예제 #1
0
NativeConnectionInfoPtr
IceSSL::TransceiverI::getNativeConnectionInfo() const
{
    NativeConnectionInfoPtr info = new NativeConnectionInfo();
    IceInternal::fdToAddressAndPort(_fd, info->localAddress, info->localPort, info->remoteAddress, info->remotePort);

    if(_ssl != 0)
    {
        //
        // On the client side, SSL_get_peer_cert_chain returns the entire chain of certs.
        // On the server side, the peer certificate must be obtained separately.
        //
        // Since we have no clear idea whether the connection is server or client side,
        // the peer certificate is obtained separately and compared against the first
        // certificate in the chain. If they are not the same, it is added to the chain.
        //
        X509* cert = SSL_get_peer_certificate(_ssl);
        STACK_OF(X509)* chain = SSL_get_peer_cert_chain(_ssl);
        if(cert != 0 && (chain == 0 || sk_X509_num(chain) == 0 || cert != sk_X509_value(chain, 0)))
        {
            CertificatePtr certificate = new Certificate(cert);
            info->nativeCerts.push_back(certificate);
            info->certs.push_back(certificate->encode());
        }
        else
        {
            X509_free(cert);
        }
        
        if(chain != 0)
        {
            for(int i = 0; i < sk_X509_num(chain); ++i)
            {
                //
                // Duplicate the certificate since the stack comes straight from the SSL connection.
                //
                CertificatePtr certificate = new Certificate(X509_dup(sk_X509_value(chain, i)));
                info->nativeCerts.push_back(certificate);
                info->certs.push_back(certificate->encode());
            }
        }

        info->cipher = SSL_get_cipher_name(_ssl); // Nothing needs to be free'd.
    }

    info->adapterName = _adapterName;
    info->incoming = _incoming;
    return info;
}
NativeConnectionInfoPtr
IceSSL::TransceiverI::getNativeConnectionInfo() const
{
    NativeConnectionInfoPtr info = new NativeConnectionInfo();
    IceInternal::fdToAddressAndPort(_stream->fd(), info->localAddress, info->localPort, info->remoteAddress, 
                                    info->remotePort);

    if(_ssl)
    {
        for(int i = 0, count = SecTrustGetCertificateCount(_trust); i < count; ++i)
        {
            SecCertificateRef cert = SecTrustGetCertificateAtIndex(_trust, i);
            CFRetain(cert);

            CertificatePtr certificate = new Certificate(cert);
            info->nativeCerts.push_back(certificate);
            info->certs.push_back(certificate->encode());
        }

        SSLCipherSuite cipher;
        SSLGetNegotiatedCipher(_ssl, &cipher);
        info->cipher = _engine->getCipherName(cipher);
    }

    info->adapterName = _adapterName;
    info->incoming = _incoming;
    return info;
}
void
IceSSL::TransceiverI::fillConnectionInfo(const ConnectionInfoPtr& info, std::vector<CertificatePtr>& nativeCerts) const
{
    IceInternal::fdToAddressAndPort(_stream->fd(), info->localAddress, info->localPort, info->remoteAddress,
                                    info->remotePort);
    if(_stream->fd() != INVALID_SOCKET)
    {
        info->rcvSize = IceInternal::getRecvBufferSize(_stream->fd());
        info->sndSize = IceInternal::getSendBufferSize(_stream->fd());
    }

    if(_ssl)
    {
        for(int i = 0, count = SecTrustGetCertificateCount(_trust); i < count; ++i)
        {
            SecCertificateRef cert = SecTrustGetCertificateAtIndex(_trust, i);
            CFRetain(cert);

            CertificatePtr certificate = ICE_MAKE_SHARED(Certificate, cert);
            nativeCerts.push_back(certificate);
            info->certs.push_back(certificate->encode());
        }

        SSLCipherSuite cipher;
        SSLGetNegotiatedCipher(_ssl, &cipher);
        info->cipher = _engine->getCipherName(cipher);
        info->verified = _verified;
    }
    else
    {
        info->verified = false;
    }

    info->adapterName = _adapterName;
    info->incoming = _incoming;
}
예제 #4
0
void
IceSSL::TransceiverI::fillConnectionInfo(const ConnectionInfoPtr& info, vector<CertificatePtr>& nativeCerts) const
{
    IceInternal::fdToAddressAndPort(_stream->fd(), info->localAddress, info->localPort, info->remoteAddress,
                                    info->remotePort);
    if(_stream->fd() != INVALID_SOCKET)
    {
        info->rcvSize = IceInternal::getRecvBufferSize(_stream->fd());
        info->sndSize = IceInternal::getSendBufferSize(_stream->fd());
    }

    info->verified = _verified;

    if(_sslInitialized)
    {
        CtxtHandle* ssl = const_cast<CtxtHandle*>(&_ssl);
        PCCERT_CONTEXT cert = 0;
        PCCERT_CHAIN_CONTEXT certChain = 0;
        SECURITY_STATUS err = QueryContextAttributes(ssl, SECPKG_ATTR_REMOTE_CERT_CONTEXT, &cert);
        if(err == SEC_E_OK)
        {
            assert(cert);
            CERT_CHAIN_PARA chainP;
            memset(&chainP, 0, sizeof(chainP));
            chainP.cbSize = sizeof(chainP);

            if(CertGetCertificateChain(_engine->chainEngine(), cert, 0, 0, &chainP,
                                       CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY, 0, &certChain))
            {
                CERT_SIMPLE_CHAIN* simpleChain = certChain->rgpChain[0];
                for(DWORD i = 0; i < simpleChain->cElement; ++i)
                {
                    PCCERT_CONTEXT c = simpleChain->rgpElement[i]->pCertContext;
                    PCERT_SIGNED_CONTENT_INFO cc;

                    DWORD length = 0;
                    if(!CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, X509_CERT, c->pbCertEncoded,
                                            c->cbCertEncoded, CRYPT_DECODE_ALLOC_FLAG, 0, &cc, &length))
                    {
                        CertFreeCertificateChain(certChain);
                        CertFreeCertificateContext(cert);
                        throw SecurityException(__FILE__, __LINE__,
                                                "IceSSL: error decoding peer certificate chain:\n" +
                                                IceUtilInternal::lastErrorToString());
                    }

                    CertificatePtr certificate = ICE_MAKE_SHARED(Certificate, cc);
                    nativeCerts.push_back(certificate);
                    info->certs.push_back(certificate->encode());
                }
                CertFreeCertificateChain(certChain);
            }
            CertFreeCertificateContext(cert);
        }
        else if(err != SEC_E_NO_CREDENTIALS)
        {
            throw SecurityException(__FILE__, __LINE__, "IceSSL: error reading peer certificate:" +
                                    IceUtilInternal::lastErrorToString());
        }

        SecPkgContext_ConnectionInfo connInfo;
        if(QueryContextAttributes(ssl, SECPKG_ATTR_CONNECTION_INFO, &connInfo) == SEC_E_OK)
        {
            info->cipher = _engine->getCipherName(connInfo.aiCipher);
        }
        else
        {
            throw SecurityException(__FILE__, __LINE__, "IceSSL: error reading cipher info:" +
                                    IceUtilInternal::lastErrorToString());
        }
    }

    info->adapterName = _adapterName;
    info->incoming = _incoming;
}