+ private static const string CERT_HEADER = "-----BEGIN CERTIFICATE-----";
+ private static const string CERT_FOOTER = "-----END CERTIFICATE-----";
+
+ public enum TrustAnchorType {
+ EMPTY,
+ CA_CERT,
+ SERVER_CERT
+ }
+
+ private string _ca_cert = "";
+ private string _subject = "";
+ private string _subject_alt = "";
+ private string _server_cert = "";
+ private string _datetime_added = "";
+
+ private static string fixup (string s) {
+ return (s == null ? "" : s.strip());
+ }
+
+ public TrustAnchor(string ca_cert, string server_cert, string subject, string subject_alt) {
+ _ca_cert = fixup(ca_cert);
+ _server_cert = fixup(server_cert);
+ _subject = fixup(subject);
+ _subject_alt = fixup(subject_alt);
+
+ // If we're reading from store, this will be overridden (see set_datetime_added)
+ _datetime_added = "";
+
+ // Work around a Portal bug that littered some credential files with this cruft.
+ string cruft =
+"""<!-- Remove the begin and end lines from the PEM output of
+openssl to produce this format. Alternatively, base64 encode a DER format certificate -->""";
+ _ca_cert = _ca_cert.replace(cruft, "");
+ }
+
+ public TrustAnchor.empty() {
+ }
+
+
+ public string ca_cert {
+ get {
+ return _ca_cert;
+ }
+ }
+
+ public string subject {
+ get {
+ return _subject;
+ }
+ }
+
+ public string subject_alt {
+ get {
+ return _subject_alt;
+ }
+ }
+
+
+ public string server_cert {
+ get {
+ return _server_cert;
+ }
+ }
+
+ public string datetime_added {
+ get {
+ return _datetime_added;
+ }
+ }
+
+ public bool is_empty() {
+ return ca_cert == "" && server_cert == "";
+ }
+
+ public TrustAnchorType get_anchor_type() {
+ return (server_cert != "" ? TrustAnchorType.SERVER_CERT
+ : (ca_cert != "" ? TrustAnchorType.CA_CERT : TrustAnchorType.EMPTY));
+ }
+
+ internal void set_datetime_added(string datetime) {
+ _datetime_added = fixup(datetime);
+ }
+
+ internal static string format_datetime_now() {
+ DateTime now = new DateTime.now_utc();
+ string dt = now.format("%b %d %T %Y %Z");
+ return dt;
+ }
+
+ internal void update_server_fingerprint(string fingerprint) {
+ this._server_cert = fingerprint;
+ string ta_datetime_added = TrustAnchor.format_datetime_now();
+ this.set_datetime_added(ta_datetime_added);
+ }
+
+ public int Compare(TrustAnchor other)
+ {
+ if (this.ca_cert != other.ca_cert) {
+ // IdCard.logger.trace("TrustAnchor.Compare: this.ca_cert='%s'; other.ca_cert='%s'".printf(this.ca_cert, other.ca_cert));
+ return 1;
+ }
+ if (this.subject != other.subject) {
+ // IdCard.logger.trace("TrustAnchor.Compare: this.subject='%s'; other.subject='%s'".printf(this.subject, other.subject));
+ return 1;
+ }
+ if (this.subject_alt != other.subject_alt) {
+ // IdCard.logger.trace("TrustAnchor.Compare: this.subject_alt='%s'; other.subject_alt='%s'".printf(this.subject_alt, other.subject_alt));
+ return 1;
+ }
+ if (this.server_cert != other.server_cert) {
+ // IdCard.logger.trace("TrustAnchor.Compare: this.server_cert=%s'; other.server_cert='%s'".printf(this.server_cert, other.server_cert));
+ return 1;
+ }
+
+ // Do not compare the datetime_added fields; it's not essential.
+
+ return 0;
+ }
+
+ public string? get_expiration_date(out string? err_out=null)
+ {
+ if (&err_out != null) {
+ err_out = null;
+ }
+
+ if (this.ca_cert == "") {
+ if (&err_out != null) {
+ err_out = "Trust anchor does not have a ca_certificate";
+ return null;
+ }
+ }
+
+ string cert = this.ca_cert;
+ cert.chomp();
+
+ uchar[] binary = Base64.decode(cert);
+ IdCard.logger.trace("get_expiration_date: encoded length=%d; decoded length=%d".printf(cert.length, binary.length));
+
+ char buf[64];
+ string err = (string) get_cert_valid_before(binary, binary.length, buf, 64);
+ if (err != "") {
+ IdCard.logger.error(@"get_expiration_date: get_cert_valid_before returned '$err'");
+ if (&err_out != null) {
+ err_out = err;
+ }
+ return null;
+ }
+
+ string date = (string) buf;
+ IdCard.logger.trace(@"get_expiration_date: get_cert_valid_before returned '$date'");
+
+ return date;
+ }