#ifndef __CRYPTO_X509_H__
#define __CRYPTO_X509_H__
/******************************************************************************/
/* */
/* X r d C r y p t o X 5 0 9 . h h */
/* */
/* (c) 2005 G. Ganis , CERN */
/* */
/* This file is part of the XRootD software suite. */
/* */
/* XRootD is free software: you can redistribute it and/or modify it under */
/* the terms of the GNU Lesser General Public License as published by the */
/* Free Software Foundation, either version 3 of the License, or (at your */
/* option) any later version. */
/* */
/* XRootD is distributed in the hope that it will be useful, but WITHOUT */
/* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or */
/* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public */
/* License for more details. */
/* */
/* You should have received a copy of the GNU Lesser General Public License */
/* along with XRootD in a file called COPYING.LESSER (LGPL license) and file */
/* COPYING (GPL license). If not, see <http://www.gnu.org/licenses/>. */
/* */
/* The copyright holder's institutional names and contributor's names may not */
/* be used to endorse or promote products derived from this software without */
/* specific prior written permission of the institution or contributor. */
/* */
/******************************************************************************/
/* ************************************************************************** */
/* */
/* Abstract interface for X509 certificates. */
/* Allows plugging in modules based on different crypto implementations */
/* (OpenSSL, Botan, ...) */
/* */
/* ************************************************************************** */
#include "XProtocol/XPtypes.hh"
#include "XrdSut/XrdSutBucket.hh"
#include "XrdCrypto/XrdCryptoRSA.hh"
// Opaque handle to the backend's native certificate / extension object
// (e.g. an OpenSSL X509*); the concrete type is known only to the plug-in
// that produced it, so callers must not dereference it themselves.
typedef void * XrdCryptoX509data;
// ---------------------------------------------------------------------------//
//
// X509 interface
// Describes one certificate
//
// ---------------------------------------------------------------------------//
class XrdCryptoX509 {
public:
// Certificate type
enum EX509Type { kUnknown = -1, kCA = 0, kEEC = 1, kProxy = 2 };
// Type of this certificate. Public and writable; Type() indexes the private
// ctype[] table with (type + 1), so only the four enumerators above are
// valid values here.
EX509Type type;
// A freshly constructed object carries no certificate: type is kUnknown.
XrdCryptoX509() { type = kUnknown; }
virtual ~XrdCryptoX509() { }
// Status
// 'when' presumably is a time in secs since Epoch, with 0 meaning "now"
// (consistent with NotBefore/NotAfter below) — TODO confirm against the
// concrete implementations, this header does not state it.
virtual bool IsValid(int when = 0); // object correctly loaded
virtual bool IsExpired(int when = 0); // Expired
// Access underlying data (in opaque form: used in chains)
virtual XrdCryptoX509data Opaque();
// Access certificate key
virtual XrdCryptoRSA *PKI();
// Install the key from an opaque backend object (see XrdCryptoX509data).
virtual void SetPKI(XrdCryptoX509data pki);
// Export in form of bucket (for transfers)
// NOTE(review): ownership of the returned bucket is not stated here —
// check the implementation before assuming the caller must delete it.
virtual XrdSutBucket *Export();
// Dump information
virtual void Dump();
// The unnamed flag's meaning is not documented in this header; see the
// concrete class for what it selects.
virtual int DumpExtensions(bool = 0); // extensions
// Human-readable name of a certificate type: of this object's own 'type'
// when t == kUnknown (the default), otherwise of 't'. The lookup is
// ctype[value + 1] into a 4-entry table, so a 'type' outside
// kUnknown..kProxy reads past the end of the table.
const char *Type(EX509Type t = kUnknown) const
{ return ((t == kUnknown) ? ctype[type+1] : ctype[t+1]); }
virtual const char *ParentFile();
// Default: no proxy type; proxy-aware implementations override this.
virtual const char *ProxyType() const { return ""; }
// Key strength
virtual int BitStrength();
// Serial number
virtual kXR_int64 SerialNumber();
virtual XrdOucString SerialNumberString();
// Validity interval
// NOTE(review): a 32-bit 'int' of seconds since Epoch overflows in 2038;
// widening the return type would break every overrider, so it is only
// flagged here.
virtual int NotBefore(); // begin-validity time in secs since Epoch
virtual int NotAfter(); // end-validity time in secs since Epoch
// Issuer of top certificate
virtual const char *Issuer();
// The int argument's meaning is not given in this header; the no-argument
// overload passes 0.
virtual const char *IssuerHash(int); // hash
const char *IssuerHash() { return IssuerHash(0); } // hash, argument 0
// Subject of bottom certificate
virtual const char *Subject();
virtual const char *SubjectHash(int); // hash; argument as for IssuerHash(int)
const char *SubjectHash() { return SubjectHash(0); } // hash, argument 0
// Returns true if the certificate has a subject alt name which matches
// the given hostname. Pure virtual: every concrete class must implement it.
virtual bool MatchesSAN(const char * fqdn) = 0;
// Retrieve a given extension if there (in opaque form)
virtual XrdCryptoX509data GetExtension(const char *oid);
// Verify signature
// 'ref' is presumably the certificate whose key signed this one (the
// issuer) — TODO confirm in the concrete implementation.
virtual bool Verify(XrdCryptoX509 *ref);
// Compare two hostnames, handling wildcards as appropriate. Necessary
// for support for accepting connections where the remote X509 certificate
// is a wildcard certificate.
//
// Returns true if the FQDN matches the specified pattern.
// NOTE(review): this header does not say how far a wildcard may match;
// confirm the implementation restricts '*' to a single leftmost label
// (RFC 6125 section 6.4.3) so that a pattern such as "*.example.org"
// cannot match names with additional labels.
static bool MatchHostnames(const char *match_pattern, const char *fqdn);
private:
static const char *ctype[4]; // Names of types, indexed by EX509Type + 1
};
#endif