-rw-r--r--CHANGELOG-3.6.md6
-rw-r--r--config/PropertyNames.xml11
-rw-r--r--cpp/src/Ice/PropertyNames.cpp13
-rw-r--r--cpp/src/Ice/PropertyNames.h2
-rw-r--r--cpp/src/IceSSL/SChannelEngine.cpp142
-rw-r--r--cpp/src/IceSSL/SSLEngine.h3
-rw-r--r--cpp/src/IceSSL/Util.cpp62
-rw-r--r--cpp/test/IceSSL/configuration/AllTests.cpp11
-rw-r--r--csharp/src/Ice/PropertyNames.cs13
-rw-r--r--csharp/src/IceSSL/SSLEngine.cs131
-rw-r--r--csharp/src/IceSSL/TransceiverI.cs2
-rw-r--r--csharp/test/IceSSL/configuration/AllTests.cs7
-rwxr-xr-xcsharp/test/IceSSL/configuration/run.py5
-rw-r--r--java/src/Ice/src/main/java/IceInternal/PropertyNames.java13
-rw-r--r--js/src/Ice/PropertyNames.js2
-rwxr-xr-xscripts/Expect.py3
16 files changed, 223 insertions, 203 deletions
diff --git a/CHANGELOG-3.6.md b/CHANGELOG-3.6.md
index a2f8c5d272b..36d97dbb1b6 100644
--- a/CHANGELOG-3.6.md
+++ b/CHANGELOG-3.6.md
@@ -19,6 +19,12 @@ These are the changes since Ice 3.5.1.
## General Changes
+- Deprecated the `IceSSL.PersisteKeySet` which is now only used when importing certificates with the deprecated `IceSSL.ImportCert` property.
+
+- Deprecated the `IceSSL.KeySet` property, use the `IceSSL.CertStoreLocation` property instead.
+
+- Added `IceSSL.CertStoreLocation` property. This is a Windows specific property to specify the location of the certificate store or key set for IceSSL operation. The LocalMachine and CurrentUser locations are supported.
+
- Added `IceSSL::WSSConnectionInfo` local Slice class to provide information on a WSS connection. This class extends the `IceSSL::ConnectionInfo` class. The `IceSSL::WSSNativeConnectionInfo` was also added to provide the language mapping specific certificates associated with the SSL connection.
- Added `IceSSL::WSSEndpointInfo` local Slice class to provide WSS endpoint information. This class extends the `IceSSL::EndpointInfo` class.
diff --git a/config/PropertyNames.xml b/config/PropertyNames.xml
index 2432f3bc19f..42a3fa62b2c 100644
--- a/config/PropertyNames.xml
+++ b/config/PropertyNames.xml
@@ -561,9 +561,10 @@ generated from the section label.
<section name="IceSSL">
<property name="Alias" />
<property name="CAs"/>
- <property name="CertAuthDir" deprecated="true"/>
- <property name="CertAuthFile" deprecated="true"/>
+ <property name="CertAuthDir" deprecatedBy="IceSSL.CAs"/>
+ <property name="CertAuthFile" deprecatedBy="IceSSL.CAs"/>
<property name="CertStore" />
+ <property name="CertStoreLocation" />
<property name="CertFile" />
<property name="CertVerifier" />
<property name="CheckCertName" />
@@ -574,11 +575,11 @@ generated from the section label.
<property name="DHParams" />
<property name="EntropyDaemon" />
<property name="FindCert" />
- <property name="FindCert.[any]" deprecated="true"/>
+ <property name="FindCert.[any]" deprecatedBy="IceSSL.FindCert"/>
<property name="ImportCert.[any]" deprecated="true"/>
<property name="InitOpenSSL" />
<property name="KeyFile" deprecated="true"/>
- <property name="KeySet"/>
+ <property name="KeySet" deprecatedBy="IceSSL.CertStoreLocation" />
<property name="Keychain"/>
<property name="KeychainPassword"/>
<property name="Keystore" />
@@ -587,7 +588,7 @@ generated from the section label.
<property name="Password" />
<property name="PasswordCallback" />
<property name="PasswordRetryMax" />
- <property name="PersistKeySet"/>
+ <property name="PersistKeySet" deprecated="true"/>
<property name="Protocols" />
<property name="ProtocolVersionMax" />
<property name="ProtocolVersionMin" />
diff --git a/cpp/src/Ice/PropertyNames.cpp b/cpp/src/Ice/PropertyNames.cpp
index 11b035d47df..85a3a74b44f 100644
--- a/cpp/src/Ice/PropertyNames.cpp
+++ b/cpp/src/Ice/PropertyNames.cpp
@@ -6,7 +6,7 @@
// ICE_LICENSE file included in this distribution.
//
// **********************************************************************
-// Generated by makeprops.py from file ./config/PropertyNames.xml, Tue Apr 28 17:34:50 2015
+// Generated by makeprops.py from file ./config/PropertyNames.xml, Tue Apr 28 22:03:41 2015
// IMPORTANT: Do not edit this file -- any edits made here will be lost!
@@ -999,9 +999,10 @@ const IceInternal::Property IceSSLPropsData[] =
{
IceInternal::Property("IceSSL.Alias", false, 0),
IceInternal::Property("IceSSL.CAs", false, 0),
- IceInternal::Property("IceSSL.CertAuthDir", true, 0),
- IceInternal::Property("IceSSL.CertAuthFile", true, 0),
+ IceInternal::Property("IceSSL.CertAuthDir", true, "IceSSL.CAs"),
+ IceInternal::Property("IceSSL.CertAuthFile", true, "IceSSL.CAs"),
IceInternal::Property("IceSSL.CertStore", false, 0),
+ IceInternal::Property("IceSSL.CertStoreLocation", false, 0),
IceInternal::Property("IceSSL.CertFile", false, 0),
IceInternal::Property("IceSSL.CertVerifier", false, 0),
IceInternal::Property("IceSSL.CheckCertName", false, 0),
@@ -1012,11 +1013,11 @@ const IceInternal::Property IceSSLPropsData[] =
IceInternal::Property("IceSSL.DHParams", false, 0),
IceInternal::Property("IceSSL.EntropyDaemon", false, 0),
IceInternal::Property("IceSSL.FindCert", false, 0),
- IceInternal::Property("IceSSL.FindCert.*", true, 0),
+ IceInternal::Property("IceSSL.FindCert.*", true, "IceSSL.FindCert"),
IceInternal::Property("IceSSL.ImportCert.*", true, 0),
IceInternal::Property("IceSSL.InitOpenSSL", false, 0),
IceInternal::Property("IceSSL.KeyFile", true, 0),
- IceInternal::Property("IceSSL.KeySet", false, 0),
+ IceInternal::Property("IceSSL.KeySet", true, "IceSSL.CertStoreLocation"),
IceInternal::Property("IceSSL.Keychain", false, 0),
IceInternal::Property("IceSSL.KeychainPassword", false, 0),
IceInternal::Property("IceSSL.Keystore", false, 0),
@@ -1025,7 +1026,7 @@ const IceInternal::Property IceSSLPropsData[] =
IceInternal::Property("IceSSL.Password", false, 0),
IceInternal::Property("IceSSL.PasswordCallback", false, 0),
IceInternal::Property("IceSSL.PasswordRetryMax", false, 0),
- IceInternal::Property("IceSSL.PersistKeySet", false, 0),
+ IceInternal::Property("IceSSL.PersistKeySet", true, 0),
IceInternal::Property("IceSSL.Protocols", false, 0),
IceInternal::Property("IceSSL.ProtocolVersionMax", false, 0),
IceInternal::Property("IceSSL.ProtocolVersionMin", false, 0),
diff --git a/cpp/src/Ice/PropertyNames.h b/cpp/src/Ice/PropertyNames.h
index cf92a38d43f..263f20d1008 100644
--- a/cpp/src/Ice/PropertyNames.h
+++ b/cpp/src/Ice/PropertyNames.h
@@ -6,7 +6,7 @@
// ICE_LICENSE file included in this distribution.
//
// **********************************************************************
-// Generated by makeprops.py from file ./config/PropertyNames.xml, Tue Apr 28 17:34:50 2015
+// Generated by makeprops.py from file ./config/PropertyNames.xml, Tue Apr 28 22:03:41 2015
// IMPORTANT: Do not edit this file -- any edits made here will be lost!
diff --git a/cpp/src/IceSSL/SChannelEngine.cpp b/cpp/src/IceSSL/SChannelEngine.cpp
index ddc47619373..89774a7b8f1 100644
--- a/cpp/src/IceSSL/SChannelEngine.cpp
+++ b/cpp/src/IceSSL/SChannelEngine.cpp
@@ -255,11 +255,12 @@ SChannelEngine::initialize()
getLogger()->trace(securityTraceCategory(), os.str());
}
- string certStore = properties->getPropertyWithDefault(prefix + "CertStore", "CurrentUser");
- if(certStore != "CurrentUser" && certStore != "LocalMachine")
+ string certStoreLocation = properties->getPropertyWithDefault(prefix + "CertStoreLocation", "CurrentUser");
+ if(certStoreLocation != "CurrentUser" && certStoreLocation != "LocalMachine")
{
- getLogger()->warning("Invalid IceSSL.CertStore value `" + certStore + "' adjusted to `CurrentUser'");
- certStore = "CurrentUser";
+ getLogger()->warning("invalid IceSSL.CertStoreLocation value `" + certStoreLocation +
+ "' adjusted to `CurrentUser'");
+ certStoreLocation = "CurrentUser";
}
//
@@ -276,7 +277,8 @@ SChannelEngine::initialize()
if(!_rootStore)
{
throw PluginInitializationException(__FILE__, __LINE__,
- "IceSSL: error creating in memory certificate store:\n" + lastErrorToString());
+ "IceSSL: error creating in memory certificate store:\n" +
+ lastErrorToString());
}
}
if(!caFile.empty())
@@ -310,7 +312,7 @@ SChannelEngine::initialize()
// Build the chain using the LocalMachine registry location as opposed
// to the CurrentUser location.
//
- if(certStore == "LocalMachine")
+ if(certStoreLocation == "LocalMachine")
{
config.dwFlags = CERT_CHAIN_USE_LOCAL_MACHINE_STORE;
}
@@ -322,28 +324,18 @@ SChannelEngine::initialize()
#endif
{
throw PluginInitializationException(__FILE__, __LINE__,
- "IceSSL: error creating certificate chain engine:\n" + lastErrorToString());
+ "IceSSL: error creating certificate chain engine:\n" +
+ lastErrorToString());
}
}
else
{
- _chainEngine = (certStore == "LocalMachine") ? HCCE_LOCAL_MACHINE : HCCE_CURRENT_USER;
+ _chainEngine = (certStoreLocation == "LocalMachine") ? HCCE_LOCAL_MACHINE : HCCE_CURRENT_USER;
}
- //
- // Import the application certificate and private keys.
- //
- string keySet = properties->getPropertyWithDefault(prefix + "KeySet", "DefaultKeySet");
- if(keySet != "DefaultKeySet" && keySet != "UserKeySet" && keySet != "MachineKeySet")
- {
- getLogger()->warning("Invalid IceSSL.KeySet value `" + keySet + "' adjusted to `DefaultKeySet'");
- keySet = "DefaultKeySet";
- }
-
- DWORD importFlags = (keySet == "MachineKeySet") ? CRYPT_MACHINE_KEYSET : CRYPT_USER_KEYSET;
-
string certFile = properties->getProperty(prefix + "CertFile");
- string keyFile = properties->getPropertyWithDefault(prefix + "KeyFile", certFile);
+ string keyFile = properties->getProperty(prefix + "KeyFile");
+ string findCert = properties->getProperty("IceSSL.FindCert");
if(!certFile.empty())
{
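Review bot: `properties->getProperty("IceSSL.FindCert")` on the last added line hard-codes the prefix, while every other lookup in this hunk (`CertStoreLocation`, `CertFile`, `KeyFile`) goes through `prefix + ...`; use `string findCert = properties->getProperty(prefix + "FindCert");` so the two cannot drift apart. The removed block also means this engine no longer reads `IceSSL.KeySet` at all, whereas the C# engine in this same change still honors it as a deprecated property (`string keySet = properties.getProperty(prefix + "KeySet");` in csharp/src/IceSSL/SSLEngine.cs); if the C++ side intends to ignore it, the CHANGELOG entry should say that it is ignored rather than only deprecated. SChannelEngine::initialize() starts before and continues after this hunk.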
@@ -355,16 +347,19 @@ SChannelEngine::initialize()
}
vector<string> keyFiles;
- if(!splitString(keyFile, IceUtilInternal::pathsep, keyFiles) || keyFiles.size() > 2)
+ if(!keyFile.empty())
{
- throw PluginInitializationException(__FILE__, __LINE__,
- "IceSSL: invalid value for " + prefix + "KeyFile:\n" + keyFile);
- }
+ if(!splitString(keyFile, IceUtilInternal::pathsep, keyFiles) || keyFiles.size() > 2)
+ {
+ throw PluginInitializationException(__FILE__, __LINE__,
+ "IceSSL: invalid value for " + prefix + "KeyFile:\n" + keyFile);
+ }
- if(certFiles.size() != keyFiles.size())
- {
- throw PluginInitializationException(__FILE__, __LINE__,
- "IceSSL: " + prefix + "KeyFile does not agree with " + prefix + "CertFile");
+ if(certFiles.size() != keyFiles.size())
+ {
+ throw PluginInitializationException(__FILE__, __LINE__,
+ "IceSSL: " + prefix + "KeyFile does not agree with " + prefix + "CertFile");
+ }
}
for(size_t i = 0; i < certFiles.size(); ++i)
@@ -392,6 +387,7 @@ SChannelEngine::initialize()
PCCERT_CONTEXT cert = 0;
int err = 0;
int count = 0;
+ DWORD importFlags = (certStoreLocation == "LocalMachine") ? CRYPT_MACHINE_KEYSET : CRYPT_USER_KEYSET;
do
{
string s = password(false);
@@ -433,20 +429,17 @@ SChannelEngine::initialize()
{
cert = CertFindCertificateInStore(store, X509_ASN_ENCODING, 0, CERT_FIND_ANY, 0, cert);
}
-
if(!cert)
{
throw PluginInitializationException(__FILE__, __LINE__,
"IceSSL: certificate error:\n" + lastErrorToString());
}
-
- _certs.push_back(cert);
+ _allCerts.push_back(cert);
_stores.push_back(store);
continue;
}
assert(err);
-
if(err != CRYPT_E_BAD_ENCODE)
{
throw PluginInitializationException(__FILE__, __LINE__,
@@ -456,6 +449,11 @@ SChannelEngine::initialize()
//
// Try to load certificate & key as PEM files.
//
+ if(keyFiles.empty())
+ {
+ throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: no key file specified");
+ }
+
err = 0;
keyFile = keyFiles[i];
if(!checkPath(keyFile, defaultDir, false))
@@ -486,7 +484,6 @@ SChannelEngine::initialize()
PCRYPT_PRIVATE_KEY_INFO keyInfo = 0;
BYTE* key = 0;
HCRYPTKEY hKey = 0;
-
try
{
//
@@ -538,8 +535,11 @@ SChannelEngine::initialize()
const wstring keySetName = stringToWstring(generateUUID());
HCRYPTPROV cryptProv = 0;
- DWORD contextFlags = (keySet == "MachineKeySet") ? CRYPT_MACHINE_KEYSET | CRYPT_NEWKEYSET :
- CRYPT_NEWKEYSET;
+ DWORD contextFlags = CRYPT_NEWKEYSET;
+ if(certStoreLocation == "LocalMachine")
+ {
+ contextFlags |= CRYPT_MACHINE_KEYSET;
+ } ;
if(!CryptAcquireContextW(&cryptProv, keySetName.c_str(), MS_ENHANCED_PROV_W, PROV_RSA_FULL,
contextFlags))
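Review bot: The `} ;` that closes the new `if(certStoreLocation == "LocalMachine")` block carries a stray semicolon; it compiles as an empty statement but reads as a typo, so the line should be just `}`. The body of SChannelEngine::initialize() continues outside this hunk.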
@@ -583,14 +583,14 @@ SChannelEngine::initialize()
keyProvInfo.pwszProvName = const_cast<wchar_t*>(MS_DEF_PROV_W);
keyProvInfo.dwProvType = PROV_RSA_FULL;
keyProvInfo.dwKeySpec = AT_KEYEXCHANGE;
-
if(!CertSetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, 0, &keyProvInfo))
{
throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: error seting certificate "
"property:\n" + lastErrorToString());
}
- _certs.push_back(cert);
+ _importedCerts.push_back(cert);
+ _allCerts.push_back(cert);
_stores.push_back(store);
}
catch(...)
@@ -622,31 +622,16 @@ SChannelEngine::initialize()
throw;
}
}
-
- _allCerts.insert(_allCerts.end(), _certs.begin(), _certs.end());
}
-
- const string findPrefix = prefix + "FindCert.";
- map<string, string> certProps = properties->getPropertiesForPrefix(findPrefix);
- if(!certProps.empty())
+ else if(!findCert.empty())
{
- for(map<string, string>::const_iterator i = certProps.begin(); i != certProps.end(); ++i)
- {
- const string name = i->first;
- const string val = i->second;
-
- if(!val.empty())
- {
- string storeSpec = name.substr(findPrefix.size());
- vector<PCCERT_CONTEXT> certs = findCertificates(name, storeSpec, val, _stores);
- _allCerts.insert(_allCerts.end(), certs.begin(), certs.end());
- }
- }
-
- if(_allCerts.empty())
+ string certStore = properties->getPropertyWithDefault(prefix + "CertStore", "My");
+ vector<PCCERT_CONTEXT> certs = findCertificates(certStoreLocation, certStore, findCert, _stores);
+ if(certs.empty())
{
throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: no certificates found");
}
+ _allCerts.insert(_allCerts.end(), certs.begin(), certs.end());
}
_initialized = true;
}
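Review bot: The `else if(!findCert.empty())` at the top of this hunk makes `IceSSL.FindCert` mutually exclusive with `IceSSL.CertFile`, whereas the removed code added the store-selected certificates on top of the file-loaded ones, so a configuration that sets both now silently loses the `FindCert` match; either keep the lookup unconditional or warn/throw when both are set. The deprecated `IceSSL.FindCert.*` properties are no longer consulted here at all, while the C# engine keeps an `else if(findCertProps.Count > 0)` fallback for them (csharp/src/IceSSL/SSLEngine.cs), so a C++ server still using the old properties initializes with no certificate and only fails later at handshake time instead of with a clear error; the property parser may emit a deprecation warning because of `deprecatedBy`, but this diff does not show that. Honoring the old properties as the C# side does, or throwing when they are present, would keep the two engines consistent. The enclosing function starts before this hunk.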
@@ -789,33 +774,30 @@ SChannelEngine::destroy()
CertCloseStore(_rootStore, 0);
}
- for(vector<PCCERT_CONTEXT>::const_iterator i = _allCerts.begin(); i != _allCerts.end(); ++i)
+ for(vector<PCCERT_CONTEXT>::const_iterator i = _importedCerts.begin(); i != _importedCerts.end(); ++i)
{
- PCCERT_CONTEXT cert = *i;
-
//
- // Only remove the keysets we create.
+ // Retrieve the certificate CERT_KEY_PROV_INFO_PROP_ID property, we use the CRYPT_KEY_PROV_INFO
+ // data to remove the key set associated with the certificate.
//
- if(find(_certs.begin(), _certs.end(), cert) != _certs.end())
+ DWORD length = 0;
+ if(!CertGetCertificateContextProperty(*i, CERT_KEY_PROV_INFO_PROP_ID, 0, &length))
{
- //
- // Retrieve the certificate CERT_KEY_PROV_INFO_PROP_ID property, we use the CRYPT_KEY_PROV_INFO
- // data to then remove the key set associated with the certificate.
- //
- DWORD length = 0;
- if(CertGetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, 0, &length))
- {
- vector<char> buf(length);
- if(CertGetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, &buf[0], &length))
- {
- CRYPT_KEY_PROV_INFO* keyProvInfo = reinterpret_cast<CRYPT_KEY_PROV_INFO*>(&buf[0]);
- HCRYPTPROV cryptProv = 0;
- CryptAcquireContextW(&cryptProv, keyProvInfo->pwszContainerName, keyProvInfo->pwszProvName,
- keyProvInfo->dwProvType, CRYPT_DELETEKEYSET);
- }
- CertFreeCertificateContext(cert);
- }
+ continue;
}
+ vector<char> buf(length);
+ if(!CertGetCertificateContextProperty(*i, CERT_KEY_PROV_INFO_PROP_ID, &buf[0], &length))
+ {
+ continue;
+ }
+ CRYPT_KEY_PROV_INFO* key = reinterpret_cast<CRYPT_KEY_PROV_INFO*>(&buf[0]);
+ HCRYPTPROV prov = 0;
+ CryptAcquireContextW(&prov, key->pwszContainerName, key->pwszProvName, key->dwProvType, CRYPT_DELETEKEYSET);
+ }
+
+ for(vector<PCCERT_CONTEXT>::const_iterator i = _allCerts.begin(); i != _allCerts.end(); ++i)
+ {
+ CertFreeCertificateContext(*i);
}
for(vector<HCERTSTORE>::const_iterator i = _stores.begin(); i != _stores.end(); ++i)
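Review bot: The return value of `CryptAcquireContextW(&prov, ..., CRYPT_DELETEKEYSET)` in the `_importedCerts` loop is discarded, so if deleting the container fails the private key imported from `CertFile` stays behind in the CSP with nothing in the logs; wrapping it in `if(!CryptAcquireContextW(...))` and tracing `lastErrorToString()` under `securityTraceCategory()` would make that visible. `&buf[0]` on the `vector<char> buf(length);` line is undefined if `length` comes back 0, which the preceding size query does not rule out by itself; a `if(length == 0) continue;` guard after the first `CertGetCertificateContextProperty` call is cheap. SChannelEngine::destroy() starts before and ends after this hunk.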
diff --git a/cpp/src/IceSSL/SSLEngine.h b/cpp/src/IceSSL/SSLEngine.h
index f2c36566f9a..09f060cbabb 100644
--- a/cpp/src/IceSSL/SSLEngine.h
+++ b/cpp/src/IceSSL/SSLEngine.h
@@ -208,12 +208,11 @@ private:
bool _initialized;
std::vector<PCCERT_CONTEXT> _allCerts;
- std::vector<PCCERT_CONTEXT> _certs;
+ std::vector<PCCERT_CONTEXT> _importedCerts;
DWORD _protocols;
IceUtil::Mutex _mutex;
std::vector<HCERTSTORE> _stores;
-
HCERTSTORE _rootStore;
HCERTCHAINENGINE _chainEngine;
diff --git a/cpp/src/IceSSL/Util.cpp b/cpp/src/IceSSL/Util.cpp
index 2e3287c1c35..a95ef6ff8d5 100644
--- a/cpp/src/IceSSL/Util.cpp
+++ b/cpp/src/IceSSL/Util.cpp
@@ -940,40 +940,6 @@ IceSSL::findCertificate(SecKeychainRef keychain, const string& value)
namespace
{
-//
-// Parse a string of the form "location.name" into two parts.
-//
-void
-parseStore(const string& prop, const string& store, DWORD& loc, string& sname)
-{
- size_t pos = store.find('.');
- if(pos == string::npos)
- {
- throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: property `" + prop + "' has invalid format");
- }
-
- const string sloc = IceUtilInternal::toUpper(store.substr(0, pos));
- if(sloc == "CURRENTUSER")
- {
- loc = CERT_SYSTEM_STORE_CURRENT_USER;
- }
- else if(sloc == "LOCALMACHINE")
- {
- loc = CERT_SYSTEM_STORE_LOCAL_MACHINE;
- }
- else
- {
- throw PluginInitializationException(__FILE__, __LINE__,
- "IceSSL: unknown store location `" + sloc + "' in " + prop);
- }
-
- sname = store.substr(pos + 1);
- if(sname.empty())
- {
- throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: invalid store name in " + prop);
- }
-}
-
void
addMatchingCertificates(HCERTSTORE source, HCERTSTORE target, DWORD findType, const void* findParam)
{
@@ -996,17 +962,23 @@ addMatchingCertificates(HCERTSTORE source, HCERTSTORE target, DWORD findType, co
}
vector<PCCERT_CONTEXT>
-IceSSL::findCertificates(const string& prop, const string& storeSpec, const string& value, vector<HCERTSTORE>& stores)
+IceSSL::findCertificates(const string& location, const string& name, const string& value, vector<HCERTSTORE>& stores)
{
- DWORD storeLoc = 0;
- string storeName;
- parseStore(prop, storeSpec, storeLoc, storeName);
+ DWORD storeLoc;
+ if(location == "CurrentUser")
+ {
+ storeLoc = CERT_SYSTEM_STORE_CURRENT_USER;
+ }
+ else
+ {
+ storeLoc = CERT_SYSTEM_STORE_LOCAL_MACHINE;
+ }
- HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, storeLoc, stringToWstring(storeName).c_str());
+ HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, storeLoc, stringToWstring(name).c_str());
if(!store)
{
- throw PluginInitializationException(__FILE__, __LINE__,
- "IceSSL: failure while opening store specified by " + prop + ":\n" + IceUtilInternal::lastErrorToString());
+ throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: failed to open certificate store `" + name +
+ "':\n" + IceUtilInternal::lastErrorToString());
}
//
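Review bot: The new `storeLoc` selection in `findCertificates` treats every `location` other than `"CurrentUser"` as the LocalMachine store, which is only correct because `SChannelEngine::initialize()` normalizes the value before calling; nothing in this function documents or checks that. Either add `// location has been validated by the caller; anything but "CurrentUser" selects the machine store` above the `if`, or make the second branch `else if(location == "LocalMachine")` and throw a PluginInitializationException otherwise, so a future caller cannot silently land in the machine store. The function continues past this hunk.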
@@ -1123,7 +1095,7 @@ IceSSL::findCertificates(const string& prop, const string& storeSpec, const stri
{
throw PluginInitializationException(
__FILE__, __LINE__,
- "IceSSL: invalid value `" + value + "' for property `" + prop + "'\n" +
+ "IceSSL: invalid value `" + value + "' for `IceSSL.FindCert' property:\n" +
IceUtilInternal::lastErrorToString());
}
@@ -1132,7 +1104,7 @@ IceSSL::findCertificates(const string& prop, const string& storeSpec, const stri
{
throw PluginInitializationException(
__FILE__, __LINE__,
- "IceSSL: invalid value `" + value + "' for property `" + prop + "'\n" +
+ "IceSSL: invalid value `" + value + "' for `IceSSL.FindCert' property:\n" +
IceUtilInternal::lastErrorToString());
}
@@ -1148,7 +1120,7 @@ IceSSL::findCertificates(const string& prop, const string& storeSpec, const stri
if(!parseBytes(arg, buffer))
{
throw PluginInitializationException(__FILE__, __LINE__,
- "IceSSL: invalid value `" + value + "' for property `" + prop + "'");
+ "IceSSL: invalid `IceSSL.FindCert' property: can't decode the value");
}
CRYPT_HASH_BLOB hash = { static_cast<DWORD>(buffer.size()), &buffer[0] };
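Review bot: The error text on the changed line, `IceSSL: invalid `IceSSL.FindCert' property: can't decode the value`, differs in form from the parallel `parseBytes` failure a few lines further down in this same function, which uses `IceSSL: invalid value `" + value + "' for `IceSSL.FindCert' property`; use that wording here too so the two branches report the same kind of bad input the same way. The enclosing function continues outside the hunk.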
@@ -1161,7 +1133,7 @@ IceSSL::findCertificates(const string& prop, const string& storeSpec, const stri
if(!parseBytes(arg, buffer))
{
throw PluginInitializationException(__FILE__, __LINE__,
- "IceSSL: invalid value `" + value + "' for property `" + prop + "'");
+ "IceSSL: invalid value `" + value + "' for `IceSSL.FindCert' property");
}
CRYPT_INTEGER_BLOB serial = { static_cast<DWORD>(buffer.size()), &buffer[0] };
diff --git a/cpp/test/IceSSL/configuration/AllTests.cpp b/cpp/test/IceSSL/configuration/AllTests.cpp
index 4a51b3416f1..256d4d33812 100644
--- a/cpp/test/IceSSL/configuration/AllTests.cpp
+++ b/cpp/test/IceSSL/configuration/AllTests.cpp
@@ -2972,7 +2972,9 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
InitializationData initData;
initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12);
initData.properties->setProperty("IceSSL.CAs", "cacert1.pem");
- initData.properties->setProperty("IceSSL.FindCert.CurrentUser.My", clientFindCertProperties[i]);
+ initData.properties->setProperty("IceSSL.CertStore", "My");
+ initData.properties->setProperty("IceSSL.CertStoreLocation", "CurrentUser");
+ initData.properties->setProperty("IceSSL.FindCert", clientFindCertProperties[i]);
//
// Use TrustOnly to ensure the peer has pick the expected certificate.
//
@@ -2984,7 +2986,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
test(fact);
Test::Properties d = createServerProps(defaultProps, defaultDir, defaultHost, p12, "s_rsa_ca1", "cacert1");
d["IceSSL.CAs"] = "cacert1.pem";
- d["IceSSL.FindCert.CurrentUser.My"] = serverFindCertProperties[i];
+ d["IceSSL.FindCert"] = serverFindCertProperties[i];
//
// Use TrustOnly to ensure the peer has pick the expected certificate.
//
@@ -3013,10 +3015,11 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
InitializationData initData;
initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12);
initData.properties->setProperty("IceSSL.CAs", "cacert1.pem");
- initData.properties->setProperty("IceSSL.FindCert.CurrentUser.My", failFindCertProperties[i]);
+ initData.properties->setProperty("IceSSL.FindCert", failFindCertProperties[i]);
try
{
CommunicatorPtr comm = initialize(initData);
+ cerr << failFindCertProperties[i] << endl;
import.cleanup();
test(false);
}
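Review bot: `cerr << failFindCertProperties[i] << endl;` in the `try` block looks like leftover debugging output: it sits on the path where `initialize(initData)` unexpectedly succeeded and is immediately followed by `test(false)`, so it only adds noise to the test log. Drop the line, or if the intent is to name the property value that should have been rejected, do it in the failure path rather than unconditionally. allTests() continues outside this hunk.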
@@ -3042,7 +3045,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
InitializationData initData;
initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12);
initData.properties->setProperty("IceSSL.CAs", "cacert1.pem");
- initData.properties->setProperty("IceSSL.FindCert.CurrentUser.My", clientFindCertProperties[i]);
+ initData.properties->setProperty("IceSSL.FindCert", clientFindCertProperties[i]);
try
{
CommunicatorPtr comm = initialize(initData);
diff --git a/csharp/src/Ice/PropertyNames.cs b/csharp/src/Ice/PropertyNames.cs
index cd2190d1f47..a59d6f16042 100644
--- a/csharp/src/Ice/PropertyNames.cs
+++ b/csharp/src/Ice/PropertyNames.cs
@@ -6,7 +6,7 @@
// ICE_LICENSE file included in this distribution.
//
// **********************************************************************
-// Generated by makeprops.py from file ./config/PropertyNames.xml, Tue Apr 28 17:34:50 2015
+// Generated by makeprops.py from file ./config/PropertyNames.xml, Tue Apr 28 22:03:41 2015
// IMPORTANT: Do not edit this file -- any edits made here will be lost!
@@ -971,9 +971,10 @@ namespace IceInternal
{
new Property(@"^IceSSL\.Alias$", false, null),
new Property(@"^IceSSL\.CAs$", false, null),
- new Property(@"^IceSSL\.CertAuthDir$", true, null),
- new Property(@"^IceSSL\.CertAuthFile$", true, null),
+ new Property(@"^IceSSL\.CertAuthDir$", true, @"IceSSL.CAs"),
+ new Property(@"^IceSSL\.CertAuthFile$", true, @"IceSSL.CAs"),
new Property(@"^IceSSL\.CertStore$", false, null),
+ new Property(@"^IceSSL\.CertStoreLocation$", false, null),
new Property(@"^IceSSL\.CertFile$", false, null),
new Property(@"^IceSSL\.CertVerifier$", false, null),
new Property(@"^IceSSL\.CheckCertName$", false, null),
@@ -984,11 +985,11 @@ namespace IceInternal
new Property(@"^IceSSL\.DHParams$", false, null),
new Property(@"^IceSSL\.EntropyDaemon$", false, null),
new Property(@"^IceSSL\.FindCert$", false, null),
- new Property(@"^IceSSL\.FindCert\.[^\s]+$", true, null),
+ new Property(@"^IceSSL\.FindCert\.[^\s]+$", true, @"IceSSL.FindCert"),
new Property(@"^IceSSL\.ImportCert\.[^\s]+$", true, null),
new Property(@"^IceSSL\.InitOpenSSL$", false, null),
new Property(@"^IceSSL\.KeyFile$", true, null),
- new Property(@"^IceSSL\.KeySet$", false, null),
+ new Property(@"^IceSSL\.KeySet$", true, @"IceSSL.CertStoreLocation"),
new Property(@"^IceSSL\.Keychain$", false, null),
new Property(@"^IceSSL\.KeychainPassword$", false, null),
new Property(@"^IceSSL\.Keystore$", false, null),
@@ -997,7 +998,7 @@ namespace IceInternal
new Property(@"^IceSSL\.Password$", false, null),
new Property(@"^IceSSL\.PasswordCallback$", false, null),
new Property(@"^IceSSL\.PasswordRetryMax$", false, null),
- new Property(@"^IceSSL\.PersistKeySet$", false, null),
+ new Property(@"^IceSSL\.PersistKeySet$", true, null),
new Property(@"^IceSSL\.Protocols$", false, null),
new Property(@"^IceSSL\.ProtocolVersionMax$", false, null),
new Property(@"^IceSSL\.ProtocolVersionMin$", false, null),
diff --git a/csharp/src/IceSSL/SSLEngine.cs b/csharp/src/IceSSL/SSLEngine.cs
index 7a0180d3fcf..4f99f959ecd 100644
--- a/csharp/src/IceSSL/SSLEngine.cs
+++ b/csharp/src/IceSSL/SSLEngine.cs
@@ -61,34 +61,57 @@ namespace IceSSL
//
_defaultDir = properties.getProperty(prefix + "DefaultDir");
-#if UNITY
- _certStore = null;
-#else
- string keySet = properties.getPropertyWithDefault(prefix + "KeySet", "DefaultKeySet");
- if(!keySet.Equals("DefaultKeySet") && !keySet.Equals("UserKeySet") && !keySet.Equals("MachineKeySet"))
+ string certStoreLocation = properties.getPropertyWithDefault(prefix + "CertStoreLocation", "CurrentUser");
+ StoreLocation storeLocation;
+ if(certStoreLocation == "CurrentUser")
{
- _logger.warning("Invalid IceSSL.KeySet value `" + keySet + "' adjusted to `DefaultKeySet'");
- keySet = "DefaultKeySet";
+ storeLocation = StoreLocation.CurrentUser;
}
-
- _certStore = properties.getPropertyWithDefault(prefix + "CertStore", "CurrentUser");
- if(_certStore != "CurrentUser" && _certStore != "LocalMachine")
+ else if(certStoreLocation == "LocalMachine")
+ {
+ storeLocation = StoreLocation.LocalMachine;
+ }
+ else
{
- _logger.warning("Invalid IceSSL.CertStore value `" + _certStore + "' adjusted to `CurrentUser'");
- _certStore = "CurrentUser";
+ _logger.warning("Invalid IceSSL.CertStore value `" + certStoreLocation + "' adjusted to `CurrentUser'");
+ storeLocation = StoreLocation.CurrentUser;
}
+ _useMachineContext = certStoreLocation == "LocalMachine";
- X509KeyStorageFlags keyStorageFlags = X509KeyStorageFlags.DefaultKeySet;
- if(keySet.Equals("UserKeySet"))
+#if !UNITY
+ X509KeyStorageFlags keyStorageFlags;
+ if(_useMachineContext)
+ {
+ keyStorageFlags = X509KeyStorageFlags.MachineKeySet;
+ }
+ else
{
keyStorageFlags = X509KeyStorageFlags.UserKeySet;
}
- else if(keySet.Equals("MachineKeySet"))
+
+ string keySet = properties.getProperty(prefix + "KeySet"); // Deprecated property
+ if(keySet.Length > 0)
{
- keyStorageFlags = X509KeyStorageFlags.MachineKeySet;
+ if(keySet.Equals("DefaultKeySet"))
+ {
+ keyStorageFlags = X509KeyStorageFlags.DefaultKeySet;
+ }
+ else if(keySet.Equals("UserKeySet"))
+ {
+ keyStorageFlags = X509KeyStorageFlags.UserKeySet;
+ }
+ else if(keySet.Equals("MachineKeySet"))
+ {
+ keyStorageFlags = X509KeyStorageFlags.MachineKeySet;
+ }
+ else
+ {
+ _logger.warning("Invalid IceSSL.KeySet value `" + keySet + "' adjusted to `DefaultKeySet'");
+ keyStorageFlags = X509KeyStorageFlags.DefaultKeySet;
+ }
}
- if(properties.getPropertyAsIntWithDefault(prefix + "PersistKeySet", 0) > 0)
+ if(properties.getPropertyAsIntWithDefault(prefix + "PersistKeySet", 0) > 0) // Deprecated property
{
keyStorageFlags |= X509KeyStorageFlags.PersistKeySet;
}
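Review bot: The warning in the `else` branch of the new location check still reads `Invalid IceSSL.CertStore value ...`, but the value being rejected is `IceSSL.CertStoreLocation` (the C++ engine's message in this same change was updated); change it to `_logger.warning("Invalid IceSSL.CertStoreLocation value `" + certStoreLocation + "' adjusted to `CurrentUser'");`. The `storeLocation` / `_useMachineContext` computation was also moved out of the `#if UNITY` guard that previously set `_certStore = null`, so it now runs in the Unity build as well; whether `StoreLocation` is available there I cannot tell from this diff. The enclosing method continues outside the hunk.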
@@ -233,6 +256,9 @@ namespace IceSSL
_certs = new X509Certificate2Collection();
string certFile = properties.getProperty(prefix + "CertFile");
string passwordStr = properties.getProperty(prefix + "Password");
+ string findCert = properties.getProperty(prefix + "FindCert");
+ const string findPrefix = prefix + "FindCert.";
+ Dictionary<string, string> findCertProps = properties.getPropertiesForPrefix(findPrefix);
if(certFile.Length > 0)
{
@@ -256,13 +282,23 @@ namespace IceSSL
try
{
X509Certificate2 cert;
+ X509KeyStorageFlags importFlags;
+ if(_useMachineContext)
+ {
+ importFlags = X509KeyStorageFlags.MachineKeySet;
+ }
+ else
+ {
+ importFlags = X509KeyStorageFlags.UserKeySet;
+ }
+
if(password != null)
{
- cert = new X509Certificate2(certFile, password, keyStorageFlags);
+ cert = new X509Certificate2(certFile, password, importFlags);
}
else
{
- cert = new X509Certificate2(certFile, "", keyStorageFlags);
+ cert = new X509Certificate2(certFile, "", importFlags);
}
_certs.Add(cert);
}
@@ -273,24 +309,37 @@ namespace IceSSL
throw e;
}
}
-
- //
- // If IceSSL.FindCert.* properties are defined, add the selected certificates
- // to the collection.
- //
- // TODO: tracing?
- const string findPrefix = prefix + "FindCert.";
- Dictionary<string, string> certProps = properties.getPropertiesForPrefix(findPrefix);
- if(certProps.Count > 0)
+ else if(findCert.Length > 0)
+ {
+ string certStore = properties.getPropertyWithDefault("IceSSL.CertStore", "My");
+ _certs.AddRange(findCertificates("IceSSL.FindCert", storeLocation, certStore, findCert));
+ if(_certs.Count == 0)
+ {
+ throw new Ice.PluginInitializationException("IceSSL: no certificates found");
+ }
+ }
+ else if(findCertProps.Count > 0)
{
- foreach(KeyValuePair<string, string> entry in certProps)
+ //
+ // If IceSSL.FindCert.* properties are defined, add the selected certificates
+ // to the collection.
+ //
+ foreach(KeyValuePair<string, string> entry in findCertProps)
{
string name = entry.Key;
string val = entry.Value;
if(val.Length > 0)
{
string storeSpec = name.Substring(findPrefix.Length);
- X509Certificate2Collection coll = findCertificates(name, storeSpec, val);
+ StoreLocation storeLoc = 0;
+ StoreName storeName = 0;
+ string sname = null;
+ parseStore(name, storeSpec, ref storeLoc, ref storeName, ref sname);
+ if(sname == null)
+ {
+ sname = storeName.ToString();
+ }
+ X509Certificate2Collection coll = findCertificates(name, storeLoc, sname, val);
_certs.AddRange(coll);
}
}
@@ -388,9 +437,9 @@ namespace IceSSL
_initialized = true;
}
- internal string certStore()
+ internal bool useMachineContext()
{
- return _certStore;
+ return _useMachineContext;
}
internal X509Certificate2Collection caCerts()
@@ -1072,26 +1121,22 @@ namespace IceSSL
}
#if !UNITY
- private static X509Certificate2Collection findCertificates(string prop, string storeSpec, string value)
+ private static X509Certificate2Collection findCertificates(string prop, StoreLocation storeLocation,
+ string name, string value)
{
- StoreLocation storeLoc = 0;
- StoreName storeName = 0;
- string storeNameStr = null;
- parseStore(prop, storeSpec, ref storeLoc, ref storeName, ref storeNameStr);
-
//
// Open the X509 certificate store.
//
X509Store store = null;
try
{
- if(storeNameStr != null)
+ try
{
- store = new X509Store(storeNameStr, storeLoc);
+ store = new X509Store((StoreName)Enum.Parse(typeof(StoreName), name, true), storeLocation);
}
- else
+ catch(ArgumentException)
{
- store = new X509Store(storeName, storeLoc);
+ store = new X509Store(name, storeLocation);
}
store.Open(OpenFlags.ReadOnly);
}
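Review bot: The new store-opening code uses the `ArgumentException` from `Enum.Parse` as ordinary control flow to choose between the `StoreName` and string `X509Store` constructors; `Enum.TryParse` expresses the same fallback without throwing, e.g. `StoreName sn;` and `store = Enum.TryParse(name, true, out sn) ? new X509Store(sn, storeLocation) : new X509Store(name, storeLocation);`. Note that `Enum.Parse` (and `TryParse`) also accepts numeric strings, so a store configured as e.g. `"1"` would be mapped to the corresponding `StoreName` member rather than opened by that literal name; if that matters, check the name with `Enum.IsDefined` instead. findCertificates continues outside this hunk.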
@@ -1326,7 +1371,7 @@ namespace IceSSL
private int _verifyDepthMax;
private int _checkCRL;
private X509Certificate2Collection _certs;
- private string _certStore;
+ private bool _useMachineContext;
private X509Certificate2Collection _caCerts;
private CertificateVerifier _verifier;
private PasswordCallback _passwordCallback;
diff --git a/csharp/src/IceSSL/TransceiverI.cs b/csharp/src/IceSSL/TransceiverI.cs
index 85ec68d0e4f..c60179e9f05 100644
--- a/csharp/src/IceSSL/TransceiverI.cs
+++ b/csharp/src/IceSSL/TransceiverI.cs
@@ -354,7 +354,7 @@ namespace IceSSL
_verifyPeer = _instance.properties().getPropertyAsIntWithDefault("IceSSL.VerifyPeer", 2);
- _chain = new X509Chain(_instance.engine().certStore() == "LocalMachine");
+ _chain = new X509Chain(_instance.engine().useMachineContext());
if(_instance.checkCRL() == 0)
{
diff --git a/csharp/test/IceSSL/configuration/AllTests.cs b/csharp/test/IceSSL/configuration/AllTests.cs
index d81617df54c..30b0a2bb476 100644
--- a/csharp/test/IceSSL/configuration/AllTests.cs
+++ b/csharp/test/IceSSL/configuration/AllTests.cs
@@ -2149,7 +2149,9 @@ public class AllTests
for(int i = 0; i < clientFindCertProperties.Length; ++i)
{
initData = createClientProps(defaultProperties, defaultDir, defaultHost, "", "cacert1");
- initData.properties.setProperty("IceSSL.FindCert.CurrentUser.My", clientFindCertProperties[i]);
+ initData.properties.setProperty("IceSSL.CertStore", "My");
+ initData.properties.setProperty("IceSSL.CertStoreLocation", "CurrentUser");
+ initData.properties.setProperty("IceSSL.FindCert", clientFindCertProperties[i]);
//
// Use TrustOnly to ensure the peer has pick the expected certificate.
//
@@ -2158,6 +2160,7 @@ public class AllTests
Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
d = createServerProps(defaultProperties, defaultDir, defaultHost, "", "cacert1");
+ // Use deprecated property here to test it
d["IceSSL.FindCert.CurrentUser.My"] = serverFindCertProperties[i];
//
// Use TrustOnly to ensure the peer has pick the expected certificate.
@@ -2185,7 +2188,7 @@ public class AllTests
try
{
initData = createClientProps(defaultProperties, defaultDir, defaultHost);
- initData.properties.setProperty("IceSSL.FindCert.CurrentUser.My", s);
+ initData.properties.setProperty("IceSSL.FindCert", s);
Ice.Communicator comm = Ice.Util.initialize(ref args, initData);
test(false);
}
diff --git a/csharp/test/IceSSL/configuration/run.py b/csharp/test/IceSSL/configuration/run.py
index 60bb03f8c86..59a97dd0550 100755
--- a/csharp/test/IceSSL/configuration/run.py
+++ b/csharp/test/IceSSL/configuration/run.py
@@ -8,7 +8,7 @@
#
# **********************************************************************
-import os, sys, getopt
+import os, sys, getopt, re
path = [ ".", "..", "../..", "../../..", "../../../.." ]
head = os.path.dirname(sys.argv[0])
@@ -20,6 +20,9 @@ if len(path) == 0:
sys.path.append(os.path.join(path[0], "scripts"))
import TestUtil
+# Filter-out the deprecated property warnings
+TestUtil.clientTraceFilters = [ lambda x: re.sub("-! .* warning: deprecated property: IceSSL.FindCert.*\n", "", x) ]
+TestUtil.serverTraceFilters = [ lambda x: re.sub("-! .* warning: deprecated property: IceSSL.FindCert.*\n", "", x) ]
#
# The drive letter needs to be removed on Windows or loading the SSL
# plug-in will not work.
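Review bot: The patterns in the two new `TestUtil.clientTraceFilters` / `TestUtil.serverTraceFilters` lambdas are plain strings with the dot in `IceSSL.FindCert` unescaped, so that dot matches any character; the intended pattern is the raw string `r"-! .* warning: deprecated property: IceSSL\.FindCert.*\n"`. The two lambdas are byte-for-byte identical, so defining the filter once keeps them from drifting apart: `deprecatedPropertyFilter = lambda x: re.sub(r"-! .* warning: deprecated property: IceSSL\.FindCert.*\n", "", x)`, then `TestUtil.clientTraceFilters = [ deprecatedPropertyFilter ]` and `TestUtil.serverTraceFilters = [ deprecatedPropertyFilter ]`. Since `.` does not match a newline, each `.*` stays on one trace line and the trailing `\n` removes exactly the warning line, which is the behaviour the hunk's comment describes.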
diff --git a/java/src/Ice/src/main/java/IceInternal/PropertyNames.java b/java/src/Ice/src/main/java/IceInternal/PropertyNames.java
index 54868a2488f..52c143b4085 100644
--- a/java/src/Ice/src/main/java/IceInternal/PropertyNames.java
+++ b/java/src/Ice/src/main/java/IceInternal/PropertyNames.java
@@ -6,7 +6,7 @@
// ICE_LICENSE file included in this distribution.
//
// **********************************************************************
-// Generated by makeprops.py from file ./config/PropertyNames.xml, Tue Apr 28 17:34:50 2015
+// Generated by makeprops.py from file ./config/PropertyNames.xml, Tue Apr 28 22:03:41 2015
// IMPORTANT: Do not edit this file -- any edits made here will be lost!
@@ -971,9 +971,10 @@ public final class PropertyNames
{
new Property("IceSSL\\.Alias", false, null),
new Property("IceSSL\\.CAs", false, null),
- new Property("IceSSL\\.CertAuthDir", true, null),
- new Property("IceSSL\\.CertAuthFile", true, null),
+ new Property("IceSSL\\.CertAuthDir", true, "IceSSL.CAs"),
+ new Property("IceSSL\\.CertAuthFile", true, "IceSSL.CAs"),
new Property("IceSSL\\.CertStore", false, null),
+ new Property("IceSSL\\.CertStoreLocation", false, null),
new Property("IceSSL\\.CertFile", false, null),
new Property("IceSSL\\.CertVerifier", false, null),
new Property("IceSSL\\.CheckCertName", false, null),
@@ -984,11 +985,11 @@ public final class PropertyNames
new Property("IceSSL\\.DHParams", false, null),
new Property("IceSSL\\.EntropyDaemon", false, null),
new Property("IceSSL\\.FindCert", false, null),
- new Property("IceSSL\\.FindCert\\.[^\\s]+", true, null),
+ new Property("IceSSL\\.FindCert\\.[^\\s]+", true, "IceSSL.FindCert"),
new Property("IceSSL\\.ImportCert\\.[^\\s]+", true, null),
new Property("IceSSL\\.InitOpenSSL", false, null),
new Property("IceSSL\\.KeyFile", true, null),
- new Property("IceSSL\\.KeySet", false, null),
+ new Property("IceSSL\\.KeySet", true, "IceSSL.CertStoreLocation"),
new Property("IceSSL\\.Keychain", false, null),
new Property("IceSSL\\.KeychainPassword", false, null),
new Property("IceSSL\\.Keystore", false, null),
@@ -997,7 +998,7 @@ public final class PropertyNames
new Property("IceSSL\\.Password", false, null),
new Property("IceSSL\\.PasswordCallback", false, null),
new Property("IceSSL\\.PasswordRetryMax", false, null),
- new Property("IceSSL\\.PersistKeySet", false, null),
+ new Property("IceSSL\\.PersistKeySet", true, null),
new Property("IceSSL\\.Protocols", false, null),
new Property("IceSSL\\.ProtocolVersionMax", false, null),
new Property("IceSSL\\.ProtocolVersionMin", false, null),
diff --git a/js/src/Ice/PropertyNames.js b/js/src/Ice/PropertyNames.js
index 4b1fe5b144a..9dad40a3657 100644
--- a/js/src/Ice/PropertyNames.js
+++ b/js/src/Ice/PropertyNames.js
@@ -6,7 +6,7 @@
// ICE_LICENSE file included in this distribution.
//
// **********************************************************************
-// Generated by makeprops.py from file ./config/PropertyNames.xml, Tue Apr 28 17:34:50 2015
+// Generated by makeprops.py from file ./config/PropertyNames.xml, Tue Apr 28 22:03:41 2015
// IMPORTANT: Do not edit this file -- any edits made here will be lost!
diff --git a/scripts/Expect.py b/scripts/Expect.py
index c367b5b63a9..2e0c87cf101 100755
--- a/scripts/Expect.py
+++ b/scripts/Expect.py
@@ -337,6 +337,9 @@ atexit.register(cleanup)
def signal_handler(signal, frame):
cleanup()
sys.exit(0)
+
+if win32:
+ signal.signal(signal.SIGINT, signal_handler)
signal.signal(signal.SIGTERM, signal_handler)
class Expect (object):
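Review bot: The new `if win32:` block registers `signal_handler` for `SIGINT` only on Windows and gives no reason, while the `SIGTERM` registration on the next line is unconditional; a short comment above the `if` would spare the next reader the investigation, e.g. `# Windows only: run cleanup() explicitly on SIGINT -- TODO(review): record why the default handling suffices on other platforms`. The `win32` flag is defined outside this hunk, so its exact meaning is inferred from the name. The handler's `signal` parameter shadows the `signal` module inside `signal_handler`, which is pre-existing but is easy to trip over now that the function is wired to a second signal; renaming the parameter to `signum` in a follow-up would remove the ambiguity.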