Refactored SSL and iAP transports, support for running SSL on top

of TCP/iAP/Bluetooth.

1 files changed, 516 insertions, 90 deletions

diff --git a/cpp/src/IceSSL/Certificate.cpp b/cpp/src/IceSSL/Certificate.cpp
index 61597bdd0fe..5429a96b2e9 100644..100755
--- a/cpp/src/IceSSL/Certificate.cpp
+++ b/cpp/src/IceSSL/Certificate.cpp
@@ -15,6 +15,7 @@
 #include <IceSSL/Util.h>
 #include <IceSSL/RFC2253.h>
 #include <Ice/Object.h>
+#include <Ice/Base64.h>
 
 #if defined(ICE_USE_OPENSSL)
 #  include <openssl/x509v3.h>
@@ -42,12 +43,12 @@ extern "C" typedef void (*FreeFunc)(void*);
 
 #endif
 
-
 using namespace std;
 using namespace Ice;
 using namespace IceSSL;
 
 #if defined(ICE_USE_SECURE_TRANSPORT) || defined(ICE_USE_SCHANNEL)
+
 //
 // Map a certificate OID to its alias
 //
@@ -80,7 +81,6 @@ const int certificateOIDSSize = sizeof(certificateOIDS) / sizeof(CertificateOID)
 
 #endif
 
-
 #if defined(ICE_USE_SECURE_TRANSPORT)
 
 string
@@ -98,29 +98,6 @@ certificateOIDAlias(const string& name)
     return name;
 }
 
-//
-// Map alternative name alias to its types.
-//
-const char* certificateAlternativeNameTypes[] = {"", "Email Address", "DNS Name", "", "Directory Name", "", "URI",
-                                                 "IP Address"};
-const int certificateAlternativeNameTypesSize = sizeof(certificateAlternativeNameTypes) / sizeof(char*);
-
-int
-certificateAlternativeNameType(const string& alias)
-{
-    if(!alias.empty())
-    {
-        for(int i = 0; i < certificateAlternativeNameTypesSize; ++i)
-        {
-            if(alias == certificateAlternativeNameTypes[i])
-            {
-                return i;
-            }
-        }
-    }
-    return -1; // Not supported
-}
-
 string
 escapeX509Name(const string& name)
 {
@@ -149,6 +126,31 @@ escapeX509Name(const string& name)
     return os.str();
 }
 
+#if !defined(ICE_USE_SECURE_TRANSPORT_IOS)
+
+//
+// Map alternative name alias to its types.
+//
+const char* certificateAlternativeNameTypes[] = {"", "Email Address", "DNS Name", "", "Directory Name", "", "URI",
+                                                 "IP Address"};
+const int certificateAlternativeNameTypesSize = sizeof(certificateAlternativeNameTypes) / sizeof(char*);
+
+int
+certificateAlternativeNameType(const string& alias)
+{
+    if(!alias.empty())
+    {
+        for(int i = 0; i < certificateAlternativeNameTypesSize; ++i)
+        {
+            if(alias == certificateAlternativeNameTypes[i])
+            {
+                return i;
+            }
+        }
+    }
+    return -1; // Not supported
+}
+
 DistinguishedName
 getX509Name(SecCertificateRef cert, CFTypeRef key)
 {
@@ -256,8 +258,158 @@ getX509String(SecCertificateRef cert, CFTypeRef key)
     return value;
 }
 
-#elif defined(ICE_USE_SCHANNEL)
+#else // IOS
+
+//
+// ASN1Parser to pase the subject/issuer ASN.1 DER encoded attributes on iOS.
+//
+class ASN1Parser
+{
+public:
+
+    ASN1Parser(CFDataRef data) : _data(CFDataGetBytePtr(data)), _length(CFDataGetLength(data)), _p(_data), _next(0)
+    {
+    }
+
+    list<pair<string, string> >
+    parse()
+    {
+        list<pair<string, string> > rdns;
+        while(_p < _data + _length)
+        {
+            switch(parseByte())
+            {
+                case 0x06: // OID
+                {
+                    _rdn.first = parseOID();
+                    break;
+                }
+                case 0x12: // NumericString
+                case 0x13: // PrintableString
+                case 0x0C: // UTF8String
+                case 0x16: // IA5String
+                {
+                    _rdn.second = escapeX509Name(parseUTF8String());
+                    break;
+                }
+                case 0x30: // SEQUENCE
+                case 0x31: // SET
+                {
+                    int length = parseLength(0);
+                    _next = _p + length;
+                    if(_next > _data + _length)
+                    {
+                        throw CertificateEncodingException(__FILE__, __LINE__, "invalid length");
+                    }
+                    break;
+                }
+                default:
+                {
+                    // Unsupported tag, skip the SET.
+                    if(!_next)
+                    {
+                        return rdns;
+                    }
+                    _p = _next;
+                    _next = 0;
+                    break;
+                }
+            }
+            if(_p == _next)
+            {
+                rdns.push_back(_rdn);
+            }
+        }
+        return rdns;
+    }
+
+    string
+    parseOID()
+    {
+        int length = parseLength(1);
+        ostringstream oid;
+        unsigned char c = parseByte();
+        oid << c / 40 << "." << c % 40;
+        while(--length > 0)
+        {
+            if((*_p & 0x80) == 0)
+            {
+                oid << "." << static_cast<int>(parseByte());
+            }
+            else
+            {
+                uint64_t result = (uint64_t)(*_p & 127);
+                while(parseByte() & 128)
+                {
+                    result = (result << 7) | (uint64_t)(*_p & 127);
+                    --length;
+                }
+                oid << "." << result;
+            }
+        }
+        return certificateOIDAlias(oid.str());
+    }
+
+    string
+    parseUTF8String()
+    {
+        int length = parseLength(0);
+        string v(reinterpret_cast<const char*>(_p), length);
+        _p += length;
+        return v;
+    }
 
+    int
+    parseLength(int required)
+    {
+        int length = 0;
+        if((*_p & 0x80) == 0)
+        {
+            length = static_cast<int>(parseByte());
+        }
+        else
+        {
+            int nbytes = static_cast<int>(parseByte());
+            for(int i = 0; i < nbytes; ++i)
+            {
+                length = length * 256 + parseByte();
+            }
+        }
+        if((required > 0 && length < required) || (_p + length > _data + _length))
+        {
+            throw CertificateEncodingException(__FILE__, __LINE__, "invalid length");
+        }
+        return length;
+    }
+
+    unsigned char
+    parseByte()
+    {
+        if(_p >= _data + _length)
+        {
+            throw CertificateEncodingException(__FILE__, __LINE__, "invalid length");
+        }
+        unsigned char b = *_p++;
+        return b;
+    }
+
+private:
+
+    const unsigned char* _data;
+    const size_t _length;
+    const unsigned char* _p;
+    const unsigned char* _next;
+    pair<string, string> _rdn;
+    list<pair<string, string> > _rdns;
+};
+#endif
+
+#elif defined(ICE_USE_SCHANNEL) || defined(ICE_OS_WINRT)
+
+const Ice::Long TICKS_PER_MSECOND = 10000LL;
+const Ice::Long MSECS_TO_EPOCH = 11644473600000LL;
+
+#if defined(ICE_USE_SCHANNEL)
 void
 loadCertificate(PCERT_SIGNED_CONTENT_INFO* cert, const char* buffer, DWORD length)
 {
@@ -294,9 +446,6 @@ loadCertificate(PCERT_SIGNED_CONTENT_INFO* cert, const string& file)
     loadCertificate(cert, &buffer[0], static_cast<DWORD>(buffer.size()));
 }
 
-const Ice::Long TICKS_PER_MSECOND = 10000LL;
-const Ice::Long MSECS_TO_EPOCH = 11644473600000LL;
-
 IceUtil::Time
 filetimeToTime(FILETIME ftime)
 {
@@ -419,6 +568,32 @@ certificateAltNames(CERT_INFO* certInfo, LPCSTR altNameOID)
     }
     return altNames;
 }
+#else
+
+vector<pair<int, string> >
+certificateAltNames(Windows::Security::Cryptography::Certificates::SubjectAlternativeNameInfo^ subAltNames)
+{
+	vector<pair<int, string> > altNames;
+	for (auto iter = subAltNames->EmailName->First(); iter->HasCurrent; iter->MoveNext())
+	{
+		altNames.push_back(make_pair(AltNameEmail, IceUtil::wstringToString(iter->Current->Data())));
+	}
+	for (auto iter = subAltNames->DnsName->First(); iter->HasCurrent; iter->MoveNext())
+	{
+		altNames.push_back(make_pair(AltNameDNS, IceUtil::wstringToString(iter->Current->Data())));
+	}
+	for (auto iter = subAltNames->Url->First(); iter->HasCurrent; iter->MoveNext())
+	{
+		altNames.push_back(make_pair(AltNameURL, IceUtil::wstringToString(iter->Current->Data())));
+	}
+	for (auto iter = subAltNames->IPAddress->First(); iter->HasCurrent; iter->MoveNext())
+	{
+		altNames.push_back(make_pair(AltNAmeIP, IceUtil::wstringToString(iter->Current->Data())));
+	}
+	return altNames;
+}
+#endif
+
 #endif
 
 CertificateReadException::CertificateReadException(const char* file, int line, const string& r) :
@@ -700,21 +875,25 @@ ParseException::ice_throw() const
 }
 
 #ifdef ICE_USE_OPENSSL
-DistinguishedName::DistinguishedName(X509NAME* name) :
-    _rdns(RFC2253::parseStrict(convertX509NameToString(name)))
+DistinguishedName::DistinguishedName(X509NAME* name) : _rdns(RFC2253::parseStrict(convertX509NameToString(name)))
 {
     unescape();
 }
 #endif
 
-DistinguishedName::DistinguishedName(const string& dn) :
-    _rdns(RFC2253::parseStrict(dn))
+#if defined(ICE_USE_SECURE_TRANSPORT_IOS)
+DistinguishedName::DistinguishedName(CFDataRef data) : _rdns(ASN1Parser(data).parse())
 {
     unescape();
 }
+#endif
 
-DistinguishedName::DistinguishedName(const list<pair<string, string> >& rdns) :
-    _rdns(rdns)
+DistinguishedName::DistinguishedName(const string& dn) : _rdns(RFC2253::parseStrict(dn))
+{
+    unescape();
+}
+
+DistinguishedName::DistinguishedName(const list<pair<string, string> >& rdns) : _rdns(rdns)
 {
     unescape();
 }
@@ -810,7 +989,7 @@ PublicKey::~PublicKey()
     {
 #   if defined(ICE_USE_SECURE_TRANSPORT)
         CFRelease(_key);
-#   else
+#   elif defined(ICE_USE_OPENSSL)
         EVP_PKEY_free(_key);
 #   endif
     }
@@ -827,9 +1006,6 @@ PublicKey::key() const
 // The caller is responsible for incrementing the reference count.
 //
 Certificate::Certificate(X509CertificateRef cert) : _cert(cert)
-#ifdef ICE_USE_SCHANNEL
-    , _certInfo(0)
-#endif
 {
     if(!_cert)
     {
@@ -837,6 +1013,7 @@ Certificate::Certificate(X509CertificateRef cert) : _cert(cert)
     }
 
 #ifdef ICE_USE_SCHANNEL
+    _certInfo = 0;
     try
     {
         //
@@ -856,13 +1033,28 @@ Certificate::Certificate(X509CertificateRef cert) : _cert(cert)
         throw;
     }
 #endif
+
+#if defined(ICE_USE_SECURE_TRANSPORT_IOS)
+    _subject = NULL;
+    _issuer = NULL;
+#endif
 }
 
 Certificate::~Certificate()
 {
     if(_cert)
     {
-#if defined(ICE_USE_SECURE_TRANSPORT)
+#if defined(ICE_USE_SECURE_TRANSPORT_IOS)
+        if(_subject)
+        {
+            CFRelease(_subject);
+        }
+        if(_issuer)
+        {
+            CFRelease(_issuer);
+        }
+        CFRelease(_cert);
+#elif defined(ICE_USE_SECURE_TRANSPORT_MACOS)
         CFRelease(_cert);
 #elif defined(ICE_USE_SCHANNEL)
         LocalFree(_cert);
@@ -870,7 +1062,7 @@ Certificate::~Certificate()
         {
             LocalFree(_certInfo);
         }
-#else
+#elif defined(ICE_USE_OPENSSL)
         X509_free(_cert);
 #endif
     }
@@ -880,12 +1072,20 @@ CertificatePtr
 Certificate::load(const string& file)
 {
 #if defined(ICE_USE_SECURE_TRANSPORT)
-    return ICE_MAKE_SHARED(Certificate, loadCertificate(file));
+    string resolved;
+    if(checkPath(file, "", false, resolved))
+    {
+        return ICE_MAKE_SHARED(Certificate, loadCertificate(resolved));
+    }
+    else
+    {
+        throw CertificateReadException(__FILE__, __LINE__, "error opening file " + file);
+    }
 #elif defined(ICE_USE_SCHANNEL)
     CERT_SIGNED_CONTENT_INFO* cert;
     loadCertificate(&cert, file);
     return ICE_MAKE_SHARED(Certificate, cert);
-#else
+#elif defined(ICE_USE_OPENSSL)
     BIO *cert = BIO_new(BIO_s_file());
     if(BIO_read_filename(cert, file.c_str()) <= 0)
     {
@@ -901,16 +1101,45 @@ Certificate::load(const string& file)
     }
     BIO_free(cert);
     return ICE_MAKE_SHARED(Certificate, x);
+#elif defined(ICE_OS_WINRT)
+    // TODO
+    return ICE_NULLPTR;
+#else
+#   error "Unknown platform"
 #endif
 }
 
 CertificatePtr
 Certificate::decode(const string& encoding)
 {
-#if defined(ICE_USE_SECURE_TRANSPORT)
+#if defined(ICE_USE_SECURE_TRANSPORT_IOS)
+    string::size_type size, startpos, endpos = 0;
+    startpos = encoding.find("-----BEGIN CERTIFICATE-----", endpos);
+    if(startpos != string::npos)
+    {
+        startpos += sizeof("-----BEGIN CERTIFICATE-----");
+        endpos = encoding.find("-----END CERTIFICATE-----", startpos);
+        size = endpos - startpos;
+    }
+    else
+    {
+        startpos = 0;
+        endpos = string::npos;
+        size = encoding.size();
+    }
+
+    vector<unsigned char> data(IceInternal::Base64::decode(string(&encoding[startpos], size)));
+    UniqueRef<CFDataRef> certdata(CFDataCreate(kCFAllocatorDefault, &data[0], data.size()));
+    SecCertificateRef cert = SecCertificateCreateWithData(0, certdata.get());
+    if(!cert)
+    {
+        assert(false);
+        throw CertificateEncodingException(__FILE__, __LINE__, "certificate is not a valid PEM-encoded certificate");
+    }
+    return ICE_MAKE_SHARED(Certificate, cert);
+#elif defined(ICE_USE_SECURE_TRANSPORT_MACOS)
     CFDataRef data = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, reinterpret_cast<const UInt8*>(encoding.c_str()),
                                                  encoding.size(), kCFAllocatorNull);
-
     SecExternalFormat format = kSecFormatUnknown;
     SecExternalItemType type = kSecItemTypeCertificate;
 
@@ -929,14 +1158,13 @@ Certificate::decode(const string& encoding)
     SecKeychainItemRef item = (SecKeychainItemRef)CFArrayGetValueAtIndex(items, 0);
     CFRetain(item);
     CFRelease(items);
-
     assert(SecCertificateGetTypeID() == CFGetTypeID(item));
     return ICE_MAKE_SHARED(Certificate, (SecCertificateRef)item);
 #elif defined(ICE_USE_SCHANNEL)
     CERT_SIGNED_CONTENT_INFO* cert;
     loadCertificate(&cert, encoding.c_str(), static_cast<DWORD>(encoding.size()));
     return ICE_MAKE_SHARED(Certificate, cert);
-#else
+#elif defined(ICE_USE_OPENSSL)
     BIO *cert = BIO_new_mem_buf(static_cast<void*>(const_cast<char*>(&encoding[0])), static_cast<int>(encoding.size()));
     X509CertificateRef x = PEM_read_bio_X509_AUX(cert, NULL, NULL, NULL);
     if(x == NULL)
@@ -946,6 +1174,11 @@ Certificate::decode(const string& encoding)
     }
     BIO_free(cert);
     return ICE_MAKE_SHARED(Certificate, x);
+#elif defined(ICE_OS_WINRT)
+    // TODO
+    return ICE_NULLPTR;
+#else
+#   error "Unknown platform"
 #endif
 }
 
@@ -956,27 +1189,27 @@ Certificate::operator==(const Certificate& other) const
     return CFEqual(_cert, other._cert);
 #elif defined(ICE_USE_SCHANNEL)
     return CertCompareCertificate(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, _certInfo, other._certInfo);
-#else
+#elif defined(ICE_USE_OPENSSL)
     return X509_cmp(_cert, other._cert) == 0;
+#elif defined(ICE_OS_WINRT)
+    return _cert->Equals(other._cert);
+#else
+#   error "Unknown platform"
 #endif
 }
 
 bool
 Certificate::operator!=(const Certificate& other) const
 {
-#if defined(ICE_USE_SECURE_TRANSPORT)
-    return !CFEqual(_cert, other._cert);
-#elif defined(ICE_USE_SCHANNEL)
-    return !CertCompareCertificate(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, _certInfo, other._certInfo);
-#else
-    return X509_cmp(_cert, other._cert) != 0;
-#endif
+    return !operator==(other);
 }
 
 PublicKeyPtr
 Certificate::getPublicKey() const
 {
-#if defined(ICE_USE_SECURE_TRANSPORT)
+#if defined(ICE_USE_SECURE_TRANSPORT_IOS)
+    return ICE_NULLPTR; // Not supported
+#elif defined(ICE_USE_SECURE_TRANSPORT_MACOS)
     SecKeyRef key;
     OSStatus err = SecCertificateCopyPublicKey(_cert, &key);
     if(err)
@@ -986,8 +1219,12 @@ Certificate::getPublicKey() const
     return ICE_MAKE_SHARED(PublicKey, shared_from_this(), key);
 #elif defined(ICE_USE_SCHANNEL)
     return ICE_MAKE_SHARED(PublicKey, shared_from_this(), &_certInfo->SubjectPublicKeyInfo);
-#else
+#elif defined(ICE_USE_OPENSSL)
     return ICE_MAKE_SHARED(PublicKey, shared_from_this(), X509_get_pubkey(_cert));
+#elif defined(ICE_OS_WINRT)
+    return ICE_NULLPTR; // Not supported
+#else
+#   error "Unknown platform"
 #endif
 }
 
@@ -996,17 +1233,20 @@ Certificate::verify(const CertificatePtr& cert) const
 {
 #if defined(ICE_USE_SECURE_TRANSPORT)
     //
-    // We first check if the given certificate subject match
-    // our certificate issuer. Otherwhise when use SecTrustEvaluate
-    // and check a certificate against itself will always return
-    // that is valid.
+    // We first check if the given certificate subject match our certificate
+    // issuer. Otherwhise when checking a certificate against itself
+    // SecTrustEvaluate always returns it is valid.
     //
     bool valid = false;
 
-    CFErrorRef error = 0;
+#if defined(ICE_USE_SECURE_TRANSPORT_IOS)
+    initializeAttributes();
+    cert->initializeAttributes();
+    valid = CFEqual(_issuer, cert->_subject);
+#else
     CFDataRef issuer = 0;
     CFDataRef subject = 0;
-
+    CFErrorRef error = 0;
     try
     {
         issuer = SecCertificateCopyNormalizedIssuerContent(_cert, &error);
@@ -1042,7 +1282,7 @@ Certificate::verify(const CertificatePtr& cert) const
 
     CFRelease(issuer);
     CFRelease(subject);
-
+#endif
     if(valid)
     {
         SecPolicyRef policy = 0;
@@ -1107,8 +1347,12 @@ Certificate::verify(const CertificatePtr& cert) const
     bool result = CryptVerifyCertificateSignature(0, X509_ASN_ENCODING, buffer, length, cert->getPublicKey()->key());
     LocalFree(buffer);
     return result;
-#else
+#elif defined(ICE_USE_OPENSSL)
     return X509_verify(_cert, cert->getPublicKey()->key()) > 0;
+#elif defined(ICE_OS_WINRT)
+    return false;
+#else
+#   error "Unknown platform"
 #endif
 }
 
@@ -1123,7 +1367,15 @@ Certificate::verify(const PublicKeyPtr& key) const
 string
 Certificate::encode() const
 {
-#if defined(ICE_USE_SECURE_TRANSPORT)
+#if defined(ICE_USE_SECURE_TRANSPORT_IOS)
+    UniqueRef<CFDataRef> c(SecCertificateCopyData(_cert));
+    vector<unsigned char> data(CFDataGetBytePtr(c.get()), CFDataGetBytePtr(c.get()) + CFDataGetLength(c.get()));
+    ostringstream os;
+    os << "-----BEGIN CERTIFICATE-----\n";
+    os << IceInternal::Base64::encode(data);
+    os << "-----END CERTIFICATE-----\n";
+    return os.str();
+#elif defined(ICE_USE_SECURE_TRANSPORT_MACOS)
     CFDataRef exported;
     OSStatus err = SecItemExport(_cert, kSecFormatPEMSequence, kSecItemPemArmour, 0, &exported);
     if(err != noErr)
@@ -1170,7 +1422,7 @@ Certificate::encode() const
         throw;
     }
     return s;
-#else
+#elif defined(ICE_USE_OPENSSL)
     BIO* out = BIO_new(BIO_s_mem());
     int i = PEM_write_bio_X509_AUX(out, _cert);
     if(i <= 0)
@@ -1183,9 +1435,25 @@ Certificate::encode() const
     string result = string(p->data, p->length);
     BIO_free(out);
     return result;
+#elif defined(ICE_OS_WINRT)
+	auto reader = Windows::Storage::Streams::DataReader::FromBuffer(_cert->GetCertificateBlob());
+	std::vector<unsigned char> data(reader->UnconsumedBufferLength);
+	if (!data.empty())
+	{
+		reader->ReadBytes(Platform::ArrayReference<unsigned char>(&data[0], data.size()));
+	}
+    ostringstream os;
+    os << "-----BEGIN CERTIFICATE-----\n";
+    os << IceInternal::Base64::encode(data);
+    os << "-----END CERTIFICATE-----\n";
+    return os.str();
+#else
+#   error "Unknown platform"
 #endif
 }
 
+#if !defined(ICE_USE_SECURE_TRANSPORT_IOS)
+
 bool
 Certificate::checkValidity() const
 {
@@ -1206,8 +1474,13 @@ Certificate::getNotAfter() const
     return getX509Date(_cert, kSecOIDX509V1ValidityNotAfter);
 #elif defined(ICE_USE_SCHANNEL)
     return filetimeToTime(_certInfo->NotAfter);
-#else
+#elif defined(ICE_USE_OPENSSL)
     return ASMUtcTimeToIceUtilTime(X509_get_notAfter(_cert));
+#elif defined(ICE_OS_WINRT)
+    // Convert 100ns time from January 1, 1601 to ms from January 1, 1970
+    return IceUtil::Time::milliSeconds(_cert->ValidTo.UniversalTime / TICKS_PER_MSECOND - MSECS_TO_EPOCH);
+#else
+#   error "Unknown platform"
 #endif
 }
 
@@ -1218,15 +1491,25 @@ Certificate::getNotBefore() const
     return getX509Date(_cert, kSecOIDX509V1ValidityNotBefore);
 #elif defined(ICE_USE_SCHANNEL)
     return filetimeToTime(_certInfo->NotBefore);
-#else
+#elif defined(ICE_USE_OPENSSL)
     return ASMUtcTimeToIceUtilTime(X509_get_notBefore(_cert));
+#elif defined(ICE_OS_WINRT)
+    // Convert 100ns time from January 1, 1601 to ms from January 1, 1970
+    return IceUtil::Time::milliSeconds(_cert->ValidFrom.UniversalTime / TICKS_PER_MSECOND - MSECS_TO_EPOCH);
+#else
+#   error "Unknown platform"
 #endif
 }
 
+#endif
+
 string
 Certificate::getSerialNumber() const
 {
-#if defined(ICE_USE_SECURE_TRANSPORT)
+#if defined(ICE_USE_SECURE_TRANSPORT_IOS)
+    initializeAttributes();
+    return _serial;
+#elif defined(ICE_USE_SECURE_TRANSPORT_MACOS)
     return getX509String(_cert, kSecOIDX509V1SerialNumber);
 #elif defined(ICE_USE_SCHANNEL)
     ostringstream os;
@@ -1235,14 +1518,14 @@ Certificate::getSerialNumber() const
         unsigned char c = _certInfo->SerialNumber.pbData[i];
         os.fill('0');
         os.width(2);
-        os << hex << (int)c;
+        os << hex << static_cast<int>(c);
         if(i)
         {
             os << ' ';
         }
     }
     return IceUtilInternal::toUpper(os.str());
-#else
+#elif defined(ICE_USE_OPENSSL)
     BIGNUM* bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(_cert), 0);
     char* dec = BN_bn2dec(bn);
     string result = dec;
@@ -1250,31 +1533,40 @@ Certificate::getSerialNumber() const
     BN_free(bn);
 
     return result;
+#elif defined(ICE_OS_WINRT)
+    ostringstream os;
+	os.fill(0);
+	os.width(2);
+	for (unsigned int i = 0; i < _cert->SerialNumber->Length; i++)
+	{
+		os << hex << static_cast<int>(_cert->SerialNumber[i]);
+	}
+    return IceUtilInternal::toUpper(os.str());
+#else
+#   error "Unknown platform"
 #endif
 }
 
-//string
-//Certificate::getSigAlgName() const
-//{
-//}
-
-//string
-//Certificate::getSigAlgOID() const
-//{
-//}
-
 DistinguishedName
 Certificate::getIssuerDN() const
 {
-#if defined(ICE_USE_SECURE_TRANSPORT)
+#if defined(ICE_USE_SECURE_TRANSPORT_IOS)
+    initializeAttributes();
+    return _issuer ? DistinguishedName(_issuer) : DistinguishedName("");
+#elif defined(ICE_USE_SECURE_TRANSPORT_MACOS)
     return getX509Name(_cert, kSecOIDX509V1IssuerName);
 #elif defined(ICE_USE_SCHANNEL)
     return DistinguishedName(certNameToString(&_certInfo->Issuer));
-#else
+#elif defined(ICE_USE_OPENSSL)
     return DistinguishedName(RFC2253::parseStrict(convertX509NameToString(X509_get_issuer_name(_cert))));
+#elif defined(ICE_OS_WINRT)
+    return DistinguishedName(IceUtil::wstringToString(_cert->Issuer->Data()));
+#else
+#   error "Unknown platform"
 #endif
 }
 
+#if !defined(ICE_USE_SECURE_TRANSPORT_IOS)
 vector<pair<int, string> >
 Certificate::getIssuerAlternativeNames()
 {
@@ -1282,23 +1574,45 @@ Certificate::getIssuerAlternativeNames()
     return getX509AltName(_cert, kSecOIDIssuerAltName);
 #elif defined(ICE_USE_SCHANNEL)
     return certificateAltNames(_certInfo, szOID_ISSUER_ALT_NAME2);
-#else
+#elif defined(ICE_USE_OPENSSL)
     return convertGeneralNames(reinterpret_cast<GENERAL_NAMES*>(X509_get_ext_d2i(_cert, NID_issuer_alt_name, 0, 0)));
+#elif defined(ICE_OS_WINRT)
+    return vector<pair<int, string> >(); // Not supported
+#else
+#   error "Unknown platform"
 #endif
 }
+#endif
 
 DistinguishedName
 Certificate::getSubjectDN() const
 {
-#if defined(ICE_USE_SECURE_TRANSPORT)
+#if defined(ICE_USE_SECURE_TRANSPORT_IOS)
+    initializeAttributes();
+    if(_subject)
+    {
+        return DistinguishedName(_subject);
+    }
+    else
+    {
+        string s = "CN=";
+        s += fromCFString(UniqueRef<CFStringRef>(SecCertificateCopySubjectSummary(_cert)).get());
+        return DistinguishedName(s);
+    }
+#elif defined(ICE_USE_SECURE_TRANSPORT_MACOS)
     return getX509Name(_cert, kSecOIDX509V1SubjectName);
 #elif defined(ICE_USE_SCHANNEL)
     return DistinguishedName(certNameToString(&_certInfo->Subject));
-#else
+#elif defined(ICE_USE_OPENSSL)
     return DistinguishedName(RFC2253::parseStrict(convertX509NameToString(X509_get_subject_name(_cert))));
+#elif defined(ICE_OS_WINRT)
+    return DistinguishedName(IceUtil::wstringToString(_cert->Subject->Data()));
+#else
+#   error "Unknown platform"
 #endif
 }
 
+#if !defined(ICE_USE_SECURE_TRANSPORT_IOS)
 vector<pair<int, string> >
 Certificate::getSubjectAlternativeNames()
 {
@@ -1306,20 +1620,32 @@ Certificate::getSubjectAlternativeNames()
     return getX509AltName(_cert, kSecOIDSubjectAltName);
 #elif defined(ICE_USE_SCHANNEL)
     return certificateAltNames(_certInfo, szOID_SUBJECT_ALT_NAME2);
-#else
+#elif defined(ICE_USE_OPENSSL)
     return convertGeneralNames(reinterpret_cast<GENERAL_NAMES*>(X509_get_ext_d2i(_cert, NID_subject_alt_name, 0, 0)));
+#elif defined(ICE_OS_WINRT)
+    return certificateAltNames(_cert->SubjectAlternativeName);
+#else
+#   error "Unknown platform"
 #endif
 }
+#endif
 
 int
 Certificate::getVersion() const
 {
-#if defined(ICE_USE_SECURE_TRANSPORT)
+#if defined(ICE_USE_SECURE_TRANSPORT_IOS)
+    initializeAttributes();
+    return _version;
+#elif defined(ICE_USE_SECURE_TRANSPORT_MACOS)
     return atoi(getX509String(_cert, kSecOIDX509V1Version).c_str()) - 1;
 #elif defined(ICE_USE_SCHANNEL)
     return _certInfo->dwVersion;
-#else
+#elif defined(ICE_USE_OPENSSL)
     return static_cast<int>(X509_get_version(_cert));
+#elif defined(ICE_OS_WINRT)
+    return -1; // Not supported
+#else
+#   error "Unknown platform"
 #endif
 }
 
@@ -1330,8 +1656,10 @@ Certificate::toString() const
     os << "serial: " << getSerialNumber() << "\n";
     os << "issuer: " << string(getIssuerDN()) << "\n";
     os << "subject: " << string(getSubjectDN()) << "\n";
+#if !defined(ICE_USE_SECURE_TRANSPORT_IOS)
     os << "notBefore: " << getNotBefore().toDateTime() << "\n";
     os << "notAfter: " << getNotAfter().toDateTime();
+#endif
     return os.str();
 }
 
@@ -1340,3 +1668,101 @@ Certificate::getCert() const
 {
     return _cert;
 }
+
+#if defined(ICE_USE_SECURE_TRANSPORT_IOS)
+
+namespace
+{
+
+IceUtil::Mutex* globalMutex = 0;
+
+class Init
+{
+public:
+
+    Init()
+    {
+        globalMutex = new IceUtil::Mutex;
+    }
+
+    ~Init()
+    {
+        delete globalMutex;
+        globalMutex = 0;
+    }
+};
+
+Init init;
+
+}
+
+void
+Certificate::initializeAttributes() const
+{
+    if(_subject)
+    {
+        return;
+    }
+
+    //
+    // We need to temporarily add the certificate to the keychain in order to
+    // retrieve its attributes. Unfortunately kSecMatchItemList doesn't work
+    // on iOS. We make sure only one thread adds/removes a cert at a time here.
+    //
+    IceUtilInternal::MutexPtrLock<IceUtil::Mutex> lock(globalMutex);
+
+    CFMutableDictionaryRef query;
+
+    query = CFDictionaryCreateMutable(0, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+    CFDictionarySetValue(query, kSecValueRef, _cert);
+    CFDictionarySetValue(query, kSecReturnAttributes, kCFBooleanTrue);
+    CFDictionaryRef attributes;
+    OSStatus err;
+    if((err = SecItemAdd(query, (CFTypeRef*)&attributes)) == errSecDuplicateItem)
+    {
+        CFDictionarySetValue(query, kSecClass, kSecClassCertificate);
+        err = SecItemCopyMatching(query, (CFTypeRef*)&attributes);
+    }
+    else
+    {
+        CFRelease(query);
+        query = CFDictionaryCreateMutable(0, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+        CFDictionarySetValue(query, kSecClass, kSecClassCertificate);
+        CFDictionarySetValue(query, kSecValueRef, _cert);
+        err = SecItemDelete(query);
+    }
+    CFRelease(query);
+    if(err != noErr)
+    {
+        _subject = 0;
+        _issuer = 0;
+        return;
+    }
+
+    _subject = (CFDataRef)CFDictionaryGetValue(attributes, kSecAttrSubject);
+    _issuer = (CFDataRef)CFDictionaryGetValue(attributes, kSecAttrIssuer);
+    CFDataRef serial = (CFDataRef)CFDictionaryGetValue(attributes, kSecAttrSerialNumber);
+    ostringstream os;
+    for(int i = 0; i < CFDataGetLength(serial); ++i)
+    {
+        int c = static_cast<int>(CFDataGetBytePtr(serial)[i]);
+        if(i)
+        {
+            os << ' ';
+        }
+        os.fill('0');
+        os.width(2);
+        os << hex << c;
+    }
+    _serial = os.str();
+    CFNumberRef version = (CFNumberRef)CFDictionaryGetValue(attributes, kSecAttrCertificateType);
+    if(!CFNumberGetValue(version, kCFNumberIntType, &_version))
+    {
+        _version = -1;
+    }
+    CFRetain(_subject);
+    CFRetain(_issuer);
+
+    CFRelease(attributes);
+}
+#endif
\ No newline at end of file