summaryrefslogtreecommitdiff
path: root/cpp/src/qpid/sys/ssl
diff options
context:
space:
mode:
Diffstat (limited to 'cpp/src/qpid/sys/ssl')
-rw-r--r--cpp/src/qpid/sys/ssl/SslHandler.cpp16
-rw-r--r--cpp/src/qpid/sys/ssl/SslHandler.h4
-rw-r--r--cpp/src/qpid/sys/ssl/SslIo.cpp7
-rw-r--r--cpp/src/qpid/sys/ssl/SslIo.h3
-rw-r--r--cpp/src/qpid/sys/ssl/SslSocket.cpp49
-rw-r--r--cpp/src/qpid/sys/ssl/SslSocket.h1
6 files changed, 73 insertions, 7 deletions
diff --git a/cpp/src/qpid/sys/ssl/SslHandler.cpp b/cpp/src/qpid/sys/ssl/SslHandler.cpp
index 3469f88c0f..5516d72065 100644
--- a/cpp/src/qpid/sys/ssl/SslHandler.cpp
+++ b/cpp/src/qpid/sys/ssl/SslHandler.cpp
@@ -42,13 +42,14 @@ struct Buff : public SslIO::BufferBase {
{ delete [] bytes;}
};
-SslHandler::SslHandler(std::string id, ConnectionCodec::Factory* f) :
+SslHandler::SslHandler(std::string id, ConnectionCodec::Factory* f, bool _nodict) :
identifier(id),
aio(0),
factory(f),
codec(0),
readError(false),
- isClient(false)
+ isClient(false),
+ nodict(_nodict)
{}
SslHandler::~SslHandler() {
@@ -111,7 +112,7 @@ void SslHandler::readbuff(SslIO& , SslIO::BufferBase* buff) {
decoded = in.getPosition();
QPID_LOG(debug, "RECV [" << identifier << "] INIT(" << protocolInit << ")");
try {
- codec = factory->create(protocolInit.getVersion(), *this, identifier, aio->getKeyLen());
+ codec = factory->create(protocolInit.getVersion(), *this, identifier, getSecuritySettings(aio));
if (!codec) {
//TODO: may still want to revise this...
//send valid version header & close connection.
@@ -166,7 +167,7 @@ void SslHandler::nobuffs(SslIO&) {
void SslHandler::idle(SslIO&){
if (isClient && codec == 0) {
- codec = factory->create(*this, identifier, aio->getKeyLen());
+ codec = factory->create(*this, identifier, getSecuritySettings(aio));
write(framing::ProtocolInitiation(codec->getVersion()));
return;
}
@@ -183,5 +184,12 @@ void SslHandler::idle(SslIO&){
aio->queueWriteClose();
}
+SecuritySettings SslHandler::getSecuritySettings(SslIO* aio)
+{
+ SecuritySettings settings = aio->getSecuritySettings();
+ settings.nodict = nodict;
+ return settings;
+}
+
}}} // namespace qpid::sys::ssl
diff --git a/cpp/src/qpid/sys/ssl/SslHandler.h b/cpp/src/qpid/sys/ssl/SslHandler.h
index 8f6b8e732a..a340109966 100644
--- a/cpp/src/qpid/sys/ssl/SslHandler.h
+++ b/cpp/src/qpid/sys/ssl/SslHandler.h
@@ -45,11 +45,13 @@ class SslHandler : public OutputControl {
ConnectionCodec* codec;
bool readError;
bool isClient;
+ bool nodict;
void write(const framing::ProtocolInitiation&);
+ qpid::sys::SecuritySettings getSecuritySettings(SslIO* aio);
public:
- SslHandler(std::string id, ConnectionCodec::Factory* f);
+ SslHandler(std::string id, ConnectionCodec::Factory* f, bool nodict);
~SslHandler();
void init(SslIO* a, int numBuffs);
diff --git a/cpp/src/qpid/sys/ssl/SslIo.cpp b/cpp/src/qpid/sys/ssl/SslIo.cpp
index c149d6ea74..a57123c182 100644
--- a/cpp/src/qpid/sys/ssl/SslIo.cpp
+++ b/cpp/src/qpid/sys/ssl/SslIo.cpp
@@ -436,4 +436,9 @@ void SslIO::close(DispatchHandle& h) {
}
}
-int SslIO::getKeyLen() {return socket.getKeyLen();}
+SecuritySettings SslIO::getSecuritySettings() {
+ SecuritySettings settings;
+ settings.ssf = socket.getKeyLen();
+ settings.authid = socket.getClientAuthId();
+ return settings;
+}
diff --git a/cpp/src/qpid/sys/ssl/SslIo.h b/cpp/src/qpid/sys/ssl/SslIo.h
index 3162abac40..53ac69d8d6 100644
--- a/cpp/src/qpid/sys/ssl/SslIo.h
+++ b/cpp/src/qpid/sys/ssl/SslIo.h
@@ -22,6 +22,7 @@
*/
#include "qpid/sys/DispatchHandle.h"
+#include "qpid/sys/SecuritySettings.h"
#include <boost/function.hpp>
#include <deque>
@@ -156,7 +157,7 @@ public:
bool writeQueueEmpty() { return writeQueue.empty(); }
BufferBase* getQueuedBuffer();
- int getKeyLen();
+ qpid::sys::SecuritySettings getSecuritySettings();
private:
~SslIO();
diff --git a/cpp/src/qpid/sys/ssl/SslSocket.cpp b/cpp/src/qpid/sys/ssl/SslSocket.cpp
index aa8cf127d7..22b0909ad4 100644
--- a/cpp/src/qpid/sys/ssl/SslSocket.cpp
+++ b/cpp/src/qpid/sys/ssl/SslSocket.cpp
@@ -102,6 +102,34 @@ std::string getService(int fd, bool local)
return servName;
}
+const std::string DOMAIN_SEPARATOR("@");
+const std::string DC_SEPARATOR(".");
+const std::string DC("DC");
+const std::string DN_DELIMS(" ,=");
+
+std::string getDomainFromSubject(std::string subject)
+{
+ std::string::size_type last = subject.find_first_not_of(DN_DELIMS, 0);
+ std::string::size_type i = subject.find_first_of(DN_DELIMS, last);
+
+ std::string domain;
+ bool nextTokenIsDC = false;
+ while (std::string::npos != i || std::string::npos != last)
+ {
+ std::string token = subject.substr(last, i - last);
+ if (nextTokenIsDC) {
+ if (domain.size()) domain += DC_SEPARATOR;
+ domain += token;
+ nextTokenIsDC = false;
+ } else if (token == DC) {
+ nextTokenIsDC = true;
+ }
+ last = subject.find_first_not_of(DN_DELIMS, i);
+ i = subject.find_first_of(DN_DELIMS, last);
+ }
+ return domain;
+}
+
}
SslSocket::SslSocket() : IOHandle(new IOHandlePrivate()), socket(0), prototype(0)
@@ -294,4 +322,25 @@ int SslSocket::getKeyLen() const
return 0;
}
+std::string SslSocket::getClientAuthId() const
+{
+ std::string authId;
+ CERTCertificate* cert = SSL_PeerCertificate(socket);
+ if (cert) {
+ authId = CERT_GetCommonName(&(cert->subject));
+ /*
+ * The NSS function CERT_GetDomainComponentName only returns
+ * the last component of the domain name, so we have to parse
+ * the subject manually to extract the full domain.
+ */
+ std::string domain = getDomainFromSubject(cert->subjectName);
+ if (!domain.empty()) {
+ authId += DOMAIN_SEPARATOR;
+ authId += domain;
+ }
+ CERT_DestroyCertificate(cert);
+ }
+ return authId;
+}
+
}}} // namespace qpid::sys::ssl
diff --git a/cpp/src/qpid/sys/ssl/SslSocket.h b/cpp/src/qpid/sys/ssl/SslSocket.h
index f1f05e7a98..e2443e31c8 100644
--- a/cpp/src/qpid/sys/ssl/SslSocket.h
+++ b/cpp/src/qpid/sys/ssl/SslSocket.h
@@ -101,6 +101,7 @@ public:
int getError() const;
int getKeyLen() const;
+ std::string getClientAuthId() const;
private:
mutable std::string connectname;
View Lorry Controller Status