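void ContextImpl::setIdentity(const Certificate& cert)
{
    // Install `cert` and its private key as the identity this context
    // presents to peers. A certificate object without a private key is
    // rejected before any state is touched.
    //
    // @throws InvalidCertificate if `cert` carries no private key, if
    //         OpenSSL refuses the certificate or the key, or if the key
    //         does not belong to the certificate.
    if( ! cert.impl()->pkey() )
        throw InvalidCertificate("invalid certificate");

    // Release the previous identity. The members are nulled before the
    // copies below are made so that an exception from copyX509() or
    // copyPrivateKey() cannot leave a dangling pointer behind.
    if(_pkey)
        EVP_PKEY_free(_pkey);
    _pkey = 0;

    if(_x509)
        X509_free(_x509);
    _x509 = 0;

    _x509 = copyX509( cert.impl()->x509() );
    _pkey = copyPrivateKey( cert.impl()->pkey() );

    if( ! SSL_CTX_use_certificate(_ctx, _x509) )
    {
        throw InvalidCertificate("invalid certificate");
    }

    if( ! SSL_CTX_use_PrivateKey( _ctx, _pkey ) )
    {
        throw InvalidCertificate("invalid certificate");
    }

    // SSL_CTX_use_certificate / SSL_CTX_use_PrivateKey accept the pair
    // without checking that the key actually matches the certificate's
    // public key. A mismatch would otherwise only surface as a handshake
    // failure seen by the peer; fail here instead, where the caller can
    // still act on it.
    if( ! SSL_CTX_check_private_key(_ctx) )
    {
        throw InvalidCertificate("private key does not match certificate");
    }
}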
void ContextImpl::addCertificate(const Certificate& certificate)
{
    // Append `certificate` to the extra chain certificates sent to peers
    // alongside the identity certificate.
    //
    // Ownership: SSL_CTX_add_extra_chain_cert neither copies the X509 nor
    // bumps its reference count, and the SSL_CTX frees it later. A private
    // copy is therefore handed over, and _extraCerts only records the
    // (non-owning) pointer.
    //
    // @throws InvalidCertificate if OpenSSL refuses the certificate.

    // Reserve first so the push_back below cannot throw once the SSL_CTX
    // already owns the copy.
    _extraCerts.reserve(_extraCerts.size() + 1);

    X509* chainCert = copyX509( certificate.impl()->x509() );
    X509AutoPtr guard(chainCert);

    if( ! SSL_CTX_add_extra_chain_cert(_ctx, chainCert) )
        throw InvalidCertificate("invalid extra certificate");

    // From here on the SSL_CTX owns the copy; keep the pointer for bookkeeping.
    _extraCerts.push_back(chainCert);
    guard.release();
}
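void ContextImpl::addCACertificate(const Certificate& trustedCert)
{
    // Add `trustedCert` to the CA certificates this context trusts when
    // verifying a peer.
    //
    // @throws InvalidCertificate if no trust store can be created or if
    //         OpenSSL refuses to add the certificate to it.
    log_trace("adding CA certificate:" << trustedCert.subject());

    // Reserve first so the push_back below cannot throw once the store
    // holds a reference to the copy.
    _caCerts.reserve(_caCerts.size() + 1);

    X509* x509 = copyX509( trustedCert.impl()->x509() );
    X509AutoPtr x509Ptr(x509);

    X509_STORE* store = SSL_CTX_get_cert_store(_ctx);
    if( ! store)
    {
        // No trust store attached yet: create one and hand it to the
        // SSL_CTX immediately (SSL_CTX_set_cert_store takes ownership).
        // Previously the new store was never attached, so the certificate
        // ended up in a store the context never consulted — and leaked.
        log_trace("creating new X509 store");
        store = X509_STORE_new();
        if( ! store )
            throw InvalidCertificate("cannot create X509 store for CA certificate");
        SSL_CTX_set_cert_store(_ctx, store);
    }

    // X509_STORE_add_cert takes its own reference; the copy in _caCerts
    // remains ours to free. NOTE(review): on OpenSSL releases before 1.1.0
    // adding a certificate that is already in the store is reported as a
    // failure, so adding the same CA twice ends up here — confirm against
    // the OpenSSL version in use.
    if( ! X509_STORE_add_cert(store, x509) )
    {
        throw InvalidCertificate("invalid CA certificate");
    }
    
    _caCerts.push_back(x509);
    x509Ptr.release();
}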
/**
 * Hands out an independent copy of the wrapped OpenSSL X509 structure.
 *
 * The caller owns the returned pointer and must release it with
 * X509_free() (or the X509_scope(X509**) macro); the copy held by this
 * object is not affected.
 *
 * @return a fresh X509* produced by copyX509().
 * @throws IOException throws exception if the X509 cert structure copy fails.
 */
X509* digidoc::X509Cert::getX509() const throw(IOException)
{
    X509* duplicate = copyX509(cert);
    return duplicate;
}
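/**
 * Assignment operator.
 *
 * Replaces the wrapped certificate with a copy of the one held by @p copy.
 * The copy is made before the current structure is released, so a failing
 * copyX509() leaves this object untouched; self-assignment is a no-op.
 *
 * @param copy instance of X509Cert class to be assigned.
 * @return reference to this object.
 * @throws IOException throws exception if the X509 cert structure copy fails.
 */
digidoc::X509Cert& digidoc::X509Cert::operator=(const X509Cert& copy) throw(IOException)
{
    if(this == &copy)
        return *this;

    X509* fresh = copyX509(copy.cert);

    // The constructors shown in this file all obtain `cert` from copyX509(),
    // so the structure we hold is exclusively ours; simply overwriting the
    // pointer (as the previous version did) leaked it.
    if(cert)
        X509_free(cert);
    cert = fresh;

    return *this;
}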
/**
 * Copy constructor.
 *
 * The new object receives its own X509 structure, duplicated from @p copy
 * via copyX509(); the two instances share nothing afterwards.
 *
 * @param copy instance of X509Cert class to be copied.
 * @throws IOException throws exception if the X509 cert structure copy fails.
 */
digidoc::X509Cert::X509Cert(const X509Cert& copy) throw(IOException)
 : cert(copyX509(copy.cert))
{
}
/**
 * Wraps a copy of an OpenSSL X509 certificate.
 *
 * The structure is duplicated, not adopted: the caller keeps ownership of
 * @p cert and stays responsible for freeing it.
 *
 * @param cert X509 certificate structure to be copied and wrapped.
 * @throws IOException throws exception if the X509 certificate structure copy fails.
 */
digidoc::X509Cert::X509Cert(X509* cert) throw(IOException)
 // inside the parentheses `cert` names the parameter, the member is the
 // one being initialised
 : cert(copyX509(cert))
{
}
// Returns an independent copy of the wrapped X509 structure. The caller
// owns the result and must release it with X509_free(); copyX509() is
// responsible for reporting a failed duplication.
X509* bdoc::X509Cert::getX509() const
{
	X509* duplicate = copyX509(cert);
	return duplicate;
}
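// Assignment: replaces the wrapped certificate with a copy of `copy`'s.
// The copy is made before the current structure is released, so a failing
// copyX509() leaves this object untouched; self-assignment is a no-op.
bdoc::X509Cert& bdoc::X509Cert::operator=(const X509Cert& copy)
{
	if(this == &copy)
		return *this;

	X509* fresh = copyX509(copy.cert);

	// The constructors shown in this file all obtain `cert` from copyX509(),
	// so the structure we hold is exclusively ours; overwriting the pointer
	// without freeing it (as the previous version did) leaked it.
	if(cert)
		X509_free(cert);
	cert = fresh;

	return *this;
}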
// Copy constructor: the new object gets its own X509 duplicated from `copy`
// via copyX509(); the two instances share nothing afterwards.
bdoc::X509Cert::X509Cert(const X509Cert& copy) :
	cert(copyX509(copy.cert))
{
}
// Wraps a copy of `cert`. The structure is duplicated, not adopted: the
// caller keeps ownership of the pointer passed in. Inside the initialiser
// `cert` names the parameter; the member is the one being initialised.
bdoc::X509Cert::X509Cert(X509* cert) : cert(copyX509(cert))
{
}
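void ContextImpl::assign(const ContextImpl& ctx)
{
    // Make this context mirror `ctx`: protocol, verification settings, the
    // identity (certificate + private key), the extra chain certificates
    // and the trusted CA certificates. Every OpenSSL object is copied, so
    // the two contexts share nothing afterwards.
    //
    // @throws InvalidCertificate if OpenSSL rejects any copied certificate
    //         or key, or if the copied key does not match the certificate.

    // TODO: consider to create a new SSL_CTX if required

    // Self-assignment would free our own identity and CA certificates below
    // and then try to copy them back from the (now empty) source; bail out.
    if( this == &ctx )
        return;

    setProtocol(ctx._protocol);
    setVerifyMode(ctx._verify);
    setVerifyDepth(ctx._verifyDepth);

    // copy certificates presented to peer

    if(_pkey)
        EVP_PKEY_free(_pkey);
    _pkey = 0;
    
    if(_x509)
        X509_free(_x509);
    _x509 = 0;

    if( ctx._x509 )
    {
        _pkey = copyPrivateKey( ctx._pkey );  
        _x509 = copyX509( ctx._x509 );
        
        if( ! SSL_CTX_use_certificate(_ctx, _x509) )
        {
            throw InvalidCertificate("invalid certificate");
        }

        if( ! SSL_CTX_use_PrivateKey( _ctx, _pkey ) )
        {
            throw InvalidCertificate("invalid certificate");
        }

        // OpenSSL does not verify that the key belongs to the certificate
        // when they are installed separately; do it here rather than let a
        // mismatch surface as a handshake failure at the peer.
        if( ! SSL_CTX_check_private_key(_ctx) )
        {
            throw InvalidCertificate("private key does not match certificate");
        }
    }

    // NOTE(review): only the bookkeeping vector is reset here. The chain
    // certificates previously handed to _ctx via SSL_CTX_add_extra_chain_cert
    // remain inside the SSL_CTX, so after assign() the chain sent to peers is
    // the union of the old and the copied one. Clearing the SSL_CTX side
    // needs SSL_CTX_clear_extra_chain_certs (or a fresh SSL_CTX, see the
    // TODO above) — confirm availability for the OpenSSL version in use.
    _extraCerts.clear();
    _extraCerts.reserve( ctx._extraCerts.size() );

    for(std::vector<X509*>::const_iterator it = ctx._extraCerts.begin(); it != ctx._extraCerts.end(); ++it)
    {
        // NOTE: SSL_CTX_add_extra_chain_cert does not copy the X509 certificate, 
        // or increase the refcount. We must copy it, because the SSL_CTX will
        // free it

        X509* extraX509 = copyX509(*it);
        X509AutoPtr x509Ptr(extraX509);

        if( ! SSL_CTX_add_extra_chain_cert( _ctx, extraX509 ) )
            throw InvalidCertificate("invalid extra certificate");

        _extraCerts.push_back(extraX509);
        x509Ptr.release();
    }

    // copy trusted CA certificates

    // _caCerts holds our own reference to each CA certificate (the store
    // keeps a separate one), so these frees are safe while the old store
    // still exists.
    for(std::vector<X509*>::iterator it = _caCerts.begin(); it != _caCerts.end(); ++it)
    {
        X509_free(*it);
    }
    
    _caCerts.clear();
    _caCerts.reserve( ctx._caCerts.size() );

    // Build the replacement trust store up front; storePtr frees it if any
    // copy below fails, and the SSL_CTX keeps its previous store in that case.
    X509_STORE* store = X509_STORE_new();
    X509StoreAutoPtr storePtr(store);

    for(std::vector<X509*>::const_iterator it = ctx._caCerts.begin(); it != ctx._caCerts.end(); ++it)
    {
        X509* x509 = copyX509(*it);
        X509AutoPtr x509Ptr(x509);

        if( ! X509_STORE_add_cert(store, x509) )
            throw InvalidCertificate("untrusted certificate");

        _caCerts.push_back(x509);
        x509Ptr.release();
    }

    // SSL_CTX_set_cert_store releases the previous store and takes
    // ownership of the new one.
    SSL_CTX_set_cert_store( _ctx, store );
    storePtr.release();
}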