1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
|
// **********************************************************************
//
// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved.
//
// This copy of Ice is licensed to you under the terms described in the
// ICE_LICENSE file included in this distribution.
//
// **********************************************************************
#include <IceSSL/TrustManager.h>
#include <IceSSL/RFC2253.h>
#include <Ice/Properties.h>
#include <Ice/Communicator.h>
#include <Ice/LocalException.h>
#include <Ice/Logger.h>
#include <Ice/LoggerUtil.h>
using namespace std;
using namespace IceSSL;
void IceInternal::incRef(IceSSL::TrustManager* p) { p->__incRef(); }
void IceInternal::decRef(IceSSL::TrustManager* p) { p->__decRef(); }
TrustManager::TrustManager(const Ice::CommunicatorPtr& communicator) :
_communicator(communicator)
{
Ice::PropertiesPtr properties = communicator->getProperties();
_traceLevel = properties->getPropertyAsIntWithDefault("IceSSL.TrustOnly.Trace", 0);
string key;
try
{
key = "IceSSL.TrustOnly";
_all = RFC2253::parse(properties->getProperty(key));
key = "IceSSL.TrustOnly.Client";
_client = RFC2253::parse(properties->getProperty(key));
key = "IceSSL.TrustOnly.Server";
_allServer = RFC2253::parse(properties->getProperty(key));
Ice::PropertyDict dict = properties->getPropertiesForPrefix("IceSSL.TrustOnly.Server.");
for(Ice::PropertyDict::const_iterator p = dict.begin(); p != dict.end(); ++p)
{
string name = p->first.substr(string("IceSSL.TrustOnly.Server.").size());
key = p->first;
_server[name] = RFC2253::parse(p->second);
}
}
catch(const RFC2253::ParseException& e)
{
Ice::PluginInitializationException ex(__FILE__, __LINE__);
ex.reason = "IceSSL: invalid property " + key + ":\n" + e.reason;
throw ex;
}
}
bool
TrustManager::verify(const ConnectionInfo& info)
{
list< list< list< pair<string, string> > > > trustset;
if(_all.size() > 0)
{
trustset.push_back(_all);
}
if(info.incoming)
{
if(_allServer.size() > 0)
{
trustset.push_back(_allServer);
}
if(info.adapterName.size() > 0)
{
map<string, list< list< pair<string, string> > > >::
const_iterator p = _server.find(info.adapterName);
if(p != _server.end())
{
trustset.push_back(p->second);
}
}
}
else
{
if(_client.size() > 0)
{
trustset.push_back(_client);
}
}
//
// If there is nothing to match against, then we accept the cert.
//
if(trustset.size() == 0)
{
return true;
}
//
// If there is no certificate then we match false.
//
if(info.certs.size() != 0)
{
try
{
//
// Decompose the subject DN into the RDNs.
//
if(_traceLevel > 0)
{
Ice::Trace trace(_communicator->getLogger(), "TrustManager");
trace << "peer DN: " << info.certs[0]->getSubjectDN();
}
list< list<pair<string, string> > > alldn = RFC2253::parse(info.certs[0]->getSubjectDN());
if(alldn.size() != 1)
{
Ice::Warning warn(_communicator->getLogger());
warn << "IceSSL: certificate contains more than one DN:\n" + info.certs[0]->getSubjectDN();
return false;
}
list<pair<string, string> > dn = alldn.front();
//
// Try matching against everything in the trust set.
//
for(list< list< list<pair<string, string> > > >::const_iterator p = trustset.begin();
p != trustset.end(); ++p)
{
if(match(*p, dn))
{
return true;
}
}
}
catch(const RFC2253::ParseException& e)
{
Ice::Warning warn(_communicator->getLogger());
warn << "IceSSL: unable to parse certificate DN `" + info.certs[0]->getSubjectDN() + "'\nreason: " +
e.reason;
}
}
return false;
}
bool
TrustManager::match(const list< list< pair<string, string> > >& matchRDNset,
const list< pair<string, string> >& subjectRDNs) const
{
for(list< list< pair<string, string> > >::const_iterator r = matchRDNset.begin(); r != matchRDNset.end(); ++r)
{
for(list< pair<string, string> >::const_iterator p = r->begin(); p != r->end(); ++p)
{
bool found = false;
for(list< pair<string, string> >::const_iterator q = subjectRDNs.begin(); q != subjectRDNs.end(); ++q)
{
if(p->first == q->first)
{
found = true;
if(p->second != q->second)
{
return false;
}
}
}
if(!found)
{
return false;
}
}
}
return true;
}
|
