summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--indra/newview/llsecapi.cpp2
-rw-r--r--indra/newview/llsecapi.h31
-rw-r--r--indra/newview/llsechandler_basic.cpp114
-rw-r--r--indra/newview/llsechandler_basic.h23
-rw-r--r--indra/newview/llstartup.cpp3
-rw-r--r--indra/newview/llxmlrpctransaction.cpp3
-rw-r--r--indra/newview/tests/llsechandler_basic_test.cpp34
7 files changed, 134 insertions, 76 deletions
diff --git a/indra/newview/llsecapi.cpp b/indra/newview/llsecapi.cpp
index 1caeec5b04..9e636f38c0 100644
--- a/indra/newview/llsecapi.cpp
+++ b/indra/newview/llsecapi.cpp
@@ -124,7 +124,7 @@ int secapiSSLCertVerifyCallback(X509_STORE_CTX *ctx, void *param)
// we rely on libcurl to validate the hostname, as libcurl does more extensive validation
// leaving our hostname validation call mechanism for future additions with respect to
// OS native (Mac keyring, windows CAPI) validation.
- chain->validate(VALIDATION_POLICY_SSL & (~VALIDATION_POLICY_HOSTNAME), store, validation_params);
+ store->validate(VALIDATION_POLICY_SSL & (~VALIDATION_POLICY_HOSTNAME), chain, validation_params);
}
catch (LLCertValidationTrustException& cert_exception)
{
diff --git a/indra/newview/llsecapi.h b/indra/newview/llsecapi.h
index 59a1e1eff0..5a1a3879d4 100644
--- a/indra/newview/llsecapi.h
+++ b/indra/newview/llsecapi.h
@@ -154,7 +154,7 @@ public:
// return an LLSD object containing information about the certificate
// such as its name, signature, expiry time, serial number
- virtual LLSD getLLSD() const=0;
+ virtual void getLLSD(LLSD& llsd)=0;
// return an openSSL X509 struct for the certificate
virtual X509* getOpenSSLX509() const=0;
@@ -231,6 +231,18 @@ public:
virtual LLPointer<LLCertificate> erase(iterator cert)=0;
};
+// class LLCertificateChain
+// Class representing a chain of certificates in order, with the
+// first element being the child cert.
+class LLCertificateChain : virtual public LLCertificateVector
+{
+
+public:
+ LLCertificateChain() {}
+
+ virtual ~LLCertificateChain() {}
+
+};
// class LLCertificateStore
// represents a store of certificates, typically a store of root CA
@@ -250,30 +262,17 @@ public:
// return the store id
virtual std::string storeId() const=0;
-};
-
-// class LLCertificateChain
-// Class representing a chain of certificates in order, with the
-// first element being the child cert.
-class LLCertificateChain : virtual public LLCertificateVector
-{
-
-public:
- LLCertificateChain() {}
- virtual ~LLCertificateChain() {}
-
// validate a certificate chain given the params.
// Will throw exceptions on error
virtual void validate(int validation_policy,
- LLPointer<LLCertificateStore> ca_store,
+ LLPointer<LLCertificateChain> cert_chain,
const LLSD& validation_params) =0;
+
};
-
-
inline
bool operator==(const LLCertificateVector::iterator& _lhs, const LLCertificateVector::iterator& _rhs)
{
diff --git a/indra/newview/llsechandler_basic.cpp b/indra/newview/llsechandler_basic.cpp
index edf5ce9b60..84ab9b9175 100644
--- a/indra/newview/llsechandler_basic.cpp
+++ b/indra/newview/llsechandler_basic.cpp
@@ -85,7 +85,6 @@ LLBasicCertificate::LLBasicCertificate(const std::string& pem_cert)
{
throw LLInvalidCertificate(this);
}
- _initLLSD();
}
@@ -96,7 +95,6 @@ LLBasicCertificate::LLBasicCertificate(X509* pCert)
throw LLInvalidCertificate(this);
}
mCert = X509_dup(pCert);
- _initLLSD();
}
LLBasicCertificate::~LLBasicCertificate()
@@ -150,9 +148,13 @@ std::vector<U8> LLBasicCertificate::getBinary() const
}
-LLSD LLBasicCertificate::getLLSD() const
+void LLBasicCertificate::getLLSD(LLSD &llsd)
{
- return mLLSDInfo;
+ if (mLLSDInfo.isUndefined())
+ {
+ _initLLSD();
+ }
+ llsd = mLLSDInfo;
}
// Initialize the LLSD info for the certificate
@@ -516,8 +518,9 @@ LLBasicCertificateVector::iterator LLBasicCertificateVector::find(const LLSD& pa
cert++)
{
- found= TRUE;
- LLSD cert_info = (*cert)->getLLSD();
+ found= TRUE;
+ LLSD cert_info;
+ (*cert)->getLLSD(cert_info);
for (LLSD::map_const_iterator param = params.beginMap();
param != params.endMap();
param++)
@@ -543,7 +546,8 @@ LLBasicCertificateVector::iterator LLBasicCertificateVector::find(const LLSD& pa
void LLBasicCertificateVector::insert(iterator _iter,
LLPointer<LLCertificate> cert)
{
- LLSD cert_info = cert->getLLSD();
+ LLSD cert_info;
+ cert->getLLSD(cert_info);
if (cert_info.isMap() && cert_info.has(CERT_SHA1_DIGEST))
{
LLSD existing_cert_info = LLSD::emptyMap();
@@ -691,7 +695,8 @@ LLBasicCertificateChain::LLBasicCertificateChain(const X509_STORE_CTX* store)
while(untrusted_certs.size() > 0)
{
LLSD find_data = LLSD::emptyMap();
- LLSD cert_data = current->getLLSD();
+ LLSD cert_data;
+ current->getLLSD(cert_data);
// we simply build the chain via subject/issuer name as the
// client should not have passed in multiple CA's with the same
// subject name. If they did, it'll come out in the wash during
@@ -850,12 +855,13 @@ bool _LLSDArrayIncludesValue(const LLSD& llsd_set, LLSD llsd_value)
}
void _validateCert(int validation_policy,
- const LLPointer<LLCertificate> cert,
+ LLPointer<LLCertificate> cert,
const LLSD& validation_params,
int depth)
{
- LLSD current_cert_info = cert->getLLSD();
+ LLSD current_cert_info;
+ cert->getLLSD(current_cert_info);
// check basic properties exist in the cert
if(!current_cert_info.has(CERT_SUBJECT_NAME) || !current_cert_info.has(CERT_SUBJECT_NAME_STRING))
{
@@ -943,8 +949,9 @@ bool _verify_signature(LLPointer<LLCertificate> parent,
LLPointer<LLCertificate> child)
{
bool verify_result = FALSE;
- LLSD cert1 = parent->getLLSD();
- LLSD cert2 = child->getLLSD();
+ LLSD cert1, cert2;
+ parent->getLLSD(cert1);
+ child->getLLSD(cert2);
X509 *signing_cert = parent->getOpenSSLX509();
X509 *child_cert = child->getOpenSSLX509();
if((signing_cert != NULL) && (child_cert != NULL))
@@ -979,6 +986,7 @@ bool _verify_signature(LLPointer<LLCertificate> parent,
return verify_result;
}
+
// validate the certificate chain against a store.
// There are many aspects of cert validatioin policy involved in
// trust validation. The policies in this validation algorithm include
@@ -993,8 +1001,8 @@ bool _verify_signature(LLPointer<LLCertificate> parent,
// and verify the last cert is in the certificate store, or points
// to a cert in the store. It validates whether any cert in the chain
// is trusted in the store, even if it's not the last one.
-void LLBasicCertificateChain::validate(int validation_policy,
- LLPointer<LLCertificateStore> ca_store,
+void LLBasicCertificateStore::validate(int validation_policy,
+ LLPointer<LLCertificateChain> cert_chain,
const LLSD& validation_params)
{
@@ -1002,8 +1010,8 @@ void LLBasicCertificateChain::validate(int validation_policy,
{
throw LLCertException(NULL, "No certs in chain");
}
- iterator current_cert = begin();
- LLSD current_cert_info = (*current_cert)->getLLSD();
+ iterator current_cert = cert_chain->begin();
+ LLSD current_cert_info;
LLSD validation_date;
if (validation_params.has(CERT_VALIDATION_DATE))
{
@@ -1012,6 +1020,7 @@ void LLBasicCertificateChain::validate(int validation_policy,
if (validation_policy & VALIDATION_POLICY_HOSTNAME)
{
+ (*current_cert)->getLLSD(current_cert_info);
if(!validation_params.has(CERT_HOSTNAME))
{
throw LLCertException((*current_cert), "No hostname passed in for validation");
@@ -1021,7 +1030,7 @@ void LLBasicCertificateChain::validate(int validation_policy,
throw LLInvalidCertificate((*current_cert));
}
- LL_INFOS("SECAPI") << "Validating the hostname " << validation_params[CERT_HOSTNAME].asString() <<
+ LL_DEBUGS("SECAPI") << "Validating the hostname " << validation_params[CERT_HOSTNAME].asString() <<
"against the cert CN " << current_cert_info[CERT_SUBJECT_NAME][CERT_NAME_CN].asString() << LL_ENDL;
if(!_cert_hostname_wildcard_match(validation_params[CERT_HOSTNAME].asString(),
current_cert_info[CERT_SUBJECT_NAME][CERT_NAME_CN].asString()))
@@ -1030,16 +1039,50 @@ void LLBasicCertificateChain::validate(int validation_policy,
(*current_cert));
}
}
-
+ // check the cache of already validated certs
+ X509* cert_x509 = (*current_cert)->getOpenSSLX509();
+ if(!cert_x509)
+ {
+ throw LLInvalidCertificate((*current_cert));
+ }
+ std::string sha1_hash((const char *)cert_x509->sha1_hash, SHA_DIGEST_LENGTH);
+ t_cert_cache::iterator cache_entry = mTrustedCertCache.find(sha1_hash);
+ if(cache_entry != mTrustedCertCache.end())
+ {
+ LL_DEBUGS("SECAPI") << "Found cert in cache" << LL_ENDL;
+ // this cert is in the cache, so validate the time.
+ if (validation_policy & VALIDATION_POLICY_TIME)
+ {
+ LLDate validation_date(time(NULL));
+ if(validation_params.has(CERT_VALIDATION_DATE))
+ {
+ validation_date = validation_params[CERT_VALIDATION_DATE];
+ }
+
+ if((validation_date < cache_entry->second.first) ||
+ (validation_date > cache_entry->second.second))
+ {
+ throw LLCertValidationExpirationException((*current_cert), validation_date);
+ }
+ }
+ // successfully found in cache
+ return;
+ }
+ if(current_cert_info.isUndefined())
+ {
+ (*current_cert)->getLLSD(current_cert_info);
+ }
+ LLDate from_time = current_cert_info[CERT_VALID_FROM].asDate();
+ LLDate to_time = current_cert_info[CERT_VALID_TO].asDate();
int depth = 0;
LLPointer<LLCertificate> previous_cert;
// loop through the cert chain, validating the current cert against the next one.
- while(current_cert != end())
+ while(current_cert != cert_chain->end())
{
int local_validation_policy = validation_policy;
- if(current_cert == begin())
+ if(current_cert == cert_chain->begin())
{
// for the child cert, we don't validate CA stuff
local_validation_policy &= ~(VALIDATION_POLICY_CA_KU |
@@ -1061,23 +1104,23 @@ void LLBasicCertificateChain::validate(int validation_policy,
depth);
// look for a CA in the CA store that may belong to this chain.
- LLSD cert_llsd = (*current_cert)->getLLSD();
LLSD cert_search_params = LLSD::emptyMap();
// is the cert itself in the store?
- cert_search_params[CERT_SHA1_DIGEST] = cert_llsd[CERT_SHA1_DIGEST];
- LLCertificateStore::iterator found_store_cert = ca_store->find(cert_search_params);
- if(found_store_cert != ca_store->end())
+ cert_search_params[CERT_SHA1_DIGEST] = current_cert_info[CERT_SHA1_DIGEST];
+ LLCertificateStore::iterator found_store_cert = find(cert_search_params);
+ if(found_store_cert != end())
{
+ mTrustedCertCache[sha1_hash] = std::pair<LLDate, LLDate>(from_time, to_time);
return;
}
// is the parent in the cert store?
cert_search_params = LLSD::emptyMap();
- cert_search_params[CERT_SUBJECT_NAME_STRING] = cert_llsd[CERT_ISSUER_NAME_STRING];
- if (cert_llsd.has(CERT_AUTHORITY_KEY_IDENTIFIER))
+ cert_search_params[CERT_SUBJECT_NAME_STRING] = current_cert_info[CERT_ISSUER_NAME_STRING];
+ if (current_cert_info.has(CERT_AUTHORITY_KEY_IDENTIFIER))
{
- LLSD cert_aki = cert_llsd[CERT_AUTHORITY_KEY_IDENTIFIER];
+ LLSD cert_aki = current_cert_info[CERT_AUTHORITY_KEY_IDENTIFIER];
if(cert_aki.has(CERT_AUTHORITY_KEY_IDENTIFIER_ID))
{
cert_search_params[CERT_SUBJECT_KEY_IDENTFIER] = cert_aki[CERT_AUTHORITY_KEY_IDENTIFIER_ID];
@@ -1087,11 +1130,10 @@ void LLBasicCertificateChain::validate(int validation_policy,
cert_search_params[CERT_SERIAL_NUMBER] = cert_aki[CERT_AUTHORITY_KEY_IDENTIFIER_SERIAL];
}
}
- found_store_cert = ca_store->find(cert_search_params);
+ found_store_cert = find(cert_search_params);
- if(found_store_cert != ca_store->end())
+ if(found_store_cert != end())
{
- LLSD foo = (*found_store_cert)->getLLSD();
// validate the store cert against the depth
_validateCert(validation_policy & VALIDATION_POLICY_CA_BASIC_CONSTRAINTS,
(*found_store_cert),
@@ -1105,11 +1147,16 @@ void LLBasicCertificateChain::validate(int validation_policy,
throw LLCertValidationInvalidSignatureException(*current_cert);
}
// successfully validated.
+ mTrustedCertCache[sha1_hash] = std::pair<LLDate, LLDate>(from_time, to_time);
return;
}
previous_cert = (*current_cert);
current_cert++;
- depth++;
+ depth++;
+ if(current_cert != current_cert != cert_chain->end())
+ {
+ (*current_cert)->getLLSD(current_cert_info);
+ }
}
if (validation_policy & VALIDATION_POLICY_TRUSTED)
{
@@ -1118,6 +1165,7 @@ void LLBasicCertificateChain::validate(int validation_policy,
throw LLCertValidationTrustException((*this)[size()-1]);
}
+ mTrustedCertCache[sha1_hash] = std::pair<LLDate, LLDate>(from_time, to_time);
}
@@ -1155,7 +1203,7 @@ void LLSecAPIBasicHandler::init()
"CA.pem");
- LL_INFOS("SECAPI") << "Loading certificate store from " << store_file << LL_ENDL;
+ LL_DEBUGS("SECAPI") << "Loading certificate store from " << store_file << LL_ENDL;
mStore = new LLBasicCertificateStore(store_file);
// grab the application CA.pem file that contains the well-known certs shipped
@@ -1465,7 +1513,7 @@ void LLSecAPIBasicHandler::saveCredential(LLPointer<LLCredential> cred, bool sav
{
credential["authenticator"] = cred->getAuthenticator();
}
- LL_INFOS("SECAPI") << "Saving Credential " << cred->getGrid() << ":" << cred->userID() << " " << save_authenticator << LL_ENDL;
+ LL_DEBUGS("SECAPI") << "Saving Credential " << cred->getGrid() << ":" << cred->userID() << " " << save_authenticator << LL_ENDL;
setProtectedData("credential", cred->getGrid(), credential);
//*TODO: If we're saving Agni credentials, should we write the
// credentials to the legacy password.dat/etc?
diff --git a/indra/newview/llsechandler_basic.h b/indra/newview/llsechandler_basic.h
index 4bbb73f062..3ddd36a81a 100644
--- a/indra/newview/llsechandler_basic.h
+++ b/indra/newview/llsechandler_basic.h
@@ -59,12 +59,13 @@ public:
virtual std::string getPem() const;
virtual std::vector<U8> getBinary() const;
- virtual LLSD getLLSD() const;
+ virtual void getLLSD(LLSD &llsd);
virtual X509* getOpenSSLX509() const;
// set llsd elements for testing
void setLLSD(const std::string name, const LLSD& value) { mLLSDInfo[name] = value; }
+
protected:
// certificates are stored as X509 objects, as validation and
@@ -173,8 +174,21 @@ public:
// return the store id
virtual std::string storeId() const;
+ // validate a certificate chain against a certificate store, using the
+ // given validation policy.
+ virtual void validate(int validation_policy,
+ LLPointer<LLCertificateChain> ca_chain,
+ const LLSD& validation_params);
+
protected:
- std::vector<LLPointer<LLCertificate> >mCerts;
+ std::vector<LLPointer<LLCertificate> > mCerts;
+
+ // cache of cert sha1 hashes to from/to date pairs, to improve
+ // performance of cert trust. Note, these are not the CA certs,
+ // but the certs that have been validated against this store.
+ typedef std::map<std::string, std::pair<LLDate, LLDate> > t_cert_cache;
+ t_cert_cache mTrustedCertCache;
+
std::string mFilename;
};
@@ -189,11 +203,6 @@ public:
virtual ~LLBasicCertificateChain() {}
- // validate a certificate chain against a certificate store, using the
- // given validation policy.
- virtual void validate(int validation_policy,
- LLPointer<LLCertificateStore> ca_store,
- const LLSD& validation_params);
};
diff --git a/indra/newview/llstartup.cpp b/indra/newview/llstartup.cpp
index 0a464b3b6c..7022d83868 100644
--- a/indra/newview/llstartup.cpp
+++ b/indra/newview/llstartup.cpp
@@ -2702,7 +2702,8 @@ LLSD transform_cert_args(LLPointer<LLCertificate> cert)
{
LLSD args = LLSD::emptyMap();
std::string value;
- LLSD cert_info = cert->getLLSD();
+ LLSD cert_info;
+ cert->getLLSD(cert_info);
// convert all of the elements in the cert into
// args for the xml dialog, so we have flexability to
// display various parts of the cert by only modifying
diff --git a/indra/newview/llxmlrpctransaction.cpp b/indra/newview/llxmlrpctransaction.cpp
index da61840761..bc1a48e26a 100644
--- a/indra/newview/llxmlrpctransaction.cpp
+++ b/indra/newview/llxmlrpctransaction.cpp
@@ -247,7 +247,8 @@ int LLXMLRPCTransaction::Impl::_sslCertVerifyCallback(X509_STORE_CTX *ctx, void
validation_params[CERT_HOSTNAME] = uri.hostName();
try
{
- chain->validate(VALIDATION_POLICY_SSL, store, validation_params);
+ // don't validate hostname. Let libcurl do it instead. That way, it'll handle redirects
+ store->validate(VALIDATION_POLICY_SSL & (~VALIDATION_POLICY_HOSTNAME), chain, validation_params);
}
catch (LLCertValidationTrustException& cert_exception)
{
diff --git a/indra/newview/tests/llsechandler_basic_test.cpp b/indra/newview/tests/llsechandler_basic_test.cpp
index fd680b24f0..d1330e2270 100644
--- a/indra/newview/tests/llsechandler_basic_test.cpp
+++ b/indra/newview/tests/llsechandler_basic_test.cpp
@@ -950,15 +950,15 @@ namespace tut
test_chain->add(new LLBasicCertificate(mX509IntermediateCert));
- test_chain->validate(0, test_store, validation_params);
+ test_store->validate(0, test_chain, validation_params);
// add the root certificate to the chain and revalidate
test_chain->add(new LLBasicCertificate(mX509RootCert));
- test_chain->validate(0, test_store, validation_params);
+ test_store->validate(0, test_chain, validation_params);
// add the child cert at the head of the chain, and revalidate (3 deep chain)
test_chain->insert(test_chain->begin(), new LLBasicCertificate(mX509ChildCert));
- test_chain->validate(0, test_store, validation_params);
+ test_store->validate(0, test_chain, validation_params);
// basic failure cases
test_chain = new LLBasicCertificateChain(NULL);
@@ -967,14 +967,14 @@ namespace tut
ensure_throws("no CA, with only a child cert",
LLCertValidationTrustException,
(*test_chain)[0],
- test_chain->validate,
+ test_store->validate,
VALIDATION_POLICY_TRUSTED,
- test_store,
+ test_chain,
validation_params);
// validate without the trust flag.
- test_chain->validate(0, test_store, validation_params);
+ test_store->validate(0, test_chain, validation_params);
// clear out the store
test_store = new LLBasicCertificateStore("mycertstore.pem");
@@ -983,9 +983,9 @@ namespace tut
ensure_throws("no CA, with child and intermediate certs",
LLCertValidationTrustException,
(*test_chain)[1],
- test_chain->validate,
+ test_store->validate,
VALIDATION_POLICY_TRUSTED,
- test_store,
+ test_chain,
validation_params);
// validate without the trust flag
test_chain->validate(0, test_store, validation_params);
@@ -994,7 +994,7 @@ namespace tut
LLSD child_info = (*test_chain)[0]->getLLSD();
validation_params = LLSD::emptyMap();
validation_params[CERT_VALIDATION_DATE] = LLDate(child_info[CERT_VALID_FROM].asDate().secondsSinceEpoch() + 1.0);
- test_chain->validate(VALIDATION_POLICY_TIME, test_store, validation_params);
+ test_store->validate(VALIDATION_POLICY_TIME, test_chain, validation_params);
validation_params = LLSD::emptyMap();
validation_params[CERT_VALIDATION_DATE] = child_info[CERT_VALID_FROM].asDate();
@@ -1005,9 +1005,9 @@ namespace tut
ensure_throws("Child cert not yet valid" ,
LLCertValidationExpirationException,
(*test_chain)[0],
- test_chain->validate,
+ test_store->validate,
VALIDATION_POLICY_TIME,
- test_store,
+ test_chain,
validation_params);
validation_params = LLSD::emptyMap();
validation_params[CERT_VALIDATION_DATE] = LLDate(child_info[CERT_VALID_TO].asDate().secondsSinceEpoch() + 1.0);
@@ -1016,9 +1016,9 @@ namespace tut
ensure_throws("Child cert expired",
LLCertValidationExpirationException,
(*test_chain)[0],
- test_chain->validate,
+ test_store->validate,
VALIDATION_POLICY_TIME,
- test_store,
+ test_chain,
validation_params);
// test SSL KU
@@ -1026,7 +1026,7 @@ namespace tut
test_chain = new LLBasicCertificateChain(NULL);
test_chain->add(new LLBasicCertificate(mX509ChildCert));
test_chain->add(new LLBasicCertificate(mX509IntermediateCert));
- test_chain->validate(VALIDATION_POLICY_SSL_KU, test_store, validation_params);
+ test_store->validate(VALIDATION_POLICY_SSL_KU, test_chain, validation_params);
test_chain = new LLBasicCertificateChain(NULL);
test_chain->add(new LLBasicCertificate(mX509TestCert));
@@ -1034,9 +1034,9 @@ namespace tut
ensure_throws("Cert doesn't have ku",
LLCertKeyUsageValidationException,
(*test_chain)[0],
- test_chain->validate,
+ test_store->validate,
VALIDATION_POLICY_SSL_KU,
- test_store,
+ test_chain,
validation_params);
// test sha1RSA validation
@@ -1044,7 +1044,7 @@ namespace tut
test_chain->add(new LLBasicCertificate(mSha1RSATestCert));
test_chain->add(new LLBasicCertificate(mSha1RSATestCA));
- test_chain->validate(0, test_store, validation_params);
+ test_store->validate(0, test_chain, validation_params);
}
};