Adds SecurityContext.useCertificateChainBytes

runtime/bin/secure_socket.cc

 // Copyright (c) 2012, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 #include "bin/secure_socket.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <sys/stat.h>
 #include <stdio.h>
@@ skipping 358 matching lines @@
     int error = ERR_get_error();
     Log::PrintErr("Failed: %s status %d", message, status);
     char error_string[SSL_ERROR_MESSAGE_BUFFER_SIZE];
     ERR_error_string_n(error, error_string, SSL_ERROR_MESSAGE_BUFFER_SIZE);
     Log::PrintErr("ERROR: %d %s\n", error, error_string);
   }
   ThrowIOException(status, type, message);
 }
 
 
-void FUNCTION_NAME(SecurityContext_UsePrivateKeyAsBytes)(
+void FUNCTION_NAME(SecurityContext_UsePrivateKeyBytes)(
     Dart_NativeArguments args) {
   SSL_CTX* context = GetSecurityContext(args);
 
   Dart_Handle key_object = ThrowIfError(Dart_GetNativeArgument(args, 1));
   if (!Dart_IsTypedData(key_object) && !Dart_IsList(key_object)) {
     Dart_ThrowException(DartUtils::NewDartArgumentError(
-        "keyBytes argument to SecurityContext.usePrivateKey "
+        "keyBytes argument to SecurityContext.usePrivateKeyBytes "
         "is not a List<int>"));
   }
 
   Dart_Handle password_object = ThrowIfError(Dart_GetNativeArgument(args, 2));
   const char* password = NULL;
   if (Dart_IsString(password_object)) {
     ThrowIfError(Dart_StringToCString(password_object, &password));
     if (strlen(password) > PEM_BUFSIZE - 1) {
       Dart_ThrowException(DartUtils::NewDartArgumentError(
         "SecurityContext.usePrivateKey password length is greater than"
@@ skipping 37 matching lines @@
   BIO_free(bio);
   if (is_typed_data) {
     ThrowIfError(Dart_TypedDataReleaseData(key_object));
   } else {
     delete[] key_bytes;
   }
 
   // TODO(24184): Handle different expected errors here - file missing,
   // incorrect password, file not a PEM, and throw exceptions.
   // CheckStatus should also throw an exception in uncaught cases.
-  CheckStatus(status, "TlsException", "Failure in usePrivateKey");
+  CheckStatus(status, "TlsException", "Failure in usePrivateKeyBytes");
 }
 
 
 void FUNCTION_NAME(SecurityContext_SetTrustedCertificates)(
     Dart_NativeArguments args) {
   SSL_CTX* context = GetSecurityContext(args);
   Dart_Handle filename_object = ThrowIfError(Dart_GetNativeArgument(args, 1));
   const char* filename = NULL;
   if (Dart_IsString(filename_object)) {
     ThrowIfError(Dart_StringToCString(filename_object, &filename));
@@ skipping 27 matching lines @@
   // PEM_read_bio_X509 reads PEM-encoded certificates from a bio (in our case,
   // backed by a memory buffer), and returns X509 objects, one by one.
   // When the end of the bio is reached, it returns null.
   while ((root_cert = PEM_read_bio_X509(roots_bio, NULL, NULL, NULL))) {
     X509_STORE_add_cert(store, root_cert);
   }
   BIO_free(roots_bio);
 }
 
 
-void FUNCTION_NAME(SecurityContext_UseCertificateChain)(
-    Dart_NativeArguments args) {
-  SSL_CTX* context = GetSecurityContext(args);
-  Dart_Handle filename_object = ThrowIfError(Dart_GetNativeArgument(args, 1));
-  const char* filename = NULL;
-  if (Dart_IsString(filename_object)) {
-    ThrowIfError(Dart_StringToCString(filename_object, &filename));
+static int UseChainBytes(
+    SSL_CTX* context, uint8_t* chain_bytes, intptr_t chain_bytes_len) {
+  int status = 0;
+  BIO* bio = BIO_new_mem_buf(chain_bytes, chain_bytes_len);
+  if (bio == NULL) {
+    return 0;
+  }
+
+  X509* x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL);
+  if (x509 == NULL) {
+    BIO_free(bio);
+    return 0;
+  }
+
+  status = SSL_CTX_use_certificate(context, x509);
+  if (ERR_peek_error() != 0) {
+    // Key/certificate mismatch doesn't imply status is 0.
+    status = 0;
+  }
+  if (status == 0) {
+    X509_free(x509);
+    BIO_free(bio);
+    return status;
+  }
+
+  SSL_CTX_clear_chain_certs(context);
+
+  while (true) {
+    X509* ca = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+    if (ca == NULL) {
+      break;
+    }
+    status = SSL_CTX_add0_chain_cert(context, ca);
+    if (status == 0) {
+      X509_free(ca);
+      X509_free(x509);
+      BIO_free(bio);
+      return status;
+    }
+    // Note that we must not free `ca` if it was successfully added to the
+    // chain. We must free the main certificate x509, though since its reference
+    // count is increased by SSL_CTX_use_certificate.
+  }
+
+  uint32_t err = ERR_peek_last_error();
+  if ((ERR_GET_LIB(err) == ERR_LIB_PEM) &&
+      (ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
+    // Reached the end of the buffer.
+    ERR_clear_error();
   } else {
-    Dart_ThrowException(DartUtils::NewDartArgumentError(
-        "file argument in SecurityContext.useCertificateChain"
-        " is not a String"));
+    // Some real error happened.
+    status = 0;
   }
-  int status = SSL_CTX_use_certificate_chain_file(context, filename);
-  CheckStatus(status,
-              "TlsException",
-              "Failure in useCertificateChain");
+
+  X509_free(x509);
+  BIO_free(bio);
+  return status;
 }
 
 
+void FUNCTION_NAME(SecurityContext_UseCertificateChainBytes)(
+    Dart_NativeArguments args) {
+  SSL_CTX* context = GetSecurityContext(args);
+
+  Dart_Handle chain_object = ThrowIfError(Dart_GetNativeArgument(args, 1));
+  if (!Dart_IsTypedData(chain_object) && !Dart_IsList(chain_object)) {
+    Dart_ThrowException(DartUtils::NewDartArgumentError(
+        "chainBytes argument to SecurityContext.useCertificateChainBytes "
+        "is not a List<int>"));
+  }
+
+  uint8_t* chain_bytes = NULL;
+  intptr_t chain_bytes_len = 0;
+  bool is_typed_data = false;
+  if (Dart_IsTypedData(chain_object)) {
+    is_typed_data = true;
+    Dart_TypedData_Type typ;
+    ThrowIfError(Dart_TypedDataAcquireData(
+        chain_object,
+        &typ,
+        reinterpret_cast<void**>(&chain_bytes),
+        &chain_bytes_len));
+  } else {
+    ASSERT(Dart_IsList(chain_object));
+    ThrowIfError(Dart_ListLength(chain_object, &chain_bytes_len));
+    chain_bytes = new uint8_t[chain_bytes_len];
+    Dart_Handle err =
+        Dart_ListGetAsBytes(chain_object, 0, chain_bytes, chain_bytes_len);
+    if (Dart_IsError(err)) {
+      delete[] chain_bytes;
+      Dart_PropagateError(err);
+    }
+  }
+  ASSERT(chain_bytes != NULL);
+
+  int status = UseChainBytes(context, chain_bytes, chain_bytes_len);
+
+  if (is_typed_data) {
+    ThrowIfError(Dart_TypedDataReleaseData(chain_object));
+  } else {
+    delete[] chain_bytes;
+  }
+  CheckStatus(status,
+              "TlsException",
+              "Failure in useCertificateChainBytes");
+}
+
+
 void FUNCTION_NAME(SecurityContext_SetClientAuthorities)(
     Dart_NativeArguments args) {
   SSL_CTX* context = GetSecurityContext(args);
   Dart_Handle filename_object = ThrowIfError(Dart_GetNativeArgument(args, 1));
   const char* filename = NULL;
   if (Dart_IsString(filename_object)) {
     ThrowIfError(Dart_StringToCString(filename_object, &filename));
   } else {
     Dart_ThrowException(DartUtils::NewDartArgumentError(
          "file argument in SecurityContext.setClientAuthorities"
@@ skipping 626 matching lines @@
     } else {
       if (SSL_LOG_DATA) Log::Print(
           "WriteEncrypted  BIO_read wrote %d bytes\n", bytes_processed);
     }
   }
   return bytes_processed;
 }
 
 }  // namespace bin
 }  // namespace dart