mirror of https://github.com/aria2/aria2
394 lines
11 KiB
C++
394 lines
11 KiB
C++
/* <!-- copyright */
|
|
/*
|
|
* aria2 - The high speed download utility
|
|
*
|
|
* Copyright (C) 2013 Nils Maier
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
|
*
|
|
* In addition, as a special exception, the copyright holders give
|
|
* permission to link the code of portions of this program with the
|
|
* OpenSSL library under certain conditions as described in each
|
|
* individual source file, and distribute linked combinations
|
|
* including the two.
|
|
* You must obey the GNU General Public License in all respects
|
|
* for all of the code used other than OpenSSL. If you modify
|
|
* file(s) with this exception, you may extend this exception to your
|
|
* version of the file(s), but you are not obligated to do so. If you
|
|
* do not wish to do so, delete this exception statement from your
|
|
* version. If you delete this exception statement from all source
|
|
* files in the program, then also delete it here.
|
|
*/
|
|
/* copyright --> */
|
|
#include "AppleTLSContext.h"
|
|
|
|
#include <algorithm>
|
|
#include <functional>
|
|
#include <sstream>
|
|
|
|
#ifdef __MAC_10_6
|
|
# include <Security/SecImportExport.h>
|
|
#endif
|
|
|
|
#include "LogFactory.h"
|
|
#include "BufferedFile.h"
|
|
#include "Logger.h"
|
|
#include "MessageDigest.h"
|
|
#include "fmt.h"
|
|
#include "message.h"
|
|
#include "util.h"
|
|
|
|
namespace {
|
|
using namespace aria2;
|
|
|
|
#if defined(__MAC_10_6)
|
|
|
|
# if defined(__MAC_10_7)
|
|
static const void* query_keys[] = {kSecClass, kSecReturnRef, kSecMatchPolicy,
|
|
kSecMatchLimit};
|
|
# endif // defined(__MAC_10_7)
|
|
|
|
template <typename T> class CFRef {
|
|
T ref_;
|
|
|
|
public:
|
|
CFRef() : ref_(nullptr) {}
|
|
|
|
CFRef(T ref) : ref_(ref) {}
|
|
|
|
~CFRef() { reset(nullptr); }
|
|
|
|
void reset(T ref)
|
|
{
|
|
if (ref_) {
|
|
CFRelease(ref_);
|
|
}
|
|
ref_ = ref;
|
|
}
|
|
|
|
T get() { return ref_; }
|
|
|
|
const T get() const { return ref_; }
|
|
|
|
operator bool() const { return !!ref_; }
|
|
};
|
|
|
|
static inline bool isWhitespace(char c)
|
|
{
|
|
// Fingerprints are often separated by colons
|
|
return isspace(c) || c == ':';
|
|
}
|
|
|
|
static inline std::string stripWhitespace(std::string str)
|
|
{
|
|
str.erase(std::remove_if(std::begin(str), std::end(str), isWhitespace),
|
|
std::end(str));
|
|
return str;
|
|
}
|
|
|
|
struct hash_validator {
|
|
const std::string& hash_;
|
|
|
|
hash_validator(const std::string& hash) : hash_(hash) {}
|
|
|
|
inline bool operator()(std::string type) const
|
|
{
|
|
return MessageDigest::isValidHash(type, hash_);
|
|
}
|
|
};
|
|
|
|
struct hash_finder {
|
|
CFDataRef data_;
|
|
const std::string& hash_;
|
|
|
|
hash_finder(CFDataRef data, const std::string& hash)
|
|
: data_(data), hash_(hash)
|
|
{
|
|
}
|
|
|
|
inline bool operator()(std::string type) const
|
|
{
|
|
std::string hash =
|
|
MessageDigest::create(type)
|
|
->update(CFDataGetBytePtr(data_), CFDataGetLength(data_))
|
|
.digest();
|
|
hash = util::toHex(hash);
|
|
return hash == hash_;
|
|
}
|
|
};
|
|
|
|
std::string errToString(OSStatus err)
|
|
{
|
|
std::string rv = "Unkown error";
|
|
CFRef<CFStringRef> cerr(SecCopyErrorMessageString(err, nullptr));
|
|
if (!cerr) {
|
|
return rv;
|
|
}
|
|
size_t len = CFStringGetLength(cerr.get()) * 4;
|
|
auto buf = make_unique<char[]>(len);
|
|
if (CFStringGetCString(cerr.get(), buf.get(), len, kCFStringEncodingUTF8)) {
|
|
rv = buf.get();
|
|
}
|
|
return rv;
|
|
}
|
|
|
|
bool checkIdentity(const SecIdentityRef id, const std::string& fingerPrint,
|
|
const std::vector<std::string> supported)
|
|
{
|
|
CFRef<SecCertificateRef> ref;
|
|
SecCertificateRef raw_ref = nullptr;
|
|
if (SecIdentityCopyCertificate(id, &raw_ref) != errSecSuccess) {
|
|
A2_LOG_ERROR("Failed to get a certref!");
|
|
return false;
|
|
}
|
|
ref.reset(raw_ref);
|
|
|
|
CFRef<CFDataRef> data(SecCertificateCopyData(ref.get()));
|
|
if (!data) {
|
|
A2_LOG_ERROR("Failed to get a data!");
|
|
return false;
|
|
}
|
|
|
|
// Do try all supported hash algorithms.
|
|
// Usually the fingerprint would be sha1 or md5, however this is more
|
|
// future-proof. Also "usually" doesn't cut it; there is already software
|
|
// using SHA-2 class algos, and SHA-3 is standardized and potential users
|
|
// cannot be far.
|
|
return std::find_if(std::begin(supported), std::end(supported),
|
|
hash_finder(data.get(), fingerPrint)) !=
|
|
std::end(supported);
|
|
}
|
|
|
|
#endif // defined(__MAC_10_6)
|
|
} // namespace
|
|
|
|
namespace aria2 {
|
|
|
|
TLSContext* TLSContext::make(TLSSessionSide side, TLSVersion ver)
|
|
{
|
|
return new AppleTLSContext(side, ver);
|
|
}
|
|
|
|
AppleTLSContext::~AppleTLSContext()
|
|
{
|
|
if (credentials_) {
|
|
CFRelease(credentials_);
|
|
credentials_ = nullptr;
|
|
}
|
|
}
|
|
|
|
bool AppleTLSContext::addCredentialFile(const std::string& certfile,
|
|
const std::string& keyfile)
|
|
{
|
|
if (certfile.empty()) {
|
|
return false;
|
|
}
|
|
|
|
if (tryAsFingerprint(certfile)) {
|
|
return true;
|
|
}
|
|
if (tryAsPKCS12(certfile)) {
|
|
return true;
|
|
}
|
|
|
|
A2_LOG_WARN("Only PKCS12/PFX files with a blank password and fingerprints of "
|
|
"certificates in your KeyChain are supported. See the manual.");
|
|
return false;
|
|
}
|
|
|
|
bool AppleTLSContext::addTrustedCACertFile(const std::string& certfile)
|
|
{
|
|
A2_LOG_INFO("TLS CA bundle files are not supported. Use the KeyChain to "
|
|
"manage your certificates.");
|
|
return false;
|
|
}
|
|
|
|
SecIdentityRef AppleTLSContext::getCredentials() { return credentials_; }
|
|
|
|
bool AppleTLSContext::tryAsFingerprint(const std::string& fingerprint)
|
|
{
|
|
auto fp = stripWhitespace(fingerprint);
|
|
// Verify this is a valid hex representation and normalize.
|
|
fp = util::toHex(util::fromHex(std::begin(fp), std::end(fp)));
|
|
|
|
// Verify this can represent a hash
|
|
auto ht = MessageDigest::getSupportedHashTypes();
|
|
if (std::find_if(std::begin(ht), std::end(ht), hash_validator(fp)) ==
|
|
std::end(ht)) {
|
|
A2_LOG_INFO(fmt("%s is not a fingerprint, invalid hash representation",
|
|
fingerprint.c_str()));
|
|
return false;
|
|
}
|
|
|
|
#if defined(__MAC_10_7)
|
|
A2_LOG_DEBUG(fmt("Looking for cert with fingerprint %s", fp.c_str()));
|
|
|
|
// Build and run the KeyChain the query.
|
|
CFRef<SecPolicyRef> policy(SecPolicyCreateSSL(true, nullptr));
|
|
if (!policy) {
|
|
A2_LOG_ERROR("Failed to create SecPolicy");
|
|
return false;
|
|
}
|
|
const void* query_values[] = {kSecClassIdentity, kCFBooleanTrue, policy.get(),
|
|
kSecMatchLimitAll};
|
|
CFRef<CFDictionaryRef> query(CFDictionaryCreate(
|
|
nullptr, query_keys, query_values, 4, nullptr, nullptr));
|
|
if (!query) {
|
|
A2_LOG_ERROR("Failed to create identity query");
|
|
return false;
|
|
}
|
|
CFArrayRef identities;
|
|
OSStatus err = SecItemCopyMatching(query.get(), (CFTypeRef*)&identities);
|
|
if (err != errSecSuccess) {
|
|
A2_LOG_ERROR("Query failed: " + errToString(err));
|
|
return false;
|
|
}
|
|
|
|
// Alrighty, search the fingerprint.
|
|
const size_t nvals = CFArrayGetCount(identities);
|
|
for (size_t i = 0; i < nvals; ++i) {
|
|
SecIdentityRef id = (SecIdentityRef)CFArrayGetValueAtIndex(identities, i);
|
|
if (!id) {
|
|
A2_LOG_ERROR("Failed to get a value!");
|
|
continue;
|
|
}
|
|
if (!checkIdentity(id, fp, ht)) {
|
|
continue;
|
|
}
|
|
A2_LOG_INFO("Found cert with matching fingerprint");
|
|
credentials_ = id;
|
|
CFRetain(id);
|
|
return true;
|
|
}
|
|
|
|
A2_LOG_ERROR(
|
|
fmt("Failed to lookup %s in your KeyChain", fingerprint.c_str()));
|
|
return false;
|
|
|
|
#else // defined(__MAC_10_7)
|
|
# if defined(__MAC_10_6)
|
|
|
|
CFRef<SecIdentitySearchRef> search;
|
|
SecIdentitySearchRef raw_search;
|
|
|
|
// Deprecated as of 10.7
|
|
OSStatus err = SecIdentitySearchCreate(0, CSSM_KEYUSE_SIGN, &raw_search);
|
|
if (err != errSecSuccess) {
|
|
A2_LOG_ERROR("Certificate search failed: " + errToString(err));
|
|
}
|
|
search.reset(raw_search);
|
|
|
|
SecIdentityRef id;
|
|
while (SecIdentitySearchCopyNext(search, &id) == errSecSuccess) {
|
|
if (!checkIdentity(id, fp, ht)) {
|
|
continue;
|
|
}
|
|
A2_LOG_INFO("Found cert with matching fingerprint");
|
|
credentials_ = id;
|
|
return true;
|
|
}
|
|
|
|
A2_LOG_ERROR(
|
|
fmt("Failed to lookup %s in your KeyChain", fingerprint.c_str()));
|
|
return false;
|
|
|
|
# else // defined(__MAC_10_6)
|
|
|
|
A2_LOG_ERROR("Your system does not support creditials via fingerprints; "
|
|
"Upgrade to OSX 10.6 or later");
|
|
return false;
|
|
|
|
# endif // defined(__MAC_10_6)
|
|
#endif // defined(__MAC_10_7)
|
|
}
|
|
|
|
bool AppleTLSContext::tryAsPKCS12(const std::string& certfile)
|
|
{
|
|
#if defined(__MAC_10_6)
|
|
std::stringstream ss;
|
|
BufferedFile(certfile.c_str(), BufferedFile::READ).transfer(ss);
|
|
auto data = ss.str();
|
|
if (data.empty()) {
|
|
A2_LOG_ERROR("Couldn't read certificate file.");
|
|
return false;
|
|
}
|
|
CFRef<CFDataRef> dataRef(
|
|
CFDataCreate(nullptr, (const UInt8*)data.c_str(), data.size()));
|
|
if (!dataRef) {
|
|
A2_LOG_ERROR("Couldn't allocate PKCS12 data");
|
|
return false;
|
|
}
|
|
|
|
return tryAsPKCS12(dataRef.get(), "") || tryAsPKCS12(dataRef.get(), nullptr);
|
|
|
|
#else // defined(__MAC_10_6)
|
|
A2_LOG_INFO("PKCS12 files are only supported in OSX 10.6 or later.");
|
|
return false;
|
|
|
|
#endif // defined(__MAC_10_6)
|
|
}
|
|
|
|
bool AppleTLSContext::tryAsPKCS12(CFDataRef data, const char* password)
|
|
{
|
|
#if defined(__MAC_10_6)
|
|
CFRef<CFStringRef> passwordRef;
|
|
if (password) {
|
|
passwordRef.reset(CFStringCreateWithBytes(nullptr, (const UInt8*)password,
|
|
strlen(password),
|
|
kCFStringEncodingUTF8, false));
|
|
}
|
|
const void* keys[] = {kSecImportExportPassphrase};
|
|
const void* values[] = {passwordRef.get()};
|
|
CFRef<CFDictionaryRef> options(
|
|
CFDictionaryCreate(nullptr, keys, values, 1, nullptr, nullptr));
|
|
if (!options) {
|
|
A2_LOG_ERROR("Failed to create options");
|
|
return false;
|
|
}
|
|
|
|
CFRef<CFArrayRef> items;
|
|
CFArrayRef raw_items = nullptr;
|
|
OSStatus rv = SecPKCS12Import(data, options.get(), &raw_items);
|
|
if (rv != errSecSuccess) {
|
|
A2_LOG_DEBUG(
|
|
fmt("Failed to parse PKCS12 data: %s", errToString(rv).c_str()));
|
|
return false;
|
|
}
|
|
items.reset(raw_items);
|
|
|
|
CFDictionaryRef idAndTrust =
|
|
(CFDictionaryRef)CFArrayGetValueAtIndex(items.get(), 0);
|
|
if (!idAndTrust) {
|
|
A2_LOG_ERROR("Failed to get identity and trust from PKCS12 data");
|
|
return false;
|
|
}
|
|
credentials_ =
|
|
(SecIdentityRef)CFDictionaryGetValue(idAndTrust, kSecImportItemIdentity);
|
|
if (!credentials_) {
|
|
A2_LOG_ERROR("Failed to get credentials PKCS12 data");
|
|
return false;
|
|
}
|
|
CFRetain(credentials_);
|
|
A2_LOG_INFO("Loaded certificate from file");
|
|
return true;
|
|
|
|
#else // defined(__MAC_10_6)
|
|
return false;
|
|
|
|
#endif // defined(__MAC_10_6)
|
|
}
|
|
|
|
} // namespace aria2
|