path: root/TAO/orbsvcs/tests/Security/Secure_Invocation/Foo_i.cpp
// -*- C++ -*-

#include <openssl/x509.h>

#include "Foo_i.h"

// Version-control identification for this file; "$Id$" is the RCS/CVS
// keyword placeholder.
// NOTE(review): what ACE_RCSID expands to is defined outside this file.
ACE_RCSID (Secure_Invocation,
           Foo_i,
           "$Id$")

// Construct the servant from an ORB reference and a SecurityLevel2::Current
// reference.
//
// Both arguments are passed through _duplicate() before being stored, so
// the servant keeps its own references (orb_ and current_) rather than
// borrowing the caller's.  current_ is the object baz() later queries for
// the security attributes of the invocation being dispatched; orb_ is used
// by shutdown().
// NOTE(review): the member types are declared in Foo_i.h, which is not
// visible here -- presumably _var types that release the references on
// destruction; confirm.
Foo_i::Foo_i (CORBA::ORB_ptr orb,
              SecurityLevel2::Current_ptr current)
  : orb_ (CORBA::ORB::_duplicate (orb)),
    current_ (SecurityLevel2::Current::_duplicate (current))
{
}

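// Test upcall: ask the "SecurityCurrent" object for the AccessId
// attribute of the current invocation and, for every returned attribute
// whose defining authority is "x509", decode the DER encoded certificate
// and log its issuer name.
//
// The certificate bytes originate from the remote peer, so every decoding
// step is checked before its result is used.  Attributes that are not an
// X.509 AccessId, or that fail to decode, are reported and skipped; the
// call itself still returns normally.
//
// Exceptions raised by get_attributes() are propagated to the caller
// through ACE_TRY_ENV / ACE_CHECK.
void
Foo_i::baz (CORBA::Environment &ACE_TRY_ENV)
  ACE_THROW_SPEC ((CORBA::SystemException))
{
  Security::AttributeType desired_attribute;

  desired_attribute.attribute_family.family_definer = 0;

  desired_attribute.attribute_family.family = 1;  // privilege attribute

  desired_attribute.attribute_type = Security::AccessId;

  // Set up the AttributeTypeList that requests the AccessId from the
  // "SecurityCurrent" object.
  Security::AttributeTypeList attribute_type_list;
  attribute_type_list.length (1);
  attribute_type_list[0] = desired_attribute;

  // Get the desired security attributes
  Security::AttributeList_var attribute_list =
    this->current_->get_attributes (attribute_type_list,
                                    ACE_TRY_ENV);
  ACE_CHECK;

  // If the SecurityLevel1::Current::get_attributes() call above
  // succeeds, then it is likely that some security context
  // information is available for this upcall.  The following code
  // verifies that this is actually the case.

  // Assume X.509 certificates are in use.
  // Note that sizeof (x509) includes the terminating NUL, so the OID
  // being compared against is five octets long.
  // NOTE(review): presumably this matches what the security service
  // stores in defining_authority -- confirm.
  const char x509[] = "x509";
  Security::OID x509_defining_authority;
  x509_defining_authority.length (sizeof (x509));

  CORBA::Octet *authority_buf =
    x509_defining_authority.get_buffer ();

  ACE_OS_String::memcpy (authority_buf, x509, sizeof (x509));

  const CORBA::ULong len = attribute_list->length ();
  for (CORBA::ULong i = 0; i < len; ++i)
    {
      Security::SecAttribute &attribute = attribute_list[i];

      if (attribute.attribute_type.attribute_type == Security::AccessId
          && x509_defining_authority == attribute.defining_authority)
        {
          // Obtain the underlying buffer from the SecAttribute.
          // d2i_X509() advances the pointer it is handed, so it is
          // given this local copy rather than anything owned by the
          // sequence.
          CORBA::Octet *der_cert = attribute.value.get_buffer ();

          // Convert the DER encoded X.509 certificate into OpenSSL's
          // internal format.
          X509 *peer = ::d2i_X509 (0,
                                   &der_cert,
                                   attribute.value.length ());

          // The encoding is supplied by the peer; a malformed or
          // truncated certificate makes d2i_X509() return a null
          // pointer, which must not reach X509_get_issuer_name().
          if (peer == 0)
            {
              ACE_ERROR ((LM_ERROR,
                          "(%P|%t) ERROR: SecAttribute %u does not hold "
                          "a valid DER encoded X.509 certificate.\n",
                          i));
              continue;
            }

          // Zero-filled so that it is a valid empty string even if the
          // conversion below fails.
          char issuer[BUFSIZ] = { 0 };

          if (::X509_NAME_oneline (::X509_get_issuer_name (peer),
                                   issuer,
                                   BUFSIZ) != 0)
            {
              // The issuer text is taken from the peer's certificate
              // and should be read as untrusted data in the log.
              ACE_DEBUG ((LM_DEBUG,
                          "(%P|%t) SecAttribute %u -- "
                          "Certificate issuer: %s\n",
                          i,
                          issuer));
            }
          else
            {
              ACE_ERROR ((LM_ERROR,
                          "(%P|%t) ERROR: Unable to obtain the certificate "
                          "issuer name for SecAttribute %u.\n",
                          i));
            }

          ::X509_free (peer);
        }
      else
        {
          // Pass the integral attribute type, not the enclosing
          // AttributeType structure, to match the %u conversion.
          ACE_DEBUG ((LM_WARNING,
                      "(%P|%t) WARNING: Unknown attribute type <%u> or "
                      "defining authority in SecAttribute %u.\n",
                      attribute.attribute_type.attribute_type,
                      i));
        }
    }
}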

// Ask the ORB this servant was constructed with to shut down.
//
// Any exception raised by the ORB is reported through ACE_TRY_ENV.
// NOTE(review): no check on who is invoking this operation is visible in
// this method; whether access is restricted elsewhere cannot be told from
// this file.
void
Foo_i::shutdown (CORBA::Environment &ACE_TRY_ENV)
  ACE_THROW_SPEC ((CORBA::SystemException))
{
  // Zero: return without waiting for the shutdown to complete.
  const CORBA::Boolean wait_for_completion = 0;

  orb_->shutdown (wait_for_completion, ACE_TRY_ENV);
}