#include <signature.h>

Public Types
enum	ESignMethod { kSignManifest, kSignWhitelist }

Public Member Functions
	SignatureManager ()

void	Init ()

void	Fini ()

std::string	GetCryptoError ()

void	UnloadPrivateKey ()

void	UnloadPublicRsaKeys ()

void	UnloadPrivateMasterKey ()

void	UnloadCertificate ()

bool	LoadPrivateMasterKeyPath (const std::string &file_pem)

bool	LoadPrivateKeyPath (const std::string &file_pem, const std::string &password)

bool	LoadPrivateMasterKeyMem (const std::string &key)

bool	LoadPrivateKeyMem (const std::string &key)

bool	LoadCertificatePath (const std::string &file_pem)

bool	LoadCertificateMem (const unsigned char *buffer, const unsigned buffer_size)

bool	WriteCertificateMem (unsigned char *buffer, unsigned buffer_size)

bool	KeysMatch ()

bool	VerifyCaChain ()

std::string	Whois ()

shash::Any	HashCertificate (const shash::Algorithms hash_algorithm)

std::string	FingerprintCertificate (const shash::Algorithms hash_algorithm)

bool	LoadPublicRsaKeys (const std::string &path_list)

bool	LoadBlacklist (const std::string &path_blacklist, bool append)

std::vector< std::string >	GetBlacklist ()

bool	LoadTrustedCaCrl (const std::string &path_list)

bool	Sign (const unsigned char buffer, const unsigned buffer_size, unsigned char signature, unsigned signature_size)

bool	SignRsa (const unsigned char buffer, const unsigned buffer_size, unsigned char signature, unsigned signature_size)

bool	Verify (const unsigned char buffer, const unsigned buffer_size, const unsigned char signature, unsigned signature_size)

bool	VerifyRsa (const unsigned char buffer, const unsigned buffer_size, const unsigned char signature, unsigned signature_size)

bool	VerifyLetter (const unsigned char *buffer, const unsigned buffer_size, const bool by_rsa)

bool	VerifyPkcs7 (const unsigned char buffer, const unsigned buffer_size, unsigned char content, unsigned content_size, std::vector< std::string > *alt_uris)

std::string	GetActivePubkeys () const

std::vector< std::string >	GetActivePubkeysAsVector () const

std::string	GetPrivateMasterKey ()

std::string	GetCertificate () const

std::string	GetPrivateKey ()

void	GenerateMasterKeyPair ()

void	GenerateCertificate (const std::string &cn)

Static Public Member Functions
static shash::Any	MkFromFingerprint (const std::string &fingerprint)

static void	CutLetter (const unsigned char buffer, const unsigned buffer_size, const char separator, unsigned letter_length, unsigned *pos_after_mark)

Private Member Functions
RSA *	GenerateRsaKeyPair ()

std::string	GenerateKeyText (RSA *pubkey) const

void	InitX509Store ()

Private Attributes
EVP_PKEY *	private_key_

RSA *	private_master_key_

X509 *	certificate_

std::vector< RSA * >	public_keys_

pthread_mutex_t	lock_blacklist_

std::vector< std::string >	blacklist_

X509_STORE *	x509_store_

X509_LOOKUP *	x509_lookup_

Detailed Description

Definition at line 29 of file signature.h.

Member Enumeration Documentation

enum signature::SignatureManager::ESignMethod

Enumerator
kSignManifest
kSignWhitelist

Definition at line 31 of file signature.h.

Constructor & Destructor Documentation

signature::SignatureManager::SignatureManager ( )

Definition at line 69 of file signature.cc.

Here is the call graph for this function:

Member Function Documentation

void signature::SignatureManager::CutLetter	(	const unsigned char *	buffer,
		const unsigned	buffer_size,
		const char	separator,
		unsigned *	letter_length,
		unsigned *	pos_after_mark
	)

static

Strips a signature from the letter (if exists)

Definition at line 932 of file signature.cc.

Referenced by letter::Letter::Verify().

Here is the caller graph for this function:

string signature::SignatureManager::FingerprintCertificate ( const shash::Algorithms hash_algorithm )

Returns cryptographic hash from DER encoded certificate, encoded the same way OpenSSL does (01:AB:...). Empty string on failure.

Definition at line 640 of file signature.cc.

Referenced by whitelist::Whitelist::CreateString().

Here is the call graph for this function:

Here is the caller graph for this function:

void signature::SignatureManager::Fini ( )

Definition at line 115 of file signature.cc.

Referenced by publish::Repository(), MountPoint::~MountPoint(), and publish::~Repository().

Here is the caller graph for this function:

void signature::SignatureManager::GenerateCertificate ( const std::string & cn )

Creates a new RSA key pair (private key) and a self-signed certificate

Definition at line 491 of file signature.cc.

Referenced by publish::CreateKeychain().

Here is the call graph for this function:

Here is the caller graph for this function:

std::string signature::SignatureManager::GenerateKeyText ( RSA * pubkey ) const

private

Definition at line 362 of file signature.cc.

Here is the call graph for this function:

void signature::SignatureManager::GenerateMasterKeyPair ( )

Creates the RSA master key pair for whitelist signing

Definition at line 478 of file signature.cc.

Referenced by publish::CreateKeychain().

Here is the caller graph for this function:

RSA * signature::SignatureManager::GenerateRsaKeyPair ( )

private

Definition at line 457 of file signature.cc.

Here is the call graph for this function:

std::string signature::SignatureManager::GetActivePubkeys ( ) const

Definition at line 385 of file signature.cc.

Referenced by publish::ExportKeychain().

Here is the caller graph for this function:

std::vector< std::string > signature::SignatureManager::GetActivePubkeysAsVector ( ) const

Definition at line 397 of file signature.cc.

Referenced by PubkeysMagicXattr::PrepareValueFenced().

Here is the caller graph for this function:

vector< string > signature::SignatureManager::GetBlacklist ( )

Definition at line 578 of file signature.cc.

Referenced by catalog::ClientCatalogManager::IsRevisionBlacklisted().

Here is the caller graph for this function:

std::string signature::SignatureManager::GetCertificate ( ) const

Definition at line 409 of file signature.cc.

Referenced by publish::ExportKeychain(), and publish::PushCertificate().

Here is the call graph for this function:

Here is the caller graph for this function:

string signature::SignatureManager::GetCryptoError ( )

OpenSSL error strings.

Definition at line 136 of file signature.cc.

std::string signature::SignatureManager::GetPrivateKey ( )

Definition at line 425 of file signature.cc.

Referenced by publish::ExportKeychain().

Here is the call graph for this function:

Here is the caller graph for this function:

std::string signature::SignatureManager::GetPrivateMasterKey ( )

Definition at line 441 of file signature.cc.

Referenced by publish::ExportKeychain().

Here is the call graph for this function:

Here is the caller graph for this function:

shash::Any signature::SignatureManager::HashCertificate ( const shash::Algorithms hash_algorithm )

Returns cryptographic hash from DER encoded certificate, encoded the same way OpenSSL does (01:AB:...). Empty string on failure.

Definition at line 613 of file signature.cc.

Here is the call graph for this function:

void signature::SignatureManager::Init ( )

Definition at line 109 of file signature.cc.

Referenced by MountPoint::CreateSignatureManager(), and publish::Repository().

Here is the caller graph for this function:

void signature::SignatureManager::InitX509Store ( )

private

Definition at line 80 of file signature.cc.

Here is the call graph for this function:

bool signature::SignatureManager::KeysMatch ( )

Checks, whether the loaded certificate and the loaded private key match.

Returns: True, if private key and certificate match, false otherwise.

Definition at line 726 of file signature.cc.

Referenced by publish::Publisher().

Here is the call graph for this function:

Here is the caller graph for this function:

bool signature::SignatureManager::LoadBlacklist	(	const std::string &	path_blacklist,
		bool	append
	)

Loads a list of blacklisted certificates (fingerprints) from a file.

Definition at line 547 of file signature.cc.

Referenced by MountPoint::CheckBlacklists(), and MountPoint::ReloadBlacklists().

Here is the call graph for this function:

Here is the caller graph for this function:

bool signature::SignatureManager::LoadCertificateMem	(	const unsigned char *	buffer,
		const unsigned	buffer_size
	)

See the function that loads the certificate from file.

Definition at line 272 of file signature.cc.

Referenced by manifest::DoVerify(), and letter::Letter::Verify().

Here is the caller graph for this function:

bool signature::SignatureManager::LoadCertificatePath ( const std::string & file_pem )

Loads a certificate. This certificate is used for the following signature verifications

Returns: True on success, false otherwise

Definition at line 245 of file signature.cc.

Referenced by publish::Publisher().

Here is the caller graph for this function:

bool signature::SignatureManager::LoadPrivateKeyMem ( const std::string & key )

Definition at line 200 of file signature.cc.

Here is the call graph for this function:

bool signature::SignatureManager::LoadPrivateKeyPath	(	const std::string &	file_pem,
		const std::string &	password
	)

Parameters

[in]	file_pem	File name of the PEM key file
[in]	password	Password for the private key. Password is not saved internally, but the private key is.

Returns: True on success, false otherwise

Definition at line 185 of file signature.cc.

Referenced by publish::Publisher().

Here is the caller graph for this function:

bool signature::SignatureManager::LoadPrivateMasterKeyMem ( const std::string & key )

Definition at line 164 of file signature.cc.

Here is the call graph for this function:

bool signature::SignatureManager::LoadPrivateMasterKeyPath ( const std::string & file_pem )

Parameters

[in]	file_pem	File name of the PEM key file
[in]	password	Password for the private key. Password is not saved internally, but the private key is.

Returns: True on success, false otherwise

Definition at line 153 of file signature.cc.

Referenced by publish::Publisher().

Here is the caller graph for this function:

bool signature::SignatureManager::LoadPublicRsaKeys ( const std::string & path_list )

Loads a list of public RSA keys separated by ":".

Definition at line 305 of file signature.cc.

Referenced by MountPoint::CreateSignatureManager(), and publish::Repository().

Here is the call graph for this function:

Here is the caller graph for this function:

bool signature::SignatureManager::LoadTrustedCaCrl ( const std::string & path_list )

Loads CA certificates CRLs from a ":" separated list of paths. The information is used for proper X509 verification. The format of the certificates and CRLs has to be OpenSSL hashed certs. The path can be something like /etc/grid-security/certificates. If path_list is empty, the default path is taken.

Definition at line 591 of file signature.cc.

Here is the call graph for this function:

shash::Any signature::SignatureManager::MkFromFingerprint ( const std::string & fingerprint )

static

Parses a fingerprint from the whitelist

Definition at line 662 of file signature.cc.

Referenced by whitelist::Whitelist::ParseWhitelist(), and whitelist::Whitelist::VerifyLoadedCertificate().

Here is the call graph for this function:

Here is the caller graph for this function:

bool signature::SignatureManager::Sign	(	const unsigned char *	buffer,
		const unsigned	buffer_size,
		unsigned char **	signature,
		unsigned *	signature_size
	)

Signs a data block using the loaded private key.

Returns: True on success, false otherwise

Definition at line 769 of file signature.cc.

Referenced by publish::PushManifest(), SigningTool::Run(), and letter::Letter::Sign().

Here is the caller graph for this function:

bool signature::SignatureManager::SignRsa	(	const unsigned char *	buffer,
		const unsigned	buffer_size,
		unsigned char **	signature,
		unsigned *	signature_size
	)

Signs a data block using the loaded private master key.

Returns: True on success, false otherwise

Definition at line 817 of file signature.cc.

Referenced by whitelist::Whitelist::CreateString().

Here is the caller graph for this function:

void signature::SignatureManager::UnloadCertificate ( )

Definition at line 224 of file signature.cc.

void signature::SignatureManager::UnloadPrivateKey ( )

Clears the memory storing the private key.

Definition at line 218 of file signature.cc.

void signature::SignatureManager::UnloadPrivateMasterKey ( )

Clears the memory storing the private RSA master key (whitelist signing).

Definition at line 233 of file signature.cc.

void signature::SignatureManager::UnloadPublicRsaKeys ( )

Definition at line 355 of file signature.cc.

bool signature::SignatureManager::Verify	(	const unsigned char *	buffer,
		const unsigned	buffer_size,
		const unsigned char *	signature,
		unsigned	signature_size
	)

Verifies a signature against loaded certificate.

Returns: True if signature is valid, false on error or otherwise

Definition at line 851 of file signature.cc.

bool signature::SignatureManager::VerifyCaChain ( )

Verifies the currently loaded certificate against the trusted CA chain.

Definition at line 748 of file signature.cc.

Here is the call graph for this function:

bool signature::SignatureManager::VerifyLetter	(	const unsigned char *	buffer,
		const unsigned	buffer_size,
		const bool	by_rsa
	)

Checks a document of the form

Definition at line 968 of file signature.cc.

Referenced by manifest::DoVerify(), and letter::Letter::Verify().

Here is the call graph for this function:

Here is the caller graph for this function:

bool signature::SignatureManager::VerifyPkcs7	(	const unsigned char *	buffer,
		const unsigned	buffer_size,
		unsigned char **	content,
		unsigned *	content_size,
		std::vector< std::string > *	alt_uris
	)

Verifies a PKCS#7 binary content + signature structure using the loaded trusted CAs/CRLs

Definition at line 1009 of file signature.cc.

Here is the call graph for this function:

bool signature::SignatureManager::VerifyRsa	(	const unsigned char *	buffer,
		const unsigned	buffer_size,
		const unsigned char *	signature,
		unsigned	signature_size
	)

Verifies a signature against all loaded public keys.

Returns: True if signature is valid with any public key, false on error or otherwise

Definition at line 898 of file signature.cc.

Here is the call graph for this function:

string signature::SignatureManager::Whois ( )

Returns: Some human-readable information about the loaded certificate.

Definition at line 681 of file signature.cc.

bool signature::SignatureManager::WriteCertificateMem	(	unsigned char **	buffer,
		unsigned *	buffer_size
	)

Definition at line 702 of file signature.cc.

Referenced by letter::Letter::Sign().

Here is the caller graph for this function:

Member Data Documentation

std::vector<std::string> signature::SignatureManager::blacklist_

private

Definition at line 109 of file signature.h.

X509* signature::SignatureManager::certificate_

private

Definition at line 106 of file signature.h.

pthread_mutex_t signature::SignatureManager::lock_blacklist_

private

Definition at line 108 of file signature.h.

EVP_PKEY* signature::SignatureManager::private_key_

private

Definition at line 104 of file signature.h.

RSA* signature::SignatureManager::private_master_key_

private

Definition at line 105 of file signature.h.

std::vector<RSA *> signature::SignatureManager::public_keys_

private

Contains cvmfs public master keys

Definition at line 107 of file signature.h.

X509_LOOKUP* signature::SignatureManager::x509_lookup_

private

Definition at line 111 of file signature.h.

X509_STORE* signature::SignatureManager::x509_store_

private

Definition at line 110 of file signature.h.

The documentation for this class was generated from the following files:

/home/sftnight/jenkins/workspace/CvmfsDoxygen/label/docker-x86_64/cvmfs/cvmfs/crypto/signature.h
/home/sftnight/jenkins/workspace/CvmfsDoxygen/label/docker-x86_64/cvmfs/cvmfs/crypto/signature.cc

Public Types

Public Member Functions

Static Public Member Functions

Private Member Functions

Private Attributes

Detailed Description

Member Enumeration Documentation

Constructor & Destructor Documentation

Member Function Documentation

Member Data Documentation