1 /* Icinga 2 | (c) 2012 Icinga GmbH | GPLv2+ */
2 
3 #ifndef TLSUTILITY_H
4 #define TLSUTILITY_H
5 
#include "base/i2-base.hpp"
#include "base/debuginfo.hpp"
#include "base/object.hpp"
#include "base/shared.hpp"
#include "base/array.hpp"
#include "base/string.hpp"
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/comp.h>
#include <openssl/sha.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <boost/asio/ssl/context.hpp>
#include <boost/exception/info.hpp>
#include <cstddef>
#include <exception>
#include <memory>
#include <string>
24 
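namespace icinga
{

/**
 * Default cipher list, in OpenSSL's colon-separated suite-name syntax.
 *
 * NOTE(review): the two trailing entries (AES256-GCM-SHA384, AES128-GCM-SHA256)
 * are static-RSA key exchange suites and provide no forward secrecy; every other
 * entry is (EC)DHE. Keep them only while a compatibility requirement still
 * demands it.
 */
const char * const DEFAULT_TLS_CIPHERS = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:AES128-GCM-SHA256";

/**
 * Default minimum TLS protocol version, as a version name string
 * (presumably the spelling accepted by ResolveTlsProtocolVersion()).
 */
const char * const DEFAULT_TLS_PROTOCOLMIN = "TLSv1.2";

/** Default connect timeout. The unit is not stated here — presumably seconds; verify against callers. */
const unsigned int DEFAULT_CONNECT_TIMEOUT = 15;

/** Performs the library-wide OpenSSL initialization; presumably meant to be called once at startup. */
void InitializeOpenSSL();

/** @return The OpenSSL library version as a String. */
String GetOpenSSLVersion();

/**
 * Creates an ASIO SSL context.
 *
 * @param pubkey  Certificate material (presumably a file path); empty by default.
 * @param privkey Private key material (presumably a file path); empty by default.
 * @param cakey   CA material (presumably a file path); empty by default.
 * @return The shared context.
 */
Shared<boost::asio::ssl::context>::Ptr MakeAsioSslContext(const String& pubkey = String(), const String& privkey = String(), const String& cakey = String());

/**
 * Loads the CRL at crlPath into the given context.
 *
 * @param context The context to extend.
 * @param crlPath Path of the CRL file.
 */
void AddCRLToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& context, const String& crlPath);

/**
 * Loads the CRL at crlPath into a raw OpenSSL certificate store.
 *
 * @param x509_store Non-owning pointer to the store; the caller keeps ownership.
 * @param crlPath    Path of the CRL file.
 */
void AddCRLToSSLContext(X509_STORE *x509_store, const String& crlPath);

/**
 * Applies a cipher list (OpenSSL cipher-list syntax, see DEFAULT_TLS_CIPHERS) to the context.
 *
 * @param context    The context to configure.
 * @param cipherList The cipher list string.
 */
void SetCipherListToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& context, const String& cipherList);

/**
 * Applies a minimum TLS protocol version to the context.
 *
 * @param context        The context to configure.
 * @param tlsProtocolmin Version name string (see DEFAULT_TLS_PROTOCOLMIN).
 */
void SetTlsProtocolminToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& context, const String& tlsProtocolmin);

/**
 * Maps a TLS version name to an integer version value.
 *
 * @param version Version name string.
 * @return The resolved version; the exact encoding (e.g. OpenSSL's TLS1_x_VERSION) is not visible here — confirm in the implementation.
 */
int ResolveTlsProtocolVersion(const std::string& version);

/**
 * Builds a fully configured SSL context from file paths and TLS settings.
 *
 * @param certPath    Certificate file path.
 * @param keyPath     Private key file path.
 * @param caPath      CA file path.
 * @param crlPath     CRL file path.
 * @param cipherList  Cipher list string.
 * @param protocolmin Minimum TLS version name.
 * @param di          Debug info, presumably used to locate errors in config.
 * @return The shared context.
 */
Shared<boost::asio::ssl::context>::Ptr SetupSslContext(String certPath, String keyPath,
	String caPath, String crlPath, String cipherList, String protocolmin, DebugInfo di);

/** @return The certificate's subject common name. */
String GetCertificateCN(const std::shared_ptr<X509>& certificate);

/** Loads an X.509 certificate from a PEM file. */
std::shared_ptr<X509> GetX509Certificate(const String& pemfile);

/**
 * Creates a key pair and certificate signing request.
 *
 * @param cn       Common name for the subject.
 * @param keyfile  Output path for the private key.
 * @param csrfile  Output path for the CSR; empty by default.
 * @param certfile Output path for a certificate; empty by default.
 * @param ca       Whether the request is for a CA certificate.
 * @return An int status; its meaning is not documented here — check the implementation before relying on it.
 */
int MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile = String(), const String& certfile = String(), bool ca = false);

/**
 * Creates a certificate for pubkey with the given subject and issuer, signed with cakey.
 *
 * All pointer parameters are non-owning; the caller keeps ownership.
 *
 * @param ca Whether the resulting certificate is a CA certificate.
 */
std::shared_ptr<X509> CreateCert(EVP_PKEY *pubkey, X509_NAME *subject, X509_NAME *issuer, EVP_PKEY *cakey, bool ca);

/** @return The directory holding the Icinga CA files. */
String GetIcingaCADir();

/** Serializes a certificate to a String (presumably PEM; see StringToCertificate()). */
String CertificateToString(const std::shared_ptr<X509>& cert);

/** Parses a certificate from a String (the inverse of CertificateToString()). */
std::shared_ptr<X509> StringToCertificate(const String& cert);

/** Creates a certificate for pubkey/subject signed by the Icinga CA. */
std::shared_ptr<X509> CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject);

/** Creates a certificate signed by the Icinga CA, taking key and subject from an existing certificate. */
std::shared_ptr<X509> CreateCertIcingaCA(const std::shared_ptr<X509>& cert);

/**
 * PBKDF2 with HMAC-SHA1. Legacy variant — prefer PBKDF2_SHA256() for new code.
 *
 * @param password   The secret input.
 * @param salt       The salt.
 * @param iterations Iteration count.
 */
String PBKDF2_SHA1(const String& password, const String& salt, int iterations);

/** PBKDF2 with HMAC-SHA256. See PBKDF2_SHA1() for the parameters. */
String PBKDF2_SHA256(const String& password, const String& salt, int iterations);

/**
 * SHA-1 digest of s. SHA-1 is not collision resistant; use SHA256() where the
 * digest must be collision resistant.
 *
 * @param binary When true, presumably returns the raw digest bytes instead of a hex string — confirm in the implementation.
 */
String SHA1(const String& s, bool binary = false);

/** SHA-256 digest of s. */
String SHA256(const String& s);

/**
 * Returns a random string of the given length.
 *
 * NOTE(review): whether this is backed by a CSPRNG (openssl/rand.h is
 * included) is not visible here — confirm before using the result as a secret.
 */
String RandomString(int length);

/**
 * Hex-encodes length bytes starting at data.
 *
 * @param data   Non-owning pointer to the input bytes.
 * @param length Number of bytes to encode.
 */
String BinaryToHex(const unsigned char* data, size_t length);

/**
 * Verifies certificate against a single CA certificate, consulting a CRL.
 *
 * @param caCertificate The trusted CA certificate.
 * @param certificate   The certificate under test.
 * @param crlFile       Path of a CRL file.
 * @return true when verification succeeds.
 */
bool VerifyCertificate(const std::shared_ptr<X509>& caCertificate, const std::shared_ptr<X509>& certificate, const String& crlFile);

/** @return true if cacert is a CA certificate. */
bool IsCa(const std::shared_ptr<X509>& cacert);

/** @return The certificate's X.509 version number. */
int GetCertificateVersion(const std::shared_ptr<X509>& cert);

/** @return The certificate's signature algorithm name. */
String GetSignatureAlgorithm(const std::shared_ptr<X509>& cert);

/** @return The certificate's subject alternative names as an Array. */
Array::Ptr GetSubjectAltNames(const std::shared_ptr<X509>& cert);

/**
 * Exception type for OpenSSL failures.
 *
 * Derives virtually from both std::exception and boost::exception so it can be
 * caught as either and carry boost::error_info (see errinfo_openssl_error).
 */
class openssl_error : virtual public std::exception, virtual public boost::exception { };

struct errinfo_openssl_error_;

/** boost::error_info tag carrying an OpenSSL error code (unsigned long, presumably from ERR_get_error()). */
using errinfo_openssl_error = boost::error_info<struct errinfo_openssl_error_, unsigned long>;

}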
78 
79 #endif /* TLSUTILITY_H */
80