XrdCryptosslX509Crl Class Reference

#include <XrdCryptosslX509Crl.hh>


Public Member Functions

 XrdCryptosslX509Crl (const char *crlf, int opt=0)
 
 XrdCryptosslX509Crl (FILE *, const char *crlf)
 
 XrdCryptosslX509Crl (XrdCryptoX509 *cacert)
 
virtual ~XrdCryptosslX509Crl ()
 
void Dump ()
 
bool hasCriticalExtension ()
 
bool IsRevoked (const char *sernum, int when=0)
 
bool IsRevoked (int serialnumber, int when=0)
 
const char * Issuer ()
 
const char * IssuerHash (int)
 
bool IsValid ()
 
time_t LastUpdate ()
 
time_t NextUpdate ()
 
XrdCryptoX509Crldata Opaque ()
 
const char * ParentFile ()
 
bool ToFile (FILE *fh)
 
bool Verify (XrdCryptoX509 *ref)
 
- Public Member Functions inherited from XrdCryptoX509Crl
 XrdCryptoX509Crl ()
 
virtual ~XrdCryptoX509Crl ()
 
virtual bool IsExpired (int when=0)
 
const char * IssuerHash ()
 

Detailed Description

Definition at line 50 of file XrdCryptosslX509Crl.hh.

Constructor & Destructor Documentation

◆ XrdCryptosslX509Crl() [1/3]

XrdCryptosslX509Crl::XrdCryptosslX509Crl ( const char *  crlf,
int  opt = 0 
)

Definition at line 58 of file XrdCryptosslX509Crl.cc.

60 {
61  // Construct a CRL from 'cf': a plain file path when 'opt' is 0, a URI
  // otherwise. Lines 58-59 of the source (signature and any initializer
  // list) are not part of this listing.
  // On failure the constructor returns early and leaves the object without
  // a loaded CRL; presumably IsValid() then reports false - confirm in Init().
62  EPNAME("X509Crl::XrdCryptosslX509Crl_file");
63 
64  // Select the loader. Note that 'cf' itself is not checked for null here;
  // Init()/InitFromURI() are presumably expected to cope with that.
65  if (opt == 0) {
66  if (Init(cf) != 0) {
67  DEBUG("could not initialize the CRL from "<<cf);
68  return;
69  }
70  } else {
  // 'cf' is a URI; the second argument (0) is whatever InitFromURI() takes
  // as the hash/tag - see the CA-certificate constructor, which passes the
  // CA subject hash there instead.
71  if (InitFromURI(cf, 0) != 0) {
72  DEBUG("could not initialize the CRL from URI"<<cf);
73  return;
74  }
75  }
76 }
#define DEBUG(x)
Definition: XrdBwmTrace.hh:54
#define EPNAME(x)
Definition: XrdBwmTrace.hh:56

References DEBUG, and EPNAME.

◆ XrdCryptosslX509Crl() [2/3]

XrdCryptosslX509Crl::XrdCryptosslX509Crl ( FILE *  fc,
const char *  crlf 
)

Definition at line 79 of file XrdCryptosslX509Crl.cc.

XrdCryptosslX509Crl::XrdCryptosslX509Crl(FILE *fc, const char *cf)
{
   // Construct a CRL from the already-open FILE handle 'fc'; 'cf' is the
   // name assumed for that handle and is only used in the diagnostic below.
   EPNAME("X509Crl::XrdCryptosslX509Crl_file");

   // Init() signals failure with a non-zero return. Nothing else is done in
   // that case: the object is simply left without a loaded CRL.
   if (Init(fc, cf) == 0)
      return;
   DEBUG("could not initialize the CRL from " << cf);
}

References DEBUG, and EPNAME.

◆ XrdCryptosslX509Crl() [3/3]

XrdCryptosslX509Crl::XrdCryptosslX509Crl ( XrdCryptoX509 cacert)

Definition at line 91 of file XrdCryptosslX509Crl.cc.

93 {
94  // Construct a CRL starting from the CA certificate 'cacert': the location
95  // of the CRL is taken from the CA certificate extension
96  // 'crlDistributionPoints'; each "URI:" entry found there is handed to
97  // InitFromURI() until one of them loads, and that URI is kept in 'crluri'.
  // Lines 91-92 of the source (signature and any initializer list) are not
  // part of this listing.
98  EPNAME("X509Crl::XrdCryptosslX509Crl_CA");
99 
100  // The CA certificate must be defined and actually be a CA
101  if (!cacert || cacert->type != XrdCryptoX509::kCA) {
102  DEBUG("the CA certificate is undefined or not CA! ("<<cacert<<")");
103  return;
104  }
105 
106  // Get the extension. GetExtension() returns an opaque XrdCryptoX509data;
  // the C-style cast assumes it is an X509_EXTENSION* from this OpenSSL
  // backend - TODO confirm.
107  X509_EXTENSION *crlext = (X509_EXTENSION *) cacert->GetExtension("crlDistributionPoints");
108  if (!crlext) {
109  DEBUG("extension 'crlDistributionPoints' not found in the CA certificate");
110  return;
111  }
112 
113  // Memory BIO used to pretty-print the extension; the URIs are recovered
  // below from that text rather than from the parsed DIST_POINT structure.
  // NOTE(review): BIO_new() returns 0 on allocation failure and is not
  // checked here; a null BIO would then be passed to the calls that follow.
114  BIO *bext = BIO_new(BIO_s_mem());
115  ASN1_OBJECT *obj = X509_EXTENSION_get_object(crlext);
116  i2a_ASN1_OBJECT(bext, obj);
117  X509V3_EXT_print(bext, crlext, 0, 4);
118  // data length
119  char *cbio = 0;
120  int lbio = (int) BIO_get_mem_data(bext, &cbio);
  // NOTE(review): the malloc() result is not checked, and a negative 'lbio'
  // would make both the allocation size and the memcpy() length wrap.
121  char *buf = (char *) malloc(lbio+1);
122  // Copy the printed text out of the BIO and NUL-terminate it
123  memcpy(buf, cbio, lbio);
124  buf[lbio] = 0;
125  BIO_free(bext);
126  // Save it
127  XrdOucString uris(buf);
128  free(buf);
129 
130  DEBUG("URI string: "<< uris);
131 
  // Walk the space-separated tokens; only those starting with "URI:" are
  // tried, with the prefix and any newline removed. The first URI that
  // InitFromURI() accepts wins. Presumably the loaded CRL is still checked
  // against the CA signature by the caller (see Verify()) - confirm.
132  XrdOucString uri;
133  int from = 0;
134  while ((from = uris.tokenize(uri, from, ' ')) != -1) {
135  if (uri.beginswith("URI:")) {
136  uri.replace("URI:","");
137  uri.replace("\n","");
138  if (InitFromURI(uri.c_str(), cacert->SubjectHash()) == 0) {
139  crluri = uri;
140  // We are done
141  break;
142  }
143  }
144  }
145 }
virtual XrdCryptoX509data GetExtension(const char *oid)
virtual const char * SubjectHash(int)
EX509Type type
const char * c_str() const
bool beginswith(char c)
int replace(const char *s1, const char *s2, int from=0, int to=-1)

References XrdOucString::beginswith(), XrdOucString::c_str(), DEBUG, EPNAME, XrdCryptoX509::GetExtension(), XrdCryptoX509::kCA, XrdOucString::replace(), XrdCryptoX509::SubjectHash(), XrdOucString::tokenize(), and XrdCryptoX509::type.


◆ ~XrdCryptosslX509Crl()

XrdCryptosslX509Crl::~XrdCryptosslX509Crl ( )
virtual

Definition at line 148 of file XrdCryptosslX509Crl.cc.

XrdCryptosslX509Crl::~XrdCryptosslX509Crl()
{
   // Destructor: release the OpenSSL CRL object, if one was ever loaded.
   if (crl != 0) {
      X509_CRL_free(crl);
   }
}

Member Function Documentation

◆ Dump()

void XrdCryptosslX509Crl::Dump ( )
virtual

Reimplemented from XrdCryptoX509Crl.

Definition at line 664 of file XrdCryptosslX509Crl.cc.

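void XrdCryptosslX509Crl::Dump()
{
   // Dump the CRL content (source file, issuer, validity window and number
   // of revoked certificates) through PRINT.
   EPNAME("X509Crl::Dump");

   // Human-readable local-time strings for the two update times.
   // asctime_r() terminates its output with '\n', which is stripped; the
   // strip is guarded so that a failed conversion (empty buffer) does not
   // write before the start of the array, and asctime_r() is only called on
   // a 'tst' that localtime_r() actually filled in.
   struct tm tst;
   char stbeg[256] = {0};
   time_t tbeg = LastUpdate();
   if (localtime_r(&tbeg, &tst) && asctime_r(&tst, stbeg)) {
      size_t lbeg = strlen(stbeg);
      if (lbeg > 0) stbeg[lbeg-1] = 0;
   }
   char stend[256] = {0};
   time_t tend = NextUpdate();
   if (localtime_r(&tend, &tst) && asctime_r(&tst, stend)) {
      size_t lend = strlen(stend);
      if (lend > 0) stend[lend-1] = 0;
   }

   // Issuer() and IssuerHash() return 0 when no CRL is loaded; a null
   // const char* must not be streamed, so substitute a placeholder.
   const char *iss = Issuer();
   const char *ish = IssuerHash(0);

   PRINT("+++++++++++++++ X509 CRL dump +++++++++++++++++++++++");
   PRINT("+");
   PRINT("+ File: "<<ParentFile());
   PRINT("+");
   PRINT("+ Issuer: "<<(iss ? iss : "(none)"));
   PRINT("+ Issuer hash: "<<(ish ? ish : "(none)"));
   PRINT("+");
   // IsExpired() comes from the base class XrdCryptoX509Crl
   if (IsExpired()) {
      PRINT("+ Validity: (expired!)");
   } else {
      PRINT("+ Validity:");
   }
   // Epoch seconds (UTC) followed by the local-time rendering
   PRINT("+ LastUpdate: "<<tbeg<<" UTC - "<<stbeg);
   PRINT("+ NextUpdate: "<<tend<<" UTC - "<<stend);
   PRINT("+");
   PRINT("+ Number of revoked certificates: "<<nrevoked);
   PRINT("+");
   PRINT("+++++++++++++++++++++++++++++++++++++++++++++++++");
}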
#define PRINT(y)
virtual bool IsExpired(int when=0)
const char * IssuerHash()

References EPNAME, XrdCryptoX509Crl::IsExpired(), Issuer(), XrdCryptoX509Crl::IssuerHash(), LastUpdate(), NextUpdate(), ParentFile(), and PRINT.


◆ hasCriticalExtension()

bool XrdCryptosslX509Crl::hasCriticalExtension ( )

Definition at line 385 of file XrdCryptosslX509Crl.cc.

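bool XrdCryptosslX509Crl::hasCriticalExtension()
{
   // Report whether the CRL carries at least one extension marked critical.
   // Without a loaded CRL there is nothing to inspect (and OpenSSL would
   // dereference the null handle), so answer false - consistent with the
   // other accessors, which all guard on 'crl'.
   if (!crl)
      return false;

   // X509_CRL_get_ext_by_critical() returns the index of the first critical
   // extension after position -1, or -1 when there is none.
   // A caller that cannot interpret a critical extension is expected to
   // reject the CRL (RFC 5280, section 5.2); that policy lives with the
   // caller, this method only reports the presence.
   return X509_CRL_get_ext_by_critical(crl, 1, -1) != -1;
}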

◆ IsRevoked() [1/2]

bool XrdCryptosslX509Crl::IsRevoked ( const char *  sernum,
int  when = 0 
)
virtual

Reimplemented from XrdCryptoX509Crl.

Definition at line 627 of file XrdCryptosslX509Crl.cc.

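bool XrdCryptosslX509Crl::IsRevoked(const char *sernum, int when)
{
   // Check whether the certificate whose serial number (hexadecimal string,
   // the same form the int overload builds with "%x") is 'sernum' appears in
   // the revocation list as of time 'when' (seconds since the Epoch; 0 or
   // negative means "now").
   // Returns true when the certificate is listed and its revocation time is
   // earlier than the reference time, false otherwise (including when the
   // list is empty).
   EPNAME("IsRevoked");

   // Reference time; kept as time_t so it is not truncated on platforms
   // where int is narrower than time_t.
   time_t now = (when > 0) ? static_cast<time_t>(when) : time(0);

   // An expired CRL is still consulted: only a warning is emitted here, so a
   // stale list can answer "not revoked" for certificates revoked after
   // NextUpdate(). Refreshing the CRL is the caller's responsibility.
   if (now > NextUpdate()) {
      DEBUG("WARNING: CRL is expired: you should download the updated one");
   }

   // We must have something to check against
   if (nrevoked <= 0) {
      DEBUG("No certificate in the list");
      return false;
   }

   // Look into the cache of revoked serial numbers.
   // NOTE(review): the UnLock() calls suggest Get() hands the entry back
   // locked; if so, an entry whose status is not kCE_ok is never unlocked
   // on this path - confirm against XrdSutCache::Get() before changing it.
   XrdSutCacheEntry *cent = cache.Get(sernum);
   if (cent && cent->status == kCE_ok) {
      // mtime is the revocation time: revoked only if already past 'now'
      if (now > cent->mtime) {
         DEBUG("certificate "<<sernum<<" has been revoked");
         cent->rwmtx.UnLock();
         return true;
      }
      cent->rwmtx.UnLock();
   }

   // Certificate not revoked
   return false;
}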
@ kCE_ok
XrdSysRWLock rwmtx
XrdSutCacheEntry * Get(const char *tag)
Definition: XrdSutCache.hh:54

References DEBUG, EPNAME, XrdSutCache::Get(), kCE_ok, XrdSutCacheEntry::mtime, NextUpdate(), XrdSutCacheEntry::rwmtx, XrdSutCacheEntry::status, and XrdSysRWLock::UnLock().


◆ IsRevoked() [2/2]

bool XrdCryptosslX509Crl::IsRevoked ( int  serialnumber,
int  when = 0 
)
virtual

Reimplemented from XrdCryptoX509Crl.

Definition at line 586 of file XrdCryptosslX509Crl.cc.

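bool XrdCryptosslX509Crl::IsRevoked(int serialnumber, int when)
{
   // Check whether the certificate with serial number 'serialnumber' is in
   // the revocation list as of time 'when' (0 means "now").
   // The cache is keyed by the hexadecimal form of the serial number, so
   // build that tag and defer to the string overload, which performs the
   // expiry warning, the empty-list check and the cache lookup; keeping the
   // two overloads on one code path avoids them drifting apart.
   // NOTE: an int cannot represent the serial numbers real CAs issue (up to
   // 20 octets per RFC 5280); prefer the string overload for those.
   char tagser[20] = {0};
   snprintf(tagser, sizeof(tagser), "%x", serialnumber);
   return IsRevoked(tagser, when);
}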

References DEBUG, EPNAME, XrdSutCache::Get(), kCE_ok, XrdSutCacheEntry::mtime, NextUpdate(), XrdSutCacheEntry::rwmtx, XrdSutCacheEntry::status, and XrdSysRWLock::UnLock().


◆ Issuer()

const char * XrdCryptosslX509Crl::Issuer ( )
virtual

Reimplemented from XrdCryptoX509Crl.

Definition at line 497 of file XrdCryptosslX509Crl.cc.

const char *XrdCryptosslX509Crl::Issuer()
{
   // Return the issuer name in one-line form. It is extracted from the CRL
   // on first use and cached in 'issuer'; 0 is returned when no CRL is
   // loaded and nothing has been cached.
   EPNAME("X509Crl::Issuer");

   // Cached already: nothing to extract
   if (issuer.length() > 0)
      return issuer.c_str();

   // Make sure we have a CRL
   if (!crl) {
      DEBUG("WARNING: no CRL available - cannot extract issuer name");
      return (const char *)0;
   }

   // Extract the issuer name into the cache and return it
   XrdCryptosslNameOneLine(X509_CRL_get_issuer(crl), issuer);
   return (issuer.length() > 0) ? issuer.c_str() : (const char *)0;
}
void XrdCryptosslNameOneLine(X509_NAME *nm, XrdOucString &s)
int length() const

References XrdOucString::c_str(), DEBUG, EPNAME, XrdOucString::length(), and XrdCryptosslNameOneLine().

Referenced by Dump().


◆ IssuerHash()

const char * XrdCryptosslX509Crl::IssuerHash ( int  alg)
virtual

Reimplemented from XrdCryptoX509Crl.

Definition at line 520 of file XrdCryptosslX509Crl.cc.

const char *XrdCryptosslX509Crl::IssuerHash(int alg)
{
   // Return the hash of the issuer name in the "%08lx.0" form.
   // alg == 0 selects the default algorithm (X509_NAME_hash); alg == 1
   // selects the legacy MD5-based one (X509_NAME_hash_old), which is only
   // available on OpenSSL >= 1.0.0 builds outside macOS - elsewhere alg == 1
   // silently falls back to the default.
   // Each hash is computed once and cached ('issuerhash' / 'issueroldhash');
   // 0 is returned when no CRL is loaded and nothing was cached before.
   EPNAME("X509::IssuerHash");

#if (OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(__APPLE__))
   if (alg == 1) {
      // md5 based
      if (issueroldhash.length() <= 0) {
         // Make sure we have a certificate
         if (!crl) {
            DEBUG("WARNING: no certificate available - cannot extract issuer hash (md5)");
            return (const char *)0;
         }
         char chash[30] = {0};
         snprintf(chash, sizeof(chash),
                  "%08lx.0", X509_NAME_hash_old(X509_CRL_get_issuer(crl)));
         issueroldhash = chash;
      }
      return (issueroldhash.length() > 0) ? issueroldhash.c_str() : (const char *)0;
   }
#else
   // Legacy hash not available on this build: alg == 1 is treated as 0
   (void) alg;
#endif

   // Default algorithm
   if (issuerhash.length() <= 0) {
      // Make sure we have a certificate
      if (!crl) {
         DEBUG("WARNING: no certificate available - cannot extract issuer hash (default)");
         return (const char *)0;
      }
      char chash[30] = {0};
      snprintf(chash, sizeof(chash),
               "%08lx.0", X509_NAME_hash(X509_CRL_get_issuer(crl)));
      issuerhash = chash;
   }
   return (issuerhash.length() > 0) ? issuerhash.c_str() : (const char *)0;
}

References XrdOucString::c_str(), DEBUG, EPNAME, and XrdOucString::length().


◆ IsValid()

bool XrdCryptosslX509Crl::IsValid ( )
inlinevirtual

Reimplemented from XrdCryptoX509Crl.

Definition at line 59 of file XrdCryptosslX509Crl.hh.

bool IsValid() { return crl != 0; }   // true once a CRL has been loaded

◆ LastUpdate()

time_t XrdCryptosslX509Crl::LastUpdate ( )
virtual

Reimplemented from XrdCryptoX509Crl.

Definition at line 465 of file XrdCryptosslX509Crl.cc.

466 {
467  // Time of the CRL's last update, as seconds since the Epoch (UTC).
  // The value is extracted once from the CRL and cached in 'lastupdate';
  // a negative cached value is treated as "not extracted yet" and is what
  // gets returned when no CRL is loaded.
468 
469  // If we do not have it already, try extraction
470  if (lastupdate < 0) {
471  // Make sure we have a CRL
472  if (crl)
473  // Extract UTC time in secs from Epoch
  // (the assignment at source line 474 is missing from this rendered
  // listing; the "References" list shows it uses X509_CRL_get0_lastUpdate
  // and XrdCryptosslASN1toUTC)
475  }
476  // return what we have
477  return lastupdate;
478 }
time_t XrdCryptosslASN1toUTC(const ASN1_TIME *tsn1)
#define X509_CRL_get0_lastUpdate

References X509_CRL_get0_lastUpdate, and XrdCryptosslASN1toUTC().

Referenced by Dump().


◆ NextUpdate()

time_t XrdCryptosslX509Crl::NextUpdate ( )
virtual

Reimplemented from XrdCryptoX509Crl.

Definition at line 481 of file XrdCryptosslX509Crl.cc.

482 {
483  // Time of the CRL's next scheduled update, as seconds since the Epoch
  // (UTC). Extracted once and cached in 'nextupdate'; a negative cached
  // value is treated as "not extracted yet" and is returned as such when no
  // CRL is loaded. IsRevoked() compares the reference time against this
  // value to warn that the CRL is stale.
484 
485  // If we do not have it already, try extraction
486  if (nextupdate < 0) {
487  // Make sure we have a CRL
488  if (crl)
489  // Extract UTC time in secs from Epoch
  // (the assignment at source line 490 is missing from this rendered
  // listing; the "References" list shows it uses X509_CRL_get0_nextUpdate
  // and XrdCryptosslASN1toUTC)
491  }
492  // return what we have
493  return nextupdate;
494 }
#define X509_CRL_get0_nextUpdate

References X509_CRL_get0_nextUpdate, and XrdCryptosslASN1toUTC().

Referenced by Dump(), and IsRevoked().


◆ Opaque()

XrdCryptoX509Crldata XrdCryptosslX509Crl::Opaque ( )
inlinevirtual

Reimplemented from XrdCryptoX509Crl.

Definition at line 62 of file XrdCryptosslX509Crl.hh.

XrdCryptoX509Crldata Opaque() { return static_cast<XrdCryptoX509Crldata>(crl); }   // raw X509_CRL handle as the opaque (void *) type
void * XrdCryptoX509Crldata

◆ ParentFile()

const char* XrdCryptosslX509Crl::ParentFile ( )
inlinevirtual

Reimplemented from XrdCryptoX509Crl.

Definition at line 66 of file XrdCryptosslX509Crl.hh.

const char *ParentFile() { return srcfile.c_str(); }   // name of the file the CRL was read from

References XrdOucString::c_str().

Referenced by Dump().


◆ ToFile()

bool XrdCryptosslX509Crl::ToFile ( FILE *  fh)

Definition at line 329 of file XrdCryptosslX509Crl.cc.

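bool XrdCryptosslX509Crl::ToFile(FILE *fh)
{
   // Write the CRL to 'fh' in PEM format.
   // Returns true on success, false when no CRL is loaded, when 'fh' is
   // null, or when PEM_write_X509_CRL() reports failure.
   EPNAME("ToFile");

   if (!crl) {
      DEBUG("CRL object invalid; cannot write to a file");
      return false;
   }

   // PEM_write_X509_CRL() is not documented to accept a null stream, so
   // reject it here rather than let OpenSSL dereference it.
   if (!fh) {
      DEBUG("no file handle given; cannot write CRL to file");
      return false;
   }

   if (PEM_write_X509_CRL(fh, crl) == 0) {
      DEBUG("Unable to write CRL to file");
      return false;
   }

   // Notify
   DEBUG("CRL successfully written to file");
   return true;
}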

References DEBUG, and EPNAME.

◆ Verify()

bool XrdCryptosslX509Crl::Verify ( XrdCryptoX509 ref)
virtual

Reimplemented from XrdCryptoX509Crl.

Definition at line 567 of file XrdCryptosslX509Crl.cc.

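bool XrdCryptosslX509Crl::Verify(XrdCryptoX509 *ref)
{
   // Verify the CRL signature with the public key of the reference
   // certificate 'ref' (normally the issuing CA).
   // Returns true only when a CRL is loaded, 'ref' provides a public key and
   // X509_CRL_verify() reports success (1); both 0 (bad signature) and
   // negative (error) results map to false. A failed verification does not
   // discard the loaded CRL - acting on the result is up to the caller.

   // We must have been initialized
   if (!crl)
      return false;

   // We must have something to check with
   X509 *r = ref ? (X509 *)(ref->Opaque()) : 0;
   EVP_PKEY *rk = r ? X509_get_pubkey(r) : 0;
   if (!rk)
      return false;

   // X509_get_pubkey() returns a new reference that must be released,
   // otherwise every verification leaks the key object.
   bool ok = (X509_CRL_verify(crl, rk) > 0);
   EVP_PKEY_free(rk);
   return ok;
}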
virtual XrdCryptoX509data Opaque()

References XrdCryptoX509::Opaque().

