internal int OnVerifyCertThunk(int ok, IntPtr store_ctx)
{
X509StoreContext ctx = new X509StoreContext(store_ctx, false);
X509Certificate cert = ctx.CurrentCert;
int depth = ctx.ErrorDepth;
VerifyResult result = (VerifyResult)ctx.Error;
// build the X509Chain from the store
X509Store store = ctx.Store;
Core.Stack <X509Object> objStack = store.Objects;
X509Chain chain = new X509Chain();
foreach (X509Object obj in objStack)
{
X509Certificate objCert = obj.Certificate;
if (objCert != null)
{
chain.Add(objCert);
}
}
// Call the managed delegate
if (OnVerifyCert(this, cert, chain, depth, result))
{
return(1);
}
else
{
return(0);
}
}
public Core.Stack <X509Name> LoadClientCAFile(string filename)
{
IntPtr stack = Native.SSL_load_client_CA_file(filename);
Core.Stack <X509Name> name_stack = new Core.Stack <X509Name>(stack, true);
return(name_stack);
}
/// <summary>
///
/// </summary>
/// <param name="sk_ext"></param>
public void AddExtensions(Core.Stack <X509Extension> sk_ext)
{
foreach (X509Extension ext in sk_ext)
{
AddExtension(ext);
}
}
public override void Run(MState state, Core.Stack <byte> args)
{
var f = state.Stack.Pop();
var s = state.Stack.Pop();
state.Stack.Push(f == s);
}
public int InternalClientCertificateSelectionCallback(Ssl ssl, out X509Certificate x509_cert, out CryptoKey key)
{
int nRet = 0;
x509_cert = null;
key = null;
Core.Stack <X509Name> name_stack = ssl.CAList;
string[] strIssuers = new string[name_stack.Count];
int count = 0;
foreach (X509Name name in name_stack)
{
strIssuers[count++] = name.OneLine;
}
if (localCertificateSelectionCallback != null)
{
X509Certificate cert = localCertificateSelectionCallback(this, targetHost, clientCertificates, ssl.GetPeerCertificate(), strIssuers);
if (cert != null && cert.HasPrivateKey)
{
x509_cert = cert;
key = cert.PrivateKey;
// Addref the cert and private key
x509_cert.AddRef();
key.AddRef();
// return success
nRet = 1;
}
}
return(nRet);
}
public override void Run(MState state, Core.Stack <byte> args)
{
var val = state.Stack.Pop();
if (val)
{
state.IP = args.Pop() - 1;
}
}
/// <summary>
/// Add the extensions to the request using X509_REQ_add_extensions().
/// </summary>
/// <param name="sk_ext"></param>
public void AddExtensions(Core.Stack <X509Extension> sk_ext)
{
IntPtr stack = Native.sk_new_null();
foreach (var ext in sk_ext)
{
Native.sk_push(stack, ext.Handle);
}
Native.ExpectSuccess(Native.X509_REQ_add_extensions(ptr, stack));
Native.sk_free(stack);
}
public List <string> GetCipherList()
{
List <string> ret = new List <string>();
SSL_CTX raw = (SSL_CTX)Marshal.PtrToStructure(ptr, typeof(SSL_CTX));
Core.Stack <SslCipher> stack = new Core.Stack <SslCipher>(raw.cipher_list, false);
foreach (SslCipher cipher in stack)
{
IntPtr cipher_ptr = Native.SSL_CIPHER_description(cipher.Handle, null, 0);
if (cipher_ptr != IntPtr.Zero)
{
string strCipher = Marshal.PtrToStringAnsi(cipher_ptr);
ret.Add(strCipher);
Native.OPENSSL_free(cipher_ptr);
}
}
return(ret);
}
/// <summary>
/// Calls PEM_x509_INFO_read_bio()
/// </summary>
/// <param name="bio"></param>
public X509List(BIO bio)
{
var sk = Native.ExpectNonNull(
Native.PEM_X509_INFO_read_bio(bio.Handle, IntPtr.Zero, null, IntPtr.Zero));
using (var stack = new Core.Stack <X509CertificateInfo>(sk, true))
{
while (stack.Count > 0)
{
using (var xi = stack.Shift())
{
if (xi.Certificate != null)
{
Add(xi.Certificate);
}
}
}
}
}
/// <summary>
/// Creates a chain from a BIO. Expects the stream to contain
/// a collection of X509_INFO objects in PEM format by calling
/// PEM_X509_INFO_read_bio()
/// </summary>
/// <param name="bio"></param>
public X509Chain(BIO bio)
{
IntPtr sk = Native.ExpectNonNull(Native.PEM_X509_INFO_read_bio(bio.Handle, IntPtr.Zero, null, IntPtr.Zero));
using (Core.Stack <X509CertificateInfo> stack = new Core.Stack <X509CertificateInfo>(sk, true))
{
while (stack.Count > 0)
{
using (X509CertificateInfo xi = stack.Shift())
{
X509Certificate cert = xi.Certificate;
if (cert != null)
{
this.Add(cert);
}
}
}
}
}
public void Exec(byte[] source)
{
var s = new MState();
while (s.IP < source.Length)
{
s.IP += 1;
var op = (OpCode)source[s.IP];
if (op == OpCode.Halt)
{
break;
}
else
{
bool found = false;
foreach (var instr in Instructions)
{
if (instr.OpCode == op)
{
found = true;
var argstack = new Core.Stack <byte>();
for (int i = 0; i < instr.ArgsCount; i++)
{
s.IP += 1;
argstack.Push(source[s.IP]);
}
instr.Run(s, argstack);
}
}
if (!found)
{
//Screen.WriteLine("Could not find OpCode: " + (byte)op);
}
}
}
}
public Core.Stack<X509Name> LoadClientCAFile(string filename)
{
IntPtr stack = Native.SSL_load_client_CA_file(filename);
Core.Stack<X509Name> name_stack = new Core.Stack<X509Name>(stack, true);
return name_stack;
}
public List<string> GetCipherList()
{
List<string> ret = new List<string>();
SSL_CTX raw = (SSL_CTX)Marshal.PtrToStructure(ptr, typeof(SSL_CTX));
Core.Stack<SslCipher> stack = new Core.Stack<SslCipher>(raw.cipher_list, false);
foreach (SslCipher cipher in stack)
{
IntPtr cipher_ptr = Native.SSL_CIPHER_description(cipher.Handle, null, 0);
if (cipher_ptr != IntPtr.Zero)
{
string strCipher = Marshal.PtrToStringAnsi(cipher_ptr);
ret.Add(strCipher);
Native.OPENSSL_free(cipher_ptr);
}
}
return ret;
}
private void InitializeServerContext(
X509Certificate serverCertificate,
bool clientCertificateRequired,
X509Chain caCerts,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocation)
{
if (serverCertificate == null)
{
throw new ArgumentNullException("serverCertificate", "Server certificate cannot be null");
}
if (!serverCertificate.HasPrivateKey)
{
throw new ArgumentException("Server certificate must have a private key", "serverCertificate");
}
// Initialize the context
sslContext = new SslContext(SslMethod.TLSv1_server_method, ConnectionEnd.Server, true, new[] { Protocols.Http2, Protocols.Http1 });
// Remove support for protocols not specified in the enabledSslProtocols
if ((enabledSslProtocols & SslProtocols.Ssl2) != SslProtocols.Ssl2)
{
sslContext.Options |= SslOptions.SSL_OP_NO_SSLv2;
}
if ((enabledSslProtocols & SslProtocols.Ssl3) != SslProtocols.Ssl3 &&
((enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default))
{
// no SSLv3 support
sslContext.Options |= SslOptions.SSL_OP_NO_SSLv3;
}
if ((enabledSslProtocols & SslProtocols.Tls) != SslProtocols.Tls &&
(enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default)
{
sslContext.Options |= SslOptions.SSL_OP_NO_TLSv1;
}
// Set the context mode
sslContext.Mode = SslMode.SSL_MODE_AUTO_RETRY;
// Set the workaround options
sslContext.Options = SslOptions.SSL_OP_ALL;
// Set the client certificate verification callback if we are requiring client certs
if (clientCertificateRequired)
{
sslContext.SetVerify(VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, remoteCertificateSelectionCallback);
}
else
{
sslContext.SetVerify(VerifyMode.SSL_VERIFY_NONE, null);
}
// Set the client certificate max verification depth
sslContext.SetVerifyDepth(10);
// Set the certificate store and ca list
if (caCerts != null)
{
// Don't take ownership of the X509Store IntPtr. When we
// SetCertificateStore, the context takes ownership of the store pointer.
var cert_store = new X509Store(caCerts, false);
sslContext.SetCertificateStore(cert_store);
Stack<X509Name> name_stack = new Core.Stack<X509Name>();
foreach (X509Certificate cert in caCerts)
{
X509Name subject = cert.Subject;
name_stack.Add(subject);
}
// Assign the stack to the context
sslContext.CAList = name_stack;
}
// Set the cipher string
sslContext.SetCipherList(GetCipherString(false, enabledSslProtocols, sslStrength));
// Set the certificate
sslContext.UseCertificate(serverCertificate);
// Set the private key
sslContext.UsePrivateKey(serverCertificate.PrivateKey);
// Set the session id context
sslContext.SetSessionIdContext(Encoding.ASCII.GetBytes("AppDomainHost: UnitTests12345678"/*AppDomain.CurrentDomain.FriendlyName*/));
}
private void InitializeServerContext(
X509Certificate serverCertificate,
bool clientCertificateRequired,
X509Chain caCerts,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocation)
{
if (serverCertificate == null)
{
throw new ArgumentNullException("serverCertificate", "Server certificate cannot be null");
}
if (!serverCertificate.HasPrivateKey)
{
throw new ArgumentException("Server certificate must have a private key", "serverCertificate");
}
// Initialize the context with specified TLS version
sslContext = new SslContext(SslMethod.TLSv12_server_method, ConnectionEnd.Server, new[] {
Protocols.Http2,
Protocols.Http1
});
var options = sslContext.Options;
// Remove support for protocols not specified in the enabledSslProtocols
if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl2))
{
options |= SslOptions.SSL_OP_NO_SSLv2;
}
if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl3))
{
options |= SslOptions.SSL_OP_NO_SSLv3;
}
if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Tls))
{
options |= SslOptions.SSL_OP_NO_TLSv1;
}
// Set the workaround options
sslContext.Options = options | SslOptions.SSL_OP_ALL;
// Set the context mode
sslContext.Mode = SslMode.SSL_MODE_AUTO_RETRY;
// Set the client certificate verification callback if we are requiring client certs
if (clientCertificateRequired)
{
sslContext.SetVerify(VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, OnRemoteCertificate);
}
else
{
sslContext.SetVerify(VerifyMode.SSL_VERIFY_NONE, null);
}
// Set the client certificate max verification depth
sslContext.SetVerifyDepth(10);
// Set the certificate store and ca list
if (caCerts != null)
{
// Don't take ownership of the X509Store IntPtr. When we
// SetCertificateStore, the context takes ownership of the store pointer.
sslContext.SetCertificateStore(new X509Store(caCerts, false));
var name_stack = new Core.Stack <X509Name>();
foreach (var cert in caCerts)
{
var subject = cert.Subject;
name_stack.Add(subject);
}
// Assign the stack to the context
sslContext.CAList = name_stack;
}
// Set the cipher string
sslContext.SetCipherList(SslCipher.MakeString(enabledSslProtocols, sslStrength));
// Set the certificate
sslContext.UseCertificate(serverCertificate);
// Set the private key
sslContext.UsePrivateKey(serverCertificate.PrivateKey);
// Set the session id context
sslContext.SetSessionIdContext(Encoding.ASCII.GetBytes(AppDomain.CurrentDomain.FriendlyName));
}
private void InitializeServerContext(
X509Certificate serverCertificate,
bool clientCertificateRequired,
X509Chain caCerts,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocation)
{
if (serverCertificate == null)
{
throw new ArgumentNullException("serverCertificate", "Server certificate cannot be null");
}
if (!serverCertificate.HasPrivateKey)
{
throw new ArgumentException("Server certificate must have a private key", "serverCertificate");
}
// Initialize the context
sslContext = new SslContext(SslMethod.SSLv23_server_method);
// Remove support for protocols not specified in the enabledSslProtocols
if ((enabledSslProtocols & SslProtocols.Ssl2) != SslProtocols.Ssl2)
{
sslContext.Options |= SslOptions.SSL_OP_NO_SSLv2;
}
if ((enabledSslProtocols & SslProtocols.Ssl3) != SslProtocols.Ssl3 &&
((enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default))
{
// no SSLv3 support
sslContext.Options |= SslOptions.SSL_OP_NO_SSLv3;
}
if ((enabledSslProtocols & SslProtocols.Tls) != SslProtocols.Tls &&
(enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default)
{
sslContext.Options |= SslOptions.SSL_OP_NO_TLSv1;
}
/*
// Initialize the context with the specified ssl version
switch (enabledSslProtocols)
{
case SslProtocols.None:
throw new ArgumentException("SslProtocol.None is not supported", "enabledSslProtocols");
break;
case SslProtocols.Ssl2:
sslContext = new SslContext(SslMethod.SSLv2_server_method);
break;
case SslProtocols.Ssl3:
case SslProtocols.Default:
sslContext = new SslContext(SslMethod.SSLv3_server_method);
break;
case SslProtocols.Tls:
sslContext = new SslContext(SslMethod.TLSv1_server_method);
break;
}
*/
// Set the context mode
sslContext.Mode = SslMode.SSL_MODE_AUTO_RETRY;
// Set the workaround options
sslContext.Options = SslOptions.SSL_OP_ALL;
// Set the client certificate verification callback if we are requiring client certs
if (clientCertificateRequired)
{
sslContext.SetVerify(VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, remoteCertificateSelectionCallback);
}
else
{
sslContext.SetVerify(VerifyMode.SSL_VERIFY_NONE, null);
}
// Set the client certificate max verification depth
sslContext.SetVerifyDepth(10);
// Set the certificate store and ca list
if (caCerts != null)
{
// Don't take ownership of the X509Store IntPtr. When we
// SetCertificateStore, the context takes ownership of the store pointer.
X509Store cert_store = new X509Store(caCerts, false);
sslContext.SetCertificateStore(cert_store);
Core.Stack<X509Name> name_stack = new Core.Stack<X509Name>();
foreach (X509Certificate cert in caCerts)
{
X509Name subject = cert.Subject;
name_stack.Add(subject);
}
// Assign the stack to the context
sslContext.CAList = name_stack;
}
// Set the cipher string
sslContext.SetCipherList(GetCipherString(false, enabledSslProtocols, sslStrength));
// Set the certificate
sslContext.UseCertificate(serverCertificate);
// Set the private key
sslContext.UsePrivateKey(serverCertificate.PrivateKey);
// Set the session id context
sslContext.SetSessionIdContext(Encoding.ASCII.GetBytes(AppDomain.CurrentDomain.FriendlyName));
}
