diff options
| author | Benoit Foucher <benoit@zeroc.com> | 2015-04-28 22:32:02 +0200 |
|---|---|---|
| committer | Benoit Foucher <benoit@zeroc.com> | 2015-04-28 22:32:02 +0200 |
| commit | 8fe52c0cd380c685040d95be59abba478b8fe6a9 (patch) | |
| tree | 18e0c1ded5f2c150607385f5ca1b0448debb4f60 /cpp | |
| parent | ICE-5865 Added license info to pom files (diff) | |
| download | ice-8fe52c0cd380c685040d95be59abba478b8fe6a9.tar.bz2 ice-8fe52c0cd380c685040d95be59abba478b8fe6a9.tar.xz ice-8fe52c0cd380c685040d95be59abba478b8fe6a9.zip | |
Fixed ICE-6464 and deprecated various IceSSL properties
Diffstat (limited to 'cpp')
| -rw-r--r-- | cpp/src/Ice/PropertyNames.cpp | 13 | ||||
| -rw-r--r-- | cpp/src/Ice/PropertyNames.h | 2 | ||||
| -rw-r--r-- | cpp/src/IceSSL/SChannelEngine.cpp | 142 | ||||
| -rw-r--r-- | cpp/src/IceSSL/SSLEngine.h | 3 | ||||
| -rw-r--r-- | cpp/src/IceSSL/Util.cpp | 62 | ||||
| -rw-r--r-- | cpp/test/IceSSL/configuration/AllTests.cpp | 11 |
6 files changed, 95 insertions, 138 deletions
diff --git a/cpp/src/Ice/PropertyNames.cpp b/cpp/src/Ice/PropertyNames.cpp index 11b035d47df..85a3a74b44f 100644 --- a/cpp/src/Ice/PropertyNames.cpp +++ b/cpp/src/Ice/PropertyNames.cpp @@ -6,7 +6,7 @@ // ICE_LICENSE file included in this distribution. // // ********************************************************************** -// Generated by makeprops.py from file ./config/PropertyNames.xml, Tue Apr 28 17:34:50 2015 +// Generated by makeprops.py from file ./config/PropertyNames.xml, Tue Apr 28 22:03:41 2015 // IMPORTANT: Do not edit this file -- any edits made here will be lost! @@ -999,9 +999,10 @@ const IceInternal::Property IceSSLPropsData[] = { IceInternal::Property("IceSSL.Alias", false, 0), IceInternal::Property("IceSSL.CAs", false, 0), - IceInternal::Property("IceSSL.CertAuthDir", true, 0), - IceInternal::Property("IceSSL.CertAuthFile", true, 0), + IceInternal::Property("IceSSL.CertAuthDir", true, "IceSSL.CAs"), + IceInternal::Property("IceSSL.CertAuthFile", true, "IceSSL.CAs"), IceInternal::Property("IceSSL.CertStore", false, 0), + IceInternal::Property("IceSSL.CertStoreLocation", false, 0), IceInternal::Property("IceSSL.CertFile", false, 0), IceInternal::Property("IceSSL.CertVerifier", false, 0), IceInternal::Property("IceSSL.CheckCertName", false, 0), @@ -1012,11 +1013,11 @@ const IceInternal::Property IceSSLPropsData[] = IceInternal::Property("IceSSL.DHParams", false, 0), IceInternal::Property("IceSSL.EntropyDaemon", false, 0), IceInternal::Property("IceSSL.FindCert", false, 0), - IceInternal::Property("IceSSL.FindCert.*", true, 0), + IceInternal::Property("IceSSL.FindCert.*", true, "IceSSL.FindCert"), IceInternal::Property("IceSSL.ImportCert.*", true, 0), IceInternal::Property("IceSSL.InitOpenSSL", false, 0), IceInternal::Property("IceSSL.KeyFile", true, 0), - IceInternal::Property("IceSSL.KeySet", false, 0), + IceInternal::Property("IceSSL.KeySet", true, "IceSSL.CertStoreLocation"), IceInternal::Property("IceSSL.Keychain", false, 0), IceInternal::Property("IceSSL.KeychainPassword", false, 0), IceInternal::Property("IceSSL.Keystore", false, 0), @@ -1025,7 +1026,7 @@ const IceInternal::Property IceSSLPropsData[] = IceInternal::Property("IceSSL.Password", false, 0), IceInternal::Property("IceSSL.PasswordCallback", false, 0), IceInternal::Property("IceSSL.PasswordRetryMax", false, 0), - IceInternal::Property("IceSSL.PersistKeySet", false, 0), + IceInternal::Property("IceSSL.PersistKeySet", true, 0), IceInternal::Property("IceSSL.Protocols", false, 0), IceInternal::Property("IceSSL.ProtocolVersionMax", false, 0), IceInternal::Property("IceSSL.ProtocolVersionMin", false, 0), diff --git a/cpp/src/Ice/PropertyNames.h b/cpp/src/Ice/PropertyNames.h index cf92a38d43f..263f20d1008 100644 --- a/cpp/src/Ice/PropertyNames.h +++ b/cpp/src/Ice/PropertyNames.h @@ -6,7 +6,7 @@ // ICE_LICENSE file included in this distribution. // // ********************************************************************** -// Generated by makeprops.py from file ./config/PropertyNames.xml, Tue Apr 28 17:34:50 2015 +// Generated by makeprops.py from file ./config/PropertyNames.xml, Tue Apr 28 22:03:41 2015 // IMPORTANT: Do not edit this file -- any edits made here will be lost! diff --git a/cpp/src/IceSSL/SChannelEngine.cpp b/cpp/src/IceSSL/SChannelEngine.cpp index ddc47619373..89774a7b8f1 100644 --- a/cpp/src/IceSSL/SChannelEngine.cpp +++ b/cpp/src/IceSSL/SChannelEngine.cpp @@ -255,11 +255,12 @@ SChannelEngine::initialize() getLogger()->trace(securityTraceCategory(), os.str()); } - string certStore = properties->getPropertyWithDefault(prefix + "CertStore", "CurrentUser"); - if(certStore != "CurrentUser" && certStore != "LocalMachine") + string certStoreLocation = properties->getPropertyWithDefault(prefix + "CertStoreLocation", "CurrentUser"); + if(certStoreLocation != "CurrentUser" && certStoreLocation != "LocalMachine") { - getLogger()->warning("Invalid IceSSL.CertStore value `" + certStore + "' adjusted to `CurrentUser'"); - certStore = "CurrentUser"; + getLogger()->warning("invalid IceSSL.CertStoreLocation value `" + certStoreLocation + + "' adjusted to `CurrentUser'"); + certStoreLocation = "CurrentUser"; } // @@ -276,7 +277,8 @@ SChannelEngine::initialize() if(!_rootStore) { throw PluginInitializationException(__FILE__, __LINE__, - "IceSSL: error creating in memory certificate store:\n" + lastErrorToString()); + "IceSSL: error creating in memory certificate store:\n" + + lastErrorToString()); } } if(!caFile.empty()) @@ -310,7 +312,7 @@ SChannelEngine::initialize() // Build the chain using the LocalMachine registry location as opposed // to the CurrentUser location. // - if(certStore == "LocalMachine") + if(certStoreLocation == "LocalMachine") { config.dwFlags = CERT_CHAIN_USE_LOCAL_MACHINE_STORE; } @@ -322,28 +324,18 @@ SChannelEngine::initialize() #endif { throw PluginInitializationException(__FILE__, __LINE__, - "IceSSL: error creating certificate chain engine:\n" + lastErrorToString()); + "IceSSL: error creating certificate chain engine:\n" + + lastErrorToString()); } } else { - _chainEngine = (certStore == "LocalMachine") ? HCCE_LOCAL_MACHINE : HCCE_CURRENT_USER; + _chainEngine = (certStoreLocation == "LocalMachine") ? HCCE_LOCAL_MACHINE : HCCE_CURRENT_USER; } - // - // Import the application certificate and private keys. - // - string keySet = properties->getPropertyWithDefault(prefix + "KeySet", "DefaultKeySet"); - if(keySet != "DefaultKeySet" && keySet != "UserKeySet" && keySet != "MachineKeySet") - { - getLogger()->warning("Invalid IceSSL.KeySet value `" + keySet + "' adjusted to `DefaultKeySet'"); - keySet = "DefaultKeySet"; - } - - DWORD importFlags = (keySet == "MachineKeySet") ? CRYPT_MACHINE_KEYSET : CRYPT_USER_KEYSET; - string certFile = properties->getProperty(prefix + "CertFile"); - string keyFile = properties->getPropertyWithDefault(prefix + "KeyFile", certFile); + string keyFile = properties->getProperty(prefix + "KeyFile"); + string findCert = properties->getProperty("IceSSL.FindCert"); if(!certFile.empty()) { @@ -355,16 +347,19 @@ SChannelEngine::initialize() } vector<string> keyFiles; - if(!splitString(keyFile, IceUtilInternal::pathsep, keyFiles) || keyFiles.size() > 2) + if(!keyFile.empty()) { - throw PluginInitializationException(__FILE__, __LINE__, - "IceSSL: invalid value for " + prefix + "KeyFile:\n" + keyFile); - } + if(!splitString(keyFile, IceUtilInternal::pathsep, keyFiles) || keyFiles.size() > 2) + { + throw PluginInitializationException(__FILE__, __LINE__, + "IceSSL: invalid value for " + prefix + "KeyFile:\n" + keyFile); + } - if(certFiles.size() != keyFiles.size()) - { - throw PluginInitializationException(__FILE__, __LINE__, - "IceSSL: " + prefix + "KeyFile does not agree with " + prefix + "CertFile"); + if(certFiles.size() != keyFiles.size()) + { + throw PluginInitializationException(__FILE__, __LINE__, + "IceSSL: " + prefix + "KeyFile does not agree with " + prefix + "CertFile"); + } } for(size_t i = 0; i < certFiles.size(); ++i) @@ -392,6 +387,7 @@ SChannelEngine::initialize() PCCERT_CONTEXT cert = 0; int err = 0; int count = 0; + DWORD importFlags = (certStoreLocation == "LocalMachine") ? CRYPT_MACHINE_KEYSET : CRYPT_USER_KEYSET; do { string s = password(false); @@ -433,20 +429,17 @@ SChannelEngine::initialize() { cert = CertFindCertificateInStore(store, X509_ASN_ENCODING, 0, CERT_FIND_ANY, 0, cert); } - if(!cert) { throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: certificate error:\n" + lastErrorToString()); } - - _certs.push_back(cert); + _allCerts.push_back(cert); _stores.push_back(store); continue; } assert(err); - if(err != CRYPT_E_BAD_ENCODE) { throw PluginInitializationException(__FILE__, __LINE__, @@ -456,6 +449,11 @@ SChannelEngine::initialize() // // Try to load certificate & key as PEM files. // + if(keyFiles.empty()) + { + throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: no key file specified"); + } + err = 0; keyFile = keyFiles[i]; if(!checkPath(keyFile, defaultDir, false)) @@ -486,7 +484,6 @@ SChannelEngine::initialize() PCRYPT_PRIVATE_KEY_INFO keyInfo = 0; BYTE* key = 0; HCRYPTKEY hKey = 0; - try { // @@ -538,8 +535,11 @@ SChannelEngine::initialize() const wstring keySetName = stringToWstring(generateUUID()); HCRYPTPROV cryptProv = 0; - DWORD contextFlags = (keySet == "MachineKeySet") ? CRYPT_MACHINE_KEYSET | CRYPT_NEWKEYSET : - CRYPT_NEWKEYSET; + DWORD contextFlags = CRYPT_NEWKEYSET; + if(certStoreLocation == "LocalMachine") + { + contextFlags |= CRYPT_MACHINE_KEYSET; + } ; if(!CryptAcquireContextW(&cryptProv, keySetName.c_str(), MS_ENHANCED_PROV_W, PROV_RSA_FULL, contextFlags)) @@ -583,14 +583,14 @@ SChannelEngine::initialize() keyProvInfo.pwszProvName = const_cast<wchar_t*>(MS_DEF_PROV_W); keyProvInfo.dwProvType = PROV_RSA_FULL; keyProvInfo.dwKeySpec = AT_KEYEXCHANGE; - if(!CertSetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, 0, &keyProvInfo)) { throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: error seting certificate " "property:\n" + lastErrorToString()); } - _certs.push_back(cert); + _importedCerts.push_back(cert); + _allCerts.push_back(cert); _stores.push_back(store); } catch(...) @@ -622,31 +622,16 @@ SChannelEngine::initialize() throw; } } - - _allCerts.insert(_allCerts.end(), _certs.begin(), _certs.end()); } - - const string findPrefix = prefix + "FindCert."; - map<string, string> certProps = properties->getPropertiesForPrefix(findPrefix); - if(!certProps.empty()) + else if(!findCert.empty()) { - for(map<string, string>::const_iterator i = certProps.begin(); i != certProps.end(); ++i) - { - const string name = i->first; - const string val = i->second; - - if(!val.empty()) - { - string storeSpec = name.substr(findPrefix.size()); - vector<PCCERT_CONTEXT> certs = findCertificates(name, storeSpec, val, _stores); - _allCerts.insert(_allCerts.end(), certs.begin(), certs.end()); - } - } - - if(_allCerts.empty()) + string certStore = properties->getPropertyWithDefault(prefix + "CertStore", "My"); + vector<PCCERT_CONTEXT> certs = findCertificates(certStoreLocation, certStore, findCert, _stores); + if(certs.empty()) { throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: no certificates found"); } + _allCerts.insert(_allCerts.end(), certs.begin(), certs.end()); } _initialized = true; } @@ -789,33 +774,30 @@ SChannelEngine::destroy() CertCloseStore(_rootStore, 0); } - for(vector<PCCERT_CONTEXT>::const_iterator i = _allCerts.begin(); i != _allCerts.end(); ++i) + for(vector<PCCERT_CONTEXT>::const_iterator i = _importedCerts.begin(); i != _importedCerts.end(); ++i) { - PCCERT_CONTEXT cert = *i; - // - // Only remove the keysets we create. + // Retrieve the certificate CERT_KEY_PROV_INFO_PROP_ID property, we use the CRYPT_KEY_PROV_INFO + // data to remove the key set associated with the certificate. // - if(find(_certs.begin(), _certs.end(), cert) != _certs.end()) + DWORD length = 0; + if(!CertGetCertificateContextProperty(*i, CERT_KEY_PROV_INFO_PROP_ID, 0, &length)) { - // - // Retrieve the certificate CERT_KEY_PROV_INFO_PROP_ID property, we use the CRYPT_KEY_PROV_INFO - // data to then remove the key set associated with the certificate. - // - DWORD length = 0; - if(CertGetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, 0, &length)) - { - vector<char> buf(length); - if(CertGetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, &buf[0], &length)) - { - CRYPT_KEY_PROV_INFO* keyProvInfo = reinterpret_cast<CRYPT_KEY_PROV_INFO*>(&buf[0]); - HCRYPTPROV cryptProv = 0; - CryptAcquireContextW(&cryptProv, keyProvInfo->pwszContainerName, keyProvInfo->pwszProvName, - keyProvInfo->dwProvType, CRYPT_DELETEKEYSET); - } - CertFreeCertificateContext(cert); - } + continue; } + vector<char> buf(length); + if(!CertGetCertificateContextProperty(*i, CERT_KEY_PROV_INFO_PROP_ID, &buf[0], &length)) + { + continue; + } + CRYPT_KEY_PROV_INFO* key = reinterpret_cast<CRYPT_KEY_PROV_INFO*>(&buf[0]); + HCRYPTPROV prov = 0; + CryptAcquireContextW(&prov, key->pwszContainerName, key->pwszProvName, key->dwProvType, CRYPT_DELETEKEYSET); + } + + for(vector<PCCERT_CONTEXT>::const_iterator i = _allCerts.begin(); i != _allCerts.end(); ++i) + { + CertFreeCertificateContext(*i); } for(vector<HCERTSTORE>::const_iterator i = _stores.begin(); i != _stores.end(); ++i) diff --git a/cpp/src/IceSSL/SSLEngine.h b/cpp/src/IceSSL/SSLEngine.h index f2c36566f9a..09f060cbabb 100644 --- a/cpp/src/IceSSL/SSLEngine.h +++ b/cpp/src/IceSSL/SSLEngine.h @@ -208,12 +208,11 @@ private: bool _initialized; std::vector<PCCERT_CONTEXT> _allCerts; - std::vector<PCCERT_CONTEXT> _certs; + std::vector<PCCERT_CONTEXT> _importedCerts; DWORD _protocols; IceUtil::Mutex _mutex; std::vector<HCERTSTORE> _stores; - HCERTSTORE _rootStore; HCERTCHAINENGINE _chainEngine; diff --git a/cpp/src/IceSSL/Util.cpp b/cpp/src/IceSSL/Util.cpp index 2e3287c1c35..a95ef6ff8d5 100644 --- a/cpp/src/IceSSL/Util.cpp +++ b/cpp/src/IceSSL/Util.cpp @@ -940,40 +940,6 @@ IceSSL::findCertificate(SecKeychainRef keychain, const string& value) namespace { -// -// Parse a string of the form "location.name" into two parts. -// -void -parseStore(const string& prop, const string& store, DWORD& loc, string& sname) -{ - size_t pos = store.find('.'); - if(pos == string::npos) - { - throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: property `" + prop + "' has invalid format"); - } - - const string sloc = IceUtilInternal::toUpper(store.substr(0, pos)); - if(sloc == "CURRENTUSER") - { - loc = CERT_SYSTEM_STORE_CURRENT_USER; - } - else if(sloc == "LOCALMACHINE") - { - loc = CERT_SYSTEM_STORE_LOCAL_MACHINE; - } - else - { - throw PluginInitializationException(__FILE__, __LINE__, - "IceSSL: unknown store location `" + sloc + "' in " + prop); - } - - sname = store.substr(pos + 1); - if(sname.empty()) - { - throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: invalid store name in " + prop); - } -} - void addMatchingCertificates(HCERTSTORE source, HCERTSTORE target, DWORD findType, const void* findParam) { @@ -996,17 +962,23 @@ addMatchingCertificates(HCERTSTORE source, HCERTSTORE target, DWORD findType, co } vector<PCCERT_CONTEXT> -IceSSL::findCertificates(const string& prop, const string& storeSpec, const string& value, vector<HCERTSTORE>& stores) +IceSSL::findCertificates(const string& location, const string& name, const string& value, vector<HCERTSTORE>& stores) { - DWORD storeLoc = 0; - string storeName; - parseStore(prop, storeSpec, storeLoc, storeName); + DWORD storeLoc; + if(location == "CurrentUser") + { + storeLoc = CERT_SYSTEM_STORE_CURRENT_USER; + } + else + { + storeLoc = CERT_SYSTEM_STORE_LOCAL_MACHINE; + } - HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, storeLoc, stringToWstring(storeName).c_str()); + HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, storeLoc, stringToWstring(name).c_str()); if(!store) { - throw PluginInitializationException(__FILE__, __LINE__, - "IceSSL: failure while opening store specified by " + prop + ":\n" + IceUtilInternal::lastErrorToString()); + throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: failed to open certificate store `" + name + + "':\n" + IceUtilInternal::lastErrorToString()); } // @@ -1123,7 +1095,7 @@ IceSSL::findCertificates(const string& prop, const string& storeSpec, const stri { throw PluginInitializationException( __FILE__, __LINE__, - "IceSSL: invalid value `" + value + "' for property `" + prop + "'\n" + + "IceSSL: invalid value `" + value + "' for `IceSSL.FindCert' property:\n" + IceUtilInternal::lastErrorToString()); } @@ -1132,7 +1104,7 @@ IceSSL::findCertificates(const string& prop, const string& storeSpec, const stri { throw PluginInitializationException( __FILE__, __LINE__, - "IceSSL: invalid value `" + value + "' for property `" + prop + "'\n" + + "IceSSL: invalid value `" + value + "' for `IceSSL.FindCert' property:\n" + IceUtilInternal::lastErrorToString()); } @@ -1148,7 +1120,7 @@ IceSSL::findCertificates(const string& prop, const string& storeSpec, const stri if(!parseBytes(arg, buffer)) { throw PluginInitializationException(__FILE__, __LINE__, - "IceSSL: invalid value `" + value + "' for property `" + prop + "'"); + "IceSSL: invalid `IceSSL.FindCert' property: can't decode the value"); } CRYPT_HASH_BLOB hash = { static_cast<DWORD>(buffer.size()), &buffer[0] }; @@ -1161,7 +1133,7 @@ IceSSL::findCertificates(const string& prop, const string& storeSpec, const stri if(!parseBytes(arg, buffer)) { throw PluginInitializationException(__FILE__, __LINE__, - "IceSSL: invalid value `" + value + "' for property `" + prop + "'"); + "IceSSL: invalid value `" + value + "' for `IceSSL.FindCert' property"); } CRYPT_INTEGER_BLOB serial = { static_cast<DWORD>(buffer.size()), &buffer[0] }; diff --git a/cpp/test/IceSSL/configuration/AllTests.cpp b/cpp/test/IceSSL/configuration/AllTests.cpp index 4a51b3416f1..256d4d33812 100644 --- a/cpp/test/IceSSL/configuration/AllTests.cpp +++ b/cpp/test/IceSSL/configuration/AllTests.cpp @@ -2972,7 +2972,9 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b InitializationData initData; initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12); initData.properties->setProperty("IceSSL.CAs", "cacert1.pem"); - initData.properties->setProperty("IceSSL.FindCert.CurrentUser.My", clientFindCertProperties[i]); + initData.properties->setProperty("IceSSL.CertStore", "My"); + initData.properties->setProperty("IceSSL.CertStoreLocation", "CurrentUser"); + initData.properties->setProperty("IceSSL.FindCert", clientFindCertProperties[i]); // // Use TrustOnly to ensure the peer has pick the expected certificate. // @@ -2984,7 +2986,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b test(fact); Test::Properties d = createServerProps(defaultProps, defaultDir, defaultHost, p12, "s_rsa_ca1", "cacert1"); d["IceSSL.CAs"] = "cacert1.pem"; - d["IceSSL.FindCert.CurrentUser.My"] = serverFindCertProperties[i]; + d["IceSSL.FindCert"] = serverFindCertProperties[i]; // // Use TrustOnly to ensure the peer has pick the expected certificate. // @@ -3013,10 +3015,11 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b InitializationData initData; initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12); initData.properties->setProperty("IceSSL.CAs", "cacert1.pem"); - initData.properties->setProperty("IceSSL.FindCert.CurrentUser.My", failFindCertProperties[i]); + initData.properties->setProperty("IceSSL.FindCert", failFindCertProperties[i]); try { CommunicatorPtr comm = initialize(initData); + cerr << failFindCertProperties[i] << endl; import.cleanup(); test(false); } @@ -3042,7 +3045,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b InitializationData initData; initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12); initData.properties->setProperty("IceSSL.CAs", "cacert1.pem"); - initData.properties->setProperty("IceSSL.FindCert.CurrentUser.My", clientFindCertProperties[i]); + initData.properties->setProperty("IceSSL.FindCert", clientFindCertProperties[i]); try { CommunicatorPtr comm = initialize(initData); |