internal void verifyPeer(string address, IceSSL.ConnectionInfo info, string desc)
{
if (_verifyDepthMax > 0 && info.certs != null && info.certs.Length > _verifyDepthMax)
{
string msg = (info.incoming ? "incoming" : "outgoing") + " connection rejected:\n" +
"length of peer's certificate chain (" + info.certs.Length + ") exceeds maximum of " +
_verifyDepthMax + "\n" + desc;
if (_securityTraceLevel >= 1)
{
_logger.trace(_securityTraceCategory, msg);
}
Ice.SecurityException ex = new Ice.SecurityException();
ex.reason = msg;
throw ex;
}
if (!_trustManager.verify(info, desc))
{
string msg = (info.incoming ? "incoming" : "outgoing") + " connection rejected by trust manager\n" +
desc;
if (_securityTraceLevel >= 1)
{
_logger.trace(_securityTraceCategory, msg);
}
Ice.SecurityException ex = new Ice.SecurityException();
ex.reason = "IceSSL: " + msg;
throw ex;
}
if (_verifier != null && !_verifier.verify(info))
{
string msg = (info.incoming ? "incoming" : "outgoing") +
" connection rejected by certificate verifier\n" + desc;
if (_securityTraceLevel >= 1)
{
_logger.trace(_securityTraceCategory, msg);
}
Ice.SecurityException ex = new Ice.SecurityException();
ex.reason = "IceSSL: " + msg;
throw ex;
}
}
public bool Verify(IceSSL.ConnectionInfo info)
{
_hadCert = info.Certs != null;
_invoked = true;
return(_returnValue);
}
internal bool Verify(IceSSL.ConnectionInfo info, string desc)
{
List <List <List <RFC2253.RDNPair> > > reject = new List <List <List <RFC2253.RDNPair> > >(),
accept = new List <List <List <RFC2253.RDNPair> > >();
if (_rejectAll.Count != 0)
{
reject.Add(_rejectAll);
}
if (info.Incoming)
{
if (_rejectAllServer.Count != 0)
{
reject.Add(_rejectAllServer);
}
if (info.AdapterName !.Length > 0)
{
if (_rejectServer.TryGetValue(info.AdapterName, out List <List <RFC2253.RDNPair> >?p))
{
reject.Add(p);
}
}
}
else
{
if (_rejectClient.Count != 0)
{
reject.Add(_rejectClient);
}
}
if (_acceptAll.Count != 0)
{
accept.Add(_acceptAll);
}
if (info.Incoming)
{
if (_acceptAllServer.Count != 0)
{
accept.Add(_acceptAllServer);
}
if (info.AdapterName !.Length > 0)
{
if (_acceptServer.TryGetValue(info.AdapterName, out List <List <RFC2253.RDNPair> >?p))
{
accept.Add(p);
}
}
}
else
{
if (_acceptClient.Count != 0)
{
accept.Add(_acceptClient);
}
}
//
// If there is nothing to match against, then we accept the cert.
//
if (reject.Count == 0 && accept.Count == 0)
{
return(true);
}
//
// If there is no certificate then we match false.
//
if (info.Certs != null && info.Certs.Length > 0)
{
X500DistinguishedName subjectDN = info.Certs[0].SubjectName;
string subjectName = subjectDN.Name;
Debug.Assert(subjectName != null);
try
{
//
// Decompose the subject DN into the RDNs.
//
if (_traceLevel > 0)
{
if (info.Incoming)
{
_communicator.Logger.Trace("Security", "trust manager evaluating client:\n" +
"subject = " + subjectName + "\n" + "adapter = " + info.AdapterName + "\n" + desc);
}
else
{
_communicator.Logger.Trace("Security", "trust manager evaluating server:\n" +
"subject = " + subjectName + "\n" + desc);
}
}
List <RFC2253.RDNPair> dn = RFC2253.ParseStrict(subjectName);
//
// Unescape the DN. Note that this isn't done in
// the parser in order to keep the various RFC2253
// implementations as close as possible.
//
for (int i = 0; i < dn.Count; ++i)
{
RFC2253.RDNPair p = dn[i];
p.Value = RFC2253.Unescape(p.Value);
dn[i] = p;
}
//
// Fail if we match anything in the reject set.
//
foreach (List <List <RFC2253.RDNPair> > matchSet in reject)
{
if (_traceLevel > 0)
{
var s = new StringBuilder("trust manager rejecting PDNs:\n");
Stringify(matchSet, s);
_communicator.Logger.Trace("Security", s.ToString());
}
if (Match(matchSet, dn))
{
return(false);
}
}
//
// Succeed if we match anything in the accept set.
//
foreach (List <List <RFC2253.RDNPair> > matchSet in accept)
{
if (_traceLevel > 0)
{
var s = new StringBuilder("trust manager accepting PDNs:\n");
Stringify(matchSet, s);
_communicator.Logger.Trace("Security", s.ToString());
}
if (Match(matchSet, dn))
{
return(true);
}
}
}
catch (FormatException e)
{
_communicator.Logger.Warning(
$"IceSSL: unable to parse certificate DN `{subjectName}'\nreason: {e.Message}");
}
//
// At this point we accept the connection if there are no explicit accept rules.
//
return(accept.Count == 0);
}
return(false);
}
internal void verifyPeer(string address, IceSSL.ConnectionInfo info, string desc)
{
_engine.verifyPeer(address, info, desc);
}
