net.http: in memory cert verification

pull/11089/head
Alexander Medvednikov 2021-09-09 19:55:49 +03:00
parent c8d4a64512
commit d1e9aa49ea
3 changed files with 34 additions and 11 deletions

View File

@ -5,6 +5,8 @@ module http
import strings
import net.openssl
import os
import time
const (
is_used = openssl.is_used
@ -22,21 +24,39 @@ fn (req &Request) ssl_do(port int, method Method, host_name string, path string)
flags := C.SSL_OP_NO_SSLv2 | C.SSL_OP_NO_SSLv3 | C.SSL_OP_NO_COMPRESSION
C.SSL_CTX_set_options(ctx, flags)
// Support client certificates:
mut verify := req.verify
mut cert := req.cert
mut cert_key := req.cert_key
if req.in_memory_verification {
now := time.now().unix.str()
verify = os.temp_dir() + '/v_verify' + now
cert = os.temp_dir() + '/v_cert' + now
cert_key = os.temp_dir() + '/v_cert_key' + now
if req.verify != '' {
os.write_file(verify, req.verify) ?
}
if req.cert != '' {
os.write_file(cert, req.cert) ?
}
if req.cert_key != '' {
os.write_file(cert_key, req.cert_key) ?
}
}
mut res := 0
if req.verify != '' {
res = C.SSL_CTX_load_verify_locations(ctx, &char(req.verify.str), 0)
res = C.SSL_CTX_load_verify_locations(ctx, &char(verify.str), 0)
if req.validate && res != 1 {
return error('http: openssl: SSL_CTX_load_verify_locations failed')
}
}
if req.cert != '' {
res = C.SSL_CTX_use_certificate_file(ctx, &char(req.cert.str), C.SSL_FILETYPE_PEM)
res = C.SSL_CTX_use_certificate_file(ctx, &char(cert.str), C.SSL_FILETYPE_PEM)
if req.validate && res != 1 {
return error('http: openssl: SSL_CTX_use_certificate_file failed, res: $res')
}
}
if req.cert_key != '' {
res = C.SSL_CTX_use_PrivateKey_file(ctx, &char(req.cert_key.str), C.SSL_FILETYPE_PEM)
res = C.SSL_CTX_use_PrivateKey_file(ctx, &char(cert_key.str), C.SSL_FILETYPE_PEM)
if req.validate && res != 1 {
return error('http: openssl: SSL_CTX_use_PrivateKey_file failed, res: $res')
}

View File

@ -23,10 +23,11 @@ pub mut:
user_agent string = 'v.http'
verbose bool
//
validate bool // set this to true, if you want to stop requests, when their certificates are found to be invalid
verify string // the path to a rootca.pem file, containing trusted CA certificate(s)
cert string // the path to a cert.pem file, containing client certificate(s) for the request
cert_key string // the path to a key.pem file, containing private keys for the client certificate(s)
validate bool // set this to true, if you want to stop requests, when their certificates are found to be invalid
verify string // the path to a rootca.pem file, containing trusted CA certificate(s)
cert string // the path to a cert.pem file, containing client certificate(s) for the request
cert_key string // the path to a key.pem file, containing private keys for the client certificate(s)
in_memory_verification bool // if true, verify, cert, and cert_key are read from memory, not from a file
}
pub fn new_request(method Method, url_ string, data string) ?Request {
@ -128,6 +129,7 @@ pub fn fetch(config FetchConfig) ?Response {
verify: config.verify
cert: config.cert
cert_key: config.cert_key
in_memory_verification: config.in_memory_verification
}
res := req.do() ?
return res

View File

@ -27,10 +27,11 @@ pub mut:
read_timeout i64 = 30 * time.second
write_timeout i64 = 30 * time.second
//
validate bool // when true, certificate failures will stop further processing
verify string
cert string
cert_key string
validate bool // when true, certificate failures will stop further processing
verify string
cert string
cert_key string
in_memory_verification bool // if true, verify, cert, and cert_key are read from memory, not from a file
}
fn (mut req Request) free() {