XRootD
XrdCryptosslX509 Class Reference

#include <XrdCryptosslX509.hh>

+ Inheritance diagram for XrdCryptosslX509:
+ Collaboration diagram for XrdCryptosslX509:

Public Member Functions

 XrdCryptosslX509 (const char *cf, const char *kf=0)
 
 XrdCryptosslX509 (X509 *cert)
 
 XrdCryptosslX509 (XrdSutBucket *bck)
 
virtual ~XrdCryptosslX509 ()
 
int BitStrength ()
 
int DumpExtensions (bool dumpunknown=0)
 
XrdSutBucketExport ()
 
XrdCryptoX509data GetExtension (const char *oid)
 
const char * Issuer ()
 
const char * IssuerHash (int=0)
 
virtual bool MatchesSAN (const char *, bool &)
 
time_t NotAfter ()
 
time_t NotBefore ()
 
XrdCryptoX509data Opaque ()
 
const char * ParentFile ()
 
XrdCryptoRSAPKI ()
 
const char * ProxyType () const
 
kXR_int64 SerialNumber ()
 
XrdOucString SerialNumberString ()
 
void SetPKI (XrdCryptoX509data pki)
 
const char * Subject ()
 
const char * SubjectHash (int=0)
 
bool Verify (XrdCryptoX509 *ref)
 
- Public Member Functions inherited from XrdCryptoX509
 XrdCryptoX509 ()
 
virtual ~XrdCryptoX509 ()
 
virtual void Dump ()
 
virtual bool IsExpired (int when=0)
 
const char * IssuerHash ()
 
virtual bool IsValid (int when=0)
 
const char * SubjectHash ()
 
const char * Type (EX509Type t=kUnknown) const
 

Additional Inherited Members

- Public Types inherited from XrdCryptoX509
enum  EX509Type {
  kUnknown = -1 ,
  kCA = 0 ,
  kEEC = 1 ,
  kProxy = 2
}
 
- Static Public Member Functions inherited from XrdCryptoX509
static bool MatchHostnames (const char *match_pattern, const char *fqdn)
 
- Public Attributes inherited from XrdCryptoX509
EX509Type type
 

Detailed Description

Definition at line 54 of file XrdCryptosslX509.hh.

Constructor & Destructor Documentation

◆ XrdCryptosslX509() [1/3]

XrdCryptosslX509::XrdCryptosslX509 ( const char *  cf,
const char *  kf = 0 
)

Definition at line 66 of file XrdCryptosslX509.cc.

67  : XrdCryptoX509()
68 {
69  // Constructor certificate from file 'cf'. If 'kf' is defined,
70  // complete the key of the certificate with the private key in kf.
71  EPNAME("X509::XrdCryptosslX509_file");
72 
73  // Init private members
74  cert = 0; // The certificate object
75  notbefore = -1; // begin-validity time in secs since Epoch
76  notafter = -1; // end-validity time in secs since Epoch
77  subject = ""; // subject;
78  issuer = ""; // issuer;
79  subjecthash = ""; // hash of subject;
80  issuerhash = ""; // hash of issuer;
81  subjectoldhash = ""; // hash of subject (md5 algorithm);
82  issueroldhash = ""; // hash of issuer (md5 algorithm);
83  srcfile = ""; // source file;
84  bucket = 0; // bucket for serialization
85  pki = 0; // PKI of the certificate
86  pxytype = 0; // Proxy sub-type
87 
88  // Make sure file name is defined;
89  if (!cf) {
90  DEBUG("file name undefined");
91  return;
92  }
93  // Make sure file exists;
94  struct stat st;
95  int fd = open(cf, O_RDONLY);
96 
97  if (fd == -1) {
98  if (errno == ENOENT) {
99  DEBUG("file "<<cf<<" does not exist - do nothing");
100  } else {
101  DEBUG("cannot open file "<<cf<<" (errno: "<<errno<<")");
102  }
103  return;
104  }
105 
106  if (fstat(fd, &st) != 0) {
107  DEBUG("cannot stat file "<<cf<<" (errno: "<<errno<<")");
108  close(fd);
109  return;
110  }
111  //
112  // Open file in read mode
113  FILE *fc = fdopen(fd, "r");
114  if (!fc) {
115  DEBUG("cannot fdopen file "<<cf<<" (errno: "<<errno<<")");
116  close(fd);
117  return;
118  }
119  //
120  // Read the content:
121  if (!PEM_read_X509(fc, &cert, 0, 0)) {
122  DEBUG("Unable to load certificate from file");
123  return;
124  } else {
125  DEBUG("certificate successfully loaded");
126  }
127  //
128  // Close the file
129  fclose(fc);
130  //
131  // Save source file name
132  srcfile = cf;
133 
134  // Init some of the private members (the others upon need)
135  Subject();
136  Issuer();
137  CertType();
138 
139  // Get the public key
140  EVP_PKEY *evpp = 0;
141  // Read the private key file, if specified
142  if (kf) {
143  int fd = open(kf, O_RDONLY);
144  if (fd == -1) {
145  DEBUG("cannot open file "<<kf<<" (errno: "<<errno<<")");
146  return;
147  }
148  if (fstat(fd, &st) == -1) {
149  DEBUG("cannot stat private key file "<<kf<<" (errno:"<<errno<<")");
150  close(fd);
151  return;
152  }
153  if (!S_ISREG(st.st_mode) || S_ISDIR(st.st_mode) ||
154  (st.st_mode & (S_IROTH | S_IWOTH)) != 0 ||
155  (st.st_mode & (S_IWGRP)) != 0) {
156  DEBUG("private key file "<<kf<<" has wrong permissions "<<
157  (st.st_mode & 0777) << " (should be at most 0640)");
158  close(fd);
159  return;
160  }
161  // Open file in read mode
162  FILE *fk = fdopen(fd, "r");
163  if (!fk) {
164  DEBUG("cannot open file "<<kf<<" (errno: "<<errno<<")");
165  close(fd);
166  return;
167  }
168  // This call fills the full key, i.e. also the public part (not really documented, though)
169  if ((evpp = PEM_read_PrivateKey(fk,0,0,0))) {
170  DEBUG("RSA key completed ");
171  // Test consistency
172  auto tmprsa = std::make_unique<XrdCryptosslRSA>(evpp, 1);
173  if (tmprsa->status == XrdCryptoRSA::kComplete) {
174  // Save it in pki
175  pki = tmprsa.release();
176  }
177  } else {
178  DEBUG("cannot read the key from file");
179  }
180  // Close the file
181  fclose(fk);
182  }
183  // If there were no private key or we did not manage to import it
184  // init pki with the partial key
185  if (!pki)
186  pki = new XrdCryptosslRSA(X509_get_pubkey(cert), 0);
187 }
#define DEBUG(x)
Definition: XrdBwmTrace.hh:54
#define EPNAME(x)
Definition: XrdBwmTrace.hh:56
int stat(const char *path, struct stat *buf)
int open(const char *path, int oflag,...)
int fstat(int fildes, struct stat *buf)
int fclose(FILE *stream)
#define close(a)
Definition: XrdPosix.hh:43
const char * Issuer()
const char * Subject()

References close, DEBUG, EPNAME, fclose(), fstat(), Issuer(), XrdCryptoRSA::kComplete, open(), stat(), and Subject().

+ Here is the call graph for this function:

◆ XrdCryptosslX509() [2/3]

XrdCryptosslX509::XrdCryptosslX509 ( XrdSutBucket bck)

Definition at line 190 of file XrdCryptosslX509.cc.

190  : XrdCryptoX509()
191 {
192  // Constructor certificate from BIO 'bcer'
193  EPNAME("X509::XrdCryptosslX509_bio");
194 
195  // Init private members
196  cert = 0; // The certificate object
197  notbefore = -1; // begin-validity time in secs since Epoch
198  notafter = -1; // end-validity time in secs since Epoch
199  subject = ""; // subject;
200  issuer = ""; // issuer;
201  subjecthash = ""; // hash of subject;
202  issuerhash = ""; // hash of issuer;
203  subjectoldhash = ""; // hash of subject (md5 algorithm);
204  issueroldhash = ""; // hash of issuer (md5 algorithm);
205  srcfile = ""; // source file;
206  bucket = 0; // bucket for serialization
207  pki = 0; // PKI of the certificate
208  pxytype = 0; // Proxy sub-type
209 
210  // Make sure we got something;
211  if (!buck) {
212  DEBUG("got undefined opaque buffer");
213  return;
214  }
215 
216  //
217  // Create a bio_mem to store the certificates
218  BIO *bmem = BIO_new(BIO_s_mem());
219  if (!bmem) {
220  DEBUG("unable to create BIO for memory operations");
221  return;
222  }
223 
224  // Write data to BIO
225  int nw = BIO_write(bmem,(const void *)(buck->buffer),buck->size);
226  if (nw != buck->size) {
227  DEBUG("problems writing data to memory BIO (nw: "<<nw<<")");
228  return;
229  }
230 
231  // Get certificate from BIO
232  if (!(cert = PEM_read_bio_X509(bmem,0,0,0))) {
233  DEBUG("unable to read certificate to memory BIO");
234  return;
235  }
236  //
237  // Free BIO
238  BIO_free(bmem);
239 
240  //
241  // Init some of the private members (the others upon need)
242  Subject();
243  Issuer();
244  CertType();
245 
246  // Get the public key
247  EVP_PKEY *evpp = X509_get_pubkey(cert);
248  //
249  if (evpp) {
250  // init pki with the partial key
251  if (!pki)
252  pki = new XrdCryptosslRSA(evpp, 0);
253  } else {
254  DEBUG("could not access the public key");
255  }
256 }

References XrdSutBucket::buffer, DEBUG, EPNAME, Issuer(), XrdSutBucket::size, and Subject().

+ Here is the call graph for this function:

◆ XrdCryptosslX509() [3/3]

XrdCryptosslX509::XrdCryptosslX509 ( X509 *  cert)

Definition at line 259 of file XrdCryptosslX509.cc.

259  : XrdCryptoX509()
260 {
261  // Constructor: import X509 object
262  EPNAME("X509::XrdCryptosslX509_x509");
263 
264  // Init private members
265  cert = 0; // The certificate object
266  notbefore = -1; // begin-validity time in secs since Epoch
267  notafter = -1; // end-validity time in secs since Epoch
268  subject = ""; // subject;
269  issuer = ""; // issuer;
270  subjecthash = ""; // hash of subject;
271  issuerhash = ""; // hash of issuer;
272  subjectoldhash = ""; // hash of subject (md5 algorithm);
273  issueroldhash = ""; // hash of issuer (md5 algorithm);
274  srcfile = ""; // source file;
275  bucket = 0; // bucket for serialization
276  pki = 0; // PKI of the certificate
277  pxytype = 0; // Proxy sub-type
278 
279  // Make sure we got something;
280  if (!xc) {
281  DEBUG("got undefined X509 object");
282  return;
283  }
284 
285  // Set certificate
286  cert = xc;
287 
288  //
289  // Init some of the private members (the others upon need)
290  Subject();
291  Issuer();
292  CertType();
293 
294  // Get the public key
295  EVP_PKEY *evpp = X509_get_pubkey(cert);
296  //
297  if (evpp) {
298  // init pki with the partial key
299  if (!pki)
300  pki = new XrdCryptosslRSA(evpp, 0);
301  } else {
302  DEBUG("could not access the public key");
303  }
304 }

References DEBUG, EPNAME, Issuer(), and Subject().

+ Here is the call graph for this function:

◆ ~XrdCryptosslX509()

XrdCryptosslX509::~XrdCryptosslX509 ( )
virtual

Definition at line 307 of file XrdCryptosslX509.cc.

308 {
309  // Destructor
310 
311  // Cleanup certificate
312  if (cert) X509_free(cert);
313  // Cleanup key
314  if (pki) delete pki;
315 }

Member Function Documentation

◆ BitStrength()

int XrdCryptosslX509::BitStrength ( )
inlinevirtual

Reimplemented from XrdCryptoX509.

Definition at line 83 of file XrdCryptosslX509.hh.

83 { return ((cert) ? EVP_PKEY_bits(X509_get_pubkey(cert)) : -1);}

◆ DumpExtensions()

int XrdCryptosslX509::DumpExtensions ( bool  dumpunknown = 0)
virtual

Reimplemented from XrdCryptoX509.

Definition at line 814 of file XrdCryptosslX509.cc.

815 {
816  // Dump our extensions, if any
817  // Returns -1 on failure, 0 on success
818  EPNAME("DumpExtensions");
819 
820  int rc = -1;
821  // Point to the cerificate
822  X509 *xpi = (X509 *) Opaque();
823 
824  // Make sure we got the right inputs
825  if (!xpi) {
826  PRINT("we are empty! Do nothing");
827  return rc;
828  }
829 
830  rc = 1;
831  // Go through the extensions
832  X509_EXTENSION *xpiext = 0;
833  int npiext = X509_get_ext_count(xpi);
834  PRINT("found "<<npiext<<" extensions ");
835  int i = 0;
836  for (i = 0; i< npiext; i++) {
837  xpiext = X509_get_ext(xpi, i);
838  char s[256];
839  OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(xpiext), 1);
840  int crit = X509_EXTENSION_get_critical(xpiext);
841  // Notify what we found
842  PRINT(i << ": found extension '"<<s<<"', critical: " << crit);
843  // Dump its content
844  rc = 0;
845  XRDGSI_CONST unsigned char *pp = (XRDGSI_CONST unsigned char *) X509_EXTENSION_get_data(xpiext)->data;
846  long length = X509_EXTENSION_get_data(xpiext)->length;
847  int ret = FillUnknownExt(&pp, length, dumpunknown);
848  PRINT("ret: " << ret);
849  }
850 
851  // Done
852  return rc;
853 }
#define PRINT(y)
#define XRDGSI_CONST
XrdCryptoX509data Opaque()

References EPNAME, Opaque(), PRINT, and XRDGSI_CONST.

+ Here is the call graph for this function:

◆ Export()

XrdSutBucket * XrdCryptosslX509::Export ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 724 of file XrdCryptosslX509.cc.

725 {
726  // Export in form of bucket
727  EPNAME("X509::Export");
728 
729  // If we have already done it, return the previous result
730  if (bucket) {
731  DEBUG("serialization already performed:"
732  " return previous result ("<<bucket->size<<" bytes)");
733  return bucket;
734  }
735 
736  // Make sure we got something to export
737  if (!cert) {
738  DEBUG("certificate is not initialized");
739  return 0;
740  }
741 
742  //
743  // Now we create a bio_mem to serialize the certificate
744  BIO *bmem = BIO_new(BIO_s_mem());
745  if (!bmem) {
746  DEBUG("unable to create BIO for memory operations");
747  return 0;
748  }
749 
750  // Write certificate to BIO
751  if (!PEM_write_bio_X509(bmem, cert)) {
752  DEBUG("unable to write certificate to memory BIO");
753  return 0;
754  }
755 
756  // Extract pointer to BIO data and length of segment
757  char *bdata = 0;
758  int blen = BIO_get_mem_data(bmem, &bdata);
759  DEBUG("BIO data: "<<blen<<" bytes at 0x"<<(int *)bdata);
760 
761  // create the bucket now
762  bucket = new XrdSutBucket(0,0,kXRS_x509);
763  if (bucket) {
764  // Fill bucket
765  bucket->SetBuf(bdata, blen);
766  DEBUG("result of serialization: "<<bucket->size<<" bytes");
767  } else {
768  DEBUG("unable to create bucket for serialized format");
769  BIO_free(bmem);
770  return 0;
771  }
772  //
773  // Free BIO
774  BIO_free(bmem);
775  //
776  // We are done
777  return bucket;
778 }
@ kXRS_x509
Definition: XrdSutAux.hh:79
kXR_int32 size
Definition: XrdSutBucket.hh:47
int SetBuf(const char *nb=0, int ns=0)

References DEBUG, EPNAME, kXRS_x509, XrdSutBucket::SetBuf(), and XrdSutBucket::size.

+ Here is the call graph for this function:

◆ GetExtension()

XrdCryptoX509data XrdCryptosslX509::GetExtension ( const char *  oid)
virtual

Reimplemented from XrdCryptoX509.

Definition at line 661 of file XrdCryptosslX509.cc.

662 {
663  // Return pointer to extension with OID oid, if any, in
664  // opaque form
665  EPNAME("X509::GetExtension");
666  XrdCryptoX509data ext = 0;
667 
668  // Make sure we got something to look for
669  if (!oid) {
670  DEBUG("OID string not defined");
671  return ext;
672  }
673 
674  // Make sure we got something to look for
675  if (!cert) {
676  DEBUG("certificate is not initialized");
677  return ext;
678  }
679 
680  // Are there any extension?
681  int numext = X509_get_ext_count(cert);
682  if (numext <= 0) {
683  DEBUG("certificate has got no extensions");
684  return ext;
685  }
686  DEBUG("certificate has "<<numext<<" extensions");
687 
688  // If the string is the Standard Name of a known extension check
689  // searche the corresponding NID
690  int nid = OBJ_sn2nid(oid);
691  bool usenid = (nid > 0);
692 
693  // Loop to identify the one we would like
694  int i = 0;
695  X509_EXTENSION *wext = 0;
696  for (i = 0; i< numext; i++) {
697  wext = X509_get_ext(cert, i);
698  if (usenid) {
699  int enid = OBJ_obj2nid(X509_EXTENSION_get_object(wext));
700  if (enid == nid)
701  break;
702  } else {
703  // Try matching of the text
704  char s[256];
705  OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(wext), 1);
706  if (!strcmp(s, oid))
707  break;
708  }
709  // Do not free the extension: its owned by the certificate
710  wext = 0;
711  }
712 
713  // We are done if nothing was found
714  if (!wext) {
715  DEBUG("Extension "<<oid<<" not found");
716  return ext;
717  }
718 
719  // We are done
720  return (XrdCryptoX509data)wext;
721 }
void * XrdCryptoX509data

References DEBUG, and EPNAME.

◆ Issuer()

const char * XrdCryptosslX509::Issuer ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 508 of file XrdCryptosslX509.cc.

509 {
510  // Return issuer name
511  EPNAME("X509::Issuer");
512 
513  // If we do not have it already, try extraction
514  if (issuer.length() <= 0) {
515 
516  // Make sure we have a certificate
517  if (!cert) {
518  DEBUG("WARNING: no certificate available - cannot extract issuer name");
519  return (const char *)0;
520  }
521 
522  // Extract issuer name
523  XrdCryptosslNameOneLine(X509_get_issuer_name(cert), issuer);
524  }
525 
526  // return what we have
527  return (issuer.length() > 0) ? issuer.c_str() : (const char *)0;
528 }
void XrdCryptosslNameOneLine(X509_NAME *nm, XrdOucString &s)
const char * c_str() const
int length() const

References XrdOucString::c_str(), DEBUG, EPNAME, XrdOucString::length(), and XrdCryptosslNameOneLine().

Referenced by XrdCryptosslX509().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ IssuerHash()

const char * XrdCryptosslX509::IssuerHash ( int  alg = 0)
virtual

Reimplemented from XrdCryptoX509.

Definition at line 531 of file XrdCryptosslX509.cc.

532 {
533  // Return hash of issuer name
534  // Use default algorithm (X509_NAME_hash) for alg = 0, old algorithm
535  // (for v>=1.0.0) when alg = 1
536  EPNAME("X509::IssuerHash");
537 
538 #if (OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(__APPLE__))
539  if (alg == 1) {
540  // md5 based
541  if (issueroldhash.length() <= 0) {
542  // Make sure we have a certificate
543  if (cert) {
544  char chash[30] = {0};
545  snprintf(chash, sizeof(chash),
546  "%08lx.0",X509_NAME_hash_old(X509_get_issuer_name(cert)));
547  issueroldhash = chash;
548  } else {
549  DEBUG("WARNING: no certificate available - cannot extract issuer hash (md5)");
550  }
551  }
552  // return what we have
553  return (issueroldhash.length() > 0) ? issueroldhash.c_str() : (const char *)0;
554  }
555 #else
556  if (alg == 1) { }
557 #endif
558 
559  // If we do not have it already, try extraction
560  if (issuerhash.length() <= 0) {
561 
562  // Make sure we have a certificate
563  if (cert) {
564  char chash[30] = {0};
565  snprintf(chash, sizeof(chash),
566  "%08lx.0",X509_NAME_hash(X509_get_issuer_name(cert)));
567  issuerhash = chash;
568  } else {
569  DEBUG("WARNING: no certificate available - cannot extract issuer hash (default)");
570  }
571  }
572 
573  // return what we have
574  return (issuerhash.length() > 0) ? issuerhash.c_str() : (const char *)0;
575 }

References XrdOucString::c_str(), DEBUG, EPNAME, and XrdOucString::length().

+ Here is the call graph for this function:

◆ MatchesSAN()

bool XrdCryptosslX509::MatchesSAN ( const char *  fqdn,
bool &  hasSAN 
)
virtual

Implements XrdCryptoX509.

Definition at line 1119 of file XrdCryptosslX509.cc.

1120 {
1121  EPNAME("MatchesSAN");
1122 
1123  // Statically allocated array for hostname lengths. RFC1035 limits
1124  // valid lengths to 255 characters.
1125  char san_fqdn[256];
1126 
1127  // Assume we have no SAN extension. Failure may allow the caller to try
1128  // using the common name before giving up.
1129  hasSAN = false;
1130 
1131  GENERAL_NAMES *gens = static_cast<GENERAL_NAMES *>(X509_get_ext_d2i(cert,
1132  NID_subject_alt_name, NULL, NULL));
1133  if (!gens)
1134  return false;
1135 
1136  // Only an EEC is usable as a host certificate.
1137  if (type != kEEC)
1138  return false;
1139 
1140  // All failures are under the notion that we have a SAN extension.
1141  hasSAN = true;
1142 
1143  if (!fqdn)
1144  return false;
1145 
1146  bool success = false;
1147  for (int idx = 0; idx < sk_GENERAL_NAME_num(gens); idx++) {
1148  GENERAL_NAME *gen;
1149  ASN1_STRING *cstr;
1150  gen = sk_GENERAL_NAME_value(gens, idx);
1151  if (gen->type != GEN_DNS)
1152  continue;
1153  cstr = gen->d.dNSName;
1154  if (ASN1_STRING_type(cstr) != V_ASN1_IA5STRING)
1155  continue;
1156  int san_fqdn_len = ASN1_STRING_length(cstr);
1157  if (san_fqdn_len > 255)
1158  continue;
1159 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
1160  memcpy(san_fqdn, ASN1_STRING_get0_data(cstr), san_fqdn_len);
1161 #else
1162  memcpy(san_fqdn, ASN1_STRING_data(cstr), san_fqdn_len);
1163 #endif
1164  san_fqdn[san_fqdn_len] = '\0';
1165  if (strlen(san_fqdn) != static_cast<size_t>(san_fqdn_len)) // Avoid embedded null's.
1166  continue;
1167  DEBUG("Comparing SAN " << san_fqdn << " with " << fqdn);
1168  if (MatchHostnames(san_fqdn, fqdn)) {
1169  DEBUG("SAN " << san_fqdn << " matches with " << fqdn);
1170  success = true;
1171  break;
1172  }
1173  }
1174  sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
1175  return success;
1176 }
static bool MatchHostnames(const char *match_pattern, const char *fqdn)
EX509Type type

References DEBUG, EPNAME, XrdCryptoX509::kEEC, XrdCryptoX509::MatchHostnames(), and XrdCryptoX509::type.

+ Here is the call graph for this function:

◆ NotAfter()

time_t XrdCryptosslX509::NotAfter ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 469 of file XrdCryptosslX509.cc.

470 {
471  // End-validity time in secs since Epoch
472 
473  // If we do not have it already, try extraction
474  if (notafter < 0) {
475  // Make sure we have a certificate
476  if (cert)
477  // Extract UTC time in secs from Epoch
478  notafter = XrdCryptosslASN1toUTC(X509_get_notAfter(cert));
479  }
480  // return what we have
481  return notafter;
482 }
time_t XrdCryptosslASN1toUTC(const ASN1_TIME *tsn1)

References XrdCryptosslASN1toUTC().

+ Here is the call graph for this function:

◆ NotBefore()

time_t XrdCryptosslX509::NotBefore ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 453 of file XrdCryptosslX509.cc.

454 {
455  // Begin-validity time in secs since Epoch
456 
457  // If we do not have it already, try extraction
458  if (notbefore < 0) {
459  // Make sure we have a certificate
460  if (cert)
461  // Extract UTC time in secs from Epoch
462  notbefore = XrdCryptosslASN1toUTC(X509_get_notBefore(cert));
463  }
464  // return what we have
465  return notbefore;
466 }

References XrdCryptosslASN1toUTC().

+ Here is the call graph for this function:

◆ Opaque()

XrdCryptoX509data XrdCryptosslX509::Opaque ( )
inlinevirtual

Reimplemented from XrdCryptoX509.

Definition at line 64 of file XrdCryptosslX509.hh.

64 { return (XrdCryptoX509data)cert; }

Referenced by DumpExtensions().

+ Here is the caller graph for this function:

◆ ParentFile()

const char* XrdCryptosslX509::ParentFile ( )
inlinevirtual

Reimplemented from XrdCryptoX509.

Definition at line 77 of file XrdCryptosslX509.hh.

77 { return (const char *)(srcfile.c_str()); }

References XrdOucString::c_str().

+ Here is the call graph for this function:

◆ PKI()

XrdCryptoRSA* XrdCryptosslX509::PKI ( )
inlinevirtual

Reimplemented from XrdCryptoX509.

Definition at line 70 of file XrdCryptosslX509.hh.

70 { return pki; }

◆ ProxyType()

const char* XrdCryptosslX509::ProxyType ( ) const
inlinevirtual

Reimplemented from XrdCryptoX509.

Definition at line 80 of file XrdCryptosslX509.hh.

80 { return cpxytype[pxytype]; }

◆ SerialNumber()

kXR_int64 XrdCryptosslX509::SerialNumber ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 625 of file XrdCryptosslX509.cc.

626 {
627  // Return serial number as a kXR_int64
628 
629  kXR_int64 sernum = -1;
630  if (cert && X509_get_serialNumber(cert)) {
631  BIGNUM *bn = BN_new();
632  ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), bn);
633  char *sn = BN_bn2dec(bn);
634  sernum = strtoll(sn, 0, 10);
635  BN_free(bn);
636  OPENSSL_free(sn);
637  }
638 
639  return sernum;
640 }
long long kXR_int64
Definition: XPtypes.hh:98

◆ SerialNumberString()

XrdOucString XrdCryptosslX509::SerialNumberString ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 643 of file XrdCryptosslX509.cc.

644 {
645  // Return serial number as a hex string
646 
647  XrdOucString sernum;
648  if (cert && X509_get_serialNumber(cert)) {
649  BIGNUM *bn = BN_new();
650  ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), bn);
651  char *sn = BN_bn2hex(bn);
652  sernum = sn;
653  BN_free(bn);
654  OPENSSL_free(sn);
655  }
656 
657  return sernum;
658 }

◆ SetPKI()

void XrdCryptosslX509::SetPKI ( XrdCryptoX509data  pki)
virtual

Reimplemented from XrdCryptoX509.

Definition at line 428 of file XrdCryptosslX509.cc.

429 {
430  // SetPKI:
431  // if newpki is null does nothing
432  // if newpki contains a consistent private & public key we take ownership
433  // so that this->PKI()->status will be kComplete.
434  // otherwise, newpki is not consistent:
435  // if the previous PKI() was null or was already kComplete it is and reset
436  // so that this->PKI()->status will be kInvalid.
437 
438  if (!newpki) return;
439 
440  auto tmprsa = std::make_unique<XrdCryptosslRSA>((EVP_PKEY*)newpki, 1);
441  if (!pki || pki->status == XrdCryptoRSA::kComplete ||
442  tmprsa->status == XrdCryptoRSA::kComplete) {
443  // Cleanup any existing key first
444  if (pki)
445  delete pki;
446 
447  // Set PKI
448  pki = tmprsa.release();
449  }
450 }
ERSAStatus status
Definition: XrdCryptoRSA.hh:58

References XrdCryptoRSA::kComplete, and XrdCryptoRSA::status.

◆ Subject()

const char * XrdCryptosslX509::Subject ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 485 of file XrdCryptosslX509.cc.

486 {
487  // Return subject name
488  EPNAME("X509::Subject");
489 
490  // If we do not have it already, try extraction
491  if (subject.length() <= 0) {
492 
493  // Make sure we have a certificate
494  if (!cert) {
495  DEBUG("WARNING: no certificate available - cannot extract subject name");
496  return (const char *)0;
497  }
498 
499  // Extract subject name
500  XrdCryptosslNameOneLine(X509_get_subject_name(cert), subject);
501  }
502 
503  // return what we have
504  return (subject.length() > 0) ? subject.c_str() : (const char *)0;
505 }

References XrdOucString::c_str(), DEBUG, EPNAME, XrdOucString::length(), and XrdCryptosslNameOneLine().

Referenced by XrdCryptosslX509().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ SubjectHash()

const char * XrdCryptosslX509::SubjectHash ( int  alg = 0)
virtual

Reimplemented from XrdCryptoX509.

Definition at line 578 of file XrdCryptosslX509.cc.

579 {
580  // Return hash of subject name
581  // Use default algorithm (X509_NAME_hash) for alg = 0, old algorithm
582  // (for v>=1.0.0) when alg = 1
583  EPNAME("X509::SubjectHash");
584 
585 #if (OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(__APPLE__))
586  if (alg == 1) {
587  // md5 based
588  if (subjectoldhash.length() <= 0) {
589  // Make sure we have a certificate
590  if (cert) {
591  char chash[30] = {0};
592  snprintf(chash, sizeof(chash),
593  "%08lx.0",X509_NAME_hash_old(X509_get_subject_name(cert)));
594  subjectoldhash = chash;
595  } else {
596  DEBUG("WARNING: no certificate available - cannot extract subject hash (md5)");
597  }
598  }
599  // return what we have
600  return (subjectoldhash.length() > 0) ? subjectoldhash.c_str() : (const char *)0;
601  }
602 #else
603  if (alg == 1) { }
604 #endif
605 
606  // If we do not have it already, try extraction
607  if (subjecthash.length() <= 0) {
608 
609  // Make sure we have a certificate
610  if (cert) {
611  char chash[30] = {0};
612  snprintf(chash, sizeof(chash),
613  "%08lx.0",X509_NAME_hash(X509_get_subject_name(cert)));
614  subjecthash = chash;
615  } else {
616  DEBUG("WARNING: no certificate available - cannot extract subject hash (default)");
617  }
618  }
619 
620  // return what we have
621  return (subjecthash.length() > 0) ? subjecthash.c_str() : (const char *)0;
622 }

References XrdOucString::c_str(), DEBUG, EPNAME, and XrdOucString::length().

+ Here is the call graph for this function:

◆ Verify()

bool XrdCryptosslX509::Verify ( XrdCryptoX509 ref)
virtual

Reimplemented from XrdCryptoX509.

Definition at line 781 of file XrdCryptosslX509.cc.

782 {
783  // Verify certificate signature with pub key of ref cert
784  EPNAME("X509::Verify");
785 
786  // We must have been initialized
787  if (!cert)
788  return 0;
789 
790  // We must have something to check with
791  X509 *r = ref ? (X509 *)(ref->Opaque()) : 0;
792  EVP_PKEY *rk = r ? X509_get_pubkey(r) : 0;
793  if (!rk)
794  return 0;
795 
796  // Ok: we can verify
797  int rc = X509_verify(cert, rk);
798  EVP_PKEY_free(rk);
799  if (rc <= 0) {
800  if (rc == 0) {
801  // Signatures are not OK
802  DEBUG("signature not OK");
803  } else {
804  // General failure
805  DEBUG("could not verify signature");
806  }
807  return 0;
808  }
809  // Success
810  return 1;
811 }
virtual XrdCryptoX509data Opaque()

References DEBUG, EPNAME, and XrdCryptoX509::Opaque().

+ Here is the call graph for this function:

The documentation for this class was generated from the following files: