| | | 1 | | // Copyright (c) ZeroC, Inc. |
| | | 2 | | |
| | | 3 | | using Ice.Internal; |
| | | 4 | | using System.Diagnostics; |
| | | 5 | | using System.Net.Security; |
| | | 6 | | using System.Security; |
| | | 7 | | using System.Security.Cryptography; |
| | | 8 | | using System.Security.Cryptography.X509Certificates; |
| | | 9 | | using System.Text; |
| | | 10 | | |
| | | 11 | | namespace Ice.SSL; |
| | | 12 | | |
| | | 13 | | internal class SSLEngine |
| | | 14 | | { |
| | 1 | 15 | | internal SSLEngine(Ice.Communicator communicator) |
| | | 16 | | { |
| | 1 | 17 | | _communicator = communicator; |
| | 1 | 18 | | _logger = communicator.getLogger(); |
| | 1 | 19 | | _securityTraceLevel = _communicator.getProperties().getIcePropertyAsInt("IceSSL.Trace.Security"); |
| | 1 | 20 | | _securityTraceCategory = "Security"; |
| | 1 | 21 | | _trustManager = new TrustManager(_communicator); |
| | 1 | 22 | | } |
| | | 23 | | |
| | | 24 | | internal void initialize() |
| | | 25 | | { |
| | 1 | 26 | | Ice.Properties properties = communicator().getProperties(); |
| | | 27 | | |
| | | 28 | | // Check for a default directory. We look in this directory for files mentioned in the configuration. |
| | 1 | 29 | | _defaultDir = properties.getIceProperty("IceSSL.DefaultDir"); |
| | | 30 | | |
| | 1 | 31 | | _verifyPeer = properties.getIcePropertyAsInt("IceSSL.VerifyPeer"); |
| | 1 | 32 | | if (_verifyPeer < 0 || _verifyPeer > 2) |
| | | 33 | | { |
| | 0 | 34 | | throw new Ice.InitializationException("SSL transport: invalid value for IceSSL.VerifyPeer"); |
| | | 35 | | } |
| | | 36 | | |
| | | 37 | | // CheckCRL determines whether the certificate revocation list is checked, and how strictly. |
| | 1 | 38 | | _checkCRL = properties.getIcePropertyAsInt("IceSSL.CheckCRL"); |
| | | 39 | | |
| | 1 | 40 | | string certStoreLocation = properties.getIceProperty("IceSSL.CertStoreLocation"); |
| | | 41 | | StoreLocation storeLocation; |
| | 1 | 42 | | if (certStoreLocation == "CurrentUser") |
| | | 43 | | { |
| | 1 | 44 | | storeLocation = StoreLocation.CurrentUser; |
| | | 45 | | } |
| | 0 | 46 | | else if (certStoreLocation == "LocalMachine") |
| | | 47 | | { |
| | 0 | 48 | | storeLocation = StoreLocation.LocalMachine; |
| | | 49 | | } |
| | | 50 | | else |
| | | 51 | | { |
| | 0 | 52 | | _logger.warning( |
| | 0 | 53 | | "Invalid IceSSL.CertStoreLocation value `" + certStoreLocation + "' adjusted to `CurrentUser'"); |
| | 0 | 54 | | storeLocation = StoreLocation.CurrentUser; |
| | | 55 | | } |
| | 1 | 56 | | _useMachineContext = certStoreLocation == "LocalMachine"; |
| | | 57 | | |
| | | 58 | | // CheckCertName determines whether we compare the name in a peer's certificate against its hostname. |
| | 1 | 59 | | _checkCertName = properties.getIcePropertyAsInt("IceSSL.CheckCertName") > 0; |
| | | 60 | | |
| | | 61 | | Debug.Assert(_certs == null); |
| | | 62 | | // If IceSSL.CertFile is defined, load a certificate from a file and add it to the collection. |
| | 1 | 63 | | _certs = []; |
| | 1 | 64 | | string certFile = properties.getIceProperty("IceSSL.CertFile"); |
| | 1 | 65 | | string passwordStr = properties.getIceProperty("IceSSL.Password"); |
| | 1 | 66 | | string findCert = properties.getIceProperty("IceSSL.FindCert"); |
| | | 67 | | |
| | 1 | 68 | | if (certFile.Length > 0) |
| | | 69 | | { |
| | 1 | 70 | | if (!checkPath(ref certFile)) |
| | | 71 | | { |
| | 0 | 72 | | throw new Ice.InitializationException($"IceSSL: certificate file not found: {certFile}"); |
| | | 73 | | } |
| | | 74 | | |
| | | 75 | | try |
| | | 76 | | { |
| | | 77 | | X509Certificate2 cert; |
| | | 78 | | X509KeyStorageFlags importFlags; |
| | 1 | 79 | | if (_useMachineContext) |
| | | 80 | | { |
| | 0 | 81 | | importFlags = X509KeyStorageFlags.MachineKeySet; |
| | | 82 | | } |
| | | 83 | | else |
| | | 84 | | { |
| | 1 | 85 | | importFlags = X509KeyStorageFlags.UserKeySet; |
| | | 86 | | } |
| | | 87 | | |
| | 1 | 88 | | if (passwordStr.Length > 0) |
| | | 89 | | { |
| | 1 | 90 | | using SecureString password = createSecureString(passwordStr); |
| | 1 | 91 | | cert = new X509Certificate2(certFile, password, importFlags); |
| | | 92 | | } |
| | | 93 | | else |
| | | 94 | | { |
| | 1 | 95 | | cert = new X509Certificate2(certFile, (string)null, importFlags); |
| | | 96 | | } |
| | 1 | 97 | | _certs.Add(cert); |
| | 1 | 98 | | } |
| | 0 | 99 | | catch (CryptographicException ex) |
| | | 100 | | { |
| | 0 | 101 | | throw new Ice.InitializationException( |
| | 0 | 102 | | $"IceSSL: error while attempting to load certificate from {certFile}", |
| | 0 | 103 | | ex); |
| | | 104 | | } |
| | | 105 | | } |
| | 1 | 106 | | else if (findCert.Length > 0) |
| | | 107 | | { |
| | 1 | 108 | | string certStore = properties.getIceProperty("IceSSL.CertStore"); |
| | 1 | 109 | | _certs.AddRange(findCertificates("IceSSL.FindCert", storeLocation, certStore, findCert)); |
| | 1 | 110 | | if (_certs.Count == 0) |
| | | 111 | | { |
| | 1 | 112 | | throw new Ice.InitializationException("IceSSL: no certificates found"); |
| | | 113 | | } |
| | | 114 | | } |
| | | 115 | | |
| | | 116 | | Debug.Assert(_caCerts == null); |
| | 1 | 117 | | string certAuthFile = properties.getIceProperty("IceSSL.CAs"); |
| | 1 | 118 | | if (certAuthFile.Length > 0 || properties.getIcePropertyAsInt("IceSSL.UsePlatformCAs") <= 0) |
| | | 119 | | { |
| | 1 | 120 | | _caCerts = []; |
| | | 121 | | } |
| | | 122 | | |
| | 1 | 123 | | if (certAuthFile.Length > 0) |
| | | 124 | | { |
| | 1 | 125 | | if (!checkPath(ref certAuthFile)) |
| | | 126 | | { |
| | 0 | 127 | | throw new Ice.InitializationException($"IceSSL: CA certificate file not found: {certAuthFile}"); |
| | | 128 | | } |
| | | 129 | | try |
| | | 130 | | { |
| | | 131 | | try |
| | | 132 | | { |
| | | 133 | | // First try to import as a PEM file, which supports importing multiple certificates from a PEM |
| | | 134 | | // encoded file |
| | 1 | 135 | | _caCerts.ImportFromPemFile(certAuthFile); |
| | 1 | 136 | | } |
| | 0 | 137 | | catch (CryptographicException) |
| | | 138 | | { |
| | | 139 | | // Expected if the file is not in PEM format. |
| | 0 | 140 | | } |
| | | 141 | | |
| | 1 | 142 | | if (_caCerts.Count == 0) |
| | | 143 | | { |
| | | 144 | | // Fallback to Import which handles DER/PFX. |
| | 1 | 145 | | _caCerts.Import(certAuthFile); |
| | | 146 | | } |
| | 1 | 147 | | } |
| | 0 | 148 | | catch (Exception ex) |
| | | 149 | | { |
| | 0 | 150 | | throw new Ice.InitializationException( |
| | 0 | 151 | | $"IceSSL: error while attempting to load CA certificate from {certAuthFile}", |
| | 0 | 152 | | ex); |
| | | 153 | | } |
| | | 154 | | } |
| | 1 | 155 | | } |
| | | 156 | | |
| | 0 | 157 | | internal bool useMachineContext() => _useMachineContext; |
| | | 158 | | |
| | 0 | 159 | | internal X509Certificate2Collection caCerts() => _caCerts; |
| | | 160 | | |
| | 1 | 161 | | internal Ice.Communicator communicator() => _communicator; |
| | | 162 | | |
| | 1 | 163 | | internal int securityTraceLevel() => _securityTraceLevel; |
| | | 164 | | |
| | 1 | 165 | | internal string securityTraceCategory() => _securityTraceCategory; |
| | | 166 | | |
| | 1 | 167 | | internal X509Certificate2Collection certs() => _certs; |
| | | 168 | | |
| | | 169 | | internal void traceStream(SslStream stream, string connInfo) |
| | | 170 | | { |
| | 0 | 171 | | var s = new StringBuilder(); |
| | 0 | 172 | | s.Append("SSL connection summary"); |
| | 0 | 173 | | if (connInfo.Length > 0) |
| | | 174 | | { |
| | 0 | 175 | | s.Append('\n'); |
| | 0 | 176 | | s.Append(connInfo); |
| | | 177 | | } |
| | 0 | 178 | | s.Append("\nauthenticated = " + (stream.IsAuthenticated ? "yes" : "no")); |
| | 0 | 179 | | s.Append("\nencrypted = " + (stream.IsEncrypted ? "yes" : "no")); |
| | 0 | 180 | | s.Append("\nsigned = " + (stream.IsSigned ? "yes" : "no")); |
| | 0 | 181 | | s.Append("\nmutually authenticated = " + (stream.IsMutuallyAuthenticated ? "yes" : "no")); |
| | 0 | 182 | | s.Append("\ncipher = " + stream.NegotiatedCipherSuite); |
| | 0 | 183 | | s.Append("\nprotocol = " + stream.SslProtocol); |
| | 0 | 184 | | _logger.trace(_securityTraceCategory, s.ToString()); |
| | 0 | 185 | | } |
| | | 186 | | |
| | | 187 | | internal void verifyPeer(ConnectionInfo info, string description) |
| | | 188 | | { |
| | 1 | 189 | | if (!_trustManager.verify(info, description)) |
| | | 190 | | { |
| | 1 | 191 | | string msg = (info.incoming ? "incoming" : "outgoing") + " connection rejected by trust manager\n" + |
| | 1 | 192 | | description; |
| | 1 | 193 | | if (_securityTraceLevel >= 1) |
| | | 194 | | { |
| | 0 | 195 | | _logger.trace(_securityTraceCategory, msg); |
| | | 196 | | } |
| | | 197 | | |
| | 1 | 198 | | throw new SecurityException($"IceSSL: {msg}"); |
| | | 199 | | } |
| | 1 | 200 | | } |
| | | 201 | | |
| | | 202 | | internal SslClientAuthenticationOptions createClientAuthenticationOptions( |
| | | 203 | | RemoteCertificateValidationCallback remoteCertificateValidationCallback, |
| | | 204 | | string host) |
| | | 205 | | { |
| | 1 | 206 | | var authenticationOptions = new SslClientAuthenticationOptions |
| | 1 | 207 | | { |
| | 1 | 208 | | ClientCertificates = _certs, |
| | 1 | 209 | | LocalCertificateSelectionCallback = (sender, targetHost, certs, remoteCertificate, acceptableIssuers) => |
| | 1 | 210 | | { |
| | 1 | 211 | | if (certs == null || certs.Count == 0) |
| | 1 | 212 | | { |
| | 1 | 213 | | return null; |
| | 1 | 214 | | } |
| | 1 | 215 | | else if (certs.Count == 1) |
| | 1 | 216 | | { |
| | 1 | 217 | | return certs[0]; |
| | 1 | 218 | | } |
| | 1 | 219 | | |
| | 1 | 220 | | // Use the first certificate that match the acceptable issuers. |
| | 0 | 221 | | if (acceptableIssuers != null && acceptableIssuers.Length > 0) |
| | 1 | 222 | | { |
| | 0 | 223 | | foreach (X509Certificate certificate in certs) |
| | 1 | 224 | | { |
| | 0 | 225 | | if (Array.IndexOf(acceptableIssuers, certificate.Issuer) != -1) |
| | 1 | 226 | | { |
| | 0 | 227 | | return certificate; |
| | 1 | 228 | | } |
| | 1 | 229 | | } |
| | 1 | 230 | | } |
| | 0 | 231 | | return certs[0]; |
| | 0 | 232 | | }, |
| | 1 | 233 | | RemoteCertificateValidationCallback = remoteCertificateValidationCallback, |
| | 1 | 234 | | TargetHost = host, |
| | 1 | 235 | | }; |
| | | 236 | | |
| | 1 | 237 | | authenticationOptions.CertificateChainPolicy = new X509ChainPolicy(); |
| | 1 | 238 | | if (_caCerts is null) |
| | | 239 | | { |
| | 0 | 240 | | authenticationOptions.CertificateChainPolicy.TrustMode = X509ChainTrustMode.System; |
| | | 241 | | } |
| | | 242 | | else |
| | | 243 | | { |
| | 1 | 244 | | authenticationOptions.CertificateChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; |
| | 1 | 245 | | foreach (X509Certificate certificate in _caCerts) |
| | | 246 | | { |
| | 1 | 247 | | authenticationOptions.CertificateChainPolicy.CustomTrustStore.Add(certificate); |
| | | 248 | | } |
| | | 249 | | } |
| | | 250 | | |
| | 1 | 251 | | if (!_checkCertName) |
| | | 252 | | { |
| | 1 | 253 | | authenticationOptions.CertificateChainPolicy.VerificationFlags |= X509VerificationFlags.IgnoreInvalidName; |
| | | 254 | | } |
| | | 255 | | |
| | 1 | 256 | | if (_checkCRL == 1) |
| | | 257 | | { |
| | 0 | 258 | | authenticationOptions.CertificateChainPolicy.VerificationFlags |= |
| | 0 | 259 | | X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown; |
| | | 260 | | } |
| | 1 | 261 | | authenticationOptions.CertificateChainPolicy.RevocationMode = |
| | 1 | 262 | | _checkCRL == 0 ? X509RevocationMode.NoCheck : X509RevocationMode.Online; |
| | 1 | 263 | | return authenticationOptions; |
| | | 264 | | } |
| | | 265 | | |
| | | 266 | | internal SslServerAuthenticationOptions createServerAuthenticationOptions( |
| | | 267 | | RemoteCertificateValidationCallback remoteCertificateValidationCallback) |
| | | 268 | | { |
| | | 269 | | // Get the certificate collection and select the first one. |
| | 1 | 270 | | X509Certificate2 cert = null; |
| | 1 | 271 | | if (_certs.Count > 0) |
| | | 272 | | { |
| | 1 | 273 | | cert = _certs[0]; |
| | | 274 | | } |
| | | 275 | | |
| | 1 | 276 | | var authenticationOptions = new SslServerAuthenticationOptions |
| | 1 | 277 | | { |
| | 1 | 278 | | ServerCertificate = cert, |
| | 1 | 279 | | ClientCertificateRequired = _verifyPeer > 0, |
| | 1 | 280 | | RemoteCertificateValidationCallback = remoteCertificateValidationCallback, |
| | 1 | 281 | | }; |
| | | 282 | | |
| | 1 | 283 | | authenticationOptions.CertificateChainPolicy = new X509ChainPolicy(); |
| | 1 | 284 | | if (_caCerts is null) |
| | | 285 | | { |
| | 0 | 286 | | authenticationOptions.CertificateChainPolicy.TrustMode = X509ChainTrustMode.System; |
| | | 287 | | } |
| | | 288 | | else |
| | | 289 | | { |
| | 1 | 290 | | authenticationOptions.CertificateChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; |
| | 1 | 291 | | foreach (X509Certificate certificate in _caCerts) |
| | | 292 | | { |
| | 1 | 293 | | authenticationOptions.CertificateChainPolicy.CustomTrustStore.Add(certificate); |
| | | 294 | | } |
| | | 295 | | } |
| | 1 | 296 | | authenticationOptions.CertificateChainPolicy.RevocationMode = |
| | 1 | 297 | | _checkCRL == 0 ? X509RevocationMode.NoCheck : X509RevocationMode.Online; |
| | 1 | 298 | | if (_checkCRL == 1) |
| | | 299 | | { |
| | 0 | 300 | | authenticationOptions.CertificateChainPolicy.VerificationFlags |= |
| | 0 | 301 | | X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown; |
| | | 302 | | } |
| | 1 | 303 | | return authenticationOptions; |
| | | 304 | | } |
| | | 305 | | |
| | | 306 | | private static bool isAbsolutePath(string path) |
| | | 307 | | { |
| | | 308 | | // Skip whitespace |
| | 1 | 309 | | path = path.Trim(); |
| | 1 | 310 | | if (path.Length == 0) |
| | | 311 | | { |
| | 0 | 312 | | return false; |
| | | 313 | | } |
| | | 314 | | |
| | 1 | 315 | | if (AssemblyUtil.isWindows) |
| | | 316 | | { |
| | | 317 | | // We need at least 3 non-whitespace characters to have an absolute path |
| | 0 | 318 | | if (path.Length < 3) |
| | | 319 | | { |
| | 0 | 320 | | return false; |
| | | 321 | | } |
| | | 322 | | |
| | | 323 | | // Check for X:\ path ('\' may have been converted to '/') |
| | 0 | 324 | | if ((path[0] >= 'A' && path[0] <= 'Z') || (path[0] >= 'a' && path[0] <= 'z')) |
| | | 325 | | { |
| | 0 | 326 | | return path[1] == ':' && (path[2] == '\\' || path[2] == '/'); |
| | | 327 | | } |
| | | 328 | | } |
| | | 329 | | // Check for UNC path or Unix absolute path |
| | 1 | 330 | | return (path.Length >= 2 && path[0] == '\\' && path[1] == '\\') || path[0] == '/'; |
| | | 331 | | } |
| | | 332 | | |
| | | 333 | | private static X509Certificate2Collection findCertificates( |
| | | 334 | | string prop, |
| | | 335 | | StoreLocation storeLocation, |
| | | 336 | | string name, |
| | | 337 | | string value) |
| | | 338 | | { |
| | | 339 | | // Open the X509 certificate store. |
| | | 340 | | X509Store store; |
| | | 341 | | try |
| | | 342 | | { |
| | | 343 | | try |
| | | 344 | | { |
| | 1 | 345 | | store = new X509Store(Enum.Parse<StoreName>(name, true), storeLocation); |
| | 1 | 346 | | } |
| | 0 | 347 | | catch (ArgumentException) |
| | | 348 | | { |
| | 0 | 349 | | store = new X509Store(name, storeLocation); |
| | 0 | 350 | | } |
| | 1 | 351 | | store.Open(OpenFlags.ReadOnly); |
| | 1 | 352 | | } |
| | 0 | 353 | | catch (Exception ex) |
| | | 354 | | { |
| | 0 | 355 | | throw new Ice.InitializationException($"IceSSL: failure while opening store specified by {prop}", ex); |
| | | 356 | | } |
| | | 357 | | |
| | | 358 | | // Start with all of the certificates in the collection and filter as necessary. |
| | | 359 | | // |
| | | 360 | | // - If the value is "*", return all certificates. |
| | | 361 | | // - Otherwise, search using key:value pairs. The following keys are supported: |
| | | 362 | | // |
| | | 363 | | // Issuer |
| | | 364 | | // IssuerDN |
| | | 365 | | // Serial |
| | | 366 | | // Subject |
| | | 367 | | // SubjectDN |
| | | 368 | | // SubjectKeyId |
| | | 369 | | // Thumbprint |
| | | 370 | | // |
| | | 371 | | // A value must be enclosed in single or double quotes if it contains whitespace. |
| | 1 | 372 | | X509Certificate2Collection result = [.. store.Certificates]; |
| | | 373 | | try |
| | | 374 | | { |
| | 1 | 375 | | if (value != "*") |
| | | 376 | | { |
| | 1 | 377 | | if (!value.Contains(':', StringComparison.Ordinal)) |
| | | 378 | | { |
| | 1 | 379 | | throw new Ice.InitializationException($"IceSSL: no key in `{value}'"); |
| | | 380 | | } |
| | 1 | 381 | | int start = 0; |
| | | 382 | | int pos; |
| | 1 | 383 | | while ((pos = value.IndexOf(':', start)) != -1) |
| | | 384 | | { |
| | | 385 | | // Parse the X509FindType. |
| | 1 | 386 | | string field = value[start..pos].Trim().ToUpperInvariant(); |
| | | 387 | | X509FindType findType; |
| | 1 | 388 | | if (field == "SUBJECT") |
| | | 389 | | { |
| | 1 | 390 | | findType = X509FindType.FindBySubjectName; |
| | | 391 | | } |
| | 1 | 392 | | else if (field == "SUBJECTDN") |
| | | 393 | | { |
| | 1 | 394 | | findType = X509FindType.FindBySubjectDistinguishedName; |
| | | 395 | | } |
| | 1 | 396 | | else if (field == "ISSUER") |
| | | 397 | | { |
| | 1 | 398 | | findType = X509FindType.FindByIssuerName; |
| | | 399 | | } |
| | 1 | 400 | | else if (field == "ISSUERDN") |
| | | 401 | | { |
| | 1 | 402 | | findType = X509FindType.FindByIssuerDistinguishedName; |
| | | 403 | | } |
| | 1 | 404 | | else if (field == "THUMBPRINT") |
| | | 405 | | { |
| | 1 | 406 | | findType = X509FindType.FindByThumbprint; |
| | | 407 | | } |
| | 1 | 408 | | else if (field == "SUBJECTKEYID") |
| | | 409 | | { |
| | 1 | 410 | | findType = X509FindType.FindBySubjectKeyIdentifier; |
| | | 411 | | } |
| | 1 | 412 | | else if (field == "SERIAL") |
| | | 413 | | { |
| | 1 | 414 | | findType = X509FindType.FindBySerialNumber; |
| | | 415 | | } |
| | | 416 | | else |
| | | 417 | | { |
| | 1 | 418 | | throw new Ice.InitializationException($"IceSSL: unknown key in `{value}'"); |
| | | 419 | | } |
| | | 420 | | |
| | | 421 | | // Parse the argument. |
| | 1 | 422 | | start = pos + 1; |
| | 1 | 423 | | while (start < value.Length && (value[start] == ' ' || value[start] == '\t')) |
| | | 424 | | { |
| | 0 | 425 | | ++start; |
| | | 426 | | } |
| | | 427 | | |
| | 1 | 428 | | if (start == value.Length) |
| | | 429 | | { |
| | 0 | 430 | | throw new Ice.InitializationException($"IceSSL: missing argument in `{value}'"); |
| | | 431 | | } |
| | | 432 | | |
| | | 433 | | string arg; |
| | 1 | 434 | | if (value[start] == '"' || value[start] == '\'') |
| | | 435 | | { |
| | 1 | 436 | | int end = start; |
| | 1 | 437 | | ++end; |
| | 1 | 438 | | while (end < value.Length) |
| | | 439 | | { |
| | 1 | 440 | | if (value[end] == value[start] && value[end - 1] != '\\') |
| | | 441 | | { |
| | | 442 | | break; |
| | | 443 | | } |
| | 1 | 444 | | ++end; |
| | | 445 | | } |
| | 1 | 446 | | if (end == value.Length || value[end] != value[start]) |
| | | 447 | | { |
| | 0 | 448 | | throw new Ice.InitializationException($"IceSSL: unmatched quote in `{value}'"); |
| | | 449 | | } |
| | 1 | 450 | | ++start; |
| | 1 | 451 | | arg = value[start..end]; |
| | 1 | 452 | | start = end + 1; |
| | | 453 | | } |
| | | 454 | | else |
| | | 455 | | { |
| | 1 | 456 | | char[] ws = [' ', '\t']; |
| | 1 | 457 | | int end = value.IndexOfAny(ws, start); |
| | 1 | 458 | | if (end == -1) |
| | | 459 | | { |
| | 1 | 460 | | arg = value[start..]; |
| | 1 | 461 | | start = value.Length; |
| | | 462 | | } |
| | | 463 | | else |
| | | 464 | | { |
| | 1 | 465 | | arg = value[start..end]; |
| | 1 | 466 | | start = end + 1; |
| | | 467 | | } |
| | | 468 | | } |
| | | 469 | | |
| | | 470 | | // Execute the query. |
| | | 471 | | // |
| | | 472 | | // TODO: allow user to specify a value for validOnly? |
| | 1 | 473 | | bool validOnly = false; |
| | 1 | 474 | | if (findType == X509FindType.FindBySubjectDistinguishedName || |
| | 1 | 475 | | findType == X509FindType.FindByIssuerDistinguishedName) |
| | | 476 | | { |
| | 1 | 477 | | X500DistinguishedNameFlags[] flags = [ |
| | 1 | 478 | | X500DistinguishedNameFlags.None, |
| | 1 | 479 | | X500DistinguishedNameFlags.Reversed, |
| | 1 | 480 | | ]; |
| | 1 | 481 | | var dn = new X500DistinguishedName(arg); |
| | 1 | 482 | | X509Certificate2Collection r = result; |
| | 1 | 483 | | for (int i = 0; i < flags.Length; ++i) |
| | | 484 | | { |
| | 1 | 485 | | r = result.Find(findType, dn.Decode(flags[i]), validOnly); |
| | 1 | 486 | | if (r.Count > 0) |
| | | 487 | | { |
| | | 488 | | break; |
| | | 489 | | } |
| | | 490 | | } |
| | 1 | 491 | | result = r; |
| | | 492 | | } |
| | | 493 | | else |
| | | 494 | | { |
| | 1 | 495 | | result = result.Find(findType, arg, validOnly); |
| | | 496 | | } |
| | | 497 | | } |
| | | 498 | | } |
| | 1 | 499 | | } |
| | | 500 | | finally |
| | | 501 | | { |
| | 1 | 502 | | store.Close(); |
| | 1 | 503 | | } |
| | | 504 | | |
| | 1 | 505 | | return result; |
| | | 506 | | } |
| | | 507 | | |
| | | 508 | | private static SecureString createSecureString(string s) |
| | | 509 | | { |
| | 1 | 510 | | var result = new SecureString(); |
| | 1 | 511 | | foreach (char ch in s) |
| | | 512 | | { |
| | 1 | 513 | | result.AppendChar(ch); |
| | | 514 | | } |
| | 1 | 515 | | return result; |
| | | 516 | | } |
| | | 517 | | |
| | | 518 | | private bool checkPath(ref string path) |
| | | 519 | | { |
| | 1 | 520 | | if (File.Exists(path)) |
| | | 521 | | { |
| | 0 | 522 | | return true; |
| | | 523 | | } |
| | | 524 | | |
| | 1 | 525 | | if (_defaultDir.Length > 0 && !isAbsolutePath(path)) |
| | | 526 | | { |
| | 1 | 527 | | string s = _defaultDir + Path.DirectorySeparatorChar + path; |
| | 1 | 528 | | if (File.Exists(s)) |
| | | 529 | | { |
| | 1 | 530 | | path = s; |
| | 1 | 531 | | return true; |
| | | 532 | | } |
| | | 533 | | } |
| | 0 | 534 | | return false; |
| | | 535 | | } |
| | | 536 | | |
| | | 537 | | private readonly Ice.Communicator _communicator; |
| | | 538 | | private readonly Ice.Logger _logger; |
| | | 539 | | private readonly int _securityTraceLevel; |
| | | 540 | | private readonly string _securityTraceCategory; |
| | | 541 | | private string _defaultDir; |
| | | 542 | | private bool _checkCertName; |
| | | 543 | | private int _verifyPeer; |
| | | 544 | | private int _checkCRL; |
| | | 545 | | private X509Certificate2Collection _certs; |
| | | 546 | | private bool _useMachineContext; |
| | | 547 | | private X509Certificate2Collection _caCerts; |
| | | 548 | | private readonly TrustManager _trustManager; |
| | | 549 | | } |