XRootD
XrdCryptosslX509 Class Reference

#include <XrdCryptosslX509.hh>

+ Inheritance diagram for XrdCryptosslX509:
+ Collaboration diagram for XrdCryptosslX509:

Public Member Functions

 XrdCryptosslX509 (const char *cf, const char *kf=0)
 
 XrdCryptosslX509 (X509 *cert)
 
 XrdCryptosslX509 (XrdSutBucket *bck)
 
virtual ~XrdCryptosslX509 ()
 
int BitStrength ()
 
int DumpExtensions (bool dumpunknown=0)
 
XrdSutBucketExport ()
 
XrdCryptoX509data GetExtension (const char *oid)
 
const char * Issuer ()
 
const char * IssuerHash (int=0)
 
virtual bool MatchesSAN (const char *, bool &)
 
time_t NotAfter ()
 
time_t NotBefore ()
 
XrdCryptoX509data Opaque ()
 
const char * ParentFile ()
 
XrdCryptoRSAPKI ()
 
const char * ProxyType () const
 
kXR_int64 SerialNumber ()
 
XrdOucString SerialNumberString ()
 
void SetPKI (XrdCryptoX509data pki)
 
const char * Subject ()
 
const char * SubjectHash (int=0)
 
bool Verify (XrdCryptoX509 *ref)
 
- Public Member Functions inherited from XrdCryptoX509
 XrdCryptoX509 ()
 
virtual ~XrdCryptoX509 ()
 
virtual void Dump ()
 
virtual bool IsExpired (int when=0)
 
const char * IssuerHash ()
 
virtual bool IsValid (int when=0)
 
const char * SubjectHash ()
 
const char * Type (EX509Type t=kUnknown) const
 

Additional Inherited Members

- Public Types inherited from XrdCryptoX509
enum  EX509Type {
  kUnknown = -1 ,
  kCA = 0 ,
  kEEC = 1 ,
  kProxy = 2
}
 
- Static Public Member Functions inherited from XrdCryptoX509
static bool MatchHostnames (const char *match_pattern, const char *fqdn)
 
- Public Attributes inherited from XrdCryptoX509
EX509Type type
 

Detailed Description

Definition at line 48 of file XrdCryptosslX509.hh.

Constructor & Destructor Documentation

◆ XrdCryptosslX509() [1/3]

XrdCryptosslX509::XrdCryptosslX509 ( const char *  cf,
const char *  kf = 0 
)

Definition at line 66 of file XrdCryptosslX509.cc.

67  : XrdCryptoX509()
68 {
69  // Constructor certificate from file 'cf'. If 'kf' is defined,
70  // complete the key of the certificate with the private key in kf.
71  EPNAME("X509::XrdCryptosslX509_file");
72 
73  // Init private members
74  cert = 0; // The certificate object
75  notbefore = -1; // begin-validity time in secs since Epoch
76  notafter = -1; // end-validity time in secs since Epoch
77  subject = ""; // subject;
78  issuer = ""; // issuer;
79  subjecthash = ""; // hash of subject;
80  issuerhash = ""; // hash of issuer;
81  subjectoldhash = ""; // hash of subject (md5 algorithm);
82  issueroldhash = ""; // hash of issuer (md5 algorithm);
83  srcfile = ""; // source file;
84  bucket = 0; // bucket for serialization
85  pki = 0; // PKI of the certificate
86  pxytype = 0; // Proxy sub-type
87 
88  // Make sure file name is defined;
89  if (!cf) {
90  DEBUG("file name undefined");
91  return;
92  }
93  // Make sure file exists;
94  struct stat st;
95  int fd = open(cf, O_RDONLY);
96 
97  if (fd == -1) {
98  if (errno == ENOENT) {
99  DEBUG("file "<<cf<<" does not exist - do nothing");
100  } else {
101  DEBUG("cannot open file "<<cf<<" (errno: "<<errno<<")");
102  }
103  return;
104  }
105 
106  if (fstat(fd, &st) != 0) {
107  DEBUG("cannot stat file "<<cf<<" (errno: "<<errno<<")");
108  close(fd);
109  return;
110  }
111  //
112  // Open file in read mode
113  FILE *fc = fdopen(fd, "r");
114  if (!fc) {
115  DEBUG("cannot fdopen file "<<cf<<" (errno: "<<errno<<")");
116  close(fd);
117  return;
118  }
119  //
120  // Read the content:
121  if (!PEM_read_X509(fc, &cert, 0, 0)) {
122  DEBUG("Unable to load certificate from file");
123  fclose(fc);
124  return;
125  } else {
126  DEBUG("certificate successfully loaded");
127  }
128  //
129  // Close the file
130  fclose(fc);
131  //
132  // Save source file name
133  srcfile = cf;
134 
135  // Init some of the private members (the others upon need)
136  Subject();
137  Issuer();
138  CertType();
139 
140  // Get the public key
141  EVP_PKEY *evpp = 0;
142  // Read the private key file, if specified
143  if (kf) {
144  int fd = open(kf, O_RDONLY);
145  if (fd == -1) {
146  DEBUG("cannot open file "<<kf<<" (errno: "<<errno<<")");
147  return;
148  }
149  if (fstat(fd, &st) == -1) {
150  DEBUG("cannot stat private key file "<<kf<<" (errno:"<<errno<<")");
151  close(fd);
152  return;
153  }
154  if (!S_ISREG(st.st_mode) || S_ISDIR(st.st_mode) ||
155  (st.st_mode & (S_IROTH | S_IWOTH)) != 0 ||
156  (st.st_mode & (S_IWGRP)) != 0) {
157  DEBUG("private key file "<<kf<<" has wrong permissions "<<
158  (st.st_mode & 0777) << " (should be at most 0640)");
159  close(fd);
160  return;
161  }
162  // Open file in read mode
163  FILE *fk = fdopen(fd, "r");
164  if (!fk) {
165  DEBUG("cannot open file "<<kf<<" (errno: "<<errno<<")");
166  close(fd);
167  return;
168  }
169  // This call fills the full key, i.e. also the public part (not really documented, though)
170  if ((evpp = PEM_read_PrivateKey(fk,0,0,0))) {
171  DEBUG("RSA key completed ");
172  // Test consistency
173  auto tmprsa = std::make_unique<XrdCryptosslRSA>(evpp, 1);
174  if (tmprsa->status == XrdCryptoRSA::kComplete) {
175  // Save it in pki
176  pki = tmprsa.release();
177  }
178  } else {
179  DEBUG("cannot read the key from file");
180  }
181  // Close the file
182  fclose(fk);
183  }
184  // If there were no private key or we did not manage to import it
185  // init pki with the partial key
186  if (!pki)
187  pki = new XrdCryptosslRSA(X509_get_pubkey(cert), 0);
188 }
#define DEBUG(x)
Definition: XrdBwmTrace.hh:54
#define EPNAME(x)
Definition: XrdBwmTrace.hh:56
int fclose(FILE *stream)
#define close(a)
Definition: XrdPosix.hh:48
#define fstat(a, b)
Definition: XrdPosix.hh:62
#define open
Definition: XrdPosix.hh:78
#define stat(a, b)
Definition: XrdPosix.hh:105
const char * Issuer()
const char * Subject()

References close, DEBUG, EPNAME, fclose(), fstat, Issuer(), XrdCryptoRSA::kComplete, open, stat, and Subject().

+ Here is the call graph for this function:

◆ XrdCryptosslX509() [2/3]

XrdCryptosslX509::XrdCryptosslX509 ( XrdSutBucket bck)

Definition at line 191 of file XrdCryptosslX509.cc.

191  : XrdCryptoX509()
192 {
193  // Constructor certificate from BIO 'bcer'
194  EPNAME("X509::XrdCryptosslX509_bio");
195 
196  // Init private members
197  cert = 0; // The certificate object
198  notbefore = -1; // begin-validity time in secs since Epoch
199  notafter = -1; // end-validity time in secs since Epoch
200  subject = ""; // subject;
201  issuer = ""; // issuer;
202  subjecthash = ""; // hash of subject;
203  issuerhash = ""; // hash of issuer;
204  subjectoldhash = ""; // hash of subject (md5 algorithm);
205  issueroldhash = ""; // hash of issuer (md5 algorithm);
206  srcfile = ""; // source file;
207  bucket = 0; // bucket for serialization
208  pki = 0; // PKI of the certificate
209  pxytype = 0; // Proxy sub-type
210 
211  // Make sure we got something;
212  if (!buck) {
213  DEBUG("got undefined opaque buffer");
214  return;
215  }
216 
217  //
218  // Create a bio_mem to store the certificates
219  BIO *bmem = BIO_new(BIO_s_mem());
220  if (!bmem) {
221  DEBUG("unable to create BIO for memory operations");
222  return;
223  }
224 
225  // Write data to BIO
226  int nw = BIO_write(bmem,(const void *)(buck->buffer),buck->size);
227  if (nw != buck->size) {
228  DEBUG("problems writing data to memory BIO (nw: "<<nw<<")");
229  return;
230  }
231 
232  // Get certificate from BIO
233  if (!(cert = PEM_read_bio_X509(bmem,0,0,0))) {
234  DEBUG("unable to read certificate to memory BIO");
235  return;
236  }
237  //
238  // Free BIO
239  BIO_free(bmem);
240 
241  //
242  // Init some of the private members (the others upon need)
243  Subject();
244  Issuer();
245  CertType();
246 
247  // Get the public key
248  EVP_PKEY *evpp = X509_get_pubkey(cert);
249  //
250  if (evpp) {
251  // init pki with the partial key
252  if (!pki)
253  pki = new XrdCryptosslRSA(evpp, 0);
254  } else {
255  DEBUG("could not access the public key");
256  }
257 }

References XrdSutBucket::buffer, DEBUG, EPNAME, Issuer(), XrdSutBucket::size, and Subject().

+ Here is the call graph for this function:

◆ XrdCryptosslX509() [3/3]

XrdCryptosslX509::XrdCryptosslX509 ( X509 *  cert)

Definition at line 260 of file XrdCryptosslX509.cc.

260  : XrdCryptoX509()
261 {
262  // Constructor: import X509 object
263  EPNAME("X509::XrdCryptosslX509_x509");
264 
265  // Init private members
266  cert = 0; // The certificate object
267  notbefore = -1; // begin-validity time in secs since Epoch
268  notafter = -1; // end-validity time in secs since Epoch
269  subject = ""; // subject;
270  issuer = ""; // issuer;
271  subjecthash = ""; // hash of subject;
272  issuerhash = ""; // hash of issuer;
273  subjectoldhash = ""; // hash of subject (md5 algorithm);
274  issueroldhash = ""; // hash of issuer (md5 algorithm);
275  srcfile = ""; // source file;
276  bucket = 0; // bucket for serialization
277  pki = 0; // PKI of the certificate
278  pxytype = 0; // Proxy sub-type
279 
280  // Make sure we got something;
281  if (!xc) {
282  DEBUG("got undefined X509 object");
283  return;
284  }
285 
286  // Set certificate
287  cert = xc;
288 
289  //
290  // Init some of the private members (the others upon need)
291  Subject();
292  Issuer();
293  CertType();
294 
295  // Get the public key
296  EVP_PKEY *evpp = X509_get_pubkey(cert);
297  //
298  if (evpp) {
299  // init pki with the partial key
300  if (!pki)
301  pki = new XrdCryptosslRSA(evpp, 0);
302  } else {
303  DEBUG("could not access the public key");
304  }
305 }

References DEBUG, EPNAME, Issuer(), and Subject().

+ Here is the call graph for this function:

◆ ~XrdCryptosslX509()

XrdCryptosslX509::~XrdCryptosslX509 ( )
virtual

Definition at line 308 of file XrdCryptosslX509.cc.

309 {
310  // Destructor
311 
312  // Cleanup certificate
313  if (cert) X509_free(cert);
314  // Cleanup key
315  if (pki) delete pki;
316 }

Member Function Documentation

◆ BitStrength()

int XrdCryptosslX509::BitStrength ( )
inlinevirtual

Reimplemented from XrdCryptoX509.

Definition at line 77 of file XrdCryptosslX509.hh.

77 { return ((cert) ? EVP_PKEY_bits(X509_get_pubkey(cert)) : -1);}

◆ DumpExtensions()

int XrdCryptosslX509::DumpExtensions ( bool  dumpunknown = 0)
virtual

Reimplemented from XrdCryptoX509.

Definition at line 815 of file XrdCryptosslX509.cc.

816 {
817  // Dump our extensions, if any
818  // Returns -1 on failure, 0 on success
819  EPNAME("DumpExtensions");
820 
821  int rc = -1;
822  // Point to the cerificate
823  X509 *xpi = (X509 *) Opaque();
824 
825  // Make sure we got the right inputs
826  if (!xpi) {
827  PRINT("we are empty! Do nothing");
828  return rc;
829  }
830 
831  rc = 1;
832  // Go through the extensions
833 #if OPENSSL_VERSION_NUMBER < 0x40000000L
834  X509_EXTENSION *xpiext = 0;
835 #else
836  const X509_EXTENSION *xpiext = 0;
837 #endif
838  int npiext = X509_get_ext_count(xpi);
839  PRINT("found "<<npiext<<" extensions ");
840  int i = 0;
841  for (i = 0; i< npiext; i++) {
842  xpiext = X509_get_ext(xpi, i);
843  char s[256];
844  OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(xpiext), 1);
845  int crit = X509_EXTENSION_get_critical(xpiext);
846  // Notify what we found
847  PRINT(i << ": found extension '"<<s<<"', critical: " << crit);
848  // Dump its content
849  rc = 0;
850  const unsigned char *pp = ASN1_STRING_get0_data(X509_EXTENSION_get_data(xpiext));
851  long length = ASN1_STRING_length(X509_EXTENSION_get_data(xpiext));
852  int ret = FillUnknownExt(&pp, length, dumpunknown);
853  PRINT("ret: " << ret);
854  }
855 
856  // Done
857  return rc;
858 }
#define PRINT(y)
XrdCryptoX509data Opaque()

References EPNAME, Opaque(), and PRINT.

+ Here is the call graph for this function:

◆ Export()

XrdSutBucket * XrdCryptosslX509::Export ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 725 of file XrdCryptosslX509.cc.

726 {
727  // Export in form of bucket
728  EPNAME("X509::Export");
729 
730  // If we have already done it, return the previous result
731  if (bucket) {
732  DEBUG("serialization already performed:"
733  " return previous result ("<<bucket->size<<" bytes)");
734  return bucket;
735  }
736 
737  // Make sure we got something to export
738  if (!cert) {
739  DEBUG("certificate is not initialized");
740  return 0;
741  }
742 
743  //
744  // Now we create a bio_mem to serialize the certificate
745  BIO *bmem = BIO_new(BIO_s_mem());
746  if (!bmem) {
747  DEBUG("unable to create BIO for memory operations");
748  return 0;
749  }
750 
751  // Write certificate to BIO
752  if (!PEM_write_bio_X509(bmem, cert)) {
753  DEBUG("unable to write certificate to memory BIO");
754  return 0;
755  }
756 
757  // Extract pointer to BIO data and length of segment
758  char *bdata = 0;
759  int blen = BIO_get_mem_data(bmem, &bdata);
760  DEBUG("BIO data: "<<blen<<" bytes at 0x"<<(int *)bdata);
761 
762  // create the bucket now
763  bucket = new XrdSutBucket(0,0,kXRS_x509);
764  if (bucket) {
765  // Fill bucket
766  bucket->SetBuf(bdata, blen);
767  DEBUG("result of serialization: "<<bucket->size<<" bytes");
768  } else {
769  DEBUG("unable to create bucket for serialized format");
770  BIO_free(bmem);
771  return 0;
772  }
773  //
774  // Free BIO
775  BIO_free(bmem);
776  //
777  // We are done
778  return bucket;
779 }
@ kXRS_x509
Definition: XrdSutAux.hh:79
kXR_int32 size
Definition: XrdSutBucket.hh:47
int SetBuf(const char *nb=0, int ns=0)

References DEBUG, EPNAME, kXRS_x509, XrdSutBucket::SetBuf(), and XrdSutBucket::size.

+ Here is the call graph for this function:

◆ GetExtension()

XrdCryptoX509data XrdCryptosslX509::GetExtension ( const char *  oid)
virtual

Reimplemented from XrdCryptoX509.

Definition at line 658 of file XrdCryptosslX509.cc.

659 {
660  // Return pointer to extension with OID oid, if any, in
661  // opaque form
662  EPNAME("X509::GetExtension");
663  XrdCryptoX509data ext = 0;
664 
665  // Make sure we got something to look for
666  if (!oid) {
667  DEBUG("OID string not defined");
668  return ext;
669  }
670 
671  // Make sure we got something to look for
672  if (!cert) {
673  DEBUG("certificate is not initialized");
674  return ext;
675  }
676 
677  // Are there any extension?
678  int numext = X509_get_ext_count(cert);
679  if (numext <= 0) {
680  DEBUG("certificate has got no extensions");
681  return ext;
682  }
683  DEBUG("certificate has "<<numext<<" extensions");
684 
685  // If the string is the Standard Name of a known extension check
686  // searche the corresponding NID
687  int nid = OBJ_sn2nid(oid);
688  bool usenid = (nid > 0);
689 
690  // Loop to identify the one we would like
691  int i = 0;
692 #if OPENSSL_VERSION_NUMBER < 0x40000000L
693  X509_EXTENSION *wext = 0;
694 #else
695  const X509_EXTENSION *wext = 0;
696 #endif
697  for (i = 0; i< numext; i++) {
698  wext = X509_get_ext(cert, i);
699  if (usenid) {
700  int enid = OBJ_obj2nid(X509_EXTENSION_get_object(wext));
701  if (enid == nid)
702  break;
703  } else {
704  // Try matching of the text
705  char s[256];
706  OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(wext), 1);
707  if (!strcmp(s, oid))
708  break;
709  }
710  // Do not free the extension: its owned by the certificate
711  wext = 0;
712  }
713 
714  // We are done if nothing was found
715  if (!wext) {
716  DEBUG("Extension "<<oid<<" not found");
717  return ext;
718  }
719 
720  // We are done
721  return (XrdCryptoX509data)wext;
722 }
void * XrdCryptoX509data

References DEBUG, and EPNAME.

◆ Issuer()

const char * XrdCryptosslX509::Issuer ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 513 of file XrdCryptosslX509.cc.

514 {
515  // Return issuer name
516  EPNAME("X509::Issuer");
517 
518  // If we do not have it already, try extraction
519  if (issuer.length() <= 0) {
520 
521  // Make sure we have a certificate
522  if (!cert) {
523  DEBUG("WARNING: no certificate available - cannot extract issuer name");
524  return (const char *)0;
525  }
526 
527  // Extract issuer name
528  XrdCryptosslNameOneLine(X509_get_issuer_name(cert), issuer);
529  }
530 
531  // return what we have
532  return (issuer.length() > 0) ? issuer.c_str() : (const char *)0;
533 }
void XrdCryptosslNameOneLine(const X509_NAME *nm, XrdOucString &s)
const char * c_str() const
int length() const

References XrdOucString::c_str(), DEBUG, EPNAME, XrdOucString::length(), and XrdCryptosslNameOneLine().

Referenced by XrdCryptosslX509().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ IssuerHash()

const char * XrdCryptosslX509::IssuerHash ( int  alg = 0)
virtual

Reimplemented from XrdCryptoX509.

Definition at line 536 of file XrdCryptosslX509.cc.

537 {
538  // Return hash of issuer name
539  // Use default algorithm (X509_NAME_hash) for alg = 0, old algorithm
540  // (for v>=1.0.0) when alg = 1
541  EPNAME("X509::IssuerHash");
542 
543  if (alg == 1) {
544  // md5 based
545  if (issueroldhash.length() <= 0) {
546  // Make sure we have a certificate
547  if (cert) {
548  char chash[30] = {0};
549  snprintf(chash, sizeof(chash),
550  "%08lx.0",X509_NAME_hash_old(X509_get_issuer_name(cert)));
551  issueroldhash = chash;
552  } else {
553  DEBUG("WARNING: no certificate available - cannot extract issuer hash (md5)");
554  }
555  }
556  // return what we have
557  return (issueroldhash.length() > 0) ? issueroldhash.c_str() : (const char *)0;
558  }
559 
560  // If we do not have it already, try extraction
561  if (issuerhash.length() <= 0) {
562 
563  // Make sure we have a certificate
564  if (cert) {
565  char chash[30] = {0};
566  snprintf(chash, sizeof(chash),
567  "%08lx.0",X509_NAME_hash(X509_get_issuer_name(cert)));
568  issuerhash = chash;
569  } else {
570  DEBUG("WARNING: no certificate available - cannot extract issuer hash (default)");
571  }
572  }
573 
574  // return what we have
575  return (issuerhash.length() > 0) ? issuerhash.c_str() : (const char *)0;
576 }

References XrdOucString::c_str(), DEBUG, EPNAME, and XrdOucString::length().

+ Here is the call graph for this function:

◆ MatchesSAN()

bool XrdCryptosslX509::MatchesSAN ( const char *  fqdn,
bool &  hasSAN 
)
virtual

Implements XrdCryptoX509.

Definition at line 1124 of file XrdCryptosslX509.cc.

1125 {
1126  EPNAME("MatchesSAN");
1127 
1128  // Statically allocated array for hostname lengths. RFC1035 limits
1129  // valid lengths to 255 characters.
1130  char san_fqdn[256];
1131 
1132  // Assume we have no SAN extension. Failure may allow the caller to try
1133  // using the common name before giving up.
1134  hasSAN = false;
1135 
1136  GENERAL_NAMES *gens = static_cast<GENERAL_NAMES *>(X509_get_ext_d2i(cert,
1137  NID_subject_alt_name, NULL, NULL));
1138  if (!gens)
1139  return false;
1140 
1141  // Only an EEC is usable as a host certificate.
1142  if (type != kEEC)
1143  return false;
1144 
1145  // All failures are under the notion that we have a SAN extension.
1146  hasSAN = true;
1147 
1148  if (!fqdn)
1149  return false;
1150 
1151  bool success = false;
1152  for (int idx = 0; idx < sk_GENERAL_NAME_num(gens); idx++) {
1153  GENERAL_NAME *gen;
1154  ASN1_STRING *cstr;
1155  gen = sk_GENERAL_NAME_value(gens, idx);
1156  if (gen->type != GEN_DNS)
1157  continue;
1158  cstr = gen->d.dNSName;
1159  if (ASN1_STRING_type(cstr) != V_ASN1_IA5STRING)
1160  continue;
1161  int san_fqdn_len = ASN1_STRING_length(cstr);
1162  if (san_fqdn_len > 255)
1163  continue;
1164  memcpy(san_fqdn, ASN1_STRING_get0_data(cstr), san_fqdn_len);
1165  san_fqdn[san_fqdn_len] = '\0';
1166  if (strlen(san_fqdn) != static_cast<size_t>(san_fqdn_len)) // Avoid embedded null's.
1167  continue;
1168  DEBUG("Comparing SAN " << san_fqdn << " with " << fqdn);
1169  if (MatchHostnames(san_fqdn, fqdn)) {
1170  DEBUG("SAN " << san_fqdn << " matches with " << fqdn);
1171  success = true;
1172  break;
1173  }
1174  }
1175  sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
1176  return success;
1177 }
static bool MatchHostnames(const char *match_pattern, const char *fqdn)
EX509Type type

References DEBUG, EPNAME, XrdCryptoX509::kEEC, XrdCryptoX509::MatchHostnames(), and XrdCryptoX509::type.

+ Here is the call graph for this function:

◆ NotAfter()

time_t XrdCryptosslX509::NotAfter ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 474 of file XrdCryptosslX509.cc.

475 {
476  // End-validity time in secs since Epoch
477 
478  // If we do not have it already, try extraction
479  if (notafter < 0) {
480  // Make sure we have a certificate
481  if (cert)
482  // Extract UTC time in secs from Epoch
483  notafter = XrdCryptosslASN1toUTC(X509_get_notAfter(cert));
484  }
485  // return what we have
486  return notafter;
487 }
time_t XrdCryptosslASN1toUTC(const ASN1_TIME *tsn1)

References XrdCryptosslASN1toUTC().

+ Here is the call graph for this function:

◆ NotBefore()

time_t XrdCryptosslX509::NotBefore ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 458 of file XrdCryptosslX509.cc.

459 {
460  // Begin-validity time in secs since Epoch
461 
462  // If we do not have it already, try extraction
463  if (notbefore < 0) {
464  // Make sure we have a certificate
465  if (cert)
466  // Extract UTC time in secs from Epoch
467  notbefore = XrdCryptosslASN1toUTC(X509_get_notBefore(cert));
468  }
469  // return what we have
470  return notbefore;
471 }

References XrdCryptosslASN1toUTC().

+ Here is the call graph for this function:

◆ Opaque()

XrdCryptoX509data XrdCryptosslX509::Opaque ( )
inlinevirtual

Reimplemented from XrdCryptoX509.

Definition at line 58 of file XrdCryptosslX509.hh.

58 { return (XrdCryptoX509data)cert; }

Referenced by DumpExtensions().

+ Here is the caller graph for this function:

◆ ParentFile()

const char* XrdCryptosslX509::ParentFile ( )
inlinevirtual

Reimplemented from XrdCryptoX509.

Definition at line 71 of file XrdCryptosslX509.hh.

71 { return (const char *)(srcfile.c_str()); }

References XrdOucString::c_str().

+ Here is the call graph for this function:

◆ PKI()

XrdCryptoRSA* XrdCryptosslX509::PKI ( )
inlinevirtual

Reimplemented from XrdCryptoX509.

Definition at line 64 of file XrdCryptosslX509.hh.

64 { return pki; }

◆ ProxyType()

const char* XrdCryptosslX509::ProxyType ( ) const
inlinevirtual

Reimplemented from XrdCryptoX509.

Definition at line 74 of file XrdCryptosslX509.hh.

74 { return cpxytype[pxytype]; }

◆ SerialNumber()

kXR_int64 XrdCryptosslX509::SerialNumber ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 622 of file XrdCryptosslX509.cc.

623 {
624  // Return serial number as a kXR_int64
625 
626  kXR_int64 sernum = -1;
627  if (cert && X509_get_serialNumber(cert)) {
628  BIGNUM *bn = BN_new();
629  ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), bn);
630  char *sn = BN_bn2dec(bn);
631  sernum = strtoll(sn, 0, 10);
632  BN_free(bn);
633  OPENSSL_free(sn);
634  }
635 
636  return sernum;
637 }
long long kXR_int64
Definition: XPtypes.hh:98

◆ SerialNumberString()

XrdOucString XrdCryptosslX509::SerialNumberString ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 640 of file XrdCryptosslX509.cc.

641 {
642  // Return serial number as a hex string
643 
644  XrdOucString sernum;
645  if (cert && X509_get_serialNumber(cert)) {
646  BIGNUM *bn = BN_new();
647  ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), bn);
648  char *sn = BN_bn2hex(bn);
649  sernum = sn;
650  BN_free(bn);
651  OPENSSL_free(sn);
652  }
653 
654  return sernum;
655 }

◆ SetPKI()

void XrdCryptosslX509::SetPKI ( XrdCryptoX509data  pki)
virtual

Reimplemented from XrdCryptoX509.

Definition at line 433 of file XrdCryptosslX509.cc.

434 {
435  // SetPKI:
436  // if newpki is null does nothing
437  // if newpki contains a consistent private & public key we take ownership
438  // so that this->PKI()->status will be kComplete.
439  // otherwise, newpki is not consistent:
440  // if the previous PKI() was null or was already kComplete it is and reset
441  // so that this->PKI()->status will be kInvalid.
442 
443  if (!newpki) return;
444 
445  auto tmprsa = std::make_unique<XrdCryptosslRSA>((EVP_PKEY*)newpki, 1);
446  if (!pki || pki->status == XrdCryptoRSA::kComplete ||
447  tmprsa->status == XrdCryptoRSA::kComplete) {
448  // Cleanup any existing key first
449  if (pki)
450  delete pki;
451 
452  // Set PKI
453  pki = tmprsa.release();
454  }
455 }
ERSAStatus status
Definition: XrdCryptoRSA.hh:58

References XrdCryptoRSA::kComplete, and XrdCryptoRSA::status.

◆ Subject()

const char * XrdCryptosslX509::Subject ( )
virtual

Reimplemented from XrdCryptoX509.

Definition at line 490 of file XrdCryptosslX509.cc.

491 {
492  // Return subject name
493  EPNAME("X509::Subject");
494 
495  // If we do not have it already, try extraction
496  if (subject.length() <= 0) {
497 
498  // Make sure we have a certificate
499  if (!cert) {
500  DEBUG("WARNING: no certificate available - cannot extract subject name");
501  return (const char *)0;
502  }
503 
504  // Extract subject name
505  XrdCryptosslNameOneLine(X509_get_subject_name(cert), subject);
506  }
507 
508  // return what we have
509  return (subject.length() > 0) ? subject.c_str() : (const char *)0;
510 }

References XrdOucString::c_str(), DEBUG, EPNAME, XrdOucString::length(), and XrdCryptosslNameOneLine().

Referenced by XrdCryptosslX509().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ SubjectHash()

const char * XrdCryptosslX509::SubjectHash ( int  alg = 0)
virtual

Reimplemented from XrdCryptoX509.

Definition at line 579 of file XrdCryptosslX509.cc.

580 {
581  // Return hash of subject name
582  // Use default algorithm (X509_NAME_hash) for alg = 0, old algorithm
583  // (for v>=1.0.0) when alg = 1
584  EPNAME("X509::SubjectHash");
585 
586  if (alg == 1) {
587  // md5 based
588  if (subjectoldhash.length() <= 0) {
589  // Make sure we have a certificate
590  if (cert) {
591  char chash[30] = {0};
592  snprintf(chash, sizeof(chash),
593  "%08lx.0",X509_NAME_hash_old(X509_get_subject_name(cert)));
594  subjectoldhash = chash;
595  } else {
596  DEBUG("WARNING: no certificate available - cannot extract subject hash (md5)");
597  }
598  }
599  // return what we have
600  return (subjectoldhash.length() > 0) ? subjectoldhash.c_str() : (const char *)0;
601  }
602 
603  // If we do not have it already, try extraction
604  if (subjecthash.length() <= 0) {
605 
606  // Make sure we have a certificate
607  if (cert) {
608  char chash[30] = {0};
609  snprintf(chash, sizeof(chash),
610  "%08lx.0",X509_NAME_hash(X509_get_subject_name(cert)));
611  subjecthash = chash;
612  } else {
613  DEBUG("WARNING: no certificate available - cannot extract subject hash (default)");
614  }
615  }
616 
617  // return what we have
618  return (subjecthash.length() > 0) ? subjecthash.c_str() : (const char *)0;
619 }

References XrdOucString::c_str(), DEBUG, EPNAME, and XrdOucString::length().

+ Here is the call graph for this function:

◆ Verify()

bool XrdCryptosslX509::Verify ( XrdCryptoX509 ref)
virtual

Reimplemented from XrdCryptoX509.

Definition at line 782 of file XrdCryptosslX509.cc.

783 {
784  // Verify certificate signature with pub key of ref cert
785  EPNAME("X509::Verify");
786 
787  // We must have been initialized
788  if (!cert)
789  return 0;
790 
791  // We must have something to check with
792  X509 *r = ref ? (X509 *)(ref->Opaque()) : 0;
793  EVP_PKEY *rk = r ? X509_get_pubkey(r) : 0;
794  if (!rk)
795  return 0;
796 
797  // Ok: we can verify
798  int rc = X509_verify(cert, rk);
799  EVP_PKEY_free(rk);
800  if (rc <= 0) {
801  if (rc == 0) {
802  // Signatures are not OK
803  DEBUG("signature not OK");
804  } else {
805  // General failure
806  DEBUG("could not verify signature");
807  }
808  return 0;
809  }
810  // Success
811  return 1;
812 }
virtual XrdCryptoX509data Opaque()

References DEBUG, EPNAME, and XrdCryptoX509::Opaque().

+ Here is the call graph for this function:

The documentation for this class was generated from the following files: