internal bool Verify(IceSSL.ConnectionInfo info, string desc) { List <List <List <RFC2253.RDNPair> > > reject = new List <List <List <RFC2253.RDNPair> > >(), accept = new List <List <List <RFC2253.RDNPair> > >(); if (_rejectAll.Count != 0) { reject.Add(_rejectAll); } if (info.Incoming) { if (_rejectAllServer.Count != 0) { reject.Add(_rejectAllServer); } if (info.AdapterName !.Length > 0) { if (_rejectServer.TryGetValue(info.AdapterName, out List <List <RFC2253.RDNPair> >?p)) { reject.Add(p); } } } else { if (_rejectClient.Count != 0) { reject.Add(_rejectClient); } } if (_acceptAll.Count != 0) { accept.Add(_acceptAll); } if (info.Incoming) { if (_acceptAllServer.Count != 0) { accept.Add(_acceptAllServer); } if (info.AdapterName !.Length > 0) { if (_acceptServer.TryGetValue(info.AdapterName, out List <List <RFC2253.RDNPair> >?p)) { accept.Add(p); } } } else { if (_acceptClient.Count != 0) { accept.Add(_acceptClient); } } // // If there is nothing to match against, then we accept the cert. // if (reject.Count == 0 && accept.Count == 0) { return(true); } // // If there is no certificate then we match false. // if (info.Certs != null && info.Certs.Length > 0) { X500DistinguishedName subjectDN = info.Certs[0].SubjectName; string subjectName = subjectDN.Name; Debug.Assert(subjectName != null); try { // // Decompose the subject DN into the RDNs. // if (_traceLevel > 0) { if (info.Incoming) { _communicator.Logger.Trace("Security", "trust manager evaluating client:\n" + "subject = " + subjectName + "\n" + "adapter = " + info.AdapterName + "\n" + desc); } else { _communicator.Logger.Trace("Security", "trust manager evaluating server:\n" + "subject = " + subjectName + "\n" + desc); } } List <RFC2253.RDNPair> dn = RFC2253.ParseStrict(subjectName); // // Unescape the DN. Note that this isn't done in // the parser in order to keep the various RFC2253 // implementations as close as possible. // for (int i = 0; i < dn.Count; ++i) { RFC2253.RDNPair p = dn[i]; p.Value = RFC2253.Unescape(p.Value); dn[i] = p; } // // Fail if we match anything in the reject set. // foreach (List <List <RFC2253.RDNPair> > matchSet in reject) { if (_traceLevel > 0) { var s = new StringBuilder("trust manager rejecting PDNs:\n"); Stringify(matchSet, s); _communicator.Logger.Trace("Security", s.ToString()); } if (Match(matchSet, dn)) { return(false); } } // // Succeed if we match anything in the accept set. // foreach (List <List <RFC2253.RDNPair> > matchSet in accept) { if (_traceLevel > 0) { var s = new StringBuilder("trust manager accepting PDNs:\n"); Stringify(matchSet, s); _communicator.Logger.Trace("Security", s.ToString()); } if (Match(matchSet, dn)) { return(true); } } } catch (FormatException e) { _communicator.Logger.Warning( $"IceSSL: unable to parse certificate DN `{subjectName}'\nreason: {e.Message}"); } // // At this point we accept the connection if there are no explicit accept rules. // return(accept.Count == 0); } return(false); }