X-Git-Url: https://main.carlh.net/gitweb/?a=blobdiff_plain;f=src%2Fcertificates.cc;h=a9d0b37130db8f527601fc180e23248ad95efd26;hb=86bfdeb77f55b379302a65b22f57fc0583ec6b3c;hp=085e462272130bd2b39c4d2878630a3211ec9c14;hpb=a353528b070fe264ce60220b4af07d0561494def;p=libdcp.git diff --git a/src/certificates.cc b/src/certificates.cc index 085e4622..a9d0b371 100644 --- a/src/certificates.cc +++ b/src/certificates.cc @@ -1,5 +1,5 @@ /* - Copyright (C) 2012 Carl Hetherington + Copyright (C) 2012-2014 Carl Hetherington This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -17,54 +17,112 @@ */ -#include -#include -#include -#include -#include -#include -#include +/** @file src/certificates.cc + * @brief Certificate and CertificateChain classes. + */ + #include "KM_util.h" #include "certificates.h" #include "compose.hpp" #include "exceptions.h" +#include "util.h" +#include "dcp_assert.h" +#include +#include +#include +#include +#include +#include +#include +#include using std::list; using std::string; -using std::stringstream; -using std::vector; -using boost::shared_ptr; -using namespace libdcp; +using std::ostream; +using namespace dcp; /** @param c X509 certificate, which this object will take ownership of */ Certificate::Certificate (X509* c) : _certificate (c) + , _public_key (0) { } -Certificate::Certificate (string const & filename) +/** Load an X509 certificate from a string. + * @param cert String to read from. + */ +Certificate::Certificate (string cert) : _certificate (0) + , _public_key (0) { - FILE* f = fopen (filename.c_str(), "r"); - if (!f) { - throw FileError ("could not open file", filename); + read_string (cert); +} + +/** Copy constructor. + * @param other Certificate to copy. + */ +Certificate::Certificate (Certificate const & other) + : _certificate (0) + , _public_key (0) +{ + read_string (other.certificate (true)); +} + +/** Read a certificate from a string. + * @param cert String to read. + */ +void +Certificate::read_string (string cert) +{ + BIO* bio = BIO_new_mem_buf (const_cast (cert.c_str ()), -1); + if (!bio) { + throw MiscError ("could not create memory BIO"); } - - if (!PEM_read_X509 (f, &_certificate, 0, 0)) { - throw MiscError ("could not read X509 certificate"); + + _certificate = PEM_read_bio_X509 (bio, 0, 0, 0); + if (!_certificate) { + throw MiscError ("could not read X509 certificate from memory BIO"); } + + BIO_free (bio); } +/** Destructor */ Certificate::~Certificate () { X509_free (_certificate); + RSA_free (_public_key); +} + +/** operator= for Certificate. + * @param other Certificate to read from. + */ +Certificate & +Certificate::operator= (Certificate const & other) +{ + if (this == &other) { + return *this; + } + + X509_free (_certificate); + _certificate = 0; + RSA_free (_public_key); + _public_key = 0; + + read_string (other.certificate (true)); + + return *this; } +/** Return the certificate as a string. + * @param with_begin_end true to include the -----BEGIN CERTIFICATE--- / -----END CERTIFICATE----- markers. + * @return Certificate string. + */ string -Certificate::certificate () const +Certificate::certificate (bool with_begin_end) const { - assert (_certificate); + DCP_ASSERT (_certificate); BIO* bio = BIO_new (BIO_s_mem ()); if (!bio) { @@ -82,25 +140,32 @@ Certificate::certificate () const BIO_free (bio); - boost::replace_all (s, "-----BEGIN CERTIFICATE-----\n", ""); - boost::replace_all (s, "\n-----END CERTIFICATE-----\n", ""); + if (!with_begin_end) { + boost::replace_all (s, "-----BEGIN CERTIFICATE-----\n", ""); + boost::replace_all (s, "\n-----END CERTIFICATE-----\n", ""); + } + return s; } +/** @return Certificate's issuer, in the form + * dnqualifier=<dnQualififer>,CN=<commonName>,OU=<organizationalUnitName>,O=<organizationName> + * and with + signs escaped to \+ + */ string Certificate::issuer () const { - assert (_certificate); + DCP_ASSERT (_certificate); return name_for_xml (X509_get_issuer_name (_certificate)); } string Certificate::asn_to_utf8 (ASN1_STRING* s) { - unsigned char* buf = new unsigned char[256]; + unsigned char* buf = 0; ASN1_STRING_to_UTF8 (&buf, s); string const u (reinterpret_cast (buf)); - delete[] buf; + OPENSSL_free (buf); return u; } @@ -109,7 +174,7 @@ Certificate::get_name_part (X509_NAME* n, int nid) { int p = -1; p = X509_NAME_get_index_by_NID (n, nid, p); - assert (p != -1); + DCP_ASSERT (p != -1); return asn_to_utf8 (X509_NAME_ENTRY_get_data (X509_NAME_get_entry (n, p))); } @@ -117,7 +182,7 @@ Certificate::get_name_part (X509_NAME* n, int nid) string Certificate::name_for_xml (X509_NAME * n) { - assert (n); + DCP_ASSERT (n); string s = String::compose ( "dnQualifier=%1,CN=%2,OU=%3,O=%4", @@ -134,18 +199,26 @@ Certificate::name_for_xml (X509_NAME * n) string Certificate::subject () const { - assert (_certificate); + DCP_ASSERT (_certificate); return name_for_xml (X509_get_subject_name (_certificate)); } +string +Certificate::common_name () const +{ + DCP_ASSERT (_certificate); + + return get_name_part (X509_get_subject_name (_certificate), NID_commonName); +} + string Certificate::serial () const { - assert (_certificate); + DCP_ASSERT (_certificate); ASN1_INTEGER* s = X509_get_serialNumber (_certificate); - assert (s); + DCP_ASSERT (s); BIGNUM* b = ASN1_INTEGER_to_BN (s, 0); char* c = BN_bn2dec (b); @@ -160,13 +233,13 @@ Certificate::serial () const string Certificate::thumbprint () const { - assert (_certificate); + DCP_ASSERT (_certificate); uint8_t buffer[8192]; uint8_t* p = buffer; i2d_X509_CINF (_certificate->cert_info, &p); - int const length = p - buffer; - if (length > 8192) { + unsigned int const length = p - buffer; + if (length > sizeof (buffer)) { throw MiscError ("buffer too small to generate thumbprint"); } @@ -180,30 +253,180 @@ Certificate::thumbprint () const return Kumu::base64encode (digest, 20, digest_base64, 64); } -shared_ptr +/** @return RSA public key from this Certificate. Caller must not free the returned value. */ +RSA * +Certificate::public_key () const +{ + DCP_ASSERT (_certificate); + + if (_public_key) { + return _public_key; + } + + EVP_PKEY* key = X509_get_pubkey (_certificate); + if (!key) { + throw MiscError ("could not get public key from certificate"); + } + + _public_key = EVP_PKEY_get1_RSA (key); + if (!_public_key) { + throw MiscError (String::compose ("could not get RSA public key (%1)", ERR_error_string (ERR_get_error(), 0))); + } + + return _public_key; +} + +bool +dcp::operator== (Certificate const & a, Certificate const & b) +{ + return a.certificate() == b.certificate(); +} + +bool +dcp::operator< (Certificate const & a, Certificate const & b) +{ + return a.certificate() < b.certificate(); +} + +ostream& +dcp::operator<< (ostream& s, Certificate const & c) +{ + s << c.certificate(); + return s; +} + +/** @return Root certificate */ +Certificate CertificateChain::root () const { - assert (!_certificates.empty()); + DCP_ASSERT (!_certificates.empty()); return _certificates.front (); } -shared_ptr +/** @return Leaf certificate */ +Certificate CertificateChain::leaf () const { - assert (_certificates.size() >= 2); + DCP_ASSERT (_certificates.size() >= 2); return _certificates.back (); } -list > +/** @return Certificates in order from root to leaf */ +CertificateChain::List +CertificateChain::root_to_leaf () const +{ + return _certificates; +} + +/** @return Certificates in order from leaf to root */ +CertificateChain::List CertificateChain::leaf_to_root () const { - list > c = _certificates; + List c = _certificates; c.reverse (); return c; } +/** Add a certificate to the end of the chain. + * @param c Certificate to add. + */ void -CertificateChain::add (shared_ptr c) +CertificateChain::add (Certificate c) { _certificates.push_back (c); } + +/** Remove a certificate from the chain. + * @param c Certificate to remove. + */ +void +CertificateChain::remove (Certificate c) +{ + _certificates.remove (c); +} + +/** Remove the i'th certificate in the list, as listed + * from root to leaf. + */ +void +CertificateChain::remove (int i) +{ + List::iterator j = _certificates.begin (); + while (j != _certificates.end () && i > 0) { + --i; + ++j; + } + + if (j != _certificates.end ()) { + _certificates.erase (j); + } +} + +/** Check to see if the chain is valid (i.e. root signs the intermediate, intermediate + * signs the leaf and so on). + * @return true if it's ok, false if not. + */ +bool +CertificateChain::valid () const +{ + X509_STORE* store = X509_STORE_new (); + if (!store) { + return false; + } + + for (List::const_iterator i = _certificates.begin(); i != _certificates.end(); ++i) { + + List::const_iterator j = i; + ++j; + if (j == _certificates.end ()) { + break; + } + + if (!X509_STORE_add_cert (store, i->x509 ())) { + X509_STORE_free (store); + return false; + } + + X509_STORE_CTX* ctx = X509_STORE_CTX_new (); + if (!ctx) { + X509_STORE_free (store); + return false; + } + + X509_STORE_set_flags (store, 0); + if (!X509_STORE_CTX_init (ctx, store, j->x509 (), 0)) { + X509_STORE_CTX_free (ctx); + X509_STORE_free (store); + return false; + } + + int v = X509_verify_cert (ctx); + X509_STORE_CTX_free (ctx); + + if (v == 0) { + X509_STORE_free (store); + return false; + } + } + + X509_STORE_free (store); + return true; +} + +/** @return true if the chain is now in order from root to leaf, + * false if no correct order was found. + */ +bool +CertificateChain::attempt_reorder () +{ + List original = _certificates; + _certificates.sort (); + do { + if (valid ()) { + return true; + } + } while (std::next_permutation (_certificates.begin(), _certificates.end ())); + + _certificates = original; + return false; +}