Add options to verify SSL certificate

Author: attah

lib/curlrequester.cpp

@@ -6,7 +6,7 @@
 #include <cstring>
 #include <thread>
 
-CurlRequester::CurlRequester(const std::string& addr, bool ignoreSslErrors)
+CurlRequester::CurlRequester(const std::string& addr, const SslConfig& sslConfig)
   : _curl(curl_easy_init())
 {
   bool debugEnabled = LogController::instance().isEnabled(LogController::Debug);
@@ -15,13 +15,18 @@ CurlRequester::CurlRequester(const std::string& addr, bool ignoreSslErrors)
   curl_easy_setopt(_curl, CURLOPT_CONNECTTIMEOUT_MS, 2000);
   curl_easy_setopt(_curl, CURLOPT_FAILONERROR, 1);
 
-  if(ignoreSslErrors)
+  if(!sslConfig.verifySsl)
   {
     curl_easy_setopt(_curl, CURLOPT_SSL_VERIFYPEER, 0L);
     curl_easy_setopt(_curl, CURLOPT_SSL_VERIFYHOST, 0L);
     curl_easy_setopt(_curl, CURLOPT_SSL_VERIFYSTATUS, 0L);
   }
 
+  if(sslConfig.pinnedPublicKey != "")
+  {
+    curl_easy_setopt(_curl, CURLOPT_PINNEDPUBLICKEY, sslConfig.pinnedPublicKey.c_str());
+  }
+
   _opts = nullptr;
 #ifdef USER_AGENT
   _opts = curl_slist_append(_opts, "User-Agent: " USER_AGENT);
@@ -179,8 +184,8 @@ std::string http_url(const std::string& str)
   return url.toStr();
 }
 
-CurlIppPosterBase::CurlIppPosterBase(const std::string& addr, bool ignoreSslErrors)
-  : CurlRequester(http_url(addr), ignoreSslErrors)
+CurlIppPosterBase::CurlIppPosterBase(const std::string& addr, const SslConfig& sslConfig)
+  : CurlRequester(http_url(addr), sslConfig)
 {
   _canWrite.unlock();
   _canRead.lock();
@@ -208,23 +213,23 @@ CURLcode CurlIppPosterBase::await(Bytestream* data)
   return CurlRequester::await(data);
 }
 
-CurlIppPoster::CurlIppPoster(const std::string& addr, Bytestream&& data, bool ignoreSslErrors)
-  : CurlIppPosterBase(addr, ignoreSslErrors)
+CurlIppPoster::CurlIppPoster(const std::string& addr, Bytestream&& data, const SslConfig& sslConfig)
+  : CurlIppPosterBase(addr, sslConfig)
 {
   curl_easy_setopt(_curl, CURLOPT_POSTFIELDSIZE, data.size());
   write(std::move(data));
   doRun();
 }
 
-CurlIppStreamer::CurlIppStreamer(const std::string& addr, bool ignoreSslErrors)
-  : CurlIppPosterBase(addr, ignoreSslErrors)
+CurlIppStreamer::CurlIppStreamer(const std::string& addr, const SslConfig& sslConfig)
+  : CurlIppPosterBase(addr, sslConfig)
 {
   _opts = curl_slist_append(_opts, "Transfer-Encoding: chunked");
   doRun();
 }
 
-CurlHttpGetter::CurlHttpGetter(const std::string& addr, bool ignoreSslErrors)
-  : CurlRequester(addr, ignoreSslErrors)
+CurlHttpGetter::CurlHttpGetter(const std::string& addr, const SslConfig& sslConfig)
+  : CurlRequester(addr, sslConfig)
 {
   doRun();
 }

lib/curlrequester.h

@@ -21,6 +21,12 @@ enum class Compression
   Gzip
 };
 
+struct SslConfig
+{
+  bool verifySsl = true;
+  std::string pinnedPublicKey;
+};
+
 class CurlRequester
 {
 public:
@@ -33,7 +39,7 @@ class CurlRequester
 
 protected:
 
-  CurlRequester(const std::string& addr, bool ignoreSslErrors);
+  CurlRequester(const std::string& addr, const SslConfig& sslConfig=SslConfig());
 
   void doRun();
 
@@ -94,7 +100,7 @@ class CurlIppPosterBase : public CurlRequester
   }
 
 protected:
-  CurlIppPosterBase(const std::string& addr, bool ignoreSslErrors);
+  CurlIppPosterBase(const std::string& addr, const SslConfig& sslConfig=SslConfig());
 
 private:
   std::mutex _canWrite;
@@ -106,19 +112,19 @@ class CurlIppPosterBase : public CurlRequester
 class CurlIppPoster : public CurlIppPosterBase
 {
 public:
-  CurlIppPoster(const std::string& addr, Bytestream&& data, bool ignoreSslErrors = false);
+  CurlIppPoster(const std::string& addr, Bytestream&& data, const SslConfig& sslConfig=SslConfig());
 };
 
 class CurlIppStreamer : public CurlIppPosterBase
 {
 public:
-  CurlIppStreamer(const std::string& addr, bool ignoreSslErrors = false);
+  CurlIppStreamer(const std::string& addr, const SslConfig& sslConfig=SslConfig());
 };
 
 class CurlHttpGetter : public CurlRequester
 {
 public:
-  CurlHttpGetter(const std::string& addr, bool ignoreSslErrors = false);
+  CurlHttpGetter(const std::string& addr, const SslConfig& sslConfig=SslConfig());
 };
 
 #endif // CURLREQUESTER_H

lib/ippprinter.cpp

@@ -2,13 +2,12 @@
 
 #include "configdir.h"
 #include "log.h"
-#include "curlrequester.h"
 #include "stringutils.h"
 
 #include <filesystem>
 
-IppPrinter::IppPrinter(std::string addr, bool ignoreSslErrors)
-: _addr(std::move(addr)), _ignoreSslErrors(ignoreSslErrors)
+IppPrinter::IppPrinter(std::string addr, SslConfig sslConfig)
+: _addr(std::move(addr)), _sslConfig(std::move(sslConfig))
 {
   _error = refresh();
 }
@@ -141,7 +140,7 @@ Error IppPrinter::doPrint(IppPrintJob& job, const std::string& inFile, Bytestrea
                           const Converter::ConvertFun& convertFun, const ProgressFun& progressFun)
 {
   Error error;
-  CurlIppStreamer cr(_addr, true);
+  CurlIppStreamer cr(_addr, _sslConfig);
   cr.write(std::move(hdr));
 
   if(job.compression.get() == "gzip")
@@ -531,7 +530,7 @@ Error IppPrinter::_doRequest(const IppMsg& req, IppMsg& resp) const
   }
   DBG(<< "Printer attrs: " << req.getPrinterAttrs().toJSON().dump());
 
-  CurlIppPoster reqPoster(_addr, req.encode(), _ignoreSslErrors);
+  CurlIppPoster reqPoster(_addr, req.encode(), _sslConfig);
   Bytestream respBts;
   CURLcode res0 = reqPoster.await(&respBts);
   if(res0 == CURLE_OK)

lib/ippprinter.h

@@ -2,6 +2,7 @@
 #define IPPPRINTER_H
 
 #include "converter.h"
+#include "curlrequester.h"
 #include "error.h"
 #include "ippattr.h"
 #include "ippmsg.h"
@@ -38,7 +39,7 @@ class IppPrinter
     std::string stateMessage;
   };
 
-  IppPrinter(std::string addr, bool ignoreSslErrors=true);
+  IppPrinter(std::string addr, SslConfig sslConfig);
   IppPrinter(IppAttrs printerAttrs) : _printerAttrs(std::move(printerAttrs))
   {}
   Error refresh();
@@ -106,7 +107,7 @@ class IppPrinter
   void _applyOverrides();
 
   std::string _addr;
-  bool _ignoreSslErrors = true;
+  SslConfig _sslConfig;
   bool _printJobId = false;
 
   Error _error;

utils/ippclient.cpp

@@ -159,8 +159,11 @@ int main(int argc, char** argv)
 {
   bool help = false;
   bool verbose = false;
+  bool verifySsl = false;
+  std::string pinnedPublicKey;
   bool force = false;
   bool oneStage = false;
+
   std::string pages;
   int copies;
   std::string collatedCopies;
@@ -199,6 +202,8 @@ int main(int argc, char** argv)
 
   SwitchArg<bool> helpOpt(help, {"-h", "--help"}, "Print this help text");
   SwitchArg<bool> verboseOpt(verbose, {"-v", "--verbose"}, "Be verbose, print headers and progress");
+  SwitchArg<bool> verifySslOpt(verifySsl, {"--verify-ssl"}, "Verify the printer's SSL cerificate");
+  SwitchArg<std::string> pinnedPublicKeyOpt(pinnedPublicKey, {"--ssl-pubkey"}, "Require a certain SSL public key to match");
   SwitchArg<bool> forceOpt(force, {"-f", "--force"}, "Force use of unsupported options");
   SwitchArg<bool> oneStageOpt(oneStage, {"--one-stage"}, "Force use of one-stage print job");
 
@@ -248,7 +253,7 @@ int main(int argc, char** argv)
   PosArg attrsArg(attrs, "name=value[,name=value]");
   PosArg pdfArg(inFile, "input file");
 
-  SubArgGet args({&helpOpt, &verboseOpt},
+  SubArgGet args({&helpOpt, &verboseOpt, &verifySslOpt, &pinnedPublicKeyOpt},
                  {{"info", {{},
                             {&addrArg}}},
                   {"identify", {{},
@@ -288,7 +293,19 @@ int main(int argc, char** argv)
     LogController::instance().enable(LogController::Debug);
   }
 
-  IppPrinter printer(addr);
+  if(verifySslOpt.isSet() && !string_starts_with(addr, "ipps://"))
+  {
+    std::cerr << "--verify-ssl given, but address is not ipps." << std::endl;
+    return 1;
+  }
+
+  if(pinnedPublicKeyOpt.isSet() && !string_starts_with(addr, "ipps://"))
+  {
+    std::cerr << "--ssl-pubkey given, but address is not ipps." << std::endl;
+    return 1;
+  }
+
+  IppPrinter printer(addr, {verifySsl, pinnedPublicKey});
   Error error = printer.error();
   if(error)
   {