43179a7ef4
Summary: RSocket plays nicely with Folly and OpenSSL. Flipper WebSocket-client uses SocketRocket which instead relies on Apple's NSInputStream and NSOutputStream types. SSL options can be set to secure the communication in both. Unfortunately, Apple APIs are a bit limited on the supported cryptographic formats it can accept as arguments. SSL options require the client certificate to be set in PKCS #12 format, contrary to the existing PEM format used by RSocket. This change adds a method to the ConnectionContext which converts and saves the client certificate in PKCS #12 format. The method is always expected to succeed as it will only be called once a valid client certificate is available. An unlikely failure will raise an exception. Reviewed By: fabiomassimo Differential Revision: D30074334 fbshipit-source-id: 91a475d080569cc339b649c7302b1f28793c7de7
206 lines
6.3 KiB
C++
206 lines
6.3 KiB
C++
/*
|
|
* Copyright (c) Facebook, Inc. and its affiliates.
|
|
*
|
|
* This source code is licensed under the MIT license found in the
|
|
* LICENSE file in the root directory of this source tree.
|
|
*/
|
|
|
|
#include "ConnectionContextStore.h"
|
|
#include <folly/json.h>
|
|
#include <folly/portability/SysStat.h>
|
|
#include <openssl/err.h>
|
|
#include <openssl/pem.h>
|
|
#include <openssl/pkcs12.h>
|
|
#include <openssl/x509.h>
|
|
#include <fstream>
|
|
#include <iostream>
|
|
#include <sstream>
|
|
#include <stdexcept>
|
|
#include <utility>
|
|
#include "CertificateUtils.h"
|
|
#include "Log.h"
|
|
namespace facebook {
|
|
namespace flipper {
|
|
|
|
static constexpr auto CSR_FILE_NAME = "app.csr";
|
|
static constexpr auto FLIPPER_CA_FILE_NAME = "sonarCA.crt";
|
|
static constexpr auto CLIENT_CERT_FILE_NAME = "device.crt";
|
|
static constexpr auto PRIVATE_KEY_FILE = "privateKey.pem";
|
|
static constexpr auto CERTIFICATE_FILE_NAME = "device.p12";
|
|
static constexpr auto CERTIFICATE_PASSWORD = "fl1pp3r";
|
|
static constexpr auto CONNECTION_CONFIG_FILE = "connection_config.json";
|
|
|
|
bool fileExists(std::string fileName);
|
|
std::string loadStringFromFile(std::string fileName);
|
|
void writeStringToFile(std::string content, std::string fileName);
|
|
|
|
ConnectionContextStore::ConnectionContextStore(DeviceData deviceData)
|
|
: deviceData_(deviceData) {}
|
|
|
|
bool ConnectionContextStore::hasRequiredFiles() {
|
|
std::string caCert =
|
|
loadStringFromFile(absoluteFilePath(FLIPPER_CA_FILE_NAME));
|
|
std::string clientCert =
|
|
loadStringFromFile(absoluteFilePath(CLIENT_CERT_FILE_NAME));
|
|
std::string privateKey =
|
|
loadStringFromFile(absoluteFilePath(PRIVATE_KEY_FILE));
|
|
std::string config =
|
|
loadStringFromFile(absoluteFilePath(CONNECTION_CONFIG_FILE));
|
|
|
|
if (caCert == "" || clientCert == "" || privateKey == "" || config == "") {
|
|
return false;
|
|
}
|
|
return true;
|
|
}
|
|
|
|
std::string ConnectionContextStore::getCertificateSigningRequest() {
|
|
// Use in-memory CSR if already loaded
|
|
if (csr != "") {
|
|
return csr;
|
|
}
|
|
|
|
// Attempt to load existing CSR from previous run of the app
|
|
csr = loadStringFromFile(absoluteFilePath(CSR_FILE_NAME));
|
|
if (csr != "") {
|
|
return csr;
|
|
}
|
|
|
|
// Clean all state and generate a new one
|
|
resetState();
|
|
bool success = facebook::flipper::generateCertSigningRequest(
|
|
deviceData_.appId.c_str(),
|
|
absoluteFilePath(CSR_FILE_NAME).c_str(),
|
|
absoluteFilePath(PRIVATE_KEY_FILE).c_str());
|
|
if (!success) {
|
|
throw new std::runtime_error("Failed to generate CSR");
|
|
}
|
|
csr = loadStringFromFile(absoluteFilePath(CSR_FILE_NAME));
|
|
|
|
return csr;
|
|
}
|
|
|
|
std::shared_ptr<folly::SSLContext> ConnectionContextStore::getSSLContext() {
|
|
std::shared_ptr<folly::SSLContext> sslContext =
|
|
std::make_shared<folly::SSLContext>();
|
|
sslContext->loadTrustedCertificates(
|
|
absoluteFilePath(FLIPPER_CA_FILE_NAME).c_str());
|
|
sslContext->setVerificationOption(
|
|
folly::SSLContext::SSLVerifyPeerEnum::VERIFY);
|
|
sslContext->loadCertKeyPairFromFiles(
|
|
absoluteFilePath(CLIENT_CERT_FILE_NAME).c_str(),
|
|
absoluteFilePath(PRIVATE_KEY_FILE).c_str());
|
|
sslContext->authenticate(true, false);
|
|
return sslContext;
|
|
}
|
|
|
|
std::string ConnectionContextStore::getDeviceId() {
|
|
/* On android we can't reliably get the serial of the current device
|
|
So rely on our locally written config, which is provided by the
|
|
desktop app.
|
|
For backwards compatibility, when this isn't present, fall back to the
|
|
unreliable source. */
|
|
try {
|
|
std::string config =
|
|
loadStringFromFile(absoluteFilePath(CONNECTION_CONFIG_FILE));
|
|
auto maybeDeviceId = folly::parseJson(config)["deviceId"];
|
|
return maybeDeviceId.isString() ? maybeDeviceId.getString()
|
|
: deviceData_.deviceId;
|
|
} catch (std::exception&) {
|
|
return deviceData_.deviceId;
|
|
}
|
|
}
|
|
|
|
void ConnectionContextStore::storeConnectionConfig(folly::dynamic& config) {
|
|
std::string json = folly::toJson(config);
|
|
writeStringToFile(json, absoluteFilePath(CONNECTION_CONFIG_FILE));
|
|
}
|
|
|
|
std::string ConnectionContextStore::absoluteFilePath(const char* filename) {
|
|
return std::string(deviceData_.privateAppDirectory + "/sonar/" + filename);
|
|
}
|
|
|
|
std::string ConnectionContextStore::getCertificateDirectoryPath() {
|
|
return absoluteFilePath("");
|
|
}
|
|
|
|
bool ConnectionContextStore::resetState() {
|
|
// Clear in-memory state
|
|
csr = "";
|
|
|
|
// Delete state from disk
|
|
std::string dirPath = absoluteFilePath("");
|
|
struct stat info;
|
|
if (stat(dirPath.c_str(), &info) != 0) {
|
|
int ret = mkdir(dirPath.c_str(), S_IRUSR | S_IWUSR | S_IXUSR);
|
|
return ret == 0;
|
|
} else if (info.st_mode & S_IFDIR) {
|
|
for (auto file :
|
|
{CSR_FILE_NAME,
|
|
FLIPPER_CA_FILE_NAME,
|
|
CLIENT_CERT_FILE_NAME,
|
|
PRIVATE_KEY_FILE,
|
|
CONNECTION_CONFIG_FILE,
|
|
CERTIFICATE_FILE_NAME}) {
|
|
std::remove(absoluteFilePath(file).c_str());
|
|
}
|
|
return true;
|
|
} else {
|
|
log("ERROR: Flipper path exists but is not a directory: " + dirPath);
|
|
return false;
|
|
}
|
|
}
|
|
|
|
std::pair<std::string, std::string> ConnectionContextStore::getCertificate() {
|
|
auto cacertFilepath = absoluteFilePath(FLIPPER_CA_FILE_NAME);
|
|
auto certFilepath = absoluteFilePath(CLIENT_CERT_FILE_NAME);
|
|
auto keyFilepath = absoluteFilePath(PRIVATE_KEY_FILE);
|
|
auto certificate_path = absoluteFilePath(CERTIFICATE_FILE_NAME);
|
|
|
|
if (fileExists(certificate_path.c_str())) {
|
|
std::remove(certificate_path.c_str());
|
|
}
|
|
|
|
if (!facebook::flipper::generateCertPKCS12(
|
|
cacertFilepath.c_str(),
|
|
certFilepath.c_str(),
|
|
keyFilepath.c_str(),
|
|
certificate_path.c_str(),
|
|
CERTIFICATE_FILE_NAME,
|
|
CERTIFICATE_PASSWORD)) {
|
|
log("ERROR: Unable to genereate certificate pkcs#12");
|
|
return std::make_pair("", "");
|
|
}
|
|
|
|
return std::make_pair(certificate_path, std::string(CERTIFICATE_PASSWORD));
|
|
}
|
|
|
|
std::string loadStringFromFile(std::string fileName) {
|
|
if (!fileExists(fileName)) {
|
|
return "";
|
|
}
|
|
std::stringstream buffer;
|
|
std::ifstream stream;
|
|
std::string line;
|
|
stream.open(fileName.c_str());
|
|
if (!stream) {
|
|
log("ERROR: Unable to open ifstream: " + fileName);
|
|
return "";
|
|
}
|
|
buffer << stream.rdbuf();
|
|
std::string s = buffer.str();
|
|
return s;
|
|
}
|
|
|
|
void writeStringToFile(std::string content, std::string fileName) {
|
|
std::ofstream out(fileName);
|
|
out << content;
|
|
}
|
|
|
|
bool fileExists(std::string fileName) {
|
|
struct stat buffer;
|
|
return stat(fileName.c_str(), &buffer) == 0;
|
|
}
|
|
|
|
} // namespace flipper
|
|
} // namespace facebook
|