Initial completion of verifying X509 certs on OS X/iOS.

stgates · Steve Gates · commit 807a18e31a0b · 2014-08-05T15:33:23.000-07:00
diff --git a/Release/include/cpprest/x509_cert_utilities.h b/Release/include/cpprest/x509_cert_utilities.h
@@ -0,0 +1,37 @@
+/***
+* ==++==
+*
+* Copyright (c) Microsoft Corporation. All rights reserved. 
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*
+* ==--==
+* =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
+*
+* x509_cert_utilities.h
+*
+* Contains utility functions for helping to verify server certificates in OS X/iOS.
+*
+* For the latest on this and related APIs, please see http://casablanca.codeplex.com.
+*
+* =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+****/
+
+#pragma once
+
+#include <vector>
+#include <string>
+
+namespace web { namespace http { namespace client { namespace details {
+
+bool verify_X509_cert_chain(const std::vector<std::string> &certChain, const std::string &hostName);
+
+}}}}
diff --git a/Release/src/CMakeLists.txt b/Release/src/CMakeLists.txt
@@ -17,6 +17,7 @@ if(UNIX)
     http/common/http_helpers.cpp
     http/client/http_msg_client.cpp
     http/client/http_linux.cpp
+    http/client/x509_cert_utilities.cpp
     http/listener/http_linux_server.cpp
     http/listener/http_listener.cpp
     http/listener/http_msg_listen.cpp
@@ -30,7 +31,8 @@ if(UNIX)
   if(APPLE)
     set(SOURCES ${SOURCES} pplx/apple/pplxapple.cpp)
     find_library(COREFOUNDATION CoreFoundation "/")
-    set(EXTRALINKS ${COREFOUNDATION})
+    find_library(SECURITY Security "/")
+    set(EXTRALINKS ${COREFOUNDATION} ${SECURITY})
   else()
     set(SOURCES ${SOURCES} pplx/linux/pplxlinux.cpp)
   endif()
@@ -46,6 +48,7 @@ elseif(WIN32)
     http/common/http_msg.cpp
     http/common/http_helpers.cpp
     http/client/http_msg_client.cpp
+    http/client/x509_cert_utilities.cpp
     http/listener/http_listener.cpp
     http/listener/http_msg_listen.cpp
     http/listener/http_server_api.cpp
@@ -82,7 +85,6 @@ target_link_libraries(${Casablanca_LIBRARY}
   ${Boost_LOCALE_LIBRARY}
   ${Boost_REGEX_LIBRARY}
   ${Boost_RANDOM_LIBRARY}
-  ${COREFOUNDATION}
   ${EXTRALINKS}
   )
 
diff --git a/Release/src/http/client/http_linux.cpp b/Release/src/http/client/http_linux.cpp
@@ -30,6 +30,7 @@
 #include "stdafx.h"
 
 #include "cpprest/http_client_impl.h"
+#include "cpprest/x509_cert_utilities.h"
 #include <unordered_set>
 
 using boost::asio::ip::tcp;
@@ -280,7 +281,7 @@ namespace web { namespace http
                 bool m_timedout;
                 boost::asio::streambuf m_body_buf;
                 boost::asio::deadline_timer m_timeout_timer;
-
+                
                 virtual ~linux_client_request_context();
 
                 void handle_timeout_timer(const boost::system::error_code& ec)
@@ -485,7 +486,7 @@ namespace web { namespace http
                             if(client_config().validate_certificates())
                             {
                                 ctx->m_ssl_stream->set_verify_mode(boost::asio::ssl::context::verify_peer);
-                                ctx->m_ssl_stream->set_verify_callback(boost::asio::ssl::rfc2818_verification(m_uri.host()));
+                                ctx->m_ssl_stream->set_verify_callback(boost::bind(&linux_client::handle_cert_verification, shared_from_this(), _1, _2));
                             }
                             else
                             {
@@ -536,7 +537,7 @@ namespace web { namespace http
                             if(client_config().validate_certificates())
                             {
                                 ctx->m_ssl_stream->set_verify_mode(boost::asio::ssl::context::verify_peer);
-                                ctx->m_ssl_stream->set_verify_callback(boost::asio::ssl::rfc2818_verification(m_uri.host()));
+                                ctx->m_ssl_stream->set_verify_callback(boost::bind(&linux_client::handle_cert_verification, shared_from_this(), _1, _2));
                             }
                             else
                             {
@@ -548,6 +549,53 @@ namespace web { namespace http
                     }
                 }
 
+                bool handle_cert_verification(bool preverified, boost::asio::ssl::verify_context &ctx)
+                {
+#if defined(__APPLE__)
+                    // The 'leaf', non-Certificate Authority (CA) certificate, i.e. actual server certificate
+                    // is at the '0' position in the certificate chain, the rest are optional intermediate
+                    // certificates, followed finally by the root CA self signed certificate.
+                        
+                    // OpenSSL calls the verification callback once per certificate in the chain,
+                    // starting with the root CA certificate. We will be performing verification all
+                    // at once using the whole certificate chain so wait until the 'leaf' cert.
+                    X509_STORE_CTX *storeContext = ctx.native_handle();
+                    int currentDepth = X509_STORE_CTX_get_error_depth(storeContext);
+                    if(currentDepth == 0)
+                    {
+                        // preverified false means OpenSSL falied to verify the certificate successfully.
+                        // On OS X, iOS, or Android, OpenSSL doesn't have access to where the OS stores keychains.
+                        // To work around this we fall back to the OS facilities to verify the server certificate.
+                        if(!preverified)
+                        {
+                            STACK_OF(X509) *certStack = X509_STORE_CTX_get_chain(ctx.native_handle());
+                            const int numCerts = sk_X509_num(certStack);
+                            std::vector<std::string> certChain;
+                           
+                            for(int i = 0; i < numCerts; ++i)
+                            {
+                                X509 *cert = sk_X509_value(certStack, i);
+                                
+                                // Encode into DER format into raw memory.
+                                unsigned char * buffer = nullptr;
+                                const int len = i2d_X509(cert, &buffer);
+                                if(len < 0)
+                                {
+                                    return false;
+                                }
+                                
+                                certChain.emplace_back(reinterpret_cast<char *>(buffer), len);
+                            }
+                            
+                            return verify_X509_cert_chain(certChain, m_uri.host());
+                        }
+                    }
+#endif
+
+                    boost::asio::ssl::rfc2818_verification rfc2818(m_uri.host());
+                    return rfc2818(preverified, ctx);
+                }
+
                 void handle_handshake(const boost::system::error_code& ec, std::shared_ptr<linux_client_request_context> ctx)
                 {
                     if (!ec)
diff --git a/Release/src/http/client/x509_cert_utilities.cpp b/Release/src/http/client/x509_cert_utilities.cpp
@@ -0,0 +1,154 @@
+/***
+* ==++==
+*
+* Copyright (c) Microsoft Corporation. All rights reserved. 
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*
+* ==--==
+* =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
+*
+* x509_cert_utilities.cpp
+*
+* Contains utility functions for helping to verify server certificates in OS X/iOS.
+*
+* For the latest on this and related APIs, please see http://casablanca.codeplex.com.
+*
+* =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+****/
+
+#include "cpprest/x509_cert_utilities.h"
+
+#include <vector>
+#include <string>
+
+#if defined(__APPLE__)
+#include <CoreFoundation/CFData.h>
+#include <Security/SecBase.h>
+#include <Security/SecCertificate.h>
+#include <Security/SecPolicy.h>
+#include <Security/SecTrust.h>
+#endif
+
+namespace web { namespace http { namespace client { namespace details {
+
+#if defined(__APPLE__)
+
+// Simple RAII pattern wrapper to perform CFRelease on objects.
+template <typename T>
+class CFRef
+{
+public:
+    CFRef(T v) : value(v) {}
+    CFRef() : value(nullptr) {}
+
+    ~CFRef()
+    {
+        if(value != nullptr)
+        {
+            CFRelease(value);
+        }
+    }
+
+    T & Get()
+    {
+        return value;
+    }
+private:
+    T value;
+};
+    
+template <typename T>
+class CFVectorRef
+{
+public:
+    CFVectorRef() {}
+    ~CFVectorRef()
+    {
+        for(auto & item : container)
+        {
+            CFRelease(item);
+        }
+    }
+    
+    void push_back(T item)
+    {
+        container.push_back(item);
+    }
+    std::vector<T> & items()
+    {
+        return container;
+    }
+    
+private:
+    std::vector<T> container;
+};
+
+bool verify_X509_cert_chain(const std::vector<std::string> &certChain, const std::string &hostName)
+{
+    // Build up CFArrayRef with all the certificates.
+    // All this code is basically just to get into the correct structures for the Apple APIs.
+    // Copies are avoided whenever possible.
+    CFVectorRef<SecCertificateRef> certs;
+    for(const auto & certBuf : certChain)
+    {
+        CFRef<CFDataRef> certDataRef = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault,
+                                                                   reinterpret_cast<const unsigned char*>(certBuf.c_str()),
+                                                                   certBuf.size(),
+                                                                   kCFAllocatorNull);
+        if(certDataRef.Get() == nullptr)
+        {
+            return false;
+        }
+        
+        SecCertificateRef certObj = SecCertificateCreateWithData(nullptr, certDataRef.Get());
+        if(certObj == nullptr)
+        {
+            return false;
+        }
+        certs.push_back(certObj);
+    }
+    CFRef<CFArrayRef> certsArray = CFArrayCreate(kCFAllocatorDefault, (const void **)&certs.items()[0], certs.items().size(), nullptr);
+    if(certsArray.Get() == nullptr)
+    {
+        return false;
+    }
+    
+    // Create trust management object with certificates and SSL policy.
+    // Note: SecTrustCreateWithCertificates expects the certificate to be
+    // verified is the first element.
+    CFRef<CFStringRef> cfHostName = CFStringCreateWithCStringNoCopy(kCFAllocatorDefault,
+                                                                    &hostName[0],
+                                                                    kCFStringEncodingASCII,
+                                                                    kCFAllocatorNull);
+    if(cfHostName.Get() == nullptr)
+    {
+        return false;
+    }
+    CFRef<SecPolicyRef> policy = SecPolicyCreateSSL(true /* client side */, cfHostName.Get());
+    CFRef<SecTrustRef> trust;
+    OSStatus status = SecTrustCreateWithCertificates(certsArray.Get(), policy.Get(), &trust.Get());
+    if(status == noErr)
+    {
+        // Perform actual certificate verification.
+        SecTrustResultType trustResult;
+        status = SecTrustEvaluate(trust.Get(), &trustResult);
+        if(status == noErr && (trustResult == kSecTrustResultUnspecified || trustResult == kSecTrustResultProceed))
+        {
+            return true;
+        }
+    }
+
+    return false;
+}
+#endif
+
+}}}}
