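/**
 * Installs @a cert (certificate plus private key) as the identity this
 * context presents to peers.
 *
 * The new X509/EVP_PKEY copies are taken before the previous identity is
 * released, so a failing copy leaves the old identity in place. After both
 * halves are handed to OpenSSL, SSL_CTX_check_private_key() confirms that
 * the key actually belongs to the certificate: SSL_CTX_use_certificate()
 * and SSL_CTX_use_PrivateKey() accept the two independently and do not
 * compare them with each other.
 *
 * @param cert certificate carrying both an X509 and a private key.
 * @throws InvalidCertificate if the certificate has no private key, if
 *         OpenSSL rejects the certificate or the key, or if the key does
 *         not match the certificate.
 */
void ContextImpl::setIdentity(const Certificate& cert)
{
    if( ! cert.impl()->pkey() )
        throw InvalidCertificate("invalid certificate");

    // take the copies first; X509AutoPtr releases the X509 copy again if
    // copyPrivateKey() throws, and the current identity is untouched
    X509* newX509 = copyX509( cert.impl()->x509() );
    X509AutoPtr x509Ptr(newX509);
    EVP_PKEY* newPkey = copyPrivateKey( cert.impl()->pkey() );

    // both copies succeeded: drop the previous identity and take ownership
    if(_pkey)
        EVP_PKEY_free(_pkey);
    _pkey = newPkey;
    if(_x509)
        X509_free(_x509);
    _x509 = newX509;
    x509Ptr.release();

    // the SSL_CTX takes its own references to the X509 and the EVP_PKEY;
    // _x509/_pkey stay owned (and eventually freed) by this object
    if( ! SSL_CTX_use_certificate(_ctx, _x509) )
        throw InvalidCertificate("invalid certificate");

    if( ! SSL_CTX_use_PrivateKey( _ctx, _pkey ) )
        throw InvalidCertificate("invalid certificate");

    // OpenSSL does not check the private key against the certificate on
    // its own; a mismatched pair would otherwise only surface at handshake
    if( ! SSL_CTX_check_private_key(_ctx) )
        throw InvalidCertificate("private key does not match certificate");
}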
/**
 * Appends @a certificate to the chain that is sent to peers together with
 * the identity certificate.
 *
 * @param certificate intermediate certificate to add to the presented chain.
 * @throws InvalidCertificate if OpenSSL rejects the certificate.
 */
void ContextImpl::addCertificate(const Certificate& certificate)
{
    // grow the bookkeeping vector up front so that push_back() below cannot
    // throw once the SSL_CTX already owns the copy
    _extraCerts.reserve(_extraCerts.size() + 1);

    // NOTE: SSL_CTX_add_extra_chain_cert does not copy the X509 certificate,
    // or increase the refcount. We must copy it, because the SSL_CTX will
    // free it
    X509* chainCert = copyX509( certificate.impl()->x509() );
    X509AutoPtr guard(chainCert);

    if( ! SSL_CTX_add_extra_chain_cert(_ctx, chainCert) )
        throw InvalidCertificate("invalid extra certificate");

    // ownership has passed to the SSL_CTX; _extraCerts only records the
    // pointer (push_back() cannot throw thanks to the reserve() above)
    guard.release();
    _extraCerts.push_back(chainCert);
}
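/**
 * Adds @a trustedCert to the set of CA certificates used to verify peers.
 *
 * When the SSL_CTX has no certificate store yet, a fresh X509_STORE is
 * created and handed to the context with SSL_CTX_set_cert_store(); the
 * original code created the store but never attached it, so the CA was
 * silently ignored and the store leaked.
 *
 * @param trustedCert CA certificate to trust.
 * @throws InvalidCertificate if a store cannot be created or OpenSSL
 *         rejects the certificate.
 */
void ContextImpl::addCACertificate(const Certificate& trustedCert)
{
    log_trace("adding CA certificate:" << trustedCert.subject());

    // reserve first so push_back() below cannot throw after the store
    // already references the certificate
    _caCerts.reserve(_caCerts.size() + 1);

    X509* x509 = copyX509( trustedCert.impl()->x509() );
    X509AutoPtr x509Ptr(x509);

    X509_STORE* store = SSL_CTX_get_cert_store(_ctx);
    if( ! store)
    {
        log_trace("creating new X509 store");
        store = X509_STORE_new();
        if( ! store )
            throw InvalidCertificate("could not create X509 store");
        X509StoreAutoPtr storePtr(store);

        if( ! X509_STORE_add_cert(store, x509) )
            throw InvalidCertificate("invalid CA certificate");

        // attach the new store; the SSL_CTX owns it from here on
        SSL_CTX_set_cert_store(_ctx, store);
        storePtr.release();
    }
    else if( ! X509_STORE_add_cert(store, x509) )
    {
        throw InvalidCertificate("invalid CA certificate");
    }

    // X509_STORE_add_cert() takes its own reference; the copy itself stays
    // owned by _caCerts (assign() frees those entries)
    _caCerts.push_back(x509);
    x509Ptr.release();
}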
/**
 * @return a fresh copy of the wrapped OpenSSL X509 structure.
 * NB! The caller owns the result and must release it with X509_free()
 * from OpenSSL or the X509_scope(X509**) macro.
 * @throws IOException throws exception if the X509 cert structure copy fails.
 */
X509* digidoc::X509Cert::getX509() const throw(IOException)
{
    X509* const duplicate = copyX509(cert);
    return duplicate;
}
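/**
 * Assignment operator.
 *
 * The copy of @a copy's certificate is taken before the currently wrapped
 * structure is released, so a failing copy leaves this object unchanged.
 * Self-assignment is a no-op. The previous X509 is freed here; the original
 * version overwrote the pointer and leaked it.
 *
 * @param copy instance of X509Cert class to be assigned.
 * @return reference to this instance, now wrapping a copy of copy.cert.
 * @throws IOException throws exception if the X509 cert structure copy fails.
 */
digidoc::X509Cert& digidoc::X509Cert::operator=(const X509Cert& copy) throw(IOException)
{
    if(this == &copy)
        return *this;

    X509* fresh = copyX509(copy.cert);

    // the constructors always store a private copy, so the old structure is
    // ours to release
    if(cert)
        X509_free(cert);
    cert = fresh;
    return *this;
}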
/**
 * Copy constructor.
 *
 * @param copy instance of X509Cert class to be copied.
 * @throws IOException throws exception if the X509 cert structure copy fails.
 */
digidoc::X509Cert::X509Cert(const X509Cert& copy) throw(IOException)
    : cert(copyX509(copy.cert))   // private copy; the source keeps its own
{
}
/**
 * Creates copy of the X509 certificate.
 *
 * @param cert X509 certificate structure to be wrapped.
 * @throws IOException throws exception if the X509 certificate structure copy fails.
 */
digidoc::X509Cert::X509Cert(X509* cert) throw(IOException)
    : cert(copyX509(cert))   // inner `cert` is the parameter, which hides the member here
{
}
/**
 * @return a fresh copy of the wrapped OpenSSL X509 structure; the caller
 *         owns it and must release it with X509_free().
 */
X509* bdoc::X509Cert::getX509() const
{
    X509* const duplicate = copyX509(cert);
    return duplicate;
}
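/**
 * Assignment operator.
 *
 * The copy of @a copy's certificate is taken before the currently wrapped
 * structure is released, so a failing copy leaves this object unchanged.
 * Self-assignment is a no-op. The previous X509 is freed here; the original
 * version overwrote the pointer and leaked it.
 *
 * @param copy instance of X509Cert class to be assigned.
 * @return reference to this instance, now wrapping a copy of copy.cert.
 */
bdoc::X509Cert& bdoc::X509Cert::operator=(const X509Cert& copy)
{
    if(this == &copy)
        return *this;

    X509* fresh = copyX509(copy.cert);

    // the constructors always store a private copy, so the old structure is
    // ours to release
    if(cert)
        X509_free(cert);
    cert = fresh;
    return *this;
}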
/**
 * Copy constructor: wraps a private copy of @a copy's certificate.
 *
 * @param copy instance of X509Cert class to be copied.
 */
bdoc::X509Cert::X509Cert(const X509Cert& copy)
    : cert(copyX509(copy.cert))   // the source keeps its own structure
{
}
/**
 * Wraps a copy of the given X509 certificate structure.
 *
 * @param cert X509 certificate structure to be copied and wrapped.
 */
bdoc::X509Cert::X509Cert(X509* cert)
    : cert(copyX509(cert))   // inner `cert` is the parameter, which hides the member here
{
}
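/**
 * Makes this context an equivalent of @a ctx: protocol, verification
 * settings, the identity presented to peers, the extra chain certificates
 * and the trusted CA certificates are all copied over.
 *
 * The identity copies are taken before the old identity is released, so a
 * failing copy leaves the previous identity intact. Assigning a context to
 * itself is a no-op; without that guard our own X509/EVP_PKEY and CA
 * certificates would be freed and then read back as the source.
 *
 * @param ctx context whose settings and certificates are copied.
 * @throws InvalidCertificate if OpenSSL rejects any copied certificate or
 *         key, or if a fresh X509_STORE cannot be created.
 */
void ContextImpl::assign(const ContextImpl& ctx)
{
    // TODO: consider to create a new SSL_CTX if required

    // self-assignment would free our own certificates before copying them
    if(this == &ctx)
        return;

    setProtocol(ctx._protocol);
    setVerifyMode(ctx._verify);
    setVerifyDepth(ctx._verifyDepth);

    // copy certificates presented to peer: take both copies first, so the
    // current identity stays untouched if either copy throws
    EVP_PKEY* newPkey = 0;
    X509* newX509 = 0;
    if( ctx._x509 )
    {
        newX509 = copyX509( ctx._x509 );
        X509AutoPtr x509Ptr(newX509);   // frees the X509 copy if the next line throws
        newPkey = copyPrivateKey( ctx._pkey );
        x509Ptr.release();
    }

    if(_pkey)
        EVP_PKEY_free(_pkey);
    _pkey = newPkey;
    if(_x509)
        X509_free(_x509);
    _x509 = newX509;

    if( _x509 )
    {
        // the SSL_CTX takes its own references; _x509/_pkey remain ours
        if( ! SSL_CTX_use_certificate(_ctx, _x509) )
            throw InvalidCertificate("invalid certificate");

        if( ! SSL_CTX_use_PrivateKey( _ctx, _pkey ) )
            throw InvalidCertificate("invalid certificate");
    }

    // the SSL_CTX owns the extra chain certificates; _extraCerts only
    // records the pointers, so nothing is freed here
    _extraCerts.clear();
    _extraCerts.reserve( ctx._extraCerts.size() );
    for(std::vector<X509*>::const_iterator it = ctx._extraCerts.begin(); it != ctx._extraCerts.end(); ++it)
    {
        // NOTE: SSL_CTX_add_extra_chain_cert does not copy the X509 certificate,
        // or increase the refcount. We must copy it, because the SSL_CTX will
        // free it
        X509* extraX509 = copyX509(*it);
        X509AutoPtr x509Ptr(extraX509);
        if( ! SSL_CTX_add_extra_chain_cert( _ctx, extraX509 ) )
            throw InvalidCertificate("invalid extra certificate");
        _extraCerts.push_back(extraX509);
        x509Ptr.release();
    }

    // copy trusted CA certificates: the current store holds its own
    // references, so our copies can be dropped before it is replaced
    for(std::vector<X509*>::iterator it = _caCerts.begin(); it != _caCerts.end(); ++it)
    {
        X509_free(*it);
    }
    _caCerts.clear();
    _caCerts.reserve( ctx._caCerts.size() );

    X509_STORE* store = X509_STORE_new();
    if( ! store )
        throw InvalidCertificate("could not create X509 store");
    X509StoreAutoPtr storePtr(store);
    for(std::vector<X509*>::const_iterator it = ctx._caCerts.begin(); it != ctx._caCerts.end(); ++it)
    {
        X509* x509 = copyX509(*it);
        X509AutoPtr x509Ptr(x509);
        // X509_STORE_add_cert() takes its own reference; the copy stays
        // owned by _caCerts
        if( ! X509_STORE_add_cert(store, x509) )
            throw InvalidCertificate("untrusted certificate");
        _caCerts.push_back(x509);
        x509Ptr.release();
    }

    // SSL_CTX_set_cert_store() releases the previous store and owns the new one
    SSL_CTX_set_cert_store( _ctx, store );
    storePtr.release();
}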