XrdCryptosslX509Crl Class Reference

#include <XrdCryptosslX509Crl.hh>


Public Member Functions

 XrdCryptosslX509Crl (const char *crlf, int opt=0)
 
 XrdCryptosslX509Crl (FILE *, const char *crlf)
 
 XrdCryptosslX509Crl (XrdCryptoX509 *cacert)
 
virtual ~XrdCryptosslX509Crl ()
 
void Dump ()
 
bool hasCriticalExtension ()
 
bool IsRevoked (const char *sernum, int when=0)
 
bool IsRevoked (int serialnumber, int when=0)
 
const char * Issuer ()
 
const char * IssuerHash (int)
 
bool IsValid ()
 
time_t LastUpdate ()
 
time_t NextUpdate ()
 
XrdCryptoX509Crldata Opaque ()
 
const char * ParentFile ()
 
bool ToFile (FILE *fh)
 
bool Verify (XrdCryptoX509 *ref)
 
- Public Member Functions inherited from XrdCryptoX509Crl
 XrdCryptoX509Crl ()
 
virtual ~XrdCryptoX509Crl ()
 
virtual bool IsExpired (int when=0)
 
const char * IssuerHash ()
 

Detailed Description

Definition at line 50 of file XrdCryptosslX509Crl.hh.

Constructor & Destructor Documentation

◆ XrdCryptosslX509Crl() [1/3]

XrdCryptosslX509Crl::XrdCryptosslX509Crl ( const char *  crlf,
int  opt = 0 
)

Definition at line 56 of file XrdCryptosslX509Crl.cc.

XrdCryptosslX509Crl::XrdCryptosslX509Crl(const char *cf, int opt)
{
   // Build a CRL object from 'cf'.  With opt == 0, 'cf' is a local file
   // name handed to Init(); with any other value it is a URI handed to
   // InitFromURI(), i.e. the CRL is fetched rather than read from disk.
   // On failure the object is left uninitialized ('crl' stays null, so
   // IsValid() reports false); callers must check IsValid() before use.
   // NOTE(review): nothing here checks the CRL's signature - Init() and
   // InitFromURI() are not shown; run Verify() against the issuer before
   // trusting IsRevoked() on a CRL obtained this way.
   EPNAME("X509Crl::XrdCryptosslX509Crl_file");

   if (opt != 0) {
      // 'cf' is a URI
      if (InitFromURI(cf, 0) != 0) {
         DEBUG("could not initialize the CRL from URI"<<cf);
      }
      return;
   }

   // 'cf' is a path on the local file system
   if (Init(cf) != 0) {
      DEBUG("could not initialize the CRL from "<<cf);
   }
}
#define DEBUG(x)
#define EPNAME(x)

References DEBUG, and EPNAME.

◆ XrdCryptosslX509Crl() [2/3]

XrdCryptosslX509Crl::XrdCryptosslX509Crl ( FILE *  fc,
const char *  crlf 
)

Definition at line 77 of file XrdCryptosslX509Crl.cc.

XrdCryptosslX509Crl::XrdCryptosslX509Crl(FILE *fc, const char *cf)
{
   // Build a CRL object from an already-open stream 'fc'; 'cf' is only the
   // name associated with that stream (presumably what ParentFile() later
   // reports - confirm in Init()) and is not opened here.  A non-zero
   // return from Init() means failure: 'crl' is then left null and
   // IsValid() is false.
   EPNAME("X509Crl::XrdCryptosslX509Crl_file");

   const int rc = Init(fc, cf);
   if (rc != 0) {
      DEBUG("could not initialize the CRL from " << cf);
   }
}

References DEBUG, and EPNAME.

◆ XrdCryptosslX509Crl() [3/3]

XrdCryptosslX509Crl::XrdCryptosslX509Crl ( XrdCryptoX509 cacert)

Definition at line 89 of file XrdCryptosslX509Crl.cc.

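XrdCryptosslX509Crl::XrdCryptosslX509Crl(XrdCryptoX509 *cacert)
{
   // Build a CRL object from the CA certificate 'cacert': render its
   // 'crlDistributionPoints' extension to text, try every "URI:" entry in
   // turn with InitFromURI() and keep the first one that loads.  On
   // success 'crluri' records the URI used; on any failure the object is
   // left uninitialized ('crl' null, IsValid() false).
   //
   // NOTE(review): the distribution point comes from the CA certificate
   // itself, which the caller must already trust (only the kCA type flag
   // is checked here).  Nothing here checks the fetched CRL's signature:
   // run Verify(cacert) before relying on IsRevoked().
   EPNAME("X509Crl::XrdCryptosslX509Crl_CA");

   // The CA certificate must be defined
   if (!cacert || cacert->type != XrdCryptoX509::kCA) {
      DEBUG("the CA certificate is undefined or not CA! ("<<cacert<<")");
      return;
   }

   // Get the extension
   X509_EXTENSION *crlext = (X509_EXTENSION *) cacert->GetExtension("crlDistributionPoints");
   if (!crlext) {
      DEBUG("extension 'crlDistributionPoints' not found in the CA certificate");
      return;
   }

   // Render the extension (object name + printed value) into a memory BIO;
   // the URIs are picked out of that text below.
   BIO *bext = BIO_new(BIO_s_mem());
   if (!bext) {
      DEBUG("could not allocate a memory BIO for the extension");
      return;
   }
   ASN1_OBJECT *obj = X509_EXTENSION_get_object(crlext);
   i2a_ASN1_OBJECT(bext, obj);
   X509V3_EXT_print(bext, crlext, 0, 4);

   // Copy the rendered text out of the BIO before releasing it.  An empty
   // rendering or a failed allocation used to be dereferenced unchecked.
   char *cbio = 0;
   long lbio = BIO_get_mem_data(bext, &cbio);
   if (lbio <= 0 || !cbio) {
      DEBUG("extension 'crlDistributionPoints' rendered to an empty string");
      BIO_free(bext);
      return;
   }
   char *buf = (char *) malloc((size_t)lbio + 1);
   if (!buf) {
      DEBUG("could not allocate "<<(lbio + 1)<<" bytes for the extension text");
      BIO_free(bext);
      return;
   }
   memcpy(buf, cbio, (size_t)lbio);
   buf[lbio] = 0;
   BIO_free(bext);
   // Save it
   XrdOucString uris(buf);
   free(buf);

   DEBUG("URI string: "<< uris);

   // Split on blanks and try each "URI:" token until one loads; later
   // distribution points are ignored once one succeeds.
   XrdOucString uri;
   int from = 0;
   while ((from = uris.tokenize(uri, from, ' ')) != -1) {
      if (!uri.beginswith("URI:"))
         continue;
      uri.replace("URI:","");
      uri.replace("\n","");
      if (InitFromURI(uri.c_str(), cacert->SubjectHash()) == 0) {
         crluri = uri;
         // We are done
         break;
      }
   }
}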
virtual XrdCryptoX509data GetExtension(const char *oid)
virtual const char * SubjectHash(int)
bool beginswith(char c)
int replace(const char *s1, const char *s2, int from=0, int to=-1)
const char * c_str() const

References XrdOucString::beginswith(), XrdOucString::c_str(), DEBUG, EPNAME, XrdCryptoX509::GetExtension(), XrdCryptoX509::kCA, XrdOucString::replace(), XrdCryptoX509::SubjectHash(), XrdOucString::tokenize(), and XrdCryptoX509::type.


◆ ~XrdCryptosslX509Crl()

XrdCryptosslX509Crl::~XrdCryptosslX509Crl ( )
virtual

Definition at line 146 of file XrdCryptosslX509Crl.cc.

XrdCryptosslX509Crl::~XrdCryptosslX509Crl()
{
   // Release the OpenSSL CRL object, if one was ever loaded.  Any raw
   // pointer previously handed out by Opaque() dangles from here on, so
   // callers must not keep it beyond the lifetime of this object.
   if (crl != 0) {
      X509_CRL_free(crl);
      crl = 0;
   }
}

Member Function Documentation

◆ Dump()

void XrdCryptosslX509Crl::Dump ( )
virtual

Reimplemented from XrdCryptoX509Crl.

Definition at line 658 of file XrdCryptosslX509Crl.cc.

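// Render 't' as an asctime-style calendar string in UTC, without the
// trailing newline, into 'out' (at least 26 bytes, 'len' total).  On any
// conversion failure 'out' is left as an empty string instead of indexing
// one byte before the buffer as "out[strlen(out)-1] = 0" would on "".
static void XrdCryptosslCrlTimeString(time_t t, char *out, size_t len)
{
   out[0] = 0;
   if (len < 26)
      return;
   struct tm tst;
   if (!gmtime_r(&t, &tst))
      return;
   if (!asctime_r(&tst, out)) {
      out[0] = 0;
      return;
   }
   size_t n = strlen(out);
   if (n > 0 && out[n - 1] == '\n')
      out[n - 1] = 0;
}

void XrdCryptosslX509Crl::Dump()
{
   // Print a human-readable summary of the CRL through PRINT: source file,
   // issuer and issuer hash, validity window, number of revoked entries.
   // Each update time is shown as seconds since the Epoch and as a
   // calendar string; the string is built in UTC (gmtime_r) so that it
   // matches the "UTC" label - the previous localtime_r rendering depended
   // on the process time zone while still being labelled UTC.  Nothing here
   // validates the CRL; IsExpired() is consulted only for the "(expired!)"
   // tag.  LastUpdate()/NextUpdate() return a negative value when unknown,
   // which is printed as-is.
   EPNAME("X509Crl::Dump");

   // Time strings
   char stbeg[256] = {0};
   time_t tbeg = LastUpdate();
   XrdCryptosslCrlTimeString(tbeg, stbeg, sizeof(stbeg));
   char stend[256] = {0};
   time_t tend = NextUpdate();
   XrdCryptosslCrlTimeString(tend, stend, sizeof(stend));

   PRINT("+++++++++++++++ X509 CRL dump +++++++++++++++++++++++");
   PRINT("+");
   PRINT("+ File: "<<ParentFile());
   PRINT("+");
   PRINT("+ Issuer: "<<Issuer());
   PRINT("+ Issuer hash: "<<IssuerHash(0));
   PRINT("+");
   if (IsExpired()) {
      PRINT("+ Validity: (expired!)");
   } else {
      PRINT("+ Validity:");
   }
   PRINT("+ LastUpdate: "<<tbeg<<" UTC - "<<stbeg);
   PRINT("+ NextUpdate: "<<tend<<" UTC - "<<stend);
   PRINT("+");
   PRINT("+ Number of revoked certificates: "<<nrevoked);
   PRINT("+");
   PRINT("+++++++++++++++++++++++++++++++++++++++++++++++++");
}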
#define PRINT(y)
virtual bool IsExpired(int when=0)
const char * IssuerHash()

References EPNAME, XrdCryptoX509Crl::IsExpired(), Issuer(), XrdCryptoX509Crl::IssuerHash(), LastUpdate(), NextUpdate(), ParentFile(), and PRINT.


◆ hasCriticalExtension()

bool XrdCryptosslX509Crl::hasCriticalExtension ( )

Definition at line 379 of file XrdCryptosslX509Crl.cc.

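bool XrdCryptosslX509Crl::hasCriticalExtension()
{
   // True when the loaded CRL carries at least one extension flagged
   // critical.  RFC 5280 (5.2) says a relying party that does not
   // understand a critical CRL extension must not use that CRL, so callers
   // should treat 'true' as a reason to reject the CRL unless they handle
   // every critical extension it contains.
   // An uninitialized object holds no CRL and therefore no extensions; it
   // must not reach X509_CRL_get_ext_by_critical(), which dereferences crl
   // (every other accessor in this class guards on 'crl' the same way).
   if (!crl)
      return false;

   // X509_CRL_get_ext_by_critical(crl, 1, -1) returns the index of the
   // first critical extension, or -1 when there is none.
   return X509_CRL_get_ext_by_critical(crl, 1, -1) != -1;
}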

◆ IsRevoked() [1/2]

bool XrdCryptosslX509Crl::IsRevoked ( const char *  sernum,
int  when = 0 
)
virtual

Reimplemented from XrdCryptoX509Crl.

Definition at line 621 of file XrdCryptosslX509Crl.cc.

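bool XrdCryptosslX509Crl::IsRevoked(const char *sernum, int when)
{
   // Report whether the certificate with serial number 'sernum' is in this
   // CRL's revocation list at reference time 'when' (seconds since the
   // Epoch; 0 or negative means "now").  'sernum' is used verbatim as the
   // cache tag - the int overload shows the expected form (lower-case hex,
   // no prefix).  A certificate counts as revoked only once 'when' is past
   // the revocation time recorded in the cache entry.
   //
   // NOTE(review): an expired CRL (now > NextUpdate()) only logs a warning
   // and the stale list is still consulted, i.e. this method fails open.
   // Callers needing fail-closed behaviour must check IsExpired() first.
   EPNAME("IsRevoked");

   // Reference time, kept as time_t: the previous int would wrap in 2038
   time_t now = (when > 0) ? (time_t)when : time(0);

   // Warn if CRL should be updated
   if (now > NextUpdate()) {
      DEBUG("WARNING: CRL is expired: you should download the updated one");
   }

   // We must have something to check against
   if (nrevoked <= 0) {
      DEBUG("No certificate in the list");
      return false;
   }
   if (!sernum) {
      DEBUG("serial number undefined");
      return false;
   }

   // Look into the cache.  Get() appears to hand the entry back locked
   // (the original code unlocked it only on the kCE_ok path, leaving an
   // entry with any other status locked), so release it on every path.
   bool revoked = false;
   XrdSutCacheEntry *cent = cache.Get(sernum);
   if (cent) {
      // Check the revocation time
      if (cent->status == kCE_ok && now > cent->mtime) {
         DEBUG("certificate "<<sernum<<" has been revoked");
         revoked = true;
      }
      cent->rwmtx.UnLock();
   }

   return revoked;
}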
@ kCE_ok
XrdSutCacheEntry * Get(const char *tag)

References DEBUG, EPNAME, XrdSutCache::Get(), kCE_ok, XrdSutCacheEntry::mtime, NextUpdate(), XrdSutCacheEntry::rwmtx, XrdSutCacheEntry::status, and XrdSysRWLock::UnLock().


◆ IsRevoked() [2/2]

bool XrdCryptosslX509Crl::IsRevoked ( int  serialnumber,
int  when = 0 
)
virtual

Reimplemented from XrdCryptoX509Crl.

Definition at line 580 of file XrdCryptosslX509Crl.cc.

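bool XrdCryptosslX509Crl::IsRevoked(int serialnumber, int when)
{
   // Convenience overload: render 'serialnumber' as the lower-case hex tag
   // under which revoked serials are looked up and defer to the string
   // overload, which performs the expiry warning, the cache lookup and the
   // revocation-time comparison.  Keeping a single implementation stops
   // the two copies from drifting apart.  'when' has the same meaning as
   // there (seconds since the Epoch, 0 or negative = now).
   //
   // NOTE(review): only serial numbers that fit in an int can be queried
   // this way; real-world serials are frequently wider, so prefer the
   // string overload with the hex form of the full serial.

   // Build the tag: "%x" of a 32-bit value needs at most 8 hex digits
   char tagser[20] = {0};
   snprintf(tagser, sizeof(tagser), "%x", (unsigned int)serialnumber);

   return IsRevoked(tagser, when);
}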

References DEBUG, EPNAME, XrdSutCache::Get(), kCE_ok, XrdSutCacheEntry::mtime, NextUpdate(), XrdSutCacheEntry::rwmtx, XrdSutCacheEntry::status, and XrdSysRWLock::UnLock().


◆ Issuer()

const char * XrdCryptosslX509Crl::Issuer ( )
virtual

Reimplemented from XrdCryptoX509Crl.

Definition at line 491 of file XrdCryptosslX509Crl.cc.

const char *XrdCryptosslX509Crl::Issuer()
{
   // Issuer name of the CRL as a one-line string, extracted lazily on first
   // use and cached in 'issuer'.  Returns 0 when no CRL is loaded or the
   // name could not be extracted.  The pointer refers to member storage and
   // is valid for the lifetime of this object.
   EPNAME("X509Crl::Issuer");

   // Cached from an earlier call?
   if (issuer.length() > 0)
      return issuer.c_str();

   // Make sure we have a CRL
   if (!crl) {
      DEBUG("WARNING: no CRL available - cannot extract issuer name");
      return (const char *)0;
   }

   // Extract issuer name
   XrdCryptosslNameOneLine(X509_CRL_get_issuer(crl), issuer);
   return (issuer.length() > 0) ? issuer.c_str() : (const char *)0;
}
void XrdCryptosslNameOneLine(X509_NAME *nm, XrdOucString &s)
int length() const

References XrdOucString::c_str(), DEBUG, EPNAME, XrdOucString::length(), and XrdCryptosslNameOneLine().

Referenced by Dump().


◆ IssuerHash()

const char * XrdCryptosslX509Crl::IssuerHash ( int  alg)
virtual

Reimplemented from XrdCryptoX509Crl.

Definition at line 514 of file XrdCryptosslX509Crl.cc.

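const char *XrdCryptosslX509Crl::IssuerHash(int alg)
{
   // Hash of the issuer name in OpenSSL's "<8 hex digits>.0" form (the
   // naming scheme of hashed CA directories).  alg == 0 selects the current
   // X509_NAME_hash; alg == 1 selects the pre-1.0.0 MD5-based
   // X509_NAME_hash_old, which this build offers only with OpenSSL >= 1.0.0
   // and not on macOS - elsewhere alg == 1 silently falls back to the
   // default hash.  Results are cached in 'issuerhash' / 'issueroldhash';
   // 0 is returned when no CRL is loaded.  The returned pointer refers to
   // member storage and stays valid for the lifetime of this object.
   // (Log prefix and messages now say "X509Crl"/"CRL": this is a CRL, not
   // a certificate.)
   EPNAME("X509Crl::IssuerHash");

#if (OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(__APPLE__))
   if (alg == 1) {
      // md5 based, extracted on first use
      if (issueroldhash.length() <= 0) {
         if (crl) {
            char chash[30] = {0};
            snprintf(chash, sizeof(chash),
                     "%08lx.0", X509_NAME_hash_old(X509_CRL_get_issuer(crl)));
            issueroldhash = chash;
         } else {
            DEBUG("WARNING: no CRL available - cannot extract issuer hash (md5)");
         }
      }
      // return what we have
      return (issueroldhash.length() > 0) ? issueroldhash.c_str() : (const char *)0;
   }
#else
   // Old hash not available on this platform: every 'alg' uses the default
   (void)alg;
#endif

   // Default hash, extracted on first use
   if (issuerhash.length() <= 0) {
      if (crl) {
         char chash[30] = {0};
         snprintf(chash, sizeof(chash),
                  "%08lx.0", X509_NAME_hash(X509_CRL_get_issuer(crl)));
         issuerhash = chash;
      } else {
         DEBUG("WARNING: no CRL available - cannot extract issuer hash (default)");
      }
   }

   // return what we have
   return (issuerhash.length() > 0) ? issuerhash.c_str() : (const char *)0;
}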

References XrdOucString::c_str(), DEBUG, EPNAME, and XrdOucString::length().


◆ IsValid()

bool XrdCryptosslX509Crl::IsValid ( )
inlinevirtual

Reimplemented from XrdCryptoX509Crl.

Definition at line 59 of file XrdCryptosslX509Crl.hh.

59{ return (crl != 0); }

◆ LastUpdate()

time_t XrdCryptosslX509Crl::LastUpdate ( )
virtual

Reimplemented from XrdCryptoX509Crl.

Definition at line 459 of file XrdCryptosslX509Crl.cc.

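time_t XrdCryptosslX509Crl::LastUpdate()
{
   // "thisUpdate" of the CRL as seconds since the Epoch (UTC), extracted
   // lazily from the loaded CRL and cached in 'lastupdate'.  A negative
   // value means "not available": no CRL loaded, or not yet extracted.
   // NOTE(review): the assignment below is missing from the rendered
   // listing (its line 468 is absent); it is restored from the documented
   // references X509_CRL_get0_lastUpdate and XrdCryptosslASN1toUTC.
   if (lastupdate < 0 && crl) {
      // Extract UTC time in secs from Epoch
      lastupdate = XrdCryptosslASN1toUTC(X509_CRL_get0_lastUpdate(crl));
   }
   // return what we have
   return lastupdate;
}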
time_t XrdCryptosslASN1toUTC(const ASN1_TIME *tsn1)
#define X509_CRL_get0_lastUpdate

References X509_CRL_get0_lastUpdate, and XrdCryptosslASN1toUTC().

Referenced by Dump().


◆ NextUpdate()

time_t XrdCryptosslX509Crl::NextUpdate ( )
virtual

Reimplemented from XrdCryptoX509Crl.

Definition at line 475 of file XrdCryptosslX509Crl.cc.

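time_t XrdCryptosslX509Crl::NextUpdate()
{
   // "nextUpdate" of the CRL as seconds since the Epoch (UTC), extracted
   // lazily and cached in 'nextupdate'.  A negative value means "not
   // available": no CRL loaded, not yet extracted, or - since nextUpdate is
   // optional in a CRL - the field is absent.  In that last case the value
   // stays negative, so IsRevoked()'s "now > NextUpdate()" warning fires on
   // every call; callers should not treat a negative result as a date.
   // NOTE(review): the assignment is missing from the rendered listing
   // (its line 484 is absent) and is restored from the documented
   // references X509_CRL_get0_nextUpdate and XrdCryptosslASN1toUTC; the
   // null check is new, as it is not visible whether XrdCryptosslASN1toUTC
   // tolerates a null ASN1_TIME.
   if (nextupdate < 0 && crl) {
      const ASN1_TIME *tnext = X509_CRL_get0_nextUpdate(crl);
      if (tnext) {
         // Extract UTC time in secs from Epoch
         nextupdate = XrdCryptosslASN1toUTC(tnext);
      }
   }
   // return what we have
   return nextupdate;
}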
#define X509_CRL_get0_nextUpdate

References X509_CRL_get0_nextUpdate, and XrdCryptosslASN1toUTC().

Referenced by Dump(), IsRevoked(), and IsRevoked().


◆ Opaque()

XrdCryptoX509Crldata XrdCryptosslX509Crl::Opaque ( )
inlinevirtual

Reimplemented from XrdCryptoX509Crl.

Definition at line 62 of file XrdCryptosslX509Crl.hh.

62{ return (XrdCryptoX509Crldata)crl; }
void * XrdCryptoX509Crldata

◆ ParentFile()

const char * XrdCryptosslX509Crl::ParentFile ( )
inlinevirtual

Reimplemented from XrdCryptoX509Crl.

Definition at line 66 of file XrdCryptosslX509Crl.hh.

66{ return (const char *)(srcfile.c_str()); }

References XrdOucString::c_str().

Referenced by Dump().


◆ ToFile()

bool XrdCryptosslX509Crl::ToFile ( FILE *  fh)

Definition at line 323 of file XrdCryptosslX509Crl.cc.

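bool XrdCryptosslX509Crl::ToFile(FILE *fh)
{
   // Write the loaded CRL to the open stream 'fh' in PEM format.  Returns
   // false when no CRL is loaded, when 'fh' is null (previously passed
   // straight to OpenSSL), or when OpenSSL fails to write.  The stream is
   // neither flushed nor closed here: that is the caller's job, and write
   // errors only surfaced by fflush()/fclose() are not seen by this method.
   EPNAME("ToFile");

   if (!crl) {
      DEBUG("CRL object invalid; cannot write to a file");
      return false;
   }
   if (!fh) {
      DEBUG("file handle undefined; cannot write CRL");
      return false;
   }

   // PEM_write_X509_CRL() returns 1 on success and 0 on error
   if (PEM_write_X509_CRL(fh, crl) == 0) {
      DEBUG("Unable to write CRL to file");
      return false;
   }

   // Notify
   DEBUG("CRL successfully written to file");
   return true;
}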

References DEBUG, and EPNAME.

◆ Verify()

bool XrdCryptosslX509Crl::Verify ( XrdCryptoX509 ref)
virtual

Reimplemented from XrdCryptoX509Crl.

Definition at line 561 of file XrdCryptosslX509Crl.cc.

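bool XrdCryptosslX509Crl::Verify(XrdCryptoX509 *ref)
{
   // Check the CRL's signature against the public key of certificate 'ref'.
   // Returns false when no CRL is loaded, when 'ref' is missing or carries
   // no usable public key, or when the signature does not verify.
   //
   // NOTE(review): this is a signature check only.  It does not confirm
   // that 'ref' is the CRL's issuer (compare Issuer() with the certificate
   // subject), that 'ref' is a trusted CA, or that the CRL is inside its
   // validity window (IsExpired()); callers must perform those checks.

   // We must have been initialized
   if (!crl)
      return false;

   // We must have something to check with
   X509 *r = ref ? (X509 *)(ref->Opaque()) : 0;
   EVP_PKEY *rk = r ? X509_get_pubkey(r) : 0;
   if (!rk)
      return false;

   // X509_get_pubkey() returns a reference-counted key that must be
   // released after use; the previous code leaked one EVP_PKEY per call.
   const int rc = X509_CRL_verify(crl, rk);
   EVP_PKEY_free(rk);
   return (rc > 0);
}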
virtual XrdCryptoX509data Opaque()

References XrdCryptoX509::Opaque().

