private IDictionary ExtendUnsignedAttributes(IDictionary unsignedAttrs, X509Certificate signingCertificate, DateTime signingDate, ICertificateSource optionalCertificateSource)
{
var validationContext = CertificateVerifier.ValidateCertificate(signingCertificate, signingDate, optionalCertificateSource, null, null);
List <X509CertificateStructure> certificateValues = new List <X509CertificateStructure>();
List <CertificateList> crlValues = new List <CertificateList>();
List <BasicOcspResponse> ocspValues = new List <BasicOcspResponse>();
foreach (CertificateAndContext c in validationContext.NeededCertificates)
{
if (!c.Equals(signingCertificate))
{
certificateValues.Add(X509CertificateStructure.GetInstance(((Asn1Sequence)Asn1Object.FromByteArray(c.Certificate.GetEncoded()))));
}
}
foreach (X509Crl relatedcrl in validationContext.NeededCRL)
{
crlValues.Add(CertificateList.GetInstance((Asn1Sequence)Asn1Object.FromByteArray(relatedcrl.GetEncoded())));
}
foreach (BasicOcspResp relatedocspresp in validationContext.NeededOCSPResp)
{
ocspValues.Add((BasicOcspResponse.GetInstance((Asn1Sequence)Asn1Object.FromByteArray(relatedocspresp.GetEncoded()))));
}
RevocationValues revocationValues = new RevocationValues(crlValues.ToArray(), ocspValues.ToArray(), null);
unsignedAttrs.Add(PkcsObjectIdentifiers.IdAAEtsRevocationValues, new BcCms.Attribute(PkcsObjectIdentifiers.IdAAEtsRevocationValues, new DerSet(revocationValues)));
unsignedAttrs.Add(PkcsObjectIdentifiers.IdAAEtsCertValues, new BcCms.Attribute(PkcsObjectIdentifiers.IdAAEtsCertValues, new DerSet(new DerSequence(certificateValues.ToArray()))));
return(unsignedAttrs);
}
private GitSsl(Func <SystemCertificateStore> createCertificateStore, CertificateVerifier certificateVerifier, PhysicalFileSystem fileSystem)
{
this.fileSystem = fileSystem ?? new PhysicalFileSystem();
this.createCertificateStore = createCertificateStore ?? (() => new SystemCertificateStore());
this.certificateVerifier = certificateVerifier ?? new CertificateVerifier();
this.certificatePathOrSubjectCommonName = null;
this.isCertificatePasswordProtected = false;
// True by default, both to have good default security settings and to match git behavior.
// https://git-scm.com/docs/git-config#git-config-httpsslVerify
this.ShouldVerify = true;
}
public GitSsl(
IDictionary <string, GitConfigSetting> configSettings,
Func <SystemCertificateStore> createCertificateStore = null,
CertificateVerifier certificateVerifier = null,
PhysicalFileSystem fileSystem = null) : this(createCertificateStore, certificateVerifier, fileSystem)
{
if (configSettings != null)
{
if (configSettings.TryGetValue(GitConfigSetting.HttpSslCert, out GitConfigSetting sslCerts))
{
this.certificatePathOrSubjectCommonName = sslCerts.Values.Last();
}
this.isCertificatePasswordProtected = SetBoolSettingOrThrow(configSettings, GitConfigSetting.HttpSslCertPasswordProtected, this.isCertificatePasswordProtected);
this.ShouldVerify = SetBoolSettingOrThrow(configSettings, GitConfigSetting.HttpSslVerify, this.ShouldVerify);
}
}
internal void setCertificateVerifier(CertificateVerifier verifier)
{
_verifier = verifier;
}
public override void setCertificateVerifier(CertificateVerifier verifier)
{
instance_.setCertificateVerifier(verifier);
}
/// <summary> /// Establish the certificate verifier object. This must be /// done before any connections are established. /// </summary> /// <param name="verifier">The certificate verifier.</param> abstract public void setCertificateVerifier(CertificateVerifier verifier);
public override void setCertificateVerifier(CertificateVerifier verifier)
{
_engine.setCertificateVerifier(verifier);
}
internal void setCertificateVerifier(CertificateVerifier verifier)
{
_verifier = verifier;
}
internal void initialize()
{
if(_initialized)
{
return;
}
const string prefix = "IceSSL.";
Ice.Properties properties = communicator().getProperties();
//
// Check for a default directory. We look in this directory for
// files mentioned in the configuration.
//
_defaultDir = properties.getProperty(prefix + "DefaultDir");
string certStoreLocation = properties.getPropertyWithDefault(prefix + "CertStoreLocation", "CurrentUser");
StoreLocation storeLocation;
if(certStoreLocation == "CurrentUser")
{
storeLocation = StoreLocation.CurrentUser;
}
else if(certStoreLocation == "LocalMachine")
{
storeLocation = StoreLocation.LocalMachine;
}
else
{
_logger.warning("Invalid IceSSL.CertStoreLocation value `" + certStoreLocation +
"' adjusted to `CurrentUser'");
storeLocation = StoreLocation.CurrentUser;
}
_useMachineContext = certStoreLocation == "LocalMachine";
#if !UNITY
X509KeyStorageFlags keyStorageFlags;
if(_useMachineContext)
{
keyStorageFlags = X509KeyStorageFlags.MachineKeySet;
}
else
{
keyStorageFlags = X509KeyStorageFlags.UserKeySet;
}
string keySet = properties.getProperty(prefix + "KeySet"); // Deprecated property
if(keySet.Length > 0)
{
if(keySet.Equals("DefaultKeySet"))
{
keyStorageFlags = X509KeyStorageFlags.DefaultKeySet;
}
else if(keySet.Equals("UserKeySet"))
{
keyStorageFlags = X509KeyStorageFlags.UserKeySet;
}
else if(keySet.Equals("MachineKeySet"))
{
keyStorageFlags = X509KeyStorageFlags.MachineKeySet;
}
else
{
_logger.warning("Invalid IceSSL.KeySet value `" + keySet + "' adjusted to `DefaultKeySet'");
keyStorageFlags = X509KeyStorageFlags.DefaultKeySet;
}
}
if(properties.getPropertyAsIntWithDefault(prefix + "PersistKeySet", 0) > 0) // Deprecated property
{
keyStorageFlags |= X509KeyStorageFlags.PersistKeySet;
}
//
// Process IceSSL.ImportCert.* properties.
//
Dictionary<string, string> certs = properties.getPropertiesForPrefix(prefix + "ImportCert.");
foreach(KeyValuePair<string, string> entry in certs)
{
string name = entry.Key;
string val = entry.Value;
if(val.Length > 0)
{
importCertificate(name, val, keyStorageFlags);
}
}
#endif
//
// Protocols selects which protocols to enable, by default we only enable TLS1.0
// TLS1.1 and TLS1.2 to avoid security issues with SSLv3
//
_protocols = parseProtocols(
properties.getPropertyAsListWithDefault(prefix + "Protocols",
#if UNITY
new string[]{"TLS1_0"}));
#else
_tls12Support ? new string[]{"TLS1_0", "TLS1_1", "TLS1_2"} :
new string[]{"TLS1_0", "TLS1_1"}));
#endif
//
// CheckCertName determines whether we compare the name in a peer's
// certificate against its hostname.
//
_checkCertName = properties.getPropertyAsIntWithDefault(prefix + "CheckCertName", 0) > 0;
//
// VerifyDepthMax establishes the maximum length of a peer's certificate
// chain, including the peer's certificate. A value of 0 means there is
// no maximum.
//
_verifyDepthMax = properties.getPropertyAsIntWithDefault(prefix + "VerifyDepthMax", 3);
//
// CheckCRL determines whether the certificate revocation list is checked, and how strictly.
//
_checkCRL = properties.getPropertyAsIntWithDefault(prefix + "CheckCRL", 0);
#if !UNITY
//
// Check for a certificate verifier.
//
string certVerifierClass = properties.getProperty(prefix + "CertVerifier");
if(certVerifierClass.Length > 0)
{
if(_verifier != null)
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException();
e.reason = "IceSSL: certificate verifier already installed";
throw e;
}
Type cls = _facade.findType(certVerifierClass);
if(cls == null)
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException();
e.reason = "IceSSL: unable to load certificate verifier class " + certVerifierClass;
throw e;
}
try
{
_verifier = (CertificateVerifier)IceInternal.AssemblyUtil.createInstance(cls);
}
catch(Exception ex)
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException(ex);
e.reason = "IceSSL: unable to instantiate certificate verifier class " + certVerifierClass;
throw e;
}
if(_verifier == null)
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException();
e.reason = "IceSSL: unable to instantiate certificate verifier class " + certVerifierClass;
throw e;
}
}
//
// Check for a password callback.
//
string passwordCallbackClass = properties.getProperty(prefix + "PasswordCallback");
if(passwordCallbackClass.Length > 0)
{
if(_passwordCallback != null)
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException();
e.reason = "IceSSL: password callback already installed";
throw e;
}
Type cls = _facade.findType(passwordCallbackClass);
if(cls == null)
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException();
e.reason = "IceSSL: unable to load password callback class " + passwordCallbackClass;
throw e;
}
try
{
_passwordCallback = (PasswordCallback)IceInternal.AssemblyUtil.createInstance(cls);
}
catch(Exception ex)
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException(ex);
e.reason = "IceSSL: unable to load password callback class " + passwordCallbackClass;
throw e;
}
if(_passwordCallback == null)
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException();
e.reason = "IceSSL: unable to load password callback class " + passwordCallbackClass;
throw e;
}
}
//
// If the user hasn't supplied a certificate collection, we need to examine
// the property settings.
//
if(_certs == null)
{
//
// If IceSSL.CertFile is defined, load a certificate from a file and
// add it to the collection.
//
// TODO: tracing?
_certs = new X509Certificate2Collection();
string certFile = properties.getProperty(prefix + "CertFile");
string passwordStr = properties.getProperty(prefix + "Password");
string findCert = properties.getProperty(prefix + "FindCert");
const string findPrefix = prefix + "FindCert.";
Dictionary<string, string> findCertProps = properties.getPropertiesForPrefix(findPrefix);
if(certFile.Length > 0)
{
if(!checkPath(ref certFile))
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException();
e.reason = "IceSSL: certificate file not found: " + certFile;
throw e;
}
SecureString password = null;
if(passwordStr.Length > 0)
{
password = createSecureString(passwordStr);
}
else if(_passwordCallback != null)
{
password = _passwordCallback.getPassword(certFile);
}
try
{
X509Certificate2 cert;
X509KeyStorageFlags importFlags;
if(_useMachineContext)
{
importFlags = X509KeyStorageFlags.MachineKeySet;
}
else
{
importFlags = X509KeyStorageFlags.UserKeySet;
}
if(password != null)
{
cert = new X509Certificate2(certFile, password, importFlags);
}
else
{
cert = new X509Certificate2(certFile, "", importFlags);
}
_certs.Add(cert);
}
catch(CryptographicException ex)
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException(ex);
e.reason = "IceSSL: error while attempting to load certificate from " + certFile;
throw e;
}
}
else if(findCert.Length > 0)
{
string certStore = properties.getPropertyWithDefault("IceSSL.CertStore", "My");
_certs.AddRange(findCertificates("IceSSL.FindCert", storeLocation, certStore, findCert));
if(_certs.Count == 0)
{
throw new Ice.PluginInitializationException("IceSSL: no certificates found");
}
}
else if(findCertProps.Count > 0)
{
//
// If IceSSL.FindCert.* properties are defined, add the selected certificates
// to the collection.
//
foreach(KeyValuePair<string, string> entry in findCertProps)
{
string name = entry.Key;
string val = entry.Value;
if(val.Length > 0)
{
string storeSpec = name.Substring(findPrefix.Length);
StoreLocation storeLoc = 0;
StoreName storeName = 0;
string sname = null;
parseStore(name, storeSpec, ref storeLoc, ref storeName, ref sname);
if(sname == null)
{
sname = storeName.ToString();
}
X509Certificate2Collection coll = findCertificates(name, storeLoc, sname, val);
_certs.AddRange(coll);
}
}
if(_certs.Count == 0)
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException();
e.reason = "IceSSL: no certificates found";
throw e;
}
}
}
if(_caCerts == null)
{
string certAuthFile = properties.getProperty(prefix + "CAs");
if(certAuthFile.Length == 0)
{
certAuthFile = properties.getProperty(prefix + "CertAuthFile");
}
if(certAuthFile.Length > 0 || properties.getPropertyAsInt(prefix + "UsePlatformCAs") <= 0)
{
_caCerts = new X509Certificate2Collection();
}
if(certAuthFile.Length > 0)
{
if(!checkPath(ref certAuthFile))
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException();
e.reason = "IceSSL: CA certificate file not found: " + certAuthFile;
throw e;
}
try
{
using(System.IO.FileStream fs = System.IO.File.OpenRead(certAuthFile))
{
byte[] data = new byte[fs.Length];
fs.Read(data, 0, data.Length);
string strbuf = "";
try
{
strbuf = System.Text.Encoding.UTF8.GetString(data);
}
catch(Exception)
{
// Ignore
}
if(strbuf.Length == data.Length)
{
int size, startpos, endpos = 0;
bool first = true;
while(true)
{
startpos = strbuf.IndexOf("-----BEGIN CERTIFICATE-----", endpos);
if(startpos != -1)
{
endpos = strbuf.IndexOf("-----END CERTIFICATE-----", startpos);
size = endpos - startpos + "-----END CERTIFICATE-----".Length;
}
else if(first)
{
startpos = 0;
endpos = strbuf.Length;
size = strbuf.Length;
}
else
{
break;
}
byte[] cert = new byte[size];
System.Buffer.BlockCopy(data, startpos, cert, 0, size);
_caCerts.Import(cert);
first = false;
}
}
else
{
_caCerts.Import(data);
}
}
}
catch(Exception ex)
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException(ex);
e.reason = "IceSSL: error while attempting to load CA certificate from " + certAuthFile;
throw e;
}
}
}
#endif
_initialized = true;
}
/// <param name="certificateVerifier">the certificateVerifier to set</param>
public virtual void SetCertificateVerifier(CertificateVerifier certificateVerifier
)
{
this.certificateVerifier = certificateVerifier;
}
public MyVerifier(CertificateVerifier verifier) : base(verifier)
{
}
public override void setCertificateVerifier(CertificateVerifier verifier)
{
instance_.setCertificateVerifier(verifier);
}
public override void setCertificateVerifier(CertificateVerifier verifier)
{
_engine.setCertificateVerifier(verifier);
}
/// <summary> /// Establish the certificate verifier object. This must be /// done before any connections are established. /// </summary> /// <param name="verifier">The certificate verifier.</param> public abstract void setCertificateVerifier(CertificateVerifier verifier);
/// <param name="certificateVerifier">the certificateVerifier to set</param>
public virtual void SetCertificateVerifier(CertificateVerifier certificateVerifier
)
{
this.certificateVerifier = certificateVerifier;
}
internal void initialize()
{
if(_initialized)
{
return;
}
const string prefix = "IceSSL.";
Ice.Properties properties = communicator().getProperties();
//
// Check for a default directory. We look in this directory for
// files mentioned in the configuration.
//
_defaultDir = properties.getProperty(prefix + "DefaultDir");
//
// Process IceSSL.ImportCert.* properties.
//
Dictionary<string, string> certs = properties.getPropertiesForPrefix(prefix + "ImportCert.");
foreach(KeyValuePair<string, string> entry in certs)
{
string name = entry.Key;
string val = entry.Value;
if(val.Length > 0)
{
importCertificate(name, val);
}
}
//
// Select protocols.
//
_protocols = parseProtocols(prefix + "Protocols");
//
// CheckCertName determines whether we compare the name in a peer's
// certificate against its hostname.
//
_checkCertName = properties.getPropertyAsIntWithDefault(prefix + "CheckCertName", 0) > 0;
//
// VerifyDepthMax establishes the maximum length of a peer's certificate
// chain, including the peer's certificate. A value of 0 means there is
// no maximum.
//
_verifyDepthMax = properties.getPropertyAsIntWithDefault(prefix + "VerifyDepthMax", 2);
//
// CheckCRL determines whether the certificate revocation list is checked, and how strictly.
//
_checkCRL = properties.getPropertyAsIntWithDefault(prefix + "CheckCRL", 0);
//
// Check for a certificate verifier.
//
string certVerifierClass = properties.getProperty(prefix + "CertVerifier");
if(certVerifierClass.Length > 0)
{
if(_verifier != null)
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException();
e.reason = "IceSSL: certificate verifier already installed";
throw e;
}
Type cls = _facade.findType(certVerifierClass);
if(cls == null)
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException();
e.reason = "IceSSL: unable to load certificate verifier class " + certVerifierClass;
throw e;
}
try
{
_verifier = (CertificateVerifier)IceInternal.AssemblyUtil.createInstance(cls);
}
catch(Exception ex)
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException(ex);
e.reason = "IceSSL: unable to instantiate certificate verifier class " + certVerifierClass;
throw e;
}
if(_verifier == null)
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException();
e.reason = "IceSSL: unable to instantiate certificate verifier class " + certVerifierClass;
throw e;
}
}
//
// Check for a password callback.
//
string passwordCallbackClass = properties.getProperty(prefix + "PasswordCallback");
if(passwordCallbackClass.Length > 0)
{
if(_passwordCallback != null)
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException();
e.reason = "IceSSL: password callback already installed";
throw e;
}
Type cls = _facade.findType(passwordCallbackClass);
if(cls == null)
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException();
e.reason = "IceSSL: unable to load password callback class " + passwordCallbackClass;
throw e;
}
try
{
_passwordCallback = (PasswordCallback)IceInternal.AssemblyUtil.createInstance(cls);
}
catch(Exception ex)
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException(ex);
e.reason = "IceSSL: unable to load password callback class " + passwordCallbackClass;
throw e;
}
if(_passwordCallback == null)
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException();
e.reason = "IceSSL: unable to load password callback class " + passwordCallbackClass;
throw e;
}
}
//
// If the user hasn't supplied a certificate collection, we need to examine
// the property settings.
//
if(_certs == null)
{
//
// If IceSSL.CertFile is defined, load a certificate from a file and
// add it to the collection.
//
// TODO: tracing?
_certs = new X509Certificate2Collection();
string certFile = properties.getProperty(prefix + "CertFile");
string passwordStr = properties.getProperty(prefix + "Password");
if(certFile.Length > 0)
{
if(!checkPath(ref certFile))
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException();
e.reason = "IceSSL: certificate file not found: " + certFile;
throw e;
}
SecureString password = null;
if(passwordStr.Length > 0)
{
password = createSecureString(passwordStr);
}
else if(_passwordCallback != null)
{
password = _passwordCallback.getPassword(certFile);
}
try
{
X509Certificate2 cert;
if(password != null)
{
cert = new X509Certificate2(certFile, password);
}
else
{
cert = new X509Certificate2(certFile);
}
_certs.Add(cert);
}
catch(CryptographicException ex)
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException(ex);
e.reason = "IceSSL: error while attempting to load certificate from " + certFile;
throw e;
}
}
//
// If IceSSL.FindCert.* properties are defined, add the selected certificates
// to the collection.
//
// TODO: tracing?
const string findPrefix = prefix + "FindCert.";
Dictionary<string, string> certProps = properties.getPropertiesForPrefix(findPrefix);
if(certProps.Count > 0)
{
foreach(KeyValuePair<string, string> entry in certProps)
{
string name = entry.Key;
string val = entry.Value;
if(val.Length > 0)
{
string storeSpec = name.Substring(findPrefix.Length);
X509Certificate2Collection coll = findCertificates(name, storeSpec, val);
_certs.AddRange(coll);
}
}
if(_certs.Count == 0)
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException();
e.reason = "IceSSL: no certificates found";
throw e;
}
}
}
_initialized = true;
}
