Add support for cert-pinning on Windows and Mac.

CONTRIBUTORS.txt

@@ -35,6 +35,7 @@ Gery Vessere ([email protected])
 Cisco Systems
 Gergely Lukacsy (glukacsy)
 Chris Deering (deeringc)
+Chris O'Gorman (chogorma)
 
 Ocedo GmbH
 Henning Pfeiffer (megaposer)

Release/include/cpprest/certificate_info.h

@@ -0,0 +1,48 @@
+/***
+* ==++==
+*
+* Copyright (c) Microsoft Corporation. All rights reserved.
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*
+* ==--==
+* =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
+*
+* Certificate info
+*
+* For the latest on this and related APIs, please see: https://github.com/Microsoft/cpprestsdk
+*
+* =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+****/
+
+#pragma once
+
+#include <vector>
+#include <string>
+
+namespace web { namespace http { namespace client {
+
+    using CertificateChain = std::vector<std::vector<unsigned char>>;
+
+    struct certificate_info
+    {
+        CertificateChain certificate_chain;
+        std::string host_name;
+        long certificate_error{ 0 };
+        bool verified{ false };
+
+        certificate_info(const std::string host) : host_name(host) {};
+        certificate_info(const std::string host, CertificateChain chain, long error = 0) : host_name(host), certificate_chain(chain), certificate_error(error) {};
+    };
+
+    using CertificateChainFunction = std::function<bool(const std::shared_ptr<certificate_info> certificate_Info)>;
+
+}}}

Release/include/cpprest/details/x509_cert_utilities.h

@@ -14,6 +14,7 @@
 #pragma once
 
 #include <string>
+#include "cpprest/certificate_info.h"
 
 #if defined(__APPLE__) || (defined(ANDROID) || defined(__ANDROID__)) || (defined(_WIN32)  && !defined(__cplusplus_winrt) && !defined(_M_ARM) && !defined(CPPREST_EXCLUDE_WEBSOCKETS))
 
@@ -35,15 +36,24 @@
 
 namespace web { namespace http { namespace client { namespace details {
 
+using namespace utility;
+
+
+bool is_end_certificate_in_chain(boost::asio::ssl::verify_context &verifyCtx);
+
 /// <summary>
 /// Using platform specific APIs verifies server certificate.
 /// Currently implemented to work on iOS, Android, and OS X.
 /// </summary>
 /// <param name="verifyCtx">Boost.ASIO context to get certificate chain from.</param>
 /// <param name="hostName">Host name from the URI.</param>
 /// <returns>True if verification passed and server can be trusted, false otherwise.</returns>
-bool verify_cert_chain_platform_specific(boost::asio::ssl::verify_context &verifyCtx, const std::string &hostName);
+bool verify_cert_chain_platform_specific(boost::asio::ssl::verify_context &verifyCtx, const std::string &hostName, const CertificateChainFunction& func = nullptr);
+
+bool verify_X509_cert_chain(const std::vector<std::string> &certChain, const std::string &hostName, const CertificateChainFunction& func = nullptr);
+
+std::vector<std::vector<unsigned char>> get_X509_cert_chain_encoded_data(boost::asio::ssl::verify_context &verifyCtx);
 
 }}}}
 
-#endif
+#endif

Release/include/cpprest/http_client.h

@@ -35,6 +35,7 @@ typedef void* native_handle;}}}
 #include "cpprest/http_msg.h"
 #include "cpprest/json.h"
 #include "cpprest/uri.h"
+#include "cpprest/certificate_info.h"
 #include "cpprest/details/web_utilities.h"
 #include "cpprest/details/basic_types.h"
 #include "cpprest/asyncrt_utils.h"
@@ -87,6 +88,7 @@ class http_client_config
 #if !defined(__cplusplus_winrt)
         , m_validate_certificates(true)
 #endif
+        , m_certificate_chain_callback([](const std::shared_ptr<certificate_info>&)->bool { return true; })
 #if !defined(_WIN32) && !defined(__cplusplus_winrt) || defined(CPPREST_FORCE_HTTP_CLIENT_ASIO)
         , m_tlsext_sni_enabled(true)
 #endif
@@ -349,7 +351,7 @@ class http_client_config
     /// <param name="callback">A user callback allowing for customization of the request</param>
     void set_nativehandle_options(const std::function<void(native_handle)> &callback)
     {
-         m_set_user_nativehandle_options = callback;
+        m_set_user_nativehandle_options = callback;
     }
 
     /// <summary>
@@ -362,6 +364,25 @@ class http_client_config
             m_set_user_nativehandle_options(handle);
     }
 
+
+    /// <summary>
+    /// Set the certificate chain callback. If set, HTTP client will call this callback in a blocking manner during HTTP connection.
+    /// </summary>
+    void set_user_certificate_chain_callback(const CertificateChainFunction& callback)
+    {
+        m_certificate_chain_callback = callback;
+    }
+
+    /// <summary>
+    /// Invokes the certificate chain callback.
+    /// </summary>
+    /// <param name="certificate_info">Pointer to the certificate_info struct that has the certificate information.</param>
+    /// <returns>True if the consumer code allows the connection, false otherwise. False will terminate the HTTP connection.</returns>
+    bool invoke_certificate_chain_callback(const std::shared_ptr<certificate_info>& certificate_Info) const
+    {
+        return m_certificate_chain_callback(certificate_Info);
+    }
+
 #if !defined(_WIN32) && !defined(__cplusplus_winrt) || defined(CPPREST_FORCE_HTTP_CLIENT_ASIO)
     /// <summary>
     /// Sets a callback to enable custom setting of the ssl context, at construction time.
@@ -420,6 +441,7 @@ class http_client_config
     bool m_validate_certificates;
 #endif
 
+    CertificateChainFunction m_certificate_chain_callback;
     std::function<void(native_handle)> m_set_user_nativehandle_options;
 	std::function<void(native_handle)> m_set_user_nativesessionhandle_options;
 

Release/include/cpprest/oauth2.h

@@ -16,6 +16,7 @@
 #define _CASA_OAUTH2_H
 
 #include "cpprest/http_msg.h"
+#include "cpprest/certificate_info.h"
 #include "cpprest/details/web_utilities.h"
 
 namespace web
@@ -216,7 +217,8 @@ class oauth2_config
                 m_implicit_grant(false),
                 m_bearer_auth(true),
                 m_http_basic_auth(true),
-                m_access_token_key(details::oauth2_strings::access_token)
+                m_access_token_key(details::oauth2_strings::access_token),
+                m_certificate_chain_callback([](const std::shared_ptr<web::http::client::certificate_info>&)->bool { return true; })
     {}
 
     /// <summary>
@@ -467,6 +469,17 @@ class oauth2_config
     /// </summary>
     void set_user_agent(utility::string_t user_agent) { m_user_agent = std::move(user_agent); }
 
+    /// <summary>
+    /// Set the certificate chain callback to be used by the http client.
+    /// </summary>
+    void set_user_certificate_chain_callback(const web::http::client::CertificateChainFunction& callback) { m_certificate_chain_callback = callback; }
+
+    /// <summary>
+    /// Get the cert chain callback.
+    /// </summary>
+    /// <returns>A reference to cert chain callback user by the client.</returns>
+    const web::http::client::CertificateChainFunction& user_certificate_chain_callback() { return m_certificate_chain_callback; }
+
 private:
     friend class web::http::client::http_client_config;
     friend class web::http::oauth2::details::oauth2_handler;
@@ -514,6 +527,8 @@ class oauth2_config
     oauth2_token m_token;
 
     utility::nonce_generator m_state_generator;
+
+    web::http::client::CertificateChainFunction m_certificate_chain_callback;
 };
 
 } // namespace web::http::oauth2::experimental

Release/include/cpprest/ws_client.h

@@ -24,8 +24,10 @@
 
 #include "pplx/pplxtasks.h"
 #include "cpprest/uri.h"
+#include "cpprest/certificate_info.h"
 #include "cpprest/details/web_utilities.h"
 #include "cpprest/http_headers.h"
+#include "cpprest/json.h"
 #include "cpprest/asyncrt_utils.h"
 #include "cpprest/ws_msg.h"
 
@@ -73,6 +75,7 @@ class websocket_client_config
     /// Creates a websocket client configuration with default settings.
     /// </summary>
     websocket_client_config() :
+        m_certificate_chain_callback([](const std::shared_ptr<http::client::certificate_info>&)->bool { return true; }),
         m_sni_enabled(true),
         m_validate_certificates(true)
 	{
@@ -205,13 +208,31 @@ class websocket_client_config
         m_validate_certificates = validate_certs;
     }
 
+    /// Set the certificate chain callback. If set, HTTP client will call this callback in a blocking manner during HTTP connection.
+    /// </summary>
+    void set_user_certificate_chain_callback(const http::client::CertificateChainFunction& callback)
+    {
+        m_certificate_chain_callback = callback;
+    }
+
+    /// <summary>
+    /// Invokes the certificate chain callback.
+    /// </summary>
+    /// <param name="certificate_info">Pointer to the certificate_info struct that has the certificate information.</param>
+    /// <returns>True if the consumer code allows the connection, false otherwise. False will terminate the HTTP connection.</returns>
+    bool invoke_certificate_chain_callback(const std::shared_ptr<http::client::certificate_info>& certificate_Info) const
+    {
+        return m_certificate_chain_callback(certificate_Info);
+    }
+
 private:
     web::web_proxy m_proxy;
     web::credentials m_credentials;
     web::http::http_headers m_headers;
     bool m_sni_enabled;
     utf8string m_sni_hostname;
     bool m_validate_certificates;
+    http::client::CertificateChainFunction m_certificate_chain_callback;
 };
 
 /// <summary>

Release/src/http/client/http_client_asio.cpp

@@ -1,3 +1,4 @@
+
 /***
 * Copyright (C) Microsoft. All rights reserved.
 * Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
@@ -44,6 +45,7 @@
 #include "cpprest/base_uri.h"
 #include "cpprest/details/x509_cert_utilities.h"
 #include "cpprest/details/http_helpers.h"
+#include "cpprest/certificate_info.h"
 #include <unordered_set>
 #include <memory>
 
@@ -975,6 +977,9 @@ class asio_context : public request_context, public std::enable_shared_from_this
         // finally by the root CA self signed certificate.
 
         const auto &host = utility::conversions::to_utf8string(m_http_client->base_uri().host());
+
+        using namespace web::http::client::details;
+
 #if defined(__APPLE__) || (defined(ANDROID) || defined(__ANDROID__))
         // On OS X, iOS, and Android, OpenSSL doesn't have access to where the OS
         // stores keychains. If OpenSSL fails we will doing verification at the
@@ -986,12 +991,31 @@ class asio_context : public request_context, public std::enable_shared_from_this
         }
         if(m_openssl_failed)
         {
-            return verify_cert_chain_platform_specific(verifyCtx, host);
-        }
+
+            if (!is_end_certificate_in_chain(verifyCtx))
+            {
+                // Continue until we get the end certificate.
+                return true;
+            }
+
+            auto chainFunc = [this](const std::shared_ptr<certificate_info>& cert_info) {
+                return m_http_client->client_config().invoke_certificate_chain_callback(cert_info);
+            };
+
+            return http::client::details::verify_cert_chain_platform_specific(verifyCtx, utility::conversions::to_utf8string(host), chainFunc);
+            }
 #endif
 
         boost::asio::ssl::rfc2818_verification rfc2818(host);
-        return rfc2818(preverified, verifyCtx);
+        if(!rfc2818(preverified, verifyCtx))
+        {
+            return false;
+        }
+
+        auto info = std::make_shared<certificate_info>(host, get_X509_cert_chain_encoded_data(verifyCtx));
+        info->verified = true;
+
+        return m_http_client->client_config().invoke_certificate_chain_callback(info);
     }
 
     void handle_write_headers(const boost::system::error_code& ec)

Release/src/http/client/http_client_impl.h

@@ -88,6 +88,8 @@ class request_context
     // Registration for cancellation notification if enabled.
     pplx::cancellation_token_registration m_cancellationRegistration;
 
+    bool m_certificate_chain_verification_failed{ false };
+
 protected:
 
     request_context(const std::shared_ptr<_http_client_communicator> &client, const http_request &request);