// The GitHub SSL certificate is corrupt, or something? Who cares.
public static bool Validator(
object sender, X509Certificate certificate,
X509Chain chain, SslPolicyErrors sslPolicyErrors
)
{
return true;
}
public static void BuildChain()
{
using (var microsoftDotCom = new X509Certificate2(TestData.MicrosoftDotComSslCertBytes))
using (var microsoftDotComIssuer = new X509Certificate2(TestData.MicrosoftDotComIssuerBytes))
using (var microsoftDotComRoot = new X509Certificate2(TestData.MicrosoftDotComRootBytes))
using (var unrelated = new X509Certificate2(TestData.DssCer))
{
X509Chain chain = new X509Chain();
chain.ChainPolicy.ExtraStore.Add(unrelated);
chain.ChainPolicy.ExtraStore.Add(microsoftDotComRoot);
chain.ChainPolicy.ExtraStore.Add(microsoftDotComIssuer);
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
// Halfway between microsoftDotCom's NotBefore and NotAfter
// This isn't a boundary condition test.
chain.ChainPolicy.VerificationTime = new DateTime(2015, 10, 15, 12, 01, 01, DateTimeKind.Local);
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
bool valid = chain.Build(microsoftDotCom);
Assert.True(valid, "Chain built validly");
// The chain should have 3 members
Assert.Equal(3, chain.ChainElements.Count);
// These are the three specific members.
Assert.Equal(microsoftDotCom, chain.ChainElements[0].Certificate);
Assert.Equal(microsoftDotComIssuer, chain.ChainElements[1].Certificate);
Assert.Equal(microsoftDotComRoot, chain.ChainElements[2].Certificate);
}
}
internal static bool TrustEvaluateSsl (X509Certificate2Collection collection, object sender, X509Certificate2 certificate, X509Chain chain, SslPolicyErrors errors)
{
var certsRawData = new List <byte[]> (collection.Count);
foreach (var cert in collection)
certsRawData.Add (cert.RawData);
return trustEvaluateSsl (certsRawData);
}
public virtual X509Chain ComputeX509Chain (XX509CertificateCollection certs, ref SslPolicyErrors errors, ref int status11)
{
#if MOBILE
return null;
#else
if (is_macosx)
return null;
var chain = new X509Chain ();
chain.ChainPolicy = new X509ChainPolicy ();
chain.ChainPolicy.RevocationMode = revocation_mode;
for (int i = 1; i < certs.Count; i++) {
chain.ChainPolicy.ExtraStore.Add (certs [i]);
}
var leaf = (X509Certificate2)certs [0];
try {
if (!chain.Build (leaf))
errors |= GetErrorsFromChain (chain);
} catch (Exception e) {
Console.Error.WriteLine ("ERROR building certificate chain: {0}", e);
Console.Error.WriteLine ("Please, report this problem to the Mono team");
errors |= SslPolicyErrors.RemoteCertificateChainErrors;
}
status11 = GetStatusFromChain (chain);
return chain;
#endif
}
public static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == SslPolicyErrors.None)
{
return true;
}
byte[] receivedCertificateHash = certificate.GetCertHash();
//If length differs, obviously different hash.
if (receivedCertificateHash.Length != hardCodedServerCertificateHash.Length)
{
return false;
}
//Check that each byte is the same
for (int i = 0; i < hardCodedServerCertificateHash.Length; i++)
{
if (receivedCertificateHash[i] != hardCodedServerCertificateHash[i])
{
return false;
}
}
//Equality of the certificates confirmed.
return true;
}
static bool BuildX509Chain (XX509CertificateCollection certs, X509Chain chain, ref SslPolicyErrors errors, ref int status11)
{
#if MOBILE
return false;
#else
if (is_macosx)
return false;
var leaf = (X509Certificate2)certs [0];
bool ok;
try {
ok = chain.Build (leaf);
if (!ok)
errors |= GetErrorsFromChain (chain);
} catch (Exception e) {
Console.Error.WriteLine ("ERROR building certificate chain: {0}", e);
Console.Error.WriteLine ("Please, report this problem to the Mono team");
errors |= SslPolicyErrors.RemoteCertificateChainErrors;
ok = false;
}
try {
status11 = GetStatusFromChain (chain);
} catch {
status11 = -2146762485; // TRUST_E_FAIL - generic
}
return ok;
#endif
}
public SslStreamServer(
Stream stream,
bool ownStream,
X509Certificate serverCertificate,
bool clientCertificateRequired,
X509Chain caCerts,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocation,
RemoteCertificateValidationHandler remote_callback)
: base(stream, ownStream)
{
this.checkCertificateRevocationStatus = checkCertificateRevocation;
this.remoteCertificateSelectionCallback = remote_callback;
// Initialize the SslContext object
InitializeServerContext(serverCertificate, clientCertificateRequired, caCerts, enabledSslProtocols, sslStrength, checkCertificateRevocation);
ssl = new Ssl(sslContext);
// Initialze the read/write bio
read_bio = BIO.MemoryBuffer(false);
write_bio = BIO.MemoryBuffer(false);
// Set the read/write bio's into the the Ssl object
ssl.SetBIO(read_bio, write_bio);
read_bio.SetClose(BIO.CloseOption.Close);
write_bio.SetClose(BIO.CloseOption.Close);
// Set the Ssl object into server mode
ssl.SetAcceptState();
}
public static void VerifyCrlCache()
{
string crlDirectory = PersistedFiles.GetUserFeatureDirectory("cryptography", "crls");
string crlFile = Path.Combine(crlDirectory,MicrosoftDotComRootCrlFilename);
Directory.CreateDirectory(crlDirectory);
File.Delete(crlFile);
using (var microsoftDotComIssuer = new X509Certificate2(TestData.MicrosoftDotComIssuerBytes))
using (var microsoftDotComRoot = new X509Certificate2(TestData.MicrosoftDotComRootBytes))
using (var unrelated = new X509Certificate2(TestData.DssCer))
{
X509Chain chain = new X509Chain();
chain.ChainPolicy.ExtraStore.Add(unrelated);
chain.ChainPolicy.ExtraStore.Add(microsoftDotComRoot);
// The very start of the CRL period.
chain.ChainPolicy.VerificationTime = new DateTime(2015, 6, 17, 0, 0, 0, DateTimeKind.Utc);
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EndCertificateOnly;
chain.ChainPolicy.VerificationFlags |= X509VerificationFlags.AllowUnknownCertificateAuthority;
bool valid = chain.Build(microsoftDotComIssuer);
Assert.True(valid, "Precondition: Chain builds with no revocation checks");
int initialErrorCount = chain.ChainStatus.Length;
Assert.InRange(initialErrorCount, 0, 1);
if (initialErrorCount > 0)
{
Assert.Equal(X509ChainStatusFlags.UntrustedRoot, chain.ChainStatus[0].Status);
}
chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline;
valid = chain.Build(microsoftDotComIssuer);
Assert.False(valid, "Chain should not build validly");
Assert.Equal(initialErrorCount + 1, chain.ChainStatus.Length);
Assert.Equal(X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainStatus[0].Status);
File.WriteAllText(crlFile, MicrosoftDotComRootCrlPem, Encoding.ASCII);
valid = chain.Build(microsoftDotComIssuer);
Assert.True(valid, "Chain should build validly now");
Assert.Equal(initialErrorCount, chain.ChainStatus.Length);
// Rewind one second, the CRL is not "not yet valid"
chain.ChainPolicy.VerificationTime = chain.ChainPolicy.VerificationTime.Subtract(TimeSpan.FromSeconds(1));
valid = chain.Build(microsoftDotComIssuer);
Assert.False(valid, "Chain should not build validly, CRL is not yet valid");
Assert.Equal(initialErrorCount + 1, chain.ChainStatus.Length);
Assert.Equal(X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainStatus[0].Status);
}
}
static bool CertificateValidation (object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors certificateErrors)
{
Console.WriteLine ("CertificateValidation");
Console.WriteLine (certificate.ToString (true));
Console.WriteLine ("Chain");
Console.WriteLine (chain);
Console.WriteLine ("\tError(s)");
Console.WriteLine (certificateErrors);
Console.WriteLine ();
return true;
}
public static X509Chain CreateX509Chain (XX509CertificateCollection certs)
{
var chain = new X509Chain ();
chain.ChainPolicy = new X509ChainPolicy ((X509CertificateCollection)(object)certs);
#if !MOBILE
chain.ChainPolicy.RevocationMode = revocation_mode;
#endif
return chain;
}
static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
foreach (X509ChainElement element in chain.ChainElements) {
Console.WriteLine ("Element issuer name: {0}", element.Certificate.Issuer);
}
if (chain.ChainElements != null && chain.ChainElements.Count != 0) {
X509ChainElement chainElement = chain.ChainElements[chain.ChainElements.Count - 1];
data = chainElement.Certificate.Export(X509ContentType.Cert);
}
return true;
}
public static X509Chain CreateX509Chain (XX509CertificateCollection certs)
{
var chain = new X509Chain ();
chain.ChainPolicy = new X509ChainPolicy ();
#if !MOBILE
chain.ChainPolicy.RevocationMode = revocation_mode;
#endif
for (int i = 1; i < certs.Count; i++) {
chain.ChainPolicy.ExtraStore.Add (certs [i]);
}
return chain;
}
public MoagentClient(string host, int port, bool useSsl)
{
_server = host;
_port = port;
_useSsl = useSsl;
_client = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
if (_useSsl)
{
var certBio = BIO.File(@".\agentClientCert.p12", "r");
X509Certificate clientCert = X509Certificate.FromPKCS12(certBio, string.Empty);
var serverBio = BIO.File(@".\ProactiveContactCA.cer", "r");
X509Certificate serverCert = X509Certificate.FromDER(serverBio);
_xList = new X509List {clientCert};
_xChain = new X509Chain {serverCert};
}
}
public static void BuildChainExtraStoreUntrustedRoot()
{
using (var testCert = new X509Certificate2(Path.Combine("TestData", "test.pfx"), TestData.ChainPfxPassword))
{
X509Certificate2Collection collection = new X509Certificate2Collection();
collection.Import(Path.Combine("TestData", "test.pfx"), TestData.ChainPfxPassword, X509KeyStorageFlags.DefaultKeySet);
X509Chain chain = new X509Chain();
chain.ChainPolicy.ExtraStore.AddRange(collection);
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.VerificationTime = new DateTime(2015, 9, 22, 12, 25, 0);
bool valid = chain.Build(testCert);
Assert.False(valid);
Assert.Contains(chain.ChainStatus, s => s.Status == X509ChainStatusFlags.UntrustedRoot);
}
}
public static void Test(X509IncludeOption include)
{
cert = EndCert ;
X509Chain chain = new X509Chain() ;
chain.Build( cert ) ;
X509ChainElementCollection lmnts = chain.ChainElements ;
KeyInfoX509Data data = new KeyInfoX509Data( cert, include ) ;
ArrayList al = data.Certificates ;
if( al == null ) return ;
for( int i = 0 ; i < al.Count ; i++ )
{
rv = lmnts[i].Certificate.ToString(true) == ((X509Certificate) al[i]).ToString(true) ;
if( !rv )
Console.WriteLine( "i = " + i.ToString() + " and include=" + include.ToString() ) ;
}
Console.WriteLine( "*************************************************************" ) ;
}
public static bool MyRemoteCertificateValidationCallback(System.Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
bool isOk = true;
// If there are errors in the certificate chain, look at each error to determine the cause.
if (sslPolicyErrors != SslPolicyErrors.None) {
for (int i=0; i<chain.ChainStatus.Length; i++) {
if (chain.ChainStatus [i].Status != X509ChainStatusFlags.RevocationStatusUnknown) {
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan (0, 1, 0);
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
bool chainIsValid = chain.Build ((X509Certificate2)certificate);
if (!chainIsValid) {
isOk = false;
}
}
}
}
return isOk;
}
public SslStreamClient(Stream stream,
bool ownStream,
string targetHost,
X509List clientCertificates,
X509Chain caCertificates,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocationStatus,
RemoteCertificateValidationHandler remoteCallback,
LocalCertificateSelectionHandler localCallback)
: base(stream, ownStream)
{
this.targetHost = targetHost;
this.clientCertificates = clientCertificates;
this.caCertificates = caCertificates;
this.checkCertificateRevocationStatus = checkCertificateRevocationStatus;
this.remoteCertificateSelectionCallback = remoteCallback;
this.localCertificateSelectionCallback = localCallback;
this.internalCertificateSelectionCallback = new ClientCertCallbackHandler(InternalClientCertificateSelectionCallback);
InitializeClientContext(clientCertificates, enabledSslProtocols, sslStrength, checkCertificateRevocationStatus);
}
/// <summary>
/// The following method is invoked by the RemoteCertificateValidationDelegate.
/// This allows you to check the certificate and accept or reject it
/// return true will accept the certificate
/// </summary>
/// <param name="sender"></param>
/// <param name="certificate"></param>
/// <param name="chain"></param>
/// <param name="sslPolicyErrors"></param>
/// <returns></returns>
private static bool ValidateServerCertificate(object sender, X509Certificate certificate,
X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
// Accept all certificates
return true;
}
/// <summary>
/// Certificate validation callback.
/// </summary>
private static bool ValidateRemoteCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
return(true); // for expediency/trusted cert
// If the certificate is a valid, signed certificate, return true.
//if ( error == System.Net.Security.SslPolicyErrors.None )
//{
// return true;
//}
//Console.WriteLine( "X509Certificate [{cert.Subject}] Policy Error: '{error.ToString()}'";
//return false;
}
private bool TcpClientBase_ValidateServerCertificateEvent(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
return(ValidateServerCertificate(certificate, chain, sslPolicyErrors));
}
private static bool OnCertificateValidation(HttpRequestMessage request, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
#endif
{
Log.Info("Validating certificate [IgnoreRemoteCertificateNameMismatch={0}]: {1}", ClientConfiguration.IgnoreRemoteCertificateNameMismatch, sslPolicyErrors);
if (ClientConfiguration.IgnoreRemoteCertificateNameMismatch)
{
if (sslPolicyErrors == SslPolicyErrors.RemoteCertificateNameMismatch)
{
return(true);
}
}
return(sslPolicyErrors == SslPolicyErrors.None);
}
private bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
#if DEBUG
return(true);
#endif
return(Settings.ServerCertificate.Equals(certificate));
}
private bool CertificateChainValidator <T>(
T sender,
X509Certificate2 cert,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
if (cert == null ||
sslPolicyErrors == SslPolicyErrors.RemoteCertificateNotAvailable)
{
Trace.WriteWarning(
TraceType,
"Unauthorized request by sender - {0} using null certificate.",
sender);
return(false);
}
IList <string> serverCertThumbprints = null;
IList <KeyValuePair <string, string> > x509NamesAndIssuers = null;
if (TryGetServerCertThumbprints(out serverCertThumbprints) &&
serverCertThumbprints != null &&
serverCertThumbprints.Count > 0)
{
var certThumbprint = cert.Thumbprint;
if (certThumbprint != null &&
!serverCertThumbprints.Contains(certThumbprint, StringComparer.OrdinalIgnoreCase))
{
var serverCerts = new StringBuilder();
foreach (var serverCert in serverCertThumbprints)
{
serverCerts.Append(serverCert).Append("|");
}
Trace.WriteWarning(
TraceType,
"Unauthorized request by sender - {0} using certificate - {1}- Thumbprint {2} vs expected thumbprint {3}",
sender,
cert.ToString(),
cert.Thumbprint,
serverCerts.ToString());
return(false);
}
}
//// TODO current SFRP only use thumbprint, so we may ingore this for now
//// we should add chain validation
else if (TryGetServerX509Names(out x509NamesAndIssuers) &&
x509NamesAndIssuers != null &&
x509NamesAndIssuers.Count > 0)
{
foreach (var x509NamesKvp in x509NamesAndIssuers)
{
var simpleName = cert.GetNameInfo(X509NameType.SimpleName, false);
var dnsAlternativeName = cert.GetNameInfo(X509NameType.DnsFromAlternativeName, false);
var dnsName = cert.GetNameInfo(X509NameType.DnsName, false);
if (cert.Subject.Equals(x509NamesKvp.Key, StringComparison.OrdinalIgnoreCase) ||
(simpleName != null && simpleName.Equals(x509NamesKvp.Key, StringComparison.OrdinalIgnoreCase)) ||
(dnsAlternativeName != null && dnsAlternativeName.Equals(x509NamesKvp.Key, StringComparison.OrdinalIgnoreCase)) ||
(dnsName != null && dnsName.Equals(x509NamesKvp.Key, StringComparison.OrdinalIgnoreCase)))
{
return(true);
}
}
var serverCerts = new StringBuilder();
foreach (var serverCert in x509NamesAndIssuers)
{
serverCerts.Append(string.Concat(serverCert.Key, " ", serverCert.Value)).Append("|");
}
Trace.WriteWarning(
TraceType,
"Unauthorized request by sender - {0} using certificate - {1}- Names {2} vs expected Names {3}",
sender,
cert.ToString(),
cert.SubjectName.Name,
serverCerts.ToString());
return(false);
}
return(true);
}
/// <summary>
/// 远程证书验证,固定返回true
/// </summary>
private static bool RemoteCertificateValidate(object sender, X509Certificate cert,
X509Chain chain, SslPolicyErrors error)
{
return(true);
}
public Setting HashAndcheckval(object setting, string signature)
{
X509Chain chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline;
Setting _setting = setting as Setting;
BOLLogs BOLlogs = new BOLLogs();
Users ValidUser = BOLUsers.GetDataByUsername(_setting.UserName);
string hashData = DoHash(_setting.Pass);
hashData = "<login><Password>" + hashData + "</Password><UserName>" + _setting.UserName + "</UserName><Captcha>" +
_setting.CaptchaText + "</Captcha></login>";
string strlogContent = "<login><UserName>" + _setting.UserName + "</UserName><Password>" + _setting.Pass + "</Password></login>";
SignedData mySD = new SignedData();
try
{
mySD.Verify(signature, false, CAPICOM_SIGNED_DATA_VERIFY_FLAG.CAPICOM_VERIFY_SIGNATURE_ONLY);
if (mySD.Content != hashData)
{
_setting.MsgText = "محتوای امضا تغییر یافته است";
_setting.MsgVisible = true;
//BOLlogs.InsertIntoLogs((int)Enums.LogTypes.enm_ErrorInVerify, ValidUser.Code, strlogContent, _setting.RawUrl, _setting.UrlHost);
return(_setting);
}
int count = mySD.Certificates.Count;
string thump;
Boolean IsValidThump = false;
for (int i = 1; i <= count; i++)
{
Certificate cr = (Certificate)mySD.Certificates[i];
thump = cr.Thumbprint;
if (!IsValidThump)
{
if (_setting.Tumbprint.ToUpper() == thump)
{
IsValidThump = true;
}
}
}
if (IsValidThump)
{
Login(setting);
}
else
{
_setting.MsgText = " با گواهی مربوطه امضا نشده است";
_setting.MsgVisible = true;
//BOLlogs.InsertIntoLogs((int)Enums.LogTypes.enm_SignedWithAnotherCertificate, ValidUser.Code, strlogContent, _setting.RawUrl, _setting.UrlHost);
}
}
catch (Exception e)
{
//_setting.MsgText = "امضا نامعتبر است";
//_setting.MsgVisible = true;
//BOLlogs.InsertIntoLogs((int)Enums.LogTypes.enm_InvalidSign, ValidUser.Code, strlogContent, _setting.RawUrl, _setting.UrlHost);
}
SetCaptcha(_setting);
return(_setting);
}
// Allow self-signed certificates, expired certificates, etc.
private static bool AcceptCertificate(object sender,
X509Certificate certificate, X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
return(true);
}
private static bool HandleServerCertificateValidation(object sender, X509Certificate cert, X509Chain chain, System.Net.Security.SslPolicyErrors error)
{
return(true);
}
private static bool CheckValidationResult(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
{
return true; //总是接受
}
private bool ValidateRemoteCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
IsAuthenticatedByDane = false;
switch (_tlsaRecords.ValidationResult)
{
case DnsSecValidationResult.Signed:
if (_tlsaRecords.Records.Count == 0)
{
return(!_enforceTlsaValidation && (sslPolicyErrors == SslPolicyErrors.None));
}
foreach (var tlsaRecord in _tlsaRecords.Records)
{
if (ValidateCertificateByTlsa(tlsaRecord, certificate, chain, sslPolicyErrors))
{
IsAuthenticatedByDane = true;
return(true);
}
}
return(false);
case DnsSecValidationResult.Bogus:
return(false);
default:
return(!_enforceTlsaValidation && (sslPolicyErrors == SslPolicyErrors.None));
}
}
private static bool OnValidateCertificate(object sender, X509Certificate certificate, X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
return true;
}
// TODO HPKP / Expect-CT
private bool ServerCertificateValidation(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
{
return(errors == SslPolicyErrors.None);
}
private bool SslUserCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
// Raise an event to decide whether the certificate is valid.
var eventArgs = new IrcValidateSslCertificateEventArgs(certificate, chain, sslPolicyErrors);
eventArgs.IsValid = true;
OnValidateSslCertificate(eventArgs);
return eventArgs.IsValid;
}
private static bool OnCertificateValidation(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
public static void BuildChain_WithApplicationPolicy_Match()
{
using (var msCer = new X509Certificate2(TestData.MsCertificate))
using (X509Chain chain = new X509Chain())
{
// Code Signing
chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.3"));
chain.ChainPolicy.VerificationTime = msCer.NotBefore.AddHours(2);
chain.ChainPolicy.VerificationFlags =
X509VerificationFlags.AllowUnknownCertificateAuthority;
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
bool valid = chain.Build(msCer);
Assert.True(valid, "Chain built validly");
}
}
/// <summary>
/// Callback routine that validates server TLS certificate.
/// As we do not perform certificate validation, we just return true.
/// </summary>
/// <param name="sender"><see cref="System.Net.Security.RemoteCertificateValidationCallback"/> Delegate.</param>
/// <param name="certificate"><see cref="System.Net.Security.RemoteCertificateValidationCallback"/> Delegate.</param>
/// <param name="chain"><see cref="System.Net.Security.RemoteCertificateValidationCallback"/> Delegate.</param>
/// <param name="sslPolicyErrors"><see cref="System.Net.Security.RemoteCertificateValidationCallback"/> Delegate.</param>
/// <returns><see cref="System.Net.Security.RemoteCertificateValidationCallback"/> Delegate.</returns>
public static bool PeerCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
return(true);
}
public static void BuildChain_WithCertificatePolicy_NoMatch()
{
using (var cert = new X509Certificate2(TestData.CertWithPolicies))
using (X509Chain chain = new X509Chain())
{
chain.ChainPolicy.CertificatePolicy.Add(new Oid("2.999"));
chain.ChainPolicy.VerificationFlags =
X509VerificationFlags.AllowUnknownCertificateAuthority;
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.VerificationTime = cert.NotBefore.AddHours(2);
bool valid = chain.Build(cert);
Assert.False(valid, "Chain built validly");
Assert.InRange(chain.ChainElements.Count, 1, int.MaxValue);
Assert.NotSame(cert, chain.ChainElements[0].Certificate);
Assert.Equal(cert, chain.ChainElements[0].Certificate);
X509ChainStatus[] chainElementStatus = chain.ChainElements[0].ChainElementStatus;
Assert.InRange(chainElementStatus.Length, 1, int.MaxValue);
Assert.Contains(chainElementStatus, x => x.Status == X509ChainStatusFlags.NotValidForUsage);
}
}
private bool AllowRemoteCertificateNameMismatch(HttpRequestMessage httpMessage, X509Certificate2 certificate, X509Chain chain, SslPolicyErrors errors)
{
if (errors == SslPolicyErrors.RemoteCertificateNameMismatch)
{
return(true);
}
return(false);
}
protected override bool ValidateChain(ICmsSignature signer, X509Chain chain, SignatureLogger verboseWriter)
{
return(ValidateStrongChain(signer, chain, verboseWriter));
}
protected virtual bool ValidateServerCertificate(X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
return(true);
}
private static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == SslPolicyErrors.None)
return true;
if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0)
{
if (chain != null && chain.ChainStatus != null)
{
X509Certificate2 cert2 = new X509Certificate2(certificate);
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
//chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
//chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(1000);
//chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
//chain.ChainPolicy.VerificationTime = DateTime.Now;
chain.Build(cert2);
foreach (System.Security.Cryptography.X509Certificates.X509ChainStatus status in chain.ChainStatus)
{
if ((certificate.Subject == certificate.Issuer) &&
(status.Status == System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.UntrustedRoot))
{
// Self-signed certificates with an untrusted root are valid.
continue;
}
else
{
if (status.Status != System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.NoError)
{
// If there are any other errors in the certificate chain, the certificate is invalid,
// so the method returns false.
return false;
}
}
}
}
return true;
}
// Do not allow this client to communicate with unauthenticated servers.
return false;
}
private bool ValidateCertificateByTlsa(TlsaRecord tlsaRecord, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
switch (tlsaRecord.CertificateUsage)
{
case TlsaRecord.TlsaCertificateUsage.PkixTA:
return(chain.ChainElements.Cast <X509ChainElement>().Any(x => ValidateCertificateByTlsa(tlsaRecord, x.Certificate)) && (sslPolicyErrors == SslPolicyErrors.None));
case TlsaRecord.TlsaCertificateUsage.PkixEE:
return(ValidateCertificateByTlsa(tlsaRecord, certificate) && (sslPolicyErrors == SslPolicyErrors.None));
case TlsaRecord.TlsaCertificateUsage.DaneTA:
return(chain.ChainElements.Cast <X509ChainElement>().Any(x => ValidateCertificateByTlsa(tlsaRecord, x.Certificate)) && ((sslPolicyErrors | SslPolicyErrors.RemoteCertificateChainErrors) == SslPolicyErrors.RemoteCertificateChainErrors));
case TlsaRecord.TlsaCertificateUsage.DaneEE:
return(ValidateCertificateByTlsa(tlsaRecord, certificate) && ((sslPolicyErrors | SslPolicyErrors.RemoteCertificateChainErrors) == SslPolicyErrors.RemoteCertificateChainErrors));
default:
throw new NotSupportedException();
}
}
private bool AcceptCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
return(_settings.AcceptInvalidCertificates);
}
// Token: 0x0600006F RID: 111 RVA: 0x00004E7A File Offset: 0x0000307A
private static bool PinPublicKey(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
return(certificate != null && certificate.GetPublicKeyString() == "046EECD33E469E9E1958D6BEEDE0A71843202724A5758BD1723F6C340C5E98EDE06FF5C21B35F359C65B850744729B3AA999B0B6392DA69EDB278EB31DBCE85774");
}
public static IList <X509Certificate2> GetCertificatesFromChain(X509Chain chainCert) => chainCert.ChainElements.Cast <X509ChainElement>().Select(element => element.Certificate).ToList();
private void LogVerifyErrors(X509Certificate2 cert, string testName)
{
// Emulate cert.Verify() implementation in order to capture and log errors.
try
{
using (var chain = new X509Chain())
{
if (!chain.Build(cert))
{
foreach (X509ChainStatus chainStatus in chain.ChainStatus)
{
_log.WriteLine(string.Format($"X509Certificate2.Verify error: {testName}, {chainStatus.Status}, {chainStatus.StatusInformation}"));
}
}
else
{
_log.WriteLine(string.Format($"X509Certificate2.Verify expected error; received none: {testName}"));
}
}
}
catch (Exception e)
{
_log.WriteLine($"X509Certificate2.Verify exception: {testName}, {e}");
}
}
internal bool ServerCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
return(Kubernetes.CertificateValidationCallBack(sender, this.CaCerts, certificate, chain, sslPolicyErrors));
}
/// <summary>
/// Calls X509_STORE_CTX_init()
/// </summary>
/// <param name="store"></param>
/// <param name="cert"></param>
/// <param name="uchain"></param>
public void Init(X509Store store, X509Certificate cert, X509Chain uchain)
{
Native.ExpectSuccess(Native.X509_STORE_CTX_init(
this.ptr,
store.Handle,
cert != null ? cert.Handle : IntPtr.Zero,
uchain.Handle));
}
//------------------------------------------------------------>
/*
* Validacion de un certificado (Creado por una Autoridad de certificación - AC)
*/
public static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
return(true); //Temp. Validacion fija al usar un certificado autogenerado (Para entorno de depuracion/pruebas)
if (sslPolicyErrors == SslPolicyErrors.None)
{
return(true);
}
Console.WriteLine("Certificate error: {0}" + sslPolicyErrors);
return(false);
}
internal int OnVerifyCertThunk(int ok, IntPtr store_ctx)
{
X509StoreContext ctx = new X509StoreContext(store_ctx, false);
X509Certificate cert = ctx.CurrentCert;
int depth = ctx.ErrorDepth;
VerifyResult result = (VerifyResult)ctx.Error;
// build the X509Chain from the store
X509Store store = ctx.Store;
Core.Stack<X509Object> objStack = store.Objects;
X509Chain chain = new X509Chain();
foreach (X509Object obj in objStack)
{
X509Certificate objCert = obj.Certificate;
if (objCert != null)
{
chain.Add(objCert);
}
}
// Call the managed delegate
if (OnVerifyCert(this, cert, chain, depth, result))
{
return 1;
}
else
{
return 0;
}
}
/// <summary>
/// 回调验证证书问题
/// </summary>
/// <param name="sender">流对象</param>
/// <param name="certificate">证书</param>
/// <param name="chain">X509Chain</param>
/// <param name="errors">SslPolicyErrors</param>
/// <returns>bool</returns>
public bool CheckValidationResult(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
{
return(true);
}
public static void BuildChain_WithCertificatePolicy_Match()
{
using (var cert = new X509Certificate2(TestData.CertWithPolicies))
using (X509Chain chain = new X509Chain())
{
// Code Signing
chain.ChainPolicy.CertificatePolicy.Add(new Oid("2.18.19"));
chain.ChainPolicy.VerificationFlags =
X509VerificationFlags.AllowUnknownCertificateAuthority;
chain.ChainPolicy.VerificationTime = cert.NotBefore.AddHours(2);
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
bool valid = chain.Build(cert);
Assert.True(valid, "Chain built validly");
}
}
private static bool CheckValidationResult(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
{
if (errors == SslPolicyErrors.None)
{
return(true);
}
return(false);
}
public static void VerifyExpiration_LocalTime(DateTime verificationTime, bool shouldBeValid, DateTimeKind kind)
{
using (var microsoftDotCom = new X509Certificate2(TestData.MicrosoftDotComSslCertBytes))
using (var microsoftDotComIssuer = new X509Certificate2(TestData.MicrosoftDotComIssuerBytes))
using (var microsoftDotComRoot = new X509Certificate2(TestData.MicrosoftDotComRootBytes))
{
X509Chain chain = new X509Chain();
chain.ChainPolicy.ExtraStore.Add(microsoftDotComIssuer);
chain.ChainPolicy.ExtraStore.Add(microsoftDotComRoot);
// Ignore anything except NotTimeValid
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags & ~X509VerificationFlags.IgnoreNotTimeValid;
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.VerificationTime = verificationTime;
bool builtSuccessfully = chain.Build(microsoftDotCom);
Assert.Equal(shouldBeValid, builtSuccessfully);
// If we failed to build the chain, ensure that NotTimeValid is one of the reasons.
if (!shouldBeValid)
{
Assert.Contains(chain.ChainStatus, s => s.Status == X509ChainStatusFlags.NotTimeValid);
}
}
}
/// <summary>
/// Validates the SSL server certificate.
/// </summary>
/// <param name="sender">An object that contains state information for this
/// validation.</param>
/// <param name="cert">The certificate used to authenticate the remote party.</param>
/// <param name="chain">The chain of certificate authorities associated with the
/// remote certificate.</param>
/// <param name="sslPolicyErrors">One or more errors associated with the remote
/// certificate.</param>
/// <returns>Returns a boolean value that determines whether the specified
/// certificate is accepted for authentication; true to accept or false to
/// reject.</returns>
public override bool ValidateServerCertficate(
object sender,
X509Certificate cert,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == SslPolicyErrors.None)
{
// Good certificate.
return(true);
}
string msg = string.Format(P4VS.Resources.SSLCertificateHandler_SSLCertificateError, sslPolicyErrors);
P4VS.P4VsOutputWindow.AppendMessage(msg);
P4VS.FileLogger.LogMessage(3, "SwarmAPI", msg);
string certHash = cert.GetCertHashString();
if (certHash == CertHash)
{
// same certificate we looked at before
if (ExceptionApproved == true)
{
// Already approved
return(true);
}
if (ExceptionRejected == true)
{
//Already rejected
return(false);
}
}
if ((!ExceptionRejected) && ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) == 0))
{
// likely a self signed certificate.
string serverName = ServerUrl;
int slashIdx = ServerUrl.LastIndexOf('/');
if (slashIdx > 0)
{
serverName = ServerUrl.Substring(slashIdx + 1);
}
string key = string.Format("SSlCertificateException_{0}", serverName.Replace(':', '_'));
CertHash = P4VS.Preferences.LocalSettings.GetString(key, null);
if ((CertHash == null) || (certHash != CertHash))
{
// haven't seen one for this URL or it's a different certificate
SSLCertificateErrorDlg dlg = new SSLCertificateErrorDlg();
dlg.CertificateText = cert.ToString(true);
List <string> certErrors = new List <string>();
if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
{
certErrors.Add(Resources.P4ScmProvider_RemoteCertificateNameMismatch);
}
if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0)
{
foreach (X509ChainStatus err in chain.ChainStatus)
{
certErrors.Add(err.StatusInformation);
}
}
dlg.CertificateErrors = certErrors;
if (System.Windows.Forms.DialogResult.Yes == dlg.ShowDialog())
{
// add the exeption
P4VS.Preferences.LocalSettings[key] = certHash;
ExceptionApproved = true;
return(true);
}
ExceptionRejected = true;
return(false);
}
ExceptionApproved = true;
return(true);
}
// Return true => allow unauthenticated server,
// false => disallow unauthenticated server.
return(false);
}
/// <summary>
/// Verifies the server certificate by calling into ServicePointManager.ServerCertificateValidationCallback or,
/// if the is no delegate attached to it by using the default hostname verifier.
/// </summary>
/// <returns><c>true</c>, if server certificate was verifyed, <c>false</c> otherwise.</returns>
/// <param name="hostname"></param>
/// <param name="session"></param>
static bool verifyServerCertificate(string hostname, ISSLSession session)
{
var defaultVerifier = HttpsURLConnection.DefaultHostnameVerifier;
if (ServicePointManager.ServerCertificateValidationCallback == null)
{
return(defaultVerifier.Verify(hostname, session));
}
// Convert java certificates to .NET certificates and build cert chain from root certificate
var certificates = session.GetPeerCertificateChain();
var chain = new X509Chain();
X509Certificate2 root = null;
var errors = System.Net.Security.SslPolicyErrors.None;
// Build certificate chain and check for errors
if (certificates == null || certificates.Length == 0) //no cert at all
{
errors = System.Net.Security.SslPolicyErrors.RemoteCertificateNotAvailable;
goto bail;
}
if (certificates.Length == 1) //no root?
{
errors = System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors;
goto bail;
}
var netCerts = certificates.Select(x => new X509Certificate2(x.GetEncoded())).ToArray();
for (int i = 1; i < netCerts.Length; i++)
{
chain.ChainPolicy.ExtraStore.Add(netCerts[i]);
}
root = netCerts[0];
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 1, 0);
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
if (!chain.Build(root))
{
errors = System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors;
goto bail;
}
var subject = root.Subject;
var subjectCn = cnRegex.Match(subject).Groups[1].Value;
if (String.IsNullOrWhiteSpace(subjectCn) || !Utility.MatchHostnameToPattern(hostname, subjectCn))
{
errors = System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch;
goto bail;
}
bail:
// Call the delegate to validate
return(ServicePointManager.ServerCertificateValidationCallback(hostname, root, chain, errors));
}
public static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
return(true);
}
public static void X509CertStoreChain()
{
X509Store store = new X509Store("My", StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
// can't guarantee there is a certificate in store
if (store.Certificates.Count > 0)
{
X509Chain chain = new X509Chain();
Assert.NotNull(chain.SafeHandle);
Assert.Same(chain.SafeHandle, chain.SafeHandle);
Assert.True(chain.SafeHandle.IsInvalid);
foreach (X509Certificate2 c in store.Certificates)
{
// can't guarantee success, so no Assert
if (chain.Build(c))
{
foreach (X509ChainElement k in chain.ChainElements)
{
Assert.NotNull(k.Certificate.IssuerName.Name);
}
}
}
}
}
public static bool Validator( object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors policyErrors)
{
Debug.Log("Validation successful!");
return true;
}
private bool ShouldByPassValidationError(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
var request = sender as HttpWebRequest;
if (request == null)
{
return(true);
}
var cert2 = certificate as X509Certificate2;
if (cert2 != null && request != null && cert2.SignatureAlgorithm.FriendlyName == "md5RSA")
{
_logger.Error("https://{0} uses the obsolete md5 hash in it's https certificate, if that is your certificate, please (re)create certificate with better algorithm as soon as possible.", request.RequestUri.Authority);
}
if (sslPolicyErrors == SslPolicyErrors.None)
{
return(true);
}
if (request.RequestUri.Host == "localhost" || request.RequestUri.Host == "127.0.0.1")
{
return(true);
}
var ipAddresses = GetIPAddresses(request.RequestUri.Host);
var certificateValidation = _configService.CertificateValidation;
if (certificateValidation == CertificateValidationType.Disabled)
{
return(true);
}
if (certificateValidation == CertificateValidationType.DisabledForLocalAddresses &&
ipAddresses.All(i => i.IsLocalAddress()))
{
return(true);
}
_logger.Error("Certificate validation for {0} failed. {1}", request.Address, sslPolicyErrors);
return(false);
}
public static bool Validator(
object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors policyErrors )
{
// Just accept and move on...
return true;
}
