Move C++ SSL transport to Ice core (#2048)

config/Make.rules.Darwin

@@ -91,21 +91,19 @@ unescape-ldflags = $(subst -framework+,-framework$(space),$1)
 Ice_system_libs := -ldl
 
 # Frameworks for macos
-IceSSL[macosx]_system_libs := -framework Security -framework CoreFoundation
+Ice[macosx]_system_libs := -framework Security -framework CoreFoundation
 
 # Frameworks requires for iphoneos
-Ice[iphoneos]_system_libs := -framework CFNetwork -framework UIKit -framework Foundation
-IceSSL[iphoneos]_system_libs := -framework Security
+Ice[iphoneos]_system_libs := -framework CFNetwork -framework UIKit -framework Foundation -framework Security
 IceIAP[iphoneos]_system_libs := -framework ExternalAccessory
 
 # Same frameworks as iphoneos for iphonesimulator
 Ice[iphonesimulator]_system_libs := $(Ice[iphoneos]_system_libs)
-IceSSL[iphonesimulator]_system_libs := $(IceSSL[iphoneos]_system_libs)
 IceIAP[iphonesimulator]_system_libs := $(IceIAP[iphoneos]_system_libs)
 
 icegridadmin[macosx]_system_libs := -ledit -lncurses
 icestormadmin[macosx]_system_libs := -ledit -lncurses
 
-Glacier2CryptPermissionsVerifier[macosx]_system_libs := $(IceSSL[macosx]_system_libs)
-Glacier2CryptPermissionsVerifier[iphoneos]_system_libs := $(IceSSL[iphoneos]_system_libs)
-Glacier2CryptPermissionsVerifier[iphonesimulator]_system_libs := $(IceSSL[iphonesimulator]_system_libs)
+Glacier2CryptPermissionsVerifier[macosx]_system_libs := $(Ice[macosx]_system_libs)
+Glacier2CryptPermissionsVerifier[iphoneos]_system_libs := $(Ice[iphoneos]_system_libs)
+Glacier2CryptPermissionsVerifier[iphonesimulator]_system_libs := $(Ice[iphonesimulator]_system_libs)

config/Make.rules.Linux

@@ -179,11 +179,10 @@ endif
 endif
 
 IceUtil_system_libs                             = -lrt $(if $(filter yes,$(libbacktrace)),-lbacktrace)
-Ice_system_libs                                 = -ldl -lcrypto $(IceUtil_system_libs)
+Ice_system_libs                                 = -ldl -lssl -lcrypto $(IceUtil_system_libs)
 ifeq ($(shell pkg-config --exists libsystemd 2> /dev/null && echo yes),yes)
 Ice_system_libs                                 += $(shell pkg-config --libs libsystemd)
 endif
-IceSSL_system_libs                              = -lssl -lcrypto
 Glacier2CryptPermissionsVerifier_system_libs    = -lcrypt
 
 icegridadmin_system_libs                        = -ledit
@@ -196,6 +195,6 @@ icestormadmin_system_libs                       = -ledit
 #
 ifneq ($(filter debian ubuntu yocto poky,$(linux_id)),)
 ifeq ($(shell pkg-config --exists bluez dbus-1 2> /dev/null && echo yes),yes)
-IceBT_system_libs                               = $(IceSSL_system_libs) $(shell pkg-config --libs dbus-1)
+IceBT_system_libs                               = $(shell pkg-config --libs dbus-1)
 endif
 endif

cpp/Makefile

@@ -13,7 +13,7 @@ include $(lang_srcdir)/config/Make.rules
 # that other projects might depend on so it's important to parse them first for the
 # generated headers variable to be defined when we load other projects.
 #
-load_first = Ice IceSSL IceBox Glacier2Lib IceGridLib IceStormLib
+load_first = Ice IceBox Glacier2Lib IceGridLib IceStormLib
 
 #
 # Create projects for all the Slice translators from src/slice2* and load source projects.

cpp/config/Make.rules

@@ -25,7 +25,6 @@ $(eval $(call validate-config))
 #
 coreandstub_components  = IceUtil \
                           Ice \
-                          IceSSL \
                           IceDiscovery \
                           IceLocatorDiscovery \
                           Glacier2 \
@@ -98,12 +97,11 @@ define create-cpp-test-project
 $1_srcext               := cpp
 $1_dependencies         := $$(or $$($1_dependencies),TestCommon Ice)
 
-# Also link with IceSSL and IceBT (Debian/Ubuntu/Yocto) when compiling the project with the static configuration
+# Also link with IceBT (Debian/Ubuntu/Yocto) when compiling the project with the static configuration
 $1[static]_cppflags     += $(if $(IceBT_system_libs),-DICE_HAS_BT)
-$1[static]_dependencies := IceSSL $(if $(IceBT_system_libs),IceBT)
+$1[static]_dependencies := $(if $(IceBT_system_libs),IceBT)
 
 # Dependencies and target dirs for Xcode SDK test projects
-$1[xcodesdk]_dependencies                       := IceSSL
 $1[iphoneos-xcodesdk]_targetdir                 := test/ios/bundles/Bundles-iphoneos/$(subst /,_,$1)
 $1[iphonesimulator-xcodesdk]_targetdir          := test/ios/bundles/Bundles-iphonesimulator/$(subst /,_,$1)
 

cpp/config/Make.xcodesdk.rules

@@ -15,7 +15,7 @@ xcodesdk_targetdir      = $(if $(filter %/build,$5),xcodesdk,$(if $(is-iostest-p
 xcodesdk_installdir     = $(if $(filter %/build,$5),xcodesdk,$(if $(is-iostest-program),,../sdk/$2.sdk/usr/lib))
 xcodesdk_targetrule     = $(if $(is-iostest-program),iostest,$(if $(filter-out program,$($1_target)),static))
 
-xcodesdk_components     = Ice IceSSL Glacier2 IceStorm IceGrid IceDiscovery IceLocatorDiscovery IceIAP TestCommon
+xcodesdk_components     = Ice Glacier2 IceStorm IceGrid IceDiscovery IceLocatorDiscovery IceIAP TestCommon
 xcodesdk_projects       = test/Ice/% test/IceSSL/configuration
 xcodesdk_excludes       = $(addprefix test/Ice/,background \
                                                 faultTolerance \

cpp/include/Ice/RegisterPlugins.h

@@ -55,9 +55,7 @@ namespace Ice
      * plug-in property is set to 1.
      */
     ICE_PLUGIN_REGISTER_DECLSPEC_IMPORT void registerIceWS(bool loadOnInitialize = true);
-#endif
 
-#ifndef ICESSL_API_EXPORTS
     /**
      * When using static libraries, calling this function ensures the SSL transport is
      * linked with the application.
@@ -119,7 +117,6 @@ namespace Ice
 #if defined(_MSC_VER) && !defined(ICE_BUILDING_SRC)
 #    pragma comment(lib, ICE_LIBNAME("IceDiscovery"))
 #    pragma comment(lib, ICE_LIBNAME("IceLocatorDiscovery"))
-#    pragma comment(lib, ICE_LIBNAME("IceSSL"))
 #endif
 }
 

cpp/include/IceSSL/Plugin.h → cpp/include/IceSSL/Certificate.h

@@ -5,8 +5,8 @@
 #ifndef ICESSL_PLUGIN_H
 #define ICESSL_PLUGIN_H
 
-#include "Config.h"
 #include "ConnectionInfoF.h"
+#include "Ice/Config.h"
 #include "Ice/Exception.h"
 #include "Ice/Plugin.h"
 
@@ -68,9 +68,7 @@ namespace IceSSL
         UnknownTrustFailure,
     };
 
-    ICESSL_API TrustError getTrustError(const IceSSL::ConnectionInfoPtr&);
-    ICESSL_API std::string getTrustErrorDescription(TrustError);
-    ICESSL_API std::string getHost(const IceSSL::ConnectionInfoPtr&);
+    ICE_API std::string getTrustErrorDescription(TrustError);
 
     /**
      * The key usage "digitalSignature" bit is set
@@ -108,7 +106,6 @@ namespace IceSSL
      * The key usage "decipherOnly" bit is set
      */
     const unsigned int KEY_USAGE_DECIPHER_ONLY = 1u << 8;
-
     /**
      * The extended key usage "anyKeyUsage" bit is set
      */
@@ -140,9 +137,8 @@ namespace IceSSL
 
     /**
      * Thrown if the certificate cannot be read.
-     * \headerfile IceSSL/IceSSL.h
      */
-    class ICESSL_API CertificateReadException : public Ice::Exception
+    class ICE_API CertificateReadException : public Ice::Exception
     {
     public:
         using Ice::Exception::Exception;
@@ -160,9 +156,8 @@ namespace IceSSL
 
     /**
      * Thrown if the certificate cannot be encoded.
-     * \headerfile IceSSL/IceSSL.h
      */
-    class ICESSL_API CertificateEncodingException : public Ice::Exception
+    class ICE_API CertificateEncodingException : public Ice::Exception
     {
     public:
         using Ice::Exception::Exception;
@@ -180,9 +175,8 @@ namespace IceSSL
 
     /**
      * This exception is thrown if a distinguished name cannot be parsed.
-     * \headerfile IceSSL/IceSSL.h
      */
-    class ICESSL_API ParseException : public Ice::Exception
+    class ICE_API ParseException : public Ice::Exception
     {
     public:
         using Ice::Exception::Exception;
@@ -209,9 +203,8 @@ namespace IceSSL
      * toString() always returns exactly the same information as was
      * provided in the constructor (i.e., "ZeroC, Inc." will not turn
      * into ZeroC\, Inc.).
-     * \headerfile IceSSL/IceSSL.h
      */
-    class ICESSL_API DistinguishedName
+    class ICE_API DistinguishedName
     {
     public:
         /**
@@ -233,12 +226,12 @@ namespace IceSSL
         /**
          * Performs an exact match. The order of the RDN components is important.
          */
-        friend ICESSL_API bool operator==(const DistinguishedName&, const DistinguishedName&);
+        friend ICE_API bool operator==(const DistinguishedName&, const DistinguishedName&);
 
         /**
          * Performs an exact match. The order of the RDN components is important.
          */
-        friend ICESSL_API bool operator<(const DistinguishedName&, const DistinguishedName&);
+        friend ICE_API bool operator<(const DistinguishedName&, const DistinguishedName&);
 
         /**
          * Performs a partial match with another DistinguishedName.
@@ -300,9 +293,8 @@ namespace IceSSL
 
     /**
      * Represents an X509 Certificate extension.
-     * \headerfile IceSSL/IceSSL.h
      */
-    class ICESSL_API X509Extension
+    class ICE_API X509Extension
     {
     public:
         /**
@@ -331,9 +323,8 @@ namespace IceSSL
     /**
      * This convenience class is a wrapper around a native certificate.
      * The interface is inspired by java.security.cert.X509Certificate.
-     * \headerfile IceSSL/IceSSL.h
      */
-    class ICESSL_API Certificate : public std::enable_shared_from_this<Certificate>
+    class ICE_API Certificate : public std::enable_shared_from_this<Certificate>
     {
     public:
         /**
@@ -394,7 +385,7 @@ namespace IceSSL
          * <b>KEY_USAGE_ENCIPHER_ONLY</b> and <b>KEY_USAGE_DECIPHER_ONLY</b> can be used to check what
          * key usage bits are set.
          */
-        unsigned int getKeyUsage() const;
+        virtual unsigned int getKeyUsage() const = 0;
 
         /**
          * Returns the value of the extended key usage extension. The flags <b>EXTENDED_KEY_USAGE_ANY_KEY_USAGE</b>,
@@ -403,7 +394,7 @@ namespace IceSSL
          * <b>EXTENDED_KEY_USAGE_TIME_STAMPING</b> and <b>EXTENDED_KEY_USAGE_OCSP_SIGNING</b> can be used to check what
          * extended key usage bits are set.
          */
-        unsigned int getExtendedKeyUsage() const;
+        virtual unsigned int getExtendedKeyUsage() const = 0;
 
         /**
          * Obtains the not-after validity time.
@@ -513,33 +504,6 @@ namespace IceSSL
          */
         static CertificatePtr decode(const std::string& str);
     };
-
-    /**
-     * Represents the IceSSL plug-in object.
-     * \headerfile IceSSL/IceSSL.h
-     */
-    class ICESSL_API Plugin : public Ice::Plugin
-    {
-    public:
-        virtual ~Plugin();
-
-        /**
-         * Load the certificate from a file. The certificate must use the
-         * PEM encoding format.
-         * @param file The certificate file.
-         * @throws CertificateReadException if the file cannot be read.
-         */
-        virtual CertificatePtr load(const std::string& file) const = 0;
-
-        /**
-         * Decode a certificate from a string that uses the PEM encoding
-         * format.
-         * @param str A string containing the encoded certificate.
-         * @throws CertificateEncodingException if an error occurs.
-         */
-        virtual CertificatePtr decode(const std::string& str) const = 0;
-    };
-    using PluginPtr = std::shared_ptr<Plugin>;
 }
 
 #endif

cpp/include/IceSSL/ConnectionInfo.h

@@ -5,9 +5,9 @@
 #ifndef ICESSL_CONNECTION_INFO_H
 #define ICESSL_CONNECTION_INFO_H
 
+#include "Certificate.h"
 #include "ConnectionInfoF.h"
 #include "Ice/Connection.h"
-#include "Plugin.h"
 
 #if defined(__clang__)
 #    pragma clang diagnostic push
@@ -20,8 +20,7 @@
 namespace IceSSL
 {
     /**
-     * Provides access to the connection details of an SSL connection
-     * \headerfile IceSSL/IceSSL.h
+     * Provides access to the connection details of an SSL connection.
      */
     class ConnectionInfo : public Ice::ConnectionInfo
     {
@@ -68,6 +67,9 @@ namespace IceSSL
          * The certificate chain verification status.
          */
         bool verified;
+
+        TrustError errorCode;
+        std::string host;
     };
 }
 

cpp/include/IceSSL/EndpointInfo.h

@@ -19,7 +19,6 @@ namespace IceSSL
 {
     /**
      * Provides access to an SSL endpoint information.
-     * \headerfile IceSSL/IceSSL.h
      */
     class EndpointInfo : public Ice::EndpointInfo
     {