author | Mark Spruiell <mes@zeroc.com> | 2009-08-03 15:34:00 -0700 |
---|---|---|
committer | Mark Spruiell <mes@zeroc.com> | 2009-08-03 15:34:00 -0700 |
commit | e54654cf238a719e5ed7632defe397931beb569f (patch) | |
tree | 52ee683eed4232cb5e06c0f2013af2b13060edf2 | |
parent | 4171 - Global namespace pollution (diff) | |
bug 4087 - anti-trust rule in IceSSL
-rw-r--r-- | CHANGES | 3 | ||||
-rw-r--r-- | config/PropertyNames.xml | 8 | ||||
-rw-r--r-- | cpp/src/Ice/PropertyNames.cpp | 23 | ||||
-rw-r--r-- | cpp/src/Ice/PropertyNames.h | 2 | ||||
-rw-r--r-- | cpp/src/IceSSL/RFC2253.cpp | 24 | ||||
-rw-r--r-- | cpp/src/IceSSL/RFC2253.h | 19 | ||||
-rw-r--r-- | cpp/src/IceSSL/TrustManager.cpp | 125 | ||||
-rw-r--r-- | cpp/src/IceSSL/TrustManager.h | 15 | ||||
-rw-r--r-- | cpp/test/IceSSL/configuration/AllTests.cpp | 561 | ||||
-rw-r--r-- | cs/src/Ice/PropertyNames.cs | 10 | ||||
-rw-r--r-- | cs/src/IceSSL/RFC2253.cs | 83 | ||||
-rw-r--r-- | cs/src/IceSSL/TrustManager.cs | 198 | ||||
-rw-r--r-- | cs/test/IceSSL/configuration/AllTests.cs | 603 | ||||
-rw-r--r-- | java/src/IceInternal/PropertyNames.java | 24 | ||||
-rw-r--r-- | java/src/IceSSL/RFC2253.java | 28 | ||||
-rw-r--r-- | java/src/IceSSL/TrustManager.java | 193 | ||||
-rw-r--r-- | java/test/IceSSL/configuration/AllTests.java | 591 |
17 files changed, 2107 insertions, 403 deletions
@@ -33,6 +33,9 @@ General Changes These entries apply to all relevant language mappings unless otherwise noted.
+- The IceSSL.TrustOnly properties support a new syntax that allows you
+  to reject a peer whose distinguished name matches certain criteria.
+
 - IceSSL now compares the host name or IP address in a proxy endpoint (if any) against the common name of the server's certificate when the property IceSSL.CheckCertName is enabled. This is in addition to
diff --git a/config/PropertyNames.xml b/config/PropertyNames.xml
index 9fdc44295af..b8d55de0273 100644
--- a/config/PropertyNames.xml
+++ b/config/PropertyNames.xml
@@ -483,15 +483,15 @@ generated from the section label.
         <property name="Protocols" />
         <property name="Random" />
         <property name="Trace.Security" />
+        <property name="TrustOnly" />
+        <property name="TrustOnly.Client" />
+        <property name="TrustOnly.Server" />
+        <property name="TrustOnly.Server.[any]" />
         <property name="Truststore" />
         <property name="TruststorePassword" />
         <property name="TruststoreType" />
         <property name="VerifyDepthMax" />
         <property name="VerifyPeer" />
-        <property name="TrustOnly" />
-        <property name="TrustOnly.Client" />
-        <property name="TrustOnly.Server" />
-        <property name="TrustOnly.Server.[any]" />
     </section>
     <section name="IceStormAdmin">
diff --git a/cpp/src/Ice/PropertyNames.cpp b/cpp/src/Ice/PropertyNames.cpp
index 28865e12b26..8837d3c740a 100644
--- a/cpp/src/Ice/PropertyNames.cpp
+++ b/cpp/src/Ice/PropertyNames.cpp
@@ -8,7 +8,7 @@
 // **********************************************************************
 //
-// Generated by makeprops.py from file ../config/PropertyNames.xml, Mon May 18 11:29:29 2009
+// Generated by makeprops.py from file ../config/PropertyNames.xml, Wed Jul 29 10:07:20 2009
 // IMPORTANT: Do not edit this file -- any edits made here will be lost!
@@ -31,6 +31,7 @@ const IceInternal::Property IcePropsData[] =
     IceInternal::Property("Ice.Admin.ThreadPool.SizeWarn", false, 0),
     IceInternal::Property("Ice.Admin.ThreadPool.StackSize", false, 0),
     IceInternal::Property("Ice.Admin.ThreadPool.Serialize", false, 0),
+    IceInternal::Property("Ice.Admin.ThreadPool.ThreadPriority", false, 0),
     IceInternal::Property("Ice.Admin.DelayCreation", false, 0),
     IceInternal::Property("Ice.Admin.Facets", false, 0),
     IceInternal::Property("Ice.Admin.InstanceName", false, 0),
@@ -153,6 +154,7 @@ const IceInternal::Property IceBoxPropsData[] =
     IceInternal::Property("IceBox.ServiceManager.ThreadPool.SizeWarn", false, 0),
     IceInternal::Property("IceBox.ServiceManager.ThreadPool.StackSize", false, 0),
     IceInternal::Property("IceBox.ServiceManager.ThreadPool.Serialize", false, 0),
+    IceInternal::Property("IceBox.ServiceManager.ThreadPool.ThreadPriority", false, 0),
     IceInternal::Property("IceBox.Trace.ServiceObserver", false, 0),
     IceInternal::Property("IceBox.UseSharedCommunicator.*", false, 0),
 };
@@ -208,6 +210,7 @@ const IceInternal::Property IceGridPropsData[] =
     IceInternal::Property("IceGrid.Node.ThreadPool.SizeWarn", false, 0),
     IceInternal::Property("IceGrid.Node.ThreadPool.StackSize", false, 0),
     IceInternal::Property("IceGrid.Node.ThreadPool.Serialize", false, 0),
+    IceInternal::Property("IceGrid.Node.ThreadPool.ThreadPriority", false, 0),
     IceInternal::Property("IceGrid.Node.AllowRunningServersAsRoot", false, 0),
     IceInternal::Property("IceGrid.Node.AllowEndpointsOverride", false, 0),
     IceInternal::Property("IceGrid.Node.CollocateRegistry", false, 0),
@@ -258,6 +261,7 @@ const IceInternal::Property IceGridPropsData[] =
     IceInternal::Property("IceGrid.Registry.AdminSessionManager.ThreadPool.SizeWarn", false, 0),
     IceInternal::Property("IceGrid.Registry.AdminSessionManager.ThreadPool.StackSize", false, 0),
     IceInternal::Property("IceGrid.Registry.AdminSessionManager.ThreadPool.Serialize", false, 0),
+    IceInternal::Property("IceGrid.Registry.AdminSessionManager.ThreadPool.ThreadPriority", false, 0),
     IceInternal::Property("IceGrid.Registry.AdminSSLPermissionsVerifier.EndpointSelection", false, 0),
     IceInternal::Property("IceGrid.Registry.AdminSSLPermissionsVerifier.ConnectionCached", false, 0),
     IceInternal::Property("IceGrid.Registry.AdminSSLPermissionsVerifier.PreferSecure", false, 0),
@@ -280,6 +284,7 @@ const IceInternal::Property IceGridPropsData[] =
     IceInternal::Property("IceGrid.Registry.Client.ThreadPool.SizeWarn", false, 0),
     IceInternal::Property("IceGrid.Registry.Client.ThreadPool.StackSize", false, 0),
     IceInternal::Property("IceGrid.Registry.Client.ThreadPool.Serialize", false, 0),
+    IceInternal::Property("IceGrid.Registry.Client.ThreadPool.ThreadPriority", false, 0),
     IceInternal::Property("IceGrid.Registry.CryptPasswords", false, 0),
     IceInternal::Property("IceGrid.Registry.Data", false, 0),
     IceInternal::Property("IceGrid.Registry.DefaultTemplates", false, 0),
@@ -297,6 +302,7 @@ const IceInternal::Property IceGridPropsData[] =
     IceInternal::Property("IceGrid.Registry.Internal.ThreadPool.SizeWarn", false, 0),
     IceInternal::Property("IceGrid.Registry.Internal.ThreadPool.StackSize", false, 0),
     IceInternal::Property("IceGrid.Registry.Internal.ThreadPool.Serialize", false, 0),
+    IceInternal::Property("IceGrid.Registry.Internal.ThreadPool.ThreadPriority", false, 0),
     IceInternal::Property("IceGrid.Registry.NodeSessionTimeout", false, 0),
     IceInternal::Property("IceGrid.Registry.PermissionsVerifier.EndpointSelection", false, 0),
     IceInternal::Property("IceGrid.Registry.PermissionsVerifier.ConnectionCached", false, 0),
@@ -322,6 +328,7 @@ const IceInternal::Property IceGridPropsData[] =
     IceInternal::Property("IceGrid.Registry.Server.ThreadPool.SizeWarn", false, 0),
     IceInternal::Property("IceGrid.Registry.Server.ThreadPool.StackSize", false, 0),
     IceInternal::Property("IceGrid.Registry.Server.ThreadPool.Serialize", false, 0),
+    IceInternal::Property("IceGrid.Registry.Server.ThreadPool.ThreadPriority", false, 0),
     IceInternal::Property("IceGrid.Registry.SessionFilters", false, 0),
     IceInternal::Property("IceGrid.Registry.SessionManager.AdapterId", false, 0),
     IceInternal::Property("IceGrid.Registry.SessionManager.Endpoints", false, 0),
@@ -336,6 +343,7 @@ const IceInternal::Property IceGridPropsData[] =
     IceInternal::Property("IceGrid.Registry.SessionManager.ThreadPool.SizeWarn", false, 0),
     IceInternal::Property("IceGrid.Registry.SessionManager.ThreadPool.StackSize", false, 0),
     IceInternal::Property("IceGrid.Registry.SessionManager.ThreadPool.Serialize", false, 0),
+    IceInternal::Property("IceGrid.Registry.SessionManager.ThreadPool.ThreadPriority", false, 0),
     IceInternal::Property("IceGrid.Registry.SessionTimeout", false, 0),
     IceInternal::Property("IceGrid.Registry.SSLPermissionsVerifier.EndpointSelection", false, 0),
     IceInternal::Property("IceGrid.Registry.SSLPermissionsVerifier.ConnectionCached", false, 0),
@@ -380,6 +388,7 @@ const IceInternal::Property IcePatch2PropsData[] =
     IceInternal::Property("IcePatch2.ThreadPool.SizeWarn", false, 0),
     IceInternal::Property("IcePatch2.ThreadPool.StackSize", false, 0),
     IceInternal::Property("IcePatch2.ThreadPool.Serialize", false, 0),
+    IceInternal::Property("IcePatch2.ThreadPool.ThreadPriority", false, 0),
     IceInternal::Property("IcePatch2.Admin.AdapterId", true, 0),
     IceInternal::Property("IcePatch2.Admin.Endpoints", true, 0),
     IceInternal::Property("IcePatch2.Admin.Locator", true, 0),
@@ -427,15 +436,15 @@ const IceInternal::Property IceSSLPropsData[] =
     IceInternal::Property("IceSSL.Protocols", false, 0),
     IceInternal::Property("IceSSL.Random", false, 0),
     IceInternal::Property("IceSSL.Trace.Security", false, 0),
+    IceInternal::Property("IceSSL.TrustOnly", false, 0),
+    IceInternal::Property("IceSSL.TrustOnly.Client", false, 0),
+    IceInternal::Property("IceSSL.TrustOnly.Server", false, 0),
+    IceInternal::Property("IceSSL.TrustOnly.Server.*", false, 0),
     IceInternal::Property("IceSSL.Truststore", false, 0),
     IceInternal::Property("IceSSL.TruststorePassword", false, 0),
     IceInternal::Property("IceSSL.TruststoreType", false, 0),
     IceInternal::Property("IceSSL.VerifyDepthMax", false, 0),
     IceInternal::Property("IceSSL.VerifyPeer", false, 0),
-    IceInternal::Property("IceSSL.TrustOnly", false, 0),
-    IceInternal::Property("IceSSL.TrustOnly.Client", false, 0),
-    IceInternal::Property("IceSSL.TrustOnly.Server", false, 0),
-    IceInternal::Property("IceSSL.TrustOnly.Server.*", false, 0),
 };
 const IceInternal::PropertyArray
@@ -478,6 +487,7 @@ const IceInternal::Property Glacier2PropsData[] =
     IceInternal::Property("Glacier2.Client.ThreadPool.SizeWarn", false, 0),
     IceInternal::Property("Glacier2.Client.ThreadPool.StackSize", false, 0),
     IceInternal::Property("Glacier2.Client.ThreadPool.Serialize", false, 0),
+    IceInternal::Property("Glacier2.Client.ThreadPool.ThreadPriority", false, 0),
     IceInternal::Property("Glacier2.Client.AlwaysBatch", false, 0),
     IceInternal::Property("Glacier2.Client.Buffered", false, 0),
     IceInternal::Property("Glacier2.Client.ForwardContext", false, 0),
@@ -527,6 +537,7 @@ const IceInternal::Property Glacier2PropsData[] =
     IceInternal::Property("Glacier2.Server.ThreadPool.SizeWarn", false, 0),
     IceInternal::Property("Glacier2.Server.ThreadPool.StackSize", false, 0),
     IceInternal::Property("Glacier2.Server.ThreadPool.Serialize", false, 0),
+    IceInternal::Property("Glacier2.Server.ThreadPool.ThreadPriority", false, 0),
     IceInternal::Property("Glacier2.Server.AlwaysBatch", false, 0),
     IceInternal::Property("Glacier2.Server.Buffered", false, 0),
     IceInternal::Property("Glacier2.Server.ForwardContext", false, 0),
@@ -576,9 +587,7 @@ const IceInternal::Property FreezePropsData[] =
     IceInternal::Property("Freeze.Evictor.*.RollbackOnUserException", false, 0),
     IceInternal::Property("Freeze.Evictor.*.SavePeriod", false, 0),
     IceInternal::Property("Freeze.Evictor.*.SaveSizeTrigger", false, 0),
-    IceInternal::Property("Freeze.Evictor.*.SaveThreadPriority", false, 0),
     IceInternal::Property("Freeze.Evictor.*.StreamTimeout", false, 0),
-    IceInternal::Property("Freeze.Evictor.*.WatchDogThreadPriority", false, 0),
     IceInternal::Property("Freeze.Map.*.BtreeMinKey", false, 0),
     IceInternal::Property("Freeze.Map.*.Checksum", false, 0),
     IceInternal::Property("Freeze.Map.*.PageSize", false, 0),
diff --git a/cpp/src/Ice/PropertyNames.h b/cpp/src/Ice/PropertyNames.h
index 2d3377b148a..0c130f16ce3 100644
--- a/cpp/src/Ice/PropertyNames.h
+++ b/cpp/src/Ice/PropertyNames.h
@@ -8,7 +8,7 @@
 // **********************************************************************
 //
-// Generated by makeprops.py from file ../config/PropertyNames.xml, Mon May 18 11:29:29 2009
+// Generated by makeprops.py from file ../config/PropertyNames.xml, Wed Jul 29 10:07:20 2009
 // IMPORTANT: Do not edit this file -- any edits made here will be lost!
diff --git a/cpp/src/IceSSL/RFC2253.cpp b/cpp/src/IceSSL/RFC2253.cpp
index 67987d49dea..d622969448b 100644
--- a/cpp/src/IceSSL/RFC2253.cpp
+++ b/cpp/src/IceSSL/RFC2253.cpp
@@ -34,15 +34,26 @@ static string parsePair(const string&, size_t&);
 static string parseHexPair(const string&, size_t&, bool);
 static void eatWhite(const string&, size_t&);
-IceSSL::RFC2253::RDNSeqSeq
+IceSSL::RFC2253::RDNEntrySeq
 IceSSL::RFC2253::parse(const string& data)
 {
-    RDNSeqSeq results;
-    RDNSeq current;
+    RDNEntrySeq results;
+    RDNEntry current;
+    current.negate = false;
     size_t pos = 0;
     while(pos < data.size())
     {
-        current.push_back(parseNameComponent(data, pos));
+        eatWhite(data, pos);
+        if(pos < data.size() && data[pos] == '!')
+        {
+            if(!current.rdn.empty())
+            {
+                throw ParseException(__FILE__, __LINE__, "negation symbol '!' must appear at start of list");
+            }
+            ++pos;
+            current.negate = true;
+        }
+        current.rdn.push_back(parseNameComponent(data, pos));
         eatWhite(data, pos);
         if(pos < data.size() && data[pos] == ',')
         {
@@ -52,14 +63,15 @@ IceSSL::RFC2253::parse(const string& data)
         {
             ++pos;
             results.push_back(current);
-            current.clear();
+            current.rdn.clear();
+            current.negate = false;
         }
         else if(pos < data.size())
         {
             throw ParseException(__FILE__, __LINE__, "expected ',' or ';' at `" + data.substr(pos) + "'");
         }
     }
-    if(!current.empty())
+    if(!current.rdn.empty())
     {
         results.push_back(current);
     }
diff --git a/cpp/src/IceSSL/RFC2253.h b/cpp/src/IceSSL/RFC2253.h
index f3da3156dca..3dec2d00c19 100644
--- a/cpp/src/IceSSL/RFC2253.h
+++ b/cpp/src/IceSSL/RFC2253.h
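Review bot: After the added `++pos; current.negate = true;` control goes straight to `parseNameComponent(data, pos)`, so a doubled `!!CN=x` or a `!` followed by whitespace is handled only as well as parseNameComponent handles a leading `!` or blank, and that function is outside the hunk. Because a mis-parsed rule changes what the trust manager accepts, I would reject that form explicitly here instead of relying on it: `if(pos < data.size() && data[pos] == '!') { throw ParseException(__FILE__, __LINE__, "repeated negation symbol '!'"); }` (message is a constructed example). The `if(!current.rdn.empty())` guard correctly rejects `CN=a,!CN=b` and `!CN=a,!CN=b`; a one-line comment such as `// '!' negates the whole ';'-separated entry, not a single RDN, so it is only legal before the first RDN` would make that intent clear to readers.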
@@ -32,19 +32,26 @@ namespace RFC2253
 {
 typedef std::list< std::pair<std::string, std::string> > RDNSeq;
-typedef std::list<RDNSeq> RDNSeqSeq;
+
+struct RDNEntry
+{
+    RDNSeq rdn;
+    bool negate;
+};
+typedef std::list<RDNEntry> RDNEntrySeq;
 //
-// This method separates DNs with the ';' character and returns
-// a list of list of RDN pairs. Any failure in parsing results in a
-// ParseException being thrown.
+// This function separates DNs with the ';' character. A list of RDN
+// pairs may optionally be prefixed with '!' to indicate a negation.
+// The function returns a list of RDNEntry structures. Any failure in
+// parsing results in a ParseException being thrown.
 //
-RDNSeqSeq parse(const std::string&);
+RDNEntrySeq parse(const std::string&);
 //
 // RDNs are separated with ',' and ';'.
 //
-// This method returns a list of RDN pairs. Any failure in parsing
+// This function returns a list of RDN pairs. Any failure in parsing
 // results in a ParseException being thrown.
 //
 RDNSeq parseStrict(const std::string&);
diff --git a/cpp/src/IceSSL/TrustManager.cpp b/cpp/src/IceSSL/TrustManager.cpp
index dbafb0a2aac..cc36d651ddc 100644
--- a/cpp/src/IceSSL/TrustManager.cpp
+++ b/cpp/src/IceSSL/TrustManager.cpp
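Review bot: `RDNEntry` has no constructor, so `negate` is indeterminate in a default-constructed entry; RFC2253::parse sets it explicitly in the other hunk, but any future code that builds an RDNEntry another way would get an arbitrary accept/reject flag. A default constructor `RDNEntry() : negate(false) {}` inside the struct makes the safe value the default. The new header comment says how `!` is written but not what it means to the caller; I would add `// negate is true when the entry was prefixed with '!'; callers treat such an entry as a reject rule.` next to the field.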
@@ -31,17 +31,26 @@ TrustManager::TrustManager(const Ice::CommunicatorPtr& communicator) :
     try
     {
         key = "IceSSL.TrustOnly";
-        _all = parse(properties->getProperty(key));
+        parse(properties->getProperty(key), _rejectAll, _acceptAll);
         key = "IceSSL.TrustOnly.Client";
-        _client = parse(properties->getProperty(key));
+        parse(properties->getProperty(key), _rejectClient, _acceptClient);
         key = "IceSSL.TrustOnly.Server";
-        _allServer = parse(properties->getProperty(key));
+        parse(properties->getProperty(key), _rejectAllServer, _acceptAllServer);
         Ice::PropertyDict dict = properties->getPropertiesForPrefix("IceSSL.TrustOnly.Server.");
         for(Ice::PropertyDict::const_iterator p = dict.begin(); p != dict.end(); ++p)
         {
             string name = p->first.substr(string("IceSSL.TrustOnly.Server.").size());
             key = p->first;
-            _server[name] = parse(p->second);
+            list<DistinguishedName> reject, accept;
+            parse(p->second, reject, accept);
+            if(!reject.empty())
+            {
+                _rejectServer[name] = reject;
+            }
+            if(!accept.empty())
+            {
+                _acceptServer[name] = accept;
+            }
         }
     }
     catch(const ParseException& e)
@@ -55,39 +64,66 @@ TrustManager::TrustManager(const Ice::CommunicatorPtr& communicator) :
 bool
 TrustManager::verify(const ConnectionInfo& info)
 {
-    list<list<DistinguishedName> > trustset;
-    if(_all.size() > 0)
+    list<list<DistinguishedName> > reject, accept;
+
+    if(_rejectAll.size() > 0)
     {
-        trustset.push_back(_all);
+        reject.push_back(_rejectAll);
+    }
+    if(info.incoming)
+    {
+        if(_rejectAllServer.size() > 0)
+        {
+            reject.push_back(_rejectAllServer);
+        }
+        if(info.adapterName.size() > 0)
+        {
+            map<string, list<DistinguishedName> >::const_iterator p = _rejectServer.find(info.adapterName);
+            if(p != _rejectServer.end())
+            {
+                reject.push_back(p->second);
+            }
+        }
+    }
+    else
+    {
+        if(_rejectClient.size() > 0)
+        {
+            reject.push_back(_rejectClient);
+        }
     }
+    if(_acceptAll.size() > 0)
+    {
+        accept.push_back(_acceptAll);
+    }
     if(info.incoming)
     {
-        if(_allServer.size() > 0)
+        if(_acceptAllServer.size() > 0)
         {
-            trustset.push_back(_allServer);
+            accept.push_back(_acceptAllServer);
         }
         if(info.adapterName.size() > 0)
         {
-            map<string, list<DistinguishedName> >::const_iterator p = _server.find(info.adapterName);
-            if(p != _server.end())
+            map<string, list<DistinguishedName> >::const_iterator p = _acceptServer.find(info.adapterName);
+            if(p != _acceptServer.end())
             {
-                trustset.push_back(p->second);
+                accept.push_back(p->second);
             }
         }
     }
     else
     {
-        if(_client.size() > 0)
+        if(_acceptClient.size() > 0)
         {
-            trustset.push_back(_client);
+            accept.push_back(_acceptClient);
         }
     }
     //
     // If there is nothing to match against, then we accept the cert.
     //
-    if(trustset.size() == 0)
+    if(reject.empty() && accept.empty())
     {
         return true;
     }
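Review bot: The reject-set and accept-set selection at the top of verify() are the same block written twice, differing only in which member lists they consult; the two `if(info.incoming)` branches are exact mirrors. Because a divergence here (one copy losing the per-adapter lookup, say) would silently change which peers the trust manager lets through, I would move the selection into one static helper called once for each set, as sketched below. The helper keeps the original push order (global list, then server/per-adapter or client list) so matching order and trace output are unchanged. The remainder of verify() continues outside this hunk.
```cpp
//
// Collect the rule lists that apply to this connection: the global list,
// then the server-wide and per-adapter lists for an incoming connection,
// or the client list for an outgoing one. Order matches the original code.
//
static void
collectRules(const ConnectionInfo& info,
             const list<DistinguishedName>& all,
             const list<DistinguishedName>& client,
             const list<DistinguishedName>& allServer,
             const map<string, list<DistinguishedName> >& server,
             list<list<DistinguishedName> >& out)
{
    if(!all.empty())
    {
        out.push_back(all);
    }
    if(info.incoming)
    {
        if(!allServer.empty())
        {
            out.push_back(allServer);
        }
        if(!info.adapterName.empty())
        {
            map<string, list<DistinguishedName> >::const_iterator p = server.find(info.adapterName);
            if(p != server.end())
            {
                out.push_back(p->second);
            }
        }
    }
    else if(!client.empty())
    {
        out.push_back(client);
    }
}

bool
TrustManager::verify(const ConnectionInfo& info)
{
    list<list<DistinguishedName> > reject, accept;
    collectRules(info, _rejectAll, _rejectClient, _rejectAllServer, _rejectServer, reject);
    collectRules(info, _acceptAll, _acceptClient, _acceptAllServer, _acceptServer, accept);
    // … unchanged: early accept when both sets are empty, certificate handling …
```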
@@ -141,16 +177,42 @@ TrustManager::verify(const ConnectionInfo& info)
             }
         }
     }
-
+
+    list<list<DistinguishedName> >::const_iterator p;
+
     //
-    // Try matching against everything in the trust set.
+    // Fail if we match anything in the reject set.
     //
-    for(list<list<DistinguishedName> >::const_iterator p = trustset.begin(); p != trustset.end(); ++p)
+    for(p = reject.begin(); p != reject.end(); ++p)
     {
         if(_traceLevel > 1)
         {
             Ice::Trace trace(_communicator->getLogger(), "Security");
-            trace << "trust manager matching PDNs:\n";
+            trace << "trust manager rejecting PDNs:\n";
+            for(list<DistinguishedName>::const_iterator r = p->begin(); r != p->end(); ++r)
+            {
+                if(r != p->begin())
+                {
+                    trace << ';';
+                }
+                trace << string(*r);
+            }
+        }
+        if(match(*p, subject))
+        {
+            return false;
+        }
+    }
+
+    //
+    // Succeed if we match anything in the accept set.
+    //
+    for(p = accept.begin(); p != accept.end(); ++p)
+    {
+        if(_traceLevel > 1)
+        {
+            Ice::Trace trace(_communicator->getLogger(), "Security");
+            trace << "trust manager accepting PDNs:\n";
             for(list<DistinguishedName>::const_iterator r = p->begin(); r != p->end(); ++r)
             {
                 if(r != p->begin())
@@ -165,6 +227,11 @@ TrustManager::verify(const ConnectionInfo& info)
                 return true;
             }
         }
+
+        //
+        // At this point we accept the connection if there are no explicit accept rules.
+        //
+        return accept.empty();
     }
     return false;
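Review bot: `return accept.empty();` is what decides the reject-only configuration, but the comment above it does not say that this line is only reached for a peer that presented a certificate; judging by the indentation the two loops sit inside a block whose start is outside the hunk, and a peer without a certificate falls through to the trailing `return false;`. That is the right fail-closed outcome once any rule is configured, but it is easy to misread as "reject-only rules accept everything else", so I would extend the comment to `// Accept when only reject rules are configured and none matched. A peer that presented no certificate never reaches this point and is rejected below.` and put a matching one-liner above `return false;`. Separately, `trust manager rejecting PDNs:` is logged before the match is attempted, so the trace reads as if a rejection already happened; `trust manager matching against reject PDNs:` (and likewise `accept`) would describe what is actually going on, and the two identical trace loops could share a small helper.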
@@ -183,17 +250,23 @@ TrustManager::match(const list< DistinguishedName>& matchSet, const Distinguishe
     return false;
 }
-list<DistinguishedName>
-TrustManager::parse(const string& value) const
+void
+TrustManager::parse(const string& value, list<DistinguishedName>& reject, list<DistinguishedName>& accept) const
 {
-    list<DistinguishedName> result;
     if(!value.empty())
     {
-        RFC2253::RDNSeqSeq dns = RFC2253::parse(value);
-        for(RFC2253::RDNSeqSeq::const_iterator p = dns.begin(); p != dns.end(); ++p)
+        RFC2253::RDNEntrySeq dns = RFC2253::parse(value);
+
+        for(RFC2253::RDNEntrySeq::const_iterator p = dns.begin(); p != dns.end(); ++p)
         {
-            result.push_back(DistinguishedName(*p));
+            if(p->negate)
+            {
+                reject.push_back(DistinguishedName(p->rdn));
+            }
+            else
+            {
+                accept.push_back(DistinguishedName(p->rdn));
+            }
         }
     }
-    return result;
 }
diff --git a/cpp/src/IceSSL/TrustManager.h b/cpp/src/IceSSL/TrustManager.h
index a98802d0db7..1e8eb09db2d 100644
--- a/cpp/src/IceSSL/TrustManager.h
+++ b/cpp/src/IceSSL/TrustManager.h
@@ -30,15 +30,20 @@ public:
 private:
     bool match(const std::list< DistinguishedName> &, const DistinguishedName&) const;
-    std::list<DistinguishedName> parse(const std::string&) const;
+    void parse(const std::string&, std::list<DistinguishedName>&, std::list<DistinguishedName>&) const;
     const Ice::CommunicatorPtr _communicator;
     int _traceLevel;
-    std::list<DistinguishedName> _all;
-    std::list<DistinguishedName> _client;
-    std::list<DistinguishedName> _allServer;
-    std::map<std::string, std::list<DistinguishedName> > _server;
+    std::list<DistinguishedName> _rejectAll;
+    std::list<DistinguishedName> _rejectClient;
+    std::list<DistinguishedName> _rejectAllServer;
+    std::map<std::string, std::list<DistinguishedName> > _rejectServer;
+
+    std::list<DistinguishedName> _acceptAll;
+    std::list<DistinguishedName> _acceptClient;
+    std::list<DistinguishedName> _acceptAllServer;
+    std::map<std::string, std::list<DistinguishedName> > _acceptServer;
 };
 }
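Review bot: The new out-parameter form of parse() in TrustManager.h carries no comment saying which list receives which entries, and the two `std::list<DistinguishedName>&` parameters are distinguishable only by position, which is an easy place to swap reject and accept at a call site. I would document it on the declaration: `// Parses a TrustOnly property value. Entries prefixed with '!' are appended to the first list (reject), all others to the second (accept); propagates ParseException on malformed input.` The .cpp hunk shows that `RFC2253::parse` is the only thing that can throw here and that the lists are appended to rather than cleared, which is worth stating since the constructor reuses local lists per adapter.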
diff --git a/cpp/test/IceSSL/configuration/AllTests.cpp b/cpp/test/IceSSL/configuration/AllTests.cpp
index 8052d5c35c2..8253617ae75 100644
--- a/cpp/test/IceSSL/configuration/AllTests.cpp
+++ b/cpp/test/IceSSL/configuration/AllTests.cpp
@@ -1137,8 +1137,6 @@ allTests(const CommunicatorPtr& communicator, const string& testDir)
         initData.properties->setProperty("IceSSL.TrustOnly", "C=US, ST=Florida, O=ZeroC\\, Inc.,"
                                          "OU=Ice, emailAddress=info@zeroc.com, CN=Server");
         CommunicatorPtr comm = initialize(initData);
-        IceSSL::PluginPtr plugin = IceSSL::PluginPtr::dynamicCast(comm->getPluginManager()->getPlugin("IceSSL"));
-        test(plugin);
         Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
         test(fact);
@@ -1164,11 +1162,37 @@ allTests(const CommunicatorPtr& communicator, const string& testDir)
         initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem");
         initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem");
         initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem");
+        initData.properties->setProperty("IceSSL.TrustOnly", "!C=US, ST=Florida, O=ZeroC\\, Inc.,"
+                                         "OU=Ice, emailAddress=info@zeroc.com, CN=Server");
+        CommunicatorPtr comm = initialize(initData);
+
+        Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
+        test(fact);
+        Test::Properties d = createServerProps(defaultProperties, defaultDir, defaultHost);
+        d["IceSSL.CertAuthFile"] = "cacert1.pem";
+        d["IceSSL.CertFile"] = "s_rsa_nopass_ca1_pub.pem";
+        d["IceSSL.KeyFile"] = "s_rsa_nopass_ca1_priv.pem";
+        Test::ServerPrx server = fact->createServer(d);
+        try
+        {
+            server->ice_ping();
+            test(false);
+        }
+        catch(const LocalException&)
+        {
+        }
+        fact->destroyServer(server);
+        comm->destroy();
+    }
+    {
+        InitializationData initData;
+        initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost);
+        initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem");
+        initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem");
+        initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem");
         initData.properties->setProperty("IceSSL.TrustOnly", "C=US, ST=Florida, O=\"ZeroC, Inc.\","
                                          "OU=Ice, emailAddress=info@zeroc.com, CN=Server");
         CommunicatorPtr comm = initialize(initData);
-        IceSSL::PluginPtr plugin = IceSSL::PluginPtr::dynamicCast(comm->getPluginManager()->getPlugin("IceSSL"));
-        test(plugin);
         Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
         test(fact);
@@ -1196,8 +1220,6 @@ allTests(const CommunicatorPtr& communicator, const string& testDir)
         initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem");
         CommunicatorPtr comm = initialize(initData);
-        IceSSL::PluginPtr plugin = IceSSL::PluginPtr::dynamicCast(comm->getPluginManager()->getPlugin("IceSSL"));
-        test(plugin);
         Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
         test(fact);
@@ -1225,10 +1247,35 @@ allTests(const CommunicatorPtr& communicator, const string& testDir)
         initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem");
         initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem");
         initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem");
+        CommunicatorPtr comm = initialize(initData);
+
+        Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
+        test(fact);
+        Test::Properties d = createServerProps(defaultProperties, defaultDir, defaultHost);
+        d["IceSSL.CertAuthFile"] = "cacert1.pem";
+        d["IceSSL.CertFile"] = "s_rsa_nopass_ca1_pub.pem";
+        d["IceSSL.KeyFile"] = "s_rsa_nopass_ca1_priv.pem";
+        d["IceSSL.TrustOnly"] = "!C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Client";
+        Test::ServerPrx server = fact->createServer(d);
+        try
+        {
+            server->ice_ping();
+            test(false);
+        }
+        catch(const LocalException&)
+        {
+        }
+        fact->destroyServer(server);
+        comm->destroy();
+    }
+    {
+        InitializationData initData;
+        initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost);
+        initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem");
+        initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem");
+        initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem");
         initData.properties->setProperty("IceSSL.TrustOnly", "CN=Server");
         CommunicatorPtr comm = initialize(initData);
-        IceSSL::PluginPtr plugin = IceSSL::PluginPtr::dynamicCast(comm->getPluginManager()->getPlugin("IceSSL"));
-        test(plugin);
         Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
         test(fact);
@@ -1254,10 +1301,35 @@ allTests(const CommunicatorPtr& communicator, const string& testDir)
         initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem");
         initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem");
         initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem");
+        initData.properties->setProperty("IceSSL.TrustOnly", "!CN=Server");
+        CommunicatorPtr comm = initialize(initData);
+
+        Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
+        test(fact);
+        Test::Properties d = createServerProps(defaultProperties, defaultDir, defaultHost);
+        d["IceSSL.CertAuthFile"] = "cacert1.pem";
+        d["IceSSL.CertFile"] = "s_rsa_nopass_ca1_pub.pem";
+        d["IceSSL.KeyFile"] = "s_rsa_nopass_ca1_priv.pem";
+        Test::ServerPrx server = fact->createServer(d);
+        try
+        {
+            server->ice_ping();
+            test(false);
+        }
+        catch(const LocalException&)
+        {
+        }
+        fact->destroyServer(server);
+        comm->destroy();
+    }
+    {
+        InitializationData initData;
+        initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost);
+        initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem");
+        initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem");
+        initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem");
         CommunicatorPtr comm = initialize(initData);
-        IceSSL::PluginPtr plugin = IceSSL::PluginPtr::dynamicCast(comm->getPluginManager()->getPlugin("IceSSL"));
-        test(plugin);
         Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
         test(fact);
@@ -1284,10 +1356,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir)
         initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem");
         initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem");
         initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem");
-        initData.properties->setProperty("IceSSL.TrustOnly", "CN=Client");
         CommunicatorPtr comm = initialize(initData);
-        IceSSL::PluginPtr plugin = IceSSL::PluginPtr::dynamicCast(comm->getPluginManager()->getPlugin("IceSSL"));
-        test(plugin);
         Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
         test(fact);
@@ -1295,6 +1364,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir)
         d["IceSSL.CertAuthFile"] = "cacert1.pem";
         d["IceSSL.CertFile"] = "s_rsa_nopass_ca1_pub.pem";
         d["IceSSL.KeyFile"] = "s_rsa_nopass_ca1_priv.pem";
+        d["IceSSL.TrustOnly"] = "!CN=Client";
         Test::ServerPrx server = fact->createServer(d);
         try
         {
@@ -1313,10 +1383,34 @@ allTests(const CommunicatorPtr& communicator, const string& testDir)
         initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem");
         initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem");
         initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem");
+        initData.properties->setProperty("IceSSL.TrustOnly", "CN=Client");
+        CommunicatorPtr comm = initialize(initData);
+        Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
+        test(fact);
+        Test::Properties d = createServerProps(defaultProperties, defaultDir, defaultHost);
+        d["IceSSL.CertAuthFile"] = "cacert1.pem";
+        d["IceSSL.CertFile"] = "s_rsa_nopass_ca1_pub.pem";
+        d["IceSSL.KeyFile"] = "s_rsa_nopass_ca1_priv.pem";
+        Test::ServerPrx server = fact->createServer(d);
+        try
+        {
+            server->ice_ping();
+            test(false);
+        }
+        catch(const LocalException&)
+        {
+        }
+        fact->destroyServer(server);
+        comm->destroy();
+    }
+    {
+        InitializationData initData;
+        initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost);
+        initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem");
+        initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem");
+        initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem");
         CommunicatorPtr comm = initialize(initData);
-        IceSSL::PluginPtr plugin = IceSSL::PluginPtr::dynamicCast(comm->getPluginManager()->getPlugin("IceSSL"));
-        test(plugin);
         Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
         test(fact);
@@ -1345,8 +1439,6 @@ allTests(const CommunicatorPtr& communicator, const string& testDir)
         initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem");
         initData.properties->setProperty("IceSSL.TrustOnly", "C=Canada,CN=Server");
         CommunicatorPtr comm = initialize(initData);
-        IceSSL::PluginPtr plugin = IceSSL::PluginPtr::dynamicCast(comm->getPluginManager()->getPlugin("IceSSL"));
-        test(plugin);
         Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
         test(fact);
@@ -1372,10 +1464,35 @@ allTests(const CommunicatorPtr& communicator, const string& testDir)
         initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem");
         initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem");
         initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem");
+        initData.properties->setProperty("IceSSL.TrustOnly", "!C=Canada,CN=Server");
+        CommunicatorPtr comm = initialize(initData);
+
+        Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
+        test(fact);
+        Test::Properties d = createServerProps(defaultProperties, defaultDir, defaultHost);
+        d["IceSSL.CertAuthFile"] = "cacert1.pem";
+        d["IceSSL.CertFile"] = "s_rsa_nopass_ca1_pub.pem";
+        d["IceSSL.KeyFile"] = "s_rsa_nopass_ca1_priv.pem";
+        Test::ServerPrx server = fact->createServer(d);
+        try
+        {
+            server->ice_ping();
+        }
+        catch(const LocalException&)
+        {
+            test(false);
+        }
+        fact->destroyServer(server);
+        comm->destroy();
+    }
+    {
+        InitializationData initData;
+        initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost);
+        initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem");
+        initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem");
+        initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem");
         initData.properties->setProperty("IceSSL.TrustOnly", "C=Canada;CN=Server");
         CommunicatorPtr comm = initialize(initData);
-        IceSSL::PluginPtr plugin = IceSSL::PluginPtr::dynamicCast(comm->getPluginManager()->getPlugin("IceSSL"));
-        test(plugin);
         Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
         test(fact);
@@ -1396,6 +1513,87 @@ allTests(const CommunicatorPtr& communicator, const string& testDir) comm->destroy(); } { + InitializationData initData; + initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost); + initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem"); + initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem"); + initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem"); + initData.properties->setProperty("IceSSL.TrustOnly", "!C=Canada;!CN=Server"); + CommunicatorPtr comm = initialize(initData); + + Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); + test(fact); + Test::Properties d = createServerProps(defaultProperties, defaultDir, defaultHost); + d["IceSSL.CertAuthFile"] = "cacert1.pem"; + d["IceSSL.CertFile"] = "s_rsa_nopass_ca1_pub.pem"; + d["IceSSL.KeyFile"] = "s_rsa_nopass_ca1_priv.pem"; + Test::ServerPrx server = fact->createServer(d); + try + { + server->ice_ping(); + test(false); + } + catch(const LocalException&) + { + } + fact->destroyServer(server); + comm->destroy(); + } + { + InitializationData initData; + initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost); + initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem"); + initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem"); + initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem"); + initData.properties->setProperty("IceSSL.TrustOnly", "!CN=Server1"); // Should not match "Server" + CommunicatorPtr comm = initialize(initData); + + Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); + test(fact); + Test::Properties d = createServerProps(defaultProperties, defaultDir, defaultHost); + d["IceSSL.CertAuthFile"] = "cacert1.pem"; + d["IceSSL.CertFile"] = "s_rsa_nopass_ca1_pub.pem"; + d["IceSSL.KeyFile"] = 
"s_rsa_nopass_ca1_priv.pem"; + Test::ServerPrx server = fact->createServer(d); + try + { + server->ice_ping(); + } + catch(const LocalException&) + { + test(false); + } + fact->destroyServer(server); + comm->destroy(); + } + { + InitializationData initData; + initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost); + initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem"); + initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem"); + initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem"); + CommunicatorPtr comm = initialize(initData); + + Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); + test(fact); + Test::Properties d = createServerProps(defaultProperties, defaultDir, defaultHost); + d["IceSSL.CertAuthFile"] = "cacert1.pem"; + d["IceSSL.CertFile"] = "s_rsa_nopass_ca1_pub.pem"; + d["IceSSL.KeyFile"] = "s_rsa_nopass_ca1_priv.pem"; + d["IceSSL.TrustOnly"] = "!CN=Client1"; // Should not match "Client" + Test::ServerPrx server = fact->createServer(d); + try + { + server->ice_ping(); + } + catch(const LocalException&) + { + test(false); + } + fact->destroyServer(server); + comm->destroy(); + } + { // // Test rejection when client does not supply a certificate. // @@ -1404,8 +1602,6 @@ allTests(const CommunicatorPtr& communicator, const string& testDir) CommunicatorPtr comm = initialize(initData); initData.properties->setProperty("IceSSL.Ciphers", "ADH"); initData.properties->setProperty("IceSSL.VerifyPeer", "0"); - IceSSL::PluginPtr plugin = IceSSL::PluginPtr::dynamicCast(comm->getPluginManager()->getPlugin("IceSSL")); - test(plugin); Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); test(fact); 
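Review bot: The negative blocks in this hunk (starting with `IceSSL.TrustOnly` set to `!C=Canada;!CN=Server`) treat any `LocalException` from `ice_ping()` as the expected rejection, so an unrelated failure such as a connect error would also keep `test(false)` from being reached. Where the rejection is made locally by the client, catching `Ice::SecurityException` would pin the reason; server-side rejections surface differently, which is presumably why the file keeps the broad catch, so at least a comment naming the expected outcome would help, e.g. `// "!CN=Server" matches the server DN: the handshake must fail.`. The same applies to the other negative blocks added later in this file. allTests starts before this hunk and continues after it.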
@@ -1425,6 +1621,94 @@ allTests(const CommunicatorPtr& communicator, const string& testDir) fact->destroyServer(server); comm->destroy(); } + { + // + // Test rejection when client does not supply a certificate. + // + InitializationData initData; + initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost); + CommunicatorPtr comm = initialize(initData); + initData.properties->setProperty("IceSSL.Ciphers", "ADH"); + initData.properties->setProperty("IceSSL.VerifyPeer", "0"); + + Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); + test(fact); + Test::Properties d = createServerProps(defaultProperties, defaultDir, defaultHost); + d["IceSSL.TrustOnly"] = "!C=US, ST=Florida, O=ZeroC\\, Inc.,OU=Ice, emailAddress=info@zeroc.com, CN=Client"; + d["IceSSL.Ciphers"] = "ADH"; + d["IceSSL.VerifyPeer"] = "0"; + Test::ServerPrx server = fact->createServer(d); + try + { + server->ice_ping(); + test(false); + } + catch(const LocalException&) + { + } + fact->destroyServer(server); + comm->destroy(); + } + { + // + // Rejection takes precedence (client). 
+ // + InitializationData initData; + initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost); + initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem"); + initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem"); + initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem"); + initData.properties->setProperty("IceSSL.TrustOnly", "ST=Florida;!CN=Server;C=US"); + CommunicatorPtr comm = initialize(initData); + + Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); + test(fact); + Test::Properties d = createServerProps(defaultProperties, defaultDir, defaultHost); + d["IceSSL.CertAuthFile"] = "cacert1.pem"; + d["IceSSL.CertFile"] = "s_rsa_nopass_ca1_pub.pem"; + d["IceSSL.KeyFile"] = "s_rsa_nopass_ca1_priv.pem"; + Test::ServerPrx server = fact->createServer(d); + try + { + server->ice_ping(); + test(false); + } + catch(const LocalException&) + { + } + fact->destroyServer(server); + comm->destroy(); + } + { + // + // Rejection takes precedence (server). 
+ // + InitializationData initData; + initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost); + initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem"); + initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem"); + initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem"); + CommunicatorPtr comm = initialize(initData); + + Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); + test(fact); + Test::Properties d = createServerProps(defaultProperties, defaultDir, defaultHost); + d["IceSSL.CertAuthFile"] = "cacert1.pem"; + d["IceSSL.CertFile"] = "s_rsa_nopass_ca1_pub.pem"; + d["IceSSL.KeyFile"] = "s_rsa_nopass_ca1_priv.pem"; + d["IceSSL.TrustOnly"] = "C=US;!CN=Client;ST=Florida"; + Test::ServerPrx server = fact->createServer(d); + try + { + server->ice_ping(); + test(false); + } + catch(const LocalException&) + { + } + fact->destroyServer(server); + comm->destroy(); + } cout << "ok" << endl; cout << "testing IceSSL.TrustOnly.Client... " << flush; @@ -1437,8 +1721,6 @@ allTests(const CommunicatorPtr& communicator, const string& testDir) initData.properties->setProperty("IceSSL.TrustOnly.Client", "C=US, ST=Florida, O=ZeroC\\, Inc.," "OU=Ice, emailAddress=info@zeroc.com, CN=Server"); CommunicatorPtr comm = initialize(initData); - IceSSL::PluginPtr plugin = IceSSL::PluginPtr::dynamicCast(comm->getPluginManager()->getPlugin("IceSSL")); - test(plugin); Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); test(fact); 
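Review bot: In the added no-certificate block, `IceSSL.Ciphers` and `IceSSL.VerifyPeer` are set on `initData.properties` after `initialize(initData)` has already returned, so whether the client-side plugin honours them depends on when IceSSL reads its properties, which is not visible here; the block mirrors the pre-existing one above it, so this may be deliberate. If it is, a one-line comment such as `// Set after initialize(): the plugin reads these lazily.` would stop the next reader from "fixing" it; if not, the two calls belong before `initialize`. The `// Test rejection when client does not supply a certificate.` header is also copied from the previous block although this one exercises a reject rule; `// Reject rule with no client certificate: the peer must still be rejected.` distinguishes them. allTests continues outside the hunk.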
@@ -1448,7 +1730,63 @@ allTests(const CommunicatorPtr& communicator, const string& testDir) d["IceSSL.KeyFile"] = "s_rsa_nopass_ca1_priv.pem"; // Should have no effect. d["IceSSL.TrustOnly.Client"] = "C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com," - "CN=Client"; + "CN=Server"; + Test::ServerPrx server = fact->createServer(d); + try + { + server->ice_ping(); + } + catch(const LocalException&) + { + test(false); + } + fact->destroyServer(server); + comm->destroy(); + } + { + InitializationData initData; + initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost); + initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem"); + initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem"); + initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem"); + initData.properties->setProperty("IceSSL.TrustOnly.Client", "!C=US, ST=Florida, O=ZeroC\\, Inc.," + "OU=Ice, emailAddress=info@zeroc.com, CN=Server"); + CommunicatorPtr comm = initialize(initData); + + Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); + test(fact); + Test::Properties d = createServerProps(defaultProperties, defaultDir, defaultHost); + d["IceSSL.CertAuthFile"] = "cacert1.pem"; + d["IceSSL.CertFile"] = "s_rsa_nopass_ca1_pub.pem"; + d["IceSSL.KeyFile"] = "s_rsa_nopass_ca1_priv.pem"; + Test::ServerPrx server = fact->createServer(d); + try + { + server->ice_ping(); + test(false); + } + catch(const LocalException&) + { + } + fact->destroyServer(server); + comm->destroy(); + } + { + InitializationData initData; + initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost); + initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem"); + initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem"); + initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem"); + CommunicatorPtr comm = 
initialize(initData); + + Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); + test(fact); + Test::Properties d = createServerProps(defaultProperties, defaultDir, defaultHost); + d["IceSSL.CertAuthFile"] = "cacert1.pem"; + d["IceSSL.CertFile"] = "s_rsa_nopass_ca1_pub.pem"; + d["IceSSL.KeyFile"] = "s_rsa_nopass_ca1_priv.pem"; + // Should have no effect. + d["IceSSL.TrustOnly.Client"] = "!CN=Client"; Test::ServerPrx server = fact->createServer(d); try { @@ -1469,8 +1807,6 @@ allTests(const CommunicatorPtr& communicator, const string& testDir) initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem"); initData.properties->setProperty("IceSSL.TrustOnly.Client", "CN=Client"); CommunicatorPtr comm = initialize(initData); - IceSSL::PluginPtr plugin = IceSSL::PluginPtr::dynamicCast(comm->getPluginManager()->getPlugin("IceSSL")); - test(plugin); Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); test(fact); 
@@ -1490,6 +1826,33 @@ allTests(const CommunicatorPtr& communicator, const string& testDir) fact->destroyServer(server); comm->destroy(); } + { + InitializationData initData; + initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost); + initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem"); + initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem"); + initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem"); + initData.properties->setProperty("IceSSL.TrustOnly.Client", "!CN=Client"); + CommunicatorPtr comm = initialize(initData); + + Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); + test(fact); + Test::Properties d = createServerProps(defaultProperties, defaultDir, defaultHost); + d["IceSSL.CertAuthFile"] = "cacert1.pem"; + d["IceSSL.CertFile"] = "s_rsa_nopass_ca1_pub.pem"; + d["IceSSL.KeyFile"] = "s_rsa_nopass_ca1_priv.pem"; + Test::ServerPrx server = fact->createServer(d); + try + { + server->ice_ping(); + } + catch(const LocalException&) + { + test(false); + } + fact->destroyServer(server); + comm->destroy(); + } cout << "ok" << endl; cout << "testing IceSSL.TrustOnly.Server... " << flush; @@ -1503,8 +1866,6 @@ allTests(const CommunicatorPtr& communicator, const string& testDir) initData.properties->setProperty("IceSSL.TrustOnly.Server", "C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice," "emailAddress=info@zeroc.com,CN=Client"); CommunicatorPtr comm = initialize(initData); - IceSSL::PluginPtr plugin = IceSSL::PluginPtr::dynamicCast(comm->getPluginManager()->getPlugin("IceSSL")); - test(plugin); Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); test(fact); 
@@ -1533,8 +1894,62 @@ allTests(const CommunicatorPtr& communicator, const string& testDir) initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem"); initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem"); CommunicatorPtr comm = initialize(initData); - IceSSL::PluginPtr plugin = IceSSL::PluginPtr::dynamicCast(comm->getPluginManager()->getPlugin("IceSSL")); - test(plugin); + + Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); + test(fact); + Test::Properties d = createServerProps(defaultProperties, defaultDir, defaultHost); + d["IceSSL.CertAuthFile"] = "cacert1.pem"; + d["IceSSL.CertFile"] = "s_rsa_nopass_ca1_pub.pem"; + d["IceSSL.KeyFile"] = "s_rsa_nopass_ca1_priv.pem"; + d["IceSSL.TrustOnly.Server"] = + "!C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Client"; + Test::ServerPrx server = fact->createServer(d); + try + { + server->ice_ping(); + test(false); + } + catch(const LocalException&) + { + } + fact->destroyServer(server); + comm->destroy(); + } + { + InitializationData initData; + initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost); + initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem"); + initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem"); + initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem"); + // Should have no effect. 
+ initData.properties->setProperty("IceSSL.TrustOnly.Server", "!CN=Server"); + CommunicatorPtr comm = initialize(initData); + + Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); + test(fact); + Test::Properties d = createServerProps(defaultProperties, defaultDir, defaultHost); + d["IceSSL.CertAuthFile"] = "cacert1.pem"; + d["IceSSL.CertFile"] = "s_rsa_nopass_ca1_pub.pem"; + d["IceSSL.KeyFile"] = "s_rsa_nopass_ca1_priv.pem"; + Test::ServerPrx server = fact->createServer(d); + try + { + server->ice_ping(); + } + catch(const LocalException&) + { + test(false); + } + fact->destroyServer(server); + comm->destroy(); + } + { + InitializationData initData; + initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost); + initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem"); + initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem"); + initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem"); + CommunicatorPtr comm = initialize(initData); Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); test(fact); 
@@ -1555,6 +1970,33 @@ allTests(const CommunicatorPtr& communicator, const string& testDir) fact->destroyServer(server); comm->destroy(); } + { + InitializationData initData; + initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost); + initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem"); + initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem"); + initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem"); + CommunicatorPtr comm = initialize(initData); + + Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); + test(fact); + Test::Properties d = createServerProps(defaultProperties, defaultDir, defaultHost); + d["IceSSL.CertAuthFile"] = "cacert1.pem"; + d["IceSSL.CertFile"] = "s_rsa_nopass_ca1_pub.pem"; + d["IceSSL.KeyFile"] = "s_rsa_nopass_ca1_priv.pem"; + d["IceSSL.TrustOnly.Server"] = "!CN=Client"; + Test::ServerPrx server = fact->createServer(d); + try + { + server->ice_ping(); + test(false); + } + catch(const LocalException&) + { + } + fact->destroyServer(server); + comm->destroy(); + } cout << "ok" << endl; cout << "testing IceSSL.TrustOnly.Server.<AdapterName>... " << flush; @@ -1565,8 +2007,6 @@ allTests(const CommunicatorPtr& communicator, const string& testDir) initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem"); initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem"); CommunicatorPtr comm = initialize(initData); - IceSSL::PluginPtr plugin = IceSSL::PluginPtr::dynamicCast(comm->getPluginManager()->getPlugin("IceSSL")); - test(plugin); Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); test(fact); 
@@ -1596,8 +2036,34 @@ allTests(const CommunicatorPtr& communicator, const string& testDir) initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem"); initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem"); CommunicatorPtr comm = initialize(initData); - IceSSL::PluginPtr plugin = IceSSL::PluginPtr::dynamicCast(comm->getPluginManager()->getPlugin("IceSSL")); - test(plugin); + + Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); + test(fact); + Test::Properties d = createServerProps(defaultProperties, defaultDir, defaultHost); + d["IceSSL.CertAuthFile"] = "cacert1.pem"; + d["IceSSL.CertFile"] = "s_rsa_nopass_ca1_pub.pem"; + d["IceSSL.KeyFile"] = "s_rsa_nopass_ca1_priv.pem"; + d["IceSSL.TrustOnly.Server.ServerAdapter"] = + "!C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Client"; + Test::ServerPrx server = fact->createServer(d); + try + { + server->ice_ping(); + test(false); + } + catch(const LocalException&) + { + } + fact->destroyServer(server); + comm->destroy(); + } + { + InitializationData initData; + initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost); + initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem"); + initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem"); + initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem"); + CommunicatorPtr comm = initialize(initData); Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); test(fact); 
@@ -1618,6 +2084,33 @@ allTests(const CommunicatorPtr& communicator, const string& testDir) fact->destroyServer(server); comm->destroy(); } + { + InitializationData initData; + initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost); + initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem"); + initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem"); + initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem"); + CommunicatorPtr comm = initialize(initData); + + Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); + test(fact); + Test::Properties d = createServerProps(defaultProperties, defaultDir, defaultHost); + d["IceSSL.CertAuthFile"] = "cacert1.pem"; + d["IceSSL.CertFile"] = "s_rsa_nopass_ca1_pub.pem"; + d["IceSSL.KeyFile"] = "s_rsa_nopass_ca1_priv.pem"; + d["IceSSL.TrustOnly.Server.ServerAdapter"] = "!CN=bogus"; + Test::ServerPrx server = fact->createServer(d); + try + { + server->ice_ping(); + } + catch(const LocalException&) + { + test(false); + } + fact->destroyServer(server); + comm->destroy(); + } cout << "ok" << endl; factory->shutdown(); diff --git a/cs/src/Ice/PropertyNames.cs b/cs/src/Ice/PropertyNames.cs index 28fb3fae9d4..fda60052942 100644 --- a/cs/src/Ice/PropertyNames.cs +++ b/cs/src/Ice/PropertyNames.cs @@ -8,7 +8,7 @@ // ********************************************************************** // -// Generated by makeprops.py from file PropertyNames.xml, Fri Jun 26 14:50:36 2009 +// Generated by makeprops.py from file ../config/PropertyNames.xml, Wed Jul 29 10:07:20 2009 // IMPORTANT: Do not edit this file -- any edits made here will be lost! 
@@ -420,15 +420,15 @@ namespace IceInternal new Property(@"^IceSSL\.Protocols$", false, null), new Property(@"^IceSSL\.Random$", false, null), new Property(@"^IceSSL\.Trace\.Security$", false, null), + new Property(@"^IceSSL\.TrustOnly$", false, null), + new Property(@"^IceSSL\.TrustOnly\.Client$", false, null), + new Property(@"^IceSSL\.TrustOnly\.Server$", false, null), + new Property(@"^IceSSL\.TrustOnly\.Server\.[^\s]+$", false, null), new Property(@"^IceSSL\.Truststore$", false, null), new Property(@"^IceSSL\.TruststorePassword$", false, null), new Property(@"^IceSSL\.TruststoreType$", false, null), new Property(@"^IceSSL\.VerifyDepthMax$", false, null), new Property(@"^IceSSL\.VerifyPeer$", false, null), - new Property(@"^IceSSL\.TrustOnly$", false, null), - new Property(@"^IceSSL\.TrustOnly\.Client$", false, null), - new Property(@"^IceSSL\.TrustOnly\.Server$", false, null), - new Property(@"^IceSSL\.TrustOnly\.Server\.[^\s]+$", false, null), null }; diff --git a/cs/src/IceSSL/RFC2253.cs b/cs/src/IceSSL/RFC2253.cs index c4be2e9057f..2de97a6a87f 100644 --- a/cs/src/IceSSL/RFC2253.cs +++ b/cs/src/IceSSL/RFC2253.cs @@ -14,6 +14,7 @@ namespace IceSSL { using System; using System.Collections; + using System.Collections.Generic; using System.Diagnostics; using System.Text; 
@@ -43,17 +44,32 @@ namespace IceSSL { internal string key; internal string value; - }; + } + + internal class RDNEntry + { + internal List<RDNPair> rdn = new List<RDNPair>(); + internal bool negate = false; + } - internal static ArrayList - parse(string data) + internal static List<RDNEntry> parse(string data) { - ArrayList results = new ArrayList(); - ArrayList current = new ArrayList(); + List<RDNEntry> results = new List<RDNEntry>(); + RDNEntry current = new RDNEntry(); int pos = 0; while(pos < data.Length) { - current.Add(parseNameComponent(data, ref pos)); + eatWhite(data, ref pos); + if(pos < data.Length && data[pos] == '!') + { + if(current.rdn.Count > 0) + { + throw new ParseException("negation symbol '!' must appear at start of list"); + } + ++pos; + current.negate = true; + } + current.rdn.Add(parseNameComponent(data, ref pos)); eatWhite(data, ref pos); if(pos < data.Length && data[pos] == ',') { @@ -63,14 +79,14 @@ namespace IceSSL { ++pos; results.Add(current); - current = new ArrayList(); + current = new RDNEntry(); } else if(pos < data.Length) { throw new ParseException("expected ',' or ';' at `" + data.Substring(pos) + "'"); } } - if(current.Count > 0) + if(current.rdn.Count > 0) { results.Add(current); } @@ -78,17 +94,15 @@ namespace IceSSL return results; } - internal static ArrayList - parseStrict(string data) + internal static List<RDNPair> parseStrict(string data) { - ArrayList results = new ArrayList(); + List<RDNPair> results = new List<RDNPair>(); int pos = 0; while(pos < data.Length) { results.Add(parseNameComponent(data, ref pos)); eatWhite(data, ref pos); - if(pos < data.Length && - (data[pos] == ',' || data[pos] == ';')) + if(pos < data.Length && (data[pos] == ',' || data[pos] == ';')) { ++pos; } @@ -99,9 +113,8 @@ namespace IceSSL } return results; } - - public static string - unescape(string data) + + public static string unescape(string data) { if(data.Length == 0) { 
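Review bot: `RDNEntry` and the new `negate` branch in `parse` are undocumented, and the rule that `!` is only valid before the first component of a `;`-separated entry is discoverable only from the exception text. Suggest above `internal class RDNEntry`: `// One ';'-separated entry of a TrustOnly value: its RDN pairs and whether the entry was prefixed with '!' (a reject rule).`, and on the branch: `// '!' may only precede the first RDN of an entry.`. Since `eatWhite` runs before the check, ` !CN=x` after a `;` is also accepted, which is worth stating in the property documentation.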
@@ -119,7 +132,7 @@ namespace IceSSL // return data.Substring(1, data.Length - 2); } - + // // Unescape the entire string. // @@ -165,9 +178,8 @@ namespace IceSSL } return result.ToString(); } - - private static int - hexToInt(char v) + + private static int hexToInt(char v) { if(v >= '0' && v <= '9') { @@ -183,9 +195,8 @@ namespace IceSSL } throw new ParseException("unescape: invalid hex pair"); } - - private static char - unescapeHex(string data, int pos) + + private static char unescapeHex(string data, int pos) { Debug.Assert(pos < data.Length); if(pos + 2 >= data.Length) @@ -195,8 +206,7 @@ namespace IceSSL return (char)(hexToInt(data[pos]) * 16 + hexToInt(data[pos + 1])); } - private static RDNPair - parseNameComponent(string data, ref int pos) + private static RDNPair parseNameComponent(string data, ref int pos) { RDNPair result = parseAttributeTypeAndValue(data, ref pos); while(pos < data.Length) @@ -219,8 +229,7 @@ namespace IceSSL return result; } - private static RDNPair - parseAttributeTypeAndValue(string data, ref int pos) + private static RDNPair parseAttributeTypeAndValue(string data, ref int pos) { RDNPair p = new RDNPair(); p.key = parseAttributeType(data, ref pos); @@ -239,8 +248,7 @@ namespace IceSSL return p; } - private static string - parseAttributeType(string data, ref int pos) + private static string parseAttributeType(string data, ref int pos) { eatWhite(data, ref pos); if(pos >= data.Length) @@ -265,7 +273,7 @@ namespace IceSSL // // Here we must also check for "oid." and "OID." before parsing // according to the ALPHA KEYCHAR* rule. - // + // // First the OID case. // if(Char.IsDigit(data[pos]) || @@ -303,8 +311,7 @@ namespace IceSSL } } } - else if(Char.IsUpper(data[pos]) || - Char.IsLower(data[pos])) + else if(Char.IsUpper(data[pos]) || Char.IsLower(data[pos])) { // // The grammar is wrong in this case. It should be ALPHA 
@@ -331,8 +338,7 @@ namespace IceSSL return result; } - private static string - parseAttributeValue(string data, ref int pos) + private static string parseAttributeValue(string data, ref int pos) { eatWhite(data, ref pos); if(pos >= data.Length) @@ -425,8 +431,7 @@ namespace IceSSL // RFC2253: // pair = "\" ( special | "\" | QUOTATION | hexpair ) // - private static string - parsePair(string data, ref int pos) + private static string parsePair(string data, ref int pos) { string result = ""; @@ -453,8 +458,7 @@ namespace IceSSL // RFC 2253 // hexpair = hexchar hexchar // - private static string - parseHexPair(string data, ref int pos, bool allowEmpty) + private static string parseHexPair(string data, ref int pos, bool allowEmpty) { string result = ""; if(pos < data.Length && hexvalid.IndexOf(data[pos]) != -1) @@ -486,8 +490,7 @@ namespace IceSSL // and '+', between attributeType and '=', and between '=' and // attributeValue. These space characters are ignored when parsing. // - private static void - eatWhite(string data, ref int pos) + private static void eatWhite(string data, ref int pos) { while(pos < data.Length && data[pos] == ' ') { diff --git a/cs/src/IceSSL/TrustManager.cs b/cs/src/IceSSL/TrustManager.cs index e682783dc4d..bae942ebae7 100644 --- a/cs/src/IceSSL/TrustManager.cs +++ b/cs/src/IceSSL/TrustManager.cs @@ -10,7 +10,6 @@ namespace IceSSL { using System; - using System.Collections; using System.Collections.Generic; using System.Diagnostics; using System.Security.Cryptography.X509Certificates; 
@@ -28,17 +27,27 @@ namespace IceSSL try { key = "IceSSL.TrustOnly"; - all_ = parse(properties.getProperty(key)); + parse(properties.getProperty(key), rejectAll_, acceptAll_); key = "IceSSL.TrustOnly.Client"; - client_ = parse(properties.getProperty(key)); + parse(properties.getProperty(key), rejectClient_, acceptClient_); key = "IceSSL.TrustOnly.Server"; - allServer_ = parse(properties.getProperty(key)); + parse(properties.getProperty(key), rejectAllServer_, acceptAllServer_); Dictionary<string, string> dict = properties.getPropertiesForPrefix("IceSSL.TrustOnly.Server."); foreach(KeyValuePair<string, string> entry in dict) { - string dkey = entry.Key; - string dname = dkey.Substring("IceSSL.TrustOnly.Server.".Length); - server_[dname] = parse(entry.Value); + key = entry.Key; + string name = key.Substring("IceSSL.TrustOnly.Server.".Length); + List<List<RFC2253.RDNPair>> reject = new List<List<RFC2253.RDNPair>>(); + List<List<RFC2253.RDNPair>> accept = new List<List<RFC2253.RDNPair>>(); + parse(entry.Value, reject, accept); + if(reject.Count > 0) + { + rejectServer_[name] = reject; + } + if(accept.Count > 0) + { + acceptServer_[name] = accept; + } } } catch(RFC2253.ParseException e) 
@@ -49,42 +58,69 @@ namespace IceSSL } } - internal bool - verify(ConnectionInfo info) + internal bool verify(ConnectionInfo info) { - ArrayList trustset = new ArrayList(); - if(all_.Count != 0) + List<List<List<RFC2253.RDNPair>>> reject = new List<List<List<RFC2253.RDNPair>>>(), + accept = new List<List<List<RFC2253.RDNPair>>>(); + + if(rejectAll_.Count != 0) { - trustset.Add(all_); + reject.Add(rejectAll_); + } + if(info.incoming) + { + if(rejectAllServer_.Count != 0) + { + reject.Add(rejectAllServer_); + } + if(info.adapterName.Length > 0) + { + List<List<RFC2253.RDNPair>> p = null; + if(rejectServer_.TryGetValue(info.adapterName, out p)) + { + reject.Add(p); + } + } + } + else + { + if(rejectClient_.Count != 0) + { + reject.Add(rejectClient_); + } } + if(acceptAll_.Count != 0) + { + accept.Add(acceptAll_); + } if(info.incoming) { - if(allServer_.Count != 0) + if(acceptAllServer_.Count != 0) { - trustset.Add(allServer_); + accept.Add(acceptAllServer_); } if(info.adapterName.Length > 0) { - ArrayList p = (ArrayList)server_[info.adapterName]; - if(p != null) + List<List<RFC2253.RDNPair>> p = null; + if(acceptServer_.TryGetValue(info.adapterName, out p)) { - trustset.Add(p); + accept.Add(p); } } } else { - if(client_.Count != 0) + if(acceptClient_.Count != 0) { - trustset.Add(client_); + accept.Add(acceptClient_); } } // // If there is nothing to match against, then we accept the cert. // - if(trustset.Count == 0) + if(reject.Count == 0 && accept.Count == 0) { return true; } @@ -121,8 +157,8 @@ namespace IceSSL } } - ArrayList dn = RFC2253.parseStrict(subjectName); - + List<RFC2253.RDNPair> dn = RFC2253.parseStrict(subjectName); + // // Unescape the DN. Note that this isn't done in // the parser in order to keep the various RFC2253 
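Review bot: The reject and accept collection at the top of `verify` are two copies of the same `if(info.incoming) ... else` selection differing only in the fields consulted, so a later change to one set can easily miss the other. A helper taking the four sources and the target list removes the duplication; the fence shows one shape. `verify` continues beyond the hunk (certificate extraction and matching follow).
```csharp
        internal bool verify(ConnectionInfo info)
        {
            List<List<List<RFC2253.RDNPair>>> reject = new List<List<List<RFC2253.RDNPair>>>(),
                accept = new List<List<List<RFC2253.RDNPair>>>();
            collect(info, rejectAll_, rejectAllServer_, rejectServer_, rejectClient_, reject);
            collect(info, acceptAll_, acceptAllServer_, acceptServer_, acceptClient_, accept);
            // … unchanged: rest of verify …

        // Gather the rule sets that apply to this connection: the global set, then either the
        // server-side sets (global server + per-adapter) or the client-side set.
        private static void collect(ConnectionInfo info,
                                    List<List<RFC2253.RDNPair>> all,
                                    List<List<RFC2253.RDNPair>> allServer,
                                    Dictionary<string, List<List<RFC2253.RDNPair>>> server,
                                    List<List<RFC2253.RDNPair>> client,
                                    List<List<List<RFC2253.RDNPair>>> into)
        {
            if(all.Count != 0)
            {
                into.Add(all);
            }
            if(info.incoming)
            {
                if(allServer.Count != 0)
                {
                    into.Add(allServer);
                }
                List<List<RFC2253.RDNPair>> p;
                if(info.adapterName.Length > 0 && server.TryGetValue(info.adapterName, out p))
                {
                    into.Add(p);
                }
            }
            else if(client.Count != 0)
            {
                into.Add(client);
            }
        }
```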
@@ -130,40 +166,37 @@ namespace IceSSL // for(int i = 0; i < dn.Count; ++i) { - RFC2253.RDNPair p = (RFC2253.RDNPair)dn[i]; + RFC2253.RDNPair p = dn[i]; p.value = RFC2253.unescape(p.value); dn[i] = p; } // - // Try matching against everything in the trust set. + // Fail if we match anything in the reject set. // - foreach(ArrayList matchSet in trustset) + foreach(List<List<RFC2253.RDNPair>> matchSet in reject) { if(traceLevel_ > 0) { - StringBuilder s = new StringBuilder("trust manager matching PDNs:\n"); - bool addSemi = false; - foreach(ArrayList rdnSet in matchSet) - { - if(addSemi) - { - s.Append(';'); - } - addSemi = true; - bool addComma = false; - foreach(RFC2253.RDNPair rdn in rdnSet) - { - if(addComma) - { - s.Append(','); - } - addComma = true; - s.Append(rdn.key); - s.Append('='); - s.Append(rdn.value); - } - } + StringBuilder s = new StringBuilder("trust manager rejecting PDNs:\n"); + stringify(matchSet, s); + communicator_.getLogger().trace("Security", s.ToString()); + } + if(match(matchSet, dn)) + { + return false; + } + } + + // + // Succeed if we match anything in the accept set. + // + foreach(List<List<RFC2253.RDNPair>> matchSet in accept) + { + if(traceLevel_ > 0) + { + StringBuilder s = new StringBuilder("trust manager accepting PDNs:\n"); + stringify(matchSet, s); communicator_.getLogger().trace("Security", s.ToString()); } if(match(matchSet, dn)) @@ -177,15 +210,19 @@ namespace IceSSL communicator_.getLogger().warning( "IceSSL: unable to parse certificate DN `" + subjectName + "'\nreason: " + e.reason); } + + // + // At this point we accept the connection if there are no explicit accept rules. + // + return accept.Count == 0; } return false; } - private bool - match(ArrayList matchSet, ArrayList subject) + private bool match(List<List<RFC2253.RDNPair>> matchSet, List<RFC2253.RDNPair> subject) { - foreach(ArrayList item in matchSet) + foreach(List<RFC2253.RDNPair> item in matchSet) { if(matchRDNs(item, subject)) { 
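Review bot: In the `@@ -177,15 +210,19 @@` hunk the new `return accept.Count == 0;` sits after the `catch(RFC2253.ParseException e)` block, so a peer whose subject DN fails to parse is now accepted whenever only reject rules are configured: the reject rules were never evaluated against it, and the old code reached `return false` on that path. Moving the line inside the `try`, directly after the accept loop, keeps parse failure falling through to `return false;` and only lets a successfully parsed DN that matches no reject rule through. The C++ and Java TrustManager changes in this commit probably share the structure and are worth checking for the same fall-through. `verify` begins before the hunk and `match` continues after it.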
@@ -195,8 +232,7 @@ namespace IceSSL return false; } - private bool - matchRDNs(ArrayList match, ArrayList subject) + private bool matchRDNs(List<RFC2253.RDNPair> match, List<RFC2253.RDNPair> subject) { foreach(RFC2253.RDNPair matchRDN in match) { @@ -221,8 +257,7 @@ namespace IceSSL } // Note that unlike the C++ & Java implementation this returns unescaped data. - ArrayList - parse(string value) + void parse(string value, List<List<RFC2253.RDNPair>> reject, List<List<RFC2253.RDNPair>> accept) { // // As with the Java implementation, the DN that comes from @@ -230,13 +265,13 @@ namespace IceSSL // the user's input form. Therefore we need to normalize the // data to match the C# forms. // - ArrayList l = RFC2253.parse(value); + List<RFC2253.RDNEntry> l = RFC2253.parse(value); for(int i = 0; i < l.Count; ++i) { - ArrayList dn = (ArrayList)l[i]; + List<RFC2253.RDNPair> dn = l[i].rdn; for(int j = 0; j < dn.Count; ++j) { - RFC2253.RDNPair pair = (RFC2253.RDNPair)dn[j]; + RFC2253.RDNPair pair = dn[j]; // Normalize the RDN key. if (pair.key == "emailAddress") { 
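Review bot: The comment kept above the new `parse` signature, `// Note that unlike the C++ & Java implementation this returns unescaped data.`, is stale now that the method returns void and fills the two list parameters. Suggest `// Note that unlike the C++ & Java implementation this stores unescaped data; entries prefixed with '!' are appended to reject, all others to accept.`. The body of `parse` continues in the following hunk.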
@@ -250,16 +285,55 @@ namespace IceSSL pair.value = RFC2253.unescape(pair.value); dn[j] = pair; } + if(l[i].negate) + { + reject.Add(l[i].rdn); + } + else + { + accept.Add(l[i].rdn); + } + } + } + + private static void stringify(List<List<RFC2253.RDNPair>> matchSet, StringBuilder s) + { + bool addSemi = false; + foreach(List<RFC2253.RDNPair> rdnSet in matchSet) + { + if(addSemi) + { + s.Append(';'); + } + addSemi = true; + bool addComma = false; + foreach(RFC2253.RDNPair rdn in rdnSet) + { + if(addComma) + { + s.Append(','); + } + addComma = true; + s.Append(rdn.key); + s.Append('='); + s.Append(rdn.value); + } } - return l; } private Ice.Communicator communicator_; private int traceLevel_; - private ArrayList all_; - private ArrayList client_; - private ArrayList allServer_; - private Hashtable server_ = new Hashtable(); + private List<List<RFC2253.RDNPair>> rejectAll_ = new List<List<RFC2253.RDNPair>>(); + private List<List<RFC2253.RDNPair>> rejectClient_ = new List<List<RFC2253.RDNPair>>(); + private List<List<RFC2253.RDNPair>> rejectAllServer_ = new List<List<RFC2253.RDNPair>>(); + private Dictionary<string, List<List<RFC2253.RDNPair>>> rejectServer_ = + new Dictionary<string, List<List<RFC2253.RDNPair>>>(); + + private List<List<RFC2253.RDNPair>> acceptAll_ = new List<List<RFC2253.RDNPair>>(); + private List<List<RFC2253.RDNPair>> acceptClient_ = new List<List<RFC2253.RDNPair>>(); + private List<List<RFC2253.RDNPair>> acceptAllServer_ = new List<List<RFC2253.RDNPair>>(); + private Dictionary<string, List<List<RFC2253.RDNPair>>> acceptServer_ = + new Dictionary<string, List<List<RFC2253.RDNPair>>>(); } } diff --git a/cs/test/IceSSL/configuration/AllTests.cs b/cs/test/IceSSL/configuration/AllTests.cs index b0b9b5aaa27..4548bda6a19 100644 --- a/cs/test/IceSSL/configuration/AllTests.cs +++ b/cs/test/IceSSL/configuration/AllTests.cs 
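Review bot: The `if(l[i].negate)` branch is the only place where the meaning of a `!` entry is visible, and nothing documents that `parse` appends to the caller's lists without clearing them or that a single property value may mix negated and positive entries; a short comment above the loop such as `// Entries parsed with a leading '!' are appended to reject, all others to accept; the lists are never cleared here.` would make the contract explicit for the initialisation code, which is outside this hunk. The `stringify` helper and the field declarations need nothing further.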
@@ -828,17 +828,13 @@ public class AllTests Console.Out.Flush(); { Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); - initData.properties.setProperty("Ice.InitPlugins", "0"); initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); initData.properties.setProperty("IceSSL.Password", "password"); initData.properties.setProperty("IceSSL.TrustOnly", "C=US, ST=Florida, O=ZeroC\\, Inc.,OU=Ice, emailAddress=info@zeroc.com, CN=Server"); Ice.Communicator comm = Ice.Util.initialize(ref args, initData); - Ice.PluginManager pm = comm.getPluginManager(); - pm.initializePlugins(); - Ice.ObjectPrx obj = comm.stringToProxy(factoryRef); - test(obj != null); - Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(obj); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; d["IceSSL.Password"] = "password"; @@ -848,7 +844,7 @@ public class AllTests { server.ice_ping(); } - catch (Ice.LocalException) + catch(Ice.LocalException) { test(false); } 
@@ -858,17 +854,13 @@ public class AllTests } { Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); - initData.properties.setProperty("Ice.InitPlugins", "0"); initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); initData.properties.setProperty("IceSSL.Password", "password"); initData.properties.setProperty("IceSSL.TrustOnly", - "C=US, ST=Florida, O=\"ZeroC, Inc.\",OU=Ice, emailAddress=info@zeroc.com, CN=Server"); + "!C=US, ST=Florida, O=ZeroC\\, Inc.,OU=Ice, emailAddress=info@zeroc.com, CN=Server"); Ice.Communicator comm = Ice.Util.initialize(ref args, initData); - Ice.PluginManager pm = comm.getPluginManager(); - pm.initializePlugins(); - Ice.ObjectPrx obj = comm.stringToProxy(factoryRef); - test(obj != null); - Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(obj); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; d["IceSSL.Password"] = "password"; @@ -877,10 +869,10 @@ public class AllTests try { server.ice_ping(); + test(false); } - catch (Ice.LocalException) + catch(Ice.LocalException) { - test(false); } fact.destroyServer(server); store.Remove(caCert1); 
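Review bot: The new negative case for `!C=US, ST=Florida, ..., CN=Server` is satisfied by any `Ice.LocalException`, so a server that failed to start or a connection problem unrelated to the trust rule would pass it just as well as a genuine TrustOnly rejection. Narrowing the expected arm to the exception the trust manager raises (presumably `Ice.SecurityException`; confirm against the plugin), e.g. `catch(Ice.SecurityException) { }` followed by `catch(Ice.LocalException) { test(false); }`, would pin the reason for the failure. The same pattern recurs in every negated case this commit adds and mirrors the pre-existing expected-failure tests, so it may be a deliberate project convention.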
@@ -888,17 +880,13 @@ public class AllTests } { Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); - initData.properties.setProperty("Ice.InitPlugins", "0"); initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); initData.properties.setProperty("IceSSL.Password", "password"); initData.properties.setProperty("IceSSL.TrustOnly", "C=US, ST=Florida, O=\"ZeroC, Inc.\",OU=Ice, emailAddress=info@zeroc.com, CN=Server"); Ice.Communicator comm = Ice.Util.initialize(ref args, initData); - Ice.PluginManager pm = comm.getPluginManager(); - pm.initializePlugins(); - Ice.ObjectPrx obj = comm.stringToProxy(factoryRef); - test(obj != null); - Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(obj); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; d["IceSSL.Password"] = "password"; @@ -908,7 +896,7 @@ public class AllTests { server.ice_ping(); } - catch (Ice.LocalException) + catch(Ice.LocalException) { test(false); } 
@@ -918,15 +906,11 @@ public class AllTests } { Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); - initData.properties.setProperty("Ice.InitPlugins", "0"); initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); initData.properties.setProperty("IceSSL.Password", "password"); Ice.Communicator comm = Ice.Util.initialize(ref args, initData); - Ice.PluginManager pm = comm.getPluginManager(); - pm.initializePlugins(); - Ice.ObjectPrx obj = comm.stringToProxy(factoryRef); - test(obj != null); - Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(obj); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; d["IceSSL.Password"] = "password"; @@ -938,7 +922,7 @@ public class AllTests { server.ice_ping(); } - catch (Ice.LocalException) + catch(Ice.LocalException) { test(false); } 
@@ -948,16 +932,38 @@ public class AllTests } { Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); - initData.properties.setProperty("Ice.InitPlugins", "0"); + initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); + initData.properties.setProperty("IceSSL.Password", "password"); + Ice.Communicator comm = Ice.Util.initialize(ref args, initData); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); + Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); + d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; + d["IceSSL.Password"] = "password"; + d["IceSSL.TrustOnly"] = + "!C=US, ST=Florida, O=ZeroC\\, Inc.,OU=Ice, emailAddress=info@zeroc.com, CN=Client"; + store.Add(caCert1); + Test.ServerPrx server = fact.createServer(d); + try + { + server.ice_ping(); + test(false); + } + catch(Ice.LocalException) + { + } + fact.destroyServer(server); + store.Remove(caCert1); + comm.destroy(); + } + { + Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); initData.properties.setProperty("IceSSL.Password", "password"); initData.properties.setProperty("IceSSL.TrustOnly", "CN=Server"); Ice.Communicator comm = Ice.Util.initialize(ref args, initData); - Ice.PluginManager pm = comm.getPluginManager(); - pm.initializePlugins(); - Ice.ObjectPrx obj = comm.stringToProxy(factoryRef); - test(obj != null); - Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(obj); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; d["IceSSL.Password"] = "password"; 
@@ -967,7 +973,7 @@ public class AllTests { server.ice_ping(); } - catch (Ice.LocalException) + catch(Ice.LocalException) { test(false); } 
@@ -977,15 +983,36 @@ public class AllTests } { Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); - initData.properties.setProperty("Ice.InitPlugins", "0"); initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); initData.properties.setProperty("IceSSL.Password", "password"); + initData.properties.setProperty("IceSSL.TrustOnly", "!CN=Server"); Ice.Communicator comm = Ice.Util.initialize(ref args, initData); - Ice.PluginManager pm = comm.getPluginManager(); - pm.initializePlugins(); - Ice.ObjectPrx obj = comm.stringToProxy(factoryRef); - test(obj != null); - Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(obj); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); + Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); + d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; + d["IceSSL.Password"] = "password"; + store.Add(caCert1); + Test.ServerPrx server = fact.createServer(d); + try + { + server.ice_ping(); + test(false); + } + catch(Ice.LocalException) + { + } + fact.destroyServer(server); + store.Remove(caCert1); + comm.destroy(); + } + { + Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); + initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); + initData.properties.setProperty("IceSSL.Password", "password"); + Ice.Communicator comm = Ice.Util.initialize(ref args, initData); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; d["IceSSL.Password"] = "password"; 
@@ -996,26 +1023,47 @@ public class AllTests { server.ice_ping(); } - catch (Ice.LocalException) + catch(Ice.LocalException) + { + test(false); + } + fact.destroyServer(server); + store.Remove(caCert1); + comm.destroy(); + } + { + Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); + initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); + initData.properties.setProperty("IceSSL.Password", "password"); + Ice.Communicator comm = Ice.Util.initialize(ref args, initData); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); + Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); + d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; + d["IceSSL.Password"] = "password"; + d["IceSSL.TrustOnly"] = "!CN=Client"; + store.Add(caCert1); + Test.ServerPrx server = fact.createServer(d); + try { + server.ice_ping(); test(false); } + catch(Ice.LocalException) + { + } fact.destroyServer(server); store.Remove(caCert1); comm.destroy(); } { Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); - initData.properties.setProperty("Ice.InitPlugins", "0"); initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); initData.properties.setProperty("IceSSL.Password", "password"); initData.properties.setProperty("IceSSL.TrustOnly", "CN=Client"); Ice.Communicator comm = Ice.Util.initialize(ref args, initData); - Ice.PluginManager pm = comm.getPluginManager(); - pm.initializePlugins(); - Ice.ObjectPrx obj = comm.stringToProxy(factoryRef); - test(obj != null); - Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(obj); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); d["IceSSL.CertFile"] = 
defaultDir + "/s_rsa_nopass_ca1.pfx"; d["IceSSL.Password"] = "password"; @@ -1026,7 +1074,7 @@ public class AllTests server.ice_ping(); test(false); } - catch (Ice.LocalException) + catch(Ice.LocalException) { } fact.destroyServer(server); @@ -1035,15 +1083,11 @@ public class AllTests } { Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); - initData.properties.setProperty("Ice.InitPlugins", "0"); initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); initData.properties.setProperty("IceSSL.Password", "password"); Ice.Communicator comm = Ice.Util.initialize(ref args, initData); - Ice.PluginManager pm = comm.getPluginManager(); - pm.initializePlugins(); - Ice.ObjectPrx obj = comm.stringToProxy(factoryRef); - test(obj != null); - Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(obj); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; d["IceSSL.Password"] = "password"; @@ -1055,7 +1099,7 @@ public class AllTests server.ice_ping(); test(false); } - catch (Ice.LocalException) + catch(Ice.LocalException) { } fact.destroyServer(server); 
@@ -1064,16 +1108,12 @@ public class AllTests } { Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); - initData.properties.setProperty("Ice.InitPlugins", "0"); initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); initData.properties.setProperty("IceSSL.Password", "password"); initData.properties.setProperty("IceSSL.TrustOnly", "C=Canada,CN=Server"); Ice.Communicator comm = Ice.Util.initialize(ref args, initData); - Ice.PluginManager pm = comm.getPluginManager(); - pm.initializePlugins(); - Ice.ObjectPrx obj = comm.stringToProxy(factoryRef); - test(obj != null); - Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(obj); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; d["IceSSL.Password"] = "password"; @@ -1084,7 +1124,7 @@ public class AllTests server.ice_ping(); test(false); } - catch (Ice.LocalException) + catch(Ice.LocalException) { } fact.destroyServer(server); 
@@ -1093,16 +1133,37 @@ public class AllTests } { Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); - initData.properties.setProperty("Ice.InitPlugins", "0"); + initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); + initData.properties.setProperty("IceSSL.Password", "password"); + initData.properties.setProperty("IceSSL.TrustOnly", "!C=Canada,CN=Server"); + Ice.Communicator comm = Ice.Util.initialize(ref args, initData); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); + Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); + d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; + d["IceSSL.Password"] = "password"; + store.Add(caCert1); + Test.ServerPrx server = fact.createServer(d); + try + { + server.ice_ping(); + } + catch(Ice.LocalException) + { + test(false); + } + fact.destroyServer(server); + store.Remove(caCert1); + comm.destroy(); + } + { + Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); initData.properties.setProperty("IceSSL.Password", "password"); initData.properties.setProperty("IceSSL.TrustOnly", "C=Canada;CN=Server"); Ice.Communicator comm = Ice.Util.initialize(ref args, initData); - Ice.PluginManager pm = comm.getPluginManager(); - pm.initializePlugins(); - Ice.ObjectPrx obj = comm.stringToProxy(factoryRef); - test(obj != null); - Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(obj); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; d["IceSSL.Password"] = "password"; 
@@ -1112,7 +1173,7 @@ public class AllTests { server.ice_ping(); } - catch (Ice.LocalException) + catch(Ice.LocalException) { test(false); } 
@@ -1120,26 +1181,154 @@ public class AllTests store.Remove(caCert1); comm.destroy(); } + { + Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); + initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); + initData.properties.setProperty("IceSSL.Password", "password"); + initData.properties.setProperty("IceSSL.TrustOnly", "!C=Canada;!CN=Server"); + Ice.Communicator comm = Ice.Util.initialize(ref args, initData); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); + Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); + d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; + d["IceSSL.Password"] = "password"; + store.Add(caCert1); + Test.ServerPrx server = fact.createServer(d); + try + { + server.ice_ping(); + test(false); + } + catch(Ice.LocalException) + { + } + fact.destroyServer(server); + store.Remove(caCert1); + comm.destroy(); + } + { + Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); + initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); + initData.properties.setProperty("IceSSL.Password", "password"); + initData.properties.setProperty("IceSSL.TrustOnly", "!CN=Server1"); // Should not match "Server" + Ice.Communicator comm = Ice.Util.initialize(ref args, initData); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); + Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); + d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; + d["IceSSL.Password"] = "password"; + store.Add(caCert1); + Test.ServerPrx server = fact.createServer(d); + try + { + server.ice_ping(); + } + catch(Ice.LocalException) + { + test(false); + } + fact.destroyServer(server); + store.Remove(caCert1); + comm.destroy(); + } + { + 
Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); + initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); + initData.properties.setProperty("IceSSL.Password", "password"); + Ice.Communicator comm = Ice.Util.initialize(ref args, initData); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); + Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); + d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; + d["IceSSL.Password"] = "password"; + d["IceSSL.TrustOnly"] = "!CN=Client1"; // Should not match "Client" + store.Add(caCert1); + Test.ServerPrx server = fact.createServer(d); + try + { + server.ice_ping(); + } + catch(Ice.LocalException) + { + test(false); + } + fact.destroyServer(server); + store.Remove(caCert1); + comm.destroy(); + } + { + // + // Rejection takes precedence (client). + // + Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); + initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); + initData.properties.setProperty("IceSSL.Password", "password"); + initData.properties.setProperty("IceSSL.TrustOnly", "ST=Florida;!CN=Server;C=US"); + Ice.Communicator comm = Ice.Util.initialize(ref args, initData); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); + Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); + d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; + d["IceSSL.Password"] = "password"; + store.Add(caCert1); + Test.ServerPrx server = fact.createServer(d); + try + { + server.ice_ping(); + test(false); + } + catch(Ice.LocalException) + { + } + fact.destroyServer(server); + store.Remove(caCert1); + comm.destroy(); + } + { + // + // Rejection takes precedence (server). 
+ // + Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); + initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); + initData.properties.setProperty("IceSSL.Password", "password"); + Ice.Communicator comm = Ice.Util.initialize(ref args, initData); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); + Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); + d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; + d["IceSSL.Password"] = "password"; + d["IceSSL.TrustOnly"] = "C=US;!CN=Client;ST=Florida"; + store.Add(caCert1); + Test.ServerPrx server = fact.createServer(d); + try + { + server.ice_ping(); + test(false); + } + catch(Ice.LocalException) + { + } + fact.destroyServer(server); + store.Remove(caCert1); + comm.destroy(); + } Console.Out.WriteLine("ok"); Console.Out.Write("testing IceSSL.TrustOnly.Client... "); Console.Out.Flush(); { Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); - initData.properties.setProperty("Ice.InitPlugins", "0"); initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); initData.properties.setProperty("IceSSL.Password", "password"); initData.properties.setProperty("IceSSL.TrustOnly.Client", "C=US, ST=Florida, O=ZeroC\\, Inc.,OU=Ice, emailAddress=info@zeroc.com, CN=Server"); Ice.Communicator comm = Ice.Util.initialize(ref args, initData); - Ice.PluginManager pm = comm.getPluginManager(); - pm.initializePlugins(); - Ice.ObjectPrx obj = comm.stringToProxy(factoryRef); - test(obj != null); - Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(obj); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); d["IceSSL.CertFile"] = defaultDir 
+ "/s_rsa_nopass_ca1.pfx"; d["IceSSL.Password"] = "password"; + // Should have no effect. d["IceSSL.TrustOnly.Client"] = "C=US, ST=Florida, O=ZeroC\\, Inc.,OU=Ice, emailAddress=info@zeroc.com, CN=Server"; store.Add(caCert1); 
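Review bot: The two "Rejection takes precedence" cases only combine a matching `!` entry with matching accept entries; the complementary mixed form in which the `!` entry does not match but an accept entry does — e.g. `initData.properties.setProperty("IceSSL.TrustOnly", "CN=Server;!CN=Client");` with the ping expected to succeed — is not exercised, and it is the case that would catch an implementation treating any `!` entry as an unconditional veto. The `!CN=Server1` and `!CN=Client1` cases already cover a non-matching `!` entry on its own, so only the mixed case is missing. The enclosing test method continues outside this hunk.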
@@ -1148,7 +1337,59 @@ public class AllTests { server.ice_ping(); } - catch (Ice.LocalException) + catch(Ice.LocalException) + { + test(false); + } + fact.destroyServer(server); + store.Remove(caCert1); + comm.destroy(); + } + { + Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); + initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); + initData.properties.setProperty("IceSSL.Password", "password"); + initData.properties.setProperty("IceSSL.TrustOnly.Client", + "!C=US, ST=Florida, O=ZeroC\\, Inc.,OU=Ice, emailAddress=info@zeroc.com, CN=Server"); + Ice.Communicator comm = Ice.Util.initialize(ref args, initData); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); + Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); + d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; + d["IceSSL.Password"] = "password"; + store.Add(caCert1); + Test.ServerPrx server = fact.createServer(d); + try + { + server.ice_ping(); + test(false); + } + catch(Ice.LocalException) + { + } + fact.destroyServer(server); + store.Remove(caCert1); + comm.destroy(); + } + { + Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); + initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); + initData.properties.setProperty("IceSSL.Password", "password"); + Ice.Communicator comm = Ice.Util.initialize(ref args, initData); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); + Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); + d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; + d["IceSSL.Password"] = "password"; + // Should have no effect. 
+ d["IceSSL.TrustOnly.Client"] = "!CN=Client"; + store.Add(caCert1); + Test.ServerPrx server = fact.createServer(d); + try + { + server.ice_ping(); + } + catch(Ice.LocalException) { test(false); } @@ -1158,16 +1399,12 @@ public class AllTests } { Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); - initData.properties.setProperty("Ice.InitPlugins", "0"); initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); initData.properties.setProperty("IceSSL.Password", "password"); initData.properties.setProperty("IceSSL.TrustOnly.Client", "CN=Client"); Ice.Communicator comm = Ice.Util.initialize(ref args, initData); - Ice.PluginManager pm = comm.getPluginManager(); - pm.initializePlugins(); - Ice.ObjectPrx obj = comm.stringToProxy(factoryRef); - test(obj != null); - Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(obj); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; d["IceSSL.Password"] = "password"; 
@@ -1178,8 +1415,33 @@ public class AllTests server.ice_ping(); test(false); } - catch (Ice.LocalException) + catch(Ice.LocalException) + { + } + fact.destroyServer(server); + store.Remove(caCert1); + comm.destroy(); + } + { + Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); + initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); + initData.properties.setProperty("IceSSL.Password", "password"); + initData.properties.setProperty("IceSSL.TrustOnly.Client", "!CN=Client"); + Ice.Communicator comm = Ice.Util.initialize(ref args, initData); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); + Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); + d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; + d["IceSSL.Password"] = "password"; + store.Add(caCert1); + Test.ServerPrx server = fact.createServer(d); + try + { + server.ice_ping(); + } + catch(Ice.LocalException) { + test(false); } fact.destroyServer(server); store.Remove(caCert1); 
@@ -1191,17 +1453,14 @@ public class AllTests Console.Out.Flush(); { Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); - initData.properties.setProperty("Ice.InitPlugins", "0"); initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); initData.properties.setProperty("IceSSL.Password", "password"); + // Should have no effect. initData.properties.setProperty("IceSSL.TrustOnly.Server", "C=US, ST=Florida, O=ZeroC\\, Inc.,OU=Ice, emailAddress=info@zeroc.com, CN=Client"); Ice.Communicator comm = Ice.Util.initialize(ref args, initData); - Ice.PluginManager pm = comm.getPluginManager(); - pm.initializePlugins(); - Ice.ObjectPrx obj = comm.stringToProxy(factoryRef); - test(obj != null); - Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(obj); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; d["IceSSL.Password"] = "password"; @@ -1213,7 +1472,7 @@ public class AllTests { server.ice_ping(); } - catch (Ice.LocalException) + catch(Ice.LocalException) { test(false); } 
@@ -1223,15 +1482,63 @@ public class AllTests } { Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); - initData.properties.setProperty("Ice.InitPlugins", "0"); initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); initData.properties.setProperty("IceSSL.Password", "password"); Ice.Communicator comm = Ice.Util.initialize(ref args, initData); - Ice.PluginManager pm = comm.getPluginManager(); - pm.initializePlugins(); - Ice.ObjectPrx obj = comm.stringToProxy(factoryRef); - test(obj != null); - Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(obj); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); + Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); + d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; + d["IceSSL.Password"] = "password"; + d["IceSSL.TrustOnly.Server"] = + "!C=US, ST=Florida, O=ZeroC\\, Inc.,OU=Ice, emailAddress=info@zeroc.com, CN=Client"; + store.Add(caCert1); + Test.ServerPrx server = fact.createServer(d); + try + { + server.ice_ping(); + test(false); + } + catch(Ice.LocalException) + { + } + fact.destroyServer(server); + store.Remove(caCert1); + comm.destroy(); + } + { + Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); + initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); + initData.properties.setProperty("IceSSL.Password", "password"); + // Should have no effect. 
+ initData.properties.setProperty("IceSSL.TrustOnly.Server", "!CN=Server"); + Ice.Communicator comm = Ice.Util.initialize(ref args, initData); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); + Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); + d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; + d["IceSSL.Password"] = "password"; + store.Add(caCert1); + Test.ServerPrx server = fact.createServer(d); + try + { + server.ice_ping(); + } + catch(Ice.LocalException) + { + test(false); + } + fact.destroyServer(server); + store.Remove(caCert1); + comm.destroy(); + } + { + Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); + initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); + initData.properties.setProperty("IceSSL.Password", "password"); + Ice.Communicator comm = Ice.Util.initialize(ref args, initData); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; d["IceSSL.Password"] = "password"; 
@@ -1243,7 +1550,32 @@ public class AllTests server.ice_ping(); test(false); } - catch (Ice.LocalException) + catch(Ice.LocalException) + { + } + fact.destroyServer(server); + store.Remove(caCert1); + comm.destroy(); + } + { + Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost); + initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx"); + initData.properties.setProperty("IceSSL.Password", "password"); + Ice.Communicator comm = Ice.Util.initialize(ref args, initData); + + Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); + Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost); + d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx"; + d["IceSSL.Password"] = "password"; + d["IceSSL.TrustOnly.Server"] = "!CN=Client"; + store.Add(caCert1); + Test.ServerPrx server = fact.createServer(d); + try + { + server.ice_ping(); + test(false); + } + catch(Ice.LocalException) { } fact.destroyServer(server); 
@@ -1256,15 +1588,11 @@ public class AllTests
 Console.Out.Flush();
 {
 Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost);
- initData.properties.setProperty("Ice.InitPlugins", "0");
 initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx");
 initData.properties.setProperty("IceSSL.Password", "password");
 Ice.Communicator comm = Ice.Util.initialize(ref args, initData);
- Ice.PluginManager pm = comm.getPluginManager();
- pm.initializePlugins();
- Ice.ObjectPrx obj = comm.stringToProxy(factoryRef);
- test(obj != null);
- Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(obj);
+
+ Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
 Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost);
 d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx";
 d["IceSSL.Password"] = "password";
@@ -1277,7 +1605,7 @@ public class AllTests
 {
 server.ice_ping();
 }
- catch (Ice.LocalException)
+ catch(Ice.LocalException)
 {
 test(false);
 }
@@ -1287,15 +1615,37 @@ public class AllTests
 }
 {
 Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost);
- initData.properties.setProperty("Ice.InitPlugins", "0");
 initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx");
 initData.properties.setProperty("IceSSL.Password", "password");
 Ice.Communicator comm = Ice.Util.initialize(ref args, initData);
- Ice.PluginManager pm = comm.getPluginManager();
- pm.initializePlugins();
- Ice.ObjectPrx obj = comm.stringToProxy(factoryRef);
- test(obj != null);
- Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(obj);
+
+ Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost);
+ d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx";
+ d["IceSSL.Password"] = "password";
+ d["IceSSL.TrustOnly.Server.ServerAdapter"] =
+ "!C=US, ST=Florida, O=ZeroC\\, Inc.,OU=Ice, emailAddress=info@zeroc.com, CN=Client";
+ store.Add(caCert1);
+ Test.ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.LocalException)
+ {
+ }
+ fact.destroyServer(server);
+ store.Remove(caCert1);
+ comm.destroy();
+ }
+ {
+ Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost);
+ initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ Ice.Communicator comm = Ice.Util.initialize(ref args, initData);
+
+ Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
 Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost);
 d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx";
 d["IceSSL.Password"] = "password";
@@ -1307,13 +1657,38 @@ public class AllTests
 server.ice_ping();
 test(false);
 }
- catch (Ice.LocalException)
+ catch(Ice.LocalException)
 {
 }
 fact.destroyServer(server);
 store.Remove(caCert1);
 comm.destroy();
 }
+ {
+ Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost);
+ initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ Ice.Communicator comm = Ice.Util.initialize(ref args, initData);
+
+ Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost);
+ d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx";
+ d["IceSSL.Password"] = "password";
+ d["IceSSL.TrustOnly.Server.ServerAdapter"] = "!CN=bogus";
+ store.Add(caCert1);
+ Test.ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
+ catch(Ice.LocalException)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ store.Remove(caCert1);
+ comm.destroy();
+ }
 Console.Out.WriteLine("ok");
 }
 finally
diff --git a/java/src/IceInternal/PropertyNames.java b/java/src/IceInternal/PropertyNames.java
index ab58a9d6731..15e20c6b9a5 100644
--- a/java/src/IceInternal/PropertyNames.java
+++ b/java/src/IceInternal/PropertyNames.java
@@ -8,7 +8,7 @@
 // **********************************************************************
 //
-// Generated by makeprops.py from file ../config/PropertyNames.xml, Mon May 18 11:29:29 2009
+// Generated by makeprops.py from file ../config/PropertyNames.xml, Wed Jul 29 10:07:20 2009
 // IMPORTANT: Do not edit this file -- any edits made here will be lost!
@@ -33,6 +33,7 @@ public final class PropertyNames
 new Property("Ice\\.Admin\\.ThreadPool\\.SizeWarn", false, null),
 new Property("Ice\\.Admin\\.ThreadPool\\.StackSize", false, null),
 new Property("Ice\\.Admin\\.ThreadPool\\.Serialize", false, null),
+ new Property("Ice\\.Admin\\.ThreadPool\\.ThreadPriority", false, null),
 new Property("Ice\\.Admin\\.DelayCreation", false, null),
 new Property("Ice\\.Admin\\.Facets", false, null),
 new Property("Ice\\.Admin\\.InstanceName", false, null),
@@ -99,11 +100,14 @@ public final class PropertyNames
 new Property("Ice\\.ThreadPool\\.Client\\.SizeWarn", false, null),
 new Property("Ice\\.ThreadPool\\.Client\\.StackSize", false, null),
 new Property("Ice\\.ThreadPool\\.Client\\.Serialize", false, null),
+ new Property("Ice\\.ThreadPool\\.Client\\.ThreadPriority", false, null),
 new Property("Ice\\.ThreadPool\\.Server\\.Size", false, null),
 new Property("Ice\\.ThreadPool\\.Server\\.SizeMax", false, null),
 new Property("Ice\\.ThreadPool\\.Server\\.SizeWarn", false, null),
 new Property("Ice\\.ThreadPool\\.Server\\.StackSize", false, null),
 new Property("Ice\\.ThreadPool\\.Server\\.Serialize", false, null),
+ new Property("Ice\\.ThreadPool\\.Server\\.ThreadPriority", false, null),
+ new Property("Ice\\.ThreadPriority", false, null),
 new Property("Ice\\.Trace\\.GC", false, null),
 new Property("Ice\\.Trace\\.Location", true, "Ice.Trace.Locator"),
 new Property("Ice\\.Trace\\.Locator", false, null),
@@ -149,6 +153,7 @@ public final class PropertyNames
 new Property("IceBox\\.ServiceManager\\.ThreadPool\\.SizeWarn", false, null),
 new Property("IceBox\\.ServiceManager\\.ThreadPool\\.StackSize", false, null),
 new Property("IceBox\\.ServiceManager\\.ThreadPool\\.Serialize", false, null),
+ new Property("IceBox\\.ServiceManager\\.ThreadPool\\.ThreadPriority", false, null),
 new Property("IceBox\\.Trace\\.ServiceObserver", false, null),
 new Property("IceBox\\.UseSharedCommunicator\\.[^\\s]+", false, null),
 null
@@ -195,6 +200,7 @@ public final class PropertyNames
 new Property("IceGrid\\.Node\\.ThreadPool\\.SizeWarn", false, null),
 new Property("IceGrid\\.Node\\.ThreadPool\\.StackSize", false, null),
 new Property("IceGrid\\.Node\\.ThreadPool\\.Serialize", false, null),
+ new Property("IceGrid\\.Node\\.ThreadPool\\.ThreadPriority", false, null),
 new Property("IceGrid\\.Node\\.AllowRunningServersAsRoot", false, null),
 new Property("IceGrid\\.Node\\.AllowEndpointsOverride", false, null),
 new Property("IceGrid\\.Node\\.CollocateRegistry", false, null),
@@ -245,6 +251,7 @@ public final class PropertyNames
 new Property("IceGrid\\.Registry\\.AdminSessionManager\\.ThreadPool\\.SizeWarn", false, null),
 new Property("IceGrid\\.Registry\\.AdminSessionManager\\.ThreadPool\\.StackSize", false, null),
 new Property("IceGrid\\.Registry\\.AdminSessionManager\\.ThreadPool\\.Serialize", false, null),
+ new Property("IceGrid\\.Registry\\.AdminSessionManager\\.ThreadPool\\.ThreadPriority", false, null),
 new Property("IceGrid\\.Registry\\.AdminSSLPermissionsVerifier\\.EndpointSelection", false, null),
 new Property("IceGrid\\.Registry\\.AdminSSLPermissionsVerifier\\.ConnectionCached", false, null),
 new Property("IceGrid\\.Registry\\.AdminSSLPermissionsVerifier\\.PreferSecure", false, null),
@@ -267,6 +274,7 @@ public final class PropertyNames
 new Property("IceGrid\\.Registry\\.Client\\.ThreadPool\\.SizeWarn", false, null),
 new Property("IceGrid\\.Registry\\.Client\\.ThreadPool\\.StackSize", false, null),
 new Property("IceGrid\\.Registry\\.Client\\.ThreadPool\\.Serialize", false, null),
+ new Property("IceGrid\\.Registry\\.Client\\.ThreadPool\\.ThreadPriority", false, null),
 new Property("IceGrid\\.Registry\\.CryptPasswords", false, null),
 new Property("IceGrid\\.Registry\\.Data", false, null),
 new Property("IceGrid\\.Registry\\.DefaultTemplates", false, null),
@@ -284,6 +292,7 @@ public final class PropertyNames
 new Property("IceGrid\\.Registry\\.Internal\\.ThreadPool\\.SizeWarn", false, null),
 new Property("IceGrid\\.Registry\\.Internal\\.ThreadPool\\.StackSize", false, null),
 new Property("IceGrid\\.Registry\\.Internal\\.ThreadPool\\.Serialize", false, null),
+ new Property("IceGrid\\.Registry\\.Internal\\.ThreadPool\\.ThreadPriority", false, null),
 new Property("IceGrid\\.Registry\\.NodeSessionTimeout", false, null),
 new Property("IceGrid\\.Registry\\.PermissionsVerifier\\.EndpointSelection", false, null),
 new Property("IceGrid\\.Registry\\.PermissionsVerifier\\.ConnectionCached", false, null),
@@ -309,6 +318,7 @@ public final class PropertyNames
 new Property("IceGrid\\.Registry\\.Server\\.ThreadPool\\.SizeWarn", false, null),
 new Property("IceGrid\\.Registry\\.Server\\.ThreadPool\\.StackSize", false, null),
 new Property("IceGrid\\.Registry\\.Server\\.ThreadPool\\.Serialize", false, null),
+ new Property("IceGrid\\.Registry\\.Server\\.ThreadPool\\.ThreadPriority", false, null),
 new Property("IceGrid\\.Registry\\.SessionFilters", false, null),
 new Property("IceGrid\\.Registry\\.SessionManager\\.AdapterId", false, null),
 new Property("IceGrid\\.Registry\\.SessionManager\\.Endpoints", false, null),
@@ -323,6 +333,7 @@ public final class PropertyNames
 new Property("IceGrid\\.Registry\\.SessionManager\\.ThreadPool\\.SizeWarn", false, null),
 new Property("IceGrid\\.Registry\\.SessionManager\\.ThreadPool\\.StackSize", false, null),
 new Property("IceGrid\\.Registry\\.SessionManager\\.ThreadPool\\.Serialize", false, null),
+ new Property("IceGrid\\.Registry\\.SessionManager\\.ThreadPool\\.ThreadPriority", false, null),
 new Property("IceGrid\\.Registry\\.SessionTimeout", false, null),
 new Property("IceGrid\\.Registry\\.SSLPermissionsVerifier\\.EndpointSelection", false, null),
 new Property("IceGrid\\.Registry\\.SSLPermissionsVerifier\\.ConnectionCached", false, null),
@@ -364,6 +375,7 @@ public final class PropertyNames
 new Property("IcePatch2\\.ThreadPool\\.SizeWarn", false, null),
 new Property("IcePatch2\\.ThreadPool\\.StackSize", false, null),
 new Property("IcePatch2\\.ThreadPool\\.Serialize", false, null),
+ new Property("IcePatch2\\.ThreadPool\\.ThreadPriority", false, null),
 new Property("IcePatch2\\.Admin\\.AdapterId", true, null),
 new Property("IcePatch2\\.Admin\\.Endpoints", true, null),
 new Property("IcePatch2\\.Admin\\.Locator", true, null),
@@ -408,15 +420,15 @@ public final class PropertyNames
 new Property("IceSSL\\.Protocols", false, null),
 new Property("IceSSL\\.Random", false, null),
 new Property("IceSSL\\.Trace\\.Security", false, null),
+ new Property("IceSSL\\.TrustOnly", false, null),
+ new Property("IceSSL\\.TrustOnly\\.Client", false, null),
+ new Property("IceSSL\\.TrustOnly\\.Server", false, null),
+ new Property("IceSSL\\.TrustOnly\\.Server\\.[^\\s]+", false, null),
 new Property("IceSSL\\.Truststore", false, null),
 new Property("IceSSL\\.TruststorePassword", false, null),
 new Property("IceSSL\\.TruststoreType", false, null),
 new Property("IceSSL\\.VerifyDepthMax", false, null),
 new Property("IceSSL\\.VerifyPeer", false, null),
- new Property("IceSSL\\.TrustOnly", false, null),
- new Property("IceSSL\\.TrustOnly\\.Client", false, null),
- new Property("IceSSL\\.TrustOnly\\.Server", false, null),
- new Property("IceSSL\\.TrustOnly\\.Server\\.[^\\s]+", false, null),
 null
 };
@@ -453,6 +465,7 @@ public final class PropertyNames
 new Property("Glacier2\\.Client\\.ThreadPool\\.SizeWarn", false, null),
 new Property("Glacier2\\.Client\\.ThreadPool\\.StackSize", false, null),
 new Property("Glacier2\\.Client\\.ThreadPool\\.Serialize", false, null),
+ new Property("Glacier2\\.Client\\.ThreadPool\\.ThreadPriority", false, null),
 new Property("Glacier2\\.Client\\.AlwaysBatch", false, null),
 new Property("Glacier2\\.Client\\.Buffered", false, null),
 new Property("Glacier2\\.Client\\.ForwardContext", false, null),
@@ -502,6 +515,7 @@ public final class PropertyNames
 new Property("Glacier2\\.Server\\.ThreadPool\\.SizeWarn", false, null),
 new Property("Glacier2\\.Server\\.ThreadPool\\.StackSize", false, null),
 new Property("Glacier2\\.Server\\.ThreadPool\\.Serialize", false, null),
+ new Property("Glacier2\\.Server\\.ThreadPool\\.ThreadPriority", false, null),
 new Property("Glacier2\\.Server\\.AlwaysBatch", false, null),
 new Property("Glacier2\\.Server\\.Buffered", false, null),
 new Property("Glacier2\\.Server\\.ForwardContext", false, null),
diff --git a/java/src/IceSSL/RFC2253.java b/java/src/IceSSL/RFC2253.java
index 13e701ba15d..50d65e17ef8 100644
--- a/java/src/IceSSL/RFC2253.java
+++ b/java/src/IceSSL/RFC2253.java
@@ -40,24 +40,40 @@ class RFC2253
 String value;
 }
 
+ static class RDNEntry
+ {
+ java.util.List<RDNPair> rdn = new java.util.LinkedList<RDNPair>();
+ boolean negate = false;
+ }
+
 static private class ParseState
 {
 String data;
 int pos;
 }
 
- public static java.util.List<java.util.List<RDNPair> >
+ public static java.util.List<RDNEntry>
 parse(String data)
 throws ParseException
 {
- java.util.List<java.util.List<RDNPair> > results = new java.util.LinkedList<java.util.List<RDNPair> >();
- java.util.List<RDNPair> current = new java.util.LinkedList<RDNPair>();
+ java.util.List<RDNEntry> results = new java.util.LinkedList<RDNEntry>();
+ RDNEntry current = new RDNEntry();
 ParseState state = new ParseState();
 state.data = data;
 state.pos = 0;
 while(state.pos < state.data.length())
 {
- current.add(parseNameComponent(state));
+ eatWhite(state);
+ if(state.pos < state.data.length() && state.data.charAt(state.pos) == '!')
+ {
+ if(!current.rdn.isEmpty())
+ {
+ throw new ParseException("negation symbol '!' must appear at start of list");
+ }
+ ++state.pos;
+ current.negate = true;
+ }
+ current.rdn.add(parseNameComponent(state));
 eatWhite(state);
 if(state.pos < state.data.length() && state.data.charAt(state.pos) == ',')
 {
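Review bot: The new `ParseException` for a misplaced `!` does not report where in the input it occurred, unlike the existing `expected ',' or ';'` message in the same method which appends the unparsed remainder; a user with a long TrustOnly list gets no hint which entry is wrong. Appending `state.data.substring(state.pos)` to the new message the same way keeps the two consistent. `RDNEntry` also has no comment saying what `negate` means; add `// One ';'-separated DN pattern of a TrustOnly list; negate is true when it was prefixed with '!', meaning a matching DN is to be rejected rather than accepted.` above the class, since the reject/accept split is only visible in TrustManager. The `while` loop of `parse` continues past the end of this hunk.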
@@ -67,14 +83,14 @@ class RFC2253
 {
 ++state.pos;
 results.add(current);
- current = new java.util.LinkedList<RDNPair>();
+ current = new RDNEntry();
 }
 else if(state.pos < state.data.length())
 {
 throw new ParseException("expected ',' or ';' at `" + state.data.substring(state.pos) + "'");
 }
 }
- if(!current.isEmpty())
+ if(!current.rdn.isEmpty())
 {
 results.add(current);
 }
diff --git a/java/src/IceSSL/TrustManager.java b/java/src/IceSSL/TrustManager.java
index 5dceca0a1e0..b54b18d16e9 100644
--- a/java/src/IceSSL/TrustManager.java
+++ b/java/src/IceSSL/TrustManager.java
@@ -21,17 +21,29 @@ class TrustManager
 try
 {
 key = "IceSSL.TrustOnly";
- _all = parse(properties.getProperty(key));
+ parse(properties.getProperty(key), _rejectAll, _acceptAll);
 key = "IceSSL.TrustOnly.Client";
- _client = parse(properties.getProperty(key));
+ parse(properties.getProperty(key), _rejectClient, _acceptClient);
 key = "IceSSL.TrustOnly.Server";
- _allServer = parse(properties.getProperty(key));
+ parse(properties.getProperty(key), _rejectAllServer, _acceptAllServer);
 java.util.Map<String, String> dict = properties.getPropertiesForPrefix("IceSSL.TrustOnly.Server.");
 for(java.util.Map.Entry<String, String> p : dict.entrySet())
 {
 key = p.getKey();
 String name = key.substring("IceSSL.TrustOnly.Server.".length());
- _server.put(name, parse(p.getValue()));
+ java.util.List<java.util.List<RFC2253.RDNPair> > reject =
+ new java.util.LinkedList<java.util.List<RFC2253.RDNPair> >();
+ java.util.List<java.util.List<RFC2253.RDNPair> > accept =
+ new java.util.LinkedList<java.util.List<RFC2253.RDNPair> >();
+ parse(p.getValue(), reject, accept);
+ if(!reject.isEmpty())
+ {
+ _rejectServer.put(name, reject);
+ }
+ if(!accept.isEmpty())
+ {
+ _acceptServer.put(name, accept);
+ }
 }
 }
 catch(RFC2253.ParseException e)
@@ -45,40 +57,68 @@ class TrustManager
 boolean
 verify(ConnectionInfo info)
 {
- java.util.List<java.util.List<java.util.List<RFC2253.RDNPair> > > trustset =
- new java.util.LinkedList<java.util.List<java.util.List<RFC2253.RDNPair> > >();
- if(!_all.isEmpty())
+ java.util.List<java.util.List<java.util.List<RFC2253.RDNPair> > >
+ reject = new java.util.LinkedList<java.util.List<java.util.List<RFC2253.RDNPair> > >(),
+ accept = new java.util.LinkedList<java.util.List<java.util.List<RFC2253.RDNPair> > >();
+
+ if(!_rejectAll.isEmpty())
+ {
+ reject.add(_rejectAll);
+ }
+ if(info.incoming)
+ {
+ if(!_rejectAllServer.isEmpty())
+ {
+ reject.add(_rejectAllServer);
+ }
+ if(info.adapterName.length() > 0)
+ {
+ java.util.List<java.util.List<RFC2253.RDNPair> > p = _rejectServer.get(info.adapterName);
+ if(p != null)
+ {
+ reject.add(p);
+ }
+ }
+ }
+ else
 {
- trustset.add(_all);
+ if(!_rejectClient.isEmpty())
+ {
+ reject.add(_rejectClient);
+ }
 }
+ if(!_acceptAll.isEmpty())
+ {
+ accept.add(_acceptAll);
+ }
 if(info.incoming)
 {
- if(!_allServer.isEmpty())
+ if(!_acceptAllServer.isEmpty())
 {
- trustset.add(_allServer);
+ accept.add(_acceptAllServer);
 }
 if(info.adapterName.length() > 0)
 {
- java.util.List<java.util.List<RFC2253.RDNPair> > p = _server.get(info.adapterName);
+ java.util.List<java.util.List<RFC2253.RDNPair> > p = _acceptServer.get(info.adapterName);
 if(p != null)
 {
- trustset.add(p);
+ accept.add(p);
 }
 }
 }
 else
 {
- if(!_client.isEmpty())
+ if(!_acceptClient.isEmpty())
 {
- trustset.add(_client);
+ accept.add(_acceptClient);
 }
 }
 
 //
 // If there is nothing to match against, then we accept the cert.
 //
- if(trustset.isEmpty())
+ if(reject.isEmpty() && accept.isEmpty())
 {
 return true;
 }
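Review bot: The new reject-set selection at the top of `verify` repeats the accept-set selection that follows it line for line (`_rejectAll`/`_acceptAll`, `_rejectAllServer`/`_acceptAllServer`, `_rejectServer`/`_acceptServer`, `_rejectClient`/`_acceptClient`), so a future change to which rules apply to an incoming connection has to be made twice and can silently drift. A small private helper that builds the match-set list for one family of rules would reduce the two `if(info.incoming)` blocks to two calls, as sketched below. The remainder of `verify` (DN parsing and matching) lies in the following hunks and is unchanged by this suggestion.
```java
    boolean
    verify(ConnectionInfo info)
    {
        java.util.List<java.util.List<java.util.List<RFC2253.RDNPair> > > reject =
            select(info, _rejectAll, _rejectAllServer, _rejectServer, _rejectClient);
        java.util.List<java.util.List<java.util.List<RFC2253.RDNPair> > > accept =
            select(info, _acceptAll, _acceptAllServer, _acceptServer, _acceptClient);
        // … unchanged: nothing-to-match check, DN parsing and matching …

    //
    // Collects the rule sets from one family (accept or reject) that apply to
    // this connection: the global set, then for incoming connections the
    // server-wide set and the adapter-specific set, else the client set.
    //
    private static java.util.List<java.util.List<java.util.List<RFC2253.RDNPair> > >
    select(ConnectionInfo info,
           java.util.List<java.util.List<RFC2253.RDNPair> > all,
           java.util.List<java.util.List<RFC2253.RDNPair> > allServer,
           java.util.Map<String, java.util.List<java.util.List<RFC2253.RDNPair> > > perServer,
           java.util.List<java.util.List<RFC2253.RDNPair> > client)
    {
        java.util.List<java.util.List<java.util.List<RFC2253.RDNPair> > > result =
            new java.util.LinkedList<java.util.List<java.util.List<RFC2253.RDNPair> > >();
        if(!all.isEmpty())
        {
            result.add(all);
        }
        if(info.incoming)
        {
            if(!allServer.isEmpty())
            {
                result.add(allServer);
            }
            if(info.adapterName.length() > 0)
            {
                java.util.List<java.util.List<RFC2253.RDNPair> > p = perServer.get(info.adapterName);
                if(p != null)
                {
                    result.add(p);
                }
            }
        }
        else if(!client.isEmpty())
        {
            result.add(client);
        }
        return result;
    }
```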
@@ -118,34 +158,31 @@ class TrustManager
 java.util.List<RFC2253.RDNPair> dn = RFC2253.parseStrict(subjectName);
 
 //
- // Try matching against everything in the trust set.
+ // Fail if we match anything in the reject set.
 //
- for(java.util.List<java.util.List<RFC2253.RDNPair>> matchSet : trustset)
+ for(java.util.List<java.util.List<RFC2253.RDNPair>> matchSet : reject)
 {
 if(_traceLevel > 1)
 {
- StringBuffer s = new StringBuffer("trust manager matching PDNs:\n");
- boolean addSemi = false;
- for(java.util.List<RFC2253.RDNPair> rdnSet : matchSet)
- {
- if(addSemi)
- {
- s.append(';');
- }
- addSemi = true;
- boolean addComma = false;
- for(RFC2253.RDNPair rdn : rdnSet)
- {
- if(addComma)
- {
- s.append(',');
- }
- addComma = true;
- s.append(rdn.key);
- s.append('=');
- s.append(rdn.value);
- }
- }
+ StringBuilder s = new StringBuilder("trust manager rejecting PDNs:\n");
+ stringify(matchSet, s);
+ _communicator.getLogger().trace("Security", s.toString());
+ }
+ if(match(matchSet, dn))
+ {
+ return false;
+ }
+ }
+
+ //
+ // Succeed if we match anything in the accept set.
+ //
+ for(java.util.List<java.util.List<RFC2253.RDNPair>> matchSet : accept)
+ {
+ if(_traceLevel > 1)
+ {
+ StringBuilder s = new StringBuilder("trust manager accepting PDNs:\n");
+ stringify(matchSet, s);
 _communicator.getLogger().trace("Security", s.toString());
 }
 if(match(matchSet, dn))
@@ -159,6 +196,11 @@ class TrustManager
 _communicator.getLogger().warning(
 "IceSSL: unable to parse certificate DN `" + subjectName + "'\nreason: " + e.reason);
 }
+
+ //
+ // At this point we accept the connection if there are no explicit accept rules.
+ //
+ return accept.isEmpty();
 }
 
 return false;
@@ -202,8 +244,9 @@ class TrustManager
 return true;
 }
 
- java.util.List<java.util.List<RFC2253.RDNPair> >
- parse(String value)
+ void
+ parse(String value, java.util.List<java.util.List<RFC2253.RDNPair> > reject,
+ java.util.List<java.util.List<RFC2253.RDNPair> > accept)
 throws RFC2253.ParseException
 {
 //
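Review bot: `return accept.isEmpty();` is placed after the handler that logs `IceSSL: unable to parse certificate DN` (its `catch` header is outside the hunk, but `e.reason` and the message indicate the `RFC2253.ParseException` path), so a peer whose subject DN cannot be parsed is accepted whenever only `!`-prefixed reject rules are configured, even though the reject loop in the previous hunk never ran for it. Add `return false;` as the last statement of that handler so an unparseable DN fails closed regardless of configuration; when accept rules exist the outcome is already false because `accept.isEmpty()` is false. The enclosing `if`/`try` of `verify` begins before this hunk.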
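Review bot: `parse` changed from returning a list to filling two out-parameters, but nothing at the signature says which entries land where; a reader has to follow the body into a later hunk to find the `e.negate` branch. Add above the signature: `// Parses a TrustOnly property value; each ';'-separated DN is appended to reject when it was prefixed with '!' and to accept otherwise.` The body of `parse` continues in the following hunks.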
@@ -229,7 +272,7 @@ class TrustManager
 // This means that the user input, unless it uses the
 // unfriendly OID format, will not directly match the
 // principal.
- //
+ //
 // Two possible solutions:
 //
 // Have the RFC2253 parser convert anything that is not CN, L,
@@ -245,14 +288,12 @@ class TrustManager
 // DNs on ';' which cannot be blindly split because of quotes,
 // \ and such.
 //
- java.util.List<java.util.List<RFC2253.RDNPair> > l = RFC2253.parse(value);
- java.util.List<java.util.List<RFC2253.RDNPair> > result =
- new java.util.LinkedList<java.util.List<RFC2253.RDNPair> >();
- for(java.util.List<RFC2253.RDNPair> dn : l)
+ java.util.List<RFC2253.RDNEntry> l = RFC2253.parse(value);
+ for(RFC2253.RDNEntry e : l)
 {
- StringBuffer v = new StringBuffer();
+ StringBuilder v = new StringBuilder();
 boolean first = true;
- for(RFC2253.RDNPair pair : dn)
+ for(RFC2253.RDNPair pair : e.rdn)
 {
 if(!first)
 {
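Review bot: The loop variable in `for(RFC2253.RDNEntry e : l)` reads as an exception, which is exactly what `e` names in this class's `catch(RFC2253.ParseException e)`; `for(RFC2253.RDNEntry entry : l)` with `entry.rdn` here and `entry.negate` in the next hunk avoids the double meaning. The loop body continues past the end of this hunk.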
@@ -265,17 +306,61 @@ class TrustManager
 }
 javax.security.auth.x500.X500Principal princ = new javax.security.auth.x500.X500Principal(v.toString());
 String subjectName = princ.getName(javax.security.auth.x500.X500Principal.RFC2253);
- result.add(RFC2253.parseStrict(subjectName));
+ if(e.negate)
+ {
+ reject.add(RFC2253.parseStrict(subjectName));
+ }
+ else
+ {
+ accept.add(RFC2253.parseStrict(subjectName));
+ }
+ }
+ }
+
+ private static void
+ stringify(java.util.List<java.util.List<RFC2253.RDNPair>> matchSet, StringBuilder s)
+ {
+ boolean addSemi = false;
+ for(java.util.List<RFC2253.RDNPair> rdnSet : matchSet)
+ {
+ if(addSemi)
+ {
+ s.append(';');
+ }
+ addSemi = true;
+ boolean addComma = false;
+ for(RFC2253.RDNPair rdn : rdnSet)
+ {
+ if(addComma)
+ {
+ s.append(',');
+ }
+ addComma = true;
+ s.append(rdn.key);
+ s.append('=');
+ s.append(rdn.value);
+ }
 }
- return result;
 }
 
 private Ice.Communicator _communicator;
 private int _traceLevel;
- private java.util.List<java.util.List<RFC2253.RDNPair> > _all;
- private java.util.List<java.util.List<RFC2253.RDNPair> > _client;
- private java.util.List<java.util.List<RFC2253.RDNPair> > _allServer;
- private java.util.Map<String, java.util.List<java.util.List<RFC2253.RDNPair> > > _server =
+ private java.util.List<java.util.List<RFC2253.RDNPair> > _rejectAll =
+ new java.util.LinkedList<java.util.List<RFC2253.RDNPair> >();
+ private java.util.List<java.util.List<RFC2253.RDNPair> > _rejectClient =
+ new java.util.LinkedList<java.util.List<RFC2253.RDNPair> >();
+ private java.util.List<java.util.List<RFC2253.RDNPair> > _rejectAllServer =
+ new java.util.LinkedList<java.util.List<RFC2253.RDNPair> >();
+ private java.util.Map<String, java.util.List<java.util.List<RFC2253.RDNPair> > > _rejectServer =
+ new java.util.HashMap<String, java.util.List<java.util.List<RFC2253.RDNPair> > >();
+
+ private java.util.List<java.util.List<RFC2253.RDNPair> > _acceptAll =
+ new java.util.LinkedList<java.util.List<RFC2253.RDNPair> >();
+ private java.util.List<java.util.List<RFC2253.RDNPair> > _acceptClient =
+ new java.util.LinkedList<java.util.List<RFC2253.RDNPair> >();
+ private java.util.List<java.util.List<RFC2253.RDNPair> > _acceptAllServer =
+ new java.util.LinkedList<java.util.List<RFC2253.RDNPair> >();
+ private java.util.Map<String, java.util.List<java.util.List<RFC2253.RDNPair> > > _acceptServer =
 new java.util.HashMap<String, java.util.List<java.util.List<RFC2253.RDNPair> > >();
 }
diff --git a/java/test/IceSSL/configuration/AllTests.java b/java/test/IceSSL/configuration/AllTests.java
index 4fc9da0fb31..bf7fba3f762 100644
--- a/java/test/IceSSL/configuration/AllTests.java
+++ b/java/test/IceSSL/configuration/AllTests.java
@@ -66,7 +66,7 @@ public class AllTests
 }
 return result;
 }
-
+
 public static ServerFactoryPrx
 allTests(test.Util.Application app, String testDir, PrintWriter out)
 {
@@ -669,7 +669,7 @@ public class AllTests
 test(plugin != null);
 test(plugin.getCertificateVerifier() != null);
 comm.destroy();
- }
+ }
 out.println("ok");
 
 out.print("testing protocols... ");
@@ -843,8 +843,8 @@ public class AllTests
 out.print("testing passwords... ");
 out.flush();
- {
- //
+ {
+ //
 // Test password failure.
 //
 Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
@@ -852,7 +852,7 @@ public class AllTests
 // Don't specify the password.
 //initData.properties.setProperty("IceSSL.Password", "password");
 try
- {
+ {
 Ice.Util.initialize(args, initData);
 test(false);
 }
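Review bot: The eight rule fields declared at the end of this hunk are initialised at their declaration and, as far as the diff shows, only filled in place through `parse(...)` and `put(...)` in the constructor, so each can be `private final ...` (e.g. `private final java.util.List<java.util.List<RFC2253.RDNPair> > _rejectAll =`); that documents that the rule sets are fixed after construction and lets the compiler reject an accidental reassignment. `stringify` would also benefit from a one-line comment, `// Appends matchSet as "k=v,k=v;k=v" for trace output.`, since the format it produces is otherwise only implied by the trace messages in `verify`.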
@@ -1139,13 +1139,13 @@ public class AllTests
 out.flush();
 {
 Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
- initData = createClientProps(defaultProperties, defaultDir, defaultHost);
 initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
 initData.properties.setProperty("IceSSL.Password", "password");
 initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
 initData.properties.setProperty("IceSSL.TrustOnly",
- "C=US, ST=Florida, O=ZeroC\\, Inc.,OU=Ice, emailAddress=info@zeroc.com, CN=Server");
+ "C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Server");
 Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
 test(fact != null);
 java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
@@ -1166,11 +1166,65 @@ public class AllTests
 }
 {
 Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
- initData = createClientProps(defaultProperties, defaultDir, defaultHost);
 initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
 initData.properties.setProperty("IceSSL.Password", "password");
 initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ initData.properties.setProperty("IceSSL.TrustOnly",
+ "!C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Server");
 Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_dsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.LocalException ex)
+ {
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+ {
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ initData.properties.setProperty("IceSSL.TrustOnly",
+ "C=US, ST=Florida, O=\"ZeroC, Inc.\", OU=Ice, emailAddress=info@zeroc.com, CN=Server");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_dsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
+ catch(Ice.LocalException ex)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+ {
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
 test(fact != null);
 java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
@@ -1178,7 +1232,7 @@ public class AllTests
 d.put("IceSSL.Password", "password");
 d.put("IceSSL.Truststore", "cacert1.jks");
 d.put("IceSSL.TrustOnly",
- "C=US, ST=Florida, O=ZeroC\\, Inc.,OU=Ice, emailAddress=info@zeroc.com, CN=Client");
+ "C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Client");
 ServerPrx server = fact.createServer(d);
 try
 {
@@ -1193,12 +1247,39 @@ public class AllTests
 }
 {
 Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
- initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_dsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ d.put("IceSSL.TrustOnly",
+ "!C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Client");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.LocalException ex)
+ {
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+ {
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
 initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
 initData.properties.setProperty("IceSSL.Password", "password");
 initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
 initData.properties.setProperty("IceSSL.TrustOnly", "CN=Server");
 Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
 test(fact != null);
 java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
@@ -1219,11 +1300,37 @@ public class AllTests
 }
 {
 Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
- initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ initData.properties.setProperty("IceSSL.TrustOnly", "!CN=Server");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_dsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.LocalException ex)
+ {
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+ {
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
 initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
 initData.properties.setProperty("IceSSL.Password", "password");
 initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
 Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
 test(fact != null);
 java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
@@ -1245,12 +1352,38 @@ public class AllTests
 }
 {
 Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
- initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_dsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ d.put("IceSSL.TrustOnly", "!CN=Client");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.LocalException ex)
+ {
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+ {
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
 initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
 initData.properties.setProperty("IceSSL.Password", "password");
 initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
 initData.properties.setProperty("IceSSL.TrustOnly", "CN=Client");
 Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
 test(fact != null);
 java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
@@ -1271,11 +1404,11 @@ public class AllTests
 }
 {
 Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
- initData = createClientProps(defaultProperties, defaultDir, defaultHost);
 initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
 initData.properties.setProperty("IceSSL.Password", "password");
 initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
 Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
 test(fact != null);
 java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
@@ -1297,12 +1430,12 @@ public class AllTests
 }
 {
 Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
- initData = createClientProps(defaultProperties, defaultDir, defaultHost);
 initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
 initData.properties.setProperty("IceSSL.Password", "password");
 initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
 initData.properties.setProperty("IceSSL.TrustOnly", "C=Canada,CN=Server");
 Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
 test(fact != null);
 java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
@@ -1323,12 +1456,38 @@ public class AllTests
 }
 {
 Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
- initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ initData.properties.setProperty("IceSSL.TrustOnly", "!C=Canada,CN=Server");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_dsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
+ catch(Ice.LocalException ex)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+ {
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
 initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
 initData.properties.setProperty("IceSSL.Password", "password");
 initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
 initData.properties.setProperty("IceSSL.TrustOnly", "C=Canada;CN=Server");
 Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
 test(fact != null);
 java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
@@ -1348,19 +1507,125 @@ public class AllTests
 comm.destroy();
 }
 {
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ initData.properties.setProperty("IceSSL.TrustOnly", "!C=Canada;!CN=Server");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_dsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.LocalException ex)
+ {
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+ {
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ initData.properties.setProperty("IceSSL.TrustOnly", "!CN=Server1"); // Should not match "Server"
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_dsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
+ catch(Ice.LocalException ex)
+ {
+
test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+ {
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_dsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ d.put("IceSSL.TrustOnly", "!CN=Client1"); // Should not match "Client"
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
+ catch(Ice.LocalException ex)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+ {
+ //
+ // Test rejection when client does not supply a certificate.
+ //
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Ciphers", "NONE (.*DH_anon.*)");
+ initData.properties.setProperty("IceSSL.VerifyPeer", "0");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.TrustOnly",
+ "C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Client");
+ d.put("IceSSL.Ciphers", "NONE (.*DH_anon.*)");
+ d.put("IceSSL.VerifyPeer", "0");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.LocalException ex)
+ {
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+ {
 //
 // Test rejection when client does not supply a certificate.
 //
 Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
- initData = createClientProps(defaultProperties, defaultDir, defaultHost);
 initData.properties.setProperty("IceSSL.Ciphers", "NONE (.*DH_anon.*)");
 initData.properties.setProperty("IceSSL.VerifyPeer", "0");
 Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
 test(fact != null);
 java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
 d.put("IceSSL.TrustOnly",
- "C=US, ST=Florida, O=ZeroC\\, Inc.,OU=Ice, emailAddress=info@zeroc.com, CN=Client");
+ "!C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Client");
 d.put("IceSSL.Ciphers", "NONE (.*DH_anon.*)");
 d.put("IceSSL.VerifyPeer", "0");
 ServerPrx server = fact.createServer(d);
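Review bot: The last two blocks of this hunk carry the identical comment `// Test rejection when client does not supply a certificate.`, but they exercise different rules: the first keeps an accept rule, while the second now configures `!C=US, ..., CN=Client` and its expected outcome lies outside the hunk. Whether an anonymous peer (no certificate, hence no DN) is rejected under a reject-only rule or admitted because nothing matches is the fail-open versus fail-closed question a reader of this test will ask first, so the second comment should state the expected result instead of repeating the accept-rule wording, e.g. `// No client certificate, so there is no DN for the reject rule to match; the outcome below pins whether that is fail-open or fail-closed.` The `!CN=Server1` / `!CN=Client1` blocks with `// Should not match "Server"` are a welcome guard against prefix matching; a comment on the `!C=Canada;!CN=Server` block noting that a single matching reject rule is enough would make that block self-explanatory too.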
@@ -1375,19 +1640,77 @@ public class AllTests
 fact.destroyServer(server);
 comm.destroy();
 }
+ {
+ //
+ // Rejection takes precedence (client).
+ //
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ initData.properties.setProperty("IceSSL.TrustOnly", "ST=Florida;!CN=Server;C=US");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_dsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.LocalException ex)
+ {
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+ {
+ //
+ // Rejection takes precedence (server).
+ //
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_dsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ d.put("IceSSL.TrustOnly", "ST=Florida;!CN=Client;C=US");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.LocalException ex)
+ {
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
 out.println("ok");
 out.print("testing IceSSL.TrustOnly.Client... ");
 out.flush();
 {
 Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
- initData = createClientProps(defaultProperties, defaultDir, defaultHost);
 initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
 initData.properties.setProperty("IceSSL.Password", "password");
 initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
 initData.properties.setProperty("IceSSL.TrustOnly.Client",
- "C=US, ST=Florida, O=ZeroC\\, Inc.,OU=Ice, emailAddress=info@zeroc.com, CN=Server");
+ "C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Server");
 Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
 test(fact != null);
 java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
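Review bot: Every full-DN literal in this hunk and in the hunks at `@@ -1396`, `@@ -1435`, `@@ -1456` and `@@ -1514` changes `Inc.,OU=Ice` to `Inc., OU=Ice`, which reads as a consequence of the RFC2253 parser changes in the same commit rather than a cosmetic edit. After the change no test feeds the parser an attribute that directly follows an escaped-comma value without whitespace, so whichever behaviour the parser now has for that input — still accepted, or rejected — is unverified; I'd keep one block with the old spelling and a stated expectation, or add a comment explaining why the space is now required. The precedence comments are helpful, and `// Rejection takes precedence (client).` would be self-contained if it also named the rules in play, e.g. `// ST=Florida and C=US presumably both match the server DN, but the !CN=Server reject rule must still win.`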
@@ -1396,7 +1719,61 @@ public class AllTests
 d.put("IceSSL.Truststore", "cacert1.jks");
 // Should have no effect.
 d.put("IceSSL.TrustOnly.Client",
- "C=US, ST=Florida, O=ZeroC\\, Inc.,OU=Ice, emailAddress=info@zeroc.com, CN=Server");
+ "C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Server");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
+ catch(Ice.LocalException ex)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+ {
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ initData.properties.setProperty("IceSSL.TrustOnly.Client",
+ "!C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Server");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_dsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.LocalException ex)
+ {
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+ {
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
+ ServerFactoryPrx fact = 
ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_dsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ // Should have no effect.
+ d.put("IceSSL.TrustOnly.Client", "CN=Client");
 ServerPrx server = fact.createServer(d);
 try
 {
@@ -1411,12 +1788,12 @@ public class AllTests
 }
 {
 Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
- initData = createClientProps(defaultProperties, defaultDir, defaultHost);
 initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
 initData.properties.setProperty("IceSSL.Password", "password");
 initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
 initData.properties.setProperty("IceSSL.TrustOnly.Client", "CN=Client");
 Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
 test(fact != null);
 java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
@@ -1435,20 +1812,46 @@ public class AllTests
 fact.destroyServer(server);
 comm.destroy();
 }
+ {
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ initData.properties.setProperty("IceSSL.TrustOnly.Client", "!CN=Client");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_dsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
+ catch(Ice.LocalException ex)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
 out.println("ok");
 out.print("testing IceSSL.TrustOnly.Server... ");
 out.flush();
 {
 Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
- initData = createClientProps(defaultProperties, defaultDir, defaultHost);
 initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
 initData.properties.setProperty("IceSSL.Password", "password");
 initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
 // Should have no effect.
initData.properties.setProperty("IceSSL.TrustOnly.Server",
- "C=US, ST=Florida, O=ZeroC\\, Inc.,OU=Ice, emailAddress=info@zeroc.com, CN=Client");
+ "C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Client");
 Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
 test(fact != null);
 java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
@@ -1456,7 +1859,7 @@ public class AllTests
 d.put("IceSSL.Password", "password");
 d.put("IceSSL.Truststore", "cacert1.jks");
 d.put("IceSSL.TrustOnly.Server",
- "C=US, ST=Florida, O=ZeroC\\, Inc.,OU=Ice, emailAddress=info@zeroc.com, CN=Client");
+ "C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Client");
 ServerPrx server = fact.createServer(d);
 try
 {
@@ -1471,11 +1874,65 @@ public class AllTests
 }
 {
 Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
- initData = createClientProps(defaultProperties, defaultDir, defaultHost);
 initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
 initData.properties.setProperty("IceSSL.Password", "password");
 initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
 Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_dsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ d.put("IceSSL.TrustOnly.Server",
+ "!C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Client");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.LocalException ex)
+ {
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+ {
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ // Should have no effect.
+ initData.properties.setProperty("IceSSL.TrustOnly.Server", "!CN=Server");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_dsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
+ catch(Ice.LocalException ex)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+ {
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
 test(fact != null);
 java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
@@ -1495,17 +1952,43 @@ public class AllTests
 fact.destroyServer(server);
 comm.destroy();
 }
+ {
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_dsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ d.put("IceSSL.TrustOnly.Server", "!CN=Client");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.LocalException ex)
+ {
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
 out.println("ok");
 out.print("testing IceSSL.TrustOnly.Server.<AdapterName>... ");
 out.flush();
 {
 Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
- initData = createClientProps(defaultProperties, defaultDir, defaultHost);
 initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
 initData.properties.setProperty("IceSSL.Password", "password");
 initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
 Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
 test(fact != null);
 java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
@@ -1514,7 +1997,7 @@ public class AllTests
 d.put("IceSSL.Truststore", "cacert1.jks");
 d.put("IceSSL.TrustOnly.Server", "CN=bogus");
 d.put("IceSSL.TrustOnly.Server.ServerAdapter",
- "C=US, ST=Florida, O=ZeroC\\, Inc.,OU=Ice, emailAddress=info@zeroc.com, CN=Client");
+ "C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Client");
 ServerPrx server = fact.createServer(d);
 try
 {
@@ -1529,11 +2012,38 @@ public class AllTests
 }
 {
 Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
- initData = createClientProps(defaultProperties, defaultDir, defaultHost);
 initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
 initData.properties.setProperty("IceSSL.Password", "password");
 initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
 Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_dsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ d.put("IceSSL.TrustOnly.Server.ServerAdapter",
+ "!C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Client");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.LocalException ex)
+ {
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+ {
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+
 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
 test(fact != null);
 java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
@@ -1553,6 +2063,31 @@ public class AllTests
 fact.destroyServer(server);
 comm.destroy();
 }
+ {
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_dsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ d.put("IceSSL.TrustOnly.Server.ServerAdapter", "!CN=bogus");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
+ catch(Ice.LocalException ex)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
 out.println("ok");
 return factory; |
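Review bot: The new adapter-scoped block sets only `IceSSL.TrustOnly.Server.ServerAdapter` to `!CN=bogus`, with no `IceSSL.TrustOnly.Server` alongside it, so the commit never shows how a reject rule at one level interacts with an accept rule at the other; the only mixed-level case is the pre-existing `CN=bogus` / full-DN pair in the `@@ -1514` hunk, which covers accept rules alone. If the adapter-specific property is meant to replace the server-wide one (which the `@@ -1514` block suggests but does not prove for `!` rules), one block with `d.put("IceSSL.TrustOnly.Server", "CN=Client");` next to `d.put("IceSSL.TrustOnly.Server.ServerAdapter", "!CN=Client");` and a stated expected outcome would pin that down; an accidental union of the two levels would be a silent widening or narrowing of trust that no current test would catch. The adapter name `ServerAdapter` is assumed to match what the factory creates, which is outside this hunk.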