ICESSL使用备忘

1、任何ICE的程序如果试图使用SSL的安全连接,那么对应的应用必须加载SSL插件
2、配置程序在启动过程中加载SSL插件:
   Ice.Plugin.IceSSL=IceSSL:createIceSSL
   IceSSL.DefaultDir=/opt/certs
   IceSSL.CertFile=pubkey.pem
   IceSSL.KeyFile=privkey.pem
   IceSSL.CertAuthFile=ca.pem
   IceSSL.Password=password
   Ice.Override.Secure=1
3、程序中获取ssl插件对象:
   // Look up the IceSSL plug-in through the communicator's plug-in manager.
   Ice::PluginManagerPtr pluginMgr = communicator->getPluginManager();
   // dynamicCast yields a null handle when the plug-in registered under "IceSSL"
   // is not the IceSSL plug-in; real code should check sslPlugin before using it.
   IceSSL::PluginPtr sslPlugin =
       IceSSL::PluginPtr::dynamicCast(pluginMgr->getPlugin("IceSSL"));
4、设置自定义的SSL证书校验器(CertificateVerifier):
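   // Custom peer-certificate check hooked into IceSSL via setCertificateVerifier().
   // This example accepts a connection only when the issuer DN of the first
   // certificate in nativeCerts contains "zeroc" (case-insensitive).
   //
   // NOTE(review): a substring test on the issuer name demonstrates the hook,
   // it is not an identity check -- any certificate whose issuer DN happens to
   // contain the token passes. Production code should compare the full issuer
   // and subject DN (or the subject alternative names) against the expected
   // peer. Whether this verifier runs in addition to IceSSL's built-in chain
   // validation depends on IceSSL.VerifyPeer -- confirm for your configuration.
   class Verifier : public IceSSL::CertificateVerifier
   {
   public:
       // Called by IceSSL for each new SSL connection.
       // @param info  connection information; info.nativeCerts holds
       //              CertificatePtr smart pointers (see NativeConnectionInfo),
       //              so certificate members are reached with "->".
       // @return true to accept the connection, false to reject it.
       virtual bool verify(const IceSSL::NativeConnectionInfo& info)
       {
           if (info.nativeCerts.empty())
           {
               // No peer certificate was presented: reject.
               return false;
           }
           // nativeCerts[0] is presumably the peer's own (end-entity)
           // certificate -- confirm the chain order against the IceSSL docs.
           std::string dn = info.nativeCerts[0]->getIssuerDN();
           std::transform(dn.begin(), dn.end(), dn.begin(), toLowerAscii);
           return dn.find("zeroc") != std::string::npos;
       }

   private:
       // ::tolower takes an int in the range of unsigned char (or EOF); feeding
       // it a negative plain char, as transform(..., ::tolower) does for
       // non-ASCII bytes, is undefined behaviour. Widen through unsigned char.
       static char toLowerAscii(char c)
       {
           return static_cast<char>(::tolower(static_cast<unsigned char>(c)));
       }
   };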
   // Register the verifier with the plug-in; it is kept alive through the
   // plug-in's smart-pointer handle.
   IceSSL::CertificateVerifierPtr verifier = new Verifier;
   sslPlugin->setCertificateVerifier(verifier);
5、在NativeConnectionInfo中包含了对应的SSL证书信息(nativeCerts的元素是CertificatePtr智能指针,须用->访问证书成员),其结构如下:
   // Connection information handed to CertificateVerifier::verify().
   class NativeConnectionInfo : public ConnectionInfo 
   {
   public:
       // Peer certificates as reference-counted handles (CertificatePtr), so
       // members of an element are accessed with "->". Presumably ordered with
       // the peer's own certificate first -- confirm against the IceSSL docs.
       std::vector<CertificatePtr> nativeCerts;
   };   
   
   // Reference-counted wrapper around an X.509 certificate (IceSSL::Certificate,
   // declaration only as quoted in this memo).
   class Certificate : public IceUtil::Shared
   {
   public:
      // Wraps an OpenSSL X509 handle. Note the constructor is not explicit.
      Certificate(X509*);
      // Factories: load() takes a file path, decode() a certificate string
      // (presumably PEM, the inverse of encode()) -- confirm the expected format.
      static CertificatePtr load(const string&);
      static CertificatePtr decode(const string&);
      bool operator==(const Certificate&) const;
      bool operator!=(const Certificate&) const;
      PublicKeyPtr getPublicKey() const;
      // Checks this certificate's signature against the given public key.
      bool verify(const PublicKeyPtr&) const;
      string encode() const;
      // Validity window: the no-argument form presumably checks against the
      // current time, the other against the given time -- confirm.
      bool checkValidity() const;
      bool checkValidity(const IceUtil::Time&) const;
      IceUtil::Time getNotAfter() const;
      IceUtil::Time getNotBefore() const;
      string getSerialNumber() const;
      // Issuer / subject names; DistinguishedName converts to a string in the
      // verifier example above.
      DistinguishedName getIssuerDN() const;
      vector<pair<int, string> > getIssuerAlternativeNames();
      DistinguishedName getSubjectDN() const;
      // Subject alternative names as (type, value) pairs -- the usual place to
      // match a peer's DNS name or IP rather than the issuer DN.
      vector<pair<int, string> > getSubjectAlternativeNames();
      int getVersion() const;
      string toString() const;
      // Underlying OpenSSL handle; ownership stays with this object.
      X509* getCert() const;
   };
6、动态密码的设置(设置属性Ice.InitPlugins=0以推迟插件初始化;需从IceSSL::PasswordPrompt派生一个实现getPassword()的类,即下面代码中的Prompt,并在initializePlugins()之前注册)
   // Callback interface used when IceSSL needs the private-key password, as an
   // alternative to a plain-text IceSSL.Password setting. The application
   // derives a concrete class from it and registers an instance with
   // setPasswordPrompt() before initializePlugins().
   class PasswordPrompt : public IceUtil::Shared
   {
   public:
       // Return the password; invoked by the plug-in when the key is loaded.
       virtual std::string getPassword() = 0;
   };
   
   // With Ice.InitPlugins=0 the plug-ins are loaded but not yet initialized,
   // so the prompt can be installed before the key file is opened.
   Ice::PluginManagerPtr pluginMgr = communicator->getPluginManager();
   IceSSL::PluginPtr sslPlugin =
       IceSSL::PluginPtr::dynamicCast(pluginMgr->getPlugin("IceSSL"));
   // Prompt is the application's subclass of IceSSL::PasswordPrompt.
   sslPlugin->setPasswordPrompt(new Prompt);
   // Now finish initialization; the plug-in asks the prompt for the password.
   pluginMgr->initializePlugins();
7、证书的申请创建(注意设置环境变量ICE_CA_HOME)
   python iceca init [--no-password] [--overwrite]
   python iceca request [--overwrite] [--no-password] file common-name [email]
   python iceca sign [--overwrite] --in <req> --out <cert> [--ip <ip> --dns <dns>]
