1 |
|
|
/** |
2 |
|
|
* This file is part of the CernVM File System. |
3 |
|
|
*/ |
4 |
|
|
|
5 |
|
|
#ifndef CVMFS_WHITELIST_H_ |
6 |
|
|
#define CVMFS_WHITELIST_H_ |
7 |
|
|
|
8 |
|
|
#include <gtest/gtest_prod.h> |
9 |
|
|
#include <inttypes.h> |
10 |
|
|
|
11 |
|
|
#include <ctime> |
12 |
|
|
#include <string> |
13 |
|
|
#include <vector> |
14 |
|
|
|
15 |
|
|
#include "hash.h" |
16 |
|
|
|
17 |
|
|
namespace download { |
18 |
|
|
class DownloadManager; |
19 |
|
|
} |
20 |
|
|
|
21 |
|
|
namespace signature { |
22 |
|
|
class SignatureManager; |
23 |
|
|
} |
24 |
|
|
|
25 |
|
|
|
26 |
|
|
namespace whitelist { |
27 |
|
|
|
28 |
|
|
enum Failures { |
29 |
|
|
kFailOk = 0, |
30 |
|
|
kFailLoad, |
31 |
|
|
kFailEmpty, |
32 |
|
|
kFailMalformed, |
33 |
|
|
kFailNameMismatch, |
34 |
|
|
kFailExpired, |
35 |
|
|
kFailBadSignature, |
36 |
|
|
kFailLoadPkcs7, |
37 |
|
|
kFailEmptyPkcs7, |
38 |
|
|
kFailMalformedPkcs7, |
39 |
|
|
kFailBadSignaturePkcs7, |
40 |
|
|
kFailBadPkcs7, |
41 |
|
|
kFailBadCaChain, |
42 |
|
|
kFailNotListed, |
43 |
|
|
kFailBlacklisted, |
44 |
|
|
|
45 |
|
|
kFailNumEntries |
46 |
|
|
}; |
47 |
|
|
|
48 |
|
|
|
49 |
|
6 |
inline const char *Code2Ascii(const Failures error) { |
50 |
|
|
const char *texts[kFailNumEntries + 1]; |
51 |
|
6 |
texts[0] = "OK"; |
52 |
|
6 |
texts[1] = "failed to download whitelist"; |
53 |
|
6 |
texts[2] = "empty whitelist"; |
54 |
|
6 |
texts[3] = "malformed whitelist"; |
55 |
|
6 |
texts[4] = "repository name mismatch on whitelist"; |
56 |
|
6 |
texts[5] = "expired whitelist"; |
57 |
|
6 |
texts[6] = "invalid whitelist signature"; |
58 |
|
6 |
texts[7] = "failed to download whitelist (pkcs7)"; |
59 |
|
6 |
texts[8] = "empty whitelist (pkcs7)"; |
60 |
|
6 |
texts[9] = "malformed whitelist (pkcs7)"; |
61 |
|
6 |
texts[10] = "invalid whitelist signer (pkcs7)"; |
62 |
|
6 |
texts[11] = "invalid whitelist (pkcs7)"; |
63 |
|
6 |
texts[12] = "failed to verify CA chain"; |
64 |
|
6 |
texts[13] = "certificate not on whitelist"; |
65 |
|
6 |
texts[14] = "certificate blacklisted"; |
66 |
|
6 |
texts[15] = "no text"; |
67 |
|
6 |
return texts[error]; |
68 |
|
|
} |
69 |
|
|
|
70 |
|
|
|
71 |
|
|
class Whitelist { |
72 |
|
|
FRIEND_TEST(T_Whitelist, ParseWhitelist); |
73 |
|
|
|
74 |
|
|
public: |
75 |
|
|
enum Status { |
76 |
|
|
kStNone, |
77 |
|
|
kStAvailable, |
78 |
|
|
}; |
79 |
|
|
|
80 |
|
|
Whitelist(const std::string &fqrn, |
81 |
|
|
download::DownloadManager *download_manager, |
82 |
|
|
signature::SignatureManager *signature_manager); |
83 |
|
|
~Whitelist(); |
84 |
|
|
explicit Whitelist(const Whitelist &other); |
85 |
|
|
Whitelist &operator= (const Whitelist &other); |
86 |
|
|
Failures Load(const std::string &base_url); |
87 |
|
|
|
88 |
|
|
void CopyBuffers(unsigned *plain_size, unsigned char **plain_buf, |
89 |
|
|
unsigned *pkcs7_size, unsigned char **pkcs7_buf) const; |
90 |
|
|
time_t expires(); |
91 |
|
|
bool IsExpired() const; |
92 |
|
|
Failures VerifyLoadedCertificate() const; |
93 |
|
|
|
94 |
|
|
private: |
95 |
|
|
Whitelist(); |
96 |
|
|
|
97 |
|
|
static const int kFlagVerifyRsa; |
98 |
|
|
static const int kFlagVerifyPkcs7; |
99 |
|
|
static const int kFlagVerifyCaChain; |
100 |
|
|
|
101 |
|
|
bool IsBefore(time_t now, const struct tm &t_whitelist); |
102 |
|
|
Failures ParseWhitelist(const unsigned char *whitelist, |
103 |
|
|
const unsigned whitelist_size); |
104 |
|
|
void Reset(); |
105 |
|
|
|
106 |
|
|
std::string fqrn_; |
107 |
|
|
download::DownloadManager *download_manager_; |
108 |
|
|
signature::SignatureManager *signature_manager_; |
109 |
|
|
|
110 |
|
|
Status status_; |
111 |
|
|
std::vector<shash::Any> fingerprints_; |
112 |
|
|
time_t expires_; |
113 |
|
|
int verification_flags_; |
114 |
|
|
unsigned char *plain_buf_; |
115 |
|
|
unsigned plain_size_; |
116 |
|
|
unsigned char *pkcs7_buf_; |
117 |
|
|
unsigned pkcs7_size_; |
118 |
|
|
}; |
119 |
|
|
|
120 |
|
|
} // namespace whitelist |
121 |
|
|
|
122 |
|
|
#endif // CVMFS_WHITELIST_H_ |