release/src/router/mysql/extra/yassl/src/cert_wrapper.cpp

   1 /*
   2    Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
   3
   4    This program is free software; you can redistribute it and/or modify
   5    it under the terms of the GNU General Public License as published by
   6    the Free Software Foundation; version 2 of the License.
   7
   8    This program is distributed in the hope that it will be useful,
   9    but WITHOUT ANY WARRANTY; without even the implied warranty of
  10    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  11    GNU General Public License for more details.
  12
  13    You should have received a copy of the GNU General Public License
  14    along with this program; see the file COPYING. If not, write to the
  15    Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
  16    MA  02110-1301  USA.
  17 */
  18
  19
  20 /*  The certificate wrapper source implements certificate management functions
  21  *
  22  */
  23
  24 #include "runtime.hpp"
  25 #include "cert_wrapper.hpp"
  26 #include "yassl_int.hpp"
  27 #include "error.hpp"
  28
  29 #if defined(USE_CML_LIB)
  30     #include "cmapi_cpp.h"
  31 #else
  32     #include "asn.hpp"
  33     #include "file.hpp"
  34 #endif // USE_CML_LIB
  35
  36
  37 namespace yaSSL {
  38
  39
  40 x509::x509(uint sz) : length_(sz), buffer_(NEW_YS opaque[sz])
  41 {
  42 }
  43
  44
  45 x509::~x509()
  46 {
  47     ysArrayDelete(buffer_);
  48 }
  49
  50
  51 x509::x509(const x509& that) : length_(that.length_),
  52                                buffer_(NEW_YS opaque[length_])
  53 {
  54     memcpy(buffer_, that.buffer_, length_);
  55 }
  56
  57
  58 void x509::Swap(x509& that)
  59 {
  60     STL::swap(length_, that.length_);
  61     STL::swap(buffer_, that.buffer_);
  62 }
  63
  64
  65 x509& x509::operator=(const x509& that)
  66 {
  67     x509 temp(that);
  68     Swap(temp);
  69     return *this;
  70 }
  71
  72
  73 uint x509::get_length() const
  74 {
  75     return length_;
  76 }
  77
  78
  79 const opaque* x509::get_buffer() const
  80 {
  81     return buffer_;
  82 }
  83
  84
  85 opaque* x509::use_buffer()
  86 {
  87     return buffer_;
  88 }
  89
  90
  91 //CertManager
  92 CertManager::CertManager()
  93     : peerX509_(0), verifyPeer_(false), verifyNone_(false), failNoCert_(false),
  94       sendVerify_(false), verifyCallback_(0)
  95 {}
  96
  97
  98 CertManager::~CertManager()
  99 {
 100     ysDelete(peerX509_);
 101
 102     STL::for_each(signers_.begin(), signers_.end(), del_ptr_zero()) ;
 103
 104     STL::for_each(peerList_.begin(), peerList_.end(), del_ptr_zero()) ;
 105
 106     STL::for_each(list_.begin(), list_.end(), del_ptr_zero()) ;
 107 }
 108
 109
 110 bool CertManager::verifyPeer() const
 111 {
 112     return verifyPeer_;
 113 }
 114
 115
 116 bool CertManager::verifyNone() const
 117 {
 118     return verifyNone_;
 119 }
 120
 121
 122 bool CertManager::failNoCert() const
 123 {
 124     return failNoCert_;
 125 }
 126
 127
 128 bool CertManager::sendVerify() const
 129 {
 130     return sendVerify_;
 131 }
 132
 133
 134 void CertManager::setVerifyPeer()
 135 {
 136     verifyPeer_ = true;
 137 }
 138
 139
 140 void CertManager::setVerifyNone()
 141 {
 142     verifyNone_ = true;
 143 }
 144
 145
 146 void CertManager::setFailNoCert()
 147 {
 148     failNoCert_ = true;
 149 }
 150
 151
 152 void CertManager::setSendVerify()
 153 {
 154     sendVerify_ = true;
 155 }
 156
 157
 158 void CertManager::setVerifyCallback(VerifyCallback vc)
 159 {
 160     verifyCallback_ = vc;
 161 }
 162
 163
 164 void CertManager::AddPeerCert(x509* x)
 165 {
 166     peerList_.push_back(x);  // take ownership
 167 }
 168
 169
 170 void CertManager::CopySelfCert(const x509* x)
 171 {
 172     if (x)
 173         list_.push_back(NEW_YS x509(*x));
 174 }
 175
 176
 177 // add to signers
 178 int CertManager::CopyCaCert(const x509* x)
 179 {
 180     TaoCrypt::Source source(x->get_buffer(), x->get_length());
 181     TaoCrypt::CertDecoder cert(source, true, &signers_, verifyNone_,
 182                                TaoCrypt::CertDecoder::CA);
 183
 184     if (!cert.GetError().What()) {
 185         const TaoCrypt::PublicKey& key = cert.GetPublicKey();
 186         signers_.push_back(NEW_YS TaoCrypt::Signer(key.GetKey(), key.size(),
 187                                         cert.GetCommonName(), cert.GetHash()));
 188     }
 189     // just don't add, not an error return cert.GetError().What();
 190     return 0;
 191 }
 192
 193
 194 const x509* CertManager::get_cert() const
 195 {
 196     return list_.front();
 197 }
 198
 199
 200 const opaque* CertManager::get_peerKey() const
 201 {
 202     return peerPublicKey_.get_buffer();
 203 }
 204
 205
 206 X509* CertManager::get_peerX509() const
 207 {
 208     return peerX509_;
 209 }
 210
 211
 212 SignatureAlgorithm CertManager::get_peerKeyType() const
 213 {
 214     return peerKeyType_;
 215 }
 216
 217
 218 SignatureAlgorithm CertManager::get_keyType() const
 219 {
 220     return keyType_;
 221 }
 222
 223
 224 uint CertManager::get_peerKeyLength() const
 225 {
 226     return peerPublicKey_.get_size();
 227 }
 228
 229
 230 const opaque* CertManager::get_privateKey() const
 231 {
 232     return privateKey_.get_buffer();
 233 }
 234
 235
 236 uint CertManager::get_privateKeyLength() const
 237 {
 238     return privateKey_.get_size();
 239 }
 240
 241
 242 // Validate the peer's certificate list, from root to peer (last to first)
 243 int CertManager::Validate()
 244 {
 245     CertList::reverse_iterator last = peerList_.rbegin();
 246     size_t count = peerList_.size();
 247
 248     while ( count > 1 ) {
 249         TaoCrypt::Source source((*last)->get_buffer(), (*last)->get_length());
 250         TaoCrypt::CertDecoder cert(source, true, &signers_, verifyNone_);
 251
 252         if (int err = cert.GetError().What())
 253             return err;
 254
 255         const TaoCrypt::PublicKey& key = cert.GetPublicKey();
 256         signers_.push_back(NEW_YS TaoCrypt::Signer(key.GetKey(), key.size(),
 257                                         cert.GetCommonName(), cert.GetHash()));
 258         ++last;
 259         --count;
 260     }
 261
 262     if (count) {
 263         // peer's is at the front
 264         TaoCrypt::Source source((*last)->get_buffer(), (*last)->get_length());
 265         TaoCrypt::CertDecoder cert(source, true, &signers_, verifyNone_);
 266
 267         int err = cert.GetError().What();
 268         if ( err && err != TaoCrypt::SIG_OTHER_E)
 269             return err;
 270
 271         uint sz = cert.GetPublicKey().size();
 272         peerPublicKey_.allocate(sz);
 273         peerPublicKey_.assign(cert.GetPublicKey().GetKey(), sz);
 274
 275         if (cert.GetKeyType() == TaoCrypt::RSAk)
 276             peerKeyType_ = rsa_sa_algo;
 277         else
 278             peerKeyType_ = dsa_sa_algo;
 279
 280         size_t iSz = strlen(cert.GetIssuer()) + 1;
 281         size_t sSz = strlen(cert.GetCommonName()) + 1;
 282         int bSz = (int)strlen(cert.GetBeforeDate()) + 1;
 283         int aSz = (int)strlen(cert.GetAfterDate()) + 1;
 284         peerX509_ = NEW_YS X509(cert.GetIssuer(), iSz, cert.GetCommonName(),
 285                                 sSz, cert.GetBeforeDate(), bSz,
 286                                 cert.GetAfterDate(), aSz);
 287
 288         if (err == TaoCrypt::SIG_OTHER_E && verifyCallback_) {
 289             X509_STORE_CTX store;
 290             store.error = err;
 291             store.error_depth = static_cast<int>(count) - 1;
 292             store.current_cert = peerX509_;
 293
 294             int ok = verifyCallback_(0, &store);
 295             if (ok) return 0;
 296         }
 297
 298         if (err == TaoCrypt::SIG_OTHER_E) return err;
 299     }
 300     return 0;
 301 }
 302
 303
 304 // Set the private key
 305 int CertManager::SetPrivateKey(const x509& key)
 306 {
 307     privateKey_.allocate(key.get_length());
 308     privateKey_.assign(key.get_buffer(), key.get_length());
 309
 310     // set key type
 311     if (x509* cert = list_.front()) {
 312         TaoCrypt::Source source(cert->get_buffer(), cert->get_length());
 313         TaoCrypt::CertDecoder cd(source, false);
 314         cd.DecodeToKey();
 315         if (int err = cd.GetError().What())
 316             return err;
 317         if (cd.GetKeyType() == TaoCrypt::RSAk)
 318             keyType_ = rsa_sa_algo;
 319         else
 320             keyType_ = dsa_sa_algo;
 321     }
 322     return 0;
 323 }
 324
 325
 326 // Store OpenSSL type peer's cert
 327 void CertManager::setPeerX509(X509* x)
 328 {
 329     if (x == 0) return;
 330
 331     X509_NAME* issuer   = x->GetIssuer();
 332     X509_NAME* subject  = x->GetSubject();
 333     ASN1_STRING* before = x->GetBefore();
 334     ASN1_STRING* after  = x->GetAfter();
 335
 336     peerX509_ = NEW_YS X509(issuer->GetName(), issuer->GetLength(),
 337         subject->GetName(), subject->GetLength(), (const char*) before->data,
 338         before->length, (const char*) after->data, after->length);
 339 }
 340
 341
 342 #if defined(USE_CML_LIB)
 343
 344 // Get the peer's certificate, extract and save public key
 345 void CertManager::SetPeerKey()
 346 {
 347     // first cert is the peer's
 348     x509* main = peerList_.front();
 349
 350     Bytes_struct cert;
 351     cert.num  = main->get_length();
 352     cert.data = main->set_buffer();
 353
 354     CML::Certificate cm(cert);
 355     const CML::ASN::Cert& raw = cm.base();
 356     CTIL::CSM_Buffer key = raw.pubKeyInfo.key;
 357
 358     uint sz;
 359     opaque* key_buffer = reinterpret_cast<opaque*>(key.Get(sz));
 360     peerPublicKey_.allocate(sz);
 361     peerPublicKey_.assign(key_buffer, sz);
 362 }
 363
 364
 365 #endif // USE_CML_LIB
 366
 367
 368
 369 } // namespace