Use the platform native APIs with C++ SSL transport

cpp/include/Ice/Certificate.h

@@ -18,58 +18,6 @@
 
 namespace IceSSL
 {
-    /**
-     * The reason for an IceSSL certificate verification failure.
-     */
-    enum class TrustError : std::uint8_t
-    {
-        /** The certification verification succeed  */
-        NoError = 0,
-        /** The certificate chain length is greater than the specified maximum depth **/
-        ChainTooLong,
-        /** The X509 chain is invalid because a certificate has excluded a name constraint **/
-        HasExcludedNameConstraint,
-        /** The certificate has an undefined name constraint **/
-        HasNonDefinedNameConstraint,
-        /** The certificate has a non permitted name constraint **/
-        HasNonPermittedNameConstraint,
-        /** The certificate does not support a critical extension **/
-        HasNonSupportedCriticalExtension,
-        /** The certificate does not have a supported name constraint or has a name constraint that is unsupported **/
-        HasNonSupportedNameConstraint,
-        /** A host name mismatch has occurred **/
-        HostNameMismatch,
-        /** The X509 chain is invalid due to invalid basic constraints **/
-        InvalidBasicConstraints,
-        /** The X509 chain is invalid due to an invalid extension **/
-        InvalidExtension,
-        /** The X509 chain is invalid due to invalid name constraints **/
-        InvalidNameConstraints,
-        /** The X509 chain is invalid due to invalid policy constraints **/
-        InvalidPolicyConstraints,
-        /** The supplied certificate cannot be used for the specified purpose **/
-        InvalidPurpose,
-        /** The X509 chain is invalid due to an invalid certificate signature **/
-        InvalidSignature,
-        /** The X509 chain is not valid due to an invalid time value, such as a value that indicates an expired
-            certificate **/
-        InvalidTime,
-        /** The certificate is explicitly not trusted **/
-        NotTrusted,
-        /** The X509 chain could not be built up to the root certificate **/
-        PartialChain,
-        /** It is not possible to determine whether the certificate has been revoked **/
-        RevocationStatusUnknown,
-        /** The X509 chain is invalid due to a revoked certificate **/
-        Revoked,
-        /** The X509 chain is invalid due to an untrusted root certificate **/
-        UntrustedRoot,
-        /** The X509 chain is invalid due to other unknown failure **/
-        UnknownTrustFailure,
-    };
-
-    ICE_API std::string getTrustErrorDescription(TrustError);
-
     /**
      * The key usage "digitalSignature" bit is set
      */

cpp/include/Ice/ClientAuthenticationOptions.h

@@ -0,0 +1,106 @@
+//
+// Copyright (c) ZeroC, Inc. All rights reserved.
+//
+
+#ifndef ICE_CLIENT_AUTHENTICATION_OPTIONS_H
+#define ICE_CLIENT_AUTHENTICATION_OPTIONS_H
+
+#include "SSLConnectionInfo.h"
+
+#include <functional>
+
+#if defined(_WIN32)
+// We need to include windows.h before wincrypt.h.
+// clang-format off
+#    ifndef NOMINMAX
+#        define NOMINMAX
+#    endif
+#    include <windows.h>
+#    include <wincrypt.h>
+// clang-format on
+// SECURITY_WIN32 or SECURITY_KERNEL, must be defined before including security.h indicating who is compiling the code.
+#    ifdef SECURITY_WIN32
+#        undef SECURITY_WIN32
+#    endif
+#    ifdef SECURITY_KERNEL
+#        undef SECURITY_KERNEL
+#    endif
+#    define SECURITY_WIN32 1
+#    include <schannel.h>
+#    include <security.h>
+#    include <sspi.h>
+#    undef SECURITY_WIN32
+#elif defined(__APPLE__)
+#    include <Security/SecureTransport.h>
+#    include <Security/Security.h>
+#else
+#    include <openssl/ssl.h>
+#endif
+
+namespace Ice::SSL
+{
+    /**
+     * The SSL configuration properties for client connections.
+     */
+    struct ClientAuthenticationOptions
+    {
+#if defined(_WIN32)
+        /**
+         * The credentials handler to configure SSL client connections on Windows. When set the SSL transport would
+         * ignore all the IceSSL configuration properties and use the provided credentials handle.
+         *
+         * [See Schannel
+         * Credentials](https://learn.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-sch_credentials).
+         */
+        CredHandle clientCredentials;
+
+        /**
+         * A callback that allows selecting the credentials based on the target server's host name. When the
+         * callback is set it has preference over the credentials set in clientCredentials.
+         */
+        std::function<CredHandle(const std::string& host)> clientCredentialsSelectionCallback;
+
+        /**
+         * A callback that allows to manually validate the server certificate during SSL handshake on Windows. When the
+         * callback is not provided the server certificate will be validated using the platform default validation
+         * mechanism.
+         *
+         * @param context A security context is an opaque data structure that contains security data relevant to the
+         * current connection.
+         * @return true if the certificate is valid, false otherwise.
+         *
+         * [See Manually Validating Schannel
+         * Credentials](https://learn.microsoft.com/en-us/windows/win32/secauthn/manually-validating-schannel-credentials).
+         */
+        std::function<bool(CtxtHandle context, const IceSSL::ConnectionInfoPtr& info)>
+            serverCertificateValidationCallback;
+#elif defined(__APPLE__)
+        // The client's certificate chain.
+        CFArrayRef clientCertificateChain;
+
+        // A callback that allows selecting a certificate chain based on the target server's host name. When the
+        // callback is set it has preference over a certificate chain set in clientCertificateChain.
+        std::function<CFArrayRef(const std::string& host)> clientCertificateSelectionCallback;
+
+        // The trusted root certificates. If set, the server's certificate chain is validated against these
+        // certificates. If not set the system's root certificates are used.
+        CFArrayRef trustedRootCertificates;
+
+        // A callback that allows validating the server certificate chain. When set trustedRootCertificates are
+        // not used.
+        std::function<bool(SecTrustRef trust, const IceSSL::ConnectionInfoPtr& info)>
+            serverCertificateValidationCallback;
+
+        // A callback that is called before ssl handshake is started. The callback can be used to set additional SSL
+        // context parameters.
+        std::function<void(SSLContextRef)> sslContextSetup;
+#else
+        SSL_CTX* sslContext;
+        std::function<int(int, X509_STORE_CTX*, const IceSSL::ConnectionInfoPtr& info)>
+            serverCertificateVerificationCallback;
+        std::function<void(::SSL* ssl, const std::string& host)> sslNewSessionCallback;
+#endif
+    };
+}
+
+#endif

cpp/include/Ice/Communicator.h

@@ -15,6 +15,7 @@
 #include "Plugin.h"
 #include "Properties.h"
 #include "Proxy.h"
+#include "ServerAuthenticationOptions.h"
 
 #ifdef ICE_SWIFT
 #    include <dispatch/dispatch.h>
@@ -141,12 +142,15 @@ namespace Ice
          * communicator as is used by the adapter. Attempts to create a named object adapter for which no configuration
          * can be found raise InitializationException.
          * @param name The object adapter name.
+         * @param serverAuthenticationOptions The SSL configuration properties for server connections.
          * @return The new object adapter.
          * @see #createObjectAdapterWithEndpoints
          * @see ObjectAdapter
          * @see Properties
          */
-        ObjectAdapterPtr createObjectAdapter(const std::string& name);
+        ObjectAdapterPtr createObjectAdapter(
+            const std::string& name,
+            const std::optional<SSL::ServerAuthenticationOptions>& serverAuthenticationOptions = std::nullopt);
 
         /**
          * Create a new object adapter with endpoints. This operation sets the property
@@ -155,12 +159,16 @@ namespace Ice
          * name.
          * @param name The object adapter name.
          * @param endpoints The endpoints for the object adapter.
+         * @param serverAuthenticationOptions The SSL configuration properties for server connections.
          * @return The new object adapter.
          * @see #createObjectAdapter
          * @see ObjectAdapter
          * @see Properties
          */
-        ObjectAdapterPtr createObjectAdapterWithEndpoints(const std::string& name, const std::string& endpoints);
+        ObjectAdapterPtr createObjectAdapterWithEndpoints(
+            const std::string& name,
+            const std::string& endpoints,
+            const std::optional<SSL::ServerAuthenticationOptions>& serverAuthenticationOptions = std::nullopt);
 
         /**
          * Create a new object adapter with a router. This operation creates a routed object adapter.

cpp/include/Ice/Ice.h

@@ -20,6 +20,7 @@
 // We don't need to see the following headers when building the generated code.
 
 #    include "Certificate.h"
+#    include "ClientAuthenticationOptions.h"
 #    include "Communicator.h"
 #    include "Connection.h"
 #    include "IconvStringConverter.h"
@@ -38,6 +39,7 @@
 #    include "SSLConnectionInfo.h"
 #    include "SSLEndpointInfo.h"
 #    include "ServantLocator.h"
+#    include "ServerAuthenticationOptions.h"
 #    include "SlicedData.h"
 #    include "StringConverter.h"
 #    include "UUID.h"

cpp/include/Ice/Initialize.h

@@ -6,6 +6,7 @@
 #define ICE_INITIALIZE_H
 
 #include "BatchRequest.h"
+#include "ClientAuthenticationOptions.h"
 #include "CommunicatorF.h"
 #include "Connection.h"
 #include "Ice/BuiltinSequences.h"
@@ -330,6 +331,12 @@ namespace Ice
          * The value factory manager.
          */
         ValueFactoryManagerPtr valueFactoryManager;
+
+        /**
+         * The authentication options for SSL client connections. When set, the SSL transport ignores all IceSSL
+         * configuration properties and uses the provided options.
+         */
+        std::optional<SSL::ClientAuthenticationOptions> clientAuthenticationOptions;
     };
 
     /**

cpp/include/Ice/SSLConnectionInfo.h

@@ -33,43 +33,31 @@ namespace IceSSL
          * @param incoming Whether or not the connection is an incoming or outgoing connection.
          * @param adapterName The name of the adapter associated with the connection.
          * @param connectionId The connection id.
-         * @param cipher The negotiated cipher suite.
          * @param certs The certificate chain.
-         * @param verified The certificate chain verification status.
+         * @param host The host name.
          */
         ConnectionInfo(
             const Ice::ConnectionInfoPtr& underlying,
             bool incoming,
             const std::string& adapterName,
             const std::string& connectionId,
-            const std::string& cipher,
             const std::vector<CertificatePtr>& certs,
-            bool verified)
+            const std::string& host)
             : Ice::ConnectionInfo(underlying, incoming, adapterName, connectionId),
-              cipher(cipher),
               certs(certs),
-              verified(verified)
+              host(host)
         {
         }
 
         ConnectionInfo(const ConnectionInfo&) = delete;
         ConnectionInfo& operator=(const ConnectionInfo&) = delete;
 
-        /**
-         * The negotiated cipher suite.
-         */
-        std::string cipher;
         /**
          * The certificate chain.
          */
         std::vector<CertificatePtr> certs;
-        /**
-         * The certificate chain verification status.
-         */
-        bool verified;
-
-        TrustError errorCode;
         std::string host;
+        std::string desc;
     };
 }