userver-framework · aklyuchev · Nov 12, 2024 · Nov 12, 2024 · Nov 13, 2024 · Jan 5, 2025
@@ -42,6 +42,7 @@ class [[nodiscard]] TlsWrapper final : public RwBase {
   static TlsWrapper StartTlsServer(
       Socket&& socket, const crypto::Certificate& cert,
       const crypto::PrivateKey& key, Deadline deadline,
+      const std::string& certificate_chain_path = "",
       const std::vector<crypto::Certificate>& extra_cert_authorities = {});
 
   ~TlsWrapper() override;

@@ -63,6 +63,7 @@ namespace components {
 /// task_processor | task processor to process incoming requests | -
 /// backlog | max count of new connections pending acceptance | 1024
 /// tls.ca | paths to TLS CAs for client authentication | -
+/// tls.cert-chain | path to TLS server certificate chain | -
 /// tls.cert | path to TLS server certificate | -
 /// tls.private-key | path to TLS server certificate private key | -
 /// tls.private-key-passphrase-name | passphrase name located in secdist's "passphrases" section | -

@@ -527,6 +527,7 @@ TlsWrapper TlsWrapper::StartTlsClient(
 TlsWrapper TlsWrapper::StartTlsServer(
     Socket&& socket, const crypto::Certificate& cert,
     const crypto::PrivateKey& key, Deadline deadline,
+    const std::string& certificate_chain_path,
     const std::vector<crypto::Certificate>& extra_cert_authorities) {
   auto ssl_ctx = MakeSslCtx();
 
@@ -540,9 +541,16 @@ TlsWrapper TlsWrapper::StartTlsServer(
     LOG_INFO() << "Client SSL cert will not be verified";
   }
 
-  if (1 != SSL_CTX_use_certificate(ssl_ctx.get(), cert.GetNative())) {
-    throw TlsException(crypto::FormatSslError(
-        "Failed to set up server TLS wrapper: SSL_CTX_use_certificate"));
+  if(!certificate_chain_path.empty()) {
+      if(1 !=SSL_CTX_use_certificate_chain_file(ssl_ctx.get(), certificate_chain_path.c_str()))
+	  {
+          throw TlsException(crypto::FormatSslError("Failed to set up server TLS wrapper: SSL_CTX_use_certificate_chain_file"));
+      }
+  }
+  else {
+      if (1 != SSL_CTX_use_certificate(ssl_ctx.get(), cert.GetNative())) {
+          throw TlsException(crypto::FormatSslError("Failed to set up server TLS wrapper: SSL_CTX_use_certificate"));
+      }
   }
 
   if (1 != SSL_CTX_use_PrivateKey(ssl_ctx.get(), key.GetNative())) {

@@ -128,6 +128,10 @@ additionalProperties: false
                     cert:
                         type: string
                         description: path to TLS certificate
+                    cert-chain:
+                        type: string
+                        description: path to TLS certificates chain
+                        defaultDescription: empty string
                     private-key:
                         type: string
                         description: path to TLS certificate private key

@@ -38,6 +38,7 @@ ListenerConfig Parse(const yaml_config::YamlConfig& value,
     throw std::runtime_error("Invalid backlog value in " + value.GetPath());
   }
 
+  auto cert_chain_path = value["tls"]["cert-chain"].As<std::string>({});
   auto cert_path = value["tls"]["cert"].As<std::string>({});
   auto pkey_path = value["tls"]["private-key"].As<std::string>({});
   auto pkey_pass_name =
@@ -51,6 +52,12 @@ ListenerConfig Parse(const yaml_config::YamlConfig& value,
     config.tls_cert = crypto::Certificate::LoadFromString(contents);
     config.tls = true;
   }
+
+  if (!cert_chain_path.empty()) {
+      config.tls_certificate_chain_path = cert_chain_path;
+      config.tls = true;
+  }
+
   if (!pkey_path.empty()) {
     config.tls_private_key_path = pkey_path;
   }

@@ -27,6 +27,7 @@ struct ListenerConfig {
 
   bool tls{false};
   crypto::Certificate tls_cert;
+  std::string tls_certificate_chain_path;
   std::string tls_private_key_path;
   std::string tls_private_key_passphrase_name;
   crypto::PrivateKey tls_private_key;

@@ -105,6 +105,7 @@ void ListenerImpl::ProcessConnection(engine::io::Socket peer_socket) {
     socket = std::make_unique<engine::io::TlsWrapper>(
         engine::io::TlsWrapper::StartTlsServer(
             std::move(peer_socket), config.tls_cert, config.tls_private_key, {},
+            config.tls_certificate_chain_path,
             config.tls_certificate_authorities));
   } else {
     socket = std::make_unique<engine::io::Socket>(std::move(peer_socket));