HPCC-27255 TLS cert/key as buffers 4a
Signed-off-by: Mark Kelly <[email protected]>
mckellyln committed Sep 18, 2023
1 parent 40fd720 commit d51854a
Showing 1 changed file with 42 additions and 38 deletions.
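--- a/system/security/securesocket/securesocket.cpp
+++ b/system/security/securesocket/securesocket.cpp
@@ -1231,47 +1231,11 @@ static bool useCertificateChainPEMBuffer(SSL_CTX *ctx, const char *certBuf, int
 return true;
 }
 
-static bool setVerifyCertsPEMBuffer(SSL_CTX *ctx, const char *caCertBuf, int caCertLen=-1)
-{
-// this routine based on code originally from:
-// https://stackoverflow.com/questions/5052563/c-openssl-use-root-ca-from-buffer-rather-than-file-ssl-ctx-load-verify-locat
-
-// can have multiple certs in buffer
-
-OwnedEVPBio cbio(BIO_new_mem_buf(caCertBuf, caCertLen));
-if (!cbio)
-return false;
-
-OwnedX509Store store(X509_STORE_new());
-if (!store)
-return false;
-
-OwnedX509StkPtr infoStk(PEM_X509_INFO_read_bio(cbio, NULL, NULL, NULL));
-if (!infoStk)
-return false;
-
-X509_INFO *infoVal;
-for (int i = 0; i < sk_X509_INFO_num(infoStk); i++)
-{
-infoVal = sk_X509_INFO_value(infoStk, i);
-if (infoVal->x509)
-{
-if (!X509_STORE_add_cert(store, infoVal->x509))
-return false;
-
-infoVal->x509 = NULL;
-}
-}
-
-SSL_CTX_set_cert_store(ctx, store.getClear());
-
-return true;
-}
-
 class CSecureSocketContext : public CInterfaceOf<ISecureSocketContext>
 {
 private:
 OwnedSSLCTX m_ctx;
+OwnedX509Store m_store;
 #if (OPENSSL_VERSION_NUMBER > 0x00909000L)
 const SSL_METHOD* m_meth = nullptr;
 #else
@@ -1345,13 +1309,53 @@ class CSecureSocketContext : public CInterfaceOf<ISecureSocketContext>
 if (containsEmbeddedKey(caCertsPathOrBuf))
 {
 // can have multiple certs in buffer
-if (!setVerifyCertsPEMBuffer(m_ctx, caCertsPathOrBuf))
+if (!setVerifyCertsPEMBuffer(caCertsPathOrBuf))
 throw makeStringException(-1, "Error loading CA certificates");
 }
 else if (SSL_CTX_load_verify_locations(m_ctx, caCertsPathOrBuf, NULL) != 1)
 throw makeStringExceptionV(-1, "Error loading CA certificates from %s", caCertsPathOrBuf);
 }
 
+bool setVerifyCertsPEMBuffer(const char *caCertBuf, int caCertLen=-1)
+{
+// this routine based on code originally from:
+// https://stackoverflow.com/questions/5052563/c-openssl-use-root-ca-from-buffer-rather-than-file-ssl-ctx-load-verify-locat
+
+// can have multiple certs in buffer
+
+OwnedEVPBio cbio(BIO_new_mem_buf(caCertBuf, caCertLen));
+if (!cbio)
+return false;
+
+if (m_store)
+m_store.clear();
+
+m_store.setown(X509_STORE_new());
+if (!m_store)
+return false;
+
+OwnedX509StkPtr infoStk(PEM_X509_INFO_read_bio(cbio, NULL, NULL, NULL));
+if (!infoStk)
+return false;
+
+X509_INFO *infoVal;
+for (int i = 0; i < sk_X509_INFO_num(infoStk); i++)
+{
+infoVal = sk_X509_INFO_value(infoStk, i);
+if (infoVal->x509)
+{
+if (!X509_STORE_add_cert(m_store, infoVal->x509))
+return false;
+
+infoVal->x509 = NULL;
+}
+}
+
+SSL_CTX_set1_cert_store(m_ctx, m_store);
+
+return true;
+}
+
 public:
 CSecureSocketContext(SecureSocketType sockettype)
 {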
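Review bot: The new setVerifyCertsPEMBuffer member returns true even when PEM_X509_INFO_read_bio yields no certificates (an empty buffer, or one containing only a key), so a misconfigured CA buffer silently leaves the context with an empty trust store that, with verification enabled, rejects every peer instead of failing loudly at setup, and the caller at the top of the hunk only throws on a false return. Count the certificates actually installed and report failure when there are none: `int added = 0;` before the loop, `++added;` after the X509_STORE_add_cert check, and `return added > 0;` in place of `return true;`. Separately, X509_STORE_add_cert takes its own reference to the certificate, so nulling `infoVal->x509` afterwards appears to leak the reference still owned by the X509_INFO entry; this is carried over from the removed static function rather than introduced here, but it is worth confirming against the OpenSSL version in use before dropping that line. The caCertLen default of -1 makes BIO_new_mem_buf measure the buffer with strlen, so a comment on the signature such as `// caCertLen == -1: caCertBuf must be NUL-terminated` would save the next caller a surprise. The enclosing class CSecureSocketContext starts and ends outside the hunk.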
