Convert::X509 - interface module to help analyzing X509 data
    use Convert::X509;
    use Data::Dumper;

    my $d;
    local $/;

    open (F,'<', 'request.req');
    # binmode(F); # recommended for DER encoding, not for BASE64
    $d = Convert::X509::Request->new(<F>);
    print 'Dumping request object:',Dumper ($d);
    # ! scalar context
    my $subj = $d->subject('cp1251','cp866') ; # localized Cyrillic
    print "\n",'CN: ', $subj->{'CN'}[0];

    open (F,'<', 'certificate.cer');
    # binmode(F);
    $d = Convert::X509::Certificate->new(<F>,1); # debug flag
    print "\n\n",'Dumping certificate object:',Dumper ($d);
    # ! list context; UTF -> KOI8-R conversion
    print 'Issuer: ',join(',',$d->issuer('','koi8-r')), "\n",
      'valid from ',[$d->from()]->[0],
      ' to (exactly) ', scalar($d->to);

    open (F,'<', 'crl.crl');
    # binmode(F);
    $d = Convert::X509::CRL->new(<F>);
    print "\n",'Dumping CRL object:',Dumper ($d);
    # example: take the "first" (earliest revoked) serial
    my ($s) = sort {
        $d->{'crl'}{$a}{'date'}{'utcTime'} <=> $d->{'crl'}{$b}{'date'}{'utcTime'}
      } keys %{$d->{'crl'}};
    print 'Revocation reason for the earliest revoked certificate N ',$s,' : ',$d->reason($s),"\n",
      'Get next CRL update ', scalar($d->next), ' from', "\n",
      join("\n or\n", $d->cdp);
Convert::X509 really consists of six parts.
1) Convert::X509 itself, just for convenient usage.
2) Convert::X509::Parser for internal usage (contains almost everything: the ASN.1 structure, the OIDs "database", base data processing, most of the logic and code).
3,4,5) Request, Certificate and CRL to parse requests, certificates and CRLs respectively. Almost any valuable data can be extracted directly from the returned object (look in the Dumper output). For some convenience, there are a few methods with self-explaining names.
6) Take a look at Convert::X509::minipkcs7 - it gets serials/OIDs from PKCS7 (encrypted/signed) messages.
Constructor, creates a new object. It takes a parameter which contains the req/cert/crl itself - both DER and BASE64 encoding are supported.
FYI: be careful with binary and ASCII Base64 data being read from a file. For the binary form (DER) you must call "binmode"; for Base64 you must NOT. Check that the returned object is defined.
You can set the debug parameter to get a bit more debugging information: ...->new(<DATA>,1);
Applicable to Request and Certificate.
The result of the method differs for scalar and list context:
- a hash reference like {'C'=>['org'], 'OU'=>['cpan','search']}; a value list often contains only one element, but may contain many in general
- a list like ('CN=Name Surname','C=RU','L=Moscow')
X509 data may contain unicode strings, so in general we have to decode them to a localized one-byte oriented string. That is the _second_ parameter (result codepage) the subject method accepts.
But sometimes X509 data already contains a "localized" one-byte string, and its codepage (the _first_ parameter accepted by subject) can differ from the console's.
That's why subject can take up to two codepages, subject(cp_from,cp_to) (see Encode.pm). Pretty-printing a subject with Russian strings may look like subject('cp1251','cp866') for a Windows (R) console and subject('','koi8-r') for a FreeBSD console.
Applicable to Certificate and CRL.
See 'subject' for details (i.e. localization, scalar/list context).
Returns the date-time (pure ANSI format) the object is valid from. The result differs for scalar and list context:
- a string like '2008-02-29 09:00:01'
- a 2-element list like ('2008-02-29', '09:00:01')
!Important note! It deals only with utcTime-formatted values (no GeneralizedTime support).
Returns the date-time (pure ANSI format) the object is valid to. See 'from' for details.
Applicable to CRL only.
Returns the date-time (pure ANSI format) of the next CRL publish. See 'from' for details.
Has the object expired? Simply returns (TNOW or FROMNOW).
Returns a list of EKU OIDs (or their descriptions if they are in the OIDs hash, i.e. well known).
Returns a list of descriptions for the set key usage bits.
Returns the serial in hexadecimal form.
Returns a revocation description for the certificate with the given serial. If no reason was specified at all, it returns 'Unspecified' anyway.
Returns a list of CRL distribution points.
Applicable to Certificate only.
Returns a list of Authority Information Access locations.
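The following script is an added example, not part of the Convert::X509 distribution. It ties together the constructor's binmode caveat (DER must be read in binary mode, Base64 must not), the 'from'/'to'/'next' date strings and the CRL 'reason' lookup into a validity check a practitioner would actually run. It assumes that new() returns undef on parse failure, that the date methods return 'YYYY-MM-DD HH:MM:SS' in UTC, and that the keys of $crl->{'crl'} are serials in the same form the caller passes in; the sniffing rule (a leading 0x30 byte means DER) is the example's own heuristic.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Convert::X509;
use POSIX qw(strftime);

# Read a file, deciding on binmode by sniffing: DER always begins with the
# SEQUENCE tag 0x30, while PEM/Base64 begins with '-' or a printable letter.
sub slurp_x509 {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "open $path: $!";
    my $first = getc($fh);
    die "empty file $path" unless defined $first;
    seek($fh, 0, 0);
    binmode($fh) if ord($first) == 0x30;   # DER: raw bytes, no newline translation
    local $/;
    return <$fh>;
}

# Construct with the given class and insist that parsing succeeded
# (the docs say to check that the returned object is defined).
sub load_x509 {
    my ($class, $path) = @_;
    my $obj = $class->new(slurp_x509($path));
    die "$class could not parse $path" unless defined $obj;
    return $obj;
}

# ANSI 'YYYY-MM-DD HH:MM:SS' strings order correctly under plain string comparison.
my $now  = strftime('%Y-%m-%d %H:%M:%S', gmtime);  # assumption: utcTime values are UTC
my $cert = load_x509('Convert::X509::Certificate', $ARGV[0] || 'certificate.cer');
my $from = scalar $cert->from;
my $to   = scalar $cert->to;
print "Issuer : ", join(',', $cert->issuer), "\n";
print "Valid  : $from .. $to\n";
print "Status : ", ($now lt $from ? 'not yet valid' : $now gt $to ? 'EXPIRED' : 'ok'), "\n";
print "CDP    : $_\n" for $cert->cdp;

# Optional CRL: flag a stale CRL and look up the serials given on the command line.
if (@ARGV > 1) {
    my $crl  = load_x509('Convert::X509::CRL', $ARGV[1]);
    my $next = scalar $crl->next;
    print "CRL next update $next", ($now gt $next ? ' (STALE: past next update)' : ''), "\n";
    print "Revoked entries: ", scalar(keys %{ $crl->{'crl'} }), "\n";
    for my $s (@ARGV[2 .. $#ARGV]) {   # assumption: hash keys match this serial form
        print "Serial $s: ", (exists $crl->{'crl'}{$s}
            ? 'REVOKED (' . $crl->reason($s) . ')' : 'not in CRL'), "\n";
    }
}
```

Run as `perl check.pl certificate.cer crl.crl <serial>...`; the status and STALE markers are the two conditions a monitoring job would alert on.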
More supplemental functions.
More documentation.
More tests.
More OIDs/ASN structures.
These modules were created with initial ideas from the Crypt::X509 package. Thanks to its authors Mike Jackson <mj@sci.fi>, Alexander Jung <alexander.w.jung@gmail.com>, Duncan Segrest <duncan@gigageek.info>;
and also Norbert Klasen (author of the x509decode script, which was contributed to Convert::ASN1 in 2002) and Graham Barr <gbarr@pobox.com> (author of the Convert::ASN1 package).
Your PKCS#xx structures may contain many unusual things which I haven't ever seen. Mail me any suggestions. And do not be afraid to look inside the modules! I hope they are quite simple.
Leonid Cherepanov <grey.leo/gmail.com>
To install Convert::X509, copy and paste the appropriate command into your terminal.

cpanm:
    cpanm Convert::X509

CPAN shell:
    perl -MCPAN -e shell
    install Convert::X509

For more information on module installation, please visit the detailed CPAN module installation guide.