internal static MonoSslStream CreateSslStream ( Stream innerStream, bool leaveInnerStreamOpen, ICertificateValidator certificateValidator, MonoTlsSettings settings = null) { var stream = new MonoNewTlsStream (innerStream, leaveInnerStreamOpen, certificateValidator, settings); return new MonoSslStreamImpl (stream); }
internal static void AddCertificateValidator (MSI.MonoTlsSettings settings, ICertificateValidator validator) { if (validator == null) return; settings.RemoteCertificateValidationCallback = (s, c, ch, e) => { return ((CertificateValidator)validator).ValidationCallback (s, c, ch, (SslPolicyErrors)e); }; }
internal static MSI.ICertificateValidator GetCertificateValidator (ICertificateValidator validator) { if (validator == null) return null; var settings = new MSI.MonoTlsSettings (); settings.ServerCertificateValidationCallback = (s, c, ch, e) => { return ((CertificateValidator)validator).ValidationCallback (s, c, ch, (SslPolicyErrors)e); }; return MSI.CertificateValidationHelper.CreateDefaultValidator (settings); }
public static MonoNewTlsStream CreateClient ( Stream innerStream, bool leaveOpen, ICertificateValidator certificateValidator, TlsSettings settings, string targetHost, PSSCX.X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation) { var stream = new MonoNewTlsStream (innerStream, leaveOpen, certificateValidator, settings); try { stream.AuthenticateAsClient (targetHost, clientCertificates, enabledSslProtocols, checkCertificateRevocation); } catch (Exception ex) { var tlsEx = stream.LastError; if (tlsEx != null) throw new AggregateException (ex, tlsEx); throw; } return stream; }
public CertificateProvider( LetsEncryptOptions options, ICertificateValidator certificateValidator, IPersistenceService persistenceService, ILetsEncryptClientFactory clientFactory, ILogger <CertificateProvider> logger) { var domains = options.Domains?.Distinct().ToArray(); if (domains == null || domains.Length == 0) { throw new ArgumentException("Domains configuration invalid"); } _domains = domains; _persistenceService = persistenceService; _clientFactory = clientFactory; _certificateValidator = certificateValidator; _logger = logger; }
public WsFedCachingSecurityTokenProvider(string metadataEndpoint, ICertificateValidator backchannelCertificateValidator, TimeSpan backchannelTimeout, HttpMessageHandler backchannelHttpHandler) { _metadataEndpoint = metadataEndpoint; _backchannelTimeout = backchannelTimeout; _backchannelHttpHandler = backchannelHttpHandler ?? new WebRequestHandler(); if (backchannelCertificateValidator != null) { // Set the cert validate callback var webRequestHandler = _backchannelHttpHandler as WebRequestHandler; if (webRequestHandler == null) { throw new InvalidOperationException(Properties.Resources.Exception_ValidatorHandlerMismatch); } webRequestHandler.ServerCertificateValidationCallback = backchannelCertificateValidator.Validate; } RetrieveMetadata(); }
private static HttpMessageHandler ResolveHttpMessageHandler(TwitterAuthenticationOptions options) { HttpMessageHandler handler = options.BackchannelHttpHandler ?? new WebRequestHandler(); WebRequestHandler handler2 = handler as WebRequestHandler; if (handler2 == null) { if (options.BackchannelCertificateValidator != null) { throw new InvalidOperationException("Microsoft.Owin.Resources.Exception_ValidatorHandlerMismatch"); } return(handler); } if (options.BackchannelCertificateValidator != null) { ICertificateValidator backchannelCertificateValidator = options.BackchannelCertificateValidator; handler2.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(backchannelCertificateValidator.Validate); } return(handler); }
public WsFedCachingSecurityKeyProvider(string metadataEndpoint, ICertificateValidator backchannelCertificateValidator, TimeSpan backchannelTimeout, HttpMessageHandler backchannelHttpHandler) { _metadataEndpoint = metadataEndpoint; _backchannelTimeout = backchannelTimeout; _backchannelHttpHandler = backchannelHttpHandler ?? new WebRequestHandler(); if (backchannelCertificateValidator != null) { // Set the cert validate callback var webRequestHandler = _backchannelHttpHandler as WebRequestHandler; if (webRequestHandler == null) { throw new InvalidOperationException(Properties.Resources.Exception_ValidatorHandlerMismatch); } webRequestHandler.ServerCertificateValidationCallback = backchannelCertificateValidator.Validate; } RetrieveMetadata(); }
public DiscoveryCachingSecurityTokenProvider(string discoveryEndpoint, ICertificateValidator backchannelCertificateValidator, HttpMessageHandler backchannelHttpHandler) { _discoveryEndpoint = discoveryEndpoint; _backchannelHttpHandler = backchannelHttpHandler ?? new WebRequestHandler(); if (backchannelCertificateValidator != null) { // Set the cert validate callback var webRequestHandler = _backchannelHttpHandler as WebRequestHandler; if (webRequestHandler == null) { throw new InvalidOperationException("Invalid certificate validator"); } webRequestHandler.ServerCertificateValidationCallback = backchannelCertificateValidator.Validate; } _configurationManager = new ConfigurationManager <OpenIdConnectConfiguration>(_discoveryEndpoint, new HttpClient(_backchannelHttpHandler)); RetrieveMetadata(); }
/// <summary> /// Create the transport listener for the service host endpoint. /// </summary> /// <param name="endpointUri">The endpoint Uri.</param> /// <param name="endpoints">The description of the endpoints.</param> /// <param name="endpointConfiguration">The configuration of the endpoints.</param> /// <param name="listener">The transport listener.</param> /// <param name="certificateValidator">The certificate validator for the transport.</param> public virtual void CreateServiceHostEndpoint( Uri endpointUri, EndpointDescriptionCollection endpoints, EndpointConfiguration endpointConfiguration, ITransportListener listener, ICertificateValidator certificateValidator ) { // create the stack listener. try { TransportListenerSettings settings = new TransportListenerSettings(); settings.Descriptions = endpoints; settings.Configuration = endpointConfiguration; settings.ServerCertificate = InstanceCertificate; settings.CertificateValidator = certificateValidator; settings.NamespaceUris = MessageContext.NamespaceUris; settings.Factory = MessageContext.Factory; listener.Open( endpointUri, settings, GetEndpointInstance(this)); TransportListeners.Add(listener); listener.ConnectionStatusChanged += OnConnectionStatusChanged; } catch (Exception e) { string message = $"Could not load {endpointUri.Scheme} Stack Listener."; if (e.InnerException != null) { message += (" " + e.InnerException.Message); } Utils.Trace(e, message); throw; } }
void CheckValidationResult( ICertificateValidator validator, string targetHost, bool serverMode, X509CertificateCollection certificates, bool wantsChain, X509Chain chain, MonoBtlsX509StoreCtx storeCtx, bool success, ref MonoSslPolicyErrors errors, ref int status11) { status11 = unchecked ((int)0); if (success) { return; } errors = MonoSslPolicyErrors.RemoteCertificateChainErrors; if (!wantsChain || storeCtx == null || chain == null) { status11 = unchecked ((int)0x800B010B); return; } var error = storeCtx.GetError(); switch (error) { case Mono.Btls.MonoBtlsX509Error.OK: errors = MonoSslPolicyErrors.None; break; case Mono.Btls.MonoBtlsX509Error.CRL_NOT_YET_VALID: break; case MonoBtlsX509Error.HOSTNAME_MISMATCH: errors = MonoSslPolicyErrors.RemoteCertificateNameMismatch; chain.Impl.AddStatus(X509ChainStatusFlags.UntrustedRoot); status11 = unchecked ((int)0x800B010B); break; default: chain.Impl.AddStatus(MapVerifyErrorToChainStatus(error)); status11 = unchecked ((int)0x800B010B); break; } }
public MonoTlsSettings CloneWithValidator(ICertificateValidator validator) { if (cloned) { this.certificateValidator = validator; return(this); } var copy = new MonoTlsSettings(); copy.ServerCertificateValidationCallback = ServerCertificateValidationCallback; copy.ClientCertificateSelectionCallback = ClientCertificateSelectionCallback; copy.checkCertName = checkCertName; copy.checkCertRevocationStatus = checkCertRevocationStatus; copy.UseServicePointManagerCallback = useServicePointManagerCallback; copy.skipSystemValidators = skipSystemValidators; copy.callbackNeedsChain = callbackNeedsChain; copy.UserSettings = UserSettings; copy.certificateValidator = validator; copy.cloned = true; return(copy); }
public void Initialize() { var persistenceService = Substitute.For <IPersistenceService>(); var options = new LetsEncryptOptions { Domains = new[] { "test.com" }, Email = "*****@*****.**", KeyAlgorithm = KeyAlgorithm.ES512, UseStaging = true, }; var certificateValidator = Substitute.For <ICertificateValidator>(); certificateValidator.IsCertificateValid(null).Returns(false); certificateValidator.IsCertificateValid(RefEq(InvalidCert)).Returns(false); certificateValidator.IsCertificateValid(RefEq(ValidCert)).Returns(true); var client = Substitute.For <ILetsEncryptClient>(); var factory = Substitute.For <ILetsEncryptClientFactory>(); factory.GetClient().Returns(Task.FromResult(client)); var sut = new CertificateProvider( options, certificateValidator, persistenceService, factory, NullLogger <CertificateProvider> .Instance); PersistenceService = persistenceService; CertificateValidator = certificateValidator; LetsEncryptClientFactory = factory; LetsEncryptClient = client; Sut = sut; }
public LegacySslStream(Stream innerStream, bool leaveInnerStreamOpen, MonoTlsSettings settings) : base(innerStream, leaveInnerStreamOpen) { this.settings = settings; this.certificateValidator = settings.CertificateValidator; }
public TokenHandlerConfigurationProvider(IFederationPartyContextBuilder federationPartyContextBuilder, ICertificateValidator certificateValidator) { this._federationPartyContextBuilder = federationPartyContextBuilder; this._certificateValidator = certificateValidator; }
public FederationMetadataSerialiser(ICertificateValidator certificateValidator, ILogProvider logProvider) { this._certificateValidator = certificateValidator; base.CertificateValidator = (X509CertificateValidator)certificateValidator; this._logProvider = logProvider; }
/// <summary> /// Creates a new LightBuzz secure HTTPS handler with the specified parameters. /// </summary> /// <param name="validator">The certificate validator</param> public LightBuzzHttpsHandler(ICertificateValidator validator) : this(DefaultContentType, DefaultZumoApiVersion, DefaultEncoding, DefaultTimeout, validator) { }
public LegacySslStream(Stream innerStream, bool leaveInnerStreamOpen, MonoTlsProvider provider, MonoTlsSettings settings) : base(innerStream, leaveInnerStreamOpen) { this.provider = provider; certificateValidator = ChainValidationHelper.GetDefaultValidator(provider, settings); }
/// <summary> /// Constructor /// </summary> /// <param name="config">An IWeemoConfig implementation; the props should have valid values</param> /// <param name="certValidator">An ICertificateValidator implementation to use to validate the response certificate</param> public RestSharpWeemoClient(IWeemoConfig config, ICertificateValidator certValidator) { this.config = config; this.certValidator = certValidator; }
internal MonoNewTlsStream (Stream innerStream, bool leaveOpen, ICertificateValidator certificateValidator, MonoTlsSettings settings) : base (innerStream, leaveOpen, certificateValidator, EncryptionPolicy.RequireEncryption, settings) { }
public MonoTlsSettings CloneWithValidator (ICertificateValidator validator) { if (cloned) { this.certificateValidator = validator; return this; } var copy = new MonoTlsSettings (); copy.RemoteCertificateValidationCallback = RemoteCertificateValidationCallback; copy.ClientCertificateSelectionCallback = ClientCertificateSelectionCallback; copy.checkCertName = checkCertName; copy.checkCertRevocationStatus = checkCertRevocationStatus; copy.UseServicePointManagerCallback = useServicePointManagerCallback; copy.skipSystemValidators = skipSystemValidators; copy.callbackNeedsChain = callbackNeedsChain; copy.UserSettings = UserSettings; copy.certificateValidator = validator; copy.EnabledProtocols = EnabledProtocols; copy.TrustAnchors = TrustAnchors; copy.cloned = true; return copy; }
/// <summary> /// Constructor /// </summary> /// <param name="config">An IWeemoConfig implementation; the props should have valid values</param> /// <param name="certValidator">An ICertificateValidator implementation to use to validate the response certificate</param> public HttpWebRequestWeemoClient(IWeemoConfig config, ICertificateValidator certValidator) { this.config = config; this.certValidator = certValidator; }
public LookupClientBuilder CertificateValidator(ICertificateValidator certificateValidator) { this.validator = certificateValidator; return(this); }
/// <summary> /// Constructor /// </summary> /// <param name="config">An IWeemoConfig implementation; the props should have valid values</param> /// <param name="certValidator">An ICertificateValidator implementation to use to validate the response certificate</param> public RestSharpWeemoClient(IWeemoConfig config, ICertificateValidator certValidator) { this.config = config; this.certValidator = certValidator; }
public LegacySslStream (Stream innerStream, bool leaveInnerStreamOpen, MonoTlsSettings settings) : base (innerStream, leaveInnerStreamOpen) { this.settings = settings; this.certificateValidator = settings.CertificateValidator; }
/// <summary> /// Creates a new LightBuzz secure HTTPS handler with the specified parameters. /// </summary> /// <param name="contentType">The Content Type header type.</param> /// <param name="zumoApiVersion">The ZUMO API version number.</param> /// <param name="encoding">The encoding of the response message.</param> /// <param name="requestTimeout">The request timeout value in milliseconds.</param> /// <param name="validator">The certificate validator</param> public LightBuzzHttpsHandler(string contentType, string zumoApiVersion, Encoding encoding, int requestTimeout, ICertificateValidator validator) { AutomaticDecompression = DecompressionMethods.Deflate; ContentType = contentType; ZumoApiVersion = zumoApiVersion; Encoding = encoding; RequestTimeout = requestTimeout; Validator = validator; }
public LegacySslStream (Stream innerStream, bool leaveInnerStreamOpen, MonoTlsProvider provider, MonoTlsSettings settings) : base (innerStream, leaveInnerStreamOpen) { this.provider = provider; this.settings = settings; this.certificateValidator = ChainValidationHelper.GetDefaultValidator (provider, settings); }
public FederationMetadataSerialiser(ICertificateValidator certificateValidator) { base.CertificateValidator = (X509CertificateValidator)certificateValidator; base.CertificateValidationMode = certificateValidator.X509CertificateValidationMode; }
void CheckValidationResult ( ICertificateValidator validator, string targetHost, bool serverMode, X509CertificateCollection certificates, bool wantsChain, X509Chain chain, MonoBtlsX509StoreCtx storeCtx, bool success, ref MonoSslPolicyErrors errors, ref int status11) { if (!success) { errors = MonoSslPolicyErrors.RemoteCertificateChainErrors; status11 = unchecked((int)0x800B010B); } }
private async Task <ModuleClient> CreateInternalClientFromEnvironmentAsync() { IDictionary envVariables = Environment.GetEnvironmentVariables(); string connectionString = GetValueFromEnvironment(envVariables, EdgehubConnectionstringVariableName) ?? GetValueFromEnvironment(envVariables, IothubConnectionstringVariableName); // First try to create from connection string and if env variable for connection string is not found try to create from edgedUri if (!string.IsNullOrWhiteSpace(connectionString)) { string certPath = Environment.GetEnvironmentVariable(EdgeCaCertificateFileVariableName); ICertificateValidator certificateValidator = NullCertificateValidator.Instance; if (!string.IsNullOrWhiteSpace(certPath)) { Debug.WriteLine("EdgeModuleClientFactory setupTrustBundle from file"); var expectedRoot = new X509Certificate2(certPath); certificateValidator = GetCertificateValidator(new List <X509Certificate2>() { expectedRoot }); } return(new ModuleClient(CreateInternalClientFromConnectionString(connectionString, _options), certificateValidator)); } else { string edgedUri = GetValueFromEnvironment(envVariables, IotEdgedUriVariableName) ?? throw new InvalidOperationException($"Environment variable {IotEdgedUriVariableName} is required."); string deviceId = GetValueFromEnvironment(envVariables, DeviceIdVariableName) ?? throw new InvalidOperationException($"Environment variable {DeviceIdVariableName} is required."); string moduleId = GetValueFromEnvironment(envVariables, ModuleIdVariableName) ?? throw new InvalidOperationException($"Environment variable {ModuleIdVariableName} is required."); string hostname = GetValueFromEnvironment(envVariables, IotHubHostnameVariableName) ?? throw new InvalidOperationException($"Environment variable {IotHubHostnameVariableName} is required."); string authScheme = GetValueFromEnvironment(envVariables, AuthSchemeVariableName) ?? throw new InvalidOperationException($"Environment variable {AuthSchemeVariableName} is required."); string generationId = GetValueFromEnvironment(envVariables, ModuleGenerationIdVariableName) ?? throw new InvalidOperationException($"Environment variable {ModuleGenerationIdVariableName} is required."); string gateway = GetValueFromEnvironment(envVariables, GatewayHostnameVariableName); if (!string.Equals(authScheme, SasTokenAuthScheme, StringComparison.OrdinalIgnoreCase)) { throw new InvalidOperationException($"Unsupported authentication scheme. Supported scheme is {SasTokenAuthScheme}."); } ISignatureProvider signatureProvider = new HttpHsmSignatureProvider(edgedUri, DefaultApiVersion); TimeSpan sasTokenTimeToLive = _options?.SasTokenTimeToLive ?? default; int sasTokenRenewalBuffer = _options?.SasTokenRenewalBuffer ?? default; #pragma warning disable CA2000 // Dispose objects before losing scope - IDisposable ModuleAuthenticationWithHsm is disposed when the client is disposed. // Since the sdk creates the instance of disposable ModuleAuthenticationWithHsm, the sdk needs to dispose it once the client is disposed. var authMethod = new ModuleAuthenticationWithHsm(signatureProvider, deviceId, moduleId, generationId, sasTokenTimeToLive, sasTokenRenewalBuffer, disposeWithClient: true); #pragma warning restore CA2000 // Dispose objects before losing scope - IDisposable ModuleAuthenticationWithHsm is disposed when the client is disposed. Debug.WriteLine("EdgeModuleClientFactory setupTrustBundle from service"); ICertificateValidator certificateValidator = NullCertificateValidator.Instance; if (!string.IsNullOrEmpty(gateway)) { IList <X509Certificate2> certs = await _trustBundleProvider.GetTrustBundleAsync(new Uri(edgedUri), DefaultApiVersion).ConfigureAwait(false); certificateValidator = GetCertificateValidator(certs); } return(new ModuleClient(CreateInternalClientFromAuthenticationMethod(hostname, gateway, authMethod, _options), certificateValidator)); } }
public MonoTlsSettings CloneWithValidator (ICertificateValidator validator) { if (cloned) { this.certificateValidator = validator; return this; } var copy = new MonoTlsSettings (this); copy.certificateValidator = validator; return copy; }
public KestrelCertificateSelector(string named, ICertificateValidator certificateValidator) { _certificateValidator = certificateValidator ?? throw new ArgumentNullException(nameof(certificateValidator)); _named = named; }
public CertificateAuthenticationHandler(ICertificatePrincipalFactory certificatePrincipalFactory, ICertificateValidator certificateValidator, ILoggerFactory loggerFactory, IOptionsMonitor <CertificateAuthenticationOptions> options, ISystemClock systemClock, UrlEncoder urlEncoder) : base(options, loggerFactory, urlEncoder, systemClock) { this.CertificatePrincipalFactory = certificatePrincipalFactory ?? throw new ArgumentNullException(nameof(certificatePrincipalFactory)); this.CertificateValidator = certificateValidator ?? throw new ArgumentNullException(nameof(certificateValidator)); }
/// <summary> /// Constructor /// </summary> /// <param name="config">An IWeemoConfig implementation; the props should have valid values</param> /// <param name="certValidator">An ICertificateValidator implementation to use to validate the response certificate</param> public HttpWebRequestWeemoClient(IWeemoConfig config, ICertificateValidator certValidator) { this.config = config; this.certValidator = certValidator; }
/* * If @serverMode is true, then we're a server and want to validate a certificate * that we received from a client. * * Returns `true` if certificate validation has been performed and `false` to invoke the * default system validator. */ public virtual bool InvokeSystemCertificateValidator ( ICertificateValidator validator, string targetHost, bool serverMode, X509CertificateCollection certificates, out bool success, ref MonoSslPolicyErrors errors, ref int status11) { success = false; return false; }
public LegacySslStream(Stream innerStream, bool leaveInnerStreamOpen, MonoTlsSettings settings) : base(innerStream, leaveInnerStreamOpen) { this.settings = settings; this.certificateValidator = ChainValidationHelper.GetDefaultValidator(settings); }