fizz::server::CertManager Class Reference

#include <CertManager.h>

Inheritance diagram for fizz::server::CertManager:
fizz::server::test::MockCertManager

Public Types

using CertMatch = folly::Optional< std::pair< std::shared_ptr< SelfCert >, SignatureScheme >>
 

Public Member Functions

virtual ~CertManager ()=default
 
virtual CertMatch getCert (const folly::Optional< std::string > &sni, const std::vector< SignatureScheme > &supportedSigSchemes, const std::vector< SignatureScheme > &peerSigSchemes) const
 
virtual std::shared_ptr< SelfCert > getCert (const std::string &identity) const
 
void addCert (std::shared_ptr< SelfCert > cert, bool defaultCert=false)
 

Private Types

using SigSchemeMap = std::map< SignatureScheme, std::shared_ptr< SelfCert >>
 

Private Member Functions

CertMatch findCert (const std::string &key, const std::vector< SignatureScheme > &supportedSigSchemes, const std::vector< SignatureScheme > &peerSigSchemes, CertMatch &lastResort) const
 
void addCertIdentity (std::shared_ptr< SelfCert > cert, const std::string &ident)
 

Private Attributes

std::unordered_map< std::string, SigSchemeMap > certs_
 
std::unordered_map< std::string, std::shared_ptr< SelfCert > > identMap_
 
std::string default_
 

Detailed Description

Definition at line 19 of file CertManager.h.

Member Typedef Documentation

Definition at line 22 of file CertManager.h.

Definition at line 56 of file CertManager.h.

Constructor & Destructor Documentation

virtual fizz::server::CertManager::~CertManager ( )
virtualdefault

Member Function Documentation

void fizz::server::CertManager::addCert ( std::shared_ptr< SelfCert > cert,
bool  defaultCert = false 
)

Definition at line 129 of file CertManager.cpp.

References fizz::server::getKeyFromIdent().

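// Validity check for a lookup key produced by getKeyFromIdent(): a usable key
// is non-empty, is not the bare "." and carries no wildcard character (a
// leftover '*' means the identity was not a plain "*.label" wildcard that
// getKeyFromIdent() could normalize). Same predicate as addCertIdentity().
static bool isUsableCertKey(const std::string& key) {
  return !key.empty() && key != "." && key.find('*') == std::string::npos;
}

/**
 * Register `cert` under its primary identity and every distinct alternative
 * identity so that getCert(sni, ...) can select it, and index it by primary
 * identity for getCert(identity).
 *
 * The certificate is validated as a whole before any map is modified: if the
 * primary or any alternative identity does not normalize to a usable key, a
 * std::runtime_error is thrown and the manager is left exactly as it was.
 * (Previously the primary identity was already registered when a malformed
 * alternative name made the call throw.) addCertIdentity() repeats the same
 * check per identity, which is harmless.
 *
 * @param cert        certificate to register; must be non-null.
 * @param defaultCert when true, this cert's normalized primary identity
 *                    becomes default_, the fallback key used when no SNI
 *                    match exists. The last cert added with defaultCert=true
 *                    wins.
 *
 * Precedence: for a given (key, SignatureScheme) the first cert added wins
 * (see addCertIdentity()); identMap_ likewise keeps the first cert seen for
 * a primary identity.
 */
void CertManager::addCert(std::shared_ptr<SelfCert> cert, bool defaultCert) {
  const auto primaryIdent = cert->getIdentity();

  // Identities to register: the primary, then every alternative that differs
  // from it. Duplicates among the alternatives are tolerated downstream
  // (addCertIdentity() logs and skips an already-mapped scheme).
  std::vector<std::string> idents;
  idents.push_back(primaryIdent);
  for (const auto& ident : cert->getAltIdentities()) {
    if (ident != primaryIdent) {
      idents.push_back(ident);
    }
  }

  // All-or-nothing: reject the whole certificate before touching certs_,
  // identMap_ or default_.
  for (const auto& ident : idents) {
    if (!isUsableCertKey(getKeyFromIdent(ident))) {
      throw std::runtime_error("invalid identity: " + ident);
    }
  }

  for (const auto& ident : idents) {
    addCertIdentity(cert, ident);
  }

  if (defaultCert) {
    default_ = getKeyFromIdent(primaryIdent);
  }

  // identMap_ is keyed by the raw primary identity (no normalization, no
  // case folding) and keeps the first cert registered for it.
  if (identMap_.find(primaryIdent) == identMap_.end()) {
    identMap_[primaryIdent] = cert;
  }
}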
void addCertIdentity(std::shared_ptr< SelfCert > cert, const std::string &ident)
std::unordered_map< std::string, std::shared_ptr< SelfCert > > identMap_
Definition: CertManager.h:58
static std::string getKeyFromIdent(const std::string &ident)
Definition: CertManager.cpp:93
void fizz::server::CertManager::addCertIdentity ( std::shared_ptr< SelfCert > cert,
const std::string ident 
)
private

Definition at line 109 of file CertManager.cpp.

References fizz::server::getKeyFromIdent(), and folly::INFO.

/**
 * Register `cert` under the lookup key derived from one identity, once per
 * signature scheme the certificate can sign with.
 *
 * @throws std::runtime_error if the identity does not normalize to a usable
 *         key: empty, the bare "." or still containing '*'. Rejecting '*'
 *         here guarantees that no wildcard survives into certs_, so a
 *         wildcard certificate can only be selected through the leftmost-
 *         label strip performed by getCert(sni, ...), never by a literal
 *         '*' in a client-supplied SNI.
 *
 * Existing entries are never overwritten: a (key, scheme) pair that is
 * already mapped keeps the certificate added first and the newcomer is only
 * logged.
 */
void CertManager::addCertIdentity(
    std::shared_ptr<SelfCert> cert,
    const std::string& ident) {
  const auto key = getKeyFromIdent(ident);

  const bool usable =
      !key.empty() && key != "." && key.find('*') == std::string::npos;
  if (!usable) {
    throw std::runtime_error(to<std::string>("invalid identity: ", ident));
  }

  const auto sigSchemes = cert->getSigSchemes();
  // operator[] creates the per-key map on first use; the key is registered
  // even when the certificate lists no signature schemes.
  auto& schemeMap = certs_[key];
  for (const auto scheme : sigSchemes) {
    // emplace() leaves an existing mapping untouched, which is exactly the
    // "first certificate wins" rule.
    const bool inserted = schemeMap.emplace(scheme, cert).second;
    if (!inserted) {
      LOG(INFO) << "Skipping duplicate certificate for " << key;
    }
  }
}
std::unordered_map< std::string, SigSchemeMap > certs_
Definition: CertManager.h:57
static std::string getKeyFromIdent(const std::string &ident)
Definition: CertManager.cpp:93
CertManager::CertMatch fizz::server::CertManager::findCert ( const std::string &  key,
const std::vector< SignatureScheme > &  supportedSigSchemes,
const std::vector< SignatureScheme > &  peerSigSchemes,
CertMatch &  lastResort 
) const
private

Definition at line 21 of file CertManager.cpp.

References folly::none.

/**
 * Look up, under `key`, the certificate the server prefers and the peer can
 * verify.
 *
 * `supportedSigSchemes` is walked in order (server preference); the first
 * scheme that both has a certificate under `key` and appears in
 * `peerSigSchemes` wins. `lastResort` receives the first certificate found
 * under `key` whose scheme the peer did NOT advertise — but only while it is
 * still unset, so across getCert()'s exact → wildcard → default call sequence
 * the earliest (most specific) candidate is the one retained as fallback.
 *
 * @return the (cert, scheme) pair, or none when nothing under `key` matches a
 *         peer-advertised scheme (including when `key` is unknown).
 */
CertManager::CertMatch CertManager::findCert(
    const std::string& key,
    const std::vector<SignatureScheme>& supportedSigSchemes,
    const std::vector<SignatureScheme>& peerSigSchemes,
    CertMatch& lastResort) const {
  const auto entry = certs_.find(key);
  if (entry == certs_.end()) {
    return none;
  }
  const auto& schemeMap = entry->second;

  const auto peerOffers = [&peerSigSchemes](SignatureScheme scheme) {
    return std::find(peerSigSchemes.begin(), peerSigSchemes.end(), scheme) !=
        peerSigSchemes.end();
  };

  for (const auto scheme : supportedSigSchemes) {
    const auto candidate = schemeMap.find(scheme);
    if (candidate == schemeMap.end()) {
      continue;
    }
    if (peerOffers(scheme)) {
      return std::make_pair(candidate->second, scheme);
    }
    if (!lastResort) {
      lastResort = std::make_pair(candidate->second, scheme);
    }
  }
  return none;
}
std::unordered_map< std::string, SigSchemeMap > certs_
Definition: CertManager.h:57
constexpr None none
Definition: Optional.h:87
CertManager::CertMatch fizz::server::CertManager::getCert ( const folly::Optional< std::string > &  sni,
const std::vector< SignatureScheme > &  supportedSigSchemes,
const std::vector< SignatureScheme > &  peerSigSchemes 
) const
virtual

Select a cert given a client supplied SNI value, server supportedSigSchemes, and client peerSigSchemes.

If no certificate matches a scheme in peerSigSchemes, peerSigSchemes is ignored and the first certificate found for one of the server's supportedSigSchemes is returned instead; the SignatureScheme in the result may therefore be one the peer did not advertise, and callers that require a peer-acceptable scheme must check for that.

Definition at line 45 of file CertManager.cpp.

References findCert(), and folly::toLowerAscii().

/**
 * Select a certificate for a TLS handshake.
 *
 * Lookup order, first hit wins:
 *   1. exact match on the SNI (ASCII-lowercased);
 *   2. wildcard match: the SNI with its leftmost label removed, i.e. from the
 *      first '.' onwards ("a.b.example.com" tries ".b.example.com" and never
 *      ".example.com" — a single label only);
 *   3. the default_ key (empty when no default was registered, which simply
 *      misses);
 *   4. `lastResort`: the first certificate seen in steps 1-3 whose scheme the
 *      peer did not advertise, or none when nothing at all was found.
 *
 * Because of step 4 the returned SignatureScheme is not guaranteed to be in
 * `peerSigSchemes`.
 *
 * `sni` is untrusted client input: it is only used as a map key and echoed
 * into the log at verbose level 8. Keys in certs_ come from
 * getKeyFromIdent(), which is presumably lowercase already — otherwise the
 * case folding here would make mixed-case identities unreachable; TODO
 * confirm.
 *
 * @param sni                 client-supplied server_name, if any
 * @param supportedSigSchemes schemes this server can sign with, preference order
 * @param peerSigSchemes      schemes the client advertised
 * @return the selected (cert, scheme), or none
 */
CertManager::CertMatch CertManager::getCert(
    const folly::Optional<std::string>& sni,
    const std::vector<SignatureScheme>& supportedSigSchemes,
    const std::vector<SignatureScheme>& peerSigSchemes) const {
  CertMatch lastResort;

  // All three lookups share the same scheme lists and the same fallback slot.
  const auto lookup = [&](const std::string& key) {
    return findCert(key, supportedSigSchemes, peerSigSchemes, lastResort);
  };

  if (sni) {
    std::string key = *sni;
    toLowerAscii(key);

    if (auto exact = lookup(key)) {
      VLOG(8) << "Found exact SNI match for: " << key;
      return exact;
    }

    const auto firstDot = key.find_first_of('.');
    if (firstDot != std::string::npos) {
      // Everything from the first dot on, e.g. ".example.com".
      if (auto wildcard = lookup(key.substr(firstDot))) {
        VLOG(8) << "Found wildcard SNI match for: " << key;
        return wildcard;
      }
    }

    VLOG(8) << "Did not find match for SNI: " << key;
  }

  if (auto fallback = lookup(default_)) {
    return fallback;
  }

  VLOG(8) << "No matching cert for client sig schemes found";
  return lastResort;
}
void toLowerAscii(char *str, size_t length)
Definition: String.cpp:601
folly::Optional< std::pair< std::shared_ptr< SelfCert >, SignatureScheme >> CertMatch
Definition: CertManager.h:22
CertMatch findCert(const std::string &key, const std::vector< SignatureScheme > &supportedSigSchemes, const std::vector< SignatureScheme > &peerSigSchemes, CertMatch &lastResort) const
Definition: CertManager.cpp:21
std::shared_ptr< SelfCert > fizz::server::CertManager::getCert ( const std::string &  identity) const
virtual

Return the certificate whose primary identity exactly matches identity (case-sensitive, no normalization; alternative names are not indexed). Returns nullptr if no such certificate was added.

Definition at line 84 of file CertManager.cpp.

/**
 * Exact lookup by primary identity, for callers that already know which
 * certificate they want rather than negotiating one.
 *
 * The key is the identity string exactly as the certificate reported it when
 * added (see addCert()): no normalization and no case folding is applied,
 * unlike the SNI-based overload, and only primary identities are indexed.
 *
 * @return the certificate, or nullptr when `identity` is unknown.
 */
std::shared_ptr<SelfCert> CertManager::getCert(
    const std::string& identity) const {
  const auto found = identMap_.find(identity);
  return found == identMap_.end() ? std::shared_ptr<SelfCert>{} : found->second;
}
std::unordered_map< std::string, std::shared_ptr< SelfCert > > identMap_
Definition: CertManager.h:58

Member Data Documentation

std::unordered_map<std::string, SigSchemeMap> fizz::server::CertManager::certs_
private

Definition at line 57 of file CertManager.h.

std::string fizz::server::CertManager::default_
private

Definition at line 59 of file CertManager.h.

std::unordered_map<std::string, std::shared_ptr<SelfCert> > fizz::server::CertManager::identMap_
private

Definition at line 58 of file CertManager.h.


The documentation for this class was generated from the following files: