NAME

Crypt::NSS::X509::Certificate - NSS Certificate functions

SYNOPSIS

use 5.10.1;
use Perl6::Slurp;

use Crypt::NSS::X509;

my $cert = Crypt::NSS::X509::Certificate->new(slurp('derfile'));

say $cert->subject();
say $cert->issuer();

my $valid = $cert->verify_cert();

if ( ! $cert->match_name('www.testdomain') ) {
  # Domain does not match certificate information
  exit(1);
}

ABSTRACT

Perl interface for the certificate access parts of the NSS API.

DESCRIPTION

This class gives access to most of the certificate handling functions of NSS. For information on how to load and initialize the NSS library, please refer to Crypt::NSS::X509.

FUNCTIONS

CONSTRUCTORS

new ( DERSTRING )

Creates a new NSS::Certificate object from the provided der-encoded certificate string.

The function croaks with the NSS error in case NSS cannot parse or import the certificate

new_from_pem ( STRING )

Creates a new NSS::Certificate object from the pem-encoded certificate string. Behaves exactly as new ( ).

new_from_nick ( STRING )

Creates a new NSS::Certificate object from the certificate database given a certificate nickname. Returns undef if no fitting certificate could be found.

ACCESSORS

subject: Returns the certificate subject as string.
issuer: Returns the certificate issuer as string.
serial: Returns the hex-encoded serial number of the certificate.
notBefore: Returns the not before time as a string.
notAfter: Returns the notAfter tine as a string.
subj_alt_name: Returns the certificate subject alternative name (if present). May croak if the extension field in the certificate is invalid.
version: Returns the certificate version number.
common_name: Returns the most specific common name specified in the certificate subject.
is_root: Returns true if NSS thinks that the certificate is a root (selfsigned) certificate and false otherwise.
sig_alg_name: Returns the name of the signature algorithm.
key_alg_name: Returns the name of the encryption algorithm.
bit_length: Bit length of the certificate key
public_key: Hex representation of the public key of the certificate (also available under the name modulus, for historical reasons
modulus: Alias for public_key.
nickname: Return the NSS certificate nickname.
dbnickname: Return the NSS certificate database nickname.
raw_spki: Return the encoded subject public key info part of the certificate. Can be used for uniquely identifying a public key (after hashing).
exponent: RSA exponent of the public key of the certificate. Croaks, if the certificate does not contain an RSA key, so check first using key_alg_name.
curve: Name of the EC-curve used in the certificate. Croaks if the certificate is not an EC-certificate.
fingerprint_md5: Hex-encoded md5 fingerprint of the certificate
fingerprint_sha1: Hex-encoded sha1 fingerprint of the certificate
fingerprint_sha256: Hex-encoded sha256 fingerprint of the certificate
der: Return the der-encoded certificate

VERIFICATION FUNCTIONS

These functions allow verification of certificate chains. Please note that for most of them a database has to be used and a root-certificate list has to be loaded. See Crypt::NSS::X509.

There are several different verification functions, because the NSS library offers a variety of methods to validate certificates. You probably want to either use verify_certificate or verify_pkix.

match_name ( HOSTNAME )

Return true is NSS considers the hostname to be valid for the certificate. Returns false otherwise.

verify_certificate( [TIME], [USAGE] )

Returns 1 if the certificate can be validated up to a root-certificate. Otherwise returns the numeric NSS error code. Time can contain the unix timestamp of the verification time. Usage can contain a the certificate usage - usually certUsageSSLServer is assumed.

verify_cert ( [TIME], [USAGE] )

Same as verify_certificate, just using the verify_cert NSS function instead of the verify_certificate NSS function.

This is (basically) the verification function that is used by Firefox at the moment (they add a few more special checks in the Firefox codebase).

verify_certificate_pkix( [TIME], [USAGE] )

Same as verify_certificate, just using the PKIX library for validation by using CERT_SetUsePKIXForValidation.

verify_certificate_log( [TIME], [USAGE] )

Same verification as in verify_certificate; however this function returns an empty list in case of success. In case of error, a list of hashes is returned. The hash contains the certificate that generated the error and the error code.

This allows to see which certificate in a certificate chain was responsible for preventing the validation of the chain. If several errors occur, the list may contain several hashes with differing error codes.

verify_certificate_pkix_log( [TIME], [USAGE] )

Like verify_certificate_log, just using the PKIX library for validation by using CERT_SetUsePKIXForValidation.

verify_cert_log ( [TIME], [USAGE] )

Same as verify_certificate_log, just using the verify_cert NSS function instead of the verify_certificate NSS function.

verify_pkix ( [TIME], [USAGE], [TRUSTED CERT LIST )

Returns 1 if the certificate can be validated up to a root-certificate using the CERT_PKIXVerifyCert function. Otherwise returns the numeric NSS error code. This function is (basically) used by Chrome to validate certificates.

Trusted cert list can contain a NSS::CertList, of trusted certificates. Please note that it is not a good idea to just load all root-certificates into a NSS::CertList and try to validate using this function, without using a NSS database backend; chain validation does not work correctly in that case.

verify_pkix_aia ( [TIME], [USAGE], [TRUSTED CERT LIST )

Same as verify_pkix, but tries to retrieve missing intermediate certificates using the Authority Information Access (AIA) field in the certificate (if present).

get_cert_chain_from_cert( [TIME], [USAGE] )

Get a Crypt::NSS::X509::CertList containing the certificate chain up to a root-certificate for the current certificate.

AUTHOR

Bernhard Amann, <bernhard@icsi.berkeley.edu>

COPYRIGHT AND LICENSE

This Library Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.

The library contains source code of the Mozilla Network Security Services; for NSS license information please see http://www.mozilla.org/projects/security/pki/ nss/.

To install Crypt::NSS::X509, copy and paste the appropriate command in to your terminal.

cpanm

cpanm Crypt::NSS::X509

CPAN shell

perl -MCPAN -e shell
install Crypt::NSS::X509

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)