Credential.h

#ifndef __ARC_CREDENTIAL_H__
#define __ARC_CREDENTIAL_H__

#include <stdlib.h>
#include <stdexcept>
#include <iostream>
#include <string>
#include <openssl/asn1.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/pkcs12.h>
#include <openssl/err.h>

#include <arc/Logger.h>
#include <arc/DateTime.h>
#include <arc/UserConfig.h>

#include <arc/credential/CertUtil.h>

namespace Arc {



class CredentialError : public std::runtime_error {
  public:
    // Constructor
    CredentialError(const std::string& what="");
};

typedef enum {CRED_PEM, CRED_DER, CRED_PKCS, CRED_UNKNOWN} Credformat;

extern Logger CredentialLogger;


class Credential {
  public:
    Credential();

    Credential(int keybits);

    virtual ~Credential();

    Credential(const std::string& CAfile, const std::string& CAkey,
               const std::string& CAserial,
               const std::string& extfile, const std::string& extsect,
               const std::string& passphrase4key);

    Credential(Time start, Period lifetime = Period("PT12H"),
              int keybits = 1024, std::string proxyversion = "rfc",
              std::string policylang = "inheritAll", std::string policy = "",
              int pathlength = -1);

    Credential(const std::string& cert, const std::string& key, const std::string& cadir,
               const std::string& cafile, const std::string& passphrase4key = "",
               const bool is_file = true);

    Credential(const UserConfig& usercfg, const std::string& passphrase4key = "");

    static void InitProxyCertInfo(void);

    static bool IsCredentialsValid(const UserConfig& usercfg);

    void AddCertExtObj(std::string& sn, std::string& oid);

    static std::string NoPassword(void) { return std::string("\0",1); };

  private:

    Credential(const Credential&);

    void InitCredential(const std::string& cert, const std::string& key, const std::string& cadir,
               const std::string& cafile, const std::string& passphrase4key, const bool is_file);

    void loadKeyString(const std::string& key, EVP_PKEY* &pkey, const std::string& passphrase = "");
    void loadKeyFile(const std::string& keyfile, EVP_PKEY* &pkey, const std::string& passphrase = "");
    //void loadKey(BIO* bio, EVP_PKEY* &pkey, const std::string& passphrase = "", const std::string& prompt_info = "", const bool is_file = true);

    void loadCertificateString(const std::string& cert, X509* &x509, STACK_OF(X509)** certchain);
    void loadCertificateFile(const std::string& certfile, X509* &x509, STACK_OF(X509)** certchain);
    //void loadCertificate(BIO* bio, X509* &x509, STACK_OF(X509)** certchain, const bool is_file=true);

    void InitVerification(void);

    bool Verify(void);

    X509_EXTENSION* CreateExtension(const std::string& name, const std::string& data, bool crit = false);

    bool SetProxyPeriod(X509* tosign, X509* issuer, const Time& start, const Period& lifetime);

    bool SignRequestAssistant(Credential* proxy, EVP_PKEY* req_pubkey, X509** tosign);

  public:
    void LogError(void) const;

    /************************************/
    /*****Get information from "this" object**/

    bool GetVerification(void) const {return verification_valid; };

    EVP_PKEY* GetPrivKey(void) const;

    EVP_PKEY* GetPubKey(void) const;

    X509* GetCert(void) const;

    X509_REQ* GetCertReq(void) const;

    STACK_OF(X509)* GetCertChain(void) const;

    int GetCertNumofChain(void) const;

    Credformat getFormat_BIO(BIO * in, const bool is_file = true) const;
    Credformat getFormat_str(const std::string& source) const;
 
    std::string GetDN(void) const;

    std::string GetIdentityName(void) const;

    ArcCredential::certType GetType(void) const;

    std::string GetIssuerName(void) const;

    std::string GetCAName(void) const;

    std::string GetProxyPolicy(void) const;

    void SetProxyPolicy(const std::string& proxyversion, const std::string& policylang,
        const std::string& policy, int pathlength);

    bool OutputPrivatekey(std::string &content,  bool encryption = false, const std::string& passphrase ="");

    bool OutputPublickey(std::string &content);

    bool OutputCertificate(std::string &content, bool is_der=false);

    bool OutputCertificateChain(std::string &content, bool is_der=false);

    Period GetLifeTime(void) const;

    Time GetStartTime() const;

    Time GetEndTime() const;

    void SetLifeTime(const Period& period);

    void SetStartTime(const Time& start_time);

    bool IsValid(void);

    /************************************/
    /*****Generate certificate request, add certificate extension, inquire certificate request,
    *and sign certificate request
    **/

    bool AddExtension(const std::string& name, const std::string& data, bool crit = false);

    bool AddExtension(const std::string& name, char** binary);

    std::string GetExtension(const std::string& name);

    bool GenerateEECRequest(BIO* reqbio, BIO* keybio, const std::string& dn = "");

    bool GenerateEECRequest(std::string &reqcontent, std::string &keycontent, const std::string& dn = "");

    bool GenerateEECRequest(const char* request_filename, const char* key_filename, const std::string& dn = "");

    bool GenerateRequest(BIO* bio, bool if_der = false);

    bool GenerateRequest(std::string &content, bool if_der = false);

    bool GenerateRequest(const char* filename, bool if_der = false);

    bool InquireRequest(BIO* reqbio, bool if_eec = false, bool if_der = false);

    bool InquireRequest(std::string &content, bool if_eec = false, bool if_der = false);

    bool InquireRequest(const char* filename, bool if_eec = false, bool if_der = false);

    bool SignRequest(Credential* proxy, BIO* outputbio, bool if_der = false);

    bool SignRequest(Credential* proxy, std::string &content, bool if_der = false);

    bool SignRequest(Credential* proxy, const char* filename, bool if_der = false);

    bool SelfSignEECRequest(const std::string& dn, const char* extfile, const std::string& extsect, const char* certfile);

    //The following three methods is about signing an EEC certificate by implementing the same
    //functionality as a normal CA
    bool SignEECRequest(Credential* eec, const std::string& dn, BIO* outputbio);

    bool SignEECRequest(Credential* eec, const std::string& dn, std::string &content);

    bool SignEECRequest(Credential* eec, const std::string& dn, const char* filename);

  private:
    // PKI files
    std::string cacertfile_;
    std::string cacertdir_;
    std::string certfile_;
    std::string keyfile_;

    // Verification context
    ArcCredential::cert_verify_context verify_ctx_;

    //Verification result
    bool verification_valid;

    //Certificate structures
    X509 *           cert_;    //certificate
    ArcCredential::certType cert_type_;
    EVP_PKEY *       pkey_;    //private key
    STACK_OF(X509) * cert_chain_;  //certificates chain which is parsed
                                   //from the certificate, after
                                   //verification, the ca certificate
                                   //will be included
    ArcCredential::PROXYCERTINFO* proxy_cert_info_;
    Credformat       format;
    Time        start_;
    Period      lifetime_;

    //Certificate request
    X509_REQ* req_;
    RSA* rsa_key_;
    EVP_MD* signing_alg_;
    int keybits_;

    //Proxy policy
    std::string proxyversion_;
    std::string policy_;
    std::string policylang_;
    int proxyver_;
    int pathlength_;

    //Extensions for certificate, such as certificate policy, attributes, etc.
    STACK_OF(X509_EXTENSION)* extensions_;

    //CA functionality related information
    std::string CAserial_;
    std::string extfile_;
    std::string extsect_;

    static X509_NAME *parse_name(char *subject, long chtype, int multirdn);
};

}// namespace Arc

#endif /* __ARC_CREDENTIAL_H__ */