tlsvalidator.h

Go to the documentation of this file.

/*
 *  Copyright (C) 2004-2025 Savoir-faire Linux Inc.
 *
 *  This program is free software: you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation, either version 3 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program. If not, see <https://www.gnu.org/licenses/>.
 */
#pragma once
 
#include "enumclass_utils.h"
#include <dhtnet/certstore.h>
 
#include <string>
#include <vector>
#include <memory>
 
// OpenDHT
namespace dht {
namespace crypto {
struct Certificate;
}
} // namespace dht
 
namespace jami {
namespace tls {
 
#if !defined(S_IRWXG)
#define S_IRWXG 00070
#endif /* S_IRWXG */
#if !defined(S_IRGRP)
#define S_IRGRP 00040
#endif /* S_IRGRP */
#if !defined(S_IWGRP)
#define S_IWGRP 00020
#endif /* S_IWGRP */
#if !defined(S_IXGRP)
#define S_IXGRP 00010
#endif /* S_IXGRP */
#if !defined(S_IRWXO)
#define S_IRWXO 00007
#endif /* S_IRWXO */
#if !defined(S_IROTH)
#define S_IROTH 00004
#endif /* S_IROTH */
#if !defined(S_IWOTH)
#define S_IWOTH 00002
#endif /* S_IWOTH */
#if !defined(S_IXOTH)
#define S_IXOTH 00001
#endif /* S_IXOTH */
 
class TlsValidatorException : public std::runtime_error
{
public:
    TlsValidatorException(const std::string& str)
        : std::runtime_error(str) {};
};
 
class TlsValidator
{
public:
    enum class CertificateCheck {
        HAS_PRIVATE_KEY, 
        EXPIRED,         
        STRONG_SIGNING,  
        NOT_SELF_SIGNED, 
        KEY_MATCH,       
        PRIVATE_KEY_STORAGE_PERMISSION, 
        PUBLIC_KEY_STORAGE_PERMISSION, 
        PRIVATE_KEY_DIRECTORY_PERMISSIONS, 
        PUBLIC_KEY_DIRECTORY_PERMISSIONS,  
        PRIVATE_KEY_STORAGE_LOCATION, 
        PUBLIC_KEY_STORAGE_LOCATION,  
        PRIVATE_KEY_SELINUX_ATTRIBUTES, 
        PUBLIC_KEY_SELINUX_ATTRIBUTES,  
        EXIST,           
        VALID,           
        VALID_AUTHORITY, 
        KNOWN_AUTHORITY, 
        NOT_REVOKED,     
        AUTHORITY_MISMATCH, 
        UNEXPECTED_OWNER,   
        NOT_ACTIVATED, 
        COUNT__,
    };
 
    enum class CertificateDetails {
        EXPIRATION_DATE, 
        ACTIVATION_DATE, 
        REQUIRE_PRIVATE_KEY_PASSWORD, 
        PUBLIC_SIGNATURE,
        VERSION_NUMBER,
        SERIAL_NUMBER,
        ISSUER,
        SUBJECT_KEY_ALGORITHM,
        SUBJECT_KEY,
        CN,
        UID,
        N,
        O,
        SIGNATURE_ALGORITHM,
        MD5_FINGERPRINT,
        SHA1_FINGERPRINT,
        PUBLIC_KEY_ID,
        ISSUER_DN,
        ISSUER_CN,
        ISSUER_UID,
        ISSUER_N,
        ISSUER_O,
        NEXT_EXPECTED_UPDATE_DATE,
        OUTGOING_SERVER, 
        IS_CA,
        COUNT__
    };
 
    enum class CheckValuesType {
        BOOLEAN,
        ISO_DATE,
        CUSTOM,
        NUMBER,
        COUNT__,
    };
 
    enum class CheckValues {
        PASSED,      
        FAILED,      
        UNSUPPORTED, 
        ISO_DATE,    
        CUSTOM,      
        NUMBER,
        COUNT__,
    };
 
    using CheckResult = std::pair<CheckValues, std::string>;
 
    TlsValidator(const dhtnet::tls::CertificateStore& certStore,
                 const std::string& certificate,
                 const std::string& privatekey = "",
                 const std::string& privatekeyPasswd = "",
                 const std::string& caList = "");
 
    TlsValidator(const dhtnet::tls::CertificateStore& certStore, const std::vector<std::vector<uint8_t>>& certificate_chain_raw);
 
    TlsValidator(const dhtnet::tls::CertificateStore& certStore, const std::vector<uint8_t>& certificate_raw);
 
    TlsValidator(const dhtnet::tls::CertificateStore& certStore, const std::shared_ptr<dht::crypto::Certificate>&);
 
    ~TlsValidator();
 
    bool hasCa() const;
 
    bool isValid(bool verbose = false);
 
    // Security checks
    CheckResult hasPrivateKey();
    CheckResult notExpired();
    CheckResult strongSigning();
    CheckResult notSelfSigned();
    CheckResult keyMatch();
    CheckResult privateKeyStoragePermissions();
    CheckResult publicKeyStoragePermissions();
    CheckResult privateKeyDirectoryPermissions();
    CheckResult publicKeyDirectoryPermissions();
    CheckResult privateKeyStorageLocation();
    CheckResult publicKeyStorageLocation();
    CheckResult privateKeySelinuxAttributes();
    CheckResult publicKeySelinuxAttributes();
    CheckResult exist();
    CheckResult valid();
    CheckResult validAuthority();
    CheckResult knownAuthority();
    CheckResult notRevoked();
    CheckResult authorityMatch();
    CheckResult expectedOwner();
    CheckResult activated();
 
    // Certificate details
    CheckResult getExpirationDate();
    CheckResult getActivationDate();
    CheckResult requirePrivateKeyPassword();
    CheckResult getPublicSignature();
    CheckResult getVersionNumber();
    CheckResult getSerialNumber();
    CheckResult getIssuer();
    CheckResult getSubjectKeyAlgorithm();
    CheckResult getSubjectKey();
    CheckResult getCN();
    CheckResult getUID();
    CheckResult getN();
    CheckResult getO();
    CheckResult getSignatureAlgorithm();
    CheckResult getMd5Fingerprint();
    CheckResult getSha1Fingerprint();
    CheckResult getPublicKeyId();
    CheckResult getIssuerDN();
    CheckResult getIssuerCN();
    CheckResult getIssuerUID();
    CheckResult getIssuerN();
    CheckResult getIssuerO();
    CheckResult outgoingServer();
    CheckResult isCA();
 
    void setCaTlsValidator(const TlsValidator& validator);
 
    std::map<std::string, std::string> getSerializedChecks();
 
    std::map<std::string, std::string> getSerializedDetails();
 
    std::shared_ptr<dht::crypto::Certificate> getCertificate() const { return x509crt_; }
 
private:
    // Enum class names
    static const EnumClassNames<CertificateCheck> CertificateCheckNames;
 
    static const EnumClassNames<CertificateDetails> CertificateDetailsNames;
 
    static const EnumClassNames<const CheckValuesType> CheckValuesTypeNames;
 
    static const EnumClassNames<CheckValues> CheckValuesNames;
 
    static const CallbackMatrix1D<CertificateCheck, TlsValidator, CheckResult> checkCallback;
 
    static const CallbackMatrix1D<CertificateDetails, TlsValidator, CheckResult> getterCallback;
 
    static const Matrix2D<CheckValuesType, CheckValues, bool> acceptedCheckValuesResult;
 
    static const Matrix1D<CertificateCheck, CheckValuesType> enforcedCheckType;
 
    const dhtnet::tls::CertificateStore&  certStore_;
    std::string certificatePath_;
    std::string privateKeyPath_;
    std::string caListPath_ {};
 
    std::vector<uint8_t> certificateContent_;
 
    std::shared_ptr<dht::crypto::Certificate> x509crt_;
 
    bool certificateFileFound_ {false};
    bool certificateFound_ {false};
    bool privateKeyFound_ {false};
    bool privateKeyPassword_ {false};
    bool privateKeyMatch_ {false};
 
    bool caChecked_ {false};
    unsigned int caValidationOutput_ {
        0}; // 0 means "no flags set", where flags are ones from gnutls_certificate_status_t
 
    mutable char copy_buffer[4096];
 
    std::string getStringValue(const CertificateCheck check, const CheckResult result);
 
    // Helper
    unsigned int compareToCa();
 
public:
#if 0 // TODO reimplement this method. do not use it as it
    static int verifyHostnameCertificate(const std::string& host,
                                         const uint16_t port);
#endif
 
}; // TlsValidator
 
} // namespace tls
} // namespace jami