xrootd
XrdCryptoX509Chain.hh
Go to the documentation of this file.
1 #ifndef __CRYPTO_X509CHAIN_H__
2 #define __CRYPTO_X509CHAIN_H__
3 /******************************************************************************/
4 /* */
5 /* X r d C r y p t o X 5 0 9 C h a i n . h h */
6 /* */
7 /* (c) 2005 G. Ganis , CERN */
8 /* */
9 /* This file is part of the XRootD software suite. */
10 /* */
11 /* XRootD is free software: you can redistribute it and/or modify it under */
12 /* the terms of the GNU Lesser General Public License as published by the */
13 /* Free Software Foundation, either version 3 of the License, or (at your */
14 /* option) any later version. */
15 /* */
16 /* XRootD is distributed in the hope that it will be useful, but WITHOUT */
17 /* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or */
18 /* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public */
19 /* License for more details. */
20 /* */
21 /* You should have received a copy of the GNU Lesser General Public License */
22 /* along with XRootD in a file called COPYING.LESSER (LGPL license) and file */
23 /* COPYING (GPL license). If not, see <http://www.gnu.org/licenses/>. */
24 /* */
25 /* The copyright holder's institutional names and contributor's names may not */
26 /* be used to endorse or promote products derived from this software without */
27 /* specific prior written permission of the institution or contributor. */
28 /* */
29 /******************************************************************************/
30 
31 /* ************************************************************************** */
32 /* */
33 /* Chain of X509 certificates. */
34 /* */
35 /* ************************************************************************** */
36 
37 #include "XrdSut/XrdSutBucket.hh"
38 #include "XrdCrypto/XrdCryptoX509.hh"
39 #include "XrdCrypto/XrdCryptoX509Crl.hh"
40 
41 // ---------------------------------------------------------------------------//
42 // //
43 // XrdCryptoX509Chain //
44 // //
45 // Light single-linked list for managing stacks of XrdCryptoX509* objects //
46 // //
47 // ---------------------------------------------------------------------------//
48 
49 //
50 // Description of options for verify
51 typedef struct {
52  int opt; // option container
53  int when; // time of verification (UTC)
54  int pathlen; // max allowed path length of chain
55  XrdCryptoX509Crl *crl; // CRL
56 } x509ChainVerifyOpt_t;
57 
58 const int kOptsCheckSelfSigned = 0x2; // CA ckecking option
59 
60 //
61 // Node definition
62 //
63 class XrdCryptoX509ChainNode {
64 
65 private:
66  XrdCryptoX509 *cert;
67  XrdCryptoX509ChainNode *next;
68 public:
69  XrdCryptoX509ChainNode(XrdCryptoX509 *c = 0, XrdCryptoX509ChainNode *n = 0)
70  { cert = c; next = n;}
71  virtual ~XrdCryptoX509ChainNode() { }
72 
73  XrdCryptoX509 *Cert() const { return cert; }
74  XrdCryptoX509ChainNode *Next() const { return next; }
75 
76  void SetNext(XrdCryptoX509ChainNode *n) { next = n; }
77 };
78 
79 class XrdCryptoX509Chain {
80 
81  friend class XrdCryptosslgsiX509Chain;
82 
83  enum ESearchMode { kExact = 0, kBegin = 1, kEnd = 2 };
84 
85 public:
86  XrdCryptoX509Chain(XrdCryptoX509 *c = 0);
87  XrdCryptoX509Chain(XrdCryptoX509Chain *ch);
88  virtual ~XrdCryptoX509Chain();
89 
90  // CA status
91  enum ECAStatus { kUnknown = 0, kAbsent, kInvalid, kValid};
92 
93  // Error codes
94  enum EX509ChainErr { kNone = 0, kInconsistent, kTooMany, kNoCA,
95  kNoCertificate, kInvalidType, kInvalidNames,
96  kRevoked, kExpired, kMissingExtension,
97  kVerifyFail, kInvalidSign, kCANotAutoSigned };
98 
99  // In case or error
100  const char *X509ChainError(EX509ChainErr e);
101  const char *LastError() const { return lastError.c_str(); }
102 
103  // Dump content
104  void Dump();
105 
106  // Access information
107  int Size() const { return size; }
108  XrdCryptoX509 *End() const { return end->Cert(); }
109  ECAStatus StatusCA() const { return statusCA; }
110  const char *CAname();
111  const char *EECname();
112  const char *CAhash();
113  const char *EEChash();
114 
115  // Modifiers
116  void InsertAfter(XrdCryptoX509 *c, XrdCryptoX509 *cp);
117  void PutInFront(XrdCryptoX509 *c);
118  void PushBack(XrdCryptoX509 *c);
119  void Remove(XrdCryptoX509 *c);
120  bool CheckCA(bool checkselfsigned = 1);
121  void Cleanup(bool keepCA = 0);
122  void SetStatusCA(ECAStatus st) { statusCA = st; }
123 
124  // Search
125  XrdCryptoX509 *SearchByIssuer(const char *issuer,
126  ESearchMode mode = kExact);
127  XrdCryptoX509 *SearchBySubject(const char *subject,
128  ESearchMode mode = kExact);
129 
130  // Check validity in time
131  virtual int CheckValidity(bool outatfirst = 1, int when = 0);
132 
133  // Reorder (C(n) issuer of C(n+1))
134  virtual int Reorder();
135 
136  // Verify chain
137  virtual bool Verify(EX509ChainErr &e, x509ChainVerifyOpt_t *vopt = 0);
138 
139  // Pseudo - iterator functionality
140  XrdCryptoX509 *Begin();
141  XrdCryptoX509 *Next();
142 
143 private:
144 
145 
146  XrdCryptoX509ChainNode *begin;
147  XrdCryptoX509ChainNode *current;
148  XrdCryptoX509ChainNode *end;
149  XrdCryptoX509ChainNode *previous;
150  int size;
151  XrdOucString lastError;
152  XrdOucString caname;
153  XrdOucString eecname;
154  XrdOucString cahash;
155  XrdOucString eechash;
156  ECAStatus statusCA;
157 
158  XrdCryptoX509ChainNode *Find(XrdCryptoX509 *c);
159  XrdCryptoX509ChainNode *FindIssuer(const char *issuer,
160  ESearchMode mode = kExact,
161  XrdCryptoX509ChainNode **p = 0);
162  XrdCryptoX509ChainNode *FindSubject(const char *subject,
163  ESearchMode mode = kExact,
164  XrdCryptoX509ChainNode **p = 0);
165  bool Verify(EX509ChainErr &e, const char *msg,
166  XrdCryptoX509::EX509Type type, int when,
167  XrdCryptoX509 *xcer, XrdCryptoX509 *xsig,
168  XrdCryptoX509Crl *crl = 0);
169 
170 };
171 
172 #endif
Generated by   doxygen 1.8.3.1