1/*
2 * Copyright 2017-present Facebook, Inc.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16#pragma once
17
18#include <string>
19#include <vector>
20
21#include <folly/Optional.h>
22#include <folly/io/IOBuf.h>
23#include <folly/portability/OpenSSL.h>
24#include <folly/ssl/OpenSSLPtrTypes.h>
25
26namespace folly {
27namespace ssl {
28
29class OpenSSLCertUtils {
30 public:
31 // Note: non-const until OpenSSL 1.1.0
32 static Optional<std::string> getCommonName(X509& x509);
33
34 static std::vector<std::string> getSubjectAltNames(X509& x509);
35
36 /*
37 * Return the subject name, if any, from the cert
38 * @param x509 Reference to an X509
39 * @return a folly::Optional<std::string>, or folly::none
40 */
41 static Optional<std::string> getSubject(X509& x509);
42
43 /*
44 * Return the issuer name, if any, from the cert
45 * @param x509 Reference to an X509
46 * @return a folly::Optional<std::string>, or folly::none
47 */
48 static Optional<std::string> getIssuer(X509& x509);
49
50 /*
51 * Get a string representation of the not-before time on the certificate
52 */
53 static std::string getNotBeforeTime(X509& x509);
54
55 /*
56 * Get a string representation of the not-after (expiration) time
57 */
58 static std::string getNotAfterTime(X509& x509);
59
60 /*
61 * Summarize the CN, Subject, Issuer, Validity, and extensions as a string
62 */
63 static folly::Optional<std::string> toString(X509& x509);
64
65 /**
66 * Decode the DER representation of an X509 certificate.
67 *
68 * Throws on error (if a valid certificate can't be decoded).
69 */
70 static X509UniquePtr derDecode(ByteRange);
71
72 /**
73 * Encode an X509 certificate in DER format.
74 *
75 * Throws on error.
76 */
77 static std::unique_ptr<IOBuf> derEncode(X509&);
78
79 /**
80 * Read certificates from memory and returns them as a vector of X509
81 * pointers. Throw if there is any malformed cert or memory allocation
82 * problem.
83 * @param range Buffer to parse.
84 * @return A vector of X509 objects.
85 */
86 static std::vector<X509UniquePtr> readCertsFromBuffer(ByteRange range);
87
88 /**
89 * Return the output of the X509_digest for chosen message-digest algo
90 * NOTE: The returned digest will be in binary, and may need to be
91 * hex-encoded
92 */
93 static std::array<uint8_t, SHA_DIGEST_LENGTH> getDigestSha1(X509& x509);
94 static std::array<uint8_t, SHA256_DIGEST_LENGTH> getDigestSha256(X509& x509);
95
96 /**
97 * Read a store from a file. Throw if unable to read the file, memory
98 * allocation fails, or any cert can't be parsed or added to the store.
99 * @param caFile Path to the CA file.
100 * @return A X509 store that contains certs in the CA file.
101 */
102 static X509StoreUniquePtr readStoreFromFile(std::string caFile);
103
104 /**
105 * Read a store from a PEM buffer. Throw if memory allocation fails, or
106 * any cert can't be parsed or added to the store.
107 * @param range A buffer containing certs in PEM format.
108 * @return A X509 store that contains certs in the CA file.
109 */
110 static X509StoreUniquePtr readStoreFromBuffer(ByteRange range);
111
112 private:
113 static std::string getDateTimeStr(const ASN1_TIME* time);
114};
115} // namespace ssl
116} // namespace folly
117