From 7fcb3514a6e781c2165ba5a25d85f22658ec1a7b Mon Sep 17 00:00:00 2001 From: Emmanuel Lepage Vallee <emmanuel.lepage@savoirfairelinux.com> Date: Wed, 28 Jan 2015 19:42:12 +0000 Subject: [PATCH] security: Exported DBus constants in a .h This commit also fix various issues with the TLSValidator: * Remove dead code (-Wunused) * Handle exeptions in configurationmanager (runtime assert) * Add missing construction initializer (-Wuninitialized) Refs #64785 Change-Id: I315396b2a3a29d097743ce825cda91235a6e7936 --- daemon/bin/Makefile.am | 4 +- daemon/bin/dbus/Makefile.am | 2 +- .../dbus/configurationmanager-introspec.xml | 2 + daemon/bin/dbus/dbuscallmanager.cpp | 2 +- daemon/bin/dbus/dbusclient.cpp | 2 +- daemon/bin/dbus/dbusclient.h | 2 +- daemon/bin/dbus/dbusconfigurationmanager.cpp | 2 +- daemon/bin/dbus/dbuspresencemanager.cpp | 2 +- daemon/bin/dbus/dbusvideomanager.cpp | 2 +- daemon/bin/osxmain.cpp | 2 +- daemon/globals.mak | 2 +- daemon/src/Makefile.am | 3 + daemon/src/client/callmanager.h | 2 +- daemon/src/client/configurationmanager.cpp | 26 ++- daemon/src/client/configurationmanager.h | 2 +- daemon/src/client/presencemanager.h | 2 +- daemon/src/client/videomanager.h | 2 +- daemon/src/{public/ring.h => dring/dring.h} | 0 daemon/src/dring/security.h | 111 +++++++++++++ daemon/src/ring_api.cpp | 2 +- daemon/src/sip/tlsvalidator.cpp | 153 +++++++----------- 21 files changed, 211 insertions(+), 116 deletions(-) rename daemon/src/{public/ring.h => dring/dring.h} (100%) create mode 100644 daemon/src/dring/security.h diff --git a/daemon/bin/Makefile.am b/daemon/bin/Makefile.am index 6e340d78d3..96b12d76ef 100644 --- a/daemon/bin/Makefile.am +++ b/daemon/bin/Makefile.am @@ -9,7 +9,7 @@ if HAVE_OSX libexec_PROGRAMS = ringcli ringcli_SOURCES = osxmain.cpp ringcli_CXXFLAGS = -I$(top_srcdir)/src \ - -I$(top_srcdir)/src/public \ + -I$(top_srcdir)/src/dring \ -DTOP_BUILDDIR=\"$$(cd "$(top_builddir)"; pwd)\" ringcli_LDADD = $(top_builddir)/src/libring.la endif @@ -22,7 +22,7 @@ libexec_PROGRAMS = dring dring_SOURCES = main.cpp dring_CXXFLAGS= -I$(top_srcdir)/src ${DBUSCPP_CFLAGS} \ - -I$(top_srcdir)/src/public \ + -I$(top_srcdir)/src/dring \ -DTOP_BUILDDIR=\"$$(cd "$(top_builddir)"; pwd)\" dring_LDADD = dbus/libclient_dbus.la ${DBUSCPP_LIBS} $(top_builddir)/src/libring.la diff --git a/daemon/bin/dbus/Makefile.am b/daemon/bin/dbus/Makefile.am index 121fedef3d..965e4588bc 100644 --- a/daemon/bin/dbus/Makefile.am +++ b/daemon/bin/dbus/Makefile.am @@ -49,7 +49,7 @@ endif libclient_dbus_la_CXXFLAGS = -I../ \ -I$(top_srcdir)/src \ - -I$(top_srcdir)/src/public \ + -I$(top_srcdir)/src/dring \ -DPREFIX=\"$(prefix)\" \ -DPROGSHAREDIR=\"${datadir}/ring\" \ $(DBUSCPP_CFLAGS) diff --git a/daemon/bin/dbus/configurationmanager-introspec.xml b/daemon/bin/dbus/configurationmanager-introspec.xml index 68f4431666..c19f3229a2 100644 --- a/daemon/bin/dbus/configurationmanager-introspec.xml +++ b/daemon/bin/dbus/configurationmanager-introspec.xml @@ -646,6 +646,7 @@ <arg type="a{ss}" name="details" direction="out"> <tp:docstring> <p>A key-value list of all certificate validation</p> + The constants used as keys are defined in the "security.h" constants header file </tp:docstring> </arg> </method> @@ -660,6 +661,7 @@ <arg type="a{ss}" name="details" direction="out"> <tp:docstring> <p>A key-value list of all certificate details</p> + The constants used as keys are defined in the "security.h" constants header file </tp:docstring> </arg> </method> diff --git a/daemon/bin/dbus/dbuscallmanager.cpp b/daemon/bin/dbus/dbuscallmanager.cpp index fdab56216f..1d1d5213ac 100644 --- a/daemon/bin/dbus/dbuscallmanager.cpp +++ b/daemon/bin/dbus/dbuscallmanager.cpp @@ -28,7 +28,7 @@ * as that of the covered work. */ #include <iostream> -#include "ring.h" +#include "dring.h" #include "dbuscallmanager.h" diff --git a/daemon/bin/dbus/dbusclient.cpp b/daemon/bin/dbus/dbusclient.cpp index 9ebc7460d8..777c76b0fe 100644 --- a/daemon/bin/dbus/dbusclient.cpp +++ b/daemon/bin/dbus/dbusclient.cpp @@ -31,7 +31,7 @@ #include <iostream> #include <cstring> #include <stdexcept> -#include "ring.h" +#include "dring.h" #include "dbusclient.h" #include "dbus_cpp.h" diff --git a/daemon/bin/dbus/dbusclient.h b/daemon/bin/dbus/dbusclient.h index 85077020a6..0aedcae9c2 100644 --- a/daemon/bin/dbus/dbusclient.h +++ b/daemon/bin/dbus/dbusclient.h @@ -31,7 +31,7 @@ #ifndef __DBUSCLIENT_H__ #define __DBUSCLIENT_H__ -#include "ring.h" +#include "dring.h" #include "noncopyable.h" class DBusConfigurationManager; diff --git a/daemon/bin/dbus/dbusconfigurationmanager.cpp b/daemon/bin/dbus/dbusconfigurationmanager.cpp index ab06d305fe..a0648294a0 100644 --- a/daemon/bin/dbus/dbusconfigurationmanager.cpp +++ b/daemon/bin/dbus/dbusconfigurationmanager.cpp @@ -28,7 +28,7 @@ * as that of the covered work. */ #include <iostream> -#include "ring.h" +#include "dring.h" #include "dbusconfigurationmanager.h" diff --git a/daemon/bin/dbus/dbuspresencemanager.cpp b/daemon/bin/dbus/dbuspresencemanager.cpp index 3ad66fdf46..14f3246830 100644 --- a/daemon/bin/dbus/dbuspresencemanager.cpp +++ b/daemon/bin/dbus/dbuspresencemanager.cpp @@ -27,7 +27,7 @@ * shall include the source code for the parts of OpenSSL used as well * as that of the covered work. */ -#include "ring.h" +#include "dring.h" #include "dbuspresencemanager.h" diff --git a/daemon/bin/dbus/dbusvideomanager.cpp b/daemon/bin/dbus/dbusvideomanager.cpp index 24b1d24004..16596813b0 100644 --- a/daemon/bin/dbus/dbusvideomanager.cpp +++ b/daemon/bin/dbus/dbusvideomanager.cpp @@ -27,7 +27,7 @@ * shall include the source code for the parts of OpenSSL used as well * as that of the covered work. */ -#include "ring.h" +#include "dring.h" #include "dbusvideomanager.h" diff --git a/daemon/bin/osxmain.cpp b/daemon/bin/osxmain.cpp index 3f2c62e048..c98b101ffe 100644 --- a/daemon/bin/osxmain.cpp +++ b/daemon/bin/osxmain.cpp @@ -36,7 +36,7 @@ #include <getopt.h> #include <string> -#include "ring.h" +#include "dring.h" #include "fileutils.h" static int sflphFlags = 0; diff --git a/daemon/globals.mak b/daemon/globals.mak index c6e53e47bb..4ddafaf0fe 100644 --- a/daemon/globals.mak +++ b/daemon/globals.mak @@ -26,7 +26,7 @@ AM_CPPFLAGS = \ -I$(src)/src/config \ -I$(src)/src/media \ -I$(src)/test \ - -I$(src)/src/public \ + -I$(src)/src/dring \ $(SIP_CFLAGS) \ -DPREFIX=\"$(prefix)\" \ -DPROGSHAREDIR=\"${datadir}/ring\" \ diff --git a/daemon/src/Makefile.am b/daemon/src/Makefile.am index 19237c386c..a21584ca35 100644 --- a/daemon/src/Makefile.am +++ b/daemon/src/Makefile.am @@ -133,3 +133,6 @@ libring_la_SOURCES = conference.cpp \ string_utils.cpp \ rw_mutex.h \ ring_api.cpp + +nobase_include_HEADERS= dring/dring.h \ + dring/security.h diff --git a/daemon/src/client/callmanager.h b/daemon/src/client/callmanager.h index a9a4f3e5e7..6686a14a74 100644 --- a/daemon/src/client/callmanager.h +++ b/daemon/src/client/callmanager.h @@ -40,7 +40,7 @@ #include <vector> #include <string> -#include "ring.h" +#include "dring.h" namespace ring { diff --git a/daemon/src/client/configurationmanager.cpp b/daemon/src/client/configurationmanager.cpp index 5519d0574c..ad04d0429d 100644 --- a/daemon/src/client/configurationmanager.cpp +++ b/daemon/src/client/configurationmanager.cpp @@ -45,6 +45,7 @@ #include "fileutils.h" #include "ip_utils.h" #include "sip/sipaccount.h" +#include "security.h" #include "audio/audiolayer.h" #include <dirent.h> @@ -142,13 +143,21 @@ void ConfigurationManager::setTlsSettings(const std::map<std::string, std::strin accountsChanged(); } -std::map<std::string, std::string> ConfigurationManager::validateCertificate(const std::string& accountId, +std::map<std::string, std::string> ConfigurationManager::validateCertificate(const std::string&, const std::string& certificate, const std::string& privateKey) { #if HAVE_TLS && HAVE_DHT - TlsValidator validator(certificate,privateKey); - return validator.getSerializedChecks(); + try { + TlsValidator validator(certificate,privateKey); + return validator.getSerializedChecks(); + } + catch(const std::runtime_error& e) { + std::map<std::string, std::string> res; + RING_WARN("Certificate loading failed"); + res[DRing::Certificate::ChecksNames::EXIST] = DRing::Certificate::CheckValuesNames::FAILED; + return res; + } #else RING_WARN("TLS not supported"); return std::map<std::string, std::string>(); @@ -158,12 +167,17 @@ std::map<std::string, std::string> ConfigurationManager::validateCertificate(con std::map<std::string, std::string> ConfigurationManager::getCertificateDetails(const std::string& certificate) { #if HAVE_TLS && HAVE_DHT - TlsValidator validator(certificate,""); - return validator.getSerializedDetails(); + try { + TlsValidator validator(certificate,""); + return validator.getSerializedDetails(); + } + catch(const std::runtime_error& e) { + RING_WARN("Certificate loading failed"); + } #else RING_WARN("TLS not supported"); - return std::map<std::string, std::string>(); #endif + return std::map<std::string, std::string>(); } void ConfigurationManager::setAccountDetails(const std::string& accountID, const std::map<std::string, std::string>& details) diff --git a/daemon/src/client/configurationmanager.h b/daemon/src/client/configurationmanager.h index 6ea802eb4b..b62bbc2bbd 100644 --- a/daemon/src/client/configurationmanager.h +++ b/daemon/src/client/configurationmanager.h @@ -42,7 +42,7 @@ #include <map> #include <string> -#include "ring.h" +#include "dring.h" namespace ring { diff --git a/daemon/src/client/presencemanager.h b/daemon/src/client/presencemanager.h index 0b6ae9052c..ddd24e953e 100644 --- a/daemon/src/client/presencemanager.h +++ b/daemon/src/client/presencemanager.h @@ -38,7 +38,7 @@ #include <vector> #include <string> -#include "ring.h" +#include "dring.h" namespace ring { diff --git a/daemon/src/client/videomanager.h b/daemon/src/client/videomanager.h index f653448e4d..d287ca320d 100644 --- a/daemon/src/client/videomanager.h +++ b/daemon/src/client/videomanager.h @@ -43,7 +43,7 @@ #include "video/video_base.h" #include "video/video_input.h" -#include "ring.h" +#include "dring.h" namespace ring { diff --git a/daemon/src/public/ring.h b/daemon/src/dring/dring.h similarity index 100% rename from daemon/src/public/ring.h rename to daemon/src/dring/dring.h diff --git a/daemon/src/dring/security.h b/daemon/src/dring/security.h new file mode 100644 index 0000000000..e92fa4b80b --- /dev/null +++ b/daemon/src/dring/security.h @@ -0,0 +1,111 @@ +/* + * Copyright (C) 2015 Savoir-Faire Linux Inc. + * Author: Philippe Proulx <philippe.proulx@savoirfairelinux.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Additional permission under GNU GPL version 3 section 7: + * + * If you modify this program, or any covered work, by linking or + * combining it with the OpenSSL project's OpenSSL library (or a + * modified version of that library), containing parts covered by the + * terms of the OpenSSL or SSLeay licenses, Savoir-Faire Linux Inc. + * grants you additional permission to convey the resulting work. + * Corresponding Source for a non-source form of such a combination + * shall include the source code for the parts of OpenSSL used as well + * as that of the covered work. + */ + +namespace DRing { + +namespace Certificate { + +/** +* Those constantes are used by the ConfigurationManager.validateCertificate method +*/ +namespace ChecksNames { + constexpr static char* HAS_PRIVATE_KEY = "HAS_PRIVATE_KEY" ; + constexpr static char* EXPIRED = "EXPIRED" ; + constexpr static char* STRONG_SIGNING = "STRONG_SIGNING" ; + constexpr static char* NOT_SELF_SIGNED = "NOT_SELF_SIGNED" ; + constexpr static char* KEY_MATCH = "KEY_MATCH" ; + constexpr static char* PRIVATE_KEY_STORAGE_PERMISSION = "PRIVATE_KEY_STORAGE_PERMISSION" ; + constexpr static char* PUBLIC_KEY_STORAGE_PERMISSION = "PUBLIC_KEY_STORAGE_PERMISSION" ; + constexpr static char* PRIVATE_KEY_DIRECTORY_PERMISSIONS = "PRIVATEKEY_DIRECTORY_PERMISSIONS"; + constexpr static char* PUBLIC_KEY_DIRECTORY_PERMISSIONS = "PUBLICKEY_DIRECTORY_PERMISSIONS" ; + constexpr static char* PRIVATE_KEY_STORAGE_LOCATION = "PRIVATE_KEY_STORAGE_LOCATION" ; + constexpr static char* PUBLIC_KEY_STORAGE_LOCATION = "PUBLIC_KEY_STORAGE_LOCATION" ; + constexpr static char* PRIVATE_KEY_SELINUX_ATTRIBUTES = "PRIVATE_KEY_SELINUX_ATTRIBUTES" ; + constexpr static char* PUBLIC_KEY_SELINUX_ATTRIBUTES = "PUBLIC_KEY_SELINUX_ATTRIBUTES" ; + constexpr static char* OUTGOING_SERVER = "OUTGOING_SERVER" ; + constexpr static char* EXIST = "EXIST" ; + constexpr static char* VALID = "VALID" ; + constexpr static char* VALID_AUTHORITY = "VALID_AUTHORITY" ; + constexpr static char* KNOWN_AUTHORITY = "KNOWN_AUTHORITY" ; + constexpr static char* NOT_REVOKED = "NOT_REVOKED" ; + constexpr static char* AUTHORITY_MISMATCH = "AUTHORITY_MISMATCH" ; + constexpr static char* UNEXPECTED_OWNER = "UNEXPECTED_OWNER" ; + constexpr static char* NOT_ACTIVATED = "NOT_ACTIVATED" ; +} //namespace DRing::Certificate::CheckValuesNames + +/** +* Those constants are used by the ConfigurationManager.getCertificateDetails method +*/ +namespace DetailsNames { + constexpr static char* EXPIRATION_DATE = "EXPIRATION_DATE" ; + constexpr static char* ACTIVATION_DATE = "ACTIVATION_DATE" ; + constexpr static char* REQUIRE_PRIVATE_KEY_PASSWORD = "REQUIRE_PRIVATE_KEY_PASSWORD" ; + constexpr static char* PUBLIC_SIGNATURE = "PUBLIC_SIGNATURE" ; + constexpr static char* VERSION_NUMBER = "VERSION_NUMBER" ; + constexpr static char* SERIAL_NUMBER = "SERIAL_NUMBER" ; + constexpr static char* ISSUER = "ISSUER" ; + constexpr static char* SUBJECT_KEY_ALGORITHM = "SUBJECT_KEY_ALGORITHM" ; + constexpr static char* CN = "CN" ; + constexpr static char* N = "N" ; + constexpr static char* O = "O" ; + constexpr static char* SIGNATURE_ALGORITHM = "SIGNATURE_ALGORITHM" ; + constexpr static char* MD5_FINGERPRINT = "MD5_FINGERPRINT" ; + constexpr static char* SHA1_FINGERPRINT = "SHA1_FINGERPRINT" ; + constexpr static char* PUBLIC_KEY_ID = "PUBLIC_KEY_ID" ; + constexpr static char* ISSUER_DN = "ISSUER_DN" ; + constexpr static char* NEXT_EXPECTED_UPDATE_DATE = "NEXT_EXPECTED_UPDATE_DATE" ; +} //namespace DRing::Certificate::CheckValuesNames + +/** +* Those constants are used by the ConfigurationManager.getCertificateDetails and +* ConfigurationManager.validateCertificate methods +*/ +namespace ChecksValuesTypesNames { + constexpr static char* BOOLEAN = "BOOLEAN" ; + constexpr static char* ISO_DATE = "ISO_DATE" ; + constexpr static char* CUSTOM = "CUSTOM" ; + constexpr static char* NUMBER = "NUMBER" ; +} //namespace DRing::Certificate::CheckValuesNames + +/** +* Those constantes are used by the ConfigurationManager.validateCertificate method +*/ +namespace CheckValuesNames { + constexpr static char* PASSED = "PASSED" ; + constexpr static char* FAILED = "FAILED" ; + constexpr static char* UNSUPPORTED = "UNSUPPORTED"; + constexpr static char* ISO_DATE = "ISO_DATE" ; + constexpr static char* CUSTOM = "CUSTOM" ; + constexpr static char* DATE = "DATE" ; +} //namespace DRing::Certificate::CheckValuesNames + +} //namespace DRing::Certificate + +} //namespace DRing \ No newline at end of file diff --git a/daemon/src/ring_api.cpp b/daemon/src/ring_api.cpp index 327f3f464a..f1acf44b40 100644 --- a/daemon/src/ring_api.cpp +++ b/daemon/src/ring_api.cpp @@ -39,7 +39,7 @@ #include "manager.h" #include "managerimpl.h" #include "logger.h" -#include "ring.h" +#include "dring.h" #include "client/callmanager.h" #include "client/configurationmanager.h" #include "client/presencemanager.h" diff --git a/daemon/src/sip/tlsvalidator.cpp b/daemon/src/sip/tlsvalidator.cpp index c7b1e203f8..a739aea9c8 100644 --- a/daemon/src/sip/tlsvalidator.cpp +++ b/daemon/src/sip/tlsvalidator.cpp @@ -40,6 +40,7 @@ #include "fileutils.h" #include "logger.h" +#include "security.h" #include <sstream> #include <iomanip> @@ -63,14 +64,16 @@ namespace ring { +//Map the internal ring Enum class of the exported names + const EnumClassNames<TlsValidator::CheckValues> TlsValidator::CheckValuesNames = {{ - /* CheckValues Name */ - /* PASSED */ "PASSED" , - /* FAILED */ "FAILED" , - /* UNSUPPORTED */ "UNSUPPORTED" , - /* ISO_DATE */ "ISO_DATE" , - /* CUSTOM */ "CUSTOM" , - /* CUSTOM */ "DATE" , + /* CheckValues Name */ + /* PASSED */ DRing::Certificate::CheckValuesNames::PASSED , + /* FAILED */ DRing::Certificate::CheckValuesNames::FAILED , + /* UNSUPPORTED */ DRing::Certificate::CheckValuesNames::UNSUPPORTED , + /* ISO_DATE */ DRing::Certificate::CheckValuesNames::ISO_DATE , + /* CUSTOM */ DRing::Certificate::CheckValuesNames::CUSTOM , + /* CUSTOM */ DRing::Certificate::CheckValuesNames::DATE , }}; const CallbackMatrix1D<TlsValidator::CertificateCheck, TlsValidator, TlsValidator::CheckResult> TlsValidator::checkCallback = {{ @@ -99,7 +102,6 @@ const CallbackMatrix1D<TlsValidator::CertificateCheck, TlsValidator, TlsValidato /*NOT_ACTIVATED */ &TlsValidator::activated , }}; - const CallbackMatrix1D<TlsValidator::CertificateDetails, TlsValidator, TlsValidator::CheckResult> TlsValidator::getterCallback = {{ /* EXPIRATION_DATE */ &TlsValidator::getExpirationDate , /* ACTIVATION_DATE */ &TlsValidator::getActivationDate , @@ -135,75 +137,69 @@ const Matrix1D<TlsValidator::CertificateCheck, TlsValidator::CheckValuesType> Tl /*PUBLIC_KEY_STORAGE_LOCATION */ CheckValuesType::BOOLEAN , /*PRIVATE_KEY_SELINUX_ATTRIBUTES */ CheckValuesType::BOOLEAN , /*PUBLIC_KEY_SELINUX_ATTRIBUTES */ CheckValuesType::BOOLEAN , -// /*REQUIRE_PRIVATE_KEY_PASSWORD */ CheckValuesType::BOOLEAN , /*OUTGOING_SERVER */ CheckValuesType::CUSTOM , /*EXIST */ CheckValuesType::BOOLEAN , /*VALID */ CheckValuesType::BOOLEAN , /*VALID_AUTHORITY */ CheckValuesType::BOOLEAN , /*KNOWN_AUTHORITY */ CheckValuesType::BOOLEAN , /*NOT_REVOKED */ CheckValuesType::BOOLEAN , -// /*EXPIRATION_DATE */ CheckValuesType::ISO_DATE, -// /*ACTIVATION_DATE */ CheckValuesType::ISO_DATE, /*AUTHORITY_MISMATCH */ CheckValuesType::BOOLEAN , /*UNEXPECTED_OWNER */ CheckValuesType::BOOLEAN , /*NOT_ACTIVATED */ CheckValuesType::BOOLEAN , }}; const EnumClassNames<TlsValidator::CertificateCheck> TlsValidator::CertificateCheckNames = {{ - /* CertificateCheck Name */ - /*HAS_PRIVATE_KEY */ "HAS_PRIVATE_KEY" , - /*EXPIRED */ "EXPIRED" , - /*STRONG_SIGNING */ "STRONG_SIGNING" , - /*NOT_SELF_SIGNED */ "NOT_SELF_SIGNED" , - /*KEY_MATCH */ "KEY_MATCH" , - /*PRIVATE_KEY_STORAGE_PERMISSION */ "PRIVATE_KEY_STORAGE_PERMISSION" , - /*PUBLIC_KEY_STORAGE_PERMISSION */ "PUBLIC_KEY_STORAGE_PERMISSION" , - /*PRIVATEKEY_DIRECTORY_PERMISSIONS */ "PRIVATEKEY_DIRECTORY_PERMISSIONS" , - /*PUBLICKEY_DIRECTORY_PERMISSIONS */ "PUBLICKEY_DIRECTORY_PERMISSIONS" , - /*PRIVATE_KEY_STORAGE_LOCATION */ "PRIVATE_KEY_STORAGE_LOCATION" , - /*PUBLIC_KEY_STORAGE_LOCATION */ "PUBLIC_KEY_STORAGE_LOCATION" , - /*PRIVATE_KEY_SELINUX_ATTRIBUTES */ "PRIVATE_KEY_SELINUX_ATTRIBUTES" , - /*PUBLIC_KEY_SELINUX_ATTRIBUTES */ "PUBLIC_KEY_SELINUX_ATTRIBUTES" , -// /*REQUIRE_PRIVATE_KEY_PASSWORD */ "REQUIRE_PRIVATE_KEY_PASSWORD" , // TODO move to certificateDetails() - /*OUTGOING_SERVER */ "OUTGOING_SERVER" , - /*EXIST */ "EXIST" , - /*VALID */ "VALID" , - /*VALID_AUTHORITY */ "VALID_AUTHORITY" , - /*KNOWN_AUTHORITY */ "KNOWN_AUTHORITY" , - /*NOT_REVOKED */ "NOT_REVOKED" , -// /*EXPIRATION_DATE */ "EXPIRATION_DATE" , // TODO move to certificateDetails() -// /*ACTIVATION_DATE */ "ACTIVATION_DATE" , // TODO move to certificateDetails() - /*AUTHORITY_MISMATCH */ "AUTHORITY_MISMATCH" , - /*UNEXPECTED_OWNER */ "UNEXPECTED_OWNER" , - /*NOT_ACTIVATED */ "NOT_ACTIVATED" , + /* CertificateCheck Name */ + /*HAS_PRIVATE_KEY */ DRing::Certificate::ChecksNames::HAS_PRIVATE_KEY , + /*EXPIRED */ DRing::Certificate::ChecksNames::EXPIRED , + /*STRONG_SIGNING */ DRing::Certificate::ChecksNames::STRONG_SIGNING , + /*NOT_SELF_SIGNED */ DRing::Certificate::ChecksNames::NOT_SELF_SIGNED , + /*KEY_MATCH */ DRing::Certificate::ChecksNames::KEY_MATCH , + /*PRIVATE_KEY_STORAGE_PERMISSION */ DRing::Certificate::ChecksNames::PRIVATE_KEY_STORAGE_PERMISSION , + /*PUBLIC_KEY_STORAGE_PERMISSION */ DRing::Certificate::ChecksNames::PUBLIC_KEY_STORAGE_PERMISSION , + /*PRIVATEKEY_DIRECTORY_PERMISSIONS */ DRing::Certificate::ChecksNames::PRIVATE_KEY_DIRECTORY_PERMISSIONS , + /*PUBLICKEY_DIRECTORY_PERMISSIONS */ DRing::Certificate::ChecksNames::PUBLIC_KEY_DIRECTORY_PERMISSIONS , + /*PRIVATE_KEY_STORAGE_LOCATION */ DRing::Certificate::ChecksNames::PRIVATE_KEY_STORAGE_LOCATION , + /*PUBLIC_KEY_STORAGE_LOCATION */ DRing::Certificate::ChecksNames::PUBLIC_KEY_STORAGE_LOCATION , + /*PRIVATE_KEY_SELINUX_ATTRIBUTES */ DRing::Certificate::ChecksNames::PRIVATE_KEY_SELINUX_ATTRIBUTES , + /*PUBLIC_KEY_SELINUX_ATTRIBUTES */ DRing::Certificate::ChecksNames::PUBLIC_KEY_SELINUX_ATTRIBUTES , + /*OUTGOING_SERVER */ DRing::Certificate::ChecksNames::OUTGOING_SERVER , + /*EXIST */ DRing::Certificate::ChecksNames::EXIST , + /*VALID */ DRing::Certificate::ChecksNames::VALID , + /*VALID_AUTHORITY */ DRing::Certificate::ChecksNames::VALID_AUTHORITY , + /*KNOWN_AUTHORITY */ DRing::Certificate::ChecksNames::KNOWN_AUTHORITY , + /*NOT_REVOKED */ DRing::Certificate::ChecksNames::NOT_REVOKED , + /*AUTHORITY_MISMATCH */ DRing::Certificate::ChecksNames::AUTHORITY_MISMATCH , + /*UNEXPECTED_OWNER */ DRing::Certificate::ChecksNames::UNEXPECTED_OWNER , + /*NOT_ACTIVATED */ DRing::Certificate::ChecksNames::NOT_ACTIVATED , }}; const EnumClassNames<TlsValidator::CertificateDetails> TlsValidator::CertificateDetailsNames = {{ - /* EXPIRATION_DATE */ "EXPIRATION_DATE" , - /* ACTIVATION_DATE */ "ACTIVATION_DATE" , - /* REQUIRE_PRIVATE_KEY_PASSWORD */ "REQUIRE_PRIVATE_KEY_PASSWORD" , - /* PUBLIC_SIGNATURE */ "PUBLIC_SIGNATURE" , - /* VERSION_NUMBER */ "VERSION_NUMBER" , - /* SERIAL_NUMBER */ "SERIAL_NUMBER" , - /* ISSUER */ "ISSUER" , - /* SUBJECT_KEY_ALGORITHM */ "SUBJECT_KEY_ALGORITHM" , - /* CN */ "CN" , - /* N */ "N" , - /* O */ "O" , - /* SIGNATURE_ALGORITHM */ "SIGNATURE_ALGORITHM" , - /* MD5_FINGERPRINT */ "MD5_FINGERPRINT" , - /* SHA1_FINGERPRINT */ "SHA1_FINGERPRINT" , - /* PUBLIC_KEY_ID */ "PUBLIC_KEY_ID" , - /* ISSUER_DN */ "ISSUER_DN" , - /* NEXT_EXPECTED_UPDATE_DATE */ "NEXT_EXPECTED_UPDATE_DATE" , + /* EXPIRATION_DATE */ DRing::Certificate::DetailsNames::EXPIRATION_DATE , + /* ACTIVATION_DATE */ DRing::Certificate::DetailsNames::ACTIVATION_DATE , + /* REQUIRE_PRIVATE_KEY_PASSWORD */ DRing::Certificate::DetailsNames::REQUIRE_PRIVATE_KEY_PASSWORD , + /* PUBLIC_SIGNATURE */ DRing::Certificate::DetailsNames::PUBLIC_SIGNATURE , + /* VERSION_NUMBER */ DRing::Certificate::DetailsNames::VERSION_NUMBER , + /* SERIAL_NUMBER */ DRing::Certificate::DetailsNames::SERIAL_NUMBER , + /* ISSUER */ DRing::Certificate::DetailsNames::ISSUER , + /* SUBJECT_KEY_ALGORITHM */ DRing::Certificate::DetailsNames::SUBJECT_KEY_ALGORITHM , + /* CN */ DRing::Certificate::DetailsNames::CN , + /* N */ DRing::Certificate::DetailsNames::N , + /* O */ DRing::Certificate::DetailsNames::O , + /* SIGNATURE_ALGORITHM */ DRing::Certificate::DetailsNames::SIGNATURE_ALGORITHM , + /* MD5_FINGERPRINT */ DRing::Certificate::DetailsNames::MD5_FINGERPRINT , + /* SHA1_FINGERPRINT */ DRing::Certificate::DetailsNames::SHA1_FINGERPRINT , + /* PUBLIC_KEY_ID */ DRing::Certificate::DetailsNames::PUBLIC_KEY_ID , + /* ISSUER_DN */ DRing::Certificate::DetailsNames::ISSUER_DN , + /* NEXT_EXPECTED_UPDATE_DATE */ DRing::Certificate::DetailsNames::NEXT_EXPECTED_UPDATE_DATE , }}; const EnumClassNames<const TlsValidator::CheckValuesType> TlsValidator::CheckValuesTypeNames = {{ - /* Type Name */ - /* BOOLEAN */ "BOOLEAN" , - /* ISO_DATE */ "ISO_DATE" , - /* CUSTOM */ "CUSTOM" , - /* NUMBER */ "NUMBER" , + /* Type Name */ + /* BOOLEAN */ DRing::Certificate::ChecksValuesTypesNames::BOOLEAN , + /* ISO_DATE */ DRing::Certificate::ChecksValuesTypesNames::ISO_DATE , + /* CUSTOM */ DRing::Certificate::ChecksValuesTypesNames::CUSTOM , + /* NUMBER */ DRing::Certificate::ChecksValuesTypesNames::NUMBER , }}; const Matrix2D<TlsValidator::CheckValuesType , TlsValidator::CheckValues , bool> TlsValidator::acceptedCheckValuesResult = {{ @@ -216,7 +212,8 @@ const Matrix2D<TlsValidator::CheckValuesType , TlsValidator::CheckValues , bool> TlsValidator::TlsValidator(const std::string& certificate, const std::string& privatekey) : -certificatePath_(certificate), privateKeyPath_(privatekey), caCert_(nullptr), caChecked_(false) +certificatePath_(certificate), privateKeyPath_(privatekey), certificateFound_(false), caCert_(nullptr), +caChecked_(false) { int err = gnutls_global_init(); if (err != GNUTLS_E_SUCCESS) @@ -225,6 +222,7 @@ certificatePath_(certificate), privateKeyPath_(privatekey), caCert_(nullptr), ca try { x509crt_ = {fileutils::loadFile(certificatePath_)}; certificateContent_ = x509crt_.getPacked(); + certificateFound_ = true; } catch (const std::exception& e) { throw TlsValidatorException("Can't load certificate"); } @@ -351,39 +349,6 @@ void TlsValidator::setCaTlsValidator(const TlsValidator& validator) caCert_ = (TlsValidator*)(&validator); } -/** - * Print the Subject, the Issuer and the Verification status of a given certificate. - * - * @todo Move to "certificateDetails()" once completed - */ -static int crypto_cert_print_issuer(gnutls_x509_crt_t cert, - gnutls_x509_crt_t issuer) -{ - char name[512]; - char issuer_name[512]; - size_t name_size; - size_t issuer_name_size; - - issuer_name_size = sizeof(issuer_name); - gnutls_x509_crt_get_issuer_dn(cert, issuer_name, - &issuer_name_size); - - name_size = sizeof(name); - gnutls_x509_crt_get_dn(cert, name, &name_size); - - RING_DBG("Subject: %s", name); - RING_DBG("Issuer: %s", issuer_name); - - if (issuer != nullptr) { - issuer_name_size = sizeof(issuer_name); - gnutls_x509_crt_get_dn(issuer, issuer_name, &issuer_name_size); - - RING_DBG("Verified against: %s", issuer_name); - } - - return 0; -} - /** * Helper method to return UNSUPPORTED when an error is detected */ @@ -1177,4 +1142,4 @@ TlsValidator::CheckResult TlsValidator::getActivationDate() return formatDate(expiration); } -} // namespace ring +} //namespace ring -- GitLab