NAME
Crypt::PKCS10 - parse PKCS #10 certificate requests
VERSION
version 1.7
SYNOPSIS
use Crypt::PKCS10;
Crypt::PKCS10->setAPIversion( 1 );
my $decoded = Crypt::PKCS10->new( $csr ) or die Crypt::PKCS10->error;
print $decoded;
@names = $decoded->extensionValue('subjectAltName' );
@names = $decoded->subject unless( @names );
%extensions = map { $_ => $decoded->extensionValue( $_ ) } $decoded->extensions
DESCRIPTION
Crypt::PKCS10
parses PKCS #10 certificate requests (CSRs) and provides accessor methods to extract the data in usable form.
Common object identifiers will be translated to their corresponding names. Additionally, accessor methods allow extraction of single data fields. The format of returned data varies by accessor.
The access methods return the value corresponding to their name. If called in scalar context, they return the first value (or an empty string). If called in array context, they return all values.
true values should be specified as 1 and false values as 0. Future API changes may provide different functions when other values are used.
NAME
Crypt::PKCS10 - parse PKCS #10 certificate requests
METHODS
Access methods may exist for subject name components that are not listed here. To test for these, use code of the form:
$locality = $decoded->localityName if( $decoded->can('localityName') );
If a name component exists in a CSR, the method will be present. The converse is not (always) true.
class method setAPIversion( $version )
Selects the API version (0 or 1) expected.
Must be called before calling any other method.
- Version 0 - DEPRECATED
-
Some OID names have spaces and descriptions
This is the format used for
Crypt::PKCS10
version 1.3 and lower. The attributes method returns legacy data. - Version 1
-
OID names from RFCs - or at least compatible with OpenSSL and ASN.1 notation. The attributes method conforms to version 1.
If not called, a warning will be generated and the API will default to version 0.
In a future release, the warning will be changed to a fatal exception.
To ease migration, both old and new names are accepted by the API.
Every program should call setAPIversion(1)
.
class method new( $csr, %options )
Constructor, creates a new object containing the parsed PKCS #10 certificate request.
$csr
may be a scalar containing the request, a file name, or a file handle from which to read it.
If a file name is specified, the readFile
option must be specified.
If a file handle is supplied, the caller should specify acceptPEM => 0
if the contents are DER.
The request may be PEM or binary DER encoded. Only one request is processed.
If PEM, other data (such as mail headers) may precede or follow the CSR.
my $decoded = Crypt::PKCS10->new( $csr ) or die Crypt::PKCS10->error;
Returns undef
if there is an I/O error or the request can not be parsed successfully.
Call error()
to obtain more detail.
options
The options are specified as name => value
.
If the first option is a HASHREF, it is expanded and any remaining options are added.
- acceptPEM
-
If false, the input must be in DER format.
binmode
will be called on a file handle.If true, the input is checked for a PEM certificate request. If not found, the csr is assumed to be in DER format.
Default is true.
- escapeStrings
-
If true, strings returned for extension and attribute values are '\'-escaped when formatted. This is compatible with OpenSSL configuration files.
The special characters are: '\', '$', and '"'
If false, these strings are not '\'-escaped. This is useful when they are being displayed to a human.
The default is true.
- ignoreNonBase64
-
If true, most invalid base64 characters in PEM data will be ignored. For example, this will accept CSRs prefixed with '> ', as e-mail when the PEM is inadvertently quoted. Note that the BEGIN and END lines may not be corrupted.
If false, invalid base64 characters in PEM data will cause the CSR to be rejected.
The default is false.
- readFile
-
If true,
$csr
is the name of a file containing the CSR.If false,
$csr
contains the CSR or is an open file handle.The default is false.
- verifySignature
-
If true, the CSR's signature is checked. If verification fails,
new
will fail.If false, the CSR's signature is not checked.
The default is true for API version 1 and false for API version 0.
No exceptions are generated.
The object will stringify to a human-readable representation of the CSR. This is useful for debugging and perhaps for displaying a request. However, the format is not part of the API and may change. It should not be parsed by automated tools.
Exception: The public key and extracted request are PEM blocks, which other tools can extract.
class method error
Returns a string describing the last error encountered;
class method name2oid( $oid )
Returns the OID corresponding to a name returned by an access method.
Not in API v0;
csrRequest( $format )
Returns the binary (ASN.1) request (after conversion from PEM and removal of any data beyond the length of the ASN.1 structure.
If $format is true, the request is returned as a PEM CSR. Otherwise as a binary string.
certificationRequest
Returns the binary (ASN.1) section of the request that is signed by the requestor.
The caller can verify the signature using signatureAlgorithm, certificationRequest and signature(1).
Access methods for the subject's distinguished name
Note that subjectAltName is prefered, and that modern certificate users will ignore the subject if subjectAltName is present.
subject( $format )
Returns the entire subject of the CSR.
In scalar context, returns the subject as a string in the form /componentName=value,value
. If format is true, long component names are used. By default, abbreviations are used when they exist.
e.g. /countryName=AU/organizationalUnitName=Big org/organizationalUnitName=Smaller org
or /C=AU/OU=Big org/OU=Smaller org
In array context, returns an array of (componentName, [values])
pairs. Abbreviations are not used.
Note that the order of components in a name is significant.
commonName
Returns the common name(s) from the subject.
my $cn = $decoded->commonName();
organizationalUnitName
Returns the organizational unit name(s) from the subject
organizationName
Returns the organization name(s) from the subject.
emailAddress
Returns the email address from the subject.
stateOrProvinceName
Returns the state or province name(s) from the subject.
countryName
Returns the country name(s) from the subject.
subjectAltName( $type )
Convenience method.
When $type is specified: returns the subject alternate name values of the specified type in list context, or the first value of the specified type in scalar context.
Returns undefined/empty list if no values of the specified type are present, or if the subjectAltName extension is not present.
Types can be any of:
otherName
* rfc822Name
* dNSName
x400Address
directoryName
ediPartyName
* uniformResourceIdentifier
* iPAddress
* registeredID
The types marked with '*' are the most common.
If $type
is not specified: In list context returns the types present in the subjectAlternate name. In scalar context, returns the SAN as a string.
version
Returns the structure version as a string, e.g. "v1" "v2", or "v3"
pkAlgorithm
Returns the public key algorithm according to its object identifier.
subjectPublicKey( $format )
If $format
is true, the public key will be returned in PEM format.
Otherwise, the public key will be returned in its hexadecimal representation
subjectPublicKeyParams
Returns a hash describing the public key. The contents vary depending on the public key type.
Standard items:
keytype
- ECC, RSA, DSA
keylen
- Approximate length of the key in bits.
Other items include:
For RSA, modulus
and publicExponent
.
For DSA, G, P and Q
.
For ECC, curve
, pub_x
and pub_y
. curve
is an OID name.
Additional detail
subjectPublicKeyParams(1)
returns the standard items, and may also return detail
, which is a hashref.
For ECC, the detail
hash includes the curve definition constants.
signatureAlgorithm
Returns the signature algorithm according to its object identifier.
signatureParams
Returns the parameters associated with the signatureAlgorithm as binary. Returns undef if none, or if NULL.
Note: In the future, some signatureAlgorithms may return a hashref of decoded fields.
Callers are advised to check for a ref before decoding...
signature( $format )
The CSR's signature is returned.
If $format
is 1, in binary.
If $format
is 2, decoded as an ECDSA signature - returns hashref to r
and s
.
Otherwise, in its hexadecimal representation.
attributes( $name )
A request may contain a set of attributes. The attributes are OIDs with values. The most common is a list of requested extensions, but other OIDs can also occur. Of those, challengePassword is typical.
For API version 0, this method returns a hash consisting of all attributes in an internal format. This usage is deprecated.
For API version 1:
If $name is not specified, a list of attribute names is returned. The list does not include the requestedExtensions attribute. For that, use extensions();
If no attributes are present, the empty list (undef
in scalar context) is returned.
If $name is specified, the value of the extension is returned. $name can be specified as a numeric OID.
In scalar context, a single string is returned, which may include lists and labels.
cspName="Microsoft Strong Cryptographic Provider",keySpec=2,signature=("",0)
Special characters are escaped as described in options.
In array context, the value(s) are returned as a list of items, which may be references.
print( " $_: ", scalar $decoded->attributes($_), "\n" )
foreach ($decoded->attributes);
See the Table of known OID names below for a list of names.
extensions
Returns an array containing the names of all extensions present in the CSR. If no extensions are present, the empty list is returned.
The names vary depending on the API version; however, the returned names are acceptable to extensionValue
, extensionPresent
, and name2oid
.
The values of extensions vary, however the following code fragment will dump most extensions and their value(s).
print( "$_: ", $decoded->extensionValue($_,1), "\n" ) foreach ($decoded->extensions);
The sample code fragment is not guaranteed to handle all cases. Production code needs to select the extensions that it understands and should respect the critical boolean. critical can be obtained with extensionPresent.
extensionValue( $name, $format )
Returns the value of an extension by name, e.g. extensionValue( 'keyUsage' )
. The name SHOULD be an API v1 name, but API v0 names are accepted for compatibility. The name can also be specified as a numeric OID.
If $format
is 1, the value is a formatted string, which may include lists and labels. Special characters are escaped as described in options;
If $format
is 0 or not defined, a string, or an array reference may be returned. The array many contain any Perl variable type.
To interpret the value(s), you need to know the structure of the OID.
See the Table of known OID names below for a list of names.
extensionPresent( $name )
Returns true if a named extension is present: If the extension is critical, returns 2. Otherwise, returns 1, indicating not critical, but present.
If the extension is not present, returns undef
.
The name can also be specified as a numeric OID.
See the Table of known OID names below for a list of names.
registerOID( )
Class method.
Register a custom OID, or a public OID that has not been added to Crypt::PKCS10 yet.
The OID may be an extension identifier or an RDN component.
The oid is specified as a string in numeric form, e.g. '1.2.3.4'
registerOID( $oid )
Returns true if the specified OID is registered, false otherwise.
registerOID( $oid, $longname, $shortname )
Registers the specified OID with the associated long name. This enables the OID to be translated to a name in output.
The long name should be Hungarian case (commonName), but this is not currently enforced.
Optionally, specify the short name used for extracting the subject. The short name should be upper-case (and will be upcased).
E.g. built-in are $oid => '2.4.5.3', $longname => 'commonName', $shortname => 'CN'
To register a shortname for an existing OID without one, specify $longname
as undef
.
E.g. To register /E for emailAddress, use: Crypt::PKCS10->registerOID( '1.2.840.113549.1.9.1', undef, 'e' )
Generates an exception if any argument is not valid, or is in use.
Returns true otherwise.
checkSignature
Verifies the signature of a CSR. (Useful if new() specified verifySignature => 0
.)
Returns true if the signature is OK.
Returns false if the signature is incorrect. Crypt::PKCS10->error
returns the reason.
Returns undef if there was an error in the verification process (e.g. a required Perl module could not be loaded.)
certificateTemplate
CertificateTemplate
returns the certificateTemplate attribute.
Equivalent to extensionValue( 'certificateTemplate' )
, which is prefered.
Table of known OID names
The following OID names are known. They are used in returned strings and structures, and as names by methods such as extensionValue.
Unknown OIDs are returned in numeric form, or can be registered with registerOID.
OID Name (API v1) Old Name (API v0)
-------------------------- -------------------------- ---------------------------
0.9.2342.19200300.100.1.1 userID
0.9.2342.19200300.100.1.25 domainComponent
1.2.840.10040.4.1 dsa (DSA)
1.2.840.10040.4.3 dsaWithSha1 (DSA with SHA1)
1.2.840.10045.2.1 ecPublicKey
1.2.840.10045.3.1.1 secp192r1
1.2.840.10045.3.1.7 secp256r1
1.2.840.10045.4.3.1 ecdsa-with-SHA224
1.2.840.10045.4.3.2 ecdsa-with-SHA256
1.2.840.10045.4.3.3 ecdsa-with-SHA384
1.2.840.10045.4.3.4 ecdsa-with-SHA512
1.2.840.113549.1.1.1 rsaEncryption (RSA encryption)
1.2.840.113549.1.1.2 md2WithRSAEncryption (MD2 with RSA encryption)
1.2.840.113549.1.1.3 md4WithRSAEncryption
1.2.840.113549.1.1.4 md5WithRSAEncryption (MD5 with RSA encryption)
1.2.840.113549.1.1.5 sha1WithRSAEncryption (SHA1 with RSA encryption)
1.2.840.113549.1.1.6 rsaOAEPEncryptionSET
1.2.840.113549.1.1.7 RSAES-OAEP
1.2.840.113549.1.1.11 sha256WithRSAEncryption (SHA-256 with RSA encryption)
1.2.840.113549.1.1.12 sha384WithRSAEncryption
1.2.840.113549.1.1.13 sha512WithRSAEncryption (SHA-512 with RSA encryption)
1.2.840.113549.1.1.14 sha224WithRSAEncryption
1.2.840.113549.1.9.1 emailAddress
1.2.840.113549.1.9.2 unstructuredName
1.2.840.113549.1.9.7 challengePassword
1.2.840.113549.1.9.14 extensionRequest
1.2.840.113549.1.9.15 smimeCapabilities (SMIMECapabilities)
1.3.6.1.4.1.311.2.1.14 CERT_EXTENSIONS
1.3.6.1.4.1.311.2.1.21 msCodeInd
1.3.6.1.4.1.311.2.1.22 msCodeCom
1.3.6.1.4.1.311.10.3.1 msCTLSign
1.3.6.1.4.1.311.10.3.2 msTimeStamping
1.3.6.1.4.1.311.10.3.3 msSGC
1.3.6.1.4.1.311.10.3.4 msEFS
1.3.6.1.4.1.311.10.3.4.1 msEFSRecovery
1.3.6.1.4.1.311.10.3.5 msWHQLCrypto
1.3.6.1.4.1.311.10.3.6 msNT5Crypto
1.3.6.1.4.1.311.10.3.7 msOEMWHQLCrypto
1.3.6.1.4.1.311.10.3.8 msEmbeddedNTCrypto
1.3.6.1.4.1.311.10.3.9 msRootListSigner
1.3.6.1.4.1.311.10.3.10 msQualifiedSubordination
1.3.6.1.4.1.311.10.3.11 msKeyRecovery
1.3.6.1.4.1.311.10.3.12 msDocumentSigning
1.3.6.1.4.1.311.10.3.13 msLifetimeSigning
1.3.6.1.4.1.311.10.3.14 msMobileDeviceSoftware
1.3.6.1.4.1.311.13.1 RENEWAL_CERTIFICATE
1.3.6.1.4.1.311.13.2.1 ENROLLMENT_NAME_VALUE_PAIR
1.3.6.1.4.1.311.13.2.2 ENROLLMENT_CSP_PROVIDER
1.3.6.1.4.1.311.13.2.3 OS_Version
1.3.6.1.4.1.311.20.2 certificateTemplateName
1.3.6.1.4.1.311.20.2.2 msSmartCardLogon
1.3.6.1.4.1.311.21.7 certificateTemplate
1.3.6.1.4.1.311.21.10 ApplicationCertPolicies
1.3.6.1.4.1.311.21.20 ClientInformation
1.3.6.1.5.2.3.5 keyPurposeKdc (KDC Authentication)
1.3.6.1.5.5.7.2.1 CPS
1.3.6.1.5.5.7.2.2 userNotice
1.3.6.1.5.5.7.3.1 serverAuth
1.3.6.1.5.5.7.3.2 clientAuth
1.3.6.1.5.5.7.3.3 codeSigning
1.3.6.1.5.5.7.3.4 emailProtection
1.3.6.1.5.5.7.3.8 timeStamping
1.3.6.1.5.5.7.3.9 OCSPSigning
1.3.6.1.5.5.7.3.21 sshClient
1.3.6.1.5.5.7.3.22 sshServer
1.3.6.1.5.5.7.9.5 countryOfResidence
1.3.14.3.2.29 sha1WithRSAEncryption (SHA1 with RSA signature)
1.3.36.3.3.2.8.1.1.1 brainpoolP160r1
1.3.36.3.3.2.8.1.1.2 brainpoolP160t1
1.3.36.3.3.2.8.1.1.3 brainpoolP192r1
1.3.36.3.3.2.8.1.1.4 brainpoolP192t1
1.3.36.3.3.2.8.1.1.5 brainpoolP224r1
1.3.36.3.3.2.8.1.1.6 brainpoolP224t1
1.3.36.3.3.2.8.1.1.7 brainpoolP256r1
1.3.36.3.3.2.8.1.1.8 brainpoolP256t1
1.3.36.3.3.2.8.1.1.9 brainpoolP320r1
1.3.36.3.3.2.8.1.1.10 brainpoolP320t1
1.3.36.3.3.2.8.1.1.11 brainpoolP384r1
1.3.36.3.3.2.8.1.1.12 brainpoolP384t1
1.3.36.3.3.2.8.1.1.13 brainpoolP512r1
1.3.36.3.3.2.8.1.1.14 brainpoolP512t1
1.3.132.0.1 sect163k1
1.3.132.0.15 sect163r2
1.3.132.0.16 sect283k1
1.3.132.0.17 sect283r1
1.3.132.0.26 sect233k1
1.3.132.0.27 sect233r1
1.3.132.0.33 secp224r1
1.3.132.0.34 secp384r1
1.3.132.0.35 secp521r1
1.3.132.0.36 sect409k1
1.3.132.0.37 sect409r1
1.3.132.0.38 sect571k1
1.3.132.0.39 sect571r1
2.5.4.3 commonName
2.5.4.4 surname (Surname)
2.5.4.5 serialNumber
2.5.4.6 countryName
2.5.4.7 localityName
2.5.4.8 stateOrProvinceName
2.5.4.9 streetAddress
2.5.4.10 organizationName
2.5.4.11 organizationalUnitName
2.5.4.12 title (Title)
2.5.4.13 description (Description)
2.5.4.14 searchGuide
2.5.4.15 businessCategory
2.5.4.16 postalAddress
2.5.4.17 postalCode
2.5.4.18 postOfficeBox
2.5.4.19 physicalDeliveryOfficeName
2.5.4.20 telephoneNumber
2.5.4.23 facsimileTelephoneNumber
2.5.4.41 name (Name)
2.5.4.42 givenName
2.5.4.43 initials
2.5.4.44 generationQualifier
2.5.4.45 uniqueIdentifier
2.5.4.46 dnQualifier
2.5.4.51 houseIdentifier
2.5.4.65 pseudonym
2.5.29.14 subjectKeyIdentifier (SubjectKeyIdentifier)
2.5.29.15 keyUsage (KeyUsage)
2.5.29.17 subjectAltName
2.5.29.19 basicConstraints (Basic Constraints)
2.5.29.32 certificatePolicies
2.5.29.32.0 anyPolicy
2.5.29.37 extKeyUsage (EnhancedKeyUsage)
2.16.840.1.101.3.4.2.1 sha256 (SHA-256)
2.16.840.1.101.3.4.2.2 sha384 (SHA-384)
2.16.840.1.101.3.4.2.3 sha512 (SHA-512)
2.16.840.1.101.3.4.2.4 sha224 (SHA-224)
2.16.840.1.101.3.4.3.1 dsaWithSha224
2.16.840.1.101.3.4.3.2 dsaWithSha256
2.16.840.1.101.3.4.3.3 dsaWithSha384
2.16.840.1.101.3.4.3.4 dsaWithSha512
2.16.840.1.113730.1.1 netscapeCertType
2.16.840.1.113730.1.2 netscapeBaseUrl
2.16.840.1.113730.1.4 netscapeCaRevocationUrl
2.16.840.1.113730.1.7 netscapeCertRenewalUrl
2.16.840.1.113730.1.8 netscapeCaPolicyUrl
2.16.840.1.113730.1.12 netscapeSSLServerName
2.16.840.1.113730.1.13 netscapeComment
2.16.840.1.113730.4.1 nsSGC
EXAMPLES
In addition to the code snippets contained in this document, the examples/ directory of the distribution contains some sample utilitiles.
Also, the t/ directory of the distribution contains a number of tests that exercise the API. Although artificial, they are another good source of examples.
Note that the type of data returned when extracting attributes and extensions is dependent on the specific OID used.
Also note that some functions not listed in this document are tested. The fact that they are tested does not imply that they are stable, or that they will be present in any future release.
The test data was selected to exercise the API; the CSR contents are not representative of realistic certificate requests.
ACKNOWLEDGEMENTS
Martin Bartosch contributed preliminary EC support: OIDs and tests.
Timothe Litt made most of the changes for V1.4+
Crypt::PKCS10
is based on the generic ASN.1 module by Graham Barr and on the x509decode example by Norbert Klasen. It is also based upon the works of Duncan Segrest's Crypt-X509-CRL
module.
AUTHORS
Gideon Knocke <gknocke@cpan.org>
Timothe Litt <tlhackque@cpan.org>
COPYRIGHT AND LICENSE
This software is copyright (c) 2014, 2016 by Gideon Knocke, Timothe Litt.
This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.
BUG REPORTS
Please report any bugs or feature requests on the bugtracker website https://rt.cpan.org/Public/Dist/Display.html?Name=Crypt-PKCS10 or by email to bug-crypt-pkcs10@rt.cpan.org.
When submitting a bug or request, please include a test-file or a patch to an existing test-file that illustrates the bug or desired feature.