public SslStream(Stream innerStream, bool leaveInnerStreamOpen, RemoteCertificateValidationCallback?userCertificateValidationCallback, LocalCertificateSelectionCallback?userCertificateSelectionCallback, EncryptionPolicy encryptionPolicy) : base(innerStream, leaveInnerStreamOpen) { if (encryptionPolicy != EncryptionPolicy.RequireEncryption && encryptionPolicy != EncryptionPolicy.AllowNoEncryption && encryptionPolicy != EncryptionPolicy.NoEncryption) { throw new ArgumentException(SR.Format(SR.net_invalid_enum, "EncryptionPolicy"), nameof(encryptionPolicy)); } _userCertificateValidationCallback = userCertificateValidationCallback; _userCertificateSelectionCallback = userCertificateSelectionCallback; _encryptionPolicy = encryptionPolicy; _certValidationDelegate = new RemoteCertValidationCallback(UserCertValidationCallbackWrapper); _certSelectionDelegate = userCertificateSelectionCallback == null ? null : new LocalCertSelectionCallback(UserCertSelectionCallbackWrapper); _innerStream = innerStream; }
public SslStream(Stream innerStream, bool leaveInnerStreamOpen, RemoteCertificateValidationCallback?userCertificateValidationCallback, LocalCertificateSelectionCallback?userCertificateSelectionCallback, EncryptionPolicy encryptionPolicy) : base(innerStream, leaveInnerStreamOpen) { #pragma warning disable SYSLIB0040 // NoEncryption and AllowNoEncryption are obsolete if (encryptionPolicy != EncryptionPolicy.RequireEncryption && encryptionPolicy != EncryptionPolicy.AllowNoEncryption && encryptionPolicy != EncryptionPolicy.NoEncryption) { throw new ArgumentException(SR.Format(SR.net_invalid_enum, "EncryptionPolicy"), nameof(encryptionPolicy)); } #pragma warning restore SYSLIB0040 _sslAuthenticationOptions.EncryptionPolicy = encryptionPolicy; _sslAuthenticationOptions.CertValidationDelegate = userCertificateValidationCallback; _sslAuthenticationOptions.CertSelectionDelegate = userCertificateSelectionCallback; if (NetEventSource.Log.IsEnabled()) { NetEventSource.Log.SslStreamCtor(this, innerStream); } }
/// <summary>Creates a SessionFactory object.</summary> /// <param name="callback">The callback for notifications about session establishment.</param> /// <param name="properties">Optional properties used for communicator initialization.</param> /// <param name="logger">Optional logger used for communicator initialization.</param> /// <param name="observer">Optional communicator observer used for communicator initialization.</param> /// <param name="certificates">Optional certificates used by secure transports.</param> /// <param name="caCertificates">Optional CA certificates used by secure transports.</param> /// /// <param name="certificateSelectionCallback">Optional certificate selection callback used by secure /// transports.</param> /// <param name="certificateValidationCallback">Optional certificate validation callback used by secure /// transports.</param> /// <param name="passwordCallback">Optional password callback used by secure transports.</param> public SessionFactoryHelper( ISessionCallback callback, Dictionary <string, string> properties, ILogger?logger = null, ICommunicatorObserver?observer = null, X509Certificate2Collection?certificates = null, X509Certificate2Collection?caCertificates = null, LocalCertificateSelectionCallback?certificateSelectionCallback = null, RemoteCertificateValidationCallback?certificateValidationCallback = null, IPasswordCallback?passwordCallback = null) { _callback = callback; _properties = properties; _logger = logger; _observer = observer; _certificates = certificates; _caCertificates = caCertificates; _certificateSelectionCallback = certificateSelectionCallback; _certificateValidationCallback = certificateValidationCallback; _passwordCallback = passwordCallback; _properties["Ice.RetryIntervals"] = "-1"; }
internal SessionHelper(ISessionCallback callback, string finderStr, bool useCallbacks, Dictionary <string, string> properties, ILogger?logger, ICommunicatorObserver?observer, X509Certificate2Collection?certificates, X509Certificate2Collection?caCertificates, LocalCertificateSelectionCallback?certificateSelectionCallback, RemoteCertificateValidationCallback?certificateValidationCallback, IPasswordCallback?passwordCallback) { _callback = callback; _finderStr = finderStr; _useCallbacks = useCallbacks; _properties = properties; _logger = logger; _observer = observer; _certificates = certificates; _caCertificates = caCertificates; _certificateSelectionCallback = certificateSelectionCallback; _certificateValidationCallback = certificateValidationCallback; _passwordCallback = passwordCallback; }
public SslStream(Stream innerStream, bool leaveInnerStreamOpen, RemoteCertificateValidationCallback?userCertificateValidationCallback, LocalCertificateSelectionCallback?userCertificateSelectionCallback) : this(innerStream, leaveInnerStreamOpen, userCertificateValidationCallback, userCertificateSelectionCallback, EncryptionPolicy.RequireEncryption) { }
internal SslEngine( Communicator communicator, X509Certificate2Collection?certificates, X509Certificate2Collection?caCertificates, LocalCertificateSelectionCallback?certificateSelectionCallback, RemoteCertificateValidationCallback?certificateValidationCallback, IPasswordCallback?passwordCallback) { _logger = communicator.Logger; SecurityTraceLevel = communicator.GetPropertyAsInt("IceSSL.Trace.Security") ?? 0; _trustManager = new SslTrustManager(communicator); CertificateSelectionCallback = certificateSelectionCallback; RemoteCertificateValidationCallback = certificateValidationCallback; PasswordCallback = passwordCallback; Certs = certificates; CaCerts = caCertificates; // Check for a default directory. We look in this directory for files mentioned in the configuration. _defaultDir = communicator.GetProperty("IceSSL.DefaultDir") ?? ""; string?certStoreLocation = communicator.GetProperty("IceSSL.CertStoreLocation"); if (certStoreLocation != null && CertificateSelectionCallback != null) { throw new InvalidConfigurationException( "the property `IceSSL.CertStoreLocation' is incompatible with the certificate selection callback"); } certStoreLocation ??= "CurrentUser"; StoreLocation storeLocation; if (certStoreLocation == "CurrentUser") { storeLocation = StoreLocation.CurrentUser; } else if (certStoreLocation == "LocalMachine") { storeLocation = StoreLocation.LocalMachine; } else { _logger.Warning($"Invalid IceSSL.CertStoreLocation value `{certStoreLocation}' adjusted to `CurrentUser'"); storeLocation = StoreLocation.CurrentUser; } UseMachineContext = certStoreLocation == "LocalMachine"; // Protocols selects which protocols to enable SslProtocols = ParseProtocols(communicator.GetPropertyAsList("IceSSL.Protocols")); // VerifyDepthMax establishes the maximum length of a peer's certificate chain, including the peer's // certificate. A value of 0 means there is no maximum. int?verifyDepthMax = communicator.GetPropertyAsInt("IceSSL.VerifyDepthMax"); if (verifyDepthMax != null && RemoteCertificateValidationCallback != null) { throw new InvalidConfigurationException( "the property `IceSSL.VerifyDepthMax' check is incompatible with the custom remote certificate validation callback"); } _verifyDepthMax = verifyDepthMax ?? 3; // CheckCRL determines whether the certificate revocation list is checked, and how strictly. CheckCRL = communicator.GetPropertyAsInt("IceSSL.CheckCRL") ?? 0; // If the user hasn't supplied a certificate collection, we need to examine the property settings. if (Certs == null) { // If IceSSL.CertFile is defined, load a certificate from a file and add it to the collection. // TODO: tracing? string?certFile = communicator.GetProperty("IceSSL.CertFile"); if (certFile != null && CertificateSelectionCallback != null) { throw new InvalidConfigurationException( "the property `IceSSL.CertFile' is incompatible with the certificate selection callback"); } string?passwordStr = communicator.GetProperty("IceSSL.Password"); if (passwordStr != null && CertificateSelectionCallback != null) { throw new InvalidConfigurationException( "the property `IceSSL.Password' is incompatible with the certificate selection callback"); } string?findCert = communicator.GetProperty("IceSSL.FindCert"); if (findCert != null && CertificateSelectionCallback != null) { throw new InvalidConfigurationException( "the property `IceSSL.FindCert' is incompatible with the certificate selection callback"); } Certs = new X509Certificate2Collection(); const string findPrefix = "IceSSL.FindCert."; Dictionary <string, string> findCertProps = communicator.GetProperties(forPrefix: findPrefix); if (certFile != null) { if (!CheckPath(ref certFile)) { throw new FileNotFoundException($"certificate file not found: `{certFile}'", certFile); } SecureString?password = null; if (passwordStr != null) { password = CreateSecureString(passwordStr); } else if (PasswordCallback != null) { password = PasswordCallback(certFile); } try { X509Certificate2 cert; X509KeyStorageFlags importFlags; if (UseMachineContext) { importFlags = X509KeyStorageFlags.MachineKeySet; } else { importFlags = X509KeyStorageFlags.UserKeySet; } if (password != null) { cert = new X509Certificate2(certFile, password, importFlags); } else { cert = new X509Certificate2(certFile, "", importFlags); } Certs.Add(cert); } catch (CryptographicException ex) { throw new InvalidConfigurationException( $"error while attempting to load certificate from `{certFile}'", ex); } } else if (findCert != null) { string certStore = communicator.GetProperty("IceSSL.CertStore") ?? "My"; Certs.AddRange(FindCertificates("IceSSL.FindCert", storeLocation, certStore, findCert)); if (Certs.Count == 0) { throw new InvalidConfigurationException("no certificates found"); } } } if (CaCerts == null) { string?certAuthFile = communicator.GetProperty("IceSSL.CAs"); if (certAuthFile != null && RemoteCertificateValidationCallback != null) { throw new InvalidConfigurationException( "the property `IceSSL.CAs' is incompatible with the custom remote certificate validation callback"); } bool?usePlatformCAs = communicator.GetPropertyAsBool("IceSSL.UsePlatformCAs"); if (usePlatformCAs != null && RemoteCertificateValidationCallback != null) { throw new InvalidConfigurationException( "the property `IceSSL.UsePlatformCAs' is incompatible with the custom remote certificate validation callback"); } if (RemoteCertificateValidationCallback == null) { if (certAuthFile != null || !(usePlatformCAs ?? false)) { CaCerts = new X509Certificate2Collection(); } if (certAuthFile != null) { if (!CheckPath(ref certAuthFile)) { throw new FileNotFoundException("CA certificate file not found: `{certAuthFile}'", certAuthFile); } try { using FileStream fs = File.OpenRead(certAuthFile); byte[] data = new byte[fs.Length]; fs.Read(data, 0, data.Length); string strbuf = ""; try { strbuf = System.Text.Encoding.UTF8.GetString(data); } catch (Exception) { // Ignore } if (strbuf.Length == data.Length) { int size, startpos, endpos = 0; bool first = true; while (true) { startpos = strbuf.IndexOf("-----BEGIN CERTIFICATE-----", endpos); if (startpos != -1) { endpos = strbuf.IndexOf("-----END CERTIFICATE-----", startpos); size = endpos - startpos + "-----END CERTIFICATE-----".Length; } else if (first) { startpos = 0; endpos = strbuf.Length; size = strbuf.Length; } else { break; } byte[] cert = new byte[size]; Buffer.BlockCopy(data, startpos, cert, 0, size); CaCerts !.Import(cert); first = false; } } else { CaCerts !.Import(data); } } catch (Exception ex) { throw new InvalidConfigurationException( $"error while attempting to load CA certificate from {certAuthFile}", ex); } } } } }
private void ValidateCreateContext(SslClientAuthenticationOptions sslClientAuthenticationOptions, RemoteCertificateValidationCallback?remoteCallback, LocalCertificateSelectionCallback?localCallback) { // Without setting (or using) these members you will get a build exception in the unit test project. // The code that normally uses these in the main solution is in the implementation of SslStream. if (_nestedWrite == 0) { } _exception = null; _nestedWrite = 0; _handshakeCompleted = false; }