cpp/src/IceSSL/Certificate.cpp

   1 // **********************************************************************
   2 //
   3 // Copyright (c) 2003-2011 ZeroC, Inc. All rights reserved.
   4 //
   5 // This copy of Ice is licensed to you under the terms described in the
   6 // ICE_LICENSE file included in this distribution.
   7 //
   8 // **********************************************************************
   9
  10 #include <IceUtil/DisableWarnings.h>
  11 #include <IceUtil/Mutex.h>
  12 #include <IceUtil/MutexPtrLock.h>
  13 #include <IceUtil/StringUtil.h>
  14 #include <IceSSL/Plugin.h>
  15 #include <IceSSL/Util.h>
  16 #include <IceSSL/RFC2253.h>
  17
  18 #include <openssl/x509v3.h>
  19 #include <openssl/pem.h>
  20
  21 using namespace std;
  22 using namespace Ice;
  23 using namespace IceSSL;
  24
  25 const char* IceSSL::CertificateReadException::_name = "IceSSL::CertificateReadException";
  26
  27 CertificateReadException::CertificateReadException(const char* file, int line, const string& r) :
  28     Exception(file, line),
  29     reason(r)
  30 {
  31 }
  32
  33 CertificateReadException::~CertificateReadException() throw()
  34 {
  35 }
  36
  37 string
  38 CertificateReadException::ice_name() const
  39 {
  40     return _name;
  41 }
  42
  43 Exception*
  44 CertificateReadException::ice_clone() const
  45 {
  46     return new CertificateReadException(*this);
  47 }
  48
  49 void
  50 CertificateReadException::ice_throw() const
  51 {
  52     throw *this;
  53 }
  54
  55 const char* IceSSL::CertificateEncodingException::_name = "IceSSL::CertificateEncodingException";
  56
  57 CertificateEncodingException::CertificateEncodingException(const char* file, int line, const string& r) :
  58     Exception(file, line),
  59     reason(r)
  60 {
  61 }
  62
  63 CertificateEncodingException::~CertificateEncodingException() throw()
  64 {
  65 }
  66
  67 string
  68 CertificateEncodingException::ice_name() const
  69 {
  70     return _name;
  71 }
  72
  73 Exception*
  74 CertificateEncodingException::ice_clone() const
  75 {
  76     return new CertificateEncodingException(*this);
  77 }
  78
  79 void
  80 CertificateEncodingException::ice_throw() const
  81 {
  82     throw *this;
  83 }
  84
  85 namespace
  86 {
  87
  88 IceUtil::Mutex* mut = 0;
  89
  90 class Init
  91 {
  92 public:
  93
  94     Init()
  95     {
  96         mut = new IceUtil::Mutex;
  97     }
  98
  99     ~Init()
 100     {
 101         delete mut;
 102         mut = 0;
 103     }
 104 };
 105
 106 Init init;
 107
 108 }
 109
 110 static IceUtil::Time
 111 ASMUtcTimeToIceUtilTime(const ASN1_UTCTIME* s)
 112 {
 113     struct tm tm;
 114     int offset;
 115
 116     memset(&tm, '\0', sizeof tm);
 117
 118 #define g2(p) (((p)[0]-'0')*10+(p)[1]-'0')
 119     tm.tm_year = g2(s->data);
 120     if(tm.tm_year < 50)
 121         tm.tm_year += 100;
 122     tm.tm_mon = g2(s->data + 2) - 1;
 123     tm.tm_mday = g2(s->data + 4);
 124     tm.tm_hour = g2(s->data + 6);
 125     tm.tm_min = g2(s->data + 8);
 126     tm.tm_sec = g2(s->data + 10);
 127     if(s->data[12] == 'Z')
 128     {
 129         offset = 0;
 130     }
 131     else
 132     {
 133         offset = g2(s->data + 13) * 60 + g2(s->data + 15);
 134         if(s->data[12] == '-')
 135         {
 136             offset = -offset;
 137         }
 138     }
 139 #undef g2
 140
 141     //
 142     // If timegm was on all systems this code could be
 143     // return IceUtil::Time::seconds(timegm(&tm) - offset*60);
 144     //
 145     // Windows doesn't support the re-entrant _r versions.
 146     //
 147     time_t tzone;
 148     {
 149         IceUtilInternal::MutexPtrLock<IceUtil::Mutex> sync(mut);
 150         time_t now = time(0);
 151         tzone = mktime(localtime(&now)) - mktime(gmtime(&now));
 152     }
 153     return IceUtil::Time::seconds(mktime(&tm) - offset*60 + tzone);
 154 }
 155
 156 static string
 157 convertX509NameToString(X509NAME* name)
 158 {
 159     BIO* out = BIO_new(BIO_s_mem());
 160     X509_NAME_print_ex(out, name, 0, XN_FLAG_RFC2253);
 161     BUF_MEM* p;
 162     BIO_get_mem_ptr(out, &p);
 163     string result = string(p->data, p->length);
 164     BIO_free(out);
 165     return result;
 166 }
 167
 168 static vector<pair<int, string> >
 169 convertGeneralNames(GENERAL_NAMES* gens)
 170 {
 171     vector<pair<int, string> > alt;
 172     if(gens == 0)
 173     {
 174         return alt;
 175     }
 176     for(int i = 0; i < sk_GENERAL_NAME_num(gens); ++i)
 177     {
 178         GENERAL_NAME* gen = sk_GENERAL_NAME_value(gens, i);
 179         pair<int, string> p;
 180         p.first = gen->type;
 181         switch(gen->type)
 182         {
 183         case GEN_EMAIL:
 184         {
 185             ASN1_IA5STRING* str = gen->d.rfc822Name;
 186             if(str && str->type == V_ASN1_IA5STRING && str->data && str->length > 0)
 187             {
 188                 p.second = string(reinterpret_cast<const char*>(str->data), str->length);
 189             }
 190             break;
 191         }
 192         case GEN_DNS:
 193         {
 194             ASN1_IA5STRING* str = gen->d.dNSName;
 195             if(str && str->type == V_ASN1_IA5STRING && str->data && str->length > 0)
 196             {
 197                 p.second = string(reinterpret_cast<const char*>(str->data), str->length);
 198             }
 199             break;
 200         }
 201         case GEN_DIRNAME:
 202         {
 203             p.second = convertX509NameToString(gen->d.directoryName);
 204             break;
 205         }
 206         case GEN_URI:
 207         {
 208             ASN1_IA5STRING* str = gen->d.uniformResourceIdentifier;
 209             if(str && str->type == V_ASN1_IA5STRING && str->data && str->length > 0)
 210             {
 211                 p.second = string(reinterpret_cast<const char*>(str->data), str->length);
 212             }
 213             break;
 214         }
 215         case GEN_IPADD:
 216         {
 217             ASN1_OCTET_STRING* addr = gen->d.iPAddress;
 218             // TODO: Support IPv6 someday.
 219             if(addr && addr->type == V_ASN1_OCTET_STRING && addr->data && addr->length == 4)
 220             {
 221                 ostringstream ostr;
 222                 for(int j = 0; j < 4; ++j)
 223                 {
 224                     if(j > 0)
 225                     {
 226                         ostr << '.';
 227                     }
 228                     ostr << static_cast<int>(addr->data[j]);
 229                 }
 230                 p.second = ostr.str();
 231             }
 232             break;
 233         }
 234         case GEN_OTHERNAME:
 235         case GEN_EDIPARTY:
 236         case GEN_X400:
 237         case GEN_RID:
 238         {
 239             //
 240             // TODO: These types are not supported. If the user wants
 241             // them, they have to get at the certificate data. Another
 242             // alternative is to DER encode the data (as the Java
 243             // certificate does).
 244             //
 245             break;
 246         }
 247         }
 248         alt.push_back(p);
 249     }
 250     sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
 251     return alt;
 252 }
 253
 254 const char* ParseException::_name = "IceSSL::ParseException";
 255
 256 ParseException::ParseException(const char* file, int line, const string& r) :
 257     Exception(file, line),
 258     reason(r)
 259 {
 260 }
 261
 262 ParseException::~ParseException() throw()
 263 {
 264 }
 265
 266 string
 267 ParseException::ice_name() const
 268 {
 269     return _name;
 270 }
 271
 272 IceUtil::Exception*
 273 ParseException::ice_clone() const
 274 {
 275     return new ParseException(*this);
 276 }
 277
 278 void
 279 ParseException::ice_throw() const
 280 {
 281     throw *this;
 282 }
 283
 284 DistinguishedName::DistinguishedName(X509NAME* name) :
 285     _rdns(RFC2253::parseStrict(convertX509NameToString(name)))
 286 {
 287     unescape();
 288 }
 289
 290 DistinguishedName::DistinguishedName(const string& dn) :
 291     _rdns(RFC2253::parseStrict(dn))
 292 {
 293     unescape();
 294 }
 295
 296 DistinguishedName::DistinguishedName(const list<pair<string, string> >& rdns) :
 297     _rdns(rdns)
 298 {
 299     unescape();
 300 }
 301
 302 bool
 303 DistinguishedName::operator==(const DistinguishedName& other) const
 304 {
 305     return other._unescaped == _unescaped;
 306 }
 307
 308 bool
 309 DistinguishedName::operator!=(const DistinguishedName& other) const
 310 {
 311     return other._unescaped != _unescaped;
 312 }
 313
 314 bool
 315 DistinguishedName::operator<(const DistinguishedName& other) const
 316 {
 317     return other._unescaped < _unescaped;
 318 }
 319
 320 bool
 321 DistinguishedName::match(const DistinguishedName& other) const
 322 {
 323     for(list< pair<string, string> >::const_iterator p = other._unescaped.begin(); p != other._unescaped.end(); ++p)
 324     {
 325         bool found = false;
 326         for(list< pair<string, string> >::const_iterator q = _unescaped.begin(); q != _unescaped.end(); ++q)
 327         {
 328             if(p->first == q->first)
 329             {
 330                 found = true;
 331                 if(p->second != q->second)
 332                 {
 333                     return false;
 334                 }
 335             }
 336         }
 337         if(!found)
 338         {
 339             return false;
 340         }
 341     }
 342     return true;
 343 }
 344
 345 //
 346 // This always produces the same output as the input DN -- the type of
 347 // escaping is not changed.
 348 //
 349 DistinguishedName::operator string() const
 350 {
 351     ostringstream os;
 352     bool first = true;
 353     for(list< pair<string, string> >::const_iterator p = _rdns.begin(); p != _rdns.end(); ++p)
 354     {
 355         if(!first)
 356         {
 357             os << ",";
 358         }
 359         first = false;
 360         os << p->first << "=" << p->second;
 361     }
 362     return os.str();
 363 }
 364
 365 void
 366 DistinguishedName::unescape()
 367 {
 368     for(list< pair<string, string> >::const_iterator q = _rdns.begin(); q != _rdns.end(); ++q)
 369     {
 370         pair<string, string> rdn = *q;
 371         rdn.second = RFC2253::unescape(rdn.second);
 372         _unescaped.push_back(rdn);
 373     }
 374 }
 375
 376 PublicKey::PublicKey(EVP_PKEY* key) :
 377     _key(key)
 378 {
 379 }
 380
 381 PublicKey::~PublicKey()
 382 {
 383     EVP_PKEY_free(_key);
 384 }
 385
 386 EVP_PKEY*
 387 PublicKey::key() const
 388 {
 389     return _key;
 390 }
 391
 392 //
 393 // The caller is responsible for incrementing the reference count.
 394 //
 395 Certificate::Certificate(X509* cert) :
 396     _cert(cert)
 397 {
 398     assert(_cert != 0);
 399 }
 400
 401 Certificate::~Certificate()
 402 {
 403     X509_free(_cert);
 404 }
 405
 406 CertificatePtr
 407 Certificate::load(const string& file)
 408 {
 409     BIO *cert = BIO_new(BIO_s_file());
 410     if(BIO_read_filename(cert, file.c_str()) <= 0)
 411     {
 412         BIO_free(cert);
 413         throw CertificateReadException(__FILE__, __LINE__, "error opening file");
 414     }
 415
 416     X509* x = PEM_read_bio_X509_AUX(cert, NULL, NULL, NULL);
 417     if(x == NULL)
 418     {
 419         BIO_free(cert);
 420         throw CertificateReadException(__FILE__, __LINE__, "error reading file:\n" + getSslErrors(false));
 421     }
 422     BIO_free(cert);
 423     return new Certificate(x);
 424 }
 425
 426 CertificatePtr
 427 Certificate::decode(const string& encoding)
 428 {
 429     BIO *cert = BIO_new_mem_buf(static_cast<void*>(const_cast<char*>(&encoding[0])), static_cast<int>(encoding.size()));
 430     X509* x = PEM_read_bio_X509_AUX(cert, NULL, NULL, NULL);
 431     if(x == NULL)
 432     {
 433         BIO_free(cert);
 434         throw CertificateReadException(__FILE__, __LINE__, "error decoding certificate:\n" + getSslErrors(false));
 435     }
 436     BIO_free(cert);
 437     return new Certificate(x);
 438 }
 439
 440 bool
 441 Certificate::operator==(const Certificate& other) const
 442 {
 443     return X509_cmp(_cert, other._cert) == 0;
 444 }
 445
 446 bool
 447 Certificate::operator!=(const Certificate& other) const
 448 {
 449     return X509_cmp(_cert, other._cert) != 0;
 450 }
 451
 452 PublicKeyPtr
 453 Certificate::getPublicKey() const
 454 {
 455     return new PublicKey(X509_get_pubkey(_cert));
 456 }
 457
 458 bool
 459 Certificate::verify(const PublicKeyPtr& key) const
 460 {
 461     return X509_verify(_cert, key->key()) > 0;
 462 }
 463
 464 string
 465 Certificate::encode() const
 466 {
 467     BIO* out = BIO_new(BIO_s_mem());
 468     int i = PEM_write_bio_X509_AUX(out, _cert);
 469     if(i <= 0)
 470     {
 471         BIO_free(out);
 472         throw CertificateEncodingException(__FILE__, __LINE__, getSslErrors(false));
 473     }
 474     BUF_MEM* p;
 475     BIO_get_mem_ptr(out, &p);
 476     string result = string(p->data, p->length);
 477     BIO_free(out);
 478     return result;
 479 }
 480
 481 bool
 482 Certificate::checkValidity() const
 483 {
 484     IceUtil::Time now = IceUtil::Time::now();
 485     return now > getNotBefore() && now <= getNotAfter();
 486 }
 487
 488 bool
 489 Certificate::checkValidity(const IceUtil::Time& now) const
 490 {
 491     return now > getNotBefore() && now <= getNotAfter();
 492 }
 493
 494 IceUtil::Time
 495 Certificate::getNotAfter() const
 496 {
 497     return ASMUtcTimeToIceUtilTime(X509_get_notAfter(_cert));
 498 }
 499
 500 IceUtil::Time
 501 Certificate::getNotBefore() const
 502 {
 503     return ASMUtcTimeToIceUtilTime(X509_get_notBefore(_cert));
 504 }
 505
 506 string
 507 Certificate::getSerialNumber() const
 508 {
 509     BIGNUM* bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(_cert), 0);
 510     char* dec = BN_bn2dec(bn);
 511     string result = dec;
 512     OPENSSL_free(dec);
 513     BN_free(bn);
 514
 515     return result;
 516 }
 517
 518 //string
 519 //Certificate::getSigAlgName() const
 520 //{
 521 //}
 522
 523 //string
 524 //Certificate::getSigAlgOID() const
 525 //{
 526 //}
 527
 528 DistinguishedName
 529 Certificate::getIssuerDN() const
 530 {
 531     return DistinguishedName(X509_get_issuer_name(_cert));
 532 }
 533
 534 vector<pair<int, string> >
 535 Certificate::getIssuerAlternativeNames()
 536 {
 537     return convertGeneralNames(reinterpret_cast<GENERAL_NAMES*>(
 538         X509_get_ext_d2i(_cert, NID_issuer_alt_name, 0, 0)));
 539 }
 540
 541 DistinguishedName
 542 Certificate::getSubjectDN() const
 543 {
 544     return DistinguishedName(X509_get_subject_name(_cert));
 545 }
 546
 547 vector<pair<int, string> >
 548 Certificate::getSubjectAlternativeNames()
 549 {
 550     return convertGeneralNames(
 551         reinterpret_cast<GENERAL_NAMES*>(X509_get_ext_d2i(_cert, NID_subject_alt_name, 0, 0)));
 552 }
 553
 554 int
 555 Certificate::getVersion() const
 556 {
 557     return static_cast<int>(X509_get_version(_cert));
 558 }
 559
 560 string
 561 Certificate::toString() const
 562 {
 563     ostringstream os;
 564     os << "serial: " << getSerialNumber() << "\n";
 565     os << "issuer: " << string(getIssuerDN()) << "\n";
 566     os << "subject: " << string(getSubjectDN()) << "\n";
 567     os << "notBefore: " << getNotBefore().toDateTime() << "\n";
 568     os << "notAfter: " << getNotAfter().toDateTime();
 569
 570     return os.str();
 571 }
 572
 573 X509*
 574 Certificate::getCert() const
 575 {
 576     return _cert;
 577 }