#3299: NetSSL: Allow per-Context InvalidCertificateHandler

2025-10-23 00:07:59 +02:00 · 2021-06-06 18:11:05 +02:00
parent 3249abe2a4
commit ab010473b9
14 changed files with 166 additions and 27 deletions
--- a/NetSSL_OpenSSL/include/Poco/Net/AcceptCertificateHandler.h
+++ b/NetSSL_OpenSSL/include/Poco/Net/AcceptCertificateHandler.h
@@ -27,7 +27,7 @@ namespace Net {


 class NetSSL_API AcceptCertificateHandler: public InvalidCertificateHandler
-	/// A AcceptCertificateHandler is invoked whenever an error 
+	/// A AcceptCertificateHandler is invoked whenever an error
 	/// occurs verifying the certificate. It always accepts
 	/// the certificate.
 	///
--- a/NetSSL_OpenSSL/include/Poco/Net/Context.h
+++ b/NetSSL_OpenSSL/include/Poco/Net/Context.h
@@ -20,10 +20,12 @@

 #include "Poco/Net/NetSSL.h"
 #include "Poco/Net/SocketDefs.h"
+#include "Poco/Net/InvalidCertificateHandler.h"
 #include "Poco/Crypto/X509Certificate.h"
 #include "Poco/Crypto/EVPPKey.h"
 #include "Poco/Crypto/RSAKey.h"
 #include "Poco/RefCountedObject.h"
+#include "Poco/SharedPtr.h"
 #include "Poco/AutoPtr.h"
 #include <openssl/ssl.h>
 #include <cstdlib>
@@ -188,6 +190,8 @@ public:
 			///   "X448:X25519:ffdhe4096:ffdhe3072:ffdhe2048:ffdhe6144:ffdhe8192:P-521:P-384:P-256"
 	};

+	using InvalidCertificateHandlerPtr = Poco::SharedPtr<InvalidCertificateHandler>;
+
 	Context(Usage usage, const Params& params);
 		/// Creates a Context using the given parameters.
 		///
@@ -397,6 +401,16 @@ public:
 		/// preferences. When called, the SSL/TLS server will choose following its own
 		/// preferences.

+	void setInvalidCertificateHandler(InvalidCertificateHandlerPtr pInvalidCertificageHandler);
+		/// Sets a Context-specific InvalidCertificateHandler.
+		///
+		/// If specified, this InvalidCertificateHandler will be used instead of the
+		/// one globally set in the SSLManager.
+
+	InvalidCertificateHandlerPtr getInvalidCertificateHandler() const;
+		/// Returns the InvalidCertificateHandler set for this Context,
+		/// or a null pointer if none has been set.
+
 private:
 	void init(const Params& params);
 		/// Initializes the Context with the given parameters.
@@ -415,6 +429,7 @@ private:
 	VerificationMode _mode;
 	SSL_CTX* _pSSLContext;
 	bool _extendedCertificateVerification;
+	InvalidCertificateHandlerPtr _pInvalidCertificateHandler;
 };


@@ -456,6 +471,12 @@ inline bool Context::extendedCertificateVerificationEnabled() const
 }


+inline Context::InvalidCertificateHandlerPtr Context::getInvalidCertificateHandler() const
+{
+	return _pInvalidCertificateHandler;
+}
+
+
 } } // namespace Poco::Net


--- a/NetSSL_OpenSSL/include/Poco/Net/InvalidCertificateHandler.h
+++ b/NetSSL_OpenSSL/include/Poco/Net/InvalidCertificateHandler.h
@@ -19,20 +19,22 @@


 #include "Poco/Net/NetSSL.h"
-#include "Poco/Net/VerificationErrorArgs.h"


 namespace Poco {
 namespace Net {


+class VerificationErrorArgs;
+
+
 class NetSSL_API InvalidCertificateHandler
 	/// A InvalidCertificateHandler is invoked whenever an error occurs verifying the certificate. It allows the user
 	/// to inspect and accept/reject the certificate.
 	/// One can install one's own InvalidCertificateHandler by implementing this interface. Note that
-	/// in the implementation file of the subclass the following code must be present (assuming you use the namespace My_API 
+	/// in the implementation file of the subclass the following code must be present (assuming you use the namespace My_API
 	/// and the name of your handler class is MyGuiHandler):
-	///    
+	///
 	///    #include "Poco/Net/CertificateHandlerFactory.h"
 	///    ...
 	///    POCO_REGISTER_CHFACTORY(My_API, MyGuiHandler)
@@ -43,7 +45,7 @@ class NetSSL_API InvalidCertificateHandler
 	///
 	/// or in case one uses Poco::Util::Application one can rely on an XML configuration and put the following entry
 	/// under the path openSSL.invalidCertificateHandler:
-	///    
+	///
 	///    <invalidCertificateHandler>
 	///        <name>MyGuiHandler<name>
 	///        <options>
@@ -56,7 +58,7 @@ class NetSSL_API InvalidCertificateHandler
 public:
 	InvalidCertificateHandler(bool handleErrorsOnServerSide);
 		/// Creates the InvalidCertificateHandler.
-		/// 
+		///
 		/// Set handleErrorsOnServerSide to true if the certificate handler is used on the server side.
 		/// Automatically registers at one of the SSLManager::VerificationError events.

--- a/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h
+++ b/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h
@@ -278,6 +278,10 @@ protected:
 		/// Throws a InvalidStateException if not application instance
 		/// is available.

+	int contextIndex() const;
+		/// Returns the index for SSL_CTX_set_ex_data() and SSL_CTX_get_ex_data() to
+		/// store the Context* in the underlying SSL_CTX.
+
 private:
 	SSLManager();
 		/// Creates the SSLManager.
@@ -310,6 +314,7 @@ private:
 	Context::Ptr                     _ptrDefaultClientContext;
 	PrivateKeyPassphraseHandlerPtr   _ptrClientPassphraseHandler;
 	InvalidCertificateHandlerPtr     _ptrClientCertificateHandler;
+	int                              _contextIndex;
 	Poco::FastMutex                  _mutex;

 	static const std::string CFG_PRIV_KEY_FILE;
@@ -389,6 +394,12 @@ inline int SSLManager::verifyClientCallback(int ok, X509_STORE_CTX* pStore)
 }


+inline int SSLManager::contextIndex() const
+{
+	return _contextIndex;
+}
+
+
 } } // namespace Poco::Net


--- a/NetSSL_OpenSSL/include/Poco/Net/VerificationErrorArgs.h
+++ b/NetSSL_OpenSSL/include/Poco/Net/VerificationErrorArgs.h
@@ -20,6 +20,7 @@

 #include "Poco/Net/NetSSL.h"
 #include "Poco/Net/X509Certificate.h"
+#include "Poco/Net/Context.h"


 namespace Poco {
@@ -30,12 +31,15 @@ class NetSSL_API VerificationErrorArgs
 	/// A utility class for certificate error handling.
 {
 public:
-	VerificationErrorArgs(const X509Certificate& cert, int errDepth, int errNum, const std::string& errMsg);
+	VerificationErrorArgs(Poco::Net::Context::Ptr pContext, const X509Certificate& cert, int errDepth, int errNum, const std::string& errMsg);
 		/// Creates the VerificationErrorArgs. _ignoreError is per default set to false.

 	~VerificationErrorArgs();
 		/// Destroys the VerificationErrorArgs.

+	Poco::Net::Context::Ptr context() const;
+		/// Returns the Context of the underlying connection causing the error.
+
 	const X509Certificate& certificate() const;
 		/// Returns the certificate that caused the error.

@@ -55,6 +59,7 @@ public:
 		/// returns the value of _ignoreError

 private:
+	Poco::Net::Context::Ptr _pContext;
 	X509Certificate	_cert;
 	int             _errorDepth;
 	int             _errorNumber;
@@ -66,6 +71,12 @@ private:
 //
 // inlines
 //
+inline Poco::Net::Context::Ptr VerificationErrorArgs::context() const
+{
+	return _pContext;
+}
+
+
 inline const X509Certificate& VerificationErrorArgs::certificate() const
 {
 	return _cert;