libfilezilla
tls_info.hpp
Go to the documentation of this file.
1 #ifndef LIBFILEZILLA_TLS_INFO_HEADER
2 #define LIBFILEZILLA_TLS_INFO_HEADER
3 
8 #include "time.hpp"
9 
10 namespace fz {
11 class logger_interface;
12 
16 class x509_certificate final
17 {
18 public:
20  class subject_name final
21  {
22  public:
23  std::string name;
24  bool is_dns{};
25  };
26 
27  x509_certificate() = default;
28  ~x509_certificate() noexcept = default;
29  x509_certificate(x509_certificate const&) = default;
30  x509_certificate(x509_certificate&&) noexcept = default;
31  x509_certificate& operator=(x509_certificate const&) = default;
32  x509_certificate& operator=(x509_certificate&&) noexcept = default;
33 
35  std::vector<uint8_t> const& rawData,
36  fz::datetime const& activation_time, fz::datetime const& expiration_time,
37  std::string const& serial,
38  std::string const& pkalgoname, unsigned int bits,
39  std::string const& signalgoname,
40  std::string const& fingerprint_sha256,
41  std::string const& fingerprint_sha1,
42  std::string const& issuer,
43  std::string const& subject,
44  std::vector<subject_name> const& alt_subject_names,
45  bool const self_signed);
46 
48  std::vector<uint8_t> && rawdata,
49  fz::datetime const& activation_time, fz::datetime const& expiration_time,
50  std::string const& serial,
51  std::string const& pkalgoname, unsigned int bits,
52  std::string const& signalgoname,
53  std::string const& fingerprint_sha256,
54  std::string const& fingerprint_sha1,
55  std::string const& issuer,
56  std::string const& subject,
57  std::vector<subject_name> && alt_subject_names,
58  bool const self_Signed);
59 
60 
62  std::vector<uint8_t> get_raw_data() const { return raw_cert_; }
63 
64  fz::datetime const& get_activation_time() const { return activation_time_; }
65  fz::datetime const& get_expiration_time() const { return expiration_time_; }
66 
67  std::string const& get_serial() const { return serial_; }
68 
70  std::string const& get_pubkey_algorithm() const { return pkalgoname_; }
71 
73  unsigned int get_pubkey_bits() const { return pkalgobits_; }
74 
76  std::string const& get_signature_algorithm() const { return signalgoname_; }
77 
79  std::string const& get_fingerprint_sha256() const { return fingerprint_sha256_; }
80 
82  std::string const& get_fingerprint_sha1() const { return fingerprint_sha1_; }
83 
88  std::string const& get_subject() const { return subject_; }
89 
91  std::string const& get_issuer() const { return issuer_; }
92 
94  std::vector<subject_name> const& get_alt_subject_names() const { return alt_subject_names_; }
95 
96  explicit operator bool() const { return !raw_cert_.empty(); }
97 
99  bool self_signed() const { return self_signed_; }
100 
101 private:
102  fz::datetime activation_time_;
103  fz::datetime expiration_time_;
104 
105  std::vector<uint8_t> raw_cert_;
106 
107  std::string serial_;
108  std::string pkalgoname_;
109  unsigned int pkalgobits_{};
110 
111  std::string signalgoname_;
112 
113  std::string fingerprint_sha256_;
114  std::string fingerprint_sha1_;
115 
116  std::string issuer_;
117  std::string subject_;
118 
119  std::vector<subject_name> alt_subject_names_;
120 
121  bool self_signed_{};
122 };
123 
131 std::vector<x509_certificate> FZ_PUBLIC_SYMBOL load_certificates_file(native_string const& certsfile, bool pem, bool sort, logger_interface * logger = nullptr);
132 std::vector<x509_certificate> FZ_PUBLIC_SYMBOL load_certificates(std::string_view const& certdata, bool pem, bool sort, logger_interface * logger = nullptr);
133 
142 native_string FZ_PUBLIC_SYMBOL check_certificate_status(std::string_view const& key, std::string_view const& certs, native_string const& password, bool pem = true);
143 
153 class tls_session_info final
154 {
155 public:
156  tls_session_info() = default;
157  ~tls_session_info() = default;
158  tls_session_info(tls_session_info const&) = default;
159  tls_session_info(tls_session_info&&) noexcept = default;
160  tls_session_info& operator=(tls_session_info const&) = default;
161  tls_session_info& operator=(tls_session_info&&) noexcept = default;
162 
163  tls_session_info(std::string const& host, unsigned int port,
164  std::string const& protocol,
165  std::string const& key_exchange,
166  std::string const& session_cipher,
167  std::string const& session_mac,
168  int algorithm_warnings,
169  std::vector<x509_certificate>&& peer_certificates,
170  std::vector<x509_certificate>&& system_trust_chain,
171  bool hostname_mismatch);
172 
174  std::string const& get_host() const { return host_; }
175 
177  unsigned int get_port() const { return port_; }
178 
180  std::string const& get_session_cipher() const { return session_cipher_; }
181 
183  std::string const& get_session_mac() const { return session_mac_; }
184 
197  std::vector<fz::x509_certificate> const& get_certificates() const { return system_trust_chain_.empty() ? peer_certificates_ : system_trust_chain_; }
198 
208  std::vector<fz::x509_certificate> const& get_peer_certificates() const { return peer_certificates_; }
209 
211  std::string const& get_protocol() const { return protocol_; }
212 
214  std::string const& get_key_exchange() const { return key_exchange_; }
215 
216  enum algorithm_warnings_t
217  {
218  tlsver = 1,
219  cipher = 2,
220  mac = 4,
221  kex = 8
222  };
223 
225  int get_algorithm_warnings() const { return algorithm_warnings_; }
226 
229  bool system_trust() const { return !system_trust_chain_.empty(); }
230 
232  bool mismatched_hostname() const { return hostname_mismatch_; }
233 
234 private:
235  std::string host_;
236  unsigned int port_{};
237 
238  std::string protocol_;
239  std::string key_exchange_;
240  std::string session_cipher_;
241  std::string session_mac_;
242  int algorithm_warnings_{};
243 
244  std::vector<x509_certificate> peer_certificates_;
245  std::vector<x509_certificate> system_trust_chain_;
246 
247  bool hostname_mismatch_{};
248 };
249 }
250 
251 #endif
Represents a point of time in wallclock, tracking the timestamps accuracy/precision.
Definition: time.hpp:41
Abstract interface for logging strings.
Definition: logger.hpp:51
Information about a TLS session.
Definition: tls_info.hpp:154
unsigned int get_port() const
The server's port.
Definition: tls_info.hpp:177
bool system_trust() const
Definition: tls_info.hpp:229
bool mismatched_hostname() const
True if the hostname in the SANs does not match the requested hostname.
Definition: tls_info.hpp:232
std::string const & get_key_exchange() const
Key exchange algorithm.
Definition: tls_info.hpp:214
std::vector< fz::x509_certificate > const & get_peer_certificates() const
The certificate chain sent by the peer.
Definition: tls_info.hpp:208
std::string const & get_protocol() const
TLS version.
Definition: tls_info.hpp:211
std::string const & get_session_mac() const
The MAC used for integrity-protect and authenticate the exchanged application data.
Definition: tls_info.hpp:183
std::vector< fz::x509_certificate > const & get_certificates() const
The server's certificate chain.
Definition: tls_info.hpp:197
std::string const & get_host() const
The server's hostname used to connect.
Definition: tls_info.hpp:174
int get_algorithm_warnings() const
Warnings about old algorithms used, which are considered weak.
Definition: tls_info.hpp:225
std::string const & get_session_cipher() const
The symmetric algorithm used to encrypt all exchanged application data.
Definition: tls_info.hpp:180
A subject name, typically a DNS hostname.
Definition: tls_info.hpp:21
Represents all relevant information of a X.509 certificate as used by TLS.
Definition: tls_info.hpp:17
unsigned int get_pubkey_bits() const
The number of bits of the public key algorithm.
Definition: tls_info.hpp:73
std::string const & get_fingerprint_sha1() const
Gets fingerprint as hex-encoded sha1.
Definition: tls_info.hpp:82
std::string const & get_fingerprint_sha256() const
Gets fingerprint as hex-encoded sha256.
Definition: tls_info.hpp:79
std::string const & get_pubkey_algorithm() const
The public key algorithm used by the certificate.
Definition: tls_info.hpp:70
std::string const & get_signature_algorithm() const
The algorithm used for signing, typically the public key algorithm combined with a hash.
Definition: tls_info.hpp:76
bool self_signed() const
Indicates whether the certificate is self-signed.
Definition: tls_info.hpp:99
std::vector< uint8_t > get_raw_data() const
The raw, DER-encoded X.509 certificate.
Definition: tls_info.hpp:62
std::string const & get_subject() const
Gets the subject of the certificate as RDN as described in RFC4514.
Definition: tls_info.hpp:88
std::string const & get_issuer() const
Gets the issuer of the certificate as RDN as described in RFC4514.
Definition: tls_info.hpp:91
std::vector< subject_name > const & get_alt_subject_names() const
Gets the alternative subject names (SANSs) of the certificated, usually hostnames.
Definition: tls_info.hpp:94
The namespace used by libfilezilla.
Definition: apply.hpp:17
native_string check_certificate_status(std::string_view const &key, std::string_view const &certs, native_string const &password, bool pem=true)
Checks that the key and certificates chain are valid and matching.
std::wstring native_string
A string in the system's native character type and encoding. Note: This typedef changes depending on...
Definition: string.hpp:34
std::vector< x509_certificate > load_certificates_file(native_string const &certsfile, bool pem, bool sort, logger_interface *logger=nullptr)
Gets the certificate information for the certificates in the file.
Assorted classes dealing with time.