2 Copyright (C) 2012-2015 Carl Hetherington <cth@carlh.net>
4 This file is part of libdcp.
6 libdcp is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 libdcp is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with libdcp. If not, see <http://www.gnu.org/licenses/>.
19 In addition, as a special exception, the copyright holders give
20 permission to link the code of portions of this program with the
21 OpenSSL library under certain conditions as described in each
22 individual source file, and distribute linked combinations
25 You must obey the GNU General Public License in all respects
26 for all of the code used other than OpenSSL. If you modify
27 file(s) with this exception, you may extend this exception to your
28 version of the file(s), but you are not obligated to do so. If you
29 do not wish to do so, delete this exception statement from your
30 version. If you delete this exception statement from all source
31 files in the program, then also delete it here.
34 /** @file src/certificate.cc
35 * @brief Certificate class.
38 #include "certificate.h"
39 #include "compose.hpp"
40 #include "exceptions.h"
42 #include "dcp_assert.h"
43 #include <asdcp/KM_util.h>
44 #include <libxml++/nodes/element.h>
45 #include <openssl/x509.h>
46 #include <openssl/ssl.h>
47 #include <openssl/asn1.h>
48 #include <openssl/err.h>
49 #include <boost/algorithm/string.hpp>
60 static string const begin_certificate = "-----BEGIN CERTIFICATE-----";
61 static string const end_certificate = "-----END CERTIFICATE-----";
63 /** @param c X509 certificate, which this object will take ownership of */
64 Certificate::Certificate (X509* c)
72 /** Load an X509 certificate from a string.
73 * @param cert String to read from.
75 Certificate::Certificate (string cert)
79 _extra_data = read_string (cert);
83 * @param other Certificate to copy.
85 Certificate::Certificate (Certificate const & other)
88 , _extra_data (other._extra_data)
90 if (other._certificate) {
91 read_string (other.certificate (true));
95 /** Read a certificate from a string.
96 * @param cert String to read.
97 * @return true if there is extra stuff after the end of the certificate, false if not.
100 Certificate::read_string (string cert)
102 /* Reformat cert so that it has line breaks every 64 characters.
103 See http://comments.gmane.org/gmane.comp.encryption.openssl.user/55593
109 for (size_t i = 0; i < cert.length(); ++i) {
111 if (cert[i] == '\r' || cert[i] == '\n') {
112 boost::algorithm::trim (line);
113 lines.push_back (line);
119 boost::algorithm::trim (line);
120 lines.push_back (line);
123 list<string>::iterator i = lines.begin ();
126 while (i != lines.end() && *i != begin_certificate) {
130 if (i == lines.end()) {
131 throw MiscError ("missing BEGIN line in certificate");
134 /* Skip over the BEGIN line */
137 /* The base64 data */
138 bool got_end = false;
140 while (i != lines.end()) {
141 if (*i == end_certificate) {
150 throw MiscError ("missing END line in certificate");
153 /* Skip over the END line */
156 /* Make up the fixed version */
158 string fixed = begin_certificate + "\n";
159 while (!base64.empty ()) {
160 size_t const t = min (size_t(64), base64.length());
161 fixed += base64.substr (0, t) + "\n";
162 base64 = base64.substr (t, base64.length() - t);
165 fixed += end_certificate;
167 BIO* bio = BIO_new_mem_buf (const_cast<char *> (fixed.c_str ()), -1);
169 throw MiscError ("could not create memory BIO");
172 _certificate = PEM_read_bio_X509 (bio, 0, 0, 0);
174 throw MiscError ("could not read X509 certificate from memory BIO");
179 /* See if there are any non-blank lines after the certificate that we read */
180 while (i != lines.end() && i->empty()) {
183 return i != lines.end();
187 Certificate::~Certificate ()
189 X509_free (_certificate);
190 RSA_free (_public_key);
193 /** operator= for Certificate.
194 * @param other Certificate to read from.
197 Certificate::operator= (Certificate const & other)
199 if (this == &other) {
203 X509_free (_certificate);
205 RSA_free (_public_key);
207 _extra_data = other._extra_data;
209 read_string (other.certificate (true));
214 /** Return the certificate as a string.
215 * @param with_begin_end true to include the -----BEGIN CERTIFICATE--- / -----END CERTIFICATE----- markers.
216 * @return Certificate string.
219 Certificate::certificate (bool with_begin_end) const
221 DCP_ASSERT (_certificate);
223 BIO* bio = BIO_new (BIO_s_mem ());
225 throw MiscError ("could not create memory BIO");
228 PEM_write_bio_X509 (bio, _certificate);
232 long int const data_length = BIO_get_mem_data (bio, &data);
233 for (long int i = 0; i < data_length; ++i) {
239 if (!with_begin_end) {
240 boost::replace_all (s, begin_certificate + "\n", "");
241 boost::replace_all (s, "\n" + end_certificate + "\n", "");
247 /** @return Certificate's issuer, in the form
248 * dnqualifier=<dnQualififer>,CN=<commonName>,OU=<organizationalUnitName>,O=<organizationName>
249 * and with + signs escaped to \+
252 Certificate::issuer () const
254 DCP_ASSERT (_certificate);
255 return name_for_xml (X509_get_issuer_name (_certificate));
259 Certificate::asn_to_utf8 (ASN1_STRING* s)
261 unsigned char* buf = 0;
262 ASN1_STRING_to_UTF8 (&buf, s);
263 string const u (reinterpret_cast<char *> (buf));
269 Certificate::get_name_part (X509_NAME* n, int nid)
272 p = X509_NAME_get_index_by_NID (n, nid, p);
276 return asn_to_utf8 (X509_NAME_ENTRY_get_data (X509_NAME_get_entry (n, p)));
280 Certificate::name_for_xml (X509_NAME* name)
284 BIO* bio = BIO_new (BIO_s_mem ());
286 throw MiscError ("could not create memory BIO");
289 X509_NAME_print_ex (bio, name, 0, XN_FLAG_RFC2253);
290 int n = BIO_pending (bio);
291 char* result = new char[n + 1];
292 n = BIO_read (bio, result, n);
304 Certificate::subject () const
306 DCP_ASSERT (_certificate);
308 return name_for_xml (X509_get_subject_name (_certificate));
312 Certificate::subject_common_name () const
314 DCP_ASSERT (_certificate);
316 return get_name_part (X509_get_subject_name (_certificate), NID_commonName);
320 Certificate::subject_organization_name () const
322 DCP_ASSERT (_certificate);
324 return get_name_part (X509_get_subject_name (_certificate), NID_organizationName);
328 Certificate::subject_organizational_unit_name () const
330 DCP_ASSERT (_certificate);
332 return get_name_part (X509_get_subject_name (_certificate), NID_organizationalUnitName);
336 Certificate::serial () const
338 DCP_ASSERT (_certificate);
340 ASN1_INTEGER* s = X509_get_serialNumber (_certificate);
343 BIGNUM* b = ASN1_INTEGER_to_BN (s, 0);
344 char* c = BN_bn2dec (b);
354 Certificate::thumbprint () const
356 DCP_ASSERT (_certificate);
358 uint8_t buffer[8192];
360 i2d_X509_CINF (_certificate->cert_info, &p);
361 unsigned int const length = p - buffer;
362 if (length > sizeof (buffer)) {
363 throw MiscError ("buffer too small to generate thumbprint");
368 SHA1_Update (&sha, buffer, length);
370 SHA1_Final (digest, &sha);
372 char digest_base64[64];
373 return Kumu::base64encode (digest, 20, digest_base64, 64);
376 /** @return RSA public key from this Certificate. Caller must not free the returned value. */
378 Certificate::public_key () const
380 DCP_ASSERT (_certificate);
386 EVP_PKEY* key = X509_get_pubkey (_certificate);
388 throw MiscError ("could not get public key from certificate");
391 _public_key = EVP_PKEY_get1_RSA (key);
393 throw MiscError (String::compose ("could not get RSA public key (%1)", ERR_error_string (ERR_get_error(), 0)));
400 dcp::operator== (Certificate const & a, Certificate const & b)
402 return a.certificate() == b.certificate();
406 dcp::operator< (Certificate const & a, Certificate const & b)
408 return a.certificate() < b.certificate();
412 dcp::operator<< (ostream& s, Certificate const & c)
414 s << c.certificate();