/* +------------------------------------+
* | Inspire Internet Relay Chat Daemon |
* +------------------------------------+
*
* InspIRCd: (C) 2002-2010 InspIRCd Development Team
* See: http://wiki.inspircd.org/Credits
*
* This program is free but copyrighted software; see
* the file COPYING for details.
*
* ---------------------------------------------------
*/
#ifndef __SSL_H__
#define __SSL_H__
#include <map>
#include <string>
/** ssl_cert is a class which abstracts SSL certificate
* and key information.
*
* Because gnutls and openssl represent key information in
* wildly different ways, this class allows it to be accessed
* in a unified manner. These classes are attached to ssl-
* connected local users using SSLCertExt
*/
class ssl_cert : public refcountbase
{
public:
std::string dn;
std::string issuer;
std::string error;
std::string fingerprint;
bool trusted, invalid, unknownsigner, revoked;
ssl_cert() : trusted(false), invalid(true), unknownsigner(true), revoked(false) {}
/** Get certificate distinguished name
* @return Certificate DN
*/
const std::string& GetDN()
{
return dn;
}
/** Get Certificate issuer
* @return Certificate issuer
*/
const std::string& GetIssuer()
{
return issuer;
}
/** Get error string if an error has occured
* @return The error associated with this users certificate,
* or an empty string if there is no error.
*/
const std::string& GetError()
{
return error;
}
/** Get key fingerprint.
* @return The key fingerprint as a hex string.
*/
const std::string& GetFingerprint()
{
return fingerprint;
}
/** Get trust status
* @return True if this is a trusted certificate
* (the certificate chain validates)
*/
bool IsTrusted()
{
return trusted;
}
/** Get validity status
* @return True if the certificate itself is
* correctly formed.
*/
bool IsInvalid()
{
return invalid;
}
/** Get signer status
* @return True if the certificate appears to be
* self-signed.
*/
bool IsUnknownSigner()
{
return unknownsigner;
}
/** Get revokation status.
* @return True if the certificate is revoked.
* Note that this only works properly for GnuTLS
* right now.
*/
bool IsRevoked()
{
return revoked;
}
bool IsCAVerified()
{
return trusted && !invalid && !revoked && !unknownsigner && error.empty();
}
std::string GetMetaLine()
{
std::stringstream value;
bool hasError = error.length();
value << (IsInvalid() ? "v" : "V") << (IsTrusted() ? "T" : "t") << (IsRevoked() ? "R" : "r")
<< (IsUnknownSigner() ? "s" : "S") << (hasError ? "E" : "e") << " ";
if (hasError)
value << GetError();
else
value << GetFingerprint() << " " << GetDN() << " " << GetIssuer();
return value.str();
}
};
/** Get certificate from a socket (only useful with an SSL module) */
struct SocketCertificateRequest : public Request
{
StreamSocket* const sock;
ssl_cert* cert;
SocketCertificateRequest(StreamSocket* ss, Module* Me)
: Request(Me, ss->GetIOHook(), "GET_SSL_CERT"), sock(ss), cert(NULL)
{
Send();
}
std::string GetFingerprint()
{
if (cert)
return cert->GetFingerprint();
return "";
}
};
/** Get certificate from a user (requires m_sslinfo) */
struct UserCertificateRequest : public Request
{
User* const user;
ssl_cert* cert;
UserCertificateRequest(User* u, Module* Me, Module* info = ServerInstance->Modules->Find("m_sslinfo.so"))
: Request(Me, info, "GET_USER_CERT"), user(u), cert(NULL)
{
Send();
}
std::string GetFingerprint()
{
if (cert)
return cert->GetFingerprint();
return "";
}
};
#endif