--- Ice-3.4.2.orig/cpp/src/IceGrid/InternalRegistryI.cpp	2011-06-15 21:43:59.000000000 +0200
+++ Ice-3.4.2/cpp/src/IceGrid/InternalRegistryI.cpp	2012-03-04 19:55:44.000000000 +0100
@@ -19,6 +19,8 @@
 #include &lt;IceGrid/ReplicaSessionI.h&gt;
 #include &lt;IceGrid/ReplicaSessionManager.h&gt;
 #include &lt;IceGrid/FileCache.h&gt;
+#include &lt;IceSSL/IceSSL.h&gt;
+#include &lt;IceSSL/RFC2253.h&gt;
 
 using namespace std;
 using namespace IceGrid;
@@ -38,6 +40,8 @@
     Ice::PropertiesPtr properties = database-&gt;getCommunicator()-&gt;getProperties();
     _nodeSessionTimeout = properties-&gt;getPropertyAsIntWithDefault("IceGrid.Registry.NodeSessionTimeout", 30);
     _replicaSessionTimeout = properties-&gt;getPropertyAsIntWithDefault("IceGrid.Registry.ReplicaSessionTimeout", 30);
+    _requireNodeCertCN = properties-&gt;getPropertyAsIntWithDefault("IceGrid.Registry.RequireNodeCertCN", 0);
+    _requireReplicaCertCN = properties-&gt;getPropertyAsIntWithDefault("IceGrid.Registry.RequireReplicaCertCN", 0);
 }
 
 InternalRegistryI::~InternalRegistryI()
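Review bot: Both `IceGrid.Registry.RequireNodeCertCN` and `IceGrid.Registry.RequireReplicaCertCN` default to 0, so the certificate-to-name binding is off unless an operator enables it, and nothing at the point where they are read says so. A comment such as `// Off by default: when 0, the name a node or replica registers under is not tied to its certificate.` would make the fail-open default explicit. The check presumably only means something when IceSSL is also configured to require and verify peer certificates against a trusted CA, which is worth stating wherever these properties are documented. The constructor starts outside this hunk.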
@@ -50,7 +54,56 @@
                                 const LoadInfo&amp; load, 
                                 const Ice::Current&amp; current)
 {
-    const Ice::LoggerPtr logger = _database-&gt;getTraceLevels()-&gt;logger;
+    const TraceLevelsPtr traceLevels = _database-&gt;getTraceLevels();
+    const Ice::LoggerPtr logger = traceLevels-&gt;logger;
+    if(!info || !node)
+    {
+        return 0;
+    }
+
+    if(_requireNodeCertCN)
+    {
+        try
+        {
+            IceSSL::ConnectionInfoPtr sslConnInfo = IceSSL::ConnectionInfoPtr::dynamicCast(current.con-&gt;getInfo());
+            if(sslConnInfo)
+            {
+                if (sslConnInfo-&gt;certs.empty() ||
+                    !IceSSL::Certificate::decode(sslConnInfo-&gt;certs[0])-&gt;getSubjectDN().match("CN=" + info-&gt;name))
+                {
+                    if(traceLevels-&gt;node &gt; 0)
+                    {
+                        Ice::Trace out(logger, traceLevels-&gt;nodeCat);
+                        out &lt;&lt; "certificate CN doesn't match node name `" &lt;&lt; info-&gt;name &lt;&lt; "'";
+                    }
+                    throw PermissionDeniedException("certificate CN doesn't match node name `" + info-&gt;name + "'");
+                }
+            }
+            else
+            {
+                if(traceLevels-&gt;node &gt; 0)
+                {
+                    Ice::Trace out(logger, traceLevels-&gt;nodeCat);
+                    out &lt;&lt; "node certificate for `" &lt;&lt; info-&gt;name &lt;&lt; "' is required to connect to this registry";
+                }
+                throw PermissionDeniedException("node certificate is required to connect to this registry");
+            }
+        }
+        catch(const PermissionDeniedException&amp; ex)
+        {
+            throw ex;
+        }
+        catch(const IceUtil::Exception&amp;)
+        {
+            if(traceLevels-&gt;node &gt; 0)
+            {
+                Ice::Trace out(logger, traceLevels-&gt;nodeCat);
+                out &lt;&lt; "unexpected exception while verifying certificate for node `" &lt;&lt; info-&gt;name &lt;&lt; "'";
+            }
+            throw PermissionDeniedException("unable to verify certificate for node `" + info-&gt;name + "'");
+        }
+    }
+ 
     try
     {
         NodeSessionIPtr session = new NodeSessionI(_database, node, info, _nodeSessionTimeout, load);
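Review bot: The DN filter in the added check is built as `"CN=" + info->name` from a name the connecting node supplies, with no escaping, so a name containing RFC 2253 special characters (`,`, `+`, `=`, `\`) is no longer parsed as a single CN value. How `match()` treats any extra RDNs is not visible here, so the name should be validated or escaped before the filter is built, or the certificate's CN value compared with `info->name` directly. The rethrow handler should use `throw;` rather than `throw ex;`, which copies the exception object. Rejections are only written when `traceLevels->node > 0`, so a denied registration leaves no record when node tracing is off; consider logging it as a warning unconditionally. The same points apply to the replica check in the next hunk, and the enclosing function starts and ends outside this hunk.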
@@ -68,7 +121,56 @@
                                    const InternalRegistryPrx&amp; prx,
                                    const Ice::Current&amp; current)
 {
-    const Ice::LoggerPtr logger = _database-&gt;getTraceLevels()-&gt;logger;
+    const TraceLevelsPtr traceLevels = _database-&gt;getTraceLevels();
+    const Ice::LoggerPtr logger = traceLevels-&gt;logger;
+    if(!info || !prx)
+    {
+        return 0;
+    }
+
+    if(_requireReplicaCertCN)
+    {
+        try
+        {
+            IceSSL::ConnectionInfoPtr sslConnInfo = IceSSL::ConnectionInfoPtr::dynamicCast(current.con-&gt;getInfo());
+            if(sslConnInfo)
+            {
+                if (sslConnInfo-&gt;certs.empty() ||
+                    !IceSSL::Certificate::decode(sslConnInfo-&gt;certs[0])-&gt;getSubjectDN().match("CN=" + info-&gt;name))
+                {
+                    if(traceLevels-&gt;replica &gt; 0)
+                    {
+                        Ice::Trace out(logger, traceLevels-&gt;replicaCat);
+                        out &lt;&lt; "certificate CN doesn't match replica name `" &lt;&lt; info-&gt;name &lt;&lt; "'";
+                    }
+                    throw PermissionDeniedException("certificate CN doesn't match replica name `" + info-&gt;name + "'");
+                }
+            }
+            else
+            {
+                if(traceLevels-&gt;replica &gt; 0)
+                {
+                    Ice::Trace out(logger, traceLevels-&gt;replicaCat);
+                    out &lt;&lt; "replica certificate for `" &lt;&lt; info-&gt;name &lt;&lt; "' is required to connect to this registry";
+                }
+                throw PermissionDeniedException("replica certificate is required to connect to this registry");
+            }
+        }
+        catch(const PermissionDeniedException&amp; ex)
+        {
+            throw ex;
+        }
+        catch(const IceUtil::Exception&amp;)
+        {
+            if(traceLevels-&gt;replica &gt; 0)
+            {
+                Ice::Trace out(logger, traceLevels-&gt;replicaCat);
+                out &lt;&lt; "unexpected exception while verifying certificate for replica `" &lt;&lt; info-&gt;name &lt;&lt; "'";
+            }
+            throw PermissionDeniedException("unable to verify certificate for replica `" + info-&gt;name + "'");
+        }
+    }
+    
     try
     {
         ReplicaSessionIPtr s = new ReplicaSessionI(_database, _wellKnownObjects, info, prx, _replicaSessionTimeout);
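Review bot: The replica check is a line-for-line copy of the node check in the previous hunk, differing only in the flag (`_requireReplicaCertCN`), the trace level and category (`traceLevels->replica`, `traceLevels->replicaCat`) and the word "replica" in the messages. Two copies of an authorization check tend to drift apart when one is fixed and the other is not; a single private helper taking `current`, `info->name`, the trace level, the category and the peer kind would keep both paths identical. It would also give one place to decide how rejections are logged and how the name is turned into a DN filter. The enclosing function starts and ends outside this hunk.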