You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@activemq.apache.org by ta...@apache.org on 2010/05/13 23:54:28 UTC
svn commit: r944025 -
/activemq/activemq-cpp/trunk/activemq-cpp/src/main/decaf/internal/net/ssl/openssl/OpenSSLContextSpi.cpp
Author: tabish
Date: Thu May 13 21:54:28 2010
New Revision: 944025
URL: http://svn.apache.org/viewvc?rev=944025&view=rev
Log:
https://issues.apache.org/activemq/browse/AMQCPP-140
Make an attempt to setup the KeyStore and TrustStore for OpenSSL based on decaf properties.
Modified:
activemq/activemq-cpp/trunk/activemq-cpp/src/main/decaf/internal/net/ssl/openssl/OpenSSLContextSpi.cpp
Modified: activemq/activemq-cpp/trunk/activemq-cpp/src/main/decaf/internal/net/ssl/openssl/OpenSSLContextSpi.cpp
URL: http://svn.apache.org/viewvc/activemq/activemq-cpp/trunk/activemq-cpp/src/main/decaf/internal/net/ssl/openssl/OpenSSLContextSpi.cpp?rev=944025&r1=944024&r2=944025&view=diff
==============================================================================
--- activemq/activemq-cpp/trunk/activemq-cpp/src/main/decaf/internal/net/ssl/openssl/OpenSSLContextSpi.cpp (original)
+++ activemq/activemq-cpp/trunk/activemq-cpp/src/main/decaf/internal/net/ssl/openssl/OpenSSLContextSpi.cpp Thu May 13 21:54:28 2010
@@ -194,13 +194,39 @@ void OpenSSLContextSpi::providerInit( Se
throw OpenSSLSocketException( __FILE__, __LINE__ );
}
- // Here we load the configured KeyStore and TrustStore files
- std::string keyStorePath = System::getenv( "decaf.net.ssl.keyStore" );
- std::string keyStoreFile = System::getenv( "decaf.net.ssl.keyStoreFile" );
- std::string keyStorePassword = System::getenv( "decaf.net.ssl.keyStorePassword" );
- std::string trustStorePath = System::getenv( "decaf.net.ssl.trustStore" );
- std::string trustStoreFile = System::getenv( "decaf.net.ssl.trustStoreFile" );
- std::string trustStorePassword = System::getenv( "decaf.net.ssl.trustStorePassword" );
+ // Here we load the configured KeyStore, this is where the client and server certificate are
+ // stored, a client doesn't necessary need this if the server doesn't enforce client authentication.
+ std::string keyStorePath = System::getProperty( "decaf.net.ssl.keyStore" );
+ this->data->password = System::getProperty( "decaf.net.ssl.keyStorePassword" );
+
+ // We assume the Public and Private keys are in the same file.
+ if( !keyStorePath.empty() ) {
+ if( SSL_CTX_use_certificate_chain_file( this->data->openSSLContext, keyStorePath.c_str() ) != 1 ) {
+ throw OpenSSLSocketException( __FILE__, __LINE__ );
+ }
+ if( SSL_CTX_use_PrivateKey_file( this->data->openSSLContext, keyStorePath.c_str(), SSL_FILETYPE_PEM ) != 1 ) {
+ throw OpenSSLSocketException( __FILE__, __LINE__ );
+ }
+ }
+
+ // Here we load the configured TrustStore, this is where the trusted certificates are stored
+ // and are used to validate that we trust the Certificate sent by the server or client.
+ // A server might not need this if its not going to enforce client authentication.
+ std::string trustStorePath = System::getProperty( "decaf.net.ssl.trustStore" );
+
+ // OpenSSL sort of assumes that the trust store files won't require a password so we just
+ // ignore the trustStorePassword for now.
+ // std::string trustStorePassword = System::getProperty( "decaf.net.ssl.trustStorePassword" );
+
+ // We only consider trust store's that consist of a PEM encoded file, we could try and
+ // check for the extension and assume its a directory if not there, but the OpenSSL
+ // directory restrictions for Certificates make using a directory rather complicated
+ // for the user so only do it if someone asks really nicely.
+ if( !trustStorePath.empty() ) {
+ if( SSL_CTX_load_verify_locations( this->data->openSSLContext, trustStorePath.c_str(), NULL ) != 1 ) {
+ throw OpenSSLSocketException( __FILE__, __LINE__ );
+ }
+ }
// Now seed the OpenSSL RNG.
std::vector<unsigned char> seed( 128 );