Skip to content

Commit

Permalink
More review fixes
Browse files Browse the repository at this point in the history
  • Loading branch information
@pepone
pepone committed May 3, 2024
1 parent ed26e4e commit 97c3dc6
Show file tree
Hide file tree
Showing 2 changed files with 98 additions and 106 deletions.
66 changes: 29 additions & 37 deletions cpp/include/Ice/ClientAuthenticationOptions.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -57,35 +57,6 @@ namespace Ice::SSL
*/
std::function<PCCERT_CONTEXT(const std::string& host)> clientCertificateSelectionCallback;

/**
* The trusted root certificates used for validating the server's certificate chain. If this field is set, the
* server's certificate chain is validated against these certificates; otherwise, the system's default root
* certificates are used.
*
* @remarks The trusted root certificates are used by both the default validation callback, and by custom
* validation callback set in clientCertificateValidationCallback.
*
* The application must ensure that the certificate store remains valid during the setup of the Communicator. It
* is also the application's responsibility to release the certificate store object after the Communicator has
* been created to prevent memory leaks.
*
* Example of setting trustedRootCertificates:
* ```cpp
* HCERTSTORE rootCerts = ...; // Populate with X.509 certificates
*
* auto initData = Ice::InitializationData {
* ...
* .clientAuthenticationOptions = ClientAuthenticationOptions {
* .trustedRootCertificates = rootCerts;
* }
* };
*
* auto communicator = Ice::initialize(initData);
* CertCloseStore(rootCerts); // It is safe to close the rootCerts store now.
* ```
*/
HCERTSTORE trustedRootCertificates = nullptr;

/**
* A callback that is invoked before initiating a new SSL handshake. This callback provides an opportunity to
* customize the SSL parameters for the session based on specific client settings or requirements.
Expand Down Expand Up @@ -120,6 +91,31 @@ namespace Ice::SSL
*/
std::function<void(CtxtHandle context, const std::string& host)> sslNewSessionCallback;

/**
* The trusted root certificates used for validating the server's certificate chain. If this field is set, the
* server's certificate chain is validated against these certificates; otherwise, the system's default root
* certificates are used.
*
* @remarks The trusted root certificates are used by both the default validation callback, and by custom
* validation callback set in clientCertificateValidationCallback.
*
* Example of setting trustedRootCertificates:
* ```cpp
* HCERTSTORE rootCerts = ...; // Populate with X.509 certificates
*
* auto initData = Ice::InitializationData {
* ...
* .clientAuthenticationOptions = ClientAuthenticationOptions {
* .trustedRootCertificates = rootCerts;
* }
* };
*
* auto communicator = Ice::initialize(initData);
* CertCloseStore(rootCerts); // It is safe to close the rootCerts store now.
* ```
*/
HCERTSTORE trustedRootCertificates = nullptr;

/**
* A callback that allows manually validating the server certificate chain. When the verification callback
* returns false, the connection will be aborted with an Ice::SecurityException.
Expand Down Expand Up @@ -221,10 +217,6 @@ namespace Ice::SSL
* [SecTrustSetAnchorCertificatesOnly](https://developer.apple.com/documentation/security/1399071-sectrustsetanchorcertificatesonl?language=objc)
* with the `anchorCertificatesOnly` parameter set to true.
*
* The application must ensure that the CFArrayRef remains valid during the setup of the Communicator. It is
* also the application's responsibility to release the CFArrayRef object after the Communicator has been
* created to prevent memory leaks.
*
* Example of setting trustedRootCertificates:
* ```cpp
* CFArrayRef rootCerts = CFArrayCreate(...); // Populate with X.509 certificates
Expand Down Expand Up @@ -323,13 +315,13 @@ namespace Ice::SSL
*
* @remarks This callback is used to associate a specific SSL configuration with an outgoing connection
* identified by the target host name. The callback must return a pointer to a valid SSL_CTX object which was
* previously initialized using OpenSSL API. The SSL transport takes ownership of the returned SSL_CTX pointer
* and releases it after closing the connection.
* previously initialized using the OpenSSL API. The SSL transport takes ownership of the returned SSL_CTX
* pointer and releases it after closing the connection.
*
* If the application does not provide a callback, the Ice SSL transport will use a SSL_CTX object created
* with SSL_CTX_new() for the connection, which uses the systems default OpenSSL configuration.
* with SSL_CTX_new() for the connection, which uses the default OpenSSL configuration.
*
* The SSL transports calls this callback for each new outgoing connection to obtain the SSL_CTX object before
* The SSL transport calls this callback for each new outgoing connection to obtain the SSL_CTX object before
* it starts the SSL handshake.
*
* @param host The target host name.
Expand Down
138 changes: 69 additions & 69 deletions cpp/include/Ice/ServerAuthenticationOptions.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -56,39 +56,6 @@ namespace Ice::SSL
*/
std::function<PCCERT_CONTEXT(const std::string& host)> serverCertificateSelectionCallback;

/**
* The trusted root certificates used for validating the client's certificate chain. If this field is set, the
* server's certificate chain is validated against these certificates; otherwise, the system's default root
* certificates are used.
*
* @remarks The trusted root certificates are only used by the default validation callback, they are ignored by
* custom validation callbacks set with clientCertificateValidationCallback.
*
* The application must ensure that the certificate store remains valid during the setup of the ObjectAdapter.
* It is also the application's responsibility to release the certificate store object after the ObjectAdapter
* has been created to prevent memory leaks.
*
* Example of setting trustedRootCertificates:
* ```cpp
* HCERTSTORE rootCerts = ...; // Populate with X.509 certificates
*
* communicator->createObjectAdapterWithEndpoints(
* "Hello",
* "ssl -h 127.0.0.1 -p 10000",
* ServerAuthenticationOptions { .trustedRootCertificates = rootCerts; }
* });
*
* auto communicator = Ice::initialize(initData);
* CertCloseStore(rootCerts); // It is safe to close the rootCerts store now.
* ```
*/
HCERTSTORE trustedRootCertificates = nullptr;

/**
* Whether or not the client must provide a certificate. The default value is false.
*/
bool clientCertificateRequired = false;

/**
* A callback that is invoked before initiating a new SSL handshake. This callback provides an opportunity to
* customize the SSL parameters for the session based on specific server settings or requirements.
Expand Down Expand Up @@ -122,6 +89,39 @@ namespace Ice::SSL
*/
std::function<void(CtxtHandle context, const std::string& adapterName)> sslNewSessionCallback;

/**
* Whether or not the client must provide a certificate. The default value is false.
*/
bool clientCertificateRequired = false;

/**
* The trusted root certificates used for validating the client's certificate chain. If this field is set, the
* server's certificate chain is validated against these certificates; otherwise, the system's default root
* certificates are used.
*
* @remarks The trusted root certificates are only used by the default validation callback; they are ignored by
* custom validation callbacks set with clientCertificateValidationCallback.
*
* The application must ensure that the certificate store remains valid during the setup of the ObjectAdapter.
* It is also the application's responsibility to release the certificate store object after the ObjectAdapter
* has been created to prevent memory leaks.
*
* Example of setting trustedRootCertificates:
* ```cpp
* HCERTSTORE rootCerts = ...; // Populate with X.509 certificates
*
* communicator->createObjectAdapterWithEndpoints(
* "Hello",
* "ssl -h 127.0.0.1 -p 10000",
* ServerAuthenticationOptions { .trustedRootCertificates = rootCerts; }
* });
*
* auto communicator = Ice::initialize(initData);
* CertCloseStore(rootCerts); // It is safe to close the rootCerts store now.
* ```
*/
HCERTSTORE trustedRootCertificates = nullptr;

/**
* A callback that allows manually validating the client certificate chain. When the verification callback
* returns false, the connection will be aborted with an Ice::SecurityException.
Expand Down Expand Up @@ -206,6 +206,42 @@ namespace Ice::SSL
*/
std::function<CFArrayRef(const std::string& adapterName)> serverCertificateSelectionCallback;

/**
* A callback that is invoked before initiating a new SSL handshake. This callback provides an opportunity to
* customize the SSL parameters for the session based on specific server settings or requirements.
*
* Example of setting sslNewSessionCallback:
* ```cpp
* communicator->createObjectAdapterWithEndpoints(
* "Hello",
* "ssl -h 127.0.0.1 -p 10000",
* ServerAuthenticationOptions{
* .sslNewSessionCallback =
* [](SSLContextRef context, const std::string& adapterName)
* {
* // Customize the ssl context using SecureTransport API.
* OSStatus status = SSLSetProtocolVersionMin(context, kTLSProtocol13);
* if(status != noErr)
* {
* // Handle error
* }
* ...
* }
* });
* ```
*
* @param context An opaque type that represents an SSL session context object.
* @param adapterName The name of the object adapter that accepted the connection.
*/
std::function<void(SSLContextRef context, const std::string& adapterName)> sslNewSessionCallback;

/**
* The requirements for client-side authentication. The default is kNeverAuthenticate.
*
* [see SSLAuthenticate](https://developer.apple.com/documentation/security/sslauthenticate)
*/
SSLAuthenticate clientCertificateRequired = kNeverAuthenticate;

/**
* The trusted root certificates used for validating the client's certificate chain. If this field is set, the
* client's certificate chain is validated against these certificates; otherwise, the system's default root
Expand Down Expand Up @@ -236,42 +272,6 @@ namespace Ice::SSL
*/
CFArrayRef trustedRootCertificates = nullptr;

/**
* The requirements for client-side authentication. The default is kNeverAuthenticate.
*
* [see SSLAuthenticate](https://developer.apple.com/documentation/security/sslauthenticate)
*/
SSLAuthenticate clientCertificateRequired = kNeverAuthenticate;

/**
* A callback that is invoked before initiating a new SSL handshake. This callback provides an opportunity to
* customize the SSL parameters for the session based on specific server settings or requirements.
*
* Example of setting sslNewSessionCallback:
* ```cpp
* communicator->createObjectAdapterWithEndpoints(
* "Hello",
* "ssl -h 127.0.0.1 -p 10000",
* ServerAuthenticationOptions{
* .sslNewSessionCallback =
* [](SSLContextRef context, const std::string& adapterName)
* {
* // Customize the ssl context using SecureTransport API.
* OSStatus status = SSLSetProtocolVersionMin(context, kTLSProtocol13);
* if(status != noErr)
* {
* // Handle error
* }
* ...
* }
* });
* ```
*
* @param context An opaque type that represents an SSL session context object.
* @param adapterName The name of the object adapter that accepted the connection.
*/
std::function<void(SSLContextRef context, const std::string& adapterName)> sslNewSessionCallback;

/**
* A callback that allows manually validating the client certificate chain. When the verification callback
* returns false, the connection will be aborted with an Ice::SecurityException.
Expand Down

0 comments on commit 97c3dc6

Please sign in to comment.