zeroc-ice 3.7.5 → 3.7.6
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/ext/Config.h +3 -0
- data/ext/ice/cpp/include/Ice/Exception.h +3 -3
- data/ext/ice/cpp/include/Ice/IconvStringConverter.h +1 -1
- data/ext/ice/cpp/include/Ice/Object.h +5 -0
- data/ext/ice/cpp/include/Ice/Service.h +1 -1
- data/ext/ice/cpp/include/IceSSL/Plugin.h +58 -0
- data/ext/ice/cpp/include/IceUtil/Config.h +3 -2
- data/ext/ice/cpp/include/IceUtil/MutexPtrLock.h +4 -4
- data/ext/ice/cpp/include/IceUtil/ResourceConfig.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/BuiltinSequences.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/Communicator.h +8 -2
- data/ext/ice/cpp/include/generated/Ice/CommunicatorF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/Connection.h +45 -2
- data/ext/ice/cpp/include/generated/Ice/ConnectionF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/Current.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/Endpoint.h +38 -2
- data/ext/ice/cpp/include/generated/Ice/EndpointF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/EndpointTypes.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/FacetMap.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/Identity.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/ImplicitContext.h +8 -2
- data/ext/ice/cpp/include/generated/Ice/ImplicitContextF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/Instrumentation.h +62 -2
- data/ext/ice/cpp/include/generated/Ice/InstrumentationF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/LocalException.h +464 -68
- data/ext/ice/cpp/include/generated/Ice/Locator.h +55 -7
- data/ext/ice/cpp/include/generated/Ice/LocatorF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/Logger.h +8 -2
- data/ext/ice/cpp/include/generated/Ice/LoggerF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/Metrics.h +63 -11
- data/ext/ice/cpp/include/generated/Ice/ObjectAdapter.h +8 -2
- data/ext/ice/cpp/include/generated/Ice/ObjectAdapterF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/ObjectFactory.h +8 -2
- data/ext/ice/cpp/include/generated/Ice/Plugin.h +14 -2
- data/ext/ice/cpp/include/generated/Ice/PluginF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/Process.h +8 -2
- data/ext/ice/cpp/include/generated/Ice/ProcessF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/Properties.h +8 -2
- data/ext/ice/cpp/include/generated/Ice/PropertiesAdmin.h +8 -2
- data/ext/ice/cpp/include/generated/Ice/PropertiesF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/RemoteLogger.h +21 -3
- data/ext/ice/cpp/include/generated/Ice/Router.h +14 -2
- data/ext/ice/cpp/include/generated/Ice/RouterF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/ServantLocator.h +8 -2
- data/ext/ice/cpp/include/generated/Ice/ServantLocatorF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/SliceChecksumDict.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/ValueFactory.h +14 -2
- data/ext/ice/cpp/include/generated/Ice/Version.h +2 -2
- data/ext/ice/cpp/include/generated/IceSSL/ConnectionInfo.h +7 -2
- data/ext/ice/cpp/include/generated/IceSSL/ConnectionInfoF.h +2 -2
- data/ext/ice/cpp/include/generated/IceSSL/EndpointInfo.h +7 -2
- data/ext/ice/cpp/src/Ice/BuiltinSequences.cpp +2 -2
- data/ext/ice/cpp/src/Ice/Communicator.cpp +2 -2
- data/ext/ice/cpp/src/Ice/CommunicatorF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/Connection.cpp +2 -2
- data/ext/ice/cpp/src/Ice/ConnectionF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/Current.cpp +2 -2
- data/ext/ice/cpp/src/Ice/Endpoint.cpp +2 -2
- data/ext/ice/cpp/src/Ice/EndpointF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/EndpointTypes.cpp +2 -2
- data/ext/ice/cpp/src/Ice/FacetMap.cpp +2 -2
- data/ext/ice/cpp/src/Ice/Identity.cpp +2 -2
- data/ext/ice/cpp/src/Ice/ImplicitContext.cpp +2 -2
- data/ext/ice/cpp/src/Ice/ImplicitContextF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/InputStream.cpp +10 -10
- data/ext/ice/cpp/src/Ice/Instrumentation.cpp +2 -2
- data/ext/ice/cpp/src/Ice/InstrumentationF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/LocalException.cpp +398 -2
- data/ext/ice/cpp/src/Ice/Locator.cpp +32 -2
- data/ext/ice/cpp/src/Ice/LocatorF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/Logger.cpp +2 -2
- data/ext/ice/cpp/src/Ice/LoggerF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/Metrics.cpp +8 -2
- data/ext/ice/cpp/src/Ice/ObjectAdapter.cpp +2 -2
- data/ext/ice/cpp/src/Ice/ObjectAdapterF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/ObjectFactory.cpp +2 -2
- data/ext/ice/cpp/src/Ice/Plugin.cpp +2 -2
- data/ext/ice/cpp/src/Ice/PluginF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/Process.cpp +2 -2
- data/ext/ice/cpp/src/Ice/ProcessF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/Properties.cpp +2 -2
- data/ext/ice/cpp/src/Ice/PropertiesAdmin.cpp +2 -2
- data/ext/ice/cpp/src/Ice/PropertiesF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/PropertyNames.cpp +1 -2
- data/ext/ice/cpp/src/Ice/PropertyNames.h +1 -1
- data/ext/ice/cpp/src/Ice/RemoteLogger.cpp +8 -2
- data/ext/ice/cpp/src/Ice/Router.cpp +2 -2
- data/ext/ice/cpp/src/Ice/RouterF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/ServantLocator.cpp +2 -2
- data/ext/ice/cpp/src/Ice/ServantLocatorF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/SliceChecksumDict.cpp +2 -2
- data/ext/ice/cpp/src/Ice/ValueFactory.cpp +2 -2
- data/ext/ice/cpp/src/Ice/Version.cpp +2 -2
- data/ext/ice/cpp/src/IceDiscovery/IceDiscovery.cpp +2 -2
- data/ext/ice/cpp/src/IceDiscovery/IceDiscovery.h +14 -2
- data/ext/ice/cpp/src/IceLocatorDiscovery/IceLocatorDiscovery.cpp +2 -2
- data/ext/ice/cpp/src/IceLocatorDiscovery/IceLocatorDiscovery.h +14 -2
- data/ext/ice/cpp/src/IceSSL/ConnectionInfo.cpp +2 -2
- data/ext/ice/cpp/src/IceSSL/ConnectionInfoF.cpp +2 -2
- data/ext/ice/cpp/src/IceSSL/EndpointInfo.cpp +2 -2
- data/ext/ice/cpp/src/IceSSL/OpenSSLCertificateI.cpp +4 -1
- data/ext/ice/cpp/src/IceSSL/OpenSSLTransceiverI.cpp +104 -1
- data/ext/ice/cpp/src/IceSSL/OpenSSLTransceiverI.h +1 -0
- data/ext/ice/cpp/src/IceSSL/PluginI.cpp +114 -0
- data/ext/ice/cpp/src/IceSSL/PluginI.h +10 -0
- data/ext/ice/cpp/src/IceSSL/SChannelTransceiverI.cpp +101 -2
- data/ext/ice/cpp/src/IceSSL/SChannelTransceiverI.h +1 -0
- data/ext/ice/cpp/src/IceSSL/SecureTransportTransceiverI.cpp +113 -72
- data/ext/ice/cpp/src/IceSSL/SecureTransportTransceiverI.h +1 -0
- data/ext/ice/cpp/src/IceUtil/Time.cpp +2 -2
- data/ext/ice/cpp/src/Slice/CPlusPlusUtil.cpp +6 -2
- data/ext/ice/cpp/src/Slice/JavaUtil.cpp +8 -0
- data/ext/ice/cpp/src/Slice/PHPUtil.cpp +4 -0
- data/ext/ice/cpp/src/Slice/PythonUtil.cpp +4 -0
- data/ext/ice/cpp/src/Slice/Scanner.cpp +620 -368
- data/ext/ice/mcpp/CMakeLists.txt +80 -0
- data/ext/ice/mcpp/expand.c +6 -6
- data/ice.gemspec +1 -1
- data/lib/Glacier2/Metrics.rb +1 -1
- data/lib/Glacier2/PermissionsVerifier.rb +1 -1
- data/lib/Glacier2/PermissionsVerifierF.rb +1 -1
- data/lib/Glacier2/Router.rb +1 -1
- data/lib/Glacier2/RouterF.rb +1 -1
- data/lib/Glacier2/SSLInfo.rb +1 -1
- data/lib/Glacier2/Session.rb +1 -1
- data/lib/Ice/BuiltinSequences.rb +1 -1
- data/lib/Ice/Communicator.rb +1 -1
- data/lib/Ice/CommunicatorF.rb +1 -1
- data/lib/Ice/Connection.rb +1 -1
- data/lib/Ice/ConnectionF.rb +1 -1
- data/lib/Ice/Current.rb +1 -1
- data/lib/Ice/Endpoint.rb +1 -1
- data/lib/Ice/EndpointF.rb +1 -1
- data/lib/Ice/EndpointTypes.rb +1 -1
- data/lib/Ice/FacetMap.rb +1 -1
- data/lib/Ice/Identity.rb +1 -1
- data/lib/Ice/ImplicitContext.rb +1 -1
- data/lib/Ice/ImplicitContextF.rb +1 -1
- data/lib/Ice/Instrumentation.rb +1 -1
- data/lib/Ice/InstrumentationF.rb +1 -1
- data/lib/Ice/LocalException.rb +1 -1
- data/lib/Ice/Locator.rb +1 -1
- data/lib/Ice/LocatorF.rb +1 -1
- data/lib/Ice/Logger.rb +1 -1
- data/lib/Ice/LoggerF.rb +1 -1
- data/lib/Ice/Metrics.rb +1 -1
- data/lib/Ice/ObjectAdapter.rb +1 -1
- data/lib/Ice/ObjectAdapterF.rb +1 -1
- data/lib/Ice/ObjectFactory.rb +1 -1
- data/lib/Ice/Plugin.rb +1 -1
- data/lib/Ice/PluginF.rb +1 -1
- data/lib/Ice/Process.rb +1 -1
- data/lib/Ice/ProcessF.rb +1 -1
- data/lib/Ice/Properties.rb +1 -1
- data/lib/Ice/PropertiesAdmin.rb +1 -1
- data/lib/Ice/PropertiesF.rb +1 -1
- data/lib/Ice/RemoteLogger.rb +1 -1
- data/lib/Ice/Router.rb +1 -1
- data/lib/Ice/RouterF.rb +1 -1
- data/lib/Ice/ServantLocator.rb +1 -1
- data/lib/Ice/ServantLocatorF.rb +1 -1
- data/lib/Ice/SliceChecksumDict.rb +1 -1
- data/lib/Ice/ValueFactory.rb +1 -1
- data/lib/Ice/Version.rb +1 -1
- data/lib/IceBox/IceBox.rb +1 -1
- data/lib/IceGrid/Admin.rb +1 -1
- data/lib/IceGrid/Descriptor.rb +1 -1
- data/lib/IceGrid/Exception.rb +1 -1
- data/lib/IceGrid/FileParser.rb +1 -1
- data/lib/IceGrid/PluginFacade.rb +1 -1
- data/lib/IceGrid/Registry.rb +1 -1
- data/lib/IceGrid/Session.rb +1 -1
- data/lib/IceGrid/UserAccountMapper.rb +1 -1
- data/lib/IcePatch2/FileInfo.rb +1 -1
- data/lib/IcePatch2/FileServer.rb +1 -1
- data/lib/IceStorm/IceStorm.rb +1 -1
- data/lib/IceStorm/Metrics.rb +1 -1
- metadata +4 -4
@@ -130,3 +130,117 @@ ICEregisterIceSSL(bool loadOnInitialize)
|
|
130
130
|
{
|
131
131
|
Ice::registerIceSSL(loadOnInitialize);
|
132
132
|
}
|
133
|
+
|
134
|
+
IceSSL::TrustError
|
135
|
+
IceSSL::getTrustError(const IceSSL::ConnectionInfoPtr& info)
|
136
|
+
{
|
137
|
+
ExtendedConnectionInfoPtr extendedInfo = ICE_DYNAMIC_CAST(ExtendedConnectionInfo, info);
|
138
|
+
if (extendedInfo)
|
139
|
+
{
|
140
|
+
return extendedInfo->errorCode;
|
141
|
+
}
|
142
|
+
return info->verified ? IceSSL::ICE_ENUM(TrustError, NoError) : IceSSL::ICE_ENUM(TrustError, UnknownTrustFailure);
|
143
|
+
}
|
144
|
+
|
145
|
+
std::string
|
146
|
+
IceSSL::getTrustErrorDescription(TrustError error)
|
147
|
+
{
|
148
|
+
switch(error)
|
149
|
+
{
|
150
|
+
case IceSSL::ICE_ENUM(TrustError, NoError):
|
151
|
+
{
|
152
|
+
return "no error";
|
153
|
+
}
|
154
|
+
case IceSSL::ICE_ENUM(TrustError, ChainTooLong):
|
155
|
+
{
|
156
|
+
return "the certificate chain length is greater than the specified maximum depth";
|
157
|
+
}
|
158
|
+
case IceSSL::ICE_ENUM(TrustError, HasExcludedNameConstraint):
|
159
|
+
{
|
160
|
+
return "the X509 chain is invalid because a certificate has excluded a name constraint";
|
161
|
+
}
|
162
|
+
case IceSSL::ICE_ENUM(TrustError, HasNonDefinedNameConstraint):
|
163
|
+
{
|
164
|
+
return "the certificate has an undefined name constraint";
|
165
|
+
}
|
166
|
+
case IceSSL::ICE_ENUM(TrustError, HasNonPermittedNameConstraint):
|
167
|
+
{
|
168
|
+
return "the certificate has a non permitted name constrain";
|
169
|
+
}
|
170
|
+
case IceSSL::ICE_ENUM(TrustError, HasNonSupportedCriticalExtension):
|
171
|
+
{
|
172
|
+
return "the certificate does not support a critical extension";
|
173
|
+
}
|
174
|
+
case IceSSL::ICE_ENUM(TrustError, HasNonSupportedNameConstraint):
|
175
|
+
{
|
176
|
+
return "the certificate does not have a supported name constraint or has a name constraint that "
|
177
|
+
"is unsupported";
|
178
|
+
}
|
179
|
+
case IceSSL::ICE_ENUM(TrustError, HostNameMismatch):
|
180
|
+
{
|
181
|
+
return "a host name mismatch has occurred";
|
182
|
+
}
|
183
|
+
case IceSSL::ICE_ENUM(TrustError, InvalidBasicConstraints):
|
184
|
+
{
|
185
|
+
return "the X509 chain is invalid due to invalid basic constraints";
|
186
|
+
}
|
187
|
+
case IceSSL::ICE_ENUM(TrustError, InvalidExtension):
|
188
|
+
{
|
189
|
+
return "the X509 chain is invalid due to an invalid extension";
|
190
|
+
}
|
191
|
+
case IceSSL::ICE_ENUM(TrustError, InvalidNameConstraints):
|
192
|
+
{
|
193
|
+
return "the X509 chain is invalid due to invalid name constraints";
|
194
|
+
}
|
195
|
+
case IceSSL::ICE_ENUM(TrustError, InvalidPolicyConstraints):
|
196
|
+
{
|
197
|
+
return "the X509 chain is invalid due to invalid policy constraints";
|
198
|
+
}
|
199
|
+
case IceSSL::ICE_ENUM(TrustError, InvalidPurpose):
|
200
|
+
{
|
201
|
+
return "the supplied certificate cannot be used for the specified purpose";
|
202
|
+
}
|
203
|
+
case IceSSL::ICE_ENUM(TrustError, InvalidSignature):
|
204
|
+
{
|
205
|
+
return "the X509 chain is invalid due to an invalid certificate signature";
|
206
|
+
}
|
207
|
+
case IceSSL::ICE_ENUM(TrustError, InvalidTime):
|
208
|
+
{
|
209
|
+
return "the X509 chain is not valid due to an invalid time value, such as a value that indicates an "
|
210
|
+
"expired certificate";
|
211
|
+
}
|
212
|
+
case IceSSL::ICE_ENUM(TrustError, NotTrusted):
|
213
|
+
{
|
214
|
+
return "the certificate is explicitly distrusted";
|
215
|
+
}
|
216
|
+
case IceSSL::ICE_ENUM(TrustError, PartialChain):
|
217
|
+
{
|
218
|
+
return "the X509 chain could not be built up to the root certificate";
|
219
|
+
}
|
220
|
+
case IceSSL::ICE_ENUM(TrustError, RevocationStatusUnknown):
|
221
|
+
{
|
222
|
+
return "it is not possible to determine whether the certificate has been revoked";
|
223
|
+
}
|
224
|
+
case IceSSL::ICE_ENUM(TrustError, Revoked):
|
225
|
+
{
|
226
|
+
return "the X509 chain is invalid due to a revoked certificate";
|
227
|
+
}
|
228
|
+
case IceSSL::ICE_ENUM(TrustError, UntrustedRoot):
|
229
|
+
{
|
230
|
+
return "the X509 chain is invalid due to an untrusted root certificate";
|
231
|
+
}
|
232
|
+
case IceSSL::ICE_ENUM(TrustError, UnknownTrustFailure):
|
233
|
+
{
|
234
|
+
return "unknown failure";
|
235
|
+
}
|
236
|
+
}
|
237
|
+
assert(false);
|
238
|
+
return "unknown failure";
|
239
|
+
}
|
240
|
+
|
241
|
+
std::string
|
242
|
+
IceSSL::getHost(const IceSSL::ConnectionInfoPtr& info)
|
243
|
+
{
|
244
|
+
ExtendedConnectionInfoPtr extendedInfo = ICE_DYNAMIC_CAST(ExtendedConnectionInfo, info);
|
245
|
+
return extendedInfo ? extendedInfo->host : "";
|
246
|
+
}
|
@@ -7,11 +7,21 @@
|
|
7
7
|
|
8
8
|
#include <IceSSL/Plugin.h>
|
9
9
|
#include <IceSSL/SSLEngineF.h>
|
10
|
+
#include <IceSSL/ConnectionInfo.h>
|
10
11
|
#include <Ice/CommunicatorF.h>
|
11
12
|
|
12
13
|
namespace IceSSL
|
13
14
|
{
|
14
15
|
|
16
|
+
class ExtendedConnectionInfo : public ConnectionInfo
|
17
|
+
{
|
18
|
+
public:
|
19
|
+
|
20
|
+
TrustError errorCode;
|
21
|
+
std::string host;
|
22
|
+
};
|
23
|
+
ICE_DEFINE_PTR(ExtendedConnectionInfoPtr, ExtendedConnectionInfo);
|
24
|
+
|
15
25
|
class ICESSL_API PluginI : public virtual IceSSL::Plugin
|
16
26
|
{
|
17
27
|
public:
|
@@ -9,6 +9,7 @@
|
|
9
9
|
#include <IceSSL/ConnectionInfo.h>
|
10
10
|
#include <IceSSL/Instance.h>
|
11
11
|
#include <IceSSL/SChannelEngine.h>
|
12
|
+
#include <IceSSL/PluginI.h>
|
12
13
|
#include <IceSSL/Util.h>
|
13
14
|
#include <Ice/Communicator.h>
|
14
15
|
#include <Ice/LoggerUtil.h>
|
@@ -47,6 +48,96 @@ protocolName(DWORD protocol)
|
|
47
48
|
}
|
48
49
|
}
|
49
50
|
|
51
|
+
TrustError
|
52
|
+
trustStatusToTrustError(DWORD status)
|
53
|
+
{
|
54
|
+
if (status & CERT_TRUST_NO_ERROR)
|
55
|
+
{
|
56
|
+
return IceSSL::ICE_ENUM(TrustError, NoError);
|
57
|
+
}
|
58
|
+
if (status & CERT_TRUST_IS_NOT_TIME_VALID)
|
59
|
+
{
|
60
|
+
return IceSSL::ICE_ENUM(TrustError, InvalidTime);
|
61
|
+
}
|
62
|
+
if (status & CERT_TRUST_IS_REVOKED)
|
63
|
+
{
|
64
|
+
return IceSSL::ICE_ENUM(TrustError, Revoked);
|
65
|
+
}
|
66
|
+
if (status & CERT_TRUST_IS_NOT_SIGNATURE_VALID)
|
67
|
+
{
|
68
|
+
return IceSSL::ICE_ENUM(TrustError, InvalidSignature);
|
69
|
+
}
|
70
|
+
if (status & CERT_TRUST_IS_NOT_VALID_FOR_USAGE)
|
71
|
+
{
|
72
|
+
return IceSSL::ICE_ENUM(TrustError, InvalidPurpose);
|
73
|
+
}
|
74
|
+
if ((status & CERT_TRUST_IS_UNTRUSTED_ROOT) ||
|
75
|
+
(status & CERT_TRUST_IS_CYCLIC) ||
|
76
|
+
(status & CERT_TRUST_CTL_IS_NOT_TIME_VALID) ||
|
77
|
+
(status & CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID) ||
|
78
|
+
(status & CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE))
|
79
|
+
{
|
80
|
+
return IceSSL::ICE_ENUM(TrustError, UntrustedRoot);
|
81
|
+
}
|
82
|
+
if (status & CERT_TRUST_REVOCATION_STATUS_UNKNOWN)
|
83
|
+
{
|
84
|
+
return IceSSL::ICE_ENUM(TrustError, RevocationStatusUnknown);
|
85
|
+
}
|
86
|
+
if (status & CERT_TRUST_INVALID_EXTENSION)
|
87
|
+
{
|
88
|
+
return IceSSL::ICE_ENUM(TrustError, InvalidExtension);
|
89
|
+
}
|
90
|
+
if (status & CERT_TRUST_INVALID_POLICY_CONSTRAINTS)
|
91
|
+
{
|
92
|
+
return IceSSL::ICE_ENUM(TrustError, InvalidPolicyConstraints);
|
93
|
+
}
|
94
|
+
if (status & CERT_TRUST_INVALID_BASIC_CONSTRAINTS)
|
95
|
+
{
|
96
|
+
return IceSSL::ICE_ENUM(TrustError, InvalidBasicConstraints);
|
97
|
+
}
|
98
|
+
if (status & CERT_TRUST_INVALID_NAME_CONSTRAINTS)
|
99
|
+
{
|
100
|
+
return IceSSL::ICE_ENUM(TrustError, InvalidNameConstraints);
|
101
|
+
}
|
102
|
+
if (status & CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT)
|
103
|
+
{
|
104
|
+
return IceSSL::ICE_ENUM(TrustError, HasNonSupportedNameConstraint);
|
105
|
+
}
|
106
|
+
if (status & CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT)
|
107
|
+
{
|
108
|
+
return IceSSL::ICE_ENUM(TrustError, HasNonDefinedNameConstraint);
|
109
|
+
}
|
110
|
+
if (status & CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT)
|
111
|
+
{
|
112
|
+
return IceSSL::ICE_ENUM(TrustError, HasNonPermittedNameConstraint);
|
113
|
+
}
|
114
|
+
if (status & CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT)
|
115
|
+
{
|
116
|
+
return IceSSL::ICE_ENUM(TrustError, HasExcludedNameConstraint);
|
117
|
+
}
|
118
|
+
if (status & CERT_TRUST_IS_OFFLINE_REVOCATION)
|
119
|
+
{
|
120
|
+
return IceSSL::ICE_ENUM(TrustError, RevocationStatusUnknown);
|
121
|
+
}
|
122
|
+
if (status & CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY)
|
123
|
+
{
|
124
|
+
return IceSSL::ICE_ENUM(TrustError, InvalidPolicyConstraints);
|
125
|
+
}
|
126
|
+
if (status & CERT_TRUST_IS_EXPLICIT_DISTRUST)
|
127
|
+
{
|
128
|
+
return IceSSL::ICE_ENUM(TrustError, NotTrusted);
|
129
|
+
}
|
130
|
+
if (status & CERT_TRUST_HAS_NOT_SUPPORTED_CRITICAL_EXT)
|
131
|
+
{
|
132
|
+
return IceSSL::ICE_ENUM(TrustError, HasNonSupportedCriticalExtension);
|
133
|
+
}
|
134
|
+
if (status & CERT_TRUST_IS_PARTIAL_CHAIN)
|
135
|
+
{
|
136
|
+
return IceSSL::ICE_ENUM(TrustError, PartialChain);
|
137
|
+
}
|
138
|
+
return IceSSL::ICE_ENUM(TrustError, UnknownTrustFailure);
|
139
|
+
}
|
140
|
+
|
50
141
|
string
|
51
142
|
trustStatusToString(DWORD status)
|
52
143
|
{
|
@@ -674,21 +765,24 @@ SChannel::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal:
|
|
674
765
|
|
675
766
|
string trustError;
|
676
767
|
PCCERT_CHAIN_CONTEXT certChain;
|
677
|
-
if(!CertGetCertificateChain(_engine->chainEngine(), cert, 0,
|
768
|
+
if(!CertGetCertificateChain(_engine->chainEngine(), cert, 0, cert->hCertStore, &chainP,
|
678
769
|
CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY, 0, &certChain))
|
679
770
|
{
|
680
771
|
CertFreeCertificateContext(cert);
|
681
772
|
trustError = IceUtilInternal::lastErrorToString();
|
773
|
+
_trustError = IceSSL::ICE_ENUM(TrustError, UnknownTrustFailure);
|
682
774
|
}
|
683
775
|
else
|
684
776
|
{
|
685
777
|
if(certChain->TrustStatus.dwErrorStatus != CERT_TRUST_NO_ERROR)
|
686
778
|
{
|
687
779
|
trustError = trustStatusToString(certChain->TrustStatus.dwErrorStatus);
|
780
|
+
_trustError = trustStatusToTrustError(certChain->TrustStatus.dwErrorStatus);
|
688
781
|
}
|
689
782
|
else
|
690
783
|
{
|
691
784
|
_verified = true;
|
785
|
+
_trustError = IceSSL::ICE_ENUM(TrustError, NoError);
|
692
786
|
}
|
693
787
|
|
694
788
|
CERT_SIMPLE_CHAIN* simpleChain = certChain->rgpChain[0];
|
@@ -753,7 +847,10 @@ SChannel::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal:
|
|
753
847
|
}
|
754
848
|
catch(const Ice::SecurityException&)
|
755
849
|
{
|
850
|
+
_trustError = IceSSL::ICE_ENUM(TrustError, HostNameMismatch);
|
756
851
|
_verified = false;
|
852
|
+
ICE_DYNAMIC_CAST(ExtendedConnectionInfo, info)->errorCode = IceSSL::ICE_ENUM(TrustError, HostNameMismatch);
|
853
|
+
info->verified = false;
|
757
854
|
if(_engine->getVerifyPeer() > 0)
|
758
855
|
{
|
759
856
|
throw;
|
@@ -1001,13 +1098,15 @@ SChannel::TransceiverI::toDetailedString() const
|
|
1001
1098
|
Ice::ConnectionInfoPtr
|
1002
1099
|
SChannel::TransceiverI::getInfo() const
|
1003
1100
|
{
|
1004
|
-
|
1101
|
+
ExtendedConnectionInfoPtr info = ICE_MAKE_SHARED(ExtendedConnectionInfo);
|
1005
1102
|
info->underlying = _delegate->getInfo();
|
1006
1103
|
info->incoming = _incoming;
|
1007
1104
|
info->adapterName = _adapterName;
|
1008
1105
|
info->cipher = _cipher;
|
1009
1106
|
info->certs = _certs;
|
1010
1107
|
info->verified = _verified;
|
1108
|
+
info->errorCode = _trustError;
|
1109
|
+
info->host = _incoming ? "" : _host;
|
1011
1110
|
return info;
|
1012
1111
|
}
|
1013
1112
|
|
@@ -4,6 +4,7 @@
|
|
4
4
|
|
5
5
|
#include <IceSSL/SecureTransportTransceiverI.h>
|
6
6
|
#include <IceSSL/Instance.h>
|
7
|
+
#include <IceSSL/PluginI.h>
|
7
8
|
#include <IceSSL/SecureTransportEngine.h>
|
8
9
|
#include <IceSSL/SecureTransportUtil.h>
|
9
10
|
#include <IceSSL/ConnectionInfo.h>
|
@@ -20,36 +21,6 @@ using namespace IceSSL::SecureTransport;
|
|
20
21
|
namespace
|
21
22
|
{
|
22
23
|
|
23
|
-
string
|
24
|
-
trustResultDescription(SecTrustResultType result)
|
25
|
-
{
|
26
|
-
switch(result)
|
27
|
-
{
|
28
|
-
case kSecTrustResultInvalid:
|
29
|
-
{
|
30
|
-
return "Invalid setting or result";
|
31
|
-
}
|
32
|
-
case kSecTrustResultDeny:
|
33
|
-
{
|
34
|
-
return "The user specified that the certificate should not be trusted";
|
35
|
-
}
|
36
|
-
case kSecTrustResultRecoverableTrustFailure:
|
37
|
-
case kSecTrustResultFatalTrustFailure:
|
38
|
-
{
|
39
|
-
return "Trust denied";
|
40
|
-
}
|
41
|
-
case kSecTrustResultOtherError:
|
42
|
-
{
|
43
|
-
return "Other error internal error";
|
44
|
-
}
|
45
|
-
default:
|
46
|
-
{
|
47
|
-
assert(false);
|
48
|
-
return "";
|
49
|
-
}
|
50
|
-
}
|
51
|
-
}
|
52
|
-
|
53
24
|
string
|
54
25
|
protocolName(SSLProtocol protocol)
|
55
26
|
{
|
@@ -92,14 +63,96 @@ socketRead(SSLConnectionRef connection, void* data, size_t* length)
|
|
92
63
|
return transceiver->readRaw(reinterpret_cast<char*>(data), length);
|
93
64
|
}
|
94
65
|
|
95
|
-
|
66
|
+
TrustError errorToTrustError(CFErrorRef err)
|
67
|
+
{
|
68
|
+
long errorCode = CFErrorGetCode(err);
|
69
|
+
switch (errorCode)
|
70
|
+
{
|
71
|
+
case errSecPathLengthConstraintExceeded:
|
72
|
+
{
|
73
|
+
return IceSSL::ICE_ENUM(TrustError, ChainTooLong);
|
74
|
+
}
|
75
|
+
case errSecUnknownCRLExtension:
|
76
|
+
case errSecUnknownCriticalExtensionFlag:
|
77
|
+
{
|
78
|
+
return IceSSL::ICE_ENUM(TrustError, HasNonSupportedCriticalExtension);
|
79
|
+
}
|
80
|
+
case errSecHostNameMismatch:
|
81
|
+
{
|
82
|
+
return IceSSL::ICE_ENUM(TrustError, HostNameMismatch);
|
83
|
+
}
|
84
|
+
case errSecCodeSigningNoBasicConstraints:
|
85
|
+
case errSecNoBasicConstraints:
|
86
|
+
case errSecNoBasicConstraintsCA:
|
87
|
+
{
|
88
|
+
return IceSSL::ICE_ENUM(TrustError, InvalidBasicConstraints);
|
89
|
+
}
|
90
|
+
case errSecMissingRequiredExtension:
|
91
|
+
case errSecUnknownCertExtension:
|
92
|
+
{
|
93
|
+
return IceSSL::ICE_ENUM(TrustError, InvalidExtension);
|
94
|
+
}
|
95
|
+
case errSecCertificateNameNotAllowed:
|
96
|
+
case errSecInvalidName:
|
97
|
+
{
|
98
|
+
return IceSSL::ICE_ENUM(TrustError, InvalidNameConstraints);
|
99
|
+
}
|
100
|
+
case errSecCertificatePolicyNotAllowed:
|
101
|
+
case errSecInvalidPolicyIdentifiers:
|
102
|
+
case errSecInvalidCertificateRef:
|
103
|
+
case errSecInvalidDigestAlgorithm:
|
104
|
+
case errSecUnsupportedKeySize:
|
105
|
+
{
|
106
|
+
return IceSSL::ICE_ENUM(TrustError, InvalidPolicyConstraints);
|
107
|
+
}
|
108
|
+
case errSecInvalidExtendedKeyUsage:
|
109
|
+
case errSecInvalidKeyUsageForPolicy:
|
110
|
+
{
|
111
|
+
return IceSSL::ICE_ENUM(TrustError, InvalidPurpose);
|
112
|
+
}
|
113
|
+
case errSecInvalidSignature:
|
114
|
+
{
|
115
|
+
return IceSSL::ICE_ENUM(TrustError, InvalidSignature);
|
116
|
+
}
|
117
|
+
case errSecCertificateExpired:
|
118
|
+
case errSecCertificateNotValidYet:
|
119
|
+
case errSecCertificateValidityPeriodTooLong:
|
120
|
+
{
|
121
|
+
return IceSSL::ICE_ENUM(TrustError, InvalidTime);
|
122
|
+
}
|
123
|
+
case errSecCreateChainFailed:
|
124
|
+
{
|
125
|
+
return IceSSL::ICE_ENUM(TrustError, PartialChain);
|
126
|
+
}
|
127
|
+
case errSecCertificateRevoked:
|
128
|
+
{
|
129
|
+
return IceSSL::ICE_ENUM(TrustError, Revoked);
|
130
|
+
}
|
131
|
+
case errSecIncompleteCertRevocationCheck:
|
132
|
+
case errSecOCSPNotTrustedToAnchor:
|
133
|
+
{
|
134
|
+
return IceSSL::ICE_ENUM(TrustError, RevocationStatusUnknown);
|
135
|
+
}
|
136
|
+
case errSecNotTrusted:
|
137
|
+
case errSecVerifyActionFailed:
|
138
|
+
{
|
139
|
+
return IceSSL::ICE_ENUM(TrustError, UntrustedRoot);
|
140
|
+
}
|
141
|
+
default:
|
142
|
+
{
|
143
|
+
return IceSSL::ICE_ENUM(TrustError, UnknownTrustFailure);
|
144
|
+
}
|
145
|
+
}
|
146
|
+
}
|
147
|
+
|
148
|
+
TrustError
|
96
149
|
checkTrustResult(SecTrustRef trust,
|
97
150
|
const IceSSL::SecureTransport::SSLEnginePtr& engine,
|
98
151
|
const IceSSL::InstancePtr& instance,
|
99
152
|
const string& host)
|
100
153
|
{
|
101
154
|
OSStatus err = noErr;
|
102
|
-
|
155
|
+
UniqueRef<CFErrorRef> trustErr;
|
103
156
|
if(trust)
|
104
157
|
{
|
105
158
|
if((err = SecTrustSetAnchorCertificates(trust, engine->getCertificateAuthorities())))
|
@@ -138,53 +191,38 @@ checkTrustResult(SecTrustRef trust,
|
|
138
191
|
//
|
139
192
|
// Evaluate the trust
|
140
193
|
//
|
141
|
-
if((
|
194
|
+
if(SecTrustEvaluateWithError(trust, &trustErr.get()))
|
142
195
|
{
|
143
|
-
|
196
|
+
return IceSSL::ICE_ENUM(TrustError, NoError);
|
144
197
|
}
|
145
|
-
|
146
|
-
|
147
|
-
switch(trustResult)
|
148
|
-
{
|
149
|
-
case kSecTrustResultUnspecified:
|
150
|
-
case kSecTrustResultProceed:
|
151
|
-
{
|
152
|
-
//
|
153
|
-
// Trust verify success.
|
154
|
-
//
|
155
|
-
return true;
|
156
|
-
}
|
157
|
-
default:
|
158
|
-
// case kSecTrustResultInvalid:
|
159
|
-
// case kSecTrustResultConfirm: // Used in old macOS versions
|
160
|
-
// case kSecTrustResultDeny:
|
161
|
-
// case kSecTrustResultRecoverableTrustFailure:
|
162
|
-
// case kSecTrustResultFatalTrustFailure:
|
163
|
-
// case kSecTrustResultOtherError:
|
164
|
-
{
|
165
|
-
if(engine->getVerifyPeer() == 0)
|
198
|
+
else
|
166
199
|
{
|
167
|
-
|
200
|
+
TrustError trustError = errorToTrustError(trustErr.get());
|
201
|
+
if(engine->getVerifyPeer() == 0)
|
168
202
|
{
|
169
|
-
|
170
|
-
|
171
|
-
|
203
|
+
if(instance->traceLevel() >= 1)
|
204
|
+
{
|
205
|
+
ostringstream os;
|
206
|
+
os << "IceSSL: ignoring certificate verification failure:\n"
|
207
|
+
<< getTrustErrorDescription(trustError);
|
208
|
+
instance->logger()->trace(instance->traceCategory(), os.str());
|
209
|
+
}
|
210
|
+
return trustError;
|
172
211
|
}
|
173
|
-
|
174
|
-
}
|
175
|
-
else
|
176
|
-
{
|
177
|
-
ostringstream os;
|
178
|
-
os << "IceSSL: certificate verification failure:\n" << trustResultDescription(trustResult);
|
179
|
-
string msg = os.str();
|
180
|
-
if(instance->traceLevel() >= 1)
|
212
|
+
else
|
181
213
|
{
|
182
|
-
|
214
|
+
ostringstream os;
|
215
|
+
os << "IceSSL: certificate verification failure:\n" << getTrustErrorDescription(trustError);
|
216
|
+
string msg = os.str();
|
217
|
+
if(instance->traceLevel() >= 1)
|
218
|
+
{
|
219
|
+
instance->logger()->trace(instance->traceCategory(), msg);
|
220
|
+
}
|
221
|
+
throw SecurityException(__FILE__, __LINE__, msg);
|
183
222
|
}
|
184
|
-
throw SecurityException(__FILE__, __LINE__, msg);
|
185
223
|
}
|
186
224
|
}
|
187
|
-
|
225
|
+
return IceSSL::ICE_ENUM(TrustError, UnknownTrustFailure);
|
188
226
|
}
|
189
227
|
}
|
190
228
|
|
@@ -288,7 +326,8 @@ IceSSL::SecureTransport::TransceiverI::initialize(IceInternal::Buffer& readBuffe
|
|
288
326
|
}
|
289
327
|
if(err == noErr)
|
290
328
|
{
|
291
|
-
|
329
|
+
_trustError = checkTrustResult(_trust.get(), _engine, _instance, _host);
|
330
|
+
_verified = _trustError == IceSSL::ICE_ENUM(TrustError, NoError);
|
292
331
|
continue; // Call SSLHandshake to resume the handsake.
|
293
332
|
}
|
294
333
|
// Let it fall through, this will raise a SecurityException with the SSLCopyPeerTrust error.
|
@@ -546,13 +585,15 @@ IceSSL::SecureTransport::TransceiverI::toDetailedString() const
|
|
546
585
|
Ice::ConnectionInfoPtr
|
547
586
|
IceSSL::SecureTransport::TransceiverI::getInfo() const
|
548
587
|
{
|
549
|
-
IceSSL::
|
588
|
+
IceSSL::ExtendedConnectionInfoPtr info = ICE_MAKE_SHARED(IceSSL::ExtendedConnectionInfo);
|
550
589
|
info->underlying = _delegate->getInfo();
|
551
590
|
info->incoming = _incoming;
|
552
591
|
info->adapterName = _adapterName;
|
553
592
|
info->cipher = _cipher;
|
554
593
|
info->certs = _certs;
|
555
594
|
info->verified = _verified;
|
595
|
+
info->errorCode = _trustError;
|
596
|
+
info->host = _incoming ? "" : _host;
|
556
597
|
return info;
|
557
598
|
}
|
558
599
|
|