CernVM-FS  2.12.0
signature::SignatureManager Class Reference

#include <signature.h>

Public Types

enum  ESignMethod { kSignManifest, kSignWhitelist }
 

Public Member Functions

 SignatureManager ()
 
void Init ()
 
void Fini ()
 
std::string GetCryptoError ()
 
void UnloadPrivateKey ()
 
void UnloadPublicRsaKeys ()
 
void UnloadPrivateMasterKey ()
 
void UnloadCertificate ()
 
bool LoadPrivateMasterKeyPath (const std::string &file_pem)
 
bool LoadPrivateKeyPath (const std::string &file_pem, const std::string &password)
 
bool LoadPrivateMasterKeyMem (const std::string &key)
 
bool LoadPrivateKeyMem (const std::string &key)
 
bool LoadCertificatePath (const std::string &file_pem)
 
bool LoadCertificateMem (const unsigned char *buffer, const unsigned buffer_size)
 
bool WriteCertificateMem (unsigned char **buffer, unsigned *buffer_size)
 
bool KeysMatch ()
 
bool VerifyCaChain ()
 
std::string Whois ()
 
shash::Any HashCertificate (const shash::Algorithms hash_algorithm)
 
std::string FingerprintCertificate (const shash::Algorithms hash_algorithm)
 
bool LoadPublicRsaKeys (const std::string &path_list)
 
bool LoadBlacklist (const std::string &path_blacklist, bool append)
 
std::vector< std::string > GetBlacklist ()
 
bool LoadTrustedCaCrl (const std::string &path_list)
 
bool Sign (const unsigned char *buffer, const unsigned buffer_size, unsigned char **signature, unsigned *signature_size)
 
bool SignRsa (const unsigned char *buffer, const unsigned buffer_size, unsigned char **signature, unsigned *signature_size)
 
bool Verify (const unsigned char *buffer, const unsigned buffer_size, const unsigned char *signature, unsigned signature_size)
 
bool VerifyRsa (const unsigned char *buffer, const unsigned buffer_size, const unsigned char *signature, unsigned signature_size)
 
bool VerifyLetter (const unsigned char *buffer, const unsigned buffer_size, const bool by_rsa)
 
bool VerifyPkcs7 (const unsigned char *buffer, const unsigned buffer_size, unsigned char **content, unsigned *content_size, std::vector< std::string > *alt_uris)
 
std::string GetActivePubkeys () const
 
std::vector< std::string > GetActivePubkeysAsVector () const
 
std::string GetPrivateMasterKey ()
 
std::string GetCertificate () const
 
std::string GetPrivateKey ()
 
void GenerateMasterKeyPair ()
 
void GenerateCertificate (const std::string &cn)
 

Static Public Member Functions

static shash::Any MkFromFingerprint (const std::string &fingerprint)
 
static void CutLetter (const unsigned char *buffer, const unsigned buffer_size, const char separator, unsigned *letter_length, unsigned *pos_after_mark)
 

Private Member Functions

RSA * GenerateRsaKeyPair ()
 
std::string GenerateKeyText (RSA *pubkey) const
 
void InitX509Store ()
 

Private Attributes

EVP_PKEY * private_key_
 
RSA * private_master_key_
 
X509 * certificate_
 
std::vector< RSA * > public_keys_
 
pthread_mutex_t lock_blacklist_
 
std::vector< std::string > blacklist_
 
X509_STORE * x509_store_
 
X509_LOOKUP * x509_lookup_
 

Detailed Description

Definition at line 29 of file signature.h.

Member Enumeration Documentation

Enumerator
kSignManifest 
kSignWhitelist 

Definition at line 31 of file signature.h.

Constructor & Destructor Documentation

signature::SignatureManager::SignatureManager ( )

Definition at line 69 of file signature.cc.


Member Function Documentation

void signature::SignatureManager::CutLetter ( const unsigned char *  buffer,
const unsigned  buffer_size,
const char  separator,
unsigned *  letter_length,
unsigned *  pos_after_mark 
)
static

Strips the signature from a letter (if one exists): on return, letter_length holds the length of the letter body and pos_after_mark the position right after the separator mark.

Definition at line 932 of file signature.cc.

Referenced by letter::Letter::Verify().


string signature::SignatureManager::FingerprintCertificate ( const shash::Algorithms  hash_algorithm)

Returns the cryptographic hash of the DER-encoded certificate, formatted the way OpenSSL prints fingerprints (01:AB:...). Empty string on failure.

Definition at line 640 of file signature.cc.

Referenced by whitelist::Whitelist::CreateString().


void signature::SignatureManager::Fini ( )

Definition at line 115 of file signature.cc.

Referenced by publish::Repository(), MountPoint::~MountPoint(), and publish::~Repository().


void signature::SignatureManager::GenerateCertificate ( const std::string &  cn)

Creates a new RSA key pair (the private key) and a self-signed certificate with common name cn.

Definition at line 491 of file signature.cc.

Referenced by publish::CreateKeychain().


std::string signature::SignatureManager::GenerateKeyText ( RSA *  pubkey) const
private

Definition at line 362 of file signature.cc.


void signature::SignatureManager::GenerateMasterKeyPair ( )

Creates the RSA master key pair used for whitelist signing.

Definition at line 478 of file signature.cc.

Referenced by publish::CreateKeychain().


RSA * signature::SignatureManager::GenerateRsaKeyPair ( )
private

Definition at line 457 of file signature.cc.


std::string signature::SignatureManager::GetActivePubkeys ( ) const

Definition at line 385 of file signature.cc.

Referenced by publish::ExportKeychain().


std::vector< std::string > signature::SignatureManager::GetActivePubkeysAsVector ( ) const

Definition at line 397 of file signature.cc.

Referenced by PubkeysMagicXattr::PrepareValueFenced().


vector< string > signature::SignatureManager::GetBlacklist ( )

Definition at line 578 of file signature.cc.

Referenced by catalog::ClientCatalogManager::IsRevisionBlacklisted().


std::string signature::SignatureManager::GetCertificate ( ) const

Definition at line 409 of file signature.cc.

Referenced by publish::ExportKeychain(), and publish::PushCertificate().


string signature::SignatureManager::GetCryptoError ( )

Returns the pending OpenSSL error strings.

Definition at line 136 of file signature.cc.

std::string signature::SignatureManager::GetPrivateKey ( )

Definition at line 425 of file signature.cc.

Referenced by publish::ExportKeychain().


std::string signature::SignatureManager::GetPrivateMasterKey ( )

Definition at line 441 of file signature.cc.

Referenced by publish::ExportKeychain().


shash::Any signature::SignatureManager::HashCertificate ( const shash::Algorithms  hash_algorithm)

Returns the cryptographic hash of the DER-encoded certificate as a shash::Any, computed with hash_algorithm. Returns a null hash on failure (no certificate loaded or DER encoding failed). FingerprintCertificate() builds its OpenSSL-style 01:AB:... string from this value.

Definition at line 613 of file signature.cc.


void signature::SignatureManager::Init ( )

Definition at line 109 of file signature.cc.

Referenced by MountPoint::CreateSignatureManager(), and publish::Repository().


void signature::SignatureManager::InitX509Store ( )
private

Definition at line 80 of file signature.cc.


bool signature::SignatureManager::KeysMatch ( )

Checks whether the loaded certificate and the loaded private key match.

Returns
True, if private key and certificate match, false otherwise.

Definition at line 726 of file signature.cc.

Referenced by publish::Publisher().


bool signature::SignatureManager::LoadBlacklist ( const std::string &  path_blacklist,
bool  append 
)

Loads a list of blacklisted certificates (fingerprints) from a file.

Definition at line 547 of file signature.cc.

Referenced by MountPoint::CheckBlacklists(), and MountPoint::ReloadBlacklists().


bool signature::SignatureManager::LoadCertificateMem ( const unsigned char *  buffer,
const unsigned  buffer_size 
)

Same as LoadCertificatePath(), but reads the certificate from a memory buffer instead of a file.

Definition at line 272 of file signature.cc.

Referenced by manifest::DoVerify(), and letter::Letter::Verify().


bool signature::SignatureManager::LoadCertificatePath ( const std::string &  file_pem)

Loads a certificate from a PEM file. This certificate is used for all subsequent signature verifications with Verify().

Returns
True on success, false otherwise

Definition at line 245 of file signature.cc.

Referenced by publish::Publisher().


bool signature::SignatureManager::LoadPrivateKeyMem ( const std::string &  key)

Definition at line 200 of file signature.cc.


bool signature::SignatureManager::LoadPrivateKeyPath ( const std::string &  file_pem,
const std::string &  password 
)
Loads the private key used by Sign() from a (possibly password-protected) PEM file.

Parameters
[in] file_pem   File name of the PEM key file
[in] password   Password for the private key. The password is not kept internally; the decrypted private key is.
Returns
True on success, false otherwise

Definition at line 185 of file signature.cc.

Referenced by publish::Publisher().


bool signature::SignatureManager::LoadPrivateMasterKeyMem ( const std::string &  key)

Definition at line 164 of file signature.cc.


bool signature::SignatureManager::LoadPrivateMasterKeyPath ( const std::string &  file_pem)
Loads the RSA private master key used by SignRsa() (whitelist signing) from a PEM file.

Parameters
[in] file_pem   File name of the PEM key file
Returns
True on success, false otherwise

Definition at line 153 of file signature.cc.

Referenced by publish::Publisher().


bool signature::SignatureManager::LoadPublicRsaKeys ( const std::string &  path_list)

Loads public RSA keys (master keys) from a ":"-separated list of paths. All loaded keys are trusted by VerifyRsa().

Definition at line 305 of file signature.cc.

Referenced by MountPoint::CreateSignatureManager(), and publish::Repository().


bool signature::SignatureManager::LoadTrustedCaCrl ( const std::string &  path_list)

Loads CA certificates and CRLs from a ":"-separated list of paths. The information is used for proper X.509 verification. The certificates and CRLs have to be in OpenSSL's hashed-directory format. A path can be something like /etc/grid-security/certificates. If path_list is empty, the default path is taken.

Definition at line 591 of file signature.cc.


shash::Any signature::SignatureManager::MkFromFingerprint ( const std::string &  fingerprint)
static

Parses a fingerprint string (01:AB:... form, as produced by FingerprintCertificate()) from the whitelist into a shash::Any.

Definition at line 662 of file signature.cc.

Referenced by whitelist::Whitelist::ParseWhitelist(), and whitelist::Whitelist::VerifyLoadedCertificate().


bool signature::SignatureManager::Sign ( const unsigned char *  buffer,
const unsigned  buffer_size,
unsigned char **  signature,
unsigned *  signature_size 
)

Signs a data block using the loaded private key.

Returns
True on success, false otherwise

Definition at line 769 of file signature.cc.

Referenced by publish::PushManifest(), SigningTool::Run(), and letter::Letter::Sign().


bool signature::SignatureManager::SignRsa ( const unsigned char *  buffer,
const unsigned  buffer_size,
unsigned char **  signature,
unsigned *  signature_size 
)

Signs a data block using the loaded private master key.

Returns
True on success, false otherwise

Definition at line 817 of file signature.cc.

Referenced by whitelist::Whitelist::CreateString().


void signature::SignatureManager::UnloadCertificate ( )

Definition at line 224 of file signature.cc.

void signature::SignatureManager::UnloadPrivateKey ( )

Clears the memory storing the private key.

Definition at line 218 of file signature.cc.

void signature::SignatureManager::UnloadPrivateMasterKey ( )

Clears the memory storing the private RSA master key (whitelist signing).

Definition at line 233 of file signature.cc.

void signature::SignatureManager::UnloadPublicRsaKeys ( )

Definition at line 355 of file signature.cc.

bool signature::SignatureManager::Verify ( const unsigned char *  buffer,
const unsigned  buffer_size,
const unsigned char *  signature,
unsigned  signature_size 
)

Verifies a signature against the loaded certificate.

Returns
True if the signature is valid; false if it is invalid or on error

Definition at line 851 of file signature.cc.

bool signature::SignatureManager::VerifyCaChain ( )

Verifies the currently loaded certificate against the trusted CA chain.

Definition at line 748 of file signature.cc.


bool signature::SignatureManager::VerifyLetter ( const unsigned char *  buffer,
const unsigned  buffer_size,
const bool  by_rsa 
)

Checks a signed letter, i.e. a document whose trailing part has the form

<hash>
<signature>

where <hash> is the hash of the letter body and <signature> is the signature over that hash. The hash is recomputed and compared, and the signature is then verified with VerifyRsa() (any loaded public master key) if by_rsa is true, or with Verify() (the loaded certificate) otherwise.

Definition at line 968 of file signature.cc.

Referenced by manifest::DoVerify(), and letter::Letter::Verify().


bool signature::SignatureManager::VerifyPkcs7 ( const unsigned char *  buffer,
const unsigned  buffer_size,
unsigned char **  content,
unsigned *  content_size,
std::vector< std::string > *  alt_uris 
)

Verifies a PKCS#7 structure (binary content plus signature) using the loaded trusted CAs and CRLs and, on success, returns the verified content in content/content_size.

Definition at line 1009 of file signature.cc.


bool signature::SignatureManager::VerifyRsa ( const unsigned char *  buffer,
const unsigned  buffer_size,
const unsigned char *  signature,
unsigned  signature_size 
)

Verifies a signature against all loaded public keys.

Returns
True if the signature is valid under any one of the loaded public keys; false if it is invalid under all of them or on error

Definition at line 898 of file signature.cc.

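The fingerprint, blacklist and sign/verify semantics described on this page (FingerprintCertificate()/MkFromFingerprint(), LoadBlacklist(), Sign()/Verify() against the single loaded certificate, and SignRsa()/VerifyRsa() against the list of public master keys), as an added, stand-alone Go example. This is not cvmfs code and does not use SignatureManager or OpenSSL; it reproduces the same shapes with the Go standard library. Assumptions: SHA-256 as the fingerprint hash (the real API takes hash_algorithm as a parameter), PKCS#1 v1.5 signatures, and a blacklist format of one fingerprint per line with blank lines and '#' comments ignored, which this page does not specify. The function names, the key/certificate fixture and the input bytes are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Fingerprint: SHA-256 of the DER certificate (assumed; the real API takes the algorithm), OpenSSL-style "01:AB:...".
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	parts := make([]string, len(sum))
	for i, b := range sum {
		parts[i] = fmt.Sprintf("%02X", b)
	}
	return strings.Join(parts, ":")
}

// ParseFingerprint inverts Fingerprint (either case); malformed or wrong-length input is an error, not a silent miss.
func ParseFingerprint(fp string) ([]byte, error) {
	raw, err := hex.DecodeString(strings.ReplaceAll(strings.TrimSpace(fp), ":", ""))
	if err != nil || len(raw) != sha256.Size {
		return nil, fmt.Errorf("malformed fingerprint %q", fp)
	}
	return raw, nil
}

// LoadBlacklist parses the assumed format (one fingerprint per line, blank lines and '#' comments ignored) into a set keyed by raw digest.
func LoadBlacklist(text string) (map[string]bool, error) {
	set := map[string]bool{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		raw, err := ParseFingerprint(line)
		if err != nil {
			return nil, err
		}
		set[string(raw)] = true
	}
	return set, nil
}

// IsBlacklisted compares raw digests, so "aa:bb" and "AA:BB" both match.
func IsBlacklisted(cert *x509.Certificate, bl map[string]bool) bool {
	sum := sha256.Sum256(cert.Raw)
	return bl[string(sum[:])]
}

// Sign produces an RSA PKCS#1 v1.5 signature over the SHA-256 digest of buf.
func Sign(key *rsa.PrivateKey, buf []byte) ([]byte, error) {
	d := sha256.Sum256(buf)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
}

// VerifyRsa has "any loaded public key" semantics: sig is accepted if at least one key in pubs verifies it.
func VerifyRsa(pubs []*rsa.PublicKey, buf, sig []byte) bool {
	d := sha256.Sum256(buf)
	for _, pub := range pubs {
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil {
			return true
		}
	}
	return false
}

// Verify checks sig over buf against the one loaded certificate only.
func Verify(cert *x509.Certificate, buf, sig []byte) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && VerifyRsa([]*rsa.PublicKey{pub}, buf, sig)
}

func NewSelfSigned() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

func main() {
	key, cert, _ := NewSelfSigned()
	sig, _ := Sign(key, []byte("constructed manifest")) // constructed input
	fmt.Println(Fingerprint(cert.Raw), Verify(cert, []byte("constructed manifest"), sig))
}
```

Two points worth noticing. VerifyRsa accepts the signature if any key in the list verifies it, so every key loaded via LoadPublicRsaKeys() is fully trusted and the list should be kept as short as the deployment allows. The blacklist is compared by raw digest rather than by formatted string, so a fingerprint written in lower case still matches, and a malformed line is rejected at load time instead of becoming an entry that never matches anything.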

string signature::SignatureManager::Whois ( )
Returns
Some human-readable information about the loaded certificate.

Definition at line 681 of file signature.cc.

bool signature::SignatureManager::WriteCertificateMem ( unsigned char **  buffer,
unsigned *  buffer_size 
)

Definition at line 702 of file signature.cc.

Referenced by letter::Letter::Sign().


Member Data Documentation

std::vector<std::string> signature::SignatureManager::blacklist_
private

Definition at line 109 of file signature.h.

X509* signature::SignatureManager::certificate_
private

Definition at line 106 of file signature.h.

pthread_mutex_t signature::SignatureManager::lock_blacklist_
private

Definition at line 108 of file signature.h.

EVP_PKEY* signature::SignatureManager::private_key_
private

Definition at line 104 of file signature.h.

RSA* signature::SignatureManager::private_master_key_
private

Definition at line 105 of file signature.h.

std::vector<RSA *> signature::SignatureManager::public_keys_
private

Contains the cvmfs public master keys, each of which is trusted by VerifyRsa().

Definition at line 107 of file signature.h.

X509_LOOKUP* signature::SignatureManager::x509_lookup_
private

Definition at line 111 of file signature.h.

X509_STORE* signature::SignatureManager::x509_store_
private

Definition at line 110 of file signature.h.

