//
// Check a freshly established SSL connection against the configured policy
// and throw SecurityException if it must be rejected. The checks run in order
// and stop at the first failure:
//
//  1. the peer's certificate chain is not longer than _verifyDepthMax
//     (only enforced when _verifyDepthMax > 0);
//  2. the trust manager accepts the connection;
//  3. the application's certificate verifier, if one is installed, accepts it.
//
// A rejection is traced (with the connection description appended) when the
// security trace level is at least 1. The address parameter is not used by
// this overload.
//
void
IceSSL::SSLEngine::verifyPeer(const string& /*address*/, const ConnectionInfoPtr& info, const string& desc)
{
    const CertificateVerifierPtr verifier = getCertificateVerifier();
    const string direction = info->incoming ? "incoming" : "outgoing";

    //
    // The first failing check decides the rejection reason; later checks are
    // not run once a reason is known.
    //
    string reason;
    if(_verifyDepthMax > 0 && static_cast<int>(info->certs.size()) > _verifyDepthMax)
    {
        ostringstream ostr;
        ostr << direction << " connection rejected:\n"
             << "length of peer's certificate chain (" << info->certs.size() << ") exceeds maximum of "
             << _verifyDepthMax;
        reason = ostr.str();
    }
    else if(!_trustManager->verify(info, desc))
    {
        reason = direction + " connection rejected by trust manager";
    }
    else if(verifier && !verifier->verify(info))
    {
        reason = direction + " connection rejected by certificate verifier";
    }

    if(reason.empty())
    {
        return;
    }

    if(_securityTraceLevel >= 1)
    {
        _logger->trace(_securityTraceCategory, reason + "\n" + desc);
    }
    throw SecurityException(__FILE__, __LINE__, reason);
}
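namespace
{

//
// Return true if the lower-cased subject DN string carries a CN RDN whose
// value is exactly addrLower.
//
// A plain substring search for "cn=<addr>" is not enough: the same text can
// appear inside the value of another attribute (e.g. an O or OU value), and
// a certificate authority is not obliged to prevent that. The match is
// therefore only accepted when it starts an RDN (beginning of the DN, or
// right after an unescaped ',' separator, optionally followed by blanks) and
// ends one (end of the DN, or right before the next ','). Every occurrence is
// tried, not just the first. A backslash-escaped comma inside a value is
// treated as a non-separator; the rare "\\," (escaped backslash followed by a
// real separator) is also rejected, which is the safe direction for a name
// check. Matching against the parsed RDN list would be more robust than
// matching the string form.
//
bool
commonNameMatches(const string& dnLower, const string& addrLower)
{
    const string cn = "cn=" + addrLower;
    string::size_type pos = dnLower.find(cn);
    while(pos != string::npos)
    {
        // Skip blanks between the separator and the attribute name ("a=b, cn=c").
        string::size_type b = pos;
        while(b > 0 && dnLower[b - 1] == ' ')
        {
            --b;
        }
        const bool startsRdn = (b == 0) || (dnLower[b - 1] == ',' && (b < 2 || dnLower[b - 2] != '\\'));

        const string::size_type end = pos + cn.size();
        const bool endsRdn = (end == dnLower.size()) || (dnLower[end] == ',');

        if(startsRdn && endsRdn)
        {
            return true;
        }
        pos = dnLower.find(cn, pos + 1);
    }
    return false;
}

//
// Append "<label>a, b, c" to the stream; append nothing when names is empty.
//
void
appendNameList(ostream& ostr, const string& label, const vector<string>& names)
{
    if(names.empty())
    {
        return;
    }
    ostr << label;
    for(vector<string>::const_iterator p = names.begin(); p != names.end(); ++p)
    {
        if(p != names.begin())
        {
            ostr << ", ";
        }
        ostr << *p;
    }
}

}

//
// Verify the peer of a newly established SSL connection and throw
// SecurityException when it must be rejected. The checks run in this order:
//
//  1. For a connection with a known target address (the comment below says
//     this is the outgoing case) and a peer certificate, the address must
//     appear in the certificate's commonName (as a whole RDN value) or among
//     its subjectAltName dnsName / iPAddress entries. The comparison is exact
//     and case-insensitive; wildcards are not expanded. When CheckCertName
//     (_checkCertName) is disabled the mismatch is only traced.
//  2. The certificate chain may not be longer than _verifyDepthMax (when > 0).
//  3. The trust manager must accept the connection.
//  4. The application's certificate verifier, if installed, must accept it.
//
// address: the address the connection was made to; may be empty, in which
//          case the name check is skipped.
// info:    native connection info, including the peer's certificate chain.
// desc:    connection description appended to trace messages.
//
void
IceSSL::SSLEngine::verifyPeer(const string& address, const NativeConnectionInfoPtr& info, const string& desc)
{
    const CertificateVerifierPtr verifier = getCertificateVerifier();

    //
    // For an outgoing connection, we compare the proxy address (if any) against
    // fields in the server's certificate (if any).
    //
    if(!info->nativeCerts.empty() && !address.empty())
    {
        const CertificatePtr cert = info->nativeCerts[0];
        const string addrLower = IceUtilInternal::toLower(address);

        //
        // Extract the IP addresses and the DNS names from the subject
        // alternative names. Values are lower-cased so that the comparison
        // below is case-insensitive, like the one against the common name.
        //
        const vector<pair<int, string> > subjectAltNames = cert->getSubjectAlternativeNames();
        vector<string> ipAddresses;
        vector<string> dnsNames;
        for(vector<pair<int, string> >::const_iterator p = subjectAltNames.begin(); p != subjectAltNames.end(); ++p)
        {
            if(p->first == AltNAmeIP)
            {
                ipAddresses.push_back(IceUtilInternal::toLower(p->second));
            }
            else if(p->first == AltNameDNS)
            {
                dnsNames.push_back(IceUtilInternal::toLower(p->second));
            }
        }

        //
        // Compare the peer's address against the common name. The match must
        // cover a whole CN RDN, not just occur somewhere in the DN string.
        //
        string dn;
        {
            DistinguishedName d = cert->getSubjectDN();
            dn = IceUtilInternal::toLower(string(d));
        }
        bool certNameOK = commonNameMatches(dn, addrLower);

        //
        // Otherwise compare the peer's address against the dnsName and ipAddress
        // values in the subject alternative name. Exact string match only.
        // NOTE(review): the IP comparison is textual, so an address written in
        // an equivalent but different form (e.g. an abbreviated IPv6 address)
        // will not match — confirm that callers pass the address in the form
        // the certificates use.
        //
        if(!certNameOK)
        {
            certNameOK = find(ipAddresses.begin(), ipAddresses.end(), addrLower) != ipAddresses.end();
        }
        if(!certNameOK)
        {
            certNameOK = find(dnsNames.begin(), dnsNames.end(), addrLower) != dnsNames.end();
        }

        //
        // Log a message if the name comparison fails. If CheckCertName is defined,
        // we also raise an exception to abort the connection. Don't log a message if
        // CheckCertName is not defined and a verifier is present.
        //
        if(!certNameOK && (_checkCertName || (_securityTraceLevel >= 1 && !verifier)))
        {
            ostringstream ostr;
            ostr << "IceSSL: ";
            if(!_checkCertName)
            {
                ostr << "ignoring ";
            }
            ostr << "certificate validation failure:\npeer certificate does not have `" << address
                 << "' as its commonName or in its subjectAltName extension";
            if(!dn.empty())
            {
                ostr << "\nSubject DN: " << dn;
            }
            appendNameList(ostr, "\nDNS names found in certificate: ", dnsNames);
            appendNameList(ostr, "\nIP addresses found in certificate: ", ipAddresses);
            const string msg = ostr.str();

            if(_securityTraceLevel >= 1)
            {
                Trace out(_logger, _securityTraceCategory);
                out << msg;
            }

            // The throw depends only on CheckCertName, never on the trace level.
            if(_checkCertName)
            {
                SecurityException ex(__FILE__, __LINE__);
                ex.reason = msg;
                throw ex;
            }
        }
    }

    //
    // Remaining checks, in order; the first failure decides the rejection
    // reason and later checks are not run.
    //
    const string direction = info->incoming ? "incoming" : "outgoing";
    string reason;
    if(_verifyDepthMax > 0 && static_cast<int>(info->certs.size()) > _verifyDepthMax)
    {
        ostringstream ostr;
        ostr << direction << " connection rejected:\n"
             << "length of peer's certificate chain (" << info->certs.size() << ") exceeds maximum of "
             << _verifyDepthMax;
        reason = ostr.str();
    }
    else if(!_trustManager->verify(info, desc))
    {
        reason = direction + " connection rejected by trust manager";
    }
    else if(verifier && !verifier->verify(info))
    {
        reason = direction + " connection rejected by certificate verifier";
    }

    if(reason.empty())
    {
        return;
    }

    if(_securityTraceLevel >= 1)
    {
        _logger->trace(_securityTraceCategory, reason + "\n" + desc);
    }
    SecurityException ex(__FILE__, __LINE__);
    ex.reason = reason;
    throw ex;
}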