/** |
* This file is part of the CernVM File System. |
*/ |
#ifndef CVMFS_SIGNATURE_H_ |
#define CVMFS_SIGNATURE_H_ |
#include <pthread.h> |
#include <openssl/bio.h> |
#include <openssl/engine.h> |
#include <openssl/err.h> |
#include <openssl/evp.h> |
#include <openssl/pem.h> |
#include <openssl/rsa.h> |
#include <openssl/x509.h> |
#include <cstdio> |
#include <string> |
#include <vector> |
#include "hash.h" |
namespace signature { |
/**
 * Holds the cryptographic material used to sign and verify cvmfs data:
 * an optional private key and certificate (signing side), a set of public
 * RSA master keys, a certificate blacklist, and an X.509 store for CA/CRL
 * validation. Only declarations live here; the behavior of each method is
 * defined in the corresponding .cc file and is not visible from this header.
 *
 * NOTE(review): the class owns raw OpenSSL handles (EVP_PKEY, X509, RSA,
 * X509_STORE, X509_LOOKUP). Presumably Init()/Fini() and UnloadPrivateKey()
 * manage their lifetime — confirm against the implementation; the class
 * declares no destructor or copy control, so copying an instance would
 * duplicate the raw pointers.
 */
class SignatureManager {
 public:
  SignatureManager();

  // Setup / teardown pair. Presumably Init() creates the OpenSSL state
  // (e.g. the X.509 store via InitX509Store()) and Fini() releases it — TODO
  // confirm in the implementation.
  void Init();
  void Fini();
  // Returns a human-readable description of the last crypto (OpenSSL) error.
  std::string GetCryptoError();

  /**
   * Loads the signing key from a PEM file.
   * @param file_pem  path to the PEM-encoded private key
   * @param password  passphrase used to decrypt the key; presumably may be
   *                  empty for an unencrypted key — verify against caller
   * @return true on success
   */
  bool LoadPrivateKeyPath(const std::string &file_pem,
                          const std::string &password);
  // Drops the currently loaded private key (if any).
  void UnloadPrivateKey();

  // Loads the signing certificate either from a PEM file or from an
  // in-memory buffer of buffer_size bytes.
  bool LoadCertificatePath(const std::string &file_pem);
  bool LoadCertificateMem(const unsigned char *buffer,
                          const unsigned buffer_size);
  /**
   * Serializes the loaded certificate into a newly allocated buffer.
   * @param buffer       out: receives the pointer to the serialized data;
   *                     ownership presumably passes to the caller — confirm
   *                     which deallocator (free vs. delete[]) is expected
   * @param buffer_size  out: length of *buffer in bytes
   * @return true on success
   */
  bool WriteCertificateMem(unsigned char **buffer, unsigned *buffer_size);
  // Checks that the loaded private key and certificate belong together.
  bool KeysMatch();
  // Validates the loaded certificate against the trusted CA chain / CRLs
  // held in x509_store_ (see LoadTrustedCaCrl()).
  bool VerifyCaChain();
  // Returns the subject/issuer description of the loaded certificate
  // (exact format is defined in the implementation).
  std::string Whois();
  // Hash and fingerprint of the loaded certificate computed with the given
  // algorithm; MkFromFingerprint() parses a fingerprint string back into a hash.
  shash::Any HashCertificate(const shash::Algorithms hash_algorithm);
  std::string FingerprintCertificate(const shash::Algorithms hash_algorithm);
  static shash::Any MkFromFingerprint(const std::string &fingerprint);

  /**
   * Loads the cvmfs public master keys that Verify*() trusts.
   * @param path_list  list of key file paths; the separator is defined by the
   *                   implementation (not visible here)
   * @return true on success
   */
  bool LoadPublicRsaKeys(const std::string &path_list);
  /**
   * Loads the certificate blacklist.
   * @param path_blacklist  path to the blacklist file
   * @param append          if true, presumably extends the current blacklist
   *                        instead of replacing it — confirm in implementation
   * @return true on success
   */
  bool LoadBlacklist(const std::string &path_blacklist, bool append);
  // Returns a copy of the current blacklist entries.
  std::vector<std::string> GetBlacklist();

  // Loads trusted CA certificates and CRLs into the X.509 store used by
  // VerifyCaChain() and VerifyPkcs7().
  bool LoadTrustedCaCrl(const std::string &path_list);

  /**
   * Signs buffer_size bytes of buffer with the loaded private key.
   * @param signature       out: newly allocated signature bytes; presumably
   *                        freed by the caller — confirm deallocator
   * @param signature_size  out: length of *signature in bytes
   * @return true on success
   */
  bool Sign(const unsigned char *buffer, const unsigned buffer_size,
            unsigned char **signature, unsigned *signature_size);
  /**
   * Verification entry points. buffer/signature are typically received from
   * outside the trust boundary; buffer_size and signature_size must describe
   * the real extent of the memory passed in, since nothing in this header
   * bounds the reads.
   *  - Verify():     signature checked against the loaded certificate
   *                  (presumably; not visible in this header)
   *  - VerifyRsa():  signature checked against the public master keys
   *  - VerifyLetter(): buffer carries its own embedded signature; by_rsa
   *                  selects master keys (true) or certificate (false)
   *  - VerifyPkcs7(): PKCS#7 envelope; on success *content/*content_size
   *                  receive the payload and alt_uris the alternative URIs
   *                  found in the signer certificate — confirm in .cc
   * @return true only if the signature verifies
   */
  bool Verify(const unsigned char *buffer, const unsigned buffer_size,
              const unsigned char *signature, unsigned signature_size);
  bool VerifyRsa(const unsigned char *buffer, const unsigned buffer_size,
                 const unsigned char *signature, unsigned signature_size);
  bool VerifyLetter(const unsigned char *buffer, const unsigned buffer_size,
                    const bool by_rsa);
  bool VerifyPkcs7(const unsigned char *buffer, const unsigned buffer_size,
                   unsigned char **content, unsigned *content_size,
                   std::vector<std::string> *alt_uris);
  /**
   * Splits a "letter" (text followed by a separator mark and a signature).
   * @param separator       character that marks the end of the letter text
   * @param letter_length   out: number of bytes belonging to the letter text
   * @param pos_after_mark  out: offset of the first byte after the separator
   *                        mark, i.e. where the signature presumably starts
   */
  static void CutLetter(const unsigned char *buffer,
                        const unsigned buffer_size,
                        const char separator,
                        unsigned *letter_length,
                        unsigned *pos_after_mark);

  // Returns the PEM-encoded text of all loaded pubkeys (both raw RSA keys
  // and that from the current certificate).
  std::string GetActivePubkeys();

 private:
  // PEM text for a single RSA public key; helper for GetActivePubkeys().
  std::string GenerateKeyText(RSA *pubkey);

  // Creates x509_store_ / x509_lookup_ (called from Init(), presumably).
  void InitX509Store();

  EVP_PKEY *private_key_;  // signing key, NULL when none is loaded (assumed)
  X509 *certificate_;      // signing certificate, NULL when none loaded (assumed)
  std::vector<RSA *> public_keys_;  /**< Contains cvmfs public master keys */
  pthread_mutex_t lock_blacklist_;  // presumably guards blacklist_ — confirm
  std::vector<std::string> blacklist_;
  X509_STORE *x509_store_;    // trusted CA certificates and CRLs
  X509_LOOKUP *x509_lookup_;  // lookup method attached to x509_store_
};  // class SignatureManager
} // namespace signature |
#endif // CVMFS_SIGNATURE_H_ |