2 Copyright (C) 2013-2021 Carl Hetherington <cth@carlh.net>
4 This file is part of libdcp.
6 libdcp is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 libdcp is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with libdcp. If not, see <http://www.gnu.org/licenses/>.
19 In addition, as a special exception, the copyright holders give
20 permission to link the code of portions of this program with the
21 OpenSSL library under certain conditions as described in each
22 individual source file, and distribute linked combinations
25 You must obey the GNU General Public License in all respects
26 for all of the code used other than OpenSSL. If you modify
27 file(s) with this exception, you may extend this exception to your
28 version of the file(s), but you are not obligated to do so. If you
29 do not wish to do so, delete this exception statement from your
30 version. If you delete this exception statement from all source
31 files in the program, then also delete it here.
35 /** @file src/certificate_chain.h
36 * @brief CertificateChain class
40 #ifndef LIBDCP_CERTIFICATE_CHAIN_H
41 #define LIBDCP_CERTIFICATE_CHAIN_H
44 #include "certificate.h"
46 #include <boost/filesystem.hpp>
47 #include <boost/optional.hpp>
55 struct certificates_validation1;
56 struct certificates_validation2;
57 struct certificates_validation3;
58 struct certificates_validation4;
59 struct certificates_validation5;
60 struct certificates_validation6;
61 struct certificates_validation7;
62 struct certificates_validation8;
68 /** @class CertificateChain
69 * @brief A chain of any number of certificates, from root to leaf.
71 * A CertificateChain object can also (optionally) hold the private key corresponding
72 * to the leaf certificate.
74 class CertificateChain
77 CertificateChain () {}
79 /** Create a chain of certificates for signing things.
80 * @param openssl Name of openssl binary (if it is on the path) or full path.
81 * @return Directory (which should be deleted by the caller) containing:
82 * - ca.self-signed.pem self-signed root certificate
83 * - intermediate.signed.pem intermediate certificate
84 * - leaf.key leaf certificate private key
85 * - leaf.signed.pem leaf certificate
88 boost::filesystem::path openssl,
90 std::string organisation = "example.org",
91 std::string organisational_unit = "example.org",
92 std::string root_common_name = ".smpte-430-2.ROOT.NOT_FOR_PRODUCTION",
93 std::string intermediate_common_name = ".smpte-430-2.INTERMEDIATE.NOT_FOR_PRODUCTION",
94 std::string leaf_common_name = "CS.smpte-430-2.LEAF.NOT_FOR_PRODUCTION"
97 /** Read a CertificateChain from a string.
98 * @param s A string containing one or more PEM-encoded certificates.
100 explicit CertificateChain (std::string s);
102 /** Add a certificate to the chain.
103 * @param c Certificate to add.
105 void add (Certificate c);
107 /** Remove a certificate from the chain.
108 * @param c Certificate to remove.
110 void remove (Certificate c);
112 /** Remove the i'th certificate in the chain, as listed
117 /** @return Root certificate */
118 Certificate root () const;
120 /** @return Leaf certificate */
121 Certificate leaf () const;
123 typedef std::vector<Certificate> List;
125 /** @return Certificates in order from leaf to root */
126 List leaf_to_root () const;
127 /** @return Certificates in order from root to leaf */
128 List root_to_leaf () const;
129 List unordered () const;
131 /** Check if the certificates form a chain (i.e. root signs intermediate etc.)
132 * and that the private key matches the leaf certificate.
133 * @param if not nullptr, filled in with a reason for vailure (or untouched
134 * if there is no error)
135 * @return true if the chain is valid, false if not.
137 bool valid (std::string* reason = nullptr) const;
139 /** Check to see if the chain is valid (i.e. root signs the intermediate, intermediate
140 * signs the leaf and so on) and that the private key (if there is one) matches the
142 * @return true if it's ok, false if not.
144 bool chain_valid () const;
146 /** Check that there is a valid private key for the leaf certificate.
147 * Will return true if there are no certificates.
149 bool private_key_valid () const;
151 /** Add a <Signer> and <ds:Signature> nodes to an XML node.
152 * @param parent XML node to add to.
153 * @param standard INTEROP or SMPTE.
155 void sign (xmlpp::Element* parent, Standard standard) const;
157 /** Sign an XML node.
159 * @param parent Node to sign.
160 * @param ns Namespace to use for the signature XML nodes.
162 void add_signature_value (xmlpp::Element* parent, std::string ns, bool add_indentation) const;
164 boost::optional<std::string> key () const {
168 void set_key (std::string k) {
172 std::string chain () const;
175 friend struct ::certificates_validation1;
176 friend struct ::certificates_validation2;
177 friend struct ::certificates_validation3;
178 friend struct ::certificates_validation4;
179 friend struct ::certificates_validation5;
180 friend struct ::certificates_validation6;
181 friend struct ::certificates_validation7;
182 friend struct ::certificates_validation8;
184 bool chain_valid(List const & chain, std::string* error = nullptr) const;
186 /** Our certificates, not in any particular order */
188 /** Leaf certificate's private key, if known, in PEM format */
189 boost::optional<std::string> _key;
193 std::string public_key_digest(RSA* public_key);
194 std::string public_key_digest(boost::filesystem::path private_key);
195 std::string escape_digest(std::string digest);