#include <ctime>
#include <cerrno>
#include <cstdlib>
#include <sys/types.h>
#include <sys/stat.h>
#include "XrdCrypto/XrdCryptoX509Chain.hh"
#include "XrdCrypto/XrdCryptosslAux.hh"
#include "XrdCrypto/XrdCryptosslRSA.hh"
#include "XrdCrypto/XrdCryptosslX509.hh"
#include "XrdCrypto/XrdCryptosslTrace.hh"
#include "XrdTls/XrdTlsPeerCerts.hh"
#include <openssl/pem.h>
time_t | XrdCryptosslASN1toUTC (const ASN1_TIME *tsn1) |
|
int | XrdCryptosslKDFun (const char *pass, int plen, const char *salt, int slen, char *key, int klen) |
|
int | XrdCryptosslKDFunLen () |
|
void | XrdCryptosslNameOneLine (X509_NAME *nm, XrdOucString &s) |
|
int | XrdCryptosslX509ChainToFile (XrdCryptoX509Chain *ch, const char *fn) |
|
XrdSutBucket * | XrdCryptosslX509ExportChain (XrdCryptoX509Chain *chain, bool withprivatekey) |
|
int | XrdCryptosslX509ParseBucket (XrdSutBucket *b, XrdCryptoX509Chain *chain) |
|
int | XrdCryptosslX509ParseFile (const char *fname, XrdCryptoX509Chain *chain, const char *fkey) |
|
int | XrdCryptosslX509ParseFile (FILE *fcer, XrdCryptoX509Chain *chain, const char *fname, const char *fkey) |
|
int | XrdCryptosslX509ParseStack (XrdTlsPeerCerts *pc, XrdCryptoX509Chain *chain) |
|
int | XrdCryptosslX509ToFile (XrdCryptoX509 *x509, FILE *file, const char *fname) |
|
int | XrdCryptosslX509VerifyCB (int ok, X509_STORE_CTX *ctx) |
|
bool | XrdCryptosslX509VerifyCert (XrdCryptoX509 *cert, XrdCryptoX509 *ref) |
|
bool | XrdCryptosslX509VerifyChain (XrdCryptoX509Chain *chain, int &errcode) |
|
◆ XrdCryptosslASN1toUTC()
time_t XrdCryptosslASN1toUTC |
( |
const ASN1_TIME * |
tsn1 | ) |
Definition at line 683 of file XrdCryptosslAux.cc.
693 if (!tsn1)
return etime;
702 if ((sscanf((
const char *)(tsn1->data),
703 "%02d%02d%02d%02d%02d%02d%c",
704 &(ltm.tm_year), &(ltm.tm_mon), &(ltm.tm_mday),
705 &(ltm.tm_hour), &(ltm.tm_min), &(ltm.tm_sec),
706 &zz) != 7) || (zz !=
'Z')) {
708 if ((sscanf((
const char *)(tsn1->data),
709 "%04d%02d%02d%02d%02d%02d%c",
710 &(ltm.tm_year), &(ltm.tm_mon), &(ltm.tm_mday),
711 &(ltm.tm_hour), &(ltm.tm_min), &(ltm.tm_sec),
712 &zz) != 7) || (zz !=
'Z')) {
722 if (ltm.tm_year < 50) {
724 }
else if (ltm.tm_year < 100) {
733 etime = mktime(<m);
References XrdCryptoTZCorr().
Referenced by XrdCryptosslX509Crl::LastUpdate(), XrdCryptosslX509Crl::NextUpdate(), XrdCryptosslX509::NotAfter(), and XrdCryptosslX509::NotBefore().
◆ XrdCryptosslKDFun()
int XrdCryptosslKDFun |
( |
const char * |
pass, |
int |
plen, |
const char * |
salt, |
int |
slen, |
char * |
key, |
int |
klen |
) |
Definition at line 78 of file XrdCryptosslAux.cc.
87 klen = (klen <= 0) ? 24 : klen;
90 char *realsalt = (
char *)salt;
95 char *ibeg = (
char *)memchr(salt+1,
'$',slen-1);
98 int newit = strtol(ibeg+1, &del, 10);
99 if (newit > 0 && del[0] ==
'$' && errno != ERANGE) {
103 realslen = slen - (int)(realsalt-salt);
107 PKCS5_PBKDF2_HMAC_SHA1(pass, plen,
108 (
unsigned char *)realsalt, realslen, it,
109 klen, (
unsigned char *)key);
Referenced by XrdCryptosslFactory::KDFun().
◆ XrdCryptosslKDFunLen()
int XrdCryptosslKDFunLen |
( |
| ) |
◆ XrdCryptosslNameOneLine()
void XrdCryptosslNameOneLine |
( |
X509_NAME * |
nm, |
XrdOucString & |
s |
) |
Definition at line 744 of file XrdCryptosslAux.cc.
748 #ifndef USEX509NAMEONELINE
749 BIO *mbio = BIO_new(BIO_s_mem());
750 X509_NAME_print_ex(mbio, nm, 0, XN_FLAG_SEP_MULTILINE);
752 long len = BIO_get_mem_data(mbio, &data);
758 char *xn = X509_NAME_oneline(nm, 0, 0);
void insert(const int i, int start=-1)
int replace(const char *s1, const char *s2, int from=0, int to=-1)
References XrdOucString::insert(), and XrdOucString::replace().
Referenced by XrdCryptosslX509::Issuer(), XrdCryptosslX509Crl::Issuer(), XrdCryptosslX509::Subject(), and XrdCryptosslX509Req::Subject().
◆ XrdCryptosslX509ChainToFile()
Definition at line 311 of file XrdCryptosslAux.cc.
314 EPNAME(
"X509ChainToFile");
318 DEBUG(
"Invalid inputs");
323 FILE *fp =
fopen(fn,
"w");
325 DEBUG(
"cannot open file to save chain (file: "<<fn<<
")");
328 int ifp = fileno(fp);
330 DEBUG(
"got invalid file descriptor (file: "<<fn<<
")");
340 DEBUG(
"could not lock file: "<<fn<<
")");
346 if (fchmod(ifp, 0600) == -1) {
347 DEBUG(
"cannot set permissions on file: "<<fn<<
" (errno: "<<errno<<
")");
357 if (PEM_write_X509(fp, (X509 *)c->
Opaque()) != 1) {
358 DEBUG(
"error while writing proxy certificate");
365 if (PEM_write_PrivateKey(fp, (EVP_PKEY *)(k->
Opaque()),
366 0, 0, 0, 0, 0) != 1) {
367 DEBUG(
"error while writing proxy private key");
375 if (PEM_write_X509(fp, (X509 *)c->
Opaque()) != 1) {
376 DEBUG(
"error while writing proxy certificate");
virtual XrdCryptoRSAdata Opaque()
XrdCryptoX509 * End() const
XrdCryptoX509 * SearchBySubject(const char *subject, ESearchMode mode=kExact)
virtual XrdCryptoX509data Opaque()
virtual XrdCryptoRSA * PKI()
virtual const char * Issuer()
References DEBUG, XrdCryptoX509Chain::End(), EPNAME, fclose(), fopen, XrdCryptoX509::Issuer(), XrdSutFileLocker::IsValid(), XrdCryptoX509::kCA, XrdCryptoRSA::kComplete, XrdSutFileLocker::kExcl, XrdCryptoRSA::Opaque(), XrdCryptoX509::Opaque(), XrdCryptoX509::PKI(), XrdCryptoX509Chain::Reorder(), XrdCryptoX509Chain::SearchBySubject(), XrdCryptoRSA::status, and XrdCryptoX509::type.
Referenced by XrdCryptosslFactory::X509ChainToFile().
◆ XrdCryptosslX509ExportChain()
Definition at line 198 of file XrdCryptosslAux.cc.
202 EPNAME(
"X509ExportChain");
206 if (!chain || chain->
Size() <= 0) {
207 DEBUG(
"chain undefined or empty: nothing to export");
214 DEBUG(
"chain contains only a CA certificate: nothing to export");
219 BIO *bmem = BIO_new(BIO_s_mem());
221 DEBUG(
"unable to create BIO for memory operations");
230 if (!PEM_write_bio_X509(bmem, (X509 *)c->
Opaque())) {
231 DEBUG(
"error while writing proxy certificate");
236 if (withprivatekey) {
239 if (!PEM_write_bio_PrivateKey(bmem, (EVP_PKEY *)(k->
Opaque()),
241 DEBUG(
"error while writing proxy private key");
250 DEBUG(
"Encountered CA in chain; breaking. Subject: " << c->
Subject());
255 if (!PEM_write_bio_X509(bmem, (X509 *)c->
Opaque())) {
256 DEBUG(
"error while writing proxy certificate");
261 DEBUG(
"Encountered self-signed CA in chain; breaking. Subject: " << c->
Subject());
268 int blen = BIO_get_mem_data(bmem, &bdata);
269 DEBUG(
"BIO data: "<<blen<<
" bytes at 0x"<<(
int *)bdata);
276 DEBUG(
"result of serialization: "<<bck->
size<<
" bytes");
278 DEBUG(
"unable to create bucket for serialized format");
virtual const char * Subject()
virtual const char * SubjectHash(int)
virtual const char * IssuerHash(int)
int SetBuf(const char *nb=0, int ns=0)
References XrdCryptoX509Chain::Begin(), DEBUG, XrdCryptoX509Chain::End(), EPNAME, XrdCryptoX509::Issuer(), XrdCryptoX509::IssuerHash(), XrdCryptoX509::kCA, XrdCryptoRSA::kComplete, kXRS_x509, XrdCryptoRSA::Opaque(), XrdCryptoX509::Opaque(), XrdCryptoX509::PKI(), XrdCryptoX509Chain::Reorder(), XrdCryptoX509Chain::SearchBySubject(), XrdSutBucket::SetBuf(), XrdCryptoX509Chain::Size(), XrdSutBucket::size, XrdCryptoRSA::status, XrdCryptoX509::Subject(), XrdCryptoX509::SubjectHash(), and XrdCryptoX509::type.
Referenced by XrdCryptosslFactory::X509ExportChain().
◆ XrdCryptosslX509ParseBucket()
Definition at line 575 of file XrdCryptosslAux.cc.
579 EPNAME(
"X509ParseBucket");
583 if (!b || b->
size <= 0) {
584 DEBUG(
"bucket undefined or empty: can do nothing");
590 DEBUG(
"chain undefined: can do nothing");
595 BIO *bmem = BIO_new(BIO_s_mem());
597 DEBUG(
"unable to create BIO to import certificates");
602 if (BIO_write(bmem,(
const void *)(b->
buffer),b->
size) != b->
size) {
603 DEBUG(
"problems writing data to BIO");
610 while (PEM_read_bio_X509(bmem, &xcer, 0, 0)) {
617 DEBUG(
"certificate added to the chain - ord: "<<chain->
Size());
619 DEBUG(
"could not create certificate: memory exhausted?");
631 if (nci && BIO_write(bmem,(
const void *)(b->
buffer),b->
size) == b->
size) {
633 if (!PEM_read_bio_PrivateKey(bmem, &rsa, 0, 0)) {
634 DEBUG(
"no RSA private key found in bucket");
636 DEBUG(
"found a RSA private key in bucket");
642 while (cert && cert->
Opaque()) {
645 EVP_PKEY *evpp = X509_get_pubkey((X509 *)(cert->
Opaque()));
648 #if OPENSSL_VERSION_NUMBER < 0x30000000L
649 int rc = EVP_PKEY_cmp(evpp, rsa);
651 int rc = EVP_PKEY_eq(evpp, rsa);
658 DEBUG(
"RSA key completed");
665 cert = chain->
Next();
void PushBack(XrdCryptoX509 *c)
virtual void SetPKI(XrdCryptoX509data pki)
References XrdCryptoX509Chain::Begin(), XrdSutBucket::buffer, DEBUG, EPNAME, XrdCryptoX509::kCA, XrdCryptoRSA::kComplete, XrdCryptoX509Chain::Next(), XrdCryptoX509::Opaque(), XrdCryptoX509::PKI(), XrdCryptoX509Chain::PushBack(), XrdCryptoX509::SetPKI(), XrdCryptoX509Chain::Size(), XrdSutBucket::size, XrdCryptoRSA::status, and XrdCryptoX509::type.
Referenced by XrdCryptosslFactory::X509ParseBucket(), and XrdSecgsiAuthzKey().
◆ XrdCryptosslX509ParseFile() [1/2]
int XrdCryptosslX509ParseFile |
( |
const char * |
fname, |
XrdCryptoX509Chain * |
chain, |
const char * |
fkey |
) |
◆ XrdCryptosslX509ParseFile() [2/2]
int XrdCryptosslX509ParseFile |
( |
FILE * |
fcer, |
XrdCryptoX509Chain * |
chain, |
const char * |
fname, |
const char * |
fkey |
) |
Definition at line 464 of file XrdCryptosslAux.cc.
477 DEBUG(
"FILE object undefined: can do nothing");
483 DEBUG(
"chain undefined: can do nothing");
489 while (PEM_read_X509(fcer, &xcer, 0, 0)) {
495 DEBUG(
"certificate for '"<<c->
Subject()<<
"'added to the chain - ord: "<<chain->
Size());
497 DEBUG(
"could not create certificate: memory exhausted?");
515 fcer =
fopen(fkey,
"r");
517 DEBUG(
"unable to open key file (errno: "<<errno<<
")");
523 if (!PEM_read_PrivateKey(fcer, &rsa, 0, 0)) {
524 DEBUG(
"no RSA private key found in file " << fname);
526 DEBUG(
"found a RSA private key in file " << fname);
532 while (cert && cert->
Opaque()) {
535 EVP_PKEY *evpp = X509_get_pubkey((X509 *)(cert->
Opaque()));
538 #if OPENSSL_VERSION_NUMBER < 0x30000000L
539 int rc = EVP_PKEY_cmp(evpp, rsa);
541 int rc = EVP_PKEY_eq(evpp, rsa);
548 DEBUG(
"RSA key completed");
555 cert = chain->
Next();
References XrdCryptoX509Chain::Begin(), DEBUG, EPNAME, fclose(), fopen, XrdCryptoX509::kCA, XrdCryptoRSA::kComplete, XrdCryptoX509Chain::Next(), XrdCryptoX509::Opaque(), XrdCryptoX509::PKI(), XrdCryptoX509Chain::PushBack(), XrdCryptoX509::SetPKI(), XrdCryptoX509Chain::Size(), XrdCryptoRSA::status, XrdCryptoX509::Subject(), and XrdCryptoX509::type.
◆ XrdCryptosslX509ParseStack()
◆ XrdCryptosslX509ToFile()
int XrdCryptosslX509ToFile |
( |
XrdCryptoX509 * |
x509, |
FILE * |
file, |
const char * |
fname |
) |
◆ XrdCryptosslX509VerifyCB()
int XrdCryptosslX509VerifyCB |
( |
int |
ok, |
X509_STORE_CTX * |
ctx |
) |
◆ XrdCryptosslX509VerifyCert()
◆ XrdCryptosslX509VerifyChain()
Definition at line 129 of file XrdCryptosslAux.cc.
135 if (!chain || chain->
Size() <= 1)
139 X509_STORE *store = X509_STORE_new();
144 X509_STORE_set_verify_cb_func(store, 0);
150 X509_STORE_add_cert(store, (X509 *)(cert->
Opaque()));
153 STACK_OF(X509) *stk = sk_X509_new_null();
159 while ((cert = chain->
Next()) && cert->
Opaque()) {
161 cref = (X509 *)(cert->
Opaque());
162 sk_X509_push(stk, (X509 *)(cert->
Opaque()));
166 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
167 if (sk_X509_num(stk) != chain->
Size() - 1)
169 if (sk_num(stk) != chain->
Size() - 1)
174 X509_STORE_CTX *ctx = X509_STORE_CTX_new();
179 X509_STORE_CTX_init(ctx, store, cref, stk);
182 bool verify_ok = (X509_verify_cert(ctx) == 1);
190 X509_STORE_CTX_free(ctx);
191 sk_X509_pop_free(stk, X509_free);
192 X509_STORE_free(store);
References XrdCryptoX509Chain::Begin(), gErrVerifyChain, XrdCryptoX509::kCA, XrdCryptoX509Chain::Next(), XrdCryptoX509::Opaque(), XrdCryptoX509Chain::Size(), and XrdCryptoX509::type.
Referenced by XrdCryptosslFactory::X509VerifyChain().
◆ gErrVerifyChain
◆ sslTrace