XRootD
Loading...
Searching...
No Matches
XrdCryptosslX509 Class Reference

#include <XrdCryptosslX509.hh>

Inheritance diagram for XrdCryptosslX509:
Collaboration diagram for XrdCryptosslX509:

Public Member Functions

 XrdCryptosslX509 (const char *cf, const char *kf=0)
 XrdCryptosslX509 (X509 *cert)
 XrdCryptosslX509 (XrdSutBucket *bck)
virtual ~XrdCryptosslX509 ()
int BitStrength ()
int DumpExtensions (bool dumpunknown=0)
XrdSutBucketExport ()
XrdCryptoX509data GetExtension (const char *oid)
const char * Issuer ()
const char * IssuerHash (int=0)
virtual bool MatchesSAN (const char *, bool &)
time_t NotAfter ()
time_t NotBefore ()
XrdCryptoX509data Opaque ()
const char * ParentFile ()
XrdCryptoRSAPKI ()
const char * ProxyType () const
kXR_int64 SerialNumber ()
XrdOucString SerialNumberString ()
void SetPKI (XrdCryptoX509data pki)
const char * Subject ()
const char * SubjectHash (int=0)
bool Verify (XrdCryptoX509 *ref)
Public Member Functions inherited from XrdCryptoX509
 XrdCryptoX509 ()
virtual ~XrdCryptoX509 ()
virtual void Dump ()
virtual bool IsExpired (int when=0)
const char * IssuerHash ()
virtual bool IsValid (int when=0)
const char * SubjectHash ()
const char * Type (EX509Type t=kUnknown) const

Additional Inherited Members

Public Types inherited from XrdCryptoX509
enum  EX509Type {
  kUnknown = -1 ,
  kCA = 0 ,
  kEEC = 1 ,
  kProxy = 2
}
Static Public Member Functions inherited from XrdCryptoX509
static bool MatchHostnames (const char *match_pattern, const char *fqdn)
Public Attributes inherited from XrdCryptoX509
EX509Type type

Detailed Description

Definition at line 48 of file XrdCryptosslX509.hh.

Constructor & Destructor Documentation

◆ XrdCryptosslX509() [1/3]

XrdCryptosslX509::XrdCryptosslX509 ( const char * cf,
const char * kf = 0 )

Definition at line 66 of file XrdCryptosslX509.cc.

67 : XrdCryptoX509()
68{
69 // Constructor certificate from file 'cf'. If 'kf' is defined,
70 // complete the key of the certificate with the private key in kf.
71 EPNAME("X509::XrdCryptosslX509_file");
72
73 // Init private members
74 cert = 0; // The certificate object
75 notbefore = -1; // begin-validity time in secs since Epoch
76 notafter = -1; // end-validity time in secs since Epoch
77 subject = ""; // subject;
78 issuer = ""; // issuer;
79 subjecthash = ""; // hash of subject;
80 issuerhash = ""; // hash of issuer;
81 subjectoldhash = ""; // hash of subject (md5 algorithm);
82 issueroldhash = ""; // hash of issuer (md5 algorithm);
83 srcfile = ""; // source file;
84 bucket = 0; // bucket for serialization
85 pki = 0; // PKI of the certificate
86 pxytype = 0; // Proxy sub-type
87
88 // Make sure file name is defined;
89 if (!cf) {
90 DEBUG("file name undefined");
91 return;
92 }
93 // Make sure file exists;
94 struct stat st;
95 int fd = open(cf, O_RDONLY);
96
97 if (fd == -1) {
98 if (errno == ENOENT) {
99 DEBUG("file "<<cf<<" does not exist - do nothing");
100 } else {
101 DEBUG("cannot open file "<<cf<<" (errno: "<<errno<<")");
102 }
103 return;
104 }
105
106 if (fstat(fd, &st) != 0) {
107 DEBUG("cannot stat file "<<cf<<" (errno: "<<errno<<")");
108 close(fd);
109 return;
110 }
111 //
112 // Open file in read mode
113 FILE *fc = fdopen(fd, "r");
114 if (!fc) {
115 DEBUG("cannot fdopen file "<<cf<<" (errno: "<<errno<<")");
116 close(fd);
117 return;
118 }
119 //
120 // Read the content:
121 if (!PEM_read_X509(fc, &cert, 0, 0)) {
122 DEBUG("Unable to load certificate from file");
123 fclose(fc);
124 return;
125 } else {
126 DEBUG("certificate successfully loaded");
127 }
128 //
129 // Close the file
130 fclose(fc);
131 //
132 // Save source file name
133 srcfile = cf;
134
135 // Init some of the private members (the others upon need)
136 Subject();
137 Issuer();
138 CertType();
139
140 // Get the public key
141 EVP_PKEY *evpp = 0;
142 // Read the private key file, if specified
143 if (kf) {
144 int fd = open(kf, O_RDONLY);
145 if (fd == -1) {
146 DEBUG("cannot open file "<<kf<<" (errno: "<<errno<<")");
147 return;
148 }
149 if (fstat(fd, &st) == -1) {
150 DEBUG("cannot stat private key file "<<kf<<" (errno:"<<errno<<")");
151 close(fd);
152 return;
153 }
154 if (!S_ISREG(st.st_mode) || S_ISDIR(st.st_mode) ||
155 (st.st_mode & (S_IROTH | S_IWOTH)) != 0 ||
156 (st.st_mode & (S_IWGRP)) != 0) {
157 DEBUG("private key file "<<kf<<" has wrong permissions "<<
158 (st.st_mode & 0777) << " (should be at most 0640)");
159 close(fd);
160 return;
161 }
162 // Open file in read mode
163 FILE *fk = fdopen(fd, "r");
164 if (!fk) {
165 DEBUG("cannot open file "<<kf<<" (errno: "<<errno<<")");
166 close(fd);
167 return;
168 }
169 // This call fills the full key, i.e. also the public part (not really documented, though)
170 if ((evpp = PEM_read_PrivateKey(fk,0,0,0))) {
171 DEBUG("RSA key completed ");
172 // Test consistency
173 auto tmprsa = std::make_unique<XrdCryptosslRSA>(evpp, 1);
174 if (tmprsa->status == XrdCryptoRSA::kComplete) {
175 // Save it in pki
176 pki = tmprsa.release();
177 }
178 } else {
179 DEBUG("cannot read the key from file");
180 }
181 // Close the file
182 fclose(fk);
183 }
184 // If there were no private key or we did not manage to import it
185 // init pki with the partial key
186 if (!pki)
187 pki = new XrdCryptosslRSA(X509_get_pubkey(cert), 0);
188}
DEBUG
#define DEBUG(x)
Definition XrdBwmTrace.hh:54
EPNAME
#define EPNAME(x)
Definition XrdBwmTrace.hh:56
fclose
int fclose(FILE *stream)
Definition XrdPosixPreload.cc:173
close
#define close(a)
Definition XrdPosix.hh:48
fstat
#define fstat(a, b)
Definition XrdPosix.hh:62
open
#define open
Definition XrdPosix.hh:78
stat
#define stat(a, b)
Definition XrdPosix.hh:105
XrdCryptosslX509::Issuer
const char * Issuer()
Definition XrdCryptosslX509.cc:513
XrdCryptosslX509::Subject
const char * Subject()
Definition XrdCryptosslX509.cc:490

References XrdCryptoX509::XrdCryptoX509(), close, DEBUG, EPNAME, fclose(), fstat, Issuer(), XrdCryptoRSA::kComplete, open, stat, and Subject().

Here is the call graph for this function:

◆ XrdCryptosslX509() [2/3]

XrdCryptosslX509::XrdCryptosslX509 ( XrdSutBucket * bck)

Definition at line 191 of file XrdCryptosslX509.cc.

191 : XrdCryptoX509()
192{
193 // Constructor certificate from BIO 'bcer'
194 EPNAME("X509::XrdCryptosslX509_bio");
195
196 // Init private members
197 cert = 0; // The certificate object
198 notbefore = -1; // begin-validity time in secs since Epoch
199 notafter = -1; // end-validity time in secs since Epoch
200 subject = ""; // subject;
201 issuer = ""; // issuer;
202 subjecthash = ""; // hash of subject;
203 issuerhash = ""; // hash of issuer;
204 subjectoldhash = ""; // hash of subject (md5 algorithm);
205 issueroldhash = ""; // hash of issuer (md5 algorithm);
206 srcfile = ""; // source file;
207 bucket = 0; // bucket for serialization
208 pki = 0; // PKI of the certificate
209 pxytype = 0; // Proxy sub-type
210
211 // Make sure we got something;
212 if (!buck) {
213 DEBUG("got undefined opaque buffer");
214 return;
215 }
216
217 //
218 // Create a bio_mem to store the certificates
219 BIO *bmem = BIO_new(BIO_s_mem());
220 if (!bmem) {
221 DEBUG("unable to create BIO for memory operations");
222 return;
223 }
224
225 // Write data to BIO
226 int nw = BIO_write(bmem,(const void *)(buck->buffer),buck->size);
227 if (nw != buck->size) {
228 DEBUG("problems writing data to memory BIO (nw: "<<nw<<")");
229 return;
230 }
231
232 // Get certificate from BIO
233 if (!(cert = PEM_read_bio_X509(bmem,0,0,0))) {
234 DEBUG("unable to read certificate to memory BIO");
235 return;
236 }
237 //
238 // Free BIO
239 BIO_free(bmem);
240
241 //
242 // Init some of the private members (the others upon need)
243 Subject();
244 Issuer();
245 CertType();
246
247 // Get the public key
248 EVP_PKEY *evpp = X509_get_pubkey(cert);
249 //
250 if (evpp) {
251 // init pki with the partial key
252 if (!pki)
253 pki = new XrdCryptosslRSA(evpp, 0);
254 } else {
255 DEBUG("could not access the public key");
256 }
257}

References XrdCryptoX509::XrdCryptoX509(), XrdSutBucket::buffer, DEBUG, EPNAME, Issuer(), XrdSutBucket::size, and Subject().

Here is the call graph for this function:

◆ XrdCryptosslX509() [3/3]

XrdCryptosslX509::XrdCryptosslX509 ( X509 * cert)

Definition at line 260 of file XrdCryptosslX509.cc.

260 : XrdCryptoX509()
261{
262 // Constructor: import X509 object
263 EPNAME("X509::XrdCryptosslX509_x509");
264
265 // Init private members
266 cert = 0; // The certificate object
267 notbefore = -1; // begin-validity time in secs since Epoch
268 notafter = -1; // end-validity time in secs since Epoch
269 subject = ""; // subject;
270 issuer = ""; // issuer;
271 subjecthash = ""; // hash of subject;
272 issuerhash = ""; // hash of issuer;
273 subjectoldhash = ""; // hash of subject (md5 algorithm);
274 issueroldhash = ""; // hash of issuer (md5 algorithm);
275 srcfile = ""; // source file;
276 bucket = 0; // bucket for serialization
277 pki = 0; // PKI of the certificate
278 pxytype = 0; // Proxy sub-type
279
280 // Make sure we got something;
281 if (!xc) {
282 DEBUG("got undefined X509 object");
283 return;
284 }
285
286 // Set certificate
287 cert = xc;
288
289 //
290 // Init some of the private members (the others upon need)
291 Subject();
292 Issuer();
293 CertType();
294
295 // Get the public key
296 EVP_PKEY *evpp = X509_get_pubkey(cert);
297 //
298 if (evpp) {
299 // init pki with the partial key
300 if (!pki)
301 pki = new XrdCryptosslRSA(evpp, 0);
302 } else {
303 DEBUG("could not access the public key");
304 }
305}

References XrdCryptoX509::XrdCryptoX509(), DEBUG, EPNAME, Issuer(), and Subject().

Here is the call graph for this function:

◆ ~XrdCryptosslX509()

XrdCryptosslX509::~XrdCryptosslX509 ( )
virtual

Definition at line 308 of file XrdCryptosslX509.cc.

309{
310 // Destructor
311
312 // Cleanup certificate
313 if (cert) X509_free(cert);
314 // Cleanup key
315 if (pki) delete pki;
316}

Member Function Documentation

◆ BitStrength()

int XrdCryptosslX509::BitStrength ( )
inlinevirtual

Reimplemented from XrdCryptoX509.

Definition at line 77 of file XrdCryptosslX509.hh.

77{ return ((cert) ? EVP_PKEY_bits(X509_get_pubkey(cert)) : -1);}

◆ DumpExtensions()

int XrdCryptosslX509::DumpExtensions ( bool dumpunknown = 0)
virtual

Reimplemented from XrdCryptoX509.

Definition at line 815 of file XrdCryptosslX509.cc.

816{
817 // Dump our extensions, if any
818 // Returns -1 on failure, 0 on success
819 EPNAME("DumpExtensions");
820
821 int rc = -1;
822 // Point to the cerificate
823 X509 *xpi = (X509 *) Opaque();
824
825 // Make sure we got the right inputs
826 if (!xpi) {
827 PRINT("we are empty! Do nothing");
828 return rc;
829 }
830
831 rc = 1;
832 // Go through the extensions
833#if OPENSSL_VERSION_NUMBER < 0x40000000L
834 X509_EXTENSION *xpiext = 0;
835#else
836 const X509_EXTENSION *xpiext = 0;
837#endif
838 int npiext = X509_get_ext_count(xpi);
839 PRINT("found "<<npiext<<" extensions ");
840 int i = 0;
841 for (i = 0; i< npiext; i++) {
842 xpiext = X509_get_ext(xpi, i);
843 char s[256];
844 OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(xpiext), 1);
845 int crit = X509_EXTENSION_get_critical(xpiext);
846 // Notify what we found
847 PRINT(i << ": found extension '"<<s<<"', critical: " << crit);
848 // Dump its content
849 rc = 0;
850 const unsigned char *pp = ASN1_STRING_get0_data(X509_EXTENSION_get_data(xpiext));
851 long length = ASN1_STRING_length(X509_EXTENSION_get_data(xpiext));
852 int ret = FillUnknownExt(&pp, length, dumpunknown);
853 PRINT("ret: " << ret);
854 }
855
856 // Done
857 return rc;
858}
PRINT
#define PRINT(y)
Definition XrdCryptosslTrace.hh:39
XrdCryptosslX509::Opaque
XrdCryptoX509data Opaque()
Definition XrdCryptosslX509.hh:58

References EPNAME, Opaque(), and PRINT.

Here is the call graph for this function:

◆ Export()

XrdSutBucket * XrdCryptosslX509::Export ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 725 of file XrdCryptosslX509.cc.

726{
727 // Export in form of bucket
728 EPNAME("X509::Export");
729
730 // If we have already done it, return the previous result
731 if (bucket) {
732 DEBUG("serialization already performed:"
733 " return previous result ("<<bucket->size<<" bytes)");
734 return bucket;
735 }
736
737 // Make sure we got something to export
738 if (!cert) {
739 DEBUG("certificate is not initialized");
740 return 0;
741 }
742
743 //
744 // Now we create a bio_mem to serialize the certificate
745 BIO *bmem = BIO_new(BIO_s_mem());
746 if (!bmem) {
747 DEBUG("unable to create BIO for memory operations");
748 return 0;
749 }
750
751 // Write certificate to BIO
752 if (!PEM_write_bio_X509(bmem, cert)) {
753 DEBUG("unable to write certificate to memory BIO");
754 return 0;
755 }
756
757 // Extract pointer to BIO data and length of segment
758 char *bdata = 0;
759 int blen = BIO_get_mem_data(bmem, &bdata);
760 DEBUG("BIO data: "<<blen<<" bytes at 0x"<<(int *)bdata);
761
762 // create the bucket now
763 bucket = new XrdSutBucket(0,0,kXRS_x509);
764 if (bucket) {
765 // Fill bucket
766 bucket->SetBuf(bdata, blen);
767 DEBUG("result of serialization: "<<bucket->size<<" bytes");
768 } else {
769 DEBUG("unable to create bucket for serialized format");
770 BIO_free(bmem);
771 return 0;
772 }
773 //
774 // Free BIO
775 BIO_free(bmem);
776 //
777 // We are done
778 return bucket;
779}
kXRS_x509
@ kXRS_x509
Definition XrdSutAux.hh:79

References DEBUG, EPNAME, and kXRS_x509.

◆ GetExtension()

XrdCryptoX509data XrdCryptosslX509::GetExtension ( const char * oid)
virtual

Reimplemented from XrdCryptoX509.

Definition at line 658 of file XrdCryptosslX509.cc.

659{
660 // Return pointer to extension with OID oid, if any, in
661 // opaque form
662 EPNAME("X509::GetExtension");
663 XrdCryptoX509data ext = 0;
664
665 // Make sure we got something to look for
666 if (!oid) {
667 DEBUG("OID string not defined");
668 return ext;
669 }
670
671 // Make sure we got something to look for
672 if (!cert) {
673 DEBUG("certificate is not initialized");
674 return ext;
675 }
676
677 // Are there any extension?
678 int numext = X509_get_ext_count(cert);
679 if (numext <= 0) {
680 DEBUG("certificate has got no extensions");
681 return ext;
682 }
683 DEBUG("certificate has "<<numext<<" extensions");
684
685 // If the string is the Standard Name of a known extension check
686 // searche the corresponding NID
687 int nid = OBJ_sn2nid(oid);
688 bool usenid = (nid > 0);
689
690 // Loop to identify the one we would like
691 int i = 0;
692#if OPENSSL_VERSION_NUMBER < 0x40000000L
693 X509_EXTENSION *wext = 0;
694#else
695 const X509_EXTENSION *wext = 0;
696#endif
697 for (i = 0; i< numext; i++) {
698 wext = X509_get_ext(cert, i);
699 if (usenid) {
700 int enid = OBJ_obj2nid(X509_EXTENSION_get_object(wext));
701 if (enid == nid)
702 break;
703 } else {
704 // Try matching of the text
705 char s[256];
706 OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(wext), 1);
707 if (!strcmp(s, oid))
708 break;
709 }
710 // Do not free the extension: its owned by the certificate
711 wext = 0;
712 }
713
714 // We are done if nothing was found
715 if (!wext) {
716 DEBUG("Extension "<<oid<<" not found");
717 return ext;
718 }
719
720 // We are done
721 return (XrdCryptoX509data)wext;
722}
XrdCryptoX509data
void * XrdCryptoX509data
Definition XrdCryptoX509.hh:43

References DEBUG, and EPNAME.

◆ Issuer()

const char * XrdCryptosslX509::Issuer ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 513 of file XrdCryptosslX509.cc.

514{
515 // Return issuer name
516 EPNAME("X509::Issuer");
517
518 // If we do not have it already, try extraction
519 if (issuer.length() <= 0) {
520
521 // Make sure we have a certificate
522 if (!cert) {
523 DEBUG("WARNING: no certificate available - cannot extract issuer name");
524 return (const char *)0;
525 }
526
527 // Extract issuer name
528 XrdCryptosslNameOneLine(X509_get_issuer_name(cert), issuer);
529 }
530
531 // return what we have
532 return (issuer.length() > 0) ? issuer.c_str() : (const char *)0;
533}
XrdCryptosslNameOneLine
void XrdCryptosslNameOneLine(const X509_NAME *nm, XrdOucString &s)
Definition XrdCryptosslAux.cc:736

References DEBUG, EPNAME, and XrdCryptosslNameOneLine().

Referenced by XrdCryptosslX509(), XrdCryptosslX509(), and XrdCryptosslX509().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ IssuerHash()

const char * XrdCryptosslX509::IssuerHash ( int alg = 0)
virtual

Reimplemented from XrdCryptoX509.

Definition at line 536 of file XrdCryptosslX509.cc.

537{
538 // Return hash of issuer name
539 // Use default algorithm (X509_NAME_hash) for alg = 0, old algorithm
540 // (for v>=1.0.0) when alg = 1
541 EPNAME("X509::IssuerHash");
542
543 if (alg == 1) {
544 // md5 based
545 if (issueroldhash.length() <= 0) {
546 // Make sure we have a certificate
547 if (cert) {
548 char chash[30] = {0};
549 snprintf(chash, sizeof(chash),
550 "%08lx.0",X509_NAME_hash_old(X509_get_issuer_name(cert)));
551 issueroldhash = chash;
552 } else {
553 DEBUG("WARNING: no certificate available - cannot extract issuer hash (md5)");
554 }
555 }
556 // return what we have
557 return (issueroldhash.length() > 0) ? issueroldhash.c_str() : (const char *)0;
558 }
559
560 // If we do not have it already, try extraction
561 if (issuerhash.length() <= 0) {
562
563 // Make sure we have a certificate
564 if (cert) {
565 char chash[30] = {0};
566 snprintf(chash, sizeof(chash),
567 "%08lx.0",X509_NAME_hash(X509_get_issuer_name(cert)));
568 issuerhash = chash;
569 } else {
570 DEBUG("WARNING: no certificate available - cannot extract issuer hash (default)");
571 }
572 }
573
574 // return what we have
575 return (issuerhash.length() > 0) ? issuerhash.c_str() : (const char *)0;
576}

References DEBUG, and EPNAME.

◆ MatchesSAN()

bool XrdCryptosslX509::MatchesSAN ( const char * fqdn,
bool & hasSAN )
virtual

Implements XrdCryptoX509.

Definition at line 1124 of file XrdCryptosslX509.cc.

1125{
1126 EPNAME("MatchesSAN");
1127
1128 // Statically allocated array for hostname lengths. RFC1035 limits
1129 // valid lengths to 255 characters.
1130 char san_fqdn[256];
1131
1132 // Assume we have no SAN extension. Failure may allow the caller to try
1133 // using the common name before giving up.
1134 hasSAN = false;
1135
1136 GENERAL_NAMES *gens = static_cast<GENERAL_NAMES *>(X509_get_ext_d2i(cert,
1137 NID_subject_alt_name, NULL, NULL));
1138 if (!gens)
1139 return false;
1140
1141 // Only an EEC is usable as a host certificate.
1142 if (type != kEEC)
1143 return false;
1144
1145 // All failures are under the notion that we have a SAN extension.
1146 hasSAN = true;
1147
1148 if (!fqdn)
1149 return false;
1150
1151 bool success = false;
1152 for (int idx = 0; idx < sk_GENERAL_NAME_num(gens); idx++) {
1153 GENERAL_NAME *gen;
1154 ASN1_STRING *cstr;
1155 gen = sk_GENERAL_NAME_value(gens, idx);
1156 if (gen->type != GEN_DNS)
1157 continue;
1158 cstr = gen->d.dNSName;
1159 if (ASN1_STRING_type(cstr) != V_ASN1_IA5STRING)
1160 continue;
1161 int san_fqdn_len = ASN1_STRING_length(cstr);
1162 if (san_fqdn_len > 255)
1163 continue;
1164 memcpy(san_fqdn, ASN1_STRING_get0_data(cstr), san_fqdn_len);
1165 san_fqdn[san_fqdn_len] = '\0';
1166 if (strlen(san_fqdn) != static_cast<size_t>(san_fqdn_len)) // Avoid embedded null's.
1167 continue;
1168 DEBUG("Comparing SAN " << san_fqdn << " with " << fqdn);
1169 if (MatchHostnames(san_fqdn, fqdn)) {
1170 DEBUG("SAN " << san_fqdn << " matches with " << fqdn);
1171 success = true;
1172 break;
1173 }
1174 }
1175 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
1176 return success;
1177}
XrdCryptoX509::MatchHostnames
static bool MatchHostnames(const char *match_pattern, const char *fqdn)
Definition XrdCryptoX509.cc:253

References DEBUG, EPNAME, XrdCryptoX509::kEEC, XrdCryptoX509::MatchHostnames(), and XrdCryptoX509::type.

Here is the call graph for this function:

◆ NotAfter()

time_t XrdCryptosslX509::NotAfter ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 474 of file XrdCryptosslX509.cc.

475{
476 // End-validity time in secs since Epoch
477
478 // If we do not have it already, try extraction
479 if (notafter < 0) {
480 // Make sure we have a certificate
481 if (cert)
482 // Extract UTC time in secs from Epoch
483 notafter = XrdCryptosslASN1toUTC(X509_get_notAfter(cert));
484 }
485 // return what we have
486 return notafter;
487}
XrdCryptosslASN1toUTC
time_t XrdCryptosslASN1toUTC(const ASN1_TIME *tsn1)
Definition XrdCryptosslAux.cc:675

References XrdCryptosslASN1toUTC().

Here is the call graph for this function:

◆ NotBefore()

time_t XrdCryptosslX509::NotBefore ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 458 of file XrdCryptosslX509.cc.

459{
460 // Begin-validity time in secs since Epoch
461
462 // If we do not have it already, try extraction
463 if (notbefore < 0) {
464 // Make sure we have a certificate
465 if (cert)
466 // Extract UTC time in secs from Epoch
467 notbefore = XrdCryptosslASN1toUTC(X509_get_notBefore(cert));
468 }
469 // return what we have
470 return notbefore;
471}

References XrdCryptosslASN1toUTC().

Here is the call graph for this function:

◆ Opaque()

XrdCryptoX509data XrdCryptosslX509::Opaque ( )
inlinevirtual

Reimplemented from XrdCryptoX509.

Definition at line 58 of file XrdCryptosslX509.hh.

58{ return (XrdCryptoX509data)cert; }

Referenced by DumpExtensions().

Here is the caller graph for this function:

◆ ParentFile()

const char * XrdCryptosslX509::ParentFile ( )
inlinevirtual

Reimplemented from XrdCryptoX509.

Definition at line 71 of file XrdCryptosslX509.hh.

71{ return (const char *)(srcfile.c_str()); }

◆ PKI()

XrdCryptoRSA * XrdCryptosslX509::PKI ( )
inlinevirtual

Reimplemented from XrdCryptoX509.

Definition at line 64 of file XrdCryptosslX509.hh.

64{ return pki; }

◆ ProxyType()

const char * XrdCryptosslX509::ProxyType ( ) const
inlinevirtual

Reimplemented from XrdCryptoX509.

Definition at line 74 of file XrdCryptosslX509.hh.

74{ return cpxytype[pxytype]; }

◆ SerialNumber()

kXR_int64 XrdCryptosslX509::SerialNumber ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 622 of file XrdCryptosslX509.cc.

623{
624 // Return serial number as a kXR_int64
625
626 kXR_int64 sernum = -1;
627 if (cert && X509_get_serialNumber(cert)) {
628 BIGNUM *bn = BN_new();
629 ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), bn);
630 char *sn = BN_bn2dec(bn);
631 sernum = strtoll(sn, 0, 10);
632 BN_free(bn);
633 OPENSSL_free(sn);
634 }
635
636 return sernum;
637}
kXR_int64
long long kXR_int64
Definition XPtypes.hh:98

◆ SerialNumberString()

XrdOucString XrdCryptosslX509::SerialNumberString ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 640 of file XrdCryptosslX509.cc.

641{
642 // Return serial number as a hex string
643
644 XrdOucString sernum;
645 if (cert && X509_get_serialNumber(cert)) {
646 BIGNUM *bn = BN_new();
647 ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), bn);
648 char *sn = BN_bn2hex(bn);
649 sernum = sn;
650 BN_free(bn);
651 OPENSSL_free(sn);
652 }
653
654 return sernum;
655}

◆ SetPKI()

void XrdCryptosslX509::SetPKI ( XrdCryptoX509data pki)
virtual

Reimplemented from XrdCryptoX509.

Definition at line 433 of file XrdCryptosslX509.cc.

434{
435 // SetPKI:
436 // if newpki is null does nothing
437 // if newpki contains a consistent private & public key we take ownership
438 // so that this->PKI()->status will be kComplete.
439 // otherwise, newpki is not consistent:
440 // if the previous PKI() was null or was already kComplete it is and reset
441 // so that this->PKI()->status will be kInvalid.
442
443 if (!newpki) return;
444
445 auto tmprsa = std::make_unique<XrdCryptosslRSA>((EVP_PKEY*)newpki, 1);
446 if (!pki || pki->status == XrdCryptoRSA::kComplete ||
447 tmprsa->status == XrdCryptoRSA::kComplete) {
448 // Cleanup any existing key first
449 if (pki)
450 delete pki;
451
452 // Set PKI
453 pki = tmprsa.release();
454 }
455}

References XrdCryptoRSA::kComplete.

◆ Subject()

const char * XrdCryptosslX509::Subject ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 490 of file XrdCryptosslX509.cc.

491{
492 // Return subject name
493 EPNAME("X509::Subject");
494
495 // If we do not have it already, try extraction
496 if (subject.length() <= 0) {
497
498 // Make sure we have a certificate
499 if (!cert) {
500 DEBUG("WARNING: no certificate available - cannot extract subject name");
501 return (const char *)0;
502 }
503
504 // Extract subject name
505 XrdCryptosslNameOneLine(X509_get_subject_name(cert), subject);
506 }
507
508 // return what we have
509 return (subject.length() > 0) ? subject.c_str() : (const char *)0;
510}

References DEBUG, EPNAME, and XrdCryptosslNameOneLine().

Referenced by XrdCryptosslX509(), XrdCryptosslX509(), and XrdCryptosslX509().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SubjectHash()

const char * XrdCryptosslX509::SubjectHash ( int alg = 0)
virtual

Reimplemented from XrdCryptoX509.

Definition at line 579 of file XrdCryptosslX509.cc.

580{
581 // Return hash of subject name
582 // Use default algorithm (X509_NAME_hash) for alg = 0, old algorithm
583 // (for v>=1.0.0) when alg = 1
584 EPNAME("X509::SubjectHash");
585
586 if (alg == 1) {
587 // md5 based
588 if (subjectoldhash.length() <= 0) {
589 // Make sure we have a certificate
590 if (cert) {
591 char chash[30] = {0};
592 snprintf(chash, sizeof(chash),
593 "%08lx.0",X509_NAME_hash_old(X509_get_subject_name(cert)));
594 subjectoldhash = chash;
595 } else {
596 DEBUG("WARNING: no certificate available - cannot extract subject hash (md5)");
597 }
598 }
599 // return what we have
600 return (subjectoldhash.length() > 0) ? subjectoldhash.c_str() : (const char *)0;
601 }
602
603 // If we do not have it already, try extraction
604 if (subjecthash.length() <= 0) {
605
606 // Make sure we have a certificate
607 if (cert) {
608 char chash[30] = {0};
609 snprintf(chash, sizeof(chash),
610 "%08lx.0",X509_NAME_hash(X509_get_subject_name(cert)));
611 subjecthash = chash;
612 } else {
613 DEBUG("WARNING: no certificate available - cannot extract subject hash (default)");
614 }
615 }
616
617 // return what we have
618 return (subjecthash.length() > 0) ? subjecthash.c_str() : (const char *)0;
619}

References DEBUG, and EPNAME.

◆ Verify()

bool XrdCryptosslX509::Verify ( XrdCryptoX509 * ref)
virtual

Reimplemented from XrdCryptoX509.

Definition at line 782 of file XrdCryptosslX509.cc.

783{
784 // Verify certificate signature with pub key of ref cert
785 EPNAME("X509::Verify");
786
787 // We must have been initialized
788 if (!cert)
789 return 0;
790
791 // We must have something to check with
792 X509 *r = ref ? (X509 *)(ref->Opaque()) : 0;
793 EVP_PKEY *rk = r ? X509_get_pubkey(r) : 0;
794 if (!rk)
795 return 0;
796
797 // Ok: we can verify
798 int rc = X509_verify(cert, rk);
799 EVP_PKEY_free(rk);
800 if (rc <= 0) {
801 if (rc == 0) {
802 // Signatures are not OK
803 DEBUG("signature not OK");
804 } else {
805 // General failure
806 DEBUG("could not verify signature");
807 }
808 return 0;
809 }
810 // Success
811 return 1;
812}
XrdCryptoX509::Opaque
virtual XrdCryptoX509data Opaque()
Definition XrdCryptoX509.cc:181

References XrdCryptoX509::XrdCryptoX509(), DEBUG, EPNAME, and XrdCryptoX509::Opaque().

Here is the call graph for this function:
The documentation for this class was generated from the following files: