void
SChannelEngine::initialize()
{
Mutex::Lock lock(_mutex);
if(_initialized)
{
return;
}
SSLEngine::initialize();
const string prefix = "IceSSL.";
const PropertiesPtr properties = communicator()->getProperties();
//
// Protocols selects which protocols to enable, by default we only enable TLS1.0
// TLS1.1 and TLS1.2 to avoid security issues with SSLv3
//
vector<string> defaultProtocols;
defaultProtocols.push_back("tls1_0");
defaultProtocols.push_back("tls1_1");
defaultProtocols.push_back("tls1_2");
const_cast<DWORD&>(_protocols) =
parseProtocols(properties->getPropertyAsListWithDefault(prefix + "Protocols", defaultProtocols));
//
// Check for a default directory. We look in this directory for
// files mentioned in the configuration.
//
string defaultDir = properties->getProperty(prefix + "DefaultDir");
int passwordRetryMax = properties->getPropertyAsIntWithDefault(prefix + "PasswordRetryMax", 3);
PasswordPromptPtr passwordPrompt = getPasswordPrompt();
setPassword(properties->getProperty(prefix + "Password"));
string ciphers = properties->getProperty(prefix + "Ciphers");
if(!ciphers.empty())
{
parseCiphers(ciphers);
}
if(securityTraceLevel() >= 1)
{
ostringstream os;
os << "enabling SSL ciphersuites:";
if(_ciphers.empty())
{
for(int i = 0; i < supportedCiphersSize; ++i)
{
os << "\n " << getCipherName(supportedCiphers[i]);
}
}
else
{
for(vector<ALG_ID>::const_iterator i = _ciphers.begin(); i != _ciphers.end(); ++i)
{
os << "\n " << getCipherName(*i);
}
}
getLogger()->trace(securityTraceCategory(), os.str());
}
string certStore = properties->getPropertyWithDefault(prefix + "CertStore", "CurrentUser");
if(certStore != "CurrentUser" && certStore != "LocalMachine")
{
getLogger()->warning("Invalid IceSSL.CertStore value `" + certStore + "' adjusted to `CurrentUser'");
certStore = "CurrentUser";
}
//
// Create trusted CA store with contents of CertAuthFile
//
string caFile = properties->getProperty(prefix + "CertAuthFile");
if(!caFile.empty())
{
_rootStore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, 0, 0);
if(!_rootStore)
{
throw PluginInitializationException(__FILE__, __LINE__,
"IceSSL: error creating in memory certificate store:\n" + lastErrorToString());
}
if(!checkPath(caFile, defaultDir, false))
{
throw PluginInitializationException(__FILE__, __LINE__,
"IceSSL: CA certificate file not found:\n" + caFile);
}
addCertificateToStore(caFile, _rootStore);
//
// Create a chain engine that uses our Trusted Root Store
//
#ifdef __MINGW32__
CertChainEngineConfig config;
memset(&config, 0, sizeof(CertChainEngineConfig));
config.cbSize = sizeof(CertChainEngineConfig);
#else
CERT_CHAIN_ENGINE_CONFIG config;
memset(&config, 0, sizeof(CERT_CHAIN_ENGINE_CONFIG));
config.cbSize = sizeof(CERT_CHAIN_ENGINE_CONFIG);
#endif
config.hExclusiveRoot = _rootStore;
//
// Build the chain using the LocalMachine registry location as opposed
// to the CurrentUser location.
//
if(certStore == "LocalMachine")
{
config.dwFlags = CERT_CHAIN_USE_LOCAL_MACHINE_STORE;
}
#ifdef __MINGW32__
if(!CertCreateCertificateChainEngine(reinterpret_cast<CERT_CHAIN_ENGINE_CONFIG*>(&config), &_chainEngine))
#else
if(!CertCreateCertificateChainEngine(&config, &_chainEngine))
#endif
{
throw PluginInitializationException(__FILE__, __LINE__,
"IceSSL: error creating certificate chain engine:\n" + lastErrorToString());
}
}
else
{
_chainEngine = (certStore == "LocalMachine") ? HCCE_LOCAL_MACHINE : HCCE_CURRENT_USER;
}
//
// Import the application certificate and private keys.
//
string keySet = properties->getPropertyWithDefault(prefix + "KeySet", "DefaultKeySet");
if(keySet != "DefaultKeySet" && keySet != "UserKeySet" && keySet != "MachineKeySet")
{
getLogger()->warning("Invalid IceSSL.KeySet value `" + keySet + "' adjusted to `DefaultKeySet'");
keySet = "DefaultKeySet";
}
DWORD importFlags = (keySet == "MachineKeySet") ? CRYPT_MACHINE_KEYSET : CRYPT_USER_KEYSET;
string certFile = properties->getProperty(prefix + "CertFile");
string keyFile = properties->getPropertyWithDefault(prefix + "KeyFile", certFile);
if(!certFile.empty())
{
vector<string> certFiles;
if(!splitString(certFile, IceUtilInternal::pathsep, certFiles) || certFiles.size() > 2)
{
throw PluginInitializationException(__FILE__, __LINE__,
"IceSSL: invalid value for " + prefix + "CertFile:\n" + certFile);
}
vector<string> keyFiles;
if(!splitString(keyFile, IceUtilInternal::pathsep, keyFiles) || keyFiles.size() > 2)
{
throw PluginInitializationException(__FILE__, __LINE__,
"IceSSL: invalid value for " + prefix + "KeyFile:\n" + keyFile);
}
if(certFiles.size() != keyFiles.size())
{
throw PluginInitializationException(__FILE__, __LINE__,
"IceSSL: " + prefix + "KeyFile does not agree with " + prefix + "CertFile");
}
for(size_t i = 0; i < certFiles.size(); ++i)
{
string certFile = certFiles[i];
if(!checkPath(certFile, defaultDir, false))
{
throw PluginInitializationException(__FILE__, __LINE__,
"IceSSL: certificate file not found:\n" + certFile);
}
vector<char> buffer;
readFile(certFile, buffer);
CRYPT_DATA_BLOB pfxBlob;
pfxBlob.cbData = static_cast<DWORD>(buffer.size());
pfxBlob.pbData = reinterpret_cast<BYTE*>(&buffer[0]);
HCERTSTORE store = 0;
PCCERT_CONTEXT cert = 0;
int err = 0;
int count = 0;
do
{
string s = password(false);
store = PFXImportCertStore(&pfxBlob, stringToWstring(s).c_str(), importFlags);
err = store ? 0 : GetLastError();
}
while(err == ERROR_INVALID_PASSWORD && passwordPrompt && ++count < passwordRetryMax);
if(store)
{
_stores.push_back(store);
cert = CertFindCertificateInStore(store, X509_ASN_ENCODING, 0, CERT_FIND_ANY, 0, cert);
if(!cert)
{
throw PluginInitializationException(__FILE__, __LINE__,
"IceSSL: certificate error:\n" + lastErrorToString());
}
_certs.push_back(cert);
continue;
}
assert(err);
if(err != CRYPT_E_BAD_ENCODE)
{
throw PluginInitializationException(__FILE__, __LINE__,
"IceSSL: error decoding certificate:\n" + lastErrorToString());
}
//
// Try to load certificate & key as PEM files.
//
err = 0;
keyFile = keyFiles[i];
if(!checkPath(keyFile, defaultDir, false))
{
throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: key file not found:\n" + keyFile);
}
readFile(keyFile, buffer);
vector<BYTE> outBuffer;
outBuffer.resize(buffer.size());
DWORD outLength = static_cast<DWORD>(buffer.size());
//
// Convert the PEM encoded buffer to DER binary format.
//
if(!CryptStringToBinary(&buffer[0], static_cast<DWORD>(buffer.size()), CRYPT_STRING_BASE64HEADER,
&outBuffer[0], &outLength, 0, 0))
{
throw PluginInitializationException(__FILE__, __LINE__,
"IceSSL: error decoding key:\n" + lastErrorToString());
}
PCRYPT_PRIVATE_KEY_INFO keyInfo = 0;
BYTE* key = 0;
HCRYPTKEY hKey = 0;
try
{
DWORD decodedLength = 0;
if(!CryptDecodeObjectEx(X509_ASN_ENCODING, PKCS_PRIVATE_KEY_INFO, &outBuffer[0], outLength,
CRYPT_DECODE_ALLOC_FLAG, 0, &keyInfo, &decodedLength))
{
throw PluginInitializationException(__FILE__, __LINE__,
"IceSSL: error decoding key:\n" + lastErrorToString());
}
//
// Check that we are using a RSA Key
//
if(strcmp(keyInfo->Algorithm.pszObjId, szOID_RSA_RSA))
{
throw PluginInitializationException(__FILE__, __LINE__,
string("IceSSL: error unknow key algorithm: `") + keyInfo->Algorithm.pszObjId + "'");
}
//
// Create a new RSA key set to store our key
//
const wstring keySetName = stringToWstring(generateUUID());
HCRYPTPROV cryptProv = 0;
DWORD contextFlags = (keySet == "MachineKeySet") ? CRYPT_MACHINE_KEYSET | CRYPT_NEWKEYSET :
CRYPT_NEWKEYSET;
if(!CryptAcquireContextW(&cryptProv, keySetName.c_str(), MS_DEF_PROV_W, PROV_RSA_FULL, contextFlags))
{
throw PluginInitializationException(__FILE__, __LINE__,
"IceSSL: error acquiring cryptographic context:\n" + lastErrorToString());
}
//
// Decode the private key BLOB
//
if(!CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, PKCS_RSA_PRIVATE_KEY,
keyInfo->PrivateKey.pbData, keyInfo->PrivateKey.cbData,
CRYPT_DECODE_ALLOC_FLAG, 0, &key, &outLength))
{
throw PluginInitializationException(__FILE__, __LINE__,
"IceSSL: error decoding key:\n" + lastErrorToString());
}
LocalFree(keyInfo);
keyInfo = 0;
//
// Import the private key
//
if(!CryptImportKey(cryptProv, key, outLength, 0, 0, &hKey))
{
throw PluginInitializationException(__FILE__, __LINE__,
"IceSSL: error importing key:\n" + lastErrorToString());
}
LocalFree(key);
key = 0;
CryptDestroyKey(hKey);
hKey = 0;
//
// Create a new memory store to place the certificate
//
store = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, 0, 0);
if(!store)
{
throw PluginInitializationException(__FILE__, __LINE__,
"IceSSL: error creating certificate store:\n" + lastErrorToString());
}
addCertificateToStore(certFile, store, &cert);
//
// Associate key & certificate
//
CRYPT_KEY_PROV_INFO keyProvInfo;
memset(&keyProvInfo, 0, sizeof(keyProvInfo));
keyProvInfo.pwszContainerName = const_cast<wchar_t*>(keySetName.c_str());
keyProvInfo.pwszProvName = const_cast<wchar_t*>(MS_DEF_PROV_W);
keyProvInfo.dwProvType = PROV_RSA_FULL;
keyProvInfo.dwKeySpec = AT_KEYEXCHANGE;
if(!CertSetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, 0, &keyProvInfo))
{
throw PluginInitializationException(__FILE__, __LINE__,
"IceSSL: error seting certificate property:\n" + lastErrorToString());
}
_certs.push_back(cert);
_stores.push_back(store);
}
catch(...)
{
if(keyInfo)
{
LocalFree(keyInfo);
}
if(key)
{
LocalFree(key);
}
if(hKey)
{
CryptDestroyKey(hKey);
}
if(cert)
{
CertFreeCertificateContext(cert);
}
if(store)
{
CertCloseStore(store, 0);
}
throw;
}
}
_allCerts.insert(_allCerts.end(), _certs.begin(), _certs.end());
}
const string findPrefix = prefix + "FindCert.";
map<string, string> certProps = properties->getPropertiesForPrefix(findPrefix);
if(!certProps.empty())
{
for(map<string, string>::const_iterator i = certProps.begin(); i != certProps.end(); ++i)
{
const string name = i->first;
const string val = i->second;
if(!val.empty())
{
string storeSpec = name.substr(findPrefix.size());
vector<PCCERT_CONTEXT> certs = findCertificates(name, storeSpec, val, _stores);
_allCerts.insert(_allCerts.end(), certs.begin(), certs.end());
}
}
if(_allCerts.empty())
{
throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: no certificates found");
}
}
_initialized = true;
}
