1#ifndef __CRYPTO_X509CHAIN_H__
2#define __CRYPTO_X509CHAIN_H__
3/******************************************************************************/
4/* */
5/* X r d C r y p t o X 5 0 9 C h a i n . h h */
6/* */
7/* (c) 2005 G. Ganis , CERN */
8/* */
9/* This file is part of the XRootD software suite. */
10/* */
11/* XRootD is free software: you can redistribute it and/or modify it under */
12/* the terms of the GNU Lesser General Public License as published by the */
13/* Free Software Foundation, either version 3 of the License, or (at your */
14/* option) any later version. */
15/* */
16/* XRootD is distributed in the hope that it will be useful, but WITHOUT */
17/* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or */
18/* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public */
19/* License for more details. */
20/* */
21/* You should have received a copy of the GNU Lesser General Public License */
22/* along with XRootD in a file called COPYING.LESSER (LGPL license) and file */
23/* COPYING (GPL license). If not, see <http://www.gnu.org/licenses/>. */
24/* */
25/* The copyright holder's institutional names and contributor's names may not */
26/* be used to endorse or promote products derived from this software without */
27/* specific prior written permission of the institution or contributor. */
28/* */
29/******************************************************************************/
31/* ************************************************************************** */
32/* */
33/* Chain of X509 certificates. */
34/* */
35/* ************************************************************************** */
41// ---------------------------------------------------------------------------//
42// //
43// XrdCryptoX509Chain //
44// //
// Lightweight singly-linked list for managing stacks of XrdCryptoX509* objects //
46// //
47// ---------------------------------------------------------------------------//
49//
50// Description of options for verify
51typedef struct {
52 int opt; // option container
53 int when; // time of verification (UTC)
54 int pathlen; // max allowed path length of chain
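// Bit flags for the verification options; presumably OR-ed into the 'opt'
// field of x509ChainVerifyOpt_t by the caller of Verify() — confirm against
// the implementation. Other bits may be defined elsewhere in this file.
const int kOptsCheckSelfSigned = 0x2; // CA checking option (self-signed CA handling)
const int kOptsCheckSubCA = 0x4; // CA-SubCA case (no EEC in the chain)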
61//
62// Node definition
63//
66private:
67 XrdCryptoX509 *cert;
69public:
71 { cert = c; next = n;}
// Certificate stored in this node; may be null, since the constructor defaults 'c' to 0.
XrdCryptoX509 *Cert() const { return this->cert; }
// Successor node in the list; null when this node has no successor.
XrdCryptoX509ChainNode *Next() const { return this->next; }
76
// Relink this node so that 'n' becomes its successor. Only the link is
// changed: the owning chain's size counter is not touched here.
void SetNext(XrdCryptoX509ChainNode *n) { this->next = n; }
78};
82 enum ESearchMode { kExact = 0, kBegin = 1, kEnd = 2 };
84public:
87 virtual ~XrdCryptoX509Chain();
89 // CA status
92 // Error codes
// In case of error
100 const char *X509ChainError(EX509ChainErr e);
// Text of the most recent error. The returned pointer refers to internal
// storage of 'lastError' and is only valid until that member is modified
// again, so copy it if it must outlive the next call on this chain.
const char *LastError() const { return this->lastError.c_str(); }
103 // Dump content
104 void Dump();
106 // Access information
// Number of certificates currently in the chain (the cached 'size' counter).
int Size() const { return this->size; }
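// Certificate of the last node, or a null pointer when there is no last
// node ('end' unset, e.g. an empty chain). The unguarded 'end->Cert()'
// would dereference a null pointer in that case; guard it the same way
// EffCA() guards 'effca'. Callers must therefore check the result for null.
XrdCryptoX509 *End() const { return end ? end->Cert() : (XrdCryptoX509 *)0; }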
// Current CA status of the chain as recorded by SetStatusCA() / CheckCA().
ECAStatus StatusCA() const { return this->statusCA; }
110 const char *CAname();
111 const char *EECname();
112 const char *CAhash();
113 const char *EEChash();
// Certificate of the effective CA node, or a null pointer when no
// effective CA has been set (see SetEffectiveCA()).
XrdCryptoX509 *EffCA() const
{
   if (!effca)
      return (XrdCryptoX509 *)0;
   return effca->Cert();
}
116 // Modifiers
118 void PutInFront(XrdCryptoX509 *c);
119 void PushBack(XrdCryptoX509 *c);
120 void Remove(XrdCryptoX509 *c);
121 bool CheckCA(bool checkselfsigned = 1);
122 void Cleanup(bool keepCA = 0);
// Record the CA status for this chain; no validation is performed here.
void SetStatusCA(ECAStatus st) { this->statusCA = st; }
125 // Search
126 XrdCryptoX509 *SearchByIssuer(const char *issuer,
127 ESearchMode mode = kExact);
128 XrdCryptoX509 *SearchBySubject(const char *subject,
129 ESearchMode mode = kExact);
131 // Check validity in time
132 virtual int CheckValidity(bool outatfirst = 1, int when = 0);
// Reorder so that C(n) is the issuer of C(n+1)
135 virtual int Reorder();
137 // Verify chain
138 virtual bool Verify(EX509ChainErr &e, x509ChainVerifyOpt_t *vopt = 0);
// Pseudo-iterator functionality
144protected:
152 int size;
161 XrdCryptoX509ChainNode *FindIssuer(const char *issuer,
162 ESearchMode mode = kExact,
163 XrdCryptoX509ChainNode **p = 0);
164 XrdCryptoX509ChainNode *FindSubject(const char *subject,
165 ESearchMode mode = kExact,
166 XrdCryptoX509ChainNode **p = 0);
167 void SetEffectiveCA();
168 bool Verify(EX509ChainErr &e, const char *msg,
169 XrdCryptoX509::EX509Type type, int when,
170 XrdCryptoX509 *xcer, XrdCryptoX509 *xsig,
171 XrdCryptoX509Crl *crl = 0);
173};
175#endif