Showing stream encryption status in the roster header. Provide native certificate viewers on click.

Native viewers for Windows and Mac OS X are implemented. Added TODOs to OpenSSL based TLS interface related to CRL and OCSP. Resolves: #167 License: This patch is BSD-licensed, see http://www.opensource.org/licenses/bsd-license.php
author: Tobias Markmann <tm@ayena.de> 2012-05-04 21:39:30 (GMT)
committer: Remko Tronçon <git@el-tramo.be> 2012-05-11 19:29:38 (GMT)
commit: 0f91f88ac69644fb7e7bdbf601b7e098194490fa (patch)
tree: e66ca4acbf869c82bba607ca9c394a47615c6e6e /Swiften/TLS
parent: 15ed4a079a8bbe3cc9ee2ca47233be7b890464ec (diff)
download: swift-0f91f88ac69644fb7e7bdbf601b7e098194490fa.zip
swift-0f91f88ac69644fb7e7bdbf601b7e098194490fa.tar.bz2
5 files changed, 50 insertions, 0 deletions
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
index 8c03052..58a8d05 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
+++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
@@ -39,6 +39,12 @@ OpenSSLContext::OpenSSLContext() : state_(Start), context_(0), handle_(0), readB
 	ensureLibraryInitialized();
 	context_ = SSL_CTX_new(TLSv1_client_method());
 
+	// TODO: implement CRL checking
+	// TODO: download CRL (HTTP transport)
+	// TODO: cache CRL downloads for configurable time period
+
+	// TODO: implement OCSP support
+	// TODO: handle OCSP stapling see https://www.rfc-editor.org/rfc/rfc4366.txt
 	// Load system certs
 #if defined(SWIFTEN_PLATFORM_WINDOWS)
 	X509_STORE* store = SSL_CTX_get_cert_store(context_);
@@ -236,6 +242,18 @@ Certificate::ref OpenSSLContext::getPeerCertificate() const {
 	}
 }
 
+std::vector<Certificate::ref> OpenSSLContext::getPeerCertificateChain() const {
+	std::vector<Certificate::ref> result;
+	STACK_OF(X509)* chain = SSL_get_peer_cert_chain(handle_);
+	for (int i = 0; i < sk_X509_num(chain); ++i) {
+		boost::shared_ptr<X509> x509Cert(X509_dup(sk_X509_value(chain, i)), X509_free);
+
+		Certificate::ref cert = boost::make_shared<OpenSSLCertificate>(x509Cert);
+		result.push_back(cert);
+	}
+	return result;
+}
+
 boost::shared_ptr<CertificateVerificationError> OpenSSLContext::getPeerCertificateVerificationError() const {
 	int verifyResult = SSL_get_verify_result(handle_);
 	if (verifyResult != X509_V_OK) {
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.h b/Swiften/TLS/OpenSSL/OpenSSLContext.h
index d8d0d2f..cee4f79 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContext.h
+++ b/Swiften/TLS/OpenSSL/OpenSSLContext.h
@@ -28,6 +28,7 @@ namespace Swift {
 			void handleDataFromApplication(const SafeByteArray&);
 
 			Certificate::ref getPeerCertificate() const;
+			std::vector<Certificate::ref> getPeerCertificateChain() const;
 			boost::shared_ptr<CertificateVerificationError> getPeerCertificateVerificationError() const;
 
 			virtual ByteArray getFinishMessage() const;
diff --git a/Swiften/TLS/Schannel/SchannelContext.cpp b/Swiften/TLS/Schannel/SchannelContext.cpp
index 641568d..997d760 100644
--- a/Swiften/TLS/Schannel/SchannelContext.cpp
+++ b/Swiften/TLS/Schannel/SchannelContext.cpp
@@ -633,6 +633,35 @@ Certificate::ref SchannelContext::getPeerCertificate() const {
 
 //------------------------------------------------------------------------
 
+std::vector<Certificate::ref> SchannelContext::getPeerCertificateChain() const {
+	std::vector<Certificate::ref> certificateChain;
+	ScopedCertContext pServerCert;
+	ScopedCertContext pIssuerCert;
+	ScopedCertContext pCurrentCert;
+	SECURITY_STATUS status = QueryContextAttributes(m_ctxtHandle, SECPKG_ATTR_REMOTE_CERT_CONTEXT, pServerCert.Reset());
+
+	if (status != SEC_E_OK) {
+		return certificateChain;
+	}
+	certificateChain.push_back(boost::make_shared<SchannelCertificate>(pServerCert));
+
+	pCurrentCert = pServerCert;
+	while(pCurrentCert.GetPointer()) {
+		DWORD dwVerificationFlags = 0;
+		pIssuerCert = CertGetIssuerCertificateFromStore(pServerCert->hCertStore, pCurrentCert, NULL, &dwVerificationFlags );
+		if (!(*pIssuerCert.GetPointer())) {
+			break;
+		}
+		certificateChain.push_back(boost::make_shared<SchannelCertificate>(pIssuerCert));
+
+		pCurrentCert = pIssuerCert;
+		pIssuerCert = NULL;
+	}
+	return certificateChain;
+}
+
+//------------------------------------------------------------------------
+
 CertificateVerificationError::ref SchannelContext::getPeerCertificateVerificationError() const {
 	return m_verificationError ? boost::make_shared<CertificateVerificationError>(*m_verificationError) : CertificateVerificationError::ref();
 }
diff --git a/Swiften/TLS/Schannel/SchannelContext.h b/Swiften/TLS/Schannel/SchannelContext.h
index 587d0e7..2d65a8a 100644
--- a/Swiften/TLS/Schannel/SchannelContext.h
+++ b/Swiften/TLS/Schannel/SchannelContext.h
@@ -51,6 +51,7 @@ namespace Swift
 		virtual void	handleDataFromApplication(const SafeByteArray& data);
 
 		virtual Certificate::ref getPeerCertificate() const;
+		virtual std::vector<Certificate::ref> getPeerCertificateChain() const;
 		virtual CertificateVerificationError::ref getPeerCertificateVerificationError() const;
 
 		virtual ByteArray getFinishMessage() const;
diff --git a/Swiften/TLS/TLSContext.h b/Swiften/TLS/TLSContext.h
index 5640fe1..388f8ee 100644
--- a/Swiften/TLS/TLSContext.h
+++ b/Swiften/TLS/TLSContext.h
@@ -29,6 +29,7 @@ namespace Swift {
 			virtual void handleDataFromApplication(const SafeByteArray&) = 0;
 
 			virtual Certificate::ref getPeerCertificate() const = 0;
+			virtual std::vector<Certificate::ref> getPeerCertificateChain() const = 0;
 			virtual CertificateVerificationError::ref getPeerCertificateVerificationError() const = 0;
 
 			virtual ByteArray getFinishMessage() const = 0;
author	Tobias Markmann <tm@ayena.de>	2012-05-04 21:39:30 (GMT)
committer	Remko Tronçon <git@el-tramo.be>	2012-05-11 19:29:38 (GMT)
commit	0f91f88ac69644fb7e7bdbf601b7e098194490fa (patch)
tree	e66ca4acbf869c82bba607ca9c394a47615c6e6e /Swiften/TLS
parent	15ed4a079a8bbe3cc9ee2ca47233be7b890464ec (diff)
download	swift-0f91f88ac69644fb7e7bdbf601b7e098194490fa.zip swift-0f91f88ac69644fb7e7bdbf601b7e098194490fa.tar.bz2