Mike Jones > VOMS-Lite-0.20 > VOMS::Lite::CertKeyHelper



Annotate this POD


Open  0
View/Report Bugs
Module Version: 0.20   Source  


VOMS::Lite::CertKeyHelper - Perl extension for parsing DER encoded X509 certificates for the VOMS::Lite module.


  use VOMS::Lite::CertKeyHelper qw (x509rsasign buildchain OIDtoDNattrib DNattribToOID);

  # Call x509rsasign with three hex encoded arguments: Data, Exponent and Modulus.

  # Call buildchain to construct the chain of a certificate given any 
  # unverified supplied certs, trusted cert and directories containing 
  # certicates stored by hash name.
  # The returned hash contains references to arrays with DER encoded 
  # certificates and other information see DESCRIPTION.  
  my %Chain = %{ buildchain(trustedCAdirs => \@CAdirs, 
                            suppliedcerts => \@certs, 
                               trustedCAs => \@CAcerts }) };

  # Convert OID string to DN Attribute e.g. '1.2.840.113549.1.9.1' => 'Email' (yes we do use Email here!)
  my $Attribkey=OIDtoDNattrib('1.2.840.113549.1.9.1');

  # Convert DN Attribute e.g. 'Email' to it's OID '1.2.840.113549.1.9.1' 
  my $Attribkey=DNattribToOID('1.2.840.113549.1.9.1'); #Note the Case change DNattribToOID not DNattribtoOID!


VOMS::Lite::CertKeyHelper is primarily for internal use.

buildchain:- Takes an array of directories conatining "hash.[0-9]+" encoded Certificates an array of a supplied certificate chain (1st ELEMENT ASSUMED TO BE LAST IN CHAIN), and an array of DER encoded CA certificates. Returns a hash of array references and scalars: The Arrays are ordered such that the first element is the leaf the next is its signer and so on to the last which will be the root certificate (if found). The return hash contains the following keys: Certs -- Reference to Array (chain) of certificates. IssuerHashes -- Reference to Array of OpenSSL style Name hash of Issuer SubjectHashes -- Reference to Array of OpenSSL style Name Hash SubjectKeyIdentifiers -- Reference to Array of Subject key identifiers AuthorityKeyIdentifiersSKIDs -- Reference to Array of Authority's Subject key identifiers DistinguishedNames -- Reference to Array: certificate N's Subject DN '/' seperated IssuerDistinguishedNames -- Reference to Array: certificate N's Issuer DN '/' seperated TrustedCA -- Reference to Array of whether certificate N is trusted i.e. there's a local copy SelfSignedInChain -- Scalar: True if there is a selfsigned certificate in the chain. GSIType -- Reference to Array of strings containing type of certificate certificate N is. EndEntityDN -- Scalar: DN of End entity certificate '/' seperated EndEntityIssuerDN -- Scalar: DN of EEC's Issuer '/' seperated EndEntityCert -- Scalar: End Entitie's DER encoded certificate Lifetimes -- Reference to Array of lifetimes Errors -- Reference to Array errors

  buildchain does do some rudementry certificate validation but 
  currently does not handle CRLs

x509rsasign:- return the ASN1 encoded signature of an MD5 string passed as first argument (as per RFC2313)

OIDtoDNattrib :- convert an OID to a DN string representation attribute type. Where OIDtoDNattrib is handed an OID it does not recognise it will return the OID. OIDtoDNattrib knows about: DN, UID, DC, Email, CN, SN, serialNumber, C, L, ST, street, title, postalAddress, postalCode, postOfficeBox, registeredAddress, OU, name, O, givenName, initials, locality, organization

DNattribToOID:- convert a DN string representation attribute type to an OID. Where DNattribToOID does not recognise an Attribute it will return undef. DNattribToOID knows the same attributes as OIDtoDNattrib and will also accept: commonName, serialNumber, countryName, localityName, stateOrProvinceName, organizationName, organizationalUnitName, emailAddress, UserID, and domainComponent.

Notes on DNs

The slash representation of a DN is a really bad way to express the contents of a certificate issuer or subject field. This implementation recognises only a handful of OIDs and, especially, translates 0.9.2342.19200300.100.1.1 into UID and 1.2.840.113549.1.9.1 into Email.


None by default.

The following functions can be imported: buildchain digestSign OIDtoDNattrib DNattribToOID.


Add CRL checking functionality to the verifychain internal function called by buildchain.



This module was originally designed for the SHEBANGS project at The University of Manchester.

http://www.mc.manchester.ac.uk/projects/shebangs/ now http://www.rcs.manchester.ac.uk/research/shebangs/

Mailing list, shebangs@listserv.manchester.ac.uk

Mailing list, voms-lite@listserv.manchester.ac.uk


Mike Jones <mike.jones@manchester.ac.uk>


Copyright (C) 2006 by Mike Jones

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.8.3 or, at your option, any later version of Perl 5 you may have available.

syntax highlighting: