ca_mgm::CA Class Reference

Managing a CA repository. More...

#include <CA.hpp>

Public Member Functions

 CA (const std::string &caName, const std::string &caPasswd, const std::string &repos=REPOSITORY)
 
 ~CA ()
 
std::string createSubCA (const std::string &newCaName, const std::string &keyPasswd, const RequestGenerationData &caRequestData, const CertificateIssueData &caIssueData)
 
std::string createRequest (const std::string &keyPasswd, const RequestGenerationData &requestData, Type requestType)
 
std::string issueCertificate (const std::string &requestName, const CertificateIssueData &issueData, Type certType)
 
std::string createCertificate (const std::string &keyPasswd, const RequestGenerationData &requestData, const CertificateIssueData &certificateData, Type type)
 
void revokeCertificate (const std::string &certificateName, const CRLReason &crlReason=CRLReason())
 
void createCRL (const CRLGenerationData &crlData)
 
std::string importRequestData (const ca_mgm::ByteBuffer &request, FormatType formatType=E_PEM)
 
std::string importRequest (const std::string &requestFile, FormatType formatType=E_PEM)
 
CertificateIssueData getIssueDefaults (Type type)
 
RequestGenerationData getRequestDefaults (Type type)
 
CRLGenerationData getCRLDefaults ()
 
void setIssueDefaults (Type type, const CertificateIssueData &defaults)
 
void setRequestDefaults (Type type, const RequestGenerationData &defaults)
 
void setCRLDefaults (const CRLGenerationData &defaults)
 
std::vector< std::map< std::string, std::string > > getCertificateList ()
 
std::vector< std::map< std::string, std::string > > getRequestList ()
 
CertificateData getCA ()
 
RequestData getRequest (const std::string &requestName)
 
CertificateData getCertificate (const std::string &certificateName)
 
CRLData getCRL ()
 
ca_mgm::ByteBuffer exportCACert (FormatType exportType)
 
ca_mgm::ByteBuffer exportCAKeyAsPEM (const std::string &newPassword)
 
ca_mgm::ByteBuffer exportCAKeyAsDER ()
 
ca_mgm::ByteBuffer exportCAasPKCS12 (const std::string &p12Password, bool withChain=false)
 
ca_mgm::ByteBuffer exportCertificate (const std::string &certificateName, FormatType exportType)
 
ca_mgm::ByteBuffer exportCertificateKeyAsPEM (const std::string &certificateName, const std::string &keyPassword, const std::string &newPassword)
 
ca_mgm::ByteBuffer exportCertificateKeyAsDER (const std::string &certificateName, const std::string &keyPassword)
 
ca_mgm::ByteBuffer exportCertificateAsPKCS12 (const std::string &certificateName, const std::string &keyPassword, const std::string &p12Password, bool withChain=false)
 
ca_mgm::ByteBuffer exportCRL (FormatType exportType)
 
void deleteRequest (const std::string &requestName)
 
void deleteCertificate (const std::string &certificateName, bool requestToo=true)
 
void updateDB ()
 
bool verifyCertificate (const std::string &certificateName, bool crlCheck=true, const std::string &purpose=std::string("any"))
 
CAConfig* getConfig ()
 

Static Public Member Functions

static void createRootCA (const std::string &caName, const std::string &caPasswd, const RequestGenerationData &caRequestData, const CertificateIssueData &caIssueData, const std::string &repos=REPOSITORY)
 
static void importCA (const std::string &caName, const ca_mgm::ByteBuffer &caCertificate, const ca_mgm::ByteBuffer &caKey, const std::string &caPasswd=std::string(), const std::string &repos=REPOSITORY)
 
static std::vector< std::string > getCAList (const std::string &repos=REPOSITORY)
 
static std::list< std::vector< std::string > > getCATree (const std::string &repos=REPOSITORY)
 
static CertificateIssueData getRootCAIssueDefaults (const std::string &repos=REPOSITORY)
 
static RequestGenerationData getRootCARequestDefaults (const std::string &repos=REPOSITORY)
 
static void deleteCA (const std::string &caName, const std::string &caPasswd, bool force=false, const std::string &repos=REPOSITORY)
 

Private Member Functions

 CA ()
 
 CA (const CA &)
 
CA& operator= (const CA &)
 
void checkDNPolicy (const DNObject &dn, Type type)
 
std::string initConfigFile ()
 
void commitConfig2Template ()
 
void removeDefaultsFromConfig ()
 

Private Attributes

ca_mgm::RWCOW_pointer< CAImpl > m_impl
 

Detailed Description

Managing a CA repository.

This class provides methods for managing a CA repository. To learn how to use these methods and functions, have a look at the example page.

Constructor & Destructor Documentation

ca_mgm::CA::CA ( const std::string &  caName,
const std::string &  caPasswd,
const std::string &  repos = REPOSITORY 
)

Construct a CA object.

Parameters
caNamethe name of this CA.
caPasswdthe password of this CA.
reposdirectory path to the repository root
ca_mgm::CA::~CA ( )

Destructor of CA.

ca_mgm::CA::CA ( )
private
ca_mgm::CA::CA ( const CA & )
private

Member Function Documentation

void ca_mgm::CA::checkDNPolicy ( const DNObject &  dn,
Type  type 
)
private

Check whether the given DN matches the policy defined in the configuration file. On error this method throws exceptions.

Parameters
dnthe DN object
typethe Type of the certificate which should be signed
void ca_mgm::CA::commitConfig2Template ( )
private

Copy the config file to the template. On error this method throws exceptions.

std::string ca_mgm::CA::createCertificate ( const std::string &  keyPasswd,
const RequestGenerationData &  requestData,
const CertificateIssueData &  certificateData,
Type  type 
)

Create a certificate in the specified CA. On error this method throws exceptions.

Parameters
keyPasswdthe password for the private key
requestDatathe data for the request
certificateDatathe data of the certificate
typethe type of the certificate
Returns
the name of the certificate
void ca_mgm::CA::createCRL ( const CRLGenerationData &  crlData)

Create a new CRL with the specified data. On error this method throws exceptions.

Parameters
crlDatathe data for the new CRL
std::string ca_mgm::CA::createRequest ( const std::string &  keyPasswd,
const RequestGenerationData &  requestData,
Type  requestType 
)

Create a certificate request in the specified CA. On error this method throws exceptions.

Parameters
keyPasswdthe password for the private key
requestDatathe data for the request
requestTypethe type of the request
Returns
the name of the new request
static void ca_mgm::CA::createRootCA ( const std::string &  caName,
const std::string &  caPasswd,
const RequestGenerationData &  caRequestData,
const CertificateIssueData &  caIssueData,
const std::string &  repos = REPOSITORY 
)
static

Create a new self-signed root CA plus the whole needed infrastructure. On error this function throws exceptions.

Parameters
caNamethe name for this CA
caPasswdthe password for this CA
caRequestDatathe data for the request
caIssueData — the data for signing the CA
reposthe path to the repository root directory
std::string ca_mgm::CA::createSubCA ( const std::string &  newCaName,
const std::string &  keyPasswd,
const RequestGenerationData &  caRequestData,
const CertificateIssueData &  caIssueData 
)

Create a new sub CA together with the whole needed infrastructure. On error this method throws exceptions.

Parameters
newCaNamethe name for the new CA
keyPasswdthe password for the private key
caRequestDatadata for the request generation
caIssueDatathe required data to sign the request
Returns
The name of the certificate file
static void ca_mgm::CA::deleteCA ( const std::string &  caName,
const std::string &  caPasswd,
bool  force = false,
const std::string &  repos = REPOSITORY 
)
static

Delete a Certificate Authority infrastructure

Normally you can only delete a CA if the CA certificate is expired or you have never signed a certificate with this CA. In all other cases you have to set the force parameter to "true" if you really want to delete the CA and you know what you are doing. On error this function throws exceptions.

Parameters
caNamethe name of the CA to delete
caPasswdthe password of the CA
force — skip the checks described above and simply delete the CA
reposthe path to the repository root directory
void ca_mgm::CA::deleteCertificate ( const std::string &  certificateName,
bool  requestToo = true 
)

Delete the specified certificate together with the corresponding request and private key if requestToo is set to true. This function works only for revoked or expired certificates. On error this method throws exceptions.

Parameters
certificateNamethe certificate to delete
requestToo — if set to true, the request and key file are also deleted if they exist
void ca_mgm::CA::deleteRequest ( const std::string &  requestName)

Delete a request. This function also removes the private key if one is available. On error this method throws exceptions.

Parameters
requestNamethe name of the request
ca_mgm::ByteBuffer ca_mgm::CA::exportCAasPKCS12 ( const std::string &  p12Password,
bool  withChain = false 
)

Return the CA certificate in PKCS12 format. If withChain is true, all issuer certificates will be included. On error this method throws exceptions.

Parameters
p12Passwordthe password for the private key
withChain — set this to true if the certificate chain should be included, otherwise false
Returns
the data in PKCS12 format
ca_mgm::ByteBuffer ca_mgm::CA::exportCACert ( FormatType  exportType)

Return the CA certificate in PEM or DER format. On error this method throws exceptions.

Parameters
exportTypethe type in which the CA should be exported
Returns
this CA certificate
ca_mgm::ByteBuffer ca_mgm::CA::exportCAKeyAsDER ( )

Return the CA private key in DER format. The returned private key is unencrypted. On error this method throws exceptions.

Returns
the private key of the CA in DER format
ca_mgm::ByteBuffer ca_mgm::CA::exportCAKeyAsPEM ( const std::string &  newPassword)

Return the CA private key in PEM format. If a new password is given, the key is encrypted using newPassword. If newPassword is empty, the returned key is unencrypted. On error this method throws exceptions.

Parameters
newPassword — the password to encrypt the private key with. If newPassword is empty, the key is returned unencrypted.
Returns
the private key of the CA in PEM format
ca_mgm::ByteBuffer ca_mgm::CA::exportCertificate ( const std::string &  certificateName,
FormatType  exportType 
)

Return the specified certificate in PEM or DER format. On error this method throws exceptions.

Parameters
certificateNamethe name of the certificate
exportTypethe format in which the certificate should be exported
Returns
the certificate data
ca_mgm::ByteBuffer ca_mgm::CA::exportCertificateAsPKCS12 ( const std::string &  certificateName,
const std::string &  keyPassword,
const std::string &  p12Password,
bool  withChain = false 
)

Return the certificate in PKCS12 format. If withChain is true, all issuer certificates will be included. On error this method throws exceptions.

Parameters
certificateNamethe name of the certificate
keyPasswordthe current password of the key.
p12Passwordthe password for the private key
withChain — set this to true if the certificate chain should be included, otherwise false
Returns
the data in PKCS12 format
ca_mgm::ByteBuffer ca_mgm::CA::exportCertificateKeyAsDER ( const std::string &  certificateName,
const std::string &  keyPassword 
)

Return the certificate private key in DER format. The returned private key is unencrypted. On error this method throws exceptions.

Parameters
certificateNamethe name of the certificate
keyPasswordthe current password of the key.
Returns
the private key in DER format
ca_mgm::ByteBuffer ca_mgm::CA::exportCertificateKeyAsPEM ( const std::string &  certificateName,
const std::string &  keyPassword,
const std::string &  newPassword 
)

Return the certificate private key in PEM format. If a new password is given, the key is encrypted using newPassword. If newPassword is empty, the returned key is unencrypted. On error this method throws exceptions.

Parameters
certificateNamethe name of the certificate
keyPasswordthe current password of the key.
newPassword — the password to encrypt the private key with. If newPassword is empty, the key is returned unencrypted.
Returns
the private key of the certificate in PEM format
ca_mgm::ByteBuffer ca_mgm::CA::exportCRL ( FormatType  exportType)

Export the CRL of this CA in the requested format type. On error this method throws exceptions.

Parameters
exportTypethe format type
Returns
the CRL in the requested format
CertificateData ca_mgm::CA::getCA ( )

Parse this CA and return the data. On error this method throws exceptions.

Returns
the CA data
static std::vector<std::string> ca_mgm::CA::getCAList ( const std::string &  repos = REPOSITORY)
static

Get a list of available CAs. On error this function throws exceptions.

Parameters
reposthe path to the repository root directory
Returns
Array of std::strings of available CAs
static std::list<std::vector<std::string> > ca_mgm::CA::getCATree ( const std::string &  repos = REPOSITORY)
static

Return a table of the available CAs and their issuers. If a CA is self-signed, its issuer field is empty.

caName   | issuer caName
RootCA   | (empty, self-signed)
UserCA   | RootCA
IPSecCA  | UserCA

On error this function throws exceptions.

Parameters
reposthe path to the repository root directory
Returns
a list of lists of the available CAs
CertificateData ca_mgm::CA::getCertificate ( const std::string &  certificateName)

Parse a certificate and return the data. On error this method throws exceptions.

Parameters
certificateNamethe name of the certificate
Returns
the certificate data
std::vector<std::map<std::string, std::string> > ca_mgm::CA::getCertificateList ( )

Get an Array of maps with all certificates of the defined CA. On error this method throws exceptions.

Returns
a list of maps with all certificates in this CA. The map keys are:
  • certificate (the name of the certificate)
  • commonName
  • emailAddress
  • countryName
  • stateOrProvinceName
  • localityName
  • organizationName
  • organizationalUnitName
  • status (The status of the certificate: "valid", "revoked", "expired")
CAConfig* ca_mgm::CA::getConfig ( )

Return the current config object

Returns
the config object
CRLData ca_mgm::CA::getCRL ( )

Parse the current CRL of this CA and return the data. On error this method throws exceptions.

Returns
the CRL data
CRLGenerationData ca_mgm::CA::getCRLDefaults ( )

Get a CRLGenerationData object with current default settings for this CA. On error this method throws exceptions.

Returns
a CRLGenerationData object with the current defaults
CertificateIssueData ca_mgm::CA::getIssueDefaults ( Type  type)

Get a CertificateIssueData object with current signing default settings for this CA and the specific type. On error this method throws exceptions.

Parameters
typethe requested certificate type
Returns
a CertificateIssueData object with the current defaults
RequestData ca_mgm::CA::getRequest ( const std::string &  requestName)

Parse a request and return the data. On error this method throws exceptions.

Parameters
requestNamethe name of the Request
Returns
the request data
RequestGenerationData ca_mgm::CA::getRequestDefaults ( Type  type)

Get a RequestGenerationData object with current request default settings for this CA and the specific type. On error this method throws exceptions.

Parameters
typethe requested certificate type
Returns
a RequestGenerationData object with the current defaults
std::vector<std::map<std::string, std::string> > ca_mgm::CA::getRequestList ( )

Get an Array of maps with all requests of the defined CA. On error this method throws exceptions.

Returns
a list of maps with all requests in this CA. The map keys are:
  • request (the name of the request)
  • commonName
  • emailAddress
  • countryName
  • stateOrProvinceName
  • localityName
  • organizationName
  • organizationalUnitName
  • date
static CertificateIssueData ca_mgm::CA::getRootCAIssueDefaults ( const std::string &  repos = REPOSITORY)
static

Get a CertificateIssueData object with current signing default settings for a Root CA. On error this function throws exceptions.

Parameters
reposthe path to the repository root directory
Returns
a CertificateIssueData object with the current defaults
static RequestGenerationData ca_mgm::CA::getRootCARequestDefaults ( const std::string &  repos = REPOSITORY)
static

Get a RequestGenerationData object with current request default settings for a Root CA. On error this function throws exceptions.

Parameters
reposthe path to the repository root directory
Returns
a RequestGenerationData object with the current defaults
static void ca_mgm::CA::importCA ( const std::string &  caName,
const ca_mgm::ByteBuffer &  caCertificate,
const ca_mgm::ByteBuffer &  caKey,
const std::string &  caPasswd = std::string(),
const std::string &  repos = REPOSITORY 
)
static

Import a CA certificate and private key and create the infrastructure. On error this function throws exceptions.

Parameters
caNamethe name of the CA
caCertificatethe CA certificate data in PEM format
caKeythe private key in PEM format
caPasswd — the password of the private key, or a new password for it if the key is unencrypted
reposthe path to the repository root directory
std::string ca_mgm::CA::importRequest ( const std::string &  requestFile,
FormatType  formatType = E_PEM 
)

Import a request into a CA repository. On error this method throws exceptions.

Parameters
requestFilethe request file
formatTypethe input format type
Returns
the name of the request
std::string ca_mgm::CA::importRequestData ( const ca_mgm::ByteBuffer &  request,
FormatType  formatType = E_PEM 
)

Import a request into a CA repository. On error this method throws exceptions.

Parameters
requestthe request data
formatTypethe input format type
Returns
the name of the request
std::string ca_mgm::CA::initConfigFile ( )
private

Initialize the config file. On error this method throws exceptions.

Copy the template to a configfile and create the config object

Returns
the name of the config file
std::string ca_mgm::CA::issueCertificate ( const std::string &  requestName,
const CertificateIssueData &  issueData,
Type  certType 
)

Issue a certificate in the specified CA. On error this method throws exceptions.

Parameters
requestName — the name of the request which should be signed
issueDatathe issuing data
certTypethe type of the certificate
Returns
the name of the certificate
CA& ca_mgm::CA::operator= ( const CA & )
private
void ca_mgm::CA::removeDefaultsFromConfig ( )
private

Remove the _default values from the config file.

void ca_mgm::CA::revokeCertificate ( const std::string &  certificateName,
const CRLReason &  crlReason = CRLReason() 
)

Revoke a certificate. On error this method throws exceptions.

Note
This function does not create a new CRL.
Parameters
certificateNamethe name of the certificate to revoke
crlReasona crlReason object which describes the reason why this certificate is revoked.
void ca_mgm::CA::setCRLDefaults ( const CRLGenerationData &  defaults)

Set the CRL defaults for this CA. On error this method throws exceptions.

Parameters
defaultsthe new CRL defaults
void ca_mgm::CA::setIssueDefaults ( Type  type,
const CertificateIssueData &  defaults 
)

Set the signing defaults for this CA and the specified certificate type. On error this method throws exceptions.

Parameters
typethe requested certificate type
defaultsthe new certificate defaults
void ca_mgm::CA::setRequestDefaults ( Type  type,
const RequestGenerationData &  defaults 
)

Set the request defaults for this CA and the specified certificate type. On error this method throws exceptions.

Parameters
typethe requested certificate type
defaultsthe new certificate defaults
void ca_mgm::CA::updateDB ( )

Update the internal openssl database. On error this method throws exceptions.

bool ca_mgm::CA::verifyCertificate ( const std::string &  certificateName,
bool  crlCheck = true,
const std::string &  purpose = std::string("any") 
)

Verify a certificate. On error this method throws exceptions.

Parameters
certificateNamethe name of the certificate
crlCheck — also verify the certificate against the CRLs (revocation check)
purpose — check for a specific certificate purpose. Valid purpose strings are:
  • sslclient
  • sslserver
  • nssslserver
  • smimesign
  • smimeencrypt
  • crlsign
  • ocsphelper
  • any (default)
Returns
true if the certificate is valid, otherwise false.

Member Data Documentation

ca_mgm::RWCOW_pointer<CAImpl> ca_mgm::CA::m_impl
private
