// $Id$
#ifndef __CRYPTO_X509CHAIN_H__
#define __CRYPTO_X509CHAIN_H__
/******************************************************************************/
/*                                                                            */
/*                 X r d C r y p t o X 5 0 9 C h a i n . h h                  */
/*                                                                            */
/*                         (c) 2005 G. Ganis , CERN                           */
/*                                                                            */
/******************************************************************************/

/* ************************************************************************** */
/*                                                                            */
/*                        Chain of X509 certificates.                         */
/*                                                                            */
/* ************************************************************************** */

#include <XrdSut/XrdSutBucket.hh>
#include <XrdCrypto/XrdCryptoX509.hh>
#include <XrdCrypto/XrdCryptoX509Crl.hh>

// ---------------------------------------------------------------------------//
//                                                                            //
// XrdCryptoX509Chain                                                         //
//                                                                            //
// Light single-linked list for managing stacks of XrdCryptoX509* objects     //
//                                                                            //
// ---------------------------------------------------------------------------//

//
// Options handed to XrdCryptoX509Chain::Verify.
// NOTE(review): 'when' is a plain int, so its range as a UTC timestamp is
// whatever the caller's conversion gives it — confirm against the callers.
typedef struct {
   int opt;                // option flags (see kOptsCheckSelfSigned below)
   int when;               // time of verification (UTC)
   int pathlen;            // max allowed path length of chain
   XrdCryptoX509Crl *crl;  // CRL used during verification, 0 when none is supplied
} x509ChainVerifyOpt_t;

const int kOptsCheckSelfSigned = 0x2;   // CA checking option (bit in x509ChainVerifyOpt_t::opt)

//
// Node definition
//
// One link of the chain: a certificate pointer plus the link to the next node.
// The node does not own the certificate — its destructor deletes nothing, so
// releasing certificates is left to whoever manages the chain (presumably
// XrdCryptoX509Chain::Cleanup; confirm in the .cc file).
//
class XrdCryptoX509ChainNode {

private:
   XrdCryptoX509 *cert;            // certificate held by this node (not owned)
   XrdCryptoX509ChainNode *next;   // following node, 0 at the tail

public:
   // Wrap certificate 'c'; 'n' is the node that follows this one (0 = tail).
   XrdCryptoX509ChainNode(XrdCryptoX509 *c = 0, XrdCryptoX509ChainNode *n = 0)
      : cert(c), next(n) { }
   // Intentionally empty: the certificate is not deleted here.
   virtual ~XrdCryptoX509ChainNode() { }

   // Read accessors
   XrdCryptoX509 *Cert() const { return cert; }
   XrdCryptoX509ChainNode *Next() const { return next; }

   // Relink this node so that 'n' follows it.
   void SetNext(XrdCryptoX509ChainNode *n) { next = n; }
};

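class XrdCryptoX509Chain {

   // The GSI flavour of the chain is given access to the private node list
   // and the private helpers declared at the bottom of this class.
   friend class XrdCryptosslgsiX509Chain;

   // Matching mode for the Search*/Find* methods. It is declared before the
   // first access specifier and is therefore private: external callers can
   // only rely on the kExact default of SearchByIssuer/SearchBySubject.
   enum ESearchMode { kExact = 0, kBegin = 1, kEnd = 2 };

public:
   // Construct from a single certificate or from another chain; the bodies
   // (and the initial values of the node pointers) live in the .cc file.
   XrdCryptoX509Chain(XrdCryptoX509 *c = 0);
   XrdCryptoX509Chain(XrdCryptoX509Chain *ch);
   virtual ~XrdCryptoX509Chain();

   // CA status
   enum ECAStatus { kUnknown = 0, kAbsent, kInvalid, kValid};

   // Error codes
   enum EX509ChainErr { kNone = 0, kInconsistent, kTooMany, kNoCA,
                        kNoCertificate, kInvalidType, kInvalidNames,
                        kRevoked, kExpired, kMissingExtension,
                        kVerifyFail, kInvalidSign, kCANotAutoSigned };

   // In case of error: text for an error code, and the last error recorded
   // by this object. LastError() returns a pointer into the 'lastError'
   // member, valid only while this chain is alive and until the next error.
   const char *X509ChainError(EX509ChainErr e);
   const char *LastError() const { return lastError.c_str(); }

   // Dump content
   void Dump();

   // Access information
   int Size() const { return size; }
   // Certificate of the last node, or 0 when the chain has no node: 'end' is
   // a null pointer then, and dereferencing it unconditionally was a
   // null-pointer dereference for an empty chain.
   XrdCryptoX509 *End() const { return end ? end->Cert() : 0; }
   ECAStatus StatusCA() const { return statusCA; }
   // Names / hashes of the CA and of the end-entity certificate; the
   // returned pointers refer to string members of this object.
   const char *CAname();
   const char *EECname();
   const char *CAhash();
   const char *EEChash();

   // Modifiers
   void InsertAfter(XrdCryptoX509 *c, XrdCryptoX509 *cp);
   void PutInFront(XrdCryptoX509 *c);
   void PushBack(XrdCryptoX509 *c);
   void Remove(XrdCryptoX509 *c);
   // CheckCA: establish the CA status (see ECAStatus); with 'checkselfsigned'
   // the CA certificate's self-signature is checked as well — confirm the
   // exact rule in the .cc file.
   bool CheckCA(bool checkselfsigned = true);
   // Cleanup: release the chain content; 'keepCA' presumably preserves the CA
   // node — confirm in the .cc file.
   void Cleanup(bool keepCA = false);
   void SetStatusCA(ECAStatus st) { statusCA = st; }

   // Search
   XrdCryptoX509 *SearchByIssuer(const char *issuer,
                                 ESearchMode mode = kExact);
   XrdCryptoX509 *SearchBySubject(const char *subject,
                                  ESearchMode mode = kExact);

   // Check validity in time ('when' is the reference time, 0 per the default;
   // 'outatfirst' presumably stops at the first invalid certificate).
   virtual int CheckValidity(bool outatfirst = true, int when = 0);

   // Reorder (C(n) issuer of C(n+1))
   virtual int Reorder();

   // Verify chain: on failure the reason is reported through 'e' (and
   // LastError()); 'vopt' carries the verification options, 0 for defaults.
   virtual bool Verify(EX509ChainErr &e, x509ChainVerifyOpt_t *vopt = 0);

   // Pseudo - iterator functionality: Begin() positions on the first
   // certificate, Next() advances ('current'/'previous' track the position).
   XrdCryptoX509 *Begin();
   XrdCryptoX509 *Next();

private:

   XrdCryptoX509ChainNode *begin;      // first node
   XrdCryptoX509ChainNode *current;    // iterator position
   XrdCryptoX509ChainNode *end;        // last node (0 when the chain is empty)
   XrdCryptoX509ChainNode *previous;   // node before 'current'
   int size;                           // number of nodes
   XrdOucString lastError;             // text of the last error
   XrdOucString caname;                // cached CA / EEC names and hashes
   XrdOucString eecname;
   XrdOucString cahash;
   XrdOucString eechash;
   ECAStatus statusCA;                 // result of CheckCA / SetStatusCA

   // Node lookup helpers; the Find* variants can also return, through 'p',
   // the node preceding the match.
   XrdCryptoX509ChainNode *Find(XrdCryptoX509 *c);
   XrdCryptoX509ChainNode *FindIssuer(const char *issuer,
                                      ESearchMode mode = kExact,
                                      XrdCryptoX509ChainNode **p = 0);
   XrdCryptoX509ChainNode *FindSubject(const char *subject,
                                       ESearchMode mode = kExact,
                                       XrdCryptoX509ChainNode **p = 0);
   // Single-certificate step of Verify: checks 'xcer' (expected to be of
   // 'type') against its signer 'xsig' at time 'when', optionally against
   // 'crl'; 'msg' is used when composing the error text.
   bool Verify(EX509ChainErr &e, const char *msg,
               XrdCryptoX509::EX509Type type, int when,
               XrdCryptoX509 *xcer, XrdCryptoX509 *xsig,
               XrdCryptoX509Crl *crl = 0);

};

#endif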