private static bool ValidateServerCertificateChain(object sender, X509Certificate pfxFormattedCertificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == SslPolicyErrors.None)
{
return(true);
}
System.Console.WriteLine("Certificate error: {0}", sslPolicyErrors);
var serverCert = _spineConfiguration.server_ca_certchain;
var serverCertData = CertificateHelper.ExtractCertInstances(serverCert);
var x509ServerCertificateSubCa = new X509Certificate2(serverCertData[0]);
var x509ServerCertificateRootCa = new X509Certificate2(serverCertData[1]);
chain.Reset();
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreRootRevocationUnknown;
chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
chain.ChainPolicy.ExtraStore.Add(x509ServerCertificateSubCa);
chain.ChainPolicy.ExtraStore.Add(x509ServerCertificateRootCa);
//if (chain.Build(pfxFormattedCertificate)) return true;
if (chain.ChainStatus.Where(chainStatus => chainStatus.Status != X509ChainStatusFlags.NoError).All(chainStatus => chainStatus.Status != X509ChainStatusFlags.UntrustedRoot))
{
return(false);
}
var providedRoot = chain.ChainElements[^ 1];
private HttpMessageHandler CreateHttpMessageHandler(IWebHostEnvironment env)
{
var httpClientHandler = new HttpClientHandler();
if (_spineConfig.UseSSP)
{
httpClientHandler.SslProtocols = SslProtocols.Tls13 | SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
var clientCertData = CertificateHelper.ExtractCertInstances(_spineConfig.ClientCert);
var clientPrivateKeyData = CertificateHelper.ExtractKeyInstance(_spineConfig.ClientPrivateKey);
var x509ClientCertificate = new X509Certificate2(clientCertData.FirstOrDefault());
var privateKey = RSA.Create();
privateKey.ImportRSAPrivateKey(clientPrivateKeyData, out _);
var x509CertificateWithPrivateKey = x509ClientCertificate.CopyWithPrivateKey(privateKey);
var pfxFormattedCertificate = new X509Certificate2(x509CertificateWithPrivateKey.Export(X509ContentType.Pfx, string.Empty), string.Empty);
var serverCertData = CertificateHelper.ExtractCertInstances(_spineConfig.ServerCACertChain);
var x509ServerCertificateSubCa = new X509Certificate2(serverCertData[0]);
var x509ServerCertificateRootCa = new X509Certificate2(serverCertData[1]);
httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => ValidateServerCertificateChain(chain, x509ServerCertificateSubCa, x509ServerCertificateRootCa, pfxFormattedCertificate);
httpClientHandler.ClientCertificates.Add(pfxFormattedCertificate);
httpClientHandler.ClientCertificateOptions = ClientCertificateOption.Manual;
return(httpClientHandler);
}
return(httpClientHandler);
}
private static HttpMessageHandler CreateHttpMessageHandler(IConfiguration configuration, IWebHostEnvironment env)
{
var clientCert = configuration.GetSection("spine:client_cert").GetConfigurationString();
var serverCert = configuration.GetSection("spine:server_ca_certchain").GetConfigurationString();
var clientPrivateKey = configuration.GetSection("spine:client_private_key").GetConfigurationString();
var httpClientHandler = new HttpClientHandler();
if (bool.Parse(configuration.GetSection("spine:use_ssp").GetConfigurationString("false")) &&
!string.IsNullOrEmpty(clientCert) && !string.IsNullOrEmpty(clientPrivateKey) &&
!string.IsNullOrEmpty(configuration.GetSection("spine:nhsMHSEndPoint").GetConfigurationString()))
{
httpClientHandler.SslProtocols = SslProtocols.Tls13 | SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
var clientCertData = CertificateHelper.ExtractCertInstances(clientCert);
var clientPrivateKeyData = CertificateHelper.ExtractKeyInstance(clientPrivateKey);
var x509ClientCertificate = new X509Certificate2(clientCertData.FirstOrDefault());
var privateKey = RSA.Create();
privateKey.ImportRSAPrivateKey(clientPrivateKeyData, out _);
var x509CertificateWithPrivateKey = x509ClientCertificate.CopyWithPrivateKey(privateKey);
var pfxFormattedCertificate = new X509Certificate2(x509CertificateWithPrivateKey.Export(X509ContentType.Pfx, string.Empty), string.Empty);
var serverCertData = CertificateHelper.ExtractCertInstances(serverCert);
var x509ServerCertificateSubCa = new X509Certificate2(serverCertData[0]);
var x509ServerCertificateRootCa = new X509Certificate2(serverCertData[1]);
httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => ValidateServerCertificateChain(chain, x509ServerCertificateSubCa, x509ServerCertificateRootCa, pfxFormattedCertificate);
httpClientHandler.ClientCertificates.Add(pfxFormattedCertificate);
httpClientHandler.ClientCertificateOptions = ClientCertificateOption.Manual;
return(httpClientHandler);
}
return(httpClientHandler);
}
private static void RunLdapQueries(int numberOfGoes)
{
string[] odsCodes = { "A20047", "X26", "J82132", "B82619", "B82617", "B82614", "J82132", "RR8" };
var query = _ldapQueries.FirstOrDefault(x => x.query_name == "GetOrganisationDetailsByOdsCode");
for (var i = 0; i < numberOfGoes; i++)
{
for (var j = 0; j < odsCodes.Length; j++)
{
var filter = query.query_text.Replace("{odsCode}", odsCodes[j]);
var results = new Dictionary <string, object>();
using (LdapConnection ldapConnection = new LdapConnection())
{
ldapConnection.SecureSocketLayer = _spineConfiguration.sds_use_ldaps;
ldapConnection.ConnectionTimeout = _spineConfiguration.timeout_seconds * 1000;
if (_spineConfiguration.sds_use_mutualauth)
{
System.Console.WriteLine("Using Mutual Auth");
var clientCertData = CertificateHelper.ExtractCertInstances(_spineConfiguration.client_cert);
var clientPrivateKeyData = CertificateHelper.ExtractKeyInstance(_spineConfiguration.client_private_key);
var x509ClientCertificate = new X509Certificate2(clientCertData.FirstOrDefault());
var privateKey = RSA.Create();
privateKey.ImportRSAPrivateKey(clientPrivateKeyData, out _);
var x509CertificateWithPrivateKey = x509ClientCertificate.CopyWithPrivateKey(privateKey);
var pfxFormattedCertificate = new X509Certificate2(x509CertificateWithPrivateKey.Export(X509ContentType.Pfx, string.Empty), string.Empty);
_clientCertificate = pfxFormattedCertificate;
ldapConnection.UserDefinedServerCertValidationDelegate += ValidateServerCertificateChain;
ldapConnection.UserDefinedClientCertSelectionDelegate += SelectLocalCertificate;
}
ldapConnection.Connect(_spineConfiguration.sds_hostname, _spineConfiguration.sds_port);
var searchResults = ldapConnection.Search(query.search_base, LdapConnection.ScopeSub, filter, null, false);
while (searchResults.HasMore())
{
var nextEntry = searchResults.Next();
var attributeSet = nextEntry.GetAttributeSet();
foreach (var attribute in attributeSet)
{
results.TryAdd(attribute.Name, attribute.StringValue);
}
}
}
System.Console.WriteLine($"For query {filter} - iteration {i + 1}, result count is {results.Count}");
}
}
}
protected void SetupMutualAuth()
{
if (_spineOptionsDelegate.CurrentValue.SdsUseMutualAuth)
{
var clientCertData = CertificateHelper.ExtractCertInstances(_spineOptionsDelegate.CurrentValue.ClientCert);
var clientPrivateKeyData = CertificateHelper.ExtractKeyInstance(_spineOptionsDelegate.CurrentValue.ClientPrivateKey);
var x509ClientCertificate = new X509Certificate2(clientCertData.FirstOrDefault());
var privateKey = RSA.Create();
privateKey.ImportRSAPrivateKey(clientPrivateKeyData, out _);
var x509CertificateWithPrivateKey = x509ClientCertificate.CopyWithPrivateKey(privateKey);
var pfxFormattedCertificate = new X509Certificate(x509CertificateWithPrivateKey.Export(X509ContentType.Pfx, string.Empty), string.Empty);
_clientCertificate = pfxFormattedCertificate;
}
}
private static T RunLdapQuery <T>(string odsCode, string queryName, string partyKey = "") where T : class
{
var query = _ldapQueries.FirstOrDefault(x => x.query_name == queryName);
T result = null;
using (var ldapConnection = new LdapConnection
{
SecureSocketLayer = _spineConfiguration.SdsUseLdaps,
ConnectionTimeout = _spineConfiguration.TimeoutMilliseconds
})
{
if (_spineConfiguration.SdsUseMutualAuth)
{
System.Console.WriteLine("Using Mutual Auth");
var clientCertData = CertificateHelper.ExtractCertInstances(_spineConfiguration.ClientCert);
var clientPrivateKeyData = CertificateHelper.ExtractKeyInstance(_spineConfiguration.ClientPrivateKey);
var x509ClientCertificate = new X509Certificate2(clientCertData.FirstOrDefault());
var privateKey = RSA.Create();
privateKey.ImportRSAPrivateKey(clientPrivateKeyData, out _);
var x509CertificateWithPrivateKey = x509ClientCertificate.CopyWithPrivateKey(privateKey);
var pfxFormattedCertificate = new X509Certificate2(x509CertificateWithPrivateKey.Export(X509ContentType.Pfx, string.Empty), string.Empty);
_clientCertificate = pfxFormattedCertificate;
//ldapConnection.UserDefinedServerCertValidationDelegate += ValidateServerCertificateChain;
//ldapConnection.UserDefinedClientCertSelectionDelegate += SelectLocalCertificate;
}
ldapConnection.Connect(_spineConfiguration.SdsHostname, _spineConfiguration.SdsPort);
ldapConnection.Bind(string.Empty, string.Empty);
var searchResults = RunSearch(ldapConnection, query, odsCode, partyKey);
var jsonDictionary = JsonConvert.SerializeObject(searchResults);
if (searchResults.Count > 0)
{
result = JsonConvert.DeserializeObject <T>(jsonDictionary);
}
ldapConnection.Disconnect();
ldapConnection.Dispose();
}
return(result);
}
public T ExecuteLdapQuery <T>(string searchBase, string filter, string[] attributes) where T : class
{
try
{
var sw = new Stopwatch();
T result = null;
sw.Start();
var logMessage = new SpineMessage
{
RequestPayload = $"{searchBase} {filter} [{string.Join(",", attributes)}]",
SpineMessageTypeId = (int)GPConnect.Constants.SpineMessageTypes.SpineLdapQuery
};
var results = new Dictionary <string, object>();
var useLdaps = bool.Parse(_configuration.GetSection("Spine:sds_use_ldaps").Value);
var useSdsMutualAuth = bool.Parse(_configuration.GetSection("Spine:sds_use_mutualauth").Value);
Novell.Directory.Ldap.LdapConnectionOptions ldapConnectionOptions = new LdapConnectionOptions();
if (useLdaps)
{
SslProtocols sslProtocol = ParseTlsVersion(_configuration.GetSection("Spine:sds_tls_version").Value);
ldapConnectionOptions.ConfigureSslProtocols(SslProtocols.Tls12);
ldapConnectionOptions.UseSsl();
ldapConnectionOptions.ConfigureLocalCertificateSelectionCallback(SelectLocalCertificate);
ldapConnectionOptions.ConfigureRemoteCertificateValidationCallback(ValidateServerCertificate);
}
using (var ldapConnection = new LdapConnection(ldapConnectionOptions)
{
ConnectionTimeout = int.Parse(_configuration.GetSection("Spine:timeout_seconds").Value) * 1000
})
{
if (useSdsMutualAuth)
{
var clientCert = _configuration.GetSection("spine:client_cert").GetConfigurationString();
var serverCert = _configuration.GetSection("spine:server_ca_certchain").GetConfigurationString();
var clientPrivateKey = _configuration.GetSection("spine:client_private_key").GetConfigurationString();
var clientCertData = CertificateHelper.ExtractCertInstances(clientCert);
var clientPrivateKeyData = CertificateHelper.ExtractKeyInstance(clientPrivateKey);
var x509ClientCertificate = new X509Certificate2(clientCertData.FirstOrDefault());
var privateKey = RSA.Create();
privateKey.ImportRSAPrivateKey(clientPrivateKeyData, out _);
var x509CertificateWithPrivateKey = x509ClientCertificate.CopyWithPrivateKey(privateKey);
var pfxFormattedCertificate = new X509Certificate(x509CertificateWithPrivateKey.Export(X509ContentType.Pfx, string.Empty), string.Empty);
_clientCertificate = pfxFormattedCertificate;
}
var hostName = _configuration.GetSection("Spine:sds_hostname").Value;
var hostPort = int.Parse(_configuration.GetSection("Spine:sds_port").Value);
ldapConnection.Connect(hostName, hostPort);
ldapConnection.Bind(string.Empty, string.Empty);
LogTlsVersionOnStartup(ldapConnection);
var searchResults = ldapConnection.Search(searchBase, LdapConnection.ScopeSub, filter, attributes, false);
while (searchResults.HasMore())
{
var nextEntry = searchResults.Next();
var attributeSet = nextEntry.GetAttributeSet();
foreach (var attribute in attributeSet)
{
results.TryAdd(attribute.Name, attribute.StringValue);
}
}
ldapConnection.Disconnect();
ldapConnection.Dispose();
}
var jsonDictionary = JsonConvert.SerializeObject(results);
if (results.Count > 0)
{
result = JsonConvert.DeserializeObject <T>(jsonDictionary);
}
logMessage.ResponsePayload = jsonDictionary;
logMessage.RoundTripTimeMs = sw.ElapsedMilliseconds;
_logService.AddSpineMessageLog(logMessage);
return(result);
}
catch (LdapException ldapException)
{
_logger.LogError(ldapException, "An LdapException has occurred while attempting to execute an LDAP query");
throw;
}
catch (Exception exc)
{
_logger.LogError(exc, "An Exception has occurred while attempting to execute an LDAP query");
throw;
}
}
