server-side support for client certificates

2025-04-21 22:25:55 +03:00 · 2019-06-05 02:21:37 +08:00 · 2019-06-05 02:21:37 +08:00 · d630c116df
commit d630c116df
parent 48af26e332
1 changed files with 21 additions and 4 deletions
--- a/httplib.h
+++ b/httplib.h
@ -374,7 +374,7 @@ private:

 class SSLServer : public Server {
 public:
-  SSLServer(const char *cert_path, const char *private_key_path);
+  SSLServer(const char *cert_path, const char *private_key_path, const char *client_cert_path);

  virtual ~SSLServer();

@ -385,6 +385,7 @@ private:

  SSL_CTX *ctx_;
  std::mutex ctx_mutex_;
+  const char *client_cert_path_;
 };

 class SSLClient : public Client {
@ -2228,7 +2229,8 @@ read_and_close_socket_ssl(socket_t sock, size_t keep_alive_max_count,
                          // TODO: OpenSSL 1.0.2 occasionally crashes...
                          // The upcoming 1.1.0 is going to be thread safe.
                          SSL_CTX *ctx, std::mutex &ctx_mutex,
-                          U SSL_connect_or_accept, V setup, T callback) {
+                          U SSL_connect_or_accept, V setup, T callback,
+                          const char* client_cert_path = nullptr) {
  SSL *ssl = nullptr;
  {
    std::lock_guard<std::mutex> guard(ctx_mutex);
@ -2254,6 +2256,13 @@ read_and_close_socket_ssl(socket_t sock, size_t keep_alive_max_count,
    return false;
  }

+  if(client_cert_path){
+    STACK_OF(X509_NAME)* list;
+    list = SSL_load_client_CA_file(client_cert_path);
+    SSL_set_client_CA_list(ssl, list);
+    SSL_CTX_load_verify_locations(ctx,client_cert_path,nullptr);
+  }
+
  bool ret = false;

  if (SSL_connect_or_accept(ssl) == 1) {
@ -2327,7 +2336,9 @@ inline std::string SSLSocketStream::get_remote_addr() const {

 // SSL HTTP server implementation
 inline SSLServer::SSLServer(const char *cert_path,
-                            const char *private_key_path) {
+                            const char *private_key_path,
+                            const char *client_cert_path = nullptr)
+  : client_cert_path_(client_cert_path){
  ctx_ = SSL_CTX_new(SSLv23_server_method());

  if (ctx_) {
@ -2345,6 +2356,11 @@ inline SSLServer::SSLServer(const char *cert_path,
            1) {
      SSL_CTX_free(ctx_);
      ctx_ = nullptr;
+    } else if(client_cert_path_) {
+      SSL_CTX_set_verify(ctx_,
+        SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, //SSL_VERIFY_CLIENT_ONCE,
+        nullptr
+      );
    }
  }
 }
@ -2361,7 +2377,8 @@ inline bool SSLServer::read_and_close_socket(socket_t sock) {
      [](SSL * /*ssl*/) { return true; },
      [this](Stream &strm, bool last_connection, bool &connection_close) {
        return process_request(strm, last_connection, connection_close);
-      });
+      },
+      client_cert_path_);
 }

 // SSL HTTP client implementation