// The GitHub SSL certificate is corrupt, or something? Who cares. public static bool Validator( object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors ) { return true; }
public static void BuildChain() { using (var microsoftDotCom = new X509Certificate2(TestData.MicrosoftDotComSslCertBytes)) using (var microsoftDotComIssuer = new X509Certificate2(TestData.MicrosoftDotComIssuerBytes)) using (var microsoftDotComRoot = new X509Certificate2(TestData.MicrosoftDotComRootBytes)) using (var unrelated = new X509Certificate2(TestData.DssCer)) { X509Chain chain = new X509Chain(); chain.ChainPolicy.ExtraStore.Add(unrelated); chain.ChainPolicy.ExtraStore.Add(microsoftDotComRoot); chain.ChainPolicy.ExtraStore.Add(microsoftDotComIssuer); chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority; // Halfway between microsoftDotCom's NotBefore and NotAfter // This isn't a boundary condition test. chain.ChainPolicy.VerificationTime = new DateTime(2015, 10, 15, 12, 01, 01, DateTimeKind.Local); chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; bool valid = chain.Build(microsoftDotCom); Assert.True(valid, "Chain built validly"); // The chain should have 3 members Assert.Equal(3, chain.ChainElements.Count); // These are the three specific members. Assert.Equal(microsoftDotCom, chain.ChainElements[0].Certificate); Assert.Equal(microsoftDotComIssuer, chain.ChainElements[1].Certificate); Assert.Equal(microsoftDotComRoot, chain.ChainElements[2].Certificate); } }
internal static bool TrustEvaluateSsl (X509Certificate2Collection collection, object sender, X509Certificate2 certificate, X509Chain chain, SslPolicyErrors errors) { var certsRawData = new List <byte[]> (collection.Count); foreach (var cert in collection) certsRawData.Add (cert.RawData); return trustEvaluateSsl (certsRawData); }
public virtual X509Chain ComputeX509Chain (XX509CertificateCollection certs, ref SslPolicyErrors errors, ref int status11) { #if MOBILE return null; #else if (is_macosx) return null; var chain = new X509Chain (); chain.ChainPolicy = new X509ChainPolicy (); chain.ChainPolicy.RevocationMode = revocation_mode; for (int i = 1; i < certs.Count; i++) { chain.ChainPolicy.ExtraStore.Add (certs [i]); } var leaf = (X509Certificate2)certs [0]; try { if (!chain.Build (leaf)) errors |= GetErrorsFromChain (chain); } catch (Exception e) { Console.Error.WriteLine ("ERROR building certificate chain: {0}", e); Console.Error.WriteLine ("Please, report this problem to the Mono team"); errors |= SslPolicyErrors.RemoteCertificateChainErrors; } status11 = GetStatusFromChain (chain); return chain; #endif }
public static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { if (sslPolicyErrors == SslPolicyErrors.None) { return true; } byte[] receivedCertificateHash = certificate.GetCertHash(); //If length differs, obviously different hash. if (receivedCertificateHash.Length != hardCodedServerCertificateHash.Length) { return false; } //Check that each byte is the same for (int i = 0; i < hardCodedServerCertificateHash.Length; i++) { if (receivedCertificateHash[i] != hardCodedServerCertificateHash[i]) { return false; } } //Equality of the certificates confirmed. return true; }
static bool BuildX509Chain (XX509CertificateCollection certs, X509Chain chain, ref SslPolicyErrors errors, ref int status11) { #if MOBILE return false; #else if (is_macosx) return false; var leaf = (X509Certificate2)certs [0]; bool ok; try { ok = chain.Build (leaf); if (!ok) errors |= GetErrorsFromChain (chain); } catch (Exception e) { Console.Error.WriteLine ("ERROR building certificate chain: {0}", e); Console.Error.WriteLine ("Please, report this problem to the Mono team"); errors |= SslPolicyErrors.RemoteCertificateChainErrors; ok = false; } try { status11 = GetStatusFromChain (chain); } catch { status11 = -2146762485; // TRUST_E_FAIL - generic } return ok; #endif }
public SslStreamServer( Stream stream, bool ownStream, X509Certificate serverCertificate, bool clientCertificateRequired, X509Chain caCerts, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation, RemoteCertificateValidationHandler remote_callback) : base(stream, ownStream) { this.checkCertificateRevocationStatus = checkCertificateRevocation; this.remoteCertificateSelectionCallback = remote_callback; // Initialize the SslContext object InitializeServerContext(serverCertificate, clientCertificateRequired, caCerts, enabledSslProtocols, sslStrength, checkCertificateRevocation); ssl = new Ssl(sslContext); // Initialze the read/write bio read_bio = BIO.MemoryBuffer(false); write_bio = BIO.MemoryBuffer(false); // Set the read/write bio's into the the Ssl object ssl.SetBIO(read_bio, write_bio); read_bio.SetClose(BIO.CloseOption.Close); write_bio.SetClose(BIO.CloseOption.Close); // Set the Ssl object into server mode ssl.SetAcceptState(); }
public static void VerifyCrlCache() { string crlDirectory = PersistedFiles.GetUserFeatureDirectory("cryptography", "crls"); string crlFile = Path.Combine(crlDirectory,MicrosoftDotComRootCrlFilename); Directory.CreateDirectory(crlDirectory); File.Delete(crlFile); using (var microsoftDotComIssuer = new X509Certificate2(TestData.MicrosoftDotComIssuerBytes)) using (var microsoftDotComRoot = new X509Certificate2(TestData.MicrosoftDotComRootBytes)) using (var unrelated = new X509Certificate2(TestData.DssCer)) { X509Chain chain = new X509Chain(); chain.ChainPolicy.ExtraStore.Add(unrelated); chain.ChainPolicy.ExtraStore.Add(microsoftDotComRoot); // The very start of the CRL period. chain.ChainPolicy.VerificationTime = new DateTime(2015, 6, 17, 0, 0, 0, DateTimeKind.Utc); chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EndCertificateOnly; chain.ChainPolicy.VerificationFlags |= X509VerificationFlags.AllowUnknownCertificateAuthority; bool valid = chain.Build(microsoftDotComIssuer); Assert.True(valid, "Precondition: Chain builds with no revocation checks"); int initialErrorCount = chain.ChainStatus.Length; Assert.InRange(initialErrorCount, 0, 1); if (initialErrorCount > 0) { Assert.Equal(X509ChainStatusFlags.UntrustedRoot, chain.ChainStatus[0].Status); } chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline; valid = chain.Build(microsoftDotComIssuer); Assert.False(valid, "Chain should not build validly"); Assert.Equal(initialErrorCount + 1, chain.ChainStatus.Length); Assert.Equal(X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainStatus[0].Status); File.WriteAllText(crlFile, MicrosoftDotComRootCrlPem, Encoding.ASCII); valid = chain.Build(microsoftDotComIssuer); Assert.True(valid, "Chain should build validly now"); Assert.Equal(initialErrorCount, chain.ChainStatus.Length); // Rewind one second, the CRL is not "not yet valid" chain.ChainPolicy.VerificationTime = chain.ChainPolicy.VerificationTime.Subtract(TimeSpan.FromSeconds(1)); valid = chain.Build(microsoftDotComIssuer); Assert.False(valid, "Chain should not build validly, CRL is not yet valid"); Assert.Equal(initialErrorCount + 1, chain.ChainStatus.Length); Assert.Equal(X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainStatus[0].Status); } }
static bool CertificateValidation (object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors certificateErrors) { Console.WriteLine ("CertificateValidation"); Console.WriteLine (certificate.ToString (true)); Console.WriteLine ("Chain"); Console.WriteLine (chain); Console.WriteLine ("\tError(s)"); Console.WriteLine (certificateErrors); Console.WriteLine (); return true; }
public static X509Chain CreateX509Chain (XX509CertificateCollection certs) { var chain = new X509Chain (); chain.ChainPolicy = new X509ChainPolicy ((X509CertificateCollection)(object)certs); #if !MOBILE chain.ChainPolicy.RevocationMode = revocation_mode; #endif return chain; }
static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { foreach (X509ChainElement element in chain.ChainElements) { Console.WriteLine ("Element issuer name: {0}", element.Certificate.Issuer); } if (chain.ChainElements != null && chain.ChainElements.Count != 0) { X509ChainElement chainElement = chain.ChainElements[chain.ChainElements.Count - 1]; data = chainElement.Certificate.Export(X509ContentType.Cert); } return true; }
public static X509Chain CreateX509Chain (XX509CertificateCollection certs) { var chain = new X509Chain (); chain.ChainPolicy = new X509ChainPolicy (); #if !MOBILE chain.ChainPolicy.RevocationMode = revocation_mode; #endif for (int i = 1; i < certs.Count; i++) { chain.ChainPolicy.ExtraStore.Add (certs [i]); } return chain; }
public MoagentClient(string host, int port, bool useSsl) { _server = host; _port = port; _useSsl = useSsl; _client = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp); if (_useSsl) { var certBio = BIO.File(@".\agentClientCert.p12", "r"); X509Certificate clientCert = X509Certificate.FromPKCS12(certBio, string.Empty); var serverBio = BIO.File(@".\ProactiveContactCA.cer", "r"); X509Certificate serverCert = X509Certificate.FromDER(serverBio); _xList = new X509List {clientCert}; _xChain = new X509Chain {serverCert}; } }
public static void BuildChainExtraStoreUntrustedRoot() { using (var testCert = new X509Certificate2(Path.Combine("TestData", "test.pfx"), TestData.ChainPfxPassword)) { X509Certificate2Collection collection = new X509Certificate2Collection(); collection.Import(Path.Combine("TestData", "test.pfx"), TestData.ChainPfxPassword, X509KeyStorageFlags.DefaultKeySet); X509Chain chain = new X509Chain(); chain.ChainPolicy.ExtraStore.AddRange(collection); chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; chain.ChainPolicy.VerificationTime = new DateTime(2015, 9, 22, 12, 25, 0); bool valid = chain.Build(testCert); Assert.False(valid); Assert.Contains(chain.ChainStatus, s => s.Status == X509ChainStatusFlags.UntrustedRoot); } }
public static void Test(X509IncludeOption include) { cert = EndCert ; X509Chain chain = new X509Chain() ; chain.Build( cert ) ; X509ChainElementCollection lmnts = chain.ChainElements ; KeyInfoX509Data data = new KeyInfoX509Data( cert, include ) ; ArrayList al = data.Certificates ; if( al == null ) return ; for( int i = 0 ; i < al.Count ; i++ ) { rv = lmnts[i].Certificate.ToString(true) == ((X509Certificate) al[i]).ToString(true) ; if( !rv ) Console.WriteLine( "i = " + i.ToString() + " and include=" + include.ToString() ) ; } Console.WriteLine( "*************************************************************" ) ; }
public static bool MyRemoteCertificateValidationCallback(System.Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { bool isOk = true; // If there are errors in the certificate chain, look at each error to determine the cause. if (sslPolicyErrors != SslPolicyErrors.None) { for (int i=0; i<chain.ChainStatus.Length; i++) { if (chain.ChainStatus [i].Status != X509ChainStatusFlags.RevocationStatusUnknown) { chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain; chain.ChainPolicy.RevocationMode = X509RevocationMode.Online; chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan (0, 1, 0); chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags; bool chainIsValid = chain.Build ((X509Certificate2)certificate); if (!chainIsValid) { isOk = false; } } } } return isOk; }
public SslStreamClient(Stream stream, bool ownStream, string targetHost, X509List clientCertificates, X509Chain caCertificates, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocationStatus, RemoteCertificateValidationHandler remoteCallback, LocalCertificateSelectionHandler localCallback) : base(stream, ownStream) { this.targetHost = targetHost; this.clientCertificates = clientCertificates; this.caCertificates = caCertificates; this.checkCertificateRevocationStatus = checkCertificateRevocationStatus; this.remoteCertificateSelectionCallback = remoteCallback; this.localCertificateSelectionCallback = localCallback; this.internalCertificateSelectionCallback = new ClientCertCallbackHandler(InternalClientCertificateSelectionCallback); InitializeClientContext(clientCertificates, enabledSslProtocols, sslStrength, checkCertificateRevocationStatus); }
/// <summary> /// The following method is invoked by the RemoteCertificateValidationDelegate. /// This allows you to check the certificate and accept or reject it /// return true will accept the certificate /// </summary> /// <param name="sender"></param> /// <param name="certificate"></param> /// <param name="chain"></param> /// <param name="sslPolicyErrors"></param> /// <returns></returns> private static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { // Accept all certificates return true; }
/// <summary> /// Certificate validation callback. /// </summary> private static bool ValidateRemoteCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return(true); // for expediency/trusted cert // If the certificate is a valid, signed certificate, return true. //if ( error == System.Net.Security.SslPolicyErrors.None ) //{ // return true; //} //Console.WriteLine( "X509Certificate [{cert.Subject}] Policy Error: '{error.ToString()}'"; //return false; }
private bool TcpClientBase_ValidateServerCertificateEvent(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return(ValidateServerCertificate(certificate, chain, sslPolicyErrors)); }
private static bool OnCertificateValidation(HttpRequestMessage request, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) #endif { Log.Info("Validating certificate [IgnoreRemoteCertificateNameMismatch={0}]: {1}", ClientConfiguration.IgnoreRemoteCertificateNameMismatch, sslPolicyErrors); if (ClientConfiguration.IgnoreRemoteCertificateNameMismatch) { if (sslPolicyErrors == SslPolicyErrors.RemoteCertificateNameMismatch) { return(true); } } return(sslPolicyErrors == SslPolicyErrors.None); }
private bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { #if DEBUG return(true); #endif return(Settings.ServerCertificate.Equals(certificate)); }
private bool CertificateChainValidator <T>( T sender, X509Certificate2 cert, X509Chain chain, SslPolicyErrors sslPolicyErrors) { if (cert == null || sslPolicyErrors == SslPolicyErrors.RemoteCertificateNotAvailable) { Trace.WriteWarning( TraceType, "Unauthorized request by sender - {0} using null certificate.", sender); return(false); } IList <string> serverCertThumbprints = null; IList <KeyValuePair <string, string> > x509NamesAndIssuers = null; if (TryGetServerCertThumbprints(out serverCertThumbprints) && serverCertThumbprints != null && serverCertThumbprints.Count > 0) { var certThumbprint = cert.Thumbprint; if (certThumbprint != null && !serverCertThumbprints.Contains(certThumbprint, StringComparer.OrdinalIgnoreCase)) { var serverCerts = new StringBuilder(); foreach (var serverCert in serverCertThumbprints) { serverCerts.Append(serverCert).Append("|"); } Trace.WriteWarning( TraceType, "Unauthorized request by sender - {0} using certificate - {1}- Thumbprint {2} vs expected thumbprint {3}", sender, cert.ToString(), cert.Thumbprint, serverCerts.ToString()); return(false); } } //// TODO current SFRP only use thumbprint, so we may ingore this for now //// we should add chain validation else if (TryGetServerX509Names(out x509NamesAndIssuers) && x509NamesAndIssuers != null && x509NamesAndIssuers.Count > 0) { foreach (var x509NamesKvp in x509NamesAndIssuers) { var simpleName = cert.GetNameInfo(X509NameType.SimpleName, false); var dnsAlternativeName = cert.GetNameInfo(X509NameType.DnsFromAlternativeName, false); var dnsName = cert.GetNameInfo(X509NameType.DnsName, false); if (cert.Subject.Equals(x509NamesKvp.Key, StringComparison.OrdinalIgnoreCase) || (simpleName != null && simpleName.Equals(x509NamesKvp.Key, StringComparison.OrdinalIgnoreCase)) || (dnsAlternativeName != null && dnsAlternativeName.Equals(x509NamesKvp.Key, StringComparison.OrdinalIgnoreCase)) || (dnsName != null && dnsName.Equals(x509NamesKvp.Key, StringComparison.OrdinalIgnoreCase))) { return(true); } } var serverCerts = new StringBuilder(); foreach (var serverCert in x509NamesAndIssuers) { serverCerts.Append(string.Concat(serverCert.Key, " ", serverCert.Value)).Append("|"); } Trace.WriteWarning( TraceType, "Unauthorized request by sender - {0} using certificate - {1}- Names {2} vs expected Names {3}", sender, cert.ToString(), cert.SubjectName.Name, serverCerts.ToString()); return(false); } return(true); }
/// <summary> /// 远程证书验证,固定返回true /// </summary> private static bool RemoteCertificateValidate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors error) { return(true); }
public Setting HashAndcheckval(object setting, string signature) { X509Chain chain = new X509Chain(); chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline; Setting _setting = setting as Setting; BOLLogs BOLlogs = new BOLLogs(); Users ValidUser = BOLUsers.GetDataByUsername(_setting.UserName); string hashData = DoHash(_setting.Pass); hashData = "<login><Password>" + hashData + "</Password><UserName>" + _setting.UserName + "</UserName><Captcha>" + _setting.CaptchaText + "</Captcha></login>"; string strlogContent = "<login><UserName>" + _setting.UserName + "</UserName><Password>" + _setting.Pass + "</Password></login>"; SignedData mySD = new SignedData(); try { mySD.Verify(signature, false, CAPICOM_SIGNED_DATA_VERIFY_FLAG.CAPICOM_VERIFY_SIGNATURE_ONLY); if (mySD.Content != hashData) { _setting.MsgText = "محتوای امضا تغییر یافته است"; _setting.MsgVisible = true; //BOLlogs.InsertIntoLogs((int)Enums.LogTypes.enm_ErrorInVerify, ValidUser.Code, strlogContent, _setting.RawUrl, _setting.UrlHost); return(_setting); } int count = mySD.Certificates.Count; string thump; Boolean IsValidThump = false; for (int i = 1; i <= count; i++) { Certificate cr = (Certificate)mySD.Certificates[i]; thump = cr.Thumbprint; if (!IsValidThump) { if (_setting.Tumbprint.ToUpper() == thump) { IsValidThump = true; } } } if (IsValidThump) { Login(setting); } else { _setting.MsgText = " با گواهی مربوطه امضا نشده است"; _setting.MsgVisible = true; //BOLlogs.InsertIntoLogs((int)Enums.LogTypes.enm_SignedWithAnotherCertificate, ValidUser.Code, strlogContent, _setting.RawUrl, _setting.UrlHost); } } catch (Exception e) { //_setting.MsgText = "امضا نامعتبر است"; //_setting.MsgVisible = true; //BOLlogs.InsertIntoLogs((int)Enums.LogTypes.enm_InvalidSign, ValidUser.Code, strlogContent, _setting.RawUrl, _setting.UrlHost); } SetCaptcha(_setting); return(_setting); }
// Allow self-signed certificates, expired certificates, etc. private static bool AcceptCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return(true); }
private static bool HandleServerCertificateValidation(object sender, X509Certificate cert, X509Chain chain, System.Net.Security.SslPolicyErrors error) { return(true); }
private static bool CheckValidationResult(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors) { return true; //总是接受 }
private bool ValidateRemoteCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { IsAuthenticatedByDane = false; switch (_tlsaRecords.ValidationResult) { case DnsSecValidationResult.Signed: if (_tlsaRecords.Records.Count == 0) { return(!_enforceTlsaValidation && (sslPolicyErrors == SslPolicyErrors.None)); } foreach (var tlsaRecord in _tlsaRecords.Records) { if (ValidateCertificateByTlsa(tlsaRecord, certificate, chain, sslPolicyErrors)) { IsAuthenticatedByDane = true; return(true); } } return(false); case DnsSecValidationResult.Bogus: return(false); default: return(!_enforceTlsaValidation && (sslPolicyErrors == SslPolicyErrors.None)); } }
private static bool OnValidateCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return true; }
// TODO HPKP / Expect-CT private bool ServerCertificateValidation(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors) { return(errors == SslPolicyErrors.None); }
private bool SslUserCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { // Raise an event to decide whether the certificate is valid. var eventArgs = new IrcValidateSslCertificateEventArgs(certificate, chain, sslPolicyErrors); eventArgs.IsValid = true; OnValidateSslCertificate(eventArgs); return eventArgs.IsValid; }
private static bool OnCertificateValidation(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
public static void BuildChain_WithApplicationPolicy_Match() { using (var msCer = new X509Certificate2(TestData.MsCertificate)) using (X509Chain chain = new X509Chain()) { // Code Signing chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.3")); chain.ChainPolicy.VerificationTime = msCer.NotBefore.AddHours(2); chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority; chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; bool valid = chain.Build(msCer); Assert.True(valid, "Chain built validly"); } }
/// <summary> /// Callback routine that validates server TLS certificate. /// As we do not perform certificate validation, we just return true. /// </summary> /// <param name="sender"><see cref="System.Net.Security.RemoteCertificateValidationCallback"/> Delegate.</param> /// <param name="certificate"><see cref="System.Net.Security.RemoteCertificateValidationCallback"/> Delegate.</param> /// <param name="chain"><see cref="System.Net.Security.RemoteCertificateValidationCallback"/> Delegate.</param> /// <param name="sslPolicyErrors"><see cref="System.Net.Security.RemoteCertificateValidationCallback"/> Delegate.</param> /// <returns><see cref="System.Net.Security.RemoteCertificateValidationCallback"/> Delegate.</returns> public static bool PeerCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return(true); }
public static void BuildChain_WithCertificatePolicy_NoMatch() { using (var cert = new X509Certificate2(TestData.CertWithPolicies)) using (X509Chain chain = new X509Chain()) { chain.ChainPolicy.CertificatePolicy.Add(new Oid("2.999")); chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority; chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; chain.ChainPolicy.VerificationTime = cert.NotBefore.AddHours(2); bool valid = chain.Build(cert); Assert.False(valid, "Chain built validly"); Assert.InRange(chain.ChainElements.Count, 1, int.MaxValue); Assert.NotSame(cert, chain.ChainElements[0].Certificate); Assert.Equal(cert, chain.ChainElements[0].Certificate); X509ChainStatus[] chainElementStatus = chain.ChainElements[0].ChainElementStatus; Assert.InRange(chainElementStatus.Length, 1, int.MaxValue); Assert.Contains(chainElementStatus, x => x.Status == X509ChainStatusFlags.NotValidForUsage); } }
private bool AllowRemoteCertificateNameMismatch(HttpRequestMessage httpMessage, X509Certificate2 certificate, X509Chain chain, SslPolicyErrors errors) { if (errors == SslPolicyErrors.RemoteCertificateNameMismatch) { return(true); } return(false); }
protected override bool ValidateChain(ICmsSignature signer, X509Chain chain, SignatureLogger verboseWriter) { return(ValidateStrongChain(signer, chain, verboseWriter)); }
protected virtual bool ValidateServerCertificate(X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return(true); }
private static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { if (sslPolicyErrors == SslPolicyErrors.None) return true; if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0) { if (chain != null && chain.ChainStatus != null) { X509Certificate2 cert2 = new X509Certificate2(certificate); chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; //chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain; //chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(1000); //chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags; //chain.ChainPolicy.VerificationTime = DateTime.Now; chain.Build(cert2); foreach (System.Security.Cryptography.X509Certificates.X509ChainStatus status in chain.ChainStatus) { if ((certificate.Subject == certificate.Issuer) && (status.Status == System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.UntrustedRoot)) { // Self-signed certificates with an untrusted root are valid. continue; } else { if (status.Status != System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.NoError) { // If there are any other errors in the certificate chain, the certificate is invalid, // so the method returns false. return false; } } } } return true; } // Do not allow this client to communicate with unauthenticated servers. return false; }
private bool ValidateCertificateByTlsa(TlsaRecord tlsaRecord, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { switch (tlsaRecord.CertificateUsage) { case TlsaRecord.TlsaCertificateUsage.PkixTA: return(chain.ChainElements.Cast <X509ChainElement>().Any(x => ValidateCertificateByTlsa(tlsaRecord, x.Certificate)) && (sslPolicyErrors == SslPolicyErrors.None)); case TlsaRecord.TlsaCertificateUsage.PkixEE: return(ValidateCertificateByTlsa(tlsaRecord, certificate) && (sslPolicyErrors == SslPolicyErrors.None)); case TlsaRecord.TlsaCertificateUsage.DaneTA: return(chain.ChainElements.Cast <X509ChainElement>().Any(x => ValidateCertificateByTlsa(tlsaRecord, x.Certificate)) && ((sslPolicyErrors | SslPolicyErrors.RemoteCertificateChainErrors) == SslPolicyErrors.RemoteCertificateChainErrors)); case TlsaRecord.TlsaCertificateUsage.DaneEE: return(ValidateCertificateByTlsa(tlsaRecord, certificate) && ((sslPolicyErrors | SslPolicyErrors.RemoteCertificateChainErrors) == SslPolicyErrors.RemoteCertificateChainErrors)); default: throw new NotSupportedException(); } }
private bool AcceptCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return(_settings.AcceptInvalidCertificates); }
// Token: 0x0600006F RID: 111 RVA: 0x00004E7A File Offset: 0x0000307A private static bool PinPublicKey(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return(certificate != null && certificate.GetPublicKeyString() == "046EECD33E469E9E1958D6BEEDE0A71843202724A5758BD1723F6C340C5E98EDE06FF5C21B35F359C65B850744729B3AA999B0B6392DA69EDB278EB31DBCE85774"); }
public static IList <X509Certificate2> GetCertificatesFromChain(X509Chain chainCert) => chainCert.ChainElements.Cast <X509ChainElement>().Select(element => element.Certificate).ToList();
private void LogVerifyErrors(X509Certificate2 cert, string testName) { // Emulate cert.Verify() implementation in order to capture and log errors. try { using (var chain = new X509Chain()) { if (!chain.Build(cert)) { foreach (X509ChainStatus chainStatus in chain.ChainStatus) { _log.WriteLine(string.Format($"X509Certificate2.Verify error: {testName}, {chainStatus.Status}, {chainStatus.StatusInformation}")); } } else { _log.WriteLine(string.Format($"X509Certificate2.Verify expected error; received none: {testName}")); } } } catch (Exception e) { _log.WriteLine($"X509Certificate2.Verify exception: {testName}, {e}"); } }
internal bool ServerCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return(Kubernetes.CertificateValidationCallBack(sender, this.CaCerts, certificate, chain, sslPolicyErrors)); }
/// <summary> /// Calls X509_STORE_CTX_init() /// </summary> /// <param name="store"></param> /// <param name="cert"></param> /// <param name="uchain"></param> public void Init(X509Store store, X509Certificate cert, X509Chain uchain) { Native.ExpectSuccess(Native.X509_STORE_CTX_init( this.ptr, store.Handle, cert != null ? cert.Handle : IntPtr.Zero, uchain.Handle)); }
//------------------------------------------------------------> /* * Validacion de un certificado (Creado por una Autoridad de certificación - AC) */ public static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return(true); //Temp. Validacion fija al usar un certificado autogenerado (Para entorno de depuracion/pruebas) if (sslPolicyErrors == SslPolicyErrors.None) { return(true); } Console.WriteLine("Certificate error: {0}" + sslPolicyErrors); return(false); }
internal int OnVerifyCertThunk(int ok, IntPtr store_ctx) { X509StoreContext ctx = new X509StoreContext(store_ctx, false); X509Certificate cert = ctx.CurrentCert; int depth = ctx.ErrorDepth; VerifyResult result = (VerifyResult)ctx.Error; // build the X509Chain from the store X509Store store = ctx.Store; Core.Stack<X509Object> objStack = store.Objects; X509Chain chain = new X509Chain(); foreach (X509Object obj in objStack) { X509Certificate objCert = obj.Certificate; if (objCert != null) { chain.Add(objCert); } } // Call the managed delegate if (OnVerifyCert(this, cert, chain, depth, result)) { return 1; } else { return 0; } }
/// <summary> /// 回调验证证书问题 /// </summary> /// <param name="sender">流对象</param> /// <param name="certificate">证书</param> /// <param name="chain">X509Chain</param> /// <param name="errors">SslPolicyErrors</param> /// <returns>bool</returns> public bool CheckValidationResult(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors) { return(true); }
public static void BuildChain_WithCertificatePolicy_Match() { using (var cert = new X509Certificate2(TestData.CertWithPolicies)) using (X509Chain chain = new X509Chain()) { // Code Signing chain.ChainPolicy.CertificatePolicy.Add(new Oid("2.18.19")); chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority; chain.ChainPolicy.VerificationTime = cert.NotBefore.AddHours(2); chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; bool valid = chain.Build(cert); Assert.True(valid, "Chain built validly"); } }
private static bool CheckValidationResult(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors) { if (errors == SslPolicyErrors.None) { return(true); } return(false); }
public static void VerifyExpiration_LocalTime(DateTime verificationTime, bool shouldBeValid, DateTimeKind kind) { using (var microsoftDotCom = new X509Certificate2(TestData.MicrosoftDotComSslCertBytes)) using (var microsoftDotComIssuer = new X509Certificate2(TestData.MicrosoftDotComIssuerBytes)) using (var microsoftDotComRoot = new X509Certificate2(TestData.MicrosoftDotComRootBytes)) { X509Chain chain = new X509Chain(); chain.ChainPolicy.ExtraStore.Add(microsoftDotComIssuer); chain.ChainPolicy.ExtraStore.Add(microsoftDotComRoot); // Ignore anything except NotTimeValid chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags & ~X509VerificationFlags.IgnoreNotTimeValid; chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; chain.ChainPolicy.VerificationTime = verificationTime; bool builtSuccessfully = chain.Build(microsoftDotCom); Assert.Equal(shouldBeValid, builtSuccessfully); // If we failed to build the chain, ensure that NotTimeValid is one of the reasons. if (!shouldBeValid) { Assert.Contains(chain.ChainStatus, s => s.Status == X509ChainStatusFlags.NotTimeValid); } } }
/// <summary> /// Validates the SSL server certificate. /// </summary> /// <param name="sender">An object that contains state information for this /// validation.</param> /// <param name="cert">The certificate used to authenticate the remote party.</param> /// <param name="chain">The chain of certificate authorities associated with the /// remote certificate.</param> /// <param name="sslPolicyErrors">One or more errors associated with the remote /// certificate.</param> /// <returns>Returns a boolean value that determines whether the specified /// certificate is accepted for authentication; true to accept or false to /// reject.</returns> public override bool ValidateServerCertficate( object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors sslPolicyErrors) { if (sslPolicyErrors == SslPolicyErrors.None) { // Good certificate. return(true); } string msg = string.Format(P4VS.Resources.SSLCertificateHandler_SSLCertificateError, sslPolicyErrors); P4VS.P4VsOutputWindow.AppendMessage(msg); P4VS.FileLogger.LogMessage(3, "SwarmAPI", msg); string certHash = cert.GetCertHashString(); if (certHash == CertHash) { // same certificate we looked at before if (ExceptionApproved == true) { // Already approved return(true); } if (ExceptionRejected == true) { //Already rejected return(false); } } if ((!ExceptionRejected) && ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) == 0)) { // likely a self signed certificate. string serverName = ServerUrl; int slashIdx = ServerUrl.LastIndexOf('/'); if (slashIdx > 0) { serverName = ServerUrl.Substring(slashIdx + 1); } string key = string.Format("SSlCertificateException_{0}", serverName.Replace(':', '_')); CertHash = P4VS.Preferences.LocalSettings.GetString(key, null); if ((CertHash == null) || (certHash != CertHash)) { // haven't seen one for this URL or it's a different certificate SSLCertificateErrorDlg dlg = new SSLCertificateErrorDlg(); dlg.CertificateText = cert.ToString(true); List <string> certErrors = new List <string>(); if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0) { certErrors.Add(Resources.P4ScmProvider_RemoteCertificateNameMismatch); } if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0) { foreach (X509ChainStatus err in chain.ChainStatus) { certErrors.Add(err.StatusInformation); } } dlg.CertificateErrors = certErrors; if (System.Windows.Forms.DialogResult.Yes == dlg.ShowDialog()) { // add the exeption P4VS.Preferences.LocalSettings[key] = certHash; ExceptionApproved = true; return(true); } ExceptionRejected = true; return(false); } ExceptionApproved = true; return(true); } // Return true => allow unauthenticated server, // false => disallow unauthenticated server. return(false); }
/// <summary> /// Verifies the server certificate by calling into ServicePointManager.ServerCertificateValidationCallback or, /// if the is no delegate attached to it by using the default hostname verifier. /// </summary> /// <returns><c>true</c>, if server certificate was verifyed, <c>false</c> otherwise.</returns> /// <param name="hostname"></param> /// <param name="session"></param> static bool verifyServerCertificate(string hostname, ISSLSession session) { var defaultVerifier = HttpsURLConnection.DefaultHostnameVerifier; if (ServicePointManager.ServerCertificateValidationCallback == null) { return(defaultVerifier.Verify(hostname, session)); } // Convert java certificates to .NET certificates and build cert chain from root certificate var certificates = session.GetPeerCertificateChain(); var chain = new X509Chain(); X509Certificate2 root = null; var errors = System.Net.Security.SslPolicyErrors.None; // Build certificate chain and check for errors if (certificates == null || certificates.Length == 0) //no cert at all { errors = System.Net.Security.SslPolicyErrors.RemoteCertificateNotAvailable; goto bail; } if (certificates.Length == 1) //no root? { errors = System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors; goto bail; } var netCerts = certificates.Select(x => new X509Certificate2(x.GetEncoded())).ToArray(); for (int i = 1; i < netCerts.Length; i++) { chain.ChainPolicy.ExtraStore.Add(netCerts[i]); } root = netCerts[0]; chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain; chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 1, 0); chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority; if (!chain.Build(root)) { errors = System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors; goto bail; } var subject = root.Subject; var subjectCn = cnRegex.Match(subject).Groups[1].Value; if (String.IsNullOrWhiteSpace(subjectCn) || !Utility.MatchHostnameToPattern(hostname, subjectCn)) { errors = System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch; goto bail; } bail: // Call the delegate to validate return(ServicePointManager.ServerCertificateValidationCallback(hostname, root, chain, errors)); }
public static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return(true); }
public static void X509CertStoreChain() { X509Store store = new X509Store("My", StoreLocation.LocalMachine); store.Open(OpenFlags.ReadOnly); // can't guarantee there is a certificate in store if (store.Certificates.Count > 0) { X509Chain chain = new X509Chain(); Assert.NotNull(chain.SafeHandle); Assert.Same(chain.SafeHandle, chain.SafeHandle); Assert.True(chain.SafeHandle.IsInvalid); foreach (X509Certificate2 c in store.Certificates) { // can't guarantee success, so no Assert if (chain.Build(c)) { foreach (X509ChainElement k in chain.ChainElements) { Assert.NotNull(k.Certificate.IssuerName.Name); } } } } }
public static bool Validator( object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors policyErrors) { Debug.Log("Validation successful!"); return true; }
private bool ShouldByPassValidationError(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { var request = sender as HttpWebRequest; if (request == null) { return(true); } var cert2 = certificate as X509Certificate2; if (cert2 != null && request != null && cert2.SignatureAlgorithm.FriendlyName == "md5RSA") { _logger.Error("https://{0} uses the obsolete md5 hash in it's https certificate, if that is your certificate, please (re)create certificate with better algorithm as soon as possible.", request.RequestUri.Authority); } if (sslPolicyErrors == SslPolicyErrors.None) { return(true); } if (request.RequestUri.Host == "localhost" || request.RequestUri.Host == "127.0.0.1") { return(true); } var ipAddresses = GetIPAddresses(request.RequestUri.Host); var certificateValidation = _configService.CertificateValidation; if (certificateValidation == CertificateValidationType.Disabled) { return(true); } if (certificateValidation == CertificateValidationType.DisabledForLocalAddresses && ipAddresses.All(i => i.IsLocalAddress())) { return(true); } _logger.Error("Certificate validation for {0} failed. {1}", request.Address, sslPolicyErrors); return(false); }
public static bool Validator( object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors policyErrors ) { // Just accept and move on... return true; }