certificate.h 17.9 KB
Newer Older
1
/****************************************************************************
Guillaume Roguez's avatar
Guillaume Roguez committed
2
 *   Copyright (C) 2014-2018 Savoir-faire Linux                          *
3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
 *   Author : Emmanuel Lepage Vallee <emmanuel.lepage@savoirfairelinux.com> *
 *                                                                          *
 *   This library is free software; you can redistribute it and/or          *
 *   modify it under the terms of the GNU Lesser General Public             *
 *   License as published by the Free Software Foundation; either           *
 *   version 2.1 of the License, or (at your option) any later version.     *
 *                                                                          *
 *   This library is distributed in the hope that it will be useful,        *
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of         *
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU      *
 *   Lesser General Public License for more details.                        *
 *                                                                          *
 *   You should have received a copy of the GNU General Public License      *
 *   along with this program.  If not, see <http://www.gnu.org/licenses/>.  *
 ***************************************************************************/
Guillaume Roguez's avatar
Guillaume Roguez committed
18
#pragma once
19 20

#include "typedefs.h"
21
#include "itembase.h"
22 23

//Qt
24
class QAbstractItemModel;
25

26
class CertificatePrivate;
27
class Account;
28
class ChainOfTrustModel;
29
class ContactMethod;
30

31 32 33
/**
 * This class represent a conceptual certificate.
 */
34
class LIB_EXPORT Certificate : public ItemBase
35
{
36
   Q_OBJECT
37 38 39

   friend class CertificateModel;
   friend class CertificateModelPrivate;
40 41
   friend class SecurityEvaluationModel;
   friend class SecurityEvaluationModelPrivate;
42 43
public:

44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
   //Properties
   Q_PROPERTY(CheckValues hasPrivateKey                       READ hasPrivateKey                       )
   Q_PROPERTY(CheckValues isNotExpired                        READ isNotExpired                        )
   Q_PROPERTY(CheckValues hasStrongSigning                    READ hasStrongSigning                    )
   Q_PROPERTY(CheckValues isNotSelfSigned                     READ isNotSelfSigned                     )
   Q_PROPERTY(CheckValues privateKeyMatch                     READ privateKeyMatch                     )
   Q_PROPERTY(CheckValues arePrivateKeyStoragePermissionOk    READ arePrivateKeyStoragePermissionOk    )
   Q_PROPERTY(CheckValues arePublicKeyStoragePermissionOk     READ arePublicKeyStoragePermissionOk     )
   Q_PROPERTY(CheckValues arePrivateKeyDirectoryPermissionsOk READ arePrivateKeyDirectoryPermissionsOk )
   Q_PROPERTY(CheckValues arePublicKeyDirectoryPermissionsOk  READ arePublicKeyDirectoryPermissionsOk  )
   Q_PROPERTY(CheckValues arePrivateKeyStorageLocationOk      READ arePrivateKeyStorageLocationOk      )
   Q_PROPERTY(CheckValues arePublicKeyStorageLocationOk       READ arePublicKeyStorageLocationOk       )
   Q_PROPERTY(CheckValues arePrivateKeySelinuxAttributesOk    READ arePrivateKeySelinuxAttributesOk    )
   Q_PROPERTY(CheckValues arePublicKeySelinuxAttributesOk     READ arePublicKeySelinuxAttributesOk     )
   Q_PROPERTY(CheckValues exist                               READ exist                               )
   Q_PROPERTY(CheckValues isValid                             READ isValid                             )
   Q_PROPERTY(CheckValues hasValidAuthority                   READ hasValidAuthority                   )
   Q_PROPERTY(CheckValues hasKnownAuthority                   READ hasKnownAuthority                   )
   Q_PROPERTY(CheckValues isNotRevoked                        READ isNotRevoked                        )
   Q_PROPERTY(CheckValues authorityMatch                      READ authorityMatch                      )
   Q_PROPERTY(CheckValues hasExpectedOwner                    READ hasExpectedOwner                    )
   Q_PROPERTY(bool        isActivated                         READ isActivated                         )
66 67
   Q_PROPERTY(bool        hasRemote                           READ hasRemote                           )
   Q_PROPERTY(QByteArray  remoteId                            READ remoteId                            )
68 69
   Q_PROPERTY(QString     path                                READ path              WRITE setPath     )
   Q_PROPERTY(QString     privateKeyPath                      READ privateKeyPath    WRITE setPrivateKeyPath)
70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87

   Q_PROPERTY(QDateTime  expirationDate                       READ expirationDate           )
   Q_PROPERTY(QDateTime  activationDate                       READ activationDate           )
   Q_PROPERTY(bool       requirePrivateKeyPassword            READ requirePrivateKeyPassword)
   Q_PROPERTY(QByteArray publicSignature                      READ publicSignature          )
   Q_PROPERTY(int        versionNumber                        READ versionNumber            )
   Q_PROPERTY(QByteArray serialNumber                         READ serialNumber             )
   Q_PROPERTY(QString    issuer                               READ issuer                   )
   Q_PROPERTY(QByteArray subjectKeyAlgorithm                  READ subjectKeyAlgorithm      )
   Q_PROPERTY(QString    cn                                   READ cn                       )
   Q_PROPERTY(QString    n                                    READ n                        )
   Q_PROPERTY(QString    o                                    READ o                        )
   Q_PROPERTY(QByteArray signatureAlgorithm                   READ signatureAlgorithm       )
   Q_PROPERTY(QByteArray md5Fingerprint                       READ md5Fingerprint           )
   Q_PROPERTY(QByteArray sha1Fingerprint                      READ sha1Fingerprint          )
   Q_PROPERTY(QByteArray publicKeyId                          READ publicKeyId              )
   Q_PROPERTY(QByteArray issuerDn                             READ issuerDn                 )
   Q_PROPERTY(QDateTime  nextExpectedUpdateDate               READ nextExpectedUpdateDate   )
88
   Q_PROPERTY(QString    outgoingServer                       READ outgoingServer           )
89
   Q_PROPERTY(ContactMethod* contactMethod                    READ contactMethod     WRITE setContactMethod)
90

91

92
   //Structures
93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115

   /**
    * Represent a certificate "reason to be" in the system.
    *
    * Certificates can be there for multiple reasons, they are flags. It will be
    * used as hints in other subsystem.
    */
   enum class OriginHint {
      UNKNOWN                = 0x0     , /*!< The origin isn't known                                                            */
      SYSTEM_AUTHORITY       = 0x1 << 0, /*!< The certificate is part of the system wide store                                  */
      ROOT_AUTORITY          = 0x1 << 1, /*!< The certificate is part of the system wide root store                             */
      INTERMEDIATE_AUTHORITY = 0x1 << 2, /*!< The certificate is part of the chain between a system certificate and another one */
      ACCOUNT_AUTHORITY      = 0x1 << 3, /*!< The certificate is used as CA by an account                                       */
      ACCOUNT_KEY            = 0x1 << 4, /*!< The certificate is used as a key by an account                                    */
      PERSON                 = 0x1 << 5, /*!< The certificate is associated with a person                                       */
      BLACKLIST              = 0x1 << 6, /*!< This certificate is part of an account communication blacklist                    */
      WHITELIST              = 0x1 << 7, /*!< This certificate is part of an account communication whitelist                    */
      HISTORY                = 0x1 << 8, /*!< This certificate is used by at least one history call                             */
      NETWORK_PRESENCE       = 0x1 << 9, /*!< This certificate is exposed by a peer on the local network                        */
   };
   Q_FLAGS(OriginHint)

   ///DEPRECATED
116 117 118 119
   enum class Type {
      AUTHORITY  ,
      USER       ,
      PRIVATE_KEY,
120
      CALL       ,
121 122 123
      NONE       ,
   };

124
   /**
125
   * @enum Checks All validation fields
126 127
   *
   */
128
   enum class Checks {
129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149
      HAS_PRIVATE_KEY                   , /*!< This certificate has a build in private key                          */
      EXPIRED                           , /*!< This certificate is past its expiration date                         */
      STRONG_SIGNING                    , /*!< This certificate has been signed with a brute-force-able method      */
      NOT_SELF_SIGNED                   , /*!< This certificate has been self signed                                */
      KEY_MATCH                         , /*!< The public and private keys provided don't match                     */
      PRIVATE_KEY_STORAGE_PERMISSION    , /*!< The file hosting the private key isn't correctly secured             */
      PUBLIC_KEY_STORAGE_PERMISSION     , /*!< The file hosting the public key isn't correctly secured              */
      PRIVATE_KEY_DIRECTORY_PERMISSIONS , /*!< The folder storing the private key isn't correctly secured           */
      PUBLIC_KEY_DIRECTORY_PERMISSIONS  , /*!< The folder storing the public key isn't correctly secured            */
      PRIVATE_KEY_STORAGE_LOCATION      , /*!< Some operating systems have extra policies for certificate storage   */
      PUBLIC_KEY_STORAGE_LOCATION       , /*!< Some operating systems have extra policies for certificate storage   */
      PRIVATE_KEY_SELINUX_ATTRIBUTES    , /*!< Some operating systems require keys to have extra attributes         */
      PUBLIC_KEY_SELINUX_ATTRIBUTES     , /*!< Some operating systems require keys to have extra attributes         */
      EXIST                             , /*!< The certificate file doesn't exist or is not accessible              */
      VALID                             , /*!< The file is not a certificate                                        */
      VALID_AUTHORITY                   , /*!< The claimed authority did not sign the certificate                   */
      KNOWN_AUTHORITY                   , /*!< Some operating systems provide a list of trusted authorities, use it */
      NOT_REVOKED                       , /*!< The certificate has been revoked by the authority                    */
      AUTHORITY_MATCH                   , /*!< The certificate and authority mismatch                               */
      EXPECTED_OWNER                    , /*!< The certificate has an expected owner                                */
      ACTIVATED                         , /*!< The certificate has not been activated yet                           */
150 151 152 153
      COUNT__,
   };

   /**
154
   * @enum Details Informative fields about a certificate
155
   */
156
   enum class Details {
157 158 159
      EXPIRATION_DATE                , /*!< The certificate expiration date                                      */
      ACTIVATION_DATE                , /*!< The certificate activation date                                      */
      REQUIRE_PRIVATE_KEY_PASSWORD   , /*!< Does the private key require a password                              */
160 161 162 163 164 165 166 167 168 169 170 171 172 173
      PUBLIC_SIGNATURE               ,
      VERSION_NUMBER                 ,
      SERIAL_NUMBER                  ,
      ISSUER                         ,
      SUBJECT_KEY_ALGORITHM          ,
      CN                             ,
      N                              ,
      O                              ,
      SIGNATURE_ALGORITHM            ,
      MD5_FINGERPRINT                ,
      SHA1_FINGERPRINT               ,
      PUBLIC_KEY_ID                  ,
      ISSUER_DN                      ,
      NEXT_EXPECTED_UPDATE_DATE      ,
174
      OUTGOING_SERVER                , /*!< The hostname/outgoing server used for this certificate               */
175

176 177 178 179
      COUNT__
   };

   /**
180
   * @enum CheckValuesType Categories of possible values for each Checks
181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200
   */
   enum class CheckValuesType {
      BOOLEAN,
      ISO_DATE,
      CUSTOM,
      NUMBER,
      COUNT__,
   };

   /**
   * @enum CheckValue possible values for check
   *
   * All boolean check use PASSED when the test result is positive and
   * FAILED when it is negative. All new check need to keep this convention
   * or ::isValid() result will become unrepresentative of the real state.
   *
   * CUSTOM should be avoided when possible. This enum can be extended when
   * new validated types are required.
   */
   enum class CheckValues {
201 202 203
      FAILED     , /*!< Equivalent of a boolean "false"                                   */
      PASSED     , /*!< Equivalent of a boolean "true"                                    */
      UNSUPPORTED, /*!< The operating system doesn't support or require the check         */
204 205
      COUNT__,
   };
206
   Q_ENUMS(CheckValues)
207

208 209 210 211 212 213 214 215 216 217 218 219 220 221 222
   /**
    * A certificate local status. A single certificate can have multiple status
    * at once depending on the context. For example, one account may block a
    * certificate while another one trust it.
    */
   enum class Status {
      UNDEFINED      ,
      ALLOWED        ,
      BANNED         ,
      REVOKED        ,
      REVOKED_ALLOWED,
      COUNT__
   };
   Q_ENUMS(Status)

223
   //Getter
224 225
   QString path                         (                             ) const;
   QString privateKeyPath               (                             ) const;
226 227 228 229 230
   Certificate::Type type               (                             ) const;
   Certificate::CheckValues checkResult ( Certificate::Checks check   ) const;
   QVariant detailResult                ( Certificate::Details detail ) const;
   QAbstractItemModel* model            (                             ) const;
   QAbstractItemModel* checksModel      (                             ) const;
231 232
   bool hasRemote                       (                             ) const;
   QByteArray remoteId                  (                             ) const;
233
   Status     status                    ( const Account* a            ) const;
234
   bool       requireStrictPermission   (                             ) const;
235 236
   Certificate* signedBy                (                             ) const;
   ChainOfTrustModel* chainOfTrustModel (                             ) const;
237
   FlagPack<OriginHint> originHint      (                             ) const;
238
   ContactMethod* contactMethod         (                             ) const;
239 240
   Q_INVOKABLE QVariant roleData        ( int role                    ) const;

241

242 243 244 245
   static QString getName        (Certificate::Checks   check  );
   static QString getName        (Certificate::Details details );
   static QString getDescription (Certificate::Checks   check  );
   static QString getDescription (Certificate::Details details );
246

247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267
   //Checks
   CheckValues hasPrivateKey                       () const;
   CheckValues isNotExpired                        () const;
   CheckValues hasStrongSigning                    () const;
   CheckValues isNotSelfSigned                     () const;
   CheckValues privateKeyMatch                     () const;
   CheckValues arePrivateKeyStoragePermissionOk    () const;
   CheckValues arePublicKeyStoragePermissionOk     () const;
   CheckValues arePrivateKeyDirectoryPermissionsOk () const;
   CheckValues arePublicKeyDirectoryPermissionsOk  () const;
   CheckValues arePrivateKeyStorageLocationOk      () const;
   CheckValues arePublicKeyStorageLocationOk       () const;
   CheckValues arePrivateKeySelinuxAttributesOk    () const;
   CheckValues arePublicKeySelinuxAttributesOk     () const;
   CheckValues exist                               () const;
   CheckValues isValid                             () const;
   CheckValues hasValidAuthority                   () const;
   CheckValues hasKnownAuthority                   () const;
   CheckValues isNotRevoked                        () const;
   CheckValues authorityMatch                      () const;
   CheckValues hasExpectedOwner                    () const;
268
   bool        isActivated                         () const;
269 270 271 272 273

   //Details
   QDateTime  expirationDate                       () const;
   QDateTime  activationDate                       () const;
   bool       requirePrivateKeyPassword            () const;
274 275
   QString    privateKeyPassword                   () const;

276
   bool       requirePrivateKey                    () const;
277 278 279 280 281 282 283 284 285 286 287 288 289 290
   QByteArray publicSignature                      () const;
   int        versionNumber                        () const;
   QByteArray serialNumber                         () const;
   QString    issuer                               () const;
   QByteArray subjectKeyAlgorithm                  () const;
   QString    cn                                   () const;
   QString    n                                    () const;
   QString    o                                    () const;
   QByteArray signatureAlgorithm                   () const;
   QByteArray md5Fingerprint                       () const;
   QByteArray sha1Fingerprint                      () const;
   QByteArray publicKeyId                          () const;
   QByteArray issuerDn                             () const;
   QDateTime  nextExpectedUpdateDate               () const;
291 292
   QString    outgoingServer                       () const;

293
   //Setter
294
   void setPath(const QString& path);
295
   bool setStatus(const Account* a, Status s);
296 297
   void setPrivateKeyPath(const QString& path);
   void setPrivateKeyPassword(const QString& pass);
298 299
   void setRequirePrivateKey(bool value);
   void setRequireStrictPermission(bool value);
300
   void addOrigin(const FlagPack<OriginHint>& hints);
301
   void setContactMethod(ContactMethod* contactMethod);
302

303
   //Mutator
304 305
   Q_INVOKABLE bool fixPermissions() const;
   Q_INVOKABLE bool moveToDotCert () const;
306

307
private:
308
   explicit Certificate(const QString& path, Type type, const QString& privateKey = QString());
309
   Certificate(const QString& id);
310
   Certificate(const QByteArray& content, Type type = Type::CALL);
311
   virtual ~Certificate();
312
   CertificatePrivate* d_ptr;
313 314

Q_SIGNALS:
315
   ///This certificate changed, all users need to reload it
316
   void changed() const;
317 318
};
Q_DECLARE_METATYPE(Certificate*)
319
Q_DECLARE_METATYPE(Certificate::CheckValues)
320 321
Q_DECLARE_METATYPE(Certificate::Checks)
Q_DECLARE_METATYPE(Certificate::Details)
322
Q_DECLARE_METATYPE(Certificate::Status)
323