OSStatus addTrustedSecCert( SSLContextRef ctx, SecCertificateRef secCert, bool replaceAnchors) { OSStatus ortn; CFMutableArrayRef array; if(secCert == NULL) { printf("***addTrustedSecCert screwup\n"); return errSecParam; } array = CFArrayCreateMutable(kCFAllocatorDefault, (CFIndex)1, &kCFTypeArrayCallBacks); if(array == NULL) { return errSecAllocate; } CFArrayAppendValue(array, secCert); ortn = SSLSetTrustedRoots(ctx, array, replaceAnchors ? true : false); if(ortn) { printSslErrStr("SSLSetTrustedRoots", ortn); } CFRelease(array); return ortn; }
bool mongoc_secure_transport_setup_ca ( mongoc_stream_tls_secure_transport_t *secure_transport, mongoc_ssl_opt_t *opt) { if (opt->ca_file) { CFArrayRef items; SecExternalItemType type = kSecItemTypeCertificate; bool success = _mongoc_secure_transport_import_pem ( opt->ca_file, NULL, &items, &type); if (!success) { MONGOC_ERROR ("Can't find certificate in \"%s\"", opt->ca_file); return false; } if (type == kSecItemTypeAggregate) { CFMutableArrayRef anchors = CFArrayCreateMutable ( kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); for (CFIndex i = 0; i < CFArrayGetCount (items); ++i) { CFTypeID item_id = CFGetTypeID (CFArrayGetValueAtIndex (items, i)); if (item_id == SecCertificateGetTypeID ()) { CFArrayAppendValue (anchors, CFArrayGetValueAtIndex (items, i)); } } secure_transport->anchors = anchors; CFRelease (items); } else if (type == kSecItemTypeCertificate) { secure_transport->anchors = items; } else { CFRelease (items); } /* This should be SSLSetCertificateAuthorities But the /TLS/ tests fail * when it is */ success = !SSLSetTrustedRoots ( secure_transport->ssl_ctx_ref, secure_transport->anchors, true); TRACE ("Setting certificate authority %s (%s)", success ? "succeeded" : "failed", opt->ca_file); return true; } TRACE ("%s", "No CA provided, using defaults"); return false; }
Connection::Connection(Context& ctx, std::ios& ios, OpenMode omode) : _ctx(&ctx) , _context(0) , _ios(&ios) , _iocount(0) , _connected(false) , _wantRead(false) , _isReading(false) , _isWriting(false) , _receivedShutdown(false) , _sentShutdown(false) { Boolean isServer = (omode == Accept); SSLNewContext(isServer, &_context); SSLSetConnection(_context, (SSLConnectionRef) this); SSLSetIOFuncs(_context, &Connection::sslReadCallback, &Connection::sslWriteCallback); SSLSetProtocolVersionEnabled(_context, kSSLProtocolAll, false); switch(_ctx->protocol()) { case SSLv2: SSLSetProtocolVersionEnabled(_context, kSSLProtocol2, true); break; case SSLv3or2: SSLSetProtocolVersionEnabled(_context, kSSLProtocol2, true); SSLSetProtocolVersionEnabled(_context, kSSLProtocol3, true); break; default: case SSLv3: SSLSetProtocolVersionEnabled(_context, kSSLProtocol3, true); break; case TLSv1: SSLSetProtocolVersionEnabled(_context, kTLSProtocol1, true); break; } if(isServer) { #ifdef PT_IOS SSLSetEnableCertVerify(_context, false); SSLSetSessionOption(_context, kSSLSessionOptionBreakOnClientAuth, true); #else if(_ctx->verifyMode() == NoVerify) { SSLSetClientSideAuthenticate(_context, kNeverAuthenticate); } else if(_ctx->verifyMode() == TryVerify) { SSLSetClientSideAuthenticate(_context, kTryAuthenticate); } else if(_ctx->verifyMode() == AlwaysVerify) { SSLSetClientSideAuthenticate(_context, kAlwaysAuthenticate); } CFArrayRef caArr = _ctx->impl()->caCertificates(); SSLSetCertificateAuthorities(_context, caArr, true); SSLSetTrustedRoots(_context, caArr, true); #endif } else { SSLSetEnableCertVerify(_context, false); SSLSetSessionOption(_context, kSSLSessionOptionBreakOnServerAuth, true); } // certificates to present to peer CFArrayRef certs = _ctx->impl()->certificates(); if(certs) { log_debug("using " << CFArrayGetCount(certs) << " certificates"); SSLSetCertificate(_context, certs); } }