version 1.8, 2002/08/29 16:48:16
|
version 1.9, 2002/09/06 00:19:38
|
|
|
// | // |
// Author: Markus Mueller (sedgewick_de@yahoo.de) | // Author: Markus Mueller (sedgewick_de@yahoo.de) |
// | // |
// Modified By: |
// Modified By: Nag Boranna, Hewlett-Packard Company (nagaraja_boranna@hp.com) |
// Nag Boranna, Hewlett-Packard Company ( nagaraja_boranna@hp.com ) |
// Roger Kumpf, Hewlett-Packard Company (roger_kumpf@hp.com) |
// | // |
//%///////////////////////////////////////////////////////////////////////////// | //%///////////////////////////////////////////////////////////////////////////// |
| |
|
|
// certificate handling routine | // certificate handling routine |
// | // |
| |
VERIFY_CERTIFICATE verify_certificate; |
// ATTN-RK-20020905: This global variable is unsafe with multiple SSL contexts |
|
SSLCertificateVerifyFunction* verify_certificate; |
| |
static int cert_verify(SSL_CTX *ctx, const char *cert_file, const char *key_file) | static int cert_verify(SSL_CTX *ctx, const char *cert_file, const char *key_file) |
{ | { |
|
|
// | // |
// Call the verify_certificate() callback | // Call the verify_certificate() callback |
// | // |
CertificateInfo certInfo(subjectName, issuerName, depth, err); |
SSLCertificateInfo certInfo(subjectName, issuerName, depth, err); |
| |
if (verify_certificate(certInfo)) | if (verify_certificate(certInfo)) |
{ | { |
|
|
// | // |
// | // |
SSLContextRep::SSLContextRep(const String& certPath, | SSLContextRep::SSLContextRep(const String& certPath, |
VERIFY_CERTIFICATE verifyCert, |
SSLCertificateVerifyFunction* verifyCert, |
const String& randomFile, | const String& randomFile, |
Boolean isCIMClient) | Boolean isCIMClient) |
{ | { |
|
|
| |
#endif // end of PEGASUS_SSL_RANDOMFILE | #endif // end of PEGASUS_SSL_RANDOMFILE |
| |
|
_sslContext = _makeSSLContext(); |
|
|
|
PEG_METHOD_EXIT(); |
|
} |
|
|
|
SSLContextRep::SSLContextRep(const SSLContextRep& sslContextRep) |
|
{ |
|
PEG_METHOD_ENTER(TRC_SSL, "SSLContextRep::SSLContextRep()"); |
|
|
|
_certPath = sslContextRep._certPath; |
|
// ATTN: verify_certificate is set implicitly in global variable |
|
_randomFile = sslContextRep._randomFile; |
|
_isCIMClient = sslContextRep._isCIMClient; |
|
_sslContext = _makeSSLContext(); |
|
|
|
PEG_METHOD_EXIT(); |
|
} |
|
|
|
// |
|
// Destructor |
|
// |
|
|
|
SSLContextRep::~SSLContextRep() |
|
{ |
|
PEG_METHOD_ENTER(TRC_SSL, "SSLContextRep::~SSLContextRep()"); |
|
|
|
SSL_CTX_free(_sslContext); |
|
|
|
PEG_METHOD_EXIT(); |
|
} |
|
|
|
SSL_CTX * SSLContextRep::_makeSSLContext() |
|
{ |
|
PEG_METHOD_ENTER(TRC_SSL, "SSLContextRep::_makeSSLContext()"); |
|
|
|
SSL_CTX * sslContext = 0; |
|
|
// | // |
// create SSL Context Area | // create SSL Context Area |
// | // |
| |
if (!( _SSLContext = SSL_CTX_new(SSLv23_method()) )) |
if (!( sslContext = SSL_CTX_new(SSLv23_method()) )) |
{ | { |
PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
throw( SSLException("Could not get SSL CTX")); | throw( SSLException("Could not get SSL CTX")); |
} | } |
| |
#ifdef PEGASUS_OS_HPUX | #ifdef PEGASUS_OS_HPUX |
if (!(SSL_CTX_set_cipher_list(_SSLContext, SSL_TXT_EXP40))) |
if (!(SSL_CTX_set_cipher_list(sslContext, SSL_TXT_EXP40))) |
throw( SSLException("Could not set the cipher list")); | throw( SSLException("Could not set the cipher list")); |
#endif | #endif |
| |
|
|
// set overall SSL Context flags | // set overall SSL Context flags |
// | // |
| |
SSL_CTX_set_quiet_shutdown(_SSLContext, 1); |
SSL_CTX_set_quiet_shutdown(sslContext, 1); |
SSL_CTX_set_mode(_SSLContext, SSL_MODE_AUTO_RETRY); |
SSL_CTX_set_mode(sslContext, SSL_MODE_AUTO_RETRY); |
SSL_CTX_set_options(_SSLContext,SSL_OP_ALL); |
SSL_CTX_set_options(sslContext,SSL_OP_ALL); |
| |
#ifdef CLIENT_CERTIFY | #ifdef CLIENT_CERTIFY |
SSL_CTX_set_verify(_SSLContext, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, |
SSL_CTX_set_verify(sslContext, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, |
prepareForCallback); | prepareForCallback); |
#else | #else |
if (verifyCert != NULL) | if (verifyCert != NULL) |
{ | { |
SSL_CTX_set_verify(_SSLContext, |
SSL_CTX_set_verify(sslContext, |
SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, prepareForCallback); | SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, prepareForCallback); |
} | } |
#endif | #endif |
|
|
// check certificate given to me | // check certificate given to me |
// | // |
| |
if (!cert_verify(_SSLContext, _certPath, _certPath)) |
if (!cert_verify(sslContext, _certPath, _certPath)) |
{ | { |
PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
throw( SSLException("Could not get certificate and/or private key")); | throw( SSLException("Could not get certificate and/or private key")); |
} | } |
| |
PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
} |
return sslContext; |
|
|
|
|
// |
|
// Destructor |
|
// |
|
|
|
SSLContextRep::~SSLContextRep() |
|
{ |
|
PEG_METHOD_ENTER(TRC_SSL, "SSLContextRep::~SSLContextRep()"); |
|
|
|
SSL_CTX_free(_SSLContext); |
|
|
|
PEG_METHOD_EXIT(); |
|
} | } |
| |
SSL_CTX * SSLContextRep::getContext() const | SSL_CTX * SSLContextRep::getContext() const |
{ | { |
return _SSLContext; |
return _sslContext; |
} | } |
#else | #else |
| |
// | // |
// these definitions are used if ssl is not availabel |
// these definitions are used if ssl is not available |
// | // |
| |
SSLContextRep::SSLContextRep(const String& certPath, | SSLContextRep::SSLContextRep(const String& certPath, |
VERIFY_CERTIFICATE verifyCert, |
SSLCertificateVerifyFunction* verifyCert, |
const String& randomFile, | const String& randomFile, |
Boolean isCIMClient) {} | Boolean isCIMClient) {} |
| |
|
SSLContextRep::SSLContextRep(const SSLContextRep& sslContextRep) {} |
|
|
SSLContextRep::~SSLContextRep() {} | SSLContextRep::~SSLContextRep() {} |
| |
SSL_CTX * SSLContextRep::getContext() const { return NULL; } |
SSL_CTX * SSLContextRep::_makeSSLContext() { return 0; } |
|
|
|
SSL_CTX * SSLContextRep::getContext() const { return 0; } |
| |
#endif // end of PEGASUS_HAS_SSL | #endif // end of PEGASUS_HAS_SSL |
| |
|
|
| |
SSLContext::SSLContext( | SSLContext::SSLContext( |
const String& certPath, | const String& certPath, |
VERIFY_CERTIFICATE verifyCert, |
SSLCertificateVerifyFunction* verifyCert, |
const String& randomFile, | const String& randomFile, |
Boolean isCIMClient) | Boolean isCIMClient) |
{ | { |
_rep = new SSLContextRep(certPath, verifyCert, randomFile, isCIMClient); | _rep = new SSLContextRep(certPath, verifyCert, randomFile, isCIMClient); |
} | } |
| |
|
SSLContext::SSLContext(const SSLContext& sslContext) |
|
{ |
|
_rep = new SSLContextRep(*sslContext._rep); |
|
} |
|
|
SSLContext::~SSLContext() | SSLContext::~SSLContext() |
{ | { |
delete _rep; | delete _rep; |
|
|
| |
/////////////////////////////////////////////////////////////////////////////// | /////////////////////////////////////////////////////////////////////////////// |
// | // |
// CertificateInfo |
// SSLCertificateInfo |
// | // |
/////////////////////////////////////////////////////////////////////////////// | /////////////////////////////////////////////////////////////////////////////// |
| |
CertificateInfo::CertificateInfo( |
class SSLCertificateInfoRep |
|
{ |
|
public: |
|
String subjectName; |
|
String issuerName; |
|
int errorDepth; |
|
int errorCode; |
|
int respCode; |
|
}; |
|
|
|
|
|
SSLCertificateInfo::SSLCertificateInfo( |
const String subjectName, | const String subjectName, |
const String issuerName, | const String issuerName, |
const int errorDepth, | const int errorDepth, |
const int errorCode) | const int errorCode) |
: |
|
_subjectName(subjectName), |
|
_issuerName(issuerName), |
|
_errorDepth(errorDepth), |
|
_errorCode(errorCode) |
|
{ | { |
_respCode = 0; |
_rep = new SSLCertificateInfoRep(); |
|
_rep->subjectName = subjectName; |
|
_rep->issuerName = issuerName; |
|
_rep->errorDepth = errorDepth; |
|
_rep->errorCode = errorCode; |
|
_rep->respCode = 0; |
|
} |
|
|
|
SSLCertificateInfo::SSLCertificateInfo( |
|
const SSLCertificateInfo& certificateInfo) |
|
{ |
|
_rep = new SSLCertificateInfoRep(); |
|
_rep->subjectName = certificateInfo._rep->subjectName; |
|
_rep->issuerName = certificateInfo._rep->issuerName; |
|
_rep->errorDepth = certificateInfo._rep->errorDepth; |
|
_rep->errorCode = certificateInfo._rep->errorCode; |
|
_rep->respCode = certificateInfo._rep->respCode; |
} | } |
| |
CertificateInfo::~CertificateInfo() |
SSLCertificateInfo::~SSLCertificateInfo() |
{ | { |
|
delete _rep; |
} | } |
| |
String CertificateInfo::getSubjectName() const |
String SSLCertificateInfo::getSubjectName() const |
{ | { |
return (_subjectName); |
return (_rep->subjectName); |
} | } |
| |
String CertificateInfo::getIssuerName() const |
String SSLCertificateInfo::getIssuerName() const |
{ | { |
return (_issuerName); |
return (_rep->issuerName); |
} | } |
| |
int CertificateInfo::getErrorDepth() const |
int SSLCertificateInfo::getErrorDepth() const |
{ | { |
return (_errorDepth); |
return (_rep->errorDepth); |
} | } |
| |
int CertificateInfo::getErrorCode() const |
int SSLCertificateInfo::getErrorCode() const |
{ | { |
return (_errorCode); |
return (_rep->errorCode); |
} | } |
| |
void CertificateInfo::setResponseCode(const int respCode) |
void SSLCertificateInfo::setResponseCode(const int respCode) |
{ | { |
_respCode = respCode; |
_rep->respCode = respCode; |
} | } |
| |
PEGASUS_NAMESPACE_END | PEGASUS_NAMESPACE_END |
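Review bot: `_makeSSLContext()` leaks the `SSL_CTX` it just created on both of its failure paths — the `SSL_CTX_set_cipher_list(sslContext, SSL_TXT_EXP40)` throw and the `cert_verify(sslContext, _certPath, _certPath)` throw both exit without releasing `sslContext`, and since the pointer is now a local rather than the member, nothing else will ever free it; add `SSL_CTX_free(sslContext);` immediately before each `throw`, and the HP-UX branch is also missing the `PEG_METHOD_EXIT();` the other throw sites call. Separately, `SSLContextRep` and `SSLCertificateInfo` each gained a copy constructor while their destructors free an owned `SSL_CTX` / `_rep`, but no copy-assignment operator appears in this diff; unless the header declares one (or makes it private), the compiler-generated assignment copies the raw pointer and two objects will free the same resource. The `// ATTN: verify_certificate is set implicitly in global variable` comment in the `SSLContextRep` copy constructor, together with the `ATTN-RK-20020905` note on the global, means a copied context does not carry its verification callback and instead inherits whichever callback the most recently constructed context installed — worth recording in the copy constructor's comment as a known limitation until the callback becomes per-context state. The `SSLContextRep(const String&, ...)` constructor body is cut by the hunk boundaries, so I cannot tell whether it assigns the global before calling `_makeSSLContext()`.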