| author | Clifford Jansen <cliffjansen@apache.org> | 2014-02-05 03:06:58 +0000 |
|---|---|---|
| committer | Clifford Jansen <cliffjansen@apache.org> | 2014-02-05 03:06:58 +0000 |
| commit | cf0c292adebfaad1656ace99cbb88b17c19cc592 (patch) | |
| tree | cae26f837cf5e97009384a0270a4a3771f43c90a /cpp/src/qpid/sys | |
| parent | df5e9bdd8d148f31b20fc3e4da92f4c5187ed11f (diff) | |
| download | qpid-python-cf0c292adebfaad1656ace99cbb88b17c19cc592.tar.gz | |
QPID-5539: Separate credential processing for re-use in AMQP1.0 SSL transport.
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1564611 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'cpp/src/qpid/sys')
| -rw-r--r-- | cpp/src/qpid/sys/windows/SslCredential.cpp | 273 | ||||
| -rw-r--r-- | cpp/src/qpid/sys/windows/SslCredential.h | 81 |
2 files changed, 354 insertions, 0 deletions
diff --git a/cpp/src/qpid/sys/windows/SslCredential.cpp b/cpp/src/qpid/sys/windows/SslCredential.cpp
new file mode 100644
index 0000000000..667f0f1ef0
--- /dev/null
+++ b/cpp/src/qpid/sys/windows/SslCredential.cpp
@@ -0,0 +1,273 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+
+#include <string>
+#include <windows.h>
+#include "qpid/Msg.h"
+#include "qpid/log/Logger.h"
+#include "qpid/sys/windows/check.h"
+#include "qpid/sys/windows/util.h"
+#include "qpid/sys/windows/SslCredential.h"
+
+
+namespace qpid {
+namespace sys {
+namespace windows {
+
+
+SslCredential::SslCredential() : certStore(0), cert(0)
+{
+ SecInvalidateHandle(&credHandle);
+ memset(&cred, 0, sizeof(cred));
+ cred.dwVersion = SCHANNEL_CRED_VERSION;
+ cred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS;
+}
+
+SslCredential::~SslCredential()
+{
+ if (SecIsValidHandle(&credHandle))
+ ::FreeCredentialsHandle(&credHandle);
+ if (cert)
+ ::CertFreeCertificateContext(cert);
+ if (certStore)
+ ::CertCloseStore(certStore, CERT_CLOSE_STORE_FORCE_FLAG);
+}
+
+bool SslCredential::load(const std::string& certName)
+{
+ cert = findCertificate(certName);
+ if (cert != NULL) {
+ // assign the certificate into the credentials
+ cred.paCred = &cert;
+ cred.cCreds = 1;
+ }
+
+ SECURITY_STATUS status = ::AcquireCredentialsHandle(NULL,
+ UNISP_NAME,
+ SECPKG_CRED_OUTBOUND,
+ NULL,
+ &cred,
+ NULL,
+ NULL,
+ &credHandle,
+ &credExpiry);
+ if (status != SEC_E_OK)
+ throw QPID_WINDOWS_ERROR(status);
+
+ return (cert != NULL);
+}
+
+CredHandle SslCredential::handle()
+{
+ return credHandle;
+}
+
+std::string SslCredential::error()
+{
+ // Certificate needed after all. Return main error and log additional context
+ if (!loadError.logMessage.empty())
+ QPID_LOG(warning, loadError.logMessage);
+ return loadError.error;
+}
+
+void SslCredential::loadPrivCertStore()
+{
+ // Get a handle to the system store or pkcs#12 file
+ qpid::sys::ssl::SslOptions& opts = qpid::sys::ssl::SslOptions::global;
+ if (opts.certFilename.empty()) {
+ // opening a system store, names are not case sensitive
+ std::string store = opts.certStore.empty() ? "my" : opts.certStore;
+ std::transform(store.begin(), store.end(), store.begin(), ::tolower);
+ // map confusing GUI name to actual registry store name
+ if (store == "personal")
+ store = "my";
+ certStore = ::CertOpenStore(CERT_STORE_PROV_SYSTEM_A, 0, NULL,
+ CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG |
+ CERT_SYSTEM_STORE_CURRENT_USER, store.c_str());
+ if (!certStore) {
+ HRESULT status = GetLastError();
+ loadError.set(Msg() << "Could not open system certificate store: " << store, status);
+ return;
+ }
+ QPID_LOG(debug, "SslConnector using certifcates from system store: " << store);
+ } else {
+ // opening the store from file and populating it with a private key
+ HANDLE certFileHandle = NULL;
+ certFileHandle = CreateFile(opts.certFilename.c_str(), GENERIC_READ, 0, NULL, OPEN_EXISTING,
+ FILE_ATTRIBUTE_NORMAL, NULL);
+ if (INVALID_HANDLE_VALUE == certFileHandle) {
+ HRESULT status = GetLastError();
+ loadError.set(Msg() << "Failed to open the file holding the private key: " << opts.certFilename, status);
+ return;
+ }
+ std::vector<BYTE> certEncoded;
+ DWORD certEncodedSize = 0L;
+ const DWORD fileSize = GetFileSize(certFileHandle, NULL);
+ if (INVALID_FILE_SIZE != fileSize) {
+ certEncoded.resize(fileSize);
+ bool result = false;
+ result = ReadFile(certFileHandle, &certEncoded[0],
+ fileSize,
+ &certEncodedSize,
+ NULL);
+ if (!result) {
+ // the read failed, return the error as an HRESULT
+ HRESULT status = GetLastError();
+ CloseHandle(certFileHandle);
+ loadError.set(Msg() << "Reading the private key from file failed " << opts.certFilename, status);
+ return;
+ }
+ }
+ else {
+ HRESULT status = GetLastError();
+ loadError.set(Msg() << "Unable to read the certificate file " << opts.certFilename, status);
+ return;
+ }
+ CloseHandle(certFileHandle);
+
+ CRYPT_DATA_BLOB blobData;
+ blobData.cbData = certEncodedSize;
+ blobData.pbData = &certEncoded[0];
+
+ // get passwd from file and convert to null terminated wchar_t (Windows UCS2)
+ std::string passwd = getPasswd(opts.certPasswordFile);
+ if (loadError.pending())
+ return;
+ int pwlen = passwd.length();
+ std::vector<wchar_t> pwUCS2(pwlen + 1, L'\0');
+ int nwc = MultiByteToWideChar(CP_UTF8, MB_ERR_INVALID_CHARS, passwd.data(), pwlen, &pwUCS2[0], pwlen);
+ if (!nwc) {
+ HRESULT status = GetLastError();
+ loadError.set("Error converting password from UTF8", status);
+ return;
+ }
+
+ certStore = PFXImportCertStore(&blobData, &pwUCS2[0], 0);
+ if (certStore == NULL) {
+ HRESULT status = GetLastError();
+ loadError.set("Failed to open the certificate store", status);
+ return;
+ }
+ QPID_LOG(debug, "SslConnector using certificate from pkcs#12 file: " << opts.certFilename);
+ }
+}
+
+
+PCCERT_CONTEXT SslCredential::findCertificate(const std::string& name)
+{
+ loadPrivCertStore();
+ if (loadError.pending())
+ return NULL;
+
+ // search for the certificate by Friendly Name
+ PCCERT_CONTEXT tmpctx = NULL;
+ while (tmpctx = CertEnumCertificatesInStore(certStore, tmpctx)) {
+ DWORD len = CertGetNameString(tmpctx, CERT_NAME_FRIENDLY_DISPLAY_TYPE,
+ 0, NULL, NULL, 0);
+ if (len == 1)
+ continue;
+ std::vector<char> ctxname(len);
+ CertGetNameString(tmpctx, CERT_NAME_FRIENDLY_DISPLAY_TYPE,
+ 0, NULL, &ctxname[0], len);
+ bool found = !name.compare(&ctxname[0]);
+ if (found)
+ break;
+ }
+
+ // verify whether some certificate has been found
+ if (tmpctx == NULL) {
+ loadError.set(Msg() << "Client SSL/TLS certificate not found in the certificate store for name " << name,
+ "client certificate not found");
+ }
+ return tmpctx;
+}
+
+
+std::string SslCredential::getPasswd(const std::string& filename)
+{
+ std::string passwd;
+ if (filename == "")
+ return passwd;
+
+ HANDLE pwfHandle = CreateFile(filename.c_str(), GENERIC_READ, 0, NULL, OPEN_EXISTING,
+ FILE_ATTRIBUTE_NORMAL, NULL);
+
+ if (INVALID_HANDLE_VALUE == pwfHandle) {
+ HRESULT status = GetLastError();
+ loadError.set(Msg() << "Failed to open the password file: " << filename, status);
+ return passwd;
+ }
+
+ const DWORD fileSize = GetFileSize(pwfHandle, NULL);
+ if (fileSize == INVALID_FILE_SIZE) {
+ CloseHandle(pwfHandle);
+ loadError.set("", "Cannot read password file");
+ return passwd;
+ }
+
+ std::vector<char> pwbuf;
+ pwbuf.resize(fileSize);
+ DWORD nbytes = 0;
+ if (!ReadFile(pwfHandle, &pwbuf[0], fileSize, &nbytes, NULL)) {
+ HRESULT status = GetLastError();
+ CloseHandle(pwfHandle);
+ loadError.set("Error reading password file", status);
+ return passwd;
+ }
+ CloseHandle(pwfHandle);
+
+ if (nbytes == 0)
+ return passwd;
+
+ while (nbytes) {
+ if ((pwbuf[nbytes-1] == 012) || (pwbuf[nbytes-1] == 015))
+ nbytes--;
+ else
+ break;
+ }
+
+ if (nbytes)
+ passwd.assign(&pwbuf[0], nbytes);
+
+ return passwd;
+}
+
+void SslCredential::SavedError::set(const std::string &lm, const std::string es) {
+ logMessage = lm;
+ error = es;
+}
+
+void SslCredential::SavedError::set(const std::string &lm, int status) {
+ logMessage = lm;
+ error = qpid::sys::strError(status);
+}
+
+void SslCredential::SavedError::clear() {
+ logMessage.clear();
+ error.clear();
+}
+
+bool SslCredential::SavedError::pending() {
+ return !logMessage.empty() || !error.empty();
+}
+
+}}}
diff --git a/cpp/src/qpid/sys/windows/SslCredential.h b/cpp/src/qpid/sys/windows/SslCredential.h
new file mode 100644
index 0000000000..ba16dcdab5
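Review bot: In loadPrivCertStore the UTF-8 to UTF-16 conversion of the PKCS#12 password treats a 0 return as failure, but MultiByteToWideChar fails when cbMultiByte is 0, so an empty password — which getPasswd returns whenever certPasswordFile is empty — always ends in "Error converting password from UTF8" before PFXImportCertStore is reached. Guard the conversion on the length: `int nwc = pwlen ? MultiByteToWideChar(CP_UTF8, MB_ERR_INVALID_CHARS, passwd.data(), pwlen, &pwUCS2[0], pwlen) : 0;` and `if (pwlen && !nwc) {`. The password also remains in `passwd`, `pwbuf` and `pwUCS2` after PFXImportCertStore returns; the two vectors can at least be wiped with `SecureZeroMemory(&pwUCS2[0], pwUCS2.size() * sizeof(wchar_t));` (and the same for `pwbuf` in getPasswd) before they go out of scope. Separately, `certEncoded.resize(fileSize)` followed by `&certEncoded[0]`, and `pwbuf.resize(fileSize)` followed by `&pwbuf[0]`, index an empty vector when the file is zero-length; reject `fileSize == 0` before taking the address.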
--- /dev/null
+++ b/cpp/src/qpid/sys/windows/SslCredential.h
@@ -0,0 +1,81 @@
+#ifndef _sys_SslCredential
+#define _sys_SslCredential
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+#include "qpid/CommonImportExport.h"
+
+#include <string.h>
+// security.h needs to see this to distinguish from kernel use.
+#define SECURITY_WIN32
+#include <security.h>
+#include <Schnlsp.h>
+#undef SECURITY_WIN32
+
+namespace qpid {
+namespace sys {
+namespace windows {
+
+/*
+ * Manage certificate data structures for SChannel.
+ *
+ * Note on client certificates: The Posix/NSS implementation performs a lazy
+ * client certificate search part way through the ssl handshake if the server
+ * requests one. Here, it is not known in advance if the server will
+ * request the certificate so the certificate is pre-loaded (even if never
+ * used). To match the Linux behavior, client certificate load problems are
+ * remembered and reported later if appropriate, but do not prevent the
+ * connection attempt.
+ */
+
+class SslCredential {
+public:
+ QPID_COMMON_EXTERN SslCredential();
+ QPID_COMMON_EXTERN ~SslCredential();
+ QPID_COMMON_EXTERN bool load(const std::string& certName);
+ QPID_COMMON_EXTERN CredHandle handle();
+ QPID_COMMON_EXTERN std::string error();
+
+private:
+ struct SavedError {
+ std::string logMessage;
+ std::string error;
+ void set(const std::string &lm, const std::string es);
+ void set(const std::string &lm, int status);
+ void clear();
+ bool pending();
+ };
+
+ HCERTSTORE certStore;
+ PCCERT_CONTEXT cert;
+ SCHANNEL_CRED cred;
+ CredHandle credHandle;
+ TimeStamp credExpiry;
+ SavedError loadError;
+
+ PCCERT_CONTEXT findCertificate(const std::string& name);
+ void loadPrivCertStore();
+ std::string getPasswd(const std::string& filename);
+};
+
+}}}
+
+#endif // _sys_SslCredential
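Review bot: SslCredential owns three handles (certStore, cert, credHandle) that its destructor releases, and load() points `cred.paCred` at the member `cert`, yet the class declares no copy constructor or assignment operator, so an accidental copy would free each handle twice and leave the copy's credential referencing the original's storage. Declare them private and undefined in the private section: `SslCredential(const SslCredential&);` and `SslCredential& operator=(const SslCredential&);`. The header also uses std::string throughout but includes only `<string.h>`; add `#include <string>` so it does not depend on a transitive include. A one-line comment on `loadError` such as `// problems from load() are kept here and surfaced by error(), not thrown` would make the deferred-error contract described in the class comment visible at the member.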
