2 * InspIRCd -- Internet Relay Chat Daemon
4 * Copyright (C) 2009 Daniel De Graaf <danieldg@inspircd.org>
5 * Copyright (C) 2006 Craig Edwards <craigedwards@brainbox.cc>
7 * This file is part of InspIRCd. InspIRCd is free software: you can
8 * redistribute it and/or modify it under the terms of the GNU General Public
9 * License as published by the Free Software Foundation, version 2.
11 * This program is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
13 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
16 * You should have received a copy of the GNU General Public License
17 * along with this program. If not, see <http://www.gnu.org/licenses/>.
27 /** ssl_cert is a class which abstracts SSL certificate
28 * and key information.
30 * Because gnutls and openssl represent key information in
31 * wildly different ways, this class allows it to be accessed
32 * in a unified manner. These classes are attached to ssl-
33 * connected local users using SSLCertExt
35 class ssl_cert : public refcountbase
41 std::string fingerprint;
42 bool trusted, invalid, unknownsigner, revoked;
44 ssl_cert() : trusted(false), invalid(true), unknownsigner(true), revoked(false) {}
46 /** Get certificate distinguished name
47 * @return Certificate DN
49 const std::string& GetDN()
54 /** Get Certificate issuer
55 * @return Certificate issuer
57 const std::string& GetIssuer()
62 /** Get error string if an error has occured
63 * @return The error associated with this users certificate,
64 * or an empty string if there is no error.
66 const std::string& GetError()
71 /** Get key fingerprint.
72 * @return The key fingerprint as a hex string.
74 const std::string& GetFingerprint()
80 * @return True if this is a trusted certificate
81 * (the certificate chain validates)
88 /** Get validity status
89 * @return True if the certificate itself is
98 * @return True if the certificate appears to be
101 bool IsUnknownSigner()
103 return unknownsigner;
106 /** Get revokation status.
107 * @return True if the certificate is revoked.
108 * Note that this only works properly for GnuTLS
118 return trusted && !invalid && !revoked && !unknownsigner && error.empty();
121 std::string GetMetaLine()
123 std::stringstream value;
124 bool hasError = !error.empty();
125 value << (IsInvalid() ? "v" : "V") << (IsTrusted() ? "T" : "t") << (IsRevoked() ? "R" : "r")
126 << (IsUnknownSigner() ? "s" : "S") << (hasError ? "E" : "e") << " ";
130 value << GetFingerprint() << " " << GetDN() << " " << GetIssuer();
135 class SSLIOHook : public IOHook
138 SSLIOHook(Module* mod, const std::string& Name)
139 : IOHook(mod, Name, IOHook::IOH_SSL)
144 * Get the client certificate from a socket
145 * @param sock The socket to get the certificate from, must be using this IOHook
146 * @return The SSL client certificate information
148 virtual ssl_cert* GetCertificate(StreamSocket* sock) = 0;
151 * Get the fingerprint of a client certificate from a socket
152 * @param sock The socket to get the certificate fingerprint from, must be using this IOHook
153 * @return The fingerprint of the SSL client certificate sent by the peer,
154 * empty if no cert was sent
156 std::string GetFingerprint(StreamSocket* sock)
158 ssl_cert* cert = GetCertificate(sock);
160 return cert->GetFingerprint();
165 /** Helper functions for obtaining SSL client certificates and key fingerprints
172 * Get the client certificate from a socket
173 * @param sock The socket to get the certificate from, the socket does not have to use SSL
174 * @return The SSL client certificate information, NULL if the peer is not using SSL
176 static ssl_cert* GetCertificate(StreamSocket* sock)
178 IOHook* iohook = sock->GetIOHook();
179 if ((!iohook) || (iohook->type != IOHook::IOH_SSL))
182 SSLIOHook* ssliohook = static_cast<SSLIOHook*>(iohook);
183 return ssliohook->GetCertificate(sock);
187 * Get the fingerprint of a client certificate from a socket
188 * @param sock The socket to get the certificate fingerprint from, the
189 * socket does not have to use SSL
190 * @return The key fingerprint from the SSL certificate sent by the peer,
191 * empty if no cert was sent or the peer is not using SSL
193 static std::string GetFingerprint(StreamSocket* sock)
195 ssl_cert* cert = SSLClientCert::GetCertificate(sock);
197 return cert->GetFingerprint();
202 /** Get certificate from a user (requires m_sslinfo) */
203 struct UserCertificateRequest : public Request
208 UserCertificateRequest(User* u, Module* Me, Module* info = ServerInstance->Modules->Find("m_sslinfo.so"))
209 : Request(Me, info, "GET_USER_CERT"), user(u), cert(NULL)
214 std::string GetFingerprint()
217 return cert->GetFingerprint();