1Crypt::X509(3) User Contributed Perl Documentation Crypt::X509(3)
2
3
4
6 Crypt::X509 - Parse a X.509 certificate
7
9 use Crypt::X509;
10
11 $decoded = Crypt::X509->new( cert => $cert );
12
13 $subject_email = $decoded->subject_email;
14 print "do not use after: ".gmtime($decoded->not_after)." GMT\n";
15
17 Convert::ASN1
18
20 Crypt::X509 parses X.509 certificates. Methods are provided for
21 accessing most certificate elements.
22
23 It is based on the generic ASN.1 module by Graham Barr, on the
24 x509decode example by Norbert Klasen and contributions on the perl-
25 ldap-dev-Mailinglist by Chriss Ridd.
26
28 new ( OPTIONS )
29 Creates and returns a parsed X.509 certificate hash, containing the
30 parsed contents. The data is organised as specified in RFC 2459. By
31 default only the first ASN.1 Layer is decoded. Nested decoding is done
32 automagically through the data access methods.
33
34 cert => $certificate
35 A variable containing the DER formatted certificate to be parsed
36 (eg. as stored in "usercertificate;binary" attribute in an LDAP-
37 directory).
38
39 use Crypt::X509;
40 use Data::Dumper;
41
42 $decoded= Crypt::X509->new(cert => $cert);
43
44 print Dumper($decoded);
45
47 error
48 Returns the last error from parsing, "undef" when no error occured.
49 This error is updated on deeper parsing with the data access methods.
50
51 $decoded= Crypt::X509->new(cert => $cert);
52 if ($decoded->error) {
53 warn "Error on parsing Certificate:".$decoded->error;
54 }
55
57 You can access all parsed data directly from the returned hash. For
58 convenience the following methods have been implemented to give quick
59 access to the most-used certificate attributes.
60
61 version
62 Returns the certificate's version as an integer. NOTE that version is
63 defined as an Integer where 0 = v1, 1 = v2, and 2 = v3.
64
65 version_string
66 Returns the certificate's version as a string value.
67
68 serial
69 returns the serial number (integer or Math::BigInt Object, that gets
70 automagic evaluated in scalar context) from the certificate
71
72 $decoded= Crypt::X509->new(cert => $cert);
73 print "Certificate has serial number:".$decoded->serial."\n";
74
75 not_before
76 returns the GMT-timestamp of the certificate's beginning date of
77 validity. If the Certificate holds this Entry in utcTime, it is
78 guaranteed by the RFC to been correct.
79
80 As utcTime is limited to 32-bit values (like unix-timestamps) newer
81 certificates hold the timesamps as "generalTime"-entries. The contents
82 of "generalTime"-entries are not well defined in the RFC and are
83 returned by this module unmodified, if no utcTime-entry is found.
84
85 $decoded= Crypt::X509->new(cert => $cert);
86 if ($decoded->notBefore < time()) {
87 warn "Certificate: not yet valid!";
88 }
89
90 not_after
91 returns the GMT-timestamp of the certificate's ending date of validity.
92 If the Certificate holds this Entry in utcTime, it is guaranteed by the
93 RFC to been correct.
94
95 As utcTime is limited to 32-bit values (like unix-timestamps) newer
96 certificates hold the timesamps as "generalTime"-entries. The contents
97 of "generalTime"-entries are not well defined in the RFC and are
98 returned by this module unmodified, if no utcTime-entry is found.
99
100 $decoded= Crypt::X509->new(cert => $cert);
101 print "Certificate expires on ".gmtime($decoded->not_after)." GMT\n";
102
103 signature
104 Return's the certificate's signature in binary DER format.
105
106 pubkey
107 Returns the certificate's public key in binary DER format.
108
109 pubkey_size
110 Returns the certificate's public key size.
111
112 pubkey_algorithm
113 Returns the algorithm as OID string which the public key was created
114 with.
115
116 PubKeyAlg
117 returns the subject public key encryption algorithm (e.g. 'RSA') as
118 string.
119
120 $decoded= Crypt::X509->new(cert => $cert);
121 print "Certificate public key is encrypted with:".$decoded->PubKeyAlg."\n";
122
123 Example Output: Certificate public key is encrypted with: RSA
124
125 pubkey_components
126 If this certificate contains an RSA key, this function returns a
127 hashref { modulus => $m, exponent => $e) from that key; each value in
128 the hash will be an integer scalar or a Math::BigInt object.
129
130 For other pubkey types, it returns undef (implementations welcome!).
131
132 sig_algorithm
133 Returns the certificate's signature algorithm as OID string
134
135 $decoded= Crypt::X509->new(cert => $cert);
136 print "Certificate signature is encrypted with:".$decoded->sig_algorithm."\n";>
137
138 Example Output: Certificate signature is encrypted with: 1.2.840.113549.1.1.5
139
140 SigEncAlg
141 returns the signature encryption algorithm (e.g. 'RSA') as string.
142
143 $decoded= Crypt::X509->new(cert => $cert);
144 print "Certificate signature is encrypted with:".$decoded->SigEncAlg."\n";
145
146 Example Output: Certificate signature is encrypted with: RSA
147
148 SigHashAlg
149 returns the signature hashing algorithm (e.g. 'SHA1') as string.
150
151 $decoded= Crypt::X509->new(cert => $cert);
152 print "Certificate signature is hashed with:".$decoded->SigHashAlg."\n";
153
154 Example Output: Certificate signature is encrypted with: SHA1
155
156 Subject
157 returns a pointer to an array of strings containing subject nameparts
158 of the certificate. Attributenames for the most common Attributes are
159 translated from the OID-Numbers, unknown numbers are output verbatim.
160
161 $decoded= Convert::ASN1::X509->new($cert);
162 print "DN for this Certificate is:".join(',',@{$decoded->Subject})."\n";
163
164 subject_country
165 Returns the string value for subject's country (= the value with the
166 OID 2.5.4.6 or in DN Syntax everything after "C="). Only the first
167 entry is returned. "undef" if subject contains no country attribute.
168
169 subject_locality
170 Returns the string value for subject's locality (= the value with the
171 OID 2.5.4.7 or in DN Syntax everything after "l="). Only the first
172 entry is returned. "undef" if subject contains no locality attribute.
173
174 subject_state
175 Returns the string value for subject's state or province (= the value
176 with the OID 2.5.4.8 or in DN Syntax everything after "S="). Only the
177 first entry is returned. "undef" if subject contains no state
178 attribute.
179
180 subject_org
181 Returns the string value for subject's organization (= the value with
182 the OID 2.5.4.10 or in DN Syntax everything after "O="). Only the
183 first entry is returned. "undef" if subject contains no organization
184 attribute.
185
186 subject_ou
187 Returns the string value for subject's organizational unit (= the value
188 with the OID 2.5.4.11 or in DN Syntax everything after "OU="). Only
189 the first entry is returned. "undef" if subject contains no
190 organization attribute.
191
192 subject_cn
193 Returns the string value for subject's common name (= the value with
194 the OID 2.5.4.3 or in DN Syntax everything after "CN="). Only the
195 first entry is returned. "undef" if subject contains no common name
196 attribute.
197
198 subject_email
199 Returns the string value for subject's email address (= the value with
200 the OID 1.2.840.113549.1.9.1 or in DN Syntax everything after "E=").
201 Only the first entry is returned. "undef" if subject contains no email
202 attribute.
203
204 Issuer
205 returns a pointer to an array of strings building the DN of the
206 certificate issuer (= the DN of the CA). Attributenames for the most
207 common Attributes are translated from the OID-Numbers, unknown numbers
208 are output verbatim.
209
210 $decoded= Crypt::X509->new($cert);
211 print "Certificate was issued by:".join(',',@{$decoded->Issuer})."\n";
212
213 issuer_cn
214 Returns the string value for issuer's common name (= the value with the
215 OID 2.5.4.3 or in DN Syntax everything after "CN="). Only the first
216 entry is returned. "undef" if issuer contains no common name attribute.
217
218 issuer_country
219 Returns the string value for issuer's country (= the value with the
220 OID 2.5.4.6 or in DN Syntax everything after "C="). Only the first
221 entry is returned. "undef" if issuer contains no country attribute.
222
223 issuer_state
224 Returns the string value for issuer's state or province (= the value
225 with the OID 2.5.4.8 or in DN Syntax everything after "S="). Only the
226 first entry is returned. "undef" if issuer contains no state attribute.
227
228 issuer_locality
229 Returns the string value for issuer's locality (= the value with the
230 OID 2.5.4.7 or in DN Syntax everything after "L="). Only the first
231 entry is returned. "undef" if issuer contains no locality attribute.
232
233 issuer_org
234 Returns the string value for issuer's organization (= the value with
235 the OID 2.5.4.10 or in DN Syntax everything after "O="). Only the
236 first entry is returned. "undef" if issuer contains no organization
237 attribute.
238
239 issuer_email
240 Returns the string value for issuer's email address (= the value with
241 the OID 1.2.840.113549.1.9.1 or in DN Syntax everything after "E=").
242 Only the first entry is returned. "undef" if issuer contains no email
243 attribute.
244
245 KeyUsage
246 returns a pointer to an array of strings describing the valid Usages
247 for this certificate. "undef" is returned, when the extension is not
248 set in the certificate.
249
250 If the extension is marked critical, this is also reported.
251
252 $decoded= Crypt::X509->new(cert => $cert);
253 print "Allowed usages for this Certificate are:\n".join("\n",@{$decoded->KeyUsage})."\n";
254
255 Example Output:
256 Allowed usages for this Certificate are:
257 critical
258 digitalSignature
259 keyEncipherment
260 dataEncipherment
261
262 ExtKeyUsage
263 returns a pointer to an array of ExtKeyUsage strings (or OIDs for
264 unknown OIDs) or "undef" if the extension is not filled. OIDs of the
265 following ExtKeyUsages are known: serverAuth, clientAuth, codeSigning,
266 emailProtection, timeStamping, OCSPSigning
267
268 If the extension is marked critical, this is also reported.
269
270 $decoded= Crypt::X509->new($cert);
271 print "ExtKeyUsage extension of this Certificates is: ", join(", ", @{$decoded->ExtKeyUsage}), "\n";
272
273 Example Output: ExtKeyUsage extension of this Certificates is: critical, serverAuth
274
275 SubjectAltName
276 returns a pointer to an array of strings containing alternative
277 Subjectnames or "undef" if the extension is not filled. Usually this
278 Extension holds the e-Mail address for person-certificates or DNS-Names
279 for server certificates.
280
281 It also pre-pends the field type (ie rfc822Name) to the returned value.
282
283 $decoded= Crypt::X509->new($cert);
284 print "E-Mail or Hostnames in this Certificates is/are:", join(", ", @{$decoded->SubjectAltName}), "\n";
285
286 Example Output: E-Mail or Hostnames in this Certificates is/are: rfc822Name=user@server.com
287
288 authorityCertIssuer
289 returns a pointer to an array of strings building the DN of the
290 Authority Cert Issuer. Attributenames for the most common Attributes
291 are translated from the OID-Numbers, unknown numbers are output
292 verbatim. undef if the extension is not set in the certificate.
293
294 $decoded= Crypt::X509->new($cert);
295 print "Certificate was authorised by:".join(',',@{$decoded->authorityCertIssuer})."\n";
296
297 authority_serial
298 Returns the authority's certificate serial number.
299
300 key_identifier
301 Returns the authority key identifier or undef if it is a rooted cert
302
303 authority_cn
304 Returns the authority's ca.
305
306 authority_country
307 Returns the authority's country.
308
309 authority_state
310 Returns the authority's state.
311
312 authority_locality
313 Returns the authority's locality.
314
315 authority_org
316 Returns the authority's organization.
317
318 authority_email
319 Returns the authority's email.
320
321 CRLDistributionPoints
322 Returns the CRL distribution points as an array of strings (with one
323 value usually)
324
325 CRLDistributionPoints2
326 Returns the CRL distribution points as an array of hashes (allowing for
327 some variations)
328
329 CertificatePolicies
330 Returns the CertificatePolicies as an array of strings
331
332 EntrustVersionInfo
333 Returns the EntrustVersion as a string
334
335 print "Entrust Version: ", $decoded->EntrustVersion, "\n";
336
337 Example Output: Entrust Version: V7.0
338
339 SubjectDirectoryAttributes
340 Returns the SubjectDirectoryAttributes as an array of key = value
341 pairs, to include a data type
342
343 print "Subject Directory Attributes: ", join( ', ' , @{ $decoded->SubjectDirectoryAttributes } ), "\n";
344
345 Example Output: Subject Directory Attributes: 1.2.840.113533.7.68.29 = 7 (integer)
346
347 BasicConstraints
348 Returns the BasicConstraints as an array and the criticallity pre-
349 pended.
350
351 subject_keyidentifier
352 Returns the subject key identifier from the extensions.
353
354 SubjectInfoAccess
355 Returns the SubjectInfoAccess as an array of hashes with key=value
356 pairs.
357
358 print "Subject Info Access: ";
359 if ( defined $decoded->SubjectInfoAccess ) {
360 my %SIA = $decoded->SubjectInfoAccess;
361 for my $key ( keys %SIA ) {
362 print "\n\t$key: \n\t";
363 print join( "\n\t" , @{ $SIA{$key} } ), "\n";
364 }
365 } else { print "\n" }
366
367 Example Output:
368 Subject Info Access:
369 1.3.6.1.5.5.7.48.5:
370 uniformResourceIdentifier = http://pki.treas.gov/root_sia.p7c
371 uniformResourceIdentifier = ldap://ldap.treas.gov/ou=US%20Treasury%20Root%20CA,ou=Certification%20Authorities,ou=Department%20of%20the%20Treasury,o=U.S.%20Government,c=US?cACertificate;binary,crossCertificatePair;binary
372
373 PGPExtension
374 Returns the creation timestamp of the corresponding OpenPGP key. (see
375 http://www.imc.org/ietf-openpgp/mail-archive/msg05320.html)
376
377 print "PGPExtension: ";
378 if ( defined $decoded->PGPExtension ) {
379 my $creationtime = $decoded->PGPExtension;
380 printf "\n\tcorresponding OpenPGP Creation Time: ", $creationtime, "\n";
381 }
382
383 Example Output:
384 PGPExtension:
385 whatever
386
388 See the examples of "Convert::ASN1" and the <perl-ldap@perl.org>
389 Mailing List. An example on how to load certificates can be found in
390 t\Crypt-X509.t.
391
393 This module is based on the x509decode script, which was contributed to
394 Convert::ASN1 in 2002 by Norbert Klasen.
395
397 Mike Jackson <mj@sci.fi>, Alexander Jung <alexander.w.jung@gmail.com>,
398 Duncan Segrest <duncan@gigageek.info>
399
401 Copyright (c) 2005 Mike Jackson <mj@sci.fi>. Copyright (c) 2001-2002
402 Norbert Klasen, DAASI International GmbH.
403
404 All rights reserved. This program is free software; you can
405 redistribute it and/or modify it under the same terms as Perl itself.
406
407
408
409perl v5.32.0 2020-07-28 Crypt::X509(3)