public static void ValidateProperties(string prefix, Ice.Communicator communicator)
{
Dictionary <string, string> props = communicator.GetProperties(forPrefix: prefix);
var unknownProps = new List <string>();
foreach (string prop in props.Keys)
{
bool valid = false;
foreach (string suffix in _suffixes)
{
if (IceUtilInternal.StringUtil.Match(prop, prefix + suffix, false))
{
valid = true;
break;
}
}
if (!valid)
{
unknownProps.Add(prop);
}
}
if (unknownProps.Count != 0 && (communicator.GetPropertyAsBool("Ice.Warn.UnknownProperties") ?? true))
{
var message = new StringBuilder("found unknown IceMX properties for `");
message.Append(prefix[0..^ 1]);
internal void Initialize()
{
if (_initialized)
{
return;
}
Ice.Communicator ic = Communicator();
//
// Check for a default directory. We look in this directory for
// files mentioned in the configuration.
//
_defaultDir = ic.GetProperty("IceSSL.DefaultDir") ?? "";
string certStoreLocation = ic.GetProperty("IceSSL.CertStoreLocation") ?? "CurrentUser";
StoreLocation storeLocation;
if (certStoreLocation == "CurrentUser")
{
storeLocation = StoreLocation.CurrentUser;
}
else if (certStoreLocation == "LocalMachine")
{
storeLocation = StoreLocation.LocalMachine;
}
else
{
_logger.Warning($"Invalid IceSSL.CertStoreLocation value `{certStoreLocation}' adjusted to `CurrentUser'");
storeLocation = StoreLocation.CurrentUser;
}
_useMachineContext = certStoreLocation == "LocalMachine";
//
// Protocols selects which protocols to enable
//
string[]? protocols = ic.GetPropertyAsList("IceSSL.Protocols");
if (protocols != null)
{
_protocols = ParseProtocols(protocols);
}
//
// CheckCertName determines whether we compare the name in a peer's
// certificate against its hostname.
//
_checkCertName = ic.GetPropertyAsBool("IceSSL.CheckCertName") ?? false;
//
// VerifyDepthMax establishes the maximum length of a peer's certificate
// chain, including the peer's certificate. A value of 0 means there is
// no maximum.
//
_verifyDepthMax = ic.GetPropertyAsInt("IceSSL.VerifyDepthMax") ?? 3;
//
// CheckCRL determines whether the certificate revocation list is checked, and how strictly.
//
_checkCRL = ic.GetPropertyAsInt("IceSSL.CheckCRL") ?? 0;
//
// Check for a certificate verifier.
//
string?certVerifierClass = ic.GetProperty("IceSSL.CertVerifier");
if (certVerifierClass != null)
{
if (_verifier != null)
{
throw new InvalidOperationException("IceSSL: certificate verifier already installed");
}
Type?cls = _facade.FindType(certVerifierClass);
if (cls == null)
{
throw new InvalidConfigurationException(
$"IceSSL: unable to load certificate verifier class `{certVerifierClass}'");
}
try
{
_verifier = (ICertificateVerifier?)Activator.CreateInstance(cls);
}
catch (Exception ex)
{
throw new LoadException(
$"IceSSL: unable to instantiate certificate verifier class `{certVerifierClass}", ex);
}
}
//
// Check for a password callback.
//
string?passwordCallbackClass = ic.GetProperty("IceSSL.PasswordCallback");
if (passwordCallbackClass != null)
{
if (_passwordCallback != null)
{
throw new InvalidOperationException("IceSSL: password callback already installed");
}
Type?cls = _facade.FindType(passwordCallbackClass);
if (cls == null)
{
throw new InvalidConfigurationException(
$"IceSSL: unable to load password callback class `{passwordCallbackClass}'");
}
try
{
_passwordCallback = (IPasswordCallback?)Activator.CreateInstance(cls);
}
catch (Exception ex)
{
throw new LoadException(
$"IceSSL: unable to load password callback class {passwordCallbackClass}", ex);
}
}
//
// If the user hasn't supplied a certificate collection, we need to examine
// the property settings.
//
if (_certs == null)
{
//
// If IceSSL.CertFile is defined, load a certificate from a file and
// add it to the collection.
//
// TODO: tracing?
_certs = new X509Certificate2Collection();
string? certFile = ic.GetProperty("IceSSL.CertFile");
string? passwordStr = ic.GetProperty("IceSSL.Password");
string? findCert = ic.GetProperty("IceSSL.FindCert");
const string findPrefix = "IceSSL.FindCert.";
Dictionary <string, string> findCertProps = ic.GetProperties(forPrefix: findPrefix);
if (certFile != null)
{
if (!CheckPath(ref certFile))
{
throw new FileNotFoundException($"IceSSL: certificate file not found: `{certFile}'", certFile);
}
SecureString?password = null;
if (passwordStr != null)
{
password = CreateSecureString(passwordStr);
}
else if (_passwordCallback != null)
{
password = _passwordCallback.GetPassword(certFile);
}
try
{
X509Certificate2 cert;
X509KeyStorageFlags importFlags;
if (_useMachineContext)
{
importFlags = X509KeyStorageFlags.MachineKeySet;
}
else
{
importFlags = X509KeyStorageFlags.UserKeySet;
}
if (password != null)
{
cert = new X509Certificate2(certFile, password, importFlags);
}
else
{
cert = new X509Certificate2(certFile, "", importFlags);
}
_certs.Add(cert);
}
catch (CryptographicException ex)
{
throw new InvalidConfigurationException(
$"IceSSL: error while attempting to load certificate from `{certFile}'", ex);
}
}
else if (findCert != null)
{
string certStore = ic.GetProperty("IceSSL.CertStore") ?? "My";
_certs.AddRange(FindCertificates("IceSSL.FindCert", storeLocation, certStore, findCert));
if (_certs.Count == 0)
{
throw new InvalidConfigurationException("IceSSL: no certificates found");
}
}
else if (findCertProps.Count > 0)
{
//
// If IceSSL.FindCert.* properties are defined, add the selected certificates
// to the collection.
//
foreach (KeyValuePair <string, string> entry in findCertProps)
{
string name = entry.Key;
string val = entry.Value;
if (val.Length > 0)
{
string storeSpec = name.Substring(findPrefix.Length);
StoreLocation storeLoc = 0;
StoreName storeName = 0;
string? sname = null;
ParseStore(name, storeSpec, ref storeLoc, ref storeName, ref sname);
if (sname == null)
{
sname = storeName.ToString();
}
X509Certificate2Collection coll = FindCertificates(name, storeLoc, sname, val);
_certs.AddRange(coll);
}
}
if (_certs.Count == 0)
{
throw new InvalidConfigurationException("IceSSL: no certificates found");
}
}
}
if (_caCerts == null)
{
string?certAuthFile = ic.GetProperty("IceSSL.CAs");
if (certAuthFile == null)
{
certAuthFile = ic.GetProperty("IceSSL.CertAuthFile");
}
if (certAuthFile != null || !(ic.GetPropertyAsBool("IceSSL.UsePlatformCAs") ?? false))
{
_caCerts = new X509Certificate2Collection();
}
if (certAuthFile != null)
{
if (!CheckPath(ref certAuthFile))
{
throw new FileNotFoundException("IceSSL: CA certificate file not found: `{certAuthFile}'",
certAuthFile);
}
try
{
using FileStream fs = File.OpenRead(certAuthFile);
byte[] data = new byte[fs.Length];
fs.Read(data, 0, data.Length);
string strbuf = "";
try
{
strbuf = System.Text.Encoding.UTF8.GetString(data);
}
catch (Exception)
{
// Ignore
}
if (strbuf.Length == data.Length)
{
int size, startpos, endpos = 0;
bool first = true;
while (true)
{
startpos = strbuf.IndexOf("-----BEGIN CERTIFICATE-----", endpos);
if (startpos != -1)
{
endpos = strbuf.IndexOf("-----END CERTIFICATE-----", startpos);
size = endpos - startpos + "-----END CERTIFICATE-----".Length;
}
else if (first)
{
startpos = 0;
endpos = strbuf.Length;
size = strbuf.Length;
}
else
{
break;
}
byte[] cert = new byte[size];
Buffer.BlockCopy(data, startpos, cert, 0, size);
_caCerts !.Import(cert);
first = false;
}
}
else
{
_caCerts !.Import(data);
}
}
catch (Exception ex)
{
throw new InvalidConfigurationException(
$"IceSSL: error while attempting to load CA certificate from {certAuthFile}", ex);
}
}
}
_initialized = true;
}