proxygen: fizz::DefaultCertificateVerifier Class Reference

#include <DefaultCertificateVerifier.h>

Inheritance diagram for fizz::DefaultCertificateVerifier:

Public Types
using	X509VerifyCallback = int()(int, X509_STORE_CTX )

Public Member Functions
	DefaultCertificateVerifier (VerificationContext context)

	DefaultCertificateVerifier (VerificationContext context, folly::ssl::X509StoreUniquePtr &&store)

void	verify (const std::vector< std::shared_ptr< const fizz::PeerCert >> &certs) const override

void	setCustomVerifyCallback (X509VerifyCallback cb)

void	setX509Store (folly::ssl::X509StoreUniquePtr &&store)

std::vector< Extension >	getCertificateRequestExtensions () const override

Public Member Functions inherited from fizz::CertificateVerifier
virtual	~CertificateVerifier ()=default

Static Public Member Functions
static X509_STORE *	getDefaultX509Store ()

static std::unique_ptr< DefaultCertificateVerifier >	createFromCAFile (VerificationContext context, const std::string &caFile)

Private Member Functions
void	createAuthorities ()

Private Attributes
CertificateAuthorities	authorities_

VerificationContext	context_

folly::ssl::X509StoreUniquePtr	x509Store_

X509VerifyCallback	customVerifyCallback_ {nullptr}

Detailed Description

Certificate verifier that verifies a certificate against a trusted certificate store

This does not perform any identity or hostname verification.

Definition at line 27 of file DefaultCertificateVerifier.h.

Member Typedef Documentation

using fizz::DefaultCertificateVerifier::X509VerifyCallback = int (*)(int, X509_STORE_CTX*)

Definition at line 29 of file DefaultCertificateVerifier.h.

Constructor & Destructor Documentation

fizz::DefaultCertificateVerifier::DefaultCertificateVerifier ( VerificationContext context )

inlineexplicit

Definition at line 31 of file DefaultCertificateVerifier.h.

       : context_(context), x509Store_(nullptr) {
     createAuthorities();
   }

fizz::DefaultCertificateVerifier::DefaultCertificateVerifier	(	VerificationContext	context,
		folly::ssl::X509StoreUniquePtr &&	store
	)

inlineexplicit

Definition at line 36 of file DefaultCertificateVerifier.h.

References verify().

       : context_(context), x509Store_(std::move(store)) {
     createAuthorities();
   }

Member Function Documentation

void fizz::DefaultCertificateVerifier::createAuthorities ( )

private

Definition at line 93 of file DefaultCertificateVerifier.cpp.

References fizz::CertificateAuthorities::authorities, folly::IOBuf::create(), fizz::DistinguishedName::encoded_name, i, folly::gen::move, folly::portability::ssl::STACK_OF(), folly::portability::ssl::X509_OBJECT_get0_X509(), and folly::portability::ssl::X509_OBJECT_get_type().

                                                    {
   CertificateAuthorities auth;
   X509_STORE* store = x509Store_ ? x509Store_.get() : getDefaultX509Store();
   // X509_STORE stores CA certs as objects in this stack.
   STACK_OF(X509_OBJECT)* entries = X509_STORE_get0_objects(store);
 
   for (int i = 0; i < sk_X509_OBJECT_num(entries); i++) {
     X509_OBJECT* obj = sk_X509_OBJECT_value(entries, i);
     if (X509_OBJECT_get_type(obj) == X509_LU_X509) {
       auto certIssuer = X509_get_subject_name(X509_OBJECT_get0_X509(obj));
       int dnLength = i2d_X509_NAME(certIssuer, nullptr);
       if (dnLength < 0) {
         throw std::runtime_error("Error computing DN length");
       }
       DistinguishedName dn;
       dn.encoded_name = folly::IOBuf::create(dnLength);
       auto dnData = dn.encoded_name->writableData();
       dnLength = i2d_X509_NAME(certIssuer, &dnData);
       if (dnLength < 0) {
         throw std::runtime_error("Error encoding DN in DER format");
       }
       dn.encoded_name->append(dnLength);
       auth.authorities.push_back(std::move(dn));
     }
   }
   authorities_ = std::move(auth);
 }

std::unique_ptr< DefaultCertificateVerifier > fizz::DefaultCertificateVerifier::createFromCAFile	(	VerificationContext	context,
		const std::string &	caFile
	)

static

Definition at line 21 of file DefaultCertificateVerifier.cpp.

References context, folly::gen::move, and folly::ssl::OpenSSLCertUtils::readStoreFromFile().

                              {
   auto store = folly::ssl::OpenSSLCertUtils::readStoreFromFile(caFile);
   return std::make_unique<DefaultCertificateVerifier>(
       context, std::move(store));
 }

std::vector< Extension > fizz::DefaultCertificateVerifier::getCertificateRequestExtensions ( ) const

overridevirtual

Returns a vector of extensions to send in a certificate request.

Implements fizz::CertificateVerifier.

Definition at line 140 of file DefaultCertificateVerifier.cpp.

References fizz::encodeExtension().

                                                                   {
   std::vector<Extension> exts;
   exts.push_back(encodeExtension(authorities_));
   return exts;
 }

X509_STORE * fizz::DefaultCertificateVerifier::getDefaultX509Store ( )

static

Definition at line 121 of file DefaultCertificateVerifier.cpp.

                                                             {
   static folly::ssl::X509StoreUniquePtr defaultStore([]() {
     X509_STORE* store = X509_STORE_new();
 
     if (!store) {
       throw std::bad_alloc();
     }
 
     if (X509_STORE_set_default_paths(store) != 1) {
       throw std::runtime_error("failed to set default paths");
     }
 
     return store;
   }());
 
   return defaultStore.get();
 }

void fizz::DefaultCertificateVerifier::setCustomVerifyCallback ( X509VerifyCallback cb )

inline

Definition at line 46 of file DefaultCertificateVerifier.h.

                                                       {
     customVerifyCallback_ = cb;
   }

void fizz::DefaultCertificateVerifier::setX509Store ( folly::ssl::X509StoreUniquePtr && store )

inline

Definition at line 50 of file DefaultCertificateVerifier.h.

References context, folly::gen::move, and string.

                                                         {
     x509Store_ = std::move(store);
     createAuthorities();
   }

void fizz::DefaultCertificateVerifier::verify ( const std::vector< std::shared_ptr< const fizz::PeerCert >> & certs ) const

overridevirtual

Verifies the certificates in certs. The peer has been already proven possession of the first certificate in certs. Throws on error or if verification fails.

Implements fizz::CertificateVerifier.

Definition at line 29 of file DefaultCertificateVerifier.cpp.

References i, fizz::Server, and string.

                                                                      {
   if (certs.empty()) {
     throw std::runtime_error("no certificates to verify");
   }
 
   auto leafCert = certs.front()->getX509();
 
   auto certChainStack = std::unique_ptr<STACK_OF(X509), STACK_OF_X509_deleter>(
       sk_X509_new_null());
   if (!certChainStack) {
     throw std::bad_alloc();
   }
 
   for (size_t i = 1; i < certs.size(); i++) {
     sk_X509_push(certChainStack.get(), certs[i]->getX509().get());
   }
 
   auto ctx = folly::ssl::X509StoreCtxUniquePtr(X509_STORE_CTX_new());
   if (!ctx) {
     throw std::bad_alloc();
   }
 
   if (X509_STORE_CTX_init(
           ctx.get(),
           x509Store_ ? x509Store_.get() : getDefaultX509Store(),
           leafCert.get(),
           certChainStack.get()) != 1) {
     throw std::runtime_error("failed to initialize store context");
   }
 
   if (X509_STORE_CTX_set_default(
           ctx.get(),
           context_ == VerificationContext::Server ? "ssl_client"
                                                   : "ssl_server") != 1) {
     throw std::runtime_error("failed to set default verification method");
   }
 
   if (customVerifyCallback_) {
     X509_STORE_CTX_set_verify_cb(ctx.get(), customVerifyCallback_);
   }
 
   folly::ssl::X509VerifyParam param(X509_VERIFY_PARAM_new());
   if (!param) {
     throw std::bad_alloc();
   }
 
   if (X509_VERIFY_PARAM_set_flags(param.get(), X509_V_FLAG_X509_STRICT) != 1) {
     throw std::runtime_error("failed to set strict certificate checking");
   }
 
   if (X509_VERIFY_PARAM_set1(
           X509_STORE_CTX_get0_param(ctx.get()), param.get()) != 1) {
     throw std::runtime_error("failed to apply verification parameters");
   }
 
   if (X509_verify_cert(ctx.get()) != 1) {
     const auto errorInt = X509_STORE_CTX_get_error(ctx.get());
     std::string errorText =
         std::string(X509_verify_cert_error_string(errorInt));
     throw std::runtime_error("certificate verification failed: " + errorText);
   }
 }