public bool Verify(string hostname, ISSLSession session) { #pragma warning disable 0612 return(verifyServerCertificate(hostname, session) & verifyClientCiphers(hostname, session)); #pragma warning restore 0612 }
public bool Verify(string hostname, ISSLSession session) { if (hostname.Equals("10.0.2.2")) { return(true); } return(false); }
/// <summary> /// Verifies the server certificate by calling into ServicePointManager.ServerCertificateValidationCallback or, /// if the is no delegate attached to it by using the default hostname verifier. /// </summary> /// <returns><c>true</c>, if server certificate was verifyed, <c>false</c> otherwise.</returns> /// <param name="hostname"></param> /// <param name="session"></param> static bool verifyServerCertificate(string hostname, ISSLSession session) { var defaultVerifier = HttpsURLConnection.DefaultHostnameVerifier; if (ServicePointManager.ServerCertificateValidationCallback == null) { return(defaultVerifier.Verify(hostname, session)); } // Convert java certificates to .NET certificates and build cert chain from root certificate var certificates = session.GetPeerCertificateChain(); var chain = new X509Chain(); X509Certificate2 root = null; var errors = System.Net.Security.SslPolicyErrors.None; // Build certificate chain and check for errors if (certificates == null || certificates.Length == 0) { //no cert at all errors = System.Net.Security.SslPolicyErrors.RemoteCertificateNotAvailable; goto bail; } if (certificates.Length == 1) { //no root? errors = System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors; goto bail; } var netCerts = certificates.Select(x => new X509Certificate2(x.GetEncoded())).ToArray(); for (int i = 1; i < netCerts.Length; i++) { chain.ChainPolicy.ExtraStore.Add(netCerts[i]); } root = netCerts[0]; chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain; chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 1, 0); chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority; if (!chain.Build(root)) { errors = System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors; goto bail; } var subject = root.Subject; var subjectCn = cnRegex.Match(subject).Groups[1].Value; if (String.IsNullOrWhiteSpace(subjectCn) || !Utility.MatchHostnameToPattern(hostname, subjectCn)) { errors = System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch; goto bail; } bail: // Call the delegate to validate return(ServicePointManager.ServerCertificateValidationCallback(hostname, root, chain, errors)); }
/// <summary> /// Verifies client ciphers and is only available in Mono and Xamarin products. /// </summary> /// <returns><c>true</c>, if client ciphers was verifyed, <c>false</c> otherwise.</returns> /// <param name="hostname"></param> /// <param name="session"></param> bool verifyClientCiphers(string hostname, ISSLSession session) { var callback = ServicePointManager.ClientCipherSuitesCallback; if (callback == null) { return(true); } var protocol = session.Protocol.StartsWith("SSL", StringComparison.InvariantCulture) ? SecurityProtocolType.Ssl3 : SecurityProtocolType.Tls; var acceptedCiphers = callback(protocol, new[] { session.CipherSuite }); return(acceptedCiphers.Contains(session.CipherSuite)); }
/// <summary> /// Verifies client ciphers and is only available in Mono and Xamarin products. /// </summary> /// <returns><c>true</c>, if client ciphers was verifyed, <c>false</c> otherwise.</returns> /// <param name="hostname"></param> /// <param name="session"></param> static bool verifyClientCiphers(string hostname, ISSLSession session) { //This API has been deprecated by Xamarin & Mono return(true); /* * var callback = ServicePointManager.ClientCipherSuitesCallback; * if (callback == null) return true; * * var protocol = session.Protocol.StartsWith("SSL", StringComparison.InvariantCulture) ? SecurityProtocolType.Ssl3 : SecurityProtocolType.Tls; * var acceptedCiphers = callback(protocol, new[] { session.CipherSuite }); * * return acceptedCiphers.Contains(session.CipherSuite); */ }
public bool Verify(string hostname, ISSLSession session) { var certChain = _certCleaner.Clean(session.GetPeerCertificates().OfType <X509Certificate>()); if (certChain.Any()) { var dotNetCertChain = certChain.Select(c => c.ToDotNetX509Certificate()).ToArray(); var ctValueTask = _verifier.IsValidAsync(hostname, dotNetCertChain, default); var ctResult = ctValueTask.IsCompleted ? ctValueTask.Result : ctValueTask.AsTask().Result; var customResult = _verifyResultFunc?.Invoke(hostname, dotNetCertChain, ctResult); return(customResult ?? ctResult.IsValid); } return(false); }
/// <summary> /// Verifies the server certificate by calling into ServicePointManager.ServerCertificateValidationCallback or, /// if the is no delegate attached to it by using the default hostname verifier. /// </summary> /// <returns><c>true</c>, if server certificate was verifyed, <c>false</c> otherwise.</returns> /// <param name="hostname"></param> /// <param name="session"></param> static bool verifyServerCertificate(string hostname, ISSLSession session) { var defaultVerifier = HttpsURLConnection.DefaultHostnameVerifier; if (ServicePointManager.ServerCertificateValidationCallback == null) { return(defaultVerifier.Verify(hostname, session)); } // Convert java certificates to .NET certificates and build cert chain from root certificate var certificates = session.GetPeerCertificateChain(); var chain = new X509Chain(); var netCerts = certificates.Select(x => new X509Certificate2(x.GetEncoded())).ToArray(); for (int i = 1; i < netCerts.Length; i++) { chain.ChainPolicy.ExtraStore.Add(netCerts [i]); } X509Certificate2 root = netCerts [0]; chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain; chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 1, 0); chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority; chain.Build(root); //If the callback returns true, then we want it to continue with the default validation. The call back is only responsible for //certificate pinning. Nothing else. //Unless, of course, you want to use a self-signed cert in which case the above comment is incorrect. if (ServicePointManager.ServerCertificateValidationCallback(hostname, root, chain, System.Net.Security.SslPolicyErrors.None)) { return(true); } return(false); }
public bool Verify(string hostname, ISSLSession session) { return(verifyServerCertificate(hostname, session) & verifyClientCiphers(hostname, session)); }
public bool Verify(string hostname, ISSLSession session) { return(true); }
/// <summary> /// Verifies the server certificate by calling into ServicePointManager.ServerCertificateValidationCallback or, /// if the is no delegate attached to it by using the default hostname verifier. /// </summary> /// <returns><c>true</c>, if server certificate was verifyed, <c>false</c> otherwise.</returns> /// <param name="hostname"></param> /// <param name="session"></param> public bool Verify(string hostname, ISSLSession session) { var errors = SslPolicyErrors.None; if (nativeHandler.TLSConfig.DangerousAcceptAnyServerCertificateValidator) { goto sslErrorVerify; } // Convert java certificates to .NET certificates and build cert chain from root certificate var serverCertChain = session.GetPeerCertificateChain(); var netCerts = serverCertChain.Select(x => new X509Certificate2(x.GetEncoded())).ToList(); switch (nativeHandler.PinningMode) { case "CertificateOnly": var chain = new X509Chain(); X509Certificate2 root = null; // Build certificate chain and check for errors if (serverCertChain == null || serverCertChain.Length == 0) { //no cert at all errors = SslPolicyErrors.RemoteCertificateNotAvailable; PinningFailureMessage = FailureMessages.NoCertAtAll; goto sslErrorVerify; } if (serverCertChain.Length == 1) { //no root? errors = SslPolicyErrors.RemoteCertificateChainErrors; PinningFailureMessage = FailureMessages.NoRoot; goto sslErrorVerify; } for (int i = 1; i < netCerts.Count; i++) { chain.ChainPolicy.ExtraStore.Add(netCerts[i]); } chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain; chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 1, 0); chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority; root = netCerts[0]; if (!chain.Build(root)) { errors = SslPolicyErrors.RemoteCertificateChainErrors; PinningFailureMessage = FailureMessages.ChainError; goto sslErrorVerify; } var subject = root.Subject; var subjectCn = cnRegex.Match(subject).Groups[1].Value; if (string.IsNullOrWhiteSpace(subjectCn) || !Utility.MatchHostnameToPattern(hostname, subjectCn)) { var subjectAn = root.ParseSubjectAlternativeName(); if (subjectAn.FirstOrDefault(s => Utility.MatchHostnameToPattern(hostname, s)) == null) { errors = SslPolicyErrors.RemoteCertificateNameMismatch; PinningFailureMessage = FailureMessages.SubjectNameMismatch; goto sslErrorVerify; } } break; case "PublicKeysOnly": if (nativeHandler.CertificatePinner != null) { if (!nativeHandler.CertificatePinner.HasPins(hostname)) { errors = SslPolicyErrors.RemoteCertificateNameMismatch; PinningFailureMessage = FailureMessages.NoPinsProvided + " " + hostname; } // CertificatePinner.Check will be done by Square.OkHttp3.CertificatePinner } break; } sslErrorVerify: return(errors == SslPolicyErrors.None); }
/// <summary> /// Verifies the server certificate by calling into ServicePointManager.ServerCertificateValidationCallback or, /// if the is no delegate attached to it by using the default hostname verifier. /// </summary> /// <returns><c>true</c>, if server certificate was verifyed, <c>false</c> otherwise.</returns> /// <param name="hostname"></param> /// <param name="session"></param> bool verifyServerCertificate(string hostname, ISSLSession session) { var defaultVerifier = HttpsURLConnection.DefaultHostnameVerifier; if (ServicePointManager.ServerCertificateValidationCallback == null) return defaultVerifier.Verify(hostname, session); // Convert java certificates to .NET certificates and build cert chain from root certificate var certificates = session.GetPeerCertificateChain(); var chain = new System.Security.Cryptography.X509Certificates.X509Chain(); System.Security.Cryptography.X509Certificates.X509Certificate2 root = null; var errors = System.Net.Security.SslPolicyErrors.None; // Build certificate chain and check for errors if (certificates == null || certificates.Length == 0) {//no cert at all errors = System.Net.Security.SslPolicyErrors.RemoteCertificateNotAvailable; goto bail; } if (certificates.Length == 1) {//no root? errors = System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors; goto bail; } var netCerts = certificates.Select(x => new System.Security.Cryptography.X509Certificates.X509Certificate2(x.GetEncoded())).ToArray(); for (int i = 1; i < netCerts.Length; i++) { chain.ChainPolicy.ExtraStore.Add(netCerts[i]); } root = netCerts[0]; chain.ChainPolicy.RevocationFlag = System.Security.Cryptography.X509Certificates.X509RevocationFlag.EntireChain; chain.ChainPolicy.RevocationMode = System.Security.Cryptography.X509Certificates.X509RevocationMode.NoCheck; chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 1, 0); chain.ChainPolicy.VerificationFlags = System.Security.Cryptography.X509Certificates.X509VerificationFlags.AllowUnknownCertificateAuthority; if (!chain.Build(root)) { errors = System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors; goto bail; } var subject = root.Subject; var subjectCn = cnRegex.Match(subject).Groups[1].Value; if (String.IsNullOrWhiteSpace(subjectCn) || !match(hostname, subjectCn)) { errors = System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch; goto bail; } bail: // Call the delegate to validate return ServicePointManager.ServerCertificateValidationCallback(this, root, chain, errors); }
public bool Verify(string hostname, ISSLSession session) { // everything goes through // all host names are valid return(true); }
public bool Verify(string hostname, ISSLSession session) { return verify(hostname, session); }
public bool Verify(string hostname, ISSLSession session) { System.Diagnostics.Debug.WriteLine("HostnameVerifier.Verify returns true"); return(true); }
/// <summary> /// Verifies client ciphers and is only available in Mono and Xamarin products. /// </summary> /// <returns><c>true</c>, if client ciphers was verifyed, <c>false</c> otherwise.</returns> /// <param name="hostname"></param> /// <param name="session"></param> static bool verifyClientCiphers(string hostname, ISSLSession session) { return(true); }
/// <summary> /// Verifies the server certificate by calling into ServicePointManager.ServerCertificateValidationCallback or, /// if the is no delegate attached to it by using the default hostname verifier. /// </summary> /// <returns><c>true</c>, if server certificate was verifyed, <c>false</c> otherwise.</returns> /// <param name="hostname"></param> /// <param name="session"></param> static bool verifyServerCertificate(string hostname, ISSLSession session) { var defaultVerifier = HttpsURLConnection.DefaultHostnameVerifier; if (ServicePointManager.ServerCertificateValidationCallback == null) return defaultVerifier.Verify(hostname, session); // Convert java certificates to .NET certificates and build cert chain from root certificate var certificates = session.GetPeerCertificateChain(); var chain = new X509Chain(); var netCerts = certificates.Select(x => new X509Certificate2(x.GetEncoded())).ToArray(); for (int i = 1; i < netCerts.Length; i++) { chain.ChainPolicy.ExtraStore.Add(netCerts[i]); } X509Certificate2 root = netCerts[0]; chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain; chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 1, 0); chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority; chain.Build(root); //If the callback returns true, then we want it to continue with the default validation. The call back is only responsible for //certificate pinning. Nothing else. if (ServicePointManager.ServerCertificateValidationCallback(hostname, root, chain, System.Net.Security.SslPolicyErrors.None)) { return defaultVerifier.Verify(hostname, session); } return false; }
public bool Verify(string hostname, ISSLSession session) { return verifyServerCertificate(hostname, session) & verifyClientCiphers(hostname, session); }
public bool Verify(string hostname, ISSLSession session) { return(verify(hostname, session)); }
/// <summary> /// Verifies client ciphers and is only available in Mono and Xamarin products. /// </summary> /// <returns><c>true</c>, if client ciphers was verifyed, <c>false</c> otherwise.</returns> /// <param name="hostname"></param> /// <param name="session"></param> bool verifyClientCiphers(string hostname, ISSLSession session) { var callback = ServicePointManager.ClientCipherSuitesCallback; if (callback == null) return true; var protocol = session.Protocol.StartsWith("SSL", StringComparison.InvariantCulture) ? SecurityProtocolType.Ssl3 : SecurityProtocolType.Tls; var acceptedCiphers = callback(protocol, new[] { session.CipherSuite }); return acceptedCiphers.Contains(session.CipherSuite); }
/// <summary> /// Verifies the server certificate by calling into ServicePointManager.ServerCertificateValidationCallback or, /// if the is no delegate attached to it by using the default hostname verifier. /// </summary> /// <returns><c>true</c>, if server certificate was verifyed, <c>false</c> otherwise.</returns> /// <param name="hostname"></param> /// <param name="session"></param> public bool Verify(string hostname, ISSLSession session) { var errors = SslPolicyErrors.None; // Convert java certificates to .NET certificates and build cert chain from root certificate /*var serverCertChain = session.GetPeerCertificateChain(); * var chain = new X509Chain(); * X509Certificate2 root = null; * var errors = SslPolicyErrors.None; * * // Build certificate chain and check for errors * if (serverCertChain == null || serverCertChain.Length == 0) * {//no cert at all * errors = SslPolicyErrors.RemoteCertificateNotAvailable; * PinningFailureMessage = FailureMessages.NoCertAtAll; * goto sslErrorVerify; * } * * if (serverCertChain.Length == 1) * {//no root? * errors = SslPolicyErrors.RemoteCertificateChainErrors; * PinningFailureMessage = FailureMessages.NoRoot; * goto sslErrorVerify; * } * * var netCerts = serverCertChain.Select(x => new X509Certificate2(x.GetEncoded())).ToArray(); * * for (int i = 1; i < netCerts.Length; i++) * { * chain.ChainPolicy.ExtraStore.Add(netCerts[i]); * } * * root = netCerts[0]; * * chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain; * chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; * chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 1, 0); * chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority; * * if (!chain.Build(root)) * { * errors = SslPolicyErrors.RemoteCertificateChainErrors; * PinningFailureMessage = FailureMessages.ChainError; * goto sslErrorVerify; * } * * var subject = root.Subject; * var subjectCn = cnRegex.Match(subject).Groups[1].Value; * * if (string.IsNullOrWhiteSpace(subjectCn) || !Utility.MatchHostnameToPattern(hostname, subjectCn)) * { * errors = SslPolicyErrors.RemoteCertificateNameMismatch; * PinningFailureMessage = FailureMessages.SubjectNameMismatch; * goto sslErrorVerify; * }*/ if (Pins.FirstOrDefault((pin) => pin.Hostname == hostname) == null) { errors = SslPolicyErrors.RemoteCertificateNameMismatch; PinningFailureMessage = FailureMessages.NoPinsProvided + " " + hostname; } //sslErrorVerify: return(errors == SslPolicyErrors.None); }