Gitiles
Code Review Sign In
review.jami.net / dhtnet / 24cc01e3deacb1332745929840268af06ebe9068 / . / include / certstore.h
blob: f92c8a15fa0ab28d82709f44d79a2857a952aa83 [file] [log] [blame]
Adrien Béraud612b55b2023-05-29 10:42:04 -0400[diff] [blame]1/*
2 * Copyright (C) 2004-2023 Savoir-faire Linux Inc.
3 *
Adrien Béraudcb753622023-07-17 22:32:49 -0400[diff] [blame]4 * This program is free software: you can redistribute it and/or modify
Adrien Béraud612b55b2023-05-29 10:42:04 -0400[diff] [blame]5 * it under the terms of the GNU General Public License as published by
Adrien Béraudcb753622023-07-17 22:32:49 -0400[diff] [blame]6 * the Free Software Foundation, either version 3 of the License, or
Adrien Béraud612b55b2023-05-29 10:42:04 -0400[diff] [blame]7 * (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
Adrien Béraudcb753622023-07-17 22:32:49 -0400[diff] [blame]11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
Adrien Béraud612b55b2023-05-29 10:42:04 -0400[diff] [blame]12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
Adrien Béraudcb753622023-07-17 22:32:49 -0400[diff] [blame]15 * along with this program. If not, see <https://www.gnu.org/licenses/>.
Adrien Béraud612b55b2023-05-29 10:42:04 -0400[diff] [blame]16 */
Adrien Béraud612b55b2023-05-29 10:42:04 -0400[diff] [blame]17#pragma once
18
Adrien Béraud612b55b2023-05-29 10:42:04 -0400[diff] [blame]19#include <opendht/crypto.h>
20
21#include <string>
22#include <vector>
23#include <map>
24#include <set>
25#include <future>
26#include <mutex>
27
28namespace crypto = ::dht::crypto;
29
30namespace dht {
31namespace log {
Adrien Béraud9132a812023-07-21 11:20:40 -0400[diff] [blame]32struct Logger;
Adrien Béraud612b55b2023-05-29 10:42:04 -0400[diff] [blame]33}
34}
35
Adrien Béraud1ae60aa2023-07-07 09:55:09 -0400[diff] [blame]36namespace dhtnet {
Adrien Béraud612b55b2023-05-29 10:42:04 -0400[diff] [blame]37
38using Logger = dht::log::Logger;
39namespace tls {
40
41enum class TrustStatus { UNTRUSTED = 0, TRUSTED };
42TrustStatus trustStatusFromStr(const char* str);
43const char* statusToStr(TrustStatus s);
44
45/**
46 * Global certificate store.
47 * Stores system root CAs and any other encountred certificate
48 */
49class CertificateStore
50{
51public:
Sébastien Blincc8f9d32023-07-25 09:51:48 -0400[diff] [blame]52 explicit CertificateStore(const std::string& path, std::shared_ptr<Logger> logger);
Adrien Béraud612b55b2023-05-29 10:42:04 -0400[diff] [blame]53
54 std::vector<std::string> getPinnedCertificates() const;
55 /**
56 * Return certificate (with full chain)
57 */
58 std::shared_ptr<crypto::Certificate> getCertificate(const std::string& cert_id);
59 std::shared_ptr<crypto::Certificate> getCertificateLegacy(const std::string& dataDir, const std::string& cert_id);
60
61 std::shared_ptr<crypto::Certificate> findCertificateByName(
62 const std::string& name, crypto::NameType type = crypto::NameType::UNKNOWN) const;
63 std::shared_ptr<crypto::Certificate> findCertificateByUID(const std::string& uid) const;
64 std::shared_ptr<crypto::Certificate> findIssuer(
65 const std::shared_ptr<crypto::Certificate>& crt) const;
66
67 std::vector<std::string> pinCertificate(const std::vector<uint8_t>& crt,
68 bool local = true) noexcept;
69 std::vector<std::string> pinCertificate(crypto::Certificate&& crt, bool local = true);
70 std::vector<std::string> pinCertificate(const std::shared_ptr<crypto::Certificate>& crt,
71 bool local = true);
72 bool unpinCertificate(const std::string&);
73
74 void pinCertificatePath(const std::string& path,
75 std::function<void(const std::vector<std::string>&)> cb = {});
76 unsigned unpinCertificatePath(const std::string&);
77
78 bool setTrustedCertificate(const std::string& id, TrustStatus status);
79 std::vector<gnutls_x509_crt_t> getTrustedCertificates() const;
80
81 void pinRevocationList(const std::string& id,
82 const std::shared_ptr<dht::crypto::RevocationList>& crl);
83 void pinRevocationList(const std::string& id, dht::crypto::RevocationList&& crl)
84 {
85 pinRevocationList(id,
86 std::make_shared<dht::crypto::RevocationList>(
87 std::forward<dht::crypto::RevocationList>(crl)));
88 }
89 void pinOcspResponse(const dht::crypto::Certificate& cert);
90
91 void loadRevocations(crypto::Certificate& crt) const;
92
93 const std::shared_ptr<Logger>& logger() const {
94 return logger_;
95 }
96
97private:
98 //NON_COPYABLE(CertificateStore);
99
100
101 unsigned loadLocalCertificates();
102 void pinRevocationList(const std::string& id, const dht::crypto::RevocationList& crl);
103 std::shared_ptr<Logger> logger_;
104
105 const std::string certPath_;
106 const std::string crlPath_;
107 const std::string ocspPath_;
108
109 mutable std::mutex lock_;
110 std::map<std::string, std::shared_ptr<crypto::Certificate>> certs_;
111 std::map<std::string, std::vector<std::weak_ptr<crypto::Certificate>>> paths_;
112
113 // globally trusted certificates (root CAs)
114 std::vector<std::shared_ptr<crypto::Certificate>> trustedCerts_;
115};
116
117/**
118 * Keeps track of the allowed and trust status of certificates
119 * Trusted is the status of top certificates we trust to build our
120 * certificate chain: root CAs and other configured CAs.
121 *
122 * Allowed is the status of certificates we accept for incoming
123 * connections.
124 */
125class TrustStore
126{
127public:
128 explicit TrustStore(CertificateStore& certStore)
129 : certStore_(certStore)
130 {}
131
132 enum class PermissionStatus { UNDEFINED = 0, ALLOWED, BANNED };
133
134 static PermissionStatus statusFromStr(const char* str);
135 static const char* statusToStr(PermissionStatus s);
136
137 bool addRevocationList(dht::crypto::RevocationList&& crl);
138
139 bool setCertificateStatus(const std::string& cert_id, const PermissionStatus status);
140 bool setCertificateStatus(const std::shared_ptr<crypto::Certificate>& cert,
141 PermissionStatus status,
142 bool local = true);
143
144 PermissionStatus getCertificateStatus(const std::string& cert_id) const;
145
146 std::vector<std::string> getCertificatesByStatus(PermissionStatus status) const;
147
148 /**
149 * Check that the certificate is allowed (valid and permited) for contact.
150 * Valid means the certificate chain matches with our CA list,
151 * has valid signatures, expiration dates etc.
152 * Permited means at least one of the certificate in the chain is
153 * ALLOWED (if allowPublic is false), and none is BANNED.
154 *
155 * @param crt the end certificate of the chain to check
156 * @param allowPublic if false, requires at least one ALLOWED certificate.
157 * (not required otherwise). In any case a BANNED
158 * certificate means permission refusal.
159 * @return true if the certificate is valid and permitted.
160 */
161 bool isAllowed(const crypto::Certificate& crt, bool allowPublic = false);
162
163private:
164 TrustStore(const TrustStore& o) = delete;
165 TrustStore& operator=(const TrustStore& o) = delete;
166 TrustStore(TrustStore&& o) = delete;
167 TrustStore& operator=(TrustStore&& o) = delete;
168
169 void updateKnownCerts();
170 bool setCertificateStatus(std::shared_ptr<crypto::Certificate> cert,
171 const std::string& cert_id,
172 const TrustStore::PermissionStatus status,
173 bool local);
174 void setStoreCertStatus(const crypto::Certificate& crt, bool status);
175 void rebuildTrust();
176
177 struct Status
178 {
179 bool allowed;
180 };
181
182 // unknown certificates with known status
183 mutable std::recursive_mutex mutex_;
184 std::map<std::string, Status> unknownCertStatus_;
185 std::map<std::string, std::pair<std::shared_ptr<crypto::Certificate>, Status>> certStatus_;
186 dht::crypto::TrustList allowed_;
187 CertificateStore& certStore_;
188};
189
190} // namespace tls
Sébastien Blin464bdff2023-07-19 08:02:53 -0400[diff] [blame]191} // namespace dhtnet