zeroc-ice 3.6b1 → 3.6.0

data/ext/ice/cpp/src/IceSSL/SecureTransportTransceiverI.cpp

@@ -1,6 +1,6 @@
 // **********************************************************************
 //
-// Copyright (c) 2003-2014 ZeroC, Inc. All rights reserved.
+// Copyright (c) 2003-2015 ZeroC, Inc. All rights reserved.
 //
 // This copy of Ice is licensed to you under the terms described in the
 // ICE_LICENSE file included in this distribution.
@@ -95,7 +95,7 @@ socketRead(SSLConnectionRef connection, void* data, size_t* length)
     return transceiver->readRaw(reinterpret_cast<char*>(data), length);
 }
 
-void
+bool
 checkTrustResult(SecTrustRef trust, const SecureTransportEnginePtr& engine, const InstancePtr& instance)
 {
     OSStatus err = noErr;
@@ -112,7 +112,7 @@ checkTrustResult(SecTrustRef trust, const SecureTransportEnginePtr& engine, cons
         //
         if((err = SecTrustSetNetworkFetchAllowed(trust, false)))
         {
-            throw ProtocolException(__FILE__, __LINE__, "IceSSL: handshake failure:\n" + errorToString(err));
+            throw SecurityException(__FILE__, __LINE__, "IceSSL: handshake failure:\n" + errorToString(err));
         }
 
         //
@@ -120,7 +120,7 @@ checkTrustResult(SecTrustRef trust, const SecureTransportEnginePtr& engine, cons
         //
         if((err = SecTrustEvaluate(trust, &trustResult)))
         {
-            throw ProtocolException(__FILE__, __LINE__, "IceSSL: handshake failure:\n" + errorToString(err));
+            throw SecurityException(__FILE__, __LINE__, "IceSSL: handshake failure:\n" + errorToString(err));
         }
     }
 
@@ -132,14 +132,15 @@ checkTrustResult(SecTrustRef trust, const SecureTransportEnginePtr& engine, cons
         //
         // Trust verify success.
         //
-        break;
+        return true;
     }
-    case kSecTrustResultInvalid:
-    //case kSecTrustResultConfirm: // Used in old OS X versions
-    case kSecTrustResultDeny:
-    case kSecTrustResultRecoverableTrustFailure:
-    case kSecTrustResultFatalTrustFailure:
-    case kSecTrustResultOtherError:
+    default:
+    // case kSecTrustResultInvalid:
+    // //case kSecTrustResultConfirm: // Used in old OS X versions
+    // case kSecTrustResultDeny:
+    // case kSecTrustResultRecoverableTrustFailure:
+    // case kSecTrustResultFatalTrustFailure:
+    // case kSecTrustResultOtherError:
     {
         if(engine->getVerifyPeer() == 0)
         {
@@ -149,7 +150,7 @@ checkTrustResult(SecTrustRef trust, const SecureTransportEnginePtr& engine, cons
                 os << "IceSSL: ignoring certificate verification failure\n" << trustResultDescription(trustResult);
                 instance->logger()->trace(instance->traceCategory(), os.str());
             }
-            break;
+            return false;
         }
         else
         {
@@ -160,7 +161,7 @@ checkTrustResult(SecTrustRef trust, const SecureTransportEnginePtr& engine, cons
             {
                 instance->logger()->trace(instance->traceCategory(), msg);
             }
-            throw ProtocolException(__FILE__, __LINE__, msg);
+            throw SecurityException(__FILE__, __LINE__, msg);
         }
     }
     }
@@ -197,7 +198,7 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
 
         if((err = SSLSetConnection(_ssl, reinterpret_cast<SSLConnectionRef>(this))))
         {
-            throw SecurityException(__FILE__, __LINE__, "IceSSL: setting SSL connection failed\n" + 
+            throw SecurityException(__FILE__, __LINE__, "IceSSL: setting SSL connection failed\n" +
                                     errorToString(err));
         }
     }
@@ -226,14 +227,17 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
             err = SSLCopyPeerTrust(_ssl, &_trust);
             if(_incoming && err == errSSLBadCert && _engine->getVerifyPeer() == 1)
             {
-                // This happens in 10.10 when the client doesn't provide
-                // a certificate and the server is configured to try
-                // authenticate
+                //
+                // This is expected if the client doesn't provide a
+                // certificate (occurs since 10.10). The server is
+                // configured to verify to not require the client
+                // certificate so we ignore the failure.
+                //
                 continue;
             }
             if(err == noErr)
             {
-                checkTrustResult(_trust, _engine, _instance);
+                _verified = checkTrustResult(_trust, _engine, _instance);
                 continue; // Call SSLHandshake to resume the handsake.
             }
             // Let it fall through, this will raise a SecurityException with the SSLCopyPeerTrust error.
@@ -254,7 +258,7 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
            << "remote address = " << desc << "\n" << errorToString(err);
         throw ProtocolException(__FILE__, __LINE__, os.str());
     }
-    _engine->verifyPeer(_stream->fd(), _host, getNativeConnectionInfo());
+    _engine->verifyPeer(_stream->fd(), _host, NativeConnectionInfoPtr::dynamicCast(getInfo()));
 
     if(_instance->engine()->securityTraceLevel() >= 1)
     {
@@ -481,7 +485,18 @@ IceSSL::TransceiverI::toDetailedString() const
 Ice::ConnectionInfoPtr
 IceSSL::TransceiverI::getInfo() const
 {
-    return getNativeConnectionInfo();
+    NativeConnectionInfoPtr info = new NativeConnectionInfo();
+    fillConnectionInfo(info, info->nativeCerts);
+    return info;
+}
+
+Ice::ConnectionInfoPtr
+IceSSL::TransceiverI::getWSInfo(const Ice::HeaderDict& headers) const
+{
+    WSSNativeConnectionInfoPtr info = new WSSNativeConnectionInfo();
+    fillConnectionInfo(info, info->nativeCerts);
+    info->headers = headers;
+    return info;
 }
 
 void
@@ -489,9 +504,15 @@ IceSSL::TransceiverI::checkSendSize(const IceInternal::Buffer&)
 {
 }
 
-IceSSL::TransceiverI::TransceiverI(const InstancePtr& instance, 
-                                   const IceInternal::StreamSocketPtr& stream, 
-                                   const string& hostOrAdapterName, 
+void
+IceSSL::TransceiverI::setBufferSize(int rcvSize, int sndSize)
+{
+    _stream->setBufferSize(rcvSize, sndSize);
+}
+
+IceSSL::TransceiverI::TransceiverI(const InstancePtr& instance,
+                                   const IceInternal::StreamSocketPtr& stream,
+                                   const string& hostOrAdapterName,
                                    bool incoming) :
     _instance(instance),
     _engine(SecureTransportEnginePtr::dynamicCast(instance->engine())),
@@ -501,6 +522,7 @@ IceSSL::TransceiverI::TransceiverI(const InstancePtr& instance,
     _stream(stream),
     _ssl(0),
     _trust(0),
+    _verified(false),
     _buffered(0)
 {
     //
@@ -515,12 +537,16 @@ IceSSL::TransceiverI::~TransceiverI()
 {
 }
 
-NativeConnectionInfoPtr
-IceSSL::TransceiverI::getNativeConnectionInfo() const
+void
+IceSSL::TransceiverI::fillConnectionInfo(const ConnectionInfoPtr& info, std::vector<CertificatePtr>& nativeCerts) const
 {
-    NativeConnectionInfoPtr info = new NativeConnectionInfo();
-    IceInternal::fdToAddressAndPort(_stream->fd(), info->localAddress, info->localPort, info->remoteAddress, 
+    IceInternal::fdToAddressAndPort(_stream->fd(), info->localAddress, info->localPort, info->remoteAddress,
                                     info->remotePort);
+    if(_stream->fd() != INVALID_SOCKET)
+    {
+        info->rcvSize = IceInternal::getRecvBufferSize(_stream->fd());
+        info->sndSize = IceInternal::getSendBufferSize(_stream->fd());
+    }
 
     if(_ssl)
     {
@@ -530,18 +556,22 @@ IceSSL::TransceiverI::getNativeConnectionInfo() const
             CFRetain(cert);
 
             CertificatePtr certificate = new Certificate(cert);
-            info->nativeCerts.push_back(certificate);
+            nativeCerts.push_back(certificate);
             info->certs.push_back(certificate->encode());
         }
 
         SSLCipherSuite cipher;
         SSLGetNegotiatedCipher(_ssl, &cipher);
         info->cipher = _engine->getCipherName(cipher);
+        info->verified = _verified;
+    }
+    else
+    {
+        info->verified = false;
     }
 
     info->adapterName = _adapterName;
     info->incoming = _incoming;
-    return info;
 }
 
 OSStatus

data/ext/ice/cpp/src/IceSSL/SecureTransportTransceiverI.h

@@ -1,6 +1,6 @@
 // **********************************************************************
 //
-// Copyright (c) 2003-2014 ZeroC, Inc. All rights reserved.
+// Copyright (c) 2003-2015 ZeroC, Inc. All rights reserved.
 //
 // This copy of Ice is licensed to you under the terms described in the
 // ICE_LICENSE file included in this distribution.
@@ -18,6 +18,7 @@
 #include <Ice/Transceiver.h>
 #include <Ice/Network.h>
 #include <Ice/StreamSocket.h>
+#include <Ice/WSTransceiver.h>
 
 #ifdef ICE_USE_SECURE_TRANSPORT
 
@@ -30,7 +31,7 @@ namespace IceSSL
 class ConnectorI;
 class AcceptorI;
 
-class TransceiverI : public IceInternal::Transceiver
+class TransceiverI : public IceInternal::Transceiver, public IceInternal::WSTransceiverDelegate
 {
 public:
 
@@ -46,7 +47,9 @@ public:
     virtual std::string toString() const;
     virtual std::string toDetailedString() const;
     virtual Ice::ConnectionInfoPtr getInfo() const;
+    virtual Ice::ConnectionInfoPtr getWSInfo(const Ice::HeaderDict&) const;
     virtual void checkSendSize(const IceInternal::Buffer&);
+    virtual void setBufferSize(int rcvSize, int sndSize);
 
     OSStatus writeRaw(const char*, size_t*) const;
     OSStatus readRaw(char*, size_t*) const;
@@ -56,7 +59,7 @@ private:
     TransceiverI(const InstancePtr&, const IceInternal::StreamSocketPtr&, const std::string&, bool);
     virtual ~TransceiverI();
 
-    virtual NativeConnectionInfoPtr getNativeConnectionInfo() const;
+    void fillConnectionInfo(const ConnectionInfoPtr&, std::vector<CertificatePtr>&) const;
 
     friend class ConnectorI;
     friend class AcceptorI;
@@ -70,7 +73,8 @@ private:
 
     SSLContextRef _ssl;
     SecTrustRef _trust;
-
+    bool _verified;
+    
     size_t _buffered;
     enum SSLWantFlags
     {

data/ext/ice/cpp/src/IceSSL/TrustManager.cpp

@@ -1,6 +1,6 @@
 // **********************************************************************
 //
-// Copyright (c) 2003-2014 ZeroC, Inc. All rights reserved.
+// Copyright (c) 2003-2015 ZeroC, Inc. All rights reserved.
 //
 // This copy of Ice is licensed to you under the terms described in the
 // ICE_LICENSE file included in this distribution.

data/ext/ice/cpp/src/IceSSL/TrustManager.h

@@ -1,6 +1,6 @@
 // **********************************************************************
 //
-// Copyright (c) 2003-2014 ZeroC, Inc. All rights reserved.
+// Copyright (c) 2003-2015 ZeroC, Inc. All rights reserved.
 //
 // This copy of Ice is licensed to you under the terms described in the
 // ICE_LICENSE file included in this distribution.

data/ext/ice/cpp/src/IceSSL/TrustManagerF.h

@@ -1,6 +1,6 @@
 // **********************************************************************
 //
-// Copyright (c) 2003-2014 ZeroC, Inc. All rights reserved.
+// Copyright (c) 2003-2015 ZeroC, Inc. All rights reserved.
 //
 // This copy of Ice is licensed to you under the terms described in the
 // ICE_LICENSE file included in this distribution.

data/ext/ice/cpp/src/IceSSL/Util.cpp

@@ -1,6 +1,6 @@
 // **********************************************************************
 //
-// Copyright (c) 2003-2014 ZeroC, Inc. All rights reserved.
+// Copyright (c) 2003-2015 ZeroC, Inc. All rights reserved.
 //
 // This copy of Ice is licensed to you under the terms described in the
 // ICE_LICENSE file included in this distribution.
@@ -24,7 +24,7 @@
 #   include <openssl/err.h>
 //
 // Avoid old style cast warnings from OpenSSL macros
-// 
+//
 #  pragma GCC diagnostic ignored "-Wold-style-cast"
 #endif
 
@@ -41,22 +41,26 @@ IceSSL::readFile(const string& file, vector<char>& buffer)
     {
         throw CertificateReadException(__FILE__, __LINE__, "error opening file " + file);
     }
-    
+
     is.seekg(0, is.end);
     buffer.resize(static_cast<int>(is.tellg()));
     is.seekg(0, is.beg);
-    
-    is.read(&buffer[0], buffer.size());
-    
-    if(!is.good())
+
+    if(!buffer.empty())
     {
-        throw CertificateReadException(__FILE__, __LINE__, "error reading file " + file);
+        is.read(&buffer[0], buffer.size());
+        if(!is.good())
+        {
+            throw CertificateReadException(__FILE__, __LINE__, "error reading file " + file);
+        }
     }
 }
 
 #ifndef ICE_USE_OPENSSL
+
 namespace
 {
+
 bool
 parseBytes(const string& arg, vector<unsigned char>& buffer)
 {
@@ -95,10 +99,13 @@ parseBytes(const string& arg, vector<unsigned char>& buffer)
     }
     return true;
 }
+
 }
+
 #endif
 
-#ifdef ICE_USE_OPENSSL
+#if defined(ICE_USE_OPENSSL)
+
 namespace
 {
 
@@ -426,7 +433,7 @@ IceSSL::errorToString(OSStatus status)
     return os.str();
 }
 
-std::string 
+std::string
 IceSSL::fromCFString(CFStringRef v)
 {
     string s;
@@ -448,13 +455,13 @@ IceSSL::getCertificateProperty(SecCertificateRef cert, CFTypeRef key)
     CFErrorRef err = 0;
     CFDictionaryRef values = SecCertificateCopyValues(cert, keys, &err);
     CFRelease(keys);
-    
     if(err)
     {
-        CertificateEncodingException ex(__FILE__, __LINE__, err);
-        throw ex;
+        ostringstream os;
+        os << "IceSSL: error getting property for certificate:\n" << errorToString(err);
+        throw CertificateReadException(__FILE__, __LINE__, os.str());
     }
-    
+
     assert(values);
     CFDictionaryRef property = (CFDictionaryRef)CFDictionaryGetValue(values, key);
     if(property)
@@ -468,540 +475,351 @@ IceSSL::getCertificateProperty(SecCertificateRef cert, CFTypeRef key)
 namespace
 {
 
-//
-// Retrive the certificate subject key identifier, the caller must release the returned CFData 
-// object.
-//
-CFDataRef
-getSubjectKeyIdentifier(SecCertificateRef cert)
-{
-    CFDataRef data = 0;
-    CFDictionaryRef property = getCertificateProperty(cert, kSecOIDSubjectKeyIdentifier);
-    if(property)
-    {
-        CFArrayRef propertyValues = (CFArrayRef)CFDictionaryGetValue(property, kSecPropertyKeyValue);
-        for(int i = 0, length = CFArrayGetCount(propertyValues); i < length; ++i)
-        {
-            CFDictionaryRef dict = (CFDictionaryRef)CFArrayGetValueAtIndex(propertyValues, i);
-            CFStringRef label = (CFStringRef)CFDictionaryGetValue(dict, kSecPropertyKeyLabel);
-            if(CFEqual(label, CFSTR("Key Identifier")))
-            {
-                data = (CFDataRef)CFDictionaryGetValue(dict, kSecPropertyKeyValue);
-                CFRetain(data);
-                break;
-            }
-        }
-        CFRelease(property);
-    }
-    return data;
-}
-
 //
 // Check the certificate basic constraints to check if the certificate is marked as a CA.
 //
 bool
 isCA(SecCertificateRef cert)
 {
-    bool ca = false;
-    CFDictionaryRef property = getCertificateProperty(cert, kSecOIDBasicConstraints);
+    UniqueRef<CFDictionaryRef> property(getCertificateProperty(cert, kSecOIDBasicConstraints));
     if(property)
     {
-        CFArrayRef propertyValues = (CFArrayRef)CFDictionaryGetValue(property, kSecPropertyKeyValue);
+        CFArrayRef propertyValues = (CFArrayRef)CFDictionaryGetValue(property.get(), kSecPropertyKeyValue);
         for(int i = 0, size = CFArrayGetCount(propertyValues); i < size; ++i)
         {
             CFDictionaryRef dict = (CFDictionaryRef)CFArrayGetValueAtIndex(propertyValues, i);
             CFStringRef label = (CFStringRef)CFDictionaryGetValue(dict, kSecPropertyKeyLabel);
             if(CFEqual(label, CFSTR("Certificate Authority")))
             {
-                CFStringRef value = (CFStringRef)CFDictionaryGetValue(dict, kSecPropertyKeyValue);
-                if(CFEqual(value, CFSTR("Yes")))
-                {
-                    ca = true;
-                }
-                break;
+                return CFEqual((CFStringRef)CFDictionaryGetValue(dict, kSecPropertyKeyValue), CFSTR("Yes"));
             }
         }
-        CFRelease(property);
-    }
-    return ca;
-}
-
-//
-// Search the keychain for an existing item with the same hash and type,
-// the hash is the certificate subject key identifier. For private key
-// items the hash should match kSecAttrApplicationLabel attribute, for 
-// certificate items it should match the kSecAttrSubjectKeyID attribute.
-//
-SecKeychainItemRef
-copyMatching(SecKeychainRef keychain, CFDataRef hash, CFTypeRef type)
-{
-    assert(keychain);
-    assert(hash);
-    assert(type == kSecClassKey || type == kSecClassCertificate);
-    
-    const void* values[] = {keychain};
-    CFArrayRef searchList = CFArrayCreate(kCFAllocatorDefault, values, 1, &kCFTypeArrayCallBacks);
-    
-    CFMutableDictionaryRef query =
-        CFDictionaryCreateMutable(0, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
-    
-    CFDictionarySetValue(query, kSecClass, type);
-    CFDictionarySetValue(query, kSecMatchLimit, kSecMatchLimitOne);
-    CFDictionarySetValue(query, kSecMatchSearchList, searchList);
-    CFDictionarySetValue(query, type == kSecClassKey ? kSecAttrApplicationLabel : kSecAttrSubjectKeyID, hash);
-    CFDictionarySetValue(query, kSecReturnRef, kCFBooleanTrue);
-    
-    SecKeychainItemRef item = 0;
-    OSStatus err = SecItemCopyMatching(query, (CFTypeRef*)&item);
-    
-    CFRelease(searchList);
-    CFRelease(query);
-    
-    if(err != noErr && err != errSecItemNotFound)
-    {
-        throw CertificateReadException(__FILE__, __LINE__, 
-                                       "Error searching for keychain items\n" + errorToString(err));
     }
-    
-    return item;
-}
-
-//
-// Add an item to the keychain, if the keychain already has this item return the existing item,
-// otherwise return the new added item.
-//
-SecKeychainItemRef
-addToKeychain(SecKeychainRef keychain, SecKeychainItemRef item, CFDataRef hash, CFTypeRef type)
-{
-    assert(keychain);
-    assert(item);
-    assert(hash);
-    
-    SecKeychainItemRef newItem = copyMatching(keychain, hash, type);
-    if(!newItem)
-    {
-        CFMutableDictionaryRef query = CFDictionaryCreateMutable(kCFAllocatorDefault,
-                                                            0,
-                                                            &kCFTypeDictionaryKeyCallBacks,
-                                                            &kCFTypeDictionaryValueCallBacks);
-        
-        CFDictionarySetValue(query, kSecUseKeychain, keychain);
-        CFDictionarySetValue(query, kSecClass, type);
-        CFDictionarySetValue(query, kSecValueRef, item);
-        CFDictionarySetValue(query, kSecReturnRef, kCFBooleanTrue);
-        
-        CFArrayRef added = 0;
-        OSStatus err = SecItemAdd(query, (CFTypeRef*)&added);
-        CFRelease(query);
-        
-        if(err != noErr)
-        {
-            ostringstream os;
-            os << "Failure adding " << (type == kSecClassKey ? "key" : "certificate") 
-               << " to keychain\n" << errorToString(err);
-            throw CertificateReadException(__FILE__, __LINE__, os.str());
-        }
-        newItem = (SecKeychainItemRef)CFArrayGetValueAtIndex(added, 0);
-        CFRetain(newItem);
-        CFRelease(added);
-    }
-    
-    assert(newItem);
-    
-    return newItem;
+    return false;
 }
 
 //
 // Load keychain items (Certificates or Private Keys) from a file. On return items param contain
 // the list of items, the caller must release it.
 //
-void
-loadKeychainItems(CFArrayRef* items, CFTypeRef type, const string& file, SecExternalFormat* format, 
-                  SecKeychainRef keychain, const string& passphrase, const PasswordPromptPtr& prompt,
-                  int passwordRetryMax)
+CFArrayRef
+loadKeychainItems(const string& file, SecExternalItemType type, SecKeychainRef keychain, const string& passphrase,
+                  const PasswordPromptPtr& prompt, int retryMax)
 {
-    assert(type == kSecClassCertificate || type == kSecClassKey);
     vector<char> buffer;
     readFile(file, buffer);
-    
-    CFDataRef data = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, 
-                                                 reinterpret_cast<const UInt8*>(&buffer[0]), 
-                                                 buffer.size(),
-                                                 kCFAllocatorNull);
-    
-    SecExternalItemType itemType = kSecItemTypeUnknown;
-    
+    UniqueRef<CFDataRef> data(CFDataCreateWithBytesNoCopy(kCFAllocatorDefault,
+                                                          reinterpret_cast<const UInt8*>(&buffer[0]),
+                                                          buffer.size(),
+                                                          kCFAllocatorNull));
+
     SecItemImportExportKeyParameters params;
     memset(&params, 0, sizeof(params));
     params.version =  SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
-    
+    params.flags |= kSecKeyNoAccessControl;
+    if(!passphrase.empty())
     {
-        const void* values[] = {kSecACLAuthorizationAny};
-        params.keyUsage = CFArrayCreate(0, values, 1, 0);
+        params.passphrase = toCFString(passphrase);
     }
-    
-    params.flags |= kSecKeyNoAccessControl;
 
-    OSStatus err = noErr;
-    int count = 0;
-    
-    while(true)
+    CFArrayRef items;
+    SecExternalItemType importType = type;
+    SecExternalFormat format = type == kSecItemTypeUnknown ? kSecFormatPKCS12 : kSecFormatUnknown;
+    UniqueRef<CFStringRef> path(toCFString(file));
+    OSStatus err = SecItemImport(data.get(), path.get(), &format, &importType, 0, &params, keychain, &items);
+
+    //
+    // If passphrase failure and no password was configured, we obtain
+    // the password from the given prompt or configure the import to
+    // prompt the user with an alert dialog.
+    //
+    if(passphrase.empty() &&
+       (err == errSecPassphraseRequired || err == errSecInvalidData || err == errSecPkcs12VerifyFailure))
     {
-        if(!passphrase.empty())
-        {
-            assert(!params.passphrase);
-            params.passphrase = toCFString(passphrase);
-        }
-        err = SecItemImport(data, 0, format, &itemType, 0, &params, *format == kSecFormatPKCS12 ? keychain : 0, 
-                            items);
-        if(params.passphrase)
-        {
-            CFRelease(params.passphrase);
-            params.passphrase = 0;
-        }
-        
-        if(err == noErr)
-        {
-            break;
-        }
-        
-        //
-        // Try PKCS12 format.
-        //
-        if(err == errSecUnknownFormat && *format != kSecFormatPKCS12)
-        {
-            *format = kSecFormatPKCS12;
-            itemType = kSecItemTypeAggregate;
-            continue;
-        }
-        
-        //
-        // Error
-        //
-        if(!passphrase.empty() || (err != errSecPassphraseRequired && 
-                                   err != errSecInvalidData &&
-                                   err != errSecPkcs12VerifyFailure))
-        {
-            break;
-        }
-        
-        if(prompt && count < passwordRetryMax)
-        {
-            params.passphrase = toCFString(prompt->getPassword());
-        }
-        //
-        // Configure the default OS X password prompt if passphrase is required
-        // and the user doesn't provide a passphrase or password prompt.
-        //
-        else if(!prompt && !(params.flags & kSecKeySecurePassphrase))
+        if(!prompt)
         {
             params.flags |= kSecKeySecurePassphrase;
             ostringstream os;
             os << "Enter the password for\n" << file;
             params.alertPrompt = toCFString(os.str());
-            continue;
         }
-        //
-        // Password retry.
-        //
-        if(++count >= passwordRetryMax)
+
+        int count = 0;
+        while((err == errSecPassphraseRequired || err == errSecInvalidData || err == errSecPkcs12VerifyFailure) &&
+              count < retryMax)
         {
-            break;
+            if(prompt)
+            {
+                if(params.passphrase)
+                {
+                    CFRelease(params.passphrase);
+                }
+                params.passphrase = toCFString(prompt->getPassword());
+            }
+            err = SecItemImport(data.get(), path.get(), &format, &importType, 0, &params, keychain, &items);
+            ++count;
+        }
+
+        if(params.alertPrompt)
+        {
+            CFRelease(params.alertPrompt);
         }
     }
-    
-    if(params.alertPrompt)
+
+    if(params.passphrase)
     {
-        CFRelease(params.alertPrompt);
+        CFRelease(params.passphrase);
     }
-    
-    CFRelease(data);
-    
+
     if(err != noErr)
     {
         ostringstream os;
-        os << "Error reading " << (type == kSecClassCertificate ? "certificate " : "private key ")
-           << "from file: `" << file << "'\n" << errorToString(err);
+        os << "IceSSL: error reading " << (type == kSecItemTypePrivateKey ? "private key" : "certificate");
+        os << " `" << file << "':\n" << errorToString(err);
         throw CertificateReadException(__FILE__, __LINE__, os.str());
     }
-}
-
-}
 
-//
-// Helper function to generate the private key label (display name) used
-// in the keychain.
-//
-string
-IceSSL::keyLabel(SecCertificateRef cert)
-{
-    CFStringRef commonName;
-    OSStatus err = SecCertificateCopyCommonName(cert, &commonName);
-    if(err != noErr)
+    if(type != kSecItemTypeUnknown && importType != kSecItemTypeAggregate && importType != type)
     {
-        throw CertificateReadException(__FILE__, __LINE__, "certificate error:\n" + errorToString(err));
+        CFRelease(items);
+        ostringstream os;
+        os << "IceSSL: error reading " << (type == kSecItemTypePrivateKey ? "private key" : "certificate");
+        os << " `" << file << "' doesn't contain the expected item";
+        throw CertificateReadException(__FILE__, __LINE__, os.str());
     }
-    string label = fromCFString(commonName);
-    CFRelease(commonName);
-    return label.empty() ? "Imported Private Key" : (label + " - Private Key");
+
+    return items;
+}
+
 }
 
 //
 // Imports a certificate private key and optionally add it to a keychain.
 //
-void
-IceSSL::loadPrivateKey(SecKeyRef* key, const string& label, CFDataRef hash, SecKeychainRef keychain,
-                       const string& file, const string& passphrase, const PasswordPromptPtr& prompt,
-                       int passwordRetryMax)
+SecIdentityRef
+IceSSL::loadPrivateKey(const string& file, SecCertificateRef cert, SecKeychainRef keychain, const string& password,
+                       const PasswordPromptPtr& prompt, int retryMax)
 {
-    assert(key);
-    CFArrayRef items = 0;
-    try
+    //
+    // Check if we already imported the certificate
+    //
+    UniqueRef<CFDataRef> hash;
+    UniqueRef<CFDictionaryRef> subjectKeyProperty(getCertificateProperty(cert, kSecOIDSubjectKeyIdentifier));
+    if(subjectKeyProperty)
     {
-        SecExternalFormat format = kSecFormatUnknown;
-        loadKeychainItems(&items, kSecClassKey, file, &format, keychain, passphrase, prompt, passwordRetryMax);
-        if(items)
+        CFArrayRef values = (CFArrayRef)CFDictionaryGetValue(subjectKeyProperty.get(), kSecPropertyKeyValue);
+        for(int i = 0; i < CFArrayGetCount(values); ++i)
         {
-            int count = CFArrayGetCount(items);
-            for(int i = 0; i < count; ++i)
+            CFDictionaryRef dict = (CFDictionaryRef)CFArrayGetValueAtIndex(values, i);
+            if(CFEqual(CFDictionaryGetValue(dict, kSecPropertyKeyLabel), CFSTR("Key Identifier")))
             {
-                SecKeychainItemRef item = (SecKeychainItemRef)CFArrayGetValueAtIndex(items, 0);
-                if(SecKeyGetTypeID() == CFGetTypeID(item))
-                {
-                    CFRetain(item);
-                    *key = (SecKeyRef)item;
-                    
-                    CFRelease(items);
-                    items = 0;
-                    
-                    if(keychain)
-                    {
-                        SecKeychainItemRef newItem = addToKeychain(keychain, item, hash, kSecClassKey);
-                        assert(newItem);
-                        CFRelease(*key);
-                        *key = (SecKeyRef)newItem;
-                        if(hash)
-                        {
-                            //
-                            // Create the association between the private  key and the certificate, 
-                            // kSecKeyLabel attribute should match the subject key identifier.
-                            //
-                            SecKeychainAttribute attr;
-                            attr.tag = kSecKeyLabel;
-                            attr.data = (void*)CFDataGetBytePtr(hash);
-                            attr.length = CFDataGetLength(hash);
-                            
-                            SecKeychainAttributeList attrs;
-                            attrs.attr = &attr;
-                            attrs.count = 1;
-                            
-                            SecKeychainItemModifyAttributesAndData(newItem, &attrs, 0, 0);
-                        }
-                        
-                        if(!label.empty())
-                        {
-                            //
-                            // kSecKeyPrintName attribute correspond to the keychain display
-                            // name.
-                            //
-                            SecKeychainAttribute att;
-                            att.tag = kSecKeyPrintName;
-                            att.data = (void*)label.c_str();
-                            att.length = label.size();
-                            
-                            SecKeychainAttributeList attrs;
-                            attrs.attr = &att;
-                            attrs.count = 1;
-                            
-                            SecKeychainItemModifyAttributesAndData(newItem, &attrs, 0, 0);
-                        }
-                    }
-                    break;
-                }
+                hash.retain(CFDictionaryGetValue(dict, kSecPropertyKeyValue));
+                break;
             }
         }
-        
-        if(!*key)
-        {
-            throw CertificateReadException(__FILE__, __LINE__, 
-                                            "Certificate error:\n error importing certificate from " + file);
-        }
     }
-    catch(...)
-    {        
-        if(items)
+
+    const void* values[] = { keychain };
+    UniqueRef<CFArrayRef> searchList(CFArrayCreate(kCFAllocatorDefault, values, 1, &kCFTypeArrayCallBacks));
+
+    UniqueRef<CFMutableDictionaryRef> query(CFDictionaryCreateMutable(0,
+                                                                      0,
+                                                                      &kCFTypeDictionaryKeyCallBacks,
+                                                                      &kCFTypeDictionaryValueCallBacks));
+
+    CFDictionarySetValue(query.get(), kSecClass, kSecClassCertificate);
+    CFDictionarySetValue(query.get(), kSecMatchLimit, kSecMatchLimitOne);
+    CFDictionarySetValue(query.get(), kSecMatchSearchList, searchList.get());
+    CFDictionarySetValue(query.get(), kSecAttrSubjectKeyID, hash.get());
+    CFDictionarySetValue(query.get(), kSecReturnRef, kCFBooleanTrue);
+
+    CFTypeRef value = 0;
+    OSStatus err = SecItemCopyMatching(query.get(), &value);
+    UniqueRef<SecCertificateRef> item(value);
+    if(err == noErr)
+    {
+        //
+        // If the certificate has already been imported, create the
+        // identity. The key should also have been imported.
+        //
+        SecIdentityRef identity;
+        err = SecIdentityCreateWithCertificate(keychain, item.get(), &identity);
+        if(err != noErr)
         {
-            CFRelease(items);
+            ostringstream os;
+            os << "IceSSL: error creating certificate identity:\n" << errorToString(err);
+            throw CertificateReadException(__FILE__, __LINE__, os.str());
         }
-        
-        if(*key)
+        return identity;
+    }
+    else if(err != errSecItemNotFound)
+    {
+        ostringstream os;
+        os << "IceSSL: error searching for keychain items:\n" << errorToString(err);
+        throw CertificateReadException(__FILE__, __LINE__, os.str());
+    }
+
+    //
+    // If the certificate isn't already in the keychain, load the
+    // private key into the keychain and add the certificate.
+    //
+    UniqueRef<CFArrayRef> items(loadKeychainItems(file, kSecItemTypePrivateKey, keychain, password, prompt, retryMax));
+    int count = CFArrayGetCount(items.get());
+    UniqueRef<SecKeyRef> key;
+    for(int i = 0; i < count; ++i)
+    {
+        SecKeychainItemRef item = (SecKeychainItemRef)CFArrayGetValueAtIndex(items.get(), 0);
+        if(SecKeyGetTypeID() == CFGetTypeID(item))
         {
-            CFRelease(*key);
-            *key = 0;
+            key.retain(item);
+            break;
         }
-        
-        throw;
     }
+    if(!key)
+    {
+        throw CertificateReadException(__FILE__, __LINE__, "IceSSL: no key in file `" + file + "'");
+    }
+
+    //
+    // Add the certificate to the keychain
+    //
+    query.reset(CFDictionaryCreateMutable(kCFAllocatorDefault,
+                                          0,
+                                          &kCFTypeDictionaryKeyCallBacks,
+                                          &kCFTypeDictionaryValueCallBacks));
+
+    CFDictionarySetValue(query.get(), kSecUseKeychain, keychain);
+    CFDictionarySetValue(query.get(), kSecClass, kSecClassCertificate);
+    CFDictionarySetValue(query.get(), kSecValueRef, cert);
+    CFDictionarySetValue(query.get(), kSecReturnRef, kCFBooleanTrue);
+
+    value = 0;
+    err = SecItemAdd(query.get(), (CFTypeRef*)&value);
+    UniqueRef<CFArrayRef> added(value);
+    if(err != noErr)
+    {
+        ostringstream os;
+        os << "IceSSL: failure adding certificate to keychain\n" << errorToString(err);
+        throw CertificateReadException(__FILE__, __LINE__, os.str());
+    }
+    item.retain(CFArrayGetValueAtIndex(added.get(), 0));
+
+    //
+    // Create the association between the private  key and the certificate,
+    // kSecKeyLabel attribute should match the subject key identifier.
+    //
+    vector<SecKeychainAttribute> attributes;
+    if(hash)
+    {
+        SecKeychainAttribute attr;
+        attr.tag = kSecKeyLabel;
+        attr.data = (void*)CFDataGetBytePtr(hash.get());
+        attr.length = CFDataGetLength(hash.get());
+        attributes.push_back(attr);
+    }
+
+    //
+    // kSecKeyPrintName attribute correspond to the keychain display
+    // name.
+    //
+    string label;
+    CFStringRef commonName = 0;
+    if(SecCertificateCopyCommonName(item.get(), &commonName) == noErr)
+    {
+        label = fromCFString(commonName);
+        CFRelease(commonName);
+
+        SecKeychainAttribute attr;
+        attr.tag = kSecKeyPrintName;
+        attr.data = (void*)label.c_str();
+        attr.length = label.size();
+        attributes.push_back(attr);
+    }
+
+    SecKeychainAttributeList attrs;
+    attrs.attr = &attributes[0];
+    attrs.count = attributes.size();
+    SecKeychainItemModifyAttributesAndData((SecKeychainItemRef)key.get(), &attrs, 0, 0);
+
+    SecIdentityRef identity;
+    err = SecIdentityCreateWithCertificate(keychain, item.get(), &identity);
+    if(err != noErr)
+    {
+        ostringstream os;
+        os << "IceSSL: error creating certificate identity:\n" << errorToString(err);
+        throw CertificateReadException(__FILE__, __LINE__, os.str());
+    }
+    return identity;
 }
 
 //
-// Imports a certificate and private key and optionally add then to a keychain.
+// Imports a certificate (it might contain an identity or certificate depending on the format).
 //
-void
-IceSSL::loadCertificate(SecCertificateRef* cert, CFDataRef* hash, SecKeyRef* key, SecKeychainRef keychain, 
-                        const string& file, const string& passphrase, const PasswordPromptPtr& prompt,
-                        int passwordRetryMax)
+CFArrayRef
+IceSSL::loadCertificateChain(const string& file, const string& keyFile, SecKeychainRef keychain,
+                             const string& password, const PasswordPromptPtr& prompt, int retryMax)
 {
-    assert(cert);
-    CFArrayRef items = 0;
-    SecIdentityRef identity = 0;
-    
-    try
+    if(keyFile.empty())
     {
-        SecExternalFormat format = kSecFormatUnknown;
-        loadKeychainItems(&items, kSecClassCertificate, file, &format, keychain, passphrase, prompt, passwordRetryMax);
-        
-        if(items)
-        {
-            int count = CFArrayGetCount(items);
-            
-            for(int i = 0; i < count; ++i)
-            {
-                SecKeychainItemRef item = (SecKeychainItemRef)CFArrayGetValueAtIndex(items, i);
-                if(format == kSecFormatPKCS12)
-                {
-                    OSStatus err = noErr;
-                    if(SecIdentityGetTypeID() == CFGetTypeID(item))
-                    {
-                        if((err = SecIdentityCopyCertificate((SecIdentityRef)item, cert)) != noErr)
-                        {
-                            throw CertificateReadException(__FILE__, __LINE__, "Certificate error:\n" + 
-                                                        errorToString(err));
-                        }
-                        
-                        if((err = SecIdentityCopyPrivateKey((SecIdentityRef)item, key)) != noErr)
-                        {
-                            throw CertificateReadException(__FILE__, __LINE__, "Certificate error:\n" + 
-                                                        errorToString(err));
-                        }
-                        break;
-                    }
-                    else if(SecCertificateGetTypeID() == CFGetTypeID(item))
-                    {
-                        CFRetain(item);
-                        *cert = (SecCertificateRef)item;
-                        
-                        if((err = SecIdentityCreateWithCertificate(keychain, *cert, &identity)) != noErr)
-                        {
-                            throw CertificateReadException(__FILE__, __LINE__, "Certificate error:\n" + 
-                                                        errorToString(err));
-                        }
-                        if((err = SecIdentityCopyPrivateKey(identity, key)) != noErr)
-                        {
-                            throw CertificateReadException(__FILE__, __LINE__, "Certificate error:\n" + 
-                                                        errorToString(err));
-                        }
-                        
-                        CFRelease(identity);
-                        identity = 0;
-                        break;
-                    }
-                }
-                else if(SecCertificateGetTypeID() == CFGetTypeID(item))
-                {
-                    CFRetain(item);
-                    *cert = (SecCertificateRef)item;
-                    
-                    //
-                    // Copy the public key hash, that is used when added the private key
-                    // to create an association between the certificate and the corresponding
-                    // private key.
-                    //
-                    if(hash)
-                    {
-                        *hash = getSubjectKeyIdentifier(*cert);
-                        
-                        if(keychain)
-                        {
-                            SecKeychainItemRef newItem = addToKeychain(keychain, item, *hash, kSecClassCertificate);
-                            assert(newItem);
-                            CFRelease(*cert);
-                            *cert = (SecCertificateRef)newItem;
-                        }
-                    }
-                    break;
-                }
-            }
-            
-            CFRelease(items);
-            items = 0;
-        }
-        
-        if(!*cert)
-        {
-            throw CertificateReadException(__FILE__, __LINE__, 
-                                            "Certificate error:\n error importing certificate from " + file);
-        }
+        return loadKeychainItems(file, kSecItemTypeUnknown, keychain, password, prompt, retryMax);
     }
-    catch(...)
+    else
     {
-        if(*cert)
-        {
-            CFRelease(*cert);
-            *cert = 0;
-        }
-        
-        if(hash && *hash)
-        {
-            CFRelease(*hash);
-            *hash = 0;
-        }
-        
-        if(items)
-        {
-            CFRelease(items);
-        }
-        
-        if(identity)
-        {
-            CFRelease(identity);
-        }
-        
-        if(key && *key)
+        //
+        // Load the certificate, don't load into the keychain as it
+        // might already have been imported.
+        //
+        UniqueRef<CFArrayRef> items(loadKeychainItems(file, kSecItemTypeCertificate, 0, password, prompt, retryMax));
+        SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(items.get(), 0);
+        if(SecCertificateGetTypeID() != CFGetTypeID(cert))
         {
-            CFRelease(*key);
-            *key = 0;
+            ostringstream os;
+            os << "IceSSL: couldn't find certificate in `" << file << "'";
+            throw CertificateReadException(__FILE__, __LINE__, os.str());
         }
-        
-        throw;
+
+        //
+        // Load the private key for the given certificate. This will
+        // add the certificate/key to the keychain if they aren't
+        // already present in the keychain.
+        //
+        UniqueRef<SecIdentityRef> identity(loadPrivateKey(keyFile, cert, keychain, password, prompt, retryMax));
+        CFMutableArrayRef a = CFArrayCreateMutableCopy(kCFAllocatorDefault, 0, items.get());
+        CFArraySetValueAtIndex(a, 0, identity.get());
+        return a;
     }
 }
 
+SecCertificateRef
+IceSSL::loadCertificate(const string& file)
+{
+    CFArrayRef items = loadKeychainItems(file, kSecItemTypeCertificate, 0, "", 0, 0);
+    SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(items, 0);
+    CFRetain(cert);
+    CFRelease(items);
+    return cert;
+}
+
 CFArrayRef
-IceSSL::loadCACertificates(const string& file, const string& passphrase, const PasswordPromptPtr& prompt,
-                           int passwordRetryMax)
+IceSSL::loadCACertificates(const string& file)
 {
-    CFArrayRef items = 0;
-    SecExternalFormat format = kSecFormatUnknown;
-    loadKeychainItems(&items, kSecClassCertificate, file, &format, 0, passphrase, prompt, passwordRetryMax);
+    UniqueRef<CFArrayRef> items(loadKeychainItems(file, kSecItemTypeCertificate, 0, "", 0, 0));
     CFMutableArrayRef certificateAuthorities = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
-    if(items)
+    int count = CFArrayGetCount(items.get());
+    for(CFIndex i = 0; i < count; ++i)
     {
-        for(CFIndex i = 0, size = CFArrayGetCount(items); i < size; ++i)
+        SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(items.get(), i);
+        assert(SecCertificateGetTypeID() == CFGetTypeID(cert));
+        if(isCA(cert))
         {
-            SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(items, i);
-            if(isCA(cert))
-            {
-                CFArrayAppendValue(certificateAuthorities, cert);
-            }
+            CFArrayAppendValue(certificateAuthorities, cert);
         }
-        CFRelease(items);
     }
     return certificateAuthorities;
 }
 
 SecCertificateRef
-IceSSL::findCertificates(SecKeychainRef keychain, const string& prop, const string& value)
+IceSSL::findCertificate(SecKeychainRef keychain, const string& value)
 {
     //
     //  Search the keychain using key:value pairs. The following keys are supported:
@@ -1013,17 +831,19 @@ IceSSL::findCertificates(SecKeychainRef keychain, const string& prop, const stri
     //
     //   A value must be enclosed in single or double quotes if it contains whitespace.
     //
-    CFMutableDictionaryRef query =
-        CFDictionaryCreateMutable(0, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
-    
+    UniqueRef<CFMutableDictionaryRef> query(CFDictionaryCreateMutable(0,
+                                                                      0,
+                                                                      &kCFTypeDictionaryKeyCallBacks,
+                                                                      &kCFTypeDictionaryValueCallBacks));
+
     const void* values[] = { keychain };
-    CFArrayRef searchList = CFArrayCreate(kCFAllocatorDefault, values, 1, &kCFTypeArrayCallBacks);
-    
-    CFDictionarySetValue(query, kSecMatchLimit, kSecMatchLimitOne);
-    CFDictionarySetValue(query, kSecMatchSearchList, searchList);
-    CFDictionarySetValue(query, kSecClass, kSecClassCertificate);
-    CFDictionarySetValue(query, kSecReturnRef, kCFBooleanTrue);
-    CFDictionarySetValue(query, kSecMatchCaseInsensitive, kCFBooleanTrue);
+    UniqueRef<CFArrayRef> searchList(CFArrayCreate(kCFAllocatorDefault, values, 1, &kCFTypeArrayCallBacks));
+
+    CFDictionarySetValue(query.get(), kSecMatchLimit, kSecMatchLimitOne);
+    CFDictionarySetValue(query.get(), kSecMatchSearchList, searchList.get());
+    CFDictionarySetValue(query.get(), kSecClass, kSecClassCertificate);
+    CFDictionarySetValue(query.get(), kSecReturnRef, kCFBooleanTrue);
+    CFDictionarySetValue(query.get(), kSecMatchCaseInsensitive, kCFBooleanTrue);
 
     size_t start = 0;
     size_t pos;
@@ -1031,145 +851,107 @@ IceSSL::findCertificates(SecKeychainRef keychain, const string& prop, const stri
     {
         string field = IceUtilInternal::toUpper(IceUtilInternal::trim(value.substr(start, pos - start)));
         string arg;
-        try
+        if(field != "LABEL" && field != "SERIAL" && field != "SUBJECT" && field != "SUBJECTKEYID")
         {
-            if(field != "LABEL" && field != "SERIAL" && field != "SUBJECT" && field != "SUBJECTKEYID")
-            {
-                throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: unknown key in `" + value + "'");
-            }
+            throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: unknown key in `" + value + "'");
+        }
 
-            start = pos + 1;
-            while(start < value.size() && (value[start] == ' ' || value[start] == '\t'))
-            {
-                ++start;
-            }
-            
-            if(start == value.size())
-            {
-                throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: missing argument in `" + value + "'");
-            }
+        start = pos + 1;
+        while(start < value.size() && (value[start] == ' ' || value[start] == '\t'))
+        {
+            ++start;
+        }
+
+        if(start == value.size())
+        {
+            throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: missing argument in `" + value + "'");
+        }
 
-            if(value[start] == '"' || value[start] == '\'')
+        if(value[start] == '"' || value[start] == '\'')
+        {
+            size_t end = start;
+            ++end;
+            while(end < value.size())
             {
-                size_t end = start;
-                ++end;
-                while(end < value.size())
-                {
-                    if(value[end] == value[start] && value[end - 1] != '\\')
-                    {
-                        break;
-                    }
-                    ++end;
-                }
-                if(end == value.size() || value[end] != value[start])
+                if(value[end] == value[start] && value[end - 1] != '\\')
                 {
-                    throw PluginInitializationException(__FILE__, __LINE__, 
-                                                        "IceSSL: unmatched quote in `" + value + "'");
+                    break;
                 }
-                ++start;
-                arg = value.substr(start, end - start);
-                start = end + 1;
+                ++end;
             }
-            else
+            if(end == value.size() || value[end] != value[start])
             {
-                size_t end = value.find_first_of(" \t", start);
-                if(end == string::npos)
-                {
-                    arg = value.substr(start);
-                    start = value.size();
-                }
-                else
-                {
-                    arg = value.substr(start, end - start);
-                    start = end + 1;
-                }
+                throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: unmatched quote in `" + value + "'");
             }
+            ++start;
+            arg = value.substr(start, end - start);
+            start = end + 1;
         }
-        catch(...)
+        else
         {
-            CFRelease(searchList);
-            CFRelease(query);
-            throw;
+            size_t end = value.find_first_of(" \t", start);
+            if(end == string::npos)
+            {
+                arg = value.substr(start);
+                start = value.size();
+            }
+            else
+            {
+                arg = value.substr(start, end - start);
+                start = end + 1;
+            }
         }
 
         if(field == "SUBJECT" || field == "LABEL")
         {
-            CFDictionarySetValue(query, field == "LABEL" ? kSecAttrLabel : kSecMatchSubjectContains, toCFString(arg));
+            UniqueRef<CFStringRef> v(toCFString(arg));
+            CFDictionarySetValue(query.get(), field == "LABEL" ? kSecAttrLabel : kSecMatchSubjectContains, v.get());
         }
         else if(field == "SUBJECTKEYID" || field == "SERIAL")
         {
             vector<unsigned char> buffer;
             if(!parseBytes(arg, buffer))
             {
-                throw PluginInitializationException(__FILE__, __LINE__, 
-                                            "IceSSL: invalid value `" + value + "' for property `" + prop + "'");
+                throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: invalid value `" + value + "'");
             }
-            CFDataRef data = CFDataCreate(kCFAllocatorDefault, &buffer[0], buffer.size());
-            CFDictionarySetValue(query, field == "SUBJECTKEYID" ? kSecAttrSubjectKeyID : kSecAttrSerialNumber, data);
+            UniqueRef<CFDataRef> v(CFDataCreate(kCFAllocatorDefault, &buffer[0], buffer.size()));
+            CFDictionarySetValue(query.get(), field == "SUBJECTKEYID" ? kSecAttrSubjectKeyID : kSecAttrSerialNumber,
+                                 v.get());
         }
     }
 
-    SecKeychainItemRef item = 0;
-    OSStatus err = SecItemCopyMatching(query, (CFTypeRef*)&item);
-    CFRelease(searchList);
-    CFRelease(query);
-    if(err != noErr && err != errSecItemNotFound)
+    if(CFDictionaryGetCount(query.get()) == 5)
     {
-        throw PluginInitializationException(__FILE__, __LINE__, 
-                                            "Error searching for keychain items\n" + errorToString(err));
+        throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: invalid value `" + value + "'");
     }
-    return (SecCertificateRef)item;
-}
-#elif defined(ICE_USE_SCHANNEL)
 
-namespace
-{
-//
-// Parse a string of the form "location.name" into two parts.
-//
-void
-parseStore(const string& prop, const string& store, DWORD& loc, string& sname)
-{
-    size_t pos = store.find('.');
-    if(pos == string::npos)
+    SecCertificateRef cert = 0;
+    OSStatus err = SecItemCopyMatching(query.get(), (CFTypeRef*)&cert);
+    if(err != noErr)
     {
-        throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: property `" + prop + "' has invalid format");
+        throw PluginInitializationException(__FILE__, __LINE__,
+                                            "IceSSL: find certificate `" + value + "' failed:\n" + errorToString(err));
     }
+    return cert;
+}
 
-    const string sloc = IceUtilInternal::toUpper(store.substr(0, pos));
-    if(sloc == "CURRENTUSER")
-    {
-        loc = CERT_SYSTEM_STORE_CURRENT_USER;
-    }
-    else if(sloc == "LOCALMACHINE")
-    {
-        loc = CERT_SYSTEM_STORE_LOCAL_MACHINE;
-    }
-    else
-    {
-        throw PluginInitializationException(__FILE__, __LINE__, 
-                                            "IceSSL: unknown store location `" + sloc + "' in " + prop);
-    }
+#elif defined(ICE_USE_SCHANNEL)
 
-    sname = store.substr(pos + 1);
-    if(sname.empty())
-    {
-        throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: invalid store name in " + prop);
-    }
-}
+namespace
+{
 
 void
 addMatchingCertificates(HCERTSTORE source, HCERTSTORE target, DWORD findType, const void* findParam)
 {
     PCCERT_CONTEXT next = 0;
     do
-    { 
-        if((next = CertFindCertificateInStore(source, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, 
+    {
+        if((next = CertFindCertificateInStore(source, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0,
                                               findType, findParam, next)))
         {
             if(!CertAddCertificateContextToStore(target, next, CERT_STORE_ADD_ALWAYS, 0))
             {
-                throw PluginInitializationException(__FILE__, __LINE__, 
+                throw PluginInitializationException(__FILE__, __LINE__,
                     "IceSSL: error adding certificate to store:\n" + IceUtilInternal::lastErrorToString());
             }
         }
@@ -1179,18 +961,24 @@ addMatchingCertificates(HCERTSTORE source, HCERTSTORE target, DWORD findType, co
 
 }
 
-vector<PCCERT_CONTEXT> 
-IceSSL::findCertificates(const string& prop, const string& storeSpec, const string& value, vector<HCERTSTORE>& stores)
+vector<PCCERT_CONTEXT>
+IceSSL::findCertificates(const string& location, const string& name, const string& value, vector<HCERTSTORE>& stores)
 {
-    DWORD storeLoc = 0;
-    string storeName;
-    parseStore(prop, storeSpec, storeLoc, storeName);
+    DWORD storeLoc;
+    if(location == "CurrentUser")
+    {
+        storeLoc = CERT_SYSTEM_STORE_CURRENT_USER;
+    }
+    else
+    {
+        storeLoc = CERT_SYSTEM_STORE_LOCAL_MACHINE;
+    }
 
-    HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, storeLoc, stringToWstring(storeName).c_str());
+    HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, storeLoc, stringToWstring(name).c_str());
     if(!store)
     {
-        throw PluginInitializationException(__FILE__, __LINE__, 
-            "IceSSL: failure while opening store specified by " + prop + ":\n" + IceUtilInternal::lastErrorToString());
+        throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: failed to open certificate store `" + name +
+                                            "':\n" + IceUtilInternal::lastErrorToString());
     }
 
     //
@@ -1214,12 +1002,16 @@ IceSSL::findCertificates(const string& prop, const string& storeSpec, const stri
     {
         if(value != "*")
         {
+            if(value.find(':', 0) == string::npos)
+            {
+                throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: no key in `" + value + "'");
+            }
             size_t start = 0;
             size_t pos;
             while((pos = value.find(':', start)) != string::npos)
             {
                 string field = IceUtilInternal::toUpper(IceUtilInternal::trim(value.substr(start, pos - start)));
-                if(field != "SUBJECT" && field != "SUBJECTDN" && field != "ISSUER" && field != "ISSUERDN" && 
+                if(field != "SUBJECT" && field != "SUBJECTDN" && field != "ISSUER" && field != "ISSUERDN" &&
                    field != "THUMBPRINT" && field != "SUBJECTKEYID" && field != "SERIAL")
                 {
                     throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: unknown key in `" + value + "'");
@@ -1230,10 +1022,11 @@ IceSSL::findCertificates(const string& prop, const string& storeSpec, const stri
                 {
                     ++start;
                 }
-                
+
                 if(start == value.size())
                 {
-                    throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: missing argument in `" + value + "'");
+                    throw PluginInitializationException(__FILE__, __LINE__,
+                                                        "IceSSL: missing argument in `" + value + "'");
                 }
 
                 string arg;
@@ -1251,7 +1044,7 @@ IceSSL::findCertificates(const string& prop, const string& storeSpec, const stri
                     }
                     if(end == value.size() || value[end] != value[start])
                     {
-                        throw PluginInitializationException(__FILE__, __LINE__, 
+                        throw PluginInitializationException(__FILE__, __LINE__,
                                                             "IceSSL: unmatched quote in `" + value + "'");
                     }
                     ++start;
@@ -1276,7 +1069,7 @@ IceSSL::findCertificates(const string& prop, const string& storeSpec, const stri
                 tmpStore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, 0, 0);
                 if(!tmpStore)
                 {
-                    throw PluginInitializationException(__FILE__, __LINE__, 
+                    throw PluginInitializationException(__FILE__, __LINE__,
                                 "IceSSL: error adding certificate to store:\n" + IceUtilInternal::lastErrorToString());
                 }
 
@@ -1289,35 +1082,45 @@ IceSSL::findCertificates(const string& prop, const string& storeSpec, const stri
                 else if(field == "SUBJECTDN" || field == "ISSUERDN")
                 {
                     const wstring argW = stringToWstring(arg);
-                    DWORD length = 0;
-                    if(!CertStrToNameW(X509_ASN_ENCODING, argW.c_str(), CERT_OID_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
-                                       0, 0, &length, 0))
+                    DWORD flags[] = {
+                        CERT_OID_NAME_STR,
+                        CERT_OID_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
+                        CERT_OID_NAME_STR | CERT_NAME_STR_FORCE_UTF8_DIR_STR_FLAG,
+                        CERT_OID_NAME_STR | CERT_NAME_STR_FORCE_UTF8_DIR_STR_FLAG | CERT_NAME_STR_REVERSE_FLAG
+                    };
+                    for(size_t i = 0; i < sizeof(flags) / sizeof(DWORD); ++i)
                     {
-                        throw PluginInitializationException(__FILE__, __LINE__, 
-                                                "IceSSL: invalid value `" + value + "' for property `" + prop + "'\n" +
-                                                IceUtilInternal::lastErrorToString());
-                    }
+                        DWORD length = 0;
+                        if(!CertStrToNameW(X509_ASN_ENCODING, argW.c_str(), flags[i], 0, 0, &length, 0))
+                        {
+                            throw PluginInitializationException(
+                                __FILE__, __LINE__,
+                                "IceSSL: invalid value `" + value + "' for `IceSSL.FindCert' property:\n" +
+                                IceUtilInternal::lastErrorToString());
+                        }
 
-                    vector<BYTE> buffer(length);
-                    if(!CertStrToNameW(X509_ASN_ENCODING, argW.c_str(), CERT_OID_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
-                                       0, &buffer[0], &length, 0))
-                    {
-                        throw PluginInitializationException(__FILE__, __LINE__, 
-                                                "IceSSL: invalid value `" + value + "' for property `" + prop + "'\n" +
-                                                IceUtilInternal::lastErrorToString());
-                    }
+                        vector<BYTE> buffer(length);
+                        if(!CertStrToNameW(X509_ASN_ENCODING, argW.c_str(), flags[i], 0, &buffer[0], &length, 0))
+                        {
+                            throw PluginInitializationException(
+                                __FILE__, __LINE__,
+                                "IceSSL: invalid value `" + value + "' for `IceSSL.FindCert' property:\n" +
+                                IceUtilInternal::lastErrorToString());
+                        }
 
-                    CERT_NAME_BLOB name = { length, &buffer[0] };
-                    DWORD findType = field == "SUBJECTDN" ? CERT_FIND_SUBJECT_NAME : CERT_FIND_ISSUER_NAME;
-                    addMatchingCertificates(store, tmpStore, findType, &name);
+                        CERT_NAME_BLOB name = { length, &buffer[0] };
+
+                        DWORD findType = field == "SUBJECTDN" ? CERT_FIND_SUBJECT_NAME : CERT_FIND_ISSUER_NAME;
+                        addMatchingCertificates(store, tmpStore, findType, &name);
+                    }
                 }
                 else if(field == "THUMBPRINT" || field == "SUBJECTKEYID")
                 {
                     vector<BYTE> buffer;
                     if(!parseBytes(arg, buffer))
                     {
-                        throw PluginInitializationException(__FILE__, __LINE__, 
-                                                "IceSSL: invalid value `" + value + "' for property `" + prop + "'");
+                        throw PluginInitializationException(__FILE__, __LINE__,
+                                                "IceSSL: invalid `IceSSL.FindCert' property: can't decode the value");
                     }
 
                     CRYPT_HASH_BLOB hash = { static_cast<DWORD>(buffer.size()), &buffer[0] };
@@ -1329,22 +1132,22 @@ IceSSL::findCertificates(const string& prop, const string& storeSpec, const stri
                     vector<BYTE> buffer;
                     if(!parseBytes(arg, buffer))
                     {
-                        throw PluginInitializationException(__FILE__, __LINE__, 
-                                                "IceSSL: invalid value `" + value + "' for property `" + prop + "'");
+                        throw PluginInitializationException(__FILE__, __LINE__,
+                                                "IceSSL: invalid value `" + value + "' for `IceSSL.FindCert' property");
                     }
-                    
+
                     CRYPT_INTEGER_BLOB serial = { static_cast<DWORD>(buffer.size()), &buffer[0] };
                     PCCERT_CONTEXT next = 0;
                     do
                     {
-                        if((next = CertFindCertificateInStore(store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, 
+                        if((next = CertFindCertificateInStore(store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0,
                                                               CERT_FIND_ANY, 0, next)))
                         {
                             if(CertCompareIntegerBlob(&serial, &next->pCertInfo->SerialNumber))
                             {
                                 if(!CertAddCertificateContextToStore(tmpStore, next, CERT_STORE_ADD_ALWAYS, 0))
                                 {
-                                    throw PluginInitializationException(__FILE__, __LINE__, 
+                                    throw PluginInitializationException(__FILE__, __LINE__,
                                                                     "IceSSL: error adding certificate to store:\n" +
                                                                     IceUtilInternal::lastErrorToString());
                                 }
@@ -1378,8 +1181,8 @@ IceSSL::findCertificates(const string& prop, const string& storeSpec, const stri
     {
         PCCERT_CONTEXT next = 0;
         do
-        { 
-            if((next = CertFindCertificateInStore(store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_ANY, 0, 
+        {
+            if((next = CertFindCertificateInStore(store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_ANY, 0,
                                                   next)))
             {
                 certs.push_back(next);
@@ -1393,31 +1196,35 @@ IceSSL::findCertificates(const string& prop, const string& storeSpec, const stri
 #endif
 
 bool
-IceSSL::checkPath(string& path, const string& defaultDir, bool dir)
+IceSSL::checkPath(const string& path, const string& defaultDir, bool dir, string& resolved)
 {
-    //
-    // Check if file exists. If not, try prepending the default
-    // directory and check again. If the path exists, the string
-    // argument is modified and true is returned. Otherwise
-    // false is returned.
-    //
-    IceUtilInternal::structstat st;
-    int err = IceUtilInternal::stat(path, &st);
-    if(err == 0)
+    if(IceUtilInternal::isAbsolutePath(path))
     {
-        return dir ? S_ISDIR(st.st_mode) != 0 : S_ISREG(st.st_mode) != 0;
+        if((dir && IceUtilInternal::directoryExists(path)) || (!dir && IceUtilInternal::fileExists(path)))
+        {
+            resolved = path;
+            return true;
+        }
+        return false;
     }
 
+    //
+    // If a default directory is provided, the given path is relative to the default directory.
+    //
+    string tmp;
     if(!defaultDir.empty())
     {
-        string s = defaultDir + IceUtilInternal::separator + path;
-        err = ::IceUtilInternal::stat(s.c_str(), &st);
-        if(err == 0 && ((!dir && S_ISREG(st.st_mode)) || (dir && S_ISDIR(st.st_mode))))
-        {
-            path = s;
-            return true;
-        }
+        tmp = defaultDir + IceUtilInternal::separator + path;
+    }
+    else
+    {
+        tmp = path;
     }
 
+    if((dir && IceUtilInternal::directoryExists(tmp)) || (!dir && IceUtilInternal::fileExists(tmp)))
+    {
+        resolved = tmp;
+        return true;
+    }
     return false;
 }