45#include <openssl/pem.h>
47#define BIO_PRINT(b,c) \
49 BIO_get_mem_ptr(b, &bptr); \
51 char *s = new char[bptr->length+1]; \
52 memcpy(s, bptr->data, bptr->length); \
53 s[bptr->length] = '\0'; \
57 PRINT("ERROR: "<<c<<" BIO internal buffer undefined!"); \
61const char *XrdCryptosslX509::cpxytype[5] = {
"",
"unknown",
"RFC",
"GSI3",
"legacy" };
69 EPNAME(
"X509::XrdCryptosslX509_file");
88 DEBUG(
"file name undefined");
93 if (
stat(cf, &st) != 0) {
94 if (errno == ENOENT) {
95 DEBUG(
"file "<<cf<<
" does not exist - do nothing");
97 DEBUG(
"cannot stat file "<<cf<<
" (errno: "<<errno<<
")");
103 FILE *fc =
fopen(cf,
"r");
105 DEBUG(
"cannot open file "<<cf<<
" (errno: "<<errno<<
")");
110 if (!PEM_read_X509(fc, &cert, 0, 0)) {
111 DEBUG(
"Unable to load certificate from file");
114 DEBUG(
"certificate successfully loaded");
132 if (
stat(kf, &st) == -1) {
133 DEBUG(
"cannot stat private key file "<<kf<<
" (errno:"<<errno<<
")");
136 if (!S_ISREG(st.st_mode) || S_ISDIR(st.st_mode) ||
137 (st.st_mode & (S_IROTH | S_IWOTH)) != 0 ||
138 (st.st_mode & (S_IWGRP)) != 0) {
139 DEBUG(
"private key file "<<kf<<
" has wrong permissions "<<
140 (st.st_mode & 0777) <<
" (should be at most 0640)");
144 FILE *fk =
fopen(kf,
"r");
146 DEBUG(
"cannot open file "<<kf<<
" (errno: "<<errno<<
")");
150 if ((evpp = PEM_read_PrivateKey(fk,0,0,0))) {
151 DEBUG(
"RSA key completed ");
153 auto tmprsa = std::make_unique<XrdCryptosslRSA>(evpp, 1);
156 pki = tmprsa.release();
159 DEBUG(
"cannot read the key from file");
174 EPNAME(
"X509::XrdCryptosslX509_bio");
193 DEBUG(
"got undefined opaque buffer");
199 BIO *bmem = BIO_new(BIO_s_mem());
201 DEBUG(
"unable to create BIO for memory operations");
206 int nw = BIO_write(bmem,(
const void *)(buck->
buffer),buck->
size);
207 if (nw != buck->
size) {
208 DEBUG(
"problems writing data to memory BIO (nw: "<<nw<<
")");
213 if (!(cert = PEM_read_bio_X509(bmem,0,0,0))) {
214 DEBUG(
"unable to read certificate to memory BIO");
228 EVP_PKEY *evpp = X509_get_pubkey(cert);
235 DEBUG(
"could not access the public key");
243 EPNAME(
"X509::XrdCryptosslX509_x509");
262 DEBUG(
"got undefined X509 object");
276 EVP_PKEY *evpp = X509_get_pubkey(cert);
283 DEBUG(
"could not access the public key");
293 if (cert) X509_free(cert);
299void XrdCryptosslX509::CertType()
307 PRINT(
"ERROR: certificate is not initialized");
315 int numext = X509_get_ext_count(cert);
317 DEBUG(
"certificate has got no extensions");
320 TRACE(ALL,
"certificate has "<<numext<<
" extensions");
324 X509_EXTENSION *ext = 0;
329 BASIC_CONSTRAINTS *bc = 0;
330 if ((bc = (BASIC_CONSTRAINTS *)X509_get_ext_d2i(cert, NID_basic_constraints, &crit, &idx)) &&
333 DEBUG(
"CA certificate");
336 if (bc) BASIC_CONSTRAINTS_free(bc);
344 if (issuer == common) {
351 if ((idx = X509_get_ext_by_NID(cert, NID_proxyCertInfo,-1)) == -1) {
357 DEBUG(
"Found GSI 3 proxyCertInfo extension");
358 }
else if (xcp == -1) {
362 if ((ext = X509_get_ext(cert,idx)) == 0) {
363 PRINT(
"ERROR: could not get proxyCertInfo extension");
369 if (X509_EXTENSION_get_critical(ext)) {
370 PROXY_CERT_INFO_EXTENSION *pci = (PROXY_CERT_INFO_EXTENSION *)X509V3_EXT_d2i(ext);
372 if ((pci->proxyPolicy) != 0) {
373 if ((pci->proxyPolicy->policyLanguage) != 0) {
377 DEBUG(
"Found RFC 382{0,1}compliant proxyCertInfo extension");
378 if (X509_get_ext_by_NID(cert, NID_proxyCertInfo, idx) != -1) {
379 PRINT(
"WARNING: multiple proxyCertInfo extensions found: taking the first");
382 PRINT(
"ERROR: accessing policy language from proxyCertInfo extension");
385 PRINT(
"ERROR: accessing policy from proxyCertInfo extension");
387 PROXY_CERT_INFO_EXTENSION_free(pci);
389 PRINT(
"ERROR: proxyCertInfo conversion error");
392 PRINT(
"ERROR: proxyCertInfo not flagged as critical");
395 if (!pxyname || done)
return;
399 if (lastcn ==
"proxy" || lastcn ==
"limited proxy") {
421 auto tmprsa = std::make_unique<XrdCryptosslRSA>((EVP_PKEY*)newpki, 1);
429 pki = tmprsa.release();
472 if (subject.
length() <= 0) {
476 DEBUG(
"WARNING: no certificate available - cannot extract subject name");
477 return (
const char *)0;
485 return (subject.
length() > 0) ? subject.
c_str() : (
const char *)0;
495 if (issuer.
length() <= 0) {
499 DEBUG(
"WARNING: no certificate available - cannot extract issuer name");
500 return (
const char *)0;
508 return (issuer.
length() > 0) ? issuer.
c_str() : (
const char *)0;
517 EPNAME(
"X509::IssuerHash");
519#if (OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(__APPLE__))
522 if (issueroldhash.
length() <= 0) {
525 char chash[30] = {0};
526 snprintf(chash,
sizeof(chash),
527 "%08lx.0",X509_NAME_hash_old(X509_get_issuer_name(cert)));
528 issueroldhash = chash;
530 DEBUG(
"WARNING: no certificate available - cannot extract issuer hash (md5)");
534 return (issueroldhash.
length() > 0) ? issueroldhash.
c_str() : (
const char *)0;
541 if (issuerhash.
length() <= 0) {
545 char chash[30] = {0};
546 snprintf(chash,
sizeof(chash),
547 "%08lx.0",X509_NAME_hash(X509_get_issuer_name(cert)));
550 DEBUG(
"WARNING: no certificate available - cannot extract issuer hash (default)");
555 return (issuerhash.
length() > 0) ? issuerhash.
c_str() : (
const char *)0;
564 EPNAME(
"X509::SubjectHash");
566#if (OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(__APPLE__))
569 if (subjectoldhash.
length() <= 0) {
572 char chash[30] = {0};
573 snprintf(chash,
sizeof(chash),
574 "%08lx.0",X509_NAME_hash_old(X509_get_subject_name(cert)));
575 subjectoldhash = chash;
577 DEBUG(
"WARNING: no certificate available - cannot extract subject hash (md5)");
581 return (subjectoldhash.
length() > 0) ? subjectoldhash.
c_str() : (
const char *)0;
588 if (subjecthash.
length() <= 0) {
592 char chash[30] = {0};
593 snprintf(chash,
sizeof(chash),
594 "%08lx.0",X509_NAME_hash(X509_get_subject_name(cert)));
597 DEBUG(
"WARNING: no certificate available - cannot extract subject hash (default)");
602 return (subjecthash.
length() > 0) ? subjecthash.
c_str() : (
const char *)0;
611 if (cert && X509_get_serialNumber(cert)) {
612 BIGNUM *bn = BN_new();
613 ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), bn);
614 char *sn = BN_bn2dec(bn);
615 sernum = strtoll(sn, 0, 10);
629 if (cert && X509_get_serialNumber(cert)) {
630 BIGNUM *bn = BN_new();
631 ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), bn);
632 char *sn = BN_bn2hex(bn);
646 EPNAME(
"X509::GetExtension");
651 DEBUG(
"OID string not defined");
657 DEBUG(
"certificate is not initialized");
662 int numext = X509_get_ext_count(cert);
664 DEBUG(
"certificate has got no extensions");
667 DEBUG(
"certificate has "<<numext<<
" extensions");
671 int nid = OBJ_sn2nid(oid);
672 bool usenid = (nid > 0);
676 X509_EXTENSION *wext = 0;
677 for (i = 0; i< numext; i++) {
678 wext = X509_get_ext(cert, i);
680 int enid = OBJ_obj2nid(X509_EXTENSION_get_object(wext));
686 OBJ_obj2txt(s,
sizeof(s), X509_EXTENSION_get_object(wext), 1);
696 DEBUG(
"Extension "<<oid<<
" not found");
712 DEBUG(
"serialization already performed:"
713 " return previous result ("<<bucket->
size<<
" bytes)");
719 DEBUG(
"certificate is not initialized");
725 BIO *bmem = BIO_new(BIO_s_mem());
727 DEBUG(
"unable to create BIO for memory operations");
732 if (!PEM_write_bio_X509(bmem, cert)) {
733 DEBUG(
"unable to write certificate to memory BIO");
739 int blen = BIO_get_mem_data(bmem, &bdata);
740 DEBUG(
"BIO data: "<<blen<<
" bytes at 0x"<<(
int *)bdata);
746 bucket->
SetBuf(bdata, blen);
747 DEBUG(
"result of serialization: "<<bucket->
size<<
" bytes");
749 DEBUG(
"unable to create bucket for serialized format");
772 X509 *r = ref ? (X509 *)(ref->
Opaque()) : 0;
773 EVP_PKEY *rk = r ? X509_get_pubkey(r) : 0;
778 int rc = X509_verify(cert, rk);
783 DEBUG(
"signature not OK");
786 DEBUG(
"could not verify signature");
803 X509 *xpi = (X509 *)
Opaque();
807 PRINT(
"we are empty! Do nothing");
813 X509_EXTENSION *xpiext = 0;
814 int npiext = X509_get_ext_count(xpi);
815 PRINT(
"found "<<npiext<<
" extensions ");
817 for (i = 0; i< npiext; i++) {
818 xpiext = X509_get_ext(xpi, i);
820 OBJ_obj2txt(s,
sizeof(s), X509_EXTENSION_get_object(xpiext), 1);
821 int crit = X509_EXTENSION_get_critical(xpiext);
823 PRINT(i <<
": found extension '"<<s<<
"', critical: " << crit);
827 long length = X509_EXTENSION_get_data(xpiext)->length;
828 int ret = FillUnknownExt(&pp, length, dumpunknown);
829 PRINT(
"ret: " << ret);
837int XrdCryptosslX509::FillUnknownExt(
XRDGSI_CONST unsigned char **pp,
long length,
bool dump)
844 int tag, xclass, ret = 0;
847 ASN1_OCTET_STRING *os = 0;
856 while ((p < tot) && (op < p)) {
858 j = ASN1_get_object(&p, &len, &tag, &xclass, length);
863 if (dump)
PRINT(
"ERROR: error in encoding");
871 if (j != (V_ASN1_CONSTRUCTED | 1)) {
872 if (dump)
PRINT(
"PRIM: d="<<depth<<
" hl="<<hl<<
" l="<<len);
874 if (dump)
PRINT(
"CONST: d="<<depth<<
" hl="<<hl<<
" l=inf ");
876 if (!Asn1PrintInfo(tag, xclass, j, (indent) ? depth : 0))
878 if (j & V_ASN1_CONSTRUCTED) {
880 if (dump)
PRINT(
" ");
882 if (dump)
PRINT(
"ERROR:CONST: length is greater than " <<length);
886 if ((j == 0x21) && (len == 0)) {
888 r = FillUnknownExt(&p, (
long)(tot-p), dump);
893 if ((r == 2) || (p >= tot))
898 r = FillUnknownExt(&p, (
long)len, dump);
905 }
else if (xclass != 0) {
907 if (dump)
PRINT(
" ");
910 if ((tag == V_ASN1_PRINTABLESTRING) ||
911 (tag == V_ASN1_T61STRING) ||
912 (tag == V_ASN1_IA5STRING) ||
913 (tag == V_ASN1_VISIBLESTRING) ||
914 (tag == V_ASN1_NUMERICSTRING) ||
915 (tag == V_ASN1_UTF8STRING) ||
916 (tag == V_ASN1_UTCTIME) ||
917 (tag == V_ASN1_GENERALIZEDTIME)) {
919 char *s =
new char[len + 1];
922 if (dump)
PRINT(
"GENERIC:" << s <<
" (len: "<<(
int)len<<
")");
925 if (dump)
PRINT(
"GENERIC: (len: "<<(
int)len<<
")");
927 }
else if (tag == V_ASN1_OBJECT) {
929 if (d2i_ASN1_OBJECT(&o, &opp, len+hl)) {
930 BIO *mem = BIO_new(BIO_s_mem());
931 i2a_ASN1_OBJECT(mem, o);
935 if (dump)
PRINT(
"ERROR:AOBJ: BAD OBJECT");
937 }
else if (tag == V_ASN1_BOOLEAN) {
939 if (dump)
PRINT(
"ERROR:BOOL: Bad boolean");
942 if (dump)
PRINT(
"BOOL:"<< p[0]);
943 }
else if (tag == V_ASN1_BMPSTRING) {
945 }
else if (tag == V_ASN1_OCTET_STRING) {
946 int i, printable = 1;
948 os = d2i_ASN1_OCTET_STRING(0, &opp, len + hl);
949 if (os && os->length > 0) {
952 for (i=0; i<os->length; i++) {
953 if (( (opp[i] <
' ') && (opp[i] !=
'\n') &&
954 (opp[i] !=
'\r') && (opp[i] !=
'\t')) || (opp[i] >
'~')) {
961 char *s =
new char[os->length + 1];
962 memcpy(s, opp, os->length);
964 if (dump)
PRINT(
"OBJS:" << s <<
" (len: "<<os->length<<
")");
968 if (!nl)
PRINT(
"OBJS:");
969 BIO *mem = BIO_new(BIO_s_mem());
970 if (BIO_dump_indent(mem, (
const char *)opp, os->length, dump_indent) <= 0) {
971 if (dump)
PRINT(
"ERROR:OBJS: problems dumping to BIO");
980 ASN1_OCTET_STRING_free(os);
983 }
else if (tag == V_ASN1_INTEGER) {
988 bs = d2i_ASN1_INTEGER(0, &opp, len+hl);
990 if (dump)
PRINT(
"AINT:");
991 if (bs->type == V_ASN1_NEG_INTEGER)
992 if (dump)
PRINT(
"-");
993 BIO *mem = BIO_new(BIO_s_mem());
994 for (i = 0; i < bs->length; i++) {
995 if (BIO_printf(mem,
"%02X", bs->data[i]) <= 0) {
996 if (dump)
PRINT(
"ERROR:AINT: problems printf-ing to BIO");
1002 if (bs->length == 0)
PRINT(
"00");
1004 if (dump)
PRINT(
"ERROR:AINT: BAD INTEGER");
1006 ASN1_INTEGER_free(bs);
1007 }
else if (tag == V_ASN1_ENUMERATED) {
1008 ASN1_ENUMERATED *bs;
1012 bs = d2i_ASN1_ENUMERATED(0, &opp, len+hl);
1014 if (dump)
PRINT(
"AENU:");
1015 if (bs->type == V_ASN1_NEG_ENUMERATED)
1016 if (dump)
PRINT(
"-");
1017 BIO *mem = BIO_new(BIO_s_mem());
1018 for (i = 0; i < bs->length; i++) {
1019 if (BIO_printf(mem,
"%02X", bs->data[i]) <= 0) {
1020 if (dump)
PRINT(
"ERROR:AENU: problems printf-ing to BIO");
1026 if (bs->length == 0)
PRINT(
"00");
1028 if (dump)
PRINT(
"ERROR:AENU: BAD ENUMERATED");
1030 ASN1_ENUMERATED_free(bs);
1033 if (!nl && dump)
PRINT(
" ");
1036 if ((tag == V_ASN1_EOC) && (xclass == 0)) {
1045 if (o) ASN1_OBJECT_free(o);
1046 if (os) ASN1_OCTET_STRING_free(os);
1048 if (dump)
PRINT(
"ret: "<<ret);
1054int XrdCryptosslX509::Asn1PrintInfo(
int tag,
int xclass,
int constructed,
int indent)
1059 static const char fmt[]=
"%-18s";
1060 static const char fmt2[]=
"%2d %-15s";
1062 const char *p, *p2 = 0;
1064 BIO *bp = BIO_new(BIO_s_mem());
1065 if (constructed & V_ASN1_CONSTRUCTED)
1069 if (BIO_write(bp, p, 6) < 6)
1071 BIO_indent(bp, indent, 128);
1074 if ((xclass & V_ASN1_PRIVATE) == V_ASN1_PRIVATE)
1075 BIO_snprintf(str,
sizeof str,
"priv [ %d ] ",tag);
1076 else if ((xclass & V_ASN1_CONTEXT_SPECIFIC) == V_ASN1_CONTEXT_SPECIFIC)
1077 BIO_snprintf(str,
sizeof str,
"cont [ %d ]",tag);
1078 else if ((xclass & V_ASN1_APPLICATION) == V_ASN1_APPLICATION)
1079 BIO_snprintf(str,
sizeof str,
"appl [ %d ]",tag);
1081 BIO_snprintf(str,
sizeof str,
"<ASN1 %d>",tag);
1083 p = ASN1_tag2str(tag);
1086 if (BIO_printf(bp,fmt2,tag,p2) <= 0)
1089 if (BIO_printf(bp, fmt, p) <= 0)
1112 GENERAL_NAMES *gens =
static_cast<GENERAL_NAMES *
>(X509_get_ext_d2i(cert,
1113 NID_subject_alt_name, NULL, NULL));
1127 bool success =
false;
1128 for (
int idx = 0; idx < sk_GENERAL_NAME_num(gens); idx++) {
1131 gen = sk_GENERAL_NAME_value(gens, idx);
1132 if (gen->type != GEN_DNS)
1134 cstr = gen->d.dNSName;
1135 if (ASN1_STRING_type(cstr) != V_ASN1_IA5STRING)
1137 int san_fqdn_len = ASN1_STRING_length(cstr);
1138 if (san_fqdn_len > 255)
1140#if OPENSSL_VERSION_NUMBER >= 0x10100000L
1141 memcpy(san_fqdn, ASN1_STRING_get0_data(cstr), san_fqdn_len);
1143 memcpy(san_fqdn, ASN1_STRING_data(cstr), san_fqdn_len);
1145 san_fqdn[san_fqdn_len] =
'\0';
1146 if (strlen(san_fqdn) !=
static_cast<size_t>(san_fqdn_len))
1148 DEBUG(
"Comparing SAN " << san_fqdn <<
" with " << fqdn);
1150 DEBUG(
"SAN " << san_fqdn <<
" matches with " << fqdn);
1155 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
void XrdCryptosslNameOneLine(X509_NAME *nm, XrdOucString &s)
time_t XrdCryptosslASN1toUTC(const ASN1_TIME *tsn1)
int XrdCryptosslX509CheckProxy3(XrdCryptoX509 *, XrdOucString &)
int emsg(int rc, char *msg)
const char * SubjectHash()
virtual XrdCryptoX509data Opaque()
const char * IssuerHash()
static bool MatchHostnames(const char *match_pattern, const char *fqdn)
XrdCryptoX509data GetExtension(const char *oid)
int DumpExtensions(bool dumpunknown=0)
virtual ~XrdCryptosslX509()
XrdOucString SerialNumberString()
XrdCryptoX509data Opaque()
bool Verify(XrdCryptoX509 *ref)
virtual bool MatchesSAN(const char *, bool &)
XrdCryptosslX509(const char *cf, const char *kf=0)
void SetPKI(XrdCryptoX509data pki)
int rfind(const char c, int start=STR_NPOS)
const char * c_str() const
int SetBuf(const char *nb=0, int ns=0)