\n";
Example Output: Certificate signature is encrypted with: SHA1
=cut back
sub SigHashAlg {
my $self = shift;
return $oid2enchash{ $self->{'signatureAlgorithm'}->{'algorithm'} }->{'hash'};
}
#########################################################################
# accessors - subject
#########################################################################
=head2 Subject
returns a pointer to an array of strings containing subject nameparts of the
certificate. Attributenames for the most common Attributes are translated
from the OID-Numbers, unknown numbers are output verbatim.
$decoded= Convert::ASN1::X509->new($cert);
print "DN for this Certificate is:".join(',',@{$decoded->Subject})."\n";
=cut back
sub Subject {
my $self = shift;
my ( $i, $type );
my $subjrdn = $self->{'tbsCertificate'}->{'subject'}->{'rdnSequence'};
$self->{'tbsCertificate'}->{'subject'}->{'dn'} = [];
my $subjdn = $self->{'tbsCertificate'}->{'subject'}->{'dn'};
foreach my $subj ( @{$subjrdn} ) {
foreach my $i ( @{$subj} ) {
if ( $oid2attr{ $i->{'type'} } ) {
$type = $oid2attr{ $i->{'type'} };
} else {
$type = $i->{'type'};
}
my @key = keys( %{ $i->{'value'} } );
push @{$subjdn}, $type . "=" . $i->{'value'}->{ $key[0] };
}
}
return $subjdn;
}
=head2 SubjectRaw
Returns the RDNs as list of hashes, values are stringified but OIDs are
not translated.
If a component contains a SET, the component will become an array of hashes
on the second level.
=cut
sub SubjectRaw {
my $self = shift;
my @subject;
foreach my $rdn (@{$self->{'tbsCertificate'}->{'subject'}->{'rdnSequence'}}) {
my @sequence = map {
$_->{format} = (keys %{$_->{value}})[0];
$_->{value} = (values %{$_->{value}})[0];
$_;
} @{$rdn};
if (scalar @sequence > 1) {
push @subject, \@sequence;
} else {
push @subject, $sequence[0];
}
}
return \@subject;
}
=head2 SubjectSequence
Returns the subject as returned from the ASN1 parser.
=cut
sub SubjectSequence {
lib/Crypt/X509.pm view on Meta::CPAN
Returns the string value for subject's organization (= the value with the
OID 2.5.4.10 or in DN Syntax everything after C<O=>).
Only the first entry is returned. C<undef> if subject contains no organization attribute.
=cut back
sub subject_org {
my $self = shift;
return _subject_part( $self, '2.5.4.10' );
}
=head2 subject_ou
Returns the string value for subject's organizational unit (= the value with the
OID 2.5.4.11 or in DN Syntax everything after C<OU=>).
Only the first entry is returned. C<undef> if subject contains no organization attribute.
=cut back
sub subject_ou {
my $self = shift;
return _subject_part( $self, '2.5.4.11' );
}
=head2 subject_cn
Returns the string value for subject's common name (= the value with the
OID 2.5.4.3 or in DN Syntax everything after C<CN=>).
Only the first entry is returned. C<undef> if subject contains no common name attribute.
=cut back
sub subject_cn {
my $self = shift;
return _subject_part( $self, '2.5.4.3' );
}
=head2 subject_email
Returns the string value for subject's email address (= the value with the
OID 1.2.840.113549.1.9.1 or in DN Syntax everything after C<emailAddress=>).
Only the first entry is returned. C<undef> if subject contains no email attribute.
=cut back
sub subject_email {
my $self = shift;
return _subject_part( $self, '1.2.840.113549.1.9.1' );
}
#########################################################################
# accessors - issuer
#########################################################################
=head2 Issuer
returns a pointer to an array of strings building the DN of the certificate
issuer (= the DN of the CA). Attributenames for the most common Attributes
are translated from the OID-Numbers, unknown numbers are output verbatim.
$decoded= Crypt::X509->new($cert);
print "Certificate was issued by:".join(',',@{$decoded->Issuer})."\n";
=cut back
sub Issuer {
my $self = shift;
my ( $i, $type );
my $issuerdn = $self->{'tbsCertificate'}->{'issuer'}->{'rdnSequence'};
$self->{'tbsCertificate'}->{'issuer'}->{'dn'} = [];
my $issuedn = $self->{'tbsCertificate'}->{'issuer'}->{'dn'};
foreach my $issue ( @{$issuerdn} ) {
foreach my $i ( @{$issue} ) {
if ( $oid2attr{ $i->{'type'} } ) {
$type = $oid2attr{ $i->{'type'} };
} else {
$type = $i->{'type'};
}
my @key = keys( %{ $i->{'value'} } );
push @{$issuedn}, $type . "=" . $i->{'value'}->{ $key[0] };
}
}
return $issuedn;
}
sub _issuer_part {
my $self = shift;
my $oid = shift;
my $issuerrdn = $self->{'tbsCertificate'}->{'issuer'}->{'rdnSequence'};
foreach my $issue ( @{$issuerrdn} ) {
foreach my $i ( @{$issue} ) {
if ( $i->{'type'} eq $oid ) {
my @key = keys( %{ $i->{'value'} } );
return $i->{'value'}->{ $key[0] };
}
}
}
return undef;
}
=head2 issuer_cn
Returns the string value for issuer's common name (= the value with the
OID 2.5.4.3 or in DN Syntax everything after C<CN=>).
Only the first entry is returned. C<undef> if issuer contains no common name attribute.
=cut back
sub issuer_cn {
my $self = shift;
return _issuer_part( $self, '2.5.4.3' );
}
=head2 issuer_country
Returns the string value for issuer's country (= the value with the
OID 2.5.4.6 or in DN Syntax everything after C<C=>).
Only the first entry is returned. C<undef> if issuer contains no country attribute.
=cut back
sub issuer_country {
my $self = shift;
lib/Crypt/X509.pm view on Meta::CPAN
OID 2.5.4.8 or in DN Syntax everything after C<S=>).
Only the first entry is returned. C<undef> if issuer contains no state attribute.
=cut back
sub issuer_state {
my $self = shift;
return _issuer_part( $self, '2.5.4.8' );
}
=head2 issuer_locality
Returns the string value for issuer's locality (= the value with the
OID 2.5.4.7 or in DN Syntax everything after C<L=>).
Only the first entry is returned. C<undef> if issuer contains no locality attribute.
=cut back
sub issuer_locality {
my $self = shift;
return _issuer_part( $self, '2.5.4.7' );
}
=head2 issuer_org
Returns the string value for issuer's organization (= the value with the
OID 2.5.4.10 or in DN Syntax everything after C<O=>).
Only the first entry is returned. C<undef> if issuer contains no organization attribute.
=cut back
sub issuer_org {
my $self = shift;
return _issuer_part( $self, '2.5.4.10' );
}
=head2 issuer_email
Returns the string value for issuer's email address (= the value with the
OID 1.2.840.113549.1.9.1 or in DN Syntax everything after C<E=>).
Only the first entry is returned. C<undef> if issuer contains no email attribute.
=cut back
sub issuer_email {
my $self = shift;
return _issuer_part( $self, '1.2.840.113549.1.9.1' );
}
#########################################################################
# accessors - extensions (automate this)
#########################################################################
=head2 KeyUsage
returns a pointer to an array of strings describing the valid Usages
for this certificate. C<undef> is returned, when the extension is not set in the
certificate.
If the extension is marked critical, this is also reported.
$decoded= Crypt::X509->new(cert => $cert);
print "Allowed usages for this Certificate are:\n".join("\n",@{$decoded->KeyUsage})."\n";
Example Output:
Allowed usages for this Certificate are:
critical
digitalSignature
keyEncipherment
dataEncipherment
=cut back
sub KeyUsage {
my $self = shift;
my $ext;
my $exts = $self->{'tbsCertificate'}->{'extensions'};
if ( !defined $exts ) { return undef; }
; # no extensions in certificate
foreach $ext ( @{$exts} ) {
if ( $ext->{'extnID'} eq '2.5.29.15' ) { #OID for keyusage
my $parsKeyU = _init('KeyUsage'); # get a parser for this
my $keyusage = $parsKeyU->decode( $ext->{'extnValue'} ); # decode the value
if ( $parsKeyU->error ) {
$self->{"_error"} = $parsKeyU->error;
return undef;
}
my $keyu = unpack( "n", ${$keyusage}[0] . ${$keyusage}[1] ) & 0xff80;
$ext->{'usage'} = [];
if ( $ext->{'critical'} ) { push @{ $ext->{'usage'} }, "critical"; } # mark as critical, if appropriate
if ( $keyu & 0x8000 ) { push @{ $ext->{'usage'} }, "digitalSignature"; }
if ( $keyu & 0x4000 ) { push @{ $ext->{'usage'} }, "nonRepudiation"; }
if ( $keyu & 0x2000 ) { push @{ $ext->{'usage'} }, "keyEncipherment"; }
if ( $keyu & 0x1000 ) { push @{ $ext->{'usage'} }, "dataEncipherment"; }
if ( $keyu & 0x0800 ) { push @{ $ext->{'usage'} }, "keyAgreement"; }
if ( $keyu & 0x0400 ) { push @{ $ext->{'usage'} }, "keyCertSign"; }
if ( $keyu & 0x0200 ) { push @{ $ext->{'usage'} }, "cRLSign"; }
if ( $keyu & 0x0100 ) { push @{ $ext->{'usage'} }, "encipherOnly"; }
if ( $keyu & 0x0080 ) { push @{ $ext->{'usage'} }, "decipherOnly"; }
return $ext->{'usage'};
}
}
return undef; # keyusage extension not found
}
=head2 ExtKeyUsage
returns a pointer to an array of ExtKeyUsage strings (or OIDs for unknown OIDs) or
C<undef> if the extension is not filled. OIDs of the following ExtKeyUsages are known:
serverAuth, clientAuth, codeSigning, emailProtection, timeStamping, OCSPSigning
If the extension is marked critical, this is also reported.
$decoded= Crypt::X509->new($cert);
print "ExtKeyUsage extension of this Certificates is: ", join(", ", @{$decoded->ExtKeyUsage}), "\n";
Example Output: ExtKeyUsage extension of this Certificates is: critical, serverAuth
=cut back
our %oid2extkeyusage = (
'1.3.6.1.5.5.7.3.1' => 'serverAuth',
'1.3.6.1.5.5.7.3.2' => 'clientAuth',
'1.3.6.1.5.5.7.3.3' => 'codeSigning',
'1.3.6.1.5.5.7.3.4' => 'emailProtection',
'1.3.6.1.5.5.7.3.8' => 'timeStamping',
'1.3.6.1.5.5.7.3.9' => 'OCSPSigning',
);
sub ExtKeyUsage {
my $self = shift;
my $ext;
my $exts = $self->{'tbsCertificate'}->{'extensions'};
if ( !defined $exts ) { return undef; }
; # no extensions in certificate
foreach $ext ( @{$exts} ) {
if ( $ext->{'extnID'} eq '2.5.29.37' ) { #OID for ExtKeyUsage
return $ext->{'oids'} if defined $ext->{'oids'};
my $parsExtKeyUsage = _init('ExtKeyUsageSyntax'); # get a parser for this
my $oids = $parsExtKeyUsage->decode( $ext->{'extnValue'} ); # decode the value
if ( $parsExtKeyUsage->error ) {
$self->{"_error"} = $parsExtKeyUsage->error;
return undef;
}
$ext->{'oids'} = [ map { $oid2extkeyusage{$_} || $_ } @$oids ];
if ( $ext->{'critical'} ) { unshift @{ $ext->{'oids'} }, "critical"; } # mark as critical, if appropriate
return $ext->{'oids'};
}
}
return undef;
}
=head2 SubjectAltName
returns a pointer to an array of strings containing alternative Subjectnames or
C<undef> if the extension is not filled. Usually this Extension holds the e-Mail
address for person-certificates or DNS-Names for server certificates.
It also pre-pends the field type (ie rfc822Name) to the returned value.
$decoded= Crypt::X509->new($cert);
print "E-Mail or Hostnames in this Certificates is/are:", join(", ", @{$decoded->SubjectAltName}), "\n";
Example Output: E-Mail or Hostnames in this Certificates is/are: rfc822Name=user@server.com
=cut back
sub SubjectAltName {
my $self = shift;
my $ext;
my $exts = $self->{'tbsCertificate'}->{'extensions'};
if ( !defined $exts ) { return undef; }
; # no extensions in certificate
foreach $ext ( @{$exts} ) {
if ( $ext->{'extnID'} eq '2.5.29.17' ) { #OID for SubjectAltName
my $parsSubjAlt = _init('SubjectAltName'); # get a parser for this
my $altnames = $parsSubjAlt->decode( $ext->{'extnValue'} ); # decode the value
if ( $parsSubjAlt->error ) {
$self->{"_error"} = $parsSubjAlt->error;
return undef;
}
$ext->{'names'} = [];
foreach my $name ( @{$altnames} ) {
foreach my $value ( keys %{$name} ) {
push @{ $ext->{'names'} }, "$value=" . $name->{$value};
}
}
return $ext->{'names'};
}
}
return undef;
}
=head2 DecodedSubjectAltNames
Returns a pointer to an array of strings containing all the alternative subject name
extensions.
Each such extension is represented as a decoded ASN.1 value, i.e. a pointer to a list
of pointers to objects, each object having a single key with the type of the alternative
name and a value specific to that type.
Example return value:
[
[
{
'directoryName' => {
'rdnSequence' => [
[
{
'value' => { 'utf8String' => 'example' },
'type' => '2.5.4.3'
}
]
]
}
},
{
'dNSName' => 'example.com'
}
]
]
=cut back
sub DecodedSubjectAltNames {
my $self = shift;
my @sans = ();
my $exts = $self->{'tbsCertificate'}->{'extensions'};
foreach my $ext ( @{$exts} ) {
if ( $ext->{'extnID'} eq '2.5.29.17' ) { #OID for subjectAltName
my $parsSubjAlt = _init('SubjectAltName');
my $altnames = $parsSubjAlt->decode( $ext->{'extnValue'} );
if ( $parsSubjAlt->error ) {
$self->{'_error'} = $parsSubjAlt->error;
return undef;
}
push @sans, $altnames;
}
}
return \@sans;
}
#########################################################################
# accessors - authorityCertIssuer
#########################################################################
sub _AuthorityKeyIdentifier {
my $self = shift;
my $ext;
my $exts = $self->{'tbsCertificate'}->{'extensions'};
if ( !defined $exts ) { return undef; }
; # no extensions in certificate
if ( defined $self->{'tbsCertificate'}{'AuthorityKeyIdentifier'} ) {
return ( $self->{'tbsCertificate'}{'AuthorityKeyIdentifier'} );
}
foreach $ext ( @{$exts} ) {
if ( $ext->{'extnID'} eq '2.5.29.35' ) { #OID for AuthorityKeyIdentifier
my $pars = _init('AuthorityKeyIdentifier'); # get a parser for this
$self->{'tbsCertificate'}{'AuthorityKeyIdentifier'} = $pars->decode( $ext->{'extnValue'} ); # decode the value
if ( $pars->error ) {
$self->{"_error"} = $pars->error;
return undef;
}
return $self->{'tbsCertificate'}{'AuthorityKeyIdentifier'};
}
}
return undef;
}
=head2 authorityCertIssuer
returns a pointer to an array of strings building the DN of the Authority Cert
Issuer. Attributenames for the most common Attributes
are translated from the OID-Numbers, unknown numbers are output verbatim.
undef if the extension is not set in the certificate.
$decoded= Crypt::X509->new($cert);
print "Certificate was authorised by:".join(',',@{$decoded->authorityCertIssuer})."\n";
=cut back
sub authorityCertIssuer {
my $self = shift;
my ( $i, $type );
my $rdn = _AuthorityKeyIdentifier($self);
if ( !defined($rdn) ) {
return (undef); # we do not have that extension
} else {
$rdn = $rdn->{'authorityCertIssuer'}[0]->{'directoryName'};
}
$rdn->{'dn'} = [];
my $dn = $rdn->{'dn'};
$rdn = $rdn->{'rdnSequence'};
foreach my $r ( @{$rdn} ) {
$i = @{$r}[0];
if ( $oid2attr{ $i->{'type'} } ) {
$type = $oid2attr{ $i->{'type'} };
} else {
$type = $i->{'type'};
}
my @key = keys( %{ $i->{'value'} } );
push @{$dn}, $type . "=" . $i->{'value'}->{ $key[0] };
}
return $dn;
}
sub _authcert_part {
my $self = shift;
my $oid = shift;
my $rdn = _AuthorityKeyIdentifier($self);
if ( !defined($rdn) ) {
return (undef); # we do not have that extension
} else {
$rdn = $rdn->{'authorityCertIssuer'}[0]->{'directoryName'}->{'rdnSequence'};
}
foreach my $r ( @{$rdn} ) {
my $i = @{$r}[0];
if ( $i->{'type'} eq $oid ) {
my @key = keys( %{ $i->{'value'} } );
return $i->{'value'}->{ $key[0] };
}
}
return undef;
}
=head2 authority_serial
Returns the authority's certificate serial number.
=cut back
sub authority_serial {
my $self = shift;
return ( $self->_AuthorityKeyIdentifier )->{authorityCertSerialNumber};
}
=head2 key_identifier
lib/Crypt/X509.pm view on Meta::CPAN
# return undef;
}
}
}
return %CDPs;
}
}
return undef;
}
sub my_CRL_rdn {
my $crl_rdn = shift; # this should be the passed in 'rdnSequence' array
my ( $i, $type );
my $crl_dn = [];
for my $part ( @{$crl_rdn} ) {
$i = @{$part}[0];
if ( $oid2attr{ $i->{'type'} } ) {
$type = $oid2attr{ $i->{'type'} };
} else {
$type = $i->{'type'};
}
my @key = keys( %{ $i->{'value'} } );
push @{$crl_dn}, $type . "=" . $i->{'value'}->{ $key[0] };
}
return $crl_dn;
}
=head2 CertificatePolicies
Returns the CertificatePolicies as an array of strings
=cut back
# CertificatePolicies (another extension)
sub CertificatePolicies {
my $self = shift;
my $extension;
my $CertPolicies = [];
my $extensions = $self->{'tbsCertificate'}->{'extensions'};
if ( !defined $extensions ) { return undef; }
; # no extensions in certificate
for $extension ( @{$extensions} ) {
if ( $extension->{'extnID'} eq '2.5.29.32' ) { # OID for CertificatePolicies
my $parser = _init('CertificatePolicies'); # get a parser for this
my $policies = $parser->decode( $extension->{'extnValue'} ); # decode the value
for my $policy ( @{$policies} ) {
for my $key ( keys %{$policy} ) {
push @{$CertPolicies}, "$key=" . $policy->{$key};
}
}
return $CertPolicies;
}
}
return undef;
}
=head2 EntrustVersionInfo
Returns the EntrustVersion as a string
print "Entrust Version: ", $decoded->EntrustVersion, "\n";
Example Output: Entrust Version: V7.0
=cut back
# EntrustVersion (another extension)
sub EntrustVersion {
my $self = shift;
my $extension;
my $extensions = $self->{'tbsCertificate'}->{'extensions'};
if ( !defined $extensions ) { return undef; }
; # no extensions in certificate
for $extension ( @{$extensions} ) {
if ( $extension->{'extnID'} eq '1.2.840.113533.7.65.0' ) { # OID for EntrustVersionInfo
my $parser = _init('EntrustVersionInfo'); # get a parser for this
my $entrust = $parser->decode( $extension->{'extnValue'} ); # decode the value
return $entrust->{'entrustVers'};
# not doing anything with the EntrustInfoFlags BIT STRING (yet)
# $entrust->{'entrustInfoFlags'}
}
}
return undef;
}
=head2 SubjectDirectoryAttributes
Returns the SubjectDirectoryAttributes as an array of key = value pairs, to include a data type
print "Subject Directory Attributes: ", join( ', ' , @{ $decoded->SubjectDirectoryAttributes } ), "\n";
Example Output: Subject Directory Attributes: 1.2.840.113533.7.68.29 = 7 (integer)
=cut back
# SubjectDirectoryAttributes (another extension)
sub SubjectDirectoryAttributes {
my $self = shift;
my $extension;
my $attributes = [];
my $extensions = $self->{'tbsCertificate'}->{'extensions'};
if ( !defined $extensions ) { return undef; }
; # no extensions in certificate
for $extension ( @{$extensions} ) {
if ( $extension->{'extnID'} eq '2.5.29.9' ) { # OID for SubjectDirectoryAttributes
my $parser = _init('SubjectDirectoryAttributes'); # get a parser for this
my $subject_dir_attrs = $parser->decode( $extension->{'extnValue'} ); # decode the value
for my $type ( @{$subject_dir_attrs} ) {
for my $value ( @{ $type->{'values'} } ) {
for my $key ( keys %{$value} ) {
push @{$attributes}, $type->{'type'} . " = " . $value->{$key} . " ($key)";
}
}
}
return $attributes;
}
}
return undef;
}
=head2 BasicConstraints
Returns the BasicConstraints as an array and the criticallity pre-pended.
=cut back
# BasicConstraints (another extension)
sub BasicConstraints {
my $self = shift;
my $extension;
my $constraints = [];
my $extensions = $self->{'tbsCertificate'}->{'extensions'};
if ( !defined $extensions ) { return undef; }
; # no extensions in certificate
for $extension ( @{$extensions} ) {
if ( $extension->{'extnID'} eq '2.5.29.19' ) { # OID for BasicConstraints
if ( $extension->{'critical'} ) { push @{$constraints}, "critical"; } # mark this as critical as appropriate
my $parser = _init('BasicConstraints'); # get a parser for this
my $basic_constraints = $parser->decode( $extension->{'extnValue'} ); # decode the value
for my $key ( keys %{$basic_constraints} ) {
push @{$constraints}, "$key = " . $basic_constraints->{$key};
}
return $constraints;
}
}
return undef;
}
=head2 subject_keyidentifier
Returns the subject key identifier from the extensions.
=cut back
# subject_keyidentifier (another extension)
sub subject_keyidentifier {
my $self = shift;
return $self->_SubjectKeyIdentifier;
}
# _SubjectKeyIdentifier (another extension)
sub _SubjectKeyIdentifier {
my $self = shift;
my $extensions = $self->{'tbsCertificate'}->{'extensions'};
if ( !defined $extensions ) { return undef; }
; # no extensions in certificate
if ( defined $self->{'tbsCertificate'}{'SubjectKeyIdentifier'} ) {
return ( $self->{'tbsCertificate'}{'SubjectKeyIdentifier'} );
}
for my $extension ( @{$extensions} ) {
if ( $extension->{'extnID'} eq '2.5.29.14' ) { # OID for SubjectKeyIdentifier
my $parser = _init('SubjectKeyIdentifier'); # get a parser for this
$self->{'tbsCertificate'}{'SubjectKeyIdentifier'} = $parser->decode( $extension->{'extnValue'} ); # decode the value
if ( $parser->error ) {
$self->{"_error"} = $parser->error;
return undef;
}
return $self->{'tbsCertificate'}{'SubjectKeyIdentifier'};
}
}
return undef;
}
=head2 SubjectInfoAccess
Returns the SubjectInfoAccess as an array of hashes with key=value pairs.
print "Subject Info Access: ";
if ( defined $decoded->SubjectInfoAccess ) {
my %SIA = $decoded->SubjectInfoAccess;
for my $key ( keys %SIA ) {
print "\n\t$key: \n\t";
print join( "\n\t" , @{ $SIA{$key} } ), "\n";
}
} else { print "\n" }
Example Output:
Subject Info Access:
1.3.6.1.5.5.7.48.5:
uniformResourceIdentifier = http://pki.treas.gov/root_sia.p7c
uniformResourceIdentifier = ldap://ldap.treas.gov/ou=US%20Treasury%20Root%20CA,ou=Certification%20Authorities,ou=Department%20of%20the%20Treasury,o=U.S.%20Government,c=US?cACertificate;binary,crossCertificatePair;binary
=cut back
# SubjectInfoAccess (another extension)
sub SubjectInfoAccess {
my $self = shift;
my $extension;
my %SIA;
my $extensions = $self->{'tbsCertificate'}->{'extensions'};
if ( !defined $extensions ) { return undef; }
; # no extensions in certificate
for $extension ( @{$extensions} ) {
if ( $extension->{'extnID'} eq '1.3.6.1.5.5.7.1.11' ) { # OID for SubjectInfoAccess
my $parser = _init('SubjectInfoAccessSyntax'); # get a parser for this
my $subject_info_access = $parser->decode( $extension->{'extnValue'} ); # decode the value
for my $sia ( @{$subject_info_access} ) {
for my $key ( keys %{ $sia->{'accessLocation'} } ) {
push @{ $SIA{ $sia->{'accessMethod'} } }, "$key = " . $sia->{'accessLocation'}{$key};
}
}
return %SIA;
}
}
return undef;
}
=head2 PGPExtension
Returns the creation timestamp of the corresponding OpenPGP key.
(see http://www.imc.org/ietf-openpgp/mail-archive/msg05320.html)
print "PGPExtension: ";
if ( defined $decoded->PGPExtension ) {
my $creationtime = $decoded->PGPExtension;
printf "\n\tcorresponding OpenPGP Creation Time: ", $creationtime, "\n";
}
Example Output:
PGPExtension:
whatever
=cut back
# PGPExtension (another extension)
sub PGPExtension {
my $self = shift;
my $extension;
my $extensions = $self->{'tbsCertificate'}->{'extensions'};
if ( !defined $extensions ) { return undef; }
; # no extensions in certificate
for $extension ( @{$extensions} ) {
if ( $extension->{'extnID'} eq '1.3.6.1.4.1.3401.8.1.1' ) { # OID for PGPExtension
my $parser = _init('PGPExtension'); # get a parser for this
my $pgpextension = $parser->decode( $extension->{'extnValue'} ); # decode the value
if ($pgpextension->{version} != 0) {
$self->{"_error"} = sprintf("got PGPExtension version %d. We only know how to deal with v1 (0)", $pgpextension->{version});
} else {
foreach my $timetype ('generalTime', 'utcTime') {
return $pgpextension->{keyCreation}->{$timetype}
if exists $pgpextension->{keyCreation}->{$timetype};
}
}
}
}
return undef;
}
#######################################################################
# internal functions
#######################################################################
sub _init {
my $what = shift;
if ( ( !defined $what ) || ( '' eq $what ) ) { $what = 'Certificate' }
if ( !defined $asn ) {
$asn = Convert::ASN1->new;
$asn->prepare(<<ASN1);
-- ASN.1 from RFC2459 and X.509(2001)
-- Adapted for use with Convert::ASN1
-- Id: x509decode,v 1.1 2002/02/10 16:41:28 gbarr Exp
-- attribute data types --
Attribute ::= SEQUENCE {
type AttributeType,
values SET OF AttributeValue
-- at least one value is required --
}
AttributeType ::= OBJECT IDENTIFIER
AttributeValue ::= DirectoryString --ANY
AttributeTypeAndValue ::= SEQUENCE {
type AttributeType,
( run in 0.481 second using v1.01-cache-2.11-cpan-39bf76dae61 )