From 1bebb951f1a398038a602ea8ac1fc1cbc92959c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Remko=20Tron=C3=A7on?= Date: Sat, 12 May 2012 20:24:40 +0200 Subject: Remove peer certificate from APIs. The peer certificate chain contains the peer certificate, so this was redundant. diff --git a/Swift/Controllers/Storages/CertificateStorageTrustChecker.h b/Swift/Controllers/Storages/CertificateStorageTrustChecker.h index a73590a..df15575 100644 --- a/Swift/Controllers/Storages/CertificateStorageTrustChecker.h +++ b/Swift/Controllers/Storages/CertificateStorageTrustChecker.h @@ -18,7 +18,7 @@ namespace Swift { CertificateStorageTrustChecker(CertificateStorage* storage) : storage(storage) { } - virtual bool isCertificateTrusted(Certificate::ref, const std::vector& certificateChain) { + virtual bool isCertificateTrusted(const std::vector& certificateChain) { lastCertificateChain = std::vector(certificateChain.begin(), certificateChain.end()); return certificateChain.empty() ? false : storage->hasCertificate(certificateChain[0]); } diff --git a/Swiften/Client/ClientSession.cpp b/Swiften/Client/ClientSession.cpp index c2dc3ae..7e1f517 100644 --- a/Swiften/Client/ClientSession.cpp +++ b/Swiften/Client/ClientSession.cpp @@ -370,25 +370,24 @@ void ClientSession::sendCredentials(const SafeByteArray& password) { void ClientSession::handleTLSEncrypted() { checkState(Encrypting); - Certificate::ref certificate = stream->getPeerCertificate(); std::vector certificateChain = stream->getPeerCertificateChain(); boost::shared_ptr verificationError = stream->getPeerCertificateVerificationError(); if (verificationError) { - checkTrustOrFinish(certificate, certificateChain, verificationError); + checkTrustOrFinish(certificateChain, verificationError); } else { ServerIdentityVerifier identityVerifier(localJID); - if (identityVerifier.certificateVerifies(certificate)) { + if (!certificateChain.empty() && identityVerifier.certificateVerifies(certificateChain[0])) { continueAfterTLSEncrypted(); } else { - checkTrustOrFinish(certificate, certificateChain, boost::make_shared(CertificateVerificationError::InvalidServerIdentity)); + checkTrustOrFinish(certificateChain, boost::make_shared(CertificateVerificationError::InvalidServerIdentity)); } } } -void ClientSession::checkTrustOrFinish(Certificate::ref certificate, const std::vector& certificateChain, boost::shared_ptr error) { - if (certificateTrustChecker && certificateTrustChecker->isCertificateTrusted(certificate, certificateChain)) { +void ClientSession::checkTrustOrFinish(const std::vector& certificateChain, boost::shared_ptr error) { + if (certificateTrustChecker && certificateTrustChecker->isCertificateTrusted(certificateChain)) { continueAfterTLSEncrypted(); } else { diff --git a/Swiften/Client/ClientSession.h b/Swiften/Client/ClientSession.h index 9c4b980..66a90ed 100644 --- a/Swiften/Client/ClientSession.h +++ b/Swiften/Client/ClientSession.h @@ -154,7 +154,7 @@ namespace Swift { void handleStanzaAcked(boost::shared_ptr stanza); void ack(unsigned int handledStanzasCount); void continueAfterTLSEncrypted(); - void checkTrustOrFinish(Certificate::ref certificate, const std::vector& certificateChain, boost::shared_ptr error); + void checkTrustOrFinish(const std::vector& certificateChain, boost::shared_ptr error); private: JID localJID; diff --git a/Swiften/TLS/BlindCertificateTrustChecker.h b/Swiften/TLS/BlindCertificateTrustChecker.h index 9ed7ff2..d91ec25 100644 --- a/Swiften/TLS/BlindCertificateTrustChecker.h +++ b/Swiften/TLS/BlindCertificateTrustChecker.h @@ -19,7 +19,7 @@ namespace Swift { */ class BlindCertificateTrustChecker : public CertificateTrustChecker { public: - virtual bool isCertificateTrusted(Certificate::ref, const std::vector&) { + virtual bool isCertificateTrusted(const std::vector&) { return true; } }; diff --git a/Swiften/TLS/CertificateTrustChecker.h b/Swiften/TLS/CertificateTrustChecker.h index 91cc530..2ba6b40 100644 --- a/Swiften/TLS/CertificateTrustChecker.h +++ b/Swiften/TLS/CertificateTrustChecker.h @@ -21,13 +21,13 @@ namespace Swift { virtual ~CertificateTrustChecker(); /** - * This method is called to find out whether a certificate is + * This method is called to find out whether a certificate (chain) is * trusted. This usually happens when a certificate's validation * fails, to check whether to proceed with the connection or not. * - * certificateChain contains the chain of certificates, if available. - * This chain includes certificate. + * certificateChain contains the chain of certificates. The first certificate + * is the subject certificate. */ - virtual bool isCertificateTrusted(Certificate::ref certificate, const std::vector& certificateChain) = 0; + virtual bool isCertificateTrusted(const std::vector& certificateChain) = 0; }; } diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp index 58a8d05..2364c2e 100644 --- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp +++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp @@ -232,16 +232,6 @@ bool OpenSSLContext::setClientCertificate(CertificateWithKey::ref certificate) { return true; } -Certificate::ref OpenSSLContext::getPeerCertificate() const { - boost::shared_ptr x509Cert(SSL_get_peer_certificate(handle_), X509_free); - if (x509Cert) { - return boost::make_shared(x509Cert); - } - else { - return Certificate::ref(); - } -} - std::vector OpenSSLContext::getPeerCertificateChain() const { std::vector result; STACK_OF(X509)* chain = SSL_get_peer_cert_chain(handle_); diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.h b/Swiften/TLS/OpenSSL/OpenSSLContext.h index cee4f79..d4327ca 100644 --- a/Swiften/TLS/OpenSSL/OpenSSLContext.h +++ b/Swiften/TLS/OpenSSL/OpenSSLContext.h @@ -27,7 +27,6 @@ namespace Swift { void handleDataFromNetwork(const SafeByteArray&); void handleDataFromApplication(const SafeByteArray&); - Certificate::ref getPeerCertificate() const; std::vector getPeerCertificateChain() const; boost::shared_ptr getPeerCertificateVerificationError() const; diff --git a/Swiften/TLS/Schannel/SchannelContext.cpp b/Swiften/TLS/Schannel/SchannelContext.cpp index 997d760..b4b2843 100644 --- a/Swiften/TLS/Schannel/SchannelContext.cpp +++ b/Swiften/TLS/Schannel/SchannelContext.cpp @@ -625,14 +625,6 @@ void SchannelContext::handleCertificateCardRemoved() { //------------------------------------------------------------------------ -Certificate::ref SchannelContext::getPeerCertificate() const { - ScopedCertContext pServerCert; - SECURITY_STATUS status = QueryContextAttributes(m_ctxtHandle, SECPKG_ATTR_REMOTE_CERT_CONTEXT, pServerCert.Reset()); - return status == SEC_E_OK ? boost::make_shared(pServerCert) : SchannelCertificate::ref(); -} - -//------------------------------------------------------------------------ - std::vector SchannelContext::getPeerCertificateChain() const { std::vector certificateChain; ScopedCertContext pServerCert; diff --git a/Swiften/TLS/Schannel/SchannelContext.h b/Swiften/TLS/Schannel/SchannelContext.h index 2d65a8a..8603498 100644 --- a/Swiften/TLS/Schannel/SchannelContext.h +++ b/Swiften/TLS/Schannel/SchannelContext.h @@ -50,7 +50,6 @@ namespace Swift virtual void handleDataFromNetwork(const SafeByteArray& data); virtual void handleDataFromApplication(const SafeByteArray& data); - virtual Certificate::ref getPeerCertificate() const; virtual std::vector getPeerCertificateChain() const; virtual CertificateVerificationError::ref getPeerCertificateVerificationError() const; diff --git a/Swiften/TLS/TLSContext.cpp b/Swiften/TLS/TLSContext.cpp index 026ae70..d461d91 100644 --- a/Swiften/TLS/TLSContext.cpp +++ b/Swiften/TLS/TLSContext.cpp @@ -11,4 +11,9 @@ namespace Swift { TLSContext::~TLSContext() { } +Certificate::ref TLSContext::getPeerCertificate() const { + std::vector chain = getPeerCertificateChain(); + return chain.empty() ? Certificate::ref() : chain[0]; +} + } diff --git a/Swiften/TLS/TLSContext.h b/Swiften/TLS/TLSContext.h index 388f8ee..5fee021 100644 --- a/Swiften/TLS/TLSContext.h +++ b/Swiften/TLS/TLSContext.h @@ -28,7 +28,7 @@ namespace Swift { virtual void handleDataFromNetwork(const SafeByteArray&) = 0; virtual void handleDataFromApplication(const SafeByteArray&) = 0; - virtual Certificate::ref getPeerCertificate() const = 0; + Certificate::ref getPeerCertificate() const; virtual std::vector getPeerCertificateChain() const = 0; virtual CertificateVerificationError::ref getPeerCertificateVerificationError() const = 0; -- cgit v0.10.2-6-g49f6