diff options
| author | Benoit Foucher <benoit@zeroc.com> | 2015-04-28 19:27:04 +0200 |
|---|---|---|
| committer | Benoit Foucher <benoit@zeroc.com> | 2015-04-28 19:27:04 +0200 |
| commit | e6e102cc642e78cf9da55645c82f5bfe6eacb76d (patch) | |
| tree | ab5861ee9ad2a909fa0dc8f25b1b12e0dd1d6527 /cpp | |
| parent | Fixed ICE-6443 and other SSL fixes (diff) | |
| download | ice-e6e102cc642e78cf9da55645c82f5bfe6eacb76d.tar.bz2 ice-e6e102cc642e78cf9da55645c82f5bfe6eacb76d.tar.xz ice-e6e102cc642e78cf9da55645c82f5bfe6eacb76d.zip | |
Fixed previous commit which was incomplete
Diffstat (limited to 'cpp')
34 files changed, 668 insertions, 481 deletions
diff --git a/cpp/include/IceSSL/Plugin.h b/cpp/include/IceSSL/Plugin.h index 5a7e7ea86cc..367fd73c5dd 100644 --- a/cpp/include/IceSSL/Plugin.h +++ b/cpp/include/IceSSL/Plugin.h @@ -55,14 +55,14 @@ #ifdef ICE_USE_OPENSSL // -// Pointer to an opaque SSL session context object. ssl_ctx_st is the +// Pointer to an opaque SSL session context object. ssl_ctx_st is the // OpenSSL type that holds configuration settings for all SSL // connections. // typedef struct ssl_ctx_st SSL_CTX; // -// Pointer to an opaque certificate object. X509_st is the OpenSSL +// Pointer to an opaque certificate object. X509_st is the OpenSSL // type that represents a certificate. // typedef struct x509_st* X509CertificateRef; @@ -185,7 +185,7 @@ class ICE_SSL_API PublicKey : public IceUtil::Shared public: ~PublicKey(); - + // // Retrieve the native public key value wrapped by this object. // @@ -202,7 +202,7 @@ private: CertificatePtr _cert; KeyRef _key; - + }; typedef IceUtil::Handle<PublicKey> PublicKeyPtr; @@ -282,7 +282,7 @@ class ICE_SSL_API Certificate : public IceUtil::Shared public: // - // Construct a certificate using a native certificate. + // Construct a certificate using a native certificate. // // The Certificate class assumes ownership of the given native // certificate. @@ -321,7 +321,7 @@ public: // public key. Returns true if signed, false otherwise. // bool verify(const CertificatePtr&) const; - + #ifdef ICE_USE_OPENSSL // // Verify that this certificate was signed by the given public @@ -331,10 +331,10 @@ public: // engines that require a certificate and not just a public key to // verify the certificate signature. // - ICE_DEPRECATED_API("verify(const PublicKeyPtr&) is deprecated, use verify(const CertificatePtr&) instead") + ICE_DEPRECATED_API("verify(const PublicKeyPtr&) is deprecated, use verify(const CertificatePtr&) instead") bool verify(const PublicKeyPtr&) const; #endif - + // // Return a string encoding of the certificate in PEM format. // Raises CertificateEncodingException if an error occurs. @@ -433,7 +433,7 @@ public: // // Retrieve the native X509 certificate value wrapped by this - // object. + // object. // // The returned reference is only valid for the lifetime of this // object. With SecureTransport you can increment the reference @@ -470,6 +470,23 @@ public: typedef IceUtil::Handle<NativeConnectionInfo> NativeConnectionInfoPtr; // +// WSSNativeConnectionInfo is an extension of IceSSL::WSSConnectionInfo +// that provides access to native certificates. +// +class ICE_SSL_API WSSNativeConnectionInfo : public WSSConnectionInfo +{ +public: + + // + // The certificate chain. This may be empty if the peer did not + // supply a certificate. The peer's certificate (if any) is the + // first one in the chain. + // + std::vector<CertificatePtr> nativeCerts; +}; +typedef IceUtil::Handle<WSSNativeConnectionInfo> WSSNativeConnectionInfoPtr; + +// // An application can customize the certificate verification process // by implementing the CertificateVerifier interface. // @@ -528,7 +545,7 @@ public: // the plug-in is initialized. // virtual void setPasswordPrompt(const PasswordPromptPtr&) = 0; - + #ifdef ICE_USE_OPENSSL // // Establish the OpenSSL context. This must be done before the @@ -539,7 +556,7 @@ public: // When the application supplies its own OpenSSL context, the // plug-in ignores configuration properties related to certificates, // keys, and passwords. - // + // // Note that the plugin assumes ownership of the given context. // virtual void setContext(SSL_CTX*) = 0; @@ -548,7 +565,7 @@ public: // Obtain the SSL context. Use caution when modifying this value. // Changes made to this value have no effect on existing connections. // - virtual SSL_CTX* getContext() = 0; + virtual SSL_CTX* getContext() = 0; #endif }; typedef IceUtil::Handle<Plugin> PluginPtr; diff --git a/cpp/src/Ice/EndpointI.h b/cpp/src/Ice/EndpointI.h index 8c9eb5fa055..df41372bd82 100644 --- a/cpp/src/Ice/EndpointI.h +++ b/cpp/src/Ice/EndpointI.h @@ -160,6 +160,38 @@ inline bool operator<(const EndpointI& l, const EndpointI& r) return static_cast<const ::Ice::LocalObject&>(l) < static_cast<const ::Ice::LocalObject&>(r); } +template<typename T> class InfoI : public T +{ +public: + + InfoI(const EndpointIPtr& endpoint) : _endpoint(endpoint) + { + } + + virtual Ice::Short + type() const + { + return _endpoint->type(); + } + + virtual bool + datagram() const + { + return _endpoint->datagram(); + } + + virtual bool + secure() const + { + return _endpoint->secure(); + } + +private: + + const EndpointIPtr _endpoint; +}; + + } #endif diff --git a/cpp/src/Ice/OpaqueEndpointI.cpp b/cpp/src/Ice/OpaqueEndpointI.cpp index e2f478c7231..c061eb0acfa 100644 --- a/cpp/src/Ice/OpaqueEndpointI.cpp +++ b/cpp/src/Ice/OpaqueEndpointI.cpp @@ -56,11 +56,11 @@ IceInternal::OpaqueEndpointI::OpaqueEndpointI(Short type, BasicStream* s) : _typ namespace { -class InfoI : public Ice::OpaqueEndpointInfo +class OpaqueEndpointInfoI : public Ice::OpaqueEndpointInfo { public: - InfoI(Ice::Short type, const Ice::EncodingVersion& rawEncoding, const Ice::ByteSeq& rawByes); + OpaqueEndpointInfoI(Ice::Short type, const Ice::EncodingVersion& rawEncoding, const Ice::ByteSeq& rawByes); virtual Ice::Short type() const @@ -89,7 +89,8 @@ private: // // COMPILERFIX: inlining this constructor causes crashes with gcc 4.0.1. // -InfoI::InfoI(Ice::Short type, const Ice::EncodingVersion& rawEncoding, const Ice::ByteSeq& rawBytes) : +OpaqueEndpointInfoI::OpaqueEndpointInfoI(Ice::Short type, const Ice::EncodingVersion& rawEncoding, + const Ice::ByteSeq& rawBytes) : Ice::OpaqueEndpointInfo(-1, false, rawEncoding, rawBytes), _type(type) { @@ -106,7 +107,7 @@ IceInternal::OpaqueEndpointI::streamWrite(BasicStream* s) const Ice::EndpointInfoPtr IceInternal::OpaqueEndpointI::getInfo() const { - return new InfoI(_type, _rawEncoding, _rawBytes); + return new OpaqueEndpointInfoI(_type, _rawEncoding, _rawBytes); } Short diff --git a/cpp/src/Ice/PropertyNames.cpp b/cpp/src/Ice/PropertyNames.cpp index 95cf61169a8..11b035d47df 100644 --- a/cpp/src/Ice/PropertyNames.cpp +++ b/cpp/src/Ice/PropertyNames.cpp @@ -6,7 +6,7 @@ // ICE_LICENSE file included in this distribution. // // ********************************************************************** -// Generated by makeprops.py from file ./config/PropertyNames.xml, Thu Mar 19 17:54:51 2015 +// Generated by makeprops.py from file ./config/PropertyNames.xml, Tue Apr 28 17:34:50 2015 // IMPORTANT: Do not edit this file -- any edits made here will be lost! @@ -998,8 +998,9 @@ const IceInternal::PropertyArray const IceInternal::Property IceSSLPropsData[] = { IceInternal::Property("IceSSL.Alias", false, 0), - IceInternal::Property("IceSSL.CertAuthDir", false, 0), - IceInternal::Property("IceSSL.CertAuthFile", false, 0), + IceInternal::Property("IceSSL.CAs", false, 0), + IceInternal::Property("IceSSL.CertAuthDir", true, 0), + IceInternal::Property("IceSSL.CertAuthFile", true, 0), IceInternal::Property("IceSSL.CertStore", false, 0), IceInternal::Property("IceSSL.CertFile", false, 0), IceInternal::Property("IceSSL.CertVerifier", false, 0), @@ -1011,10 +1012,10 @@ const IceInternal::Property IceSSLPropsData[] = IceInternal::Property("IceSSL.DHParams", false, 0), IceInternal::Property("IceSSL.EntropyDaemon", false, 0), IceInternal::Property("IceSSL.FindCert", false, 0), - IceInternal::Property("IceSSL.FindCert.*", false, 0), + IceInternal::Property("IceSSL.FindCert.*", true, 0), IceInternal::Property("IceSSL.ImportCert.*", true, 0), IceInternal::Property("IceSSL.InitOpenSSL", false, 0), - IceInternal::Property("IceSSL.KeyFile", false, 0), + IceInternal::Property("IceSSL.KeyFile", true, 0), IceInternal::Property("IceSSL.KeySet", false, 0), IceInternal::Property("IceSSL.Keychain", false, 0), IceInternal::Property("IceSSL.KeychainPassword", false, 0), @@ -1037,6 +1038,7 @@ const IceInternal::Property IceSSLPropsData[] = IceInternal::Property("IceSSL.Truststore", false, 0), IceInternal::Property("IceSSL.TruststorePassword", false, 0), IceInternal::Property("IceSSL.TruststoreType", false, 0), + IceInternal::Property("IceSSL.UsePlatformCAs", false, 0), IceInternal::Property("IceSSL.VerifyDepthMax", false, 0), IceInternal::Property("IceSSL.VerifyPeer", false, 0), }; diff --git a/cpp/src/Ice/PropertyNames.h b/cpp/src/Ice/PropertyNames.h index 28b47265af6..cf92a38d43f 100644 --- a/cpp/src/Ice/PropertyNames.h +++ b/cpp/src/Ice/PropertyNames.h @@ -6,7 +6,7 @@ // ICE_LICENSE file included in this distribution. // // ********************************************************************** -// Generated by makeprops.py from file ./config/PropertyNames.xml, Thu Mar 19 17:54:51 2015 +// Generated by makeprops.py from file ./config/PropertyNames.xml, Tue Apr 28 17:34:50 2015 // IMPORTANT: Do not edit this file -- any edits made here will be lost! diff --git a/cpp/src/Ice/TcpEndpointI.cpp b/cpp/src/Ice/TcpEndpointI.cpp index 606a442e94a..5e744c394bb 100644 --- a/cpp/src/Ice/TcpEndpointI.cpp +++ b/cpp/src/Ice/TcpEndpointI.cpp @@ -62,39 +62,17 @@ IceInternal::TcpEndpointI::TcpEndpointI(const ProtocolInstancePtr& instance, Bas EndpointInfoPtr IceInternal::TcpEndpointI::getInfo() const { - class InfoI : public Ice::TCPEndpointInfo - { - public: - - InfoI(const EndpointIPtr& endpoint) : _endpoint(endpoint) - { - } - - virtual Ice::Short - type() const - { - return _endpoint->type(); - } - - virtual bool - datagram() const - { - return _endpoint->datagram(); - } - - virtual bool - secure() const - { - return _endpoint->secure(); - } - - private: - - const EndpointIPtr _endpoint; - }; + TCPEndpointInfoPtr info = new InfoI<Ice::TCPEndpointInfo>(const_cast<TcpEndpointI*>(this)); + fillEndpointInfo(info.get()); + return info; +} - TCPEndpointInfoPtr info = new InfoI(const_cast<TcpEndpointI*>(this)); +EndpointInfoPtr +IceInternal::TcpEndpointI::getWSInfo(const string& resource) const +{ + WSEndpointInfoPtr info = new InfoI<Ice::WSEndpointInfo>(const_cast<TcpEndpointI*>(this)); fillEndpointInfo(info.get()); + info->resource = resource; return info; } diff --git a/cpp/src/Ice/TcpEndpointI.h b/cpp/src/Ice/TcpEndpointI.h index 2525d940168..d29498fc181 100644 --- a/cpp/src/Ice/TcpEndpointI.h +++ b/cpp/src/Ice/TcpEndpointI.h @@ -14,11 +14,12 @@ #include <Ice/IPEndpointI.h> #include <Ice/EndpointFactory.h> #include <Ice/Network.h> // for IceIternal::Address +#include <Ice/WSEndpoint.h> namespace IceInternal { -class TcpEndpointI : public IPEndpointI +class TcpEndpointI : public IPEndpointI, public WSEndpointDelegate { public: @@ -28,6 +29,7 @@ public: TcpEndpointI(const ProtocolInstancePtr&, BasicStream*); virtual Ice::EndpointInfoPtr getInfo() const; + virtual Ice::EndpointInfoPtr getWSInfo(const std::string&) const; virtual Ice::Int timeout() const; virtual EndpointIPtr timeout(Ice::Int) const; diff --git a/cpp/src/Ice/TcpTransceiver.cpp b/cpp/src/Ice/TcpTransceiver.cpp index ee022c639e9..4fa6d0bce2d 100644 --- a/cpp/src/Ice/TcpTransceiver.cpp +++ b/cpp/src/Ice/TcpTransceiver.cpp @@ -105,13 +105,17 @@ IceInternal::TcpTransceiver::toDetailedString() const Ice::ConnectionInfoPtr IceInternal::TcpTransceiver::getInfo() const { - Ice::TCPConnectionInfoPtr info = new Ice::TCPConnectionInfo(); - fdToAddressAndPort(_stream->fd(), info->localAddress, info->localPort, info->remoteAddress, info->remotePort); - if(_stream->fd() != INVALID_SOCKET) - { - info->rcvSize = getRecvBufferSize(_stream->fd()); - info->sndSize = getSendBufferSize(_stream->fd()); - } + TCPConnectionInfoPtr info = new TCPConnectionInfo(); + fillConnectionInfo(info); + return info; +} + +Ice::ConnectionInfoPtr +IceInternal::TcpTransceiver::getWSInfo(const Ice::HeaderDict& headers) const +{ + WSConnectionInfoPtr info = new WSConnectionInfo(); + fillConnectionInfo(info); + info->headers = headers; return info; } @@ -136,3 +140,13 @@ IceInternal::TcpTransceiver::~TcpTransceiver() { } +void +IceInternal::TcpTransceiver::fillConnectionInfo(const TCPConnectionInfoPtr& info) const +{ + fdToAddressAndPort(_stream->fd(), info->localAddress, info->localPort, info->remoteAddress, info->remotePort); + if(_stream->fd() != INVALID_SOCKET) + { + info->rcvSize = getRecvBufferSize(_stream->fd()); + info->sndSize = getSendBufferSize(_stream->fd()); + } +} diff --git a/cpp/src/Ice/TcpTransceiver.h b/cpp/src/Ice/TcpTransceiver.h index ee6c57214d9..16845238ae4 100644 --- a/cpp/src/Ice/TcpTransceiver.h +++ b/cpp/src/Ice/TcpTransceiver.h @@ -14,6 +14,7 @@ #include <Ice/Transceiver.h> #include <Ice/Network.h> #include <Ice/StreamSocket.h> +#include <Ice/WSTransceiver.h> namespace IceInternal { @@ -21,7 +22,7 @@ namespace IceInternal class TcpConnector; class TcpAcceptor; -class TcpTransceiver : public Transceiver +class TcpTransceiver : public Transceiver, public WSTransceiverDelegate { public: @@ -42,6 +43,7 @@ public: virtual std::string toString() const; virtual std::string toDetailedString() const; virtual Ice::ConnectionInfoPtr getInfo() const; + virtual Ice::ConnectionInfoPtr getWSInfo(const Ice::HeaderDict&) const; virtual void checkSendSize(const Buffer&); virtual void setBufferSize(int rcvSize, int sndSize); @@ -50,6 +52,8 @@ private: TcpTransceiver(const ProtocolInstancePtr&, const StreamSocketPtr&); virtual ~TcpTransceiver(); + void fillConnectionInfo(const Ice::TCPConnectionInfoPtr&) const; + friend class TcpConnector; friend class TcpAcceptor; diff --git a/cpp/src/Ice/UdpEndpointI.cpp b/cpp/src/Ice/UdpEndpointI.cpp index 6b0584fb2ba..019ff02a368 100644 --- a/cpp/src/Ice/UdpEndpointI.cpp +++ b/cpp/src/Ice/UdpEndpointI.cpp @@ -76,38 +76,7 @@ IceInternal::UdpEndpointI::UdpEndpointI(const ProtocolInstancePtr& instance, Bas EndpointInfoPtr IceInternal::UdpEndpointI::getInfo() const { - class InfoI : public Ice::UDPEndpointInfo - { - public: - - InfoI(const EndpointIPtr& endpoint) : _endpoint(endpoint) - { - } - - virtual Ice::Short - type() const - { - return _endpoint->type(); - } - - virtual bool - datagram() const - { - return _endpoint->datagram(); - } - - virtual bool - secure() const - { - return _endpoint->secure(); - } - - private: - - const EndpointIPtr _endpoint; - }; - - Ice::UDPEndpointInfoPtr info = new InfoI(const_cast<UdpEndpointI*>(this)); + Ice::UDPEndpointInfoPtr info = new InfoI<Ice::UDPEndpointInfo>(const_cast<UdpEndpointI*>(this)); fillEndpointInfo(info.get()); return info; } diff --git a/cpp/src/Ice/WSEndpoint.cpp b/cpp/src/Ice/WSEndpoint.cpp index 54acdef77c4..d23b952b6b5 100644 --- a/cpp/src/Ice/WSEndpoint.cpp +++ b/cpp/src/Ice/WSEndpoint.cpp @@ -47,41 +47,8 @@ IceInternal::WSEndpoint::WSEndpoint(const ProtocolInstancePtr& instance, const E Ice::EndpointInfoPtr IceInternal::WSEndpoint::getInfo() const { - class InfoI : public WSEndpointInfo - { - public: - - InfoI(const EndpointIPtr& e) : _endpoint(e) - { - } - - virtual Short - type() const - { - return _endpoint->type(); - } - - virtual bool - datagram() const - { - return _endpoint->datagram(); - } - - virtual bool - secure() const - { - return _endpoint->secure(); - } - - private: - - const EndpointIPtr _endpoint; - }; - - WSEndpointInfoPtr info = new InfoI(const_cast<WSEndpoint*>(this)); - _delegate->fillEndpointInfo(info.get()); - info->resource = _resource; - return info; + assert(dynamic_cast<WSEndpointDelegate*>(_delegate.get())); + return dynamic_cast<WSEndpointDelegate*>(_delegate.get())->getWSInfo(_resource); } Ice::Short diff --git a/cpp/src/Ice/WSEndpoint.h b/cpp/src/Ice/WSEndpoint.h index 255bcf6cc1b..6fb08211a84 100644 --- a/cpp/src/Ice/WSEndpoint.h +++ b/cpp/src/Ice/WSEndpoint.h @@ -20,6 +20,17 @@ namespace IceInternal { +// +// Delegate interface implemented by TcpEndpoint or IceSSL::Endpoint or any endpoint that WS can +// delegate to. +// +class ICE_API WSEndpointDelegate : virtual public IceUtil::Shared +{ +public: + + virtual Ice::EndpointInfoPtr getWSInfo(const std::string&) const = 0; +}; + class WSEndpoint : public EndpointI { public: diff --git a/cpp/src/Ice/WSTransceiver.cpp b/cpp/src/Ice/WSTransceiver.cpp index d476b52a67e..08764fbc267 100644 --- a/cpp/src/Ice/WSTransceiver.cpp +++ b/cpp/src/Ice/WSTransceiver.cpp @@ -803,17 +803,8 @@ IceInternal::WSTransceiver::toDetailedString() const Ice::ConnectionInfoPtr IceInternal::WSTransceiver::getInfo() const { - IPConnectionInfoPtr di = IPConnectionInfoPtr::dynamicCast(_delegate->getInfo()); - assert(di); - WSConnectionInfoPtr info = new WSConnectionInfo(); - info->localAddress = di->localAddress; - info->localPort = di->localPort; - info->remoteAddress = di->remoteAddress; - info->remotePort = di->remotePort; - info->rcvSize = di->rcvSize; - info->sndSize = di->sndSize; - info->headers = _parser->getHeaders(); - return info; + assert(dynamic_cast<WSTransceiverDelegate*>(_delegate.get())); + return dynamic_cast<WSTransceiverDelegate*>(_delegate.get())->getWSInfo(_parser->getHeaders()); } void diff --git a/cpp/src/Ice/WSTransceiver.h b/cpp/src/Ice/WSTransceiver.h index 2273f51a683..c3d8d760e22 100644 --- a/cpp/src/Ice/WSTransceiver.h +++ b/cpp/src/Ice/WSTransceiver.h @@ -24,6 +24,17 @@ namespace IceInternal class ConnectorI; class AcceptorI; +// +// Delegate interface implemented by TcpTransceiver or IceSSL::Transceiver or any transport that WS can +// delegate to. +// +class ICE_API WSTransceiverDelegate : virtual public IceUtil::Shared +{ +public: + + virtual Ice::ConnectionInfoPtr getWSInfo(const Ice::HeaderDict&) const = 0; +}; + class WSTransceiver : public Transceiver { public: diff --git a/cpp/src/Ice/winrt/StreamEndpointI.cpp b/cpp/src/Ice/winrt/StreamEndpointI.cpp index 60aca535bdd..bdd3dc0295d 100644 --- a/cpp/src/Ice/winrt/StreamEndpointI.cpp +++ b/cpp/src/Ice/winrt/StreamEndpointI.cpp @@ -44,43 +44,6 @@ createIceSSL(const CommunicatorPtr& com, const string&, const StringSeq&) } -namespace -{ - -template<class T> class InfoI : public T -{ -public: - - InfoI(const ProtocolInstancePtr& instance, Ice::Int to, bool comp, const string& host, Ice::Int port) : - T(to, comp, host, port, ""), _instance(instance) - { - } - - virtual Ice::Short - type() const - { - return _instance->type(); - } - - virtual bool - datagram() const - { - return false; - } - - virtual bool - secure() const - { - return _instance->secure(); - } - -private: - - ProtocolInstancePtr _instance; -}; - -} - IceUtil::Shared* IceInternal::upCast(StreamEndpointI* p) { return p; } IceInternal::StreamEndpointI::StreamEndpointI(const ProtocolInstancePtr& instance, const string& ho, Int po, Int ti, @@ -110,14 +73,37 @@ IceInternal::StreamEndpointI::StreamEndpointI(const ProtocolInstancePtr& instanc EndpointInfoPtr IceInternal::StreamEndpointI::getInfo() const { + IPEndpointInfoPtr info; + if(_instance->secure()) + { + info = new InfoI<IceSSL::EndpointInfo>(const_cast<StreamEndpointI*>(this)); + } + else + { + info = new InfoI<Ice::TCPEndpointInfo>(const_cast<StreamEndpointI*>(this)); + } + fillEndpointInfo(info.get()); + return info; +} + +EndpointInfoPtr +IceInternal::StreamEndpointI::getWSInfo(const string& resource) const +{ + IPEndpointInfoPtr info; if(_instance->secure()) { - return new InfoI<IceSSL::EndpointInfo>(_instance, _timeout, _compress, _host, _port); + IceSSL::WSSEndpointInfoPtr i = new InfoI<IceSSL::WSSEndpointInfo>(const_cast<StreamEndpointI*>(this)); + i->resource = resource; + info = i; } else { - return new InfoI<Ice::TCPEndpointInfo>(_instance, _timeout, _compress, _host, _port); + Ice::WSEndpointInfoPtr i = new InfoI<Ice::WSEndpointInfo>(const_cast<StreamEndpointI*>(this)); + i->resource = resource; + info = i; } + fillEndpointInfo(info.get()); + return info; } Int @@ -180,8 +166,7 @@ IceInternal::StreamEndpointI::datagram() const bool IceInternal::StreamEndpointI::secure() const { - return _instance->type() == IceSSL::EndpointType || - _instance->type() == WSSEndpointType; + return _instance->type() == IceSSL::EndpointType || _instance->type() == WSSEndpointType; } TransceiverPtr diff --git a/cpp/src/Ice/winrt/StreamEndpointI.h b/cpp/src/Ice/winrt/StreamEndpointI.h index 8e77b2d1397..d3f9f1bbe66 100644 --- a/cpp/src/Ice/winrt/StreamEndpointI.h +++ b/cpp/src/Ice/winrt/StreamEndpointI.h @@ -13,13 +13,14 @@ #include <IceUtil/Config.h> #include <Ice/IPEndpointI.h> #include <Ice/EndpointFactory.h> +#include <Ice/WSEndpoint.h> #include <Ice/Network.h> // for IceIternal::Address #include <Ice/winrt/StreamF.h> namespace IceInternal { -class StreamEndpointI : public IPEndpointI +class StreamEndpointI : public IPEndpointI, WSEndpointDelegate { public: @@ -28,6 +29,7 @@ public: StreamEndpointI(const ProtocolInstancePtr&, BasicStream*); virtual Ice::EndpointInfoPtr getInfo() const; + virtual Ice::EndpointInfoPtr getWSInfo(const std::string&) const; virtual Ice::Int timeout() const; virtual EndpointIPtr timeout(Ice::Int) const; diff --git a/cpp/src/Ice/winrt/StreamTransceiver.cpp b/cpp/src/Ice/winrt/StreamTransceiver.cpp index 3c4a30f8cc6..7cf9946ed9c 100644 --- a/cpp/src/Ice/winrt/StreamTransceiver.cpp +++ b/cpp/src/Ice/winrt/StreamTransceiver.cpp @@ -302,12 +302,29 @@ IceInternal::StreamTransceiver::getInfo() const { info = new Ice::TCPConnectionInfo(); } - fdToAddressAndPort(_fd, info->localAddress, info->localPort, info->remoteAddress, info->remotePort); - info->rcvSize = getRecvBufferSize(_fd); - info->sndSize = getSendBufferSize(_fd); + fillConnectionInfo(info); return info; } +Ice::ConnectionInfoPtr +IceInternal::StreamTransceiver::getWSInfo(const Ice::HeaderDict& headers) const +{ + if(_instance->secure()) + { + IceSSL::WSSConnectionInfoPtr info = new IceSSL::WSSConnectionInfo(); + fillConnectionInfo(info); + info->headers = headers; + return info; + } + else + { + Ice::WSConnectionInfoPtr info = new Ice::WSConnectionInfo(); + fillConnectionInfo(info); + info->headers = headers; + return info; + } +} + void IceInternal::StreamTransceiver::checkSendSize(const Buffer&) { @@ -387,3 +404,12 @@ IceInternal::StreamTransceiver::checkIfErrorOrCompleted(SocketOperation op, IAsy return true; // Prevent compiler warning. } } + +void +IceInternal::StreamTransceiver::fillConnectionInfo(const Ice::IPConnectionInfoPtr& info) const +{ + fdToAddressAndPort(_fd, info->localAddress, info->localPort, info->remoteAddress, info->remotePort); + info->rcvSize = getRecvBufferSize(_fd); + info->sndSize = getSendBufferSize(_fd); +} + diff --git a/cpp/src/Ice/winrt/StreamTransceiver.h b/cpp/src/Ice/winrt/StreamTransceiver.h index 4a32cfd10e8..6d7effd8e49 100644 --- a/cpp/src/Ice/winrt/StreamTransceiver.h +++ b/cpp/src/Ice/winrt/StreamTransceiver.h @@ -13,6 +13,7 @@ #include <Ice/ProtocolInstanceF.h> #include <Ice/Transceiver.h> #include <Ice/Network.h> +#include <Ice/WSTransceiver.h> namespace IceInternal { @@ -20,7 +21,7 @@ namespace IceInternal class StreamConnector; class StreamAcceptor; -class StreamTransceiver : public Transceiver, public NativeInfo +class StreamTransceiver : public Transceiver, public NativeInfo, public WSTransceiverDelegate { enum State { @@ -49,6 +50,7 @@ public: virtual std::string toString() const; virtual std::string toDetailedString() const; virtual Ice::ConnectionInfoPtr getInfo() const; + virtual Ice::ConnectionInfoPtr getWSInfo(const Ice::HeaderDict&) const; virtual void checkSendSize(const Buffer&); virtual void setBufferSize(int rcvSize, int sndSize); @@ -58,8 +60,8 @@ private: virtual ~StreamTransceiver(); void connect(const Address&); - bool checkIfErrorOrCompleted(SocketOperation, Windows::Foundation::IAsyncInfo^, int = 0); + void fillConnectionInfo(const Ice::IPConnectionInfoPtr&) const; friend class StreamConnector; friend class StreamAcceptor; diff --git a/cpp/src/IceSSL/EndpointI.cpp b/cpp/src/IceSSL/EndpointI.cpp index 124c63dc645..6893db0e117 100644 --- a/cpp/src/IceSSL/EndpointI.cpp +++ b/cpp/src/IceSSL/EndpointI.cpp @@ -53,39 +53,17 @@ IceSSL::EndpointI::EndpointI(const InstancePtr& instance, IceInternal::BasicStre Ice::EndpointInfoPtr IceSSL::EndpointI::getInfo() const { - class InfoI : public EndpointInfo - { - public: - - InfoI(const IceInternal::EndpointIPtr& endpoint) : _endpoint(endpoint) - { - } - - virtual Ice::Short - type() const - { - return _endpoint->type(); - } - - virtual bool - datagram() const - { - return _endpoint->datagram(); - } - - virtual bool - secure() const - { - return _endpoint->secure(); - } - - private: - - const IceInternal::EndpointIPtr _endpoint; - }; + EndpointInfoPtr info = new IceInternal::InfoI<EndpointInfo>(const_cast<EndpointI*>(this)); + fillEndpointInfo(info.get()); + return info; +} - IPEndpointInfoPtr info = new InfoI(const_cast<EndpointI*>(this)); +Ice::EndpointInfoPtr +IceSSL::EndpointI::getWSInfo(const string& resource) const +{ + WSSEndpointInfoPtr info = new IceInternal::InfoI<WSSEndpointInfo>(const_cast<EndpointI*>(this)); fillEndpointInfo(info.get()); + info->resource = resource; return info; } diff --git a/cpp/src/IceSSL/EndpointI.h b/cpp/src/IceSSL/EndpointI.h index b3a154a6ad4..74f04d1665a 100644 --- a/cpp/src/IceSSL/EndpointI.h +++ b/cpp/src/IceSSL/EndpointI.h @@ -12,6 +12,7 @@ #include <Ice/IPEndpointI.h> #include <Ice/EndpointFactory.h> +#include <Ice/WSEndpoint.h> #include <IceSSL/InstanceF.h> #include <IceSSL/EndpointInfo.h> #include <Ice/Network.h> @@ -19,7 +20,7 @@ namespace IceSSL { -class EndpointI : public IceInternal::IPEndpointI +class EndpointI : public IceInternal::IPEndpointI, public IceInternal::WSEndpointDelegate { public: @@ -29,6 +30,7 @@ public: EndpointI(const InstancePtr&, IceInternal::BasicStream*); virtual Ice::EndpointInfoPtr getInfo() const; + virtual Ice::EndpointInfoPtr getWSInfo(const std::string&) const; virtual Ice::Int timeout() const; virtual IceInternal::EndpointIPtr timeout(Ice::Int) const; diff --git a/cpp/src/IceSSL/OpenSSLEngine.cpp b/cpp/src/IceSSL/OpenSSLEngine.cpp index c47e19eb99f..cc617008547 100644 --- a/cpp/src/IceSSL/OpenSSLEngine.cpp +++ b/cpp/src/IceSSL/OpenSSLEngine.cpp @@ -395,8 +395,22 @@ OpenSSLEngine::initialize() // Establish the location of CA certificates. // { - string caFile = properties->getProperty(propPrefix + "CertAuthFile"); - string caDir = properties->getPropertyWithDefault(propPrefix + "CertAuthDir", defaultDir); + string caFile = properties->getProperty(propPrefix + "CAs"); + string caDir; + if(!caFile.empty()) + { + if(!checkPath(caFile, defaultDir, false) && checkPath(caFile, defaultDir, true)) + { + caDir = caFile; + caFile = ""; + } + } + else + { + // Deprecated properties + caFile = properties->getProperty(propPrefix + "CertAuthFile"); + caDir = properties->getProperty(propPrefix + "CertAuthDir"); + } const char* file = 0; const char* dir = 0; if(!caFile.empty()) @@ -452,6 +466,10 @@ OpenSSLEngine::initialize() throw PluginInitializationException(__FILE__, __LINE__, msg); } } + else if(properties->getPropertyAsInt("IceSSL.UsePlatformCAs") > 0) + { + SSL_CTX_set_default_verify_paths(_ctx); + } } // diff --git a/cpp/src/IceSSL/OpenSSLTransceiverI.cpp b/cpp/src/IceSSL/OpenSSLTransceiverI.cpp index bed46b3b8b4..2b40c62a4b6 100644 --- a/cpp/src/IceSSL/OpenSSLTransceiverI.cpp +++ b/cpp/src/IceSSL/OpenSSLTransceiverI.cpp @@ -276,11 +276,12 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B throw ex; } } - else if(_info) + else { - _info->verified = true; + _verified = true; } - _engine->verifyPeer(_stream->fd(), _host, getNativeConnectionInfo()); + + _engine->verifyPeer(_stream->fd(), _host, NativeConnectionInfoPtr::dynamicCast(getInfo())); if(_engine->securityTraceLevel() >= 1) { @@ -573,7 +574,18 @@ IceSSL::TransceiverI::toDetailedString() const Ice::ConnectionInfoPtr IceSSL::TransceiverI::getInfo() const { - return getNativeConnectionInfo(); + NativeConnectionInfoPtr info = new NativeConnectionInfo(); + fillConnectionInfo(info, info->nativeCerts); + return info; +} + +Ice::ConnectionInfoPtr +IceSSL::TransceiverI::getWSInfo(const Ice::HeaderDict& headers) const +{ + WSSNativeConnectionInfoPtr info = new WSSNativeConnectionInfo(); + fillConnectionInfo(info, info->nativeCerts); + info->headers = headers; + return info; } void @@ -609,17 +621,18 @@ IceSSL::TransceiverI::verifyCallback(int ok, X509_STORE_CTX* c) } // - // Initialize the native connection info with the verified - // certificate chain. SSL_get_peer_cert_chain doesn't return the - // verified chain, it returns the chain sent by the peer. + // Initialize the native certs with the verified certificate chain. SSL_get_peer_cert_chain + // doesn't return the verified chain, it returns the chain sent by the peer. // - try - { - _info = initNativeConnectionInfo(c); - } - catch(const Ice::Exception&) + STACK_OF(X509)* chain = X509_STORE_CTX_get1_chain(c); + if(chain != 0) { - // Ignore + _nativeCerts.clear(); + for(int i = 0; i < sk_X509_num(chain); ++i) + { + _nativeCerts.push_back(new Certificate(X509_dup(sk_X509_value(chain, i)))); + } + sk_X509_pop_free(chain, X509_free); } // @@ -639,6 +652,7 @@ IceSSL::TransceiverI::TransceiverI(const InstancePtr& instance, const IceInterna _adapterName(incoming ? hostOrAdapterName : ""), _incoming(incoming), _stream(stream), + _verified(false), _ssl(0) { } @@ -647,20 +661,9 @@ IceSSL::TransceiverI::~TransceiverI() { } -NativeConnectionInfoPtr -IceSSL::TransceiverI::getNativeConnectionInfo() const -{ - if(!_info) - { - return initNativeConnectionInfo(0); - } - return _info; -} - -NativeConnectionInfoPtr -IceSSL::TransceiverI::initNativeConnectionInfo(X509_STORE_CTX* ctx) const +void +IceSSL::TransceiverI::fillConnectionInfo(const ConnectionInfoPtr& info, std::vector<CertificatePtr>& nativeCerts) const { - NativeConnectionInfoPtr info = new NativeConnectionInfo(); IceInternal::fdToAddressAndPort(_stream->fd(), info->localAddress, info->localPort, info->remoteAddress, info->remotePort); if(_stream->fd() != INVALID_SOCKET) @@ -670,57 +673,11 @@ IceSSL::TransceiverI::initNativeConnectionInfo(X509_STORE_CTX* ctx) const } info->adapterName = _adapterName; info->incoming = _incoming; - info->verified = false; - - STACK_OF(X509)* chain = 0; - if(ctx) - { - // - // This is called from the verify callback where OpenSSL provides the verified - // certificate chain. - // - chain = X509_STORE_CTX_get1_chain(ctx); - } - - if(chain == 0 && _ssl != 0) - { - // - // On the client side, SSL_get_peer_cert_chain returns the entire chain of certs. - // On the server side, the peer certificate must be obtained separately. - // - // Since we have no clear idea whether the connection is server or client side, - // the peer certificate is obtained separately and compared against the first - // certificate in the chain. If they are not the same, it is added to the chain. - // - X509* cert = SSL_get_peer_certificate(_ssl); - chain = SSL_get_peer_cert_chain(_ssl); - if(cert != 0 && (chain == 0 || sk_X509_num(chain) == 0 || cert != sk_X509_value(chain, 0))) - { - CertificatePtr certificate = new Certificate(cert); - info->nativeCerts.push_back(certificate); - info->certs.push_back(certificate->encode()); - } - else - { - X509_free(cert); - } - } - - if(chain != 0) + info->verified = _verified; + nativeCerts = _nativeCerts; + for(vector<CertificatePtr>::const_iterator p = _nativeCerts.begin(); p != _nativeCerts.end(); ++p) { - for(int i = 0; i < sk_X509_num(chain); ++i) - { - // - // Duplicate the certificate since the stack comes straight from the SSL connection. - // - CertificatePtr certificate = new Certificate(X509_dup(sk_X509_value(chain, i))); - info->nativeCerts.push_back(certificate); - info->certs.push_back(certificate->encode()); - } - if(ctx) - { - sk_X509_pop_free(chain, X509_free); - } + info->certs.push_back((*p)->encode()); } if(_ssl != 0) { @@ -728,7 +685,6 @@ IceSSL::TransceiverI::initNativeConnectionInfo(X509_STORE_CTX* ctx) const } info->adapterName = _adapterName; info->incoming = _incoming; - return info; } #endif diff --git a/cpp/src/IceSSL/OpenSSLTransceiverI.h b/cpp/src/IceSSL/OpenSSLTransceiverI.h index 85fa55d4548..a64e932a0f5 100644 --- a/cpp/src/IceSSL/OpenSSLTransceiverI.h +++ b/cpp/src/IceSSL/OpenSSLTransceiverI.h @@ -19,6 +19,7 @@ #include <Ice/Transceiver.h> #include <Ice/Network.h> #include <Ice/StreamSocket.h> +#include <Ice/WSTransceiver.h> #ifdef ICE_USE_OPENSSL @@ -31,7 +32,7 @@ namespace IceSSL class ConnectorI; class AcceptorI; -class TransceiverI : public IceInternal::Transceiver +class TransceiverI : public IceInternal::Transceiver, public IceInternal::WSTransceiverDelegate { public: @@ -46,6 +47,7 @@ public: virtual std::string toString() const; virtual std::string toDetailedString() const; virtual Ice::ConnectionInfoPtr getInfo() const; + virtual Ice::ConnectionInfoPtr getWSInfo(const Ice::HeaderDict&) const; virtual void checkSendSize(const IceInternal::Buffer&); virtual void setBufferSize(int rcvSize, int sndSize); @@ -56,8 +58,7 @@ private: TransceiverI(const InstancePtr&, const IceInternal::StreamSocketPtr&, const std::string&, bool); virtual ~TransceiverI(); - virtual NativeConnectionInfoPtr getNativeConnectionInfo() const; - NativeConnectionInfoPtr initNativeConnectionInfo(X509_STORE_CTX*) const; + void fillConnectionInfo(const ConnectionInfoPtr&, std::vector<CertificatePtr>&) const; friend class ConnectorI; friend class AcceptorI; @@ -68,7 +69,8 @@ private: const std::string _adapterName; const bool _incoming; const IceInternal::StreamSocketPtr _stream; - NativeConnectionInfoPtr _info; + bool _verified; + std::vector<CertificatePtr> _nativeCerts; SSL* _ssl; }; diff --git a/cpp/src/IceSSL/SChannelEngine.cpp b/cpp/src/IceSSL/SChannelEngine.cpp index efb3b099ce3..ddc47619373 100644 --- a/cpp/src/IceSSL/SChannelEngine.cpp +++ b/cpp/src/IceSSL/SChannelEngine.cpp @@ -56,7 +56,7 @@ struct CertChainEngineConfig # endif void -addCertificateToStore(const string& file, HCERTSTORE store, PCCERT_CONTEXT* cert = 0) +addCertificatesToStore(const string& file, HCERTSTORE store, PCCERT_CONTEXT* cert = 0) { vector<char> buffer; readFile(file, buffer); @@ -65,29 +65,50 @@ addCertificateToStore(const string& file, HCERTSTORE store, PCCERT_CONTEXT* cert throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: certificate file is empty:\n" + file); } - vector<BYTE> outBuffer; - outBuffer.resize(buffer.size()); - DWORD outLength = static_cast<DWORD>(outBuffer.size()); - - if(!CryptStringToBinary(&buffer[0], static_cast<DWORD>(buffer.size()), CRYPT_STRING_BASE64HEADER, - &outBuffer[0], &outLength, 0, 0)) + string strbuf(buffer.begin(), buffer.end()); + string::size_type size, startpos, endpos = 0; + bool first = true; + while(true) { - // - // Base64 data should always be bigger than binary - // - assert(GetLastError() != ERROR_MORE_DATA); - throw PluginInitializationException(__FILE__, __LINE__, - "IceSSL: error decoding certificate:\n" + lastErrorToString()); - } + startpos = strbuf.find("-----BEGIN CERTIFICATE-----", endpos); + if(startpos != string::npos) + { + endpos = strbuf.find("-----END CERTIFICATE-----", startpos); + size = endpos - startpos + sizeof("-----END CERTIFICATE-----"); + } + else if(first) + { + startpos = 0; + endpos = string::npos; + size = strbuf.size(); + } + else + { + break; + } - if(!CertAddEncodedCertificateToStore(store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &outBuffer[0], - outLength, CERT_STORE_ADD_NEW, cert)) - { - if(GetLastError() != static_cast<DWORD>(CRYPT_E_EXISTS)) + vector<BYTE> outBuffer; + outBuffer.resize(size); + DWORD outLength = static_cast<DWORD>(outBuffer.size()); + if(!CryptStringToBinary(&buffer[startpos], static_cast<DWORD>(size), CRYPT_STRING_ANY, &outBuffer[0], + &outLength, 0, 0)) { + assert(GetLastError() != ERROR_MORE_DATA); // Base64 data should always be bigger than binary throw PluginInitializationException(__FILE__, __LINE__, - "IceSSL: error decoding certificate:\n" + lastErrorToString()); + "IceSSL: error decoding certificate:\n" + lastErrorToString()); + } + + if(!CertAddEncodedCertificateToStore(store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &outBuffer[0], + outLength, CERT_STORE_ADD_NEW, first ? cert : 0)) + { + if(GetLastError() != static_cast<DWORD>(CRYPT_E_EXISTS)) + { + throw PluginInitializationException(__FILE__, __LINE__, + "IceSSL: error decoding certificate:\n" + lastErrorToString()); + } } + + first = false; } } @@ -244,8 +265,12 @@ SChannelEngine::initialize() // // Create trusted CA store with contents of CertAuthFile // - string caFile = properties->getProperty(prefix + "CertAuthFile"); - if(!caFile.empty()) + string caFile = properties->getProperty(prefix + "CAs"); + if(caFile.empty()) + { + caFile = properties->getProperty(prefix + "CertAuthFile"); + } + if(!caFile.empty() || properties->getPropertyAsInt("IceSSL.UsePlatformCAs") <= 0) { _rootStore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, 0, 0); if(!_rootStore) @@ -253,15 +278,20 @@ SChannelEngine::initialize() throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: error creating in memory certificate store:\n" + lastErrorToString()); } - + } + if(!caFile.empty()) + { if(!checkPath(caFile, defaultDir, false)) { throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: CA certificate file not found:\n" + caFile); } - addCertificateToStore(caFile, _rootStore); + addCertificatesToStore(caFile, _rootStore); + } + if(_rootStore) + { // // Create a chain engine that uses our Trusted Root Store // @@ -410,26 +440,8 @@ SChannelEngine::initialize() "IceSSL: certificate error:\n" + lastErrorToString()); } - // - // If we found a certificate, add it to a new memory store. We - // can't use directly the certificate context from the PFX - // store: while it works for certificates without - // intermediates, it doesn't if the certificate has - // intermediates, the intermediates certificates aren't being - // sent. - // - HCERTSTORE newStore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, 0, 0); - PCCERT_CONTEXT newCert; - if(!CertAddCertificateContextToStore(newStore, cert, CERT_STORE_ADD_ALWAYS, &newCert)) - { - CertCloseStore(newStore, 0); - throw PluginInitializationException(__FILE__, __LINE__, - "IceSSL: certificate error:\n" + lastErrorToString()); - } - _certs.push_back(newCert); - _stores.push_back(newStore); - CertFreeCertificateContext(cert); - CertCloseStore(store, 0); + _certs.push_back(cert); + _stores.push_back(store); continue; } @@ -560,7 +572,7 @@ SChannelEngine::initialize() "store:\n" + lastErrorToString()); } - addCertificateToStore(certFile, store, &cert); + addCertificatesToStore(certFile, store, &cert); // // Associate key & certificate @@ -705,6 +717,17 @@ SChannelEngine::newCredentialsHandle(bool incoming) // the root certificate either way. // cred.dwFlags = SCH_CRED_NO_SYSTEM_MAPPER; + + // + // There's no way to prevent SChannel from sending "CA names" to the + // client. Recent Windows versions don't CA names but older ones do + // send all the trusted root CA names. We provide the root store to + // ensure that for these older Windows versions, we also include the + // CA names of your trusted roots. IceSSL for Java will only send a + // client certificate if the client certificate CA matches one of the + // CA names sent by the server. + // + cred.hRootStore = _rootStore; } else { diff --git a/cpp/src/IceSSL/SChannelTransceiverI.cpp b/cpp/src/IceSSL/SChannelTransceiverI.cpp index 74d9d840ed2..126a966f6b3 100644 --- a/cpp/src/IceSSL/SChannelTransceiverI.cpp +++ b/cpp/src/IceSSL/SChannelTransceiverI.cpp @@ -715,7 +715,7 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B } } - _engine->verifyPeer(_stream->fd(), _host, getNativeConnectionInfo()); + _engine->verifyPeer(_stream->fd(), _host, NativeConnectionInfoPtr::dynamicCast(getInfo())); _state = StateHandshakeComplete; if(_instance->engine()->securityTraceLevel() >= 1) @@ -948,7 +948,18 @@ IceSSL::TransceiverI::toDetailedString() const Ice::ConnectionInfoPtr IceSSL::TransceiverI::getInfo() const { - return getNativeConnectionInfo(); + NativeConnectionInfoPtr info = new NativeConnectionInfo(); + fillConnectionInfo(info, info->nativeCerts); + return info; +} + +Ice::ConnectionInfoPtr +IceSSL::TransceiverI::getWSInfo(const Ice::HeaderDict& headers) const +{ + WSSNativeConnectionInfoPtr info = new WSSNativeConnectionInfo(); + fillConnectionInfo(info, info->nativeCerts); + info->headers = headers; + return info; } void @@ -984,10 +995,9 @@ IceSSL::TransceiverI::~TransceiverI() { } -NativeConnectionInfoPtr -IceSSL::TransceiverI::getNativeConnectionInfo() const +void +IceSSL::TransceiverI::fillConnectionInfo(const ConnectionInfoPtr& info, vector<CertificatePtr>& nativeCerts) const { - NativeConnectionInfoPtr info = new NativeConnectionInfo(); IceInternal::fdToAddressAndPort(_stream->fd(), info->localAddress, info->localPort, info->remoteAddress, info->remotePort); if(_stream->fd() != INVALID_SOCKET) @@ -1032,7 +1042,7 @@ IceSSL::TransceiverI::getNativeConnectionInfo() const } CertificatePtr certificate = new Certificate(cc); - info->nativeCerts.push_back(certificate); + nativeCerts.push_back(certificate); info->certs.push_back(certificate->encode()); } CertFreeCertificateChain(certChain); @@ -1059,7 +1069,6 @@ IceSSL::TransceiverI::getNativeConnectionInfo() const info->adapterName = _adapterName; info->incoming = _incoming; - return info; } bool diff --git a/cpp/src/IceSSL/SChannelTransceiverI.h b/cpp/src/IceSSL/SChannelTransceiverI.h index a029cf596bf..f60d54ff6d6 100644 --- a/cpp/src/IceSSL/SChannelTransceiverI.h +++ b/cpp/src/IceSSL/SChannelTransceiverI.h @@ -19,6 +19,7 @@ #include <Ice/Network.h> #include <Ice/Buffer.h> #include <Ice/StreamSocket.h> +#include <Ice/WSTransceiver.h> #ifdef ICE_USE_SCHANNEL @@ -42,7 +43,7 @@ namespace IceSSL class ConnectorI; class AcceptorI; -class TransceiverI : public IceInternal::Transceiver +class TransceiverI : public IceInternal::Transceiver, public IceInternal::WSTransceiverDelegate { public: @@ -63,6 +64,7 @@ public: virtual std::string toString() const; virtual std::string toDetailedString() const; virtual Ice::ConnectionInfoPtr getInfo() const; + virtual Ice::ConnectionInfoPtr getWSInfo(const Ice::HeaderDict&) const; virtual void checkSendSize(const IceInternal::Buffer&); virtual void setBufferSize(int rcvSize, int sndSize); @@ -71,7 +73,7 @@ private: TransceiverI(const InstancePtr&, const IceInternal::StreamSocketPtr&, const std::string&, bool); virtual ~TransceiverI(); - virtual NativeConnectionInfoPtr getNativeConnectionInfo() const; + void fillConnectionInfo(const ConnectionInfoPtr&, std::vector<CertificatePtr>&) const; IceInternal::SocketOperation sslHandshake(); diff --git a/cpp/src/IceSSL/SecureTransportEngine.cpp b/cpp/src/IceSSL/SecureTransportEngine.cpp index 9264bf252aa..a7102f64279 100644 --- a/cpp/src/IceSSL/SecureTransportEngine.cpp +++ b/cpp/src/IceSSL/SecureTransportEngine.cpp @@ -905,7 +905,11 @@ IceSSL::SecureTransportEngine::initialize() // try { - string caFile = properties->getProperty("IceSSL.CertAuthFile"); + string caFile = properties->getProperty("IceSSL.CAs"); + if(caFile.empty()) + { + caFile = properties->getProperty("IceSSL.CertAuthFile"); + } if(!caFile.empty()) { if(!checkPath(caFile, defaultDir, false)) @@ -915,6 +919,11 @@ IceSSL::SecureTransportEngine::initialize() } _certificateAuthorities = loadCACertificates(caFile); } + else if(properties->getPropertyAsInt("IceSSL.UsePlatformCAs") <= 0) + { + // Setup an empty list of Root CAs to not use the system root CAs. + _certificateAuthorities = CFArrayCreate(0, 0, 0, 0); + } } catch(const CertificateReadException& ce) { diff --git a/cpp/src/IceSSL/SecureTransportTransceiverI.cpp b/cpp/src/IceSSL/SecureTransportTransceiverI.cpp index 3ff588cd9e2..211a4ca3fe8 100644 --- a/cpp/src/IceSSL/SecureTransportTransceiverI.cpp +++ b/cpp/src/IceSSL/SecureTransportTransceiverI.cpp @@ -258,7 +258,7 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B << "remote address = " << desc << "\n" << errorToString(err); throw ProtocolException(__FILE__, __LINE__, os.str()); } - _engine->verifyPeer(_stream->fd(), _host, getNativeConnectionInfo()); + _engine->verifyPeer(_stream->fd(), _host, NativeConnectionInfoPtr::dynamicCast(getInfo())); if(_instance->engine()->securityTraceLevel() >= 1) { @@ -485,7 +485,18 @@ IceSSL::TransceiverI::toDetailedString() const Ice::ConnectionInfoPtr IceSSL::TransceiverI::getInfo() const { - return getNativeConnectionInfo(); + NativeConnectionInfoPtr info = new NativeConnectionInfo(); + fillConnectionInfo(info, info->nativeCerts); + return info; +} + +Ice::ConnectionInfoPtr +IceSSL::TransceiverI::getWSInfo(const Ice::HeaderDict& headers) const +{ + WSSNativeConnectionInfoPtr info = new WSSNativeConnectionInfo(); + fillConnectionInfo(info, info->nativeCerts); + info->headers = headers; + return info; } void @@ -526,10 +537,9 @@ IceSSL::TransceiverI::~TransceiverI() { } -NativeConnectionInfoPtr -IceSSL::TransceiverI::getNativeConnectionInfo() const +void +IceSSL::TransceiverI::fillConnectionInfo(const ConnectionInfoPtr& info, std::vector<CertificatePtr>& nativeCerts) const { - NativeConnectionInfoPtr info = new NativeConnectionInfo(); IceInternal::fdToAddressAndPort(_stream->fd(), info->localAddress, info->localPort, info->remoteAddress, info->remotePort); if(_stream->fd() != INVALID_SOCKET) @@ -546,7 +556,7 @@ IceSSL::TransceiverI::getNativeConnectionInfo() const CFRetain(cert); CertificatePtr certificate = new Certificate(cert); - info->nativeCerts.push_back(certificate); + nativeCerts.push_back(certificate); info->certs.push_back(certificate->encode()); } @@ -562,7 +572,6 @@ IceSSL::TransceiverI::getNativeConnectionInfo() const info->adapterName = _adapterName; info->incoming = _incoming; - return info; } OSStatus diff --git a/cpp/src/IceSSL/SecureTransportTransceiverI.h b/cpp/src/IceSSL/SecureTransportTransceiverI.h index aaf232c4032..c81ee7aaef1 100644 --- a/cpp/src/IceSSL/SecureTransportTransceiverI.h +++ b/cpp/src/IceSSL/SecureTransportTransceiverI.h @@ -18,6 +18,7 @@ #include <Ice/Transceiver.h> #include <Ice/Network.h> #include <Ice/StreamSocket.h> +#include <Ice/WSTransceiver.h> #ifdef ICE_USE_SECURE_TRANSPORT @@ -30,7 +31,7 @@ namespace IceSSL class ConnectorI; class AcceptorI; -class TransceiverI : public IceInternal::Transceiver +class TransceiverI : public IceInternal::Transceiver, public IceInternal::WSTransceiverDelegate { public: @@ -46,6 +47,7 @@ public: virtual std::string toString() const; virtual std::string toDetailedString() const; virtual Ice::ConnectionInfoPtr getInfo() const; + virtual Ice::ConnectionInfoPtr getWSInfo(const Ice::HeaderDict&) const; virtual void checkSendSize(const IceInternal::Buffer&); virtual void setBufferSize(int rcvSize, int sndSize); @@ -57,7 +59,7 @@ private: TransceiverI(const InstancePtr&, const IceInternal::StreamSocketPtr&, const std::string&, bool); virtual ~TransceiverI(); - virtual NativeConnectionInfoPtr getNativeConnectionInfo() const; + void fillConnectionInfo(const ConnectionInfoPtr&, std::vector<CertificatePtr>&) const; friend class ConnectorI; friend class AcceptorI; diff --git a/cpp/test/Ice/info/AllTests.cpp b/cpp/test/Ice/info/AllTests.cpp index 80a3bd258de..f8094effbae 100644 --- a/cpp/test/Ice/info/AllTests.cpp +++ b/cpp/test/Ice/info/AllTests.cpp @@ -44,7 +44,7 @@ allTests(const Ice::CommunicatorPtr& communicator) test((ipEndpoint->type() == Ice::TCPEndpointType && Ice::TCPEndpointInfoPtr::dynamicCast(ipEndpoint)) || (ipEndpoint->type() == IceSSL::EndpointType && IceSSL::EndpointInfoPtr::dynamicCast(ipEndpoint)) || (ipEndpoint->type() == Ice::WSEndpointType && Ice::WSEndpointInfoPtr::dynamicCast(ipEndpoint)) || - (ipEndpoint->type() == Ice::WSSEndpointType && Ice::WSEndpointInfoPtr::dynamicCast(ipEndpoint))); + (ipEndpoint->type() == Ice::WSSEndpointType && IceSSL::WSSEndpointInfoPtr::dynamicCast(ipEndpoint))); Ice::UDPEndpointInfoPtr udpEndpoint = Ice::UDPEndpointInfoPtr::dynamicCast(endps[1]->getInfo()); test(udpEndpoint); @@ -184,13 +184,26 @@ allTests(const Ice::CommunicatorPtr& communicator) if(base->ice_getConnection()->type() == "ws" || base->ice_getConnection()->type() == "wss") { - Ice::WSConnectionInfoPtr wsinfo = Ice::WSConnectionInfoPtr::dynamicCast(info); - test(wsinfo); + Ice::HeaderDict headers; - test(wsinfo->headers["Upgrade"] == "websocket"); - test(wsinfo->headers["Connection"] == "Upgrade"); - test(wsinfo->headers["Sec-WebSocket-Protocol"] == "ice.zeroc.com"); - test(wsinfo->headers.find("Sec-WebSocket-Accept") != wsinfo->headers.end()); + Ice::WSConnectionInfoPtr wsinfo = Ice::WSConnectionInfoPtr::dynamicCast(info); + if(wsinfo) + { + headers = wsinfo->headers; + } + + IceSSL::WSSConnectionInfoPtr wssinfo = IceSSL::WSSConnectionInfoPtr::dynamicCast(info); + if(wssinfo) + { + headers = wssinfo->headers; + test(wssinfo->verified); + test(!wssinfo->certs.empty()); + } + + test(headers["Upgrade"] == "websocket"); + test(headers["Connection"] == "Upgrade"); + test(headers["Sec-WebSocket-Protocol"] == "ice.zeroc.com"); + test(headers.find("Sec-WebSocket-Accept") != headers.end()); test(ctx["ws.Upgrade"] == "websocket"); test(ctx["ws.Connection"] == "Upgrade"); diff --git a/cpp/test/Ice/info/TestI.cpp b/cpp/test/Ice/info/TestI.cpp index ba63bf96744..11588b29294 100644 --- a/cpp/test/Ice/info/TestI.cpp +++ b/cpp/test/Ice/info/TestI.cpp @@ -84,5 +84,14 @@ TestI::getConnectionInfoAsContext(const Ice::Current& c) } } + IceSSL::WSSConnectionInfoPtr wssinfo = IceSSL::WSSConnectionInfoPtr::dynamicCast(info); + if(wssinfo) + { + for(Ice::HeaderDict::const_iterator p = wssinfo->headers.begin(); p != wssinfo->headers.end(); ++p) + { + ctx["ws." + p->first] = p->second; + } + } + return ctx; } diff --git a/cpp/test/IceSSL/certs/makecerts.py b/cpp/test/IceSSL/certs/makecerts.py index 3c241767a1c..57bfdfcfeba 100755 --- a/cpp/test/IceSSL/certs/makecerts.py +++ b/cpp/test/IceSSL/certs/makecerts.py @@ -74,6 +74,12 @@ dsaca = IceCertUtils.OpenSSLCertificateFactory(home=ca1.home, keyalg="dsa", keys # if force or not os.path.exists("cacert1.pem"): ca1.getCA().save("cacert1.pem") if force or not os.path.exists("cacert2.pem"): ca2.getCA().save("cacert2.pem") +if force or not os.path.exists("cacert1.der"): ca1.getCA().save("cacert1.der") +if force or not os.path.exists("cacerts.pem"): + pem = "" + with open("cacert1.pem", "r") as f: pem += f.read() + with open("cacert2.pem", "r") as f: pem += f.read() + with open("cacerts.pem", "w") as f: f.write(pem); # Also export the ca2 self-signed certificate, it's used by the tests to test self-signed certificates if force or not os.path.exists("cacert2_pub.pem"): ca2.getCA().save("cacert2_pub.pem") diff --git a/cpp/test/IceSSL/configuration/AllTests.cpp b/cpp/test/IceSSL/configuration/AllTests.cpp index 448eb075a0f..4a51b3416f1 100644 --- a/cpp/test/IceSSL/configuration/AllTests.cpp +++ b/cpp/test/IceSSL/configuration/AllTests.cpp @@ -39,43 +39,113 @@ readFile(const string& file, vector<char>& buffer) } #ifdef ICE_USE_SCHANNEL -void -findCertsCleanup(HCERTSTORE store, const vector<HCERTSTORE>& stores, const vector<PCCERT_CONTEXT>& certs) +class ImportCerts { - for(vector<PCCERT_CONTEXT>::const_iterator i = certs.begin(); i != certs.end(); ++i) - { - PCCERT_CONTEXT cert = *i; - +public: - DWORD size = 0; + ImportCerts(const string& defaultDir, const char* certificates[]) + { // - // Retrieve the certificate CERT_KEY_PROV_INFO_PROP_ID property, we use the CRYPT_KEY_PROV_INFO - // data to then remove the key set associated with the certificate. + // First we need to import some certificates in the user store. // - if(CertGetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, 0, &size)) + _store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_CURRENT_USER, L"MY"); + test(_store); + + for(int i = 0; certificates[i] != 0; ++i) { - vector<char> buf(size); - if(CertGetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, &buf[0], &size)) + vector<char> buffer; + readFile(defaultDir + certificates[i], buffer); + + CRYPT_DATA_BLOB p12Blob; + p12Blob.cbData = static_cast<DWORD>(buffer.size()); + p12Blob.pbData = reinterpret_cast<BYTE*>(&buffer[0]); + + HCERTSTORE p12 = PFXImportCertStore(&p12Blob, L"password", CRYPT_USER_KEYSET); + _stores.push_back(p12); + + PCCERT_CONTEXT next = 0; + PCCERT_CONTEXT newCert = 0; + do { - CRYPT_KEY_PROV_INFO* keyProvInfo = reinterpret_cast<CRYPT_KEY_PROV_INFO*>(&buf[0]); - HCRYPTPROV cryptProv = 0; - if(CryptAcquireContextW(&cryptProv, keyProvInfo->pwszContainerName, keyProvInfo->pwszProvName, - keyProvInfo->dwProvType, 0)) + if((next = CertFindCertificateInStore(p12, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, + CERT_FIND_ANY, 0, next))) { - CryptAcquireContextW(&cryptProv, keyProvInfo->pwszContainerName, keyProvInfo->pwszProvName, - keyProvInfo->dwProvType, CRYPT_DELETEKEYSET); + if(CertAddCertificateContextToStore(_store, next, CERT_STORE_ADD_ALWAYS, &newCert)) + { + _certs.push_back(newCert); + } + } + } + while(next); + } + } + + ~ImportCerts() + { + cleanup(); + } + + void cleanup() + { + for(vector<PCCERT_CONTEXT>::const_iterator i = _certs.begin(); i != _certs.end(); ++i) + { + PCCERT_CONTEXT cert = *i; + + // Retrieve the certificate CERT_KEY_PROV_INFO_PROP_ID property, we use the CRYPT_KEY_PROV_INFO + // data to then remove the key set associated with the certificate. + // + DWORD size = 0; + if(CertGetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, 0, &size)) + { + vector<char> buf(size); + if(CertGetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, &buf[0], &size)) + { + CRYPT_KEY_PROV_INFO* keyProvInfo = reinterpret_cast<CRYPT_KEY_PROV_INFO*>(&buf[0]); + HCRYPTPROV cryptProv = 0; + if(CryptAcquireContextW(&cryptProv, keyProvInfo->pwszContainerName, keyProvInfo->pwszProvName, + keyProvInfo->dwProvType, 0)) + { + CryptAcquireContextW(&cryptProv, keyProvInfo->pwszContainerName, keyProvInfo->pwszProvName, + keyProvInfo->dwProvType, CRYPT_DELETEKEYSET); + } } } CertDeleteCertificateFromStore(cert); } + _certs.clear(); + for(vector<HCERTSTORE>::const_iterator i = _stores.begin(); i != _stores.end(); ++i) + { + CertCloseStore(*i, 0); + } + _stores.clear(); + if(_store) + { + CertCloseStore(_store, 0); + _store = 0; + } + } + +private: + + HCERTSTORE _store; + vector<HCERTSTORE> _stores; + vector<PCCERT_CONTEXT> _certs; +}; +#else +class ImportCerts +{ +public: + ImportCerts(const string& defaultDir, const char* certificates[]) + { + // Nothing to do. } - for(vector<HCERTSTORE>::const_iterator i = stores.begin(); i != stores.end(); ++i) + + void cleanup() { - CertCloseStore(*i, 0); } -} +}; #endif class PasswordPromptI : public IceSSL::PasswordPrompt @@ -240,7 +310,10 @@ createServerProps(const Ice::PropertiesPtr& defaultProps, const string& defaultD { Test::Properties result; result["Ice.Plugin.IceSSL"] = "IceSSL:createIceSSL"; - result["IceSSL.DefaultDir"] = defaultDir; + if(!defaultDir.empty()) + { + result["IceSSL.DefaultDir"] = defaultDir; + } if(!defaultProps->getProperty("Ice.IPv6").empty()) { result["Ice.IPv6"] = defaultProps->getProperty("Ice.IPv6"); @@ -273,28 +346,22 @@ createServerProps(const Ice::PropertiesPtr& defaultProps, const string& defaultD // If no CA is specified, we don't set IceSSL.DefaultDir since // with OpenSSL the CAs might still be found. // - string pfx; - if(ca.empty()) - { - d = createServerProps(defaultProps, "", defaultHost, p12); - pfx = defaultDir + "/"; - } - else + d = createServerProps(defaultProps, defaultDir, defaultHost, p12); + if(!ca.empty()) { - d = createServerProps(defaultProps, defaultDir, defaultHost, p12); - d["IceSSL.CertAuthFile"] = ca + ".pem"; + d["IceSSL.CAs"] = ca + ".pem"; } if(!cert.empty()) { if(p12) { - d["IceSSL.CertFile"] = pfx + cert + ".p12"; + d["IceSSL.CertFile"] = cert + ".p12"; } else { - d["IceSSL.CertFile"] = pfx + cert + "_pub.pem"; - d["IceSSL.KeyFile"] = pfx + cert + "_priv.pem"; + d["IceSSL.CertFile"] = cert + "_pub.pem"; + d["IceSSL.KeyFile"] = cert + "_priv.pem"; } } return d; @@ -306,32 +373,22 @@ createClientProps(const Ice::PropertiesPtr& defaultProps, const string& defaultD { Ice::PropertiesPtr properties; - // - // If no CA is specified, we don't set IceSSL.DefaultDir since - // with OpenSSL the CAs might still be found. - // - string pfx; - if(ca.empty()) + properties = createClientProps(defaultProps, defaultDir, defaultHost, p12); + if(!ca.empty()) { - properties = createClientProps(defaultProps, "", defaultHost, p12); - pfx = defaultDir + "/"; - } - else - { - properties = createClientProps(defaultProps, defaultDir, defaultHost, p12); - properties->setProperty("IceSSL.CertAuthFile", ca + ".pem"); + properties->setProperty("IceSSL.CAs", ca + ".pem"); } if(!cert.empty()) { if(p12) { - properties->setProperty("IceSSL.CertFile", pfx + cert + ".p12"); + properties->setProperty("IceSSL.CertFile", cert + ".p12"); } else { - properties->setProperty("IceSSL.CertFile", pfx + cert + "_pub.pem"); - properties->setProperty("IceSSL.KeyFile", pfx + cert + "_priv.pem"); + properties->setProperty("IceSSL.CertFile", cert + "_pub.pem"); + properties->setProperty("IceSSL.KeyFile", cert + "_priv.pem"); } } return properties; @@ -456,8 +513,9 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b server->noCert(); test(!IceSSL::ConnectionInfoPtr::dynamicCast(server->ice_getConnection()->getInfo())->verified); } - catch(const LocalException&) + catch(const LocalException& ex) { + cerr << ex << endl; test(false); } fact->destroyServer(server); @@ -821,6 +879,9 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b cout << "testing certificate chains... " << flush; { + const char* certificates[] = {"/s_rsa_cai2.p12", 0}; + ImportCerts import(defaultDir, certificates); + InitializationData initData; initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12, "", ""); initData.properties->setProperty("IceSSL.VerifyPeer", "0"); @@ -843,9 +904,9 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b test(info->nativeCerts.size() == 1); test(!info->verified); } - catch(const Ice::LocalException& ex) + catch(const Ice::LocalException&) { - cerr << ex << endl; + import.cleanup(); test(false); } fact->destroyServer(server); @@ -870,6 +931,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b catch(const Ice::LocalException& ex) { cerr << ex << endl; + import.cleanup(); test(false); } fact->destroyServer(server); @@ -897,6 +959,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b catch(const Ice::LocalException& ex) { cerr << ex << endl; + import.cleanup(); test(false); } fact->destroyServer(server); @@ -926,6 +989,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b catch(const Ice::LocalException& ex) { cerr << ex << endl; + import.cleanup(); test(false); } fact->destroyServer(server); @@ -950,6 +1014,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b try { IceSSL::NativeConnectionInfoPtr::dynamicCast(server->ice_getConnection()->getInfo()); + import.cleanup(); test(false); } catch(const Ice::SecurityException&) @@ -959,6 +1024,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b catch(const Ice::LocalException& ex) { cerr << ex << endl; + import.cleanup(); test(false); } fact->destroyServer(server); @@ -988,6 +1054,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b } catch(const Ice::LocalException&) { + import.cleanup(); test(false); } fact->destroyServer(server); @@ -1000,6 +1067,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b try { IceSSL::NativeConnectionInfoPtr::dynamicCast(server->ice_getConnection()->getInfo()); + import.cleanup(); test(false); } catch(const Ice::SecurityException&) @@ -1033,6 +1101,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b } catch(const Ice::LocalException&) { + import.cleanup(); test(false); } fact->destroyServer(server); @@ -1058,6 +1127,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b try { server->ice_getConnection(); + import.cleanup(); test(false); } catch(const Ice::ProtocolException&) @@ -1070,6 +1140,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b } catch(const Ice::LocalException&) { + import.cleanup(); test(false); } fact->destroyServer(server); @@ -1086,12 +1157,14 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b } catch(const Ice::LocalException&) { + import.cleanup(); test(false); } fact->destroyServer(server); } comm->destroy(); + import.cleanup(); } cout << "ok" << endl; @@ -1538,17 +1611,17 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b cout << "testing CA certificate directory... " << flush; { // - // Don't specify CertAuthFile explicitly; we let OpenSSL find the CA + // Don't specify CAs explicitly; we let OpenSSL find the CA // certificate in the default directory. // InitializationData initData; initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12, "c_rsa_ca1", ""); - initData.properties->setProperty("IceSSL.DefaultDir", defaultDir); + initData.properties->setProperty("IceSSL.CAs", defaultDir); CommunicatorPtr comm = initialize(initData); Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); test(fact); Test::Properties d = createServerProps(defaultProps, defaultDir, defaultHost, p12, "s_rsa_ca1", ""); - d["IceSSL.DefaultDir"] = defaultDir; + d["IceSSL.CAs"] = defaultDir; Test::ServerPrx server = fact->createServer(d); try { @@ -1565,6 +1638,56 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b cout << "ok" << endl; #endif + cout << "testing multiple CA certificates... " << flush; + { + InitializationData initData; + initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12, "c_rsa_ca1", "cacerts"); + CommunicatorPtr comm = initialize(initData); + Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); + test(fact); + Test::Properties d = createServerProps(defaultProps, defaultDir, defaultHost, p12, "s_rsa_ca2", "cacerts"); + d["IceSSL.VerifyPeer"] = "2"; + Test::ServerPrx server = fact->createServer(d); + try + { + server->ice_ping(); + } + catch(const Ice::LocalException&) + { + test(false); + } + fact->destroyServer(server); + comm->destroy(); + } + cout << "ok" << endl; + +#ifndef ICE_USE_OPENSSL + cout << "testing DER CA certificate... " << flush; + { + InitializationData initData; + initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12, "c_rsa_ca1", ""); + initData.properties->setProperty("IceSSL.CAs", "cacert1.der"); + CommunicatorPtr comm = initialize(initData); + Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); + test(fact); + Test::Properties d = createServerProps(defaultProps, defaultDir, defaultHost, p12, "s_rsa_ca1", ""); + d["IceSSL.VerifyPeer"] = "2"; + d["IceSSL.CAs"] = "cacert1.der"; + Test::ServerPrx server = fact->createServer(d); + try + { + server->ice_ping(); + } + catch(const Ice::LocalException&) + { + test(false); + } + fact->destroyServer(server); + comm->destroy(); + } + cout << "ok" << endl; +#endif + // // SChannel doesn't support PEM Password protected certificates certificates // @@ -2806,7 +2929,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b { #if defined(ICE_USE_SCHANNEL) - cerr << "testing IceSSL.FindCert... " << flush; + cout << "testing IceSSL.FindCert... " << flush; const char* clientFindCertProperties[] = { "SUBJECTDN:'CN=Client, OU=Ice, O=\"ZeroC, Inc.\", L=Jupiter, S=Florida, C=US, E=info@zeroc.com'", @@ -2842,50 +2965,13 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b }; const char* certificates[] = {"/s_rsa_ca1.p12", "/c_rsa_ca1.p12", 0}; - - // - // First we need to import some certificates in the user store. - // - HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_CURRENT_USER, L"MY"); - test(store); - - vector<HCERTSTORE> stores; - vector<PCCERT_CONTEXT> certs; - - for(int i = 0; certificates[i] != 0; ++i) - { - vector<char> buffer; - readFile(defaultDir + certificates[i], buffer); - - CRYPT_DATA_BLOB p12Blob; - p12Blob.cbData = static_cast<DWORD>(buffer.size()); - p12Blob.pbData = reinterpret_cast<BYTE*>(&buffer[0]); - - HCERTSTORE p12 = PFXImportCertStore(&p12Blob, L"password", CRYPT_USER_KEYSET); - - PCCERT_CONTEXT next = 0; - PCCERT_CONTEXT newCert = 0; - do - { - if((next = CertFindCertificateInStore(p12, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, - CERT_FIND_ANY, 0, next))) - { - if(CertAddCertificateContextToStore(store, next, CERT_STORE_ADD_ALWAYS, &newCert)) - { - certs.push_back(newCert); - } - } - } - while(next); - - stores.push_back(p12); - } + ImportCerts import(defaultDir, certificates); for(int i = 0; clientFindCertProperties[i] != 0; i++) { InitializationData initData; initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12); - initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem"); + initData.properties->setProperty("IceSSL.CAs", "cacert1.pem"); initData.properties->setProperty("IceSSL.FindCert.CurrentUser.My", clientFindCertProperties[i]); // // Use TrustOnly to ensure the peer has pick the expected certificate. @@ -2897,7 +2983,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); test(fact); Test::Properties d = createServerProps(defaultProps, defaultDir, defaultHost, p12, "s_rsa_ca1", "cacert1"); - d["IceSSL.CertAuthFile"] = "cacert1.pem"; + d["IceSSL.CAs"] = "cacert1.pem"; d["IceSSL.FindCert.CurrentUser.My"] = serverFindCertProperties[i]; // // Use TrustOnly to ensure the peer has pick the expected certificate. @@ -2912,7 +2998,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b catch(const LocalException& ex) { cerr << ex << endl; - findCertsCleanup(store, stores, certs); + import.cleanup(); test(false); } fact->destroyServer(server); @@ -2926,12 +3012,12 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b { InitializationData initData; initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12); - initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem"); + initData.properties->setProperty("IceSSL.CAs", "cacert1.pem"); initData.properties->setProperty("IceSSL.FindCert.CurrentUser.My", failFindCertProperties[i]); try { CommunicatorPtr comm = initialize(initData); - findCertsCleanup(store, stores, certs); + import.cleanup(); test(false); } catch(const PluginInitializationException&) @@ -2941,12 +3027,12 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b catch(const Ice::LocalException& ex) { cerr << ex << endl; - findCertsCleanup(store, stores, certs); + import.cleanup(); test(false); } } - findCertsCleanup(store, stores, certs); + import.cleanup(); // // These must fail because we have already remove the certificates. @@ -2955,7 +3041,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b { InitializationData initData; initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12); - initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem"); + initData.properties->setProperty("IceSSL.CAs", "cacert1.pem"); initData.properties->setProperty("IceSSL.FindCert.CurrentUser.My", clientFindCertProperties[i]); try { @@ -2972,9 +3058,9 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b test(false); } } - cerr << "ok" << endl; + cout << "ok" << endl; #elif defined(ICE_USE_SECURE_TRANSPORT) - cerr << "testing IceSSL.FindCert... " << flush; + cout << "testing IceSSL.FindCert... " << flush; const char* clientFindCertProperties[] = { "SUBJECT:Client", @@ -3012,7 +3098,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b { InitializationData initData; initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12); - initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem"); + initData.properties->setProperty("IceSSL.CAs", "cacert1.pem"); initData.properties->setProperty("IceSSL.Keychain", "../certs/Find.keychain"); initData.properties->setProperty("IceSSL.KeychainPassword", "password"); initData.properties->setProperty("IceSSL.FindCert", clientFindCertProperties[i]); @@ -3026,7 +3112,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef)); test(fact); Test::Properties d = createServerProps(defaultProps, defaultDir, defaultHost, p12); - d["IceSSL.CertAuthFile"] = "cacert1.pem"; + d["IceSSL.CAs"] = "cacert1.pem"; d["IceSSL.Keychain"] = "../certs/Find.keychain"; d["IceSSL.KeychainPassword"] = "password"; d["IceSSL.FindCert"] = serverFindCertProperties[i]; @@ -3071,10 +3157,55 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b test(false); } } - cerr << "ok" << endl; + cout << "ok" << endl; #endif } + cout << "testing system CAs... " << flush; + { + InitializationData initData; + initData.properties = createClientProps(defaultProps, "", defaultHost, false); + initData.properties->setProperty("IceSSL.VerifyDepthMax", "4"); + initData.properties->setProperty("Ice.Override.Timeout", "5000"); // 5s timeout + CommunicatorPtr comm = initialize(initData); + Ice::ObjectPrx p = comm->stringToProxy("dummy:wss -h demo.zeroc.com -p 5064"); + try + { + p->ice_ping(); + test(false); + } + catch(const Ice::SecurityException&) + { + // Expected, by default we don't check for system CAs. + } + catch(const Ice::LocalException& ex) + { + cerr << "warning: unable to connect to demo.zeroc.com to check system CA:\n" << ex << endl; + } + comm->destroy(); + + initData.properties = createClientProps(defaultProps, "", defaultHost, false); + initData.properties->setProperty("IceSSL.VerifyDepthMax", "4"); + initData.properties->setProperty("Ice.Override.Timeout", "5000"); // 5s timeout + initData.properties->setProperty("IceSSL.UsePlatformCAs", "1"); + comm = initialize(initData); + p = comm->stringToProxy("dummy:wss -h demo.zeroc.com -p 5064"); + + IceSSL::WSSConnectionInfoPtr info; + try + { + info = IceSSL::WSSConnectionInfoPtr::dynamicCast(p->ice_getConnection()->getInfo()); + test(info->verified); + } + catch(const Ice::LocalException& ex) + { + cerr << ex << endl; + test(false); + } + comm->destroy(); + } + cout << "ok" << endl; + if(shutdown) { factory->shutdown(); diff --git a/cpp/test/IceSSL/configuration/run.py b/cpp/test/IceSSL/configuration/run.py index 58c6b79a9e6..e877d3bf802 100755 --- a/cpp/test/IceSSL/configuration/run.py +++ b/cpp/test/IceSSL/configuration/run.py @@ -8,7 +8,7 @@ # # ********************************************************************** -import os, sys, atexit +import os, sys, atexit, re path = [ ".", "..", "../..", "../../..", "../../../.." ] head = os.path.dirname(sys.argv[0]) @@ -20,6 +20,10 @@ if len(path) == 0: sys.path.append(os.path.join(path[0], "scripts")) import TestUtil +# Filter-out the deprecated property warnings +TestUtil.clientTraceFilters = [ lambda x: re.sub("-! .* warning: deprecated property: IceSSL.KeyFile\n", "", x) ] +TestUtil.serverTraceFilters = [ lambda x: re.sub("-! .* warning: deprecated property: IceSSL.KeyFile\n", "", x) ] + certsPath = os.path.abspath(os.path.join(os.getcwd(), "..", "certs")) keychainPath = os.path.abspath(os.path.join(certsPath, "Find.keychain")) |