Glacier2::SessionPrx
AdminSSLSessionManagerI::create(const Glacier2::SSLInfo& info,
const Glacier2::SessionControlPrx& ctl,
const Ice::Current&)
{
string userDN;
if(!info.certs.empty()) // TODO: Require userDN?
{
try
{
IceSSL::CertificatePtr cert = IceSSL::Certificate::decode(info.certs[0]);
userDN = cert->getSubjectDN();
}
catch(const Ice::Exception& e)
{
// This shouldn't happen, the SSLInfo is supposed to be encoded by Glacier2.
Ice::Error out(_factory->getTraceLevels()->logger);
out << "SSL session manager couldn't decode SSL certificates:\n" << e;
Glacier2::CannotCreateSessionException ex;
ex.reason = "internal server error";
throw ex;
}
}
return _factory->createGlacier2Session(userDN, ctl);
}
virtual Glacier2::SessionPrx
create(const Glacier2::SSLInfo& info, const Glacier2::SessionControlPrx&, const Ice::Current& current)
{
testContext(true, current.ctx);
test(info.remoteHost == "127.0.0.1");
test(info.localHost == "127.0.0.1");
test(info.localPort == 12348);
try
{
IceSSL::CertificatePtr cert = IceSSL::Certificate::decode(info.certs[0]);
test(cert->getIssuerDN() == IceSSL::DistinguishedName(
"[email protected],CN=ZeroC Test CA,OU=Ice,O=ZeroC\\, Inc.,L=Palm Beach Gardens,"
"ST=Florida,C=US"));
test(cert->getSubjectDN() == IceSSL::DistinguishedName(
"CN=Client,[email protected],OU=Ice,O=ZeroC\\, Inc.,ST=Florida,C=US"));
test(cert->checkValidity());
}
catch(const IceSSL::CertificateReadException&)
{
test(false);
}
Glacier2::SessionPtr session = new SessionI(true, true);
return Glacier2::SessionPrx::uncheckedCast(current.adapter->addWithUUID(session));
}
virtual bool
authorize(const Glacier2::SSLInfo& info, string&, const Ice::Current& current) const
{
testContext(true, current.ctx);
IceSSL::CertificatePtr cert = IceSSL::Certificate::decode(info.certs[0]);
test(cert->getIssuerDN() == IceSSL::DistinguishedName(
"[email protected],CN=ZeroC Test CA,OU=Ice,O=ZeroC\\, Inc.,"
"L=Palm Beach Gardens,ST=Florida,C=US"));
test(cert->getSubjectDN() == IceSSL::DistinguishedName(
"CN=Client,[email protected],OU=Ice,O=ZeroC\\, Inc.,ST=Florida,C=US"));
test(cert->checkValidity());
return true;
}
virtual bool
authorize(const Glacier2::SSLInfo& info, string&, const Ice::Current& current) const
{
if(current.ctx.find("throw") != current.ctx.end())
{
throw Test::ExtendedPermissionDeniedException("reason");
}
test(info.certs.size() > 0);
IceSSL::CertificatePtr cert = IceSSL::Certificate::decode(info.certs[0]);
test(cert->getIssuerDN() == IceSSL::DistinguishedName(
"[email protected],C=US,ST=Florida,L=Jupiter,O=ZeroC\\, Inc.,OU=Ice,CN=Ice Tests CA"));
test(cert->getSubjectDN() == IceSSL::DistinguishedName(
"[email protected],C=US,ST=Florida,L=Jupiter,O=ZeroC\\, Inc.,OU=Ice,CN=client"));
test(cert->checkValidity());
return true;
}
virtual bool
authorize(const Glacier2::SSLInfo& info, string&, const Ice::Current& current) const
{
if(current.ctx.find("throw") != current.ctx.end())
{
throw Test::ExtendedPermissionDeniedException("reason");
}
IceSSL::CertificatePtr cert = IceSSL::Certificate::decode(info.certs[0]);
test(cert->getIssuerDN() == IceSSL::DistinguishedName(
"[email protected],CN=ZeroC Test CA,OU=Ice,O=ZeroC\\, Inc.,L=Palm Beach Gardens,"
"ST=Florida,C=US"));
test(cert->getSubjectDN() == IceSSL::DistinguishedName(
"CN=Client,[email protected],OU=Ice,O=ZeroC\\, Inc.,ST=Florida,C=US"));
test(cert->checkValidity());
return true;
}
bool
OpenSSLCertificateI::verify(const IceSSL::CertificatePtr& cert) const
{
OpenSSLCertificateI* c = dynamic_cast<OpenSSLCertificateI*>(cert.get());
if(c)
{
EVP_PKEY* key = X509_get_pubkey(c->_cert);
bool verified = X509_verify(_cert, key) > 0;
EVP_PKEY_free(key);
return verified;
}
return false;
}