djarek / certify
Boost.ASIO-based TLS certificate verification library
Home Page: https://djarek.github.io/certify/
License: Boost Software License 1.0
OpenSSL 1.0.2 and higher has built-in RFC 2818 verification - try to use that instead.
Reference: https://www.openssl.org/docs/man1.0.2/man3/X509_VERIFY_PARAM_set1_host.html
The Windows impl currently just passes the leaf certificate, which may result in validation failing with more complex chains which are not entirely known by the Windows certificate store.
Hello Djarek,
You have a wrong conversion from size_t to DWORD in keystore_windows.ipp in the CertAddEncodedCertificateToStore function.
Any compiler with warnings enabled as errors will fail on this issue.
Thanks for your work
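The conversion the comment above points at matters beyond the warning: on a 64-bit build a std::size_t silently truncates to a 32-bit DWORD, so an oversized buffer length would be handed to the certificate store as a wrong, smaller value. The following is an added example (not the certify library's code and not the Win32 API itself) of the checked narrowing a reviewer would ask for: dword_t is assumed to be a 32-bit unsigned stand-in for DWORD so the code builds without Windows headers, and add_encoded_cert is a hypothetical call site that models passing an encoded certificate's length to an API taking a DWORD.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <stdexcept>
#include <vector>

// Assumption: DWORD is a 32-bit unsigned integer on Windows; use a
// portable stand-in so this example compiles on any platform.
using dword_t = std::uint32_t;

// Returns true if a std::size_t value can be represented as a DWORD.
inline bool fits_in_dword(std::size_t n)
{
    return n <= static_cast<std::size_t>(std::numeric_limits<dword_t>::max());
}

// Explicit, checked narrowing: an out-of-range length becomes an error
// instead of a silently truncated value passed on to the cert store.
inline dword_t to_dword(std::size_t n)
{
    if (!fits_in_dword(n))
        throw std::length_error("encoded certificate length exceeds DWORD range");
    return static_cast<dword_t>(n);
}

// What the implicit conversion in the issue does on a 64-bit build:
// the high bits are discarded. Kept here only for comparison.
inline dword_t truncating_narrow(std::size_t n)
{
    return static_cast<dword_t>(n);
}

// Hypothetical call site modelled on handing a DER-encoded certificate and
// its length to a Win32 function with a DWORD length parameter. It is not
// CertAddEncodedCertificateToStore; it only records the length it would pass.
inline bool add_encoded_cert(const std::vector<unsigned char>& der, dword_t& passed_len)
{
    passed_len = to_dword(der.size());   // throws rather than truncating
    return passed_len == der.size();     // length passed on matches the buffer
}

int main()
{
    // Constructed sample: a 3-byte stand-in for a DER-encoded certificate.
    const std::vector<unsigned char> der{0x30, 0x82, 0x01};
    dword_t len = 0;
    return add_encoded_cert(der, len) && len == 3 ? 0 : 1;
}
```

The comparison value in the test below is chosen so that it wraps on a 32-bit std::size_t and truncates on a 64-bit one, giving the same 5 either way; the length_error is only expected where std::size_t is wider than dword_t.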
Scenario:
Compiling an application using certify in the scenario listed above yields the following compilation warnings:
In file included from C:/Users/joel/Documents/projects/malloy/lib/malloy/client/3rdparty/boost/certify/https_verification.hpp:33,
from C:\Users\joel\Documents\projects\malloy\lib\malloy\client\controller.cpp:7:
C:/Users/joel/Documents/projects/malloy/lib/malloy/client/3rdparty/boost/certify/detail/keystore_windows.ipp: In function 'std::unique_ptr<const _CERT_CONTEXT, boost::certify::detail::cert_context_deleter> boost::certify::detail::create_cert_ctx(stack_st_X509*)':
C:/Users/joel/Documents/projects/malloy/lib/malloy/client/3rdparty/boost/certify/detail/keystore_windows.ipp:85:21: warning: passing NULL to non-pointer argument 3 of 'void* CertOpenStore(LPCSTR, DWORD, HCRYPTPROV_LEGACY, DWORD, const void*)' [-Wconversion-null]
85 | NULL,
| ^~~~
In file included from C:/Users/joel/Documents/projects/malloy/lib/malloy/client/3rdparty/boost/certify/detail/keystore_windows.ipp:8,
from C:/Users/joel/Documents/projects/malloy/lib/malloy/client/3rdparty/boost/certify/https_verification.hpp:33,
from C:\Users\joel\Documents\projects\malloy\lib\malloy\client\controller.cpp:7:
C:/msys64/mingw64/x86_64-w64-mingw32/include/wincrypt.h:3966:108: note: declared here
3966 | WINIMPM HCERTSTORE WINAPI CertOpenStore (LPCSTR lpszStoreProvider, DWORD dwEncodingType, HCRYPTPROV_LEGACY hCryptProv, DWORD dwFlags, const void *pvPara);
| ~~~~~~~~~~~~~~~~~~^~~~~~~~~~
Provide a free function that sets up the SNI extension for an ssl::stream.
Hello, I get the following compilation errors and warnings when compiling on macOS. There are a bunch of deprecation and undefined symbol errors for some functions. Does that mean I can't use this library with macOS Catalina? Or am I doing something wrong?
akils-MBP:arbitrage akil$ clang++ arbitrage.cpp -std=c++17 -o arb -lboost_system -O3 -I /usr/local/Cellar/openssl@1.1/1.1.1d/include -L /usr/local/Cellar/openssl@1.1/1.1.1d/lib -lssl -lcrypto
In file included from arbitrage.cpp:13:
In file included from /usr/local/include/boost/certify/https_verification.hpp:35:
/usr/local/include/boost/certify/detail/keystore_apple.ipp:121:14: warning: 'SecTrustEvaluate' is deprecated: first deprecated in macOS 10.15 [-Wdeprecated-declarations]
status = SecTrustEvaluate(trust.get(), &result);
^~~~~~~~~~~~~~~~
SecTrustEvaluateWithError
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecTrust.h:353:10: note:
'SecTrustEvaluate' has been explicitly marked deprecated here
OSStatus SecTrustEvaluate(SecTrustRef trust, SecTrustResultType *result)
^
1 warning generated.
Undefined symbols for architecture x86_64:
"_CFArrayCreate", referenced from:
boost::certify::detail::verify_certificate_chain(x509_store_ctx_st*) in arbitrage-84c913.o
"_CFDataCreateWithBytesNoCopy", referenced from:
boost::certify::detail::verify_certificate_chain(x509_store_ctx_st*) in arbitrage-84c913.o
"_CFRelease", referenced from:
boost::certify::detail::verify_certificate_chain(x509_store_ctx_st*) in arbitrage-84c913.o
"_SecCertificateCreateWithData", referenced from:
boost::certify::detail::verify_certificate_chain(x509_store_ctx_st*) in arbitrage-84c913.o
"_SecPolicyCreateSSL", referenced from:
boost::certify::detail::verify_certificate_chain(x509_store_ctx_st*) in arbitrage-84c913.o
"_SecTrustCreateWithCertificates", referenced from:
boost::certify::detail::verify_certificate_chain(x509_store_ctx_st*) in arbitrage-84c913.o
"_SecTrustEvaluate", referenced from:
boost::certify::detail::verify_certificate_chain(x509_store_ctx_st*) in arbitrage-84c913.o
"_kCFAllocatorNull", referenced from:
boost::certify::detail::verify_certificate_chain(x509_store_ctx_st*) in arbitrage-84c913.o
Seems like I am missing a library to link? But Boost.Beast was compiling fine with TCP request code, and this library is header-only. Do I still need to link another library? Here is my command to compile: clang++ testcon.cpp -std=c++17 -o test -lboost_system -O3 -I /usr/local/Cellar/openssl@1.1/1.1.1d/include -L /usr/local/Cellar/openssl@1.1/1.1.1d/lib -lssl -lcrypto
Abstract away the access to the macOS/iOS TLS keystore.
I'm trying to get certify working for an async SSL client (I have to use async because I need to set a timeout). The stream is declared as:
beast::ssl_stream<beast::tcp_stream> stream_;
I don't find the matching function for setting the hostname and SNI:
boost::certify::set_server_hostname(beast::get_lowest_layer(stream_).socket(), host);
boost::certify::sni_hostname(beast::get_lowest_layer(stream_), host);
Does certify work in async mode?
Edit: Sorry, the title should read Async SSL instead.
The only example of a failing certificate is one loaded locally. When trying with an actual site (https://badssl.com/) there seems to be no error coming from certify with all the cases:
expired
wrong.host
self-signed
untrusted-root
revoked
I am using the example from /examples folder.
Edited.
Sorry I realized I made a mistake
I am trying to install the project. I checked it out and attempted to install it using the following steps:
mkdir build && cd build
cmake -DCMAKE_PREFIX_PATH=/usr/local/boost -DBoost_USE_STATIC_LIBS=ON -DBoost_USE_STATIC_RUNTIME=ON -DBUILD_TESTING=OFF -DCMAKE_INSTALL_PREFIX=/usr/local/certify ..
sudo make install
This results in an error:
CMake Error at cmake_install.cmake:36 (file):
file INSTALL cannot find "/tmp/certify/netutilsConfig.cmake".
If I leave off the BUILD_TESTING=OFF directive, then I get an error about a missing file:
CMake Error at tests/CMakeLists.txt:3 (add_executable):
Cannot find source file:
rfc2818_verification_fail.cpp
Tried extensions .c .C .c++ .cc .cpp .cxx .cu .m .M .mm .h .hh .h++ .hm
.hpp .hxx .in .txx
Call Stack (most recent call first):
tests/CMakeLists.txt:15 (certify_verify_add_test)
Use the native keystore when compiled on Android.
We should research Chromium's interfaces, for example:
https://github.com/chromium/chromium/blob/3c74836d8b7f780a875758af530bc2194ef0e39c/net/cert/caching_cert_verifier.h#L46
In the research (which should go into the documentation as an appendix) we can describe what Chromium does, and then compare it to what Certify does.
Should this be "rfc2818_verification_success.cpp" ?
Prepare the build system for building documentation, document existing API.
https://github.com/djarek/certify/blob/master/include/boost/certify/detail/keystore_apple.hpp#L79
This reinterpret_cast is most likely UB.
Add error test cases (self-signed cert, expired cert, etc.).
The verification callback contains the peer URI twice, because the callback in ASIO stores its own copy.
When I include <boost/certify/https_verification.hpp> (no separate compilation) in two separate source files in the same project, I get the linking error "multiple definition of `boost::certify::detail::set_server_hostname(X509_VERIFY_PARAM_st*, boost::basic_string_view<char, std::char_traits >, boost::system::error_code&)'". How can this be resolved? Thanks.
I used the template and changed the domain to https://wrong.host.badssl.com/, and the program downloaded the HTML, but I expected to get a wrong-hostname error. How do I achieve that?
It would be nice to have a few links to other similar libraries that are best-in-breed for interface, implementation, and testing ideas.
Implement a way to do separate compilation, just like ASIO does.