line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package Crypt::Perl::X509v3; |
2
|
|
|
|
|
|
|
|
3
|
1
|
|
|
1
|
|
399
|
use strict; |
|
1
|
|
|
|
|
1
|
|
|
1
|
|
|
|
|
23
|
|
4
|
1
|
|
|
1
|
|
3
|
use warnings; |
|
1
|
|
|
|
|
2
|
|
|
1
|
|
|
|
|
26
|
|
5
|
|
|
|
|
|
|
|
6
|
|
|
|
|
|
|
=encoding utf-8 |
7
|
|
|
|
|
|
|
|
8
|
|
|
|
|
|
|
=head1 NAME |
9
|
|
|
|
|
|
|
|
10
|
|
|
|
|
|
|
Crypt::Perl::X509v3 - TLS/SSL Certificates |
11
|
|
|
|
|
|
|
|
12
|
|
|
|
|
|
|
=head1 SYNOPSIS |
13
|
|
|
|
|
|
|
|
14
|
|
|
|
|
|
|
my $cert = Crypt::Perl::X509v3->new( |
15
|
|
|
|
|
|
|
key => $crypt_perl_public_key_obj, |
16
|
|
|
|
|
|
|
issuer => [ |
17
|
|
|
|
|
|
|
[ commonName => 'Foo', surname => 'theIssuer' ], |
18
|
|
|
|
|
|
|
[ givenName => 'separate RDNs' ], |
19
|
|
|
|
|
|
|
], |
20
|
|
|
|
|
|
|
subject => \@subject, #same format as issuer |
21
|
|
|
|
|
|
|
|
22
|
|
|
|
|
|
|
not_before => $unixtime, |
23
|
|
|
|
|
|
|
not_after => $unixtime, |
24
|
|
|
|
|
|
|
|
25
|
|
|
|
|
|
|
# The same structure as in Crypt::Perl::PKCS10 … |
26
|
|
|
|
|
|
|
extensions => [ |
27
|
|
|
|
|
|
|
[ keyUsage => 'keyCertSign', 'keyEncipherment' ], |
28
|
|
|
|
|
|
|
[ $extn_name => @extn_args ], |
29
|
|
|
|
|
|
|
# .. |
30
|
|
|
|
|
|
|
], |
31
|
|
|
|
|
|
|
|
32
|
|
|
|
|
|
|
serial_number => 12345, |
33
|
|
|
|
|
|
|
|
34
|
|
|
|
|
|
|
issuer_unique_id => '..', |
35
|
|
|
|
|
|
|
subject_unique_id => '..', |
36
|
|
|
|
|
|
|
); |
37
|
|
|
|
|
|
|
|
38
|
|
|
|
|
|
|
$cert->sign( $crypt_perl_private_key_obj, 'sha256' ); |
39
|
|
|
|
|
|
|
|
40
|
|
|
|
|
|
|
my $pem = $cert->to_pem(); |
41
|
|
|
|
|
|
|
|
42
|
|
|
|
|
|
|
=head1 STATUS |
43
|
|
|
|
|
|
|
|
44
|
|
|
|
|
|
|
This module is B! The API may change between versions. |
45
|
|
|
|
|
|
|
If you’re going to build something off of it, ensure that you check |
46
|
|
|
|
|
|
|
Crypt::Perl’s changelog before updating this module. |
47
|
|
|
|
|
|
|
|
48
|
|
|
|
|
|
|
=head1 DESCRIPTION |
49
|
|
|
|
|
|
|
|
50
|
|
|
|
|
|
|
This module can create TLS/SSL certificates. The caller has full control |
51
|
|
|
|
|
|
|
over all certificate components, and anything not specified is not assumed. |
52
|
|
|
|
|
|
|
|
53
|
|
|
|
|
|
|
There currently is not a parsing interface. Hopefully that can be remedied. |
54
|
|
|
|
|
|
|
|
55
|
|
|
|
|
|
|
=cut |
56
|
|
|
|
|
|
|
|
57
|
1
|
|
|
1
|
|
4
|
use parent qw( Crypt::Perl::ASN1::Encodee ); |
|
1
|
|
|
|
|
2
|
|
|
1
|
|
|
|
|
5
|
|
58
|
|
|
|
|
|
|
|
59
|
1
|
|
|
1
|
|
466
|
use Digest::SHA (); |
|
1
|
|
|
|
|
2237
|
|
|
1
|
|
|
|
|
21
|
|
60
|
|
|
|
|
|
|
|
61
|
1
|
|
|
1
|
|
391
|
use Crypt::Perl::ASN1::Signatures (); |
|
1
|
|
|
|
|
4
|
|
|
1
|
|
|
|
|
15
|
|
62
|
1
|
|
|
1
|
|
348
|
use Crypt::Perl::X509::Extensions (); |
|
1
|
|
|
|
|
2
|
|
|
1
|
|
|
|
|
16
|
|
63
|
1
|
|
|
1
|
|
380
|
use Crypt::Perl::X509::Name (); |
|
1
|
|
|
|
|
1
|
|
|
1
|
|
|
|
|
17
|
|
64
|
|
|
|
|
|
|
|
65
|
1
|
|
|
1
|
|
5
|
use Crypt::Perl::X (); |
|
1
|
|
|
|
|
2
|
|
|
1
|
|
|
|
|
82
|
|
66
|
|
|
|
|
|
|
|
67
|
|
|
|
|
|
|
#TODO: refactor |
68
|
|
|
|
|
|
|
*to_der = __PACKAGE__->can('encode'); |
69
|
|
|
|
|
|
|
|
70
|
|
|
|
|
|
|
sub to_pem { |
71
|
6
|
|
|
6
|
0
|
42
|
my ($self) = @_; |
72
|
|
|
|
|
|
|
|
73
|
6
|
|
|
|
|
37
|
return Crypt::Format::der2pem( $self->to_der(), 'CERTIFICATE' ); |
74
|
|
|
|
|
|
|
} |
75
|
|
|
|
|
|
|
|
76
|
1
|
|
|
1
|
|
5
|
use constant ASN1 => <
|
|
1
|
|
|
|
|
1
|
|
|
1
|
|
|
|
|
845
|
|
77
|
|
|
|
|
|
|
X509v3 ::= SEQUENCE { |
78
|
|
|
|
|
|
|
tbsCertificate ANY, |
79
|
|
|
|
|
|
|
signatureAlgorithm SigIdentifier, |
80
|
|
|
|
|
|
|
signature BIT STRING |
81
|
|
|
|
|
|
|
} |
82
|
|
|
|
|
|
|
|
83
|
|
|
|
|
|
|
SigIdentifier ::= SEQUENCE { |
84
|
|
|
|
|
|
|
algorithm OBJECT IDENTIFIER, |
85
|
|
|
|
|
|
|
parameters ANY OPTIONAL |
86
|
|
|
|
|
|
|
} |
87
|
|
|
|
|
|
|
|
88
|
|
|
|
|
|
|
TBSCertificate ::= SEQUENCE { |
89
|
|
|
|
|
|
|
version [0] Version, |
90
|
|
|
|
|
|
|
serialNumber INTEGER, |
91
|
|
|
|
|
|
|
signature SigIdentifier, |
92
|
|
|
|
|
|
|
issuer ANY, -- Name |
93
|
|
|
|
|
|
|
validity Validity, |
94
|
|
|
|
|
|
|
subject ANY, -- Name |
95
|
|
|
|
|
|
|
subjectPublicKeyInfo ANY, |
96
|
|
|
|
|
|
|
issuerUniqueID [1] IMPLICIT BIT STRING OPTIONAL, |
97
|
|
|
|
|
|
|
-- If present, version MUST be v2 or v3 |
98
|
|
|
|
|
|
|
subjectUniqueID [2] IMPLICIT BIT STRING OPTIONAL, |
99
|
|
|
|
|
|
|
-- If present, version MUST be v2 or v3 |
100
|
|
|
|
|
|
|
extensions [3] Extensions OPTIONAL |
101
|
|
|
|
|
|
|
-- If present, version MUST be v3 -- |
102
|
|
|
|
|
|
|
} |
103
|
|
|
|
|
|
|
|
104
|
|
|
|
|
|
|
Version ::= SEQUENCE { |
105
|
|
|
|
|
|
|
version INTEGER |
106
|
|
|
|
|
|
|
} |
107
|
|
|
|
|
|
|
|
108
|
|
|
|
|
|
|
Validity ::= SEQUENCE { |
109
|
|
|
|
|
|
|
notBefore Time, |
110
|
|
|
|
|
|
|
notAfter Time |
111
|
|
|
|
|
|
|
} |
112
|
|
|
|
|
|
|
|
113
|
|
|
|
|
|
|
Time ::= CHOICE { |
114
|
|
|
|
|
|
|
-- utcTime UTCTime, -- Y2K problem … wtf?!? |
115
|
|
|
|
|
|
|
generalTime GeneralizedTime |
116
|
|
|
|
|
|
|
} |
117
|
|
|
|
|
|
|
|
118
|
|
|
|
|
|
|
Extensions ::= SEQUENCE { |
119
|
|
|
|
|
|
|
extensions ANY |
120
|
|
|
|
|
|
|
} |
121
|
|
|
|
|
|
|
END |
122
|
|
|
|
|
|
|
|
123
|
|
|
|
|
|
|
sub new { |
124
|
6
|
|
|
6
|
0
|
495
|
my ($class, %opts) = @_; |
125
|
|
|
|
|
|
|
|
126
|
6
|
|
|
|
|
22
|
my @missing = grep { !$opts{$_} } qw( subject key not_after ); |
|
18
|
|
|
|
|
67
|
|
127
|
|
|
|
|
|
|
|
128
|
6
|
50
|
|
|
|
23
|
if (@missing) { |
129
|
0
|
|
|
|
|
0
|
die Crypt::Perl::X::create('Generic', "Missing: @missing"); |
130
|
|
|
|
|
|
|
} |
131
|
|
|
|
|
|
|
|
132
|
6
|
|
33
|
|
|
58
|
$opts{'extensions'} &&= Crypt::Perl::X509::Extensions->new(@{ $opts{'extensions'} }); |
|
6
|
|
|
|
|
147
|
|
133
|
|
|
|
|
|
|
|
134
|
6
|
|
|
|
|
13
|
my $subj = Crypt::Perl::X509::Name->new( @{ $opts{'subject'} } ); |
|
6
|
|
|
|
|
125
|
|
135
|
|
|
|
|
|
|
|
136
|
6
|
|
|
|
|
14
|
my $issuer; |
137
|
6
|
50
|
|
|
|
27
|
if ($opts{'issuer'}) { |
138
|
6
|
|
|
|
|
13
|
$issuer = Crypt::Perl::X509::Name->new( @{ $opts{'issuer'} } ); |
|
6
|
|
|
|
|
47
|
|
139
|
|
|
|
|
|
|
} |
140
|
|
|
|
|
|
|
else { |
141
|
0
|
|
|
|
|
0
|
$issuer = $subj; #self-signed |
142
|
|
|
|
|
|
|
} |
143
|
|
|
|
|
|
|
|
144
|
6
|
|
50
|
|
|
107
|
$opts{'serial_number'} ||= 0; |
145
|
|
|
|
|
|
|
|
146
|
|
|
|
|
|
|
my %self = ( |
147
|
|
|
|
|
|
|
_subject => $subj, |
148
|
|
|
|
|
|
|
_issuer => $issuer, |
149
|
|
|
|
|
|
|
_not_before => $opts{'not_before'} || time, |
150
|
|
|
|
|
|
|
|
151
|
6
|
|
33
|
|
|
69
|
( map { ( "_$_" => $opts{$_} ) } qw( |
|
36
|
|
|
|
|
157
|
|
152
|
|
|
|
|
|
|
key |
153
|
|
|
|
|
|
|
not_after |
154
|
|
|
|
|
|
|
extensions |
155
|
|
|
|
|
|
|
serial_number |
156
|
|
|
|
|
|
|
subject_unique_id |
157
|
|
|
|
|
|
|
issuer_unique_id |
158
|
|
|
|
|
|
|
) ), |
159
|
|
|
|
|
|
|
); |
160
|
|
|
|
|
|
|
|
161
|
6
|
|
|
|
|
49
|
return bless \%self, $class; |
162
|
|
|
|
|
|
|
} |
163
|
|
|
|
|
|
|
|
164
|
|
|
|
|
|
|
sub sign { |
165
|
6
|
|
|
6
|
0
|
59
|
my ($self, $signer_key, $digest_algorithm) = @_; |
166
|
|
|
|
|
|
|
|
167
|
|
|
|
|
|
|
#This validates the digest algorithm. |
168
|
6
|
|
|
|
|
73
|
my $tbs = $self->_encode_tbs_certificate($signer_key, $digest_algorithm); |
169
|
|
|
|
|
|
|
|
170
|
6
|
|
|
|
|
3478
|
my ($sig_alg, $sig_func, $signature); |
171
|
|
|
|
|
|
|
|
172
|
6
|
50
|
|
|
|
84
|
$digest_algorithm =~ m<([0-9]+)\z> or die "huh? ($digest_algorithm)"; |
173
|
6
|
|
|
|
|
50
|
my $digest_length = $1; |
174
|
|
|
|
|
|
|
|
175
|
6
|
100
|
|
|
|
142
|
if ($signer_key->isa('Crypt::Perl::ECDSA::PrivateKey')) { |
|
|
50
|
|
|
|
|
|
176
|
|
|
|
|
|
|
#$sig_alg = $signer_key->get_public_key()->algorithm_identifier_with_curve_name(); |
177
|
3
|
|
|
|
|
10
|
$sig_alg = "ecdsa-with-SHA$digest_length"; |
178
|
|
|
|
|
|
|
|
179
|
3
|
|
|
|
|
142
|
$signature = $signer_key->sign( Digest::SHA->can($digest_algorithm)->($tbs) ); |
180
|
|
|
|
|
|
|
} |
181
|
|
|
|
|
|
|
elsif ($signer_key->isa('Crypt::Perl::RSA::PrivateKey')) { |
182
|
|
|
|
|
|
|
#$sig_alg = $signer_key->get_public_key()->algorithm_identifier(); |
183
|
3
|
|
|
|
|
15
|
$sig_alg = "sha${digest_length}WithRSAEncryption"; |
184
|
|
|
|
|
|
|
|
185
|
3
|
50
|
|
|
|
40
|
my $sign_cr = $signer_key->can("sign_RS$digest_length") or do { |
186
|
0
|
|
|
|
|
0
|
die "Unsupported digest for RSA: $digest_algorithm"; |
187
|
|
|
|
|
|
|
}; |
188
|
|
|
|
|
|
|
|
189
|
3
|
|
|
|
|
21
|
$signature = $sign_cr->($signer_key, $tbs); |
190
|
|
|
|
|
|
|
} |
191
|
|
|
|
|
|
|
else { |
192
|
0
|
|
|
|
|
0
|
die "Key ($signer_key) is not a recognized private key object!"; |
193
|
|
|
|
|
|
|
} |
194
|
|
|
|
|
|
|
|
195
|
|
|
|
|
|
|
$sig_alg = { |
196
|
6
|
|
|
|
|
100858
|
algorithm => $Crypt::Perl::ASN1::Signatures::OID{$sig_alg}, |
197
|
|
|
|
|
|
|
}; |
198
|
|
|
|
|
|
|
|
199
|
6
|
|
|
|
|
52
|
$self->{'_signed'} = { |
200
|
|
|
|
|
|
|
tbsCertificate => $tbs, |
201
|
|
|
|
|
|
|
signatureAlgorithm => $sig_alg, |
202
|
|
|
|
|
|
|
signature => $signature, |
203
|
|
|
|
|
|
|
}; |
204
|
|
|
|
|
|
|
|
205
|
6
|
|
|
|
|
34
|
return $self; |
206
|
|
|
|
|
|
|
} |
207
|
|
|
|
|
|
|
|
208
|
|
|
|
|
|
|
sub _encode_params { |
209
|
6
|
|
|
6
|
|
20
|
my ($self) = @_; |
210
|
|
|
|
|
|
|
|
211
|
6
|
50
|
|
|
|
24
|
if (!$self->{'_signed'}) { |
212
|
0
|
|
|
|
|
0
|
die Crypt::Perl::X::create('Generic', 'Call sign() first!'); |
213
|
|
|
|
|
|
|
} |
214
|
|
|
|
|
|
|
|
215
|
6
|
|
|
|
|
20
|
return $self->{'_signed'}; |
216
|
|
|
|
|
|
|
} |
217
|
|
|
|
|
|
|
|
218
|
|
|
|
|
|
|
sub _encode_tbs_certificate { |
219
|
6
|
|
|
6
|
|
33
|
my ($self, $signing_key, $digest_algorithm) = @_; |
220
|
|
|
|
|
|
|
|
221
|
6
|
50
|
|
|
|
110
|
$digest_algorithm =~ m<\Asha(224|256|384|512)\z> or do { |
222
|
0
|
|
|
|
|
0
|
die Crypt::Perl::X::create('Generic', "Unknown digest algorithm: “$digest_algorithm”"); |
223
|
|
|
|
|
|
|
}; |
224
|
6
|
|
|
|
|
24
|
my $digest_length = $1; |
225
|
|
|
|
|
|
|
|
226
|
6
|
|
|
|
|
21
|
my $sig_alg; |
227
|
|
|
|
|
|
|
|
228
|
|
|
|
|
|
|
my $pubkey_der; |
229
|
|
|
|
|
|
|
|
230
|
6
|
100
|
|
|
|
140
|
if ($self->{'_key'}->isa('Crypt::Perl::ECDSA::PublicKey')) { |
|
|
50
|
|
|
|
|
|
231
|
3
|
|
|
|
|
55
|
$pubkey_der = $self->{'_key'}->to_der_with_curve_name(); |
232
|
|
|
|
|
|
|
#$sig_alg = 'ecPublicKey'; #"ecdsa-with-SHA$digest_length"; |
233
|
3
|
|
|
|
|
951
|
$sig_alg = "ecdsa-with-SHA$digest_length"; |
234
|
|
|
|
|
|
|
} |
235
|
|
|
|
|
|
|
elsif ($self->{'_key'}->isa('Crypt::Perl::RSA::PublicKey')) { |
236
|
3
|
|
|
|
|
35
|
$pubkey_der = $self->{'_key'}->to_subject_der(); |
237
|
|
|
|
|
|
|
#$sig_alg = 'rsaEncryption'; #"sha${digest_length}WithRSAEncryption"; |
238
|
3
|
|
|
|
|
981
|
$sig_alg = "sha${digest_length}WithRSAEncryption"; |
239
|
|
|
|
|
|
|
} |
240
|
|
|
|
|
|
|
else { |
241
|
0
|
|
|
|
|
0
|
die "Key ($self->{'_key'}) is not a recognized public key object!"; |
242
|
|
|
|
|
|
|
} |
243
|
|
|
|
|
|
|
|
244
|
6
|
|
|
|
|
36
|
my $extns_bin; |
245
|
6
|
50
|
|
|
|
48
|
if ($self->{'_extensions'}) { |
246
|
6
|
|
|
|
|
59
|
$extns_bin = $self->{'_extensions'}->encode(); |
247
|
|
|
|
|
|
|
} |
248
|
|
|
|
|
|
|
|
249
|
|
|
|
|
|
|
my $params_hr = { |
250
|
|
|
|
|
|
|
version => { version => 2 }, |
251
|
|
|
|
|
|
|
|
252
|
|
|
|
|
|
|
serialNumber => $self->{'_serial_number'}, |
253
|
|
|
|
|
|
|
|
254
|
|
|
|
|
|
|
issuerUniqueID => $self->{'_issuer_unique_id'}, |
255
|
|
|
|
|
|
|
|
256
|
|
|
|
|
|
|
subjectUniqueID => $self->{'_subject_unique_id'}, |
257
|
|
|
|
|
|
|
|
258
|
|
|
|
|
|
|
subject => $self->{'_subject'}->encode(), |
259
|
|
|
|
|
|
|
issuer => $self->{'_issuer'}->encode(), |
260
|
|
|
|
|
|
|
|
261
|
|
|
|
|
|
|
validity => { |
262
|
|
|
|
|
|
|
notBefore => { generalTime => $self->{'_not_before'} }, |
263
|
|
|
|
|
|
|
notAfter => { generalTime => $self->{'_not_after'} }, |
264
|
|
|
|
|
|
|
}, |
265
|
|
|
|
|
|
|
|
266
|
|
|
|
|
|
|
subjectPublicKeyInfo => $pubkey_der, |
267
|
|
|
|
|
|
|
|
268
|
|
|
|
|
|
|
signature => { |
269
|
6
|
50
|
|
|
|
9965
|
algorithm => $Crypt::Perl::ASN1::Signatures::OID{$sig_alg}, |
270
|
|
|
|
|
|
|
}, |
271
|
|
|
|
|
|
|
|
272
|
|
|
|
|
|
|
( $extns_bin ? ( extensions => { extensions => $extns_bin } ) : () ), |
273
|
|
|
|
|
|
|
}; |
274
|
|
|
|
|
|
|
|
275
|
6
|
|
|
|
|
877
|
my $asn1 = Crypt::Perl::ASN1->new()->prepare($self->ASN1()); |
276
|
6
|
|
|
|
|
38
|
$asn1 = $asn1->find('TBSCertificate'); |
277
|
6
|
|
|
|
|
176
|
$asn1->configure( encode => { time => 'utctime' } ); |
278
|
|
|
|
|
|
|
|
279
|
6
|
|
|
|
|
248
|
return $asn1->encode($params_hr); |
280
|
|
|
|
|
|
|
} |
281
|
|
|
|
|
|
|
|
282
|
|
|
|
|
|
|
#sub _get_GeneralizedTime { |
283
|
|
|
|
|
|
|
# my ($epoch) = @_; |
284
|
|
|
|
|
|
|
# |
285
|
|
|
|
|
|
|
# my @smhdmy = (gmtime $epoch)[0 .. 5]; |
286
|
|
|
|
|
|
|
# $smhdmy[4]++; #month |
287
|
|
|
|
|
|
|
# $smhdmy[5] += 1900; #year |
288
|
|
|
|
|
|
|
# |
289
|
|
|
|
|
|
|
# return sprintf '%04d%02d%02d%02d%02d%02dZ', reverse @smhdmy; |
290
|
|
|
|
|
|
|
#} |
291
|
|
|
|
|
|
|
|
292
|
|
|
|
|
|
|
1; |