LCOV - code coverage report
Current view: top level - src/connectivity/security - tlsvalidator.h (source / functions) Hit Total Coverage
Test: jami-coverage-filtered.info Lines: 0 3 0.0 %
Date: 2024-12-21 08:56:24 Functions: 0 2 0.0 %

          Line data    Source code
       1             : /*
       2             :  *  Copyright (C) 2004-2024 Savoir-faire Linux Inc.
       3             :  *
       4             :  *  This program is free software: you can redistribute it and/or modify
       5             :  *  it under the terms of the GNU General Public License as published by
       6             :  *  the Free Software Foundation, either version 3 of the License, or
       7             :  *  (at your option) any later version.
       8             :  *
       9             :  *  This program is distributed in the hope that it will be useful,
      10             :  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
      11             :  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
      12             :  *  GNU General Public License for more details.
      13             :  *
      14             :  *  You should have received a copy of the GNU General Public License
      15             :  *  along with this program. If not, see <https://www.gnu.org/licenses/>.
      16             :  */
      17             : #pragma once
      18             : 
      19             : #include "enumclass_utils.h"
      20             : #include <dhtnet/certstore.h>
      21             : 
      22             : #include <string>
      23             : #include <vector>
      24             : #include <memory>
      25             : 
      26             : // OpenDHT
      27             : namespace dht {
      28             : namespace crypto {
      29             : struct Certificate;
      30             : }
      31             : } // namespace dht
      32             : 
      33             : namespace jami {
      34             : namespace tls {
      35             : 
      36             : #if !defined(S_IRWXG)
      37             : #define S_IRWXG 00070
      38             : #endif /* S_IRWXG */
      39             : #if !defined(S_IRGRP)
      40             : #define S_IRGRP 00040
      41             : #endif /* S_IRGRP */
      42             : #if !defined(S_IWGRP)
      43             : #define S_IWGRP 00020
      44             : #endif /* S_IWGRP */
      45             : #if !defined(S_IXGRP)
      46             : #define S_IXGRP 00010
      47             : #endif /* S_IXGRP */
      48             : #if !defined(S_IRWXO)
      49             : #define S_IRWXO 00007
      50             : #endif /* S_IRWXO */
      51             : #if !defined(S_IROTH)
      52             : #define S_IROTH 00004
      53             : #endif /* S_IROTH */
      54             : #if !defined(S_IWOTH)
      55             : #define S_IWOTH 00002
      56             : #endif /* S_IWOTH */
      57             : #if !defined(S_IXOTH)
      58             : #define S_IXOTH 00001
      59             : #endif /* S_IXOTH */
      60             : 
      61             : class TlsValidatorException : public std::runtime_error
      62             : {
      63             : public:
      64           0 :     TlsValidatorException(const std::string& str)
      65           0 :         : std::runtime_error(str) {};
      66             : };
      67             : 
      68             : class TlsValidator
      69             : {
      70             : public:
      71             :     /**
      72             :      * @enum CertificateCheck All validation fields
      73             :      *
      74             :      */
      75             :     enum class CertificateCheck {
      76             :         HAS_PRIVATE_KEY, /** This certificate has a build in private key                          */
      77             :         EXPIRED,         /** This certificate is past its expiration date                         */
      78             :         STRONG_SIGNING,  /** This certificate has been signed with a brute-force-able method      */
      79             :         NOT_SELF_SIGNED, /** This certificate has been self signed                                */
      80             :         KEY_MATCH,       /** The public and private keys provided don't match                     */
      81             :         PRIVATE_KEY_STORAGE_PERMISSION, /** The file hosting the private key isn't correctly secured */
      82             :         PUBLIC_KEY_STORAGE_PERMISSION, /** The file hosting the public key isn't correctly secured */
      83             :         PRIVATE_KEY_DIRECTORY_PERMISSIONS, /** The folder storing the private key isn't correctly
      84             :                                               secured           */
      85             :         PUBLIC_KEY_DIRECTORY_PERMISSIONS,  /** The folder storing the public key isn't correctly
      86             :                                               secured            */
      87             :         PRIVATE_KEY_STORAGE_LOCATION, /** Some operating systems have extra policies for certificate
      88             :                                          storage   */
      89             :         PUBLIC_KEY_STORAGE_LOCATION,  /** Some operating systems have extra policies for certificate
      90             :                                          storage   */
      91             :         PRIVATE_KEY_SELINUX_ATTRIBUTES, /** Some operating systems require keys to have extra
      92             :                                            attributes         */
      93             :         PUBLIC_KEY_SELINUX_ATTRIBUTES,  /** Some operating systems require keys to have extra
      94             :                                            attributes         */
      95             :         EXIST,           /** The certificate file doesn't exist or is not accessible              */
      96             :         VALID,           /** The file is not a certificate                                        */
      97             :         VALID_AUTHORITY, /** The claimed authority did not sign the certificate                   */
      98             :         KNOWN_AUTHORITY, /** Some operating systems provide a list of trusted authorities, use it */
      99             :         NOT_REVOKED,     /** The certificate has been revoked by the authority                    */
     100             :         AUTHORITY_MISMATCH, /** The certificate and authority mismatch */
     101             :         UNEXPECTED_OWNER,   /** The certificate has an expected owner   */
     102             :         NOT_ACTIVATED, /** The certificate has not been activated yet                           */
     103             :         COUNT__,
     104             :     };
     105             : 
     106             :     /**
     107             :      * @enum CertificateDetails Informative fields about a certificate
     108             :      */
     109             :     enum class CertificateDetails {
     110             :         EXPIRATION_DATE, /** The certificate expiration date                                      */
     111             :         ACTIVATION_DATE, /** The certificate activation date                                      */
     112             :         REQUIRE_PRIVATE_KEY_PASSWORD, /** Does the private key require a password */
     113             :         PUBLIC_SIGNATURE,
     114             :         VERSION_NUMBER,
     115             :         SERIAL_NUMBER,
     116             :         ISSUER,
     117             :         SUBJECT_KEY_ALGORITHM,
     118             :         SUBJECT_KEY,
     119             :         CN,
     120             :         UID,
     121             :         N,
     122             :         O,
     123             :         SIGNATURE_ALGORITHM,
     124             :         MD5_FINGERPRINT,
     125             :         SHA1_FINGERPRINT,
     126             :         PUBLIC_KEY_ID,
     127             :         ISSUER_DN,
     128             :         ISSUER_CN,
     129             :         ISSUER_UID,
     130             :         ISSUER_N,
     131             :         ISSUER_O,
     132             :         NEXT_EXPECTED_UPDATE_DATE,
     133             :         OUTGOING_SERVER, /** The hostname/outgoing server used for this certificate               */
     134             :         IS_CA,
     135             :         COUNT__
     136             :     };
     137             : 
     138             :     /**
     139             :      * @enum CheckValuesType Categories of possible values for each CertificateCheck
     140             :      */
     141             :     enum class CheckValuesType {
     142             :         BOOLEAN,
     143             :         ISO_DATE,
     144             :         CUSTOM,
     145             :         NUMBER,
     146             :         COUNT__,
     147             :     };
     148             : 
     149             :     /**
     150             :      * @enum CheckValue possible values for check
     151             :      *
     152             :      * All boolean check use PASSED when the test result is positive and
     153             :      * FAILED when it is negative. All new check need to keep this convention
     154             :      * or ::isValid() result will become unrepresentative of the real state.
     155             :      *
     156             :      * CUSTOM should be avoided when possible. This enum can be extended when
     157             :      * new validated types are required.
     158             :      */
     159             :     enum class CheckValues {
     160             :         PASSED,      /** Equivalent of a boolean "true"                                    */
     161             :         FAILED,      /** Equivalent of a boolean "false"                                   */
     162             :         UNSUPPORTED, /** The operating system doesn't support or require the check         */
     163             :         ISO_DATE,    /** The check value is an ISO 8601 date YYYY-MM-DD[TH24:MM:SS+00:00]  */
     164             :         CUSTOM,      /** The check value cannot be represented with a finite set of values */
     165             :         NUMBER,
     166             :         COUNT__,
     167             :     };
     168             : 
     169             :     /**
     170             :      * @typedef CheckResult A validated and unvalidated result pair
     171             :      *
     172             :      * The CheckValue is the most important value of the pair. The string
     173             :      * can either be the value of a CheckValues::CUSTOM result or an
     174             :      * error code (where applicable).
     175             :      */
     176             :     using CheckResult = std::pair<CheckValues, std::string>;
     177             : 
     178             :     /**
     179             :      * Create a TlsValidator for a given certificate
     180             :      * @param certificate The certificate path
     181             :      * @param privatekey An optional private key file path
     182             :      * @param privatekeyPasswd An optional private key password
     183             :      * @param caList An optional CA list to use for certificate validation
     184             :      */
     185             :     TlsValidator(const dhtnet::tls::CertificateStore& certStore,
     186             :                  const std::string& certificate,
     187             :                  const std::string& privatekey = "",
     188             :                  const std::string& privatekeyPasswd = "",
     189             :                  const std::string& caList = "");
     190             : 
     191             :     TlsValidator(const dhtnet::tls::CertificateStore& certStore, const std::vector<std::vector<uint8_t>>& certificate_chain_raw);
     192             : 
     193             :     TlsValidator(const dhtnet::tls::CertificateStore& certStore, const std::vector<uint8_t>& certificate_raw);
     194             : 
     195             :     TlsValidator(const dhtnet::tls::CertificateStore& certStore, const std::shared_ptr<dht::crypto::Certificate>&);
     196             : 
     197             :     ~TlsValidator();
     198             : 
     199             :     bool hasCa() const;
     200             : 
     201             :     bool isValid(bool verbose = false);
     202             : 
     203             :     // Security checks
     204             :     CheckResult hasPrivateKey();
     205             :     CheckResult notExpired();
     206             :     CheckResult strongSigning();
     207             :     CheckResult notSelfSigned();
     208             :     CheckResult keyMatch();
     209             :     CheckResult privateKeyStoragePermissions();
     210             :     CheckResult publicKeyStoragePermissions();
     211             :     CheckResult privateKeyDirectoryPermissions();
     212             :     CheckResult publicKeyDirectoryPermissions();
     213             :     CheckResult privateKeyStorageLocation();
     214             :     CheckResult publicKeyStorageLocation();
     215             :     CheckResult privateKeySelinuxAttributes();
     216             :     CheckResult publicKeySelinuxAttributes();
     217             :     CheckResult exist();
     218             :     CheckResult valid();
     219             :     CheckResult validAuthority();
     220             :     CheckResult knownAuthority();
     221             :     CheckResult notRevoked();
     222             :     CheckResult authorityMatch();
     223             :     CheckResult expectedOwner();
     224             :     CheckResult activated();
     225             : 
     226             :     // Certificate details
     227             :     CheckResult getExpirationDate();
     228             :     CheckResult getActivationDate();
     229             :     CheckResult requirePrivateKeyPassword();
     230             :     CheckResult getPublicSignature();
     231             :     CheckResult getVersionNumber();
     232             :     CheckResult getSerialNumber();
     233             :     CheckResult getIssuer();
     234             :     CheckResult getSubjectKeyAlgorithm();
     235             :     CheckResult getSubjectKey();
     236             :     CheckResult getCN();
     237             :     CheckResult getUID();
     238             :     CheckResult getN();
     239             :     CheckResult getO();
     240             :     CheckResult getSignatureAlgorithm();
     241             :     CheckResult getMd5Fingerprint();
     242             :     CheckResult getSha1Fingerprint();
     243             :     CheckResult getPublicKeyId();
     244             :     CheckResult getIssuerDN();
     245             :     CheckResult getIssuerCN();
     246             :     CheckResult getIssuerUID();
     247             :     CheckResult getIssuerN();
     248             :     CheckResult getIssuerO();
     249             :     CheckResult outgoingServer();
     250             :     CheckResult isCA();
     251             : 
     252             :     void setCaTlsValidator(const TlsValidator& validator);
     253             : 
     254             :     std::map<std::string, std::string> getSerializedChecks();
     255             : 
     256             :     std::map<std::string, std::string> getSerializedDetails();
     257             : 
     258           0 :     std::shared_ptr<dht::crypto::Certificate> getCertificate() const { return x509crt_; }
     259             : 
     260             : private:
     261             :     // Enum class names
     262             :     static const EnumClassNames<CertificateCheck> CertificateCheckNames;
     263             : 
     264             :     static const EnumClassNames<CertificateDetails> CertificateDetailsNames;
     265             : 
     266             :     static const EnumClassNames<const CheckValuesType> CheckValuesTypeNames;
     267             : 
     268             :     static const EnumClassNames<CheckValues> CheckValuesNames;
     269             : 
     270             :     /**
     271             :      * Map check to their check method
     272             :      */
     273             :     static const CallbackMatrix1D<CertificateCheck, TlsValidator, CheckResult> checkCallback;
     274             : 
     275             :     /**
     276             :      * Map check to their getter method
     277             :      */
     278             :     static const CallbackMatrix1D<CertificateDetails, TlsValidator, CheckResult> getterCallback;
     279             : 
     280             :     /**
     281             :      * Valid values for each categories
     282             :      */
     283             :     static const Matrix2D<CheckValuesType, CheckValues, bool> acceptedCheckValuesResult;
     284             : 
     285             :     static const Matrix1D<CertificateCheck, CheckValuesType> enforcedCheckType;
     286             : 
     287             :     const dhtnet::tls::CertificateStore&  certStore_;
     288             :     std::string certificatePath_;
     289             :     std::string privateKeyPath_;
     290             :     std::string caListPath_ {};
     291             : 
     292             :     std::vector<uint8_t> certificateContent_;
     293             : 
     294             :     std::shared_ptr<dht::crypto::Certificate> x509crt_;
     295             : 
     296             :     bool certificateFileFound_ {false};
     297             :     bool certificateFound_ {false};
     298             :     bool privateKeyFound_ {false};
     299             :     bool privateKeyPassword_ {false};
     300             :     bool privateKeyMatch_ {false};
     301             : 
     302             :     bool caChecked_ {false};
     303             :     unsigned int caValidationOutput_ {
     304             :         0}; // 0 means "no flags set", where flags are ones from gnutls_certificate_status_t
     305             : 
     306             :     mutable char copy_buffer[4096];
     307             : 
     308             :     /**
     309             :      * Helper method to convert a CheckResult into a std::string
     310             :      */
     311             :     std::string getStringValue(const CertificateCheck check, const CheckResult result);
     312             : 
     313             :     // Helper
     314             :     unsigned int compareToCa();
     315             : 
     316             : public:
     317             : #if 0 // TODO reimplement this method. do not use it as it
     318             :     /**
     319             :      * Verify that the local hostname points to a valid SSL server by
     320             :      * establishing a connection to it and by validating its certificate.
     321             :      *
     322             :      * @param host the DNS domain address that the certificate should feature
     323             :      * @return 0 if success, -1 otherwise
     324             :      */
     325             :     static int verifyHostnameCertificate(const std::string& host,
     326             :                                          const uint16_t port);
     327             : #endif
     328             : 
     329             : }; // TlsValidator
     330             : 
     331             : } // namespace tls
     332             : } // namespace jami

Generated by: LCOV version 1.14