From 871d04512c5b55fb5575ca42a1e4a1f5c9c71173 Mon Sep 17 00:00:00 2001
From: caoxiaolins
Date: Thu, 5 May 2022 09:48:45 +0800
Subject: [PATCH 1/5] ACETAO support revocation lists
---
ACE/ace/SSL/SSL_Context.cpp | 48 +++++++++++++++++++
ACE/ace/SSL/SSL_Context.h | 2 +
TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp | 37 ++++++++++++++
3 files changed, 87 insertions(+)
diff --git a/ACE/ace/SSL/SSL_Context.cpp b/ACE/ace/SSL/SSL_Context.cpp
index ebc883ed93ab2..c1db24579c328 100644
--- a/ACE/ace/SSL/SSL_Context.cpp
+++ b/ACE/ace/SSL/SSL_Context.cpp
@@ -550,6 +550,54 @@ ACE_SSL_Context::load_trusted_ca (const char* ca_file,
return 0;
}
+int
+ACE_SSL_Context::load_crl_file(const char *file_name, int type)
+{
+ if (context_ == nullptr || file_name == nullptr)
+ {
+ return 0;
+ }
+
+ int ret = 0;
+ BIO *in = nullptr;
+ X509_CRL *x = nullptr;
+ X509_STORE *st = ::SSL_CTX_get_cert_store(context_);
+ if (st == nullptr)
+ {
+ goto err;
+ }
+
+ if (type == SSL_FILETYPE_PEM)
+ {
+ ret = ::SSL_CTX_load_verify_locations(context_, file_name, nullptr);
+ }
+ else if (type == SSL_FILETYPE_ASN1)
+ {
+ in = BIO_new(BIO_s_file());
+ if (in == nullptr || BIO_read_filename(in, file_name) <= 0)
+ {
+ goto err;
+ }
+ x = d2i_X509_CRL_bio(in, nullptr);
+ if (x == nullptr)
+ {
+ goto err;
+ }
+ ret = ::X509_STORE_adn_crl(st, x);
+ }
+
+ if (ret == 1)
+ {
+ (void)X509_STORE_set_flags(st, X509_V_FLAG_CRL_CHECK);
+ }
+
+err:
+ X509_CRL_free(x);
+ (void)BIO_free(in);
+
+ return ret;
+}
+
int
ACE_SSL_Context::private_key (const char *file_name, int type)
diff --git a/ACE/ace/SSL/SSL_Context.h b/ACE/ace/SSL/SSL_Context.h
index 97eae945e62d9..611a5a553681b 100644
--- a/ACE/ace/SSL/SSL_Context.h
+++ b/ACE/ace/SSL/SSL_Context.h
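Review bot: `X509_STORE_set_flags(st, X509_V_FLAG_CRL_CHECK)` at the end of load_crl_file enables revocation checking for the peer's leaf certificate only; intermediate CA certificates in the chain are not checked against a CRL unless `X509_V_FLAG_CRL_CHECK_ALL` is also set, so a revoked intermediate still verifies. If whole-chain checking is the intent, set `(void)X509_STORE_set_flags(st, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);` or let the caller choose. Two further consequences deserve a comment in the function: in the SSL_FILETYPE_PEM branch `SSL_CTX_load_verify_locations` loads every PEM object in the file, so any certificates placed in the CRL file also become trust anchors, and once the CRL_CHECK flag is set, verification fails for every peer whose issuer has no CRL in the store, so operators must load a CRL for each issuing CA. The function is complete within the hunk.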
@@ -254,6 +254,8 @@ class ACE_SSL_Export ACE_SSL_Context
const char* ca_dir = 0,
bool use_env_defaults = true);
+ int load_crl_file(const char* file_name, int type);
+
/**
* Test whether any CA locations have been successfully loaded and
* return the number of successful attempts.
diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp
index 13a3d95679a2c..1ebabadec08be 100644
--- a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp
+++ b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp
@@ -314,6 +314,9 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[])
int private_key_type = -1;
int dhparams_type = -1;
+ CORBA::String_var crl_path;
+ int crl_type = -1;
+
int prevdebug = -1;
// Force the Singleton instance to be initialized/instantiated.
@@ -411,6 +414,17 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[])
}
}
+ else if (ACE_OS::strcasecmp (argv[curarg],
+ ACE_TEXT("-SSLCRLFile")) == 0)
+ {
+ curarg++;
+ if (curarg < argc)
+ {
+ crl_type = parse_x509_file (ACE_TEXT_ALWAYS_CHAR(argv[curarg]),
+ crl_path.out ());
+ }
+ }
+
else if (ACE_OS::strcasecmp (argv[curarg],
ACE_TEXT("-SSLAuthenticate")) == 0)
{
@@ -634,6 +648,29 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[])
}
}
+ if (crl_path.in() != 0)
+ {
+ if (ssl_ctx->load_crl_file(crl_path.in(), crl_type) != 1)
+ {
+ ORBSVCS_ERROR ((LM_ERROR,
+ ACE_TEXT ("TAO (%P|%t) - Unable to load ")
+ ACE_TEXT ("crl file ")
+ ACE_TEXT ("<%C> in SSLIOP factory, errno = %s.\n"),
+ crl_path.in(), ERR_reason_error_string(ERR_get_error())));
+ }
+ else
+ {
+ if (TAO_debug_level > 0)
+ {
+ ORBSVCS_DEBUG ((LM_INFO,
+ ACE_TEXT ("TAO (%P|%t) - SSLIOP loaded ")
+ ACE_TEXT("crl file ")
+ ACE_TEXT("<%C>\n"),
+ crl_path.in()));
+ }
+ }
+ }
+
// Load in the DH params. If there was a file explicitly specified,
// then we do that here, otherwise we load them in from the cert file.
// Note that we only do this on the server side, I think so we might
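Review bot: A failed load of the configured CRL is only logged in the last hunk and, as far as the hunk shows, init carries on, so a mistyped path or unreadable file leaves the ORB running with no revocation checking although the operator explicitly asked for it; for a security control the fail-closed choice is to add `return -1;` after the ORBSVCS_ERROR in that branch, as this function presumably does for the other mandatory SSL material (not visible here). Separately, load_crl_file returns 0 without queueing an OpenSSL error when crl_type is neither SSL_FILETYPE_PEM nor SSL_FILETYPE_ASN1 (which parse_x509_file may yield for an unrecognised name), in which case `ERR_get_error()` is 0 and `ERR_reason_error_string` can return NULL, which is then handed to the `%s` conversion (later `%C`); guard it with `const char *reason = ERR_reason_error_string (ERR_get_error ());` and log `reason ? reason : "no OpenSSL error"`. The same message is reworked in patches 3 and 5 of this series without addressing either point. Protocol_Factory::init starts and ends outside these hunks.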
From ee04ea42bdf86d1375a247bee22be1ff0ae44715 Mon Sep 17 00:00:00 2001
From: caoxiaolins
Date: Thu, 5 May 2022 10:22:57 +0800
Subject: [PATCH 2/5] ACETAO support revocation lists
---
ACE/ace/SSL/SSL_Context.cpp | 2 +-
TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp | 14 +++++++-------
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/ACE/ace/SSL/SSL_Context.cpp b/ACE/ace/SSL/SSL_Context.cpp
index c1db24579c328..0a42301fbf9e9 100644
--- a/ACE/ace/SSL/SSL_Context.cpp
+++ b/ACE/ace/SSL/SSL_Context.cpp
@@ -583,7 +583,7 @@ ACE_SSL_Context::load_crl_file(const char *file_name, int type)
{
goto err;
}
- ret = ::X509_STORE_adn_crl(st, x);
+ ret = ::X509_STORE_add_crl(st, x);
}
if (ret == 1)
diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp
index 1ebabadec08be..8292920487777 100644
--- a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp
+++ b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp
@@ -418,7 +418,7 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[])
ACE_TEXT("-SSLCRLFile")) == 0)
{
curarg++;
- if (curarg < argc)
+ if (curarg < argc)
{
crl_type = parse_x509_file (ACE_TEXT_ALWAYS_CHAR(argv[curarg]),
crl_path.out ());
@@ -654,9 +654,9 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[])
{
ORBSVCS_ERROR ((LM_ERROR,
ACE_TEXT ("TAO (%P|%t) - Unable to load ")
- ACE_TEXT ("crl file ")
- ACE_TEXT ("<%C> in SSLIOP factory, errno = %s.\n"),
- crl_path.in(), ERR_reason_error_string(ERR_get_error())));
+ ACE_TEXT ("crl file ")
+ ACE_TEXT ("<%C> in SSLIOP factory, errno = %s.\n"),
+ crl_path.in(), ERR_reason_error_string(ERR_get_error())));
}
else
{
@@ -664,9 +664,9 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[])
{
ORBSVCS_DEBUG ((LM_INFO,
ACE_TEXT ("TAO (%P|%t) - SSLIOP loaded ")
- ACE_TEXT("crl file ")
- ACE_TEXT("<%C>\n"),
- crl_path.in()));
+ ACE_TEXT("crl file ")
+ ACE_TEXT("<%C>\n"),
+ crl_path.in()));
}
}
}
From 5d9ed94e0180163e918b17ef8d5780242e67c636 Mon Sep 17 00:00:00 2001
From: caoxiaolins
Date: Sat, 7 May 2022 16:46:49 +0800
Subject: [PATCH 3/5] TAO support CRL
---
ACE/ace/SSL/SSL_Context.h | 11 +++++++++++
TAO/docs/Security/SSLIOP-USAGE.html | 4 ++++
TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp | 5 ++---
3 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/ACE/ace/SSL/SSL_Context.h b/ACE/ace/SSL/SSL_Context.h
index 611a5a553681b..cf7a89ff219cd 100644
--- a/ACE/ace/SSL/SSL_Context.h
+++ b/ACE/ace/SSL/SSL_Context.h
@@ -254,6 +254,17 @@ class ACE_SSL_Export ACE_SSL_Context
const char* ca_dir = 0,
bool use_env_defaults = true);
+ /**
+ * Load the location of the CRL.
+ *
+ * @param[in] file_name CRL file pathname. Passed to
+ * @c SSL_CTX_Load_verify_locations() if not
+ * 0 and @a type is SSL_FILETYPE_PEM. Pass to
+ * @c X509_STORE_add_crl if not 0 @a type is SSL_FILETYPE_ASN1.
+ * @param[in] type CRL file type. Support SSL_FILETYPE_PEM and
+ * SSL_FILETYPE_ASN1.
+ * @return 1 for success or others on error.
+ */
int load_crl_file(const char* file_name, int type);
/**
diff --git a/TAO/docs/Security/SSLIOP-USAGE.html b/TAO/docs/Security/SSLIOP-USAGE.html
index 24297ac067c84..2bd7bc37f41f6 100644
--- a/TAO/docs/Security/SSLIOP-USAGE.html
+++ b/TAO/docs/Security/SSLIOP-USAGE.html
@@ -167,6 +167,10 @@
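Review bot: The new Doxygen block on load_crl_file names `SSL_CTX_Load_verify_locations()`, which is not the OpenSSL function the implementation calls (`SSL_CTX_load_verify_locations`, lower-case l), and "@return 1 for success or others on error" does not state the value callers test for, so the contract should read `@return 1 on success, 0 on error.` The comment also omits the side effect a caller most needs to know: on success the implementation sets X509_V_FLAG_CRL_CHECK on the context's certificate store, after which peer verification fails for any issuer without a loaded CRL, and in the PEM case any certificates in the file are added as trust anchors as well. A sentence such as "On success, enables CRL checking of the peer certificate for this context; a CRL must then be loaded for every issuing CA" would make that explicit. The enclosing class declaration starts and ends outside the hunk.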

SSLIOP Options

-SSLCAfile filename Provide a file containing a trusted certificate, overriding the file named by SSL_CERT_FILE environment variable. + + -SSLCRLFile filename + Provide a file containing a certificate revocation list. + -SSLCApath directory Provide a directory from which all files are read for trusted certificates overriding the directory named by SSL_CERT_DIR environment variable.<
diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp
index 8292920487777..edb41c96243b2 100644
--- a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp
+++ b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp
@@ -655,7 +655,7 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[])
ORBSVCS_ERROR ((LM_ERROR,
ACE_TEXT ("TAO (%P|%t) - Unable to load ")
ACE_TEXT ("crl file ")
- ACE_TEXT ("<%C> in SSLIOP factory, errno = %s.\n"),
+ ACE_TEXT ("<%C> in SSLIOP factory, errno = %C.\n"),
crl_path.in(), ERR_reason_error_string(ERR_get_error())));
}
else
@@ -663,8 +663,7 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[])
if (TAO_debug_level > 0)
{
ORBSVCS_DEBUG ((LM_INFO,
- ACE_TEXT ("TAO (%P|%t) - SSLIOP loaded ")
- ACE_TEXT("crl file ")
+ ACE_TEXT ("TAO (%P|%t) - SSLIOP loaded crl file ")
ACE_TEXT("<%C>\n"),
crl_path.in()));
}
From 58aa6ef0a728b86447dbfbf4cdaf91b7321b0bb4 Mon Sep 17 00:00:00 2001
From: caoxiaolins
Date: Sat, 7 May 2022 17:01:03 +0800
Subject: [PATCH 4/5] TAO support CRL
---
ACE/ace/SSL/SSL_Context.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ACE/ace/SSL/SSL_Context.h b/ACE/ace/SSL/SSL_Context.h
index cf7a89ff219cd..3a57dac17d971 100644
--- a/ACE/ace/SSL/SSL_Context.h
+++ b/ACE/ace/SSL/SSL_Context.h
@@ -255,7 +255,7 @@ class ACE_SSL_Export ACE_SSL_Context
bool use_env_defaults = true);
/**
- * Load the location of the CRL.
+ * Load the location of the CRL.
*
* @param[in] file_name CRL file pathname. Passed to
* @c SSL_CTX_Load_verify_locations() if not
From ad82b5e92420d275cbe669a746eac15522916cdc Mon Sep 17 00:00:00 2001
From: caoxiaolins
Date: Sat, 7 May 2022 17:13:53 +0800
Subject: [PATCH 5/5] TAO support CRL
---
TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp
index edb41c96243b2..c8a278772e70a 100644
--- a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp
+++ b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp
@@ -653,8 +653,7 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[])
if (ssl_ctx->load_crl_file(crl_path.in(), crl_type) != 1)
{
ORBSVCS_ERROR ((LM_ERROR,
- ACE_TEXT ("TAO (%P|%t) - Unable to load ")
- ACE_TEXT ("crl file ")
+ ACE_TEXT ("TAO (%P|%t) - Unable to load crl file ")
ACE_TEXT ("<%C> in SSLIOP factory, errno = %C.\n"),
crl_path.in(), ERR_reason_error_string(ERR_get_error())));
}