author | Anthony Neal <aneal@zeroc.com> | 2002-03-21 18:40:50 +0000 |
---|---|---|
committer | Anthony Neal <aneal@zeroc.com> | 2002-03-21 18:40:50 +0000 |
commit | 741b061d7c459b39a4406bda640139b7585b52f6 (patch) | |
tree | de5e08397cc6132c8a6dd96b66a09aaef6b757a4 /cpp/src | |
parent | Getting rid of old trash. (diff) | |
Updated with a couple of minor bug fixes (ContextOpenSSL.cpp and
SystemOpenSSL.cpp) and the addition of the initial tests for IceSSL.
Diffstat (limited to 'cpp/src')
-rw-r--r-- | cpp/src/Ice/ContextOpenSSL.cpp | 188 | ||||
-rw-r--r-- | cpp/src/Ice/ContextOpenSSL.h | 3 | ||||
-rw-r--r-- | cpp/src/Ice/RSACertificateGen.cpp | 59 | ||||
-rw-r--r-- | cpp/src/Ice/SystemOpenSSL.cpp | 6 |
4 files changed, 165 insertions, 91 deletions
diff --git a/cpp/src/Ice/ContextOpenSSL.cpp b/cpp/src/Ice/ContextOpenSSL.cpp
index 1e0ce4e6a81..edf5f9c58fb 100644
--- a/cpp/src/Ice/ContextOpenSSL.cpp
+++ b/cpp/src/Ice/ContextOpenSSL.cpp
@@ -14,13 +14,13 @@ #include <Ice/DefaultCertificateVerifier.h>
#include <Ice/SslException.h>
#include <Ice/RSAKeyPair.h>
-#include <Ice/RSAPublicKey.h>
#include <Ice/CertificateDesc.h>
#include <Ice/SslConnectionOpenSSL.h>
#include <Ice/ContextOpenSSL.h>
#include <Ice/OpenSSLJanitors.h>
#include <Ice/OpenSSLUtils.h>
+#include <openssl/err.h>
using IceSSL::ConnectionPtr;
@@ -52,87 +52,29 @@ IceSSL::OpenSSL::Context::setCertificateVerifier(const CertificateVerifierPtr& v void
IceSSL::OpenSSL::Context::addTrustedCertificateBase64(const std::string& trustedCertString)
{
- if (_sslContext == 0)
- {
- IceSSL::OpenSSL::ContextNotConfiguredException contextConfigEx(__FILE__, __LINE__);
-
- contextConfigEx._message = "SSL Context not configured.";
-
- throw contextConfigEx;
- }
-
RSAPublicKey pubKey(trustedCertString);
- X509_STORE* certStore = SSL_CTX_get_cert_store(_sslContext);
-
- assert(certStore != 0);
-
- if (X509_STORE_add_cert(certStore, pubKey.getX509PublicKey()) == 0)
- {
- IceSSL::OpenSSL::TrustedCertificateAddException trustEx(__FILE__, __LINE__);
-
- trustEx._message = sslGetErrors();
-
- throw trustEx;
- }
+ addTrustedCertificate(pubKey);
}
void
IceSSL::OpenSSL::Context::addTrustedCertificate(const Ice::ByteSeq& trustedCert)
{
- if (_sslContext == 0)
- {
- IceSSL::OpenSSL::ContextNotConfiguredException contextConfigEx(__FILE__, __LINE__);
-
- contextConfigEx._message = "SSL Context not configured.";
-
- throw contextConfigEx;
- }
-
RSAPublicKey pubKey(trustedCert);
- X509_STORE* certStore = SSL_CTX_get_cert_store(_sslContext);
-
- assert(certStore != 0);
-
- if (X509_STORE_add_cert(certStore, pubKey.getX509PublicKey()) == 0)
- {
- IceSSL::OpenSSL::TrustedCertificateAddException trustEx(__FILE__, __LINE__);
-
- trustEx._message = sslGetErrors();
-
- throw trustEx;
- }
+ addTrustedCertificate(pubKey);
}
void
IceSSL::OpenSSL::Context::setRSAKeysBase64(const std::string& privateKey,
const std::string& publicKey)
{
- if (_sslContext == 0)
- {
- IceSSL::OpenSSL::ContextNotConfiguredException contextConfigEx(__FILE__, __LINE__);
-
- contextConfigEx._message = "SSL Context not configured.";
-
- throw contextConfigEx;
- }
-
addKeyCert(privateKey, publicKey);
}
void
IceSSL::OpenSSL::Context::setRSAKeys(const Ice::ByteSeq& privateKey, const Ice::ByteSeq& publicKey)
{
- if (_sslContext == 0)
- {
- IceSSL::OpenSSL::ContextNotConfiguredException contextConfigEx(__FILE__, __LINE__);
-
- contextConfigEx._message = "SSL Context not configured.";
-
- throw contextConfigEx;
- }
-
addKeyCert(privateKey, publicKey);
}
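Review bot: The `_sslContext == 0` guard that threw ContextNotConfiguredException is removed from setRSAKeysBase64 and setRSAKeys, and the only addKeyCert overload visible at the end of the next hunk, addKeyCert(const CertificateFile&, const CertificateFile&), protects itself with `assert(_sslContext != 0)`, which compiles out of release builds. If the std::string/ByteSeq calls resolve to an overload that builds an RSAKeyPair and goes through addKeyCert(const RSAKeyPair&), the check this commit adds there covers them; if they resolve to the CertificateFile overload, an unconfigured context would reach SSL_CTX_use_certificate_file with a null SSL_CTX — I cannot tell from the diff which it is. Either way a one-line comment on both setters stating where the check now lives, e.g. `// Context-configured check is performed by addKeyCert(const RSAKeyPair&).`, would make the refactoring's intent explicit.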
@@ -368,6 +310,32 @@ IceSSL::OpenSSL::Context::checkKeyCert() }
void
+IceSSL::OpenSSL::Context::addTrustedCertificate(const RSAPublicKey& trustedCertificate)
+{
+ if (_sslContext == 0)
+ {
+ IceSSL::OpenSSL::ContextNotConfiguredException contextConfigEx(__FILE__, __LINE__);
+
+ contextConfigEx._message = "SSL Context not configured.";
+
+ throw contextConfigEx;
+ }
+
+ X509_STORE* certStore = SSL_CTX_get_cert_store(_sslContext);
+
+ assert(certStore != 0);
+
+ if (X509_STORE_add_cert(certStore, trustedCertificate.getX509PublicKey()) == 0)
+ {
+ IceSSL::OpenSSL::TrustedCertificateAddException trustEx(__FILE__, __LINE__);
+
+ trustEx._message = sslGetErrors();
+
+ throw trustEx;
+ }
+}
+
+void
IceSSL::OpenSSL::Context::addKeyCert(const CertificateFile& privateKey, const CertificateFile& publicCert)
{
assert(_sslContext != 0);
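Review bot: The new addTrustedCertificate(const RSAPublicKey&) treats every 0 return from `X509_STORE_add_cert` as TrustedCertificateAddException, but in the OpenSSL generation the patch's comments cite (0.9.6b) that call, as far as I recall, also returns 0 with X509_R_CERT_ALREADY_IN_HASH_TABLE when the same certificate is added twice, so adding a trust anchor a second time would fail loudly — please confirm against the version you build with. If duplicates should be tolerated, the same ERR_GET_REASON pattern the addKeyCert hunks introduce could distinguish that case before throwing. A short comment stating the ownership rule would also help here, since the X509 handle is still owned by the RSAPublicKey after the store takes its own reference: `// The store keeps its own reference; trustedCertificate retains ownership of the X509.`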
@@ -387,7 +355,7 @@ IceSSL::OpenSSL::Context::addKeyCert(const CertificateFile& privateKey, const Ce {
IceSSL::OpenSSL::CertificateLoadException certLoadEx(__FILE__, __LINE__);
- certLoadEx._message = "Unable to get certificate from '";
+ certLoadEx._message = "Unable to load certificate from '";
certLoadEx._message += publicFile;
certLoadEx._message += "'\n";
certLoadEx._message += sslGetErrors();
@@ -409,14 +377,36 @@ IceSSL::OpenSSL::Context::addKeyCert(const CertificateFile& privateKey, const Ce // Set which Private Key file to use.
if (SSL_CTX_use_PrivateKey_file(_sslContext, privKeyFile, privKeyFileType) <= 0)
{
- IceSSL::OpenSSL::PrivateKeyLoadException pklEx(__FILE__, __LINE__);
+ int errCode = ERR_GET_REASON(ERR_peek_error());
+
+ // Note: Because OpenSSL currently (V0.9.6b) performs a check to see if the
+ // key matches the private key when calling SSL_CTX_use_PrivateKey_file().
+ if (errCode == X509_R_KEY_VALUES_MISMATCH || errCode == X509_R_KEY_TYPE_MISMATCH)
+ {
+ IceSSL::OpenSSL::CertificateKeyMatchException certKeyMatchEx(__FILE__, __LINE__);
+
+ certKeyMatchEx._message = "Private key does not match the certificate public key.";
+ std::string sslError = sslGetErrors();
- pklEx._message = "Unable to get private key from '";
- pklEx._message += privKeyFile;
- pklEx._message += "'\n";
- pklEx._message += sslGetErrors();
+ if (!sslError.empty())
+ {
+ certKeyMatchEx._message += "\n";
+ certKeyMatchEx._message += sslError;
+ }
- throw pklEx;
+ throw certKeyMatchEx;
+ }
+ else
+ {
+ IceSSL::OpenSSL::PrivateKeyLoadException pklEx(__FILE__, __LINE__);
+
+ pklEx._message = "Unable to load private key from '";
+ pklEx._message += privKeyFile;
+ pklEx._message += "'\n";
+ pklEx._message += sslGetErrors();
+
+ throw pklEx;
+ }
}
checkKeyCert();
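Review bot: The classification at `int errCode = ERR_GET_REASON(ERR_peek_error());` compares only the reason number, but OpenSSL reason codes are scoped per library, so an entry from PEM or ASN1 decoding that happens to share the numeric value of X509_R_KEY_VALUES_MISMATCH could be reported as a certificate/key mismatch; ERR_peek_error also returns the oldest entry on the queue, not the one pushed by this failing call, if anything stale was left behind. Suggest `unsigned long err = ERR_peek_last_error();` followed by `if (ERR_GET_LIB(err) == ERR_LIB_X509 && (ERR_GET_REASON(err) == X509_R_KEY_VALUES_MISMATCH || ERR_GET_REASON(err) == X509_R_KEY_TYPE_MISMATCH))`. The note above it should also read "checks that the private key matches the certificate" rather than "key matches the private key". addKeyCert(const CertificateFile&, ...) begins before this hunk.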
@@ -426,12 +416,22 @@ IceSSL::OpenSSL::Context::addKeyCert(const CertificateFile& privateKey, const Ce void
IceSSL::OpenSSL::Context::addKeyCert(const RSAKeyPair& keyPair)
{
- // Janitors to ensure that everything gets cleaned up properly
- RSAJanitor rsaJanitor(keyPair.getRSAPrivateKey());
- X509Janitor x509Janitor(keyPair.getX509PublicKey());
+ if (_sslContext == 0)
+ {
+ IceSSL::OpenSSL::ContextNotConfiguredException contextConfigEx(__FILE__, __LINE__);
+
+ contextConfigEx._message = "SSL Context not configured.";
+
+ throw contextConfigEx;
+ }
+
+ // Note: Normally I would use an X509Janitor and RSAJanitor to ensure that
+ // memory was being freed properly when exceptions are thrown, but
+ // both SSL_CTX_use_certificate and SSL_CTX_use_RSAPrivateKey free
+ // certificate/key memory regardless if the call succeeded.
// Set which Public Key file to use.
- if (SSL_CTX_use_certificate(_sslContext, x509Janitor.get()) <= 0)
+ if (SSL_CTX_use_certificate(_sslContext, keyPair.getX509PublicKey()) <= 0)
{
IceSSL::OpenSSL::CertificateLoadException certLoadEx(__FILE__, __LINE__);
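Review bot: The rationale in the new comment — that SSL_CTX_use_certificate and SSL_CTX_use_RSAPrivateKey "free certificate/key memory regardless if the call succeeded" — does not match what those functions do as far as I can tell: in OpenSSL's ssl_rsa.c they take their own reference on the X509 and RSA (CRYPTO_add / RSA_up_ref) and the caller keeps ownership. Dropping the janitors is still the right change, but for a different reason: the handles returned by keyPair.getX509PublicKey() and keyPair.getRSAPrivateKey() belong to the RSAKeyPair, so freeing them here would double-free on the error path. Suggest replacing the note with `// keyPair owns the X509/RSA handles (OpenSSL takes its own reference), so nothing is freed here.` — please check against the 0.9.6b sources the comment cites. addKeyCert(const RSAKeyPair&) continues past this hunk.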
@@ -447,26 +447,44 @@ IceSSL::OpenSSL::Context::addKeyCert(const RSAKeyPair& keyPair) throw certLoadEx;
}
- x509Janitor.clear();
-
// Set which Private Key file to use.
- if (SSL_CTX_use_RSAPrivateKey(_sslContext, rsaJanitor.get()) <= 0)
+ if (SSL_CTX_use_RSAPrivateKey(_sslContext, keyPair.getRSAPrivateKey()) <= 0)
{
- IceSSL::OpenSSL::PrivateKeyLoadException pklEx(__FILE__, __LINE__);
+ int errCode = ERR_GET_REASON(ERR_peek_error());
- pklEx._message = "Unable to set private key from memory.";
- std::string sslError = sslGetErrors();
-
- if (!sslError.empty())
+ // Note: Because OpenSSL currently (V0.9.6b) performs a check to see if the
+ // key matches the private key when calling SSL_CTX_use_PrivateKey_file().
+ if (errCode == X509_R_KEY_VALUES_MISMATCH || errCode == X509_R_KEY_TYPE_MISMATCH)
{
- pklEx._message += "\n";
- pklEx._message += sslError;
+ IceSSL::OpenSSL::CertificateKeyMatchException certKeyMatchEx(__FILE__, __LINE__);
+
+ certKeyMatchEx._message = "Private key does not match the certificate public key.";
+ std::string sslError = sslGetErrors();
+
+ if (!sslError.empty())
+ {
+ certKeyMatchEx._message += "\n";
+ certKeyMatchEx._message += sslError;
+ }
+
+ throw certKeyMatchEx;
}
+ else
+ {
+ IceSSL::OpenSSL::PrivateKeyLoadException pklEx(__FILE__, __LINE__);
- throw pklEx;
- }
+ pklEx._message = "Unable to set private key from memory.";
+ std::string sslError = sslGetErrors();
- rsaJanitor.clear();
+ if (!sslError.empty())
+ {
+ pklEx._message += "\n";
+ pklEx._message += sslError;
+ }
+
+ throw pklEx;
+ }
+ }
checkKeyCert();
}
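Review bot: The comment above the mismatch check was copied from the file-based overload: it refers to SSL_CTX_use_PrivateKey_file() while the call here is SSL_CTX_use_RSAPrivateKey(), and "key matches the private key" should read "private key matches the certificate". Suggest `// Note: OpenSSL (0.9.6b) checks that the private key matches the certificate already set on the context when SSL_CTX_use_RSAPrivateKey() is called.` The `ERR_GET_REASON(ERR_peek_error())` comparison carries the same caveat as in the file-based overload — a reason code is only meaningful together with ERR_GET_LIB(), and ERR_peek_error() returns the oldest queued entry — so checking `ERR_GET_LIB(err) == ERR_LIB_X509` on `ERR_peek_last_error()` would be safer. The two overloads now duplicate this twenty-line classification block; a private helper taking the "Unable to ..." prefix would remove the copy.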
diff --git a/cpp/src/Ice/ContextOpenSSL.h b/cpp/src/Ice/ContextOpenSSL.h
index cbab0409776..07030bce9d7 100644
--- a/cpp/src/Ice/ContextOpenSSL.h
+++ b/cpp/src/Ice/ContextOpenSSL.h
@@ -31,6 +31,7 @@ #include <Ice/SslConnectionF.h>
#include <Ice/SslConnectionOpenSSLF.h>
#include <Ice/ContextOpenSSLF.h>
+#include <Ice/RSAPublicKey.h>
namespace IceSSL
{
@@ -78,6 +79,8 @@ protected: void checkKeyCert();
+ void addTrustedCertificate(const IceSSL::OpenSSL::RSAPublicKey&);
+
void addKeyCert(const IceSSL::CertificateFile&, const IceSSL::CertificateFile&);
void addKeyCert(const RSAKeyPair&);
diff --git a/cpp/src/Ice/RSACertificateGen.cpp b/cpp/src/Ice/RSACertificateGen.cpp
index 26f508e693f..4eac9363f96 100644
--- a/cpp/src/Ice/RSACertificateGen.cpp
+++ b/cpp/src/Ice/RSACertificateGen.cpp
@@ -15,6 +15,7 @@ #include <Ice/RSAPrivateKey.h>
#include <Ice/RSAPublicKey.h>
#include <Ice/SslException.h>
+#include <Ice/OpenSSLUtils.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
@@ -192,7 +193,7 @@ IceSSL::OpenSSL::RSACertificateGen::~RSACertificateGen() {
}
-IceSSL::OpenSSL::RSAKeyPair*
+IceSSL::OpenSSL::RSAKeyPairPtr
IceSSL::OpenSSL::RSACertificateGen::generate(const RSACertificateGenContext& context)
{
// Generate an RSA key pair.
@@ -265,7 +266,6 @@ IceSSL::OpenSSL::RSACertificateGen::generate(const RSACertificateGenContext& con // Nasty Hack: Getting the pkey to let go of our rsaKeyPair - we own that.
pkey->pkey.ptr = 0;
- // Constructing our object.
RSAPrivateKeyPtr privKeyPtr = new RSAPrivateKey(rsaKeyPair);
RSAPublicKeyPtr pubKeyPtr = new RSAPublicKey(x509SelfSigned);
RSAKeyPair* keyPairPtr = new RSAKeyPair(privKeyPtr, pubKeyPtr);
@@ -277,3 +277,58 @@ IceSSL::OpenSSL::RSACertificateGen::generate(const RSACertificateGenContext& con return keyPairPtr;
}
+IceSSL::OpenSSL::RSAKeyPairPtr
+IceSSL::OpenSSL::RSACertificateGen::loadKeyPair(const std::string& keyFile, const std::string& certFile)
+{
+ //
+ // Read in the X509 Certificate Structure
+ //
+ BIO* certBIO = BIO_new_file(certFile.c_str(), "r");
+ if (certBIO == 0)
+ {
+ IceSSL::OpenSSL::CertificateLoadException certLoadEx(__FILE__, __LINE__);
+
+ certLoadEx._message = "Unable to load certificate from '";
+ certLoadEx._message += certFile;
+ certLoadEx._message += "'\n";
+ certLoadEx._message += sslGetErrors();
+
+ throw certLoadEx;
+ }
+
+ X509Janitor x509Janitor(PEM_read_bio_X509(certBIO, 0, 0, 0));
+ BIO_free(certBIO);
+
+ //
+ // Read in the RSA Private Key Structure
+ //
+ BIO* keyBIO = BIO_new_file(keyFile.c_str(), "r");
+ if (keyBIO == 0)
+ {
+ IceSSL::OpenSSL::PrivateKeyLoadException pklEx(__FILE__, __LINE__);
+
+ pklEx._message = "Unable to load private key from '";
+ pklEx._message += keyFile;
+ pklEx._message += "'\n";
+ pklEx._message += sslGetErrors();
+
+ throw pklEx;
+ }
+
+ RSAJanitor rsaJanitor(PEM_read_bio_RSAPrivateKey(keyBIO, 0, 0, 0));
+ BIO_free(keyBIO);
+
+ //
+ // Construct our RSAKeyPair
+ //
+
+ RSAPrivateKeyPtr privKeyPtr = new RSAPrivateKey(rsaJanitor.get());
+ RSAPublicKeyPtr pubKeyPtr = new RSAPublicKey(x509Janitor.get());
+ RSAKeyPair* keyPairPtr = new RSAKeyPair(privKeyPtr, pubKeyPtr);
+
+ // Don't let them clean up, we're keeping those around.
+ rsaJanitor.clear();
+ x509Janitor.clear();
+
+ return keyPairPtr;
+}
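Review bot: loadKeyPair never checks the result of `PEM_read_bio_X509` or `PEM_read_bio_RSAPrivateKey`; both return 0 on a parse failure (wrong format, truncated file, unsupported key), so the janitors and then RSAPrivateKey/RSAPublicKey are constructed around null handles and the failure only surfaces later, inside SSL_CTX_use_certificate or a null dereference, far from the file that caused it. The BIO_new_file branches already build a CertificateLoadException / PrivateKeyLoadException with sslGetErrors(); the same should be done right after each PEM read, as below. Separately, passing 0 as the passphrase callback means an encrypted private key falls back to OpenSSL's default callback, which as far as I recall prompts on the controlling terminal — a server started without a tty would then fail or block, so a comment stating that only unencrypted PEM keys are supported, or an explicit callback, is worth adding.
```cpp
    X509Janitor x509Janitor(PEM_read_bio_X509(certBIO, 0, 0, 0));
    BIO_free(certBIO);

    if (x509Janitor.get() == 0)
    {
        IceSSL::OpenSSL::CertificateLoadException certLoadEx(__FILE__, __LINE__);

        certLoadEx._message = "Unable to parse certificate from '";
        certLoadEx._message += certFile;
        certLoadEx._message += "'\n";
        certLoadEx._message += sslGetErrors();

        throw certLoadEx;
    }

    // … unchanged: open keyBIO, throw PrivateKeyLoadException on failure …

    RSAJanitor rsaJanitor(PEM_read_bio_RSAPrivateKey(keyBIO, 0, 0, 0));
    BIO_free(keyBIO);

    if (rsaJanitor.get() == 0)
    {
        IceSSL::OpenSSL::PrivateKeyLoadException pklEx(__FILE__, __LINE__);

        pklEx._message = "Unable to parse private key from '";
        pklEx._message += keyFile;
        pklEx._message += "'\n";
        pklEx._message += sslGetErrors();

        throw pklEx;
    }

    // … unchanged: construct RSAKeyPair, clear janitors, return …
```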
diff --git a/cpp/src/Ice/SystemOpenSSL.cpp b/cpp/src/Ice/SystemOpenSSL.cpp
index 9a242da85ce..aca6301513e 100644
--- a/cpp/src/Ice/SystemOpenSSL.cpp
+++ b/cpp/src/Ice/SystemOpenSSL.cpp
@@ -178,9 +178,6 @@ IceSSL::OpenSSL::System::configure(ContextType contextType) } } }
-
-
- void IceSSL::OpenSSL::System::loadConfig(ContextType contextType,
@@ -399,7 +396,8 @@ IceSSL::OpenSSL::System::setCertificateVerifier(ContextType contextType, { IceUtil::RecMutex::Lock sync(_configMutex);
- CertificateVerifierPtr castVerifier = CertificateVerifierPtr::dynamicCast(verifier);
+ IceSSL::OpenSSL::CertificateVerifierPtr castVerifier;
+ castVerifier = IceSSL::OpenSSL::CertificateVerifierPtr::dynamicCast(verifier); if (!castVerifier.get()) { |
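Review bot: The reason for spelling out `IceSSL::OpenSSL::CertificateVerifierPtr::dynamicCast(verifier)` deserves a comment, because the commit message only calls this a minor fix and a reader will take the change for a cosmetic rename. If the unqualified CertificateVerifierPtr previously resolved to the base IceSSL::CertificateVerifierPtr (for instance through a using-declaration elsewhere in this file), the dynamicCast would always succeed and the `if (!castVerifier.get())` rejection that follows would never fire, so a verifier of the wrong implementation type could be installed on the context — I am inferring this from the diff, please confirm. Suggest `// Must be the OpenSSL-specific verifier type; the unqualified name resolves to the base IceSSL::CertificateVerifierPtr, for which the cast is trivially true.` setCertificateVerifier continues past the hunk.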