UWP IceSSL implementation improvements

- Add support for IceSSL.CertFile - Add support for IceSSL password prompt
author: Jose <jose@zeroc.com> 2016-11-24 21:31:26 +0100
committer: Jose <jose@zeroc.com> 2016-11-24 21:31:26 +0100
commit: 64a9231b01a869bccd3585abeb9eec75d9697bcf (patch)
tree: 00b9d15949c5159dce8821339e458215570ff22a /cpp/src/IceSSL
parent: Port IceSSL/configuration test to UWP and fixes to UWP IceSSL implementation (diff)
download: ice-64a9231b01a869bccd3585abeb9eec75d9697bcf.tar.bz2
ice-64a9231b01a869bccd3585abeb9eec75d9697bcf.tar.xz
ice-64a9231b01a869bccd3585abeb9eec75d9697bcf.zip
3 files changed, 224 insertions, 18 deletions
diff --git a/cpp/src/IceSSL/Util.cpp b/cpp/src/IceSSL/Util.cpp
index 6979e34cd7b..0c227c7e279 100755
--- a/cpp/src/IceSSL/Util.cpp
+++ b/cpp/src/IceSSL/Util.cpp
@@ -1693,6 +1693,195 @@ IceSSL::findCertificates(const string& location, const string& name, const strin
     return certs;
 }
 #elif defined (ICE_OS_WINRT)
+
+namespace
+{
+
+//
+// Find a certificate in the Application Personal certificate store
+// with the given friendly name. Returns the matching certificate or
+// nullptr if none is found.
+//
+Certificates::Certificate^
+findPersonalCertificate(String^ friendlyName)
+{
+    std::promise<Certificates::Certificate^> p;
+
+    CertificateQuery^ query = ref new CertificateQuery();
+    query->IncludeDuplicates = true;
+    query->IncludeExpiredCertificates = true;
+    query->FriendlyName = friendlyName;
+    query->StoreName = StandardCertificateStoreNames::Personal;
+
+    create_task(CertificateStores::FindAllAsync(query))
+
+    .then([&p](IVectorView<Certificates::Certificate^>^ certificates)
+        {
+            if(certificates->Size > 0)
+            {
+                p.set_value(certificates->GetAt(0));
+            }
+            else
+            {
+                p.set_value(nullptr);
+            }
+        },
+        task_continuation_context::use_arbitrary())
+
+    .then([&](task<void> t)
+        {
+            try
+            {
+                t.get();
+            }
+            catch(Platform::Exception^ ex)
+            {
+                p.set_exception(make_exception_ptr(
+                    PluginInitializationException(__FILE__, __LINE__, "IceSSL: certificate error:\n" + 
+                                                                      wstringToString(ex->Message->Data()))));
+            }
+        },
+        task_continuation_context::use_arbitrary());
+
+    return p.get_future().get();
+}
+
+//
+// Import a certificate in the Application Personal certificate store
+// with the given friendly name. Returns true if there was a password
+// error and false otherwise. If the import fails because a different
+// error PluginInitializationException exception is throw.
+//
+bool
+importPfxData(String^ friendlyName, String^ data, String^ password)
+{
+    promise<bool> p;
+
+    create_task(CertificateEnrollmentManager::ImportPfxDataAsync(
+        data,
+        password,
+        ExportOption::NotExportable,
+        KeyProtectionLevel::NoConsent,
+        InstallOptions::None,
+        friendlyName))
+
+    .then([&p]()
+        {
+            p.set_value(false); // The import succcess
+        },
+        task_continuation_context::use_arbitrary())
+    
+    .then([&p](task<void> t)
+        {
+            try
+            {
+                t.get();
+            }
+            catch(Platform::Exception^ ex)
+            {
+                if(HRESULT_CODE(ex->HResult) == ERROR_DECRYPTION_FAILED)
+                {
+                    p.set_value(true); // Password error
+                }
+                else
+                {
+                    p.set_exception(make_exception_ptr(
+                        PluginInitializationException(__FILE__, __LINE__, "IceSSL: certificate error:\n" + 
+                                                      wstringToString(ex->Message->Data()))));
+                }
+            }
+        },
+        task_continuation_context::use_arbitrary());
+
+    return p.get_future().get();
+}
+
+}
+
+Certificates::Certificate^
+IceSSL::importPersonalCertificate(const string& file, function<string ()> password, bool passwordPrompt,
+                                  int passwordRetryMax)
+{
+    std::promise<Certificates::Certificate^> p;
+    auto uri = ref new Uri(ref new String(stringToWstring(file).c_str()));
+    create_task(StorageFile::GetFileFromApplicationUriAsync(uri))
+    
+    .then([](StorageFile^ file)
+        {
+            return FileIO::ReadBufferAsync(file);
+        },
+        task_continuation_context::use_arbitrary())
+
+    .then([&file, &password, &p, passwordPrompt, passwordRetryMax](IBuffer^ buffer)
+        {
+            //
+            // Create a hash of the certificate to use as a friendly name, this will allow us
+            // to uniquely identify the certificate in the store.
+            //
+            auto hasher = HashAlgorithmProvider::OpenAlgorithm(HashAlgorithmNames::Sha1);
+            auto hash = hasher->CreateHash();
+
+            hash->Append(buffer);
+            String^ friendlyName = CryptographicBuffer::EncodeToBase64String(hash->GetValueAndReset());
+
+            //
+            // If the certificate is already in the store we avoid importing it.
+            //
+            Certificates::Certificate^ cert = findPersonalCertificate(friendlyName);
+            if(cert)
+            {
+                p.set_value(cert);
+            }
+            else
+            {
+                String^ data = CryptographicBuffer::EncodeToBase64String(buffer);
+                int count = 0;
+                bool passwordErr = false;
+                do
+                {
+                    passwordErr = importPfxData(friendlyName, data,
+                                                ref new String(stringToWstring(password()).c_str()));
+                }
+                while(passwordPrompt && passwordErr && ++count < passwordRetryMax);
+                if(passwordErr)
+                {
+                    throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: error decoding certificate");
+                }
+                p.set_value(findPersonalCertificate(friendlyName));
+            }
+        },
+        task_continuation_context::use_arbitrary())
+    
+    .then([&p, &file](task<void> t)
+        {
+            try
+            {
+                t.get();
+            }
+            catch(Platform::Exception^ ex)
+            {
+                if(HRESULT_CODE(ex->HResult) == ERROR_FILE_NOT_FOUND)
+                {
+                    p.set_exception(make_exception_ptr(
+                        PluginInitializationException(__FILE__, __LINE__, "certificate file not found:\n" + file)));
+                }
+                else
+                {
+                    p.set_exception(make_exception_ptr(
+                        PluginInitializationException(__FILE__, __LINE__, "IceSSL: certificate error:\n" +
+                                                                          wstringToString(ex->Message->Data()))));
+                }
+            }
+            catch(...)
+            {
+                p.set_exception(current_exception());
+            }
+        },
+        task_continuation_context::use_arbitrary());
+
+    return p.get_future().get();
+}
+
 IVectorView<Certificates::Certificate^>^
 IceSSL::findCertificates(const string& name, const string& value)
 {
@@ -1786,26 +1975,25 @@ IceSSL::findCertificates(const string& name, const string& value)
     }
 
     std::promise<IVectorView<Certificates::Certificate^>^> p;
-    HRESULT error = 0;
-    create_task(CertificateStores::FindAllAsync(query)).then(
-        [&](task<IVectorView<Certificates::Certificate^>^> previous)
+    create_task(CertificateStores::FindAllAsync(query))
+
+    .then([&p](IVectorView<Certificates::Certificate^>^ certificates)
+        {
+            p.set_value(certificates);
+        },
+        task_continuation_context::use_arbitrary())
+
+    .then([&p](task<void> t)
         {
             try
             {
-                p.set_value(previous.get());
+                t.get();
             }
-            catch(Platform::Exception^ err)
+            catch(Platform::Exception^ ex)
             {
-                try
-                {
-                    Ice::SyscallException ex(__FILE__, __LINE__);
-                    ex.error = err->HResult;
-                    throw ex;
-                }
-                catch(...)
-                {
-                    p.set_exception(current_exception());
-                }
+                p.set_exception(
+                    make_exception_ptr(PluginInitializationException(__FILE__, __LINE__, "IceSSL: certificate error:\n" +
+                                                                     wstringToString(ex->Message->Data()))));
             }
         },
         task_continuation_context::use_arbitrary());
diff --git a/cpp/src/IceSSL/Util.h b/cpp/src/IceSSL/Util.h
index 59ff813a1a8..f10f5f25a72 100644
--- a/cpp/src/IceSSL/Util.h
+++ b/cpp/src/IceSSL/Util.h
@@ -181,12 +181,12 @@ toCFString(const std::string& s)
 std::string errorToString(CFErrorRef);
 std::string errorToString(OSStatus);
 
-#if !defined(__APPLE__) || TARGET_OS_IPHONE == 0
+#  if defined(ICE_USE_SECURE_TRANSPORT_MACOS)
 //
 // Retrieve a certificate property
 //
 CFDictionaryRef getCertificateProperty(SecCertificateRef, CFTypeRef);
-#endif
+#  endif
 
 //
 // Read certificate from a file.
@@ -203,6 +203,9 @@ CFArrayRef findCertificateChain(const std::string&, const std::string&, const st
 std::vector<PCCERT_CONTEXT>
 findCertificates(const std::string&, const std::string&, const std::string&, std::vector<HCERTSTORE>&);
 #elif defined(ICE_OS_WINRT)
+Windows::Security::Cryptography::Certificates::Certificate^
+importPersonalCertificate(const std::string&, std::function<std::string()>, bool, int);
+
 Windows::Foundation::Collections::IVectorView<Windows::Security::Cryptography::Certificates::Certificate^>^
 findCertificates(const std::string&, const std::string&);
 #endif
diff --git a/cpp/src/IceSSL/WinRTEngine.cpp b/cpp/src/IceSSL/WinRTEngine.cpp
index b2bbf069e34..b955c8ce4a1 100755
--- a/cpp/src/IceSSL/WinRTEngine.cpp
+++ b/cpp/src/IceSSL/WinRTEngine.cpp
@@ -52,8 +52,23 @@ WinRTEngine::initialize()
     //
     // Load client certificate
     //
+    const int passwordRetryMax = properties->getPropertyAsIntWithDefault("IceSSL.PasswordRetryMax", 3);
+    setPassword(properties->getProperty("IceSSL.Password"));
+
+    string certFile = properties->getProperty("IceSSL.CertFile");
     string findCert = properties->getProperty("IceSSL.FindCert");
-    if(!findCert.empty())
+    if(!certFile.empty())
+    {
+        _certificate = make_shared<IceSSL::Certificate>(importPersonalCertificate(
+            certFile, 
+            [this]()
+            {
+                return password(false);
+            }, 
+            getPasswordPrompt != nullptr, 
+            passwordRetryMax));
+    }
+    else if(!findCert.empty())
     {
         auto certs = findCertificates(properties->getPropertyWithDefault("IceSSL.CertStore", "My"), findCert);
         if(certs->Size == 0)
author	Jose <jose@zeroc.com>	2016-11-24 21:31:26 +0100
committer	Jose <jose@zeroc.com>	2016-11-24 21:31:26 +0100
commit	64a9231b01a869bccd3585abeb9eec75d9697bcf (patch)
tree	00b9d15949c5159dce8821339e458215570ff22a /cpp/src/IceSSL
parent	Port IceSSL/configuration test to UWP and fixes to UWP IceSSL implementation (diff)
download	ice-64a9231b01a869bccd3585abeb9eec75d9697bcf.tar.bz2 ice-64a9231b01a869bccd3585abeb9eec75d9697bcf.tar.xz ice-64a9231b01a869bccd3585abeb9eec75d9697bcf.zip