author | Mark Benvenuto <mark.benvenuto@mongodb.com> | 2018-03-15 13:24:39 -0400 |
---|---|---|
committer | Mark Benvenuto <mark.benvenuto@mongodb.com> | 2018-03-15 13:24:39 -0400 |
commit | af4a205d76af2f9ae366e723db47e671cb951ab2 (patch) | |
tree | f3de6747d02b8c8083d2cc21f3ce469d30cd0a09 /src/mongo/util/net/ssl_manager_openssl.cpp | |
parent | a65f5add63e89bf4303c4ea6abac1cefac81d98b (diff) | |
SERVER-33549 Refactor OpenSSL to use common ASN.1 code and add test
Diffstat (limited to 'src/mongo/util/net/ssl_manager_openssl.cpp')
-rw-r--r-- | src/mongo/util/net/ssl_manager_openssl.cpp | 97 |
1 files changed, 3 insertions, 94 deletions
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 190e39ea6b8..98db6a830fc 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -1361,100 +1361,9 @@ StatusWith<stdx::unordered_set<RoleName>> SSLManagerOpenSSL::_parsePeerRoles(X50
 // We've found an extension which has our roles OID
 ASN1_OCTET_STRING* data = X509_EXTENSION_get_data(ex);
- /*
- * MongoDBAuthorizationGrant ::= CHOICE {
- * MongoDBRole,
- * ...!UTF8String:"Unrecognized entity in MongoDBAuthorizationGrant"
- * }
- * MongoDBAuthorizationGrants ::= SET OF MongoDBAuthorizationGrant
- */
- // Extract the set of roles from our extension, and load them into an OpenSSL stack.
- STACK_OF(ASN1_TYPE)* mongoDBAuthorizationGrants = nullptr;
-
- // OpenSSL's parsing function will try and manipulate the pointer it's passed. If we
- // passed it 'data->data' directly, it would modify structures owned by peerCert.
- const unsigned char* dataBytes = data->data;
- mongoDBAuthorizationGrants =
- d2i_ASN1_SET_ANY(&mongoDBAuthorizationGrants, &dataBytes, data->length);
- if (!mongoDBAuthorizationGrants) {
- return Status(ErrorCodes::FailedToParse,
- "Failed to parse x509 authorization grants");
- }
- const auto grantGuard = MakeGuard([&mongoDBAuthorizationGrants]() {
- sk_ASN1_TYPE_pop_free(mongoDBAuthorizationGrants, ASN1_TYPE_free);
- });
-
- /*
- * MongoDBRole ::= SEQUENCE {
- * role UTF8String,
- * database UTF8String
- * }
- */
- // Loop through every role in the stack.
- ASN1_TYPE* MongoDBRoleWrapped = nullptr;
- while ((MongoDBRoleWrapped = sk_ASN1_TYPE_pop(mongoDBAuthorizationGrants))) {
- const auto roleWrappedGuard =
- MakeGuard([MongoDBRoleWrapped]() { ASN1_TYPE_free(MongoDBRoleWrapped); });
-
- if (MongoDBRoleWrapped->type == V_ASN1_SEQUENCE) {
- // Unwrap the ASN1Type into a STACK_OF(ASN1_TYPE)
- unsigned char* roleBytes = ASN1_STRING_data(MongoDBRoleWrapped->value.sequence);
- int roleBytesLength = ASN1_STRING_length(MongoDBRoleWrapped->value.sequence);
- ASN1_SEQUENCE_ANY* MongoDBRole = nullptr;
- MongoDBRole = d2i_ASN1_SEQUENCE_ANY(
- &MongoDBRole, (const unsigned char**)&roleBytes, roleBytesLength);
- if (!MongoDBRole) {
- return Status(ErrorCodes::FailedToParse,
- "Failed to parse role in x509 authorization grant");
- }
- const auto roleGuard = MakeGuard(
- [&MongoDBRole]() { sk_ASN1_TYPE_pop_free(MongoDBRole, ASN1_TYPE_free); });
-
- if (sk_ASN1_TYPE_num(MongoDBRole) != 2) {
- return Status(ErrorCodes::FailedToParse,
- "Role entity in MongoDBAuthorizationGrant must have exactly "
- "2 sequence elements");
- }
- // Extract the subcomponents of the sequence, which are popped off the stack in
- // reverse order. Here, parse the role's database.
- ASN1_TYPE* roleComponent = sk_ASN1_TYPE_pop(MongoDBRole);
- const auto roleDBGuard =
- MakeGuard([roleComponent]() { ASN1_TYPE_free(roleComponent); });
- if (roleComponent->type != V_ASN1_UTF8STRING) {
- return Status(ErrorCodes::FailedToParse,
- "database in MongoDBRole must be a UTF8 string");
- }
- std::string roleDB(
- reinterpret_cast<char*>(ASN1_STRING_data(roleComponent->value.utf8string)));
-
- // Parse the role's name.
- roleComponent = sk_ASN1_TYPE_pop(MongoDBRole);
- const auto roleNameGuard =
- MakeGuard([roleComponent]() { ASN1_TYPE_free(roleComponent); });
- if (roleComponent->type != V_ASN1_UTF8STRING) {
- return Status(ErrorCodes::FailedToParse,
- "role in MongoDBRole must be a UTF8 string");
- }
- std::string roleName(
- reinterpret_cast<char*>(ASN1_STRING_data(roleComponent->value.utf8string)));
-
- // Construct a RoleName from the subcomponents
- roles.emplace(RoleName(roleName, roleDB));
-
- } else {
- return Status(ErrorCodes::FailedToParse,
- "Unrecognized entity in MongoDBAuthorizationGrant");
- }
- }
- LOG(1) << "MONGODB-X509 authorization parsed the following roles from peer "
- "certificate: "
- << [&roles]() {
- StringBuilder sb;
- std::for_each(roles.begin(), roles.end(), [&sb](const RoleName& role) {
- sb << role.toString();
- });
- return sb.str();
- }();
+ return parsePeerRoles(
+ ConstDataRange(reinterpret_cast<char*>(data->data),
+ reinterpret_cast<char*>(data->data) + data->length));
 }
 } |
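Review bot: The `LOG(1)` line that listed the roles parsed from the peer certificate is removed with no replacement in this hunk, so unless the common `parsePeerRoles` logs its result, operators lose the only debug trace of which roles MONGODB-X509 authorization actually derived from a client certificate; if it does not, a one-line `LOG(1)` of the returned set before `return` would keep that visibility. The added call forms an end pointer from `data->length`, which in OpenSSL's `ASN1_STRING` is an `int`; a guard such as `if (data->length < 0) return Status(ErrorCodes::FailedToParse, "Invalid length in x509 authorization grants extension");` ahead of the return makes the range construction defensive against a malformed extension rather than relying on the decoder having validated it. Since `ConstDataRange` only views the bytes, `reinterpret_cast<const char*>` states the intent more precisely than `reinterpret_cast<char*>` on both casts. `_parsePeerRoles` starts and ends outside the hunk, so whether the enclosing extension loop still handles the no-extension case correctly after this early return cannot be checked here.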