TAO does not support revocation lists
Version
TAO 2.5.14
Host machine and operating system
Linux
Compiler name and version (including patch level)
GCC 7.3
The $ACE_ROOT/ace/config.h file
N/A
The $ACE_ROOT/include/makeinclude/platform_macros.GNU file
N/A
Contents of $ACE_ROOT/bin/MakeProjectCreator/config/default.features
N/A
AREA/CLASS/EXAMPLE AFFECTED:
Protocol_Factory
The problem affects:
CORBA supports a CA file, but does not support a revocation list
Synopsis
Protocol_Factory::init does not support a revocation list
Description
CORBA supports a CA file, but does not support a revocation list
Repeat by
CORBA supports a CA file, but does not support a revocation list
Sample fix/ workaround
I think we can add a parameter named SSLCRLFile and call the OpenSSL function to load the CRL specified by that parameter. I've developed the code and it has been tested to work.
diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp
index 907e724698..169d9c1c20 100644
--- a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp
+++ b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp
@@ -299,6 +299,45 @@ TAO::SSLIOP::Protocol_Factory::parse_x509_file (char *arg, char *&path)
return -1;
}
+int TAO::SSLIOP::Protocol_Factory::load_crl_file(SSL_CTX *ctx, const char *file_name, int type)
+{
+ if (ctx == nullptr || file_name == nullptr) {
+ return 0;
+ }
+
+ int ret = 0;
+ BIO *in = nullptr;
+ X509_CRL *x = nullptr;
+ X509_STORE *st = SSL_CTX_get_cert_store(ctx);
+ if (st == nullptr) {
+ goto err;
+ }
+
+ if (type == SSL_FILETYPE_PEM) {
+ ret = SSL_CTX_load_verify_locations(ctx, file_name, nullptr);
+ } else if (type == SSL_FILETYPE_ASN1) {
+ in = BIO_new(BIO_s_file());
+ if ((in == nullptr) || (BIO_read_filename(in, file_name) <= 0)) {
+ goto err;
+ }
+ x = d2i_X509_CRL_bio(in, nullptr);
+ if (x == nullptr) {
+ goto err;
+ }
+ ret = X509_STORE_add_crl(st, x);
+ }
+
+ if (ret == 1) {
+ (void)X509_STORE_set_flags(st, X509_V_FLAG_CRL_CHECK);
+ }
+
+err:
+ X509_CRL_free(x);
+ (void)BIO_free(in);
+
+ return ret;
+}
+
int
TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[])
{
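Review bot: The flag set on `(void)X509_STORE_set_flags(st, X509_V_FLAG_CRL_CHECK);` only checks the peer's leaf certificate against the CRL, so a revoked intermediate CA in the chain is still accepted; unless leaf-only checking is intended, use `X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL` and state the choice in a comment. The PEM branch goes through SSL_CTX_load_verify_locations, which as far as I recall loads every PEM object in the file, so any certificate that happens to be in the CRL file is silently added to the trust store; loading through an X509_LOOKUP_file lookup with X509_load_crl_file restricts it to CRLs (that call returns the number of CRLs loaded, so the `ret == 1` test would become `ret > 0`). A type that is neither PEM nor ASN1 (parse_x509_file returns -1 when it cannot classify the file) falls through to `return 0` without queuing an OpenSSL error, which the caller later tries to report via ERR_get_error. A header comment stating that the function returns 1 on success and 0 otherwise, and that CRL checking is enabled only on success, would make that contract visible.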
@@ -313,6 +352,8 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[])
int certificate_type = -1;
int private_key_type = -1;
int dhparams_type = -1;
+ CORBA::String_var crl_path;
+ int crl_type = -1;
int prevdebug = -1;
@@ -411,6 +452,17 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[])
}
}
+ else if (ACE_OS::strcasecmp (argv[curarg],
+ ACE_TEXT("-SSLCRLFile")) == 0)
+ {
+ curarg++;
+ if (curarg < argc)
+ {
+ std::string str_crl_path = ACE_OS::replaceEnvVar(ACE_TEXT_ALWAYS_CHAR(argv[curarg]));
+ crl_type = parse_x509_file ((char*)str_crl_path.c_str(), crl_path.out());
+ }
+ }
+
else if (ACE_OS::strcasecmp (argv[curarg],
ACE_TEXT("-SSLAuthenticate")) == 0)
{
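Review bot: The cast `(char*)str_crl_path.c_str()` discards const with a C-style cast; if parse_x509_file only reads its argument the cleaner fix is a `const char*` parameter, and if it writes to it (its body is outside this hunk) then writing through `c_str()` is undefined behaviour and a mutable copy is needed. If the neighbouring options already use the same pattern this is pre-existing, but the new line need not repeat it. The added blank `+` line between the closing brace and the following `else if` splits the option chain in a way the surrounding code does not. The new `-SSLCRLFile` option should also be documented wherever the other `-SSL*` factory options are described. init starts and ends outside this hunk.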
@@ -739,6 +791,24 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[])
}
}
+ if (crl_path.in() != 0)
+ {
+ if (load_crl_file(ssl_ctx->context(), crl_path.in(), crl_type) != 1) {
+ ORBSVCS_ERROR ((LM_ERROR,
+ ACE_TEXT ("TAO (%P|%t) - Unable to load ")
+ ACE_TEXT ("crl file ")
+ ACE_TEXT ("<%C> in SSLIOP factory, errno=%s.\n"),
+ crl_path.in(), ERR_reason_error_string(ERR_get_error())));
+ } else {
+ if (TAO_debug_level > 0)
+ ORBSVCS_DEBUG ((LM_INFO,
+ ACE_TEXT ("TAO (%P|%t) - SSLIOP loaded ")
+ ACE_TEXT ("crl file ")
+ ACE_TEXT ("<%C>\n"),
+ crl_path.in ()));
+ }
+ }
+
if (ec_name.in ())
{
#ifdef OPENSSL_NO_EC
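Review bot: The error message mixes formats: `crl_path.in()` is printed with `%C` while the `const char *` from ERR_reason_error_string is given to `%s`, which in a wide-character ACE build expects an ACE_TCHAR string, and the `errno=` label is misleading because the value is an OpenSSL error reason; use `ACE_TEXT ("<%C> in SSLIOP factory: %C.\n")` for both. ERR_get_error returns 0 when nothing is queued (load_crl_file returns 0 without an OpenSSL error for an unsupported type), in which case ERR_reason_error_string yields NULL, so the pointer should be checked before it is formatted. A CRL that fails to load is only logged and init continues, so the ORB starts with revocation checking silently disabled; if the neighbouring certificate and key failures return -1 from init (they are outside this hunk), the CRL failure should do the same. init continues before and after this hunk.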
diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.h b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.h
index 7fcacc9fbf..44046e2648 100644
--- a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.h
+++ b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.h
@@ -29,6 +29,7 @@
#include "tao/Protocol_Factory.h"
#include "ace/Service_Config.h"
+#include "ace/SSL/SSL_Context.h"
TAO_BEGIN_VERSIONED_NAMESPACE_DECL
@@ -94,6 +95,8 @@ namespace TAO
///
static int parse_x509_file (char *arg, char *&path);
+ int load_crl_file(SSL_CTX *ctx, const char *file_name, int type);
+
/// Callback for supplying a password to be used accessing a private key.
/// Key initialized by env var or supplied in arg list.
/// This callback is only used when a password is configured.
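Review bot: load_crl_file touches only its arguments (its body in SSLIOP_Factory.cpp reads no instance state) and sits beside the `static` parse_x509_file, so it should be declared `static int load_crl_file (SSL_CTX *ctx, const char *file_name, int type);` to match. It is also the only member in this block without a Doxygen comment; something like `/// Load the CRL in @a file_name (PEM or DER, per @a type) into the verify store of @a ctx and enable CRL checking. Returns 1 on success, 0 otherwise.` would match the surrounding style. The enclosing class continues outside this hunk.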
--
2.14.1.windows.1
Please open a pull request with the proposed changes
Please open a pull request with the proposed changes I have already made a pull request. There's an issue with a cyclomatic complexity of 130; however, the cyclomatic complexity of this function was already high before. Can I ignore this issue? https://github.com/DOCGroup/ACE_TAO/pull/1830