#3299: NetSSL: Allow per-Context InvalidCertificateHandler
@@ -20,10 +20,12 @@
|
||||
|
||||
#include "Poco/Net/NetSSL.h"
|
||||
#include "Poco/Net/SocketDefs.h"
|
||||
#include "Poco/Net/InvalidCertificateHandler.h"
|
||||
#include "Poco/Crypto/X509Certificate.h"
|
||||
#include "Poco/Crypto/EVPPKey.h"
|
||||
#include "Poco/Crypto/RSAKey.h"
|
||||
#include "Poco/RefCountedObject.h"
|
||||
#include "Poco/SharedPtr.h"
|
||||
#include "Poco/AutoPtr.h"
|
||||
#include <openssl/ssl.h>
|
||||
#include <cstdlib>
|
||||
@@ -188,6 +190,8 @@ public:
|
||||
/// "X448:X25519:ffdhe4096:ffdhe3072:ffdhe2048:ffdhe6144:ffdhe8192:P-521:P-384:P-256"
|
||||
};
|
||||
|
||||
using InvalidCertificateHandlerPtr = Poco::SharedPtr<InvalidCertificateHandler>;
|
||||
|
||||
Context(Usage usage, const Params& params);
|
||||
/// Creates a Context using the given parameters.
|
||||
///
|
||||
@@ -397,6 +401,16 @@ public:
|
||||
/// preferences. When called, the SSL/TLS server will choose following its own
|
||||
/// preferences.
|
||||
|
||||
void setInvalidCertificateHandler(InvalidCertificateHandlerPtr pInvalidCertificageHandler);
|
||||
/// Sets a Context-specific InvalidCertificateHandler.
|
||||
///
|
||||
/// If specified, this InvalidCertificateHandler will be used instead of the
|
||||
/// one globally set in the SSLManager.
|
||||
|
||||
InvalidCertificateHandlerPtr getInvalidCertificateHandler() const;
|
||||
/// Returns the InvalidCertificateHandler set for this Context,
|
||||
/// or a null pointer if none has been set.
|
||||
|
||||
private:
|
||||
void init(const Params& params);
|
||||
/// Initializes the Context with the given parameters.
|
||||
@@ -415,6 +429,7 @@ private:
|
||||
VerificationMode _mode;
|
||||
SSL_CTX* _pSSLContext;
|
||||
bool _extendedCertificateVerification;
|
||||
InvalidCertificateHandlerPtr _pInvalidCertificateHandler;
|
||||
};
|
||||
|
||||
|
||||
@@ -456,6 +471,12 @@ inline bool Context::extendedCertificateVerificationEnabled() const
|
||||
}
|
||||
|
||||
|
||||
inline Context::InvalidCertificateHandlerPtr Context::getInvalidCertificateHandler() const
|
||||
{
|
||||
return _pInvalidCertificateHandler;
|
||||
}
|
||||
|
||||
|
||||
} } // namespace Poco::Net
|
||||
|
||||
|
||||
|
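Review bot: The declaration `void setInvalidCertificateHandler(InvalidCertificateHandlerPtr pInvalidCertificageHandler);` in the Context.h hunk at line 397 misspells the parameter name ("Certificage"); the definition in Context.cpp spells it `pInvalidCertificateHandler`, so this only affects generated docs and readability, but it should be `void setInvalidCertificateHandler(InvalidCertificateHandlerPtr pInvalidCertificateHandler);`. The new setter and the inline getter copy the SharedPtr without any locking, while the getter is read from SSLManager::verifyCallback, which OpenSSL invokes during handshakes that may run on other threads; the header should state the contract, e.g. `/// Must be set before the Context is used by any socket; the handler is read from the verification callback without locking.` It would also help callers to document that the per-Context handler takes precedence over the SSLManager-wide one and that the ServerVerificationError/ClientVerificationError events still fire afterwards, since that is the dispatch order implemented in SSLManager.cpp.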
@@ -19,13 +19,15 @@
|
||||
|
||||
|
||||
#include "Poco/Net/NetSSL.h"
|
||||
#include "Poco/Net/VerificationErrorArgs.h"
|
||||
|
||||
|
||||
namespace Poco {
|
||||
namespace Net {
|
||||
|
||||
|
||||
class VerificationErrorArgs;
|
||||
|
||||
|
||||
class NetSSL_API InvalidCertificateHandler
|
||||
/// A InvalidCertificateHandler is invoked whenever an error occurs verifying the certificate. It allows the user
|
||||
/// to inspect and accept/reject the certificate.
|
||||
|
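Review bot: If, as the hunk's line counts suggest, `#include "Poco/Net/VerificationErrorArgs.h"` is replaced by the forward declaration `class VerificationErrorArgs;`, this is a source-compatibility change for code outside Poco: any subclass of InvalidCertificateHandler that implements onInvalidCertificate() and calls members of the args object (setIgnoreError(), certificate(), …) previously compiled via the transitive include and now needs the header itself. The forward declaration is the right fix for the include cycle introduced by VerificationErrorArgs.h now including Context.h, so I would only add a comment next to it, e.g. `// forward declaration only; include "Poco/Net/VerificationErrorArgs.h" in implementations of onInvalidCertificate()`, and mention the change in the release notes.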
@@ -278,6 +278,10 @@ protected:
|
||||
/// Throws a InvalidStateException if not application instance
|
||||
/// is available.
|
||||
|
||||
int contextIndex() const;
|
||||
/// Returns the index for SSL_CTX_set_ex_data() and SSL_CTX_get_ex_data() to
|
||||
/// store the Context* in the underlying SSL_CTX.
|
||||
|
||||
private:
|
||||
SSLManager();
|
||||
/// Creates the SSLManager.
|
||||
@@ -310,6 +314,7 @@ private:
|
||||
Context::Ptr _ptrDefaultClientContext;
|
||||
PrivateKeyPassphraseHandlerPtr _ptrClientPassphraseHandler;
|
||||
InvalidCertificateHandlerPtr _ptrClientCertificateHandler;
|
||||
int _contextIndex;
|
||||
Poco::FastMutex _mutex;
|
||||
|
||||
static const std::string CFG_PRIV_KEY_FILE;
|
||||
@@ -389,6 +394,12 @@ inline int SSLManager::verifyClientCallback(int ok, X509_STORE_CTX* pStore)
|
||||
}
|
||||
|
||||
|
||||
inline int SSLManager::contextIndex() const
|
||||
{
|
||||
return _contextIndex;
|
||||
}
|
||||
|
||||
|
||||
} } // namespace Poco::Net
|
||||
|
||||
|
||||
|
@@ -20,6 +20,7 @@
|
||||
|
||||
#include "Poco/Net/NetSSL.h"
|
||||
#include "Poco/Net/X509Certificate.h"
|
||||
#include "Poco/Net/Context.h"
|
||||
|
||||
|
||||
namespace Poco {
|
||||
@@ -30,12 +31,15 @@ class NetSSL_API VerificationErrorArgs
|
||||
/// A utility class for certificate error handling.
|
||||
{
|
||||
public:
|
||||
VerificationErrorArgs(const X509Certificate& cert, int errDepth, int errNum, const std::string& errMsg);
|
||||
VerificationErrorArgs(Poco::Net::Context::Ptr pContext, const X509Certificate& cert, int errDepth, int errNum, const std::string& errMsg);
|
||||
/// Creates the VerificationErrorArgs. _ignoreError is per default set to false.
|
||||
|
||||
~VerificationErrorArgs();
|
||||
/// Destroys the VerificationErrorArgs.
|
||||
|
||||
Poco::Net::Context::Ptr context() const;
|
||||
/// Returns the Context of the underlying connection causing the error.
|
||||
|
||||
const X509Certificate& certificate() const;
|
||||
/// Returns the certificate that caused the error.
|
||||
|
||||
@@ -55,6 +59,7 @@ public:
|
||||
/// returns the value of _ignoreError
|
||||
|
||||
private:
|
||||
Poco::Net::Context::Ptr _pContext;
|
||||
X509Certificate _cert;
|
||||
int _errorDepth;
|
||||
int _errorNumber;
|
||||
@@ -66,6 +71,12 @@ private:
|
||||
//
|
||||
// inlines
|
||||
//
|
||||
inline Poco::Net::Context::Ptr VerificationErrorArgs::context() const
|
||||
{
|
||||
return _pContext;
|
||||
}
|
||||
|
||||
|
||||
inline const X509Certificate& VerificationErrorArgs::certificate() const
|
||||
{
|
||||
return _cert;
|
||||
|
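Review bot: The constructor comment `/// Creates the VerificationErrorArgs. _ignoreError is per default set to false.` was not updated for the new first parameter; it should say what pContext is and whether it may be null, e.g. `/// Creates the VerificationErrorArgs for the connection using pContext; pContext is the Context whose verification failed and may be null if no Context is associated with the SSL_CTX.` The hunk also appears to replace the previous four-argument constructor rather than add an overload, so any external code that constructs VerificationErrorArgs directly (tests, custom verification code) stops compiling; if that is intended it belongs in the release notes, otherwise keep the old signature as a delegating overload. The doc for `context()` should likewise note that the returned Ptr can be null for the same reason.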
@@ -13,6 +13,7 @@
|
||||
|
||||
|
||||
#include "Poco/Net/AcceptCertificateHandler.h"
|
||||
#include "Poco/Net/VerificationErrorArgs.h"
|
||||
|
||||
|
||||
namespace Poco {
|
||||
|
@@ -13,6 +13,7 @@
|
||||
|
||||
|
||||
#include "Poco/Net/ConsoleCertificateHandler.h"
|
||||
#include "Poco/Net/VerificationErrorArgs.h"
|
||||
#include <iostream>
|
||||
|
||||
|
||||
|
@@ -174,6 +174,7 @@ void Context::init(const Params& params)
|
||||
SSL_CTX_set_verify_depth(_pSSLContext, params.verificationDepth);
|
||||
SSL_CTX_set_mode(_pSSLContext, SSL_MODE_AUTO_RETRY);
|
||||
SSL_CTX_set_session_cache_mode(_pSSLContext, SSL_SESS_CACHE_OFF);
|
||||
SSL_CTX_set_ex_data(_pSSLContext, SSLManager::instance().contextIndex(), this);
|
||||
|
||||
initDH(params.dhUse2048Bits, params.dhParamsFile);
|
||||
initECDH(params.ecdhCurve);
|
||||
@@ -463,6 +464,12 @@ void Context::preferServerCiphers()
|
||||
}
|
||||
|
||||
|
||||
void Context::setInvalidCertificateHandler(InvalidCertificateHandlerPtr pInvalidCertificateHandler)
|
||||
{
|
||||
_pInvalidCertificateHandler = pInvalidCertificateHandler;
|
||||
}
|
||||
|
||||
|
||||
void Context::createSSLContext()
|
||||
{
|
||||
int minTLSVersion = 0;
|
||||
|
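Review bot: The return value of `SSL_CTX_set_ex_data(_pSSLContext, SSLManager::instance().contextIndex(), this);` is ignored; it returns 0 on failure, and contextIndex() is whatever SSL_CTX_get_ex_new_index() returned in SSLManager's constructor, which can be -1. On that path the Context pointer is silently missing from the SSL_CTX and SSLManager::verifyCallback later reads a null Context guarded only by poco_assert_dbg. Check it here and fail loudly, e.g. `if (!SSL_CTX_set_ex_data(_pSSLContext, SSLManager::instance().contextIndex(), this)) throw SSLContextException("Cannot store Context in SSL_CTX");`, matching whatever exception type the rest of init() throws for SSL_CTX_* failures. Context::init continues outside the hunk.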
@@ -26,26 +26,11 @@ namespace Net {
|
||||
|
||||
InvalidCertificateHandler::InvalidCertificateHandler(bool handleErrorsOnServerSide): _handleErrorsOnServerSide(handleErrorsOnServerSide)
|
||||
{
|
||||
if (_handleErrorsOnServerSide)
|
||||
SSLManager::instance().ServerVerificationError += Delegate<InvalidCertificateHandler, VerificationErrorArgs>(this, &InvalidCertificateHandler::onInvalidCertificate);
|
||||
else
|
||||
SSLManager::instance().ClientVerificationError += Delegate<InvalidCertificateHandler, VerificationErrorArgs>(this, &InvalidCertificateHandler::onInvalidCertificate);
|
||||
}
|
||||
|
||||
|
||||
InvalidCertificateHandler::~InvalidCertificateHandler()
|
||||
{
|
||||
try
|
||||
{
|
||||
if (_handleErrorsOnServerSide)
|
||||
SSLManager::instance().ServerVerificationError -= Delegate<InvalidCertificateHandler, VerificationErrorArgs>(this, &InvalidCertificateHandler::onInvalidCertificate);
|
||||
else
|
||||
SSLManager::instance().ClientVerificationError -= Delegate<InvalidCertificateHandler, VerificationErrorArgs>(this, &InvalidCertificateHandler::onInvalidCertificate);
|
||||
}
|
||||
catch (...)
|
||||
{
|
||||
poco_unexpected();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
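Review bot: If, as the 26-to-11 line count suggests, the constructor and destructor bodies are now empty, constructing an InvalidCertificateHandler no longer subscribes it to SSLManager's ServerVerificationError/ClientVerificationError events, so the handleErrorsOnServerSide argument no longer has any observable effect here and `_handleErrorsOnServerSide` may be dead if nothing else reads it. That is a silent behavior change for applications that created a handler and kept it alive without passing it to SSLManager::initializeClient()/initializeServer(); such handlers are simply never invoked any more. Document it in the header next to the constructor, e.g. `/// Note: constructing a handler no longer registers it with SSLManager; it is invoked only when passed to SSLManager::initializeClient()/initializeServer() or Context::setInvalidCertificateHandler().`, and mention it in the release notes.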
@@ -13,6 +13,7 @@
|
||||
|
||||
|
||||
#include "Poco/Net/RejectCertificateHandler.h"
|
||||
#include "Poco/Net/VerificationErrorArgs.h"
|
||||
|
||||
|
||||
namespace Poco {
|
||||
|
@@ -67,7 +67,8 @@ const bool SSLManager::VAL_FIPS_MODE(false);
|
||||
#endif
|
||||
|
||||
|
||||
SSLManager::SSLManager()
|
||||
SSLManager::SSLManager():
|
||||
_contextIndex(SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL))
|
||||
{
|
||||
}
|
||||
|
||||
@@ -204,16 +205,45 @@ int SSLManager::verifyCallback(bool server, int ok, X509_STORE_CTX* pStore)
|
||||
{
|
||||
if (!ok)
|
||||
{
|
||||
SSLManager& sslManager = SSLManager::instance();
|
||||
SSL* pSSL = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(pStore, SSL_get_ex_data_X509_STORE_CTX_idx()));
|
||||
poco_assert_dbg (pSSL);
|
||||
SSL_CTX* pSSLContext = SSL_get_SSL_CTX(pSSL);
|
||||
poco_assert_dbg (pSSLContext);
|
||||
|
||||
Context* pContext = reinterpret_cast<Context*>(SSL_CTX_get_ex_data(pSSLContext, sslManager.contextIndex()));
|
||||
poco_assert_dbg (pContext);
|
||||
|
||||
X509* pCert = X509_STORE_CTX_get_current_cert(pStore);
|
||||
X509Certificate x509(pCert, true);
|
||||
int depth = X509_STORE_CTX_get_error_depth(pStore);
|
||||
int err = X509_STORE_CTX_get_error(pStore);
|
||||
std::string error(X509_verify_cert_error_string(err));
|
||||
VerificationErrorArgs args(x509, depth, err, error);
|
||||
VerificationErrorArgs args(Context::Ptr(pContext, true), x509, depth, err, error);
|
||||
if (server)
|
||||
SSLManager::instance().ServerVerificationError.notify(&SSLManager::instance(), args);
|
||||
{
|
||||
if (pContext->getInvalidCertificateHandler())
|
||||
{
|
||||
pContext->getInvalidCertificateHandler()->onInvalidCertificate(&sslManager, args);
|
||||
}
|
||||
else if (sslManager._ptrServerCertificateHandler)
|
||||
{
|
||||
sslManager._ptrServerCertificateHandler->onInvalidCertificate(&sslManager, args);
|
||||
}
|
||||
sslManager.ServerVerificationError.notify(&sslManager, args);
|
||||
}
|
||||
else
|
||||
SSLManager::instance().ClientVerificationError.notify(&SSLManager::instance(), args);
|
||||
{
|
||||
if (pContext->getInvalidCertificateHandler())
|
||||
{
|
||||
pContext->getInvalidCertificateHandler()->onInvalidCertificate(&sslManager, args);
|
||||
}
|
||||
else if (sslManager._ptrClientCertificateHandler)
|
||||
{
|
||||
sslManager._ptrClientCertificateHandler->onInvalidCertificate(&sslManager, args);
|
||||
}
|
||||
sslManager.ClientVerificationError.notify(&sslManager, args);
|
||||
}
|
||||
ok = args.getIgnoreError() ? 1 : 0;
|
||||
}
|
||||
|
||||
|
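Review bot: In SSLManager::verifyCallback the new `Context* pContext = reinterpret_cast<Context*>(SSL_CTX_get_ex_data(...))` is only checked by poco_assert_dbg, yet `pContext->getInvalidCertificateHandler()` is dereferenced unconditionally in both branches; in a release build a Context that was never stored in the SSL_CTX (the set_ex_data failure case, or an SSL_CTX swapped in via SNI) crashes inside the OpenSSL callback instead of falling back to the manager-wide handler. The server and client branches are also identical apart from the fallback member and the event, and each calls getInvalidCertificateHandler() twice, copying the SharedPtr each time; hoisting the lookup removes both the duplication and the null path, and `static_cast` is the correct cast for the void* returned by SSL_CTX_get_ex_data. This assumes SSLManager's InvalidCertificateHandlerPtr is the same Poco::SharedPtr type as Context's alias (Context.h line 192 declares the latter). It is worth a comment that the events are notified after the handler, so a subscriber that calls setIgnoreError() can still override the handler's decision, and `ok` is taken from args afterwards; the function's `return ok;` lies outside the hunk.
```cpp
Context* pContext = static_cast<Context*>(SSL_CTX_get_ex_data(pSSLContext, sslManager.contextIndex()));
// … unchanged: certificate, depth, error string and args construction …
// The per-Context handler takes precedence over the manager-wide one; a null
// pContext (Context never stored in the SSL_CTX) must not be dereferenced.
InvalidCertificateHandlerPtr pHandler;
if (pContext) pHandler = pContext->getInvalidCertificateHandler();
if (!pHandler) pHandler = server ? sslManager._ptrServerCertificateHandler : sslManager._ptrClientCertificateHandler;
if (pHandler) pHandler->onInvalidCertificate(&sslManager, args);
// Event subscribers run after the handler and may still change args.ignoreError.
if (server)
    sslManager.ServerVerificationError.notify(&sslManager, args);
else
    sslManager.ClientVerificationError.notify(&sslManager, args);
ok = args.getIgnoreError() ? 1 : 0;
```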
@@ -19,7 +19,8 @@ namespace Poco {
|
||||
namespace Net {
|
||||
|
||||
|
||||
VerificationErrorArgs::VerificationErrorArgs(const X509Certificate& cert, int errDepth, int errNum, const std::string& errMsg):
|
||||
VerificationErrorArgs::VerificationErrorArgs(Poco::Net::Context::Ptr pContext, const X509Certificate& cert, int errDepth, int errNum, const std::string& errMsg):
|
||||
_pContext(pContext),
|
||||
_cert(cert),
|
||||
_errorDepth(errDepth),
|
||||
_errorNumber(errNum),
|
||||
|
@@ -18,6 +18,8 @@
|
||||
#include "Poco/Net/SecureStreamSocket.h"
|
||||
#include "Poco/Net/SecureServerSocket.h"
|
||||
#include "Poco/Net/Context.h"
|
||||
#include "Poco/Net/RejectCertificateHandler.h"
|
||||
#include "Poco/Net/AcceptCertificateHandler.h"
|
||||
#include "Poco/Net/Session.h"
|
||||
#include "Poco/Net/SSLManager.h"
|
||||
#include "Poco/Util/Application.h"
|
||||
@@ -70,6 +72,26 @@ namespace
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
class NullConnection: public TCPServerConnection
|
||||
{
|
||||
public:
|
||||
NullConnection(const StreamSocket& s): TCPServerConnection(s)
|
||||
{
|
||||
}
|
||||
|
||||
void run()
|
||||
{
|
||||
SecureStreamSocket& ss = static_cast<SecureStreamSocket&>(socket());
|
||||
try
|
||||
{
|
||||
ss.completeHandshake();
|
||||
}
|
||||
catch (...)
|
||||
{
|
||||
}
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
|
||||
@@ -381,6 +403,50 @@ void TCPServerTest::testReuseSession()
|
||||
}
|
||||
|
||||
|
||||
void TCPServerTest::testContextInvalidCertificateHandler()
|
||||
{
|
||||
SecureServerSocket svs(0);
|
||||
TCPServer srv(new TCPServerConnectionFactoryImpl<NullConnection>(), svs);
|
||||
srv.start();
|
||||
|
||||
Context::Ptr pClientContext = new Context(
|
||||
Context::CLIENT_USE,
|
||||
"",
|
||||
"",
|
||||
"",
|
||||
Context::VERIFY_RELAXED,
|
||||
9,
|
||||
true,
|
||||
"ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
|
||||
|
||||
pClientContext->setInvalidCertificateHandler(new Poco::Net::RejectCertificateHandler(false));
|
||||
|
||||
SocketAddress sa("127.0.0.1", svs.address().port());
|
||||
|
||||
try
|
||||
{
|
||||
SecureStreamSocket ss1(sa, pClientContext);
|
||||
fail("must throw with RejectCertificateHandler");
|
||||
}
|
||||
catch (...)
|
||||
{
|
||||
}
|
||||
|
||||
pClientContext->setInvalidCertificateHandler(new Poco::Net::AcceptCertificateHandler(false));
|
||||
|
||||
try
|
||||
{
|
||||
SecureStreamSocket ss1(sa, pClientContext);
|
||||
}
|
||||
catch (...)
|
||||
{
|
||||
fail("must not throw with AcceptCertificateHandler");
|
||||
}
|
||||
|
||||
srv.stop();
|
||||
}
|
||||
|
||||
|
||||
void TCPServerTest::setUp()
|
||||
{
|
||||
}
|
||||
@@ -400,6 +466,7 @@ CppUnit::Test* TCPServerTest::suite()
|
||||
CppUnit_addTest(pSuite, TCPServerTest, testMultiConnections);
|
||||
CppUnit_addTest(pSuite, TCPServerTest, testReuseSocket);
|
||||
CppUnit_addTest(pSuite, TCPServerTest, testReuseSession);
|
||||
CppUnit_addTest(pSuite, TCPServerTest, testContextInvalidCertificateHandler);
|
||||
|
||||
return pSuite;
|
||||
}
|
||||
|
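Review bot: In testContextInvalidCertificateHandler the `catch (...)` around `SecureStreamSocket ss1(sa, pClientContext);` treats any exception as a successful rejection, so a connection refused, a timeout or a misconfigured context makes the test pass without the per-Context RejectCertificateHandler ever running; catch the specific type the rejection path throws instead, e.g. `catch (const Poco::Net::SSLException&) { }` (or the narrower certificate-validation exception if one exists), and let anything else propagate. The test also relies on the server certificate failing validation in a client Context created with empty CA settings and VERIFY_RELAXED; a short comment stating that assumption would make the intent clear to the next maintainer. The second half does not check that the AcceptCertificateHandler was actually consulted, so the test would also pass if validation simply succeeded; a handler subclass that records whether onInvalidCertificate() was called would make both halves assert the precedence this commit introduces.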
@@ -29,6 +29,7 @@ public:
|
||||
void testMultiConnections();
|
||||
void testReuseSocket();
|
||||
void testReuseSession();
|
||||
void testContextInvalidCertificateHandler();
|
||||
|
||||
void setUp();
|
||||
void tearDown();
|
||||
|