Verify the remote TLS certificates using the system-wide trusted CAs

f928f762 · louiz’ · 7e07a174 · f928f762 · f928f762 · f928f762
Commit f928f762 authored Nov 02, 2015 by louiz’
4 changed files
--- a/louloulibs/network/credentials_manager.cpp
+++ b/louloulibs/network/credentials_manager.cpp
+#include <network/credentials_manager.hpp>
+#include <logger/logger.hpp>
+
+Basic_Credentials_Manager::Basic_Credentials_Manager():
+    Botan::Credentials_Manager()
+{
+  this->load_certs();
+}
+void Basic_Credentials_Manager::verify_certificate_chain(const std::string& type,
+                                                         const std::string& purported_hostname,
+                                                         const std::vector<Botan::X509_Certificate>& certs)
+{
+  log_debug("Checking remote certificate (" << type << ") for hostname " << purported_hostname);
+  Botan::Credentials_Manager::verify_certificate_chain(type, "louiz.org", certs);
+  log_debug("Certificate is valid");
+}
+void Basic_Credentials_Manager::load_certs()
+{
+  const std::vector<std::string> paths = {"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"};
+  for (const auto& path: paths)
+    {
+      Botan::DataSource_Stream bundle(path);
+      while (!bundle.end_of_data() && bundle.check_available(27))
+        {
+          const Botan::X509_Certificate cert(bundle);
+          this->certificate_store.add_certificate(cert);
+        }
+    }
+}
+std::vector<Botan::Certificate_Store*> Basic_Credentials_Manager::trusted_certificate_authorities(const std::string&, const std::string&)
+{
+  return {&this->certificate_store};
+}
--- a/louloulibs/network/credentials_manager.hpp
+++ b/louloulibs/network/credentials_manager.hpp
+#ifndef BIBOUMI_CREDENTIALS_MANAGER_HPP
+#define BIBOUMI_CREDENTIALS_MANAGER_HPP
+
+#include <botan/botan.h>
+#include <botan/tls_client.h>
+
+class Basic_Credentials_Manager: public Botan::Credentials_Manager
+{
+public:
+  Basic_Credentials_Manager();
+  void verify_certificate_chain(const std::string& type,
+                                const std::string& purported_hostname,
+                                const std::vector<Botan::X509_Certificate>&) override final;
+  std::vector<Botan::Certificate_Store*> trusted_certificate_authorities(const std::string& type,
+                                                                         const std::string& context) override final;
+
+private:
+  void load_certs();
+  Botan::Certificate_Store_In_Memory certificate_store;
+};
+
+#endif //BIBOUMI_CREDENTIALS_MANAGER_HPP
--- a/louloulibs/network/tcp_socket_handler.cpp
+++ b/louloulibs/network/tcp_socket_handler.cpp
@@ -19,7 +19,7 @@
 # include <botan/tls_exceptn.h>

 Botan::AutoSeeded_RNG TCPSocketHandler::rng;
-Permissive_Credentials_Manager TCPSocketHandler::credential_manager;
+Basic_Credentials_Manager TCPSocketHandler::credential_manager;
 Botan::TLS::Policy TCPSocketHandler::policy;
 Botan::TLS::Session_Manager_In_Memory TCPSocketHandler::session_manager(TCPSocketHandler::rng);

@@ -451,15 +451,7 @@ bool TCPSocketHandler::tls_handshake_cb(const Botan::TLS::Session& session)

 void TCPSocketHandler::on_tls_activated()
 {
-  this->send_data("");
-}
-
-void Permissive_Credentials_Manager::verify_certificate_chain(const std::string& type,
-                                                              const std::string& purported_hostname,
-                                                              const std::vector<Botan::X509_Certificate>&)
-{ // TODO: Offer the admin to disallow connection on untrusted
-  // certificates
-  log_debug("Checking remote certificate (" << type << ") for hostname " << purported_hostname);
+  this->send_data({});
 }

 #endif // BOTAN_FOUND
--- a/louloulibs/network/tcp_socket_handler.hpp
+++ b/louloulibs/network/tcp_socket_handler.hpp
 #ifndef SOCKET_HANDLER_INCLUDED
 # define SOCKET_HANDLER_INCLUDED

+#include "louloulibs.h"
+
 #include <network/socket_handler.hpp>
 #include <network/resolver.hpp>

+#include <network/credentials_manager.hpp>
+
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
@@ -13,23 +17,6 @@
 #include <string>
 #include <list>

-#include "louloulibs.h"
-
-#ifdef BOTAN_FOUND
-# include <botan/botan.h>
-# include <botan/tls_client.h>
-
-/**
- * A very simple credential manager that accepts any certificate.
- */
-class Permissive_Credentials_Manager: public Botan::Credentials_Manager
-{
-public:
-  void verify_certificate_chain(const std::string& type,
-                                const std::string& purported_hostname,
-                                const std::vector<Botan::X509_Certificate>&);
-};
-#endif // BOTAN_FOUND

 /**
 * An interface, with a series of callbacks that should be implemented in
@@ -243,7 +230,7 @@ private:
   * Botan stuff to manipulate a TLS session.
   */
  static Botan::AutoSeeded_RNG rng;
-  static Permissive_Credentials_Manager credential_manager;
+  static Basic_Credentials_Manager credential_manager;
  static Botan::TLS::Policy policy;
  static Botan::TLS::Session_Manager_In_Memory session_manager;
  /**
@@ -267,3 +254,4 @@ private:
 };

 #endif // SOCKET_HANDLER_INCLUDED
+