author | Jose <jose@zeroc.com> | 2016-11-24 10:11:45 +0100 |
---|---|---|
committer | Jose <jose@zeroc.com> | 2016-11-24 10:11:45 +0100 |
commit | cd0a9e3caeeb5ef8cee34a3f87a9566fc1a3ff8e (patch) | |
tree | b3b2d10411a29ae8f584f3f349d34547dab0fe49 /cpp/src/IceSSL | |
parent | Check PCCERT_CHAIN_CONTEXT TrustStatus rather than CERT_SIMPLE_CHAIN TrustStatus (diff) | |
download | ice-cd0a9e3caeeb5ef8cee34a3f87a9566fc1a3ff8e.tar.bz2 ice-cd0a9e3caeeb5ef8cee34a3f87a9566fc1a3ff8e.tar.xz ice-cd0a9e3caeeb5ef8cee34a3f87a9566fc1a3ff8e.zip |
Port IceSSL/configuration test to UWP and fixes to UWP IceSSL implementation
Diffstat (limited to 'cpp/src/IceSSL')
-rwxr-xr-x | cpp/src/IceSSL/Certificate.cpp | 43 | ||||
-rw-r--r-- | cpp/src/IceSSL/SSLEngine.h | 2 | ||||
-rwxr-xr-x | cpp/src/IceSSL/Util.cpp | 1 | ||||
-rwxr-xr-x | cpp/src/IceSSL/WinRTEngine.cpp | 20 | ||||
-rwxr-xr-x | cpp/src/IceSSL/WinRTTransceiverI.cpp | 37 |
5 files changed, 71 insertions, 32 deletions
diff --git a/cpp/src/IceSSL/Certificate.cpp b/cpp/src/IceSSL/Certificate.cpp
index c325d51ec24..5c4f268f67d 100755
--- a/cpp/src/IceSSL/Certificate.cpp
+++ b/cpp/src/IceSSL/Certificate.cpp
@@ -611,21 +611,24 @@ vector<pair<int, string> >
 certificateAltNames(Windows::Security::Cryptography::Certificates::SubjectAlternativeNameInfo^ subAltNames)
 {
 vector<pair<int, string> > altNames;
- for(auto iter = subAltNames->EmailName->First(); iter->HasCurrent; iter->MoveNext())
+ if(subAltNames)
 {
- altNames.push_back(make_pair(AltNameEmail, wstringToString(iter->Current->Data())));
- }
- for(auto iter = subAltNames->DnsName->First(); iter->HasCurrent; iter->MoveNext())
- {
- altNames.push_back(make_pair(AltNameDNS, wstringToString(iter->Current->Data())));
- }
- for(auto iter = subAltNames->Url->First(); iter->HasCurrent; iter->MoveNext())
- {
- altNames.push_back(make_pair(AltNameURL, wstringToString(iter->Current->Data())));
- }
- for(auto iter = subAltNames->IPAddress->First(); iter->HasCurrent; iter->MoveNext())
- {
- altNames.push_back(make_pair(AltNAmeIP, wstringToString(iter->Current->Data())));
+ for(auto iter = subAltNames->EmailName->First(); iter->HasCurrent; iter->MoveNext())
+ {
+ altNames.push_back(make_pair(AltNameEmail, wstringToString(iter->Current->Data())));
+ }
+ for(auto iter = subAltNames->DnsName->First(); iter->HasCurrent; iter->MoveNext())
+ {
+ altNames.push_back(make_pair(AltNameDNS, wstringToString(iter->Current->Data())));
+ }
+ for(auto iter = subAltNames->Url->First(); iter->HasCurrent; iter->MoveNext())
+ {
+ altNames.push_back(make_pair(AltNameURL, wstringToString(iter->Current->Data())));
+ }
+ for(auto iter = subAltNames->IPAddress->First(); iter->HasCurrent; iter->MoveNext())
+ {
+ altNames.push_back(make_pair(AltNAmeIP, wstringToString(iter->Current->Data())));
+ }
 }
 return altNames;
 }
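Review bot: The four loops inside the new `if(subAltNames)` body are one statement repeated with a different collection and tag, and the IP tag is still spelled `AltNAmeIP` while its siblings read `AltNameEmail`, `AltNameDNS` and `AltNameURL`; since the hunk rewrites every one of these lines anyway, this is the moment to normalise the constant to `AltNameIP` (at its definition as well) and to fold the repetition into one small helper that takes the collection and the tag. The null guard itself is sound: a certificate that presumably has no SubjectAlternativeName extension now yields an empty list instead of a null dereference.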
@@ -1139,13 +1142,13 @@ Certificate::load(const string& file)
 create_task(StorageFile::GetFileFromApplicationUriAsync(
 ref new Uri(ref new String(stringToWstring(file).c_str())))).then([](StorageFile^ file)
 {
- return FileIO::ReadBufferAsync(file);
+ return FileIO::ReadTextAsync(file);
 },
- task_continuation_context::use_arbitrary()).then([&result, &file](task<IBuffer^> previous)
+ task_continuation_context::use_arbitrary()).then([&result, &file](task<String^> previous)
 {
 try
 {
- result.set_value(make_shared<Certificate>(ref new Certificates::Certificate(previous.get())));
+ result.set_value(Certificate::decode(wstringToString(previous.get()->Data())));
 }
 catch(Platform::Exception^ ex)
 {
@@ -1273,7 +1276,7 @@ Certificate::operator==(const Certificate& other) const
 #elif defined(ICE_USE_OPENSSL)
 return X509_cmp(_cert, other._cert) == 0;
 #elif defined(ICE_OS_WINRT)
- return _cert->Equals(other._cert);
+ return CryptographicBuffer::Compare(_cert->GetCertificateBlob(), other._cert->GetCertificateBlob());
 #else
 # error "Unknown platform"
 #endif
@@ -1669,7 +1672,9 @@ Certificate::getIssuerDN() const
 #elif defined(ICE_USE_OPENSSL)
 return DistinguishedName(RFC2253::parseStrict(convertX509NameToString(X509_get_issuer_name(_cert))));
 #elif defined(ICE_OS_WINRT)
- return DistinguishedName(wstringToString(_cert->Issuer->Data()));
+ ostringstream os;
+ os << "CN=" << wstringToString(_cert->Issuer->Data());
+ return DistinguishedName(os.str());
 #else
 # error "Unknown platform"
 #endif
diff --git a/cpp/src/IceSSL/SSLEngine.h b/cpp/src/IceSSL/SSLEngine.h
index c8b84fcd31b..1ceca9e7b16 100644
--- a/cpp/src/IceSSL/SSLEngine.h
+++ b/cpp/src/IceSSL/SSLEngine.h
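Review bot: Certificate::load's WinRT path now reads the file with `FileIO::ReadTextAsync` and hands the text to `Certificate::decode`, so a DER-encoded certificate file — which the replaced `ReadBufferAsync` path passed to the platform constructor unchanged — can no longer be loaded on this platform, and the only failure signal is whatever the catch block outside the hunk makes of the decode exception. If PEM-only is intended, say so at the call: `// UWP: the file is read as text and must be PEM; DER files are not supported here`; otherwise read the buffer and pick the decoder by format. The continuation chain and Certificate::load itself continue outside the hunk.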
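Review bot: The new WinRT branch of Certificate::getIssuerDN builds the DN as `"CN=" + Issuer` with no escaping, so an issuer name containing `,`, `+`, `=`, `"` or a leading `#` produces a string that RFC 2253 parsing reads as extra or malformed RDNs, and any issuer with further components (O=, C=) yields a DN that never compares equal to what the OpenSSL branch returns for the same certificate through `RFC2253::parseStrict`. Presumably `_cert->Issuer` exposes only a display name, so this is an approximation at best; escape the special characters before prefixing, and record the limitation: `// WinRT exposes only the issuer's display name; this CN-only DN is an approximation of the full issuer DN and is platform-dependent`. Callers that match a peer's issuer against a configured DN should be told that the value differs from the other platforms.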
@@ -236,10 +236,12 @@ public: virtual void initialize(); virtual bool initialized() const; virtual void destroy(); + //virtual std::shared_ptr<Certificate> ca(); virtual std::shared_ptr<Certificate> certificate(); private: + //std::shared_ptr<Certificate> _ca; std::shared_ptr<Certificate> _certificate; bool _initialized; std::mutex _mutex; diff --git a/cpp/src/IceSSL/Util.cpp b/cpp/src/IceSSL/Util.cpp index 6fbd2f46109..6979e34cd7b 100755 --- a/cpp/src/IceSSL/Util.cpp +++ b/cpp/src/IceSSL/Util.cpp @@ -1699,6 +1699,7 @@ IceSSL::findCertificates(const string& name, const string& value) CertificateQuery^ query = ref new CertificateQuery(); query->StoreName = ref new String(stringToWstring(name).c_str()); query->IncludeDuplicates = true; + query->IncludeExpiredCertificates = true; if(value != "*") { diff --git a/cpp/src/IceSSL/WinRTEngine.cpp b/cpp/src/IceSSL/WinRTEngine.cpp index 651fd2ace53..b2bbf069e34 100755 --- a/cpp/src/IceSSL/WinRTEngine.cpp +++ b/cpp/src/IceSSL/WinRTEngine.cpp @@ -41,16 +41,26 @@ WinRTEngine::initialize() const auto properties = communicator()->getProperties(); // + // Load CAs + // + //string ca = properties->getProperty("IceSSL.CAs"); + //if(!ca.empty()) + //{ + // _ca = Certificate::load(ca); + //} + + // // Load client certificate // string findCert = properties->getProperty("IceSSL.FindCert"); if(!findCert.empty()) { auto certs = findCertificates(properties->getPropertyWithDefault("IceSSL.CertStore", "My"), findCert); - if(certs->Size > 0) + if(certs->Size == 0) { - _certificate = make_shared<IceSSL::Certificate>(certs->GetAt(0)); + throw Ice::PluginInitializationException(__FILE__, __LINE__, "IceSSL: no certificates found"); } + _certificate = make_shared<IceSSL::Certificate>(certs->GetAt(0)); } _initialized = true; } @@ -61,6 +71,12 @@ WinRTEngine::initialized() const return _initialized; } +//shared_ptr<Certificate> +//WinRTEngine::ca() +//{ +// return _ca; +//} + shared_ptr<Certificate> WinRTEngine::certificate() { 
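Review bot: The `ca()` accessor and the `_ca` member are added to SSLEngine.h as commented-out declarations, and the same disabled code recurs in the WinRTEngine.cpp hunk on this line (the IceSSL.CAs loading block and `WinRTEngine::ca()`) and in the WinRTTransceiverI.cpp hunk at lines 143-159 (`params->ExclusiveTrustRoots->Append`). Commented-out declarations drift from the live code without anyone noticing; either keep the declarations live and let `ca()` return an empty pointer on UWP, or drop all three blocks and leave one `// TODO: restore CA support once ExclusiveTrustRoots can be set; see the BUGFIX note in WinRTTransceiverI.cpp` where the property would be read.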
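Review bot: `query->IncludeExpiredCertificates = true` widens IceSSL::findCertificates for every caller, not just the test being ported, and the one caller visible in this commit (WinRTEngine::initialize) takes `certs->GetAt(0)` without checking validity, so when an expired and a current certificate both match IceSSL.FindCert the expired one can be selected silently. If the widening is required, state the reason at the assignment, e.g. `// expired certificates are deliberately included: <reason>; callers must check validity themselves`, and have the caller prefer a currently valid match; otherwise keep the platform default. The rest of findCertificates continues outside the hunk.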
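Review bot: Throwing `PluginInitializationException` when the query comes back empty is the right change, but with `IncludeDuplicates = true` the code still takes `certs->GetAt(0)` when more than one certificate matches IceSSL.FindCert, so the identity the client presents depends on store order. Make ambiguity visible before selecting, for example `if(certs->Size > 1) { throw Ice::PluginInitializationException(__FILE__, __LINE__, "IceSSL: multiple certificates match IceSSL.FindCert"); }` or at least a warning. The message `"IceSSL: no certificates found"` would also be more useful if it carried the `findCert` criteria. WinRTEngine::initialize ends within the hunk; `certificate()` continues past it.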
diff --git a/cpp/src/IceSSL/WinRTTransceiverI.cpp b/cpp/src/IceSSL/WinRTTransceiverI.cpp
index 6aad729e957..2e974c1725d 100755
--- a/cpp/src/IceSSL/WinRTTransceiverI.cpp
+++ b/cpp/src/IceSSL/WinRTTransceiverI.cpp
@@ -133,7 +133,7 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
 try
 {
 auto fd = safe_cast<StreamSocket^>(_delegate->getNativeInfo()->fd());
- if (fd->Information->ServerCertificate)
+ if(fd->Information->ServerCertificate)
 {
 //
 // Build the certificate chain
@@ -143,9 +143,17 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
 params->CurrentTimeValidationEnabled = true;
 params->NetworkRetrievalEnabled = false;
 params->RevocationCheckEnabled = false;
 
+
+ //
+ // BUGFIX: It is currently not possible to set ExclusiveTrustRoots programatically
+ // it is causing a read access exception see:https://goo.gl/B6OaNx
+ //
+ //if(_engine->ca())
+ //{
+ // params->ExclusiveTrustRoots->Append(_engine->ca()->getCert());
+ //}
 promise<CertificateChain^> p;
-
 create_task(fd->Information->ServerCertificate->BuildChainAsync(
 fd->Information->ServerIntermediateCertificates, params)).then(
 [&](task<CertificateChain^> previous)
@@ -154,7 +162,7 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
 {
 p.set_value(previous.get());
 }
- catch (Platform::Exception^ ex)
+ catch(Platform::Exception^ ex)
 {
 try
 {
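Review bot: The BUGFIX comment leaves the CA configured through IceSSL.CAs unused on UWP: with the `ExclusiveTrustRoots` append disabled, `BuildChainAsync` presumably anchors the chain in the platform trust store, so a server certificate issued by the configured private CA is not trusted while one from any system-trusted CA is, the opposite of what the property means on the other platforms. The comment should say that outcome rather than only describe the crash — `// NOTE: IceSSL.CAs has no effect on UWP: ExclusiveTrustRoots cannot be set (read access exception, see link), so chain trust is decided by the system store` — and `programatically` should read `programmatically`. Since the property is read nowhere on this platform now (the loading block in WinRTEngine.cpp is commented out as well), plugin initialization should preferably reject a configured IceSSL.CAs on UWP instead of ignoring it. TransceiverI::initialize continues outside the hunk on both sides.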
@@ -250,10 +258,16 @@ IceSSL::TransceiverI::startWrite(IceInternal::Buffer& buf)
 HostName^ host = ref new HostName(ref new String(IceUtil::stringToWstring(_host).c_str()));
 
 //
- // We ignre SSL invalid name errors at this point, the certificate name will be later verify
- // by SSLEngine veryPeer implementation.
+ // We ignore SSL Certificate errors at this point, the certificate chain will be validated
+ // when the chain is constructed in IceSSL::Transceiver::initialize
 //
+ stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::Expired);
+ stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::IncompleteChain);
 stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::InvalidName);
+ stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::RevocationFailure);
+ stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::RevocationInformationMissing);
+ stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::Untrusted);
+ stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::WrongUsage);
 
 if(_engine->certificate())
 {
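Review bot: After this hunk every ChainValidationResult the socket layer could raise — `Untrusted`, `Expired` and `IncompleteChain` included — is ignorable, so server authentication on UWP rests entirely on the chain built in TransceiverI::initialize, and that chain is only built under `if(fd->Information->ServerCertificate)` (hunk at lines 133-139). The replacement comment should state that invariant instead of the generic `will be validated`: `// All server certificate errors are ignored here; the peer is authenticated solely by the chain built and checked in TransceiverI::initialize, which must reject the connection whenever the chain's trust status is not valid`. The comment also names `IceSSL::Transceiver::initialize`, whereas the hunk headers show the method is `IceSSL::TransceiverI::initialize`. startWrite continues outside the hunk.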
@@ -324,13 +338,14 @@ IceSSL::TransceiverI::getInfo() const
 {
 NativeConnectionInfoPtr info = ICE_MAKE_SHARED(NativeConnectionInfo);
 StreamSocket^ stream = safe_cast<StreamSocket^>(_delegate->getNativeInfo()->fd());
- info->nativeCerts.push_back(ICE_MAKE_SHARED(Certificate, stream->Information->ServerCertificate));
- info->certs.push_back(info->nativeCerts.back()->encode());
- auto certs = _chain ? _chain->GetCertificates(true) : stream->Information->ServerIntermediateCertificates;
- for(auto iter = certs->First(); iter->HasCurrent; iter->MoveNext())
+ if(_chain)
 {
- info->nativeCerts.push_back(ICE_MAKE_SHARED(Certificate, iter->Current));
- info->certs.push_back(info->nativeCerts.back()->encode());
+ auto certs = _chain->GetCertificates(true);
+ for(auto iter = certs->First(); iter->HasCurrent; iter->MoveNext())
+ {
+ info->nativeCerts.push_back(ICE_MAKE_SHARED(Certificate, iter->Current));
+ info->certs.push_back(info->nativeCerts.back()->encode());
+ }
 }
 info->verified = _verified;
 info->adapterName = _adapterName;
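Review bot: In the new getInfo body `stream` is still assigned from `safe_cast<StreamSocket^>(_delegate->getNativeInfo()->fd())` but no longer used within the hunk, since both reads of `ServerCertificate` and `ServerIntermediateCertificates` were removed; if nothing below the hunk reads it, drop the local and the cast. When `_chain` is null the info now carries no certificates at all while `verified` is still copied from `_verified`; if `_verified` can be true without a chain, callers get a verified connection with an empty certificate list, so either document that the list is populated only once the chain has been built (`// certs are reported only when the chain was built in initialize(); an empty list means the peer was not validated`) or derive `verified` from the same condition. getInfo's body continues past the hunk.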