net.http: in memory cert verification

pull/11089/head
Alexander Medvednikov 2021-09-09 19:55:49 +03:00
parent c8d4a64512
commit d1e9aa49ea
3 changed files with 34 additions and 11 deletions

View File

@ -5,6 +5,8 @@ module http
import strings import strings
import net.openssl import net.openssl
import os
import time
const ( const (
is_used = openssl.is_used is_used = openssl.is_used
@ -22,21 +24,39 @@ fn (req &Request) ssl_do(port int, method Method, host_name string, path string)
flags := C.SSL_OP_NO_SSLv2 | C.SSL_OP_NO_SSLv3 | C.SSL_OP_NO_COMPRESSION flags := C.SSL_OP_NO_SSLv2 | C.SSL_OP_NO_SSLv3 | C.SSL_OP_NO_COMPRESSION
C.SSL_CTX_set_options(ctx, flags) C.SSL_CTX_set_options(ctx, flags)
// Support client certificates: // Support client certificates:
mut verify := req.verify
mut cert := req.cert
mut cert_key := req.cert_key
if req.in_memory_verification {
now := time.now().unix.str()
verify = os.temp_dir() + '/v_verify' + now
cert = os.temp_dir() + '/v_cert' + now
cert_key = os.temp_dir() + '/v_cert_key' + now
if req.verify != '' {
os.write_file(verify, req.verify) ?
}
if req.cert != '' {
os.write_file(cert, req.cert) ?
}
if req.cert_key != '' {
os.write_file(cert_key, req.cert_key) ?
}
}
mut res := 0 mut res := 0
if req.verify != '' { if req.verify != '' {
res = C.SSL_CTX_load_verify_locations(ctx, &char(req.verify.str), 0) res = C.SSL_CTX_load_verify_locations(ctx, &char(verify.str), 0)
if req.validate && res != 1 { if req.validate && res != 1 {
return error('http: openssl: SSL_CTX_load_verify_locations failed') return error('http: openssl: SSL_CTX_load_verify_locations failed')
} }
} }
if req.cert != '' { if req.cert != '' {
res = C.SSL_CTX_use_certificate_file(ctx, &char(req.cert.str), C.SSL_FILETYPE_PEM) res = C.SSL_CTX_use_certificate_file(ctx, &char(cert.str), C.SSL_FILETYPE_PEM)
if req.validate && res != 1 { if req.validate && res != 1 {
return error('http: openssl: SSL_CTX_use_certificate_file failed, res: $res') return error('http: openssl: SSL_CTX_use_certificate_file failed, res: $res')
} }
} }
if req.cert_key != '' { if req.cert_key != '' {
res = C.SSL_CTX_use_PrivateKey_file(ctx, &char(req.cert_key.str), C.SSL_FILETYPE_PEM) res = C.SSL_CTX_use_PrivateKey_file(ctx, &char(cert_key.str), C.SSL_FILETYPE_PEM)
if req.validate && res != 1 { if req.validate && res != 1 {
return error('http: openssl: SSL_CTX_use_PrivateKey_file failed, res: $res') return error('http: openssl: SSL_CTX_use_PrivateKey_file failed, res: $res')
} }

View File

@ -23,10 +23,11 @@ pub mut:
user_agent string = 'v.http' user_agent string = 'v.http'
verbose bool verbose bool
// //
validate bool // set this to true, if you want to stop requests, when their certificates are found to be invalid validate bool // set this to true, if you want to stop requests, when their certificates are found to be invalid
verify string // the path to a rootca.pem file, containing trusted CA certificate(s) verify string // the path to a rootca.pem file, containing trusted CA certificate(s)
cert string // the path to a cert.pem file, containing client certificate(s) for the request cert string // the path to a cert.pem file, containing client certificate(s) for the request
cert_key string // the path to a key.pem file, containing private keys for the client certificate(s) cert_key string // the path to a key.pem file, containing private keys for the client certificate(s)
in_memory_verification bool // if true, verify, cert, and cert_key are read from memory, not from a file
} }
pub fn new_request(method Method, url_ string, data string) ?Request { pub fn new_request(method Method, url_ string, data string) ?Request {
@ -128,6 +129,7 @@ pub fn fetch(config FetchConfig) ?Response {
verify: config.verify verify: config.verify
cert: config.cert cert: config.cert
cert_key: config.cert_key cert_key: config.cert_key
in_memory_verification: config.in_memory_verification
} }
res := req.do() ? res := req.do() ?
return res return res

View File

@ -27,10 +27,11 @@ pub mut:
read_timeout i64 = 30 * time.second read_timeout i64 = 30 * time.second
write_timeout i64 = 30 * time.second write_timeout i64 = 30 * time.second
// //
validate bool // when true, certificate failures will stop further processing validate bool // when true, certificate failures will stop further processing
verify string verify string
cert string cert string
cert_key string cert_key string
in_memory_verification bool // if true, verify, cert, and cert_key are read from memory, not from a file
} }
fn (mut req Request) free() { fn (mut req Request) free() {