#ifndef __CRYPTO_SSLAUX_H__
#define __CRYPTO_SSLAUX_H__
// NOTE(review): identifiers beginning with a double underscore are reserved
// for the implementation; the guard name is kept unchanged here because it is
// part of the public header and other files may rely on it.
/******************************************************************************/
/*                                                                            */
/*                  X r d C r y p t o S s l A u x . h h                       */
/*                                                                            */
/* (c) 2004 by the Board of Trustees of the Leland Stanford, Jr., University  */
/*   Produced by Gerri Ganis for CERN                                         */
/*                                                                            */
/* This file is part of the XRootD software suite.                            */
/*                                                                            */
/* XRootD is free software: you can redistribute it and/or modify it under    */
/* the terms of the GNU Lesser General Public License as published by the     */
/* Free Software Foundation, either version 3 of the License, or (at your     */
/* option) any later version.                                                 */
/*                                                                            */
/* XRootD is distributed in the hope that it will be useful, but WITHOUT      */
/* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or      */
/* FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public       */
/* License for more details.                                                  */
/*                                                                            */
/* You should have received a copy of the GNU Lesser General Public License   */
/* along with XRootD in a file called COPYING.LESSER (LGPL license) and file  */
/* COPYING (GPL license).  If not, see <http://www.gnu.org/licenses/>.        */
/*                                                                            */
/* The copyright holder's institutional names and contributor's names may not */
/* be used to endorse or promote products derived from this software without  */
/* specific prior written permission of the institution or contributor.       */
/******************************************************************************/

/* ************************************************************************** */
/*                                                                            */
/* OpenSSL utility functions                                                  */
/*                                                                            */
/* Free functions wrapping OpenSSL for the XrdCrypto "ssl" factory: key       */
/* derivation, X509 certificate/chain verification and (de)serialization,     */
/* ASN.1 time and X509_NAME helpers, and RFC3820 proxy certificate handling.  */
/*                                                                            */
/* ************************************************************************** */

#include "XrdCrypto/XrdCryptoAux.hh"
#include "XrdCrypto/XrdCryptoFactory.hh"
#include "XrdCrypto/XrdCryptoX509Chain.hh"
#include <openssl/asn1.h>
// NOTE(review): X509_NAME, FILE, XrdOucString, XrdSutBucket, XrdProxyOpt_t and
// XrdCryptogsiX509Chain are used below but not included directly; presumably
// they arrive transitively through the headers above — confirm if this header
// is ever included on its own.

//! Default output length, in bytes, for XrdCryptosslKDFun (see XrdCryptosslKDFunLen)
#define kSslKDFunDefLen  24

//! Forward declaration
class XrdTlsPeerCerts;

//
// Password-Based Key Derivation Function 2, specified in PKCS #5
//
//! Default key buffer length expected by XrdCryptosslKDFun
//! (presumably kSslKDFunDefLen — confirm in the implementation).
int XrdCryptosslKDFunLen(); // default buffer length
//! Derive key material from a password and a salt.
//! @param pass  password bytes; 'plen' of them are read
//! @param salt  salt bytes; 'slen' of them are read
//! @param key   caller-owned output buffer that must hold at least 'len' bytes
//! @param len   number of key bytes requested
//! @return status code defined by the implementation (not visible here).
//! No iteration-count parameter is exposed: the work factor is chosen by the
//! implementation, so callers cannot tune it per use.
int XrdCryptosslKDFun(const char *pass, int plen, const char *salt, int slen,
                      char *key, int len);
//
// X509 manipulation: certificate verification
//! Verify certificate 'c' using 'r'; presumably 'r' is the issuer / trust
//! anchor whose key signed 'c' — confirm against the definition.
bool XrdCryptosslX509VerifyCert(XrdCryptoX509 *c, XrdCryptoX509 *r);
// chain verification
//! Returns true when the whole chain verifies; on failure 'errcode' is set
//! to an implementation-defined value.
bool XrdCryptosslX509VerifyChain(XrdCryptoX509Chain *chain, int &errcode);
// chain export to bucket
//! Serialize the chain into a new bucket. When 'key' is true the private key
//! is exported as well, so the bucket then carries secret material and must be
//! handled accordingly. Ownership of the returned bucket presumably passes to
//! the caller — confirm (who frees?).
XrdSutBucket *XrdCryptosslX509ExportChain(XrdCryptoX509Chain *c, bool key = 0);
// chain export to file (proxy file creation)
//! If the private key is written alongside the certificates, 'fn' holds
//! secret material; verify that the implementation creates it with
//! owner-only permissions before relying on this for proxy files.
int XrdCryptosslX509ChainToFile(XrdCryptoX509Chain *c, const char *fn);
// export single certificate to file; fname is solely for debug message purposes
extern "C" int XrdCryptosslX509ToFile(XrdCryptoX509 *x509, FILE *file, const char *fname);
// certificates from file parsing
//! 'fkey', when non-null, presumably names the file holding the matching
//! private key — confirm against the definition.
int XrdCryptosslX509ParseFile(const char *fname, XrdCryptoX509Chain *c, const char *fkey = 0);
// certificates from FILE object; fname is solely for debug message purposes
extern "C" int XrdCryptosslX509ParseFile(FILE *file, XrdCryptoX509Chain *c, const char *fname, const char *fkey = 0);
// certificates from bucket parsing
//! Input comes from a bucket, i.e. typically from the network; the parser is
//! therefore exposed to untrusted data.
int XrdCryptosslX509ParseBucket(XrdSutBucket *b, XrdCryptoX509Chain *c);
// certificates from STACK_OF(X509*)
//! 'pc' wraps the certificates presented by a TLS peer; they are unverified
//! until XrdCryptosslX509VerifyChain (or equivalent) has been run on 'chain'.
int XrdCryptosslX509ParseStack(XrdTlsPeerCerts* pc, XrdCryptoX509Chain *chain);
//
// Function to convert from ASN1 time format into UTC since Epoch (Jan 1, 1970)
// NOTE(review): the value returned for an unparsable time is not documented
// here — confirm before using the result directly in validity-period checks.
time_t XrdCryptosslASN1toUTC(const ASN1_TIME *tsn1);

// Function to convert X509_NAME into a one-line human readable string
// The escaping rules are those of the implementation; check them before
// comparing the resulting strings for identity or authorization purposes.
void XrdCryptosslNameOneLine(X509_NAME *nm, XrdOucString &s);

//
// X509 proxy auxiliary functions
// Function to check presence of a proxyCertInfo and retrieve the path length
// constraint. Written following RFC3820 and examples in openssl-<vers>/crypto
// source code. Extracts the policy field but ignores its contents.
// Because the policy is only detected ('haspolicy') and never interpreted,
// callers must not assume that a policy-restricted proxy has been constrained
// by this function.
bool XrdCryptosslProxyCertInfo(const void *ext, int &pathlen, bool *haspolicy = 0);
//! Set the path length constraint in an existing proxyCertInfo extension 'ext'
void XrdCryptosslSetPathLenConstraint(void *ext, int pathlen);
// Create proxy certificates
//! Parameters are unnamed in this declaration; see the definition for their
//! meaning. Failures presumably map to the kErrPX_* codes below — confirm.
int XrdCryptosslX509CreateProxy(const char *, const char *, XrdProxyOpt_t *,
                             XrdCryptogsiX509Chain *, XrdCryptoRSA **, const char *);
// Create a proxy certificate request
//! Produces a request and a freshly generated key pair for the caller.
int XrdCryptosslX509CreateProxyReq(XrdCryptoX509 *,
                                XrdCryptoX509Req **, XrdCryptoRSA **);
// Sign a proxy certificate request
//! The first two arguments are the signer's certificate and private key.
int XrdCryptosslX509SignProxyReq(XrdCryptoX509 *, XrdCryptoRSA *,
                              XrdCryptoX509Req *, XrdCryptoX509 **);
// Check a proxy certificate GSI 3
//! The XrdOucString receives diagnostic text; the int is the status.
int XrdCryptosslX509CheckProxy3(XrdCryptoX509 *, XrdOucString &);
// Get VOMS attributes, if any
int XrdCryptosslX509GetVOMSAttr(XrdCryptoX509 *, XrdOucString &);

/******************************************************************************/
/*          E r r o r   L o g g i n g / T r a c i n g   F l a g s             */
/******************************************************************************/
// Bit mask; sslTRACE_ALL is the OR of the three individual levels.
#define sslTRACE_ALL       0x0007
#define sslTRACE_Dump      0x0004
#define sslTRACE_Debug     0x0002
#define sslTRACE_Notify    0x0001

/******************************************************************************/
/*          E r r o r s   i n   P r o x y   M a n i p u l a t i o n s         */
/******************************************************************************/
// Non-zero values; presumably 0 denotes success in the proxy functions above.
#define kErrPX_Error            1      // Generic error condition
#define kErrPX_BadEECfile       2      // Absent or bad EEC cert or key file
#define kErrPX_BadEECkey        3      // Inconsistent EEC key
#define kErrPX_ExpiredEEC       4      // EEC is expired
#define kErrPX_NoResources      5      // Unable to create new objects
#define kErrPX_SetAttribute     6      // Unable to set a certificate attribute
#define kErrPX_SetPathDepth     7      // Unable to set path depth
#define kErrPX_Signing          8      // Problems signing
#define kErrPX_GenerateKey      9      // Problem generating the RSA key
#define kErrPX_ProxyFile       10      // Problem creating / updating proxy file
#define kErrPX_BadNames        11      // Names in certificates are bad
#define kErrPX_BadSerial       12      // Problems resolving serial number
#define kErrPX_BadExtension    13      // Problems with the extensions

#endif