Add ability to set external Trust Anchors to Swift OpenSSL context

Add a new (optional) field to TLSContext, which allows a vector of Trust Anchor certificates to be specified. Inside OpenSSLContext::configure, pass the X509 components of these certificates into the OpenSSL context: these are now available for client certificate verification in any callback method set via TLSOptions.verifyCertificateCallback. JIRA: LINK-1765 Test-information: Tested via MLink unit tests. No leaks reported. Change-Id: Ie9cc2051ee212249a12a4bc71b62306b5bce3013
author: Tim Costen <tim.costen@isode.com> 2019-10-04 14:51:06 (GMT)
committer: Kevin Smith <kevin.smith@isode.com> 2019-10-07 09:30:04 (GMT)
commit: 2239cdae45b39e675877ae32c86c47bcadce3090 (patch)
tree: 5ee18af14ee9e9ee6f8616d352b4e808cfd95e4b /Swiften/TLS/OpenSSL/OpenSSLContext.cpp
parent: 2ad1938c50f9fe57fe3dd98eb9f4bb711ac52acd (diff)
download: swift-2239cdae45b39e675877ae32c86c47bcadce3090.zip
swift-2239cdae45b39e675877ae32c86c47bcadce3090.tar.bz2
1 files changed, 15 insertions, 0 deletions
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
index d9560de..6dd75d6 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
+++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
@@ -396,6 +396,21 @@ bool OpenSSLContext::configure(const TLSOptions &options)
    updateOptionIfPresent(options.disableTLSRollBackBug, SSL_OP_TLS_ROLLBACK_BUG);
    updateOptionIfPresent(options.singleDHUse, SSL_OP_SINGLE_DH_USE);
+    if (options.trustAnchors) {
+        // Add any additional Trust Anchors which are present in the TLSOptions
+        X509_STORE* store = SSL_CTX_get_cert_store(context_.get());
+        if (store) {
+            for (auto& certificate : *options.trustAnchors) {
+                auto openSSLCert = dynamic_cast<OpenSSLCertificate*>(certificate.get());
+                if (openSSLCert && openSSLCert->getInternalX509()) {
+                    X509_STORE_add_cert(store, openSSLCert->getInternalX509().get());
+                    // Don't need to increment reference count as X509_STORE_add_cert does thiS
+                }
+            }
+        }
+    }
    return true;
 }
author	Tim Costen <tim.costen@isode.com>	2019-10-04 14:51:06 (GMT)
committer	Kevin Smith <kevin.smith@isode.com>	2019-10-07 09:30:04 (GMT)
commit	2239cdae45b39e675877ae32c86c47bcadce3090 (patch)
tree	5ee18af14ee9e9ee6f8616d352b4e808cfd95e4b /Swiften/TLS/OpenSSL/OpenSSLContext.cpp
parent	2ad1938c50f9fe57fe3dd98eb9f4bb711ac52acd (diff)
download	swift-2239cdae45b39e675877ae32c86c47bcadce3090.zip swift-2239cdae45b39e675877ae32c86c47bcadce3090.tar.bz2

diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp index d9560de..6dd75d6 100644 --- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp +++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
@@ -396,6 +396,21 @@ bool OpenSSLContext::configure(const TLSOptions &options)
396	updateOptionIfPresent(options.disableTLSRollBackBug, SSL_OP_TLS_ROLLBACK_BUG);	396	updateOptionIfPresent(options.disableTLSRollBackBug, SSL_OP_TLS_ROLLBACK_BUG);
397	updateOptionIfPresent(options.singleDHUse, SSL_OP_SINGLE_DH_USE);	397	updateOptionIfPresent(options.singleDHUse, SSL_OP_SINGLE_DH_USE);
398		398
		399	if (options.trustAnchors) {
		400	// Add any additional Trust Anchors which are present in the TLSOptions
		401	X509_STORE* store = SSL_CTX_get_cert_store(context_.get());
		402
		403	if (store) {
		404	for (auto& certificate : *options.trustAnchors) {
		405	auto openSSLCert = dynamic_cast<OpenSSLCertificate*>(certificate.get());
		406	if (openSSLCert && openSSLCert->getInternalX509()) {
		407	X509_STORE_add_cert(store, openSSLCert->getInternalX509().get());
		408	// Don't need to increment reference count as X509_STORE_add_cert does thiS
		409	}
		410	}
		411	}
		412	}
		413
399	return true;	414	return true;
400	}	415	}
401		416