VOMS::Lite::CertKeyHelper man page on Fedora


VOMS::Lite::CertKeyHelper(3)  User Contributed Perl Documentation  VOMS::Lite::CertKeyHelper(3)

NAME
       VOMS::Lite::CertKeyHelper - Perl extension for parsing DER encoded X509
       certificates for the VOMS::Lite module.

SYNOPSIS
	 use VOMS::Lite::CertKeyHelper qw (x509rsasign buildchain OIDtoDNattrib DNattribToOID);

	 # Call x509rsasign with three hex encoded arguments: Data, Exponent and Modulus.
	 $RSAhex=x509rsasign($Dhex,$chex,$nhex);

	 # Call buildchain to construct the chain of a certificate given any
	 # unverified supplied certs, trusted certs and directories containing
	 # certificates stored by hash name.
	 # The returned hash contains references to arrays with DER encoded
	 # certificates and other information; see DESCRIPTION.
	 my %Chain = %{ buildchain( { trustedCAdirs => \@CAdirs,
				      suppliedcerts => \@certs,
				      trustedCAs    => \@CAcerts } ) };

	 # Convert OID string to DN Attribute e.g. '1.2.840.113549.1.9.1' => 'Email' (yes we do use Email here!)
	 my $Attribkey=OIDtoDNattrib('1.2.840.113549.1.9.1');

	 # Convert DN Attribute e.g. 'Email' to its OID '1.2.840.113549.1.9.1'
	 my $OID=DNattribToOID('Email'); #Note the Case change DNattribToOID not DNattribtoOID!

DESCRIPTION
       VOMS::Lite::CertKeyHelper is primarily for internal use.

       buildchain:- Takes an array of directories containing "hash.[0-9]+"
       encoded certificates, an array of a supplied certificate chain (1st
       ELEMENT ASSUMED TO BE LAST IN CHAIN), and an array of DER encoded CA
       certificates.  Returns a hash of array references and scalars.  The
       arrays are ordered such that the first element is the leaf, the next
       is its signer and so on to the last, which will be the root
       certificate (if found).  The return hash contains the following keys:

         Certs                        -- Reference to Array (chain) of
                                         certificates
         IssuerHashes                 -- Reference to Array of OpenSSL style
                                         Name hash of Issuer
         SubjectHashes                -- Reference to Array of OpenSSL style
                                         Name Hash
         SubjectKeyIdentifiers        -- Reference to Array of Subject key
                                         identifiers
         AuthorityKeyIdentifiersSKIDs -- Reference to Array of Authority's
                                         Subject key identifiers
         DistinguishedNames           -- Reference to Array: certificate N's
                                         Subject DN, '/' separated
         IssuerDistinguishedNames     -- Reference to Array: certificate N's
                                         Issuer DN, '/' separated
         TrustedCA                    -- Reference to Array of whether
                                         certificate N is trusted, i.e.
                                         there's a local copy
         SelfSignedInChain            -- Scalar: True if there is a
                                         self-signed certificate in the chain
         GSIType                      -- Reference to Array of strings
                                         containing the type of certificate
                                         that certificate N is
         EndEntityDN                  -- Scalar: DN of End Entity
                                         certificate, '/' separated
         EndEntityIssuerDN            -- Scalar: DN of EEC's Issuer,
                                         '/' separated
         EndEntityCert                -- Scalar: End Entity's DER encoded
                                         certificate
         Lifetimes                    -- Reference to Array of lifetimes
         Errors                       -- Reference to Array of errors

       buildchain does some rudimentary certificate validation but
       currently does not handle CRLs.

       x509rsasign:- returns the ASN1 encoded signature of an MD5 string
       passed as first argument (as per RFC2313)

       OIDtoDNattrib :-	 convert an OID to a DN string representation
       attribute type.	Where OIDtoDNattrib is handed an OID it does not
       recognise it will return the OID.  OIDtoDNattrib knows about: DN, UID,
       DC, Email, CN, SN, serialNumber, C, L, ST, street, title,
       postalAddress, postalCode, postOfficeBox, registeredAddress, OU, name,
       O, givenName, initials, locality, organization

       DNattribToOID:- convert a DN string representation attribute type to an
       OID.  Where DNattribToOID does not recognise an Attribute it will
       return undef.  DNattribToOID knows the same attributes as OIDtoDNattrib
       and will also accept: commonName, serialNumber, countryName,
       localityName, stateOrProvinceName, organizationName,
       organizationalUnitName, emailAddress, UserID, and domainComponent.

       Notes on DNs

       The slash representation of a DN is a really bad way to express the
       contents of a certificate issuer or subject field.  This implementation
       recognises only a handful of OIDs and, especially, translates
       0.9.2342.19200300.100.1.1 into UID and 1.2.840.113549.1.9.1 into Email.
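
The loss of information behind this note, as an added Perl example (not part of VOMS::Lite). `slash_dn` is a hypothetical renderer that approximates the slash form with a small lookup of attribute types named on this page, `canonical_dn` is an assumed length-prefixed form used only for comparison, and the two subjects are constructed sample data.

```perl
#!/usr/bin/perl
# Added example (not VOMS::Lite code): why a '/'-separated DN string is lossy.
use strict;
use warnings;

# Hypothetical lookup covering a few attribute types named on this page.
my %OID2ATTR = (
    '2.5.4.3'                   => 'CN',
    '2.5.4.10'                  => 'O',
    '0.9.2342.19200300.100.1.1' => 'UID',
    '1.2.840.113549.1.9.1'      => 'Email',
);

# Render a list of [OID, value] pairs in slash form. Unknown OIDs pass
# through unchanged, matching the documented OIDtoDNattrib behaviour.
sub slash_dn {
    return join '', map {
        my ( $oid, $val ) = @$_;
        '/' . ( $OID2ATTR{$oid} // $oid ) . '=' . $val;
    } @_;
}

# Unambiguous form for comparison: every OID and value is length-prefixed,
# so separator characters inside a value cannot change the structure.
sub canonical_dn {
    return join '', map {
        my ( $oid, $val ) = @$_;
        sprintf '%d:%s%d:%s', length($oid), $oid, length($val), $val;
    } @_;
}

# Constructed sample subjects: two attributes, versus a single attribute
# whose value happens to contain the text "/CN=".
my @subject_a = ( [ '2.5.4.10', 'Example Grid' ], [ '2.5.4.3', 'alice' ] );
my @subject_b = ( [ '2.5.4.10', 'Example Grid/CN=alice' ] );

my $slash_same = slash_dn(@subject_a) eq slash_dn(@subject_b);
my $canon_same = canonical_dn(@subject_a) eq canonical_dn(@subject_b);

printf "slash A:     %s\n", slash_dn(@subject_a);
printf "slash B:     %s\n", slash_dn(@subject_b);
printf "slash equal: %s\n", $slash_same ? 'yes' : 'no';
printf "canon equal: %s\n", $canon_same ? 'yes' : 'no';
```

Code that authorizes on a DN should compare the parsed attribute list, not the rendered slash string.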

   EXPORT
       None by default.

       The following functions can be imported: buildchain digestSign
       OIDtoDNattrib DNattribToOID.

TO DO
       Add CRL checking functionality to the verifychain internal function
       called by buildchain.

SEE ALSO
       RFC3280

       This module was originally designed for the SHEBANGS project at The
       University of Manchester.

       http://www.mc.manchester.ac.uk/projects/shebangs/ now
       http://www.rcs.manchester.ac.uk/research/shebangs/

       Mailing list, shebangs@listserv.manchester.ac.uk

       Mailing list, voms-lite@listserv.manchester.ac.uk

AUTHOR
       Mike Jones <mike.jones@manchester.ac.uk>

COPYRIGHT AND LICENSE
       Copyright (C) 2006 by Mike Jones

       This library is free software; you can redistribute it and/or modify it
       under the same terms as Perl itself, either Perl version 5.8.3 or, at
       your option, any later version of Perl 5 you may have available.

perl v5.14.1			  2011-03-17	  VOMS::Lite::CertKeyHelper(3)