2 Copyright (C) 2012-2021 Carl Hetherington <cth@carlh.net>
4 This file is part of libdcp.
6 libdcp is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 libdcp is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with libdcp. If not, see <http://www.gnu.org/licenses/>.
19 In addition, as a special exception, the copyright holders give
20 permission to link the code of portions of this program with the
21 OpenSSL library under certain conditions as described in each
22 individual source file, and distribute linked combinations
25 You must obey the GNU General Public License in all respects
26 for all of the code used other than OpenSSL. If you modify
27 file(s) with this exception, you may extend this exception to your
28 version of the file(s), but you are not obligated to do so. If you
29 do not wish to do so, delete this exception statement from your
30 version. If you delete this exception statement from all source
31 files in the program, then also delete it here.
35 /** @file src/certificate.cc
36 * @brief Certificate class
40 #include "certificate.h"
41 #include "compose.hpp"
42 #include "exceptions.h"
44 #include "dcp_assert.h"
45 #include <asdcp/KM_util.h>
46 #include <libxml++/nodes/element.h>
47 #include <openssl/x509.h>
48 #include <openssl/ssl.h>
49 #include <openssl/asn1.h>
50 #include <openssl/err.h>
51 #include <boost/algorithm/string.hpp>
64 static string const begin_certificate = "-----BEGIN CERTIFICATE-----";
65 static string const end_certificate = "-----END CERTIFICATE-----";
68 Certificate::Certificate (X509* c)
75 Certificate::Certificate (string cert)
77 auto const s = read_string (cert);
79 throw MiscError ("unexpected data after certificate");
84 Certificate::Certificate (Certificate const & other)
86 if (other._certificate) {
87 read_string (other.certificate (true));
93 Certificate::read_string (string cert)
95 /* Reformat cert so that it has line breaks every 64 characters.
96 See http://comments.gmane.org/gmane.comp.encryption.openssl.user/55593
102 for (size_t i = 0; i < cert.length(); ++i) {
104 if (cert[i] == '\r' || cert[i] == '\n') {
105 boost::algorithm::trim (line);
106 lines.push_back (line);
112 boost::algorithm::trim (line);
113 lines.push_back (line);
116 auto i = lines.begin ();
119 while (i != lines.end() && *i != begin_certificate) {
123 if (i == lines.end()) {
124 throw MiscError ("missing BEGIN line in certificate");
127 /* Skip over the BEGIN line */
130 /* The base64 data */
131 bool got_end = false;
133 while (i != lines.end()) {
134 if (*i == end_certificate) {
143 throw MiscError ("missing END line in certificate");
146 /* Skip over the END line */
149 /* Make up the fixed version */
151 string fixed = begin_certificate + "\n";
152 while (!base64.empty ()) {
153 size_t const t = min (size_t(64), base64.length());
154 fixed += base64.substr (0, t) + "\n";
155 base64 = base64.substr (t, base64.length() - t);
158 fixed += end_certificate;
160 auto bio = BIO_new_mem_buf (const_cast<char *> (fixed.c_str ()), -1);
162 throw MiscError ("could not create memory BIO");
165 _certificate = PEM_read_bio_X509 (bio, 0, 0, 0);
167 throw MiscError ("could not read X509 certificate from memory BIO");
174 while (i != lines.end()) {
185 Certificate::~Certificate ()
187 X509_free (_certificate);
188 RSA_free (_public_key);
193 Certificate::operator= (Certificate const & other)
195 if (this == &other) {
199 X509_free (_certificate);
201 RSA_free (_public_key);
204 read_string (other.certificate(true));
211 Certificate::certificate (bool with_begin_end) const
213 DCP_ASSERT (_certificate);
215 auto bio = BIO_new (BIO_s_mem());
217 throw MiscError ("could not create memory BIO");
220 PEM_write_bio_X509 (bio, _certificate);
224 long int const data_length = BIO_get_mem_data (bio, &data);
225 for (long int i = 0; i < data_length; ++i) {
231 if (!with_begin_end) {
232 boost::replace_all (s, begin_certificate + "\n", "");
233 boost::replace_all (s, "\n" + end_certificate + "\n", "");
241 Certificate::issuer () const
243 DCP_ASSERT (_certificate);
244 return name_for_xml (X509_get_issuer_name(_certificate));
249 Certificate::asn_to_utf8 (ASN1_STRING* s)
251 unsigned char* buf = 0;
252 ASN1_STRING_to_UTF8 (&buf, s);
253 string const u (reinterpret_cast<char *> (buf));
260 Certificate::get_name_part (X509_NAME* n, int nid)
263 p = X509_NAME_get_index_by_NID (n, nid, p);
267 return asn_to_utf8 (X509_NAME_ENTRY_get_data(X509_NAME_get_entry(n, p)));
272 Certificate::name_for_xml (X509_NAME* name)
276 auto bio = BIO_new (BIO_s_mem ());
278 throw MiscError ("could not create memory BIO");
281 X509_NAME_print_ex (bio, name, 0, XN_FLAG_RFC2253);
282 int n = BIO_pending (bio);
283 char* result = new char[n + 1];
284 n = BIO_read (bio, result, n);
296 Certificate::subject () const
298 DCP_ASSERT (_certificate);
300 return name_for_xml (X509_get_subject_name(_certificate));
305 Certificate::subject_common_name () const
307 DCP_ASSERT (_certificate);
309 return get_name_part (X509_get_subject_name(_certificate), NID_commonName);
314 Certificate::subject_organization_name () const
316 DCP_ASSERT (_certificate);
318 return get_name_part (X509_get_subject_name(_certificate), NID_organizationName);
323 Certificate::subject_organizational_unit_name () const
325 DCP_ASSERT (_certificate);
327 return get_name_part (X509_get_subject_name(_certificate), NID_organizationalUnitName);
333 convert_time (ASN1_TIME const * time)
336 char const * s = (char const *) time->data;
338 if (time->type == V_ASN1_UTCTIME) {
339 sscanf(s, "%2d%2d%2d%2d%2d%2d", &t.tm_year, &t.tm_mon, &t.tm_mday, &t.tm_hour, &t.tm_min, &t.tm_sec);
340 if (t.tm_year < 70) {
343 } else if (time->type == V_ASN1_GENERALIZEDTIME) {
344 sscanf(s, "%4d%2d%2d%2d%2d%2d", &t.tm_year, &t.tm_mon, &t.tm_mday, &t.tm_hour, &t.tm_min, &t.tm_sec);
355 Certificate::not_before () const
357 DCP_ASSERT (_certificate);
358 #if OPENSSL_VERSION_NUMBER > 0x10100000L
359 return convert_time(X509_get0_notBefore(_certificate));
361 return convert_time(X509_get_notBefore(_certificate));
367 Certificate::not_after () const
369 DCP_ASSERT (_certificate);
370 #if OPENSSL_VERSION_NUMBER > 0x10100000L
371 return convert_time(X509_get0_notAfter(_certificate));
373 return convert_time(X509_get_notAfter(_certificate));
379 Certificate::serial () const
381 DCP_ASSERT (_certificate);
383 auto s = X509_get_serialNumber (_certificate);
386 auto b = ASN1_INTEGER_to_BN (s, 0);
387 char* c = BN_bn2dec (b);
398 Certificate::thumbprint () const
400 DCP_ASSERT (_certificate);
402 uint8_t buffer[8192];
405 #if OPENSSL_VERSION_NUMBER > 0x10100000L
406 i2d_re_X509_tbs(_certificate, &p);
408 i2d_X509_CINF (_certificate->cert_info, &p);
410 unsigned int const length = p - buffer;
411 if (length > sizeof (buffer)) {
412 throw MiscError ("buffer too small to generate thumbprint");
417 SHA1_Update (&sha, buffer, length);
419 SHA1_Final (digest, &sha);
421 char digest_base64[64];
422 return Kumu::base64encode (digest, 20, digest_base64, 64);
427 Certificate::public_key () const
429 DCP_ASSERT (_certificate);
435 auto key = X509_get_pubkey (_certificate);
437 throw MiscError ("could not get public key from certificate");
440 _public_key = EVP_PKEY_get1_RSA (key);
442 throw MiscError (String::compose ("could not get RSA public key (%1)", ERR_error_string (ERR_get_error(), 0)));
449 static bool string_is_utf8 (X509_NAME* n, int nid)
452 p = X509_NAME_get_index_by_NID (n, nid, p);
453 return p != -1 && X509_NAME_ENTRY_get_data(X509_NAME_get_entry(n, p))->type == V_ASN1_UTF8STRING;
458 Certificate::has_utf8_strings () const
460 auto n = X509_get_subject_name (_certificate);
461 return string_is_utf8(n, NID_commonName) ||
462 string_is_utf8(n, NID_organizationName) ||
463 string_is_utf8(n, NID_organizationalUnitName);
468 dcp::operator== (Certificate const & a, Certificate const & b)
470 return a.certificate() == b.certificate();
475 dcp::operator< (Certificate const & a, Certificate const & b)
477 return a.certificate() < b.certificate();
482 dcp::operator<< (ostream& s, Certificate const & c)
484 s << c.certificate();