You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@subversion.apache.org by st...@apache.org on 2014/03/03 18:28:11 UTC

svn commit: r1573625 - in /subversion/trunk/subversion: include/svn_config.h libsvn_subr/ssl_server_trust_providers.c

Author: stsp
Date: Mon Mar  3 17:28:10 2014
New Revision: 1573625

URL: http://svn.apache.org/r1573625
Log:
Store human-readable information about SSL certificates in the auth store.

This info will later be displayed by 'svn auth', which currently parses
cached SSL certificates to obtain the same information. This new information
can also be accessed by third party clients more easily.

Suggested by: rhuijben

* subversion/include/svn_config.h
  (SVN_CONFIG_AUTHN_HOSTNAME_KEY,
   SVN_CONFIG_AUTHN_FINGERPRINT_KEY,
   SVN_CONFIG_AUTHN_VALID_FROM_KEY,
   SVN_CONFIG_AUTHN_VALID_UNTIL_KEY,
   SVN_CONFIG_AUTHN_ISSUER_DN_KEY): New hash key contants. Adjust the docstring
    for this group of constants which implied that all contants defined here
    were already present before 1.9.

* subversion/libsvn_subr/ssl_server_trust_providers.c
  (ssl_server_trust_file_first_credentials): When reading a cert hash which
   lacks the new human-readable info, add the info and save the cert.
   The idea is to update existing data if possible. However, in practice
   this function will only be called if verification of a cached cert
   suddenly fails. So in most cases only newly saved certs will have
   human-readable information.
  (ssl_server_trust_file_save_credentials): Save new human-readable cert info.

Modified:
    subversion/trunk/subversion/include/svn_config.h
    subversion/trunk/subversion/libsvn_subr/ssl_server_trust_providers.c

Modified: subversion/trunk/subversion/include/svn_config.h
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/include/svn_config.h?rev=1573625&r1=1573624&r2=1573625&view=diff
==============================================================================
--- subversion/trunk/subversion/include/svn_config.h (original)
+++ subversion/trunk/subversion/include/svn_config.h Mon Mar  3 17:28:10 2014
@@ -676,8 +676,9 @@ svn_config_ensure(const char *config_dir
  *
  * The values of these keys are C strings.
  *
- * @note These hash keys were also used in versions < 1.9 but were
- *       not part of the public API (except #SVN_CONFIG_REALMSTRING_KEY).
+ * @note Some of these hash keys were also used in versions < 1.9 but were
+ *       not part of the public API (except #SVN_CONFIG_REALMSTRING_KEY which
+ *       has been present since 1.0).
  *
  * @defgroup cached_authentication_data_attributes
  * @{
@@ -728,6 +729,32 @@ svn_config_ensure(const char *config_dir
  */
 #define SVN_CONFIG_AUTHN_FAILURES_KEY           "failures"
 
+/** A hash-key for a hostname, such as hostnames in SSL certificates.
+ * @since New in 1.9.
+ */
+#define SVN_CONFIG_AUTHN_HOSTNAME_KEY           "hostname"
+
+/** A hash-key for a fingerprint, such as fingerprints in SSL certificates.
+ * @since New in 1.9.
+ */
+#define SVN_CONFIG_AUTHN_FINGERPRINT_KEY        "fingerprint"
+
+/** A hash-key for a valid-from date, such as dates in SSL certificates.
+ * @since New in 1.9.
+ */
+#define SVN_CONFIG_AUTHN_VALID_FROM_KEY         "valid_from"
+
+/** A hash-key for a valid-to date, such as dates in SSL certificates.
+ * @since New in 1.9.
+ */
+#define SVN_CONFIG_AUTHN_VALID_UNTIL_KEY        "valid_until"
+
+/** A hash-key for an issuer distinguished name, such as issuer names
+ * in SSL certificates.
+ * @since New in 1.9.
+ */
+#define SVN_CONFIG_AUTHN_ISSUER_DN_KEY        "issuer_dn"
+
 /** @} */
 
 /** Use @a cred_kind and @a realmstring to locate a file within the

Modified: subversion/trunk/subversion/libsvn_subr/ssl_server_trust_providers.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_subr/ssl_server_trust_providers.c?rev=1573625&r1=1573624&r2=1573625&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_subr/ssl_server_trust_providers.c (original)
+++ subversion/trunk/subversion/libsvn_subr/ssl_server_trust_providers.c Mon Mar  3 17:28:10 2014
@@ -75,13 +75,57 @@ ssl_server_trust_file_first_credentials(
       if (failstr)
         SVN_ERR(svn_cstring_atoui(&last_failures, failstr->data));
 
-      /* If the cert is trusted and there are no new failures, we
-       * accept it by clearing all failures. */
       if (trusted_cert &&
-          svn_string_compare(this_cert, trusted_cert) &&
-          (*failures & ~last_failures) == 0)
+          svn_string_compare(this_cert, trusted_cert))
         {
-          *failures = 0;
+          svn_boolean_t save_cert = FALSE;
+
+          /* If the cert is trusted and there are no new failures, we
+           * accept it by clearing all failures. */
+          if ((*failures & ~last_failures) == 0)
+            {
+              *failures = 0;
+            }
+
+          /* If the on-disk cert info is lacking new-in-1.9 human-readable
+             info, add the info now and save the cert. */
+          if (!svn_hash_gets(creds_hash, SVN_CONFIG_AUTHN_HOSTNAME_KEY))
+            {
+              svn_hash_sets(creds_hash, SVN_CONFIG_AUTHN_HOSTNAME_KEY,
+                            svn_string_create(cert_info->hostname, pool));
+              save_cert = TRUE;
+            }
+          if (!svn_hash_gets(creds_hash, SVN_CONFIG_AUTHN_FINGERPRINT_KEY))
+            {
+              svn_hash_sets(creds_hash, SVN_CONFIG_AUTHN_FINGERPRINT_KEY,
+                            svn_string_create(cert_info->fingerprint, pool));
+              save_cert = TRUE;
+            }
+          if (!svn_hash_gets(creds_hash, SVN_CONFIG_AUTHN_VALID_FROM_KEY))
+            {
+              svn_hash_sets(creds_hash, SVN_CONFIG_AUTHN_VALID_FROM_KEY,
+                            svn_string_create(cert_info->valid_from, pool));
+              save_cert = TRUE;
+            }
+          if (!svn_hash_gets(creds_hash, SVN_CONFIG_AUTHN_VALID_UNTIL_KEY))
+            {
+              svn_hash_sets(creds_hash, SVN_CONFIG_AUTHN_VALID_UNTIL_KEY,
+                            svn_string_create(cert_info->valid_until, pool));
+              save_cert = TRUE;
+            }
+          if (!svn_hash_gets(creds_hash, SVN_CONFIG_AUTHN_ISSUER_DN_KEY))
+            {
+              svn_hash_sets(creds_hash, SVN_CONFIG_AUTHN_ISSUER_DN_KEY,
+                            svn_string_create(cert_info->issuer_dname, pool));
+              save_cert = TRUE;
+            }
+
+          if (save_cert)
+            SVN_ERR(svn_config_write_auth_data(creds_hash,
+                                               SVN_AUTH_CRED_SSL_SERVER_TRUST,
+                                               realmstring,
+                                               config_dir,
+                                               pool));
         }
     }
 
@@ -124,6 +168,16 @@ ssl_server_trust_file_save_credentials(s
   svn_hash_sets(creds_hash, SVN_CONFIG_AUTHN_FAILURES_KEY,
                 svn_string_createf(pool, "%lu",
                                    (unsigned long)creds->accepted_failures));
+  svn_hash_sets(creds_hash, SVN_CONFIG_AUTHN_HOSTNAME_KEY,
+                svn_string_create(cert_info->hostname, pool));
+  svn_hash_sets(creds_hash, SVN_CONFIG_AUTHN_FINGERPRINT_KEY,
+                svn_string_create(cert_info->fingerprint, pool));
+  svn_hash_sets(creds_hash, SVN_CONFIG_AUTHN_VALID_FROM_KEY,
+                svn_string_create(cert_info->valid_from, pool));
+  svn_hash_sets(creds_hash, SVN_CONFIG_AUTHN_VALID_UNTIL_KEY,
+                svn_string_create(cert_info->valid_until, pool));
+  svn_hash_sets(creds_hash, SVN_CONFIG_AUTHN_ISSUER_DN_KEY,
+                svn_string_create(cert_info->issuer_dname, pool));
 
   SVN_ERR(svn_config_write_auth_data(creds_hash,
                                      SVN_AUTH_CRED_SSL_SERVER_TRUST,