/// <summary>
/// Validates that the certificate thumbprints in the signing chain match at least one whitelisted thumbprint.
/// </summary>
/// <param name="sender">An object that contains state information for this validation.</param>
/// <param name="certificate">The certificate used to authenticate the remote party.</param>
/// <param name="chain">The chain of certificate authorities associated with the remote certificate.</param>
/// <param name="sslPolicyErrors">One or more errors associated with the remote certificate.</param>
/// <returns>A Boolean value that determines whether the specified certificate is accepted for authentication.</returns>
public bool Validate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors != SslPolicyErrors.None)
{
return false;
}
if (chain == null)
{
throw new ArgumentNullException("chain");
}
if (chain.ChainElements.Count < 2)
{
// Self signed.
return false;
}
foreach (var chainElement in chain.ChainElements)
{
string thumbprintToCheck = chainElement.Certificate.Thumbprint;
if (thumbprintToCheck == null)
{
continue;
}
if (_validCertificateThumbprints.Contains(thumbprintToCheck))
{
return true;
}
}
return false;
}
public bool ValidateServerCertficate (object sender, X509Certificate receivedCertificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
bool validRequest = true;
// var enumerator = chain.ChainPolicy.ExtraStore.GetEnumerator();
//
// while (enumerator.MoveNext ()) {
// var pem = ExportToPEM (loop.Current);
// }
//
if (receivedCertificate.Subject.IndexOf (".xamarin.com", 0, StringComparison.CurrentCultureIgnoreCase) == -1) { //not a request to an Xamarin server so verify certificate
//This is not an https request for Xamarin Insights
if (originalRootCertificate == null) {
validRequest = false;
} else {
//check if certificate chain contains original root certificate
validRequest = chain.ChainPolicy.ExtraStore.Contains (originalRootCertificate);
}
}
if (!validRequest) {
EventHandler handler = CertificateMismatchFound;
if (handler != null) {
handler (this, null);
}
}
return validRequest;
}
private long maxPacket = 524288;//512 kb
public override void Configure(IDictionary<string, string> properties)
{
try
{
if (properties.ContainsKey("bindPort"))
{
bindEndPoint = new IPEndPoint(IPAddress.Any, int.Parse(properties["bindPort"]));
}
if (properties.ContainsKey("certificate"))
{
if (File.Exists(properties["certificate"]))
{
try
{
certificate = X509Certificate.CreateFromCertFile(properties["certificate"]);
}
catch { }
}
}
if (properties.ContainsKey("maxpacket"))
long.TryParse(properties["maxpacket"], out maxPacket);
log.InfoFormat("Configure listener '{0}' on {1}", Name, bindEndPoint);
}
catch (Exception e)
{
log.ErrorFormat("Error configure listener '{0}': {1}", Name, e);
throw;
}
}
/// <summary>
/// Initializes a new instance of the <see cref="HttpListenerBase"/> class.
/// </summary>
/// <param name="address">IP Address to accept connections on</param>
/// <param name="port">TCP Port to listen on, default HTTPS port is 443</param>
/// <param name="factory">Factory used to create <see cref="IHttpClientContext"/>es.</param>
/// <param name="certificate">Certificate to use</param>
protected HttpListenerBase(IPAddress address, int port, IHttpContextFactory factory, X509Certificate certificate)
: this(address, port, factory)
{
Check.Require(certificate, "certificate");
_certificate = certificate;
}
public static bool ServerCertificateValidationCallback(
Object obj,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors errors)
{
bool result = false;
HttpWebRequest request = obj as HttpWebRequest;
if (request != null)
{
// Check for allowed UserAgent
lock (CertificateValidationHelper.uaLock)
{
if (CertificateValidationHelper.allowedUserAgents.Contains(request.UserAgent))
{
result = true;
}
}
// Check for allowed Url
lock (CertificateValidationHelper.urlLock)
{
if (CertificateValidationHelper.allowedUrls.Contains(request.RequestUri))
{
result = true;
}
}
}
return result;
}
public SafeFreeCredentials(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy)
: base(IntPtr.Zero, true)
{
Debug.Assert(
certificate == null || certificate is X509Certificate2,
"Only X509Certificate2 certificates are supported at this time");
X509Certificate2 cert = (X509Certificate2)certificate;
if (cert != null)
{
Debug.Assert(cert.HasPrivateKey, "cert.HasPrivateKey");
using (RSAOpenSsl rsa = (RSAOpenSsl)cert.GetRSAPrivateKey())
{
if (rsa != null)
{
_certKeyHandle = rsa.DuplicateKeyHandle();
Interop.libcrypto.CheckValidOpenSslHandle(_certKeyHandle);
}
}
// TODO (3390): Add support for ECDSA.
Debug.Assert(_certKeyHandle != null, "Failed to extract a private key handle");
_certHandle = Interop.libcrypto.X509_dup(cert.Handle);
Interop.libcrypto.CheckValidOpenSslHandle(_certHandle);
}
_protocols = protocols;
_policy = policy;
}
public ApplePushChannel(ApplePushChannelSettings channelSettings)
{
cancelToken = cancelTokenSrc.Token;
appleSettings = channelSettings;
certificate = this.appleSettings.Certificate;
certificates = new X509CertificateCollection();
if (appleSettings.AddLocalAndMachineCertificateStores)
{
var store = new X509Store(StoreLocation.LocalMachine);
certificates.AddRange(store.Certificates);
store = new X509Store(StoreLocation.CurrentUser);
certificates.AddRange(store.Certificates);
}
certificates.Add(certificate);
if (this.appleSettings.AdditionalCertificates != null)
foreach (var addlCert in this.appleSettings.AdditionalCertificates)
certificates.Add(addlCert);
timerCleanup = new Timer(state => Cleanup(), null, TimeSpan.FromMilliseconds(1000), TimeSpan.FromMilliseconds(1000));
}
// ICertificatePolicy
public bool CheckValidationResult(ServicePoint sp, X509Certificate cert, WebRequest request, int problem) {
if (problem == 0) {
// Check whether we have accumulated any problems so far:
ArrayList problemArray = (ArrayList) request2problems_[request];
if (problemArray == null) {
// No problems so far
return true;
}
string problemList = "";
foreach (uint problemCode in problemArray) {
string problemText = (string) problem2text_[problemCode];
if (problemText == null) {
problemText = "Unknown problem";
}
problemList += "* " + problemText + "\n\n";
}
request2problems_.Remove(request);
System.Console.WriteLine("There were one or more problems with the server certificate:\n\n" + problemList);
return true;
} else {
// Stash the problem in the problem array:
ArrayList problemArray = (ArrayList) request2problems_[request];
if (problemArray == null) {
problemArray = new ArrayList();
request2problems_[request] = problemArray;
}
problemArray.Add((uint) problem);
return true;
}
}
public NfeRetRecepcao2(string url, X509Certificate certificado, int timeOut)
{
SoapVersion = SoapProtocolVersion.Soap12;
Url = url;
Timeout = timeOut;
ClientCertificates.Add(certificado);
}
private static bool CertificateValidationCallBack(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == SslPolicyErrors.None)
{
return true;
}
if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0)
{
if (chain != null && chain.ChainStatus != null)
{
foreach (var status in chain.ChainStatus)
{
if ((certificate.Subject == certificate.Issuer) &&
(status.Status == X509ChainStatusFlags.UntrustedRoot))
{
continue;
}
else
{
if (status.Status != X509ChainStatusFlags.NoError)
{
return false;
}
}
}
}
return true;
}
else
{
return false;
}
}
public SslTransportHandler(ITransportLayerHandler next, X509Certificate serverCertificate)
{
_next = next;
_serverCertificate = serverCertificate;
_inputStream = new InputStream(this);
next.Callback = this;
}
public bool OnValidationCallback(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
{
if (errors.ToString() != "None")
{
MessageBox.Show("Please click yes on the next dialog box.\nThis will allow us to install the Net7 certificate.", "Certificate Install",
MessageBoxButtons.OK, MessageBoxIcon.Exclamation);
try
{
X509Store Certificate = new X509Store(StoreName.Root);
X509Certificate2 cert2 = new X509Certificate2(cert);
Certificate.Open(OpenFlags.ReadWrite);
// Add Certificate
Certificate.Add(cert2);
Certificate.Close();
}
catch (Exception e)
{
MessageBox.Show("Error installing certificate: " + e.ToString());
}
}
else
{
MessageBox.Show("Certificate is installed!");
}
// Remove this message
ServicePointManager.ServerCertificateValidationCallback = null;
return true;
}
public CipherSuiteSelector(X509Certificate cert)
{
KeyExchangeAlgorithm[] keyExchanges;
string algo_oid = cert.GetKeyAlgorithm ();
if (algo_oid == "1.2.840.10045.2.1") {
keyExchanges = new KeyExchangeAlgorithm[] {
KeyExchangeAlgorithm.DH_anon,
KeyExchangeAlgorithm.ECDH_anon,
KeyExchangeAlgorithm.ECDH_ECDSA,
KeyExchangeAlgorithm.ECDHE_ECDSA
};
} else if (algo_oid == "1.2.840.10040.4.1") {
keyExchanges = new KeyExchangeAlgorithm[] {
KeyExchangeAlgorithm.DH_anon,
KeyExchangeAlgorithm.DH_DSS,
KeyExchangeAlgorithm.DHE_DSS,
KeyExchangeAlgorithm.ECDH_anon
};
} else if (algo_oid == "1.2.840.113549.1.1.1") {
keyExchanges = new KeyExchangeAlgorithm[] {
KeyExchangeAlgorithm.DH_anon,
KeyExchangeAlgorithm.DH_RSA,
KeyExchangeAlgorithm.DHE_RSA,
KeyExchangeAlgorithm.ECDH_anon,
KeyExchangeAlgorithm.ECDH_RSA,
KeyExchangeAlgorithm.ECDHE_RSA,
KeyExchangeAlgorithm.RSA
};
} else {
throw new NotSupportedException ();
}
_supports = SupportedCipherSuites.FilterKeyExchange (keyExchanges);
}
private void processClient(TcpClient client)
{
X509Certificate certificate = new X509Certificate("..\\..\\..\\Certificate\\Certificate.pfx", "KTYy77216");
// SslStream; leaveInnerStreamOpen = false;
SslStream stream = new SslStream(client.GetStream(), false);
try
{
// clientCertificateRequired = false
// checkCertificateRevocation = true;
stream.AuthenticateAsServer(certificate, false, SslProtocols.Tls, true);
Console.WriteLine("Waiting for client message ...");
// Read a message from the client
string input = readMessage(stream);
Console.WriteLine("Received: {0}", input);
// Write a message to the client
byte[] message = Encoding.UTF8.GetBytes("Hello client, this is a message from the server :)<EOF>");
Console.WriteLine("Sending message to client ...");
stream.Write(message);
}
catch (Exception e)
{
Console.WriteLine(e);
stream.Close();
client.Close();
return;
}
finally
{
stream.Close();
client.Close();
}
}
bool RemoveCertValidate(object sender, X509Certificate cert,
X509Chain chain, System.Net.Security.SslPolicyErrors error)
{
if (currentPolicy.subjectName == subjectName)
return true;
return false;
}
/// <summary>
/// Verifies the remote Secure Sockets Layer (SSL) certificate used for authentication.
/// </summary>
/// <param name="sender">An object that contains state information for this validation.</param>
/// <param name="certificate">The certificate used to authenticate the remote party.</param>
/// <param name="chain">The chain of certificate authorities associated with the remote certificate.</param>
/// <param name="sslPolicyErrors">One or more errors associated with the remote certificate.</param>
/// <returns>A Boolean value that determines whether the specified certificate is accepted for authentication.</returns>
public bool Validate(object sender, X509Certificate certificate, [NotNull] X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors != SslPolicyErrors.None)
{
return false;
}
if (chain.ChainElements.Count < 2)
{
// Self signed.
return false;
}
foreach (var chainElement in chain.ChainElements)
{
string subjectKeyIdentifier = GetSubjectKeyIdentifier(chainElement.Certificate);
if (string.IsNullOrWhiteSpace(subjectKeyIdentifier))
{
continue;
}
if (_validSubjectKeyIdentifiers.Contains(subjectKeyIdentifier))
{
return true;
}
}
return false;
}
/// <summary>
/// Validates at least one SPKI hash is known.
/// </summary>
/// <param name="sender">An object that contains state information for this validation.</param>
/// <param name="certificate">The certificate used to authenticate the remote party.</param>
/// <param name="chain">The chain of certificate authorities associated with the remote certificate.</param>
/// <param name="sslPolicyErrors">One or more errors associated with the remote certificate.</param>
/// <returns>A Boolean value that determines whether the specified certificate is accepted for authentication.</returns>
public bool Validate(object sender, X509Certificate certificate, [NotNull] X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors != SslPolicyErrors.None)
{
return false;
}
if (chain.ChainElements.Count < 2)
{
return false;
}
using (HashAlgorithm algorithm = CreateHashAlgorithm())
{
foreach (var chainElement in chain.ChainElements)
{
X509Certificate2 chainedCertificate = chainElement.Certificate;
string base64Spki = Convert.ToBase64String(algorithm.ComputeHash(ExtractSpkiBlob(chainedCertificate)));
if (_validBase64EncodedSubjectPublicKeyInfoHashes.Contains(base64Spki))
{
return true;
}
}
}
return false;
}
public static bool ManuallyVerifyCA(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
Console.WriteLine("ManuallyVerifyCA");
bool isValid = false;
if (sslPolicyErrors == SslPolicyErrors.None) return true;
if (sslPolicyErrors == SslPolicyErrors.RemoteCertificateNameMismatch) return true;
if (sslPolicyErrors == SslPolicyErrors.RemoteCertificateChainErrors || (int)sslPolicyErrors == (int)SslPolicyErrors.RemoteCertificateNameMismatch + (int)SslPolicyErrors.RemoteCertificateChainErrors)
{
try
{
X509Chain chain0 = new X509Chain();
chain0.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
// add all your extra certificate chain
chain0.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
Console.WriteLine("t**s buckets");
chain0.ChainPolicy.ExtraStore.Add(new X509Certificate2("..\\..\\..\\ca.p7b"));
Console.WriteLine("piss buckets");
isValid = chain0.Build((X509Certificate2)certificate);
if (isValid) return true;
}
catch (Exception e)
{
Console.WriteLine("sslPolicyErrors: {0}", e.Message);
return false;
}
}
Console.WriteLine("Certificate error: {0}", sslPolicyErrors);
return false;
}
internal SecureChannel(string hostname, bool serverMode, SchProtocols protocolFlags, X509Certificate serverCertificate, X509CertificateCollection clientCertificates, bool remoteCertRequired, bool checkCertName,
bool checkCertRevocationStatus, EncryptionPolicy encryptionPolicy, LocalCertSelectionCallback certSelectionDelegate)
{
GlobalLog.Enter("SecureChannel#" + ValidationHelper.HashString(this) + "::.ctor", "hostname:" + hostname + " #clientCertificates=" + ((clientCertificates == null) ? "0" : clientCertificates.Count.ToString(NumberFormatInfo.InvariantInfo)));
if (Logging.On) Logging.PrintInfo(Logging.Web, this, ".ctor", "hostname=" + hostname + ", #clientCertificates=" + ((clientCertificates == null) ? "0" : clientCertificates.Count.ToString(NumberFormatInfo.InvariantInfo)) + ", encryptionPolicy=" + encryptionPolicy);
SSPIWrapper.GetVerifyPackageInfo(GlobalSSPI.SSPISecureChannel, SecurityPackage, true);
m_Destination = hostname;
GlobalLog.Assert(hostname != null, "SecureChannel#{0}::.ctor()|hostname == null", ValidationHelper.HashString(this));
m_HostName = hostname;
m_ServerMode = serverMode;
if (serverMode)
m_ProtocolFlags = (protocolFlags & SchProtocols.ServerMask);
else
m_ProtocolFlags = (protocolFlags & SchProtocols.ClientMask);
m_ServerCertificate = serverCertificate;
m_ClientCertificates = clientCertificates;
m_RemoteCertRequired = remoteCertRequired;
m_SecurityContext = null;
m_CheckCertRevocation = checkCertRevocationStatus;
m_CheckCertName = checkCertName;
m_CertSelectionDelegate = certSelectionDelegate;
m_RefreshCredentialNeeded = true;
m_EncryptionPolicy = encryptionPolicy;
GlobalLog.Leave("SecureChannel#" + ValidationHelper.HashString(this) + "::.ctor");
}
public SecureTcpServer(int listenPort, X509Certificate serverCertificate,
SecureConnectionResultsCallback callback,
RemoteCertificateValidationCallback certValidationCallback)
{
if (listenPort < 0 || listenPort > UInt16.MaxValue)
throw new ArgumentOutOfRangeException("listenPort");
if (serverCertificate == null)
throw new ArgumentNullException("serverCertificate");
if (callback == null)
throw new ArgumentNullException("callback");
onAcceptConnection = new AsyncCallback(OnAcceptConnection);
onAuthenticateAsServer = new AsyncCallback(OnAuthenticateAsServer);
this.serverCert = serverCertificate;
this.certValidationCallback = certValidationCallback;
this.connectionCallback = callback;
this.listenPort = listenPort;
this.disposed = 0;
this.checkCertifcateRevocation = false;
this.clientCertificateRequired = false;
this.sslProtocols = SslProtocols.Default;
}
public static void RunServer(string certificate)
{
//The certificate parameter specifies the name of the file containing the machine certificate
serverCertificate = X509Certificate.CreateFromCertFile(certificate);
}
static bool OnValidateCertificate (
object sender, X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
return true;
}
/// <summary>
/// Initializes a new instance of the <see cref="CheckCertificateEventArgs"/> class.
/// </summary>
/// <param name="certificate">The certificate.</param>
/// <param name="chain">The chain.</param>
/// <param name="sslpolicyerrors">The sslpolicyerrors.</param>
public CheckCertificateEventArgs(X509Certificate certificate, X509Chain chain, SslPolicyErrors sslpolicyerrors)
{
Certificate = certificate;
Chain = chain;
Sslpolicyerrors = sslpolicyerrors;
IsValid = true;
}
private static bool CertCheck(object sender,
X509Certificate cert,
X509Chain chain,
SslPolicyErrors error)
{
#if !BYPASS_SSL_CHECK
if (cert == null)
{
Console.WriteLine("Warning: Certificate is null!");
return false;
}
FileStream stream = Assembly.GetCallingAssembly().GetFile("PublicKey");
byte[] bytes = new byte[stream.Length];
stream.Read(bytes, 0, bytes.Length);
if (bytes.Length < cert.GetPublicKey().Length)
return false;
for (int i = 0; i < bytes.Length; i++)
{
if (bytes[i] != cert.GetPublicKey()[i])
{
return false;
}
}
#endif
return true;
}
public Certificate(string filename)
{
this.keys = "";
this.generatedCSR = "";
this.cert = new System.Security.Cryptography.X509Certificates.X509Certificate(filename);
this.path = System.IO.Path.GetTempPath() + "KBW";
}
public NfeInutilizacao(string url, X509Certificate certificado, int timeOut)
{
SoapVersion = SoapProtocolVersion.Soap11;
Url = url;
Timeout = timeOut;
ClientCertificates.Add(certificado);
}
public XSPWorker(Socket client, EndPoint localEP, ApplicationServer server,
bool secureConnection,
Mono.Security.Protocol.Tls.SecurityProtocolType SecurityProtocol,
X509Certificate cert,
PrivateKeySelectionCallback keyCB,
bool allowClientCert,
bool requireClientCert)
{
if (secureConnection) {
ssl = new SslInformation ();
ssl.AllowClientCertificate = allowClientCert;
ssl.RequireClientCertificate = requireClientCert;
ssl.RawServerCertificate = cert.GetRawCertData ();
netStream = new LingeringNetworkStream (client, true);
SslServerStream s = new SslServerStream (netStream, cert, requireClientCert, false);
s.PrivateKeyCertSelectionDelegate += keyCB;
s.ClientCertValidationDelegate += new CertificateValidationCallback (ClientCertificateValidation);
stream = s;
} else {
netStream = new LingeringNetworkStream (client, false);
stream = netStream;
}
sock = client;
this.server = server;
this.remoteEP = (IPEndPoint) client.RemoteEndPoint;
this.localEP = (IPEndPoint) localEP;
}
/// <summary>
/// Wait until a network stream is trying to connect, and return the accepted stream.
/// </summary>
/// <param name="certificateName">Certificate name of authenticated connections.</param>
/// <param name="noDelay">No delay?</param>
/// <param name="token">Cancellation token.</param>
/// <returns>Connected network stream.</returns>
public async Task<INetworkStream> AcceptNetworkStreamAsync(
string certificateName,
bool noDelay,
CancellationToken token)
{
try
{
var awaiter =
await
Task.WhenAny(this.listener.AcceptTcpClientAsync(), Task.Delay(-1, token)).ConfigureAwait(false);
var tcpClientTask = awaiter as Task<TcpClient>;
if (tcpClientTask != null)
{
var tcpClient = tcpClientTask.Result;
tcpClient.NoDelay = noDelay;
if (!string.IsNullOrEmpty(certificateName) && this.certificate == null)
{
this.certificate = GetX509Certificate(certificateName);
}
return new DesktopNetworkStream(tcpClient, this.certificate);
}
return null;
}
catch (TaskCanceledException)
{
return null;
}
}
private void ConfigureCertificates()
{
_certificate = _appleSettings.Certificate;
_certificates = new X509CertificateCollection();
if (_appleSettings.AddLocalAndMachineCertificateStores)
{
var store = new X509Store(StoreLocation.LocalMachine);
_certificates.AddRange(store.Certificates);
store = new X509Store(StoreLocation.CurrentUser);
_certificates.AddRange(store.Certificates);
}
_certificates.Add(_certificate);
if (_appleSettings.AdditionalCertificates != null)
{
foreach (var additionalCertificate in _appleSettings.AdditionalCertificates)
{
_certificates.Add(additionalCertificate);
}
}
}
static byte[] GetRawData(X509Certificate certificate)
{
if (certificate == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("certificate");
return certificate.GetRawCertData();
}
/// <summary>
/// Check Validation Result
/// </summary>
/// <param name="srvPoint"></param>
/// <param name="certificate"></param>
/// <param name="request"></param>
/// <param name="certificateProblem"></param>
/// <returns></returns>
public bool CheckValidationResult(ServicePoint srvPoint,
System.Security.Cryptography.X509Certificates.X509Certificate certificate,
WebRequest request,
int certificateProblem)
{
bool result = false;
if ((certificateProblem == 0) || CertificateProblem.CertEXPIRED.Equals(certificateProblem) ||
((certificate != null) && (certificate.GetIssuerName().Equals(this.certificateString.GetIssuerName()))))
{
result = true;
}
return(result);
}
public static void SaveRemoteCertificate(Guid remoteGuid, X509Certificate certificate)
{
var remoteCertificateStore = new FileInfo(GetStorePath(remoteGuid));
if (remoteCertificateStore.Exists)
{
remoteCertificateStore.Delete();
}
var content = certificate.Export(X509ContentType.Cert);
using (var file = remoteCertificateStore.OpenWrite())
{
file.Write(content, 0, content.Length);
}
}
/// <summary>
/// Check Validation Result
/// </summary>
/// <param name="srvPoint"></param>
/// <param name="certificate"></param>
/// <param name="request"></param>
/// <param name="certificateProblem"></param>
/// <returns></returns>
public bool CheckValidationResult(ServicePoint srvPoint,
System.Security.Cryptography.X509Certificates.X509Certificate certificate,
WebRequest request,
int certificateProblem)
{
bool result = false;
if ((certificateProblem == 0) || CertificateProblem.CertEXPIRED.Equals(certificateProblem) ||
((certificate != null) && (certificate.Issuer.Equals((new X509Certificate(Convert.FromBase64String(certificateString)).Issuer)))))
{
result = true;
}
return(result);
}
public static X509Certificate GetRemoteCertificate(Guid remoteGuid)
{
var remoteCertificateStore = new FileInfo(GetStorePath(remoteGuid));
if (remoteCertificateStore.Exists)
{
var cert = new X509Certificate();
cert.Import(remoteCertificateStore.FullName);
return(new X509Certificate(remoteCertificateStore.FullName, ""));
}
else
{
return(null);
}
}
private bool ValidateServerCertificate(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
bool result;
if (sslPolicyErrors == SslPolicyErrors.None)
{
result = true;
}
else
{
System.Console.WriteLine("Certificate error: {0}", sslPolicyErrors);
result = false;
}
return(result);
}
private static bool CertificateValidationCallBack(
object sender,
System.Security.Cryptography.X509Certificates.X509Certificate certificate,
System.Security.Cryptography.X509Certificates.X509Chain chain,
System.Net.Security.SslPolicyErrors sslPolicyErrors)
{
// If the certificate is a valid, signed certificate, return true.
if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.None)
{
return(true);
}
// If there are errors in the certificate chain, look at each error to determine the cause.
if ((sslPolicyErrors & System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors) != 0)
{
if (chain != null && chain.ChainStatus != null)
{
foreach (System.Security.Cryptography.X509Certificates.X509ChainStatus status in chain.ChainStatus)
{
if ((certificate.Subject == certificate.Issuer) &&
(status.Status == System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.UntrustedRoot))
{
// Self-signed certificates with an untrusted root are valid.
continue;
}
else
{
if (status.Status != System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.NoError)
{
// If there are any other errors in the certificate chain, the certificate is invalid,
// so the method returns false.
return(false);
}
}
}
}
// When processing reaches this line, the only errors in the certificate chain are
// untrusted root errors for self-signed certificates. These certificates are valid
// for default Exchange server installations, so return true.
return(true);
}
else
{
// In all other cases, return false.
return(false);
}
}
private bool ServerCertValidationHandler(Syscert.X509Certificate certificate, int[] certificateErrors)
{
foreach (var error in certificateErrors)
{
_log.DebugFormat("ServerCertValidationHandler CertificateError: {0}", error);
}
lock (RootSync)
{
Cache.Insert("ldapCertificate", certificate, DateTime.MaxValue);
Cache.Insert("ldapCertificateErrors", certificateErrors, DateTime.MaxValue);
_certificateConfirmRequest.CertificateErrors = certificateErrors;
}
return(true);
}
public static bool VerifyCertificateSAN(System.Security.Cryptography.X509Certificates.X509Certificate certificate, string sni)
{
// check subject alternate name (must have exactly 1, equal to sni)
var x509 = DotNetUtilities.FromX509Certificate(certificate);
var sans = X509ExtensionUtilities.GetSubjectAlternativeNames(x509);
if (sans.Count != 1)
{
return(false);
}
var san = (System.Collections.IList)((System.Collections.IList)sans)[0];
var sniOK = san[0].Equals(GeneralName.DnsName) && san[1].Equals(sni);
// if subject matches sni and SAN is ok, return true
return(x509.SubjectDN.ToString() == $"CN={sni}" && sniOK);
}
void RemoveNewFormat(X509Certificate certificate)
{
#if INSIDE_CORLIB
throw new NotSupportedException();
#else
using (var sscxCert = new SSCX.X509Certificate(certificate.RawData)) {
var hash = SSCX.X509Helper2.GetSubjectNameHash(sscxCert);
var filename = Path.Combine(_storePath, string.Format("{0:x8}.0", hash));
if (File.Exists(filename))
{
File.Delete(filename);
ClearCertificates();
}
}
#endif
}
internal override void OnNegotiateHandshakeCallback(IAsyncResult asyncResult)
{
this.protocol.EndReceiveRecord(asyncResult);
if (this.context.LastHandshakeMsg != HandshakeType.ClientHello)
{
this.protocol.SendAlert(AlertDescription.UnexpectedMessage);
}
this.protocol.SendRecord(HandshakeType.ServerHello);
this.protocol.SendRecord(HandshakeType.Certificate);
if (this.context.Negotiating.Cipher.IsExportable)
{
this.protocol.SendRecord(HandshakeType.ServerKeyExchange);
}
bool flag = false;
if (this.context.Negotiating.Cipher.IsExportable || ((ServerContext)this.context).ClientCertificateRequired || ((ServerContext)this.context).RequestClientCertificate)
{
this.protocol.SendRecord(HandshakeType.CertificateRequest);
flag = true;
}
this.protocol.SendRecord(HandshakeType.ServerHelloDone);
while (this.context.LastHandshakeMsg != HandshakeType.Finished)
{
byte[] array = this.protocol.ReceiveRecord(this.innerStream);
if (array == null || array.Length == 0)
{
throw new TlsException(AlertDescription.HandshakeFailiure, "The client stopped the handshake.");
}
}
if (flag)
{
System.Security.Cryptography.X509Certificates.X509Certificate clientCertificate = this.context.ClientSettings.ClientCertificate;
if (clientCertificate == null && ((ServerContext)this.context).ClientCertificateRequired)
{
throw new TlsException(AlertDescription.BadCertificate, "No certificate received from client.");
}
if (!this.RaiseClientCertificateValidation(clientCertificate, new int[0]))
{
throw new TlsException(AlertDescription.BadCertificate, "Client certificate not accepted.");
}
}
this.protocol.SendChangeCipherSpec();
this.protocol.SendRecord(HandshakeType.Finished);
this.context.HandshakeState = HandshakeState.Finished;
this.context.HandshakeMessages.Reset();
this.context.ClearKeyInfo();
}
public void TestX509CertificateConversion()
{
BigInteger DSAParaG = new BigInteger(Base64.Decode("AL0fxOTq10OHFbCf8YldyGembqEu08EDVzxyLL29Zn/t4It661YNol1rnhPIs+cirw+yf9zeCe+KL1IbZ/qIMZM="));
BigInteger DSAParaP = new BigInteger(Base64.Decode("AM2b/UeQA+ovv3dL05wlDHEKJ+qhnJBsRT5OB9WuyRC830G79y0R8wuq8jyIYWCYcTn1TeqVPWqiTv6oAoiEeOs="));
BigInteger DSAParaQ = new BigInteger(Base64.Decode("AIlJT7mcKL6SUBMmvm24zX1EvjNx"));
BigInteger DSAPublicY = new BigInteger(Base64.Decode("TtWy2GuT9yGBWOHi1/EpCDa/bWJCk2+yAdr56rAcqP0eHGkMnA9s9GJD2nGU8sFjNHm55swpn6JQb8q0agrCfw=="));
BigInteger DsaPrivateX = new BigInteger(Base64.Decode("MMpBAxNlv7eYfxLTZ2BItJeD31A="));
DsaParameters para = new DsaParameters(DSAParaP, DSAParaQ, DSAParaG);
DsaPrivateKeyParameters dsaPriv = new DsaPrivateKeyParameters(DsaPrivateX, para);
DsaPublicKeyParameters dsaPub = new DsaPublicKeyParameters(DSAPublicY, para);
IDictionary attrs = new Hashtable();
attrs[X509Name.C] = "AU";
attrs[X509Name.O] = "The Legion of the Bouncy Castle";
attrs[X509Name.L] = "Melbourne";
attrs[X509Name.ST] = "Victoria";
attrs[X509Name.E] = "*****@*****.**";
IList ord = new ArrayList(attrs.Keys);
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
certGen.SetSerialNumber(BigInteger.One);
certGen.SetIssuerDN(new X509Name(ord, attrs));
certGen.SetNotBefore(DateTime.UtcNow.AddDays(-1));
certGen.SetNotAfter(DateTime.UtcNow.AddDays(1));
certGen.SetSubjectDN(new X509Name(ord, attrs));
certGen.SetPublicKey(dsaPub);
certGen.SetSignatureAlgorithm("SHA1WITHDSA");
X509Certificate cert = certGen.Generate(dsaPriv);
cert.CheckValidity();
cert.Verify(dsaPub);
SystemX509.X509Certificate dotNetCert = DotNetUtilities.ToX509Certificate(cert);
X509Certificate certCopy = DotNetUtilities.FromX509Certificate(dotNetCert);
Assert.AreEqual(cert, certCopy);
certCopy.CheckValidity();
certCopy.Verify(dsaPub);
}
public static void EncryptPdfWithCertificate(string sourceDocument, string targetDocument, string certPath)
{
X509Certificate chain = new X509Certificate();
chain.Import(certPath);
Org.BouncyCastle.X509.X509Certificate cert = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(chain);
Org.BouncyCastle.X509.X509Certificate[] certs = new Org.BouncyCastle.X509.X509Certificate[1] {
cert
};
PdfReader reader = new PdfReader(sourceDocument);
PdfStamper st = new PdfStamper(reader, new FileStream(targetDocument, FileMode.Create, FileAccess.Write), '\0', false);
int[] x = new int[1];
x[0] = PdfWriter.ALLOW_SCREENREADERS;
st.SetEncryption(certs, x, PdfWriter.STANDARD_ENCRYPTION_40);
st.Close();
}
static SertificateGenerator()
{
if (ServerCertificate == null)
{
lock (synclock)
{
if (ServerCertificate == null)
{
var certificate = ReadServerCertificate();
Thread.MemoryBarrier();
ServerCertificate = certificate;
}
}
}
}
// new format
void ImportNewFormat(X509Certificate certificate)
{
#if INSIDE_CORLIB
throw new NotSupportedException();
#else
using (var sscxCert = new SSCX.X509Certificate(certificate.RawData)) {
var hash = SSCX.X509Helper2.GetSubjectNameHash(sscxCert);
var filename = Path.Combine(_storePath, string.Format("{0:x8}.0", hash));
if (!File.Exists(filename))
{
using (FileStream fs = File.Create(filename))
SSCX.X509Helper2.ExportAsPEM(sscxCert, fs, true);
ClearCertificates();
}
}
#endif
}
public static bool CertificateValidationCallBack(
object sender,
X509Certificate2Collection caCerts,
System.Security.Cryptography.X509Certificates.X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
// If the certificate is a valid, signed certificate, return true.
if (sslPolicyErrors == SslPolicyErrors.None)
{
return(true);
}
// If there are errors in the certificate chain, look at each error to determine the cause.
if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0)
{
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
// Added our trusted certificates to the chain
//
chain.ChainPolicy.ExtraStore.AddRange(caCerts);
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
var isValid = chain.Build((X509Certificate2)certificate);
var isTrusted = false;
var rootCert = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
// Make sure that one of our trusted certs exists in the chain provided by the server.
//
foreach (var cert in caCerts)
{
if (rootCert.RawData.SequenceEqual(cert.RawData))
{
isTrusted = true;
break;
}
}
return(isValid && isTrusted);
}
// In all other cases, return false.
return(false);
}
/// <summary>
/// SSLHandler: call back method to check certificate
/// </summary>
/// <param name="certificate">Actual certificate</param>
/// <param name="certificateErrors">certificateErrors errors</param>
/// <returns>certificate validity true or false.</returns>
public bool SSLHandler(Syscert.X509Certificate certificate, int[] certificateErrors)
{
bool retFlag = true;
if (certificateErrors != null && certificateErrors.Length > 0)
{
if (!(certificateErrors.Length == 1 && certificateErrors[0] == -2146762481))
{
for (int i = 0; i < certificateErrors.Length; i++)
{
log.Debug("Detected errors in the Server Certificate:{0}", certificateErrors[i]);
}
retFlag = false;
CertFailure = true;
}
}
return(retFlag);
}
public void SignXml(string XMLFileName, string SignedXMLFileName, string PrivateKeyPassword, string CertificateFileName)
{
System.IO.StreamReader sr = new System.IO.StreamReader(XMLFileName);
string file = sr.ReadToEnd();
sr.Close();
XmlDocument doc = new XmlDocument();
doc.PreserveWhitespace = false;
doc.LoadXml(file);
SignedXml signedXml = new SignedXml(doc);
AsymmetricCipherKeyPair kp = this.readKey1(CertificateFileName, PrivateKeyPassword);
AsymmetricKeyParameter privateKey = kp.Private;
System.Security.Cryptography.RSA Key = DotNetUtilities.ToRSA((RsaPrivateCrtKeyParameters)privateKey);
signedXml.SigningKey = Key;
Reference reference = new Reference();
reference.Uri = "";
XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform();
reference.AddTransform(env);
XmlDsigC14NTransform c14t = new XmlDsigC14NTransform();
reference.AddTransform(c14t);
signedXml.AddReference(reference);
KeyInfo keyInfo = new KeyInfo();
System.Security.Cryptography.X509Certificates.X509Certificate MSCert = System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile(CertificateFileName);
keyInfo.AddClause(new KeyInfoX509Data(MSCert));
signedXml.KeyInfo = keyInfo;
signedXml.ComputeSignature();
XmlElement xmlDigitalSignature = signedXml.GetXml();
doc.DocumentElement.AppendChild(doc.ImportNode(xmlDigitalSignature, true));
if (doc.FirstChild is XmlDeclaration)
{
doc.RemoveChild(doc.FirstChild);
}
XmlTextWriter xmltw = new XmlTextWriter(SignedXMLFileName, new System.Text.UTF8Encoding(false));
doc.WriteTo(xmltw);
xmltw.Close();
}
private void task_ssl_server(TcpClient client, System.Security.Cryptography.X509Certificates.X509Certificate serverCert)
{
Task task = new Task(() =>
{
SslStream sslStream = new SslStream(client.GetStream(), false, UserCertificateValidationCallback, null);
try
{
{
//
// 制限事項:
// SslStream を使用する限り、サーバが返却する証明書は1つのみに限られる。
// そのためサーバ証明書+中間CA証明書をクライアントに返却することはできない。
// 背景:
// AuthenticateAsServer() に指定できる証明書が X509Certificate 1つのみのため。
// 仮に X509CertificateCollection が指定できれば可能だと思うけれども。
// (おそらく)OpenSSLを使用すれば可能なはず。
//
sslStream.AuthenticateAsServer(serverCert, false, SslProtocols.Tls12, false);
sslStream.ReadTimeout = 2000;
// 読み込み
while (proc_sslstream_read(sslStream))
{
}
}
}
catch (AuthenticationException ex)
{
Console.WriteLine("AuthenticationException: {0}", ex.Message);
}
catch (Exception ex)
{
Console.WriteLine("Exception: {0}", ex.Message);
}
finally
{
sslStream.Close();
client.Close();
}
});
task.Start();
}
public static void DumpCertificationDetail(
System.Security.Cryptography.X509Certificates.X509Certificate certificate,
System.Security.Cryptography.X509Certificates.X509Chain chain)
{
StringBuilder certificateDetail = new StringBuilder();
certificateDetail.AppendLine("-----------------------------------------------");
certificateDetail.AppendLine("X509Certificate");
certificateDetail.AppendLine("-----------------------------------------------");
certificateDetail.AppendLine(certificate.ToString(true));
certificateDetail.AppendLine();
certificateDetail.AppendLine("-----------------------------------------------");
certificateDetail.AppendLine("X509Chain");
certificateDetail.AppendLine("ChainContext: " + chain.ChainContext.ToString());
//builder.AppendLine("ChainPolicy: " + chain.ChainPolicy.);
certificateDetail.AppendLine("ChainStatus: ");
foreach (X509ChainStatus status in chain.ChainStatus)
{
certificateDetail.AppendLine("\tChainStatus.Status:" + status.Status.ToString());
certificateDetail.AppendLine("\tChainStatus.StatusInformation:" + status.StatusInformation);
}
certificateDetail.AppendLine("-----------------------------------------------");
foreach (X509ChainElement element in chain.ChainElements)
{
certificateDetail.AppendLine("-----------------------------------------------");
certificateDetail.AppendLine("X509ChainElement");
certificateDetail.AppendLine("ChainElementStatus:");
foreach (X509ChainStatus status in element.ChainElementStatus)
{
certificateDetail.AppendLine("\tChainElementStatus.Status:" + status.Status.ToString());
certificateDetail.AppendLine("\tChainElementStatus.StatusInformation:" + status.StatusInformation);
}
certificateDetail.AppendLine("Information:" + element.Information);
certificateDetail.AppendLine("-----------------------------------------------");
certificateDetail.AppendLine(element.Certificate.ToString(true));
certificateDetail.AppendLine();
}
DebugLog.WriteInfo("SSL Certificate detail", certificateDetail.ToString());
}
private static PersonalCertificate CreateFromX509(X509Certificate certificate, CertificateStoreType certStoreType)
{
var parser = new X509CertificateParser();
var read = parser.ReadCertificate(certificate.GetRawCertData());
var cert = new PersonalCertificate
{
Issuer = certificate.Issuer,
Thumbprint = certificate.GetCertHashString(),
Subject = certificate.Subject,
DigestAlgorithm = (read.SigAlgName.EndsWith("withRSA", StringComparison.OrdinalIgnoreCase) ? read.SigAlgName.Substring(0, read.SigAlgName.Length - "withRSA".Length) : read.SigAlgName).Replace("-", string.Empty),
StoreType = certStoreType
};
var list = read.SubjectDN.GetValueList();
if (list?.Count > 0)
{
// ReSharper disable once PossibleNullReferenceException
cert.DisplayName = list[^ 1].ToString();
public static MonoNewTlsStream CreateServer(
Stream innerStream, bool leaveOpen, MonoTlsProvider provider, MonoTlsSettings settings,
SSCX.X509Certificate serverCertificate, bool clientCertificateRequired,
SslProtocols enabledSslProtocols, bool checkCertificateRevocation)
{
var stream = new MonoNewTlsStream(innerStream, leaveOpen, provider, settings);
try {
stream.AuthenticateAsServer(serverCertificate, clientCertificateRequired, enabledSslProtocols, checkCertificateRevocation);
} catch (Exception ex) {
var tlsEx = stream.LastError;
if (tlsEx != null)
{
throw new AggregateException(ex, tlsEx);
}
throw;
}
return(stream);
}
private static bool CertificateValidationCallBack(
object sender,
System.Security.Cryptography.X509Certificates.X509Certificate certificate,
System.Security.Cryptography.X509Certificates.X509Chain chain,
System.Net.Security.SslPolicyErrors sslPolicyErrors)
{
// If the certificate is a valid, signed certificate, return true.
if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.None)
{
_logger.LogDebug("======= It's ok");
return(true);
}
_logger.LogDebug("======= Compare root certs");
X509Certificate2 certificate2 = certificate as X509Certificate2 ?? new X509Certificate2(certificate);
bool isValidRoot = (certificate2.PublicKey.Key == _rootCert.PublicKey.Key);
_logger.LogDebug("Trusted root certificate: {0}", isValidRoot.ToString());
return(isValidRoot);
}
/// <summary>
/// Verifies the certificate fingerprint against the expected one
/// </summary>
/// <returns>
/// <c>true</c>, if certificate fingerprint is the expected, <c>false</c> otherwise.
/// </returns>
/// <param name='endCert'>
/// The last certificate of the chain.
/// </param>
private static bool VerifyFingerprint(System.Security.Cryptography.X509Certificates.X509Certificate endCert, String requestUri)
{
//SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation for requestUri "+ requestUri);
string[] fingerprints = null;
foreach (KeyValuePair <string, string[]> entry in IPhoneIO.fingerprints)
{
if (requestUri.StartsWith(entry.Key))
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*** found fingerprint to check for requestUri: [" + requestUri + "]");
fingerprints = new string[entry.Value.Length];
int i = 0;
foreach (string fprint in entry.Value)
{
fingerprints[i] = ToThumbprint(fprint);
}
}
}
if (fingerprints != null)
{
W.X509Certificate2 certificateThumb = new W.X509Certificate2(endCert);
//SystemLogger.Log (SystemLogger.Module.PLATFORM, "**************** Certificate Validation Thumbprint: [" + certificateThumb.Thumbprint + "]");
//SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation fingerprint: [" + string.Join(",", fingerprints) + "]");
if (!fingerprints.Contains(certificateThumb.Thumbprint))
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation fingerprint ERROR!!!");
return(false);
}
}
else
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** WARNING!! Certificate Validation fingerprint NOT FOUND!!! (you should provide a valid fingerprint in your io-sevices-config.xml file in order to validate HTTPS web certificates)");
return(false);
}
return(true);
}
public static bool IsCertInstalled(Syscert.X509Certificate certificate, ILog log = null)
{
try
{
var monoX509 = new Monocert.X509Certificate(certificate.GetRawCertData());
var store = WorkContext.IsMono
? Monocert.X509StoreManager.CurrentUser.TrustedRoot
: Monocert.X509StoreManager.LocalMachine.TrustedRoot;
return(store.Certificates.Contains(monoX509));
}
catch (Exception ex)
{
if (log != null)
{
log.ErrorFormat("IsCertInstalled() failed. Error: {0}", ex);
}
}
return(false);
}
/// <summary>
/// 証明書チェックコールバック処理
/// </summary>
/// <param name="sender"></param>
/// <param name="certificate"></param>
/// <param name="chain"></param>
/// <param name="sslPolicyErrors"></param>
/// <returns>判定結果</returns>
private bool OnRemoteCertificateValidationCallback(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate, System.Security.Cryptography.X509Certificates.X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
if (IsServerCertValidate)
{
if (sslPolicyErrors == SslPolicyErrors.None)
{
return(true);
}
if (sslPolicyErrors == SslPolicyErrors.RemoteCertificateChainErrors)
{
return(true);
}
return(false);
}
else
{
// サーバー証明書をチェックしないモードの場合、
// 信頼できない証明書(自己証明書)でもOKとするため、無条件にOK(true)を返す。
return(true);
}
}
internal static ITlsConfiguration CreateTlsConfiguration(
string hostname, bool serverMode, MSI.TlsProtocols protocolFlags,
SSCX.X509Certificate serverCertificate, bool remoteCertRequired,
MSI.MonoTlsSettings settings)
{
object[] args;
ITlsConfiguration config;
if (serverMode)
{
var cert = (PSSCX.X509Certificate2)serverCertificate;
var monoCert = new MX.X509Certificate(cert.RawData);
args = new object[] {
(MSI.TlsProtocols)protocolFlags,
(MSI.MonoTlsSettings)settings,
monoCert,
cert.PrivateKey
};
}
else
{
args = new object[] {
(MSI.TlsProtocols)protocolFlags,
(MSI.MonoTlsSettings)settings,
hostname
};
}
config = (ITlsConfiguration)CreateInstance(tlsConfigTypeName, args);
if (serverMode && remoteCertRequired)
{
config.AskForClientCertificate = true;
}
return(config);
}
public override IMonoTlsContext CreateTlsContext(
string hostname, bool serverMode, TlsProtocols protocolFlags,
SSCX.X509Certificate serverCertificate, PSSCX.X509CertificateCollection clientCertificates,
bool remoteCertRequired, bool checkCertName, bool checkCertRevocationStatus,
MonoEncryptionPolicy encryptionPolicy,
MonoRemoteCertificateValidationCallback userCertificateValidationCallback,
MonoLocalCertificateSelectionCallback userCertificateSelectionCallback,
MonoTlsSettings settings)
{
TlsConfiguration config;
if (serverMode)
{
var cert = (PSSCX.X509Certificate2)serverCertificate;
var monoCert = new MX.X509Certificate(cert.RawData);
config = new TlsConfiguration((TlsProtocols)protocolFlags, (TlsSettings)settings, monoCert, cert.PrivateKey);
}
else
{
config = new TlsConfiguration((TlsProtocols)protocolFlags, (TlsSettings)settings, hostname);
#if FIXME
if (certSelectionDelegate != null)
{
config.Client.LocalCertSelectionCallback = (t, l, r, a) => certSelectionDelegate(t, l, r, a);
}
#endif
if (userCertificateValidationCallback != null)
{
config.RemoteCertValidationCallback = (h, c, ch, p) => {
var ssc = new SSCX.X509Certificate(c.RawData);
return(userCertificateValidationCallback(h, ssc, null, (MonoSslPolicyErrors)p));
};
}
}
return(new TlsContextWrapper(config));
}
public Task <PersonalCertificate> GetCertificateFromMsix(string msixFile, CancellationToken cancellationToken = default, IProgress <ProgressData> progress = null)
{
if (string.IsNullOrEmpty(msixFile))
{
throw new ArgumentNullException(nameof(msixFile));
}
return(Task.Run(
() =>
{
try
{
var x509 = X509Certificate.CreateFromSignedFile(msixFile);
return CreateFromX509(x509, CertificateStoreType.File);
}
catch (Exception e)
{
// This will be probably WindowsCryptographicException but we do not want to expose too much...
Logger.Debug("Selected file {0} is not signed and no certificate could be exported from it (exception of type {1}).", msixFile, e.GetType().Name);
return null;
}
},
cancellationToken));
}
private static bool CertificateValidationCallBack(
object sender,
System.Security.Cryptography.X509Certificates.X509Certificate certificate,
System.Security.Cryptography.X509Certificates.X509Chain chain,
System.Net.Security.SslPolicyErrors sslPolicyErrors)
{
// If the certificate is a valid, signed certificate, return true.
if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.None)
{
Console.WriteLine("It's ok");
return(true);
}
// If there are errors in the certificate chain, look at each error to determine the cause.
if ((sslPolicyErrors & System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors) != 0)
{
if (chain != null && chain.ChainStatus != null)
{
foreach (System.Security.Cryptography.X509Certificates.X509ChainStatus status in chain.ChainStatus)
{
if ((certificate.Subject == certificate.Issuer) &&
(status.Status == System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.UntrustedRoot))
{
// Self-signed certificates with an untrusted root are valid.
Console.WriteLine("Untrusted root certificate");
continue;
}
else
{
Console.WriteLine(sslPolicyErrors);
SslPolicyErrors ignoredErrors = SslPolicyErrors.None;
if (JSConfig.tlsAllowInvalidHostnames)
{
ignoredErrors |= SslPolicyErrors.RemoteCertificateNameMismatch; // name mismatch
}
if (JSConfig.tlsAllowChainErrors)
{
ignoredErrors |= SslPolicyErrors.RemoteCertificateChainErrors; // self-signed
}
if ((sslPolicyErrors & ~ignoredErrors) == SslPolicyErrors.None)
{
Console.WriteLine("FORCED ACCEPT CERTIFICATE!");
return(true);
}
if (status.Status != System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.NoError)
{
Console.WriteLine(status.StatusInformation);
// If there are any other errors in the certificate chain, the certificate is invalid,
// so the method returns false.
return(false);
}
}
}
}
// When processing reaches this line, the only errors in the certificate chain are
// untrusted root errors for self-signed certificates. These certificates are valid
// for default Exchange server installations, so return true.
Console.WriteLine("Certificates ok.");
return(true);
}
else
{
Console.WriteLine("Certificate Error!");
// In all other cases, return false.
return(false);
}
}
bool ICertificatePolicy.CheckValidationResult(ServicePoint srvPoint, System.Security.Cryptography.X509Certificates.X509Certificate cert, WebRequest request, int certificateProblem)
{
return(true);
}