#ifndef __CRYPTO_X509CHAIN_H__ #define __CRYPTO_X509CHAIN_H__ /******************************************************************************/ /* */ /* X r d C r y p t o X 5 0 9 C h a i n . h h */ /* */ /* (c) 2005 G. Ganis , CERN */ /* */ /* This file is part of the XRootD software suite. */ /* */ /* XRootD is free software: you can redistribute it and/or modify it under */ /* the terms of the GNU Lesser General Public License as published by the */ /* Free Software Foundation, either version 3 of the License, or (at your */ /* option) any later version. */ /* */ /* XRootD is distributed in the hope that it will be useful, but WITHOUT */ /* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or */ /* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public */ /* License for more details. */ /* */ /* You should have received a copy of the GNU Lesser General Public License */ /* along with XRootD in a file called COPYING.LESSER (LGPL license) and file */ /* COPYING (GPL license). If not, see . */ /* */ /* The copyright holder's institutional names and contributor's names may not */ /* be used to endorse or promote products derived from this software without */ /* specific prior written permission of the institution or contributor. */ /* */ /******************************************************************************/ /* ************************************************************************** */ /* */ /* Chain of X509 certificates. */ /* */ /* ************************************************************************** */ #include "XrdSut/XrdSutBucket.hh" #include "XrdCrypto/XrdCryptoX509.hh" #include "XrdCrypto/XrdCryptoX509Crl.hh" // ---------------------------------------------------------------------------// // // // XrdCryptoX509Chain // // // // Light single-linked list for managing stacks of XrdCryptoX509* objects // // // // ---------------------------------------------------------------------------// // // Description of options for verify typedef struct { int opt; // option container int when; // time of verification (UTC) int pathlen; // max allowed path length of chain XrdCryptoX509Crl *crl; // CRL } x509ChainVerifyOpt_t; const int kOptsCheckSelfSigned = 0x2; // CA ckecking option const int kOptsCheckSubCA = 0x4; // CA-SubCA case (no EEC) // // Node definition // class XrdCryptoX509ChainNode { private: XrdCryptoX509 *cert; XrdCryptoX509ChainNode *next; public: XrdCryptoX509ChainNode(XrdCryptoX509 *c = 0, XrdCryptoX509ChainNode *n = 0) { cert = c; next = n;} virtual ~XrdCryptoX509ChainNode() { } XrdCryptoX509 *Cert() const { return cert; } XrdCryptoX509ChainNode *Next() const { return next; } void SetNext(XrdCryptoX509ChainNode *n) { next = n; } }; class XrdCryptoX509Chain { enum ESearchMode { kExact = 0, kBegin = 1, kEnd = 2 }; public: XrdCryptoX509Chain(XrdCryptoX509 *c = 0); XrdCryptoX509Chain(XrdCryptoX509Chain *ch); virtual ~XrdCryptoX509Chain(); // CA status enum ECAStatus { kUnknown = 0, kAbsent, kInvalid, kValid}; // Error codes enum EX509ChainErr { kNone = 0, kInconsistent, kTooMany, kNoCA, kNoCertificate, kInvalidType, kInvalidNames, kRevoked, kExpired, kMissingExtension, kVerifyFail, kInvalidSign, kCANotAutoSigned, kNoEEC, kTooManyEEC, kInvalidProxy }; // In case or error const char *X509ChainError(EX509ChainErr e); const char *LastError() const { return lastError.c_str(); } // Dump content void Dump(); // Access information int Size() const { return size; } XrdCryptoX509 *End() const { return end->Cert(); } ECAStatus StatusCA() const { return statusCA; } const char *CAname(); const char *EECname(); const char *CAhash(); const char *EEChash(); XrdCryptoX509 *EffCA() const { return effca ? effca->Cert() : (XrdCryptoX509 *)0; } // Modifiers void InsertAfter(XrdCryptoX509 *c, XrdCryptoX509 *cp); void PutInFront(XrdCryptoX509 *c); void PushBack(XrdCryptoX509 *c); void Remove(XrdCryptoX509 *c); bool CheckCA(bool checkselfsigned = 1); void Cleanup(bool keepCA = 0); void SetStatusCA(ECAStatus st) { statusCA = st; } // Search XrdCryptoX509 *SearchByIssuer(const char *issuer, ESearchMode mode = kExact); XrdCryptoX509 *SearchBySubject(const char *subject, ESearchMode mode = kExact); // Check validity in time virtual int CheckValidity(bool outatfirst = 1, int when = 0); // Reorder (C(n) issuer of C(n+1)) virtual int Reorder(); // Verify chain virtual bool Verify(EX509ChainErr &e, x509ChainVerifyOpt_t *vopt = 0); // Pseudo - iterator functionality XrdCryptoX509 *Begin(); XrdCryptoX509 *Next(); protected: XrdCryptoX509ChainNode *begin; XrdCryptoX509ChainNode *current; XrdCryptoX509ChainNode *end; XrdCryptoX509ChainNode *previous; XrdCryptoX509ChainNode *effca; int size; XrdOucString lastError; XrdOucString caname; XrdOucString eecname; XrdOucString cahash; XrdOucString eechash; ECAStatus statusCA; XrdCryptoX509ChainNode *Find(XrdCryptoX509 *c); XrdCryptoX509ChainNode *FindIssuer(const char *issuer, ESearchMode mode = kExact, XrdCryptoX509ChainNode **p = 0); XrdCryptoX509ChainNode *FindSubject(const char *subject, ESearchMode mode = kExact, XrdCryptoX509ChainNode **p = 0); void SetEffectiveCA(); bool Verify(EX509ChainErr &e, const char *msg, XrdCryptoX509::EX509Type type, int when, XrdCryptoX509 *xcer, XrdCryptoX509 *xsig, XrdCryptoX509Crl *crl = 0); }; #endif