00001 // $Id: XrdCryptoX509Chain.hh 24468 2008-06-22 16:47:03Z ganis $
00002 #ifndef __CRYPTO_X509CHAIN_H__
00003 #define __CRYPTO_X509CHAIN_H__
00004 /******************************************************************************/
00005 /*                                                                            */
00006 /*                   X r d C r y p t o X 5 0 9 C h a i n . h h                */
00007 /*                                                                            */
00008 /* (c) 2005 G. Ganis , CERN                                                   */
00009 /*                                                                            */
00010 /******************************************************************************/
00011 
00012 /* ************************************************************************** */
00013 /*                                                                            */
00014 /* Chain of X509 certificates.                                                */
00015 /*                                                                            */
00016 /* ************************************************************************** */
00017 
00018 #include <XrdSut/XrdSutBucket.hh>
00019 #include <XrdCrypto/XrdCryptoX509.hh>
00020 #include <XrdCrypto/XrdCryptoX509Crl.hh>
00021 
00022 // ---------------------------------------------------------------------------//
00023 //                                                                            //
00024 // XrdCryptoX509Chain                                                         //
00025 //                                                                            //
00026 // Light singly-linked list for managing stacks of XrdCryptoX509* objects     //
00027 //                                                                            //
00028 // ---------------------------------------------------------------------------//
00029 
00030 //
00031 // Description of options for verify
// Options passed by pointer to XrdCryptoX509Chain::Verify(); that
// parameter defaults to 0, so a caller has to build one of these
// explicitly to steer the verification.
typedef struct {
   int  opt;            // option container (presumably a bit mask; kOptsCheckSelfSigned below is 0x2 — confirm in the implementation)
   int  when;           // time of verification (UTC)
   int  pathlen;        // max allowed path length of chain
   XrdCryptoX509Crl *crl; // CRL used during verification, 0 if none (the per-certificate Verify step defaults crl to 0)
} x509ChainVerifyOpt_t;
00038 
const int kOptsCheckSelfSigned = 0x2;    // CA checking option (flag bit, presumably OR-ed into x509ChainVerifyOpt_t::opt — confirm)
00040 
00041 //
00042 // Node definition
00043 //
// One link of the chain: a certificate pointer plus the link to the
// following node. The node does not delete the certificate (the
// destructor is empty); lifetime of the XrdCryptoX509 is managed elsewhere.
class XrdCryptoX509ChainNode {

private:
   XrdCryptoX509          *cert;   // certificate held by this node
   XrdCryptoX509ChainNode *next;   // following node, 0 at the tail
public:
   // Build a node holding 'c' that points to 'n'; both default to 0.
   XrdCryptoX509ChainNode(XrdCryptoX509 *c = 0, XrdCryptoX509ChainNode *n = 0)
        : cert(c), next(n) { }
   virtual ~XrdCryptoX509ChainNode() { }

   // Read accessors
   XrdCryptoX509          *Cert() const
        { return cert; }
   XrdCryptoX509ChainNode *Next() const
        { return next; }

   // Relink this node so that 'n' follows it
   void SetNext(XrdCryptoX509ChainNode *n)
        { next = n; }
};
00059 
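class XrdCryptoX509Chain {

   // The GSI flavour of the chain needs direct access to the node list and
   // to the private helpers declared at the bottom.
   friend class XrdCryptosslgsiX509Chain;

   // Matching mode for the Search*/Find* functions: exact string match or
   // match at the beginning / end of the name (presumably prefix / suffix —
   // confirm in the implementation).
   enum ESearchMode { kExact = 0, kBegin = 1, kEnd = 2 };

public:
   // Create a chain, optionally seeded with certificate 'c'.
   XrdCryptoX509Chain(XrdCryptoX509 *c = 0);
   // Create a chain from an existing one; whether nodes are copied or taken
   // over is decided by the implementation, not visible here.
   XrdCryptoX509Chain(XrdCryptoX509Chain *ch);
   virtual ~XrdCryptoX509Chain();

   // CA status, readable through StatusCA() and settable with SetStatusCA()
   enum ECAStatus { kUnknown = 0, kAbsent, kInvalid, kValid};

   // Error codes: reported by Verify() through its EX509ChainErr& argument
   // and rendered as text by X509ChainError()
   enum EX509ChainErr { kNone = 0, kInconsistent, kTooMany, kNoCA,
                        kNoCertificate, kInvalidType, kInvalidNames,
                        kRevoked, kExpired, kMissingExtension,
                        kVerifyFail, kInvalidSign, kCANotAutoSigned };

   // In case of error
   // Text describing error code 'e'.
   const char         *X509ChainError(EX509ChainErr e);
   // Last error message recorded in 'lastError'. The pointer presumably
   // refers to the string's internal buffer: copy it if it must survive
   // the next operation on the chain.
   const char         *LastError() const { return lastError.c_str(); }

   // Dump content
   void Dump();

   // Access information
   int                 Size() const { return size; }
   // Last certificate of the chain, or 0 when there is no end node
   // (e.g. an empty chain): guard against dereferencing a null 'end'.
   XrdCryptoX509      *End() const { return end ? end->Cert() : 0; }
   ECAStatus           StatusCA() const { return statusCA; }
   // Names and hashes of the CA and of the end-entity certificate (EEC);
   // presumably served from the cached 'caname', 'eecname', 'cahash' and
   // 'eechash' members below — confirm in the implementation.
   const char         *CAname();
   const char         *EECname();
   const char         *CAhash();
   const char         *EEChash();

   // Modifiers. The chain stores the pointers it is given; who owns the
   // certificates is decided by the implementation (see Cleanup()).
   void                InsertAfter(XrdCryptoX509 *c, XrdCryptoX509 *cp);  // insert c after cp
   void                PutInFront(XrdCryptoX509 *c);
   void                PushBack(XrdCryptoX509 *c);
   void                Remove(XrdCryptoX509 *c);
   // Check the CA certificate of the chain; with 'checkselfsigned' the CA
   // is presumably required to be self-signed (cf. kCANotAutoSigned).
   // Returns true on success.
   bool                CheckCA(bool checkselfsigned = 1);
   // Empty the chain; with 'keepCA' the CA certificate is retained.
   void                Cleanup(bool keepCA = 0);
   void                SetStatusCA(ECAStatus st) { statusCA = st; }

   // Search: first certificate whose issuer / subject matches according to
   // 'mode'; 0 expected when nothing matches.
   XrdCryptoX509      *SearchByIssuer(const char *issuer,
                                      ESearchMode mode = kExact);
   XrdCryptoX509      *SearchBySubject(const char *subject,
                                       ESearchMode mode = kExact);

   // Check validity in time. The meaning of 'outatfirst' and of 'when' = 0
   // is not visible here (presumably: stop at the first invalid certificate,
   // and check against the current time) — confirm in the implementation.
   virtual int         CheckValidity(bool outatfirst = 1, int when = 0);

   // Reorder (C(n) issuer of C(n+1)) 
   virtual int         Reorder();

   // Verify chain. Returns true on success; otherwise 'e' carries the
   // error code. With 'vopt' = 0 no CRL reaches the per-certificate step
   // below (its crl parameter defaults to 0), so callers that need
   // revocation checking must pass a x509ChainVerifyOpt_t with crl set —
   // confirm against the implementation.
   virtual bool        Verify(EX509ChainErr &e, x509ChainVerifyOpt_t *vopt = 0);

   // Pseudo - iterator functionality: Begin() restarts the walk, Next()
   // advances it (presumably tracked by 'current' / 'previous' below).
   XrdCryptoX509       *Begin();
   XrdCryptoX509       *Next();

private:


   XrdCryptoX509ChainNode *begin;     // first node
   XrdCryptoX509ChainNode *current;   // iteration cursor
   XrdCryptoX509ChainNode *end;       // last node (0 when there is none)
   XrdCryptoX509ChainNode *previous;  // node before 'current'
   int                     size;      // number of nodes
   XrdOucString            lastError; // message returned by LastError()
   XrdOucString            caname;    // cached names / hashes (see accessors)
   XrdOucString            eecname;
   XrdOucString            cahash;
   XrdOucString            eechash;
   ECAStatus               statusCA;  // result exposed by StatusCA()

   // Node holding certificate 'c'.
   XrdCryptoX509ChainNode *Find(XrdCryptoX509 *c);
   // Node whose certificate's issuer / subject matches; 'p', when given,
   // presumably receives the preceding node (needed to relink the list).
   XrdCryptoX509ChainNode *FindIssuer(const char *issuer,
                                      ESearchMode mode = kExact,
                                      XrdCryptoX509ChainNode **p = 0);
   XrdCryptoX509ChainNode *FindSubject(const char *subject,
                                       ESearchMode mode = kExact,
                                       XrdCryptoX509ChainNode **p = 0);
   // Single verification step: certificate 'xcer', expected to be of
   // 'type', checked at time 'when' against signer 'xsig' and, if given,
   // the CRL 'crl'; 'msg' presumably prefixes the recorded error text.
   bool Verify(EX509ChainErr &e, const char *msg,
               XrdCryptoX509::EX509Type type, int when,
               XrdCryptoX509 *xcer, XrdCryptoX509 *xsig,
               XrdCryptoX509Crl *crl = 0);

};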
00152 
00153 #endif
