From c34ce0160b59dc86ef424055c958838c31a5042e Mon Sep 17 00:00:00 2001
From: Benjamin Sergeant
Date: Sun, 17 May 2020 10:06:11 -0700
Subject: [PATCH] mbedls system certs

---
 CMakeLists.txt | 4 +--
 ixwebsocket/IXSocketMbedTLS.cpp | 56 +++++++++++++++++++++++++++++++--
 ixwebsocket/IXSocketMbedTLS.h | 1 +
 test/IXSocketTest.cpp | 2 +-
 4 files changed, 57 insertions(+), 6 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5df926cc..772b5751 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -123,8 +123,8 @@ if (USE_TLS)
 if (NOT USE_MBED_TLS AND NOT USE_OPEN_SSL) # unless we want something else
 set(USE_SECURE_TRANSPORT ON)
 endif()
- # default to mbedtls on uwp (universal windows platform) if nothing is configured
- elseif (${CMAKE_SYSTEM_NAME} MATCHES "WindowsStore")
+ # default to mbedtls on windows if nothing is configured
+ elseif (WIN32)
 if (NOT USE_OPEN_SSL) # unless we want something else
 set(USE_MBED_TLS ON)
 endif()
diff --git a/ixwebsocket/IXSocketMbedTLS.cpp b/ixwebsocket/IXSocketMbedTLS.cpp
index 583d5e84..3fa916d6 100644
--- a/ixwebsocket/IXSocketMbedTLS.cpp
+++ b/ixwebsocket/IXSocketMbedTLS.cpp
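Review bot: The `elseif (WIN32)` branch now selects MbedTLS on every Windows build, and the MbedTLS backend in this same patch calls `CertOpenStore`, `CertEnumCertificatesInStore` and `CertCloseStore`, which are exported by Crypt32 — this hunk adds no link dependency for it. Unless the target already links crypt32 somewhere outside the hunk (not visible here), the Windows link step will fail on the new symbols. Next to where the MbedTLS libraries are attached, add `if (WIN32) target_link_libraries(<ixwebsocket-target> PRIVATE crypt32) endif()`. The `if (USE_TLS)` block starts before this hunk.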
@@ -43,6 +43,54 @@ namespace ix
 mbedtls_pk_init(&_pkey);
 }
 
+ bool SocketMbedTLS::loadSystemCertificates(std::string& errorMsg)
+ {
+#ifdef _WIN32
+ DWORD flags = CERT_STORE_READONLY_FLAG | CERT_STORE_OPEN_EXISTING_FLAG |
+ CERT_SYSTEM_STORE_CURRENT_USER;
+ HCERTSTORE systemStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, flags, L"Root");
+
+ if (!systemStore)
+ {
+ errorMsg = "CertOpenStore failed with ";
+ errorMsg += std::to_string(GetLastError());
+ return false;
+ }
+
+ PCCERT_CONTEXT certificateIterator = NULL;
+
+ int certificateCount = 0;
+ while (certificateIterator = CertEnumCertificatesInStore(systemStore, certificateIterator))
+ {
+ if (certificateIterator->dwCertEncodingType & X509_ASN_ENCODING)
+ {
+ int ret = mbedtls_x509_crt_parse(&_cacert,
+ certificateIterator->pbCertEncoded,
+ certificateIterator->cbCertEncoded);
+ if (ret == 0)
+ {
+ ++certificateCount;
+ }
+ }
+
+ CertFreeCertificateContext(certificateIterator);
+ CertCloseStore(systemStore, 0);
+
+ if (certificateCount == 0)
+ {
+ errorMsg = "No certificates found";
+ return false;
+ }
+
+ return true;
+#else
+ // On macOS we can query the system cert location from the keychain
+ // On Linux we could try to fetch some local files based on the distribution
+ // On Android we could use JNI to get to the system certs
+ return false;
+#endif
+ }
+
 bool SocketMbedTLS::init(const std::string& host, bool isClient, std::string& errMsg)
 {
 initMBedTLS();
@@ -96,13 +144,15 @@ namespace ix
 }
 else
 {
- mbedtls_ssl_conf_authmode(&_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
- // FIXME: should we call mbedtls_ssl_conf_verify ?
+ mbedtls_ssl_conf_authmode(&_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
 if (_tlsOptions.isUsingSystemDefaults())
 {
- ; // FIXME
+ if (!loadSystemCertificates(errMsg))
+ {
+ return false;
+ }
 }
 else
 {
diff --git a/ixwebsocket/IXSocketMbedTLS.h b/ixwebsocket/IXSocketMbedTLS.h
index d804ddf0..032560b9 100644
--- a/ixwebsocket/IXSocketMbedTLS.h
+++ b/ixwebsocket/IXSocketMbedTLS.h
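Review bot: In `loadSystemCertificates` the `while` body is never closed: after `++certificateCount;` only two `}` follow, which close the two inner `if`s, so `CertFreeCertificateContext`/`CertCloseStore` fall inside the loop and the `#ifdef _WIN32` branch has one more `{` than `}` — the hunk's 48 added lines match its header, so this is in the patch rather than a rendering artefact, and it goes unnoticed on non-Windows builds because only the `#else` branch compiles there; add a `}` after the `X509_ASN_ENCODING` block, before the blank line preceding `CertFreeCertificateContext`. The `#else` path returns `false` without assigning `errorMsg`, so the caller in `init` (second hunk of this file) fails with whatever message was there before; set it, e.g. `errorMsg = "Loading system certificates is not implemented on this platform, set caFile";`. `while (certificateIterator = CertEnumCertificatesInStore(...))` uses an assignment as the loop condition, which compilers warn about; write it as `while ((certificateIterator = CertEnumCertificatesInStore(systemStore, certificateIterator)) != NULL)`. Roots that fail `mbedtls_x509_crt_parse` are skipped silently; a debug log with `ret` would make an eventual "No certificates found" diagnosable.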
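Review bot: The system-defaults branch parses roots into `_cacert` but nothing in this hunk attaches them to `_conf`; `init` continues past the hunk, so this relies on a `mbedtls_ssl_conf_ca_chain(&_conf, &_cacert, NULL)` after the if/else that is not visible here — worth confirming, since with `MBEDTLS_SSL_VERIFY_REQUIRED` and no chain every handshake is rejected. The removed `// FIXME: should we call mbedtls_ssl_conf_verify ?` leaves no record of the decision; a one-line comment such as `// Peer verification relies on VERIFY_REQUIRED plus the CA chain configured below; no custom verify callback` would keep the reasoning next to the authmode call.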
@@ -52,6 +52,7 @@ namespace ix
 bool init(const std::string& host, bool isClient, std::string& errMsg);
 void initMBedTLS();
+ bool loadSystemCertificates(std::string& errMsg);
 };
 } // namespace ix
diff --git a/test/IXSocketTest.cpp b/test/IXSocketTest.cpp
index ca423706..679728f2 100644
--- a/test/IXSocketTest.cpp
+++ b/test/IXSocketTest.cpp
@@ -84,7 +84,7 @@ TEST_CASE("socket", "[socket]")
 std::string errMsg;
 bool tls = true;
 SocketTLSOptions tlsOptions;
- tlsOptions.caFile = "cacert.pem";
+ // tlsOptions.caFile = "cacert.pem";
 std::shared_ptr socket = createSocket(tls, -1, errMsg, tlsOptions);
 std::string host("www.google.com");
 int port = 443;
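Review bot: The new `loadSystemCertificates` declaration carries no comment, so a reader of the header cannot tell that it is implemented for Windows only and returns `false` on every other platform; add `// Appends the OS root certificates to _cacert. Windows only; returns false elsewhere and on failure, with the reason in errMsg.` above it. The header names the parameter `errMsg` while the definition in IXSocketMbedTLS.cpp names it `errorMsg`; keep them identical so the declaration documents the same contract. The enclosing class starts before this hunk.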
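Review bot: Commenting out `tlsOptions.caFile = "cacert.pem";` switches this test to system defaults, but the MbedTLS backend's `loadSystemCertificates` in this same patch returns `false` on every non-Windows platform, so on MbedTLS builds for macOS and Linux the socket will presumably fail at TLS initialisation unless something outside the hunk skips the test there. Either keep `caFile` for those builds or guard the case explicitly. Leaving the old line as dead commented-out code is also a style issue; delete it and, if the intent matters, replace it with a comment saying why system certificates are exercised here. The `TEST_CASE` body continues outside the hunk.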