1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
|
/*
Copyright (C) 2013-2021 Carl Hetherington <cth@carlh.net>
This file is part of libdcp.
libdcp is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
libdcp is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with libdcp. If not, see <http://www.gnu.org/licenses/>.
In addition, as a special exception, the copyright holders give
permission to link the code of portions of this program with the
OpenSSL library under certain conditions as described in each
individual source file, and distribute linked combinations
including the two.
You must obey the GNU General Public License in all respects
for all of the code used other than OpenSSL. If you modify
file(s) with this exception, you may extend this exception to your
version of the file(s), but you are not obligated to do so. If you
do not wish to do so, delete this exception statement from your
version. If you delete this exception statement from all source
files in the program, then also delete it here.
*/
/** @file src/certificate_chain.h
* @brief CertificateChain class
*/
#ifndef LIBDCP_CERTIFICATE_CHAIN_H
#define LIBDCP_CERTIFICATE_CHAIN_H
#include "certificate.h"
#include "types.h"
#include <boost/filesystem.hpp>
#include <boost/optional.hpp>
namespace xmlpp {
class Node;
}
struct certificates_validation1;
struct certificates_validation2;
struct certificates_validation3;
struct certificates_validation4;
struct certificates_validation5;
struct certificates_validation6;
struct certificates_validation7;
struct certificates_validation8;
namespace dcp {
/** @class CertificateChain
* @brief A chain of any number of certificates, from root to leaf.
*
* A CertificateChain object can also (optionally) hold the private key corresponding
* to the leaf certificate.
*/
class CertificateChain
{
public:
CertificateChain () {}
/** Create a chain of certificates for signing things.
* @param openssl Name of openssl binary (if it is on the path) or full path.
* @return Directory (which should be deleted by the caller) containing:
* - ca.self-signed.pem self-signed root certificate
* - intermediate.signed.pem intermediate certificate
* - leaf.key leaf certificate private key
* - leaf.signed.pem leaf certificate
*/
CertificateChain (
boost::filesystem::path openssl,
int validity_in_days,
std::string organisation = "example.org",
std::string organisational_unit = "example.org",
std::string root_common_name = ".smpte-430-2.ROOT.NOT_FOR_PRODUCTION",
std::string intermediate_common_name = ".smpte-430-2.INTERMEDIATE.NOT_FOR_PRODUCTION",
std::string leaf_common_name = "CS.smpte-430-2.LEAF.NOT_FOR_PRODUCTION"
);
/** Read a CertificateChain from a string.
* @param s A string containing one or more PEM-encoded certificates.
*/
explicit CertificateChain (std::string s);
/** Add a certificate to the chain.
* @param c Certificate to add.
*/
void add (Certificate c);
/** Remove a certificate from the chain.
* @param c Certificate to remove.
*/
void remove (Certificate c);
/** Remove the i'th certificate in the chain, as listed
* from root to leaf.
*/
void remove (int i);
/** @return Root certificate */
Certificate root () const;
/** @return Leaf certificate */
Certificate leaf () const;
typedef std::vector<Certificate> List;
/** @return Certificates in order from leaf to root */
List leaf_to_root () const;
/** @return Certificates in order from root to leaf */
List root_to_leaf () const;
List unordered () const;
bool valid (std::string* reason = nullptr) const;
/** Check to see if the chain is valid (i.e. root signs the intermediate, intermediate
* signs the leaf and so on) and that the private key (if there is one) matches the
* leaf certificate.
* @return true if it's ok, false if not.
*/
bool chain_valid () const;
/** Check that there is a valid private key for the leaf certificate.
* Will return true if there are no certificates.
*/
bool private_key_valid () const;
/** Add a <Signer> and <ds:Signature> nodes to an XML node.
* @param parent XML node to add to.
* @param standard INTEROP or SMPTE.
*/
void sign (xmlpp::Element* parent, Standard standard) const;
/** Sign an XML node.
*
* @param parent Node to sign.
* @param ns Namespace to use for the signature XML nodes.
*/
void add_signature_value (xmlpp::Element* parent, std::string ns, bool add_indentation) const;
boost::optional<std::string> key () const {
return _key;
}
void set_key (std::string k) {
_key = k;
}
std::string chain () const;
private:
friend struct ::certificates_validation1;
friend struct ::certificates_validation2;
friend struct ::certificates_validation3;
friend struct ::certificates_validation4;
friend struct ::certificates_validation5;
friend struct ::certificates_validation6;
friend struct ::certificates_validation7;
friend struct ::certificates_validation8;
bool chain_valid (List const & chain) const;
/** Our certificates, not in any particular order */
List _certificates;
/** Leaf certificate's private key, if known, in PEM format */
boost::optional<std::string> _key;
};
}
#endif
|
