httpclient-fixcerts 2.8.5

data/lib/httpclient/ssl_config.rb

@@ -0,0 +1,433 @@
+# HTTPClient - HTTP client library.
+# Copyright (C) 2000-2015  NAKAMURA, Hiroshi  <nahi@ruby-lang.org>.
+#
+# This program is copyrighted free software by NAKAMURA, Hiroshi.  You can
+# redistribute it and/or modify it under the same terms of Ruby's license;
+# either the dual license version in 2003, or any later version.
+
+
+class HTTPClient
+
+  begin
+    require 'openssl'
+    SSLEnabled = true
+  rescue LoadError
+    SSLEnabled = false
+  end
+
+  # Represents SSL configuration for HTTPClient instance.
+  # The implementation depends on OpenSSL.
+  #
+  # == Trust Anchor Control
+  #
+  # SSLConfig loads 'httpclient/cacert.pem' as a trust anchor
+  # (trusted certificate(s)) with add_trust_ca in initialization time.
+  # This means that HTTPClient instance trusts some CA certificates by default,
+  # like Web browsers.  'httpclient/cacert.pem' is downloaded from curl web
+  # site by the author and included in released package.
+  #
+  # On JRuby, HTTPClient uses Java runtime's trusted CA certificates, not
+  # cacert.pem by default. You can load cacert.pem by calling
+  # SSLConfig#load_trust_ca manually like:
+  #
+  #   HTTPClient.new { self.ssl_config.load_trust_ca }.get("https://...")
+  #
+  # You may want to change trust anchor by yourself.  Call clear_cert_store
+  # then add_trust_ca for that purpose.
+  class SSLConfig
+    include HTTPClient::Util
+    if SSLEnabled
+      include OpenSSL
+
+      if defined? JRUBY_VERSION
+        module ::OpenSSL
+          module X509
+            class Store
+              attr_reader :_httpclient_cert_store_items
+
+              # TODO: use prepend instead when we drop JRuby + 1.9.x support
+              wrapped = {}
+
+              wrapped[:initialize] = instance_method(:initialize)
+              define_method(:initialize) do |*args|
+                wrapped[:initialize].bind(self).call(*args)
+                @_httpclient_cert_store_items = [ENV['SSL_CERT_FILE'] || :default]
+              end
+
+              [:add_cert, :add_file, :add_path].each do |m|
+                wrapped[m] = instance_method(m)
+                define_method(m) do |cert|
+                  res = wrapped[m].bind(self).call(cert)
+                  @_httpclient_cert_store_items << cert
+                  res
+                end
+              end
+            end
+          end
+        end
+      end
+    end
+
+    class << self
+    private
+      def attr_config(symbol)
+        name = symbol.to_s
+        ivar_name = "@#{name}"
+        define_method(name) {
+          instance_variable_get(ivar_name)
+        }
+        define_method("#{name}=") { |rhs|
+          if instance_variable_get(ivar_name) != rhs
+            instance_variable_set(ivar_name, rhs)
+            change_notify
+          end
+        }
+        symbol
+      end
+    end
+
+
+    CIPHERS_DEFAULT = "ALL:!aNULL:!eNULL:!SSLv2" # OpenSSL >1.0.0 default
+
+    # Which TLS protocol version (also called method) will be used. Defaults
+    # to :auto which means that OpenSSL decides (In my tests this resulted
+    # with always the highest available protocol being used).
+    # String name of OpenSSL's SSL version method name: TLSv1_2, TLSv1_1, TLSv1,
+    # SSLv2, SSLv23, SSLv3 or :auto (and nil) to allow version negotiation (default).
+    # See {OpenSSL::SSL::SSLContext::METHODS} for a list of available versions
+    # in your specific Ruby environment.
+    attr_config :ssl_version
+    # OpenSSL::X509::Certificate:: certificate for SSL client authentication.
+    # nil by default. (no client authentication)
+    attr_config :client_cert
+    # OpenSSL::PKey::PKey:: private key for SSL client authentication.
+    # nil by default. (no client authentication)
+    attr_config :client_key
+    # OpenSSL::PKey::PKey:: private key pass phrase for client_key.
+    # nil by default. (no pass phrase)
+    attr_config :client_key_pass
+
+    # A number which represents OpenSSL's verify mode.  Default value is
+    # OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT.
+    attr_config :verify_mode
+    # A number of verify depth.  Certification path which length is longer than
+    # this depth is not allowed.
+    # CAUTION: this is OpenSSL specific option and ignored on JRuby.
+    attr_config :verify_depth
+    # A callback handler for custom certificate verification.  nil by default.
+    # If the handler is set, handler.call is invoked just after general
+    # OpenSSL's verification.  handler.call is invoked with 2 arguments,
+    # ok and ctx; ok is a result of general OpenSSL's verification.  ctx is a
+    # OpenSSL::X509::StoreContext.
+    attr_config :verify_callback
+    # SSL timeout in sec.  nil by default.
+    attr_config :timeout
+    # A number of OpenSSL's SSL options.  Default value is
+    # OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv2
+    # CAUTION: this is OpenSSL specific option and ignored on JRuby.
+    # Use ssl_version to specify the TLS version you want to use.
+    attr_config :options
+    # A String of OpenSSL's cipher configuration.  Default value is
+    # ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH
+    # See ciphers(1) man in OpenSSL for more detail.
+    attr_config :ciphers
+
+    # OpenSSL::X509::X509::Store used for verification.  You can reset the
+    # store with clear_cert_store and set the new store with cert_store=.
+    attr_reader :cert_store # don't use if you don't know what it is.
+
+    # For server side configuration.  Ignore this.
+    attr_config :client_ca # :nodoc:
+
+    # These array keeps original files/dirs that was added to @cert_store
+    if defined? JRUBY_VERSION
+      def cert_store_items; @cert_store._httpclient_cert_store_items; end
+    end
+    attr_reader :cert_store_crl_items
+
+    # Creates a SSLConfig.
+    def initialize(client)
+      return unless SSLEnabled
+      @client = client
+      @cert_store = X509::Store.new
+      @cert_store_crl_items = []
+      @client_cert = @client_key = @client_key_pass = @client_ca = nil
+      @verify_mode = SSL::VERIFY_PEER | SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+      @verify_depth = nil
+      @verify_callback = nil
+      @dest = nil
+      @timeout = nil
+      @ssl_version = :auto
+      # Follow ruby-ossl's definition
+      @options = OpenSSL::SSL::OP_ALL
+      @options &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
+      @options |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
+      @options |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
+      @options |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
+      # OpenSSL 0.9.8 default: "ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH"
+      @ciphers = CIPHERS_DEFAULT
+      @cacerts_loaded = false
+    end
+
+    # Sets certificate and private key for SSL client authentication.
+    # cert_file:: must be a filename of PEM/DER formatted file.
+    # key_file:: must be a filename of PEM/DER formatted file.  Key must be an
+    #            RSA key.  If you want to use other PKey algorithm,
+    #            use client_key=.
+    #
+    # Calling this method resets all existing sessions if value is changed.
+    def set_client_cert_file(cert_file, key_file, pass = nil)
+      if (@client_cert != cert_file) || (@client_key != key_file) || (@client_key_pass != pass)
+        @client_cert, @client_key, @client_key_pass = cert_file, key_file, pass
+        change_notify
+      end
+    end
+
+    # Sets OpenSSL's default trusted CA certificates.  Generally, OpenSSL is
+    # configured to use OS's trusted CA certificates located at
+    # /etc/pki/certs or /etc/ssl/certs.  Unfortunately OpenSSL's Windows build
+    # does not work with Windows Certificate Storage.
+    #
+    # On Windows or when you build OpenSSL manually, you can set the
+    # CA certificates directory by SSL_CERT_DIR env variable at runtime.
+    #
+    #   SSL_CERT_DIR=/etc/ssl/certs ruby -rhttpclient -e "..."
+    #
+    # Calling this method resets all existing sessions.
+    def set_default_paths
+      @cacerts_loaded = true # avoid lazy override
+      @cert_store = X509::Store.new
+      @cert_store.set_default_paths
+      change_notify
+    end
+
+    # Drops current certificate store (OpenSSL::X509::Store) for SSL and create
+    # new one for the next session.
+    #
+    # Calling this method resets all existing sessions.
+    def clear_cert_store
+      @cacerts_loaded = true # avoid lazy override
+      @cert_store = X509::Store.new
+      if defined? JRUBY_VERSION
+        @cert_store._httpclient_cert_store_items.clear
+      end
+      change_notify
+    end
+
+    # Sets new certificate store (OpenSSL::X509::Store).
+    # don't use if you don't know what it is.
+    #
+    # Calling this method resets all existing sessions.
+    def cert_store=(cert_store)
+      # This is object equality check, since OpenSSL::X509::Store doesn't overload ==
+      if !@cacerts_loaded || (@cert_store != cert_store)
+        @cacerts_loaded = true # avoid lazy override
+        @cert_store = cert_store
+        change_notify
+      end
+    end
+
+    # Sets trust anchor certificate(s) for verification.
+    # trust_ca_file_or_hashed_dir:: a filename of a PEM/DER formatted
+    #                               OpenSSL::X509::Certificate or
+    #                               a 'c-rehash'eddirectory name which stores
+    #                               trusted certificate files.
+    #
+    # Calling this method resets all existing sessions.
+    def add_trust_ca(trust_ca_file_or_hashed_dir)
+      unless File.exist?(trust_ca_file_or_hashed_dir)
+        trust_ca_file_or_hashed_dir = File.join(File.dirname(__FILE__), trust_ca_file_or_hashed_dir)
+      end
+      @cacerts_loaded = true # avoid lazy override
+      add_trust_ca_to_store(@cert_store, trust_ca_file_or_hashed_dir)
+      change_notify
+    end
+    alias set_trust_ca add_trust_ca
+
+    def add_trust_ca_to_store(cert_store, trust_ca_file_or_hashed_dir)
+      if FileTest.directory?(trust_ca_file_or_hashed_dir)
+        cert_store.add_path(trust_ca_file_or_hashed_dir)
+      else
+        cert_store.add_file(trust_ca_file_or_hashed_dir)
+      end
+    end
+
+    # Loads default trust anchors.
+    # Calling this method resets all existing sessions.
+    def load_trust_ca
+      load_cacerts(@cert_store)
+      change_notify
+    end
+
+    # Adds CRL for verification.
+    # crl:: a OpenSSL::X509::CRL or a filename of a PEM/DER formatted
+    #       OpenSSL::X509::CRL.
+    #
+    # On JRuby, instead of setting CRL by yourself you can set following
+    # options to let HTTPClient to perform revocation check with CRL and OCSP:
+    # -J-Dcom.sun.security.enableCRLDP=true -J-Dcom.sun.net.ssl.checkRevocation=true
+    # ex. jruby -J-Dcom.sun.security.enableCRLDP=true -J-Dcom.sun.net.ssl.checkRevocation=true app.rb
+    #
+    # Revoked cert example: https://test-sspev.verisign.com:2443/test-SSPEV-revoked-verisign.html
+    #
+    # Calling this method resets all existing sessions.
+    def add_crl(crl)
+      unless crl.is_a?(X509::CRL)
+        crl = X509::CRL.new(File.open(crl) { |f| f.read })
+      end
+      @cert_store.add_crl(crl)
+      @cert_store_crl_items << crl
+      @cert_store.flags = X509::V_FLAG_CRL_CHECK | X509::V_FLAG_CRL_CHECK_ALL
+      change_notify
+    end
+    alias set_crl add_crl
+
+    def verify?
+      @verify_mode && (@verify_mode & OpenSSL::SSL::VERIFY_PEER != 0)
+    end
+
+    # interfaces for SSLSocket.
+    def set_context(ctx) # :nodoc:
+      load_trust_ca unless @cacerts_loaded
+      @cacerts_loaded = true
+      # Verification: Use Store#verify_callback instead of SSLContext#verify*?
+      ctx.cert_store = @cert_store
+      ctx.verify_mode = @verify_mode
+      ctx.verify_depth = @verify_depth if @verify_depth
+      ctx.verify_callback = @verify_callback || method(:default_verify_callback)
+      # SSL config
+      if @client_cert
+        ctx.cert = @client_cert.is_a?(X509::Certificate) ?  @client_cert :
+          X509::Certificate.new(File.open(@client_cert) { |f| f.read })
+      end
+      if @client_key
+        ctx.key = @client_key.is_a?(PKey::PKey) ? @client_key :
+          PKey::RSA.new(File.open(@client_key) { |f| f.read }, @client_key_pass)
+      end
+      ctx.client_ca = @client_ca
+      ctx.timeout = @timeout
+      ctx.options = @options
+      ctx.ciphers = @ciphers
+      ctx.ssl_version = @ssl_version unless @ssl_version == :auto
+    end
+
+    # post connection check proc for ruby < 1.8.5.
+    # this definition must match with the one in ext/openssl/lib/openssl/ssl.rb
+    def post_connection_check(peer_cert, hostname) # :nodoc:
+      check_common_name = true
+      cert = peer_cert
+      cert.extensions.each{|ext|
+        next if ext.oid != "subjectAltName"
+        ext.value.split(/,\s+/).each{|general_name|
+          if /\ADNS:(.*)/ =~ general_name
+            check_common_name = false
+            reg = Regexp.escape($1).gsub(/\\\*/, "[^.]+")
+            return true if /\A#{reg}\z/i =~ hostname
+          elsif /\AIP Address:(.*)/ =~ general_name
+            check_common_name = false
+            return true if $1 == hostname
+          end
+        }
+      }
+      if check_common_name
+        cert.subject.to_a.each{|oid, value|
+          if oid == "CN"
+            reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+")
+            return true if /\A#{reg}\z/i =~ hostname
+          end
+        }
+      end
+      raise SSL::SSLError, "hostname was not match with the server certificate"
+    end
+
+    # Default callback for verification: only dumps error.
+    def default_verify_callback(is_ok, ctx)
+      if $DEBUG
+        if is_ok
+          warn("ok: #{ctx.current_cert.subject.to_s.dump}")
+        else
+          warn("ng: #{ctx.current_cert.subject.to_s.dump} at depth #{ctx.error_depth} - #{ctx.error}: #{ctx.error_string} in #{ctx.chain.inspect}")
+        end
+        warn(ctx.current_cert.to_text)
+        warn(ctx.current_cert.to_pem)
+      end
+      if !is_ok
+        depth = ctx.error_depth
+        code = ctx.error
+        msg = ctx.error_string
+        warn("at depth #{depth} - #{code}: #{msg}") if $DEBUG
+      end
+      is_ok
+    end
+
+    # Sample callback method:  CAUTION: does not check CRL/ARL.
+    def sample_verify_callback(is_ok, ctx)
+      unless is_ok
+        depth = ctx.error_depth
+        code = ctx.error
+        msg = ctx.error_string
+        warn("at depth #{depth} - #{code}: #{msg}") if $DEBUG
+        return false
+      end
+
+      cert = ctx.current_cert
+      self_signed = false
+      ca = false
+      pathlen = nil
+      server_auth = true
+      self_signed = (cert.subject.cmp(cert.issuer) == 0)
+
+      # Check extensions whatever its criticality is. (sample)
+      cert.extensions.each do |ex|
+        case ex.oid
+        when 'basicConstraints'
+          /CA:(TRUE|FALSE), pathlen:(\d+)/ =~ ex.value
+          ca = ($1 == 'TRUE')
+          pathlen = $2.to_i
+        when 'keyUsage'
+          usage = ex.value.split(/\s*,\s*/)
+          ca = usage.include?('Certificate Sign')
+          server_auth = usage.include?('Key Encipherment')
+        when 'extendedKeyUsage'
+          usage = ex.value.split(/\s*,\s*/)
+          server_auth = usage.include?('Netscape Server Gated Crypto')
+        when 'nsCertType'
+          usage = ex.value.split(/\s*,\s*/)
+          ca = usage.include?('SSL CA')
+          server_auth = usage.include?('SSL Server')
+        end
+      end
+
+      if self_signed
+        warn('self signing CA') if $DEBUG
+        return true
+      elsif ca
+        warn('middle level CA') if $DEBUG
+        return true
+      elsif server_auth
+        warn('for server authentication') if $DEBUG
+        return true
+      end
+
+      if pathlen > 2
+        warn('pathlen > 2') if $DEBUG
+      end
+      return false
+    end
+
+  private
+
+    def change_notify
+      @client.reset_all
+      nil
+    end
+
+    # Use 2048 bit certs trust anchor
+    def load_cacerts(cert_store)
+      file = File.join(File.dirname(__FILE__), 'cacert.pem')
+      add_trust_ca_to_store(cert_store, file)
+    end
+  end
+
+
+end

data/lib/httpclient/ssl_socket.rb

@@ -0,0 +1,150 @@
+# HTTPClient - HTTP client library.
+# Copyright (C) 2000-2015  NAKAMURA, Hiroshi  <nahi@ruby-lang.org>.
+#
+# This program is copyrighted free software by NAKAMURA, Hiroshi.  You can
+# redistribute it and/or modify it under the same terms of Ruby's license;
+# either the dual license version in 2003, or any later version.
+
+
+require 'httpclient/ssl_config'
+
+
+class HTTPClient
+
+  # Wraps up OpenSSL::SSL::SSLSocket and offers debugging features.
+  class SSLSocket
+    def self.create_socket(session)
+      opts = {
+        :debug_dev => session.debug_dev
+      }
+      site = session.proxy || session.dest
+      socket = session.create_socket(site.host, site.port)
+      begin
+        if session.proxy
+          session.connect_ssl_proxy(socket, Util.urify(session.dest.to_s))
+        end
+        new(socket, session.dest, session.ssl_config, opts)
+      rescue
+        socket.close
+        raise
+      end
+    end
+
+    def initialize(socket, dest, config, opts = {})
+      unless SSLEnabled
+        raise ConfigurationError.new('Ruby/OpenSSL module is required')
+      end
+      @socket = socket
+      @config = config
+      @ssl_socket = create_openssl_socket(@socket)
+      @debug_dev = opts[:debug_dev]
+      ssl_connect(dest.host)
+    end
+
+    def peer_cert
+      @ssl_socket.peer_cert
+    end
+
+    def close
+      @ssl_socket.close
+      @socket.close
+    end
+
+    def closed?
+      @socket.closed?
+    end
+
+    def eof?
+      @ssl_socket.eof?
+    end
+
+    def gets(rs)
+      str = @ssl_socket.gets(rs)
+      debug(str)
+      str
+    end
+
+    def read(size, buf = nil)
+      str = @ssl_socket.read(size, buf)
+      debug(str)
+      str
+    end
+
+    def readpartial(size, buf = nil)
+      str = @ssl_socket.readpartial(size, buf)
+      debug(str)
+      str
+    end
+
+    def <<(str)
+      rv = @ssl_socket.write(str)
+      debug(str)
+      rv
+    end
+
+    def flush
+      @ssl_socket.flush
+    end
+
+    def sync
+      @ssl_socket.sync
+    end
+
+    def sync=(sync)
+      @ssl_socket.sync = sync
+    end
+
+  private
+
+    def ssl_connect(hostname = nil)
+      if hostname && @ssl_socket.respond_to?(:hostname=)
+        @ssl_socket.hostname = hostname
+      end
+      @ssl_socket.connect
+      if $DEBUG
+        if @ssl_socket.respond_to?(:ssl_version)
+          warn("Protocol version: #{@ssl_socket.ssl_version}")
+        end
+        warn("Cipher: #{@ssl_socket.cipher.inspect}")
+      end
+      post_connection_check(hostname)
+    end
+
+    def post_connection_check(hostname)
+      verify_mode = @config.verify_mode || OpenSSL::SSL::VERIFY_NONE
+      if verify_mode == OpenSSL::SSL::VERIFY_NONE
+        return
+      elsif @ssl_socket.peer_cert.nil? and
+        check_mask(verify_mode, OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT)
+        raise OpenSSL::SSL::SSLError.new('no peer cert')
+      end
+      if @ssl_socket.respond_to?(:post_connection_check) and RUBY_VERSION > "1.8.4"
+        @ssl_socket.post_connection_check(hostname)
+      else
+        @config.post_connection_check(@ssl_socket.peer_cert, hostname)
+      end
+    end
+
+    def check_mask(value, mask)
+      value & mask == mask
+    end
+
+    def create_openssl_socket(socket)
+      ssl_socket = nil
+      if OpenSSL::SSL.const_defined?("SSLContext")
+        ctx = OpenSSL::SSL::SSLContext.new
+        @config.set_context(ctx)
+        ssl_socket = OpenSSL::SSL::SSLSocket.new(socket, ctx)
+      else
+        ssl_socket = OpenSSL::SSL::SSLSocket.new(socket)
+        @config.set_context(ssl_socket)
+      end
+      ssl_socket
+    end
+
+    def debug(str)
+      @debug_dev << str if @debug_dev && str
+    end
+  end
+
+end