CernVM-FS  2.13.0
 All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Macros Pages
signature.h
Go to the documentation of this file.
1 
5 #ifndef CVMFS_CRYPTO_SIGNATURE_H_
6 #define CVMFS_CRYPTO_SIGNATURE_H_
7 
8 #include <pthread.h>
9 
10 #include <openssl/bio.h>
11 #include <openssl/err.h>
12 #include <openssl/evp.h>
13 #include <openssl/pem.h>
14 #include <openssl/rsa.h>
15 #include <openssl/x509.h>
16 
17 #include <cstdio>
18 #include <map>
19 #include <set>
20 #include <string>
21 #include <vector>
22 
23 #include "crypto/hash.h"
24 #include "util/export.h"
25 
26 namespace signature {
27 
28 class CVMFS_EXPORT SignatureManager {
29  public:
30  enum ESignMethod { kSignManifest, kSignWhitelist };
31 
32  SignatureManager();
33 
34  void Init();
35  void Fini();
36  std::string GetCryptoError();
37 
38  void UnloadPrivateKey();
39  void UnloadPublicRsaKeys();
40  void UnloadPrivateMasterKey();
41  void UnloadCertificate();
42 
43  bool LoadPrivateMasterKeyPath(const std::string &file_pem);
44  bool LoadPrivateKeyPath(const std::string &file_pem,
45  const std::string &password);
46  bool LoadPrivateMasterKeyMem(const std::string &key);
47  bool LoadPrivateKeyMem(const std::string &key);
48  bool LoadCertificatePath(const std::string &file_pem);
49  bool LoadCertificateMem(const unsigned char *buffer,
50  const unsigned buffer_size);
51  bool WriteCertificateMem(unsigned char **buffer, unsigned *buffer_size);
52  bool KeysMatch();
53  bool VerifyCaChain();
54  std::string Whois();
55  shash::Any HashCertificate(const shash::Algorithms hash_algorithm);
56  std::string FingerprintCertificate(const shash::Algorithms hash_algorithm);
57  static shash::Any MkFromFingerprint(const std::string &fingerprint);
58 
59  bool LoadPublicRsaKeys(const std::string &path_list);
60  bool LoadBlacklist(const std::string &path_blacklist, bool append);
61  std::vector<std::string> GetBlacklist();
62 
63  bool LoadTrustedCaCrl(const std::string &path_list);
64 
65  bool Sign(const unsigned char *buffer, const unsigned buffer_size,
66  unsigned char **signature, unsigned *signature_size);
67  bool SignRsa(const unsigned char *buffer, const unsigned buffer_size,
68  unsigned char **signature, unsigned *signature_size);
69  bool Verify(const unsigned char *buffer, const unsigned buffer_size,
70  const unsigned char *signature, unsigned signature_size);
71  bool VerifyRsa(const unsigned char *buffer, const unsigned buffer_size,
72  const unsigned char *signature, unsigned signature_size);
73  bool VerifyLetter(const unsigned char *buffer, const unsigned buffer_size,
74  const bool by_rsa);
75  bool VerifyPkcs7(const unsigned char *buffer, const unsigned buffer_size,
76  unsigned char **content, unsigned *content_size,
77  std::vector<std::string> *alt_uris);
78  static void CutLetter(const unsigned char *buffer,
79  const unsigned buffer_size,
80  const char separator,
81  unsigned *letter_length,
82  unsigned *pos_after_mark);
83 
84  // Returns the PEM-encoded text of all loaded RSA pubkeys
85  std::string GetActivePubkeys() const;
86  std::vector<std::string> GetActivePubkeysAsVector() const;
87  // The PEM-encoded private key matching the public master key
88  std::string GetPrivateMasterKey();
89  // The PEM-encoded certificate without private key
90  std::string GetCertificate() const;
91  // The PEM-encoded private key matching the certificate
92  std::string GetPrivateKey();
93 
94  void GenerateMasterKeyPair();
95  void GenerateCertificate(const std::string &cn);
96 
97  private:
98  RSA *GenerateRsaKeyPair();
99  std::string GenerateKeyText(RSA *pubkey) const;
100 
101  void InitX509Store();
102 
103  EVP_PKEY *private_key_;
104  RSA *private_master_key_;
105  X509 *certificate_;
106  std::vector<RSA *> public_keys_;
107  pthread_mutex_t lock_blacklist_;
108  std::vector<std::string> blacklist_;
109  X509_STORE *x509_store_;
110  X509_LOOKUP *x509_lookup_;
111 }; // class SignatureManager
112 
113 } // namespace signature
114 
115 #endif // CVMFS_CRYPTO_SIGNATURE_H_
manifest::Verify
Failures Verify(unsigned char *manifest_data, size_t manifest_size, const std::string &base_url, const std::string &repository_name, const uint64_t minimum_timestamp, const shash::Any *base_catalog, signature::SignatureManager *signature_manager, download::DownloadManager *download_manager, ManifestEnsemble *ensemble)
Definition: manifest_fetch.cc:223
signature::SignatureManager::blacklist_
std::vector< std::string > blacklist_
Definition: signature.h:108
signature::SignatureManager::lock_blacklist_
pthread_mutex_t lock_blacklist_
Definition: signature.h:107
CVMFS_EXPORT
#define CVMFS_EXPORT
Definition: export.h:11
signature::SignatureManager::public_keys_
std::vector< RSA * > public_keys_
Definition: signature.h:106
shash::Algorithms
Algorithms
Definition: hash.h:41
Init
static int Init(const loader::LoaderExports *loader_exports)
Definition: cvmfs.cc:2311
signature::SignatureManager::x509_lookup_
X509_LOOKUP * x509_lookup_
Definition: signature.h:110
Fini
static void Fini()
Definition: cvmfs.cc:2534