Implementing server certificate verification for secure websockets on Windows desktop.

Author: stgates

Release/include/cpprest/astreambuf.h

@@ -62,7 +62,7 @@ namespace concurrency = Concurrency;
 
 namespace Concurrency 
 { 
-/// Library for asychronous streams.
+/// Library for asynchronous streams.
 namespace streams
 {
     /// <summary>

Release/include/cpprest/x509_cert_utilities.h

@@ -30,7 +30,7 @@
 #include <vector>
 #include <string>
 
-#if defined(__APPLE__) || defined(ANDROID)
+#if defined(__APPLE__) || defined(ANDROID) || (defined(_MS_WINDOWS)  && !defined(__cplusplus_winrt))
 
 #include <boost/asio/ssl.hpp>
 

Release/src/build/sources.proj

@@ -129,6 +129,9 @@
     <ClInclude Include="$(CasablancaIncludeDir)\cpprest\xxpublic.h">
       <Filter>Header Files\cpprest</Filter>
     </ClInclude>
+    <ClInclude Include="$(CasablancaIncludeDir)\cpprest\x509_cert_utilities.h">
+      <Filter>Header Files\cpprest</Filter>
+    </ClInclude>
     <ClInclude Include="$(CasablancaIncludeDir)\pplx\pplxcancellation_token.h">
       <Filter>Header Files\pplx</Filter>
     </ClInclude>
@@ -152,6 +155,9 @@
     <ClCompile Include="$(CasablancaSrcDir)\http\client\http_msg_client.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="$(CasablancaSrcDir)\http\client\x509_cert_utilities.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
     <ClCompile Include="$(CasablancaSrcDir)\http\common\http_helpers.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>

Release/src/build/vs12/casablanca120.vcxproj

@@ -44,7 +44,7 @@
   </ItemGroup>
   <ItemDefinitionGroup>
     <ClCompile>
-      <PreprocessorDefinitions>_ASYNCRT_EXPORT;_PPLX_EXPORT;WIN32;_MBCS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>_WINSOCK_DEPRECATED_NO_WARNINGS;_ASYNCRT_EXPORT;_PPLX_EXPORT;WIN32;_MBCS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions> <!-- TODO stgates -->
       <AdditionalIncludeDirectories>$(CasablancaIncludeDir);$(CasablancaSrcDir)\pch;$(WebsocketppIncludeDir);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <PrecompiledHeader>Use</PrecompiledHeader>
       <PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>

Release/src/http/client/x509_cert_utilities.cpp

@@ -41,13 +41,16 @@
 
 #if defined(ANDROID)
 #include <jni.h>
+using namespace crossplat;
 #endif
 
-using namespace crossplat;
+#if defined(_MS_WINDOWS)  && !defined(__cplusplus_winrt)
+#include <wincrypt.h>
+#endif
 
 namespace web { namespace http { namespace client { namespace details {
 
-#if defined(__APPLE__) || defined(ANDROID)
+#if defined(__APPLE__) || defined(ANDROID) || (defined(_MS_WINDOWS)  && !defined(__cplusplus_winrt))
 bool verify_cert_chain_platform_specific(boost::asio::ssl::verify_context &verifyCtx, const std::string &hostName)
 {
     X509_STORE_CTX *storeContext = verifyCtx.native_handle();
@@ -89,7 +92,83 @@ bool verify_cert_chain_platform_specific(boost::asio::ssl::verify_context &verif
         certChain.push_back(std::move(certData));
     }
 
-    return verify_X509_cert_chain(certChain, hostName);
+    auto verify_result = verify_X509_cert_chain(certChain, hostName);
+
+    // The Windows Crypto APIs don't do host name checks, use Boost's implementation.
+#if defined(_MS_WINDOWS)
+    if (verify_result)
+    {
+        boost::asio::ssl::rfc2818_verification rfc2818(hostName);
+        verify_result = rfc2818(verify_result, verifyCtx);
+    }
+#endif
+    return verify_result;
+}
+#endif
+
+#if defined(_MS_WINDOWS)  && !defined(__cplusplus_winrt)
+
+// Helper RAII unique_ptrs to free Windows structures.
+struct cert_free_certificate_context
+{
+    void operator()(const CERT_CONTEXT *ctx) const
+    {
+        CertFreeCertificateContext(ctx);
+    }
+};
+typedef std::unique_ptr<const CERT_CONTEXT, cert_free_certificate_context> cert_context;
+struct cert_free_certificate_chain
+{
+    void operator()(const CERT_CHAIN_CONTEXT *chain) const
+    {
+        CertFreeCertificateChain(chain);
+    }
+};
+typedef std::unique_ptr<const CERT_CHAIN_CONTEXT, cert_free_certificate_chain> chain_context;
+
+bool verify_X509_cert_chain(const std::vector<std::string> &certChain, const std::string &)
+{
+    // Create certificate context from server certificate.
+    cert_context cert(CertCreateCertificateContext(
+        X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+        reinterpret_cast<const unsigned char *>(certChain[0].c_str()),
+        certChain[0].size()));
+    if (cert == nullptr)
+    {
+        return false;
+    }
+
+    // Let the OS build a certificate chain from the server certificate.
+    CERT_CHAIN_PARA params;
+    ZeroMemory(&params, sizeof(params));
+    params.cbSize = sizeof(CERT_CHAIN_PARA);
+    params.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;
+    LPTSTR usages[] = { szOID_PKIX_KP_SERVER_AUTH };
+    params.RequestedUsage.Usage.cUsageIdentifier = 1;
+    params.RequestedUsage.Usage.rgpszUsageIdentifier = usages;
+    PCCERT_CHAIN_CONTEXT chainContext;
+    chain_context chain;
+    if (!CertGetCertificateChain(
+        nullptr,
+        cert.get(),
+        nullptr,
+        nullptr,
+        &params,
+        CERT_CHAIN_REVOCATION_CHECK_CHAIN,
+        nullptr,
+        &chainContext))
+    {
+        return false;
+    }
+    chain.reset(chainContext);
+
+    // Check to see if the certificate chain is actually trusted.
+    if (chain->TrustStatus.dwErrorStatus != CERT_TRUST_NO_ERROR)
+    {
+        return false;
+    }
+
+    return true;
 }
 #endif
 

Release/src/websockets/client/ws_client.cpp

@@ -109,7 +109,7 @@ class wspp_client : public _websocket_client_impl, public std::enable_shared_fro
         m_work(utility::details::make_unique<boost::asio::io_service::work>(m_service)),
         m_state(CREATED),
         m_num_sends(0)
-#if defined(__APPLE__) || defined(ANDROID)
+#if defined(__APPLE__) || defined(ANDROID) || defined(_MS_WINDOWS)
         , m_openssl_failed(false)
 #endif
     {}
@@ -174,12 +174,12 @@ class wspp_client : public _websocket_client_impl, public std::enable_shared_fro
                 sslContext->set_default_verify_paths();
                 sslContext->set_options(boost::asio::ssl::context::default_workarounds);
                 sslContext->set_verify_mode(boost::asio::ssl::context::verify_peer);
-#if defined(__APPLE__) || defined(ANDROID)
+#if defined(__APPLE__) || defined(ANDROID) || defined(_MS_WINDOWS)
                 m_openssl_failed = false;
 #endif
                 sslContext->set_verify_callback([this](bool preverified, boost::asio::ssl::verify_context &verifyCtx)
                 {
-#if defined(__APPLE__) || defined(ANDROID)
+#if defined(__APPLE__) || defined(ANDROID) || defined(_MS_WINDOWS)
                     // On OS X, iOS, and Android, OpenSSL doesn't have access to where the OS
                     // stores keychains. If OpenSSL fails we will doing verification at the
                     // end using the whole certificate chain so wait until the 'leaf' cert.
@@ -190,7 +190,7 @@ class wspp_client : public _websocket_client_impl, public std::enable_shared_fro
                     }
                     if(m_openssl_failed)
                     {
-                        return http::client::details::verify_cert_chain_platform_specific(verifyCtx, m_uri.host());
+                        return http::client::details::verify_cert_chain_platform_specific(verifyCtx, utility::conversions::to_utf8string(m_uri.host()));
                     }
 #endif
                     boost::asio::ssl::rfc2818_verification rfc2818(utility::conversions::to_utf8string(m_uri.host()));
@@ -711,7 +711,7 @@ class wspp_client : public _websocket_client_impl, public std::enable_shared_fro
     // Used to track if any of the OpenSSL server certificate verifications
     // failed. This can safely be tracked at the client level since connections
     // only happen once for each client.
-#if defined(__APPLE__) || defined(ANDROID)
+#if defined(__APPLE__) || defined(ANDROID) || defined(_MS_WINDOWS)
     bool m_openssl_failed;
 #endif
 

Release/tests/functional/http/client/vs12/HttpClient120_test.vcxproj

@@ -1,6 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <Import Project="$(_NTDRIVE)$(_NTROOT)\vctools\cpp_rest\cpprest.razzle.props" Condition="exists('$(_NTDRIVE)$(_NTROOT)\vctools\cpp_rest\cpprest.razzle.props')" />
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|ARM">
       <Configuration>Debug</Configuration>
@@ -83,15 +82,6 @@
       <AdditionalIncludeDirectories>$(CasablancaIncludeDir);$(CommonTestIncludeDir);..\..\utilities\include;$(TestListenerPath)\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
     </ClCompile>
   </ItemDefinitionGroup>
-  <!-- If testing against a VS installation, need to include the libs. -->
-  <ItemDefinitionGroup Condition="'$(BuildAgainstVSInstallation)'!=''">
-    <Link>
-      <AdditionalLibraryDirectories>$(CasablancaVSLibDir);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-    </Link>
-    <Link>
-      <AdditionalDependencies>%(AdditionalDependencies)</AdditionalDependencies>
-    </Link>
-  </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
     <ClCompile>
       <PrecompiledHeader>Use</PrecompiledHeader>
@@ -239,7 +229,6 @@
     <ClCompile Include="..\to_string_tests.cpp" />
   </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
-  <Import Project="$(BuildRoot)\cpprest.razzle.targets" Condition="'$(BuildInRazzle)'!=''" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>
 </Project>

Release/tests/functional/websockets/client/authentication_tests.cpp

@@ -86,8 +86,6 @@ TEST_FIXTURE(uri_address, auth_with_credentials, "Ignore", "245")
 }
 #endif
 
-// Server certificate verification isn't implemented on Windows desktop yet.
-#if !defined(_MS_WINDOWS) || defined(__cplusplus_winrt)
 TEST_FIXTURE(uri_address, ssl_test)
 {
     websocket_client client;
@@ -110,7 +108,6 @@ TEST_FIXTURE(uri_address, ssl_test)
     receive_task.wait();
     client.close().wait();
 }
-#endif
 
 } // SUITE(authentication_tests)
 

Release/tests/functional/websockets/client/vs12/websocketsclient120_test.vcxproj

@@ -68,17 +68,6 @@
     </Link>
   </ItemDefinitionGroup>
 
-  <!-- If testing against a VS installation, need to include the libs. -->
-  <ItemDefinitionGroup Condition="'$(BuildAgainstVSInstallation)'!=''">
-    <Link>
-      <AdditionalLibraryDirectories>$(CasablancaVSLibDir);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-    </Link>
-    <Link>
-      <GenerateDebugInformation>true</GenerateDebugInformation>
-      <AdditionalDependencies>%(AdditionalDependencies)</AdditionalDependencies>
-    </Link>
-  </ItemDefinitionGroup>
-
   <ItemDefinitionGroup Condition="'$(Configuration)'=='Debug'">
     <ClCompile>
       <Optimization>Disabled</Optimization>