qpid-dev mailing list archives

From "Domen Vrankar (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (QPID-7130) qpid C++ with SSL authentication returning dummy string from Connection::getAuthenticatedUsername()
Date Tue, 08 Mar 2016 12:50:41 GMT

     [ https://issues.apache.org/jira/browse/QPID-7130?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Domen Vrankar updated QPID-7130:
    Attachment: 0005-Deleted-old-getClientAuthId-function-that-was-replac.patch

> qpid C++ with SSL authentication returning dummy string from Connection::getAuthenticatedUsername()
> ---------------------------------------------------------------------------------------------------
>                 Key: QPID-7130
>                 URL: https://issues.apache.org/jira/browse/QPID-7130
>             Project: Qpid
>          Issue Type: Improvement
>    Affects Versions: qpid-cpp-0.34
>         Environment: Fedora 21 Linux
>            Reporter: Domen Vrankar
>            Priority: Minor
>              Labels: features, patch
>             Fix For: qpid-cpp-next
>         Attachments: 0001-qpid-messaging-Connection-getAuthenticatedUsername.patch, 0002-Added-getLocalAuthId-to-all-socket-classes.patch, 0003-Added-virtual-keyword-to-functions-BSDSocket-getKeyL.patch, 0004-Added-getPeerAuthId-as-an-alias-for-getClientAuthId-.patch,
> When using Qpid C++ without SASL or with authentication disabled you can do:
> qpid_message.setUserId(qpid_connection_.getAuthenticatedUsername());
> and the message can be received at the remote location.
> Without SASL the "ANONYMOUS" string is returned.
> With SASL but without authentication the "anonymous" string is returned.
> In both cases the message isn't rejected by the broker.
> With SASL and SSL authentication "dummy" is returned. This string is rejected by the broker and also doesn't help with identifying who sent the message.
> The first patch fixes this by reading the local certificate authentication id the same way as SslSocket::getClientAuthId does, but for the local instead of the peer certificate.
> The second patch adds getLocalAuthId to all other classes derived from Socket (not certain if this is necessary, that's why it's in a separate patch).
> The third patch adds the virtual keyword to the BSDSocket getKeyLen, getClientAuthId and ~BSDSocket() functions since this class is the parent class of SslSocket. (Since with C++11 and later compilers the final and override keywords can be used to find such errors, perhaps two macros should be defined and used throughout the code, e.g.:
> create file qpid_cpp.hpp
> #if __cplusplus <= 199711L
>   #define QPID_CPP_OVERRIDE // pre-C++11: both macros expand to nothing
>   #define QPID_CPP_FINAL
> #else
>   #define QPID_CPP_OVERRIDE override
>   #define QPID_CPP_FINAL final
> #endif
> and then used somewhere:
> #include "qpid_cpp.hpp"
> struct A {
>     virtual void foo() QPID_CPP_FINAL; // A::foo is final
>     virtual void bar();
>     virtual void bas();
> };
> struct B QPID_CPP_FINAL : A { // struct B is final
>     void foo(); // Error: foo cannot be overridden as it's final in A
>     void bar() QPID_CPP_OVERRIDE;
>     int bas() QPID_CPP_OVERRIDE; // Error: wrong bas signature used
>     void baf() QPID_CPP_OVERRIDE; // Error: function doesn't override anything 
> };
> struct C : B { // Error: B is final
> };
> )
> The fourth patch adds getPeerAuthId as an alias for getClientAuthId since the current name is meaningful only on the broker side (on the client side it returns the broker authentication id).
> The fifth patch removes getClientAuthId altogether (split into a separate patch as I am not certain if this function can be accessed from outside the Qpid internal implementation and should remain as is).
> How to test:
> Build qpid with SASL and SSL.
> Create an SSL certificate store.
> Run qpid with:
> qpidd --ssl-cert-db ${CERT_DB_DIR} --ssl-cert-password-file /tmp/password.txt --ssl-cert-name --ssl-require-client-authentication --acl-file ${ACL_DIR}/acl_file.acl --auth yes
> ACL file should contain:
> acl allow send@QPID all # sender cert
> acl allow receive@QPID all # receiver cert
> acl deny all all
> On sending client use:
> qpid_message.setUserId(qpid_connection_.getAuthenticatedUsername());
> On receiving client use:
> qpid_message.getUserId();
> The message should be delivered and the ids should be the same and match the sender certificate.

This message was sent by Atlassian JIRA
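
An added illustration, not code from the issue's patches or from qpid itself, of the two points raised in the third patch: a base-class method declared without virtual is hidden rather than overridden, so callers holding a base reference get the base's placeholder id, and the proposed QPID_CPP_OVERRIDE/QPID_CPP_FINAL macros let a C++11 compiler reject a mismatched override. The class names (PlainSocket, TlsSocket) and the id strings are hypothetical simplifications and do not correspond to the qpid socket classes; the shim here also defines QPID_CPP_OVERRIDE in the pre-C++11 branch so code using it still compiles there.

```cpp
// Added example (not qpid code). Names and strings are hypothetical.
#include <string>

// Portability shim as proposed in the issue, with both macros defined in
// the pre-C++11 branch so QPID_CPP_OVERRIDE is never left undefined.
#if __cplusplus <= 199711L
  #define QPID_CPP_OVERRIDE
  #define QPID_CPP_FINAL
#else
  #define QPID_CPP_OVERRIDE override
  #define QPID_CPP_FINAL final
#endif

// --- Broken shape: the base method is not virtual ------------------------
struct PlainSocketNoVirtual {
    // Placeholder returned when no certificate identity is available.
    std::string getPeerAuthId() const { return "dummy"; }
};

struct TlsSocketNoVirtual : PlainSocketNoVirtual {
    // This hides the base method; it does not override it.
    std::string getPeerAuthId() const { return "send@QPID"; }  // constructed id
};

// Generic connection code holds a base reference, so it never reaches the
// TLS implementation and stamps the placeholder on the message instead.
std::string authIdViaBaseNoVirtual(const PlainSocketNoVirtual& s) {
    return s.getPeerAuthId();
}

// --- Fixed shape: virtual base method, override checked by the compiler --
struct PlainSocket {
    virtual ~PlainSocket() {}  // virtual so deleting through a base pointer is safe
    virtual std::string getPeerAuthId() const { return "dummy"; }
};

struct TlsSocket QPID_CPP_FINAL : PlainSocket {
    // With a C++11 compiler a typo in the name, a wrong const-ness or a wrong
    // return type here is a compile error rather than a silently hidden method.
    std::string getPeerAuthId() const QPID_CPP_OVERRIDE { return "send@QPID"; }
};

// Same generic call site, now dispatched to the derived implementation.
std::string authIdViaBase(const PlainSocket& s) {
    return s.getPeerAuthId();
}

// Mirrors the issue's end-to-end check: the id the sender puts on the
// message must be the certificate-derived one, not the placeholder.
bool senderIdMatchesCertificate(const PlainSocket& s, const std::string& expected) {
    std::string id = authIdViaBase(s);
    return id != "dummy" && id == expected;
}

int main() {
    TlsSocketNoVirtual broken;
    TlsSocket fixed;
    bool ok = authIdViaBaseNoVirtual(broken) == "dummy"
           && senderIdMatchesCertificate(fixed, "send@QPID");
    return ok ? 0 : 1;
}
```

Building the broken half with a C++11 compiler and -Wall is quiet; that is the point of the macros: only a declaration marked override is checked, so the shim has to be applied to every overriding declaration to catch the signature mistakes the issue describes.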
