Certificate trigger and directory operations
Implement trigger of certificate and permission expiries using the timed callbacks. Implement directory operations such that trusted CA can be read. This implements OS abstraction functions such as opendir and stat. Signed-off-by: Stefan Kimmer <skimmer@s2e-systems.com>
This commit is contained in:
Stefan Kimmer
eboasson
parent
3b4facbd45
commit
aef4f0a126
25 changed files with 3039 additions and 169 deletions
|
|
@ -30,6 +30,8 @@
|
|||
#include <openssl/rand.h>
|
||||
#include "dds/ddsrt/time.h"
|
||||
#include "dds/ddsrt/heap.h"
|
||||
#include "dds/ddsrt/filesystem.h"
|
||||
#include "dds/ddsrt/retcode.h"
|
||||
#include "dds/security/dds_security_api_defs.h"
|
||||
#include "dds/security/core/dds_security_utils.h"
|
||||
#include <assert.h>
|
||||
|
|
@ -47,11 +49,11 @@
|
|||
#include "dds/ddsrt/heap.h"
|
||||
#include "dds/ddsrt/atomics.h"
|
||||
#include "dds/ddsrt/string.h"
|
||||
#include "dds/ddsrt/io.h"
|
||||
#include "dds/security/core/dds_security_utils.h"
|
||||
#include <string.h>
|
||||
#include "auth_utils.h"
|
||||
|
||||
|
||||
#define MAX_TRUSTED_CA 100
|
||||
|
||||
char *
|
||||
|
|
@ -1190,40 +1192,29 @@ get_trusted_ca_list ( const char* trusted_ca_dir,
|
|||
|
||||
|
||||
DDS_Security_ValidationResult_t loading_result = DDS_RETCODE_OK;
|
||||
DDSRT_UNUSED_ARG( ca_list );
|
||||
DDSRT_UNUSED_ARG( trusted_ca_dir );
|
||||
DDSRT_UNUSED_ARG( ex );
|
||||
/* TODO: Trusted CA directory tracing function should be ported */
|
||||
/* TODO: MAX_TRUSTED_CA limitation will be removed */
|
||||
#ifdef TRUSTED_CA_LIST_IMPLEMENTED
|
||||
|
||||
os_result r;
|
||||
os_dirHandle d_descr;
|
||||
struct os_dirent d_entry;
|
||||
struct os_stat_s status;
|
||||
dds_return_t r;
|
||||
ddsrt_dir_handle_t d_descr;
|
||||
struct ddsrt_dirent d_entry;
|
||||
struct ddsrt_stat status;
|
||||
char *full_file_path;
|
||||
char *trusted_ca_dir_normalized;
|
||||
|
||||
X509 *ca_buffer_array[MAX_TRUSTED_CA]; /*max trusted CA size */
|
||||
unsigned ca_buffer_array_size=0;
|
||||
unsigned i;
|
||||
trusted_ca_dir_normalized = os_fileNormalize(trusted_ca_dir);
|
||||
trusted_ca_dir_normalized = ddsrt_file_normalize(trusted_ca_dir);
|
||||
|
||||
r = os_opendir(trusted_ca_dir_normalized, &d_descr);
|
||||
r = ddsrt_opendir(trusted_ca_dir_normalized, &d_descr);
|
||||
ddsrt_free ( trusted_ca_dir_normalized );
|
||||
|
||||
if (r == os_resultSuccess && ca_buffer_array_size < MAX_TRUSTED_CA) { /* accessable */
|
||||
r = os_readdir(d_descr, &d_entry);
|
||||
while (r == os_resultSuccess) {
|
||||
full_file_path = (char*) ddsrt_malloc(strlen(trusted_ca_dir) + strlen(os_fileSep()) + strlen(d_entry.d_name) + strlen(os_fileSep()) + 1 );
|
||||
ddsrt_strcpy(full_file_path, trusted_ca_dir);
|
||||
ddsrt_strcat(full_file_path, os_fileSep());
|
||||
ddsrt_strcat(full_file_path, d_entry.d_name);
|
||||
|
||||
if (os_stat (full_file_path, &status) == os_resultSuccess) { /* accessable */
|
||||
if (r == DDS_RETCODE_OK && ca_buffer_array_size < MAX_TRUSTED_CA) { /* accessable */
|
||||
r = ddsrt_readdir(d_descr, &d_entry);
|
||||
while (r == DDS_RETCODE_OK) {
|
||||
ddsrt_asprintf(&full_file_path, "%s%s%s", trusted_ca_dir, ddsrt_file_sep(), d_entry.d_name);
|
||||
if (ddsrt_stat (full_file_path, &status) == DDS_RETCODE_OK) { /* accessable */
|
||||
if ((strcmp(d_entry.d_name, ".") != 0) &&
|
||||
(strcmp(d_entry.d_name, "..") != 0)) {
|
||||
char * filename = os_fileNormalize(full_file_path);
|
||||
char * filename = ddsrt_file_normalize(full_file_path);
|
||||
|
||||
if(filename){
|
||||
X509 *identityCA;
|
||||
|
|
@ -1239,26 +1230,26 @@ get_trusted_ca_list ( const char* trusted_ca_dir,
|
|||
}
|
||||
}
|
||||
}
|
||||
r = os_readdir(d_descr, &d_entry);
|
||||
r = ddsrt_readdir(d_descr, &d_entry);
|
||||
|
||||
ddsrt_free(full_file_path);
|
||||
}
|
||||
|
||||
os_closedir (d_descr);
|
||||
ddsrt_closedir (d_descr);
|
||||
|
||||
/* deallocate given ca_list if it is not NULL */
|
||||
free_ca_list_contents(ca_list);
|
||||
|
||||
/*copy CAs to out parameter as HASH*/
|
||||
if( ca_buffer_array_size > 0 ){
|
||||
ca_list->_buffer = ddsrt_malloc( ca_buffer_array_size * sizeof(X509 * ) );
|
||||
ca_list->buffer = ddsrt_malloc( ca_buffer_array_size * sizeof(X509 * ) );
|
||||
for (i = 0; i < ca_buffer_array_size; ++i) {
|
||||
ca_list->_buffer[i] = ca_buffer_array[i];
|
||||
ca_list->buffer[i] = ca_buffer_array[i];
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
ca_list->_length = ca_buffer_array_size;
|
||||
ca_list->length = ca_buffer_array_size;
|
||||
|
||||
return DDS_SECURITY_VALIDATION_OK;
|
||||
|
||||
|
|
@ -1267,7 +1258,6 @@ get_trusted_ca_list ( const char* trusted_ca_dir,
|
|||
DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_TRUSTED_CA_DIR_CODE, 0, DDS_SECURITY_ERR_INVALID_TRUSTED_CA_DIR_MESSAGE);
|
||||
return DDS_SECURITY_VALIDATION_FAILED;
|
||||
}
|
||||
#endif
|
||||
|
||||
return loading_result;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -22,6 +22,7 @@
|
|||
#include "authentication.h"
|
||||
#include "dds/ddsrt/heap.h"
|
||||
#include "dds/security/dds_security_api.h"
|
||||
#include "dds/security/core/dds_security_timed_cb.h"
|
||||
|
||||
|
||||
#if OPENSLL_VERSION_NUMBER >= 0x10002000L
|
||||
|
|
@ -202,7 +203,8 @@ typedef struct dds_security_authentication_impl {
|
|||
ddsrt_mutex_t lock;
|
||||
struct ddsrt_hh *objectHash;
|
||||
struct ddsrt_hh *remoteGuidHash;
|
||||
struct ut_timed_dispatcher_t *timed_callbacks;
|
||||
struct dds_security_timed_cb_data *timed_callbacks;
|
||||
struct dds_security_timed_dispatcher_t *dispatcher;
|
||||
X509Seq trustedCAList;
|
||||
|
||||
|
||||
|
|
@ -844,22 +846,19 @@ hash_value_to_binary_property(
|
|||
return bp;
|
||||
}
|
||||
|
||||
|
||||
/* Will be enabled after timed callback feature implementation */
|
||||
#if TIMED_CALLBACK_IMPLEMENTED
|
||||
|
||||
static void
|
||||
validity_callback(struct ut_timed_dispatcher_t *d,
|
||||
ut_timed_cb_kind kind,
|
||||
validity_callback(struct dds_security_timed_dispatcher_t *d,
|
||||
dds_security_timed_cb_kind kind,
|
||||
void *listener,
|
||||
void *arg)
|
||||
{
|
||||
validity_cb_info *info = arg;
|
||||
|
||||
DDSRT_UNUSED_ARG(d);
|
||||
assert(d);
|
||||
assert(arg);
|
||||
|
||||
if (kind == UT_TIMED_CB_KIND_TIMEOUT) {
|
||||
if (kind == DDS_SECURITY_TIMED_CB_KIND_TIMEOUT) {
|
||||
assert(listener);
|
||||
dds_security_authentication_listener *auth_listener = (dds_security_authentication_listener*)listener;
|
||||
if (auth_listener->on_revoke_identity) {
|
||||
|
|
@ -872,26 +871,19 @@ validity_callback(struct ut_timed_dispatcher_t *d,
|
|||
ddsrt_free(arg);
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
static void
|
||||
add_validity_end_trigger(dds_security_authentication_impl *auth,
|
||||
const DDS_Security_IdentityHandle identity_handle,
|
||||
dds_time_t end)
|
||||
{
|
||||
DDSRT_UNUSED_ARG( auth );
|
||||
DDSRT_UNUSED_ARG( identity_handle );
|
||||
DDSRT_UNUSED_ARG( end );
|
||||
/* Will be enabled after timed call back feature implementation */
|
||||
/*
|
||||
validity_cb_info *arg = ddsrt_malloc(sizeof(validity_cb_info));
|
||||
arg->auth = auth;
|
||||
arg->hdl = identity_handle;
|
||||
ut_timed_dispatcher_add(auth->timed_callbacks,
|
||||
dds_security_timed_dispatcher_add(auth->timed_callbacks, auth->dispatcher,
|
||||
validity_callback,
|
||||
end,
|
||||
(void*)arg);
|
||||
*/
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -3170,18 +3162,14 @@ DDS_Security_boolean set_listener(dds_security_authentication *instance,
|
|||
{
|
||||
dds_security_authentication_impl *auth = (dds_security_authentication_impl*)instance;
|
||||
|
||||
DDSRT_UNUSED_ARG(auth);
|
||||
DDSRT_UNUSED_ARG(listener);
|
||||
DDSRT_UNUSED_ARG(ex);
|
||||
|
||||
/* Will be enabled after timed call back feature implementation */
|
||||
#if TIMED_CALLBACK_IMPLEMENTED
|
||||
if (listener) {
|
||||
ut_timed_dispatcher_enable(auth->timed_callbacks, (void*)listener);
|
||||
dds_security_timed_dispatcher_enable(auth->timed_callbacks, auth->dispatcher, (void*)listener);
|
||||
} else {
|
||||
ut_timed_dispatcher_disable(auth->timed_callbacks);
|
||||
dds_security_timed_dispatcher_disable(auth->timed_callbacks, auth->dispatcher);
|
||||
}
|
||||
#endif
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
|
|
@ -3398,8 +3386,8 @@ init_authentication( const char *argument, void **context)
|
|||
memset(authentication, 0, sizeof(dds_security_authentication_impl));
|
||||
|
||||
/* assign dispatcher to be notified when a validity date ends */
|
||||
/* Disable it until timed callback is ready */
|
||||
/*authentication->timed_callbacks = ut_timed_dispatcher_new(); */
|
||||
authentication->timed_callbacks = dds_security_timed_cb_new();
|
||||
authentication->dispatcher = dds_security_timed_dispatcher_new(authentication->timed_callbacks);
|
||||
|
||||
/* assign the interface functions */
|
||||
authentication->base.validate_local_identity = &validate_local_identity;
|
||||
|
|
@ -3474,8 +3462,9 @@ int32_t finalize_authentication(void *instance)
|
|||
if( authentication ){
|
||||
ddsrt_mutex_lock(&authentication->lock);
|
||||
|
||||
/* Will be enabled after timed call back feature implementation */
|
||||
/* ut_timed_dispatcher_free(authentication->timed_callbacks); */
|
||||
dds_security_timed_dispatcher_free(authentication->timed_callbacks, authentication->dispatcher);
|
||||
dds_security_timed_cb_free(authentication->timed_callbacks);
|
||||
|
||||
if (authentication->remoteGuidHash) {
|
||||
ddsrt_hh_free(authentication->remoteGuidHash);
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue