X509Certificate

X509Certificate

#include <icy/crypto/x509certificate.h>

RAII wrapper for an OpenSSL X509 certificate with PEM loading and inspection.

Public Methods

X509Certificate

explicit

explicit X509Certificate(const char * data, size_t length)

Constructs an X509Certificate by parsing a PEM-encoded certificate from memory.

Parameters

• data Pointer to a buffer containing the PEM-encoded certificate.

• length Number of bytes in data.

Exceptions

• std::runtime_error if the BIO cannot be created or PEM parsing fails.

X509Certificate

explicit

explicit X509Certificate(const std::string & path)

Constructs an X509Certificate by reading a PEM-encoded certificate from a file.

Parameters

• path Filesystem path to the PEM certificate file.

Exceptions

• std::runtime_error if the file cannot be opened or PEM parsing fails.

X509Certificate

explicit

explicit X509Certificate(X509 * pCert)

Constructs an X509Certificate taking ownership of an existing OpenSSL X509 object.

Parameters

• pCert Non-null pointer to an OpenSSL X509 certificate. This object takes ownership and will call X509_free on destruction.

Exceptions

• std::runtime_error if pCert is null.

X509Certificate

X509Certificate(X509 * pCert, bool shared)

Constructs an X509Certificate from an existing OpenSSL X509 object, optionally sharing ownership via reference count increment.

Parameters

• pCert Non-null pointer to an OpenSSL X509 certificate. Ownership is always taken (X509_free called on destruction).

• shared If true, increments the certificate's reference count via X509_up_ref before taking ownership, so the original pointer remains valid after this object is destroyed.

Exceptions

• std::runtime_error if pCert is null.

X509Certificate

X509Certificate(const X509Certificate & cert)

Copy-constructs an X509Certificate by duplicating the underlying X509 object.

Parameters

• cert The certificate to copy.

X509Certificate

X509Certificate(X509Certificate && cert) noexcept

Move-constructs an X509Certificate, transferring ownership from cert.

Parameters

• cert The certificate to move from; left in a valid but empty state.

operator=

X509Certificate & operator=(const X509Certificate & cert)

Copy-assigns a certificate, duplicating the underlying X509 object.

Parameters

• cert The certificate to copy.

Returns

Reference to this object.

operator=

X509Certificate & operator=(X509Certificate && cert) noexcept

Move-assigns a certificate, transferring ownership from cert.

Parameters

• cert The certificate to move from; left in a valid but empty state.

Returns

Reference to this object.

swap

void swap(X509Certificate & cert)

Swaps this certificate with cert.

Parameters

• cert The certificate to swap with.

~X509Certificate

~X509Certificate()

Destroys the X509Certificate and releases the underlying OpenSSL X509 object.

issuerName

const

const std::string & issuerName() const

Returns the full distinguished name of the certificate issuer.

Returns

One-line string representation produced by X509_NAME_oneline.

issuerName

const

std::string issuerName(NID nid) const

Extracts a single field from the certificate issuer's distinguished name.

Parameters

• nid The field to extract (e.g. NID_COMMON_NAME).

Returns

Field value, or an empty string if the field is absent.

subjectName

const

const std::string & subjectName() const

Returns the full distinguished name of the certificate subject.

Returns

One-line string representation produced by X509_NAME_oneline.

subjectName

const

std::string subjectName(NID nid) const

Extracts a single field from the certificate subject's distinguished name.

Parameters

• nid The field to extract (e.g. NID_ORGANIZATION_NAME).

Returns

Field value, or an empty string if the field is absent.

commonName

const

std::string commonName() const

Returns the common name (CN) from the certificate subject.

Convenience wrapper for subjectName(NID_COMMON_NAME).

Returns

Common name string, or empty if absent.

extractNames

const

void extractNames(std::string & commonName, std::set< std::string > & domainNames) const

Extracts the common name and the set of Subject Alternative Name (SAN) DNS entries from the certificate.

If no SAN DNS entries are present and the common name is non-empty, the common name is added to domainNames as a fallback.

Parameters

• commonName Receives the certificate's common name.

• domainNames Receives all DNS SAN entries (cleared before population).

validFrom

const

DateTime validFrom() const

Returns the date and time from which the certificate is valid.

Parsed from the X509 notBefore field.

Returns

UTC DateTime representing the start of the validity period.

expiresOn

const

DateTime expiresOn() const

Returns the date and time at which the certificate expires.

Parsed from the X509 notAfter field.

Returns

UTC DateTime representing the end of the validity period.

save

const

void save(std::ostream & stream) const

Writes the certificate in PEM format to an output stream.

Parameters

• stream Destination stream to write to.

Exceptions

• std::runtime_error if the BIO cannot be created or write fails.

save

const

void save(const std::string & path) const

Writes the certificate in PEM format to a file.

Parameters

• path Filesystem path of the output file (created or truncated).

Exceptions

• std::runtime_error if the file cannot be opened or write fails.

issuedBy

const

bool issuedBy(const X509Certificate & issuerCertificate) const

Verifies whether this certificate was signed by the given issuer.

Extracts the public key from issuerCertificate and calls X509_verify. Use this to validate links in a certificate chain.

Parameters

• issuerCertificate The certificate of the purported issuer.

Returns

true if this certificate's signature verifies against the issuer's public key, false otherwise.

Exceptions

• std::invalid_argument if the issuer certificate has no public key.

certificate

const

const X509 * certificate() const

Returns a const pointer to the underlying OpenSSL X509 object.

Returns

Pointer valid for the lifetime of this X509Certificate.

certificate

X509 * certificate()

Returns a mutable pointer to the underlying OpenSSL X509 object.

Returns

Pointer valid for the lifetime of this X509Certificate.

Protected Methods

load

void load(const char * data, size_t length)

Parses a PEM-encoded certificate from a memory buffer and stores it.

Parameters

• data Pointer to PEM data.

• length Number of bytes in data.

Exceptions

• std::logic_error if a certificate is already loaded.

• std::runtime_error if BIO creation or PEM parsing fails.

load

void load(const std::string & path)

Reads a PEM-encoded certificate from a file and stores it.

Parameters

• path Filesystem path to the PEM certificate file.

Exceptions

• std::logic_error if a certificate is already loaded.

• std::runtime_error if the file cannot be opened or PEM parsing fails.

init

void init()

Populates _issuerName and _subjectName from the loaded certificate.

Called after each successful load or construction from an X509 pointer.

Public Types

NID

enum NID

Name identifier for extracting fields from a certificate's distinguished name.

Values correspond to OpenSSL NID constants used with X509_NAME_get_text_by_NID.

Private Attributes

_issuerName

std::string _issuerName

_subjectName

std::string _subjectName

_certificate

X509Ptr _certificate