XRootD
XrdCryptogsiX509Chain Class Reference

#include <XrdCryptogsiX509Chain.hh>


Public Member Functions

 XrdCryptogsiX509Chain (XrdCryptogsiX509Chain *c, XrdCryptoFactory *f=0)
 
 XrdCryptogsiX509Chain (XrdCryptoX509 *c=0, XrdCryptoFactory *f=0)
 
virtual ~XrdCryptogsiX509Chain ()
 
bool Verify (EX509ChainErr &e, x509ChainVerifyOpt_t *vopt=0)
 
- Public Member Functions inherited from XrdCryptoX509Chain
 XrdCryptoX509Chain (XrdCryptoX509 *c=0)
 
 XrdCryptoX509Chain (XrdCryptoX509Chain *ch)
 
virtual ~XrdCryptoX509Chain ()
 
XrdCryptoX509Begin ()
 
const char * CAhash ()
 
const char * CAname ()
 
bool CheckCA (bool checkselfsigned=1)
 
virtual int CheckValidity (bool outatfirst=1, int when=0)
 
void Cleanup (bool keepCA=0)
 
void Dump ()
 
const char * EEChash ()
 
const char * EECname ()
 
XrdCryptoX509EffCA () const
 
XrdCryptoX509End () const
 
void InsertAfter (XrdCryptoX509 *c, XrdCryptoX509 *cp)
 
const char * LastError () const
 
XrdCryptoX509Next ()
 
void PushBack (XrdCryptoX509 *c)
 
void PutInFront (XrdCryptoX509 *c)
 
void Remove (XrdCryptoX509 *c)
 
virtual int Reorder ()
 
XrdCryptoX509SearchByIssuer (const char *issuer, ESearchMode mode=kExact)
 
XrdCryptoX509SearchBySubject (const char *subject, ESearchMode mode=kExact)
 
void SetStatusCA (ECAStatus st)
 
int Size () const
 
ECAStatus StatusCA () const
 
const char * X509ChainError (EX509ChainErr e)
 

Additional Inherited Members

- Public Types inherited from XrdCryptoX509Chain
enum  ECAStatus {
  kUnknown = 0 ,
  kAbsent ,
  kInvalid ,
  kValid
}
 
enum  EX509ChainErr {
  kNone = 0 ,
  kInconsistent ,
  kTooMany ,
  kNoCA ,
  kNoCertificate ,
  kInvalidType ,
  kInvalidNames ,
  kRevoked ,
  kExpired ,
  kMissingExtension ,
  kVerifyFail ,
  kInvalidSign ,
  kCANotAutoSigned ,
  kNoEEC ,
  kTooManyEEC ,
  kInvalidProxy
}
 
- Protected Member Functions inherited from XrdCryptoX509Chain
XrdCryptoX509ChainNodeFind (XrdCryptoX509 *c)
 
XrdCryptoX509ChainNodeFindIssuer (const char *issuer, ESearchMode mode=kExact, XrdCryptoX509ChainNode **p=0)
 
XrdCryptoX509ChainNodeFindSubject (const char *subject, ESearchMode mode=kExact, XrdCryptoX509ChainNode **p=0)
 
void SetEffectiveCA ()
 
bool Verify (EX509ChainErr &e, const char *msg, XrdCryptoX509::EX509Type type, int when, XrdCryptoX509 *xcer, XrdCryptoX509 *xsig, XrdCryptoX509Crl *crl=0)
 
- Protected Attributes inherited from XrdCryptoX509Chain
XrdCryptoX509ChainNode * begin
 
XrdOucString cahash
 
XrdOucString caname
 
XrdCryptoX509ChainNode * current
 
XrdOucString eechash
 
XrdOucString eecname
 
XrdCryptoX509ChainNode * effca
 
XrdCryptoX509ChainNode * end
 
XrdOucString lastError
 
XrdCryptoX509ChainNode * previous
 
int size
 
ECAStatus statusCA
 

Detailed Description

Definition at line 50 of file XrdCryptogsiX509Chain.hh.

Constructor & Destructor Documentation

◆ XrdCryptogsiX509Chain() [1/2]

XrdCryptogsiX509Chain::XrdCryptogsiX509Chain ( XrdCryptoX509 *c = 0,
XrdCryptoFactory *f = 0 
)
inline

Definition at line 53 of file XrdCryptogsiX509Chain.hh.

// Inline constructor (header lines 53-54): hands the single certificate to the
// base chain and keeps the crypto factory in cfact. cfact is what Verify()
// uses to obtain the ProxyCertInfo() parser for RFC3820 checks; it is not in
// the member list above, so presumably a private member -- confirm in the header.
54  : XrdCryptoX509Chain(c), cfact(f) { }

◆ XrdCryptogsiX509Chain() [2/2]

XrdCryptogsiX509Chain::XrdCryptogsiX509Chain ( XrdCryptogsiX509Chain *c,
XrdCryptoFactory *f = 0 
)
inline

Definition at line 55 of file XrdCryptogsiX509Chain.hh.

// Inline copy-style constructor (header lines 55-56): passes the source chain
// to the base-class constructor taking XrdCryptoX509Chain* (derived-to-base
// pointer conversion) and keeps the crypto factory in cfact, which Verify()
// later uses for ProxyCertInfo() parsing.
56  : XrdCryptoX509Chain(c), cfact(f) { }

◆ ~XrdCryptogsiX509Chain()

virtual XrdCryptogsiX509Chain::~XrdCryptogsiX509Chain ( )
inlinevirtual

Definition at line 57 of file XrdCryptogsiX509Chain.hh.

// Empty virtual destructor: nothing is released here beyond what the
// base-class destructor does.
57 { }

Member Function Documentation

◆ Verify()

bool XrdCryptogsiX509Chain::Verify ( EX509ChainErr &e,
x509ChainVerifyOpt_t *vopt = 0 
)
virtual

Reimplemented from XrdCryptoX509Chain.

Definition at line 45 of file XrdCryptogsiX509Chain.cc.

// Verify an ordered GSI chain: CA -> [sub-CA ...] -> EEC -> [proxy ...].
// Returns 1 on success, 0 on failure. On failure errcode (the EX509ChainErr&
// parameter, named `e` in the header) and lastError describe the problem,
// except for the size < 2 case below, which returns 0 with errcode == kNone.
// vopt == 0 selects the defaults: no option flags, "now" as the verification
// time, no path-length limit, no CRL.
// NOTE(review): this rendered listing omits original lines 85, 110 and 138
// (the gutter jumps 84->86, 109->111 and 137->139). `node` is first used at
// line 86 with no visible declaration; its initialisation (the page's
// "References" list names XrdCryptoX509Chain::begin) is presumably on the
// missing line 85 -- confirm against XrdCryptogsiX509Chain.cc.
46 {
47  // Verify the chain
48  EPNAME("X509Chain::Verify");
49  errcode = kNone;
50 
51  // There must be at least a CA and a { EEC or subCA }.
52  if (size < 2) {
53  DEBUG("Nothing to verify (size: "<<size<<")");
// Fails without an error code: the caller sees 0 with errcode still kNone.
54  return 0;
55  }
56  if (QTRACE(Dump)) { Dump(); }
57 
58  //
59  // Reorder if needed; a chain that cannot be put in order is rejected
// before any signature is checked.
60  if (Reorder() != 0) {
61  errcode = kInconsistent;
62  lastError = ":";
63  lastError += X509ChainError(errcode);
64  return 0;
65  }
66 
67  //
68  // Verification options (defaults apply when vopt is 0)
69  int opt = (vopt) ? vopt->opt : 0;
// NOTE(review): time_t is narrowed to int here (wraps in 2038).
70  int when = (vopt) ? vopt->when : (int)time(0);
71  int plen = (vopt) ? vopt->pathlen : -1; // -1 means no path-length limit
72  XrdCryptoX509Crl *crl = (vopt) ? vopt->crl : 0;
73 
74  //
75  // Global path depth length consistency check
// NOTE(review): this only records kTooMany; there is no return, so
// verification continues. The base-class Verify() calls below take errcode
// by reference and may overwrite it, so an over-long chain whose certificates
// all verify can still return 1. Confirm whether a `return 0;` is intended here.
76  if (plen > -1 && plen < size) {
77  errcode = kTooMany;
78  lastError = "checking path depth: ";
79  lastError += X509ChainError(errcode);
80  }
81 
82  //
83  // Check the first certificate: it MUST be of CA type, valid,
84  // self-signed
// (original line 85 -- where `node` is presumably declared/initialised -- is
// not shown in this listing; see the note at the top)
86  XrdCryptoX509 *xcer = node->Cert(); // Certificate under exam
87  XrdCryptoX509 *xsig = xcer; // Signing certificate
// The CA is signature-checked only while its status is still unknown; a
// previously recorded kValid is trusted as-is, kAbsent/kInvalid fail at once.
// The CA check uses the CA as its own signer and does not consult the CRL.
88  if (statusCA == kUnknown) {
89  if (!XrdCryptoX509Chain::Verify(errcode, "CA: ",
90  XrdCryptoX509::kCA, when, xcer, xsig))
91  return 0;
92  statusCA = kValid;
93  } else if (statusCA == kAbsent || statusCA == kInvalid) {
94  errcode = kNoCA;
95  lastError = X509ChainError(errcode);
96  return 0;
97  }
98 
99  //
100  // Update the max path depth len
101  if (plen > -1)
102  plen -= 1;
103  //
104  // Check sub-CA's certificate, if any
// Assumes Cert() is non-null for every node in the chain; not checked here.
105  while (node->Next() && node->Next()->Cert()->type == XrdCryptoX509::kCA) {
106  xsig = xcer;
107  node = node->Next();
108  xcer = node->Cert();
// Sub-CAs are checked with the CRL passed through.
109  if (!XrdCryptoX509Chain::Verify(errcode, "Sub-CA: ",
// (original line 110, presumably the expected certificate type argument, is
// not shown in this listing)
111  when, xcer, xsig, crl))
112  return 0;
113  //
114  // Update the max path depth len
115  if (plen > -1)
116  plen -= 1;
117  }
118 
119  //
120  // If subCA verification case we are done: no EEC or proxy checks in this mode
121  if (opt & kOptsCheckSubCA) return 1;
122 
123  //
124  // Check the end-point entity certificate
125  if (!node->Next() || // We expect something else if not in subCA checking mode
126  (node->Next() && node->Next()->Cert()->type != XrdCryptoX509::kEEC)) {
127  errcode = kNoEEC;
128  lastError = X509ChainError(errcode);
129  return 0;
130  }
131 
132  //
133  // Check the end-point entity certificate (signed by the last CA, with CRL)
134  xsig = xcer;
135  node = node->Next();
136  xcer = node->Cert();
137  if (!XrdCryptoX509Chain::Verify(errcode, "EEC: ",
// (original line 138 is not shown in this listing)
139  when, xcer, xsig, crl))
140  return 0;
141  //
142  // Update the max path depth len
143  if (plen > -1)
144  plen -= 1;
145 
146  //
147  // Only one end-point entity certificate
148  if (node->Next() && node->Next()->Cert()->type == XrdCryptoX509::kEEC) {
149  errcode = kTooManyEEC;
150  lastError = X509ChainError(errcode);
151  return 0;
152  }
153 
154  //
155  // There are proxy certificates
156  xsig = xcer;
157  node = node->Next();
// NOTE(review): the loop ends as soon as plen reaches 0. Any nodes still
// left at that point are neither verified nor rejected -- nothing after the
// loop tests node != 0 and the function returns 1. Confirm that exceeding
// the path length is meant to be silently truncated rather than an error.
158  while (node && (plen == -1 || plen > 0)) {
159 
160  // Attach to certificate
161  xcer = node->Cert();
162 
163  //
164  // Must be a recognized proxy certificate
// NOTE(review): xcer is null-guarded here, but SubjectOK() and
// GetExtension() below receive and dereference it unconditionally.
165  if (xcer && xcer->type != XrdCryptoX509::kProxy) {
166  errcode = kInvalidProxy;
167  lastError = X509ChainError(errcode);
168  return 0;
169  }
170 
171  // Proxy subject name must follow some rules
// (SubjectOK is not documented on this page; presumably a class helper
// that sets errcode on failure)
172  if (!SubjectOK(errcode, xcer))
173  return 0;
174 
175  // Check if ProxyCertInfo extension is there (required by RFC3820)
// pxplen is an out-parameter of the ProxyCertInfo parser, presumably the
// proxy's own path-length constraint; -1 when absent or when RFC3820
// checking is not requested.
176  int pxplen = -1; bool b;
177  if (opt & kOptsRfc3820) {
178  const void *extdata = xcer->GetExtension(gsiProxyCertInfo_OID);
179  if (!extdata) extdata = xcer->GetExtension(gsiProxyCertInfo_OLD_OID);
// The inner (cfact && ...) is redundant: !cfact was already tested.
180  if (!extdata || !cfact || !(cfact && (*(cfact->ProxyCertInfo()))(extdata, pxplen, &b))) {
181  errcode = kMissingExtension;
182  lastError = "rfc3820: ";
183  lastError += X509ChainError(errcode);
184  return 0;
185  }
186  }
187  // Update plen, if needed
// With no limit so far, the proxy's own constraint (if any) becomes the
// limit; otherwise this proxy is counted and the stricter value is kept.
188  if (plen == -1) {
189  plen = (pxplen > -1) ? pxplen : plen;
190  } else {
191  plen--;
192  // Apply stricter rules if required
193  plen = (pxplen > -1 && pxplen < plen) ? pxplen : plen;
194  }
195 
196  // Standard verification
// (no CRL is passed for proxies, unlike the sub-CA and EEC checks above)
197  if (!XrdCryptoX509Chain::Verify(errcode, "Proxy: ",
198  XrdCryptoX509::kProxy, when, xcer, xsig))
199  return 0;
200 
201  // Get next
202  xsig = xcer;
203  node = node->Next();
204  }
205 
206  // We are done (successfully!)
207  return 1;
208 }

References XrdCryptoX509Chain::begin, XrdCryptoX509ChainNode::Cert(), x509ChainVerifyOpt_t::crl, DEBUG, XrdCryptoX509Chain::Dump(), EPNAME, XrdCryptoX509::GetExtension(), gsiProxyCertInfo_OID, gsiProxyCertInfo_OLD_OID, XrdCryptoX509Chain::kAbsent, XrdCryptoX509::kCA, XrdCryptoX509::kEEC, XrdCryptoX509Chain::kInconsistent, XrdCryptoX509Chain::kInvalid, XrdCryptoX509Chain::kInvalidProxy, XrdCryptoX509Chain::kMissingExtension, XrdCryptoX509Chain::kNoCA, XrdCryptoX509Chain::kNoEEC, XrdCryptoX509Chain::kNone, kOptsCheckSubCA, kOptsRfc3820, XrdCryptoX509::kProxy, XrdCryptoX509Chain::kTooMany, XrdCryptoX509Chain::kTooManyEEC, XrdCryptoX509::kUnknown, XrdCryptoX509Chain::kUnknown, XrdCryptoX509Chain::kValid, XrdCryptoX509Chain::lastError, XrdCryptoX509ChainNode::Next(), x509ChainVerifyOpt_t::opt, x509ChainVerifyOpt_t::pathlen, XrdCryptoFactory::ProxyCertInfo(), QTRACE, XrdCryptoX509Chain::Reorder(), XrdCryptoX509Chain::size, XrdCryptoX509Chain::statusCA, XrdCryptoX509::type, XrdCryptoX509Chain::Verify(), x509ChainVerifyOpt_t::when, and XrdCryptoX509Chain::X509ChainError().

Referenced by main().


The documentation for this class was generated from the following files: