
TAO does not support revocation lists

Open caoxiaolins opened this issue 2 years ago • 2 comments

Version

TAO 2.5.14

Host machine and operating system

Linux

Compiler name and version (including patch level)

GCC 7.3

The $ACE_ROOT/ace/config.h file

N/A

The $ACE_ROOT/include/makeinclude/platform_macros.GNU file

N/A

Contents of $ACE_ROOT/bin/MakeProjectCreator/config/default.features

N/A

AREA/CLASS/EXAMPLE AFFECTED:

Protocol_Factory

The problem affects:

CORBA supports a CA file, but does not support a revocation list

Synopsis

Protocol_Factory::init does not support a revocation list

Description

CORBA supports a CA file, but does not support a revocation list

Repeat by

CORBA supports a CA file, but does not support a revocation list

Sample fix/ workaround

I think we can add a parameter named SSLCRLFile and call the OpenSSL function to load the CRL specified by the parameter. I have developed the code, and it has been tested to work.

diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp
index 907e724698..169d9c1c20 100644
--- a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp
+++ b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp
@@ -299,6 +299,45 @@ TAO::SSLIOP::Protocol_Factory::parse_x509_file (char *arg, char *&path)
   return -1;
 }
 
+int TAO::SSLIOP::Protocol_Factory::load_crl_file(SSL_CTX *ctx, const char *file_name, int type)
+{
+    if (ctx == nullptr || file_name == nullptr) {
+        return 0;
+    }
+
+    int ret = 0;
+    BIO *in = nullptr;
+    X509_CRL *x = nullptr;
+    X509_STORE *st = SSL_CTX_get_cert_store(ctx);
+    if (st == nullptr) {
+        goto err;
+    }
+
+    if (type == SSL_FILETYPE_PEM) {
+        ret = SSL_CTX_load_verify_locations(ctx, file_name, nullptr);
+    } else if (type == SSL_FILETYPE_ASN1) {
+        in = BIO_new(BIO_s_file());
+        if ((in == nullptr) || (BIO_read_filename(in, file_name) <= 0)) {
+            goto err;
+        }
+        x = d2i_X509_CRL_bio(in, nullptr);
+        if (x == nullptr) {
+            goto err;
+        }
+        ret = X509_STORE_add_crl(st, x);
+    }
+
+    if (ret == 1) {
+        (void)X509_STORE_set_flags(st, X509_V_FLAG_CRL_CHECK);
+    }
+
+err:
+    X509_CRL_free(x);
+    (void)BIO_free(in);
+
+    return ret;
+}
+
 int
 TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[])
 {
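Review bot: `X509_STORE_set_flags(st, X509_V_FLAG_CRL_CHECK)` at the end of load_crl_file enables revocation checking for the leaf certificate only; intermediate CA certificates in the chain are not checked against a CRL unless `X509_V_FLAG_CRL_CHECK_ALL` is also set, so either use `X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL` or document the leaf-only scope next to the call. In the PEM branch, `SSL_CTX_load_verify_locations` goes through the store's file lookup, which as far as I recall also adds any certificates found in the file as trusted CAs alongside the CRLs, so the file given to -SSLCRLFile should be documented as containing CRLs only. An unrecognized `type` (including the -1 the caller passes when parse_x509_file failed) leaves `ret` at 0 without queuing an OpenSSL error, which the caller's ERR_get_error-based message then cannot explain; an explicit `else` branch with a comment, or a distinct return value, would make that path diagnosable. The function reads no member state and could be `static`, matching parse_x509_file directly above it.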
@@ -313,6 +352,8 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[])
   int certificate_type = -1;
   int private_key_type = -1;
   int dhparams_type = -1;
+  CORBA::String_var crl_path;
+  int crl_type = -1;
 
   int prevdebug = -1;
 
@@ -411,6 +452,17 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[])
             }
         }
 
+      else if (ACE_OS::strcasecmp (argv[curarg],
+                                   ACE_TEXT("-SSLCRLFile")) == 0)
+        {
+          curarg++;
+          if (curarg < argc)
+            {
+              std::string str_crl_path = ACE_OS::replaceEnvVar(ACE_TEXT_ALWAYS_CHAR(argv[curarg]));
+              crl_type = parse_x509_file ((char*)str_crl_path.c_str(), crl_path.out());
+            }
+        }
+
       else if (ACE_OS::strcasecmp (argv[curarg],
                                    ACE_TEXT("-SSLAuthenticate")) == 0)
         {
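Review bot: The `(char*)str_crl_path.c_str()` cast at the parse_x509_file call discards the `const` that `c_str()` guarantees; if parse_x509_file ever writes into `arg` this is undefined behaviour on the std::string buffer, and even if it only reads, a `const_cast<char*>` (or widening parse_x509_file to take `const char*`) makes the intent visible and greppable. When -SSLCRLFile is the last argument the option is silently dropped because `curarg < argc` fails; an ORBSVCS_ERROR in that branch would match how a failed CRL load is reported later in init. init's body starts and ends outside this hunk.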
@@ -739,6 +791,24 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[])
         }
     }
 
+  if (crl_path.in() != 0)
+    {
+      if (load_crl_file(ssl_ctx->context(), crl_path.in(), crl_type) != 1) {
+        ORBSVCS_ERROR ((LM_ERROR,
+                        ACE_TEXT ("TAO (%P|%t) - Unable to load ")
+                        ACE_TEXT ("crl file ")
+                        ACE_TEXT ("<%C> in SSLIOP factory, errno=%s.\n"),
+                        crl_path.in(), ERR_reason_error_string(ERR_get_error())));
+      } else {
+        if (TAO_debug_level > 0)
+        ORBSVCS_DEBUG ((LM_INFO,
+                        ACE_TEXT ("TAO (%P|%t) - SSLIOP loaded ")
+                        ACE_TEXT ("crl file ")
+                        ACE_TEXT ("<%C>\n"),
+                        crl_path.in ()));
+      }
+    }
+
   if (ec_name.in ())
     {
 #ifdef OPENSSL_NO_EC
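Review bot: When load_crl_file fails, init only logs the ORBSVCS_ERROR and continues at `if (ec_name.in ())`, so an ORB configured with -SSLCRLFile still starts with no revocation checking in effect — fail-open for an option whose purpose is to reject revoked peers; add `return -1;` after the error so a misconfigured CRL is treated like the other unrecoverable SSLIOP init errors, or document that CRL loading is best-effort. The message formats the OpenSSL reason string with `%s` while the path just before it uses `%C`; in an ACE wide-char build `%s` expects an ACE_TCHAR string, and ERR_reason_error_string can return NULL when no error was queued (load_crl_file returns 0 without an OpenSSL error for an unknown type), so fetch it first and guard it: `const char *reason = ERR_reason_error_string (ERR_get_error ());` and then `ACE_TEXT ("<%C> in SSLIOP factory, error=%C.\n"), crl_path.in (), reason ? reason : "unknown"`. The `if (TAO_debug_level > 0)` guard and the ORBSVCS_DEBUG it controls sit at the same indentation, which reads as two statements; indent the debug call one level. init's body continues outside this hunk.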
diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.h b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.h
index 7fcacc9fbf..44046e2648 100644
--- a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.h
+++ b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.h
@@ -29,6 +29,7 @@
 #include "tao/Protocol_Factory.h"
 
 #include "ace/Service_Config.h"
+#include "ace/SSL/SSL_Context.h"
 
 
 TAO_BEGIN_VERSIONED_NAMESPACE_DECL
@@ -94,6 +95,8 @@ namespace TAO
       ///
       static int parse_x509_file (char *arg, char *&path);
 
+      int load_crl_file(SSL_CTX *ctx, const char *file_name, int type);
+
       /// Callback for supplying a password to be used accessing a private key.
       /// Key initialized by env var or supplied in arg list.
       /// This callback is only used when a password is configured.
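Review bot: The new `load_crl_file` declaration has no documentation comment, while the neighbouring declarations (parse_x509_file, the password callback) carry `///` comments; add something like `/// Load the CRL in @a file_name (PEM or ASN1 per @a type) into the certificate store of @a ctx and enable CRL checking on it; returns 1 on success.` The implementation in the .cpp hunk touches no instance state, so `static int load_crl_file (...)` would match parse_x509_file directly above it. `SSL_CTX` in this signature appears to be the only reason for the new `ace/SSL/SSL_Context.h` include in the hunk above; if the project's other public headers forward-declare OpenSSL types instead of including them, the same would keep OpenSSL out of this header.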
-- 
2.14.1.windows.1

caoxiaolins avatar Nov 29 '21 09:11 caoxiaolins

Please open a pull request with the proposed changes

jwillemsen avatar Nov 29 '21 13:11 jwillemsen

> Please open a pull request with the proposed changes

I have already made a pull request. There is an issue with a cyclomatic complexity of 130; however, the cyclomatic complexity of this function was already high before. Can I ignore this issue? https://github.com/DOCGroup/ACE_TAO/pull/1830

caoxiaolins avatar May 05 '22 08:05 caoxiaolins