#pragma once
#include <string>
#include <vector>
#include "envoy/ssl/context.h"
#include "source/common/common/utility.h"
#include "absl/types/optional.h"
#include "openssl/ssl.h"
#include "openssl/x509v3.h"
namespace Envoy {
namespace Extensions {
namespace TransportSockets {
namespace Tls {
namespace Utility {
/**
 * Builds a CertificateDetails description of the given certificate.
 * @param cert the certificate to describe
 * @param path presumably the path the certificate was loaded from, recorded in the details
 *   — verify against the implementation
 * @param time_source time source, presumably used for time-dependent fields such as days until
 *   expiration — confirm
 * @return Envoy::Ssl::CertificateDetailsPtr the populated details object
 */
Envoy::Ssl::CertificateDetailsPtr certificateDetails(X509* cert, const std::string& path,
TimeSource& time_source);
/**
 * Determines whether `dns_name` matches `pattern`, where `pattern` may optionally begin with a
 * wildcard or contain a wildcard inside its first (left-most) label. A wildcard appearing in any
 * other label is presumably not treated as a wildcard — confirm against the implementation.
 * See: https://www.rfc-editor.org/rfc/rfc6125#section-6.4.3.
 * @param dns_name the DNS name to match
 * @param pattern the pattern to match against, e.g. "*.example.com" or "test*.example.com"
 * @return true if dns_name matches pattern
 */
bool dnsNameMatch(absl::string_view dns_name, absl::string_view pattern);
/**
 * Determines whether a single DNS label matches `pattern`, which may contain one wildcard. For
 * example, the patterns "baz*", "*baz" and "b*z" match the labels "baz1", "foobaz" and "buzz",
 * respectively.
 * Both arguments are expected to already be lower case; no case folding is documented here, so
 * callers are responsible for normalizing before the call.
 * @param dns_label the DNS name label to match, in lower case
 * @param pattern the pattern to match against, in lower case
 * @return true if dns_label matches pattern
 */
bool labelWildcardMatch(absl::string_view dns_label, absl::string_view pattern);
/**
 * Retrieves the serial number of a certificate.
 * @param cert the certificate
 * @return std::string the serial number field of the certificate, or "" if the certificate has
 *   no serial number.
 */
std::string getSerialNumberFromCertificate(X509& cert);
/**
 * Retrieves the subject alternative names of a certificate.
 * @param cert the certificate
 * @param type the subject alternative name type to extract; presumably one of OpenSSL's GEN_*
 *   GENERAL_NAME type constants — verify against the implementation
 * @param skip_unsupported if true, a name whose IP version is unsupported on this host is omitted
 *   from the result; if false, such a name causes an exception to be thrown.
 * @return std::vector the list of subject alternative names of the requested type.
 */
std::vector<std::string> getSubjectAltNames(X509& cert, int type, bool skip_unsupported = false);
/**
 * Converts a single subject alternative name to its string representation.
 * @param general_name the subject alternative name
 * @return std::string the string representation of the name.
 */
std::string generalNameAsString(const GENERAL_NAME* general_name);
/**
 * Retrieves the issuer from a certificate.
 * @param cert the certificate
 * @return std::string the issuer field of the certificate.
 */
std::string getIssuerFromCertificate(X509& cert);
/**
 * Retrieves the subject from a certificate.
 * @param cert the certificate
 * @return std::string the subject field of the certificate.
 */
std::string getSubjectFromCertificate(X509& cert);
/**
 * Retrieves the value of a specific X509 extension from the certificate, if present.
 * NOTE(review): the returned view is not owned by the caller and presumably aliases storage owned
 * by `cert`; it must not outlive the certificate — confirm against the implementation.
 * @param cert the certificate.
 * @param extension_name the name of the extension to extract, in dotted-number (OID) format
 * @return absl::string_view the DER-encoded value of the extension field, or an empty view if the
 *   extension is not present.
 */
absl::string_view getCertificateExtensionValue(X509& cert, absl::string_view extension_name);
/**
 * Returns the number of days for which this certificate remains valid.
 * @param cert the certificate
 * @param time_source the time source used to obtain the current time.
 * @return the number of days until the certificate expires; the value is set only while the
 *   certificate has not yet expired, and is unset otherwise.
 */
absl::optional<uint32_t> getDaysUntilExpiration(const X509* cert, TimeSource& time_source);
/**
 * Returns the time from which this certificate is valid (its notBefore).
 * @param cert the certificate.
 * @return the time from which the certificate is valid.
 */
SystemTime getValidFrom(const X509& cert);
/**
 * Returns the time at which this certificate expires (its notAfter).
 * @param cert the certificate.
 * @return the time after which the certificate is no longer valid.
 */
SystemTime getExpirationTime(const X509& cert);
/**
 * Returns the last crypto error from ERR_get_error(), or `absl::nullopt` if the error stack is
 * empty.
 * @return absl::optional<std::string> the error message, or `absl::nullopt` when there is none.
 */
absl::optional<std::string> getLastCryptoError();
/**
 * Returns the error string corresponding to the given OpenSSL error code.
 * The return type is a view, so the text is presumably backed by static storage in OpenSSL —
 * confirm before retaining it beyond the immediate call site.
 * @param err the error code
 * @return the message corresponding to the error code.
 */
absl::string_view getErrorDescription(int err);
/**
 * Extracts the X509 certificate validation error information from a verification store context.
 *
 * @param ctx the store context
 * @return the error details
 */
std::string getX509VerificationErrorInfo(X509_STORE_CTX* ctx);
} // namespace Utility
} // namespace Tls
} // namespace TransportSockets
} // namespace Extensions
} // namespace Envoy