authorBartlomiej Grzelewski <b.grzelewski@samsung.com>2017-10-17 16:47:59 +0200
committerTomasz Swierczek <t.swierczek@samsung.com>2017-12-20 05:55:03 +0000
commit11e039c51bb16e04ced894813a56946bff58c9ac (patch)
tree269af06e716e7a1cb63f54afe6d83ba9c1d793a6
parentb5096132b2b5aac5f654cb7a06e6bd5cb044e7dc (diff)
Support for http proxy during ocsp check
Change-Id: I4966c6dc08411491b419809be402ac8808027478
-rw-r--r--packaging/key-manager.spec1
-rw-r--r--src/CMakeLists.txt1
-rw-r--r--src/manager/service/ocsp.cpp73
3 files changed, 43 insertions, 32 deletions
diff --git a/packaging/key-manager.spec b/packaging/key-manager.spec
index b229120d..e037f122 100644
--- a/packaging/key-manager.spec
+++ b/packaging/key-manager.spec
@@ -29,6 +29,7 @@ BuildRequires: pkgconfig(cynara-creds-socket)
BuildRequires: pkgconfig(libtzplatform-config)
BuildRequires: pkgconfig(glib-2.0)
BuildRequires: pkgconfig(pkgmgr)
+BuildRequires: pkgconfig(vconf)
%if 0%{?watchdog_enabled}
BuildRequires: pkgconfig(argos_watchdog)
%endif
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index a784d15b..d4dfddbb 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -19,6 +19,7 @@ PKG_CHECK_MODULES(KEY_MANAGER_DEP
cynara-client-async
cynara-creds-socket
pkgmgr
+ vconf
${EXTRA_KM_DEPS}
)
FIND_PACKAGE(Threads REQUIRED)
diff --git a/src/manager/service/ocsp.cpp b/src/manager/service/ocsp.cpp
index 0b51bf5a..dcccf2ac 100644
--- a/src/manager/service/ocsp.cpp
+++ b/src/manager/service/ocsp.cpp
@@ -32,6 +32,7 @@
#include <certificate-impl.h>
#include <openssl_utils.h>
#include <ckm/ckm-error.h>
+#include <vconf.h>
/* Maximum leeway in validity period: default 5 minutes */
#define MAX_VALIDITY_PERIOD (5 * 60)
@@ -134,7 +135,7 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
OCSP_CERTID *certid = NULL;
BIO *cbio = NULL;
SSL_CTX *use_ssl_ctx = NULL;
- char *host = NULL, *port = NULL, *path = NULL;
+ std::string host, port, path;
ASN1_GENERALIZEDTIME *rev = NULL;
ASN1_GENERALIZEDTIME *thisupd = NULL;
ASN1_GENERALIZEDTIME *nextupd = NULL;
@@ -151,16 +152,48 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
std::vector<char> url(constUrl.begin(), constUrl.end());
url.push_back(0);
- if (!OCSP_parse_url(url.data(), &host, &port, &path, &use_ssl))
- /* report error */
- return CKM_API_OCSP_STATUS_INVALID_URL;
+ {
+ char *chost = NULL, *cport = NULL, *cpath = NULL;
+
+ if (!OCSP_parse_url(url.data(), &chost, &cport, &cpath, &use_ssl))
+ /* report error */
+ return CKM_API_OCSP_STATUS_INVALID_URL;
+
+ if (chost) host = chost;
+ if (cport) port = cport;
+ if (cpath) path = cpath;
+
+ OPENSSL_free(chost);
+ OPENSSL_free(cport);
+ OPENSSL_free(cpath);
+ }
LogDebug("Host: " << host);
LogDebug("Port: " << port);
LogDebug("Path: " << path);
LogDebug("Use_ssl: " << use_ssl);
- cbio = BIO_new_connect(host);
+ std::unique_ptr<char, decltype(free)*> proxy(vconf_get_str(VCONFKEY_NETWORK_PROXY), free);
+
+ if (proxy && strlen(proxy.get()) > 0) {
+ char *phost = NULL, *pport = NULL, *ppath = NULL;
+
+ LogDebug("Using proxy: " << proxy.get());
+
+ if (!OCSP_parse_url(proxy.get(), &phost, &pport, &ppath, &use_ssl)) {
+ return CKM_API_OCSP_STATUS_INVALID_URL;
+ }
+
+ path = url.data();
+ if (phost) host = phost;
+ if (pport) port = pport;
+
+ OPENSSL_free(phost);
+ OPENSSL_free(pport);
+ OPENSSL_free(ppath);
+ }
+
+ cbio = BIO_new_connect(host.c_str());
if (cbio == NULL) {
/*BIO_printf(bio_err, "Error creating connect BIO\n");*/
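Review bot: The proxy parse at `OCSP_parse_url(proxy.get(), &phost, &pport, &ppath, &use_ssl)` overwrites the `use_ssl` flag that the responder URL produced a few lines earlier, so an `https://` responder reached through an `http://` proxy is contacted in the clear with the https URL as the request path, which a plain HTTP proxy cannot forward without a CONNECT tunnel that this code never issues. Save the responder's scheme before the second parse, e.g. `const int target_ssl = use_ssl;`, and either refuse the combination (`if (target_ssl && !use_ssl) return CKM_API_OCSP_STATUS_INTERNAL_ERROR;`) or at least log it, rather than silently downgrading. A related availability point: OCSP_parse_url accepts only URLs with an `http://` or `https://` prefix, so if the VCONFKEY_NETWORK_PROXY value is stored as `host:port` the early `return CKM_API_OCSP_STATUS_INVALID_URL;` fails every OCSP check and mislabels a proxy misconfiguration as a bad responder URL — worth a distinct log line, if not a distinct status. The proxy value is a system-wide setting consumed verbatim, so it is worth documenting in a comment that whoever controls that key controls where all OCSP traffic is routed (responses stay signed, but reachability does not). ocsp_verify starts and ends outside this hunk.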
@@ -168,8 +201,8 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
}
- if (port != NULL)
- BIO_set_conn_port(cbio, port);
+ if (!port.empty())
+ BIO_set_conn_port(cbio, port.c_str());
if (use_ssl == 1) {
BIO *sbio = NULL;
@@ -201,18 +234,6 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
ERR_print_errors(bioLogger.get());
/* report error */
- /* free stuff */
- if (host != NULL)
- OPENSSL_free(host);
-
- if (port != NULL)
- OPENSSL_free(port);
-
- if (path != NULL)
- OPENSSL_free(path);
-
- host = port = path = NULL;
-
if (use_ssl && use_ssl_ctx)
SSL_CTX_free(use_ssl_ctx);
@@ -245,19 +266,7 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
}
- resp = OCSP_sendreq_bio(cbio, path, req);
-
- /* free some stuff we no longer need */
- if (host != NULL)
- OPENSSL_free(host);
-
- if (port != NULL)
- OPENSSL_free(port);
-
- if (path != NULL)
- OPENSSL_free(path);
-
- host = port = path = NULL;
+ resp = OCSP_sendreq_bio(cbio, path.c_str(), req);
if (use_ssl && use_ssl_ctx)
SSL_CTX_free(use_ssl_ctx);