X509/Certificate.pod - metacpan.org

=head1 NAME

Crypt::NSS::X509::Certificate - NSS Certificate functions

=head1 SYNOPSIS

  use 5.10.1;
  use Perl6::Slurp;

  use Crypt::NSS::X509;

  my $cert = Crypt::NSS::X509::Certificate->new(slurp('derfile'));

  say $cert->subject();
  say $cert->issuer();

  my $valid = $cert->verify_cert();
  
  if ( ! $cert->match_name('www.testdomain') ) {
    # Domain does not match certificate information
    exit(1);
  }

=head1 ABSTRACT

Perl interface for the certificate access parts of the NSS API.

=head1 DESCRIPTION

This class gives access to most of the certificate handling 
functions of NSS. For information on how to load and initialize the
NSS library, please refer to L<Crypt::NSS::X509>.

=head1 FUNCTIONS

=head2 CONSTRUCTORS

=over 4

=item new ( DERSTRING ) 

Creates a new NSS::Certificate object from the provided der-encoded
certificate string. 

The function croaks with the NSS error in case NSS cannot parse or
import the certificate

=item new_from_pem ( STRING )

Creates a new NSS::Certificate object from the pem-encoded certificate
string. Behaves exactly as new ( ).

=item new_from_nick ( STRING )

Creates a new NSS::Certificate object from the certificate database
given a certificate nickname. Returns undef if no fitting certificate
could be found.

=back 

=head2 ACCESSORS

=over 4

=item subject

Returns the certificate subject as string.

=item issuer

Returns the certificate issuer as string.

=item serial

Returns the hex-encoded serial number of the certificate.

=item notBefore

Returns the not before time as a string.

=item notAfter

Returns the notAfter tine as a string.

=begin comment
commented because not supported good by all nss versions.

=item email

Returns the certificate email address (if present).

=end comment

=item subj_alt_name 

Returns the certificate subject alternative name (if present).
May croak if the extension field in the certificate is invalid.

=item version

Returns the certificate version number.

=item common_name

Returns the most specific common name specified in the certificate
subject.

=item is_root

Returns true if NSS thinks that the certificate is a root (selfsigned)
certificate and false otherwise.

=item sig_alg_name

Returns the name of the signature algorithm.

=item key_alg_name

Returns the name of the encryption algorithm.

=item bit_length

Bit length of the certificate key

=item public_key

Hex representation of the public key of the certificate (also available 
under the name C<modulus>, for historical reasons

=item modulus

Alias for public_key.

=item nickname

Return the NSS certificate nickname.

=item dbnickname

Return the NSS certificate database nickname.

=item raw_spki

Return the encoded subject public key info part of the certificate.
Can be used for uniquely identifying a public key (after hashing).

=item exponent

RSA exponent of the public key of the certificate. Croaks, if the certificate
does not contain an RSA key, so check first using C<key_alg_name>.

=item curve

Name of the EC-curve used in the certificate. Croaks if the certificate is
not an EC-certificate.

=item fingerprint_md5

Hex-encoded md5 fingerprint of the certificate

=item fingerprint_sha1

Hex-encoded sha1 fingerprint of the certificate

=item fingerprint_sha256

Hex-encoded sha256 fingerprint of the certificate

=item der

Return the der-encoded certificate

=back

=head2 VERIFICATION FUNCTIONS

These functions allow verification of certificate chains. Please note that
for most of them a database has to be used and a root-certificate list has
to be loaded. See L<Crypt::NSS::X509>.

There are several different verification functions, because the NSS
library offers a variety of methods to validate certificates. You probably
want to either use C<verify_certificate> or C<verify_pkix>.

=over 4

=item match_name ( HOSTNAME ) 

Return true is NSS considers the hostname to be valid for the certificate.
Returns false otherwise.

=item verify_certificate( [TIME], [USAGE] )

Returns 1 if the certificate can be validated up to a root-certificate.
Otherwise returns the numeric NSS error code. Time can contain the unix
timestamp of the verification time. Usage can contain a the certificate
usage - usually certUsageSSLServer is assumed.

=item verify_cert ( [TIME], [USAGE] )

Same as C<verify_certificate>, just using the verify_cert NSS function
instead of the verify_certificate NSS function.

This is (basically) the verification function that is used by Firefox
at the moment (they add a few more special checks in the Firefox codebase).

=item verify_certificate_pkix( [TIME], [USAGE] )

Same as C<verify_certificate>, just using the PKIX library for validation by
using CERT_SetUsePKIXForValidation.

=item verify_certificate_log( [TIME], [USAGE] )

Same verification as in C<verify_certificate>; however this function returns
an empty list in case of success. In case of error, a list of hashes is returned.
The hash contains the certificate that generated the error and the error code.

This allows to see which certificate in a certificate chain was responsible
for preventing the validation of the chain. If several errors occur, the list
may contain several hashes with differing error codes.

=item verify_certificate_pkix_log( [TIME], [USAGE] )

Like verify_certificate_log, just using the PKIX library for validation by
using CERT_SetUsePKIXForValidation.

=item verify_cert_log ( [TIME], [USAGE] )

Same as C<verify_certificate_log>, just using the verify_cert NSS function
instead of the verify_certificate NSS function.

=item verify_pkix ( [TIME], [USAGE], [TRUSTED CERT LIST )

Returns 1 if the certificate can be validated up to a root-certificate using
the CERT_PKIXVerifyCert function. Otherwise returns the numeric NSS error code.
This function is (basically) used by Chrome to validate certificates.

Trusted cert list can contain a L<NSS::CertList>, of trusted certificates.
Please note that it is not a good idea to just load all root-certificates into 
a NSS::CertList and try to validate using this function, without using a NSS
database backend; chain validation does not work correctly in that case.

=item verify_pkix_aia ( [TIME], [USAGE], [TRUSTED CERT LIST )

Same as verify_pkix, but tries to retrieve missing intermediate certificates using 
the Authority Information Access (AIA) field in the certificate (if present).

=item get_cert_chain_from_cert( [TIME], [USAGE] ) 

Get a L<Crypt::NSS::X509::CertList> containing the certificate chain up to a root-certificate
for the current certificate.

=back


=head1 AUTHOR

Bernhard Amann, E<lt>bernhard@icsi.berkeley.eduE<gt>

=head1 COPYRIGHT AND LICENSE

Copyright 2012 by Bernhard Amann

This Library Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.

The library contains source code of the Mozilla Network Security Services; for
NSS license information please see http://www.mozilla.org/projects/security/pki/
nss/.

=cut
	Global
`s`	Focus search bar
`?`	Bring up this help dialog
	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)
	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse
	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)