///////////////////////////////////////////////////////////////////////
private static void DisableLegacyCertificatePolicy()
{
lock (syncRoot) /* TRANSACTIONAL */
{
//
// NOTE: Restore the previously saved certificate policy,
// if any.
//
if (!haveSavedCertificatePolicy)
{
return;
}
//
// NOTE: Restore the saved ICertificatePolicy.
//
ServicePointManager.CertificatePolicy = savedCertificatePolicy;
//
// NOTE: Clear the saved ICertificatePolicy.
//
haveSavedCertificatePolicy = false;
savedCertificatePolicy = null;
}
}
/// <summary>
/// Check Connection
/// </summary>
void CheckConnection()
{
Console.Write("Checking connection...");
// swap policy
ICertificatePolicy policy = ServicePointManager.CertificatePolicy;
ServicePointManager.CertificatePolicy = new TrustAllCertificatePolicy();
UriBuilder url = new UriBuilder(simiasUrl.Value);
url.Path = "/simias10/iFolderAdmin.asmx?WSDL";
// connect
HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(url.Uri);
try
{
request.GetResponse();
Console.WriteLine("Done");
}
catch
{
Console.WriteLine("Failed");
}
// restore policy
ServicePointManager.CertificatePolicy = policy;
}
public CimomRequest(string uri, ICertificatePolicy certificatePolicy)
{
// Build a CimomRequest off of a new HttpRequest
httpReq = (HttpWebRequest)WebRequest.Create(uri);
httpReq.KeepAlive = true; //Needed for https connections
// The namespace needs a 2 digit number between 00 and 99
nameSpaceValue = rand.Next(10).ToString() + rand.Next(10).ToString();
// Setup the http request
httpReq.PreAuthenticate = false;
httpReq.ProtocolVersion = HttpVersion.Version11;
httpReq.Method = "POST";
httpReq.ContentType = "application/xml;charset=\"UTF-8\"";
httpReq.Accept = "text/html, text/xml, application/xml";
ServicePointManager.Expect100Continue = false;
// I get an "Unknown Extension URI" when I try to use this URL :(
//Headers.Add("Man", "http://www.dmtf.org/standards/documents/WBEM/DSP200.html;ns=" + nameSpaceValue);
// Add the Http/CIM headers
//Headers.Add("Man", "http://www.dmtf.org/cim/mapping/http/v1.0;ns=" + nameSpaceValue);
Headers.Add("CIMProtocolVersion", "1.0");
if (certificatePolicy == null)
ServicePointManager.CertificatePolicy = new AcceptAllCertificatePolicy();
else
ServicePointManager.CertificatePolicy = certificatePolicy;
}
static CertificatePolicy()
{
_certs = new Hashtable();
_sync = new object();
_old_policy = ServicePointManager.CertificatePolicy;
ServicePointManager.CertificatePolicy = new CertificatePolicy();
}
static CertificatePolicy()
{
_certs = new Hashtable();
_sync = new object();
_old_policy = ServicePointManager.CertificatePolicy;
ServicePointManager.CertificatePolicy = new CertificatePolicy();
}
public static void Restore()
{
Logger.Warn("Restoring SSL verification!");
ServicePointManager.ServerCertificateValidationCallback = ServerCertificateValidationCallbackBackup;
ServicePointManager.CertificatePolicy = CertificatePolicyBackup;
CertificatePolicyBackup = null; ServerCertificateValidationCallbackBackup = null;
Logger.Warn("Restored SSL verification!");
}
public SslProxyFactory(IViewAccessAdapter viewAdapter)
{
ErrorLog.Singleton.LogSuccess("enter Ssl fac");
_rsProxy = new ReportingService();
ErrorLog.Singleton.LogSuccess("initialize ReportingService");
_policy = new SslValidation(viewAdapter);
ErrorLog.Singleton.LogSuccess("initialize SslValidation");
}
public static void Disable()
{
Logger.Warn("Disabling SSL verification!");
CertificatePolicyBackup = ServicePointManager.CertificatePolicy;
ServerCertificateValidationCallbackBackup = ServicePointManager.ServerCertificateValidationCallback;
ServicePointManager.CertificatePolicy = new NoCheckCertificatePolicy();
ServicePointManager.ServerCertificateValidationCallback = CertificateValidationCallback;
Logger.Warn("Disabled SSL verification!");
}
public HttpClient(ICertificatePolicy certificatePolicy)
{
if (certificatePolicy != null)
{
#pragma warning disable 0618
ServicePointManager.CertificatePolicy = certificatePolicy;
#pragma warning restore 0618
}
}
static ServicePointManager()
{
servicePoints = new HybridDictionary();
policy = new DefaultCertificatePolicy();
defaultConnectionLimit = 2;
maxServicePointIdleTime = 900000;
maxServicePoints = 0;
_checkCRL = false;
_securityProtocol = (SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls);
expectContinue = true;
}
//public CertificatePolicy(Dictionary<string, string> x509NameDictionary)
//{
// // don't bother initializing if no data
// if (x509NameDictionary != null && !x509NameDictionary.Any())
// {
// this.X509NameDictionary = null;
// }
// else
// {
// this.X509NameDictionary = x509NameDictionary;
// }
//}
public void Load(ICertificatePolicy input)
{
this.CommonName = input.CommonName;
this.ValidForDays = input.ValidForDays;
this.CertificateAuthorityThumbprint = input.CertificateAuthorityThumbprint;
this.X509NameDictionary = input.X509NameDictionary;
this.ClientAuthentication = input.ClientAuthentication;
this.ServerAuthentication = input.ServerAuthentication;
this.CodeSigning = input.CodeSigning;
this.AllPurposes = input.AllPurposes;
}
public HttpClient(ICertificatePolicy certificatePolicy)
{
if (certificatePolicy != null)
{
#pragma warning disable 0618
ServicePointManager.CertificatePolicy = certificatePolicy;
#pragma warning restore 0618
}
this.TimeProvider = new TimeProvider();
}
//public CertificatePolicy(Dictionary<string, string> x509NameDictionary)
//{
// // don't bother initializing if no data
// if (x509NameDictionary != null && !x509NameDictionary.Any())
// {
// this.X509NameDictionary = null;
// }
// else
// {
// this.X509NameDictionary = x509NameDictionary;
// }
//}
public void Load(ICertificatePolicy input)
{
this.CommonName = input.CommonName;
this.ValidForDays = input.ValidForDays;
this.CertificateAuthorityThumbprint = input.CertificateAuthorityThumbprint;
this.X509NameDictionary = input.X509NameDictionary;
this.ClientAuthentication = input.ClientAuthentication;
this.ServerAuthentication = input.ServerAuthentication;
this.CodeSigning = input.CodeSigning;
this.AllPurposes = input.AllPurposes;
}
public HttpClient(ICertificatePolicy certificatePolicy, IReynaLogger logger)
{
if (certificatePolicy != null)
{
#pragma warning disable 0618
ServicePointManager.CertificatePolicy = certificatePolicy;
#pragma warning restore 0618
}
this.TimeProvider = new TimeProvider();
this.Logger = logger;
this.StatusGetter = new HttpStatusGetter();
}
public static string Send(string http_payload, Encoding enc, int timeout, out HttpWebResponse responseOut)
{
// variabel för indata
StringBuilder sb = new StringBuilder();
// buffer för inläsning
byte[] buf = new byte[8092];
#pragma warning disable 618
// ServicePointManager.CertificatePolicy is obsoleted, but is the only thing that works on both windows and mono.
//Needed to avoid errors from homegrown SSL cert.
ICertificatePolicy oldPolicy = ServicePointManager.CertificatePolicy;
ServicePointManager.CertificatePolicy = new HTTPSender();
// anropa websidan med aktuella data
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(http_payload);
if (timeout > -1)
{
request.Timeout = timeout;
}
// ta emot svarskoder
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
responseOut = response;
ServicePointManager.CertificatePolicy = oldPolicy;
#pragma warning restore 618
// läs in dataströmmen via responsmetoden
Stream resStream = response.GetResponseStream();
string tempString = null;
int count = 0;
do
{
// fyll bufferten
count = resStream.Read(buf, 0, buf.Length);
// kontrollera att data finns att läsa
if (count != 0)
{
// koda som ISO text
tempString = enc.GetString(buf, 0, count);
// bygg upp svarssträngen
sb.Append(tempString);
}
} while (count > 0); // finns mer data att läsa?
return(tempString);
}
public static void CertificatePolicy_Roundtrips()
{
ICertificatePolicy cp = ServicePointManager.CertificatePolicy;
Assert.NotNull(cp);
Assert.True(cp.CheckValidationResult(null, null, null, 0));
Assert.False(cp.CheckValidationResult(null, null, null, 1));
ServicePointManager.CertificatePolicy = null;
Assert.Null(ServicePointManager.CertificatePolicy);
ServicePointManager.CertificatePolicy = cp;
Assert.Same(cp, ServicePointManager.CertificatePolicy);
}
public static void CertificatePolicy_Roundtrips()
{
#pragma warning disable CS0618 // obsolete warnings
ICertificatePolicy cp = ServicePointManager.CertificatePolicy;
Assert.NotNull(cp);
Assert.True(cp.CheckValidationResult(null, null, null, 0));
Assert.False(cp.CheckValidationResult(null, null, null, 1));
ServicePointManager.CertificatePolicy = null;
Assert.Null(ServicePointManager.CertificatePolicy);
ServicePointManager.CertificatePolicy = cp;
Assert.Same(cp, ServicePointManager.CertificatePolicy);
#pragma warning restore CS0619
}
///////////////////////////////////////////////////////////////////////
private static void EnableLegacyCertificatePolicy()
{
lock (syncRoot) /* TRANSACTIONAL */
{
//
// NOTE: First, save the current certificate policy for
// possible later restoration.
//
savedCertificatePolicy = ServicePointManager.CertificatePolicy;
haveSavedCertificatePolicy = true;
//
// NOTE: Next, set the certificate policy to the one we
// use for software updates.
//
ServicePointManager.CertificatePolicy = certificatePolicy;
}
}
public void TrustUsingOldPolicy()
{
// Three similar tests exists in dontlink, linkall and linksdk to test 3 different cases
// untrusted, custom ICertificatePolicy and ServerCertificateValidationCallback without
// having caching issues (in S.Net or the SSL handshake cache)
ICertificatePolicy old = ServicePointManager.CertificatePolicy;
try {
ServicePointManager.CertificatePolicy = test_policy;
WebClient wc = new WebClient();
Assert.IsNotNull(wc.DownloadString("https://wrench.internalx.com/Wrench/Login.aspx"));
// caching means it will be called at least for the first run, but it might not
// be called again in subsequent requests (unless it expires)
Assert.That(test_policy.CheckCount, Is.GreaterThan(0), "policy checked");
}
finally {
ServicePointManager.CertificatePolicy = old;
}
}
public ReynaService(byte[] password, ICertificatePolicy certificatePolicy)
{
this.Password = password;
this.VolatileStore = new InMemoryQueue();
this.PersistentStore = new SQLiteRepository(password);
this.HttpClient = new HttpClient(certificatePolicy);
this.EncryptionChecker = new EncryptionChecker();
this.StoreWaitHandle = new AutoResetEventAdapter(false);
this.ForwardWaitHandle = new AutoResetEventAdapter(false);
this.NetworkWaitHandle = new NamedWaitHandle(false, Reyna.NetworkStateService.NetworkConnectedNamedEvent);
this.SystemNotifier = new SystemNotifier();
this.NetworkStateService = new NetworkStateService(this.SystemNotifier, this.NetworkWaitHandle);
this.StoreService = new StoreService(this.VolatileStore, this.PersistentStore, this.StoreWaitHandle);
this.ForwardService = new ForwardService(this.PersistentStore, this.HttpClient, this.NetworkStateService, this.ForwardWaitHandle, Preferences.ForwardServiceTemporaryErrorBackout, Preferences.ForwardServiceMessageBackout);
}
public void TrustUsingOldPolicy()
{
#if __WATCHOS__
Assert.Ignore("WatchOS doesn't support BSD sockets, which our network stack currently requires.");
#endif
// Three similar tests exists in dontlink, linkall and linksdk to test 3 different cases
// untrusted, custom ICertificatePolicy and ServerCertificateValidationCallback without
// having caching issues (in S.Net or the SSL handshake cache)
ICertificatePolicy old = ServicePointManager.CertificatePolicy;
try {
ServicePointManager.CertificatePolicy = test_policy;
WebClient wc = new WebClient();
Assert.IsNotNull(wc.DownloadString(NetworkResources.XamarinUrl));
// caching means it will be called at least for the first run, but it might not
// be called again in subsequent requests (unless it expires)
Assert.That(test_policy.CheckCount, Is.GreaterThan(0), "policy checked");
} finally {
ServicePointManager.CertificatePolicy = old;
}
}
public ReynaService(byte[] password, ICertificatePolicy certificatePolicy, bool useNetworkState, IReynaLogger logger)
{
this.Password = password;
this.Logger = logger;
this.PersistentStore = new SQLiteRepository(password);
this.HttpClient = new HttpClient(certificatePolicy);
this.EncryptionChecker = new EncryptionChecker();
this.ForwardWaitHandle = new AutoResetEventAdapter(false);
if (useNetworkState)
{
this.SystemNotifier = new SystemNotifier();
this.NetworkWaitHandle = new NamedWaitHandle(false, Reyna.NetworkStateService.NetworkConnectedNamedEvent);
this.NetworkStateService = new NetworkStateService(this.SystemNotifier, this.NetworkWaitHandle);
}
var preferences = new Preferences();
this.StoreService = new StoreService(this.PersistentStore, logger);
this.ForwardService = new ForwardService(this.PersistentStore, this.HttpClient, this.NetworkStateService, this.ForwardWaitHandle, Preferences.ForwardServiceTemporaryErrorBackout, Preferences.ForwardServiceMessageBackout, preferences.BatchUpload, logger);
}
private const long MinimumStorageLimit = 1867776; // 1Mb 800Kb
public ReynaService(byte[] password, ICertificatePolicy certificatePolicy, bool useNetworkState, IReynaLogger logger)
{
this.Password = password;
this.Logger = logger;
this.PersistentStore = new SQLiteRepository(logger, password);
this.HttpClient = new HttpClient(certificatePolicy, logger);
this.EncryptionChecker = new EncryptionChecker();
this.ForwardWaitHandle = new AutoResetEventAdapter(false);
if (useNetworkState)
{
this.SystemNotifier = new SystemNotifier();
this.NetworkWaitHandle = new NamedWaitHandle(false, Reyna.NetworkStateService.NetworkConnectedNamedEvent);
this.NetworkStateService = new NetworkStateService(this.SystemNotifier, this.NetworkWaitHandle);
}
var preferences = new Preferences();
this.StoreService = new StoreService(this.PersistentStore, logger);
this.ForwardService = new ForwardService(this.PersistentStore, this.HttpClient, this.NetworkStateService, this.ForwardWaitHandle, Preferences.ForwardServiceTemporaryErrorBackout, Preferences.ForwardServiceMessageBackout, preferences.BatchUpload, logger);
}
//private X509Certificate2 _x5092;
#region properties
#endregion
#region .ctors
#endregion
#region methods
public async Task<ProtectedX509Certificate2> IssueNewCertificateAsync(IPublicKey keyProtector, ICertificatePolicy certificatePolicy)
{
if (keyProtector == null)
{
throw new ArgumentNullException("keyProtectorPublicKey");
}
//if (keyProtector.PublicKey == null)
//{
// throw new ArgumentNullException("keyProtectorPublicKey.PublicKey");
//}
//var publicKeyProvider = keyProtector.PublicKey.Key as RSACryptoServiceProvider;
//if (publicKeyProvider == null)
//{
// throw new NotImplementedException("keyProtectorPublicKey.PublicKey.Key must be a valid RSACryptoServiceProvider");
//}
string thumbprint;
string pemPublicCert;
byte[] pkcs12Data;
System.Security.Cryptography.X509Certificates.X509Certificate2 x509Certificate2;
GenerateSigningCertificate(certificatePolicy, out thumbprint, out pemPublicCert, out pkcs12Data, out x509Certificate2);
// encrypt the password using our primary certificate
var encryptor = new AsymmetricEncryptor() { AsymmetricStrategy = AsymmetricStrategyOption.Aes256_1000 };
var asymEncObj = encryptor.EncryptObjectAsync(pkcs12Data, keyProtector).GetAwaiter().GetResult();
if (string.IsNullOrEmpty(asymEncObj.KeyId) || asymEncObj.KeyId.Length != 40)
{
throw new InvalidOperationException("AsymmetricEncryptor.EncryptObject returned without KeyId populated.");
}
var protectedKey = new ProtectedX509Certificate2(x509Certificate2.Thumbprint.ToLower(), asymEncObj);
return await Task.FromResult(protectedKey);
}
public ReynaService(byte[] password, ICertificatePolicy certificatePolicy, IReynaLogger logger)
: this(password, certificatePolicy, true, logger)
{
}
internal CertPolicyValidationCallback()
{
m_CertificatePolicy = new DefaultCertPolicy();
m_Context = null;
}
internal CertPolicyValidationCallback(ICertificatePolicy certificatePolicy)
{
m_CertificatePolicy = certificatePolicy;
m_Context = ExecutionContext.Capture();
}
private static void GenerateSigningCertificate(ICertificatePolicy certificatePolicy, out string thumbprint, out string pemPublicCert, out byte[] pkcs12Data, out System.Security.Cryptography.X509Certificates.X509Certificate2 x509Certificate2)
{
// Generating Random Numbers
var randomGenerator = new CryptoApiRandomGenerator();
var random = new SecureRandom(randomGenerator);
var kpgen = new RsaKeyPairGenerator();
kpgen.Init(new KeyGenerationParameters(random, 2048));
var subjectKeyPair = kpgen.GenerateKeyPair();
var gen = new X509V3CertificateGenerator();
X509Name certName;
if (certificatePolicy.X509NameDictionary == null || !certificatePolicy.X509NameDictionary.Any())
{
certName = new X509Name("CN=" + certificatePolicy.CommonName);
}
else
{
var list = new Dictionary <string, string>();
AddSubjectNameItem(list, "CN", certificatePolicy.CommonName);
foreach (var item in certificatePolicy.X509NameDictionary)
{
AddSubjectNameItem(list, item.Key, item.Value);
}
certName = new X509Name(GetSubjectNameItemString(list));
}
BigInteger serialNo;
serialNo = BigInteger.ProbablePrime(120, random);
gen.SetSerialNumber(serialNo);
gen.SetSubjectDN(certName);
gen.SetIssuerDN(certName);
gen.SetNotBefore(DateTime.UtcNow.AddHours(-2)); // go back 2 hours just to be safe
gen.SetNotAfter(DateTime.UtcNow.AddDays(certificatePolicy.ValidForDays));
gen.SetSignatureAlgorithm("SHA256WithRSA");
gen.SetPublicKey(subjectKeyPair.Public);
gen.AddExtension(
X509Extensions.BasicConstraints.Id,
true,
new BasicConstraints(false));
gen.AddExtension(X509Extensions.KeyUsage.Id,
true,
new KeyUsage(KeyUsage.DigitalSignature));
// handle our key purposes
if (!certificatePolicy.AllPurposes)
{
var purposes = new List <KeyPurposeID>();
if (certificatePolicy.ServerAuthentication)
{
purposes.Add(KeyPurposeID.IdKPServerAuth);
}
if (certificatePolicy.ClientAuthentication)
{
purposes.Add(KeyPurposeID.IdKPClientAuth);
}
if (certificatePolicy.CodeSigning)
{
purposes.Add(KeyPurposeID.IdKPCodeSigning);
}
if (purposes.Any())
{
gen.AddExtension(
X509Extensions.ExtendedKeyUsage.Id,
true,
new ExtendedKeyUsage(purposes.ToArray()));
}
}
var certificate = gen.Generate(subjectKeyPair.Private, random);
PrivateKeyInfo info = PrivateKeyInfoFactory.CreatePrivateKeyInfo(subjectKeyPair.Private);
var seq = (Asn1Sequence)Asn1Object.FromByteArray(info.PrivateKey.GetDerEncoded());
if (seq.Count != 9)
{
throw new PemException("Malformed sequence in RSA private key.");
}
var rsa = new RsaPrivateKeyStructure(seq);
RsaPrivateCrtKeyParameters rsaparams = new RsaPrivateCrtKeyParameters(
rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent, rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2, rsa.Coefficient);
// this is exportable to get the bytes of the key to our file system in an encrypted manner
RSAParameters rsaParameters = DotNetUtilities.ToRSAParameters(rsaparams);
CspParameters cspParameters = new CspParameters();
cspParameters.KeyContainerName = Guid.NewGuid().ToString();
RSACryptoServiceProvider rsaKey = new RSACryptoServiceProvider(2048, cspParameters);
rsaKey.PersistKeyInCsp = false; // do not persist
rsaKey.ImportParameters(rsaParameters);
var x509 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificate.GetEncoded());
x509.PrivateKey = rsaKey;
// this is non-exportable
CspParameters cspParametersNoExport = new CspParameters();
cspParametersNoExport.KeyContainerName = Guid.NewGuid().ToString();
cspParametersNoExport.Flags = CspProviderFlags.UseNonExportableKey;
RSACryptoServiceProvider rsaKey2 = new RSACryptoServiceProvider(2048, cspParametersNoExport);
rsaKey2.PersistKeyInCsp = false; // do not persist
rsaKey2.ImportParameters(rsaParameters);
x509Certificate2 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificate.GetEncoded());
x509Certificate2.PrivateKey = rsaKey2;
//// Generating Random Numbers
//var chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-()#$%^&@+=!";
//var rnd = new Random();
//password = new string(
// Enumerable.Repeat(chars, 15)
// .Select(s => s[rnd.Next(s.Length)])
// .ToArray());
thumbprint = x509.Thumbprint.ToLower();
var publicKeyPem = new StringBuilder();
var utf8WithoutBom = new System.Text.UTF8Encoding(false);
var publicKeyPemWriter = new PemWriter(new StringWriterWithEncoding(publicKeyPem, utf8WithoutBom));
publicKeyPemWriter.WriteObject(certificate);
publicKeyPemWriter.Writer.Flush();
pemPublicCert = publicKeyPem.ToString();
pemPublicCert = pemPublicCert.Replace(Environment.NewLine, "\n"); //only use newline and not returns
pkcs12Data = x509.Export(System.Security.Cryptography.X509Certificates.X509ContentType.Pfx);
}
internal PolicyWrapper(ICertificatePolicy policy, ServicePoint sp, WebRequest wr) {
this.fwdPolicy = policy;
srvPoint = sp;
request = wr;
}
internal CertPolicyValidationCallback()
{
m_CertificatePolicy = new DefaultCertPolicy();
m_Context = null;
}
//private X509Certificate2 _x5092;
#region properties
#endregion
#region .ctors
#endregion
#region methods
public async Task <ProtectedX509Certificate2> IssueNewCertificateAsync(IPublicKey keyProtector, ICertificatePolicy certificatePolicy)
{
if (keyProtector == null)
{
throw new ArgumentNullException("keyProtectorPublicKey");
}
//if (keyProtector.PublicKey == null)
//{
// throw new ArgumentNullException("keyProtectorPublicKey.PublicKey");
//}
//var publicKeyProvider = keyProtector.PublicKey.Key as RSACryptoServiceProvider;
//if (publicKeyProvider == null)
//{
// throw new NotImplementedException("keyProtectorPublicKey.PublicKey.Key must be a valid RSACryptoServiceProvider");
//}
string thumbprint;
string pemPublicCert;
byte[] pkcs12Data;
System.Security.Cryptography.X509Certificates.X509Certificate2 x509Certificate2;
GenerateSigningCertificate(certificatePolicy, out thumbprint, out pemPublicCert, out pkcs12Data, out x509Certificate2);
// encrypt the password using our primary certificate
var encryptor = new AsymmetricEncryptor()
{
AsymmetricStrategy = AsymmetricStrategyOption.Aes256_1000
};
var asymEncObj = encryptor.EncryptObjectAsync(pkcs12Data, keyProtector).GetAwaiter().GetResult();
if (string.IsNullOrEmpty(asymEncObj.KeyId) || asymEncObj.KeyId.Length != 40)
{
throw new InvalidOperationException("AsymmetricEncryptor.EncryptObject returned without KeyId populated.");
}
var protectedKey = new ProtectedX509Certificate2(x509Certificate2.Thumbprint.ToLower(), asymEncObj);
return(await Task.FromResult(protectedKey));
}
// Used when the obsolete ICertificatePolicy is set to DefaultCertificatePolicy
// and the new ServerCertificateValidationCallback is not null
internal ValidationResult ValidateChain(MSX.X509CertificateCollection certs)
{
// user_denied is true if the user callback is called and returns false
bool user_denied = false;
if (certs == null || certs.Count == 0)
{
return(null);
}
ICertificatePolicy policy = ServicePointManager.CertificatePolicy;
X509Certificate2 leaf = new X509Certificate2(certs [0].RawData);
int status11 = 0; // Error code passed to the obsolete ICertificatePolicy callback
SslPolicyErrors errors = 0;
X509Chain chain = null;
bool result = false;
#if MONOTOUCH
// The X509Chain is not really usable with MonoTouch (since the decision is not based on this data)
// However if someone wants to override the results (good or bad) from iOS then they will want all
// the certificates that the server provided (which generally does not include the root) so, only
// if there's a user callback, we'll create the X509Chain but won't build it
// ref: https://bugzilla.xamarin.com/show_bug.cgi?id=7245
if (ServerCertificateValidationCallback != null)
{
#endif
chain = new X509Chain();
chain.ChainPolicy = new X509ChainPolicy();
#if !MONOTOUCH
chain.ChainPolicy.RevocationMode = revocation_mode;
#endif
for (int i = 1; i < certs.Count; i++)
{
X509Certificate2 c2 = new X509Certificate2(certs [i].RawData);
chain.ChainPolicy.ExtraStore.Add(c2);
}
#if MONOTOUCH
}
#else
try {
if (!chain.Build(leaf))
{
errors |= GetErrorsFromChain(chain);
}
} catch (Exception e) {
Console.Error.WriteLine("ERROR building certificate chain: {0}", e);
Console.Error.WriteLine("Please, report this problem to the Mono team");
errors |= SslPolicyErrors.RemoteCertificateChainErrors;
}
// for OSX and iOS we're using the native API to check for the SSL server policy and host names
if (!is_macosx)
{
if (!CheckCertificateUsage(leaf))
{
errors |= SslPolicyErrors.RemoteCertificateChainErrors;
status11 = -2146762490; //CERT_E_PURPOSE 0x800B0106
}
if (!CheckServerIdentity(certs [0], host))
{
errors |= SslPolicyErrors.RemoteCertificateNameMismatch;
status11 = -2146762481; // CERT_E_CN_NO_MATCH 0x800B010F
}
}
else
{
#endif
// Attempt to use OSX certificates
// Ideally we should return the SecTrustResult
OSX509Certificates.SecTrustResult trustResult = OSX509Certificates.SecTrustResult.Deny;
try {
trustResult = OSX509Certificates.TrustEvaluateSsl(certs, host);
// We could use the other values of trustResult to pass this extra information
// to the .NET 2 callback for values like SecTrustResult.Confirm
result = (trustResult == OSX509Certificates.SecTrustResult.Proceed ||
trustResult == OSX509Certificates.SecTrustResult.Unspecified);
} catch {
// Ignore
}
if (result)
{
// TrustEvaluateSsl was successful so there's no trust error
// IOW we discard our own chain (since we trust OSX one instead)
errors = 0;
}
else
{
// callback and DefaultCertificatePolicy needs this since 'result' is not specified
status11 = (int)trustResult;
errors |= SslPolicyErrors.RemoteCertificateChainErrors;
}
#if !MONOTOUCH
}
#endif
#if MONODROID && SECURITY_DEP
result = AndroidPlatform.TrustEvaluateSsl(certs, sender, leaf, chain, errors);
if (result)
{
// chain.Build() + GetErrorsFromChain() (above) will ALWAYS fail on
// Android (there are no mozroots or preinstalled root certificates),
// thus `errors` will ALWAYS have RemoteCertificateChainErrors.
// Android just verified the chain; clear RemoteCertificateChainErrors.
errors &= ~SslPolicyErrors.RemoteCertificateChainErrors;
}
#endif
if (policy != null && (!(policy is DefaultCertificatePolicy) || cb == null))
{
ServicePoint sp = null;
HttpWebRequest req = sender as HttpWebRequest;
if (req != null)
{
sp = req.ServicePointNoLock;
}
if (status11 == 0 && errors != 0)
{
status11 = GetStatusFromChain(chain);
}
// pre 2.0 callback
result = policy.CheckValidationResult(sp, leaf, req, status11);
user_denied = !result && !(policy is DefaultCertificatePolicy);
}
// If there's a 2.0 callback, it takes precedence
if (ServerCertificateValidationCallback != null)
{
result = ServerCertificateValidationCallback(sender, leaf, chain, errors);
user_denied = !result;
}
return(new ValidationResult(result, user_denied, status11));
}
/// <summary>
/// Initializes an instance of the object.
/// </summary>
public CertPolicy()
{
defaultCertPolicy = ServicePointManager.CertificatePolicy;
ServicePointManager.CertificatePolicy = this;
}
/// <summary>
/// Setup SSL
/// </summary>
void SetupSsl()
{
Console.Write("Installing certificate...");
Uri url = new Uri(simiasUrl.Value);
if (url.Scheme == Uri.UriSchemeHttps)
{
// swap policy
ICertificatePolicy policy = ServicePointManager.CertificatePolicy;
ServicePointManager.CertificatePolicy = new TrustAllCertificatePolicy();
// connect
HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(url);
try
{
request.GetResponse();
}
catch
{
// ignore
}
// restore policy
ServicePointManager.CertificatePolicy = policy;
// service point
ServicePoint sp = request.ServicePoint;
if ((sp != null) && (sp.Certificate != null))
{
string path = Path.GetFullPath(Path.Combine(webPath, "Web.config"));
string certRawDetail = Convert.ToBase64String(sp.Certificate.GetRawCertData());
string certDetail = sp.Certificate.ToString(true);
XmlDocument doc = new XmlDocument();
doc.Load(path);
XmlElement cert = (XmlElement)doc.DocumentElement.SelectSingleNode("//configuration/appSettings/add[@key='SimiasCert']");
BoolOption iFolderCertAcc = new BoolOption("iFolder-cert-acceptance", "Accept iFolder Server Certificate", certDetail, false, true);
iFolderCertAcc.Prompt = true;
Prompt.ForOption(iFolderCertAcc);
if (iFolderCertAcc.Value == true)
{
if (cert != null)
{
cert.Attributes["value"].Value = certRawDetail;
doc.Save(path);
Console.WriteLine("Done");
}
else
{
throw new Exception(String.Format("Unable to find \"SimiasCert\" tag in the {0} file.", path));
}
}
else
{
Console.WriteLine("Failed (Install Certificate)");
throw new Exception(string.Format("User Certificate validation failed "));
}
}
else
{
throw new Exception("Unable to retrieve the certificate from the iFolder server.");
}
}
else
{
Console.WriteLine("Skipped (Not Required)");
}
}
ValidationResult ValidateChain(string host, X509Certificate2Collection certs, SslPolicyErrors errors)
{
// user_denied is true if the user callback is called and returns false
bool user_denied = false;
bool result = false;
var hasCallback = certValidationCallback != null || callbackWrapper != null;
X509Certificate2 leaf;
if (certs == null || certs.Count == 0)
{
leaf = null;
}
else
{
leaf = certs [0];
}
if (tlsStream != null)
{
request.ServicePoint.SetServerCertificate(leaf);
}
if (leaf == null)
{
errors |= SslPolicyErrors.RemoteCertificateNotAvailable;
if (hasCallback)
{
if (callbackWrapper != null)
{
result = callbackWrapper.Invoke(certValidationCallback, leaf, null, (MonoSslPolicyErrors)errors);
}
else
{
result = certValidationCallback.Invoke(sender, leaf, null, errors);
}
user_denied = !result;
}
return(new ValidationResult(result, user_denied, 0, (MonoSslPolicyErrors)errors));
}
bool needsChain;
bool skipSystemValidators = false;
if (!CertificateValidationHelper.SupportsX509Chain || is_mobile || is_macosx)
{
needsChain = false;
}
else if (settings != null)
{
skipSystemValidators = settings.SkipSystemValidators;
needsChain = !settings.SkipSystemValidators || settings.CallbackNeedsCertificateChain;
}
else
{
needsChain = true;
}
ICertificatePolicy policy = ServicePointManager.GetLegacyCertificatePolicy();
int status11 = 0; // Error code passed to the obsolete ICertificatePolicy callback
X509Chain chain = null;
if (needsChain)
{
chain = new X509Chain();
chain.ChainPolicy = new X509ChainPolicy();
#if !MONOTOUCH
chain.ChainPolicy.RevocationMode = revocation_mode;
#endif
for (int i = 1; i < certs.Count; i++)
{
chain.ChainPolicy.ExtraStore.Add(certs [i]);
}
}
#if !MONOTOUCH
if (needsChain)
{
try {
if (!chain.Build(leaf))
{
errors |= GetErrorsFromChain(chain);
}
} catch (Exception e) {
Console.Error.WriteLine("ERROR building certificate chain: {0}", e);
Console.Error.WriteLine("Please, report this problem to the Mono team");
errors |= SslPolicyErrors.RemoteCertificateChainErrors;
}
}
// for OSX and iOS we're using the native API to check for the SSL server policy and host names
if (!is_macosx)
{
if (!CheckCertificateUsage(leaf))
{
errors |= SslPolicyErrors.RemoteCertificateChainErrors;
status11 = -2146762490; //CERT_E_PURPOSE 0x800B0106
}
if (host != null && !CheckServerIdentity(leaf, host))
{
errors |= SslPolicyErrors.RemoteCertificateNameMismatch;
status11 = -2146762481; // CERT_E_CN_NO_MATCH 0x800B010F
}
}
#endif
if (is_macosx && !skipSystemValidators)
{
// Attempt to use OSX certificates
// Ideally we should return the SecTrustResult
OSX509Certificates.SecTrustResult trustResult = OSX509Certificates.SecTrustResult.Deny;
try {
trustResult = OSX509Certificates.TrustEvaluateSsl(certs, host);
// We could use the other values of trustResult to pass this extra information
// to the .NET 2 callback for values like SecTrustResult.Confirm
result = (trustResult == OSX509Certificates.SecTrustResult.Proceed ||
trustResult == OSX509Certificates.SecTrustResult.Unspecified);
} catch {
// Ignore
}
if (result)
{
// TrustEvaluateSsl was successful so there's no trust error
// IOW we discard our own chain (since we trust OSX one instead)
errors = 0;
}
else
{
// callback and DefaultCertificatePolicy needs this since 'result' is not specified
status11 = (int)trustResult;
errors |= SslPolicyErrors.RemoteCertificateChainErrors;
}
}
#if MONODROID && SECURITY_DEP
if (!skipSystemValidators)
{
result = AndroidPlatform.TrustEvaluateSsl(certs, sender, leaf, chain, errors);
if (result)
{
// chain.Build() + GetErrorsFromChain() (above) will ALWAYS fail on
// Android (there are no mozroots or preinstalled root certificates),
// thus `errors` will ALWAYS have RemoteCertificateChainErrors.
// Android just verified the chain; clear RemoteCertificateChainErrors.
errors &= ~SslPolicyErrors.RemoteCertificateChainErrors;
}
}
#endif
if (policy != null && (!(policy is DefaultCertificatePolicy) || certValidationCallback == null))
{
ServicePoint sp = null;
if (request != null)
{
sp = request.ServicePointNoLock;
}
if (status11 == 0 && errors != 0)
{
status11 = GetStatusFromChain(chain);
}
// pre 2.0 callback
result = policy.CheckValidationResult(sp, leaf, request, status11);
user_denied = !result && !(policy is DefaultCertificatePolicy);
}
// If there's a 2.0 callback, it takes precedence
if (hasCallback)
{
if (callbackWrapper != null)
{
result = callbackWrapper.Invoke(certValidationCallback, leaf, chain, (MonoSslPolicyErrors)errors);
}
else
{
result = certValidationCallback.Invoke(sender, leaf, chain, errors);
}
user_denied = !result;
}
return(new ValidationResult(result, user_denied, status11, (MonoSslPolicyErrors)errors));
}
ValidationResult ValidateChain(string host, bool server, X509Certificate leaf,
ref X509Chain chain, X509CertificateCollection certs,
SslPolicyErrors errors)
{
// user_denied is true if the user callback is called and returns false
bool user_denied = false;
bool result = false;
var hasCallback = certValidationCallback != null || callbackWrapper != null;
if (tlsStream != null)
{
request.ServicePoint.UpdateServerCertificate(leaf);
}
if (leaf == null)
{
errors |= SslPolicyErrors.RemoteCertificateNotAvailable;
if (hasCallback)
{
if (callbackWrapper != null)
{
result = callbackWrapper.Invoke(certValidationCallback, leaf, null, (MonoSslPolicyErrors)errors);
}
else
{
result = certValidationCallback.Invoke(sender, leaf, null, errors);
}
user_denied = !result;
}
return(new ValidationResult(result, user_denied, 0, (MonoSslPolicyErrors)errors));
}
// Ignore port number when validating certificates.
if (!string.IsNullOrEmpty(host))
{
var pos = host.IndexOf(':');
if (pos > 0)
{
host = host.Substring(0, pos);
}
}
ICertificatePolicy policy = ServicePointManager.GetLegacyCertificatePolicy();
int status11 = 0; // Error code passed to the obsolete ICertificatePolicy callback
bool wantsChain = SystemCertificateValidator.NeedsChain(settings);
if (!wantsChain && hasCallback)
{
if (settings == null || settings.CallbackNeedsCertificateChain)
{
wantsChain = true;
}
}
var xerrors = (MonoSslPolicyErrors)errors;
result = provider.ValidateCertificate(this, host, server, certs, wantsChain, ref chain, ref xerrors, ref status11);
errors = (SslPolicyErrors)xerrors;
if (status11 == 0 && errors != 0)
{
// TRUST_E_FAIL
status11 = unchecked ((int)0x800B010B);
}
if (policy != null && (!(policy is DefaultCertificatePolicy) || certValidationCallback == null))
{
ServicePoint sp = null;
if (request != null)
{
sp = request.ServicePointNoLock;
}
// pre 2.0 callback
result = policy.CheckValidationResult(sp, leaf, request, status11);
user_denied = !result && !(policy is DefaultCertificatePolicy);
}
// If there's a 2.0 callback, it takes precedence
if (hasCallback)
{
if (callbackWrapper != null)
{
result = callbackWrapper.Invoke(certValidationCallback, leaf, chain, (MonoSslPolicyErrors)errors);
}
else
{
result = certValidationCallback.Invoke(sender, leaf, chain, errors);
}
user_denied = !result;
}
return(new ValidationResult(result, user_denied, status11, (MonoSslPolicyErrors)errors));
}
public static HttpWebRequest StartRequest(string url)
{
if (oldpol == null)
oldpol = ServicePointManager.CertificatePolicy;
ServicePointManager.CertificatePolicy = new BlindlyAccept();
HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
SetRequest(req);
return (req);
}
internal ValidationResult ValidateChain(Mono.Security.X509.X509CertificateCollection certs)
{
bool user_denied = false;
if (certs == null || certs.Count == 0)
{
return(null);
}
ICertificatePolicy certificatePolicy = ServicePointManager.CertificatePolicy;
System.Net.Security.RemoteCertificateValidationCallback serverCertificateValidationCallback = ServicePointManager.ServerCertificateValidationCallback;
System.Security.Cryptography.X509Certificates.X509Chain x509Chain = new System.Security.Cryptography.X509Certificates.X509Chain();
x509Chain.ChainPolicy = new System.Security.Cryptography.X509Certificates.X509ChainPolicy();
for (int i = 1; i < certs.Count; i++)
{
System.Security.Cryptography.X509Certificates.X509Certificate2 certificate = new System.Security.Cryptography.X509Certificates.X509Certificate2(certs[i].RawData);
x509Chain.ChainPolicy.ExtraStore.Add(certificate);
}
System.Security.Cryptography.X509Certificates.X509Certificate2 x509Certificate = new System.Security.Cryptography.X509Certificates.X509Certificate2(certs[0].RawData);
int num = 0;
System.Net.Security.SslPolicyErrors sslPolicyErrors = System.Net.Security.SslPolicyErrors.None;
try
{
if (!x509Chain.Build(x509Certificate))
{
sslPolicyErrors |= ServicePointManager.ChainValidationHelper.GetErrorsFromChain(x509Chain);
}
}
catch (Exception arg)
{
Console.Error.WriteLine("ERROR building certificate chain: {0}", arg);
Console.Error.WriteLine("Please, report this problem to the Mono team");
sslPolicyErrors |= System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors;
}
if (!ServicePointManager.ChainValidationHelper.CheckCertificateUsage(x509Certificate))
{
sslPolicyErrors |= System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors;
num = -2146762490;
}
if (!ServicePointManager.ChainValidationHelper.CheckServerIdentity(certs[0], this.Host))
{
sslPolicyErrors |= System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch;
num = -2146762481;
}
bool flag = false;
try
{
OSX509Certificates.SecTrustResult secTrustResult = OSX509Certificates.TrustEvaluateSsl(certs);
flag = (secTrustResult == OSX509Certificates.SecTrustResult.Proceed || secTrustResult == OSX509Certificates.SecTrustResult.Unspecified);
}
catch
{
}
if (flag)
{
num = 0;
sslPolicyErrors = System.Net.Security.SslPolicyErrors.None;
}
if (certificatePolicy != null && (!(certificatePolicy is DefaultCertificatePolicy) || serverCertificateValidationCallback == null))
{
ServicePoint srvPoint = null;
HttpWebRequest httpWebRequest = this.sender as HttpWebRequest;
if (httpWebRequest != null)
{
srvPoint = httpWebRequest.ServicePoint;
}
if (num == 0 && sslPolicyErrors != System.Net.Security.SslPolicyErrors.None)
{
num = ServicePointManager.ChainValidationHelper.GetStatusFromChain(x509Chain);
}
flag = certificatePolicy.CheckValidationResult(srvPoint, x509Certificate, httpWebRequest, num);
user_denied = (!flag && !(certificatePolicy is DefaultCertificatePolicy));
}
if (serverCertificateValidationCallback != null)
{
flag = serverCertificateValidationCallback(this.sender, x509Certificate, x509Chain, sslPolicyErrors);
user_denied = !flag;
}
return(new ValidationResult(flag, user_denied, num));
}
ValidationResult ValidateChain(string host, XX509CertificateCollection certs, SslPolicyErrors errors)
{
// user_denied is true if the user callback is called and returns false
bool user_denied = false;
bool result = false;
var hasCallback = certValidationCallback != null || callbackWrapper != null;
var anchors = settings != null ? settings.TrustAnchors : null;
var systemValidator = GetSystemCertificateValidator();
X509Certificate leaf;
if (certs == null || certs.Count == 0)
{
leaf = null;
}
else
{
leaf = certs [0];
}
if (tlsStream != null)
{
request.ServicePoint.SetServerCertificate(leaf);
}
if (leaf == null)
{
errors |= SslPolicyErrors.RemoteCertificateNotAvailable;
if (hasCallback)
{
if (callbackWrapper != null)
{
result = callbackWrapper.Invoke(certValidationCallback, leaf, null, (MonoSslPolicyErrors)errors);
}
else
{
result = certValidationCallback.Invoke(sender, leaf, null, errors);
}
user_denied = !result;
}
return(new ValidationResult(result, user_denied, 0, (MonoSslPolicyErrors)errors));
}
bool needsChain;
bool skipSystemValidators = false;
if (!CertificateValidationHelper.SupportsX509Chain || is_mobile || is_macosx)
{
needsChain = false;
}
else if (settings != null)
{
skipSystemValidators = settings.SkipSystemValidators;
needsChain = !settings.SkipSystemValidators || settings.CallbackNeedsCertificateChain;
}
else
{
needsChain = true;
}
ICertificatePolicy policy = ServicePointManager.GetLegacyCertificatePolicy();
int status11 = 0; // Error code passed to the obsolete ICertificatePolicy callback
X509Chain chain = null;
#if !MOBILE
if (needsChain)
{
chain = systemValidator.ComputeX509Chain(certs, ref errors, ref status11);
}
#endif
systemValidator.CheckUsage(certs, host, ref errors, ref status11);
if (!skipSystemValidators)
{
result = systemValidator.EvaluateSystem(certs, anchors, host, chain, ref errors, ref status11);
}
if (policy != null && (!(policy is DefaultCertificatePolicy) || certValidationCallback == null))
{
ServicePoint sp = null;
if (request != null)
{
sp = request.ServicePointNoLock;
}
if (status11 == 0 && errors != 0)
{
// TRUST_E_FAIL
status11 = unchecked ((int)0x800B010B);
}
// pre 2.0 callback
result = policy.CheckValidationResult(sp, leaf, request, status11);
user_denied = !result && !(policy is DefaultCertificatePolicy);
}
// If there's a 2.0 callback, it takes precedence
if (hasCallback)
{
if (callbackWrapper != null)
{
result = callbackWrapper.Invoke(certValidationCallback, leaf, chain, (MonoSslPolicyErrors)errors);
}
else
{
result = certValidationCallback.Invoke(sender, leaf, chain, errors);
}
user_denied = !result;
}
return(new ValidationResult(result, user_denied, status11, (MonoSslPolicyErrors)errors));
}
internal PolicyWrapper(ICertificatePolicy policy, ServicePoint sp, WebRequest wr)
{
this.fwdPolicy = policy;
this.srvPoint = sp;
this.request = wr;
}
ValidationResult ValidateChain(string host, bool server, XX509CertificateCollection certs, SslPolicyErrors errors)
{
// user_denied is true if the user callback is called and returns false
bool user_denied = false;
bool result = false;
var hasCallback = certValidationCallback != null || callbackWrapper != null;
X509Certificate leaf;
if (certs == null || certs.Count == 0)
{
leaf = null;
}
else
{
leaf = certs [0];
}
if (tlsStream != null)
{
request.ServicePoint.SetServerCertificate(leaf);
}
if (leaf == null)
{
errors |= SslPolicyErrors.RemoteCertificateNotAvailable;
if (hasCallback)
{
if (callbackWrapper != null)
{
result = callbackWrapper.Invoke(certValidationCallback, leaf, null, (MonoSslPolicyErrors)errors);
}
else
{
result = certValidationCallback.Invoke(sender, leaf, null, errors);
}
user_denied = !result;
}
return(new ValidationResult(result, user_denied, 0, (MonoSslPolicyErrors)errors));
}
ICertificatePolicy policy = ServicePointManager.GetLegacyCertificatePolicy();
int status11 = 0; // Error code passed to the obsolete ICertificatePolicy callback
X509Chain chain = null;
bool wantsChain = SystemCertificateValidator.NeedsChain(settings);
if (!wantsChain && hasCallback)
{
if (settings == null || settings.CallbackNeedsCertificateChain)
{
wantsChain = true;
}
}
if (wantsChain)
{
chain = SystemCertificateValidator.CreateX509Chain(certs);
}
if (wantsChain || SystemCertificateValidator.NeedsChain(settings))
{
SystemCertificateValidator.BuildX509Chain(certs, chain, ref errors, ref status11);
}
bool providerValidated = false;
if (provider != null && provider.HasCustomSystemCertificateValidator)
{
var xerrors = (MonoSslPolicyErrors)errors;
var xchain = (XX509Chain)(object)chain;
providerValidated = provider.InvokeSystemCertificateValidator(this, host, server, certs, xchain, out result, ref xerrors, ref status11);
errors = (SslPolicyErrors)xerrors;
}
if (!providerValidated)
{
result = SystemCertificateValidator.Evaluate(settings, host, certs, chain, ref errors, ref status11);
}
if (policy != null && (!(policy is DefaultCertificatePolicy) || certValidationCallback == null))
{
ServicePoint sp = null;
if (request != null)
{
sp = request.ServicePointNoLock;
}
if (status11 == 0 && errors != 0)
{
// TRUST_E_FAIL
status11 = unchecked ((int)0x800B010B);
}
// pre 2.0 callback
result = policy.CheckValidationResult(sp, leaf, request, status11);
user_denied = !result && !(policy is DefaultCertificatePolicy);
}
// If there's a 2.0 callback, it takes precedence
if (hasCallback)
{
if (callbackWrapper != null)
{
result = callbackWrapper.Invoke(certValidationCallback, leaf, chain, (MonoSslPolicyErrors)errors);
}
else
{
result = certValidationCallback.Invoke(sender, leaf, chain, errors);
}
user_denied = !result;
}
return(new ValidationResult(result, user_denied, status11, (MonoSslPolicyErrors)errors));
}
internal CertPolicyValidationCallback(ICertificatePolicy certificatePolicy)
{
m_CertificatePolicy = certificatePolicy;
m_Context = ExecutionContext.Capture();
}
// Used when the obsolete ICertificatePolicy is set to DefaultCertificatePolicy
// and the new ServerCertificateValidationCallback is not null
internal ValidationResult ValidateChain(Mono.Security.X509.X509CertificateCollection certs)
{
// user_denied is true if the user callback is called and returns false
bool user_denied = false;
if (certs == null || certs.Count == 0)
{
return(null);
}
ICertificatePolicy policy = ServicePointManager.CertificatePolicy;
RemoteCertificateValidationCallback cb = ServicePointManager.ServerCertificateValidationCallback;
X509Chain chain = new X509Chain();
chain.ChainPolicy = new X509ChainPolicy();
for (int i = 1; i < certs.Count; i++)
{
X509Certificate2 c2 = new X509Certificate2(certs [i].RawData);
chain.ChainPolicy.ExtraStore.Add(c2);
}
X509Certificate2 leaf = new X509Certificate2(certs [0].RawData);
int status11 = 0; // Error code passed to the obsolete ICertificatePolicy callback
SslPolicyErrors errors = 0;
try {
if (!chain.Build(leaf))
{
errors |= GetErrorsFromChain(chain);
}
} catch (Exception e) {
Console.Error.WriteLine("ERROR building certificate chain: {0}", e);
Console.Error.WriteLine("Please, report this problem to the Mono team");
errors |= SslPolicyErrors.RemoteCertificateChainErrors;
}
if (!CheckCertificateUsage(leaf))
{
errors |= SslPolicyErrors.RemoteCertificateChainErrors;
status11 = -2146762490; //CERT_E_PURPOSE 0x800B0106
}
if (!CheckServerIdentity(certs [0], Host))
{
errors |= SslPolicyErrors.RemoteCertificateNameMismatch;
status11 = -2146762481; // CERT_E_CN_NO_MATCH 0x800B010F
}
bool result = false;
// No certificate root found means no mozroots or monotouch
#if !MONOTOUCH
if (is_macosx)
{
#endif
// Attempt to use OSX certificates
// Ideally we should return the SecTrustResult
MSX.OSX509Certificates.SecTrustResult trustResult;
try {
trustResult = MSX.OSX509Certificates.TrustEvaluateSsl(certs);
// We could use the other values of trustResult to pass this extra information
// to the .NET 2 callback for values like SecTrustResult.Confirm
result = (trustResult == MSX.OSX509Certificates.SecTrustResult.Proceed ||
trustResult == MSX.OSX509Certificates.SecTrustResult.Unspecified);
}
catch {
// Ignore
}
// Clear error status if the OS told us to trust the certificate
if (result)
{
status11 = 0;
errors = 0;
}
#if !MONOTOUCH
}
#endif
if (policy != null && (!(policy is DefaultCertificatePolicy) || cb == null))
{
ServicePoint sp = null;
HttpWebRequest req = sender as HttpWebRequest;
if (req != null)
{
sp = req.ServicePoint;
}
if (status11 == 0 && errors != 0)
{
status11 = GetStatusFromChain(chain);
}
// pre 2.0 callback
result = policy.CheckValidationResult(sp, leaf, req, status11);
user_denied = !result && !(policy is DefaultCertificatePolicy);
}
// If there's a 2.0 callback, it takes precedence
if (cb != null)
{
result = cb(sender, leaf, chain, errors);
user_denied = !result;
}
return(new ValidationResult(result, user_denied, status11));
}
private static void GenerateSigningCertificate(ICertificatePolicy certificatePolicy, out string thumbprint, out string pemPublicCert, out byte[] pkcs12Data, out System.Security.Cryptography.X509Certificates.X509Certificate2 x509Certificate2)
{
// Generating Random Numbers
var randomGenerator = new CryptoApiRandomGenerator();
var random = new SecureRandom(randomGenerator);
var kpgen = new RsaKeyPairGenerator();
kpgen.Init(new KeyGenerationParameters(random, 2048));
var subjectKeyPair = kpgen.GenerateKeyPair();
var gen = new X509V3CertificateGenerator();
X509Name certName;
if (certificatePolicy.X509NameDictionary == null || !certificatePolicy.X509NameDictionary.Any())
{
certName = new X509Name("CN=" + certificatePolicy.CommonName);
}
else
{
var list = new Dictionary<string, string>();
AddSubjectNameItem(list, "CN", certificatePolicy.CommonName);
foreach (var item in certificatePolicy.X509NameDictionary)
{
AddSubjectNameItem(list, item.Key, item.Value);
}
certName = new X509Name(GetSubjectNameItemString(list));
}
BigInteger serialNo;
serialNo = BigInteger.ProbablePrime(120, random);
gen.SetSerialNumber(serialNo);
gen.SetSubjectDN(certName);
gen.SetIssuerDN(certName);
gen.SetNotBefore(DateTime.UtcNow.AddHours(-2)); // go back 2 hours just to be safe
gen.SetNotAfter(DateTime.UtcNow.AddDays(certificatePolicy.ValidForDays));
gen.SetSignatureAlgorithm("SHA256WithRSA");
gen.SetPublicKey(subjectKeyPair.Public);
gen.AddExtension(
X509Extensions.BasicConstraints.Id,
true,
new BasicConstraints(false));
gen.AddExtension(X509Extensions.KeyUsage.Id,
true,
new KeyUsage(KeyUsage.DigitalSignature));
// handle our key purposes
if (!certificatePolicy.AllPurposes)
{
var purposes = new List<KeyPurposeID>();
if (certificatePolicy.ServerAuthentication)
{
purposes.Add(KeyPurposeID.IdKPServerAuth);
}
if (certificatePolicy.ClientAuthentication)
{
purposes.Add(KeyPurposeID.IdKPClientAuth);
}
if (certificatePolicy.CodeSigning)
{
purposes.Add(KeyPurposeID.IdKPCodeSigning);
}
if (purposes.Any())
{
gen.AddExtension(
X509Extensions.ExtendedKeyUsage.Id,
true,
new ExtendedKeyUsage(purposes.ToArray()));
}
}
var certificate = gen.Generate(subjectKeyPair.Private, random);
PrivateKeyInfo info = PrivateKeyInfoFactory.CreatePrivateKeyInfo(subjectKeyPair.Private);
var seq = (Asn1Sequence)Asn1Object.FromByteArray(info.PrivateKey.GetDerEncoded());
if (seq.Count != 9)
{
throw new PemException("Malformed sequence in RSA private key.");
}
var rsa = new RsaPrivateKeyStructure(seq);
RsaPrivateCrtKeyParameters rsaparams = new RsaPrivateCrtKeyParameters(
rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent, rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2, rsa.Coefficient);
// this is exportable to get the bytes of the key to our file system in an encrypted manner
RSAParameters rsaParameters = DotNetUtilities.ToRSAParameters(rsaparams);
CspParameters cspParameters = new CspParameters();
cspParameters.KeyContainerName = Guid.NewGuid().ToString();
RSACryptoServiceProvider rsaKey = new RSACryptoServiceProvider(2048, cspParameters);
rsaKey.PersistKeyInCsp = false; // do not persist
rsaKey.ImportParameters(rsaParameters);
var x509 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificate.GetEncoded());
x509.PrivateKey = rsaKey;
// this is non-exportable
CspParameters cspParametersNoExport = new CspParameters();
cspParametersNoExport.KeyContainerName = Guid.NewGuid().ToString();
cspParametersNoExport.Flags = CspProviderFlags.UseNonExportableKey;
RSACryptoServiceProvider rsaKey2 = new RSACryptoServiceProvider(2048, cspParametersNoExport);
rsaKey2.PersistKeyInCsp = false; // do not persist
rsaKey2.ImportParameters(rsaParameters);
x509Certificate2 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificate.GetEncoded());
x509Certificate2.PrivateKey = rsaKey2;
//// Generating Random Numbers
//var chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-()#$%^&@+=!";
//var rnd = new Random();
//password = new string(
// Enumerable.Repeat(chars, 15)
// .Select(s => s[rnd.Next(s.Length)])
// .ToArray());
thumbprint = x509.Thumbprint.ToLower();
var publicKeyPem = new StringBuilder();
var utf8WithoutBom = new System.Text.UTF8Encoding(false);
var publicKeyPemWriter = new PemWriter(new StringWriterWithEncoding(publicKeyPem, utf8WithoutBom));
publicKeyPemWriter.WriteObject(certificate);
publicKeyPemWriter.Writer.Flush();
pemPublicCert = publicKeyPem.ToString();
pemPublicCert = pemPublicCert.Replace(Environment.NewLine, "\n"); //only use newline and not returns
pkcs12Data = x509.Export(System.Security.Cryptography.X509Certificates.X509ContentType.Pfx);
}
