From 97c3dc6bf550c04dbfbcc07b213eeaccc3d099a7 Mon Sep 17 00:00:00 2001 From: Jose Date: Fri, 3 May 2024 12:21:29 +0200 Subject: [PATCH] More review fixes --- cpp/include/Ice/ClientAuthenticationOptions.h | 66 ++++----- cpp/include/Ice/ServerAuthenticationOptions.h | 138 +++++++++--------- 2 files changed, 98 insertions(+), 106 deletions(-) diff --git a/cpp/include/Ice/ClientAuthenticationOptions.h b/cpp/include/Ice/ClientAuthenticationOptions.h index 465842998c1..2ca27b70b7e 100644 --- a/cpp/include/Ice/ClientAuthenticationOptions.h +++ b/cpp/include/Ice/ClientAuthenticationOptions.h @@ -57,35 +57,6 @@ namespace Ice::SSL */ std::function clientCertificateSelectionCallback; - /** - * The trusted root certificates used for validating the server's certificate chain. If this field is set, the - * server's certificate chain is validated against these certificates; otherwise, the system's default root - * certificates are used. - * - * @remarks The trusted root certificates are used by both the default validation callback, and by custom - * validation callback set in clientCertificateValidationCallback. - * - * The application must ensure that the certificate store remains valid during the setup of the Communicator. It - * is also the application's responsibility to release the certificate store object after the Communicator has - * been created to prevent memory leaks. - * - * Example of setting trustedRootCertificates: - * ```cpp - * HCERTSTORE rootCerts = ...; // Populate with X.509 certificates - * - * auto initData = Ice::InitializationData { - * ... - * .clientAuthenticationOptions = ClientAuthenticationOptions { - * .trustedRootCertificates = rootCerts; - * } - * }; - * - * auto communicator = Ice::initialize(initData); - * CertCloseStore(rootCerts); // It is safe to close the rootCerts store now. - * ``` - */ - HCERTSTORE trustedRootCertificates = nullptr; - /** * A callback that is invoked before initiating a new SSL handshake. This callback provides an opportunity to * customize the SSL parameters for the session based on specific client settings or requirements. @@ -120,6 +91,31 @@ namespace Ice::SSL */ std::function sslNewSessionCallback; + /** + * The trusted root certificates used for validating the server's certificate chain. If this field is set, the + * server's certificate chain is validated against these certificates; otherwise, the system's default root + * certificates are used. + * + * @remarks The trusted root certificates are used by both the default validation callback, and by custom + * validation callback set in clientCertificateValidationCallback. + * + * Example of setting trustedRootCertificates: + * ```cpp + * HCERTSTORE rootCerts = ...; // Populate with X.509 certificates + * + * auto initData = Ice::InitializationData { + * ... + * .clientAuthenticationOptions = ClientAuthenticationOptions { + * .trustedRootCertificates = rootCerts; + * } + * }; + * + * auto communicator = Ice::initialize(initData); + * CertCloseStore(rootCerts); // It is safe to close the rootCerts store now. + * ``` + */ + HCERTSTORE trustedRootCertificates = nullptr; + /** * A callback that allows manually validating the server certificate chain. When the verification callback * returns false, the connection will be aborted with an Ice::SecurityException. @@ -221,10 +217,6 @@ namespace Ice::SSL * [SecTrustSetAnchorCertificatesOnly](https://developer.apple.com/documentation/security/1399071-sectrustsetanchorcertificatesonl?language=objc) * with the `anchorCertificatesOnly` parameter set to true. * - * The application must ensure that the CFArrayRef remains valid during the setup of the Communicator. It is - * also the application's responsibility to release the CFArrayRef object after the Communicator has been - * created to prevent memory leaks. - * * Example of setting trustedRootCertificates: * ```cpp * CFArrayRef rootCerts = CFArrayCreate(...); // Populate with X.509 certificates @@ -323,13 +315,13 @@ namespace Ice::SSL * * @remarks This callback is used to associate a specific SSL configuration with an outgoing connection * identified by the target host name. The callback must return a pointer to a valid SSL_CTX object which was - * previously initialized using OpenSSL API. The SSL transport takes ownership of the returned SSL_CTX pointer - * and releases it after closing the connection. + * previously initialized using the OpenSSL API. The SSL transport takes ownership of the returned SSL_CTX + * pointer and releases it after closing the connection. * * If the application does not provide a callback, the Ice SSL transport will use a SSL_CTX object created - * with SSL_CTX_new() for the connection, which uses the systems default OpenSSL configuration. + * with SSL_CTX_new() for the connection, which uses the default OpenSSL configuration. * - * The SSL transports calls this callback for each new outgoing connection to obtain the SSL_CTX object before + * The SSL transport calls this callback for each new outgoing connection to obtain the SSL_CTX object before * it starts the SSL handshake. * * @param host The target host name. diff --git a/cpp/include/Ice/ServerAuthenticationOptions.h b/cpp/include/Ice/ServerAuthenticationOptions.h index d230c6bac19..21235d63cae 100644 --- a/cpp/include/Ice/ServerAuthenticationOptions.h +++ b/cpp/include/Ice/ServerAuthenticationOptions.h @@ -56,39 +56,6 @@ namespace Ice::SSL */ std::function serverCertificateSelectionCallback; - /** - * The trusted root certificates used for validating the client's certificate chain. If this field is set, the - * server's certificate chain is validated against these certificates; otherwise, the system's default root - * certificates are used. - * - * @remarks The trusted root certificates are only used by the default validation callback, they are ignored by - * custom validation callbacks set with clientCertificateValidationCallback. - * - * The application must ensure that the certificate store remains valid during the setup of the ObjectAdapter. - * It is also the application's responsibility to release the certificate store object after the ObjectAdapter - * has been created to prevent memory leaks. - * - * Example of setting trustedRootCertificates: - * ```cpp - * HCERTSTORE rootCerts = ...; // Populate with X.509 certificates - * - * communicator->createObjectAdapterWithEndpoints( - * "Hello", - * "ssl -h 127.0.0.1 -p 10000", - * ServerAuthenticationOptions { .trustedRootCertificates = rootCerts; } - * }); - * - * auto communicator = Ice::initialize(initData); - * CertCloseStore(rootCerts); // It is safe to close the rootCerts store now. - * ``` - */ - HCERTSTORE trustedRootCertificates = nullptr; - - /** - * Whether or not the client must provide a certificate. The default value is false. - */ - bool clientCertificateRequired = false; - /** * A callback that is invoked before initiating a new SSL handshake. This callback provides an opportunity to * customize the SSL parameters for the session based on specific server settings or requirements. @@ -122,6 +89,39 @@ namespace Ice::SSL */ std::function sslNewSessionCallback; + /** + * Whether or not the client must provide a certificate. The default value is false. + */ + bool clientCertificateRequired = false; + + /** + * The trusted root certificates used for validating the client's certificate chain. If this field is set, the + * server's certificate chain is validated against these certificates; otherwise, the system's default root + * certificates are used. + * + * @remarks The trusted root certificates are only used by the default validation callback; they are ignored by + * custom validation callbacks set with clientCertificateValidationCallback. + * + * The application must ensure that the certificate store remains valid during the setup of the ObjectAdapter. + * It is also the application's responsibility to release the certificate store object after the ObjectAdapter + * has been created to prevent memory leaks. + * + * Example of setting trustedRootCertificates: + * ```cpp + * HCERTSTORE rootCerts = ...; // Populate with X.509 certificates + * + * communicator->createObjectAdapterWithEndpoints( + * "Hello", + * "ssl -h 127.0.0.1 -p 10000", + * ServerAuthenticationOptions { .trustedRootCertificates = rootCerts; } + * }); + * + * auto communicator = Ice::initialize(initData); + * CertCloseStore(rootCerts); // It is safe to close the rootCerts store now. + * ``` + */ + HCERTSTORE trustedRootCertificates = nullptr; + /** * A callback that allows manually validating the client certificate chain. When the verification callback * returns false, the connection will be aborted with an Ice::SecurityException. @@ -206,6 +206,42 @@ namespace Ice::SSL */ std::function serverCertificateSelectionCallback; + /** + * A callback that is invoked before initiating a new SSL handshake. This callback provides an opportunity to + * customize the SSL parameters for the session based on specific server settings or requirements. + * + * Example of setting sslNewSessionCallback: + * ```cpp + * communicator->createObjectAdapterWithEndpoints( + * "Hello", + * "ssl -h 127.0.0.1 -p 10000", + * ServerAuthenticationOptions{ + * .sslNewSessionCallback = + * [](SSLContextRef context, const std::string& adapterName) + * { + * // Customize the ssl context using SecureTransport API. + * OSStatus status = SSLSetProtocolVersionMin(context, kTLSProtocol13); + * if(status != noErr) + * { + * // Handle error + * } + * ... + * } + * }); + * ``` + * + * @param context An opaque type that represents an SSL session context object. + * @param adapterName The name of the object adapter that accepted the connection. + */ + std::function sslNewSessionCallback; + + /** + * The requirements for client-side authentication. The default is kNeverAuthenticate. + * + * [see SSLAuthenticate](https://developer.apple.com/documentation/security/sslauthenticate) + */ + SSLAuthenticate clientCertificateRequired = kNeverAuthenticate; + /** * The trusted root certificates used for validating the client's certificate chain. If this field is set, the * client's certificate chain is validated against these certificates; otherwise, the system's default root @@ -236,42 +272,6 @@ namespace Ice::SSL */ CFArrayRef trustedRootCertificates = nullptr; - /** - * The requirements for client-side authentication. The default is kNeverAuthenticate. - * - * [see SSLAuthenticate](https://developer.apple.com/documentation/security/sslauthenticate) - */ - SSLAuthenticate clientCertificateRequired = kNeverAuthenticate; - - /** - * A callback that is invoked before initiating a new SSL handshake. This callback provides an opportunity to - * customize the SSL parameters for the session based on specific server settings or requirements. - * - * Example of setting sslNewSessionCallback: - * ```cpp - * communicator->createObjectAdapterWithEndpoints( - * "Hello", - * "ssl -h 127.0.0.1 -p 10000", - * ServerAuthenticationOptions{ - * .sslNewSessionCallback = - * [](SSLContextRef context, const std::string& adapterName) - * { - * // Customize the ssl context using SecureTransport API. - * OSStatus status = SSLSetProtocolVersionMin(context, kTLSProtocol13); - * if(status != noErr) - * { - * // Handle error - * } - * ... - * } - * }); - * ``` - * - * @param context An opaque type that represents an SSL session context object. - * @param adapterName The name of the object adapter that accepted the connection. - */ - std::function sslNewSessionCallback; - /** * A callback that allows manually validating the client certificate chain. When the verification callback * returns false, the connection will be aborted with an Ice::SecurityException.