Crypt-X509-CRL
view release on metacpan or search on metacpan
Convert::ASN1
NAME
Crypt::X509::CRL - Parses an X.509 certificate revocation list
SYNOPSIS
use Crypt::X509::CRL;
$decoded = Crypt::X509::CRL->new( crl => $crl );
$subject_email = $decoded->subject_email;
print "do not use after: ".gmtime($decoded->not_after)." GMT\n";
REQUIRES
Convert::ASN1
DESCRIPTION
Crypt::X509::CRL parses X.509 certificate revocation lists. Methods are
provided for accessing most CRL elements.
It is based on the generic ASN.1 module by Graham Barr, on the
NOTE: The use of 'utcTime' in determining the revocation date of a given
certificate is based on RFC 3280 for dates through the year 2049.
Starting with dates in 2050 and beyond the RFC calls for revocation
dates to be listed as 'generalTime'.
CONSTRUCTOR
new ( OPTIONS )
Creates and returns a parsed X.509 CRL hash, containing the parsed
contents. The data is organised as specified in RFC 2459. By default
only the first ASN.1 Layer is decoded. Nested decoding is done
automagically through the data access methods.
crl => $crl
A variable containing the DER formatted crl to be parsed (eg. as
stored in "certificateRevocationList;binary" attribute in an
LDAP-directory).
Example:
use Crypt::X509::CRL;
use Data::Dumper;
$decoded = Crypt::X509::CRL->new( crl => $crl );
print Dumper $decoded;
METHODS
error
Returns the last error from parsing, "undef" when no error occured. This
error is updated on deeper parsing with the data access methods.
Example:
$decoded= Crypt::X509::CRL->new(crl => $crl);
if ( $decoded->error ) {
warn "Error on parsing Certificate Revocation List: ", $decoded->error;
}
DATA ACCESS METHODS
You can access all parsed data directly from the returned hash. For
convenience the following data access methods have been implemented to
give quick access to the most-used crl attributes.
version
Returns the certificate revocation list's version as an integer. Returns
undef if the version is not specified, since it is an optional field in
2 = v3
version_string
Returns the certificate revocation list's version as a string value (ie 'v1', 'v2', or 'v3').
this_update
Returns either the utcTime or generalTime of the certificate revocation
list's date of publication. Returns undef if not defined.
Example:
$decoded = Crypt::X509::CRL->new(crl => $crl);
print "CRL was published at ", gmtime( $decoded->this_update ), " GMT\n";
next_update
Returns either the utcTime or generalTime of the certificate revocation
list's date of expiration. Returns undef if not defined.
Example:
$decoded = Crypt::X509::CRL->new(crl => $crl);
if ( $decoded->next_update > time() ) {
warn "CRL has expired!";
}
signature
Return's the certificate's signature in binary DER format.
signature_length
Return's the length of the certificate's signature.
signature_algorithm
Returns the certificate's signature algorithm as an OID string.
Example:
$decoded = Crypt::X509::CRL->new(crl => $crl);
print "CRL signature is encrypted with:", $decoded->signature_algorithm, "\n";
Example Output: CRL signature is encrypted with: 1.2.840.113549.1.1.5
SigEncAlg
Returns the signature encryption algorithm (e.g. 'RSA') as a string.
Example:
$decoded = Crypt::X509::CRL->new(crl => $crl);
print "CRL signature is encrypted with:", $decoded->SigEncAlg, "\n";
Example Output:
CRL signature is encrypted with: RSA
SigHashAlg
Returns the signature hashing algorithm (e.g. 'SHA1') as a string.
Example:
$decoded = Crypt::X509::CRL->new(crl => $crl);
print "CRL signature is hashed with:", $decoded->SigHashAlg, "\n";
Example Output:
CRL signature is encrypted with: SHA1
Issuer
Returns a pointer to an array of strings building the DN of the
certificate issuer (= the DN of the CA). Attribute names for the most
common Attributes are translated from the OID-Numbers, unknown numbers
are output verbatim.
Example:
$decoded = Crypt::X509::CRL->new( $crl );
print "CRL was issued by: ", join( ', ' , @{ $decoded->Issuer } ), "\n";
issuer_cn
Returns the string value for issuer's common name (= the value with the
OID 2.5.4.3 or in DN Syntax everything after "CN="). Only the first
entry is returned. "undef" if issuer contains no common name attribute.
issuer_country
Returns the string value for issuer's country (= the value with the OID
2.5.4.6 or in DN Syntax everything after "C="). Only the first entry is
returned. "undef" if issuer contains no country attribute.
issuer_email
Returns the string value for issuer's email address (= the value with
the OID 1.2.840.113549.1.9.1 or in DN Syntax everything after "E=").
Only the first entry is returned. "undef" if issuer contains no email
attribute.
key_identifier
Returns the authority key identifier as a bit string.
Example:
$decoded = Crypt::X509::CRL->new( $crl );
my $s = unpack("H*" , $decoded->key_identifier);
print "The Authority Key Identifier in HEX is: $s\n";
Example output:
The Authority Key Identifier in HEX is: 86595f93caf32da620a4f9595a4a935370e792c9
authorityCertIssuer
Returns a pointer to an array of strings building the DN of the
Authority Cert Issuer. Attribute names for the most common Attributes
are translated from the OID-Numbers, unknown numbers are output
verbatim. Returns undef if the extension is not set in the certificate.
Example:
$decoded = Crypt::X509::CRL->new($cert);
print "Certificate was authorised by:", join( ', ', @{ $decoded->authorityCertIssuer } ), "\n";
authority_serial
Returns the authority's certificate serial number.
authority_cn
Returns the authority's ca.
authority_country
Returns the authority's country.
crl_number
Returns the CRL Number as an integer.
IDPs
Returns the Issuing Distribution Points as a hash providing for the
default values.
Example:
print "Issuing Distribution Points:\n";
my $IDPs = $decoded->IDPs;
for my $key ( sort keys %{ $IDPs } ) {
print "$key = ";
if ( defined $IDPs->{ $key } ) {
print $IDPs->{ $key }, "\n";
} else {
print "undef\n";
}
}
Example Output:
indirectCRL = 0 or 1 # default is FALSE
reasonFlags = BIT STRING # default is undef
revocation_list
Returns an array of hashes for the revoked certificates listed on the
given CRL. The keys to the hash are the certificate serial numbers in
decimal format.
Example:
print "Revocation List:\n";
my $rls = $decoded->revocation_list;
my $count_of_rls = keys %{ $rls };
print "Found $count_of_rls revoked certificate(s) on this CRL.\n";
for my $key ( sort keys %{ $rls } ) {
print "Certificate: ", DecimalToHex( $key ), "\n";
for my $extn ( sort keys %{ $rls->{ $key } } ) {
if ( $extn =~ /date/i ) {
print "\t$extn: ", ConvertTime( $rls->{ $key }{ $extn } ), "\n";
} else {
print "\t$extn: ", $rls->{ $key }{ $extn }, "\n";
}
lib/Crypt/X509/CRL.pm view on Meta::CPAN
Convert::ASN1
=head1 NAME
Crypt::X509::CRL - Parses an X.509 certificate revocation list
=head1 SYNOPSIS
use Crypt::X509::CRL;
$decoded = Crypt::X509::CRL->new( crl => $crl );
$subject_email = $decoded->subject_email;
print "do not use after: ".gmtime($decoded->not_after)." GMT\n";
=head1 REQUIRES
Convert::ASN1
=head1 DESCRIPTION
B<Crypt::X509::CRL> parses X.509 certificate revocation lists. Methods are
provided for accessing most CRL elements.
lib/Crypt/X509/CRL.pm view on Meta::CPAN
certificate is based on RFC 3280 for dates through the year 2049. Starting
with dates in 2050 and beyond the RFC calls for revocation dates to be
listed as 'generalTime'.
=head1 CONSTRUCTOR
=head2 new ( OPTIONS )
Creates and returns a parsed X.509 CRL hash, containing the parsed
contents. The data is organised as specified in RFC 2459.
By default only the first ASN.1 Layer is decoded. Nested decoding
is done automagically through the data access methods.
=over 4
=item crl =E<gt> $crl
A variable containing the DER formatted crl to be parsed
(eg. as stored in C<certificateRevocationList;binary> attribute in an
LDAP-directory).
=back
=head3 Example:
use Crypt::X509::CRL;
use Data::Dumper;
$decoded = Crypt::X509::CRL->new( crl => $crl );
print Dumper $decoded;
=cut back
=head1 METHODS
=head2 error
Returns the last error from parsing, C<undef> when no error occured.
This error is updated on deeper parsing with the data access methods.
=head3 Example:
$decoded= Crypt::X509::CRL->new(crl => $crl);
if ( $decoded->error ) {
warn "Error on parsing Certificate Revocation List: ", $decoded->error;
}
=cut back
=head1 DATA ACCESS METHODS
You can access all parsed data directly from the returned hash. For convenience
the following data access methods have been implemented to give quick access to
the most-used crl attributes.
lib/Crypt/X509/CRL.pm view on Meta::CPAN
Returns the certificate revocation list's version as a string value (ie 'v1', 'v2', or 'v3').
=head2 this_update
Returns either the utcTime or generalTime of the certificate revocation list's date
of publication. Returns undef if not defined.
=head3 Example:
$decoded = Crypt::X509::CRL->new(crl => $crl);
print "CRL was published at ", gmtime( $decoded->this_update ), " GMT\n";
=cut back
=head2 next_update
Returns either the utcTime or generalTime of the certificate revocation list's
date of expiration. Returns undef if not defined.
=head3 Example:
$decoded = Crypt::X509::CRL->new(crl => $crl);
if ( $decoded->next_update < time() ) {
warn "CRL has expired!";
}
=cut back
=head2 signature
Return's the certificate's signature in binary DER format.
=cut back
lib/Crypt/X509/CRL.pm view on Meta::CPAN
Return's the length of the certificate's signature.
=cut back
=head2 signature_algorithm
Returns the certificate's signature algorithm as an OID string.
=head3 Example:
$decoded = Crypt::X509::CRL->new(crl => $crl);
print "CRL signature is encrypted with:", $decoded->signature_algorithm, "\n";
Example Output: CRL signature is encrypted with: 1.2.840.113549.1.1.5
=cut back
=head2 SigEncAlg
Returns the signature encryption algorithm (e.g. 'RSA') as a string.
=head3 Example:
$decoded = Crypt::X509::CRL->new(crl => $crl);
print "CRL signature is encrypted with:", $decoded->SigEncAlg, "\n";
Example Output: CRL signature is encrypted with: RSA
=cut back
=head2 SigHashAlg
Returns the signature hashing algorithm (e.g. 'SHA1') as a string.
=head3 Example:
$decoded = Crypt::X509::CRL->new(crl => $crl);
print "CRL signature is hashed with:", $decoded->SigHashAlg, "\n";
Example Output: CRL signature is encrypted with: SHA1
=cut back
=head2 Issuer
Returns a pointer to an array of strings building the DN of the certificate
issuer (= the DN of the CA). Attribute names for the most common Attributes
are translated from the OID-Numbers, unknown numbers are output verbatim.
=head3 Example:
$decoded = Crypt::X509::CRL->new( $crl );
print "CRL was issued by: ", join( ', ' , @{ $decoded->Issuer } ), "\n";
=cut back
=head2 issuer_cn
Returns the string value for issuer's common name (= the value with the
OID 2.5.4.3 or in DN Syntax everything after C<CN=>).
Only the first entry is returned. C<undef> if issuer contains no common name attribute.
=cut back
lib/Crypt/X509/CRL.pm view on Meta::CPAN
Only the first entry is returned. C<undef> if issuer contains no email attribute.
=cut back
=head2 key_identifier
Returns the authority key identifier as a bit string.
=head3 Example:
$decoded = Crypt::X509::CRL->new( $crl );
my $s = unpack("H*" , $decoded->key_identifier);
print "The Authority Key Identifier in HEX is: $s\n";
Example output:
The Authority Key Identifier in HEX is: 86595f93caf32da620a4f9595a4a935370e792c9
=cut back
=head2 authorityCertIssuer
Returns a pointer to an array of strings building the DN of the Authority Cert
Issuer. Attribute names for the most common Attributes are translated from the
OID-Numbers, unknown numbers are output verbatim. Returns undef if the
extension is not set in the certificate.
=head3 Example:
$decoded = Crypt::X509::CRL->new($cert);
print "Certificate was authorised by:", join( ', ', @{ $decoded->authorityCertIssuer } ), "\n";
=cut back
=head2 authority_serial
Returns the authority's certificate serial number.
=cut back
=head2 authority_cn
lib/Crypt/X509/CRL.pm view on Meta::CPAN
=cut back
=head2 IDPs
Returns the Issuing Distribution Points as a hash providing for the default values.
=head3 Example:
print "Issuing Distribution Points:\n";
my $IDPs = $decoded->IDPs;
for my $key ( sort keys %{ $IDPs } ) {
print "$key = ";
if ( defined $IDPs->{ $key } ) {
print $IDPs->{ $key }, "\n";
} else {
print "undef\n";
}
}
=head3 Example Output:
lib/Crypt/X509/CRL.pm view on Meta::CPAN
=cut back
=head2 revocation_list
Returns an array of hashes for the revoked certificates listed on the given CRL. The
keys to the hash are the certificate serial numbers in decimal format.
=head3 Example:
print "Revocation List:\n";
my $rls = $decoded->revocation_list;
my $count_of_rls = keys %{ $rls };
print "Found $count_of_rls revoked certificate(s) on this CRL.\n";
for my $key ( sort keys %{ $rls } ) {
print "Certificate: ", DecimalToHex( $key ), "\n";
for my $extn ( sort keys %{ $rls->{ $key } } ) {
if ( $extn =~ /date/i ) {
print "\t$extn: ", ConvertTime( $rls->{ $key }{ $extn } ), "\n";
} else {
print "\t$extn: ", $rls->{ $key }{ $extn }, "\n";
}
t/01-validate.t view on Meta::CPAN
#!perl
use 5.006;
use strict;
use warnings;
use Test::More qw(no_plan);
use_ok( 'Crypt::X509::CRL' );
my $crl;
my $decoded;
# Load a known good CRL
open FH, "t/good.crl";
binmode FH;
$crl = undef;
while ( <FH> ) {
$crl .= $_;
}
close FH;
note ("Test a known good CRL");
$decoded = undef;
$decoded = Crypt::X509::CRL->new( crl => $crl );
ok ( ! $decoded->error() );
# Load a known bad CRL
open FH, "t/bad.crl";
binmode FH;
$crl = undef;
while ( <FH> ) {
$crl .= $_;
}
close FH;
note ("Test a known bad CRL");
$decoded = undef;
$decoded = Crypt::X509::CRL->new( crl => $crl );
ok ( $decoded->error() );
t/Crypt-X509-CRL.t view on Meta::CPAN
# Before `make install' is performed this script should be runnable with
# `make test'. After `make install' it should work as `perl Crypt-X509-CRL.t'
use Test::More tests => 13;
BEGIN { use_ok('Crypt::X509::CRL') }
$crl = loadcrl('t/crl.crl');
is( length $crl, 8422, 'crl file loaded' );
$decoded = Crypt::X509::CRL->new( crl => $crl );
ok( defined $decoded, 'new() returned something' );
ok( $decoded->isa('Crypt::X509::CRL'), 'and it\'s the right class' );
is( $decoded->error, undef, 'decode successful' );
is( $decoded->this_update, 1167652147, 'this_update got parsed' );
is( $decoded->next_update, 1167716947, 'next_update got parsed' );
is( $decoded->crl_number, 1711, 'crl_number got parsed' );
is( join( ',', reverse @{ $decoded->Issuer } ), 'OU=US Treasury Public CA,OU=Certification Authorities,OU=Department of the Treasury,O=U.S. Government,C=US', 'Issuer parsed' );
is( $decoded->signature_length, 2048, 'signtuare length parsed' );
is( $decoded->signature_algorithm, '1.2.840.113549.1.1.5', 'OID parsed' );
is( $decoded->SigEncAlg, 'RSA', 'Signature encryption parsed' );
is( $decoded->SigHashAlg, 'SHA1', 'Signature hash parsed' );
sub loadcrl {
my $file = shift;
open FILE, $file || die "cannot load test certificate" . $file . "\n";
binmode FILE; # HELLO Windows, dont fuss with this
my $holdTerminator = $/;
undef $/; # using slurp mode to read the DER-encoded binary certificate
my $crl = <FILE>;
$/ = $holdTerminator;
close FILE;
( run in 0.563 second using v1.01-cache-2.11-cpan-49f99fa48dc )