More tests.

[libdcp.git] / src / certificates.cc

diff --git a/src/certificates.cc b/src/certificates.cc
index 0a0393c652bdd6032c98c4a33d9f37a7eda804b6..601662ea1c0009ac8aa7192d04b5cfc15a92d112 100644 (file)
--- a/src/certificates.cc
+++ b/src/certificates.cc
@@ -33,10 +33,12 @@
 #include <openssl/err.h>
 #include <boost/algorithm/string.hpp>
 #include <cerrno>
+#include <algorithm>
 
 using std::list;
 using std::string;
-using boost::shared_ptr;
+using std::cout;
+using std::ostream;
 using namespace dcp;
 
 /** @param c X509 certificate, which this object will take ownership of */
@@ -47,23 +49,6 @@ Certificate::Certificate (X509* c)
        
 }
 
-/** Load an X509 certificate from a file.
- *  @param filename File to load.
- */
-Certificate::Certificate (boost::filesystem::path filename)
-       : _certificate (0)
-       , _public_key (0)
-{
-       FILE* f = fopen_boost (filename, "r");
-       if (!f) {
-               throw FileError ("could not open file", filename, errno);
-       }
-       
-       if (!PEM_read_X509 (f, &_certificate, 0, 0)) {
-               throw MiscError ("could not read X509 certificate");
-       }
-}
-
 /** Load an X509 certificate from a string.
  *  @param cert String to read from.
  */
@@ -125,7 +110,7 @@ Certificate::operator= (Certificate const & other)
        RSA_free (_public_key);
        _public_key = 0;
        
-       read_string (other.certificate ());
+       read_string (other.certificate (true));
 
        return *this;
 }
@@ -253,8 +238,8 @@ Certificate::thumbprint () const
        uint8_t buffer[8192];
        uint8_t* p = buffer;
        i2d_X509_CINF (_certificate->cert_info, &p);
-       int const length = p - buffer;
-       if (length > 8192) {
+       unsigned int const length = p - buffer;
+       if (length > sizeof (buffer)) {
                throw MiscError ("buffer too small to generate thumbprint");
        }
 
@@ -291,8 +276,27 @@ Certificate::public_key () const
        return _public_key;
 }
 
+bool
+dcp::operator== (Certificate const & a, Certificate const & b)
+{
+       return a.certificate() == b.certificate();
+}
+
+bool
+dcp::operator< (Certificate const & a, Certificate const & b)
+{
+       return a.certificate() < b.certificate();
+}
+
+ostream&
+dcp::operator<< (ostream& s, Certificate const & c)
+{
+       s << c.certificate();
+       return s;
+}
+
 /** @return Root certificate */
-shared_ptr<Certificate>
+Certificate
 CertificateChain::root () const
 {
        assert (!_certificates.empty());
@@ -300,18 +304,25 @@ CertificateChain::root () const
 }
 
 /** @return Leaf certificate */
-shared_ptr<Certificate>
+Certificate
 CertificateChain::leaf () const
 {
        assert (_certificates.size() >= 2);
        return _certificates.back ();
 }
 
+/** @return Certificates in order from root to leaf */
+CertificateChain::List
+CertificateChain::root_to_leaf () const
+{
+       return _certificates;
+}
+
 /** @return Certificates in order from leaf to root */
-list<shared_ptr<Certificate> >
+CertificateChain::List
 CertificateChain::leaf_to_root () const
 {
-       list<shared_ptr<Certificate> > c = _certificates;
+       List c = _certificates;
        c.reverse ();
        return c;
 }
@@ -320,7 +331,102 @@ CertificateChain::leaf_to_root () const
  *  @param c Certificate to add.
  */
 void
-CertificateChain::add (shared_ptr<Certificate> c)
+CertificateChain::add (Certificate c)
 {
        _certificates.push_back (c);
 }
+
+/** Remove a certificate from the chain.
+ *  @param c Certificate to remove.
+ */
+void
+CertificateChain::remove (Certificate c)
+{
+       _certificates.remove (c);
+}
+
+/** Remove the i'th certificate in the list, as listed
+ *  from root to leaf.
+ */
+void
+CertificateChain::remove (int i)
+{
+       List::iterator j = _certificates.begin ();
+        while (j != _certificates.end () && i > 0) {
+               --i;
+               ++j;
+       }
+
+       if (j != _certificates.end ()) {
+               _certificates.erase (j);
+       }
+}
+
+/** Check to see if the chain is valid (i.e. root signs the intermediate, intermediate
+ *  signs the leaf and so on).
+ *  @return true if it's ok, false if not.
+ */
+bool
+CertificateChain::valid () const
+{
+       X509_STORE* store = X509_STORE_new ();
+       if (!store) {
+               return false;
+       }
+
+       for (List::const_iterator i = _certificates.begin(); i != _certificates.end(); ++i) {
+
+               List::const_iterator j = i;
+               ++j;
+               if (j ==  _certificates.end ()) {
+                       break;
+               }
+
+               if (!X509_STORE_add_cert (store, i->x509 ())) {
+                       X509_STORE_free (store);
+                       return false;
+               }
+
+               X509_STORE_CTX* ctx = X509_STORE_CTX_new ();
+               if (!ctx) {
+                       X509_STORE_free (store);
+                       return false;
+               }
+
+               X509_STORE_set_flags (store, 0);
+               if (!X509_STORE_CTX_init (ctx, store, j->x509 (), 0)) {
+                       X509_STORE_CTX_free (ctx);
+                       X509_STORE_free (store);
+                       return false;
+               }
+
+               int v = X509_verify_cert (ctx);
+               X509_STORE_CTX_free (ctx);
+
+               if (v == 0) {
+                       X509_STORE_free (store);
+                       return false;
+               }
+       }
+
+       X509_STORE_free (store);
+       return true;
+}
+
+/** @return true if the chain is now in order from root to leaf,
+ *  false if no correct order was found.
+ */
+bool
+CertificateChain::attempt_reorder ()
+{
+       List original = _certificates;
+       _certificates.sort ();
+       do {
+               if (valid ()) {
+                       return true;
+               }
+       } while (std::next_permutation (_certificates.begin(), _certificates.end ()));
+
+       _certificates = original;
+       return false;
+}