From 0915b3ef56dfac3113cce55a59a5765dc94976be Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 28 Apr 2024 14:34:54 +0200 Subject: Adding upstream version 2.13.6. Signed-off-by: Daniel Baumann --- lib/base/tlsutility.hpp | 85 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100644 lib/base/tlsutility.hpp (limited to 'lib/base/tlsutility.hpp') diff --git a/lib/base/tlsutility.hpp b/lib/base/tlsutility.hpp new file mode 100644 index 0000000..3b8a89c --- /dev/null +++ b/lib/base/tlsutility.hpp @@ -0,0 +1,85 @@ +/* Icinga 2 | (c) 2012 Icinga GmbH | GPLv2+ */ + +#ifndef TLSUTILITY_H +#define TLSUTILITY_H + +#include "base/i2-base.hpp" +#include "base/debuginfo.hpp" +#include "base/object.hpp" +#include "base/shared.hpp" +#include "base/array.hpp" +#include "base/string.hpp" +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +namespace icinga +{ + +const char * const DEFAULT_TLS_CIPHERS = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:AES128-GCM-SHA256"; + +const char * const DEFAULT_TLS_PROTOCOLMIN = "TLSv1.2"; +const unsigned int DEFAULT_CONNECT_TIMEOUT = 15; + +const auto ROOT_VALID_FOR = 60 * 60 * 24 * 365 * 15; +const auto LEAF_VALID_FOR = 60 * 60 * 24 * 397; +const auto RENEW_THRESHOLD = 60 * 60 * 24 * 30; +const auto RENEW_INTERVAL = 60 * 60 * 24; + +void InitializeOpenSSL(); + +String GetOpenSSLVersion(); + +Shared::Ptr MakeAsioSslContext(const String& pubkey = String(), const String& privkey = String(), const String& cakey = String()); +void AddCRLToSSLContext(const Shared::Ptr& context, const String& crlPath); +void AddCRLToSSLContext(X509_STORE *x509_store, const String& crlPath); +void SetCipherListToSSLContext(const Shared::Ptr& context, const String& cipherList); +void SetTlsProtocolminToSSLContext(const Shared::Ptr& context, const String& tlsProtocolmin); +int ResolveTlsProtocolVersion(const std::string& version); + +Shared::Ptr SetupSslContext(String certPath, String keyPath, + String caPath, String crlPath, String cipherList, String protocolmin, DebugInfo di); + +String GetCertificateCN(const std::shared_ptr& certificate); +std::shared_ptr GetX509Certificate(const String& pemfile); +int MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile = String(), const String& certfile = String(), bool ca = false); +std::shared_ptr CreateCert(EVP_PKEY *pubkey, X509_NAME *subject, X509_NAME *issuer, EVP_PKEY *cakey, bool ca); + +String GetIcingaCADir(); +String CertificateToString(const std::shared_ptr& cert); + +std::shared_ptr StringToCertificate(const String& cert); +std::shared_ptr CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject); +std::shared_ptr CreateCertIcingaCA(const std::shared_ptr& cert); +bool IsCertUptodate(const std::shared_ptr& cert); + +String PBKDF2_SHA1(const String& password, const String& salt, int iterations); +String PBKDF2_SHA256(const String& password, const String& salt, int iterations); +String SHA1(const String& s, bool binary = false); +String SHA256(const String& s); +String RandomString(int length); +String BinaryToHex(const unsigned char* data, size_t length); + +bool VerifyCertificate(const std::shared_ptr& caCertificate, const std::shared_ptr& certificate, const String& crlFile); +bool IsCa(const std::shared_ptr& cacert); +int GetCertificateVersion(const std::shared_ptr& cert); +String GetSignatureAlgorithm(const std::shared_ptr& cert); +Array::Ptr GetSubjectAltNames(const std::shared_ptr& cert); + +class openssl_error : virtual public std::exception, virtual public boost::exception { }; + +struct errinfo_openssl_error_; +typedef boost::error_info errinfo_openssl_error; + +} + +#endif /* TLSUTILITY_H */ -- cgit v1.2.3