certificate_db.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2020 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 #include "squid.h"
10 #include "base/HardFun.h"
11 #include "security/cert_generators/file/certificate_db.h"
12 
13 #include <cerrno>
14 #include <fstream>
15 #include <memory>
16 #include <stdexcept>
17 #if HAVE_SYS_STAT_H
18 #include <sys/stat.h>
19 #endif
20 #if HAVE_FCNTL_H
21 #include <fcntl.h>
22 #endif
23 #if HAVE_SYS_FILE_H
24 #include <sys/file.h>
25 #endif
26 
27 #define HERE "(security_file_certgen) " << __FILE__ << ':' << __LINE__ << ": "
28 
29 Ssl::Lock::Lock(std::string const &aFilename) :
30  filename(aFilename),
31 #if _SQUID_WINDOWS_
32  hFile(INVALID_HANDLE_VALUE)
33 #else
34  fd(-1)
35 #endif
36 {
37 }
38 
39 bool Ssl::Lock::locked() const
40 {
41 #if _SQUID_WINDOWS_
42  return hFile != INVALID_HANDLE_VALUE;
43 #else
44  return fd != -1;
45 #endif
46 }
47 
48 void Ssl::Lock::lock()
49 {
50 
51 #if _SQUID_WINDOWS_
52  hFile = CreateFile(TEXT(filename.c_str()), GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
53  if (hFile == INVALID_HANDLE_VALUE)
54 #else
55  fd = open(filename.c_str(), O_RDWR);
56  if (fd == -1)
57 #endif
58  throw std::runtime_error("Failed to open file " + filename);
59 
60 #if _SQUID_WINDOWS_
61  if (!LockFile(hFile, 0, 0, 1, 0))
62 #elif _SQUID_SOLARIS_
63  if (lockf(fd, F_LOCK, 0) != 0)
64 #else
65  if (flock(fd, LOCK_EX) != 0)
66 #endif
67  throw std::runtime_error("Failed to get a lock of " + filename);
68 }
69 
70 void Ssl::Lock::unlock()
71 {
72 #if _SQUID_WINDOWS_
73  if (hFile != INVALID_HANDLE_VALUE) {
74  UnlockFile(hFile, 0, 0, 1, 0);
75  CloseHandle(hFile);
76  hFile = INVALID_HANDLE_VALUE;
77  }
78 #else
79  if (fd != -1) {
80 #if _SQUID_SOLARIS_
81  lockf(fd, F_ULOCK, 0);
82 #else
83  flock(fd, LOCK_UN);
84 #endif
85  close(fd);
86  fd = -1;
87  }
88 #endif
89  else
90  throw std::runtime_error("Lock is already unlocked for " + filename);
91 }
92 
93 Ssl::Lock::~Lock()
94 {
95  if (locked())
96  unlock();
97 }
98 
99 Ssl::Locker::Locker(Lock &aLock, const char *aFileName, int aLineNo):
100  weLocked(false), lock(aLock), fileName(aFileName), lineNo(aLineNo)
101 {
102  if (!lock.locked()) {
103  lock.lock();
104  weLocked = true;
105  }
106 }
107 
108 Ssl::Locker::~Locker()
109 {
110  if (weLocked)
111  lock.unlock();
112 }
113 
114 Ssl::CertificateDb::Row::Row()
115  : width(cnlNumber)
116 {
117  row = (char **)OPENSSL_malloc(sizeof(char *) * (width + 1));
118  for (size_t i = 0; i < width + 1; ++i)
119  row[i] = NULL;
120 }
121 
122 Ssl::CertificateDb::Row::Row(char **aRow, size_t aWidth): width(aWidth)
123 {
124  row = aRow;
125 }
126 
127 Ssl::CertificateDb::Row::~Row()
128 {
129  if (!row)
130  return;
131 
132  void *max;
133  if ((max = (void *)row[width]) != NULL) {
134  // It is an openSSL allocated row. The TXT_DB_read function stores the
135  // index and row items one one memory segment. The row[width] points
136  // to the end of buffer. We have to check for items in the array which
137  // are not stored in this segment. These items should released.
138  for (size_t i = 0; i < width + 1; ++i) {
139  if (((row[i] < (char *)row) || (row[i] > max)) && (row[i] != NULL))
140  OPENSSL_free(row[i]);
141  }
142  } else {
143  for (size_t i = 0; i < width + 1; ++i) {
144  if (row[i])
145  OPENSSL_free(row[i]);
146  }
147  }
148  OPENSSL_free(row);
149 }
150 
151 void Ssl::CertificateDb::Row::reset()
152 {
153  row = NULL;
154 }
155 
156 void Ssl::CertificateDb::Row::setValue(size_t cell, char const * value)
157 {
158  assert(cell < width);
159  if (row[cell]) {
160  free(row[cell]);
161  }
162  if (value) {
163  row[cell] = static_cast<char *>(OPENSSL_malloc(sizeof(char) * (strlen(value) + 1)));
164  memcpy(row[cell], value, sizeof(char) * (strlen(value) + 1));
165  } else
166  row[cell] = NULL;
167 }
168 
169 char ** Ssl::CertificateDb::Row::getRow()
170 {
171  return row;
172 }
173 
174 void Ssl::CertificateDb::sq_TXT_DB_delete(TXT_DB *db, const char **row)
175 {
176  if (!db)
177  return;
178 
179 #if SQUID_SSLTXTDB_PSTRINGDATA
180  for (int i = 0; i < sk_OPENSSL_PSTRING_num(db->data); ++i) {
181 #if SQUID_STACKOF_PSTRINGDATA_HACK
182  const char ** current_row = ((const char **)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, db->data), i));
183 #else
184  const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db->data, i));
185 #endif
186 #else
187  for (int i = 0; i < sk_num(db->data); ++i) {
188  const char ** current_row = ((const char **)sk_value(db->data, i));
189 #endif
190  if (current_row == row) {
191  sq_TXT_DB_delete_row(db, i);
192  return;
193  }
194  }
195 }
196 
197 #define countof(arr) (sizeof(arr)/sizeof(*arr))
198 void Ssl::CertificateDb::sq_TXT_DB_delete_row(TXT_DB *db, int idx) {
199  char **rrow;
200 #if SQUID_SSLTXTDB_PSTRINGDATA
201  rrow = (char **)sk_OPENSSL_PSTRING_delete(db->data, idx);
202 #else
203  rrow = (char **)sk_delete(db->data, idx);
204 #endif
205 
206  if (!rrow)
207  return;
208 
209  Row row(rrow, cnlNumber); // row wrapper used to free the rrow
210 
211  const Columns db_indexes[]= {cnlSerial, cnlKey};
212  for (unsigned int i = 0; i < countof(db_indexes); ++i) {
213  void *data = NULL;
214 #if SQUID_SSLTXTDB_PSTRINGDATA
215  if (LHASH_OF(OPENSSL_STRING) *fieldIndex = db->index[db_indexes[i]])
216  data = lh_OPENSSL_STRING_delete(fieldIndex, rrow);
217 #else
218  if (LHASH *fieldIndex = db->index[db_indexes[i]])
219  data = OPENSSL_LH_delete(fieldIndex, rrow);
220 #endif
221  if (data)
222  assert(data == rrow);
223  }
224 }
225 
226 unsigned long Ssl::CertificateDb::index_serial_hash(const char **a) {
227  const char *n = a[Ssl::CertificateDb::cnlSerial];
228  while (*n == '0')
229  ++n;
230  return OPENSSL_LH_strhash(n);
231 }
232 
233 int Ssl::CertificateDb::index_serial_cmp(const char **a, const char **b) {
234  const char *aa, *bb;
235  for (aa = a[Ssl::CertificateDb::cnlSerial]; *aa == '0'; ++aa);
236  for (bb = b[Ssl::CertificateDb::cnlSerial]; *bb == '0'; ++bb);
237  return strcmp(aa, bb);
238 }
239 
240 unsigned long Ssl::CertificateDb::index_name_hash(const char **a) {
241  return(OPENSSL_LH_strhash(a[Ssl::CertificateDb::cnlKey]));
242 }
243 
244 int Ssl::CertificateDb::index_name_cmp(const char **a, const char **b) {
245  return(strcmp(a[Ssl::CertificateDb::cnlKey], b[CertificateDb::cnlKey]));
246 }
247 
248 const std::string Ssl::CertificateDb::db_file("index.txt");
249 const std::string Ssl::CertificateDb::cert_dir("certs");
250 const std::string Ssl::CertificateDb::size_file("size");
251 
252 Ssl::CertificateDb::CertificateDb(std::string const & aDb_path, size_t aMax_db_size, size_t aFs_block_size)
253  : db_path(aDb_path),
254  db_full(aDb_path + "/" + db_file),
255  cert_full(aDb_path + "/" + cert_dir),
256  size_full(aDb_path + "/" + size_file),
257  max_db_size(aMax_db_size),
258  fs_block_size((aFs_block_size ? aFs_block_size : 2048)),
259  dbLock(db_full)
260 {}
261 
262 bool
263 Ssl::CertificateDb::find(std::string const &key, const Security::CertPointer &expectedOrig, Security::CertPointer &cert, Security::PrivateKeyPointer &pkey)
264 {
265  const Locker locker(dbLock, Here);
266  load();
267  return pure_find(key, expectedOrig, cert, pkey);
268 }
269 
270 bool Ssl::CertificateDb::purgeCert(std::string const & key) {
271  const Locker locker(dbLock, Here);
272  load();
273  if (!db)
274  return false;
275 
276  if (!deleteByKey(key))
277  return false;
278 
279  save();
280  return true;
281 }
282 
283 bool
284 Ssl::CertificateDb::addCertAndPrivateKey(std::string const &useKey, const Security::CertPointer &cert, const Security::PrivateKeyPointer &pkey, const Security::CertPointer &orig)
285 {
286  const Locker locker(dbLock, Here);
287  load();
288  if (!db || !cert || !pkey)
289  return false;
290 
291  if(useKey.empty())
292  return false;
293 
294  // Functor to wrap xfree() for std::unique_ptr
295  typedef HardFun<void, const void*, &xfree> CharDeleter;
296 
297  Row row;
298  ASN1_INTEGER * ai = X509_get_serialNumber(cert.get());
299  std::string serial_string;
300  Ssl::BIGNUM_Pointer serial(ASN1_INTEGER_to_BN(ai, NULL));
301  {
302  std::unique_ptr<char, CharDeleter> hex_bn(BN_bn2hex(serial.get()));
303  serial_string = std::string(hex_bn.get());
304  }
305  row.setValue(cnlSerial, serial_string.c_str());
306  char ** rrow = TXT_DB_get_by_index(db.get(), cnlSerial, row.getRow());
307  // We are creating certificates with unique serial numbers. If the serial
308  // number is found in the database, the same certificate is already stored.
309  if (rrow != NULL) {
310  // TODO: check if the stored row is valid.
311  return true;
312  }
313 
314  // Remove any entry with given key
315  deleteByKey(useKey);
316 
317  // check db size while trying to minimize calls to size()
318  size_t dbSize = size();
319  if ((dbSize == 0 && hasRows()) ||
320  (dbSize > 0 && !hasRows()) ||
321  (dbSize > 10 * max_db_size)) {
322  // Invalid database size, rebuild
323  dbSize = rebuildSize();
324  }
325  while (dbSize > max_db_size && deleteInvalidCertificate()) {
326  dbSize = size(); // get the current database size
327  // and try to find another invalid certificate if needed
328  }
329  // there are no more invalid ones, but there must be valid certificates
330  while (dbSize > max_db_size) {
331  if (!deleteOldestCertificate()) {
332  rebuildSize(); // No certificates in database.Update the size file.
333  save(); // Some entries may have been removed. Update the index file.
334  return false; // errors prevented us from freeing enough space
335  }
336  dbSize = size(); // get the current database size
337  }
338 
339  const auto tm = X509_getm_notAfter(cert.get());
340  row.setValue(cnlExp_date, std::string(reinterpret_cast<char *>(tm->data), tm->length).c_str());
341  std::unique_ptr<char, CharDeleter> subject(X509_NAME_oneline(X509_get_subject_name(cert.get()), nullptr, 0));
342  row.setValue(cnlName, subject.get());
343  row.setValue(cnlKey, useKey.c_str());
344 
345  if (!TXT_DB_insert(db.get(), row.getRow())) {
346  // failed to add index (???) but we may have already modified
347  // the database so save before exit
348  save();
349  return false;
350  }
351  rrow = row.getRow();
352  row.reset();
353 
354  std::string filename(cert_full + "/" + serial_string + ".pem");
355  if (!WriteEntry(filename.c_str(), cert, pkey, orig)) {
356  //remove row from txt_db and save
357  sq_TXT_DB_delete(db.get(), (const char **)rrow);
358  save();
359  return false;
360  }
361  addSize(filename);
362 
363  save();
364  return true;
365 }
366 
367 void
368 Ssl::CertificateDb::Create(std::string const & db_path) {
369  if (db_path == "")
370  throw std::runtime_error("Path to db is empty");
371  std::string db_full(db_path + "/" + db_file);
372  std::string cert_full(db_path + "/" + cert_dir);
373  std::string size_full(db_path + "/" + size_file);
374 
375  if (mkdir(db_path.c_str(), 0777))
376  throw std::runtime_error("Cannot create " + db_path);
377 
378  if (mkdir(cert_full.c_str(), 0777))
379  throw std::runtime_error("Cannot create " + cert_full);
380 
381  std::ofstream size(size_full.c_str());
382  if (size)
383  size << 0;
384  else
385  throw std::runtime_error("Cannot open " + size_full + " to open");
386  std::ofstream db(db_full.c_str());
387  if (!db)
388  throw std::runtime_error("Cannot open " + db_full + " to open");
389 }
390 
391 void
392 Ssl::CertificateDb::Check(std::string const & db_path, size_t max_db_size, size_t fs_block_size) {
393  CertificateDb db(db_path, max_db_size, fs_block_size);
394  db.load();
395 
396  // Call readSize to force rebuild size file in the case it is corrupted
397  (void)db.readSize();
398 }
399 
400 size_t Ssl::CertificateDb::rebuildSize()
401 {
402  size_t dbSize = 0;
403 #if SQUID_SSLTXTDB_PSTRINGDATA
404  for (int i = 0; i < sk_OPENSSL_PSTRING_num(db.get()->data); ++i) {
405 #if SQUID_STACKOF_PSTRINGDATA_HACK
406  const char ** current_row = ((const char **)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, db.get()->data), i));
407 #else
408  const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db.get()->data, i));
409 #endif
410 #else
411  for (int i = 0; i < sk_num(db.get()->data); ++i) {
412  const char ** current_row = ((const char **)sk_value(db.get()->data, i));
413 #endif
414  const std::string filename(cert_full + "/" + current_row[cnlSerial] + ".pem");
415  const size_t fSize = getFileSize(filename);
416  dbSize += fSize;
417  }
418  writeSize(dbSize);
419  return dbSize;
420 }
421 
422 bool
423 Ssl::CertificateDb::pure_find(std::string const &key, const Security::CertPointer &expectedOrig, Security::CertPointer &cert, Security::PrivateKeyPointer &pkey)
424 {
425  if (!db)
426  return false;
427 
428  Row row;
429  row.setValue(cnlKey, key.c_str());
430 
431  char **rrow = TXT_DB_get_by_index(db.get(), cnlKey, row.getRow());
432  if (rrow == NULL)
433  return false;
434 
435  if (!sslDateIsInTheFuture(rrow[cnlExp_date]))
436  return false;
437 
438  Security::CertPointer storedOrig;
439  // read cert and pkey from file.
440  std::string filename(cert_full + "/" + rrow[cnlSerial] + ".pem");
441  if (!ReadEntry(filename.c_str(), cert, pkey, storedOrig))
442  return false;
443 
444  if (!storedOrig && !expectedOrig)
445  return true;
446  else
447  return Ssl::CertificatesCmp(expectedOrig, storedOrig);
448 }
449 
450 size_t Ssl::CertificateDb::size() {
451  return readSize();
452 }
453 
454 void Ssl::CertificateDb::addSize(std::string const & filename) {
455  // readSize will rebuild 'size' file if missing or it is corrupted
456  size_t dbSize = readSize();
457  dbSize += getFileSize(filename);
458  writeSize(dbSize);
459 }
460 
461 void Ssl::CertificateDb::subSize(std::string const & filename) {
462  // readSize will rebuild 'size' file if missing or it is corrupted
463  size_t dbSize = readSize();
464  const size_t fileSize = getFileSize(filename);
465  dbSize = dbSize > fileSize ? dbSize - fileSize : 0;
466  writeSize(dbSize);
467 }
468 
469 size_t Ssl::CertificateDb::readSize() {
470  std::ifstream ifstr(size_full.c_str());
471  size_t db_size = 0;
472  if (!ifstr || !(ifstr >> db_size))
473  return rebuildSize();
474  return db_size;
475 }
476 
477 void Ssl::CertificateDb::writeSize(size_t db_size) {
478  std::ofstream ofstr(size_full.c_str());
479  if (!ofstr)
480  throw std::runtime_error("cannot write \"" + size_full + "\" file");
481  ofstr << db_size;
482 }
483 
484 size_t Ssl::CertificateDb::getFileSize(std::string const & filename) {
485  std::ifstream file(filename.c_str(), std::ios::binary);
486  if (!file)
487  return 0;
488  file.seekg(0, std::ios_base::end);
489  const std::streampos file_size = file.tellg();
490  if (file_size < 0)
491  return 0;
492  return ((static_cast<size_t>(file_size) + fs_block_size - 1) / fs_block_size) * fs_block_size;
493 }
494 
495 void Ssl::CertificateDb::load() {
496  // Load db from file.
497  Ssl::BIO_Pointer in(BIO_new(BIO_s_file()));
498  if (!in || BIO_read_filename(in.get(), db_full.c_str()) <= 0)
499  throw std::runtime_error("Uninitialized SSL certificate database directory: " + db_path + ". To initialize, run \"security_file_certgen -c -s " + db_path + "\".");
500 
501  bool corrupt = false;
502  Ssl::TXT_DB_Pointer temp_db(TXT_DB_read(in.get(), cnlNumber));
503  if (!temp_db)
504  corrupt = true;
505 
506  // Create indexes in db.
507  if (!corrupt && !TXT_DB_create_index(temp_db.get(), cnlSerial, NULL, LHASH_HASH_FN(index_serial_hash), LHASH_COMP_FN(index_serial_cmp)))
508  corrupt = true;
509 
510  if (!corrupt && !TXT_DB_create_index(temp_db.get(), cnlKey, NULL, LHASH_HASH_FN(index_name_hash), LHASH_COMP_FN(index_name_cmp)))
511  corrupt = true;
512 
513  if (corrupt)
514  throw std::runtime_error("The SSL certificate database " + db_path + " is corrupted. Please rebuild");
515 
516  db.reset(temp_db.release());
517 }
518 
519 void Ssl::CertificateDb::save() {
520  if (!db)
521  throw std::runtime_error("The certificates database is not loaded");;
522 
523  // To save the db to file, create a new BIO with BIO file methods.
524  Ssl::BIO_Pointer out(BIO_new(BIO_s_file()));
525  if (!out || !BIO_write_filename(out.get(), const_cast<char *>(db_full.c_str())))
526  throw std::runtime_error("Failed to initialize " + db_full + " file for writing");;
527 
528  if (TXT_DB_write(out.get(), db.get()) < 0)
529  throw std::runtime_error("Failed to write " + db_full + " file");
530 }
531 
532 // Normally defined in defines.h file
533 void Ssl::CertificateDb::deleteRow(const char **row, int rowIndex) {
534  const std::string filename(cert_full + "/" + row[cnlSerial] + ".pem");
535  sq_TXT_DB_delete_row(db.get(), rowIndex);
536 
537  subSize(filename);
538  int ret = remove(filename.c_str());
539  if (ret < 0 && errno != ENOENT)
540  throw std::runtime_error("Failed to remove certificate file " + filename + " from db");
541 }
542 
543 bool Ssl::CertificateDb::deleteInvalidCertificate() {
544  if (!db)
545  return false;
546 
547  bool removed_one = false;
548 #if SQUID_SSLTXTDB_PSTRINGDATA
549  for (int i = 0; i < sk_OPENSSL_PSTRING_num(db.get()->data); ++i) {
550 #if SQUID_STACKOF_PSTRINGDATA_HACK
551  const char ** current_row = ((const char **)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, db.get()->data), i));
552 #else
553  const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db.get()->data, i));
554 #endif
555 #else
556  for (int i = 0; i < sk_num(db.get()->data); ++i) {
557  const char ** current_row = ((const char **)sk_value(db.get()->data, i));
558 #endif
559 
560  if (!sslDateIsInTheFuture(current_row[cnlExp_date])) {
561  deleteRow(current_row, i);
562  removed_one = true;
563  break;
564  }
565  }
566 
567  if (!removed_one)
568  return false;
569  return true;
570 }
571 
572 bool Ssl::CertificateDb::deleteOldestCertificate()
573 {
574  if (!hasRows())
575  return false;
576 
577 #if SQUID_SSLTXTDB_PSTRINGDATA
578 #if SQUID_STACKOF_PSTRINGDATA_HACK
579  const char **row = ((const char **)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, db.get()->data), 0));
580 #else
581  const char **row = (const char **)sk_OPENSSL_PSTRING_value(db.get()->data, 0);
582 #endif
583 #else
584  const char **row = (const char **)sk_value(db.get()->data, 0);
585 #endif
586 
587  deleteRow(row, 0);
588 
589  return true;
590 }
591 
592 bool
593 Ssl::CertificateDb::deleteByKey(std::string const & key) {
594  if (!db)
595  return false;
596 
597 #if SQUID_SSLTXTDB_PSTRINGDATA
598  for (int i = 0; i < sk_OPENSSL_PSTRING_num(db.get()->data); ++i) {
599 #if SQUID_STACKOF_PSTRINGDATA_HACK
600  const char ** current_row = ((const char **)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, db.get()->data), i));
601 #else
602  const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db.get()->data, i));
603 #endif
604 #else
605  for (int i = 0; i < sk_num(db.get()->data); ++i) {
606  const char ** current_row = ((const char **)sk_value(db.get()->data, i));
607 #endif
608  if (key == current_row[cnlKey]) {
609  deleteRow(current_row, i);
610  return true;
611  }
612  }
613  return false;
614 }
615 
616 bool Ssl::CertificateDb::hasRows() const
617 {
618  if (!db)
619  return false;
620 
621 #if SQUID_SSLTXTDB_PSTRINGDATA
622  if (sk_OPENSSL_PSTRING_num(db.get()->data) == 0)
623 #else
624  if (sk_num(db.get()->data) == 0)
625 #endif
626  return false;
627  return true;
628 }
629 
630 bool
631 Ssl::CertificateDb::WriteEntry(const std::string &filename, const Security::CertPointer &cert, const Security::PrivateKeyPointer &pkey, const Security::CertPointer &orig)
632 {
633  Ssl::BIO_Pointer bio;
634  if (!Ssl::OpenCertsFileForWriting(bio, filename.c_str()))
635  return false;
636  if (!Ssl::WriteX509Certificate(bio, cert))
637  return false;
638  if (!Ssl::WritePrivateKey(bio, pkey))
639  return false;
640  if (orig && !Ssl::WriteX509Certificate(bio, orig))
641  return false;
642  return true;
643 }
644 
645 bool
646 Ssl::CertificateDb::ReadEntry(std::string filename, Security::CertPointer &cert, Security::PrivateKeyPointer &pkey, Security::CertPointer &orig)
647 {
648  Ssl::BIO_Pointer bio;
649  if (!Ssl::OpenCertsFileForReading(bio, filename.c_str()))
650  return false;
651  if (!Ssl::ReadX509Certificate(bio, cert))
652  return false;
653  if (!Ssl::ReadPrivateKey(bio, pkey, NULL))
654  return false;
655  // The orig certificate is not mandatory
656  (void)Ssl::ReadX509Certificate(bio, orig);
657  return true;
658 }
659 
Ssl::CertificateDb::size_full
const std::string size_full
Full path of the file to store the db size.
Definition: certificate_db.h:179
Ssl::CertificateDb::Row::Row
Row()
Create row wrapper.
Definition: certificate_db.cc:114
Here
#define Here()
source code location of the caller
Definition: Here.h:15
Ssl::Lock::lock
void lock()
locks the lock, may block
Definition: certificate_db.cc:48
Ssl::CertificateDb::cert_dir
static const std::string cert_dir
Base name of the directory to store the certs.
Definition: certificate_db.h:171
OPENSSL_LH_strhash
#define OPENSSL_LH_strhash
Definition: openssl.h:127
Ssl::Lock
maintains an exclusive blocking file-based lock
Definition: certificate_db.h:20
Ssl::Locker::weLocked
bool weLocked
whether we locked the lock
Definition: certificate_db.h:46
Ssl::CertificateDb::sq_TXT_DB_delete
static void sq_TXT_DB_delete(TXT_DB *db, const char **row)
Removes the first matching row from TXT_DB. Ignores failures.
Definition: certificate_db.cc:174
Ssl::BIO_Pointer
std::unique_ptr< BIO, HardFun< void, BIO *, &BIO_vfree > > BIO_Pointer
Definition: gadgets.h:50
Ssl::CertificateDb::ReadEntry
static bool ReadEntry(std::string filename, Security::CertPointer &cert, Security::PrivateKeyPointer &pkey, Security::CertPointer &orig)
loads a db entry from the file
Definition: certificate_db.cc:646
Ssl::ReadPrivateKey
bool ReadPrivateKey(BIO_Pointer &bio, Security::PrivateKeyPointer &pkey, pem_password_cb *passwd_callback)
Definition: gadgets.cc:708
db
TDB_CONTEXT * db
Definition: ext_time_quota_acl.cc:55
Ssl::ReadX509Certificate
bool ReadX509Certificate(BIO_Pointer &bio, Security::CertPointer &cert)
Definition: gadgets.cc:697
Ssl::CertificateDb::Row
A wrapper for OpenSSL database row of TXT_DB database.
Definition: certificate_db.h:79
Ssl::Lock::locked
bool locked() const
whether our lock is locked
Definition: certificate_db.cc:39
Ssl::CertificateDb::addSize
void addSize(std::string const &filename)
Increase db size by the given file size and update size_file.
Definition: certificate_db.cc:454
Ssl::CertificateDb::dbLock
Lock dbLock
protects the database file
Definition: certificate_db.h:184
Ssl::CertificateDb::Row::setValue
void setValue(size_t number, char const *value)
Set cell's value in row.
Definition: certificate_db.cc:156
Ssl::CertificateDb::Row::getRow
char ** getRow()
Raw row.
Definition: certificate_db.cc:169
Ssl::CertificatesCmp
bool CertificatesCmp(const Security::CertPointer &cert1, const Security::CertPointer &cert2)
Definition: gadgets.cc:914
Ssl::WriteX509Certificate
bool WriteX509Certificate(BIO_Pointer &bio, const Security::CertPointer &cert)
Definition: gadgets.cc:741
db_path
char * db_path
Definition: ext_session_acl.cc:63
max
A const & max(A const &lhs, A const &rhs)
Definition: compat_shared.h:142
Ssl::CertificateDb::size_file
static const std::string size_file
Definition: certificate_db.h:172
Ssl::CertificateDb::addCertAndPrivateKey
bool addCertAndPrivateKey(std::string const &useKey, const Security::CertPointer &cert, const Security::PrivateKeyPointer &pkey, const Security::CertPointer &orig)
Save certificate to disk.
Definition: certificate_db.cc:284
Ssl::CertificateDb::db
TXT_DB_Pointer db
Database with certificates info.
Definition: certificate_db.h:181
Ssl::CertificateDb::Row::reset
void reset()
Abandon row and don't free memory.
Definition: certificate_db.cc:151
Ssl::CertificateDb::Row::width
size_t width
Number of cells in the row.
Definition: certificate_db.h:92
Ssl::CertificateDb::sq_TXT_DB_delete_row
static void sq_TXT_DB_delete_row(TXT_DB *db, int idx)
Remove the row on position idx from TXT_DB. Ignores failures.
Definition: certificate_db.cc:198
Ssl::CertificateDb::subSize
void subSize(std::string const &filename)
Decrease db size by the given file size and update size_file.
Definition: certificate_db.cc:461
Ssl::CertificateDb::readSize
size_t readSize()
Read size from file size_file.
Definition: certificate_db.cc:469
Ssl::OpenCertsFileForReading
bool OpenCertsFileForReading(BIO_Pointer &bio, const char *filename)
Definition: gadgets.cc:686
size
int size
Definition: ModDevPoll.cc:77
Ssl::CertificateDb::deleteInvalidCertificate
bool deleteInvalidCertificate()
Delete invalid certificate.
Definition: certificate_db.cc:543
NULL
#define NULL
Definition: types.h:166
Ssl::CertificateDb::save
void save()
Save db to disk.
Definition: certificate_db.cc:519
Ssl::CertificateDb::index_name_cmp
static int index_name_cmp(const char **a, const char **b)
Callback compare function for names. Used to create TXT_DB index of names..
Definition: certificate_db.cc:244
Ssl::CertificateDb::fs_block_size
const size_t fs_block_size
File system block size.
Definition: certificate_db.h:183
Ssl::CertificateDb::max_db_size
const size_t max_db_size
Max size of db.
Definition: certificate_db.h:182
Ssl::Locker::Locker
Locker(Lock &lock, const char *aFileName, int lineNo)
locks the lock if the lock was unlocked
Definition: certificate_db.cc:99
OPENSSL_LH_delete
#define OPENSSL_LH_delete
Definition: openssl.h:126
data
void const char HLPCB void * data
Definition: stub_helper.cc:16
Ssl::CertificateDb::Create
static void Create(std::string const &db_path)
Create and initialize a database under the db_path.
Definition: certificate_db.cc:368
Ssl::CertificateDb::WriteEntry
static bool WriteEntry(const std::string &filename, const Security::CertPointer &cert, const Security::PrivateKeyPointer &pkey, const Security::CertPointer &orig)
stores the db entry into a file
Definition: certificate_db.cc:631
assert
#define assert(EX)
Definition: assert.h:19
Ssl::Lock::~Lock
~Lock()
releases the lock if it is locked
Definition: certificate_db.cc:93
Ssl::TXT_DB_Pointer
std::unique_ptr< TXT_DB, HardFun< void, TXT_DB *, &TXT_DB_free > > TXT_DB_Pointer
Definition: gadgets.h:56
Ssl::CertificateDb::index_serial_cmp
static int index_serial_cmp(const char **a, const char **b)
Callback compare function for serials. Used to create TXT_DB index of serials.
Definition: certificate_db.cc:233
Ssl::Locker::lock
Lock & lock
the lock we are operating on
Definition: certificate_db.h:47
X509_getm_notAfter
#define X509_getm_notAfter
Definition: openssl.h:205
Ssl::CertificateDb::index_name_hash
static unsigned long index_name_hash(const char **a)
Callback hash function for names. Used to create TXT_DB index of names..
Definition: certificate_db.cc:240
Ssl::CertificateDb::deleteOldestCertificate
bool deleteOldestCertificate()
Delete oldest certificate.
Definition: certificate_db.cc:572
Ssl::Lock::unlock
void unlock()
unlocks locked lock or throws
Definition: certificate_db.cc:70
Ssl::sslDateIsInTheFuture
bool sslDateIsInTheFuture(char const *date)
Definition: gadgets.cc:760
Ssl::CertificateDb::find
bool find(std::string const &key, const Security::CertPointer &expectedOrig, Security::CertPointer &cert, Security::PrivateKeyPointer &pkey)
finds matching generated certificate and its private key
Definition: certificate_db.cc:263
Ssl::Lock::Lock
Lock(std::string const &filename)
creates an unlocked lock
Definition: certificate_db.cc:29
Ssl::OpenCertsFileForWriting
bool OpenCertsFileForWriting(BIO_Pointer &bio, const char *filename)
Definition: gadgets.cc:730
Ssl::CertificateDb::db_full
const std::string db_full
Full path of the database index file.
Definition: certificate_db.h:177
Ssl::WritePrivateKey
bool WritePrivateKey(BIO_Pointer &bio, const Security::PrivateKeyPointer &pkey)
Definition: gadgets.cc:751
Ssl::CertificateDb::load
void load()
Load db from disk.
Definition: certificate_db.cc:495
Ssl::CertificateDb::hasRows
bool hasRows() const
Whether the TXT_DB has stored items.
Definition: certificate_db.cc:616
Ssl::CertificateDb::db_path
const std::string db_path
The database directory.
Definition: certificate_db.h:176
Ssl::BIGNUM_Pointer
std::unique_ptr< BIGNUM, HardFun< void, BIGNUM *, &BN_free > > BIGNUM_Pointer
Definition: gadgets.h:48
Ssl::CertificateDb::deleteRow
void deleteRow(const char **row, int rowIndex)
Delete a row from TXT_DB.
Definition: certificate_db.cc:533
Ssl::CertificateDb::Check
static void Check(std::string const &db_path, size_t max_db_size, size_t fs_block_size)
Check the database stored under the db_path.
Definition: certificate_db.cc:392
Ssl::Locker::~Locker
~Locker()
unlocks the lock if it was locked by us
Definition: certificate_db.cc:108
Ssl::CertificateDb::purgeCert
bool purgeCert(std::string const &key)
Delete a certificate from database.
Definition: certificate_db.cc:270
Ssl::CertificateDb::cert_full
const std::string cert_full
Full path of the directory to store the certs.
Definition: certificate_db.h:178
countof
#define countof(arr)
Definition: certificate_db.cc:197
Ssl::CertificateDb::deleteByKey
bool deleteByKey(std::string const &key)
Delete using key.
Definition: certificate_db.cc:593
Ssl::CertificateDb::db_file
static const char **static const char **static const std::string db_file
Base name of the database index file.
Definition: certificate_db.h:170
Ssl::CertificateDb::index_serial_hash
static unsigned long index_serial_hash(const char **a)
Callback hash function for serials. Used to create TXT_DB index of serials.
Definition: certificate_db.cc:226
Ssl::Locker
an exception-safe way to obtain and release a lock
Definition: certificate_db.h:39
false
#define false
Definition: GnuRegex.c:233
Ssl::CertificateDb::Columns
Columns
Names of db columns.
Definition: certificate_db.h:68
Ssl::CertificateDb::writeSize
void writeSize(size_t db_size)
Write size to file size_file.
Definition: certificate_db.cc:477
Ssl::CertificateDb::pure_find
bool pure_find(std::string const &key, const Security::CertPointer &expectedOrig, Security::CertPointer &cert, Security::PrivateKeyPointer &pkey)
Only find certificate in current db and return it.
Definition: certificate_db.cc:423
Ssl::CertificateDb::CertificateDb
CertificateDb(std::string const &db_path, size_t aMax_db_size, size_t aFs_block_size)
Definition: certificate_db.cc:252
Ssl::CertificateDb::getFileSize
size_t getFileSize(std::string const &filename)
get file size on disk.
Definition: certificate_db.cc:484
Security::LockingPointer::get
T * get() const
Returns raw and possibly nullptr pointer.
Definition: LockingPointer.h:106
certificate_db.h

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors