//%2003////////////////////////////////////////////////////////////////////////
//
// Copyright (c) 2000, 2001, 2002 BMC Software, Hewlett-Packard Development
// Company, L. P., IBM Corp., The Open Group, Tivoli Systems.
// Copyright (c) 2003 BMC Software; Hewlett-Packard Development Company, L. P.;
// IBM Corp.; EMC Corporation, The Open Group.
//
// Permission is hereby granted, free of charge, to any person obtaining a copy
// of this software and associated documentation files (the "Software"), to
// deal in the Software without restriction, including without limitation the
// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
// sell copies of the Software, and to permit persons to whom the Software is
// furnished to do so, subject to the following conditions:
//
// THE ABOVE COPYRIGHT NOTICE AND THIS PERMISSION NOTICE SHALL BE INCLUDED IN
// ALL COPIES OR SUBSTANTIAL PORTIONS OF THE SOFTWARE. THE SOFTWARE IS PROVIDED
// "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
// LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
// PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
// HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
// ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
//==============================================================================
//
// Author: Markus Mueller (sedgewick_de@yahoo.de)
//
// Modified By: Nag Boranna, Hewlett-Packard Company (nagaraja_boranna@hp.com)
//              Roger Kumpf, Hewlett-Packard Company (roger_kumpf@hp.com)
//              Heather Sterling, IBM (hsterl@us.ibm.com)
//
//%/////////////////////////////////////////////////////////////////////////////
#ifndef Pegasus_SSLContext_h
#define Pegasus_SSLContext_h

#include <Pegasus/Common/CIMDateTime.h>
#include <Pegasus/Common/Config.h>
#include <Pegasus/Common/String.h>
#include <Pegasus/Common/Exception.h>
#include <Pegasus/Common/Linkage.h>

// Opaque forward declaration of OpenSSL's X509_STORE_CTX (same struct tag as
// OpenSSL's own typedef) so that this public header does not have to include
// the OpenSSL headers; only pointers to it are used below.
typedef struct x509_store_ctx_st X509_STORE_CTX;

PEGASUS_NAMESPACE_BEGIN

class SSLCertificateInfoRep;
class SSLContextRep;
class SSLContext;
class SSLSocket;
class CIMServer;
class CIMxmlIndicationHandler;
class SSLCertificateInfo;

// Pegasus-defined SSL certificate verification callback.
// Called with the information gathered about the peer certificate being
// verified (see SSLCallbackInfo below). The Boolean result is the
// application's verdict on that certificate; presumably true accepts it and
// false rejects it -- confirm the polarity against prepareForCallback before
// relying on it, since a wrong guess here silently disables verification.
typedef Boolean (SSLCertificateVerifyFunction) (SSLCertificateInfo &certInfo);
/** This class provides information that is used during the SSL verification callback.
    We pass a pointer to this object to the SSL_set_ex_data function. We can then use SSL_get_ex_data
    from within the callback and cast the void* back to this object. In this case, we store a pointer
    to the Pegasus-defined callback function set in the SSLContext. We also store a pointer to a
    certificate object which we construct during the callback. Some of the certificate information is
    inaccessible outside the callback, so we need to retrieve the data within the function.
    Each SSL connection object will have the same callback function, but each connection will have its
    own certificate. Therefore, this class is constructed on a per-connection basis in SSLSocket.
*/
class PEGASUS_COMMON_LINKAGE SSLCallbackInfo
{
public:

    // index to the application-specific data in the SSL connection object
    // (the ex_data slot used with SSL_set_ex_data / SSL_get_ex_data)
    static const int SSL_CALLBACK_INDEX;

    /** Constructs the per-connection callback state.
        @param verifyCert the Pegasus-defined verification callback taken
        from the SSLContext; may be NULL when no callback was requested.
    */
    SSLCallbackInfo(SSLCertificateVerifyFunction* verifyCert);

    /** Destructor. Whether _peerCertificate is released here is not
        visible in this header -- see the implementation for ownership.
    */
    ~SSLCallbackInfo();

private:

    // Application callback consulted when OpenSSL verifies the peer certificate.
    SSLCertificateVerifyFunction* verifyCertificateCallback;

    // Certificate object built inside the callback from data that is only
    // reachable while the callback runs (see the class comment).
    SSLCertificateInfo* _peerCertificate;

    // SSLSocket creates one of these per connection and, as a friend, can
    // read the stored certificate afterwards.
    friend class SSLSocket;

    // The OpenSSL-facing verify callback; presumably it recovers this object
    // from the SSL ex_data and fills in _peerCertificate -- confirm in the
    // implementation.
    friend int prepareForCallback(int, X509_STORE_CTX*);
};
/** This class provides the interface that a client gets as argument
    to the certificate verification callback function.

    An instance describes one certificate of the chain being verified,
    together with the result that OpenSSL's default verification produced
    for it. The result codes below are named after OpenSSL's X509_V_*
    verification results; their numeric values are defined in the
    implementation.
*/
class PEGASUS_COMMON_LINKAGE SSLCertificateInfo
{
public:

    //
    // Certificate validation result codes.
    //
    // V_OK means the default verification accepted the certificate; every
    // V_ERR_* value names the reason it was rejected.
    //
    static const int V_OK;

    static const int V_ERR_UNABLE_TO_GET_ISSUER_CERT;
    static const int V_ERR_UNABLE_TO_GET_CRL;
    static const int V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE;
    static const int V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE;
    static const int V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
    static const int V_ERR_CERT_SIGNATURE_FAILURE;
    static const int V_ERR_CRL_SIGNATURE_FAILURE;
    static const int V_ERR_CERT_NOT_YET_VALID;
    static const int V_ERR_CERT_HAS_EXPIRED;
    static const int V_ERR_CRL_NOT_YET_VALID;
    static const int V_ERR_CRL_HAS_EXPIRED;
    static const int V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
    static const int V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
    static const int V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
    static const int V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
    static const int V_ERR_OUT_OF_MEM;
    static const int V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
    static const int V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
    static const int V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
    static const int V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
    static const int V_ERR_CERT_CHAIN_TOO_LONG;
    static const int V_ERR_CERT_REVOKED;
    static const int V_ERR_INVALID_CA;
    static const int V_ERR_PATH_LENGTH_EXCEEDED;
    static const int V_ERR_INVALID_PURPOSE;
    static const int V_ERR_CERT_UNTRUSTED;
    static const int V_ERR_CERT_REJECTED;
    static const int V_ERR_SUBJECT_ISSUER_MISMATCH;
    static const int V_ERR_AKID_SKID_MISMATCH;
    static const int V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
    static const int V_ERR_KEYUSAGE_NO_CERTSIGN;

    // Presumably reserved for a rejection decided by the Pegasus
    // verification callback rather than by OpenSSL's own checks (see
    // setErrorCode) -- confirm against the implementation.
    static const int V_ERR_APPLICATION_VERIFICATION;


    /** Constructor for a SSLCertificateInfo object.
        Note: not intended for client applications; it is used only by the
        CIMServer. Client code receives already populated objects as the
        argument of the verification callback and never constructs them.
        @param subjectName subject name of the certificate.
        @param issuerName issuer name of the certificate.
        @param errorDepth depth of the certificate chain.
        @param errorCode error code from the default verification of the
        certificate by the OpenSSL library.
        @param respCode result code from the default verification of the
        certificate by the OpenSSL library.
    */
    SSLCertificateInfo(
        const String subjectName,
        const String issuerName,
        const int errorDepth,
        const int errorCode,
        const int respCode);

    /** Copy constructor for a SSLCertificateInfo object.
        @param certificateInfo SSLCertificateInfo object to copy
    */
    SSLCertificateInfo(const SSLCertificateInfo& certificateInfo);

    /** Destructor. Releases the representation this object owns; the
        exact sharing rules for _rep are defined in the implementation.
    */
    ~SSLCertificateInfo();

    /** Gets the subject name of the certificate.
        @return a string containing the subject name.
    */
    String getSubjectName() const;

    /** Gets the issuer name of the certificate.
        @return a string containing the issuer name.
    */
    String getIssuerName() const;

    /** Gets the notAfter date from the validity period of
        the certificate.
        @return a CIMDateTime containing the notAfter date.
    */
    CIMDateTime getNotAfter() const;

    /** Gets the notBefore date from the validity period of
        the certificate.
        @return a CIMDateTime containing the notBefore date.
    */
    CIMDateTime getNotBefore() const;

    /** Gets the version (version number) from the certificate.
        @return a Uint32 containing the version.
    */
    Uint32 getVersionNumber() const;

    /** Gets the serialNumber value from the certificate.
        @return a long integer containing the serial number.
    */
    long getSerialNumber() const;

    /** Gets the depth of the certificate chain.
        In OpenSSL terms this is presumably the position of this certificate
        in the chain, 0 being the peer's own certificate -- confirm against
        prepareForCallback before using it to distinguish leaf from CA.
        @return an int containing the depth of the certificate chain
    */
    Uint32 getErrorDepth() const;

    /** Gets the pre-verify error code.
        @return an int containing the pre-verify error code; expected to be
        one of the V_* result codes declared above.
    */
    Uint32 getErrorCode() const;

    /** Sets the error code.
        A verification callback can use this to record its own verdict
        (for example V_ERR_APPLICATION_VERIFICATION). Whether the stored
        value influences the outcome of the connection, as opposed to the
        callback's Boolean return value, is decided in the implementation --
        confirm before relying on it.
        @param errorCode error code to be set
    */
    void setErrorCode(const int errorCode);

    /** Gets the pre-verify error string.
        @return a string containing the pre-verify error string (the
        human-readable form of the error code)
    */
    String getErrorString() const;

    /** Gets the pre-verify response code.
        @return an int containing the pre-verify response code
    */
    Uint32 getResponseCode() const;

    /** Sets the response code.
        Note: Do not use this function, the value set using this function
        is ignored.
        @param respCode response code to be set.
    */
    void setResponseCode(const int respCode);

    /** Returns a string representation of this object
        @return a string containing the certificate fields
    */
    String toString() const;

private:

    /** Constructor for a SSLCertificateInfo object.
        Builds a fully populated object from the data that is only
        reachable inside the verification callback.
        @param subjectName subject name of the certificate.
        @param issuerName issuer name of the certificate.
        @param versionNumber version number value from the certificate.
        @param serialNumber serial number value from the certificate.
        @param notBefore notBefore date from the validity period of the certificate.
        @param notAfter notAfter date from the validity period of the certificate.
        @param depth depth of the certificate chain.
        @param errorCode error code from the default verification of the
        certificate by the OpenSSL library.
        @param errorString error message from the default verification of the
        certificate by the Open SSL library.
        @param respCode result code from the default verification of the
        certificate by the OpenSSL library.
    */
    SSLCertificateInfo(
        const String subjectName,
        const String issuerName,
        const Uint32 versionNumber,
        const long serialNumber,
        const CIMDateTime notBefore,
        const CIMDateTime notAfter,
        const Uint32 depth,
        const Uint32 errorCode,
        const String errorString,
        const Uint32 respCode);

    // Private default constructor; clients cannot create an empty object.
    SSLCertificateInfo();

    // Private representation (pimpl); all getters read through it.
    SSLCertificateInfoRep* _rep;

    // SSLSocket needs to use the private constructor to create
    // a certificate object to pass to the AuthenticationInfo and
    // OperationContext classes
    friend class SSLSocket;

    // The OpenSSL-facing verify callback also uses the private constructor
    // to build the object handed to the application callback.
    friend int prepareForCallback(int, X509_STORE_CTX*);
};
/** This class provides the interface that a client uses to create an
    SSL context.

    For the OSs that don't have a /dev/random device file, the
    PEGASUS_SSL_RANDOMFILE flag must be enabled and a random file name
    passed to the constructor.

    The context carries the trust store, certificate and private key
    paths, the peer verification setting and the optional Pegasus
    verification callback. SSLSocket, CIMServer and CIMxmlIndicationHandler
    are friends so that they can use the private constructors and _rep.
*/
class PEGASUS_COMMON_LINKAGE SSLContext
{
public:

    /** Constructor for a SSLContext object.
        @param trustStore file path of the trust store
        @param verifyCert function pointer to a certificate verification
        call back function. A null pointer indicates that no callback is
        requested for certificate verification.
        @param randomFile file path of a random file that is used as a seed
        for random number generation by OpenSSL. Because it seeds the PRNG
        that TLS keys and nonces are drawn from, the file must be
        unpredictable and protected from modification; how it is consumed
        is defined in the implementation.

        @exception SSLException indicates failure to create an SSL context.
    */
    SSLContext(
        const String& trustStore,
        SSLCertificateVerifyFunction* verifyCert,
        const String& randomFile = String::EMPTY);

    /** Copy constructor. Whether the copy shares or duplicates the
        underlying SSLContextRep is not visible here -- see the implementation.
        @param sslContext SSLContext object to copy
    */
    SSLContext(const SSLContext& sslContext);

    ~SSLContext();

    /** Gets the truststore path of the SSLContext object. This may be a CA file or a directory.
        @return a string containing the truststore path.
    */
    String getTrustStore() const;

    /** Gets the x509 certificate path of the SSLContext object.
        @return a string containing the certificate path.
    */
    String getCertPath() const;

    /** Gets the private key path of the SSLContext object.
        @return a string containing the key path
    */
    String getKeyPath() const;

    /** Returns whether peer verification is ON or OFF.
        Corresponds to the verification mode given to SSL_CTX_set_verify.
        When off, this context does not check the peer's certificate, and the
        callback passed as verifyCert is presumably not consulted either --
        confirm in the implementation.
        @return true if verification is on; false otherwise
    */
    Boolean isPeerVerificationEnabled() const;

#ifdef PEGASUS_USE_AUTOMATIC_TRUSTSTORE_UPDATE
    /** Returns whether enableSSLTrustStoreAutoUpdate is ON or OFF
        If on, untrusted certificates sent with privileged credentials will
        be automatically added to the server's truststore.
        Note that this grows the trust store at run time: a certificate
        accepted this way is presumably trusted for all later connections,
        so the credential check that gates it is the security boundary of
        the feature.
        @return true if auto update is on; false otherwise
    */
    Boolean isTrustStoreAutoUpdateEnabled() const;
#endif

    /** Returns the username associated with the truststore, if applicable
        This is currently necessary for OperationContext
        @return the username associated with the truststore or String::EMPTY if not applicable
    */
    String getTrustStoreUserName() const;

    /** Returns the verification callback associated with this context. This may be NULL.
        @return the verification callback function
    */
    SSLCertificateVerifyFunction* getSSLCertificateVerifyFunction() const;

    /** Constructor for a SSLContext object. This constructor is intended
        to be used by the CIMServer or CIMClient.
        @param trustStore file path of the trust store.
        @param certPath file path of the server certificate.
        @param keyPath file path of the private key.
        @param verifyCert function pointer to a certificate verification
        call back function. A null pointer indicates that no callback is
        requested for certificate verification.
        @param randomFile file path of a random file that is used as a seed
        for random number generation by OpenSSL.

        @exception SSLException indicates failure to create an SSL context.
    */
    SSLContext(
        const String& trustStore,
        const String& certPath,
        const String& keyPath,
        SSLCertificateVerifyFunction* verifyCert,
        const String& randomFile);

    /** Constructor for a SSLContext object.
        @param trustStore trust store file path
        @param certPath server certificate file path
        @param keyPath server key file path
        @param verifyCert function pointer to a certificate verification
        call back function.
        @param trustStoreUserName the user to associate the truststore with; this is basically
        a workaround to providers that require a username and will be addressed post 2.4
        @param randomFile file path of a random file that is used as a seed
        for random number generation by OpenSSL.

        @exception SSLException exception indicating failure to create a context.
    */
    SSLContext(
        const String& trustStore,
        const String& certPath,
        const String& keyPath,
        SSLCertificateVerifyFunction* verifyCert,
        String trustStoreUserName,
        const String& randomFile);

#ifdef PEGASUS_USE_AUTOMATIC_TRUSTSTORE_UPDATE
    /** Constructor for a SSLContext object.
        @param trustStore trust store file path
        @param certPath server certificate file path
        @param keyPath server key file path
        @param verifyCert function pointer to a certificate verification
        call back function.
        @param trustStoreAutoUpdate indicates that the server can automatically add certificates
        to the truststore if they are sent with valid sslTrustStoreUserName credentials
        (see isTrustStoreAutoUpdateEnabled for the trust implications)
        @param trustStoreUserName the user to associate the truststore with; this is basically
        a workaround to providers that require a username and will be addressed post 2.4
        @param randomFile file path of a random file that is used as a seed
        for random number generation by OpenSSL.

        @exception SSLException exception indicating failure to create a context.
    */
    SSLContext(
        const String& trustStore,
        const String& certPath,
        const String& keyPath,
        SSLCertificateVerifyFunction* verifyCert,
        Boolean trustStoreAutoUpdate,
        String trustStoreUserName,
        const String& randomFile);
#endif

    // Private default constructor; a context is always created with
    // explicit trust store settings.
    SSLContext();

    // Private representation (pimpl); the friends below reach it directly.
    SSLContextRep* _rep;

    friend class SSLSocket;

    friend class CIMServer;

    friend class CIMxmlIndicationHandler;
};
PEGASUS_NAMESPACE_END  // closes PEGASUS_NAMESPACE_BEGIN at the top of this header

#endif /* Pegasus_SSLContext_h */