Changeset: b4ccbe3a3fe6 for MonetDB
URL: https://dev.monetdb.org/hg/MonetDB/rev/b4ccbe3a3fe6
Modified Files:
        clients/mapilib/Tests/tlssecurity.py
        clients/mapilib/connect_openssl.c
        clients/mapilib/msettings.h
Branch: monetdburl
Log Message:

Implement client certificates


diffs (73 lines):

diff --git a/clients/mapilib/Tests/tlssecurity.py 
b/clients/mapilib/Tests/tlssecurity.py
--- a/clients/mapilib/Tests/tlssecurity.py
+++ b/clients/mapilib/Tests/tlssecurity.py
@@ -143,8 +143,7 @@ attempt('refuse_expired', 'expiredcert',
 # Authenticate using client2.key and client2.crt. Have a succesful MAPI
 # exchange.
 
-# TODO
-#attempt('connect_client_auth', 'clientauth', None, 
cert=certpath('ca1.crt'),clientcert=certpath('client2.crt'), 
clientkey=certpath('client2.key'))
+attempt('connect_client_auth', 'clientauth', None, cert=certpath('ca1.crt'), 
clientcert=certpath('client2.crt'), clientkey=certpath('client2.key'))
 
 # fail_plain_to_tls
 #
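Review bot: The newly enabled `connect_client_auth` case exercises only the happy path; nothing in this file section checks that the `clientauth` endpoint rejects a client that presents no certificate, so the test would still pass against a server that never requests client authentication. A companion case along the lines of `attempt('refuse_client_noauth', 'clientauth', <expected error text>, cert=certpath('ca1.crt'))` (names constructed; use whatever third argument the refuse_* cases above pass for an expected failure) would pin the refusal, unless such a case already exists elsewhere in the file.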
diff --git a/clients/mapilib/connect_openssl.c 
b/clients/mapilib/connect_openssl.c
--- a/clients/mapilib/connect_openssl.c
+++ b/clients/mapilib/connect_openssl.c
@@ -125,6 +125,11 @@ wrap_tls(Mapi mid, SOCKET sock)
        size_t hostlen = strlen(host);
        size_t hostportlen = hostlen + 1 + 20;
 
+       const char *clientkey = msetting_string(settings, MP_CLIENTKEY);
+       const char *clientcert = msetting_string(settings, MP_CLIENTCERT);
+       if (!clientcert[0])
+               clientcert = clientkey;  // this logic should be virtual 
parameters in the spec!
+
        // Clear any earlier errrors
        do {} while (ERR_get_error() != 0);
 
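Review bot: `clientcert[0]` is dereferenced here, before the `assert(clientcert)` that the next hunk adds further down, so if `msetting_string()` can return NULL for an unset MP_CLIENTCERT the null read happens before the assert ever runs, and with NDEBUG the asserts disappear entirely; whether `msetting_string()` guarantees a non-NULL empty string is not visible in this diff. A guard of the form `if (clientcert == NULL || !clientcert[0]) clientcert = clientkey;` (with a matching NULL check on clientkey) keeps the fallback safe either way. The trailing `// this logic should be virtual parameters in the spec!` reads as a note-to-self; `// clientcert falls back to clientkey; ideally resolved as a virtual parameter in msettings (TODO)` would tell a reader why the fallback lives here. wrap_tls continues on both sides of this hunk.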
@@ -192,10 +197,29 @@ wrap_tls(Mapi mid, SOCKET sock)
                return croak_openssl(mid, __func__, "SSL_set_tlsext_host_name");
        }
 
+        // if target.clientkey:
+        //     ssl_context.load_cert_chain(
+        //         certfile=target.clientcert if target.clientcert is not None 
else target.clientkey,
+        //         keyfile=target.clientkey,
+        //         password=target.clientkeypassword,
+        //     )
+       assert(clientkey);
+       assert(clientcert);
+       if (clientkey[0]) {
+               if (1 != SSL_use_PrivateKey_file(ssl, clientkey, 
SSL_FILETYPE_PEM)) {
+                       BIO_free_all(bio);
+                       return croak_openssl(mid, __func__, 
"SSL_use_PrivateKey_file");
+               }
+               if (1 != SSL_use_certificate_chain_file(ssl, clientcert)) {
+                       BIO_free_all(bio);
+                       return croak_openssl(mid, __func__, 
"SSL_use_certificate_chain_file");
+               }
+       }
+
        // handshake
        if (1 != SSL_connect(ssl)) {
                BIO_free_all(bio);
-               return croak_openssl(mid, __func__, "SSL_connect");
+               return croak_openssl(mid, __func__, "SSL_connect handshake");
        }
 
        /////////////////////////////////////////////////////////////////////
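Review bot: The private key is loaded before the certificate (`SSL_use_PrivateKey_file` then `SSL_use_certificate_chain_file`), and if I recall OpenSSL's ssl_set_cert behaviour correctly, setting a certificate that does not match an already-loaded key silently drops the key and clears the error queue, so a swapped or mismatched clientkey/clientcert pair surfaces only as an opaque `SSL_connect handshake` failure instead of at load time. Loading the certificate first and finishing with `SSL_check_private_key(ssl)` turns that into a clear local error; the rewritten block is below. The Python pseudo-code comment above the asserts also mentions `clientkeypassword`, which the C code does not handle — with an encrypted PEM key OpenSSL's default password callback prompts on the terminal, which is unwelcome inside a library, so either install a password callback or state in a comment that only unencrypted keys are supported, and drop the pseudo-code once that is decided. wrap_tls continues on both sides of this hunk.
```c
        // clientcert falls back to clientkey when unset (see top of wrap_tls)
        if (clientkey[0]) {
                // Certificate first: OpenSSL verifies a key against an already
                // loaded certificate and reports a mismatch as an error.
                if (1 != SSL_use_certificate_chain_file(ssl, clientcert)) {
                        BIO_free_all(bio);
                        return croak_openssl(mid, __func__, "SSL_use_certificate_chain_file");
                }
                if (1 != SSL_use_PrivateKey_file(ssl, clientkey, SSL_FILETYPE_PEM)) {
                        BIO_free_all(bio);
                        return croak_openssl(mid, __func__, "SSL_use_PrivateKey_file");
                }
                if (1 != SSL_check_private_key(ssl)) {
                        BIO_free_all(bio);
                        return croak_openssl(mid, __func__, "SSL_check_private_key");
                }
        }
        // … unchanged: SSL_connect handshake …
```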
diff --git a/clients/mapilib/msettings.h b/clients/mapilib/msettings.h
--- a/clients/mapilib/msettings.h
+++ b/clients/mapilib/msettings.h
@@ -48,8 +48,8 @@ typedef enum mparm {
         MP_SOCK = MP__STRING_START,
        MP_SOCKDIR,
         MP_CERT,
-        MP_CLIENTKEY,          // TODO implement this
-        MP_CLIENTCERT,         // TODO implement this
+        MP_CLIENTKEY,
+        MP_CLIENTCERT,
         MP_HOST,
         MP_DATABASE,
         MP_TABLESCHEMA,