XRootD
XrdCryptosslX509 Class Reference

#include <XrdCryptosslX509.hh>


Public Member Functions

 XrdCryptosslX509 (const char *cf, const char *kf=0)
 
 XrdCryptosslX509 (X509 *cert)
 
 XrdCryptosslX509 (XrdSutBucket *bck)
 
virtual ~XrdCryptosslX509 ()
 
int BitStrength ()
 
int DumpExtensions (bool dumpunknown=0)
 
XrdSutBucket * Export ()
 
XrdCryptoX509data GetExtension (const char *oid)
 
const char * Issuer ()
 
const char * IssuerHash (int=0)
 
virtual bool MatchesSAN (const char *, bool &)
 
time_t NotAfter ()
 
time_t NotBefore ()
 
XrdCryptoX509data Opaque ()
 
const char * ParentFile ()
 
XrdCryptoRSA * PKI ()
 
const char * ProxyType () const
 
kXR_int64 SerialNumber ()
 
XrdOucString SerialNumberString ()
 
void SetPKI (XrdCryptoX509data pki)
 
const char * Subject ()
 
const char * SubjectHash (int=0)
 
bool Verify (XrdCryptoX509 *ref)
 
- Public Member Functions inherited from XrdCryptoX509
 XrdCryptoX509 ()
 
virtual ~XrdCryptoX509 ()
 
virtual void Dump ()
 
virtual bool IsExpired (int when=0)
 
const char * IssuerHash ()
 
virtual bool IsValid (int when=0)
 
const char * SubjectHash ()
 
const char * Type (EX509Type t=kUnknown) const
 

Additional Inherited Members

- Public Types inherited from XrdCryptoX509
enum  EX509Type {
  kUnknown = -1 ,
  kCA = 0 ,
  kEEC = 1 ,
  kProxy = 2
}
 
- Static Public Member Functions inherited from XrdCryptoX509
static bool MatchHostnames (const char *match_pattern, const char *fqdn)
 
- Public Attributes inherited from XrdCryptoX509
EX509Type type
 

Detailed Description

Definition at line 54 of file XrdCryptosslX509.hh.

Constructor & Destructor Documentation

◆ XrdCryptosslX509() [1/3]

XrdCryptosslX509::XrdCryptosslX509 ( const char * cf,
const char * kf = 0 )

Definition at line 64 of file XrdCryptosslX509.cc.

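XrdCryptosslX509::XrdCryptosslX509(const char *cf, const char *kf)
                 : XrdCryptoX509()
{
   // Constructor: load a PEM certificate from file 'cf'. If 'kf' is given,
   // complete the key pair with the private key read from 'kf'.
   // On any failure the object is left in the "empty" state (cert == 0);
   // callers must check the outcome, e.g. via Opaque() or IsValid().
   // 'kf' is accepted only if it is a regular file that is not readable or
   // writable by others and not writable by the group.
   EPNAME("X509::XrdCryptosslX509_file");

   // Init private members
   cert = 0;             // The certificate object
   notbefore = -1;       // begin-validity time in secs since Epoch
   notafter = -1;        // end-validity time in secs since Epoch
   subject = "";         // subject
   issuer = "";          // issuer
   subjecthash = "";     // hash of subject
   issuerhash = "";      // hash of issuer
   subjectoldhash = "";  // hash of subject (md5 algorithm)
   issueroldhash = "";   // hash of issuer (md5 algorithm)
   srcfile = "";         // source file
   bucket = 0;           // bucket for serialization
   pki = 0;              // PKI of the certificate
   pxytype = 0;          // Proxy sub-type

   // Make sure file name is defined
   if (!cf) {
      DEBUG("file name undefined");
      return;
   }
   // Make sure file exists
   struct stat st;
   if (stat(cf, &st) != 0) {
      if (errno == ENOENT) {
         DEBUG("file "<<cf<<" does not exist - do nothing");
      } else {
         DEBUG("cannot stat file "<<cf<<" (errno: "<<errno<<")");
      }
      return;
   }
   //
   // Open file in read mode
   FILE *fc = fopen(cf, "r");
   if (!fc) {
      DEBUG("cannot open file "<<cf<<" (errno: "<<errno<<")");
      return;
   }
   //
   // Read the content; the stream is closed on both outcomes (the failure
   // path used to leak it)
   const bool loaded = (PEM_read_X509(fc, &cert, 0, 0) != 0);
   fclose(fc);
   if (!loaded) {
      DEBUG("Unable to load certificate from file");
      return;
   }
   DEBUG("certificate successfully loaded");
   //
   // Save source file name
   srcfile = cf;

   // Init some of the private members (the others upon need)
   Subject();
   Issuer();
   CertType();

   // Get the public key
   EVP_PKEY *evpp = 0;
   // Read the private key file, if specified
   if (kf) {
      // Open first and inspect the open descriptor, so that the permission
      // test applies to the very file we are about to read (a stat() before
      // fopen() could be satisfied by a different file).
      // NOTE(review): fstat/fileno are assumed to be compatible with the
      // XrdPosix wrappers used for stat/fopen here - confirm.
      FILE *fk = fopen(kf, "r");
      if (!fk) {
         DEBUG("cannot open file "<<kf<<" (errno: "<<errno<<")");
         return;
      }
      if (fstat(fileno(fk), &st) == -1) {
         DEBUG("cannot stat private key file "<<kf<<" (errno:"<<errno<<")");
         fclose(fk);
         return;
      }
      // Must be a regular file, not accessible by others, not group-writable
      if (!S_ISREG(st.st_mode) ||
          (st.st_mode & (S_IROTH | S_IWOTH)) != 0 ||
          (st.st_mode & (S_IWGRP)) != 0) {
         DEBUG("private key file "<<kf<<" has wrong permissions "<<
               (st.st_mode & 0777) << " (should be at most 0640)");
         fclose(fk);
         return;
      }
      // This call fills the full key, i.e. also the public part (not really documented, though)
      if ((evpp = PEM_read_PrivateKey(fk,0,0,0))) {
         DEBUG("RSA key completed ");
         // Test consistency: keep the key only if private and public parts agree
         auto tmprsa = std::make_unique<XrdCryptosslRSA>(evpp, 1);
         if (tmprsa->status == XrdCryptoRSA::kComplete) {
            // Save it in pki
            pki = tmprsa.release();
         }
      } else {
         DEBUG("cannot read the key from file");
      }
      // Close the file
      fclose(fk);
   }
   // If there were no private key or we did not manage to import it
   // init pki with the partial (public-only) key
   if (!pki)
      pki = new XrdCryptosslRSA(X509_get_pubkey(cert), 0);
}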

References DEBUG, EPNAME, fclose(), fopen, Issuer(), XrdCryptoRSA::kComplete, stat, and Subject().


◆ XrdCryptosslX509() [2/3]

XrdCryptosslX509::XrdCryptosslX509 ( XrdSutBucket * bck)

Definition at line 171 of file XrdCryptosslX509.cc.

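XrdCryptosslX509::XrdCryptosslX509(XrdSutBucket *buck)
                 : XrdCryptoX509()
{
   // Constructor: parse a PEM certificate from the content of bucket 'buck'.
   // The bucket is only read, not retained. On any failure the object is
   // left in the "empty" state (cert == 0).
   EPNAME("X509::XrdCryptosslX509_bio");

   // Init private members
   cert = 0;             // The certificate object
   notbefore = -1;       // begin-validity time in secs since Epoch
   notafter = -1;        // end-validity time in secs since Epoch
   subject = "";         // subject
   issuer = "";          // issuer
   subjecthash = "";     // hash of subject
   issuerhash = "";      // hash of issuer
   subjectoldhash = "";  // hash of subject (md5 algorithm)
   issueroldhash = "";   // hash of issuer (md5 algorithm)
   srcfile = "";         // source file
   bucket = 0;           // bucket for serialization
   pki = 0;              // PKI of the certificate
   pxytype = 0;          // Proxy sub-type

   // Make sure we got something
   if (!buck) {
      DEBUG("got undefined opaque buffer");
      return;
   }

   //
   // Create a bio_mem to hold the serialized certificate
   BIO *bmem = BIO_new(BIO_s_mem());
   if (!bmem) {
      DEBUG("unable to create BIO for memory operations");
      return;
   }

   // Write data to BIO (the BIO used to be leaked on the failure paths below)
   int nw = BIO_write(bmem,(const void *)(buck->buffer),buck->size);
   if (nw != buck->size) {
      DEBUG("problems writing data to memory BIO (nw: "<<nw<<")");
      BIO_free(bmem);
      return;
   }

   // Get certificate from BIO; the BIO is not needed afterwards, whatever
   // the outcome
   cert = PEM_read_bio_X509(bmem,0,0,0);
   BIO_free(bmem);
   if (!cert) {
      DEBUG("unable to read certificate to memory BIO");
      return;
   }

   //
   // Init some of the private members (the others upon need)
   Subject();
   Issuer();
   CertType();

   // Get the public key; X509_get_pubkey returns an owned reference which
   // is handed over to the XrdCryptosslRSA object
   EVP_PKEY *evpp = X509_get_pubkey(cert);
   if (evpp) {
      // init pki with the partial (public-only) key
      if (!pki)
         pki = new XrdCryptosslRSA(evpp, 0);
   } else {
      DEBUG("could not access the public key");
   }
}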

References XrdSutBucket::buffer, DEBUG, EPNAME, Issuer(), XrdSutBucket::size, and Subject().


◆ XrdCryptosslX509() [3/3]

XrdCryptosslX509::XrdCryptosslX509 ( X509 * cert)

Definition at line 240 of file XrdCryptosslX509.cc.

XrdCryptosslX509::XrdCryptosslX509(X509 *xc)
                 : XrdCryptoX509()
{
   // Constructor: adopt an existing X509 object 'xc'. Ownership passes to
   // this object (the certificate is released by the destructor).
   EPNAME("X509::XrdCryptosslX509_x509");

   // Start from the empty state
   cert = 0;             // The certificate object
   notbefore = -1;       // begin-validity time in secs since Epoch
   notafter = -1;        // end-validity time in secs since Epoch
   subject = "";         // subject
   issuer = "";          // issuer
   subjecthash = "";     // hash of subject
   issuerhash = "";      // hash of issuer
   subjectoldhash = "";  // hash of subject (md5 algorithm)
   issueroldhash = "";   // hash of issuer (md5 algorithm)
   srcfile = "";         // source file
   bucket = 0;           // bucket for serialization
   pki = 0;              // PKI of the certificate
   pxytype = 0;          // Proxy sub-type

   // Nothing to adopt: stay empty
   if (!xc) {
      DEBUG("got undefined X509 object");
      return;
   }
   cert = xc;

   // Pre-extract the commonly needed fields (the rest is computed lazily)
   Subject();
   Issuer();
   CertType();

   // Wrap the public key into the (partial) PKI object
   EVP_PKEY *pubkey = X509_get_pubkey(cert);
   if (!pubkey) {
      DEBUG("could not access the public key");
      return;
   }
   if (!pki)
      pki = new XrdCryptosslRSA(pubkey, 0);
}

References DEBUG, EPNAME, Issuer(), and Subject().


◆ ~XrdCryptosslX509()

XrdCryptosslX509::~XrdCryptosslX509 ( )
virtual

Definition at line 288 of file XrdCryptosslX509.cc.

XrdCryptosslX509::~XrdCryptosslX509()
{
   // Release the OpenSSL certificate and the key pair owned by this object.
   // NOTE(review): 'bucket' (created by Export()) is not released here -
   // confirm whether the caller of Export() is expected to own it.
   if (cert)
      X509_free(cert);
   delete pki;   // deleting a null pointer is a no-op
}

Member Function Documentation

◆ BitStrength()

int XrdCryptosslX509::BitStrength ( )
inlinevirtual

Reimplemented from XrdCryptoX509.

Definition at line 83 of file XrdCryptosslX509.hh.

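int BitStrength()
{
   // Size in bits of the certificate's public key; -1 without a certificate
   // or when the key cannot be extracted.
   if (!cert) return -1;
   // X509_get_pubkey returns an owned reference: it must be released,
   // otherwise every call leaks one EVP_PKEY reference.
   EVP_PKEY *pk = X509_get_pubkey(cert);
   if (!pk) return -1;
   const int bits = EVP_PKEY_bits(pk);
   EVP_PKEY_free(pk);
   return bits;
}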

◆ DumpExtensions()

int XrdCryptosslX509::DumpExtensions ( bool dumpunknown = 0)
virtual

Reimplemented from XrdCryptoX509.

Definition at line 795 of file XrdCryptosslX509.cc.

int XrdCryptosslX509::DumpExtensions(bool dumpunknown)
{
   // Print the extensions of the certificate, if any; 'dumpunknown' is
   // forwarded to FillUnknownExt for each extension.
   // Returns -1 when no certificate is loaded, 0 after at least one
   // extension was dumped, and 1 when the certificate carries none.
   EPNAME("DumpExtensions");

   X509 *xpi = (X509 *) Opaque();
   if (!xpi) {
      PRINT("we are empty! Do nothing");
      return -1;
   }

   const int npiext = X509_get_ext_count(xpi);
   PRINT("found "<<npiext<<" extensions ");

   int rc = 1;
   for (int i = 0; i < npiext; i++) {
      X509_EXTENSION *xpiext = X509_get_ext(xpi, i);
      char s[256];
      OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(xpiext), 1);
      const int crit = X509_EXTENSION_get_critical(xpiext);
      // Notify what we found
      PRINT(i << ": found extension '"<<s<<"', critical: " << crit);
      // Dump its content
      rc = 0;
      ASN1_OCTET_STRING *extdata = X509_EXTENSION_get_data(xpiext);
      XRDGSI_CONST unsigned char *pp = (XRDGSI_CONST unsigned char *) extdata->data;
      long length = extdata->length;
      int ret = FillUnknownExt(&pp, length, dumpunknown);
      PRINT("ret: " << ret);
   }

   return rc;
}

References EPNAME, Opaque(), PRINT, and XRDGSI_CONST.


◆ Export()

XrdSutBucket * XrdCryptosslX509::Export ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 705 of file XrdCryptosslX509.cc.

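XrdSutBucket *XrdCryptosslX509::Export()
{
   // Serialize the certificate in PEM form into a bucket of type kXRS_x509.
   // The result is cached in 'bucket' and returned again on later calls.
   // Returns 0 when no certificate is loaded or serialization fails.
   EPNAME("X509::Export");

   // If we have already done it, return the previous result
   if (bucket) {
      DEBUG("serialization already performed:"
            " return previous result ("<<bucket->size<<" bytes)");
      return bucket;
   }

   // Make sure we got something to export
   if (!cert) {
      DEBUG("certificate is not initialized");
      return 0;
   }

   //
   // Now we create a bio_mem to serialize the certificate
   BIO *bmem = BIO_new(BIO_s_mem());
   if (!bmem) {
      DEBUG("unable to create BIO for memory operations");
      return 0;
   }

   // Write certificate to BIO (the BIO used to be leaked on this failure path)
   if (!PEM_write_bio_X509(bmem, cert)) {
      DEBUG("unable to write certificate to memory BIO");
      BIO_free(bmem);
      return 0;
   }

   // Extract pointer to BIO data and length of segment
   char *bdata = 0;
   int blen = BIO_get_mem_data(bmem, &bdata);
   DEBUG("BIO data: "<<blen<<" bytes at 0x"<<(int *)bdata);

   // Create the bucket and copy the data into it before the BIO goes away
   bucket = new XrdSutBucket(0,0,kXRS_x509);
   if (!bucket) {
      DEBUG("unable to create bucket for serialized format");
      BIO_free(bmem);
      return 0;
   }
   bucket->SetBuf(bdata, blen);
   DEBUG("result of serialization: "<<bucket->size<<" bytes");

   //
   // Free BIO
   BIO_free(bmem);
   //
   // We are done
   return bucket;
}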

References DEBUG, EPNAME, kXRS_x509, XrdSutBucket::SetBuf(), and XrdSutBucket::size.


◆ GetExtension()

XrdCryptoX509data XrdCryptosslX509::GetExtension ( const char * oid)
virtual

Reimplemented from XrdCryptoX509.

Definition at line 642 of file XrdCryptosslX509.cc.

XrdCryptoX509data XrdCryptosslX509::GetExtension(const char *oid)
{
   // Look up the extension identified by 'oid' - either the short name of
   // a known extension (resolved to a NID) or the textual dotted OID - and
   // return it in opaque form. The pointer is owned by the certificate and
   // must not be freed by the caller. Returns 0 when not found.
   EPNAME("X509::GetExtension");

   // Make sure we got something to look for
   if (!oid) {
      DEBUG("OID string not defined");
      return 0;
   }

   // Make sure we got something to look in
   if (!cert) {
      DEBUG("certificate is not initialized");
      return 0;
   }

   // Are there any extensions?
   const int numext = X509_get_ext_count(cert);
   if (numext <= 0) {
      DEBUG("certificate has got no extensions");
      return 0;
   }
   DEBUG("certificate has "<<numext<<" extensions");

   // If the string is the Standard Name of a known extension search by the
   // corresponding NID, otherwise compare the textual OID
   const int nid = OBJ_sn2nid(oid);
   const bool usenid = (nid > 0);

   for (int i = 0; i < numext; i++) {
      X509_EXTENSION *wext = X509_get_ext(cert, i);
      ASN1_OBJECT *obj = X509_EXTENSION_get_object(wext);
      bool found = false;
      if (usenid) {
         found = (OBJ_obj2nid(obj) == nid);
      } else {
         char s[256];
         OBJ_obj2txt(s, sizeof(s), obj, 1);
         found = (strcmp(s, oid) == 0);
      }
      // Do not free the extension: it is owned by the certificate
      if (found)
         return (XrdCryptoX509data)wext;
   }

   DEBUG("Extension "<<oid<<" not found");
   return 0;
}

References DEBUG, and EPNAME.

◆ Issuer()

const char * XrdCryptosslX509::Issuer ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 489 of file XrdCryptosslX509.cc.

const char *XrdCryptosslX509::Issuer()
{
   // Return the issuer name in one-line form, extracting and caching it on
   // first use; 0 when no certificate is loaded or the name is empty.
   EPNAME("X509::Issuer");

   // Cached already?
   if (issuer.length() > 0)
      return issuer.c_str();

   // Make sure we have a certificate
   if (!cert) {
      DEBUG("WARNING: no certificate available - cannot extract issuer name");
      return (const char *)0;
   }

   // Extract issuer name
   XrdCryptosslNameOneLine(X509_get_issuer_name(cert), issuer);
   return (issuer.length() > 0) ? issuer.c_str() : (const char *)0;
}

References XrdOucString::c_str(), DEBUG, EPNAME, XrdOucString::length(), and XrdCryptosslNameOneLine().

Referenced by XrdCryptosslX509(), XrdCryptosslX509(), and XrdCryptosslX509().


◆ IssuerHash()

const char * XrdCryptosslX509::IssuerHash ( int alg = 0)
virtual

Reimplemented from XrdCryptoX509.

Definition at line 512 of file XrdCryptosslX509.cc.

const char *XrdCryptosslX509::IssuerHash(int alg)
{
   // Return the hash of the issuer name, formatted as "%08lx.0" (the
   // OpenSSL hashed-directory file name form). alg = 0 selects the default
   // algorithm (X509_NAME_hash); alg = 1 selects the old md5-based one,
   // available only with OpenSSL >= 1.0.0 and not on macOS. Each value is
   // computed once and cached. Returns 0 when no certificate is loaded.
   EPNAME("X509::IssuerHash");

#if (OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(__APPLE__))
   if (alg == 1) {
      // md5 based
      if (issueroldhash.length() > 0)
         return issueroldhash.c_str();
      if (!cert) {
         DEBUG("WARNING: no certificate available - cannot extract issuer hash (md5)");
         return (const char *)0;
      }
      char oldhash[30] = {0};
      snprintf(oldhash, sizeof(oldhash),
               "%08lx.0",X509_NAME_hash_old(X509_get_issuer_name(cert)));
      issueroldhash = oldhash;
      return (issueroldhash.length() > 0) ? issueroldhash.c_str() : (const char *)0;
   }
#else
   if (alg == 1) { }
#endif

   // Default algorithm
   if (issuerhash.length() > 0)
      return issuerhash.c_str();
   if (!cert) {
      DEBUG("WARNING: no certificate available - cannot extract issuer hash (default)");
      return (const char *)0;
   }
   char newhash[30] = {0};
   snprintf(newhash, sizeof(newhash),
            "%08lx.0",X509_NAME_hash(X509_get_issuer_name(cert)));
   issuerhash = newhash;
   return (issuerhash.length() > 0) ? issuerhash.c_str() : (const char *)0;
}

References XrdOucString::c_str(), DEBUG, EPNAME, and XrdOucString::length().


◆ MatchesSAN()

bool XrdCryptosslX509::MatchesSAN ( const char * fqdn,
bool & hasSAN )
virtual

Implements XrdCryptoX509.

Definition at line 1100 of file XrdCryptosslX509.cc.

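bool XrdCryptosslX509::MatchesSAN(const char *fqdn, bool &hasSAN)
{
   // Check whether 'fqdn' matches one of the DNS entries of the
   // subjectAltName extension. 'hasSAN' is set to true only once an EEC
   // with a SAN extension has been inspected, so that a false return with
   // hasSAN == false lets the caller fall back to the common name.
   // Returns true on the first matching DNS entry.
   EPNAME("MatchesSAN");

   // Statically allocated array for hostname lengths. RFC1035 limits
   // valid lengths to 255 characters.
   char san_fqdn[256];

   // Assume we have no SAN extension. Failure may allow the caller to try
   // using the common name before giving up.
   hasSAN = false;

   // Nothing to inspect without a certificate (X509_get_ext_d2i would
   // otherwise dereference a null pointer)
   if (!cert)
      return false;

   GENERAL_NAMES *gens = static_cast<GENERAL_NAMES *>(X509_get_ext_d2i(cert,
                                 NID_subject_alt_name, NULL, NULL));
   if (!gens)
      return false;

   // Only an EEC is usable as a host certificate. 'gens' is owned by us
   // from here on and must be released on every path.
   if (type != kEEC) {
      sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
      return false;
   }

   // All failures are under the notion that we have a SAN extension.
   hasSAN = true;

   if (!fqdn) {
      sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
      return false;
   }

   bool success = false;
   for (int idx = 0; idx < sk_GENERAL_NAME_num(gens); idx++) {
      GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, idx);
      if (gen->type != GEN_DNS)
         continue;
      ASN1_STRING *cstr = gen->d.dNSName;
      if (ASN1_STRING_type(cstr) != V_ASN1_IA5STRING)
         continue;
      int san_fqdn_len = ASN1_STRING_length(cstr);
      if (san_fqdn_len < 0 || san_fqdn_len > 255)
         continue;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
      memcpy(san_fqdn, ASN1_STRING_get0_data(cstr), san_fqdn_len);
#else
      memcpy(san_fqdn, ASN1_STRING_data(cstr), san_fqdn_len);
#endif
      san_fqdn[san_fqdn_len] = '\0';
      // Reject names with embedded NULs: a C-string comparison would
      // otherwise see a shorter name than the one actually certified.
      if (strlen(san_fqdn) != static_cast<size_t>(san_fqdn_len))
         continue;
      DEBUG("Comparing SAN " << san_fqdn << " with " << fqdn);
      if (MatchHostnames(san_fqdn, fqdn)) {
         DEBUG("SAN " << san_fqdn << " matches with " << fqdn);
         success = true;
         break;
      }
   }
   sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
   return success;
}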

References DEBUG, EPNAME, XrdCryptoX509::kEEC, XrdCryptoX509::MatchHostnames(), and XrdCryptoX509::type.


◆ NotAfter()

time_t XrdCryptosslX509::NotAfter ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 450 of file XrdCryptosslX509.cc.

time_t XrdCryptosslX509::NotAfter()
{
   // End-validity time in secs since Epoch, extracted lazily and cached;
   // stays -1 while no certificate is loaded.
   if (notafter >= 0 || !cert)
      return notafter;

   // Extract UTC time in secs from Epoch
   notafter = XrdCryptosslASN1toUTC(X509_get_notAfter(cert));
   return notafter;
}

References XrdCryptosslASN1toUTC().


◆ NotBefore()

time_t XrdCryptosslX509::NotBefore ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 434 of file XrdCryptosslX509.cc.

time_t XrdCryptosslX509::NotBefore()
{
   // Begin-validity time in secs since Epoch, extracted lazily and cached;
   // stays -1 while no certificate is loaded.
   if (notbefore >= 0 || !cert)
      return notbefore;

   // Extract UTC time in secs from Epoch
   notbefore = XrdCryptosslASN1toUTC(X509_get_notBefore(cert));
   return notbefore;
}

References XrdCryptosslASN1toUTC().


◆ Opaque()

XrdCryptoX509data XrdCryptosslX509::Opaque ( )
inlinevirtual

Reimplemented from XrdCryptoX509.

Definition at line 64 of file XrdCryptosslX509.hh.

// Raw OpenSSL X509 handle in opaque form (0 when no certificate is loaded).
// The pointer remains owned by this object.
XrdCryptoX509data Opaque() { return static_cast<XrdCryptoX509data>(cert); }

Referenced by DumpExtensions().


◆ ParentFile()

const char * XrdCryptosslX509::ParentFile ( )
inlinevirtual

Reimplemented from XrdCryptoX509.

Definition at line 77 of file XrdCryptosslX509.hh.

// Path of the file the certificate was loaded from (empty string when it
// was not loaded from a file).
const char *ParentFile() { return srcfile.c_str(); }

References XrdOucString::c_str().


◆ PKI()

XrdCryptoRSA * XrdCryptosslX509::PKI ( )
inlinevirtual

Reimplemented from XrdCryptoX509.

Definition at line 70 of file XrdCryptosslX509.hh.

// Key pair associated with the certificate: public-only unless a matching
// private key was supplied (constructor or SetPKI()). Owned by this object
// and released in the destructor; 0 when construction failed.
{ return pki; }

◆ ProxyType()

const char * XrdCryptosslX509::ProxyType ( ) const
inlinevirtual

Reimplemented from XrdCryptoX509.

Definition at line 80 of file XrdCryptosslX509.hh.

// Textual name of the proxy sub-type, looked up in the cpxytype table by
// the 'pxytype' index (0 after construction; presumably set by CertType()).
// NOTE(review): no bounds check on pxytype here - relies on every writer
// storing a valid index; confirm against the cpxytype definition.
{ return cpxytype[pxytype]; }

◆ SerialNumber()

kXR_int64 XrdCryptosslX509::SerialNumber ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 606 of file XrdCryptosslX509.cc.

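kXR_int64 XrdCryptosslX509::SerialNumber()
{
   // Return the serial number as a kXR_int64; -1 when no certificate is
   // loaded or the conversion fails. Serial numbers wider than 63 bits do
   // not fit and are saturated by strtoll (ERANGE): use SerialNumberString()
   // when the exact value matters.
   kXR_int64 sernum = -1;
   if (!cert)
      return sernum;

   const ASN1_INTEGER *asn1sn = X509_get_serialNumber(cert);
   if (!asn1sn)
      return sernum;

   // Every OpenSSL step below can fail (allocation, conversion); the
   // original dereferenced their results unchecked
   BIGNUM *bn = BN_new();
   if (!bn)
      return sernum;
   char *sn = ASN1_INTEGER_to_BN(asn1sn, bn) ? BN_bn2dec(bn) : 0;
   if (sn) {
      sernum = strtoll(sn, 0, 10);
      OPENSSL_free(sn);
   }
   BN_free(bn);

   return sernum;
}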

◆ SerialNumberString()

XrdOucString XrdCryptosslX509::SerialNumberString ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 624 of file XrdCryptosslX509.cc.

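XrdOucString XrdCryptosslX509::SerialNumberString()
{
   // Return the serial number as an upper-case hex string (BN_bn2hex form);
   // empty when no certificate is loaded or the conversion fails.
   XrdOucString sernum;
   if (!cert)
      return sernum;

   const ASN1_INTEGER *asn1sn = X509_get_serialNumber(cert);
   if (!asn1sn)
      return sernum;

   // Every OpenSSL step below can fail (allocation, conversion); the
   // original assigned the result unchecked
   BIGNUM *bn = BN_new();
   if (!bn)
      return sernum;
   char *sn = ASN1_INTEGER_to_BN(asn1sn, bn) ? BN_bn2hex(bn) : 0;
   if (sn) {
      sernum = sn;
      OPENSSL_free(sn);
   }
   BN_free(bn);

   return sernum;
}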

◆ SetPKI()

void XrdCryptosslX509::SetPKI ( XrdCryptoX509data pki)
virtual

Reimplemented from XrdCryptoX509.

Definition at line 409 of file XrdCryptosslX509.cc.

void XrdCryptosslX509::SetPKI(XrdCryptoX509data newpki)
{
   // Install the key pair 'newpki' (an EVP_PKEY passed in opaque form):
   //  - a null 'newpki' is ignored;
   //  - if 'newpki' holds a consistent private & public key we take
   //    ownership, so that PKI()->status becomes kComplete;
   //  - otherwise 'newpki' is inconsistent: it still replaces the current
   //    key when that one is null or already kComplete, leaving
   //    PKI()->status == kInvalid; an existing incomplete key is kept.
   if (!newpki) return;

   auto candidate = std::make_unique<XrdCryptosslRSA>(static_cast<EVP_PKEY *>(newpki), 1);
   const bool candidateComplete = (candidate->status == XrdCryptoRSA::kComplete);
   const bool replaceCurrent =
      !pki || pki->status == XrdCryptoRSA::kComplete || candidateComplete;
   if (!replaceCurrent)
      return;   // NOTE(review): whether the discarded wrapper frees 'newpki' is not visible here

   // Cleanup any existing key first, then adopt the new one
   delete pki;
   pki = candidate.release();
}

References XrdCryptoRSA::kComplete, and XrdCryptoRSA::status.

◆ Subject()

const char * XrdCryptosslX509::Subject ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 466 of file XrdCryptosslX509.cc.

const char *XrdCryptosslX509::Subject()
{
   // Return the subject name in one-line form, extracting and caching it on
   // first use; 0 when no certificate is loaded or the name is empty.
   EPNAME("X509::Subject");

   // Cached already?
   if (subject.length() > 0)
      return subject.c_str();

   // Make sure we have a certificate
   if (!cert) {
      DEBUG("WARNING: no certificate available - cannot extract subject name");
      return (const char *)0;
   }

   // Extract subject name
   XrdCryptosslNameOneLine(X509_get_subject_name(cert), subject);
   return (subject.length() > 0) ? subject.c_str() : (const char *)0;
}

References XrdOucString::c_str(), DEBUG, EPNAME, XrdOucString::length(), and XrdCryptosslNameOneLine().

Referenced by XrdCryptosslX509(), XrdCryptosslX509(), and XrdCryptosslX509().


◆ SubjectHash()

const char * XrdCryptosslX509::SubjectHash ( int alg = 0)
virtual

Reimplemented from XrdCryptoX509.

Definition at line 559 of file XrdCryptosslX509.cc.

const char *XrdCryptosslX509::SubjectHash(int alg)
{
   // Return the hash of the subject name, formatted as "%08lx.0" (the
   // OpenSSL hashed-directory file name form). alg = 0 selects the default
   // algorithm (X509_NAME_hash); alg = 1 selects the old md5-based one,
   // available only with OpenSSL >= 1.0.0 and not on macOS. Each value is
   // computed once and cached. Returns 0 when no certificate is loaded.
   EPNAME("X509::SubjectHash");

#if (OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(__APPLE__))
   if (alg == 1) {
      // md5 based
      if (subjectoldhash.length() > 0)
         return subjectoldhash.c_str();
      if (!cert) {
         DEBUG("WARNING: no certificate available - cannot extract subject hash (md5)");
         return (const char *)0;
      }
      char oldhash[30] = {0};
      snprintf(oldhash, sizeof(oldhash),
               "%08lx.0",X509_NAME_hash_old(X509_get_subject_name(cert)));
      subjectoldhash = oldhash;
      return (subjectoldhash.length() > 0) ? subjectoldhash.c_str() : (const char *)0;
   }
#else
   if (alg == 1) { }
#endif

   // Default algorithm
   if (subjecthash.length() > 0)
      return subjecthash.c_str();
   if (!cert) {
      DEBUG("WARNING: no certificate available - cannot extract subject hash (default)");
      return (const char *)0;
   }
   char newhash[30] = {0};
   snprintf(newhash, sizeof(newhash),
            "%08lx.0",X509_NAME_hash(X509_get_subject_name(cert)));
   subjecthash = newhash;
   return (subjecthash.length() > 0) ? subjecthash.c_str() : (const char *)0;
}

References XrdOucString::c_str(), DEBUG, EPNAME, and XrdOucString::length().


◆ Verify()

bool XrdCryptosslX509::Verify ( XrdCryptoX509 * ref)
virtual

Reimplemented from XrdCryptoX509.

Definition at line 762 of file XrdCryptosslX509.cc.

bool XrdCryptosslX509::Verify(XrdCryptoX509 *ref)
{
   // Check this certificate's signature against the public key of 'ref'.
   // Only the signature is examined here: validity dates, name chaining
   // and CA constraints are left to the caller.
   // Returns false when either certificate is missing or the check fails.
   EPNAME("X509::Verify");

   // We must have been initialized
   if (!cert)
      return false;

   // We must have something to check with
   X509 *refcert = ref ? (X509 *)(ref->Opaque()) : 0;
   EVP_PKEY *refkey = refcert ? X509_get_pubkey(refcert) : 0;
   if (!refkey)
      return false;

   // Ok: we can verify (X509_get_pubkey returned an owned reference)
   const int rc = X509_verify(cert, refkey);
   EVP_PKEY_free(refkey);
   if (rc > 0)
      return true;

   if (rc == 0) {
      // Signatures are not OK
      DEBUG("signature not OK");
   } else {
      // General failure
      DEBUG("could not verify signature");
   }
   return false;
}

References DEBUG, EPNAME, and XrdCryptoX509::Opaque().

