foundationdb/FDBLibTLS/FDBLibTLSVerify.h

/*
 * FDBLibTLSVerify.h
 *
 * This source file is part of the FoundationDB open source project
 *
 * Copyright 2013-2018 Apple Inc. and the FoundationDB project authors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef FDB_LIBTLS_VERIFY_H
#define FDB_LIBTLS_VERIFY_H

#pragma once

#include <stdint.h>

#include "ReferenceCounted.h"

#include <map>
#include <string>
#include <utility>

typedef int NID;

enum class MatchType {
	EXACT,
	PREFIX,
	SUFFIX,
};

enum class X509Location {
	// This NID is located within a X509_NAME
	NAME,
	// This NID is an X509 extension, and should be parsed accordingly
	EXTENSION,
};

struct Criteria {
	Criteria( const std::string& s )
		: criteria(s), match_type(MatchType::EXACT), location(X509Location::NAME) {}
	Criteria( const std::string& s, MatchType mt )
		: criteria(s), match_type(mt), location(X509Location::NAME) {}
	Criteria( const std::string& s, X509Location loc)
		: criteria(s), match_type(MatchType::EXACT), location(loc) {}
	Criteria( const std::string& s, MatchType mt, X509Location loc)
		: criteria(s), match_type(mt), location(loc) {}

	std::string criteria;
	MatchType match_type;
	X509Location location;

	bool operator==(const Criteria& c) const {
		return criteria == c.criteria && match_type == c.match_type && location == c.location;
	}
};

struct FDBLibTLSVerify: ReferenceCounted<FDBLibTLSVerify> {
	FDBLibTLSVerify(std::string verify);
	virtual ~FDBLibTLSVerify();

	virtual void addref() { ReferenceCounted<FDBLibTLSVerify>::addref(); }
	virtual void delref() { ReferenceCounted<FDBLibTLSVerify>::delref(); }

	void parse_verify(std::string input);

	bool verify_cert;
	bool verify_time;

	std::map< NID, Criteria > subject_criteria;
	std::map< NID, Criteria > issuer_criteria;
	std::map< NID, Criteria > root_criteria;
};

#endif /* FDB_LIBTLS_VERIFY_H */
TLS Plugin Changes. 2018-05-09 07:27:21 +08:00			`/*`
			`* FDBLibTLSVerify.h`
			`*`
			`* This source file is part of the FoundationDB open source project`
			`*`
			`* Copyright 2013-2018 Apple Inc. and the FoundationDB project authors`
			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`#ifndef FDB_LIBTLS_VERIFY_H`
			`#define FDB_LIBTLS_VERIFY_H`

			`#pragma once`

			`#include <stdint.h>`

			`#include "ReferenceCounted.h"`

			`#include <map>`
			`#include <string>`
Implement prefix and suffix matching for TLS certificate verification. This extends our language for specifying verification rules from, e.g. S.O=XYZCorp to also include two more operators S.O>=XYZ # Prefix S.O<=Corp # Suffix both of which would match against an Organization of XYZCorp (among others). 2018-06-28 09:06:24 +08:00			`#include <utility>`

Fix Subject Alternative Name matching and add test cases. The previous change was done in the optimistic hope that NID_subject_alt_name could be handled in the same fashion as all the rest of the attributes we match against. However, X509 is not a place for optimisim. Instead, it turns out that the Subject Alternative Name is an X509v3 extension, and needs to be handled separately. Therefore, this change... * Introduces the idea of Criteria matching against a location in the certificate, and not just against the entirety of the certificate. * Extracts the Subject Alternative Name extension, and allows iteration and matching against its components. * Extends our constraint language to sensibly match against SubjectAlternativeNames. The `S.subjectAltName` syntax has been kept, but the value is now required to provide what type of field the rest of the value is intended to match against. The code currently supports DNS, EMAIL, URI, and IP. Prefix and suffix matching is supported. Both verify-test and plugin-test were updated to cover Subject Alternative Name matching. I've additionally run plugin-test under valgrind to verify that I've understood object lifetimes correctly. 2018-06-30 08:10:27 +08:00			`typedef int NID;`

Implement prefix and suffix matching for TLS certificate verification. This extends our language for specifying verification rules from, e.g. S.O=XYZCorp to also include two more operators S.O>=XYZ # Prefix S.O<=Corp # Suffix both of which would match against an Organization of XYZCorp (among others). 2018-06-28 09:06:24 +08:00			`enum class MatchType {`
			`EXACT,`
			`PREFIX,`
			`SUFFIX,`
			`};`

Fix Subject Alternative Name matching and add test cases. The previous change was done in the optimistic hope that NID_subject_alt_name could be handled in the same fashion as all the rest of the attributes we match against. However, X509 is not a place for optimisim. Instead, it turns out that the Subject Alternative Name is an X509v3 extension, and needs to be handled separately. Therefore, this change... * Introduces the idea of Criteria matching against a location in the certificate, and not just against the entirety of the certificate. * Extracts the Subject Alternative Name extension, and allows iteration and matching against its components. * Extends our constraint language to sensibly match against SubjectAlternativeNames. The `S.subjectAltName` syntax has been kept, but the value is now required to provide what type of field the rest of the value is intended to match against. The code currently supports DNS, EMAIL, URI, and IP. Prefix and suffix matching is supported. Both verify-test and plugin-test were updated to cover Subject Alternative Name matching. I've additionally run plugin-test under valgrind to verify that I've understood object lifetimes correctly. 2018-06-30 08:10:27 +08:00			`enum class X509Location {`
			`// This NID is located within a X509_NAME`
			`NAME,`
			`// This NID is an X509 extension, and should be parsed accordingly`
			`EXTENSION,`
			`};`

Implement prefix and suffix matching for TLS certificate verification. This extends our language for specifying verification rules from, e.g. S.O=XYZCorp to also include two more operators S.O>=XYZ # Prefix S.O<=Corp # Suffix both of which would match against an Organization of XYZCorp (among others). 2018-06-28 09:06:24 +08:00			`struct Criteria {`
Fix Subject Alternative Name matching and add test cases. The previous change was done in the optimistic hope that NID_subject_alt_name could be handled in the same fashion as all the rest of the attributes we match against. However, X509 is not a place for optimisim. Instead, it turns out that the Subject Alternative Name is an X509v3 extension, and needs to be handled separately. Therefore, this change... * Introduces the idea of Criteria matching against a location in the certificate, and not just against the entirety of the certificate. * Extracts the Subject Alternative Name extension, and allows iteration and matching against its components. * Extends our constraint language to sensibly match against SubjectAlternativeNames. The `S.subjectAltName` syntax has been kept, but the value is now required to provide what type of field the rest of the value is intended to match against. The code currently supports DNS, EMAIL, URI, and IP. Prefix and suffix matching is supported. Both verify-test and plugin-test were updated to cover Subject Alternative Name matching. I've additionally run plugin-test under valgrind to verify that I've understood object lifetimes correctly. 2018-06-30 08:10:27 +08:00			`Criteria( const std::string& s )`
			`: criteria(s), match_type(MatchType::EXACT), location(X509Location::NAME) {}`
			`Criteria( const std::string& s, MatchType mt )`
			`: criteria(s), match_type(mt), location(X509Location::NAME) {}`
			`Criteria( const std::string& s, X509Location loc)`
			`: criteria(s), match_type(MatchType::EXACT), location(loc) {}`
			`Criteria( const std::string& s, MatchType mt, X509Location loc)`
			`: criteria(s), match_type(mt), location(loc) {}`
Implement prefix and suffix matching for TLS certificate verification. This extends our language for specifying verification rules from, e.g. S.O=XYZCorp to also include two more operators S.O>=XYZ # Prefix S.O<=Corp # Suffix both of which would match against an Organization of XYZCorp (among others). 2018-06-28 09:06:24 +08:00
			`std::string criteria;`
			`MatchType match_type;`
Fix Subject Alternative Name matching and add test cases. The previous change was done in the optimistic hope that NID_subject_alt_name could be handled in the same fashion as all the rest of the attributes we match against. However, X509 is not a place for optimisim. Instead, it turns out that the Subject Alternative Name is an X509v3 extension, and needs to be handled separately. Therefore, this change... * Introduces the idea of Criteria matching against a location in the certificate, and not just against the entirety of the certificate. * Extracts the Subject Alternative Name extension, and allows iteration and matching against its components. * Extends our constraint language to sensibly match against SubjectAlternativeNames. The `S.subjectAltName` syntax has been kept, but the value is now required to provide what type of field the rest of the value is intended to match against. The code currently supports DNS, EMAIL, URI, and IP. Prefix and suffix matching is supported. Both verify-test and plugin-test were updated to cover Subject Alternative Name matching. I've additionally run plugin-test under valgrind to verify that I've understood object lifetimes correctly. 2018-06-30 08:10:27 +08:00			`X509Location location;`
Implement prefix and suffix matching for TLS certificate verification. This extends our language for specifying verification rules from, e.g. S.O=XYZCorp to also include two more operators S.O>=XYZ # Prefix S.O<=Corp # Suffix both of which would match against an Organization of XYZCorp (among others). 2018-06-28 09:06:24 +08:00
			`bool operator==(const Criteria& c) const {`
Fix Subject Alternative Name matching and add test cases. The previous change was done in the optimistic hope that NID_subject_alt_name could be handled in the same fashion as all the rest of the attributes we match against. However, X509 is not a place for optimisim. Instead, it turns out that the Subject Alternative Name is an X509v3 extension, and needs to be handled separately. Therefore, this change... * Introduces the idea of Criteria matching against a location in the certificate, and not just against the entirety of the certificate. * Extracts the Subject Alternative Name extension, and allows iteration and matching against its components. * Extends our constraint language to sensibly match against SubjectAlternativeNames. The `S.subjectAltName` syntax has been kept, but the value is now required to provide what type of field the rest of the value is intended to match against. The code currently supports DNS, EMAIL, URI, and IP. Prefix and suffix matching is supported. Both verify-test and plugin-test were updated to cover Subject Alternative Name matching. I've additionally run plugin-test under valgrind to verify that I've understood object lifetimes correctly. 2018-06-30 08:10:27 +08:00			`return criteria == c.criteria && match_type == c.match_type && location == c.location;`
Implement prefix and suffix matching for TLS certificate verification. This extends our language for specifying verification rules from, e.g. S.O=XYZCorp to also include two more operators S.O>=XYZ # Prefix S.O<=Corp # Suffix both of which would match against an Organization of XYZCorp (among others). 2018-06-28 09:06:24 +08:00			`}`
			`};`
TLS Plugin Changes. 2018-05-09 07:27:21 +08:00
			`struct FDBLibTLSVerify: ReferenceCounted<FDBLibTLSVerify> {`
			`FDBLibTLSVerify(std::string verify);`
			`virtual ~FDBLibTLSVerify();`

			`virtual void addref() { ReferenceCounted<FDBLibTLSVerify>::addref(); }`
			`virtual void delref() { ReferenceCounted<FDBLibTLSVerify>::delref(); }`

			`void parse_verify(std::string input);`

			`bool verify_cert;`
			`bool verify_time;`

Fix Subject Alternative Name matching and add test cases. The previous change was done in the optimistic hope that NID_subject_alt_name could be handled in the same fashion as all the rest of the attributes we match against. However, X509 is not a place for optimisim. Instead, it turns out that the Subject Alternative Name is an X509v3 extension, and needs to be handled separately. Therefore, this change... * Introduces the idea of Criteria matching against a location in the certificate, and not just against the entirety of the certificate. * Extracts the Subject Alternative Name extension, and allows iteration and matching against its components. * Extends our constraint language to sensibly match against SubjectAlternativeNames. The `S.subjectAltName` syntax has been kept, but the value is now required to provide what type of field the rest of the value is intended to match against. The code currently supports DNS, EMAIL, URI, and IP. Prefix and suffix matching is supported. Both verify-test and plugin-test were updated to cover Subject Alternative Name matching. I've additionally run plugin-test under valgrind to verify that I've understood object lifetimes correctly. 2018-06-30 08:10:27 +08:00			`std::map< NID, Criteria > subject_criteria;`
			`std::map< NID, Criteria > issuer_criteria;`
			`std::map< NID, Criteria > root_criteria;`
TLS Plugin Changes. 2018-05-09 07:27:21 +08:00			`};`

			`#endif /* FDB_LIBTLS_VERIFY_H */`