1 karl 1.39 //%2006////////////////////////////////////////////////////////////////////////
|
2 kumpf 1.1 //
|
3 karl 1.27 // Copyright (c) 2000, 2001, 2002 BMC Software; Hewlett-Packard Development
4 // Company, L.P.; IBM Corp.; The Open Group; Tivoli Systems.
5 // Copyright (c) 2003 BMC Software; Hewlett-Packard Development Company, L.P.;
|
6 karl 1.16 // IBM Corp.; EMC Corporation, The Open Group.
|
7 karl 1.27 // Copyright (c) 2004 BMC Software; Hewlett-Packard Development Company, L.P.;
8 // IBM Corp.; EMC Corporation; VERITAS Software Corporation; The Open Group.
|
9 karl 1.30 // Copyright (c) 2005 Hewlett-Packard Development Company, L.P.; IBM Corp.;
10 // EMC Corporation; VERITAS Software Corporation; The Open Group.
|
11 karl 1.39 // Copyright (c) 2006 Hewlett-Packard Development Company, L.P.; IBM Corp.;
12 // EMC Corporation; Symantec Corporation; The Open Group.
|
13 kumpf 1.1 //
14 // Permission is hereby granted, free of charge, to any person obtaining a copy
|
15 kumpf 1.2 // of this software and associated documentation files (the "Software"), to
16 // deal in the Software without restriction, including without limitation the
17 // rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
|
18 kumpf 1.1 // sell copies of the Software, and to permit persons to whom the Software is
19 // furnished to do so, subject to the following conditions:
20 //
|
21 kumpf 1.2 // THE ABOVE COPYRIGHT NOTICE AND THIS PERMISSION NOTICE SHALL BE INCLUDED IN
|
22 kumpf 1.1 // ALL COPIES OR SUBSTANTIAL PORTIONS OF THE SOFTWARE. THE SOFTWARE IS PROVIDED
23 // "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
|
24 kumpf 1.2 // LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
25 // PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
26 // HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
|
27 kumpf 1.1 // ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
28 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
29 //
30 //==============================================================================
31 //
32 //%/////////////////////////////////////////////////////////////////////////////
33
34 #ifndef Pegasus_SSLContext_h
35 #define Pegasus_SSLContext_h
36
|
37 kumpf 1.13 #include <Pegasus/Common/CIMDateTime.h>
|
38 kumpf 1.1 #include <Pegasus/Common/Config.h>
39 #include <Pegasus/Common/String.h>
40 #include <Pegasus/Common/Exception.h>
|
41 kumpf 1.3 #include <Pegasus/Common/Linkage.h>
|
42 kumpf 1.1
|
43 h.sterling 1.28 #ifdef PEGASUS_HAS_SSL
|
44 h.sterling 1.32 typedef struct x509_store_st X509_STORE;
|
45 h.sterling 1.28 #else
46 #define X509_STORE void
47 #endif
48
|
49 kumpf 1.1 PEGASUS_NAMESPACE_BEGIN
50
|
51 kumpf 1.6 class SSLCertificateInfoRep;
|
52 kumpf 1.1 class SSLContextRep;
|
53 h.sterling 1.18 class SSLContext;
|
54 kumpf 1.6 class SSLSocket;
|
55 kumpf 1.13 class CIMServer;
|
56 kumpf 1.15 class CIMxmlIndicationHandler;
|
57 h.sterling 1.19 class SSLCertificateInfo;
|
58 david.dillard 1.26 class SSLCallback;
|
59 nag.boranna 1.31 class SSLContextManager;
|
60 dave.sudlik 1.36 class SSLCallbackInfoRep;
|
61 h.sterling 1.19
62 // Pegasus-defined SSL certificate verification callback
63 typedef Boolean (SSLCertificateVerifyFunction) (SSLCertificateInfo &certInfo);
64
|
65 kumpf 1.40 /** This class provides information that is used during the SSL verification
66 callback. We pass a pointer to this object to the SSL_set_ex_data
67 function. We can then use SSL_get_ex_data from within the callback and
68 cast the void* back to this object. In this case, we store a pointer to
69 the Pegasus-defined callback function set in the SSLContext. We also
70 store a pointer to a certificate object which we construct during the
71 callback. Some of the certificate information is inaccessible outside
72 the callback, so we need to retrieve the data within the function. Each
73 SSL connection object will have the same callback function, but each
74 connection will have its own certificate. Therefore, this class is
75 constructed on a per-connection basis in SSLSocket.
|
76 kumpf 1.38 */
|
77 h.sterling 1.19 class PEGASUS_COMMON_LINKAGE SSLCallbackInfo
78 {
79 public:
|
80 kumpf 1.38
|
81 h.sterling 1.32 // index to the application-specific data in the SSL connection object
|
82 h.sterling 1.23 static const int SSL_CALLBACK_INDEX;
83
|
84 kumpf 1.38 SSLCallbackInfo(SSLCertificateVerifyFunction* verifyCert);
|
85 dave.sudlik 1.36
|
86 kumpf 1.38 SSLCallbackInfo(
87 SSLCertificateVerifyFunction* verifyCert,
88 X509_STORE* crlStore);
|
89 h.sterling 1.19
|
90 kumpf 1.38 ~SSLCallbackInfo();
|
91 h.sterling 1.19
92 private:
93
|
94 sushma.fernandes 1.41 SSLCallbackInfo(
95 SSLCertificateVerifyFunction* verifyCert,
96 X509_STORE* crlStore,
97 String ipAddress);
98
|
99 dave.sudlik 1.36 SSLCallbackInfo();
|
100 sushma.fernandes 1.41
|
101 kumpf 1.37 SSLCallbackInfo(const SSLCallbackInfo& sslCallbackInfo);
102 SSLCallbackInfo& operator=(const SSLCallbackInfo& sslCallbackInfo);
|
103 h.sterling 1.19
|
104 dave.sudlik 1.36 SSLCallbackInfoRep* _rep;
|
105 h.sterling 1.28
|
106 h.sterling 1.19 friend class SSLSocket;
107
|
108 david.dillard 1.26 friend class SSLCallback;
|
109 h.sterling 1.19 };
|
110 kumpf 1.1
111
112 /** This class provides the interface that a client gets as argument
113 to certificate verification call back function.
114 */
|
115 kumpf 1.6 class PEGASUS_COMMON_LINKAGE SSLCertificateInfo
|
116 kumpf 1.1 {
117 public:
|
118 kumpf 1.13
119 //
120 // Certificate validation result codes.
121 //
|
122 kumpf 1.40 static const int V_OK;
|
123 kumpf 1.13
|
124 kumpf 1.40 static const int V_ERR_UNABLE_TO_GET_ISSUER_CERT;
125 static const int V_ERR_UNABLE_TO_GET_CRL;
126 static const int V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE;
127 static const int V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE;
128 static const int V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
129 static const int V_ERR_CERT_SIGNATURE_FAILURE;
130 static const int V_ERR_CRL_SIGNATURE_FAILURE;
131 static const int V_ERR_CERT_NOT_YET_VALID;
132 static const int V_ERR_CERT_HAS_EXPIRED;
133 static const int V_ERR_CRL_NOT_YET_VALID;
134 static const int V_ERR_CRL_HAS_EXPIRED;
135 static const int V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
136 static const int V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
137 static const int V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
138 static const int V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
139 static const int V_ERR_OUT_OF_MEM;
140 static const int V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
141 static const int V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
142 static const int V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
143 static const int V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
144 static const int V_ERR_CERT_CHAIN_TOO_LONG;
145 kumpf 1.40 static const int V_ERR_CERT_REVOKED;
146 static const int V_ERR_INVALID_CA;
147 static const int V_ERR_PATH_LENGTH_EXCEEDED;
148 static const int V_ERR_INVALID_PURPOSE;
149 static const int V_ERR_CERT_UNTRUSTED;
150 static const int V_ERR_CERT_REJECTED;
151 static const int V_ERR_SUBJECT_ISSUER_MISMATCH;
152 static const int V_ERR_AKID_SKID_MISMATCH;
153 static const int V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
154 static const int V_ERR_KEYUSAGE_NO_CERTSIGN;
|
155 kumpf 1.13
|
156 kumpf 1.40 static const int V_ERR_APPLICATION_VERIFICATION;
|
157 kumpf 1.13
158
|
159 kumpf 1.6 /** Constructor for a SSLCertificateInfo object.
|
160 kumpf 1.38 Note: Do not use this constructor, instead use the private constructor.
161 The constructor is not for client applications use, it is intended to be
162 used only by the CIMServer.
163 @param subjectName subject name of the certificate.
164 @param issuerName issuer name of the certificate.
165 @param errorDepth depth of the certificate chain.
166 @param errorCode error code from the default verification of the
167 certificate by the OpenSSL library.
168 @param respCode result code from the default verification of the
169 certificate by the OpenSSL library.
|
170 kumpf 1.1 */
|
171 kumpf 1.6 SSLCertificateInfo(
|
172 kumpf 1.1 const String subjectName,
173 const String issuerName,
174 const int errorDepth,
|
175 kumpf 1.12 const int errorCode,
176 const int respCode);
|
177 kumpf 1.1
|
178 kumpf 1.6 /** Copy constructor for a SSLCertificateInfo object.
|
179 kumpf 1.38 @param certificateInfo SSLCertificateInfo object to copy
|
180 kumpf 1.6 */
181 SSLCertificateInfo(const SSLCertificateInfo& certificateInfo);
182
183 ~SSLCertificateInfo();
|
184 kumpf 1.1
|
185 kumpf 1.13 /** Gets the subject name of the certificate.
|
186 kumpf 1.38 @return a string containing the subject name.
|
187 kumpf 1.1 */
188 String getSubjectName() const;
189
|
190 kumpf 1.13 /** Gets the issuer name of the certificate.
|
191 kumpf 1.38 @return a string containing the issuer name.
|
192 kumpf 1.1 */
193 String getIssuerName() const;
194
|
195 kumpf 1.38 /** Gets the notAfter date from the validity period of
196 the certificate.
197 @return a CIMDateTime containing the notAfter date.
|
198 kumpf 1.13 */
199 CIMDateTime getNotAfter() const;
200
|
201 kumpf 1.38 /** Gets the notBefore date from the validity period of
202 the certificate.
203 @return a CIMDateTime containing the notBefore date.
|
204 kumpf 1.13 */
205 CIMDateTime getNotBefore() const;
206
207 /** Gets the version (version number) from the certificate.
|
208 kumpf 1.38 @return a int containing the version.
|
209 kumpf 1.13 */
210 Uint32 getVersionNumber() const;
211
212 /** Gets the serialNumber value from the certificate.
|
213 kumpf 1.38 @return a long integer containing the serial number.
|
214 kumpf 1.13 */
215 long getSerialNumber() const;
216
217 /** Gets the depth of the certificate chain.
|
218 kumpf 1.38 @return an int containing the depth of the certificate chain
|
219 kumpf 1.1 */
|
220 kumpf 1.13 Uint32 getErrorDepth() const;
|
221 kumpf 1.1
|
222 kumpf 1.13 /** Gets the pre-verify error code.
|
223 kumpf 1.38 @return an int containing the pre-verify error code
|
224 kumpf 1.1 */
|
225 kumpf 1.13 Uint32 getErrorCode() const;
|
226 kumpf 1.1
|
227 kumpf 1.13 /** Sets the error code.
|
228 kumpf 1.38 @param errorCode error code to be set
|
229 kumpf 1.12 */
|
230 kumpf 1.13 void setErrorCode(const int errorCode);
|
231 kumpf 1.12
|
232 kumpf 1.13 /** Gets the pre-verify error string.
|
233 kumpf 1.38 @return a string containing the pre-verify error string
|
234 kumpf 1.13 */
235 String getErrorString() const;
236
237 /** Gets the pre-verify response code.
|
238 kumpf 1.38 @return an int containing the pre-verify response code
|
239 kumpf 1.13 */
240 Uint32 getResponseCode() const;
241
242 /** Sets the response code.
|
243 kumpf 1.38 Note: Do not use this function, the value set using this function
244 is ignored.
245 @param respCode response code to be set.
|
246 kumpf 1.1 */
247 void setResponseCode(const int respCode);
248
|
249 h.sterling 1.19 /** Returns a string representation of this object
|
250 kumpf 1.38 @return a string containing the certificate fields
|
251 h.sterling 1.19 */
252 String toString() const;
253
|
254 kumpf 1.1 private:
255
|
256 kumpf 1.13 /** Constructor for a SSLCertificateInfo object.
|
257 kumpf 1.38 @param subjectName subject name of the certificate.
258 @param issuerName issuer name of the certificate.
259 @param version version number value from the certificate.
260 @param serailNumber serial number value from the certificate.
|
261 kumpf 1.40 @param notAfter notAfter date from the validity period of the
262 certificate.
263 @param notBefore notBefore date from the validity period of the
264 certificate.
|
265 kumpf 1.38 @param depth depth of the certificate chain.
266 @param errorCode error code from the default verification of the
267 certificate by the OpenSSL library.
268 @param errorString error message from the default verification of the
269 certificate by the Open SSL library.
270 @param respCode result code from the default verification of the
271 certificate by the OpenSSL library.
|
272 kumpf 1.13 */
273 SSLCertificateInfo(
274 const String subjectName,
275 const String issuerName,
276 const Uint32 versionNumber,
277 const long serialNumber,
278 const CIMDateTime notBefore,
279 const CIMDateTime notAfter,
280 const Uint32 depth,
281 const Uint32 errorCode,
282 const String errorString,
283 const Uint32 respCode);
284
|
285 kumpf 1.7 SSLCertificateInfo();
|
286 kumpf 1.37 SSLCertificateInfo& operator=(const SSLCertificateInfo& sslCertificateInfo);
|
287 kumpf 1.7
|
288 kumpf 1.6 SSLCertificateInfoRep* _rep;
|
289 kumpf 1.13
|
290 h.sterling 1.18 // SSLSocket needs to use the private constructor to create
291 // a certificate object to pass to the AuthenticationInfo and
292 // OperationContext classes
293 friend class SSLSocket;
294
|
295 h.sterling 1.32 friend class SSLCallback;
|
296 kumpf 1.6 };
|
297 kumpf 1.1
|
298 kumpf 1.12 /** This class provides the interface that a client uses to create
|
299 kumpf 1.1 SSL context.
300
301 For the OSs that don't have /dev/random device file,
|
302 kumpf 1.9 must enable PEGASUS_SSL_RANDOMFILE flag and pass
303 random file name to constructor.
|
304 kumpf 1.1 */
|
305 kumpf 1.3 class PEGASUS_COMMON_LINKAGE SSLContext
|
306 kumpf 1.1 {
307 public:
308
309 /** Constructor for a SSLContext object.
|
310 kumpf 1.38 @param trustStore file path of the trust store
311 @param verifyCert function pointer to a certificate verification
312 call back function. A null pointer indicates that no callback is
313 requested for certificate verification.
314 @param randomFile file path of a random file that is used as a seed
315 for random number generation by OpenSSL.
|
316 kumpf 1.1
|
317 kumpf 1.38 @exception SSLException indicates failure to create an SSL context.
|
318 kumpf 1.1 */
319 SSLContext(
|
320 h.sterling 1.18 const String& trustStore,
|
321 kumpf 1.6 SSLCertificateVerifyFunction* verifyCert,
|
322 kumpf 1.9 const String& randomFile = String::EMPTY);
323
|
324 kumpf 1.6 SSLContext(const SSLContext& sslContext);
|
325 kumpf 1.1
326 ~SSLContext();
327
|
328 kumpf 1.40 /** Gets the truststore path of the SSLContext object. This may be a
329 CA file or a directory.
|
330 kumpf 1.38 @return a string containing the truststore path.
|
331 h.sterling 1.18 */
332 String getTrustStore() const;
|
333 kumpf 1.38
|
334 h.sterling 1.18 /** Gets the x509 certificate path of the SSLContext object.
|
335 kumpf 1.38 @return a string containing the certificate path.
|
336 h.sterling 1.18 */
337 String getCertPath() const;
338
339 /** Gets the private key path of the SSLContext object.
|
340 kumpf 1.38 @return a string containing the key path
|
341 h.sterling 1.18 */
342 String getKeyPath() const;
343
|
344 h.sterling 1.32 //PEP187
345 /** Gets the certificate revocation list path of the SSLContext object.
|
346 kumpf 1.38 @return a string containing the crl path
|
347 h.sterling 1.28 */
348 String getCRLPath() const;
349
|
350 h.sterling 1.32 //PEP187
351 /** Gets the certificate revocation store of the SSLContext object.
|
352 kumpf 1.38 @return a string containing the crl store
|
353 h.sterling 1.28 */
354 X509_STORE* getCRLStore() const;
355
|
356 h.sterling 1.18 /** Returns whether peer verification is ON of OFF
|
357 kumpf 1.38 Corresponds to what the SSL_CTX_set_verify is set to
358 @return true if verification is on; false otherwise
|
359 h.sterling 1.18 */
360 Boolean isPeerVerificationEnabled() const;
361
|
362 dave.sudlik 1.36 #ifdef PEGASUS_USE_DEPRECATED_INTERFACES
363 /** In OpenPegasus 2.4 this method returned the username associated
|
364 kumpf 1.38 with the truststore, if applicable. This method is currently deprecated
365 beginning in OpenPegasus 2.5, and will always return String::EMPTY.
366 @return String::EMPTY
367 */
368 String getTrustStoreUserName() const;
|
369 dave.sudlik 1.36 #endif
370
|
371 kumpf 1.40 /** Returns the verification callback associated with this context.
372 This may be NULL.
|
373 kumpf 1.38 @return the verification callback function
|
374 h.sterling 1.19 */
375 SSLCertificateVerifyFunction* getSSLCertificateVerifyFunction() const;
376
|
377 kumpf 1.12 /** Constructor for a SSLContext object. This constructor is intended
|
378 kumpf 1.38 to be used by the CIMServer or CIMClient.
379 @param trustStore file path of the trust store.
380 @param certPath file path of the server certificate.
381 @param KeyPath file path of the private key.
382 @param verifyCert function pointer to a certificate verification
383 call back function. A null pointer indicates that no callback is
384 requested for certificate verification.
385 @param randomFile file path of a random file that is used as a seed
386 for random number generation by OpenSSL.
|
387 kumpf 1.12
|
388 kumpf 1.38 @exception SSLException indicates failure to create an SSL context.
|
389 kumpf 1.12 */
390 SSLContext(
|
391 h.sterling 1.18 const String& trustStore,
|
392 kumpf 1.12 const String& certPath,
|
393 kumpf 1.13 const String& keyPath,
|
394 kumpf 1.12 SSLCertificateVerifyFunction* verifyCert,
395 const String& randomFile);
|
396 h.sterling 1.18
|
397 h.sterling 1.28
|
398 h.sterling 1.32 //PEP187
399 /** Constructor for a SSLContext object. This constructor is intended
|
400 kumpf 1.38 to be used by the CIMServer or CIMClient.
401 @param trustStore file path of the trust store.
402 @param certPath file path of the server certificate.
403 @param keyPath file path of the private key.
404 @param crlPath file path of the certificate revocation list.
405 @param verifyCert function pointer to a certificate verification
406 call back function. A null pointer indicates that no callback is
407 requested for certificate verification.
408 @param randomFile file path of a random file that is used as a seed
409 for random number generation by OpenSSL.
|
410 h.sterling 1.21
|
411 kumpf 1.38 @exception SSLException indicates failure to create an SSL context.
|
412 h.sterling 1.21 */
413 SSLContext(
414 const String& trustStore,
415 const String& certPath,
416 const String& keyPath,
|
417 h.sterling 1.32 const String& crlPath,
|
418 h.sterling 1.21 SSLCertificateVerifyFunction* verifyCert,
419 const String& randomFile);
420
|
421 dave.sudlik 1.36 #ifdef PEGASUS_USE_DEPRECATED_INTERFACES
|
422 kumpf 1.38 /** Constructor for a SSLContextRep object.
423 @param trustStore trust store file path
424 @param certPath server certificate file path
425 @param keyPath server key file path
426 @param verifyCert function pointer to a certificate verification
427 call back function.
|
428 kumpf 1.40 @param trustStoreUserName In OpenPegasus 2.5 this parameter
429 specified the user to associate the truststore with; this was
430 basically a workaround to providers that required a username. With
431 the support provided in PEP 187,
|
432 kumpf 1.38 this parameter is ignored beginning in release 2.5.
433 @param randomFile file path of a random file that is used as a seed
434 for random number generation by OpenSSL.
|
435 dave.sudlik 1.36
|
436 kumpf 1.40 @exception SSLException exception indicating failure to create a
437 context.
|
438 dave.sudlik 1.36 */
439 SSLContext(
440 const String& trustStore,
441 const String& certPath,
442 const String& keyPath,
443 SSLCertificateVerifyFunction* verifyCert,
|
444 kumpf 1.38 String trustStoreUserName,
|
445 dave.sudlik 1.36 const String& randomFile);
446 #endif
447
|
448 h.sterling 1.28 private:
|
449 kumpf 1.12
|
450 kumpf 1.7 SSLContext();
|
451 kumpf 1.37 SSLContext& operator=(const SSLContext& sslContext);
|
452 kumpf 1.1
453 SSLContextRep* _rep;
454
455 friend class SSLSocket;
|
456 kumpf 1.12
457 friend class CIMServer;
|
458 kumpf 1.15
459 friend class CIMxmlIndicationHandler;
|
460 nag.boranna 1.31
461 friend class SSLContextManager;
|
462 kumpf 1.1 };
463
464 PEGASUS_NAMESPACE_END
465
466 #endif /* Pegasus_SSLContext_h */
|