CryptoSys PKI  23.0.0
dipki::X509 Class Reference

X.509 Certificate Functions.

Public Types

enum CertOptions : unsigned int
 Options to create X.509 certificate [BitFlags].

enum CrlOptions : unsigned int
 Options to create Certificate Revocation List (CRL) [BitFlags].

enum CsrOptions : unsigned int
 Options to create PKCS#10 certificate signing request (CSR) [BitFlags].

enum class HashAlg
 Digest algorithms for hashes.

enum KeyUsageOptions : unsigned int
 Options for key usage in certificate [BitFlags].

enum OutputOpts : unsigned int
 Options to format or re-encode output [BitFlags].

enum class SigAlg
 Signature algorithm.

Static Public Member Functions

static bool CertIsRevoked (const std::string &certFile, const std::string &crlFile, const std::string &issuerCert="", const std::string &dateStr="")
 Check whether an X.509 certificate has been revoked in a given Certificate Revocation List (CRL).

static bool CertIsValidNow (const std::string &certFile)
 Verify that an X.509 certificate is currently valid as per system clock.

static bool CertIsVerified (const std::string &certFile, const std::string &issuerCert)
 Verify that an X.509 certificate has been signed by its issuer.

static bool CertPathIsValid (const std::string &certListOrP7File, const std::string &trustedCert="", bool noTimeCheck=false)
 Validate a certificate path.

static int CertRequest (const std::string &newFile, const std::string &priKeyFile, const std::string &password, const std::string distName, const std::string extns="", SigAlg sigAlg=SigAlg::Default, CsrOptions opts=CsrOptions::Default_CsrOpt)
 Create a PKCS #10 certificate signing request (CSR).

static std::string CertThumb (const std::string &certFile, HashAlg hashAlg=HashAlg::Sha1)
 Calculate the thumbprint (message digest hash) of an X.509 certificate.

static int GetCertCountInP7Chain (const std::string &inputFile)
 Return number of certificates in a PKCS-7 "certs-only" certificate chain file.

static bool GetCertFromP7Chain (const std::string &outputFile, const std::string &inputFile, int index)
 Extract an X.509 certificate from a PKCS-7 "certs-only" certificate chain file, saving the output directly as a new file.

static bool GetCertFromPFX (const std::string &outputFile, const std::string &inputFile, const std::string &password)
 Extract an X.509 certificate from a PKCS-12 PFX/.p12 file, saving the output directly as a new file.

static bool GetP7ChainFromPFX (const std::string &outputFile, const std::string &inputFile, const std::string &password)
 Extract all X.509 certificates from a PKCS-12 PFX/.p12 file, saving the output directly as a new PKCS-7 "certs-only" certificate chain file.

static std::string HashIssuerAndSN (const std::string &certFile, HashAlg hashAlg=HashAlg::Sha1)
 Return the hash of the issuer and serial number.

static int MakeCert (const std::string &newCertFile, const std::string &issuerCert, const std::string &subjectPubKeyFile, const std::string &issuerPriKeyFile, const std::string &password, int certNum, int yearsValid, const std::string distName, const std::string extns="", KeyUsageOptions keyUsageOptions=KeyUsageOptions::NoKeyUsageOption, SigAlg sigAlg=SigAlg::Default, CertOptions opts=CertOptions::Default_CertOpt)
 Create an X.509 certificate using subject's public key and issuer's private key.

static int MakeCertSelf (const std::string &newCertFile, const std::string &priKeyFile, const std::string &password, int certNum, int yearsValid, const std::string distName, const std::string extns="", KeyUsageOptions keyUsageOptions=KeyUsageOptions::NoKeyUsageOption, SigAlg sigAlg=SigAlg::Default, CertOptions opts=CertOptions::Default_CertOpt)
 Create a self-signed X.509 certificate.

static int MakeCRL (const std::string &newFile, const std::string &issuerCert, const std::string &priKeyFile, const std::string &password, const std::string revokedCertList, const std::string extns="", SigAlg sigAlg=SigAlg::Default, CrlOptions opts=CrlOptions::Default_CrlOpt)
 Create an X.509 Certificate Revocation List (CRL).

static std::string QueryCert (const std::string &certFile, const std::string &query, OutputOpts outOpts=OutputOpts::Default_OutputOpt)
 Query an X.509 certificate file for selected information.

static std::string ReadCertStringFromP7Chain (const std::string &inputFile, int index)
 Read an X.509 certificate into a base64 string from a PKCS-7 "certs-only" certificate chain file.

static std::string ReadCertStringFromPFX (const std::string &inputFile, const std::string &password)
 Read an X.509 certificate into a base64 string from PKCS-12 PFX/.p12 data.

static std::string ReadStringFromFile (const std::string &certFile)
 Read an X.509 certificate into its base64 string representation.

static int SaveFileFromString (const std::string &newCertFile, const std::string &certString, bool inPEMFormat=false)
 Create an X.509 certificate file from its base64 string representation.

static std::string TextDumpToString (const std::string &certFile, OutputOpts outOpts=OutputOpts::Default_OutputOpt)
 Dump details of an X.509 certificate, an X.509 certificate revocation list (CRL) or a PKCS-10 certificate signing request (CSR) to a string.


Detailed Description

X.509 Certificate Functions.

Create, analyze, extract and reformat X.509 certificates.

Member Enumeration Documentation

◆ CertOptions

enum dipki::X509::CertOptions : unsigned int

Options to create X.509 certificate [BitFlags].

Enumerator
Default_CertOpt 

Use default options.

FormatPem 

Create in PEM-encoded text file [default = binary DER-encoded].

UTF8String 

Encode distinguished name as UTF8String [default = PrintableString].

NoBasicConstraints 

Disable the BasicConstraints extension [default = include].

SetAsCA 

Set the BasicConstraints subject type to be a CA [default = End Entity].

VersionOne 

Create a Version 1 certificate; that is, no extensions [default = Version 3].

AuthKeyId 

Add the issuer's KeyIdentifier, if present, as an AuthorityKeyIdentifier [default = do not add].

Pss_SaltLenZero 

Use a zero-length salt in an RSA-PSS signature [default = hLen the length of the digest output].

Ecdsa_Deterministic 

Use the deterministic digital signature generation procedure of RFC6979 for an ECDSA signature.

◆ CrlOptions

enum dipki::X509::CrlOptions : unsigned int

Options to create Certificate Revocation List (CRL) [BitFlags].

Enumerator
Default_CrlOpt 

Use default options.

FormatPem_Crl 

Create in binary format [default = PEM-encoded text file].

Pss_SaltLenZero_Crl 

Use a zero-length salt in an RSA-PSS signature [default = hLen the length of the digest output].

Ecdsa_Deterministic_Crl 

Use the deterministic digital signature generation procedure of RFC6979 for an ECDSA signature.

◆ CsrOptions

enum dipki::X509::CsrOptions : unsigned int

Options to create PKCS#10 certificate signing request (CSR) [BitFlags].

Enumerator
Default_CsrOpt 

Use default options.

FormatBinary_Csr 

Create in binary format [default = PEM-encoded text file].

UTF8String_Csr 

Encode distinguished name as UTF8String [default = PrintableString].

RequestKludge 

Create a request with the "kludge" that omits the strictly mandatory attributes completely [default = include attributes with zero-length field].

Pss_SaltLenZero_Csr 

Use a zero-length salt in an RSA-PSS signature [default = hLen the length of the digest output].

Ecdsa_Deterministic_Csr 

Use the deterministic digital signature generation procedure of RFC6979 for an ECDSA signature.

◆ HashAlg

enum class dipki::X509::HashAlg

Digest algorithms for hashes.

Enumerator
Default 

Use default hash algorithm [SHA-1].

Sha1 

SHA-1 (default)

Sha224 

SHA-224.

Sha256 

SHA-256.

Sha384 

SHA-384.

Sha512 

SHA-512.

Md5 

MD5 [legacy, not recommended].

◆ KeyUsageOptions

enum dipki::X509::KeyUsageOptions : unsigned int

Options for key usage in certificate [BitFlags].

Remarks
Reference: RFC5280 s4.2.1.3 Key Usage.
Use the bitwise OR operator | to combine options. Example:
dipki::X509::KeyUsageOptions kuo = dipki::X509::KeyUsageOptions::DigitalSignature | dipki::X509::KeyUsageOptions::NonRepudiation;
// Key Usage[!]:
// digitalSignature,nonRepudiation
Enumerator
NoKeyUsageOption 

Key usage extension is not included.

DigitalSignature 

subject public key is used for verifying digital signatures

NonRepudiation 

subject public key is used to verify digital signatures used to provide a non-repudiation service

KeyEncipherment 

subject public key is used for enciphering private or secret keys, i.e., for key transport

DataEncipherment 

subject public key is used for directly enciphering raw user data (uncommon)

KeyAgreement 

subject public key is used for key agreement

KeyCertSign 

subject public key is used for verifying signatures on public key certificates

CrlSign 

subject public key is used for verifying signatures on certificate revocation lists

EncipherOnly 

subject public key may be used only for enciphering data while performing key agreement (only if keyAgreement bit is also set)

DecipherOnly 

subject public key may be used only for deciphering data while performing key agreement (only if keyAgreement bit is also set)
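The bit-flag combination shown in the Remarks above, and the keyUsageString text that X509::QueryCert returns for such a combination, can be worked through without the library. The following is an added example, not part of the CryptoSys PKI documentation or library: it defines flags named after the enumerators above (the bit positions follow the RFC 5280 KeyUsage bit order and are an assumption; the values in dipki.hpp may differ), renders and parses the comma-separated keyUsageString text, and applies two RFC 5280 consistency rules that are worth checking before a flag set is passed to MakeCert or MakeCertSelf: encipherOnly/decipherOnly need keyAgreement, and keyCertSign needs a CA certificate (CertOptions::SetAsCA on creation, "isCA" = "1" on query).

```cpp
#include <sstream>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Flags named after the KeyUsageOptions enumerators. Bit positions are an assumption
// for this example (RFC 5280 KeyUsage bit order); the values in dipki.hpp may differ.
enum KeyUsage : unsigned int {
    NoKeyUsage       = 0,
    DigitalSignature = 1u << 0,
    NonRepudiation   = 1u << 1,
    KeyEncipherment  = 1u << 2,
    DataEncipherment = 1u << 3,
    KeyAgreement     = 1u << 4,
    KeyCertSign      = 1u << 5,
    CrlSign          = 1u << 6,
    EncipherOnly     = 1u << 7,
    DecipherOnly     = 1u << 8,
};

// Token names as they appear in keyUsageString text, in RFC 5280 bit order
// (the RFC spelling "cRLSign" is assumed for the CRL-signing bit).
static const std::vector<std::pair<unsigned int, std::string>> kUsageNames = {
    {DigitalSignature, "digitalSignature"}, {NonRepudiation, "nonRepudiation"},
    {KeyEncipherment, "keyEncipherment"},   {DataEncipherment, "dataEncipherment"},
    {KeyAgreement, "keyAgreement"},         {KeyCertSign, "keyCertSign"},
    {CrlSign, "cRLSign"},                   {EncipherOnly, "encipherOnly"},
    {DecipherOnly, "decipherOnly"},
};

// Render a flag set as comma-separated text, e.g. "digitalSignature,nonRepudiation".
std::string keyUsageToString(unsigned int flags) {
    std::string out;
    for (const auto& kv : kUsageNames) {
        if (flags & kv.first) {
            if (!out.empty()) out += ',';
            out += kv.second;
        }
    }
    return out;
}

// Parse keyUsageString text back into flags. An unknown token is an error rather
// than silently ignored, so a typo cannot turn into a weaker usage set.
unsigned int keyUsageFromString(const std::string& text) {
    unsigned int flags = NoKeyUsage;
    std::istringstream in(text);
    std::string token;
    while (std::getline(in, token, ',')) {
        size_t b = token.find_first_not_of(" \t"), e = token.find_last_not_of(" \t");
        if (b == std::string::npos) continue;          // empty token between commas
        token = token.substr(b, e - b + 1);
        bool known = false;
        for (const auto& kv : kUsageNames)
            if (kv.second == token) { flags |= kv.first; known = true; break; }
        if (!known) throw std::invalid_argument("unknown keyUsage token: " + token);
    }
    return flags;
}

// RFC 5280 s4.2.1.3 consistency rules. Returns "" when the combination is
// consistent, otherwise the reason it should not be issued as given.
std::string checkKeyUsage(unsigned int flags, bool isCA) {
    if ((flags & (EncipherOnly | DecipherOnly)) && !(flags & KeyAgreement))
        return "encipherOnly/decipherOnly are only meaningful with keyAgreement";
    if ((flags & KeyCertSign) && !isCA)
        return "keyCertSign requires the cA bit in BasicConstraints (SetAsCA)";
    return "";
}

int main() {
    unsigned int kuo = DigitalSignature | NonRepudiation;   // as in the Remarks above
    std::string text = keyUsageToString(kuo);                // "digitalSignature,nonRepudiation"
    std::string problem = checkKeyUsage(EncipherOnly, false);
    return (text == "digitalSignature,nonRepudiation" && !problem.empty()) ? 0 : 1;
}
```

keyUsageFromString is the direction a verifier needs: feed it the result of QueryCert(certFile, "keyUsageString") and compare the flags against what the application requires, instead of matching substrings in the text.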

◆ OutputOpts

enum dipki::X509::OutputOpts : unsigned int

Options to format or re-encode output [BitFlags].

Enumerator
Default_OutputOpt 

Use default options.

Latin1 

Output with Unicode or UTF-8 string re-encoded as Latin-1, if possible.

UTF8 

Output distinguished name encoded in UTF-8.

Ldap 

Output distinguished name in LDAP string representation.

Decimal 

Output serial number in decimal format [default = hex].

◆ SigAlg

enum class dipki::X509::SigAlg

Signature algorithm.

Enumerator
Default 

Use default signature algorithm [rsa-sha1/sha1WithRSAEncryption].

Rsa_Sha1 

Use sha1WithRSAEncryption (rsa-sha1) signature algorithm [default - CAUTION]

Rsa_Sha224 

Use sha224WithRSAEncryption (rsa-sha224) signature algorithm

Rsa_Sha256 

Use sha256WithRSAEncryption (rsa-sha256) signature algorithm [minimum recommended].

Rsa_Sha384 

Use sha384WithRSAEncryption (rsa-sha384) signature algorithm.

Rsa_Sha512 

Use sha512WithRSAEncryption (rsa-sha512) signature algorithm.

Rsa_Md5 

Use md5WithRSAEncryption (rsa-md5) signature algorithm [legacy, not recommended]

Rsa_Pss_Sha1 

Use RSA-PSS signature algorithm with SHA-1.

Rsa_Pss_Sha224 

Use RSA-PSS signature algorithm with SHA-224.

Rsa_Pss_Sha256 

Use RSA-PSS signature algorithm with SHA-256.

Rsa_Pss_Sha384 

Use RSA-PSS signature algorithm with SHA-384.

Rsa_Pss_Sha512 

Use RSA-PSS signature algorithm with SHA-512.

Ecdsa_Sha1 

Use ecdsaWithSHA1 (ecdsa-sha1) signature algorithm

Ecdsa_Sha224 

Use ecdsaWithSHA224 (ecdsa-sha224) signature algorithm

Ecdsa_Sha256 

Use ecdsaWithSHA256 (ecdsa-sha256) signature algorithm

Ecdsa_Sha384 

Use ecdsaWithSHA384 (ecdsa-sha384) signature algorithm

Ecdsa_Sha512 

Use ecdsaWithSHA512 (ecdsa-sha512) signature algorithm

Ed25519 

Use Ed25519 signature algorithm [RFC8032].

Ed448 

Use Ed448 signature algorithm [RFC8032]

Member Function Documentation

◆ CertIsRevoked()

static bool dipki::X509::CertIsRevoked(const std::string& certFile,
                                       const std::string& crlFile,
                                       const std::string& issuerCert = "",
                                       const std::string& dateStr = "")

Check whether an X.509 certificate has been revoked in a given Certificate Revocation List (CRL).

Parameters
certFile: Name of certificate file (or a string with its base64 or PEM representation).
crlFile: Name of CRL file, or a string containing its PEM textual representation.
issuerCert: (optional) Name of X.509 certificate file for the entity that issued the CRL (or its base64 or PEM representation).
dateStr: (optional) Date in ISO format (yyyy-mm-dd[Thh[:nn:ss]][Z]) on or after which you wish to check for revocation. Leave empty "" for any date. The time must be in GMT (UTC, Zulu time).
Returns
true if certificate has been revoked, false if not found in the revoked list.
Exceptions
std::runtime_error: Exception with error code if an input certificate is invalid.

◆ CertIsValidNow()

static bool dipki::X509::CertIsValidNow(const std::string& certFile)

Verify that an X.509 certificate is currently valid as per system clock.

Parameters
certFile: Filename of certificate (or a string with its base64 or PEM representation).
Returns
true if certificate is currently valid, otherwise false.
Exceptions
std::runtime_error: Exception with error code if certificate is invalid.

◆ CertIsVerified()

static bool dipki::X509::CertIsVerified(const std::string& certFile,
                                        const std::string& issuerCert)

Verify that an X.509 certificate has been signed by its issuer.

Parameters
certFile: Filename of certificate (or CRL or CSR) to verify, or a string containing its PEM textual representation.
issuerCert: Filename of purported issuer's certificate, or a string containing its PEM textual representation. Leave empty "" for a PKCS#10 CSR.
Returns
true if the certificate's signature is verified, or false if the verification fails.
Exceptions
std::runtime_error: Exception with error code if input is invalid X.509.

◆ CertPathIsValid()

static bool dipki::X509::CertPathIsValid(const std::string& certListOrP7File,
                                         const std::string& trustedCert = "",
                                         bool noTimeCheck = false)

Validate a certificate path.

Parameters
certListOrP7File: Either a list of certificate filenames (or base64 representations) separated by a semicolon, or the name of a PKCS-7 "certs-only" file containing the certificates to be validated (or a string containing its PEM textual representation).
trustedCert: Name of the trusted certificate (or its base64 representation). Required unless the self-signed trust anchor is included in the list.
noTimeCheck: Set true to avoid checking if the certificates are valid now [default = check validity dates against system clock].
Returns
true if the certification path is valid, false if path is invalid.
Exceptions
std::runtime_error: Exception with error code if an input certificate is invalid.
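The four checks above (CertIsVerified, CertIsValidNow, CertIsRevoked, CertPathIsValid) are normally run together before a certificate is trusted, and each can also throw std::runtime_error on malformed input. The following is an added example, not code from the CryptoSys PKI library: a fail-closed routine that runs the checks in a fixed order and treats the exception as a rejection rather than letting it escape as an unhandled error. The checks are injected as callables with the same shapes as the static functions documented here, so the routine can be exercised with constructed stand-ins (makeStandInChecks and the file names it matches on are constructed for this example); makeDipkiChecks shows the binding to dipki::X509 and is compiled only when HAVE_DIPKI, a macro name chosen for this example, is defined.

```cpp
#include <functional>
#include <stdexcept>
#include <string>

// The checks the routine needs, as callables shaped like the dipki::X509 static
// functions. Injecting them keeps the policy testable without real certificates.
struct CertChecks {
    std::function<bool(const std::string&, const std::string&)> isVerified;                     // CertIsVerified(cert, issuer)
    std::function<bool(const std::string&)> isValidNow;                                         // CertIsValidNow(cert)
    std::function<bool(const std::string&, const std::string&, const std::string&)> isRevoked;  // CertIsRevoked(cert, crl, issuer)
    std::function<bool(const std::string&, const std::string&)> pathIsValid;                    // CertPathIsValid(chain, trusted)
};

enum class Verdict { Accepted, BadSignature, Expired, Revoked, BadPath, InvalidInput };

// Fail-closed validation: signature first (an unsigned blob tells us nothing else),
// then validity dates, then revocation against the issuer's CRL (passing the issuer
// so the CRL's own signature can be checked), then the full path to the trust anchor.
// A std::runtime_error from any check means malformed input and is a rejection.
Verdict validateCertificate(const CertChecks& c, const std::string& certFile,
                            const std::string& issuerCert, const std::string& crlFile,
                            const std::string& chainFile, const std::string& trustedCert) {
    try {
        if (!c.isVerified(certFile, issuerCert))        return Verdict::BadSignature;
        if (!c.isValidNow(certFile))                     return Verdict::Expired;
        if (c.isRevoked(certFile, crlFile, issuerCert))  return Verdict::Revoked;
        if (!c.pathIsValid(chainFile, trustedCert))      return Verdict::BadPath;
        return Verdict::Accepted;
    } catch (const std::runtime_error&) {
        return Verdict::InvalidInput;
    }
}

#ifdef HAVE_DIPKI   // macro name chosen for this example
#include "dipki.hpp"
// Binding to the library's static functions (only compiled with the library present).
CertChecks makeDipkiChecks() {
    CertChecks c;
    c.isVerified  = [](const std::string& cert, const std::string& issuer) { return dipki::X509::CertIsVerified(cert, issuer); };
    c.isValidNow  = [](const std::string& cert) { return dipki::X509::CertIsValidNow(cert); };
    c.isRevoked   = [](const std::string& cert, const std::string& crl, const std::string& issuer) { return dipki::X509::CertIsRevoked(cert, crl, issuer); };
    c.pathIsValid = [](const std::string& chain, const std::string& trusted) { return dipki::X509::CertPathIsValid(chain, trusted); };
    return c;
}
#endif

// Constructed stand-ins that answer from the file name, so every branch of the
// policy can be exercised without real certificates. Not the library's behaviour.
CertChecks makeStandInChecks() {
    CertChecks c;
    c.isVerified = [](const std::string& cert, const std::string&) {
        if (cert.find("garbage") != std::string::npos) throw std::runtime_error("invalid X.509");
        return cert.find("badsig") == std::string::npos;
    };
    c.isValidNow  = [](const std::string& cert) { return cert.find("expired") == std::string::npos; };
    c.isRevoked   = [](const std::string& cert, const std::string&, const std::string&) { return cert.find("revoked") != std::string::npos; };
    c.pathIsValid = [](const std::string& chain, const std::string&) { return chain.find("broken") == std::string::npos; };
    return c;
}

int main() {
    Verdict v = validateCertificate(makeStandInChecks(), "alice.cer", "ca.cer", "ca.crl", "chain.p7c", "root.cer");
    return v == Verdict::Accepted ? 0 : 1;
}
```

The order matters for what the result tells you: a certificate whose signature does not verify should not be reported as merely "expired", and a caller that only logs the verdict should never see an exception turned into a default-true path.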

◆ CertRequest()

static int dipki::X509::CertRequest(const std::string& newFile,
                                    const std::string& priKeyFile,
                                    const std::string& password,
                                    const std::string distName,
                                    const std::string extns = "",
                                    SigAlg sigAlg = SigAlg::Default,
                                    CsrOptions opts = CsrOptions::Default_CsrOpt)

Create a PKCS #10 certificate signing request (CSR).

Parameters
newFile: Name of new file to be created.
priKeyFile: File containing issuer's private key data, or a string containing its PEM textual representation.
password: Password for issuer's encrypted private key file. Specify the empty string "" if key not encrypted.
distName: Distinguished name string. See Distinguished Names in the main manual.
extns: Extensions: a list of attribute-value pairs separated by semicolons (;). See X.509 Extensions Parameter in the main manual.
sigAlg: Signature algorithm to use when signing [default=rsa-sha1].
opts: Option flags.
Returns
Zero if successful.

◆ CertThumb()

static std::string dipki::X509::CertThumb(const std::string& certFile,
                                          HashAlg hashAlg = HashAlg::Sha1)

Calculate the thumbprint (message digest hash) of an X.509 certificate.

Parameters
certFile: Filename of certificate file (or a string with its base64 or PEM representation).
hashAlg: Hash algorithm [default=SHA-1].
Returns
String containing the message digest in hexadecimal format.

◆ GetCertCountInP7Chain()

static int dipki::X509::GetCertCountInP7Chain(const std::string& inputFile)

Return number of certificates in a PKCS-7 "certs-only" certificate chain file.

Parameters
inputFile: Name of the PKCS-7 "certs-only" file, or a string containing its PEM textual representation.
Returns
Number of X.509 certificates found or a negative error code.

◆ GetCertFromP7Chain()

static bool dipki::X509::GetCertFromP7Chain(const std::string& outputFile,
                                            const std::string& inputFile,
                                            int index)

Extract an X.509 certificate from a PKCS-7 "certs-only" certificate chain file, saving the output directly as a new file.

Parameters
outputFile: Name of output file to be created.
inputFile: Name of the PKCS-7 "certs-only" file, or a string containing its PEM textual representation.
index: Specifies which certificate (1,2,...) in the chain to extract.
Returns
true if successful or false if no certificate found at the given index.
Remarks
To find the number of certificates in the chain, use X509::GetCertCountInP7Chain.

◆ GetCertFromPFX()

static bool dipki::X509::GetCertFromPFX(const std::string& outputFile,
                                        const std::string& inputFile,
                                        const std::string& password)

Extract an X.509 certificate from a PKCS-12 PFX/.p12 file, saving the output directly as a new file.

Parameters
outputFile: Name of output file to be created.
inputFile: Name of the PKCS-12 file, or a string containing its PEM textual representation.
password: Password or "" if not encrypted.
Returns
true if successful.
Remarks
This will attempt to find a matching certificate for any private key, otherwise it will save the first pkcs-12-certBag found in the PFX file containing an x509Certificate object. Only weak 40-bit RC2 encryption is supported for the certificate.

◆ GetP7ChainFromPFX()

static bool dipki::X509::GetP7ChainFromPFX(const std::string& outputFile,
                                           const std::string& inputFile,
                                           const std::string& password)

Extract all X.509 certificates from a PKCS-12 PFX/.p12 file, saving the output directly as a new PKCS-7 "certs-only" certificate chain file.

Parameters
outputFile: Name of output file to be created.
inputFile: Name of the PKCS-12 file, or a string containing its PEM textual representation.
password: Password or "" if not encrypted.
Returns
true if successful.
Remarks
Only weak 40-bit RC2 encryption is supported for the certificate.

◆ HashIssuerAndSN()

static std::string dipki::X509::HashIssuerAndSN(const std::string& certFile,
                                                HashAlg hashAlg = HashAlg::Sha1)

Return the hash of the issuer and serial number.

Parameters
certFile: Filename of certificate file (or a string with its base64 or PEM representation).
hashAlg: Hash algorithm [default=SHA-1].
Returns
String containing the message digest in hexadecimal format.
Remarks
This should give a unique identifier for any certificate.

◆ MakeCert()

static int dipki::X509::MakeCert(const std::string& newCertFile,
                                 const std::string& issuerCert,
                                 const std::string& subjectPubKeyFile,
                                 const std::string& issuerPriKeyFile,
                                 const std::string& password,
                                 int certNum,
                                 int yearsValid,
                                 const std::string distName,
                                 const std::string extns = "",
                                 KeyUsageOptions keyUsageOptions = KeyUsageOptions::NoKeyUsageOption,
                                 SigAlg sigAlg = SigAlg::Default,
                                 CertOptions opts = CertOptions::Default_CertOpt)

Create an X.509 certificate using subject's public key and issuer's private key.

Parameters
newCertFile: Name of new certificate file to be created.
issuerCert: Name of issuer's certificate file (or its base64 or PEM representation).
subjectPubKeyFile: Name of subject's public key file or a PEM string containing the key.
issuerPriKeyFile: Name of issuer's private key file (encrypted or unencrypted) or a PEM string containing the key.
password: Password for issuer's encrypted private key file. Specify the empty string "" if key not encrypted.
certNum: Serial number for new certificate. Ignored if serialNumber is set in the extns parameter.
yearsValid: Number of years certificate is to be valid from current date and hour (can be changed using notBefore and notAfter in the extns parameter).
distName: Distinguished name string. See Distinguished Names in the main manual.
extns: Extensions: a list of attribute-value pairs separated by semicolons (;). See X.509 Extensions Parameter in the main manual.
keyUsageOptions: Bit flags to set Key Usage extension.
sigAlg: Signature algorithm to use when signing [default=rsa-sha1].
opts: Option flags.
Returns
Zero if successful.

◆ MakeCertSelf()

static int dipki::X509::MakeCertSelf(const std::string& newCertFile,
                                     const std::string& priKeyFile,
                                     const std::string& password,
                                     int certNum,
                                     int yearsValid,
                                     const std::string distName,
                                     const std::string extns = "",
                                     KeyUsageOptions keyUsageOptions = KeyUsageOptions::NoKeyUsageOption,
                                     SigAlg sigAlg = SigAlg::Default,
                                     CertOptions opts = CertOptions::Default_CertOpt)

Create a self-signed X.509 certificate.

Parameters
newCertFile: Name of new certificate file to be created.
priKeyFile: File containing issuer's private key data, or a string containing its PEM textual representation.
password: Password for issuer's encrypted private key file. Specify the empty string "" if key not encrypted.
certNum: Serial number for new certificate. Ignored if serialNumber is set in the extns parameter.
yearsValid: Number of years certificate is to be valid from current date and hour (can be changed using notBefore and notAfter in the extns parameter).
distName: Distinguished name string. See Distinguished Names in the main manual.
extns: Extensions: a list of attribute-value pairs separated by semicolons (;). See X.509 Extensions Parameter in the main manual.
keyUsageOptions: Bit flags to set Key Usage extension.
sigAlg: Signature algorithm to use when signing [default=rsa-sha1].
opts: Option flags.
Returns
Zero if successful.

◆ MakeCRL()

static int dipki::X509::MakeCRL(const std::string& newFile,
                                const std::string& issuerCert,
                                const std::string& priKeyFile,
                                const std::string& password,
                                const std::string revokedCertList,
                                const std::string extns = "",
                                SigAlg sigAlg = SigAlg::Default,
                                CrlOptions opts = CrlOptions::Default_CrlOpt)

Create an X.509 Certificate Revocation List (CRL).

Parameters
newFile: Name of new file to be created.
issuerCert: Name of issuer's certificate file (or its base64 or PEM representation).
priKeyFile: File containing issuer's private key data, or a string containing its PEM textual representation.
password: Password for issuer's encrypted private key file. Specify the empty string "" if key not encrypted.
revokedCertList: List of revoked certificates in format serialNumber,revocationDate; ... or the empty string "" for no revoked certificates. See the Remarks section below for more details.
extns: Extensions: a list of attribute-value pairs separated by semicolons (;). Valid attribute-value pairs are:
  • lastUpdate=<iso-date-string>
  • nextUpdate=<iso-date-string>
sigAlg: Signature algorithm to use when signing [default=rsa-sha1].
opts: Option flags.
Returns
Zero if successful.
Remarks
This creates a version 1 CRL file with no extensions and no cRLReason entries. The parameter revokedCertList must be in the form serialNumber,revocationDate;serialNumber,revocationDate; .... The serial number must either be a positive decimal integer (e.g. 123) or the number in hex format preceded by #x (e.g. #x0102deadbeef). The revocation date must be in ISO date format (e.g. 2009-12-31T12:59:59Z). For example:
"1,2007-12-31; 2, 2009-12-31T12:59:59Z; 66000,2066-01-01; #x0102deadbeef,2010-02-28T01:01:59"
By default, the lastUpdate time in the CRL is set to the time given by the system clock, and nextUpdate time is left empty. You can specify your own times using the lastUpdate and nextUpdate attributes in the extensions parameter. Times, if specified, must be in ISO 8601 format and are always interpreted as GMT times whether or not you add a "Z".
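The revokedCertList format described in the Remarks is easy to get subtly wrong, and MakeCRL reports only a non-zero return value. The following is an added example, not code from the CryptoSys PKI library: a parser that checks each serialNumber,revocationDate entry against the rules stated above (positive decimal or #x hex serial; ISO 8601 date with optional time and optional Z, interpreted as GMT either way) before the string reaches MakeCRL, normalises every serial to hex so that the decimal and #x spellings of the same serial compare equal, and re-emits the list in a canonical form. The sample list in main is the one from the Remarks.

```cpp
#include <cctype>
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// One "serialNumber,revocationDate" entry from a revokedCertList string.
struct RevokedEntry {
    std::string serialHex;  // serial as upper-case hex, even length, no leading zero bytes, no "#x"
    std::string isoDate;    // revocation date exactly as given (GMT, with or without "Z")
};

static std::string trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t\r\n");
    if (b == std::string::npos) return "";
    size_t e = s.find_last_not_of(" \t\r\n");
    return s.substr(b, e - b + 1);
}

// Decimal digit string of any length to upper-case hex, by repeated long division by 16
// (serial numbers may be up to 20 octets, so a 64-bit integer is not enough in general).
static std::string decimalToHex(const std::string& dec) {
    std::vector<unsigned> digits;
    for (char c : dec) digits.push_back(static_cast<unsigned>(c - '0'));
    std::string hex;
    while (!digits.empty()) {
        std::vector<unsigned> quotient;
        unsigned rem = 0;
        for (unsigned d : digits) {
            unsigned cur = rem * 10 + d;
            if (!quotient.empty() || cur / 16) quotient.push_back(cur / 16);
            rem = cur % 16;
        }
        hex.insert(hex.begin(), "0123456789ABCDEF"[rem]);
        digits.swap(quotient);
    }
    return hex;
}

// Serial: a positive decimal integer (e.g. 123) or "#x" followed by hex digits (e.g. #x0102deadbeef).
static std::string parseSerial(const std::string& raw) {
    std::string hex;
    if (raw.size() > 2 && raw[0] == '#' && (raw[1] == 'x' || raw[1] == 'X')) {
        hex = raw.substr(2);
        for (char& c : hex) {
            if (!std::isxdigit(static_cast<unsigned char>(c))) throw std::invalid_argument("bad hex serial: " + raw);
            c = static_cast<char>(std::toupper(static_cast<unsigned char>(c)));
        }
    } else {
        if (raw.empty()) throw std::invalid_argument("empty serial number");
        for (char c : raw)
            if (!std::isdigit(static_cast<unsigned char>(c))) throw std::invalid_argument("bad decimal serial: " + raw);
        hex = decimalToHex(raw);
    }
    size_t nz = hex.find_first_not_of('0');
    if (nz == std::string::npos) throw std::invalid_argument("serial number must be positive: " + raw);
    hex.erase(0, nz);
    if (hex.size() % 2) hex.insert(hex.begin(), '0');
    return hex;
}

// Date: "yyyy-mm-dd", optionally "Thh:mm:ss", optionally "Z". Anything else is rejected.
static std::string parseIsoDate(const std::string& s) {
    auto digitsAt = [&](size_t from, size_t n) {
        if (from + n > s.size()) return false;
        for (size_t i = from; i < from + n; ++i)
            if (!std::isdigit(static_cast<unsigned char>(s[i]))) return false;
        return true;
    };
    bool ok = s.size() >= 10 && digitsAt(0, 4) && s[4] == '-' && digitsAt(5, 2) && s[7] == '-' && digitsAt(8, 2);
    size_t pos = 10;
    if (ok && pos < s.size() && s[pos] == 'T') {
        ok = digitsAt(pos + 1, 2) && pos + 3 < s.size() && s[pos + 3] == ':' && digitsAt(pos + 4, 2)
             && pos + 6 < s.size() && s[pos + 6] == ':' && digitsAt(pos + 7, 2);
        pos += 9;
    }
    if (ok && pos < s.size() && s[pos] == 'Z') ++pos;
    if (!ok || pos != s.size()) throw std::invalid_argument("bad ISO date: " + s);
    int month = std::stoi(s.substr(5, 2)), day = std::stoi(s.substr(8, 2));
    if (month < 1 || month > 12 || day < 1 || day > 31) throw std::invalid_argument("date out of range: " + s);
    return s;
}

// Parse a whole revokedCertList string; "" means no revoked certificates.
std::vector<RevokedEntry> parseRevokedCertList(const std::string& list) {
    std::vector<RevokedEntry> entries;
    std::istringstream in(list);
    std::string item;
    while (std::getline(in, item, ';')) {
        item = trim(item);
        if (item.empty()) continue;   // tolerate a trailing ';'
        size_t comma = item.find(',');
        if (comma == std::string::npos || item.find(',', comma + 1) != std::string::npos)
            throw std::invalid_argument("entry must be serialNumber,revocationDate: " + item);
        entries.push_back({parseSerial(trim(item.substr(0, comma))), parseIsoDate(trim(item.substr(comma + 1)))});
    }
    return entries;
}

// Re-emit the list in canonical form, spelling every serial in the #x hex form.
std::string formatRevokedCertList(const std::vector<RevokedEntry>& entries) {
    std::string out;
    for (const auto& e : entries) out += (out.empty() ? "" : ";") + ("#x" + e.serialHex + "," + e.isoDate);
    return out;
}

int main() {
    const std::string sample = "1,2007-12-31; 2, 2009-12-31T12:59:59Z; 66000,2066-01-01; #x0102deadbeef,2010-02-28T01:01:59";
    std::cout << formatRevokedCertList(parseRevokedCertList(sample)) << "\n";   // validated, canonical form
    return 0;
}
```

Running the list through parseRevokedCertList before MakeCRL turns a silent non-zero return into a message naming the offending entry, and the normalised serialHex is also the value to compare against QueryCert(certFile, "serialNumber") when deciding whether a given certificate is on the list.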

◆ QueryCert()

static std::string dipki::X509::QueryCert(const std::string& certFile,
                                          const std::string& query,
                                          OutputOpts outOpts = OutputOpts::Default_OutputOpt)

Query an X.509 certificate file for selected information.

Parameters
certFile: Filename of certificate file (or a string with its base64 or PEM representation).
query: Query string (case insensitive). See remarks.
outOpts: Option flags for output formatting, e.g. X509::OutputOpts::Ldap.
Returns
String containing the result, or an empty string if not found.
Remarks
An integer result is returned as a string, e.g. "1". Use std::stoi(s) to convert to an integer.
Valid queries are:

Query string                 Returns
version                      X.509 version number as a string, e.g. "1" or "3".
serialNumber                 Serial number in hex-encoded format.
signatureAlgorithm           Signature algorithm used, e.g. "sha1WithRSAEncryption".
sigAlgId                     ID of signature algorithm used, see X509::SigAlg.
signatureValue               Signature value in hex-encoded format.
notBefore                    Date on which the certificate validity period begins, in format yyyy-mm-ddThh:nn:ssZ.
notAfter                     Date on which the certificate validity period ends, in format yyyy-mm-ddThh:nn:ssZ.
issuerName                   Distinguished name (DN) of entity who has signed and issued the certificate.
subjectName                  Distinguished name (DN) of the subject.
subjectPublicKeyAlgorithm    Algorithm used in subject's public key, e.g. "dsa" or "rsaEncryption".
subjectKeyIdentifier         The subject key identifier extension, if present, in hex-encoded format.
authorityKeyIdentifier       The authority key identifier extension, if present, in hex-encoded format.
rfc822Name                   First internet mail address found contained in a subjectAltName extension, if present.
isCA                         Returns "1" if the subject type is a CA, otherwise returns "0".
keyUsageString               keyUsage flags in text format, e.g. "digitalSignature,nonRepudiation".
extKeyUsageString            extKeyUsage purposes in text format, e.g. "codeSigning,timeStamping".
cRLDistributionPointsURI     First URI found in cRLDistributionPoints, if any.
authorityInfoAccessURI       First URI found in authorityInfoAccess, if any.
subjectAltName               Subject alternative name extension, if present.
hashAlgorithm                Hash algorithm used in signature, e.g. "sha256".
pssParams                    Parameters used for RSA-PSS (if applicable).

Exceptions
std::runtime_error: Exception with error code if certificate or query is invalid.

◆ ReadCertStringFromP7Chain()

static std::string dipki::X509::ReadCertStringFromP7Chain(const std::string& inputFile,
                                                          int index)

Read an X.509 certificate into a base64 string from a PKCS-7 "certs-only" certificate chain file.

Parameters
inputFile: Name of the PKCS-7 "certs-only" file, or a string containing its PEM textual representation.
index: Specifies which certificate (1,2,...) in the chain to extract.
Returns
String in continuous base64 format, or empty string if no certificate found at the given index.
Remarks
To find the number of certificates in the chain, use X509::GetCertCountInP7Chain.
Exceptions
std::runtime_error: Exception with error code if input file is invalid.

◆ ReadCertStringFromPFX()

static std::string dipki::X509::ReadCertStringFromPFX(const std::string& inputFile,
                                                      const std::string& password)

Read an X.509 certificate into a base64 string from PKCS-12 PFX/.p12 data.

Parameters
inputFile: Filename of a PFX file, or a string containing its PEM textual representation.
password: Password for PFX or "" if certificate is not encrypted.
Returns
String in continuous base64 format, or empty string if no certificate found.
Remarks
This will extract one certificate from the PFX file. It will attempt to find a matching certificate for any private key, otherwise it will save the first pkcs-12-certBag found in the PFX file containing an x509Certificate object.
Exceptions
std::runtime_error: Exception with error code if input file is invalid.

◆ ReadStringFromFile()

static std::string dipki::X509::ReadStringFromFile(const std::string& certFile)

Read an X.509 certificate into its base64 string representation.

Parameters
certFile: Filename of certificate file (or a string with its base64 or PEM representation).
Returns
String in continuous base64 format.
Remarks
This is the reverse of X509::SaveFileFromString.
Exceptions
std::runtime_error: Exception with error code if certificate is invalid.

◆ SaveFileFromString()

static int dipki::X509::SaveFileFromString(const std::string& newCertFile,
                                           const std::string& certString,
                                           bool inPEMFormat = false)

Create an X.509 certificate file from its base64 string representation.

Parameters
newCertFile: Name of new certificate file to be created.
certString: String containing certificate data in base64 format.
inPEMFormat: true to save in PEM textual format, or false to save in binary DER format [default]. A PEM format file starts with -----BEGIN CERTIFICATE-----.
Returns
Zero if successful.
Remarks
This is the reverse of X509::ReadStringFromFile.
Exceptions
std::runtime_error: Exception with error code if certString is invalid or if new file cannot be created.

◆ TextDumpToString()

static std::string dipki::X509::TextDumpToString(const std::string& certFile,
                                                 OutputOpts outOpts = OutputOpts::Default_OutputOpt)

Dump details of an X.509 certificate, an X.509 certificate revocation list (CRL) or a PKCS-10 certificate signing request (CSR) to a string.

Parameters
certFile: Filename of certificate file (or a string with its base64 or PEM representation).
outOpts: Option flags for output formatting, e.g. X509::OutputOpts::Ldap.
Returns
String containing the result, or an empty string if not found.
Exceptions
std::runtime_error: Exception with error code if certificate is invalid.

Copyright © 2004-24 D.I. Management Services Pty Limited t/a CryptoSys ABN 78 083 210 584 Australia. All rights reserved. <www.di-mgt.com.au> <www.cryptosys.net>. Generated on Mon Sep 23 2024 15:37:33 by Doxygen 1.9.1.