From ff116fa0d696c0a8bd67cfed5091aa1620704964 Mon Sep 17 00:00:00 2001
From: Dmitri Dolguikh
Date: Wed, 12 Feb 2020 15:29:31 -0800
Subject: [PATCH] Fixes MAISTRA-1168: added implementation of boringssl function SSL_get_peer_full_cert_chain

---
 .../transport_sockets/tls/openssl_impl.cc | 18 ++++++++++++++++++
 .../transport_sockets/tls/openssl_impl.h | 2 ++
 .../transport_sockets/tls/ssl_socket.cc | 2 +-
 .../transport_sockets/tls/ssl_socket_test.cc | 4 +---
 4 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/source/extensions/transport_sockets/tls/openssl_impl.cc b/source/extensions/transport_sockets/tls/openssl_impl.cc
index 8d913e2d54..162155f55c 100644
--- a/source/extensions/transport_sockets/tls/openssl_impl.cc
+++ b/source/extensions/transport_sockets/tls/openssl_impl.cc
@@ -90,6 +90,24 @@ std::string getSerialNumberFromCertificate(X509* cert) {
 return "";
 }
 
+STACK_OF(X509)* SSL_get_peer_full_cert_chain(const SSL *ssl) {
+ STACK_OF(X509)* to_copy = SSL_get_peer_cert_chain(ssl);
+ if (!to_copy) {
+ return nullptr;
+ }
+ STACK_OF(X509)* ret = sk_X509_dup(SSL_get_peer_cert_chain(ssl));
+
+ if (SSL_is_server(ssl)) {
+ X509* peer_cert = SSL_get_peer_certificate(ssl);
+ if (!sk_X509_insert(ret, peer_cert, 0)) {
+ sk_X509_pop_free(ret, X509_free);
+ return nullptr;
+ }
+ }
+
+ return ret;
+}
+
 void allowRenegotiation(SSL* ssl) {
 // SSL_set_renegotiate_mode(ssl, mode);
 }
diff --git a/source/extensions/transport_sockets/tls/openssl_impl.h b/source/extensions/transport_sockets/tls/openssl_impl.h
index b7aa363169..bcffefe7f3 100644
--- a/source/extensions/transport_sockets/tls/openssl_impl.h
+++ b/source/extensions/transport_sockets/tls/openssl_impl.h
@@ -28,6 +28,8 @@ int set_strict_cipher_list(SSL_CTX* ctx, const char* str);
 std::string getSerialNumberFromCertificate(X509* cert);
 
+STACK_OF(X509)* SSL_get_peer_full_cert_chain(const SSL *ssl);
+
 void allowRenegotiation(SSL* ssl);
 
 bssl::UniquePtr initX509Names();
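Review bot: On the insert-failure path `sk_X509_pop_free(ret, X509_free)` drops a reference on every certificate in `ret`, but `ret` came from `sk_X509_dup`, which copies pointers without taking references, so this releases references the SSL object's own chain still holds; only the stack itself (`sk_X509_free`) and the separately owned `peer_cert` (`X509_free`) belong to this function at that point. The success path has the mirror problem: the returned stack is a fresh allocation holding one owned reference (the `SSL_get_peer_certificate` result) among borrowed ones, and the ssl_socket.cc caller in this patch never frees it, so the stack and that reference leak; as far as I recall the BoringSSL function of the same name returns a stack owned by the SSL object, which is why that caller does not free. I would make ownership uniform by taking a reference on each duplicated entry, state in a comment that the caller must release the result with `sk_X509_pop_free(chain, X509_free)`, reuse `to_copy` instead of calling `SSL_get_peer_cert_chain` a second time, and check `sk_X509_dup` and `SSL_get_peer_certificate` for NULL before using them.
```cpp
STACK_OF(X509)* SSL_get_peer_full_cert_chain(const SSL *ssl) {
  // Unlike BoringSSL, the caller owns the returned stack and every entry in
  // it: release with sk_X509_pop_free(chain, X509_free).
  STACK_OF(X509)* to_copy = SSL_get_peer_cert_chain(ssl);
  if (!to_copy) {
    return nullptr;
  }
  STACK_OF(X509)* ret = sk_X509_dup(to_copy);
  if (!ret) {
    return nullptr;
  }
  // sk_X509_dup copies pointers only; take a reference on each entry so the
  // stack can be released uniformly without touching the SSL's own chain.
  for (int i = 0; i < sk_X509_num(ret); i++) {
    X509_up_ref(sk_X509_value(ret, i));
  }
  if (SSL_is_server(ssl)) {
    X509* peer_cert = SSL_get_peer_certificate(ssl); // new reference
    if (!peer_cert || !sk_X509_insert(ret, peer_cert, 0)) {
      X509_free(peer_cert); // no-op when NULL
      sk_X509_pop_free(ret, X509_free);
      return nullptr;
    }
  }
  return ret;
}
```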
diff --git a/source/extensions/transport_sockets/tls/ssl_socket.cc b/source/extensions/transport_sockets/tls/ssl_socket.cc
index 4bc8d33d32..310fec261c 100644
--- a/source/extensions/transport_sockets/tls/ssl_socket.cc
+++ b/source/extensions/transport_sockets/tls/ssl_socket.cc
@@ -381,7 +381,7 @@ const std::string& SslSocketInfo::urlEncodedPemEncodedPeerCertificateChain() con
 return cached_url_encoded_pem_encoded_peer_cert_chain_;
 }
 
- STACK_OF(X509)* cert_chain = SSL_get_peer_cert_chain(ssl_.get());
+ STACK_OF(X509)* cert_chain = SSL_get_peer_full_cert_chain(ssl_.get());
 if (cert_chain == nullptr) {
 ASSERT(cached_url_encoded_pem_encoded_peer_cert_chain_.empty());
 return cached_url_encoded_pem_encoded_peer_cert_chain_;
diff --git a/test/extensions/transport_sockets/tls/ssl_socket_test.cc b/test/extensions/transport_sockets/tls/ssl_socket_test.cc
index 7bfcd3cf4a..720dec30e2 100644
--- a/test/extensions/transport_sockets/tls/ssl_socket_test.cc
+++ b/test/extensions/transport_sockets/tls/ssl_socket_test.cc
@@ -1137,8 +1137,7 @@ TEST_P(SslSocketTest, GetPeerCert) {
 .setExpectedPeerCert(expected_peer_cert));
 }
 
-TEST_P(SslSocketTest, DISABLED_GetPeerCertChain) {
- std::cout << "11111111111111111111111111111111111111111111111111111111111111111111111111111111\n";
+TEST_P(SslSocketTest, GetPeerCertChain) {
 const std::string client_ctx_yaml = R"EOF(
 common_tls_context:
 tls_certificates:
@@ -1168,7 +1167,6 @@ TEST_P(SslSocketTest, DISABLED_GetPeerCertChain) {
 "}}/test/extensions/transport_sockets/tls/test_data/no_san_chain.pem"));
 testUtil(test_options.setExpectedSerialNumber(TEST_NO_SAN_CERT_SERIAL)
 .setExpectedPeerCertChain(expected_peer_cert_chain));
- std::cout << "222222222222222222222222222222222222222222222222222222222222222222222222222222222222\n";
 }
 
 TEST_P(SslSocketTest, GetIssueExpireTimesPeerCert) {
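Review bot: `cert_chain` is now a stack freshly allocated by the OpenSSL shim added in this patch (via `sk_X509_dup`, plus a new reference from `SSL_get_peer_certificate` on the server side), and nothing in this function releases it, so every socket that gets past the cache check leaks the stack and that certificate reference; the previous `SSL_get_peer_cert_chain` result was owned by the SSL object and needed no release. Give the result an owner for the function's scope, e.g. `bssl::UniquePtr<STACK_OF(X509)> cert_chain(SSL_get_peer_full_cert_chain(ssl_.get()));` if the compat layer supplies a deleter for that type, or an explicit release before each return, matching whichever release the shim documents for its result. urlEncodedPemEncodedPeerCertificateChain() starts before the hunk and continues after it, so the later returns where the release would have to happen are not visible here.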