PKI.load.cert creates a certificate object from a string, connection or file.

PKI.verifyCA verifies a certificate against a given chain of trust.

PKI.pubkey extracts public key from a certificate.

PKI.get.subject extracts the subject name from the certificate.

PKI.get.cert.info decodes information from the certificate.

PKI.load.cert(what, format = c("PEM", "DER"), file)
PKI.verifyCA(certificate, ca, default = FALSE, partial = FALSE)
PKI.pubkey(certificate)
PKI.get.subject(certificate)
PKI.get.cert.info(certificate)

Arguments

what

string, raw vector or connection to load the certificate from

format

format used to encode the certificate

file

filename to load the certificate from - what and file are mutually exclusive

certificate

a certificate object (as returned by PKI.load.cert)

ca

a certificate object of the Certificate Authority (CA) or a list of such objects if a chain of certificates is involved

default

logical, if TRUE then root CAs known to OpenSSL will be added to the trust store. In that case ca can also be NULL if the certificate is directly signed by the root CA (very uncommon).

partial

logical, if TRUE then the CAs listed in ca are trusted even if they are neither root nor self-signed CAs.

Details

PKI.verifyCA is used to verify the validity of a certificate by following a chain of trust. In the most simple case the certificate was issued by a certificate authority (CA) directly, which has a self-signed certificate. This is typically the case when you (or your organization) have created your own CA for internal use. In that case you only need to supply that CA's certificate to ca and that's it. It is also possible that your self-signed CA issued an intermediate certificate - if that is the case then pass a list of both certificates (order doesn't matter) to ca.

Another use case is that you have a certificate which has been issued by publicly trusted CA - this is commonly the case with SSL certificates used by web servers. In that case, the chain doesn't end with an internal self-signed certificate, but instead it will end with a publicly known root CA. OpenSSL manages a list of such trusted CAs and you can check against them with default=TRUE. However, in most cases your certificate won't be issued directly by a root CA, but by an intermetiate authority so you have to pass the intermediate certificate(s) in the ca argument.

Finally, it is sometimes possible that the default list of trusted certificates does not include the root CA that you need. If that is the case, and you still want to trust that chain, you can set partial=TRUE and then PKI.verifyCA will trust the certificates provided in ca unconditinally, even if they don't lead to a trusted root or are not self-signed. Note, however, that this is the least secure option and you should only use it if the certificates are supplied by you and not the user. If you want to support user-supplied intermediate certificates then you can use PKI.verifyCA first to verify the integrity of the user-supplied chain with partial=TRUE and then verify just the intermediate certificate against your trusted certificate. That way you won't trust the intermediate certificate inadvertently.

Value

PKI.load.cert: a certificate object

PKI.verifyCA: TRUE is the certificate can be trusted,

FALSE otherwise

PKI.pubkey: public key object

PKI.get.subject: string containing the subject information in one-line RFC2253 format but in UTF8 encoding instead of MBS escapes. NOTE: this is experimantal, we may choose to parse the contents and return it in native R form as a named vector instead.

Author

Simon Urbanek

Examples

  (ca <- PKI.load.cert(file=system.file("certs", "RForge-ca.crt", package="PKI")))
#> X509 Certificate:
#>   Subject: /C=NZ/CN=ca.rforge.net/emailAddress=admin@rforge.net
#>   Issuer: /C=NZ/CN=ca.rforge.net/emailAddress=admin@rforge.net
#>   Fingerprint (SHA-1): ff:15:4e:4f:e3:ca:68:97:8c:7c:15:b2:9c:0b:45:2c:b3:4c:cc:49
#>   Validity: 2021-08-29 01:52:49 ... 2031-08-27 01:52:49 (is CA)
#> 
  (my.cert <- PKI.load.cert(readLines(system.file("certs", "demo.crt", package="PKI"))))
#> X509 Certificate:
#>   Subject: /C=NZ/O=RForge Demo Cert
#>   Issuer: /C=NZ/CN=ca.rforge.net/emailAddress=admin@rforge.net
#>   Fingerprint (SHA-1): 01:1e:87:9a:cc:a4:19:b7:66:8a:a3:3e:0f:00:d3:5d:38:3f:98:ab
#>   Validity: 2021-10-12 22:09:08 ... 2026-10-11 22:09:08
#> 
  PKI.verifyCA(my.cert, ca)
#> [1] TRUE
  PKI.pubkey(my.cert)
#> <pointer: 0x5618bc6f5920>
#> attr(,"class")
#> [1] "public.key"
  PKI.get.subject(my.cert)
#> [1] "C = NZ, O = RForge Demo Cert"
  PKI.get.cert.info(my.cert)
#> $subject
#> [1] "/C=NZ/O=RForge Demo Cert"
#> 
#> $issuer
#> [1] "/C=NZ/CN=ca.rforge.net/emailAddress=admin@rforge.net"
#> 
#> $fingerprint
#>  [1] 01 1e 87 9a cc a4 19 b7 66 8a a3 3e 0f 00 d3 5d 38 3f 98 ab
#> 
#> $validity
#> [1] "2021-10-12 22:09:08 UTC" "2026-10-11 22:09:08 UTC"
#> 
#> $ca
#> [1] FALSE
#>