static bool MyServerCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
{
// Check if there are any errors.
bool ok = errors.Equals(SslPolicyErrors.None);
//this.AddLogEntry(string.Format("SSL Authentication was {0} successful", (ok ? "" : "NOT ")));
// We decide to allow communication with the server even if it isn't authenticated (not recommended).
return true;
}
static bool MyServerCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
{
// Check if there are any errors.
bool ok = errors.Equals(SslPolicyErrors.None);
//this.AddLogEntry(string.Format("SSL Authentication was {0} successful", (ok ? "" : "NOT ")));
// We decide to allow communication with the server even if it isn't authenticated (not recommended).
return(true);
}
static bool CertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors.Equals(SslPolicyErrors.RemoteCertificateChainErrors))
{
return(true);
}
Console.WriteLine(sslPolicyErrors);
return(false);
}
private bool ValidateServerCertificate(
object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == SslPolicyErrors.None)
{
// we can perform additional certificate checks here
return(true);
}
// Do not allow this client to communicate with unauthenticated servers.
// log the certificate error into the error log.
var s = "SSL certificate error: ";
s += sslPolicyErrors;
if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
{
// if name mismatch error is reported, and the stored name is not empty
// then the remote certificate is not acceptable.
string s2 = "CN=";
s2 += Certificate.Name.ToUpper();
s = certificate.Subject.ToUpper();
if (Certificate.Name.Length != 0 && (!s.Contains(s2)))
{
Console.WriteLine("SSL certificate name " + certificate.Subject + " unexpected with given certificate " + Certificate.Name + ". Rejecting ...");
return(false);
}
}
if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0)
{
// if there is a certificate chain error, then we accept the certificate
// if its hash matches what we expect, or if stored hash is "-"
s = certificate.GetCertHashString();
if (s != null)
{
if ((!s.Equals(Certificate.Hash, StringComparison.OrdinalIgnoreCase)) && Certificate.Hash.Length != 0)
{
Console.WriteLine("SSL certificate hash " + s + " unexpected with given hash " + Certificate.Hash + ". Rejecting ...");
return(false);
}
}
}
return(true);
}
private static bool certValidationCallback(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
{
if (errors.Equals(SslPolicyErrors.None))
{
return(true);
}
lock (rejectedCerts) {
if (rejectedCerts.Contains(certificate.GetCertHashString()))
{
return(false);
}
if (allowedCerts.Contains(certificate.GetCertHashString()))
{
return(true);
}
// PLVS-117: search for installed certs. If found, allow it, whether issuer is kosher or not
// (this lets self-signed certs be treated as good enough)
X509Store store = new X509Store();
try {
store.Open(OpenFlags.ReadOnly);
if (store.Certificates.Cast <X509Certificate2>().Any(cert => cert.Equals(certificate)))
{
X509Certificate2 c2 = new X509Certificate2(certificate);
if (DateTime.Now.CompareTo(c2.NotBefore) >= 0 && DateTime.Now.CompareTo(c2.NotAfter) <= 0)
{
allowedCerts.Add(certificate.GetCertHashString());
return(true);
}
}
} finally {
store.Close();
}
BadCertificateDialog dlg = new BadCertificateDialog(sender, new X509Certificate2(certificate));
bool result = false;
AtlassianPanel.Instance.safeInvoke(new MethodInvoker(() => {
if (dlg.ShowDialog(AtlassianPanel.Instance) != DialogResult.Yes)
{
rejectedCerts.Add(certificate.GetCertHashString());
result = false;
}
else
{
allowedCerts.Add(certificate.GetCertHashString());
result = true;
}
}));
return(result);
}
}
public bool AppCertificateValidation(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors.Equals(SslPolicyErrors.RemoteCertificateNotAvailable))
{
logger.Log(this, "Remote certificate not available.", true);
return(false);
}
if (!X509Certificate2Utils.ExportToPem(certificate).Equals(acceptedPublicKey))
{
logger.Log(this, $"Remote certificate has other public key.\n{X509Certificate2Utils.ExportToPem(certificate)}", true);
return(false);
}
return(true);
}
//The following validation function was based on https://github.com/kubernetes-client/csharp repository implementation.
private bool ServerCertificateValidationCallback(object sender, X509Certificate x509Certificate, X509Chain x509Chain, SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors.Equals(SslPolicyErrors.None))
{
return(true); //No errors.
}
if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) > 0)
{
x509Chain.ChainPolicy.ExtraStore.Add(_caCertificate); //CA Kube Cert.
x509Chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority; //Allow not Store added CAs.
return(x509Chain.Build((X509Certificate2)x509Certificate)); //Builds and checks the certificate chain is guaranteed by some CA.
}
return(false); //Some error.
}
/// <summary>
/// Validates the web certificates.
/// </summary>
/// <returns>
/// <c>true</c>, if web certificates was validated, <c>false</c> otherwise.
/// </returns>
/// <param name='sender'>
/// <c>Object</c> usually parsed as WebRequest or HttpWebRequest.
/// </param>
/// <param name='endCert'>
/// Certificate consumed in the request.
/// </param>
/// <param name='chain'>
/// Certificate chain total or partial.
/// </param>
/// <param name='Errors'>
/// Policy errors found during the chain build process.
/// </param>
public static bool ValidateWebCertificates(Object sender, System.Security.Cryptography.X509Certificates.X509Certificate endCert, System.Security.Cryptography.X509Certificates.X509Chain chain, SslPolicyErrors Errors)
{
var request = sender as WebRequest;
string requestUri = request.RequestUri.ToString();
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation");
bool bErrorsFound = false;
try {
X509Certificate BCCert = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(endCert);
if (!CertificateIsTheSame(BCCert))
{
chain.Build(new System.Security.Cryptography.X509Certificates.X509Certificate2(endCert.GetRawCertData()));
if (Errors.Equals(SslPolicyErrors.None))
{
if (chain == null || chain.ChainElements == null || chain.ChainElements.Count == 0)
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Chain is empty");
bErrorsFound = true;
}
else
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Chain Element count: " + chain.ChainElements.Count);
}
if (CertIsSelfSigned(BCCert))
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. End Certificate is Self Signed");
bErrorsFound = true;
}
else
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. End Certificate NOT Self Signed");
}
if (ValidateFingerprints)
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. VALIDATING Fingerprint");
if (!VerifyFingerprint(endCert, requestUri))
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Invalid Fingerprint");
bErrorsFound = true;
}
else
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Valid Fingerprint");
}
}
else
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. DO NOT validate Fingerprint");
}
/*foreach (System.Security.Cryptography.X509Certificates.X509ChainElement cert in chain.ChainElements) {
* X509Certificate BCCerto = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate (cert.Certificate);
* if(CertIsSelfSigned(BCCerto)){
* SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** SELF SIGNED Certificate: CERT NAME " + BCCerto.SubjectDN.ToString() + " ;ID = " + BCCerto.SerialNumber);
* if(cert.Certificate.SerialNumber.Equals(chain.ChainElements[chain.ChainElements.Count-1].Certificate.SerialNumber)){
* string[] stringSeparators = new string[] {";"};
* string[] valids = _VALIDROOTAUTHORITIES.Split(stringSeparators, StringSplitOptions.RemoveEmptyEntries);
* foreach(String validRoot in valids){
* SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** SELF SIGNED Certificate check ["+validRoot+"]: "+cert.Certificate.SerialNumber+":"+chain.ChainElements[chain.ChainElements.Count-1].Certificate.SerialNumber);
* if(BCCerto.SubjectDN.ToString().Contains(validRoot)){
* bErrorsFound = false;
* } else {
* bErrorsFound = true;
* }
* }
* }else {
* bErrorsFound = true;
* }
*
*
* }else{
* SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** CERT NAME " + BCCerto.SubjectDN.ToString() + " ;ID = " + BCCerto.SerialNumber);
* }
*
* if(!CertIsValidNow(BCCerto)) bErrorsFound = true;
* }*/
//if (chain.ChainElements.Count > 1 && !VerifyCertificateOCSP(chain)) bCertIsOk = true;
//if (chain.ChainElements.Count > 1) bCertIsOk = true;
// DO NOT check OCSP revocation URLs. The time consuming this is expensive.
// TODO make this configurable and asynchronously in the case of enabled
// !VerifyCertificateOCSP(chain) ---> ASYNC
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** OCSP Verification (certificate revocation check) is DISABLED for this build");
if (!bErrorsFound)
{
myCertificateList.Add(BCCert.GetHashCode(), DateTime.Now);
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Valid Certificate");
return(true);
}
else
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Invalid Certificate");
return(false);
}
}
else if (Errors.Equals(SslPolicyErrors.RemoteCertificateChainErrors))
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation: Errors found in the certificate chain.");
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation: Checking chain status information for each element in the chain");
foreach (System.Security.Cryptography.X509Certificates.X509ChainElement element in chain.ChainElements)
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation: Checking chain element... " + element.Information);
if (chain.ChainStatus != null && chain.ChainStatus.Length >= 0)
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation: Chain Status array is not empty");
for (int index = 0; index < element.ChainElementStatus.Length; index++)
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation: chain element status: "
+ element.ChainElementStatus[index].Status);
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation: chain element status information: "
+ element.ChainElementStatus[index].StatusInformation);
}
}
}
}
else if (Errors.Equals(SslPolicyErrors.RemoteCertificateNameMismatch))
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation: The certificate contains errors.");
}
else if (Errors.Equals(SslPolicyErrors.RemoteCertificateNotAvailable))
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation: The certificate is not available");
}
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Policy Errors: " + Errors);
return(false);
}
else //Trusted certificate
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Trusted Certificate");
return(true);
}
} catch (Exception e) {
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation: Unhandled exception: " + e.Message);
return(false);
}
}
/// <summary>
/// Validates the web certificates.
/// </summary>
/// <returns>
/// <c>true</c>, if web certificates was validated, <c>false</c> otherwise.
/// </returns>
/// <param name='sender'>
/// <c>Object</c> usually parsed as WebRequest or HttpWebRequest.
/// </param>
/// <param name='endCert'>
/// Certificate consumed in the request.
/// </param>
/// <param name='chain'>
/// Certificate chain total or partial.
/// </param>
/// <param name='Errors'>
/// Policy errors found during the chain build process.
/// </param>
public static bool ValidateWebCertificates(Object sender, System.Security.Cryptography.X509Certificates.X509Certificate endCert, System.Security.Cryptography.X509Certificates.X509Chain chain, SslPolicyErrors Errors)
{
var request = sender as WebRequest;
string requestUri = request.RequestUri.ToString();
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation");
bool bErrorsFound = false;
try {
X509Certificate BCCert = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate (endCert);
if (!CertificateIsTheSame (BCCert)) {
chain.Build (new System.Security.Cryptography.X509Certificates.X509Certificate2 (endCert.GetRawCertData ()));
if(Errors.Equals(SslPolicyErrors.None))
{
if(chain== null || chain.ChainElements== null || chain.ChainElements.Count == 0){
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Chain is empty");
bErrorsFound = true;
}else
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Chain Element count: " + chain.ChainElements.Count);
if(CertIsSelfSigned(BCCert)){
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. End Certificate is Self Signed");
bErrorsFound = true;
}else
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. End Certificate NOT Self Signed");
if(ValidateFingerprints){
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. VALIDATING Fingerprint");
if(!VerifyFingerprint(endCert, requestUri)){
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Invalid Fingerprint");
bErrorsFound = true;
}else
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Valid Fingerprint");
}else{
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. DO NOT validate Fingerprint");
}
if(ValidatePublicKey){
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. VALIDATING Public Key");
if(!VerifyPublicKey(endCert, requestUri)){
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Invalid Public Key");
bErrorsFound = true;
}else
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Valid Public Key");
}else{
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. DO NOT validate Public Key");
}
/*foreach (System.Security.Cryptography.X509Certificates.X509ChainElement cert in chain.ChainElements) {
X509Certificate BCCerto = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate (cert.Certificate);
if(CertIsSelfSigned(BCCerto)){
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** SELF SIGNED Certificate: CERT NAME " + BCCerto.SubjectDN.ToString() + " ;ID = " + BCCerto.SerialNumber);
if(cert.Certificate.SerialNumber.Equals(chain.ChainElements[chain.ChainElements.Count-1].Certificate.SerialNumber)){
string[] stringSeparators = new string[] {";"};
string[] valids = _VALIDROOTAUTHORITIES.Split(stringSeparators, StringSplitOptions.RemoveEmptyEntries);
foreach(String validRoot in valids){
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** SELF SIGNED Certificate check ["+validRoot+"]: "+cert.Certificate.SerialNumber+":"+chain.ChainElements[chain.ChainElements.Count-1].Certificate.SerialNumber);
if(BCCerto.SubjectDN.ToString().Contains(validRoot)){
bErrorsFound = false;
} else {
bErrorsFound = true;
}
}
}else {
bErrorsFound = true;
}
}else{
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** CERT NAME " + BCCerto.SubjectDN.ToString() + " ;ID = " + BCCerto.SerialNumber);
}
if(!CertIsValidNow(BCCerto)) bErrorsFound = true;
}*/
//if (chain.ChainElements.Count > 1 && !VerifyCertificateOCSP(chain)) bCertIsOk = true;
//if (chain.ChainElements.Count > 1) bCertIsOk = true;
// DO NOT check OCSP revocation URLs. The time consuming this is expensive.
// TODO make this configurable and asynchronously in the case of enabled
// !VerifyCertificateOCSP(chain) ---> ASYNC
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** OCSP Verification (certificate revocation check) is DISABLED for this build");
if (!bErrorsFound) {
myCertificateList.Add (BCCert.GetHashCode(), DateTime.Now);
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Valid Certificate");
return true;
} else{
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Invalid Certificate");
return false;
}
}else if(Errors.Equals(SslPolicyErrors.RemoteCertificateChainErrors)){
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation: Errors found in the certificate chain.");
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation: Checking chain status information for each element in the chain");
foreach (System.Security.Cryptography.X509Certificates.X509ChainElement element in chain.ChainElements)
{
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation: Checking chain element... " + element.Information);
if (chain.ChainStatus!=null && chain.ChainStatus.Length >= 0)
{
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation: Chain Status array is not empty");
for (int index = 0; index < element.ChainElementStatus.Length; index++)
{
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation: chain element status: "
+ element.ChainElementStatus[index].Status);
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation: chain element status information: "
+ element.ChainElementStatus[index].StatusInformation);
}
}
}
}
else if(Errors.Equals(SslPolicyErrors.RemoteCertificateNameMismatch)){
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation: The certificate contains errors.");
}
else if(Errors.Equals(SslPolicyErrors.RemoteCertificateNotAvailable)){
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation: The certificate is not available");
}
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Policy Errors: " + Errors);
return false;
} else{ //Trusted certificate
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Trusted Certificate");
return true;
}
} catch (Exception e) {
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation: Unhandled exception: " + e.Message);
return false;
}
}
/// <summary>
/// Validates the web certificates.
/// </summary>
/// <returns>
/// <c>true</c>, if web certificates was validated, <c>false</c> otherwise.
/// </returns>
/// <param name='sender'>
/// <c>Object</c> usually parsed as WebRequest or HttpWebRequest.
/// </param>
/// <param name='endCert'>
/// Certificate consumed in the request.
/// </param>
/// <param name='chain'>
/// Certificate chain total or partial.
/// </param>
/// <param name='Errors'>
/// Policy errors found during the chain build process.
/// </param>
public static bool ValidateWebCertificates(Object sender, System.Security.Cryptography.X509Certificates.X509Certificate endCert, System.Security.Cryptography.X509Certificates.X509Chain chain, SslPolicyErrors Errors)
{
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation");
try {
X509Certificate BCCert = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate (endCert);
if (!CertificateIsTheSame (BCCert)) {
chain.Build (new System.Security.Cryptography.X509Certificates.X509Certificate2 (endCert.GetRawCertData ()));
if(Errors.Equals(SslPolicyErrors.None))
{
if(chain== null || chain.ChainElements== null || chain.ChainElements.Count==0)
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Chain is empty");
bool bCertIsOk = false;
if (CertIsValidNow (BCCert))
if (chain.ChainElements.Count > 1 && !VerifyCertificateOCSP(chain)) bCertIsOk = true;
if (bCertIsOk) {
myCertificateList.Add (BCCert.GetHashCode(), DateTime.Now);
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Valid Certificate");
return true;
} else{
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Invalid Certificate");
return false;
}
}else if(Errors.Equals(SslPolicyErrors.RemoteCertificateChainErrors)){
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation: Errors found in the certificate chain.");
}
else if(Errors.Equals(SslPolicyErrors.RemoteCertificateNameMismatch)){
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation: The certificate contains errors.");
}
else if(Errors.Equals(SslPolicyErrors.RemoteCertificateNotAvailable)){
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation: The certificate is not available");
}
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Policy Errors: " + Errors);
return false;
} else{ //Trusted certificate
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Trusted Certificate");
return true;
}
} catch (Exception e) {
SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation: Unhandled exception: " + e.Message);
return false;
}
}
