XRootD
XrdCryptosslX509 Class Reference

#include <XrdCryptosslX509.hh>


Public Member Functions

 XrdCryptosslX509 (const char *cf, const char *kf=0)
 XrdCryptosslX509 (X509 *cert)
 XrdCryptosslX509 (XrdSutBucket *bck)
virtual ~XrdCryptosslX509 ()
int BitStrength ()
int DumpExtensions (bool dumpunknown=0)
XrdSutBucket * Export ()
XrdCryptoX509data GetExtension (const char *oid)
const char * Issuer ()
const char * IssuerHash (int=0)
virtual bool MatchesSAN (const char *, bool &)
time_t NotAfter ()
time_t NotBefore ()
XrdCryptoX509data Opaque ()
const char * ParentFile ()
XrdCryptoRSA * PKI ()
const char * ProxyType () const
kXR_int64 SerialNumber ()
XrdOucString SerialNumberString ()
void SetPKI (XrdCryptoX509data pki)
const char * Subject ()
const char * SubjectHash (int=0)
bool Verify (XrdCryptoX509 *ref)
Public Member Functions inherited from XrdCryptoX509
 XrdCryptoX509 ()
virtual ~XrdCryptoX509 ()
virtual void Dump ()
virtual bool IsExpired (int when=0)
const char * IssuerHash ()
virtual bool IsValid (int when=0)
const char * SubjectHash ()
const char * Type (EX509Type t=kUnknown) const

Additional Inherited Members

Public Types inherited from XrdCryptoX509
enum  EX509Type {
  kUnknown = -1 ,
  kCA = 0 ,
  kEEC = 1 ,
  kProxy = 2
}
Static Public Member Functions inherited from XrdCryptoX509
static bool MatchHostnames (const char *match_pattern, const char *fqdn)
Public Attributes inherited from XrdCryptoX509
EX509Type type

Detailed Description

Definition at line 48 of file XrdCryptosslX509.hh.

Constructor & Destructor Documentation

◆ XrdCryptosslX509() [1/3]

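// Definition at line 66 of file XrdCryptosslX509.cc.
XrdCryptosslX509::XrdCryptosslX509(const char *cf, const char *kf)
                 : XrdCryptoX509()
{
   // Constructor: load a PEM certificate from file 'cf'. If 'kf' is given,
   // also read the PEM private key from 'kf' and complete the certificate's
   // key pair with it (PKI()->status == kComplete on success).
   //
   // Errors are not thrown: on failure the object is left with cert == 0
   // (and pki == 0) and the reason is only DEBUG-logged, so callers must
   // check Opaque()/PKI() before relying on the object.
   //
   // Security-relevant checks:
   //  - the key file must be a regular file that is neither readable nor
   //    writable by 'other' and not writable by 'group' (0640 at most);
   //    this is checked with fstat() on the already-open descriptor, i.e.
   //    on the file that is actually read, not on a path that could be
   //    swapped underneath us. File ownership is not checked.
   //  - a key that is not consistent with the certificate (wrapper status
   //    != kComplete) is discarded and only the public key is kept.
   EPNAME("X509::XrdCryptosslX509_file");

   // Init private members
   cert = 0;            // The certificate object
   notbefore = -1;      // begin-validity time in secs since Epoch
   notafter = -1;       // end-validity time in secs since Epoch
   subject = "";        // subject;
   issuer = "";         // issuer;
   subjecthash = "";    // hash of subject;
   issuerhash = "";     // hash of issuer;
   subjectoldhash = ""; // hash of subject (md5 algorithm);
   issueroldhash = "";  // hash of issuer (md5 algorithm);
   srcfile = "";        // source file;
   bucket = 0;          // bucket for serialization
   pki = 0;             // PKI of the certificate
   pxytype = 0;         // Proxy sub-type

   // Make sure file name is defined;
   if (!cf) {
      DEBUG("file name undefined");
      return;
   }

   // Make sure file exists and is accessible
   struct stat st;
   int fd = open(cf, O_RDONLY);
   if (fd == -1) {
      if (errno == ENOENT) {
         DEBUG("file "<<cf<<" does not exist - do nothing");
      } else {
         DEBUG("cannot open file "<<cf<<" (errno: "<<errno<<")");
      }
      return;
   }
   if (fstat(fd, &st) != 0) {
      DEBUG("cannot stat file "<<cf<<" (errno: "<<errno<<")");
      close(fd);
      return;
   }

   // Wrap the descriptor in a stream; from here on fclose() also closes fd
   FILE *fc = fdopen(fd, "r");
   if (!fc) {
      DEBUG("cannot fdopen file "<<cf<<" (errno: "<<errno<<")");
      close(fd);
      return;
   }

   // Read the content
   if (!PEM_read_X509(fc, &cert, 0, 0)) {
      DEBUG("Unable to load certificate from file");
      fclose(fc);   // the stream (and its descriptor) used to leak on this path
      return;
   }
   DEBUG("certificate successfully loaded");
   fclose(fc);

   // Save source file name
   srcfile = cf;

   // Init some of the private members (the others upon need)
   Subject();
   Issuer();
   CertType();

   // Read the private key file, if specified
   if (kf) {
      // NOTE: the early returns below leave pki == 0 (certificate loaded,
      // PKI() null), whereas a key that fails to parse or does not match
      // falls back to the public-only key further down. Callers must not
      // assume PKI() is non-null after construction with a key file.
      int kfd = open(kf, O_RDONLY);
      if (kfd == -1) {
         DEBUG("cannot open file "<<kf<<" (errno: "<<errno<<")");
         return;
      }
      if (fstat(kfd, &st) == -1) {
         DEBUG("cannot stat private key file "<<kf<<" (errno:"<<errno<<")");
         close(kfd);
         return;
      }
      // Refuse keys that are not plain files, or that are exposed to
      // group write or to any access by 'other'
      if (!S_ISREG(st.st_mode) ||
          (st.st_mode & (S_IROTH | S_IWOTH)) != 0 ||
          (st.st_mode & S_IWGRP) != 0) {
         DEBUG("private key file "<<kf<<" has wrong permissions "<<
               (st.st_mode & 0777) << " (should be at most 0640)");
         close(kfd);
         return;
      }
      FILE *fk = fdopen(kfd, "r");
      if (!fk) {
         DEBUG("cannot open file "<<kf<<" (errno: "<<errno<<")");
         close(kfd);
         return;
      }
      // This call fills the full key, i.e. also the public part
      // (not really documented, though)
      EVP_PKEY *evpp = PEM_read_PrivateKey(fk, 0, 0, 0);
      if (evpp) {
         DEBUG("RSA key completed ");
         // Wrap the key (second argument 1: presumably "check consistency")
         // and keep it only if private and public parts agree
         auto tmprsa = std::make_unique<XrdCryptosslRSA>(evpp, 1);
         if (tmprsa->status == XrdCryptoRSA::kComplete)
            pki = tmprsa.release();
      } else {
         DEBUG("cannot read the key from file");
      }
      fclose(fk);
   }

   // If there were no private key or we did not manage to import it
   // init pki with the partial (public-only) key
   if (!pki)
      pki = new XrdCryptosslRSA(X509_get_pubkey(cert), 0);
}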

References XrdCryptoX509::XrdCryptoX509(), close, DEBUG, EPNAME, fclose(), fstat, Issuer(), XrdCryptoRSA::kComplete, open, stat, and Subject().


◆ XrdCryptosslX509() [2/3]

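// Definition at line 190 of file XrdCryptosslX509.cc.
XrdCryptosslX509::XrdCryptosslX509(XrdSutBucket *buck)
                 : XrdCryptoX509()
{
   // Constructor: decode a PEM certificate from the serialized bucket
   // 'buck' (the form produced by Export()). The bucket is only read, never
   // owned. On any failure the object is left with cert == 0 and the reason
   // is DEBUG-logged; callers must check Opaque() before use.
   // The bucket content is wire data from the peer: all parsing is left to
   // OpenSSL's PEM/DER decoder, nothing is interpreted here.
   EPNAME("X509::XrdCryptosslX509_bio");

   // Init private members
   cert = 0;            // The certificate object
   notbefore = -1;      // begin-validity time in secs since Epoch
   notafter = -1;       // end-validity time in secs since Epoch
   subject = "";        // subject;
   issuer = "";         // issuer;
   subjecthash = "";    // hash of subject;
   issuerhash = "";     // hash of issuer;
   subjectoldhash = ""; // hash of subject (md5 algorithm);
   issueroldhash = "";  // hash of issuer (md5 algorithm);
   srcfile = "";        // source file;
   bucket = 0;          // bucket for serialization
   pki = 0;             // PKI of the certificate
   pxytype = 0;         // Proxy sub-type

   // Make sure we got something;
   if (!buck) {
      DEBUG("got undefined opaque buffer");
      return;
   }
   // Reject pointer-less or empty payloads before handing them to BIO_write
   if (!buck->buffer || buck->size <= 0) {
      DEBUG("got empty opaque buffer");
      return;
   }

   // Create a bio_mem to hold the PEM bytes
   BIO *bmem = BIO_new(BIO_s_mem());
   if (!bmem) {
      DEBUG("unable to create BIO for memory operations");
      return;
   }

   // Write data to BIO
   int nw = BIO_write(bmem, (const void *)(buck->buffer), buck->size);
   if (nw != buck->size) {
      DEBUG("problems writing data to memory BIO (nw: "<<nw<<")");
      BIO_free(bmem);   // used to leak on this path
      return;
   }

   // Get certificate from BIO; the BIO is no longer needed either way
   cert = PEM_read_bio_X509(bmem, 0, 0, 0);
   BIO_free(bmem);      // used to leak when decoding failed
   if (!cert) {
      DEBUG("unable to read certificate to memory BIO");
      return;
   }

   // Init some of the private members (the others upon need)
   Subject();
   Issuer();
   CertType();

   // Get the public key and wrap it as a partial (public-only) key pair
   EVP_PKEY *evpp = X509_get_pubkey(cert);
   if (evpp) {
      pki = new XrdCryptosslRSA(evpp, 0);
   } else {
      DEBUG("could not access the public key");
   }
}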

References XrdCryptoX509::XrdCryptoX509(), XrdSutBucket::buffer, DEBUG, EPNAME, Issuer(), XrdSutBucket::size, and Subject().


◆ XrdCryptosslX509() [3/3]

// Definition at line 259 of file XrdCryptosslX509.cc.
XrdCryptosslX509::XrdCryptosslX509(X509 *xc)
                 : XrdCryptoX509()
{
   // Constructor: adopt an already-parsed OpenSSL X509 object.
   // Ownership of 'xc' passes to this object: the destructor calls
   // X509_free() on it, so the caller must not free it (and must hold its
   // own reference if it keeps using it). A null 'xc' leaves the object
   // empty (cert == 0, pki == 0).
   EPNAME("X509::XrdCryptosslX509_x509");

   // Init private members
   cert = 0;            // The certificate object
   notbefore = -1;      // begin-validity time in secs since Epoch
   notafter = -1;       // end-validity time in secs since Epoch
   subject = "";        // subject;
   issuer = "";         // issuer;
   subjecthash = "";    // hash of subject;
   issuerhash = "";     // hash of issuer;
   subjectoldhash = ""; // hash of subject (md5 algorithm);
   issueroldhash = "";  // hash of issuer (md5 algorithm);
   srcfile = "";        // source file;
   bucket = 0;          // bucket for serialization
   pki = 0;             // PKI of the certificate
   pxytype = 0;         // Proxy sub-type

   if (!xc) {
      DEBUG("got undefined X509 object");
      return;
   }

   // Take over the certificate
   cert = xc;

   // Init some of the private members (the others upon need)
   Subject();
   Issuer();
   CertType();

   // Wrap the public key as a partial (public-only) key pair
   EVP_PKEY *pub = X509_get_pubkey(cert);
   if (!pub) {
      DEBUG("could not access the public key");
      return;
   }
   pki = new XrdCryptosslRSA(pub, 0);
}

References XrdCryptoX509::XrdCryptoX509(), DEBUG, EPNAME, Issuer(), and Subject().


◆ ~XrdCryptosslX509()

// virtual.
// Definition at line 307 of file XrdCryptosslX509.cc.
XrdCryptosslX509::~XrdCryptosslX509()
{
   // Destructor: release the OpenSSL certificate (owned since construction,
   // whichever constructor was used) and the key-pair wrapper.
   // NOTE(review): the serialization bucket created by Export() (member
   // 'bucket') is not released here; whether ownership lies with the
   // caller of Export() cannot be told from this file - confirm before
   // adding a delete, since it could double-free.
   if (cert)
      X509_free(cert);
   cert = 0;
   delete pki;   // deleting a null pointer is a no-op
   pki = 0;
}

Member Function Documentation

◆ BitStrength()

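// inline, virtual; reimplemented from XrdCryptoX509.
// Definition at line 77 of file XrdCryptosslX509.hh.
inline int XrdCryptosslX509::BitStrength()
{
   // Size in bits of the certificate's public key: -1 when there is no
   // certificate, 0 when the key cannot be extracted.
   if (!cert)
      return -1;
   // X509_get_pubkey() returns a new reference; it used to be leaked on
   // every call, so release it once the size has been read.
   EVP_PKEY *pub = X509_get_pubkey(cert);
   if (!pub)
      return 0;
   const int bits = EVP_PKEY_bits(pub);
   EVP_PKEY_free(pub);
   return bits;
}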

◆ DumpExtensions()

// virtual; reimplemented from XrdCryptoX509.
// Definition at line 806 of file XrdCryptosslX509.cc.
int XrdCryptosslX509::DumpExtensions(bool dumpunknown)
{
   // Print every extension of the certificate (dotted OID and critical
   // flag) and pass its raw DER content to FillUnknownExt(), forwarding
   // 'dumpunknown' to it. Diagnostic only; nothing is validated here.
   // Returns -1 when there is no certificate, 0 when at least one extension
   // was processed and 1 when the certificate carries none.
   EPNAME("DumpExtensions");

   X509 *x = (X509 *) Opaque();
   if (!x) {
      PRINT("we are empty! Do nothing");
      return -1;
   }

   const int next = X509_get_ext_count(x);
   PRINT("found "<<next<<" extensions ");

   int rc = 1;
   for (int i = 0; i < next; i++) {
      X509_EXTENSION *ext = X509_get_ext(x, i);
      // Dotted-numeric OID (no_name = 1); OBJ_obj2txt always NUL-terminates
      char oid[256];
      OBJ_obj2txt(oid, sizeof(oid), X509_EXTENSION_get_object(ext), 1);
      // Evaluated outside PRINT(): the macro may compile to nothing
      const int crit = X509_EXTENSION_get_critical(ext);
      PRINT(i << ": found extension '"<<oid<<"', critical: " << crit);
      rc = 0;
      // Raw DER content of the extension value
      ASN1_OCTET_STRING *der = X509_EXTENSION_get_data(ext);
      const unsigned char *pp = ASN1_STRING_get0_data(der);
      long length = ASN1_STRING_length(der);
      const int ret = FillUnknownExt(&pp, length, dumpunknown);
      PRINT("ret: " << ret);
   }

   return rc;
}

References EPNAME, Opaque(), and PRINT.


◆ Export()

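// virtual; reimplemented from XrdCryptoX509.
// Definition at line 716 of file XrdCryptosslX509.cc.
XrdSutBucket *XrdCryptosslX509::Export()
{
   // Serialize the certificate in PEM form into a bucket of type kXRS_x509
   // (the format the bucket constructor reads back). The result is cached
   // in 'bucket' and the very same pointer is returned on every later call,
   // so callers must not delete or modify it. Returns 0 when there is no
   // certificate or serialization fails.
   EPNAME("X509::Export");

   // If we have already done it, return the previous result
   if (bucket) {
      DEBUG("serialization already performed:"
            " return previous result ("<<bucket->size<<" bytes)");
      return bucket;
   }

   // Make sure we got something to export
   if (!cert) {
      DEBUG("certificate is not initialized");
      return 0;
   }

   // Memory BIO to serialize the certificate into
   BIO *bmem = BIO_new(BIO_s_mem());
   if (!bmem) {
      DEBUG("unable to create BIO for memory operations");
      return 0;
   }

   // Write certificate to BIO
   if (!PEM_write_bio_X509(bmem, cert)) {
      DEBUG("unable to write certificate to memory BIO");
      BIO_free(bmem);   // used to leak on this path
      return 0;
   }

   // Extract pointer to BIO data and length of segment
   char *bdata = 0;
   int blen = BIO_get_mem_data(bmem, &bdata);
   DEBUG("BIO data: "<<blen<<" bytes at 0x"<<(int *)bdata);

   // Create and fill the bucket. SetBuf() is assumed to copy the bytes:
   // the BIO that owns them is released right below, as it always was.
   bucket = new XrdSutBucket(0,0,kXRS_x509);
   bucket->SetBuf(bdata, blen);
   DEBUG("result of serialization: "<<bucket->size<<" bytes");

   BIO_free(bmem);
   return bucket;
}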

References DEBUG, EPNAME, and kXRS_x509.

◆ GetExtension()

// virtual; reimplemented from XrdCryptoX509.
// Definition at line 653 of file XrdCryptosslX509.cc.
XrdCryptoX509data XrdCryptosslX509::GetExtension(const char *oid)
{
   // Look up an extension either by OpenSSL short name (e.g. "basicConstraints")
   // or, when 'oid' is not a known short name, by its dotted-numeric text
   // form, and return the X509_EXTENSION* in opaque form (0 if absent).
   // The returned pointer is owned by the certificate: never free it and
   // do not use it after this object is destroyed.
   EPNAME("X509::GetExtension");

   if (!oid) {
      DEBUG("OID string not defined");
      return 0;
   }
   if (!cert) {
      DEBUG("certificate is not initialized");
      return 0;
   }

   const int numext = X509_get_ext_count(cert);
   if (numext <= 0) {
      DEBUG("certificate has got no extensions");
      return 0;
   }
   DEBUG("certificate has "<<numext<<" extensions");

   int idx = -1;
   const int nid = OBJ_sn2nid(oid);
   if (nid > 0) {
      // Known short name: compare by NID (first match wins)
      idx = X509_get_ext_by_NID(cert, nid, -1);
   } else {
      // Otherwise compare the dotted-numeric text of each extension's OID
      for (int i = 0; i < numext && idx < 0; i++) {
         char txt[256];
         OBJ_obj2txt(txt, sizeof(txt),
                     X509_EXTENSION_get_object(X509_get_ext(cert, i)), 1);
         if (!strcmp(txt, oid))
            idx = i;
      }
   }

   if (idx < 0) {
      DEBUG("Extension "<<oid<<" not found");
      return 0;
   }
   return (XrdCryptoX509data) X509_get_ext(cert, idx);
}

References DEBUG, and EPNAME.

◆ Issuer()

// virtual; reimplemented from XrdCryptoX509.
// Definition at line 508 of file XrdCryptosslX509.cc.
const char *XrdCryptosslX509::Issuer()
{
   // Issuer DN in one-line form (as produced by XrdCryptosslNameOneLine),
   // extracted on first use and cached in 'issuer'. Returns 0 when there is
   // no certificate or the name came out empty. The pointer refers to
   // storage owned by this object.
   EPNAME("X509::Issuer");

   if (issuer.length() > 0)
      return issuer.c_str();

   if (!cert) {
      DEBUG("WARNING: no certificate available - cannot extract issuer name");
      return (const char *)0;
   }

   XrdCryptosslNameOneLine(X509_get_issuer_name(cert), issuer);
   return (issuer.length() > 0) ? issuer.c_str() : (const char *)0;
}

References DEBUG, EPNAME, and XrdCryptosslNameOneLine().

Referenced by XrdCryptosslX509(), XrdCryptosslX509(), and XrdCryptosslX509().


◆ IssuerHash()

// virtual; reimplemented from XrdCryptoX509.
// Definition at line 531 of file XrdCryptosslX509.cc.
const char *XrdCryptosslX509::IssuerHash(int alg)
{
   // Hash of the issuer DN in OpenSSL's "xxxxxxxx.0" CA-directory form.
   //   alg == 1 : X509_NAME_hash_old (MD5 based, pre-1.0.0 layout)
   //   otherwise: X509_NAME_hash (the layout used by OpenSSL >= 1.0.0)
   // Both are 32-bit directory lookup keys, not collision-resistant
   // identifiers: never use them alone to decide trust.
   // Computed once per algorithm and cached; 0 when there is no certificate.
   EPNAME("X509::IssuerHash");

   XrdOucString &cache = (alg == 1) ? issueroldhash : issuerhash;
   if (cache.length() <= 0) {
      if (!cert) {
         if (alg == 1) {
            DEBUG("WARNING: no certificate available - cannot extract issuer hash (md5)");
         } else {
            DEBUG("WARNING: no certificate available - cannot extract issuer hash (default)");
         }
      } else {
         X509_NAME *nm = X509_get_issuer_name(cert);
         unsigned long h = (alg == 1) ? X509_NAME_hash_old(nm) : X509_NAME_hash(nm);
         char chash[30] = {0};
         snprintf(chash, sizeof(chash), "%08lx.0", h);
         cache = chash;
      }
   }

   return (cache.length() > 0) ? cache.c_str() : (const char *)0;
}

References DEBUG, and EPNAME.

◆ MatchesSAN()

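// virtual; implements XrdCryptoX509.
// Definition at line 1111 of file XrdCryptosslX509.cc.
bool XrdCryptosslX509::MatchesSAN(const char *fqdn, bool &hasSAN)
{
   // Check whether 'fqdn' matches one of the dNSName entries of the
   // certificate's subjectAltName extension (comparison, including any
   // wildcard rules, is delegated to MatchHostnames). 'hasSAN' is set to
   // true only when a SAN extension was found on an EEC: a false return with
   // hasSAN == false lets the caller fall back to the common name, whereas a
   // false return with hasSAN == true means the name really does not match.
   // Only IA5String dNSName entries without embedded NUL are considered;
   // other SAN types (IP, email, URI, ...) are ignored.
   EPNAME("MatchesSAN");

   // Statically allocated array for hostname lengths. RFC1035 limits
   // valid lengths to 255 characters.
   char san_fqdn[256];

   // Assume we have no SAN extension. Failure may allow the caller to try
   // using the common name before giving up.
   hasSAN = false;

   // Nothing to examine without a certificate (X509_get_ext_d2i must not
   // be handed a null X509)
   if (!cert)
      return false;

   // Only an EEC is usable as a host certificate. Checked before the
   // extension is decoded, so nothing has to be released on this path
   // (the decoded GENERAL_NAMES used to be leaked here).
   if (type != kEEC)
      return false;

   GENERAL_NAMES *gens = static_cast<GENERAL_NAMES *>(
      X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL));
   if (!gens)
      return false;

   // All failures from here on are under the notion that we have a SAN
   // extension; 'gens' is ours and is released below on every path.
   hasSAN = true;

   bool success = false;
   if (fqdn) {
      for (int idx = 0; idx < sk_GENERAL_NAME_num(gens); idx++) {
         GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, idx);
         if (gen->type != GEN_DNS)
            continue;
         ASN1_STRING *cstr = gen->d.dNSName;
         if (ASN1_STRING_type(cstr) != V_ASN1_IA5STRING)
            continue;
         int san_fqdn_len = ASN1_STRING_length(cstr);
         if (san_fqdn_len < 0 || san_fqdn_len > 255)
            continue;
         memcpy(san_fqdn, ASN1_STRING_get0_data(cstr), san_fqdn_len);
         san_fqdn[san_fqdn_len] = '\0';
         // A NUL inside the SAN would make C string functions see a shorter
         // name than the certificate actually carries: skip such entries.
         if (strlen(san_fqdn) != static_cast<size_t>(san_fqdn_len))
            continue;
         DEBUG("Comparing SAN " << san_fqdn << " with " << fqdn);
         if (MatchHostnames(san_fqdn, fqdn)) {
            DEBUG("SAN " << san_fqdn << " matches with " << fqdn);
            success = true;
            break;
         }
      }
   }

   sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
   return success;
}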

References DEBUG, EPNAME, XrdCryptoX509::kEEC, XrdCryptoX509::MatchHostnames(), and XrdCryptoX509::type.


◆ NotAfter()

// virtual; reimplemented from XrdCryptoX509.
// Definition at line 469 of file XrdCryptosslX509.cc.
time_t XrdCryptosslX509::NotAfter()
{
   // End of the validity period in seconds since the Epoch (UTC), read once
   // from the certificate's notAfter field via XrdCryptosslASN1toUTC and
   // cached in 'notafter'. Without a certificate the cached sentinel (-1 as
   // initialized) is returned: treat a negative value as "unknown", never
   // as "valid forever".
   if (notafter >= 0 || !cert)
      return notafter;

   notafter = XrdCryptosslASN1toUTC(X509_get_notAfter(cert));
   return notafter;
}

References XrdCryptosslASN1toUTC().


◆ NotBefore()

// virtual; reimplemented from XrdCryptoX509.
// Definition at line 453 of file XrdCryptosslX509.cc.
time_t XrdCryptosslX509::NotBefore()
{
   // Start of the validity period in seconds since the Epoch (UTC), read
   // once from the certificate's notBefore field via XrdCryptosslASN1toUTC
   // and cached in 'notbefore'. Without a certificate the cached sentinel
   // (-1 as initialized) is returned; treat a negative value as "unknown".
   if (notbefore >= 0 || !cert)
      return notbefore;

   notbefore = XrdCryptosslASN1toUTC(X509_get_notBefore(cert));
   return notbefore;
}

References XrdCryptosslASN1toUTC().


◆ Opaque()

// inline, virtual; reimplemented from XrdCryptoX509.
// Definition at line 58 of file XrdCryptosslX509.hh.
inline XrdCryptoX509data XrdCryptosslX509::Opaque()
{
   // The underlying OpenSSL handle (an X509 *) in opaque form, 0 when not
   // initialized. The pointer remains owned by this object: callers must
   // neither free it nor keep it beyond this object's lifetime.
   return static_cast<XrdCryptoX509data>(cert);
}

Referenced by DumpExtensions().


◆ ParentFile()

// inline, virtual; reimplemented from XrdCryptoX509.
// Definition at line 71 of file XrdCryptosslX509.hh.
inline const char *XrdCryptosslX509::ParentFile()
{
   // Path the certificate was loaded from; only the file constructor sets
   // it, the bucket and X509 constructors leave it empty. The pointer
   // refers to storage owned by this object.
   return srcfile.c_str();
}

◆ PKI()

// inline, virtual; reimplemented from XrdCryptoX509.
// Definition at line 64 of file XrdCryptosslX509.hh.
inline XrdCryptoRSA *XrdCryptosslX509::PKI()
{
   // Key-pair wrapper (an XrdCryptosslRSA) of this certificate: public part
   // only, unless a matching private key was loaded by the file constructor
   // or attached with SetPKI() (then status == kComplete). Owned by this
   // object and released by the destructor. May be 0 when construction
   // failed part-way, so check before dereferencing.
   return pki;
}

◆ ProxyType()

// inline, virtual; reimplemented from XrdCryptoX509.
// Definition at line 74 of file XrdCryptosslX509.hh.
inline const char *XrdCryptosslX509::ProxyType() const
{
   // Textual name of the proxy sub-type. 'pxytype' (0 after construction,
   // presumably updated by CertType()) indexes the file-level 'cpxytype'
   // table, which is not visible here; no bounds check is performed.
   return cpxytype[pxytype];
}

◆ SerialNumber()

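// virtual; reimplemented from XrdCryptoX509.
// Definition at line 617 of file XrdCryptosslX509.cc.
kXR_int64 XrdCryptosslX509::SerialNumber()
{
   // Serial number as a signed 64-bit integer, -1 when unavailable.
   // RFC 5280 allows serials of up to 20 octets, so values that do not fit
   // are saturated by strtoll() (LLONG_MAX / LLONG_MIN); use
   // SerialNumberString() whenever the exact value matters (logging,
   // comparison against CRL entries).
   kXR_int64 sernum = -1;
   if (!cert)
      return sernum;

   const ASN1_INTEGER *ai = X509_get_serialNumber(cert);
   if (!ai)
      return sernum;

   // Let ASN1_INTEGER_to_BN allocate the BIGNUM; a 0 result (allocation
   // failure) is now handled instead of being passed on to BN_bn2dec
   BIGNUM *bn = ASN1_INTEGER_to_BN(ai, 0);
   if (!bn)
      return sernum;

   char *dec = BN_bn2dec(bn);
   if (dec) {
      sernum = strtoll(dec, 0, 10);
      OPENSSL_free(dec);
   }
   BN_free(bn);
   return sernum;
}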

◆ SerialNumberString()

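// virtual; reimplemented from XrdCryptoX509.
// Definition at line 635 of file XrdCryptosslX509.cc.
XrdOucString XrdCryptosslX509::SerialNumberString()
{
   // Serial number as a hexadecimal string in BN_bn2hex form (a leading '-'
   // for negative values), empty when unavailable. Unlike SerialNumber()
   // this never truncates, so prefer it for logging and for matching
   // serials against CRL entries.
   XrdOucString sernum;
   if (!cert)
      return sernum;

   const ASN1_INTEGER *ai = X509_get_serialNumber(cert);
   if (!ai)
      return sernum;

   // Let ASN1_INTEGER_to_BN allocate the BIGNUM; a 0 result (allocation
   // failure) is now handled instead of being passed on to BN_bn2hex
   BIGNUM *bn = ASN1_INTEGER_to_BN(ai, 0);
   if (!bn)
      return sernum;

   char *hex = BN_bn2hex(bn);
   if (hex) {
      sernum = hex;
      OPENSSL_free(hex);
   }
   BN_free(bn);
   return sernum;
}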

◆ SetPKI()

// virtual; reimplemented from XrdCryptoX509.
// Definition at line 428 of file XrdCryptosslX509.cc.
void XrdCryptosslX509::SetPKI(XrdCryptoX509data newpki)
{
   // Attach the key pair 'newpki' (an EVP_PKEY * passed in opaque form) to
   // this certificate. A 0 argument is ignored. The key is wrapped in an
   // XrdCryptosslRSA (second argument 1, as in the file constructor where
   // it is used to test consistency), whose status says whether private and
   // public parts agree (kComplete).
   // The wrapper replaces the current one when there is no current key, the
   // current key is kComplete, or the new key is kComplete; otherwise it is
   // discarded at once and the current key is left untouched.
   // NOTE(review): whether XrdCryptosslRSA takes ownership of the EVP_PKEY
   // (i.e. frees 'newpki' when the wrapper is discarded or replaced later)
   // cannot be told from this file; callers should not keep using 'newpki'
   // after this call without confirming that.
   if (!newpki)
      return;

   auto candidate = std::make_unique<XrdCryptosslRSA>((EVP_PKEY *)newpki, 1);

   const bool replace = !pki
                     || pki->status == XrdCryptoRSA::kComplete
                     || candidate->status == XrdCryptoRSA::kComplete;
   if (!replace)
      return;

   delete pki;
   pki = candidate.release();
}

References XrdCryptoRSA::kComplete.

◆ Subject()

// virtual; reimplemented from XrdCryptoX509.
// Definition at line 485 of file XrdCryptosslX509.cc.
const char *XrdCryptosslX509::Subject()
{
   // Subject DN in one-line form (as produced by XrdCryptosslNameOneLine),
   // extracted on first use and cached in 'subject'. Returns 0 when there is
   // no certificate or the name came out empty. The pointer refers to
   // storage owned by this object.
   EPNAME("X509::Subject");

   if (subject.length() > 0)
      return subject.c_str();

   if (!cert) {
      DEBUG("WARNING: no certificate available - cannot extract subject name");
      return (const char *)0;
   }

   XrdCryptosslNameOneLine(X509_get_subject_name(cert), subject);
   return (subject.length() > 0) ? subject.c_str() : (const char *)0;
}

References DEBUG, EPNAME, and XrdCryptosslNameOneLine().

Referenced by XrdCryptosslX509(), XrdCryptosslX509(), and XrdCryptosslX509().


◆ SubjectHash()

// virtual; reimplemented from XrdCryptoX509.
// Definition at line 574 of file XrdCryptosslX509.cc.
const char *XrdCryptosslX509::SubjectHash(int alg)
{
   // Hash of the subject DN in OpenSSL's "xxxxxxxx.0" CA-directory form.
   //   alg == 1 : X509_NAME_hash_old (MD5 based, pre-1.0.0 layout)
   //   otherwise: X509_NAME_hash (the layout used by OpenSSL >= 1.0.0)
   // Both are 32-bit directory lookup keys, not collision-resistant
   // identifiers: never use them alone to decide trust.
   // Computed once per algorithm and cached; 0 when there is no certificate.
   EPNAME("X509::SubjectHash");

   XrdOucString &cache = (alg == 1) ? subjectoldhash : subjecthash;
   if (cache.length() <= 0) {
      if (!cert) {
         if (alg == 1) {
            DEBUG("WARNING: no certificate available - cannot extract subject hash (md5)");
         } else {
            DEBUG("WARNING: no certificate available - cannot extract subject hash (default)");
         }
      } else {
         X509_NAME *nm = X509_get_subject_name(cert);
         unsigned long h = (alg == 1) ? X509_NAME_hash_old(nm) : X509_NAME_hash(nm);
         char chash[30] = {0};
         snprintf(chash, sizeof(chash), "%08lx.0", h);
         cache = chash;
      }
   }

   return (cache.length() > 0) ? cache.c_str() : (const char *)0;
}

References DEBUG, and EPNAME.

◆ Verify()

// virtual; reimplemented from XrdCryptoX509.
// Definition at line 773 of file XrdCryptosslX509.cc.
bool XrdCryptosslX509::Verify(XrdCryptoX509 *ref)
{
   // Check that this certificate's signature was produced by the key of
   // 'ref' (X509_verify with ref's public key). Returns false when either
   // certificate is missing, ref has no extractable public key, the
   // signature does not match, or OpenSSL reports an error.
   // This is a signature check only: validity period, issuer/subject name
   // chaining, basicConstraints/keyUsage of 'ref' and revocation are not
   // examined here and have to be enforced by the caller (presumably via
   // IsValid()/NotBefore()/NotAfter() and the chain logic elsewhere).
   EPNAME("X509::Verify");

   if (!cert || !ref)
      return false;

   X509 *refcert = (X509 *)(ref->Opaque());
   EVP_PKEY *refkey = refcert ? X509_get_pubkey(refcert) : 0;
   if (!refkey)
      return false;

   const int rc = X509_verify(cert, refkey);
   EVP_PKEY_free(refkey);   // X509_get_pubkey returned a new reference

   if (rc > 0)
      return true;

   if (rc == 0) {
      DEBUG("signature not OK");
   } else {
      DEBUG("could not verify signature");
   }
   return false;
}

References XrdCryptoX509::XrdCryptoX509(), DEBUG, EPNAME, and XrdCryptoX509::Opaque().


The documentation for this class was generated from the following files: