[
https://issues.apache.org/jira/browse/QPID-7130?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Justin Ross updated QPID-7130:
------------------------------
Component/s: C++ Client
> qpid C++ with SSL authentication returning dummy string from
> Connection::getAuthenticatedUsername()
> ---------------------------------------------------------------------------------------------------
>
> Key: QPID-7130
> URL: https://issues.apache.org/jira/browse/QPID-7130
> Project: Qpid
> Issue Type: Improvement
> Components: C++ Client
> Affects Versions: qpid-cpp-0.34
> Environment: Fedora 21 Linux
> Reporter: Domen Vrankar
> Assignee: Gordon Sim
> Priority: Minor
> Labels: features, patch
> Fix For: qpid-cpp-1.35.0
>
> Attachments:
> 0001-qpid-messaging-Connection-getAuthenticatedUsername.patch,
> 0002-Added-getLocalAuthId-to-all-socket-classes.patch,
> 0003-Added-virtual-keyword-to-functions-BSDSocket-getKeyL.patch,
> 0004-Added-getPeerAuthId-as-an-alias-for-getClientAuthId-.patch,
> 0005-Deleted-old-getClientAuthId-function-that-was-replac.patch
>
>
> When using Qpid C++ without SASL or with authentication disabled you can do:
> qpid_message.setUserId(qpid_connection_.getAuthenticatedUsername());
> and message can be received on remote location.
> Without SASL "ANONYMOUS" string is returned.
> With SASL but without authentication "anonymous" string is returned.
> In both cases message isn't rejected by broker.
> With SASL and SSL authentication "dummy" is returned. This string is rejected
> by broker and also doesn't help with identifying who sent the message.
> First patch fixes this by reading local certificate authentication id the
> same way as SslSocket::getClientAuthId does but for local instead of peer
> certificate.
> Second patch adds getLocalAuthId to all other classes derived from Socket
> (not certain if this is necessary that's why it's in a separate patch).
> Third patch adds virtual keyword to BSDSocket getKeyLen, getClientAuthId and
> ~BSDSocket() functions since this class is parent class of SslSocket. (Since
> with C++11 and later compilers final and override keywords can be used to
> find such errors perhaps two macros should be defined and used throughout the
> code e.g.:
> create file qpid_cpp.hpp
> #if __cplusplus <= 199711L
> #define QPID_CPP_OVERRIDE
> #define QPID_CPP_FINAL
> #else
> #define QPID_CPP_OVERRIDE override
> #define QPID_CPP_FINAL final
> #endif
> and then used somewhere:
> #include "qpid_cpp.hpp"
> struct A {
>     virtual void foo() QPID_CPP_FINAL; // A::foo is final
>     virtual void bar();
>     virtual void bas();
> };
>
> struct B QPID_CPP_FINAL : A { // struct B is final
>     void foo(); // Error: foo cannot be overridden as it's final in A
>     void bar() QPID_CPP_OVERRIDE;
>     int bas() QPID_CPP_OVERRIDE; // Error: wrong bas signature used
>     void baf() QPID_CPP_OVERRIDE; // Error: function doesn't override anything
> };
>
> struct C : B { // Error: B is final
> };
> )
> Fourth patch adds getPeerAuthId as alias for getClientAuthId since current
> name is meaningful only on broker side (on client side it returns broker
> authentication id).
> Fifth patch removes getClientAuthId altogether (split into a separate patch
> as I am not certain if this function can be accessed from outside Qpid
> internal implementation and should remain as is).
> How to test:
> Build qpid with SASL and SSL.
> Create ssl certificate store.
> Run qpid with:
> qpidd --ssl-cert-db ${CERT_DB_DIR} --ssl-cert-password-file /tmp/password.txt \
>   --ssl-cert-name 127.0.0.1 --ssl-require-client-authentication \
>   --acl-file ${ACL_DIR}/acl_file.acl --auth yes
> ACL file should contain:
> acl allow send@QPID all # sender cert
> acl allow receive@QPID all # receiver cert
> acl deny all all
> On sending client use:
> qpid_message.setUserId(qpid_connection_.getAuthenticatedUsername());
> On receiving client use:
> qpid_message.getUserId();
> Message should be delivered and IDs should be the same and matching sender
> certificate nickname.
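A simplified model of the behaviour the report describes, added here as an illustration and not taken from Qpid or the attached patches. The `ClientConnection` and `BrokerConnection` types, `brokerAcceptsUserId`, `sendAccepted` and the comparison rule are assumptions; only the "anonymous" and "dummy" strings and the `send@QPID` identity come from the report.

```cpp
#include <iostream>
#include <string>

// Hypothetical stand-in for the sending client's connection.
struct ClientConnection {
    bool sslClientAuth;       // SASL plus SSL client-certificate authentication in use
    bool patched;             // true: behaviour the first patch describes
    std::string localAuthId;  // identity read from the local certificate
    std::string getAuthenticatedUsername() const {
        if (!sslClientAuth) return "anonymous";
        return patched ? localAuthId : "dummy";  // "dummy" is the reported value
    }
};

// Hypothetical stand-in for the broker's view of the same connection.
struct BrokerConnection {
    bool authEnabled;         // models --auth yes / no
    std::string peerAuthId;   // identity the broker took from the client certificate
};

// Assumed rule: with authentication on, a non-empty user-id must equal the
// identity authenticated for the connection; otherwise anything passes.
bool brokerAcceptsUserId(const BrokerConnection& b, const std::string& userId) {
    if (!b.authEnabled || userId.empty()) return true;
    return userId == b.peerAuthId;
}

// Mirrors setUserId(getAuthenticatedUsername()) followed by a send.
bool sendAccepted(const ClientConnection& c, const BrokerConnection& b) {
    return brokerAcceptsUserId(b, c.getAuthenticatedUsername());
}

int main() {
    BrokerConnection noAuth = {false, ""};
    BrokerConnection sslAuth = {true, "send@QPID"};
    ClientConnection plain = {false, false, ""};
    ClientConnection before = {true, false, "send@QPID"};
    ClientConnection after = {true, true, "send@QPID"};
    std::cout << std::boolalpha
              << "no auth, anonymous:      " << sendAccepted(plain, noAuth) << "\n"
              << "SSL auth, unpatched:     " << sendAccepted(before, sslAuth) << "\n"
              << "SSL auth, patched:       " << sendAccepted(after, sslAuth) << "\n"
              << "claims another identity: " << brokerAcceptsUserId(sslAuth, "receive@QPID") << "\n";
    return 0;
}
```

The last case shows why the check matters to a defender: a user-id that names a different certificate identity than the one authenticated on the connection is refused.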