pegasus/src/Pegasus/Common/SSLContext.cpp - diff

Return to SSLContext.cpp CVS log

Up to [Pegasus] / pegasus / src / Pegasus / Common

Diff for /pegasus/src/Pegasus/Common/SSLContext.cpp between version 1.40 and 1.74

version 1.40, 2004/12/07 22:43:14

version 1.74, 2006/08/26 19:24:39

Line 1

//%2004////////////////////////////////////////////////////////////////////////

//%2006////////////////////////////////////////////////////////////////////////

// Company, L.P.; IBM Corp.; The Open Group; Tivoli Systems.

Line 6

// IBM Corp.; EMC Corporation, The Open Group.

// IBM Corp.; EMC Corporation; VERITAS Software Corporation; The Open Group.

// EMC Corporation; VERITAS Software Corporation; The Open Group.

// EMC Corporation; Symantec Corporation; The Open Group.

// Permission is hereby granted, free of charge, to any person obtaining a copy

// of this software and associated documentation files (the "Software"), to

Line 32

Line 36

// Sushma Fernandes, Hewlett-Packard Company (sushma_fernandes@hp.com)

// Heather Sterling, IBM (hsterl@us.ibm.com)

// Amit K Arora, IBM (amita@in.ibm.com) for Bug#1090

// David Dillard, Symantec Corp. (david_dillard@symantec.com)

// Aruran, IBM (ashanmug@in.ibm.com) for Bug#4422

//%/////////////////////////////////////////////////////////////////////////////

#ifdef PEGASUS_HAS_SSL

#include <Pegasus/Common/Config.h>

#include "Network.h"

#define OPENSSL_NO_KRB5 1

#include <openssl/err.h>

#include <openssl/ssl.h>

Line 43

Line 54

#else

#define SSL_CTX void

#endif // end of PEGASUS_HAS_SSL

#include <Pegasus/Common/Destroyer.h>

#include <Pegasus/Common/Socket.h>

#include <Pegasus/Common/Tracer.h>

#include <Pegasus/Common/FileSystem.h>

Line 54

Line 64

#include "SSLContext.h"

#include "SSLContextRep.h"

#ifdef PEGASUS_OS_OS400

#include "SSLWrapperOS400.h"

#endif

// Typedef's for OpenSSL callback functions.

Line 64

Line 77

typedef unsigned long (* CRYPTO_SET_ID_CALLBACK)(void);

};

typedef struct x509_store_ctx_st X509_STORE_CTX;

typedef struct Timestamp

{

Line 91

Line 105

#ifdef PEGASUS_HAS_SSL

// Mutex for SSL locks.

// Mutex for SSL locks which will get initialized by AutoArrayPtr constructor.

Mutex* SSLContextRep::_sslLocks = 0;

AutoArrayPtr<Mutex> SSLContextRep::_sslLocks;

// Mutex for _countRep.

Mutex SSLContextRep::_countRepMutex;

Line 195

Line 209

// Callback function that is called by the OpenSSL library. This function

// checks whether the certificate is listed in any of the CRL's

// return 1 if revoked, 0 otherwise

int SSLCallback::verificationCRLCallback(int ok, X509_STORE_CTX *ctx, X509_STORE* sslCRLStore)

{

PEG_METHOD_ENTER(TRC_SSL, "SSLCallback::verificationCRLCallback");

X509_OBJECT obj;

char buf[1024];

X509_NAME *subject;

X509_NAME *issuer;

X509 *xs;

X509_CRL *crl;

X509_REVOKED *revoked;

long serial;

BIO *bio;

int i, n, rc;

char *cp;

char *cp2;

//check whether a CRL store was specified

if (sslCRLStore == NULL)

{

Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL: CRL store is NULL");

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL3, "---> SSL: CRL store is NULL");

return ok;

}

//ATTN: The following excerpt is based off of modssl's callback function

//We may need to do something here for legal purposes. I have informed Warren of this, will resolve before 2.5 ships.

* Determine certificate ingredients in advance

xs = X509_STORE_CTX_get_current_cert(ctx);

subject = X509_get_subject_name(xs);

issuer = X509_get_issuer_name(xs);

* OpenSSL provides the general mechanism to deal with CRLs but does not

* use them automatically when verifying certificates, so we do it

* explicitly here. We will check the CRL for the currently checked

* certificate, if there is such a CRL in the store.

* We come through this procedure for each certificate in the certificate

* chain, starting with the root-CA's certificate. At each step we've to

* both verify the signature on the CRL (to make sure it's a valid CRL)

* and it's revocation list (to make sure the current certificate isn't

* revoked). But because to check the signature on the CRL we need the

* public key of the issuing CA certificate (which was already processed

* one round before), we've a little problem. But we can both solve it and

* at the same time optimize the processing by using the following

* verification scheme (idea and code snippets borrowed from the GLOBUS

* project):

* 1. We'll check the signature of a CRL in each step when we find a CRL

* through the _subject_ name of the current certificate. This CRL

* itself will be needed the first time in the next round, of course.

* But we do the signature processing one round before this where the

* public key of the CA is available.

* 2. We'll check the revocation list of a CRL in each step when

* we find a CRL through the _issuer_ name of the current certificate.

* This CRLs signature was then already verified one round before.

* This verification scheme allows a CA to revoke its own certificate as

* well, of course.

* Try to retrieve a CRL corresponding to the _subject_ of

* the current certificate in order to verify it's integrity.

memset((char *)&obj, 0, sizeof(obj));

X509_STORE_CTX pStoreCtx;

X509_STORE_CTX_init(&pStoreCtx, sslCRLStore, NULL, NULL);

rc = X509_STORE_get_by_subject(&pStoreCtx, X509_LU_CRL, subject, &obj);

X509_STORE_CTX_cleanup(&pStoreCtx);

crl = obj.data.crl;

//////////////////////////////////////////

Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL : return code is %d", rc);

if (rc > 0 && crl != NULL)

{

Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL: CRL found");

// Log information about CRL

// (A little bit complicated because of ASN.1 and BIOs...)

bio = BIO_new(BIO_s_mem());

BIO_printf(bio, "lastUpdate: ");

ASN1_UTCTIME_print(bio, X509_CRL_get_lastUpdate(crl));

BIO_printf(bio, ", nextUpdate: ");

ASN1_UTCTIME_print(bio, X509_CRL_get_nextUpdate(crl));

n = BIO_pending(bio);

cp = (char*) malloc(n+1);

n = BIO_read(bio, cp, n);

cp[n] = '\0';

BIO_free(bio);

cp2 = X509_NAME_oneline(subject, NULL, 0);

Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL : CRL Issuer : %s, %s", cp2, cp);

//ATTN: This throws a memory error

//free(cp2);

free(cp);

// Verify the signature on this CRL

if (X509_CRL_verify(crl, X509_get_pubkey(xs)) <= 0)

{

Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL : Invalid signature on CRL");

//ATTN: Do we need to set this?

//X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);

//X509_OBJECT_free_contents(&obj);

PEG_METHOD_EXIT();

return 0;

}

//get the current certificate info

// Check date of CRL to make sure it's not expired

X509* currentCert;

X509_NAME* issuerName;

i = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl));

X509_NAME* subjectName;

if (i == 0)

ASN1_INTEGER* serialNumber;

currentCert = X509_STORE_CTX_get_current_cert(ctx);

subjectName = X509_get_subject_name(currentCert);

issuerName = X509_get_issuer_name(currentCert);

serialNumber = X509_get_serialNumber(currentCert);

//log certificate information

//this is information in the "public" key, so it does no harm to log it

X509_NAME_oneline(issuerName, buf, sizeof(buf));

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "---> SSL: Certificate Data: Issuer/Subject");

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, buf);

X509_NAME_oneline(subjectName, buf, sizeof(buf));

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, buf);

//initialize the CRL store

X509_STORE_CTX crlStoreCtx;

X509_STORE_CTX_init(&crlStoreCtx, sslCRLStore, NULL, NULL);

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "---> SSL: Initialized CRL store");

//attempt to get a CRL issued by the certificate's issuer

X509_OBJECT obj;

if (X509_STORE_get_by_subject(&crlStoreCtx, X509_LU_CRL, issuerName, &obj) <= 0)

{

Tracer::trace(TRC_SSL, Tracer::LEVEL2, "CRL has invalid nextUpdate field\n");

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL3, "---> SSL: No CRL by that issuer");

//ATTN: Do we need to set this?

//X509_STORE_CTX_set_error(ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);

//X509_OBJECT_free_contents(&obj);

PEG_METHOD_EXIT();

return 0;

}

if (i < 0)

X509_STORE_CTX_cleanup(&crlStoreCtx);

//get CRL

X509_CRL* crl = obj.data.crl;

if (crl == NULL)

{

Tracer::trace(TRC_SSL, Tracer::LEVEL2, "CRL has expired\n");

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "---> SSL: CRL is null");

//ATTN: Do we need to set this?

//X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_HAS_EXPIRED);

//X509_OBJECT_free_contents(&obj);

PEG_METHOD_EXIT();

return 0;

}

X509_OBJECT_free_contents(&obj);

} else

{

Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL: No CRL for that subject found");

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "---> SSL: Found CRL by that issuer");

}

Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL: CRL checks out ok\n");

//get revoked certificates

STACK_OF(X509_REVOKED)* revokedCerts = NULL;

revokedCerts = X509_CRL_get_REVOKED(crl);

// Try to retrieve a CRL corresponding to the _issuer_ of

int numRevoked = sk_X509_REVOKED_num(revokedCerts);

// the current certificate in order to check for revocation.

Tracer::trace(TRC_SSL, Tracer::LEVEL4,"---> SSL: Number of certificates revoked by the issuer %d\n", numRevoked);

memset((char *)&obj, 0, sizeof(obj));

X509_STORE_CTX_init(&pStoreCtx, sslCRLStore, NULL, NULL);

rc = X509_STORE_get_by_subject(&pStoreCtx, X509_LU_CRL, issuer, &obj);

X509_STORE_CTX_cleanup(&pStoreCtx);

crl = obj.data.crl;

if (rc > 0 && crl != NULL)

//check whether the subject's certificate is revoked

X509_REVOKED* revokedCert = NULL;

for (int i = 0; i < sk_X509_REVOKED_num(revokedCerts); i++)

{

revokedCert = (X509_REVOKED *)sk_value(X509_CRL_get_REVOKED(crl), i);

// Check if the current certificate is revoked by this CRL

#if SSL_LIBRARY_VERSION < 0x00904000

n = sk_num(X509_CRL_get_REVOKED(crl));

#else

n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));

#endif

Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL: Number of certificates revoked by the issuer %d", n);

//a matching serial number indicates revocation

if (ASN1_INTEGER_cmp(revokedCert->serialNumber, serialNumber) == 0)

for (i = 0; i < n; i++)

{

#if SSL_LIBRARY_VERSION < 0x00904000

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL2, "---> SSL: Certificate is revoked");

revoked = (X509_REVOKED *)sk_value(X509_CRL_get_REVOKED(crl), i);

#else

revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);

#endif

serial = ASN1_INTEGER_get(revoked->serialNumber);

printf("Got serial number %ld\n", serial);

if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(xs)) == 0)

{

serial = ASN1_INTEGER_get(revoked->serialNumber);

cp = X509_NAME_oneline(issuer, NULL, 0);

Tracer::trace(TRC_SSL, Tracer::LEVEL4,

"---> SSL : Certificate with serial %ld revoked per CRL from issuer %s\n", serial, cp);

//ATTN: Mem error if uncomment following

//free(cp);

X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);

X509_OBJECT_free_contents(&obj);

PEG_METHOD_EXIT();

return 0;

return 1;

}

X509_OBJECT_free_contents(&obj);

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "---> SSL: Certificate is not revoked at this level");

}

PEG_METHOD_EXIT();

return ok;

return 0;

}

Line 432

Line 326

ssl = (SSL*) X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());

SSLCallbackInfo* exData = (SSLCallbackInfo*) SSL_get_ex_data(ssl, SSLCallbackInfo::SSL_CALLBACK_INDEX);

#ifdef PEGASUS_ENABLE_SSL_CRL_VERIFICATION

// If the SSLContext does not have an additional callback

// Check to see if a CRL path is defined

// simply return the preverification error (or check the CRL)

// We do not need to go through the additional steps.

if (exData->verifyCertificateCallback == NULL)

if (exData->_rep->crlStore != NULL)

{

Tracer::trace(TRC_SSL, Tracer::LEVEL4,

revoked = verificationCRLCallback(preVerifyOk,ctx,exData->_rep->crlStore);

"--->SSL: No verification callback specified");

Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL: CRL callback returned %d", revoked);

if (exData->_crlStore == NULL)

if (revoked) //with the SSL callbacks '0' indicates failure

{

PEG_METHOD_EXIT();

return (preVerifyOk);

return 0;

} else

{

revoked = verificationCRLCallback(preVerifyOk,ctx,exData->_crlStore);

PEG_METHOD_EXIT();

return (revoked);

}

Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL: CRL callback returned %d", revoked);

// Check to see if a CRL path is defined

#endif

if (exData->_crlStore)

{

revoked = verificationCRLCallback(preVerifyOk,ctx,exData->_crlStore);

Tracer::trace(TRC_SSL, Tracer::LEVEL4,

"---> SSL: CRL callback returned %d", revoked);

}

// get the current certificate

Line 519

Line 401

// get the issuer name on the certificate

if (!preVerifyOk && (errorCode == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT))

{

X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);

}

else

{

X509_NAME_oneline(X509_get_issuer_name(currentCert), buf, 256);

}

String issuerName = String(buf);

// Create the certificate object

exData->_peerCertificate = new SSLCertificateInfo(subjectName, issuerName, version, serialNumber,

notBefore, notAfter, depth, errorCode, errorStr, preVerifyOk);

//insert at the beginning of the array so that the peer certificate is first and the root CA is last

exData->_rep->peerCertificate.insert(0, new SSLCertificateInfo(subjectName, issuerName, version, serialNumber,

notBefore, notAfter, depth, errorCode, errorStr, preVerifyOk));

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL3, "Created SSLCertificateInfo");

// NOT_YET_VALID checks do not work correctly on subsequent tries -- Bugzilla#4283

// call this prior to calling the user-specified callback in case they want to override it

if (errorCode == X509_V_OK && (CIMDateTime::getDifference(CIMDateTime::getCurrentDateTime(), notBefore) > 0))

{

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "Certificate was not yet valid.");

X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_NOT_YET_VALID);

}

// Call the application callback.

// Call the user-specified application callback if it is specified. If it is null, return OpenSSL's verification code.

// Note that the verification result does not automatically get set to X509_V_OK if the callback is successful.

// This is because OpenSSL retains the original default error in case we want to use it later.

// To set the error, we could use X509_STORE_CTX_set_error(ctx, verifyError); but there is no real benefit to doing that here.

if (exData->verifyCertificateCallback(*exData->_peerCertificate))

if (exData->_rep->verifyCertificateCallback == NULL)

{

return preVerifyOk;

} else

{

if (exData->_rep->verifyCertificateCallback(*exData->_rep->peerCertificate[0]))

{

Tracer::trace(TRC_SSL, Tracer::LEVEL4,

"--> SSL: verifyCertificateCallback() returned X509_V_OK");

"--> SSL: _rep->verifyCertificateCallback() returned X509_V_OK");

PEG_METHOD_EXIT();

return 1;

Line 552

Line 445

else // verification failed, handshake will be immediately terminated

{

Tracer::trace(TRC_SSL, Tracer::LEVEL4,

"--> SSL: verifyCertificateCallback() returned error %d", exData->_peerCertificate->getErrorCode());

"--> SSL: _rep->verifyCertificateCallback() returned error %d", exData->_rep->peerCertificate[0]->getErrorCode());

PEG_METHOD_EXIT();

return 0;

}

// Callback function called by OpenSSL. This request is merely forwarded to the static

Line 582

Line 476

if ( mode & CRYPTO_LOCK )

{

/*Tracer::trace(TRC_SSL, Tracer::LEVEL4,

"Now locking for %d", pegasus_thread_self());*/

"Now locking for %d", Threads::id());*/

SSLContextRep::_sslLocks[type].lock( pegasus_thread_self() );

SSLContextRep::_sslLocks.get()[type].lock( );

}

else

{

/*Tracer::trace(TRC_SSL, Tracer::LEVEL4,

"Now unlocking for %d", pegasus_thread_self());*/

"Now unlocking for %d", Threads::id());*/

SSLContextRep::_sslLocks[type].unlock( );

SSLContextRep::_sslLocks.get()[type].unlock( );

}

Line 603

Line 497

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4,

"Initialized SSL callback.");

_sslLocks= new Mutex[CRYPTO_num_locks()];

#ifdef PEGASUS_OS_OS400

// Load the OpenSSL library and get the exports

SSL_OS400_Init();

#endif

_sslLocks.reset(new Mutex[CRYPTO_num_locks()]);

#if defined(PEGASUS_HAVE_PTHREADS) && !defined(PEGASUS_OS_VMS)

// Set the ID callback. The ID callback returns a thread ID.

CRYPTO_set_id_callback((CRYPTO_SET_ID_CALLBACK) pthread_self);

CRYPTO_set_id_callback((CRYPTO_SET_ID_CALLBACK) pegasus_thread_self);

#endif

// Set the locking callback to pegasus_locking_callback.

Line 624

Line 524

CRYPTO_set_id_callback (NULL);

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4,

"Freed SSL callback.");

_sslLocks.reset();

delete []_sslLocks;

}

Line 685

Line 584

// load SSL library

Tracer::trace(TRC_SSL, Tracer::LEVEL4,

"Before calling SSL_load_error_strings %d", pegasus_thread_self());

"Before calling SSL_load_error_strings %d", Threads::id());

SSL_load_error_strings();

Tracer::trace(TRC_SSL, Tracer::LEVEL4,

"After calling SSL_load_error_strings %d", pegasus_thread_self());

"After calling SSL_load_error_strings %d", Threads::id());

Tracer::trace(TRC_SSL, Tracer::LEVEL4,

"Before calling SSL_library_init %d", pegasus_thread_self());

"Before calling SSL_library_init %d", Threads::id());

SSL_library_init();

Tracer::trace(TRC_SSL, Tracer::LEVEL4,

"After calling SSL_library_init %d", pegasus_thread_self());

"After calling SSL_library_init %d", Threads::id());

}

_countRep++;

Line 720

Line 618

_certPath = sslContextRep._certPath;

_keyPath = sslContextRep._keyPath;

_crlPath = sslContextRep._crlPath;

_crlStore = sslContextRep._crlStore;

_verifyPeer = sslContextRep._verifyPeer;

_certificateVerifyFunction = sslContextRep._certificateVerifyFunction;

_randomFile = sslContextRep._randomFile;

Line 836

Line 735

// Try to do more seeding

long seedNumber;

#if defined(PEGASUS_PLATFORM_WIN32_IX86_MSVC)

#if defined(PEGASUS_COMPILER_MSVC)

srand((unsigned int)time(NULL)); // Initialize

seedNumber = rand();

#else

Line 916

Line 815

SSL_CTX_set_quiet_shutdown(sslContext, 1);

SSL_CTX_set_mode(sslContext, SSL_MODE_AUTO_RETRY);

SSL_CTX_set_options(sslContext,SSL_OP_ALL);

SSL_CTX_set_mode(sslContext, SSL_MODE_ENABLE_PARTIAL_WRITE);

SSL_CTX_set_session_cache_mode(sslContext, SSL_SESS_CACHE_OFF);

int options = SSL_OP_ALL;

#ifndef PEGASUS_ENABLE_SSLV2 //SSLv2 is disabled by default

options |= SSL_OP_NO_SSLv2;

#endif

SSL_CTX_set_options(sslContext, options);

if (_verifyPeer)

{

//ATTN: We might still need a flag to specify SSL_VERIFY_FAIL_IF_NO_PEER_CERT

Line 1197

Line 1102

return _keyPath;

}

#ifdef PEGASUS_USE_DEPRECATED_INTERFACES

String SSLContextRep::getTrustStoreUserName() const

{

return String::EMPTY;

}

#endif

String SSLContextRep::getCRLPath() const

{

return _crlPath;

Line 1207

Line 1119

return _crlStore;

}

void SSLContextRep::setCRLStore(X509_STORE* store)

{

_crlStore = store;

}

Boolean SSLContextRep::isPeerVerificationEnabled() const

{

return _verifyPeer;

Line 1226

Line 1143

SSLContextRep::SSLContextRep(const String& trustStore,

const String& certPath,

const String& keyPath,

const String& crlPath,

SSLCertificateVerifyFunction* verifyCert,

const String& randomFile) {}

const String& randomFile)

{}

SSLContextRep::SSLContextRep(const SSLContextRep& sslContextRep) {}

Line 1246

Line 1165

String SSLContextRep::getKeyPath() const { return String::EMPTY; }

#ifdef PEGASUS_USE_DEPRECATED_INTERFACES

String SSLContextRep::getTrustStoreUserName() const { return String::EMPTY; }

#endif

String SSLContextRep::getCRLPath() const { return String::EMPTY; }

X509_STORE* SSLContextRep::getCRLStore() const { return NULL; }

void SSLContextRep::setCRLStore(X509_STORE* store) { }

Boolean SSLContextRep::isPeerVerificationEnabled() const { return false; }

SSLCertificateVerifyFunction* SSLContextRep::getSSLCertificateVerifyFunction() const { return NULL; }

Line 1294

Line 1219

SSLCertificateVerifyFunction* verifyCert,

const String& randomFile)

{

#ifndef PEGASUS_ENABLE_SSL_CRL_VERIFICATION

if ( crlPath.size() > 0 )

{

MessageLoaderParms parms("Common.Exception.SSL_CRL_NOT_ENABLED_EXCEPTION",

"SSL CRL verification is not enabled.");

throw Exception(parms);

}

#endif

_rep = new SSLContextRep(trustStore, certPath, keyPath, crlPath, verifyCert, randomFile);

}

#ifdef PEGASUS_USE_DEPRECATED_INTERFACES

SSLContext::SSLContext(

const String& trustStore,

const String& certPath,

const String& keyPath,

SSLCertificateVerifyFunction* verifyCert,

String trustStoreUserName,

const String& randomFile)

{

_rep = new SSLContextRep(trustStore, certPath, keyPath, String::EMPTY, verifyCert, randomFile);

}

#endif

SSLContext::SSLContext(const SSLContext& sslContext)

{

_rep = new SSLContextRep(*sslContext._rep);

Line 1329

Line 1275

String SSLContext::getCRLPath() const

{

#ifdef PEGASUS_ENABLE_SSL_CRL_VERIFICATION

return (_rep->getCRLPath());

#else

MessageLoaderParms parms("Common.Exception.SSL_CRL_NOT_ENABLED_EXCEPTION",

"SSL CRL verification is not enabled.");

throw Exception(parms);

#endif

}

X509_STORE* SSLContext::getCRLStore() const

{

#ifdef PEGASUS_ENABLE_SSL_CRL_VERIFICATION

return (_rep->getCRLStore());

#else

MessageLoaderParms parms("Common.Exception.SSL_CRL_NOT_ENABLED_EXCEPTION",

"SSL CRL verification is not enabled.");

throw Exception(parms);

#endif

}

Boolean SSLContext::isPeerVerificationEnabled() const

Line 1342

Line 1300

return (_rep->isPeerVerificationEnabled());

}

#ifdef PEGASUS_USE_DEPRECATED_INTERFACES

String SSLContext::getTrustStoreUserName() const

{

return (_rep->getTrustStoreUserName());

}

#endif

SSLCertificateVerifyFunction* SSLContext::getSSLCertificateVerifyFunction() const

{

return (_rep->getSSLCertificateVerifyFunction());

Line 1568

Line 1533

sprintf(buf, "Version number: %d\n", _rep->versionNumber);

s.append(buf);

sprintf(buf, "Serial number: %ld\n", _rep->serialNumber);

sprintf(buf, "Serial number: %lu\n", _rep->serialNumber);

s.append(buf);

s.append("Not before date: ");

Line 1582

Line 1547

return s;

}

///////////////////////////////////////////////////////////////////////////////

// SSLCallbackInfo

///////////////////////////////////////////////////////////////////////////////

SSLCallbackInfo::SSLCallbackInfo(SSLCertificateVerifyFunction* verifyCert)

{

_rep = new SSLCallbackInfoRep();

_rep->verifyCertificateCallback = verifyCert;

_rep->crlStore = NULL;

}

SSLCallbackInfo::SSLCallbackInfo(SSLCertificateVerifyFunction* verifyCert, X509_STORE* crlStore)

{

verifyCertificateCallback = verifyCert;

_rep = new SSLCallbackInfoRep();

_crlStore = crlStore;

_rep->verifyCertificateCallback = verifyCert;

_peerCertificate = NULL;

_rep->crlStore = crlStore;

}

SSLCallbackInfo::~SSLCallbackInfo()

{

if (_peerCertificate)

PEG_METHOD_ENTER(TRC_SSL, "SSLCallbackInfo::~SSLCallbackInfo");

for (Uint32 i = 0; i < _rep->peerCertificate.size(); i++)

{

delete _peerCertificate;

delete _rep->peerCertificate[i];

}

delete _rep;

PEG_METHOD_EXIT();

}

PEGASUS_NAMESPACE_END

Legend:

Removed from v.1.40
changed lines
	Added in v.1.74

No CVS admin address has been configured