39 #include <openssl/pem.h>
46 #include <sys/types.h>
49 #define BIO_PRINT(b,c) \
51 BIO_get_mem_ptr(b, &bptr); \
53 char *s = new char[bptr->length+1]; \
54 memcpy(s, bptr->data, bptr->length); \
55 s[bptr->length] = '\0'; \
59 PRINT("ERROR: "<<c<<" BIO internal buffer undefined!"); \
63 const char *XrdCryptosslX509::cpxytype[5] = {
"",
"unknown",
"RFC",
"GSI3",
"legacy" };
71 EPNAME(
"X509::XrdCryptosslX509_file");
90 DEBUG(
"file name undefined");
95 int fd =
open(cf, O_RDONLY);
98 if (errno == ENOENT) {
99 DEBUG(
"file "<<cf<<
" does not exist - do nothing");
101 DEBUG(
"cannot open file "<<cf<<
" (errno: "<<errno<<
")");
106 if (
fstat(fd, &st) != 0) {
107 DEBUG(
"cannot stat file "<<cf<<
" (errno: "<<errno<<
")");
113 FILE *fc = fdopen(fd,
"r");
115 DEBUG(
"cannot fdopen file "<<cf<<
" (errno: "<<errno<<
")");
121 if (!PEM_read_X509(fc, &cert, 0, 0)) {
122 DEBUG(
"Unable to load certificate from file");
125 DEBUG(
"certificate successfully loaded");
143 int fd =
open(kf, O_RDONLY);
145 DEBUG(
"cannot open file "<<kf<<
" (errno: "<<errno<<
")");
148 if (
fstat(fd, &st) == -1) {
149 DEBUG(
"cannot stat private key file "<<kf<<
" (errno:"<<errno<<
")");
153 if (!S_ISREG(st.st_mode) || S_ISDIR(st.st_mode) ||
154 (st.st_mode & (S_IROTH | S_IWOTH)) != 0 ||
155 (st.st_mode & (S_IWGRP)) != 0) {
156 DEBUG(
"private key file "<<kf<<
" has wrong permissions "<<
157 (st.st_mode & 0777) <<
" (should be at most 0640)");
162 FILE *fk = fdopen(fd,
"r");
164 DEBUG(
"cannot open file "<<kf<<
" (errno: "<<errno<<
")");
169 if ((evpp = PEM_read_PrivateKey(fk,0,0,0))) {
170 DEBUG(
"RSA key completed ");
172 auto tmprsa = std::make_unique<XrdCryptosslRSA>(evpp, 1);
175 pki = tmprsa.release();
178 DEBUG(
"cannot read the key from file");
193 EPNAME(
"X509::XrdCryptosslX509_bio");
212 DEBUG(
"got undefined opaque buffer");
218 BIO *bmem = BIO_new(BIO_s_mem());
220 DEBUG(
"unable to create BIO for memory operations");
225 int nw = BIO_write(bmem,(
const void *)(buck->
buffer),buck->
size);
226 if (nw != buck->
size) {
227 DEBUG(
"problems writing data to memory BIO (nw: "<<nw<<
")");
232 if (!(cert = PEM_read_bio_X509(bmem,0,0,0))) {
233 DEBUG(
"unable to read certificate to memory BIO");
247 EVP_PKEY *evpp = X509_get_pubkey(cert);
254 DEBUG(
"could not access the public key");
262 EPNAME(
"X509::XrdCryptosslX509_x509");
281 DEBUG(
"got undefined X509 object");
295 EVP_PKEY *evpp = X509_get_pubkey(cert);
302 DEBUG(
"could not access the public key");
312 if (cert) X509_free(cert);
318 void XrdCryptosslX509::CertType()
326 PRINT(
"ERROR: certificate is not initialized");
334 int numext = X509_get_ext_count(cert);
336 DEBUG(
"certificate has got no extensions");
339 TRACE(ALL,
"certificate has "<<numext<<
" extensions");
343 X509_EXTENSION *ext = 0;
348 BASIC_CONSTRAINTS *bc = 0;
349 if ((bc = (BASIC_CONSTRAINTS *)X509_get_ext_d2i(cert, NID_basic_constraints, &crit, &idx)) &&
352 DEBUG(
"CA certificate");
355 if (bc) BASIC_CONSTRAINTS_free(bc);
363 if (issuer == common) {
370 if ((idx = X509_get_ext_by_NID(cert, NID_proxyCertInfo,-1)) == -1) {
376 DEBUG(
"Found GSI 3 proxyCertInfo extension");
377 }
else if (xcp == -1) {
381 if ((ext = X509_get_ext(cert,idx)) == 0) {
382 PRINT(
"ERROR: could not get proxyCertInfo extension");
388 if (X509_EXTENSION_get_critical(ext)) {
389 PROXY_CERT_INFO_EXTENSION *pci = (PROXY_CERT_INFO_EXTENSION *)X509V3_EXT_d2i(ext);
391 if ((pci->proxyPolicy) != 0) {
392 if ((pci->proxyPolicy->policyLanguage) != 0) {
396 DEBUG(
"Found RFC 382{0,1}compliant proxyCertInfo extension");
397 if (X509_get_ext_by_NID(cert, NID_proxyCertInfo, idx) != -1) {
398 PRINT(
"WARNING: multiple proxyCertInfo extensions found: taking the first");
401 PRINT(
"ERROR: accessing policy language from proxyCertInfo extension");
404 PRINT(
"ERROR: accessing policy from proxyCertInfo extension");
406 PROXY_CERT_INFO_EXTENSION_free(pci);
408 PRINT(
"ERROR: proxyCertInfo conversion error");
411 PRINT(
"ERROR: proxyCertInfo not flagged as critical");
414 if (!pxyname || done)
return;
418 if (lastcn ==
"proxy" || lastcn ==
"limited proxy") {
440 auto tmprsa = std::make_unique<XrdCryptosslRSA>((EVP_PKEY*)newpki, 1);
448 pki = tmprsa.release();
491 if (subject.
length() <= 0) {
495 DEBUG(
"WARNING: no certificate available - cannot extract subject name");
496 return (
const char *)0;
504 return (subject.
length() > 0) ? subject.
c_str() : (
const char *)0;
514 if (issuer.
length() <= 0) {
518 DEBUG(
"WARNING: no certificate available - cannot extract issuer name");
519 return (
const char *)0;
527 return (issuer.
length() > 0) ? issuer.
c_str() : (
const char *)0;
536 EPNAME(
"X509::IssuerHash");
538 #if (OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(__APPLE__))
541 if (issueroldhash.
length() <= 0) {
544 char chash[30] = {0};
545 snprintf(chash,
sizeof(chash),
546 "%08lx.0",X509_NAME_hash_old(X509_get_issuer_name(cert)));
547 issueroldhash = chash;
549 DEBUG(
"WARNING: no certificate available - cannot extract issuer hash (md5)");
553 return (issueroldhash.
length() > 0) ? issueroldhash.
c_str() : (
const char *)0;
560 if (issuerhash.
length() <= 0) {
564 char chash[30] = {0};
565 snprintf(chash,
sizeof(chash),
566 "%08lx.0",X509_NAME_hash(X509_get_issuer_name(cert)));
569 DEBUG(
"WARNING: no certificate available - cannot extract issuer hash (default)");
574 return (issuerhash.
length() > 0) ? issuerhash.
c_str() : (
const char *)0;
583 EPNAME(
"X509::SubjectHash");
585 #if (OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(__APPLE__))
588 if (subjectoldhash.
length() <= 0) {
591 char chash[30] = {0};
592 snprintf(chash,
sizeof(chash),
593 "%08lx.0",X509_NAME_hash_old(X509_get_subject_name(cert)));
594 subjectoldhash = chash;
596 DEBUG(
"WARNING: no certificate available - cannot extract subject hash (md5)");
600 return (subjectoldhash.
length() > 0) ? subjectoldhash.
c_str() : (
const char *)0;
607 if (subjecthash.
length() <= 0) {
611 char chash[30] = {0};
612 snprintf(chash,
sizeof(chash),
613 "%08lx.0",X509_NAME_hash(X509_get_subject_name(cert)));
616 DEBUG(
"WARNING: no certificate available - cannot extract subject hash (default)");
621 return (subjecthash.
length() > 0) ? subjecthash.
c_str() : (
const char *)0;
630 if (cert && X509_get_serialNumber(cert)) {
631 BIGNUM *bn = BN_new();
632 ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), bn);
633 char *sn = BN_bn2dec(bn);
634 sernum = strtoll(sn, 0, 10);
648 if (cert && X509_get_serialNumber(cert)) {
649 BIGNUM *bn = BN_new();
650 ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), bn);
651 char *sn = BN_bn2hex(bn);
665 EPNAME(
"X509::GetExtension");
670 DEBUG(
"OID string not defined");
676 DEBUG(
"certificate is not initialized");
681 int numext = X509_get_ext_count(cert);
683 DEBUG(
"certificate has got no extensions");
686 DEBUG(
"certificate has "<<numext<<
" extensions");
690 int nid = OBJ_sn2nid(oid);
691 bool usenid = (nid > 0);
695 X509_EXTENSION *wext = 0;
696 for (i = 0; i< numext; i++) {
697 wext = X509_get_ext(cert, i);
699 int enid = OBJ_obj2nid(X509_EXTENSION_get_object(wext));
705 OBJ_obj2txt(s,
sizeof(s), X509_EXTENSION_get_object(wext), 1);
715 DEBUG(
"Extension "<<oid<<
" not found");
731 DEBUG(
"serialization already performed:"
732 " return previous result ("<<bucket->
size<<
" bytes)");
738 DEBUG(
"certificate is not initialized");
744 BIO *bmem = BIO_new(BIO_s_mem());
746 DEBUG(
"unable to create BIO for memory operations");
751 if (!PEM_write_bio_X509(bmem, cert)) {
752 DEBUG(
"unable to write certificate to memory BIO");
758 int blen = BIO_get_mem_data(bmem, &bdata);
759 DEBUG(
"BIO data: "<<blen<<
" bytes at 0x"<<(
int *)bdata);
765 bucket->
SetBuf(bdata, blen);
766 DEBUG(
"result of serialization: "<<bucket->
size<<
" bytes");
768 DEBUG(
"unable to create bucket for serialized format");
791 X509 *r = ref ? (X509 *)(ref->
Opaque()) : 0;
792 EVP_PKEY *rk = r ? X509_get_pubkey(r) : 0;
797 int rc = X509_verify(cert, rk);
802 DEBUG(
"signature not OK");
805 DEBUG(
"could not verify signature");
822 X509 *xpi = (X509 *)
Opaque();
826 PRINT(
"we are empty! Do nothing");
832 X509_EXTENSION *xpiext = 0;
833 int npiext = X509_get_ext_count(xpi);
834 PRINT(
"found "<<npiext<<
" extensions ");
836 for (i = 0; i< npiext; i++) {
837 xpiext = X509_get_ext(xpi, i);
839 OBJ_obj2txt(s,
sizeof(s), X509_EXTENSION_get_object(xpiext), 1);
840 int crit = X509_EXTENSION_get_critical(xpiext);
842 PRINT(i <<
": found extension '"<<s<<
"', critical: " << crit);
846 long length = X509_EXTENSION_get_data(xpiext)->length;
847 int ret = FillUnknownExt(&pp, length, dumpunknown);
848 PRINT(
"ret: " << ret);
856 int XrdCryptosslX509::FillUnknownExt(
XRDGSI_CONST unsigned char **pp,
long length,
bool dump)
863 int tag, xclass, ret = 0;
866 ASN1_OCTET_STRING *os = 0;
875 while ((p < tot) && (op < p)) {
877 j = ASN1_get_object(&p, &len, &tag, &xclass, length);
882 if (dump)
PRINT(
"ERROR: error in encoding");
890 if (j != (V_ASN1_CONSTRUCTED | 1)) {
891 if (dump)
PRINT(
"PRIM: d="<<depth<<
" hl="<<hl<<
" l="<<len);
893 if (dump)
PRINT(
"CONST: d="<<depth<<
" hl="<<hl<<
" l=inf ");
895 if (!Asn1PrintInfo(tag, xclass, j, (indent) ? depth : 0))
897 if (j & V_ASN1_CONSTRUCTED) {
899 if (dump)
PRINT(
" ");
901 if (dump)
PRINT(
"ERROR:CONST: length is greater than " <<length);
905 if ((j == 0x21) && (len == 0)) {
907 r = FillUnknownExt(&p, (
long)(tot-p), dump);
912 if ((r == 2) || (p >= tot))
917 r = FillUnknownExt(&p, (
long)len, dump);
924 }
else if (xclass != 0) {
926 if (dump)
PRINT(
" ");
929 if ((tag == V_ASN1_PRINTABLESTRING) ||
930 (tag == V_ASN1_T61STRING) ||
931 (tag == V_ASN1_IA5STRING) ||
932 (tag == V_ASN1_VISIBLESTRING) ||
933 (tag == V_ASN1_NUMERICSTRING) ||
934 (tag == V_ASN1_UTF8STRING) ||
935 (tag == V_ASN1_UTCTIME) ||
936 (tag == V_ASN1_GENERALIZEDTIME)) {
938 char *s =
new char[len + 1];
941 if (dump)
PRINT(
"GENERIC:" << s <<
" (len: "<<(
int)len<<
")");
944 if (dump)
PRINT(
"GENERIC: (len: "<<(
int)len<<
")");
946 }
else if (tag == V_ASN1_OBJECT) {
948 if (d2i_ASN1_OBJECT(&o, &opp, len+hl)) {
949 BIO *mem = BIO_new(BIO_s_mem());
950 i2a_ASN1_OBJECT(mem, o);
954 if (dump)
PRINT(
"ERROR:AOBJ: BAD OBJECT");
956 }
else if (tag == V_ASN1_BOOLEAN) {
958 if (dump)
PRINT(
"ERROR:BOOL: Bad boolean");
961 if (dump)
PRINT(
"BOOL:"<< p[0]);
962 }
else if (tag == V_ASN1_BMPSTRING) {
964 }
else if (tag == V_ASN1_OCTET_STRING) {
965 int i, printable = 1;
967 os = d2i_ASN1_OCTET_STRING(0, &opp, len + hl);
968 if (os && os->length > 0) {
971 for (i=0; i<os->length; i++) {
972 if (( (opp[i] <
' ') && (opp[i] !=
'\n') &&
973 (opp[i] !=
'\r') && (opp[i] !=
'\t')) || (opp[i] >
'~')) {
980 char *s =
new char[os->length + 1];
981 memcpy(s, opp, os->length);
983 if (dump)
PRINT(
"OBJS:" << s <<
" (len: "<<os->length<<
")");
987 if (!nl)
PRINT(
"OBJS:");
988 BIO *mem = BIO_new(BIO_s_mem());
989 if (BIO_dump_indent(mem, (
const char *)opp, os->length, dump_indent) <= 0) {
990 if (dump)
PRINT(
"ERROR:OBJS: problems dumping to BIO");
999 ASN1_OCTET_STRING_free(os);
1002 }
else if (tag == V_ASN1_INTEGER) {
1007 bs = d2i_ASN1_INTEGER(0, &opp, len+hl);
1009 if (dump)
PRINT(
"AINT:");
1010 if (bs->type == V_ASN1_NEG_INTEGER)
1011 if (dump)
PRINT(
"-");
1012 BIO *mem = BIO_new(BIO_s_mem());
1013 for (i = 0; i < bs->length; i++) {
1014 if (BIO_printf(mem,
"%02X", bs->data[i]) <= 0) {
1015 if (dump)
PRINT(
"ERROR:AINT: problems printf-ing to BIO");
1021 if (bs->length == 0)
PRINT(
"00");
1023 if (dump)
PRINT(
"ERROR:AINT: BAD INTEGER");
1025 ASN1_INTEGER_free(bs);
1026 }
else if (tag == V_ASN1_ENUMERATED) {
1027 ASN1_ENUMERATED *bs;
1031 bs = d2i_ASN1_ENUMERATED(0, &opp, len+hl);
1033 if (dump)
PRINT(
"AENU:");
1034 if (bs->type == V_ASN1_NEG_ENUMERATED)
1035 if (dump)
PRINT(
"-");
1036 BIO *mem = BIO_new(BIO_s_mem());
1037 for (i = 0; i < bs->length; i++) {
1038 if (BIO_printf(mem,
"%02X", bs->data[i]) <= 0) {
1039 if (dump)
PRINT(
"ERROR:AENU: problems printf-ing to BIO");
1045 if (bs->length == 0)
PRINT(
"00");
1047 if (dump)
PRINT(
"ERROR:AENU: BAD ENUMERATED");
1049 ASN1_ENUMERATED_free(bs);
1052 if (!nl && dump)
PRINT(
" ");
1055 if ((tag == V_ASN1_EOC) && (xclass == 0)) {
1064 if (o) ASN1_OBJECT_free(o);
1065 if (os) ASN1_OCTET_STRING_free(os);
1067 if (dump)
PRINT(
"ret: "<<ret);
1073 int XrdCryptosslX509::Asn1PrintInfo(
int tag,
int xclass,
int constructed,
int indent)
1078 static const char fmt[]=
"%-18s";
1079 static const char fmt2[]=
"%2d %-15s";
1081 const char *p, *p2 = 0;
1083 BIO *bp = BIO_new(BIO_s_mem());
1084 if (constructed & V_ASN1_CONSTRUCTED)
1088 if (BIO_write(bp, p, 6) < 6)
1090 BIO_indent(bp, indent, 128);
1093 if ((xclass & V_ASN1_PRIVATE) == V_ASN1_PRIVATE)
1094 BIO_snprintf(str,
sizeof str,
"priv [ %d ] ",tag);
1095 else if ((xclass & V_ASN1_CONTEXT_SPECIFIC) == V_ASN1_CONTEXT_SPECIFIC)
1096 BIO_snprintf(str,
sizeof str,
"cont [ %d ]",tag);
1097 else if ((xclass & V_ASN1_APPLICATION) == V_ASN1_APPLICATION)
1098 BIO_snprintf(str,
sizeof str,
"appl [ %d ]",tag);
1100 BIO_snprintf(str,
sizeof str,
"<ASN1 %d>",tag);
1102 p = ASN1_tag2str(tag);
1105 if (BIO_printf(bp,fmt2,tag,p2) <= 0)
1108 if (BIO_printf(bp, fmt, p) <= 0)
1131 GENERAL_NAMES *gens =
static_cast<GENERAL_NAMES *
>(X509_get_ext_d2i(cert,
1132 NID_subject_alt_name, NULL, NULL));
1146 bool success =
false;
1147 for (
int idx = 0; idx < sk_GENERAL_NAME_num(gens); idx++) {
1150 gen = sk_GENERAL_NAME_value(gens, idx);
1151 if (gen->type != GEN_DNS)
1153 cstr = gen->d.dNSName;
1154 if (ASN1_STRING_type(cstr) != V_ASN1_IA5STRING)
1156 int san_fqdn_len = ASN1_STRING_length(cstr);
1157 if (san_fqdn_len > 255)
1159 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
1160 memcpy(san_fqdn, ASN1_STRING_get0_data(cstr), san_fqdn_len);
1162 memcpy(san_fqdn, ASN1_STRING_data(cstr), san_fqdn_len);
1164 san_fqdn[san_fqdn_len] =
'\0';
1165 if (strlen(san_fqdn) !=
static_cast<size_t>(san_fqdn_len))
1167 DEBUG(
"Comparing SAN " << san_fqdn <<
" with " << fqdn);
1169 DEBUG(
"SAN " << san_fqdn <<
" matches with " << fqdn);
1174 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
void XrdCryptosslNameOneLine(X509_NAME *nm, XrdOucString &s)
time_t XrdCryptosslASN1toUTC(const ASN1_TIME *tsn1)
int XrdCryptosslX509CheckProxy3(XrdCryptoX509 *, XrdOucString &)
int stat(const char *path, struct stat *buf)
int open(const char *path, int oflag,...)
int fstat(int fildes, struct stat *buf)
int emsg(int rc, char *msg)
const char * IssuerHash()
virtual XrdCryptoX509data Opaque()
const char * SubjectHash()
static bool MatchHostnames(const char *match_pattern, const char *fqdn)
XrdCryptoX509data GetExtension(const char *oid)
int DumpExtensions(bool dumpunknown=0)
virtual ~XrdCryptosslX509()
XrdOucString SerialNumberString()
XrdCryptoX509data Opaque()
bool Verify(XrdCryptoX509 *ref)
virtual bool MatchesSAN(const char *, bool &)
XrdCryptosslX509(const char *cf, const char *kf=0)
void SetPKI(XrdCryptoX509data pki)
const char * c_str() const
int rfind(const char c, int start=STR_NPOS)
int SetBuf(const char *nb=0, int ns=0)