1 | /* |
2 | * qca_cert.h - Qt Cryptographic Architecture |
3 | * Copyright (C) 2003-2007 Justin Karneges <justin@affinix.com> |
4 | * Copyright (C) 2004-2006 Brad Hards <bradh@frogmouth.net> |
5 | * |
6 | * This library is free software; you can redistribute it and/or |
7 | * modify it under the terms of the GNU Lesser General Public |
8 | * License as published by the Free Software Foundation; either |
9 | * version 2.1 of the License, or (at your option) any later version. |
10 | * |
11 | * This library is distributed in the hope that it will be useful, |
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
14 | * Lesser General Public License for more details. |
15 | * |
16 | * You should have received a copy of the GNU Lesser General Public |
17 | * License along with this library; if not, write to the Free Software |
18 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
19 | * 02110-1301 USA |
20 | * |
21 | */ |
22 | |
23 | /** |
24 | \file qca_cert.h |
25 | |
26 | Header file for PGP key and X.509 certificate related classes |
27 | |
28 | \note You should not use this header directly from an |
29 | application. You should just use <tt> \#include \<QtCrypto> |
30 | </tt> instead. |
31 | */ |
32 | |
33 | #ifndef QCA_CERT_H |
34 | #define QCA_CERT_H |
35 | |
36 | #include "qca_core.h" |
37 | #include "qca_publickey.h" |
38 | #include <QDateTime> |
39 | |
40 | namespace QCA { |
41 | |
42 | class CertContext; |
43 | class CSRContext; |
44 | class CRLContext; |
45 | class Certificate; |
46 | class CRL; |
47 | class CertificateCollection; |
48 | class CertificateChain; |
49 | |
50 | /** |
51 | Certificate Request Format |
52 | */ |
53 | enum CertificateRequestFormat |
54 | { |
55 | PKCS10, ///< standard PKCS#10 format |
56 | SPKAC ///< Signed Public Key and Challenge (Netscape) format |
57 | }; |
58 | |
59 | /** |
60 | Known types of information stored in certificates |
61 | |
62 | This enumerator offers a convenient way to work with common types. |
63 | */ |
64 | enum CertificateInfoTypeKnown |
65 | { |
66 | CommonName, ///< The common name (eg person), id = "2.5.4.3" |
67 | Email, ///< Email address, id = "GeneralName.rfc822Name" |
68 | EmailLegacy, ///< PKCS#9 Email field, id = "1.2.840.113549.1.9.1" |
69 | Organization, ///< An organisation (eg company), id = "2.5.4.10" |
70 | OrganizationalUnit, ///< An part of an organisation (eg a division or branch), id = "2.5.4.11" |
71 | Locality, ///< The locality (eg city, a shire, or part of a state), id = "2.5.4.7" |
72 | IncorporationLocality, ///< The locality of incorporation (EV certificates), id = "1.3.6.1.4.1.311.60.2.1.1" |
73 | State, ///< The state within the country, id = "2.5.4.8" |
74 | IncorporationState, ///< The state of incorporation (EV certificates), id = "1.3.6.1.4.1.311.60.2.1.2" |
75 | Country, ///< The country, id = "2.5.4.6" |
76 | IncorporationCountry, ///< The country of incorporation (EV certificates), id = "1.3.6.1.4.1.311.60.2.1.3" |
77 | URI, ///< Uniform Resource Identifier, id = "GeneralName.uniformResourceIdentifier" |
78 | DNS, ///< DNS name, id = "GeneralName.dNSName" |
79 | IPAddress, ///< IP address, id = "GeneralName.iPAddress" |
80 | XMPP ///< XMPP address (see http://www.ietf.org/rfc/rfc3920.txt), id = "1.3.6.1.5.5.7.8.5" |
81 | }; |
82 | |
83 | /** |
84 | \class CertificateInfoType qca_cert.h QtCrypto |
85 | |
86 | Certificate information type |
87 | |
88 | This class represents a type of information being stored in |
89 | a certificate. It can be created either using a known type |
90 | (from the Known enumerator) or an identifier string (usually |
91 | an OID). Types created either way are interchangeable. |
92 | |
93 | Types also have the notion of a Section. Some types may |
94 | reside in the Distinguished Name field of a certificate, and |
95 | some types may reside in the Subject Alternative Name field. |
96 | This class is capable of representing a type from either |
97 | section. |
98 | |
99 | In the general case, applications will want to use the |
100 | CertificateInfoTypeKnown enumerator types. These are from RFC3280 |
101 | (http://www.ietf.org/rfc/rfc3280.txt) except where shown. |
102 | |
103 | The entries for IncorporationLocality, IncorporationState |
104 | and IncorporationCountry are the same as Locality, State |
105 | and Country respectively, except that the Extended |
106 | Validation (EV) certificate guidelines (published by the |
107 | %Certificate Authority / Browser Forum, see |
108 | http://www.cabforum.org) distinguish between the place of |
109 | where the company does business (which is the Locality / |
110 | State / Country combination) and the jurisdiction where the |
111 | company is legally incorporated (the IncorporationLocality |
112 | / IncorporationState / IncorporationCountry combination). |
113 | |
114 | \sa Certificate::subjectInfo() and Certificate::issuerInfo() |
115 | \sa CRL::issuerInfo() |
116 | |
117 | \ingroup UserAPI |
118 | */ |
119 | class QCA_EXPORT CertificateInfoType |
120 | { |
121 | public: |
122 | /** |
123 | Section of the certificate that the information belongs in |
124 | */ |
125 | enum Section |
126 | { |
127 | DN, ///< Distinguished name (the primary name) |
128 | AlternativeName ///< Alternative name |
129 | }; |
130 | |
131 | /** |
132 | Standard constructor |
133 | */ |
134 | CertificateInfoType(); |
135 | |
136 | /** |
137 | Construct a new type |
138 | |
139 | The section will be derived by \a known. |
140 | |
141 | \param known the type as part of the CertificateInfoTypeKnown |
142 | enumerator |
143 | */ |
144 | CertificateInfoType(CertificateInfoTypeKnown known); |
145 | |
146 | /** |
147 | Construct a new type |
148 | |
149 | \param id the type as an identifier string (OID or internal) |
150 | \param section the section this type belongs in |
151 | |
152 | \sa id |
153 | */ |
154 | CertificateInfoType(const QString &id, Section section); |
155 | |
156 | /** |
157 | Standard copy constructor |
158 | |
159 | \param from the certificate information to copy from |
160 | */ |
161 | CertificateInfoType(const CertificateInfoType &from); |
162 | |
163 | ~CertificateInfoType(); |
164 | |
165 | /** |
166 | Standard assignment operator |
167 | |
168 | \param from the certificate information to assign from |
169 | */ |
170 | CertificateInfoType &operator=(const CertificateInfoType &from); |
171 | |
172 | /** |
173 | The section the type is part of |
174 | */ |
175 | Section section() const; |
176 | |
177 | /** |
178 | The type as part of the CertificateInfoTypeKnown enumerator |
179 | |
180 | This function may return a value that does not exist in the |
181 | enumerator. In that case, you may use id() to determine the |
182 | type. |
183 | */ |
184 | CertificateInfoTypeKnown known() const; |
185 | |
186 | /** |
187 | The type as an identifier string |
188 | |
189 | For types that have OIDs, this function returns an OID in string |
190 | form. For types that do not have OIDs, this function returns an |
191 | internal identifier string whose first character is not a digit |
192 | (this allows you to tell the difference between an OID and an |
193 | internal identifier). |
194 | |
195 | It is hereby stated that General Names (of the X.509 Subject |
196 | Alternative Name) shall use the internal identifier format |
197 | "GeneralName.[rfc field name]". For example, the rfc822Name |
198 | field would have the identifier "GeneralName.rfc822Name". |
199 | |
200 | Applications should not store, use, or compare against internal |
201 | identifiers unless the identifiers are explicitly documented |
202 | (e.g. GeneralName). |
203 | */ |
204 | QString id() const; |
205 | |
206 | /** |
207 | Comparison operator |
208 | |
209 | \param other the certificate information to compare with this |
210 | certificate information. |
211 | */ |
212 | bool operator<(const CertificateInfoType &other) const; |
213 | |
214 | /** |
215 | Comparison operator |
216 | |
217 | \param other the certificate information to compare with this |
218 | certificate information. |
219 | */ |
220 | bool operator==(const CertificateInfoType &other) const; |
221 | |
222 | /** |
223 | Inequality operator |
224 | |
225 | \param other the certificate information to compare with this |
226 | certificate information. |
227 | */ |
228 | inline bool operator!=(const CertificateInfoType &other) const |
229 | { |
230 | return !(*this == other); |
231 | } |
232 | |
233 | private: |
234 | class Private; |
235 | QSharedDataPointer<Private> d; |
236 | }; |
237 | |
238 | /** |
239 | \class CertificateInfoPair qca_cert.h QtCrypto |
240 | |
241 | One entry in a certificate information list |
242 | |
243 | \ingroup UserAPI |
244 | */ |
245 | class QCA_EXPORT CertificateInfoPair |
246 | { |
247 | public: |
248 | /** |
249 | Standard constructor |
250 | */ |
251 | CertificateInfoPair(); |
252 | |
253 | /** |
254 | Construct a new pair |
255 | |
256 | \param type the type of information stored in this pair |
257 | \param value the value of the information to be stored |
258 | */ |
259 | CertificateInfoPair(const CertificateInfoType &type, const QString &value); |
260 | |
261 | /** |
262 | Standard copy constructor |
263 | |
264 | \param from the information pair to copy from |
265 | */ |
266 | CertificateInfoPair(const CertificateInfoPair &from); |
267 | |
268 | ~CertificateInfoPair(); |
269 | |
270 | /** |
271 | Standard assignment operator |
272 | |
273 | \param from the information pair to assign from |
274 | */ |
275 | CertificateInfoPair &operator=(const CertificateInfoPair &from); |
276 | |
277 | /** |
278 | The type of information stored in the pair |
279 | */ |
280 | CertificateInfoType type() const; |
281 | |
282 | /** |
283 | The value of the information stored in the pair |
284 | */ |
285 | QString value() const; |
286 | |
287 | /** |
288 | Comparison operator |
289 | |
290 | \param other the certificate information pair to compare with this |
291 | certificate information pair. |
292 | */ |
293 | bool operator==(const CertificateInfoPair &other) const; |
294 | |
295 | /** |
296 | Inequality operator |
297 | |
298 | \param other the certificate information pair to compare with this |
299 | certificate information pair. |
300 | */ |
301 | inline bool operator!=(const CertificateInfoPair &other) const |
302 | { |
303 | return !(*this == other); |
304 | } |
305 | |
306 | private: |
307 | class Private; |
308 | QSharedDataPointer<Private> d; |
309 | }; |
310 | |
311 | /** |
312 | Known types of certificate constraints |
313 | |
314 | This enumerator offers a convenient way to work with common types. |
315 | */ |
316 | enum ConstraintTypeKnown |
317 | { |
318 | // KeyUsage |
319 | DigitalSignature, ///< %Certificate can be used to create digital signatures, id = "KeyUsage.digitalSignature" |
320 | NonRepudiation, ///< %Certificate can be used for non-repudiation, id = "KeyUsage.nonRepudiation" |
321 | KeyEncipherment, ///< %Certificate can be used for encrypting / decrypting keys, id = "KeyUsage.keyEncipherment" |
322 | DataEncipherment, ///< %Certificate can be used for encrypting / decrypting data, id = "KeyUsage.dataEncipherment" |
323 | KeyAgreement, ///< %Certificate can be used for key agreement, id = "KeyUsage.keyAgreement" |
324 | KeyCertificateSign, ///< %Certificate can be used for key certificate signing, id = "KeyUsage.keyCertSign" |
325 | CRLSign, ///< %Certificate can be used to sign %Certificate Revocation Lists, id = "KeyUsage.crlSign" |
326 | EncipherOnly, ///< %Certificate can only be used for encryption, id = "KeyUsage.encipherOnly" |
327 | DecipherOnly, ///< %Certificate can only be used for decryption, id = "KeyUsage.decipherOnly" |
328 | |
329 | // ExtKeyUsage |
330 | ServerAuth, ///< %Certificate can be used for server authentication (e.g. web server), id = "1.3.6.1.5.5.7.3.1". |
331 | ///< This is an extended usage constraint. |
332 | ClientAuth, ///< %Certificate can be used for client authentication (e.g. web browser), id = "1.3.6.1.5.5.7.3.2". |
333 | ///< This is an extended usage constraint. |
334 | CodeSigning, ///< %Certificate can be used to sign code, id = "1.3.6.1.5.5.7.3.3". This is an extended usage |
335 | ///< constraint. |
336 | EmailProtection, ///< %Certificate can be used to sign / encrypt email, id = "1.3.6.1.5.5.7.3.4". This is an |
337 | ///< extended usage constraint. |
338 | IPSecEndSystem, ///< %Certificate can be used to authenticate a endpoint in IPSEC, id = "1.3.6.1.5.5.7.3.5". This is |
339 | ///< an extended usage constraint. |
340 | IPSecTunnel, ///< %Certificate can be used to authenticate a tunnel in IPSEC, id = "1.3.6.1.5.5.7.3.6". This is an |
341 | ///< extended usage constraint. |
342 | IPSecUser, ///< %Certificate can be used to authenticate a user in IPSEC, id = "1.3.6.1.5.5.7.3.7". This is an |
343 | ///< extended usage constraint. |
344 | TimeStamping, ///< %Certificate can be used to create a "time stamp" signature, id = "1.3.6.1.5.5.7.3.8". This is an |
345 | ///< extended usage constraint. |
346 | OCSPSigning ///< %Certificate can be used to sign an Online %Certificate Status Protocol (OCSP) assertion, id = |
347 | ///< "1.3.6.1.5.5.7.3.9". This is an extended usage constraint. |
348 | }; |
349 | |
350 | /** |
351 | \class ConstraintType qca_cert.h QtCrypto |
352 | |
353 | Certificate constraint |
354 | |
355 | X.509 certificates can be constrained in their application - that is, some |
356 | certificates can only be used for certain purposes. This class is used to |
357 | identify an approved purpose for a certificate. |
358 | |
359 | \note It is common for a certificate to have more than one purpose. |
360 | |
361 | \ingroup UserAPI |
362 | */ |
363 | class QCA_EXPORT ConstraintType |
364 | { |
365 | public: |
366 | /** |
367 | Section of the certificate that the constraint belongs in |
368 | */ |
369 | enum Section |
370 | { |
371 | KeyUsage, ///< Stored in the key usage section |
372 | ExtendedKeyUsage ///< Stored in the extended key usage section |
373 | }; |
374 | |
375 | /** |
376 | Standard constructor |
377 | */ |
378 | ConstraintType(); |
379 | |
380 | /** |
381 | Construct a new constraint |
382 | |
383 | The section will be derived by \a known. |
384 | |
385 | \param known the type as part of the ConstraintTypeKnown |
386 | enumerator |
387 | */ |
388 | ConstraintType(ConstraintTypeKnown known); |
389 | |
390 | /** |
391 | Construct a new constraint |
392 | |
393 | \param id the type as an identifier string (OID or internal) |
394 | \param section the section this type belongs in |
395 | |
396 | \sa id |
397 | */ |
398 | ConstraintType(const QString &id, Section section); |
399 | |
400 | /** |
401 | Standard copy constructor |
402 | |
403 | \param from the constraint type to copy from |
404 | */ |
405 | ConstraintType(const ConstraintType &from); |
406 | |
407 | ~ConstraintType(); |
408 | |
409 | /** |
410 | Standard assignment operator |
411 | |
412 | \param from the constraint type to assign from |
413 | */ |
414 | ConstraintType &operator=(const ConstraintType &from); |
415 | |
416 | /** |
417 | The section the constraint is part of |
418 | */ |
419 | Section section() const; |
420 | |
421 | /** |
422 | The type as part of the ConstraintTypeKnown enumerator |
423 | |
424 | This function may return a value that does not exist in the |
425 | enumerator. In that case, you may use id() to determine the |
426 | type. |
427 | */ |
428 | ConstraintTypeKnown known() const; |
429 | |
430 | /** |
431 | The type as an identifier string |
432 | |
433 | For types that have OIDs, this function returns an OID in string |
434 | form. For types that do not have OIDs, this function returns an |
435 | internal identifier string whose first character is not a digit |
436 | (this allows you to tell the difference between an OID and an |
437 | internal identifier). |
438 | |
439 | It is hereby stated that the KeyUsage bit fields shall use the |
440 | internal identifier format "KeyUsage.[rfc field name]". For |
441 | example, the keyEncipherment field would have the identifier |
442 | "KeyUsage.keyEncipherment". |
443 | |
444 | Applications should not store, use, or compare against internal |
445 | identifiers unless the identifiers are explicitly documented |
446 | (e.g. KeyUsage). |
447 | */ |
448 | QString id() const; |
449 | |
450 | /** |
451 | Comparison operator |
452 | |
453 | \param other the constraint type to compare with this constraint |
454 | */ |
455 | bool operator<(const ConstraintType &other) const; |
456 | |
457 | /** |
458 | Comparison operator |
459 | |
460 | \param other the constraint type to compare with this constraint |
461 | */ |
462 | bool operator==(const ConstraintType &other) const; |
463 | |
464 | /** |
465 | Inequality operator |
466 | |
467 | \param other the constraint type to compare with this constraint |
468 | */ |
469 | inline bool operator!=(const ConstraintType &other) const |
470 | { |
471 | return !(*this == other); |
472 | } |
473 | |
474 | private: |
475 | class Private; |
476 | QSharedDataPointer<Private> d; |
477 | }; |
478 | |
479 | /** |
480 | Specify the intended usage of a certificate |
481 | */ |
482 | enum UsageMode |
483 | { |
484 | UsageAny = 0x00, ///< Any application, or unspecified |
485 | UsageTLSServer = 0x01, ///< server side of a TLS or SSL connection |
486 | UsageTLSClient = 0x02, ///< client side of a TLS or SSL connection |
487 | UsageCodeSigning = 0x04, ///< code signing certificate |
488 | UsageEmailProtection = 0x08, ///< email (S/MIME) certificate |
489 | UsageTimeStamping = 0x10, ///< time stamping certificate |
490 | UsageCRLSigning = 0x20 ///< certificate revocation list signing certificate |
491 | }; |
492 | |
493 | /** |
494 | The validity (or otherwise) of a certificate |
495 | */ |
496 | enum Validity |
497 | { |
498 | ValidityGood, ///< The certificate is valid |
499 | ErrorRejected, ///< The root CA rejected the certificate purpose |
500 | ErrorUntrusted, ///< The certificate is not trusted |
501 | ErrorSignatureFailed, ///< The signature does not match |
502 | ErrorInvalidCA, ///< The Certificate Authority is invalid |
503 | ErrorInvalidPurpose, ///< The purpose does not match the intended usage |
504 | ErrorSelfSigned, ///< The certificate is self-signed, and is not found in the list of trusted certificates |
505 | ErrorRevoked, ///< The certificate has been revoked |
506 | ErrorPathLengthExceeded, ///< The path length from the root CA to this certificate is too long |
507 | ErrorExpired, ///< The certificate has expired, or is not yet valid (e.g. current time is earlier than notBefore |
508 | ///< time) |
509 | ErrorExpiredCA, ///< The Certificate Authority has expired |
510 | ErrorValidityUnknown = 64 ///< Validity is unknown |
511 | }; |
512 | |
513 | /** |
514 | The conditions to validate for a certificate |
515 | */ |
516 | enum ValidateFlags |
517 | { |
518 | ValidateAll = 0x00, // Verify all conditions |
519 | ValidateRevoked = 0x01, // Verify the certificate was not revoked |
520 | ValidateExpired = 0x02, // Verify the certificate has not expired |
521 | ValidatePolicy = 0x04 // Verify the certificate can be used for a specified purpose |
522 | }; |
523 | |
524 | /** |
525 | Certificate properties type |
526 | |
527 | With this container, the information is not necessarily stored |
528 | in the same sequence as the certificate format itself. Use this |
529 | container if the order the information is/was stored does not |
530 | matter for you (this is the case with most applications). |
531 | |
532 | Additionally, the EmailLegacy type should not be used with this |
533 | container. Use Email instead. |
534 | */ |
535 | typedef QMultiMap<CertificateInfoType, QString> CertificateInfo; |
536 | |
537 | /** |
538 | \class CertificateInfoOrdered qca_cert.h QtCrypto |
539 | |
540 | Ordered certificate properties type |
541 | |
542 | This container stores the information in the same sequence as |
543 | the certificate format itself. |
544 | |
545 | \ingroup UserAPI |
546 | */ |
547 | class CertificateInfoOrdered : public QList<CertificateInfoPair> |
548 | { |
549 | public: |
550 | /** |
551 | Convert to RFC 1779 string format |
552 | */ |
553 | inline QString toString() const; |
554 | |
555 | /** |
556 | Return a new CertificateInfoOrdered that only contains |
557 | the Distinguished Name (DN) types found in this object. |
558 | */ |
559 | inline CertificateInfoOrdered dnOnly() const; |
560 | }; |
561 | |
562 | /** |
563 | Convert to RFC 1779 string format |
564 | |
565 | \param in the certificate info to convert |
566 | */ |
567 | QCA_EXPORT QString orderedToDNString(const CertificateInfoOrdered &in); |
568 | |
569 | /** |
570 | Return a new CertificateInfoOrdered that only contains |
571 | the Distinguished Name (DN) types found in the input object. |
572 | |
573 | \param in the certificate info to extract from |
574 | */ |
575 | QCA_EXPORT CertificateInfoOrdered orderedDNOnly(const CertificateInfoOrdered &in); |
576 | |
577 | inline QString CertificateInfoOrdered::toString() const |
578 | { |
579 | return orderedToDNString(in: *this); |
580 | } |
581 | |
582 | inline CertificateInfoOrdered CertificateInfoOrdered::dnOnly() const |
583 | { |
584 | return orderedDNOnly(in: *this); |
585 | } |
586 | |
587 | /** |
588 | %Certificate constraints type |
589 | */ |
590 | typedef QList<ConstraintType> Constraints; |
591 | |
592 | /** |
593 | Create a list of unique friendly names among a list of certificates |
594 | |
595 | \param list the list of certificates for which a friendly name is required. |
596 | |
597 | */ |
598 | QCA_EXPORT QStringList makeFriendlyNames(const QList<Certificate> &list); |
599 | |
600 | /** |
601 | \class CertificateOptions qca_cert.h QtCrypto |
602 | |
603 | %Certificate options |
604 | |
605 | \note In SPKAC mode, all options are ignored except for challenge |
606 | |
607 | \ingroup UserAPI |
608 | */ |
609 | class QCA_EXPORT CertificateOptions |
610 | { |
611 | public: |
612 | /** |
613 | Create a Certificate options set |
614 | |
615 | \param format the format to create the certificate request in |
616 | */ |
617 | CertificateOptions(CertificateRequestFormat format = PKCS10); |
618 | |
619 | /** |
620 | Standard copy constructor |
621 | |
622 | \param from the Certificate Options to copy into this object |
623 | */ |
624 | CertificateOptions(const CertificateOptions &from); |
625 | ~CertificateOptions(); |
626 | |
627 | /** |
628 | Standard assignment operator |
629 | |
630 | \param from the Certificate Options to copy into this object |
631 | */ |
632 | CertificateOptions &operator=(const CertificateOptions &from); |
633 | |
634 | /** |
635 | test the format type for this certificate |
636 | */ |
637 | CertificateRequestFormat format() const; |
638 | |
639 | /** |
640 | Specify the format for this certificate |
641 | |
642 | \param f the format to use |
643 | */ |
644 | void setFormat(CertificateRequestFormat f); |
645 | |
646 | /** |
647 | Test if the certificate options object is valid |
648 | |
649 | \return true if the certificate options object is valid |
650 | */ |
651 | bool isValid() const; |
652 | |
653 | /** |
654 | The challenge part of the certificate |
655 | |
656 | For CertificateRequest only |
657 | |
658 | \sa setChallenge |
659 | */ |
660 | QString challenge() const; |
661 | |
662 | /** |
663 | Information on the subject of the certificate |
664 | |
665 | \sa setInfo |
666 | */ |
667 | CertificateInfo info() const; |
668 | |
669 | /** |
670 | Information on the subject of the certificate, in the |
671 | exact order the items will be written |
672 | |
673 | \sa setInfoOrdered |
674 | */ |
675 | CertificateInfoOrdered infoOrdered() const; |
676 | |
677 | /** |
678 | List the constraints on this certificate |
679 | */ |
680 | Constraints constraints() const; |
681 | |
682 | /** |
683 | list the policies on this certificate |
684 | */ |
685 | QStringList policies() const; |
686 | |
687 | /** |
688 | list of URI locations for CRL files |
689 | |
690 | each URI refers to the same CRL file |
691 | |
692 | For Certificate creation only |
693 | */ |
694 | QStringList crlLocations() const; |
695 | |
696 | /** |
697 | list of URI locations for issuer certificate files |
698 | |
699 | each URI refers to the same issuer file |
700 | |
701 | For Certificate creation only |
702 | */ |
703 | QStringList issuerLocations() const; |
704 | |
705 | /** |
706 | list of URI locations for OCSP services |
707 | |
708 | For Certificate creation only |
709 | */ |
710 | QStringList ocspLocations() const; |
711 | |
712 | /** |
713 | test if the certificate is a CA cert |
714 | |
715 | \sa setAsCA |
716 | \sa setAsUser |
717 | */ |
718 | bool isCA() const; |
719 | |
720 | /** |
721 | return the path limit on this certificate |
722 | */ |
723 | int pathLimit() const; |
724 | |
725 | /** |
726 | The serial number for the certificate |
727 | |
728 | For Certificate creation only |
729 | */ |
730 | BigInteger serialNumber() const; |
731 | |
732 | /** |
733 | the first time the certificate will be valid |
734 | |
735 | For Certificate creation only |
736 | */ |
737 | QDateTime notValidBefore() const; |
738 | |
739 | /** |
740 | the last time the certificate is valid |
741 | |
742 | For Certificate creation only |
743 | */ |
744 | QDateTime notValidAfter() const; |
745 | |
746 | /** |
747 | Specify the challenge associated with this |
748 | certificate |
749 | |
750 | \param s the challenge string |
751 | |
752 | \sa challenge() |
753 | */ |
754 | void setChallenge(const QString &s); |
755 | |
756 | /** |
757 | Specify information for the subject associated with the |
758 | certificate |
759 | |
760 | \param info the information for the subject |
761 | |
762 | \sa info() |
763 | */ |
764 | void setInfo(const CertificateInfo &info); |
765 | |
766 | /** |
767 | Specify information for the subject associated with the |
768 | certificate |
769 | |
770 | \param info the information for the subject |
771 | |
772 | \sa info() |
773 | */ |
774 | void setInfoOrdered(const CertificateInfoOrdered &info); |
775 | |
776 | /** |
777 | set the constraints on the certificate |
778 | |
779 | \param constraints the constraints to be used for the certificate |
780 | */ |
781 | void setConstraints(const Constraints &constraints); |
782 | |
783 | /** |
784 | set the policies on the certificate |
785 | |
786 | \param policies the policies to be used for the certificate |
787 | */ |
788 | void setPolicies(const QStringList &policies); |
789 | |
790 | /** |
791 | set the CRL locations of the certificate |
792 | |
793 | each location refers to the same CRL. |
794 | |
795 | \param locations a list of URIs to CRL files |
796 | */ |
797 | void setCRLLocations(const QStringList &locations); |
798 | |
799 | /** |
800 | set the issuer certificate locations of the certificate |
801 | |
802 | each location refers to the same issuer file. |
803 | |
804 | \param locations a list of URIs to issuer certificate files |
805 | */ |
806 | void setIssuerLocations(const QStringList &locations); |
807 | |
808 | /** |
809 | set the OCSP service locations of the certificate |
810 | |
811 | \param locations a list of URIs to OCSP services |
812 | */ |
813 | void setOCSPLocations(const QStringList &locations); |
814 | |
815 | /** |
816 | set the certificate to be a CA cert |
817 | |
818 | \param pathLimit the number of intermediate certificates allowable |
819 | */ |
820 | void setAsCA(int pathLimit = 8); // value from Botan |
821 | |
822 | /** |
823 | set the certificate to be a user cert (this is the default) |
824 | */ |
825 | void setAsUser(); |
826 | |
827 | /** |
828 | Set the serial number property on this certificate |
829 | |
830 | \param i the serial number to use |
831 | */ |
832 | void setSerialNumber(const BigInteger &i); |
833 | |
834 | /** |
835 | Set the validity period for the certificate |
836 | |
837 | \param start the first time this certificate becomes valid |
838 | \param end the last time this certificate is valid |
839 | */ |
840 | void setValidityPeriod(const QDateTime &start, const QDateTime &end); |
841 | |
842 | private: |
843 | class Private; |
844 | Private *d; |
845 | }; |
846 | |
847 | /** |
848 | \class Certificate qca_cert.h QtCrypto |
849 | |
850 | Public Key (X.509) certificate |
851 | |
852 | This class contains one X.509 certificate |
853 | |
854 | \ingroup UserAPI |
855 | */ |
856 | class QCA_EXPORT Certificate : public Algorithm |
857 | { |
858 | public: |
859 | /** |
860 | Create an empty Certificate |
861 | */ |
862 | Certificate(); |
863 | |
864 | /** |
865 | Create a Certificate from a PEM encoded file |
866 | |
867 | \param fileName the name (and path, if required) |
868 | of the file that contains the PEM encoded certificate |
869 | */ |
870 | Certificate(const QString &fileName); |
871 | |
872 | /** |
873 | Create a Certificate with specified options and a specified private |
874 | key |
875 | |
876 | \param opts the options to use |
877 | \param key the private key for this certificate |
878 | \param provider the provider to use to create this key, if a |
879 | particular provider is required |
880 | */ |
881 | Certificate(const CertificateOptions &opts, const PrivateKey &key, const QString &provider = QString()); |
882 | |
883 | /** |
884 | Standard copy constructor |
885 | |
886 | \param from the certificate to copy from |
887 | */ |
888 | Certificate(const Certificate &from); |
889 | |
890 | ~Certificate() override; |
891 | |
892 | /** |
893 | Standard assignment operator |
894 | |
895 | \param from the Certificate to assign from |
896 | */ |
897 | Certificate &operator=(const Certificate &from); |
898 | |
899 | /** |
900 | Test if the certificate is empty (null) |
901 | \return true if the certificate is null |
902 | */ |
903 | bool isNull() const; |
904 | |
905 | /** |
906 | The earliest date that the certificate is valid |
907 | */ |
908 | QDateTime notValidBefore() const; |
909 | |
910 | /** |
911 | The latest date that the certificate is valid |
912 | */ |
913 | QDateTime notValidAfter() const; |
914 | |
915 | /** |
916 | Properties of the subject of the certificate, as a QMultiMap |
917 | |
918 | This is the method that provides information on the |
919 | subject organisation, common name, DNS name, and so |
920 | on. The list of information types (i.e. the key to |
921 | the multi-map) is a CertificateInfoType. The values |
922 | are a list of QString. |
923 | |
924 | An example of how you can iterate over the list is: |
925 | \code |
926 | foreach( QString dns, info.values(QCA::DNS) ) |
927 | { |
928 | std::cout << " " << qPrintable(dns) << std::endl; |
929 | } |
930 | \endcode |
931 | */ |
932 | CertificateInfo subjectInfo() const; |
933 | |
934 | /** |
935 | Properties of the subject of the certificate, as |
936 | an ordered list (QList of CertificateInfoPair). |
937 | |
938 | This allows access to the certificate information |
939 | in the same order as they appear in a certificate. |
940 | Each pair in the list has a type and a value. |
941 | |
942 | For example: |
943 | \code |
944 | CertificateInfoOrdered info = cert.subjectInfoOrdered(); |
945 | // info[0].type == CommonName |
946 | // info[0].value == "example.com" |
947 | \endcode |
948 | |
949 | \sa subjectInfo for an unordered version |
950 | \sa issuerInfoOrdered for the ordered information on the issuer |
951 | \sa CertificateInfoPair for the elements in the list |
952 | */ |
953 | CertificateInfoOrdered subjectInfoOrdered() const; |
954 | |
955 | /** |
956 | Properties of the issuer of the certificate |
957 | |
958 | \sa subjectInfo for how the return value works. |
959 | */ |
960 | CertificateInfo issuerInfo() const; |
961 | |
962 | /** |
963 | Properties of the issuer of the certificate, as |
964 | an ordered list (QList of CertificateInfoPair). |
965 | |
966 | This allows access to the certificate information |
967 | in the same order as they appear in a certificate. |
968 | Each pair in the list has a type and a value. |
969 | |
970 | \sa issuerInfo for an unordered version |
971 | \sa subjectInfoOrdered for the ordered information on the subject |
972 | \sa CertificateInfoPair for the elements in the list |
973 | */ |
974 | CertificateInfoOrdered issuerInfoOrdered() const; |
975 | |
976 | /** |
977 | The constraints that apply to this certificate |
978 | */ |
979 | Constraints constraints() const; |
980 | |
981 | /** |
982 | The policies that apply to this certificate |
983 | |
984 | Policies are specified as strings containing OIDs |
985 | */ |
986 | QStringList policies() const; |
987 | |
988 | /** |
989 | List of URI locations for CRL files |
990 | |
991 | Each URI refers to the same CRL file |
992 | */ |
993 | QStringList crlLocations() const; |
994 | |
995 | /** |
996 | List of URI locations for issuer certificate files |
997 | |
998 | Each URI refers to the same issuer file |
999 | */ |
1000 | QStringList issuerLocations() const; |
1001 | |
1002 | /** |
1003 | List of URI locations for OCSP services |
1004 | */ |
1005 | QStringList ocspLocations() const; |
1006 | |
1007 | /** |
1008 | The common name of the subject of the certificate |
1009 | |
1010 | Common names are normally the name of a person, company or |
1011 | organisation |
1012 | */ |
1013 | QString commonName() const; |
1014 | |
1015 | /** |
1016 | The serial number of the certificate |
1017 | */ |
1018 | BigInteger serialNumber() const; |
1019 | |
1020 | /** |
1021 | The public key associated with the subject of the certificate |
1022 | */ |
1023 | PublicKey subjectPublicKey() const; |
1024 | |
1025 | /** |
1026 | Test if the Certificate is valid as a %Certificate Authority |
1027 | |
1028 | \return true if the Certificate is valid as a %Certificate Authority |
1029 | */ |
1030 | bool isCA() const; |
1031 | |
1032 | /** |
1033 | Test if the Certificate is self-signed |
1034 | |
1035 | \return true if the certificate is self-signed |
1036 | */ |
1037 | bool isSelfSigned() const; |
1038 | |
1039 | /** |
1040 | Test if the Certificate has signed another Certificate |
1041 | object and is therefore the issuer |
1042 | |
1043 | \param other the certificate to test |
1044 | |
1045 | \return true if this certificate is the issuer of the argument |
1046 | */ |
1047 | bool isIssuerOf(const Certificate &other) const; |
1048 | |
1049 | /** |
1050 | The upper bound of the number of links in the certificate |
1051 | chain, if any |
1052 | */ |
1053 | int pathLimit() const; |
1054 | |
1055 | /** |
1056 | The signature algorithm used for the signature on this certificate |
1057 | */ |
1058 | SignatureAlgorithm signatureAlgorithm() const; |
1059 | |
1060 | /** |
1061 | The key identifier associated with the subject |
1062 | */ |
1063 | QByteArray subjectKeyId() const; |
1064 | |
1065 | /** |
1066 | The key identifier associated with the issuer |
1067 | */ |
1068 | QByteArray issuerKeyId() const; |
1069 | |
1070 | /** |
1071 | Check the validity of a certificate |
1072 | |
1073 | \param trusted a collection of trusted certificates |
1074 | \param untrusted a collection of additional certificates, not |
1075 | necessarily trusted |
1076 | \param u the use required for the certificate |
1077 | \param vf the conditions to validate |
1078 | |
1079 | \note This function may block |
1080 | */ |
1081 | Validity validate(const CertificateCollection &trusted, |
1082 | const CertificateCollection &untrusted, |
1083 | UsageMode u = UsageAny, |
1084 | ValidateFlags vf = ValidateAll) const; |
1085 | |
1086 | /** |
1087 | Export the Certificate into a DER format |
1088 | */ |
1089 | QByteArray toDER() const; |
1090 | |
1091 | /** |
1092 | Export the Certificate into a PEM format |
1093 | */ |
1094 | QString toPEM() const; |
1095 | |
1096 | /** |
1097 | Export the Certificate into PEM format in a file |
1098 | |
1099 | \param fileName the name of the file to use |
1100 | */ |
1101 | bool toPEMFile(const QString &fileName) const; |
1102 | |
1103 | /** |
1104 | Import the certificate from DER |
1105 | |
1106 | \param a the array containing the certificate in DER format |
1107 | \param result a pointer to a ConvertResult, which if not-null will |
1108 | be set to the conversion status |
1109 | \param provider the provider to use, if a specific provider is |
1110 | required |
1111 | |
1112 | \return the Certificate corresponding to the certificate in the |
1113 | provided array |
1114 | */ |
1115 | static Certificate |
1116 | fromDER(const QByteArray &a, ConvertResult *result = nullptr, const QString &provider = QString()); |
1117 | |
1118 | /** |
1119 | Import the certificate from PEM format |
1120 | |
1121 | \param s the string containing the certificate in PEM format |
1122 | \param result a pointer to a ConvertResult, which if not-null will |
1123 | be set to the conversion status |
1124 | \param provider the provider to use, if a specific provider is |
1125 | required |
1126 | |
1127 | \return the Certificate corresponding to the certificate in the |
1128 | provided string |
1129 | */ |
1130 | static Certificate fromPEM(const QString &s, ConvertResult *result = nullptr, const QString &provider = QString()); |
1131 | |
1132 | /** |
1133 | Import the certificate from a file |
1134 | |
1135 | \param fileName the name (and path, if required) of the file |
1136 | containing the certificate in PEM format |
1137 | \param result a pointer to a ConvertResult, which if not-null will |
1138 | be set to the conversion status |
1139 | \param provider the provider to use, if a specific provider is |
1140 | required |
1141 | |
1142 | \return the Certificate corresponding to the certificate in the |
1143 | provided string |
1144 | */ |
1145 | static Certificate |
1146 | fromPEMFile(const QString &fileName, ConvertResult *result = nullptr, const QString &provider = QString()); |
1147 | |
1148 | /** |
1149 | Test if the subject of the certificate matches a specified host |
1150 | name |
1151 | |
1152 | This will return true (indicating a match), if the specified host |
1153 | name meets the RFC 2818 validation rules with this certificate. |
1154 | |
1155 | If the host is an internationalized domain name, then it must be |
1156 | provided in unicode format, not in IDNA ACE/punycode format. |
1157 | |
1158 | \param host the name of the host to compare to |
1159 | */ |
1160 | bool matchesHostName(const QString &host) const; |
1161 | |
1162 | /** |
1163 | Test for equality of two certificates |
1164 | |
1165 | \param a the certificate to compare this certificate with |
1166 | |
1167 | \return true if the two certificates are the same |
1168 | */ |
1169 | bool operator==(const Certificate &a) const; |
1170 | |
1171 | /** |
1172 | Inequality operator |
1173 | |
1174 | \param other the certificate to compare this certificate with |
1175 | */ |
1176 | inline bool operator!=(const Certificate &other) const |
1177 | { |
1178 | return !(*this == other); |
1179 | } |
1180 | |
1181 | /** |
1182 | \internal |
1183 | |
1184 | \param c context (internal) |
1185 | */ |
1186 | void change(CertContext *c); |
1187 | |
1188 | private: |
1189 | class Private; |
1190 | friend class Private; |
1191 | QSharedDataPointer<Private> d; |
1192 | |
1193 | friend class CertificateChain; |
1194 | Validity chain_validate(const CertificateChain &chain, |
1195 | const CertificateCollection &trusted, |
1196 | const QList<CRL> &untrusted_crls, |
1197 | UsageMode u, |
1198 | ValidateFlags vf) const; |
1199 | CertificateChain |
1200 | chain_complete(const CertificateChain &chain, const QList<Certificate> &issuers, Validity *result) const; |
1201 | }; |
1202 | |
1203 | /** |
1204 | \class CertificateChain qca_cert.h QtCrypto |
1205 | |
1206 | A chain of related Certificates |
1207 | |
1208 | CertificateChain is a list (a QList) of certificates that are related by |
1209 | the signature from one to another. If Certificate C signs Certificate B, |
1210 | and Certificate B signs Certificate A, then C, B and A form a chain. |
1211 | |
1212 | The normal use of a CertificateChain is from a end-user Certificate (called |
1213 | the primary, equivalent to QList::first()) through some intermediate |
1214 | Certificates to some other Certificate (QList::last()), which might be a |
1215 | root %Certificate Authority, but does not need to be. |
1216 | |
1217 | You can build up the chain using normal QList operations, such as |
1218 | QList::append(). |
1219 | |
1220 | \sa QCA::CertificateCollection for an alternative way to represent a group |
1221 | of Certificates that do not necessarily have a chained relationship. |
1222 | |
1223 | \ingroup UserAPI |
1224 | */ |
1225 | class CertificateChain : public QList<Certificate> |
1226 | { |
1227 | public: |
1228 | /** |
1229 | Create an empty certificate chain |
1230 | */ |
1231 | inline CertificateChain() |
1232 | { |
1233 | } |
1234 | |
1235 | /** |
1236 | Create a certificate chain, starting at the specified certificate |
1237 | |
1238 | \param primary the end-user certificate that forms one end of the |
1239 | chain |
1240 | */ |
1241 | inline CertificateChain(const Certificate &primary) |
1242 | { |
1243 | append(t: primary); |
1244 | } |
1245 | |
1246 | /** |
1247 | Return the primary (end-user) Certificate |
1248 | */ |
1249 | inline const Certificate &primary() const |
1250 | { |
1251 | return first(); |
1252 | } |
1253 | |
1254 | /** |
1255 | Check the validity of a certificate chain |
1256 | |
1257 | \param trusted a collection of trusted certificates |
1258 | \param untrusted_crls a list of additional CRLs, not necessarily |
1259 | trusted |
1260 | \param u the use required for the primary certificate |
1261 | \param vf the conditions to validate |
1262 | |
1263 | \note This function may block |
1264 | |
1265 | \sa Certificate::validate() |
1266 | */ |
1267 | inline Validity validate(const CertificateCollection &trusted, |
1268 | const QList<CRL> &untrusted_crls = QList<CRL>(), |
1269 | UsageMode u = UsageAny, |
1270 | ValidateFlags vf = ValidateAll) const; |
1271 | |
1272 | /** |
1273 | Complete a certificate chain for the primary certificate, using the |
1274 | rest of the certificates in the chain object, as well as those in |
1275 | \a issuers, as possible issuers in the chain. If there are issuers |
1276 | missing, then the chain might be incomplete (at the worst case, if |
1277 | no issuers exist for the primary certificate, then the resulting |
1278 | chain will consist of just the primary certificate). Use the |
1279 | \a result argument to find out if there was a problem during |
1280 | completion. A result of ValidityGood means the chain was completed |
1281 | successfully. |
1282 | |
1283 | The newly constructed CertificateChain is returned. |
1284 | |
1285 | If the certificate chain is empty, then this will return an empty |
1286 | CertificateChain object. |
1287 | |
1288 | \param issuers a pool of issuers to draw from as necessary |
1289 | \param result the result of the completion operation |
1290 | |
1291 | \note This function may block |
1292 | |
1293 | \sa validate |
1294 | */ |
1295 | inline CertificateChain complete(const QList<Certificate> &issuers = QList<Certificate>(), |
1296 | Validity *result = nullptr) const; |
1297 | }; |
1298 | |
1299 | inline Validity CertificateChain::validate(const CertificateCollection &trusted, |
1300 | const QList<CRL> &untrusted_crls, |
1301 | UsageMode u, |
1302 | ValidateFlags vf) const |
1303 | { |
1304 | if (isEmpty()) |
1305 | return ErrorValidityUnknown; |
1306 | return first().chain_validate(chain: *this, trusted, untrusted_crls, u, vf); |
1307 | } |
1308 | |
1309 | inline CertificateChain CertificateChain::complete(const QList<Certificate> &issuers, Validity *result) const |
1310 | { |
1311 | if (isEmpty()) |
1312 | return CertificateChain(); |
1313 | return first().chain_complete(chain: *this, issuers, result); |
1314 | } |
1315 | |
1316 | /** |
1317 | \class CertificateRequest qca_cert.h QtCrypto |
1318 | |
1319 | %Certificate Request |
1320 | |
1321 | A CertificateRequest is a unsigned request for a Certificate |
1322 | |
1323 | \ingroup UserAPI |
1324 | */ |
1325 | class QCA_EXPORT CertificateRequest : public Algorithm |
1326 | { |
1327 | public: |
1328 | /** |
1329 | Create an empty certificate request |
1330 | */ |
1331 | CertificateRequest(); |
1332 | |
1333 | /** |
1334 | Create a certificate request based on the contents of a file |
1335 | |
1336 | \param fileName the file (and path, if necessary) containing a PEM |
1337 | encoded certificate request |
1338 | */ |
1339 | CertificateRequest(const QString &fileName); |
1340 | |
1341 | /** |
1342 | Create a certificate request based on specified options |
1343 | |
1344 | \param opts the options to use in the certificate request |
1345 | \param key the private key that matches the certificate being |
1346 | requested |
1347 | \param provider the provider to use, if a specific provider is |
1348 | required |
1349 | */ |
1350 | CertificateRequest(const CertificateOptions &opts, const PrivateKey &key, const QString &provider = QString()); |
1351 | |
1352 | /** |
1353 | Standard copy constructor |
1354 | |
1355 | \param from the request to copy from |
1356 | */ |
1357 | CertificateRequest(const CertificateRequest &from); |
1358 | |
1359 | ~CertificateRequest() override; |
1360 | |
1361 | /** |
1362 | Standard assignment operator |
1363 | |
1364 | \param from the request to assign from |
1365 | */ |
1366 | CertificateRequest &operator=(const CertificateRequest &from); |
1367 | |
1368 | /** |
1369 | test if the certificate request is empty |
1370 | |
1371 | \return true if the certificate request is empty, otherwise false |
1372 | */ |
1373 | bool isNull() const; |
1374 | |
1375 | /** |
1376 | Test if the certificate request can use a specified format |
1377 | |
1378 | \param f the format to test for |
1379 | \param provider the provider to use, if a specific provider is |
1380 | required |
1381 | |
1382 | \return true if the certificate request can use the specified |
1383 | format |
1384 | */ |
1385 | static bool canUseFormat(CertificateRequestFormat f, const QString &provider = QString()); |
1386 | |
1387 | /** |
1388 | the format that this Certificate request is in |
1389 | */ |
1390 | CertificateRequestFormat format() const; |
1391 | |
1392 | /** |
1393 | Information on the subject of the certificate being requested |
1394 | |
1395 | \note this only applies to PKCS#10 format certificate requests |
1396 | |
1397 | \sa subjectInfoOrdered for a version that maintains order |
1398 | in the subject information. |
1399 | */ |
1400 | CertificateInfo subjectInfo() const; |
1401 | |
1402 | /** |
1403 | Information on the subject of the certificate being requested, as |
1404 | an ordered list (QList of CertificateInfoPair). |
1405 | |
1406 | \note this only applies to PKCS#10 format certificate requests |
1407 | |
1408 | \sa subjectInfo for a version that does not maintain order, but |
1409 | allows access based on a multimap. |
1410 | \sa CertificateInfoPair for the elements in the list |
1411 | */ |
1412 | CertificateInfoOrdered subjectInfoOrdered() const; |
1413 | |
1414 | /** |
1415 | The constraints that apply to this certificate request |
1416 | |
1417 | \note this only applies to PKCS#10 format certificate requests |
1418 | */ |
1419 | Constraints constraints() const; |
1420 | |
1421 | /** |
1422 | The policies that apply to this certificate request |
1423 | |
1424 | \note this only applies to PKCS#10 format certificate requests |
1425 | */ |
1426 | QStringList policies() const; |
1427 | |
1428 | /** |
1429 | The public key belonging to the issuer |
1430 | */ |
1431 | PublicKey subjectPublicKey() const; |
1432 | |
1433 | /** |
1434 | Test if this %Certificate Request is for a %Certificate Authority |
1435 | certificate |
1436 | |
1437 | \note this only applies to PKCS#10 format certificate requests |
1438 | */ |
1439 | bool isCA() const; |
1440 | |
1441 | /** |
1442 | The path limit for the certificate in this %Certificate Request |
1443 | |
1444 | \note this only applies to PKCS#10 format certificate requests |
1445 | */ |
1446 | int pathLimit() const; |
1447 | |
1448 | /** |
1449 | The challenge associated with this certificate request |
1450 | */ |
1451 | QString challenge() const; |
1452 | |
1453 | /** |
1454 | The algorithm used to make the signature on this certificate |
1455 | request |
1456 | */ |
1457 | SignatureAlgorithm signatureAlgorithm() const; |
1458 | |
1459 | /** |
1460 | Test for equality of two certificate requests |
1461 | |
1462 | \param csr the certificate request to be compared to this certificate request |
1463 | |
1464 | \return true if the two certificate requests are the same |
1465 | */ |
1466 | bool operator==(const CertificateRequest &csr) const; |
1467 | |
1468 | /** |
1469 | Inequality operator |
1470 | |
1471 | \param other the certificate request to be compared to this certificate request |
1472 | */ |
1473 | inline bool operator!=(const CertificateRequest &other) const |
1474 | { |
1475 | return !(*this == other); |
1476 | } |
1477 | |
1478 | /** |
1479 | Export the %Certificate Request into a DER format |
1480 | |
1481 | \note this only applies to PKCS#10 format certificate requests |
1482 | */ |
1483 | QByteArray toDER() const; |
1484 | |
1485 | /** |
1486 | Export the %Certificate Request into a PEM format |
1487 | |
1488 | \note this only applies to PKCS#10 format certificate requests |
1489 | */ |
1490 | QString toPEM() const; |
1491 | |
1492 | /** |
1493 | Export the Certificate into PEM format in a file |
1494 | |
1495 | \param fileName the name of the file to use |
1496 | |
1497 | \note this only applies to PKCS#10 format certificate requests |
1498 | */ |
1499 | bool toPEMFile(const QString &fileName) const; |
1500 | |
1501 | /** |
1502 | Import the certificate request from DER |
1503 | |
1504 | \param a the array containing the certificate request in DER format |
1505 | \param result a pointer to a ConvertResult, which if not-null will |
1506 | be set to the conversion status |
1507 | \param provider the provider to use, if a specific provider is |
1508 | required |
1509 | |
1510 | \return the CertificateRequest corresponding to the certificate |
1511 | request in the provided array |
1512 | |
1513 | \note this only applies to PKCS#10 format certificate requests |
1514 | */ |
1515 | static CertificateRequest |
1516 | fromDER(const QByteArray &a, ConvertResult *result = nullptr, const QString &provider = QString()); |
1517 | |
1518 | /** |
1519 | Import the certificate request from PEM format |
1520 | |
1521 | \param s the string containing the certificate request in PEM |
1522 | format |
1523 | \param result a pointer to a ConvertResult, which if not-null will |
1524 | be set to the conversion status |
1525 | \param provider the provider to use, if a specific provider is |
1526 | required |
1527 | |
1528 | \return the CertificateRequest corresponding to the certificate |
1529 | request in the provided string |
1530 | |
1531 | \note this only applies to PKCS#10 format certificate requests |
1532 | */ |
1533 | static CertificateRequest |
1534 | fromPEM(const QString &s, ConvertResult *result = nullptr, const QString &provider = QString()); |
1535 | |
1536 | /** |
1537 | Import the certificate request from a file |
1538 | |
1539 | \param fileName the name (and path, if required) of the file |
1540 | containing the certificate request in PEM format |
1541 | \param result a pointer to a ConvertResult, which if not-null will |
1542 | be set to the conversion status |
1543 | \param provider the provider to use, if a specific provider is |
1544 | required |
1545 | |
1546 | \return the CertificateRequest corresponding to the certificate |
1547 | request in the provided string |
1548 | |
1549 | \note this only applies to PKCS#10 format certificate requests |
1550 | */ |
1551 | static CertificateRequest |
1552 | fromPEMFile(const QString &fileName, ConvertResult *result = nullptr, const QString &provider = QString()); |
1553 | |
1554 | /** |
1555 | Export the CertificateRequest to a string |
1556 | |
1557 | \return the string corresponding to the certificate request |
1558 | |
1559 | \note this only applies to SPKAC format certificate requests |
1560 | */ |
1561 | QString toString() const; |
1562 | |
1563 | /** |
1564 | Import the CertificateRequest from a string |
1565 | |
1566 | \param s the string containing to the certificate request |
1567 | \param result a pointer to a ConvertResult, which if not-null will |
1568 | be set to the conversion status |
1569 | \param provider the provider to use, if a specific provider is |
1570 | required |
1571 | |
1572 | \return the CertificateRequest corresponding to the certificate |
1573 | request in the provided string |
1574 | |
1575 | \note this only applies to SPKAC format certificate requests |
1576 | */ |
1577 | static CertificateRequest |
1578 | fromString(const QString &s, ConvertResult *result = nullptr, const QString &provider = QString()); |
1579 | |
1580 | /** |
1581 | \internal |
1582 | |
1583 | \param c context (internal) |
1584 | */ |
1585 | void change(CSRContext *c); |
1586 | |
1587 | private: |
1588 | class Private; |
1589 | friend class Private; |
1590 | QSharedDataPointer<Private> d; |
1591 | }; |
1592 | |
1593 | /** |
1594 | \class CRLEntry qca_cert.h QtCrypto |
1595 | |
1596 | Part of a CRL representing a single certificate |
1597 | |
1598 | \ingroup UserAPI |
1599 | */ |
1600 | class QCA_EXPORT CRLEntry |
1601 | { |
1602 | public: |
1603 | /** |
1604 | The reason why the certificate has been revoked |
1605 | */ |
1606 | enum Reason |
1607 | { |
1608 | Unspecified, ///< reason is unknown |
1609 | KeyCompromise, ///< private key has been compromised |
1610 | CACompromise, ///< certificate authority has been compromised |
1611 | AffiliationChanged, |
1612 | Superseded, ///< certificate has been superseded |
1613 | CessationOfOperation, |
1614 | CertificateHold, ///< certificate is on hold |
1615 | RemoveFromCRL, ///< certificate was previously in a CRL, but is now valid |
1616 | PrivilegeWithdrawn, |
1617 | AACompromise ///< attribute authority has been compromised |
1618 | }; |
1619 | |
1620 | /** |
1621 | create an empty CRL entry |
1622 | */ |
1623 | CRLEntry(); |
1624 | |
1625 | /** |
1626 | create a CRL entry |
1627 | |
1628 | \param c the certificate to revoke |
1629 | \param r the reason that the certificate is being revoked |
1630 | */ |
1631 | explicit CRLEntry(const Certificate &c, Reason r = Unspecified); |
1632 | |
1633 | /** |
1634 | create a CRL entry |
1635 | |
1636 | \param serial the serial number of the Certificate being revoked |
1637 | \param time the time the Certificate was revoked (or will be |
1638 | revoked) |
1639 | \param r the reason that the certificate is being revoked |
1640 | */ |
1641 | CRLEntry(const BigInteger serial, const QDateTime &time, Reason r = Unspecified); |
1642 | |
1643 | /** |
1644 | Copy constructor |
1645 | |
1646 | \param from the CRLEntry to copy from |
1647 | */ |
1648 | CRLEntry(const CRLEntry &from); |
1649 | |
1650 | ~CRLEntry(); |
1651 | |
1652 | /** |
1653 | Standard assignment operator |
1654 | |
1655 | \param from the CRLEntry to copy from |
1656 | */ |
1657 | CRLEntry &operator=(const CRLEntry &from); |
1658 | |
1659 | /** |
1660 | The serial number of the certificate that is the subject of this CRL entry |
1661 | */ |
1662 | BigInteger serialNumber() const; |
1663 | |
1664 | /** |
1665 | The time this CRL entry was created |
1666 | */ |
1667 | QDateTime time() const; |
1668 | |
1669 | /** |
1670 | Test if this CRL entry is empty |
1671 | */ |
1672 | bool isNull() const; |
1673 | |
1674 | /** |
1675 | The reason that this CRL entry was created |
1676 | |
1677 | Alternatively, you might like to think of this as the reason that |
1678 | the subject certificate has been revoked |
1679 | */ |
1680 | Reason reason() const; |
1681 | |
1682 | /** |
1683 | Test if one CRL entry is "less than" another |
1684 | |
1685 | CRL entries are compared based on their serial number |
1686 | |
1687 | \param a the CRL entry to be compared to this CRL entry. |
1688 | */ |
1689 | bool operator<(const CRLEntry &a) const; |
1690 | |
1691 | /** |
1692 | Test for equality of two CRL Entries |
1693 | |
1694 | \param a the CRL entry to be compared to this CRL entry. |
1695 | |
1696 | \return true if the two certificates are the same |
1697 | */ |
1698 | bool operator==(const CRLEntry &a) const; |
1699 | |
1700 | /** |
1701 | Inequality operator |
1702 | |
1703 | \param other the CRL entry to be compared to this CRL entry. |
1704 | */ |
1705 | inline bool operator!=(const CRLEntry &other) const |
1706 | { |
1707 | return !(*this == other); |
1708 | } |
1709 | |
1710 | private: |
1711 | BigInteger _serial; |
1712 | QDateTime _time; |
1713 | Reason _reason; |
1714 | |
1715 | class Private; |
1716 | Private *d; |
1717 | }; |
1718 | |
1719 | /** |
1720 | \class CRL qca_cert.h QtCrypto |
1721 | |
1722 | %Certificate Revocation List |
1723 | |
1724 | A %CRL is a list of certificates that are special in some |
1725 | way. The normal reason for including a certificate on a %CRL |
1726 | is that the certificate should no longer be used. For |
1727 | example, if a key is compromised, then the associated |
1728 | certificate may no longer provides appropriate |
1729 | security. There are other reasons why a certificate may be |
1730 | placed on a %CRL, as shown in the CRLEntry::Reason |
1731 | enumeration. |
1732 | |
1733 | \sa CertificateCollection for a way to handle Certificates |
1734 | and CRLs as a single entity. |
1735 | \sa CRLEntry for the %CRL segment representing a single Certificate. |
1736 | |
1737 | \ingroup UserAPI |
1738 | */ |
1739 | class QCA_EXPORT CRL : public Algorithm |
1740 | { |
1741 | public: |
1742 | CRL(); |
1743 | |
1744 | /** |
1745 | Standard copy constructor |
1746 | |
1747 | \param from the revocation list to copy from |
1748 | */ |
1749 | CRL(const CRL &from); |
1750 | |
1751 | ~CRL() override; |
1752 | |
1753 | /** |
1754 | Standard assignment operator |
1755 | |
1756 | \param from the revocation list to assign from |
1757 | */ |
1758 | CRL &operator=(const CRL &from); |
1759 | |
1760 | /** |
1761 | Test if the CRL is empty |
1762 | |
1763 | \return true if the CRL is empty, otherwise return false |
1764 | */ |
1765 | bool isNull() const; |
1766 | |
1767 | /** |
1768 | Information on the issuer of the CRL as a QMultiMap. |
1769 | |
1770 | \sa issuerInfoOrdered for a version that maintains the order |
1771 | of information fields as per the underlying CRL. |
1772 | */ |
1773 | CertificateInfo issuerInfo() const; |
1774 | |
1775 | /** |
1776 | Information on the issuer of the CRL as an ordered list |
1777 | (QList of CertificateInfoPair). |
1778 | |
1779 | \sa issuerInfo for a version that allows lookup based on |
1780 | a multimap. |
1781 | \sa CertificateInfoPair for the elements in the list |
1782 | */ |
1783 | CertificateInfoOrdered issuerInfoOrdered() const; |
1784 | |
1785 | /** |
1786 | The CRL serial number. Note that serial numbers are a |
1787 | CRL extension, and not all certificates have one. |
1788 | |
1789 | \return the CRL serial number, or -1 if there is no serial number |
1790 | */ |
1791 | int number() const; |
1792 | |
1793 | /** |
1794 | the time that this CRL became (or becomes) valid |
1795 | */ |
1796 | QDateTime thisUpdate() const; |
1797 | |
1798 | /** |
1799 | the time that this CRL will be obsoleted |
1800 | |
1801 | you should obtain an updated CRL at this time |
1802 | */ |
1803 | QDateTime nextUpdate() const; |
1804 | |
1805 | /** |
1806 | a list of the revoked certificates in this CRL |
1807 | */ |
1808 | QList<CRLEntry> revoked() const; |
1809 | |
1810 | /** |
1811 | The signature algorithm used for the signature on this CRL |
1812 | */ |
1813 | SignatureAlgorithm signatureAlgorithm() const; |
1814 | |
1815 | /** |
1816 | The key identification of the CRL issuer |
1817 | */ |
1818 | QByteArray issuerKeyId() const; |
1819 | |
1820 | /** |
1821 | Test for equality of two %Certificate Revocation Lists |
1822 | |
1823 | \param a the CRL to be compared to this CRL |
1824 | |
1825 | \return true if the two CRLs are the same |
1826 | */ |
1827 | bool operator==(const CRL &a) const; |
1828 | |
1829 | /** |
1830 | Inequality operator |
1831 | |
1832 | \param other the CRL to be compared to this CRL |
1833 | */ |
1834 | inline bool operator!=(const CRL &other) const |
1835 | { |
1836 | return !(*this == other); |
1837 | } |
1838 | |
1839 | /** |
1840 | Export the %Certificate Revocation List (CRL) in DER format |
1841 | |
1842 | \return an array containing the CRL in DER format |
1843 | */ |
1844 | QByteArray toDER() const; |
1845 | |
1846 | /** |
1847 | Export the %Certificate Revocation List (CRL) in PEM format |
1848 | |
1849 | \return a string containing the CRL in PEM format |
1850 | */ |
1851 | QString toPEM() const; |
1852 | |
1853 | /** |
1854 | Export the %Certificate Revocation List (CRL) into PEM format in a |
1855 | file |
1856 | |
1857 | \param fileName the name of the file to use |
1858 | */ |
1859 | bool toPEMFile(const QString &fileName) const; |
1860 | |
1861 | /** |
1862 | Import a DER encoded %Certificate Revocation List (CRL) |
1863 | |
1864 | \param a the array containing the CRL in DER format |
1865 | \param result a pointer to a ConvertResult, which if not-null will |
1866 | be set to the conversion status |
1867 | \param provider the provider to use, if a specific provider is |
1868 | required |
1869 | |
1870 | \return the CRL corresponding to the contents of the array |
1871 | */ |
1872 | static CRL fromDER(const QByteArray &a, ConvertResult *result = nullptr, const QString &provider = QString()); |
1873 | |
1874 | /** |
1875 | Import a PEM encoded %Certificate Revocation List (CRL) |
1876 | |
1877 | \param s the string containing the CRL in PEM format |
1878 | \param result a pointer to a ConvertResult, which if not-null will |
1879 | be set to the conversion status |
1880 | \param provider the provider to use, if a specific provider is |
1881 | required |
1882 | |
1883 | \return the CRL corresponding to the contents of the string |
1884 | */ |
1885 | static CRL fromPEM(const QString &s, ConvertResult *result = nullptr, const QString &provider = QString()); |
1886 | |
1887 | /** |
1888 | Import a PEM encoded %Certificate Revocation List (CRL) from a file |
1889 | |
1890 | \param fileName the name (and path, if required) of the file |
1891 | containing the certificate in PEM format |
1892 | \param result a pointer to a ConvertResult, which if not-null will |
1893 | be set to the conversion status |
1894 | \param provider the provider to use, if a specific provider is |
1895 | required |
1896 | |
1897 | \return the CRL in the file |
1898 | */ |
1899 | static CRL |
1900 | fromPEMFile(const QString &fileName, ConvertResult *result = nullptr, const QString &provider = QString()); |
1901 | |
1902 | /** |
1903 | \internal |
1904 | |
1905 | \param c context (internal) |
1906 | */ |
1907 | void change(CRLContext *c); |
1908 | |
1909 | private: |
1910 | class Private; |
1911 | friend class Private; |
1912 | QSharedDataPointer<Private> d; |
1913 | }; |
1914 | |
1915 | /** |
1916 | \class CertificateCollection qca_cert.h QtCrypto |
1917 | |
1918 | Bundle of Certificates and CRLs |
1919 | |
1920 | CertificateCollection provides a bundle of Certificates and Certificate |
1921 | Revocation Lists (CRLs), not necessarily related. |
1922 | |
1923 | \sa QCA::CertificateChain for a representation of a chain of Certificates |
1924 | related by signatures. |
1925 | |
1926 | \ingroup UserAPI |
1927 | */ |
1928 | class QCA_EXPORT CertificateCollection |
1929 | { |
1930 | public: |
1931 | /** |
1932 | Create an empty Certificate / CRL collection |
1933 | */ |
1934 | CertificateCollection(); |
1935 | |
1936 | /** |
1937 | Standard copy constructor |
1938 | |
1939 | \param from the CertificateCollection to copy from |
1940 | */ |
1941 | CertificateCollection(const CertificateCollection &from); |
1942 | |
1943 | ~CertificateCollection(); |
1944 | |
1945 | /** |
1946 | Standard assignment operator |
1947 | |
1948 | \param from the CertificateCollection to copy from |
1949 | */ |
1950 | CertificateCollection &operator=(const CertificateCollection &from); |
1951 | |
1952 | /** |
1953 | Append a Certificate to this collection |
1954 | |
1955 | \param cert the Certificate to add to this CertificateCollection |
1956 | */ |
1957 | void addCertificate(const Certificate &cert); |
1958 | |
1959 | /** |
1960 | Append a CRL to this collection |
1961 | |
1962 | \param crl the certificate revokation list to add to this |
1963 | CertificateCollection |
1964 | */ |
1965 | void addCRL(const CRL &crl); |
1966 | |
1967 | /** |
1968 | The Certificates in this collection |
1969 | */ |
1970 | QList<Certificate> certificates() const; |
1971 | |
1972 | /** |
1973 | The CRLs in this collection |
1974 | */ |
1975 | QList<CRL> crls() const; |
1976 | |
1977 | /** |
1978 | Add another CertificateCollection to this collection |
1979 | |
1980 | \param other the CertificateCollection to add to this collection |
1981 | */ |
1982 | void append(const CertificateCollection &other); |
1983 | |
1984 | /** |
1985 | Add another CertificateCollection to this collection |
1986 | |
1987 | \param other the CertificateCollection to add to this collection |
1988 | */ |
1989 | CertificateCollection operator+(const CertificateCollection &other) const; |
1990 | |
1991 | /** |
1992 | Add another CertificateCollection to this collection |
1993 | |
1994 | \param other the CertificateCollection to add to this collection |
1995 | */ |
1996 | CertificateCollection &operator+=(const CertificateCollection &other); |
1997 | |
1998 | /** |
1999 | test if the CertificateCollection can be imported and exported to |
2000 | PKCS#7 format |
2001 | |
2002 | \param provider the provider to use, if a specific provider is |
2003 | required |
2004 | |
2005 | \return true if the CertificateCollection can be imported and |
2006 | exported to PKCS#7 format |
2007 | */ |
2008 | static bool canUsePKCS7(const QString &provider = QString()); |
2009 | |
2010 | /** |
2011 | export the CertificateCollection to a plain text file |
2012 | |
2013 | \param fileName the name (and path, if required) to write the |
2014 | contents of the CertificateCollection to |
2015 | |
2016 | \return true if the export succeeded, otherwise false |
2017 | */ |
2018 | bool toFlatTextFile(const QString &fileName); |
2019 | |
2020 | /** |
2021 | export the CertificateCollection to a PKCS#7 file |
2022 | |
2023 | \param fileName the name (and path, if required) to write the |
2024 | contents of the CertificateCollection to |
2025 | \param provider the provider to use, if a specific provider is |
2026 | required |
2027 | |
2028 | \return true if the export succeeded, otherwise false |
2029 | */ |
2030 | bool toPKCS7File(const QString &fileName, const QString &provider = QString()); |
2031 | |
2032 | /** |
2033 | import a CertificateCollection from a text file |
2034 | |
2035 | \param fileName the name (and path, if required) to read the |
2036 | certificate collection from |
2037 | \param result a pointer to a ConvertResult, which if not-null will |
2038 | be set to the conversion status |
2039 | \param provider the provider to use, if a specific provider is |
2040 | required |
2041 | |
2042 | \return the CertificateCollection corresponding to the contents of |
2043 | the file specified in fileName |
2044 | */ |
2045 | static CertificateCollection |
2046 | fromFlatTextFile(const QString &fileName, ConvertResult *result = nullptr, const QString &provider = QString()); |
2047 | |
2048 | /** |
2049 | import a CertificateCollection from a PKCS#7 file |
2050 | |
2051 | \param fileName the name (and path, if required) to read the |
2052 | certificate collection from |
2053 | \param result a pointer to a ConvertResult, which if not-null will |
2054 | be set to the conversion status |
2055 | \param provider the provider to use, if a specific provider is |
2056 | required |
2057 | |
2058 | \return the CertificateCollection corresponding to the contents of |
2059 | the file specified in fileName |
2060 | */ |
2061 | static CertificateCollection |
2062 | fromPKCS7File(const QString &fileName, ConvertResult *result = nullptr, const QString &provider = QString()); |
2063 | |
2064 | private: |
2065 | class Private; |
2066 | QSharedDataPointer<Private> d; |
2067 | }; |
2068 | |
2069 | /** |
2070 | \class CertificateAuthority qca_cert.h QtCrypto |
2071 | |
2072 | A %Certificate Authority is used to generate Certificates and |
2073 | %Certificate Revocation Lists (CRLs). |
2074 | |
2075 | \ingroup UserAPI |
2076 | */ |
2077 | class QCA_EXPORT CertificateAuthority : public Algorithm |
2078 | { |
2079 | public: |
2080 | /** |
2081 | Create a new %Certificate Authority |
2082 | |
2083 | \param cert the CA certificate |
2084 | \param key the private key associated with the CA certificate |
2085 | \param provider the provider to use, if a specific provider is |
2086 | required |
2087 | */ |
2088 | CertificateAuthority(const Certificate &cert, const PrivateKey &key, const QString &provider); |
2089 | |
2090 | /** |
2091 | Copy constructor |
2092 | |
2093 | \param from the CertificateAuthority to copy from |
2094 | */ |
2095 | CertificateAuthority(const CertificateAuthority &from); |
2096 | |
2097 | ~CertificateAuthority() override; |
2098 | |
2099 | /** |
2100 | Standard assignment operator |
2101 | |
2102 | \param from the CertificateAuthority to copy from |
2103 | */ |
2104 | CertificateAuthority &operator=(const CertificateAuthority &from); |
2105 | |
2106 | /** |
2107 | The Certificate belonging to the %CertificateAuthority |
2108 | |
2109 | This is the Certificate that was passed as an argument to the |
2110 | constructor |
2111 | */ |
2112 | Certificate certificate() const; |
2113 | |
2114 | /** |
2115 | Create a new Certificate by signing the provider CertificateRequest |
2116 | |
2117 | \param req the CertificateRequest to sign |
2118 | \param notValidAfter the last date that the Certificate will be |
2119 | valid |
2120 | */ |
2121 | Certificate signRequest(const CertificateRequest &req, const QDateTime ¬ValidAfter) const; |
2122 | |
2123 | /** |
2124 | Create a new Certificate |
2125 | |
2126 | \param key the Public Key to use to create the Certificate |
2127 | \param opts the options to use for the new Certificate |
2128 | */ |
2129 | Certificate createCertificate(const PublicKey &key, const CertificateOptions &opts) const; |
2130 | |
2131 | /** |
2132 | Create a new %Certificate Revocation List (CRL) |
2133 | |
2134 | \param nextUpdate the date that the CRL will be updated |
2135 | |
2136 | \return an empty CRL |
2137 | */ |
2138 | CRL createCRL(const QDateTime &nextUpdate) const; |
2139 | |
2140 | /** |
2141 | Update the CRL to include new entries |
2142 | |
2143 | \param crl the CRL to update |
2144 | \param entries the entries to add to the CRL |
2145 | \param nextUpdate the date that this CRL will be updated |
2146 | |
2147 | \return the update CRL |
2148 | */ |
2149 | CRL updateCRL(const CRL &crl, const QList<CRLEntry> &entries, const QDateTime &nextUpdate) const; |
2150 | |
2151 | private: |
2152 | class Private; |
2153 | Private *d; |
2154 | }; |
2155 | |
2156 | /** |
2157 | \class KeyBundle qca_cert.h QtCrypto |
2158 | |
2159 | Certificate chain and private key pair |
2160 | |
2161 | KeyBundle is essentially a convience class that holds a |
2162 | certificate chain and an associated private key. This class |
2163 | has a number of methods that make it particularly suitable |
2164 | for accessing a PKCS12 (.p12) format file, however it can |
2165 | be used as just a container for a Certificate, its |
2166 | associated PrivateKey and optionally additional |
2167 | X.509 Certificate that form a chain. |
2168 | |
2169 | For more information on PKCS12 "Personal Information |
2170 | Exchange Syntax Standard", see <a |
2171 | href="ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf">ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf</a>. |
2172 | |
2173 | \ingroup UserAPI |
2174 | */ |
2175 | class QCA_EXPORT KeyBundle |
2176 | { |
2177 | public: |
2178 | /** |
2179 | Create an empty KeyBundle |
2180 | */ |
2181 | KeyBundle(); |
2182 | |
2183 | /** |
2184 | Create a KeyBundle from a PKCS12 (.p12) encoded |
2185 | file |
2186 | |
2187 | This constructor requires appropriate plugin (provider) |
2188 | support. You must check for the "pkcs12" feature |
2189 | before using this constructor. |
2190 | |
2191 | \param fileName the name of the file to read from |
2192 | \param passphrase the passphrase that is applicable to the file |
2193 | |
2194 | \sa fromFile for a more flexible version of the |
2195 | same capability. |
2196 | |
2197 | \note This synchronous operation may require event handling, and so |
2198 | it must not be called from the same thread as an EventHandler. |
2199 | */ |
2200 | explicit KeyBundle(const QString &fileName, const SecureArray &passphrase = SecureArray()); |
2201 | |
2202 | /** |
2203 | Standard copy constructor |
2204 | |
2205 | \param from the KeyBundle to use as source |
2206 | */ |
2207 | KeyBundle(const KeyBundle &from); |
2208 | |
2209 | ~KeyBundle(); |
2210 | |
2211 | /** |
2212 | Standard assignment operator |
2213 | |
2214 | \param from the KeyBundle to use as source |
2215 | */ |
2216 | KeyBundle &operator=(const KeyBundle &from); |
2217 | |
2218 | /** |
2219 | Test if this key is empty (null) |
2220 | */ |
2221 | bool isNull() const; |
2222 | |
2223 | /** |
2224 | The name associated with this key. |
2225 | |
2226 | This is also known as the "friendly name", and if |
2227 | present, is typically suitable to be displayed to |
2228 | the user. |
2229 | |
2230 | \sa setName |
2231 | */ |
2232 | QString name() const; |
2233 | |
2234 | /** |
2235 | The public certificate part of this bundle |
2236 | |
2237 | \sa setCertificateChainAndKey |
2238 | */ |
2239 | CertificateChain certificateChain() const; |
2240 | |
2241 | /** |
2242 | The private key part of this bundle |
2243 | |
2244 | \sa setCertificateChainAndKey |
2245 | */ |
2246 | PrivateKey privateKey() const; |
2247 | |
2248 | /** |
2249 | Specify the name of this bundle |
2250 | |
2251 | \param s the name to use |
2252 | */ |
2253 | void setName(const QString &s); |
2254 | |
2255 | /** |
2256 | Set the public certificate and private key |
2257 | |
2258 | \param c the CertificateChain containing the public part of the |
2259 | Bundle |
2260 | \param key the private key part of the Bundle |
2261 | |
2262 | \sa privateKey, certificateChain for getters |
2263 | */ |
2264 | void setCertificateChainAndKey(const CertificateChain &c, const PrivateKey &key); |
2265 | |
2266 | /** |
2267 | Export the key bundle to an array in PKCS12 format. |
2268 | |
2269 | This method requires appropriate plugin (provider) |
2270 | support - you must check for the "pkcs12" feature, |
2271 | as shown below. |
2272 | |
2273 | \code |
2274 | if( QCA::isSupported("pkcs12") ) |
2275 | { |
2276 | // can use I/O |
2277 | byteArray = bundle.toArray( "pass phrase" ); |
2278 | } |
2279 | else |
2280 | { |
2281 | // not possible to use I/O |
2282 | } |
2283 | \endcode |
2284 | |
2285 | \param passphrase the passphrase to use to protect the bundle |
2286 | \param provider the provider to use, if a specific provider is |
2287 | required |
2288 | */ |
2289 | QByteArray toArray(const SecureArray &passphrase, const QString &provider = QString()) const; |
2290 | |
2291 | /** |
2292 | Export the key bundle to a file in PKCS12 (.p12) format |
2293 | |
2294 | This method requires appropriate plugin (provider) |
2295 | support - you must check for the "pkcs12" feature, |
2296 | as shown below. |
2297 | |
2298 | \code |
2299 | if( QCA::isSupported("pkcs12") ) |
2300 | { |
2301 | // can use I/O |
2302 | bool result = bundle.toFile( filename, "pass phrase" ); |
2303 | } |
2304 | else |
2305 | { |
2306 | // not possible to use I/O |
2307 | } |
2308 | \endcode |
2309 | |
2310 | \param fileName the name of the file to save to |
2311 | \param passphrase the passphrase to use to protect the bundle |
2312 | \param provider the provider to use, if a specific provider is |
2313 | required |
2314 | */ |
2315 | bool toFile(const QString &fileName, const SecureArray &passphrase, const QString &provider = QString()) const; |
2316 | |
2317 | /** |
2318 | Import the key bundle from an array in PKCS12 format |
2319 | |
2320 | This method requires appropriate plugin (provider) |
2321 | support - you must check for the "pkcs12" feature, |
2322 | as shown below. |
2323 | |
2324 | \code |
2325 | if( QCA::isSupported("pkcs12") ) |
2326 | { |
2327 | // can use I/O |
2328 | bundle = QCA::KeyBundle::fromArray( array, "pass phrase" ); |
2329 | } |
2330 | else |
2331 | { |
2332 | // not possible to use I/O |
2333 | } |
2334 | \endcode |
2335 | |
2336 | \param a the array to import from |
2337 | \param passphrase the passphrase for the encoded bundle |
2338 | \param result pointer to the result of the import process |
2339 | \param provider the provider to use, if a specific provider is |
2340 | required |
2341 | |
2342 | \sa QCA::KeyLoader for an asynchronous loader approach. |
2343 | |
2344 | \note This synchronous operation may require event handling, and so |
2345 | it must not be called from the same thread as an EventHandler. |
2346 | */ |
2347 | static KeyBundle fromArray(const QByteArray &a, |
2348 | const SecureArray &passphrase = SecureArray(), |
2349 | ConvertResult *result = nullptr, |
2350 | const QString &provider = QString()); |
2351 | |
2352 | /** |
2353 | Import the key bundle from a file in PKCS12 (.p12) format |
2354 | |
2355 | This method requires appropriate plugin (provider) |
2356 | support - you must check for the "pkcs12" feature, |
2357 | as shown below. |
2358 | |
2359 | \code |
2360 | if( QCA::isSupported("pkcs12") ) |
2361 | { |
2362 | // can use I/O |
2363 | bundle = QCA::KeyBundle::fromFile( filename, "pass phrase" ); |
2364 | } |
2365 | else |
2366 | { |
2367 | // not possible to use I/O |
2368 | } |
2369 | \endcode |
2370 | |
2371 | \param fileName the name of the file to read from |
2372 | \param passphrase the passphrase for the encoded bundle |
2373 | \param result pointer to the result of the import process |
2374 | \param provider the provider to use, if a specific provider is |
2375 | required |
2376 | |
2377 | \sa QCA::KeyLoader for an asynchronous loader approach. |
2378 | |
2379 | \note This synchronous operation may require event handling, and so |
2380 | it must not be called from the same thread as an EventHandler. |
2381 | */ |
2382 | static KeyBundle fromFile(const QString &fileName, |
2383 | const SecureArray &passphrase = SecureArray(), |
2384 | ConvertResult *result = nullptr, |
2385 | const QString &provider = QString()); |
2386 | |
2387 | private: |
2388 | class Private; |
2389 | QSharedDataPointer<Private> d; |
2390 | }; |
2391 | |
2392 | /** |
2393 | \class PGPKey qca_cert.h QtCrypto |
2394 | |
2395 | Pretty Good Privacy key |
2396 | |
2397 | This holds either a reference to an item in a real PGP keyring, |
2398 | or a standalone item created using the from*() functions. |
2399 | |
2400 | Note that with the latter method, the key is of no use besides |
2401 | being informational. The key must be in a keyring |
2402 | (that is, inKeyring() == true) to actually do crypto with it. |
2403 | |
2404 | \ingroup UserAPI |
2405 | */ |
2406 | class QCA_EXPORT PGPKey : public Algorithm |
2407 | { |
2408 | public: |
2409 | /** |
2410 | Create an empty PGP key |
2411 | */ |
2412 | PGPKey(); |
2413 | |
2414 | /** |
2415 | Create a PGP key from an encoded file |
2416 | |
2417 | \param fileName the name (and path, if required) of the file |
2418 | that the PGP key is to be loaded from. |
2419 | |
2420 | \sa fromFile for a version that allows better error checking / validation |
2421 | \sa toFile for a method to write out the key. |
2422 | */ |
2423 | PGPKey(const QString &fileName); |
2424 | |
2425 | /** |
2426 | Standard copy constructor |
2427 | |
2428 | \param from the PGPKey to use as the source |
2429 | */ |
2430 | PGPKey(const PGPKey &from); |
2431 | |
2432 | ~PGPKey() override; |
2433 | |
2434 | /** |
2435 | Standard assignment operator |
2436 | |
2437 | \param from the PGPKey to use as the source |
2438 | */ |
2439 | PGPKey &operator=(const PGPKey &from); |
2440 | |
2441 | /** |
2442 | Test if the PGP key is empty (null) |
2443 | |
2444 | \return true if the PGP key is null |
2445 | */ |
2446 | bool isNull() const; |
2447 | |
2448 | /** |
2449 | The Key identification for the PGP key |
2450 | */ |
2451 | QString keyId() const; |
2452 | |
2453 | /** |
2454 | The primary user identification for the key |
2455 | */ |
2456 | QString primaryUserId() const; |
2457 | |
2458 | /** |
2459 | The list of all user identifications associated with the key |
2460 | */ |
2461 | QStringList userIds() const; |
2462 | |
2463 | /** |
2464 | Test if the PGP key is the secret key |
2465 | |
2466 | \return true if the PGP key is the secret key |
2467 | */ |
2468 | bool isSecret() const; |
2469 | |
2470 | /** |
2471 | The creation date for the key |
2472 | */ |
2473 | QDateTime creationDate() const; |
2474 | |
2475 | /** |
2476 | The expiration date for the key |
2477 | */ |
2478 | QDateTime expirationDate() const; |
2479 | |
2480 | /** |
2481 | The key fingerpint |
2482 | |
2483 | This will return the PGP fingerprint as a string. It comprises 40 |
2484 | hex digits, without spaces. |
2485 | */ |
2486 | QString fingerprint() const; |
2487 | |
2488 | /** |
2489 | Test if this key is in a keyring |
2490 | |
2491 | \return true if the key is in a keyring |
2492 | |
2493 | \note keys that are not in a keyring cannot be used for encryption, |
2494 | decryption, signing or verification |
2495 | */ |
2496 | bool inKeyring() const; |
2497 | |
2498 | /** |
2499 | Test if the key is trusted |
2500 | |
2501 | \return true if the key is trusted |
2502 | */ |
2503 | bool isTrusted() const; |
2504 | |
2505 | /** |
2506 | Export the key to an array. |
2507 | |
2508 | This will export the key in a binary format (that is, not in an |
2509 | "ascii armoured" form). |
2510 | |
2511 | \sa fromArray for a static import method. |
2512 | \sa toString for an "ascii armoured" export method. |
2513 | */ |
2514 | QByteArray toArray() const; |
2515 | |
2516 | /** |
2517 | Export the key to a string |
2518 | |
2519 | This will export the key in an "ascii armoured" form. |
2520 | |
2521 | \sa fromString for a static import method. |
2522 | \sa toArray for a binary format export method. |
2523 | */ |
2524 | QString toString() const; |
2525 | |
2526 | /** |
2527 | Export the key to a file |
2528 | |
2529 | \param fileName the name of the file to save the key to |
2530 | */ |
2531 | bool toFile(const QString &fileName) const; |
2532 | |
2533 | /** |
2534 | Import the key from an array |
2535 | |
2536 | \param a the array to import from |
2537 | \param result if not null, this will be set to the result of the |
2538 | import process |
2539 | \param provider the provider to use, if a particular provider is |
2540 | required |
2541 | */ |
2542 | static PGPKey fromArray(const QByteArray &a, ConvertResult *result = nullptr, const QString &provider = QString()); |
2543 | |
2544 | /** |
2545 | Import the key from a string |
2546 | |
2547 | \param s the string to import from |
2548 | \param result if not null, this will be set to the result of the |
2549 | import process |
2550 | \param provider the provider to use, if a particular provider is |
2551 | required |
2552 | */ |
2553 | static PGPKey fromString(const QString &s, ConvertResult *result = nullptr, const QString &provider = QString()); |
2554 | |
2555 | /** |
2556 | Import the key from a file |
2557 | |
2558 | \param fileName string containing the name of the file to import |
2559 | from |
2560 | \param result if not null, this will be set to the result of the |
2561 | import process |
2562 | \param provider the provider to use, if a particular provider is |
2563 | required |
2564 | */ |
2565 | static PGPKey |
2566 | fromFile(const QString &fileName, ConvertResult *result = nullptr, const QString &provider = QString()); |
2567 | |
2568 | private: |
2569 | class Private; |
2570 | Private *d; |
2571 | }; |
2572 | |
2573 | /** |
2574 | \class KeyLoader qca_cert.h QtCrypto |
2575 | |
2576 | Asynchronous private key loader |
2577 | |
2578 | GUI applications generally must use KeyLoader to load private keys. This |
2579 | is because the synchronous private key loading functions, for example |
2580 | QCA::PrivateKey::fromPEMFile(), cannot be used within the same thread as an |
2581 | EventHandler, and most GUI applications will use EventHandler from the main |
2582 | thread. KeyLoader does not have this problem. It can be used from any |
2583 | thread, including the same thread as EventHandler. |
2584 | |
2585 | The KeyLoader class allows you to asynchronously load stand-alone private |
2586 | keys (QCA::PrivateKey) or private keys with a certificate (QCA::KeyBundle) |
2587 | with a signal that advises of completion. |
2588 | |
2589 | To use this class to load a PrivateKey, you create a KeyLoader object then |
2590 | use one of the loadPrivateKeyFrom...() functions, depending on the format |
2591 | for your key. These functions return immediately. When you get the |
2592 | finished() signal, you can check that the loading operation succeeded |
2593 | (using convertResult()) and then obtain the PrivateKey using the |
2594 | privateKey() function. |
2595 | |
2596 | The same process applies for loading a KeyBundle, except that you use |
2597 | either loadKeyBundleFromFile() or loadKeyBundleFromArray() instead of the |
2598 | loadPrivateKeyFrom...() function, and use keyBundle() instead of |
2599 | privateKey(). |
2600 | |
2601 | The loader may need a passphrase to complete the loading of the key or key |
2602 | bundle. You should use the QCA::EventHandler class to ensure that you deal |
2603 | with this correctly. |
2604 | |
2605 | \note %QCA also provides synchronous private key loading using |
2606 | QCA::PrivateKey::fromPEMFile(), QCA::PrivateKey::fromPEM() and |
2607 | QCA::PrivateKey::fromDER(). %QCA provides synchronous key bundle loading |
2608 | using QCA::KeyBundle::fromArray() and QCA::KeyBundle::fromFile(). |
2609 | |
2610 | \ingroup UserAPI |
2611 | */ |
2612 | class QCA_EXPORT KeyLoader : public QObject |
2613 | { |
2614 | Q_OBJECT |
2615 | public: |
2616 | /** |
2617 | Create a KeyLoader object. |
2618 | |
2619 | \param parent the parent object for this object |
2620 | */ |
2621 | KeyLoader(QObject *parent = nullptr); |
2622 | ~KeyLoader() override; |
2623 | |
2624 | /** |
2625 | Initiate an asynchronous loading of a PrivateKey from a PEM format |
2626 | file. |
2627 | |
2628 | This function will return immediately. |
2629 | |
2630 | \param fileName the name of the file (and path, if necessary) to |
2631 | load the key from |
2632 | */ |
2633 | void loadPrivateKeyFromPEMFile(const QString &fileName); |
2634 | |
2635 | /** |
2636 | Initiate an asynchronous loading of a PrivateKey from a PEM format |
2637 | string. |
2638 | |
2639 | This function will return immediately. |
2640 | |
2641 | \param s the string containing the PEM formatted key |
2642 | */ |
2643 | void loadPrivateKeyFromPEM(const QString &s); |
2644 | |
2645 | /** |
2646 | Initiate an asynchronous loading of a PrivateKey from a DER format |
2647 | array. |
2648 | |
2649 | This function will return immediately. |
2650 | |
2651 | \param a the array containing the DER formatted key |
2652 | */ |
2653 | void loadPrivateKeyFromDER(const SecureArray &a); |
2654 | |
2655 | /** |
2656 | Initiate an asynchronous loading of a KeyBundle from a file |
2657 | |
2658 | This function will return immediately. |
2659 | |
2660 | \param fileName the name of the file (and path, if necessary) to |
2661 | load the key bundle from |
2662 | */ |
2663 | void loadKeyBundleFromFile(const QString &fileName); |
2664 | |
2665 | /** |
2666 | Initiate an asynchronous loading of a KeyBundle from an array |
2667 | |
2668 | This function will return immediately. |
2669 | |
2670 | \param a the array containing the key bundle |
2671 | */ |
2672 | void loadKeyBundleFromArray(const QByteArray &a); |
2673 | |
2674 | /** |
2675 | The result of the loading process. |
2676 | |
2677 | This is not valid until the finished() signal has been emitted. |
2678 | */ |
2679 | ConvertResult convertResult() const; |
2680 | |
2681 | /** |
2682 | The private key that has been loaded. |
2683 | |
2684 | This is only valid if loadPrivateKeyFromPEMFile(), |
2685 | loadPrivateKeyFromPEM() or loadPrivateKeyFromDER() has been used, |
2686 | the load has completed (that is, finished() has been emitted), and |
2687 | the conversion succeeded (that is, convertResult() returned |
2688 | ConvertGood). |
2689 | */ |
2690 | PrivateKey privateKey() const; |
2691 | |
2692 | /** |
2693 | The key bundle that has been loaded. |
2694 | |
2695 | This is only valid if loadKeyBundleFromFile() or |
2696 | loadKeyBundleFromArray() has been used, the load has completed |
2697 | (that is, finished() has been emitted), and the conversion |
2698 | succeeded (that is, convertResult() returned ConvertGood). |
2699 | */ |
2700 | KeyBundle keyBundle() const; |
2701 | |
2702 | Q_SIGNALS: |
2703 | /** |
2704 | Signal that is emitted when the load process has completed. |
2705 | |
2706 | \note The load process may not have completed successfully - check |
2707 | the result of convertResult() to confirm this before using the |
2708 | privateKey() or keyBundle() results. |
2709 | */ |
2710 | void finished(); |
2711 | |
2712 | private: |
2713 | Q_DISABLE_COPY(KeyLoader) |
2714 | |
2715 | class Private; |
2716 | friend class Private; |
2717 | Private *d; |
2718 | }; |
2719 | |
2720 | } |
2721 | |
2722 | #endif |
2723 | |