Ejemplo n.º 1
0
 /// <summary>
 /// Sets the certificate store for the context - calls SSL_CTX_set_cert_store
 /// The X509Store object and contents will be freed when the context is disposed.
 /// Ensure that the store object and it's contents have IsOwner set to false
 /// before assigning them into the context.
 /// </summary>
 /// <param name="store"></param>
 public void SetCertificateStore(X509Store store)
 {
     // Remove the native pointer ownership from the object
     // Reference counts don't work for the X509_STORE, so
     // we just remove ownership from the X509Store object
     store.IsOwner = false;
     Native.SSL_CTX_set_cert_store(this.ptr, store.Handle);
 }
Ejemplo n.º 2
0
		protected void InitializeClientContext(X509List certificates, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation)
		{
			// Initialize the context with the specified ssl version
			// Initialize the context
			sslContext = new SslContext(SslMethod.SSLv23_client_method);

			// Remove support for protocols not specified in the enabledSslProtocols
			if ((enabledSslProtocols & SslProtocols.Ssl2) != SslProtocols.Ssl2)
			{
				sslContext.Options |= SslOptions.SSL_OP_NO_SSLv2;
			}
			if ((enabledSslProtocols & SslProtocols.Ssl3) != SslProtocols.Ssl3 &&
				((enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default))
			{
				// no SSLv3 support
				sslContext.Options |= SslOptions.SSL_OP_NO_SSLv3;
			}
			if ((enabledSslProtocols & SslProtocols.Tls) != SslProtocols.Tls &&
				(enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default)
			{
				sslContext.Options |= SslOptions.SSL_OP_NO_TLSv1;
			}

			// Set the Local certificate selection callback
			sslContext.SetClientCertCallback(this.internalCertificateSelectionCallback);
			// Set the enabled cipher list
			sslContext.SetCipherList(GetCipherString(false, enabledSslProtocols, sslStrength));
			// Set the callbacks for remote cert verification and local cert selection
			if (remoteCertificateSelectionCallback != null)
			{
				sslContext.SetVerify(VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, remoteCertificateSelectionCallback);
			}
			// Set the CA list into the store
			if (caCertificates != null)
			{
				X509Store store = new X509Store(caCertificates);
				sslContext.SetCertificateStore(store);
			}
			// Set up the read/write bio's
			read_bio = BIO.MemoryBuffer(false);
			write_bio = BIO.MemoryBuffer(false);
			ssl = new Ssl(sslContext);
			ssl.SetBIO(read_bio, write_bio);
			read_bio.SetClose(BIO.CloseOption.Close);
			write_bio.SetClose(BIO.CloseOption.Close);
			// Set the Ssl object into Client mode
			ssl.SetConnectState();
		}
Ejemplo n.º 3
0
        private void InitializeServerContext(
            X509Certificate serverCertificate,
            bool clientCertificateRequired,
            X509Chain caCerts,
            SslProtocols enabledSslProtocols,
            SslStrength sslStrength,
            bool checkCertificateRevocation)
        {
            if (serverCertificate == null)
            {
                throw new ArgumentNullException("serverCertificate", "Server certificate cannot be null");
            }
            if (!serverCertificate.HasPrivateKey)
            {
                throw new ArgumentException("Server certificate must have a private key", "serverCertificate");
            }

            // Initialize the context
            sslContext = new SslContext(SslMethod.TLSv1_server_method, ConnectionEnd.Server, true, new[] { Protocols.Http2, Protocols.Http1 });

            // Remove support for protocols not specified in the enabledSslProtocols
            if ((enabledSslProtocols & SslProtocols.Ssl2) != SslProtocols.Ssl2)
            {
                sslContext.Options |= SslOptions.SSL_OP_NO_SSLv2;
            }
            if ((enabledSslProtocols & SslProtocols.Ssl3) != SslProtocols.Ssl3 &&
                ((enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default))
            {
                // no SSLv3 support
                sslContext.Options |= SslOptions.SSL_OP_NO_SSLv3;
            }
            if ((enabledSslProtocols & SslProtocols.Tls) != SslProtocols.Tls &&
                (enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default)
            {
                sslContext.Options |= SslOptions.SSL_OP_NO_TLSv1;
            }

            // Set the context mode
            sslContext.Mode = SslMode.SSL_MODE_AUTO_RETRY;
            // Set the workaround options
            sslContext.Options = SslOptions.SSL_OP_ALL;
            // Set the client certificate verification callback if we are requiring client certs
            if (clientCertificateRequired)
            {
                sslContext.SetVerify(VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, remoteCertificateSelectionCallback);
            }
            else
            {
                sslContext.SetVerify(VerifyMode.SSL_VERIFY_NONE, null);
            }

            // Set the client certificate max verification depth
            sslContext.SetVerifyDepth(10);
            // Set the certificate store and ca list
            if (caCerts != null)
            {
                // Don't take ownership of the X509Store IntPtr.  When we
                // SetCertificateStore, the context takes ownership of the store pointer.
                var cert_store = new X509Store(caCerts, false);
                sslContext.SetCertificateStore(cert_store);
                Stack<X509Name> name_stack = new Core.Stack<X509Name>();
                foreach (X509Certificate cert in caCerts)
                {
                    X509Name subject = cert.Subject;
                    name_stack.Add(subject);
                }
                // Assign the stack to the context
                sslContext.CAList = name_stack;
            }
            // Set the cipher string
            sslContext.SetCipherList(GetCipherString(false, enabledSslProtocols, sslStrength));
            // Set the certificate
            sslContext.UseCertificate(serverCertificate);
            // Set the private key
            sslContext.UsePrivateKey(serverCertificate.PrivateKey);
            // Set the session id context
            sslContext.SetSessionIdContext(Encoding.ASCII.GetBytes("AppDomainHost: UnitTests12345678"/*AppDomain.CurrentDomain.FriendlyName*/));
        }
Ejemplo n.º 4
0
		/// <summary>
		/// Calls X509_STORE_CTX_init()
		/// </summary>
		/// <param name="store"></param>
		/// <param name="cert"></param>
		/// <param name="uchain"></param>
		public void Init(X509Store store, X509Certificate cert, X509Chain uchain)
		{
			Native.ExpectSuccess(Native.X509_STORE_CTX_init(
				this.ptr,
				store.Handle,
				cert != null ? cert.Handle : IntPtr.Zero,
				uchain.Handle));
		}
Ejemplo n.º 5
0
		/// <summary>
		/// Verify that the specified chain can be trusted.
		/// </summary>
		/// <param name="chain"></param>
		/// <param name="error"></param>
		/// <returns></returns>
		public bool VerifyResponse(X509Chain chain, out string error)
		{
			cert = chain[0];
			var store = new X509Store(chain);
			return store.Verify(cert, out error);
		}
Ejemplo n.º 6
0
		/// <summary>
		///     Sets the certificate store for the context - calls SSL_CTX_set_cert_store
		///     The X509Store object and contents will be freed when the context is disposed.
		///     Ensure that the store object and it's contents have IsOwner set to false
		///     before assigning them into the context.
		/// </summary>
		/// <param name="store"></param>
		public void SetCertificateStore(X509Store store)
		{
			store.AddRef();
			Native.SSL_CTX_set_cert_store(ptr, store.Handle);
		}
Ejemplo n.º 7
0
		protected void InitializeClientContext(
			X509List certificates,
			SslProtocols enabledSslProtocols,
			SslStrength sslStrength,
			bool checkCertificateRevocation)
		{
			// Initialize the context with specified TLS version
			sslContext = new SslContext(SslMethod.TLSv12_client_method, ConnectionEnd.Client, new[] {
				Protocols.Http2,
				Protocols.Http1
			});
            
			var options = sslContext.Options;

			// Remove support for protocols not specified in the enabledSslProtocols
			if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl2))
			{
				options |= SslOptions.SSL_OP_NO_SSLv2;
			}

			if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl3))
			{
				options |= SslOptions.SSL_OP_NO_SSLv3;
			}

			if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Tls))
			{
				options |= SslOptions.SSL_OP_NO_TLSv1;
			}

			sslContext.Options = options;

			// Set the Local certificate selection callback
			sslContext.SetClientCertCallback(OnClientCertificate);
			// Set the enabled cipher list
			sslContext.SetCipherList(SslCipher.MakeString(enabledSslProtocols, sslStrength));
			// Set the callbacks for remote cert verification and local cert selection
			if (OnRemoteCertificate != null)
			{
				sslContext.SetVerify(
					VerifyMode.SSL_VERIFY_PEER |
					VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 
					OnRemoteCertificate);
			}
			// Set the CA list into the store
			if (caCertificates != null)
			{
				var store = new X509Store(caCertificates);
				sslContext.SetCertificateStore(store);
			}
			// Set up the read/write bio's
			read_bio = BIO.MemoryBuffer(false);
			write_bio = BIO.MemoryBuffer(false);
			ssl = new Ssl(sslContext);

			sniCb = sniExt.ClientSniCb;
			sniExt.AttachSniExtensionClient(ssl.Handle, sslContext.Handle, sniCb);

			ssl.SetBIO(read_bio, write_bio);
			read_bio.SetClose(BIO.CloseOption.Close);
			write_bio.SetClose(BIO.CloseOption.Close);
			// Set the Ssl object into Client mode
			ssl.SetConnectState();
		}
Ejemplo n.º 8
0
 public OpenSslCertificateHandler(string cert_dir, string local_id) :
     base(cert_dir, local_id)
 {
     Store = new ox509.X509Store();
 }
Ejemplo n.º 9
0
 public OpenSslCertificateHandler(string cert_dir, string local_id) :
   base(cert_dir, local_id)
 {
   Store = new ox509.X509Store();
 }