TcpClientImpl support SSL client certificate (#190)

Author: marty1885

trantor/net/TcpClient.cc

@@ -206,11 +206,14 @@ void TcpClient::enableSSL(
     bool useOldTLS,
     bool validateCert,
     std::string hostname,
-    const std::vector<std::pair<std::string, std::string>> &sslConfCmds)
+    const std::vector<std::pair<std::string, std::string>> &sslConfCmds,
+    const std::string &certPath,
+    const std::string &keyPath)
 {
 #ifdef USE_OPENSSL
     /* Create a new OpenSSL context */
-    sslCtxPtr_ = newSSLContext(useOldTLS, validateCert, sslConfCmds);
+    sslCtxPtr_ = newSSLClientContext(
+        useOldTLS, validateCert, certPath, keyPath, sslConfCmds);
     validateCert_ = validateCert;
     if (!hostname.empty())
     {
@@ -228,6 +231,8 @@ void TcpClient::enableSSL(
     (void)validateCert;
     (void)hostname;
     (void)sslConfCmds;
+    (void)certPath;
+    (void)keyPath;
 
     LOG_FATAL << "OpenSSL is not found in your system!";
     abort();

trantor/net/TcpClient.h

@@ -199,14 +199,18 @@ class TRANTOR_EXPORT TcpClient : NonCopyable
      * not used.
      * @param sslConfCmds The commands used to call the SSL_CONF_cmd function in
      * OpenSSL.
+     * @param certPath The path of the certificate file.
+     * @param keyPath The path of the private key file.
      * @note It's well known that TLS 1.0 and 1.1 are not considered secure in
      * 2020. And it's a good practice to only use TLS 1.2 and above.
      */
     void enableSSL(bool useOldTLS = false,
                    bool validateCert = true,
                    std::string hostname = "",
                    const std::vector<std::pair<std::string, std::string>>
-                       &sslConfCmds = {});
+                       &sslConfCmds = {},
+                   const std::string &certPath = "",
+                   const std::string &keyPath = "");
 
   private:
     /// Not thread safe, but in loop

trantor/net/inner/TcpConnectionImpl.cc

@@ -347,6 +347,43 @@ std::shared_ptr<SSLContext> newSSLServerContext(
     }
     return ctx;
 }
+std::shared_ptr<SSLContext> newSSLClientContext(
+    bool useOldTLS,
+    bool validateCert,
+    const std::string &certPath,
+    const std::string &keyPath,
+    const std::vector<std::pair<std::string, std::string>> &sslConfCmds)
+{
+    auto ctx = newSSLContext(useOldTLS, validateCert, sslConfCmds);
+    if (certPath.empty() || keyPath.empty())
+        return ctx;
+
+    auto r = SSL_CTX_use_certificate_chain_file(ctx->get(), certPath.c_str());
+    char errbuf[BUFSIZ];
+    if (!r)
+    {
+        ERR_error_string_n(ERR_get_error(), errbuf, sizeof(errbuf));
+        LOG_FATAL << "Reading certificate: " << errbuf;
+        abort();
+    }
+    r = SSL_CTX_use_PrivateKey_file(ctx->get(),
+                                    keyPath.c_str(),
+                                    SSL_FILETYPE_PEM);
+    if (!r)
+    {
+        ERR_error_string_n(ERR_get_error(), errbuf, sizeof(errbuf));
+        LOG_FATAL << "Reading private key: " << errbuf;
+        abort();
+    }
+    r = SSL_CTX_check_private_key(ctx->get());
+    if (!r)
+    {
+        ERR_error_string_n(ERR_get_error(), errbuf, sizeof(errbuf));
+        LOG_FATAL << "Checking private key matches certificate: " << errbuf;
+        abort();
+    }
+    return ctx;
+}
 }  // namespace trantor
 #else
 namespace trantor

trantor/net/inner/TcpConnectionImpl.h

@@ -47,6 +47,13 @@ std::shared_ptr<SSLContext> newSSLServerContext(
     const std::string &keyPath,
     bool useOldTLS,
     const std::vector<std::pair<std::string, std::string>> &sslConfCmds);
+std::shared_ptr<SSLContext> newSSLClientContext(
+    bool useOldTLS,
+    bool validateCert,
+    const std::string &certPath = "",
+    const std::string &keyPath = "",
+    const std::vector<std::pair<std::string, std::string>> &sslConfCmds = {});
+
 // void initServerSSLContext(const std::shared_ptr<SSLContext> &ctx,
 //                           const std::string &certPath,
 //                           const std::string &keyPath);