
nordugrid-arc-nox  1.1.0~rc6
CertUtil.h
00001 #ifndef __ARC_CERTUTIL_H__
00002 #define __ARC_CERTUTIL_H__
00003 
00004 #include <string>
00005 #include <openssl/pem.h>
00006 #include <openssl/x509.h>
00007 #include <openssl/stack.h>
00008 
00009 #include <arc/credential/Proxycertinfo.h>
00010 
00011 namespace ArcCredential {
00012   
/* OIDs under which the proxyCertInfo extension may appear in a certificate.
 * The verifier has to recognise all generations of proxy certificates this
 * library supports, so each generation's OID is named here. */
/* Pre-RFC proxyCertInfo OID (the "GSI-3" generation; 1.3.6.1.4.1.3536 is a
 * private-enterprise arc, not an IETF-assigned one). */
#define PROXYCERTINFO_V3      "1.3.6.1.4.1.3536.1.222"
#ifdef HAVE_OPENSSL_PROXY
  /* NOTE(review): this value is not the RFC 3820 id-pe-proxyCertInfo OID
   * (that one is PROXYCERTINFO_OPENSSL below).  Presumably chosen so that an
   * OpenSSL built with native proxy support does not process the extension
   * itself; confirm against the verifier before changing either value. */
  #define PROXYCERTINFO_V4      "1.3.6.1.5.5.7.1.1400"
#else
  /* Without native OpenSSL proxy support, V4 is the RFC 3820 OID itself. */
  #define PROXYCERTINFO_V4      "1.3.6.1.5.5.7.1.14"
#endif
/* RFC 3820 id-pe-proxyCertInfo OID. */
#define PROXYCERTINFO_OPENSSL      "1.3.6.1.5.5.7.1.14"
00020 
00021  
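/* Certificate Types */
/** Classification of a certificate as seen by the proxy-aware verifier.
 *  Enumerator values are positional (CERT_TYPE_EEC == 0), so new types
 *  should be appended rather than inserted to keep existing values stable. */
typedef enum {
  /** End-entity certificate (neither a CA nor a proxy). */
  CERT_TYPE_EEC,
  /** Certification-authority certificate. */
  CERT_TYPE_CA,
  /** GSI-3 (pre-RFC proxyCertInfo, see PROXYCERTINFO_V3) proxy types. */
  CERT_TYPE_GSI_3_IMPERSONATION_PROXY,
  CERT_TYPE_GSI_3_INDEPENDENT_PROXY,
  CERT_TYPE_GSI_3_LIMITED_PROXY,
  CERT_TYPE_GSI_3_RESTRICTED_PROXY,
  /** GSI-2 (legacy, no proxyCertInfo extension) proxy types. */
  CERT_TYPE_GSI_2_PROXY,
  CERT_TYPE_GSI_2_LIMITED_PROXY,
  /** RFC 3820 proxy types, distinguished by policy language. */
  CERT_TYPE_RFC_IMPERSONATION_PROXY,
  CERT_TYPE_RFC_INDEPENDENT_PROXY,
  CERT_TYPE_RFC_LIMITED_PROXY,
  CERT_TYPE_RFC_RESTRICTED_PROXY,
  CERT_TYPE_RFC_ANYLANGUAGE_PROXY
} certType;

/* Predicates over certType.
 *
 * These are macros, so the argument is evaluated once per comparison and
 * is expanded textually; it is now parenthesised so that an expression
 * argument (e.g. `a ? b : c`) is compared as a whole instead of having the
 * `==` bind to its last operand.  Still, prefer passing a plain value. */

/** RFC 3820 proxies of any policy language. */
#define CERT_IS_RFC_PROXY(cert_type) \
    ((cert_type) == CERT_TYPE_RFC_IMPERSONATION_PROXY || \
     (cert_type) == CERT_TYPE_RFC_INDEPENDENT_PROXY || \
     (cert_type) == CERT_TYPE_RFC_LIMITED_PROXY || \
     (cert_type) == CERT_TYPE_RFC_RESTRICTED_PROXY || \
     (cert_type) == CERT_TYPE_RFC_ANYLANGUAGE_PROXY)

/** Pre-RFC (GSI-3) proxies of any policy. */
#define CERT_IS_GSI_3_PROXY(cert_type) \
    ((cert_type) == CERT_TYPE_GSI_3_IMPERSONATION_PROXY || \
     (cert_type) == CERT_TYPE_GSI_3_INDEPENDENT_PROXY || \
     (cert_type) == CERT_TYPE_GSI_3_LIMITED_PROXY || \
     (cert_type) == CERT_TYPE_GSI_3_RESTRICTED_PROXY)

/** Legacy GSI-2 proxies (full or limited). */
#define CERT_IS_GSI_2_PROXY(cert_type) \
    ((cert_type) == CERT_TYPE_GSI_2_PROXY || \
     (cert_type) == CERT_TYPE_GSI_2_LIMITED_PROXY)

/** Any proxy certificate: the union of the three families above.
 *  Defined in terms of the family predicates so the three lists cannot
 *  drift apart; macros expand at the use site, so definition order here
 *  does not matter. */
#define CERT_IS_PROXY(cert_type) \
    (CERT_IS_GSI_3_PROXY(cert_type) || \
     CERT_IS_RFC_PROXY(cert_type) || \
     CERT_IS_GSI_2_PROXY(cert_type))

/** Proxies whose policy makes them independent of the issuer's identity. */
#define CERT_IS_INDEPENDENT_PROXY(cert_type) \
    ((cert_type) == CERT_TYPE_RFC_INDEPENDENT_PROXY || \
     (cert_type) == CERT_TYPE_GSI_3_INDEPENDENT_PROXY)

/** Proxies carrying a restricting policy (GSI-2 has no restricted form). */
#define CERT_IS_RESTRICTED_PROXY(cert_type) \
    ((cert_type) == CERT_TYPE_RFC_RESTRICTED_PROXY || \
     (cert_type) == CERT_TYPE_GSI_3_RESTRICTED_PROXY)

/** Limited proxies of every family. */
#define CERT_IS_LIMITED_PROXY(cert_type) \
    ((cert_type) == CERT_TYPE_RFC_LIMITED_PROXY || \
     (cert_type) == CERT_TYPE_GSI_3_LIMITED_PROXY || \
     (cert_type) == CERT_TYPE_GSI_2_LIMITED_PROXY)

/** Proxies that act with the issuer's identity.  Note that limited proxies
 *  and plain GSI-2 proxies count as impersonation here; independent and
 *  restricted proxies do not. */
#define CERT_IS_IMPERSONATION_PROXY(cert_type) \
    ((cert_type) == CERT_TYPE_RFC_IMPERSONATION_PROXY || \
     (cert_type) == CERT_TYPE_RFC_LIMITED_PROXY || \
     (cert_type) == CERT_TYPE_GSI_3_IMPERSONATION_PROXY || \
     (cert_type) == CERT_TYPE_GSI_3_LIMITED_PROXY || \
     (cert_type) == CERT_TYPE_GSI_2_PROXY || \
     (cert_type) == CERT_TYPE_GSI_2_LIMITED_PROXY)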
00106 
/* VERIFY_CTX_STORE_EX_DATA_IDX here could be a temporary solution.
 * OpenSSL >= 0.9.8 has get_proxy_auth_ex_data_idx() which is
 * specific for the proxy extension.
 *
 * NOTE(review): a hard-coded X509_STORE_CTX ex_data slot is only safe while
 * nothing else in the process registers its own ex_data on the same object;
 * an index obtained once via X509_STORE_CTX_get_ex_new_index() would remove
 * that collision risk — confirm how the verifier uses this slot before
 * relying on the constant.
 */
#define VERIFY_CTX_STORE_EX_DATA_IDX  1
00112 
/* State carried through one certificate-chain verification.
 * Ownership of the OpenSSL objects referenced here (cert_store, cert_chain)
 * is not expressed by the type; see verify_cert_chain() for who allocates
 * and frees them.  The per-field notes marked "presumably" are inferred
 * from the names only — confirm against the implementation. */
typedef struct {
  X509_STORE_CTX *                    cert_store;       /* OpenSSL store context the verification runs in */
  int                                 cert_depth;       /* presumably the depth of the certificate currently inspected */
  int                                 proxy_depth;      /* presumably the number of proxy certificates seen so far */
  int                                 max_proxy_depth;  /* bound on proxy_depth; how an excess is reported is up to the verifier */
  int                                 limited_proxy;    /* presumably non-zero once a limited proxy has been seen in the chain */
  certType                            cert_type;        /* classification of the certificate under inspection, see certType */
  STACK_OF(X509) *                    cert_chain; /*  X509 */
  std::string                         ca_dir;           /* directory of trusted CA certificates */
  std::string                         ca_file;          /* single file of trusted CA certificates */
  std::string                         proxy_policy; /* The policy attached to proxy cert info extension*/
} cert_verify_context;
00125 
/** Verify @p cert against the trust settings in @p vctx, taking proxy
 *  certificates into account (see certType and the CERT_IS_* predicates).
 *  @param cert       certificate to verify
 *  @param certchain  chain accompanying @p cert; passed as pointer-to-pointer,
 *                    so the callee may replace the stack — ownership of the
 *                    resulting stack is not stated here, check the
 *                    implementation before freeing it
 *  @param vctx       verification state; ca_dir/ca_file supply the trust
 *                    anchors, max_proxy_depth bounds the proxy chain
 *  @return int status; whether this follows the OpenSSL 1/0 convention is
 *          not visible from this header — confirm in the implementation
 *          and never treat the value as success without checking it. */
int verify_cert_chain(X509* cert, STACK_OF(X509)** certchain, cert_verify_context* vctx);
/** Classify @p cert and store the result in @p type.
 *  @return true on success; when false, @p type should not be trusted
 *          (presumably left unchanged — confirm in the implementation). */
bool check_cert_type(X509* cert, certType& type);
/** Human-readable name of @p type for logging and error messages.
 *  The returned pointer is presumably a string literal (no ownership
 *  transferred to the caller) — confirm in the implementation. */
const char* certTypeToString(certType type);
00129 
00130 }
00131 
00132 #endif // __ARC_CERTUTIL_H__