author | Roxanne Skelly <roxie@lindenlab.com> | 2009-07-08 00:45:17 +0000 |
---|---|---|
committer | Roxanne Skelly <roxie@lindenlab.com> | 2009-07-08 00:45:17 +0000 |
commit | 9e89819d55a3b6ee7fc56f3efb36f273e4e05c83 (patch) | |
tree | 1585010af9cafd82202c22ef9cb0db4967c74394 /indra/newview/llsecapi.h | |
parent | fe71dd340ab396b93bde45df438041af5d85fd47 (diff) |
DEV-34822 - merge with 1.23
certificate notification code
-r 118191
ignore-dead-branch
Diffstat (limited to 'indra/newview/llsecapi.h')
-rw-r--r-- | indra/newview/llsecapi.h | 311 |
1 files changed, 247 insertions, 64 deletions
diff --git a/indra/newview/llsecapi.h b/indra/newview/llsecapi.h index d456ca95b1..6fd12c044a 100644 --- a/indra/newview/llsecapi.h +++ b/indra/newview/llsecapi.h @@ -36,11 +36,16 @@ #include <openssl/x509.h> #include <ostream> +#ifdef LL_WINDOWS +#pragma warning(disable:4250) +#endif // LL_WINDOWS + // All error handling is via exceptions. #define CERT_SUBJECT_NAME "subject_name" #define CERT_ISSUER_NAME "issuer_name" +#define CERT_NAME_CN "commonName" #define CERT_SUBJECT_NAME_STRING "subject_name_string" #define CERT_ISSUER_NAME_STRING "issuer_name_string" 
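Review bot: The `#pragma warning(disable:4250)` added at the top of the header has no explanatory comment and no push/pop, so it stays in effect for every translation unit that includes llsecapi.h. C4250 is MSVC's "inherits via dominance" warning, presumably silenced because of the `virtual public LLCertificateVector` bases this commit introduces further down. I would record that next to the pragma, for example `// C4250: inherits via dominance; expected with the virtual LLCertificateVector base`, so a later reader does not take it for a blanket suppression.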
@@ -51,23 +56,62 @@ #define CERT_VALID_TO "valid_to" #define CERT_SHA1_DIGEST "sha1_digest" #define CERT_MD5_DIGEST "md5_digest" +#define CERT_HOSTNAME "hostname" +#define CERT_BASIC_CONSTRAINTS "basicConstraints" +#define CERT_BASIC_CONSTRAINTS_CA "CA" +#define CERT_BASIC_CONSTRAINTS_PATHLEN "pathLen" + +#define CERT_KEY_USAGE "keyUsage" +#define CERT_KU_DIGITAL_SIGNATURE "digitalSignature" +#define CERT_KU_NON_REPUDIATION "nonRepudiation" +#define CERT_KU_KEY_ENCIPHERMENT "keyEncipherment" +#define CERT_KU_DATA_ENCIPHERMENT "dataEncipherment" +#define CERT_KU_KEY_AGREEMENT "keyAgreement" +#define CERT_KU_CERT_SIGN "certSigning" +#define CERT_KU_CRL_SIGN "crlSigning" +#define CERT_KU_ENCIPHER_ONLY "encipherOnly" +#define CERT_KU_DECIPHER_ONLY "decipherOnly" #define BASIC_SECHANDLER "BASIC_SECHANDLER" +#define CERT_VALIDATION_DATE "validation_date" + +#define CERT_EXTENDED_KEY_USAGE "extendedKeyUsage" +#define CERT_EKU_SERVER_AUTH SN_server_auth + +// validate the current time lies within +// the validation period of the cert +#define VALIDATION_POLICY_TIME 1 + +// validate that the CA, or some cert in the chain +// lies within the certificate store +#define VALIDATION_POLICY_TRUSTED 2 + +// validate that the subject name of +// the cert contains the passed in hostname +// or validates against the hostname +#define VALIDATION_POLICY_HOSTNAME 4 + + +// validate that the cert contains the SSL EKU +#define VALIDATION_POLICY_SSL_KU 8 + +// validate that the cert contains the SSL EKU +#define VALIDATION_POLICY_CA_KU 16 + +#define VALIDATION_POLICY_CA_BASIC_CONSTRAINTS 32 + +// validate that the cert is correct for SSL +#define VALIDATION_POLICY_SSL (VALIDATION_POLICY_TIME | \ + VALIDATION_POLICY_HOSTNAME | \ + VALIDATION_POLICY_TRUSTED | \ + VALIDATION_POLICY_SSL_KU | \ + VALIDATION_POLICY_CA_BASIC_CONSTRAINTS | \ + VALIDATION_POLICY_CA_KU) + + -// All error handling is via exceptions. 
-class LLCertException -{ -public: - LLCertException(const char* msg) - { - llerrs << "Certificate Error: " << msg << llendl; - mMsg = std::string(msg); - } -protected: - std::string mMsg; -}; class LLProtectedDataException { 
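Review bot: The comment above `VALIDATION_POLICY_CA_KU` is a copy of the one on `VALIDATION_POLICY_SSL_KU` ("validate that the cert contains the SSL EKU"), and `VALIDATION_POLICY_CA_BASIC_CONSTRAINTS` has no comment at all. These bits select which certificate checks run, so a caller composing its own mask instead of `VALIDATION_POLICY_SSL` needs each one described accurately. Going by the `CERT_KU_CERT_SIGN` and `CERT_BASIC_CONSTRAINTS_CA` keys defined just above, the intended wording is probably `// validate that CA certs in the chain carry the certSigning key usage` and `// validate that CA certs in the chain have basicConstraints CA set`; please confirm against the implementation. The `VALIDATION_POLICY_HOSTNAME` comment says the subject name "contains" the hostname, which reads like substring matching, so it should state the actual matching rule.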
@@ -96,53 +140,88 @@ public: // return a PEM encoded certificate. The encoding // includes the -----BEGIN CERTIFICATE----- and end certificate elements - virtual std::string getPem()=0; + virtual std::string getPem() const=0; // return a DER encoded certificate - virtual std::vector<U8> getBinary()=0; + virtual std::vector<U8> getBinary() const=0; // return an LLSD object containing information about the certificate // such as its name, signature, expiry time, serial number - virtual LLSD getLLSD()=0; + virtual LLSD getLLSD() const=0; // return an openSSL X509 struct for the certificate - virtual X509* getOpenSSLX509()=0; + virtual X509* getOpenSSLX509() const=0; }; +// class LLCertificateVector +// base class for a list of certificates. -// class LLCertificateChain -// Class representing a chain of certificates in order, with the -// 0th element being the CA -class LLCertificateChain : public LLRefCount + +class LLCertificateVector : public LLRefCount { - LOG_CLASS(LLCertificateChain); - static const int VT_SSL = 0; - static const int VT_AGENT_DOMAIN = 1; - static const int VT_GRID_DOMAIN = 1; public: - LLCertificateChain() {} - virtual ~LLCertificateChain() {} + LLCertificateVector() {}; + virtual ~LLCertificateVector() {}; + + // base iterator implementation class, providing + // the functionality needed for the iterator class. 
+ class iterator_impl : public LLRefCount + { + public: + iterator_impl() {}; + virtual ~iterator_impl() {}; + virtual void seek(bool incr)=0; + virtual LLPointer<iterator_impl> clone() const=0; + virtual bool equals(const LLPointer<iterator_impl>& _iter) const=0; + virtual LLPointer<LLCertificate> get()=0; + }; + + // iterator class + class iterator + { + public: + iterator(LLPointer<iterator_impl> impl) : mImpl(impl) {} + iterator() : mImpl(NULL) {} + iterator(const iterator& _iter) {mImpl = _iter.mImpl->clone(); } + ~iterator() {} + iterator& operator++() { if(mImpl.notNull()) mImpl->seek(true); return *this;} + iterator& operator--() { if(mImpl.notNull()) mImpl->seek(false); return *this;} + + iterator operator++(int) { iterator result = *this; if(mImpl.notNull()) mImpl->seek(true); return result;} + iterator operator--(int) { iterator result = *this; if(mImpl.notNull()) mImpl->seek(false); return result;} + LLPointer<LLCertificate> operator*() { return mImpl->get(); } + + LLPointer<iterator_impl> mImpl; + protected: + friend bool operator==(const LLCertificateVector::iterator& _lhs, const LLCertificateVector::iterator& _rhs); + bool equals(const iterator& _iter) const { return mImpl->equals(_iter.mImpl); } + }; - virtual X509_STORE getOpenSSLX509Store()=0; // return an openssl X509_STORE - // for this store + // numeric indexer + virtual LLPointer<LLCertificate> operator[](int)=0; - virtual void appendCert(const LLCertificate& cert)=0; // append a cert to the end - //of the chain + // Iteration + virtual iterator begin()=0; - virtual LLPointer<LLCertificate>& operator [](int index)=0; // retrieve a certificate - // from the chain by index - // -1 == end of chain + virtual iterator end()=0; - virtual int len() const =0; // return number of certificates in the chain + // find a cert given params + virtual iterator find(const LLSD& params) =0; - // validate a certificate chain given the params. 
- // validation type indicates whether it's simply an SSL cert, or - // something more specific - virtual bool validate(int validation_type, - const LLSD& validation_params) const =0; + // return the number of certs in the store + virtual int size() const = 0; + + // append the cert to the store. if a copy of the cert already exists in the store, it is removed first + virtual void add(LLPointer<LLCertificate> cert)=0; + + // insert the cert to the store. if a copy of the cert already exists in the store, it is removed first + virtual void insert(iterator location, LLPointer<LLCertificate> cert)=0; + + // remove a certificate from the store + virtual LLPointer<LLCertificate> erase(iterator cert)=0; }; 
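Review bot: `LLCertificateVector::iterator`'s copy constructor calls `_iter.mImpl->clone()` unconditionally, although the default constructor sets `mImpl` to NULL, so copying a default-constructed iterator dereferences a null pointer. The post-increment and post-decrement operators hit the same path through `iterator result = *this` before their own `notNull()` check, and `operator*` and `equals` dereference `mImpl` without a check as well. I would guard the copy with `iterator(const iterator& _iter) { if (_iter.mImpl.notNull()) mImpl = _iter.mImpl->clone(); }`. A matching `operator=` that clones is also needed, because the implicit assignment shares one `iterator_impl` between two iterators while the copy constructor does not. `mImpl` is declared in the public section, above `protected:`; it looks intended to be non-public.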
@@ -151,43 +230,55 @@ public: // certificates. The store can be persisted, and can be used to validate // a cert chain // -class LLCertificateStore : public LLRefCount +class LLCertificateStore : virtual public LLCertificateVector { + public: + LLCertificateStore() {} virtual ~LLCertificateStore() {} - virtual X509_STORE* getOpenSSLX509Store()=0; // return an openssl X509_STORE - // for this store - - // add a copy of a cert to the store - virtual void append(const LLCertificate& cert)=0; - - // add a copy of a cert to the store - virtual void insert(const int index, const LLCertificate& cert)=0; - - // remove a certificate from the store - virtual void remove(int index)=0; - - // return a certificate at the index - virtual LLPointer<LLCertificate> operator[](int index)=0; - - // return the number of certs in the store - virtual int len() const =0; - - // load the store from a persisted location - virtual void load(const std::string& store_id)=0; - // persist the store virtual void save()=0; // return the store id - virtual std::string storeId()=0; + virtual std::string storeId() const=0; +}; + +// class LLCertificateChain +// Class representing a chain of certificates in order, with the +// first element being the child cert. +class LLCertificateChain : virtual public LLCertificateVector +{ + +public: + LLCertificateChain() {} - // validate a cert chain - virtual bool validate(const LLCertificateChain& cert_chain) const=0; + virtual ~LLCertificateChain() {} + + // validate a certificate chain given the params. 
+ // Will throw exceptions on error + + virtual void validate(int validation_policy, + LLPointer<LLCertificateStore> ca_store, + const LLSD& validation_params) =0; }; + + + +inline +bool operator==(const LLCertificateVector::iterator& _lhs, const LLCertificateVector::iterator& _rhs) +{ + return _lhs.equals(_rhs); +} +inline +bool operator!=(const LLCertificateVector::iterator& _lhs, const LLCertificateVector::iterator& _rhs) +{ + return !(_lhs == _rhs); +} + + // // LLCredential - interface for credentials providing the following functionality: // * persistance of credential information based on grid (for saving username/password) 
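Review bot: `LLCertificateChain::validate` now reports failure only by throwing, and its comment ("Will throw exceptions on error") does not say which exceptions, which keys it reads from `validation_params`, or what happens at the edges. A `validation_policy` of 0 and a null `ca_store` combined with `VALIDATION_POLICY_TRUSTED` are left undefined. So is a params map without the hostname entry while `VALIDATION_POLICY_HOSTNAME` is set. Since returning normally means "trusted", the doc comment should state that each of these fails closed, and the implementation (not visible here) should be checked to match. I would list the expected keys, presumably `CERT_HOSTNAME` and `CERT_VALIDATION_DATE`, and name the `LLCertException` subclasses that each policy bit can raise.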
@@ -232,6 +323,98 @@ protected: std::ostream& operator <<(std::ostream& s, const LLCredential& cred); +// All error handling is via exceptions. + +class LLCertException +{ +public: + LLCertException(LLPointer<LLCertificate> cert, const char* msg) + { + + mCert = cert; + + LL_WARNS("SECAPI") << "Certificate Error: " << (std::string)msg << LL_ENDL; + mMsg = (std::string)msg; + } + LLPointer<LLCertificate> getCert() { return mCert; } + std::string getMessage() { return mMsg; } +protected: + LLPointer<LLCertificate> mCert; + std::string mMsg; +}; + +class LLInvalidCertificate : public LLCertException +{ +public: + LLInvalidCertificate(LLPointer<LLCertificate> cert) : LLCertException(cert, "CertInvalid") + { + } +protected: +}; + +class LLCertValidationTrustException : public LLCertException +{ +public: + LLCertValidationTrustException(LLPointer<LLCertificate> cert) : LLCertException(cert, "CertUntrusted") + { + } +protected: +}; + +class LLCertValidationHostnameException : public LLCertException +{ +public: + LLCertValidationHostnameException(std::string hostname, + LLPointer<LLCertificate> cert) : LLCertException(cert, "CertInvalidHostname") + { + mHostname = hostname; + } + + std::string getHostname() { return mHostname; } +protected: + std::string mHostname; +}; + +class LLCertValidationExpirationException : public LLCertException +{ +public: + LLCertValidationExpirationException(LLPointer<LLCertificate> cert, + LLDate current_time) : LLCertException(cert, "CertExpired") + { + mTime = current_time; + } + LLDate GetTime() { return mTime; } +protected: + LLDate mTime; +}; + +class LLCertKeyUsageValidationException : public LLCertException +{ +public: + LLCertKeyUsageValidationException(LLPointer<LLCertificate> cert) : LLCertException(cert, "CertKeyUsage") + { + } +protected: +}; + +class LLCertBasicConstraintsValidationException : public LLCertException +{ +public: + LLCertBasicConstraintsValidationException(LLPointer<LLCertificate> cert) : LLCertException(cert, 
"CertBasicConstraints") + { + } +protected: +}; + +class LLCertValidationInvalidSignatureException : public LLCertException +{ +public: + LLCertValidationInvalidSignatureException(LLPointer<LLCertificate> cert) : LLCertException(cert, "CertInvalidSignature") + { + } +protected: +}; + // LLSecAPIHandler Class // Interface handler class for the various security storage handlers. class LLSecAPIHandler : public LLRefCount |
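Review bot: The accessors on the new exception classes (`getCert`, `getMessage`, `getHostname`, `GetTime`) are non-const, so a handler that catches `const LLCertException&` cannot call them. The same commit adds `const` to the `LLCertificate` accessors, so for consistency these should read `std::string getMessage() const { return mMsg; }` and likewise for the others. `GetTime` also breaks the lower-camel naming used by its siblings. Separately, the `LL_WARNS("SECAPI")` line in the base constructor logs only the message key. Including the certificate's subject or digest, both already exposed through `getLLSD()`, would make a validation failure traceable from the log.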