#3299: NetSSL: Allow per-Context InvalidCertificateHandler

2026-01-12 10:02:36 +01:00 · 2021-06-06 18:11:05 +02:00
parent 3249abe2a4
commit ab010473b9
14 changed files with 166 additions and 27 deletions
--- a/NetSSL_OpenSSL/src/SSLManager.cpp
+++ b/NetSSL_OpenSSL/src/SSLManager.cpp
@@ -67,7 +67,8 @@ const bool        SSLManager::VAL_FIPS_MODE(false);
 #endif


-SSLManager::SSLManager()
+SSLManager::SSLManager():
+	_contextIndex(SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL))
 {
 }

@@ -204,16 +205,45 @@ int SSLManager::verifyCallback(bool server, int ok, X509_STORE_CTX* pStore)
 {
 	if (!ok)
 	{
+		SSLManager& sslManager = SSLManager::instance();
+		SSL* pSSL = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(pStore, SSL_get_ex_data_X509_STORE_CTX_idx()));
+		poco_assert_dbg (pSSL);
+		SSL_CTX* pSSLContext = SSL_get_SSL_CTX(pSSL);
+		poco_assert_dbg (pSSLContext);
+
+		Context* pContext = reinterpret_cast<Context*>(SSL_CTX_get_ex_data(pSSLContext, sslManager.contextIndex()));
+		poco_assert_dbg (pContext);
+
 		X509* pCert = X509_STORE_CTX_get_current_cert(pStore);
 		X509Certificate x509(pCert, true);
 		int depth = X509_STORE_CTX_get_error_depth(pStore);
 		int err = X509_STORE_CTX_get_error(pStore);
 		std::string error(X509_verify_cert_error_string(err));
-		VerificationErrorArgs args(x509, depth, err, error);
+		VerificationErrorArgs args(Context::Ptr(pContext, true), x509, depth, err, error);
 		if (server)
-			SSLManager::instance().ServerVerificationError.notify(&SSLManager::instance(), args);
+		{
+			if (pContext->getInvalidCertificateHandler())
+			{
+				pContext->getInvalidCertificateHandler()->onInvalidCertificate(&sslManager, args);
+			}
+			else if (sslManager._ptrServerCertificateHandler)
+			{
+				sslManager._ptrServerCertificateHandler->onInvalidCertificate(&sslManager, args);
+			}
+			sslManager.ServerVerificationError.notify(&sslManager, args);
+		}
 		else
-			SSLManager::instance().ClientVerificationError.notify(&SSLManager::instance(), args);
+		{
+			if (pContext->getInvalidCertificateHandler())
+			{
+				pContext->getInvalidCertificateHandler()->onInvalidCertificate(&sslManager, args);
+			}
+			else if (sslManager._ptrClientCertificateHandler)
+			{
+				sslManager._ptrClientCertificateHandler->onInvalidCertificate(&sslManager, args);
+			}
+			sslManager.ClientVerificationError.notify(&sslManager, args);
+		}
 		ok = args.getIgnoreError() ? 1 : 0;
 	}