CACertificate Class Reference

#include <CACertificate.hpp>

Collaboration diagram for CACertificate:

Public Member Functions
	~CACertificate ()
CACertificate *	clone () const
SINT32	encode (UINT8 *buff, UINT32 *bufflen, UINT32 type) const
SINT32	encode (DOMElement *&elemRoot, XERCES_CPP_NAMESPACE::DOMDocument *doc) const
SINT32	getRawSubjectKeyIdentifier (UINT8 *r_ski, UINT32 *r_skiLen)
SINT32	getAuthorityKeyIdentifier (UINT8 *r_aki, UINT32 *r_akiLen) const
SINT32	getSubjectKeyIdentifier (UINT8 *r_ski, UINT32 *r_skiLen)
	LERNGRUPPE Accessor method for the subjectKeyIdentifier (SKI) extension stored in this certificate. More...
SINT32	setSubjectKeyIdentifier (UINT8 *a_value, UINT32 a_valueLen)
	LERNGRUPPE Sets the subjectKeyIdentifier extension for this certificate to the given value. More...
SINT32	setSubjectKeyIdentifier ()
	LERNGRUPPE Sets the subjectKeyIdentifier extension for this certificate to the hash of the public key. More...
SINT32	verify (const CACertificate *a_cert) const
bool	isValid () const

Static Public Member Functions
static CACertificate *	decode (const UINT8 *const buff, UINT32 bufflen, UINT32 type, const char *const passwd=NULL)
	Extracts a certificate from an encoded (DER,XML) form. More...
static CACertificate *	decode (const DOMNode *node, UINT32 type, const char *passwd=NULL)
static UINT8 *	getXmlElementName ()
static SINT32	removeColons (const UINT8 *a_cSki, UINT32 a_cSkiLen, UINT8 *&r_ski, UINT32 *r_skiLen)
	LERNGRUPPE Removes the colons from the string representation of the given SKI. More...

Private Member Functions
	CACertificate ()
	CACertificate (X509 *x)
X509 *	getX509 () const

Static Private Member Functions
static X509 *	decode (const UINT8 **derX509, UINT32 derX509Len)

Private Attributes
X509 *	m_pCert
ASN1_OCTET_STRING *	m_pSKI
AUTHORITY_KEYID *	m_pAKI

Static Private Attributes
static UINT8 *	m_spXmlElementName =0

Friends
class	CASignature
class	CAASymCipher
class	CASSLContext
class	CATLSClientSocket

Detailed Description

Definition at line 39 of file CACertificate.hpp.

Constructor & Destructor Documentation

~CACertificate()

CACertificate::~CACertificate ( )

inline

Definition at line 47 of file CACertificate.hpp.

        {
          X509_free(m_pCert);
          ASN1_OCTET_STRING_free(m_pSKI);
          AUTHORITY_KEYID_free(m_pAKI);
        }

References m_pAKI, m_pCert, and m_pSKI.

CACertificate() [1/2]

CACertificate::CACertificate ( )

private

Definition at line 38 of file CACertificate.cpp.

  {
    m_pCert = NULL;
    m_pSKI = NULL;
    m_pAKI = NULL;
  }

References m_pAKI, m_pCert, and m_pSKI.

Referenced by clone(), and decode().

Here is the caller graph for this function:

CACertificate() [2/2]

CACertificate::CACertificate ( X509 *  x )

private

Definition at line 45 of file CACertificate.cpp.

  {
    m_pCert = x;
    m_pSKI = NULL;
    m_pAKI = NULL;
    if(m_pCert != NULL)
      {
        m_pSKI = (ASN1_OCTET_STRING*) X509_get_ext_d2i(m_pCert, NID_subject_key_identifier, NULL, NULL);
        m_pAKI = (AUTHORITY_KEYID*) X509_get_ext_d2i (m_pCert, NID_authority_key_identifier, NULL, NULL);
      }
  }

References m_pAKI, m_pCert, and m_pSKI.

Member Function Documentation

clone()

CACertificate* CACertificate::clone ( ) const

inline

Definition at line 53 of file CACertificate.hpp.

        {
          X509* x = X509_dup(m_pCert);
          CACertificate* tmp = new CACertificate(x);
          return tmp;
        }

References CACertificate(), and m_pCert.

Referenced by CACertStore::add(), CACmdLnOptions::getLogEncryptionKey(), CACmdLnOptions::getNextMixTestCertificate(), CACmdLnOptions::getPrevMixTestCertificate(), CACmdLnOptions::setNextMixTestCertificate(), CACmdLnOptions::setPrevMixTestCertificate(), and CATLSClientSocket::setServerCertificate().

Here is the call graph for this function:

Here is the caller graph for this function:

decode() [1/3]

CACertificate * CACertificate::decode ( const DOMNode *  node, UINT32  type, const char *  passwd = NULL  )

static

Definition at line 85 of file CACertificate.cpp.

  {
    const DOMNode* node=n;
    switch(type)
      {
        case CERT_PKCS12:
          while(node!=NULL)
            {
              if(equals(node->getNodeName(),"X509PKCS12"))
                {
                  UINT32 strLen=4096;
                  UINT8* tmpStr=new UINT8[strLen];
                  CACertificate* cert=NULL;
                  if(getDOMElementValue(node,tmpStr,&strLen)!=E_SUCCESS)
                    {
                      delete[] tmpStr;
                      tmpStr = NULL;
                      return NULL;
                    }
                  UINT32 decLen=4096;
                  UINT8* decBuff=new UINT8[decLen];
                  SINT32 ret=CABase64::decode((UINT8*)tmpStr,strLen,decBuff,&decLen);
                  delete[] tmpStr;
                  tmpStr = NULL;
                  if(ret==E_SUCCESS)
                    {
                      cert=decode(decBuff,decLen,CERT_PKCS12,passwd);
                    }
                  delete[] decBuff;
                  decBuff = NULL;
                  return cert;
                }
              node=node->getNextSibling();
            }
        break;
        case  CERT_X509CERTIFICATE:
          while(node!=NULL)
            {
              if(equals(node->getNodeName(),"X509Certificate"))
                {
                  UINT32 strLen=4096;
                  UINT8* tmpStr=new UINT8[strLen];
                  CACertificate* cert=NULL;
                  if(getDOMElementValue(node,tmpStr,&strLen)!=E_SUCCESS)
                    {
                      delete[] tmpStr;
                      tmpStr = NULL;
                      return NULL;
                    }
                  UINT32 decLen=4096;
                  UINT8* decBuff=new UINT8[decLen];
                  SINT32 ret=CABase64::decode((UINT8*)tmpStr,strLen,decBuff,&decLen);
                  delete[] tmpStr;
                  tmpStr = NULL;
                  if(ret==E_SUCCESS)
                    {
                      cert=decode(decBuff,decLen,CERT_DER);
                    }
                  delete[] decBuff;
                  decBuff = NULL;
                  return cert;
                }
              node=node->getNextSibling();
            }
 
      }
    return NULL;
  }

References CERT_DER, CERT_PKCS12, CERT_X509CERTIFICATE, decode(), CABase64::decode(), E_SUCCESS, equals(), getDOMElementValue(), and type.

Here is the call graph for this function:

decode() [2/3]

static X509* CACertificate::decode ( const UINT8 **  derX509, UINT32  derX509Len  )

staticprivate

decode() [3/3]

CACertificate * CACertificate::decode ( const UINT8 *const  buff, UINT32  bufflen, UINT32  type, const char *const  passwd = NULL  )

static

Extracts a certificate from an encoded (DER,XML) form.

Definition at line 154 of file CACertificate.cpp.

  {
    if(buff==NULL)
      return NULL;
    X509* tmpCert=NULL;
    EVP_PKEY* tmpKey=NULL;
    SINT32 ret=-1;
    const UINT8* tmp=buff;
    switch(type)
      {
        case CERT_DER:
          tmp=buff;
          #if OPENSSL_VERSION_NUMBER  > 0x009070CfL
            tmpCert=d2i_X509(NULL,&tmp,bufflen);
          #else
            tmpCert=d2i_X509(NULL,(UINT8**)&tmp,bufflen);
          #endif
        break;
        case CERT_PKCS12:
          PKCS12* tmpPKCS12;
          #if OPENSSL_VERSION_NUMBER  > 0x009070CfL
            tmpPKCS12=d2i_PKCS12(NULL,&tmp,bufflen);
          #else
            tmpPKCS12=d2i_PKCS12(NULL,(UINT8**)&tmp,bufflen);
          #endif
          /*Note: Basically we are not interested in the private keys here - but still we need cannot supply
           *NULL for that parameter, as OpenSSL 1.0.0. would not work in that case*/
          ret=PKCS12_parse(tmpPKCS12,passwd,&tmpKey,&tmpCert,NULL);
          PKCS12_free(tmpPKCS12);
          EVP_PKEY_free(tmpKey);
          if(ret!=1)
            {
              return NULL;
            }
        break;
        case CERT_XML_X509CERTIFICATE:
          XERCES_CPP_NAMESPACE::DOMDocument* doc=parseDOMDocument(buff,bufflen);
          if(doc == NULL)
          {
            return NULL;
          }
          DOMElement* root=doc->getDocumentElement();
          if(root==NULL||!equals(root->getNodeName(),"X509Certificate"))
          {
            return NULL;
          }
          UINT8* tmpBuff=new UINT8[bufflen];
          UINT32 tmpBuffSize=bufflen;
          if(getDOMElementValue(root,tmpBuff,&tmpBuffSize)==E_SUCCESS)
            {
              ret=CABase64::decode(tmpBuff,tmpBuffSize,tmpBuff,&tmpBuffSize);
            }
          tmp=tmpBuff;
          if(ret==E_SUCCESS)
            {
              #if OPENSSL_VERSION_NUMBER  > 0x009070CfL
                tmpCert=d2i_X509(NULL,&tmp,tmpBuffSize);
              #else
                tmpCert=d2i_X509(NULL,(UINT8**)&tmp,tmpBuffSize);
              #endif
            }
          delete[] tmpBuff;
          tmpBuff = NULL;
          break;
      }
    if(tmpCert == NULL)
    {
      return NULL;
    }
    return new CACertificate(tmpCert);
  }

References CACertificate(), CERT_DER, CERT_PKCS12, CERT_XML_X509CERTIFICATE, CABase64::decode(), E_SUCCESS, equals(), getDOMElementValue(), parseDOMDocument(), and type.

Referenced by CACertStore::decode(), decode(), CACmdLnOptions::setLoggingOptions(), CACmdLnOptions::setNextMix(), CACmdLnOptions::setNextMixCertificate(), CACmdLnOptions::setOwnCertificate(), CACmdLnOptions::setOwnOperatorCertificate(), CACmdLnOptions::setPrevMixCertificate(), and CACmdLnOptions::setTrustedRootCertificates().

Here is the call graph for this function:

Here is the caller graph for this function:

encode() [1/2]

SINT32 CACertificate::encode	(	DOMElement *&	elemRoot,
		XERCES_CPP_NAMESPACE::DOMDocument *	doc
	)		const

Definition at line 259 of file CACertificate.cpp.

  {
    elemRoot=createDOMElement(doc,"X509Certificate");
    UINT8 buff[2048]; //TODO: Very bad --> looks like easy buffer overflow... [donn't care at the moment...]
    UINT8* tmp=buff;
    int i=i2d_X509(m_pCert,&tmp); //now we need DER
    UINT32 bufflen=2048;
    CABase64::encode(buff,i,buff,&bufflen); //now we have it converted to Base64
    buff[bufflen]=0;
    setDOMElementValue(elemRoot,buff);
    return E_SUCCESS;
  }

References createDOMElement(), E_SUCCESS, CABase64::encode(), m_pCert, and setDOMElementValue().

Here is the call graph for this function:

encode() [2/2]

SINT32 CACertificate::encode	(	UINT8 *	buff,
		UINT32 *	bufflen,
		UINT32	type
	)		const

Definition at line 226 of file CACertificate.cpp.

  {
    if(m_pCert==NULL||buff==NULL||bufflen==NULL)
      return E_UNKNOWN;
    int i=0;
    UINT8* tmp=buff;
    switch(type)
      {
        case CERT_DER:
          i=i2d_X509(m_pCert,&tmp);
          if(i==0)
            return E_UNKNOWN;
          *bufflen=i;
        break;
        case CERT_XML_X509CERTIFICATE:
        #define X509_CERTIFICATE_TAGNAME_LEN 17
          memcpy(buff,"<X509Certificate>",X509_CERTIFICATE_TAGNAME_LEN); //we start with '<X509Certificate>'
          tmp+=X509_CERTIFICATE_TAGNAME_LEN;
          i=i2d_X509(m_pCert,&tmp); //now we need DER
          if(i==0)
            return E_UNKNOWN;
          CABase64::encode( buff+X509_CERTIFICATE_TAGNAME_LEN,i,
                            buff+X509_CERTIFICATE_TAGNAME_LEN,bufflen); //now we have it converted to Base64
          memcpy( buff+X509_CERTIFICATE_TAGNAME_LEN+*bufflen,
                  "</X509Certificate>",X509_CERTIFICATE_TAGNAME_LEN+1); //we end it with '</X509Certificate>'
          *bufflen+=2*X509_CERTIFICATE_TAGNAME_LEN+1;
        break;
        default:
          return E_UNKNOWN;
      }
    return E_SUCCESS;
  }

References CERT_DER, CERT_XML_X509CERTIFICATE, E_SUCCESS, E_UNKNOWN, CABase64::encode(), m_pCert, type, and X509_CERTIFICATE_TAGNAME_LEN.

Referenced by CACmdLnOptions::buildDefaultConfig(), and CACertStore::encode().

Here is the call graph for this function:

Here is the caller graph for this function:

getAuthorityKeyIdentifier()

SINT32 CACertificate::getAuthorityKeyIdentifier	(	UINT8 *	r_aki,
		UINT32 *	r_akiLen
	)		const

Definition at line 488 of file CACertificate.cpp.

{
  if(m_pAKI == NULL)
  {
    return E_UNKNOWN;
  }
 
  ASN1_OCTET_STRING* pKeyID = NULL;
  pKeyID = m_pAKI->keyid;
  if(pKeyID == NULL)
  {
    return E_UNKNOWN;
  }
 
  // Get the ASCII string format of the authority key identifier
  UINT8* cKeyID = (UINT8*)i2s_ASN1_OCTET_STRING(NULL, pKeyID);
  if (cKeyID == NULL)
  {
    return E_UNKNOWN;
  }
  removeColons(cKeyID, strlen((const char*)cKeyID), r_aki, r_akiLen);
  OPENSSL_free(cKeyID);
  return E_SUCCESS;
}

References E_SUCCESS, E_UNKNOWN, m_pAKI, and removeColons().

Referenced by CACmdLnOptions::setOwnCertificate().

Here is the call graph for this function:

Here is the caller graph for this function:

getRawSubjectKeyIdentifier()

SINT32 CACertificate::getRawSubjectKeyIdentifier	(	UINT8 *	r_ski,
		UINT32 *	r_skiLen
	)

Definition at line 463 of file CACertificate.cpp.

{
  if (m_pSKI == NULL)
  {
    setSubjectKeyIdentifier();
    if(m_pSKI == NULL)
    {
      CAMsg::printMsg( LOG_ERR, "Unable to retrieve raw SKI from Certificate\n");
      return E_UNKNOWN;
        }
 
  }
  if(*r_skiLen < (UINT32) m_pSKI->length)
  {
    CAMsg::printMsg( LOG_ERR, "Unable to copy SKI to target array, size must at least be %i but is only %i!\n", m_pSKI->length, r_skiLen );
    return E_UNKNOWN;
  }
  *r_skiLen = m_pSKI->length;
  for(SINT32 i=0; i<m_pSKI->length; i++)
  {
    r_ski[i] = m_pSKI->data[i];
  }
  return E_SUCCESS;
}

References E_SUCCESS, E_UNKNOWN, m_pSKI, CAMsg::printMsg(), and setSubjectKeyIdentifier().

Referenced by CACmdLnOptions::setOwnCertificate().

Here is the call graph for this function:

Here is the caller graph for this function:

getSubjectKeyIdentifier()

SINT32 CACertificate::getSubjectKeyIdentifier	(	UINT8 *	r_ski,
		UINT32 *	r_skiLen
	)

LERNGRUPPE Accessor method for the subjectKeyIdentifier (SKI) extension stored in this certificate.

Returns

r_ski The SKI as colon-free string

r_skiLen The length of r_ski

Return values

E_SUCCESS	upon successful retrieval
E_UNKNOWN	otherwise

Definition at line 280 of file CACertificate.cpp.

{
    if (m_pSKI == NULL)
    {
#ifdef DEBUG
        CAMsg::printMsg( LOG_ERR, "Unable to get SKI from Certificate, trying to recover\n");
#endif
        setSubjectKeyIdentifier();
        if(m_pSKI == NULL)
        {
            CAMsg::printMsg( LOG_ERR, "Unable to retrieve 1SKI from Certificate\n");
            return E_UNKNOWN;
        }
#ifdef DEBUG
        else
        {
            CAMsg::printMsg( LOG_ERR, "Recovery SUCCESSFUL!\n");
        }
#endif
    }
    // Get the ASCII string format of the subject key identifier
    UINT8* cSki = (UINT8*)i2s_ASN1_OCTET_STRING( NULL, m_pSKI );
    if ( cSki==NULL )
    {
        CAMsg::printMsg( LOG_ERR, "Unable to convert SKI\n");
        return E_UNKNOWN;
    }
#ifdef DEBUG
    CAMsg::printMsg( LOG_ERR, "getSubjectKeyIdentifier: SKI is %s\n", cSki);
#endif
    removeColons(cSki, strlen((const char*)cSki), r_ski, r_skiLen);
  OPENSSL_free(cSki);
    return E_SUCCESS;
}

References E_SUCCESS, E_UNKNOWN, m_pSKI, CAMsg::printMsg(), removeColons(), and setSubjectKeyIdentifier().

Referenced by CACmdLnOptions::buildDefaultConfig(), CACmdLnOptions::getOperatorSubjectKeyIdentifier(), and CACmdLnOptions::setOwnCertificate().

Here is the call graph for this function:

Here is the caller graph for this function:

getX509()

X509* CACertificate::getX509 ( ) const

inlineprivate

Definition at line 92 of file CACertificate.hpp.

        {
          return m_pCert;
        }

References m_pCert.

Referenced by CATLSClientSocket::doTLSConnect().

Here is the caller graph for this function:

getXmlElementName()

static UINT8* CACertificate::getXmlElementName ( )

inlinestatic

Definition at line 66 of file CACertificate.hpp.

        {
          if(!CACertificate::m_spXmlElementName)
          {
            UINT8 name[] = "X509Certificate";
            CACertificate::m_spXmlElementName = new UINT8[strlen((char*)name)+1];
            strcpy((char*)CACertificate::m_spXmlElementName, (char*)name);
          }
          return CACertificate::m_spXmlElementName;
        }

References m_spXmlElementName.

isValid()

bool CACertificate::isValid

(

)

const

Definition at line 420 of file CACertificate.cpp.

{
#ifdef __BUILD_AS_SHADOW_PLUGIN__
//if the build the Mix as a plugin for the shadow simulator, we do not test certificate validity, because
//the shadow simulator uses it own time base make this checks kind of usesless / break the simulation
return true;
 
#endif //D__BUILD_AS_SHADOW_PLUGIN__
#if  OPENSSL_VERSION_NUMBER > 0x100020cfL
  const ASN1_TIME* pValidNotBefore=X509_get0_notBefore(m_pCert);
  const ASN1_TIME* pValidNotAfter=X509_get0_notAfter(m_pCert);
#else
  ASN1_TIME* pValidNotBefore=X509_get_notBefore(m_pCert);
  ASN1_TIME* pValidNotAfter=X509_get_notAfter(m_pCert);
#endif
  if(X509_cmp_current_time( pValidNotBefore) <0 && X509_cmp_current_time(pValidNotAfter) >0)
    {
      return true;
    }
  //check if certificate is valid within grace period of two months
  time_t now = time(NULL);    //get current time;
  tm* time = new tm;
  time = gmtime_r(&now, time);  //convert time to modifiable format
  if(time->tm_mon < 2)      //go back two months in time
  {
    time->tm_mon = time->tm_mon+10;
    time->tm_year = time->tm_year-1;
  }
  else
  {
    time->tm_mon = time->tm_mon-2;
  }
  time_t ttiq  = mktime(time);    //convert time back to time_t and check again
  delete time;
  time = NULL;
  if(X509_cmp_time( pValidNotBefore, &ttiq) <0 && X509_cmp_time(pValidNotAfter, &ttiq) >0)
    {
      CAMsg::printMsg(LOG_WARNING, "Certificate is only valid within grace period of two months!\n");
      return true;
    }
  return false;
}

References m_pCert, and CAMsg::printMsg().

Referenced by verify().

Here is the call graph for this function:

Here is the caller graph for this function:

removeColons()

SINT32 CACertificate::removeColons ( const UINT8 *  a_cSkid, UINT32  a_cSkidLen, UINT8 *&  r_ski, UINT32 *  r_skiLen  )

static

LERNGRUPPE Removes the colons from the string representation of the given SKI.

Parameters

a_cSkid	The string from which the colons should be removed
a_cSkidLen	The length of a_cSkid
r_ski
r_skiLen

Returns

r_ski The SKI as colon-free string

r_skiLen The length of r_ski

Return values

E_SUCCESS	upon successful removal
E_UNKNOWN	otherwise

Definition at line 341 of file CACertificate.cpp.

{
    UINT32 i = 0, j = 0;
    UINT32 tmp = (2*a_cSkidLen)/3 + 2;
    if(*r_skiLen < tmp)
    {
        CAMsg::printMsg( LOG_ERR, "CACertificate::removeColons: Unable to copy SKI to target array, size must at least be %i but is only %i!\n", tmp, *r_skiLen);
        return E_UNKNOWN;
    }
    for(i = 0; i < a_cSkidLen; i++)
    {
        if(i % 3 == 2) {
            j++;
            continue;
        }
        r_ski[i-j] = a_cSkid[i];
    }
    r_ski[i-j] = 0;
    *r_skiLen = i-j;
    return E_SUCCESS;
}

References E_SUCCESS, E_UNKNOWN, and CAMsg::printMsg().

Referenced by getAuthorityKeyIdentifier(), CAMultiSignature::getSKI(), and getSubjectKeyIdentifier().

Here is the call graph for this function:

Here is the caller graph for this function:

setSubjectKeyIdentifier() [1/2]

SINT32 CACertificate::setSubjectKeyIdentifier

(

)

LERNGRUPPE Sets the subjectKeyIdentifier extension for this certificate to the hash of the public key.

Return values

E_SUCCESS	upon successful removal
E_UNKNOWN	otherwise

Definition at line 321 of file CACertificate.cpp.

{
    UINT32 len = 0;
    UINT8 sha_hash[SHA_DIGEST_LENGTH];
    X509_pubkey_digest(m_pCert, EVP_sha1(), sha_hash, &len);
    return setSubjectKeyIdentifier( sha_hash, len );
}

References len, and m_pCert.

Referenced by getRawSubjectKeyIdentifier(), and getSubjectKeyIdentifier().

Here is the caller graph for this function:

setSubjectKeyIdentifier() [2/2]

SINT32 CACertificate::setSubjectKeyIdentifier	(	UINT8 *	a_value,
		UINT32	a_valueLen
	)

LERNGRUPPE Sets the subjectKeyIdentifier extension for this certificate to the given value.

Parameters

a_value	The value which should be set as SKI
a_valueLen	The length of a_value

Return values

E_SUCCESS	upon successful removal
E_UNKNOWN	otherwise

Definition at line 64 of file CACertificate.cpp.

{
    SINT32 ret = E_UNKNOWN;
    ASN1_OCTET_STRING* skid = NULL;
 
    skid = ASN1_OCTET_STRING_new();
    if(NULL == skid)   goto end;
 
    ASN1_OCTET_STRING_set(skid, a_value, a_valueLen);
    if( X509_add1_ext_i2d(m_pCert, NID_subject_key_identifier, skid, false, X509V3_ADD_REPLACE) == 1)
    {
      m_pSKI = skid;
      ret = E_SUCCESS;
    }
 
end:
    //ASN1_OCTET_STRING_free(skid);
    return ret;
}

References E_SUCCESS, E_UNKNOWN, m_pCert, and m_pSKI.

verify()

SINT32 CACertificate::verify

(

const CACertificate *

a_cert

)

const

Definition at line 363 of file CACertificate.cpp.

{
  if(a_cert == NULL || a_cert->m_pCert == NULL || m_pCert == NULL)
  {
    return E_UNKNOWN;
  }
  //check validity
  if(!isValid())
  {
    CAMsg::printMsg(LOG_ERR, "Verification Error: Certificate is not valid!\n");
    return E_UNKNOWN;
  }
  //namechaining...
  if(X509_NAME_cmp(X509_get_issuer_name(m_pCert), X509_get_subject_name(a_cert->m_pCert)) != 0)
  {
    CAMsg::printMsg(LOG_ERR, "Verification Error: Names do not match!\n");
    return E_UNKNOWN;
  }
  //keychaining... (only if available)
  if(m_pAKI != NULL && a_cert->m_pSKI != NULL)
  {
    if(ASN1_OCTET_STRING_cmp(m_pAKI->keyid, a_cert->m_pSKI) != 0)
    {
      CAMsg::printMsg(LOG_ERR, "Verification Error: Key Identifiers do not match!\n");
      return E_UNKNOWN;
    }
  }
  //get public key
  EVP_PKEY* pubKey = X509_get_pubkey(a_cert->m_pCert);
  if(pubKey == NULL)
  {
    CAMsg::printMsg(LOG_ERR, "Verification Error: Public Key is NULL!\n");
    return E_UNKNOWN;
  }
  //check if public key and signature algorithm match -> does not work because of openssl bug!
  //SINT32 sigType = X509_get_signature_type(m_pCert);
  /*SINT32 sigType = OBJ_obj2nid((m_pCert)->sig_alg->algorithm);
  SINT32 keyType = EVP_PKEY_type(pubKey->type);
  CAMsg::printMsg(LOG_DEBUG, "sigType is %d and keyType is %d\n", sigType, keyType);
  if((sigType != (NID_dsaWithSHA1 || NID_sha1WithRSAEncryption ||NID_ecdsa_with_SHA1))
      && keyType != EVP_PKEY_DSA) ||
     (sigType == NID_sha1WithRSAEncryption && keyType != EVP_PKEY_RSA) ||
     (sigType == NID_ecdsa_with_SHA1 && keyType != EVP_PKEY_EC))
  {
    CAMsg::printMsg(LOG_ERR, "Verification Error: Signature Algorithm does not match!\n");
    //return E_UNKNOWN;
  }*/
  SINT32 ret = X509_verify(m_pCert, pubKey);
  if(ret == 1)
  {
    CAMsg::printMsg(LOG_DEBUG, "Successfully verified certificate.\n");
    return E_SUCCESS;
  }
  CAMsg::printMsg(LOG_ERR, "Verification Error: Signature is not correct!\n");
  return E_UNKNOWN;
}

References E_SUCCESS, E_UNKNOWN, isValid(), m_pAKI, m_pCert, m_pSKI, and CAMsg::printMsg().

Referenced by CACmdLnOptions::setOwnCertificate(), and CACertStore::verifyMixCert().

Here is the call graph for this function:

Here is the caller graph for this function:

Friends And Related Function Documentation

CAASymCipher

friend class CAASymCipher

friend

Definition at line 42 of file CACertificate.hpp.

CASignature

friend class CASignature

friend

Definition at line 41 of file CACertificate.hpp.

CASSLContext

friend class CASSLContext

friend

Definition at line 43 of file CACertificate.hpp.

CATLSClientSocket

friend class CATLSClientSocket

friend

Definition at line 44 of file CACertificate.hpp.

Member Data Documentation

m_pAKI

AUTHORITY_KEYID* CACertificate::m_pAKI

private

Definition at line 98 of file CACertificate.hpp.

Referenced by CACertificate(), getAuthorityKeyIdentifier(), verify(), and ~CACertificate().

m_pCert

X509* CACertificate::m_pCert

private

Definition at line 96 of file CACertificate.hpp.

Referenced by CACertificate(), clone(), encode(), CASignature::getSignKey(), getX509(), isValid(), CAASymCipher::setPublicKey(), setSubjectKeyIdentifier(), CASignature::setVerifyKey(), verify(), and ~CACertificate().

m_pSKI

ASN1_OCTET_STRING* CACertificate::m_pSKI

private

Definition at line 97 of file CACertificate.hpp.

Referenced by CACertificate(), getRawSubjectKeyIdentifier(), getSubjectKeyIdentifier(), setSubjectKeyIdentifier(), verify(), and ~CACertificate().

m_spXmlElementName

UINT8 * CACertificate::m_spXmlElementName =0

staticprivate

Definition at line 99 of file CACertificate.hpp.

Referenced by getXmlElementName().

---

The documentation for this class was generated from the following files:

• CACertificate.hpp
• CACertificate.cpp