authorJose <jose@zeroc.com>2016-11-24 10:11:45 +0100
committerJose <jose@zeroc.com>2016-11-24 10:11:45 +0100
commitcd0a9e3caeeb5ef8cee34a3f87a9566fc1a3ff8e (patch)
treeb3b2d10411a29ae8f584f3f349d34547dab0fe49 /cpp/src
parentCheck PCCERT_CHAIN_CONTEXT TrustStatus rather than CERT_SIMPLE_CHAIN TrustStatus (diff)
Port IceSSL/configuration test to UWP and fixes to UWP IceSSL implementation
Diffstat (limited to 'cpp/src')
-rwxr-xr-xcpp/src/IceSSL/Certificate.cpp43
-rw-r--r--cpp/src/IceSSL/SSLEngine.h2
-rwxr-xr-xcpp/src/IceSSL/Util.cpp1
-rwxr-xr-xcpp/src/IceSSL/WinRTEngine.cpp20
-rwxr-xr-xcpp/src/IceSSL/WinRTTransceiverI.cpp37
5 files changed, 71 insertions, 32 deletions
diff --git a/cpp/src/IceSSL/Certificate.cpp b/cpp/src/IceSSL/Certificate.cpp
index c325d51ec24..5c4f268f67d 100755
--- a/cpp/src/IceSSL/Certificate.cpp
+++ b/cpp/src/IceSSL/Certificate.cpp
@@ -611,21 +611,24 @@ vector<pair<int, string> >
certificateAltNames(Windows::Security::Cryptography::Certificates::SubjectAlternativeNameInfo^ subAltNames)
{
vector<pair<int, string> > altNames;
- for(auto iter = subAltNames->EmailName->First(); iter->HasCurrent; iter->MoveNext())
+ if(subAltNames)
{
- altNames.push_back(make_pair(AltNameEmail, wstringToString(iter->Current->Data())));
- }
- for(auto iter = subAltNames->DnsName->First(); iter->HasCurrent; iter->MoveNext())
- {
- altNames.push_back(make_pair(AltNameDNS, wstringToString(iter->Current->Data())));
- }
- for(auto iter = subAltNames->Url->First(); iter->HasCurrent; iter->MoveNext())
- {
- altNames.push_back(make_pair(AltNameURL, wstringToString(iter->Current->Data())));
- }
- for(auto iter = subAltNames->IPAddress->First(); iter->HasCurrent; iter->MoveNext())
- {
- altNames.push_back(make_pair(AltNAmeIP, wstringToString(iter->Current->Data())));
+ for(auto iter = subAltNames->EmailName->First(); iter->HasCurrent; iter->MoveNext())
+ {
+ altNames.push_back(make_pair(AltNameEmail, wstringToString(iter->Current->Data())));
+ }
+ for(auto iter = subAltNames->DnsName->First(); iter->HasCurrent; iter->MoveNext())
+ {
+ altNames.push_back(make_pair(AltNameDNS, wstringToString(iter->Current->Data())));
+ }
+ for(auto iter = subAltNames->Url->First(); iter->HasCurrent; iter->MoveNext())
+ {
+ altNames.push_back(make_pair(AltNameURL, wstringToString(iter->Current->Data())));
+ }
+ for(auto iter = subAltNames->IPAddress->First(); iter->HasCurrent; iter->MoveNext())
+ {
+ altNames.push_back(make_pair(AltNAmeIP, wstringToString(iter->Current->Data())));
+ }
}
return altNames;
}
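Review bot: The IP-address case on the new side still spells its tag `AltNAmeIP`, inconsistent with `AltNameEmail`, `AltNameDNS` and `AltNameURL` on the neighbouring lines; presumably that is how the enumerator is declared elsewhere, in which case the declaration is worth correcting together with this use. The new null guard makes the function silently return an empty list, which is reasonable but undocumented; a comment above the `if`, `// No subject-alternative-name extension: return an empty list instead of dereferencing a null handle`, would record the intent. The four loops differ only in the collection iterated and the tag pushed, so a small local helper taking the string collection and the tag would remove the quadruplicated body.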
@@ -1139,13 +1142,13 @@ Certificate::load(const string& file)
create_task(StorageFile::GetFileFromApplicationUriAsync(
ref new Uri(ref new String(stringToWstring(file).c_str())))).then([](StorageFile^ file)
{
- return FileIO::ReadBufferAsync(file);
+ return FileIO::ReadTextAsync(file);
},
- task_continuation_context::use_arbitrary()).then([&result, &file](task<IBuffer^> previous)
+ task_continuation_context::use_arbitrary()).then([&result, &file](task<String^> previous)
{
try
{
- result.set_value(make_shared<Certificate>(ref new Certificates::Certificate(previous.get())));
+ result.set_value(Certificate::decode(wstringToString(previous.get()->Data())));
}
catch(Platform::Exception^ ex)
{
@@ -1273,7 +1276,7 @@ Certificate::operator==(const Certificate& other) const
#elif defined(ICE_USE_OPENSSL)
return X509_cmp(_cert, other._cert) == 0;
#elif defined(ICE_OS_WINRT)
- return _cert->Equals(other._cert);
+ return CryptographicBuffer::Compare(_cert->GetCertificateBlob(), other._cert->GetCertificateBlob());
#else
# error "Unknown platform"
#endif
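Review bot: The reason for replacing `_cert->Equals(other._cert)` with a comparison of the encoded blobs is not recorded in the code; a comment such as `// Compare the encoded certificates, not the wrapper objects, so two Certificate instances loaded separately compare equal` would preserve it (this assumes Equals compared object identity, which is what the change suggests but the page does not show). Nothing on the page establishes whether `GetCertificateBlob()` can return null, so no guard is proposed here.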
@@ -1669,7 +1672,9 @@ Certificate::getIssuerDN() const
#elif defined(ICE_USE_OPENSSL)
return DistinguishedName(RFC2253::parseStrict(convertX509NameToString(X509_get_issuer_name(_cert))));
#elif defined(ICE_OS_WINRT)
- return DistinguishedName(wstringToString(_cert->Issuer->Data()));
+ ostringstream os;
+ os << "CN=" << wstringToString(_cert->Issuer->Data());
+ return DistinguishedName(os.str());
#else
# error "Unknown platform"
#endif
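Review bot: The new WinRT branch builds the issuer DN by prefixing `"CN="` to the raw issuer string without escaping, so an issuer value containing RFC 2253 special characters (comma, plus, quotes, leading or trailing spaces) yields a DN that does not round-trip through the parser the OpenSSL branch uses on the line above (`RFC2253::parseStrict`), and a DN comparison used for a trust decision could then fail or match the wrong attribute. It also assumes `_cert->Issuer` yields only the CN value; if the platform returns a full distinguished name the result becomes `CN=CN=...`. If the single-attribute assumption holds, the value should be escaped the way the other branches' RFC 2253 handling expects, and the assumption stated, e.g. `// WinRT exposes only the issuer CN; rebuild a one-attribute RFC 2253 DN from it`. The same pattern presumably applies to the subject DN accessor, which is outside this hunk.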
diff --git a/cpp/src/IceSSL/SSLEngine.h b/cpp/src/IceSSL/SSLEngine.h
index c8b84fcd31b..1ceca9e7b16 100644
--- a/cpp/src/IceSSL/SSLEngine.h
+++ b/cpp/src/IceSSL/SSLEngine.h
@@ -236,10 +236,12 @@ public:
virtual void initialize();
virtual bool initialized() const;
virtual void destroy();
+ //virtual std::shared_ptr<Certificate> ca();
virtual std::shared_ptr<Certificate> certificate();
private:
+ //std::shared_ptr<Certificate> _ca;
std::shared_ptr<Certificate> _certificate;
bool _initialized;
std::mutex _mutex;
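Review bot: Commented-out declarations (`//virtual std::shared_ptr<Certificate> ca();` and `//std::shared_ptr<Certificate> _ca;`) are being added to a header with no indication of why they are disabled; the same disabled code recurs in WinRTEngine.cpp (the `IceSSL.CAs` loading block and the `WinRTEngine::ca()` body) and in WinRTTransceiverI.cpp (the `ExclusiveTrustRoots` block). Only the transceiver hunk carries the reason (the platform problem with ExclusiveTrustRoots), so a reader of the header does not see it. Either drop the dead declarations until the feature can ship, or replace them with a single `// TODO: CA trust roots are not configurable on UWP yet; see the ExclusiveTrustRoots note in WinRTTransceiverI.cpp` so the header explains itself.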
diff --git a/cpp/src/IceSSL/Util.cpp b/cpp/src/IceSSL/Util.cpp
index 6fbd2f46109..6979e34cd7b 100755
--- a/cpp/src/IceSSL/Util.cpp
+++ b/cpp/src/IceSSL/Util.cpp
@@ -1699,6 +1699,7 @@ IceSSL::findCertificates(const string& name, const string& value)
CertificateQuery^ query = ref new CertificateQuery();
query->StoreName = ref new String(stringToWstring(name).c_str());
query->IncludeDuplicates = true;
+ query->IncludeExpiredCertificates = true;
if(value != "*")
{
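Review bot: `query->IncludeExpiredCertificates = true` widens the store query that WinRTEngine::initialize uses to select the client certificate, so an expired certificate can now be picked silently as the first match and the problem only surfaces later as a handshake failure reported by the peer. If expired certificates are intended (for instance to keep test fixtures usable), a comment on the line should say so, e.g. `// Include expired certificates: selection is by name only, and expiry is reported at handshake time rather than here`; otherwise leave the default and treat expiry explicitly where the certificate is chosen. findCertificates continues outside the hunk.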
diff --git a/cpp/src/IceSSL/WinRTEngine.cpp b/cpp/src/IceSSL/WinRTEngine.cpp
index 651fd2ace53..b2bbf069e34 100755
--- a/cpp/src/IceSSL/WinRTEngine.cpp
+++ b/cpp/src/IceSSL/WinRTEngine.cpp
@@ -41,16 +41,26 @@ WinRTEngine::initialize()
const auto properties = communicator()->getProperties();
//
+ // Load CAs
+ //
+ //string ca = properties->getProperty("IceSSL.CAs");
+ //if(!ca.empty())
+ //{
+ // _ca = Certificate::load(ca);
+ //}
+
+ //
// Load client certificate
//
string findCert = properties->getProperty("IceSSL.FindCert");
if(!findCert.empty())
{
auto certs = findCertificates(properties->getPropertyWithDefault("IceSSL.CertStore", "My"), findCert);
- if(certs->Size > 0)
+ if(certs->Size == 0)
{
- _certificate = make_shared<IceSSL::Certificate>(certs->GetAt(0));
+ throw Ice::PluginInitializationException(__FILE__, __LINE__, "IceSSL: no certificates found");
}
+ _certificate = make_shared<IceSSL::Certificate>(certs->GetAt(0));
}
_initialized = true;
}
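Review bot: The new `PluginInitializationException` message `"IceSSL: no certificates found"` omits the query that failed, which is the one detail needed to diagnose a misconfigured `IceSSL.FindCert` or `IceSSL.CertStore`; hoisting the store name into a local and throwing `"IceSSL: no certificates found matching `" + findCert + "' in store `" + storeName + "'"` would make it actionable. The selection still takes `certs->GetAt(0)` without noting when the query returned more than one match, which is pre-existing but worth a comment or warning given that duplicates are included by the query. The commented-out CA-loading block carries no explanation here; the reason lives in WinRTTransceiverI.cpp and should at least be referenced by a one-line comment rather than left as bare dead code.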
@@ -61,6 +71,12 @@ WinRTEngine::initialized() const
return _initialized;
}
+//shared_ptr<Certificate>
+//WinRTEngine::ca()
+//{
+// return _ca;
+//}
+
shared_ptr<Certificate>
WinRTEngine::certificate()
{
diff --git a/cpp/src/IceSSL/WinRTTransceiverI.cpp b/cpp/src/IceSSL/WinRTTransceiverI.cpp
index 6aad729e957..2e974c1725d 100755
--- a/cpp/src/IceSSL/WinRTTransceiverI.cpp
+++ b/cpp/src/IceSSL/WinRTTransceiverI.cpp
@@ -133,7 +133,7 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
try
{
auto fd = safe_cast<StreamSocket^>(_delegate->getNativeInfo()->fd());
- if (fd->Information->ServerCertificate)
+ if(fd->Information->ServerCertificate)
{
//
// Build the certificate chain
@@ -143,9 +143,17 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
params->CurrentTimeValidationEnabled = true;
params->NetworkRetrievalEnabled = false;
params->RevocationCheckEnabled = false;
+
+ //
+ // BUGFIX: It is currently not possible to set ExclusiveTrustRoots programatically
+ // it is causing a read access exception see:https://goo.gl/B6OaNx
+ //
+ //if(_engine->ca())
+ //{
+ // params->ExclusiveTrustRoots->Append(_engine->ca()->getCert());
+ //}
promise<CertificateChain^> p;
-
create_task(fd->Information->ServerCertificate->BuildChainAsync(
fd->Information->ServerIntermediateCertificates, params)).then(
[&](task<CertificateChain^> previous)
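Review bot: With the `ExclusiveTrustRoots` block disabled, the chain built by `BuildChainAsync` is validated against whatever trust the platform supplies rather than the CA configured through `IceSSL.CAs` (assuming, as the commented code suggests, that the CA was meant to be the exclusive root), so on UWP a server certificate issued by any platform-trusted CA passes this check; the BUGFIX comment names the crash but not this consequence. The comment should state it, e.g. `// NOTE: until ExclusiveTrustRoots can be set, IceSSL.CAs is not honoured on UWP and the chain is accepted when it leads to any platform-trusted root`, and the limitation belongs in the UWP documentation as well. Minor: "programatically" should read "programmatically", and a shortened goo.gl link is not durable, so cite the full reference. The enclosing initialize body starts and ends outside the hunk.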
@@ -154,7 +162,7 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
{
p.set_value(previous.get());
}
- catch (Platform::Exception^ ex)
+ catch(Platform::Exception^ ex)
{
try
{
@@ -250,10 +258,16 @@ IceSSL::TransceiverI::startWrite(IceInternal::Buffer& buf)
HostName^ host = ref new HostName(ref new String(IceUtil::stringToWstring(_host).c_str()));
//
- // We ignre SSL invalid name errors at this point, the certificate name will be later verify
- // by SSLEngine veryPeer implementation.
+ // We ignore SSL Certificate errors at this point, the certificate chain will be validated
+ // when the chain is constructed in IceSSL::Transceiver::initialize
//
+ stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::Expired);
+ stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::IncompleteChain);
stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::InvalidName);
+ stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::RevocationFailure);
+ stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::RevocationInformationMissing);
+ stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::Untrusted);
+ stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::WrongUsage);
if(_engine->certificate())
{
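Review bot: Appending `Expired`, `IncompleteChain`, `RevocationFailure`, `RevocationInformationMissing`, `Untrusted` and `WrongUsage` to `IgnorableServerCertificateErrors` turns off the socket's own certificate validation entirely, so the connection is only as safe as the chain check in `TransceiverI::initialize` (the new comment names it `IceSSL::Transceiver::initialize`, but the hunk headers show the function is `IceSSL::TransceiverI::initialize`). That dependency should be spelled out where the errors are suppressed, e.g. `// SECURITY: platform validation is disabled here; TransceiverI::initialize must fail the connection when the rebuilt chain is untrusted, expired or has the wrong usage, otherwise any server certificate is accepted`. It is also worth confirming that every path in initialize that does not reach the chain check (an exception from BuildChainAsync, a null ServerCertificate) fails closed rather than leaving `_verified` unset; those paths are outside this hunk.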
@@ -324,13 +338,14 @@ IceSSL::TransceiverI::getInfo() const
{
NativeConnectionInfoPtr info = ICE_MAKE_SHARED(NativeConnectionInfo);
StreamSocket^ stream = safe_cast<StreamSocket^>(_delegate->getNativeInfo()->fd());
- info->nativeCerts.push_back(ICE_MAKE_SHARED(Certificate, stream->Information->ServerCertificate));
- info->certs.push_back(info->nativeCerts.back()->encode());
- auto certs = _chain ? _chain->GetCertificates(true) : stream->Information->ServerIntermediateCertificates;
- for(auto iter = certs->First(); iter->HasCurrent; iter->MoveNext())
+ if(_chain)
{
- info->nativeCerts.push_back(ICE_MAKE_SHARED(Certificate, iter->Current));
- info->certs.push_back(info->nativeCerts.back()->encode());
+ auto certs = _chain->GetCertificates(true);
+ for(auto iter = certs->First(); iter->HasCurrent; iter->MoveNext())
+ {
+ info->nativeCerts.push_back(ICE_MAKE_SHARED(Certificate, iter->Current));
+ info->certs.push_back(info->nativeCerts.back()->encode());
+ }
}
info->verified = _verified;
info->adapterName = _adapterName;
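Review bot: getInfo now leaves `info->nativeCerts` and `info->certs` empty whenever `_chain` is null, whereas the removed lines always reported `ServerCertificate` first and then the intermediates; callers that inspect connection info for the peer certificate, or rely on the first entry being the leaf, will see a behaviour change, and the order of `_chain->GetCertificates(true)` is now the only thing fixing the leaf position. If this is intentional (no validated chain, nothing trustworthy to report) a comment should say so, e.g. `// Only report certificates once a validated chain exists; with no chain the lists stay empty`, and state whether the leaf comes first. Whether GetCertificates guarantees leaf-first order is not established on the page.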