|
13 | 13 | // limitations under the License. |
14 | 14 |
|
15 | 15 | #include <filesystem> |
| 16 | +#include <fstream> |
| 17 | +#include <functional> |
16 | 18 | #include <string> |
17 | 19 | #include <utility> |
18 | 20 | #include <unordered_map> |
| 21 | +#include <vector> |
19 | 22 |
|
20 | 23 | #include "rmw_dds_common/security.hpp" |
21 | 24 |
|
22 | 25 | namespace rmw_dds_common |
23 | 26 | { |
24 | 27 |
|
| 28 | +// Processor for security attributes with FILE URI |
| 29 | +static bool process_file_uri_security_file( |
| 30 | + bool /*supports_pkcs11*/, |
| 31 | + const std::string & prefix, |
| 32 | + const std::filesystem::path & full_path, |
| 33 | + std::string & result) |
| 34 | +{ |
| 35 | + if (!std::filesystem::is_regular_file(full_path)) { |
| 36 | + return false; |
| 37 | + } |
| 38 | + result = prefix + full_path.generic_string(); |
| 39 | + return true; |
| 40 | +} |
| 41 | + |
| 42 | +// Processor for security attributes with PKCS#11 URI |
| 43 | +static bool process_pkcs_uri_security_file( |
| 44 | + bool supports_pkcs11, |
| 45 | + const std::string & /*prefix*/, |
| 46 | + const std::filesystem::path & full_path, |
| 47 | + std::string & result) |
| 48 | +{ |
| 49 | + if (!supports_pkcs11) { |
| 50 | + return false; |
| 51 | + } |
| 52 | + |
| 53 | + const std::string p11_prefix("pkcs11:"); |
| 54 | + |
| 55 | + std::ifstream ifs(full_path); |
| 56 | + if (!ifs.is_open()) { |
| 57 | + return false; |
| 58 | + } |
| 59 | + |
| 60 | + if (!(ifs >> result)) { |
| 61 | + return false; |
| 62 | + } |
| 63 | + if (result.find(p11_prefix) != 0) { |
| 64 | + return false; |
| 65 | + } |
| 66 | + |
| 67 | + return true; |
| 68 | +} |
| 69 | + |
25 | 70 | bool get_security_files( |
26 | 71 | const std::string & prefix, const std::string & secure_root, |
27 | 72 | std::unordered_map<std::string, std::string> & result) |
28 | 73 | { |
29 | | - const std::unordered_map<std::string, std::string> required_files{ |
30 | | - {"IDENTITY_CA", "identity_ca.cert.pem"}, |
31 | | - {"CERTIFICATE", "cert.pem"}, |
32 | | - {"PRIVATE_KEY", "key.pem"}, |
33 | | - {"PERMISSIONS_CA", "permissions_ca.cert.pem"}, |
34 | | - {"GOVERNANCE", "governance.p7s"}, |
35 | | - {"PERMISSIONS", "permissions.p7s"}, |
| 74 | + return get_security_files(false, prefix, secure_root, result); |
| 75 | +} |
| 76 | + |
| 77 | +bool get_security_files( |
| 78 | + bool supports_pkcs11, |
| 79 | + const std::string & prefix, |
| 80 | + const std::string & secure_root, |
| 81 | + std::unordered_map<std::string, std::string> & result) |
| 82 | +{ |
| 83 | + using std::placeholders::_1; |
| 84 | + using std::placeholders::_2; |
| 85 | + using std::placeholders::_3; |
| 86 | + using std::placeholders::_4; |
| 87 | + using security_file_processor = |
| 88 | + std::function<bool (bool, const std::string &, const std::filesystem::path &, std::string &)>; |
| 89 | + using processor_vector = |
| 90 | + std::vector<std::pair<std::string, security_file_processor>>; |
| 91 | + |
| 92 | + // Key: the security attribute |
| 93 | + // Value: ordered sequence of pairs. Each pair contains one possible file name |
| 94 | + // for the attribute and the corresponding processor method |
| 95 | + // Pairs are ordered by priority: the first one matching is used. |
| 96 | + const std::unordered_map<std::string, processor_vector> required_files{ |
| 97 | + {"IDENTITY_CA", { |
| 98 | + {"identity_ca.cert.p11", std::bind(process_pkcs_uri_security_file, _1, _2, _3, _4)}, |
| 99 | + {"identity_ca.cert.pem", std::bind(process_file_uri_security_file, _1, _2, _3, _4)}}}, |
| 100 | + {"CERTIFICATE", { |
| 101 | + {"cert.p11", std::bind(process_pkcs_uri_security_file, _1, _2, _3, _4)}, |
| 102 | + {"cert.pem", std::bind(process_file_uri_security_file, _1, _2, _3, _4)}}}, |
| 103 | + {"PRIVATE_KEY", { |
| 104 | + {"key.p11", std::bind(process_pkcs_uri_security_file, _1, _2, _3, _4)}, |
| 105 | + {"key.pem", std::bind(process_file_uri_security_file, _1, _2, _3, _4)}}}, |
| 106 | + {"PERMISSIONS_CA", { |
| 107 | + {"permissions_ca.cert.p11", std::bind(process_pkcs_uri_security_file, _1, _2, _3, _4)}, |
| 108 | + {"permissions_ca.cert.pem", std::bind(process_file_uri_security_file, _1, _2, _3, _4)}}}, |
| 109 | + {"GOVERNANCE", { |
| 110 | + {"governance.p7s", std::bind(process_file_uri_security_file, _1, _2, _3, _4)}}}, |
| 111 | + {"PERMISSIONS", { |
| 112 | + {"permissions.p7s", std::bind(process_file_uri_security_file, _1, _2, _3, _4)}}}, |
36 | 113 | }; |
37 | 114 |
|
38 | 115 | const std::unordered_map<std::string, std::string> optional_files{ |
39 | 116 | {"CRL", "crl.pem"}, |
40 | 117 | }; |
41 | 118 |
|
42 | | - for (const std::pair<const std::string, std::string> & el : required_files) { |
43 | | - std::filesystem::path full_path(secure_root); |
44 | | - full_path /= el.second; |
45 | | - if (!std::filesystem::is_regular_file(full_path)) { |
| 119 | + for (const std::pair<const std::string, |
| 120 | + std::vector<std::pair<std::string, security_file_processor>>> & el : required_files) |
| 121 | + { |
| 122 | + std::string attribute_value; |
| 123 | + bool processed = false; |
| 124 | + for (auto & proc : el.second) { |
| 125 | + std::filesystem::path full_path(secure_root); |
| 126 | + full_path /= proc.first; |
| 127 | + if (proc.second(supports_pkcs11, prefix, full_path, attribute_value)) { |
| 128 | + processed = true; |
| 129 | + break; |
| 130 | + } |
| 131 | + } |
| 132 | + if (!processed) { |
46 | 133 | result.clear(); |
47 | 134 | return false; |
48 | 135 | } |
49 | | - |
50 | | - result[el.first] = prefix + full_path.generic_string(); |
| 136 | + result[el.first] = attribute_value; |
51 | 137 | } |
52 | 138 |
|
53 | 139 | for (const std::pair<const std::string, std::string> & el : optional_files) { |
|
0 commit comments