void IceSSL::SSLEngine::verifyPeerCertName(const string& address, const ConnectionInfoPtr& info) { // // For an outgoing connection, we compare the proxy address (if any) against // fields in the server's certificate (if any). // if(_checkCertName && !info->certs.empty() && !address.empty()) { const CertificatePtr cert = info->certs[0]; // // Extract the IP addresses and the DNS names from the subject // alternative names. // vector<pair<int, string> > subjectAltNames = cert->getSubjectAlternativeNames(); vector<string> ipAddresses; vector<string> dnsNames; for(vector<pair<int, string> >::const_iterator p = subjectAltNames.begin(); p != subjectAltNames.end(); ++p) { if(p->first == AltNAmeIP) { ipAddresses.push_back(IceUtilInternal::toLower(p->second)); } else if(p->first == AltNameDNS) { dnsNames.push_back(IceUtilInternal::toLower(p->second)); } } bool certNameOK = false; string addrLower = IceUtilInternal::toLower(address); bool isIpAddress = IceInternal::isIpAddress(address); // // If address is an IP address, compare it to the subject alternative names IP adddress // if(isIpAddress) { certNameOK = find(ipAddresses.begin(), ipAddresses.end(), addrLower) != ipAddresses.end(); } else { // // If subjectAlt is empty compare it ot the subject CN, othewise // compare it to the to the subject alt name dnsNames // if(dnsNames.empty()) { DistinguishedName d = cert->getSubjectDN(); string dn = IceUtilInternal::toLower(string(d)); string cn = "cn=" + addrLower; string::size_type pos = dn.find(cn); if(pos != string::npos) { // // Ensure we match the entire common name. // certNameOK = (pos + cn.size() == dn.size()) || (dn[pos + cn.size()] == ','); } } else { certNameOK = find(dnsNames.begin(), dnsNames.end(), addrLower) != dnsNames.end(); } } if(!certNameOK) { ostringstream ostr; ostr << "IceSSL: certificate validation failure: " << (isIpAddress ? "IP address mismatch" : "Hostname mismatch"); string msg = ostr.str(); if(_securityTraceLevel >= 1) { Trace out(_logger, _securityTraceCategory); out << msg; } if(_verifyPeer > 0) { throw SecurityException(__FILE__, __LINE__, msg); } } } }
void IceSSL::SSLEngine::verifyPeer(const string& address, const NativeConnectionInfoPtr& info, const string& desc) { const CertificateVerifierPtr verifier = getCertificateVerifier(); #if !defined(ICE_USE_SECURE_TRANSPORT_IOS) // // For an outgoing connection, we compare the proxy address (if any) against // fields in the server's certificate (if any). // if(!info->nativeCerts.empty() && !address.empty()) { const CertificatePtr cert = info->nativeCerts[0]; // // Extract the IP addresses and the DNS names from the subject // alternative names. // vector<pair<int, string> > subjectAltNames = cert->getSubjectAlternativeNames(); vector<string> ipAddresses; vector<string> dnsNames; for(vector<pair<int, string> >::const_iterator p = subjectAltNames.begin(); p != subjectAltNames.end(); ++p) { if(p->first == AltNAmeIP) { ipAddresses.push_back(IceUtilInternal::toLower(p->second)); } else if(p->first == AltNameDNS) { dnsNames.push_back(IceUtilInternal::toLower(p->second)); } } // // Compare the peer's address against the common name. // bool certNameOK = false; string dn; string addrLower = IceUtilInternal::toLower(address); { DistinguishedName d = cert->getSubjectDN(); dn = IceUtilInternal::toLower(string(d)); string cn = "cn=" + addrLower; string::size_type pos = dn.find(cn); if(pos != string::npos) { // // Ensure we match the entire common name. // certNameOK = (pos + cn.size() == dn.size()) || (dn[pos + cn.size()] == ','); } } // // Compare the peer's address against the dnsName and ipAddress // values in the subject alternative name. // if(!certNameOK) { certNameOK = find(ipAddresses.begin(), ipAddresses.end(), addrLower) != ipAddresses.end(); } if(!certNameOK) { certNameOK = find(dnsNames.begin(), dnsNames.end(), addrLower) != dnsNames.end(); } // // Log a message if the name comparison fails. If CheckCertName is defined, // we also raise an exception to abort the connection. Don't log a message if // CheckCertName is not defined and a verifier is present. // if(!certNameOK && (_checkCertName || (_securityTraceLevel >= 1 && !verifier))) { ostringstream ostr; ostr << "IceSSL: "; if(!_checkCertName) { ostr << "ignoring "; } ostr << "certificate validation failure:\npeer certificate does not have `" << address << "' as its commonName or in its subjectAltName extension"; if(!dn.empty()) { ostr << "\nSubject DN: " << dn; } if(!dnsNames.empty()) { ostr << "\nDNS names found in certificate: "; for(vector<string>::const_iterator p = dnsNames.begin(); p != dnsNames.end(); ++p) { if(p != dnsNames.begin()) { ostr << ", "; } ostr << *p; } } if(!ipAddresses.empty()) { ostr << "\nIP addresses found in certificate: "; for(vector<string>::const_iterator p = ipAddresses.begin(); p != ipAddresses.end(); ++p) { if(p != ipAddresses.begin()) { ostr << ", "; } ostr << *p; } } string msg = ostr.str(); if(_securityTraceLevel >= 1) { Trace out(_logger, _securityTraceCategory); out << msg; } if(_checkCertName) { SecurityException ex(__FILE__, __LINE__); ex.reason = msg; throw ex; } } } #endif if(_verifyDepthMax > 0 && static_cast<int>(info->certs.size()) > _verifyDepthMax) { ostringstream ostr; ostr << (info->incoming ? "incoming" : "outgoing") << " connection rejected:\n" << "length of peer's certificate chain (" << info->certs.size() << ") exceeds maximum of " << _verifyDepthMax; string msg = ostr.str(); if(_securityTraceLevel >= 1) { _logger->trace(_securityTraceCategory, msg + "\n" + desc); } SecurityException ex(__FILE__, __LINE__); ex.reason = msg; throw ex; } if(!_trustManager->verify(info, desc)) { string msg = string(info->incoming ? "incoming" : "outgoing") + " connection rejected by trust manager"; if(_securityTraceLevel >= 1) { _logger->trace(_securityTraceCategory, msg + "\n" + desc); } SecurityException ex(__FILE__, __LINE__); ex.reason = msg; throw ex; } if(verifier && !verifier->verify(info)) { string msg = string(info->incoming ? "incoming" : "outgoing") + " connection rejected by certificate verifier"; if(_securityTraceLevel >= 1) { _logger->trace(_securityTraceCategory, msg + "\n" + desc); } SecurityException ex(__FILE__, __LINE__); ex.reason = msg; throw ex; } }