From 80a1128ec7e212133f69f17d080bdeea23aabe6f Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Fri, 16 Jul 2021 18:31:52 +0200
Subject: [PATCH] Introduce SetupSslContext()

---
 lib/base/tlsutility.cpp | 43 ++++++++++++++++++++++++++++++++++++++
 lib/base/tlsutility.hpp | 4 ++++
 lib/remote/apilistener.cpp | 39 +--------------------------------
 3 files changed, 48 insertions(+), 38 deletions(-)

diff --git a/lib/base/tlsutility.cpp b/lib/base/tlsutility.cpp
index 40f7b57da..1357ed617 100644
--- a/lib/base/tlsutility.cpp
+++ b/lib/base/tlsutility.cpp
@@ -258,6 +258,49 @@ int ResolveTlsProtocolVersion(const std::string& version) {
 }
 }
 
+Shared::Ptr SetupSslContext(String certPath, String keyPath,
+ String caPath, String crlPath, String cipherList, String protocolmin, DebugInfo di)
+{
+ namespace ssl = boost::asio::ssl;
+
+ Shared::Ptr context;
+
+ try {
+ context = MakeAsioSslContext(certPath, keyPath, caPath);
+ } catch (const std::exception&) {
+ BOOST_THROW_EXCEPTION(ScriptError("Cannot make SSL context for cert path: '"
+ + certPath + "' key path: '" + keyPath + "' ca path: '" + caPath + "'.", di));
+ }
+
+ if (!crlPath.IsEmpty()) {
+ try {
+ AddCRLToSSLContext(context, crlPath);
+ } catch (const std::exception&) {
+ BOOST_THROW_EXCEPTION(ScriptError("Cannot add certificate revocation list to SSL context for crl path: '"
+ + crlPath + "'.", di));
+ }
+ }
+
+ if (!cipherList.IsEmpty()) {
+ try {
+ SetCipherListToSSLContext(context, cipherList);
+ } catch (const std::exception&) {
+ BOOST_THROW_EXCEPTION(ScriptError("Cannot set cipher list to SSL context for cipher list: '"
+ + cipherList + "'.", di));
+ }
+ }
+
+ if (!protocolmin.IsEmpty()){
+ try {
+ SetTlsProtocolminToSSLContext(context, protocolmin);
+ } catch (const std::exception&) {
+ BOOST_THROW_EXCEPTION(ScriptError("Cannot set minimum TLS protocol version to SSL context with tls_protocolmin: '" + protocolmin + "'.", di));
+ }
+ }
+
+ return std::move(context);
+}
+
 /**
  * Set the minimum TLS protocol version to the specified SSL context.
  *
diff --git a/lib/base/tlsutility.hpp b/lib/base/tlsutility.hpp
index 2493ff279..ce50fb427 100644
--- a/lib/base/tlsutility.hpp
+++ b/lib/base/tlsutility.hpp
@@ -4,6 +4,7 @@
 #define TLSUTILITY_H
 
 #include "base/i2-base.hpp"
+#include "base/debuginfo.hpp"
 #include "base/object.hpp"
 #include "base/shared.hpp"
 #include "base/array.hpp"
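Review bot: `return std::move(context);` at the end of SetupSslContext is a pessimizing move: context is a local returned by value, so the explicit std::move only disables NRVO and triggers -Wpessimizing-move on GCC and Clang; `return context;` is enough. The new function is also the one definition in this stretch of lib/base/tlsutility.cpp without a Doxygen header while the neighbouring SetTlsProtocolminToSSLContext has one; add a `/** ... */` block stating that the context is built from certPath/keyPath/caPath, that crlPath, cipherList and protocolmin are applied only when non-empty, and that every failure surfaces as a ScriptError carrying di. Each catch clause drops the original exception, so the ScriptError never says why OpenSSL rejected a file or cipher string; consider catching `const std::exception& ex` and appending `ex.what()` to the message to make misconfigurations diagnosable from the error alone. The declared return type appears on this page as `Shared::Ptr`, which looks like a template argument lost in rendering rather than the real signature.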
@@ -35,6 +36,9 @@ void SetCipherListToSSLContext(const Shared::Ptr& con
 void SetTlsProtocolminToSSLContext(const Shared::Ptr& context, const String& tlsProtocolmin);
 int ResolveTlsProtocolVersion(const std::string& version);
 
+Shared::Ptr SetupSslContext(String certPath, String keyPath,
+ String caPath, String crlPath, String cipherList, String protocolmin, DebugInfo di);
+
 String GetCertificateCN(const std::shared_ptr& certificate);
 std::shared_ptr GetX509Certificate(const String& pemfile);
 int MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile = String(), const String& certfile = String(), bool ca = false);
diff --git a/lib/remote/apilistener.cpp b/lib/remote/apilistener.cpp
index fcf902cfa..45dc69131 100644
--- a/lib/remote/apilistener.cpp
+++ b/lib/remote/apilistener.cpp
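Review bot: The new declaration takes all six `String` parameters and the `DebugInfo` by value, while every neighbouring declaration in this header passes `String` as `const String&` (SetTlsProtocolminToSSLContext, GetX509Certificate, MakeX509CSR), so the signature is inconsistent with the file and copies seven objects per call. Declare it as `SetupSslContext(const String& certPath, const String& keyPath, const String& caPath, const String& crlPath, const String& cipherList, const String& protocolmin, const DebugInfo& di);` and change the definition in lib/base/tlsutility.cpp in step. A one-line comment above the declaration naming the ScriptError the function throws on any failure would also help callers, since the header otherwise gives no hint that this call can throw.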
@@ -181,44 +181,7 @@ void ApiListener::OnConfigLoaded()
 
 void ApiListener::UpdateSSLContext()
 {
- namespace ssl = boost::asio::ssl;
-
- Shared::Ptr context;
-
- try {
- context = MakeAsioSslContext(GetDefaultCertPath(), GetDefaultKeyPath(), GetDefaultCaPath());
- } catch (const std::exception&) {
- BOOST_THROW_EXCEPTION(ScriptError("Cannot make SSL context for cert path: '"
- + GetDefaultCertPath() + "' key path: '" + GetDefaultKeyPath() + "' ca path: '" + GetDefaultCaPath() + "'.", GetDebugInfo()));
- }
-
- if (!GetCrlPath().IsEmpty()) {
- try {
- AddCRLToSSLContext(context, GetCrlPath());
- } catch (const std::exception&) {
- BOOST_THROW_EXCEPTION(ScriptError("Cannot add certificate revocation list to SSL context for crl path: '"
- + GetCrlPath() + "'.", GetDebugInfo()));
- }
- }
-
- if (!GetCipherList().IsEmpty()) {
- try {
- SetCipherListToSSLContext(context, GetCipherList());
- } catch (const std::exception&) {
- BOOST_THROW_EXCEPTION(ScriptError("Cannot set cipher list to SSL context for cipher list: '"
- + GetCipherList() + "'.", GetDebugInfo()));
- }
- }
-
- if (!GetTlsProtocolmin().IsEmpty()){
- try {
- SetTlsProtocolminToSSLContext(context, GetTlsProtocolmin());
- } catch (const std::exception&) {
- BOOST_THROW_EXCEPTION(ScriptError("Cannot set minimum TLS protocol version to SSL context with tls_protocolmin: '" + GetTlsProtocolmin() + "'.", GetDebugInfo()));
- }
- }
-
- m_SSLContext = context;
+ m_SSLContext = SetupSslContext(GetDefaultCertPath(), GetDefaultKeyPath(), GetDefaultCaPath(), GetCrlPath(), GetCipherList(), GetTlsProtocolmin(), GetDebugInfo());
 
 for (const Endpoint::Ptr& endpoint : ConfigType::GetObjectsByType()) {
 for (const JsonRpcConnection::Ptr& client : endpoint->GetClients()) {
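Review bot: The single added line in UpdateSSLContext runs to roughly 170 columns, well beyond the width the removed block wrapped at, and the seven getter calls are hard to check against the parameter order of SetupSslContext; split it as `m_SSLContext = SetupSslContext(GetDefaultCertPath(), GetDefaultKeyPath(), GetDefaultCaPath(),` followed by `	GetCrlPath(), GetCipherList(), GetTlsProtocolmin(), GetDebugInfo());`. The ordering guarantee of the old code is preserved: SetupSslContext either returns a fully configured context or throws, so m_SSLContext is still only replaced once certificate, CRL, cipher list and minimum protocol version have all been applied. UpdateSSLContext continues past the end of this hunk.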