Esempio n. 1
0
		internal static bool TrustEvaluateSsl (MSX.X509CertificateCollection collection, object sender, X509Certificate2 certificate, X509Chain chain, SslPolicyErrors errors)
		{
			var certsRawData = new List <byte[]> (collection.Count);
			foreach (MSX.X509Certificate cert in collection)
				certsRawData.Add (cert.RawData);
			return trustEvaluateSsl (certsRawData);
		}
 public static ox509.X509Certificate MonoX509ToOpenSsl(mx509.X509Certificate cert)
 {
   BIO bio = BIO.MemoryBuffer(true);
   bio.Write(cert.RawData);
   var ocert = ox509.X509Certificate.FromDER(bio);
   bio.Dispose();
   return ocert;
 }
    override public bool AddCACertificate(mx509.X509Certificate cert)
    {
      if(!base.AddCACertificate(cert)) {
        return false;
      }

      Store.AddTrusted(MonoX509ToOpenSsl(cert));
      return true;
    }
    override public bool AddSignedCertificate(mx509.X509Certificate cert)
    {
      if(!base.AddSignedCertificate(cert)) {
        return false;
      }

      _local_certificate = MonoX509ToOpenSsl(cert);
      return true;
    }
Esempio n. 5
0
		public TlsConfiguration (TlsProtocols protocols, TlsSettings settings, MX.X509Certificate certificate, AsymmetricAlgorithm privateKey)
		{
			supportedProtocols = protocols;
			requestedProtocol = CheckProtocol (ref supportedProtocols, true);
			TlsSettings = settings ?? new TlsSettings ();
			Certificate = certificate;
			PrivateKey = privateKey;

			RenegotiationFlags = DefaultRenegotiationFlags;
		}
Esempio n. 6
0
		public TlsConfiguration (TlsProtocols protocols, MonoTlsSettings settings, MX.X509Certificate certificate, AsymmetricAlgorithm privateKey)
		{
			supportedProtocols = protocols;
			requestedProtocol = CheckProtocol (settings, ref supportedProtocols, true);
			TlsSettings = settings;
			Certificate = certificate;
			PrivateKey = privateKey;

			if (settings != null)
				UserSettings = (UserSettings)settings.UserSettings;
			if (UserSettings == null)
				UserSettings = new UserSettings ();

			RenegotiationFlags = DefaultRenegotiationFlags;
		}
Esempio n. 7
0
        bool NetscapeCertType(MSX.PKCS12 pfx)
        {
            foreach (MSX.X509Certificate cert in pfx.Certificates) {
                MSX.X509Extension xtn = cert.Extensions ["2.16.840.1.113730.1.1"];
                if (xtn == null)
                    continue;

                var ct = new NetscapeCertTypeExtension (xtn);
                if (!ct.Support (NetscapeCertTypeExtension.CertTypes.SslServer))
                    continue;

                key = GetKeyMatchingCertificate (pfx, cert);
                if (key == null)
                    continue;

                x509 = new X509Certificate (cert.RawData);
                break;
            }

            // complete ?
            return ((x509 != null) && (key != null));
        }
Esempio n. 8
0
        bool KeyUsage(MSX.PKCS12 pfx)
        {
            foreach (MSX.X509Certificate cert in pfx.Certificates) {
                MSX.X509Extension xtn = cert.Extensions ["2.5.29.15"];
                if (xtn == null)
                    continue;

                var ku = new KeyUsageExtension (xtn);
                if (!ku.Support (KeyUsages.digitalSignature) && !ku.Support (KeyUsages.keyEncipherment))
                    continue;

                key = GetKeyMatchingCertificate (pfx, cert);
                if (key == null)
                    continue;

                x509 = new X509Certificate (cert.RawData);
                break;
            }

            // complete ?
            return ((x509 != null) && (key != null));
        }
Esempio n. 9
0
		private bool ProcessCrlExtensions (MX.X509Crl crl)
		{
			foreach (MX.X509Extension ext in crl.Extensions) {
				if (ext.Critical) {
					switch (ext.Oid) {
					case "2.5.29.20": // cRLNumber
					case "2.5.29.35": // authorityKeyIdentifier
						// we processed/know about this extension
						break;
					default:
						return false;
					}
				}
			}
			return true;
		}
Esempio n. 10
0
		static string GetAuthorityKeyIdentifier (MX.X509Extension ext)
		{
			if (ext == null)
				return String.Empty;
			MX.Extensions.AuthorityKeyIdentifierExtension aki = new MX.Extensions.AuthorityKeyIdentifierExtension (ext);
			byte[] id = aki.Identifier;
			if (id == null)	
				return String.Empty;
			StringBuilder sb = new StringBuilder ();
			foreach (byte b in id)
				sb.Append (b.ToString ("X02"));
			return sb.ToString ();
		}
Esempio n. 11
0
			// RFC2818 - HTTP Over TLS, Section 3.1
			// http://www.ietf.org/rfc/rfc2818.txt
			// 
			// 1.	if present MUST use subjectAltName dNSName as identity
			// 1.1.		if multiples entries a match of any one is acceptable
			// 1.2.		wildcard * is acceptable
			// 2.	URI may be an IP address -> subjectAltName.iPAddress
			// 2.1.		exact match is required
			// 3.	Use of the most specific Common Name (CN=) in the Subject
			// 3.1		Existing practice but DEPRECATED
			static bool CheckServerIdentity (MSX.X509Certificate cert, string targetHost) 
			{
				try {
					MSX.X509Extension ext = cert.Extensions ["2.5.29.17"];
					// 1. subjectAltName
					if (ext != null) {
						SubjectAltNameExtension subjectAltName = new SubjectAltNameExtension (ext);
						// 1.1 - multiple dNSName
						foreach (string dns in subjectAltName.DNSNames) {
							// 1.2 TODO - wildcard support
							if (Match (targetHost, dns))
								return true;
						}
						// 2. ipAddress
						foreach (string ip in subjectAltName.IPAddresses) {
							// 2.1. Exact match required
							if (ip == targetHost)
								return true;
						}
					}
					// 3. Common Name (CN=)
					return CheckDomainName (cert.SubjectName, targetHost);
				} catch (Exception e) {
					Console.Error.WriteLine ("ERROR processing certificate: {0}", e);
					Console.Error.WriteLine ("Please, report this problem to the Mono team");
					return false;
				}
			}
Esempio n. 12
0
		internal static bool TrustEvaluateSsl (MSX.X509CertificateCollection collection, object sender, X509Certificate2 certificate, X509Chain chain, SslPolicyErrors errors)
		{
			if (trustEvaluateSsl2 != null)
				return trustEvaluateSsl2 (collection, sender, certificate, chain, errors);
			return trustEvaluateSsl (collection);
		}
Esempio n. 13
0
		public void SetCertificate (MX.X509Certificate certificate, AsymmetricAlgorithm privateKey)
		{
			Certificate = certificate;
			#if !BOOTSTRAP_BASIC
			if (PrivateKey != null && PrivateKey != privateKey)
				PrivateKey.Dispose ();
			#endif
			PrivateKey = privateKey;
		}
Esempio n. 14
0
		static SecTrustResult _TrustEvaluateSsl (MSX.X509CertificateCollection certificates, string hostName)
		{
			int certCount = certificates.Count;
			IntPtr [] cfDataPtrs = new IntPtr [certCount];
			IntPtr [] secCerts = new IntPtr [certCount];
			IntPtr certArray = IntPtr.Zero;
			IntPtr sslsecpolicy = IntPtr.Zero;
			IntPtr host = IntPtr.Zero;
			IntPtr sectrust = IntPtr.Zero;
			SecTrustResult result = SecTrustResult.Deny;

			try {
				for (int i = 0; i < certCount; i++)
					cfDataPtrs [i] = MakeCFData (certificates [i].RawData);
				
				for (int i = 0; i < certCount; i++){
					secCerts [i] = SecCertificateCreateWithData (IntPtr.Zero, cfDataPtrs [i]);
					if (secCerts [i] == IntPtr.Zero)
						return SecTrustResult.Deny;
				}
				certArray = FromIntPtrs (secCerts);
				host = CFStringCreateWithCharacters (IntPtr.Zero, hostName, (IntPtr) hostName.Length);
				sslsecpolicy = SecPolicyCreateSSL (true, host);

				int code = SecTrustCreateWithCertificates (certArray, sslsecpolicy, out sectrust);
				if (code == 0)
					code = SecTrustEvaluate (sectrust, out result);
				return result;
			} finally {
				for (int i = 0; i < certCount; i++)
					if (cfDataPtrs [i] != IntPtr.Zero)
						CFRelease (cfDataPtrs [i]);

				if (certArray != IntPtr.Zero)
					CFRelease (certArray);
				
				for (int i = 0; i < certCount; i++)
					if (secCerts [i] != IntPtr.Zero)
						CFRelease (secCerts [i]);

				if (sslsecpolicy != IntPtr.Zero)
					CFRelease (sslsecpolicy);
				if (host != IntPtr.Zero)
					CFRelease (host);
				if (sectrust != IntPtr.Zero)
					CFRelease (sectrust);
			}
		}
Esempio n. 15
0
        bool Simple(MSX.PKCS12 pfx)
        {
            int ncerts = pfx.Certificates.Count;
            if (ncerts == 0)
                throw new Exception ("No certificates are present in the PKCS#12 file.");

            int nkeys = pfx.Keys.Count;
            if (nkeys == 0)
                throw new Exception ("No keypair is present in the PKCS#12 file.");

            if (ncerts == 1) {
                MSX.X509Certificate cert = pfx.Certificates [0];
                // only one certificate, find matching key
                if (nkeys == 1) {
                    // only one key
                    key = (pfx.Keys [0] as RSA);
                } else {
                    // many keys (strange case)
                    key = GetKeyMatchingCertificate (pfx, cert);
                }
                // complete ?
                if ((key != null) && (cert != null)) {
                    x509 = new X509Certificate (cert.RawData);
                    return true;
                }
            }

            return false;
        }
Esempio n. 16
0
		public X509CertificateImplMono (MX.X509Certificate x509)
		{
			this.x509 = x509;
		}
Esempio n. 17
0
		static IList<byte[]> CreateArray (MSX.X509CertificateCollection certificates)
		{
			var list = new List<byte[]> (certificates.Count);
			for (int i = 0; i < certificates.Count; i++)
				list.Add (certificates [i].RawData);
			return list;
		}
Esempio n. 18
0
			// Used when the obsolete ICertificatePolicy is set to DefaultCertificatePolicy
			// and the new ServerCertificateValidationCallback is not null
			internal ValidationResult ValidateChain (MSX.X509CertificateCollection certs)
			{
				// user_denied is true if the user callback is called and returns false
				bool user_denied = false;
				if (certs == null || certs.Count == 0)
					return null;

				ICertificatePolicy policy = ServicePointManager.CertificatePolicy;

				X509Certificate2 leaf = new X509Certificate2 (certs [0].RawData);
				int status11 = 0; // Error code passed to the obsolete ICertificatePolicy callback
				SslPolicyErrors errors = 0;
				X509Chain chain = null;
				bool result = false;
#if MONOTOUCH
				// The X509Chain is not really usable with MonoTouch (since the decision is not based on this data)
				// However if someone wants to override the results (good or bad) from iOS then they will want all
				// the certificates that the server provided (which generally does not include the root) so, only  
				// if there's a user callback, we'll create the X509Chain but won't build it
				// ref: https://bugzilla.xamarin.com/show_bug.cgi?id=7245
				if (ServerCertificateValidationCallback != null) {
#endif
				chain = new X509Chain ();
				chain.ChainPolicy = new X509ChainPolicy ();
#if !MONOTOUCH
				chain.ChainPolicy.RevocationMode = revocation_mode;
#endif
				for (int i = 1; i < certs.Count; i++) {
					X509Certificate2 c2 = new X509Certificate2 (certs [i].RawData);
					chain.ChainPolicy.ExtraStore.Add (c2);
				}
#if MONOTOUCH
				}
#else
				try {
					if (!chain.Build (leaf))
						errors |= GetErrorsFromChain (chain);
				} catch (Exception e) {
					Console.Error.WriteLine ("ERROR building certificate chain: {0}", e);
					Console.Error.WriteLine ("Please, report this problem to the Mono team");
					errors |= SslPolicyErrors.RemoteCertificateChainErrors;
				}

				// for OSX and iOS we're using the native API to check for the SSL server policy and host names
				if (!is_macosx) {
					if (!CheckCertificateUsage (leaf)) {
						errors |= SslPolicyErrors.RemoteCertificateChainErrors;
						status11 = -2146762490; //CERT_E_PURPOSE 0x800B0106
					}

					if (!CheckServerIdentity (certs [0], host)) {
						errors |= SslPolicyErrors.RemoteCertificateNameMismatch;
						status11 = -2146762481; // CERT_E_CN_NO_MATCH 0x800B010F
					}
				} else {
#endif
					// Attempt to use OSX certificates
					// Ideally we should return the SecTrustResult
					OSX509Certificates.SecTrustResult trustResult = OSX509Certificates.SecTrustResult.Deny;
					try {
						trustResult = OSX509Certificates.TrustEvaluateSsl (certs, host);
						// We could use the other values of trustResult to pass this extra information
						// to the .NET 2 callback for values like SecTrustResult.Confirm
						result = (trustResult == OSX509Certificates.SecTrustResult.Proceed ||
								  trustResult == OSX509Certificates.SecTrustResult.Unspecified);
					} catch {
						// Ignore
					}
					
					if (result) {
						// TrustEvaluateSsl was successful so there's no trust error
						// IOW we discard our own chain (since we trust OSX one instead)
						errors = 0;
					} else {
						// callback and DefaultCertificatePolicy needs this since 'result' is not specified
						status11 = (int) trustResult;
						errors |= SslPolicyErrors.RemoteCertificateChainErrors;
					}
#if !MONOTOUCH
				}
#endif

#if MONODROID && SECURITY_DEP
				result = AndroidPlatform.TrustEvaluateSsl (certs, sender, leaf, chain, errors);
				if (result) {
					// chain.Build() + GetErrorsFromChain() (above) will ALWAYS fail on
					// Android (there are no mozroots or preinstalled root certificates),
					// thus `errors` will ALWAYS have RemoteCertificateChainErrors.
					// Android just verified the chain; clear RemoteCertificateChainErrors.
					errors  &= ~SslPolicyErrors.RemoteCertificateChainErrors;
				}
#endif

				if (policy != null && (!(policy is DefaultCertificatePolicy) || cb == null)) {
					ServicePoint sp = null;
					HttpWebRequest req = sender as HttpWebRequest;
					if (req != null)
						sp = req.ServicePointNoLock;
					if (status11 == 0 && errors != 0)
						status11 = GetStatusFromChain (chain);

					// pre 2.0 callback
					result = policy.CheckValidationResult (sp, leaf, req, status11);
					user_denied = !result && !(policy is DefaultCertificatePolicy);
				}
				// If there's a 2.0 callback, it takes precedence
				if (ServerCertificateValidationCallback != null) {
					result = ServerCertificateValidationCallback (sender, leaf, chain, errors);
					user_denied = !result;
				}
				return new ValidationResult (result, user_denied, status11);
			}
Esempio n. 19
0
		public static SecTrustResult TrustEvaluateSsl (MSX.X509CertificateCollection certificates, string host)
		{
			if (certificates == null)
				return SecTrustResult.Deny;

			try {
				var certArray = CreateArray (certificates);
				return _TrustEvaluateSsl (certArray, host);
			} catch {
				return SecTrustResult.Deny;
			}
		}
Esempio n. 20
0
		// but anyway System.dll v2 doesn't expose CRL in any way so...
		static string GetAuthorityKeyIdentifier (MX.X509Crl crl)
		{
			return GetAuthorityKeyIdentifier (crl.Extensions ["2.5.29.35"]);
		}
Esempio n. 21
0
        bool BruteForce(MSX.PKCS12 pfx)
        {
            foreach (object o in pfx.Keys) {
                key = (o as RSA);
                if (key == null)
                    continue;

                string s = key.ToXmlString (false);
                foreach (MSX.X509Certificate cert in pfx.Certificates) {
                    if (s == cert.RSA.ToXmlString (false))
                        x509 = new X509Certificate (cert.RawData);
                }

                // complete ?
                if ((x509 != null) && (key != null))
                    return true;
            }
            return false;
        }
Esempio n. 22
0
		static MX.X509Crl CheckCrls (string subject, string ski, MX.X509Store store)
		{
			if (store == null)
				return null;

			var crls = store.Crls;
			foreach (MX.X509Crl crl in crls) {
				if (crl.IssuerName == subject && (ski.Length == 0 || ski == GetAuthorityKeyIdentifier (crl)))
					return crl;
			}
			return null; // No CRL found
		}
Esempio n. 23
0
        bool ExtendedKeyUsage(MSX.PKCS12 pfx)
        {
            foreach (MSX.X509Certificate cert in pfx.Certificates) {
                MSX.X509Extension xtn = cert.Extensions ["2.5.29.37"];
                if (xtn == null)
                    continue;

                var eku = new ExtendedKeyUsageExtension (xtn);
                if (!eku.KeyPurpose.Contains ("1.3.6.1.5.5.7.3.1"))
                    continue;

                key = GetKeyMatchingCertificate (pfx, cert);
                if (key == null)
                    continue;

                x509 = new X509Certificate (cert.RawData);
                break;
            }

            // complete ?
            return ((x509 != null) && (key != null));
        }
Esempio n. 24
0
		private bool ProcessCrlEntryExtensions (MX.X509Crl.X509CrlEntry entry)
		{
			foreach (MX.X509Extension ext in entry.Extensions) {
				if (ext.Critical) {
					switch (ext.Oid) {
					case "2.5.29.21": // cRLReason
						// we processed/know about this extension
						break;
					default:
						return false;
					}
				}
			}
			return true;
		}
Esempio n. 25
0
 RSA GetKeyMatchingCertificate(MSX.PKCS12 pfx, MSX.X509Certificate cert)
 {
     IDictionary attributes = pfx.GetAttributes (cert);
     return (pfx.GetAsymmetricAlgorithm (attributes) as RSA);
 }