5 #ifndef SQUID_SSL_GADGETS_H
6 #define SQUID_SSL_GADGETS_H
8 #include "base/TidyPointer.h"
9 #include "ssl/crtd_message.h"
11 #if HAVE_OPENSSL_SSL_H
12 #include <openssl/ssl.h>
14 #if HAVE_OPENSSL_TXT_DB_H
15 #include <openssl/txt_db.h>
24 \defgroup SslCrtdSslAPI ssl_crtd SSL api.
25 These functions must not depend on Squid runtime code such as debug()
26 because they are used by ssl_crtd.
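/**
 \ingroup SslCrtdSslAPI
 * Add SSL locking (a.k.a. reference counting) to TidyPointer.
 *
 * A plain TidyPointer only frees what it holds. resetAndLock() additionally
 * adds one OpenSSL reference to the object it takes over, so that the
 * previous owner of that object keeps its own reference.
 *
 * NOTE(review): CRYPTO_add() on a public `references` member together with
 * the CRYPTO_LOCK_* ids is the OpenSSL 1.0.x way of bumping a reference
 * count; OpenSSL 1.1.0 made these structures opaque and offers
 * X509_up_ref()/EVP_PKEY_up_ref() instead. Confirm the supported OpenSSL
 * range before relying on this template.
 */
template <typename T, void (*DeAllocator)(T *t), int lock>
class LockingPointer: public TidyPointer<T, DeAllocator>
{
public:
    typedef TidyPointer<T, DeAllocator> Parent;

    /// Hold t (which may be NULL) without touching its reference count.
    LockingPointer(T *t = NULL): Parent(t) {
    }

    /**
     * Hand the held pointer over to the parent's reset() and take t, adding
     * one reference to t. Passing the pointer that is already held is a
     * no-op; passing NULL only resets.
     * \param t object to share, or NULL
     */
    void resetAndLock(T *t) {
        if (t != this->get()) {
            this->reset(t);
            // NULL must not be dereferenced for its reference count
            if (t)
                CRYPTO_add(&t->references, 1, lock);
        }
    }
};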
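// Macro to be used to define the C++ equivalent function of an extern "C"
// function. The C++ function is suffixed with the _cpp extension and simply
// forwards its single argument to the C function; this yields a deallocator
// with C++ linkage that can be used as a TidyPointer template argument.
#define CtoCpp1(function, argument) \
        extern "C++" inline void function ## _cpp(argument a) { \
            function(a); \
        }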
/**
 \ingroup SslCrtdSslAPI
 * TidyPointer typedefs for common SSL objects.
 *
 * Every OpenSSL *_free() function is first wrapped by CtoCpp1 so that a
 * C++-linkage deallocator exists to pass as a template argument.
 * X509 and EVP_PKEY objects get a LockingPointer (reference-count aware,
 * see resetAndLock()); all other objects use a plain TidyPointer and are
 * freed outright when the pointer goes away.
 */
CtoCpp1(X509_free, X509 *)
typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;

// sk_X509_free() releases the stack structure only, not the certificates it
// holds; a X509_STACK_Pointer therefore does not own the individual X509s.
CtoCpp1(sk_X509_free, STACK_OF(X509) *)
typedef TidyPointer<STACK_OF(X509), sk_X509_free_cpp> X509_STACK_Pointer;

CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;

CtoCpp1(BN_free, BIGNUM *)
typedef TidyPointer<BIGNUM, BN_free_cpp> BIGNUM_Pointer;

CtoCpp1(BIO_free, BIO *)
typedef TidyPointer<BIO, BIO_free_cpp> BIO_Pointer;

CtoCpp1(ASN1_INTEGER_free, ASN1_INTEGER *)
typedef TidyPointer<ASN1_INTEGER, ASN1_INTEGER_free_cpp> ASN1_INT_Pointer;

CtoCpp1(TXT_DB_free, TXT_DB *)
typedef TidyPointer<TXT_DB, TXT_DB_free_cpp> TXT_DB_Pointer;

CtoCpp1(X509_NAME_free, X509_NAME *)
typedef TidyPointer<X509_NAME, X509_NAME_free_cpp> X509_NAME_Pointer;

CtoCpp1(RSA_free, RSA *)
typedef TidyPointer<RSA, RSA_free_cpp> RSA_Pointer;

CtoCpp1(X509_REQ_free, X509_REQ *)
typedef TidyPointer<X509_REQ, X509_REQ_free_cpp> X509_REQ_Pointer;

CtoCpp1(SSL_CTX_free, SSL_CTX *)
typedef TidyPointer<SSL_CTX, SSL_CTX_free_cpp> SSL_CTX_Pointer;

CtoCpp1(SSL_free, SSL *)
typedef TidyPointer<SSL, SSL_free_cpp> SSL_Pointer;
/**
 \ingroup SslCrtdSslAPI
 * Create a 1024-bit RSA key.
 * \return the newly generated key; the caller owns it. Presumably NULL when
 *         generation fails — confirm against the implementation.
 *
 * NOTE(review): 1024-bit RSA is below the 2048-bit minimum that current
 * guidance and most TLS clients require; confirm the key size actually used
 * by the implementation before issuing certificates signed with it.
 */
EVP_PKEY * createSslPrivateKey();
/**
 \ingroup SslCrtdSslAPI
 * Write private key and SSL certificate to memory.
 * \param cert the certificate to serialise
 * \param pkey the private key to serialise
 * \param bufferToWrite receives the serialised data (the encoding, presumably
 *        PEM, is not stated here — confirm against the implementation)
 * \return true on success, false otherwise
 *
 * After a successful call bufferToWrite holds the unencrypted private key;
 * callers should not log it or keep it longer than needed.
 */
bool writeCertAndPrivateKeyToMemory(X509_Pointer const & cert, EVP_PKEY_Pointer const & pkey, std::string & bufferToWrite);
/**
 \ingroup SslCrtdSslAPI
 * Append the SSL certificate to bufferToWrite (existing contents are kept).
 * \param cert the certificate to serialise
 * \param bufferToWrite buffer the serialised certificate is appended to
 * \return true on success, false otherwise
 */
bool appendCertToMemory(X509_Pointer const & cert, std::string & bufferToWrite);
/**
 \ingroup SslCrtdSslAPI
 * Write private key and SSL certificate to file.
 * \param cert the certificate to write
 * \param pkey the private key to write
 * \param filename path of the file to write
 * \return true on success, false otherwise
 *
 * NOTE(review): the file ends up containing the private key; confirm that the
 * implementation creates it with owner-only permissions.
 */
bool writeCertAndPrivateKeyToFile(X509_Pointer const & cert, EVP_PKEY_Pointer const & pkey, char const * filename);
/**
 \ingroup SslCrtdSslAPI
 * Read private key and SSL certificate from memory.
 * \param cert receives the parsed certificate
 * \param pkey receives the parsed private key
 * \param bufferToRead NUL-terminated buffer holding the serialised data
 *        (the expected encoding is not stated here — confirm against the
 *        implementation; writeCertAndPrivateKeyToMemory() is its counterpart)
 * \return true on success, false otherwise
 */
bool readCertAndPrivateKeyFromMemory(X509_Pointer & cert, EVP_PKEY_Pointer & pkey, char const * bufferToRead);
/**
 \ingroup SslCrtdSslAPI
 * Read an SSL certificate from memory.
 * \param cert receives the parsed certificate
 * \param bufferToRead NUL-terminated buffer holding the serialised certificate
 * \return true on success, false otherwise
 */
bool readCertFromMemory(X509_Pointer & cert, char const * bufferToRead);
/**
 \ingroup SslCrtdSslAPI
 * Supported certificate signing algorithms.
 * The values double as indexes into CertSignAlgorithmStr. algSignEnd is not
 * an algorithm: it is the one-past-the-last sentinel used for range checks.
 */
enum CertSignAlgorithm {algSignTrusted = 0, algSignUntrusted, algSignSelf, algSignEnd};
/**
 \ingroup SslCrtdSslAPI
 * Short names for certificate signing algorithms, indexed by CertSignAlgorithm.
 * Defined elsewhere; the lookup helpers stop at algSignEnd or at the first
 * NULL entry, whichever comes first.
 */
extern const char *CertSignAlgorithmStr[];
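/**
 \ingroup SslCrtdSslAPI
 * Return the short name of the signing algorithm "sg".
 * \param sg a CertSignAlgorithm value, taken as int so that values parsed
 *           from external input can be range-checked here
 * \return the short name, or NULL when sg is outside [0, algSignEnd)
 */
inline const char *certSignAlgorithm(int sg)
{
    if (sg >= 0 && sg < Ssl::algSignEnd)
        return Ssl::CertSignAlgorithmStr[sg];

    // out of range: make every path return a value
    return NULL;
}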
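/**
 \ingroup SslCrtdSslAPI
 * Return the id of the signing algorithm "sg".
 * \param sg short name to look up; NULL is treated as an unknown name
 * \return the matching CertSignAlgorithm, or algSignEnd when sg is NULL or
 *         names no known algorithm
 */
inline CertSignAlgorithm certSignAlgorithmId(const char *sg)
{
    // strcmp() on a NULL name would be undefined behaviour; report "unknown"
    if (sg == NULL)
        return algSignEnd;

    for (int i = 0; i < algSignEnd && Ssl::CertSignAlgorithmStr[i] != NULL; i++)
        if (strcmp(Ssl::CertSignAlgorithmStr[i], sg) == 0)
            return (CertSignAlgorithm)i;

    return algSignEnd;
}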
/**
 \ingroup SslCrtdSslAPI
 * Supported certificate adaptation algorithms.
 * The values double as indexes into CertAdaptAlgorithmStr. algSetEnd is not
 * an algorithm: it is the one-past-the-last sentinel used for range checks.
 */
enum CertAdaptAlgorithm {algSetValidAfter = 0, algSetValidBefore, algSetCommonName, algSetEnd};
/**
 \ingroup SslCrtdSslAPI
 * Short names for certificate adaptation algorithms, indexed by
 * CertAdaptAlgorithm. Defined elsewhere; expected to hold algSetEnd entries.
 */
extern const char *CertAdaptAlgorithmStr[];
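/**
 \ingroup SslCrtdSslAPI
 * Return the short name of the adaptation algorithm "alg".
 * (The historical "Algoritm" spelling of the name is kept because callers
 * depend on it.)
 * \param alg a CertAdaptAlgorithm value, taken as int so that values parsed
 *            from external input can be range-checked here
 * \return the short name, or NULL when alg is outside [0, algSetEnd)
 */
inline const char *sslCertAdaptAlgoritm(int alg)
{
    if (alg >= 0 && alg < Ssl::algSetEnd)
        return Ssl::CertAdaptAlgorithmStr[alg];

    // out of range: make every path return a value
    return NULL;
}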
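/**
 \ingroup SslCrtdSslAPI
 * Simple struct to pass certificate generation parameters to the
 * generateSslCertificate() function.
 *
 * Copying is disabled: the copy constructor and copy assignment operator are
 * private, so a CertificateProperties is passed by reference.
 */
class CertificateProperties
{
public:
    CertificateProperties();
    X509_Pointer mimicCert; ///< Certificate to mimic
    X509_Pointer signWithX509; ///< Certificate to sign the generated request
    EVP_PKEY_Pointer signWithPkey; ///< The key of the signing certificate
    bool setValidAfter; ///< Do not mimic the "Not Valid After" field
    bool setValidBefore; ///< Do not mimic the "Not Valid Before" field
    bool setCommonName; ///< Replace the CN field of the mimicked subject with commonName
    std::string commonName; ///< A CN to use for the generated certificate
    CertSignAlgorithm signAlgorithm; ///< The signing algorithm to use
    /// Returns certificate database primary key. New fake certificates
    /// purge old fake certificates with the same key.
    /// NOTE(review): a non-const reference returned from a const method
    /// cannot refer to a member — presumably static storage, so the
    /// reference is only valid until the next call; confirm against the
    /// implementation before holding on to it.
    std::string & dbKey() const;
private:
    CertificateProperties(CertificateProperties &);
    CertificateProperties &operator =(CertificateProperties const &);
};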
/**
 \ingroup SslCrtdSslAPI
 * Decide on the kind of certificate and generate a CA- or self-signed one.
 * The generated certificate inherits properties from properties.mimicCert,
 * adapted as the flags in properties request.
 * \param cert receives the generated certificate
 * \param pkey receives the generated private key
 * \param properties what to mimic, what to override and how to sign
 * \return true on success, false otherwise
 */
bool generateSslCertificate(X509_Pointer & cert, EVP_PKEY_Pointer & pkey, CertificateProperties const &properties);
/**
 \ingroup SslCrtdSslAPI
 * Read a private key from file. Make sure that the file is not encrypted.
 * \param keyFilename path of the key file
 * \param passwd_callback optional password callback; with the default NULL
 *        an encrypted key cannot be read unattended (OpenSSL would presumably
 *        fall back to its own prompting callback — confirm for the build)
 * \return the key (caller owns it); presumably NULL on failure — confirm
 *         against the implementation
 */
EVP_PKEY * readSslPrivateKey(char const * keyFilename, pem_password_cb *passwd_callback = NULL);
/**
 \ingroup SslCrtdSslAPI
 * Read certificate and private key from files.
 * \param cert receives the certificate
 * \param pkey receives the private key
 * \param certFilename name of file with certificate.
 * \param keyFilename name of file with private key.
 *
 * Returns void, so failure cannot be reported through the return value;
 * callers should check cert and pkey for NULL afterwards — presumably that is
 * how a failed read shows up, confirm against the implementation.
 */
void readCertAndPrivateKeyFromFiles(X509_Pointer & cert, EVP_PKEY_Pointer & pkey, char const * certFilename, char const * keyFilename);
/**
 \ingroup SslCrtdSslAPI
 * Verify a date given in ASN1_UTCTIME format.
 * \param date the date string to check
 * \return presumably true when the date lies in the future; what an
 *         unparsable date yields is not stated here — confirm against the
 *         implementation before using the result for validity decisions
 */
bool sslDateIsInTheFuture(char const * date);
/**
 \ingroup SslCrtdSslAPI
 * Check whether the major fields of a certificate match the properties given
 * by a CertificateProperties object.
 * \param peer_cert the certificate to compare
 * \param properties the expected properties
 * \return true if the certificate matches, false otherwise.
 */
bool certificateMatchesProperties(X509 *peer_cert, CertificateProperties const &properties);
/**
 \ingroup ServerProtocolSSLAPI
 * Returns the CN from the certificate, suitable for use as a host name.
 * Uses static memory to temporarily store the extracted name: the returned
 * pointer is overwritten by the next call and the function is not reentrant,
 * so copy the value before calling again.
 * The CN is whatever the certificate's issuer put there; callers must still
 * treat it as untrusted input.
 * \param x509 the certificate to read
 * \return pointer to the static buffer holding the CN
 */
const char *CommonHostName(X509 *x509);
/**
 \ingroup ServerProtocolSSLAPI
 * Returns the Organization from the certificate.
 * Uses static memory to temporarily store the extracted name: the returned
 * pointer is overwritten by the next call and the function is not reentrant,
 * so copy the value before calling again.
 * \param x509 the certificate to read
 * \return pointer to the static buffer holding the Organization
 */
const char *getOrganization(X509 *x509);
274 #endif // SQUID_SSL_GADGETS_H