Broker check certificate load error and perform periodic reloading

kleunen · kleunen · commit 996a3063f203 · 2021-01-04T21:31:11.000+01:00
diff --git a/example/CMakeLists.txt b/example/CMakeLists.txt
@@ -50,6 +50,11 @@ FOREACH (source_file ${exec_PROGRAMS})
     GET_FILENAME_COMPONENT (source_file_we ${source_file} NAME_WE)
     ADD_EXECUTABLE (${source_file_we} ${source_file})
     TARGET_LINK_LIBRARIES (${source_file_we} mqtt_cpp_iface)
+
+    IF (MSVC AND MQTT_USE_STATIC_OPENSSL)
+        TARGET_LINK_LIBRARIES (${source_file_we} Crypt32)
+    ENDIF ()
+
     IF (MQTT_USE_LOG)
         TARGET_COMPILE_DEFINITIONS (${source_file_we} PUBLIC $<IF:$<BOOL:${MQTT_USE_STATIC_BOOST}>,,BOOST_LOG_DYN_LINK>)
         TARGET_LINK_LIBRARIES (${source_file_we} Boost::log)
@@ -58,19 +63,16 @@ FOREACH (source_file ${exec_PROGRAMS})
     TARGET_LINK_LIBRARIES (${source_file_we} Boost::program_options)
 ENDFOREACH ()
 
-FILE(COPY ${CMAKE_CURRENT_SOURCE_DIR}/../example/broker.conf DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
+FILE(COPY ${CMAKE_CURRENT_SOURCE_DIR}/broker.conf DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
+FILE(COPY ${CMAKE_CURRENT_SOURCE_DIR}/../test/certs/mosquitto.org.crt DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
 FILE(COPY ${CMAKE_CURRENT_SOURCE_DIR}/../test/certs/server.crt.pem DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
 FILE(COPY ${CMAKE_CURRENT_SOURCE_DIR}/../test/certs/server.key.pem DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
 FILE(COPY ${CMAKE_CURRENT_SOURCE_DIR}/../test/certs/cacert.pem DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
 
 IF ("${CMAKE_CXX_COMPILER_ID}" STREQUAL "MSVC")
+   FILE(COPY ${CMAKE_CURRENT_SOURCE_DIR}/broker.conf DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/Release)
    FILE(COPY ${CMAKE_CURRENT_SOURCE_DIR}/../test/certs/mosquitto.org.crt DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/Release)
    FILE(COPY ${CMAKE_CURRENT_SOURCE_DIR}/../test/certs/server.crt.pem DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/Release)
    FILE(COPY ${CMAKE_CURRENT_SOURCE_DIR}/../test/certs/server.key.pem DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/Release)
    FILE(COPY ${CMAKE_CURRENT_SOURCE_DIR}/../test/certs/cacert.pem DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/Release)
-ELSE ()
-   FILE(COPY ${CMAKE_CURRENT_SOURCE_DIR}/../test/certs/mosquitto.org.crt DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
-   FILE(COPY ${CMAKE_CURRENT_SOURCE_DIR}/../test/certs/server.crt.pem DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
-   FILE(COPY ${CMAKE_CURRENT_SOURCE_DIR}/../test/certs/server.key.pem DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
-   FILE(COPY ${CMAKE_CURRENT_SOURCE_DIR}/../test/certs/cacert.pem DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
 ENDIF ()
diff --git a/example/broker.conf b/example/broker.conf
@@ -1,7 +1,7 @@
 # Default configuration for MQTT-CPP Broker
 verbose=1
-certificate=broker.crt.pem
-private_key=broker.key.pem
+certificate=server.crt.pem
+private_key=server.key.pem
 
 # Configuration for TCP 
 [tcp]
@@ -17,4 +17,4 @@ port=1883
 
 # Configuration for Websocket with TLS
 [wss]
-# port=10433
+# port=10443
diff --git a/example/broker.cpp b/example/broker.cpp
@@ -16,18 +16,45 @@
 #include <fstream>
 
 #if defined(MQTT_USE_TLS)
-boost::asio::ssl::context init_ctx(boost::program_options::variables_map const& vm)
+constexpr std::size_t certificate_reload_interval_seconds = 3600;
+
+template<typename ServerPtr>
+void reload_ctx(boost::asio::io_context &ioc, ServerPtr server, boost::program_options::variables_map const& vm, std::string const &name)
 {
+    MQTT_LOG("mqtt_broker", info) << "Reloading certificates for server " << name;
+
     if (vm.count("certificate") == 0 && vm.count("private_key") == 0) {
         throw std::runtime_error("TLS requested but certificate and/or private_key not specified");
     }
 
+    boost::system::error_code ec;
+    server->get_ssl_context().use_certificate_file(vm["certificate"].as<std::string>(), boost::asio::ssl::context::pem, ec);
+    if (ec) {
+        throw std::runtime_error("Failed to load certificate file: " + ec.message());
+    }
+
+    server->get_ssl_context().use_private_key_file(vm["private_key"].as<std::string>(), boost::asio::ssl::context::pem, ec);
+    if (ec) {
+        throw std::runtime_error("Failed to load private key file: " + ec.message());
+    }
+
+    auto reload_timer = std::make_shared<boost::asio::deadline_timer>(ioc, boost::posix_time::seconds(certificate_reload_interval_seconds));
+    reload_timer->async_wait([&, server = server, reload_timer = reload_timer, name = name](boost::system::error_code const &e) {
+        BOOST_ASSERT(!e || e == boost::asio::error::operation_aborted);
+
+        if(!e) {
+            reload_ctx(ioc, server, vm, name);
+        }
+    });
+}
+
+boost::asio::ssl::context init_ctx(boost::program_options::variables_map const& vm)
+{
     boost::asio::ssl::context ctx(boost::asio::ssl::context::tlsv12);
     ctx.set_options(
         boost::asio::ssl::context::default_workarounds |
         boost::asio::ssl::context::single_dh_use);
-    ctx.use_certificate_file(vm["certificate"].as<std::string>(), boost::asio::ssl::context::pem);
-    ctx.use_private_key_file(vm["private_key"].as<std::string>(), boost::asio::ssl::context::pem);
+
     return ctx;
 }
 #endif // defined(MQTT_USE_TLS)
@@ -51,16 +78,18 @@ void run_broker(boost::program_options::variables_map const& vm)
 #endif // defined(MQTT_USE_WS)
 
 #if defined(MQTT_USE_TLS)
-        std::unique_ptr<test_server_tls> s_tls;
+        std::shared_ptr<test_server_tls> s_tls;
         if (vm.count("tls.port")) {
-            s_tls = std::make_unique<test_server_tls>(ioc, init_ctx(vm), b, vm["tls.port"].as<uint16_t>());
+            s_tls = std::make_shared<test_server_tls>(ioc, init_ctx(vm), b, vm["tls.port"].as<uint16_t>());
+            reload_ctx(ioc, s_tls, vm, "TLS");
         }
 #endif // defined(MQTT_USE_TLS)
 
-#if defined(MQTT_USE_TLS) && defined(MQTT_USE_WS)
-        std::unique_ptr<test_server_tls_ws> s_tls_ws;
+#if defined(MQTT_USE_TLS) && defined(MQTT_USE_WS)        
+        std::shared_ptr<test_server_tls_ws> s_tls_ws;
         if (vm.count("wss.port")) {
-            s_tls_ws = std::make_unique<test_server_tls_ws>(ioc, init_ctx(vm), b, vm["wss.port"].as<uint16_t>());
+            s_tls_ws = std::make_shared<test_server_tls_ws>(ioc, init_ctx(vm), b, vm["wss.port"].as<uint16_t>());
+            reload_ctx(ioc, s_tls_ws, vm, "WSS");
         }
 #endif // defined(MQTT_USE_TLS) && defined(MQTT_USE_WS)
 
diff --git a/test/system/CMakeLists.txt b/test/system/CMakeLists.txt
@@ -83,6 +83,10 @@ FOREACH (source_file ${check_PROGRAMS})
     TARGET_LINK_LIBRARIES (
         ${source_file_we} mqtt_cpp_iface Boost::unit_test_framework
     )
+    IF (MSVC AND MQTT_USE_STATIC_OPENSSL)
+        TARGET_LINK_LIBRARIES (${source_file_we} Crypt32)
+    ENDIF ()
+
     IF (MQTT_USE_LOG)
         TARGET_COMPILE_DEFINITIONS (${source_file_we} PUBLIC $<IF:$<BOOL:${MQTT_USE_STATIC_BOOST}>,,BOOST_LOG_DYN_LINK>)
         TARGET_LINK_LIBRARIES (
diff --git a/test/system/test_server_tls.hpp b/test/system/test_server_tls.hpp
@@ -59,6 +59,22 @@ class test_server_tls {
         server_.close();
     }
 
+    /**
+     * @brief Get boost asio ssl context.
+     * @return ssl context
+     */
+    MQTT_NS::tls::context& get_ssl_context() {
+        return server_.get_ssl_context();
+    }
+
+    /**
+     * @brief Get boost asio ssl context.
+     * @return ssl context
+     */
+    MQTT_NS::tls::context const& get_ssl_context() const {
+        return server_.get_ssl_context();
+    }
+
 private:
     MQTT_NS::server_tls<> server_;
     MQTT_NS::broker::broker_t& b_;
diff --git a/test/system/test_server_tls_ws.hpp b/test/system/test_server_tls_ws.hpp
@@ -60,6 +60,22 @@ class test_server_tls_ws {
         server_.close();
     }
 
+    /**
+     * @brief Get boost asio ssl context.
+     * @return ssl context
+     */
+    MQTT_NS::tls::context& get_ssl_context() {
+        return server_.get_ssl_context();
+    }
+
+    /**
+     * @brief Get boost asio ssl context.
+     * @return ssl context
+     */
+    MQTT_NS::tls::context const& get_ssl_context() const {
+        return server_.get_ssl_context();
+    }
+
 private:
     MQTT_NS::server_tls_ws<> server_;
     MQTT_NS::broker::broker_t& b_;
diff --git a/test/unit/CMakeLists.txt b/test/unit/CMakeLists.txt
@@ -39,6 +39,10 @@ FOREACH (source_file ${check_PROGRAMS})
     TARGET_LINK_LIBRARIES (
         ${source_file_we} mqtt_cpp_iface Boost::unit_test_framework
     )
+    IF (MSVC AND MQTT_USE_STATIC_OPENSSL)
+        TARGET_LINK_LIBRARIES (${source_file_we} Crypt32)
+    ENDIF ()
+
     IF (MQTT_USE_LOG)
         TARGET_COMPILE_DEFINITIONS (${source_file_we} PUBLIC $<IF:$<BOOL:${MQTT_USE_STATIC_BOOST}>,,BOOST_LOG_DYN_LINK>)
         TARGET_LINK_LIBRARIES (
