CPP-825 Cloud should be verifying the peer certificate's CN (#308)

* Fix bug in OpenSSL DNS verification code where certain certificate's CN
  wouldn't be matched correctly
* Fix bug in Socket DNS unit tests
* Fix client certificate validation in unit tests

Author: mpenick

cpp-driver/gtests/src/unit/http_server.cpp

@@ -57,9 +57,9 @@ void Server::close() {
   }
 }
 
-bool Server::use_ssl(const String& key, const String& cert, const String& password /*= ""*/,
-                     const String& client_cert /*= ""*/) {
-  return server_connection_->use_ssl(key, cert, password, client_cert);
+bool Server::use_ssl(const String& key, const String& cert, const String& ca_cert /*= ""*/,
+                     bool require_client_cert /*= false*/) {
+  return server_connection_->use_ssl(key, cert, ca_cert, require_client_cert);
 }
 
 Server::ClientConnection::ClientConnection(internal::ServerConnection* server_connection,

cpp-driver/gtests/src/unit/http_server.hpp

@@ -17,7 +17,8 @@
 #ifndef HTTP_MOCK_SERVER_HPP
 #define HTTP_MOCK_SERVER_HPP
 
-#define HTTP_MOCK_SERVER_IP "127.0.0.1"
+#define HTTP_MOCK_HOSTNAME "cpp-driver.hostname."
+#define HTTP_MOCK_SERVER_IP "127.254.254.254"
 #define HTTP_MOCK_SERVER_PORT 30443
 
 #include "http_parser.h"
@@ -61,8 +62,8 @@ class Server {
     close_connnection_after_request_ = enable;
   }
 
-  bool use_ssl(const String& key, const String& cert, const String& password = "",
-               const String& client_cert = "");
+  bool use_ssl(const String& key, const String& cert, const String& ca_cert = "",
+               bool require_client_cert = false);
 
   void listen();
   void close();

cpp-driver/gtests/src/unit/http_test.cpp

@@ -0,0 +1,61 @@
+/*
+  Copyright (c) DataStax, Inc.
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+*/
+
+#include "http_test.hpp"
+
+using namespace datastax;
+using namespace datastax::internal::core;
+
+SocketSettings HttpTest::use_ssl(const String& cn, bool is_server_using_ssl /*= true*/) {
+  SocketSettings settings;
+
+#ifdef HAVE_OPENSSL
+  String ca_key = mockssandra::Ssl::generate_key();
+  ca_cert_ = mockssandra::Ssl::generate_cert(ca_key, "CA");
+
+  key_ = mockssandra::Ssl::generate_key();
+  cert_ = mockssandra::Ssl::generate_cert(key_, cn, ca_cert_, ca_key);
+
+  String client_key = mockssandra::Ssl::generate_key();
+  String client_cert = mockssandra::Ssl::generate_cert(client_key, cn, ca_cert_, ca_key);
+
+  SslContext::Ptr ssl_context(SslContextFactory::create());
+
+  ssl_context->set_cert(client_cert.c_str(), client_cert.size());
+  ssl_context->set_private_key(client_key.c_str(), client_key.size(), "",
+                               0); // No password expected for the private key
+
+  ssl_context->add_trusted_cert(ca_cert_.c_str(), ca_cert_.size());
+
+  settings.ssl_context = ssl_context;
+
+  if (is_server_using_ssl) {
+    server_.use_ssl(key_, cert_, ca_cert_, true);
+  }
+#endif
+
+  return settings;
+}
+
+void HttpTest::use_ssl(const String& ca_cert, const String& ca_key, const String& cn) {
+#ifdef HAVE_OPENSSL
+  key_ = mockssandra::Ssl::generate_key();
+  cert_ = mockssandra::Ssl::generate_cert(key_, cn, ca_cert, ca_key);
+  ca_cert_ = ca_cert;
+
+  server_.use_ssl(key_, cert_, ca_cert_, true);
+#endif
+}

cpp-driver/gtests/src/unit/http_test.hpp

@@ -50,47 +50,16 @@ class HttpTest : public LoopTest {
   void start_http_server() { server_.listen(); }
   void stop_http_server() { server_.close(); }
 
-  datastax::internal::core::SocketSettings use_ssl(String cn = "127.0.0.1",
-                                                   bool is_server_using_ssl = true) {
-    datastax::internal::core::SocketSettings settings;
-
-#ifdef HAVE_OPENSSL
-    datastax::String ca_key = mockssandra::Ssl::generate_key();
-    ca_cert_ = mockssandra::Ssl::generate_cert(ca_key, cn);
-    key_ = mockssandra::Ssl::generate_key();
-    cert_ = mockssandra::Ssl::generate_cert(key_, cn, ca_cert_, ca_key);
-
-    datastax::internal::core::SslContext::Ptr ssl_context(
-        datastax::internal::core::SslContextFactory::create());
-    ssl_context->set_cert(cert().c_str(), cert().size());
-    ssl_context->set_private_key(key().c_str(), key().size(), "",
-                                 0); // No password expected for the private key
-    ssl_context->add_trusted_cert(ca_cert().c_str(), ca_cert().size());
-
-    settings.ssl_context = ssl_context;
-
-    if (is_server_using_ssl) {
-      server_.use_ssl(ca_key, ca_cert_, "", cert_);
-    }
-#endif
-
-    return settings;
-  }
+  datastax::internal::core::SocketSettings use_ssl(const String& cn = HTTP_MOCK_HOSTNAME,
+                                                   bool is_server_using_ssl = true);
 
-  void use_ssl(const String& key, const String& cert, const String& ca_key, const String& ca_cert) {
-#ifdef HAVE_OPENSSL
-    key_ = key;
-    cert_ = cert;
-    ca_cert_ = ca_cert;
-
-    server_.use_ssl(ca_key, ca_cert_, "", cert_);
-#endif
-  }
+  void use_ssl(const String& ca_cert, const String& ca_key, const String& cn);
 
 private:
   datastax::String ca_cert_;
   datastax::String cert_;
   datastax::String key_;
+
   mockssandra::http::Server server_;
 };
 

cpp-driver/gtests/src/unit/mockssandra.cpp

@@ -27,6 +27,7 @@
 
 #include <openssl/bio.h>
 #include <openssl/dh.h>
+#include <openssl/x509v3.h>
 
 #ifdef WIN32
 #include "winsock.h"
@@ -157,6 +158,8 @@ String Ssl::generate_cert(const String& key, String cn, String ca_cert, String c
     { // Read CA from string
       BIO* bio = BIO_new_mem_buf(const_cast<char*>(ca_cert.c_str()), ca_cert.length());
       if (!PEM_read_bio_X509(bio, &x509_ca, NULL, NULL)) {
+        X509_free(x509);
+        X509_REQ_free(x509_req);
         BIO_free(bio);
         return "";
       }
@@ -169,6 +172,9 @@ String Ssl::generate_cert(const String& key, String cn, String ca_cert, String c
       BIO* bio = BIO_new_mem_buf(const_cast<char*>(ca_key.c_str()), ca_key.length());
       if (!PEM_read_bio_PrivateKey(bio, &pkey_ca, NULL, NULL)) {
         BIO_free(bio);
+        X509_free(x509);
+        X509_free(x509_ca);
+        X509_REQ_free(x509_req);
         return "";
       }
       BIO_free(bio);
@@ -178,6 +184,21 @@ String Ssl::generate_cert(const String& key, String cn, String ca_cert, String c
     X509_free(x509_ca);
     EVP_PKEY_free(pkey_ca);
   } else {
+    if (cn == "CA") { // Set the purpose as a CA certificate.
+      X509_EXTENSION* x509_ex;
+      X509V3_CTX x509v3_ctx;
+      X509V3_set_ctx_nodb(&x509v3_ctx);
+      X509V3_set_ctx(&x509v3_ctx, x509, x509, NULL, NULL, 0);
+      x509_ex = X509V3_EXT_conf_nid(NULL, &x509v3_ctx, NID_basic_constraints,
+                                    const_cast<char*>("critical,CA:TRUE"));
+      if (!x509_ex) {
+        X509_free(x509);
+        X509_EXTENSION_free(x509_ex);
+        return "";
+      }
+      X509_add_ext(x509, x509_ex, -1);
+      X509_EXTENSION_free(x509_ex);
+    }
     X509_NAME* name = X509_get_subject_name(x509);
     X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
                                reinterpret_cast<const unsigned char*>("US"), -1, -1, 0);
@@ -214,6 +235,18 @@ static void print_ssl_error() {
   fprintf(stderr, "%s\n", buf);
 }
 
+static X509* load_cert(const String& cert) {
+  X509* x509 = NULL;
+  BIO* bio = BIO_new_mem_buf(const_cast<char*>(cert.c_str()), cert.length());
+  if (PEM_read_bio_X509(bio, &x509, NULL, NULL) == NULL) {
+    print_ssl_error();
+    BIO_free(bio);
+    return NULL;
+  }
+  BIO_free(bio);
+  return x509;
+}
+
 struct WriteReq {
   WriteReq(const char* data, size_t len, ClientConnection* connection)
       : data(data, len)
@@ -450,8 +483,8 @@ uv_loop_t* ServerConnection::loop() {
 }
 
 bool ServerConnection::use_ssl(const String& key, const String& cert,
-                               const String& password /*= ""*/,
-                               const String& client_cert /*= ""*/) {
+                               const String& ca_cert /*= ""*/,
+                               bool require_client_cert /*= false*/) {
   if (ssl_context_) {
     SSL_CTX_free(ssl_context_);
   }
@@ -461,31 +494,43 @@ bool ServerConnection::use_ssl(const String& key, const String& cert,
     return false;
   }
 
-  SSL_CTX_set_default_passwd_cb_userdata(ssl_context_, (void*)password.c_str());
+  SSL_CTX_set_default_passwd_cb_userdata(ssl_context_, (void*)"");
   SSL_CTX_set_default_passwd_cb(ssl_context_, on_password);
+  SSL_CTX_set_verify(ssl_context_, SSL_VERIFY_NONE, NULL);
 
-  X509* x509 = NULL;
-  { // Read cert from string
-    BIO* bio = BIO_new_mem_buf(const_cast<char*>(cert.c_str()), cert.length());
-    if (PEM_read_bio_X509(bio, &x509, NULL, NULL) == NULL) {
+  { // Load server certificate
+    X509* x509 = load_cert(cert);
+    if (!x509) return false;
+    if (SSL_CTX_use_certificate(ssl_context_, x509) <= 0) {
       print_ssl_error();
-      BIO_free(bio);
+      X509_free(x509);
       return false;
     }
-    BIO_free(bio);
+    X509_free(x509);
   }
 
-  if (SSL_CTX_use_certificate(ssl_context_, x509) <= 0) {
-    print_ssl_error();
-    X509_free(x509);
-    return false;
+  if (!ca_cert.empty()) { // Load CA certificate
+    X509* x509 = load_cert(ca_cert);
+    if (!x509) return false;
+    if (SSL_CTX_add_extra_chain_cert(ssl_context_, x509) <= 0) { // Certificate freed by function
+      print_ssl_error();
+      X509_free(x509);
+      return false;
+    }
+    if (require_client_cert) {
+      X509_STORE* cert_store = SSL_CTX_get_cert_store(ssl_context_);
+      if (X509_STORE_add_cert(cert_store, x509) <= 0) {
+        print_ssl_error();
+        return false;
+      }
+      SSL_CTX_set_verify(ssl_context_, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
+    }
   }
-  X509_free(x509);
 
   EVP_PKEY* pkey = NULL;
   { // Read key from string
     BIO* bio = BIO_new_mem_buf(const_cast<char*>(key.c_str()), key.length());
-    if (PEM_read_bio_PrivateKey(bio, &pkey, on_password, (void*)password.c_str()) == NULL) {
+    if (PEM_read_bio_PrivateKey(bio, &pkey, on_password, (void*)"") == NULL) {
       print_ssl_error();
       BIO_free(bio);
       return false;
@@ -508,43 +553,6 @@ bool ServerConnection::use_ssl(const String& key, const String& cert,
   }
   DH_free(dh);
 
-  if (!client_cert.empty()) {
-    X509_STORE* trust_store = SSL_CTX_get_cert_store(static_cast<const SSL_CTX*>(ssl_context_));
-    STACK_OF(X509_INFO) * stack_info;
-
-    { // Read cert from string
-      BIO* bio = BIO_new_mem_buf(const_cast<char*>(client_cert.c_str()), client_cert.size());
-      if ((stack_info = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL)) == NULL) {
-        print_ssl_error();
-        BIO_free(bio);
-        return false;
-      }
-      BIO_free(bio);
-    }
-
-    if (stack_info) {
-      for (int i = 0; i < sk_X509_INFO_num(stack_info); i++) {
-        X509_INFO* info = sk_X509_INFO_value(stack_info, i);
-        if (info->x509) {
-          if (X509_STORE_add_cert(trust_store, info->x509) <= 0) {
-            print_ssl_error();
-            return false;
-          }
-        }
-        if (info->crl) {
-          if (X509_STORE_add_crl(trust_store, info->crl) <= -0) {
-            print_ssl_error();
-            return false;
-          }
-        }
-      }
-    }
-
-    sk_X509_INFO_pop_free(stack_info, X509_INFO_free);
-  }
-
-  SSL_CTX_set_verify(ssl_context_, SSL_VERIFY_NONE, 0);
-
   return true;
 }
 

cpp-driver/gtests/src/unit/mockssandra.hpp

@@ -174,8 +174,8 @@ class ServerConnection : public RefCounted<ServerConnection> {
   SSL_CTX* ssl_context() { return ssl_context_; }
   const ClientConnections& clients() const { return clients_; }
 
-  bool use_ssl(const String& key, const String& cert, const String& password = "",
-               const String& client_cert = "");
+  bool use_ssl(const String& key, const String& cert, const String& ca_cert = "",
+               bool require_client_cert = false);
 
   void listen(EventLoopGroup* event_loop_group);
   int wait_listen();

cpp-driver/gtests/src/unit/tests/test_cloud_secure_connect_config.cpp

@@ -47,9 +47,9 @@
 #endif
 
 #define SNI_LOCAL_DC "dc1"
-#define SNI_HOST "localhost"
+#define SNI_HOST HTTP_MOCK_HOSTNAME
 #define SNI_PORT 30002
-#define SNI_HOST_AND_PORT "localhost:30002"
+#define SNI_HOST_AND_PORT HTTP_MOCK_HOSTNAME ":30002"
 #define SNI_HOST_ID_1 "276b1694-64c4-4ba8-afb4-e33915a02f1e"
 #define SNI_HOST_ID_2 "8c29f723-5c1c-4ffd-a4ef-8c683a7fc02b"
 #define SNI_HOST_ID_3 "fb91d3ff-47cb-447d-b31d-c5721ca8d7ab"
@@ -91,9 +91,9 @@ class CloudSecureConnectionConfigTest : public HttpTest {
     tmp_zip_file_ = String(tmp, tmp_length) + PATH_SEPARATOR + CREDS_V1_ZIP_FILE;
 
     ca_key_ = Ssl::generate_key();
-    ca_cert_ = Ssl::generate_cert(ca_key_);
+    ca_cert_ = Ssl::generate_cert(ca_key_, "CA");
     key_ = Ssl::generate_key();
-    cert_ = Ssl::generate_cert(key_, "localhost", ca_cert_, ca_key_);
+    cert_ = Ssl::generate_cert(key_, "", ca_cert_, ca_key_);
   }
 
   const String& creds_zip_file() const { return tmp_zip_file_; }
@@ -335,11 +335,11 @@ class CloudMetadataServerTest : public CloudSecureConnectionConfigTest {
     CloudSecureConnectionConfigTest::SetUp();
 
     StringBuffer buffer;
-    full_config_credsv1(buffer, HTTP_MOCK_SERVER_IP, HTTP_MOCK_SERVER_PORT);
+    full_config_credsv1(buffer, HTTP_MOCK_HOSTNAME, HTTP_MOCK_SERVER_PORT);
     create_zip_file(buffer.GetString());
     cloud_config_.load(creds_zip_file(), &config_);
 
-    use_ssl(key(), cert(), ca_key(), ca_cert()); // Ensure HttpServer is configured to use SSL
+    use_ssl(ca_cert(), ca_key(), HTTP_MOCK_HOSTNAME); // Ensure HttpServer is configured to use SSL
 
     ClusterSettings settings(config_);
     resolver_ = config_.cluster_metadata_resolver_factory()->new_instance(settings);