TAO_SSLIOP: SSLIOP_Credentials.cpp Source File

00001 #include "orbsvcs/SSLIOP/SSLIOP_Credentials.h"
00002 
00003 #include "tao/ORB_Constants.h"
00004 
00005 #include "ace/SString.h"
00006 
00007 
00008 ACE_RCSID (SSLIOP,
00009            SSLIOP_Credentials,
00010            "$Id: SSLIOP_Credentials.cpp 77001 2007-02-12 07:54:49Z johnnyw $")
00011 
00012 
00013 #if !defined (__ACE_INLINE__)
00014 # include "orbsvcs/SSLIOP/SSLIOP_Credentials.inl"
00015 #endif /* __ACE_INLINE__ */
00016 
00017 TAO_BEGIN_VERSIONED_NAMESPACE_DECL
00018 
00019 TAO::SSLIOP_Credentials::SSLIOP_Credentials (::X509 *cert, ::EVP_PKEY *evp)
00020   : x509_ (TAO::SSLIOP::OpenSSL_traits< ::X509 >::_duplicate (cert)),
00021     evp_ (TAO::SSLIOP::OpenSSL_traits< ::EVP_PKEY >::_duplicate (evp)),
00022     id_ (),
00023     creds_usage_ (SecurityLevel3::CU_Indefinite),
00024     expiry_time_ (),
00025     creds_state_ (SecurityLevel3::CS_Invalid)
00026 {
00027   ::X509 *x = cert;
00028 
00029   if (x != 0)
00030     {
00031       // We use the X.509 certificate's serial number as the
00032       // credentials Id.
00033       BIGNUM * bn = ASN1_INTEGER_to_BN (::X509_get_serialNumber (x), 0);
00034       if (BN_is_zero (bn))
00035         this->id_ = CORBA::string_dup ("X509: 00");
00036       else
00037         {
00038           char * id = BN_bn2hex (bn);
00039 
00040           ACE_CString s =
00041             ACE_CString ("X509: ")
00042             + ACE_CString (const_cast<const char *> (id));
00043 
00044           this->id_ = CORBA::string_dup (s.c_str ());
00045 
00046 #ifdef OPENSSL_free
00047           OPENSSL_free (id);
00048 #else
00049           // Older versions of OpenSSL didn't define the OpenSSL
00050           // macro.
00051           CRYPTO_free (id);
00052 #endif  /* OPENSSL_free */
00053         }
00054 
00055       // -------------------------------------------
00056 
00057       TimeBase::UtcT & t = this->expiry_time_;
00058 
00059       const ASN1_TIME * exp = X509_get_notAfter (x);
00060 
00061       if (exp->length > ACE_SIZEOF_LONG_LONG)
00062         {
00063           // @@ Will this ever happen?
00064 
00065           // Overflow!
00066           t.time = ACE_UINT64_LITERAL (0xffffffffffffffff);
00067         }
00068       else
00069         {
00070           t.time = 0;
00071           for (int i = 0; i < exp->length; ++i)
00072             {
00073               t.time <<= 8;
00074               t.time |= (unsigned char) exp->data[i];
00075             }
00076         }
00077     }
00078 }
00079 
00080 TAO::SSLIOP_Credentials::~SSLIOP_Credentials (void)
00081 {
00082 }
00083 
00084 char *
00085 TAO::SSLIOP_Credentials::creds_id (void)
00086 {
00087   return CORBA::string_dup (this->id_.in ());
00088 }
00089 
00090 SecurityLevel3::CredentialsUsage
00091 TAO::SSLIOP_Credentials::creds_usage (void)
00092 {
00093   return SecurityLevel3::CU_Indefinite;
00094 }
00095 
00096 TimeBase::UtcT
00097 TAO::SSLIOP_Credentials::expiry_time (void)
00098 {
00099   return this->expiry_time_;
00100 }
00101 
00102 SecurityLevel3::CredentialsState
00103 TAO::SSLIOP_Credentials::creds_state (void)
00104 {
00105   const ::X509 *x = this->x509_.in ();
00106 
00107   // The pointer to the underlying X509 structure should only be zero
00108   // if destroy() was called on this Credentials object.
00109   if (x == 0)
00110     throw CORBA::BAD_OPERATION ();
00111 
00112   if (this->creds_state_ == SecurityLevel3::CS_Valid)
00113     {
00114       // Make sure the X.509 certificate is still valid.
00115 
00116       const int after_status =
00117         ::X509_cmp_current_time (X509_get_notAfter (x));
00118 
00119       if (after_status == 0)
00120         {
00121           // Error in certificate's "not after" field.
00122           throw CORBA::BAD_PARAM ();
00123         }
00124       else if (after_status > 0)     // Certificate has expired.
00125         this->creds_state_ = SecurityLevel3::CS_Expired;
00126     }
00127   else if (this->creds_state_ == SecurityLevel3::CS_Invalid)
00128     {
00129       // Check if the X.509 certificate has become valid.
00130 
00131       const int before_status =
00132         ::X509_cmp_current_time (X509_get_notBefore (x));
00133 
00134       if (before_status == 0)
00135         {
00136           // Error in certificate's "not before" field.
00137           throw CORBA::BAD_PARAM ();
00138         }
00139       else if (before_status < 0)     // Certificate is now valid.
00140         this->creds_state_ = SecurityLevel3::CS_Valid;
00141     }
00142 
00143   return this->creds_state_;
00144 }
00145 
00146 char *
00147 TAO::SSLIOP_Credentials::add_relinquished_listener (
00148     SecurityLevel3::RelinquishedCredentialsListener_ptr /* listener */)
00149 {
00150   throw CORBA::NO_IMPLEMENT ();
00151 }
00152 
00153 void
00154 TAO::SSLIOP_Credentials::remove_relinquished_listener (const char * /* id */)
00155 {
00156   throw CORBA::NO_IMPLEMENT ();
00157 }
00158 
00159 bool
00160 TAO::SSLIOP_Credentials::operator== (const TAO::SSLIOP_Credentials &rhs)
00161 {
00162   ::X509 * xa = this->x509_.in ();
00163   ::X509 * xb = rhs.x509_.in ();
00164   // EVP_PKEY *ea = this->evp_.in ();
00165   // EVP_PKEY *eb = rhs.evp_.in ();
00166 
00167   // No need for a full blown ACE_TRY/CATCH block.
00168 
00169   const SecurityLevel3::CredentialsType lct =
00170     this->creds_type ();
00171 
00172   const SecurityLevel3::CredentialsType rct =
00173     const_cast<TAO::SSLIOP_Credentials &> (rhs).creds_type ();
00174 
00175   // Don't bother check the creds_id and expiry_time attributes.  They
00176   // are checked implicitly by the below X509_cmp() call.
00177   //
00178   // Additionally, the creds_state attribute is not included in the
00179   // check since it is not considered important when distinguishing
00180   // between two Credentials.
00181 
00182   return
00183     lct == rct
00184     && this->creds_usage_ == rhs.creds_usage_
00185     && ((xa == xb) || (xa != 0 && xb != 0 && ::X509_cmp (xa, xb) == 0))
00186 //     && ((ea == eb) || (ea != 0 && eb != 0 && ::EVP_PKEY_cmp (ea, eb) == 0))
00187     ;
00188 }
00189 
00190 CORBA::ULong
00191 TAO::SSLIOP_Credentials::hash (void) const
00192 {
00193   ::X509 * x509 = this->x509_.in ();
00194 
00195   return (x509 == 0 ? 0 : ::X509_issuer_name_hash (x509));
00196 }
00197 
00198 TAO::SSLIOP::Credentials_ptr
00199 TAO::SSLIOP_Credentials::_narrow (CORBA::Object_ptr obj)
00200 {
00201   return  TAO::SSLIOP_Credentials::_duplicate (
00202               dynamic_cast<TAO::SSLIOP_Credentials *> (obj));
00203 }
00204 
00205 TAO::SSLIOP::Credentials_ptr
00206 TAO::SSLIOP_Credentials::_duplicate (TAO::SSLIOP::Credentials_ptr obj)
00207 {
00208   if (!CORBA::is_nil (obj))
00209     obj->_add_ref ();
00210 
00211   return obj;
00212 }
00213 
00214 // -----------------------------------------------------------
00215 
00216 TAO::SSLIOP::Credentials_ptr
00217 tao_TAO_SSLIOP_Credentials_duplicate (TAO::SSLIOP::Credentials_ptr p)
00218 {
00219   return TAO::SSLIOP_Credentials::_duplicate (p);
00220 }
00221 
00222 void
00223 tao_TAO_SSLIOP_Credentials_release (TAO::SSLIOP::Credentials_ptr p)
00224 {
00225   CORBA::release (p);
00226 }
00227 
00228 TAO::SSLIOP::Credentials_ptr
00229 tao_TAO_SSLIOP_Credentials_nil (void)
00230 {
00231   return TAO::SSLIOP_Credentials::_nil ();
00232 }
00233 
00234 TAO::SSLIOP::Credentials_ptr
00235 tao_TAO_SSLIOP_Credentials_narrow (CORBA::Object *p)
00236 {
00237   return TAO::SSLIOP_Credentials::_narrow (p);
00238 }
00239 
00240 CORBA::Object_ptr
00241 tao_TAO_SSLIOP_Credentials_upcast (void *src)
00242 {
00243   TAO::SSLIOP_Credentials **tmp =
00244     static_cast<TAO::SSLIOP_Credentials **> (src);
00245 
00246   return *tmp;
00247 }
00248 
00249 TAO_END_VERSIONED_NAMESPACE_DECL