1*ec63e07aSXin Li // Copyright 2020 Google LLC
2*ec63e07aSXin Li //
3*ec63e07aSXin Li // Licensed under the Apache License, Version 2.0 (the "License");
4*ec63e07aSXin Li // you may not use this file except in compliance with the License.
5*ec63e07aSXin Li // You may obtain a copy of the License at
6*ec63e07aSXin Li //
7*ec63e07aSXin Li // https://www.apache.org/licenses/LICENSE-2.0
8*ec63e07aSXin Li //
9*ec63e07aSXin Li // Unless required by applicable law or agreed to in writing, software
10*ec63e07aSXin Li // distributed under the License is distributed on an "AS IS" BASIS,
11*ec63e07aSXin Li // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12*ec63e07aSXin Li // See the License for the specific language governing permissions and
13*ec63e07aSXin Li // limitations under the License.
14*ec63e07aSXin Li
15*ec63e07aSXin Li // Sandboxed version of simplessl.c
16*ec63e07aSXin Li // HTTPS GET request
17*ec63e07aSXin Li
18*ec63e07aSXin Li #include <cstdlib>
19*ec63e07aSXin Li
20*ec63e07aSXin Li #include "../curl_util.h" // NOLINT(build/include)
21*ec63e07aSXin Li #include "../sandbox.h" // NOLINT(build/include)
22*ec63e07aSXin Li #include "curl_sapi.sapi.h" // NOLINT(build/include)
23*ec63e07aSXin Li #include "absl/strings/str_cat.h"
24*ec63e07aSXin Li #include "sandboxed_api/util/status_macros.h"
25*ec63e07aSXin Li
26*ec63e07aSXin Li namespace {
27*ec63e07aSXin Li
28*ec63e07aSXin Li class CurlSapiSandboxEx3 : public curl::CurlSapiSandbox {
29*ec63e07aSXin Li public:
CurlSapiSandboxEx3(std::string ssl_certificate,std::string ssl_key,std::string ca_certificates)30*ec63e07aSXin Li CurlSapiSandboxEx3(std::string ssl_certificate, std::string ssl_key,
31*ec63e07aSXin Li std::string ca_certificates)
32*ec63e07aSXin Li : ssl_certificate(std::move(ssl_certificate)),
33*ec63e07aSXin Li ssl_key(std::move(ssl_key)),
34*ec63e07aSXin Li ca_certificates(std::move(ca_certificates)) {}
35*ec63e07aSXin Li
36*ec63e07aSXin Li private:
ModifyPolicy(sandbox2::PolicyBuilder *)37*ec63e07aSXin Li std::unique_ptr<sandbox2::Policy> ModifyPolicy(
38*ec63e07aSXin Li sandbox2::PolicyBuilder*) override {
39*ec63e07aSXin Li // Add the syscalls and files missing in CurlSandbox to a new PolicyBuilder
40*ec63e07aSXin Li auto policy_builder = std::make_unique<sandbox2::PolicyBuilder>();
41*ec63e07aSXin Li (*policy_builder)
42*ec63e07aSXin Li .AllowGetPIDs()
43*ec63e07aSXin Li .AllowGetRandom()
44*ec63e07aSXin Li .AllowHandleSignals()
45*ec63e07aSXin Li .AddFile(ssl_certificate)
46*ec63e07aSXin Li .AddFile(ssl_key)
47*ec63e07aSXin Li .AddFile(ca_certificates);
48*ec63e07aSXin Li // Provide the new PolicyBuilder to ModifyPolicy in CurlSandbox
49*ec63e07aSXin Li return curl::CurlSapiSandbox::ModifyPolicy(policy_builder.get());
50*ec63e07aSXin Li }
51*ec63e07aSXin Li
52*ec63e07aSXin Li std::string ssl_certificate;
53*ec63e07aSXin Li std::string ssl_key;
54*ec63e07aSXin Li std::string ca_certificates;
55*ec63e07aSXin Li };
56*ec63e07aSXin Li
Example3(const std::string & ssl_certificate,const std::string & ssl_key,const std::string & ssl_key_password,const std::string & ca_certificates)57*ec63e07aSXin Li absl::Status Example3(const std::string& ssl_certificate,
58*ec63e07aSXin Li const std::string& ssl_key,
59*ec63e07aSXin Li const std::string& ssl_key_password,
60*ec63e07aSXin Li const std::string& ca_certificates) {
61*ec63e07aSXin Li // Initialize sandbox2 and sapi
62*ec63e07aSXin Li CurlSapiSandboxEx3 sandbox(ssl_certificate, ssl_key, ca_certificates);
63*ec63e07aSXin Li SAPI_RETURN_IF_ERROR(sandbox.Init());
64*ec63e07aSXin Li curl::CurlApi api(&sandbox);
65*ec63e07aSXin Li
66*ec63e07aSXin Li int curl_code;
67*ec63e07aSXin Li
68*ec63e07aSXin Li // Initialize curl (CURL_GLOBAL_DEFAULT = 3)
69*ec63e07aSXin Li SAPI_ASSIGN_OR_RETURN(curl_code, api.curl_global_init(3l));
70*ec63e07aSXin Li if (curl_code != 0) {
71*ec63e07aSXin Li return absl::UnavailableError(absl::StrCat(
72*ec63e07aSXin Li "curl_global_init failed: ", curl::StrError(&api, curl_code)));
73*ec63e07aSXin Li }
74*ec63e07aSXin Li
75*ec63e07aSXin Li // Initialize curl easy handle
76*ec63e07aSXin Li curl::CURL* curl_handle;
77*ec63e07aSXin Li SAPI_ASSIGN_OR_RETURN(curl_handle, api.curl_easy_init());
78*ec63e07aSXin Li sapi::v::RemotePtr curl(curl_handle);
79*ec63e07aSXin Li if (!curl_handle) {
80*ec63e07aSXin Li return absl::UnavailableError("curl_easy_init failed: Invalid curl handle");
81*ec63e07aSXin Li }
82*ec63e07aSXin Li
83*ec63e07aSXin Li // Specify URL to get (using HTTPS)
84*ec63e07aSXin Li sapi::v::ConstCStr url("https://example.com");
85*ec63e07aSXin Li SAPI_ASSIGN_OR_RETURN(
86*ec63e07aSXin Li curl_code,
87*ec63e07aSXin Li api.curl_easy_setopt_ptr(&curl, curl::CURLOPT_URL, url.PtrBefore()));
88*ec63e07aSXin Li if (curl_code != 0) {
89*ec63e07aSXin Li return absl::UnavailableError(absl::StrCat(
90*ec63e07aSXin Li "curl_easy_setopt_ptr failed: ", curl::StrError(&api, curl_code)));
91*ec63e07aSXin Li }
92*ec63e07aSXin Li
93*ec63e07aSXin Li // Set the SSL certificate type to "PEM"
94*ec63e07aSXin Li sapi::v::ConstCStr ssl_cert_type("PEM");
95*ec63e07aSXin Li SAPI_ASSIGN_OR_RETURN(
96*ec63e07aSXin Li curl_code, api.curl_easy_setopt_ptr(&curl, curl::CURLOPT_SSLCERTTYPE,
97*ec63e07aSXin Li ssl_cert_type.PtrBefore()));
98*ec63e07aSXin Li if (curl_code != 0) {
99*ec63e07aSXin Li return absl::UnavailableError(absl::StrCat(
100*ec63e07aSXin Li "curl_easy_setopt_ptr failed: ", curl::StrError(&api, curl_code)));
101*ec63e07aSXin Li }
102*ec63e07aSXin Li
103*ec63e07aSXin Li // Set the certificate for client authentication
104*ec63e07aSXin Li sapi::v::ConstCStr sapi_ssl_certificate(ssl_certificate.c_str());
105*ec63e07aSXin Li SAPI_ASSIGN_OR_RETURN(
106*ec63e07aSXin Li curl_code, api.curl_easy_setopt_ptr(&curl, curl::CURLOPT_SSLCERT,
107*ec63e07aSXin Li sapi_ssl_certificate.PtrBefore()));
108*ec63e07aSXin Li if (curl_code != 0) {
109*ec63e07aSXin Li return absl::UnavailableError(absl::StrCat(
110*ec63e07aSXin Li "curl_easy_setopt_ptr failed: ", curl::StrError(&api, curl_code)));
111*ec63e07aSXin Li }
112*ec63e07aSXin Li
113*ec63e07aSXin Li // Set the private key for client authentication
114*ec63e07aSXin Li sapi::v::ConstCStr sapi_ssl_key(ssl_key.c_str());
115*ec63e07aSXin Li SAPI_ASSIGN_OR_RETURN(curl_code,
116*ec63e07aSXin Li api.curl_easy_setopt_ptr(&curl, curl::CURLOPT_SSLKEY,
117*ec63e07aSXin Li sapi_ssl_key.PtrBefore()));
118*ec63e07aSXin Li if (curl_code != 0) {
119*ec63e07aSXin Li return absl::UnavailableError(absl::StrCat(
120*ec63e07aSXin Li "curl_easy_setopt_ptr failed: ", curl::StrError(&api, curl_code)));
121*ec63e07aSXin Li }
122*ec63e07aSXin Li
123*ec63e07aSXin Li // Set the password used to protect the private key
124*ec63e07aSXin Li sapi::v::ConstCStr sapi_ssl_key_password(ssl_key_password.c_str());
125*ec63e07aSXin Li SAPI_ASSIGN_OR_RETURN(
126*ec63e07aSXin Li curl_code, api.curl_easy_setopt_ptr(&curl, curl::CURLOPT_KEYPASSWD,
127*ec63e07aSXin Li sapi_ssl_key_password.PtrBefore()));
128*ec63e07aSXin Li if (curl_code != 0) {
129*ec63e07aSXin Li return absl::UnavailableError(absl::StrCat(
130*ec63e07aSXin Li "curl_easy_setopt_ptr failed: ", curl::StrError(&api, curl_code)));
131*ec63e07aSXin Li }
132*ec63e07aSXin Li
133*ec63e07aSXin Li // Set the file with the certificates vaildating the server
134*ec63e07aSXin Li sapi::v::ConstCStr sapi_ca_certificates(ca_certificates.c_str());
135*ec63e07aSXin Li SAPI_ASSIGN_OR_RETURN(
136*ec63e07aSXin Li curl_code, api.curl_easy_setopt_ptr(&curl, curl::CURLOPT_CAINFO,
137*ec63e07aSXin Li sapi_ca_certificates.PtrBefore()));
138*ec63e07aSXin Li if (curl_code != 0) {
139*ec63e07aSXin Li return absl::UnavailableError(absl::StrCat(
140*ec63e07aSXin Li "curl_easy_setopt_ptr failed: ", curl::StrError(&api, curl_code)));
141*ec63e07aSXin Li }
142*ec63e07aSXin Li
143*ec63e07aSXin Li // Verify the authenticity of the server
144*ec63e07aSXin Li SAPI_ASSIGN_OR_RETURN(
145*ec63e07aSXin Li curl_code,
146*ec63e07aSXin Li api.curl_easy_setopt_long(&curl, curl::CURLOPT_SSL_VERIFYPEER, 1L));
147*ec63e07aSXin Li if (curl_code != 0) {
148*ec63e07aSXin Li return absl::UnavailableError(absl::StrCat(
149*ec63e07aSXin Li "curl_easy_setopt_long failed: ", curl::StrError(&api, curl_code)));
150*ec63e07aSXin Li }
151*ec63e07aSXin Li
152*ec63e07aSXin Li // Perform the request
153*ec63e07aSXin Li SAPI_ASSIGN_OR_RETURN(curl_code, api.curl_easy_perform(&curl));
154*ec63e07aSXin Li if (curl_code != 0) {
155*ec63e07aSXin Li return absl::UnavailableError(absl::StrCat(
156*ec63e07aSXin Li "curl_easy_perform failed: ", curl::StrError(&api, curl_code)));
157*ec63e07aSXin Li }
158*ec63e07aSXin Li
159*ec63e07aSXin Li // Cleanup curl easy handle
160*ec63e07aSXin Li SAPI_RETURN_IF_ERROR(api.curl_easy_cleanup(&curl));
161*ec63e07aSXin Li
162*ec63e07aSXin Li // Cleanup curl
163*ec63e07aSXin Li SAPI_RETURN_IF_ERROR(api.curl_global_cleanup());
164*ec63e07aSXin Li
165*ec63e07aSXin Li return absl::OkStatus();
166*ec63e07aSXin Li }
167*ec63e07aSXin Li
168*ec63e07aSXin Li } // namespace
169*ec63e07aSXin Li
main(int argc,char * argv[])170*ec63e07aSXin Li int main(int argc, char* argv[]) {
171*ec63e07aSXin Li gflags::ParseCommandLineFlags(&argc, &argv, true);
172*ec63e07aSXin Li sapi::InitLogging(argv[0]);
173*ec63e07aSXin Li
174*ec63e07aSXin Li // Get input parameters (should be absolute paths)
175*ec63e07aSXin Li if (argc != 5) {
176*ec63e07aSXin Li LOG(ERROR) << "wrong number of arguments (4 expected)";
177*ec63e07aSXin Li return EXIT_FAILURE;
178*ec63e07aSXin Li }
179*ec63e07aSXin Li
180*ec63e07aSXin Li if (absl::Status status = Example3(argv[1], argv[2], argv[3], argv[4]);
181*ec63e07aSXin Li !status.ok()) {
182*ec63e07aSXin Li LOG(ERROR) << "Example3 failed: " << status.ToString();
183*ec63e07aSXin Li return EXIT_FAILURE;
184*ec63e07aSXin Li }
185*ec63e07aSXin Li
186*ec63e07aSXin Li return EXIT_SUCCESS;
187*ec63e07aSXin Li }
188