Add BasicTransportCertificate

Summary: Add a basic transport cert with only the needed fields. Reviewed By: knekritz Differential Revision: D14429070 fbshipit-source-id: 6728310f75a17e3640025f689b69ffcc3f829522

Add BasicTransportCertificate
Summary: Add a basic transport cert with only the needed fields. Reviewed By: knekritz Differential Revision: D14429070 fbshipit-source-id: 6728310f75a17e3640025f689b69ffcc3f829522
72080476 · Neel Goyal · Facebook Github Bot · cc4f4f61 · 72080476 · 72080476
Commit 72080476 authored Mar 18, 2019 by Neel Goyal Committed by Facebook Github Bot Mar 18, 2019
3 changed files
--- a/folly/io/async/AsyncSSLSocket.cpp
+++ b/folly/io/async/AsyncSSLSocket.cpp
@@ -30,6 +30,7 @@
 #include <folly/SpinLock.h>
 #include <folly/io/Cursor.h>
 #include <folly/io/IOBuf.h>
+#include <folly/io/async/ssl/BasicTransportCertificate.h>
 #include <folly/lang/Bits.h>
 #include <folly/portability/OpenSSL.h>

@@ -70,25 +71,6 @@ inline bool zero_return(int error, int rc) {
  return (error == SSL_ERROR_ZERO_RETURN || (rc == 0 && errno == 0));
 }

-class AsyncSSLCertificate : public folly::AsyncTransportCertificate {
- public:
-  // assumed to be non null
-  explicit AsyncSSLCertificate(folly::ssl::X509UniquePtr x509)
-      : x509_(std::move(x509)) {}
-
-  folly::ssl::X509UniquePtr getX509() const override {
-    X509_up_ref(x509_.get());
-    return folly::ssl::X509UniquePtr(x509_.get());
-  }
-
-  std::string getIdentity() const override {
-    return OpenSSLUtils::getCommonName(x509_.get());
-  }
-
- private:
-  folly::ssl::X509UniquePtr x509_;
-};
-
 class AsyncSSLSocketConnector : public AsyncSocket::ConnectCallback,
                                public AsyncSSLSocket::HandshakeCB {
 private:
@@ -940,7 +922,9 @@ const AsyncTransportCertificate* AsyncSSLSocket::getPeerCertificate() const {
    if (peerX509) {
      // already up ref'd
      folly::ssl::X509UniquePtr peer(peerX509);
-      peerCertData_ = std::make_unique<AsyncSSLCertificate>(std::move(peer));
+      auto cn = OpenSSLUtils::getCommonName(peerX509);
+      peerCertData_ = std::make_unique<BasicTransportCertificate>(
+          std::move(cn), std::move(peer));
    }
  }
  return peerCertData_.get();
@@ -956,7 +940,9 @@ const AsyncTransportCertificate* AsyncSSLSocket::getSelfCertificate() const {
      // need to upref
      X509_up_ref(selfX509);
      folly::ssl::X509UniquePtr peer(selfX509);
-      selfCertData_ = std::make_unique<AsyncSSLCertificate>(std::move(peer));
+      auto cn = OpenSSLUtils::getCommonName(selfX509);
+      selfCertData_ = std::make_unique<BasicTransportCertificate>(
+          std::move(cn), std::move(peer));
    }
  }
  return selfCertData_.get();
@@ -1015,8 +1001,7 @@ bool AsyncSSLSocket::willBlock(
        return false;
      }

-      auto asyncPipeReader =
-          AsyncPipeReader::newReader(eventBase_, NetworkSocket(ofd).toFd());
+      auto asyncPipeReader = AsyncPipeReader::newReader(eventBase_, ofd);
      auto asyncPipeReaderPtr = asyncPipeReader.get();
      if (!asyncOperationFinishCallback_) {
        asyncOperationFinishCallback_.reset(

--- a/folly/io/async/ssl/BasicTransportCertificate.h
+++ b/folly/io/async/ssl/BasicTransportCertificate.h
+/*
+ * Copyright 2019-present Facebook, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include <folly/io/async/AsyncTransportCertificate.h>
+#include <memory>
+
+namespace folly {
+namespace ssl {
+
+class BasicTransportCertificate : public folly::AsyncTransportCertificate {
+ public:
+  // Create a basic transport cert from an existing one.  Returns nullptr
+  // if cert is null.
+  static std::unique_ptr<BasicTransportCertificate> create(
+      const folly::AsyncTransportCertificate* cert) {
+    if (!cert) {
+      return nullptr;
+    }
+    return std::make_unique<BasicTransportCertificate>(
+        cert->getIdentity(), cert->getX509());
+  }
+
+  BasicTransportCertificate(
+      std::string identity,
+      folly::ssl::X509UniquePtr x509)
+      : identity_(std::move(identity)), x509_(std::move(x509)) {}
+
+  std::string getIdentity() const override {
+    return identity_;
+  }
+
+  folly::ssl::X509UniquePtr getX509() const override {
+    if (!x509_) {
+      return nullptr;
+    }
+    auto x509raw = x509_.get();
+    X509_up_ref(x509raw);
+    return folly::ssl::X509UniquePtr(x509raw);
+  }
+
+ private:
+  std::string identity_;
+  folly::ssl::X509UniquePtr x509_;
+};
+
+} // namespace ssl
+} // namespace folly
--- a/folly/io/async/ssl/test/BasicTransportCertificateTest.cpp
+++ b/folly/io/async/ssl/test/BasicTransportCertificateTest.cpp
+/*
+ * Copyright 2016-present Facebook, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <folly/io/async/ssl/BasicTransportCertificate.h>
+
+#include <folly/FileUtil.h>
+#include <folly/portability/GTest.h>
+#include <folly/ssl/Init.h>
+#include <folly/ssl/OpenSSLCertUtils.h>
+
+using namespace testing;
+using namespace folly;
+using namespace folly::ssl;
+
+const char* kTestCerts = "folly/io/async/test/certs/tests-cert.pem";
+
+TEST(BasicTransportCertificateTest, TestCerts) {
+  folly::ssl::init();
+  std::string certData;
+  EXPECT_TRUE(folly::readFile(kTestCerts, certData));
+  auto certs = OpenSSLCertUtils::readCertsFromBuffer(StringPiece(certData));
+  EXPECT_FALSE(certs.empty());
+  auto x509Ptr = std::move(certs[0]);
+  EXPECT_NE(x509Ptr, nullptr);
+
+  {
+    SCOPED_TRACE("create w/ null");
+    auto cert = BasicTransportCertificate::create(nullptr);
+    EXPECT_EQ(cert, nullptr);
+  }
+
+  {
+    SCOPED_TRACE("construct with empty cert");
+    BasicTransportCertificate cert("foo", nullptr);
+    EXPECT_EQ(cert.getX509(), nullptr);
+    EXPECT_EQ(cert.getIdentity(), "foo");
+    auto cloned = BasicTransportCertificate::create(&cert);
+    EXPECT_EQ(cloned->getX509(), nullptr);
+    EXPECT_EQ(cloned->getIdentity(), "foo");
+  }
+
+  {
+    SCOPED_TRACE("construct w/ x509");
+    auto x509Raw = x509Ptr.get();
+    EXPECT_NE(x509Raw, nullptr);
+    BasicTransportCertificate cert("x509", std::move(x509Ptr));
+    EXPECT_EQ(cert.getX509().get(), x509Raw);
+    EXPECT_EQ(cert.getIdentity(), "x509");
+
+    auto cloned = BasicTransportCertificate::create(&cert);
+    EXPECT_EQ(cloned->getX509().get(), x509Raw);
+    EXPECT_EQ(cloned->getIdentity(), "x509");
+  }
+}