Beispiel #1
0
        internal bool Verify(IceSSL.ConnectionInfo info, string desc)
        {
            List <List <List <RFC2253.RDNPair> > > reject = new List <List <List <RFC2253.RDNPair> > >(),
                                                   accept = new List <List <List <RFC2253.RDNPair> > >();

            if (_rejectAll.Count != 0)
            {
                reject.Add(_rejectAll);
            }
            if (info.Incoming)
            {
                if (_rejectAllServer.Count != 0)
                {
                    reject.Add(_rejectAllServer);
                }
                if (info.AdapterName !.Length > 0)
                {
                    if (_rejectServer.TryGetValue(info.AdapterName, out List <List <RFC2253.RDNPair> >?p))
                    {
                        reject.Add(p);
                    }
                }
            }
            else
            {
                if (_rejectClient.Count != 0)
                {
                    reject.Add(_rejectClient);
                }
            }

            if (_acceptAll.Count != 0)
            {
                accept.Add(_acceptAll);
            }
            if (info.Incoming)
            {
                if (_acceptAllServer.Count != 0)
                {
                    accept.Add(_acceptAllServer);
                }
                if (info.AdapterName !.Length > 0)
                {
                    if (_acceptServer.TryGetValue(info.AdapterName, out List <List <RFC2253.RDNPair> >?p))
                    {
                        accept.Add(p);
                    }
                }
            }
            else
            {
                if (_acceptClient.Count != 0)
                {
                    accept.Add(_acceptClient);
                }
            }

            //
            // If there is nothing to match against, then we accept the cert.
            //
            if (reject.Count == 0 && accept.Count == 0)
            {
                return(true);
            }

            //
            // If there is no certificate then we match false.
            //
            if (info.Certs != null && info.Certs.Length > 0)
            {
                X500DistinguishedName subjectDN = info.Certs[0].SubjectName;
                string subjectName = subjectDN.Name;
                Debug.Assert(subjectName != null);
                try
                {
                    //
                    // Decompose the subject DN into the RDNs.
                    //
                    if (_traceLevel > 0)
                    {
                        if (info.Incoming)
                        {
                            _communicator.Logger.Trace("Security", "trust manager evaluating client:\n" +
                                                       "subject = " + subjectName + "\n" + "adapter = " + info.AdapterName + "\n" + desc);
                        }
                        else
                        {
                            _communicator.Logger.Trace("Security", "trust manager evaluating server:\n" +
                                                       "subject = " + subjectName + "\n" + desc);
                        }
                    }

                    List <RFC2253.RDNPair> dn = RFC2253.ParseStrict(subjectName);

                    //
                    // Unescape the DN. Note that this isn't done in
                    // the parser in order to keep the various RFC2253
                    // implementations as close as possible.
                    //
                    for (int i = 0; i < dn.Count; ++i)
                    {
                        RFC2253.RDNPair p = dn[i];
                        p.Value = RFC2253.Unescape(p.Value);
                        dn[i]   = p;
                    }

                    //
                    // Fail if we match anything in the reject set.
                    //
                    foreach (List <List <RFC2253.RDNPair> > matchSet in reject)
                    {
                        if (_traceLevel > 0)
                        {
                            var s = new StringBuilder("trust manager rejecting PDNs:\n");
                            Stringify(matchSet, s);
                            _communicator.Logger.Trace("Security", s.ToString());
                        }
                        if (Match(matchSet, dn))
                        {
                            return(false);
                        }
                    }

                    //
                    // Succeed if we match anything in the accept set.
                    //
                    foreach (List <List <RFC2253.RDNPair> > matchSet in accept)
                    {
                        if (_traceLevel > 0)
                        {
                            var s = new StringBuilder("trust manager accepting PDNs:\n");
                            Stringify(matchSet, s);
                            _communicator.Logger.Trace("Security", s.ToString());
                        }
                        if (Match(matchSet, dn))
                        {
                            return(true);
                        }
                    }
                }
                catch (FormatException e)
                {
                    _communicator.Logger.Warning(
                        $"IceSSL: unable to parse certificate DN `{subjectName}'\nreason: {e.Message}");
                }

                //
                // At this point we accept the connection if there are no explicit accept rules.
                //
                return(accept.Count == 0);
            }

            return(false);
        }