--- Ice-3.4.2.orig/cpp/src/IceGrid/InternalRegistryI.cpp 2011-06-15 21:43:59.000000000 +0200
+++ Ice-3.4.2/cpp/src/IceGrid/InternalRegistryI.cpp 2012-03-04 19:55:44.000000000 +0100
@@ -19,6 +19,8 @@
#include <IceGrid/ReplicaSessionI.h>
#include <IceGrid/ReplicaSessionManager.h>
#include <IceGrid/FileCache.h>
+#include <IceSSL/IceSSL.h>
+#include <IceSSL/RFC2253.h>
using namespace std;
using namespace IceGrid;
@@ -38,6 +40,8 @@
Ice::PropertiesPtr properties = database->getCommunicator()->getProperties();
_nodeSessionTimeout = properties->getPropertyAsIntWithDefault("IceGrid.Registry.NodeSessionTimeout", 30);
_replicaSessionTimeout = properties->getPropertyAsIntWithDefault("IceGrid.Registry.ReplicaSessionTimeout", 30);
+ _requireNodeCertCN = properties->getPropertyAsIntWithDefault("IceGrid.Registry.RequireNodeCertCN", 0);
+ _requireReplicaCertCN = properties->getPropertyAsIntWithDefault("IceGrid.Registry.RequireReplicaCertCN", 0);
}
InternalRegistryI::~InternalRegistryI()
@@ -50,7 +54,56 @@
const LoadInfo& load,
const Ice::Current& current)
{
- const Ice::LoggerPtr logger = _database->getTraceLevels()->logger;
+ const TraceLevelsPtr traceLevels = _database->getTraceLevels();
+ const Ice::LoggerPtr logger = traceLevels->logger;
+ if(!info || !node)
+ {
+ return 0;
+ }
+
+ if(_requireNodeCertCN)
+ {
+ try
+ {
+ IceSSL::ConnectionInfoPtr sslConnInfo = IceSSL::ConnectionInfoPtr::dynamicCast(current.con->getInfo());
+ if(sslConnInfo)
+ {
+ if (sslConnInfo->certs.empty() ||
+ !IceSSL::Certificate::decode(sslConnInfo->certs[0])->getSubjectDN().match("CN=" + info->name))
+ {
+ if(traceLevels->node > 0)
+ {
+ Ice::Trace out(logger, traceLevels->nodeCat);
+ out << "certificate CN doesn't match node name `" << info->name << "'";
+ }
+ throw PermissionDeniedException("certificate CN doesn't match node name `" + info->name + "'");
+ }
+ }
+ else
+ {
+ if(traceLevels->node > 0)
+ {
+ Ice::Trace out(logger, traceLevels->nodeCat);
+ out << "node certificate for `" << info->name << "' is required to connect to this registry";
+ }
+ throw PermissionDeniedException("node certificate is required to connect to this registry");
+ }
+ }
+ catch(const PermissionDeniedException& ex)
+ {
+ throw ex;
+ }
+ catch(const IceUtil::Exception&)
+ {
+ if(traceLevels->node > 0)
+ {
+ Ice::Trace out(logger, traceLevels->nodeCat);
+ out << "unexpected exception while verifying certificate for node `" << info->name << "'";
+ }
+ throw PermissionDeniedException("unable to verify certificate for node `" + info->name + "'");
+ }
+ }
+
try
{
NodeSessionIPtr session = new NodeSessionI(_database, node, info, _nodeSessionTimeout, load);
@@ -68,7 +121,56 @@
const InternalRegistryPrx& prx,
const Ice::Current& current)
{
- const Ice::LoggerPtr logger = _database->getTraceLevels()->logger;
+ const TraceLevelsPtr traceLevels = _database->getTraceLevels();
+ const Ice::LoggerPtr logger = traceLevels->logger;
+ if(!info || !prx)
+ {
+ return 0;
+ }
+
+ if(_requireReplicaCertCN)
+ {
+ try
+ {
+ IceSSL::ConnectionInfoPtr sslConnInfo = IceSSL::ConnectionInfoPtr::dynamicCast(current.con->getInfo());
+ if(sslConnInfo)
+ {
+ if (sslConnInfo->certs.empty() ||
+ !IceSSL::Certificate::decode(sslConnInfo->certs[0])->getSubjectDN().match("CN=" + info->name))
+ {
+ if(traceLevels->replica > 0)
+ {
+ Ice::Trace out(logger, traceLevels->replicaCat);
+ out << "certificate CN doesn't match replica name `" << info->name << "'";
+ }
+ throw PermissionDeniedException("certificate CN doesn't match replica name `" + info->name + "'");
+ }
+ }
+ else
+ {
+ if(traceLevels->replica > 0)
+ {
+ Ice::Trace out(logger, traceLevels->replicaCat);
+ out << "replica certificate for `" << info->name << "' is required to connect to this registry";
+ }
+ throw PermissionDeniedException("replica certificate is required to connect to this registry");
+ }
+ }
+ catch(const PermissionDeniedException& ex)
+ {
+ throw ex;
+ }
+ catch(const IceUtil::Exception&)
+ {
+ if(traceLevels->replica > 0)
+ {
+ Ice::Trace out(logger, traceLevels->replicaCat);
+ out << "unexpected exception while verifying certificate for replica `" << info->name << "'";
+ }
+ throw PermissionDeniedException("unable to verify certificate for replica `" + info->name + "'");
+ }
+ }
+
try
{
ReplicaSessionIPtr s = new ReplicaSessionI(_database, _wellKnownObjects, info, prx, _replicaSessionTimeout);