|
|
|
/* This file is part of the KDE project
|
|
|
|
*
|
|
|
|
* Copyright (C) 2000-2003 George Staikos <staikos@kde.org>
|
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Library General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
* version 2 of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Library General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Library General Public License
|
|
|
|
* along with this library; see the file COPYING.LIB. If not, write to
|
|
|
|
* the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
|
|
|
* Boston, MA 02110-1301, USA.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef _KSSLCERTIFICATE_H
|
|
|
|
#define _KSSLCERTIFICATE_H
|
|
|
|
|
|
|
|
|
|
|
|
// UPDATE: I like the structure of this class less and less every time I look
|
|
|
|
// at it. I think it needs to change.
|
|
|
|
//
|
|
|
|
//
|
|
|
|
// The biggest reason for making everything protected here is so that
|
|
|
|
// the class can have all it's methods available even if openssl is not
|
|
|
|
// available. Also, to create a new certificate you should use the
|
|
|
|
// KSSLCertificateFactory, and to manage the user's database of certificates,
|
|
|
|
// you should go through the KSSLCertificateHome.
|
|
|
|
//
|
|
|
|
// There should be no reason to touch the X509 stuff directly.
|
|
|
|
//
|
|
|
|
|
|
|
|
#include <tqcstring.h>
|
|
|
|
#include <tqvaluelist.h>
|
|
|
|
|
|
|
|
class TQString;
|
|
|
|
class TQStringList;
|
|
|
|
class TQCString;
|
|
|
|
class KSSL;
|
|
|
|
class KSSLCertificatePrivate;
|
|
|
|
class TQDateTime;
|
|
|
|
class KSSLCertChain;
|
|
|
|
class KSSLX509V3;
|
|
|
|
|
|
|
|
#include <tdelibs_export.h>
|
|
|
|
|
|
|
|
#ifdef TQ_WS_WIN
|
|
|
|
#include "ksslconfig_win.h"
|
|
|
|
#else
|
|
|
|
#include "ksslconfig.h"
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifdef KSSL_HAVE_SSL
|
|
|
|
typedef struct x509_st X509;
|
|
|
|
typedef struct X509_crl_st X509_CRL;
|
|
|
|
#else
|
|
|
|
class X509;
|
|
|
|
class X509_CRL;
|
|
|
|
#endif
|
|
|
|
|
|
|
|
/**
|
|
|
|
* KDE X.509 Certificate
|
|
|
|
*
|
|
|
|
* This class represents an X.509 (SSL) certificate.
|
|
|
|
* Note: this object is VERY HEAVY TO COPY. Please try to use reference
|
|
|
|
* or pointer whenever possible
|
|
|
|
*
|
|
|
|
* @author George Staikos <staikos@kde.org>
|
|
|
|
* @see KSSL
|
|
|
|
* @short KDE X.509 Certificate
|
|
|
|
*/
|
|
|
|
class TDEIO_EXPORT KSSLCertificate {
|
|
|
|
friend class KSSL;
|
|
|
|
friend class KSSLCertificateHome;
|
|
|
|
friend class KSSLCertificateFactory;
|
|
|
|
friend class KSSLCertificateCache;
|
|
|
|
friend class KSSLCertChain;
|
|
|
|
friend class KSSLPeerInfo;
|
|
|
|
friend class KSSLPKCS12;
|
|
|
|
friend class KSSLD;
|
|
|
|
friend class KSMIMECryptoPrivate;
|
|
|
|
|
|
|
|
|
|
|
|
public:
|
|
|
|
/**
|
|
|
|
* Destroy this X.509 certificate.
|
|
|
|
*/
|
|
|
|
~KSSLCertificate();
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Create an X.509 certificate from a base64 encoded string.
|
|
|
|
* @param cert the certificate in base64 form
|
|
|
|
* @return the X.509 certificate, or NULL
|
|
|
|
*/
|
|
|
|
static KSSLCertificate *fromString(TQCString cert);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Create an X.509 CRL certificate from a base64 encoded string.
|
|
|
|
* @param cert the certificate in base64 form
|
|
|
|
* @return the X.509 CRL certificate, or NULL
|
|
|
|
*/
|
|
|
|
static KSSLCertificate *crlFromString(TQCString cert);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Create an X.509 certificate from the internal representation.
|
|
|
|
* This one duplicates the X509 object for itself.
|
|
|
|
* @param x5 the OpenSSL representation of the certificate
|
|
|
|
* @return the X.509 certificate, or NULL
|
|
|
|
* @internal
|
|
|
|
*/
|
|
|
|
static KSSLCertificate *fromX509(X509 *x5);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* A CA certificate can be validated as Irrelevant when it was
|
|
|
|
* not used to sign any other relevant certificate.
|
|
|
|
*/
|
|
|
|
enum KSSLValidation { Unknown, Ok, NoCARoot, InvalidPurpose,
|
|
|
|
PathLengthExceeded, InvalidCA, Expired,
|
|
|
|
SelfSigned, ErrorReadingRoot, NoSSL,
|
|
|
|
Revoked, Untrusted, SignatureFailed,
|
|
|
|
Rejected, PrivateKeyFailed, InvalidHost,
|
|
|
|
Irrelevant, SelfSignedChain
|
|
|
|
};
|
|
|
|
|
|
|
|
enum KSSLPurpose { None=0, SSLServer=1, SSLClient=2,
|
|
|
|
SMIMESign=3, SMIMEEncrypt=4, Any=5 };
|
|
|
|
|
|
|
|
typedef TQValueList<KSSLValidation> KSSLValidationList;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Convert this certificate to a string.
|
|
|
|
* @return the certificate in base64 format
|
|
|
|
*/
|
|
|
|
TQString toString();
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the subject of the certificate (X.509 map).
|
|
|
|
* @return the subject
|
|
|
|
*/
|
|
|
|
TQString getSubject() const;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the issuer of the certificate (X.509 map).
|
|
|
|
* @return the issuer
|
|
|
|
*/
|
|
|
|
TQString getIssuer() const;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the date that the certificate becomes valid on.
|
|
|
|
* @return the date as a string, localised
|
|
|
|
*/
|
|
|
|
TQString getNotBefore() const;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the date that the certificate is valid until.
|
|
|
|
* @return the date as a string, localised
|
|
|
|
*/
|
|
|
|
TQString getNotAfter() const;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the date that the certificate becomes valid on.
|
|
|
|
* @return the date
|
|
|
|
*/
|
|
|
|
TQDateTime getQDTNotBefore() const;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the date that the certificate is valid until.
|
|
|
|
* @return the date
|
|
|
|
*/
|
|
|
|
TQDateTime getQDTNotAfter() const;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the date that the CRL was generated on.
|
|
|
|
* @return the date
|
|
|
|
*/
|
|
|
|
TQDateTime getQDTLastUpdate() const;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the date that the CRL must be updated by.
|
|
|
|
* @return the date
|
|
|
|
*/
|
|
|
|
TQDateTime getQDTNextUpdate() const;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Convert the certificate to DER (ASN.1) format.
|
|
|
|
* @return the binary data of the DER encoding
|
|
|
|
*/
|
|
|
|
TQByteArray toDer();
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Convert the certificate to PEM (base64) format.
|
|
|
|
* @return the binary data of the PEM encoding
|
|
|
|
*/
|
|
|
|
TQByteArray toPem();
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Convert the certificate to Netscape format.
|
|
|
|
* @return the binary data of the Netscape encoding
|
|
|
|
*/
|
|
|
|
TQByteArray toNetscape();
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Convert the certificate to OpenSSL plain text format.
|
|
|
|
* @return the OpenSSL text encoding
|
|
|
|
*/
|
|
|
|
TQString toText();
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the serial number of the certificate.
|
|
|
|
* @return the serial number as a string
|
|
|
|
*/
|
|
|
|
TQString getSerialNumber() const;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the key type (RSA, DSA, etc).
|
|
|
|
* @return the key type as a string
|
|
|
|
*/
|
|
|
|
TQString getKeyType() const;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the public key.
|
|
|
|
* @return the public key as a hexidecimal string
|
|
|
|
*/
|
|
|
|
TQString getPublicKeyText() const;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the MD5 digest of the certificate.
|
|
|
|
* Result is padded with : to separate bytes - it's a text version!
|
|
|
|
* @return the MD5 digest in a hexidecimal string
|
|
|
|
*/
|
|
|
|
TQString getMD5DigestText() const;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the MD5 digest of the certificate.
|
|
|
|
* @return the MD5 digest in a hexidecimal string
|
|
|
|
*/
|
|
|
|
TQString getMD5Digest() const;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the signature.
|
|
|
|
* @return the signature in text format
|
|
|
|
*/
|
|
|
|
TQString getSignatureText() const;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Check if this is a valid certificate. Will use cached data.
|
|
|
|
* @return true if it is valid
|
|
|
|
*/
|
|
|
|
bool isValid();
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Check if this is a valid certificate. Will use cached data.
|
|
|
|
* @param p the purpose to validate for
|
|
|
|
* @return true if it is valid
|
|
|
|
*/
|
|
|
|
bool isValid(KSSLPurpose p);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* The alternate subject name.
|
|
|
|
* @return string list with subjectAltName
|
|
|
|
*/
|
|
|
|
TQStringList subjAltNames() const;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Check if this is a valid certificate. Will use cached data.
|
|
|
|
* @return the result of the validation
|
|
|
|
*/
|
|
|
|
KSSLValidation validate();
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Check if this is a valid certificate. Will use cached data.
|
|
|
|
* @param p the purpose to validate for
|
|
|
|
* @return the result of the validation
|
|
|
|
*/
|
|
|
|
KSSLValidation validate(KSSLPurpose p);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Check if this is a valid certificate. Will use cached data.
|
|
|
|
* @param p the purpose to validate for
|
|
|
|
* @return all problems encountered during validation
|
|
|
|
*/
|
|
|
|
KSSLValidationList validateVerbose(KSSLPurpose p);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Check if the certificate ca is a proper CA for this
|
|
|
|
* certificate.
|
|
|
|
* @param p the purpose to validate for
|
|
|
|
* @param ca the certificate to check
|
|
|
|
* @return all problems encountered during validation
|
|
|
|
*/
|
|
|
|
KSSLValidationList validateVerbose(KSSLPurpose p, KSSLCertificate *ca);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Check if this is a valid certificate. Will NOT use cached data.
|
|
|
|
* @return the result of the validation
|
|
|
|
*/
|
|
|
|
KSSLValidation revalidate();
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Check if this is a valid certificate. Will NOT use cached data.
|
|
|
|
* @param p the purpose to validate for
|
|
|
|
* @return the result of the validation
|
|
|
|
*/
|
|
|
|
KSSLValidation revalidate(KSSLPurpose p);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get a reference to the certificate chain.
|
|
|
|
* @return reference to the chain
|
|
|
|
*/
|
|
|
|
KSSLCertChain& chain();
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Obtain the localized message that corresponds to a validation result.
|
|
|
|
* @param x the code to look up
|
|
|
|
* @return the message text corresponding to the validation code
|
|
|
|
*/
|
|
|
|
static TQString verifyText(KSSLValidation x);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Explicitly make a copy of this certificate.
|
|
|
|
* @return a copy of the certificate
|
|
|
|
*/
|
|
|
|
KSSLCertificate *replicate();
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Copy constructor. Beware, this is very expensive.
|
|
|
|
* @param x the object to copy from
|
|
|
|
*/
|
|
|
|
KSSLCertificate(const KSSLCertificate& x); // copy constructor
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Re-set the certificate from a base64 string.
|
|
|
|
* @param cert the certificate to set to
|
|
|
|
* @return true on success
|
|
|
|
*/
|
|
|
|
bool setCert(TQString& cert);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Access the X.509v3 parameters.
|
|
|
|
* @return reference to the extension object
|
|
|
|
* @see KSSLX509V3
|
|
|
|
*/
|
|
|
|
KSSLX509V3& x509V3Extensions();
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Check if this is a signer certificate.
|
|
|
|
* @return true if this is a signer certificate
|
|
|
|
*/
|
|
|
|
bool isSigner();
|
|
|
|
|
|
|
|
/**
|
|
|
|
* FIXME: document
|
|
|
|
*/
|
|
|
|
void getEmails(TQStringList& to) const;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* KDEKey is a concatenation "Subject (MD5)", mostly needed for SMIME.
|
|
|
|
* The result of getKDEKey might change and should not be used for
|
|
|
|
* persistant storage.
|
|
|
|
*/
|
|
|
|
TQString getKDEKey() const;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Aegypten semantics force us to search by MD5Digest only.
|
|
|
|
*/
|
|
|
|
static TQString getMD5DigestFromKDEKey(const TQString& k);
|
|
|
|
|
|
|
|
private:
|
|
|
|
TDEIO_EXPORT friend int operator!=(KSSLCertificate& x, KSSLCertificate& y);
|
|
|
|
TDEIO_EXPORT friend int operator==(KSSLCertificate& x, KSSLCertificate& y);
|
|
|
|
|
|
|
|
KSSLCertificatePrivate *d;
|
|
|
|
int purposeToOpenSSL(KSSLPurpose p) const;
|
|
|
|
|
|
|
|
protected:
|
|
|
|
KSSLCertificate();
|
|
|
|
|
|
|
|
void setCert(X509 *c);
|
|
|
|
void setCRL(X509_CRL *c);
|
|
|
|
void setChain(void *c);
|
|
|
|
X509 *getCert();
|
|
|
|
KSSLValidation processError(int ec);
|
|
|
|
};
|
|
|
|
|
|
|
|
TDEIO_EXPORT TQDataStream& operator<<(TQDataStream& s, const KSSLCertificate& r);
|
|
|
|
TDEIO_EXPORT TQDataStream& operator>>(TQDataStream& s, KSSLCertificate& r);
|
|
|
|
|
|
|
|
TDEIO_EXPORT int operator==(KSSLCertificate& x, KSSLCertificate& y);
|
|
|
|
TDEIO_EXPORT inline int operator!=(KSSLCertificate& x, KSSLCertificate& y)
|
|
|
|
{ return !(x == y); }
|
|
|
|
|
|
|
|
#endif
|
|
|
|
|