net: detect DigiCert Global Root G2 ca #966

merged 2 commits into from
May 22, 2024
5 changes: 3 additions & 2 deletions .github/workflows/releases-mingw.yml
Original file line number Diff line number Diff line change
Expand Up @@ -164,10 +164,11 @@ jobs:
vcredist_x64.exe /install /quiet /norestart
del vcredist_x64.exe
- name: Run unittests
shell: bash
run: |
cd build-mingw
yass_test
yass_benchmark
./yass_test
./yass_benchmark
- name: Upload dist tarball
if: ${{ github.event_name == 'release' }}
env:
33 changes: 21 additions & 12 deletions src/net/asio_ssl.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -259,6 +259,7 @@ bool IsNotAcceptableIntermediate(const bssl::ParsedCertificate* cert, const CFSt

static bool found_isrg_root_x1 = false;
static bool found_isrg_root_x2 = false;
static bool found_digicert_root_g2 = false;

void print_openssl_error() {
const char* file;
Expand Down Expand Up @@ -287,16 +288,20 @@ static bool load_ca_cert_to_x509_trust(X509_STORE* store, bssl::UniquePtr<X509>
X509_NAME_ENTRY* entry = X509_NAME_get_entry(X509_get_subject_name(cert.get()), lastpos);

const ASN1_STRING* value = X509_NAME_ENTRY_get_data(entry);
std::string commonName((const char*)ASN1_STRING_get0_data(value), ASN1_STRING_length(value));
// TODO check commonName with "ISRG Root X1" and "ISRG Root X2"
if (commonName == "ISRG Root X1") {
LOG(INFO) << "Loading ISRG Root X1 CA";
std::string_view commonName((const char*)ASN1_STRING_get0_data(value), ASN1_STRING_length(value));
using std::string_view_literals::operator""sv;
if (commonName == "ISRG Root X1"sv) {
VLOG(1) << "Loading ISRG Root X1 CA";
found_isrg_root_x1 = true;
}
if (commonName == "ISRG Root X2") {
LOG(INFO) << "Loading ISRG Root X2 CA";
if (commonName == "ISRG Root X2"sv) {
VLOG(1) << "Loading ISRG Root X2 CA";
found_isrg_root_x2 = true;
}
if (commonName == "DigiCert Global Root G2"sv) {
VLOG(1) << "Loading DigiCert Global Root G2 CA";
found_digicert_root_g2 = true;
}
}

if (X509_STORE_add_cert(store, cert.get()) == 1) {
Expand All @@ -323,8 +328,8 @@ static bool load_ca_content_to_x509_trust(X509_STORE* store, std::string_view ca
return load_ca_cert_to_x509_trust(store, std::move(cert));
}

static const char kEndCertificateMark[] = "-----END CERTIFICATE-----\n";
static int load_ca_to_ssl_ctx_from_mem(SSL_CTX* ssl_ctx, const std::string_view& cadata) {
static constexpr std::string_view kEndCertificateMark = "-----END CERTIFICATE-----";
static int load_ca_to_ssl_ctx_from_mem(SSL_CTX* ssl_ctx, std::string_view cadata) {
X509_STORE* store = nullptr;
int count = 0;
store = SSL_CTX_get_cert_store(ssl_ctx);
Expand All @@ -339,7 +344,7 @@ static int load_ca_to_ssl_ctx_from_mem(SSL_CTX* ssl_ctx, const std::string_view&
}
end += sizeof(kEndCertificateMark) - 1;

std::string_view cacert(cadata.data() + pos, end - pos);
std::string_view cacert = cadata.substr(pos, end);
if (load_ca_content_to_x509_trust(store, cacert)) {
++count;
}
Expand Down Expand Up @@ -670,6 +675,7 @@ static int load_ca_to_ssl_ctx_system(SSL_CTX* ssl_ctx) {
void load_ca_to_ssl_ctx(SSL_CTX* ssl_ctx) {
found_isrg_root_x1 = false;
found_isrg_root_x2 = false;
found_digicert_root_g2 = false;
load_ca_to_ssl_ctx_cacert(ssl_ctx);

#ifdef HAVE_BUILTIN_CA_BUNDLE_CRT
Expand All @@ -696,12 +702,15 @@ void load_ca_to_ssl_ctx(SSL_CTX* ssl_ctx) {
}

// TODO we can add the missing CA if required
if (!found_isrg_root_x1 || !found_isrg_root_x2) {
if (!found_isrg_root_x1 || !found_isrg_root_x2 || !found_digicert_root_g2) {
if (!found_isrg_root_x1) {
LOG(WARNING) << "Missing ISRG Root X1 CA";
LOG(INFO) << "Missing ISRG Root X1 CA";
}
if (!found_isrg_root_x2) {
LOG(WARNING) << "Missing ISRG Root X2 CA";
LOG(INFO) << "Missing ISRG Root X2 CA";
}
if (!found_digicert_root_g2) {
LOG(INFO) << "Missing DigiCert Global Root G2 CA";
}
std::string_view ca_content(_binary_supplementary_ca_bundle_crt_start,
_binary_supplementary_ca_bundle_crt_end - _binary_supplementary_ca_bundle_crt_start);
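Review bot: In load_ca_to_ssl_ctx_from_mem, the unchanged line `end += sizeof(kEndCertificateMark) - 1;` is now wrong because kEndCertificateMark became a `std::string_view`: `sizeof` yields the size of the view object (typically 16 on 64-bit targets), not the 25-character marker, so `end` is advanced to a point inside "-----END CERTIFICATE-----" rather than past it; it should read `end += kEndCertificateMark.size();`. The new `std::string_view cacert = cadata.substr(pos, end);` passes an absolute offset where `substr` expects a count, so each `cacert` view extends from `pos` to the end of the bundle instead of stopping at `end`; the original arithmetic should be kept as `cadata.substr(pos, end - pos)`. Whether loading still succeeds by accident depends on how the find loop re-anchors on the next BEGIN marker and on how load_ca_content_to_x509_trust treats trailing data after the first PEM block, neither of which is visible here, but the slicing is incorrect either way and can mis-count or mis-parse certificates in a bundle. The loop that contains both lines starts and ends outside the hunk.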