TAO_SSLIOP: SSLIOP_Credentials.cpp Source File

00001 #include "orbsvcs/SSLIOP/SSLIOP_Credentials.h"
00002 
00003 #include "tao/ORB_Constants.h"
00004 
00005 #include "ace/SString.h"
00006 
00007 
00008 ACE_RCSID (SSLIOP,
00009            SSLIOP_Credentials,
00010            "$Id: SSLIOP_Credentials.cpp 80425 2008-01-14 14:10:19Z vzykov $")
00011 
00012 
00013 #if !defined (__ACE_INLINE__)
00014 # include "orbsvcs/SSLIOP/SSLIOP_Credentials.inl"
00015 #endif /* __ACE_INLINE__ */
00016 
00017 TAO_BEGIN_VERSIONED_NAMESPACE_DECL
00018 
00019 TAO::SSLIOP_Credentials::SSLIOP_Credentials (::X509 *cert, ::EVP_PKEY *evp)
00020   : x509_ (TAO::SSLIOP::OpenSSL_traits< ::X509 >::_duplicate (cert)),
00021     evp_ (TAO::SSLIOP::OpenSSL_traits< ::EVP_PKEY >::_duplicate (evp)),
00022     id_ (),
00023     creds_usage_ (SecurityLevel3::CU_Indefinite),
00024     expiry_time_ (),
00025     creds_state_ (SecurityLevel3::CS_Invalid)
00026 {
00027   ::X509 *x = cert;
00028 
00029   if (x != 0)
00030     {
00031       // We use the X.509 certificate's serial number as the
00032       // credentials Id.
00033       BIGNUM * bn = ASN1_INTEGER_to_BN (::X509_get_serialNumber (x), 0);
00034       if (BN_is_zero (bn))
00035         this->id_ = CORBA::string_dup ("X509: 00");
00036       else
00037         {
00038           char * id = BN_bn2hex (bn);
00039 
00040           ACE_CString s =
00041             ACE_CString ("X509: ")
00042             + ACE_CString (const_cast<const char *> (id));
00043 
00044           this->id_ = CORBA::string_dup (s.c_str ());
00045 
00046 #ifdef OPENSSL_free
00047           OPENSSL_free (id);
00048 #else
00049           // Older versions of OpenSSL didn't define the OpenSSL
00050           // macro.
00051           CRYPTO_free (id);
00052 #endif  /* OPENSSL_free */
00053         }
00054       BN_free (bn);
00055 
00056       // -------------------------------------------
00057 
00058       TimeBase::UtcT & t = this->expiry_time_;
00059 
00060       const ASN1_TIME * exp = X509_get_notAfter (x);
00061 
00062       if (exp->length > ACE_SIZEOF_LONG_LONG)
00063         {
00064           // @@ Will this ever happen?
00065 
00066           // Overflow!
00067           t.time = ACE_UINT64_LITERAL (0xffffffffffffffff);
00068         }
00069       else
00070         {
00071           t.time = 0;
00072           for (int i = 0; i < exp->length; ++i)
00073             {
00074               t.time <<= 8;
00075               t.time |= (unsigned char) exp->data[i];
00076             }
00077         }
00078     }
00079 }
00080 
00081 TAO::SSLIOP_Credentials::~SSLIOP_Credentials (void)
00082 {
00083 }
00084 
00085 char *
00086 TAO::SSLIOP_Credentials::creds_id (void)
00087 {
00088   return CORBA::string_dup (this->id_.in ());
00089 }
00090 
00091 SecurityLevel3::CredentialsUsage
00092 TAO::SSLIOP_Credentials::creds_usage (void)
00093 {
00094   return SecurityLevel3::CU_Indefinite;
00095 }
00096 
00097 TimeBase::UtcT
00098 TAO::SSLIOP_Credentials::expiry_time (void)
00099 {
00100   return this->expiry_time_;
00101 }
00102 
00103 SecurityLevel3::CredentialsState
00104 TAO::SSLIOP_Credentials::creds_state (void)
00105 {
00106   const ::X509 *x = this->x509_.in ();
00107 
00108   // The pointer to the underlying X509 structure should only be zero
00109   // if destroy() was called on this Credentials object.
00110   if (x == 0)
00111     throw CORBA::BAD_OPERATION ();
00112 
00113   if (this->creds_state_ == SecurityLevel3::CS_Valid)
00114     {
00115       // Make sure the X.509 certificate is still valid.
00116 
00117       const int after_status =
00118         ::X509_cmp_current_time (X509_get_notAfter (x));
00119 
00120       if (after_status == 0)
00121         {
00122           // Error in certificate's "not after" field.
00123           throw CORBA::BAD_PARAM ();
00124         }
00125       else if (after_status > 0)     // Certificate has expired.
00126         this->creds_state_ = SecurityLevel3::CS_Expired;
00127     }
00128   else if (this->creds_state_ == SecurityLevel3::CS_Invalid)
00129     {
00130       // Check if the X.509 certificate has become valid.
00131 
00132       const int before_status =
00133         ::X509_cmp_current_time (X509_get_notBefore (x));
00134 
00135       if (before_status == 0)
00136         {
00137           // Error in certificate's "not before" field.
00138           throw CORBA::BAD_PARAM ();
00139         }
00140       else if (before_status < 0)     // Certificate is now valid.
00141         this->creds_state_ = SecurityLevel3::CS_Valid;
00142     }
00143 
00144   return this->creds_state_;
00145 }
00146 
00147 char *
00148 TAO::SSLIOP_Credentials::add_relinquished_listener (
00149     SecurityLevel3::RelinquishedCredentialsListener_ptr /* listener */)
00150 {
00151   throw CORBA::NO_IMPLEMENT ();
00152 }
00153 
00154 void
00155 TAO::SSLIOP_Credentials::remove_relinquished_listener (const char * /* id */)
00156 {
00157   throw CORBA::NO_IMPLEMENT ();
00158 }
00159 
00160 bool
00161 TAO::SSLIOP_Credentials::operator== (const TAO::SSLIOP_Credentials &rhs)
00162 {
00163   ::X509 * xa = this->x509_.in ();
00164   ::X509 * xb = rhs.x509_.in ();
00165   // EVP_PKEY *ea = this->evp_.in ();
00166   // EVP_PKEY *eb = rhs.evp_.in ();
00167 
00168   // No need for a full blown ACE_TRY/CATCH block.
00169 
00170   const SecurityLevel3::CredentialsType lct =
00171     this->creds_type ();
00172 
00173   const SecurityLevel3::CredentialsType rct =
00174     const_cast<TAO::SSLIOP_Credentials &> (rhs).creds_type ();
00175 
00176   // Don't bother check the creds_id and expiry_time attributes.  They
00177   // are checked implicitly by the below X509_cmp() call.
00178   //
00179   // Additionally, the creds_state attribute is not included in the
00180   // check since it is not considered important when distinguishing
00181   // between two Credentials.
00182 
00183   return
00184     lct == rct
00185     && this->creds_usage_ == rhs.creds_usage_
00186     && ((xa == xb) || (xa != 0 && xb != 0 && ::X509_cmp (xa, xb) == 0))
00187 //     && ((ea == eb) || (ea != 0 && eb != 0 && ::EVP_PKEY_cmp (ea, eb) == 0))
00188     ;
00189 }
00190 
00191 CORBA::ULong
00192 TAO::SSLIOP_Credentials::hash (void) const
00193 {
00194   ::X509 * x509 = this->x509_.in ();
00195 
00196   return (x509 == 0 ? 0 : ::X509_issuer_name_hash (x509));
00197 }
00198 
00199 TAO::SSLIOP::Credentials_ptr
00200 TAO::SSLIOP_Credentials::_narrow (CORBA::Object_ptr obj)
00201 {
00202   return  TAO::SSLIOP_Credentials::_duplicate (
00203               dynamic_cast<TAO::SSLIOP_Credentials *> (obj));
00204 }
00205 
00206 TAO::SSLIOP::Credentials_ptr
00207 TAO::SSLIOP_Credentials::_duplicate (TAO::SSLIOP::Credentials_ptr obj)
00208 {
00209   if (!CORBA::is_nil (obj))
00210     obj->_add_ref ();
00211 
00212   return obj;
00213 }
00214 
00215 // -----------------------------------------------------------
00216 
00217 TAO::SSLIOP::Credentials_ptr
00218 tao_TAO_SSLIOP_Credentials_duplicate (TAO::SSLIOP::Credentials_ptr p)
00219 {
00220   return TAO::SSLIOP_Credentials::_duplicate (p);
00221 }
00222 
00223 void
00224 tao_TAO_SSLIOP_Credentials_release (TAO::SSLIOP::Credentials_ptr p)
00225 {
00226   CORBA::release (p);
00227 }
00228 
00229 TAO::SSLIOP::Credentials_ptr
00230 tao_TAO_SSLIOP_Credentials_nil (void)
00231 {
00232   return TAO::SSLIOP_Credentials::_nil ();
00233 }
00234 
00235 TAO::SSLIOP::Credentials_ptr
00236 tao_TAO_SSLIOP_Credentials_narrow (CORBA::Object *p)
00237 {
00238   return TAO::SSLIOP_Credentials::_narrow (p);
00239 }
00240 
00241 CORBA::Object_ptr
00242 tao_TAO_SSLIOP_Credentials_upcast (void *src)
00243 {
00244   TAO::SSLIOP_Credentials **tmp =
00245     static_cast<TAO::SSLIOP_Credentials **> (src);
00246 
00247   return *tmp;
00248 }
00249 
00250 TAO_END_VERSIONED_NAMESPACE_DECL