X-Git-Url: https://main.carlh.net/gitweb/?a=blobdiff_plain;f=src%2Fcertificates.cc;h=3566fba01e4ee2a5a4c7473f26eaba5812aa36fb;hb=ad3d9f8bbe623f87e440bd6a5a12520361a7661f;hp=ba0ebaaeb48c9520977f90a662e097943ec27359;hpb=3c6a628ebd9699dcf760ed98df83c1a3c267bfb4;p=libdcp.git

diff --git a/src/certificates.cc b/src/certificates.cc
index ba0ebaae..3566fba0 100644
--- a/src/certificates.cc
+++ b/src/certificates.cc
@@ -1,10 +1,32 @@
+/*
+    Copyright (C) 2012 Carl Hetherington <cth@carlh.net>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+*/
+
 #include <sstream>
 #include <vector>
 #include <boost/algorithm/string.hpp>
 #include <openssl/x509.h>
 #include <openssl/ssl.h>
 #include <openssl/asn1.h>
+#include <libxml++/nodes/element.h>
+#include "KM_util.h"
 #include "certificates.h"
+#include "compose.hpp"
 #include "exceptions.h"
 
 using std::list;
@@ -21,6 +43,19 @@ Certificate::Certificate (X509* c)
 	
 }
 
+Certificate::Certificate (string const & filename)
+	: _certificate (0)
+{
+	FILE* f = fopen (filename.c_str(), "r");
+	if (!f) {
+		throw FileError ("could not open file", filename);
+	}
+	
+	if (!PEM_read_X509 (f, &_certificate, 0, 0)) {
+		throw MiscError ("could not read X509 certificate");
+	}
+}
+
 Certificate::~Certificate ()
 {
 	X509_free (_certificate);
@@ -29,6 +64,8 @@ Certificate::~Certificate ()
 string
 Certificate::certificate () const
 {
+	assert (_certificate);
+	
 	BIO* bio = BIO_new (BIO_s_mem ());
 	if (!bio) {
 		throw MiscError ("could not create memory BIO");
@@ -53,45 +90,60 @@ Certificate::certificate () const
 string
 Certificate::issuer () const
 {
-	X509_NAME* n = X509_get_issuer_name (_certificate);
-	assert (n);
+	assert (_certificate);
+	return name_for_xml (X509_get_issuer_name (_certificate));
+}
 
-	char b[256];
-	X509_NAME_oneline (n, b, 256);
-	return b;
+string
+Certificate::asn_to_utf8 (ASN1_STRING* s)
+{
+	unsigned char* buf = 0;
+	ASN1_STRING_to_UTF8 (&buf, s);
+	string const u (reinterpret_cast<char *> (buf));
+	OPENSSL_free (buf);
+	return u;
 }
 
 string
-Certificate::name_for_xml (string const & n)
+Certificate::get_name_part (X509_NAME* n, int nid)
 {
-	stringstream x;
+	int p = -1;
+	p = X509_NAME_get_index_by_NID (n, nid, p);
+	assert (p != -1);
+	return asn_to_utf8 (X509_NAME_ENTRY_get_data (X509_NAME_get_entry (n, p)));
+}
 	
-	vector<string> p;
-	boost::split (p, n, boost::is_any_of ("/"));
-	for (vector<string>::const_reverse_iterator i = p.rbegin(); i != p.rend(); ++i) {
-		x << *i << ",";
-	}
 
-	string s = x.str();
-	boost::replace_all (s, "+", "\\+");
+string
+Certificate::name_for_xml (X509_NAME * n)
+{
+	assert (n);
 
-	return s.substr(0, s.length() - 2);
+	string s = String::compose (
+		"dnQualifier=%1,CN=%2,OU=%3,O=%4",
+		get_name_part (n, NID_dnQualifier),
+		get_name_part (n, NID_commonName),
+		get_name_part (n, NID_organizationalUnitName),
+		get_name_part (n, NID_organizationName)
+		);
+	
+	boost::replace_all (s, "+", "\\+");
+	return s;
 }
 
 string
 Certificate::subject () const
 {
-	X509_NAME* n = X509_get_subject_name (_certificate);
-	assert (n);
+	assert (_certificate);
 
-	char b[256];
-	X509_NAME_oneline (n, b, 256);
-	return b;
+	return name_for_xml (X509_get_subject_name (_certificate));
 }
 
 string
 Certificate::serial () const
 {
+	assert (_certificate);
+
 	ASN1_INTEGER* s = X509_get_serialNumber (_certificate);
 	assert (s);
 	
@@ -104,32 +156,28 @@ Certificate::serial () const
 
 	return st;
 }
-		
-
-/** @param filename Text file of PEM-format certificates,
- *  in the order:
- *
- *  1. self-signed root certificate
- *  2. intermediate certificate signed by root certificate
- *  ...
- *  n. leaf certificate signed by previous intermediate.
- */
-
-CertificateChain::CertificateChain (string const & filename)
+
+string
+Certificate::thumbprint () const
 {
-	FILE* f = fopen (filename.c_str(), "r");
-	if (!f) {
-		throw FileError ("could not open file", filename);
-	}
+	assert (_certificate);
 	
-	while (1) {
-		X509* c = 0;
-		if (!PEM_read_X509 (f, &c, 0, 0)) {
-			break;
-		}
-
-		_certificates.push_back (shared_ptr<Certificate> (new Certificate (c)));
+	uint8_t buffer[8192];
+	uint8_t* p = buffer;
+	i2d_X509_CINF (_certificate->cert_info, &p);
+	int const length = p - buffer;
+	if (length > 8192) {
+		throw MiscError ("buffer too small to generate thumbprint");
 	}
+
+	SHA_CTX sha;
+	SHA1_Init (&sha);
+	SHA1_Update (&sha, buffer, length);
+	uint8_t digest[20];
+	SHA1_Final (digest, &sha);
+
+	char digest_base64[64];
+	return Kumu::base64encode (digest, 20, digest_base64, 64);
 }
 
 shared_ptr<Certificate>
@@ -153,3 +201,9 @@ CertificateChain::leaf_to_root () const
 	c.reverse ();
 	return c;
 }
+
+void
+CertificateChain::add (shared_ptr<Certificate> c)
+{
+	_certificates.push_back (c);
+}