WIP: dhtproxy: load client cert in server memory

savoirfairelinux · Oct 7, 2019 · 1eebd70 · 1eebd70
1 parent 92766f7
commit 1eebd70
Show file tree

Hide file tree

Showing 6 changed files with 19 additions and 10 deletions.
diff --git a/include/opendht/dht_proxy_server.h b/include/opendht/dht_proxy_server.h
@@ -74,7 +74,7 @@ class OPENDHT_PUBLIC DhtProxyServer
     DhtProxyServer(
        dht::crypto::Identity identity,
        std::shared_ptr<DhtRunner> dht, in_port_t port = 8000, const std::string& pushServer = "",
-       const std::string& client_certificate = "", std::shared_ptr<dht::Logger> logger = {});
+       std::shared_ptr<dht::crypto::Certificate> client_certificate = {}, std::shared_ptr<dht::Logger> logger = {});
 
     virtual ~DhtProxyServer();
 

diff --git a/src/dht_proxy_server.cpp b/src/dht_proxy_server.cpp
@@ -197,7 +197,7 @@ struct DhtProxyServer::RestRouterTraits : public restinio::default_traits_t
 DhtProxyServer::DhtProxyServer(
     dht::crypto::Identity identity,
     std::shared_ptr<DhtRunner> dht, in_port_t port, const std::string& pushServer,
-    const std::string& client_certificate, std::shared_ptr<dht::Logger> logger
+    std::shared_ptr<dht::crypto::Certificate> client_certificate, std::shared_ptr<dht::Logger> logger
 )
     :   dht_(dht), logger_(logger), lockListener_(std::make_shared<std::mutex>()),
         listeners_(std::make_shared<std::map<restinio::connection_id_t, http::ListenerSession>>()),
@@ -242,10 +242,14 @@ DhtProxyServer::DhtProxyServer(
         if (ec)
             throw std::runtime_error("Error setting tls context options: " + ec.message());
         // verify client auth
-        if (!client_certificate.empty()){
+        if (!client_certificate){
             tls_context.set_verify_mode(asio::ssl::context::verify_fail_if_no_peer_cert
                                         | asio::ssl::context::verify_peer, ec);
-            tls_context.load_verify_file(client_certificate);
+            auto ca = client_certificate->toString(false/*chain*/);
+            //tls_context.load_verify_file(client_certificate);
+            tls_context.add_certificate_authority(asio::const_buffer{ca.data(), ca.size()}, ec);
+            if (ec)
+                throw std::runtime_error("Error adding client certificate: " + ec.message());
         }
         if (ec)
             throw std::runtime_error("Error setting tls verify peer options: " + ec.message());

diff --git a/tests/dhtproxytester.cpp b/tests/dhtproxytester.cpp
@@ -48,7 +48,7 @@ DhtProxyTester::setUp() {
         new dht::DhtProxyServer(
             ///*http*/dht::crypto::Identity{},
             /*https*/serverIdentity,
-            nodeProxy, 8080, /*pushServer*/"127.0.0.1:8090", "", logger));
+            nodeProxy, 8080, /*pushServer*/"127.0.0.1:8090", {}, logger));
 
     clientConfig.client_cert = serverIdentity.second;
     clientConfig.dht_config.node_config.maintain_storage = false;

diff --git a/tests/httptester.cpp b/tests/httptester.cpp
@@ -42,7 +42,7 @@ HttpTester::setUp() {
 
     serverProxy = std::unique_ptr<dht::DhtProxyServer>(
         new dht::DhtProxyServer(
-            /*http*/dht::crypto::Identity{}, nodeProxy, 8080, /*pushServer*/"127.0.0.1:8090", "", logger));
+            /*http*/dht::crypto::Identity{}, nodeProxy, 8080, /*pushServer*/"127.0.0.1:8090", {}, logger));
 
 }
 

diff --git a/tools/dhtnode.cpp b/tools/dhtnode.cpp
@@ -591,7 +591,7 @@ main(int argc, char **argv)
             proxies.emplace(params.proxyserver, std::unique_ptr<DhtProxyServer>(
                 new DhtProxyServer(
                     dht::crypto::Identity{}, node, params.proxyserver, params.pushserver,
-                    "", context.logger)));
+                    {}, context.logger)));
 #else
             std::cerr << "DHT proxy server requested but OpenDHT built without proxy server support." << std::endl;
             exit(EXIT_FAILURE);

diff --git a/tools/tools_common.h b/tools/tools_common.h
@@ -131,7 +131,7 @@ struct dht_params {
     std::string save_identity {};
     dht::crypto::Identity proxy_id {};
     std::string proxy_privkey_pwd {};
-    std::string proxy_client_certificate {};
+    std::shared_ptr<dht::crypto::Certificate> proxy_client_certificate {};
 };
 
 static const constexpr struct option long_options[] = {
@@ -276,9 +276,14 @@ parseArgs(int argc, char **argv) {
         case 'I':
             params.save_identity = optarg;
             break;
-        case 'P':
-            params.proxy_client_certificate = optarg;
+        case 'P': {
+            try {
+                params.proxy_client_certificate = std::make_shared<dht::crypto::Certificate>(loadFile(optarg));
+            } catch (const std::exception& e) {
+                throw std::runtime_error(std::string("Error loading proxy certificate: ") + e.what());
+            }
             break;
+        }
         default:
             break;
         }