NativeConnectionInfoPtr
IceSSL::TransceiverI::getNativeConnectionInfo() const
{
NativeConnectionInfoPtr info = new NativeConnectionInfo();
IceInternal::fdToAddressAndPort(_fd, info->localAddress, info->localPort, info->remoteAddress, info->remotePort);
if(_ssl != 0)
{
//
// On the client side, SSL_get_peer_cert_chain returns the entire chain of certs.
// On the server side, the peer certificate must be obtained separately.
//
// Since we have no clear idea whether the connection is server or client side,
// the peer certificate is obtained separately and compared against the first
// certificate in the chain. If they are not the same, it is added to the chain.
//
X509* cert = SSL_get_peer_certificate(_ssl);
STACK_OF(X509)* chain = SSL_get_peer_cert_chain(_ssl);
if(cert != 0 && (chain == 0 || sk_X509_num(chain) == 0 || cert != sk_X509_value(chain, 0)))
{
CertificatePtr certificate = new Certificate(cert);
info->nativeCerts.push_back(certificate);
info->certs.push_back(certificate->encode());
}
else
{
X509_free(cert);
}
if(chain != 0)
{
for(int i = 0; i < sk_X509_num(chain); ++i)
{
//
// Duplicate the certificate since the stack comes straight from the SSL connection.
//
CertificatePtr certificate = new Certificate(X509_dup(sk_X509_value(chain, i)));
info->nativeCerts.push_back(certificate);
info->certs.push_back(certificate->encode());
}
}
info->cipher = SSL_get_cipher_name(_ssl); // Nothing needs to be free'd.
}
info->adapterName = _adapterName;
info->incoming = _incoming;
return info;
}
NativeConnectionInfoPtr
IceSSL::TransceiverI::getNativeConnectionInfo() const
{
NativeConnectionInfoPtr info = new NativeConnectionInfo();
IceInternal::fdToAddressAndPort(_stream->fd(), info->localAddress, info->localPort, info->remoteAddress,
info->remotePort);
if(_ssl)
{
for(int i = 0, count = SecTrustGetCertificateCount(_trust); i < count; ++i)
{
SecCertificateRef cert = SecTrustGetCertificateAtIndex(_trust, i);
CFRetain(cert);
CertificatePtr certificate = new Certificate(cert);
info->nativeCerts.push_back(certificate);
info->certs.push_back(certificate->encode());
}
SSLCipherSuite cipher;
SSLGetNegotiatedCipher(_ssl, &cipher);
info->cipher = _engine->getCipherName(cipher);
}
info->adapterName = _adapterName;
info->incoming = _incoming;
return info;
}
void
IceSSL::TransceiverI::fillConnectionInfo(const ConnectionInfoPtr& info, std::vector<CertificatePtr>& nativeCerts) const
{
IceInternal::fdToAddressAndPort(_stream->fd(), info->localAddress, info->localPort, info->remoteAddress,
info->remotePort);
if(_stream->fd() != INVALID_SOCKET)
{
info->rcvSize = IceInternal::getRecvBufferSize(_stream->fd());
info->sndSize = IceInternal::getSendBufferSize(_stream->fd());
}
if(_ssl)
{
for(int i = 0, count = SecTrustGetCertificateCount(_trust); i < count; ++i)
{
SecCertificateRef cert = SecTrustGetCertificateAtIndex(_trust, i);
CFRetain(cert);
CertificatePtr certificate = ICE_MAKE_SHARED(Certificate, cert);
nativeCerts.push_back(certificate);
info->certs.push_back(certificate->encode());
}
SSLCipherSuite cipher;
SSLGetNegotiatedCipher(_ssl, &cipher);
info->cipher = _engine->getCipherName(cipher);
info->verified = _verified;
}
else
{
info->verified = false;
}
info->adapterName = _adapterName;
info->incoming = _incoming;
}
void
IceSSL::TransceiverI::fillConnectionInfo(const ConnectionInfoPtr& info, vector<CertificatePtr>& nativeCerts) const
{
IceInternal::fdToAddressAndPort(_stream->fd(), info->localAddress, info->localPort, info->remoteAddress,
info->remotePort);
if(_stream->fd() != INVALID_SOCKET)
{
info->rcvSize = IceInternal::getRecvBufferSize(_stream->fd());
info->sndSize = IceInternal::getSendBufferSize(_stream->fd());
}
info->verified = _verified;
if(_sslInitialized)
{
CtxtHandle* ssl = const_cast<CtxtHandle*>(&_ssl);
PCCERT_CONTEXT cert = 0;
PCCERT_CHAIN_CONTEXT certChain = 0;
SECURITY_STATUS err = QueryContextAttributes(ssl, SECPKG_ATTR_REMOTE_CERT_CONTEXT, &cert);
if(err == SEC_E_OK)
{
assert(cert);
CERT_CHAIN_PARA chainP;
memset(&chainP, 0, sizeof(chainP));
chainP.cbSize = sizeof(chainP);
if(CertGetCertificateChain(_engine->chainEngine(), cert, 0, 0, &chainP,
CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY, 0, &certChain))
{
CERT_SIMPLE_CHAIN* simpleChain = certChain->rgpChain[0];
for(DWORD i = 0; i < simpleChain->cElement; ++i)
{
PCCERT_CONTEXT c = simpleChain->rgpElement[i]->pCertContext;
PCERT_SIGNED_CONTENT_INFO cc;
DWORD length = 0;
if(!CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, X509_CERT, c->pbCertEncoded,
c->cbCertEncoded, CRYPT_DECODE_ALLOC_FLAG, 0, &cc, &length))
{
CertFreeCertificateChain(certChain);
CertFreeCertificateContext(cert);
throw SecurityException(__FILE__, __LINE__,
"IceSSL: error decoding peer certificate chain:\n" +
IceUtilInternal::lastErrorToString());
}
CertificatePtr certificate = ICE_MAKE_SHARED(Certificate, cc);
nativeCerts.push_back(certificate);
info->certs.push_back(certificate->encode());
}
CertFreeCertificateChain(certChain);
}
CertFreeCertificateContext(cert);
}
else if(err != SEC_E_NO_CREDENTIALS)
{
throw SecurityException(__FILE__, __LINE__, "IceSSL: error reading peer certificate:" +
IceUtilInternal::lastErrorToString());
}
SecPkgContext_ConnectionInfo connInfo;
if(QueryContextAttributes(ssl, SECPKG_ATTR_CONNECTION_INFO, &connInfo) == SEC_E_OK)
{
info->cipher = _engine->getCipherName(connInfo.aiCipher);
}
else
{
throw SecurityException(__FILE__, __LINE__, "IceSSL: error reading cipher info:" +
IceUtilInternal::lastErrorToString());
}
}
info->adapterName = _adapterName;
info->incoming = _incoming;
}
