summaryrefslogtreecommitdiff
path: root/cpp/src/IceSSL
diff options
context:
space:
mode:
authorBenoit Foucher <benoit@zeroc.com>2015-04-28 19:27:04 +0200
committerBenoit Foucher <benoit@zeroc.com>2015-04-28 19:27:04 +0200
commite6e102cc642e78cf9da55645c82f5bfe6eacb76d (patch)
treeab5861ee9ad2a909fa0dc8f25b1b12e0dd1d6527 /cpp/src/IceSSL
parentFixed ICE-6443 and other SSL fixes (diff)
downloadice-e6e102cc642e78cf9da55645c82f5bfe6eacb76d.tar.bz2
ice-e6e102cc642e78cf9da55645c82f5bfe6eacb76d.tar.xz
ice-e6e102cc642e78cf9da55645c82f5bfe6eacb76d.zip
Fixed previous commit which was incomplete
Diffstat (limited to 'cpp/src/IceSSL')
-rw-r--r--cpp/src/IceSSL/EndpointI.cpp40
-rw-r--r--cpp/src/IceSSL/EndpointI.h4
-rw-r--r--cpp/src/IceSSL/OpenSSLEngine.cpp22
-rw-r--r--cpp/src/IceSSL/OpenSSLTransceiverI.cpp110
-rw-r--r--cpp/src/IceSSL/OpenSSLTransceiverI.h10
-rw-r--r--cpp/src/IceSSL/SChannelEngine.cpp111
-rw-r--r--cpp/src/IceSSL/SChannelTransceiverI.cpp23
-rw-r--r--cpp/src/IceSSL/SChannelTransceiverI.h6
-rw-r--r--cpp/src/IceSSL/SecureTransportEngine.cpp11
-rw-r--r--cpp/src/IceSSL/SecureTransportTransceiverI.cpp23
-rw-r--r--cpp/src/IceSSL/SecureTransportTransceiverI.h6
11 files changed, 188 insertions, 178 deletions
diff --git a/cpp/src/IceSSL/EndpointI.cpp b/cpp/src/IceSSL/EndpointI.cpp
index 124c63dc645..6893db0e117 100644
--- a/cpp/src/IceSSL/EndpointI.cpp
+++ b/cpp/src/IceSSL/EndpointI.cpp
@@ -53,39 +53,17 @@ IceSSL::EndpointI::EndpointI(const InstancePtr& instance, IceInternal::BasicStre
Ice::EndpointInfoPtr
IceSSL::EndpointI::getInfo() const
{
- class InfoI : public EndpointInfo
- {
- public:
-
- InfoI(const IceInternal::EndpointIPtr& endpoint) : _endpoint(endpoint)
- {
- }
-
- virtual Ice::Short
- type() const
- {
- return _endpoint->type();
- }
-
- virtual bool
- datagram() const
- {
- return _endpoint->datagram();
- }
-
- virtual bool
- secure() const
- {
- return _endpoint->secure();
- }
-
- private:
-
- const IceInternal::EndpointIPtr _endpoint;
- };
+ EndpointInfoPtr info = new IceInternal::InfoI<EndpointInfo>(const_cast<EndpointI*>(this));
+ fillEndpointInfo(info.get());
+ return info;
+}
- IPEndpointInfoPtr info = new InfoI(const_cast<EndpointI*>(this));
+Ice::EndpointInfoPtr
+IceSSL::EndpointI::getWSInfo(const string& resource) const
+{
+ WSSEndpointInfoPtr info = new IceInternal::InfoI<WSSEndpointInfo>(const_cast<EndpointI*>(this));
fillEndpointInfo(info.get());
+ info->resource = resource;
return info;
}
diff --git a/cpp/src/IceSSL/EndpointI.h b/cpp/src/IceSSL/EndpointI.h
index b3a154a6ad4..74f04d1665a 100644
--- a/cpp/src/IceSSL/EndpointI.h
+++ b/cpp/src/IceSSL/EndpointI.h
@@ -12,6 +12,7 @@
#include <Ice/IPEndpointI.h>
#include <Ice/EndpointFactory.h>
+#include <Ice/WSEndpoint.h>
#include <IceSSL/InstanceF.h>
#include <IceSSL/EndpointInfo.h>
#include <Ice/Network.h>
@@ -19,7 +20,7 @@
namespace IceSSL
{
-class EndpointI : public IceInternal::IPEndpointI
+class EndpointI : public IceInternal::IPEndpointI, public IceInternal::WSEndpointDelegate
{
public:
@@ -29,6 +30,7 @@ public:
EndpointI(const InstancePtr&, IceInternal::BasicStream*);
virtual Ice::EndpointInfoPtr getInfo() const;
+ virtual Ice::EndpointInfoPtr getWSInfo(const std::string&) const;
virtual Ice::Int timeout() const;
virtual IceInternal::EndpointIPtr timeout(Ice::Int) const;
diff --git a/cpp/src/IceSSL/OpenSSLEngine.cpp b/cpp/src/IceSSL/OpenSSLEngine.cpp
index c47e19eb99f..cc617008547 100644
--- a/cpp/src/IceSSL/OpenSSLEngine.cpp
+++ b/cpp/src/IceSSL/OpenSSLEngine.cpp
@@ -395,8 +395,22 @@ OpenSSLEngine::initialize()
// Establish the location of CA certificates.
//
{
- string caFile = properties->getProperty(propPrefix + "CertAuthFile");
- string caDir = properties->getPropertyWithDefault(propPrefix + "CertAuthDir", defaultDir);
+ string caFile = properties->getProperty(propPrefix + "CAs");
+ string caDir;
+ if(!caFile.empty())
+ {
+ if(!checkPath(caFile, defaultDir, false) && checkPath(caFile, defaultDir, true))
+ {
+ caDir = caFile;
+ caFile = "";
+ }
+ }
+ else
+ {
+ // Deprecated properties
+ caFile = properties->getProperty(propPrefix + "CertAuthFile");
+ caDir = properties->getProperty(propPrefix + "CertAuthDir");
+ }
const char* file = 0;
const char* dir = 0;
if(!caFile.empty())
@@ -452,6 +466,10 @@ OpenSSLEngine::initialize()
throw PluginInitializationException(__FILE__, __LINE__, msg);
}
}
+ else if(properties->getPropertyAsInt("IceSSL.UsePlatformCAs") > 0)
+ {
+ SSL_CTX_set_default_verify_paths(_ctx);
+ }
}
//
diff --git a/cpp/src/IceSSL/OpenSSLTransceiverI.cpp b/cpp/src/IceSSL/OpenSSLTransceiverI.cpp
index bed46b3b8b4..2b40c62a4b6 100644
--- a/cpp/src/IceSSL/OpenSSLTransceiverI.cpp
+++ b/cpp/src/IceSSL/OpenSSLTransceiverI.cpp
@@ -276,11 +276,12 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
throw ex;
}
}
- else if(_info)
+ else
{
- _info->verified = true;
+ _verified = true;
}
- _engine->verifyPeer(_stream->fd(), _host, getNativeConnectionInfo());
+
+ _engine->verifyPeer(_stream->fd(), _host, NativeConnectionInfoPtr::dynamicCast(getInfo()));
if(_engine->securityTraceLevel() >= 1)
{
@@ -573,7 +574,18 @@ IceSSL::TransceiverI::toDetailedString() const
Ice::ConnectionInfoPtr
IceSSL::TransceiverI::getInfo() const
{
- return getNativeConnectionInfo();
+ NativeConnectionInfoPtr info = new NativeConnectionInfo();
+ fillConnectionInfo(info, info->nativeCerts);
+ return info;
+}
+
+Ice::ConnectionInfoPtr
+IceSSL::TransceiverI::getWSInfo(const Ice::HeaderDict& headers) const
+{
+ WSSNativeConnectionInfoPtr info = new WSSNativeConnectionInfo();
+ fillConnectionInfo(info, info->nativeCerts);
+ info->headers = headers;
+ return info;
}
void
@@ -609,17 +621,18 @@ IceSSL::TransceiverI::verifyCallback(int ok, X509_STORE_CTX* c)
}
//
- // Initialize the native connection info with the verified
- // certificate chain. SSL_get_peer_cert_chain doesn't return the
- // verified chain, it returns the chain sent by the peer.
+ // Initialize the native certs with the verified certificate chain. SSL_get_peer_cert_chain
+ // doesn't return the verified chain, it returns the chain sent by the peer.
//
- try
- {
- _info = initNativeConnectionInfo(c);
- }
- catch(const Ice::Exception&)
+ STACK_OF(X509)* chain = X509_STORE_CTX_get1_chain(c);
+ if(chain != 0)
{
- // Ignore
+ _nativeCerts.clear();
+ for(int i = 0; i < sk_X509_num(chain); ++i)
+ {
+ _nativeCerts.push_back(new Certificate(X509_dup(sk_X509_value(chain, i))));
+ }
+ sk_X509_pop_free(chain, X509_free);
}
//
@@ -639,6 +652,7 @@ IceSSL::TransceiverI::TransceiverI(const InstancePtr& instance, const IceInterna
_adapterName(incoming ? hostOrAdapterName : ""),
_incoming(incoming),
_stream(stream),
+ _verified(false),
_ssl(0)
{
}
@@ -647,20 +661,9 @@ IceSSL::TransceiverI::~TransceiverI()
{
}
-NativeConnectionInfoPtr
-IceSSL::TransceiverI::getNativeConnectionInfo() const
-{
- if(!_info)
- {
- return initNativeConnectionInfo(0);
- }
- return _info;
-}
-
-NativeConnectionInfoPtr
-IceSSL::TransceiverI::initNativeConnectionInfo(X509_STORE_CTX* ctx) const
+void
+IceSSL::TransceiverI::fillConnectionInfo(const ConnectionInfoPtr& info, std::vector<CertificatePtr>& nativeCerts) const
{
- NativeConnectionInfoPtr info = new NativeConnectionInfo();
IceInternal::fdToAddressAndPort(_stream->fd(), info->localAddress, info->localPort, info->remoteAddress,
info->remotePort);
if(_stream->fd() != INVALID_SOCKET)
@@ -670,57 +673,11 @@ IceSSL::TransceiverI::initNativeConnectionInfo(X509_STORE_CTX* ctx) const
}
info->adapterName = _adapterName;
info->incoming = _incoming;
- info->verified = false;
-
- STACK_OF(X509)* chain = 0;
- if(ctx)
- {
- //
- // This is called from the verify callback where OpenSSL provides the verified
- // certificate chain.
- //
- chain = X509_STORE_CTX_get1_chain(ctx);
- }
-
- if(chain == 0 && _ssl != 0)
- {
- //
- // On the client side, SSL_get_peer_cert_chain returns the entire chain of certs.
- // On the server side, the peer certificate must be obtained separately.
- //
- // Since we have no clear idea whether the connection is server or client side,
- // the peer certificate is obtained separately and compared against the first
- // certificate in the chain. If they are not the same, it is added to the chain.
- //
- X509* cert = SSL_get_peer_certificate(_ssl);
- chain = SSL_get_peer_cert_chain(_ssl);
- if(cert != 0 && (chain == 0 || sk_X509_num(chain) == 0 || cert != sk_X509_value(chain, 0)))
- {
- CertificatePtr certificate = new Certificate(cert);
- info->nativeCerts.push_back(certificate);
- info->certs.push_back(certificate->encode());
- }
- else
- {
- X509_free(cert);
- }
- }
-
- if(chain != 0)
+ info->verified = _verified;
+ nativeCerts = _nativeCerts;
+ for(vector<CertificatePtr>::const_iterator p = _nativeCerts.begin(); p != _nativeCerts.end(); ++p)
{
- for(int i = 0; i < sk_X509_num(chain); ++i)
- {
- //
- // Duplicate the certificate since the stack comes straight from the SSL connection.
- //
- CertificatePtr certificate = new Certificate(X509_dup(sk_X509_value(chain, i)));
- info->nativeCerts.push_back(certificate);
- info->certs.push_back(certificate->encode());
- }
- if(ctx)
- {
- sk_X509_pop_free(chain, X509_free);
- }
+ info->certs.push_back((*p)->encode());
}
if(_ssl != 0)
{
@@ -728,7 +685,6 @@ IceSSL::TransceiverI::initNativeConnectionInfo(X509_STORE_CTX* ctx) const
}
info->adapterName = _adapterName;
info->incoming = _incoming;
- return info;
}
#endif
diff --git a/cpp/src/IceSSL/OpenSSLTransceiverI.h b/cpp/src/IceSSL/OpenSSLTransceiverI.h
index 85fa55d4548..a64e932a0f5 100644
--- a/cpp/src/IceSSL/OpenSSLTransceiverI.h
+++ b/cpp/src/IceSSL/OpenSSLTransceiverI.h
@@ -19,6 +19,7 @@
#include <Ice/Transceiver.h>
#include <Ice/Network.h>
#include <Ice/StreamSocket.h>
+#include <Ice/WSTransceiver.h>
#ifdef ICE_USE_OPENSSL
@@ -31,7 +32,7 @@ namespace IceSSL
class ConnectorI;
class AcceptorI;
-class TransceiverI : public IceInternal::Transceiver
+class TransceiverI : public IceInternal::Transceiver, public IceInternal::WSTransceiverDelegate
{
public:
@@ -46,6 +47,7 @@ public:
virtual std::string toString() const;
virtual std::string toDetailedString() const;
virtual Ice::ConnectionInfoPtr getInfo() const;
+ virtual Ice::ConnectionInfoPtr getWSInfo(const Ice::HeaderDict&) const;
virtual void checkSendSize(const IceInternal::Buffer&);
virtual void setBufferSize(int rcvSize, int sndSize);
@@ -56,8 +58,7 @@ private:
TransceiverI(const InstancePtr&, const IceInternal::StreamSocketPtr&, const std::string&, bool);
virtual ~TransceiverI();
- virtual NativeConnectionInfoPtr getNativeConnectionInfo() const;
- NativeConnectionInfoPtr initNativeConnectionInfo(X509_STORE_CTX*) const;
+ void fillConnectionInfo(const ConnectionInfoPtr&, std::vector<CertificatePtr>&) const;
friend class ConnectorI;
friend class AcceptorI;
@@ -68,7 +69,8 @@ private:
const std::string _adapterName;
const bool _incoming;
const IceInternal::StreamSocketPtr _stream;
- NativeConnectionInfoPtr _info;
+ bool _verified;
+ std::vector<CertificatePtr> _nativeCerts;
SSL* _ssl;
};
diff --git a/cpp/src/IceSSL/SChannelEngine.cpp b/cpp/src/IceSSL/SChannelEngine.cpp
index efb3b099ce3..ddc47619373 100644
--- a/cpp/src/IceSSL/SChannelEngine.cpp
+++ b/cpp/src/IceSSL/SChannelEngine.cpp
@@ -56,7 +56,7 @@ struct CertChainEngineConfig
# endif
void
-addCertificateToStore(const string& file, HCERTSTORE store, PCCERT_CONTEXT* cert = 0)
+addCertificatesToStore(const string& file, HCERTSTORE store, PCCERT_CONTEXT* cert = 0)
{
vector<char> buffer;
readFile(file, buffer);
@@ -65,29 +65,50 @@ addCertificateToStore(const string& file, HCERTSTORE store, PCCERT_CONTEXT* cert
throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: certificate file is empty:\n" + file);
}
- vector<BYTE> outBuffer;
- outBuffer.resize(buffer.size());
- DWORD outLength = static_cast<DWORD>(outBuffer.size());
-
- if(!CryptStringToBinary(&buffer[0], static_cast<DWORD>(buffer.size()), CRYPT_STRING_BASE64HEADER,
- &outBuffer[0], &outLength, 0, 0))
+ string strbuf(buffer.begin(), buffer.end());
+ string::size_type size, startpos, endpos = 0;
+ bool first = true;
+ while(true)
{
- //
- // Base64 data should always be bigger than binary
- //
- assert(GetLastError() != ERROR_MORE_DATA);
- throw PluginInitializationException(__FILE__, __LINE__,
- "IceSSL: error decoding certificate:\n" + lastErrorToString());
- }
+ startpos = strbuf.find("-----BEGIN CERTIFICATE-----", endpos);
+ if(startpos != string::npos)
+ {
+ endpos = strbuf.find("-----END CERTIFICATE-----", startpos);
+ size = endpos - startpos + sizeof("-----END CERTIFICATE-----");
+ }
+ else if(first)
+ {
+ startpos = 0;
+ endpos = string::npos;
+ size = strbuf.size();
+ }
+ else
+ {
+ break;
+ }
- if(!CertAddEncodedCertificateToStore(store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &outBuffer[0],
- outLength, CERT_STORE_ADD_NEW, cert))
- {
- if(GetLastError() != static_cast<DWORD>(CRYPT_E_EXISTS))
+ vector<BYTE> outBuffer;
+ outBuffer.resize(size);
+ DWORD outLength = static_cast<DWORD>(outBuffer.size());
+ if(!CryptStringToBinary(&buffer[startpos], static_cast<DWORD>(size), CRYPT_STRING_ANY, &outBuffer[0],
+ &outLength, 0, 0))
{
+ assert(GetLastError() != ERROR_MORE_DATA); // Base64 data should always be bigger than binary
throw PluginInitializationException(__FILE__, __LINE__,
- "IceSSL: error decoding certificate:\n" + lastErrorToString());
+ "IceSSL: error decoding certificate:\n" + lastErrorToString());
+ }
+
+ if(!CertAddEncodedCertificateToStore(store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &outBuffer[0],
+ outLength, CERT_STORE_ADD_NEW, first ? cert : 0))
+ {
+ if(GetLastError() != static_cast<DWORD>(CRYPT_E_EXISTS))
+ {
+ throw PluginInitializationException(__FILE__, __LINE__,
+ "IceSSL: error decoding certificate:\n" + lastErrorToString());
+ }
}
+
+ first = false;
}
}
@@ -244,8 +265,12 @@ SChannelEngine::initialize()
//
// Create trusted CA store with contents of CertAuthFile
//
- string caFile = properties->getProperty(prefix + "CertAuthFile");
- if(!caFile.empty())
+ string caFile = properties->getProperty(prefix + "CAs");
+ if(caFile.empty())
+ {
+ caFile = properties->getProperty(prefix + "CertAuthFile");
+ }
+ if(!caFile.empty() || properties->getPropertyAsInt("IceSSL.UsePlatformCAs") <= 0)
{
_rootStore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, 0, 0);
if(!_rootStore)
@@ -253,15 +278,20 @@ SChannelEngine::initialize()
throw PluginInitializationException(__FILE__, __LINE__,
"IceSSL: error creating in memory certificate store:\n" + lastErrorToString());
}
-
+ }
+ if(!caFile.empty())
+ {
if(!checkPath(caFile, defaultDir, false))
{
throw PluginInitializationException(__FILE__, __LINE__,
"IceSSL: CA certificate file not found:\n" + caFile);
}
- addCertificateToStore(caFile, _rootStore);
+ addCertificatesToStore(caFile, _rootStore);
+ }
+ if(_rootStore)
+ {
//
// Create a chain engine that uses our Trusted Root Store
//
@@ -410,26 +440,8 @@ SChannelEngine::initialize()
"IceSSL: certificate error:\n" + lastErrorToString());
}
- //
- // If we found a certificate, add it to a new memory store. We
- // can't use directly the certificate context from the PFX
- // store: while it works for certificates without
- // intermediates, it doesn't if the certificate has
- // intermediates, the intermediates certificates aren't being
- // sent.
- //
- HCERTSTORE newStore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, 0, 0);
- PCCERT_CONTEXT newCert;
- if(!CertAddCertificateContextToStore(newStore, cert, CERT_STORE_ADD_ALWAYS, &newCert))
- {
- CertCloseStore(newStore, 0);
- throw PluginInitializationException(__FILE__, __LINE__,
- "IceSSL: certificate error:\n" + lastErrorToString());
- }
- _certs.push_back(newCert);
- _stores.push_back(newStore);
- CertFreeCertificateContext(cert);
- CertCloseStore(store, 0);
+ _certs.push_back(cert);
+ _stores.push_back(store);
continue;
}
@@ -560,7 +572,7 @@ SChannelEngine::initialize()
"store:\n" + lastErrorToString());
}
- addCertificateToStore(certFile, store, &cert);
+ addCertificatesToStore(certFile, store, &cert);
//
// Associate key & certificate
@@ -705,6 +717,17 @@ SChannelEngine::newCredentialsHandle(bool incoming)
// the root certificate either way.
//
cred.dwFlags = SCH_CRED_NO_SYSTEM_MAPPER;
+
+ //
+ // There's no way to prevent SChannel from sending "CA names" to the
+ // client. Recent Windows versions don't CA names but older ones do
+ // send all the trusted root CA names. We provide the root store to
+ // ensure that for these older Windows versions, we also include the
+ // CA names of your trusted roots. IceSSL for Java will only send a
+ // client certificate if the client certificate CA matches one of the
+ // CA names sent by the server.
+ //
+ cred.hRootStore = _rootStore;
}
else
{
diff --git a/cpp/src/IceSSL/SChannelTransceiverI.cpp b/cpp/src/IceSSL/SChannelTransceiverI.cpp
index 74d9d840ed2..126a966f6b3 100644
--- a/cpp/src/IceSSL/SChannelTransceiverI.cpp
+++ b/cpp/src/IceSSL/SChannelTransceiverI.cpp
@@ -715,7 +715,7 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
}
}
- _engine->verifyPeer(_stream->fd(), _host, getNativeConnectionInfo());
+ _engine->verifyPeer(_stream->fd(), _host, NativeConnectionInfoPtr::dynamicCast(getInfo()));
_state = StateHandshakeComplete;
if(_instance->engine()->securityTraceLevel() >= 1)
@@ -948,7 +948,18 @@ IceSSL::TransceiverI::toDetailedString() const
Ice::ConnectionInfoPtr
IceSSL::TransceiverI::getInfo() const
{
- return getNativeConnectionInfo();
+ NativeConnectionInfoPtr info = new NativeConnectionInfo();
+ fillConnectionInfo(info, info->nativeCerts);
+ return info;
+}
+
+Ice::ConnectionInfoPtr
+IceSSL::TransceiverI::getWSInfo(const Ice::HeaderDict& headers) const
+{
+ WSSNativeConnectionInfoPtr info = new WSSNativeConnectionInfo();
+ fillConnectionInfo(info, info->nativeCerts);
+ info->headers = headers;
+ return info;
}
void
@@ -984,10 +995,9 @@ IceSSL::TransceiverI::~TransceiverI()
{
}
-NativeConnectionInfoPtr
-IceSSL::TransceiverI::getNativeConnectionInfo() const
+void
+IceSSL::TransceiverI::fillConnectionInfo(const ConnectionInfoPtr& info, vector<CertificatePtr>& nativeCerts) const
{
- NativeConnectionInfoPtr info = new NativeConnectionInfo();
IceInternal::fdToAddressAndPort(_stream->fd(), info->localAddress, info->localPort, info->remoteAddress,
info->remotePort);
if(_stream->fd() != INVALID_SOCKET)
@@ -1032,7 +1042,7 @@ IceSSL::TransceiverI::getNativeConnectionInfo() const
}
CertificatePtr certificate = new Certificate(cc);
- info->nativeCerts.push_back(certificate);
+ nativeCerts.push_back(certificate);
info->certs.push_back(certificate->encode());
}
CertFreeCertificateChain(certChain);
@@ -1059,7 +1069,6 @@ IceSSL::TransceiverI::getNativeConnectionInfo() const
info->adapterName = _adapterName;
info->incoming = _incoming;
- return info;
}
bool
diff --git a/cpp/src/IceSSL/SChannelTransceiverI.h b/cpp/src/IceSSL/SChannelTransceiverI.h
index a029cf596bf..f60d54ff6d6 100644
--- a/cpp/src/IceSSL/SChannelTransceiverI.h
+++ b/cpp/src/IceSSL/SChannelTransceiverI.h
@@ -19,6 +19,7 @@
#include <Ice/Network.h>
#include <Ice/Buffer.h>
#include <Ice/StreamSocket.h>
+#include <Ice/WSTransceiver.h>
#ifdef ICE_USE_SCHANNEL
@@ -42,7 +43,7 @@ namespace IceSSL
class ConnectorI;
class AcceptorI;
-class TransceiverI : public IceInternal::Transceiver
+class TransceiverI : public IceInternal::Transceiver, public IceInternal::WSTransceiverDelegate
{
public:
@@ -63,6 +64,7 @@ public:
virtual std::string toString() const;
virtual std::string toDetailedString() const;
virtual Ice::ConnectionInfoPtr getInfo() const;
+ virtual Ice::ConnectionInfoPtr getWSInfo(const Ice::HeaderDict&) const;
virtual void checkSendSize(const IceInternal::Buffer&);
virtual void setBufferSize(int rcvSize, int sndSize);
@@ -71,7 +73,7 @@ private:
TransceiverI(const InstancePtr&, const IceInternal::StreamSocketPtr&, const std::string&, bool);
virtual ~TransceiverI();
- virtual NativeConnectionInfoPtr getNativeConnectionInfo() const;
+ void fillConnectionInfo(const ConnectionInfoPtr&, std::vector<CertificatePtr>&) const;
IceInternal::SocketOperation sslHandshake();
diff --git a/cpp/src/IceSSL/SecureTransportEngine.cpp b/cpp/src/IceSSL/SecureTransportEngine.cpp
index 9264bf252aa..a7102f64279 100644
--- a/cpp/src/IceSSL/SecureTransportEngine.cpp
+++ b/cpp/src/IceSSL/SecureTransportEngine.cpp
@@ -905,7 +905,11 @@ IceSSL::SecureTransportEngine::initialize()
//
try
{
- string caFile = properties->getProperty("IceSSL.CertAuthFile");
+ string caFile = properties->getProperty("IceSSL.CAs");
+ if(caFile.empty())
+ {
+ caFile = properties->getProperty("IceSSL.CertAuthFile");
+ }
if(!caFile.empty())
{
if(!checkPath(caFile, defaultDir, false))
@@ -915,6 +919,11 @@ IceSSL::SecureTransportEngine::initialize()
}
_certificateAuthorities = loadCACertificates(caFile);
}
+ else if(properties->getPropertyAsInt("IceSSL.UsePlatformCAs") <= 0)
+ {
+ // Setup an empty list of Root CAs to not use the system root CAs.
+ _certificateAuthorities = CFArrayCreate(0, 0, 0, 0);
+ }
}
catch(const CertificateReadException& ce)
{
diff --git a/cpp/src/IceSSL/SecureTransportTransceiverI.cpp b/cpp/src/IceSSL/SecureTransportTransceiverI.cpp
index 3ff588cd9e2..211a4ca3fe8 100644
--- a/cpp/src/IceSSL/SecureTransportTransceiverI.cpp
+++ b/cpp/src/IceSSL/SecureTransportTransceiverI.cpp
@@ -258,7 +258,7 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
<< "remote address = " << desc << "\n" << errorToString(err);
throw ProtocolException(__FILE__, __LINE__, os.str());
}
- _engine->verifyPeer(_stream->fd(), _host, getNativeConnectionInfo());
+ _engine->verifyPeer(_stream->fd(), _host, NativeConnectionInfoPtr::dynamicCast(getInfo()));
if(_instance->engine()->securityTraceLevel() >= 1)
{
@@ -485,7 +485,18 @@ IceSSL::TransceiverI::toDetailedString() const
Ice::ConnectionInfoPtr
IceSSL::TransceiverI::getInfo() const
{
- return getNativeConnectionInfo();
+ NativeConnectionInfoPtr info = new NativeConnectionInfo();
+ fillConnectionInfo(info, info->nativeCerts);
+ return info;
+}
+
+Ice::ConnectionInfoPtr
+IceSSL::TransceiverI::getWSInfo(const Ice::HeaderDict& headers) const
+{
+ WSSNativeConnectionInfoPtr info = new WSSNativeConnectionInfo();
+ fillConnectionInfo(info, info->nativeCerts);
+ info->headers = headers;
+ return info;
}
void
@@ -526,10 +537,9 @@ IceSSL::TransceiverI::~TransceiverI()
{
}
-NativeConnectionInfoPtr
-IceSSL::TransceiverI::getNativeConnectionInfo() const
+void
+IceSSL::TransceiverI::fillConnectionInfo(const ConnectionInfoPtr& info, std::vector<CertificatePtr>& nativeCerts) const
{
- NativeConnectionInfoPtr info = new NativeConnectionInfo();
IceInternal::fdToAddressAndPort(_stream->fd(), info->localAddress, info->localPort, info->remoteAddress,
info->remotePort);
if(_stream->fd() != INVALID_SOCKET)
@@ -546,7 +556,7 @@ IceSSL::TransceiverI::getNativeConnectionInfo() const
CFRetain(cert);
CertificatePtr certificate = new Certificate(cert);
- info->nativeCerts.push_back(certificate);
+ nativeCerts.push_back(certificate);
info->certs.push_back(certificate->encode());
}
@@ -562,7 +572,6 @@ IceSSL::TransceiverI::getNativeConnectionInfo() const
info->adapterName = _adapterName;
info->incoming = _incoming;
- return info;
}
OSStatus
diff --git a/cpp/src/IceSSL/SecureTransportTransceiverI.h b/cpp/src/IceSSL/SecureTransportTransceiverI.h
index aaf232c4032..c81ee7aaef1 100644
--- a/cpp/src/IceSSL/SecureTransportTransceiverI.h
+++ b/cpp/src/IceSSL/SecureTransportTransceiverI.h
@@ -18,6 +18,7 @@
#include <Ice/Transceiver.h>
#include <Ice/Network.h>
#include <Ice/StreamSocket.h>
+#include <Ice/WSTransceiver.h>
#ifdef ICE_USE_SECURE_TRANSPORT
@@ -30,7 +31,7 @@ namespace IceSSL
class ConnectorI;
class AcceptorI;
-class TransceiverI : public IceInternal::Transceiver
+class TransceiverI : public IceInternal::Transceiver, public IceInternal::WSTransceiverDelegate
{
public:
@@ -46,6 +47,7 @@ public:
virtual std::string toString() const;
virtual std::string toDetailedString() const;
virtual Ice::ConnectionInfoPtr getInfo() const;
+ virtual Ice::ConnectionInfoPtr getWSInfo(const Ice::HeaderDict&) const;
virtual void checkSendSize(const IceInternal::Buffer&);
virtual void setBufferSize(int rcvSize, int sndSize);
@@ -57,7 +59,7 @@ private:
TransceiverI(const InstancePtr&, const IceInternal::StreamSocketPtr&, const std::string&, bool);
virtual ~TransceiverI();
- virtual NativeConnectionInfoPtr getNativeConnectionInfo() const;
+ void fillConnectionInfo(const ConnectionInfoPtr&, std::vector<CertificatePtr>&) const;
friend class ConnectorI;
friend class AcceptorI;
generated by cgit v1.2.3 (git 2.46.0) at 2025-08-03 14:12:20 +0000