20 std::unique_ptr<JavaCryptoCertificateVerifier>
25 return std::make_unique<JavaCryptoCertificateVerifier>(
30 const std::vector<std::shared_ptr<const fizz::PeerCert>>& certs)
const {
32 throw std::runtime_error(
"no certificates to verify");
35 auto leafCert = certs.front()->getX509();
37 auto certChainStack = std::unique_ptr<STACK_OF(X509), STACK_OF_X509_deleter>(
39 if (!certChainStack) {
40 throw std::bad_alloc();
43 for (
size_t i = 1;
i < certs.size();
i++) {
44 sk_X509_push(certChainStack.get(), certs[
i]->getX509().get());
49 throw std::bad_alloc();
52 if (X509_STORE_CTX_init(
54 x509Store_ ? x509Store_.get() : getDefaultX509Store(),
56 certChainStack.get()) != 1) {
57 throw std::runtime_error(
"failed to initialize store context");
60 if (X509_STORE_CTX_set_default(
63 :
"ssl_server") != 1) {
64 throw std::runtime_error(
"failed to set default verification method");
69 throw std::bad_alloc();
72 if (X509_VERIFY_PARAM_set_flags(param.get(), X509_V_FLAG_X509_STRICT) != 1) {
73 throw std::runtime_error(
"failed to set strict certificate checking");
76 if (X509_VERIFY_PARAM_set1(
77 X509_STORE_CTX_get0_param(ctx.get()), param.get()) != 1) {
78 throw std::runtime_error(
"failed to apply verification parameters");
81 if (X509_verify_cert(ctx.get()) != 1) {
82 const auto errorInt = X509_STORE_CTX_get_error(ctx.get());
84 std::string(X509_verify_cert_error_string(errorInt));
85 throw std::runtime_error(
"certificate verification failed: " + errorText);
91 X509_STORE* store = x509Store_ ? x509Store_.get() : getDefaultX509Store();
93 STACK_OF(X509_OBJECT)* entries = X509_STORE_get0_objects(store);
95 for (
int i = 0;
i < sk_X509_OBJECT_num(entries);
i++) {
96 X509_OBJECT* obj = sk_X509_OBJECT_value(entries,
i);
99 int dnLength = i2d_X509_NAME(certIssuer,
nullptr);
101 throw std::runtime_error(
"Error computing DN length");
106 dnLength = i2d_X509_NAME(certIssuer, &dnData);
108 throw std::runtime_error(
"Error encoding DN in DER format");
119 X509_STORE* store = X509_STORE_new();
122 throw std::bad_alloc();
125 if (X509_STORE_set_default_paths(store) != 1) {
126 throw std::runtime_error(
"failed to set default paths");
132 return defaultStore.get();
135 std::vector<Extension>
137 std::vector<Extension> exts;
void operator()(STACK_OF(X509)*sk)
void verify(const std::vector< std::shared_ptr< const fizz::PeerCert >> &certs) const override
X509 * X509_OBJECT_get0_X509(const X509_OBJECT *obj)
static std::unique_ptr< IOBuf > create(std::size_t capacity)
STACK_OF(X509_OBJECT)*X509_STORE_get0_objects(X509_STORE *store)
constexpr detail::Map< Move > move
static X509_STORE * getDefaultX509Store()
std::vector< Extension > getCertificateRequestExtensions() const override
static X509StoreUniquePtr readStoreFromFile(std::string caFile)
static std::unique_ptr< JavaCryptoCertificateVerifier > createFromCAFile(VerificationContext context, const std::string &caFile)
std::unique_ptr< X509_STORE, X509StoreDeleter > X509StoreUniquePtr
int X509_OBJECT_get_type(const X509_OBJECT *obj)
std::unique_ptr< X509_STORE_CTX, X509StoreCtxDeleter > X509StoreCtxUniquePtr
std::vector< DistinguishedName > authorities
Extension encodeExtension(const TokenBindingParameters &params)
std::unique_ptr< X509_VERIFY_PARAM, X509VerifyParamDeleter > X509VerifyParam