/*
- * Copyright (C) 1996-2022 The Squid Software Foundation and contributors
+ * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
*
* Squid software is distributed under GPLv2+ license and includes
* contributions from numerous individuals and organizations.
#include "ssl/bio.h"
#include "ssl/gadgets.h"
-/// load a signing certificate from certFile
+/// load the signing certificate and its chain, if any, from certFile
+/// \return true if the signing certificate was obtained
bool
-Security::KeyData::loadX509CertFromFile()
+Security::KeyData::loadCertificates()
{
debugs(83, DBG_IMPORTANT, "Using certificate in " << certFile);
cert.reset(); // paranoid: ensure cert is unset
try {
cert = Ssl::ReadCertificate(bio);
- return true;
+ debugs(83, DBG_PARSE_NOTE(2), "Loaded signing certificate: " << *cert);
}
catch (...) {
// TODO: Convert the rest of this method to throw on errors instead.
return false;
}
+ try {
+ // Squid sends `cert` (loaded above) followed by certificates in `chain`
+ // (formed below by loading and sorting the remaining certificates).
+
+ // load all the remaining configured certificates
+ CertList candidates;
+ while (const auto c = Ssl::ReadOptionalCertificate(bio))
+ candidates.emplace_back(c);
+
+ // Push certificates into `chain` in on-the-wire order, as defined by
+ // RFC 8446 Section 4.4.2: "Each following certificate SHOULD directly
+ // certify the one immediately preceding it."
+ while (!candidates.empty()) {
+ const auto precedingCert = chain.empty() ? cert : chain.back();
+
+ // We cannot chain any certificate after a self-signed certificate.
+ // This check also protects the IssuedBy() search below from adding
+ // duplicated (i.e. listed multiple times) self-signed certificates.
+ if (SelfSigned(*precedingCert))
+ break;
+
+ const auto issuerPos = std::find_if(candidates.begin(), candidates.end(), [&](const CertPointer &i) {
+ return IssuedBy(*precedingCert, *i);
+ });
+ if (issuerPos == candidates.end())
+ break;
+
+ const auto &issuer = *issuerPos;
+ debugs(83, DBG_PARSE_NOTE(3), "Adding CA certificate: " << *issuer);
+ chain.emplace_back(issuer);
+ candidates.erase(issuerPos);
+ }
+
+ for (const auto &c: candidates)
+ debugs(83, DBG_IMPORTANT, "WARNING: Ignoring certificate that does not extend the chain: " << *c);
+ }
+ catch (...) {
+ // TODO: Reject configs with malformed intermediate certs instead.
+ debugs(83, DBG_IMPORTANT, "ERROR: Failure while loading intermediate certificate(s) from '" << certFile << "':" <<
+ Debug::Extra << "problem: " << CurrentException);
+ }
+
#elif USE_GNUTLS
const char *certFilename = certFile.c_str();
gnutls_datum_t data;
});
}
+ // XXX: implement chain loading
+ debugs(83, 2, "Loading certificate chain from PEM files not implemented in this Squid.");
+
#else
// do nothing.
#endif
return bool(cert);
}
-/// load any intermediate certs that form the chain with the loaded signing cert
-void
-Security::KeyData::loadX509ChainFromFile()
-{
-#if USE_OPENSSL
- const char *certFilename = certFile.c_str();
- Ssl::BIO_Pointer bio(BIO_new(BIO_s_file()));
- if (!bio || !BIO_read_filename(bio.get(), certFilename)) {
- const auto x = ERR_get_error();
- debugs(83, DBG_IMPORTANT, "ERROR: unable to load chain file '" << certFile << "': " << ErrorString(x));
- return;
- }
-
-#if TLS_CHAIN_NO_SELFSIGNED // ignore self-signed certs in the chain
- if (SelfSigned(*cert)) {
- debugs(83, DBG_PARSE_NOTE(2), "Certificate is self-signed, will not be chained: " << *cert);
- } else
-#endif
- {
- debugs(83, DBG_PARSE_NOTE(3), "Using certificate chain in " << certFile);
- // and add to the chain any other certificate exist in the file
- CertPointer latestCert = cert;
-
- while (const auto ca = Ssl::ReadOptionalCertificate(bio)) {
-
-#if TLS_CHAIN_NO_SELFSIGNED // ignore self-signed certs in the chain
- // self-signed certificates are not valid in a sent chain
- if (SelfSigned(*ca)) {
- debugs(83, DBG_PARSE_NOTE(2), "CA certificate is self-signed, will not be chained: " << *ca);
- continue;
- }
-#endif
- // checks that the chained certs are actually part of a chain for validating cert
- if (IssuedBy(*latestCert, *ca)) {
- debugs(83, DBG_PARSE_NOTE(3), "Adding issuer CA: " << *ca);
- // OpenSSL API requires that we order certificates such that the
- // chain can be appended directly into the on-wire traffic.
- latestCert = CertPointer(ca);
- chain.emplace_back(latestCert);
- } else {
- debugs(83, DBG_PARSE_NOTE(2), certFile << ": Ignoring non-issuer CA " << *ca);
- }
- }
- }
-
-#elif USE_GNUTLS
- // XXX: implement chain loading
- debugs(83, 2, "Loading certificate chain from PEM files not implemented in this Squid.");
-
-#else
- // nothing to do.
-#endif
-}
-
/**
* Read X.509 private key from file.
*/
Security::KeyData::loadFromFiles(const AnyP::PortCfg &port, const char *portType)
{
char buf[128];
- if (!loadX509CertFromFile()) {
+ if (!loadCertificates()) {
debugs(83, DBG_IMPORTANT, "WARNING: '" << portType << "_port " << port.s.toUrl(buf, sizeof(buf)) << "' missing certificate in '" << certFile << "'");
return;
}
- // certificate chain in the PEM file is optional
- try {
- loadX509ChainFromFile();
- }
- catch (...) {
- // XXX: Reject malformed configurations by letting exceptions propagate.
- debugs(83, DBG_CRITICAL, "ERROR: '" << portType << "_port " << port.s.toUrl(buf, sizeof(buf)) << "' cannot load intermediate certificates from '" << certFile << "':" <<
- Debug::Extra << "problem: " << CurrentException);
- }
-
// pkey is mandatory, not having it makes cert and chain pointless.
if (!loadX509PrivateKeyFromFile()) {
debugs(83, DBG_IMPORTANT, "WARNING: '" << portType << "_port " << port.s.toUrl(buf, sizeof(buf)) << "' missing private key in '" << privateKeyFile << "'");