}
}
+void SSLContext::loadCertKeyPairFromBufferPEM(
+ folly::StringPiece cert,
+ folly::StringPiece pkey) {
+ loadCertificateFromBufferPEM(cert);
+ loadPrivateKeyFromBufferPEM(pkey);
+}
+
+void SSLContext::loadCertKeyPairFromFiles(
+ const char* certPath,
+ const char* keyPath,
+ const char* certFormat,
+ const char* keyFormat) {
+ loadCertificate(certPath, certFormat);
+ loadPrivateKey(keyPath, keyFormat);
+}
+
+bool SSLContext::isCertKeyPairValid() const {
+ return SSL_CTX_check_private_key(ctx_) == 1;
+}
+
void SSLContext::loadTrustedCertificates(const char* path) {
if (path == nullptr) {
throw std::invalid_argument("loadTrustedCertificates: <path> is nullptr");
* @param cert A PEM formatted certificate
*/
virtual void loadCertificateFromBufferPEM(folly::StringPiece cert);
+
/**
* Load private key.
*
* @param pkey A PEM formatted key
*/
virtual void loadPrivateKeyFromBufferPEM(folly::StringPiece pkey);
+
+ /**
+ * Load cert and key from PEM buffers. Guaranteed to throw if cert and
+ * private key mismatch so no need to call isCertKeyPairValid.
+ *
+ * @param cert A PEM formatted certificate
+ * @param pkey A PEM formatted key
+ */
+ virtual void loadCertKeyPairFromBufferPEM(
+ folly::StringPiece cert,
+ folly::StringPiece pkey);
+
+ /**
+ * Load cert and key from files. Guaranteed to throw if cert and key mismatch.
+ * Equivalent to calling loadCertificate() and loadPrivateKey().
+ *
+ * @param certPath Path to the certificate file
+ * @param keyPath Path to the private key file
+ * @param certFormat Certificate file format
+ * @param keyFormat Private key file format
+ */
+ virtual void loadCertKeyPairFromFiles(
+ const char* certPath,
+ const char* keyPath,
+ const char* certFormat = "PEM",
+ const char* keyFormat = "PEM");
+
+ /**
+ * Call after both cert and key are loaded to check if cert matches key.
+ * Must call if private key is loaded before loading the cert.
+ * No need to call if cert is loaded first before private key.
+ * @return true if matches, or false if mismatch.
+ */
+ virtual bool isCertKeyPairValid() const;
+
/**
* Load trusted certificates from specified file.
*
*/
#include <folly/io/async/SSLContext.h>
+#include <folly/FileUtil.h>
#include <folly/portability/GTest.h>
#include <folly/ssl/OpenSSLPtrTypes.h>
ctx.setCipherList(ciphers);
verifySSLCipherList(ciphers);
}
+
+TEST_F(SSLContextTest, TestLoadCertKey) {
+ std::string certData, keyData, anotherKeyData;
+ const char* certPath = "folly/io/async/test/certs/tests-cert.pem";
+ const char* keyPath = "folly/io/async/test/certs/tests-key.pem";
+ const char* anotherKeyPath = "folly/io/async/test/certs/client_key.pem";
+ folly::readFile(certPath, certData);
+ folly::readFile(keyPath, keyData);
+ folly::readFile(anotherKeyPath, anotherKeyData);
+
+ {
+ SCOPED_TRACE("Valid cert/key pair from buffer");
+ SSLContext tmpCtx;
+ tmpCtx.loadCertificateFromBufferPEM(certData);
+ tmpCtx.loadPrivateKeyFromBufferPEM(keyData);
+ EXPECT_TRUE(tmpCtx.isCertKeyPairValid());
+ }
+
+ {
+ SCOPED_TRACE("Valid cert/key pair from files");
+ SSLContext tmpCtx;
+ tmpCtx.loadCertificate(certPath);
+ tmpCtx.loadPrivateKey(keyPath);
+ EXPECT_TRUE(tmpCtx.isCertKeyPairValid());
+ }
+
+ {
+ SCOPED_TRACE("Invalid cert/key pair from file. Load cert first");
+ SSLContext tmpCtx;
+ tmpCtx.loadCertificate(certPath);
+ EXPECT_THROW(tmpCtx.loadPrivateKey(anotherKeyPath), std::runtime_error);
+ }
+
+ {
+ SCOPED_TRACE("Invalid cert/key pair from file. Load key first");
+ SSLContext tmpCtx;
+ tmpCtx.loadPrivateKey(anotherKeyPath);
+ tmpCtx.loadCertificate(certPath);
+ EXPECT_FALSE(tmpCtx.isCertKeyPairValid());
+ }
+
+ {
+ SCOPED_TRACE("Invalid key/cert pair from buf. Load cert first");
+ SSLContext tmpCtx;
+ tmpCtx.loadCertificateFromBufferPEM(certData);
+ EXPECT_THROW(
+ tmpCtx.loadPrivateKeyFromBufferPEM(anotherKeyData), std::runtime_error);
+ }
+
+ {
+ SCOPED_TRACE("Invalid key/cert pair from buf. Load key first");
+ SSLContext tmpCtx;
+ tmpCtx.loadPrivateKeyFromBufferPEM(anotherKeyData);
+ tmpCtx.loadCertificateFromBufferPEM(certData);
+ EXPECT_FALSE(tmpCtx.isCertKeyPairValid());
+ }
+
+ {
+ SCOPED_TRACE(
+ "loadCertKeyPairFromBufferPEM() must throw when cert/key mismatch");
+ SSLContext tmpCtx;
+ EXPECT_THROW(
+ tmpCtx.loadCertKeyPairFromBufferPEM(certData, anotherKeyData),
+ std::runtime_error);
+ }
+
+ {
+ SCOPED_TRACE(
+ "loadCertKeyPairFromBufferPEM() must succeed when cert/key match");
+ SSLContext tmpCtx;
+ tmpCtx.loadCertKeyPairFromBufferPEM(certData, keyData);
+ }
+
+ {
+ SCOPED_TRACE(
+ "loadCertKeyPairFromFiles() must throw when cert/key mismatch");
+ SSLContext tmpCtx;
+ EXPECT_THROW(
+ tmpCtx.loadCertKeyPairFromFiles(certPath, anotherKeyPath),
+ std::runtime_error);
+ }
+
+ {
+ SCOPED_TRACE("loadCertKeyPairFromFiles() must succeed when cert/key match");
+ SSLContext tmpCtx;
+ tmpCtx.loadCertKeyPairFromFiles(certPath, keyPath);
+ }
+}
} // namespace folly
projects / folly.git / commitdiff