CernVM-FS
2.12.0
|
#include <signature.h>
Public Types | |
enum | ESignMethod { kSignManifest, kSignWhitelist } |
Public Member Functions | |
SignatureManager () | |
void | Init () |
void | Fini () |
std::string | GetCryptoError () |
void | UnloadPrivateKey () |
void | UnloadPublicRsaKeys () |
void | UnloadPrivateMasterKey () |
void | UnloadCertificate () |
bool | LoadPrivateMasterKeyPath (const std::string &file_pem) |
bool | LoadPrivateKeyPath (const std::string &file_pem, const std::string &password) |
bool | LoadPrivateMasterKeyMem (const std::string &key) |
bool | LoadPrivateKeyMem (const std::string &key) |
bool | LoadCertificatePath (const std::string &file_pem) |
bool | LoadCertificateMem (const unsigned char *buffer, const unsigned buffer_size) |
bool | WriteCertificateMem (unsigned char **buffer, unsigned *buffer_size) |
bool | KeysMatch () |
bool | VerifyCaChain () |
std::string | Whois () |
shash::Any | HashCertificate (const shash::Algorithms hash_algorithm) |
std::string | FingerprintCertificate (const shash::Algorithms hash_algorithm) |
bool | LoadPublicRsaKeys (const std::string &path_list) |
bool | LoadBlacklist (const std::string &path_blacklist, bool append) |
std::vector< std::string > | GetBlacklist () |
bool | LoadTrustedCaCrl (const std::string &path_list) |
bool | Sign (const unsigned char *buffer, const unsigned buffer_size, unsigned char **signature, unsigned *signature_size) |
bool | SignRsa (const unsigned char *buffer, const unsigned buffer_size, unsigned char **signature, unsigned *signature_size) |
bool | Verify (const unsigned char *buffer, const unsigned buffer_size, const unsigned char *signature, unsigned signature_size) |
bool | VerifyRsa (const unsigned char *buffer, const unsigned buffer_size, const unsigned char *signature, unsigned signature_size) |
bool | VerifyLetter (const unsigned char *buffer, const unsigned buffer_size, const bool by_rsa) |
bool | VerifyPkcs7 (const unsigned char *buffer, const unsigned buffer_size, unsigned char **content, unsigned *content_size, std::vector< std::string > *alt_uris) |
std::string | GetActivePubkeys () const |
std::vector< std::string > | GetActivePubkeysAsVector () const |
std::string | GetPrivateMasterKey () |
std::string | GetCertificate () const |
std::string | GetPrivateKey () |
void | GenerateMasterKeyPair () |
void | GenerateCertificate (const std::string &cn) |
Static Public Member Functions | |
static shash::Any | MkFromFingerprint (const std::string &fingerprint) |
static void | CutLetter (const unsigned char *buffer, const unsigned buffer_size, const char separator, unsigned *letter_length, unsigned *pos_after_mark) |
Private Member Functions | |
RSA * | GenerateRsaKeyPair () |
std::string | GenerateKeyText (RSA *pubkey) const |
void | InitX509Store () |
Private Attributes | |
EVP_PKEY * | private_key_ |
RSA * | private_master_key_ |
X509 * | certificate_ |
std::vector< RSA * > | public_keys_ |
pthread_mutex_t | lock_blacklist_ |
std::vector< std::string > | blacklist_ |
X509_STORE * | x509_store_ |
X509_LOOKUP * | x509_lookup_ |
Definition at line 29 of file signature.h.
Enumerator | |
---|---|
kSignManifest | |
kSignWhitelist |
Definition at line 31 of file signature.h.
signature::SignatureManager::SignatureManager | ( | ) |
|
static |
Strips the signature from the letter, if one is present.
Definition at line 932 of file signature.cc.
Referenced by letter::Letter::Verify().
string signature::SignatureManager::FingerprintCertificate | ( | const shash::Algorithms | hash_algorithm | ) |
Returns the cryptographic hash of the DER-encoded certificate, formatted the way OpenSSL prints fingerprints (01:AB:...). Returns an empty string on failure.
Definition at line 640 of file signature.cc.
Referenced by whitelist::Whitelist::CreateString().
void signature::SignatureManager::Fini | ( | ) |
Definition at line 115 of file signature.cc.
Referenced by publish::Repository(), MountPoint::~MountPoint(), and publish::~Repository().
void signature::SignatureManager::GenerateCertificate | ( | const std::string & | cn | ) |
Creates a new RSA key pair (the private key) and a self-signed certificate.
Definition at line 491 of file signature.cc.
Referenced by publish::CreateKeychain().
|
private |
void signature::SignatureManager::GenerateMasterKeyPair | ( | ) |
Creates the RSA master key pair used for whitelist signing.
Definition at line 478 of file signature.cc.
Referenced by publish::CreateKeychain().
|
private |
std::string signature::SignatureManager::GetActivePubkeys | ( | ) | const |
Definition at line 385 of file signature.cc.
Referenced by publish::ExportKeychain().
std::vector< std::string > signature::SignatureManager::GetActivePubkeysAsVector | ( | ) | const |
Definition at line 397 of file signature.cc.
Referenced by PubkeysMagicXattr::PrepareValueFenced().
vector< string > signature::SignatureManager::GetBlacklist | ( | ) |
Definition at line 578 of file signature.cc.
Referenced by catalog::ClientCatalogManager::IsRevisionBlacklisted().
std::string signature::SignatureManager::GetCertificate | ( | ) | const |
Definition at line 409 of file signature.cc.
Referenced by publish::ExportKeychain(), and publish::PushCertificate().
string signature::SignatureManager::GetCryptoError | ( | ) |
Returns the OpenSSL error strings.
Definition at line 136 of file signature.cc.
std::string signature::SignatureManager::GetPrivateKey | ( | ) |
Definition at line 425 of file signature.cc.
Referenced by publish::ExportKeychain().
std::string signature::SignatureManager::GetPrivateMasterKey | ( | ) |
Definition at line 441 of file signature.cc.
Referenced by publish::ExportKeychain().
shash::Any signature::SignatureManager::HashCertificate | ( | const shash::Algorithms | hash_algorithm | ) |
Returns the cryptographic hash of the DER-encoded certificate, formatted the way OpenSSL prints fingerprints (01:AB:...). Empty string on failure.
Definition at line 613 of file signature.cc.
void signature::SignatureManager::Init | ( | ) |
Definition at line 109 of file signature.cc.
Referenced by MountPoint::CreateSignatureManager(), and publish::Repository().
|
private |
bool signature::SignatureManager::KeysMatch | ( | ) |
Checks whether the loaded certificate and the loaded private key match.
Definition at line 726 of file signature.cc.
Referenced by publish::Publisher().
bool signature::SignatureManager::LoadBlacklist | ( | const std::string & | path_blacklist, |
bool | append | ||
) |
Loads a list of blacklisted certificates (fingerprints) from a file.
Definition at line 547 of file signature.cc.
Referenced by MountPoint::CheckBlacklists(), and MountPoint::ReloadBlacklists().
bool signature::SignatureManager::LoadCertificateMem | ( | const unsigned char * | buffer, |
const unsigned | buffer_size | ||
) |
See LoadCertificatePath(), which loads the certificate from a file.
Definition at line 272 of file signature.cc.
Referenced by manifest::DoVerify(), and letter::Letter::Verify().
bool signature::SignatureManager::LoadCertificatePath | ( | const std::string & | file_pem | ) |
Loads a certificate. This certificate is used for subsequent signature verifications.
Definition at line 245 of file signature.cc.
Referenced by publish::Publisher().
bool signature::SignatureManager::LoadPrivateKeyMem | ( | const std::string & | key | ) |
bool signature::SignatureManager::LoadPrivateKeyPath | ( | const std::string & | file_pem, |
const std::string & | password | ||
) |
[in] | file_pem | File name of the PEM key file |
[in] | password | Password for the private key. The password is not retained; the decrypted private key is held in memory until UnloadPrivateKey() is called. |
Definition at line 185 of file signature.cc.
Referenced by publish::Publisher().
bool signature::SignatureManager::LoadPrivateMasterKeyMem | ( | const std::string & | key | ) |
bool signature::SignatureManager::LoadPrivateMasterKeyPath | ( | const std::string & | file_pem | ) |
[in] | file_pem | File name of the PEM key file |
[in] | password | Password for the private key. Password is not saved internally, but the private key is. |
Definition at line 153 of file signature.cc.
Referenced by publish::Publisher().
bool signature::SignatureManager::LoadPublicRsaKeys | ( | const std::string & | path_list | ) |
Loads public RSA keys from a ":"-separated list of paths.
Definition at line 305 of file signature.cc.
Referenced by MountPoint::CreateSignatureManager(), and publish::Repository().
bool signature::SignatureManager::LoadTrustedCaCrl | ( | const std::string & | path_list | ) |
Loads CA certificates and CRLs from a ":"-separated list of paths. This information is used for proper X509 chain verification. The certificates and CRLs must be in OpenSSL's hashed certificate directory format. A path can be something like /etc/grid-security/certificates. If path_list is empty, the default path is used.
Definition at line 591 of file signature.cc.
|
static |
Parses a certificate fingerprint from the whitelist.
Definition at line 662 of file signature.cc.
Referenced by whitelist::Whitelist::ParseWhitelist(), and whitelist::Whitelist::VerifyLoadedCertificate().
bool signature::SignatureManager::Sign | ( | const unsigned char * | buffer, |
const unsigned | buffer_size, | ||
unsigned char ** | signature, | ||
unsigned * | signature_size | ||
) |
Signs a data block using the loaded private key.
Definition at line 769 of file signature.cc.
Referenced by publish::PushManifest(), SigningTool::Run(), and letter::Letter::Sign().
bool signature::SignatureManager::SignRsa | ( | const unsigned char * | buffer, |
const unsigned | buffer_size, | ||
unsigned char ** | signature, | ||
unsigned * | signature_size | ||
) |
Signs a data block using the loaded private master key.
Definition at line 817 of file signature.cc.
Referenced by whitelist::Whitelist::CreateString().
void signature::SignatureManager::UnloadCertificate | ( | ) |
Definition at line 224 of file signature.cc.
void signature::SignatureManager::UnloadPrivateKey | ( | ) |
Clears the memory storing the private key.
Definition at line 218 of file signature.cc.
void signature::SignatureManager::UnloadPrivateMasterKey | ( | ) |
Clears the memory storing the private RSA master key (whitelist signing).
Definition at line 233 of file signature.cc.
void signature::SignatureManager::UnloadPublicRsaKeys | ( | ) |
Definition at line 355 of file signature.cc.
bool signature::SignatureManager::Verify | ( | const unsigned char * | buffer, |
const unsigned | buffer_size, | ||
const unsigned char * | signature, | ||
unsigned | signature_size | ||
) |
Verifies a signature against the loaded certificate.
Definition at line 851 of file signature.cc.
bool signature::SignatureManager::VerifyCaChain | ( | ) |
Verifies the currently loaded certificate against the trusted CA chain.
Definition at line 748 of file signature.cc.
bool signature::SignatureManager::VerifyLetter | ( | const unsigned char * | buffer, |
const unsigned | buffer_size, | ||
const bool | by_rsa | ||
) |
Checks a document of the form
`<hash> <signature>`
Definition at line 968 of file signature.cc.
Referenced by manifest::DoVerify(), and letter::Letter::Verify().
bool signature::SignatureManager::VerifyPkcs7 | ( | const unsigned char * | buffer, |
const unsigned | buffer_size, | ||
unsigned char ** | content, | ||
unsigned * | content_size, | ||
std::vector< std::string > * | alt_uris | ||
) |
Verifies a PKCS#7 structure (binary content plus signature) against the loaded trusted CAs and CRLs.
Definition at line 1009 of file signature.cc.
bool signature::SignatureManager::VerifyRsa | ( | const unsigned char * | buffer, |
const unsigned | buffer_size, | ||
const unsigned char * | signature, | ||
unsigned | signature_size | ||
) |
Verifies a signature against all loaded public keys.
Definition at line 898 of file signature.cc.
string signature::SignatureManager::Whois | ( | ) |
Definition at line 681 of file signature.cc.
bool signature::SignatureManager::WriteCertificateMem | ( | unsigned char ** | buffer, |
unsigned * | buffer_size | ||
) |
Definition at line 702 of file signature.cc.
Referenced by letter::Letter::Sign().
|
private |
Definition at line 109 of file signature.h.
|
private |
Definition at line 106 of file signature.h.
|
private |
Definition at line 108 of file signature.h.
|
private |
Definition at line 104 of file signature.h.
|
private |
Definition at line 105 of file signature.h.
|
private |
Contains the cvmfs public master keys.
Definition at line 107 of file signature.h.
|
private |
Definition at line 111 of file signature.h.
|
private |
Definition at line 110 of file signature.h.