aboutsummaryrefslogtreecommitdiff
path: root/src/rpc/rpc_args.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'src/rpc/rpc_args.cpp')
-rw-r--r--src/rpc/rpc_args.cpp82
1 files changed, 80 insertions, 2 deletions
diff --git a/src/rpc/rpc_args.cpp b/src/rpc/rpc_args.cpp
index f2be94f51..4479bd1f1 100644
--- a/src/rpc/rpc_args.cpp
+++ b/src/rpc/rpc_args.cpp
@@ -33,28 +33,95 @@
#include <boost/bind.hpp>
#include "common/command_line.h"
#include "common/i18n.h"
+#include "hex.h"
namespace cryptonote
{
+ namespace
+ {
+ boost::optional<epee::net_utils::ssl_options_t> do_process_ssl(const boost::program_options::variables_map& vm, const rpc_args::descriptors& arg, const bool any_cert_option)
+ {
+ bool ssl_required = false;
+ epee::net_utils::ssl_options_t ssl_options = epee::net_utils::ssl_support_t::e_ssl_support_enabled;
+ if (any_cert_option && command_line::get_arg(vm, arg.rpc_ssl_allow_any_cert))
+ ssl_options.verification = epee::net_utils::ssl_verification_t::none;
+ else
+ {
+ std::string ssl_ca_file = command_line::get_arg(vm, arg.rpc_ssl_ca_certificates);
+ const std::vector<std::string> ssl_allowed_fingerprints = command_line::get_arg(vm, arg.rpc_ssl_allowed_fingerprints);
+
+ std::vector<std::vector<uint8_t>> allowed_fingerprints{ ssl_allowed_fingerprints.size() };
+ std::transform(ssl_allowed_fingerprints.begin(), ssl_allowed_fingerprints.end(), allowed_fingerprints.begin(), epee::from_hex::vector);
+ for (const auto &fpr: allowed_fingerprints)
+ {
+ if (fpr.size() != SSL_FINGERPRINT_SIZE)
+ {
+ MERROR("SHA-256 fingerprint should be " BOOST_PP_STRINGIZE(SSL_FINGERPRINT_SIZE) " bytes long.");
+ return boost::none;
+ }
+ }
+
+ if (!allowed_fingerprints.empty() || !ssl_ca_file.empty())
+ {
+ ssl_required = true;
+ ssl_options = epee::net_utils::ssl_options_t{
+ std::move(allowed_fingerprints), std::move(ssl_ca_file)
+ };
+
+ if (command_line::get_arg(vm, arg.rpc_ssl_allow_chained))
+ ssl_options.verification = epee::net_utils::ssl_verification_t::user_ca;
+ }
+ }
+
+ // user specified CA file or fingeprints implies enabled SSL by default
+ if (!ssl_required && !epee::net_utils::ssl_support_from_string(ssl_options.support, command_line::get_arg(vm, arg.rpc_ssl)))
+ {
+ MERROR("Invalid argument for " << std::string(arg.rpc_ssl.name));
+ return boost::none;
+ }
+
+ ssl_options.auth = epee::net_utils::ssl_authentication_t{
+ command_line::get_arg(vm, arg.rpc_ssl_private_key), command_line::get_arg(vm, arg.rpc_ssl_certificate)
+ };
+
+ return {std::move(ssl_options)};
+ }
+ } // anonymous
+
rpc_args::descriptors::descriptors()
: rpc_bind_ip({"rpc-bind-ip", rpc_args::tr("Specify IP to bind RPC server"), "127.0.0.1"})
, rpc_login({"rpc-login", rpc_args::tr("Specify username[:password] required for RPC server"), "", true})
, confirm_external_bind({"confirm-external-bind", rpc_args::tr("Confirm rpc-bind-ip value is NOT a loopback (local) IP")})
, rpc_access_control_origins({"rpc-access-control-origins", rpc_args::tr("Specify a comma separated list of origins to allow cross origin resource sharing"), ""})
+ , rpc_ssl({"rpc-ssl", rpc_args::tr("Enable SSL on RPC connections: enabled|disabled|autodetect"), "autodetect"})
+ , rpc_ssl_private_key({"rpc-ssl-private-key", rpc_args::tr("Path to a PEM format private key"), ""})
+ , rpc_ssl_certificate({"rpc-ssl-certificate", rpc_args::tr("Path to a PEM format certificate"), ""})
+ , rpc_ssl_ca_certificates({"rpc-ssl-ca-certificates", rpc_args::tr("Path to file containing concatenated PEM format certificate(s) to replace system CA(s)."), ""})
+ , rpc_ssl_allowed_fingerprints({"rpc-ssl-allowed-fingerprints", rpc_args::tr("List of certificate fingerprints to allow")})
+ , rpc_ssl_allow_chained({"rpc-ssl-allow-chained", rpc_args::tr("Allow user (via --rpc-ssl-certificates) chain certificates"), false})
+ , rpc_ssl_allow_any_cert({"rpc-ssl-allow-any-cert", rpc_args::tr("Allow any peer certificate"), false})
{}
const char* rpc_args::tr(const char* str) { return i18n_translate(str, "cryptonote::rpc_args"); }
- void rpc_args::init_options(boost::program_options::options_description& desc)
+ void rpc_args::init_options(boost::program_options::options_description& desc, const bool any_cert_option)
{
const descriptors arg{};
command_line::add_arg(desc, arg.rpc_bind_ip);
command_line::add_arg(desc, arg.rpc_login);
command_line::add_arg(desc, arg.confirm_external_bind);
command_line::add_arg(desc, arg.rpc_access_control_origins);
+ command_line::add_arg(desc, arg.rpc_ssl);
+ command_line::add_arg(desc, arg.rpc_ssl_private_key);
+ command_line::add_arg(desc, arg.rpc_ssl_certificate);
+ command_line::add_arg(desc, arg.rpc_ssl_ca_certificates);
+ command_line::add_arg(desc, arg.rpc_ssl_allowed_fingerprints);
+ command_line::add_arg(desc, arg.rpc_ssl_allow_chained);
+ if (any_cert_option)
+ command_line::add_arg(desc, arg.rpc_ssl_allow_any_cert);
}
- boost::optional<rpc_args> rpc_args::process(const boost::program_options::variables_map& vm)
+ boost::optional<rpc_args> rpc_args::process(const boost::program_options::variables_map& vm, const bool any_cert_option)
{
const descriptors arg{};
rpc_args config{};
@@ -118,6 +185,17 @@ namespace cryptonote
config.access_control_origins = std::move(access_control_origins);
}
+ auto ssl_options = do_process_ssl(vm, arg, any_cert_option);
+ if (!ssl_options)
+ return boost::none;
+ config.ssl_options = std::move(*ssl_options);
+
return {std::move(config)};
}
+
+ boost::optional<epee::net_utils::ssl_options_t> rpc_args::process_ssl(const boost::program_options::variables_map& vm, const bool any_cert_option)
+ {
+ const descriptors arg{};
+ return do_process_ssl(vm, arg, any_cert_option);
+ }
}