OpenSSL improvements
This commit is contained in:
Guenter Obiltschnig
Родитель
5ae8225ece
Коммит
5f605414ff
|
|
@ -1,7 +1,7 @@
|
|||
//
|
||||
// Context.h
|
||||
//
|
||||
// $Id: //poco/svn/NetSSL_OpenSSL/include/Poco/Net/Context.h#1 $
|
||||
// $Id: //poco/1.3/NetSSL_OpenSSL/include/Poco/Net/Context.h#3 $
|
||||
//
|
||||
// Library: NetSSL_OpenSSL
|
||||
// Package: SSLCore
|
||||
|
|
@ -41,6 +41,7 @@
|
|||
|
||||
|
||||
#include "Poco/Net/NetSSL.h"
|
||||
#include "Poco/SharedPtr.h"
|
||||
#include <openssl/ssl.h>
|
||||
|
||||
|
||||
|
|
@ -52,6 +53,7 @@ class NetSSL_API Context
|
|||
/// This class encapsulates an SSL Context.
|
||||
{
|
||||
public:
|
||||
typedef Poco::SharedPtr<Context> Ptr;
|
||||
enum VerificationMode
|
||||
{
|
||||
VERIFY_NONE = SSL_VERIFY_NONE,
|
||||
|
|
@ -80,10 +82,13 @@ public:
|
|||
/// Destroys the Context.
|
||||
|
||||
SSL_CTX* sslContext() const;
|
||||
/// Returns the OpenSSL SSL Context object.
|
||||
|
||||
Context::VerificationMode verificationMode() const;
|
||||
/// Returns the verification mode.
|
||||
|
||||
bool serverContext() const;
|
||||
/// Returns true iff the context is for a server.
|
||||
|
||||
private:
|
||||
SSL_CTX* _pSSLContext;
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
//
|
||||
// SecureSocketImpl.h
|
||||
//
|
||||
// $Id: //poco/svn/NetSSL_OpenSSL/include/Poco/Net/SecureSocketImpl.h#1 $
|
||||
// $Id: //poco/1.3/NetSSL_OpenSSL/include/Poco/Net/SecureSocketImpl.h#2 $
|
||||
//
|
||||
// Library: NetSSL_OpenSSL
|
||||
// Package: SSLSockets
|
||||
|
|
@ -42,6 +42,7 @@
|
|||
|
||||
#include "Poco/Net/NetSSL.h"
|
||||
#include "Poco/Net/SocketImpl.h"
|
||||
#include "Poco/Net/SSLManager.h"
|
||||
#include <openssl/bio.h>
|
||||
#include <openssl/ssl.h>
|
||||
|
||||
|
|
@ -164,6 +165,8 @@ public:
|
|||
/// that works as a tunnel to the given endPoint.
|
||||
/// Only call this method on disconnected sockets.
|
||||
|
||||
static long postConnectionCheck(SSLManager::ContextPtr pContext, X509* pCert, const std::string& hostName);
|
||||
|
||||
protected:
|
||||
void setSockfd(poco_socket_t sock);
|
||||
/// Set a socket description iff no socket is already set.
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
//
|
||||
// X509Certificate.h
|
||||
//
|
||||
// $Id: //poco/svn/NetSSL_OpenSSL/include/Poco/Net/X509Certificate.h#1 $
|
||||
// $Id: //poco/1.3/NetSSL_OpenSSL/include/Poco/Net/X509Certificate.h#3 $
|
||||
//
|
||||
// Library: NetSSL_OpenSSL
|
||||
// Package: SSLCore
|
||||
|
|
@ -41,6 +41,8 @@
|
|||
|
||||
|
||||
#include "Poco/Net/NetSSL.h"
|
||||
#include "Poco/Net/Context.h"
|
||||
#include "Poco/SharedPtr.h"
|
||||
#include <openssl/ssl.h>
|
||||
|
||||
|
||||
|
|
@ -52,9 +54,18 @@ class NetSSL_API X509Certificate
|
|||
/// This class represents an X509 Certificate.
|
||||
{
|
||||
public:
|
||||
X509Certificate(const std::string& file);
|
||||
/// Loads the X509Certificate from the file
|
||||
|
||||
X509Certificate(X509* pCert);
|
||||
/// Creates the X509Certificate.
|
||||
|
||||
X509Certificate(const X509Certificate&);
|
||||
|
||||
X509Certificate& operator=(const X509Certificate&);
|
||||
|
||||
void swap(X509Certificate& cert);
|
||||
|
||||
~X509Certificate();
|
||||
/// Destroys the X509Certificate.
|
||||
|
||||
|
|
@ -66,6 +77,9 @@ public:
|
|||
|
||||
const X509* certificate() const;
|
||||
/// Returns the OpenSSL certificate.
|
||||
|
||||
bool verify(const std::string& hostName, Poco::SharedPtr<Context> ptr);
|
||||
/// Verifies the validity of the certificate against the hostname.
|
||||
|
||||
private:
|
||||
void initialize();
|
||||
|
|
@ -75,6 +89,7 @@ private:
|
|||
std::string _issuerName;
|
||||
std::string _subjectName;
|
||||
X509* _pCert;
|
||||
std::string _file;
|
||||
};
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
//
|
||||
// Context.cpp
|
||||
//
|
||||
// $Id: //poco/svn/NetSSL_OpenSSL/src/Context.cpp#1 $
|
||||
// $Id: //poco/1.3/NetSSL_OpenSSL/src/Context.cpp#2 $
|
||||
//
|
||||
// Library: NetSSL_OpenSSL
|
||||
// Package: SSLCore
|
||||
|
|
@ -64,17 +64,21 @@ Context::Context(
|
|||
_pSSLContext = SSL_CTX_new(SSLv23_method());
|
||||
SSL_CTX_set_default_passwd_cb(_pSSLContext, &SSLManager::privateKeyPasswdCallback);
|
||||
|
||||
File aFile(caLocation);
|
||||
|
||||
int errCode = 0;
|
||||
if (aFile.isDirectory())
|
||||
errCode = SSL_CTX_load_verify_locations(_pSSLContext, 0, caLocation.c_str());
|
||||
else
|
||||
errCode = SSL_CTX_load_verify_locations(_pSSLContext, caLocation.c_str(), 0);
|
||||
if (errCode != 1)
|
||||
if (!caLocation.empty())
|
||||
{
|
||||
SSL_CTX_free(_pSSLContext);
|
||||
_pSSLContext = 0;
|
||||
throw SSLContextException(std::string("Failed to load CA file/directory from ") + caLocation);
|
||||
File aFile(caLocation);
|
||||
if (aFile.isDirectory())
|
||||
errCode = SSL_CTX_load_verify_locations(_pSSLContext, 0, caLocation.c_str());
|
||||
else
|
||||
errCode = SSL_CTX_load_verify_locations(_pSSLContext, caLocation.c_str(), 0);
|
||||
if (errCode != 1)
|
||||
{
|
||||
SSL_CTX_free(_pSSLContext);
|
||||
_pSSLContext = 0;
|
||||
throw SSLContextException(std::string("Failed to load CA file/directory from ") + caLocation);
|
||||
}
|
||||
}
|
||||
|
||||
if (loadCAFromDefaultPath)
|
||||
|
|
@ -87,22 +91,24 @@ Context::Context(
|
|||
throw SSLContextException(std::string("Failed to load CA file/directory from default location"));
|
||||
}
|
||||
}
|
||||
|
||||
errCode = SSL_CTX_use_certificate_chain_file(_pSSLContext, privateKeyFile.c_str());
|
||||
if (errCode != 1)
|
||||
if (!privateKeyFile.empty())
|
||||
{
|
||||
SSL_CTX_free(_pSSLContext);
|
||||
_pSSLContext = 0;
|
||||
throw SSLContextException(std::string("Error loading certificate from file ") + privateKeyFile);
|
||||
}
|
||||
File tmp(privateKeyFile);
|
||||
poco_assert (tmp.exists());
|
||||
errCode = SSL_CTX_use_PrivateKey_file(_pSSLContext, privateKeyFile.c_str(), SSL_FILETYPE_PEM);
|
||||
if (errCode != 1)
|
||||
{
|
||||
SSL_CTX_free(_pSSLContext);
|
||||
_pSSLContext = 0;
|
||||
throw SSLContextException(std::string("Error loading private key from file ") + privateKeyFile);
|
||||
errCode = SSL_CTX_use_certificate_chain_file(_pSSLContext, privateKeyFile.c_str());
|
||||
if (errCode != 1)
|
||||
{
|
||||
SSL_CTX_free(_pSSLContext);
|
||||
_pSSLContext = 0;
|
||||
throw SSLContextException(std::string("Error loading certificate from file ") + privateKeyFile);
|
||||
}
|
||||
File tmp(privateKeyFile);
|
||||
poco_assert (tmp.exists());
|
||||
errCode = SSL_CTX_use_PrivateKey_file(_pSSLContext, privateKeyFile.c_str(), SSL_FILETYPE_PEM);
|
||||
if (errCode != 1)
|
||||
{
|
||||
SSL_CTX_free(_pSSLContext);
|
||||
_pSSLContext = 0;
|
||||
throw SSLContextException(std::string("Error loading private key from file ") + privateKeyFile);
|
||||
}
|
||||
}
|
||||
int flags = (int)verMode;
|
||||
if (verMode == VERIFY_STRICT || verMode == VERIFY_ONCE)
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
//
|
||||
// SecureSocketImpl.cpp
|
||||
//
|
||||
// $Id: //poco/Main/NetSSL_OpenSSL/src/SecureSocketImpl.cpp#25 $
|
||||
// $Id: //poco/1.3/NetSSL_OpenSSL/src/SecureSocketImpl.cpp#6 $
|
||||
//
|
||||
// Library: NetSSL_OpenSSL
|
||||
// Package: SSLSockets
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
//
|
||||
// X509Certificate.cpp
|
||||
//
|
||||
// $Id: //poco/svn/NetSSL_OpenSSL/src/X509Certificate.cpp#1 $
|
||||
// $Id: //poco/1.3/NetSSL_OpenSSL/src/X509Certificate.cpp#2 $
|
||||
//
|
||||
// Library: NetSSL_OpenSSL
|
||||
// Package: SSLCore
|
||||
|
|
@ -35,21 +35,89 @@
|
|||
|
||||
|
||||
#include "Poco/Net/X509Certificate.h"
|
||||
#include "Poco/Net/SSLException.h"
|
||||
#include "Poco/Net/SSLManager.h"
|
||||
#include "Poco/Net/SecureSocketImpl.h"
|
||||
#include <openssl/pem.h>
|
||||
|
||||
|
||||
namespace Poco {
|
||||
namespace Net {
|
||||
|
||||
|
||||
X509Certificate::X509Certificate(X509* pCert):_pCert(pCert)
|
||||
X509Certificate::X509Certificate(const std::string& file):
|
||||
_issuerName(),
|
||||
_subjectName(),
|
||||
_pCert(0),
|
||||
_file(file)
|
||||
{
|
||||
BIO *fp=BIO_new(BIO_s_file());
|
||||
const char* pFN = file.c_str();
|
||||
BIO_read_filename(fp, (void*)pFN);
|
||||
if (!fp)
|
||||
throw Poco::PathNotFoundException("Failed to open " + file);
|
||||
try
|
||||
{
|
||||
_pCert = PEM_read_bio_X509(fp,0,0,0);
|
||||
}
|
||||
catch(...)
|
||||
{
|
||||
BIO_free(fp);
|
||||
throw;
|
||||
}
|
||||
if (!_pCert)
|
||||
throw SSLException("Faild to load certificate from " + file);
|
||||
initialize();
|
||||
}
|
||||
|
||||
|
||||
X509Certificate::X509Certificate(X509* pCert):
|
||||
_issuerName(),
|
||||
_subjectName(),
|
||||
_pCert(pCert),
|
||||
_file()
|
||||
{
|
||||
poco_check_ptr(_pCert);
|
||||
initialize();
|
||||
}
|
||||
|
||||
|
||||
X509Certificate::X509Certificate(const X509Certificate& cert):
|
||||
_issuerName(cert._issuerName),
|
||||
_subjectName(cert._subjectName),
|
||||
_pCert(cert._pCert),
|
||||
_file(cert._file)
|
||||
{
|
||||
if (!_file.empty())
|
||||
_pCert = X509_dup(_pCert);
|
||||
}
|
||||
|
||||
|
||||
X509Certificate& X509Certificate::operator=(const X509Certificate& cert)
|
||||
{
|
||||
if (this != &cert)
|
||||
{
|
||||
X509Certificate c(cert);
|
||||
swap(c);
|
||||
}
|
||||
return *this;
|
||||
}
|
||||
|
||||
|
||||
void X509Certificate::swap(X509Certificate& cert)
|
||||
{
|
||||
using std::swap;
|
||||
swap(cert._file, _file);
|
||||
swap(cert._issuerName, _issuerName);
|
||||
swap(cert._subjectName, _subjectName);
|
||||
swap(cert._pCert, _pCert);
|
||||
}
|
||||
|
||||
|
||||
X509Certificate::~X509Certificate()
|
||||
{
|
||||
if (!_file.empty() && _pCert)
|
||||
X509_free(_pCert);
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -63,4 +131,11 @@ void X509Certificate::initialize()
|
|||
}
|
||||
|
||||
|
||||
bool X509Certificate::verify(const std::string& hostName, Poco::SharedPtr<Context> ptr)
|
||||
{
|
||||
X509* pCert = X509_dup(_pCert);
|
||||
return (X509_V_OK == SecureSocketImpl::postConnectionCheck(ptr, pCert, hostName));
|
||||
}
|
||||
|
||||
|
||||
} } // namespace Poco::Net
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче