public Task <X509Certificate2?> LoadAsync(string name, string certificatePassword, CancellationToken cancellationToken)
{
var certs = _store.Certificates.Find(
X509FindType.FindBySubjectDistinguishedName,
"CN=" + name,
validOnly: !_options.AllowInvalidCerts);
if (certs == null || certs.Count == 0)
{
return(Task.FromResult <X509Certificate2>(null));
}
if (_logger.IsEnabled(LogLevel.Trace))
{
foreach (var cert in certs)
{
_logger.LogTrace("Found certificate {subject}", cert.SubjectName.Name);
}
}
X509Certificate2?certWithMostTtl = null;
foreach (var cert in certs)
{
if (certWithMostTtl == null || cert.NotAfter > certWithMostTtl.NotAfter)
{
certWithMostTtl = cert;
}
}
return(Task.FromResult(certWithMostTtl));
}
public X509Certificate2?GetCertificate(string domainName)
{
var certs = _store.Certificates.Find(
X509FindType.FindBySubjectDistinguishedName,
"CN=" + domainName,
validOnly: !AllowInvalidCerts);
if (certs == null || certs.Count == 0)
{
return(null);
}
if (_logger.IsEnabled(LogLevel.Trace))
{
foreach (var cert in certs)
{
_logger.LogTrace("Found certificate {subject}", cert.SubjectName.Name);
}
}
X509Certificate2?certWithMostTtl = null;
foreach (var cert in certs)
{
if (certWithMostTtl == null || cert.NotAfter > certWithMostTtl.NotAfter)
{
certWithMostTtl = cert;
}
}
return(certWithMostTtl);
}
private X509Certificate2?GetSignerCertificate(X509Certificate2Collection?extraCandidates)
{
Debug.Assert(_signerInfo != null, "_signerInfo != null");
X509Certificate2?signerCert = _signerInfo.Certificate;
if (signerCert != null)
{
if (CheckCertificate(signerCert, _signerInfo, in _essCertId, in _essCertIdV2, TokenInfo))
{
return(signerCert);
}
// SignedCms will not try another certificate in this state, so just fail.
return(null);
}
if (extraCandidates == null || extraCandidates.Count == 0)
{
return(null);
}
foreach (X509Certificate2 candidate in extraCandidates)
{
if (CheckCertificate(candidate, _signerInfo, in _essCertId, in _essCertIdV2, TokenInfo))
{
return(candidate);
}
}
return(null);
}
internal byte[]? DecryptCek(X509Certificate2?cert, RSA?privateKey, out Exception?exception)
{
ReadOnlyMemory <byte>?parameters = _asn.KeyEncryptionAlgorithm.Parameters;
string?keyEncryptionAlgorithm = _asn.KeyEncryptionAlgorithm.Algorithm;
switch (keyEncryptionAlgorithm)
{
case Oids.Rsa:
if (parameters != null &&
!parameters.Value.Span.SequenceEqual(s_rsaPkcsParameters))
{
exception = new CryptographicException(SR.Cryptography_Der_Invalid_Encoding);
return(null);
}
break;
case Oids.RsaOaep:
break;
default:
exception = new CryptographicException(
SR.Cryptography_Cms_UnknownAlgorithm,
_asn.KeyEncryptionAlgorithm.Algorithm);
return(null);
}
return(DecryptCekCore(cert, privateKey, _asn.EncryptedKey.Span, keyEncryptionAlgorithm, parameters, out exception));
}
public CmsSigner(SubjectIdentifierType signerIdentifierType, X509Certificate2?certificate, AsymmetricAlgorithm?privateKey)
{
switch (signerIdentifierType)
{
case SubjectIdentifierType.Unknown:
_signerIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber;
IncludeOption = X509IncludeOption.ExcludeRoot;
break;
case SubjectIdentifierType.IssuerAndSerialNumber:
_signerIdentifierType = signerIdentifierType;
IncludeOption = X509IncludeOption.ExcludeRoot;
break;
case SubjectIdentifierType.SubjectKeyIdentifier:
_signerIdentifierType = signerIdentifierType;
IncludeOption = X509IncludeOption.ExcludeRoot;
break;
case SubjectIdentifierType.NoSignature:
_signerIdentifierType = signerIdentifierType;
IncludeOption = X509IncludeOption.None;
break;
default:
_signerIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber;
IncludeOption = X509IncludeOption.ExcludeRoot;
break;
}
Certificate = certificate;
DigestAlgorithm = s_defaultAlgorithm.CopyOid();
PrivateKey = privateKey;
}
private bool StartAuthenticate(AsyncCallback callback, object state)
{
Debug.Assert(_sslStream != null);
try
{
_writeCallback = callback;
if (!_incoming)
{
//
// Client authentication.
//
_writeResult = _sslStream.BeginAuthenticateAsClient(_host,
_engine.Certs,
_engine.SslProtocols,
_engine.CheckCRL > 0,
WriteCompleted,
state);
}
else
{
//
// Server authentication.
//
// Get the certificate collection and select the first one.
//
X509Certificate2Collection?certs = _engine.Certs;
X509Certificate2? cert = null;
if (certs != null && certs.Count > 0)
{
cert = certs[0];
}
_writeResult = _sslStream.BeginAuthenticateAsServer(cert,
_verifyPeer > 0,
_engine.SslProtocols,
_engine.CheckCRL > 0,
WriteCompleted,
state);
}
}
catch (IOException ex)
{
if (Network.ConnectionLost(ex))
{
//
// This situation occurs when connectToSelf is called; the "remote" end
// closes the socket immediately.
//
throw new ConnectionLostException();
}
throw new TransportException(ex);
}
catch (AuthenticationException ex)
{
throw new TransportException(ex);
}
Debug.Assert(_writeResult != null);
return(_writeResult.CompletedSynchronously);
}
public async Task Start()
{
if (!_config.Model.SocketSettings.EnableHubSocket || _isRunning)
{
return;
}
try
{
_socketServer = new SocketServer(_logger);
X509Certificate2?cert = null;
if (!string.IsNullOrWhiteSpace(_config.Model.SocketSettings.SslCertLocation) && File.Exists(_config.Model.SocketSettings.SslCertLocation))
{
if (!string.IsNullOrWhiteSpace(_config.Model.SocketSettings.SslCertPassword))
{
cert = new X509Certificate2(_config.Model.SocketSettings.SslCertLocation, _config.Model.SocketSettings.SslCertPassword);
}
else
{
cert = new X509Certificate2(_config.Model.SocketSettings.SslCertLocation);
}
}
//Console.WriteLine($"Loaded X509Certificate2 {cert}");
await _socketServer.Start(_config.Model.SocketSettings.ListenIp.ToString(), _config.Model.SocketSettings.ListenPort, _config.Model.SocketSettings.AspnetConsoleLog, cert, _config.Model.SocketSettings.SslProtocol);
_socketServer.OnClientMessage += HandleClientCommand;
_isRunning = true;
}
catch (Exception ex)
{
//Console.WriteLine($"ex {ex}");
_ = Task.Run(() => { _logger?.WriteLog(ex.ToString()); });
}
}
public Connector(X509Certificate2Collection clientCertificates, X509Certificate2?trustedCertificateAuthority, bool verifyCertificateAuthority, bool verifyCertificateName)
{
_clientCertificates = clientCertificates;
_trustedCertificateAuthority = trustedCertificateAuthority;
_verifyCertificateAuthority = verifyCertificateAuthority;
_verifyCertificateName = verifyCertificateName;
}
private IApiClient GetApiClient(ITestConfigurationProvider testConfig)
{
if (TestConfig.GetBooleanValue("mockHttp").GetValueOrDefault(false))
{
MockHttpMessageHandler?mockHttp = new MockHttpMessageHandler();
OpenIdConfiguration?openIdConfigData = TestConfig.GetOpenBankingOpenIdConfiguration();
string?openIdConfig = JsonConvert.SerializeObject(openIdConfigData);
mockHttp.When(method: HttpMethod.Get, url: "https://issuer.com/.well-known/openid-configuration")
.Respond(mediaType: "application/json", content: openIdConfig);
mockHttp.When(method: HttpMethod.Get, url: "").Respond(mediaType: "application/json", content: "{}");
mockHttp.When(method: HttpMethod.Post, url: "").Respond(mediaType: "application/json", content: "{}");
HttpClient?client = mockHttp.ToHttpClient();
return(new ApiClient(instrumentation: Substitute.For <IInstrumentationClient>(), httpClient: client));
}
X509Certificate2?certificate = CertificateFactories.GetCertificate2FromPem(
privateKey: TestConfig.GetValue("transportcertificatekey"),
pem: TestConfig.GetValue("transportCertificate"));
HttpMessageHandler?handler = new HttpRequestBuilder()
.SetClientCertificate(certificate)
.CreateMessageHandler();
return(ApiClientFactory.CreateApiClient(handler));
}
public static void AddCertificateForwarding(WebApplicationBuilder builder)
{
// <snippet_AddCertificateForwarding>
builder.Services.AddCertificateForwarding(options =>
{
options.CertificateHeader = "X-SSL-CERT";
options.HeaderConverter = headerValue =>
{
X509Certificate2?clientCertificate = null;
if (!string.IsNullOrWhiteSpace(headerValue))
{
clientCertificate = new X509Certificate2(StringToByteArray(headerValue));
}
return(clientCertificate !);
static byte[] StringToByteArray(string hex)
{
var numberChars = hex.Length;
var bytes = new byte[numberChars / 2];
for (int i = 0; i < numberChars; i += 2)
{
bytes[i / 2] = Convert.ToByte(hex.Substring(i, 2), 16);
}
return(bytes);
}
};
});
private X509Certificate2 makeCertificate(string sSubjectCN,
bool switchToMTAIfNeeded, X509Certificate2?signingCertificate = null,
CancellationToken cancellationToken = default)
{
if (switchToMTAIfNeeded && Thread.CurrentThread.GetApartmentState() != ApartmentState.MTA)
{
return(Task.Run(() => makeCertificate(sSubjectCN, false, signingCertificate),
cancellationToken).Result);
}
// Subject
string fullSubject = $"CN={sSubjectCN}";
// Sig Algo
const string hashAlgo = "SHA256";
// Grace Days
const int graceDays = -366;
// ValiDays
const int validDays = 1825;
// KeyLength
const int keyLength = 2048;
var now = DateTime.UtcNow;
var graceTime = now.AddDays(graceDays);
var certificate = makeCertificate(sSubjectCN, fullSubject, keyLength, hashAlgo, graceTime,
now.AddDays(validDays), signingCertificate);
return(certificate);
}
public HttpsConnectionMiddleware(ConnectionDelegate next, HttpsConnectionAdapterOptions options, ILoggerFactory loggerFactory)
{
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
if (options.ServerCertificate == null && options.ServerCertificateSelector == null)
{
throw new ArgumentException(CoreStrings.ServerCertificateRequired, nameof(options));
}
_next = next;
_handshakeTimeout = options.HandshakeTimeout;
_logger = loggerFactory.CreateLogger <HttpsConnectionMiddleware>();
// Something similar to the following could allow us to remove more duplicate logic, but we need https://github.com/dotnet/runtime/issues/40402 to be fixed first.
//var sniOptionsSelector = new SniOptionsSelector("", new Dictionary<string, SniConfig> { { "*", new SniConfig() } }, new NoopCertificateConfigLoader(), options, options.HttpProtocols, _logger);
//_httpsOptionsCallback = SniOptionsSelector.OptionsCallback;
//_httpsOptionsCallbackState = sniOptionsSelector;
//_sslStreamFactory = s => new SslStream(s);
_options = options;
_options.HttpProtocols = ValidateAndNormalizeHttpProtocols(_options.HttpProtocols, _logger);
// capture the certificate now so it can't be switched after validation
_serverCertificate = options.ServerCertificate;
_serverCertificateSelector = options.ServerCertificateSelector;
// If a selector is provided then ignore the cert, it may be a default cert.
if (_serverCertificateSelector != null)
{
// SslStream doesn't allow both.
_serverCertificate = null;
}
else
{
Debug.Assert(_serverCertificate != null);
EnsureCertificateIsAllowedForServerAuth(_serverCertificate);
var certificate = _serverCertificate;
if (!certificate.HasPrivateKey)
{
// SslStream historically has logic to deal with certificate missing private keys.
// By resolving the SslStreamCertificateContext eagerly, we circumvent this logic so
// try to resolve the certificate from the store if there's no private key in the cert.
certificate = LocateCertificateWithPrivateKey(certificate);
}
// This might be do blocking IO but it'll resolve the certificate chain up front before any connections are
// made to the server
_serverCertificateContext = SslStreamCertificateContext.Create(certificate, additionalCertificates: null);
}
var remoteCertificateValidationCallback = _options.ClientCertificateMode == ClientCertificateMode.NoCertificate ?
(RemoteCertificateValidationCallback?)null : RemoteCertificateValidationCallback;
_sslStreamFactory = s => new SslStream(s, leaveInnerStreamOpen: false, userCertificateValidationCallback: remoteCertificateValidationCallback);
}
/// <summary>
/// Attempt to decrypt the CMS using the specified "cert". If successful, return the ContentInfo that contains the decrypted content. If unsuccessful, return null and set "exception"
/// to a valid Exception object. Do not throw the exception as EnvelopedCms will want to continue decryption attempts against other recipients. Only if all the recipients fail to
/// decrypt will then EnvelopedCms throw the exception from the last failed attempt.
/// </summary>
public abstract ContentInfo?TryDecrypt(
RecipientInfo recipientInfo,
X509Certificate2?cert,
AsymmetricAlgorithm?privateKey,
X509Certificate2Collection originatorCerts,
X509Certificate2Collection extraStore,
out Exception?exception);
internal SocketClient(ClientConfigurationData conf, DnsEndPoint server, string hostName, ILoggingAdapter logger)
{
_server = server;
if (conf.ClientCertificates != null)
{
_clientCertificates = conf.ClientCertificates;
}
if (conf.Authentication is AuthenticationTls tls)
{
_clientCertificates = tls.AuthData.TlsCertificates;
}
if (conf.TrustedCertificateAuthority != null)
{
_trustedCertificateAuthority = conf.TrustedCertificateAuthority;
}
_encrypt = conf.UseTls;
_serviceUrl = conf.ServiceUrl;
_clientConfiguration = conf;
_logger = logger;
_targetServerName = hostName;
//_heartbeat.Start();
//_connectonId = $"{_networkstream.}";
}
public async Task <Option <GrantedToken> > GetTokenByRefreshTokenGrantType(
RefreshTokenGrantTypeParameter refreshTokenGrantTypeParameter,
AuthenticationHeaderValue?authenticationHeaderValue,
X509Certificate2?certificate,
string issuerName,
CancellationToken cancellationToken)
{
// Read this RFC for more information
if (string.IsNullOrWhiteSpace(refreshTokenGrantTypeParameter.RefreshToken))
{
return(new ErrorDetails
{
Status = HttpStatusCode.BadRequest,
Title = ErrorCodes.InvalidRequest,
Detail = string.Format(
Strings.MissingParameter,
StandardTokenRequestParameterNames.RefreshToken)
});
}
return(await _getTokenByRefreshTokenGrantTypeAction.Execute(
refreshTokenGrantTypeParameter,
authenticationHeaderValue,
certificate,
issuerName,
cancellationToken).ConfigureAwait(false));
}
Task <X509Certificate2?> ITlsConnectionFeature.GetClientCertificateAsync(CancellationToken cancellationToken)
{
if (_clientCertTask != null)
{
return(_clientCertTask);
}
var tlsFeature = (ITlsConnectionFeature)this;
var clientCert = tlsFeature.ClientCertificate; // Lazy initialized
if (clientCert != null ||
Server.Options.ClientCertificateMethod != ClientCertificateMethod.AllowRenegotation
// Delayed client cert negotiation is not allowed on HTTP/2.
|| Request.ProtocolVersion >= HttpVersion.Version20)
{
return(_clientCertTask = Task.FromResult(clientCert));
}
return(_clientCertTask = GetCertificateAsync(cancellationToken));
async Task <X509Certificate2?> GetCertificateAsync(CancellationToken cancellation)
{
return(_clientCert = await Request.GetClientCertificateAsync(cancellation));
}
}
public async Task <Option <GrantedToken> > GetTokenByClientCredentialsGrantType(
ClientCredentialsGrantTypeParameter clientCredentialsGrantTypeParameter,
AuthenticationHeaderValue?authenticationHeaderValue,
X509Certificate2?certificate,
string issuerName,
CancellationToken cancellationToken)
{
if (string.IsNullOrWhiteSpace(clientCredentialsGrantTypeParameter.Scope))
{
return(new ErrorDetails
{
Status = HttpStatusCode.BadRequest,
Title = ErrorCodes.InvalidRequest,
Detail = string.Format(Strings.MissingParameter, StandardTokenRequestParameterNames.ScopeName)
});
}
// 1. Authenticate the client
var instruction = authenticationHeaderValue.GetAuthenticateInstruction(
clientCredentialsGrantTypeParameter,
certificate);
var authResult = await _authenticateClient.Authenticate(instruction, issuerName, cancellationToken)
.ConfigureAwait(false);
var client = authResult.Client;
if (client == null)
{
return(new ErrorDetails
{
Status = HttpStatusCode.BadRequest,
Title = ErrorCodes.InvalidClient,
Detail = authResult.ErrorMessage !
});
public X509Certificate2?GetCertificateByThumbprint(string thumbprint, bool refreshCache, StoreName storeName)
{
Validation.ThrowIfNullOrWhiteSpace(thumbprint, nameof(thumbprint));
X509Certificate2?matchingCertificate = null;
foreach (CertificateInformation info in LoadCertificates(storeName, refreshCache))
{
if (string.Equals(info.Certificate.Thumbprint, thumbprint, StringComparison.OrdinalIgnoreCase))
{
matchingCertificate = info.Certificate;
break;
}
}
if (matchingCertificate == null)
{
m_logger.LogError(Tag.Create(), "Could not find certificate with {0} thumbprint.", thumbprint);
}
else
{
m_logger.LogDebug(Tag.Create(), "Found certificate with {0} thumbprint.", thumbprint);
}
return(matchingCertificate);
}
internal static SslPolicyErrors VerifyCertificateProperties(
SafeDeleteContext securityContext,
X509Chain chain,
X509Certificate2?remoteCertificate,
bool checkCertName,
bool isServer,
string?hostName)
{
if (remoteCertificate == null)
{
return(SslPolicyErrors.RemoteCertificateNotAvailable);
}
SslPolicyErrors errors = chain.Build(remoteCertificate)
? SslPolicyErrors.None
: SslPolicyErrors.RemoteCertificateChainErrors;
if (checkCertName)
{
System.Diagnostics.Debug.Assert(hostName != null);
SafeDeleteSslContext sslContext = (SafeDeleteSslContext)securityContext;
if (!Interop.AndroidCrypto.SSLStreamVerifyHostname(sslContext.SslContext, hostName !))
{
errors |= SslPolicyErrors.RemoteCertificateNameMismatch;
}
}
return(errors);
}
public SafeFreeSslCredentials(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy)
: base(IntPtr.Zero, true)
{
Debug.Assert(
certificate == null || certificate is X509Certificate2,
"Only X509Certificate2 certificates are supported at this time");
X509Certificate2?cert = (X509Certificate2?)certificate;
if (cert != null)
{
Debug.Assert(cert.HasPrivateKey, "cert.HasPrivateKey");
// Make a defensive copy of the certificate. In some async cases the
// certificate can have been disposed before being provided to the handshake.
//
// This meshes with the Unix (OpenSSL) PAL, because it extracts the private key
// and cert handle (which get up-reffed) to match the API expectations.
cert = new X509Certificate2(cert);
Debug.Assert(cert.HasPrivateKey, "cert clone.HasPrivateKey");
}
Certificate = cert;
Protocols = protocols;
Policy = policy;
}
public HttpConnection(Socket sock, HttpEndPointListener epl, bool secure, X509Certificate cert)
{
_socket = sock;
_epl = epl;
_secure = secure;
_cert = cert;
if (secure == false)
{
_stream = new NetworkStream(sock, false);
}
else
{
#pragma warning disable CA5359
_sslStream = HttpListener.CreateSslStream(new NetworkStream(sock, false), false, (t, c, ch, e) =>
{
if (c == null)
{
return(true);
}
_clientCert = c as X509Certificate2 ?? new X509Certificate2(c.GetRawCertData());
_clientCertErrors = new int[] { (int)e };
return(true);
});
#pragma warning restore CA5359
_stream = _sslStream;
}
_timer = new Timer(OnTimeout, null, Timeout.Infinite, Timeout.Infinite);
_sslStream?.AuthenticateAsServer(_cert, true, (SslProtocols)ServicePointManager.SecurityProtocol, false);
Init();
}
public void GetCertificateByThumbprint_ReturnsCerts()
{
StoreName storeName = StoreName.CertificateAuthority;
X509Certificate2 expected = CreateCert("someName");
(ICertificateReader reader, Action <Times, string> verify) = CreateReader(
storeName,
CreateCert("dummyCert"),
expected,
CreateCert("anotherDummyCert")
);
X509Certificate2?actual = reader.GetCertificateByThumbprint(expected.Thumbprint, storeName: storeName);
X509Certificate2?actualFirstCall = reader.GetCertificateByThumbprint(expected.Thumbprint, storeName: storeName);
Assert.AreEqual(expected, actualFirstCall, "Fist call to GetCertificateByThumbprint returned wrong data");
verify(Times.Once(), "Certificate store should be called once to get certificates");
X509Certificate2?actualSecondCall = reader.GetCertificateByThumbprint(expected.Thumbprint, storeName: storeName);
Assert.AreEqual(expected, actualFirstCall, "Second call to GetCertificateByThumbprint returned wrong data");
verify(Times.Never(), "Certificate store should not be called when certificates taken from cache");
X509Certificate2?actualNoCacheCall = reader.GetCertificateByThumbprint(expected.Thumbprint, refreshCache: true, storeName: storeName);
Assert.AreEqual(expected, actualFirstCall, "Call of GetCertificateByThumbprint (without cache) returned wrong data");
verify(Times.Once(), "Certificate store should when cache not used");
X509Certificate2?missingCert = reader.GetCertificateByThumbprint(expected.Thumbprint + "9", storeName: storeName);
Assert.IsNull(missingCert, "GetCertificateByThumbprint should return null when certificate not found");
}
/// <summary>
/// Makes the certificate internal.
/// </summary>
/// <param name="subject">The s subject cn.</param>
/// <param name="switchToMtaIfNeeded">if set to <c>true</c> [switch to MTA if needed].</param>
/// <param name="signingCert">The signing cert.</param>
/// <returns>X509Certificate2.</returns>
private X509Certificate2 makeCertificateInternal(string subject,
bool switchToMtaIfNeeded, X509Certificate2?signingCert = null)
{
return(makeCertificateInternal(subject, $"CN={subject}",
DateTime.UtcNow.AddDays(-certificateGraceDays), DateTime.UtcNow.AddDays(certificateValidDays),
signingCert));
}
public async Task <Option <GrantedToken> > GetTokenByTicketId(
GetTokenViaTicketIdParameter parameter,
AuthenticationHeaderValue?authenticationHeaderValue,
X509Certificate2?certificate,
string issuerName,
CancellationToken cancellationToken)
{
if (string.IsNullOrWhiteSpace(parameter.Ticket))
{
_logger.LogError("Ticket is null or empty");
return(new ErrorDetails
{
Status = HttpStatusCode.BadRequest,
Title = ErrorCodes.InvalidRequest,
Detail = string.Format(Strings.MissingParameter, UmaConstants.RptClaims.Ticket)
});
}
var instruction = authenticationHeaderValue.GetAuthenticateInstruction(parameter, certificate);
var authResult = await _authenticateClient.Authenticate(instruction, issuerName, cancellationToken)
.ConfigureAwait(false);
var client = authResult.Client;
if (client == null)
{
_logger.LogError("Client not found.");
return(new ErrorDetails
{
Status = HttpStatusCode.BadRequest,
Title = ErrorCodes.InvalidClient,
Detail = authResult.ErrorMessage !
});
protected override async Task <StreamPair> CreateWrappedConnectedStreamsAsync(StreamPair wrapped, bool leaveOpen = false)
{
X509Certificate2?cert = Test.Common.Configuration.Certificates.GetServerCertificate();
var ssl1 = new SslStream(wrapped.Stream1, leaveOpen, delegate { return(true); });
var ssl2 = new SslStream(wrapped.Stream2, leaveOpen, delegate { return(true); });
await new[]
{
ssl1.AuthenticateAsClientAsync(cert.GetNameInfo(X509NameType.SimpleName, false), null, GetSslProtocols(), false),
ssl2.AuthenticateAsServerAsync(cert, false, GetSslProtocols(), false)
}.WhenAllOrAnyFailed().ConfigureAwait(false);
if (GetSslProtocols() == SslProtocols.Tls13)
{
// TLS 1.3 can generate some extra messages and we may get reset if test sends unidirectional traffic
// and extra packet stays in socket buffer.
// This ping-ping should flush leftovers from the handshake.
// We use sync method to preserve socket in default blocking state
// (as we don't go back once Async is used at least once)
ssl1.Write(new byte[1]);
ssl2.Write(new byte[1]);
Assert.Equal(1, ssl2.Read(new byte[1]));
Assert.Equal(1, ssl1.Read(new byte[1]));
}
return(new StreamPair(ssl1, ssl2));
}
private PixivProxyServer(X509Certificate2 certificate, TcpListener tcpListener)
{
_certificate = certificate;
_tcpListener = tcpListener;
_tcpListener.Start();
_tcpListener.BeginAcceptTcpClient(AcceptTcpClientCallback, _tcpListener);
}
public bool VerifySignatureForHash(
ReadOnlySpan <byte> hash,
Oid hashAlgorithmId,
[NotNullWhen(true)] out X509Certificate2?signerCertificate,
X509Certificate2Collection?extraCandidates = null)
{
if (hashAlgorithmId == null)
{
throw new ArgumentNullException(nameof(hashAlgorithmId));
}
signerCertificate = null;
X509Certificate2?cert = GetSignerCertificate(extraCandidates);
if (cert == null)
{
return(false);
}
if (VerifyHash(hash, hashAlgorithmId.Value))
{
// REVIEW: Should this return the cert, or new X509Certificate2(cert.RawData)?
// SignedCms.SignerInfos builds new objects each call, which makes
// ReferenceEquals(cms.SignerInfos[0].Certificate, cms.SignerInfos[0].Certificate) be false.
// So maybe it's weird to give back a cert we've copied from that?
signerCertificate = cert;
return(true);
}
return(false);
}
/// <summary>
/// Creates SecureMailAddress object instance
/// </summary>
/// <param name="address">Email address</param>
/// <param name="displayName">Email owner display name</param>
/// <param name="encryptionCertificate">Certificate used for email encryption</param>
/// <param name="signingCertificate">Certificate used for email signing</param>
public SecureMailAddress(string address, string displayName,
X509Certificate2?encryptionCertificate = null, X509Certificate2?signingCertificate = null)
: base(address, displayName)
{
EncryptionCertificate = encryptionCertificate;
SigningCertificate = signingCertificate;
}
/// <summary>
/// Load certificate from disk
/// </summary>
/// <param name="fi"></param>
/// <returns></returns>
private X509Certificate2?LoadCertificate(FileInfo fi)
{
X509Certificate2?cert = null;
if (!fi.Exists)
{
return(cert);
}
try
{
cert = new X509Certificate2(fi.FullName, _password);
}
catch (CryptographicException)
{
try
{
cert = new X509Certificate2(fi.FullName, "");
}
catch
{
_log.Warning("Unable to scan certificate {name}", fi.FullName);
}
}
return(cert);
}
/// <summary>
/// Gets the result of the <see cref="HttpRequestMessage"/>.
/// </summary>
/// <typeparam name="T">The <see cref="Type"/> of data downloaded.</typeparam>
/// <param name="request">The download request.</param>
/// <param name="token">The authorization token for the request.</param>
/// <param name="certificate">The <see cref="X509Certificate2"/> to include in request.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> for the async operation.</param>
/// <returns></returns>
protected async Task <Option <T> > GetResult <T>(
HttpRequestMessage request,
AuthenticationHeaderValue?token,
X509Certificate2?certificate = null,
CancellationToken cancellationToken = default)
where T : class
{
request = PrepareRequest(request, token, certificate);
var result = await _client().SendAsync(request, cancellationToken).ConfigureAwait(false);
#if NET5_0
var content = await result.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
#else
var content = await result.Content.ReadAsStringAsync().ConfigureAwait(false);
#endif
if (result.IsSuccessStatusCode && result.StatusCode != HttpStatusCode.NoContent)
{
return(Serializer.Default.Deserialize <T>(content) !);
}
var genericResult = string.IsNullOrWhiteSpace(content)
? new ErrorDetails {
Status = result.StatusCode
}
: Serializer.Default.Deserialize <ErrorDetails>(content);
return(genericResult !);
}
