author | Anthony Neal <aneal@zeroc.com> | 2002-07-17 19:47:30 +0000 |
---|---|---|
committer | Anthony Neal <aneal@zeroc.com> | 2002-07-17 19:47:30 +0000 |
commit | 5f05821a9aed2607b82ae40a0964ab86252a0b78 (patch) | |
tree | acb63fae4434b822099045fc5e689e90e01ffb5d /cpp | |
parent | Use IceStorm service (diff) | |
Added the ability for Glacier to adjust the certificate's issued time, allowing a
'grace' period for clients whose clocks are off. This is controlled by the property
Glacier.Starter.Certificate.IssuedAdjust.
Diffstat (limited to 'cpp')
-rw-r--r-- | cpp/include/IceSSL/RSACertificateGen.h | 3 | ||||
-rw-r--r-- | cpp/src/Glacier/StarterI.cpp | 2 | ||||
-rw-r--r-- | cpp/src/IceSSL/OpenSSLUtils.cpp | 63 | ||||
-rw-r--r-- | cpp/src/IceSSL/OpenSSLUtils.h | 2 | ||||
-rw-r--r-- | cpp/src/IceSSL/RSACertificateGen.cpp | 17 | ||||
-rw-r--r-- | cpp/src/IceSSL/SslConnectionOpenSSLClient.cpp | 2 |
6 files changed, 86 insertions, 3 deletions
diff --git a/cpp/include/IceSSL/RSACertificateGen.h b/cpp/include/IceSSL/RSACertificateGen.h
index 18f5f738ef4..e073c2b7904 100644
--- a/cpp/include/IceSSL/RSACertificateGen.h
+++ b/cpp/include/IceSSL/RSACertificateGen.h
@@ -63,6 +63,7 @@ public:
 void setBitStrength(int);
 void setSecondsValid(long);
+ void setIssuedAdjustment(long);
 // Distinguished Name (getters) methods.
 unsigned char* getCountry() const;
@@ -74,6 +75,7 @@ public:
 int getModulusLength() const;
 long getSecondsValid() const;
+ long getIssuedAdjustment() const;
 private:
@@ -85,6 +87,7 @@ private:
 std::string _commonName;
 int _modulusLength;
 long _secondsValid;
+ long _issuedAdjustment;
 };
 class ICE_SSL_API RSACertificateGen
diff --git a/cpp/src/Glacier/StarterI.cpp b/cpp/src/Glacier/StarterI.cpp
index 0dfdfee5229..cec7d940c45 100644
--- a/cpp/src/Glacier/StarterI.cpp
+++ b/cpp/src/Glacier/StarterI.cpp
@@ -46,6 +46,7 @@ Glacier::StarterI::StarterI(const CommunicatorPtr& communicator, const PasswordV
 "Glacier.Starter.Certificate.BitStrength", 1024);
 Int secondsValid = _properties->getPropertyAsIntWithDefault(
 "Glacier.Starter.Certificate.SecondsValid", IceSSL::OpenSSL::RSACertificateGenContext::daysToSeconds(1));
+ Int issuedAdjust = _properties->getPropertyAsIntWithDefault("Glacier.Starter.Certificate.IssuedAdjust", 0);
 _certContext.setCountry(country);
 _certContext.setStateProvince(stateProv);
@@ -55,6 +56,7 @@ Glacier::StarterI::StarterI(const CommunicatorPtr& communicator, const PasswordV
 _certContext.setCommonName(commonName);
 _certContext.setBitStrength(bitStrength);
 _certContext.setSecondsValid(secondsValid);
+ _certContext.setSecondsValid(issuedAdjust);
 }
 void
diff --git a/cpp/src/IceSSL/OpenSSLUtils.cpp b/cpp/src/IceSSL/OpenSSLUtils.cpp
index e5dd3646f47..2a230096eaf 100644
--- a/cpp/src/IceSSL/OpenSSLUtils.cpp
+++ b/cpp/src/IceSSL/OpenSSLUtils.cpp
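Review bot: The second StarterI.cpp hunk passes the new property to the wrong setter: `_certContext.setSecondsValid(issuedAdjust);` overwrites the validity period stored on the line just above with the adjustment value (0 by default), and the adjustment itself never reaches the context; since generate() derives notAfter from getSecondsValid(), the certificate would be issued with a zero-length validity window. The call should be `_certContext.setIssuedAdjustment(issuedAdjust);`, the setter the RSACertificateGen.h hunks on this line add. Because the value is applied through X509_gmtime_adj, a positive IssuedAdjust moves notBefore into the future, so the clock-skew grace period described in the commit message needs a negative value; that deserves a comment at the property read, e.g. `// Seconds added to notBefore; a negative value backdates issuance to tolerate client clock skew.` The StarterI constructor starts outside the hunk.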
@@ -409,6 +409,69 @@ IceSSL::OpenSSL::sslGetErrors()
 return errorMessage;
 }
+string
+IceSSL::OpenSSL::getVerificationError(int errorCode)
+{
+ static char* errorStrings[] =
+ {
+ "Unable to get issuer's certificate.",
+ "Unable to get certificate revocation list.",
+ "Unable to decrypt certificate signature.",
+ "Unable to decrypt certificate revocation list signature.",
+ "Unable to decode issuer's public key.",
+ "Certificate signature failure.",
+ "Certificate revocation list signature failure.",
+ "Certificate not yet valid.",
+ "Certificate has expired.",
+ "Certificate revocation list not yet valid.",
+ "Certificate revocation list has expired.",
+ "Error in certificate's \"not before\" field",
+ "Error in certificate's \"not after\" field",
+ "Error in the certificate revocation list's \"last update\" field",
+ "Error in the certificate revocation list's \"next update\" field",
+ "Out of memory failure.",
+ "Encountered a zero-depth self-signed certificate.",
+ "Encountered self-signed certificate in the certificate chain.",
+ "Unable to get issuer certificate locally.",
+ "Unable to verify leaf signature.",
+ "Certificate chain too long.",
+ "Certificate has been revoked.",
+ "Invalid certificate authority.",
+ "Certificate Authority path length exceeded.",
+ "Invalid certificate purpose.",
+ "Certificate is untrusted.",
+ "Certificate is rejected.",
+ "Subject and Issuer do not match.",
+ "AKID/SKID mismatch.",
+ "AKID and Issuer Serial mismatch.",
+ "Key usage precludes certifiicate signing.",
+ "Application verification."
+ };
+
+ string errString;
+
+ if(errorCode > X509_V_ERR_KEYUSAGE_NO_CERTSIGN)
+ {
+ if(errorCode == X509_V_ERR_APPLICATION_VERIFICATION)
+ {
+ errString = "Application Verification error.";
+ }
+ else
+ {
+ ostringstream errStream;
+ errStream << "Unknown error code: " << dec << errorCode << ".";
+ errString = errStream.str();
+ }
+ }
+ else
+ {
+ errorCode -= 2;
+ errString = errorStrings[errorCode];
+ }
+
+ return errString;
+}
+
 extern "C"
 {
diff --git a/cpp/src/IceSSL/OpenSSLUtils.h b/cpp/src/IceSSL/OpenSSLUtils.h
index 32d34354e69..87c6bd2a5cb 100644
--- a/cpp/src/IceSSL/OpenSSLUtils.h
+++ b/cpp/src/IceSSL/OpenSSLUtils.h
@@ -34,6 +34,8 @@ DH* getTempDH4096();
 std::string sslGetErrors();
+std::string getVerificationError(int);
+
 }
 }
diff --git a/cpp/src/IceSSL/RSACertificateGen.cpp b/cpp/src/IceSSL/RSACertificateGen.cpp
index 5a596b71e97..a0a21d33cad 100644
--- a/cpp/src/IceSSL/RSACertificateGen.cpp
+++ b/cpp/src/IceSSL/RSACertificateGen.cpp
@@ -56,7 +56,8 @@ IceSSL::OpenSSL::RSACertificateGenContext::yearsToSeconds(long years)
 IceSSL::OpenSSL::RSACertificateGenContext::RSACertificateGenContext() :
 _modulusLength(0),
- _secondsValid(0)
+ _secondsValid(0),
+ _issuedAdjustment(0)
 {
 }
@@ -112,6 +113,12 @@ IceSSL::OpenSSL::RSACertificateGenContext::setSecondsValid(long secondsValid)
 _secondsValid = secondsValid;
 }
+void
+IceSSL::OpenSSL::RSACertificateGenContext::setIssuedAdjustment(long issuedAdjustment)
+{
+ _issuedAdjustment = issuedAdjustment;
+}
+
 unsigned char*
 IceSSL::OpenSSL::RSACertificateGenContext::getCountry() const
 {
@@ -184,6 +191,12 @@ IceSSL::OpenSSL::RSACertificateGenContext::getSecondsValid() const
 return _secondsValid;
 }
+long
+IceSSL::OpenSSL::RSACertificateGenContext::getIssuedAdjustment() const
+{
+ return _issuedAdjustment;
+}
+
 IceSSL::OpenSSL::RSACertificateGen::RSACertificateGen()
 {
 ERR_load_crypto_strings();
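Review bot: getVerificationError only bounds errorCode from above; the else branch does `errorCode -= 2; errString = errorStrings[errorCode];`, so any code below X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT (value 2) — X509_V_OK, or an unexpected value coming back from the verifier — indexes before the start of the table and reads whatever memory precedes it. The table also silently relies on the X509_V_ERR_* values being consecutive from 2 through X509_V_ERR_KEYUSAGE_NO_CERTSIGN, which should be stated in a comment, and its final entry ("Application verification.") corresponds to code 33, which the upper-bound guard makes unreachable, while the real X509_V_ERR_APPLICATION_VERIFICATION is handled separately; the entry "Key usage precludes certifiicate signing." also carries a typo. Since the entries are string literals, `static char* errorStrings[]` should be `static const char* const errorStrings[]`. The dispatch rewritten so both bounds are checked and the offset is named after the constant rather than the magic 2:
```cpp
    static const char* const errorStrings[] =
    {
        // … unchanged: one message per X509_V_ERR_* code, in numeric order, from
        // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT through X509_V_ERR_KEYUSAGE_NO_CERTSIGN …
    };

    string errString;

    if(errorCode == X509_V_ERR_APPLICATION_VERIFICATION)
    {
        errString = "Application Verification error.";
    }
    else if(errorCode >= X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT && errorCode <= X509_V_ERR_KEYUSAGE_NO_CERTSIGN)
    {
        // Index 0 of the table is the lowest tabulated verification code.
        errString = errorStrings[errorCode - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT];
    }
    else
    {
        // Covers X509_V_OK and any code this table does not know about.
        ostringstream errStream;
        errStream << "Unknown error code: " << dec << errorCode << ".";
        errString = errStream.str();
    }

    return errString;
```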
@@ -233,7 +246,7 @@ IceSSL::OpenSSL::RSACertificateGen::generate(const RSACertificateGenContext& con
 struct X509_name_st* subjectName = X509_REQ_get_subject_name(signingRequest);
 // Set valid time period.
- X509_gmtime_adj(X509_get_notBefore(x509SelfSigned), 0);
+ X509_gmtime_adj(X509_get_notBefore(x509SelfSigned), context.getIssuedAdjustment());
 X509_gmtime_adj(X509_get_notAfter(x509SelfSigned), context.getSecondsValid());
 // Set up subject/issuer Distinguished Name (DN).
diff --git a/cpp/src/IceSSL/SslConnectionOpenSSLClient.cpp b/cpp/src/IceSSL/SslConnectionOpenSSLClient.cpp
index 69c4161c08c..c2d82b52ff3 100644
--- a/cpp/src/IceSSL/SslConnectionOpenSSLClient.cpp
+++ b/cpp/src/IceSSL/SslConnectionOpenSSLClient.cpp
@@ -169,7 +169,7 @@ IceSSL::OpenSSL::ClientConnection::handshake(int timeout)
 {
 CertificateVerificationException certVerEx(__FILE__, __LINE__);
- certVerEx._message = "ssl certificate verification error";
+ certVerEx._message = getVerificationError(verifyError);
 string errors = sslGetErrors();
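Review bot: The new notBefore line needs a comment on the sign convention, because X509_gmtime_adj adds the adjustment to the current time: a positive IssuedAdjust yields a certificate that is not yet valid when it is handed out, and the clock-skew grace period the commit message describes requires a negative value, e.g. `// notBefore = now + issuedAdjustment; pass a negative adjustment to tolerate clients whose clocks run behind.` Nothing relates the adjustment to getSecondsValid() either, so a large positive adjustment produces a certificate whose notBefore lies after its notAfter; a check in generate() (or in setIssuedAdjustment) that rejects an adjustment greater than or equal to the validity period would turn that into a configuration error instead of an unusable certificate. generate() starts and ends outside the hunk.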