diff options
Diffstat (limited to 'tdeio/kssl/ksslcertificate.h')
-rw-r--r-- | tdeio/kssl/ksslcertificate.h | 376 |
1 files changed, 376 insertions, 0 deletions
diff --git a/tdeio/kssl/ksslcertificate.h b/tdeio/kssl/ksslcertificate.h new file mode 100644 index 000000000..0c5f87323 --- /dev/null +++ b/tdeio/kssl/ksslcertificate.h @@ -0,0 +1,376 @@ +/* This file is part of the KDE project + * + * Copyright (C) 2000-2003 George Staikos <staikos@kde.org> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Library General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Library General Public License for more details. + * + * You should have received a copy of the GNU Library General Public License + * along with this library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, + * Boston, MA 02110-1301, USA. + */ + +#ifndef _KSSLCERTIFICATE_H +#define _KSSLCERTIFICATE_H + + +// UPDATE: I like the structure of this class less and less every time I look +// at it. I think it needs to change. +// +// +// The biggest reason for making everything protected here is so that +// the class can have all it's methods available even if openssl is not +// available. Also, to create a new certificate you should use the +// KSSLCertificateFactory, and to manage the user's database of certificates, +// you should go through the KSSLCertificateHome. +// +// There should be no reason to touch the X509 stuff directly. +// + +#include <tqcstring.h> +#include <tqvaluelist.h> + +class TQString; +class TQStringList; +class TQCString; +class KSSL; +class KSSLCertificatePrivate; +class TQDateTime; +class KSSLCertChain; +class KSSLX509V3; + +#include <tdelibs_export.h> + +#ifdef Q_WS_WIN +#include "ksslconfig_win.h" +#else +#include "ksslconfig.h" +#endif + +#ifdef KSSL_HAVE_SSL +typedef struct x509_st X509; +#else +class X509; +#endif + +/** + * KDE X.509 Certificate + * + * This class represents an X.509 (SSL) certificate. + * Note: this object is VERY HEAVY TO COPY. Please try to use reference + * or pointer whenever possible + * + * @author George Staikos <staikos@kde.org> + * @see KSSL + * @short KDE X.509 Certificate + */ +class TDEIO_EXPORT KSSLCertificate { +friend class KSSL; +friend class KSSLCertificateHome; +friend class KSSLCertificateFactory; +friend class KSSLCertificateCache; +friend class KSSLCertChain; +friend class KSSLPeerInfo; +friend class KSSLPKCS12; +friend class KSSLD; +friend class KSMIMECryptoPrivate; + + +public: + /** + * Destroy this X.509 certificate. + */ + ~KSSLCertificate(); + + /** + * Create an X.509 certificate from a base64 encoded string. + * @param cert the certificate in base64 form + * @return the X.509 certificate, or NULL + */ + static KSSLCertificate *fromString(TQCString cert); + + /** + * Create an X.509 certificate from the internal representation. + * This one duplicates the X509 object for itself. + * @param x5 the OpenSSL representation of the certificate + * @return the X.509 certificate, or NULL + * @internal + */ + static KSSLCertificate *fromX509(X509 *x5); + + /** + * A CA certificate can be validated as Irrelevant when it was + * not used to sign any other relevant certificate. + */ + enum KSSLValidation { Unknown, Ok, NoCARoot, InvalidPurpose, + PathLengthExceeded, InvalidCA, Expired, + SelfSigned, ErrorReadingRoot, NoSSL, + Revoked, Untrusted, SignatureFailed, + Rejected, PrivateKeyFailed, InvalidHost, + Irrelevant, SelfSignedChain + }; + + enum KSSLPurpose { None=0, SSLServer=1, SSLClient=2, + SMIMESign=3, SMIMEEncrypt=4, Any=5 }; + + typedef TQValueList<KSSLValidation> KSSLValidationList; + + /** + * Convert this certificate to a string. + * @return the certificate in base64 format + */ + TQString toString(); + + /** + * Get the subject of the certificate (X.509 map). + * @return the subject + */ + TQString getSubject() const; + + /** + * Get the issuer of the certificate (X.509 map). + * @return the issuer + */ + TQString getIssuer() const; + + /** + * Get the date that the certificate becomes valid on. + * @return the date as a string, localised + */ + TQString getNotBefore() const; + + /** + * Get the date that the certificate is valid until. + * @return the date as a string, localised + */ + TQString getNotAfter() const; + + /** + * Get the date that the certificate becomes valid on. + * @return the date + */ + TQDateTime getQDTNotBefore() const; + + /** + * Get the date that the certificate is valid until. + * @return the date + */ + TQDateTime getQDTNotAfter() const; + + /** + * Convert the certificate to DER (ASN.1) format. + * @return the binary data of the DER encoding + */ + TQByteArray toDer(); + + /** + * Convert the certificate to PEM (base64) format. + * @return the binary data of the PEM encoding + */ + TQByteArray toPem(); + + /** + * Convert the certificate to Netscape format. + * @return the binary data of the Netscape encoding + */ + TQByteArray toNetscape(); + + /** + * Convert the certificate to OpenSSL plain text format. + * @return the OpenSSL text encoding + */ + TQString toText(); + + /** + * Get the serial number of the certificate. + * @return the serial number as a string + */ + TQString getSerialNumber() const; + + /** + * Get the key type (RSA, DSA, etc). + * @return the key type as a string + */ + TQString getKeyType() const; + + /** + * Get the public key. + * @return the public key as a hexidecimal string + */ + TQString getPublicKeyText() const; + + /** + * Get the MD5 digest of the certificate. + * Result is padded with : to separate bytes - it's a text version! + * @return the MD5 digest in a hexidecimal string + */ + TQString getMD5DigestText() const; + + /** + * Get the MD5 digest of the certificate. + * @return the MD5 digest in a hexidecimal string + */ + TQString getMD5Digest() const; + + /** + * Get the signature. + * @return the signature in text format + */ + TQString getSignatureText() const; + + /** + * Check if this is a valid certificate. Will use cached data. + * @return true if it is valid + */ + bool isValid(); + + /** + * Check if this is a valid certificate. Will use cached data. + * @param p the purpose to validate for + * @return true if it is valid + */ + bool isValid(KSSLPurpose p); + + /** + * The alternate subject name. + * @return string list with subjectAltName + */ + TQStringList subjAltNames() const; + + /** + * Check if this is a valid certificate. Will use cached data. + * @return the result of the validation + */ + KSSLValidation validate(); + + /** + * Check if this is a valid certificate. Will use cached data. + * @param p the purpose to validate for + * @return the result of the validation + */ + KSSLValidation validate(KSSLPurpose p); + + /** + * Check if this is a valid certificate. Will use cached data. + * @param p the purpose to validate for + * @return all problems encountered during validation + */ + KSSLValidationList validateVerbose(KSSLPurpose p); + + /** + * Check if the certificate ca is a proper CA for this + * certificate. + * @param p the purpose to validate for + * @param ca the certificate to check + * @return all problems encountered during validation + */ + KSSLValidationList validateVerbose(KSSLPurpose p, KSSLCertificate *ca); + + /** + * Check if this is a valid certificate. Will NOT use cached data. + * @return the result of the validation + */ + KSSLValidation revalidate(); + + /** + * Check if this is a valid certificate. Will NOT use cached data. + * @param p the purpose to validate for + * @return the result of the validation + */ + KSSLValidation revalidate(KSSLPurpose p); + + /** + * Get a reference to the certificate chain. + * @return reference to the chain + */ + KSSLCertChain& chain(); + + /** + * Obtain the localized message that corresponds to a validation result. + * @param x the code to look up + * @return the message text corresponding to the validation code + */ + static TQString verifyText(KSSLValidation x); + + /** + * Explicitly make a copy of this certificate. + * @return a copy of the certificate + */ + KSSLCertificate *replicate(); + + /** + * Copy constructor. Beware, this is very expensive. + * @param x the object to copy from + */ + KSSLCertificate(const KSSLCertificate& x); // copy constructor + + /** + * Re-set the certificate from a base64 string. + * @param cert the certificate to set to + * @return true on success + */ + bool setCert(TQString& cert); + + /** + * Access the X.509v3 parameters. + * @return reference to the extension object + * @see KSSLX509V3 + */ + KSSLX509V3& x509V3Extensions(); + + /** + * Check if this is a signer certificate. + * @return true if this is a signer certificate + */ + bool isSigner(); + + /** + * FIXME: document + */ + void getEmails(TQStringList& to) const; + + /** + * KDEKey is a concatenation "Subject (MD5)", mostly needed for SMIME. + * The result of getKDEKey might change and should not be used for + * persistant storage. + */ + TQString getKDEKey() const; + + /** + * Aegypten semantics force us to search by MD5Digest only. + */ + static TQString getMD5DigestFromKDEKey(const TQString& k); + +private: + TDEIO_EXPORT friend int operator!=(KSSLCertificate& x, KSSLCertificate& y); + TDEIO_EXPORT friend int operator==(KSSLCertificate& x, KSSLCertificate& y); + + KSSLCertificatePrivate *d; + int purposeToOpenSSL(KSSLPurpose p) const; + +protected: + KSSLCertificate(); + + void setCert(X509 *c); + void setChain(void *c); + X509 *getCert(); + KSSLValidation processError(int ec); +}; + +TDEIO_EXPORT TQDataStream& operator<<(TQDataStream& s, const KSSLCertificate& r); +TDEIO_EXPORT TQDataStream& operator>>(TQDataStream& s, KSSLCertificate& r); + +TDEIO_EXPORT int operator==(KSSLCertificate& x, KSSLCertificate& y); +TDEIO_EXPORT inline int operator!=(KSSLCertificate& x, KSSLCertificate& y) +{ return !(x == y); } + +#endif + |