httpclient 2.3.0.1 → 2.8.3

data/lib/httpclient/ssl_config.rb

@@ -1,5 +1,5 @@
 # HTTPClient - HTTP client library.
-# Copyright (C) 2000-2009  NAKAMURA, Hiroshi  <nahi@ruby-lang.org>.
+# Copyright (C) 2000-2015  NAKAMURA, Hiroshi  <nahi@ruby-lang.org>.
 #
 # This program is copyrighted free software by NAKAMURA, Hiroshi.  You can
 # redistribute it and/or modify it under the same terms of Ruby's license;
@@ -20,112 +20,163 @@ class HTTPClient
   #
   # == Trust Anchor Control
   #
-  # SSLConfig loads 'httpclient/cacert.p7s' as a trust anchor
+  # SSLConfig loads 'httpclient/cacert.pem' as a trust anchor
   # (trusted certificate(s)) with add_trust_ca in initialization time.
   # This means that HTTPClient instance trusts some CA certificates by default,
-  # like Web browsers.  'httpclient/cacert.p7s' is created by the author and
-  # included in released package.
+  # like Web browsers.  'httpclient/cacert.pem' is downloaded from curl web
+  # site by the author and included in released package.
   #
-  # 'cacert.p7s' is automatically generated from JDK 1.6.
+  # On JRuby, HTTPClient uses Java runtime's trusted CA certificates, not
+  # cacert.pem by default. You can load cacert.pem by calling
+  # SSLConfig#load_trust_ca manually like:
+  #
+  #   HTTPClient.new { self.ssl_config.load_trust_ca }.get("https://...")
   #
   # You may want to change trust anchor by yourself.  Call clear_cert_store
   # then add_trust_ca for that purpose.
   class SSLConfig
-    include OpenSSL if SSLEnabled
+    include HTTPClient::Util
+    if SSLEnabled
+      include OpenSSL
+
+      module ::OpenSSL
+        module X509
+          class Store
+            attr_reader :_httpclient_cert_store_items
+
+            # TODO: use prepend instead when we drop JRuby + 1.9.x support
+            wrapped = {}
+
+            wrapped[:initialize] = instance_method(:initialize)
+            define_method(:initialize) do |*args|
+              wrapped[:initialize].bind(self).call(*args)
+              @_httpclient_cert_store_items = [ENV['SSL_CERT_FILE'] || :default]
+            end
+
+            [:add_cert, :add_file, :add_path].each do |m|
+              wrapped[m] = instance_method(m)
+              define_method(m) do |cert|
+                res = wrapped[m].bind(self).call(cert)
+                @_httpclient_cert_store_items << cert
+                res
+              end
+            end
+          end
+        end
+      end
+    end
 
-    # String name of OpenSSL's SSL version method name: SSLv2, SSLv23 or SSLv3
-    attr_reader :ssl_version
-    # OpenSSL::X509::Certificate:: certificate for SSL client authenticateion.
-    # nil by default. (no client authenticateion)
-    attr_reader :client_cert
+    class << self
+    private
+      def attr_config(symbol)
+        name = symbol.to_s
+        ivar_name = "@#{name}"
+        define_method(name) {
+          instance_variable_get(ivar_name)
+        }
+        define_method("#{name}=") { |rhs|
+          if instance_variable_get(ivar_name) != rhs
+            instance_variable_set(ivar_name, rhs)
+            change_notify
+          end
+        }
+        symbol
+      end
+    end
+
+
+    CIPHERS_DEFAULT = "ALL:!aNULL:!eNULL:!SSLv2" # OpenSSL >1.0.0 default
+
+    # Which TLS protocol version (also called method) will be used. Defaults
+    # to :auto which means that OpenSSL decides (In my tests this resulted
+    # with always the highest available protocol being used).
+    # String name of OpenSSL's SSL version method name: TLSv1_2, TLSv1_1, TLSv1,
+    # SSLv2, SSLv23, SSLv3 or :auto (and nil) to allow version negotiation (default).
+    # See {OpenSSL::SSL::SSLContext::METHODS} for a list of available versions
+    # in your specific Ruby environment.
+    attr_config :ssl_version
+    # OpenSSL::X509::Certificate:: certificate for SSL client authentication.
+    # nil by default. (no client authentication)
+    attr_config :client_cert
     # OpenSSL::PKey::PKey:: private key for SSL client authentication.
-    # nil by default. (no client authenticateion)
-    attr_reader :client_key
+    # nil by default. (no client authentication)
+    attr_config :client_key
+    # OpenSSL::PKey::PKey:: private key pass phrase for client_key.
+    # nil by default. (no pass phrase)
+    attr_config :client_key_pass
 
     # A number which represents OpenSSL's verify mode.  Default value is
     # OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT.
-    attr_reader :verify_mode
+    attr_config :verify_mode
     # A number of verify depth.  Certification path which length is longer than
     # this depth is not allowed.
-    attr_reader :verify_depth
+    # CAUTION: this is OpenSSL specific option and ignored on JRuby.
+    attr_config :verify_depth
     # A callback handler for custom certificate verification.  nil by default.
     # If the handler is set, handler.call is invoked just after general
     # OpenSSL's verification.  handler.call is invoked with 2 arguments,
     # ok and ctx; ok is a result of general OpenSSL's verification.  ctx is a
     # OpenSSL::X509::StoreContext.
-    attr_reader :verify_callback
+    attr_config :verify_callback
     # SSL timeout in sec.  nil by default.
-    attr_reader :timeout
+    attr_config :timeout
     # A number of OpenSSL's SSL options.  Default value is
     # OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv2
-    attr_reader :options
+    # CAUTION: this is OpenSSL specific option and ignored on JRuby.
+    # Use ssl_version to specify the TLS version you want to use.
+    attr_config :options
     # A String of OpenSSL's cipher configuration.  Default value is
     # ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH
     # See ciphers(1) man in OpenSSL for more detail.
-    attr_reader :ciphers
+    attr_config :ciphers
 
     # OpenSSL::X509::X509::Store used for verification.  You can reset the
     # store with clear_cert_store and set the new store with cert_store=.
     attr_reader :cert_store # don't use if you don't know what it is.
 
     # For server side configuration.  Ignore this.
-    attr_reader :client_ca # :nodoc:
+    attr_config :client_ca # :nodoc:
+
+    # These array keeps original files/dirs that was added to @cert_store
+    def cert_store_items; @cert_store._httpclient_cert_store_items; end
+    attr_reader :cert_store_crl_items
 
     # Creates a SSLConfig.
     def initialize(client)
       return unless SSLEnabled
       @client = client
       @cert_store = X509::Store.new
-      @client_cert = @client_key = @client_ca = nil
+      @cert_store_crl_items = []
+      @client_cert = @client_key = @client_key_pass = @client_ca = nil
       @verify_mode = SSL::VERIFY_PEER | SSL::VERIFY_FAIL_IF_NO_PEER_CERT
       @verify_depth = nil
       @verify_callback = nil
       @dest = nil
       @timeout = nil
-      @ssl_version = "SSLv3"
-      @options = defined?(SSL::OP_ALL) ? SSL::OP_ALL | SSL::OP_NO_SSLv2 : nil
+      @ssl_version = :auto
+      # Follow ruby-ossl's definition
+      @options = OpenSSL::SSL::OP_ALL
+      @options &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
+      @options |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
+      @options |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
+      @options |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
       # OpenSSL 0.9.8 default: "ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH"
-      @ciphers = "ALL:!aNULL:!eNULL:!SSLv2" # OpenSSL >1.0.0 default
+      @ciphers = CIPHERS_DEFAULT
       @cacerts_loaded = false
     end
 
-    # Sets SSL version method String.  Possible values: "SSLv2" for SSL2,
-    # "SSLv3" for SSL3 and TLS1.x, "SSLv23" for SSL3 with fallback to SSL2.
-    def ssl_version=(ssl_version)
-      @ssl_version = ssl_version
-      change_notify
-    end
-
-    # Sets certificate (OpenSSL::X509::Certificate) for SSL client
-    # authentication.
-    # client_key and client_cert must be a pair.
-    #
-    # Calling this method resets all existing sessions.
-    def client_cert=(client_cert)
-      @client_cert = client_cert
-      change_notify
-    end
-
-    # Sets private key (OpenSSL::PKey::PKey) for SSL client authentication.
-    # client_key and client_cert must be a pair.
-    #
-    # Calling this method resets all existing sessions.
-    def client_key=(client_key)
-      @client_key = client_key
-      change_notify
-    end
-
     # Sets certificate and private key for SSL client authentication.
     # cert_file:: must be a filename of PEM/DER formatted file.
     # key_file:: must be a filename of PEM/DER formatted file.  Key must be an
     #            RSA key.  If you want to use other PKey algorithm,
     #            use client_key=.
     #
-    # Calling this method resets all existing sessions.
-    def set_client_cert_file(cert_file, key_file)
-      @client_cert = X509::Certificate.new(File.open(cert_file) { |f| f.read })
-      @client_key = PKey::RSA.new(File.open(key_file) { |f| f.read })
-      change_notify
+    # Calling this method resets all existing sessions if value is changed.
+    def set_client_cert_file(cert_file, key_file, pass = nil)
+      if (@client_cert != cert_file) || (@client_key != key_file) || (@client_key_pass != pass)
+        @client_cert, @client_key, @client_key_pass = cert_file, key_file, pass
+        change_notify
+      end
     end
 
     # Sets OpenSSL's default trusted CA certificates.  Generally, OpenSSL is
@@ -153,6 +204,7 @@ class HTTPClient
     def clear_cert_store
       @cacerts_loaded = true # avoid lazy override
       @cert_store = X509::Store.new
+      @cert_store._httpclient_cert_store_items.clear
       change_notify
     end
 
@@ -161,9 +213,12 @@ class HTTPClient
     #
     # Calling this method resets all existing sessions.
     def cert_store=(cert_store)
-      @cacerts_loaded = true # avoid lazy override
-      @cert_store = cert_store
-      change_notify
+      # This is object equality check, since OpenSSL::X509::Store doesn't overload ==
+      if !@cacerts_loaded || (@cert_store != cert_store)
+        @cacerts_loaded = true # avoid lazy override
+        @cert_store = cert_store
+        change_notify
+      end
     end
 
     # Sets trust anchor certificate(s) for verification.
@@ -174,6 +229,9 @@ class HTTPClient
     #
     # Calling this method resets all existing sessions.
     def add_trust_ca(trust_ca_file_or_hashed_dir)
+      unless File.exist?(trust_ca_file_or_hashed_dir)
+        trust_ca_file_or_hashed_dir = File.join(File.dirname(__FILE__), trust_ca_file_or_hashed_dir)
+      end
       @cacerts_loaded = true # avoid lazy override
       add_trust_ca_to_store(@cert_store, trust_ca_file_or_hashed_dir)
       change_notify
@@ -199,74 +257,30 @@ class HTTPClient
     # crl:: a OpenSSL::X509::CRL or a filename of a PEM/DER formatted
     #       OpenSSL::X509::CRL.
     #
+    # On JRuby, instead of setting CRL by yourself you can set following
+    # options to let HTTPClient to perform revocation check with CRL and OCSP:
+    # -J-Dcom.sun.security.enableCRLDP=true -J-Dcom.sun.net.ssl.checkRevocation=true
+    # ex. jruby -J-Dcom.sun.security.enableCRLDP=true -J-Dcom.sun.net.ssl.checkRevocation=true app.rb
+    #
+    # Revoked cert example: https://test-sspev.verisign.com:2443/test-SSPEV-revoked-verisign.html
+    #
     # Calling this method resets all existing sessions.
     def add_crl(crl)
       unless crl.is_a?(X509::CRL)
         crl = X509::CRL.new(File.open(crl) { |f| f.read })
       end
       @cert_store.add_crl(crl)
+      @cert_store_crl_items << crl
       @cert_store.flags = X509::V_FLAG_CRL_CHECK | X509::V_FLAG_CRL_CHECK_ALL
       change_notify
     end
     alias set_crl add_crl
 
-    # Sets verify mode of OpenSSL.  New value must be a combination of
-    # constants OpenSSL::SSL::VERIFY_*
-    #
-    # Calling this method resets all existing sessions.
-    def verify_mode=(verify_mode)
-      @verify_mode = verify_mode
-      change_notify
-    end
-
-    # Sets verify depth.  New value must be a number.
-    #
-    # Calling this method resets all existing sessions.
-    def verify_depth=(verify_depth)
-      @verify_depth = verify_depth
-      change_notify
+    def verify?
+      @verify_mode && (@verify_mode & OpenSSL::SSL::VERIFY_PEER != 0)
     end
 
-    # Sets callback handler for custom certificate verification.
-    # See verify_callback.
-    #
-    # Calling this method resets all existing sessions.
-    def verify_callback=(verify_callback)
-      @verify_callback = verify_callback
-      change_notify
-    end
-
-    # Sets SSL timeout in sec.
-    #
-    # Calling this method resets all existing sessions.
-    def timeout=(timeout)
-      @timeout = timeout
-      change_notify
-    end
-
-    # Sets SSL options.  New value must be a combination of # constants
-    # OpenSSL::SSL::OP_*
-    #
-    # Calling this method resets all existing sessions.
-    def options=(options)
-      @options = options
-      change_notify
-    end
-
-    # Sets cipher configuration.  New value must be a String.
-    #
-    # Calling this method resets all existing sessions.
-    def ciphers=(ciphers)
-      @ciphers = ciphers
-      change_notify
-    end
-
-    def client_ca=(client_ca) # :nodoc:
-      @client_ca = client_ca
-      change_notify
-    end
-
-    # interfaces for SSLSocketWrap.
+    # interfaces for SSLSocket.
     def set_context(ctx) # :nodoc:
       load_trust_ca unless @cacerts_loaded
       @cacerts_loaded = true
@@ -276,13 +290,19 @@ class HTTPClient
       ctx.verify_depth = @verify_depth if @verify_depth
       ctx.verify_callback = @verify_callback || method(:default_verify_callback)
       # SSL config
-      ctx.cert = @client_cert
-      ctx.key = @client_key
+      if @client_cert
+        ctx.cert = @client_cert.is_a?(X509::Certificate) ?  @client_cert :
+          X509::Certificate.new(File.open(@client_cert) { |f| f.read })
+      end
+      if @client_key
+        ctx.key = @client_key.is_a?(PKey::PKey) ? @client_key :
+          PKey::RSA.new(File.open(@client_key) { |f| f.read }, @client_key_pass)
+      end
       ctx.client_ca = @client_ca
       ctx.timeout = @timeout
       ctx.options = @options
       ctx.ciphers = @ciphers
-      ctx.ssl_version = @ssl_version
+      ctx.ssl_version = @ssl_version unless @ssl_version == :auto
     end
 
     # post connection check proc for ruby < 1.8.5.
@@ -329,7 +349,7 @@ class HTTPClient
         depth = ctx.error_depth
         code = ctx.error
         msg = ctx.error_string
-        warn("at depth #{depth} - #{code}: #{msg}")
+        warn("at depth #{depth} - #{code}: #{msg}") if $DEBUG
       end
       is_ok
     end
@@ -390,81 +410,14 @@ class HTTPClient
 
     def change_notify
       @client.reset_all
+      nil
     end
 
+    # Use 2048 bit certs trust anchor
     def load_cacerts(cert_store)
-      [
-        [DIST_CERT, 'cacert.p7s'],
-        [DIST_CERT_SHA1, 'cacert_sha1.p7s']
-      ].each do |cert_str, ca_file|
-        file = File.join(File.dirname(__FILE__), ca_file)
-        if File.exist?(file)
-          p7 = PKCS7.read_smime(File.open(file) { |f| f.read })
-          selfcert = X509::Certificate.new(cert_str)
-          store = X509::Store.new
-          store.add_cert(selfcert)
-          if (p7.verify(nil, store, p7.data, 0))
-            add_trust_ca_to_store(cert_store, file)
-            return
-          end
-        end
-      end
-      warn("cacerts loading failed")
+      file = File.join(File.dirname(__FILE__), 'cacert.pem')
+      add_trust_ca_to_store(cert_store, file)
     end
-
-    DIST_CERT =<<__DIST_CERT__
------BEGIN CERTIFICATE-----
-MIID/TCCAuWgAwIBAgIBATANBgkqhkiG9w0BAQ0FADBLMQswCQYDVQQGEwJKUDER
-MA8GA1UECgwIY3Rvci5vcmcxFDASBgNVBAsMC0RldmVsb3BtZW50MRMwEQYDVQQD
-DApodHRwY2xpZW50MB4XDTA5MDUyMTEyMzkwNVoXDTM3MTIzMTIzNTk1OVowSzEL
-MAkGA1UEBhMCSlAxETAPBgNVBAoMCGN0b3Iub3JnMRQwEgYDVQQLDAtEZXZlbG9w
-bWVudDETMBEGA1UEAwwKaHR0cGNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAM2PlkdTH97zvIHoPIMj87wnNvpqIQUD7L/hlysO0XBsmR/XZUeU
-ZKB10JQqMXviWpTnU9KU6xGTx3EI4wfd2dpLwH/d4d7K4LngW1kY7kJlZeJhakno
-GzQ40RSI9WkQ0R9KOE888f7OkTBafcL8UyWFVIMhQBw2d9iNl4Jc69QojayCDoSX
-XbbEP0n8yi7HwIU3RFuX6DtMpOx4/1K7Z002ccOGJ3J9kHgeDQSQtF42cQYC7qj2
-67I/OQgnB7ycxTCP0E7bdXQg+zqsngrhaoNn/+I+CoO7nD4t4uQ+B4agALh4PPxs
-bQD9MCL+VurNGLYv0HVd+ZlLblpddC9PLTsCAwEAAaOB6zCB6DAPBgNVHRMBAf8E
-BTADAQH/MDEGCWCGSAGG+EIBDQQkFiJSdWJ5L09wZW5TU0wgR2VuZXJhdGVkIENl
-cnRpZmljYXRlMB0GA1UdDgQWBBRAnB6XlMoOcm7HVAw+JWxY205PHTAOBgNVHQ8B
-Af8EBAMCAQYwcwYDVR0jBGwwaoAUQJwel5TKDnJux1QMPiVsWNtOTx2hT6RNMEsx
-CzAJBgNVBAYTAkpQMREwDwYDVQQKDAhjdG9yLm9yZzEUMBIGA1UECwwLRGV2ZWxv
-cG1lbnQxEzARBgNVBAMMCmh0dHBjbGllbnSCAQEwDQYJKoZIhvcNAQENBQADggEB
-ABVFepybD5XqsBnOn/oDHvK0xAPMF4Ap4Ht1yMQLObg8paVhANSdqIevPlCr/mPL
-DRjcy+J1fCnE6lCfsfLdTgAjirqt8pm92NccxmJ8hTmMd3LWC1n+eYWaolqTCVRM
-Bpe8UY9enyXrFoudHlr9epr18E6As6VrCSfpXFZkD9WHVSWpzkB3qATu5qcDCzCH
-bI0755Mdm/1hKJCD4l69h3J3OhRIEUPJfHnPvM5wtiyC2dcE9itwE/wdVzBJeIBX
-JQm+Qj+K8qXcRTzZZGIBjw2n46xJgW6YncNCHU/WWfNCYwdkngHS/aN8IbEjhCwf
-viXFisVrDN/+pZZGMf67ZaY=
------END CERTIFICATE-----
-__DIST_CERT__
-
-    DIST_CERT_SHA1 =<<__DIST_CERT__
------BEGIN CERTIFICATE-----
-MIID/TCCAuWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJKUDER
-MA8GA1UECgwIY3Rvci5vcmcxFDASBgNVBAsMC0RldmVsb3BtZW50MRMwEQYDVQQD
-DApodHRwY2xpZW50MB4XDTEwMTIxMzEzNTYyOVoXDTEzMDExNDIzNTk1OVowSzEL
-MAkGA1UEBhMCSlAxETAPBgNVBAoMCGN0b3Iub3JnMRQwEgYDVQQLDAtEZXZlbG9w
-bWVudDETMBEGA1UEAwwKaHR0cGNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAM2PlkdTH97zvIHoPIMj87wnNvpqIQUD7L/hlysO0XBsmR/XZUeU
-ZKB10JQqMXviWpTnU9KU6xGTx3EI4wfd2dpLwH/d4d7K4LngW1kY7kJlZeJhakno
-GzQ40RSI9WkQ0R9KOE888f7OkTBafcL8UyWFVIMhQBw2d9iNl4Jc69QojayCDoSX
-XbbEP0n8yi7HwIU3RFuX6DtMpOx4/1K7Z002ccOGJ3J9kHgeDQSQtF42cQYC7qj2
-67I/OQgnB7ycxTCP0E7bdXQg+zqsngrhaoNn/+I+CoO7nD4t4uQ+B4agALh4PPxs
-bQD9MCL+VurNGLYv0HVd+ZlLblpddC9PLTsCAwEAAaOB6zCB6DAPBgNVHRMBAf8E
-BTADAQH/MDEGCWCGSAGG+EIBDQQkFiJSdWJ5L09wZW5TU0wgR2VuZXJhdGVkIENl
-cnRpZmljYXRlMB0GA1UdDgQWBBRAnB6XlMoOcm7HVAw+JWxY205PHTAOBgNVHQ8B
-Af8EBAMCAQYwcwYDVR0jBGwwaoAUQJwel5TKDnJux1QMPiVsWNtOTx2hT6RNMEsx
-CzAJBgNVBAYTAkpQMREwDwYDVQQKDAhjdG9yLm9yZzEUMBIGA1UECwwLRGV2ZWxv
-cG1lbnQxEzARBgNVBAMMCmh0dHBjbGllbnSCAQIwDQYJKoZIhvcNAQEFBQADggEB
-AA0kgOPnEDE+Zi/8GmZGmLthazdmigsuMN0pyYd4AJY6RkVeCRUSF4avqBj+lodg
-VPC5hgL1k6sMfE3OPTlUMjqaNecWcm9N46VQT2QLYeC6bwpEAgN1KVQ0n6lcUrG+
-8umYZJ+MsdwmBkwSIzIu3ZGwO8IILpNL5fwSMjg7K1T76Po4kPlqmWlcdDUYz5ZY
-42jx3BCFf/w3fuk3mOacZjLu3+AmpHWb+mpXg+jQHfrmVRFCsEkiA2DBLYjE92nB
-QmRI2pgn1yHHy7uia+3WHOm72ai3fLSpChctNXTkhFyIB7Q7LYR277fb+GWcvACZ
-WHLqjiy2yLPZy9JZwnCi4yE=
------END CERTIFICATE-----
-__DIST_CERT__
   end