djarek / certify Goto Github PK
View Code? Open in Web Editor NEWBoost.ASIO-based TLS certificate verification library
Home Page: https://djarek.github.io/certify/
License: Boost Software License 1.0
certify's People
Contributors
Stargazers
Watchers
Forkers
cppalliance princio amenshov dooapps 3n16m4 denchat waqqas autoantwort jens-diewald jacob-hegna leha-bot longhronshen jhabermas mikepulaski igor-egorov anton-nikan sschoen fstorck delgemoon plorax frozensource stevenchen1976 arcoth iyp-programer-yeah 0x1306a94 planetmarshall swift-nav mjscosta jontitorr halmoni100 skentagon chatterinocertify's Issues
Try to use verification in OpenSSL
OpenSSL 1.0.2 and higher has built-in rfc 2818 verification - try to use that instead.
Reference: https://www.openssl.org/docs/man1.0.2/man3/X509_VERIFY_PARAM_set1_host.html
Pass the entire peer chain on Windows
The Windows impl currently just passes the leaf certificate, which may result in validation failing with more complex chains which are not entirely known by the Windows certificate store.
Fix/add coverage collection on Linux and Windows
Proper path discovery in a certificate chain on MacOS
Wrong conversion
Hello Djarek,
You have a wrong conversion from size_t to DWORD into keystore_windows.ipp in the CertAddEncodedCertificateToStore function.
Any compiler with enabled warnings as errors will fail on this issue
Thanx for your work
Compilation warning on Windows
Scenario:
- Windows 10 64-bit
- GCC 10.3.0 (from MSYS2)
- boost 1.75.0
Compiling an application using certify in the scenario listed above yields the following compilation warnings:
In file included from C:/Users/joel/Documents/projects/malloy/lib/malloy/client/3rdparty/boost/certify/https_verification.hpp:33,
from C:\Users\joel\Documents\projects\malloy\lib\malloy\client\controller.cpp:7:
C:/Users/joel/Documents/projects/malloy/lib/malloy/client/3rdparty/boost/certify/detail/keystore_windows.ipp: In function 'std::unique_ptr<const _CERT_CONTEXT, boost::certify::detail::cert_context_deleter> boost::certify::detail::create_cert_ctx(stack_st_X509*)':
C:/Users/joel/Documents/projects/malloy/lib/malloy/client/3rdparty/boost/certify/detail/keystore_windows.ipp:85:21: warning: passing NULL to non-pointer argument 3 of 'void* CertOpenStore(LPCSTR, DWORD, HCRYPTPROV_LEGACY, DWORD, const void*)' [-Wconversion-null]
85 | NULL,
| ^~~~
In file included from C:/Users/joel/Documents/projects/malloy/lib/malloy/client/3rdparty/boost/certify/detail/keystore_windows.ipp:8,
from C:/Users/joel/Documents/projects/malloy/lib/malloy/client/3rdparty/boost/certify/https_verification.hpp:33,
from C:\Users\joel\Documents\projects\malloy\lib\malloy\client\controller.cpp:7:
C:/msys64/mingw64/x86_64-w64-mingw32/include/wincrypt.h:3966:108: note: declared here
3966 | WINIMPM HCERTSTORE WINAPI CertOpenStore (LPCSTR lpszStoreProvider, DWORD dwEncodingType, HCRYPTPROV_LEGACY hCryptProv, DWORD dwFlags, const void *pvPara);
| ~~~~~~~~~~~~~~~~~~^~~~~~~~~~
TLS SNI wrapper
Provide a free-function that sets up the SNI extension for a ssl::stream.
Compilation error with mac os x 10.15.4
hello, I get the following compilition errors and warnings with compiling with mac os. There is bunch of deprecation and unidentified symbols errors for some functions. Does that mean I can't use this library with mac os catalina? or am I doing something wrong
/usr/local/include/boost/certify/detail/keystore_apple.ipp:121:14: warning: 'SecTrustEvaluate' is deprecated: first deprecated in macOS 10.15 [-Wdeprecated-declarations]
status = SecTrustEvaluate(trust.get(), &result);
^~~~~~~~~~~~~~~~
SecTrustEvaluateWithError
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecTrust.h:353:10: note:
'SecTrustEvaluate' has been explicitly marked deprecated here
OSStatus SecTrustEvaluate(SecTrustRef trust, SecTrustResultType *result)
akils-MBP:arbitrage akil$ clang++ arbitrage.cpp -std=c++17 -o arb -lboost_system -O3 -I /usr/local/Cellar/[email protected]/1.1.1d/include -L /usr/local/Cellar/[email protected]/1.1.1d/lib -lssl -lcrypto
In file included from arbitrage.cpp:13:
In file included from /usr/local/include/boost/certify/https_verification.hpp:35:
/usr/local/include/boost/certify/detail/keystore_apple.ipp:121:14: warning: 'SecTrustEvaluate' is deprecated: first deprecated in macOS 10.15 [-Wdeprecated-declarations]
status = SecTrustEvaluate(trust.get(), &result);
^~~~~~~~~~~~~~~~
SecTrustEvaluateWithError
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecTrust.h:353:10: note:
'SecTrustEvaluate' has been explicitly marked deprecated here
OSStatus SecTrustEvaluate(SecTrustRef trust, SecTrustResultType *result)
^
1 warning generated.
Undefined symbols for architecture x86_64:
"_CFArrayCreate", referenced from:
boost::certify::detail::verify_certificate_chain(x509_store_ctx_st*) in arbitrage-84c913.o
"_CFDataCreateWithBytesNoCopy", referenced from:
boost::certify::detail::verify_certificate_chain(x509_store_ctx_st*) in arbitrage-84c913.o
"_CFRelease", referenced from:
boost::certify::detail::verify_certificate_chain(x509_store_ctx_st*) in arbitrage-84c913.o
"_SecCertificateCreateWithData", referenced from:
boost::certify::detail::verify_certificate_chain(x509_store_ctx_st*) in arbitrage-84c913.o
"_SecPolicyCreateSSL", referenced from:
boost::certify::detail::verify_certificate_chain(x509_store_ctx_st*) in arbitrage-84c913.o
"_SecTrustCreateWithCertificates", referenced from:
boost::certify::detail::verify_certificate_chain(x509_store_ctx_st*) in arbitrage-84c913.o
"_SecTrustEvaluate", referenced from:
boost::certify::detail::verify_certificate_chain(x509_store_ctx_st*) in arbitrage-84c913.o
"_kCFAllocatorNull", referenced from:
boost::certify::detail::verify_certificate_chain(x509_store_ctx_st*) in arbitrage-84c913.o
Seems like I am missing a library to link? But boost beast was compiling fine with tcp request code and this library is header only. Do I still need to link another library? Here is my command to compile clang++ testcon.cpp -std=c++17 -o test -lboost_system -O3 -I /usr/local/Cellar/[email protected]/1.1.1d/include -L /usr/local/Cellar/[email protected]/1.1.1d/lib -lssl -lcrypto
Remove uses of std::fopen
macOS/iOS TLS keystore abstraction
Abstract away the access to the macOS/iOS TLS keystore.
How to use certify with Async SSL
I'm trying get certify working for a Async SSL Client (I have to use Async because I need to set a timeout). The stream is declared as:
beast::ssl_streambeast::tcp_stream stream_;
I don't find the matching function for setting host name and sni:
boost::certify::set_server_hostname(beast::get_lowest_layer(stream_).socket(), host);
boost::certify::sni_hostname(beast::get_lowest_layer(stream_), host);
Does certify work in async mode?
Edit: Sorry, the title should read Async SSL instead.
Example with failing certificate
The only example of a failing certificate is one loaded locally. When trying with an actual site (https://badssl.com/) there seems to be no error coming from certify with all the cases:
expired
wrong.host
self-signed
untrusted-root
revoked
I am using the example from /examples folder.
example with using beast
Edited.
Sorry I realized I made a mistake
Which branch to use?
I am trying to install the project, and checked out and attempted to install the project using the following steps:
mkdir build && cd build
cmake -DCMAKE_PREFIX_PATH=/usr/local/boost -DBoost_USE_STATIC_LIBS=ON -DBoost_USE_STATIC_RUNTIME=ON -DBUILD_TESTING=OFF -DCMAKE_INSTALL_PREFIX=/usr/local/certify ..
sudo make install
This results in an error:
CMake Error at cmake_install.cmake:36 (file):
file INSTALL cannot find "/tmp/certify/netutilsConfig.cmake".
If I leave off the BUILD_TESTING=OFF directive, then I get an error about missing file:
CMake Error at tests/CMakeLists.txt:3 (add_executable):
Cannot find source file:
rfc2818_verification_fail.cpp
Tried extensions .c .C .c++ .cc .cpp .cxx .cu .m .M .mm .h .hh .h++ .hm
.hpp .hxx .in .txx
Call Stack (most recent call first):
tests/CMakeLists.txt:15 (certify_verify_add_test)
Android keystore abstraction
Use the native keystore when compiled on Android.
Chromium Research
We should research Chromium's interfaces, for example:
https://github.com/chromium/chromium/blob/3c74836d8b7f780a875758af530bc2194ef0e39c/net/cert/caching_cert_verifier.h#L46
In the research (which should go into the documentation as an appendix) we can describe what Chromium does, and then compare it to what Certify does.
"tests/CMakeLists.txt:13" references non-existent file "rfc2818_verification.cpp"
Should this be "rfc2818_verification_success.cpp" ?
Cleanup duplication in Jamfiles
Documentation
Prepare the build system for building documentation, document existing API.
Don't depend on UB in MacOS impl
https://github.com/djarek/certify/blob/master/include/boost/certify/detail/keystore_apple.hpp#L79
This reinterpret_cast is most likely UB.
Add error test cases
Add error test cases (self-signed cert, expired cert, etc.).
Remove duplication of peer URI
The verification callback contains the peer URI twice, because the callback in ASIO stores its own copy.
multiple definition of `boost::certify::detail::set_server_hostname'
When I include <boost/certify/https_verification.hpp> (no separate compilation) in two separate source files in the same project, I get the linking error "multiple definition of `boost::certify::detail::set_server_hostname(X509_VERIFY_PARAM_st*, boost::basic_string_view<char, std::char_traits >, boost::system::error_code&)'". How can this be resolved? Thanks.
How to do Hostname verification?
I used the template and changed the domain to https://wrong.host.badssl.com/ and the program downloaded the html, but I expect that I get an wrong hostname error. How to achieve that?
Research other libraries
It would be nice to have a few links to other similar libraries that are best-in-breed for interface, implementation, and testing ideas.
Incorrect test names in CMakeLists.txt
Separate compilation
Implement a way to do separate compilation, just like ASIO does.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.