Changeset 45331 in vbox for trunk/src

Timestamp:

Apr 4, 2013 9:37:00 AM (12 years ago)

Author:

vboxsync

Message:

Runtime/http: add new function to set the filename containing the trusted root certificates, plus an extension of the testcase which fetches the root certificates

Location:

trunk/src/VBox/Runtime

Files:

• common/misc/http.cpp (modified) (6 diffs)
• testcase/tstHttp.cpp (modified) (4 diffs)

trunk/src/VBox/Runtime/common/misc/http.cpp

@@ -1 @@
-
 /* $Id$ */
 /** @file
@@ -6 +5 @@
 
 /*
- * Copyright (C) 2012 Oracle Corporation
+ * Copyright (C) 2012-2013 Oracle Corporation
  *
  * This file is part of VirtualBox Open Source Edition (OSE), as
@@ -35 +34 @@
 #include <iprt/mem.h>
 #include <iprt/string.h>
+#include <iprt/file.h>
 
 #include <curl/curl.h>
@@ -49 +49 @@
     long lLastResp;
     struct curl_slist *pHeaders;
+    const char *pcszCAFile;
 } RTHTTPINTERNAL;
 typedef RTHTTPINTERNAL *PRTHTTPINTERNAL;
@@ -198 +199 @@
 }
 
+RTR3DECL(int) RTHttpSetCAFile(RTHTTP hHttp, const char *pcszCAFile)
+{
+    PRTHTTPINTERNAL pHttpInt = hHttp;
+    RTHTTP_VALID_RETURN(pHttpInt);
+
+    pHttpInt->pcszCAFile = pcszCAFile;
+
+    return VINF_SUCCESS;
+}
+
 RTR3DECL(int) RTHttpGet(RTHTTP hHttp, const char *pcszUrl, char **ppszResponse)
 {
@@ -213 +224 @@
 #endif
 
-    /* XXX */
-    rcCurl = curl_easy_setopt(pHttpInt->pCurl, CURLOPT_CAINFO, "/etc/ssl/certs/ca-certificates.crt");
-    if (CURL_FAILED(rcCurl))
-        return VERR_INTERNAL_ERROR;
+    const char *pcszCAFile = "/etc/ssl/certs/ca-certificates.crt";
+    if (pHttpInt->pcszCAFile)
+        pcszCAFile = pHttpInt->pcszCAFile;
+    if (RTFileExists(pcszCAFile))
+    {
+        rcCurl = curl_easy_setopt(pHttpInt->pCurl, CURLOPT_CAINFO, pcszCAFile);
+        if (CURL_FAILED(rcCurl))
+            return VERR_INTERNAL_ERROR;
+    }
 
     RTHTTPMEMCHUNK chunk = { NULL, 0 };

trunk/src/VBox/Runtime/testcase/tstHttp.cpp

@@ -5 +5 @@
 
 /*
- * Copyright (C) 2012 Oracle Corporation
+ * Copyright (C) 2012-2013 Oracle Corporation
  *
  * This file is part of VirtualBox Open Source Edition (OSE), as
@@ -31 +31 @@
 #include <iprt/http.h>
 #include <iprt/mem.h>
+#include <iprt/file.h>
 #include <iprt/stream.h>
+#include <iprt/string.h>
 #include <iprt/initterm.h>
-#include <iprt/thread.h>
+
+#define CAFILE_NAME "tstHttp-tempcafile.crt"
 
 int main()
@@ -44 +47 @@
     int rc = RTHttpCreate(&hHttp);
     char *pszBuf = NULL;
+    PRTSTREAM CAFile = NULL;
+
+    // create certificate file
+    rc = RTStrmOpen(CAFILE_NAME, "w+b", &CAFile);
+
+    // fetch root CA certificate (new one, often avoided in cert chains by
+    // using an intermediate cert which is signed by old root)
+    if (RT_SUCCESS(rc))
+        rc = RTHttpGet(hHttp,
+                       "http://www.verisign.com/repository/roots/root-certificates/PCA-3G5.pem",
+                       &pszBuf);
+    if (RT_SUCCESS(rc) && pszBuf)
+    {
+        /// @todo check certificate fingerprint against a strong hash,
+        // otherwise there's a simple way for a man-in-the-middle attack
+        rc = RTStrmWrite(CAFile, pszBuf, strlen(pszBuf));
+        if (RT_SUCCESS(rc))
+            rc = RTStrmWrite(CAFile, RTFILE_LINEFEED, strlen(RTFILE_LINEFEED));
+    }
+    if (pszBuf)
+    {
+        RTMemFree(pszBuf);
+        pszBuf = NULL;
+    }
+
+    // fetch root CA certificate (old one, but still very widely used)
+    if (RT_SUCCESS(rc))
+        rc = RTHttpGet(hHttp,
+                       "http://www.verisign.com/repository/roots/root-certificates/PCA-3.pem",
+                       &pszBuf);
+    if (RT_SUCCESS(rc) && pszBuf)
+    {
+        /// @todo check certificate fingerprint against a strong hash,
+        // otherwise there's a simple way for a man-in-the-middle attack
+        rc = RTStrmWrite(CAFile, pszBuf, strlen(pszBuf));
+        if (RT_SUCCESS(rc))
+            rc = RTStrmWrite(CAFile, RTFILE_LINEFEED, strlen(RTFILE_LINEFEED));
+    }
+    if (pszBuf)
+    {
+        RTMemFree(pszBuf);
+        pszBuf = NULL;
+    }
+
+    // close certificate file
+    if (CAFile)
+    {
+        RTStrmClose(CAFile);
+        CAFile = NULL;
+    }
+
+    if (RT_SUCCESS(rc))
+        rc = RTHttpSetCAFile(hHttp, CAFILE_NAME);
     if (RT_SUCCESS(rc))
         rc = RTHttpGet(hHttp,
@@ -50 +106 @@
     RTHttpDestroy(hHttp);
 
+    if (RT_FAILURE(rc))
+        cErrors++;
+
     RTPrintf("Error code: %Rrc\nGot: %s\n", rc, pszBuf);
     RTMemFree(pszBuf);
 
+//    RTFileDelete(CAFILE_NAME);
+
     return !!cErrors;
 }