XRootD
Loading...
Searching...
No Matches
XrdCryptosslX509Crl.cc
Go to the documentation of this file.
1/******************************************************************************/
2/* */
3/* X r d C r y p t o s s l X 5 0 9 C r l. c c */
4/* */
5/* (c) 2005 G. Ganis , CERN */
6/* */
7/* This file is part of the XRootD software suite. */
8/* */
9/* XRootD is free software: you can redistribute it and/or modify it under */
10/* the terms of the GNU Lesser General Public License as published by the */
11/* Free Software Foundation, either version 3 of the License, or (at your */
12/* option) any later version. */
13/* */
14/* XRootD is distributed in the hope that it will be useful, but WITHOUT */
15/* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or */
16/* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public */
17/* License for more details. */
18/* */
19/* You should have received a copy of the GNU Lesser General Public License */
20/* along with XRootD in a file called COPYING.LESSER (LGPL license) and file */
21/* COPYING (GPL license). If not, see <http://www.gnu.org/licenses/>. */
22/* */
23/* The copyright holder's institutional names and contributor's names may not */
24/* be used to endorse or promote products derived from this software without */
25/* specific prior written permission of the institution or contributor. */
26/* */
27/******************************************************************************/
28
29/* ************************************************************************** */
30/* */
31/* OpenSSL implementation of XrdCryptoX509Crl */
32/* */
33/* ************************************************************************** */
34#include "XrdCrypto/XrdCryptosslRSA.hh"
35#include "XrdCrypto/XrdCryptosslX509Crl.hh"
36#include "XrdCrypto/XrdCryptosslAux.hh"
37#include "XrdCrypto/XrdCryptosslTrace.hh"
38
39#include <openssl/bn.h>
40#include <openssl/pem.h>
41
42#include <cerrno>
43#include <ctime>
44
45#include <fcntl.h>
46#include <sys/types.h>
47#include <sys/stat.h>
48#include <unistd.h>
49
50//_____________________________________________________________________________
51XrdCryptosslX509Crl::XrdCryptosslX509Crl(const char *cf, int opt)
52 : XrdCryptoX509Crl()
53{
54 // Constructor certificate from file 'cf'.
55 EPNAME("X509Crl::XrdCryptosslX509Crl_file");
56
57 // Make sure file name is defined;
58 if (opt == 0) {
59 if (Init(cf) != 0) {
60 DEBUG("could not initialize the CRL from "<<cf);
61 return;
62 }
63 } else {
64 if (InitFromURI(cf, 0) != 0) {
65 DEBUG("could not initialize the CRL from URI"<<cf);
66 return;
67 }
68 }
69}
70
71//_____________________________________________________________________________
72XrdCryptosslX509Crl::XrdCryptosslX509Crl(FILE *fc, const char *cf)
73{
74 // Constructe CRL from a FILE handle `fc` with (assumed) filename `cf`.
75 EPNAME("X509Crl::XrdCryptosslX509Crl_file");
76
77 if (Init(fc, cf)) {
78 DEBUG("could not initialize the CRL from " << cf);
79 return;
80 }
81}
82
83//_____________________________________________________________________________
84XrdCryptosslX509Crl::XrdCryptosslX509Crl(XrdCryptoX509 *cacert)
85 : XrdCryptoX509Crl()
86{
87 // Constructor certificate from CA certificate 'cacert'. This constructor
88 // extracts the information about the location of the CRL cerificate from the
89 // CA certificate extension 'crlDistributionPoints', downloads the file and
90 // loads it in the cache
91 EPNAME("X509Crl::XrdCryptosslX509Crl_CA");
92
93 // The CA certificate must be defined
94 if (!cacert || cacert->type != XrdCryptoX509::kCA) {
95 DEBUG("the CA certificate is undefined or not CA! ("<<cacert<<")");
96 return;
97 }
98
99 // Get the extension
100 X509_EXTENSION *crlext = (X509_EXTENSION *) cacert->GetExtension("crlDistributionPoints");
101 if (!crlext) {
102 DEBUG("extension 'crlDistributionPoints' not found in the CA certificate");
103 return;
104 }
105
106 // Bio for exporting the extension
107 BIO *bext = BIO_new(BIO_s_mem());
108 ASN1_OBJECT *obj = X509_EXTENSION_get_object(crlext);
109 i2a_ASN1_OBJECT(bext, obj);
110 X509V3_EXT_print(bext, crlext, 0, 4);
111 // data length
112 char *cbio = 0;
113 int lbio = (int) BIO_get_mem_data(bext, &cbio);
114 char *buf = (char *) malloc(lbio+1);
115 // Read key from BIO to buf
116 memcpy(buf, cbio, lbio);
117 buf[lbio] = 0;
118 BIO_free(bext);
119 // Save it
120 XrdOucString uris(buf);
121 free(buf);
122
123 DEBUG("URI string: "<< uris);
124
125 XrdOucString uri;
126 int from = 0;
127 while ((from = uris.tokenize(uri, from, ' ')) != -1) {
128 if (uri.beginswith("URI:")) {
129 uri.replace("URI:","");
130 uri.replace("\n","");
131 if (InitFromURI(uri.c_str(), cacert->SubjectHash()) == 0) {
132 crluri = uri;
133 // We are done
134 break;
135 }
136 }
137 }
138}
139
140//_____________________________________________________________________________
141XrdCryptosslX509Crl::~XrdCryptosslX509Crl()
142{
143 // Destructor
144
145 // Cleanup CRL
146 if (crl)
147 X509_CRL_free(crl);
148}
149
150//_____________________________________________________________________________
151int XrdCryptosslX509Crl::Init(const char *cf)
152{
153 // Load a CRL from an open file handle; for debugging purposes,
154 // we assume it's loaded from file named `cf`.
155 EPNAME("X509Crl::Init");
156
157 // Make sure file name is defined;
158 if (!cf) {
159 DEBUG("file name undefined");
160 return -1;
161 }
162
163 // Make sure file exists;
164 int fd = open(cf, O_RDONLY);
165
166 if (fd == -1) {
167 if (errno == ENOENT) {
168 DEBUG("file "<<cf<<" does not exist - do nothing");
169 } else {
170 DEBUG("cannot open file "<<cf<<" (errno: "<<errno<<")");
171 }
172 return -1;
173 }
174
175 // Open file in read mode
176 FILE *fc = fdopen(fd, "r");
177
178 if (!fc) {
179 DEBUG("cannot open file "<<cf<<" (errno: "<<errno<<")");
180 close(fd);
181 return -1;
182 }
183
184 auto rval = Init(fc, cf);
185
186 //
187 // Close the file
188 fclose(fc);
189
190 return rval;
191}
192
193
194//_____________________________________________________________________________
195int XrdCryptosslX509Crl::Init(FILE *fc, const char *cf)
196{
197 // Constructor certificate from file 'cf'.
198 // Return 0 on success, -1 on failure
199 EPNAME("X509Crl::Init");
200
201 //
202 // Read the content:
203 if (!PEM_read_X509_CRL(fc, &crl, 0, 0)) {
204 DEBUG("Unable to load CRL from file");
205 return -1;
206 }
207
208 //
209 // Notify
210 DEBUG("CRL successfully loaded from "<< cf);
211
212 //
213 // Save source file name
214 srcfile = cf;
215 //
216 // Init some of the private members (the others upon need)
217 Issuer();
218 //
219 // Load into cache
220 LoadCache();
221 //
222 // Done
223 return 0;
224}
225
226//_____________________________________________________________________________
227int XrdCryptosslX509Crl::InitFromURI(const char *uri, const char *hash)
228{
229 // Initialize the CRL taking the file indicated by URI. Download and
230 // reformat the file first.
231 // Returns 0 on success, -1 on failure.
232 EPNAME("X509Crl::InitFromURI");
233
234 // Make sure file name is defined;
235 if (!uri) {
236 DEBUG("uri undefined");
237 return -1;
238 }
239 XrdOucString u(uri), h(hash);
240 if (h == "") {
241 int isl = u.rfind('/');
242 if (isl != STR_NPOS) h.assign(u, isl + 1);
243 }
244 if (h == "") h = "hashtmp";
245
246 // Create local output file path
247 XrdOucString outtmp(getenv("TMPDIR")), outpem;
248 if (outtmp.length() <= 0) outtmp = "/tmp";
249 if (!outtmp.endswith("/")) outtmp += "/";
250 outtmp += h;
251 outtmp += ".crltmp";
252
253 // Prepare 'wget' command
254 XrdOucString cmd("wget ");
255 cmd += uri;
256 cmd += " -O ";
257 cmd += outtmp;
258
259 // Execute 'wget'
260 DEBUG("executing ... "<<cmd);
261 if (system(cmd.c_str()) == -1) {
262 DEBUG("'system' could not fork to execute command '"<<cmd<<"'");
263 return -1;
264 }
265 struct stat st;
266 if (stat(outtmp.c_str(), &st) != 0) {
267 DEBUG("did not manage to get the CRL file from "<<uri);
268 return -1;
269 }
270 outpem = outtmp;
271
272 // Find out the file type
273 int needsopenssl = GetFileType(outtmp.c_str());
274 if (needsopenssl < 0) {
275 DEBUG("did not manage to coorectly parse "<<outtmp);
276 return -1;
277 }
278
279 if (needsopenssl > 0) {
280 // Put it in PEM format
281 outpem.replace(".crltmp", ".pem");
282 cmd = "openssl crl -inform DER -in ";
283 cmd += outtmp;
284 cmd += " -out ";
285 cmd += outpem;
286 cmd += " -text";
287
288 // Execute 'openssl crl'
289 DEBUG("executing ... "<<cmd);
290 if (system(cmd.c_str()) == -1) {
291 DEBUG("system: problem executing: "<<cmd);
292 return -1;
293 }
294
295 // Cleanup the temporary files
296 if (unlink(outtmp.c_str()) != 0) {
297 DEBUG("problems removing "<<outtmp);
298 }
299 }
300
301 // Make sure the file is there
302 if (stat(outpem.c_str(), &st) != 0) {
303 DEBUG("did not manage to change format from DER to PEM ("<<outpem<<")");
304 return -1;
305 }
306
307 // Now init from the new file
308 if (Init(outpem.c_str()) != 0) {
309 DEBUG("could not initialize the CRL from "<<outpem);
310 return -1;
311 }
312
313 // Cleanup the temporary files
314 unlink(outpem.c_str());
315
316 //
317 // Done
318 return 0;
319}
320
321//_____________________________________________________________________________
322bool XrdCryptosslX509Crl::ToFile(FILE *fh)
323{
324 // Write the CRL's contents to a file in the PEM format.
325 EPNAME("ToFile");
326
327 if (!crl) {
328 DEBUG("CRL object invalid; cannot write to a file");
329 return false;
330 }
331
332 if (PEM_write_X509_CRL(fh, crl) == 0) {
333 DEBUG("Unable to write CRL to file");
334 return false;
335 }
336
337 //
338 // Notify
339 DEBUG("CRL successfully written to file");
340
341 return true;
342}
343
344//_____________________________________________________________________________
345int XrdCryptosslX509Crl::GetFileType(const char *crlfn)
346{
347 // Try to understand if file 'crlfn' is in DER (binary) or PEM (ASCII)
348 // format (assume that is not ASCII is a DER).
349 // Return 1 if not-PEM, 0 if PEM, -1 if any error occurred
350 EPNAME("GetFileType");
351
352 if (!crlfn || strlen(crlfn) <= 0) {
353 PRINT("file name undefined!");
354 return -1;
355 }
356
357 char line[1024] = {0};
358 FILE *f = fopen(crlfn, "r");
359 if (!f) {
360 PRINT("could not open file "<<crlfn<<" - errno: "<<(int)errno);
361 return -1;
362 }
363
364 int rc = 1;
365 while (fgets(line, 1024, f)) {
366 // Skip empty lines at beginning
367 if (line[0] == '\n') continue;
368 // Analyse line for '-----BEGIN X509 CRL-----'
369 if (strstr(line, "BEGIN X509 CRL")) rc = 0;
370 break;
371 }
372 // Close the files
373 fclose(f);
374 // Done
375 return rc;
376}
377
378bool XrdCryptosslX509Crl::hasCriticalExtension() {
379 // If the X509_CRL_get_ext_by_critical() function returns -1, no critical extension
380 // has been found
381 return X509_CRL_get_ext_by_critical(crl,1,-1) != -1;
382}
383
384//_____________________________________________________________________________
385int XrdCryptosslX509Crl::LoadCache()
386{
387 // Load relevant info into the cache
388 // Return 0 if ok, -1 in case of error
389 EPNAME("LoadCache");
390
391 // The CRL must exists
392 if (!crl) {
393 DEBUG("CRL undefined");
394 return -1;
395 }
396
397 // Parse CRL
398 STACK_OF(X509_REVOKED *) rsk = X509_CRL_get_REVOKED(crl);
399 if (!rsk) {
400 DEBUG("could not get stack of revoked instances");
401 return -1;
402 }
403
404 // Number of revocations
405 nrevoked = sk_X509_REVOKED_num(rsk);
406 DEBUG(nrevoked << "certificates have been revoked");
407 if (nrevoked <= 0) {
408 DEBUG("no valid certificate has been revoked - nothing to do");
409 return 0;
410 }
411
412 // Get serial numbers of revoked certificates
413 char *tagser = 0;
414 int i = 0;
415 for (; i < nrevoked; i++ ){
416 X509_REVOKED *rev = sk_X509_REVOKED_value(rsk,i);
417 if (rev) {
418 BIGNUM *bn = BN_new();
419 ASN1_INTEGER_to_BN(X509_REVOKED_get0_serialNumber(rev), bn);
420 tagser = BN_bn2hex(bn);
421 BN_free(bn);
422 TRACE(Dump, "certificate with serial number: "<<tagser<<
423 " has been revoked");
424 // Add to the cache
425 bool rdlock = false;
426 XrdSutCacheEntry *cent = cache.Get((const char *)tagser, rdlock);
427 if (!cent) {
428 DEBUG("problems getting entry in the cache");
429 return -1;
430 }
431 // Add revocation date
432 cent->mtime = XrdCryptosslASN1toUTC(X509_REVOKED_get0_revocationDate(rev));
433 // Set status
434 cent->mtime = kCE_ok;
435 // Release the string for the serial number
436 OPENSSL_free(tagser);
437 // Unlock the entry
438 cent->rwmtx.UnLock();
439 }
440 }
441
442 return 0;
443}
444
445//_____________________________________________________________________________
446time_t XrdCryptosslX509Crl::LastUpdate()
447{
448 // Time of last update
449
450 // If we do not have it already, try extraction
451 if (lastupdate < 0) {
452 // Make sure we have a CRL
453 if (crl)
454 // Extract UTC time in secs from Epoch
455 lastupdate = XrdCryptosslASN1toUTC(X509_CRL_get0_lastUpdate(crl));
456 }
457 // return what we have
458 return lastupdate;
459}
460
461//_____________________________________________________________________________
462time_t XrdCryptosslX509Crl::NextUpdate()
463{
464 // Time of next update
465
466 // If we do not have it already, try extraction
467 if (nextupdate < 0) {
468 // Make sure we have a CRL
469 if (crl)
470 // Extract UTC time in secs from Epoch
471 nextupdate = XrdCryptosslASN1toUTC(X509_CRL_get0_nextUpdate(crl));
472 }
473 // return what we have
474 return nextupdate;
475}
476
477//_____________________________________________________________________________
478const char *XrdCryptosslX509Crl::Issuer()
479{
480 // Return issuer name
481 EPNAME("X509Crl::Issuer");
482
483 // If we do not have it already, try extraction
484 if (issuer.length() <= 0) {
485
486 // Make sure we have a CRL
487 if (!crl) {
488 DEBUG("WARNING: no CRL available - cannot extract issuer name");
489 return (const char *)0;
490 }
491
492 // Extract issuer name
493 XrdCryptosslNameOneLine(X509_CRL_get_issuer(crl), issuer);
494 }
495
496 // return what we have
497 return (issuer.length() > 0) ? issuer.c_str() : (const char *)0;
498}
499
500//_____________________________________________________________________________
501const char *XrdCryptosslX509Crl::IssuerHash(int alg)
502{
503 // Return hash of issuer name
504 // Use default algorithm (X509_NAME_hash) for alg = 0, old algorithm
505 // (for v>=1.0.0) when alg = 1
506 EPNAME("X509::IssuerHash");
507
508 if (alg == 1) {
509 // md5 based
510 if (issueroldhash.length() <= 0) {
511 // Make sure we have a certificate
512 if (crl) {
513 char chash[30] = {0};
514 snprintf(chash, sizeof(chash),
515 "%08lx.0",X509_NAME_hash_old(X509_CRL_get_issuer(crl)));
516 issueroldhash = chash;
517 } else {
518 DEBUG("WARNING: no certificate available - cannot extract issuer hash (md5)");
519 }
520 }
521 // return what we have
522 return (issueroldhash.length() > 0) ? issueroldhash.c_str() : (const char *)0;
523 }
524
525 // If we do not have it already, try extraction
526 if (issuerhash.length() <= 0) {
527
528 // Make sure we have a certificate
529 if (crl) {
530 char chash[30] = {0};
531 snprintf(chash, sizeof(chash),
532 "%08lx.0",X509_NAME_hash(X509_CRL_get_issuer(crl)));
533 issuerhash = chash;
534 } else {
535 DEBUG("WARNING: no certificate available - cannot extract issuer hash (default)");
536 }
537 }
538
539 // return what we have
540 return (issuerhash.length() > 0) ? issuerhash.c_str() : (const char *)0;
541}
542
543//_____________________________________________________________________________
544bool XrdCryptosslX509Crl::Verify(XrdCryptoX509 *ref)
545{
546 // Verify certificate signature with pub key of ref cert
547
548 // We must have been initialized
549 if (!crl)
550 return 0;
551
552 // We must have something to check with
553 X509 *r = ref ? (X509 *)(ref->Opaque()) : 0;
554 EVP_PKEY *rk = r ? X509_get_pubkey(r) : 0;
555 if (!rk)
556 return 0;
557
558 // Ok: we can verify
559 return (X509_CRL_verify(crl, rk) > 0);
560}
561
562//_____________________________________________________________________________
563bool XrdCryptosslX509Crl::IsRevoked(int serialnumber, int when)
564{
565 // Check if certificate with serialnumber is in the
566 // list of revocated certificates
567 EPNAME("IsRevoked");
568
569 // Reference time
570 int now = (when > 0) ? when : time(0);
571
572 // Warn if CRL should be updated
573 if (now > NextUpdate()) {
574 DEBUG("WARNING: CRL is expired: you should download the updated one");
575 }
576
577 // We must have something to check against
578 if (nrevoked <= 0) {
579 DEBUG("No certificate in the list");
580 return 0;
581 }
582
583 // Ok, build the tag
584 char tagser[20] = {0};
585 sprintf(tagser,"%x",serialnumber);
586
587 // Look into the cache
588 XrdSutCacheEntry *cent = cache.Get((const char *)tagser);
589 if (cent && cent->status == kCE_ok) {
590 // Check the revocation time
591 if (now > cent->mtime) {
592 DEBUG("certificate "<<tagser<<" has been revoked");
593 cent->rwmtx.UnLock();
594 return 1;
595 }
596 cent->rwmtx.UnLock();
597 }
598
599 // Certificate not revoked
600 return 0;
601}
602
603//_____________________________________________________________________________
604bool XrdCryptosslX509Crl::IsRevoked(const char *sernum, int when)
605{
606 // Check if certificate with 'sernum' is in the
607 // list of revocated certificates
608 EPNAME("IsRevoked");
609
610 // Reference time
611 int now = (when > 0) ? when : time(0);
612
613 // Warn if CRL should be updated
614 if (now > NextUpdate()) {
615 DEBUG("WARNING: CRL is expired: you should download the updated one");
616 }
617
618 // We must have something to check against
619 if (nrevoked <= 0) {
620 DEBUG("No certificate in the list");
621 return 0;
622 }
623
624 // Look into the cache
625 XrdSutCacheEntry *cent = cache.Get((const char *)sernum);
626 if (cent && cent->status == kCE_ok) {
627 // Check the revocation time
628 if (now > cent->mtime) {
629 DEBUG("certificate "<<sernum<<" has been revoked");
630 cent->rwmtx.UnLock();
631 return 1;
632 }
633 cent->rwmtx.UnLock();
634 }
635
636 // Certificate not revoked
637 return 0;
638}
639
640//_____________________________________________________________________________
641void XrdCryptosslX509Crl::Dump()
642{
643 // Dump content
644 EPNAME("X509Crl::Dump");
645
646 // Time strings
647 struct tm tst;
648 char stbeg[256] = {0};
649 time_t tbeg = LastUpdate();
650 localtime_r(&tbeg,&tst);
651 asctime_r(&tst,stbeg);
652 stbeg[strlen(stbeg)-1] = 0;
653 char stend[256] = {0};
654 time_t tend = NextUpdate();
655 localtime_r(&tend,&tst);
656 asctime_r(&tst,stend);
657 stend[strlen(stend)-1] = 0;
658
659 PRINT("+++++++++++++++ X509 CRL dump +++++++++++++++++++++++");
660 PRINT("+");
661 PRINT("+ File: "<<ParentFile());
662 PRINT("+");
663 PRINT("+ Issuer: "<<Issuer());
664 PRINT("+ Issuer hash: "<<IssuerHash(0));
665 PRINT("+");
666 if (IsExpired()) {
667 PRINT("+ Validity: (expired!)");
668 } else {
669 PRINT("+ Validity:");
670 }
671 PRINT("+ LastUpdate: "<<tbeg<<" UTC - "<<stbeg);
672 PRINT("+ NextUpdate: "<<tend<<" UTC - "<<stend);
673 PRINT("+");
674 PRINT("+ Number of revoked certificates: "<<nrevoked);
675 PRINT("+");
676 PRINT("+++++++++++++++++++++++++++++++++++++++++++++++++");
677}
DEBUG
#define DEBUG(x)
Definition XrdBwmTrace.hh:54
EPNAME
#define EPNAME(x)
Definition XrdBwmTrace.hh:56
XrdCryptosslNameOneLine
void XrdCryptosslNameOneLine(X509_NAME *nm, XrdOucString &s)
Definition XrdCryptosslAux.cc:736
XrdCryptosslASN1toUTC
time_t XrdCryptosslASN1toUTC(const ASN1_TIME *tsn1)
Definition XrdCryptosslAux.cc:675
PRINT
#define PRINT(y)
Definition XrdCryptosslTrace.hh:39
STR_NPOS
#define STR_NPOS
Definition XrdOucString.hh:250
fclose
int fclose(FILE *stream)
Definition XrdPosixPreload.cc:169
close
#define close(a)
Definition XrdPosix.hh:48
fopen
#define fopen(a, b)
Definition XrdPosix.hh:54
open
#define open
Definition XrdPosix.hh:76
unlink
#define unlink(a)
Definition XrdPosix.hh:113
stat
#define stat(a, b)
Definition XrdPosix.hh:101
kCE_ok
@ kCE_ok
Definition XrdSutCacheEntry.hh:45
TRACE
#define TRACE(act, x)
Definition XrdTrace.hh:63
XrdCryptoX509Crl::IsExpired
virtual bool IsExpired(int when=0)
Definition XrdCryptoX509Crl.cc:55
XrdCryptoX509Crl::IssuerHash
const char * IssuerHash()
Definition XrdCryptoX509Crl.hh:73
XrdCryptoX509::GetExtension
virtual XrdCryptoX509data GetExtension(const char *oid)
Definition XrdCryptoX509.cc:221
XrdCryptoX509::Opaque
virtual XrdCryptoX509data Opaque()
Definition XrdCryptoX509.cc:181
XrdCryptoX509::SubjectHash
virtual const char * SubjectHash(int)
Definition XrdCryptoX509.cc:165
XrdCryptosslX509Crl::XrdCryptosslX509Crl
XrdCryptosslX509Crl(const char *crlf, int opt=0)
Definition XrdCryptosslX509Crl.cc:51
XrdCryptosslX509Crl::IsRevoked
bool IsRevoked(int serialnumber, int when=0)
Definition XrdCryptosslX509Crl.cc:563
XrdCryptosslX509Crl::Verify
bool Verify(XrdCryptoX509 *ref)
Definition XrdCryptosslX509Crl.cc:544
XrdOucString::beginswith
bool beginswith(char c)
Definition XrdOucString.hh:289
XrdOucString::replace
int replace(const char *s1, const char *s2, int from=0, int to=-1)
Definition XrdOucString.cc:733
XrdOucString::tokenize
int tokenize(XrdOucString &tok, int from, char del=':')
Definition XrdOucString.cc:1220
XrdOucString::c_str
const char * c_str() const
Definition XrdOucString.hh:278