internal void verifyPeer(string address, IceSSL.ConnectionInfo info, string desc) { if (_verifyDepthMax > 0 && info.certs != null && info.certs.Length > _verifyDepthMax) { string msg = (info.incoming ? "incoming" : "outgoing") + " connection rejected:\n" + "length of peer's certificate chain (" + info.certs.Length + ") exceeds maximum of " + _verifyDepthMax + "\n" + desc; if (_securityTraceLevel >= 1) { _logger.trace(_securityTraceCategory, msg); } Ice.SecurityException ex = new Ice.SecurityException(); ex.reason = msg; throw ex; } if (!_trustManager.verify(info, desc)) { string msg = (info.incoming ? "incoming" : "outgoing") + " connection rejected by trust manager\n" + desc; if (_securityTraceLevel >= 1) { _logger.trace(_securityTraceCategory, msg); } Ice.SecurityException ex = new Ice.SecurityException(); ex.reason = "IceSSL: " + msg; throw ex; } if (_verifier != null && !_verifier.verify(info)) { string msg = (info.incoming ? "incoming" : "outgoing") + " connection rejected by certificate verifier\n" + desc; if (_securityTraceLevel >= 1) { _logger.trace(_securityTraceCategory, msg); } Ice.SecurityException ex = new Ice.SecurityException(); ex.reason = "IceSSL: " + msg; throw ex; } }
public bool Verify(IceSSL.ConnectionInfo info) { _hadCert = info.Certs != null; _invoked = true; return(_returnValue); }
internal bool Verify(IceSSL.ConnectionInfo info, string desc) { List <List <List <RFC2253.RDNPair> > > reject = new List <List <List <RFC2253.RDNPair> > >(), accept = new List <List <List <RFC2253.RDNPair> > >(); if (_rejectAll.Count != 0) { reject.Add(_rejectAll); } if (info.Incoming) { if (_rejectAllServer.Count != 0) { reject.Add(_rejectAllServer); } if (info.AdapterName !.Length > 0) { if (_rejectServer.TryGetValue(info.AdapterName, out List <List <RFC2253.RDNPair> >?p)) { reject.Add(p); } } } else { if (_rejectClient.Count != 0) { reject.Add(_rejectClient); } } if (_acceptAll.Count != 0) { accept.Add(_acceptAll); } if (info.Incoming) { if (_acceptAllServer.Count != 0) { accept.Add(_acceptAllServer); } if (info.AdapterName !.Length > 0) { if (_acceptServer.TryGetValue(info.AdapterName, out List <List <RFC2253.RDNPair> >?p)) { accept.Add(p); } } } else { if (_acceptClient.Count != 0) { accept.Add(_acceptClient); } } // // If there is nothing to match against, then we accept the cert. // if (reject.Count == 0 && accept.Count == 0) { return(true); } // // If there is no certificate then we match false. // if (info.Certs != null && info.Certs.Length > 0) { X500DistinguishedName subjectDN = info.Certs[0].SubjectName; string subjectName = subjectDN.Name; Debug.Assert(subjectName != null); try { // // Decompose the subject DN into the RDNs. // if (_traceLevel > 0) { if (info.Incoming) { _communicator.Logger.Trace("Security", "trust manager evaluating client:\n" + "subject = " + subjectName + "\n" + "adapter = " + info.AdapterName + "\n" + desc); } else { _communicator.Logger.Trace("Security", "trust manager evaluating server:\n" + "subject = " + subjectName + "\n" + desc); } } List <RFC2253.RDNPair> dn = RFC2253.ParseStrict(subjectName); // // Unescape the DN. Note that this isn't done in // the parser in order to keep the various RFC2253 // implementations as close as possible. // for (int i = 0; i < dn.Count; ++i) { RFC2253.RDNPair p = dn[i]; p.Value = RFC2253.Unescape(p.Value); dn[i] = p; } // // Fail if we match anything in the reject set. // foreach (List <List <RFC2253.RDNPair> > matchSet in reject) { if (_traceLevel > 0) { var s = new StringBuilder("trust manager rejecting PDNs:\n"); Stringify(matchSet, s); _communicator.Logger.Trace("Security", s.ToString()); } if (Match(matchSet, dn)) { return(false); } } // // Succeed if we match anything in the accept set. // foreach (List <List <RFC2253.RDNPair> > matchSet in accept) { if (_traceLevel > 0) { var s = new StringBuilder("trust manager accepting PDNs:\n"); Stringify(matchSet, s); _communicator.Logger.Trace("Security", s.ToString()); } if (Match(matchSet, dn)) { return(true); } } } catch (FormatException e) { _communicator.Logger.Warning( $"IceSSL: unable to parse certificate DN `{subjectName}'\nreason: {e.Message}"); } // // At this point we accept the connection if there are no explicit accept rules. // return(accept.Count == 0); } return(false); }
internal void verifyPeer(string address, IceSSL.ConnectionInfo info, string desc) { _engine.verifyPeer(address, info, desc); }