private IDictionary ExtendUnsignedAttributes(IDictionary unsignedAttrs, X509Certificate signingCertificate, DateTime signingDate, ICertificateSource optionalCertificateSource) { var validationContext = CertificateVerifier.ValidateCertificate(signingCertificate, signingDate, optionalCertificateSource, null, null); List <X509CertificateStructure> certificateValues = new List <X509CertificateStructure>(); List <CertificateList> crlValues = new List <CertificateList>(); List <BasicOcspResponse> ocspValues = new List <BasicOcspResponse>(); foreach (CertificateAndContext c in validationContext.NeededCertificates) { if (!c.Equals(signingCertificate)) { certificateValues.Add(X509CertificateStructure.GetInstance(((Asn1Sequence)Asn1Object.FromByteArray(c.Certificate.GetEncoded())))); } } foreach (X509Crl relatedcrl in validationContext.NeededCRL) { crlValues.Add(CertificateList.GetInstance((Asn1Sequence)Asn1Object.FromByteArray(relatedcrl.GetEncoded()))); } foreach (BasicOcspResp relatedocspresp in validationContext.NeededOCSPResp) { ocspValues.Add((BasicOcspResponse.GetInstance((Asn1Sequence)Asn1Object.FromByteArray(relatedocspresp.GetEncoded())))); } RevocationValues revocationValues = new RevocationValues(crlValues.ToArray(), ocspValues.ToArray(), null); unsignedAttrs.Add(PkcsObjectIdentifiers.IdAAEtsRevocationValues, new BcCms.Attribute(PkcsObjectIdentifiers.IdAAEtsRevocationValues, new DerSet(revocationValues))); unsignedAttrs.Add(PkcsObjectIdentifiers.IdAAEtsCertValues, new BcCms.Attribute(PkcsObjectIdentifiers.IdAAEtsCertValues, new DerSet(new DerSequence(certificateValues.ToArray())))); return(unsignedAttrs); }
private GitSsl(Func <SystemCertificateStore> createCertificateStore, CertificateVerifier certificateVerifier, PhysicalFileSystem fileSystem) { this.fileSystem = fileSystem ?? new PhysicalFileSystem(); this.createCertificateStore = createCertificateStore ?? (() => new SystemCertificateStore()); this.certificateVerifier = certificateVerifier ?? new CertificateVerifier(); this.certificatePathOrSubjectCommonName = null; this.isCertificatePasswordProtected = false; // True by default, both to have good default security settings and to match git behavior. // https://git-scm.com/docs/git-config#git-config-httpsslVerify this.ShouldVerify = true; }
public GitSsl( IDictionary <string, GitConfigSetting> configSettings, Func <SystemCertificateStore> createCertificateStore = null, CertificateVerifier certificateVerifier = null, PhysicalFileSystem fileSystem = null) : this(createCertificateStore, certificateVerifier, fileSystem) { if (configSettings != null) { if (configSettings.TryGetValue(GitConfigSetting.HttpSslCert, out GitConfigSetting sslCerts)) { this.certificatePathOrSubjectCommonName = sslCerts.Values.Last(); } this.isCertificatePasswordProtected = SetBoolSettingOrThrow(configSettings, GitConfigSetting.HttpSslCertPasswordProtected, this.isCertificatePasswordProtected); this.ShouldVerify = SetBoolSettingOrThrow(configSettings, GitConfigSetting.HttpSslVerify, this.ShouldVerify); } }
internal void setCertificateVerifier(CertificateVerifier verifier) { _verifier = verifier; }
public override void setCertificateVerifier(CertificateVerifier verifier) { instance_.setCertificateVerifier(verifier); }
/// <summary> /// Establish the certificate verifier object. This must be /// done before any connections are established. /// </summary> /// <param name="verifier">The certificate verifier.</param> abstract public void setCertificateVerifier(CertificateVerifier verifier);
public override void setCertificateVerifier(CertificateVerifier verifier) { _engine.setCertificateVerifier(verifier); }
internal void initialize() { if(_initialized) { return; } const string prefix = "IceSSL."; Ice.Properties properties = communicator().getProperties(); // // Check for a default directory. We look in this directory for // files mentioned in the configuration. // _defaultDir = properties.getProperty(prefix + "DefaultDir"); string certStoreLocation = properties.getPropertyWithDefault(prefix + "CertStoreLocation", "CurrentUser"); StoreLocation storeLocation; if(certStoreLocation == "CurrentUser") { storeLocation = StoreLocation.CurrentUser; } else if(certStoreLocation == "LocalMachine") { storeLocation = StoreLocation.LocalMachine; } else { _logger.warning("Invalid IceSSL.CertStoreLocation value `" + certStoreLocation + "' adjusted to `CurrentUser'"); storeLocation = StoreLocation.CurrentUser; } _useMachineContext = certStoreLocation == "LocalMachine"; #if !UNITY X509KeyStorageFlags keyStorageFlags; if(_useMachineContext) { keyStorageFlags = X509KeyStorageFlags.MachineKeySet; } else { keyStorageFlags = X509KeyStorageFlags.UserKeySet; } string keySet = properties.getProperty(prefix + "KeySet"); // Deprecated property if(keySet.Length > 0) { if(keySet.Equals("DefaultKeySet")) { keyStorageFlags = X509KeyStorageFlags.DefaultKeySet; } else if(keySet.Equals("UserKeySet")) { keyStorageFlags = X509KeyStorageFlags.UserKeySet; } else if(keySet.Equals("MachineKeySet")) { keyStorageFlags = X509KeyStorageFlags.MachineKeySet; } else { _logger.warning("Invalid IceSSL.KeySet value `" + keySet + "' adjusted to `DefaultKeySet'"); keyStorageFlags = X509KeyStorageFlags.DefaultKeySet; } } if(properties.getPropertyAsIntWithDefault(prefix + "PersistKeySet", 0) > 0) // Deprecated property { keyStorageFlags |= X509KeyStorageFlags.PersistKeySet; } // // Process IceSSL.ImportCert.* properties. // Dictionary<string, string> certs = properties.getPropertiesForPrefix(prefix + "ImportCert."); foreach(KeyValuePair<string, string> entry in certs) { string name = entry.Key; string val = entry.Value; if(val.Length > 0) { importCertificate(name, val, keyStorageFlags); } } #endif // // Protocols selects which protocols to enable, by default we only enable TLS1.0 // TLS1.1 and TLS1.2 to avoid security issues with SSLv3 // _protocols = parseProtocols( properties.getPropertyAsListWithDefault(prefix + "Protocols", #if UNITY new string[]{"TLS1_0"})); #else _tls12Support ? new string[]{"TLS1_0", "TLS1_1", "TLS1_2"} : new string[]{"TLS1_0", "TLS1_1"})); #endif // // CheckCertName determines whether we compare the name in a peer's // certificate against its hostname. // _checkCertName = properties.getPropertyAsIntWithDefault(prefix + "CheckCertName", 0) > 0; // // VerifyDepthMax establishes the maximum length of a peer's certificate // chain, including the peer's certificate. A value of 0 means there is // no maximum. // _verifyDepthMax = properties.getPropertyAsIntWithDefault(prefix + "VerifyDepthMax", 3); // // CheckCRL determines whether the certificate revocation list is checked, and how strictly. // _checkCRL = properties.getPropertyAsIntWithDefault(prefix + "CheckCRL", 0); #if !UNITY // // Check for a certificate verifier. // string certVerifierClass = properties.getProperty(prefix + "CertVerifier"); if(certVerifierClass.Length > 0) { if(_verifier != null) { Ice.PluginInitializationException e = new Ice.PluginInitializationException(); e.reason = "IceSSL: certificate verifier already installed"; throw e; } Type cls = _facade.findType(certVerifierClass); if(cls == null) { Ice.PluginInitializationException e = new Ice.PluginInitializationException(); e.reason = "IceSSL: unable to load certificate verifier class " + certVerifierClass; throw e; } try { _verifier = (CertificateVerifier)IceInternal.AssemblyUtil.createInstance(cls); } catch(Exception ex) { Ice.PluginInitializationException e = new Ice.PluginInitializationException(ex); e.reason = "IceSSL: unable to instantiate certificate verifier class " + certVerifierClass; throw e; } if(_verifier == null) { Ice.PluginInitializationException e = new Ice.PluginInitializationException(); e.reason = "IceSSL: unable to instantiate certificate verifier class " + certVerifierClass; throw e; } } // // Check for a password callback. // string passwordCallbackClass = properties.getProperty(prefix + "PasswordCallback"); if(passwordCallbackClass.Length > 0) { if(_passwordCallback != null) { Ice.PluginInitializationException e = new Ice.PluginInitializationException(); e.reason = "IceSSL: password callback already installed"; throw e; } Type cls = _facade.findType(passwordCallbackClass); if(cls == null) { Ice.PluginInitializationException e = new Ice.PluginInitializationException(); e.reason = "IceSSL: unable to load password callback class " + passwordCallbackClass; throw e; } try { _passwordCallback = (PasswordCallback)IceInternal.AssemblyUtil.createInstance(cls); } catch(Exception ex) { Ice.PluginInitializationException e = new Ice.PluginInitializationException(ex); e.reason = "IceSSL: unable to load password callback class " + passwordCallbackClass; throw e; } if(_passwordCallback == null) { Ice.PluginInitializationException e = new Ice.PluginInitializationException(); e.reason = "IceSSL: unable to load password callback class " + passwordCallbackClass; throw e; } } // // If the user hasn't supplied a certificate collection, we need to examine // the property settings. // if(_certs == null) { // // If IceSSL.CertFile is defined, load a certificate from a file and // add it to the collection. // // TODO: tracing? _certs = new X509Certificate2Collection(); string certFile = properties.getProperty(prefix + "CertFile"); string passwordStr = properties.getProperty(prefix + "Password"); string findCert = properties.getProperty(prefix + "FindCert"); const string findPrefix = prefix + "FindCert."; Dictionary<string, string> findCertProps = properties.getPropertiesForPrefix(findPrefix); if(certFile.Length > 0) { if(!checkPath(ref certFile)) { Ice.PluginInitializationException e = new Ice.PluginInitializationException(); e.reason = "IceSSL: certificate file not found: " + certFile; throw e; } SecureString password = null; if(passwordStr.Length > 0) { password = createSecureString(passwordStr); } else if(_passwordCallback != null) { password = _passwordCallback.getPassword(certFile); } try { X509Certificate2 cert; X509KeyStorageFlags importFlags; if(_useMachineContext) { importFlags = X509KeyStorageFlags.MachineKeySet; } else { importFlags = X509KeyStorageFlags.UserKeySet; } if(password != null) { cert = new X509Certificate2(certFile, password, importFlags); } else { cert = new X509Certificate2(certFile, "", importFlags); } _certs.Add(cert); } catch(CryptographicException ex) { Ice.PluginInitializationException e = new Ice.PluginInitializationException(ex); e.reason = "IceSSL: error while attempting to load certificate from " + certFile; throw e; } } else if(findCert.Length > 0) { string certStore = properties.getPropertyWithDefault("IceSSL.CertStore", "My"); _certs.AddRange(findCertificates("IceSSL.FindCert", storeLocation, certStore, findCert)); if(_certs.Count == 0) { throw new Ice.PluginInitializationException("IceSSL: no certificates found"); } } else if(findCertProps.Count > 0) { // // If IceSSL.FindCert.* properties are defined, add the selected certificates // to the collection. // foreach(KeyValuePair<string, string> entry in findCertProps) { string name = entry.Key; string val = entry.Value; if(val.Length > 0) { string storeSpec = name.Substring(findPrefix.Length); StoreLocation storeLoc = 0; StoreName storeName = 0; string sname = null; parseStore(name, storeSpec, ref storeLoc, ref storeName, ref sname); if(sname == null) { sname = storeName.ToString(); } X509Certificate2Collection coll = findCertificates(name, storeLoc, sname, val); _certs.AddRange(coll); } } if(_certs.Count == 0) { Ice.PluginInitializationException e = new Ice.PluginInitializationException(); e.reason = "IceSSL: no certificates found"; throw e; } } } if(_caCerts == null) { string certAuthFile = properties.getProperty(prefix + "CAs"); if(certAuthFile.Length == 0) { certAuthFile = properties.getProperty(prefix + "CertAuthFile"); } if(certAuthFile.Length > 0 || properties.getPropertyAsInt(prefix + "UsePlatformCAs") <= 0) { _caCerts = new X509Certificate2Collection(); } if(certAuthFile.Length > 0) { if(!checkPath(ref certAuthFile)) { Ice.PluginInitializationException e = new Ice.PluginInitializationException(); e.reason = "IceSSL: CA certificate file not found: " + certAuthFile; throw e; } try { using(System.IO.FileStream fs = System.IO.File.OpenRead(certAuthFile)) { byte[] data = new byte[fs.Length]; fs.Read(data, 0, data.Length); string strbuf = ""; try { strbuf = System.Text.Encoding.UTF8.GetString(data); } catch(Exception) { // Ignore } if(strbuf.Length == data.Length) { int size, startpos, endpos = 0; bool first = true; while(true) { startpos = strbuf.IndexOf("-----BEGIN CERTIFICATE-----", endpos); if(startpos != -1) { endpos = strbuf.IndexOf("-----END CERTIFICATE-----", startpos); size = endpos - startpos + "-----END CERTIFICATE-----".Length; } else if(first) { startpos = 0; endpos = strbuf.Length; size = strbuf.Length; } else { break; } byte[] cert = new byte[size]; System.Buffer.BlockCopy(data, startpos, cert, 0, size); _caCerts.Import(cert); first = false; } } else { _caCerts.Import(data); } } } catch(Exception ex) { Ice.PluginInitializationException e = new Ice.PluginInitializationException(ex); e.reason = "IceSSL: error while attempting to load CA certificate from " + certAuthFile; throw e; } } } #endif _initialized = true; }
/// <param name="certificateVerifier">the certificateVerifier to set</param> public virtual void SetCertificateVerifier(CertificateVerifier certificateVerifier ) { this.certificateVerifier = certificateVerifier; }
public MyVerifier(CertificateVerifier verifier) : base(verifier) { }
/// <summary> /// Establish the certificate verifier object. This must be /// done before any connections are established. /// </summary> /// <param name="verifier">The certificate verifier.</param> public abstract void setCertificateVerifier(CertificateVerifier verifier);
internal void initialize() { if(_initialized) { return; } const string prefix = "IceSSL."; Ice.Properties properties = communicator().getProperties(); // // Check for a default directory. We look in this directory for // files mentioned in the configuration. // _defaultDir = properties.getProperty(prefix + "DefaultDir"); // // Process IceSSL.ImportCert.* properties. // Dictionary<string, string> certs = properties.getPropertiesForPrefix(prefix + "ImportCert."); foreach(KeyValuePair<string, string> entry in certs) { string name = entry.Key; string val = entry.Value; if(val.Length > 0) { importCertificate(name, val); } } // // Select protocols. // _protocols = parseProtocols(prefix + "Protocols"); // // CheckCertName determines whether we compare the name in a peer's // certificate against its hostname. // _checkCertName = properties.getPropertyAsIntWithDefault(prefix + "CheckCertName", 0) > 0; // // VerifyDepthMax establishes the maximum length of a peer's certificate // chain, including the peer's certificate. A value of 0 means there is // no maximum. // _verifyDepthMax = properties.getPropertyAsIntWithDefault(prefix + "VerifyDepthMax", 2); // // CheckCRL determines whether the certificate revocation list is checked, and how strictly. // _checkCRL = properties.getPropertyAsIntWithDefault(prefix + "CheckCRL", 0); // // Check for a certificate verifier. // string certVerifierClass = properties.getProperty(prefix + "CertVerifier"); if(certVerifierClass.Length > 0) { if(_verifier != null) { Ice.PluginInitializationException e = new Ice.PluginInitializationException(); e.reason = "IceSSL: certificate verifier already installed"; throw e; } Type cls = _facade.findType(certVerifierClass); if(cls == null) { Ice.PluginInitializationException e = new Ice.PluginInitializationException(); e.reason = "IceSSL: unable to load certificate verifier class " + certVerifierClass; throw e; } try { _verifier = (CertificateVerifier)IceInternal.AssemblyUtil.createInstance(cls); } catch(Exception ex) { Ice.PluginInitializationException e = new Ice.PluginInitializationException(ex); e.reason = "IceSSL: unable to instantiate certificate verifier class " + certVerifierClass; throw e; } if(_verifier == null) { Ice.PluginInitializationException e = new Ice.PluginInitializationException(); e.reason = "IceSSL: unable to instantiate certificate verifier class " + certVerifierClass; throw e; } } // // Check for a password callback. // string passwordCallbackClass = properties.getProperty(prefix + "PasswordCallback"); if(passwordCallbackClass.Length > 0) { if(_passwordCallback != null) { Ice.PluginInitializationException e = new Ice.PluginInitializationException(); e.reason = "IceSSL: password callback already installed"; throw e; } Type cls = _facade.findType(passwordCallbackClass); if(cls == null) { Ice.PluginInitializationException e = new Ice.PluginInitializationException(); e.reason = "IceSSL: unable to load password callback class " + passwordCallbackClass; throw e; } try { _passwordCallback = (PasswordCallback)IceInternal.AssemblyUtil.createInstance(cls); } catch(Exception ex) { Ice.PluginInitializationException e = new Ice.PluginInitializationException(ex); e.reason = "IceSSL: unable to load password callback class " + passwordCallbackClass; throw e; } if(_passwordCallback == null) { Ice.PluginInitializationException e = new Ice.PluginInitializationException(); e.reason = "IceSSL: unable to load password callback class " + passwordCallbackClass; throw e; } } // // If the user hasn't supplied a certificate collection, we need to examine // the property settings. // if(_certs == null) { // // If IceSSL.CertFile is defined, load a certificate from a file and // add it to the collection. // // TODO: tracing? _certs = new X509Certificate2Collection(); string certFile = properties.getProperty(prefix + "CertFile"); string passwordStr = properties.getProperty(prefix + "Password"); if(certFile.Length > 0) { if(!checkPath(ref certFile)) { Ice.PluginInitializationException e = new Ice.PluginInitializationException(); e.reason = "IceSSL: certificate file not found: " + certFile; throw e; } SecureString password = null; if(passwordStr.Length > 0) { password = createSecureString(passwordStr); } else if(_passwordCallback != null) { password = _passwordCallback.getPassword(certFile); } try { X509Certificate2 cert; if(password != null) { cert = new X509Certificate2(certFile, password); } else { cert = new X509Certificate2(certFile); } _certs.Add(cert); } catch(CryptographicException ex) { Ice.PluginInitializationException e = new Ice.PluginInitializationException(ex); e.reason = "IceSSL: error while attempting to load certificate from " + certFile; throw e; } } // // If IceSSL.FindCert.* properties are defined, add the selected certificates // to the collection. // // TODO: tracing? const string findPrefix = prefix + "FindCert."; Dictionary<string, string> certProps = properties.getPropertiesForPrefix(findPrefix); if(certProps.Count > 0) { foreach(KeyValuePair<string, string> entry in certProps) { string name = entry.Key; string val = entry.Value; if(val.Length > 0) { string storeSpec = name.Substring(findPrefix.Length); X509Certificate2Collection coll = findCertificates(name, storeSpec, val); _certs.AddRange(coll); } } if(_certs.Count == 0) { Ice.PluginInitializationException e = new Ice.PluginInitializationException(); e.reason = "IceSSL: no certificates found"; throw e; } } } _initialized = true; }