TDE core libraries
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

ksslcertificate.h 10KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398
  1. /* This file is part of the KDE project
  2. *
  3. * Copyright (C) 2000-2003 George Staikos <staikos@kde.org>
  4. *
  5. * This library is free software; you can redistribute it and/or
  6. * modify it under the terms of the GNU Library General Public
  7. * License as published by the Free Software Foundation; either
  8. * version 2 of the License, or (at your option) any later version.
  9. *
  10. * This library is distributed in the hope that it will be useful,
  11. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  13. * Library General Public License for more details.
  14. *
  15. * You should have received a copy of the GNU Library General Public License
  16. * along with this library; see the file COPYING.LIB. If not, write to
  17. * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
  18. * Boston, MA 02110-1301, USA.
  19. */
  20. #ifndef _KSSLCERTIFICATE_H
  21. #define _KSSLCERTIFICATE_H
  22. // UPDATE: I like the structure of this class less and less every time I look
  23. // at it. I think it needs to change.
  24. //
  25. //
  26. // The biggest reason for making everything protected here is so that
  27. // the class can have all it's methods available even if openssl is not
  28. // available. Also, to create a new certificate you should use the
  29. // KSSLCertificateFactory, and to manage the user's database of certificates,
  30. // you should go through the KSSLCertificateHome.
  31. //
  32. // There should be no reason to touch the X509 stuff directly.
  33. //
  34. #include <tqcstring.h>
  35. #include <tqvaluelist.h>
  36. class TQString;
  37. class TQStringList;
  38. class TQCString;
  39. class KSSL;
  40. class KSSLCertificatePrivate;
  41. class TQDateTime;
  42. class KSSLCertChain;
  43. class KSSLX509V3;
  44. #include <tdelibs_export.h>
  45. #ifdef Q_WS_WIN
  46. #include "ksslconfig_win.h"
  47. #else
  48. #include "ksslconfig.h"
  49. #endif
  50. #ifdef KSSL_HAVE_SSL
  51. typedef struct x509_st X509;
  52. typedef struct X509_crl_st X509_CRL;
  53. #else
  54. class X509;
  55. class X509_CRL;
  56. #endif
  57. /**
  58. * KDE X.509 Certificate
  59. *
  60. * This class represents an X.509 (SSL) certificate.
  61. * Note: this object is VERY HEAVY TO COPY. Please try to use reference
  62. * or pointer whenever possible
  63. *
  64. * @author George Staikos <staikos@kde.org>
  65. * @see KSSL
  66. * @short KDE X.509 Certificate
  67. */
  68. class TDEIO_EXPORT KSSLCertificate {
  69. friend class KSSL;
  70. friend class KSSLCertificateHome;
  71. friend class KSSLCertificateFactory;
  72. friend class KSSLCertificateCache;
  73. friend class KSSLCertChain;
  74. friend class KSSLPeerInfo;
  75. friend class KSSLPKCS12;
  76. friend class KSSLD;
  77. friend class KSMIMECryptoPrivate;
  78. public:
  79. /**
  80. * Destroy this X.509 certificate.
  81. */
  82. ~KSSLCertificate();
  83. /**
  84. * Create an X.509 certificate from a base64 encoded string.
  85. * @param cert the certificate in base64 form
  86. * @return the X.509 certificate, or NULL
  87. */
  88. static KSSLCertificate *fromString(TQCString cert);
  89. /**
  90. * Create an X.509 CRL certificate from a base64 encoded string.
  91. * @param cert the certificate in base64 form
  92. * @return the X.509 CRL certificate, or NULL
  93. */
  94. static KSSLCertificate *crlFromString(TQCString cert);
  95. /**
  96. * Create an X.509 certificate from the internal representation.
  97. * This one duplicates the X509 object for itself.
  98. * @param x5 the OpenSSL representation of the certificate
  99. * @return the X.509 certificate, or NULL
  100. * @internal
  101. */
  102. static KSSLCertificate *fromX509(X509 *x5);
  103. /**
  104. * A CA certificate can be validated as Irrelevant when it was
  105. * not used to sign any other relevant certificate.
  106. */
  107. enum KSSLValidation { Unknown, Ok, NoCARoot, InvalidPurpose,
  108. PathLengthExceeded, InvalidCA, Expired,
  109. SelfSigned, ErrorReadingRoot, NoSSL,
  110. Revoked, Untrusted, SignatureFailed,
  111. Rejected, PrivateKeyFailed, InvalidHost,
  112. Irrelevant, SelfSignedChain
  113. };
  114. enum KSSLPurpose { None=0, SSLServer=1, SSLClient=2,
  115. SMIMESign=3, SMIMEEncrypt=4, Any=5 };
  116. typedef TQValueList<KSSLValidation> KSSLValidationList;
  117. /**
  118. * Convert this certificate to a string.
  119. * @return the certificate in base64 format
  120. */
  121. TQString toString();
  122. /**
  123. * Get the subject of the certificate (X.509 map).
  124. * @return the subject
  125. */
  126. TQString getSubject() const;
  127. /**
  128. * Get the issuer of the certificate (X.509 map).
  129. * @return the issuer
  130. */
  131. TQString getIssuer() const;
  132. /**
  133. * Get the date that the certificate becomes valid on.
  134. * @return the date as a string, localised
  135. */
  136. TQString getNotBefore() const;
  137. /**
  138. * Get the date that the certificate is valid until.
  139. * @return the date as a string, localised
  140. */
  141. TQString getNotAfter() const;
  142. /**
  143. * Get the date that the certificate becomes valid on.
  144. * @return the date
  145. */
  146. TQDateTime getQDTNotBefore() const;
  147. /**
  148. * Get the date that the certificate is valid until.
  149. * @return the date
  150. */
  151. TQDateTime getQDTNotAfter() const;
  152. /**
  153. * Get the date that the CRL was generated on.
  154. * @return the date
  155. */
  156. TQDateTime getQDTLastUpdate() const;
  157. /**
  158. * Get the date that the CRL must be updated by.
  159. * @return the date
  160. */
  161. TQDateTime getQDTNextUpdate() const;
  162. /**
  163. * Convert the certificate to DER (ASN.1) format.
  164. * @return the binary data of the DER encoding
  165. */
  166. TQByteArray toDer();
  167. /**
  168. * Convert the certificate to PEM (base64) format.
  169. * @return the binary data of the PEM encoding
  170. */
  171. TQByteArray toPem();
  172. /**
  173. * Convert the certificate to Netscape format.
  174. * @return the binary data of the Netscape encoding
  175. */
  176. TQByteArray toNetscape();
  177. /**
  178. * Convert the certificate to OpenSSL plain text format.
  179. * @return the OpenSSL text encoding
  180. */
  181. TQString toText();
  182. /**
  183. * Get the serial number of the certificate.
  184. * @return the serial number as a string
  185. */
  186. TQString getSerialNumber() const;
  187. /**
  188. * Get the key type (RSA, DSA, etc).
  189. * @return the key type as a string
  190. */
  191. TQString getKeyType() const;
  192. /**
  193. * Get the public key.
  194. * @return the public key as a hexidecimal string
  195. */
  196. TQString getPublicKeyText() const;
  197. /**
  198. * Get the MD5 digest of the certificate.
  199. * Result is padded with : to separate bytes - it's a text version!
  200. * @return the MD5 digest in a hexidecimal string
  201. */
  202. TQString getMD5DigestText() const;
  203. /**
  204. * Get the MD5 digest of the certificate.
  205. * @return the MD5 digest in a hexidecimal string
  206. */
  207. TQString getMD5Digest() const;
  208. /**
  209. * Get the signature.
  210. * @return the signature in text format
  211. */
  212. TQString getSignatureText() const;
  213. /**
  214. * Check if this is a valid certificate. Will use cached data.
  215. * @return true if it is valid
  216. */
  217. bool isValid();
  218. /**
  219. * Check if this is a valid certificate. Will use cached data.
  220. * @param p the purpose to validate for
  221. * @return true if it is valid
  222. */
  223. bool isValid(KSSLPurpose p);
  224. /**
  225. * The alternate subject name.
  226. * @return string list with subjectAltName
  227. */
  228. TQStringList subjAltNames() const;
  229. /**
  230. * Check if this is a valid certificate. Will use cached data.
  231. * @return the result of the validation
  232. */
  233. KSSLValidation validate();
  234. /**
  235. * Check if this is a valid certificate. Will use cached data.
  236. * @param p the purpose to validate for
  237. * @return the result of the validation
  238. */
  239. KSSLValidation validate(KSSLPurpose p);
  240. /**
  241. * Check if this is a valid certificate. Will use cached data.
  242. * @param p the purpose to validate for
  243. * @return all problems encountered during validation
  244. */
  245. KSSLValidationList validateVerbose(KSSLPurpose p);
  246. /**
  247. * Check if the certificate ca is a proper CA for this
  248. * certificate.
  249. * @param p the purpose to validate for
  250. * @param ca the certificate to check
  251. * @return all problems encountered during validation
  252. */
  253. KSSLValidationList validateVerbose(KSSLPurpose p, KSSLCertificate *ca);
  254. /**
  255. * Check if this is a valid certificate. Will NOT use cached data.
  256. * @return the result of the validation
  257. */
  258. KSSLValidation revalidate();
  259. /**
  260. * Check if this is a valid certificate. Will NOT use cached data.
  261. * @param p the purpose to validate for
  262. * @return the result of the validation
  263. */
  264. KSSLValidation revalidate(KSSLPurpose p);
  265. /**
  266. * Get a reference to the certificate chain.
  267. * @return reference to the chain
  268. */
  269. KSSLCertChain& chain();
  270. /**
  271. * Obtain the localized message that corresponds to a validation result.
  272. * @param x the code to look up
  273. * @return the message text corresponding to the validation code
  274. */
  275. static TQString verifyText(KSSLValidation x);
  276. /**
  277. * Explicitly make a copy of this certificate.
  278. * @return a copy of the certificate
  279. */
  280. KSSLCertificate *replicate();
  281. /**
  282. * Copy constructor. Beware, this is very expensive.
  283. * @param x the object to copy from
  284. */
  285. KSSLCertificate(const KSSLCertificate& x); // copy constructor
  286. /**
  287. * Re-set the certificate from a base64 string.
  288. * @param cert the certificate to set to
  289. * @return true on success
  290. */
  291. bool setCert(TQString& cert);
  292. /**
  293. * Access the X.509v3 parameters.
  294. * @return reference to the extension object
  295. * @see KSSLX509V3
  296. */
  297. KSSLX509V3& x509V3Extensions();
  298. /**
  299. * Check if this is a signer certificate.
  300. * @return true if this is a signer certificate
  301. */
  302. bool isSigner();
  303. /**
  304. * FIXME: document
  305. */
  306. void getEmails(TQStringList& to) const;
  307. /**
  308. * KDEKey is a concatenation "Subject (MD5)", mostly needed for SMIME.
  309. * The result of getKDEKey might change and should not be used for
  310. * persistant storage.
  311. */
  312. TQString getKDEKey() const;
  313. /**
  314. * Aegypten semantics force us to search by MD5Digest only.
  315. */
  316. static TQString getMD5DigestFromKDEKey(const TQString& k);
  317. private:
  318. TDEIO_EXPORT friend int operator!=(KSSLCertificate& x, KSSLCertificate& y);
  319. TDEIO_EXPORT friend int operator==(KSSLCertificate& x, KSSLCertificate& y);
  320. KSSLCertificatePrivate *d;
  321. int purposeToOpenSSL(KSSLPurpose p) const;
  322. protected:
  323. KSSLCertificate();
  324. void setCert(X509 *c);
  325. void setCRL(X509_CRL *c);
  326. void setChain(void *c);
  327. X509 *getCert();
  328. KSSLValidation processError(int ec);
  329. };
  330. TDEIO_EXPORT TQDataStream& operator<<(TQDataStream& s, const KSSLCertificate& r);
  331. TDEIO_EXPORT TQDataStream& operator>>(TQDataStream& s, KSSLCertificate& r);
  332. TDEIO_EXPORT int operator==(KSSLCertificate& x, KSSLCertificate& y);
  333. TDEIO_EXPORT inline int operator!=(KSSLCertificate& x, KSSLCertificate& y)
  334. { return !(x == y); }
  335. #endif