authorMark Spruiell <mes@zeroc.com>2009-07-14 14:04:08 -0700
committerMark Spruiell <mes@zeroc.com>2009-07-14 14:04:08 -0700
commit0c3cd182015ed9f00663af9077ad7adb100c72b5 (patch)
treee3c2d8196ea12d3c882b8baf9ce9b33ada6cf863
parentbug 3464: C++ & Java changes for IceSSL.CheckCertName (diff)
bug 3464: C# changes for IceSSL.CheckCertName
-rw-r--r--cs/src/IceSSL/Instance.cs230
-rw-r--r--cs/src/IceSSL/TransceiverI.cs30
-rw-r--r--cs/test/IceSSL/certs/c_rsa_nopass_ca1.pfxbin2069 -> 1949 bytes
-rw-r--r--cs/test/IceSSL/certs/c_rsa_nopass_ca1_exp.pfxbin2069 -> 1949 bytes
-rw-r--r--cs/test/IceSSL/certs/c_rsa_nopass_ca2.pfxbin2069 -> 1949 bytes
-rw-r--r--cs/test/IceSSL/certs/cacert1.pem45
-rw-r--r--cs/test/IceSSL/certs/cacert2.pem45
-rwxr-xr-xcs/test/IceSSL/certs/makecerts.py6
-rw-r--r--cs/test/IceSSL/certs/s_rsa_nopass_ca1.pfxbin2069 -> 1949 bytes
-rw-r--r--cs/test/IceSSL/certs/s_rsa_nopass_ca1_cn1.pfxbin0 -> 1925 bytes
-rw-r--r--cs/test/IceSSL/certs/s_rsa_nopass_ca1_cn2.pfxbin0 -> 1925 bytes
-rw-r--r--cs/test/IceSSL/certs/s_rsa_nopass_ca1_exp.pfxbin2069 -> 1949 bytes
-rw-r--r--cs/test/IceSSL/certs/s_rsa_nopass_ca2.pfxbin2069 -> 1949 bytes
-rw-r--r--cs/test/IceSSL/configuration/AllTests.cs101
14 files changed, 379 insertions, 78 deletions
diff --git a/cs/src/IceSSL/Instance.cs b/cs/src/IceSSL/Instance.cs
index 9229b3a0d61..5ecedaa8cf4 100644
--- a/cs/src/IceSSL/Instance.cs
+++ b/cs/src/IceSSL/Instance.cs
@@ -17,6 +17,7 @@ namespace IceSSL
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
+ using System.Text;
internal class Instance
{
@@ -373,8 +374,200 @@ namespace IceSSL
communicator().getLogger().trace(_securityTraceCategory, s.ToString());
}
- internal void verifyPeer(ConnectionInfo info, System.Net.Sockets.Socket fd, bool incoming)
+ internal void verifyPeer(ConnectionInfo info, System.Net.Sockets.Socket fd, string address, bool incoming)
{
+ //
+ // For an outgoing connection, we compare the proxy address (if any) against
+ // fields in the server's certificate (if any).
+ //
+ if(info.certs != null && info.certs.Length > 0 && address.Length > 0)
+ {
+ //
+ // Extract the IP addresses and the DNS names from the subject
+ // alternative names.
+ //
+ List<string> dnsNames = null;
+ List<string> ipAddresses = null;
+
+ //
+ // Search for "subject alternative name" extensions. The OID value
+ // of interest is 2.5.29.17 and the encoded data has the following
+ // ASN.1 syntax:
+ //
+ // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ //
+ // GeneralName ::= CHOICE {
+ // otherName [0] OtherName,
+ // rfc822Name [1] IA5String,
+ // dNSName [2] IA5String,
+ // x400Address [3] ORAddress,
+ // directoryName [4] Name,
+ // ediPartyName [5] EDIPartyName,
+ // uniformResourceIdentifier [6] IA5String,
+ // iPAddress [7] OCTET STRING,
+ // registeredID [8] OBJECT IDENTIFIER
+ // }
+ //
+ foreach(X509Extension ext in info.certs[0].Extensions)
+ {
+ if(ext.Oid.Value.Equals("2.5.29.17") && ext.RawData.Length > 0)
+ {
+ byte[] data = ext.RawData;
+ if(data.Length < 2 || data[0] != 0x30) // ASN.1 sequence
+ {
+ continue;
+ }
+
+ int seqLen, pos;
+ if(!decodeASN1Length(data, 1, out seqLen, out pos))
+ {
+ continue;
+ }
+
+ while(pos < data.Length)
+ {
+ int tag = data[pos];
+
+ int len;
+ if(!decodeASN1Length(data, pos + 1, out len, out pos))
+ {
+ break;
+ }
+
+ if(tag == 0x82)
+ {
+ //
+ // Extract DNS name.
+ //
+ StringBuilder b = new StringBuilder();
+ for(int j = pos; j < pos + len; ++j)
+ {
+ b.Append((char)data[j]);
+ }
+ if(dnsNames == null)
+ {
+ dnsNames = new List<string>();
+ }
+ dnsNames.Add(b.ToString().ToLower());
+ }
+ else if(tag == 0x87)
+ {
+ //
+ // Extract IP address.
+ //
+ char sep = len == 4 ? '.' : ':';
+ StringBuilder b = new StringBuilder();
+ for(int j = pos; j < pos + len; ++j)
+ {
+ if(j > pos)
+ {
+ b.Append(sep);
+ }
+ b.Append(data[j].ToString());
+ }
+ if(ipAddresses == null)
+ {
+ ipAddresses = new List<string>();
+ }
+ ipAddresses.Add(b.ToString().ToLower());
+ }
+
+ pos += len;
+ }
+ }
+ }
+
+ //
+ // Compare the peer's address against the common name as well as
+ // the dnsName and ipAddress values in the subject alternative name.
+ //
+ string dn = info.certs[0].Subject;
+ string addrLower = address.ToLower();
+ bool certNameOK = false;
+ {
+ string cn = "cn=" + addrLower;
+ int pos = dn.ToLower().IndexOf(cn);
+ if(pos >= 0)
+ {
+ //
+ // Ensure we match the entire common name.
+ //
+ certNameOK = (pos + cn.Length == dn.Length) || (dn[pos + cn.Length] == ',');
+ }
+ }
+
+ //
+ // Compare the peer's address against the the dnsName and ipAddress
+ // values in the subject alternative name.
+ //
+ if(!certNameOK && ipAddresses != null)
+ {
+ certNameOK = ipAddresses.Contains(addrLower);
+ }
+ if(!certNameOK && dnsNames != null)
+ {
+ certNameOK = dnsNames.Contains(addrLower);
+ }
+
+ //
+ // Log a message if the name comparison fails. If CheckCertName is defined,
+ // we also raise an exception to abort the connection. Don't log a message if
+ // CheckCertName is not defined and a verifier is present.
+ //
+ if(!certNameOK && (_checkCertName || (_securityTraceLevel >= 1 && _verifier == null)))
+ {
+ StringBuilder sb = new StringBuilder();
+ sb.Append("IceSSL: ");
+ if(!_checkCertName)
+ {
+ sb.Append("ignoring ");
+ }
+ sb.Append("certificate validation failure:\npeer certificate does not have `");
+ sb.Append(address);
+ sb.Append("' as its commonName or in its subjectAltName extension");
+ if(dn.Length > 0)
+ {
+ sb.Append("\nSubject DN: ");
+ sb.Append(dn);
+ }
+ if(dnsNames != null)
+ {
+ sb.Append("\nDNS names found in certificate: ");
+ for(int j = 0; j < dnsNames.Count; ++j)
+ {
+ if(j > 0)
+ {
+ sb.Append(", ");
+ }
+ sb.Append(dnsNames[j]);
+ }
+ }
+ if(ipAddresses != null)
+ {
+ sb.Append("\nIP addresses found in certificate: ");
+ for(int j = 0; j < ipAddresses.Count; ++j)
+ {
+ if(j > 0)
+ {
+ sb.Append(", ");
+ }
+ sb.Append(ipAddresses[j]);
+ }
+ }
+ string msg = sb.ToString();
+ if(_securityTraceLevel >= 1)
+ {
+ _logger.trace(_securityTraceCategory, msg);
+ }
+ if(_checkCertName)
+ {
+ Ice.SecurityException ex = new Ice.SecurityException();
+ ex.reason = msg;
+ throw ex;
+ }
+ }
+ }
+
if(_verifyDepthMax > 0 && info.certs != null && info.certs.Length > _verifyDepthMax)
{
string msg = (incoming ? "incoming" : "outgoing") + " connection rejected:\n" +
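Review bot: The common-name comparison (`dn.ToLower().IndexOf("cn=" + addrLower)` followed only by an end-of-string-or-comma check) is an unanchored substring search over the rendered subject DN, so it is not tied to the start of an RDN and will also fire on the text `cn=<host>,` embedded inside another attribute's quoted value (an O or OU chosen by the requester), which a CA validating only CN/SAN might well issue. Match against the parsed name rather than its string form, e.g. `string cn = info.certs[0].GetNameInfo(X509NameType.SimpleName, false);` and `certNameOK = cn.Equals(address, StringComparison.OrdinalIgnoreCase);` (confirm SimpleName yields the CN for these certificates; it may fall back to other attributes when no CN is present). Separately, the `tag == 0x87` branch renders a 16-byte SAN entry as colon-separated decimal bytes, which never equals a textual IPv6 address, so IPv6 SAN entries can never satisfy the check; building `new System.Net.IPAddress(bytes)` and comparing it to `IPAddress.TryParse(address, ...)` when the address is numeric would cover both families. `ToLower()`/`IndexOf` are also culture-sensitive here, so an ordinal comparison would be the safer choice for a security decision.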
@@ -866,6 +1059,41 @@ namespace IceSSL
return result;
}
+ private static bool decodeASN1Length(byte[] data, int start, out int len, out int next)
+ {
+ len = 0;
+ next = 0;
+
+ if(start + 1 > data.Length)
+ {
+ return false;
+ }
+
+ len = data[start];
+ int len2 = 0;
+ if(len > 0x80) // Composed length
+ {
+ len2 = len - 0x80;
+ if(start + len2 + 1 > data.Length)
+ {
+ return false;
+ }
+ len = 0;
+ for(int i = 0; i < len2; i++)
+ {
+ len *= 256;
+ len += data[start + i + 1];
+ }
+ }
+ else if(len == 0x80) // Undefined length encoding
+ {
+ return false;
+ }
+
+ next = start + len2 + 1;
+ return (next + len <= data.Length);
+ }
+
private Ice.Logger _logger;
private IceInternal.ProtocolPluginFacade _facade;
private int _securityTraceLevel;
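Review bot: `decodeASN1Length` accepts any number of length octets and accumulates them with `len *= 256` into a signed `int`, so a crafted extension with four length octets at or above 0x80000000 (or more than four octets) wraps `len` negative; the final `next + len <= data.Length` bound then passes, and the caller's `while(pos < data.Length)` loop in `verifyPeer` moves `pos` backwards via `pos += len`, which can either spin indefinitely (a length encoding that lands back on itself) or throw IndexOutOfRangeException from inside the TLS validation path, all driven by a peer-supplied certificate. Reject over-long and negative lengths: `if(len2 > 4) { return false; }` before the accumulation loop and `if(len < 0) { return false; }` after it. DER additionally forbids non-minimal length encodings, which a stricter decoder could refuse, but the overflow guard is the part that matters for untrusted input. The helper is private and only used by the name check, so tightening it changes nothing for well-formed certificates.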
diff --git a/cs/src/IceSSL/TransceiverI.cs b/cs/src/IceSSL/TransceiverI.cs
index 87d4e63b2b8..59d954b9bcf 100644
--- a/cs/src/IceSSL/TransceiverI.cs
+++ b/cs/src/IceSSL/TransceiverI.cs
@@ -483,7 +483,7 @@ namespace IceSSL
_initializeResult = null;
_info = Util.populateConnectionInfo(_stream, _fd, _chain, _adapterName, _adapterName != null);
- _instance.verifyPeer(_info, _fd, _adapterName != null);
+ _instance.verifyPeer(_info, _fd, _host, _adapterName != null);
if(_instance.networkTraceLevel() >= 1)
{
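Review bot: `_host` is now passed to `verifyPeer` on both the accepting and the connecting side (`_adapterName != null` is the incoming flag), while `verifyPeer` decides whether to run the name check from `address.Length > 0` alone, even though its own comment says the check is meant for outgoing connections. If `_host` is null on an accepted connection the new call throws a NullReferenceException from `address.Length`, and if it holds the server's own bind address the client certificate would be compared against that name; I cannot see from this hunk how `_host` is populated for incoming transceivers, so please confirm, or exclude the server side explicitly with `_instance.verifyPeer(_info, _fd, _adapterName != null ? "" : _host, _adapterName != null);`.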
@@ -579,30 +579,10 @@ namespace IceSSL
if((errors & (int)SslPolicyErrors.RemoteCertificateNameMismatch) > 0)
{
- if(_adapterName == null)
- {
- if(!_instance.checkCertName())
- {
- errors ^= (int)SslPolicyErrors.RemoteCertificateNameMismatch;
- message = message + "\nremote certificate name mismatch (ignored)";
- }
- else
- {
- if(_instance.securityTraceLevel() >= 1)
- {
- _logger.trace(_instance.securityTraceCategory(),
- "SSL certificate validation failed - remote certificate name mismatch");
- }
- return false;
- }
- }
- else
- {
- //
- // This condition is not expected in a server.
- //
- Debug.Assert(false);
- }
+ //
+ // Ignore this error here; we'll check the peer certificate in verifyPeer().
+ //
+ errors ^= (int)SslPolicyErrors.RemoteCertificateNameMismatch;
}
if((errors & (int)SslPolicyErrors.RemoteCertificateChainErrors) > 0)
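Review bot: The validation callback now clears `RemoteCertificateNameMismatch` unconditionally, for servers as well as clients, so the only thing enforcing `IceSSL.CheckCertName` is the `verifyPeer()` call made after the handshake; any path that completes authentication of `_stream` without reaching that call would silently accept a certificate issued for a different host. The added comment should state that dependency so it survives later refactoring, e.g. `// Name mismatches are deliberately ignored here: IceSSL.CheckCertName is enforced by verifyPeer(), which must run after every successful handshake.` The removed code also traced the mismatch at security trace level 1 before returning false; that diagnostic now exists only in `verifyPeer`, which is fine as long as the call stays unconditional.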
diff --git a/cs/test/IceSSL/certs/c_rsa_nopass_ca1.pfx b/cs/test/IceSSL/certs/c_rsa_nopass_ca1.pfx
index 5bb83dc5d45..a0cc75d09c4 100644
--- a/cs/test/IceSSL/certs/c_rsa_nopass_ca1.pfx
+++ b/cs/test/IceSSL/certs/c_rsa_nopass_ca1.pfx
Binary files differ
diff --git a/cs/test/IceSSL/certs/c_rsa_nopass_ca1_exp.pfx b/cs/test/IceSSL/certs/c_rsa_nopass_ca1_exp.pfx
index 1a0e1e48e47..a0637637fbb 100644
--- a/cs/test/IceSSL/certs/c_rsa_nopass_ca1_exp.pfx
+++ b/cs/test/IceSSL/certs/c_rsa_nopass_ca1_exp.pfx
Binary files differ
diff --git a/cs/test/IceSSL/certs/c_rsa_nopass_ca2.pfx b/cs/test/IceSSL/certs/c_rsa_nopass_ca2.pfx
index 8d5bf988d7f..cc9c09fd6ce 100644
--- a/cs/test/IceSSL/certs/c_rsa_nopass_ca2.pfx
+++ b/cs/test/IceSSL/certs/c_rsa_nopass_ca2.pfx
Binary files differ
diff --git a/cs/test/IceSSL/certs/cacert1.pem b/cs/test/IceSSL/certs/cacert1.pem
index 1dc6f4168ad..5b7dcbb8674 100644
--- a/cs/test/IceSSL/certs/cacert1.pem
+++ b/cs/test/IceSSL/certs/cacert1.pem
@@ -1,27 +1,22 @@
-----BEGIN CERTIFICATE-----
-MIIEqTCCA5GgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBmTELMAkGA1UEBhMCVVMx
-EDAOBgNVBAgTB0Zsb3JpZGExGzAZBgNVBAcTElBhbG0gQmVhY2ggR2FyZGVuczEU
-MBIGA1UEChMLWmVyb0MsIEluYy4xDDAKBgNVBAsTA0ljZTEYMBYGA1UEAxMPWmVy
-b0MgVGVzdCBDQSAxMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHplcm9jLmNvbTAeFw0w
-NjAzMzExNjU1MTBaFw0xNjAzMjgxNjU1MTBaMIGZMQswCQYDVQQGEwJVUzEQMA4G
-A1UECBMHRmxvcmlkYTEbMBkGA1UEBxMSUGFsbSBCZWFjaCBHYXJkZW5zMRQwEgYD
-VQQKEwtaZXJvQywgSW5jLjEMMAoGA1UECxMDSWNlMRgwFgYDVQQDEw9aZXJvQyBU
-ZXN0IENBIDExHTAbBgkqhkiG9w0BCQEWDmluZm9AemVyb2MuY29tMIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5XkmtP3Q/QTlOH3CJ8OtTCzAaCl7AP6o
-twy80xqYVtVLxdDGjQctzMB1XHsjlPrLSemGItSjdGziIqUa9mzNmGfii+UZguas
-iVokXdOQHDn78ErTkwhiUU0ppuXvOfmBJ0wjgbys5kjozxmfuxofD03z7KgumAjv
-dvHm01XcLevYLrC+5UOazqKSd5GgMAZi9SL8mhVEu6Y7zQ7DciPGvDHtKFWFyc/G
-GOBNTD5N6iZD2Q24JulFdOUJ0SzJ6MP681BGHuyJzG7jGw8DTZ1lSxwDhvD8EORA
-suYvAag31uQ+vliixO3zvoO5aJKMqxafCqQ0OPvii9Jr0hsVS5rPLQIDAQABo4H5
-MIH2MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFMsFBfA+oUqhywdvhouv7qXkymK9
-MIHGBgNVHSMEgb4wgbuAFMsFBfA+oUqhywdvhouv7qXkymK9oYGfpIGcMIGZMQsw
-CQYDVQQGEwJVUzEQMA4GA1UECBMHRmxvcmlkYTEbMBkGA1UEBxMSUGFsbSBCZWFj
-aCBHYXJkZW5zMRQwEgYDVQQKEwtaZXJvQywgSW5jLjEMMAoGA1UECxMDSWNlMRgw
-FgYDVQQDEw9aZXJvQyBUZXN0IENBIDExHTAbBgkqhkiG9w0BCQEWDmluZm9AemVy
-b2MuY29tggEAMA0GCSqGSIb3DQEBBAUAA4IBAQC6iwVvqM2MU1oO3JiiKKwhLLaX
-3MTPs18gCDwhmT7v9aR46u18op8JvM33I2BLUZQ5jfEO65jkUZuRJ5uJMRqbkKS2
-CnnH0GilqF0sdqVsTfFgaL1kvc20N6zq15Nd4D4oa+lUDoB6gaoZMKvO6vi9WAam
-znUtngOB5BX2HgkKJZ9K0tu/nd1f5M9F7OVodMxI27TBZ6KuIzbH7ipD99RovFwp
-ZTYoL6yuLJRkHS9wASt0r9k3R1fqYwVnDUVTsB2Pfs0U9MKMDdvlAsSgaETxQfXS
-yLUG4IgjgnQaXRlqvBQ4EEhFY7CZ44LKWRJ6DQ64H9/3WiNE5UqqfGGtmF4n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-----END CERTIFICATE-----
diff --git a/cs/test/IceSSL/certs/cacert2.pem b/cs/test/IceSSL/certs/cacert2.pem
index 0060ea06026..a6f33d10386 100644
--- a/cs/test/IceSSL/certs/cacert2.pem
+++ b/cs/test/IceSSL/certs/cacert2.pem
@@ -1,27 +1,22 @@
-----BEGIN CERTIFICATE-----
-MIIEqTCCA5GgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBmTELMAkGA1UEBhMCVVMx
-EDAOBgNVBAgTB0Zsb3JpZGExGzAZBgNVBAcTElBhbG0gQmVhY2ggR2FyZGVuczEU
-MBIGA1UEChMLWmVyb0MsIEluYy4xDDAKBgNVBAsTA0ljZTEYMBYGA1UEAxMPWmVy
-b0MgVGVzdCBDQSAyMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHplcm9jLmNvbTAeFw0w
-NjAzMzExNjU1MTVaFw0xNjAzMjgxNjU1MTVaMIGZMQswCQYDVQQGEwJVUzEQMA4G
-A1UECBMHRmxvcmlkYTEbMBkGA1UEBxMSUGFsbSBCZWFjaCBHYXJkZW5zMRQwEgYD
-VQQKEwtaZXJvQywgSW5jLjEMMAoGA1UECxMDSWNlMRgwFgYDVQQDEw9aZXJvQyBU
-ZXN0IENBIDIxHTAbBgkqhkiG9w0BCQEWDmluZm9AemVyb2MuY29tMIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz3CQEV/wkBUC2zQQcuXevnUNNdm/QL71
-h1YIB4KzTigFR8NgPS7m3eMt71MI0XPzYO73dL0xZTkjFADzPjHVBupki8L6e5Gx
-9DgwXJ3hhJ73Afgw5ZpAEx4SmG8r5Jc+PbVZ/zhVEJtCyLIMXSCDbxMTuOroQmEr
-ExYcnKhJ1O3bqPpn+W89f4kyTb5PKl2oOiTrVBUKabsNR0vGbggHNqnEH9/B2v5J
-+O5lU5oY6ebbyauUffP5p9Lihb/hg85tgfror8QRJuI2XWwFOvxufcWzHCJzqzI9
-nDXflXJwH7w/LAkdB6lsKOq+mCLhlzJKptOFNG1ZA7R1C/XZiNTEwQIDAQABo4H5
-MIH2MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFC4/BHF+ovq/ySQGnJJDg2RwjWwT
-MIHGBgNVHSMEgb4wgbuAFC4/BHF+ovq/ySQGnJJDg2RwjWwToYGfpIGcMIGZMQsw
-CQYDVQQGEwJVUzEQMA4GA1UECBMHRmxvcmlkYTEbMBkGA1UEBxMSUGFsbSBCZWFj
-aCBHYXJkZW5zMRQwEgYDVQQKEwtaZXJvQywgSW5jLjEMMAoGA1UECxMDSWNlMRgw
-FgYDVQQDEw9aZXJvQyBUZXN0IENBIDIxHTAbBgkqhkiG9w0BCQEWDmluZm9AemVy
-b2MuY29tggEAMA0GCSqGSIb3DQEBBAUAA4IBAQBNoZdgApXHGEllEqXNPoEvYZ+b
-4kmeh6bnjGZ6/E+70vR9NCoSjfmp7nHDSKJExYPIx/EAPGzfN/MHAo7ZhZR2ltgb
-DLlMd8HKQAZw+hYQmaPUKfrQaDZgZ586OBWxyKY6izBD/2xyT8sptbB4VXsFE+sd
-pYXeOZiDO8AEDq0oPhuPqUBRJ6m5qWzN2IoudSJ8Sc0gFLA+3c+mR+WjBqVHMiOK
-xfIY/YbLMWGaJzAbiseggmrNM9wijlrMl8PP0/wa9zXR09AeMeuQFVnKFs559bl5
-SwiAULeDqFJVtZXriyJTTWoFowFBcXkJFPKGxtEpajXMt9L3tEOOa1topKPY
+MIIDtTCCAx6gAwIBAgIJAIvZtPvDtJoAMA0GCSqGSIb3DQEBBAUAMIGZMQswCQYD
+VQQGEwJVUzEQMA4GA1UECBMHRmxvcmlkYTEbMBkGA1UEBxMSUGFsbSBCZWFjaCBH
+YXJkZW5zMRQwEgYDVQQKEwtaZXJvQywgSW5jLjEMMAoGA1UECxMDSWNlMRgwFgYD
+VQQDEw9aZXJvQyBUZXN0IENBIDIxHTAbBgkqhkiG9w0BCQEWDmluZm9AemVyb2Mu
+Y29tMB4XDTA5MDcxNDE4MjUzMVoXDTE5MDcxMjE4MjUzMVowgZkxCzAJBgNVBAYT
+AlVTMRAwDgYDVQQIEwdGbG9yaWRhMRswGQYDVQQHExJQYWxtIEJlYWNoIEdhcmRl
+bnMxFDASBgNVBAoTC1plcm9DLCBJbmMuMQwwCgYDVQQLEwNJY2UxGDAWBgNVBAMT
+D1plcm9DIFRlc3QgQ0EgMjEdMBsGCSqGSIb3DQEJARYOaW5mb0B6ZXJvYy5jb20w
+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANTFTL3aQ6RaETjXply8VTtNI1bB
+A402dRVmX7VK9wq1VwnFCEN/qLEYROy+FWfIm+4fkDNfvL30H5LI4kfsoVfJWWlH
+8sRZ2vXbMbF9N85O+fCtrsP0+SoPgXQpc1DFuxLWNYLOcZIPNEhceekk3SfvqSS5
+HS+FJC0Q3QKue6PpAgMBAAGjggEBMIH+MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYE
+FMODbSaNktrEhSr777q4RBa32S2HMIHOBgNVHSMEgcYwgcOAFMODbSaNktrEhSr7
+77q4RBa32S2HoYGfpIGcMIGZMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHRmxvcmlk
+YTEbMBkGA1UEBxMSUGFsbSBCZWFjaCBHYXJkZW5zMRQwEgYDVQQKEwtaZXJvQywg
+SW5jLjEMMAoGA1UECxMDSWNlMRgwFgYDVQQDEw9aZXJvQyBUZXN0IENBIDIxHTAb
+BgkqhkiG9w0BCQEWDmluZm9AemVyb2MuY29tggkAi9m0+8O0mgAwDQYJKoZIhvcN
+AQEEBQADgYEA1KruErPZDajwP25hR5f/Mcm1UgXZoSpVSV29IxsonUCKQr193ehU
+8cJMdEiaLZWFUxGw+QhSaKz1HDWkpyD3Zay4KM/MyGFof8m7i3iqKXdqFYP+Y9yS
+LixBOkjaQEVa2PDyqsXbzA5nOzyIdOiBkrJ0hRwvXzyaXBBI6K/3K+s=
-----END CERTIFICATE-----
diff --git a/cs/test/IceSSL/certs/makecerts.py b/cs/test/IceSSL/certs/makecerts.py
index 69fda8cb85b..bbcd3aa36f3 100755
--- a/cs/test/IceSSL/certs/makecerts.py
+++ b/cs/test/IceSSL/certs/makecerts.py
@@ -12,12 +12,12 @@ import os, sys, shutil
for toplevel in [".", "..", "../..", "../../..", "../../../..", "../../../../.."]:
toplevel = os.path.normpath(toplevel)
- if os.path.exists(os.path.join(toplevel, "config", "TestUtil.py")):
+ if os.path.exists(os.path.join(toplevel, "scripts", "TestUtil.py")):
break
else:
raise "can't find toplevel directory!"
-sys.path.append(os.path.join(toplevel, "config"))
+sys.path.append(toplevel)
from scripts import *
#
@@ -62,6 +62,8 @@ certs = [\
"s_rsa_nopass_ca1_exp", \
"s_rsa_nopass_ca1", \
"s_rsa_nopass_ca2", \
+ "s_rsa_nopass_ca1_cn1", \
+ "s_rsa_nopass_ca1_cn2", \
]
for x in certs:
diff --git a/cs/test/IceSSL/certs/s_rsa_nopass_ca1.pfx b/cs/test/IceSSL/certs/s_rsa_nopass_ca1.pfx
index c73a269deb8..eb12139092a 100644
--- a/cs/test/IceSSL/certs/s_rsa_nopass_ca1.pfx
+++ b/cs/test/IceSSL/certs/s_rsa_nopass_ca1.pfx
Binary files differ
diff --git a/cs/test/IceSSL/certs/s_rsa_nopass_ca1_cn1.pfx b/cs/test/IceSSL/certs/s_rsa_nopass_ca1_cn1.pfx
new file mode 100644
index 00000000000..03266b2fe69
--- /dev/null
+++ b/cs/test/IceSSL/certs/s_rsa_nopass_ca1_cn1.pfx
Binary files differ
diff --git a/cs/test/IceSSL/certs/s_rsa_nopass_ca1_cn2.pfx b/cs/test/IceSSL/certs/s_rsa_nopass_ca1_cn2.pfx
new file mode 100644
index 00000000000..aae0fc0be33
--- /dev/null
+++ b/cs/test/IceSSL/certs/s_rsa_nopass_ca1_cn2.pfx
Binary files differ
diff --git a/cs/test/IceSSL/certs/s_rsa_nopass_ca1_exp.pfx b/cs/test/IceSSL/certs/s_rsa_nopass_ca1_exp.pfx
index 4aa2c833656..a7a1e21e3b1 100644
--- a/cs/test/IceSSL/certs/s_rsa_nopass_ca1_exp.pfx
+++ b/cs/test/IceSSL/certs/s_rsa_nopass_ca1_exp.pfx
Binary files differ
diff --git a/cs/test/IceSSL/certs/s_rsa_nopass_ca2.pfx b/cs/test/IceSSL/certs/s_rsa_nopass_ca2.pfx
index ff9befcb8c1..00bc94a26f2 100644
--- a/cs/test/IceSSL/certs/s_rsa_nopass_ca2.pfx
+++ b/cs/test/IceSSL/certs/s_rsa_nopass_ca2.pfx
Binary files differ
diff --git a/cs/test/IceSSL/configuration/AllTests.cs b/cs/test/IceSSL/configuration/AllTests.cs
index 57ac76ed823..b0b9b5aaa27 100644
--- a/cs/test/IceSSL/configuration/AllTests.cs
+++ b/cs/test/IceSSL/configuration/AllTests.cs
@@ -386,6 +386,107 @@ public class AllTests
// the server's certificate has the value "Server" and we can't use "Server" as a host
// name in an endpoint (it almost certainly wouldn't resolve correctly).
//
+
+ //
+ // Test IceSSL.CheckCertName. The test certificates for the server contain "127.0.0.1"
+ // as the common name or as a subject alternative name, so we only perform this test when
+ // the default host is "127.0.0.1".
+ //
+ if(defaultHost.Equals("127.0.0.1"))
+ {
+ //
+ // Test subject alternative name.
+ //
+ {
+ initData = createClientProps(defaultProperties, testDir, defaultHost);
+ initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.CheckCertName", "1");
+ comm = Ice.Util.initialize(ref args, initData);
+
+ fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(defaultProperties, testDir, defaultHost);
+ d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx";
+ d["IceSSL.Password"] = "password";
+ d["IceSSL.CheckCertName"] = "1";
+ store.Add(caCert1);
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
+ catch(Ice.LocalException)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ store.Remove(caCert1);
+ comm.destroy();
+ }
+ //
+ // Test common name.
+ //
+ {
+ initData = createClientProps(defaultProperties, testDir, defaultHost);
+ initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.CheckCertName", "1");
+ comm = Ice.Util.initialize(ref args, initData);
+
+ fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(defaultProperties, testDir, defaultHost);
+ d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1_cn1.pfx";
+ d["IceSSL.Password"] = "password";
+ d["IceSSL.CheckCertName"] = "1";
+ store.Add(caCert1);
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
+ catch(Ice.LocalException)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ store.Remove(caCert1);
+ comm.destroy();
+ }
+ //
+ // Test common name again. The certificate used in this test has "127.0.0.11" as its
+ // common name, therefore the address "127.0.0.1" must NOT match.
+ //
+ {
+ initData = createClientProps(defaultProperties, testDir, defaultHost);
+ initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.CheckCertName", "1");
+ comm = Ice.Util.initialize(ref args, initData);
+
+ fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(defaultProperties, testDir, defaultHost);
+ d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1_cn2.pfx";
+ d["IceSSL.Password"] = "password";
+ d["IceSSL.CheckCertName"] = "1";
+ store.Add(caCert1);
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.LocalException)
+ {
+ // Expected.
+ }
+ fact.destroyServer(server);
+ store.Remove(caCert1);
+ comm.destroy();
+ }
+ }
}
Console.Out.WriteLine("ok");