| X509 {PKI} | R Documentation |
Public Key Instraftructure (X509) functions
Description
PKI.load.cert creates a certificate object from a string,
connection or file.
PKI.verifyCA verifies a certificate against a given chain of
trust.
PKI.pubkey extracts public key from a certificate.
PKI.get.subject extracts the subject name from the certificate.
PKI.get.cert.info decodes information from the certificate.
Usage
PKI.load.cert(what, format = c("PEM", "DER"), file)
PKI.verifyCA(certificate, ca, default = FALSE, partial = FALSE)
PKI.pubkey(certificate)
PKI.get.subject(certificate)
PKI.get.cert.info(certificate)
Arguments
what |
string, raw vector or connection to load the certificate from |
format |
format used to encode the certificate |
file |
filename to load the certificate from - |
certificate |
a certificate object (as returned by
|
ca |
a certificate object of the Certificate Authority (CA) or a list of such objects if a chain of certificates is involved |
default |
logical, if |
partial |
logical, if |
Details
PKI.verifyCA is used to verify the validity of a certificate
by following a chain of trust. In the most simple case the
certificate was issued by a certificate authority (CA) directly,
which has a self-signed certificate. This is typically the case when
you (or your organization) have created your own CA for internal use.
In that case you only need to supply that CA's certificate to
ca and that's it. It is also possible that your self-signed
CA issued an intermediate certificate - if that is the case then pass
a list of both certificates (order doesn't matter) to ca.
Another use case is that you have a certificate which has been issued
by publicly trusted CA - this is commonly the case with SSL
certificates used by web servers. In that case, the chain doesn't
end with an internal self-signed certificate, but instead it will
end with a publicly known root CA. OpenSSL manages a list of such
trusted CAs and you can check against them with
default=TRUE. However, in most cases your certificate won't
be issued directly by a root CA, but by an intermetiate authority so
you have to pass the intermediate certificate(s) in the ca
argument.
Finally, it is sometimes possible that the default list of trusted
certificates does not include the root CA that you need. If that is
the case, and you still want to trust that chain, you can set
partial=TRUE and then PKI.verifyCA will trust the
certificates provided in ca unconditinally, even if they
don't lead to a trusted root or are not self-signed. Note, however,
that this is the least secure option and you should only use it if
the certificates are supplied by you and not the user. If you want
to support user-supplied intermediate certificates then you can use
PKI.verifyCA first to verify the integrity of the
user-supplied chain with partial=TRUE and then verify just
the intermediate certificate against your trusted certificate. That
way you won't trust the intermediate certificate inadvertently.
Value
PKI.load.cert: a certificate object
PKI.verifyCA: TRUE is the certificate can be trusted,
FALSE otherwise
PKI.pubkey: public key object
PKI.get.subject: string containing the subject information in
one-line RFC2253 format but in UTF8 encoding instead of MBS escapes.
NOTE: this is experimantal, we may choose to parse the contents and
return it in native R form as a named vector instead.
Author(s)
Simon Urbanek
Examples
(ca <- PKI.load.cert(file=system.file("certs", "RForge-ca.crt", package="PKI")))
(my.cert <- PKI.load.cert(readLines(system.file("certs", "demo.crt", package="PKI"))))
PKI.verifyCA(my.cert, ca)
PKI.pubkey(my.cert)
PKI.get.subject(my.cert)
PKI.get.cert.info(my.cert)