Author: rfm
Date: Fri May 19 13:38:48 2017
New Revision: 40508
URL: http://svn.gna.org/viewcvs/gnustep?rev=40508&view=rev
Log:
Make TLS client certificate issuer/owner names available
Modified:
libs/base/trunk/ChangeLog
libs/base/trunk/Headers/Foundation/NSFileHandle.h
libs/base/trunk/Source/GSSocketStream.m
libs/base/trunk/Source/GSTLS.h
libs/base/trunk/Source/GSTLS.m
libs/base/trunk/Source/NSFileHandle.m
Modified: libs/base/trunk/ChangeLog
URL:
http://svn.gna.org/viewcvs/gnustep/libs/base/trunk/ChangeLog?rev=40508&r1=40507&r2=40508&view=diff
==============================================================================
--- libs/base/trunk/ChangeLog (original)
+++ libs/base/trunk/ChangeLog Fri May 19 13:38:48 2017
@@ -1,3 +1,13 @@
+2017-05-19 Richard Frith-Macdonald <[email protected]>
+
+ * Headers/Foundation/NSFileHandle.h:
+ * Source/GSSocketStream.m:
+ * Source/GSTLS.h:
+ * Source/GSTLS.m:
+ * Source/NSFileHandle.m:
+ Add code to make the issuer and owner of a client certificate
+ available when we require/verify an incoming certificate.
+
2017-05-10 Wolfgang Lux <[email protected]>
* Tools/gdomap.c (nameServer, donames): Fix incorrect use
Modified: libs/base/trunk/Headers/Foundation/NSFileHandle.h
URL:
http://svn.gna.org/viewcvs/gnustep/libs/base/trunk/Headers/Foundation/NSFileHandle.h?rev=40508&r1=40507&r2=40508&view=diff
==============================================================================
--- libs/base/trunk/Headers/Foundation/NSFileHandle.h (original)
+++ libs/base/trunk/Headers/Foundation/NSFileHandle.h Fri May 19 13:38:48 2017
@@ -263,6 +263,18 @@
*/
- (BOOL) sslHandshakeEstablished: (BOOL*)result outgoing: (BOOL)isOutgoing;
+/** If the session verified a certificate from the remote end, returns the
+ * name of the certificate issuer in the form "C=xxxx,O=yyyy,CN=zzzz" as
+ * described in RFC2253. Otherwise returns nil.
+ */
+- (NSString*) sslIssuer;
+
+/** If the session verified a certificate from the remote end, returns the
+ * name of the certificate owner in the form "C=xxxx,O=yyyy,CN=zzzz" as
+ * described in RFC2253. Otherwise returns nil.
+ */
+- (NSString*) sslOwner;
+
/** Deprecated ... use -sslSetOptions: instead
*/
- (void) sslSetCertificate: (NSString*)certFile
Modified: libs/base/trunk/Source/GSSocketStream.m
URL:
http://svn.gna.org/viewcvs/gnustep/libs/base/trunk/Source/GSSocketStream.m?rev=40508&r1=40507&r2=40508&view=diff
==============================================================================
--- libs/base/trunk/Source/GSSocketStream.m (original)
+++ libs/base/trunk/Source/GSSocketStream.m Fri May 19 13:38:48 2017
@@ -358,8 +358,7 @@
GSTLSSession *session;
}
-/**
- * Populates the dictionary 'dict', copying in all the properties
+/** Populates the dictionary 'dict', copying in all the properties
* of the supplied streams. If a property is set for both then
* the output stream's one has precedence.
*/
@@ -367,6 +366,11 @@
withTLSPriority: (NSString*)pri
fromInputStream: (NSStream*)i
orOutputStream: (NSStream*)o;
+
+/** Called on verification of the remote end's certificate to tell the
+ * delegate of the input stream who the certificate issuer and owner are.
+ */
+- (void) stream: (NSStream*)stream issuer: (NSString*)i owner: (NSString*)o;
@end
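Review bot: `stream:issuer:owner:` at L80 is declared only in this private interface in GSSocketStream.m, yet the call site in the later hunk sends it (after a `respondsToSelector:` check) to whatever object is the input stream's delegate, so an application delegate that wants the names has no public declaration to compile against and will get an undeclared-selector warning. Consider also declaring it as an informal protocol (a category on NSObject alongside the other stream delegate methods in the NSStream header, which is outside this patch) with the same doc comment, e.g. `- (void) stream: (NSStream*)stream issuer: (NSString*)issuer owner: (NSString*)owner;`. While at it, the parameter names `i` and `o` in this declaration say nothing to a reader of the header; `issuer` and `owner` read better.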
@@ -572,6 +576,18 @@
[ostream _recordError: theError];
}
[self bye];
+ }
+ else
+ {
+ NSString *issuer = [session issuer];
+ NSString *owner = [session owner];
+ id del = [istream delegate];
+
+ if (nil != issuer && nil != owner
+ && [del respondsToSelector: @selector(stream:issuer:owner:)])
+ {
+ [del stream: istream issuer: issuer owner: owner];
+ }
}
}
}
@@ -716,6 +732,11 @@
}
}
}
+}
+
+- (void) stream: (NSStream*)stream issuer: (NSString*)i owner: (NSString*)o
+{
+ return;
}
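Review bot: The new `stream:issuer:owner:` implementation at L107-L110 is an empty body ending in a bare `return;`, with nothing saying why a deliberate no-op exists. If this handler stands in as the streams' delegate during the handshake (that is not visible in this hunk, so please confirm) a reader needs to know the method is intentionally swallowing the notification rather than being unfinished; suggest dropping the redundant `return;` and adding `/* Intentionally empty: the handler does not need the peer names itself; the real delegate is told directly by the handshake code. */`. The method before this one ends inside the hunk, so the placement is fine.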
- (NSInteger) write: (const uint8_t *)buffer maxLength: (NSUInteger)len
Modified: libs/base/trunk/Source/GSTLS.h
URL:
http://svn.gna.org/viewcvs/gnustep/libs/base/trunk/Source/GSTLS.h?rev=40508&r1=40507&r2=40508&view=diff
==============================================================================
--- libs/base/trunk/Source/GSTLS.h (original)
+++ libs/base/trunk/Source/GSTLS.h Fri May 19 13:38:48 2017
@@ -184,6 +184,8 @@
NSDictionary *opts;
GSTLSCredentials *credentials;
NSString *problem;
+ NSString *issuer;
+ NSString *owner;
BOOL outgoing;
BOOL active;
BOOL handshake;
@@ -230,6 +232,18 @@
*/
- (BOOL) handshake;
+/** If the session verified a certificate from the remote end, returns the
+ * name of the certificate issuer in the form "C=xxxx,O=yyyy,CN=zzzz" as
+ * described in RFC2253. Otherwise returns nil.
+ */
+- (NSString*) issuer;
+
+/** If the session verified a certificate from the remote end, returns the
+ * name of the certificate owner in the form "C=xxxx,O=yyyy,CN=zzzz" as
+ * described in RFC2253. Otherwise returns nil.
+ */
+- (NSString*) owner;
+
/* After a failed handshake, this should contain a description of the
* failure reason.
*/
Modified: libs/base/trunk/Source/GSTLS.m
URL:
http://svn.gna.org/viewcvs/gnustep/libs/base/trunk/Source/GSTLS.m?rev=40508&r1=40507&r2=40508&view=diff
==============================================================================
--- libs/base/trunk/Source/GSTLS.m (original)
+++ libs/base/trunk/Source/GSTLS.m Fri May 19 13:38:48 2017
@@ -160,7 +160,7 @@
/* The verifyClient variable tells us if connections from a remote server
* should (by default) require and verify a client certificate against
- * trusted authorities.
+ * our trusted authorities.
* The hard-coded value can be overridden by the GS_TLS_VERIFY_C environment
* variable, which in turn will be overridden by the GSTLSVerifyClient user
* default string.
@@ -168,8 +168,9 @@
*/
static BOOL verifyClient = NO;
-/* The verifyServer variable tells us if connections to a remote server should
- * (by default) verify its certificate against trusted authorities.
+/* The verifyServer variable tells us if outgoing connections (as a client)
+ * to a remote server should (by default) verify that server's certificate
+ * against trusted authorities.
* The hard-coded value can be overridden by the GS_TLS_VERIFY_S environment
* variable, which in turn will be overridden by the GSTLSVerifyServer user
* default string.
@@ -1430,6 +1431,8 @@
DESTROY(opts);
DESTROY(credentials);
DESTROY(problem);
+ DESTROY(issuer);
+ DESTROY(owner);
[super dealloc];
}
@@ -1801,6 +1804,16 @@
}
return YES; // Handshake complete
}
+}
+
+- (NSString*) issuer
+{
+ return issuer;
+}
+
+- (NSString*) owner
+{
+ return owner;
}
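Review bot: `-issuer` and `-owner` at L184-L191 return the raw ivar, while the later verification hunk replaces those ivars with `ASSIGN()` (which releases the previous value) and `-dealloc` destroys them. Under the retain/release conventions this file uses, a caller that holds the returned pointer without retaining it and then drives another verification on the same session would be left with a released object; `return AUTORELEASE(RETAIN(issuer));` (and likewise for owner) keeps the value alive for the caller's autorelease scope. If a session only ever verifies once this is a convention point only, but it costs nothing and matches how other GNUstep accessors hand out ivars.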
- (NSString*) problem
@@ -2113,13 +2126,15 @@
if (status & GNUTLS_CERT_REVOKED)
NSLog(@"%@ TLS verification: certificate has been revoked.", self);
- /*
+#if defined(GNUTLS_CERT_EXPIRED)
if (status & GNUTLS_CERT_EXPIRED)
NSLog(@"%@ TLS verification: certificate has expired", self);
-
+#endif
+
+#if defined(GNUTLS_CERT_NOT_ACTIVATED)
if (status & GNUTLS_CERT_NOT_ACTIVATED)
NSLog(@"%@ TLS verification: certificate is not yet activated", self);
- */
+#endif
}
if (status & GNUTLS_CERT_INVALID)
@@ -2165,6 +2180,23 @@
gnutls_x509_crt_deinit(cert);
if (YES == debug) NSLog(@"%@ %@", self, problem);
return GNUTLS_E_CERTIFICATE_ERROR;
+ }
+ else
+ {
+ char dn[1024];
+ size_t dn_size;
+
+ /* Get certificate owner and issuer
+ */
+ dn_size = sizeof(dn);
+ gnutls_x509_crt_get_dn(cert, dn, &dn_size);
+ dn[dn_size - 1] = '\0';
+ ASSIGN(owner, [NSString stringWithUTF8String: dn]);
+
+ dn_size = sizeof(dn);
+ gnutls_x509_crt_get_issuer_dn(cert, dn, &dn_size);
+ dn[dn_size - 1] = '\0';
+ ASSIGN(issuer, [NSString stringWithUTF8String: dn]);
}
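Review bot: The return values of `gnutls_x509_crt_get_dn` and `gnutls_x509_crt_get_issuer_dn` at L224 and L229 are ignored, and `dn_size` is then trusted for the terminator write at L225 and L230. When the DN does not fit in the 1024-byte stack buffer gnutls reports GNUTLS_E_SHORT_MEMORY_BUFFER and stores the required size in dn_size, so `dn[dn_size - 1] = '\0'` writes past the end of `dn`; on any other error the buffer contents are unspecified yet still become the owner/issuer string. A peer certificate's DN is data chosen by the remote end, so the result must be checked and the length bounded before the buffer is touched, and the ivar should be cleared rather than left holding a stale value when no name could be read. The enclosing verify function starts and ends outside the hunk; the rewritten else branch below is the only change.

```objc
  else
    {
      char      dn[1024];
      size_t    dn_size;
      int       rc;

      /* Get certificate owner and issuer.  The DN comes from the remote
       * end, so only use the buffer when gnutls reports success and the
       * returned length fits; on a short buffer dn_size holds the size
       * that would have been needed, not what was written.
       */
      dn_size = sizeof(dn);
      rc = gnutls_x509_crt_get_dn(cert, dn, &dn_size);
      if (rc < 0 || dn_size > sizeof(dn))
        {
          DESTROY(owner);
        }
      else
        {
          dn[sizeof(dn) - 1] = '\0';    // belt and braces; gnutls terminates
          ASSIGN(owner, [NSString stringWithUTF8String: dn]);
        }

      dn_size = sizeof(dn);
      rc = gnutls_x509_crt_get_issuer_dn(cert, dn, &dn_size);
      if (rc < 0 || dn_size > sizeof(dn))
        {
          DESTROY(issuer);
        }
      else
        {
          dn[sizeof(dn) - 1] = '\0';
          ASSIGN(issuer, [NSString stringWithUTF8String: dn]);
        }
    }
```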
str = [opts objectForKey: GSTLSRemoteHosts];
Modified: libs/base/trunk/Source/NSFileHandle.m
URL:
http://svn.gna.org/viewcvs/gnustep/libs/base/trunk/Source/NSFileHandle.m?rev=40508&r1=40507&r2=40508&view=diff
==============================================================================
--- libs/base/trunk/Source/NSFileHandle.m (original)
+++ libs/base/trunk/Source/NSFileHandle.m Fri May 19 13:38:48 2017
@@ -848,6 +848,16 @@
return YES;
}
+- (NSString*) sslIssuer
+{
+ return nil;
+}
+
+- (NSString*) sslOwner
+{
+ return nil;
+}
+
- (void) sslSetCertificate: (NSString*)certFile
privateKey: (NSString*)privateKey
PEMpasswd: (NSString*)PEMpasswd
@@ -1045,6 +1055,16 @@
}
}
+- (NSString*) sslIssuer
+{
+ return [session issuer];
+}
+
+- (NSString*) sslOwner
+{
+ return [session owner];
+}
+
- (NSString*) sslSetOptions: (NSDictionary*)options
{
if (isStandardFile == YES)