/////////////////////////////////////////////////////////////////////// private static void DisableLegacyCertificatePolicy() { lock (syncRoot) /* TRANSACTIONAL */ { // // NOTE: Restore the previously saved certificate policy, // if any. // if (!haveSavedCertificatePolicy) { return; } // // NOTE: Restore the saved ICertificatePolicy. // ServicePointManager.CertificatePolicy = savedCertificatePolicy; // // NOTE: Clear the saved ICertificatePolicy. // haveSavedCertificatePolicy = false; savedCertificatePolicy = null; } }
/// <summary> /// Check Connection /// </summary> void CheckConnection() { Console.Write("Checking connection..."); // swap policy ICertificatePolicy policy = ServicePointManager.CertificatePolicy; ServicePointManager.CertificatePolicy = new TrustAllCertificatePolicy(); UriBuilder url = new UriBuilder(simiasUrl.Value); url.Path = "/simias10/iFolderAdmin.asmx?WSDL"; // connect HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(url.Uri); try { request.GetResponse(); Console.WriteLine("Done"); } catch { Console.WriteLine("Failed"); } // restore policy ServicePointManager.CertificatePolicy = policy; }
public CimomRequest(string uri, ICertificatePolicy certificatePolicy) { // Build a CimomRequest off of a new HttpRequest httpReq = (HttpWebRequest)WebRequest.Create(uri); httpReq.KeepAlive = true; //Needed for https connections // The namespace needs a 2 digit number between 00 and 99 nameSpaceValue = rand.Next(10).ToString() + rand.Next(10).ToString(); // Setup the http request httpReq.PreAuthenticate = false; httpReq.ProtocolVersion = HttpVersion.Version11; httpReq.Method = "POST"; httpReq.ContentType = "application/xml;charset=\"UTF-8\""; httpReq.Accept = "text/html, text/xml, application/xml"; ServicePointManager.Expect100Continue = false; // I get an "Unknown Extension URI" when I try to use this URL :( //Headers.Add("Man", "http://www.dmtf.org/standards/documents/WBEM/DSP200.html;ns=" + nameSpaceValue); // Add the Http/CIM headers //Headers.Add("Man", "http://www.dmtf.org/cim/mapping/http/v1.0;ns=" + nameSpaceValue); Headers.Add("CIMProtocolVersion", "1.0"); if (certificatePolicy == null) ServicePointManager.CertificatePolicy = new AcceptAllCertificatePolicy(); else ServicePointManager.CertificatePolicy = certificatePolicy; }
static CertificatePolicy() { _certs = new Hashtable(); _sync = new object(); _old_policy = ServicePointManager.CertificatePolicy; ServicePointManager.CertificatePolicy = new CertificatePolicy(); }
public static void Restore() { Logger.Warn("Restoring SSL verification!"); ServicePointManager.ServerCertificateValidationCallback = ServerCertificateValidationCallbackBackup; ServicePointManager.CertificatePolicy = CertificatePolicyBackup; CertificatePolicyBackup = null; ServerCertificateValidationCallbackBackup = null; Logger.Warn("Restored SSL verification!"); }
public SslProxyFactory(IViewAccessAdapter viewAdapter) { ErrorLog.Singleton.LogSuccess("enter Ssl fac"); _rsProxy = new ReportingService(); ErrorLog.Singleton.LogSuccess("initialize ReportingService"); _policy = new SslValidation(viewAdapter); ErrorLog.Singleton.LogSuccess("initialize SslValidation"); }
public static void Disable() { Logger.Warn("Disabling SSL verification!"); CertificatePolicyBackup = ServicePointManager.CertificatePolicy; ServerCertificateValidationCallbackBackup = ServicePointManager.ServerCertificateValidationCallback; ServicePointManager.CertificatePolicy = new NoCheckCertificatePolicy(); ServicePointManager.ServerCertificateValidationCallback = CertificateValidationCallback; Logger.Warn("Disabled SSL verification!"); }
public HttpClient(ICertificatePolicy certificatePolicy) { if (certificatePolicy != null) { #pragma warning disable 0618 ServicePointManager.CertificatePolicy = certificatePolicy; #pragma warning restore 0618 } }
static ServicePointManager() { servicePoints = new HybridDictionary(); policy = new DefaultCertificatePolicy(); defaultConnectionLimit = 2; maxServicePointIdleTime = 900000; maxServicePoints = 0; _checkCRL = false; _securityProtocol = (SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls); expectContinue = true; }
//public CertificatePolicy(Dictionary<string, string> x509NameDictionary) //{ // // don't bother initializing if no data // if (x509NameDictionary != null && !x509NameDictionary.Any()) // { // this.X509NameDictionary = null; // } // else // { // this.X509NameDictionary = x509NameDictionary; // } //} public void Load(ICertificatePolicy input) { this.CommonName = input.CommonName; this.ValidForDays = input.ValidForDays; this.CertificateAuthorityThumbprint = input.CertificateAuthorityThumbprint; this.X509NameDictionary = input.X509NameDictionary; this.ClientAuthentication = input.ClientAuthentication; this.ServerAuthentication = input.ServerAuthentication; this.CodeSigning = input.CodeSigning; this.AllPurposes = input.AllPurposes; }
public HttpClient(ICertificatePolicy certificatePolicy) { if (certificatePolicy != null) { #pragma warning disable 0618 ServicePointManager.CertificatePolicy = certificatePolicy; #pragma warning restore 0618 } this.TimeProvider = new TimeProvider(); }
public HttpClient(ICertificatePolicy certificatePolicy, IReynaLogger logger) { if (certificatePolicy != null) { #pragma warning disable 0618 ServicePointManager.CertificatePolicy = certificatePolicy; #pragma warning restore 0618 } this.TimeProvider = new TimeProvider(); this.Logger = logger; this.StatusGetter = new HttpStatusGetter(); }
public static string Send(string http_payload, Encoding enc, int timeout, out HttpWebResponse responseOut) { // variabel för indata StringBuilder sb = new StringBuilder(); // buffer för inläsning byte[] buf = new byte[8092]; #pragma warning disable 618 // ServicePointManager.CertificatePolicy is obsoleted, but is the only thing that works on both windows and mono. //Needed to avoid errors from homegrown SSL cert. ICertificatePolicy oldPolicy = ServicePointManager.CertificatePolicy; ServicePointManager.CertificatePolicy = new HTTPSender(); // anropa websidan med aktuella data HttpWebRequest request = (HttpWebRequest)WebRequest.Create(http_payload); if (timeout > -1) { request.Timeout = timeout; } // ta emot svarskoder HttpWebResponse response = (HttpWebResponse)request.GetResponse(); responseOut = response; ServicePointManager.CertificatePolicy = oldPolicy; #pragma warning restore 618 // läs in dataströmmen via responsmetoden Stream resStream = response.GetResponseStream(); string tempString = null; int count = 0; do { // fyll bufferten count = resStream.Read(buf, 0, buf.Length); // kontrollera att data finns att läsa if (count != 0) { // koda som ISO text tempString = enc.GetString(buf, 0, count); // bygg upp svarssträngen sb.Append(tempString); } } while (count > 0); // finns mer data att läsa? return(tempString); }
public static void CertificatePolicy_Roundtrips() { ICertificatePolicy cp = ServicePointManager.CertificatePolicy; Assert.NotNull(cp); Assert.True(cp.CheckValidationResult(null, null, null, 0)); Assert.False(cp.CheckValidationResult(null, null, null, 1)); ServicePointManager.CertificatePolicy = null; Assert.Null(ServicePointManager.CertificatePolicy); ServicePointManager.CertificatePolicy = cp; Assert.Same(cp, ServicePointManager.CertificatePolicy); }
public static void CertificatePolicy_Roundtrips() { #pragma warning disable CS0618 // obsolete warnings ICertificatePolicy cp = ServicePointManager.CertificatePolicy; Assert.NotNull(cp); Assert.True(cp.CheckValidationResult(null, null, null, 0)); Assert.False(cp.CheckValidationResult(null, null, null, 1)); ServicePointManager.CertificatePolicy = null; Assert.Null(ServicePointManager.CertificatePolicy); ServicePointManager.CertificatePolicy = cp; Assert.Same(cp, ServicePointManager.CertificatePolicy); #pragma warning restore CS0619 }
/////////////////////////////////////////////////////////////////////// private static void EnableLegacyCertificatePolicy() { lock (syncRoot) /* TRANSACTIONAL */ { // // NOTE: First, save the current certificate policy for // possible later restoration. // savedCertificatePolicy = ServicePointManager.CertificatePolicy; haveSavedCertificatePolicy = true; // // NOTE: Next, set the certificate policy to the one we // use for software updates. // ServicePointManager.CertificatePolicy = certificatePolicy; } }
public void TrustUsingOldPolicy() { // Three similar tests exists in dontlink, linkall and linksdk to test 3 different cases // untrusted, custom ICertificatePolicy and ServerCertificateValidationCallback without // having caching issues (in S.Net or the SSL handshake cache) ICertificatePolicy old = ServicePointManager.CertificatePolicy; try { ServicePointManager.CertificatePolicy = test_policy; WebClient wc = new WebClient(); Assert.IsNotNull(wc.DownloadString("https://wrench.internalx.com/Wrench/Login.aspx")); // caching means it will be called at least for the first run, but it might not // be called again in subsequent requests (unless it expires) Assert.That(test_policy.CheckCount, Is.GreaterThan(0), "policy checked"); } finally { ServicePointManager.CertificatePolicy = old; } }
public ReynaService(byte[] password, ICertificatePolicy certificatePolicy) { this.Password = password; this.VolatileStore = new InMemoryQueue(); this.PersistentStore = new SQLiteRepository(password); this.HttpClient = new HttpClient(certificatePolicy); this.EncryptionChecker = new EncryptionChecker(); this.StoreWaitHandle = new AutoResetEventAdapter(false); this.ForwardWaitHandle = new AutoResetEventAdapter(false); this.NetworkWaitHandle = new NamedWaitHandle(false, Reyna.NetworkStateService.NetworkConnectedNamedEvent); this.SystemNotifier = new SystemNotifier(); this.NetworkStateService = new NetworkStateService(this.SystemNotifier, this.NetworkWaitHandle); this.StoreService = new StoreService(this.VolatileStore, this.PersistentStore, this.StoreWaitHandle); this.ForwardService = new ForwardService(this.PersistentStore, this.HttpClient, this.NetworkStateService, this.ForwardWaitHandle, Preferences.ForwardServiceTemporaryErrorBackout, Preferences.ForwardServiceMessageBackout); }
public void TrustUsingOldPolicy() { #if __WATCHOS__ Assert.Ignore("WatchOS doesn't support BSD sockets, which our network stack currently requires."); #endif // Three similar tests exists in dontlink, linkall and linksdk to test 3 different cases // untrusted, custom ICertificatePolicy and ServerCertificateValidationCallback without // having caching issues (in S.Net or the SSL handshake cache) ICertificatePolicy old = ServicePointManager.CertificatePolicy; try { ServicePointManager.CertificatePolicy = test_policy; WebClient wc = new WebClient(); Assert.IsNotNull(wc.DownloadString(NetworkResources.XamarinUrl)); // caching means it will be called at least for the first run, but it might not // be called again in subsequent requests (unless it expires) Assert.That(test_policy.CheckCount, Is.GreaterThan(0), "policy checked"); } finally { ServicePointManager.CertificatePolicy = old; } }
public ReynaService(byte[] password, ICertificatePolicy certificatePolicy, bool useNetworkState, IReynaLogger logger) { this.Password = password; this.Logger = logger; this.PersistentStore = new SQLiteRepository(password); this.HttpClient = new HttpClient(certificatePolicy); this.EncryptionChecker = new EncryptionChecker(); this.ForwardWaitHandle = new AutoResetEventAdapter(false); if (useNetworkState) { this.SystemNotifier = new SystemNotifier(); this.NetworkWaitHandle = new NamedWaitHandle(false, Reyna.NetworkStateService.NetworkConnectedNamedEvent); this.NetworkStateService = new NetworkStateService(this.SystemNotifier, this.NetworkWaitHandle); } var preferences = new Preferences(); this.StoreService = new StoreService(this.PersistentStore, logger); this.ForwardService = new ForwardService(this.PersistentStore, this.HttpClient, this.NetworkStateService, this.ForwardWaitHandle, Preferences.ForwardServiceTemporaryErrorBackout, Preferences.ForwardServiceMessageBackout, preferences.BatchUpload, logger); }
private const long MinimumStorageLimit = 1867776; // 1Mb 800Kb public ReynaService(byte[] password, ICertificatePolicy certificatePolicy, bool useNetworkState, IReynaLogger logger) { this.Password = password; this.Logger = logger; this.PersistentStore = new SQLiteRepository(logger, password); this.HttpClient = new HttpClient(certificatePolicy, logger); this.EncryptionChecker = new EncryptionChecker(); this.ForwardWaitHandle = new AutoResetEventAdapter(false); if (useNetworkState) { this.SystemNotifier = new SystemNotifier(); this.NetworkWaitHandle = new NamedWaitHandle(false, Reyna.NetworkStateService.NetworkConnectedNamedEvent); this.NetworkStateService = new NetworkStateService(this.SystemNotifier, this.NetworkWaitHandle); } var preferences = new Preferences(); this.StoreService = new StoreService(this.PersistentStore, logger); this.ForwardService = new ForwardService(this.PersistentStore, this.HttpClient, this.NetworkStateService, this.ForwardWaitHandle, Preferences.ForwardServiceTemporaryErrorBackout, Preferences.ForwardServiceMessageBackout, preferences.BatchUpload, logger); }
//private X509Certificate2 _x5092; #region properties #endregion #region .ctors #endregion #region methods public async Task<ProtectedX509Certificate2> IssueNewCertificateAsync(IPublicKey keyProtector, ICertificatePolicy certificatePolicy) { if (keyProtector == null) { throw new ArgumentNullException("keyProtectorPublicKey"); } //if (keyProtector.PublicKey == null) //{ // throw new ArgumentNullException("keyProtectorPublicKey.PublicKey"); //} //var publicKeyProvider = keyProtector.PublicKey.Key as RSACryptoServiceProvider; //if (publicKeyProvider == null) //{ // throw new NotImplementedException("keyProtectorPublicKey.PublicKey.Key must be a valid RSACryptoServiceProvider"); //} string thumbprint; string pemPublicCert; byte[] pkcs12Data; System.Security.Cryptography.X509Certificates.X509Certificate2 x509Certificate2; GenerateSigningCertificate(certificatePolicy, out thumbprint, out pemPublicCert, out pkcs12Data, out x509Certificate2); // encrypt the password using our primary certificate var encryptor = new AsymmetricEncryptor() { AsymmetricStrategy = AsymmetricStrategyOption.Aes256_1000 }; var asymEncObj = encryptor.EncryptObjectAsync(pkcs12Data, keyProtector).GetAwaiter().GetResult(); if (string.IsNullOrEmpty(asymEncObj.KeyId) || asymEncObj.KeyId.Length != 40) { throw new InvalidOperationException("AsymmetricEncryptor.EncryptObject returned without KeyId populated."); } var protectedKey = new ProtectedX509Certificate2(x509Certificate2.Thumbprint.ToLower(), asymEncObj); return await Task.FromResult(protectedKey); }
public ReynaService(byte[] password, ICertificatePolicy certificatePolicy, IReynaLogger logger) : this(password, certificatePolicy, true, logger) { }
internal CertPolicyValidationCallback() { m_CertificatePolicy = new DefaultCertPolicy(); m_Context = null; }
internal CertPolicyValidationCallback(ICertificatePolicy certificatePolicy) { m_CertificatePolicy = certificatePolicy; m_Context = ExecutionContext.Capture(); }
private static void GenerateSigningCertificate(ICertificatePolicy certificatePolicy, out string thumbprint, out string pemPublicCert, out byte[] pkcs12Data, out System.Security.Cryptography.X509Certificates.X509Certificate2 x509Certificate2) { // Generating Random Numbers var randomGenerator = new CryptoApiRandomGenerator(); var random = new SecureRandom(randomGenerator); var kpgen = new RsaKeyPairGenerator(); kpgen.Init(new KeyGenerationParameters(random, 2048)); var subjectKeyPair = kpgen.GenerateKeyPair(); var gen = new X509V3CertificateGenerator(); X509Name certName; if (certificatePolicy.X509NameDictionary == null || !certificatePolicy.X509NameDictionary.Any()) { certName = new X509Name("CN=" + certificatePolicy.CommonName); } else { var list = new Dictionary <string, string>(); AddSubjectNameItem(list, "CN", certificatePolicy.CommonName); foreach (var item in certificatePolicy.X509NameDictionary) { AddSubjectNameItem(list, item.Key, item.Value); } certName = new X509Name(GetSubjectNameItemString(list)); } BigInteger serialNo; serialNo = BigInteger.ProbablePrime(120, random); gen.SetSerialNumber(serialNo); gen.SetSubjectDN(certName); gen.SetIssuerDN(certName); gen.SetNotBefore(DateTime.UtcNow.AddHours(-2)); // go back 2 hours just to be safe gen.SetNotAfter(DateTime.UtcNow.AddDays(certificatePolicy.ValidForDays)); gen.SetSignatureAlgorithm("SHA256WithRSA"); gen.SetPublicKey(subjectKeyPair.Public); gen.AddExtension( X509Extensions.BasicConstraints.Id, true, new BasicConstraints(false)); gen.AddExtension(X509Extensions.KeyUsage.Id, true, new KeyUsage(KeyUsage.DigitalSignature)); // handle our key purposes if (!certificatePolicy.AllPurposes) { var purposes = new List <KeyPurposeID>(); if (certificatePolicy.ServerAuthentication) { purposes.Add(KeyPurposeID.IdKPServerAuth); } if (certificatePolicy.ClientAuthentication) { purposes.Add(KeyPurposeID.IdKPClientAuth); } if (certificatePolicy.CodeSigning) { purposes.Add(KeyPurposeID.IdKPCodeSigning); } if (purposes.Any()) { gen.AddExtension( X509Extensions.ExtendedKeyUsage.Id, true, new ExtendedKeyUsage(purposes.ToArray())); } } var certificate = gen.Generate(subjectKeyPair.Private, random); PrivateKeyInfo info = PrivateKeyInfoFactory.CreatePrivateKeyInfo(subjectKeyPair.Private); var seq = (Asn1Sequence)Asn1Object.FromByteArray(info.PrivateKey.GetDerEncoded()); if (seq.Count != 9) { throw new PemException("Malformed sequence in RSA private key."); } var rsa = new RsaPrivateKeyStructure(seq); RsaPrivateCrtKeyParameters rsaparams = new RsaPrivateCrtKeyParameters( rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent, rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2, rsa.Coefficient); // this is exportable to get the bytes of the key to our file system in an encrypted manner RSAParameters rsaParameters = DotNetUtilities.ToRSAParameters(rsaparams); CspParameters cspParameters = new CspParameters(); cspParameters.KeyContainerName = Guid.NewGuid().ToString(); RSACryptoServiceProvider rsaKey = new RSACryptoServiceProvider(2048, cspParameters); rsaKey.PersistKeyInCsp = false; // do not persist rsaKey.ImportParameters(rsaParameters); var x509 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificate.GetEncoded()); x509.PrivateKey = rsaKey; // this is non-exportable CspParameters cspParametersNoExport = new CspParameters(); cspParametersNoExport.KeyContainerName = Guid.NewGuid().ToString(); cspParametersNoExport.Flags = CspProviderFlags.UseNonExportableKey; RSACryptoServiceProvider rsaKey2 = new RSACryptoServiceProvider(2048, cspParametersNoExport); rsaKey2.PersistKeyInCsp = false; // do not persist rsaKey2.ImportParameters(rsaParameters); x509Certificate2 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificate.GetEncoded()); x509Certificate2.PrivateKey = rsaKey2; //// Generating Random Numbers //var chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-()#$%^&@+=!"; //var rnd = new Random(); //password = new string( // Enumerable.Repeat(chars, 15) // .Select(s => s[rnd.Next(s.Length)]) // .ToArray()); thumbprint = x509.Thumbprint.ToLower(); var publicKeyPem = new StringBuilder(); var utf8WithoutBom = new System.Text.UTF8Encoding(false); var publicKeyPemWriter = new PemWriter(new StringWriterWithEncoding(publicKeyPem, utf8WithoutBom)); publicKeyPemWriter.WriteObject(certificate); publicKeyPemWriter.Writer.Flush(); pemPublicCert = publicKeyPem.ToString(); pemPublicCert = pemPublicCert.Replace(Environment.NewLine, "\n"); //only use newline and not returns pkcs12Data = x509.Export(System.Security.Cryptography.X509Certificates.X509ContentType.Pfx); }
internal PolicyWrapper(ICertificatePolicy policy, ServicePoint sp, WebRequest wr) { this.fwdPolicy = policy; srvPoint = sp; request = wr; }
//private X509Certificate2 _x5092; #region properties #endregion #region .ctors #endregion #region methods public async Task <ProtectedX509Certificate2> IssueNewCertificateAsync(IPublicKey keyProtector, ICertificatePolicy certificatePolicy) { if (keyProtector == null) { throw new ArgumentNullException("keyProtectorPublicKey"); } //if (keyProtector.PublicKey == null) //{ // throw new ArgumentNullException("keyProtectorPublicKey.PublicKey"); //} //var publicKeyProvider = keyProtector.PublicKey.Key as RSACryptoServiceProvider; //if (publicKeyProvider == null) //{ // throw new NotImplementedException("keyProtectorPublicKey.PublicKey.Key must be a valid RSACryptoServiceProvider"); //} string thumbprint; string pemPublicCert; byte[] pkcs12Data; System.Security.Cryptography.X509Certificates.X509Certificate2 x509Certificate2; GenerateSigningCertificate(certificatePolicy, out thumbprint, out pemPublicCert, out pkcs12Data, out x509Certificate2); // encrypt the password using our primary certificate var encryptor = new AsymmetricEncryptor() { AsymmetricStrategy = AsymmetricStrategyOption.Aes256_1000 }; var asymEncObj = encryptor.EncryptObjectAsync(pkcs12Data, keyProtector).GetAwaiter().GetResult(); if (string.IsNullOrEmpty(asymEncObj.KeyId) || asymEncObj.KeyId.Length != 40) { throw new InvalidOperationException("AsymmetricEncryptor.EncryptObject returned without KeyId populated."); } var protectedKey = new ProtectedX509Certificate2(x509Certificate2.Thumbprint.ToLower(), asymEncObj); return(await Task.FromResult(protectedKey)); }
// Used when the obsolete ICertificatePolicy is set to DefaultCertificatePolicy // and the new ServerCertificateValidationCallback is not null internal ValidationResult ValidateChain(MSX.X509CertificateCollection certs) { // user_denied is true if the user callback is called and returns false bool user_denied = false; if (certs == null || certs.Count == 0) { return(null); } ICertificatePolicy policy = ServicePointManager.CertificatePolicy; X509Certificate2 leaf = new X509Certificate2(certs [0].RawData); int status11 = 0; // Error code passed to the obsolete ICertificatePolicy callback SslPolicyErrors errors = 0; X509Chain chain = null; bool result = false; #if MONOTOUCH // The X509Chain is not really usable with MonoTouch (since the decision is not based on this data) // However if someone wants to override the results (good or bad) from iOS then they will want all // the certificates that the server provided (which generally does not include the root) so, only // if there's a user callback, we'll create the X509Chain but won't build it // ref: https://bugzilla.xamarin.com/show_bug.cgi?id=7245 if (ServerCertificateValidationCallback != null) { #endif chain = new X509Chain(); chain.ChainPolicy = new X509ChainPolicy(); #if !MONOTOUCH chain.ChainPolicy.RevocationMode = revocation_mode; #endif for (int i = 1; i < certs.Count; i++) { X509Certificate2 c2 = new X509Certificate2(certs [i].RawData); chain.ChainPolicy.ExtraStore.Add(c2); } #if MONOTOUCH } #else try { if (!chain.Build(leaf)) { errors |= GetErrorsFromChain(chain); } } catch (Exception e) { Console.Error.WriteLine("ERROR building certificate chain: {0}", e); Console.Error.WriteLine("Please, report this problem to the Mono team"); errors |= SslPolicyErrors.RemoteCertificateChainErrors; } // for OSX and iOS we're using the native API to check for the SSL server policy and host names if (!is_macosx) { if (!CheckCertificateUsage(leaf)) { errors |= SslPolicyErrors.RemoteCertificateChainErrors; status11 = -2146762490; //CERT_E_PURPOSE 0x800B0106 } if (!CheckServerIdentity(certs [0], host)) { errors |= SslPolicyErrors.RemoteCertificateNameMismatch; status11 = -2146762481; // CERT_E_CN_NO_MATCH 0x800B010F } } else { #endif // Attempt to use OSX certificates // Ideally we should return the SecTrustResult OSX509Certificates.SecTrustResult trustResult = OSX509Certificates.SecTrustResult.Deny; try { trustResult = OSX509Certificates.TrustEvaluateSsl(certs, host); // We could use the other values of trustResult to pass this extra information // to the .NET 2 callback for values like SecTrustResult.Confirm result = (trustResult == OSX509Certificates.SecTrustResult.Proceed || trustResult == OSX509Certificates.SecTrustResult.Unspecified); } catch { // Ignore } if (result) { // TrustEvaluateSsl was successful so there's no trust error // IOW we discard our own chain (since we trust OSX one instead) errors = 0; } else { // callback and DefaultCertificatePolicy needs this since 'result' is not specified status11 = (int)trustResult; errors |= SslPolicyErrors.RemoteCertificateChainErrors; } #if !MONOTOUCH } #endif #if MONODROID && SECURITY_DEP result = AndroidPlatform.TrustEvaluateSsl(certs, sender, leaf, chain, errors); if (result) { // chain.Build() + GetErrorsFromChain() (above) will ALWAYS fail on // Android (there are no mozroots or preinstalled root certificates), // thus `errors` will ALWAYS have RemoteCertificateChainErrors. // Android just verified the chain; clear RemoteCertificateChainErrors. errors &= ~SslPolicyErrors.RemoteCertificateChainErrors; } #endif if (policy != null && (!(policy is DefaultCertificatePolicy) || cb == null)) { ServicePoint sp = null; HttpWebRequest req = sender as HttpWebRequest; if (req != null) { sp = req.ServicePointNoLock; } if (status11 == 0 && errors != 0) { status11 = GetStatusFromChain(chain); } // pre 2.0 callback result = policy.CheckValidationResult(sp, leaf, req, status11); user_denied = !result && !(policy is DefaultCertificatePolicy); } // If there's a 2.0 callback, it takes precedence if (ServerCertificateValidationCallback != null) { result = ServerCertificateValidationCallback(sender, leaf, chain, errors); user_denied = !result; } return(new ValidationResult(result, user_denied, status11)); }
/// <summary> /// Initializes an instance of the object. /// </summary> public CertPolicy() { defaultCertPolicy = ServicePointManager.CertificatePolicy; ServicePointManager.CertificatePolicy = this; }
/// <summary> /// Setup SSL /// </summary> void SetupSsl() { Console.Write("Installing certificate..."); Uri url = new Uri(simiasUrl.Value); if (url.Scheme == Uri.UriSchemeHttps) { // swap policy ICertificatePolicy policy = ServicePointManager.CertificatePolicy; ServicePointManager.CertificatePolicy = new TrustAllCertificatePolicy(); // connect HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(url); try { request.GetResponse(); } catch { // ignore } // restore policy ServicePointManager.CertificatePolicy = policy; // service point ServicePoint sp = request.ServicePoint; if ((sp != null) && (sp.Certificate != null)) { string path = Path.GetFullPath(Path.Combine(webPath, "Web.config")); string certRawDetail = Convert.ToBase64String(sp.Certificate.GetRawCertData()); string certDetail = sp.Certificate.ToString(true); XmlDocument doc = new XmlDocument(); doc.Load(path); XmlElement cert = (XmlElement)doc.DocumentElement.SelectSingleNode("//configuration/appSettings/add[@key='SimiasCert']"); BoolOption iFolderCertAcc = new BoolOption("iFolder-cert-acceptance", "Accept iFolder Server Certificate", certDetail, false, true); iFolderCertAcc.Prompt = true; Prompt.ForOption(iFolderCertAcc); if (iFolderCertAcc.Value == true) { if (cert != null) { cert.Attributes["value"].Value = certRawDetail; doc.Save(path); Console.WriteLine("Done"); } else { throw new Exception(String.Format("Unable to find \"SimiasCert\" tag in the {0} file.", path)); } } else { Console.WriteLine("Failed (Install Certificate)"); throw new Exception(string.Format("User Certificate validation failed ")); } } else { throw new Exception("Unable to retrieve the certificate from the iFolder server."); } } else { Console.WriteLine("Skipped (Not Required)"); } }
ValidationResult ValidateChain(string host, X509Certificate2Collection certs, SslPolicyErrors errors) { // user_denied is true if the user callback is called and returns false bool user_denied = false; bool result = false; var hasCallback = certValidationCallback != null || callbackWrapper != null; X509Certificate2 leaf; if (certs == null || certs.Count == 0) { leaf = null; } else { leaf = certs [0]; } if (tlsStream != null) { request.ServicePoint.SetServerCertificate(leaf); } if (leaf == null) { errors |= SslPolicyErrors.RemoteCertificateNotAvailable; if (hasCallback) { if (callbackWrapper != null) { result = callbackWrapper.Invoke(certValidationCallback, leaf, null, (MonoSslPolicyErrors)errors); } else { result = certValidationCallback.Invoke(sender, leaf, null, errors); } user_denied = !result; } return(new ValidationResult(result, user_denied, 0, (MonoSslPolicyErrors)errors)); } bool needsChain; bool skipSystemValidators = false; if (!CertificateValidationHelper.SupportsX509Chain || is_mobile || is_macosx) { needsChain = false; } else if (settings != null) { skipSystemValidators = settings.SkipSystemValidators; needsChain = !settings.SkipSystemValidators || settings.CallbackNeedsCertificateChain; } else { needsChain = true; } ICertificatePolicy policy = ServicePointManager.GetLegacyCertificatePolicy(); int status11 = 0; // Error code passed to the obsolete ICertificatePolicy callback X509Chain chain = null; if (needsChain) { chain = new X509Chain(); chain.ChainPolicy = new X509ChainPolicy(); #if !MONOTOUCH chain.ChainPolicy.RevocationMode = revocation_mode; #endif for (int i = 1; i < certs.Count; i++) { chain.ChainPolicy.ExtraStore.Add(certs [i]); } } #if !MONOTOUCH if (needsChain) { try { if (!chain.Build(leaf)) { errors |= GetErrorsFromChain(chain); } } catch (Exception e) { Console.Error.WriteLine("ERROR building certificate chain: {0}", e); Console.Error.WriteLine("Please, report this problem to the Mono team"); errors |= SslPolicyErrors.RemoteCertificateChainErrors; } } // for OSX and iOS we're using the native API to check for the SSL server policy and host names if (!is_macosx) { if (!CheckCertificateUsage(leaf)) { errors |= SslPolicyErrors.RemoteCertificateChainErrors; status11 = -2146762490; //CERT_E_PURPOSE 0x800B0106 } if (host != null && !CheckServerIdentity(leaf, host)) { errors |= SslPolicyErrors.RemoteCertificateNameMismatch; status11 = -2146762481; // CERT_E_CN_NO_MATCH 0x800B010F } } #endif if (is_macosx && !skipSystemValidators) { // Attempt to use OSX certificates // Ideally we should return the SecTrustResult OSX509Certificates.SecTrustResult trustResult = OSX509Certificates.SecTrustResult.Deny; try { trustResult = OSX509Certificates.TrustEvaluateSsl(certs, host); // We could use the other values of trustResult to pass this extra information // to the .NET 2 callback for values like SecTrustResult.Confirm result = (trustResult == OSX509Certificates.SecTrustResult.Proceed || trustResult == OSX509Certificates.SecTrustResult.Unspecified); } catch { // Ignore } if (result) { // TrustEvaluateSsl was successful so there's no trust error // IOW we discard our own chain (since we trust OSX one instead) errors = 0; } else { // callback and DefaultCertificatePolicy needs this since 'result' is not specified status11 = (int)trustResult; errors |= SslPolicyErrors.RemoteCertificateChainErrors; } } #if MONODROID && SECURITY_DEP if (!skipSystemValidators) { result = AndroidPlatform.TrustEvaluateSsl(certs, sender, leaf, chain, errors); if (result) { // chain.Build() + GetErrorsFromChain() (above) will ALWAYS fail on // Android (there are no mozroots or preinstalled root certificates), // thus `errors` will ALWAYS have RemoteCertificateChainErrors. // Android just verified the chain; clear RemoteCertificateChainErrors. errors &= ~SslPolicyErrors.RemoteCertificateChainErrors; } } #endif if (policy != null && (!(policy is DefaultCertificatePolicy) || certValidationCallback == null)) { ServicePoint sp = null; if (request != null) { sp = request.ServicePointNoLock; } if (status11 == 0 && errors != 0) { status11 = GetStatusFromChain(chain); } // pre 2.0 callback result = policy.CheckValidationResult(sp, leaf, request, status11); user_denied = !result && !(policy is DefaultCertificatePolicy); } // If there's a 2.0 callback, it takes precedence if (hasCallback) { if (callbackWrapper != null) { result = callbackWrapper.Invoke(certValidationCallback, leaf, chain, (MonoSslPolicyErrors)errors); } else { result = certValidationCallback.Invoke(sender, leaf, chain, errors); } user_denied = !result; } return(new ValidationResult(result, user_denied, status11, (MonoSslPolicyErrors)errors)); }
ValidationResult ValidateChain(string host, bool server, X509Certificate leaf, ref X509Chain chain, X509CertificateCollection certs, SslPolicyErrors errors) { // user_denied is true if the user callback is called and returns false bool user_denied = false; bool result = false; var hasCallback = certValidationCallback != null || callbackWrapper != null; if (tlsStream != null) { request.ServicePoint.UpdateServerCertificate(leaf); } if (leaf == null) { errors |= SslPolicyErrors.RemoteCertificateNotAvailable; if (hasCallback) { if (callbackWrapper != null) { result = callbackWrapper.Invoke(certValidationCallback, leaf, null, (MonoSslPolicyErrors)errors); } else { result = certValidationCallback.Invoke(sender, leaf, null, errors); } user_denied = !result; } return(new ValidationResult(result, user_denied, 0, (MonoSslPolicyErrors)errors)); } // Ignore port number when validating certificates. if (!string.IsNullOrEmpty(host)) { var pos = host.IndexOf(':'); if (pos > 0) { host = host.Substring(0, pos); } } ICertificatePolicy policy = ServicePointManager.GetLegacyCertificatePolicy(); int status11 = 0; // Error code passed to the obsolete ICertificatePolicy callback bool wantsChain = SystemCertificateValidator.NeedsChain(settings); if (!wantsChain && hasCallback) { if (settings == null || settings.CallbackNeedsCertificateChain) { wantsChain = true; } } var xerrors = (MonoSslPolicyErrors)errors; result = provider.ValidateCertificate(this, host, server, certs, wantsChain, ref chain, ref xerrors, ref status11); errors = (SslPolicyErrors)xerrors; if (status11 == 0 && errors != 0) { // TRUST_E_FAIL status11 = unchecked ((int)0x800B010B); } if (policy != null && (!(policy is DefaultCertificatePolicy) || certValidationCallback == null)) { ServicePoint sp = null; if (request != null) { sp = request.ServicePointNoLock; } // pre 2.0 callback result = policy.CheckValidationResult(sp, leaf, request, status11); user_denied = !result && !(policy is DefaultCertificatePolicy); } // If there's a 2.0 callback, it takes precedence if (hasCallback) { if (callbackWrapper != null) { result = callbackWrapper.Invoke(certValidationCallback, leaf, chain, (MonoSslPolicyErrors)errors); } else { result = certValidationCallback.Invoke(sender, leaf, chain, errors); } user_denied = !result; } return(new ValidationResult(result, user_denied, status11, (MonoSslPolicyErrors)errors)); }
public static HttpWebRequest StartRequest(string url) { if (oldpol == null) oldpol = ServicePointManager.CertificatePolicy; ServicePointManager.CertificatePolicy = new BlindlyAccept(); HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url); SetRequest(req); return (req); }
internal ValidationResult ValidateChain(Mono.Security.X509.X509CertificateCollection certs) { bool user_denied = false; if (certs == null || certs.Count == 0) { return(null); } ICertificatePolicy certificatePolicy = ServicePointManager.CertificatePolicy; System.Net.Security.RemoteCertificateValidationCallback serverCertificateValidationCallback = ServicePointManager.ServerCertificateValidationCallback; System.Security.Cryptography.X509Certificates.X509Chain x509Chain = new System.Security.Cryptography.X509Certificates.X509Chain(); x509Chain.ChainPolicy = new System.Security.Cryptography.X509Certificates.X509ChainPolicy(); for (int i = 1; i < certs.Count; i++) { System.Security.Cryptography.X509Certificates.X509Certificate2 certificate = new System.Security.Cryptography.X509Certificates.X509Certificate2(certs[i].RawData); x509Chain.ChainPolicy.ExtraStore.Add(certificate); } System.Security.Cryptography.X509Certificates.X509Certificate2 x509Certificate = new System.Security.Cryptography.X509Certificates.X509Certificate2(certs[0].RawData); int num = 0; System.Net.Security.SslPolicyErrors sslPolicyErrors = System.Net.Security.SslPolicyErrors.None; try { if (!x509Chain.Build(x509Certificate)) { sslPolicyErrors |= ServicePointManager.ChainValidationHelper.GetErrorsFromChain(x509Chain); } } catch (Exception arg) { Console.Error.WriteLine("ERROR building certificate chain: {0}", arg); Console.Error.WriteLine("Please, report this problem to the Mono team"); sslPolicyErrors |= System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors; } if (!ServicePointManager.ChainValidationHelper.CheckCertificateUsage(x509Certificate)) { sslPolicyErrors |= System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors; num = -2146762490; } if (!ServicePointManager.ChainValidationHelper.CheckServerIdentity(certs[0], this.Host)) { sslPolicyErrors |= System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch; num = -2146762481; } bool flag = false; try { OSX509Certificates.SecTrustResult secTrustResult = OSX509Certificates.TrustEvaluateSsl(certs); flag = (secTrustResult == OSX509Certificates.SecTrustResult.Proceed || secTrustResult == OSX509Certificates.SecTrustResult.Unspecified); } catch { } if (flag) { num = 0; sslPolicyErrors = System.Net.Security.SslPolicyErrors.None; } if (certificatePolicy != null && (!(certificatePolicy is DefaultCertificatePolicy) || serverCertificateValidationCallback == null)) { ServicePoint srvPoint = null; HttpWebRequest httpWebRequest = this.sender as HttpWebRequest; if (httpWebRequest != null) { srvPoint = httpWebRequest.ServicePoint; } if (num == 0 && sslPolicyErrors != System.Net.Security.SslPolicyErrors.None) { num = ServicePointManager.ChainValidationHelper.GetStatusFromChain(x509Chain); } flag = certificatePolicy.CheckValidationResult(srvPoint, x509Certificate, httpWebRequest, num); user_denied = (!flag && !(certificatePolicy is DefaultCertificatePolicy)); } if (serverCertificateValidationCallback != null) { flag = serverCertificateValidationCallback(this.sender, x509Certificate, x509Chain, sslPolicyErrors); user_denied = !flag; } return(new ValidationResult(flag, user_denied, num)); }
ValidationResult ValidateChain(string host, XX509CertificateCollection certs, SslPolicyErrors errors) { // user_denied is true if the user callback is called and returns false bool user_denied = false; bool result = false; var hasCallback = certValidationCallback != null || callbackWrapper != null; var anchors = settings != null ? settings.TrustAnchors : null; var systemValidator = GetSystemCertificateValidator(); X509Certificate leaf; if (certs == null || certs.Count == 0) { leaf = null; } else { leaf = certs [0]; } if (tlsStream != null) { request.ServicePoint.SetServerCertificate(leaf); } if (leaf == null) { errors |= SslPolicyErrors.RemoteCertificateNotAvailable; if (hasCallback) { if (callbackWrapper != null) { result = callbackWrapper.Invoke(certValidationCallback, leaf, null, (MonoSslPolicyErrors)errors); } else { result = certValidationCallback.Invoke(sender, leaf, null, errors); } user_denied = !result; } return(new ValidationResult(result, user_denied, 0, (MonoSslPolicyErrors)errors)); } bool needsChain; bool skipSystemValidators = false; if (!CertificateValidationHelper.SupportsX509Chain || is_mobile || is_macosx) { needsChain = false; } else if (settings != null) { skipSystemValidators = settings.SkipSystemValidators; needsChain = !settings.SkipSystemValidators || settings.CallbackNeedsCertificateChain; } else { needsChain = true; } ICertificatePolicy policy = ServicePointManager.GetLegacyCertificatePolicy(); int status11 = 0; // Error code passed to the obsolete ICertificatePolicy callback X509Chain chain = null; #if !MOBILE if (needsChain) { chain = systemValidator.ComputeX509Chain(certs, ref errors, ref status11); } #endif systemValidator.CheckUsage(certs, host, ref errors, ref status11); if (!skipSystemValidators) { result = systemValidator.EvaluateSystem(certs, anchors, host, chain, ref errors, ref status11); } if (policy != null && (!(policy is DefaultCertificatePolicy) || certValidationCallback == null)) { ServicePoint sp = null; if (request != null) { sp = request.ServicePointNoLock; } if (status11 == 0 && errors != 0) { // TRUST_E_FAIL status11 = unchecked ((int)0x800B010B); } // pre 2.0 callback result = policy.CheckValidationResult(sp, leaf, request, status11); user_denied = !result && !(policy is DefaultCertificatePolicy); } // If there's a 2.0 callback, it takes precedence if (hasCallback) { if (callbackWrapper != null) { result = callbackWrapper.Invoke(certValidationCallback, leaf, chain, (MonoSslPolicyErrors)errors); } else { result = certValidationCallback.Invoke(sender, leaf, chain, errors); } user_denied = !result; } return(new ValidationResult(result, user_denied, status11, (MonoSslPolicyErrors)errors)); }
internal PolicyWrapper(ICertificatePolicy policy, ServicePoint sp, WebRequest wr) { this.fwdPolicy = policy; this.srvPoint = sp; this.request = wr; }
ValidationResult ValidateChain(string host, bool server, XX509CertificateCollection certs, SslPolicyErrors errors) { // user_denied is true if the user callback is called and returns false bool user_denied = false; bool result = false; var hasCallback = certValidationCallback != null || callbackWrapper != null; X509Certificate leaf; if (certs == null || certs.Count == 0) { leaf = null; } else { leaf = certs [0]; } if (tlsStream != null) { request.ServicePoint.SetServerCertificate(leaf); } if (leaf == null) { errors |= SslPolicyErrors.RemoteCertificateNotAvailable; if (hasCallback) { if (callbackWrapper != null) { result = callbackWrapper.Invoke(certValidationCallback, leaf, null, (MonoSslPolicyErrors)errors); } else { result = certValidationCallback.Invoke(sender, leaf, null, errors); } user_denied = !result; } return(new ValidationResult(result, user_denied, 0, (MonoSslPolicyErrors)errors)); } ICertificatePolicy policy = ServicePointManager.GetLegacyCertificatePolicy(); int status11 = 0; // Error code passed to the obsolete ICertificatePolicy callback X509Chain chain = null; bool wantsChain = SystemCertificateValidator.NeedsChain(settings); if (!wantsChain && hasCallback) { if (settings == null || settings.CallbackNeedsCertificateChain) { wantsChain = true; } } if (wantsChain) { chain = SystemCertificateValidator.CreateX509Chain(certs); } if (wantsChain || SystemCertificateValidator.NeedsChain(settings)) { SystemCertificateValidator.BuildX509Chain(certs, chain, ref errors, ref status11); } bool providerValidated = false; if (provider != null && provider.HasCustomSystemCertificateValidator) { var xerrors = (MonoSslPolicyErrors)errors; var xchain = (XX509Chain)(object)chain; providerValidated = provider.InvokeSystemCertificateValidator(this, host, server, certs, xchain, out result, ref xerrors, ref status11); errors = (SslPolicyErrors)xerrors; } if (!providerValidated) { result = SystemCertificateValidator.Evaluate(settings, host, certs, chain, ref errors, ref status11); } if (policy != null && (!(policy is DefaultCertificatePolicy) || certValidationCallback == null)) { ServicePoint sp = null; if (request != null) { sp = request.ServicePointNoLock; } if (status11 == 0 && errors != 0) { // TRUST_E_FAIL status11 = unchecked ((int)0x800B010B); } // pre 2.0 callback result = policy.CheckValidationResult(sp, leaf, request, status11); user_denied = !result && !(policy is DefaultCertificatePolicy); } // If there's a 2.0 callback, it takes precedence if (hasCallback) { if (callbackWrapper != null) { result = callbackWrapper.Invoke(certValidationCallback, leaf, chain, (MonoSslPolicyErrors)errors); } else { result = certValidationCallback.Invoke(sender, leaf, chain, errors); } user_denied = !result; } return(new ValidationResult(result, user_denied, status11, (MonoSslPolicyErrors)errors)); }
// Used when the obsolete ICertificatePolicy is set to DefaultCertificatePolicy // and the new ServerCertificateValidationCallback is not null internal ValidationResult ValidateChain(Mono.Security.X509.X509CertificateCollection certs) { // user_denied is true if the user callback is called and returns false bool user_denied = false; if (certs == null || certs.Count == 0) { return(null); } ICertificatePolicy policy = ServicePointManager.CertificatePolicy; RemoteCertificateValidationCallback cb = ServicePointManager.ServerCertificateValidationCallback; X509Chain chain = new X509Chain(); chain.ChainPolicy = new X509ChainPolicy(); for (int i = 1; i < certs.Count; i++) { X509Certificate2 c2 = new X509Certificate2(certs [i].RawData); chain.ChainPolicy.ExtraStore.Add(c2); } X509Certificate2 leaf = new X509Certificate2(certs [0].RawData); int status11 = 0; // Error code passed to the obsolete ICertificatePolicy callback SslPolicyErrors errors = 0; try { if (!chain.Build(leaf)) { errors |= GetErrorsFromChain(chain); } } catch (Exception e) { Console.Error.WriteLine("ERROR building certificate chain: {0}", e); Console.Error.WriteLine("Please, report this problem to the Mono team"); errors |= SslPolicyErrors.RemoteCertificateChainErrors; } if (!CheckCertificateUsage(leaf)) { errors |= SslPolicyErrors.RemoteCertificateChainErrors; status11 = -2146762490; //CERT_E_PURPOSE 0x800B0106 } if (!CheckServerIdentity(certs [0], Host)) { errors |= SslPolicyErrors.RemoteCertificateNameMismatch; status11 = -2146762481; // CERT_E_CN_NO_MATCH 0x800B010F } bool result = false; // No certificate root found means no mozroots or monotouch #if !MONOTOUCH if (is_macosx) { #endif // Attempt to use OSX certificates // Ideally we should return the SecTrustResult MSX.OSX509Certificates.SecTrustResult trustResult; try { trustResult = MSX.OSX509Certificates.TrustEvaluateSsl(certs); // We could use the other values of trustResult to pass this extra information // to the .NET 2 callback for values like SecTrustResult.Confirm result = (trustResult == MSX.OSX509Certificates.SecTrustResult.Proceed || trustResult == MSX.OSX509Certificates.SecTrustResult.Unspecified); } catch { // Ignore } // Clear error status if the OS told us to trust the certificate if (result) { status11 = 0; errors = 0; } #if !MONOTOUCH } #endif if (policy != null && (!(policy is DefaultCertificatePolicy) || cb == null)) { ServicePoint sp = null; HttpWebRequest req = sender as HttpWebRequest; if (req != null) { sp = req.ServicePoint; } if (status11 == 0 && errors != 0) { status11 = GetStatusFromChain(chain); } // pre 2.0 callback result = policy.CheckValidationResult(sp, leaf, req, status11); user_denied = !result && !(policy is DefaultCertificatePolicy); } // If there's a 2.0 callback, it takes precedence if (cb != null) { result = cb(sender, leaf, chain, errors); user_denied = !result; } return(new ValidationResult(result, user_denied, status11)); }
private static void GenerateSigningCertificate(ICertificatePolicy certificatePolicy, out string thumbprint, out string pemPublicCert, out byte[] pkcs12Data, out System.Security.Cryptography.X509Certificates.X509Certificate2 x509Certificate2) { // Generating Random Numbers var randomGenerator = new CryptoApiRandomGenerator(); var random = new SecureRandom(randomGenerator); var kpgen = new RsaKeyPairGenerator(); kpgen.Init(new KeyGenerationParameters(random, 2048)); var subjectKeyPair = kpgen.GenerateKeyPair(); var gen = new X509V3CertificateGenerator(); X509Name certName; if (certificatePolicy.X509NameDictionary == null || !certificatePolicy.X509NameDictionary.Any()) { certName = new X509Name("CN=" + certificatePolicy.CommonName); } else { var list = new Dictionary<string, string>(); AddSubjectNameItem(list, "CN", certificatePolicy.CommonName); foreach (var item in certificatePolicy.X509NameDictionary) { AddSubjectNameItem(list, item.Key, item.Value); } certName = new X509Name(GetSubjectNameItemString(list)); } BigInteger serialNo; serialNo = BigInteger.ProbablePrime(120, random); gen.SetSerialNumber(serialNo); gen.SetSubjectDN(certName); gen.SetIssuerDN(certName); gen.SetNotBefore(DateTime.UtcNow.AddHours(-2)); // go back 2 hours just to be safe gen.SetNotAfter(DateTime.UtcNow.AddDays(certificatePolicy.ValidForDays)); gen.SetSignatureAlgorithm("SHA256WithRSA"); gen.SetPublicKey(subjectKeyPair.Public); gen.AddExtension( X509Extensions.BasicConstraints.Id, true, new BasicConstraints(false)); gen.AddExtension(X509Extensions.KeyUsage.Id, true, new KeyUsage(KeyUsage.DigitalSignature)); // handle our key purposes if (!certificatePolicy.AllPurposes) { var purposes = new List<KeyPurposeID>(); if (certificatePolicy.ServerAuthentication) { purposes.Add(KeyPurposeID.IdKPServerAuth); } if (certificatePolicy.ClientAuthentication) { purposes.Add(KeyPurposeID.IdKPClientAuth); } if (certificatePolicy.CodeSigning) { purposes.Add(KeyPurposeID.IdKPCodeSigning); } if (purposes.Any()) { gen.AddExtension( X509Extensions.ExtendedKeyUsage.Id, true, new ExtendedKeyUsage(purposes.ToArray())); } } var certificate = gen.Generate(subjectKeyPair.Private, random); PrivateKeyInfo info = PrivateKeyInfoFactory.CreatePrivateKeyInfo(subjectKeyPair.Private); var seq = (Asn1Sequence)Asn1Object.FromByteArray(info.PrivateKey.GetDerEncoded()); if (seq.Count != 9) { throw new PemException("Malformed sequence in RSA private key."); } var rsa = new RsaPrivateKeyStructure(seq); RsaPrivateCrtKeyParameters rsaparams = new RsaPrivateCrtKeyParameters( rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent, rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2, rsa.Coefficient); // this is exportable to get the bytes of the key to our file system in an encrypted manner RSAParameters rsaParameters = DotNetUtilities.ToRSAParameters(rsaparams); CspParameters cspParameters = new CspParameters(); cspParameters.KeyContainerName = Guid.NewGuid().ToString(); RSACryptoServiceProvider rsaKey = new RSACryptoServiceProvider(2048, cspParameters); rsaKey.PersistKeyInCsp = false; // do not persist rsaKey.ImportParameters(rsaParameters); var x509 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificate.GetEncoded()); x509.PrivateKey = rsaKey; // this is non-exportable CspParameters cspParametersNoExport = new CspParameters(); cspParametersNoExport.KeyContainerName = Guid.NewGuid().ToString(); cspParametersNoExport.Flags = CspProviderFlags.UseNonExportableKey; RSACryptoServiceProvider rsaKey2 = new RSACryptoServiceProvider(2048, cspParametersNoExport); rsaKey2.PersistKeyInCsp = false; // do not persist rsaKey2.ImportParameters(rsaParameters); x509Certificate2 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificate.GetEncoded()); x509Certificate2.PrivateKey = rsaKey2; //// Generating Random Numbers //var chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-()#$%^&@+=!"; //var rnd = new Random(); //password = new string( // Enumerable.Repeat(chars, 15) // .Select(s => s[rnd.Next(s.Length)]) // .ToArray()); thumbprint = x509.Thumbprint.ToLower(); var publicKeyPem = new StringBuilder(); var utf8WithoutBom = new System.Text.UTF8Encoding(false); var publicKeyPemWriter = new PemWriter(new StringWriterWithEncoding(publicKeyPem, utf8WithoutBom)); publicKeyPemWriter.WriteObject(certificate); publicKeyPemWriter.Writer.Flush(); pemPublicCert = publicKeyPem.ToString(); pemPublicCert = pemPublicCert.Replace(Environment.NewLine, "\n"); //only use newline and not returns pkcs12Data = x509.Export(System.Security.Cryptography.X509Certificates.X509ContentType.Pfx); }