File: ssl_domain.rb

package info (click to toggle)
qpid-proton 0.37.0-7
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 18,384 kB
  • sloc: ansic: 37,828; cpp: 37,140; python: 15,302; ruby: 6,018; xml: 477; sh: 320; pascal: 52; makefile: 18
file content (154 lines) | stat: -rw-r--r-- 6,377 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
 
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.


module Qpid::Proton

  # The top-level object that stores the configuration used by one or more
  # SSL sessions.
  #
  # @see SSL
  #
  class SSLDomain

    # The local connection endpoint is an SSL client.
    # @private
    MODE_CLIENT = Cproton::PN_SSL_MODE_CLIENT
    # The local connection endpoint is an SSL server.
    # @private
    MODE_SERVER = Cproton::PN_SSL_MODE_SERVER

    # Require the peer to provide a valid identifying certificate.
    VERIFY_PEER = Cproton::PN_SSL_VERIFY_PEER
    # Do no require a certificate nor a cipher authorization.
    ANONYMOUS_PEER = Cproton::PN_SSL_ANONYMOUS_PEER
    # Require a valid certficate and matching name.
    VERIFY_PEER_NAME = Cproton::PN_SSL_VERIFY_PEER_NAME

    # @private
    include Util::ErrorHandler

    # @private
    attr_reader :impl

    # @private
    def initialize(mode)
      @impl = Cproton.pn_ssl_domain(mode)
      raise Qpid::Proton::SSLError, "SSL Unavailable" if @impl.nil?
    end

    # Set the certificate that identifies the local node to the remote.
    #
    # This certificate establishes the identity for thelocal node for all SSL
    # sessions created from this domain. It will be sent to the remote if the
    # remote needs to verify the dientify of this node. This may be used for
    # both SSL servers and SSL clients (if client authentication is required by
    # the server).
    #
    # *NOTE:* This setting affects only those instances of SSL created *after*
    # this call returns. SSL objects created before invoking this method will
    # use the domain's previous settings.
    #
    # @param cert_file [String] The filename containing the identify
    #  certificate. For OpenSSL users, this is a PEM file. For Windows SChannel
    #  users, this is the PKCS\#12 file or system store.
    # @param key_file [String] An option key to access the identifying
    #  certificate. For OpenSSL users, this is an optional PEM file containing
    #  the private key used to sign the certificate. For Windows SChannel users,
    #  this is the friendly name of the self-identifying certficate if there are
    #  multiple certfificates in the store.
    # @param password [String] The password used to sign the key, or *nil* if
    #  the key is not protected.
    #
    # @raise [SSLError] If an error occurs.
    #
    def credentials(cert_file, key_file, password)
      Cproton.pn_ssl_domain_set_credentials(@impl,
                                            cert_file, key_file, password)
    end

    # Configures the set of trusted CA certificates used by this domain to
    # verify peers.
    #
    # If the local SSL client/server needs to verify the identify of the remote,
    # it must validate the signature of the remote's certificate. This function
    # sets the database of trusted CAs that will be used to verify the signature
    # of the remote's certificate.
    #
    # *NOTE:# This setting affects only those SSL instances created *after* this
    # call returns. SSL objects created before invoking this method will use the
    # domain's previous setting.
    #
    # @param certificate_db [String] The filename for the databse of trusted
    #   CAs, used to authenticate the peer.
    #
    # @raise [SSLError] If an error occurs.
    #
    def trusted_ca_db(certificate_db)
      Cproton.pn_ssl_domain_set_trusted_ca_db(@impl, certificate_db)
    end

    # Configures the level of verification used on the peer certificate.
    #
    # This method congtrols how the peer's certificate is validated, if at all.
    # By default, servers do not attempt to verify their peers
    # (*ANONYMOUS_PEER*) but clients attempt to verify both the certificate and
    # peer name (*VERIFY_PEER_NAME*). Once certficates and trusted CAs are
    # configured, peer verification can be enabled.
    #
    # *NOTE:* In order to verify a peer, a trusted CA must be configured.
    #
    # *NOTE:* Servers must provide their own certficate when verifying a peer.
    #
    # *NOTE:* This setting affects only those SSL instances created after this
    # call returns. SSL instances created before invoking this method will use
    # the domain's previous setting.
    #
    # @param verify_mode [Integer] The level of validation to apply to the peer.
    # @param trusted_CAs [String] The path to a database of trusted CAs that
    #   the server will advertise to the peer client if the server has been
    #   configured to verify its peer.
    #
    # @see VERIFY_PEER
    # @see ANONYMOUS_PEER
    # @see VERIFY_PEER_NAME
    #
    # @raise [SSLError] If an error occurs.
    #
    def peer_authentication(verify_mode, trusted_CAs = nil)
      Cproton.pn_ssl_domain_set_peer_authentication(@impl,
                                                    verify_mode, trusted_CAs)
    end

    # Permit a server to accept connection requests from non-SSL clients.
    #
    # This configures the server to "sniff" the incomfing client data stream and
    # dynamically determine whether SSL/TLS is being used. This option is
    # disabled by default: only clients using SSL/TLS are accepted by default.
    #
    # @raise [SSLError] If an error occurs.
    #
    def allow_unsecured_client
      Cproton.pn_ssl_domain_allow_unsecured_client(@impl);
    end

    can_raise_error :credentials, :error_class => Qpid::Proton::SSLError
    can_raise_error :trusted_ca_db, :error_class => Qpid::Proton::SSLError
    can_raise_error :peer_authentication, :error_class => Qpid::Proton::SSLError
    can_raise_error :allow_unsecured_client, :error_class => Qpid::Proton::SSLError
  end
end