Support for http proxy during ocsp check 55/156255/3
authorBartlomiej Grzelewski <b.grzelewski@samsung.com>
Tue, 17 Oct 2017 14:47:59 +0000 (16:47 +0200)
committerDongsun Lee <ds73.lee@samsung.com>
Wed, 18 Oct 2017 05:39:45 +0000 (14:39 +0900)
Change-Id: I4966c6dc08411491b419809be402ac8808027478

packaging/key-manager.spec
src/CMakeLists.txt
src/manager/service/ocsp.cpp

index 480510b..09a5a19 100644 (file)
@@ -29,6 +29,7 @@ BuildRequires: pkgconfig(cynara-creds-socket)
 BuildRequires: pkgconfig(libtzplatform-config)
 BuildRequires: pkgconfig(glib-2.0)
 BuildRequires: pkgconfig(pkgmgr)
+BuildRequires: pkgconfig(vconf)
 %if 0%{?watchdog_enabled}
 BuildRequires: pkgconfig(argos_watchdog)
 %endif
index 2e7291c..9eeaab7 100644 (file)
@@ -19,6 +19,7 @@ PKG_CHECK_MODULES(KEY_MANAGER_DEP
     cynara-client-async
     cynara-creds-socket
     pkgmgr
+    vconf
     ${EXTRA_KM_DEPS}
     )
 FIND_PACKAGE(Threads REQUIRED)
index 25219fc..8c430f5 100644 (file)
@@ -32,6 +32,7 @@
 #include <certificate-impl.h>
 #include <openssl_utils.h>
 #include <ckm/ckm-error.h>
+#include <vconf.h>
 
 /* Maximum leeway in validity period: default 5 minutes */
 #define MAX_VALIDITY_PERIOD     (5 * 60)
@@ -134,7 +135,7 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
        OCSP_CERTID *certid = NULL;
        BIO *cbio = NULL;
        SSL_CTX *use_ssl_ctx = NULL;
-       char *host = NULL, *port = NULL, *path = NULL;
+       std::string host, port, path;
        ASN1_GENERALIZEDTIME *rev = NULL;
        ASN1_GENERALIZEDTIME *thisupd = NULL;
        ASN1_GENERALIZEDTIME *nextupd = NULL;
@@ -151,16 +152,48 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
        std::vector<char> url(constUrl.begin(), constUrl.end());
        url.push_back(0);
 
-       if (!OCSP_parse_url(url.data(), &host, &port, &path, &use_ssl))
-               /* report error */
-               return CKM_API_OCSP_STATUS_INVALID_URL;
+       {
+               char *chost = NULL, *cport = NULL, *cpath = NULL;
+
+               if (!OCSP_parse_url(url.data(), &chost, &cport, &cpath, &use_ssl))
+                       /* report error */
+                       return CKM_API_OCSP_STATUS_INVALID_URL;
+
+               if (chost) host = chost;
+               if (cport) port = cport;
+               if (cpath) path = cpath;
+
+               OPENSSL_free(chost);
+               OPENSSL_free(cport);
+               OPENSSL_free(cpath);
+       }
 
        LogDebug("Host: " << host);
        LogDebug("Port: " << port);
        LogDebug("Path: " << path);
        LogDebug("Use_ssl: " << use_ssl);
 
-       cbio = BIO_new_connect(host);
+       std::unique_ptr<char, decltype(free)*> proxy(vconf_get_str(VCONFKEY_NETWORK_PROXY), free);
+
+       if (proxy && strlen(proxy.get()) > 0) {
+               char *phost = NULL, *pport = NULL, *ppath = NULL;
+
+               LogDebug("Using proxy: " << proxy.get());
+
+               if (!OCSP_parse_url(proxy.get(), &phost, &pport, &ppath, &use_ssl)) {
+                       return CKM_API_OCSP_STATUS_INVALID_URL;
+               }
+
+               path = url.data();
+               if (phost) host = phost;
+               if (pport) port = pport;
+
+               OPENSSL_free(phost);
+               OPENSSL_free(pport);
+               OPENSSL_free(ppath);
+       }
+
+       cbio = BIO_new_connect(host.c_str());
 
        if (cbio == NULL) {
                /*BIO_printf(bio_err, "Error creating connect BIO\n");*/
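Review bot: The second `OCSP_parse_url(proxy.get(), ...)` call overwrites `use_ssl`, so the scheme of the responder URL parsed a few lines earlier is lost: an `https://` responder reached through an `http://` proxy is sent as a plaintext absolute-form request to the proxy, and tunnelling to an HTTPS responder through an HTTP proxy would need a CONNECT step that this hunk does not set up. At minimum capture the responder's scheme before the proxy block, `const int responder_ssl = use_ssl;`, and handle `responder_ssl && !use_ssl` explicitly after it (log it, or fail the check if the responder leg must not be downgraded) — which choice is right depends on the deployment, so this is inferred from the visible lines only. The `path = url.data();` assignment also deserves a why-comment, e.g. `/* proxies expect the absolute-form request-target, i.e. the full responder URL */`. `ocsp_verify` begins and ends outside this hunk.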
@@ -168,8 +201,8 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
                return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
        }
 
-       if (port != NULL)
-               BIO_set_conn_port(cbio, port);
+       if (!port.empty())
+               BIO_set_conn_port(cbio, port.c_str());
 
        if (use_ssl == 1) {
                BIO *sbio = NULL;
@@ -201,18 +234,6 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
                ERR_print_errors(bioLogger.get());
                /* report error */
 
-               /* free stuff */
-               if (host != NULL)
-                       OPENSSL_free(host);
-
-               if (port != NULL)
-                       OPENSSL_free(port);
-
-               if (path != NULL)
-                       OPENSSL_free(path);
-
-               host = port = path = NULL;
-
                if (use_ssl && use_ssl_ctx)
                        SSL_CTX_free(use_ssl_ctx);
 
@@ -245,19 +266,7 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
                return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
        }
 
-       resp = OCSP_sendreq_bio(cbio, path, req);
-
-       /* free some stuff we no longer need */
-       if (host != NULL)
-               OPENSSL_free(host);
-
-       if (port != NULL)
-               OPENSSL_free(port);
-
-       if (path != NULL)
-               OPENSSL_free(path);
-
-       host = port = path = NULL;
+       resp = OCSP_sendreq_bio(cbio, path.c_str(), req);
 
        if (use_ssl && use_ssl_ctx)
                SSL_CTX_free(use_ssl_ctx);