NAME

Crypt::NSS::X509::Certificate - NSS Certificate functions

SYNOPSIS

use 5.10.1;
use Perl6::Slurp;

use Crypt::NSS::X509;

my $cert = Crypt::NSS::X509::Certificate->new(slurp('derfile'));

say $cert->subject();
say $cert->issuer();

my $valid = $cert->verify_cert();

if ( ! $cert->match_name('www.testdomain') ) {
  # Domain does not match certificate information
  exit(1);
}

ABSTRACT

Perl interface for the certificate access parts of the NSS API.

DESCRIPTION

This class gives access to most of the certificate handling functions of NSS. For information on how to load and initialize the NSS library, please refer to Crypt::NSS::X509.

FUNCTIONS

CONSTRUCTORS

new ( DERSTRING )

Creates a new NSS::Certificate object from the provided der-encoded certificate string.

The function croaks with the NSS error in case NSS cannot parse or import the certificate

new_from_pem ( STRING )

Creates a new NSS::Certificate object from the pem-encoded certificate string. Behaves exactly as new ( ).

new_from_nick ( STRING )

Creates a new NSS::Certificate object from the certificate database given a certificate nickname. Returns undef if no fitting certificate could be found.

ACCESSORS

subject

Returns the certificate subject as string.

issuer

Returns the certificate issuer as string.

serial

Returns the hex-encoded serial number of the certificate.

notBefore

Returns the not before time as a string.

notAfter

Returns the notAfter tine as a string.

subj_alt_name

Returns the certificate subject alternative name (if present). May croak if the extension field in the certificate is invalid.

version

Returns the certificate version number.

common_name

Returns the most specific common name specified in the certificate subject.

is_root

Returns true if NSS thinks that the certificate is a root (selfsigned) certificate and false otherwise.

sig_alg_name

Returns the name of the signature algorithm.

key_alg_name

Returns the name of the encryption algorithm.

bit_length

Bit length of the certificate key

public_key

Hex representation of the public key of the certificate (also available under the name modulus, for historical reasons

modulus

Alias for public_key.

nickname

Return the NSS certificate nickname.

dbnickname

Return the NSS certificate database nickname.

raw_spki

Return the encoded subject public key info part of the certificate. Can be used for uniquely identifying a public key (after hashing).

exponent

RSA exponent of the public key of the certificate. Croaks, if the certificate does not contain an RSA key, so check first using key_alg_name.

curve

Name of the EC-curve used in the certificate. Croaks if the certificate is not an EC-certificate.

fingerprint_md5

Hex-encoded md5 fingerprint of the certificate

fingerprint_sha1

Hex-encoded sha1 fingerprint of the certificate

fingerprint_sha256

Hex-encoded sha256 fingerprint of the certificate

der

Return the der-encoded certificate

VERIFICATION FUNCTIONS

These functions allow verification of certificate chains. Please note that for most of them a database has to be used and a root-certificate list has to be loaded. See Crypt::NSS::X509.

There are several different verification functions, because the NSS library offers a variety of methods to validate certificates. You probably want to either use verify_certificate or verify_pkix.

match_name ( HOSTNAME )

Return true is NSS considers the hostname to be valid for the certificate. Returns false otherwise.

verify_certificate( [TIME], [USAGE] )

Returns 1 if the certificate can be validated up to a root-certificate. Otherwise returns the numeric NSS error code. Time can contain the unix timestamp of the verification time. Usage can contain a the certificate usage - usually certUsageSSLServer is assumed.

verify_cert ( [TIME], [USAGE] )

Same as verify_certificate, just using the verify_cert NSS function instead of the verify_certificate NSS function.

This is (basically) the verification function that is used by Firefox at the moment (they add a few more special checks in the Firefox codebase).

verify_certificate_pkix( [TIME], [USAGE] )

Same as verify_certificate, just using the PKIX library for validation by using CERT_SetUsePKIXForValidation.

verify_certificate_log( [TIME], [USAGE] )

Same verification as in verify_certificate; however this function returns an empty list in case of success. In case of error, a list of hashes is returned. The hash contains the certificate that generated the error and the error code.

This allows to see which certificate in a certificate chain was responsible for preventing the validation of the chain. If several errors occur, the list may contain several hashes with differing error codes.

verify_certificate_pkix_log( [TIME], [USAGE] )

Like verify_certificate_log, just using the PKIX library for validation by using CERT_SetUsePKIXForValidation.

verify_cert_log ( [TIME], [USAGE] )

Same as verify_certificate_log, just using the verify_cert NSS function instead of the verify_certificate NSS function.

verify_pkix ( [TIME], [USAGE], [TRUSTED CERT LIST )

Returns 1 if the certificate can be validated up to a root-certificate using the CERT_PKIXVerifyCert function. Otherwise returns the numeric NSS error code. This function is (basically) used by Chrome to validate certificates.

Trusted cert list can contain a NSS::CertList, of trusted certificates. Please note that it is not a good idea to just load all root-certificates into a NSS::CertList and try to validate using this function, without using a NSS database backend; chain validation does not work correctly in that case.

verify_pkix_aia ( [TIME], [USAGE], [TRUSTED CERT LIST )

Same as verify_pkix, but tries to retrieve missing intermediate certificates using the Authority Information Access (AIA) field in the certificate (if present).

get_cert_chain_from_cert( [TIME], [USAGE] )

Get a Crypt::NSS::X509::CertList containing the certificate chain up to a root-certificate for the current certificate.

AUTHOR

Bernhard Amann, <bernhard@icsi.berkeley.edu>

COPYRIGHT AND LICENSE

Copyright 2012 by Bernhard Amann

This Library Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.

The library contains source code of the Mozilla Network Security Services; for NSS license information please see http://www.mozilla.org/projects/security/pki/ nss/.