QCA

qca_cert.h
Go to the documentation of this file.
1/*
2 * qca_cert.h - Qt Cryptographic Architecture
3 * Copyright (C) 2003-2007 Justin Karneges <justin@affinix.com>
4 * Copyright (C) 2004-2006 Brad Hards <bradh@frogmouth.net>
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
19 * 02110-1301 USA
20 *
21 */
22
23/**
24 \file qca_cert.h
25
26 Header file for PGP key and X.509 certificate related classes
27
28 \note You should not use this header directly from an
29 application. You should just use <tt> \#include <QtCrypto>
30 </tt> instead.
31*/
32
33#ifndef QCA_CERT_H
34#define QCA_CERT_H
35
36#include "qca_core.h"
37#include "qca_publickey.h"
38#include <QDateTime>
39
40namespace QCA {
41
42class CertContext;
43class CSRContext;
44class CRLContext;
45class Certificate;
46class CRL;
47class CertificateCollection;
48class CertificateChain;
49
50/**
51 Certificate Request Format
52*/
54{
55 PKCS10, ///< standard PKCS#10 format
56 SPKAC ///< Signed Public Key and Challenge (Netscape) format
57};
58
59/**
60 Known types of information stored in certificates
61
62 This enumerator offers a convenient way to work with common types.
63*/
65{
66 CommonName, ///< The common name (eg person), id = "2.5.4.3"
67 Email, ///< Email address, id = "GeneralName.rfc822Name"
68 EmailLegacy, ///< PKCS#9 Email field, id = "1.2.840.113549.1.9.1"
69 Organization, ///< An organisation (eg company), id = "2.5.4.10"
70 OrganizationalUnit, ///< An part of an organisation (eg a division or branch), id = "2.5.4.11"
71 Locality, ///< The locality (eg city, a shire, or part of a state), id = "2.5.4.7"
72 IncorporationLocality, ///< The locality of incorporation (EV certificates), id = "1.3.6.1.4.1.311.60.2.1.1"
73 State, ///< The state within the country, id = "2.5.4.8"
74 IncorporationState, ///< The state of incorporation (EV certificates), id = "1.3.6.1.4.1.311.60.2.1.2"
75 Country, ///< The country, id = "2.5.4.6"
76 IncorporationCountry, ///< The country of incorporation (EV certificates), id = "1.3.6.1.4.1.311.60.2.1.3"
77 URI, ///< Uniform Resource Identifier, id = "GeneralName.uniformResourceIdentifier"
78 DNS, ///< DNS name, id = "GeneralName.dNSName"
79 IPAddress, ///< IP address, id = "GeneralName.iPAddress"
80 XMPP ///< XMPP address (see http://www.ietf.org/rfc/rfc3920.txt), id = "1.3.6.1.5.5.7.8.5"
81};
82
83/**
84 \class CertificateInfoType qca_cert.h QtCrypto
85
86 Certificate information type
87
88 This class represents a type of information being stored in
89 a certificate. It can be created either using a known type
90 (from the Known enumerator) or an identifier string (usually
91 an OID). Types created either way are interchangeable.
92
93 Types also have the notion of a Section. Some types may
94 reside in the Distinguished Name field of a certificate, and
95 some types may reside in the Subject Alternative Name field.
96 This class is capable of representing a type from either
97 section.
98
99 In the general case, applications will want to use the
100 CertificateInfoTypeKnown enumerator types. These are from RFC3280
101 (http://www.ietf.org/rfc/rfc3280.txt) except where shown.
102
103 The entries for IncorporationLocality, IncorporationState
104 and IncorporationCountry are the same as Locality, State
105 and Country respectively, except that the Extended
106 Validation (EV) certificate guidelines (published by the
107 %Certificate Authority / Browser Forum, see
108 http://www.cabforum.org) distinguish between the place of
109 where the company does business (which is the Locality /
110 State / Country combination) and the jurisdiction where the
111 company is legally incorporated (the IncorporationLocality
112 / IncorporationState / IncorporationCountry combination).
113
114 \sa Certificate::subjectInfo() and Certificate::issuerInfo()
115 \sa CRL::issuerInfo()
116
117 \ingroup UserAPI
118*/
119class QCA_EXPORT CertificateInfoType
120{
121public:
122 /**
123 Section of the certificate that the information belongs in
124 */
126 {
127 DN, ///< Distinguished name (the primary name)
128 AlternativeName ///< Alternative name
129 };
130
131 /**
132 Standard constructor
133 */
135
136 /**
137 Construct a new type
138
139 The section will be derived by \a known.
140
141 \param known the type as part of the CertificateInfoTypeKnown
142 enumerator
143 */
145
146 /**
147 Construct a new type
148
149 \param id the type as an identifier string (OID or internal)
150 \param section the section this type belongs in
151
152 \sa id
153 */
155
156 /**
157 Standard copy constructor
158
159 \param from the certificate information to copy from
160 */
162
164
165 /**
166 Standard assignment operator
167
168 \param from the certificate information to assign from
169 */
171
172 /**
173 The section the type is part of
174 */
176
177 /**
178 The type as part of the CertificateInfoTypeKnown enumerator
179
180 This function may return a value that does not exist in the
181 enumerator. In that case, you may use id() to determine the
182 type.
183 */
185
186 /**
187 The type as an identifier string
188
189 For types that have OIDs, this function returns an OID in string
190 form. For types that do not have OIDs, this function returns an
191 internal identifier string whose first character is not a digit
192 (this allows you to tell the difference between an OID and an
193 internal identifier).
194
195 It is hereby stated that General Names (of the X.509 Subject
196 Alternative Name) shall use the internal identifier format
197 "GeneralName.[rfc field name]". For example, the rfc822Name
198 field would have the identifier "GeneralName.rfc822Name".
199
200 Applications should not store, use, or compare against internal
201 identifiers unless the identifiers are explicitly documented
202 (e.g. GeneralName).
203 */
204 QString id() const;
205
206 /**
207 Comparison operator
208
209 \param other the certificate information to compare with this
210 certificate information.
211 */
212 bool operator<(const CertificateInfoType &other) const;
213
214 /**
215 Comparison operator
216
217 \param other the certificate information to compare with this
218 certificate information.
219 */
220 bool operator==(const CertificateInfoType &other) const;
221
222 /**
223 Inequality operator
224
225 \param other the certificate information to compare with this
226 certificate information.
227 */
228 inline bool operator!=(const CertificateInfoType &other) const
229 {
230 return !(*this == other);
231 }
232
233private:
234 class Private;
236};
237
238/**
239 \class CertificateInfoPair qca_cert.h QtCrypto
240
241 One entry in a certificate information list
242
243 \ingroup UserAPI
244*/
245class QCA_EXPORT CertificateInfoPair
246{
247public:
248 /**
249 Standard constructor
250 */
252
253 /**
254 Construct a new pair
255
256 \param type the type of information stored in this pair
257 \param value the value of the information to be stored
258 */
260
261 /**
262 Standard copy constructor
263
264 \param from the information pair to copy from
265 */
267
269
270 /**
271 Standard assignment operator
272
273 \param from the information pair to assign from
274 */
276
277 /**
278 The type of information stored in the pair
279 */
281
282 /**
283 The value of the information stored in the pair
284 */
285 QString value() const;
286
287 /**
288 Comparison operator
289
290 \param other the certificate information pair to compare with this
291 certificate information pair.
292 */
293 bool operator==(const CertificateInfoPair &other) const;
294
295 /**
296 Inequality operator
297
298 \param other the certificate information pair to compare with this
299 certificate information pair.
300 */
301 inline bool operator!=(const CertificateInfoPair &other) const
302 {
303 return !(*this == other);
304 }
305
306private:
307 class Private;
309};
310
311/**
312 Known types of certificate constraints
313
314 This enumerator offers a convenient way to work with common types.
315*/
317{
318 // KeyUsage
319 DigitalSignature, ///< %Certificate can be used to create digital signatures, id = "KeyUsage.digitalSignature"
320 NonRepudiation, ///< %Certificate can be used for non-repudiation, id = "KeyUsage.nonRepudiation"
321 KeyEncipherment, ///< %Certificate can be used for encrypting / decrypting keys, id = "KeyUsage.keyEncipherment"
322 DataEncipherment, ///< %Certificate can be used for encrypting / decrypting data, id = "KeyUsage.dataEncipherment"
323 KeyAgreement, ///< %Certificate can be used for key agreement, id = "KeyUsage.keyAgreement"
324 KeyCertificateSign, ///< %Certificate can be used for key certificate signing, id = "KeyUsage.keyCertSign"
325 CRLSign, ///< %Certificate can be used to sign %Certificate Revocation Lists, id = "KeyUsage.crlSign"
326 EncipherOnly, ///< %Certificate can only be used for encryption, id = "KeyUsage.encipherOnly"
327 DecipherOnly, ///< %Certificate can only be used for decryption, id = "KeyUsage.decipherOnly"
328
329 // ExtKeyUsage
330 ServerAuth, ///< %Certificate can be used for server authentication (e.g. web server), id = "1.3.6.1.5.5.7.3.1".
331 ///< This is an extended usage constraint.
332 ClientAuth, ///< %Certificate can be used for client authentication (e.g. web browser), id = "1.3.6.1.5.5.7.3.2".
333 ///< This is an extended usage constraint.
334 CodeSigning, ///< %Certificate can be used to sign code, id = "1.3.6.1.5.5.7.3.3". This is an extended usage
335 ///< constraint.
336 EmailProtection, ///< %Certificate can be used to sign / encrypt email, id = "1.3.6.1.5.5.7.3.4". This is an
337 ///< extended usage constraint.
338 IPSecEndSystem, ///< %Certificate can be used to authenticate a endpoint in IPSEC, id = "1.3.6.1.5.5.7.3.5". This is
339 ///< an extended usage constraint.
340 IPSecTunnel, ///< %Certificate can be used to authenticate a tunnel in IPSEC, id = "1.3.6.1.5.5.7.3.6". This is an
341 ///< extended usage constraint.
342 IPSecUser, ///< %Certificate can be used to authenticate a user in IPSEC, id = "1.3.6.1.5.5.7.3.7". This is an
343 ///< extended usage constraint.
344 TimeStamping, ///< %Certificate can be used to create a "time stamp" signature, id = "1.3.6.1.5.5.7.3.8". This is an
345 ///< extended usage constraint.
346 OCSPSigning ///< %Certificate can be used to sign an Online %Certificate Status Protocol (OCSP) assertion, id =
347 ///< "1.3.6.1.5.5.7.3.9". This is an extended usage constraint.
349
350/**
351 \class ConstraintType qca_cert.h QtCrypto
352
353 Certificate constraint
354
355 X.509 certificates can be constrained in their application - that is, some
356 certificates can only be used for certain purposes. This class is used to
357 identify an approved purpose for a certificate.
358
359 \note It is common for a certificate to have more than one purpose.
360
361 \ingroup UserAPI
362*/
363class QCA_EXPORT ConstraintType
364{
365public:
366 /**
367 Section of the certificate that the constraint belongs in
368 */
370 {
371 KeyUsage, ///< Stored in the key usage section
372 ExtendedKeyUsage ///< Stored in the extended key usage section
373 };
374
375 /**
376 Standard constructor
377 */
379
380 /**
381 Construct a new constraint
382
383 The section will be derived by \a known.
384
385 \param known the type as part of the ConstraintTypeKnown
386 enumerator
387 */
389
390 /**
391 Construct a new constraint
392
393 \param id the type as an identifier string (OID or internal)
394 \param section the section this type belongs in
395
396 \sa id
397 */
398 ConstraintType(const QString &id, Section section);
399
400 /**
401 Standard copy constructor
402
403 \param from the constraint type to copy from
404 */
406
408
409 /**
410 Standard assignment operator
411
412 \param from the constraint type to assign from
413 */
415
416 /**
417 The section the constraint is part of
418 */
420
421 /**
422 The type as part of the ConstraintTypeKnown enumerator
423
424 This function may return a value that does not exist in the
425 enumerator. In that case, you may use id() to determine the
426 type.
427 */
429
430 /**
431 The type as an identifier string
432
433 For types that have OIDs, this function returns an OID in string
434 form. For types that do not have OIDs, this function returns an
435 internal identifier string whose first character is not a digit
436 (this allows you to tell the difference between an OID and an
437 internal identifier).
438
439 It is hereby stated that the KeyUsage bit fields shall use the
440 internal identifier format "KeyUsage.[rfc field name]". For
441 example, the keyEncipherment field would have the identifier
442 "KeyUsage.keyEncipherment".
443
444 Applications should not store, use, or compare against internal
445 identifiers unless the identifiers are explicitly documented
446 (e.g. KeyUsage).
447 */
448 QString id() const;
449
450 /**
451 Comparison operator
452
453 \param other the constraint type to compare with this constraint
454 */
455 bool operator<(const ConstraintType &other) const;
456
457 /**
458 Comparison operator
459
460 \param other the constraint type to compare with this constraint
461 */
462 bool operator==(const ConstraintType &other) const;
463
464 /**
465 Inequality operator
466
467 \param other the constraint type to compare with this constraint
468 */
469 inline bool operator!=(const ConstraintType &other) const
470 {
471 return !(*this == other);
472 }
473
474private:
475 class Private;
477};
478
479/**
480 Specify the intended usage of a certificate
481*/
483{
484 UsageAny = 0x00, ///< Any application, or unspecified
485 UsageTLSServer = 0x01, ///< server side of a TLS or SSL connection
486 UsageTLSClient = 0x02, ///< client side of a TLS or SSL connection
487 UsageCodeSigning = 0x04, ///< code signing certificate
488 UsageEmailProtection = 0x08, ///< email (S/MIME) certificate
489 UsageTimeStamping = 0x10, ///< time stamping certificate
490 UsageCRLSigning = 0x20 ///< certificate revocation list signing certificate
492
493/**
494 The validity (or otherwise) of a certificate
495*/
497{
498 ValidityGood, ///< The certificate is valid
499 ErrorRejected, ///< The root CA rejected the certificate purpose
500 ErrorUntrusted, ///< The certificate is not trusted
501 ErrorSignatureFailed, ///< The signature does not match
502 ErrorInvalidCA, ///< The Certificate Authority is invalid
503 ErrorInvalidPurpose, ///< The purpose does not match the intended usage
504 ErrorSelfSigned, ///< The certificate is self-signed, and is not found in the list of trusted certificates
505 ErrorRevoked, ///< The certificate has been revoked
506 ErrorPathLengthExceeded, ///< The path length from the root CA to this certificate is too long
507 ErrorExpired, ///< The certificate has expired, or is not yet valid (e.g. current time is earlier than notBefore
508 ///< time)
509 ErrorExpiredCA, ///< The Certificate Authority has expired
510 ErrorValidityUnknown = 64 ///< Validity is unknown
512
513/**
514 The conditions to validate for a certificate
515*/
517{
518 ValidateAll = 0x00, // Verify all conditions
519 ValidateRevoked = 0x01, // Verify the certificate was not revoked
520 ValidateExpired = 0x02, // Verify the certificate has not expired
521 ValidatePolicy = 0x04 // Verify the certificate can be used for a specified purpose
522};
523
524/**
525 Certificate properties type
526
527 With this container, the information is not necessarily stored
528 in the same sequence as the certificate format itself. Use this
529 container if the order the information is/was stored does not
530 matter for you (this is the case with most applications).
531
532 Additionally, the EmailLegacy type should not be used with this
533 container. Use Email instead.
534*/
536
537/**
538 \class CertificateInfoOrdered qca_cert.h QtCrypto
539
540 Ordered certificate properties type
541
542 This container stores the information in the same sequence as
543 the certificate format itself.
544
545 \ingroup UserAPI
546*/
547class CertificateInfoOrdered : public QList<CertificateInfoPair>
548{
549public:
550 /**
551 Convert to RFC 1779 string format
552 */
553 inline QString toString() const;
554
555 /**
556 Return a new CertificateInfoOrdered that only contains
557 the Distinguished Name (DN) types found in this object.
558 */
559 inline CertificateInfoOrdered dnOnly() const;
560};
561
562/**
563 Convert to RFC 1779 string format
564
565 \param in the certificate info to convert
566*/
568
569/**
570 Return a new CertificateInfoOrdered that only contains
571 the Distinguished Name (DN) types found in the input object.
572
573 \param in the certificate info to extract from
574*/
576
578{
579 return orderedToDNString(*this);
580}
581
583{
584 return orderedDNOnly(*this);
585}
586
587/**
588 %Certificate constraints type
589*/
591
592/**
593 Create a list of unique friendly names among a list of certificates
594
595 \param list the list of certificates for which a friendly name is required.
596
597*/
599
600/**
601 \class CertificateOptions qca_cert.h QtCrypto
602
603 %Certificate options
604
605 \note In SPKAC mode, all options are ignored except for challenge
606
607 \ingroup UserAPI
608*/
609class QCA_EXPORT CertificateOptions
610{
611public:
612 /**
613 Create a Certificate options set
614
615 \param format the format to create the certificate request in
616 */
618
619 /**
620 Standard copy constructor
621
622 \param from the Certificate Options to copy into this object
623 */
626
627 /**
628 Standard assignment operator
629
630 \param from the Certificate Options to copy into this object
631 */
633
634 /**
635 test the format type for this certificate
636 */
638
639 /**
640 Specify the format for this certificate
641
642 \param f the format to use
643 */
645
646 /**
647 Test if the certificate options object is valid
648
649 \return true if the certificate options object is valid
650 */
651 bool isValid() const;
652
653 /**
654 The challenge part of the certificate
655
656 For CertificateRequest only
657
658 \sa setChallenge
659 */
661
662 /**
663 Information on the subject of the certificate
664
665 \sa setInfo
666 */
668
669 /**
670 Information on the subject of the certificate, in the
671 exact order the items will be written
672
673 \sa setInfoOrdered
674 */
676
677 /**
678 List the constraints on this certificate
679 */
681
682 /**
683 list the policies on this certificate
684 */
686
687 /**
688 list of URI locations for CRL files
689
690 each URI refers to the same CRL file
691
692 For Certificate creation only
693 */
695
696 /**
697 list of URI locations for issuer certificate files
698
699 each URI refers to the same issuer file
700
701 For Certificate creation only
702 */
704
705 /**
706 list of URI locations for OCSP services
707
708 For Certificate creation only
709 */
711
712 /**
713 test if the certificate is a CA cert
714
715 \sa setAsCA
716 \sa setAsUser
717 */
718 bool isCA() const;
719
720 /**
721 return the path limit on this certificate
722 */
723 int pathLimit() const;
724
725 /**
726 The serial number for the certificate
727
728 For Certificate creation only
729 */
731
732 /**
733 the first time the certificate will be valid
734
735 For Certificate creation only
736 */
738
739 /**
740 the last time the certificate is valid
741
742 For Certificate creation only
743 */
745
746 /**
747 Specify the challenge associated with this
748 certificate
749
750 \param s the challenge string
751
752 \sa challenge()
753 */
754 void setChallenge(const QString &s);
755
756 /**
757 Specify information for the subject associated with the
758 certificate
759
760 \param info the information for the subject
761
762 \sa info()
763 */
764 void setInfo(const CertificateInfo &info);
765
766 /**
767 Specify information for the subject associated with the
768 certificate
769
770 \param info the information for the subject
771
772 \sa info()
773 */
775
776 /**
777 set the constraints on the certificate
778
779 \param constraints the constraints to be used for the certificate
780 */
781 void setConstraints(const Constraints &constraints);
782
783 /**
784 set the policies on the certificate
785
786 \param policies the policies to be used for the certificate
787 */
788 void setPolicies(const QStringList &policies);
789
790 /**
791 set the CRL locations of the certificate
792
793 each location refers to the same CRL.
794
795 \param locations a list of URIs to CRL files
796 */
797 void setCRLLocations(const QStringList &locations);
798
799 /**
800 set the issuer certificate locations of the certificate
801
802 each location refers to the same issuer file.
803
804 \param locations a list of URIs to issuer certificate files
805 */
806 void setIssuerLocations(const QStringList &locations);
807
808 /**
809 set the OCSP service locations of the certificate
810
811 \param locations a list of URIs to OCSP services
812 */
813 void setOCSPLocations(const QStringList &locations);
814
815 /**
816 set the certificate to be a CA cert
817
818 \param pathLimit the number of intermediate certificates allowable
819 */
820 void setAsCA(int pathLimit = 8); // value from Botan
821
822 /**
823 set the certificate to be a user cert (this is the default)
824 */
825 void setAsUser();
826
827 /**
828 Set the serial number property on this certificate
829
830 \param i the serial number to use
831 */
833
834 /**
835 Set the validity period for the certificate
836
837 \param start the first time this certificate becomes valid
838 \param end the last time this certificate is valid
839 */
840 void setValidityPeriod(const QDateTime &start, const QDateTime &end);
841
842private:
843 class Private;
844 Private *d;
845};
846
847/**
848 \class Certificate qca_cert.h QtCrypto
849
850 Public Key (X.509) certificate
851
852 This class contains one X.509 certificate
853
854 \ingroup UserAPI
855*/
856class QCA_EXPORT Certificate : public Algorithm
857{
858public:
859 /**
860 Create an empty Certificate
861 */
863
864 /**
865 Create a Certificate from a PEM encoded file
866
867 \param fileName the name (and path, if required)
868 of the file that contains the PEM encoded certificate
869 */
870 Certificate(const QString &fileName);
871
872 /**
873 Create a Certificate with specified options and a specified private
874 key
875
876 \param opts the options to use
877 \param key the private key for this certificate
878 \param provider the provider to use to create this key, if a
879 particular provider is required
880 */
881 Certificate(const CertificateOptions &opts, const PrivateKey &key, const QString &provider = QString());
882
883 /**
884 Standard copy constructor
885
886 \param from the certificate to copy from
887 */
889
890 ~Certificate() override;
891
892 /**
893 Standard assignment operator
894
895 \param from the Certificate to assign from
896 */
898
899 /**
900 Test if the certificate is empty (null)
901 \return true if the certificate is null
902 */
903 bool isNull() const;
904
905 /**
906 The earliest date that the certificate is valid
907 */
909
910 /**
911 The latest date that the certificate is valid
912 */
914
915 /**
916 Properties of the subject of the certificate, as a QMultiMap
917
918 This is the method that provides information on the
919 subject organisation, common name, DNS name, and so
920 on. The list of information types (i.e. the key to
921 the multi-map) is a CertificateInfoType. The values
922 are a list of QString.
923
924 An example of how you can iterate over the list is:
925 \code
926foreach( QString dns, info.values(QCA::DNS) )
927{
928 std::cout << " " << qPrintable(dns) << std::endl;
929}
930 \endcode
931 */
933
934 /**
935 Properties of the subject of the certificate, as
936 an ordered list (QList of CertificateInfoPair).
937
938 This allows access to the certificate information
939 in the same order as they appear in a certificate.
940 Each pair in the list has a type and a value.
941
942 For example:
943 \code
944CertificateInfoOrdered info = cert.subjectInfoOrdered();
945// info[0].type == CommonName
946// info[0].value == "example.com"
947 \endcode
948
949 \sa subjectInfo for an unordered version
950 \sa issuerInfoOrdered for the ordered information on the issuer
951 \sa CertificateInfoPair for the elements in the list
952 */
954
955 /**
956 Properties of the issuer of the certificate
957
958 \sa subjectInfo for how the return value works.
959 */
961
962 /**
963 Properties of the issuer of the certificate, as
964 an ordered list (QList of CertificateInfoPair).
965
966 This allows access to the certificate information
967 in the same order as they appear in a certificate.
968 Each pair in the list has a type and a value.
969
970 \sa issuerInfo for an unordered version
971 \sa subjectInfoOrdered for the ordered information on the subject
972 \sa CertificateInfoPair for the elements in the list
973 */
975
976 /**
977 The constraints that apply to this certificate
978 */
980
981 /**
982 The policies that apply to this certificate
983
984 Policies are specified as strings containing OIDs
985 */
987
988 /**
989 List of URI locations for CRL files
990
991 Each URI refers to the same CRL file
992 */
994
995 /**
996 List of URI locations for issuer certificate files
997
998 Each URI refers to the same issuer file
999 */
1001
1002 /**
1003 List of URI locations for OCSP services
1004 */
1006
1007 /**
1008 The common name of the subject of the certificate
1009
1010 Common names are normally the name of a person, company or
1011 organisation
1012 */
1014
1015 /**
1016 The serial number of the certificate
1017 */
1019
1020 /**
1021 The public key associated with the subject of the certificate
1022 */
1024
1025 /**
1026 Test if the Certificate is valid as a %Certificate Authority
1027
1028 \return true if the Certificate is valid as a %Certificate Authority
1029 */
1030 bool isCA() const;
1031
1032 /**
1033 Test if the Certificate is self-signed
1034
1035 \return true if the certificate is self-signed
1036 */
1037 bool isSelfSigned() const;
1038
1039 /**
1040 Test if the Certificate has signed another Certificate
1041 object and is therefore the issuer
1042
1043 \param other the certificate to test
1044
1045 \return true if this certificate is the issuer of the argument
1046 */
1047 bool isIssuerOf(const Certificate &other) const;
1048
1049 /**
1050 The upper bound of the number of links in the certificate
1051 chain, if any
1052 */
1053 int pathLimit() const;
1054
1055 /**
1056 The signature algorithm used for the signature on this certificate
1057 */
1059
1060 /**
1061 The key identifier associated with the subject
1062 */
1064
1065 /**
1066 The key identifier associated with the issuer
1067 */
1069
1070 /**
1071 Check the validity of a certificate
1072
1073 \param trusted a collection of trusted certificates
1074 \param untrusted a collection of additional certificates, not
1075 necessarily trusted
1076 \param u the use required for the certificate
1077 \param vf the conditions to validate
1078
1079 \note This function may block
1080 */
1082 const CertificateCollection &untrusted,
1083 UsageMode u = UsageAny,
1084 ValidateFlags vf = ValidateAll) const;
1085
1086 /**
1087 Export the Certificate into a DER format
1088 */
1090
1091 /**
1092 Export the Certificate into a PEM format
1093 */
1095
1096 /**
1097 Export the Certificate into PEM format in a file
1098
1099 \param fileName the name of the file to use
1100 */
1101 bool toPEMFile(const QString &fileName) const;
1102
1103 /**
1104 Import the certificate from DER
1105
1106 \param a the array containing the certificate in DER format
1107 \param result a pointer to a ConvertResult, which if not-null will
1108 be set to the conversion status
1109 \param provider the provider to use, if a specific provider is
1110 required
1111
1112 \return the Certificate corresponding to the certificate in the
1113 provided array
1114 */
1115 static Certificate
1116 fromDER(const QByteArray &a, ConvertResult *result = nullptr, const QString &provider = QString());
1117
1118 /**
1119 Import the certificate from PEM format
1120
1121 \param s the string containing the certificate in PEM format
1122 \param result a pointer to a ConvertResult, which if not-null will
1123 be set to the conversion status
1124 \param provider the provider to use, if a specific provider is
1125 required
1126
1127 \return the Certificate corresponding to the certificate in the
1128 provided string
1129 */
1130 static Certificate fromPEM(const QString &s, ConvertResult *result = nullptr, const QString &provider = QString());
1131
1132 /**
1133 Import the certificate from a file
1134
1135 \param fileName the name (and path, if required) of the file
1136 containing the certificate in PEM format
1137 \param result a pointer to a ConvertResult, which if not-null will
1138 be set to the conversion status
1139 \param provider the provider to use, if a specific provider is
1140 required
1141
1142 \return the Certificate corresponding to the certificate in the
1143 provided string
1144 */
1145 static Certificate
1146 fromPEMFile(const QString &fileName, ConvertResult *result = nullptr, const QString &provider = QString());
1147
1148 /**
1149 Test if the subject of the certificate matches a specified host
1150 name
1151
1152 This will return true (indicating a match), if the specified host
1153 name meets the RFC 2818 validation rules with this certificate.
1154
1155 If the host is an internationalized domain name, then it must be
1156 provided in unicode format, not in IDNA ACE/punycode format.
1157
1158 \param host the name of the host to compare to
1159 */
1160 bool matchesHostName(const QString &host) const;
1161
1162 /**
1163 Test for equality of two certificates
1164
1165 \param a the certificate to compare this certificate with
1166
1167 \return true if the two certificates are the same
1168 */
1169 bool operator==(const Certificate &a) const;
1170
1171 /**
1172 Inequality operator
1173
1174 \param other the certificate to compare this certificate with
1175 */
1176 inline bool operator!=(const Certificate &other) const
1177 {
1178 return !(*this == other);
1179 }
1180
1181 /**
1182 \internal
1183
1184 \param c context (internal)
1185 */
1187
1188private:
1189 class Private;
1190 friend class Private;
1192
1193 friend class CertificateChain;
1194 Validity chain_validate(const CertificateChain &chain,
1195 const CertificateCollection &trusted,
1196 const QList<CRL> &untrusted_crls,
1197 UsageMode u,
1198 ValidateFlags vf) const;
1200 chain_complete(const CertificateChain &chain, const QList<Certificate> &issuers, Validity *result) const;
1201};
1202
1203/**
1204 \class CertificateChain qca_cert.h QtCrypto
1205
1206 A chain of related Certificates
1207
1208 CertificateChain is a list (a QList) of certificates that are related by
1209 the signature from one to another. If Certificate C signs Certificate B,
1210 and Certificate B signs Certificate A, then C, B and A form a chain.
1211
1212 The normal use of a CertificateChain is from a end-user Certificate (called
1213 the primary, equivalent to QList::first()) through some intermediate
1214 Certificates to some other Certificate (QList::last()), which might be a
1215 root %Certificate Authority, but does not need to be.
1216
1217 You can build up the chain using normal QList operations, such as
1218 QList::append().
1219
1220 \sa QCA::CertificateCollection for an alternative way to represent a group
1221 of Certificates that do not necessarily have a chained relationship.
1222
1223 \ingroup UserAPI
1224*/
1225class CertificateChain : public QList<Certificate>
1226{
1227public:
1228 /**
1229 Create an empty certificate chain
1230 */
1232 {
1233 }
1234
1235 /**
1236 Create a certificate chain, starting at the specified certificate
1237
1238 \param primary the end-user certificate that forms one end of the
1239 chain
1240 */
1242 {
1243 append(primary);
1244 }
1245
1246 /**
1247 Return the primary (end-user) Certificate
1248 */
1249 inline const Certificate &primary() const
1250 {
1251 return first();
1252 }
1253
1254 /**
1255 Check the validity of a certificate chain
1256
1257 \param trusted a collection of trusted certificates
1258 \param untrusted_crls a list of additional CRLs, not necessarily
1259 trusted
1260 \param u the use required for the primary certificate
1261 \param vf the conditions to validate
1262
1263 \note This function may block
1264
1265 \sa Certificate::validate()
1266 */
1267 inline Validity validate(const CertificateCollection &trusted,
1268 const QList<CRL> &untrusted_crls = QList<CRL>(),
1269 UsageMode u = UsageAny,
1270 ValidateFlags vf = ValidateAll) const;
1271
1272 /**
1273 Complete a certificate chain for the primary certificate, using the
1274 rest of the certificates in the chain object, as well as those in
1275 \a issuers, as possible issuers in the chain. If there are issuers
1276 missing, then the chain might be incomplete (at the worst case, if
1277 no issuers exist for the primary certificate, then the resulting
1278 chain will consist of just the primary certificate). Use the
1279 \a result argument to find out if there was a problem during
1280 completion. A result of ValidityGood means the chain was completed
1281 successfully.
1282
1283 The newly constructed CertificateChain is returned.
1284
1285 If the certificate chain is empty, then this will return an empty
1286 CertificateChain object.
1287
1288 \param issuers a pool of issuers to draw from as necessary
1289 \param result the result of the completion operation
1290
1291 \note This function may block
1292
1293 \sa validate
1294 */
1296 Validity *result = nullptr) const;
1297};
1298
1300 const QList<CRL> &untrusted_crls,
1301 UsageMode u,
1302 ValidateFlags vf) const
1303{
1304 if (isEmpty())
1305 return ErrorValidityUnknown;
1306 return first().chain_validate(*this, trusted, untrusted_crls, u, vf);
1307}
1308
1310{
1311 if (isEmpty())
1312 return CertificateChain();
1313 return first().chain_complete(*this, issuers, result);
1314}
1315
1316/**
1317 \class CertificateRequest qca_cert.h QtCrypto
1318
1319 %Certificate Request
1320
1321 A CertificateRequest is a unsigned request for a Certificate
1322
1323 \ingroup UserAPI
1324*/
1325class QCA_EXPORT CertificateRequest : public Algorithm
1326{
1327public:
1328 /**
1329 Create an empty certificate request
1330 */
1332
1333 /**
1334 Create a certificate request based on the contents of a file
1335
1336 \param fileName the file (and path, if necessary) containing a PEM
1337 encoded certificate request
1338 */
1339 CertificateRequest(const QString &fileName);
1340
1341 /**
1342 Create a certificate request based on specified options
1343
1344 \param opts the options to use in the certificate request
1345 \param key the private key that matches the certificate being
1346 requested
1347 \param provider the provider to use, if a specific provider is
1348 required
1349 */
1350 CertificateRequest(const CertificateOptions &opts, const PrivateKey &key, const QString &provider = QString());
1351
1352 /**
1353 Standard copy constructor
1354
1355 \param from the request to copy from
1356 */
1358
1359 ~CertificateRequest() override;
1360
1361 /**
1362 Standard assignment operator
1363
1364 \param from the request to assign from
1365 */
1367
1368 /**
1369 test if the certificate request is empty
1370
1371 \return true if the certificate request is empty, otherwise false
1372 */
1373 bool isNull() const;
1374
1375 /**
1376 Test if the certificate request can use a specified format
1377
1378 \param f the format to test for
1379 \param provider the provider to use, if a specific provider is
1380 required
1381
1382 \return true if the certificate request can use the specified
1383 format
1384 */
1385 static bool canUseFormat(CertificateRequestFormat f, const QString &provider = QString());
1386
1387 /**
1388 the format that this Certificate request is in
1389 */
1391
1392 /**
1393 Information on the subject of the certificate being requested
1394
1395 \note this only applies to PKCS#10 format certificate requests
1396
1397 \sa subjectInfoOrdered for a version that maintains order
1398 in the subject information.
1399 */
1401
1402 /**
1403 Information on the subject of the certificate being requested, as
1404 an ordered list (QList of CertificateInfoPair).
1405
1406 \note this only applies to PKCS#10 format certificate requests
1407
1408 \sa subjectInfo for a version that does not maintain order, but
1409 allows access based on a multimap.
1410 \sa CertificateInfoPair for the elements in the list
1411 */
1413
1414 /**
1415 The constraints that apply to this certificate request
1416
1417 \note this only applies to PKCS#10 format certificate requests
1418 */
1420
1421 /**
1422 The policies that apply to this certificate request
1423
1424 \note this only applies to PKCS#10 format certificate requests
1425 */
1427
1428 /**
1429 The public key belonging to the issuer
1430 */
1432
1433 /**
1434 Test if this %Certificate Request is for a %Certificate Authority
1435 certificate
1436
1437 \note this only applies to PKCS#10 format certificate requests
1438 */
1439 bool isCA() const;
1440
1441 /**
1442 The path limit for the certificate in this %Certificate Request
1443
1444 \note this only applies to PKCS#10 format certificate requests
1445 */
1446 int pathLimit() const;
1447
1448 /**
1449 The challenge associated with this certificate request
1450 */
1452
1453 /**
1454 The algorithm used to make the signature on this certificate
1455 request
1456 */
1458
1459 /**
1460 Test for equality of two certificate requests
1461
1462 \param csr the certificate request to be compared to this certificate request
1463
1464 \return true if the two certificate requests are the same
1465 */
1466 bool operator==(const CertificateRequest &csr) const;
1467
1468 /**
1469 Inequality operator
1470
1471 \param other the certificate request to be compared to this certificate request
1472 */
1473 inline bool operator!=(const CertificateRequest &other) const
1474 {
1475 return !(*this == other);
1476 }
1477
1478 /**
1479 Export the %Certificate Request into a DER format
1480
1481 \note this only applies to PKCS#10 format certificate requests
1482 */
1484
1485 /**
1486 Export the %Certificate Request into a PEM format
1487
1488 \note this only applies to PKCS#10 format certificate requests
1489 */
1491
1492 /**
1493 Export the Certificate into PEM format in a file
1494
1495 \param fileName the name of the file to use
1496
1497 \note this only applies to PKCS#10 format certificate requests
1498 */
1499 bool toPEMFile(const QString &fileName) const;
1500
1501 /**
1502 Import the certificate request from DER
1503
1504 \param a the array containing the certificate request in DER format
1505 \param result a pointer to a ConvertResult, which if not-null will
1506 be set to the conversion status
1507 \param provider the provider to use, if a specific provider is
1508 required
1509
1510 \return the CertificateRequest corresponding to the certificate
1511 request in the provided array
1512
1513 \note this only applies to PKCS#10 format certificate requests
1514 */
1515 static CertificateRequest
1516 fromDER(const QByteArray &a, ConvertResult *result = nullptr, const QString &provider = QString());
1517
1518 /**
1519 Import the certificate request from PEM format
1520
1521 \param s the string containing the certificate request in PEM
1522 format
1523 \param result a pointer to a ConvertResult, which if not-null will
1524 be set to the conversion status
1525 \param provider the provider to use, if a specific provider is
1526 required
1527
1528 \return the CertificateRequest corresponding to the certificate
1529 request in the provided string
1530
1531 \note this only applies to PKCS#10 format certificate requests
1532 */
1533 static CertificateRequest
1534 fromPEM(const QString &s, ConvertResult *result = nullptr, const QString &provider = QString());
1535
1536 /**
1537 Import the certificate request from a file
1538
1539 \param fileName the name (and path, if required) of the file
1540 containing the certificate request in PEM format
1541 \param result a pointer to a ConvertResult, which if not-null will
1542 be set to the conversion status
1543 \param provider the provider to use, if a specific provider is
1544 required
1545
1546 \return the CertificateRequest corresponding to the certificate
1547 request in the provided string
1548
1549 \note this only applies to PKCS#10 format certificate requests
1550 */
1551 static CertificateRequest
1552 fromPEMFile(const QString &fileName, ConvertResult *result = nullptr, const QString &provider = QString());
1553
1554 /**
1555 Export the CertificateRequest to a string
1556
1557 \return the string corresponding to the certificate request
1558
1559 \note this only applies to SPKAC format certificate requests
1560 */
1562
1563 /**
1564 Import the CertificateRequest from a string
1565
1566 \param s the string containing to the certificate request
1567 \param result a pointer to a ConvertResult, which if not-null will
1568 be set to the conversion status
1569 \param provider the provider to use, if a specific provider is
1570 required
1571
1572 \return the CertificateRequest corresponding to the certificate
1573 request in the provided string
1574
1575 \note this only applies to SPKAC format certificate requests
1576 */
1577 static CertificateRequest
1578 fromString(const QString &s, ConvertResult *result = nullptr, const QString &provider = QString());
1579
1580 /**
1581 \internal
1582
1583 \param c context (internal)
1584 */
1586
1587private:
1588 class Private;
1589 friend class Private;
1591};
1592
1593/**
1594 \class CRLEntry qca_cert.h QtCrypto
1595
1596 Part of a CRL representing a single certificate
1597
1598 \ingroup UserAPI
1599*/
1600class QCA_EXPORT CRLEntry
1601{
1602public:
1603 /**
1604 The reason why the certificate has been revoked
1605 */
1607 {
1608 Unspecified, ///< reason is unknown
1609 KeyCompromise, ///< private key has been compromised
1610 CACompromise, ///< certificate authority has been compromised
1611 AffiliationChanged,
1612 Superseded, ///< certificate has been superseded
1613 CessationOfOperation,
1614 CertificateHold, ///< certificate is on hold
1615 RemoveFromCRL, ///< certificate was previously in a CRL, but is now valid
1616 PrivilegeWithdrawn,
1617 AACompromise ///< attribute authority has been compromised
1619
1620 /**
1621 create an empty CRL entry
1622 */
1624
1625 /**
1626 create a CRL entry
1627
1628 \param c the certificate to revoke
1629 \param r the reason that the certificate is being revoked
1630 */
1631 explicit CRLEntry(const Certificate &c, Reason r = Unspecified);
1632
1633 /**
1634 create a CRL entry
1635
1636 \param serial the serial number of the Certificate being revoked
1637 \param time the time the Certificate was revoked (or will be
1638 revoked)
1639 \param r the reason that the certificate is being revoked
1640 */
1641 CRLEntry(const BigInteger serial, const QDateTime &time, Reason r = Unspecified);
1642
1643 /**
1644 Copy constructor
1645
1646 \param from the CRLEntry to copy from
1647 */
1648 CRLEntry(const CRLEntry &from);
1649
1650 ~CRLEntry();
1651
1652 /**
1653 Standard assignment operator
1654
1655 \param from the CRLEntry to copy from
1656 */
1658
1659 /**
1660 The serial number of the certificate that is the subject of this CRL entry
1661 */
1663
1664 /**
1665 The time this CRL entry was created
1666 */
1668
1669 /**
1670 Test if this CRL entry is empty
1671 */
1672 bool isNull() const;
1673
1674 /**
1675 The reason that this CRL entry was created
1676
1677 Alternatively, you might like to think of this as the reason that
1678 the subject certificate has been revoked
1679 */
1681
1682 /**
1683 Test if one CRL entry is "less than" another
1684
1685 CRL entries are compared based on their serial number
1686
1687 \param a the CRL entry to be compared to this CRL entry.
1688 */
1689 bool operator<(const CRLEntry &a) const;
1690
1691 /**
1692 Test for equality of two CRL Entries
1693
1694 \param a the CRL entry to be compared to this CRL entry.
1695
1696 \return true if the two certificates are the same
1697 */
1698 bool operator==(const CRLEntry &a) const;
1699
1700 /**
1701 Inequality operator
1702
1703 \param other the CRL entry to be compared to this CRL entry.
1704 */
1705 inline bool operator!=(const CRLEntry &other) const
1706 {
1707 return !(*this == other);
1708 }
1709
1710private:
1711 BigInteger _serial;
1712 QDateTime _time;
1713 Reason _reason;
1714
1715 class Private;
1716 Private *d;
1717};
1718
1719/**
1720 \class CRL qca_cert.h QtCrypto
1721
1722 %Certificate Revocation List
1723
1724 A %CRL is a list of certificates that are special in some
1725 way. The normal reason for including a certificate on a %CRL
1726 is that the certificate should no longer be used. For
1727 example, if a key is compromised, then the associated
1728 certificate may no longer provides appropriate
1729 security. There are other reasons why a certificate may be
1730 placed on a %CRL, as shown in the CRLEntry::Reason
1731 enumeration.
1732
1733 \sa CertificateCollection for a way to handle Certificates
1734 and CRLs as a single entity.
1735 \sa CRLEntry for the %CRL segment representing a single Certificate.
1736
1737 \ingroup UserAPI
1738*/
1739class QCA_EXPORT CRL : public Algorithm
1740{
1741public:
1742 CRL();
1743
1744 /**
1745 Standard copy constructor
1746
1747 \param from the revocation list to copy from
1748 */
1749 CRL(const CRL &from);
1750
1751 ~CRL() override;
1752
1753 /**
1754 Standard assignment operator
1755
1756 \param from the revocation list to assign from
1757 */
1758 CRL &operator=(const CRL &from);
1759
1760 /**
1761 Test if the CRL is empty
1762
1763 \return true if the CRL is empty, otherwise return false
1764 */
1765 bool isNull() const;
1766
1767 /**
1768 Information on the issuer of the CRL as a QMultiMap.
1769
1770 \sa issuerInfoOrdered for a version that maintains the order
1771 of information fields as per the underlying CRL.
1772 */
1774
1775 /**
1776 Information on the issuer of the CRL as an ordered list
1777 (QList of CertificateInfoPair).
1778
1779 \sa issuerInfo for a version that allows lookup based on
1780 a multimap.
1781 \sa CertificateInfoPair for the elements in the list
1782 */
1784
1785 /**
1786 The CRL serial number. Note that serial numbers are a
1787 CRL extension, and not all certificates have one.
1788
1789 \return the CRL serial number, or -1 if there is no serial number
1790 */
1791 int number() const;
1792
1793 /**
1794 the time that this CRL became (or becomes) valid
1795 */
1797
1798 /**
1799 the time that this CRL will be obsoleted
1800
1801 you should obtain an updated CRL at this time
1802 */
1804
1805 /**
1806 a list of the revoked certificates in this CRL
1807 */
1809
1810 /**
1811 The signature algorithm used for the signature on this CRL
1812 */
1814
1815 /**
1816 The key identification of the CRL issuer
1817 */
1819
1820 /**
1821 Test for equality of two %Certificate Revocation Lists
1822
1823 \param a the CRL to be compared to this CRL
1824
1825 \return true if the two CRLs are the same
1826 */
1827 bool operator==(const CRL &a) const;
1828
1829 /**
1830 Inequality operator
1831
1832 \param other the CRL to be compared to this CRL
1833 */
1834 inline bool operator!=(const CRL &other) const
1835 {
1836 return !(*this == other);
1837 }
1838
1839 /**
1840 Export the %Certificate Revocation List (CRL) in DER format
1841
1842 \return an array containing the CRL in DER format
1843 */
1845
1846 /**
1847 Export the %Certificate Revocation List (CRL) in PEM format
1848
1849 \return a string containing the CRL in PEM format
1850 */
1852
1853 /**
1854 Export the %Certificate Revocation List (CRL) into PEM format in a
1855 file
1856
1857 \param fileName the name of the file to use
1858 */
1859 bool toPEMFile(const QString &fileName) const;
1860
1861 /**
1862 Import a DER encoded %Certificate Revocation List (CRL)
1863
1864 \param a the array containing the CRL in DER format
1865 \param result a pointer to a ConvertResult, which if not-null will
1866 be set to the conversion status
1867 \param provider the provider to use, if a specific provider is
1868 required
1869
1870 \return the CRL corresponding to the contents of the array
1871 */
1872 static CRL fromDER(const QByteArray &a, ConvertResult *result = nullptr, const QString &provider = QString());
1873
1874 /**
1875 Import a PEM encoded %Certificate Revocation List (CRL)
1876
1877 \param s the string containing the CRL in PEM format
1878 \param result a pointer to a ConvertResult, which if not-null will
1879 be set to the conversion status
1880 \param provider the provider to use, if a specific provider is
1881 required
1882
1883 \return the CRL corresponding to the contents of the string
1884 */
1885 static CRL fromPEM(const QString &s, ConvertResult *result = nullptr, const QString &provider = QString());
1886
1887 /**
1888 Import a PEM encoded %Certificate Revocation List (CRL) from a file
1889
1890 \param fileName the name (and path, if required) of the file
1891 containing the certificate in PEM format
1892 \param result a pointer to a ConvertResult, which if not-null will
1893 be set to the conversion status
1894 \param provider the provider to use, if a specific provider is
1895 required
1896
1897 \return the CRL in the file
1898 */
1899 static CRL
1900 fromPEMFile(const QString &fileName, ConvertResult *result = nullptr, const QString &provider = QString());
1901
1902 /**
1903 \internal
1904
1905 \param c context (internal)
1906 */
1908
1909private:
1910 class Private;
1911 friend class Private;
1913};
1914
1915/**
1916 \class CertificateCollection qca_cert.h QtCrypto
1917
1918 Bundle of Certificates and CRLs
1919
1920 CertificateCollection provides a bundle of Certificates and Certificate
1921 Revocation Lists (CRLs), not necessarily related.
1922
1923 \sa QCA::CertificateChain for a representation of a chain of Certificates
1924 related by signatures.
1925
1926 \ingroup UserAPI
1927*/
1929{
1930public:
1931 /**
1932 Create an empty Certificate / CRL collection
1933 */
1935
1936 /**
1937 Standard copy constructor
1938
1939 \param from the CertificateCollection to copy from
1940 */
1942
1944
1945 /**
1946 Standard assignment operator
1947
1948 \param from the CertificateCollection to copy from
1949 */
1951
1952 /**
1953 Append a Certificate to this collection
1954
1955 \param cert the Certificate to add to this CertificateCollection
1956 */
1957 void addCertificate(const Certificate &cert);
1958
1959 /**
1960 Append a CRL to this collection
1961
1962 \param crl the certificate revokation list to add to this
1963 CertificateCollection
1964 */
1965 void addCRL(const CRL &crl);
1966
1967 /**
1968 The Certificates in this collection
1969 */
1971
1972 /**
1973 The CRLs in this collection
1974 */
1976
1977 /**
1978 Add another CertificateCollection to this collection
1979
1980 \param other the CertificateCollection to add to this collection
1981 */
1982 void append(const CertificateCollection &other);
1983
1984 /**
1985 Add another CertificateCollection to this collection
1986
1987 \param other the CertificateCollection to add to this collection
1988 */
1990
1991 /**
1992 Add another CertificateCollection to this collection
1993
1994 \param other the CertificateCollection to add to this collection
1995 */
1997
1998 /**
1999 test if the CertificateCollection can be imported and exported to
2000 PKCS#7 format
2001
2002 \param provider the provider to use, if a specific provider is
2003 required
2004
2005 \return true if the CertificateCollection can be imported and
2006 exported to PKCS#7 format
2007 */
2008 static bool canUsePKCS7(const QString &provider = QString());
2009
2010 /**
2011 export the CertificateCollection to a plain text file
2012
2013 \param fileName the name (and path, if required) to write the
2014 contents of the CertificateCollection to
2015
2016 \return true if the export succeeded, otherwise false
2017 */
2018 bool toFlatTextFile(const QString &fileName);
2019
2020 /**
2021 export the CertificateCollection to a PKCS#7 file
2022
2023 \param fileName the name (and path, if required) to write the
2024 contents of the CertificateCollection to
2025 \param provider the provider to use, if a specific provider is
2026 required
2027
2028 \return true if the export succeeded, otherwise false
2029 */
2030 bool toPKCS7File(const QString &fileName, const QString &provider = QString());
2031
2032 /**
2033 import a CertificateCollection from a text file
2034
2035 \param fileName the name (and path, if required) to read the
2036 certificate collection from
2037 \param result a pointer to a ConvertResult, which if not-null will
2038 be set to the conversion status
2039 \param provider the provider to use, if a specific provider is
2040 required
2041
2042 \return the CertificateCollection corresponding to the contents of
2043 the file specified in fileName
2044 */
2046 fromFlatTextFile(const QString &fileName, ConvertResult *result = nullptr, const QString &provider = QString());
2047
2048 /**
2049 import a CertificateCollection from a PKCS#7 file
2050
2051 \param fileName the name (and path, if required) to read the
2052 certificate collection from
2053 \param result a pointer to a ConvertResult, which if not-null will
2054 be set to the conversion status
2055 \param provider the provider to use, if a specific provider is
2056 required
2057
2058 \return the CertificateCollection corresponding to the contents of
2059 the file specified in fileName
2060 */
2062 fromPKCS7File(const QString &fileName, ConvertResult *result = nullptr, const QString &provider = QString());
2063
2064private:
2065 class Private;
2067};
2068
2069/**
2070 \class CertificateAuthority qca_cert.h QtCrypto
2071
2072 A %Certificate Authority is used to generate Certificates and
2073 %Certificate Revocation Lists (CRLs).
2074
2075 \ingroup UserAPI
2076*/
2077class QCA_EXPORT CertificateAuthority : public Algorithm
2078{
2079public:
2080 /**
2081 Create a new %Certificate Authority
2082
2083 \param cert the CA certificate
2084 \param key the private key associated with the CA certificate
2085 \param provider the provider to use, if a specific provider is
2086 required
2087 */
2088 CertificateAuthority(const Certificate &cert, const PrivateKey &key, const QString &provider);
2089
2090 /**
2091 Copy constructor
2092
2093 \param from the CertificateAuthority to copy from
2094 */
2096
2097 ~CertificateAuthority() override;
2098
2099 /**
2100 Standard assignment operator
2101
2102 \param from the CertificateAuthority to copy from
2103 */
2105
2106 /**
2107 The Certificate belonging to the %CertificateAuthority
2108
2109 This is the Certificate that was passed as an argument to the
2110 constructor
2111 */
2113
2114 /**
2115 Create a new Certificate by signing the provider CertificateRequest
2116
2117 \param req the CertificateRequest to sign
2118 \param notValidAfter the last date that the Certificate will be
2119 valid
2120 */
2121 Certificate signRequest(const CertificateRequest &req, const QDateTime &notValidAfter) const;
2122
2123 /**
2124 Create a new Certificate
2125
2126 \param key the Public Key to use to create the Certificate
2127 \param opts the options to use for the new Certificate
2128 */
2130
2131 /**
2132 Create a new %Certificate Revocation List (CRL)
2133
2134 \param nextUpdate the date that the CRL will be updated
2135
2136 \return an empty CRL
2137 */
2138 CRL createCRL(const QDateTime &nextUpdate) const;
2139
2140 /**
2141 Update the CRL to include new entries
2142
2143 \param crl the CRL to update
2144 \param entries the entries to add to the CRL
2145 \param nextUpdate the date that this CRL will be updated
2146
2147 \return the update CRL
2148 */
2149 CRL updateCRL(const CRL &crl, const QList<CRLEntry> &entries, const QDateTime &nextUpdate) const;
2150
2151private:
2152 class Private;
2153 Private *d;
2154};
2155
2156/**
2157 \class KeyBundle qca_cert.h QtCrypto
2158
2159 Certificate chain and private key pair
2160
2161 KeyBundle is essentially a convience class that holds a
2162 certificate chain and an associated private key. This class
2163 has a number of methods that make it particularly suitable
2164 for accessing a PKCS12 (.p12) format file, however it can
2165 be used as just a container for a Certificate, its
2166 associated PrivateKey and optionally additional
2167 X.509 Certificate that form a chain.
2168
2169 For more information on PKCS12 "Personal Information
2170 Exchange Syntax Standard", see <a
2171 href="ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf">ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf</a>.
2172
2173 \ingroup UserAPI
2174*/
2175class QCA_EXPORT KeyBundle
2176{
2177public:
2178 /**
2179 Create an empty KeyBundle
2180 */
2182
2183 /**
2184 Create a KeyBundle from a PKCS12 (.p12) encoded
2185 file
2186
2187 This constructor requires appropriate plugin (provider)
2188 support. You must check for the "pkcs12" feature
2189 before using this constructor.
2190
2191 \param fileName the name of the file to read from
2192 \param passphrase the passphrase that is applicable to the file
2193
2194 \sa fromFile for a more flexible version of the
2195 same capability.
2196
2197 \note This synchronous operation may require event handling, and so
2198 it must not be called from the same thread as an EventHandler.
2199 */
2200 explicit KeyBundle(const QString &fileName, const SecureArray &passphrase = SecureArray());
2201
2202 /**
2203 Standard copy constructor
2204
2205 \param from the KeyBundle to use as source
2206 */
2207 KeyBundle(const KeyBundle &from);
2208
2209 ~KeyBundle();
2210
2211 /**
2212 Standard assignment operator
2213
2214 \param from the KeyBundle to use as source
2215 */
2217
2218 /**
2219 Test if this key is empty (null)
2220 */
2221 bool isNull() const;
2222
2223 /**
2224 The name associated with this key.
2225
2226 This is also known as the "friendly name", and if
2227 present, is typically suitable to be displayed to
2228 the user.
2229
2230 \sa setName
2231 */
2232 QString name() const;
2233
2234 /**
2235 The public certificate part of this bundle
2236
2237 \sa setCertificateChainAndKey
2238 */
2240
2241 /**
2242 The private key part of this bundle
2243
2244 \sa setCertificateChainAndKey
2245 */
2247
2248 /**
2249 Specify the name of this bundle
2250
2251 \param s the name to use
2252 */
2253 void setName(const QString &s);
2254
2255 /**
2256 Set the public certificate and private key
2257
2258 \param c the CertificateChain containing the public part of the
2259 Bundle
2260 \param key the private key part of the Bundle
2261
2262 \sa privateKey, certificateChain for getters
2263 */
2265
2266 /**
2267 Export the key bundle to an array in PKCS12 format.
2268
2269 This method requires appropriate plugin (provider)
2270 support - you must check for the "pkcs12" feature,
2271 as shown below.
2272
2273 \code
2274if( QCA::isSupported("pkcs12") )
2275{
2276 // can use I/O
2277 byteArray = bundle.toArray( "pass phrase" );
2278}
2279else
2280{
2281 // not possible to use I/O
2282}
2283 \endcode
2284
2285 \param passphrase the passphrase to use to protect the bundle
2286 \param provider the provider to use, if a specific provider is
2287 required
2288 */
2289 QByteArray toArray(const SecureArray &passphrase, const QString &provider = QString()) const;
2290
2291 /**
2292 Export the key bundle to a file in PKCS12 (.p12) format
2293
2294 This method requires appropriate plugin (provider)
2295 support - you must check for the "pkcs12" feature,
2296 as shown below.
2297
2298 \code
2299if( QCA::isSupported("pkcs12") )
2300{
2301 // can use I/O
2302 bool result = bundle.toFile( filename, "pass phrase" );
2303}
2304else
2305{
2306 // not possible to use I/O
2307}
2308 \endcode
2309
2310 \param fileName the name of the file to save to
2311 \param passphrase the passphrase to use to protect the bundle
2312 \param provider the provider to use, if a specific provider is
2313 required
2314 */
2315 bool toFile(const QString &fileName, const SecureArray &passphrase, const QString &provider = QString()) const;
2316
2317 /**
2318 Import the key bundle from an array in PKCS12 format
2319
2320 This method requires appropriate plugin (provider)
2321 support - you must check for the "pkcs12" feature,
2322 as shown below.
2323
2324 \code
2325if( QCA::isSupported("pkcs12") )
2326{
2327 // can use I/O
2328 bundle = QCA::KeyBundle::fromArray( array, "pass phrase" );
2329}
2330else
2331{
2332 // not possible to use I/O
2333}
2334 \endcode
2335
2336 \param a the array to import from
2337 \param passphrase the passphrase for the encoded bundle
2338 \param result pointer to the result of the import process
2339 \param provider the provider to use, if a specific provider is
2340 required
2341
2342 \sa QCA::KeyLoader for an asynchronous loader approach.
2343
2344 \note This synchronous operation may require event handling, and so
2345 it must not be called from the same thread as an EventHandler.
2346 */
2348 const SecureArray &passphrase = SecureArray(),
2349 ConvertResult *result = nullptr,
2350 const QString &provider = QString());
2351
2352 /**
2353 Import the key bundle from a file in PKCS12 (.p12) format
2354
2355 This method requires appropriate plugin (provider)
2356 support - you must check for the "pkcs12" feature,
2357 as shown below.
2358
2359 \code
2360if( QCA::isSupported("pkcs12") )
2361{
2362 // can use I/O
2363 bundle = QCA::KeyBundle::fromFile( filename, "pass phrase" );
2364}
2365else
2366{
2367 // not possible to use I/O
2368}
2369 \endcode
2370
2371 \param fileName the name of the file to read from
2372 \param passphrase the passphrase for the encoded bundle
2373 \param result pointer to the result of the import process
2374 \param provider the provider to use, if a specific provider is
2375 required
2376
2377 \sa QCA::KeyLoader for an asynchronous loader approach.
2378
2379 \note This synchronous operation may require event handling, and so
2380 it must not be called from the same thread as an EventHandler.
2381 */
2382 static KeyBundle fromFile(const QString &fileName,
2383 const SecureArray &passphrase = SecureArray(),
2384 ConvertResult *result = nullptr,
2385 const QString &provider = QString());
2386
2387private:
2388 class Private;
2390};
2391
2392/**
2393 \class PGPKey qca_cert.h QtCrypto
2394
2395 Pretty Good Privacy key
2396
2397 This holds either a reference to an item in a real PGP keyring,
2398 or a standalone item created using the from*() functions.
2399
2400 Note that with the latter method, the key is of no use besides
2401 being informational. The key must be in a keyring
2402 (that is, inKeyring() == true) to actually do crypto with it.
2403
2404 \ingroup UserAPI
2405*/
2406class QCA_EXPORT PGPKey : public Algorithm
2407{
2408public:
2409 /**
2410 Create an empty PGP key
2411 */
2413
2414 /**
2415 Create a PGP key from an encoded file
2416
2417 \param fileName the name (and path, if required) of the file
2418 that the PGP key is to be loaded from.
2419
2420 \sa fromFile for a version that allows better error checking / validation
2421 \sa toFile for a method to write out the key.
2422 */
2423 PGPKey(const QString &fileName);
2424
2425 /**
2426 Standard copy constructor
2427
2428 \param from the PGPKey to use as the source
2429 */
2430 PGPKey(const PGPKey &from);
2431
2432 ~PGPKey() override;
2433
2434 /**
2435 Standard assignment operator
2436
2437 \param from the PGPKey to use as the source
2438 */
2439 PGPKey &operator=(const PGPKey &from);
2440
2441 /**
2442 Test if the PGP key is empty (null)
2443
2444 \return true if the PGP key is null
2445 */
2446 bool isNull() const;
2447
2448 /**
2449 The Key identification for the PGP key
2450 */
2452
2453 /**
2454 The primary user identification for the key
2455 */
2457
2458 /**
2459 The list of all user identifications associated with the key
2460 */
2462
2463 /**
2464 Test if the PGP key is the secret key
2465
2466 \return true if the PGP key is the secret key
2467 */
2468 bool isSecret() const;
2469
2470 /**
2471 The creation date for the key
2472 */
2474
2475 /**
2476 The expiration date for the key
2477 */
2479
2480 /**
2481 The key fingerpint
2482
2483 This will return the PGP fingerprint as a string. It comprises 40
2484 hex digits, without spaces.
2485 */
2487
2488 /**
2489 Test if this key is in a keyring
2490
2491 \return true if the key is in a keyring
2492
2493 \note keys that are not in a keyring cannot be used for encryption,
2494 decryption, signing or verification
2495 */
2496 bool inKeyring() const;
2497
2498 /**
2499 Test if the key is trusted
2500
2501 \return true if the key is trusted
2502 */
2503 bool isTrusted() const;
2504
2505 /**
2506 Export the key to an array.
2507
2508 This will export the key in a binary format (that is, not in an
2509 "ascii armoured" form).
2510
2511 \sa fromArray for a static import method.
2512 \sa toString for an "ascii armoured" export method.
2513 */
2515
2516 /**
2517 Export the key to a string
2518
2519 This will export the key in an "ascii armoured" form.
2520
2521 \sa fromString for a static import method.
2522 \sa toArray for a binary format export method.
2523 */
2525
2526 /**
2527 Export the key to a file
2528
2529 \param fileName the name of the file to save the key to
2530 */
2531 bool toFile(const QString &fileName) const;
2532
2533 /**
2534 Import the key from an array
2535
2536 \param a the array to import from
2537 \param result if not null, this will be set to the result of the
2538 import process
2539 \param provider the provider to use, if a particular provider is
2540 required
2541 */
2542 static PGPKey fromArray(const QByteArray &a, ConvertResult *result = nullptr, const QString &provider = QString());
2543
2544 /**
2545 Import the key from a string
2546
2547 \param s the string to import from
2548 \param result if not null, this will be set to the result of the
2549 import process
2550 \param provider the provider to use, if a particular provider is
2551 required
2552 */
2553 static PGPKey fromString(const QString &s, ConvertResult *result = nullptr, const QString &provider = QString());
2554
2555 /**
2556 Import the key from a file
2557
2558 \param fileName string containing the name of the file to import
2559 from
2560 \param result if not null, this will be set to the result of the
2561 import process
2562 \param provider the provider to use, if a particular provider is
2563 required
2564 */
2565 static PGPKey
2566 fromFile(const QString &fileName, ConvertResult *result = nullptr, const QString &provider = QString());
2567
2568private:
2569 class Private;
2570 Private *d;
2571};
2572
2573/**
2574 \class KeyLoader qca_cert.h QtCrypto
2575
2576 Asynchronous private key loader
2577
2578 GUI applications generally must use KeyLoader to load private keys. This
2579 is because the synchronous private key loading functions, for example
2580 QCA::PrivateKey::fromPEMFile(), cannot be used within the same thread as an
2581 EventHandler, and most GUI applications will use EventHandler from the main
2582 thread. KeyLoader does not have this problem. It can be used from any
2583 thread, including the same thread as EventHandler.
2584
2585 The KeyLoader class allows you to asynchronously load stand-alone private
2586 keys (QCA::PrivateKey) or private keys with a certificate (QCA::KeyBundle)
2587 with a signal that advises of completion.
2588
2589 To use this class to load a PrivateKey, you create a KeyLoader object then
2590 use one of the loadPrivateKeyFrom...() functions, depending on the format
2591 for your key. These functions return immediately. When you get the
2592 finished() signal, you can check that the loading operation succeeded
2593 (using convertResult()) and then obtain the PrivateKey using the
2594 privateKey() function.
2595
2596 The same process applies for loading a KeyBundle, except that you use
2597 either loadKeyBundleFromFile() or loadKeyBundleFromArray() instead of the
2598 loadPrivateKeyFrom...() function, and use keyBundle() instead of
2599 privateKey().
2600
2601 The loader may need a passphrase to complete the loading of the key or key
2602 bundle. You should use the QCA::EventHandler class to ensure that you deal
2603 with this correctly.
2604
2605 \note %QCA also provides synchronous private key loading using
2606 QCA::PrivateKey::fromPEMFile(), QCA::PrivateKey::fromPEM() and
2607 QCA::PrivateKey::fromDER(). %QCA provides synchronous key bundle loading
2608 using QCA::KeyBundle::fromArray() and QCA::KeyBundle::fromFile().
2609
2610 \ingroup UserAPI
2611*/
2612class QCA_EXPORT KeyLoader : public QObject
2613{
2614 Q_OBJECT
2615public:
2616 /**
2617 Create a KeyLoader object.
2618
2619 \param parent the parent object for this object
2620 */
2621 KeyLoader(QObject *parent = nullptr);
2622 ~KeyLoader() override;
2623
2624 /**
2625 Initiate an asynchronous loading of a PrivateKey from a PEM format
2626 file.
2627
2628 This function will return immediately.
2629
2630 \param fileName the name of the file (and path, if necessary) to
2631 load the key from
2632 */
2633 void loadPrivateKeyFromPEMFile(const QString &fileName);
2634
2635 /**
2636 Initiate an asynchronous loading of a PrivateKey from a PEM format
2637 string.
2638
2639 This function will return immediately.
2640
2641 \param s the string containing the PEM formatted key
2642 */
2644
2645 /**
2646 Initiate an asynchronous loading of a PrivateKey from a DER format
2647 array.
2648
2649 This function will return immediately.
2650
2651 \param a the array containing the DER formatted key
2652 */
2654
2655 /**
2656 Initiate an asynchronous loading of a KeyBundle from a file
2657
2658 This function will return immediately.
2659
2660 \param fileName the name of the file (and path, if necessary) to
2661 load the key bundle from
2662 */
2663 void loadKeyBundleFromFile(const QString &fileName);
2664
2665 /**
2666 Initiate an asynchronous loading of a KeyBundle from an array
2667
2668 This function will return immediately.
2669
2670 \param a the array containing the key bundle
2671 */
2673
2674 /**
2675 The result of the loading process.
2676
2677 This is not valid until the finished() signal has been emitted.
2678 */
2680
2681 /**
2682 The private key that has been loaded.
2683
2684 This is only valid if loadPrivateKeyFromPEMFile(),
2685 loadPrivateKeyFromPEM() or loadPrivateKeyFromDER() has been used,
2686 the load has completed (that is, finished() has been emitted), and
2687 the conversion succeeded (that is, convertResult() returned
2688 ConvertGood).
2689 */
2691
2692 /**
2693 The key bundle that has been loaded.
2694
2695 This is only valid if loadKeyBundleFromFile() or
2696 loadKeyBundleFromArray() has been used, the load has completed
2697 (that is, finished() has been emitted), and the conversion
2698 succeeded (that is, convertResult() returned ConvertGood).
2699 */
2701
2702Q_SIGNALS:
2703 /**
2704 Signal that is emitted when the load process has completed.
2705
2706 \note The load process may not have completed successfully - check
2707 the result of convertResult() to confirm this before using the
2708 privateKey() or keyBundle() results.
2709 */
2710 void finished();
2711
2712private:
2713 Q_DISABLE_COPY(KeyLoader)
2714
2715 class Private;
2716 friend class Private;
2717 Private *d;
2718};
2719
2720}
2721
2722#endif
General superclass for an algorithm.
Definition qca_core.h:1164
Arbitrary precision integer.
Definition qca_tools.h:571
X.509 certificate revocation list provider.
Part of a CRL representing a single certificate.
Definition qca_cert.h:1601
BigInteger serialNumber() const
The serial number of the certificate that is the subject of this CRL entry.
CRLEntry()
create an empty CRL entry
Reason reason() const
The reason that this CRL entry was created.
CRLEntry & operator=(const CRLEntry &from)
Standard assignment operator.
bool operator!=(const CRLEntry &other) const
Inequality operator.
Definition qca_cert.h:1705
Reason
The reason why the certificate has been revoked.
Definition qca_cert.h:1607
@ CACompromise
certificate authority has been compromised
Definition qca_cert.h:1610
@ Unspecified
reason is unknown
Definition qca_cert.h:1608
@ CertificateHold
certificate is on hold
Definition qca_cert.h:1614
@ KeyCompromise
private key has been compromised
Definition qca_cert.h:1609
@ Superseded
certificate has been superseded
Definition qca_cert.h:1612
@ RemoveFromCRL
certificate was previously in a CRL, but is now valid
Definition qca_cert.h:1615
CRLEntry(const CRLEntry &from)
Copy constructor.
bool operator<(const CRLEntry &a) const
Test if one CRL entry is "less than" another.
bool isNull() const
Test if this CRL entry is empty.
bool operator==(const CRLEntry &a) const
Test for equality of two CRL Entries.
CRLEntry(const BigInteger serial, const QDateTime &time, Reason r=Unspecified)
create a CRL entry
CRLEntry(const Certificate &c, Reason r=Unspecified)
create a CRL entry
QDateTime time() const
The time this CRL entry was created.
Certificate Revocation List
Definition qca_cert.h:1740
QList< CRLEntry > revoked() const
a list of the revoked certificates in this CRL
static CRL fromPEMFile(const QString &fileName, ConvertResult *result=nullptr, const QString &provider=QString())
Import a PEM encoded Certificate Revocation List (CRL) from a file.
void change(CRLContext *c)
QByteArray issuerKeyId() const
The key identification of the CRL issuer.
bool isNull() const
Test if the CRL is empty.
static CRL fromPEM(const QString &s, ConvertResult *result=nullptr, const QString &provider=QString())
Import a PEM encoded Certificate Revocation List (CRL)
QDateTime thisUpdate() const
the time that this CRL became (or becomes) valid
QDateTime nextUpdate() const
the time that this CRL will be obsoleted
CRL & operator=(const CRL &from)
Standard assignment operator.
QString toPEM() const
Export the Certificate Revocation List (CRL) in PEM format.
bool toPEMFile(const QString &fileName) const
Export the Certificate Revocation List (CRL) into PEM format in a file.
SignatureAlgorithm signatureAlgorithm() const
The signature algorithm used for the signature on this CRL.
bool operator==(const CRL &a) const
Test for equality of two Certificate Revocation Lists.
CertificateInfoOrdered issuerInfoOrdered() const
Information on the issuer of the CRL as an ordered list (QList of CertificateInfoPair).
int number() const
The CRL serial number.
CertificateInfo issuerInfo() const
Information on the issuer of the CRL as a QMultiMap.
bool operator!=(const CRL &other) const
Inequality operator.
Definition qca_cert.h:1834
QByteArray toDER() const
Export the Certificate Revocation List (CRL) in DER format.
CRL(const CRL &from)
Standard copy constructor.
static CRL fromDER(const QByteArray &a, ConvertResult *result=nullptr, const QString &provider=QString())
Import a DER encoded Certificate Revocation List (CRL)
X.509 certificate request provider.
X.509 certificate provider.
A Certificate Authority is used to generate Certificates and Certificate Revocation Lists (CRLs).
Definition qca_cert.h:2078
CRL createCRL(const QDateTime &nextUpdate) const
Create a new Certificate Revocation List (CRL)
Certificate createCertificate(const PublicKey &key, const CertificateOptions &opts) const
Create a new Certificate.
CRL updateCRL(const CRL &crl, const QList< CRLEntry > &entries, const QDateTime &nextUpdate) const
Update the CRL to include new entries.
CertificateAuthority(const Certificate &cert, const PrivateKey &key, const QString &provider)
Create a new Certificate Authority.
CertificateAuthority(const CertificateAuthority &from)
Copy constructor.
Certificate signRequest(const CertificateRequest &req, const QDateTime &notValidAfter) const
Create a new Certificate by signing the provider CertificateRequest.
Certificate certificate() const
The Certificate belonging to the CertificateAuthority.
CertificateAuthority & operator=(const CertificateAuthority &from)
Standard assignment operator.
A chain of related Certificates.
Definition qca_cert.h:1226
CertificateChain(const Certificate &primary)
Create a certificate chain, starting at the specified certificate.
Definition qca_cert.h:1241
CertificateChain()
Create an empty certificate chain.
Definition qca_cert.h:1231
const Certificate & primary() const
Return the primary (end-user) Certificate.
Definition qca_cert.h:1249
Validity validate(const CertificateCollection &trusted, const QList< CRL > &untrusted_crls=QList< CRL >(), UsageMode u=UsageAny, ValidateFlags vf=ValidateAll) const
Check the validity of a certificate chain.
Definition qca_cert.h:1299
CertificateChain complete(const QList< Certificate > &issuers=QList< Certificate >(), Validity *result=nullptr) const
Complete a certificate chain for the primary certificate, using the rest of the certificates in the c...
Definition qca_cert.h:1309
Bundle of Certificates and CRLs.
Definition qca_cert.h:1929
void addCRL(const CRL &crl)
Append a CRL to this collection.
bool toPKCS7File(const QString &fileName, const QString &provider=QString())
export the CertificateCollection to a PKCS#7 file
CertificateCollection & operator+=(const CertificateCollection &other)
Add another CertificateCollection to this collection.
QList< Certificate > certificates() const
The Certificates in this collection.
static CertificateCollection fromFlatTextFile(const QString &fileName, ConvertResult *result=nullptr, const QString &provider=QString())
import a CertificateCollection from a text file
CertificateCollection()
Create an empty Certificate / CRL collection.
CertificateCollection & operator=(const CertificateCollection &from)
Standard assignment operator.
void append(const CertificateCollection &other)
Add another CertificateCollection to this collection.
static bool canUsePKCS7(const QString &provider=QString())
test if the CertificateCollection can be imported and exported to PKCS#7 format
CertificateCollection(const CertificateCollection &from)
Standard copy constructor.
QList< CRL > crls() const
The CRLs in this collection.
CertificateCollection operator+(const CertificateCollection &other) const
Add another CertificateCollection to this collection.
static CertificateCollection fromPKCS7File(const QString &fileName, ConvertResult *result=nullptr, const QString &provider=QString())
import a CertificateCollection from a PKCS#7 file
bool toFlatTextFile(const QString &fileName)
export the CertificateCollection to a plain text file
void addCertificate(const Certificate &cert)
Append a Certificate to this collection.
Ordered certificate properties type.
Definition qca_cert.h:548
QString toString() const
Convert to RFC 1779 string format.
Definition qca_cert.h:577
CertificateInfoOrdered dnOnly() const
Return a new CertificateInfoOrdered that only contains the Distinguished Name (DN) types found in thi...
Definition qca_cert.h:582
One entry in a certificate information list.
Definition qca_cert.h:246
CertificateInfoPair(const CertificateInfoPair &from)
Standard copy constructor.
bool operator!=(const CertificateInfoPair &other) const
Inequality operator.
Definition qca_cert.h:301
CertificateInfoPair(const CertificateInfoType &type, const QString &value)
Construct a new pair.
QString value() const
The value of the information stored in the pair.
CertificateInfoPair & operator=(const CertificateInfoPair &from)
Standard assignment operator.
bool operator==(const CertificateInfoPair &other) const
Comparison operator.
CertificateInfoPair()
Standard constructor.
CertificateInfoType type() const
The type of information stored in the pair.
Certificate information type.
Definition qca_cert.h:120
bool operator<(const CertificateInfoType &other) const
Comparison operator.
CertificateInfoType & operator=(const CertificateInfoType &from)
Standard assignment operator.
bool operator==(const CertificateInfoType &other) const
Comparison operator.
CertificateInfoTypeKnown known() const
The type as part of the CertificateInfoTypeKnown enumerator.
Section section() const
The section the type is part of.
CertificateInfoType(CertificateInfoTypeKnown known)
Construct a new type.
bool operator!=(const CertificateInfoType &other) const
Inequality operator.
Definition qca_cert.h:228
QString id() const
The type as an identifier string.
CertificateInfoType(const QString &id, Section section)
Construct a new type.
Section
Section of the certificate that the information belongs in.
Definition qca_cert.h:126
@ DN
Distinguished name (the primary name)
Definition qca_cert.h:127
CertificateInfoType()
Standard constructor.
CertificateInfoType(const CertificateInfoType &from)
Standard copy constructor.
Certificate options
Definition qca_cert.h:610
BigInteger serialNumber() const
The serial number for the certificate.
CertificateOptions & operator=(const CertificateOptions &from)
Standard assignment operator.
QDateTime notValidBefore() const
the first time the certificate will be valid
void setInfo(const CertificateInfo &info)
Specify information for the subject associated with the certificate.
void setPolicies(const QStringList &policies)
set the policies on the certificate
bool isCA() const
test if the certificate is a CA cert
CertificateInfoOrdered infoOrdered() const
Information on the subject of the certificate, in the exact order the items will be written.
void setCRLLocations(const QStringList &locations)
set the CRL locations of the certificate
QStringList crlLocations() const
list of URI locations for CRL files
void setOCSPLocations(const QStringList &locations)
set the OCSP service locations of the certificate
void setInfoOrdered(const CertificateInfoOrdered &info)
Specify information for the subject associated with the certificate.
void setChallenge(const QString &s)
Specify the challenge associated with this certificate.
void setIssuerLocations(const QStringList &locations)
set the issuer certificate locations of the certificate
CertificateOptions(const CertificateOptions &from)
Standard copy constructor.
void setValidityPeriod(const QDateTime &start, const QDateTime &end)
Set the validity period for the certificate.
QDateTime notValidAfter() const
the last time the certificate is valid
void setConstraints(const Constraints &constraints)
set the constraints on the certificate
QString challenge() const
The challenge part of the certificate.
void setFormat(CertificateRequestFormat f)
Specify the format for this certificate.
void setAsCA(int pathLimit=8)
set the certificate to be a CA cert
CertificateRequestFormat format() const
test the format type for this certificate
CertificateInfo info() const
Information on the subject of the certificate.
void setSerialNumber(const BigInteger &i)
Set the serial number property on this certificate.
void setAsUser()
set the certificate to be a user cert (this is the default)
QStringList issuerLocations() const
list of URI locations for issuer certificate files
Constraints constraints() const
List the constraints on this certificate.
bool isValid() const
Test if the certificate options object is valid.
QStringList ocspLocations() const
list of URI locations for OCSP services
int pathLimit() const
return the path limit on this certificate
QStringList policies() const
list the policies on this certificate
CertificateOptions(CertificateRequestFormat format=PKCS10)
Create a Certificate options set.
Certificate Request
Definition qca_cert.h:1326
QString toString() const
Export the CertificateRequest to a string.
static CertificateRequest fromPEM(const QString &s, ConvertResult *result=nullptr, const QString &provider=QString())
Import the certificate request from PEM format.
QStringList policies() const
The policies that apply to this certificate request.
CertificateRequest(const CertificateRequest &from)
Standard copy constructor.
CertificateRequest & operator=(const CertificateRequest &from)
Standard assignment operator.
bool isNull() const
test if the certificate request is empty
bool operator==(const CertificateRequest &csr) const
Test for equality of two certificate requests.
QByteArray toDER() const
Export the Certificate Request into a DER format.
static bool canUseFormat(CertificateRequestFormat f, const QString &provider=QString())
Test if the certificate request can use a specified format.
bool toPEMFile(const QString &fileName) const
Export the Certificate into PEM format in a file.
static CertificateRequest fromDER(const QByteArray &a, ConvertResult *result=nullptr, const QString &provider=QString())
Import the certificate request from DER.
bool operator!=(const CertificateRequest &other) const
Inequality operator.
Definition qca_cert.h:1473
QString challenge() const
The challenge associated with this certificate request.
CertificateInfoOrdered subjectInfoOrdered() const
Information on the subject of the certificate being requested, as an ordered list (QList of Certifica...
CertificateRequest(const CertificateOptions &opts, const PrivateKey &key, const QString &provider=QString())
Create a certificate request based on specified options.
CertificateRequest()
Create an empty certificate request.
QString toPEM() const
Export the Certificate Request into a PEM format.
bool isCA() const
Test if this Certificate Request is for a Certificate Authority certificate.
CertificateRequest(const QString &fileName)
Create a certificate request based on the contents of a file.
SignatureAlgorithm signatureAlgorithm() const
The algorithm used to make the signature on this certificate request.
CertificateInfo subjectInfo() const
Information on the subject of the certificate being requested.
int pathLimit() const
The path limit for the certificate in this Certificate Request.
Constraints constraints() const
The constraints that apply to this certificate request.
CertificateRequestFormat format() const
the format that this Certificate request is in
void change(CSRContext *c)
static CertificateRequest fromPEMFile(const QString &fileName, ConvertResult *result=nullptr, const QString &provider=QString())
Import the certificate request from a file.
PublicKey subjectPublicKey() const
The public key belonging to the issuer.
static CertificateRequest fromString(const QString &s, ConvertResult *result=nullptr, const QString &provider=QString())
Import the CertificateRequest from a string.
Public Key (X.509) certificate.
Definition qca_cert.h:857
bool matchesHostName(const QString &host) const
Test if the subject of the certificate matches a specified host name.
SignatureAlgorithm signatureAlgorithm() const
The signature algorithm used for the signature on this certificate.
static Certificate fromPEM(const QString &s, ConvertResult *result=nullptr, const QString &provider=QString())
Import the certificate from PEM format.
Constraints constraints() const
The constraints that apply to this certificate.
QString commonName() const
The common name of the subject of the certificate.
bool isSelfSigned() const
Test if the Certificate is self-signed.
CertificateInfoOrdered subjectInfoOrdered() const
Certificate(const CertificateOptions &opts, const PrivateKey &key, const QString &provider=QString())
Create a Certificate with specified options and a specified private key.
bool isCA() const
Test if the Certificate is valid as a Certificate Authority.
bool operator!=(const Certificate &other) const
Inequality operator.
Definition qca_cert.h:1176
Certificate & operator=(const Certificate &from)
Standard assignment operator.
void change(CertContext *c)
static Certificate fromDER(const QByteArray &a, ConvertResult *result=nullptr, const QString &provider=QString())
Import the certificate from DER.
int pathLimit() const
The upper bound of the number of links in the certificate chain, if any.
QDateTime notValidBefore() const
The earliest date that the certificate is valid.
CertificateInfoOrdered issuerInfoOrdered() const
Properties of the issuer of the certificate, as an ordered list (QList of CertificateInfoPair).
QStringList policies() const
The policies that apply to this certificate.
PublicKey subjectPublicKey() const
The public key associated with the subject of the certificate.
QString toPEM() const
Export the Certificate into a PEM format.
bool operator==(const Certificate &a) const
Test for equality of two certificates.
QStringList issuerLocations() const
List of URI locations for issuer certificate files.
bool toPEMFile(const QString &fileName) const
Export the Certificate into PEM format in a file.
QByteArray issuerKeyId() const
The key identifier associated with the issuer.
BigInteger serialNumber() const
The serial number of the certificate.
Certificate(const Certificate &from)
Standard copy constructor.
static Certificate fromPEMFile(const QString &fileName, ConvertResult *result=nullptr, const QString &provider=QString())
Import the certificate from a file.
Certificate(const QString &fileName)
Create a Certificate from a PEM encoded file.
QDateTime notValidAfter() const
The latest date that the certificate is valid.
Validity validate(const CertificateCollection &trusted, const CertificateCollection &untrusted, UsageMode u=UsageAny, ValidateFlags vf=ValidateAll) const
Check the validity of a certificate.
QByteArray subjectKeyId() const
The key identifier associated with the subject.
CertificateInfo subjectInfo() const
CertificateInfo issuerInfo() const
Properties of the issuer of the certificate.
QStringList ocspLocations() const
List of URI locations for OCSP services.
QStringList crlLocations() const
List of URI locations for CRL files.
bool isNull() const
Test if the certificate is empty (null)
Certificate()
Create an empty Certificate.
QByteArray toDER() const
Export the Certificate into a DER format.
bool isIssuerOf(const Certificate &other) const
Test if the Certificate has signed another Certificate object and is therefore the issuer.
Certificate constraint.
Definition qca_cert.h:364
QString id() const
The type as an identifier string.
bool operator!=(const ConstraintType &other) const
Inequality operator.
Definition qca_cert.h:469
Section section() const
The section the constraint is part of.
Section
Section of the certificate that the constraint belongs in.
Definition qca_cert.h:370
@ KeyUsage
Stored in the key usage section.
Definition qca_cert.h:371
ConstraintType(const ConstraintType &from)
Standard copy constructor.
bool operator<(const ConstraintType &other) const
Comparison operator.
ConstraintTypeKnown known() const
The type as part of the ConstraintTypeKnown enumerator.
ConstraintType(const QString &id, Section section)
Construct a new constraint.
bool operator==(const ConstraintType &other) const
Comparison operator.
ConstraintType & operator=(const ConstraintType &from)
Standard assignment operator.
ConstraintType()
Standard constructor.
ConstraintType(ConstraintTypeKnown known)
Construct a new constraint.
Certificate chain and private key pair.
Definition qca_cert.h:2176
KeyBundle(const KeyBundle &from)
Standard copy constructor.
KeyBundle(const QString &fileName, const SecureArray &passphrase=SecureArray())
Create a KeyBundle from a PKCS12 (.p12) encoded file.
CertificateChain certificateChain() const
The public certificate part of this bundle.
void setName(const QString &s)
Specify the name of this bundle.
void setCertificateChainAndKey(const CertificateChain &c, const PrivateKey &key)
Set the public certificate and private key.
static KeyBundle fromFile(const QString &fileName, const SecureArray &passphrase=SecureArray(), ConvertResult *result=nullptr, const QString &provider=QString())
KeyBundle()
Create an empty KeyBundle.
PrivateKey privateKey() const
The private key part of this bundle.
QString name() const
The name associated with this key.
QByteArray toArray(const SecureArray &passphrase, const QString &provider=QString()) const
KeyBundle & operator=(const KeyBundle &from)
Standard assignment operator.
bool isNull() const
Test if this key is empty (null)
static KeyBundle fromArray(const QByteArray &a, const SecureArray &passphrase=SecureArray(), ConvertResult *result=nullptr, const QString &provider=QString())
bool toFile(const QString &fileName, const SecureArray &passphrase, const QString &provider=QString()) const
Asynchronous private key loader.
Definition qca_cert.h:2613
void loadKeyBundleFromFile(const QString &fileName)
Initiate an asynchronous loading of a KeyBundle from a file.
void loadPrivateKeyFromDER(const SecureArray &a)
Initiate an asynchronous loading of a PrivateKey from a DER format array.
ConvertResult convertResult() const
The result of the loading process.
void loadKeyBundleFromArray(const QByteArray &a)
Initiate an asynchronous loading of a KeyBundle from an array.
void loadPrivateKeyFromPEMFile(const QString &fileName)
Initiate an asynchronous loading of a PrivateKey from a PEM format file.
void loadPrivateKeyFromPEM(const QString &s)
Initiate an asynchronous loading of a PrivateKey from a PEM format string.
KeyBundle keyBundle() const
The key bundle that has been loaded.
PrivateKey privateKey() const
The private key that has been loaded.
void finished()
Signal that is emitted when the load process has completed.
KeyLoader(QObject *parent=nullptr)
Create a KeyLoader object.
Pretty Good Privacy key.
Definition qca_cert.h:2407
QString keyId() const
The Key identification for the PGP key.
QString primaryUserId() const
The primary user identification for the key.
QDateTime creationDate() const
The creation date for the key.
static PGPKey fromFile(const QString &fileName, ConvertResult *result=nullptr, const QString &provider=QString())
Import the key from a file.
bool isTrusted() const
Test if the key is trusted.
static PGPKey fromString(const QString &s, ConvertResult *result=nullptr, const QString &provider=QString())
Import the key from a string.
bool isNull() const
Test if the PGP key is empty (null)
QString fingerprint() const
The key fingerpint.
bool toFile(const QString &fileName) const
Export the key to a file.
QByteArray toArray() const
Export the key to an array.
static PGPKey fromArray(const QByteArray &a, ConvertResult *result=nullptr, const QString &provider=QString())
Import the key from an array.
PGPKey()
Create an empty PGP key.
QString toString() const
Export the key to a string.
PGPKey(const QString &fileName)
Create a PGP key from an encoded file.
PGPKey(const PGPKey &from)
Standard copy constructor.
QStringList userIds() const
The list of all user identifications associated with the key.
QDateTime expirationDate() const
The expiration date for the key.
bool isSecret() const
Test if the PGP key is the secret key.
bool inKeyring() const
Test if this key is in a keyring.
PGPKey & operator=(const PGPKey &from)
Standard assignment operator.
Generic private key.
Generic public key.
Secure array of bytes.
Definition qca_tools.h:317
Q_SCRIPTABLE Q_NOREPLY void start()
QCA - the Qt Cryptographic Architecture.
Definition qca_basic.h:41
UsageMode
Specify the intended usage of a certificate.
Definition qca_cert.h:483
@ UsageTimeStamping
time stamping certificate
Definition qca_cert.h:489
@ UsageEmailProtection
email (S/MIME) certificate
Definition qca_cert.h:488
@ UsageCRLSigning
certificate revocation list signing certificate
Definition qca_cert.h:490
@ UsageTLSServer
server side of a TLS or SSL connection
Definition qca_cert.h:485
@ UsageTLSClient
client side of a TLS or SSL connection
Definition qca_cert.h:486
@ UsageAny
Any application, or unspecified.
Definition qca_cert.h:484
@ UsageCodeSigning
code signing certificate
Definition qca_cert.h:487
CertificateRequestFormat
Certificate Request Format.
Definition qca_cert.h:54
@ SPKAC
Signed Public Key and Challenge (Netscape) format.
Definition qca_cert.h:56
@ PKCS10
standard PKCS#10 format
Definition qca_cert.h:55
QList< ConstraintType > Constraints
Certificate constraints type
Definition qca_cert.h:590
ConstraintTypeKnown
Known types of certificate constraints.
Definition qca_cert.h:317
@ DataEncipherment
Certificate can be used for encrypting / decrypting data, id = "KeyUsage.dataEncipherment"
Definition qca_cert.h:322
@ IPSecUser
Certificate can be used to authenticate a user in IPSEC, id = "1.3.6.1.5.5.7.3.7".
Definition qca_cert.h:342
@ EmailProtection
Certificate can be used to sign / encrypt email, id = "1.3.6.1.5.5.7.3.4".
Definition qca_cert.h:336
@ CRLSign
Certificate can be used to sign Certificate Revocation Lists, id = "KeyUsage.crlSign"
Definition qca_cert.h:325
@ KeyAgreement
Certificate can be used for key agreement, id = "KeyUsage.keyAgreement"
Definition qca_cert.h:323
@ ClientAuth
Certificate can be used for client authentication (e.g.
Definition qca_cert.h:332
@ IPSecEndSystem
Certificate can be used to authenticate a endpoint in IPSEC, id = "1.3.6.1.5.5.7.3....
Definition qca_cert.h:338
@ IPSecTunnel
Certificate can be used to authenticate a tunnel in IPSEC, id = "1.3.6.1.5.5.7.3.6".
Definition qca_cert.h:340
@ ServerAuth
Certificate can be used for server authentication (e.g.
Definition qca_cert.h:330
@ KeyEncipherment
Certificate can be used for encrypting / decrypting keys, id = "KeyUsage.keyEncipherment"
Definition qca_cert.h:321
@ TimeStamping
Certificate can be used to create a "time stamp" signature, id = "1.3.6.1.5.5.7.3....
Definition qca_cert.h:344
@ CodeSigning
Certificate can be used to sign code, id = "1.3.6.1.5.5.7.3.3".
Definition qca_cert.h:334
@ EncipherOnly
Certificate can only be used for encryption, id = "KeyUsage.encipherOnly"
Definition qca_cert.h:326
@ OCSPSigning
Certificate can be used to sign an Online Certificate Status Protocol (OCSP) assertion,...
Definition qca_cert.h:346
@ NonRepudiation
Certificate can be used for non-repudiation, id = "KeyUsage.nonRepudiation"
Definition qca_cert.h:320
@ DecipherOnly
Certificate can only be used for decryption, id = "KeyUsage.decipherOnly"
Definition qca_cert.h:327
@ DigitalSignature
Certificate can be used to create digital signatures, id = "KeyUsage.digitalSignature"
Definition qca_cert.h:319
@ KeyCertificateSign
Certificate can be used for key certificate signing, id = "KeyUsage.keyCertSign"
Definition qca_cert.h:324
Validity
The validity (or otherwise) of a certificate.
Definition qca_cert.h:497
@ ErrorValidityUnknown
Validity is unknown.
Definition qca_cert.h:510
@ ErrorRevoked
The certificate has been revoked.
Definition qca_cert.h:505
@ ErrorUntrusted
The certificate is not trusted.
Definition qca_cert.h:500
@ ErrorExpired
The certificate has expired, or is not yet valid (e.g.
Definition qca_cert.h:507
@ ErrorPathLengthExceeded
The path length from the root CA to this certificate is too long.
Definition qca_cert.h:506
@ ErrorSignatureFailed
The signature does not match.
Definition qca_cert.h:501
@ ErrorInvalidPurpose
The purpose does not match the intended usage.
Definition qca_cert.h:503
@ ErrorExpiredCA
The Certificate Authority has expired.
Definition qca_cert.h:509
@ ErrorSelfSigned
The certificate is self-signed, and is not found in the list of trusted certificates.
Definition qca_cert.h:504
@ ErrorInvalidCA
The Certificate Authority is invalid.
Definition qca_cert.h:502
@ ValidityGood
The certificate is valid.
Definition qca_cert.h:498
@ ErrorRejected
The root CA rejected the certificate purpose.
Definition qca_cert.h:499
QCA_EXPORT QString orderedToDNString(const CertificateInfoOrdered &in)
Convert to RFC 1779 string format.
ValidateFlags
The conditions to validate for a certificate.
Definition qca_cert.h:517
QCA_EXPORT CertificateInfoOrdered orderedDNOnly(const CertificateInfoOrdered &in)
Return a new CertificateInfoOrdered that only contains the Distinguished Name (DN) types found in the...
CertificateInfoTypeKnown
Known types of information stored in certificates.
Definition qca_cert.h:65
@ IncorporationCountry
The country of incorporation (EV certificates), id = "1.3.6.1.4.1.311.60.2.1.3".
Definition qca_cert.h:76
@ CommonName
The common name (eg person), id = "2.5.4.3".
Definition qca_cert.h:66
@ Country
The country, id = "2.5.4.6".
Definition qca_cert.h:75
@ XMPP
XMPP address (see http://www.ietf.org/rfc/rfc3920.txt), id = "1.3.6.1.5.5.7.8.5".
Definition qca_cert.h:80
@ Locality
The locality (eg city, a shire, or part of a state), id = "2.5.4.7".
Definition qca_cert.h:71
@ State
The state within the country, id = "2.5.4.8".
Definition qca_cert.h:73
@ Email
Email address, id = "GeneralName.rfc822Name".
Definition qca_cert.h:67
@ IPAddress
IP address, id = "GeneralName.iPAddress".
Definition qca_cert.h:79
@ IncorporationLocality
The locality of incorporation (EV certificates), id = "1.3.6.1.4.1.311.60.2.1.1".
Definition qca_cert.h:72
@ Organization
An organisation (eg company), id = "2.5.4.10".
Definition qca_cert.h:69
@ DNS
DNS name, id = "GeneralName.dNSName".
Definition qca_cert.h:78
@ EmailLegacy
PKCS#9 Email field, id = "1.2.840.113549.1.9.1".
Definition qca_cert.h:68
@ URI
Uniform Resource Identifier, id = "GeneralName.uniformResourceIdentifier".
Definition qca_cert.h:77
@ IncorporationState
The state of incorporation (EV certificates), id = "1.3.6.1.4.1.311.60.2.1.2".
Definition qca_cert.h:74
@ OrganizationalUnit
An part of an organisation (eg a division or branch), id = "2.5.4.11".
Definition qca_cert.h:70
ConvertResult
Return value from a format conversion.
QCA_EXPORT QStringList makeFriendlyNames(const QList< Certificate > &list)
Create a list of unique friendly names among a list of certificates.
SignatureAlgorithm
Signature algorithm variants.
QMultiMap< CertificateInfoType, QString > CertificateInfo
Certificate properties type.
Definition qca_cert.h:535
Header file for core QCA infrastructure.
Header file for PublicKey and PrivateKey related classes.
void append(QList< T > &&value)
bool isEmpty() const const
This file is part of the KDE documentation.
Documentation copyright © 1996-2024 The KDE developers.
Generated on Fri Jul 12 2024 11:59:17 by doxygen 1.11.0 written by Dimitri van Heesch, © 1997-2006

KDE's Doxygen guidelines are available online.