NAME

OpenCA::OpenSSL - Perl Crypto Extention to OpenSSL

SYNOPSIS

use OpenCA::OpenSSL;

DESCRIPTION

This Perl Module implements an interface to the openssl backend program. It actually uses the openssl command and it is not fully integrated as PERL/C mixture.

Passing parameters to functions should be very simple as them have no particular order and have, often, self-explaining name. Each parameter should be passed to the function like this:

... ( NAME=>VALUE, NAME=>VALUE, ... );

FUNCTIONS

sub new () - Creates a new Class instance.

This functions creates a new instance of the class. It accepts
only one parameter: the path to the backend command (openssl).
This is due because if it cannot find the openssl command it
will return an uninitialized class (default value is /usr/bin/
openssl which may not fit many distributions/OSs)

EXAMPLE:

	my $openssl->new OpenCA::OpenSSL( $path );

sub setParams () - Set internal module variables.

This function can handle the internal module data such as the
backend path or the tmp dir. Accepted parameters are:

	SHELL   - Path to the openssl command.
	CONFIG  - Path to the openssl config file.
	TMPDIR  - Temporary files directory.
	STDERR  - Where to redirect the STDERR file.

(*) - Optional parameters;

EXAMPLE:

	$openssl->setParams( SHELL=>'/usr/local/ssl/bin/openssl',
			     CONFIG=>$ca/stuff/openssl.cnf,
			     TMPDIR=>'/tmp',
			     STDERR=>'/dev/null' );

sub errno () - Get last command errno value.

	This functions returns last operation's errno value. Non
        zero value means there has been an error.

	EXAMPLE:

		print $openssl->errno;

sub errval () - Get last command errval value.

	This functions returns last operation's errval value. This
        value usually has a brief error description.

	EXAMPLE:

		print $openssl->errval;

sub genKey () - Generate a private Key.

This functions let you generate a new private key. Accepted
parameters are:

	BITS      - key lengh in bits(*);
	OUTFILE   - Output file name(*);
	ALGORITHM - Encryption Algorithm to be used(*);
	PASSWD    - Password to be used when encrypting(*);

(*) - Optional parameters;

EXAMPLE:

	my $key = $openssl->genKey( BITS=>1024 );

sub genReq () - Generate a new Request.

	This function generate a new certificate request. Accepted
	parameters are:

		OUTFILE  - Output file(*);
		KEYFILE  - File containing the key;
		PASSWD   - Password to decript key (if needed) (*);
		DN       - Subject list (as required by openssl, see
			   the openssl.cnf doc on policy);
		SUBJECT  - DN string (use this instead of passing separate
                           attributes list)(*);

	(*) - Optional parameters;

	EXAMPLE:

		my $req = $openssl->genReq( KEYFILE=>"00_key.pem",
			DN => [ "madwolf@openca.org","Max","","","" ] );

		my $req = $openssl->genReq( KEYFILE=>"00_key.pem",
			SUBJECT => "CN=Madwolf, O=OpenCA, C=IT" );

sub genCert () - Generate a certificate from a request.

This function let you generate a new certificate starting
from the request file. It is used for self-signed certificate
as it simply converts the request into a x509 structure.
Accepted parameters are:

	OUTFILE   - Output file(*);
	KEYFILE   - File containing the private key;
	REQFILE   - Request File;
	PASSWD    - Password to decrypt private key(*);
	DAYS      - Validity days(*);

(*) - Optional parameters;

EXAMPLE:

	$cert = $openssl->genCert( KEYFILE=>"priv_key.pem",
		REQFILE=>"req.pem",
		DAYS=>"720" );

sub dataConvert () - Convert data to different format.

This functions will convert data you pass to another format. Ir
requires you to provide with the data's type and IN/OUT format.
Accepted parameters are:

	DATA    - Data to be processed;
	INFILE  - Data file to be processed (one of DATA and
	  	  INFILE are required and exclusive);
	KEYFILE  - file with the priv. key (* PEM to PKCS12 only).
	           Not needed if key is presented in DATA or INFILE too.
	DATATYPE - Data type ( CRL | CERTIFICATE | REQUEST );
	OUTFORM  - Output format (PEM|DER|NET|TXT)(*);
	INFORM   - Input format (PEM|DER|NET|TXT)(*);
	OUTFILE  - Output file(*);
	PASSWD   - priv. key password (* PKCS12 to PEM only)
		   omitting the PASSWD leads into an unencrypted priv. key 
	ALGO     - des,des3 or idea. Default is des3 encryption for priv. key
	P12PASSWD - PKCS12 export password (* only needed for PKCS12)
	NOKEYS   - extract only the certificate (* PKCS12 to PEM only)
	           No need for the PASSWD parameter with this option.

(*) - Optional parameters;

EXAMPLES:
	# PEM file to TXT format
	print $openssl->dataConvert( INFILE=>"crl.pem",
		OUTFORM=>"TXT" );

	# PEM file to PKCS12 format, priv key will be des3 encrypted
	print $openssl->dataConvert( INFILE=>"crl.pem",
		DATATYPE=>'CERTIFICATE',
		OUTFORM=>"PKCS12",
		PASSWD=>$pem_pass,
		P12PASSWD=>$export_pass );

	# PKCS12 data to PEM formated certificate (no key)
	print $openssl->dataConvert( DATA=>$pkcs12_cert,
		DATATYPE=>'CERTIFICATE',
		INFORM=>"PKCS12",
		NOKEYS=>1,
		P12PASSWD=>$export_pass );

sub issueCert () - Issue a certificate.

This function should be used when you have a CA certificate and
a request (either DER|PEM|SPKAC) and want to issue the certificate.
Parameters used will override the configuration values (remember
to set to appropriate value the CONFIG with the setParams func).
Accepted parameters are:

	REQDATA       - Request;
	REQFILE       - File containing the request (one of
			REQDATA, REQFILE or REQFILES are required);
	REQFILES      - An array ref to an array of files that
			contain the request.
	OUTDIR        - What directory to put the files from 
			REQFILES. (This is required iff 
			you use REQFILES.)
	INFORM        - Input format (PEM|DER|NET|SPKAC)(*);
	PRESERVE_DN   - Preserve DN order (Y|N)(*);
	CA_NAME	      - CA sub section to be used (take a
			look at the OpenSSL docs for adding
			support of multiple CAs to the conf
			file)(*);
	CAKEY	      - CA key file;
	CACERT	      - CA certificate file;
	DAYS	      - Days the certificate will be valid(*);
	START_DATE    - Starting validity date (YYMMDDHHMMSSZ)(*);
	END_DATE      - Ending validity date (YYMMDDHHMMSSZ)(*);
	PASSWD	      - Password to decrypt priv. CA key(*);
	EXTS	      - Extentions to be used (configuration
			section of the openssl.cnf file)(*);
	REQTYPE	      - Request type (NETSCAPE|MSIE)(*);

(*) - Optional parameters;

EXAMPLE:

	$openssl->issueCert( REQFILE=>"myreq",
		INFORM=>SPKAC,
		PRESERVE_DN=>Y,
		CAKEY=>$ca/private/cakey.pem,
		CACERT=>$ca/cacert.pem,
		PASSWD=>$passwd,
		REQTYPE=>NETSCAPE );

sub revoke () - Revoke a certificate.

This function is used to revoke a certificate. Accepted parameters
are:

	CAKEY   - CA private key file(*);
	CACERT  - CA certificate file(*);
	PASSWD  - Password to decrypt priv. CA key(*);
	INFILE  - Input PEM formatted certificate filename(*);

(*) - Optional parameters;

EXAMPLE:

	if( not $openssl->revoke( INFILE=>$certFile ) ) {
		print "Error while revoking certificate!";
	}

sub issueCrl () - Issue a CRL.

This function is used to issue a CRL. Accepted parameters
are:

	CAKEY   - CA private key file;
	CACERT  - CA certificate file;
	PASSWD  - Password to decrypt priv. CA key(*);
	DAYS    - Days the CRL will be valid for(*);
	EXTS    - Extentions to be added ( see the openssl.cnf
		  pages for more help on this )(*);
	EXTFILE - Extensions file to be used (*);
	OUTFILE - Output file(*);
	OUTFORM - Output format (PEM|DER|NET|TXT)(*);

(*) - Optional parameters;

EXAMPLE:

	print $openssl->issueCrl( CAKEY=>"$ca/private/cakey.pem",
				  CACERT=>"$ca/cacert.pem",
				  DAYS=>7,
				  OUTFORM=>TXT );

sub SPKAC () - Get SPKAC infos.

This function returns a text containing all major info
about an spkac structure. Accepted parameters are:

	SPKAC     - spkac data ( SPKAC = .... ) (*);
	INFILE	  - An spkac request file (*);
	OUTFILE   - Output file (*);
	
(*) - Optional parameters;

EXAMPLE:

	print $openssl->SPKAC( SPKAC=>$data, OUTFILE=>$target );

sub pkcs7Certs () - Get PKCS7 structure certificate(s).

This function returns a PEM formatted (file or ret value)
contained in the pkcs7 structure. Accepted parameters are:

	PKCS7     - pkcs7 data (*);
	INFILE	  - A pkcs7 (signature?) file (*);
	OUTFILE   - Output file (*);
	
(*) - Optional parameters;

EXAMPLE:

	print $openssl->pkcs7Cert( PKCS7=>$data, OUTFILE=>$target );

sub getDigest () - Get a message digest.

This function returns a message digest. Default digest
algorithm used is MD5. Accepted parameters are:

	DATA      - Data on which to perform digest;
	ALGORITHM - Algorithm to be used(*);
	
(*) - Optional parameters;

EXAMPLE:

	print $openssl->getDigest( DATA=>$data,
				   ALGORITHM=>sha1);

AUTHOR

Massimiliano Pala <madwolf@openca.org>

SEE ALSO

OpenCA::X509, OpenCA::CRL, OpenCA::REQ, OpenCA::TRIStateCGI, OpenCA::Configuration