author | Tobias Markmann <tm@ayena.de> | 2012-05-04 21:39:30 (GMT) |
---|---|---|
committer | Tobias Markmann <tm@ayena.de> | 2012-05-11 19:22:57 (GMT) |
commit | 3cb80b8a52a9532d5876cc8cb947b2856e481fd3 (patch) | |
tree | e66ca4acbf869c82bba607ca9c394a47615c6e6e /Swiften/TLS | |
parent | 15ed4a079a8bbe3cc9ee2ca47233be7b890464ec (diff) | |
download | swift-contrib-tobias/openssl_crl.zip swift-contrib-tobias/openssl_crl.tar.bz2 |
Showing stream encryption status in the roster header. Provide native certificate viewers on click.tobias/openssl_crl
Native viewers for Windows and Mac OS X are implemented.
Added TODOs to OpenSSL based TLS interface related to CRL and OCSP.
Resolves: #167
License: This patch is BSD-licensed, see http://www.opensource.org/licenses/bsd-license.php
Diffstat (limited to 'Swiften/TLS')
-rw-r--r-- | Swiften/TLS/OpenSSL/OpenSSLContext.cpp | 18 | ||||
-rw-r--r-- | Swiften/TLS/OpenSSL/OpenSSLContext.h | 1 | ||||
-rw-r--r-- | Swiften/TLS/Schannel/SchannelContext.cpp | 29 | ||||
-rw-r--r-- | Swiften/TLS/Schannel/SchannelContext.h | 1 | ||||
-rw-r--r-- | Swiften/TLS/TLSContext.h | 1 |
5 files changed, 50 insertions, 0 deletions
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
index 8c03052..58a8d05 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
+++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
@@ -39,6 +39,12 @@ OpenSSLContext::OpenSSLContext() : state_(Start), context_(0), handle_(0), readB
 ensureLibraryInitialized();
 context_ = SSL_CTX_new(TLSv1_client_method());
+ // TODO: implement CRL checking
+ // TODO: download CRL (HTTP transport)
+ // TODO: cache CRL downloads for configurable time period
+
+ // TODO: implement OCSP support
+ // TODO: handle OCSP stapling see https://www.rfc-editor.org/rfc/rfc4366.txt
 // Load system certs
 #if defined(SWIFTEN_PLATFORM_WINDOWS)
 X509_STORE* store = SSL_CTX_get_cert_store(context_);
@@ -236,6 +242,18 @@ Certificate::ref OpenSSLContext::getPeerCertificate() const {
 }
 }
+std::vector<Certificate::ref> OpenSSLContext::getPeerCertificateChain() const {
+ std::vector<Certificate::ref> result;
+ STACK_OF(X509)* chain = SSL_get_peer_cert_chain(handle_);
+ for (int i = 0; i < sk_X509_num(chain); ++i) {
+ boost::shared_ptr<X509> x509Cert(X509_dup(sk_X509_value(chain, i)), X509_free);
+
+ Certificate::ref cert = boost::make_shared<OpenSSLCertificate>(x509Cert);
+ result.push_back(cert);
+ }
+ return result;
+}
+
 boost::shared_ptr<CertificateVerificationError> OpenSSLContext::getPeerCertificateVerificationError() const {
 int verifyResult = SSL_get_verify_result(handle_);
 if (verifyResult != X509_V_OK) {
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.h b/Swiften/TLS/OpenSSL/OpenSSLContext.h
index d8d0d2f..cee4f79 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContext.h
+++ b/Swiften/TLS/OpenSSL/OpenSSLContext.h
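Review bot: The TODO block records what is planned but not what the code does today — nothing in this constructor enables revocation checking (no CRL flag on the store, no OCSP), so as far as I can tell the SSL_get_verify_result call in getPeerCertificateVerificationError further down returns X509_V_OK for a revoked but otherwise valid peer certificate. A maintainer reading the TODOs should see that consequence stated, so I would lead the block with `// NOTE: revocation (CRL/OCSP) is not checked at all yet; a revoked peer certificate still verifies.`. The RFC 4366 link covers the status_request extension; the stapled response itself is an OCSP response (RFC 2560), so naming both saves a hunt. The constructor body continues outside the hunk.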
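Review bot: getPeerCertificateChain dereferences handle_ and the returned stack without a check: handle_ starts at 0 (the constructor's initializer list in the first hunk shows `handle_(0)`), SSL_get_peer_cert_chain returns NULL when no peer certificate is available (sk_X509_num on NULL happens to yield -1 and skip the loop, but that is fragile to rely on), and X509_dup can return NULL, which here would wrap a null X509 in the shared_ptr and hand it to OpenSSLCertificate. If getPeerCertificate guards handle_ the same way elsewhere in this file, mirror that; otherwise the guards below cover all three. It is also worth stating in a comment that this is the chain as presented by the peer, not the path OpenSSL validated, so a certificate viewer built on it does not present it as the trust path.
```cpp
std::vector<Certificate::ref> OpenSSLContext::getPeerCertificateChain() const {
	std::vector<Certificate::ref> result;
	if (!handle_) {
		return result;
	}
	// Chain as presented by the peer (leaf first); not the path OpenSSL verified.
	STACK_OF(X509)* chain = SSL_get_peer_cert_chain(handle_);
	if (!chain) {
		return result;
	}
	for (int i = 0; i < sk_X509_num(chain); ++i) {
		X509* copy = X509_dup(sk_X509_value(chain, i));
		if (!copy) {
			// Do not hand back a chain with a link missing.
			return std::vector<Certificate::ref>();
		}
		boost::shared_ptr<X509> x509Cert(copy, X509_free);
		result.push_back(boost::make_shared<OpenSSLCertificate>(x509Cert));
	}
	return result;
}
```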
@@ -28,6 +28,7 @@ namespace Swift {
 void handleDataFromApplication(const SafeByteArray&);
 Certificate::ref getPeerCertificate() const;
+ std::vector<Certificate::ref> getPeerCertificateChain() const;
 boost::shared_ptr<CertificateVerificationError> getPeerCertificateVerificationError() const;
 virtual ByteArray getFinishMessage() const;
diff --git a/Swiften/TLS/Schannel/SchannelContext.cpp b/Swiften/TLS/Schannel/SchannelContext.cpp
index 641568d..997d760 100644
--- a/Swiften/TLS/Schannel/SchannelContext.cpp
+++ b/Swiften/TLS/Schannel/SchannelContext.cpp
@@ -633,6 +633,35 @@ Certificate::ref SchannelContext::getPeerCertificate() const {
 //------------------------------------------------------------------------
+std::vector<Certificate::ref> SchannelContext::getPeerCertificateChain() const {
+ std::vector<Certificate::ref> certificateChain;
+ ScopedCertContext pServerCert;
+ ScopedCertContext pIssuerCert;
+ ScopedCertContext pCurrentCert;
+ SECURITY_STATUS status = QueryContextAttributes(m_ctxtHandle, SECPKG_ATTR_REMOTE_CERT_CONTEXT, pServerCert.Reset());
+
+ if (status != SEC_E_OK) {
+ return certificateChain;
+ }
+ certificateChain.push_back(boost::make_shared<SchannelCertificate>(pServerCert));
+
+ pCurrentCert = pServerCert;
+ while(pCurrentCert.GetPointer()) {
+ DWORD dwVerificationFlags = 0;
+ pIssuerCert = CertGetIssuerCertificateFromStore(pServerCert->hCertStore, pCurrentCert, NULL, &dwVerificationFlags );
+ if (!(*pIssuerCert.GetPointer())) {
+ break;
+ }
+ certificateChain.push_back(boost::make_shared<SchannelCertificate>(pIssuerCert));
+
+ pCurrentCert = pIssuerCert;
+ pIssuerCert = NULL;
+ }
+ return certificateChain;
+}
+
+//------------------------------------------------------------------------
+
 CertificateVerificationError::ref SchannelContext::getPeerCertificateVerificationError() const {
 return m_verificationError ? boost::make_shared<CertificateVerificationError>(*m_verificationError) : CertificateVerificationError::ref();
 }
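Review bot: The chain SchannelContext::getPeerCertificateChain returns is assembled by issuer lookup in the peer certificate's store with dwVerificationFlags left at 0, so CertGetIssuerCertificateFromStore performs no signature, validity-period or revocation check on the links it hands back, and the result can differ from the chain Schannel actually validated for this connection; the function should say so, e.g. `// Display-only chain: issuers looked up by name with no verification flags; not the path Schannel validated.`. The while loop has no depth bound, so if the store ever yields a cycle of cross-issued certificates the loop keeps appending until memory runs out (I am inferring the cycle case from the lookup semantics, not from anything in the hunk); a cap such as `while (pCurrentCert.GetPointer() && certificateChain.size() < 16) {` is cheap insurance. The `pCurrentCert = pServerCert;` and `pCurrentCert = pIssuerCert; pIssuerCert = NULL;` sequence depends on ScopedCertContext's copy and assignment semantics, which are not visible here — if it is a plain owning wrapper that does not duplicate the context, the same context can be released twice or used after release, so this is worth confirming against the class definition.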
diff --git a/Swiften/TLS/Schannel/SchannelContext.h b/Swiften/TLS/Schannel/SchannelContext.h
index 587d0e7..2d65a8a 100644
--- a/Swiften/TLS/Schannel/SchannelContext.h
+++ b/Swiften/TLS/Schannel/SchannelContext.h
@@ -51,6 +51,7 @@ namespace Swift
 virtual void handleDataFromApplication(const SafeByteArray& data);
 virtual Certificate::ref getPeerCertificate() const;
+ virtual std::vector<Certificate::ref> getPeerCertificateChain() const;
 virtual CertificateVerificationError::ref getPeerCertificateVerificationError() const;
 virtual ByteArray getFinishMessage() const;
diff --git a/Swiften/TLS/TLSContext.h b/Swiften/TLS/TLSContext.h
index 5640fe1..388f8ee 100644
--- a/Swiften/TLS/TLSContext.h
+++ b/Swiften/TLS/TLSContext.h
@@ -29,6 +29,7 @@ namespace Swift {
 virtual void handleDataFromApplication(const SafeByteArray&) = 0;
 virtual Certificate::ref getPeerCertificate() const = 0;
+ virtual std::vector<Certificate::ref> getPeerCertificateChain() const = 0;
 virtual CertificateVerificationError::ref getPeerCertificateVerificationError() const = 0;
 virtual ByteArray getFinishMessage() const = 0; |
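Review bot: The new pure virtual getPeerCertificateChain in TLSContext.h carries no contract comment, and the two implementations added in this commit do not agree on what the chain is: the OpenSSL version returns the chain as sent by the peer, while the Schannel version reconstructs it from the local store by issuer lookup, and neither is the path the library actually validated. A caller feeding this into a certificate viewer needs that stated at the interface rather than discovered per backend, so I would document it on the declaration: `/** Peer certificate chain, leaf first, as presented by the peer or reconstructed from the local store. For display only: this is not the validated trust path. Empty when no peer certificate is available. */`. The same note applies to the declarations in OpenSSLContext.h and SchannelContext.h if the project documents overrides.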