Esempi di codice in C# (CSharp) per X509Chain.Create

Esempio n. 1

0

Mostra file

File: SecurityExtensions.cs Progetto: santedb/santedb-api

        /// <summary>
        /// Returns true if the certificate <paramref name="me"/> is trusted by a SanteSuite certificate
        /// </summary>
        public static bool IsTrustedIntern(this X509Certificate2 me, X509Certificate2Collection extraCerts, out IEnumerable <X509ChainStatus> chainStatus)
        {
            var chain = X509Chain.Create();

            chain.ChainPolicy = new X509ChainPolicy()
            {
                RevocationMode = X509RevocationMode.NoCheck
            };

            if (extraCerts != null)
            {
                chain.ChainPolicy.ExtraStore.AddRange(extraCerts);
            }
            chain.ChainPolicy.ExtraStore.AddRange(GetInternalCertificates().ToArray());

            var retVal = chain.Build(me);

            chainStatus = chain.ChainStatus;

            if (!retVal)
            {
                using (var trustedPublisherStore = new X509Store(StoreName.TrustedPublisher, StoreLocation.LocalMachine))
                {
                    trustedPublisherStore.Open(OpenFlags.ReadOnly);
                    retVal = trustedPublisherStore.Certificates.Find(X509FindType.FindBySubjectName, me.Subject, false).Count > 0;
                }
            }
            return(retVal || HasTrustedRootCert(chain));
        }

Esempio n. 2

0

Mostra file

        /// <summary>
        /// 校验证书链是否可信
        /// </summary>
        /// <param name="certificate">需要验证的目标证书或者证书链</param>
        /// <param name="rootCertificate">可信根证书</param>
        public static bool IsTrusted(string certificate, string rootCertificate)
        {
            var rootCertificates = ReadPemCertChain(rootCertificate);
            var certificates     = ReadPemCertChain(certificate);

            using (var chain = X509Chain.Create())
            {
                chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
                chain.ChainPolicy.RevocationFlag    = X509RevocationFlag.ExcludeRoot;
                chain.ChainPolicy.RevocationMode    = X509RevocationMode.NoCheck;

                foreach (var rootCert in rootCertificates)
                {
                    chain.ChainPolicy.ExtraStore.Add(rootCert);
                }

                foreach (var cert in certificates)
                {
                    if (!chain.Build(cert))
                    {
                        return(false);
                    }
                }
            }

            return(true);
        }

Esempio n. 3

0

Mostra file

 private static void AddServerCertificateInfo(HttpResponseMessage response, SslPolicyErrors sslPolicyErrors)
 {
     response.RequestMessage.Properties[nameof(ServerCertificateInfo)]
         = new ServerCertificateInfo("X509CertificateName",
                                     X509Chain.Create(),
                                     sslPolicyErrors);
 }

Esempio n. 4

0

Mostra file

File: FileCertVerifier.cs Progetto: h0useRus/StarCitizen

        /// <summary>
        /// Verify file is signed only with one self-signed certificate and verify this certificate chain.
        /// </summary>
        /// <param name="filename">An filename to verify.</param>
        /// <returns>true if the file signed with certificate; otherwise, false.</returns>
        /// <exception cref="ArgumentNullException">The filename is null.</exception>
        /// <exception cref="CryptographicException">The certificate is unreadable.</exception>
        public bool VerifyFileCertificate(string filename)
        {
            if (filename == null)
            {
                throw new ArgumentNullException(nameof(filename));
            }
            _logger.Info("Verify file certificate");
            using var fileCertificateCollection = DynamicDisposable <X509Certificate2Collection> .CreateNonNull(new X509Certificate2Collection ());

            fileCertificateCollection.Object.Import(filename);
            if (fileCertificateCollection.Object.Count != 1)
            {
                _logger.Error($"Invalid certificates count: {fileCertificateCollection.Object.Count}");
                return(false);
            }
            var fileCertificate = fileCertificateCollection.Object[0];

            if (fileCertificate.RawData.SequenceEqual(_fileSignCertificate.RawData))
            {
                using var chain = DynamicDisposable <X509Chain> .CreateNonNull(X509Chain.Create());

                if (_rootCertificate != null)
                {
                    chain.Object.ChainPolicy.ExtraStore.Add(_rootCertificate);           // add CA cert for verification
                }
                chain.Object.ChainPolicy.RevocationMode    = X509RevocationMode.NoCheck; // no revocation checking
                chain.Object.ChainPolicy.RevocationFlag    = X509RevocationFlag.ExcludeRoot;
                chain.Object.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
                return(chain.Object.Build(fileCertificate) && VerifyChain(chain.Object));
            }
            _logger.Error("Invalid certificate data");
            return(false);
        }

Esempio n. 5

0

Mostra file

File: ClientCertificateValidatorServiceTests.cs Progetto: Azure/iotedge-lorawan-starterkit

        public async Task ValidateAsync_ReturnsFalse_WithInvalidCNCertificate()
        {
            var clientCertificateWithInvalidEuiPath = await BasicsStationNetworkServerTests.CreatePfxCertificateAsync(false, InvalidStationEui);

            try
            {
                using var cert  = new X509Certificate2(clientCertificateWithInvalidEuiPath);
                using var chain = X509Chain.Create();

                _ = this.stationConfigService.Setup(x => x.GetAllowedClientThumbprintsAsync(It.IsAny <StationEui>(), It.IsAny <CancellationToken>()))
                    .Returns(Task.FromResult(new[] { cert.Thumbprint }));

                var result = await this.clientCertValidatorSvc.ValidateAsync(cert, chain, System.Net.Security.SslPolicyErrors.None, default);

                Assert.False(result);
                Assert.Contains(this.logger.Invocations, i => i.Arguments.Any(a => a.ToString() !.Contains(InvalidStationEui, StringComparison.OrdinalIgnoreCase)));
            }
            finally
            {
                if (!string.IsNullOrEmpty(clientCertificateWithInvalidEuiPath))
                {
                    File.Delete(clientCertificateWithInvalidEuiPath);
                }
            }
        }

Esempio n. 6

0

Mostra file

File: FileCertVerifier.cs Progetto: Shin0by/StarCitizen-Helper

        /// <summary>
        /// Verify file is signed only with one self-signed certificate and verify this certificate chain.
        /// </summary>
        /// <param name="filename">An filename to verify.</param>
        /// <returns>true if the file signed with certificate; otherwise, false.</returns>
        /// <exception cref="ArgumentNullException">The filename is null.</exception>
        /// <exception cref="CryptographicException">The certificate is unreadable.</exception>
        public bool VerifyFileCertificate(string filename)
        {
            if (filename == null)
            {
                throw new ArgumentNullException("filename");
            }
            X509Certificate2Collection fileCertificateCollection = new X509Certificate2Collection();

            fileCertificateCollection.Import(filename);
            if (fileCertificateCollection.Count == 1)
            {
                X509Certificate2 fileCertificate = fileCertificateCollection[0];
                if (fileCertificate.RawData.SequenceEqual(fileSignCertificate.RawData))
                {
                    X509Chain chain = X509Chain.Create();
                    if (rootCertificate != null)
                    {
                        chain.ChainPolicy.ExtraStore.Add(rootCertificate);            // add CA cert for verification
                    }
                    chain.ChainPolicy.RevocationMode    = X509RevocationMode.NoCheck; // no revocation checking
                    chain.ChainPolicy.RevocationFlag    = X509RevocationFlag.ExcludeRoot;
                    chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
                    return(chain.Build(fileCertificate) && VerifyChain(chain));
                }
            }
            return(false);
        }

Esempio n. 7

0

Mostra file

File: ChainTests.cs Progetto: joemitchard/corefx

 public static void BuildChainInvalidValues()
 {
     using (var chain = X509Chain.Create())
     {
         AssertExtensions.Throws <ArgumentException>("certificate", () => chain.Build(null));
         AssertExtensions.Throws <ArgumentException>("certificate", () => chain.Build(new X509Certificate2()));
     }
 }

Esempio n. 8

0

Mostra file

        private static X509Chain GetCertificateChain(X509Certificate2 cert)
        {
            var certificateChain = X509Chain.Create();

            certificateChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            certificateChain.Build(cert);
            return(certificateChain);
        }

Esempio n. 9

0

Mostra file

        private SignRequest Create2StepSignRequest(Document document, SignatureRequestProperties properties)
        {
            var documentId = "doc-" + Guid.NewGuid().ToString();

            byte[][] x509Chain;
            if (SignerChain.Length == 1 && SignerChain[0].Issuer != SignerChain[0].Subject)
            {
                var chain = X509Chain.Create();
                chain.ChainPolicy.RevocationMode    = X509RevocationMode.NoCheck;
                chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
                chain.Build(SignerChain[0]);

                x509Chain = chain.ChainElements
                            .Cast <X509ChainElement>()
                            .AsQueryable()
                            .Select(x => x.Certificate.RawData)
                            .ToArray();
            }
            else
            {
                x509Chain = SignerChain.AsQueryable()
                            .Select(x => x.RawData)
                            .ToArray();
            }

            return(new SignRequest()
            {
                Profile = "http://docs.oasis-open.org/dss-x/ns/localsig",
                OptionalInputs = new OptionalInputs()
                {
                    SignatureType = SignatureType,
                    ServicePolicy = "http://docs.oasis-open.org/dss-x/ns/localsig/two-step-approach",
                    SignaturePlacement = CreateEnvelopedSignature(documentId),
                    RequestDocumentHash = new RequestDocumentHash()
                    {
                        MaintainRequestState = true,
                        MaintainRequestStateSpecified = true
                    },
                    KeySelector = new KeySelector()
                    {
                        KeyInfo = new KeyInfoType()
                        {
                            X509Data = x509Chain
                        }
                    },
                    VisibleSignatureConfiguration = properties?.Configuration
                },
                InputDocuments = new InputDocuments()
                {
                    Document = new DocumentType[]
                    {
                        CreateDocumentType(documentId, document)
                    }
                }
            });
        }

Esempio n. 10

0

Mostra file

File: X509ChainTest.cs Progetto: sumitsethtest/playscript-mono

        public void StaticCreation()
        {
            X509Chain c = X509Chain.Create();

#if MOBILE
            Assert.IsNull(c);
#else
            CheckDefaultChain(c);
#endif
        }

Esempio n. 11

0

Mostra file

File: x509build.cs Progetto: zlxy/Genesis-3D

    static int Main(string[] args)
    {
        if (args.Length == 0)
        {
            Console.WriteLine("Usage: mono x509build.exe filename");
            return(2);
        }
        string filename = args [0];

        X509Certificate2 cert = new X509Certificate2(filename);
        // using X509Chain.Create will use the X509Chain defined in machine.config
        X509Chain chain  = X509Chain.Create();
        bool      result = chain.Build(cert);

        Console.WriteLine("Build: {0}", result);
        Console.WriteLine();

        Console.WriteLine("ChainStatus:");
        if (chain.ChainStatus.Length > 0)
        {
            foreach (X509ChainStatus st in chain.ChainStatus)
            {
                Console.WriteLine("\t{0}", st.Status);
            }
        }
        else
        {
            Console.WriteLine("\t{0}", X509ChainStatusFlags.NoError);
        }
        Console.WriteLine();

        int n = 1;

        Console.WriteLine("ChainElements:");
        foreach (X509ChainElement ce in chain.ChainElements)
        {
            Console.WriteLine("{0}. Certificate: {1}", n++, ce.Certificate);
            Console.WriteLine("\tChainStatus:");
            if (ce.ChainElementStatus.Length > 0)
            {
                foreach (X509ChainStatus st in ce.ChainElementStatus)
                {
                    Console.WriteLine("\t\t{0}", st.Status);
                }
            }
            else
            {
                Console.WriteLine("\t\t{0}", X509ChainStatusFlags.NoError);
            }
            Console.WriteLine();
        }

        return(result ? 0 : 1);
    }

Esempio n. 12

0

Mostra file

        public void ValidateSelfSignedAllowedNoViolation()
        {
            var path        = Path.Combine(Environment.CurrentDirectory, "security", "TestValidationCertificate.pfx");
            var certificate = new X509Certificate2(path, "abc123");
            var chain       = X509Chain.Create();

            chain.ChainPolicy.RevocationMode    = X509RevocationMode.NoCheck;
            chain.ChainPolicy.RevocationFlag    = X509RevocationFlag.EndCertificateOnly;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
            chain.Build(certificate);

            var isValid = CertificateValidation.CertificateValidationCallBackAllowsSelfSigned(this, certificate, chain, SslPolicyErrors.None);

            Assert.IsTrue(isValid, "The certificate is expected to pass validation");
        }

Esempio n. 13

0

Mostra file

File: ClientCertificateValidatorServiceTests.cs Progetto: Azure/iotedge-lorawan-starterkit

        public async Task ValidateAsync_ReturnsFalse_WithNonExpectedThumbprint()
        {
            if (string.IsNullOrEmpty(this.clientCertificateWithEuiPath))
            {
                throw new InvalidOperationException("Client certificate was not properly initialized.");
            }

            using var cert  = new X509Certificate2(this.clientCertificateWithEuiPath);
            using var chain = X509Chain.Create();

            _ = this.stationConfigService.Setup(x => x.GetAllowedClientThumbprintsAsync(It.IsAny <StationEui>(), It.IsAny <CancellationToken>()))
                .Returns(Task.FromResult(new[] { "AnotherThumbprint" }));

            var result = await this.clientCertValidatorSvc.ValidateAsync(cert, chain, System.Net.Security.SslPolicyErrors.None, default);

            Assert.False(result);
        }

Esempio n. 14

0

Mostra file

File: PluginManager.cs Progetto: philips2955/Kill-Update

        private static bool IsModuleSignedOneTry(Module module)
        {
            try
            {
                X509Certificate certificate = module.GetSignerCertificate();
                if (certificate == null)
                {
                    // File is not signed.
                    return(false);
                }

                X509Certificate2 certificate2 = new X509Certificate2(certificate);

                using (X509Chain CertificateChain = X509Chain.Create())
                {
                    CertificateChain.ChainPolicy.RevocationFlag      = X509RevocationFlag.EndCertificateOnly;
                    CertificateChain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(60);
                    CertificateChain.ChainPolicy.RevocationMode      = X509RevocationMode.Online;
                    bool IsEndCertificateValid = CertificateChain.Build(certificate2);

                    if (!IsEndCertificateValid)
                    {
                        return(false);
                    }

                    CertificateChain.ChainPolicy.RevocationFlag      = X509RevocationFlag.EntireChain;
                    CertificateChain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(60);
                    CertificateChain.ChainPolicy.RevocationMode      = X509RevocationMode.Online;
                    CertificateChain.ChainPolicy.VerificationFlags   = X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown;
                    bool IsCertificateChainValid = CertificateChain.Build(certificate2);

                    if (!IsCertificateChainValid)
                    {
                        return(false);
                    }

                    return(true);
                }
            }
            catch
            {
                return(false);
            }
        }

Esempio n. 15

0

Mostra file

        /// <summary>
        ///
        /// </summary>
        /// <param name="name">The name of the certificate to retrieve</param>
        /// <returns>Returns the first instance of the certificate matching the name</returns>
        public static X509Certificate2 GetRootCertificate(string name)
        {
            if (string.IsNullOrEmpty(name))
            {
                throw new ArgumentException("Certificate name must be provided!", nameof(name));
            }

            try
            {
                X509Certificate2 CAroot = null;
                var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
                store.Open(OpenFlags.ReadOnly);
                var cers = store.Certificates.Find(X509FindType.FindBySubjectName, name, false);

                if (cers.Count > 0)
                {
                    foreach (var certificate in cers)
                    {
                        var chain = X509Chain.Create();
                        chain.ChainPolicy.RevocationMode    = X509RevocationMode.Offline;
                        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
                        if (chain.Build(certificate))
                        {
                            CAroot = certificate;
                            Log.Entry(LogName, name + " cert found");
                        }
                    }
                }
                else
                {
                    throw new ArgumentException(name + " NOT found in keystore");
                }
                store.Close();

                return(CAroot);
            }
            catch (Exception ex)
            {
                Log.Error(LogName, "Unable to retrieve " + name);
                Log.Error(LogName, ex);
            }

            return(null);
        }

Esempio n. 16

0

Mostra file

File: ManualConfigSettingsProcessor.cs Progetto: mikeydee36/confluent-kafka-dotnet

        private static X509Certificate2 AttemptToResolveCACertificateFromUserCertificate(X509Certificate2 userCertificate)
        {
#if NET45
            X509Chain certificateChain = X509Chain.Create();
#elif NETSTANDARD1_3
            using (var certificateChain = new X509Chain())
#else
            using (var certificateChain = new X509Chain(true))
#endif
            {
                certificateChain.Build(userCertificate);

                return(certificateChain.ChainElements.Count > 1
                    ?
                       certificateChain.ChainElements[certificateChain.ChainElements.Count - 1].Certificate
                    :
                       null);
            }
        }

Esempio n. 17

0

Mostra file

File: ClientCertificateValidatorServiceTests.cs Progetto: Azure/iotedge-lorawan-starterkit

        public async Task ValidateAsync_ReturnsFalse_WithUntrustedRoot()
        {
            if (string.IsNullOrEmpty(this.clientCertificateWithEuiPath))
            {
                throw new InvalidOperationException("Client certificate was not properly initialized.");
            }

            using var cert  = new X509Certificate2(this.clientCertificateWithEuiPath);
            using var chain = X509Chain.Create();
            _ = chain.Build(cert);

            _ = this.stationConfigService.Setup(x => x.GetAllowedClientThumbprintsAsync(It.IsAny <StationEui>(), It.IsAny <CancellationToken>()))
                .Returns(Task.FromResult(new[] { cert.Thumbprint }));

            var result = await this.clientCertValidatorSvc.ValidateAsync(cert, chain, System.Net.Security.SslPolicyErrors.None, default);

            Assert.False(result);
            Assert.Contains(this.logger.Invocations, i => i.Arguments.Any(a => a.ToString() !.Contains(X509ChainStatusFlags.UntrustedRoot.ToString(), StringComparison.OrdinalIgnoreCase)));
        }

Esempio n. 18

0

Mostra file

 public override void Validate(X509Certificate2 cert)
 {
     if (check_peer)
     {
         X509Store store = new X509Store();
         store.Open(OpenFlags.ReadOnly);
         foreach (X509Certificate2 c in store.Certificates)
         {
             if (c.Thumbprint == cert.Thumbprint)
             {
                 return;
             }
         }
     }
     if (check_chain)
     {
         if (chain == null)
         {
             if (use_machine_ctx)
             {
                 chain = X509Chain.Create();
             }
             else
             {
                 chain = new X509Chain();
             }
             chain.ChainPolicy = policy;
         }
         else
         {
             chain.Reset();
         }
         if (chain.Build(cert))
         {
             return;
         }
     }
     throw new ArgumentException("The argument certificate is invalid.");
 }

Esempio n. 19

0

Mostra file

        private static bool IsModuleSignedOneTry(Module module, OidCollection oidCheckList, out int signedExitCode)
        {
#if DEBUG
            bool Success = true;
#else
            bool Success = false;
#endif
            signedExitCode = 0;

            try
            {
                using X509Certificate Certificate = GetSignerCertificate(module);
                if (Certificate == null)
                {
                    // File is not signed.
                    signedExitCode = -7;
                    return(Success);
                }

                using (X509Certificate2 Certificate2 = new X509Certificate2(Certificate))
                {
                    using (X509Chain CertificateChain = X509Chain.Create())
                    {
                        Success = true;
                        CheckCertificateChain(Certificate2, CertificateChain, oidCheckList, X509RevocationFlag.EndCertificateOnly, X509VerificationFlags.IgnoreEndRevocationUnknown, -8, ref Success, ref signedExitCode);
                        CheckCertificateChain(Certificate2, CertificateChain, oidCheckList, X509RevocationFlag.EntireChain, X509VerificationFlags.IgnoreEndRevocationUnknown | X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown, -9, ref Success, ref signedExitCode);
                    }
                }
            }
            catch
            {
                signedExitCode = -10;
            }

            return(Success);
        }

Esempio n. 20

0

Mostra file

File: RestSession.cs Progetto: drolean/Arctium-RE

 static X509Chain smethod_8()
 {
     return(X509Chain.Create());
 }

Esempio n. 21

0

Mostra file

File: PdfDocumentSignerService.cs Progetto: M4nvx/SmardCard

        /// <summary>
        /// Signs the PDF-document using the provided parameters.
        /// </summary>
        /// <param name="src">
        /// The source document.
        /// </param>
        /// <param name="destFilename">
        /// The destination filename.
        /// </param>
        internal static void SignDocumentStream(Stream src, string destFilename, string l_issuerName)
        {
            const string l_fieldname        = "Signature1";
            var          l_reason           = "Aprovant el document";
            var          l_location         = "Barcelona";
            var          l_pin              = "1234";
            var          l_signatureVisible = true;
            var          l_x = 5;
            var          l_y = 5;
            var          l_w = 200;
            var          l_h = 200;

            var l_cert = GetCertificate(l_issuerName);

            // This is risky business. The private key part of the certificate is protected by a pin-code.
            // This solution reads the pin-code from web.config and enters it automatically. This circumvention
            // of the built-in security-layer must be mitigated by thorough security in the infrastructure
            // where the solution runs.
            var l_key = GetKey(l_cert, l_pin);

            // Find the number of pages in the document
            var l_document  = new PdfDocument(new PdfReader(src), new PdfWriter(destFilename + "_temp"));
            var l_pageCount = l_document.GetNumberOfPages();

            l_document.Close();



            // Create certificate chain (might add validation)
            var l_ch = X509Chain.Create();

            l_ch.Build(l_cert);

            // Convert chain to BC classes
            var l_chain         = new X509Certificate[l_ch.ChainElements.Count];
            var l_chainElements = new X509ChainElement[l_ch.ChainElements.Count];

            l_ch.ChainElements.CopyTo(l_chainElements, 0);
            for (var l_i = 0; l_i < l_ch.ChainElements.Count; l_i++)
            {
                l_chain[l_i] = DotNetUtilities.FromX509Certificate(l_chainElements[l_i].Certificate);
            }

            var l_reader = new PdfReader(destFilename + "_temp");
            var l_signer = new PdfSigner(l_reader, new FileStream(destFilename, FileMode.OpenOrCreate), false);

            // Creating the appearance
            var l_appearance =
                l_signer.GetSignatureAppearance()
                .SetReason(l_reason)
                .SetLocation(l_location)
                .SetReuseAppearance(false);

            if (l_signatureVisible)
            {
                // Define rectangle for visible signature
                //var l_rect = new Rectangle(l_x, l_y, l_w, l_h);
                //l_appearance.SetPageRect(l_rect).SetPageNumber(l_pageCount);

                //l_appearance.SetLocationCaption("Signatura_Direccio");
            }

            l_signer.SetFieldName("Signatura_Direccio");

            // Creating the signature, providing our own implementation of IExternalSignature
            IExternalSignature l_pks = new TokenSigner(l_key, DigestAlgorithms.SHA256);

            l_signer.SignDetached(l_pks, l_chain, null, null, null, 0, PdfSigner.CryptoStandard.CADES);
        }

Esempio n. 22

0

Mostra file

File: ChainTests.cs Progetto: joemitchard/corefx

 public static void Create()
 {
     using (var chain = X509Chain.Create())
         Assert.NotNull(chain);
 }

Esempio n. 23

0

Mostra file

        ///////////////////////////////////////////////////////////////////////

        public static ReturnCode VerifyChain(
            Assembly assembly,
            X509Certificate2 certificate2,
            X509VerificationFlags verificationFlags,
            X509RevocationMode revocationMode,
            X509RevocationFlag revocationFlag,
            ref Result error
            )
        {
            if (certificate2 != null)
            {
                try
                {
                    X509Chain chain = X509Chain.Create();

                    if (chain != null)
                    {
                        X509ChainPolicy chainPolicy = chain.ChainPolicy;

                        if (chainPolicy != null)
                        {
                            //
                            // NOTE: Setup the chain policy settings as specified
                            //       by the caller.
                            //
                            chainPolicy.VerificationFlags = verificationFlags;
                            chainPolicy.RevocationMode    = revocationMode;
                            chainPolicy.RevocationFlag    = revocationFlag;

                            if (chain.Build(certificate2))
                            {
                                return(ReturnCode.Ok);
                            }
                            else
                            {
                                StringList list = new StringList();

                                if (chain.ChainStatus != null)
                                {
                                    foreach (X509ChainStatus status in chain.ChainStatus)
                                    {
                                        list.Add(
                                            status.Status.ToString(),
                                            status.StatusInformation);
                                    }

                                    if (assembly != null)
                                    {
                                        error = String.Format(
                                            "assembly {0}: {1}",
                                            FormatOps.WrapOrNull(assembly),
                                            list.ToString());
                                    }
                                    else
                                    {
                                        error = list;
                                    }
                                }
                                else
                                {
                                    if (assembly != null)
                                    {
                                        error = String.Format(
                                            "assembly {0}: invalid chain status",
                                            FormatOps.WrapOrNull(assembly));
                                    }
                                    else
                                    {
                                        error = "invalid chain status";
                                    }
                                }
                            }
                        }
                        else
                        {
                            if (assembly != null)
                            {
                                error = String.Format(
                                    "assembly {0}: invalid chain policy",
                                    FormatOps.WrapOrNull(assembly));
                            }
                            else
                            {
                                error = "invalid chain policy";
                            }
                        }
                    }
                    else
                    {
                        if (assembly != null)
                        {
                            error = String.Format(
                                "assembly {0}: invalid chain",
                                FormatOps.WrapOrNull(assembly));
                        }
                        else
                        {
                            error = "invalid chain";
                        }
                    }
                }
                catch (Exception e)
                {
                    if (assembly != null)
                    {
                        error = String.Format(
                            "assembly {0}: {1}",
                            FormatOps.WrapOrNull(assembly), e);
                    }
                    else
                    {
                        error = e;
                    }
                }
            }
            else
            {
                if (assembly != null)
                {
                    error = String.Format(
                        "assembly {0}: invalid certificate",
                        FormatOps.WrapOrNull(assembly));
                }
                else
                {
                    error = "invalid certificate";
                }
            }

            return(ReturnCode.Error);
        }

Esempio n. 24

0

Mostra file

File: X509ChainTest.cs Progetto: pmq20/mono_forked

        public void StaticCreation()
        {
            X509Chain c = X509Chain.Create();

            CheckDefaultChain(c);
        }

Esempio n. 25

0

Mostra file

File: SslDiagDialog.cs Progetto: ahweb/JexusManager

        public SslDiagDialog(IServiceProvider provider, ServerManager server)
            : base(provider)
        {
            InitializeComponent();

            // from https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.ikya100/sigalg.htm
            var wellKnownSignatureAlgorithms = new Dictionary <string, bool>
            {
                { "1.2.840.113549.1.1.5", false }, // sha1RSA, not secure
                { "1.2.840.113549.1.1.14", true }, // sha224RSA, secure
                { "1.2.840.113549.1.1.11", true }, // sha256RSA, secure
                { "1.2.840.113549.1.1.12", true }, // sha384RSA, secure
                { "1.2.840.113549.1.1.13", true }, // sha512RSA, secure
                { "1.2.840.10040.4.3", false },    // sha1DSA, not secure
                { "1.2.840.10045.4.1", false },    // sha1ECDSA, not secure
                { "1.2.840.10045.4.3.1", true },   // sha224ECDSA, secure
                { "1.2.840.10045.4.3.2", true },   // sha256ECDSA, secure
                { "1.2.840.10045.4.3.3", true },   // sha384ECDSA, secure
                { "1.2.840.10045.4.3.4", true },   // sha512ECDSA, secure
            };

            var container = new CompositeDisposable();

            FormClosed += (sender, args) => container.Dispose();

            container.Add(
                Observable.FromEventPattern <EventArgs>(btnGenerate, "Click")
                .ObserveOn(System.Threading.SynchronizationContext.Current)
                .Subscribe(evt =>
            {
                txtResult.Clear();
                try
                {
                    Warn("IMPORTANT: This report might contain confidential information. Mask such before sharing to others.");
                    Warn("-----");

                    Debug($"System Time: {DateTime.Now}");
                    Debug($"Processor Architecture: {Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE")}");
                    Debug($"OS: {Environment.OSVersion}");
                    Debug($"Server Type: {server.Mode.AsString(EnumFormat.Description)}");
                    Debug(string.Empty);
                    Debug($"SERVER SSL PROTOCOLS{Environment.NewLine}");
                    bool ssl10Enabled = GetProtocol("PCT 1.0");
                    Debug($"PCT 1.0: {ssl10Enabled}");
                    if (ssl10Enabled)
                    {
                        Warn("PCT 1.0 is not secure. Please disable it.");
                    }

                    bool ssl20Enabled = GetProtocol("SSL 2.0");
                    Debug($"SSL 2.0: {ssl20Enabled}");
                    if (ssl20Enabled)
                    {
                        Warn("SSL 2.0 is not secure. Please disable it.");
                    }

                    bool ssl30Enabled = GetProtocol("SSL 3.0");
                    Debug($"SSL 3.0: {ssl30Enabled}");
                    if (ssl30Enabled)
                    {
                        Warn("SSL 3.0 is not secure. Please disable it.");
                    }

                    Debug($"TLS 1.0: {GetProtocol("TLS 1.0")}");
                    Debug($"TLS 1.1: {GetProtocol("TLS 1.1")}");
                    Debug($"TLS 1.2: {GetProtocol("TLS 1.2")}");
                    Debug($"SChannel EventLogging: {GetEventLogging()} (hex)");
                    Warn($"To tune TLS related settings, try out IIS Crypto from https://www.nartac.com/Products/IISCrypto/.");
                    Debug("-----");

                    foreach (Site site in server.Sites)
                    {
                        Debug($"[W3SVC/{site.Id}]");
                        Debug($"ServerComment  : {site.Name}");
                        Debug($"ServerAutoStart: {site.ServerAutoStart}");
                        Debug($"ServerState    : {site.State}");
                        Debug(string.Empty);
                        foreach (Binding binding in site.Bindings)
                        {
                            Info($"BINDING: {binding.Protocol} {binding}");
                            if (binding.Protocol == "https")
                            {
                                if (binding.CertificateHash == null)
                                {
                                    // SNI mapping missing.
                                    Debug($"SSL Flags: {binding.SslFlags}");
                                    if (binding.SslFlags == SslFlags.Sni)
                                    {
                                        Error(
                                            $"Cannot find {binding.Host}:{binding.EndPoint.Port} combination for this SNI binding.");
                                    }
                                    else
                                    {
                                        var querySslCertificateInfo = Microsoft.Web.Administration.NativeMethods.QuerySslCertificateInfo(
                                            binding.EndPoint);
                                        Error(
                                            querySslCertificateInfo == null
                                                    ? $"Cannot find {binding.EndPoint} combination for this IP based binding."
                                                    : $"Cannot find certificate with thumpprint {querySslCertificateInfo.Hash} in store {querySslCertificateInfo.StoreName}.");
                                    }

                                    Debug(string.Empty);
                                    continue;
                                }

                                var hashString = Hex.ToHexString(binding.CertificateHash);
                                Debug($"SSLCertHash: {hashString}");
                                if (site.Server.SupportsSni)
                                {
                                    Debug($"SSL Flags: {binding.SslFlags}");
                                }

                                Debug("Testing EndPoint: 127.0.0.1");

                                var personal = new X509Store(binding.CertificateStoreName, StoreLocation.LocalMachine);
                                try
                                {
                                    personal.Open(OpenFlags.MaxAllowed);
                                    var selectedItem = personal.Certificates.Find(X509FindType.FindByThumbprint, hashString, false);
                                    if (selectedItem.Count == 0)
                                    {
                                        Error($"Cannot find certificate with thumbprint {hashString} in store {binding.CertificateStoreName}.");
                                    }
                                    else
                                    {
                                        var cert = selectedItem[0];
                                        Debug($"#CertName: {cert.FriendlyName}");
                                        Debug($"#Version: {cert.Version}");
                                        if (cert.HasPrivateKey)
                                        {
                                            if (PublicNativeMethods.IsProcessElevated)
                                            {
                                                var newHandle     = IntPtr.Zero;
                                                int newCount      = 0;
                                                var shouldRelease = false;
                                                if (NativeMethods.CryptAcquireCertificatePrivateKey(
                                                        cert.Handle, 0, IntPtr.Zero, ref newHandle, ref newCount,
                                                        ref shouldRelease))
                                                {
                                                    Debug(
                                                        "#You have a private key that corresponds to this certificate.");
                                                }
                                                else
                                                {
                                                    Error("#You have a private key that corresponds to this certificate but CryptAcquireCertificatePrivateKey failed.");
                                                    Rollbar.RollbarLocator.RollbarInstance.Error(
                                                        "CryptAcquireCertificatePrivateKey failed");
                                                }

                                                if (shouldRelease)
                                                {
                                                    NativeMethods.CloseHandle(newHandle);
                                                }
                                            }
                                            else
                                            {
                                                Warn("It seems that you have a private key that corresponds to this certificate. Please run Jexus Manager as administrator and SSL Diag can report in more details.");
                                            }
                                        }
                                        else
                                        {
                                            Error(
                                                "#You don't have a private key that corresponds to this certificate.");
                                        }

                                        var key = cert.PublicKey.Key;
                                        var signatureAlgorithm = cert.SignatureAlgorithm;
                                        Debug($"#Signature Algorithm: {signatureAlgorithm.FriendlyName}");
                                        if (wellKnownSignatureAlgorithms.ContainsKey(signatureAlgorithm.Value))
                                        {
                                            if (!wellKnownSignatureAlgorithms[signatureAlgorithm.Value])
                                            {
                                                Warn("Modern web browsers require signature algorithm to be secure. This signature algorithm is not secure, and might trigger warnings and/or errors.");
                                            }
                                        }
                                        else
                                        {
                                            Warn("This certificate uses a not-well-known signature algorithm, which might not be supported by all web browsers and servers.");
                                        }

                                        Debug($"#Key Exchange Algorithm: {key.KeyExchangeAlgorithm} Key Size: {key.KeySize}");
                                        Debug($"#Subject: {cert.Subject}");
                                        Debug($"#Issuer: {cert.Issuer}");
                                        Debug($"#Validity: From {cert.NotBefore:G} To {cert.NotAfter:G}");
                                        var now = DateTime.UtcNow;
                                        if (now < cert.NotBefore)
                                        {
                                            Warn("This certificate is not yet valid.");
                                        }

                                        if (cert.NotAfter < now)
                                        {
                                            Error("This certificate is already expired.");
                                        }

                                        Debug($"#Serial Number: {cert.SerialNumber}");
                                        Debug($"DS Mapper Usage: {(binding.UseDsMapper ? "Enabled" : "Disabled")}");
                                        Debug($"Archived: {cert.Archived}");

                                        var hasSAN = false;
                                        foreach (var extension in cert.Extensions)
                                        {
                                            if (extension.Oid.Value == "2.5.29.15")
                                            {
                                                Debug($"#Key Usage: {((X509KeyUsageExtension)extension).KeyUsages}");
                                                continue;
                                            }

                                            if (extension.Oid.Value == "2.5.29.37")
                                            {
                                                var usages           = ((X509EnhancedKeyUsageExtension)extension).EnhancedKeyUsages;
                                                var enhancedKeyUsage = usages.Cast <Oid>().Select(usage => $"{usage.FriendlyName} ({usage.Value})")
                                                                       .Combine(",");

                                                Debug($"#Enhanced Key Usage: {enhancedKeyUsage}");
                                                continue;
                                            }

                                            if (extension.Oid.Value == "2.5.29.17")
                                            {
                                                var name = extension.Format(true).TrimEnd();
                                                Debug($"#Subject Alternative Name: {name}");
                                                hasSAN = true;
                                                continue;
                                            }

                                            if (extension.Oid.FriendlyName == "Basic Constraints")
                                            {
                                                var ext = (X509BasicConstraintsExtension)extension;
                                                Debug(
                                                    $"#Basic Constraints: Subject Type={(ext.CertificateAuthority ? "CA" : "End Entity")}, Path Length Constraint={(ext.HasPathLengthConstraint ? ext.PathLengthConstraint.ToString() : "None")}");
                                            }
                                        }

                                        if (!hasSAN)
                                        {
                                            Warn("Modern web browsers require Subject Alternative Name extension to present. This certificate does not have SAN extension, so might trigger warnings and/or errors.");
                                        }

                                        X509Chain chain   = X509Chain.Create();
                                        chain.ChainPolicy = new X509ChainPolicy
                                        {
                                            RevocationMode = X509RevocationMode.Online
                                        };
                                        bool valid = chain.Build(cert);
                                        if (valid)
                                        {
                                            Debug("Certificate verified.");
                                        }
                                        else
                                        {
                                            Error("Certificate validation failed.");
                                        }

                                        foreach (var item in chain.ChainStatus)
                                        {
                                            Warn(item.StatusInformation);
                                        }
                                    }

                                    personal.Close();
                                }
                                catch (CryptographicException ex)
                                {
                                    Error($"Problems detected on certificate store {binding.CertificateStoreName}.");
                                    if (ex.HResult != Microsoft.Web.Administration.NativeMethods.NonExistingStore)
                                    {
                                        throw;
                                    }

                                    Error($"Invalid certificate store {binding.CertificateStoreName}.");
                                }
                            }

                            Debug(string.Empty);
                        }
                    }
                }
                catch (CryptographicException ex)
                {
                    Debug(ex.ToString());
                    Rollbar.RollbarLocator.RollbarInstance.Error(ex, custom: new Dictionary <string, object> {
                        { "hResult", ex.HResult }
                    });
                }
                catch (Exception ex)
                {
                    Debug(ex.ToString());
                    Rollbar.RollbarLocator.RollbarInstance.Error(ex);
                }
            }));

            container.Add(
                Observable.FromEventPattern <EventArgs>(btnSave, "Click")
                .ObserveOn(System.Threading.SynchronizationContext.Current)
                .Subscribe(evt =>
            {
                var fileName = DialogHelper.ShowSaveFileDialog(null, "Text Files|*.txt|All Files|*.*", null);
                if (string.IsNullOrEmpty(fileName))
                {
                    return;
                }

                File.WriteAllText(fileName, txtResult.Text);
            }));

            container.Add(
                Observable.FromEventPattern <EventArgs>(btnVerify, "Click")
                .ObserveOn(System.Threading.SynchronizationContext.Current)
                .Subscribe(evt =>
            {
                txtResult.Clear();
            }));
        }

Esempio n. 26

0

Mostra file

File: WebSocketWrapper.cs Progetto: arrestle/couchbase-lite-net

        private bool ValidateServerCert(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            if (certificate is X509Certificate2 c2)
            {
                PeerCertificateReceived?.Invoke(this, new TlsCertificateReceivedEventArgs(c2));
            }

            if (_options.PinnedServerCertificate != null)
            {
                var retVal = certificate.Equals(_options.PinnedServerCertificate);
                if (!retVal)
                {
                    WriteLog.To.Sync.W(Tag, "Server certificate did not match the pinned one!");
                    _validationException = new TlsCertificateException("The certificate does not match the pinned certificate",
                                                                       C4NetworkErrorCode.TLSCertUnknownRoot, X509ChainStatusFlags.ExplicitDistrust);
                }

                return(retVal);
            }

            // Mono doesn't pass chain information?
            if (chain?.ChainElements?.Count == 0 && certificate is X509Certificate2 cert2)
            {
                chain = X509Chain.Create();
                chain.Build(cert2);
            }

#if COUCHBASE_ENTERPRISE
            var onlySelfSigned = _options.AcceptOnlySelfSignedServerCertificate;
            #else
            var onlySelfSigned = false;
            #endif

            if (!onlySelfSigned && sslPolicyErrors != SslPolicyErrors.None)
            {
                WriteLog.To.Sync.W(Tag, $"Error validating TLS chain: {sslPolicyErrors}");
                if (chain.ChainElements != null)
                {
                    foreach (var element in chain.ChainElements)
                    {
                        if (element.ChainElementStatus != null)
                        {
                            foreach (var status in element.ChainElementStatus)
                            {
                                if (status.Status != X509ChainStatusFlags.NoError)
                                {
                                    WriteLog.To.Sync.V(Tag,
                                                       $"Error {status.Status} ({status.StatusInformation}) for certificate:{Environment.NewLine}{element.Certificate}");
                                    if (status.Status == X509ChainStatusFlags.UntrustedRoot)
                                    {
                                        _validationException = new TlsCertificateException("The certificate does not terminate in a trusted root CA.",
                                                                                           C4NetworkErrorCode.TLSCertUnknownRoot, X509ChainStatusFlags.UntrustedRoot);
                                        return(false);
                                    }
                                }
                            }
                        }
                    }
                }

                if (chain.ChainStatus != null)
                {
                    foreach (var status in chain.ChainStatus)
                    {
                        if (status.Status == X509ChainStatusFlags.PartialChain)
                        {
                            _validationException = new TlsCertificateException("The certificate does not terminate in a trusted root CA.",
                                                                               C4NetworkErrorCode.TLSCertUnknownRoot, X509ChainStatusFlags.PartialChain);
                            return(false);
                        }
                    }
                }
            }
            else if (onlySelfSigned)
            {
                if (chain.ChainElements.Count != 1)
                {
                    _validationException = new TlsCertificateException("A non self-signed certificate was received in self-signed mode.",
                                                                       C4NetworkErrorCode.TLSCertUnknownRoot, X509ChainStatusFlags.ExplicitDistrust);
                    return(false);
                }

                if (chain.ChainStatus[0].Status != X509ChainStatusFlags.UntrustedRoot &&
                    chain.ChainStatus[0].Status != X509ChainStatusFlags.PartialChain &&
                    chain.ChainStatus[0].Status != X509ChainStatusFlags.NoError)
                {
                    _validationException = new TlsCertificateException("Certificate verification failed",
                                                                       C4NetworkErrorCode.TLSCertUnknownRoot, chain.ChainStatus[0].Status);
                    return(false);
                }

                if (chain.ChainElements[0].Certificate.IssuerName.Name
                    != chain.ChainElements[0].Certificate.SubjectName.Name)
                {
                    _validationException = new TlsCertificateException("A non self-signed certificate was received in self-signed mode.",
                                                                       C4NetworkErrorCode.TLSCertUnknownRoot, X509ChainStatusFlags.ExplicitDistrust);
                    return(false);
                }

                return(true);
            }

            if (sslPolicyErrors == SslPolicyErrors.None)
            {
                return(true);
            }

            _validationException = new TlsCertificateException("Certificate verification failed",
                                                               C4NetworkErrorCode.TLSCertUntrusted, sslPolicyErrors);
            return(false);
        }

Esempio n. 27

0

Mostra file

        async Task RequestAsync(int id)
        {
            var handler = new HttpClientHandler();

            handler.ClientCertificateOptions = ClientCertificateOption.Manual;
            //handler.SslProtocols = SslProtocols.Tls12;
            if (!string.IsNullOrEmpty(_configuration["SSLCertThmbprint"]))
            {
                //Perfome SSL Pinning. It is required to get SHA1 thumbprint of the SSL Server Certificate
                //and put it in the appSettings
                //Maybe the Key Identifier should be used. But the first version we should simply use SHA1 thumbprint.
                handler.ServerCertificateCustomValidationCallback = (sender, cert, chain, error) =>
                {
                    var fixedSID = _configuration["SSLCertThmbprint"];
                    var ch       = X509Chain.Create();
                    ch.ChainPolicy = new X509ChainPolicy
                    {
                        RevocationFlag = X509RevocationFlag.EndCertificateOnly,
                        RevocationMode = X509RevocationMode.NoCheck
                    };

                    //It is required to build the certificate chain upto the TRUSTED ROOT located in
                    //TRUST ROOT Certficate Store
                    if (ch.Build(cert as X509Certificate2))
                    {
                        foreach (var s in ch.ChainStatus)
                        {
                            if (s.Status != X509ChainStatusFlags.NoError)
                            {
                                return(false);
                            }
                        }
                    }
                    else
                    {
                        return(false);
                    }

                    //And finally compare the thumbprints.
                    var    cert2    = cert as X509Certificate2;
                    string sidValue = cert2.Thumbprint.ToLower();

                    if (string.IsNullOrEmpty(sidValue))
                    {
                        sidValue = BitConverter.ToString(
                            (new SHA1Managed()).ComputeHash(cert2.GetPublicKey())).Replace("-", string.Empty).ToLower();
                    }

                    if (string.IsNullOrEmpty(sidValue))
                    {
                        return(false);
                    }

                    if (sidValue == fixedSID)
                    {
                        return(true);
                    }
                    return(false);
                };
            }

            //Loading the client certificate to setup SSL Client Authentication.
            var clientCertFile    = _configuration["SSLClientCert"];
            var clientCertFilePwd = _configuration["SSLClientCertPwd"];
            var clientCert        = new X509Certificate2(clientCertFile, clientCertFilePwd);

            handler.ClientCertificates.Add(clientCert);

            var client      = new HttpClient(handler);
            var url         = _apiUrl + id;
            var outgoing    = new Uri(url);
            var httpRequest = new HttpRequestMessage(HttpMethod.Get, outgoing);
            var response    = await client.SendAsync(httpRequest).ConfigureAwait(false);

            _statusCode = response.StatusCode;
            _rawMessage = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
        }

Esempio n. 28

0

Mostra file

        public SslDiagDialog(IServiceProvider provider, ServerManager server)
            : base(provider)
        {
            InitializeComponent();

            var container = new CompositeDisposable();

            FormClosed += (sender, args) => container.Dispose();

            container.Add(
                Observable.FromEventPattern <EventArgs>(btnGenerate, "Click")
                .ObserveOn(System.Threading.SynchronizationContext.Current)
                .Subscribe(evt =>
            {
                txtResult.Clear();
                try
                {
                    Debug($"System Time: {DateTime.Now}");
                    Debug($"Processor Architecture: {Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE")}");
                    Debug($"OS: {Environment.OSVersion}");
                    Debug($"{server.Type}");
                    Debug(Environment.NewLine);
                    Debug($"SERVER SSL PROTOCOLS{Environment.NewLine}");
                    Debug($"PCT 1.0: {GetProtocol("PCT 1.0")}");
                    Debug($"SSL 2.0: {GetProtocol("SSL 2.0")}");
                    Debug($"SSL 3.0: {GetProtocol("SSL 3.0")}");
                    Debug($"TLS 1.0: {GetProtocol("TLS 1.0")}");
                    Debug($"TLS 1.1: {GetProtocol("TLS 1.1")}");
                    Debug($"TLS 1.2: {GetProtocol("TLS 1.2")}");

                    Debug($"SChannel EventLogging: {GetEventLogging()} (hex)");
                    Debug("-----");

                    foreach (Site site in server.Sites)
                    {
                        Debug($"[W3SVC/{site.Id}]");
                        Debug($"ServerComment  : {site.Name}");
                        Debug($"ServerAutoStart: {site.ServerAutoStart}");
                        Debug($"ServerState    : {site.State}");
                        Debug(string.Empty);
                        foreach (Binding binding in site.Bindings)
                        {
                            Info($"BINDING: {binding.Protocol} {binding}");
                            if (binding.Protocol == "https")
                            {
                                if (binding.CertificateHash == null)
                                {
                                    // SNI mapping missing.
                                    Debug($"SSL Flags: {binding.SslFlags}");
                                    if (binding.SslFlags == SslFlags.Sni)
                                    {
                                        Error(
                                            $"Cannot find {binding.Host}:{binding.EndPoint.Port} combination for this binding.");
                                    }
                                    else
                                    {
                                        var querySslCertificateInfo = Microsoft.Web.Administration.NativeMethods.QuerySslCertificateInfo(
                                            binding.EndPoint);
                                        Error(
                                            querySslCertificateInfo == null
                                                    ? $"Cannot find {binding.EndPoint} combination for this binding."
                                                    : $"Cannot find certificate with thumpprint {querySslCertificateInfo.Hash} in store {querySslCertificateInfo.StoreName}.");
                                    }

                                    Debug(string.Empty);
                                    continue;
                                }

                                var hashString = Hex.ToHexString(binding.CertificateHash);
                                Debug($"SSLCertHash: {hashString}");
                                if (site.Server.SupportsSni)
                                {
                                    Debug($"SSL Flags: {binding.SslFlags}");
                                }

                                Debug("Testing EndPoint: 127.0.0.1");

                                var personal = new X509Store(binding.CertificateStoreName, StoreLocation.LocalMachine);
                                try
                                {
                                    personal.Open(OpenFlags.MaxAllowed);
                                    var selectedItem = personal.Certificates.Find(X509FindType.FindByThumbprint, hashString, false);
                                    if (selectedItem.Count == 0)
                                    {
                                        Error($"Cannot find certificate with thumbprint {hashString} in store {binding.CertificateStoreName}.");
                                    }
                                    else
                                    {
                                        var cert = selectedItem[0];
                                        Debug($"#CertName: {cert.FriendlyName}");
                                        Debug($"#Version: {cert.Version}");
                                        if (cert.HasPrivateKey)
                                        {
                                            var newHandle     = IntPtr.Zero;
                                            int newCount      = 0;
                                            var shouldRelease = false;
                                            if (NativeMethods.CryptAcquireCertificatePrivateKey(
                                                    cert.Handle, 0, IntPtr.Zero, ref newHandle, ref newCount,
                                                    ref shouldRelease))
                                            {
                                                Debug(
                                                    "#You have a private key that corresponds to this certificate.");
                                            }
                                            else
                                            {
                                                Error("#You have a private key that corresponds to this certificate but CryptAcquireCertificatePrivateKey failed.");
                                                RollbarDotNet.Rollbar.Report(
                                                    "CryptAcquireCertificatePrivateKey failed");
                                            }

                                            if (shouldRelease)
                                            {
                                                NativeMethods.CloseHandle(newHandle);
                                            }
                                        }
                                        else
                                        {
                                            Error(
                                                "#You don't have a private key that corresponds to this certificate.");
                                        }

                                        var key = cert.PublicKey.Key;
                                        Debug($"#Signature Algorithm: {cert.SignatureAlgorithm.FriendlyName}");
                                        Debug($"#Key Exchange Algorithm: {key.KeyExchangeAlgorithm} Key Size: {key.KeySize}");
                                        Debug($"#Subject: {cert.Subject}");
                                        Debug($"#Issuer: {cert.Issuer}");
                                        Debug($"#Validity: From {cert.NotBefore:G} To {cert.NotAfter:G}");
                                        Debug($"#Serial Number: {cert.SerialNumber}");
                                        Debug($"DS Mapper Usage: {(binding.UseDsMapper ? "Enabled" : "Disabled")}");
                                        Debug($"Archived: {cert.Archived}");

                                        foreach (var extension in cert.Extensions)
                                        {
                                            if (extension.Oid.FriendlyName == "Key Usage")
                                            {
                                                Debug($"#Key Usage: {((X509KeyUsageExtension)extension).KeyUsages}");
                                                continue;
                                            }

                                            if (extension.Oid.FriendlyName == "Enhanced Key Usage")
                                            {
                                                var usages           = ((X509EnhancedKeyUsageExtension)extension).EnhancedKeyUsages;
                                                var enhancedKeyUsage = usages.Cast <Oid>().Select(usage => $"{usage.FriendlyName} ({usage.Value})")
                                                                       .Combine(",");

                                                Debug($"#Enhanced Key Usage: {enhancedKeyUsage}");
                                                continue;
                                            }

                                            if (extension.Oid.FriendlyName == "Basic Constraints")
                                            {
                                                var ext = (X509BasicConstraintsExtension)extension;
                                                Debug(
                                                    $"#Basic Constraints: Subject Type={(ext.CertificateAuthority ? "CA" : "End Entity")}, Path Length Constraint={(ext.HasPathLengthConstraint ? ext.PathLengthConstraint.ToString() : "None")}");
                                            }
                                        }

                                        X509Chain chain   = X509Chain.Create();
                                        chain.ChainPolicy = new X509ChainPolicy
                                        {
                                            RevocationMode = X509RevocationMode.Online
                                        };
                                        bool valid = chain.Build(cert);
                                        if (valid)
                                        {
                                            Debug("Certificate verified.");
                                        }
                                        else
                                        {
                                            Error("Certificate validation failed.");
                                        }

                                        foreach (var item in chain.ChainStatus)
                                        {
                                            Warn(item.StatusInformation);
                                        }
                                    }

                                    personal.Close();
                                }
                                catch (CryptographicException ex)
                                {
                                    if (ex.HResult != Microsoft.Web.Administration.NativeMethods.NonExistingStore)
                                    {
                                        throw;
                                    }

                                    Error($"Invalid certificate store {binding.CertificateStoreName}.");
                                }
                            }

                            Debug(string.Empty);
                        }
                    }
                }
                catch (CryptographicException ex)
                {
                    Debug(ex.ToString());
                    RollbarDotNet.Rollbar.Report(ex, custom: new Dictionary <string, object> {
                        { "hResult", ex.HResult }
                    });
                }
                catch (Exception ex)
                {
                    Debug(ex.ToString());
                    RollbarDotNet.Rollbar.Report(ex);
                }
            }));

            container.Add(
                Observable.FromEventPattern <EventArgs>(btnSave, "Click")
                .ObserveOn(System.Threading.SynchronizationContext.Current)
                .Subscribe(evt =>
            {
                var fileName = DialogHelper.ShowSaveFileDialog(null, "Text Files|*.txt|All Files|*.*");
                if (string.IsNullOrEmpty(fileName))
                {
                    return;
                }

                File.WriteAllText(fileName, txtResult.Text);
            }));

            container.Add(
                Observable.FromEventPattern <EventArgs>(btnVerify, "Click")
                .ObserveOn(System.Threading.SynchronizationContext.Current)
                .Subscribe(evt =>
            {
                txtResult.Clear();
            }));
        }

Esempio n. 29

0

Mostra file

        private void BtnGenerateClick(object sender, System.EventArgs e)
        {
            txtResult.Clear();
            Debug(string.Format("System Time: {0}", DateTime.Now));
            Debug(string.Format("Processor Architecture: {0}", Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE")));
            Debug(string.Format("OS: {0}", Environment.OSVersion));
            Debug(string.Format("{0}", _server.Type));
            Debug(Environment.NewLine);
            Debug(string.Format("SERVER SSL PROTOCOLS{0}", Environment.NewLine));
            Debug(string.Format("PCT 1.0: {0}", GetProtocol("PCT 1.0")));
            Debug(string.Format("SSL 2.0: {0}", GetProtocol("SSL 2.0")));
            Debug(string.Format("SSL 3.0: {0}", GetProtocol("SSL 3.0")));
            Debug(string.Format("TLS 1.0: {0}", GetProtocol("TLS 1.0")));
            Debug(string.Format("TLS 1.1: {0}", GetProtocol("TLS 1.1")));
            Debug(string.Format("TLS 1.2: {0}", GetProtocol("TLS 1.2")));

            Debug(string.Format("SChannel EventLogging: {0} (hex)", GetEventLogging()));
            Debug("-----");

            foreach (Site site in _server.Sites)
            {
                Debug(string.Format("[W3SVC/{0}]", site.Id));
                Debug(string.Format("ServerComment  : {0}", site.Name));
                Debug(string.Format("ServerAutoStart: {0}", site.ServerAutoStart));
                Debug(string.Format("ServerState    : {0}", site.State));
                Debug(string.Empty);
                foreach (Binding binding in site.Bindings)
                {
                    Info(string.Format("BINDING: {0} {1}", binding.Protocol, binding));
                    if (binding.Protocol == "https")
                    {
                        var hashString = Hex.ToHexString(binding.CertificateHash);
                        Debug(string.Format("SSLCertHash: {0}", hashString));
                        Debug(string.Format("SSL Flags: {0}", binding.SslFlags));
                        Debug("Testing EndPoint: 127.0.0.1");

                        var personal = new X509Store(binding.CertificateStoreName, StoreLocation.LocalMachine);
                        personal.Open(OpenFlags.MaxAllowed);
                        var selectedItem = personal.Certificates.Find(X509FindType.FindByThumbprint, hashString, false);
                        var cert         = selectedItem[0];
                        Debug(string.Format("#CertName: {0}", cert.FriendlyName));
                        Debug(string.Format("#Version: {0}", cert.Version));
                        if (cert.HasPrivateKey)
                        {
                            Debug("#You have a private key that corresponds to this certificate.");
                        }
                        else
                        {
                            Error("#You don't have a private key that corresponds to this certificate.");
                        }

                        var key = cert.PublicKey.Key;
                        Debug(string.Format("#Signature Algorithm: {0}", cert.SignatureAlgorithm.FriendlyName));
                        Debug(string.Format("#Key Exchange Algorithm: {0} Key Size: {1}", key.KeyExchangeAlgorithm, key.KeySize));
                        Debug(string.Format("#Subject: {0}", cert.Subject));
                        Debug(string.Format("#Issuer: {0}", cert.Issuer));
                        Debug(string.Format("#Validity: From {0} To {1}", cert.NotBefore.ToString("U"), cert.NotAfter.ToString("U")));
                        Debug(string.Format("#Serial Number: {0}", cert.SerialNumber));
                        Debug(string.Format("DS Mapper Usage: {0}", binding.UseDsMapper ? "Enabled" : "Disabled"));
                        Debug(string.Format("Archived: {0}", cert.Archived));

                        foreach (var extension in cert.Extensions)
                        {
                            if (extension.Oid.FriendlyName == "Key Usage")
                            {
                                Debug(string.Format("#Key Usage: {0}", ((X509KeyUsageExtension)extension).KeyUsages));
                                continue;
                            }

                            if (extension.Oid.FriendlyName == "Enhanced Key Usage")
                            {
                                var enhancedKeyUsage = new StringBuilder();
                                var usages           = ((X509EnhancedKeyUsageExtension)extension).EnhancedKeyUsages;
                                foreach (var usage in usages)
                                {
                                    enhancedKeyUsage.AppendFormat("{0} ({1}), ", usage.FriendlyName, usage.Value);
                                }

                                if (enhancedKeyUsage.Length > 0)
                                {
                                    enhancedKeyUsage.Length -= 2;
                                }

                                Debug(string.Format("#Enhanced Key Usage: {0}", enhancedKeyUsage));
                                continue;
                            }

                            if (extension.Oid.FriendlyName == "Basic Constraints")
                            {
                                var ext = (X509BasicConstraintsExtension)extension;
                                Debug(
                                    string.Format(
                                        "#Basic Constraints: Subject Type={0}, Path Length Constraint={1}",
                                        ext.CertificateAuthority ? "CA" : "End Entity",
                                        ext.HasPathLengthConstraint ? ext.PathLengthConstraint.ToString() : "None"));
                                continue;
                            }
                        }

                        X509Chain       chain  = X509Chain.Create();
                        X509ChainPolicy policy = new X509ChainPolicy();
                        policy.RevocationMode = X509RevocationMode.NoCheck;
                        chain.ChainPolicy     = policy;
                        bool valid = chain.Build(cert);
                        if (valid)
                        {
                            Debug("Certificate verified.");
                        }
                        else
                        {
                            Error("Certificate valication failed.");
                        }

                        foreach (var item in chain.ChainStatus)
                        {
                            Warn(item.StatusInformation);
                        }

                        personal.Close();
                    }

                    Debug(string.Empty);
                }
            }
        }

Esempi in C# (CSharp) per X509Chain.Create