NAME

OpenCA::OpenSSL - Perl Crypto Extention to OpenSSL

SYNOPSIS

use OpenCA::OpenSSL;

DESCRIPTION

This Perl Module implements an interface to the openssl backend program. It actually uses the openssl command and it is not fully integrated as PERL/C mixture.

Passing parameters to functions should be very simple as them have no particular order and have, often, self-explaining name. Each parameter should be passed to the function like this:

... ( NAME=>VALUE, NAME=>VALUE, ... );

FUNCTIONS

sub new () - Creates a new Class instance.

This functions creates a new instance of the class. It accepts
only one parameter: the path to the backend command (openssl).
This is due because if it cannot find the openssl command it
will return an uninitialized class (default value is /usr/bin/
openssl which may not fit many distributions/OSs)

EXAMPLE:

	my $openssl->new OpenCA::OpenSSL( $path );

sub setParams () - Set internal module variables.

This function can handle the internal module data such as the
backend path or the tmp dir. Accepted parameters are:

	SHELL   - Path to the openssl command.
	CONFIG  - Path to the openssl config file.
	TMPDIR  - Temporary files directory.
	STDERR  - Where to redirect the STDERR file.

(*) - Optional parameters;

EXAMPLE:

	$openssl->setParams( SHELL=>'/usr/local/ssl/bin/openssl',
			     CONFIG=>$ca/stuff/openssl.cnf,
			     TMPDIR=>'/tmp',
			     STDERR=>'/dev/null' );

sub errno () - Get last command errno value.

	This functions returns last operation's errno value. Non
        zero value means there has been an error.

	EXAMPLE:

		print $openssl->errno;

sub errval () - Get last command errval value.

	This functions returns last operation's errval value. This
        value usually has a brief error description.

	EXAMPLE:

		print $openssl->errval;

sub genKey () - Generate a private Key.

This functions let you generate a new private key. Accepted
parameters are:

	BITS      - key lengh in bits(*);
	OUTFILE   - Output file name(*);
	ALGORITHM - Encryption Algorithm to be used(*);
	PASSWD    - Password to be used when encrypting(*);

(*) - Optional parameters;

EXAMPLE:

	my $key = $openssl->genKey( BITS=>1024 );

sub genReq () - Generate a new Request.

	This function generate a new certificate request. Accepted
	parameters are:

		OUTFILE  - Output file(*);
		KEYFILE  - File containing the key;
		PASSWD   - Password to decript key (if needed) (*);
		DN       - Subject list (as required by openssl, see
			   the openssl.cnf doc on policy);
		SUBJECT  - DN string (use this instead of passing separate
                           attributes list)(*);

	(*) - Optional parameters;

	EXAMPLE:

		my $req = $openssl->genReq( KEYFILE=>"00_key.pem",
			DN => [ "madwolf@openca.org","Max","","","" ] );

		my $req = $openssl->genReq( KEYFILE=>"00_key.pem",
			SUBJECT => "CN=Madwolf, O=OpenCA, C=IT" );

sub genCert () - Generate a certificate from a request.

This function let you generate a new certificate starting
from the request file. It is used for self-signed certificate
as it simply converts the request into a x509 structure.
Accepted parameters are:

	OUTFILE   - Output file(*);
	KEYFILE   - File containing the private key;
	REQFILE   - Request File;
	PASSWD    - Password to decrypt private key(*);
	DAYS      - Validity days(*);

(*) - Optional parameters;

EXAMPLE:

	$cert = $openssl->genCert( KEYFILE=>"priv_key.pem",
		REQFILE=>"req.pem",
		DAYS=>"720" );

sub crl2pkcs7 () - Convert a crl and/or certs into pkcs7 structure.

	This function converts certificates (optional) and a crl
	(also optional) into a pkcs7 structure. It is used to build
	strucutures to load certificates/crls into some browsers.
	Accepted parameters are:

		DATA      - PEM|DER formatted CRL(*);
		INFORM    - Input crl format (DER|PEM) (*);
		OUTFORM   - Output pkcs7 structure format (DER|PEM) (*);
		INFILE    - Input crl file (*);
		OUTFILE   - Output pkcs7 file (*);
		CERTSLIST - List of files containing certificates to
                            be added to the pkcs7 structure (*);

	(*) - Optional parameters;

	EXAMPLE:

		$pkcs7 = $openssl->crl2pkcs7( DATA=>$crl->getPEM(),
				CERTSLIST=>[ "cert1.pem", "cert2.pem" ]);

sub dataConvert () - Convert data to different format.

This functions will convert data you pass to another format. Ir
requires you to provide with the data's type and IN/OUT format.
Accepted parameters are:

	DATA    - Data to be processed;
	INFILE  - Data file to be processed (one of DATA and
	  	  INFILE are required and exclusive);
	KEYFILE  - file with the priv. key (* PEM to PKCS12 only).
	           Not needed if key is presented in DATA or INFILE too.
	DATATYPE - Data type ( CRL | CERTIFICATE | REQUEST );
	OUTFORM  - Output format (PEM|DER|NET|TXT)(*);
	INFORM   - Input format (PEM|DER|NET|TXT)(*);
	OUTFILE  - Output file(*);
	PASSWD   - priv. key password (* PKCS12 to PEM only)
		   omitting the PASSWD leads into an unencrypted priv. key 
	ALGO     - des,des3 or idea. Default is des3 encryption for priv. key
	P12PASSWD - PKCS12 export password (* only needed for PKCS12)
	NOKEYS   - extract only the certificate (* PKCS12 to PEM only)
	           No need for the PASSWD parameter with this option.
	CACERT	- CA-certificate to add if OUTFORM is PKCS#12

(*) - Optional parameters;

EXAMPLES:
	# PEM file to TXT format
	print $openssl->dataConvert( INFILE=>"crl.pem",
		OUTFORM=>"TXT" );

	# PEM file to PKCS12 format, priv key will be des3 encrypted
	print $openssl->dataConvert( INFILE=>"crl.pem",
		DATATYPE=>'CERTIFICATE',
		OUTFORM=>"PKCS12",
		PASSWD=>$pem_pass,
		P12PASSWD=>$export_pass );

	# PKCS12 data to PEM formated certificate (no key)
	print $openssl->dataConvert( DATA=>$pkcs12_cert,
		DATATYPE=>'CERTIFICATE',
		INFORM=>"PKCS12",
		NOKEYS=>1,
		P12PASSWD=>$export_pass );

sub issueCert () - Issue a certificate.

This function should be used when you have a CA certificate and
a request (either DER|PEM|SPKAC) and want to issue the certificate.
Parameters used will override the configuration values (remember
to set to appropriate value the CONFIG with the setParams func).
Accepted parameters are:

	REQDATA       - Request;
	REQFILE       - File containing the request (one of
			REQDATA, REQFILE or REQFILES are required);
	REQFILES      - An array ref to an array of files that
			contain the request.
	OUTDIR        - What directory to put the files from 
			REQFILES. (This is required iff 
			you use REQFILES.)
	INFORM        - Input format (PEM|DER|NET|SPKAC)(*);
	PRESERVE_DN   - Preserve DN order (Y|N)(*);
	CA_NAME	      - CA sub section to be used (take a
			look at the OpenSSL docs for adding
			support of multiple CAs to the conf
			file)(*);
	CAKEY	      - CA key file;
	CACERT	      - CA certificate file;
	DAYS	      - Days the certificate will be valid(*);
	START_DATE    - Starting validity date (YYMMDDHHMMSSZ)(*);
	END_DATE      - Ending validity date (YYMMDDHHMMSSZ)(*);
	PASSWD	      - Password to decrypt priv. CA key(*);
	EXTS	      - Extentions to be used (configuration
			section of the openssl.cnf file)(*);
	REQTYPE	      - Request type (NETSCAPE|MSIE)(*);

(*) - Optional parameters;

EXAMPLE:

	$openssl->issueCert( REQFILE=>"myreq",
		INFORM=>SPKAC,
		PRESERVE_DN=>Y,
		CAKEY=>$ca/private/cakey.pem,
		CACERT=>$ca/cacert.pem,
		PASSWD=>$passwd,
		REQTYPE=>NETSCAPE );

sub revoke () - Revoke a certificate.

This function is used to revoke a certificate. Accepted parameters
are:

	CAKEY   - CA private key file(*);
	CACERT  - CA certificate file(*);
	PASSWD  - Password to decrypt priv. CA key(*);
	INFILE  - Input PEM formatted certificate filename(*);

(*) - Optional parameters;

EXAMPLE:

	if( not $openssl->revoke( INFILE=>$certFile ) ) {
		print "Error while revoking certificate!";
	}

sub issueCrl () - Issue a CRL.

This function is used to issue a CRL. Accepted parameters
are:

	CAKEY   - CA private key file;
	CACERT  - CA certificate file;
	PASSWD  - Password to decrypt priv. CA key(*);
	DAYS    - Days the CRL will be valid for(*);
	EXTS    - Extentions to be added ( see the openssl.cnf
		  pages for more help on this )(*);
	EXTFILE - Extensions file to be used (*);
	OUTFILE - Output file(*);
	OUTFORM - Output format (PEM|DER|NET|TXT)(*);

(*) - Optional parameters;

EXAMPLE:

	print $openssl->issueCrl( CAKEY=>"$ca/private/cakey.pem",
				  CACERT=>"$ca/cacert.pem",
				  DAYS=>7,
				  OUTFORM=>TXT );

sub SPKAC () - Get SPKAC infos.

This function returns a text containing all major info
about an spkac structure. Accepted parameters are:

	SPKAC     - spkac data ( SPKAC = .... ) (*);
	INFILE	  - An spkac request file (*);
	OUTFILE   - Output file (*);
	
(*) - Optional parameters;

EXAMPLE:

	print $openssl->SPKAC( SPKAC=>$data, OUTFILE=>$target );

sub pkcs7Certs () - Get PKCS7 structure certificate(s).

This function returns a PEM formatted (file or ret value)
contained in the pkcs7 structure. Accepted parameters are:

	PKCS7     - pkcs7 data (*);
	INFILE	  - A pkcs7 (signature?) file (*);
	OUTFILE   - Output file (*);
	
(*) - Optional parameters;

EXAMPLE:

	print $openssl->pkcs7Cert( PKCS7=>$data, OUTFILE=>$target );

sub getDigest () - Get a message digest.

This function returns a message digest. Default digest
algorithm used is MD5. Accepted parameters are:

	DATA      - Data on which to perform digest;
	ALGORITHM - Algorithm to be used(*);
	
(*) - Optional parameters;

EXAMPLE:

	print $openssl->getDigest( DATA=>$data,
				   ALGORITHM=>sha1);

sub updateDB () - Updates the OpenSSL index.txt

This functions updates the index.txt file and returns the
output of the command in the form:

	<SER>=Expired

Accepted parameters are:

	CAKEY   - CA private key file;
	CACERT  - CA certificate file;
	PASSWD  - Password to decrypt priv. CA key(*);
	OUTFILE - Output file(*);

(*) - Optional parameters;

EXAMPLE:

	$ret = $openssl->updateDB();

Exportable constants

CTX_TEST
EXFLAG_BCONS
EXFLAG_CA
EXFLAG_INVALID
EXFLAG_KUSAGE
EXFLAG_NSCERT
EXFLAG_SET
EXFLAG_SS
EXFLAG_V1
EXFLAG_XKUSAGE
GEN_DIRNAME
GEN_DNS
GEN_EDIPARTY
GEN_EMAIL
GEN_IPADD
GEN_OTHERNAME
GEN_RID
GEN_URI
GEN_X400
KU_CRL_SIGN
KU_DATA_ENCIPHERMENT
KU_DECIPHER_ONLY
KU_DIGITAL_SIGNATURE
KU_ENCIPHER_ONLY
KU_KEY_AGREEMENT
KU_KEY_CERT_SIGN
KU_KEY_ENCIPHERMENT
KU_NON_REPUDIATION
NS_OBJSIGN
NS_OBJSIGN_CA
NS_SMIME
NS_SMIME_CA
NS_SSL_CA
NS_SSL_CLIENT
NS_SSL_SERVER
X509V3_EXT_CTX_DEP
X509V3_EXT_DYNAMIC
X509V3_EXT_MULTILINE
X509V3_F_COPY_EMAIL
X509V3_F_COPY_ISSUER
X509V3_F_DO_EXT_CONF
X509V3_F_DO_EXT_I2D
X509V3_F_HEX_TO_STRING
X509V3_F_I2S_ASN1_ENUMERATED
X509V3_F_I2S_ASN1_INTEGER
X509V3_F_I2V_AUTHORITY_INFO_ACCESS
X509V3_F_NOTICE_SECTION
X509V3_F_NREF_NOS
X509V3_F_POLICY_SECTION
X509V3_F_R2I_CERTPOL
X509V3_F_S2I_ASN1_IA5STRING
X509V3_F_S2I_ASN1_INTEGER
X509V3_F_S2I_ASN1_OCTET_STRING
X509V3_F_S2I_ASN1_SKEY_ID
X509V3_F_S2I_S2I_SKEY_ID
X509V3_F_STRING_TO_HEX
X509V3_F_SXNET_ADD_ASC
X509V3_F_SXNET_ADD_ID_INTEGER
X509V3_F_SXNET_ADD_ID_ULONG
X509V3_F_SXNET_GET_ID_ASC
X509V3_F_SXNET_GET_ID_ULONG
X509V3_F_V2I_ACCESS_DESCRIPTION
X509V3_F_V2I_ASN1_BIT_STRING
X509V3_F_V2I_AUTHORITY_KEYID
X509V3_F_V2I_BASIC_CONSTRAINTS
X509V3_F_V2I_CRLD
X509V3_F_V2I_EXT_KU
X509V3_F_V2I_GENERAL_NAME
X509V3_F_V2I_GENERAL_NAMES
X509V3_F_V3_GENERIC_EXTENSION
X509V3_F_X509V3_ADD_VALUE
X509V3_F_X509V3_EXT_ADD
X509V3_F_X509V3_EXT_ADD_ALIAS
X509V3_F_X509V3_EXT_CONF
X509V3_F_X509V3_EXT_I2D
X509V3_F_X509V3_GET_VALUE_BOOL
X509V3_F_X509V3_PARSE_LIST
X509V3_F_X509_PURPOSE_ADD
X509V3_R_BAD_IP_ADDRESS
X509V3_R_BAD_OBJECT
X509V3_R_BN_DEC2BN_ERROR
X509V3_R_BN_TO_ASN1_INTEGER_ERROR
X509V3_R_DUPLICATE_ZONE_ID
X509V3_R_ERROR_CONVERTING_ZONE
X509V3_R_ERROR_IN_EXTENSION
X509V3_R_EXPECTED_A_SECTION_NAME
X509V3_R_EXTENSION_NAME_ERROR
X509V3_R_EXTENSION_NOT_FOUND
X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED
X509V3_R_EXTENSION_VALUE_ERROR
X509V3_R_ILLEGAL_HEX_DIGIT
X509V3_R_INVALID_BOOLEAN_STRING
X509V3_R_INVALID_EXTENSION_STRING
X509V3_R_INVALID_NAME
X509V3_R_INVALID_NULL_ARGUMENT
X509V3_R_INVALID_NULL_NAME
X509V3_R_INVALID_NULL_VALUE
X509V3_R_INVALID_NUMBER
X509V3_R_INVALID_NUMBERS
X509V3_R_INVALID_OBJECT_IDENTIFIER
X509V3_R_INVALID_OPTION
X509V3_R_INVALID_POLICY_IDENTIFIER
X509V3_R_INVALID_SECTION
X509V3_R_INVALID_SYNTAX
X509V3_R_ISSUER_DECODE_ERROR
X509V3_R_MISSING_VALUE
X509V3_R_NEED_ORGANIZATION_AND_NUMBERS
X509V3_R_NO_CONFIG_DATABASE
X509V3_R_NO_ISSUER_CERTIFICATE
X509V3_R_NO_ISSUER_DETAILS
X509V3_R_NO_POLICY_IDENTIFIER
X509V3_R_NO_PUBLIC_KEY
X509V3_R_NO_SUBJECT_DETAILS
X509V3_R_ODD_NUMBER_OF_DIGITS
X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS
X509V3_R_UNABLE_TO_GET_ISSUER_KEYID
X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT
X509V3_R_UNKNOWN_EXTENSION
X509V3_R_UNKNOWN_EXTENSION_NAME
X509V3_R_UNKNOWN_OPTION
X509V3_R_UNSUPPORTED_OPTION
X509V3_R_USER_TOO_LONG
X509_PURPOSE_ANY
X509_PURPOSE_CRL_SIGN
X509_PURPOSE_DYNAMIC
X509_PURPOSE_DYNAMIC_NAME
X509_PURPOSE_MAX
X509_PURPOSE_MIN
X509_PURPOSE_NS_SSL_SERVER
X509_PURPOSE_SMIME_ENCRYPT
X509_PURPOSE_SMIME_SIGN
X509_PURPOSE_SSL_CLIENT
X509_PURPOSE_SSL_SERVER
XKU_CODE_SIGN
XKU_SGC
XKU_SMIME
XKU_SSL_CLIENT
XKU_SSL_SERVER

AUTHOR

Massimiliano Pala <madwolf@openca.org> Julio Sanchez, <j_sanchez@localdomain>

SEE ALSO

OpenCA::X509, OpenCA::CRL, OpenCA::REQ, OpenCA::TRIStateCGI, OpenCA::Configuration

cpanm OpenCA::OpenSSL

perl -MCPAN -e shell
install OpenCA::OpenSSL