1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
|
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
// This is a standalone server used to test Delegated Credentials
// (see: https://tools.ietf.org/html/draft-ietf-tls-subcerts-03).
//
// The client is expected to connect, initiate an SSL handshake (with SNI
// to indicate which "server" to connect to), and verify the certificate.
// If all is good, the client then sends one encrypted byte and receives that
// same byte back.
// This server also has the ability to "call back" another process waiting on
// it. That is, when the server is all set up and ready to receive connections,
// it will connect to a specified port and issue a simple HTTP request.
#include <iostream>
#include "TLSServer.h"
#include "sslexp.h"
using namespace mozilla;
using namespace mozilla::test;
struct DelegatedCertHost {
const char* mHostName;
const char* mCertName;
const char* mDCKeyNick;
bool mEnableDelegatedCredentials;
};
const PRUint32 kDCValidFor = 60 * 60 * 24 * 7 /* 1 week (seconds) */;
// {host, eeCert, dcCert, enableDC}
const DelegatedCertHost sDelegatedCertHosts[] = {
{"delegated-enabled.example.com", "delegated-ee", "delegated.key", true},
{"standard-enabled.example.com", "default-ee", "delegated.key", true},
{"delegated-disabled.example.com", "delegated-ee",
/* anything non-null */ "delegated.key", false},
{nullptr, nullptr, nullptr, false}};
int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
uint32_t aSrvNameArrSize, void* aArg) {
const DelegatedCertHost* host =
GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sDelegatedCertHosts);
if (!host) {
return SSL_SNI_SEND_ALERT;
}
if (gDebugLevel >= DEBUG_VERBOSE) {
std::cerr << "Identified host " << host->mHostName << std::endl;
}
UniqueCERTCertificate delegatorCert(
PK11_FindCertFromNickname(host->mCertName, nullptr));
if (!delegatorCert) {
PrintPRError("PK11_FindCertFromNickname failed");
return SSL_SNI_SEND_ALERT;
}
UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
if (!slot) {
PrintPRError("PK11_GetInternalKeySlot failed");
return SSL_SNI_SEND_ALERT;
}
SSLExtraServerCertData extra_data = {ssl_auth_null,
/* Filled in by callee */ nullptr,
nullptr,
nullptr,
/* DC */ nullptr,
/* DC PrivKey */ nullptr};
UniqueSECKEYPrivateKey delegatorPriv(
PK11_FindKeyByDERCert(slot.get(), delegatorCert.get(), nullptr));
if (!delegatorPriv) {
PrintPRError("PK11_FindKeyByDERCert failed");
return SSL_SNI_SEND_ALERT;
}
// Find the DC keypair by the file (nick) name.
ScopedAutoSECItem dc;
UniqueSECKEYPrivateKey dcPriv;
if (host->mEnableDelegatedCredentials) {
if (gDebugLevel >= DEBUG_VERBOSE) {
std::cerr << "Enabling a delegated credential for host "
<< host->mHostName << std::endl;
}
if (PK11_NeedLogin(slot.get())) {
SECStatus rv = PK11_Authenticate(slot.get(), PR_TRUE, nullptr);
if (rv != SECSuccess) {
PrintPRError("PK11_Authenticate failed");
return SSL_SNI_SEND_ALERT;
}
}
UniqueSECKEYPrivateKeyList list(PK11_ListPrivKeysInSlot(
slot.get(), const_cast<char*>(host->mDCKeyNick), nullptr));
if (!list) {
PrintPRError("PK11_ListPrivKeysInSlot failed");
return SSL_SNI_SEND_ALERT;
}
SECKEYPrivateKeyListNode* node = PRIVKEY_LIST_HEAD(list);
dcPriv.reset(SECKEY_CopyPrivateKey(node->key));
if (!dcPriv) {
PrintPRError("PK11_ListPrivKeysInSlot could not find dcPriv");
return SSL_SNI_SEND_ALERT;
}
UniqueSECKEYPublicKey dcPub(SECKEY_ConvertToPublicKey(dcPriv.get()));
if (!dcPub) {
PrintPRError("SECKEY_ConvertToPublicKey failed");
return SSL_SNI_SEND_ALERT;
}
// Create and set the DC.
if (SSL_DelegateCredential(delegatorCert.get(), delegatorPriv.get(),
dcPub.get(), ssl_sig_ecdsa_secp384r1_sha384,
kDCValidFor, PR_Now(), &dc) != SECSuccess) {
PrintPRError("SSL_DelegateCredential failed");
return SSL_SNI_SEND_ALERT;
}
extra_data.delegCred = &dc;
extra_data.delegCredPrivKey = dcPriv.get();
// The list should only have a single key.
PORT_Assert(PRIVKEY_LIST_END(PRIVKEY_LIST_NEXT(node), list));
}
if (ConfigSecureServerWithNamedCert(aFd, host->mCertName, nullptr, nullptr,
&extra_data) != SECSuccess) {
PrintPRError("ConfigSecureServerWithNamedCert failed");
return SSL_SNI_SEND_ALERT;
}
return 0;
}
int main(int argc, char* argv[]) {
return StartServer(argc, argv, DoSNISocketConfig, nullptr);
}
|