Ring Daemon 16.0.0
Loading...
Searching...
No Matches
tlsvalidator.cpp
Go to the documentation of this file.
1/*
2 * Copyright (C) 2004-2025 Savoir-faire Linux Inc.
3 *
4 * This program is free software: you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation, either version 3 of the License, or
7 * (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program. If not, see <https://www.gnu.org/licenses/>.
16 */
17
18#include "tlsvalidator.h"
19
20#ifdef HAVE_CONFIG_H
21#include "config.h"
22#endif
23
24#include <opendht/infohash.h> // for toHex
25#include <dhtnet/certstore.h>
26
27#include "fileutils.h"
28#include "logger.h"
29#include "security_const.h"
30
31#include <sstream>
32#include <iomanip>
33
34#include <cstdio>
35#include <cerrno>
36#include <cassert>
37#include <ctime>
38
39#include <sys/types.h>
40#include <sys/stat.h>
41
42#ifndef _MSC_VER
43#include <libgen.h>
44#endif
45
46#ifndef _WIN32
47#include <sys/socket.h>
48#include <netinet/tcp.h>
49#include <netinet/in.h>
50#include <netdb.h>
51#else
52#ifndef _MSC_VER
53#define close(x) closesocket(x)
54#endif
55#endif
56#include <unistd.h>
57#include <fcntl.h>
58
59#ifdef _MSC_VER
60#include "windirent.h"
61#endif
62
63namespace jami {
64namespace tls {
65
66// Map the internal ring Enum class of the exported names
67
68const EnumClassNames<TlsValidator::CheckValues> TlsValidator::CheckValuesNames = {{
69 /* CheckValues Name */
70 /* PASSED */ libjami::Certificate::CheckValuesNames::PASSED,
71 /* FAILED */ libjami::Certificate::CheckValuesNames::FAILED,
72 /* UNSUPPORTED */ libjami::Certificate::CheckValuesNames::UNSUPPORTED,
73 /* ISO_DATE */ libjami::Certificate::CheckValuesNames::ISO_DATE,
74 /* CUSTOM */ libjami::Certificate::CheckValuesNames::CUSTOM,
75 /* CUSTOM */ libjami::Certificate::CheckValuesNames::DATE,
76}};
77
78const CallbackMatrix1D<TlsValidator::CertificateCheck, TlsValidator, TlsValidator::CheckResult>
79 TlsValidator::checkCallback = {{
80 /* CertificateCheck Callback */
81 /*HAS_PRIVATE_KEY */ &TlsValidator::hasPrivateKey,
82 /*EXPIRED */ &TlsValidator::notExpired,
83 /*STRONG_SIGNING */ &TlsValidator::strongSigning,
84 /*NOT_SELF_SIGNED */ &TlsValidator::notSelfSigned,
85 /*KEY_MATCH */ &TlsValidator::keyMatch,
86 /*PRIVATE_KEY_STORAGE_PERMISSION */ &TlsValidator::privateKeyStoragePermissions,
87 /*PUBLIC_KEY_STORAGE_PERMISSION */ &TlsValidator::publicKeyStoragePermissions,
88 /*PRIVATEKEY_DIRECTORY_PERMISSIONS */ &TlsValidator::privateKeyDirectoryPermissions,
89 /*PUBLICKEY_DIRECTORY_PERMISSIONS */ &TlsValidator::publicKeyDirectoryPermissions,
90 /*PRIVATE_KEY_STORAGE_LOCATION */ &TlsValidator::privateKeyStorageLocation,
91 /*PUBLIC_KEY_STORAGE_LOCATION */ &TlsValidator::publicKeyStorageLocation,
92 /*PRIVATE_KEY_SELINUX_ATTRIBUTES */ &TlsValidator::privateKeySelinuxAttributes,
93 /*PUBLIC_KEY_SELINUX_ATTRIBUTES */ &TlsValidator::publicKeySelinuxAttributes,
94 /*EXIST */ &TlsValidator::exist,
95 /*VALID */ &TlsValidator::valid,
96 /*VALID_AUTHORITY */ &TlsValidator::validAuthority,
97 /*KNOWN_AUTHORITY */ &TlsValidator::knownAuthority,
98 /*NOT_REVOKED */ &TlsValidator::notRevoked,
99 /*AUTHORITY_MISMATCH */ &TlsValidator::authorityMatch,
100 /*UNEXPECTED_OWNER */ &TlsValidator::expectedOwner,
101 /*NOT_ACTIVATED */ &TlsValidator::activated,
102 }};
103
104const CallbackMatrix1D<TlsValidator::CertificateDetails, TlsValidator, TlsValidator::CheckResult>
105 TlsValidator::getterCallback = {{
106 /* EXPIRATION_DATE */ &TlsValidator::getExpirationDate,
107 /* ACTIVATION_DATE */ &TlsValidator::getActivationDate,
108 /* REQUIRE_PRIVATE_KEY_PASSWORD */ &TlsValidator::requirePrivateKeyPassword,
109 /* PUBLIC_SIGNATURE */ &TlsValidator::getPublicSignature,
110 /* VERSION_NUMBER */ &TlsValidator::getVersionNumber,
111 /* SERIAL_NUMBER */ &TlsValidator::getSerialNumber,
112 /* ISSUER */ &TlsValidator::getIssuer,
113 /* SUBJECT_KEY_ALGORITHM */ &TlsValidator::getSubjectKeyAlgorithm,
114 /* SUBJECT_KEY */ &TlsValidator::getSubjectKey,
115 /* CN */ &TlsValidator::getCN,
116 /* UID */ &TlsValidator::getUID,
117 /* N */ &TlsValidator::getN,
118 /* O */ &TlsValidator::getO,
119 /* SIGNATURE_ALGORITHM */ &TlsValidator::getSignatureAlgorithm,
120 /* MD5_FINGERPRINT */ &TlsValidator::getMd5Fingerprint,
121 /* SHA1_FINGERPRINT */ &TlsValidator::getSha1Fingerprint,
122 /* PUBLIC_KEY_ID */ &TlsValidator::getPublicKeyId,
123 /* ISSUER_DN */ &TlsValidator::getIssuerDN,
124 /* ISSUER_CN */ &TlsValidator::getIssuerCN,
125 /* ISSUER_UID */ &TlsValidator::getIssuerUID,
126 /* ISSUER_N */ &TlsValidator::getIssuerN,
127 /* ISSUER_O */ &TlsValidator::getIssuerO,
128 /* NEXT_EXPECTED_UPDATE_DATE */ &TlsValidator::getIssuerDN, // TODO
129 /* OUTGOING_SERVER */ &TlsValidator::outgoingServer,
130 /* IS_CA */ &TlsValidator::isCA,
131 }};
132
133const Matrix1D<TlsValidator::CertificateCheck, TlsValidator::CheckValuesType>
134 TlsValidator::enforcedCheckType = {{
135 /* CertificateCheck Callback */
136 /*HAS_PRIVATE_KEY */ CheckValuesType::BOOLEAN,
137 /*EXPIRED */ CheckValuesType::BOOLEAN,
138 /*STRONG_SIGNING */ CheckValuesType::BOOLEAN,
139 /*NOT_SELF_SIGNED */ CheckValuesType::BOOLEAN,
140 /*KEY_MATCH */ CheckValuesType::BOOLEAN,
141 /*PRIVATE_KEY_STORAGE_PERMISSION */ CheckValuesType::BOOLEAN,
142 /*PUBLIC_KEY_STORAGE_PERMISSION */ CheckValuesType::BOOLEAN,
143 /*PRIVATEKEY_DIRECTORY_PERMISSIONS */ CheckValuesType::BOOLEAN,
144 /*PUBLICKEY_DIRECTORY_PERMISSIONS */ CheckValuesType::BOOLEAN,
145 /*PRIVATE_KEY_STORAGE_LOCATION */ CheckValuesType::BOOLEAN,
146 /*PUBLIC_KEY_STORAGE_LOCATION */ CheckValuesType::BOOLEAN,
147 /*PRIVATE_KEY_SELINUX_ATTRIBUTES */ CheckValuesType::BOOLEAN,
148 /*PUBLIC_KEY_SELINUX_ATTRIBUTES */ CheckValuesType::BOOLEAN,
149 /*EXIST */ CheckValuesType::BOOLEAN,
150 /*VALID */ CheckValuesType::BOOLEAN,
151 /*VALID_AUTHORITY */ CheckValuesType::BOOLEAN,
152 /*KNOWN_AUTHORITY */ CheckValuesType::BOOLEAN,
153 /*NOT_REVOKED */ CheckValuesType::BOOLEAN,
154 /*AUTHORITY_MISMATCH */ CheckValuesType::BOOLEAN,
155 /*UNEXPECTED_OWNER */ CheckValuesType::BOOLEAN,
156 /*NOT_ACTIVATED */ CheckValuesType::BOOLEAN,
157 }};
158
159const EnumClassNames<TlsValidator::CertificateCheck> TlsValidator::CertificateCheckNames = {{
160 /* CertificateCheck Name */
161 /*HAS_PRIVATE_KEY */ libjami::Certificate::ChecksNames::HAS_PRIVATE_KEY,
162 /*EXPIRED */ libjami::Certificate::ChecksNames::EXPIRED,
163 /*STRONG_SIGNING */ libjami::Certificate::ChecksNames::STRONG_SIGNING,
164 /*NOT_SELF_SIGNED */ libjami::Certificate::ChecksNames::NOT_SELF_SIGNED,
165 /*KEY_MATCH */ libjami::Certificate::ChecksNames::KEY_MATCH,
166 /*PRIVATE_KEY_STORAGE_PERMISSION */ libjami::Certificate::ChecksNames::PRIVATE_KEY_STORAGE_PERMISSION,
167 /*PUBLIC_KEY_STORAGE_PERMISSION */ libjami::Certificate::ChecksNames::PUBLIC_KEY_STORAGE_PERMISSION,
168 /*PRIVATEKEY_DIRECTORY_PERMISSIONS */ libjami::Certificate::ChecksNames::PRIVATE_KEY_DIRECTORY_PERMISSIONS,
169 /*PUBLICKEY_DIRECTORY_PERMISSIONS */ libjami::Certificate::ChecksNames::PUBLIC_KEY_DIRECTORY_PERMISSIONS,
170 /*PRIVATE_KEY_STORAGE_LOCATION */ libjami::Certificate::ChecksNames::PRIVATE_KEY_STORAGE_LOCATION,
171 /*PUBLIC_KEY_STORAGE_LOCATION */ libjami::Certificate::ChecksNames::PUBLIC_KEY_STORAGE_LOCATION,
172 /*PRIVATE_KEY_SELINUX_ATTRIBUTES */ libjami::Certificate::ChecksNames::PRIVATE_KEY_SELINUX_ATTRIBUTES,
173 /*PUBLIC_KEY_SELINUX_ATTRIBUTES */ libjami::Certificate::ChecksNames::PUBLIC_KEY_SELINUX_ATTRIBUTES,
174 /*EXIST */ libjami::Certificate::ChecksNames::EXIST,
175 /*VALID */ libjami::Certificate::ChecksNames::VALID,
176 /*VALID_AUTHORITY */ libjami::Certificate::ChecksNames::VALID_AUTHORITY,
177 /*KNOWN_AUTHORITY */ libjami::Certificate::ChecksNames::KNOWN_AUTHORITY,
178 /*NOT_REVOKED */ libjami::Certificate::ChecksNames::NOT_REVOKED,
179 /*AUTHORITY_MISMATCH */ libjami::Certificate::ChecksNames::AUTHORITY_MISMATCH,
180 /*UNEXPECTED_OWNER */ libjami::Certificate::ChecksNames::UNEXPECTED_OWNER,
181 /*NOT_ACTIVATED */ libjami::Certificate::ChecksNames::NOT_ACTIVATED,
182}};
183
184const EnumClassNames<TlsValidator::CertificateDetails> TlsValidator::CertificateDetailsNames = {{
185 /* EXPIRATION_DATE */ libjami::Certificate::DetailsNames::EXPIRATION_DATE,
186 /* ACTIVATION_DATE */ libjami::Certificate::DetailsNames::ACTIVATION_DATE,
187 /* REQUIRE_PRIVATE_KEY_PASSWORD */ libjami::Certificate::DetailsNames::REQUIRE_PRIVATE_KEY_PASSWORD,
188 /* PUBLIC_SIGNATURE */ libjami::Certificate::DetailsNames::PUBLIC_SIGNATURE,
189 /* VERSION_NUMBER */ libjami::Certificate::DetailsNames::VERSION_NUMBER,
190 /* SERIAL_NUMBER */ libjami::Certificate::DetailsNames::SERIAL_NUMBER,
191 /* ISSUER */ libjami::Certificate::DetailsNames::ISSUER,
192 /* SUBJECT_KEY_ALGORITHM */ libjami::Certificate::DetailsNames::SUBJECT_KEY_ALGORITHM,
193 /* SUBJECT_KEY */ libjami::Certificate::DetailsNames::SUBJECT_KEY,
194 /* CN */ libjami::Certificate::DetailsNames::CN,
195 /* UID */ libjami::Certificate::DetailsNames::UID,
196 /* N */ libjami::Certificate::DetailsNames::N,
197 /* O */ libjami::Certificate::DetailsNames::O,
198 /* SIGNATURE_ALGORITHM */ libjami::Certificate::DetailsNames::SIGNATURE_ALGORITHM,
199 /* MD5_FINGERPRINT */ libjami::Certificate::DetailsNames::MD5_FINGERPRINT,
200 /* SHA1_FINGERPRINT */ libjami::Certificate::DetailsNames::SHA1_FINGERPRINT,
201 /* PUBLIC_KEY_ID */ libjami::Certificate::DetailsNames::PUBLIC_KEY_ID,
202 /* ISSUER_DN */ libjami::Certificate::DetailsNames::ISSUER_DN,
203 /* ISSUER_CN */ libjami::Certificate::DetailsNames::ISSUER_CN,
204 /* ISSUER_UID */ libjami::Certificate::DetailsNames::ISSUER_UID,
205 /* ISSUER_N */ libjami::Certificate::DetailsNames::ISSUER_N,
206 /* ISSUER_O */ libjami::Certificate::DetailsNames::ISSUER_O,
207 /* NEXT_EXPECTED_UPDATE_DATE */ libjami::Certificate::DetailsNames::NEXT_EXPECTED_UPDATE_DATE,
208 /* OUTGOING_SERVER */ libjami::Certificate::DetailsNames::OUTGOING_SERVER,
209 /* IS_CA */ libjami::Certificate::DetailsNames::IS_CA,
210
211}};
212
213const EnumClassNames<const TlsValidator::CheckValuesType> TlsValidator::CheckValuesTypeNames = {{
214 /* Type Name */
215 /* BOOLEAN */ libjami::Certificate::ChecksValuesTypesNames::BOOLEAN,
216 /* ISO_DATE */ libjami::Certificate::ChecksValuesTypesNames::ISO_DATE,
217 /* CUSTOM */ libjami::Certificate::ChecksValuesTypesNames::CUSTOM,
218 /* NUMBER */ libjami::Certificate::ChecksValuesTypesNames::NUMBER,
219}};
220
221const Matrix2D<TlsValidator::CheckValuesType, TlsValidator::CheckValues, bool>
222 TlsValidator::acceptedCheckValuesResult = {{
223 /* Type PASSED FAILED UNSUPPORTED ISO_DATE CUSTOM NUMBER */
224 /* BOOLEAN */ {{true, true, true, false, false, false}},
225 /* ISO_DATE */ {{false, false, true, true, false, false}},
226 /* CUSTOM */ {{false, false, true, false, true, false}},
227 /* NUMBER */ {{false, false, true, false, false, true}},
228 }};
229
230TlsValidator::TlsValidator(const dhtnet::tls::CertificateStore& certStore, const std::vector<std::vector<uint8_t>>& crtChain)
231 : TlsValidator(certStore, std::make_shared<dht::crypto::Certificate>(crtChain.begin(), crtChain.end()))
232{}
233
234TlsValidator::TlsValidator(const dhtnet::tls::CertificateStore& certStore,
235 const std::string& certificate,
236 const std::string& privatekey,
237 const std::string& privatekeyPasswd,
238 const std::string& caList)
239 : certStore_(certStore)
240 , certificatePath_(certificate)
241 , privateKeyPath_(privatekey)
242 , caListPath_(caList)
243 , certificateFound_(false)
244{
245 std::vector<uint8_t> certificate_raw;
246 try {
247 certificate_raw = fileutils::loadFile(certificatePath_);
248 certificateFileFound_ = true;
249 } catch (const std::exception& e) {
250 }
251
252 if (not certificate_raw.empty()) {
253 try {
254 x509crt_ = std::make_shared<dht::crypto::Certificate>(certificate_raw);
255 certificateContent_ = x509crt_->getPacked();
256 certificateFound_ = true;
257 } catch (const std::exception& e) {
258 }
259 }
260
261 try {
262 auto privateKeyContent = fileutils::loadFile(privateKeyPath_);
263 dht::crypto::PrivateKey key_tmp(privateKeyContent, privatekeyPasswd);
264 privateKeyFound_ = true;
265 privateKeyPassword_ = not privatekeyPasswd.empty();
266 privateKeyMatch_ = key_tmp.getPublicKey().getId() == x509crt_->getId();
267 } catch (const dht::crypto::DecryptError& d) {
268 // If we encounter a DecryptError, it means the private key exists and is encrypted,
269 // otherwise we would get some other exception.
270 JAMI_WARN("decryption error: %s", d.what());
271 privateKeyFound_ = true;
272 privateKeyPassword_ = true;
273 } catch (const std::exception& e) {
274 JAMI_WARN("creation failed: %s", e.what());
275 }
276}
277
278TlsValidator::TlsValidator(const dhtnet::tls::CertificateStore& certStore, const std::vector<uint8_t>& certificate_raw)
279 : certStore_(certStore)
280{
281 try {
282 x509crt_ = std::make_shared<dht::crypto::Certificate>(certificate_raw);
283 certificateContent_ = x509crt_->getPacked();
284 certificateFound_ = true;
285 } catch (const std::exception& e) {
286 throw TlsValidatorException("Unable to load certificate");
287 }
288}
289
290TlsValidator::TlsValidator(const dhtnet::tls::CertificateStore& certStore, const std::shared_ptr<dht::crypto::Certificate>& crt)
291 : certStore_(certStore)
292 , certificateFound_(true)
293{
294 try {
295 if (not crt)
296 throw std::invalid_argument("Certificate must be set");
297 x509crt_ = crt;
298 certificateContent_ = x509crt_->getPacked();
299 } catch (const std::exception& e) {
300 throw TlsValidatorException("Unable to load certificate");
301 }
302}
303
304TlsValidator::~TlsValidator() {}
305
311std::string
312TlsValidator::getStringValue([[maybe_unused]]const TlsValidator::CertificateCheck check,
313 const TlsValidator::CheckResult result)
314{
315 assert(acceptedCheckValuesResult[enforcedCheckType[check]][result.first]);
316
317 switch (result.first) {
318 case CheckValues::PASSED:
319 case CheckValues::FAILED:
320 case CheckValues::UNSUPPORTED:
321 return std::string(CheckValuesNames[result.first]);
322 case CheckValues::ISO_DATE:
323 // TODO validate date
324 // return CheckValues::FAILED;
325 return result.second;
326 case CheckValues::NUMBER:
327 // TODO Validate numbers
328 case CheckValues::CUSTOM:
329 return result.second;
330 default:
331 // Consider any other case (such as forced int->CheckValues casting) as failed
332 return std::string(CheckValuesNames[CheckValues::FAILED]);
333 };
334}
335
342bool
343TlsValidator::isValid(bool verbose)
344{
345 for (const CertificateCheck check : Matrix0D<CertificateCheck>()) {
346 if (enforcedCheckType[check] == CheckValuesType::BOOLEAN) {
347 if (((this->*(checkCallback[check]))()).first == CheckValues::FAILED) {
348 if (verbose)
349 JAMI_WARNING("Check failed: {}", CertificateCheckNames[check]);
350 return false;
351 }
352 }
353 }
354 return true;
355}
356
360std::map<std::string, std::string>
361TlsValidator::getSerializedChecks()
362{
363 std::map<std::string, std::string> ret;
364 if (not certificateFound_) {
365 // Instead of checking `certificateFound` everywhere, handle it once
366 ret[std::string(CertificateCheckNames[CertificateCheck::EXIST])] = getStringValue(CertificateCheck::EXIST,
367 exist());
368 } else {
369 for (const CertificateCheck check : Matrix0D<CertificateCheck>())
370 ret[std::string(CertificateCheckNames[check])] = getStringValue(check,
371 (this->*(checkCallback[check]))());
372 }
373
374 return ret;
375}
376
380std::map<std::string, std::string>
381TlsValidator::getSerializedDetails()
382{
383 std::map<std::string, std::string> ret;
384 if (certificateFound_) {
385 for (const CertificateDetails& det : Matrix0D<CertificateDetails>()) {
386 const CheckResult r = (this->*(getterCallback[det]))();
387 std::string val;
388 // TODO move this to a fuction
389 switch (r.first) {
390 case CheckValues::PASSED:
391 case CheckValues::FAILED:
392 case CheckValues::UNSUPPORTED:
393 val = CheckValuesNames[r.first];
394 break;
395 case CheckValues::ISO_DATE:
396 // TODO validate date
397 case CheckValues::NUMBER:
398 // TODO Validate numbers
399 case CheckValues::CUSTOM:
400 default:
401 val = r.second;
402 break;
403 }
404 ret[std::string(CertificateDetailsNames[det])] = val;
405 }
406 }
407 return ret;
408}
409
413static TlsValidator::CheckResult
414checkError(int err, char* copy_buffer, size_t size)
415{
416 return TlsValidator::TlsValidator::CheckResult(err == GNUTLS_E_SUCCESS
417 ? TlsValidator::CheckValues::CUSTOM
418 : TlsValidator::CheckValues::UNSUPPORTED,
419 err == GNUTLS_E_SUCCESS
420 ? std::string(copy_buffer, size)
421 : "");
422}
423
427static TlsValidator::CheckResult
428formatDate(const time_t time)
429{
430 char buffer[12];
431 struct tm* timeinfo = localtime(&time);
432 strftime(buffer, sizeof(buffer), "%F", timeinfo);
433 return TlsValidator::CheckResult(TlsValidator::CheckValues::ISO_DATE, buffer);
434}
435
441static TlsValidator::CheckResult
442checkBinaryError(int err, char* copy_buffer, size_t resultSize)
443{
444 if (err == GNUTLS_E_SUCCESS)
445 return TlsValidator::CheckResult(TlsValidator::CheckValues::CUSTOM,
446 dht::toHex(reinterpret_cast<uint8_t*>(copy_buffer),
447 resultSize));
448 else
449 return TlsValidator::CheckResult(TlsValidator::CheckValues::UNSUPPORTED, "");
450}
451
455unsigned int
456TlsValidator::compareToCa()
457{
458 // Don't check unless the certificate changed
459 if (caChecked_)
460 return caValidationOutput_;
461
462 // build the CA trusted list
463 gnutls_x509_trust_list_t trust;
464 gnutls_x509_trust_list_init(&trust, 0);
465
466 auto root_cas = certStore_.getTrustedCertificates();
467 auto err = gnutls_x509_trust_list_add_cas(trust, root_cas.data(), root_cas.size(), 0);
468 if (err)
469 JAMI_WARN("gnutls_x509_trust_list_add_cas failed: %s", gnutls_strerror(err));
470
471 if (not caListPath_.empty()) {
472 if (std::filesystem::is_directory(caListPath_))
473 gnutls_x509_trust_list_add_trust_dir(trust,
474 caListPath_.c_str(),
475 nullptr,
476 GNUTLS_X509_FMT_PEM,
477 0,
478 0);
479 else
480 gnutls_x509_trust_list_add_trust_file(trust,
481 caListPath_.c_str(),
482 nullptr,
483 GNUTLS_X509_FMT_PEM,
484 0,
485 0);
486 }
487
488 // build the certificate chain
489 auto crts = x509crt_->getChain();
490 err = gnutls_x509_trust_list_verify_crt2(trust,
491 crts.data(),
492 crts.size(),
493 nullptr,
494 0,
495 GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
496 &caValidationOutput_,
497 nullptr);
498
499 gnutls_x509_trust_list_deinit(trust, true);
500
501 if (err) {
502 JAMI_WARN("gnutls_x509_trust_list_verify_crt2 failed: %s", gnutls_strerror(err));
503 return GNUTLS_CERT_SIGNER_NOT_FOUND;
504 }
505
506 caChecked_ = true;
507 return caValidationOutput_;
508}
509
510#if 0 // disabled, see .h for reason
519int TlsValidator::verifyHostnameCertificate(const std::string& host, const uint16_t port)
520{
521 int err, arg, res = -1;
522 unsigned int status = (unsigned) -1;
523 const char *errptr = nullptr;
524 gnutls_session_t session = nullptr;
525 gnutls_certificate_credentials_t cred = nullptr;
526 unsigned int certslen = 0;
527 const gnutls_datum_t *certs = nullptr;
528 gnutls_x509_crt_t cert = nullptr;
529
530 char buf[4096];
531 int sockfd;
532 struct sockaddr_in name;
533 struct hostent *hostinfo;
534 const int one = 1;
535 fd_set fdset;
536 struct timeval tv;
537
538 if (!host.size() || !port) {
539 JAMI_ERR("Wrong parameters used - host %s, port %d.", host.c_str(), port);
540 return res;
541 }
542
543 /* Create the socket. */
544 sockfd = socket (PF_INET, SOCK_STREAM, 0);
545 if (sockfd < 0) {
546 JAMI_ERR("Unable to create socket.");
547 return res;
548 }
549 /* Set non-blocking so we can dected timeouts. */
550 arg = fcntl(sockfd, F_GETFL, nullptr);
551 if (arg < 0)
552 goto out;
553 arg |= O_NONBLOCK;
554 if (fcntl(sockfd, F_SETFL, arg) < 0)
555 goto out;
556
557 /* Give the socket a name. */
558 memset(&name, 0, sizeof(name));
559 name.sin_family = AF_INET;
560 name.sin_port = htons(port);
561 hostinfo = gethostbyname(host.c_str());
562 if (hostinfo == nullptr) {
563 JAMI_ERR("Unknown host %s.", host.c_str());
564 goto out;
565 }
566 name.sin_addr = *(struct in_addr *)hostinfo->h_addr;
567 /* Connect to the address specified in name struct. */
568 err = connect(sockfd, (struct sockaddr *)&name, sizeof(name));
569 if (err < 0) {
570 /* Connection in progress, use select to see if timeout is reached. */
571 if (errno == EINPROGRESS) {
572 do {
573 FD_ZERO(&fdset);
574 FD_SET(sockfd, &fdset);
575 tv.tv_sec = 10; // 10 second timeout
576 tv.tv_usec = 0;
577 err = select(sockfd + 1, nullptr, &fdset, nullptr, &tv);
578 if (err < 0 && errno != EINTR) {
579 JAMI_ERR("Unable to connect to hostname %s at port %d",
580 host.c_str(), port);
581 goto out;
582 } else if (err > 0) {
583 /* Select returned, if so_error is clean we are ready. */
584 int so_error;
585 socklen_t len = sizeof(so_error);
586 getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &so_error, &len);
587
588 if (so_error) {
589 JAMI_ERR("Connection delayed.");
590 goto out;
591 }
592 break; // exit do-while loop
593 } else {
594 JAMI_ERR("Connection timeout.");
595 goto out;
596 }
597 } while(1);
598 } else {
599 JAMI_ERR("Unable to connect to hostname %s at port %d", host.c_str(), port);
600 goto out;
601 }
602 }
603 /* Set the socked blocking again. */
604 arg = fcntl(sockfd, F_GETFL, nullptr);
605 if (arg < 0)
606 goto out;
607 arg &= ~O_NONBLOCK;
608 if (fcntl(sockfd, F_SETFL, arg) < 0)
609 goto out;
610
611 /* Disable Nagle algorithm that slows down the SSL handshake. */
612 err = setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &one, sizeof(one));
613 if (err < 0) {
614 JAMI_ERR("Unable to set TCP_NODELAY.");
615 goto out;
616 }
617
618
619 /* Load the trusted CA certificates. */
620 err = gnutls_certificate_allocate_credentials(&cred);
621 if (err != GNUTLS_E_SUCCESS) {
622 JAMI_ERR("Unable to allocate credentials - %s", gnutls_strerror(err));
623 goto out;
624 }
625 err = gnutls_certificate_set_x509_system_trust(cred);
626 if (err != GNUTLS_E_SUCCESS) {
627 JAMI_ERR("Unable to load credentials.");
628 goto out;
629 }
630
631 /* Create the session object. */
632 err = gnutls_init(&session, GNUTLS_CLIENT);
633 if (err != GNUTLS_E_SUCCESS) {
634 JAMI_ERR("Unable to init session -%s\n", gnutls_strerror(err));
635 goto out;
636 }
637
638 /* Configure the cipher preferences. The default set should be good enough. */
639 err = gnutls_priority_set_direct(session, "NORMAL", &errptr);
640 if (err != GNUTLS_E_SUCCESS) {
641 JAMI_ERR("Unable to set up ciphers - %s (%s)", gnutls_strerror(err), errptr);
642 goto out;
643 }
644
645 /* Install the trusted certificates. */
646 err = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);
647 if (err != GNUTLS_E_SUCCESS) {
648 JAMI_ERR("Unable to set up credentials - %s", gnutls_strerror(err));
649 goto out;
650 }
651
652 /* Associate the socket with the session object and set the server name. */
653 gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) (uintptr_t) sockfd);
654 err = gnutls_server_name_set(session, GNUTLS_NAME_DNS, host.c_str(), host.size());
655 if (err != GNUTLS_E_SUCCESS) {
656 JAMI_ERR("Unable to set server name - %s", gnutls_strerror(err));
657 goto out;
658 }
659
660 /* Establish the connection. */
661 err = gnutls_handshake(session);
662 if (err != GNUTLS_E_SUCCESS) {
663 JAMI_ERR("Handshake failed - %s", gnutls_strerror(err));
664 goto out;
665 }
666 /* Obtain the server certificate chain. The server certificate
667 * itself is stored in the first element of the array. */
668 certs = gnutls_certificate_get_peers(session, &certslen);
669 if (certs == nullptr || certslen == 0) {
670 JAMI_ERR("Unable to obtain peer certificate - %s", gnutls_strerror(err));
671 goto out;
672 }
673
674 /* Validate the certificate chain. */
675 err = gnutls_certificate_verify_peers2(session, &status);
676 if (err != GNUTLS_E_SUCCESS) {
677 JAMI_ERR("Unable to verify the certificate chain - %s", gnutls_strerror(err));
678 goto out;
679 }
680 if (status != 0) {
681 gnutls_datum_t msg;
682#if GNUTLS_VERSION_AT_LEAST_3_1_4
683 int type = gnutls_certificate_type_get(session);
684 err = gnutls_certificate_verification_status_print(status, type, &out, 0);
685#else
686 err = -1;
687#endif
688 if (err == 0) {
689 JAMI_ERR("Certificate validation failed - %s\n", msg.data);
690 gnutls_free(msg.data);
691 goto out;
692 } else {
693 JAMI_ERR("Certificate validation failed with code 0x%x.", status);
694 goto out;
695 }
696 }
697
698 /* Match the peer certificate against the hostname.
699 * We can only obtain a set of DER-encoded certificates from the
700 * session object, so we have to re-parse the peer certificate into
701 * a certificate object. */
702
703 err = gnutls_x509_crt_init(&cert);
704 if (err != GNUTLS_E_SUCCESS) {
705 JAMI_ERR("Unable to init certificate - %s", gnutls_strerror(err));
706 goto out;
707 }
708
709 /* The peer certificate is the first certificate in the list. */
710 err = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_PEM);
711 if (err != GNUTLS_E_SUCCESS)
712 err = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);
713 if (err != GNUTLS_E_SUCCESS) {
714 JAMI_ERR("Unable to read peer certificate - %s", gnutls_strerror(err));
715 goto out;
716 }
717 /* Finally check if the hostnames match. */
718 err = gnutls_x509_crt_check_hostname(cert, host.c_str());
719 if (err == 0) {
720 JAMI_ERR("Hostname %s does not match certificate.", host.c_str());
721 goto out;
722 }
723
724 /* Try sending and receiving some data through. */
725 snprintf(buf, sizeof(buf), "GET / HTTP/1.0\r\nHost: %s\r\n\r\n", host.c_str());
726 err = gnutls_record_send(session, buf, strlen(buf));
727 if (err < 0) {
728 JAMI_ERR("Send failed - %s", gnutls_strerror(err));
729 goto out;
730 }
731 err = gnutls_record_recv(session, buf, sizeof(buf));
732 if (err < 0) {
733 JAMI_ERR("Recv failed - %s", gnutls_strerror(err));
734 goto out;
735 }
736
737 JAMI_DBG("Hostname %s seems to point to a valid server.", host.c_str());
738 res = 0;
739out:
740 if (session) {
741 gnutls_bye(session, GNUTLS_SHUT_RDWR);
742 gnutls_deinit(session);
743 }
744 if (cert)
745 gnutls_x509_crt_deinit(cert);
746 if (cred)
747 gnutls_certificate_free_credentials(cred);
748 close(sockfd);
749 return res;
750}
751#endif
752
756TlsValidator::CheckResult
757TlsValidator::hasPrivateKey()
758{
759 if (privateKeyFound_)
760 return TlsValidator::CheckResult(CheckValues::PASSED, "");
761
762 try {
763 dht::crypto::PrivateKey key_tmp(certificateContent_);
764 } catch (const std::exception& e) {
765 return CheckResult(CheckValues::FAILED, e.what());
766 }
767
768 JAMI_DBG("Key from %s seems valid.", certificatePath_.c_str());
769 return CheckResult(CheckValues::PASSED, "");
770}
771
780TlsValidator::CheckResult
781TlsValidator::notExpired()
782{
783 if (exist().first == CheckValues::FAILED)
784 TlsValidator::CheckResult(CheckValues::UNSUPPORTED, "");
785
786 // time_t expirationTime = gnutls_x509_crt_get_expiration_time(cert);
787 return TlsValidator::CheckResult(compareToCa() & GNUTLS_CERT_EXPIRED ? CheckValues::FAILED
788 : CheckValues::PASSED,
789 "");
790}
791
797TlsValidator::CheckResult
798TlsValidator::activated()
799{
800 if (exist().first == CheckValues::FAILED)
801 TlsValidator::CheckResult(CheckValues::UNSUPPORTED, "");
802
803 // time_t activationTime = gnutls_x509_crt_get_activation_time(cert);
804 return TlsValidator::CheckResult(compareToCa() & GNUTLS_CERT_NOT_ACTIVATED
805 ? CheckValues::FAILED
806 : CheckValues::PASSED,
807 "");
808}
809
814TlsValidator::CheckResult
815TlsValidator::strongSigning()
816{
817 if (exist().first == CheckValues::FAILED)
818 TlsValidator::CheckResult(CheckValues::UNSUPPORTED, "");
819
820 // Doesn't seem to have the same value as
821 // certtool --infile /home/etudiant/Téléchargements/mynsauser.pem --key-inf
822 // TODO figure out why
823 return TlsValidator::CheckResult(compareToCa() & GNUTLS_CERT_INSECURE_ALGORITHM
824 ? CheckValues::FAILED
825 : CheckValues::PASSED,
826 "");
827}
828
832TlsValidator::CheckResult
837
841TlsValidator::CheckResult
852
853TlsValidator::CheckResult
854TlsValidator::privateKeyStoragePermissions()
855{
856 struct stat statbuf;
857 int err = stat(privateKeyPath_.c_str(), &statbuf);
858 if (err)
859 return TlsValidator::CheckResult(CheckValues::UNSUPPORTED, "");
860
861// clang-format off
862 return TlsValidator::CheckResult(
863 (statbuf.st_mode & S_IFREG) && /* Regular file only */
864 /* READ WRITE EXECUTE */
865 /* Owner */ ( (statbuf.st_mode & S_IRUSR) /* write is not relevant */ && !(statbuf.st_mode & S_IXUSR))
866 /* Group */ && (!(statbuf.st_mode & S_IRGRP) && !(statbuf.st_mode & S_IWGRP) && !(statbuf.st_mode & S_IXGRP))
867 /* Other */ && (!(statbuf.st_mode & S_IROTH) && !(statbuf.st_mode & S_IWOTH) && !(statbuf.st_mode & S_IXOTH))
868 ? CheckValues::PASSED:CheckValues::FAILED, "");
869// clang-format on
870}
871
872TlsValidator::CheckResult
873TlsValidator::publicKeyStoragePermissions()
874{
875 struct stat statbuf;
876 int err = stat(certificatePath_.c_str(), &statbuf);
877 if (err)
878 return TlsValidator::CheckResult(CheckValues::UNSUPPORTED, "");
879
880// clang-format off
881 return TlsValidator::CheckResult(
882 (statbuf.st_mode & S_IFREG) && /* Regular file only */
883 /* READ WRITE EXECUTE */
884 /* Owner */ ( (statbuf.st_mode & S_IRUSR) /* write is not relevant */ && !(statbuf.st_mode & S_IXUSR))
885 /* Group */ && ( /* read is not relevant */ !(statbuf.st_mode & S_IWGRP) && !(statbuf.st_mode & S_IXGRP))
886 /* Other */ && ( /* read is not relevant */ !(statbuf.st_mode & S_IWOTH) && !(statbuf.st_mode & S_IXOTH))
887 ? CheckValues::PASSED:CheckValues::FAILED, "");
888// clang-format on
889}
890
891TlsValidator::CheckResult
892TlsValidator::privateKeyDirectoryPermissions()
893{
894 if (privateKeyPath_.empty())
895 return TlsValidator::CheckResult(CheckValues::UNSUPPORTED, "");
896
897#ifndef _MSC_VER
898 auto path = std::unique_ptr<char, decltype(free)&>(strdup(privateKeyPath_.c_str()), free);
899 const char* dir = dirname(path.get());
900#else
901 char* dir;
902 _splitpath(certificatePath_.c_str(), nullptr, dir, nullptr, nullptr);
903#endif
904
905 struct stat statbuf;
906 int err = stat(dir, &statbuf);
907 if (err)
908 return TlsValidator::CheckResult(CheckValues::UNSUPPORTED, "");
909
910 return TlsValidator::CheckResult(
911 /* READ WRITE EXECUTE */
912 /* Owner */ (
913 (statbuf.st_mode & S_IRUSR) /* write is not relevant */ && (statbuf.st_mode & S_IXUSR))
914 /* Group */
915 && (!(statbuf.st_mode & S_IRGRP) && !(statbuf.st_mode & S_IWGRP)
916 && !(statbuf.st_mode & S_IXGRP))
917 /* Other */
918 && (!(statbuf.st_mode & S_IROTH) && !(statbuf.st_mode & S_IWOTH)
919 && !(statbuf.st_mode & S_IXOTH))
920 && S_ISDIR(statbuf.st_mode)
921 ? CheckValues::PASSED
922 : CheckValues::FAILED,
923 "");
924}
925
926TlsValidator::CheckResult
927TlsValidator::publicKeyDirectoryPermissions()
928{
929#ifndef _MSC_VER
930 auto path = std::unique_ptr<char, decltype(free)&>(strdup(certificatePath_.c_str()), free);
931 const char* dir = dirname(path.get());
932#else
933 char* dir;
934 _splitpath(certificatePath_.c_str(), nullptr, dir, nullptr, nullptr);
935#endif
936
937 struct stat statbuf;
938 int err = stat(dir, &statbuf);
939 if (err)
940 return TlsValidator::CheckResult(CheckValues::UNSUPPORTED, "");
941
942 return TlsValidator::CheckResult(
943 /* READ WRITE EXECUTE */
944 /* Owner */ (
945 (statbuf.st_mode & S_IRUSR) /* write is not relevant */ && (statbuf.st_mode & S_IXUSR))
946 /* Group */
947 && (!(statbuf.st_mode & S_IRGRP) && !(statbuf.st_mode & S_IWGRP)
948 && !(statbuf.st_mode & S_IXGRP))
949 /* Other */
950 && (!(statbuf.st_mode & S_IROTH) && !(statbuf.st_mode & S_IWOTH)
951 && !(statbuf.st_mode & S_IXOTH))
952 && S_ISDIR(statbuf.st_mode)
953 ? CheckValues::PASSED
954 : CheckValues::FAILED,
955 "");
956}
957
961TlsValidator::CheckResult
967
971TlsValidator::CheckResult
977
981TlsValidator::CheckResult
987
991TlsValidator::CheckResult
997
1003TlsValidator::CheckResult
1012TlsValidator::CheckResult
1020
1024TlsValidator::CheckResult
1025TlsValidator::exist()
1026{
1027 return TlsValidator::CheckResult((certificateFound_ or certificateFileFound_)
1028 ? CheckValues::PASSED
1029 : CheckValues::FAILED,
1030 "");
1031}
1032
1038TlsValidator::CheckResult
1039TlsValidator::valid()
1040{
1041 return TlsValidator::CheckResult(certificateFound_ ? CheckValues::PASSED : CheckValues::FAILED,
1042 "");
1043}
1044
1048TlsValidator::CheckResult
1049TlsValidator::validAuthority()
1050{
1051 // TODO Merge with either above or below
1052 return TlsValidator::CheckResult((compareToCa() & GNUTLS_CERT_SIGNER_NOT_FOUND)
1053 ? CheckValues::FAILED
1054 : CheckValues::PASSED,
1055 "");
1056}
1057
1061TlsValidator::CheckResult
1069
1078TlsValidator::CheckResult
1079TlsValidator::knownAuthority()
1080{
1081 // TODO need a new boolean account setting "require trusted authority" or something defaulting
1082 // to true using GNUTLS_CERT_SIGNER_NOT_FOUND is a temporary placeholder as it is close enough
1083 return TlsValidator::CheckResult(compareToCa() & GNUTLS_CERT_SIGNER_NOT_FOUND
1084 ? CheckValues::FAILED
1085 : CheckValues::PASSED,
1086 "");
1087}
1088
1092TlsValidator::CheckResult
1093TlsValidator::notRevoked()
1094{
1095 return TlsValidator::CheckResult((compareToCa() & GNUTLS_CERT_REVOKED)
1096 || (compareToCa()
1097 & GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE)
1098 ? CheckValues::FAILED
1099 : CheckValues::PASSED,
1100 "");
1101}
1102
1106bool
1107TlsValidator::hasCa() const
1108{
1109 return (x509crt_ and x509crt_->issuer); /* or
1110 (caCert_ != nullptr and caCert_->certificateFound_);*/
1111}
1112
1113//
1114// Certificate details
1115//
1116
1117// TODO gnutls_x509_crl_get_this_update
1118
1122TlsValidator::CheckResult
1123TlsValidator::getPublicSignature()
1124{
1125 size_t resultSize = sizeof(copy_buffer);
1126 int err = gnutls_x509_crt_get_signature(x509crt_->cert, copy_buffer, &resultSize);
1127 return checkBinaryError(err, copy_buffer, resultSize);
1128}
1129
1133TlsValidator::CheckResult
1134TlsValidator::getVersionNumber()
1135{
1136 int version = gnutls_x509_crt_get_version(x509crt_->cert);
1137 if (version < 0)
1138 return TlsValidator::CheckResult(CheckValues::UNSUPPORTED, "");
1139
1140 std::ostringstream convert;
1141 convert << version;
1142
1143 return TlsValidator::CheckResult(CheckValues::NUMBER, convert.str());
1144}
1145
1149TlsValidator::CheckResult
1150TlsValidator::getSerialNumber()
1151{
1152 // gnutls_x509_crl_iter_crt_serial
1153 // gnutls_x509_crt_get_authority_key_gn_serial
1154 size_t resultSize = sizeof(copy_buffer);
1155 int err = gnutls_x509_crt_get_serial(x509crt_->cert, copy_buffer, &resultSize);
1156 return checkBinaryError(err, copy_buffer, resultSize);
1157}
1158
1162TlsValidator::CheckResult
1163TlsValidator::getIssuer()
1164{
1165 if (not x509crt_->issuer) {
1166 auto icrt = certStore_.findIssuer(x509crt_);
1167 if (icrt)
1168 return TlsValidator::CheckResult(CheckValues::CUSTOM, icrt->getId().toString());
1169 return TlsValidator::CheckResult(CheckValues::UNSUPPORTED, "");
1170 }
1171 return TlsValidator::CheckResult(CheckValues::CUSTOM, x509crt_->issuer->getId().toString());
1172}
1173
1177TlsValidator::CheckResult
1178TlsValidator::getSubjectKeyAlgorithm()
1179{
1180 unsigned key_length = 0;
1181 gnutls_pk_algorithm_t algo = (gnutls_pk_algorithm_t)
1182 gnutls_x509_crt_get_pk_algorithm(x509crt_->cert, &key_length);
1183
1184 if (algo < 0)
1185 return TlsValidator::CheckResult(CheckValues::UNSUPPORTED, "");
1186
1187 const char* name = gnutls_pk_get_name(algo);
1188
1189 if (!name)
1190 return TlsValidator::CheckResult(CheckValues::UNSUPPORTED, "");
1191
1192 if (key_length)
1193 return TlsValidator::CheckResult(CheckValues::CUSTOM, fmt::format("{} ({} bits)", name, key_length));
1194 else
1195 return TlsValidator::CheckResult(CheckValues::CUSTOM, name);
1196}
1197
1201TlsValidator::CheckResult
1202TlsValidator::getSubjectKey()
1203{
1204 try {
1205 std::vector<uint8_t> data;
1206 x509crt_->getPublicKey().pack(data);
1207 return TlsValidator::CheckResult(CheckValues::CUSTOM, dht::toHex(data));
1208 } catch (const dht::crypto::CryptoException& e) {
1209 return TlsValidator::CheckResult(CheckValues::UNSUPPORTED, e.what());
1210 }
1211}
1212
1216TlsValidator::CheckResult
1217TlsValidator::getCN()
1218{
1219 // TODO split, cache
1220 size_t resultSize = sizeof(copy_buffer);
1221 int err = gnutls_x509_crt_get_dn_by_oid(x509crt_->cert,
1222 GNUTLS_OID_X520_COMMON_NAME,
1223 0,
1224 0,
1225 copy_buffer,
1226 &resultSize);
1227 return checkError(err, copy_buffer, resultSize);
1228}
1229
1233TlsValidator::CheckResult
1234TlsValidator::getUID()
1235{
1236 size_t resultSize = sizeof(copy_buffer);
1237 int err = gnutls_x509_crt_get_dn_by_oid(x509crt_->cert,
1238 GNUTLS_OID_LDAP_UID,
1239 0,
1240 0,
1241 copy_buffer,
1242 &resultSize);
1243 return checkError(err, copy_buffer, resultSize);
1244}
1245
1249TlsValidator::CheckResult
1250TlsValidator::getN()
1251{
1252 // TODO split, cache
1253 size_t resultSize = sizeof(copy_buffer);
1254 int err = gnutls_x509_crt_get_dn_by_oid(x509crt_->cert,
1255 GNUTLS_OID_X520_NAME,
1256 0,
1257 0,
1258 copy_buffer,
1259 &resultSize);
1260 return checkError(err, copy_buffer, resultSize);
1261}
1262
1266TlsValidator::CheckResult
1267TlsValidator::getO()
1268{
1269 // TODO split, cache
1270 size_t resultSize = sizeof(copy_buffer);
1271 int err = gnutls_x509_crt_get_dn_by_oid(x509crt_->cert,
1272 GNUTLS_OID_X520_ORGANIZATION_NAME,
1273 0,
1274 0,
1275 copy_buffer,
1276 &resultSize);
1277 return checkError(err, copy_buffer, resultSize);
1278}
1279
1285TlsValidator::CheckResult
1297
1303TlsValidator::CheckResult
1304TlsValidator::getMd5Fingerprint()
1305{
1306 size_t resultSize = sizeof(copy_buffer);
1307 int err = gnutls_x509_crt_get_fingerprint(x509crt_->cert,
1308 GNUTLS_DIG_MD5,
1309 copy_buffer,
1310 &resultSize);
1311 return checkBinaryError(err, copy_buffer, resultSize);
1312}
1313
1319TlsValidator::CheckResult
1320TlsValidator::getSha1Fingerprint()
1321{
1322 size_t resultSize = sizeof(copy_buffer);
1323 int err = gnutls_x509_crt_get_fingerprint(x509crt_->cert,
1324 GNUTLS_DIG_SHA1,
1325 copy_buffer,
1326 &resultSize);
1327 return checkBinaryError(err, copy_buffer, resultSize);
1328}
1329
1333TlsValidator::CheckResult
1334TlsValidator::getPublicKeyId()
1335{
1336 static unsigned char unsigned_copy_buffer[4096];
1337 size_t resultSize = sizeof(unsigned_copy_buffer);
1338 int err = gnutls_x509_crt_get_key_id(x509crt_->cert, 0, unsigned_copy_buffer, &resultSize);
1339
1340 // TODO check for GNUTLS_E_SHORT_MEMORY_BUFFER and increase the buffer size
1341 // TODO get rid of the cast, display a HEX or something, need research
1342
1343 return checkBinaryError(err, (char*) unsigned_copy_buffer, resultSize);
1344}
1345// gnutls_x509_crt_get_authority_key_id
1346
1350TlsValidator::CheckResult
1351TlsValidator::getIssuerDN()
1352{
1353 size_t resultSize = sizeof(copy_buffer);
1354 int err = gnutls_x509_crt_get_issuer_dn(x509crt_->cert, copy_buffer, &resultSize);
1355 return checkError(err, copy_buffer, resultSize);
1356}
1357
1361TlsValidator::CheckResult
1362TlsValidator::getIssuerCN()
1363{
1364 size_t resultSize = sizeof(copy_buffer);
1365 int err = gnutls_x509_crt_get_issuer_dn_by_oid(x509crt_->cert,
1366 GNUTLS_OID_X520_COMMON_NAME,
1367 0,
1368 0,
1369 copy_buffer,
1370 &resultSize);
1371 return checkError(err, copy_buffer, resultSize);
1372}
1373
1377TlsValidator::CheckResult
1378TlsValidator::getIssuerUID()
1379{
1380 size_t resultSize = sizeof(copy_buffer);
1381 int err = gnutls_x509_crt_get_issuer_dn_by_oid(x509crt_->cert,
1382 GNUTLS_OID_LDAP_UID,
1383 0,
1384 0,
1385 copy_buffer,
1386 &resultSize);
1387 return checkError(err, copy_buffer, resultSize);
1388}
1389
1393TlsValidator::CheckResult
1394TlsValidator::getIssuerN()
1395{
1396 size_t resultSize = sizeof(copy_buffer);
1397 int err = gnutls_x509_crt_get_issuer_dn_by_oid(x509crt_->cert,
1398 GNUTLS_OID_X520_NAME,
1399 0,
1400 0,
1401 copy_buffer,
1402 &resultSize);
1403 return checkError(err, copy_buffer, resultSize);
1404}
1405
1409TlsValidator::CheckResult
1410TlsValidator::getIssuerO()
1411{
1412 size_t resultSize = sizeof(copy_buffer);
1413 int err = gnutls_x509_crt_get_issuer_dn_by_oid(x509crt_->cert,
1414 GNUTLS_OID_X520_ORGANIZATION_NAME,
1415 0,
1416 0,
1417 copy_buffer,
1418 &resultSize);
1419 return checkError(err, copy_buffer, resultSize);
1420}
1421
1427TlsValidator::CheckResult
1428TlsValidator::getExpirationDate()
1429{
1430 if (not certificateFound_)
1431 return TlsValidator::CheckResult(CheckValues::UNSUPPORTED, "");
1432
1433 time_t expiration = gnutls_x509_crt_get_expiration_time(x509crt_->cert);
1434
1435 return formatDate(expiration);
1436}
1437
1443TlsValidator::CheckResult
1444TlsValidator::getActivationDate()
1445{
1446 if (not certificateFound_)
1447 return TlsValidator::CheckResult(CheckValues::UNSUPPORTED, "");
1448
1449 time_t expiration = gnutls_x509_crt_get_activation_time(x509crt_->cert);
1450
1451 return formatDate(expiration);
1452}
1453
1460TlsValidator::CheckResult
1466
1470TlsValidator::CheckResult
1475
1476} // namespace tls
1477} // namespace jami
jami::tls::TlsValidator::getSignatureAlgorithm
CheckResult getSignatureAlgorithm()
Return the algorithm used to sign the Key.
Definition tlsvalidator.cpp:1286
jami::tls::TlsValidator::privateKeyStoragePermissions
CheckResult privateKeyStoragePermissions()
Definition tlsvalidator.cpp:854
jami::tls::TlsValidator::requirePrivateKeyPassword
CheckResult requirePrivateKeyPassword()
If the key need decryption.
Definition tlsvalidator.cpp:1004
jami::tls::TlsValidator::getIssuerUID
CheckResult getIssuerUID()
If the certificate is not self signed, return the issuer UID.
Definition tlsvalidator.cpp:1378
jami::tls::TlsValidator::privateKeyDirectoryPermissions
CheckResult privateKeyDirectoryPermissions()
Definition tlsvalidator.cpp:892
jami::tls::TlsValidator::getSerialNumber
CheckResult getSerialNumber()
Return the certificate serial number.
Definition tlsvalidator.cpp:1150
jami::tls::TlsValidator::validAuthority
CheckResult validAuthority()
The provided authority is invalid.
Definition tlsvalidator.cpp:1049
jami::tls::TlsValidator::activated
CheckResult activated()
If the activation value is in the past.
Definition tlsvalidator.cpp:798
jami::tls::TlsValidator::keyMatch
CheckResult keyMatch()
The provided key can be used along with the certificate.
Definition tlsvalidator.cpp:842
jami::tls::TlsValidator::CertificateCheck
CertificateCheck
All validation fields.
Definition tlsvalidator.h:75
jami::tls::TlsValidator::CertificateCheck::EXIST
@ EXIST
Some operating systems require keys to have extra attributes
jami::tls::TlsValidator::getN
CheckResult getN()
The 'N' section of a DN (RFC4514)
Definition tlsvalidator.cpp:1250
jami::tls::TlsValidator::getO
CheckResult getO()
The 'O' section of a DN (RFC4514)
Definition tlsvalidator.cpp:1267
jami::tls::TlsValidator::notRevoked
CheckResult notRevoked()
Check if the certificate has been revoked.
Definition tlsvalidator.cpp:1093
jami::tls::TlsValidator::getActivationDate
CheckResult getActivationDate()
Get the activation date.
Definition tlsvalidator.cpp:1444
jami::tls::TlsValidator::notSelfSigned
CheckResult notSelfSigned()
The certificate is not self signed.
Definition tlsvalidator.cpp:833
jami::tls::TlsValidator::getVersionNumber
CheckResult getVersionNumber()
Return the certificate version.
Definition tlsvalidator.cpp:1134
jami::tls::TlsValidator::strongSigning
CheckResult strongSigning()
If the algorithm used to sign the certificate is considered weak by modern standard.
Definition tlsvalidator.cpp:815
jami::tls::TlsValidator::getPublicKeyId
CheckResult getPublicKeyId()
Return an hexadecimal identifier.
Definition tlsvalidator.cpp:1334
jami::tls::TlsValidator::authorityMatch
CheckResult authorityMatch()
Check if the authority match the certificate.
Definition tlsvalidator.cpp:1062
jami::tls::TlsValidator::getIssuer
CheckResult getIssuer()
If the certificate is not self signed, return the issuer.
Definition tlsvalidator.cpp:1163
jami::tls::TlsValidator::hasCa
bool hasCa() const
A certificate authority has been provided.
Definition tlsvalidator.cpp:1107
jami::tls::TlsValidator::isCA
CheckResult isCA()
If the certificate is not self signed, return the issuer.
Definition tlsvalidator.cpp:1471
jami::tls::TlsValidator::notExpired
CheckResult notExpired()
Check if the certificate is not expired.
Definition tlsvalidator.cpp:781
jami::tls::TlsValidator::getUID
CheckResult getUID()
The 'UID' section of a DN (RFC4514)
Definition tlsvalidator.cpp:1234
jami::tls::TlsValidator::getIssuerO
CheckResult getIssuerO()
If the certificate is not self signed, return the issuer O.
Definition tlsvalidator.cpp:1410
jami::tls::TlsValidator::getSubjectKeyAlgorithm
CheckResult getSubjectKeyAlgorithm()
The algorithm used to sign the certificate details (rather than the certificate itself)
Definition tlsvalidator.cpp:1178
jami::tls::TlsValidator::isValid
bool isValid(bool verbose=false)
Check if all boolean check passed return true if there was no FAILED checks.
Definition tlsvalidator.cpp:343
jami::tls::TlsValidator::getIssuerDN
CheckResult getIssuerDN()
If the certificate is not self signed, return the issuer DN (RFC4514)
Definition tlsvalidator.cpp:1351
jami::tls::TlsValidator::outgoingServer
CheckResult outgoingServer()
The expected outgoing server domain.
Definition tlsvalidator.cpp:1461
jami::tls::TlsValidator::knownAuthority
CheckResult knownAuthority()
When an account require an authority known by the system (like /usr/share/ssl/certs) then the whole c...
Definition tlsvalidator.cpp:1079
jami::tls::TlsValidator::privateKeySelinuxAttributes
CheckResult privateKeySelinuxAttributes()
SELinux provide additional key protection mechanism.
Definition tlsvalidator.cpp:982
jami::tls::TlsValidator::CheckResult
std::pair< CheckValues, std::string > CheckResult
Definition tlsvalidator.h:176
jami::tls::TlsValidator::getPublicSignature
CheckResult getPublicSignature()
An hexadecimal representation of the signature.
Definition tlsvalidator.cpp:1123
jami::tls::TlsValidator::getExpirationDate
CheckResult getExpirationDate()
Get the expiration date.
Definition tlsvalidator.cpp:1428
jami::tls::TlsValidator::exist
CheckResult exist()
The file has been found.
Definition tlsvalidator.cpp:1025
jami::tls::TlsValidator::valid
CheckResult valid()
The certificate is invalid compared to the authority.
Definition tlsvalidator.cpp:1039
jami::tls::TlsValidator::TlsValidator
TlsValidator(const dhtnet::tls::CertificateStore &certStore, const std::string &certificate, const std::string &privatekey="", const std::string &privatekeyPasswd="", const std::string &caList="")
Create a TlsValidator for a given certificate.
Definition tlsvalidator.cpp:234
jami::tls::TlsValidator::CheckValues::NUMBER
@ NUMBER
The check value cannot be represented with a finite set of values.
jami::tls::TlsValidator::CheckValues::ISO_DATE
@ ISO_DATE
The operating system doesn't support or require the check
jami::tls::TlsValidator::CheckValues::UNSUPPORTED
@ UNSUPPORTED
Equivalent of a boolean "false"
jami::tls::TlsValidator::CheckValues::CUSTOM
@ CUSTOM
The check value is an ISO 8601 date YYYY-MM-DD[TH24:MM:SS+00:00]
jami::tls::TlsValidator::CheckValues::FAILED
@ FAILED
Equivalent of a boolean "true"
jami::tls::TlsValidator::getMd5Fingerprint
CheckResult getMd5Fingerprint()
Compute the key fingerprint.
Definition tlsvalidator.cpp:1304
jami::tls::TlsValidator::hasPrivateKey
CheckResult hasPrivateKey()
Check if the Validator have access to a private key.
Definition tlsvalidator.cpp:757
jami::tls::TlsValidator::getSerializedChecks
std::map< std::string, std::string > getSerializedChecks()
Convert all checks results into a string map.
Definition tlsvalidator.cpp:361
jami::tls::TlsValidator::getSubjectKey
CheckResult getSubjectKey()
The subject public key.
Definition tlsvalidator.cpp:1202
jami::tls::TlsValidator::publicKeyStoragePermissions
CheckResult publicKeyStoragePermissions()
Definition tlsvalidator.cpp:873
jami::tls::TlsValidator::CertificateDetails
CertificateDetails
Informative fields about a certificate.
Definition tlsvalidator.h:109
jami::tls::TlsValidator::getIssuerN
CheckResult getIssuerN()
If the certificate is not self signed, return the issuer N.
Definition tlsvalidator.cpp:1394
jami::tls::TlsValidator::privateKeyStorageLocation
CheckResult privateKeyStorageLocation()
Certificate should be located in specific path on some operating systems.
Definition tlsvalidator.cpp:962
jami::tls::TlsValidator::publicKeyStorageLocation
CheckResult publicKeyStorageLocation()
Certificate should be located in specific path on some operating systems.
Definition tlsvalidator.cpp:972
jami::tls::TlsValidator::getIssuerCN
CheckResult getIssuerCN()
If the certificate is not self signed, return the issuer CN.
Definition tlsvalidator.cpp:1362
jami::tls::TlsValidator::getSha1Fingerprint
CheckResult getSha1Fingerprint()
Compute the key fingerprint.
Definition tlsvalidator.cpp:1320
jami::tls::TlsValidator::getSerializedDetails
std::map< std::string, std::string > getSerializedDetails()
Get a map with all common certificate details.
Definition tlsvalidator.cpp:381
jami::tls::TlsValidator::publicKeySelinuxAttributes
CheckResult publicKeySelinuxAttributes()
SELinux provide additional key protection mechanism.
Definition tlsvalidator.cpp:992
jami::tls::TlsValidator::expectedOwner
CheckResult expectedOwner()
The CA and certificate provide conflicting ownership information.
Definition tlsvalidator.cpp:1013
jami::tls::TlsValidator::publicKeyDirectoryPermissions
CheckResult publicKeyDirectoryPermissions()
Definition tlsvalidator.cpp:927
jami::tls::TlsValidator::getCN
CheckResult getCN()
The 'CN' section of a DN (RFC4514)
Definition tlsvalidator.cpp:1217
JAMI_ERR
#define JAMI_ERR(...)
Definition logger.h:218
JAMI_DBG
#define JAMI_DBG(...)
Definition logger.h:216
JAMI_WARN
#define JAMI_WARN(...)
Definition logger.h:217
JAMI_WARNING
#define JAMI_WARNING(formatstr,...)
Definition logger.h:227
dht
Definition account.h:55
jami::fileutils::loadFile
std::vector< uint8_t > loadFile(const std::filesystem::path &path, const std::filesystem::path &default_dir)
Read the full content of a file at path.
Definition fileutils.cpp:270
jami::swarm_protocol::version
static constexpr int version
Definition swarm_protocol.h:32
jami::tls::checkBinaryError
static TlsValidator::CheckResult checkBinaryError(int err, char *copy_buffer, size_t resultSize)
Helper method to return UNSUPPORTED when an error is detected.
Definition tlsvalidator.cpp:442
jami::tls::checkError
static TlsValidator::CheckResult checkError(int err, char *copy_buffer, size_t size)
Helper method to return UNSUPPORTED when an error is detected.
Definition tlsvalidator.cpp:414
jami::tls::formatDate
static TlsValidator::CheckResult formatDate(const time_t time)
Convert a time_t to an ISO date string.
Definition tlsvalidator.cpp:428
jami::TRUE_STR
static constexpr const char TRUE_STR[]
Definition string_utils.h:38
jami::emitSignal
void emitSignal(Args... args)
Definition ring_signal.h:64
jami::FALSE_STR
static constexpr const char FALSE_STR[]
Definition string_utils.h:39
libjami::Certificate::ChecksNames::PUBLIC_KEY_STORAGE_LOCATION
static constexpr char PUBLIC_KEY_STORAGE_LOCATION[]
Definition security_const.h:51
libjami::Certificate::ChecksNames::NOT_SELF_SIGNED
static constexpr char NOT_SELF_SIGNED[]
Definition security_const.h:44
libjami::Certificate::ChecksNames::AUTHORITY_MISMATCH
static constexpr char AUTHORITY_MISMATCH[]
Definition security_const.h:59
libjami::Certificate::ChecksNames::STRONG_SIGNING
static constexpr char STRONG_SIGNING[]
Definition security_const.h:43
libjami::Certificate::ChecksNames::HAS_PRIVATE_KEY
static constexpr char HAS_PRIVATE_KEY[]
Definition security_const.h:41
libjami::Certificate::ChecksNames::PRIVATE_KEY_STORAGE_LOCATION
static constexpr char PRIVATE_KEY_STORAGE_LOCATION[]
Definition security_const.h:50
libjami::Certificate::ChecksNames::KNOWN_AUTHORITY
static constexpr char KNOWN_AUTHORITY[]
Definition security_const.h:57
libjami::Certificate::ChecksNames::PRIVATE_KEY_DIRECTORY_PERMISSIONS
static constexpr char PRIVATE_KEY_DIRECTORY_PERMISSIONS[]
Definition security_const.h:48
libjami::Certificate::ChecksNames::KEY_MATCH
static constexpr char KEY_MATCH[]
Definition security_const.h:45
libjami::Certificate::ChecksNames::UNEXPECTED_OWNER
static constexpr char UNEXPECTED_OWNER[]
Definition security_const.h:60
libjami::Certificate::ChecksNames::PRIVATE_KEY_SELINUX_ATTRIBUTES
static constexpr char PRIVATE_KEY_SELINUX_ATTRIBUTES[]
Definition security_const.h:52
libjami::Certificate::ChecksNames::VALID
static constexpr char VALID[]
Definition security_const.h:55
libjami::Certificate::ChecksNames::NOT_ACTIVATED
static constexpr char NOT_ACTIVATED[]
Definition security_const.h:61
libjami::Certificate::ChecksNames::PRIVATE_KEY_STORAGE_PERMISSION
static constexpr char PRIVATE_KEY_STORAGE_PERMISSION[]
Definition security_const.h:46
libjami::Certificate::ChecksNames::EXIST
static constexpr char EXIST[]
Definition security_const.h:54
libjami::Certificate::ChecksNames::VALID_AUTHORITY
static constexpr char VALID_AUTHORITY[]
Definition security_const.h:56
libjami::Certificate::ChecksNames::PUBLIC_KEY_STORAGE_PERMISSION
static constexpr char PUBLIC_KEY_STORAGE_PERMISSION[]
Definition security_const.h:47
libjami::Certificate::ChecksNames::NOT_REVOKED
static constexpr char NOT_REVOKED[]
Definition security_const.h:58
libjami::Certificate::ChecksNames::PUBLIC_KEY_SELINUX_ATTRIBUTES
static constexpr char PUBLIC_KEY_SELINUX_ATTRIBUTES[]
Definition security_const.h:53
libjami::Certificate::ChecksNames::EXPIRED
static constexpr char EXPIRED[]
Definition security_const.h:42
libjami::Certificate::ChecksNames::PUBLIC_KEY_DIRECTORY_PERMISSIONS
static constexpr char PUBLIC_KEY_DIRECTORY_PERMISSIONS[]
Definition security_const.h:49
libjami::Certificate::DetailsNames::ISSUER_DN
static constexpr char ISSUER_DN[]
Definition security_const.h:85
libjami::Certificate::DetailsNames::ISSUER_CN
static constexpr char ISSUER_CN[]
Definition security_const.h:86
libjami::Certificate::DetailsNames::PUBLIC_SIGNATURE
static constexpr char PUBLIC_SIGNATURE[]
Definition security_const.h:71
libjami::Certificate::DetailsNames::NEXT_EXPECTED_UPDATE_DATE
static constexpr char NEXT_EXPECTED_UPDATE_DATE[]
Definition security_const.h:90
libjami::Certificate::DetailsNames::ACTIVATION_DATE
static constexpr char ACTIVATION_DATE[]
Definition security_const.h:69
libjami::Certificate::DetailsNames::OUTGOING_SERVER
static constexpr char OUTGOING_SERVER[]
Definition security_const.h:91
libjami::Certificate::DetailsNames::SERIAL_NUMBER
static constexpr char SERIAL_NUMBER[]
Definition security_const.h:73
libjami::Certificate::DetailsNames::EXPIRATION_DATE
static constexpr char EXPIRATION_DATE[]
Definition security_const.h:68
libjami::Certificate::DetailsNames::MD5_FINGERPRINT
static constexpr char MD5_FINGERPRINT[]
Definition security_const.h:82
libjami::Certificate::DetailsNames::PUBLIC_KEY_ID
static constexpr char PUBLIC_KEY_ID[]
Definition security_const.h:84
libjami::Certificate::DetailsNames::SHA1_FINGERPRINT
static constexpr char SHA1_FINGERPRINT[]
Definition security_const.h:83
libjami::Certificate::DetailsNames::ISSUER_N
static constexpr char ISSUER_N[]
Definition security_const.h:88
libjami::Certificate::DetailsNames::ISSUER_O
static constexpr char ISSUER_O[]
Definition security_const.h:89
libjami::Certificate::DetailsNames::ISSUER
static constexpr char ISSUER[]
Definition security_const.h:74
libjami::Certificate::DetailsNames::REQUIRE_PRIVATE_KEY_PASSWORD
static constexpr char REQUIRE_PRIVATE_KEY_PASSWORD[]
Definition security_const.h:70
libjami::Certificate::DetailsNames::SIGNATURE_ALGORITHM
static constexpr char SIGNATURE_ALGORITHM[]
Definition security_const.h:81
libjami::Certificate::DetailsNames::SUBJECT_KEY
static constexpr char SUBJECT_KEY[]
Definition security_const.h:76
libjami::Certificate::DetailsNames::IS_CA
static constexpr char IS_CA[]
Definition security_const.h:92
libjami::Certificate::DetailsNames::VERSION_NUMBER
static constexpr char VERSION_NUMBER[]
Definition security_const.h:72
libjami::Certificate::DetailsNames::SUBJECT_KEY_ALGORITHM
static constexpr char SUBJECT_KEY_ALGORITHM[]
Definition security_const.h:75
libjami::Certificate::DetailsNames::ISSUER_UID
static constexpr char ISSUER_UID[]
Definition security_const.h:87
security_const.h
jami::Matrix1D
This generic class represents a multidimensional enum class array.
Definition enumclass_utils.h:50
S_IXGRP
#define S_IXGRP
Definition tlsvalidator.h:46
S_IROTH
#define S_IROTH
Definition tlsvalidator.h:52
S_IXOTH
#define S_IXOTH
Definition tlsvalidator.h:58
S_IRGRP
#define S_IRGRP
Definition tlsvalidator.h:40
S_IWOTH
#define S_IWOTH
Definition tlsvalidator.h:55
S_IWGRP
#define S_IWGRP
Definition tlsvalidator.h:43
S_IFREG
#define S_IFREG
Definition windirent.h:65
S_ISDIR
#define S_ISDIR(mode)
Definition windirent.h:183
S_IRUSR
#define S_IRUSR
Definition windirent.h:105
S_IXUSR
#define S_IXUSR
Definition windirent.h:115