2 Copyright (C) 2012-2015 Carl Hetherington <cth@carlh.net>
4 This file is part of libdcp.
6 libdcp is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 libdcp is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with libdcp. If not, see <http://www.gnu.org/licenses/>.
19 In addition, as a special exception, the copyright holders give
20 permission to link the code of portions of this program with the
21 OpenSSL library under certain conditions as described in each
22 individual source file, and distribute linked combinations
25 You must obey the GNU General Public License in all respects
26 for all of the code used other than OpenSSL. If you modify
27 file(s) with this exception, you may extend this exception to your
28 version of the file(s), but you are not obligated to do so. If you
29 do not wish to do so, delete this exception statement from your
30 version. If you delete this exception statement from all source
31 files in the program, then also delete it here.
34 /** @file src/certificate.cc
35 * @brief Certificate class.
38 #include "certificate.h"
39 #include "compose.hpp"
40 #include "exceptions.h"
42 #include "dcp_assert.h"
43 #include <asdcp/KM_util.h>
44 #include <libxml++/nodes/element.h>
45 #include <openssl/x509.h>
46 #include <openssl/ssl.h>
47 #include <openssl/asn1.h>
48 #include <openssl/err.h>
49 #include <boost/algorithm/string.hpp>
60 static string const begin_certificate = "-----BEGIN CERTIFICATE-----";
61 static string const end_certificate = "-----END CERTIFICATE-----";
63 /** @param c X509 certificate, which this object will take ownership of */
64 Certificate::Certificate (X509* c)
72 /** Load an X509 certificate from a string.
73 * @param cert String to read from.
75 Certificate::Certificate (string cert)
79 _extra_data = read_string (cert);
83 * @param other Certificate to copy.
85 Certificate::Certificate (Certificate const & other)
88 , _extra_data (other._extra_data)
90 if (other._certificate) {
91 read_string (other.certificate (true));
95 /** Read a certificate from a string.
96 * @param cert String to read.
97 * @return true if there is extra stuff after the end of the certificate, false if not.
100 Certificate::read_string (string cert)
102 /* Reformat cert so that it has line breaks every 64 characters.
103 See http://comments.gmane.org/gmane.comp.encryption.openssl.user/55593
106 locked_stringstream s (cert);
112 boost::algorithm::trim (line);
113 } while (s.good() && line != begin_certificate);
115 if (line != begin_certificate) {
116 throw MiscError ("missing BEGIN line in certificate");
119 /* The base64 data */
120 bool got_end = false;
122 while (getline (s, line)) {
123 boost::algorithm::trim (line);
124 if (line == end_certificate) {
132 throw MiscError ("missing END line in certificate");
135 /* Make up the fixed version */
137 string fixed = begin_certificate + "\n";
138 while (!base64.empty ()) {
139 size_t const t = min (size_t(64), base64.length());
140 fixed += base64.substr (0, t) + "\n";
141 base64 = base64.substr (t, base64.length() - t);
144 fixed += end_certificate;
146 BIO* bio = BIO_new_mem_buf (const_cast<char *> (fixed.c_str ()), -1);
148 throw MiscError ("could not create memory BIO");
151 _certificate = PEM_read_bio_X509 (bio, 0, 0, 0);
153 throw MiscError ("could not read X509 certificate from memory BIO");
158 /* See if there are any non-blank lines after the certificate that we read */
160 while (s.good() && line.empty()) {
163 return (s.good() && !line.empty());
167 Certificate::~Certificate ()
169 X509_free (_certificate);
170 RSA_free (_public_key);
173 /** operator= for Certificate.
174 * @param other Certificate to read from.
177 Certificate::operator= (Certificate const & other)
179 if (this == &other) {
183 X509_free (_certificate);
185 RSA_free (_public_key);
187 _extra_data = other._extra_data;
189 read_string (other.certificate (true));
194 /** Return the certificate as a string.
195 * @param with_begin_end true to include the -----BEGIN CERTIFICATE--- / -----END CERTIFICATE----- markers.
196 * @return Certificate string.
199 Certificate::certificate (bool with_begin_end) const
201 DCP_ASSERT (_certificate);
203 BIO* bio = BIO_new (BIO_s_mem ());
205 throw MiscError ("could not create memory BIO");
208 PEM_write_bio_X509 (bio, _certificate);
212 long int const data_length = BIO_get_mem_data (bio, &data);
213 for (long int i = 0; i < data_length; ++i) {
219 if (!with_begin_end) {
220 boost::replace_all (s, begin_certificate + "\n", "");
221 boost::replace_all (s, "\n" + end_certificate + "\n", "");
227 /** @return Certificate's issuer, in the form
228 * dnqualifier=<dnQualififer>,CN=<commonName>,OU=<organizationalUnitName>,O=<organizationName>
229 * and with + signs escaped to \+
232 Certificate::issuer () const
234 DCP_ASSERT (_certificate);
235 return name_for_xml (X509_get_issuer_name (_certificate));
239 Certificate::asn_to_utf8 (ASN1_STRING* s)
241 unsigned char* buf = 0;
242 ASN1_STRING_to_UTF8 (&buf, s);
243 string const u (reinterpret_cast<char *> (buf));
249 Certificate::get_name_part (X509_NAME* n, int nid)
252 p = X509_NAME_get_index_by_NID (n, nid, p);
256 return asn_to_utf8 (X509_NAME_ENTRY_get_data (X509_NAME_get_entry (n, p)));
260 Certificate::name_for_xml (X509_NAME* name)
264 BIO* bio = BIO_new (BIO_s_mem ());
266 throw MiscError ("could not create memory BIO");
269 X509_NAME_print_ex (bio, name, 0, XN_FLAG_RFC2253);
270 int n = BIO_pending (bio);
271 char* result = new char[n + 1];
272 n = BIO_read (bio, result, n);
284 Certificate::subject () const
286 DCP_ASSERT (_certificate);
288 return name_for_xml (X509_get_subject_name (_certificate));
292 Certificate::subject_common_name () const
294 DCP_ASSERT (_certificate);
296 return get_name_part (X509_get_subject_name (_certificate), NID_commonName);
300 Certificate::subject_organization_name () const
302 DCP_ASSERT (_certificate);
304 return get_name_part (X509_get_subject_name (_certificate), NID_organizationName);
308 Certificate::subject_organizational_unit_name () const
310 DCP_ASSERT (_certificate);
312 return get_name_part (X509_get_subject_name (_certificate), NID_organizationalUnitName);
316 Certificate::serial () const
318 DCP_ASSERT (_certificate);
320 ASN1_INTEGER* s = X509_get_serialNumber (_certificate);
323 BIGNUM* b = ASN1_INTEGER_to_BN (s, 0);
324 char* c = BN_bn2dec (b);
334 Certificate::thumbprint () const
336 DCP_ASSERT (_certificate);
338 uint8_t buffer[8192];
340 i2d_X509_CINF (_certificate->cert_info, &p);
341 unsigned int const length = p - buffer;
342 if (length > sizeof (buffer)) {
343 throw MiscError ("buffer too small to generate thumbprint");
348 SHA1_Update (&sha, buffer, length);
350 SHA1_Final (digest, &sha);
352 char digest_base64[64];
353 return Kumu::base64encode (digest, 20, digest_base64, 64);
356 /** @return RSA public key from this Certificate. Caller must not free the returned value. */
358 Certificate::public_key () const
360 DCP_ASSERT (_certificate);
366 EVP_PKEY* key = X509_get_pubkey (_certificate);
368 throw MiscError ("could not get public key from certificate");
371 _public_key = EVP_PKEY_get1_RSA (key);
373 throw MiscError (String::compose ("could not get RSA public key (%1)", ERR_error_string (ERR_get_error(), 0)));
380 dcp::operator== (Certificate const & a, Certificate const & b)
382 return a.certificate() == b.certificate();
386 dcp::operator< (Certificate const & a, Certificate const & b)
388 return a.certificate() < b.certificate();
392 dcp::operator<< (ostream& s, Certificate const & c)
394 s << c.certificate();