zeroc-ice 3.7.5 → 3.7.6

data/ext/ice/cpp/src/IceSSL/OpenSSLTransceiverI.h

@@ -71,6 +71,7 @@ private:
     std::string _cipher;
     std::vector<IceSSL::CertificatePtr> _certs;
     bool _verified;
+    TrustError _trustError;
 
     SSL* _ssl;
     BIO* _memBio;

data/ext/ice/cpp/src/IceSSL/PluginI.cpp

@@ -130,3 +130,117 @@ ICEregisterIceSSL(bool loadOnInitialize)
 {
     Ice::registerIceSSL(loadOnInitialize);
 }
+
+IceSSL::TrustError
+IceSSL::getTrustError(const IceSSL::ConnectionInfoPtr& info)
+{
+    ExtendedConnectionInfoPtr extendedInfo = ICE_DYNAMIC_CAST(ExtendedConnectionInfo, info);
+    if (extendedInfo)
+    {
+        return extendedInfo->errorCode;
+    }
+    return info->verified ? IceSSL::ICE_ENUM(TrustError, NoError) : IceSSL::ICE_ENUM(TrustError, UnknownTrustFailure);
+}
+
+std::string
+IceSSL::getTrustErrorDescription(TrustError error)
+{
+    switch(error)
+    {
+        case  IceSSL::ICE_ENUM(TrustError, NoError):
+        {
+            return "no error";
+        }
+        case IceSSL::ICE_ENUM(TrustError, ChainTooLong):
+        {
+            return "the certificate chain length is greater than the specified maximum depth";
+        }
+        case IceSSL::ICE_ENUM(TrustError, HasExcludedNameConstraint):
+        {
+            return "the X509 chain is invalid because a certificate has excluded a name constraint";
+        }
+        case IceSSL::ICE_ENUM(TrustError, HasNonDefinedNameConstraint):
+        {
+            return "the certificate has an undefined name constraint";
+        }
+        case IceSSL::ICE_ENUM(TrustError, HasNonPermittedNameConstraint):
+        {
+            return "the certificate has a non permitted name constrain";
+        }
+        case IceSSL::ICE_ENUM(TrustError, HasNonSupportedCriticalExtension):
+        {
+            return "the certificate does not support a critical extension";
+        }
+        case IceSSL::ICE_ENUM(TrustError, HasNonSupportedNameConstraint):
+        {
+            return "the certificate does not have a supported name constraint or has a name constraint that "
+                   "is unsupported";
+        }
+        case IceSSL::ICE_ENUM(TrustError, HostNameMismatch):
+        {
+            return "a host name mismatch has occurred";
+        }
+        case IceSSL::ICE_ENUM(TrustError, InvalidBasicConstraints):
+        {
+            return "the X509 chain is invalid due to invalid basic constraints";
+        }
+        case IceSSL::ICE_ENUM(TrustError, InvalidExtension):
+        {
+            return "the X509 chain is invalid due to an invalid extension";
+        }
+        case IceSSL::ICE_ENUM(TrustError, InvalidNameConstraints):
+        {
+            return "the X509 chain is invalid due to invalid name constraints";
+        }
+        case IceSSL::ICE_ENUM(TrustError, InvalidPolicyConstraints):
+        {
+            return "the X509 chain is invalid due to invalid policy constraints";
+        }
+        case IceSSL::ICE_ENUM(TrustError, InvalidPurpose):
+        {
+            return "the supplied certificate cannot be used for the specified purpose";
+        }
+        case IceSSL::ICE_ENUM(TrustError, InvalidSignature):
+        {
+            return "the X509 chain is invalid due to an invalid certificate signature";
+        }
+        case IceSSL::ICE_ENUM(TrustError, InvalidTime):
+        {
+            return "the X509 chain is not valid due to an invalid time value, such as a value that indicates an "
+                   "expired certificate";
+        }
+        case IceSSL::ICE_ENUM(TrustError, NotTrusted):
+        {
+            return "the certificate is explicitly distrusted";
+        }
+        case IceSSL::ICE_ENUM(TrustError, PartialChain):
+        {
+            return "the X509 chain could not be built up to the root certificate";
+        }
+        case IceSSL::ICE_ENUM(TrustError, RevocationStatusUnknown):
+        {
+            return "it is not possible to determine whether the certificate has been revoked";
+        }
+        case IceSSL::ICE_ENUM(TrustError, Revoked):
+        {
+            return "the X509 chain is invalid due to a revoked certificate";
+        }
+        case IceSSL::ICE_ENUM(TrustError, UntrustedRoot):
+        {
+            return "the X509 chain is invalid due to an untrusted root certificate";
+        }
+        case IceSSL::ICE_ENUM(TrustError, UnknownTrustFailure):
+        {
+            return "unknown failure";
+        }
+    }
+    assert(false);
+    return "unknown failure";
+}
+
+std::string
+IceSSL::getHost(const IceSSL::ConnectionInfoPtr& info)
+{
+    ExtendedConnectionInfoPtr extendedInfo = ICE_DYNAMIC_CAST(ExtendedConnectionInfo, info);
+    return extendedInfo ? extendedInfo->host : "";
+}

data/ext/ice/cpp/src/IceSSL/PluginI.h

@@ -7,11 +7,21 @@
 
 #include <IceSSL/Plugin.h>
 #include <IceSSL/SSLEngineF.h>
+#include <IceSSL/ConnectionInfo.h>
 #include <Ice/CommunicatorF.h>
 
 namespace IceSSL
 {
 
+class ExtendedConnectionInfo : public ConnectionInfo
+{
+public:
+
+    TrustError errorCode;
+    std::string host;
+};
+ICE_DEFINE_PTR(ExtendedConnectionInfoPtr, ExtendedConnectionInfo);
+
 class ICESSL_API PluginI : public virtual IceSSL::Plugin
 {
 public:

data/ext/ice/cpp/src/IceSSL/SChannelTransceiverI.cpp

@@ -9,6 +9,7 @@
 #include <IceSSL/ConnectionInfo.h>
 #include <IceSSL/Instance.h>
 #include <IceSSL/SChannelEngine.h>
+#include <IceSSL/PluginI.h>
 #include <IceSSL/Util.h>
 #include <Ice/Communicator.h>
 #include <Ice/LoggerUtil.h>
@@ -47,6 +48,96 @@ protocolName(DWORD protocol)
     }
 }
 
+TrustError
+trustStatusToTrustError(DWORD status)
+{
+    if (status & CERT_TRUST_NO_ERROR)
+    {
+        return IceSSL::ICE_ENUM(TrustError, NoError);
+    }
+    if (status & CERT_TRUST_IS_NOT_TIME_VALID)
+    {
+        return IceSSL::ICE_ENUM(TrustError, InvalidTime);
+    }
+    if (status & CERT_TRUST_IS_REVOKED)
+    {
+        return IceSSL::ICE_ENUM(TrustError, Revoked);
+    }
+    if (status & CERT_TRUST_IS_NOT_SIGNATURE_VALID)
+    {
+        return IceSSL::ICE_ENUM(TrustError, InvalidSignature);
+    }
+    if (status & CERT_TRUST_IS_NOT_VALID_FOR_USAGE)
+    {
+        return IceSSL::ICE_ENUM(TrustError, InvalidPurpose);
+    }
+    if ((status & CERT_TRUST_IS_UNTRUSTED_ROOT) ||
+        (status & CERT_TRUST_IS_CYCLIC) ||
+        (status & CERT_TRUST_CTL_IS_NOT_TIME_VALID) ||
+        (status & CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID) ||
+        (status & CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE))
+    {
+        return IceSSL::ICE_ENUM(TrustError, UntrustedRoot);
+    }
+    if (status & CERT_TRUST_REVOCATION_STATUS_UNKNOWN)
+    {
+        return IceSSL::ICE_ENUM(TrustError, RevocationStatusUnknown);
+    }
+    if (status & CERT_TRUST_INVALID_EXTENSION)
+    {
+        return IceSSL::ICE_ENUM(TrustError, InvalidExtension);
+    }
+    if (status & CERT_TRUST_INVALID_POLICY_CONSTRAINTS)
+    {
+        return IceSSL::ICE_ENUM(TrustError, InvalidPolicyConstraints);
+    }
+    if (status & CERT_TRUST_INVALID_BASIC_CONSTRAINTS)
+    {
+        return IceSSL::ICE_ENUM(TrustError, InvalidBasicConstraints);
+    }
+    if (status & CERT_TRUST_INVALID_NAME_CONSTRAINTS)
+    {
+        return IceSSL::ICE_ENUM(TrustError, InvalidNameConstraints);
+    }
+    if (status & CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT)
+    {
+        return IceSSL::ICE_ENUM(TrustError, HasNonSupportedNameConstraint);
+    }
+    if (status & CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT)
+    {
+        return IceSSL::ICE_ENUM(TrustError, HasNonDefinedNameConstraint);
+    }
+    if (status & CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT)
+    {
+        return IceSSL::ICE_ENUM(TrustError, HasNonPermittedNameConstraint);
+    }
+    if (status & CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT)
+    {
+        return IceSSL::ICE_ENUM(TrustError, HasExcludedNameConstraint);
+    }
+    if (status & CERT_TRUST_IS_OFFLINE_REVOCATION)
+    {
+        return IceSSL::ICE_ENUM(TrustError, RevocationStatusUnknown);
+    }
+    if (status & CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY)
+    {
+        return IceSSL::ICE_ENUM(TrustError, InvalidPolicyConstraints);
+    }
+    if (status & CERT_TRUST_IS_EXPLICIT_DISTRUST)
+    {
+        return IceSSL::ICE_ENUM(TrustError, NotTrusted);
+    }
+    if (status & CERT_TRUST_HAS_NOT_SUPPORTED_CRITICAL_EXT)
+    {
+        return IceSSL::ICE_ENUM(TrustError, HasNonSupportedCriticalExtension);
+    }
+    if (status & CERT_TRUST_IS_PARTIAL_CHAIN)
+    {
+        return IceSSL::ICE_ENUM(TrustError, PartialChain);
+    }
+    return IceSSL::ICE_ENUM(TrustError, UnknownTrustFailure);
+}
+
 string
 trustStatusToString(DWORD status)
 {
@@ -674,21 +765,24 @@ SChannel::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal:
 
         string trustError;
         PCCERT_CHAIN_CONTEXT certChain;
-        if(!CertGetCertificateChain(_engine->chainEngine(), cert, 0, 0, &chainP,
+        if(!CertGetCertificateChain(_engine->chainEngine(), cert, 0, cert->hCertStore, &chainP,
                                     CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY, 0, &certChain))
         {
             CertFreeCertificateContext(cert);
             trustError = IceUtilInternal::lastErrorToString();
+            _trustError = IceSSL::ICE_ENUM(TrustError, UnknownTrustFailure);
         }
         else
         {
             if(certChain->TrustStatus.dwErrorStatus != CERT_TRUST_NO_ERROR)
             {
                 trustError = trustStatusToString(certChain->TrustStatus.dwErrorStatus);
+                _trustError = trustStatusToTrustError(certChain->TrustStatus.dwErrorStatus);
             }
             else
             {
                 _verified = true;
+                _trustError = IceSSL::ICE_ENUM(TrustError, NoError);
             }
 
             CERT_SIMPLE_CHAIN* simpleChain = certChain->rgpChain[0];
@@ -753,7 +847,10 @@ SChannel::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal:
     }
     catch(const Ice::SecurityException&)
     {
+        _trustError = IceSSL::ICE_ENUM(TrustError, HostNameMismatch);
         _verified = false;
+        ICE_DYNAMIC_CAST(ExtendedConnectionInfo, info)->errorCode = IceSSL::ICE_ENUM(TrustError, HostNameMismatch);
+        info->verified = false;
         if(_engine->getVerifyPeer() > 0)
         {
             throw;
@@ -1001,13 +1098,15 @@ SChannel::TransceiverI::toDetailedString() const
 Ice::ConnectionInfoPtr
 SChannel::TransceiverI::getInfo() const
 {
-    ConnectionInfoPtr info = ICE_MAKE_SHARED(ConnectionInfo);
+    ExtendedConnectionInfoPtr info = ICE_MAKE_SHARED(ExtendedConnectionInfo);
     info->underlying = _delegate->getInfo();
     info->incoming = _incoming;
     info->adapterName = _adapterName;
     info->cipher = _cipher;
     info->certs = _certs;
     info->verified = _verified;
+    info->errorCode = _trustError;
+    info->host = _incoming ? "" : _host;
     return info;
 }
 

data/ext/ice/cpp/src/IceSSL/SChannelTransceiverI.h

@@ -120,6 +120,7 @@ private:
     std::string _cipher;
     std::vector<IceSSL::CertificatePtr> _certs;
     bool _verified;
+    TrustError _trustError;
 };
 typedef IceUtil::Handle<TransceiverI> TransceiverIPtr;
 

data/ext/ice/cpp/src/IceSSL/SecureTransportTransceiverI.cpp

@@ -4,6 +4,7 @@
 
 #include <IceSSL/SecureTransportTransceiverI.h>
 #include <IceSSL/Instance.h>
+#include <IceSSL/PluginI.h>
 #include <IceSSL/SecureTransportEngine.h>
 #include <IceSSL/SecureTransportUtil.h>
 #include <IceSSL/ConnectionInfo.h>
@@ -20,36 +21,6 @@ using namespace IceSSL::SecureTransport;
 namespace
 {
 
-string
-trustResultDescription(SecTrustResultType result)
-{
-    switch(result)
-    {
-        case kSecTrustResultInvalid:
-        {
-            return "Invalid setting or result";
-        }
-        case kSecTrustResultDeny:
-        {
-            return "The user specified that the certificate should not be trusted";
-        }
-        case kSecTrustResultRecoverableTrustFailure:
-        case kSecTrustResultFatalTrustFailure:
-        {
-            return "Trust denied";
-        }
-        case kSecTrustResultOtherError:
-        {
-            return "Other error internal error";
-        }
-        default:
-        {
-            assert(false);
-            return "";
-        }
-    }
-}
-
 string
 protocolName(SSLProtocol protocol)
 {
@@ -92,14 +63,96 @@ socketRead(SSLConnectionRef connection, void* data, size_t* length)
     return transceiver->readRaw(reinterpret_cast<char*>(data), length);
 }
 
-bool
+TrustError errorToTrustError(CFErrorRef err)
+{
+    long errorCode = CFErrorGetCode(err);
+    switch (errorCode)
+    {
+        case errSecPathLengthConstraintExceeded:
+        {
+            return IceSSL::ICE_ENUM(TrustError, ChainTooLong);
+        }
+        case errSecUnknownCRLExtension:
+        case errSecUnknownCriticalExtensionFlag:
+        {
+            return IceSSL::ICE_ENUM(TrustError, HasNonSupportedCriticalExtension);
+        }
+        case errSecHostNameMismatch:
+        {
+            return IceSSL::ICE_ENUM(TrustError, HostNameMismatch);
+        }
+        case errSecCodeSigningNoBasicConstraints:
+        case errSecNoBasicConstraints:
+        case errSecNoBasicConstraintsCA:
+        {
+            return IceSSL::ICE_ENUM(TrustError, InvalidBasicConstraints);
+        }
+        case errSecMissingRequiredExtension:
+        case errSecUnknownCertExtension:
+        {
+            return IceSSL::ICE_ENUM(TrustError, InvalidExtension);
+        }
+        case errSecCertificateNameNotAllowed:
+        case errSecInvalidName:
+        {
+            return IceSSL::ICE_ENUM(TrustError, InvalidNameConstraints);
+        }
+        case errSecCertificatePolicyNotAllowed:
+        case errSecInvalidPolicyIdentifiers:
+        case errSecInvalidCertificateRef:
+        case errSecInvalidDigestAlgorithm:
+        case errSecUnsupportedKeySize:
+        {
+            return IceSSL::ICE_ENUM(TrustError, InvalidPolicyConstraints);
+        }
+        case errSecInvalidExtendedKeyUsage:
+        case errSecInvalidKeyUsageForPolicy:
+        {
+            return IceSSL::ICE_ENUM(TrustError, InvalidPurpose);
+        }
+        case errSecInvalidSignature:
+        {
+            return IceSSL::ICE_ENUM(TrustError, InvalidSignature);
+        }
+        case errSecCertificateExpired:
+        case errSecCertificateNotValidYet:
+        case errSecCertificateValidityPeriodTooLong:
+        {
+            return IceSSL::ICE_ENUM(TrustError, InvalidTime);
+        }
+        case errSecCreateChainFailed:
+        {
+            return IceSSL::ICE_ENUM(TrustError, PartialChain);
+        }
+        case errSecCertificateRevoked:
+        {
+            return IceSSL::ICE_ENUM(TrustError, Revoked);
+        }
+        case errSecIncompleteCertRevocationCheck:
+        case errSecOCSPNotTrustedToAnchor:
+        {
+            return IceSSL::ICE_ENUM(TrustError, RevocationStatusUnknown);
+        }
+        case errSecNotTrusted:
+        case errSecVerifyActionFailed:
+        {
+            return IceSSL::ICE_ENUM(TrustError, UntrustedRoot);
+        }
+        default:
+        {
+            return IceSSL::ICE_ENUM(TrustError, UnknownTrustFailure);
+        }
+    }
+}
+
+TrustError
 checkTrustResult(SecTrustRef trust,
                  const IceSSL::SecureTransport::SSLEnginePtr& engine,
                  const IceSSL::InstancePtr& instance,
                  const string& host)
 {
     OSStatus err = noErr;
-    SecTrustResultType trustResult = kSecTrustResultOtherError;
+    UniqueRef<CFErrorRef> trustErr;
     if(trust)
     {
         if((err = SecTrustSetAnchorCertificates(trust, engine->getCertificateAuthorities())))
@@ -138,53 +191,38 @@ checkTrustResult(SecTrustRef trust,
         //
         // Evaluate the trust
         //
-        if((err = SecTrustEvaluate(trust, &trustResult)))
+        if(SecTrustEvaluateWithError(trust, &trustErr.get()))
         {
-            throw SecurityException(__FILE__, __LINE__, "IceSSL: handshake failure:\n" + sslErrorToString(err));
+            return IceSSL::ICE_ENUM(TrustError, NoError);
         }
-    }
-
-    switch(trustResult)
-    {
-    case kSecTrustResultUnspecified:
-    case kSecTrustResultProceed:
-    {
-        //
-        // Trust verify success.
-        //
-        return true;
-    }
-    default:
-    // case kSecTrustResultInvalid:
-    // case kSecTrustResultConfirm: // Used in old macOS versions
-    // case kSecTrustResultDeny:
-    // case kSecTrustResultRecoverableTrustFailure:
-    // case kSecTrustResultFatalTrustFailure:
-    // case kSecTrustResultOtherError:
-    {
-        if(engine->getVerifyPeer() == 0)
+        else
         {
-            if(instance->traceLevel() >= 1)
+            TrustError trustError = errorToTrustError(trustErr.get());
+            if(engine->getVerifyPeer() == 0)
             {
-                ostringstream os;
-                os << "IceSSL: ignoring certificate verification failure:\n" << trustResultDescription(trustResult);
-                instance->logger()->trace(instance->traceCategory(), os.str());
+                if(instance->traceLevel() >= 1)
+                {
+                    ostringstream os;
+                    os << "IceSSL: ignoring certificate verification failure:\n"
+                       << getTrustErrorDescription(trustError);
+                    instance->logger()->trace(instance->traceCategory(), os.str());
+                }
+                return trustError;
             }
-            return false;
-        }
-        else
-        {
-            ostringstream os;
-            os << "IceSSL: certificate verification failure:\n" << trustResultDescription(trustResult);
-            string msg = os.str();
-            if(instance->traceLevel() >= 1)
+            else
             {
-                instance->logger()->trace(instance->traceCategory(), msg);
+                ostringstream os;
+                os << "IceSSL: certificate verification failure:\n" << getTrustErrorDescription(trustError);
+                string msg = os.str();
+                if(instance->traceLevel() >= 1)
+                {
+                    instance->logger()->trace(instance->traceCategory(), msg);
+                }
+                throw SecurityException(__FILE__, __LINE__, msg);
             }
-            throw SecurityException(__FILE__, __LINE__, msg);
         }
     }
-    }
+    return IceSSL::ICE_ENUM(TrustError, UnknownTrustFailure);
 }
 }
 
@@ -288,7 +326,8 @@ IceSSL::SecureTransport::TransceiverI::initialize(IceInternal::Buffer& readBuffe
             }
             if(err == noErr)
             {
-                _verified = checkTrustResult(_trust.get(), _engine, _instance, _host);
+                _trustError = checkTrustResult(_trust.get(), _engine, _instance, _host);
+                _verified = _trustError == IceSSL::ICE_ENUM(TrustError, NoError);
                 continue; // Call SSLHandshake to resume the handsake.
             }
             // Let it fall through, this will raise a SecurityException with the SSLCopyPeerTrust error.
@@ -546,13 +585,15 @@ IceSSL::SecureTransport::TransceiverI::toDetailedString() const
 Ice::ConnectionInfoPtr
 IceSSL::SecureTransport::TransceiverI::getInfo() const
 {
-    IceSSL::ConnectionInfoPtr info = ICE_MAKE_SHARED(IceSSL::ConnectionInfo);
+    IceSSL::ExtendedConnectionInfoPtr info = ICE_MAKE_SHARED(IceSSL::ExtendedConnectionInfo);
     info->underlying = _delegate->getInfo();
     info->incoming = _incoming;
     info->adapterName = _adapterName;
     info->cipher = _cipher;
     info->certs = _certs;
     info->verified = _verified;
+    info->errorCode = _trustError;
+    info->host = _incoming ? "" : _host;
     return info;
 }