{"id":7385,"date":"2022-12-20T19:37:54","date_gmt":"2022-12-20T22:37:54","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/iosocketsslutils-man3\/"},"modified":"2022-12-20T19:37:54","modified_gmt":"2022-12-20T22:37:54","slug":"iosocketsslutils-man3","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/iosocketsslutils-man3\/","title":{"rendered":"IO::Socket::SSL::Utils (man3)"},"content":{"rendered":"

IO::Socket::SSL::Utils<\/h1>\n

NAME<\/a>
SYNOPSIS<\/a>
DESCRIPTION<\/a>
FUNCTIONS<\/a>
AUTHOR<\/a> <\/p>\n

\n

NAME <\/a> <\/h2>\n

IO::Socket::SSL::Utils \u2212\u2212 loading, storing, creating certificates and keys<\/p>\n

SYNOPSIS <\/a> <\/h2>\n

use IO::Socket::SSL::Utils;
my $cert = PEM_file2cert(‘cert.pem’); # load certificate from file
my $string = PEM_cert2string($cert); # convert certificate to PEM string
CERT_free($cert); # free memory within OpenSSL
my $key = KEY_create_rsa(2048); # create new 2048\u2212bit RSA key
PEM_string2file($key,”key.pem”); # and write it to file
KEY_free($key); # free memory within OpenSSL<\/p>\n

DESCRIPTION <\/a> <\/h2>\n

This module provides various utility functions to work with certificates and private keys, shielding some of the complexity of the underlying Net::SSLeay and OpenSSL.<\/p>\n

FUNCTIONS <\/a> <\/h2>\n\n\n
<\/td>\n\n

\u2022<\/p>\n<\/td>\n

<\/td>\n\n

Functions converting between string or file and certificates and keys. They croak if the operation cannot be completed.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

PEM_file2cert(file) \u2212> cert
PEM_cert2file(cert,file)
PEM_string2cert(string) \u2212> cert
PEM_cert2string(cert) \u2212> string
PEM_file2key(file) \u2212> key
PEM_key2file(key,file)
PEM_string2key(string) \u2212> key
PEM_key2string(key) \u2212> string<\/p>\n\n\n
<\/td>\n\n

\u2022<\/p>\n<\/td>\n

<\/td>\n\n

Functions for cleaning up. Each loaded or created cert and key must be freed to not leak memory.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

CERT_free(cert)
KEY_free(key)<\/p>\n\n\n
<\/td>\n\n

\u2022<\/p>\n<\/td>\n

<\/td>\n\n

KEY_create_rsa(bits) \u2212> key<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

Creates an RSA<\/small> key pair, bits defaults to 2048.<\/p>\n\n\n
<\/td>\n\n

\u2022<\/p>\n<\/td>\n

<\/td>\n\n

KEY_create_ec(curve) \u2212> key<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

Creates an EC<\/small> key, curve defaults to “prime256v1”.<\/p>\n\n\n
<\/td>\n\n

\u2022<\/p>\n<\/td>\n

<\/td>\n\n

CERT_asHash(cert,[digest_algo]) \u2212> hash<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

Extracts the information from the certificate into a hash and uses the given digest_algo (default: SHA\u2212256<\/small> ) to determine digest of pubkey and cert. The resulting hash contains:<\/p>\n\n\n
<\/td>\n\n

subject<\/p>\n<\/td>\n

<\/td>\n\n

Hash with the parts of the subject, e.g. commonName, countryName, organizationName, stateOrProvinceName, localityName.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

subjectAltNames<\/p>\n

Array with list of alternative names. Each entry in the list is of “[type,value]”, where “type” can be OTHERNAME, EMAIL, DNS, X400, DIRNAME, EDIPARTY, URI, IP<\/small> or RID.<\/small><\/p>\n\n\n
<\/td>\n\n

issuer<\/p>\n<\/td>\n

<\/td>\n\n

Hash with the parts of the issuer, e.g. commonName, countryName, organizationName, stateOrProvinceName, localityName.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

not_before, not_after<\/p>\n

The time frame, where the certificate is valid, as time_t, e.g. can be converted with localtime or similar functions.<\/p>\n\n\n\n
<\/td>\n\n

serial<\/p>\n<\/td>\n

<\/td>\n\n

The serial number<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n\n

crl_uri<\/p>\n<\/td>\n

<\/td>\n\n

List of URIs for CRL<\/small> distribution.<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

ocsp_uri<\/p>\n

List of URIs for revocation checking using OCSP.<\/small><\/p>\n

keyusage<\/p>\n

List of keyUsage information in the certificate.<\/p>\n

extkeyusage<\/p>\n

List of extended key usage information from the certificate. Each entry in this list consists of a hash with oid, nid, ln and sn.<\/p>\n

pubkey_digest_xxx<\/p>\n

Binary digest of the pubkey using the given digest algorithm, e.g. pubkey_digest_sha256 if (the default) SHA\u2212256<\/small> was used.<\/p>\n

x509_digest_xxx<\/p>\n

Binary digest of the X.509 certificate using the given digest algorithm, e.g. x509_digest_sha256 if (the default) SHA\u2212256<\/small> was used.<\/p>\n

fingerprint_xxx<\/p>\n

Fingerprint of the certificate using the given digest algorithm, e.g. fingerprint_sha256 if (the default) SHA\u2212256<\/small> was used. Contrary to digest_* this is an ASCII<\/small> string with a list if hexadecimal numbers, e.g. “73:59:75:5C:6D…”.<\/p>\n

signature_alg<\/p>\n

Algorithm used to sign certificate, e.g. “sha256WithRSAEncryption”.<\/p>\n\n\n\n\n
<\/td>\n\n

ext<\/p>\n<\/td>\n

<\/td>\n\n

List of extensions. Each entry in the list is a hash with oid, nid, sn, critical flag (boolean) and data (string representation given by X509V3_EXT_print).<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

version<\/p>\n<\/td>\n

<\/td>\n\n

Certificate version, usually 2 (x509v3)<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

\u2022<\/p>\n<\/td>\n

<\/td>\n <\/td>\n<\/tr>\n<\/table>\n

CERT_create(hash) \u2212> (cert,key)<\/p>\n

Creates a certificate based on the given hash. If the issuer is not specified the certificate will be self-signed. The following keys can be given:<\/p>\n\n\n
<\/td>\n\n

subject<\/p>\n<\/td>\n

<\/td>\n\n

Hash with the parts of the subject, e.g. commonName, countryName, … as described in “CERT_asHash”. Default points to IO::Socket::SSL.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

not_before<\/p>\n

A time_t value when the certificate starts to be valid. Defaults to current time.<\/p>\n

not_after<\/p>\n

A time_t value when the certificate ends to be valid. Defaults to current time plus one 365 days.<\/p>\n\n\n\n
<\/td>\n\n

serial<\/p>\n<\/td>\n

<\/td>\n\n

The serial number. If not given a random number will be used.<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

version<\/p>\n<\/td>\n

<\/td>\n\n

The version of the certificate, default 2 (x509v3).<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

CA<\/small> true|false<\/p>\n

If true declare certificate as CA,<\/small> defaults to false.<\/p>\n

purpose string|array|hash<\/p>\n

Set the purpose of the certificate. The different purposes can be given as a string separated by non-word character, as array or hash. With string or array each purpose can be prefixed with \u2019+\u2019 (enable) or \u2019\u2212\u2019 (disable) and same can be done with the value when given as a hash. By default enabling the purpose is assumed.<\/p>\n

If the CA<\/small> option is given and true the defaults “ca,sslca,emailca,objca” are assumed, but can be overridden with explicit purpose. If the CA<\/small> option is given and false the defaults “server,client” are assumed. If no CA<\/small> option and no purpose is given it defaults to “server,client”.<\/p>\n

Purpose affects basicConstraints, keyUsage, extKeyUsage and netscapeCertType. The following purposes are defined (case is not important):<\/p>\n

client
server
email
objsign
CA
sslCA
emailCA
objCA
emailProtection
codeSigning
timeStamping
digitalSignature
nonRepudiation
keyEncipherment
dataEncipherment
keyAgreement
keyCertSign
cRLSign
encipherOnly
decipherOnly<\/p>\n

Examples:<\/p>\n

# root\u2212CA for SSL certificates
purpose => ‘sslCA’ # or CA => 1
# server certificate and CA (typically self\u2212signed)
purpose => ‘sslCA,server’
# client certificate
purpose => ‘client’,<\/p>\n

ext [{ sn => .., data => … }, … ]<\/p>\n

List of extensions. The type of the extension can be specified as name with “sn” or as NID<\/small> with “nid” and the data with “data”. These data must be in the same syntax as expected within openssl.cnf, e.g. something like “OCSP;URI=http:\/\/…”. Additionally the critical flag can be set with “critical =” 1>.<\/p>\n\n\n
<\/td>\n\n

key key<\/p>\n<\/td>\n

<\/td>\n\n

use given key as key for certificate, otherwise a new one will be generated and returned<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

issuer_cert cert<\/p>\n

set issuer for new certificate<\/p>\n

issuer_key key<\/p>\n

sign new certificate with given key<\/p>\n

issuer [ cert, key ]<\/p>\n

Instead of giving issuer_key and issuer_cert as separate arguments they can be given both together.<\/p>\n

digest algorithm<\/p>\n

specify the algorithm used to sign the certificate, default SHA\u2212256.<\/small><\/p>\n

AUTHOR <\/a> <\/h2>\n

Steffen Ullrich<\/p>\n

\n","protected":false},"excerpt":{"rendered":"

IO::Socket::SSL::Utils \u2212\u2212 loading, storing, creating certificates and keys <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[3699,3007],"class_list":["post-7385","post","type-post","status-publish","format-standard","hentry","category-sin-categoria","tag-iosocketsslutils","tag-man3"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/7385","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=7385"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/7385\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=7385"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=7385"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=7385"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}