/* * Copyright (c) Facebook, Inc. and its affiliates. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #pragma once #include #include #include namespace folly { /** * CertificateIdentityVerifier implementations are used during TLS handshakes to * extract and verify end-entity certificate identities. AsyncSSLSocket first * performs OpenSSL certificate chain validation and then invokes any registered * HandshakeCB's handshakeVer() method. Only if both of these succeed, it then * calls the verifyLeaf method to further verify a peer's certificate. * * TLS connections must pass all these checks in order for an AsyncSSLSocket's * registered HandshakeCB to receive handshakeSuc(). * * Instances can be shared across AsyncSSLSockets so implementations should be * thread-safe. */ class CertificateIdentityVerifier { public: virtual ~CertificateIdentityVerifier() = default; /** * AsyncSSLSocket calls verifyLeaf() during a TLS handshake after chain * verification, only if certificate verification is required/requested, * with the peer's leaf certificate provided as an argument. * * Returns an Try with a CertificateIdentityVerifierException set if * verification fails. * * @param leafCertificate leaf X509 certificate of the connected peer */ FOLLY_NODISCARD virtual Try verifyLeaf( const AsyncTransportCertificate& leafCertificate) const noexcept = 0; }; /** * Base of exception hierarchy for CertificateIdentityVerifier failure reasons. */ class FOLLY_EXPORT CertificateIdentityVerifierException : public std::runtime_error { public: using std::runtime_error::runtime_error; }; } // namespace folly