diff options
Diffstat (limited to '')
-rw-r--r-- | src/mbedTLS++/CMakeLists.txt | 1 | ||||
-rw-r--r-- | src/mbedTLS++/RootCA.h | 97 | ||||
-rw-r--r-- | src/mbedTLS++/SslConfig.cpp | 14 | ||||
-rw-r--r-- | src/mbedTLS++/SslContext.cpp | 4 | ||||
-rw-r--r-- | src/mbedTLS++/SslContext.h | 2 |
5 files changed, 108 insertions, 10 deletions
diff --git a/src/mbedTLS++/CMakeLists.txt b/src/mbedTLS++/CMakeLists.txt index 42e0fc8b2..dcb5d23a0 100644 --- a/src/mbedTLS++/CMakeLists.txt +++ b/src/mbedTLS++/CMakeLists.txt @@ -25,6 +25,7 @@ target_sources( EntropyContext.h ErrorCodes.h RsaPrivateKey.h + RootCA.h SslConfig.h SslContext.h Sha1Checksum.h diff --git a/src/mbedTLS++/RootCA.h b/src/mbedTLS++/RootCA.h new file mode 100644 index 000000000..3e0d654bd --- /dev/null +++ b/src/mbedTLS++/RootCA.h @@ -0,0 +1,97 @@ + +// This file contains the public keys for different root CAs + +#include "Globals.h" +#include "mbedTLS++/X509Cert.h" + +static cX509CertPtr GetCACerts(void) +{ + static const char CertString[] = + // DigiCert Global Root CA (sessionserver.mojang.com) + // Downloaded from https://www.digicert.com/kb/digicert-root-certificates.htm + + // DigiCert Global Root CA + "-----BEGIN CERTIFICATE-----\n" + "MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh\n" + "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n" + "d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\n" + "QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT\n" + "MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\n" + "b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG\n" + "9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB\n" + "CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97\n" + "nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt\n" + "43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P\n" + "T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4\n" + "gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO\n" + "BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR\n" + "TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw\n" + "DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr\n" + "hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg\n" + "06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF\n" + "PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls\n" + "YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk\n" + "CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=\n" + "-----END CERTIFICATE-----\n" + + // Amazon Root CA 1 (api.mojang.com) + // Downloaded from https://www.amazontrust.com/repository/ + "-----BEGIN CERTIFICATE-----\n" + "MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF\n" + "ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6\n" + "b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL\n" + "MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv\n" + "b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj\n" + "ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM\n" + "9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw\n" + "IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6\n" + "VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L\n" + "93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm\n" + "jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n" + "AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA\n" + "A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI\n" + "U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs\n" + "N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv\n" + "o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU\n" + "5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy\n" + "rqXRfboQnoZsG4q5WTP468SQvvG5\n" + "-----END CERTIFICATE-----\n" + + // AAA Certificate Services (authserver.ely.by GH#4832) + // Downloaded from https://www.tbs-certificates.co.uk/FAQ/en/Comodo_AAA_Certificate_Services.html + "-----BEGIN CERTIFICATE-----\n" + "MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb\n" + "MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow\n" + "GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj\n" + "YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL\n" + "MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE\n" + "BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM\n" + "GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP\n" + "ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua\n" + "BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe\n" + "3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4\n" + "YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR\n" + "rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm\n" + "ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU\n" + "oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF\n" + "MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v\n" + "QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t\n" + "b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF\n" + "AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q\n" + "GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz\n" + "Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2\n" + "G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi\n" + "l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3\n" + "smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==\n" + "-----END CERTIFICATE-----\n" + ; + +static auto X509Cert = [&]() +{ + auto Cert = std::make_shared<cX509Cert>(); + VERIFY(0 == Cert->Parse(CertString, sizeof(CertString))); + return Cert; +}(); + +return X509Cert; +} diff --git a/src/mbedTLS++/SslConfig.cpp b/src/mbedTLS++/SslConfig.cpp index 8ea850c9f..054d63980 100644 --- a/src/mbedTLS++/SslConfig.cpp +++ b/src/mbedTLS++/SslConfig.cpp @@ -1,11 +1,11 @@ #include "Globals.h" -#include "SslConfig.h" -#include "EntropyContext.h" -#include "CtrDrbgContext.h" -#include "CryptoKey.h" -#include "X509Cert.h" +#include "mbedTLS++/SslConfig.h" + +#include "mbedTLS++/CryptoKey.h" +#include "mbedTLS++/EntropyContext.h" +#include "mbedTLS++/RootCA.h" // This allows us to debug SSL and certificate problems, but produce way too much output, @@ -225,7 +225,6 @@ void cSslConfig::SetCACerts(cX509CertPtr a_CACert) std::shared_ptr<cSslConfig> cSslConfig::MakeDefaultConfig(bool a_IsClient) { - // TODO: Default CA chain and SetAuthMode(eSslAuthMode::Required) auto Ret = std::make_shared<cSslConfig>(); Ret->InitDefaults(a_IsClient); @@ -236,7 +235,8 @@ std::shared_ptr<cSslConfig> cSslConfig::MakeDefaultConfig(bool a_IsClient) Ret->SetRng(std::move(CtrDrbg)); } - Ret->SetAuthMode(eSslAuthMode::None); // We cannot verify because we don't have a CA chain + Ret->SetAuthMode(eSslAuthMode::Required); + Ret->SetCACerts(GetCACerts()); #ifndef NDEBUG #ifdef ENABLE_SSL_DEBUG_MSG diff --git a/src/mbedTLS++/SslContext.cpp b/src/mbedTLS++/SslContext.cpp index 4847e9322..83bb1955e 100644 --- a/src/mbedTLS++/SslContext.cpp +++ b/src/mbedTLS++/SslContext.cpp @@ -82,10 +82,10 @@ int cSslContext::Initialize(bool a_IsClient) -void cSslContext::SetExpectedPeerName(const AString & a_ExpectedPeerName) +void cSslContext::SetExpectedPeerName(const std::string_view a_ExpectedPeerName) { ASSERT(m_IsValid); // Call Initialize() first - mbedtls_ssl_set_hostname(&m_Ssl, a_ExpectedPeerName.c_str()); + mbedtls_ssl_set_hostname(&m_Ssl, a_ExpectedPeerName.data()); } diff --git a/src/mbedTLS++/SslContext.h b/src/mbedTLS++/SslContext.h index 033749bf3..6343f7e43 100644 --- a/src/mbedTLS++/SslContext.h +++ b/src/mbedTLS++/SslContext.h @@ -54,7 +54,7 @@ public: /** Sets the SSL peer name expected for this context. Must be called after Initialize(). \param a_ExpectedPeerName CommonName that we expect the SSL peer to have in its cert, if it is different, the verification will fail. An empty string will disable the CN check. */ - void SetExpectedPeerName(const AString & a_ExpectedPeerName); + void SetExpectedPeerName(const std::string_view a_ExpectedPeerName); /** Writes data to be encrypted and sent to the SSL peer. Will perform SSL handshake, if needed. Returns the number of bytes actually written, or mbedTLS error code. |