| | | 1 | | // Copyright (c) ZeroC, Inc. |
| | | 2 | | |
| | | 3 | | using Ice.Internal; |
| | | 4 | | using System.Diagnostics; |
| | | 5 | | using System.Net.Security; |
| | | 6 | | using System.Security; |
| | | 7 | | using System.Security.Cryptography; |
| | | 8 | | using System.Security.Cryptography.X509Certificates; |
| | | 9 | | using System.Text; |
| | | 10 | | |
| | | 11 | | namespace Ice.SSL; |
| | | 12 | | |
| | | 13 | | internal class SSLEngine |
| | | 14 | | { |
| | 1 | 15 | | internal SSLEngine(Ice.Communicator communicator) |
| | | 16 | | { |
| | 1 | 17 | | _communicator = communicator; |
| | 1 | 18 | | _logger = communicator.getLogger(); |
| | 1 | 19 | | _securityTraceLevel = _communicator.getProperties().getIcePropertyAsInt("IceSSL.Trace.Security"); |
| | 1 | 20 | | _securityTraceCategory = "Security"; |
| | 1 | 21 | | _trustManager = new TrustManager(_communicator); |
| | 1 | 22 | | } |
| | | 23 | | |
| | | 24 | | internal void initialize() |
| | | 25 | | { |
| | 1 | 26 | | Ice.Properties properties = communicator().getProperties(); |
| | | 27 | | |
| | | 28 | | // Check for a default directory. We look in this directory for files mentioned in the configuration. |
| | 1 | 29 | | _defaultDir = properties.getIceProperty("IceSSL.DefaultDir"); |
| | | 30 | | |
| | 1 | 31 | | _verifyPeer = properties.getIcePropertyAsInt("IceSSL.VerifyPeer"); |
| | | 32 | | |
| | | 33 | | // CheckCRL determines whether the certificate revocation list is checked, and how strictly. |
| | 1 | 34 | | _checkCRL = properties.getIcePropertyAsInt("IceSSL.CheckCRL"); |
| | | 35 | | |
| | 1 | 36 | | string certStoreLocation = properties.getIceProperty("IceSSL.CertStoreLocation"); |
| | | 37 | | StoreLocation storeLocation; |
| | 1 | 38 | | if (certStoreLocation == "CurrentUser") |
| | | 39 | | { |
| | 1 | 40 | | storeLocation = StoreLocation.CurrentUser; |
| | | 41 | | } |
| | 0 | 42 | | else if (certStoreLocation == "LocalMachine") |
| | | 43 | | { |
| | 0 | 44 | | storeLocation = StoreLocation.LocalMachine; |
| | | 45 | | } |
| | | 46 | | else |
| | | 47 | | { |
| | 0 | 48 | | _logger.warning( |
| | 0 | 49 | | "Invalid IceSSL.CertStoreLocation value `" + certStoreLocation + "' adjusted to `CurrentUser'"); |
| | 0 | 50 | | storeLocation = StoreLocation.CurrentUser; |
| | | 51 | | } |
| | 1 | 52 | | _useMachineContext = certStoreLocation == "LocalMachine"; |
| | | 53 | | |
| | | 54 | | // CheckCertName determines whether we compare the name in a peer's certificate against its hostname. |
| | 1 | 55 | | _checkCertName = properties.getIcePropertyAsInt("IceSSL.CheckCertName") > 0; |
| | | 56 | | |
| | | 57 | | Debug.Assert(_certs == null); |
| | | 58 | | // If IceSSL.CertFile is defined, load a certificate from a file and add it to the collection. |
| | 1 | 59 | | _certs = []; |
| | 1 | 60 | | string certFile = properties.getIceProperty("IceSSL.CertFile"); |
| | 1 | 61 | | string passwordStr = properties.getIceProperty("IceSSL.Password"); |
| | 1 | 62 | | string findCert = properties.getIceProperty("IceSSL.FindCert"); |
| | | 63 | | |
| | 1 | 64 | | if (certFile.Length > 0) |
| | | 65 | | { |
| | 1 | 66 | | if (!checkPath(ref certFile)) |
| | | 67 | | { |
| | 0 | 68 | | throw new Ice.InitializationException($"IceSSL: certificate file not found: {certFile}"); |
| | | 69 | | } |
| | | 70 | | |
| | | 71 | | try |
| | | 72 | | { |
| | | 73 | | X509Certificate2 cert; |
| | | 74 | | X509KeyStorageFlags importFlags; |
| | 1 | 75 | | if (_useMachineContext) |
| | | 76 | | { |
| | 0 | 77 | | importFlags = X509KeyStorageFlags.MachineKeySet; |
| | | 78 | | } |
| | | 79 | | else |
| | | 80 | | { |
| | 1 | 81 | | importFlags = X509KeyStorageFlags.UserKeySet; |
| | | 82 | | } |
| | | 83 | | |
| | 1 | 84 | | if (passwordStr.Length > 0) |
| | | 85 | | { |
| | 1 | 86 | | using SecureString password = createSecureString(passwordStr); |
| | 1 | 87 | | cert = new X509Certificate2(certFile, password, importFlags); |
| | | 88 | | } |
| | | 89 | | else |
| | | 90 | | { |
| | 1 | 91 | | cert = new X509Certificate2(certFile, (string)null, importFlags); |
| | | 92 | | } |
| | 1 | 93 | | _certs.Add(cert); |
| | 1 | 94 | | } |
| | 0 | 95 | | catch (CryptographicException ex) |
| | | 96 | | { |
| | 0 | 97 | | throw new Ice.InitializationException( |
| | 0 | 98 | | $"IceSSL: error while attempting to load certificate from {certFile}", |
| | 0 | 99 | | ex); |
| | | 100 | | } |
| | | 101 | | } |
| | 1 | 102 | | else if (findCert.Length > 0) |
| | | 103 | | { |
| | 1 | 104 | | string certStore = properties.getIceProperty("IceSSL.CertStore"); |
| | 1 | 105 | | _certs.AddRange(findCertificates("IceSSL.FindCert", storeLocation, certStore, findCert)); |
| | 1 | 106 | | if (_certs.Count == 0) |
| | | 107 | | { |
| | 1 | 108 | | throw new Ice.InitializationException("IceSSL: no certificates found"); |
| | | 109 | | } |
| | | 110 | | } |
| | | 111 | | |
| | | 112 | | Debug.Assert(_caCerts == null); |
| | 1 | 113 | | string certAuthFile = properties.getIceProperty("IceSSL.CAs"); |
| | 1 | 114 | | if (certAuthFile.Length > 0 || properties.getIcePropertyAsInt("IceSSL.UsePlatformCAs") <= 0) |
| | | 115 | | { |
| | 1 | 116 | | _caCerts = []; |
| | | 117 | | } |
| | | 118 | | |
| | 1 | 119 | | if (certAuthFile.Length > 0) |
| | | 120 | | { |
| | 1 | 121 | | if (!checkPath(ref certAuthFile)) |
| | | 122 | | { |
| | 0 | 123 | | throw new Ice.InitializationException($"IceSSL: CA certificate file not found: {certAuthFile}"); |
| | | 124 | | } |
| | | 125 | | try |
| | | 126 | | { |
| | | 127 | | try |
| | | 128 | | { |
| | | 129 | | // First try to import as a PEM file, which supports importing multiple certificates from a PEM |
| | | 130 | | // encoded file |
| | 1 | 131 | | _caCerts.ImportFromPemFile(certAuthFile); |
| | 1 | 132 | | } |
| | 0 | 133 | | catch (CryptographicException) |
| | | 134 | | { |
| | | 135 | | // Expected if the file is not in PEM format. |
| | 0 | 136 | | } |
| | | 137 | | |
| | 1 | 138 | | if (_caCerts.Count == 0) |
| | | 139 | | { |
| | | 140 | | // Fallback to Import which handles DER/PFX. |
| | 1 | 141 | | _caCerts.Import(certAuthFile); |
| | | 142 | | } |
| | 1 | 143 | | } |
| | 0 | 144 | | catch (Exception ex) |
| | | 145 | | { |
| | 0 | 146 | | throw new Ice.InitializationException( |
| | 0 | 147 | | $"IceSSL: error while attempting to load CA certificate from {certAuthFile}", |
| | 0 | 148 | | ex); |
| | | 149 | | } |
| | | 150 | | } |
| | 1 | 151 | | } |
| | | 152 | | |
| | 0 | 153 | | internal bool useMachineContext() => _useMachineContext; |
| | | 154 | | |
| | 0 | 155 | | internal X509Certificate2Collection caCerts() => _caCerts; |
| | | 156 | | |
| | 1 | 157 | | internal Ice.Communicator communicator() => _communicator; |
| | | 158 | | |
| | 1 | 159 | | internal int securityTraceLevel() => _securityTraceLevel; |
| | | 160 | | |
| | 1 | 161 | | internal string securityTraceCategory() => _securityTraceCategory; |
| | | 162 | | |
| | 1 | 163 | | internal X509Certificate2Collection certs() => _certs; |
| | | 164 | | |
| | | 165 | | internal void traceStream(SslStream stream, string connInfo) |
| | | 166 | | { |
| | 0 | 167 | | var s = new StringBuilder(); |
| | 0 | 168 | | s.Append("SSL connection summary"); |
| | 0 | 169 | | if (connInfo.Length > 0) |
| | | 170 | | { |
| | 0 | 171 | | s.Append('\n'); |
| | 0 | 172 | | s.Append(connInfo); |
| | | 173 | | } |
| | 0 | 174 | | s.Append("\nauthenticated = " + (stream.IsAuthenticated ? "yes" : "no")); |
| | 0 | 175 | | s.Append("\nencrypted = " + (stream.IsEncrypted ? "yes" : "no")); |
| | 0 | 176 | | s.Append("\nsigned = " + (stream.IsSigned ? "yes" : "no")); |
| | 0 | 177 | | s.Append("\nmutually authenticated = " + (stream.IsMutuallyAuthenticated ? "yes" : "no")); |
| | 0 | 178 | | s.Append("\ncipher = " + stream.NegotiatedCipherSuite); |
| | 0 | 179 | | s.Append("\nprotocol = " + stream.SslProtocol); |
| | 0 | 180 | | _logger.trace(_securityTraceCategory, s.ToString()); |
| | 0 | 181 | | } |
| | | 182 | | |
| | | 183 | | internal void verifyPeer(ConnectionInfo info, string description) |
| | | 184 | | { |
| | 1 | 185 | | if (!_trustManager.verify(info, description)) |
| | | 186 | | { |
| | 1 | 187 | | string msg = (info.incoming ? "incoming" : "outgoing") + " connection rejected by trust manager\n" + |
| | 1 | 188 | | description; |
| | 1 | 189 | | if (_securityTraceLevel >= 1) |
| | | 190 | | { |
| | 0 | 191 | | _logger.trace(_securityTraceCategory, msg); |
| | | 192 | | } |
| | | 193 | | |
| | 1 | 194 | | throw new SecurityException($"IceSSL: {msg}"); |
| | | 195 | | } |
| | 1 | 196 | | } |
| | | 197 | | |
| | | 198 | | internal SslClientAuthenticationOptions createClientAuthenticationOptions( |
| | | 199 | | RemoteCertificateValidationCallback remoteCertificateValidationCallback, |
| | | 200 | | string host) |
| | | 201 | | { |
| | 1 | 202 | | var authenticationOptions = new SslClientAuthenticationOptions |
| | 1 | 203 | | { |
| | 1 | 204 | | ClientCertificates = _certs, |
| | 1 | 205 | | LocalCertificateSelectionCallback = (sender, targetHost, certs, remoteCertificate, acceptableIssuers) => |
| | 1 | 206 | | { |
| | 1 | 207 | | if (certs == null || certs.Count == 0) |
| | 1 | 208 | | { |
| | 1 | 209 | | return null; |
| | 1 | 210 | | } |
| | 1 | 211 | | else if (certs.Count == 1) |
| | 1 | 212 | | { |
| | 1 | 213 | | return certs[0]; |
| | 1 | 214 | | } |
| | 1 | 215 | | |
| | 1 | 216 | | // Use the first certificate that match the acceptable issuers. |
| | 0 | 217 | | if (acceptableIssuers != null && acceptableIssuers.Length > 0) |
| | 1 | 218 | | { |
| | 0 | 219 | | foreach (X509Certificate certificate in certs) |
| | 1 | 220 | | { |
| | 0 | 221 | | if (Array.IndexOf(acceptableIssuers, certificate.Issuer) != -1) |
| | 1 | 222 | | { |
| | 0 | 223 | | return certificate; |
| | 1 | 224 | | } |
| | 1 | 225 | | } |
| | 1 | 226 | | } |
| | 0 | 227 | | return certs[0]; |
| | 0 | 228 | | }, |
| | 1 | 229 | | RemoteCertificateValidationCallback = remoteCertificateValidationCallback, |
| | 1 | 230 | | TargetHost = host, |
| | 1 | 231 | | }; |
| | | 232 | | |
| | 1 | 233 | | authenticationOptions.CertificateChainPolicy = new X509ChainPolicy(); |
| | 1 | 234 | | if (_caCerts is null) |
| | | 235 | | { |
| | 1 | 236 | | authenticationOptions.CertificateChainPolicy.TrustMode = X509ChainTrustMode.System; |
| | | 237 | | } |
| | | 238 | | else |
| | | 239 | | { |
| | 1 | 240 | | authenticationOptions.CertificateChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; |
| | 1 | 241 | | foreach (X509Certificate certificate in _caCerts) |
| | | 242 | | { |
| | 1 | 243 | | authenticationOptions.CertificateChainPolicy.CustomTrustStore.Add(certificate); |
| | | 244 | | } |
| | | 245 | | } |
| | | 246 | | |
| | 1 | 247 | | if (!_checkCertName) |
| | | 248 | | { |
| | 1 | 249 | | authenticationOptions.CertificateChainPolicy.VerificationFlags |= X509VerificationFlags.IgnoreInvalidName; |
| | | 250 | | } |
| | | 251 | | |
| | 1 | 252 | | if (_checkCRL == 1) |
| | | 253 | | { |
| | 0 | 254 | | authenticationOptions.CertificateChainPolicy.VerificationFlags |= |
| | 0 | 255 | | X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown; |
| | | 256 | | } |
| | 1 | 257 | | authenticationOptions.CertificateChainPolicy.RevocationMode = |
| | 1 | 258 | | _checkCRL == 0 ? X509RevocationMode.NoCheck : X509RevocationMode.Online; |
| | 1 | 259 | | return authenticationOptions; |
| | | 260 | | } |
| | | 261 | | |
| | | 262 | | internal SslServerAuthenticationOptions createServerAuthenticationOptions( |
| | | 263 | | RemoteCertificateValidationCallback remoteCertificateValidationCallback) |
| | | 264 | | { |
| | | 265 | | // Get the certificate collection and select the first one. |
| | 1 | 266 | | X509Certificate2 cert = null; |
| | 1 | 267 | | if (_certs.Count > 0) |
| | | 268 | | { |
| | 1 | 269 | | cert = _certs[0]; |
| | | 270 | | } |
| | | 271 | | |
| | 1 | 272 | | var authenticationOptions = new SslServerAuthenticationOptions |
| | 1 | 273 | | { |
| | 1 | 274 | | ServerCertificate = cert, |
| | 1 | 275 | | ClientCertificateRequired = _verifyPeer > 0, |
| | 1 | 276 | | RemoteCertificateValidationCallback = remoteCertificateValidationCallback, |
| | 1 | 277 | | CertificateRevocationCheckMode = X509RevocationMode.NoCheck |
| | 1 | 278 | | }; |
| | | 279 | | |
| | 1 | 280 | | authenticationOptions.CertificateChainPolicy = new X509ChainPolicy(); |
| | 1 | 281 | | if (_caCerts is null) |
| | | 282 | | { |
| | 0 | 283 | | authenticationOptions.CertificateChainPolicy.TrustMode = X509ChainTrustMode.System; |
| | | 284 | | } |
| | | 285 | | else |
| | | 286 | | { |
| | 1 | 287 | | authenticationOptions.CertificateChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; |
| | 1 | 288 | | foreach (X509Certificate certificate in _caCerts) |
| | | 289 | | { |
| | 1 | 290 | | authenticationOptions.CertificateChainPolicy.CustomTrustStore.Add(certificate); |
| | | 291 | | } |
| | | 292 | | } |
| | 1 | 293 | | authenticationOptions.CertificateChainPolicy.RevocationMode = |
| | 1 | 294 | | _checkCRL == 0 ? X509RevocationMode.NoCheck : X509RevocationMode.Online; |
| | 1 | 295 | | if (_checkCRL == 1) |
| | | 296 | | { |
| | 0 | 297 | | authenticationOptions.CertificateChainPolicy.VerificationFlags |= |
| | 0 | 298 | | X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown; |
| | | 299 | | } |
| | 1 | 300 | | return authenticationOptions; |
| | | 301 | | } |
| | | 302 | | |
| | | 303 | | private static bool isAbsolutePath(string path) |
| | | 304 | | { |
| | | 305 | | // Skip whitespace |
| | 1 | 306 | | path = path.Trim(); |
| | | 307 | | |
| | 1 | 308 | | if (AssemblyUtil.isWindows) |
| | | 309 | | { |
| | | 310 | | // We need at least 3 non-whitespace characters to have an absolute path |
| | 0 | 311 | | if (path.Length < 3) |
| | | 312 | | { |
| | 0 | 313 | | return false; |
| | | 314 | | } |
| | | 315 | | |
| | | 316 | | // Check for X:\ path ('\' may have been converted to '/') |
| | 0 | 317 | | if ((path[0] >= 'A' && path[0] <= 'Z') || (path[0] >= 'a' && path[0] <= 'z')) |
| | | 318 | | { |
| | 0 | 319 | | return path[1] == ':' && (path[2] == '\\' || path[2] == '/'); |
| | | 320 | | } |
| | | 321 | | } |
| | | 322 | | // Check for UNC path |
| | 1 | 323 | | return (path[0] == '\\' && path[1] == '\\') || path[0] == '/'; |
| | | 324 | | } |
| | | 325 | | |
| | | 326 | | private static X509Certificate2Collection findCertificates( |
| | | 327 | | string prop, |
| | | 328 | | StoreLocation storeLocation, |
| | | 329 | | string name, |
| | | 330 | | string value) |
| | | 331 | | { |
| | | 332 | | // Open the X509 certificate store. |
| | | 333 | | X509Store store; |
| | | 334 | | try |
| | | 335 | | { |
| | | 336 | | try |
| | | 337 | | { |
| | 1 | 338 | | store = new X509Store(Enum.Parse<StoreName>(name, true), storeLocation); |
| | 1 | 339 | | } |
| | 0 | 340 | | catch (ArgumentException) |
| | | 341 | | { |
| | 0 | 342 | | store = new X509Store(name, storeLocation); |
| | 0 | 343 | | } |
| | 1 | 344 | | store.Open(OpenFlags.ReadOnly); |
| | 1 | 345 | | } |
| | 0 | 346 | | catch (Exception ex) |
| | | 347 | | { |
| | 0 | 348 | | throw new Ice.InitializationException($"IceSSL: failure while opening store specified by {prop}", ex); |
| | | 349 | | } |
| | | 350 | | |
| | | 351 | | // Start with all of the certificates in the collection and filter as necessary. |
| | | 352 | | // |
| | | 353 | | // - If the value is "*", return all certificates. |
| | | 354 | | // - Otherwise, search using key:value pairs. The following keys are supported: |
| | | 355 | | // |
| | | 356 | | // Issuer |
| | | 357 | | // IssuerDN |
| | | 358 | | // Serial |
| | | 359 | | // Subject |
| | | 360 | | // SubjectDN |
| | | 361 | | // SubjectKeyId |
| | | 362 | | // Thumbprint |
| | | 363 | | // |
| | | 364 | | // A value must be enclosed in single or double quotes if it contains whitespace. |
| | 1 | 365 | | X509Certificate2Collection result = [.. store.Certificates]; |
| | | 366 | | try |
| | | 367 | | { |
| | 1 | 368 | | if (value != "*") |
| | | 369 | | { |
| | 1 | 370 | | if (!value.Contains(':', StringComparison.Ordinal)) |
| | | 371 | | { |
| | 1 | 372 | | throw new Ice.InitializationException($"IceSSL: no key in `{value}'"); |
| | | 373 | | } |
| | 1 | 374 | | int start = 0; |
| | | 375 | | int pos; |
| | 1 | 376 | | while ((pos = value.IndexOf(':', start)) != -1) |
| | | 377 | | { |
| | | 378 | | // Parse the X509FindType. |
| | 1 | 379 | | string field = value[start..pos].Trim().ToUpperInvariant(); |
| | | 380 | | X509FindType findType; |
| | 1 | 381 | | if (field == "SUBJECT") |
| | | 382 | | { |
| | 1 | 383 | | findType = X509FindType.FindBySubjectName; |
| | | 384 | | } |
| | 1 | 385 | | else if (field == "SUBJECTDN") |
| | | 386 | | { |
| | 1 | 387 | | findType = X509FindType.FindBySubjectDistinguishedName; |
| | | 388 | | } |
| | 1 | 389 | | else if (field == "ISSUER") |
| | | 390 | | { |
| | 1 | 391 | | findType = X509FindType.FindByIssuerName; |
| | | 392 | | } |
| | 1 | 393 | | else if (field == "ISSUERDN") |
| | | 394 | | { |
| | 1 | 395 | | findType = X509FindType.FindByIssuerDistinguishedName; |
| | | 396 | | } |
| | 1 | 397 | | else if (field == "THUMBPRINT") |
| | | 398 | | { |
| | 1 | 399 | | findType = X509FindType.FindByThumbprint; |
| | | 400 | | } |
| | 1 | 401 | | else if (field == "SUBJECTKEYID") |
| | | 402 | | { |
| | 1 | 403 | | findType = X509FindType.FindBySubjectKeyIdentifier; |
| | | 404 | | } |
| | 1 | 405 | | else if (field == "SERIAL") |
| | | 406 | | { |
| | 1 | 407 | | findType = X509FindType.FindBySerialNumber; |
| | | 408 | | } |
| | | 409 | | else |
| | | 410 | | { |
| | 1 | 411 | | throw new Ice.InitializationException($"IceSSL: unknown key in `{value}'"); |
| | | 412 | | } |
| | | 413 | | |
| | | 414 | | // Parse the argument. |
| | 1 | 415 | | start = pos + 1; |
| | 1 | 416 | | while (start < value.Length && (value[start] == ' ' || value[start] == '\t')) |
| | | 417 | | { |
| | 0 | 418 | | ++start; |
| | | 419 | | } |
| | | 420 | | |
| | 1 | 421 | | if (start == value.Length) |
| | | 422 | | { |
| | 0 | 423 | | throw new Ice.InitializationException($"IceSSL: missing argument in `{value}'"); |
| | | 424 | | } |
| | | 425 | | |
| | | 426 | | string arg; |
| | 1 | 427 | | if (value[start] == '"' || value[start] == '\'') |
| | | 428 | | { |
| | 1 | 429 | | int end = start; |
| | 1 | 430 | | ++end; |
| | 1 | 431 | | while (end < value.Length) |
| | | 432 | | { |
| | 1 | 433 | | if (value[end] == value[start] && value[end - 1] != '\\') |
| | | 434 | | { |
| | | 435 | | break; |
| | | 436 | | } |
| | 1 | 437 | | ++end; |
| | | 438 | | } |
| | 1 | 439 | | if (end == value.Length || value[end] != value[start]) |
| | | 440 | | { |
| | 0 | 441 | | throw new Ice.InitializationException($"IceSSL: unmatched quote in `{value}'"); |
| | | 442 | | } |
| | 1 | 443 | | ++start; |
| | 1 | 444 | | arg = value[start..end]; |
| | 1 | 445 | | start = end + 1; |
| | | 446 | | } |
| | | 447 | | else |
| | | 448 | | { |
| | 1 | 449 | | char[] ws = [' ', '\t']; |
| | 1 | 450 | | int end = value.IndexOfAny(ws, start); |
| | 1 | 451 | | if (end == -1) |
| | | 452 | | { |
| | 1 | 453 | | arg = value[start..]; |
| | 1 | 454 | | start = value.Length; |
| | | 455 | | } |
| | | 456 | | else |
| | | 457 | | { |
| | 1 | 458 | | arg = value[start..end]; |
| | 1 | 459 | | start = end + 1; |
| | | 460 | | } |
| | | 461 | | } |
| | | 462 | | |
| | | 463 | | // Execute the query. |
| | | 464 | | // |
| | | 465 | | // TODO: allow user to specify a value for validOnly? |
| | 1 | 466 | | bool validOnly = false; |
| | 1 | 467 | | if (findType == X509FindType.FindBySubjectDistinguishedName || |
| | 1 | 468 | | findType == X509FindType.FindByIssuerDistinguishedName) |
| | | 469 | | { |
| | 1 | 470 | | X500DistinguishedNameFlags[] flags = [ |
| | 1 | 471 | | X500DistinguishedNameFlags.None, |
| | 1 | 472 | | X500DistinguishedNameFlags.Reversed, |
| | 1 | 473 | | ]; |
| | 1 | 474 | | var dn = new X500DistinguishedName(arg); |
| | 1 | 475 | | X509Certificate2Collection r = result; |
| | 1 | 476 | | for (int i = 0; i < flags.Length; ++i) |
| | | 477 | | { |
| | 1 | 478 | | r = result.Find(findType, dn.Decode(flags[i]), validOnly); |
| | 1 | 479 | | if (r.Count > 0) |
| | | 480 | | { |
| | | 481 | | break; |
| | | 482 | | } |
| | | 483 | | } |
| | 1 | 484 | | result = r; |
| | | 485 | | } |
| | | 486 | | else |
| | | 487 | | { |
| | 1 | 488 | | result = result.Find(findType, arg, validOnly); |
| | | 489 | | } |
| | | 490 | | } |
| | | 491 | | } |
| | 1 | 492 | | } |
| | | 493 | | finally |
| | | 494 | | { |
| | 1 | 495 | | store.Close(); |
| | 1 | 496 | | } |
| | | 497 | | |
| | 1 | 498 | | return result; |
| | | 499 | | } |
| | | 500 | | |
| | | 501 | | private static SecureString createSecureString(string s) |
| | | 502 | | { |
| | 1 | 503 | | var result = new SecureString(); |
| | 1 | 504 | | foreach (char ch in s) |
| | | 505 | | { |
| | 1 | 506 | | result.AppendChar(ch); |
| | | 507 | | } |
| | 1 | 508 | | return result; |
| | | 509 | | } |
| | | 510 | | |
| | | 511 | | private bool checkPath(ref string path) |
| | | 512 | | { |
| | 1 | 513 | | if (File.Exists(path)) |
| | | 514 | | { |
| | 0 | 515 | | return true; |
| | | 516 | | } |
| | | 517 | | |
| | 1 | 518 | | if (_defaultDir.Length > 0 && !isAbsolutePath(path)) |
| | | 519 | | { |
| | 1 | 520 | | string s = _defaultDir + Path.DirectorySeparatorChar + path; |
| | 1 | 521 | | if (File.Exists(s)) |
| | | 522 | | { |
| | 1 | 523 | | path = s; |
| | 1 | 524 | | return true; |
| | | 525 | | } |
| | | 526 | | } |
| | 0 | 527 | | return false; |
| | | 528 | | } |
| | | 529 | | |
| | | 530 | | private readonly Ice.Communicator _communicator; |
| | | 531 | | private readonly Ice.Logger _logger; |
| | | 532 | | private readonly int _securityTraceLevel; |
| | | 533 | | private readonly string _securityTraceCategory; |
| | | 534 | | private string _defaultDir; |
| | | 535 | | private bool _checkCertName; |
| | | 536 | | private int _verifyPeer; |
| | | 537 | | private int _checkCRL; |
| | | 538 | | private X509Certificate2Collection _certs; |
| | | 539 | | private bool _useMachineContext; |
| | | 540 | | private X509Certificate2Collection _caCerts; |
| | | 541 | | private readonly TrustManager _trustManager; |
| | | 542 | | } |