summaryrefslogtreecommitdiffstats
path: root/tdeio/kssl/ksslcertificate.cc
diff options
context:
space:
mode:
Diffstat (limited to 'tdeio/kssl/ksslcertificate.cc')
-rw-r--r--tdeio/kssl/ksslcertificate.cc1236
1 files changed, 0 insertions, 1236 deletions
diff --git a/tdeio/kssl/ksslcertificate.cc b/tdeio/kssl/ksslcertificate.cc
deleted file mode 100644
index edf877496..000000000
--- a/tdeio/kssl/ksslcertificate.cc
+++ /dev/null
@@ -1,1236 +0,0 @@
-/* This file is part of the KDE project
- *
- * Copyright (C) 2000-2003 George Staikos <[email protected]>
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Library General Public
- * License as published by the Free Software Foundation; either
- * version 2 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Library General Public License for more details.
- *
- * You should have received a copy of the GNU Library General Public License
- * along with this library; see the file COPYING.LIB. If not, write to
- * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
- * Boston, MA 02110-1301, USA.
- */
-
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-
-
-#include <unistd.h>
-#include <tqstring.h>
-#include <tqstringlist.h>
-#include <tqfile.h>
-
-#include "kssldefs.h"
-#include "ksslcertificate.h"
-#include "ksslcertchain.h"
-#include "ksslutils.h"
-
-#include <kstandarddirs.h>
-#include <kmdcodec.h>
-#include <tdelocale.h>
-#include <tqdatetime.h>
-#include <tdetempfile.h>
-
-#include <sys/types.h>
-
-#ifdef HAVE_SYS_STAT_H
-#include <sys/stat.h>
-#endif
-
-// this hack provided by Malte Starostik to avoid glibc/openssl bug
-// on some systems
-#ifdef KSSL_HAVE_SSL
-#define crypt _openssl_crypt
-#include <openssl/ssl.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-#include <openssl/x509_vfy.h>
-#include <openssl/pem.h>
-#undef crypt
-#endif
-
-#include <kopenssl.h>
-#include <tqcstring.h>
-#include <kdebug.h>
-#include "ksslx509v3.h"
-
-
-
-static char hv[] = {'0','1','2','3','4','5','6','7','8','9','A','B','C','D','E','F'};
-
-
-class KSSLCertificatePrivate {
-public:
- KSSLCertificatePrivate() {
- kossl = KOSSL::self();
- _lastPurpose = KSSLCertificate::None;
- }
-
- ~KSSLCertificatePrivate() {
- }
-
- KSSLCertificate::KSSLValidation m_stateCache;
- bool m_stateCached;
- #ifdef KSSL_HAVE_SSL
- X509 *m_cert;
- X509_CRL *m_cert_crl;
- #endif
- KOSSL *kossl;
- KSSLCertChain _chain;
- KSSLX509V3 _extensions;
- KSSLCertificate::KSSLPurpose _lastPurpose;
-};
-
-KSSLCertificate::KSSLCertificate() {
- d = new KSSLCertificatePrivate;
- d->m_stateCached = false;
- TDEGlobal::dirs()->addResourceType("kssl", TDEStandardDirs::kde_default("data") + "kssl");
- #ifdef KSSL_HAVE_SSL
- d->m_cert = NULL;
- d->m_cert_crl = NULL;
- #endif
-}
-
-
-KSSLCertificate::KSSLCertificate(const KSSLCertificate& x) {
- d = new KSSLCertificatePrivate;
- d->m_stateCached = false;
- TDEGlobal::dirs()->addResourceType("kssl", TDEStandardDirs::kde_default("data") + "kssl");
- #ifdef KSSL_HAVE_SSL
- d->m_cert = NULL;
- d->m_cert_crl = NULL;
- setCert(KOSSL::self()->X509_dup(const_cast<KSSLCertificate&>(x).getCert()));
- KSSLCertChain *c = x.d->_chain.replicate();
- setChain(c->rawChain());
- delete c;
- #endif
-}
-
-
-
-KSSLCertificate::~KSSLCertificate() {
-#ifdef KSSL_HAVE_SSL
- if (d->m_cert) {
- d->kossl->X509_free(d->m_cert);
- }
- if (d->m_cert_crl) {
- d->kossl->X509_CRL_free(d->m_cert_crl);
- }
-#endif
- delete d;
-}
-
-
-KSSLCertChain& KSSLCertificate::chain() {
- return d->_chain;
-}
-
-
-KSSLCertificate *KSSLCertificate::fromX509(X509 *x5) {
-KSSLCertificate *n = NULL;
-#ifdef KSSL_HAVE_SSL
- if (x5) {
- n = new KSSLCertificate;
- n->setCert(KOSSL::self()->X509_dup(x5));
- }
-#endif
-return n;
-}
-
-
-KSSLCertificate *KSSLCertificate::fromString(TQCString cert) {
-KSSLCertificate *n = NULL;
-#ifdef KSSL_HAVE_SSL
- if (cert.length() == 0)
- return NULL;
-
- TQByteArray qba, qbb = cert.copy();
- KCodecs::base64Decode(qbb, qba);
- unsigned char *qbap = reinterpret_cast<unsigned char *>(qba.data());
- X509 *x5c = KOSSL::self()->d2i_X509(NULL, &qbap, qba.size());
- if (!x5c) {
- return NULL;
- }
-
- n = new KSSLCertificate;
- n->setCert(x5c);
-#endif
-return n;
-}
-
-KSSLCertificate *KSSLCertificate::crlFromString(TQCString cert) {
-KSSLCertificate *n = NULL;
-#ifdef KSSL_HAVE_SSL
- if (cert.length() == 0)
- return NULL;
-
- TQByteArray qba, qbb = cert.copy();
- KCodecs::base64Decode(qbb, qba);
- unsigned char *qbap = reinterpret_cast<unsigned char *>(qba.data());
- X509_CRL *x5c = KOSSL::self()->d2i_X509_CRL(NULL, &qbap, qba.size());
- if (!x5c) {
- return NULL;
- }
-
- n = new KSSLCertificate;
- n->setCRL(x5c);
-#endif
-return n;
-}
-
-
-
-TQString KSSLCertificate::getSubject() const {
-TQString rc = "";
-
-#ifdef KSSL_HAVE_SSL
- char *t = d->kossl->X509_NAME_oneline(d->kossl->X509_get_subject_name(d->m_cert), 0, 0);
- if (!t)
- return rc;
- rc = t;
- d->kossl->CRYPTO_free(t);
-#endif
-return rc;
-}
-
-
-TQString KSSLCertificate::getSerialNumber() const {
-TQString rc = "";
-
-#ifdef KSSL_HAVE_SSL
- ASN1_INTEGER *aint = d->kossl->X509_get_serialNumber(d->m_cert);
- if (aint) {
- rc = ASN1_INTEGER_QString(aint);
- // d->kossl->ASN1_INTEGER_free(aint); this makes the sig test fail
- }
-#endif
-return rc;
-}
-
-
-TQString KSSLCertificate::getSignatureText() const {
-TQString rc = "";
-
-#ifdef KSSL_HAVE_SSL
-char *s;
-int n, i;
-
- const ASN1_BIT_STRING *signature = 0L;
- const X509_ALGOR *sig_alg = 0L;
- d->kossl->X509_get0_signature(&signature, &sig_alg, d->m_cert);
- i = d->kossl->OBJ_obj2nid(sig_alg->algorithm);
- rc = i18n("Signature Algorithm: ");
- rc += (i == NID_undef)?i18n("Unknown"):TQString(d->kossl->OBJ_nid2ln(i));
-
- rc += "\n";
- rc += i18n("Signature Contents:");
- n = signature->length;
- s = (char *)signature->data;
- for (i = 0; i < n; i++) {
- if (i%20 != 0) rc += ":";
- else rc += "\n";
- rc.append(hv[(s[i]&0xf0)>>4]);
- rc.append(hv[s[i]&0x0f]);
- }
-
-#endif
-
-return rc;
-}
-
-
-void KSSLCertificate::getEmails(TQStringList &to) const {
- to.clear();
-#ifdef KSSL_HAVE_SSL
- if (!d->m_cert)
- return;
-
- STACK *s = d->kossl->X509_get1_email(d->m_cert);
- if (s) {
- for(int n=0; n < d->kossl->OPENSSL_sk_num(s); n++) {
- to.append(d->kossl->OPENSSL_sk_value(s,n));
- }
- d->kossl->X509_email_free(s);
- }
-#endif
-}
-
-
-TQString KSSLCertificate::getKDEKey() const {
- return getSubject() + " (" + getMD5DigestText() + ")";
-}
-
-
-TQString KSSLCertificate::getMD5DigestFromKDEKey(const TQString &k) {
- TQString rc;
- int pos = k.findRev('(');
- if (pos != -1) {
- unsigned int len = k.length();
- if (k.at(len-1) == ')') {
- rc = k.mid(pos+1, len-pos-2);
- }
- }
- return rc;
-}
-
-
-TQString KSSLCertificate::getMD5DigestText() const {
-TQString rc = "";
-
-#ifdef KSSL_HAVE_SSL
- unsigned int n;
- unsigned char md[EVP_MAX_MD_SIZE];
-
- if (!d->kossl->X509_digest(d->m_cert, d->kossl->EVP_md5(), md, &n)) {
- return rc;
- }
-
- for (unsigned int j = 0; j < n; j++) {
- if (j > 0)
- rc += ":";
- rc.append(hv[(md[j]&0xf0)>>4]);
- rc.append(hv[md[j]&0x0f]);
- }
-
-#endif
-
-return rc;
-}
-
-
-
-TQString KSSLCertificate::getMD5Digest() const {
-TQString rc = "";
-
-#ifdef KSSL_HAVE_SSL
- unsigned int n;
- unsigned char md[EVP_MAX_MD_SIZE];
-
- if (!d->kossl->X509_digest(d->m_cert, d->kossl->EVP_md5(), md, &n)) {
- return rc;
- }
-
- for (unsigned int j = 0; j < n; j++) {
- rc.append(hv[(md[j]&0xf0)>>4]);
- rc.append(hv[md[j]&0x0f]);
- }
-
-#endif
-
-return rc;
-}
-
-
-
-TQString KSSLCertificate::getKeyType() const {
-TQString rc = "";
-
-#ifdef KSSL_HAVE_SSL
- EVP_PKEY *pkey = d->kossl->X509_get_pubkey(d->m_cert);
- if (pkey) {
- #ifndef NO_RSA
- if (d->kossl->EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA)
- rc = "RSA";
- else
- #endif
- #ifndef NO_DSA
- if (d->kossl->EVP_PKEY_base_id(pkey) == EVP_PKEY_DSA)
- rc = "DSA";
- else
- #endif
- rc = "Unknown";
- d->kossl->EVP_PKEY_free(pkey);
- }
-#endif
-
-return rc;
-}
-
-
-
-TQString KSSLCertificate::getPublicKeyText() const {
-TQString rc = "";
-char *x = NULL;
-
-#ifdef KSSL_HAVE_SSL
- EVP_PKEY *pkey = d->kossl->X509_get_pubkey(d->m_cert);
- if (pkey) {
- rc = i18n("Unknown", "Unknown key algorithm");
- #ifndef NO_RSA
- if (d->kossl->EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA) {
- rc = i18n("Key type: RSA (%1 bit)") + "\n";
-
- RSA *pkey_rsa = d->kossl->EVP_PKEY_get0_RSA(pkey);
- const BIGNUM *bn_n = 0L;
- const BIGNUM *bn_e = 0L;
- d->kossl->RSA_get0_key(pkey_rsa, &bn_n, &bn_e, NULL);
- x = d->kossl->BN_bn2hex(bn_n);
- rc += i18n("Modulus: ");
- rc = rc.arg(strlen(x)*4);
- for (unsigned int i = 0; i < strlen(x); i++) {
- if (i%40 != 0 && i%2 == 0)
- rc += ":";
- else if (i%40 == 0)
- rc += "\n";
- rc += x[i];
- }
- rc += "\n";
- d->kossl->CRYPTO_free(x);
-
- x = d->kossl->BN_bn2hex(bn_e);
- rc += i18n("Exponent: 0x") + x + "\n";
- d->kossl->CRYPTO_free(x);
- }
- #endif
- #ifndef NO_DSA
- if (d->kossl->EVP_PKEY_base_id(pkey) == EVP_PKEY_DSA) {
- rc = i18n("Key type: DSA (%1 bit)") + "\n";
-
- DSA *pkey_dsa = d->kossl->EVP_PKEY_get0_DSA(pkey);
- const BIGNUM *bn_p = 0L;
- const BIGNUM *bn_q = 0L;
- const BIGNUM *bn_g = 0L;
- const BIGNUM *bn_pub_key = 0L;
- d->kossl->DSA_get0_pqg(pkey_dsa, &bn_p, &bn_q, &bn_g);
- d->kossl->DSA_get0_key(pkey_dsa, &bn_pub_key, NULL);
-
- x = d->kossl->BN_bn2hex(bn_p);
- rc += i18n("Prime: ");
- // hack - this may not be always accurate
- rc = rc.arg(strlen(x)*4) ;
- for (unsigned int i = 0; i < strlen(x); i++) {
- if (i%40 != 0 && i%2 == 0)
- rc += ":";
- else if (i%40 == 0)
- rc += "\n";
- rc += x[i];
- }
- rc += "\n";
- d->kossl->CRYPTO_free(x);
-
- x = d->kossl->BN_bn2hex(bn_q);
- rc += i18n("160 bit prime factor: ");
- for (unsigned int i = 0; i < strlen(x); i++) {
- if (i%40 != 0 && i%2 == 0)
- rc += ":";
- else if (i%40 == 0)
- rc += "\n";
- rc += x[i];
- }
- rc += "\n";
- d->kossl->CRYPTO_free(x);
-
- x = d->kossl->BN_bn2hex(bn_g);
- rc += TQString("g: ");
- for (unsigned int i = 0; i < strlen(x); i++) {
- if (i%40 != 0 && i%2 == 0)
- rc += ":";
- else if (i%40 == 0)
- rc += "\n";
- rc += x[i];
- }
- rc += "\n";
- d->kossl->CRYPTO_free(x);
-
- x = d->kossl->BN_bn2hex(bn_pub_key);
- rc += i18n("Public key: ");
- for (unsigned int i = 0; i < strlen(x); i++) {
- if (i%40 != 0 && i%2 == 0)
- rc += ":";
- else if (i%40 == 0)
- rc += "\n";
- rc += x[i];
- }
- rc += "\n";
- d->kossl->CRYPTO_free(x);
- }
- #endif
- d->kossl->EVP_PKEY_free(pkey);
- }
-#endif
-
-return rc;
-}
-
-
-
-TQString KSSLCertificate::getIssuer() const {
-TQString rc = "";
-
-#ifdef KSSL_HAVE_SSL
- char *t = d->kossl->X509_NAME_oneline(d->kossl->X509_get_issuer_name(d->m_cert), 0, 0);
-
- if (!t)
- return rc;
-
- rc = t;
- d->kossl->CRYPTO_free(t);
-#endif
-
-return rc;
-}
-
-void KSSLCertificate::setChain(void *c) {
-#ifdef KSSL_HAVE_SSL
- d->_chain.setChain(c);
-#endif
- d->m_stateCached = false;
- d->m_stateCache = KSSLCertificate::Unknown;
-}
-
-void KSSLCertificate::setCert(X509 *c) {
-#ifdef KSSL_HAVE_SSL
-d->m_cert = c;
-if (c) {
- d->_extensions.flags = 0;
- d->kossl->X509_check_purpose(c, -1, 0); // setup the fields (!!)
-
-#if 0
- kdDebug(7029) << "---------------- Certificate ------------------"
- << endl;
- kdDebug(7029) << getSubject() << endl;
-#endif
-
- for (int j = 0; j < d->kossl->X509_PURPOSE_get_count(); j++) {
- X509_PURPOSE *ptmp = d->kossl->X509_PURPOSE_get0(j);
- int id = d->kossl->X509_PURPOSE_get_id(ptmp);
- for (int ca = 0; ca < 2; ca++) {
- int idret = d->kossl->X509_check_purpose(c, id, ca);
- if (idret == 1 || idret == 2) { // have it
-// kdDebug() << "PURPOSE: " << id << (ca?" CA":"") << endl;
- if (!ca)
- d->_extensions.flags |= (1L <<(id-1));
- else d->_extensions.flags |= (1L <<(16+id-1));
- } else {
- if (!ca)
- d->_extensions.flags &= ~(1L <<(id-1));
- else d->_extensions.flags &= ~(1L <<(16+id-1));
- }
- }
- }
-
-#if 0
- kdDebug(7029) << "flags: " << TQString::number(c->ex_flags, 2)
- << "\nkeyusage: " << TQString::number(c->ex_kusage, 2)
- << "\nxkeyusage: " << TQString::number(c->ex_xkusage, 2)
- << "\nnscert: " << TQString::number(c->ex_nscert, 2)
- << endl;
- if (c->ex_flags & EXFLAG_KUSAGE)
- kdDebug(7029) << " --- Key Usage extensions found" << endl;
- else kdDebug(7029) << " --- Key Usage extensions NOT found" << endl;
-
- if (c->ex_flags & EXFLAG_XKUSAGE)
- kdDebug(7029) << " --- Extended key usage extensions found" << endl;
- else kdDebug(7029) << " --- Extended key usage extensions NOT found" << endl;
-
- if (c->ex_flags & EXFLAG_NSCERT)
- kdDebug(7029) << " --- NS extensions found" << endl;
- else kdDebug(7029) << " --- NS extensions NOT found" << endl;
-
- if (d->_extensions.certTypeSSLCA())
- kdDebug(7029) << "NOTE: this is an SSL CA file." << endl;
- else kdDebug(7029) << "NOTE: this is NOT an SSL CA file." << endl;
-
- if (d->_extensions.certTypeEmailCA())
- kdDebug(7029) << "NOTE: this is an EMAIL CA file." << endl;
- else kdDebug(7029) << "NOTE: this is NOT an EMAIL CA file." << endl;
-
- if (d->_extensions.certTypeCodeCA())
- kdDebug(7029) << "NOTE: this is a CODE CA file." << endl;
- else kdDebug(7029) << "NOTE: this is NOT a CODE CA file." << endl;
-
- if (d->_extensions.certTypeSSLClient())
- kdDebug(7029) << "NOTE: this is an SSL client." << endl;
- else kdDebug(7029) << "NOTE: this is NOT an SSL client." << endl;
-
- if (d->_extensions.certTypeSSLServer())
- kdDebug(7029) << "NOTE: this is an SSL server." << endl;
- else kdDebug(7029) << "NOTE: this is NOT an SSL server." << endl;
-
- if (d->_extensions.certTypeNSSSLServer())
- kdDebug(7029) << "NOTE: this is a NETSCAPE SSL server." << endl;
- else kdDebug(7029) << "NOTE: this is NOT a NETSCAPE SSL server." << endl;
-
- if (d->_extensions.certTypeSMIME())
- kdDebug(7029) << "NOTE: this is an SMIME certificate." << endl;
- else kdDebug(7029) << "NOTE: this is NOT an SMIME certificate." << endl;
-
- if (d->_extensions.certTypeSMIMEEncrypt())
- kdDebug(7029) << "NOTE: this is an SMIME encrypt cert." << endl;
- else kdDebug(7029) << "NOTE: this is NOT an SMIME encrypt cert." << endl;
-
- if (d->_extensions.certTypeSMIMESign())
- kdDebug(7029) << "NOTE: this is an SMIME sign cert." << endl;
- else kdDebug(7029) << "NOTE: this is NOT an SMIME sign cert." << endl;
-
- if (d->_extensions.certTypeCRLSign())
- kdDebug(7029) << "NOTE: this is a CRL signer." << endl;
- else kdDebug(7029) << "NOTE: this is NOT a CRL signer." << endl;
-
- kdDebug(7029) << "-----------------------------------------------"
- << endl;
-#endif
-}
-#endif
-d->m_stateCached = false;
-d->m_stateCache = KSSLCertificate::Unknown;
-}
-
-void KSSLCertificate::setCRL(X509_CRL *c) {
-#ifdef KSSL_HAVE_SSL
-d->m_cert_crl = c;
-if (c) {
- d->_extensions.flags = 0;
-}
-#endif
-d->m_stateCached = false;
-d->m_stateCache = KSSLCertificate::Unknown;
-}
-
-X509 *KSSLCertificate::getCert() {
-#ifdef KSSL_HAVE_SSL
- return d->m_cert;
-#endif
-return 0;
-}
-
-// pull in the callback. It's common across multiple files but we want
-// it to be hidden.
-
-#include "ksslcallback.c"
-
-
-bool KSSLCertificate::isValid(KSSLCertificate::KSSLPurpose p) {
- return (validate(p) == KSSLCertificate::Ok);
-}
-
-
-bool KSSLCertificate::isValid() {
- return isValid(KSSLCertificate::SSLServer);
-}
-
-
-int KSSLCertificate::purposeToOpenSSL(KSSLCertificate::KSSLPurpose p) const {
-int rc = 0;
-#ifdef KSSL_HAVE_SSL
- if (p == KSSLCertificate::SSLServer) {
- rc = X509_PURPOSE_SSL_SERVER;
- } else if (p == KSSLCertificate::SSLClient) {
- rc = X509_PURPOSE_SSL_CLIENT;
- } else if (p == KSSLCertificate::SMIMEEncrypt) {
- rc = X509_PURPOSE_SMIME_ENCRYPT;
- } else if (p == KSSLCertificate::SMIMESign) {
- rc = X509_PURPOSE_SMIME_SIGN;
- } else if (p == KSSLCertificate::Any) {
- rc = X509_PURPOSE_ANY;
- }
-#endif
-return rc;
-}
-
-
-// For backward compatibility
-KSSLCertificate::KSSLValidation KSSLCertificate::validate() {
- return validate(KSSLCertificate::SSLServer);
-}
-
-KSSLCertificate::KSSLValidation KSSLCertificate::validate(KSSLCertificate::KSSLPurpose purpose)
-{
- KSSLValidationList result = validateVerbose(purpose);
- if (result.isEmpty())
- return KSSLCertificate::Ok;
- else
- return result.first();
-}
-
-//
-// See apps/verify.c in OpenSSL for the source of most of this logic.
-//
-
-// CRL files? we don't do that yet
-KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertificate::KSSLPurpose purpose)
-{
- return validateVerbose(purpose, 0);
-}
-
-KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertificate::KSSLPurpose purpose, KSSLCertificate *ca)
-{
- KSSLValidationList errors;
- if (ca || (d->_lastPurpose != purpose)) {
- d->m_stateCached = false;
- }
-
- if (!d->m_stateCached)
- d->_lastPurpose = purpose;
-
-#ifdef KSSL_HAVE_SSL
- X509_STORE *certStore;
- X509_LOOKUP *certLookup;
- X509_STORE_CTX *certStoreCTX;
-
- if (!d->m_cert)
- {
- errors << KSSLCertificate::Unknown;
- return errors;
- }
-
- if (d->m_stateCached) {
- errors << d->m_stateCache;
- return errors;
- }
-
- TQStringList qsl = TDEGlobal::dirs()->resourceDirs("kssl");
-
- if (qsl.isEmpty()) {
- errors << KSSLCertificate::NoCARoot;
- return errors;
- }
-
- KSSLCertificate::KSSLValidation ksslv = Unknown;
-
- for (TQStringList::Iterator j = qsl.begin(); j != qsl.end(); ++j) {
- struct stat sb;
- TQString _j = (*j) + "ca-bundle.crt";
- if (-1 == stat(_j.ascii(), &sb)) {
- continue;
- }
-
- certStore = d->kossl->X509_STORE_new();
- if (!certStore) {
- errors << KSSLCertificate::Unknown;
- return errors;
- }
-
- d->kossl->X509_STORE_set_verify_cb(certStore, X509Callback);
-
- certLookup = d->kossl->X509_STORE_add_lookup(certStore, d->kossl->X509_LOOKUP_file());
- if (!certLookup) {
- ksslv = KSSLCertificate::Unknown;
- d->kossl->X509_STORE_free(certStore);
- continue;
- }
-
- if (!d->kossl->X509_LOOKUP_load_file(certLookup, _j.ascii(), X509_FILETYPE_PEM)) {
- // error accessing directory and loading pems
- kdDebug(7029) << "KSSL couldn't read CA root: "
- << _j << endl;
- ksslv = KSSLCertificate::ErrorReadingRoot;
- d->kossl->X509_STORE_free(certStore);
- continue;
- }
-
- // This is the checking code
- certStoreCTX = d->kossl->X509_STORE_CTX_new();
-
- // this is a bad error - could mean no free memory.
- // This may be the wrong thing to do here
- if (!certStoreCTX) {
- kdDebug(7029) << "KSSL couldn't create an X509 store context." << endl;
- d->kossl->X509_STORE_free(certStore);
- continue;
- }
-
- d->kossl->X509_STORE_CTX_init(certStoreCTX, certStore, d->m_cert, NULL);
- if (d->_chain.isValid()) {
- d->kossl->X509_STORE_CTX_set0_untrusted(certStoreCTX, (STACK_OF(X509)*)d->_chain.rawChain());
- }
-
- //kdDebug(7029) << "KSSL setting CRL.............." << endl;
- // int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
-
- d->kossl->X509_STORE_CTX_set_purpose(certStoreCTX, purposeToOpenSSL(purpose));
-
- KSSL_X509CallBack_ca = ca ? ca->d->m_cert : 0;
- KSSL_X509CallBack_ca_found = false;
-
- d->kossl->X509_STORE_CTX_set_error(certStoreCTX, X509_V_OK);
- d->kossl->X509_verify_cert(certStoreCTX);
- int errcode = d->kossl->X509_STORE_CTX_get_error(certStoreCTX);
- if (ca && !KSSL_X509CallBack_ca_found) {
- ksslv = KSSLCertificate::Irrelevant;
- } else {
- ksslv = processError(errcode);
- }
- // For servers, we can try NS_SSL_SERVER too
- if ( (ksslv != KSSLCertificate::Ok) &&
- (ksslv != KSSLCertificate::Irrelevant) &&
- purpose == KSSLCertificate::SSLServer) {
- d->kossl->X509_STORE_CTX_set_purpose(certStoreCTX,
- X509_PURPOSE_NS_SSL_SERVER);
-
- d->kossl->X509_STORE_CTX_set_error(certStoreCTX, X509_V_OK);
- d->kossl->X509_verify_cert(certStoreCTX);
- errcode = d->kossl->X509_STORE_CTX_get_error(certStoreCTX);
- ksslv = processError(errcode);
- }
- d->kossl->X509_STORE_CTX_free(certStoreCTX);
- d->kossl->X509_STORE_free(certStore);
- // end of checking code
- //
-
- //kdDebug(7029) << "KSSL Validation procedure RC: "
- // << rc << endl;
- //kdDebug(7029) << "KSSL Validation procedure errcode: "
- // << errcode << endl;
- //kdDebug(7029) << "KSSL Validation procedure RESULTS: "
- // << ksslv << endl;
-
- if (ksslv != NoCARoot && ksslv != InvalidCA) {
- d->m_stateCached = true;
- d->m_stateCache = ksslv;
- }
- break;
- }
-
- if (ksslv != KSSLCertificate::Ok)
- errors << ksslv;
-#else
- errors << KSSLCertificate::NoSSL;
-#endif
- return errors;
-}
-
-
-
-KSSLCertificate::KSSLValidation KSSLCertificate::revalidate() {
- return revalidate(KSSLCertificate::SSLServer);
-}
-
-
-KSSLCertificate::KSSLValidation KSSLCertificate::revalidate(KSSLCertificate::KSSLPurpose p) {
- d->m_stateCached = false;
- return validate(p);
-}
-
-
-KSSLCertificate::KSSLValidation KSSLCertificate::processError(int ec) {
-KSSLCertificate::KSSLValidation rc;
-
-rc = KSSLCertificate::Unknown;
-#ifdef KSSL_HAVE_SSL
- switch (ec) {
- case X509_V_OK: // OK
- rc = KSSLCertificate::Ok;
- break;
-
-
- case X509_V_ERR_CERT_REJECTED:
- rc = KSSLCertificate::Rejected;
- break;
-
-
- case X509_V_ERR_CERT_UNTRUSTED:
- rc = KSSLCertificate::Untrusted;
- break;
-
-
- case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
- case X509_V_ERR_CERT_SIGNATURE_FAILURE:
- case X509_V_ERR_CRL_SIGNATURE_FAILURE:
- case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
- case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
- rc = KSSLCertificate::SignatureFailed;
- break;
-
- case X509_V_ERR_INVALID_CA:
- case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
- case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
- case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
- rc = KSSLCertificate::InvalidCA;
- break;
-
-
- case X509_V_ERR_INVALID_PURPOSE:
- rc = KSSLCertificate::InvalidPurpose;
- break;
-
-
- case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
- rc = KSSLCertificate::SelfSigned;
- break;
-
- case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
- rc = KSSLCertificate::SelfSignedChain;
- break;
-
- case X509_V_ERR_CERT_REVOKED:
- rc = KSSLCertificate::Revoked;
- break;
-
- case X509_V_ERR_PATH_LENGTH_EXCEEDED:
- rc = KSSLCertificate::PathLengthExceeded;
- break;
-
- case X509_V_ERR_CERT_NOT_YET_VALID:
- case X509_V_ERR_CERT_HAS_EXPIRED:
- case X509_V_ERR_CRL_NOT_YET_VALID:
- case X509_V_ERR_CRL_HAS_EXPIRED:
- case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
- case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
- case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
- case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
- rc = KSSLCertificate::Expired;
- kdDebug(7029) << "KSSL apparently this is expired. Not after: "
- << getNotAfter() << endl;
- break;
-
- //case 1:
- case X509_V_ERR_APPLICATION_VERIFICATION:
- case X509_V_ERR_OUT_OF_MEM:
- case X509_V_ERR_UNABLE_TO_GET_CRL:
- case X509_V_ERR_CERT_CHAIN_TOO_LONG:
- default:
- rc = KSSLCertificate::Unknown;
- break;
-}
-
-d->m_stateCache = rc;
-d->m_stateCached = true;
-#endif
-return rc;
-}
-
-
-TQString KSSLCertificate::getNotBefore() const {
-#ifdef KSSL_HAVE_SSL
-return ASN1_UTCTIME_QString(d->kossl->X509_getm_notBefore(d->m_cert));
-#else
-return TQString::null;
-#endif
-}
-
-
-TQString KSSLCertificate::getNotAfter() const {
-#ifdef KSSL_HAVE_SSL
-return ASN1_UTCTIME_QString(d->kossl->X509_getm_notAfter(d->m_cert));
-#else
-return TQString::null;
-#endif
-}
-
-
-TQDateTime KSSLCertificate::getQDTNotBefore() const {
-#ifdef KSSL_HAVE_SSL
-return ASN1_UTCTIME_QDateTime(d->kossl->X509_getm_notBefore(d->m_cert), NULL);
-#else
-return TQDateTime::currentDateTime();
-#endif
-}
-
-
-TQDateTime KSSLCertificate::getQDTNotAfter() const {
-#ifdef KSSL_HAVE_SSL
-return ASN1_UTCTIME_QDateTime(d->kossl->X509_getm_notAfter(d->m_cert), NULL);
-#else
-return TQDateTime::currentDateTime();
-#endif
-}
-
-
-TQDateTime KSSLCertificate::getQDTLastUpdate() const {
-#ifdef KSSL_HAVE_SSL
-return ASN1_UTCTIME_QDateTime((ASN1_UTCTIME*)d->kossl->X509_CRL_get0_lastUpdate(d->m_cert_crl), NULL);
-#else
-return TQDateTime::currentDateTime();
-#endif
-}
-
-
-TQDateTime KSSLCertificate::getQDTNextUpdate() const {
-#ifdef KSSL_HAVE_SSL
-return ASN1_UTCTIME_QDateTime((ASN1_UTCTIME*)d->kossl->X509_CRL_get0_nextUpdate(d->m_cert_crl), NULL);
-#else
-return TQDateTime::currentDateTime();
-#endif
-}
-
-
-int operator==(KSSLCertificate &x, KSSLCertificate &y) {
-#ifndef KSSL_HAVE_SSL
- return 1;
-#else
- if (!KOSSL::self()->X509_cmp(x.getCert(), y.getCert())) return 1;
- return 0;
-#endif
-}
-
-
-KSSLCertificate *KSSLCertificate::replicate() {
-// The new certificate doesn't have the cached value. It's probably
-// better this way. We can't anticipate every reason for doing this.
-KSSLCertificate *newOne = new KSSLCertificate();
-#ifdef KSSL_HAVE_SSL
- newOne->setCert(d->kossl->X509_dup(getCert()));
- KSSLCertChain *c = d->_chain.replicate();
- newOne->setChain(c->rawChain());
- delete c;
-#endif
-return newOne;
-}
-
-
-TQString KSSLCertificate::toString() {
-return KCodecs::base64Encode(toDer());
-}
-
-
-TQString KSSLCertificate::verifyText(KSSLValidation x) {
-switch (x) {
-case KSSLCertificate::Ok:
- return i18n("The certificate is valid.");
-case KSSLCertificate::PathLengthExceeded:
-case KSSLCertificate::ErrorReadingRoot:
-case KSSLCertificate::NoCARoot:
- return i18n("Certificate signing authority root files could not be found so the certificate is not verified.");
-case KSSLCertificate::SelfSignedChain:
-case KSSLCertificate::InvalidCA:
- return i18n("Certificate signing authority is unknown or invalid.");
-case KSSLCertificate::SelfSigned:
- return i18n("Certificate is self-signed and thus may not be trustworthy.");
-case KSSLCertificate::Expired:
- return i18n("Certificate has expired.");
-case KSSLCertificate::Revoked:
- return i18n("Certificate has been revoked.");
-case KSSLCertificate::NoSSL:
- return i18n("SSL support was not found.");
-case KSSLCertificate::Untrusted:
- return i18n("Signature is untrusted.");
-case KSSLCertificate::SignatureFailed:
- return i18n("Signature test failed.");
-case KSSLCertificate::Rejected:
-case KSSLCertificate::InvalidPurpose:
- return i18n("Rejected, possibly due to an invalid purpose.");
-case KSSLCertificate::PrivateKeyFailed:
- return i18n("Private key test failed.");
-case KSSLCertificate::InvalidHost:
- return i18n("The certificate has not been issued for this host.");
-case KSSLCertificate::Irrelevant:
- return i18n("This certificate is not relevant.");
-default:
-break;
-}
-
-return i18n("The certificate is invalid.");
-}
-
-
-TQByteArray KSSLCertificate::toDer() {
-TQByteArray qba;
-#ifdef KSSL_HAVE_SSL
-unsigned int certlen = d->kossl->i2d_X509(getCert(), NULL);
-unsigned char *cert = new unsigned char[certlen];
-unsigned char *p = cert;
- // FIXME: return code!
- d->kossl->i2d_X509(getCert(), &p);
-
- // encode it into a QString
- qba.duplicate((const char*)cert, certlen);
- delete[] cert;
-#endif
-return qba;
-}
-
-
-
-TQByteArray KSSLCertificate::toPem() {
-TQByteArray qba;
-TQString thecert = toString();
-const char *header = "-----BEGIN CERTIFICATE-----\n";
-const char *footer = "-----END CERTIFICATE-----\n";
-
- // We just do base64 on the ASN1
- // 64 character lines (unpadded)
- unsigned int xx = thecert.length() - 1;
- for (unsigned int i = 0; i < xx/64; i++) {
- thecert.insert(64*(i+1)+i, '\n');
- }
-
- thecert.prepend(header);
-
- if (thecert[thecert.length()-1] != '\n')
- thecert += "\n";
-
- thecert.append(footer);
-
- qba.duplicate(thecert.local8Bit(), thecert.length());
-return qba;
-}
-
-
-#define NETSCAPE_CERT_HDR "certificate"
-#ifdef KSSL_HAVE_SSL
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-typedef struct NETSCAPE_X509_st
-{
- ASN1_OCTET_STRING *header;
- X509 *cert;
-} NETSCAPE_X509;
-#endif
-#endif
-
-// what a piece of crap this is
-TQByteArray KSSLCertificate::toNetscape() {
-TQByteArray qba;
-#ifdef KSSL_HAVE_SSL
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
- NETSCAPE_X509 nx;
- ASN1_OCTET_STRING hdr;
-#else
- ASN1_HEADER ah;
- ASN1_OCTET_STRING os;
-#endif
- KTempFile ktf;
-
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
- hdr.data = (unsigned char *)NETSCAPE_CERT_HDR;
- hdr.length = strlen(NETSCAPE_CERT_HDR);
- nx.header = &hdr;
- nx.cert = getCert();
-
- d->kossl->ASN1_i2d_fp(ktf.fstream(),(unsigned char *)&nx);
-#else
- os.data = (unsigned char *)NETSCAPE_CERT_HDR;
- os.length = strlen(NETSCAPE_CERT_HDR);
- ah.header = &os;
- ah.data = (char *)getCert();
- ah.meth = d->kossl->X509_asn1_meth();
-
- d->kossl->ASN1_i2d_fp(ktf.fstream(),(unsigned char *)&ah);
-#endif
-
- ktf.close();
-
- TQFile qf(ktf.name());
- qf.open(IO_ReadOnly);
- char *buf = new char[qf.size()];
- qf.readBlock(buf, qf.size());
- qba.duplicate(buf, qf.size());
- qf.close();
- delete[] buf;
-
- ktf.unlink();
-
-#endif
-return qba;
-}
-
-
-
-TQString KSSLCertificate::toText() {
-TQString text;
-#ifdef KSSL_HAVE_SSL
-KTempFile ktf;
-
- d->kossl->X509_print(ktf.fstream(), getCert());
- ktf.close();
-
- TQFile qf(ktf.name());
- qf.open(IO_ReadOnly);
- char *buf = new char[qf.size()+1];
- qf.readBlock(buf, qf.size());
- buf[qf.size()] = 0;
- text = buf;
- delete[] buf;
- qf.close();
- ktf.unlink();
-#endif
-return text;
-}
-
-// KDE 4: Make it const TQString &
-bool KSSLCertificate::setCert(TQString& cert) {
-#ifdef KSSL_HAVE_SSL
-TQByteArray qba, qbb = cert.local8Bit().copy();
- KCodecs::base64Decode(qbb, qba);
- unsigned char *qbap = reinterpret_cast<unsigned char *>(qba.data());
- X509 *x5c = KOSSL::self()->d2i_X509(NULL, &qbap, qba.size());
- if (x5c) {
- setCert(x5c);
- return true;
- }
-#endif
-return false;
-}
-
-
-KSSLX509V3& KSSLCertificate::x509V3Extensions() {
-return d->_extensions;
-}
-
-
-bool KSSLCertificate::isSigner() {
-return d->_extensions.certTypeCA();
-}
-
-
-TQStringList KSSLCertificate::subjAltNames() const {
- TQStringList rc;
-#ifdef KSSL_HAVE_SSL
- STACK_OF(GENERAL_NAME) *names;
- names = (STACK_OF(GENERAL_NAME)*)d->kossl->X509_get_ext_d2i(d->m_cert, NID_subject_alt_name, 0, 0);
-
- if (!names) {
- return rc;
- }
-
- int cnt = d->kossl->OPENSSL_sk_num(names);
-
- for (int i = 0; i < cnt; i++) {
- const GENERAL_NAME *val = (const GENERAL_NAME *)d->kossl->OPENSSL_sk_value(names, i);
- if (val->type != GEN_DNS) {
- continue;
- }
-
- TQString s = (const char *)d->kossl->ASN1_STRING_data(val->d.ia5);
- if (!s.isEmpty() &&
- /* skip subjectAltNames with embedded NULs */
- s.length() == (unsigned int)d->kossl->ASN1_STRING_length(val->d.ia5)) {
- rc += s;
- }
- }
- d->kossl->OPENSSL_sk_free(names);
-#endif
- return rc;
-}
-
-
-TQDataStream& operator<<(TQDataStream& s, const KSSLCertificate& r) {
-TQStringList qsl;
-TQPtrList<KSSLCertificate> cl = const_cast<KSSLCertificate&>(r).chain().getChain();
-
- for (KSSLCertificate *c = cl.first(); c != 0; c = cl.next()) {
- qsl << c->toString();
- }
-
- cl.setAutoDelete(true);
-
- s << const_cast<KSSLCertificate&>(r).toString() << qsl;
-
-return s;
-}
-
-
-TQDataStream& operator>>(TQDataStream& s, KSSLCertificate& r) {
-TQStringList qsl;
-TQString cert;
-
-s >> cert >> qsl;
-
- if (r.setCert(cert) && !qsl.isEmpty())
- r.chain().setCertChain(qsl);
-
-return s;
-}
-
-
-