diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/credentials/credentials_manager.cpp | 30 | ||||
| -rw-r--r-- | src/credentials/credentials_manager.h | 27 | ||||
| -rw-r--r-- | src/tls/tls_client.cpp | 12 | ||||
| -rw-r--r-- | src/tls/tls_policy.h | 11 | ||||
| -rw-r--r-- | src/tls/tls_server.cpp | 12 |
5 files changed, 76 insertions, 16 deletions
diff --git a/src/credentials/credentials_manager.cpp b/src/credentials/credentials_manager.cpp index e7886d307..82da8a75d 100644 --- a/src/credentials/credentials_manager.cpp +++ b/src/credentials/credentials_manager.cpp @@ -49,4 +49,34 @@ Private_Key* Credentials_Manager::private_key_for(const X509_Certificate&, return 0; } +std::vector<X509_Certificate> +Credentials_Manager::trusted_certificate_authorities( + const std::string&, + const std::string&) + { + return std::vector<X509_Certificate>(); + } + +void Credentials_Manager::verify_certificate_chain( + const std::vector<X509_Certificate>& cert_chain, + const std::string& purported_hostname) + { + if(cert_chain.empty()) + throw std::invalid_argument("Certificate chain was empty"); + +#if 0 + if(!cert_chain[0].matches_dns_name(purported_hostname)) + return false; + + X509_Store store; + + std::vector<X509_Certificate> CAs = trusted_certificate_authorities(); + + for(size_t i = 1; i != CAs.size(); ++i) + store.add_cert(CAs[i], true); + for(size_t i = 1; i != cert_chain.size(); ++i) + store.add_cert(cert_chain[i]); +#endif + } + } diff --git a/src/credentials/credentials_manager.h b/src/credentials/credentials_manager.h index 43bccec69..fdcfa74da 100644 --- a/src/credentials/credentials_manager.h +++ b/src/credentials/credentials_manager.h @@ -62,6 +62,10 @@ class BOTAN_DLL Credentials_Manager bool generate_fake_on_unknown); /** + * Return a cert chain we can use, ordered from leaf to root. + * Assumed that we can get the private key of the leaf with + * private_key_for + * * @param cert_key_type is a string representing the key type * ("rsa", "dsa", "ecdsa", etc) or empty if no preference. */ @@ -71,8 +75,29 @@ class BOTAN_DLL Credentials_Manager const std::string& context); /** + * Return a list of the certificates of CAs that we trust in this + * type/context. + */ + virtual std::vector<X509_Certificate> trusted_certificate_authorities( + const std::string& type, + const std::string& context); + + /** + * Check the certificate chain is valid up to a trusted root, and + * optionally (if hostname != "") that the hostname given is + * consistent with the leaf certificate. + * + * This function should throw an exception derived from + * std::exception with an informative what() result if the + * certificate chain cannot be verified. + */ + virtual void verify_certificate_chain( + const std::vector<X509_Certificate>& cert_chain, + const std::string& hostname = ""); + + /** * @return private key associated with this certificate if we should - * use it with this context + * use it with this context. cert was returned by cert_chain */ virtual Private_Key* private_key_for(const X509_Certificate& cert, const std::string& type, diff --git a/src/tls/tls_client.cpp b/src/tls/tls_client.cpp index 835e8d4bd..215ff6972 100644 --- a/src/tls/tls_client.cpp +++ b/src/tls/tls_client.cpp @@ -251,9 +251,15 @@ void Client::process_handshake_msg(Handshake_Type type, throw TLS_Exception(HANDSHAKE_FAILURE, "Client: No certificates sent by server"); - if(!policy.check_cert(peer_certs)) - throw TLS_Exception(BAD_CERTIFICATE, - "Client: Server certificate is not valid"); + try + { + creds.verify_certificate_chain(peer_certs, + state->client_hello->sni_hostname()); + } + catch(std::exception& e) + { + throw TLS_Exception(BAD_CERTIFICATE, e.what()); + } std::auto_ptr<Public_Key> peer_key(peer_certs[0].subject_public_key()); diff --git a/src/tls/tls_policy.h b/src/tls/tls_policy.h index 61de53dcd..68de2c4df 100644 --- a/src/tls/tls_policy.h +++ b/src/tls/tls_policy.h @@ -46,15 +46,6 @@ class BOTAN_DLL Policy virtual std::vector<byte> compression() const; - virtual bool check_cert(const std::vector<X509_Certificate>& cert_chain) const = 0; - - /** - * If client authentication is desired, returns a list of allowable - * CAs for same. If not desired, returns empty list. - */ - virtual std::vector<X509_Certificate> client_auth_CAs() const - { return std::vector<X509_Certificate>(); } - /** * Require support for RFC 5746 extensions to enable * renegotiation. @@ -70,7 +61,7 @@ class BOTAN_DLL Policy virtual DL_Group dh_group() const { return DL_Group("modp/ietf/1536"); } /* - * @return the minimum version that we will negotiate + * @return the minimum version that we are willing to negotiate */ virtual Protocol_Version min_version() const { return Protocol_Version::SSL_V3; } diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp index cd7888c8b..b38a010dd 100644 --- a/src/tls/tls_server.cpp +++ b/src/tls/tls_server.cpp @@ -270,7 +270,8 @@ void Server::process_handshake_msg(Handshake_Type type, else state->kex_priv = PKCS8::copy_key(*private_key, rng); - std::vector<X509_Certificate> client_auth_CAs = policy.client_auth_CAs(); + std::vector<X509_Certificate> client_auth_CAs = + creds.trusted_certificate_authorities("tls-server", m_hostname); if(!client_auth_CAs.empty() && state->suite.sig_algo() != "") { @@ -342,7 +343,14 @@ void Server::process_handshake_msg(Handshake_Type type, if(!sig_valid) throw TLS_Exception(DECRYPT_ERROR, "Client cert verify failed"); - // FIXME: check cert was issued by a CA we requested, signatures, etc. + try + { + creds.verify_certificate_chain(client_certs); + } + catch(std::exception& e) + { + throw TLS_Exception(BAD_CERTIFICATE, e.what()); + } state->set_expected_next(HANDSHAKE_CCS); } |