[omniORB-dev] Patch providing new omniORB 4.0.5 SSL certificate management options
Jonathan Biggar
jon at levanta.com
Wed Aug 3 15:28:23 BST 2005
Attached is a patch to omniORB 4.0.5 that provides two new features:
1. Not setting a private SSL certificate or private key in the
sslContext object is no longer treated as a fatal error. This allows
omniORB applications to use SSL in contexts where client-side
authentication via certificates is not necessary. In our application,
for example, authentication is done with a specific IDL operation which
returns a token that is provided in future invocations as a GIOP context
via a client request interceptor.
2. Adds a peeridentity() function to giopConnection that returns the
subject name embedded in the peer's certificate if the connection is
running over SSL and a certificate was received. Otherwise it returns a
null pointer. This allows an omniORB interceptor to determine if the
connection peer authenticated with a certificate, and if so, what its
principal's name is. Our application uses this feature to distinguish
between clients that can authenticate with a certificate and those that
must authenticate via other means. It also allows our application to
authorize access to IDL operations based on how the client
authenticated itself and the client's identity.
--
Jon Biggar
Levanta
jon at levanta.com
--- omniORB-4.0.5/src/lib/omniORB/orbcore/ssl/sslContext.cc.orig 2004-02-11 07:44:54.000000000 -0800
+++ omniORB-4.0.5/src/lib/omniORB/orbcore/ssl/sslContext.cc 2005-06-16 13:08:44.000000000 -0700
@@ -197,12 +197,12 @@
{
struct stat buf;
if (!pd_keyfile || stat(pd_keyfile,&buf) < 0) {
- if (omniORB::trace(1)) {
+ if (omniORB::trace(5)) {
omniORB::logger log;
- log << "Error: sslContext certificate file is not set "
+ log << "sslContext certificate file is not set "
<< "or cannot be found\n";
}
- OMNIORB_THROW(INITIALIZE,INITIALIZE_TransportError,CORBA::COMPLETED_NO);
+ return;
}
}
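Review bot: the downgrade from a fatal INITIALIZE exception to a trace level 5 message also covers the misconfigured case, since the condition `!pd_keyfile || stat(pd_keyfile,&buf) < 0` folds "no certificate configured" together with "certificate configured but the file cannot be found"; a server with a mistyped certificate path now starts silently without a certificate instead of refusing to start. Suggest splitting the two: `if (!pd_keyfile) return;` with a message for the intentional case, keeping the OMNIORB_THROW for a configured file that stat() cannot find, and logging the deliberate no-certificate mode at trace level 1 rather than 5 so operators can see that the process is running without a certificate.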
@@ -234,11 +234,11 @@
sslContext::set_privatekey() {
if (!pd_password) {
- if (omniORB::trace(1)) {
+ if (omniORB::trace(5)) {
omniORB::logger log;
- log << "Error: sslContext private key file is not set\n";
+ log << "sslContext private key is not set\n";
}
- OMNIORB_THROW(INITIALIZE,INITIALIZE_TransportError,CORBA::COMPLETED_NO);
+ return;
}
ssl_password = pd_password;
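Review bot: returning early when pd_password is unset means a certificate can be loaded by set_certificate() while no private key is ever installed, and the half-configured context only fails later as an opaque OpenSSL error at handshake time; suggest checking that certificate and key are either both configured or both absent and throwing on the mismatch. The reworded message "sslContext private key is not set" is an improvement, since the condition tests the password rather than a key file, but the same trace(5) visibility concern as in set_certificate() applies.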
--- omniORB-4.0.5/src/lib/omniORB/orbcore/ssl/sslConnection.h.orig 2004-04-08 03:02:21.000000000 -0700
+++ omniORB-4.0.5/src/lib/omniORB/orbcore/ssl/sslConnection.h 2005-06-16 13:47:54.000000000 -0700
@@ -80,6 +80,8 @@
const char* peeraddress();
+ const char *peeridentity();
+
void setSelectable(CORBA::Boolean now = 0,CORBA::Boolean data_in_buffer = 0);
void clearSelectable();
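Review bot: the new declaration `const char *peeridentity();` uses different pointer spacing from the adjacent `const char* peeraddress();` and carries no comment on its contract; suggest matching the existing style and documenting that the returned string is owned by the connection and that a null return means no verified peer certificate was presented, which is the behaviour the covering message describes.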
@@ -101,7 +103,7 @@
SocketCollection* pd_belong_to;
CORBA::String_var pd_myaddress;
CORBA::String_var pd_peeraddress;
-
+ CORBA::String_var pd_peeridentity;
};
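Review bot: pd_peeridentity depends on CORBA::String_var's default constructor for its null initial value, which is correct but implicit; a one-line comment at the declaration stating that it stays null unless a verified peer certificate was received would make the invariant that peeridentity() relies on visible where the member is declared.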
--- omniORB-4.0.5/src/lib/omniORB/orbcore/ssl/sslConnection.cc.orig 2004-04-08 03:02:21.000000000 -0700
+++ omniORB-4.0.5/src/lib/omniORB/orbcore/ssl/sslConnection.cc 2005-06-16 14:07:01.000000000 -0700
@@ -329,6 +329,10 @@
return (const char*)pd_peeraddress;
}
+const char*
+sslConnection::peeridentity() {
+ return (const char *)pd_peeridentity;
+}
/////////////////////////////////////////////////////////////////////////
sslConnection::sslConnection(SocketHandle_t sock,::SSL* ssl,
SocketCollection* belong_to) :
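Review bot: peeridentity() hands out the raw pointer held by pd_peeridentity, so the string is only valid for the lifetime of the sslConnection and an interceptor must copy it rather than retain the pointer; that is worth stating in a comment, as for peeraddress(). The `(const char *)` cast also differs in spacing from the `(const char*)` cast two lines above it.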
@@ -361,6 +365,22 @@
SocketSetCloseOnExec(sock);
belong_to->addSocket(this);
+
+ // determine our peer identity, if there is one
+ X509 *peer_cert = SSL_get_peer_certificate(pd_ssl);
+
+ if (peer_cert) {
+ if (SSL_get_verify_result(pd_ssl) != X509_V_OK)
+ return;
+
+ char buf[1024];
+
+ X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert),
+ NID_commonName, buf, sizeof(buf));
+
+ pd_peeridentity = CORBA::string_dup(buf);
+ X509_free(peer_cert);
+ }
}
/////////////////////////////////////////////////////////////////////////
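Review bot: the early `return;` taken when SSL_get_verify_result() is not X509_V_OK skips the X509_free(peer_cert) below it, so every connection that presents a certificate failing verification leaks the reference that SSL_get_peer_certificate() returned; restructure so the free runs on every path, for example `if (SSL_get_verify_result(pd_ssl) == X509_V_OK) { ... }` around the extraction with X509_free(peer_cert) unconditionally after it. The return value of X509_NAME_get_text_by_NID() is also ignored: it returns -1 when the subject has no commonName, leaving buf uninitialised before CORBA::string_dup copies it, and the returned length should be compared with strlen(buf) so a name containing an embedded NUL is rejected rather than silently truncated. Finally, the covering message says the function returns the subject name, but only the commonName attribute is extracted; if callers authorise on this value, either document that limitation or expose the full subject DN (X509_NAME_oneline() or X509_NAME_print_ex()) so certificates that differ only outside the CN are not conflated.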
--- omniORB-4.0.5/include/omniORB4/giopEndpoint.h.orig 2004-04-08 03:02:18.000000000 -0700
+++ omniORB-4.0.5/include/omniORB4/giopEndpoint.h 2005-06-16 14:07:56.000000000 -0700
@@ -94,7 +94,7 @@
virtual const char* myaddress() = 0;
virtual const char* peeraddress() = 0;
-
+ virtual const char *peeridentity() { return 0; }
virtual void setSelectable(_CORBA_Boolean now = 0,
_CORBA_Boolean data_in_buffer = 0) = 0;
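Review bot: adding a new virtual function to the class in the public giopEndpoint.h changes its vtable layout, so transport plugins or applications compiled against the unpatched 4.0.5 headers will misbehave until rebuilt; this deserves a mention in the change description or a comment in the header. Style: `const char *peeridentity()` should match the `const char* peeraddress()` spacing of the adjacent declarations, and the default `return 0;` warrants a comment that transports without peer authentication return null by design.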