public static void CreateNewIdentity(string friendlyName, string hostNameOrAddress, int port,
out PublicIdentity publicIdentity, out PrivateIdentity privateIdentity)
{
var key = RSA.Create(4096);
var subject = string.Format("CN = {0}", friendlyName);
var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
var now = DateTime.Now;
var expiry = now.AddYears(10);
var cert = req.CreateSelfSigned(now, expiry);
var pkcs12 = cert.Export(X509ContentType.Pkcs12, "" /* empty password */);
publicIdentity = new PublicIdentity {
FriendlyName = friendlyName,
PublicKey = IoScheduler.GetCertificatePublicKey(cert),
HostNameOrAddress = hostNameOrAddress,
Port = port
};
privateIdentity = new PrivateIdentity {
FriendlyName = friendlyName,
Pkcs12 = pkcs12,
HostNameOrAddress = hostNameOrAddress,
Port = port
};
}
public bool ValidateSSLCertificate(object sender, X509Certificate certificate, X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
const SslPolicyErrors ignoredErrors = SslPolicyErrors.RemoteCertificateChainErrors;
if ((sslPolicyErrors & ~ignoredErrors) != SslPolicyErrors.None)
{
Console.Error.WriteLine("Could not validate SSL certificate for {0} due to errors {1}",
IoScheduler.GetCertificatePublicKey(certificate as X509Certificate2),
sslPolicyErrors & ~ignoredErrors);
return(false);
}
var cert2 = certificate as X509Certificate2;
// If we were expecting a specific public identity, check that
// the key in the certificate matches what we were expecting.
if (expectedPublicIdentity != null)
{
if (!ByteArrayComparer.Default().Equals(IoScheduler.GetCertificatePublicKey(cert2), expectedPublicIdentity.PublicKey))
{
Console.Error.WriteLine("Connected to {0} expecting public key {1} but found public key {2}, so disconnecting.",
IoScheduler.PublicIdentityToString(expectedPublicIdentity),
IoScheduler.PublicKeyToString(expectedPublicIdentity.PublicKey),
IoScheduler.PublicKeyToString(IoScheduler.GetCertificatePublicKey(cert2)));
return(false);
}
if (cert2.SubjectName.Name != "CN=" + expectedPublicIdentity.FriendlyName)
{
Console.Error.WriteLine("Connected to {0} expecting subject CN={1} but found {2}, so disconnecting.",
IoScheduler.PublicIdentityToString(expectedPublicIdentity),
expectedPublicIdentity.FriendlyName,
cert2.SubjectName.Name);
return(false);
}
}
else
{
// If we weren't expecting any particular public identity,
// consider the expected public identity to be the known one
// matching the public key in the certificate we got. If
// there is no known one, then this is just an anonymous
// client, which is fine. Otherwise, check that the subject
// matches what we expect. This is just a paranoid check; it
// should never fail.
expectedPublicIdentity = scheduler.LookupPublicKey(IoScheduler.GetCertificatePublicKey(cert2));
if (expectedPublicIdentity != null)
{
if (cert2.SubjectName.Name != "CN=" + expectedPublicIdentity.FriendlyName)
{
Console.Error.WriteLine("Received a certificate we expected to have subject CN={1} but found {2}, so disconnecting.",
IoScheduler.PublicIdentityToString(expectedPublicIdentity),
expectedPublicIdentity.FriendlyName,
cert2.SubjectName.Name);
return(false);
}
}
}
return(true);
}
public CertificateValidator(IoScheduler i_scheduler, PublicIdentity i_expectedPublicIdentity = null)
{
scheduler = i_scheduler;
expectedPublicIdentity = i_expectedPublicIdentity;
}
public static string PublicIdentityToString(PublicIdentity id)
{
return(string.Format("{0} (key {1}) @ {2}:{3}", id.FriendlyName, PublicKeyToString(id.PublicKey),
id.HostNameOrAddress, id.Port));
}
