
📄 pki_x509.cpp

📁 一个小型证书管理系统
💻 CPP
📖 第 1 页 / 共 2 页
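	intToData(&p1, sLastCrl); // size of last CRL
	if (sLastCrl) {
		i2d_ASN1_TIME(lastCrl, &p1); // last CRL date
	}
	openssl_error();
	return p;
}

// Return one attribute of an X509_NAME as display text (empty if absent).
// The value is cut to 199 bytes and, being handled as a C string, also ends
// at the first embedded NUL byte. Use the result for display only; do not
// match identities (e.g. host names) against it.
static string x509NameText(X509_NAME *name, int nid)
{
	char buf[200] = "";
	if (name)
		X509_NAME_get_text_by_NID(name, nid, buf, sizeof(buf));
	return string(buf);
}

// Escape the characters that carry meaning in HTML, so that text taken from a
// certificate cannot be interpreted as markup by whatever renders the result.
static string x509HtmlEscape(const string &in)
{
	string out;
	out.reserve(in.length());
	for (string::size_type i = 0; i < in.length(); i++) {
		switch (in[i]) {
		case '&': out += "&amp;"; break;
		case '<': out += "&lt;"; break;
		case '>': out += "&gt;"; break;
		case '"': out += "&quot;"; break;
		default: out += in[i];
		}
	}
	return out;
}

// Text of the subject-name attribute identified by nid.
string pki_x509::getDNs(int nid)
{
	string s = x509NameText(X509_get_subject_name(cert), nid);
	openssl_error();
	return s;
}

// Text of the issuer-name attribute identified by nid.
string pki_x509::getDNi(int nid)
{
	string s = x509NameText(X509_get_issuer_name(cert), nid);
	openssl_error();
	return s;
}

// Start of the validity period as printed by ASN1_TIME_print().
string pki_x509::notBefore()
{
	return asn1TimeToString(X509_get_notBefore(cert));
}

// End of the validity period as printed by ASN1_TIME_print().
string pki_x509::notAfter()
{
	return asn1TimeToString(X509_get_notAfter(cert));
}

// Revocation time, or an empty string when the certificate is not revoked.
string pki_x509::revokedAt()
{
	return asn1TimeToString(revoked);
}

// Format an ASN1_TIME as text. Returns "" for a NULL time or when nothing
// could be printed.
string pki_x509::asn1TimeToString(ASN1_TIME *a)
{
	string time = "";
	if (!a) return time;
	BIO * bio = BIO_new(BIO_s_mem());
	if (bio) {
		// Zero-initialised so a failed BIO_gets() can never hand
		// uninitialised stack bytes to the string.
		char buf[200] = "";
		ASN1_TIME_print(bio, a);
		if (BIO_gets(bio, buf, sizeof(buf)) > 0)
			time = buf;
		BIO_free(bio);
	}
	openssl_error();
	return time;
}

// Write the certificate to fname, PEM or DER encoded, truncating the file or
// appending to it. An open failure is reported through fopen_error().
void pki_x509::writeCert(const string fname, bool PEM, bool append)
{
	FILE *fp = fopen(fname.c_str(), append ? "a" : "w");
	if (fp == NULL) {
		// Return here: the original fell through to fclose(NULL).
		fopen_error(fname);
		return;
	}
	if (cert) {
		if (PEM)
			PEM_write_X509(fp, cert);
		else
			i2d_X509_fp(fp, cert);
	}
	// Close before reporting, so the handle is released even if
	// openssl_error() does not return (presumably it may throw - confirm).
	// NOTE(review): the fclose() result is ignored, so a failed flush
	// leaves a truncated file without any error being reported.
	fclose(fp);
	if (cert) openssl_error();
}

// True if refreq holds the same certificate according to X509_cmp().
bool pki_x509::compare(pki_base *refreq)
{
	if (!refreq) return false;
	// NOTE(review): unchecked downcast; the caller must pass a pki_x509.
	bool ret = !X509_cmp(cert, ((pki_x509 *)refreq)->cert);
	ign_openssl_error();
	return ret;
}

// True if refcert has the same serial number and the same issuer name.
bool pki_x509::cmpIssuerAndSerial(pki_x509 *refcert)
{
	if (!refcert || !refcert->cert) return false;
	if (getSerial() != refcert->getSerial()) return false;
	X509_NAME *issuer = X509_get_issuer_name(cert);
	X509_NAME *refissuer = X509_get_issuer_name(refcert->cert);
	openssl_error();
	return !X509_NAME_cmp(issuer, refissuer);
}

// Check whether signer issued this certificate and, if so, remember it as
// psigner. The check is: signer's subject equals our issuer, and our
// signature verifies under signer's public key. Nothing else is checked here:
// no validity dates, no CA / key-usage extensions, no revocation. A true
// result therefore means "signed by this key", not "trusted chain".
// NOTE(review): verify(NULL) returns true while psigner is still NULL, because
// of the first comparison - confirm callers never read that as "verified".
bool pki_x509::verify(pki_x509 *signer)
{
	if (psigner == signer) return true;
	if ((psigner != NULL )||( signer == NULL)) return false;
	X509_NAME *subject =  X509_get_subject_name(signer->cert);
	X509_NAME *issuer = X509_get_issuer_name(cert);
	openssl_error();
	if (X509_NAME_cmp(subject, issuer)) {
		return false;
	}
	// Local named signerKey so it no longer shadows the member pkey.
	pki_key *signerKey = signer->getPubKey();
	int i = -1;
	// Test the pointer before it is dereferenced (the original tested it
	// only afterwards).
	if (signerKey)
		i = X509_verify(cert, signerKey->key);
	ign_openssl_error();
	if (signerKey) delete(signerKey);
	if (i>0) {
		CERR("psigner set for: " << getDescription().c_str() );
		psigner = signer;
		return true;
	}
	return false;
}

// Return a newly allocated pki_key wrapping the certificate's public key.
// The caller owns the returned object and must delete it.
pki_key *pki_x509::getPubKey()
{
	EVP_PKEY *pkey = X509_get_pubkey(cert);
	openssl_error();
	pki_key *key = new pki_key(pkey);
	return key;
}

// Digest of the certificate as upper-case hex bytes separated by ':'.
// Returns "" if the digest could not be computed.
string pki_x509::fingerprint(const EVP_MD *digest)
{
	string fp="";
	char zs[4];
	unsigned int n = 0;
	unsigned char md[EVP_MAX_MD_SIZE];
	// On failure n would otherwise be left uninitialised and the loop
	// below would format arbitrary stack bytes.
	if (!X509_digest(cert, digest, md, &n))
		n = 0;
	openssl_error();
	for (unsigned int j = 0; j < n; j++) {
		snprintf(zs, sizeof(zs), "%02X", (unsigned int)md[j]);
		if (j) fp += ':';
		fp += zs;
	}
	return fp;
}

// Compare the validity period with the current time.
// Returns -1 if the certificate has expired, 1 if it is not yet valid,
// 0 otherwise.
// NOTE(review): ASN1_UTCTIME_cmp_time_t() is meant for UTCTime values; dates
// encoded as GeneralizedTime may not be compared correctly - confirm.
int pki_x509::checkDate()
{
	time_t tnow = time(NULL);
	int ret=0;
	if (ASN1_UTCTIME_cmp_time_t(X509_get_notAfter(cert), tnow) == -1)
		ret = -1;
	// The original condition was "!cmp(...) == -1", which negates first
	// and so can never be true: a not-yet-valid certificate was reported
	// as valid. Flag it when notBefore lies after the current time.
	if (ASN1_UTCTIME_cmp_time_t(X509_get_notBefore(cert), tnow) == 1)
		ret = 1;
	openssl_error();
	return ret;
}

// Clamp the validity period to that of signer, so that the certificate is
// not valid outside its issuer's lifetime.
// Returns -1 without a signer, 0 if nothing changed, 1 if only notAfter was
// adjusted, 2 if notBefore was adjusted.
int pki_x509::resetTimes(pki_x509 *signer)
{
	int ret = 0;
	if (!signer) return -1;
	// ASN1_STRING_cmp() returns a negative or positive difference, not
	// exactly -1 / 1, so test the sign. The original "== 1" / "== -1" tests
	// could skip the clamp and leave the certificate outliving its issuer.
	// NOTE(review): this compares the encoded strings; it is only
	// chronological when both times use the same encoding - confirm.
	if (ASN1_STRING_cmp(X509_get_notAfter(cert), X509_get_notAfter(signer->cert)) > 0) {
		// client cert is valid longer than the signer
		CERR("adjust notAfter");
		if (X509_get_notAfter(cert)) ASN1_TIME_free(X509_get_notAfter(cert));
		X509_get_notAfter(cert) = M_ASN1_TIME_dup(X509_get_notAfter(signer->cert));
		ret=1;
	}
	if (ASN1_STRING_cmp(X509_get_notBefore(cert), X509_get_notBefore(signer->cert)) < 0) {
		// client cert becomes valid before the signer does
		CERR("adjust notBefore");
		if (X509_get_notBefore(cert)) ASN1_TIME_free(X509_get_notBefore(cert));
		X509_get_notBefore(cert) = M_ASN1_TIME_dup(X509_get_notBefore(signer->cert));
		ret=2;
	}
	openssl_error();
	return ret;
}

// Certificate recorded by verify() as the issuer, or NULL.
pki_x509 *pki_x509::getSigner() { return (psigner); }

// Key object associated with this certificate, or NULL.
pki_key *pki_x509::getKey() { return (pkey); }

// Associate key with this certificate. The key's use count is incremented
// only when no key was set before; returns true in exactly that case.
bool pki_x509::setKey(pki_key *key)
{
	bool ret=false;
	if (!pkey && key) {
		CERR( "KEY COUNT UP");
		key->incUcount();
		ret=true;
	}
	pkey = key;
	return ret;
}

// Forget the associated key (the key object itself is not freed here).
void pki_x509::delKey() { pkey = NULL; }

// Forget the recorded signer.
void pki_x509::delSigner() { psigner=NULL; }

// Render all X509v3 extensions as an HTML fragment: the extension name in
// bold/underline, a red "critical" marker where set, and the printed value in
// a <tt> block. Name and value come from the certificate and are HTML-escaped
// before they are inserted.
string pki_x509::printV3ext()
{
#define V3_BUF 100
	ASN1_OBJECT *obj;
	BIO *bio = BIO_new(BIO_s_mem());
	int i, len, n = X509_get_ext_count(cert);
	char buffer[V3_BUF+1];
	X509_EXTENSION *ex;
	string text="";
	if (!bio) {
		openssl_error();
		return text;
	}
	for (i=0; i<n; i++) {
		string value;
		ex = X509_get_ext(cert,i);
		obj = X509_EXTENSION_get_object(ex);
		len = i2t_ASN1_OBJECT(buffer, V3_BUF, obj);
		if (len <0 || len > V3_BUF) {
			// The object identifier is certificate data, so this
			// length is outside our control. Never index the
			// buffer with it; release the BIO, report, and stop.
			BIO_free(bio);
			openssl_error("V3 buffer too small, this is a bug!");
			return text;
		}
		buffer[len] = '\0';
		CERR("extension: "<< buffer <<", length: " << len);
		text += "<b><u>";
		text += x509HtmlEscape(buffer);
		text += ": ";
		if (X509_EXTENSION_get_critical(ex)) {
			text += " <font color=\"red\">critical</font>:";
		}
		if(!X509V3_EXT_print(bio, ex, 0, 0)) {
			M_ASN1_OCTET_STRING_print(bio,ex->value);
		}
		text+="</u></b><br><tt>";
		// Stop on the first read that yields nothing. The original
		// do/while wrote buffer[-1] when BIO_read() returned -1 for
		// an extension that printed no output.
		while ((len = BIO_read(bio, buffer, V3_BUF)) > 0) {
			buffer[len] = '\0';
			value += buffer;
			CERR("extension-length: "<< len);
		}
		text += x509HtmlEscape(value);
		text+="</tt><br>";
	}
	BIO_free(bio);
	openssl_error();
	return text;
}

// Serial number as printed by i2a_ASN1_INTEGER().
string pki_x509::getSerial()
{
	char buf[100];
	string x;
	BIO *bio = BIO_new(BIO_s_mem());
	if (bio) {
		int len;
		i2a_ASN1_INTEGER(bio, cert->cert_info->serialNumber);
		// Read in chunks that leave room for the terminator. The
		// original read 100 bytes into buf[100] and then wrote
		// buf[len], one byte past the end for a long serial and
		// buf[-1] on a failed read. Reading to the end also keeps
		// cmpIssuerAndSerial() from comparing truncated serials.
		while ((len = BIO_read(bio, buf, sizeof(buf) - 1)) > 0) {
			buf[len] = '\0';
			x += buf;
		}
		BIO_free(bio);
	}
	openssl_error();
	return x;
}

// Trust level assigned to this certificate (0..2, see setTrust()).
int pki_x509::getTrust()
{
	return trust;
}

// Set the trust level; values outside 0..2 are ignored.
void pki_x509::setTrust(int t)
{
	if (t>=0 && t<=2)
		trust = t;
}

// Effective trust as last computed or set.
int pki_x509::getEffTrust()
{
	return efftrust;
}

// Set the effective trust; values outside 0..2 are ignored.
void pki_x509::setEffTrust(int t)
{
	if (t>= 0 && t<= 2)
		efftrust = t;
}

// True if a revocation time is recorded.
bool pki_x509::isRevoked()
{
	return (revoked != NULL);
}

// Mark the certificate revoked (trust and effective trust drop to 0 and the
// current time is recorded once) or clear the revocation.
void pki_x509::setRevoked(bool rev)
{
	if (rev) {
		setEffTrust(0);
		setTrust(0);
		if (revoked) return;
		revoked = ASN1_TIME_new();
		openssl_error();
		// With a NULL argument X509_gmtime_adj() allocates a new
		// object whose pointer would be discarded here.
		if (revoked) X509_gmtime_adj(revoked,0);
	}
	else {
		if (!revoked) return;
		ASN1_TIME_free(revoked);
		revoked = NULL;
	}
	openssl_error();
}

// Compute and store the effective trust. A trust of 1 means "inherit from the
// signer": the signer chain is followed until a certificate with a different
// trust value is found. A chain that ends without such a certificate, a
// self-signed certificate that inherits, and a chain that loops all yield 0.
int pki_x509::calcEffTrust()
{
	int mytrust = trust;
	if (mytrust != 1) {
		efftrust = mytrust;
		return mytrust;
	}
	if (getSigner() == this && trust == 1) { // inherit trust, but self signed
		trust=0;
		efftrust=0;
		return 0;
	}
	//we must look at the parent certs
	pki_x509 *signer = getSigner();
	pki_x509 *prevsigner = this;
	// trail follows at half speed. Two certificates that name each other
	// as issuer form a loop that the prevsigner test alone never leaves;
	// meeting trail detects that and ends the walk.
	pki_x509 *trail = this;
	bool moveTrail = false;
	while (mytrust==1 && signer != NULL && signer != prevsigner) {
		mytrust = signer->getTrust();
		prevsigner = signer;
		signer = signer->getSigner();
		if (moveTrail) trail = trail->getSigner();
		moveTrail = !moveTrail;
		if (signer == trail) break;
	}

	if (mytrust == 1) mytrust = 0;
	efftrust = mytrust;
	return mytrust;
}

// Return the next CA serial number and advance the counter.
// NOTE(review): serial numbers are handed out sequentially from an int.
int pki_x509::getIncCaSerial() { return caSerial++; }

// Next CA serial number without advancing the counter.
int pki_x509::getCaSerial() { return caSerial; }

// Set the CA serial counter; non-positive values are ignored.
void pki_x509::setCaSerial(int s) { if (s>0) caSerial = s; }

// Number of days configured for CRLs issued by this CA.
int pki_x509::getCrlDays() {return crlDays;}

// Set the CRL day count; non-positive values are ignored.
void pki_x509::setCrlDays(int s){if (s>0) crlDays = s;}

// Name of the template used by this CA.
string pki_x509::getTemplate(){ return caTemplate; }

// Set the CA template name; an empty string is ignored.
void pki_x509::setTemplate(string s) {if (s.length()>0) caTemplate = s; }

// Store a copy of the time of the last issued CRL; NULL is ignored.
// NOTE(review): a previously stored lastCrl is overwritten without being
// freed here - confirm that it is released elsewhere.
void pki_x509::setLastCrl(ASN1_TIME *time)
{
	if (!time) return;
	lastCrl=M_ASN1_TIME_dup(time);
	openssl_error();
}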
