Allow the peer's validated certificate chain to be returned in the custom verification handler (#553)

Motivation:

Users are currently able to register a custom callback in
`NIOSSLClientHandler` and `NIOSSLServerHandler` for verifiying the
certificates presented by the peer. However, there is no mechanism for
storing additional metadata for future use. This change adds support for
the peer's validated certificate chain to be returned from the custom
verification callback and later be accessed from the handler.

Modifications:

- Added a new custom verification callback type
`NIOSSLCustomVerificationCallbackWithMetadata`.
- This type is identical to the existing
`NIOSSLCustomVerificationCallback`, with the exception that callers must
complete the callback with a `NIOSSLVerificationResultWithMetadata`
(also introduced in this change). This result type can either be
initialized with no fields, or with a validated certificate chain.
- Added properties/methods to `NIOSSLHandler`, `Channel`, and
`ChannelPipeline` for accessing the validated certificate chain.

Result:

Users are now able to store the peer's validated certificate chain from
the custom verification callback and use the result downstream.

Author: aryan-25

Sources/NIOSSL/NIOSSLClientHandler.swift

@@ -67,7 +67,7 @@ public final class NIOSSLClientHandler: NIOSSLHandler {
         try self.init(
             context: context,
             serverHostname: serverHostname,
-            optionalCustomVerificationCallback: nil,
+            optionalCustomVerificationCallbackManager: nil,
             optionalAdditionalPeerCertificateVerificationCallback: nil
         )
     }
@@ -119,6 +119,10 @@ public final class NIOSSLClientHandler: NIOSSLHandler {
     ///
     ///         If set, this callback is provided the certificates presented by the peer. NIOSSL will not have pre-processed them. The callback will not be used if the
     ///         ``TLSConfiguration`` that was used to construct the ``NIOSSLContext`` has ``TLSConfiguration/certificateVerification`` set to ``CertificateVerification/none``.
+    ///
+    /// - Note: Use ``init(context:serverHostname:customVerificationCallbackWithMetadata:)`` to provide a custom
+    ///   verification callback where the peer's *validated* certificate chain can be returned. This data can then be
+    ///   accessed from the handler.
     public convenience init(
         context: NIOSSLContext,
         serverHostname: String?,
@@ -127,7 +131,39 @@ public final class NIOSSLClientHandler: NIOSSLHandler {
         try self.init(
             context: context,
             serverHostname: serverHostname,
-            optionalCustomVerificationCallback: customVerificationCallback,
+            optionalCustomVerificationCallbackManager: CustomVerifyManager(callback: customVerificationCallback),
+            optionalAdditionalPeerCertificateVerificationCallback: nil
+        )
+    }
+
+    /// Construct a new ``NIOSSLClientHandler`` with the given `context` and a specific `serverHostname`.
+    ///
+    /// - parameters:
+    ///     - context: The ``NIOSSLContext`` to use on this connection.
+    ///     - serverHostname: The hostname of the server we're trying to connect to, if known. This will be used in the SNI extension,
+    ///         and used to validate the server certificate.
+    ///     - customVerificationCallbackWithMetadata: A callback to use that will override NIOSSL's normal verification
+    ///         logic. If validation is successful, the peer's validated certificate chain can be returned, and later
+    ///         accessed via ``NIOSSLHandler/peerValidatedCertificateChain``. The callback will not be used if the
+    ///         ``TLSConfiguration`` that was used to construct the ``NIOSSLContext`` has
+    ///         ``TLSConfiguration/certificateVerification`` set to ``CertificateVerification/none``.
+    ///
+    ///       - This callback is provided the certificates presented by the peer. NIOSSL will not have pre-processed
+    ///       them. Therefore, a validated chain must be derived *within* this callback (potentially involving fetching
+    ///       additional intermediate certificates). The *validated* certificate chain returned in the promise result
+    ///       **must** be a verified path to a trusted root. Importantly, the certificates presented by the peer should
+    ///       not be assumed to be valid.
+    public convenience init(
+        context: NIOSSLContext,
+        serverHostname: String?,
+        customVerificationCallbackWithMetadata: @escaping NIOSSLCustomVerificationCallbackWithMetadata
+    ) throws {
+        try self.init(
+            context: context,
+            serverHostname: serverHostname,
+            optionalCustomVerificationCallbackManager: CustomVerifyManager(
+                callback: customVerificationCallbackWithMetadata
+            ),
             optionalAdditionalPeerCertificateVerificationCallback: nil
         )
     }
@@ -143,6 +179,10 @@ public final class NIOSSLClientHandler: NIOSSLHandler {
     ///         If set, this callback is provided the certificates presented by the peer. NIOSSL will not have pre-processed them. The callback will not be used if the
     ///         ``TLSConfiguration`` that was used to construct the ``NIOSSLContext`` has ``TLSConfiguration/certificateVerification`` set to ``CertificateVerification/none``.
     ///     - configuration: Configuration for this handler.
+    ///
+    /// - Note: Use ``init(context:serverHostname:configuration:customVerificationCallbackWithMetadata:)`` to provide a
+    ///   custom verification callback where the peer's *validated* certificate chain can be returned. This data can
+    ///   then be accessed from the handler.
     public convenience init(
         context: NIOSSLContext,
         serverHostname: String?,
@@ -152,7 +192,42 @@ public final class NIOSSLClientHandler: NIOSSLHandler {
         try self.init(
             context: context,
             serverHostname: serverHostname,
-            optionalCustomVerificationCallback: customVerificationCallback,
+            optionalCustomVerificationCallbackManager: customVerificationCallback.map(CustomVerifyManager.init),
+            optionalAdditionalPeerCertificateVerificationCallback: nil,
+            configuration: configuration
+        )
+    }
+
+    /// Construct a new ``NIOSSLClientHandler`` with the given `context` and a specific `serverHostname`.
+    ///
+    /// - parameters:
+    ///     - context: The ``NIOSSLContext`` to use on this connection.
+    ///     - serverHostname: The hostname of the server we're trying to connect to, if known. This will be used in the SNI extension,
+    ///         and used to validate the server certificate.
+    ///     - configuration: Configuration for this handler.
+    ///     - customVerificationCallbackWithMetadata: A callback to use that will override NIOSSL's normal verification
+    ///         logic. If validation is successful, the peer's validated certificate chain can be returned, and later
+    ///         accessed via ``NIOSSLHandler/peerValidatedCertificateChain``. The callback will not be used if the
+    ///         ``TLSConfiguration`` that was used to construct the ``NIOSSLContext`` has
+    ///         ``TLSConfiguration/certificateVerification`` set to ``CertificateVerification/none``.
+    ///
+    ///       - This callback is provided the certificates presented by the peer. NIOSSL will not have pre-processed
+    ///       them. Therefore, a validated chain must be derived *within* this callback (potentially involving fetching
+    ///       additional intermediate certificates). The *validated* certificate chain returned in the promise result
+    ///       **must** be a verified path to a trusted root. Importantly, the certificates presented by the peer should
+    ///       not be assumed to be valid.
+    public convenience init(
+        context: NIOSSLContext,
+        serverHostname: String?,
+        configuration: Configuration,
+        customVerificationCallbackWithMetadata: @escaping NIOSSLCustomVerificationCallbackWithMetadata
+    ) throws {
+        try self.init(
+            context: context,
+            serverHostname: serverHostname,
+            optionalCustomVerificationCallbackManager: CustomVerifyManager(
+                callback: customVerificationCallbackWithMetadata
+            ),
             optionalAdditionalPeerCertificateVerificationCallback: nil,
             configuration: configuration
         )
@@ -167,7 +242,7 @@ public final class NIOSSLClientHandler: NIOSSLHandler {
         try .init(
             context: context,
             serverHostname: serverHostname,
-            optionalCustomVerificationCallback: nil,
+            optionalCustomVerificationCallbackManager: nil,
             optionalAdditionalPeerCertificateVerificationCallback: additionalPeerCertificateVerificationCallback
         )
     }
@@ -176,7 +251,7 @@ public final class NIOSSLClientHandler: NIOSSLHandler {
     internal init(
         context: NIOSSLContext,
         serverHostname: String?,
-        optionalCustomVerificationCallback: NIOSSLCustomVerificationCallback?,
+        optionalCustomVerificationCallbackManager: CustomVerifyManager?,
         optionalAdditionalPeerCertificateVerificationCallback: _NIOAdditionalPeerCertificateVerificationCallback?,
         maxWriteSize: Int = defaultMaxWriteSize,
         configuration: Configuration = .init()
@@ -199,8 +274,8 @@ public final class NIOSSLClientHandler: NIOSSLHandler {
             }
         }
 
-        if let verificationCallback = optionalCustomVerificationCallback {
-            connection.setCustomVerificationCallback(CustomVerifyManager(callback: verificationCallback))
+        if let verificationCallbackManager = optionalCustomVerificationCallbackManager {
+            connection.setCustomVerificationCallback(verificationCallbackManager)
         }
 
         super.init(

Sources/NIOSSL/NIOSSLHandler.swift

@@ -817,6 +817,26 @@ extension NIOSSLHandler {
     public var peerCertificate: NIOSSLCertificate? {
         self.connection.getPeerCertificate()
     }
+
+    /// Return the *validated* certificate chain from the verified peer after handshake has completed.
+    ///
+    /// This property will only contain a value if the handler was initialized with a custom certificate verification
+    /// callback (``NIOSSLCustomVerificationCallbackWithMetadata``) *and* if the promise in the callback was
+    /// successfully completed with ``NIOSSLVerificationResultWithMetadata/certificateVerified(_:)`` (containing a
+    /// ``VerificationMetadata`` instance with a ``ValidatedCertificateChain``). If either of these conditions are not
+    /// met, this property will be `nil`.
+    ///
+    /// To create a `NIOSSLClientHandler` handler with a custom verification callback that can return the certificate
+    /// chain, use:
+    /// - ``NIOSSLClientHandler/init(context:serverHostname:customVerificationCallbackWithMetadata:)`` or
+    /// - ``NIOSSLClientHandler/init(context:serverHostname:configuration:customVerificationCallbackWithMetadata:)``
+    /// For `NIOSSLServerHandler`, use:
+    /// - ``NIOSSLServerHandler/init(context:customVerificationCallbackWithMetadata:)`` or
+    /// - ``NIOSSLServerHandler/init(context:configuration:customVerificationCallbackWithMetadata:)``
+    ///
+    public var peerValidatedCertificateChain: ValidatedCertificateChain? {
+        self.connection.customVerificationManager?.verificationMetadata?.validatedCertificateChain
+    }
 }
 
 extension Channel {
@@ -834,6 +854,12 @@ extension Channel {
         }
     }
 
+    /// API to retrieve the *validated* certificate chain of the peer. See ``NIOSSLHandler/peerValidatedCertificateChain``.
+    public func nioSSL_peerValidatedCertificateChain() -> EventLoopFuture<ValidatedCertificateChain?> {
+        self.pipeline.handler(type: NIOSSLHandler.self).map {
+            $0.peerValidatedCertificateChain
+        }
+    }
 }
 
 extension ChannelPipeline.SynchronousOperations {
@@ -848,6 +874,12 @@ extension ChannelPipeline.SynchronousOperations {
         let handler = try self.handler(type: NIOSSLHandler.self)
         return handler.peerCertificate
     }
+
+    /// API to retrieve the *validated* certificate chain of the peer. See ``NIOSSLHandler/peerValidatedCertificateChain``.
+    public func nioSSL_peerValidatedCertificateChain() throws -> ValidatedCertificateChain? {
+        let handler = try self.handler(type: NIOSSLHandler.self)
+        return handler.peerValidatedCertificateChain
+    }
 }
 
 // MARK:- Extension APIs for users.

Sources/NIOSSL/NIOSSLServerHandler.swift

@@ -25,7 +25,7 @@ public final class NIOSSLServerHandler: NIOSSLHandler {
     public convenience init(context: NIOSSLContext) {
         self.init(
             context: context,
-            optionalCustomVerificationCallback: nil,
+            optionalCustomVerificationCallbackManager: nil,
             optionalAdditionalPeerCertificateVerificationCallback: nil
         )
     }
@@ -59,13 +59,45 @@ public final class NIOSSLServerHandler: NIOSSLHandler {
     ///
     ///         If set, this callback is provided the certificates presented by the peer. NIOSSL will not have pre-processed them. The callback will not be used if the
     ///         ``TLSConfiguration`` that was used to construct the ``NIOSSLContext`` has ``TLSConfiguration/certificateVerification`` set to ``CertificateVerification/none``.
+    ///
+    /// - Note: Use ``init(context:customVerificationCallbackWithMetadata:)`` to provide a custom verification
+    ///   callback where the peer's *validated* certificate chain can be returned. This data can then be accessed from
+    ///   the handler.
     public convenience init(
         context: NIOSSLContext,
         customVerificationCallback: @escaping NIOSSLCustomVerificationCallback
     ) {
         self.init(
             context: context,
-            optionalCustomVerificationCallback: customVerificationCallback,
+            optionalCustomVerificationCallbackManager: CustomVerifyManager(callback: customVerificationCallback),
+            optionalAdditionalPeerCertificateVerificationCallback: nil
+        )
+    }
+
+    /// Construct a new ``NIOSSLServerHandler`` with the given `context` and a specific `serverHostname`.
+    ///
+    /// - parameters:
+    ///     - context: The ``NIOSSLContext`` to use on this connection.
+    ///     - customVerificationCallbackWithMetadata: A callback to use that will override NIOSSL's normal verification
+    ///         logic. If validation is successful, the peer's validated certificate chain can be returned, and later
+    ///         accessed via ``NIOSSLHandler/peerValidatedCertificateChain``. The callback will not be used if the
+    ///         ``TLSConfiguration`` that was used to construct the ``NIOSSLContext`` has
+    ///         ``TLSConfiguration/certificateVerification`` set to ``CertificateVerification/none``.
+    ///
+    ///       - This callback is provided the certificates presented by the peer. NIOSSL will not have pre-processed
+    ///       them. Therefore, a validated chain must be derived *within* this callback (potentially involving fetching
+    ///       additional intermediate certificates). The *validated* certificate chain returned in the promise result
+    ///       **must** be a verified path to a trusted root. Importantly, the certificates presented by the peer should
+    ///       not be assumed to be valid.
+    public convenience init(
+        context: NIOSSLContext,
+        customVerificationCallbackWithMetadata: @escaping NIOSSLCustomVerificationCallbackWithMetadata
+    ) {
+        self.init(
+            context: context,
+            optionalCustomVerificationCallbackManager: CustomVerifyManager(
+                callback: customVerificationCallbackWithMetadata
+            ),
             optionalAdditionalPeerCertificateVerificationCallback: nil
         )
     }
@@ -79,14 +111,49 @@ public final class NIOSSLServerHandler: NIOSSLHandler {
     ///         If set, this callback is provided the certificates presented by the peer. NIOSSL will not have pre-processed them. The callback will not be used if the
     ///         ``TLSConfiguration`` that was used to construct the ``NIOSSLContext`` has ``TLSConfiguration/certificateVerification`` set to ``CertificateVerification/none``.
     ///     - configuration: Configuration for this handler.
+    ///
+    /// - Note: Use ``init(context:configuration:customVerificationCallbackWithMetadata:)`` to provide a custom
+    ///   verification callback where the peer's *validated* certificate chain can be returned. This data can then be
+    ///   accessed from the handler.
     public convenience init(
         context: NIOSSLContext,
         customVerificationCallback: NIOSSLCustomVerificationCallback? = nil,
         configuration: Configuration
     ) {
         self.init(
             context: context,
-            optionalCustomVerificationCallback: customVerificationCallback,
+            optionalCustomVerificationCallbackManager: customVerificationCallback.map(CustomVerifyManager.init),
+            optionalAdditionalPeerCertificateVerificationCallback: nil,
+            configuration: configuration
+        )
+    }
+
+    /// Construct a new ``NIOSSLServerHandler`` with the given `context` and a specific `serverHostname`.
+    ///
+    /// - parameters:
+    ///     - context: The ``NIOSSLContext`` to use on this connection.
+    ///     - configuration: Configuration for this handler.
+    ///     - customVerificationCallbackWithMetadata: A callback to use that will override NIOSSL's normal verification
+    ///         logic. If validation is successful, the peer's validated certificate chain can be returned, and later
+    ///         accessed via ``NIOSSLHandler/peerValidatedCertificateChain``. The callback will not be used if the
+    ///         ``TLSConfiguration`` that was used to construct the ``NIOSSLContext`` has
+    ///         ``TLSConfiguration/certificateVerification`` set to ``CertificateVerification/none``.
+    ///
+    ///       - This callback is provided the certificates presented by the peer. NIOSSL will not have pre-processed
+    ///       them. Therefore, a validated chain must be derived *within* this callback (potentially involving fetching
+    ///       additional intermediate certificates). The *validated* certificate chain returned in the promise result
+    ///       **must** be a verified path to a trusted root. Importantly, the certificates presented by the peer should
+    ///       not be assumed to be valid.
+    public convenience init(
+        context: NIOSSLContext,
+        configuration: Configuration,
+        customVerificationCallbackWithMetadata: @escaping NIOSSLCustomVerificationCallbackWithMetadata
+    ) {
+        self.init(
+            context: context,
+            optionalCustomVerificationCallbackManager: CustomVerifyManager(
+                callback: customVerificationCallbackWithMetadata
+            ),
             optionalAdditionalPeerCertificateVerificationCallback: nil,
             configuration: configuration
         )
@@ -99,15 +166,15 @@ public final class NIOSSLServerHandler: NIOSSLHandler {
     ) -> Self {
         .init(
             context: context,
-            optionalCustomVerificationCallback: nil,
+            optionalCustomVerificationCallbackManager: nil,
             optionalAdditionalPeerCertificateVerificationCallback: additionalPeerCertificateVerificationCallback
         )
     }
 
     /// This exists to handle the explosion of initializers I got when I deprecated the first one.
     private init(
         context: NIOSSLContext,
-        optionalCustomVerificationCallback: NIOSSLCustomVerificationCallback?,
+        optionalCustomVerificationCallbackManager: CustomVerifyManager?,
         optionalAdditionalPeerCertificateVerificationCallback: _NIOAdditionalPeerCertificateVerificationCallback?,
         configuration: Configuration = .init()
     ) {
@@ -117,8 +184,8 @@ public final class NIOSSLServerHandler: NIOSSLHandler {
 
         connection.setAcceptState()
 
-        if let customVerificationCallback = optionalCustomVerificationCallback {
-            connection.setCustomVerificationCallback(.init(callback: customVerificationCallback))
+        if let customVerificationCallbackManager = optionalCustomVerificationCallbackManager {
+            connection.setCustomVerificationCallback(customVerificationCallbackManager)
         }
 
         super.init(