Domen Vrankar created QPID-7130:
-----------------------------------
Summary: qpid C++ with SSL authentication returning dummy string from Connection::getAuthenticatedUsername()
Key: QPID-7130
URL: https://issues.apache.org/jira/browse/QPID-7130
Project: Qpid
Issue Type: Improvement
Affects Versions: qpid-cpp-0.34
Environment: Fedora 21 Linux
Reporter: Domen Vrankar
Priority: Minor
Fix For: qpid-cpp-next
Attachments:
0001-qpid-messaging-Connection-getAuthenticatedUsername.patch,
0002-Added-getLocalAuthId-to-all-socket-classes.patch,
0003-Added-virtual-keyword-to-functions-BSDSocket-getKeyL.patch,
0004-Added-getPeerAuthId-as-an-alias-for-getClientAuthId-.patch,
0005-Deleted-old-getClientAuthId-function-that-was-replac.patch
When using Qpid C++ without SASL or with authentication disabled you can do:
qpid_message.setUserId(qpid_connection_.getAuthenticatedUsername());
and the message can be received at the remote location.
Without SASL the "ANONYMOUS" string is returned.
With SASL but without authentication the "anonymous" string is returned.
In both cases the message isn't rejected by the broker.
With SASL and SSL authentication "dummy" is returned. This string is rejected
by the broker and also doesn't help with identifying who sent the message.
The first patch fixes this by reading the local certificate authentication id the
same way as SslSocket::getClientAuthId does, but for the local instead of the peer
certificate.
The second patch adds getLocalAuthId to all other classes derived from Socket (not
certain if this is necessary, that's why it's in a separate patch).
The third patch adds the virtual keyword to the BSDSocket getKeyLen, getClientAuthId
and ~BSDSocket() functions since this class is the parent class of SslSocket. (Since
with C++11 and later compilers the final and override keywords can be used to find
such errors, perhaps two macros should be defined and used throughout the code,
e.g.:
create file qpid_cpp.hpp:
#ifndef QPID_CPP_HPP
#define QPID_CPP_HPP
#if __cplusplus <= 199711L
#define QPID_CPP_OVERRIDE
#define QPID_CPP_FINAL
#else
#define QPID_CPP_OVERRIDE override
#define QPID_CPP_FINAL final
#endif
#endif // QPID_CPP_HPP
and then use them somewhere:
#include "qpid_cpp.hpp"
struct A {
    virtual void foo() QPID_CPP_FINAL; // A::foo is final
    virtual void bar();
    virtual void bas();
};
struct B QPID_CPP_FINAL : A { // struct B is final
    void foo(); // Error: foo cannot be overridden as it's final in A
    void bar() QPID_CPP_OVERRIDE;
    int bas() QPID_CPP_OVERRIDE; // Error: wrong bas signature used (return type differs from A::bas)
    void baf() QPID_CPP_OVERRIDE; // Error: function doesn't override anything
};
struct C : B { // Error: B is final
};
)
The fourth patch adds getPeerAuthId as an alias for getClientAuthId since the current
name is meaningful only on the broker side (on the client side it returns the broker's
authentication id).
The fifth patch removes getClientAuthId altogether (split into a separate patch as
I am not certain whether this function can be accessed from outside Qpid's internal
implementation and should remain as is).
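As an added illustration (not code from the attached patches or from Qpid itself): a simplified mock of the BSDSocket/SslSocket relationship described above. It shows the name-hiding problem the third patch addresses, where a non-virtual base-class getClientAuthId makes an SslSocket reached through a BSDSocket reference answer with the base placeholder, and how virtual getLocalAuthId/getPeerAuthId together with the proposed QPID_CPP_OVERRIDE/QPID_CPP_FINAL macros turn such mistakes into compile errors. Class and function names mirror the report; their bodies, the "dummy" placeholder value, the certificate nicknames, and the helpers authenticatedUsername() and userIdMatchesCertificate() are assumptions made for this example.

```cpp
// Added example, not Qpid code: a simplified mock of the BSDSocket/SslSocket
// relationship from the report. Names mirror the report; bodies, the "dummy"
// placeholder and the certificate nicknames are assumptions for illustration.
#include <iostream>
#include <string>

// The macro pair proposed in the report: no-ops before C++11.
#if __cplusplus <= 199711L
#define QPID_CPP_OVERRIDE
#define QPID_CPP_FINAL
#else
#define QPID_CPP_OVERRIDE override
#define QPID_CPP_FINAL final
#endif

// --- Before the third patch: base-class functions are not virtual -----------
namespace before {
struct BSDSocket {
    ~BSDSocket() {}  // not virtual (the third patch makes it virtual)
    // Not virtual: SslSocket's definition HIDES this one instead of overriding
    // it, so any caller holding a BSDSocket reference gets the base answer.
    std::string getClientAuthId() const { return "dummy"; }
};
struct SslSocket : BSDSocket {
    explicit SslSocket(const std::string& nick) : certNickname(nick) {}
    std::string getClientAuthId() const { return certNickname; }
    std::string certNickname;
};
// Stands in for Connection::getAuthenticatedUsername(), which here reaches
// the socket through its base type (assumption made for the example).
inline std::string authenticatedUsername(const BSDSocket& sock) {
    return sock.getClientAuthId();  // static dispatch -> "dummy" even for SslSocket
}
}  // namespace before

// --- After the patches: virtual functions, explicit override/final ----------
namespace after {
struct BSDSocket {
    virtual ~BSDSocket() {}
    // Local (own certificate) and peer identities, as the first and fourth
    // patches name them. The base has no certificate, hence the placeholder.
    virtual std::string getLocalAuthId() const { return "dummy"; }
    virtual std::string getPeerAuthId() const { return "dummy"; }
};
struct SslSocket QPID_CPP_FINAL : BSDSocket {
    SslSocket(const std::string& local, const std::string& peer)
        : localNick(local), peerNick(peer) {}
    // QPID_CPP_OVERRIDE makes a signature mismatch a compile error instead of
    // a silently hidden function.
    std::string getLocalAuthId() const QPID_CPP_OVERRIDE { return localNick; }
    std::string getPeerAuthId() const QPID_CPP_OVERRIDE { return peerNick; }
    std::string localNick;
    std::string peerNick;
};
inline std::string authenticatedUsername(const BSDSocket& sock) {
    return sock.getLocalAuthId();  // virtual dispatch -> certificate nickname
}
}  // namespace after

// The receiver-side check from the test plan: the user id carried in the
// message must equal the sender's certificate nickname known to the ACL.
inline bool userIdMatchesCertificate(const std::string& userId,
                                     const std::string& certNickname) {
    return userId == certNickname;
}

int main() {
    before::SslSocket oldSock("send");                // constructed sample nickname
    after::SslSocket newSock("send", "127.0.0.1");    // constructed sample nicknames
    std::cout << "before: " << before::authenticatedUsername(oldSock) << "\n";  // dummy
    std::cout << "after:  " << after::authenticatedUsername(newSock) << "\n";   // send
    std::cout << "matches sender cert: "
              << (userIdMatchesCertificate(after::authenticatedUsername(newSock), "send")
                      ? "yes" : "no")
              << "\n";
    return 0;
}
```

Compiled with a C++98 compiler the macros expand to nothing and the code still builds; with C++11 or later, renaming or mistyping one of the overriding signatures in `after::SslSocket` fails to compile, which is the whole point of using the macros throughout the code base.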
How to test:
Build qpid with SASL and SSL.
Create an SSL certificate store.
Run qpid with:
qpidd --ssl-cert-db ${CERT_DB_DIR} --ssl-cert-password-file /tmp/password.txt \
    --ssl-cert-name 127.0.0.1 --ssl-require-client-authentication \
    --acl-file ${ACL_DIR}/acl_file.acl --auth yes
The ACL file should contain:
acl allow send@QPID all # sender cert
acl allow receive@QPID all # receiver cert
acl deny all all
On the sending client use:
qpid_message.setUserId(qpid_connection_.getAuthenticatedUsername());
On the receiving client use:
qpid_message.getUserId();
The message should be delivered and the IDs should be the same and match the sender
certificate nickname.
--
This message was sent by Atlassian JIRA (v6.3.4#6332)