#include <Certificate.h>

Collaboration diagram for OpenDDS::Security::SSL::Certificate:

Public Types
typedef DCPS::unique_ptr< Certificate >	unique_ptr

Public Member Functions
	Certificate (const std::string &uri, const std::string &password="")

	Certificate (const DDS::OctetSeq &src)

	Certificate (const Certificate &other)

	Certificate ()

virtual	~Certificate ()

Certificate &	operator= (const Certificate &rhs)

bool	load (DDS::Security::SecurityException &ex, const std::string &uri, const std::string &password="")

int	validate (const Certificate &ca, unsigned long int flags=0u) const

int	verify_signature (const DDS::OctetSeq &src, const std::vector< const DDS::OctetSeq *> &expected_contents) const

int	subject_name_to_str (std::string &dst, unsigned long flags=XN_FLAG_ONELINE) const

int	subject_name_digest (std::vector< CORBA::Octet > &dst) const

int	serialize (DDS::OctetSeq &dst) const

int	deserialize (const DDS::OctetSeq &src)

const DDS::OctetSeq &	original_bytes () const

const char *	dsign_algo () const

const char *	keypair_algo () const

X509 *	x509 () const

Private Member Functions
bool	loaded ()

int	cache_dsign_algo ()

void	load_cert_bytes (const std::string &path)

void	load_cert_data_bytes (const std::string &data)

Static Private Member Functions
static X509 *	x509_from_pem (const std::string &path, const std::string &password="")

static X509 *	x509_from_pem (const DDS::OctetSeq &bytes, const std::string &password="")

Private Attributes
X509 *	x_

DDS::OctetSeq	original_bytes_

std::string	dsign_algo_

Friends
class	verify_signature_impl

OpenDDS_Security_Export std::ostream &	operator<< (std::ostream &, const Certificate &)

OpenDDS_Security_Export bool	operator== (const Certificate &lhs, const Certificate &rhs)

Detailed Description

Definition at line 29 of file Certificate.h.

Member Typedef Documentation

◆ unique_ptr

typedef DCPS::unique_ptr<Certificate> OpenDDS::Security::SSL::Certificate::unique_ptr

Definition at line 33 of file Certificate.h.

Constructor & Destructor Documentation

◆ Certificate() [1/4]

OpenDDS::Security::SSL::Certificate::Certificate	(	const std::string &	uri,
		const std::string &	password = `""`
	)

explicit

Definition at line 25 of file Certificate.cpp.

References ACE_ERROR, LM_WARNING, load(), and DDS::Security::SecurityException::message.

   : x_(0), original_bytes_(), dsign_algo_("")
 {
   DDS::Security::SecurityException ex;
   if (! load(ex, uri, password)) {
     ACE_ERROR((LM_WARNING, "(%P|%t) %C\n", ex.message.in()));
   }
 }

◆ Certificate() [2/4]

OpenDDS::Security::SSL::Certificate::Certificate ( const DDS::OctetSeq & src )

explicit

Definition at line 35 of file Certificate.cpp.

References deserialize().

   : x_(0), original_bytes_(), dsign_algo_("")
 {
   deserialize(src);
 }

◆ Certificate() [3/4]

OpenDDS::Security::SSL::Certificate::Certificate ( const Certificate & other )

Definition at line 46 of file Certificate.cpp.

References deserialize(), and original_bytes_.

   : x_(0), original_bytes_(), dsign_algo_("")
 {
   if (0 < other.original_bytes_.length()) {
     deserialize(other.original_bytes_);
   }
 }

◆ Certificate() [4/4]

OpenDDS::Security::SSL::Certificate::Certificate ( )

Definition at line 41 of file Certificate.cpp.

   : x_(0), original_bytes_(), dsign_algo_("")
 {
 }

◆ ~Certificate()

OpenDDS::Security::SSL::Certificate::~Certificate ( )

virtual

Definition at line 54 of file Certificate.cpp.

References x_.

 {
   if (x_) {
     X509_free(x_);
   }
 }

Member Function Documentation

◆ cache_dsign_algo()

int OpenDDS::Security::SSL::Certificate::cache_dsign_algo ( )

private

Returns: int 0 on success; 1 on failure.

Definition at line 426 of file Certificate.cpp.

References dsign_algo_, and x_.

Referenced by deserialize(), and load().

 {
   return cache_dsign_algo_impl()(x_, dsign_algo_);
 }

◆ deserialize()

int OpenDDS::Security::SSL::Certificate::deserialize ( const DDS::OctetSeq & src )

Returns: int 0 on success; 1 on failure.

Definition at line 634 of file Certificate.cpp.

References cache_dsign_algo(), original_bytes_, and x_.

Referenced by Certificate(), and operator=().

 {
   int err = deserialize_impl(src)(x_) || cache_dsign_algo();
   if (!err) {
     original_bytes_ = src;
   }
 
   return err;
 }

◆ dsign_algo()

const char* OpenDDS::Security::SSL::Certificate::dsign_algo ( ) const

inline

Definition at line 92 of file Certificate.h.

Referenced by OpenDDS::Security::AuthenticationBuiltInImpl::begin_handshake_reply(), and OpenDDS::Security::AuthenticationBuiltInImpl::begin_handshake_request().

92 { return dsign_algo_.c_str(); }

OpenDDS::Security::SSL::Certificate::dsign_algo_

std::string dsign_algo_

Definition: Certificate.h:123

◆ keypair_algo()

const char * OpenDDS::Security::SSL::Certificate::keypair_algo ( ) const

Definition at line 340 of file Certificate.cpp.

References dsign_algo_.

Referenced by OpenDDS::Security::AuthenticationBuiltInImpl::get_identity_token().

 {
   // This should probably be pulling the information directly from
   // the certificate.
   if (std::string("RSASSA-PSS-SHA256") == dsign_algo_) {
     return "RSA-2048";
 
   } else if (std::string("ECDSA-SHA256") == dsign_algo_) {
     return "EC-prime256v1";
 
   } else {
     return "UNKNOWN";
   }
 }

◆ load()

bool OpenDDS::Security::SSL::Certificate::load	(	DDS::Security::SecurityException &	ex,
		const std::string &	uri,
		const std::string &	password = `""`
	)

Definition at line 72 of file Certificate.cpp.

References ACE_ERROR, cache_dsign_algo(), OpenDDS::Security::CommonUtilities::URI::everything_else, LM_WARNING, load_cert_bytes(), load_cert_data_bytes(), loaded(), original_bytes_, OpenDDS::Security::CommonUtilities::URI::scheme, OpenDDS::Security::CommonUtilities::set_security_error(), OpenDDS::Security::CommonUtilities::URI::URI_DATA, OpenDDS::Security::CommonUtilities::URI::URI_FILE, OpenDDS::Security::CommonUtilities::URI::URI_PKCS11, OpenDDS::Security::CommonUtilities::URI::URI_UNKNOWN, x509_from_pem(), and x_.

Referenced by Certificate().

 {
   using namespace CommonUtilities;
 
   if (x_) {
     set_security_error(ex, -1, 0, "SSL::Certificate::load: WARNING: document already loaded");
     return false;
   }
 
   URI uri_info(uri);
 
   switch (uri_info.scheme) {
   case URI::URI_FILE:
     load_cert_bytes(uri_info.everything_else);
     x_ = x509_from_pem(original_bytes_, password);
     break;
 
   case URI::URI_DATA:
     load_cert_data_bytes(uri_info.everything_else);
     x_ = x509_from_pem(original_bytes_, password);
     break;
 
   case URI::URI_PKCS11:
   case URI::URI_UNKNOWN:
   default:
     ACE_ERROR((LM_WARNING,
                "(%P|%t) SSL::Certificate::load: WARNING: Unsupported URI scheme\n"));
 
     break;
   }
 
   if (!loaded()) {
     std::stringstream msg;
     msg << "SSL::Certificate::load: WARNING: Failed to load document supplied "
       "with URI '"  << uri << "'";
     set_security_error(ex, -1, 0, msg.str().c_str());
     return false;
   }
 
   const int err = cache_dsign_algo();
   if (err) {
     set_security_error(ex, -1, 0, "SSL::Certificate::load: WARNING: Failed to cache signature algorithm");
     return false;
   }
   return true;
 }

◆ load_cert_bytes()

void OpenDDS::Security::SSL::Certificate::load_cert_bytes ( const std::string & path )

private

Definition at line 431 of file Certificate.cpp.

References ACE_ERROR, ACE_OS::fclose(), ACE_OS::fopen(), ACE_OS::fread(), LM_WARNING, ACE_OS::memcpy(), and original_bytes_.

Referenced by load().

 {
 #ifdef ACE_ANDROID
   CORBA::Octet *buffer;
 
   char b[1024];
   FILE* fp = ACE_OS::fopen(path.c_str(), "rb");
 
   int n;
   int i = 0;
   while (!feof(fp)) {
     n = ACE_OS::fread(&b, 1, 1024, fp);
     i += n;
 
     original_bytes_.length(i + 1); // +1 for null byte at end of cert
     buffer = original_bytes_.get_buffer();
     ACE_OS::memcpy(buffer + i - n, b, n);
   }
 
   ACE_OS::fclose(fp);
 
   // To appease the other DDS security implementations which
   // append a null byte at the end of the cert.
   buffer[i + 1] = 0u;
 
 #else
   std::ifstream in(path.c_str(), std::ios::binary);
 
   if (!in) {
     ACE_ERROR((LM_WARNING,
                "(%P|%t) Certificate::load_cert_bytes:"
                "WARNING: Failed to load file '%C'; '%m'\n",
                path.c_str()));
     return;
   }
 
   const std::ifstream::pos_type begin = in.tellg();
   in.seekg(0, std::ios::end);
   const std::ifstream::pos_type end = in.tellg();
   in.seekg(0, std::ios::beg);
 
   original_bytes_.length(static_cast<CORBA::ULong>(end - begin + 1));
   in.read(reinterpret_cast<char*>(original_bytes_.get_buffer()), end - begin);
 
   if (!in) {
     ACE_ERROR((LM_WARNING,
                "(%P|%t) Certificate::load_cert_bytes:"
                "WARNING: Failed to load file '%C'; '%m'\n",
                path.c_str()));
     return;
   }
 
   // To appease the other DDS security implementations which
   // append a null byte at the end of the cert.
   original_bytes_[original_bytes_.length() - 1] = 0u;
 #endif
 }

◆ load_cert_data_bytes()

void OpenDDS::Security::SSL::Certificate::load_cert_data_bytes ( const std::string & data )

private

Definition at line 489 of file Certificate.cpp.

References original_bytes_.

Referenced by load().

 {
   // Start at position 1 because path contains a comma in element 0
   // and that comma is not included in the cert string
   // copy the full length to get the terminating null
   original_bytes_.length(static_cast<unsigned int>(data.size()));
   std::memcpy(original_bytes_.get_buffer(), data.c_str() + 1, data.size());
 }

◆ loaded()

bool OpenDDS::Security::SSL::Certificate::loaded ( )

inlineprivate

Definition at line 100 of file Certificate.h.

Referenced by load().

   {
     return (x_ != NULL) &&
       (0 < original_bytes_.length());
   }

◆ operator=()

Certificate & OpenDDS::Security::SSL::Certificate::operator= ( const Certificate & rhs )

Definition at line 61 of file Certificate.cpp.

References deserialize(), original_bytes_, and x_.

 {
   if (this != &rhs) {
     if (rhs.x_ && (0 < rhs.original_bytes_.length())) {
       deserialize(rhs.original_bytes_);
     }
 
   }
   return *this;
 }

◆ original_bytes()

const DDS::OctetSeq& OpenDDS::Security::SSL::Certificate::original_bytes ( ) const

inline

Definition at line 90 of file Certificate.h.

Referenced by OpenDDS::Security::AuthenticationBuiltInImpl::begin_handshake_reply(), and OpenDDS::Security::AuthenticationBuiltInImpl::begin_handshake_request().

90 { return original_bytes_; }

OpenDDS::Security::SSL::Certificate::original_bytes_

DDS::OctetSeq original_bytes_

Definition: Certificate.h:122

◆ serialize()

int OpenDDS::Security::SSL::Certificate::serialize ( DDS::OctetSeq & dst ) const

Returns: int 0 on success; 1 on failure.

Definition at line 572 of file Certificate.cpp.

References original_bytes_.

 {
   dst = original_bytes_;
 
   if (dst.length() == original_bytes_.length()) {
     return 0;
   }
 
   return 1;
 }

◆ subject_name_digest()

int OpenDDS::Security::SSL::Certificate::subject_name_digest ( std::vector< CORBA::Octet > & dst ) const

Returns: int 0 on success; 1 on failure.

Definition at line 314 of file Certificate.cpp.

References name, OPENDDS_SSL_LOG_ERR, and x_.

Referenced by OpenDDS::Security::SSL::make_adjusted_guid().

 {
   dst.clear();
 
   if (!x_) return 1;
 
   /* Do not free name! */
   X509_NAME* name = X509_get_subject_name(x_);
   if (0 == name) {
     OPENDDS_SSL_LOG_ERR("X509_get_subject_name failed");
     return 1;
   }
 
   std::vector<CORBA::Octet> tmp(EVP_MAX_MD_SIZE);
 
   unsigned int len = 0;
   if (1 != X509_NAME_digest(name, EVP_sha256(), &tmp[0], &len)) {
     OPENDDS_SSL_LOG_ERR("X509_NAME_digest failed");
     return 1;
   }
 
   dst.insert(dst.begin(), tmp.begin(), tmp.begin() + len);
 
   return 0;
 }

◆ subject_name_to_str()

int OpenDDS::Security::SSL::Certificate::subject_name_to_str	(	std::string &	dst,
		unsigned long	flags = `XN_FLAG_ONELINE`
	)		const

Returns: int 0 on success; 1 on failure.

Definition at line 272 of file Certificate.cpp.

References OpenDDS::DCPS::back_inserter(), OpenDDS::XTypes::copy(), name, OPENDDS_SSL_LOG_ERR, and x_.

Referenced by OpenDDS::Security::AuthenticationBuiltInImpl::get_identity_token(), and OpenDDS::Security::AccessControlBuiltInImpl::validate_remote_permissions().

 {
   int result = 1;
 
   dst.clear();
 
   if (x_) {
     /* Do not free name! */
     X509_NAME* name = X509_get_subject_name(x_);
     if (name) {
       BIO* buffer = BIO_new(BIO_s_mem());
       if (buffer) {
         int len = X509_NAME_print_ex(buffer, name, 0, flags);
         if (len > 0) {
           std::vector<char> tmp(len +
                                 1);  // BIO_gets will add null hence +1
           len = BIO_gets(buffer, &tmp[0], len + 1);
           if (len > 0) {
             std::copy(
                       tmp.begin(),
                       tmp.end() -
                       1,  // But... string inserts a null so it's not needed
                       std::back_inserter(dst));
             result = 0;
 
           } else {
             OPENDDS_SSL_LOG_ERR("failed to write BIO to string");
           }
 
         } else {
           OPENDDS_SSL_LOG_ERR("failed to read X509_NAME into BIO buffer");
         }
 
         BIO_free(buffer);
       }
     }
   }
 
   return result;
 }

◆ validate()

int OpenDDS::Security::SSL::Certificate::validate	(	const Certificate &	ca,
		unsigned long int	flags = `0u`
	)		const

Returns: int 0 on success; 1 on failure.

Definition at line 121 of file Certificate.cpp.

References ACE_ERROR, ACE_ERROR_RETURN, ACE_TEXT(), LM_WARNING, OPENDDS_SSL_LOG_ERR, and x_.

 {
   if (!x_) {
     ACE_ERROR_RETURN((LM_WARNING,
                       ACE_TEXT("(%P|%t) SSL::Certificate::verify: WARNING, a ")
                       ACE_TEXT("certificate must be loaded before it can be verified\n")), 1);
   }
 
   if (!ca.x_) {
     ACE_ERROR_RETURN((LM_WARNING,
                       ACE_TEXT("(%P|%t) SSL::Certificate::verify: WARNING, passed-in ")
                       ACE_TEXT("CA has not loaded a certificate\n")), 1);
   }
 
   X509_STORE* const certs = X509_STORE_new();
   if (!certs) {
     OPENDDS_SSL_LOG_ERR("failed to create X509_STORE");
     return 1;
   }
 
   X509_STORE_add_cert(certs, ca.x_);
 
   X509_STORE_CTX* validation_ctx = X509_STORE_CTX_new();
   if (!validation_ctx) {
     X509_STORE_free(certs);
     return 1;
   }
 
   X509_STORE_CTX_init(validation_ctx, certs, x_, 0);
   X509_STORE_CTX_set_flags(validation_ctx, flags);
 
   int result =
     X509_verify_cert(validation_ctx) == 1
     ? X509_V_OK : 1; // X509_V_ERR_UNSPECIFIED is not provided by all OpenSSL versions
 
   if (result == 1) {
     const int err = X509_STORE_CTX_get_error(validation_ctx),
       depth = X509_STORE_CTX_get_error_depth(validation_ctx);
     ACE_ERROR((LM_WARNING,
                ACE_TEXT("(%P|%t) SSL::Certificate::verify: WARNING '%C' occurred using cert at ")
                ACE_TEXT("depth '%i', validation failed.\n"),
                X509_verify_cert_error_string(err), depth));
     result = err;
   }
 
   X509_STORE_CTX_free(validation_ctx);
   X509_STORE_free(certs);
   return result;
 }

◆ verify_signature()

int OpenDDS::Security::SSL::Certificate::verify_signature	(	const DDS::OctetSeq &	src,
		const std::vector< const DDS::OctetSeq *> &	expected_contents
	)		const

Returns: int 0 on success; 1 on failure.

Definition at line 254 of file Certificate.cpp.

References pkey_, and x_.

Referenced by OpenDDS::Security::SSL::verify_serialized().

 {
 #ifdef OPENSSL_V_1_0
   struct EVP_PKEY_Handle {
     EVP_PKEY* pkey_;
     explicit EVP_PKEY_Handle(EVP_PKEY* pkey) : pkey_(pkey) {}
     operator EVP_PKEY*() { return pkey_; }
     ~EVP_PKEY_Handle() { EVP_PKEY_free(pkey_); }
   } pkey(X509_get_pubkey(x_));
 #else
   EVP_PKEY* pkey = X509_get0_pubkey(x_);
 #endif
   verify_implementation verify(pkey);
   return verify(src, expected_contents);
 }

◆ x509()

X509* OpenDDS::Security::SSL::Certificate::x509 ( ) const

inline

Definition at line 96 of file Certificate.h.

Referenced by OpenDDS::Security::SSL::X509Store::add_cert(), and OpenDDS::Security::SSL::StackOfX509::push().

96 { return x_; }

OpenDDS::Security::SSL::Certificate::x_

X509 * x_

Definition: Certificate.h:121

◆ x509_from_pem() [1/2]

X509 * OpenDDS::Security::SSL::Certificate::x509_from_pem	(	const std::string &	path,
		const std::string &	password = `""`
	)

staticprivate

Definition at line 498 of file Certificate.cpp.

References OPENDDS_SSL_LOG_ERR.

Referenced by load().

 {
   X509* result = NULL;
 
   BIO* filebuf = BIO_new_file(path.c_str(), "r");
   if (filebuf) {
     if (!password.empty()) {
       result =
         PEM_read_bio_X509_AUX(filebuf, 0, 0, (void*)password.c_str());
       if (!result) {
         OPENDDS_SSL_LOG_ERR("PEM_read_bio_X509_AUX failed");
       }
 
     } else {
       result = PEM_read_bio_X509_AUX(filebuf, 0, 0, 0);
       if (!result) {
         OPENDDS_SSL_LOG_ERR("PEM_read_bio_X509_AUX failed");
       }
     }
 
     BIO_free(filebuf);
 
   } else {
     std::stringstream errmsg;
     errmsg << "failed to read file '" << path << "' using BIO_new_file";
     OPENDDS_SSL_LOG_ERR(errmsg.str().c_str());
   }
 
   return result;
 }

◆ x509_from_pem() [2/2]

X509 * OpenDDS::Security::SSL::Certificate::x509_from_pem	(	const DDS::OctetSeq &	bytes,
		const std::string &	password = `""`
	)

staticprivate

Definition at line 530 of file Certificate.cpp.

References OPENDDS_SSL_LOG_ERR.

 {
   X509* result = 0;
 
   BIO* filebuf = BIO_new(BIO_s_mem());
   do {
     if (filebuf) {
       if (0 >= BIO_write(filebuf, bytes.get_buffer(), bytes.length())) {
         OPENDDS_SSL_LOG_ERR("BIO_write failed");
         break;
       }
       if (!password.empty()) {
         result = PEM_read_bio_X509_AUX(filebuf, 0, 0,
                                        (void*)password.c_str());
         if (!result) {
           OPENDDS_SSL_LOG_ERR("PEM_read_bio_X509_AUX failed");
           break;
         }
 
       } else {
         result = PEM_read_bio_X509_AUX(filebuf, 0, 0, 0);
         if (!result) {
           OPENDDS_SSL_LOG_ERR("PEM_read_bio_X509_AUX failed");
           break;
         }
       }
 
     } else {
       std::stringstream errmsg;
       errmsg << "BIO_new failed";
       OPENDDS_SSL_LOG_ERR(errmsg.str().c_str());
       break;
     }
 
   } while (0);
 
   BIO_free(filebuf);
 
   return result;
 }

Friends And Related Function Documentation

◆ operator<<

OpenDDS_Security_Export std::ostream& operator<<	(	std::ostream &	,
		const Certificate &
	)

friend

Definition at line 644 of file Certificate.cpp.

 {
   if (rhs.x_) {
     lhs << "Certificate: { is_ca? '"
         << (X509_check_ca(rhs.x_) ? "yes" : "no") << "'; }";
 
   } else {
     lhs << "NULL";
   }
   return lhs;
 }

◆ operator==

OpenDDS_Security_Export bool operator==	(	const Certificate &	lhs,
		const Certificate &	rhs
	)

friend

Definition at line 656 of file Certificate.cpp.

 {
   if (lhs.x_ && rhs.x_) {
     return (0 == X509_cmp(lhs.x_, rhs.x_)) &&
       (lhs.original_bytes_ == rhs.original_bytes_);
   }
   return (lhs.x_ == rhs.x_) &&
     (lhs.original_bytes_ == rhs.original_bytes_);
 }

◆ verify_signature_impl

friend class verify_signature_impl

friend

Definition at line 31 of file Certificate.h.

Member Data Documentation

◆ dsign_algo_

std::string OpenDDS::Security::SSL::Certificate::dsign_algo_

private

Definition at line 123 of file Certificate.h.

Referenced by cache_dsign_algo(), and keypair_algo().

◆ original_bytes_

DDS::OctetSeq OpenDDS::Security::SSL::Certificate::original_bytes_

private

Definition at line 122 of file Certificate.h.

Referenced by Certificate(), deserialize(), load(), load_cert_bytes(), load_cert_data_bytes(), operator=(), OpenDDS::Security::SSL::operator==(), and serialize().

◆ x_

X509* OpenDDS::Security::SSL::Certificate::x_

private

Definition at line 121 of file Certificate.h.

Referenced by cache_dsign_algo(), deserialize(), load(), OpenDDS::Security::SSL::operator<<(), operator=(), OpenDDS::Security::SSL::operator==(), subject_name_digest(), subject_name_to_str(), validate(), verify_signature(), and ~Certificate().

The documentation for this class was generated from the following files:

Public Types

Public Member Functions

Private Member Functions

Static Private Member Functions

Private Attributes

Friends

Detailed Description

Member Typedef Documentation

◆ unique_ptr

Constructor & Destructor Documentation

◆ Certificate() [1/4]

◆ Certificate() [2/4]

◆ Certificate() [3/4]

◆ Certificate() [4/4]

◆ ~Certificate()

Member Function Documentation

◆ cache_dsign_algo()

◆ deserialize()

◆ dsign_algo()

◆ keypair_algo()

◆ load()

◆ load_cert_bytes()

◆ load_cert_data_bytes()

◆ loaded()

◆ operator=()

◆ original_bytes()

◆ serialize()

◆ subject_name_digest()

◆ subject_name_to_str()

◆ validate()

◆ verify_signature()

◆ x509()

◆ x509_from_pem() [1/2]

◆ x509_from_pem() [2/2]

Friends And Related Function Documentation

◆ operator<<

◆ operator==

◆ verify_signature_impl

Member Data Documentation

◆ dsign_algo_

◆ original_bytes_

◆ x_