public override int Start()
{
#pragma warning disable 0219
Certificate c = null;
#pragma warning restore 0219
try {
c = CertificateStore.CreateFromPfxFile(@"certs\server.pfx", "test").FindCertificateByUsage(new string[] {"1.3.6.1.5.5.7.3.1"});
} catch {
AddError("CC-S-0");
return 1;
}
int tests = 0;
// test constructor
try {
#pragma warning disable 0219
CertificateChain cc = new CertificateChain(null);
#pragma warning restore 0219
AddError("CC-S-1");
} catch (ArgumentNullException) {
} catch {
AddError("CC-S-2");
}
tests += 2;
// do other tests
tests = TestBuildChain();
tests += TestVerifyCert();
return tests;
}
/// <summary>
/// Initializes a new CertificateVerificationResult instance.
/// </summary>
/// <param name="chain">The <see cref="CertificateChain"/> that has to be verified.</param>
/// <param name="server">The server to which the <see cref="Certificate"/> has been issued.</param>
/// <param name="type">One of the <see cref="AuthType"/> values.</param>
/// <param name="flags">One of the <see cref="VerificationFlags"/> values.</param>
/// <param name="callback">The delegate to call when the verification finishes.</param>
/// <param name="asyncState">User-defined state data.</param>
public CertificateVerificationResult(CertificateChain chain, string server, AuthType type, VerificationFlags flags, AsyncCallback callback, object asyncState) {
m_Chain = chain;
m_Server = server;
m_Type = type;
m_Flags = flags;
m_AsyncState = asyncState;
m_Callback = callback;
m_WaitHandle = null;
m_HasEnded = false;
}
/// <summary>
/// Initializes a new CertificateVerificationResult instance.
/// </summary>
/// <param name="chain">The <see cref="CertificateChain"/> that has to be verified.</param>
/// <param name="server">The server to which the <see cref="Certificate"/> has been issued.</param>
/// <param name="type">One of the <see cref="AuthType"/> values.</param>
/// <param name="flags">One of the <see cref="VerificationFlags"/> values.</param>
/// <param name="callback">The delegate to call when the verification finishes.</param>
/// <param name="asyncState">User-defined state data.</param>
public CertificateVerificationResult(CertificateChain chain, string server, AuthType type, VerificationFlags flags, AsyncCallback callback, object asyncState)
{
m_Chain = chain;
m_Server = server;
m_Type = type;
m_Flags = flags;
m_AsyncState = asyncState;
m_Callback = callback;
m_WaitHandle = null;
m_HasEnded = false;
}
static void Main(string[] args)
{
Console.WriteLine("This example shows how you can validate a certificate.");
// load the certificate from a file
Certificate cert = Certificate.CreateFromCerFile(@"client.cer");
// build a certificate chain
CertificateChain cc = new CertificateChain(cert);
// validate the chain
CertificateStatus status = cc.VerifyChain(null, AuthType.Client);
// interpret the result
if (status == CertificateStatus.ValidCertificate) {
Console.WriteLine("The certificate is valid.");
} else {
Console.WriteLine("The certificate is not valid [" + status.ToString() + "].");
}
}
protected SslHandshakeStatus ProcessCertificate(HandshakeMessage message, bool client)
{
if (client) {
if (m_State != HandshakeType.ServerHello)
throw new SslException(AlertDescription.UnexpectedMessage, "Certificate message must be preceded by a ServerHello message.");
} else { // server
if (m_State != HandshakeType.ClientHello)
throw new SslException(AlertDescription.UnexpectedMessage, "Certificate message must be preceded by a ClientHello message.");
}
UpdateHashes(message, HashUpdate.All); // input message
Certificate[] certs = null;
try {
certs = ParseCertificateList(message.fragment);
if (certs.Length == 0) {
if (!m_MutualAuthentication)
return new SslHandshakeStatus(SslStatus.MessageIncomplete, null);
}
} catch (SslException t) {
throw t;
} catch (Exception f) {
throw new SslException(f, AlertDescription.InternalError, "The Certificate message is invalid.");
}
CertificateChain chain = null;
m_RemoteCertificate = null;
if (certs.Length != 0) {
m_RemoteCertificate = certs[0];
if (m_RemoteCertificate.GetPublicKeyLength() < 512) {
throw new SslException(AlertDescription.HandshakeFailure, "The pulic key should be at least 512 bits.");
}
CertificateStore cs = new CertificateStore(certs);
for(int i = 0; i < certs.Length; i++) {
certs[i].Store = cs;
}
chain = new CertificateChain(m_RemoteCertificate, cs);
}
VerifyChain(chain, client);
return new SslHandshakeStatus(SslStatus.MessageIncomplete, null);
}
protected void VerifyChain(CertificateChain chain, bool client)
{
VerifyEventArgs e = new VerifyEventArgs();
switch(m_Options.VerificationType) {
case CredentialVerification.Manual:
try {
m_Options.Verifier(Parent, m_RemoteCertificate, chain, e);
} catch (Exception de) {
throw new SslException(de, AlertDescription.InternalError, "The code inside the CertVerifyEventHandler delegate threw an exception.");
}
break;
case CredentialVerification.Auto:
if (chain != null)
e.Valid = (chain.VerifyChain(m_Options.CommonName, client ? AuthType.Client : AuthType.Server) == CertificateStatus.ValidCertificate);
else
e.Valid = false;
break;
case CredentialVerification.AutoWithoutCName:
if (chain != null)
e.Valid = (chain.VerifyChain(m_Options.CommonName, client ? AuthType.Client : AuthType.Server, VerificationFlags.IgnoreInvalidName) == CertificateStatus.ValidCertificate);
else
e.Valid = false;
break;
case CredentialVerification.None:
default:
e.Valid = true;
break;
}
if (!e.Valid) {
throw new SslException(AlertDescription.CertificateUnknown, "The certificate could not be verified.");
}
}
private void CheckClientCertAtServer(SecureSocket socket, Certificate clientCertificate, CertificateChain allClientCertificates,
VerifyEventArgs args) {
Debug.WriteLine("check the client certificate event");
if (allClientCertificates != null) {
args.Valid = m_serverAuth.IsValidClientCertificate(clientCertificate,
allClientCertificates, ((IPEndPoint)socket.RemoteEndPoint).Address);
} else {
args.Valid = !((m_requiredOptions & SecurityAssociationOptions.EstablishTrustInClient) > 0);
}
}
private void stream_OnCertVerify(SecureSocket sock, Certificate cert, CertificateChain chain, VerifyEventArgs e)
{
isSecurityChanging = false;
raiseCertificateVerifiedEvent(EventArgs.Empty);
}
public virtual bool IsValidClientCertificate(Certificate clientCert, CertificateChain allClientCertsReceived,
IPAddress clientAddress) {
return IsValidCertificate(allClientCertsReceived, null, AuthType.Client);
}
private void CheckServerCertAtClient(SecureSocket socket, Certificate cert, CertificateChain chain, VerifyEventArgs args) {
Debug.WriteLine("check the server certificate event");
args.Valid = m_clientAuth.IsValidServerCertificate(cert, chain, ((IPEndPoint)socket.RemoteEndPoint).Address);
}
private void verifyLevel3Authentication( SecureSocket socket,
Certificate cert,
CertificateChain chain,
VerifyEventArgs e
)
{
try
{
// Verify level 2 first
verifyLevel2Authentication( socket, cert, chain, e );
if ( !e.Valid )
{
return;
}
// Verify that the host name or IP matches the subject on the certificate
// ( Level3 authentication )
// First, get the "CN=" name from the certificate
string commonName = null;
DistinguishedName certificateName = cert.GetDistinguishedName();
for ( int a = 0; a < certificateName.Count; a++ )
{
NameAttribute part = certificateName[a];
if ( part.ObjectID == OID_CN )
{
commonName = part.Value;
break;
}
}
if ( commonName == null )
{
if ( (Adk.Debug & AdkDebugFlags.Messaging_Detailed) != 0 )
{
log.Warn
( "Client Certificate fails SIF Level 3 Authentication: common name attribute not found." );
}
e.Valid = false;
return;
}
if( String.Compare( commonName, "localhost", true ) == 0 )
{
commonName = "127.0.0.1";
}
// Does it match the IP Address?
IPEndPoint remoteEndPoint = (IPEndPoint) socket.RemoteEndPoint;
if ( remoteEndPoint.Address.ToString() == commonName )
{
e.Valid = true;
return;
}
// Does it match the common name of the client machine?
IPHostEntry entry = GetHostByAddress( remoteEndPoint.Address );
if ( entry == null )
{
if ( (Adk.Debug & AdkDebugFlags.Messaging_Detailed) != 0 )
{
log.Warn
( "Client Certificate fails SIF Level 3 Authentication: Host Name not found for Address " +
remoteEndPoint.Address.ToString() );
}
e.Valid = false;
return;
}
if ( string.Compare( commonName, entry.HostName, true ) == 0 )
{
e.Valid = true;
return;
}
// No match was found
e.Valid = false;
if ( (Adk.Debug & AdkDebugFlags.Messaging_Detailed) != 0 )
{
log.Warn
( "Client Certificate fails SIF Level 3 Authentication: Certificate Common Name=" +
commonName + ". Does not match client IP / Host: " +
remoteEndPoint.Address.ToString() + " / " + socket.CommonName );
}
}
catch ( Exception ex )
{
if ( (Adk.Debug & AdkDebugFlags.Messaging_Detailed) != 0 )
{
log.Warn
( "Client Certificate fails SIF Level 3 Authentication: " + ex.Message, ex );
}
e.Valid = false;
}
}
public void OnVerify(SecureSocket socket, Certificate remote, CertificateChain chain, VerifyEventArgs e)
{
Console.WriteLine("\r\nThe certificate of the FTP server:");
Console.WriteLine(remote.ToString(true) + "\r\n");
// certificate chain verification can be placed here
}
private void verifyLevel2Authentication( SecureSocket socket,
Certificate cert,
CertificateChain chain,
VerifyEventArgs e
)
{
// Verify level 1 first
verifyLevel1Authentication( socket, cert, chain, e );
if ( !e.Valid )
{
return;
}
CertificateStatus certStatus =
chain.VerifyChain( null, AuthType.Client, VerificationFlags.IgnoreInvalidName );
if ( certStatus != CertificateStatus.ValidCertificate )
{
if ( (Adk.Debug & AdkDebugFlags.Messaging_Detailed) != 0 )
{
log.Warn
( "Client Certificate is not trusted and fails SIF Level 2 Authentication: " +
certStatus.ToString() );
}
e.Valid = false;
}
else
{
e.Valid = true;
}
}
private void verifyLevel1Authentication( SecureSocket socket,
Certificate cert,
CertificateChain chain,
VerifyEventArgs e
)
{
if ( cert == null )
{
if ( (Adk.Debug & AdkDebugFlags.Messaging_Detailed) != 0 )
{
log.Warn( "Client Certificate is missing and fails SIF Level 1 Authentication" );
}
e.Valid = false;
}
else if ( !cert.IsCurrent )
{
if ( (Adk.Debug & AdkDebugFlags.Messaging_Detailed) != 0 )
{
log.Warn( "Client Certificate is invalid and fails SIF Level 1 Authentication" );
}
e.Valid = false;
}
else
{
e.Valid = true;
}
}
/// <summary>
/// This method is called when the SecureSocket received the remote
/// certificate and when the certificate validation type is set to Manual.
/// </summary>
/// <param name="socket">The <see cref="SecureSocket"/> that received the certificate to verify.</param>
/// <param name="remote">The <see cref="Certificate"/> of the remote party to verify.</param>
/// <param name="chain">The <see cref="CertificateChain"/> associated with the remote certificate.</param>
/// <param name="e">A <see cref="VerifyEventArgs"/> instance used to (in)validate the certificate.</param>
/// <remarks>If an error is thrown by the code in the delegate, the SecureSocket will close the connection.</remarks>
protected void OnVerify(SecureSocket socket, Certificate remote, CertificateChain chain, VerifyEventArgs e)
{
// get all the certificates from the certificate chain ..
Certificate[] certs = chain.GetCertificates();
// .. and print them out in the console
for(int i = 0; i < certs.Length; i++) {
Console.WriteLine(certs[i].ToString(true));
}
// print out the result of the chain verification
Console.WriteLine(chain.VerifyChain(socket.CommonName, AuthType.Server));
}
/// <summary>
/// Verifies a certificate received from the remote host.
/// </summary>
/// <param name="socket">The SecureSocket that received the certificate.</param>
/// <param name="remote">The received certificate.</param>
/// <param name="e">The event parameters.</param>
protected void OnVerify(SecureSocket socket, Certificate remote, CertificateChain chain, VerifyEventArgs e)
{
CertificateChain cc = new CertificateChain(remote);
Console.WriteLine("\r\nServer Certificate:\r\n-------------------");
Console.WriteLine(remote.ToString(true));
Console.Write("\r\nServer Certificate Verification:\r\n--------------------------------\r\n -> ");
Console.WriteLine(cc.VerifyChain(socket.CommonName, AuthType.Server).ToString() + "\r\n");
}
/// <summary>
/// verifies the certificate chain against the certificate store
/// </summary>
/// <param name="allCertsReceived">the chain to verify</param>
/// <param name="expectedCNName">the expected CN; may be null</param>
/// <param name="authType">the authtype: is the certificate to verify a client or server certificate;
/// i.e when verifying a client cert, pass AuthType.Client; when verifying a server cert: pass AuthType.Server</param>ram>
/// <returns></returns>
protected bool IsValidCertificate(CertificateChain allCertsReceived, string expectedCNName, AuthType authType) {
VerificationFlags verificationFlags = VerificationFlags.None;
if (expectedCNName == null) {
verificationFlags = VerificationFlags.IgnoreInvalidName;
}
CertificateStatus status = allCertsReceived.VerifyChain(expectedCNName, authType, verificationFlags);
return status == CertificateStatus.ValidCertificate;
}
/// <summary>
/// Returns a <see cref="CertificateChain"/> where the leaf certificate corresponds to this <see cref="Certificate"/>.
/// </summary>
/// <returns>The CertificateChain corresponding to this Certificate.</returns>
/// <exception cref="CertificateException">An error occurs while building the certificate chain.</exception>
public CertificateChain GetCertificateChain()
{
if (m_Chain == null)
m_Chain = new CertificateChain(this, Store);
return m_Chain;
}
/// <summary>
/// see <see cref="Ch.Elca.Iiop.Security.Ssl.IClientSideAuthentication.IsValidServerCertificate"/>
/// </summary>
public virtual bool IsValidServerCertificate(Certificate serverCert, CertificateChain allServerCertsReceived, IPAddress serverAddress) {
return IsValidCertificate(allServerCertsReceived, m_expectedServerCName, AuthType.Server);
}
