2 * Copyright (c) 2011-2016, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 extern char* get_cert_valid_before(uchar* inbuf, int inlen, char* outbuf, int outlen);
38 // A TrustAnchor object can be imported or installed via the API, but cannot
39 // be modified by the user, other than being cleared. Hence the fields are read-only.
40 public class TrustAnchor : Object
42 private static const string CERT_HEADER = "-----BEGIN CERTIFICATE-----";
43 private static const string CERT_FOOTER = "-----END CERTIFICATE-----";
45 public enum TrustAnchorType {
51 private string _ca_cert = "";
52 private string _subject = "";
53 private string _subject_alt = "";
54 private string _server_cert = "";
55 private string _datetime_added = "";
57 private static string fixup (string s) {
58 return (s == null ? "" : s.strip());
61 public TrustAnchor(string ca_cert, string server_cert, string subject, string subject_alt) {
62 _ca_cert = fixup(ca_cert);
63 _server_cert = fixup(server_cert);
64 _subject = fixup(subject);
65 _subject_alt = fixup(subject_alt);
67 // If we're reading from store, this will be overridden (see set_datetime_added)
70 // Work around a Portal bug that littered some credential files with this cruft.
72 """<!-- Remove the begin and end lines from the PEM output of
73 openssl to produce this format. Alternatively, base64 encode a DER format certificate -->""";
74 _ca_cert = _ca_cert.replace(cruft, "");
75 stdout.printf("ca_cert is now " + _ca_cert + "\n");
78 public TrustAnchor.empty() {
82 public string ca_cert {
88 public string subject {
94 public string subject_alt {
101 public string server_cert {
107 public string datetime_added {
109 return _datetime_added;
113 public bool is_empty() {
114 return ca_cert == "" && server_cert == "";
117 public TrustAnchorType get_anchor_type() {
118 return (server_cert != "" ? TrustAnchorType.SERVER_CERT
119 : (ca_cert != "" ? TrustAnchorType.CA_CERT : TrustAnchorType.EMPTY));
122 internal void set_datetime_added(string datetime) {
123 _datetime_added = fixup(datetime);
126 internal static string format_datetime_now() {
127 DateTime now = new DateTime.now_utc();
128 string dt = now.format("%b %d %T %Y %Z");
132 internal void update_server_fingerprint(string fingerprint) {
133 this._server_cert = fingerprint;
134 string ta_datetime_added = TrustAnchor.format_datetime_now();
135 this.set_datetime_added(ta_datetime_added);
138 public int Compare(TrustAnchor other)
140 if (this.ca_cert != other.ca_cert) {
141 // IdCard.logger.trace("TrustAnchor.Compare: this.ca_cert='%s'; other.ca_cert='%s'".printf(this.ca_cert, other.ca_cert));
144 if (this.subject != other.subject) {
145 // IdCard.logger.trace("TrustAnchor.Compare: this.subject='%s'; other.subject='%s'".printf(this.subject, other.subject));
148 if (this.subject_alt != other.subject_alt) {
149 // IdCard.logger.trace("TrustAnchor.Compare: this.subject_alt='%s'; other.subject_alt='%s'".printf(this.subject_alt, other.subject_alt));
152 if (this.server_cert != other.server_cert) {
153 // IdCard.logger.trace("TrustAnchor.Compare: this.server_cert=%s'; other.server_cert='%s'".printf(this.server_cert, other.server_cert));
157 // Do not compare the datetime_added fields; it's not essential.
162 public string? get_expiration_date(out string? err_out=null)
164 if (&err_out != null) {
168 if (this.ca_cert == "") {
169 if (&err_out != null) {
170 err_out = "Trust anchor does not have a ca_certificate";
175 string cert = this.ca_cert;
178 uchar[] binary = Base64.decode(cert);
179 IdCard.logger.trace("get_expiration_date: encoded length=%d; decoded length=%d".printf(cert.length, binary.length));
182 string err = (string) get_cert_valid_before(binary, binary.length, buf, 64);
184 IdCard.logger.error(@"get_expiration_date: get_cert_valid_before returned '$err'");
185 if (&err_out != null) {
191 string date = (string) buf;
192 IdCard.logger.trace(@"get_expiration_date: get_cert_valid_before returned '$date'");
201 public string pattern;
202 public string always_confirm;
203 public int Compare(Rule other) {
204 if (this.pattern != other.pattern)
206 if (this.always_confirm != other.always_confirm)
212 public class IdCard : Object
214 internal static MoonshotLogger logger = get_logger("IdCard");
216 public const string NO_IDENTITY = "No Identity";
218 private string _username = "";
219 private string _issuer = "";
221 public string display_name { get; set; default = ""; }
223 public string username {
233 public string issuer {
243 private void update_nai() {
244 _nai = username + "@" + issuer;
248 private unowned string _password;
249 public string password {
251 return (_password!=null) ? _password : "";
254 if (_password != null) {
255 GnomeKeyring.memory_free((void *)_password);
259 _password = GnomeKeyring.memory_strdup(value);
263 public string password { get; set; default = null; }
266 private Rule[] _rules = new Rule[0];
267 public Rule[] rules {
269 internal set {_rules = value ?? new Rule[0] ;}
272 private ArrayList<string> _services = new ArrayList<string>();
274 internal ArrayList<string> services {
275 get {return _services;}
278 // Returns the list of services as a string, using the given separator.
279 internal string get_services_string(string sep) {
280 if (_services.is_empty) {
284 // ArrayList.to_array() seems to be unreliable -- it causes segfaults
285 // semi-randomly. (Possibly because it returns an unowned ref?)
286 // return string.joinv(sep, _services.to_array());
288 // This problem may be related to the one noted elsewhere as the
289 // "Centos vala array property bug".
291 string[] svcs = new string[_services.size];
292 for (int i = 0; i < _services.size; i++) {
293 svcs[i] = _services[i];
296 return string.joinv(sep, svcs);
299 internal void update_services(string[] services) {
302 // Doesn't exist in older versions of libgee:
303 // _services.add_all_array(services);
305 if (services != null) {
306 foreach (string s in services) {
312 internal void update_services_from_list(ArrayList<string> services) {
313 if (services == this._services) {
314 // Don't try to update from self.
320 if (services != null) {
321 _services.add_all(services);
326 public bool temporary {get; set; default = false; }
328 private TrustAnchor _trust_anchor = new TrustAnchor.empty();
329 public TrustAnchor trust_anchor {
331 return _trust_anchor;
335 // For use by storage implementations.
336 internal void set_trust_anchor_from_store(TrustAnchor ta) {
340 internal void clear_trust_anchor() {
341 _trust_anchor = new TrustAnchor.empty();
344 public string nai { public get; private set;}
346 public bool store_password { get; set; default = false; }
348 // uuid is currently used only for debugging. Must be unique, even between cards with same nai and display name.
350 public get {return _uuid;}
352 private string _uuid = generate_uuid();
354 internal static string generate_uuid() {
355 uint32 rand1 = Random.next_int();
356 uint32 rand2 = Random.next_int();
357 return "%08X.%08X::%s".printf(rand1, rand2, TrustAnchor.format_datetime_now());
360 public bool is_no_identity()
362 return (display_name == NO_IDENTITY);
365 public enum DiffFlags {
375 public int Compare(IdCard other)
378 if (this.display_name != other.display_name)
379 diff |= 1 << DiffFlags.DISPLAY_NAME;
381 if (this.username != other.username)
382 diff |= 1 << DiffFlags.USERNAME;
384 if (this.password != other.password)
385 diff |= 1 << DiffFlags.PASSWORD;
387 if (this.issuer != other.issuer)
388 diff |= 1 << DiffFlags.ISSUER;
390 if (CompareRules(this.rules, other.rules)!=0)
391 diff |= 1 << DiffFlags.RULES;
393 if (CompareStringArrayList(this._services, other._services)!=0)
394 diff |= 1 << DiffFlags.SERVICES;
396 if (this.trust_anchor.Compare(other.trust_anchor)!=0)
397 diff |= 1 << DiffFlags.TRUST_ANCHOR;
399 // stdout.printf("Diff Flags: %x\n", diff);
400 if (this.display_name == other.display_name && diff != 0) {
401 logger.trace("Compare: Two IDs with display_name '%s', but diff_flags=%0x".printf(this.display_name, diff));
406 public static IdCard NewNoIdentity()
408 IdCard card = new IdCard();
409 card.display_name = NO_IDENTITY;
417 internal void add_rule(Rule rule) {
422 public int CompareRules(Rule[] a, Rule[] b)
424 if (a.length != b.length) {
428 for (int i = 0; i < a.length; i++) {
429 if (a[i].Compare(b[i]) != 0) {
436 public int CompareStringArrayList(ArrayList<string> a, ArrayList<string> b)
438 if (a.size != b.size) {
442 for (int i = 0; i < a.size; i++) {