/*
- Copyright (C) 2012-2015 Carl Hetherington <cth@carlh.net>
+ Copyright (C) 2012-2016 Carl Hetherington <cth@carlh.net>
- This program is free software; you can redistribute it and/or modify
+ This file is part of libdcp.
+
+ libdcp is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
- This program is distributed in the hope that it will be useful,
+ libdcp is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
+ along with libdcp. If not, see <http://www.gnu.org/licenses/>.
+
+ In addition, as a special exception, the copyright holders give
+ permission to link the code of portions of this program with the
+ OpenSSL library under certain conditions as described in each
+ individual source file, and distribute linked combinations
+ including the two.
+
+ You must obey the GNU General Public License in all respects
+ for all of the code used other than OpenSSL. If you modify
+ file(s) with this exception, you may extend this exception to your
+ version of the file(s), but you are not obligated to do so. If you
+ do not wish to do so, delete this exception statement from your
+ version. If you delete this exception statement from all source
+ files in the program, then also delete it here.
*/
/** @file src/certificate.cc
* @brief Certificate class.
*/
-#include "KM_util.h"
#include "certificate.h"
#include "compose.hpp"
#include "exceptions.h"
#include "util.h"
#include "dcp_assert.h"
+#include <asdcp/KM_util.h>
#include <libxml++/nodes/element.h>
#include <openssl/x509.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <boost/algorithm/string.hpp>
#include <cerrno>
+#include <iostream>
#include <algorithm>
using std::list;
using std::string;
using std::ostream;
+using std::min;
using namespace dcp;
+static string const begin_certificate = "-----BEGIN CERTIFICATE-----";
+static string const end_certificate = "-----END CERTIFICATE-----";
+
/** @param c X509 certificate, which this object will take ownership of */
Certificate::Certificate (X509* c)
: _certificate (c)
: _certificate (0)
, _public_key (0)
{
- read_string (cert);
+ string const s = read_string (cert);
+ if (!s.empty ()) {
+ throw MiscError ("unexpected data after certificate");
+ }
}
/** Copy constructor.
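Review bot: The new `throw MiscError ("unexpected data after certificate");` can leak the certificate that `read_string` has just parsed: a constructor that exits by exception does not run `~Certificate`, and `_certificate` is a raw pointer, so if `read_string` has already stored the X509 in `_certificate` by this point (the PEM read itself is not in the visible part of that hunk) nothing releases it on this path. Freeing it before throwing keeps the class's ownership rule intact: `X509_free (_certificate);` followed by `_certificate = 0;` ahead of the throw. Whether `_public_key` can also be set by then I cannot tell from here.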
/** Read a certificate from a string.
* @param cert String to read.
+ * @return remaining part of the input string after the certificate which was read.
*/
-void
+string
Certificate::read_string (string cert)
{
- BIO* bio = BIO_new_mem_buf (const_cast<char *> (cert.c_str ()), -1);
+ /* Reformat cert so that it has line breaks every 64 characters.
+ See http://comments.gmane.org/gmane.comp.encryption.openssl.user/55593
+ */
+
+ list<string> lines;
+ string line;
+
+ for (size_t i = 0; i < cert.length(); ++i) {
+ line += cert[i];
+ if (cert[i] == '\r' || cert[i] == '\n') {
+ boost::algorithm::trim (line);
+ lines.push_back (line);
+ line = "";
+ }
+ }
+
+ if (!line.empty()) {
+ boost::algorithm::trim (line);
+ lines.push_back (line);
+ }
+
+ list<string>::iterator i = lines.begin ();
+
+ /* BEGIN */
+ while (i != lines.end() && *i != begin_certificate) {
+ ++i;
+ }
+
+ if (i == lines.end()) {
+ throw MiscError ("missing BEGIN line in certificate");
+ }
+
+ /* Skip over the BEGIN line */
+ ++i;
+
+ /* The base64 data */
+ bool got_end = false;
+ string base64 = "";
+ while (i != lines.end()) {
+ if (*i == end_certificate) {
+ got_end = true;
+ break;
+ }
+ base64 += *i;
+ ++i;
+ }
+
+ if (!got_end) {
+ throw MiscError ("missing END line in certificate");
+ }
+
+ /* Skip over the END line */
+ ++i;
+
+ /* Make up the fixed version */
+
+ string fixed = begin_certificate + "\n";
+ while (!base64.empty ()) {
+ size_t const t = min (size_t(64), base64.length());
+ fixed += base64.substr (0, t) + "\n";
+ base64 = base64.substr (t, base64.length() - t);
+ }
+
+ fixed += end_certificate;
+
+ BIO* bio = BIO_new_mem_buf (const_cast<char *> (fixed.c_str ()), -1);
if (!bio) {
throw MiscError ("could not create memory BIO");
}
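Review bot: The re-wrapping loop at `while (!base64.empty ())` reassigns `base64` to a shorter copy of itself for every 64-character chunk, which is quadratic in the certificate size; walking an offset does the same work in one pass: `for (size_t pos = 0; pos < base64.length (); pos += 64) { fixed += base64.substr (pos, 64) + "\n"; }` (the second `substr` argument on the old line was redundant anyway). The `BIO_new_mem_buf (..., -1)` call at the end of the hunk measures `fixed` with strlen, so passing `static_cast<int> (fixed.length ())` instead of -1 avoids a silent truncation should the incoming `cert` (a std::string, which may carry a NUL) ever contain one. The rest of the PEM read is outside this hunk.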
}
BIO_free (bio);
+
+ string extra;
+
+ while (i != lines.end()) {
+ if (!i->empty()) {
+ extra += *i + "\n";
+ }
+ ++i;
+ }
+
+ return extra;
}
/** Destructor */
BIO_free (bio);
if (!with_begin_end) {
- boost::replace_all (s, "-----BEGIN CERTIFICATE-----\n", "");
- boost::replace_all (s, "\n-----END CERTIFICATE-----\n", "");
+ boost::replace_all (s, begin_certificate + "\n", "");
+ boost::replace_all (s, "\n" + end_certificate + "\n", "");
}
return s;
return st;
}
+/** @return thumbprint of the to-be-signed portion of this certificate */
string
Certificate::thumbprint () const
{
uint8_t buffer[8192];
uint8_t* p = buffer;
+
+#if OPENSSL_VERSION_NUMBER > 0x10100000L
+ i2d_re_X509_tbs(_certificate, &p);
+#else
i2d_X509_CINF (_certificate->cert_info, &p);
+#endif
unsigned int const length = p - buffer;
if (length > sizeof (buffer)) {
throw MiscError ("buffer too small to generate thumbprint");
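Review bot: The size check `if (length > sizeof (buffer))` still runs after the encoder has already written into `buffer`, so a to-be-signed portion larger than 8192 bytes overruns the stack buffer before the throw is reached; the new `i2d_re_X509_tbs(_certificate, &p)` call keeps the same write-then-check shape as the `i2d_X509_CINF` line it wraps. Both i2d functions return the required length when the output pointer is NULL, so the length should be queried and compared against `sizeof (buffer)` before the encoding call, in both branches of the `#if`. The hashing of the buffer that follows is outside the hunk and is unchanged by this.
```cpp
	uint8_t buffer[8192];
	uint8_t* p = buffer;

	/* Ask OpenSSL for the encoded size first: with a NULL output pointer the
	   i2d functions only report the length, so an oversized TBS is rejected
	   before anything is written into buffer. */
#if OPENSSL_VERSION_NUMBER > 0x10100000L
	int const needed = i2d_re_X509_tbs (_certificate, NULL);
#else
	int const needed = i2d_X509_CINF (_certificate->cert_info, NULL);
#endif
	if (needed < 0 || static_cast<size_t> (needed) > sizeof (buffer)) {
		throw MiscError ("buffer too small to generate thumbprint");
	}

#if OPENSSL_VERSION_NUMBER > 0x10100000L
	i2d_re_X509_tbs (_certificate, &p);
#else
	i2d_X509_CINF (_certificate->cert_info, &p);
#endif
	unsigned int const length = p - buffer;
	/* … unchanged: digest of buffer[0..length) … */
```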
return _public_key;
}
+static bool string_is_utf8 (X509_NAME* n, int nid)
+{
+ int p = -1;
+ p = X509_NAME_get_index_by_NID (n, nid, p);
+ return p != -1 && X509_NAME_ENTRY_get_data(X509_NAME_get_entry(n, p))->type == V_ASN1_UTF8STRING;
+}
+
+bool
+Certificate::has_utf8_strings () const
+{
+ X509_NAME* n = X509_get_subject_name (_certificate);
+ return string_is_utf8(n, NID_commonName) ||
+ string_is_utf8(n, NID_organizationName) ||
+ string_is_utf8(n, NID_organizationalUnitName);
+}
+
bool
dcp::operator== (Certificate const & a, Certificate const & b)
{
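Review bot: `string_is_utf8` inspects only the first entry carrying the requested NID, because `X509_NAME_get_index_by_NID (n, nid, p)` with `p == -1` returns the first match and the index is never advanced; a subject with several CN or OU entries where only a later one is a UTF8String makes `has_utf8_strings` answer false. Looping until the lookup returns -1 covers every entry, and `ASN1_STRING_type ()` is the accessor form of the `->type` field read on the `X509_NAME_ENTRY_get_data(...)->type` line. `has_utf8_strings` also lacks the Doxygen comment its neighbours have; `/** @return true if any CN, O or OU entry of the subject name is encoded as a UTF8String */` would match the file's style.
```cpp
static bool string_is_utf8 (X509_NAME* n, int nid)
{
	/* A subject name may carry several entries for one NID; check all of them. */
	int p = -1;
	while ((p = X509_NAME_get_index_by_NID (n, nid, p)) != -1) {
		if (ASN1_STRING_type (X509_NAME_ENTRY_get_data (X509_NAME_get_entry (n, p))) == V_ASN1_UTF8STRING) {
			return true;
		}
	}
	return false;
}
/* … unchanged: has_utf8_strings … */
```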