authorBenoit Foucher <benoit@zeroc.com>2015-04-23 14:16:41 +0200
committerBenoit Foucher <benoit@zeroc.com>2015-04-23 14:16:41 +0200
commit330329321972e2e10adb04f52e9e7f95cd02ac2e (patch)
tree55a93b503a537e01765505e99f723fbf0b546bed /cpp
parent ICE-6433: config/makedepend.py: replace with sed? (diff)
Fixed ICE-6438, ICE-6439 and various inconsistencies between IceSSL implementations
Diffstat (limited to 'cpp')
-rw-r--r--cpp/src/IceSSL/OpenSSLTransceiverI.cpp57
-rw-r--r--cpp/src/IceSSL/SChannelEngine.cpp4
-rw-r--r--cpp/src/IceSSL/SChannelTransceiverI.cpp123
-rw-r--r--cpp/src/IceSSL/SChannelTransceiverI.h1
-rw-r--r--cpp/src/IceSSL/SSLEngine.cpp2
-rw-r--r--cpp/src/IceSSL/SecureTransportTransceiverI.cpp27
-rw-r--r--cpp/src/IceSSL/SecureTransportTransceiverI.h3
-rw-r--r--cpp/test/IceSSL/certs/db/.gitignore2
-rw-r--r--cpp/test/IceSSL/certs/db/ca1/intermediate1/intermediate1/c_rsa_cai2.pem84
-rw-r--r--cpp/test/IceSSL/certs/db/ca1/intermediate1/intermediate1/c_rsa_cai2_key.pem30
-rwxr-xr-xcpp/test/IceSSL/certs/makecerts.py3
-rw-r--r--cpp/test/IceSSL/configuration/AllTests.cpp58
-rw-r--r--cpp/test/IceSSL/configuration/TestI.cpp1
13 files changed, 286 insertions, 109 deletions
diff --git a/cpp/src/IceSSL/OpenSSLTransceiverI.cpp b/cpp/src/IceSSL/OpenSSLTransceiverI.cpp
index fa60bdaf5f7..bed46b3b8b4 100644
--- a/cpp/src/IceSSL/OpenSSLTransceiverI.cpp
+++ b/cpp/src/IceSSL/OpenSSLTransceiverI.cpp
@@ -258,8 +258,7 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
if(_engine->securityTraceLevel() >= 1)
{
ostringstream ostr;
- ostr << "IceSSL: ignoring certificate verification failure:\n"
- << X509_verify_cert_error_string(result);
+ ostr << "IceSSL: ignoring certificate verification failure:\n" << X509_verify_cert_error_string(result);
_instance->logger()->trace(_instance->traceCategory(), ostr.str());
}
}
@@ -277,6 +276,10 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
throw ex;
}
}
+ else if(_info)
+ {
+ _info->verified = true;
+ }
_engine->verifyPeer(_stream->fd(), _host, getNativeConnectionInfo());
if(_engine->securityTraceLevel() >= 1)
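Review bot: The new `else if(_info)` branch marks the connection verified whenever the preceding check did not report an error, and if `result` is the value of SSL_get_verify_result() (the call itself is outside the hunk) that value is also X509_V_OK when the peer presented no certificate at all, so the `_info` guard appears to be what keeps a certificate-less connection from being reported as verified, presumably because `_info` is only populated from the verify callback. That dependency deserves a comment on the new line, e.g. `// _info is only set by the verify callback; a peer that sent no certificate is never marked verified.`, and should be confirmed against where `_info` is assigned. initialize() continues outside the hunk on both sides.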
@@ -667,12 +670,18 @@ IceSSL::TransceiverI::initNativeConnectionInfo(X509_STORE_CTX* ctx) const
}
info->adapterName = _adapterName;
info->incoming = _incoming;
+ info->verified = false;
STACK_OF(X509)* chain = 0;
if(ctx)
{
+ //
+ // This is called from the verify callback where OpenSSL provides the verified
+ // certificate chain.
+ //
chain = X509_STORE_CTX_get1_chain(ctx);
}
+
if(chain == 0 && _ssl != 0)
{
//
@@ -685,37 +694,37 @@ IceSSL::TransceiverI::initNativeConnectionInfo(X509_STORE_CTX* ctx) const
//
X509* cert = SSL_get_peer_certificate(_ssl);
chain = SSL_get_peer_cert_chain(_ssl);
- if(cert != 0 && (chain == 0 || sk_X509_num(chain) == 0 || cert != sk_X509_value(chain, 0)))
- {
- CertificatePtr certificate = new Certificate(cert);
+ if(cert != 0 && (chain == 0 || sk_X509_num(chain) == 0 || cert != sk_X509_value(chain, 0)))
+ {
+ CertificatePtr certificate = new Certificate(cert);
info->nativeCerts.push_back(certificate);
info->certs.push_back(certificate->encode());
- }
- else
- {
- X509_free(cert);
- }
+ }
+ else
+ {
+ X509_free(cert);
+ }
}
if(chain != 0)
{
- for(int i = 0; i < sk_X509_num(chain); ++i)
- {
- //
- // Duplicate the certificate since the stack comes straight from the SSL connection.
- //
- CertificatePtr certificate = new Certificate(X509_dup(sk_X509_value(chain, i)));
- info->nativeCerts.push_back(certificate);
- info->certs.push_back(certificate->encode());
- }
- if(ctx)
- {
- sk_X509_pop_free(chain, X509_free);
- }
+ for(int i = 0; i < sk_X509_num(chain); ++i)
+ {
+ //
+ // Duplicate the certificate since the stack comes straight from the SSL connection.
+ //
+ CertificatePtr certificate = new Certificate(X509_dup(sk_X509_value(chain, i)));
+ info->nativeCerts.push_back(certificate);
+ info->certs.push_back(certificate->encode());
+ }
+ if(ctx)
+ {
+ sk_X509_pop_free(chain, X509_free);
+ }
}
if(_ssl != 0)
{
- info->cipher = SSL_get_cipher_name(_ssl); // Nothing needs to be free'd.
+ info->cipher = SSL_get_cipher_name(_ssl); // Nothing needs to be free'd.
}
info->adapterName = _adapterName;
info->incoming = _incoming;
diff --git a/cpp/src/IceSSL/SChannelEngine.cpp b/cpp/src/IceSSL/SChannelEngine.cpp
index 009714706f1..efb3b099ce3 100644
--- a/cpp/src/IceSSL/SChannelEngine.cpp
+++ b/cpp/src/IceSSL/SChannelEngine.cpp
@@ -705,10 +705,6 @@ SChannelEngine::newCredentialsHandle(bool incoming)
// the root certificate either way.
//
cred.dwFlags = SCH_CRED_NO_SYSTEM_MAPPER;
- if(_rootStore)
- {
- cred.hRootStore = _rootStore;
- }
}
else
{
diff --git a/cpp/src/IceSSL/SChannelTransceiverI.cpp b/cpp/src/IceSSL/SChannelTransceiverI.cpp
index 8f79d63df1d..74d9d840ed2 100644
--- a/cpp/src/IceSSL/SChannelTransceiverI.cpp
+++ b/cpp/src/IceSSL/SChannelTransceiverI.cpp
@@ -636,81 +636,85 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
return op;
}
- if(!_incoming || _engine->getVerifyPeer() > 0)
+ //
+ // Build the peer certificate chain and verify it.
+ //
+ PCCERT_CONTEXT cert = 0;
+ SECURITY_STATUS err = QueryContextAttributes(&_ssl, SECPKG_ATTR_REMOTE_CERT_CONTEXT, &cert);
+ if(err && err != SEC_E_NO_CREDENTIALS)
+ {
+ throw SecurityException(__FILE__, __LINE__, "IceSSL: certificate verification failure:" +
+ IceUtilInternal::lastErrorToString());
+ }
+
+ if(!cert && ((!_incoming && _engine->getVerifyPeer() > 0) || (_incoming && _engine->getVerifyPeer() == 2)))
{
//
- // Build the peer certificate chain and verify it.
+ // Clients require server certificate if VerifyPeer > 0 and servers require client
+ // certificate if VerifyPeer == 2
//
- PCCERT_CONTEXT cert = 0;
- SECURITY_STATUS err = QueryContextAttributes(&_ssl, SECPKG_ATTR_REMOTE_CERT_CONTEXT, &cert);
- if(err && err != SEC_E_NO_CREDENTIALS)
+ throw SecurityException(__FILE__, __LINE__, "IceSSL: certificate required:" +
+ IceUtilInternal::lastErrorToString());
+ }
+ else if(cert) // Verify the remote certificate
+ {
+ try
{
- throw SecurityException(__FILE__, __LINE__, "IceSSL: certificate verification failure:" +
- IceUtilInternal::lastErrorToString());
- }
+ CERT_CHAIN_PARA chainP;
+ memset(&chainP, 0, sizeof(chainP));
+ chainP.cbSize = sizeof(chainP);
- if(!cert && (!_incoming || _engine->getVerifyPeer() == 2))
- {
- // Clients require server certificate if VerifyPeer > 0
- // and servers require client certificate if VerifyPeer == 2
- throw SecurityException(__FILE__, __LINE__, "IceSSL: certificate required:" +
- IceUtilInternal::lastErrorToString());
- }
- else if(cert) // Verify the remote certificate
- {
- try
+ PCCERT_CHAIN_CONTEXT certChain;
+ if(!CertGetCertificateChain(_engine->chainEngine(), cert, 0, 0, &chainP,
+ CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY, 0, &certChain))
{
- CERT_CHAIN_PARA chainP;
- memset(&chainP, 0, sizeof(chainP));
- chainP.cbSize = sizeof(chainP);
-
- PCCERT_CHAIN_CONTEXT certChain;
- if(!CertGetCertificateChain(_engine->chainEngine(), cert, 0, 0, &chainP,
- CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY, 0, &certChain))
- {
- CertFreeCertificateContext(cert);
- throw IceUtilInternal::lastErrorToString();
- }
+ CertFreeCertificateContext(cert);
+ throw IceUtilInternal::lastErrorToString();
+ }
- CERT_SIMPLE_CHAIN* simpleChain = certChain->rgpChain[0];
+ CERT_SIMPLE_CHAIN* simpleChain = certChain->rgpChain[0];
- string trustError;
- if(simpleChain->TrustStatus.dwErrorStatus != CERT_TRUST_NO_ERROR)
- {
- trustError = trustStatusToString(certChain->TrustStatus.dwErrorStatus);
- }
+ string trustError;
+ if(simpleChain->TrustStatus.dwErrorStatus != CERT_TRUST_NO_ERROR)
+ {
+ trustError = trustStatusToString(certChain->TrustStatus.dwErrorStatus);
+ }
+ else
+ {
+ _verified = true;
+ }
- CertFreeCertificateChain(certChain);
- CertFreeCertificateContext(cert);
- if(!trustError.empty())
- {
- throw trustError;
- }
+ CertFreeCertificateChain(certChain);
+ CertFreeCertificateContext(cert);
+ if(!trustError.empty())
+ {
+ throw trustError;
}
- catch(const string& reason)
+ }
+ catch(const string& reason)
+ {
+ if(_engine->getVerifyPeer() == 0)
{
- if(_engine->getVerifyPeer() == 0)
+ if(_instance->traceLevel() >= 1)
{
- if(_instance->traceLevel() >= 1)
- {
- _instance->logger()->trace(_instance->traceCategory(),
- "IceSSL: ignoring certificate verification failure\n" + reason);
- }
+ _instance->logger()->trace(_instance->traceCategory(),
+ "IceSSL: ignoring certificate verification failure\n" + reason);
}
- else
+ }
+ else
+ {
+ ostringstream os;
+ os << "IceSSL: certificate verification failure\n" << reason;
+ string msg = os.str();
+ if(_instance->traceLevel() >= 1)
{
- ostringstream os;
- os << "IceSSL: certificate verification failure\n" << reason;
- string msg = os.str();
- if(_instance->traceLevel() >= 1)
- {
- _instance->logger()->trace(_instance->traceCategory(), msg);
- }
- throw SecurityException(__FILE__, __LINE__, msg);
+ _instance->logger()->trace(_instance->traceCategory(), msg);
}
+ throw SecurityException(__FILE__, __LINE__, msg);
}
}
}
+
_engine->verifyPeer(_stream->fd(), _host, getNativeConnectionInfo());
_state = StateHandshakeComplete;
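Review bot: `_verified = true` is decided by `simpleChain->TrustStatus.dwErrorStatus` (the first simple chain, `rgpChain[0]`) while the reported error is taken from `certChain->TrustStatus.dwErrorStatus`, the aggregate over the whole chain context; testing the aggregate in both places, `if(certChain->TrustStatus.dwErrorStatus != CERT_TRUST_NO_ERROR)`, keeps the flag and the message consistent and is the conservative choice if the context ever holds more than one simple chain. Two smaller points in the same block: `IceUtilInternal::lastErrorToString()` is evaluated after `CertFreeCertificateContext(cert)`, which may overwrite the error CertGetCertificateChain left behind, so capture the string before freeing; and neither `certChain` nor `cert` is released if `trustStatusToString` throws. The trace check here uses `_instance->traceLevel()` whereas the OpenSSL transceiver gates the same "ignoring certificate verification failure" message on `_engine->securityTraceLevel()`, which seems to be exactly the kind of cross-backend inconsistency the commit title targets. initialize() starts and ends outside the hunk.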
@@ -971,7 +975,8 @@ IceSSL::TransceiverI::TransceiverI(const InstancePtr& instance,
_state(StateHandshakeNotStarted),
_bufferedW(0),
_sslInitialized(false),
- _credentialsInitialized(false)
+ _credentialsInitialized(false),
+ _verified(false)
{
}
@@ -991,6 +996,8 @@ IceSSL::TransceiverI::getNativeConnectionInfo() const
info->sndSize = IceInternal::getSendBufferSize(_stream->fd());
}
+ info->verified = _verified;
+
if(_sslInitialized)
{
CtxtHandle* ssl = const_cast<CtxtHandle*>(&_ssl);
diff --git a/cpp/src/IceSSL/SChannelTransceiverI.h b/cpp/src/IceSSL/SChannelTransceiverI.h
index bfc1b0e020f..a029cf596bf 100644
--- a/cpp/src/IceSSL/SChannelTransceiverI.h
+++ b/cpp/src/IceSSL/SChannelTransceiverI.h
@@ -121,6 +121,7 @@ private:
CredHandle _credentials;
bool _credentialsInitialized;
SecPkgContext_StreamSizes _sizes;
+ bool _verified;
};
typedef IceUtil::Handle<TransceiverI> TransceiverIPtr;
diff --git a/cpp/src/IceSSL/SSLEngine.cpp b/cpp/src/IceSSL/SSLEngine.cpp
index 2ad615f2f51..81518ee38ef 100644
--- a/cpp/src/IceSSL/SSLEngine.cpp
+++ b/cpp/src/IceSSL/SSLEngine.cpp
@@ -109,7 +109,7 @@ IceSSL::SSLEngine::initialize()
// chain, including the peer's certificate. A value of 0 means there is
// no maximum.
//
- _verifyDepthMax = properties->getPropertyAsIntWithDefault(propPrefix + "VerifyDepthMax", 2);
+ _verifyDepthMax = properties->getPropertyAsIntWithDefault(propPrefix + "VerifyDepthMax", 3);
//
// VerifyPeer determines whether certificate validation failures abort a connection.
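Review bot: The default for VerifyDepthMax changes from 2 to 3 but the explanatory comment above it (its beginning is outside the hunk) is the only visible documentation of the property and does not state the default, so a reader cannot tell the change was deliberate. Suggested addition to that comment: `// The default is 3, enough for a peer certificate, one intermediate and the root (see the IceSSL configuration tests).`, which matches the test in this commit that expects a three-certificate chain to verify with the default. Any user-facing property reference that still documents 2 would need the same update.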
diff --git a/cpp/src/IceSSL/SecureTransportTransceiverI.cpp b/cpp/src/IceSSL/SecureTransportTransceiverI.cpp
index 3feb7774e86..3ff588cd9e2 100644
--- a/cpp/src/IceSSL/SecureTransportTransceiverI.cpp
+++ b/cpp/src/IceSSL/SecureTransportTransceiverI.cpp
@@ -95,7 +95,7 @@ socketRead(SSLConnectionRef connection, void* data, size_t* length)
return transceiver->readRaw(reinterpret_cast<char*>(data), length);
}
-void
+bool
checkTrustResult(SecTrustRef trust, const SecureTransportEnginePtr& engine, const InstancePtr& instance)
{
OSStatus err = noErr;
@@ -132,14 +132,15 @@ checkTrustResult(SecTrustRef trust, const SecureTransportEnginePtr& engine, cons
//
// Trust verify success.
//
- break;
+ return true;
}
- case kSecTrustResultInvalid:
- //case kSecTrustResultConfirm: // Used in old OS X versions
- case kSecTrustResultDeny:
- case kSecTrustResultRecoverableTrustFailure:
- case kSecTrustResultFatalTrustFailure:
- case kSecTrustResultOtherError:
+ default:
+ // case kSecTrustResultInvalid:
+ // //case kSecTrustResultConfirm: // Used in old OS X versions
+ // case kSecTrustResultDeny:
+ // case kSecTrustResultRecoverableTrustFailure:
+ // case kSecTrustResultFatalTrustFailure:
+ // case kSecTrustResultOtherError:
{
if(engine->getVerifyPeer() == 0)
{
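Review bot: Replacing the explicit result labels with `default:` means any new or unexpected SecTrustResultType is treated as a verification failure, which is the right default for a trust decision, but it also removes the compiler's unhandled-enumerator warning, and the six commented-out `case` lines that follow are dead text. A one-line comment carries the same information: `// Any other result (Invalid, Deny, RecoverableTrustFailure, FatalTrustFailure, OtherError) is a verification failure.` Since checkTrustResult now returns bool (this file's first hunk) and the VerifyPeer == 0 path in the next hunk returns false, confirm that the remaining `else` path, which is outside these hunks, always throws or returns so no control path falls off the end.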
@@ -149,7 +150,7 @@ checkTrustResult(SecTrustRef trust, const SecureTransportEnginePtr& engine, cons
os << "IceSSL: ignoring certificate verification failure\n" << trustResultDescription(trustResult);
instance->logger()->trace(instance->traceCategory(), os.str());
}
- break;
+ return false;
}
else
{
@@ -236,7 +237,7 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
}
if(err == noErr)
{
- checkTrustResult(_trust, _engine, _instance);
+ _verified = checkTrustResult(_trust, _engine, _instance);
continue; // Call SSLHandshake to resume the handsake.
}
// Let it fall through, this will raise a SecurityException with the SSLCopyPeerTrust error.
@@ -510,6 +511,7 @@ IceSSL::TransceiverI::TransceiverI(const InstancePtr& instance,
_stream(stream),
_ssl(0),
_trust(0),
+ _verified(false),
_buffered(0)
{
//
@@ -551,6 +553,11 @@ IceSSL::TransceiverI::getNativeConnectionInfo() const
SSLCipherSuite cipher;
SSLGetNegotiatedCipher(_ssl, &cipher);
info->cipher = _engine->getCipherName(cipher);
+ info->verified = _verified;
+ }
+ else
+ {
+ info->verified = false;
}
info->adapterName = _adapterName;
diff --git a/cpp/src/IceSSL/SecureTransportTransceiverI.h b/cpp/src/IceSSL/SecureTransportTransceiverI.h
index afdcccc2018..aaf232c4032 100644
--- a/cpp/src/IceSSL/SecureTransportTransceiverI.h
+++ b/cpp/src/IceSSL/SecureTransportTransceiverI.h
@@ -71,7 +71,8 @@ private:
SSLContextRef _ssl;
SecTrustRef _trust;
-
+ bool _verified;
+
size_t _buffered;
enum SSLWantFlags
{
diff --git a/cpp/test/IceSSL/certs/db/.gitignore b/cpp/test/IceSSL/certs/db/.gitignore
new file mode 100644
index 00000000000..d76ff1326c0
--- /dev/null
+++ b/cpp/test/IceSSL/certs/db/.gitignore
@@ -0,0 +1,2 @@
+# Temporary files generated by IceCertUtils
+*.p12 \ No newline at end of file
diff --git a/cpp/test/IceSSL/certs/db/ca1/intermediate1/intermediate1/c_rsa_cai2.pem b/cpp/test/IceSSL/certs/db/ca1/intermediate1/intermediate1/c_rsa_cai2.pem
new file mode 100644
index 00000000000..8bf88ec43fc
--- /dev/null
+++ b/cpp/test/IceSSL/certs/db/ca1/intermediate1/intermediate1/c_rsa_cai2.pem
@@ -0,0 +1,84 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEsDCCA5igAwIBAgIIIsQP2vo83uEwDQYJKoZIhvcNAQELBQAwgZsxJTAjBgNV
+BAMMHFplcm9DIFRlc3QgSW50ZXJtZWRpYXRlIENBIDExDDAKBgNVBAsMA0ljZTEU
+MBIGA1UECgwLWmVyb0MsIEluYy4xEDAOBgNVBAcMB0p1cGl0ZXIxEDAOBgNVBAgM
+B0Zsb3JpZGExCzAJBgNVBAYTAlVTMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHplcm9j
+LmNvbTAeFw0xNTA0MTYxMjIyMzVaFw0yMDA0MTQxMjIyMzVaMIGbMSUwIwYDVQQD
+DBxaZXJvQyBUZXN0IEludGVybWVkaWF0ZSBDQSAyMQwwCgYDVQQLDANJY2UxFDAS
+BgNVBAoMC1plcm9DLCBJbmMuMRAwDgYDVQQHDAdKdXBpdGVyMRAwDgYDVQQIDAdG
+bG9yaWRhMQswCQYDVQQGEwJVUzEdMBsGCSqGSIb3DQEJARYOaW5mb0B6ZXJvYy5j
+b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCztRo3bxb8ddw8l5w1
+aG2YNx9tgPzTDhSStbQdiKQ6pbFTK8oP7eNmyiHq4ZL/BiW9pwUqBZf7KlKLClv2
+8vDwaN1fV0/J7bJT7ogPDbcu6WxhIf9VQbg/urvL6TIk0mRthht0FZ06oUKfqjpY
+l9T9ytUen1TYd319Q81Zd7KyTVx6gnoDs6axDHOY4GrCaMh+lNWtgxXceG4nKrNv
+h/7tkuswx3XHP/PTB19m1MPx/d7a/c8aUbKIHe/KWa6W9ou58gXgz4Slduf+3QSE
+NhT8JsNiGra+DxFkfWlJOhl7l2zMHLmuLXopPG4e9o/ojWP+mo1WkOeK+pzTOHEa
++gDpAgMBAAGjgfUwgfIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUEONhazSlHzYK
+KnFD1/GG8MPYEdQwgcIGA1UdIwSBujCBt4AUUoxrQOhxctjEAfAwsxe9zn9IcWah
+gZSkgZEwgY4xGDAWBgNVBAMMD1plcm9DIFRlc3QgQ0EgMTEMMAoGA1UECwwDSWNl
+MRQwEgYDVQQKDAtaZXJvQywgSW5jLjEQMA4GA1UEBwwHSnVwaXRlcjEQMA4GA1UE
+CAwHRmxvcmlkYTELMAkGA1UEBhMCVVMxHTAbBgkqhkiG9w0BCQEWDmluZm9AemVy
+b2MuY29tggh+LYcQnlFBgjANBgkqhkiG9w0BAQsFAAOCAQEAhjWXKE5LZ5lf34x7
+7sjzPTLNeAZqs9PcsQdlBZdSrdFOiCnQI/+2N9jzoZWDJE/EVxKX8/UZwcCl0iFB
+FwObz2kmhLUB+++irMK/caZtkf6S5e2BJMkpheaa3kxO8YAytSbHsz/E0kZ3hm/m
+9VUXS2efloiO5DyTIqJa/2IEJxjj4vYmBi8XAsDuKGamel+pqQEBosns3qnGOb/f
+JCbfIJ00m4A048B/sDwEdBc4EQDqMM12+UHjgCkJHXXGqsTo9UDsOQQZMWbM04Tr
+2IBGbwWD4ZskDdc1yMxg/74mA47iztLXc+tDn8GIqj2jkUybmsWXlkCOjAxlpUbh
+5MaD4w==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/cpp/test/IceSSL/certs/db/ca1/intermediate1/intermediate1/c_rsa_cai2_key.pem b/cpp/test/IceSSL/certs/db/ca1/intermediate1/intermediate1/c_rsa_cai2_key.pem
new file mode 100644
index 00000000000..f986fcddf19
--- /dev/null
+++ b/cpp/test/IceSSL/certs/db/ca1/intermediate1/intermediate1/c_rsa_cai2_key.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,D4562F6C416E300B
+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+-----END RSA PRIVATE KEY-----
diff --git a/cpp/test/IceSSL/certs/makecerts.py b/cpp/test/IceSSL/certs/makecerts.py
index 9e447e3e74c..3c241767a1c 100755
--- a/cpp/test/IceSSL/certs/makecerts.py
+++ b/cpp/test/IceSSL/certs/makecerts.py
@@ -88,9 +88,6 @@ cai2 = cai1.getIntermediateFactory("intermediate1")
if not cai2:
cai2 = cai1.createIntermediateFactory("intermediate1", cn = "ZeroC Test Intermediate CA 2")
-cai1.getCA().save("cacert_int1.pem")
-cai2.getCA().save("cacert_int2.pem")
-
#
# Create certificates (CA, alias, { creation parameters passed to ca.create(...) })
#
diff --git a/cpp/test/IceSSL/configuration/AllTests.cpp b/cpp/test/IceSSL/configuration/AllTests.cpp
index 6a0360402f7..448eb075a0f 100644
--- a/cpp/test/IceSSL/configuration/AllTests.cpp
+++ b/cpp/test/IceSSL/configuration/AllTests.cpp
@@ -439,7 +439,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
{
//
// Test IceSSL.VerifyPeer=0. Client does not have a certificate,
- // but it still verifies the server's.
+ // and doesn't trust the server certificate.
//
InitializationData initData;
initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12, "", "");
@@ -454,10 +454,34 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
try
{
server->noCert();
+ test(!IceSSL::ConnectionInfoPtr::dynamicCast(server->ice_getConnection()->getInfo())->verified);
}
- catch(const LocalException& ex)
+ catch(const LocalException&)
+ {
+ test(false);
+ }
+ fact->destroyServer(server);
+ comm->destroy();
+
+ //
+ // Test IceSSL.VerifyPeer=0. Client does not have a certificate,
+ // but it still verifies the server's.
+ //
+ initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12, "", "cacert1");
+ comm = initialize(initData);
+ fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
+ test(fact);
+
+ d = createServerProps(defaultProps, defaultDir, defaultHost, p12, "s_rsa_ca1", "");
+ d["IceSSL.VerifyPeer"] = "0";
+ server = fact->createServer(d);
+ try
+ {
+ server->noCert();
+ test(IceSSL::ConnectionInfoPtr::dynamicCast(server->ice_getConnection()->getInfo())->verified);
+ }
+ catch(const LocalException&)
{
- cerr << ex << endl;
test(false);
}
fact->destroyServer(server);
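Review bot: Both new `catch(const LocalException&)` blocks drop the `cerr << ex << endl;` the old handler had, so a failing run now reports only `test(false)` with no indication of which exception ended the handshake; keep the binding and the print, `catch(const LocalException& ex) { cerr << ex << endl; test(false); }`. The two `verified` assertions are the right shape: the first pins that VerifyPeer=0 with an untrusted server certificate connects but is not reported verified, the second that the same setting with the CA configured is reported verified, which covers the flag across all three backends.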
@@ -465,7 +489,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
//
// Test IceSSL.VerifyPeer=1. Client does not have a certificate.
//
- d = createServerProps(defaultProps, defaultDir, defaultHost, p12, "s_rsa_ca1", "cacert1");
+ d = createServerProps(defaultProps, defaultDir, defaultHost, p12, "s_rsa_ca1", "");
d["IceSSL.VerifyPeer"] = "1";
server = fact->createServer(d);
try
@@ -482,7 +506,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
// Test IceSSL.VerifyPeer=2. This should fail because the client
// does not supply a certificate.
//
- d = createServerProps(defaultProps, defaultDir, defaultHost, p12, "s_rsa_ca1", "cacert1");
+ d = createServerProps(defaultProps, defaultDir, defaultHost, p12, "s_rsa_ca1", "");
d["IceSSL.VerifyPeer"] = "2";
server = fact->createServer(d);
try
@@ -513,7 +537,6 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
// able to provide the certificate chain).
//
initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12, "c_rsa_ca1", "cacert1");
- initData.properties->setProperty("IceSSL.VerifyPeer", "0");
comm = initialize(initData);
fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
test(fact);
@@ -549,6 +572,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
info = IceSSL::NativeConnectionInfoPtr::dynamicCast(server->ice_getConnection()->getInfo());
test(info->nativeCerts.size() == 2);
+ test(info->verified);
test(caCert == info->nativeCerts[1]);
test(serverCert == info->nativeCerts[0]);
@@ -817,6 +841,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
{
info = IceSSL::NativeConnectionInfoPtr::dynamicCast(server->ice_getConnection()->getInfo());
test(info->nativeCerts.size() == 1);
+ test(!info->verified);
}
catch(const Ice::LocalException& ex)
{
@@ -840,6 +865,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
#else
test(info->nativeCerts.size() == 1);
#endif
+ test(!info->verified);
}
catch(const Ice::LocalException& ex)
{
@@ -866,6 +892,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
#else
test(info->nativeCerts.size() == 2);
#endif
+ test(!info->verified);
}
catch(const Ice::LocalException& ex)
{
@@ -894,6 +921,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
{
info = IceSSL::NativeConnectionInfoPtr::dynamicCast(server->ice_getConnection()->getInfo());
test(info->nativeCerts.size() == 2);
+ test(info->verified);
}
catch(const Ice::LocalException& ex)
{
@@ -902,6 +930,18 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
}
fact->destroyServer(server);
}
+ comm->destroy();
+
+ //
+ // Try certificate with one intermediate and VerifyDepthMax=2
+ //
+ initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12, "", "cacert1");
+ initData.properties->setProperty("IceSSL.VerifyPeer", "1");
+ initData.properties->setProperty("IceSSL.VerifyDepthMax", "2");
+ comm = initialize(initData);
+
+ fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
+ test(fact);
{
Test::Properties d = createServerProps(defaultProps, defaultDir, defaultHost, p12, "s_rsa_cai1", "");
@@ -926,11 +966,11 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
comm->destroy();
//
- // Increase VerifyDepthMax to 3
+ // Try with VerifyDepthMax set to 3 (the default)
//
initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12, "", "cacert1");
initData.properties->setProperty("IceSSL.VerifyPeer", "1");
- initData.properties->setProperty("IceSSL.VerifyDepthMax", "3");
+ //initData.properties->setProperty("IceSSL.VerifyDepthMax", "3");
comm = initialize(initData);
fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
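Review bot: The commented-out `//initData.properties->setProperty("IceSSL.VerifyDepthMax", "3");` is dead code; the reworded comment above already states that 3 is the default, so the line should be deleted. If the intent is instead to keep this test pinned to depth 3 even if the default changes again, leave the call active and say so in the comment rather than keeping both versions.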
@@ -944,6 +984,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
{
info = IceSSL::NativeConnectionInfoPtr::dynamicCast(server->ice_getConnection()->getInfo());
test(info->nativeCerts.size() == 3);
+ test(info->verified);
}
catch(const Ice::LocalException&)
{
@@ -988,6 +1029,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
{
info = IceSSL::NativeConnectionInfoPtr::dynamicCast(server->ice_getConnection()->getInfo());
test(info->nativeCerts.size() == 4);
+ test(info->verified);
}
catch(const Ice::LocalException&)
{
diff --git a/cpp/test/IceSSL/configuration/TestI.cpp b/cpp/test/IceSSL/configuration/TestI.cpp
index 9ba3f0b7d56..1b3a4458e30 100644
--- a/cpp/test/IceSSL/configuration/TestI.cpp
+++ b/cpp/test/IceSSL/configuration/TestI.cpp
@@ -42,6 +42,7 @@ ServerI::checkCert(const string& subjectDN, const string& issuerDN, const Ice::C
try
{
IceSSL::NativeConnectionInfoPtr info = IceSSL::NativeConnectionInfoPtr::dynamicCast(c.con->getInfo());
+ test(info->verified);
test(info->nativeCerts.size() == 2 &&
info->nativeCerts[0]->getSubjectDN() == IceSSL::DistinguishedName(subjectDN) &&
info->nativeCerts[0]->getIssuerDN() == IceSSL::DistinguishedName(issuerDN));