#3299: NetSSL: Allow per-Context InvalidCertificateHandler

2025-10-23 00:07:59 +02:00 · 2021-06-06 18:11:05 +02:00
parent 3249abe2a4
commit ab010473b9
14 changed files with 166 additions and 27 deletions
--- a/NetSSL_OpenSSL/src/AcceptCertificateHandler.cpp
+++ b/NetSSL_OpenSSL/src/AcceptCertificateHandler.cpp
@@ -13,6 +13,7 @@


 #include "Poco/Net/AcceptCertificateHandler.h"
+#include "Poco/Net/VerificationErrorArgs.h"


 namespace Poco {
--- a/NetSSL_OpenSSL/src/ConsoleCertificateHandler.cpp
+++ b/NetSSL_OpenSSL/src/ConsoleCertificateHandler.cpp
@@ -13,6 +13,7 @@


 #include "Poco/Net/ConsoleCertificateHandler.h"
+#include "Poco/Net/VerificationErrorArgs.h"
 #include <iostream>


--- a/NetSSL_OpenSSL/src/Context.cpp
+++ b/NetSSL_OpenSSL/src/Context.cpp
@@ -174,6 +174,7 @@ void Context::init(const Params& params)
 		SSL_CTX_set_verify_depth(_pSSLContext, params.verificationDepth);
 		SSL_CTX_set_mode(_pSSLContext, SSL_MODE_AUTO_RETRY);
 		SSL_CTX_set_session_cache_mode(_pSSLContext, SSL_SESS_CACHE_OFF);
+		SSL_CTX_set_ex_data(_pSSLContext, SSLManager::instance().contextIndex(), this);

 		initDH(params.dhUse2048Bits, params.dhParamsFile);
 		initECDH(params.ecdhCurve);
@@ -463,6 +464,12 @@ void Context::preferServerCiphers()
 }


+void Context::setInvalidCertificateHandler(InvalidCertificateHandlerPtr pInvalidCertificateHandler)
+{
+	_pInvalidCertificateHandler = pInvalidCertificateHandler;
+}
+
+
 void Context::createSSLContext()
 {
 	int minTLSVersion = 0;
--- a/NetSSL_OpenSSL/src/InvalidCertificateHandler.cpp
+++ b/NetSSL_OpenSSL/src/InvalidCertificateHandler.cpp
@@ -26,26 +26,11 @@ namespace Net {

 InvalidCertificateHandler::InvalidCertificateHandler(bool handleErrorsOnServerSide): _handleErrorsOnServerSide(handleErrorsOnServerSide)
 {
-	if (_handleErrorsOnServerSide)
-		SSLManager::instance().ServerVerificationError += Delegate<InvalidCertificateHandler, VerificationErrorArgs>(this, &InvalidCertificateHandler::onInvalidCertificate);
-	else
-		SSLManager::instance().ClientVerificationError += Delegate<InvalidCertificateHandler, VerificationErrorArgs>(this, &InvalidCertificateHandler::onInvalidCertificate);
 }


 InvalidCertificateHandler::~InvalidCertificateHandler()
 {
-	try
-	{
-		if (_handleErrorsOnServerSide)
-			SSLManager::instance().ServerVerificationError -= Delegate<InvalidCertificateHandler, VerificationErrorArgs>(this, &InvalidCertificateHandler::onInvalidCertificate);
-		else
-			SSLManager::instance().ClientVerificationError -= Delegate<InvalidCertificateHandler, VerificationErrorArgs>(this, &InvalidCertificateHandler::onInvalidCertificate);
-	}
-	catch (...)
-	{
-		poco_unexpected();
-	}
 }


--- a/NetSSL_OpenSSL/src/RejectCertificateHandler.cpp
+++ b/NetSSL_OpenSSL/src/RejectCertificateHandler.cpp
@@ -13,6 +13,7 @@


 #include "Poco/Net/RejectCertificateHandler.h"
+#include "Poco/Net/VerificationErrorArgs.h"


 namespace Poco {
--- a/NetSSL_OpenSSL/src/SSLManager.cpp
+++ b/NetSSL_OpenSSL/src/SSLManager.cpp
@@ -67,7 +67,8 @@ const bool        SSLManager::VAL_FIPS_MODE(false);
 #endif


-SSLManager::SSLManager()
+SSLManager::SSLManager():
+	_contextIndex(SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL))
 {
 }

@@ -204,16 +205,45 @@ int SSLManager::verifyCallback(bool server, int ok, X509_STORE_CTX* pStore)
 {
 	if (!ok)
 	{
+		SSLManager& sslManager = SSLManager::instance();
+		SSL* pSSL = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(pStore, SSL_get_ex_data_X509_STORE_CTX_idx()));
+		poco_assert_dbg (pSSL);
+		SSL_CTX* pSSLContext = SSL_get_SSL_CTX(pSSL);
+		poco_assert_dbg (pSSLContext);
+
+		Context* pContext = reinterpret_cast<Context*>(SSL_CTX_get_ex_data(pSSLContext, sslManager.contextIndex()));
+		poco_assert_dbg (pContext);
+
 		X509* pCert = X509_STORE_CTX_get_current_cert(pStore);
 		X509Certificate x509(pCert, true);
 		int depth = X509_STORE_CTX_get_error_depth(pStore);
 		int err = X509_STORE_CTX_get_error(pStore);
 		std::string error(X509_verify_cert_error_string(err));
-		VerificationErrorArgs args(x509, depth, err, error);
+		VerificationErrorArgs args(Context::Ptr(pContext, true), x509, depth, err, error);
 		if (server)
-			SSLManager::instance().ServerVerificationError.notify(&SSLManager::instance(), args);
+		{
+			if (pContext->getInvalidCertificateHandler())
+			{
+				pContext->getInvalidCertificateHandler()->onInvalidCertificate(&sslManager, args);
+			}
+			else if (sslManager._ptrServerCertificateHandler)
+			{
+				sslManager._ptrServerCertificateHandler->onInvalidCertificate(&sslManager, args);
+			}
+			sslManager.ServerVerificationError.notify(&sslManager, args);
+		}
 		else
-			SSLManager::instance().ClientVerificationError.notify(&SSLManager::instance(), args);
+		{
+			if (pContext->getInvalidCertificateHandler())
+			{
+				pContext->getInvalidCertificateHandler()->onInvalidCertificate(&sslManager, args);
+			}
+			else if (sslManager._ptrClientCertificateHandler)
+			{
+				sslManager._ptrClientCertificateHandler->onInvalidCertificate(&sslManager, args);
+			}
+			sslManager.ClientVerificationError.notify(&sslManager, args);
+		}
 		ok = args.getIgnoreError() ? 1 : 0;
 	}

--- a/NetSSL_OpenSSL/src/VerificationErrorArgs.cpp
+++ b/NetSSL_OpenSSL/src/VerificationErrorArgs.cpp
@@ -19,7 +19,8 @@ namespace Poco {
 namespace Net {


-VerificationErrorArgs::VerificationErrorArgs(const X509Certificate& cert, int errDepth, int errNum, const std::string& errMsg):
+VerificationErrorArgs::VerificationErrorArgs(Poco::Net::Context::Ptr pContext, const X509Certificate& cert, int errDepth, int errNum, const std::string& errMsg):
+	_pContext(pContext),
 	_cert(cert),
 	_errorDepth(errDepth),
 	_errorNumber(errNum),