From 4522121196f11de0200ed54ea50830c1baf017a6 Mon Sep 17 00:00:00 2001 From: Vincent Richard Date: Sun, 30 Oct 2005 15:02:39 +0000 Subject: Moved certificate code into 'vmime::net::security::cert' namespace. --- SConstruct | 10 +- examples/example6.cpp | 12 +- src/net/service.cpp | 8 +- src/net/tls/TLSSession.cpp | 4 +- src/net/tls/TLSSocket.cpp | 14 +- src/net/tls/X509Certificate.cpp | 273 --------------------- src/net/tls/certificateChain.cpp | 53 ---- src/net/tls/defaultCertificateVerifier.cpp | 164 ------------- src/security/cert/X509Certificate.cpp | 273 +++++++++++++++++++++ src/security/cert/certificateChain.cpp | 53 ++++ src/security/cert/defaultCertificateVerifier.cpp | 164 +++++++++++++ vmime/net/service.hpp | 8 +- vmime/net/tls/TLSSession.hpp | 8 +- vmime/net/tls/TLSSocket.hpp | 4 +- vmime/net/tls/X509Certificate.hpp | 158 ------------ vmime/net/tls/certificate.hpp | 77 ------ vmime/net/tls/certificateChain.hpp | 79 ------ vmime/net/tls/certificateVerifier.hpp | 60 ----- vmime/net/tls/defaultCertificateVerifier.hpp | 88 ------- vmime/security/cert/X509Certificate.hpp | 158 ++++++++++++ vmime/security/cert/certificate.hpp | 77 ++++++ vmime/security/cert/certificateChain.hpp | 79 ++++++ vmime/security/cert/certificateVerifier.hpp | 60 +++++ vmime/security/cert/defaultCertificateVerifier.hpp | 88 +++++++ vmime/vmime.hpp | 10 +- 25 files changed, 991 insertions(+), 991 deletions(-) delete mode 100644 src/net/tls/X509Certificate.cpp delete mode 100644 src/net/tls/certificateChain.cpp delete mode 100644 src/net/tls/defaultCertificateVerifier.cpp create mode 100644 src/security/cert/X509Certificate.cpp create mode 100644 src/security/cert/certificateChain.cpp create mode 100644 src/security/cert/defaultCertificateVerifier.cpp delete mode 100644 vmime/net/tls/X509Certificate.hpp delete mode 100644 vmime/net/tls/certificate.hpp delete mode 100644 vmime/net/tls/certificateChain.hpp delete mode 100644 vmime/net/tls/certificateVerifier.hpp delete mode 100644 vmime/net/tls/defaultCertificateVerifier.hpp create mode 100644 vmime/security/cert/X509Certificate.hpp create mode 100644 vmime/security/cert/certificate.hpp create mode 100644 vmime/security/cert/certificateChain.hpp create mode 100644 vmime/security/cert/certificateVerifier.hpp create mode 100644 vmime/security/cert/defaultCertificateVerifier.hpp diff --git a/SConstruct b/SConstruct index 8848cf7a..796e3aeb 100644 --- a/SConstruct +++ b/SConstruct @@ -218,11 +218,11 @@ libvmime_messaging_sources = [ libvmime_net_tls_sources = [ 'net/tls/TLSSession.cpp', 'net/tls/TLSSession.hpp', 'net/tls/TLSSocket.cpp', 'net/tls/TLSSocket.hpp', - 'net/tls/certificateChain.cpp', 'net/tls/certificateChain.hpp', - 'net/tls/certificateVerifier.hpp', - 'net/tls/defaultCertificateVerifier.cpp', 'net/tls/defaultCertificateVerifier.hpp', - 'net/tls/certificate.hpp', - 'net/tls/X509Certificate.cpp', 'net/tls/X509Certificate.hpp' + 'security/cert/certificateChain.cpp', 'security/cert/certificateChain.hpp', + 'security/cert/certificateVerifier.hpp', + 'security/cert/defaultCertificateVerifier.cpp', 'security/cert/defaultCertificateVerifier.hpp', + 'security/cert/certificate.hpp', + 'security/cert/X509Certificate.cpp', 'security/cert/X509Certificate.hpp' ] libvmime_messaging_proto_sources = [ diff --git a/examples/example6.cpp b/examples/example6.cpp index bcbdcaf6..e64db44b 100644 --- a/examples/example6.cpp +++ b/examples/example6.cpp @@ -101,11 +101,11 @@ private: #if VMIME_HAVE_TLS_SUPPORT // Certificate verifier (TLS/SSL) -class interactiveCertificateVerifier : public vmime::net::tls::defaultCertificateVerifier +class interactiveCertificateVerifier : public vmime::security::cert::defaultCertificateVerifier { public: - void verify(vmime::ref chain) + void verify(vmime::ref chain) { try { @@ -116,7 +116,7 @@ public: catch (vmime::exceptions::certificate_verification_exception&) { // Obtain subject's certificate - vmime::ref cert = chain->getAt(0); + vmime::ref cert = chain->getAt(0); std::cout << std::endl; std::cout << "Server sent a '" << cert->getType() << "'" << " certificate." << std::endl; @@ -133,7 +133,7 @@ public: if (cert->getType() == "X.509") { m_trustedCerts.push_back(cert.dynamicCast - ()); + ()); } return; @@ -146,11 +146,11 @@ public: private: - static std::vector > m_trustedCerts; + static std::vector > m_trustedCerts; }; -std::vector > +std::vector > interactiveCertificateVerifier::m_trustedCerts; #endif // VMIME_HAVE_TLS_SUPPORT diff --git a/src/net/service.cpp b/src/net/service.cpp index 8dde675a..6b1c34f3 100644 --- a/src/net/service.cpp +++ b/src/net/service.cpp @@ -29,7 +29,7 @@ #endif // VMIME_HAVE_SASL_SUPPORT #if VMIME_HAVE_TLS_SUPPORT - #include "vmime/net/tls/defaultCertificateVerifier.hpp" + #include "vmime/security/cert/defaultCertificateVerifier.hpp" #endif // VMIME_HAVE_TLS_SUPPORT @@ -53,7 +53,7 @@ service::service(ref sess, const serviceInfos& /* infos */, } #if VMIME_HAVE_TLS_SUPPORT - m_certVerifier = vmime::create (); + m_certVerifier = vmime::create (); #endif // VMIME_HAVE_TLS_SUPPORT m_socketFactory = platformDependant::getHandler()->getSocketFactory(); @@ -97,13 +97,13 @@ void service::setAuthenticator(ref auth) #if VMIME_HAVE_TLS_SUPPORT -void service::setCertificateVerifier(ref cv) +void service::setCertificateVerifier(ref cv) { m_certVerifier = cv; } -ref service::getCertificateVerifier() +ref service::getCertificateVerifier() { return m_certVerifier; } diff --git a/src/net/tls/TLSSession.cpp b/src/net/tls/TLSSession.cpp index fb84714c..caa63d0a 100644 --- a/src/net/tls/TLSSession.cpp +++ b/src/net/tls/TLSSession.cpp @@ -91,7 +91,7 @@ static TLSGlobal g_gnutlsGlobal; -TLSSession::TLSSession(ref cv) +TLSSession::TLSSession(ref cv) : m_certVerifier(cv) { int res; @@ -212,7 +212,7 @@ ref TLSSession::getSocket(ref sok) } -ref TLSSession::getCertificateVerifier() +ref TLSSession::getCertificateVerifier() { return m_certVerifier; } diff --git a/src/net/tls/TLSSocket.cpp b/src/net/tls/TLSSocket.cpp index ebf3214b..93066b98 100644 --- a/src/net/tls/TLSSocket.cpp +++ b/src/net/tls/TLSSocket.cpp @@ -29,7 +29,7 @@ #include "vmime/platformDependant.hpp" -#include "vmime/net/tls/X509Certificate.hpp" +#include "vmime/security/cert/X509Certificate.hpp" namespace vmime { @@ -185,7 +185,7 @@ void TLSSocket::handshake(ref toHandler) m_toHandler = NULL; // Verify server's certificate(s) - ref certs = getPeerCertificates(); + ref certs = getPeerCertificates(); if (certs == NULL) throw exceptions::tls_exception("No peer certificate."); @@ -280,7 +280,7 @@ ssize_t TLSSocket::gnutlsPullFunc } -ref TLSSocket::getPeerCertificates() +ref TLSSocket::getPeerCertificates() { unsigned int certCount = 0; const gnutls_datum* rawData = gnutls_certificate_get_peers @@ -304,7 +304,7 @@ ref TLSSocket::getPeerCertificates() if (res >= 1) { - std::vector > certs; + std::vector > certs; bool error = false; count = static_cast (res); @@ -321,8 +321,8 @@ ref TLSSocket::getPeerCertificates() gnutls_x509_crt_export(x509Certs[i], GNUTLS_X509_FMT_DER, data, &dataSize); - ref cert = - X509Certificate::import(data, dataSize); + ref cert = + security::cert::X509Certificate::import(data, dataSize); if (cert != NULL) certs.push_back(cert); @@ -339,7 +339,7 @@ ref TLSSocket::getPeerCertificates() if (error) return NULL; - return vmime::create (certs); + return vmime::create (certs); } delete [] x509Certs; diff --git a/src/net/tls/X509Certificate.cpp b/src/net/tls/X509Certificate.cpp deleted file mode 100644 index cfb52a1d..00000000 --- a/src/net/tls/X509Certificate.cpp +++ /dev/null @@ -1,273 +0,0 @@ -// -// VMime library (http://www.vmime.org) -// Copyright (C) 2002-2005 Vincent Richard -// -// This program is free software; you can redistribute it and/or -// modify it under the terms of the GNU General Public License as -// published by the Free Software Foundation; either version 2 of -// the License, or (at your option) any later version. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// Linking this library statically or dynamically with other modules is making -// a combined work based on this library. Thus, the terms and conditions of -// the GNU General Public License cover the whole combination. -// - -#include -#include - -#include - -#include "vmime/net/tls/X509Certificate.hpp" - - -namespace vmime { -namespace net { -namespace tls { - - -#ifndef VMIME_BUILDING_DOC - -struct X509CertificateInternalData -{ - X509CertificateInternalData() - { - gnutls_x509_crt_init(&cert); - } - - ~X509CertificateInternalData() - { - gnutls_x509_crt_deinit(cert); - } - - - gnutls_x509_crt cert; -}; - -#endif // VMIME_BUILDING_DOC - - -X509Certificate::X509Certificate() - : m_data(new X509CertificateInternalData) -{ -} - - -X509Certificate::X509Certificate(const X509Certificate&) - : certificate(), m_data(NULL) -{ - // Not used -} - - -X509Certificate::~X509Certificate() -{ - delete m_data; -} - - -// static -ref X509Certificate::import(utility::inputStream& is) -{ - byteArray bytes; - utility::stream::value_type chunk[4096]; - - while (!is.eof()) - { - const int len = is.read(chunk, sizeof(chunk)); - bytes.insert(bytes.end(), chunk, chunk + len); - } - - return import(&bytes[0], bytes.size()); -} - - -// static -ref X509Certificate::import - (const byte* data, const unsigned int length) -{ - ref cert = vmime::create (); - - gnutls_datum buffer; - buffer.data = const_cast (data); - buffer.size = length; - - // Try DER format - if (gnutls_x509_crt_import(cert->m_data->cert, &buffer, GNUTLS_X509_FMT_DER) >= 0) - return cert; - - // Try PEM format - if (gnutls_x509_crt_import(cert->m_data->cert, &buffer, GNUTLS_X509_FMT_PEM) >= 0) - return cert; - - return NULL; -} - - -void X509Certificate::write - (utility::outputStream& os, const Format format) const -{ - size_t dataSize = 0; - gnutls_x509_crt_fmt fmt = GNUTLS_X509_FMT_DER; - - switch (format) - { - case FORMAT_DER: fmt = GNUTLS_X509_FMT_DER; break; - case FORMAT_PEM: fmt = GNUTLS_X509_FMT_PEM; break; - } - - gnutls_x509_crt_export(m_data->cert, fmt, NULL, &dataSize); - - byte* data = new byte[dataSize]; - - gnutls_x509_crt_export(m_data->cert, fmt, data, &dataSize); - - try - { - os.write(reinterpret_cast (data), dataSize); - } - catch (...) - { - delete [] data; - throw; - } -} - - -const byteArray X509Certificate::getSerialNumber() const -{ - char serial[64]; - size_t serialSize = sizeof(serial); - - gnutls_x509_crt_get_serial(m_data->cert, serial, &serialSize); - - return byteArray(serial, serial + serialSize); -} - - -const bool X509Certificate::checkIssuer - (ref issuer) const -{ - return (gnutls_x509_crt_check_issuer - (m_data->cert, issuer->m_data->cert) >= 1); -} - - -const bool X509Certificate::verify(ref caCert) const -{ - unsigned int verify = 0; - - const int res = gnutls_x509_crt_verify - (m_data->cert, &(caCert->m_data->cert), 1, - GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, - &verify); - - return (res == 0 && verify == 0); -} - - -const datetime X509Certificate::getActivationDate() const -{ - const time_t t = gnutls_x509_crt_get_activation_time(m_data->cert); - return datetime(t); -} - - -const datetime X509Certificate::getExpirationDate() const -{ - const time_t t = gnutls_x509_crt_get_expiration_time(m_data->cert); - return datetime(t); -} - - -const byteArray X509Certificate::getFingerprint(const DigestAlgorithm algo) const -{ - gnutls_digest_algorithm galgo; - - switch (algo) - { - case DIGEST_MD5: - - galgo = GNUTLS_DIG_MD5; - break; - - default: - case DIGEST_SHA1: - - galgo = GNUTLS_DIG_SHA; - break; - } - - size_t bufferSize = 0; - gnutls_x509_crt_get_fingerprint - (m_data->cert, galgo, NULL, &bufferSize); - - byte* buffer = new byte[bufferSize]; - - if (gnutls_x509_crt_get_fingerprint - (m_data->cert, galgo, buffer, &bufferSize) == 0) - { - byteArray res; - res.insert(res.end(), buffer, buffer + bufferSize); - - delete [] buffer; - - return res; - } - - delete [] buffer; - - return byteArray(); -} - - -const byteArray X509Certificate::getEncoded() const -{ - byteArray bytes; - utility::outputStreamByteArrayAdapter os(bytes); - - write(os, FORMAT_DER); - - return bytes; -} - - -const string X509Certificate::getType() const -{ - return "X.509"; -} - - -const int X509Certificate::getVersion() const -{ - return gnutls_x509_crt_get_version(m_data->cert); -} - - -const bool X509Certificate::equals(ref other) const -{ - ref otherX509 = - other.dynamicCast (); - - if (!otherX509) - return false; - - const byteArray fp1 = getFingerprint(DIGEST_MD5); - const byteArray fp2 = otherX509->getFingerprint(DIGEST_MD5); - - return fp1 == fp2; -} - - -} // tls -} // net -} // vmime - diff --git a/src/net/tls/certificateChain.cpp b/src/net/tls/certificateChain.cpp deleted file mode 100644 index 52855cc2..00000000 --- a/src/net/tls/certificateChain.cpp +++ /dev/null @@ -1,53 +0,0 @@ -// -// VMime library (http://www.vmime.org) -// Copyright (C) 2002-2005 Vincent Richard -// -// This program is free software; you can redistribute it and/or -// modify it under the terms of the GNU General Public License as -// published by the Free Software Foundation; either version 2 of -// the License, or (at your option) any later version. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// Linking this library statically or dynamically with other modules is making -// a combined work based on this library. Thus, the terms and conditions of -// the GNU General Public License cover the whole combination. -// - -#include "vmime/net/tls/certificateChain.hpp" - - -namespace vmime { -namespace net { -namespace tls { - - -certificateChain::certificateChain(const std::vector >& certs) - : m_certs(certs) -{ -} - - -const unsigned int certificateChain::getCount() const -{ - return static_cast (m_certs.size()); -} - - -ref certificateChain::getAt(const unsigned int index) -{ - return m_certs[index]; -} - - -} // tls -} // net -} // vmime - diff --git a/src/net/tls/defaultCertificateVerifier.cpp b/src/net/tls/defaultCertificateVerifier.cpp deleted file mode 100644 index de0c6e45..00000000 --- a/src/net/tls/defaultCertificateVerifier.cpp +++ /dev/null @@ -1,164 +0,0 @@ -// -// VMime library (http://www.vmime.org) -// Copyright (C) 2002-2005 Vincent Richard -// -// This program is free software; you can redistribute it and/or -// modify it under the terms of the GNU General Public License as -// published by the Free Software Foundation; either version 2 of -// the License, or (at your option) any later version. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// Linking this library statically or dynamically with other modules is making -// a combined work based on this library. Thus, the terms and conditions of -// the GNU General Public License cover the whole combination. -// - -#include "vmime/net/tls/defaultCertificateVerifier.hpp" - -#include "vmime/net/tls/X509Certificate.hpp" - -#include "vmime/exception.hpp" - - -namespace vmime { -namespace net { -namespace tls { - - -defaultCertificateVerifier::defaultCertificateVerifier() -{ -} - - -defaultCertificateVerifier::~defaultCertificateVerifier() -{ -} - - -defaultCertificateVerifier::defaultCertificateVerifier(const defaultCertificateVerifier&) - : certificateVerifier() -{ - // Not used -} - - -void defaultCertificateVerifier::verify(ref chain) -{ - if (chain->getCount() == 0) - return; - - const string type = chain->getAt(0)->getType(); - - if (type == "X.509") - verifyX509(chain); - else - throw exceptions::unsupported_certificate_type(type); -} - - -void defaultCertificateVerifier::verifyX509(ref chain) -{ - // For every certificate in the chain, verify that the certificate - // has been issued by the next certificate in the chain - if (chain->getCount() >= 2) - { - for (unsigned int i = 0 ; i < chain->getCount() - 1 ; ++i) - { - ref cert = - chain->getAt(i).dynamicCast (); - - ref next = - chain->getAt(i + 1).dynamicCast (); - - if (!cert->checkIssuer(next)) - { - throw exceptions::certificate_verification_exception - ("Subject/issuer verification failed."); - } - } - } - - // For every certificate in the chain, verify that the certificate - // is valid at the current time - const datetime now = datetime::now(); - - for (unsigned int i = 0 ; i < chain->getCount() ; ++i) - { - ref cert = - chain->getAt(i).dynamicCast (); - - const datetime begin = cert->getActivationDate(); - const datetime end = cert->getExpirationDate(); - - if (now < begin || now > end) - { - throw exceptions::certificate_verification_exception - ("Validity date check failed."); - } - } - - // Check whether the certificate can be trusted - - // -- First, verify that the the last certificate in the chain was - // -- issued by a third-party that we trust - ref lastCert = - chain->getAt(chain->getCount() - 1).dynamicCast (); - - bool trusted = false; - - for (unsigned int i = 0 ; !trusted && i < m_x509RootCAs.size() ; ++i) - { - ref rootCa = m_x509RootCAs[i]; - - if (lastCert->verify(rootCa)) - trusted = true; - } - - // -- Next, if the issuer certificate cannot be verified against - // -- root CAs, compare the subject's certificate against the - // -- trusted certificates - ref firstCert = - chain->getAt(0).dynamicCast (); - - for (unsigned int i = 0 ; !trusted && i < m_x509TrustedCerts.size() ; ++i) - { - ref cert = m_x509TrustedCerts[i]; - - if (firstCert->equals(cert)) - trusted = true; - } - - if (!trusted) - { - throw exceptions::certificate_verification_exception - ("Cannot verify certificate against trusted certificates."); - } -} - - -void defaultCertificateVerifier::setX509RootCAs - (const std::vector >& caCerts) -{ - m_x509RootCAs = caCerts; -} - - -void defaultCertificateVerifier::setX509TrustedCerts - (const std::vector >& trustedCerts) -{ - m_x509TrustedCerts = trustedCerts; -} - - -} // tls -} // net -} // vmime - diff --git a/src/security/cert/X509Certificate.cpp b/src/security/cert/X509Certificate.cpp new file mode 100644 index 00000000..a1310f51 --- /dev/null +++ b/src/security/cert/X509Certificate.cpp @@ -0,0 +1,273 @@ +// +// VMime library (http://www.vmime.org) +// Copyright (C) 2002-2005 Vincent Richard +// +// This program is free software; you can redistribute it and/or +// modify it under the terms of the GNU General Public License as +// published by the Free Software Foundation; either version 2 of +// the License, or (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// Linking this library statically or dynamically with other modules is making +// a combined work based on this library. Thus, the terms and conditions of +// the GNU General Public License cover the whole combination. +// + +#include +#include + +#include + +#include "vmime/security/cert/X509Certificate.hpp" + + +namespace vmime { +namespace security { +namespace cert { + + +#ifndef VMIME_BUILDING_DOC + +struct X509CertificateInternalData +{ + X509CertificateInternalData() + { + gnutls_x509_crt_init(&cert); + } + + ~X509CertificateInternalData() + { + gnutls_x509_crt_deinit(cert); + } + + + gnutls_x509_crt cert; +}; + +#endif // VMIME_BUILDING_DOC + + +X509Certificate::X509Certificate() + : m_data(new X509CertificateInternalData) +{ +} + + +X509Certificate::X509Certificate(const X509Certificate&) + : certificate(), m_data(NULL) +{ + // Not used +} + + +X509Certificate::~X509Certificate() +{ + delete m_data; +} + + +// static +ref X509Certificate::import(utility::inputStream& is) +{ + byteArray bytes; + utility::stream::value_type chunk[4096]; + + while (!is.eof()) + { + const int len = is.read(chunk, sizeof(chunk)); + bytes.insert(bytes.end(), chunk, chunk + len); + } + + return import(&bytes[0], bytes.size()); +} + + +// static +ref X509Certificate::import + (const byte* data, const unsigned int length) +{ + ref cert = vmime::create (); + + gnutls_datum buffer; + buffer.data = const_cast (data); + buffer.size = length; + + // Try DER format + if (gnutls_x509_crt_import(cert->m_data->cert, &buffer, GNUTLS_X509_FMT_DER) >= 0) + return cert; + + // Try PEM format + if (gnutls_x509_crt_import(cert->m_data->cert, &buffer, GNUTLS_X509_FMT_PEM) >= 0) + return cert; + + return NULL; +} + + +void X509Certificate::write + (utility::outputStream& os, const Format format) const +{ + size_t dataSize = 0; + gnutls_x509_crt_fmt fmt = GNUTLS_X509_FMT_DER; + + switch (format) + { + case FORMAT_DER: fmt = GNUTLS_X509_FMT_DER; break; + case FORMAT_PEM: fmt = GNUTLS_X509_FMT_PEM; break; + } + + gnutls_x509_crt_export(m_data->cert, fmt, NULL, &dataSize); + + byte* data = new byte[dataSize]; + + gnutls_x509_crt_export(m_data->cert, fmt, data, &dataSize); + + try + { + os.write(reinterpret_cast (data), dataSize); + } + catch (...) + { + delete [] data; + throw; + } +} + + +const byteArray X509Certificate::getSerialNumber() const +{ + char serial[64]; + size_t serialSize = sizeof(serial); + + gnutls_x509_crt_get_serial(m_data->cert, serial, &serialSize); + + return byteArray(serial, serial + serialSize); +} + + +const bool X509Certificate::checkIssuer + (ref issuer) const +{ + return (gnutls_x509_crt_check_issuer + (m_data->cert, issuer->m_data->cert) >= 1); +} + + +const bool X509Certificate::verify(ref caCert) const +{ + unsigned int verify = 0; + + const int res = gnutls_x509_crt_verify + (m_data->cert, &(caCert->m_data->cert), 1, + GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, + &verify); + + return (res == 0 && verify == 0); +} + + +const datetime X509Certificate::getActivationDate() const +{ + const time_t t = gnutls_x509_crt_get_activation_time(m_data->cert); + return datetime(t); +} + + +const datetime X509Certificate::getExpirationDate() const +{ + const time_t t = gnutls_x509_crt_get_expiration_time(m_data->cert); + return datetime(t); +} + + +const byteArray X509Certificate::getFingerprint(const DigestAlgorithm algo) const +{ + gnutls_digest_algorithm galgo; + + switch (algo) + { + case DIGEST_MD5: + + galgo = GNUTLS_DIG_MD5; + break; + + default: + case DIGEST_SHA1: + + galgo = GNUTLS_DIG_SHA; + break; + } + + size_t bufferSize = 0; + gnutls_x509_crt_get_fingerprint + (m_data->cert, galgo, NULL, &bufferSize); + + byte* buffer = new byte[bufferSize]; + + if (gnutls_x509_crt_get_fingerprint + (m_data->cert, galgo, buffer, &bufferSize) == 0) + { + byteArray res; + res.insert(res.end(), buffer, buffer + bufferSize); + + delete [] buffer; + + return res; + } + + delete [] buffer; + + return byteArray(); +} + + +const byteArray X509Certificate::getEncoded() const +{ + byteArray bytes; + utility::outputStreamByteArrayAdapter os(bytes); + + write(os, FORMAT_DER); + + return bytes; +} + + +const string X509Certificate::getType() const +{ + return "X.509"; +} + + +const int X509Certificate::getVersion() const +{ + return gnutls_x509_crt_get_version(m_data->cert); +} + + +const bool X509Certificate::equals(ref other) const +{ + ref otherX509 = + other.dynamicCast (); + + if (!otherX509) + return false; + + const byteArray fp1 = getFingerprint(DIGEST_MD5); + const byteArray fp2 = otherX509->getFingerprint(DIGEST_MD5); + + return fp1 == fp2; +} + + +} // cert +} // security +} // vmime + diff --git a/src/security/cert/certificateChain.cpp b/src/security/cert/certificateChain.cpp new file mode 100644 index 00000000..2ac25258 --- /dev/null +++ b/src/security/cert/certificateChain.cpp @@ -0,0 +1,53 @@ +// +// VMime library (http://www.vmime.org) +// Copyright (C) 2002-2005 Vincent Richard +// +// This program is free software; you can redistribute it and/or +// modify it under the terms of the GNU General Public License as +// published by the Free Software Foundation; either version 2 of +// the License, or (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// Linking this library statically or dynamically with other modules is making +// a combined work based on this library. Thus, the terms and conditions of +// the GNU General Public License cover the whole combination. +// + +#include "vmime/security/cert/certificateChain.hpp" + + +namespace vmime { +namespace security { +namespace cert { + + +certificateChain::certificateChain(const std::vector >& certs) + : m_certs(certs) +{ +} + + +const unsigned int certificateChain::getCount() const +{ + return static_cast (m_certs.size()); +} + + +ref certificateChain::getAt(const unsigned int index) +{ + return m_certs[index]; +} + + +} // cert +} // security +} // vmime + diff --git a/src/security/cert/defaultCertificateVerifier.cpp b/src/security/cert/defaultCertificateVerifier.cpp new file mode 100644 index 00000000..b125d3e4 --- /dev/null +++ b/src/security/cert/defaultCertificateVerifier.cpp @@ -0,0 +1,164 @@ +// +// VMime library (http://www.vmime.org) +// Copyright (C) 2002-2005 Vincent Richard +// +// This program is free software; you can redistribute it and/or +// modify it under the terms of the GNU General Public License as +// published by the Free Software Foundation; either version 2 of +// the License, or (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// Linking this library statically or dynamically with other modules is making +// a combined work based on this library. Thus, the terms and conditions of +// the GNU General Public License cover the whole combination. +// + +#include "vmime/security/cert/defaultCertificateVerifier.hpp" + +#include "vmime/security/cert/X509Certificate.hpp" + +#include "vmime/exception.hpp" + + +namespace vmime { +namespace security { +namespace cert { + + +defaultCertificateVerifier::defaultCertificateVerifier() +{ +} + + +defaultCertificateVerifier::~defaultCertificateVerifier() +{ +} + + +defaultCertificateVerifier::defaultCertificateVerifier(const defaultCertificateVerifier&) + : certificateVerifier() +{ + // Not used +} + + +void defaultCertificateVerifier::verify(ref chain) +{ + if (chain->getCount() == 0) + return; + + const string type = chain->getAt(0)->getType(); + + if (type == "X.509") + verifyX509(chain); + else + throw exceptions::unsupported_certificate_type(type); +} + + +void defaultCertificateVerifier::verifyX509(ref chain) +{ + // For every certificate in the chain, verify that the certificate + // has been issued by the next certificate in the chain + if (chain->getCount() >= 2) + { + for (unsigned int i = 0 ; i < chain->getCount() - 1 ; ++i) + { + ref cert = + chain->getAt(i).dynamicCast (); + + ref next = + chain->getAt(i + 1).dynamicCast (); + + if (!cert->checkIssuer(next)) + { + throw exceptions::certificate_verification_exception + ("Subject/issuer verification failed."); + } + } + } + + // For every certificate in the chain, verify that the certificate + // is valid at the current time + const datetime now = datetime::now(); + + for (unsigned int i = 0 ; i < chain->getCount() ; ++i) + { + ref cert = + chain->getAt(i).dynamicCast (); + + const datetime begin = cert->getActivationDate(); + const datetime end = cert->getExpirationDate(); + + if (now < begin || now > end) + { + throw exceptions::certificate_verification_exception + ("Validity date check failed."); + } + } + + // Check whether the certificate can be trusted + + // -- First, verify that the the last certificate in the chain was + // -- issued by a third-party that we trust + ref lastCert = + chain->getAt(chain->getCount() - 1).dynamicCast (); + + bool trusted = false; + + for (unsigned int i = 0 ; !trusted && i < m_x509RootCAs.size() ; ++i) + { + ref rootCa = m_x509RootCAs[i]; + + if (lastCert->verify(rootCa)) + trusted = true; + } + + // -- Next, if the issuer certificate cannot be verified against + // -- root CAs, compare the subject's certificate against the + // -- trusted certificates + ref firstCert = + chain->getAt(0).dynamicCast (); + + for (unsigned int i = 0 ; !trusted && i < m_x509TrustedCerts.size() ; ++i) + { + ref cert = m_x509TrustedCerts[i]; + + if (firstCert->equals(cert)) + trusted = true; + } + + if (!trusted) + { + throw exceptions::certificate_verification_exception + ("Cannot verify certificate against trusted certificates."); + } +} + + +void defaultCertificateVerifier::setX509RootCAs + (const std::vector >& caCerts) +{ + m_x509RootCAs = caCerts; +} + + +void defaultCertificateVerifier::setX509TrustedCerts + (const std::vector >& trustedCerts) +{ + m_x509TrustedCerts = trustedCerts; +} + + +} // cert +} // security +} // vmime + diff --git a/vmime/net/service.hpp b/vmime/net/service.hpp index c96a8c4b..ec165462 100644 --- a/vmime/net/service.hpp +++ b/vmime/net/service.hpp @@ -36,7 +36,7 @@ #include "vmime/net/timeoutHandler.hpp" #if VMIME_HAVE_TLS_SUPPORT - #include "vmime/net/tls/certificateVerifier.hpp" + #include "vmime/security/cert/certificateVerifier.hpp" #endif // VMIME_HAVE_TLS_SUPPORT #include "vmime/utility/progressListener.hpp" @@ -139,12 +139,12 @@ public: /** Set the object responsible for verifying certificates when * using secured connections (TLS/SSL). */ - void setCertificateVerifier(ref cv); + void setCertificateVerifier(ref cv); /** Get the object responsible for verifying certificates when * using secured connections (TLS/SSL). */ - ref getCertificateVerifier(); + ref getCertificateVerifier(); #endif // VMIME_HAVE_TLS_SUPPORT @@ -197,7 +197,7 @@ private: ref m_auth; #if VMIME_HAVE_TLS_SUPPORT - ref m_certVerifier; + ref m_certVerifier; #endif // VMIME_HAVE_TLS_SUPPORT ref m_socketFactory; diff --git a/vmime/net/tls/TLSSession.hpp b/vmime/net/tls/TLSSession.hpp index e946c102..7927fba3 100644 --- a/vmime/net/tls/TLSSession.hpp +++ b/vmime/net/tls/TLSSession.hpp @@ -29,7 +29,7 @@ #include "vmime/net/tls/TLSSocket.hpp" -#include "vmime/net/tls/certificateVerifier.hpp" +#include "vmime/security/cert/certificateVerifier.hpp" namespace vmime { @@ -53,7 +53,7 @@ public: * sent by the server * @return a new TLS session */ - TLSSession(ref cv); + TLSSession(ref cv); /** Create a new socket that adds a TLS security layer around * an existing socket. You should create only one socket @@ -67,7 +67,7 @@ public: /** Get the object responsible for verifying certificates when * using secured connections (TLS/SSL). */ - ref getCertificateVerifier(); + ref getCertificateVerifier(); private: @@ -82,7 +82,7 @@ private: void* m_gnutlsSession; #endif // LIBGNUTLS_VERSION - ref m_certVerifier; + ref m_certVerifier; }; diff --git a/vmime/net/tls/TLSSocket.hpp b/vmime/net/tls/TLSSocket.hpp index 1fbe045a..8fb22990 100644 --- a/vmime/net/tls/TLSSocket.hpp +++ b/vmime/net/tls/TLSSocket.hpp @@ -30,7 +30,7 @@ #include "vmime/net/socket.hpp" #include "vmime/net/timeoutHandler.hpp" -#include "vmime/net/tls/certificateChain.hpp" +#include "vmime/security/cert/certificateChain.hpp" namespace vmime { @@ -75,7 +75,7 @@ public: * @return server certificate chain, or NULL if the handshake * has not been performed yet */ - ref getPeerCertificates(); + ref getPeerCertificates(); // Implementation of 'socket' diff --git a/vmime/net/tls/X509Certificate.hpp b/vmime/net/tls/X509Certificate.hpp deleted file mode 100644 index 5edd4e46..00000000 --- a/vmime/net/tls/X509Certificate.hpp +++ /dev/null @@ -1,158 +0,0 @@ -// -// VMime library (http://www.vmime.org) -// Copyright (C) 2002-2005 Vincent Richard -// -// This program is free software; you can redistribute it and/or -// modify it under the terms of the GNU General Public License as -// published by the Free Software Foundation; either version 2 of -// the License, or (at your option) any later version. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// Linking this library statically or dynamically with other modules is making -// a combined work based on this library. Thus, the terms and conditions of -// the GNU General Public License cover the whole combination. -// - -#ifndef VMIME_NET_TLS_X509CERTIFICATE_HPP_INCLUDED -#define VMIME_NET_TLS_X509CERTIFICATE_HPP_INCLUDED - - -#include "vmime/net/tls/certificate.hpp" - -#include "vmime/utility/stream.hpp" - -#include "vmime/base.hpp" -#include "vmime/dateTime.hpp" - - -namespace vmime { -namespace net { -namespace tls { - - -/** Identity certificate based on X.509 standard. - */ -class X509Certificate : public certificate -{ - friend class vmime::creator; - -protected: - - X509Certificate(); - X509Certificate(const X509Certificate&); - -public: - - ~X509Certificate(); - - /** Supported encodings for X.509 certificates. */ - enum Format - { - FORMAT_DER, /**< DER encoding */ - FORMAT_PEM /**< PEM encoding */ - }; - - /** Supported digest algorithms (used for fingerprint). */ - enum DigestAlgorithm - { - DIGEST_MD5, /**< MD5 digest */ - DIGEST_SHA1 /**< SHA1 digest */ - }; - - - /** Imports a DER or PEM encoded X.509 certificate. - * - * @param is input stream to read data from - * @return a X.509 certificate, or NULL if the given data does not - * represent a valid certificate - */ - static ref import(utility::inputStream& is); - - /** Imports a DER or PEM encoded X.509 certificate. - * - * @param data points to raw data - * @param length size of data - * @return a X.509 certificate, or NULL if the given data does not - * represent a valid certificate - */ - static ref import(const byte* data, const unsigned int length); - - /** Exports this X.509 certificate to the specified format. - * - * @param os output stream into which write data - * @param format output format - */ - void write(utility::outputStream& os, const Format format) const; - - /** Returns the X.509 certificate's serial number. This is obtained - * by the X.509 Certificate 'serialNumber' field. Serial is not - * always a 32 or 64bit number. Some CAs use large serial numbers, - * thus it may be wise to handle it as something opaque. - * - * @return serial number of this certificate - */ - const byteArray getSerialNumber() const; - - /** Checks if this certificate has the given issuer. - * - * @param issuer certificate of a possible issuer - * @return true if this certificate was issued by the given issuer, - * false otherwise - */ - const bool checkIssuer(ref issuer) const; - - /** Verifies this certificate against a given trusted one. - * - * @param caCert a certificate that is considered to be trusted one - * @return true if the verification succeeded, false otherwise - */ - const bool verify(ref caCert) const; - - /** Gets the expiration date of this certificate. This is the date - * at which this certificate will not be valid anymore. - * - * @return expiration date of this certificate - */ - const datetime getExpirationDate() const; - - /** Gets the activation date of this certificate. This is the date - * at which this certificate will be valid. - * - * @return activation date of this certificate - */ - const datetime getActivationDate() const; - - /** Returns the fingerprint of this certificate. - * - * @return the fingerprint of this certificate - */ - const byteArray getFingerprint(const DigestAlgorithm algo) const; - - - // Implementation of 'certificate' - const byteArray getEncoded() const; - const string getType() const; - const int getVersion() const; - const bool equals(ref other) const; - -private: - - class X509CertificateInternalData* m_data; -}; - - -} // tls -} // net -} // vmime - - -#endif // VMIME_NET_TLS_X509CERTIFICATE_HPP_INCLUDED - diff --git a/vmime/net/tls/certificate.hpp b/vmime/net/tls/certificate.hpp deleted file mode 100644 index c070484b..00000000 --- a/vmime/net/tls/certificate.hpp +++ /dev/null @@ -1,77 +0,0 @@ -// -// VMime library (http://www.vmime.org) -// Copyright (C) 2002-2005 Vincent Richard -// -// This program is free software; you can redistribute it and/or -// modify it under the terms of the GNU General Public License as -// published by the Free Software Foundation; either version 2 of -// the License, or (at your option) any later version. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// Linking this library statically or dynamically with other modules is making -// a combined work based on this library. Thus, the terms and conditions of -// the GNU General Public License cover the whole combination. -// - -#ifndef VMIME_NET_TLS_CERTIFICATE_HPP_INCLUDED -#define VMIME_NET_TLS_CERTIFICATE_HPP_INCLUDED - - -#include "vmime/types.hpp" - - -namespace vmime { -namespace net { -namespace tls { - - -/** Identity certificate for a peer. - */ -class certificate : public object -{ -public: - - /** Returns the encoded form of this certificate (for example, - * X.509 certificates are encoded as ASN.1 DER). - * - * @return the encoded form of this certificate - */ - virtual const byteArray getEncoded() const = 0; - - /** Return the type of this certificate. - * - * @return the type of this certificate - */ - virtual const string getType() const = 0; - - /** Return the version of this certificate. - * - * @return the version of this certificate - */ - virtual const int getVersion() const = 0; - - /** Checks if two certificates are the same. - * - * @param other certificate to compare with - * @return true if the two certificates are the same, - * false otherwise - */ - virtual const bool equals(ref other) const = 0; -}; - - -} // tls -} // net -} // vmime - - -#endif // VMIME_NET_TLS_CERTIFICATE_HPP_INCLUDED - diff --git a/vmime/net/tls/certificateChain.hpp b/vmime/net/tls/certificateChain.hpp deleted file mode 100644 index 332e3f70..00000000 --- a/vmime/net/tls/certificateChain.hpp +++ /dev/null @@ -1,79 +0,0 @@ -// -// VMime library (http://www.vmime.org) -// Copyright (C) 2002-2005 Vincent Richard -// -// This program is free software; you can redistribute it and/or -// modify it under the terms of the GNU General Public License as -// published by the Free Software Foundation; either version 2 of -// the License, or (at your option) any later version. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// Linking this library statically or dynamically with other modules is making -// a combined work based on this library. Thus, the terms and conditions of -// the GNU General Public License cover the whole combination. -// - -#ifndef VMIME_NET_TLS_CERTIFICATECHAIN_HPP_INCLUDED -#define VMIME_NET_TLS_CERTIFICATECHAIN_HPP_INCLUDED - - -#include "vmime/types.hpp" - -#include "vmime/net/tls/certificate.hpp" - - -namespace vmime { -namespace net { -namespace tls { - - -/** An ordered list of certificates, from the subject certificate to - * the issuer certificate. - */ -class certificateChain : public object -{ -public: - - /** Construct a new certificateChain object given an ordered list - * of certificates. - * - * @param certs chain of certificates - */ - certificateChain(const std::vector >& certs); - - /** Return the number of certificates in the chain. - * - * @return number of certificates in the chain - */ - const unsigned int getCount() const; - - /** Return the certificate at the specified position. 0 is the - * subject certificate, 1 is the issuer's certificate, 2 is - * the issuer's issuer, etc. - * - * @param index position at which to retrieve certificate - * @return certificate at the specified position - */ - ref getAt(const unsigned int index); - -protected: - - std::vector > m_certs; -}; - - -} // tls -} // net -} // vmime - - -#endif // VMIME_NET_TLS_CERTIFICATECHAIN_HPP_INCLUDED - diff --git a/vmime/net/tls/certificateVerifier.hpp b/vmime/net/tls/certificateVerifier.hpp deleted file mode 100644 index fd235b48..00000000 --- a/vmime/net/tls/certificateVerifier.hpp +++ /dev/null @@ -1,60 +0,0 @@ -// -// VMime library (http://www.vmime.org) -// Copyright (C) 2002-2005 Vincent Richard -// -// This program is free software; you can redistribute it and/or -// modify it under the terms of the GNU General Public License as -// published by the Free Software Foundation; either version 2 of -// the License, or (at your option) any later version. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// Linking this library statically or dynamically with other modules is making -// a combined work based on this library. Thus, the terms and conditions of -// the GNU General Public License cover the whole combination. -// - -#ifndef VMIME_NET_TLS_CERTIFICATEVERIFIER_HPP_INCLUDED -#define VMIME_NET_TLS_CERTIFICATEVERIFIER_HPP_INCLUDED - - -#include "vmime/types.hpp" - -#include "vmime/net/tls/certificateChain.hpp" - - -namespace vmime { -namespace net { -namespace tls { - - -/** Verify that a certificate path issued by a server can be trusted. - */ -class certificateVerifier : public object -{ -public: - - /** Verify that the specified certificate chain is trusted. - * - * @param chain certificate chain - * @throw exceptions::certificate_verification_exception if one - * or more certificates can not be trusted - */ - virtual void verify(ref chain) = 0; -}; - - -} // tls -} // net -} // vmime - - -#endif // VMIME_NET_TLS_CERTIFICATEVERIFIER_HPP_INCLUDED - diff --git a/vmime/net/tls/defaultCertificateVerifier.hpp b/vmime/net/tls/defaultCertificateVerifier.hpp deleted file mode 100644 index 3713fd21..00000000 --- a/vmime/net/tls/defaultCertificateVerifier.hpp +++ /dev/null @@ -1,88 +0,0 @@ -// -// VMime library (http://www.vmime.org) -// Copyright (C) 2002-2005 Vincent Richard -// -// This program is free software; you can redistribute it and/or -// modify it under the terms of the GNU General Public License as -// published by the Free Software Foundation; either version 2 of -// the License, or (at your option) any later version. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// Linking this library statically or dynamically with other modules is making -// a combined work based on this library. Thus, the terms and conditions of -// the GNU General Public License cover the whole combination. -// - -#ifndef VMIME_NET_TLS_DEFAULTCERTIFICATEVERIFIER_HPP_INCLUDED -#define VMIME_NET_TLS_DEFAULTCERTIFICATEVERIFIER_HPP_INCLUDED - - -#include "vmime/net/tls/certificateVerifier.hpp" - - -namespace vmime { -namespace net { -namespace tls { - - -class X509Certificate; - - -/** Default implementation for certificate verification. - */ -class defaultCertificateVerifier : public certificateVerifier -{ -private: - - defaultCertificateVerifier(const defaultCertificateVerifier&); - -public: - - defaultCertificateVerifier(); - ~defaultCertificateVerifier(); - - /** Sets a list of X.509 certificates that are trusted. - * - * @param trustedCerts list of trusted certificates - */ - void setX509TrustedCerts(const std::vector >& trustedCerts); - - /** Sets the X.509 root CAs used for certificate verification. - * - * @param caCerts list of root CAs - */ - void setX509RootCAs(const std::vector >& caCerts); - - - // Implementation of 'certificateVerifier' - void verify(ref chain); - -private: - - /** Verify a chain of X.509 certificates. - * - * @param chain list of X.509 certificates - */ - void verifyX509(ref chain); - - - std::vector > m_x509RootCAs; - std::vector > m_x509TrustedCerts; -}; - - -} // tls -} // net -} // vmime - - -#endif // VMIME_NET_TLS_DEFAULTCERTIFICATEVERIFIER_HPP_INCLUDED - diff --git a/vmime/security/cert/X509Certificate.hpp b/vmime/security/cert/X509Certificate.hpp new file mode 100644 index 00000000..45c50060 --- /dev/null +++ b/vmime/security/cert/X509Certificate.hpp @@ -0,0 +1,158 @@ +// +// VMime library (http://www.vmime.org) +// Copyright (C) 2002-2005 Vincent Richard +// +// This program is free software; you can redistribute it and/or +// modify it under the terms of the GNU General Public License as +// published by the Free Software Foundation; either version 2 of +// the License, or (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// Linking this library statically or dynamically with other modules is making +// a combined work based on this library. Thus, the terms and conditions of +// the GNU General Public License cover the whole combination. +// + +#ifndef VMIME_SECURITY_CERT_X509CERTIFICATE_HPP_INCLUDED +#define VMIME_SECURITY_CERT_X509CERTIFICATE_HPP_INCLUDED + + +#include "vmime/security/cert/certificate.hpp" + +#include "vmime/utility/stream.hpp" + +#include "vmime/base.hpp" +#include "vmime/dateTime.hpp" + + +namespace vmime { +namespace security { +namespace cert { + + +/** Identity certificate based on X.509 standard. + */ +class X509Certificate : public certificate +{ + friend class vmime::creator; + +protected: + + X509Certificate(); + X509Certificate(const X509Certificate&); + +public: + + ~X509Certificate(); + + /** Supported encodings for X.509 certificates. */ + enum Format + { + FORMAT_DER, /**< DER encoding */ + FORMAT_PEM /**< PEM encoding */ + }; + + /** Supported digest algorithms (used for fingerprint). */ + enum DigestAlgorithm + { + DIGEST_MD5, /**< MD5 digest */ + DIGEST_SHA1 /**< SHA1 digest */ + }; + + + /** Imports a DER or PEM encoded X.509 certificate. + * + * @param is input stream to read data from + * @return a X.509 certificate, or NULL if the given data does not + * represent a valid certificate + */ + static ref import(utility::inputStream& is); + + /** Imports a DER or PEM encoded X.509 certificate. + * + * @param data points to raw data + * @param length size of data + * @return a X.509 certificate, or NULL if the given data does not + * represent a valid certificate + */ + static ref import(const byte* data, const unsigned int length); + + /** Exports this X.509 certificate to the specified format. + * + * @param os output stream into which write data + * @param format output format + */ + void write(utility::outputStream& os, const Format format) const; + + /** Returns the X.509 certificate's serial number. This is obtained + * by the X.509 Certificate 'serialNumber' field. Serial is not + * always a 32 or 64bit number. Some CAs use large serial numbers, + * thus it may be wise to handle it as something opaque. + * + * @return serial number of this certificate + */ + const byteArray getSerialNumber() const; + + /** Checks if this certificate has the given issuer. + * + * @param issuer certificate of a possible issuer + * @return true if this certificate was issued by the given issuer, + * false otherwise + */ + const bool checkIssuer(ref issuer) const; + + /** Verifies this certificate against a given trusted one. + * + * @param caCert a certificate that is considered to be trusted one + * @return true if the verification succeeded, false otherwise + */ + const bool verify(ref caCert) const; + + /** Gets the expiration date of this certificate. This is the date + * at which this certificate will not be valid anymore. + * + * @return expiration date of this certificate + */ + const datetime getExpirationDate() const; + + /** Gets the activation date of this certificate. This is the date + * at which this certificate will be valid. + * + * @return activation date of this certificate + */ + const datetime getActivationDate() const; + + /** Returns the fingerprint of this certificate. + * + * @return the fingerprint of this certificate + */ + const byteArray getFingerprint(const DigestAlgorithm algo) const; + + + // Implementation of 'certificate' + const byteArray getEncoded() const; + const string getType() const; + const int getVersion() const; + const bool equals(ref other) const; + +private: + + class X509CertificateInternalData* m_data; +}; + + +} // cert +} // security +} // vmime + + +#endif // VMIME_SECURITY_CERT_X509CERTIFICATE_HPP_INCLUDED + diff --git a/vmime/security/cert/certificate.hpp b/vmime/security/cert/certificate.hpp new file mode 100644 index 00000000..1c967f84 --- /dev/null +++ b/vmime/security/cert/certificate.hpp @@ -0,0 +1,77 @@ +// +// VMime library (http://www.vmime.org) +// Copyright (C) 2002-2005 Vincent Richard +// +// This program is free software; you can redistribute it and/or +// modify it under the terms of the GNU General Public License as +// published by the Free Software Foundation; either version 2 of +// the License, or (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// Linking this library statically or dynamically with other modules is making +// a combined work based on this library. Thus, the terms and conditions of +// the GNU General Public License cover the whole combination. +// + +#ifndef VMIME_SECURITY_CERT_CERTIFICATE_HPP_INCLUDED +#define VMIME_SECURITY_CERT_CERTIFICATE_HPP_INCLUDED + + +#include "vmime/types.hpp" + + +namespace vmime { +namespace security { +namespace cert { + + +/** Identity certificate for a peer. + */ +class certificate : public object +{ +public: + + /** Returns the encoded form of this certificate (for example, + * X.509 certificates are encoded as ASN.1 DER). + * + * @return the encoded form of this certificate + */ + virtual const byteArray getEncoded() const = 0; + + /** Return the type of this certificate. + * + * @return the type of this certificate + */ + virtual const string getType() const = 0; + + /** Return the version of this certificate. + * + * @return the version of this certificate + */ + virtual const int getVersion() const = 0; + + /** Checks if two certificates are the same. + * + * @param other certificate to compare with + * @return true if the two certificates are the same, + * false otherwise + */ + virtual const bool equals(ref other) const = 0; +}; + + +} // cert +} // security +} // vmime + + +#endif // VMIME_SECURITY_CERT_CERTIFICATE_HPP_INCLUDED + diff --git a/vmime/security/cert/certificateChain.hpp b/vmime/security/cert/certificateChain.hpp new file mode 100644 index 00000000..c9d2f1d0 --- /dev/null +++ b/vmime/security/cert/certificateChain.hpp @@ -0,0 +1,79 @@ +// +// VMime library (http://www.vmime.org) +// Copyright (C) 2002-2005 Vincent Richard +// +// This program is free software; you can redistribute it and/or +// modify it under the terms of the GNU General Public License as +// published by the Free Software Foundation; either version 2 of +// the License, or (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// Linking this library statically or dynamically with other modules is making +// a combined work based on this library. Thus, the terms and conditions of +// the GNU General Public License cover the whole combination. +// + +#ifndef VMIME_SECURITY_CERT_CERTIFICATECHAIN_HPP_INCLUDED +#define VMIME_SECURITY_CERT_CERTIFICATECHAIN_HPP_INCLUDED + + +#include "vmime/types.hpp" + +#include "vmime/security/cert/certificate.hpp" + + +namespace vmime { +namespace security { +namespace cert { + + +/** An ordered list of certificates, from the subject certificate to + * the issuer certificate. + */ +class certificateChain : public object +{ +public: + + /** Construct a new certificateChain object given an ordered list + * of certificates. + * + * @param certs chain of certificates + */ + certificateChain(const std::vector >& certs); + + /** Return the number of certificates in the chain. + * + * @return number of certificates in the chain + */ + const unsigned int getCount() const; + + /** Return the certificate at the specified position. 0 is the + * subject certificate, 1 is the issuer's certificate, 2 is + * the issuer's issuer, etc. + * + * @param index position at which to retrieve certificate + * @return certificate at the specified position + */ + ref getAt(const unsigned int index); + +protected: + + std::vector > m_certs; +}; + + +} // cert +} // security +} // vmime + + +#endif // VMIME_SECURITY_CERT_CERTIFICATECHAIN_HPP_INCLUDED + diff --git a/vmime/security/cert/certificateVerifier.hpp b/vmime/security/cert/certificateVerifier.hpp new file mode 100644 index 00000000..0b62fb89 --- /dev/null +++ b/vmime/security/cert/certificateVerifier.hpp @@ -0,0 +1,60 @@ +// +// VMime library (http://www.vmime.org) +// Copyright (C) 2002-2005 Vincent Richard +// +// This program is free software; you can redistribute it and/or +// modify it under the terms of the GNU General Public License as +// published by the Free Software Foundation; either version 2 of +// the License, or (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// Linking this library statically or dynamically with other modules is making +// a combined work based on this library. Thus, the terms and conditions of +// the GNU General Public License cover the whole combination. +// + +#ifndef VMIME_SECURITY_CERT_CERTIFICATEVERIFIER_HPP_INCLUDED +#define VMIME_SECURITY_CERT_CERTIFICATEVERIFIER_HPP_INCLUDED + + +#include "vmime/types.hpp" + +#include "vmime/security/cert/certificateChain.hpp" + + +namespace vmime { +namespace security { +namespace cert { + + +/** Verify that a certificate path issued by a server can be trusted. + */ +class certificateVerifier : public object +{ +public: + + /** Verify that the specified certificate chain is trusted. + * + * @param chain certificate chain + * @throw exceptions::certificate_verification_exception if one + * or more certificates can not be trusted + */ + virtual void verify(ref chain) = 0; +}; + + +} // cert +} // security +} // vmime + + +#endif // VMIME_SECURITY_CERT_CERTIFICATEVERIFIER_HPP_INCLUDED + diff --git a/vmime/security/cert/defaultCertificateVerifier.hpp b/vmime/security/cert/defaultCertificateVerifier.hpp new file mode 100644 index 00000000..b4df6e8c --- /dev/null +++ b/vmime/security/cert/defaultCertificateVerifier.hpp @@ -0,0 +1,88 @@ +// +// VMime library (http://www.vmime.org) +// Copyright (C) 2002-2005 Vincent Richard +// +// This program is free software; you can redistribute it and/or +// modify it under the terms of the GNU General Public License as +// published by the Free Software Foundation; either version 2 of +// the License, or (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// Linking this library statically or dynamically with other modules is making +// a combined work based on this library. Thus, the terms and conditions of +// the GNU General Public License cover the whole combination. +// + +#ifndef VMIME_SECURITY_CERT_DEFAULTCERTIFICATEVERIFIER_HPP_INCLUDED +#define VMIME_SECURITY_CERT_DEFAULTCERTIFICATEVERIFIER_HPP_INCLUDED + + +#include "vmime/security/cert/certificateVerifier.hpp" + + +namespace vmime { +namespace security { +namespace cert { + + +class X509Certificate; + + +/** Default implementation for certificate verification. + */ +class defaultCertificateVerifier : public certificateVerifier +{ +private: + + defaultCertificateVerifier(const defaultCertificateVerifier&); + +public: + + defaultCertificateVerifier(); + ~defaultCertificateVerifier(); + + /** Sets a list of X.509 certificates that are trusted. + * + * @param trustedCerts list of trusted certificates + */ + void setX509TrustedCerts(const std::vector >& trustedCerts); + + /** Sets the X.509 root CAs used for certificate verification. + * + * @param caCerts list of root CAs + */ + void setX509RootCAs(const std::vector >& caCerts); + + + // Implementation of 'certificateVerifier' + void verify(ref chain); + +private: + + /** Verify a chain of X.509 certificates. + * + * @param chain list of X.509 certificates + */ + void verifyX509(ref chain); + + + std::vector > m_x509RootCAs; + std::vector > m_x509TrustedCerts; +}; + + +} // cert +} // security +} // vmime + + +#endif // VMIME_SECURITY_CERT_DEFAULTCERTIFICATEVERIFIER_HPP_INCLUDED + diff --git a/vmime/vmime.hpp b/vmime/vmime.hpp index 337f91f2..36b9e0e3 100644 --- a/vmime/vmime.hpp +++ b/vmime/vmime.hpp @@ -124,13 +124,13 @@ // Net/TLS #if VMIME_HAVE_TLS_SUPPORT - #include "vmime/net/tls/certificate.hpp" - #include "vmime/net/tls/certificateChain.hpp" - #include "vmime/net/tls/certificateVerifier.hpp" + #include "vmime/security/cert/certificate.hpp" + #include "vmime/security/cert/certificateChain.hpp" + #include "vmime/security/cert/certificateVerifier.hpp" - #include "vmime/net/tls/X509Certificate.hpp" + #include "vmime/security/cert/X509Certificate.hpp" - #include "vmime/net/tls/defaultCertificateVerifier.hpp" + #include "vmime/security/cert/defaultCertificateVerifier.hpp" #include "vmime/net/tls/TLSSession.hpp" #endif // VMIME_HAVE_TLS_SUPPORT -- cgit v1.2.3