// Note that unlike the C++ & Java implementation this returns unescaped data.
void parse(string value, List <List <RFC2253.RDNPair> > reject, List <List <RFC2253.RDNPair> > accept)
{
//
// As with the Java implementation, the DN that comes from
// the X500DistinguishedName does not necessarily match
// the user's input form. Therefore we need to normalize the
// data to match the C# forms.
//
List <RFC2253.RDNEntry> l = RFC2253.parse(value);
for (int i = 0; i < l.Count; ++i)
{
List <RFC2253.RDNPair> dn = l[i].rdn;
for (int j = 0; j < dn.Count; ++j)
{
RFC2253.RDNPair pair = dn[j];
// Normalize the RDN key.
if (pair.key == "emailAddress")
{
pair.key = "E";
}
else if (pair.key == "ST")
{
pair.key = "S";
}
// Unescape the value.
pair.value = RFC2253.unescape(pair.value);
dn[j] = pair;
}
if (l[i].negate)
{
reject.Add(l[i].rdn);
}
else
{
accept.Add(l[i].rdn);
}
}
}
internal bool verify(NativeConnectionInfo info)
{
List <List <List <RFC2253.RDNPair> > > reject = new List <List <List <RFC2253.RDNPair> > >(),
accept = new List <List <List <RFC2253.RDNPair> > >();
if (rejectAll_.Count != 0)
{
reject.Add(rejectAll_);
}
if (info.incoming)
{
if (rejectAllServer_.Count != 0)
{
reject.Add(rejectAllServer_);
}
if (info.adapterName.Length > 0)
{
List <List <RFC2253.RDNPair> > p = null;
if (rejectServer_.TryGetValue(info.adapterName, out p))
{
reject.Add(p);
}
}
}
else
{
if (rejectClient_.Count != 0)
{
reject.Add(rejectClient_);
}
}
if (acceptAll_.Count != 0)
{
accept.Add(acceptAll_);
}
if (info.incoming)
{
if (acceptAllServer_.Count != 0)
{
accept.Add(acceptAllServer_);
}
if (info.adapterName.Length > 0)
{
List <List <RFC2253.RDNPair> > p = null;
if (acceptServer_.TryGetValue(info.adapterName, out p))
{
accept.Add(p);
}
}
}
else
{
if (acceptClient_.Count != 0)
{
accept.Add(acceptClient_);
}
}
//
// If there is nothing to match against, then we accept the cert.
//
if (reject.Count == 0 && accept.Count == 0)
{
return(true);
}
//
// If there is no certificate then we match false.
//
if (info.nativeCerts != null && info.nativeCerts.Length > 0)
{
X500DistinguishedName subjectDN = info.nativeCerts[0].SubjectName;
string subjectName = subjectDN.Name;
Debug.Assert(subjectName != null);
try
{
//
// Decompose the subject DN into the RDNs.
//
if (traceLevel_ > 0)
{
if (info.incoming)
{
communicator_.getLogger().trace("Security", "trust manager evaluating client:\n" +
"subject = " + subjectName + "\n" +
"adapter = " + info.adapterName + "\n" +
"local addr = " + info.localAddress + ":" + info.localPort + "\n" +
"remote addr = " + info.remoteAddress + ":" + info.remotePort);
}
else
{
communicator_.getLogger().trace("Security", "trust manager evaluating server:\n" +
"subject = " + subjectName + "\n" +
"local addr = " + info.localAddress + ":" + info.localPort + "\n" +
"remote addr = " + info.remoteAddress + ":" + info.remotePort);
}
}
List <RFC2253.RDNPair> dn = RFC2253.parseStrict(subjectName);
//
// Unescape the DN. Note that this isn't done in
// the parser in order to keep the various RFC2253
// implementations as close as possible.
//
for (int i = 0; i < dn.Count; ++i)
{
RFC2253.RDNPair p = dn[i];
p.value = RFC2253.unescape(p.value);
dn[i] = p;
}
//
// Fail if we match anything in the reject set.
//
foreach (List <List <RFC2253.RDNPair> > matchSet in reject)
{
if (traceLevel_ > 0)
{
StringBuilder s = new StringBuilder("trust manager rejecting PDNs:\n");
stringify(matchSet, s);
communicator_.getLogger().trace("Security", s.ToString());
}
if (match(matchSet, dn))
{
return(false);
}
}
//
// Succeed if we match anything in the accept set.
//
foreach (List <List <RFC2253.RDNPair> > matchSet in accept)
{
if (traceLevel_ > 0)
{
StringBuilder s = new StringBuilder("trust manager accepting PDNs:\n");
stringify(matchSet, s);
communicator_.getLogger().trace("Security", s.ToString());
}
if (match(matchSet, dn))
{
return(true);
}
}
}
catch (RFC2253.ParseException e)
{
communicator_.getLogger().warning(
"IceSSL: unable to parse certificate DN `" + subjectName + "'\nreason: " + e.reason);
}
//
// At this point we accept the connection if there are no explicit accept rules.
//
return(accept.Count == 0);
}
return(false);
}
internal bool Verify(IceSSL.ConnectionInfo info, string desc)
{
List <List <List <RFC2253.RDNPair> > > reject = new List <List <List <RFC2253.RDNPair> > >(),
accept = new List <List <List <RFC2253.RDNPair> > >();
if (_rejectAll.Count != 0)
{
reject.Add(_rejectAll);
}
if (info.Incoming)
{
if (_rejectAllServer.Count != 0)
{
reject.Add(_rejectAllServer);
}
if (info.AdapterName !.Length > 0)
{
if (_rejectServer.TryGetValue(info.AdapterName, out List <List <RFC2253.RDNPair> >?p))
{
reject.Add(p);
}
}
}
else
{
if (_rejectClient.Count != 0)
{
reject.Add(_rejectClient);
}
}
if (_acceptAll.Count != 0)
{
accept.Add(_acceptAll);
}
if (info.Incoming)
{
if (_acceptAllServer.Count != 0)
{
accept.Add(_acceptAllServer);
}
if (info.AdapterName !.Length > 0)
{
if (_acceptServer.TryGetValue(info.AdapterName, out List <List <RFC2253.RDNPair> >?p))
{
accept.Add(p);
}
}
}
else
{
if (_acceptClient.Count != 0)
{
accept.Add(_acceptClient);
}
}
//
// If there is nothing to match against, then we accept the cert.
//
if (reject.Count == 0 && accept.Count == 0)
{
return(true);
}
//
// If there is no certificate then we match false.
//
if (info.Certs != null && info.Certs.Length > 0)
{
X500DistinguishedName subjectDN = info.Certs[0].SubjectName;
string subjectName = subjectDN.Name;
Debug.Assert(subjectName != null);
try
{
//
// Decompose the subject DN into the RDNs.
//
if (_traceLevel > 0)
{
if (info.Incoming)
{
_communicator.Logger.Trace("Security", "trust manager evaluating client:\n" +
"subject = " + subjectName + "\n" + "adapter = " + info.AdapterName + "\n" + desc);
}
else
{
_communicator.Logger.Trace("Security", "trust manager evaluating server:\n" +
"subject = " + subjectName + "\n" + desc);
}
}
List <RFC2253.RDNPair> dn = RFC2253.ParseStrict(subjectName);
//
// Unescape the DN. Note that this isn't done in
// the parser in order to keep the various RFC2253
// implementations as close as possible.
//
for (int i = 0; i < dn.Count; ++i)
{
RFC2253.RDNPair p = dn[i];
p.Value = RFC2253.Unescape(p.Value);
dn[i] = p;
}
//
// Fail if we match anything in the reject set.
//
foreach (List <List <RFC2253.RDNPair> > matchSet in reject)
{
if (_traceLevel > 0)
{
var s = new StringBuilder("trust manager rejecting PDNs:\n");
Stringify(matchSet, s);
_communicator.Logger.Trace("Security", s.ToString());
}
if (Match(matchSet, dn))
{
return(false);
}
}
//
// Succeed if we match anything in the accept set.
//
foreach (List <List <RFC2253.RDNPair> > matchSet in accept)
{
if (_traceLevel > 0)
{
var s = new StringBuilder("trust manager accepting PDNs:\n");
Stringify(matchSet, s);
_communicator.Logger.Trace("Security", s.ToString());
}
if (Match(matchSet, dn))
{
return(true);
}
}
}
catch (FormatException e)
{
_communicator.Logger.Warning(
$"IceSSL: unable to parse certificate DN `{subjectName}'\nreason: {e.Message}");
}
//
// At this point we accept the connection if there are no explicit accept rules.
//
return(accept.Count == 0);
}
return(false);
}