1 karl 1.39 //%2006////////////////////////////////////////////////////////////////////////
|
2 kumpf 1.1 //
|
3 karl 1.27 // Copyright (c) 2000, 2001, 2002 BMC Software; Hewlett-Packard Development
4 // Company, L.P.; IBM Corp.; The Open Group; Tivoli Systems.
5 // Copyright (c) 2003 BMC Software; Hewlett-Packard Development Company, L.P.;
|
6 karl 1.16 // IBM Corp.; EMC Corporation, The Open Group.
|
7 karl 1.27 // Copyright (c) 2004 BMC Software; Hewlett-Packard Development Company, L.P.;
8 // IBM Corp.; EMC Corporation; VERITAS Software Corporation; The Open Group.
|
9 karl 1.30 // Copyright (c) 2005 Hewlett-Packard Development Company, L.P.; IBM Corp.;
10 // EMC Corporation; VERITAS Software Corporation; The Open Group.
|
11 karl 1.39 // Copyright (c) 2006 Hewlett-Packard Development Company, L.P.; IBM Corp.;
12 // EMC Corporation; Symantec Corporation; The Open Group.
|
13 kumpf 1.1 //
14 // Permission is hereby granted, free of charge, to any person obtaining a copy
|
15 kumpf 1.2 // of this software and associated documentation files (the "Software"), to
16 // deal in the Software without restriction, including without limitation the
17 // rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
|
18 kumpf 1.1 // sell copies of the Software, and to permit persons to whom the Software is
19 // furnished to do so, subject to the following conditions:
20 //
|
21 kumpf 1.2 // THE ABOVE COPYRIGHT NOTICE AND THIS PERMISSION NOTICE SHALL BE INCLUDED IN
|
22 kumpf 1.1 // ALL COPIES OR SUBSTANTIAL PORTIONS OF THE SOFTWARE. THE SOFTWARE IS PROVIDED
23 // "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
|
24 kumpf 1.2 // LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
25 // PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
26 // HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
|
27 kumpf 1.1 // ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
28 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
29 //
30 //==============================================================================
31 //
32 //%/////////////////////////////////////////////////////////////////////////////
33
34 #ifndef Pegasus_SSLContext_h
35 #define Pegasus_SSLContext_h
36
|
37 kumpf 1.13 #include <Pegasus/Common/CIMDateTime.h>
|
38 kumpf 1.1 #include <Pegasus/Common/Config.h>
39 #include <Pegasus/Common/String.h>
40 #include <Pegasus/Common/Exception.h>
|
41 kumpf 1.3 #include <Pegasus/Common/Linkage.h>
|
42 kumpf 1.1
|
43 h.sterling 1.28 #ifdef PEGASUS_HAS_SSL
|
44 h.sterling 1.32 typedef struct x509_store_st X509_STORE;
|
45 h.sterling 1.28 #else
46 #define X509_STORE void
47 #endif
48
|
49 kumpf 1.1 PEGASUS_NAMESPACE_BEGIN
50
|
51 kumpf 1.6 class SSLCertificateInfoRep;
|
52 kumpf 1.1 class SSLContextRep;
|
53 h.sterling 1.18 class SSLContext;
|
54 kumpf 1.6 class SSLSocket;
|
55 kumpf 1.13 class CIMServer;
|
56 kumpf 1.15 class CIMxmlIndicationHandler;
|
57 h.sterling 1.19 class SSLCertificateInfo;
|
58 david.dillard 1.26 class SSLCallback;
|
59 nag.boranna 1.31 class SSLContextManager;
|
60 dave.sudlik 1.36 class SSLCallbackInfoRep;
|
61 h.sterling 1.19
62 // Pegasus-defined SSL certificate verification callback
63 typedef Boolean (SSLCertificateVerifyFunction) (SSLCertificateInfo &certInfo);
64
65 /** This class provides information that is used during the SSL verification callback.
66 We pass a pointer to this object to the SSL_set_ex_data function. We can then use SSL_get_ex_data
|
67 kumpf 1.38 from within the callback and cast the void* back to this object. In this case, we store a pointer
68 to the Pegasus-defined callback function set in the SSLContext. We also store a pointer to a
69 certificate object which we construct during the callback. Some of the certificate information is
|
70 h.sterling 1.19 inaccessible outside the callback, so we need to retrieve the data within the function.
71 Each SSL connection object will have the same callback function, but each connection will have its
72 own certificate. Therefore, this class is constructed on a per-connection basis in SSLSocket.
|
73 kumpf 1.38 */
|
74 h.sterling 1.19 class PEGASUS_COMMON_LINKAGE SSLCallbackInfo
75 {
76 public:
|
77 kumpf 1.38
|
78 h.sterling 1.32 // index to the application-specific data in the SSL connection object
|
79 h.sterling 1.23 static const int SSL_CALLBACK_INDEX;
80
|
81 kumpf 1.38 SSLCallbackInfo(SSLCertificateVerifyFunction* verifyCert);
|
82 dave.sudlik 1.36
|
83 kumpf 1.38 SSLCallbackInfo(
84 SSLCertificateVerifyFunction* verifyCert,
85 X509_STORE* crlStore);
|
86 h.sterling 1.19
|
87 kumpf 1.38 ~SSLCallbackInfo();
|
88 h.sterling 1.19
89 private:
90
|
91 dave.sudlik 1.36 SSLCallbackInfo();
|
92 kumpf 1.37 SSLCallbackInfo(const SSLCallbackInfo& sslCallbackInfo);
93 SSLCallbackInfo& operator=(const SSLCallbackInfo& sslCallbackInfo);
|
94 h.sterling 1.19
|
95 dave.sudlik 1.36 SSLCallbackInfoRep* _rep;
|
96 h.sterling 1.28
|
97 h.sterling 1.19 friend class SSLSocket;
98
|
99 david.dillard 1.26 friend class SSLCallback;
|
100 h.sterling 1.19 };
|
101 kumpf 1.1
102
103 /** This class provides the interface that a client gets as argument
104 to certificate verification call back function.
105 */
|
106 kumpf 1.6 class PEGASUS_COMMON_LINKAGE SSLCertificateInfo
|
107 kumpf 1.1 {
108 public:
|
109 kumpf 1.13
110 //
111 // Certificate validation result codes.
112 //
113 static const int V_OK;
114
115 static const int V_ERR_UNABLE_TO_GET_ISSUER_CERT;
116 static const int V_ERR_UNABLE_TO_GET_CRL;
117 static const int V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE;
118 static const int V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE;
119 static const int V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
120 static const int V_ERR_CERT_SIGNATURE_FAILURE;
121 static const int V_ERR_CRL_SIGNATURE_FAILURE;
122 static const int V_ERR_CERT_NOT_YET_VALID;
123 static const int V_ERR_CERT_HAS_EXPIRED;
124 static const int V_ERR_CRL_NOT_YET_VALID;
125 static const int V_ERR_CRL_HAS_EXPIRED;
126 static const int V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
127 static const int V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
128 static const int V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
129 static const int V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
130 kumpf 1.13 static const int V_ERR_OUT_OF_MEM;
131 static const int V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
132 static const int V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
133 static const int V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
134 static const int V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
135 static const int V_ERR_CERT_CHAIN_TOO_LONG;
136 static const int V_ERR_CERT_REVOKED;
137 static const int V_ERR_INVALID_CA;
138 static const int V_ERR_PATH_LENGTH_EXCEEDED;
139 static const int V_ERR_INVALID_PURPOSE;
140 static const int V_ERR_CERT_UNTRUSTED;
141 static const int V_ERR_CERT_REJECTED;
142 static const int V_ERR_SUBJECT_ISSUER_MISMATCH;
143 static const int V_ERR_AKID_SKID_MISMATCH;
144 static const int V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
145 static const int V_ERR_KEYUSAGE_NO_CERTSIGN;
146
147 static const int V_ERR_APPLICATION_VERIFICATION;
148
149
|
150 kumpf 1.6 /** Constructor for a SSLCertificateInfo object.
|
151 kumpf 1.38 Note: Do not use this constructor, instead use the private constructor.
152 The constructor is not for client applications use, it is intended to be
153 used only by the CIMServer.
154 @param subjectName subject name of the certificate.
155 @param issuerName issuer name of the certificate.
156 @param errorDepth depth of the certificate chain.
157 @param errorCode error code from the default verification of the
158 certificate by the OpenSSL library.
159 @param respCode result code from the default verification of the
160 certificate by the OpenSSL library.
|
161 kumpf 1.1 */
|
162 kumpf 1.6 SSLCertificateInfo(
|
163 kumpf 1.1 const String subjectName,
164 const String issuerName,
165 const int errorDepth,
|
166 kumpf 1.12 const int errorCode,
167 const int respCode);
|
168 kumpf 1.1
|
169 kumpf 1.6 /** Copy constructor for a SSLCertificateInfo object.
|
170 kumpf 1.38 @param certificateInfo SSLCertificateInfo object to copy
|
171 kumpf 1.6 */
172 SSLCertificateInfo(const SSLCertificateInfo& certificateInfo);
173
174 ~SSLCertificateInfo();
|
175 kumpf 1.1
|
176 kumpf 1.13 /** Gets the subject name of the certificate.
|
177 kumpf 1.38 @return a string containing the subject name.
|
178 kumpf 1.1 */
179 String getSubjectName() const;
180
|
181 kumpf 1.13 /** Gets the issuer name of the certificate.
|
182 kumpf 1.38 @return a string containing the issuer name.
|
183 kumpf 1.1 */
184 String getIssuerName() const;
185
|
186 kumpf 1.38 /** Gets the notAfter date from the validity period of
187 the certificate.
188 @return a CIMDateTime containing the notAfter date.
|
189 kumpf 1.13 */
190 CIMDateTime getNotAfter() const;
191
|
192 kumpf 1.38 /** Gets the notBefore date from the validity period of
193 the certificate.
194 @return a CIMDateTime containing the notBefore date.
|
195 kumpf 1.13 */
196 CIMDateTime getNotBefore() const;
197
198 /** Gets the version (version number) from the certificate.
|
199 kumpf 1.38 @return a int containing the version.
|
200 kumpf 1.13 */
201 Uint32 getVersionNumber() const;
202
203 /** Gets the serialNumber value from the certificate.
|
204 kumpf 1.38 @return a long integer containing the serial number.
|
205 kumpf 1.13 */
206 long getSerialNumber() const;
207
208 /** Gets the depth of the certificate chain.
|
209 kumpf 1.38 @return an int containing the depth of the certificate chain
|
210 kumpf 1.1 */
|
211 kumpf 1.13 Uint32 getErrorDepth() const;
|
212 kumpf 1.1
|
213 kumpf 1.13 /** Gets the pre-verify error code.
|
214 kumpf 1.38 @return an int containing the pre-verify error code
|
215 kumpf 1.1 */
|
216 kumpf 1.13 Uint32 getErrorCode() const;
|
217 kumpf 1.1
|
218 kumpf 1.13 /** Sets the error code.
|
219 kumpf 1.38 @param errorCode error code to be set
|
220 kumpf 1.12 */
|
221 kumpf 1.13 void setErrorCode(const int errorCode);
|
222 kumpf 1.12
|
223 kumpf 1.13 /** Gets the pre-verify error string.
|
224 kumpf 1.38 @return a string containing the pre-verify error string
|
225 kumpf 1.13 */
226 String getErrorString() const;
227
228 /** Gets the pre-verify response code.
|
229 kumpf 1.38 @return an int containing the pre-verify response code
|
230 kumpf 1.13 */
231 Uint32 getResponseCode() const;
232
233 /** Sets the response code.
|
234 kumpf 1.38 Note: Do not use this function, the value set using this function
235 is ignored.
236 @param respCode response code to be set.
|
237 kumpf 1.1 */
238 void setResponseCode(const int respCode);
239
|
240 h.sterling 1.19 /** Returns a string representation of this object
|
241 kumpf 1.38 @return a string containing the certificate fields
|
242 h.sterling 1.19 */
243 String toString() const;
244
|
245 kumpf 1.1 private:
246
|
247 kumpf 1.13 /** Constructor for a SSLCertificateInfo object.
|
248 kumpf 1.38 @param subjectName subject name of the certificate.
249 @param issuerName issuer name of the certificate.
250 @param version version number value from the certificate.
251 @param serailNumber serial number value from the certificate.
252 @param notAfter notAfter date from the validity period of the certificate.
253 @param notBefore notBefore date from the validity period of the certificate.
254 @param depth depth of the certificate chain.
255 @param errorCode error code from the default verification of the
256 certificate by the OpenSSL library.
257 @param errorString error message from the default verification of the
258 certificate by the Open SSL library.
259 @param respCode result code from the default verification of the
260 certificate by the OpenSSL library.
|
261 kumpf 1.13 */
262 SSLCertificateInfo(
263 const String subjectName,
264 const String issuerName,
265 const Uint32 versionNumber,
266 const long serialNumber,
267 const CIMDateTime notBefore,
268 const CIMDateTime notAfter,
269 const Uint32 depth,
270 const Uint32 errorCode,
271 const String errorString,
272 const Uint32 respCode);
273
|
274 kumpf 1.7 SSLCertificateInfo();
|
275 kumpf 1.37 SSLCertificateInfo& operator=(const SSLCertificateInfo& sslCertificateInfo);
|
276 kumpf 1.7
|
277 kumpf 1.6 SSLCertificateInfoRep* _rep;
|
278 kumpf 1.13
|
279 h.sterling 1.18 // SSLSocket needs to use the private constructor to create
280 // a certificate object to pass to the AuthenticationInfo and
281 // OperationContext classes
282 friend class SSLSocket;
283
|
284 h.sterling 1.32 friend class SSLCallback;
|
285 kumpf 1.6 };
|
286 kumpf 1.1
|
287 kumpf 1.12 /** This class provides the interface that a client uses to create
|
288 kumpf 1.1 SSL context.
289
290 For the OSs that don't have /dev/random device file,
|
291 kumpf 1.9 must enable PEGASUS_SSL_RANDOMFILE flag and pass
292 random file name to constructor.
|
293 kumpf 1.1 */
|
294 kumpf 1.3 class PEGASUS_COMMON_LINKAGE SSLContext
|
295 kumpf 1.1 {
296 public:
297
298 /** Constructor for a SSLContext object.
|
299 kumpf 1.38 @param trustStore file path of the trust store
300 @param verifyCert function pointer to a certificate verification
301 call back function. A null pointer indicates that no callback is
302 requested for certificate verification.
303 @param randomFile file path of a random file that is used as a seed
304 for random number generation by OpenSSL.
|
305 kumpf 1.1
|
306 kumpf 1.38 @exception SSLException indicates failure to create an SSL context.
|
307 kumpf 1.1 */
308 SSLContext(
|
309 h.sterling 1.18 const String& trustStore,
|
310 kumpf 1.6 SSLCertificateVerifyFunction* verifyCert,
|
311 kumpf 1.9 const String& randomFile = String::EMPTY);
312
|
313 kumpf 1.6 SSLContext(const SSLContext& sslContext);
|
314 kumpf 1.1
315 ~SSLContext();
316
|
317 h.sterling 1.18 /** Gets the truststore path of the SSLContext object. This may be a CA file or a directory.
|
318 kumpf 1.38 @return a string containing the truststore path.
|
319 h.sterling 1.18 */
320 String getTrustStore() const;
|
321 kumpf 1.38
|
322 h.sterling 1.18 /** Gets the x509 certificate path of the SSLContext object.
|
323 kumpf 1.38 @return a string containing the certificate path.
|
324 h.sterling 1.18 */
325 String getCertPath() const;
326
327 /** Gets the private key path of the SSLContext object.
|
328 kumpf 1.38 @return a string containing the key path
|
329 h.sterling 1.18 */
330 String getKeyPath() const;
331
|
332 h.sterling 1.32 //PEP187
333 /** Gets the certificate revocation list path of the SSLContext object.
|
334 kumpf 1.38 @return a string containing the crl path
|
335 h.sterling 1.28 */
336 String getCRLPath() const;
337
|
338 h.sterling 1.32 //PEP187
339 /** Gets the certificate revocation store of the SSLContext object.
|
340 kumpf 1.38 @return a string containing the crl store
|
341 h.sterling 1.28 */
342 X509_STORE* getCRLStore() const;
343
|
344 h.sterling 1.18 /** Returns whether peer verification is ON of OFF
|
345 kumpf 1.38 Corresponds to what the SSL_CTX_set_verify is set to
346 @return true if verification is on; false otherwise
|
347 h.sterling 1.18 */
348 Boolean isPeerVerificationEnabled() const;
349
|
350 dave.sudlik 1.36 #ifdef PEGASUS_USE_DEPRECATED_INTERFACES
351 /** In OpenPegasus 2.4 this method returned the username associated
|
352 kumpf 1.38 with the truststore, if applicable. This method is currently deprecated
353 beginning in OpenPegasus 2.5, and will always return String::EMPTY.
354 @return String::EMPTY
355 */
356 String getTrustStoreUserName() const;
|
357 dave.sudlik 1.36 #endif
358
|
359 h.sterling 1.19 /** Returns the verification callback associated with this context. This may be NULL.
|
360 kumpf 1.38 @return the verification callback function
|
361 h.sterling 1.19 */
362 SSLCertificateVerifyFunction* getSSLCertificateVerifyFunction() const;
363
|
364 kumpf 1.12 /** Constructor for a SSLContext object. This constructor is intended
|
365 kumpf 1.38 to be used by the CIMServer or CIMClient.
366 @param trustStore file path of the trust store.
367 @param certPath file path of the server certificate.
368 @param KeyPath file path of the private key.
369 @param verifyCert function pointer to a certificate verification
370 call back function. A null pointer indicates that no callback is
371 requested for certificate verification.
372 @param randomFile file path of a random file that is used as a seed
373 for random number generation by OpenSSL.
|
374 kumpf 1.12
|
375 kumpf 1.38 @exception SSLException indicates failure to create an SSL context.
|
376 kumpf 1.12 */
377 SSLContext(
|
378 h.sterling 1.18 const String& trustStore,
|
379 kumpf 1.12 const String& certPath,
|
380 kumpf 1.13 const String& keyPath,
|
381 kumpf 1.12 SSLCertificateVerifyFunction* verifyCert,
382 const String& randomFile);
|
383 h.sterling 1.18
|
384 h.sterling 1.28
|
385 h.sterling 1.32 //PEP187
386 /** Constructor for a SSLContext object. This constructor is intended
|
387 kumpf 1.38 to be used by the CIMServer or CIMClient.
388 @param trustStore file path of the trust store.
389 @param certPath file path of the server certificate.
390 @param keyPath file path of the private key.
391 @param crlPath file path of the certificate revocation list.
392 @param verifyCert function pointer to a certificate verification
393 call back function. A null pointer indicates that no callback is
394 requested for certificate verification.
395 @param randomFile file path of a random file that is used as a seed
396 for random number generation by OpenSSL.
|
397 h.sterling 1.21
|
398 kumpf 1.38 @exception SSLException indicates failure to create an SSL context.
|
399 h.sterling 1.21 */
400 SSLContext(
401 const String& trustStore,
402 const String& certPath,
403 const String& keyPath,
|
404 h.sterling 1.32 const String& crlPath,
|
405 h.sterling 1.21 SSLCertificateVerifyFunction* verifyCert,
406 const String& randomFile);
407
|
408 dave.sudlik 1.36 #ifdef PEGASUS_USE_DEPRECATED_INTERFACES
|
409 kumpf 1.38 /** Constructor for a SSLContextRep object.
410 @param trustStore trust store file path
411 @param certPath server certificate file path
412 @param keyPath server key file path
413 @param verifyCert function pointer to a certificate verification
414 call back function.
415 @param trustStoreUserName In OpenPegasus 2.5 this parameter specified the user to
416 associate the truststore with; this was basically a workaround to
417 providers that required a username. With the support provided in PEP 187,
418 this parameter is ignored beginning in release 2.5.
419 @param randomFile file path of a random file that is used as a seed
420 for random number generation by OpenSSL.
|
421 dave.sudlik 1.36
|
422 kumpf 1.38 @exception SSLException exception indicating failure to create a context.
|
423 dave.sudlik 1.36 */
424 SSLContext(
425 const String& trustStore,
426 const String& certPath,
427 const String& keyPath,
428 SSLCertificateVerifyFunction* verifyCert,
|
429 kumpf 1.38 String trustStoreUserName,
|
430 dave.sudlik 1.36 const String& randomFile);
431 #endif
432
|
433 h.sterling 1.28 private:
|
434 kumpf 1.12
|
435 kumpf 1.7 SSLContext();
|
436 kumpf 1.37 SSLContext& operator=(const SSLContext& sslContext);
|
437 kumpf 1.1
438 SSLContextRep* _rep;
439
440 friend class SSLSocket;
|
441 kumpf 1.12
442 friend class CIMServer;
|
443 kumpf 1.15
444 friend class CIMxmlIndicationHandler;
|
445 nag.boranna 1.31
446 friend class SSLContextManager;
|
447 kumpf 1.1 };
448
449 PEGASUS_NAMESPACE_END
450
451 #endif /* Pegasus_SSLContext_h */
|