private bool CustomCertificateValidation(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors) { if (sslPolicyErrors != System.Net.Security.SslPolicyErrors.None) { return(WaCertThumbprints.Contains(certificate.GetCertHashString())); } return(true); }
static private bool ValidateRemoteCertificate(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors) { if (certificate.Subject.Contains("service.chadder.im")) { return(certificate.GetCertHashString() == "FD096DBACCFA2A0C32554D3825FDB82F72209057" && sslPolicyErrors == System.Net.Security.SslPolicyErrors.None); } return(sslPolicyErrors == System.Net.Security.SslPolicyErrors.None); }
private bool CustomCertificateValidation(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors) { if (certificate.GetCertHashString() == WA_CERT_THUMBPRINT) { return(true); } else { return(false); } }
// Debug SMTP Tls Certificate private bool RemoteServerCertificateValidationCallback(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors) { // Test - Zertifikat ausgeben if (_param.AppCfg_DebugTLS == "True" || _param.AppCfg_DebugTLS == "true") { MessageBox.Show("SMTP-Zertifikat: " + Environment.NewLine + "SN: " + certificate.GetSerialNumberString() + Environment.NewLine + "Hash: " + certificate.GetCertHashString() + Environment.NewLine + "From: " + certificate.GetEffectiveDateString() + Environment.NewLine + "To: " + certificate.GetExpirationDateString() + Environment.NewLine + "Issuer: " + certificate.Issuer + Environment.NewLine + "Subject: " + certificate.Subject ); } return(true); }
private bool ValidateUntrustedCert(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors) { var certificateThumbPrint = certificate.GetCertHashString(); if (certificateThumbPrint == PuProdCertThumbPrint) { if (AllowUnsafePuProdCert) { return(true); } throw new ApplicationException(@"PU prod does have a self signed certificate. To allow the use of the well known self signed certificate add the setting <setting name=""AllowUnsafePuProdCert"" serializeAs=""String""> <value>True</value> </setting> to your app/web.config This is not enabled by default to make sure you are aware that you trust a self signed certificate. "); } else if (certificateThumbPrint == PuTestCertThumbPrint) { if (AllowUnsafePuTestCert) { return(true); } throw new ApplicationException(@"PU test does have a self signed certificate. To allow the use of the well known self signed certificate add the setting <setting name=""AllowUnsafePuTestCert"" serializeAs=""String""> <value>True</value> </setting> to your app/web.config This is not enabled by default to make sure you are aware that you trust a self signed certificate. "); } return(sslPolicyErrors == System.Net.Security.SslPolicyErrors.None); }
private void ExtractData(Packets.TcpPacket tcpPacket, FiveTuple fiveTuple, bool transferIsClientToServer, Packets.TlsRecordPacket.HandshakePacket handshake) { NetworkHost sourceHost, destinationHost; if (transferIsClientToServer) { sourceHost = fiveTuple.ClientHost; destinationHost = fiveTuple.ServerHost; } else { sourceHost = fiveTuple.ServerHost; destinationHost = fiveTuple.ClientHost; } //foreach (Packets.AbstractPacket p in tlsRecordPacket.GetSubPackets(false)) { // if(p.GetType()==typeof(Packets.TlsRecordPacket.HandshakePacket)) { // Packets.TlsRecordPacket.HandshakePacket handshake=(Packets.TlsRecordPacket.HandshakePacket)p; foreach (var version in handshake.GetSupportedSslVersions()) { //destinationHost.AddHostName(handshake.ServerHostName); System.Collections.Specialized.NameValueCollection param = new System.Collections.Specialized.NameValueCollection { { "TLS Handshake " + Enum.GetName(typeof(Packets.TlsRecordPacket.HandshakePacket.MessageTypes), handshake.MessageType) + " Supported Version", version.Item1.ToString() + "." + version.Item2.ToString() + " (0x" + version.Item1.ToString("x2") + version.Item2.ToString("x2") + ")" } }; base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(handshake.ParentFrame.FrameNumber, fiveTuple, transferIsClientToServer, param, handshake.ParentFrame.Timestamp, "TLS Handshake")); } if (!String.IsNullOrEmpty(handshake.GetAlpnNextProtocolString())) { //destinationHost.AddHostName(handshake.ServerHostName); System.Collections.Specialized.NameValueCollection param = new System.Collections.Specialized.NameValueCollection { { "TLS ALPN", handshake.GetAlpnNextProtocolString() } }; base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(handshake.ParentFrame.FrameNumber, fiveTuple, transferIsClientToServer, param, handshake.ParentFrame.Timestamp, "TLS Handshake")); } if (handshake.MessageType == Packets.TlsRecordPacket.HandshakePacket.MessageTypes.ClientHello) { if (handshake.ServerHostName != null) { destinationHost.AddHostName(handshake.ServerHostName); System.Collections.Specialized.NameValueCollection param = new System.Collections.Specialized.NameValueCollection(); param.Add("TLS Server Name (SNI)", handshake.ServerHostName); base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(handshake.ParentFrame.FrameNumber, fiveTuple, transferIsClientToServer, param, handshake.ParentFrame.Timestamp, "TLS Client Hello")); } } else if (handshake.MessageType == Packets.TlsRecordPacket.HandshakePacket.MessageTypes.Certificate) { for (int i = 0; i < handshake.CertificateList.Count; i++) { byte[] certificate = handshake.CertificateList[i]; string x509CertSubject; System.Security.Cryptography.X509Certificates.X509Certificate x509Cert = null; try { x509Cert = new System.Security.Cryptography.X509Certificates.X509Certificate(certificate); x509CertSubject = x509Cert.Subject; } catch { x509CertSubject = "Unknown_x509_Certificate_Subject"; x509Cert = null; } if (x509CertSubject.Contains("CN=")) { x509CertSubject = x509CertSubject.Substring(x509CertSubject.IndexOf("CN=") + 3); } else if (x509CertSubject.Contains("=")) { x509CertSubject = x509CertSubject.Substring(x509CertSubject.IndexOf('=') + 1); } if (x509CertSubject.Length > 28) { x509CertSubject = x509CertSubject.Substring(0, 28); } if (x509CertSubject.Contains(",")) { x509CertSubject = x509CertSubject.Substring(0, x509CertSubject.IndexOf(',')); } x509CertSubject.Trim(new char[] { '.', ' ' }); /* * while (x509CertSubject.EndsWith(".") || x509CertSubject.EndsWith(" ")) * x509CertSubject=x509CertSubject.Substring(0, x509CertSubject.Length-1); */ string filename = x509CertSubject + ".cer"; string fileLocation = "/"; string details; if (x509Cert != null) { details = "TLS Certificate: " + x509Cert.Subject; } else { details = "TLS Certificate: Unknown x509 Certificate"; } FileTransfer.FileStreamAssembler assembler = new FileTransfer.FileStreamAssembler(base.MainPacketHandler.FileStreamAssemblerList, fiveTuple, transferIsClientToServer, FileTransfer.FileStreamTypes.TlsCertificate, filename, fileLocation, certificate.Length, certificate.Length, details, null, tcpPacket.ParentFrame.FrameNumber, tcpPacket.ParentFrame.Timestamp, FileTransfer.FileStreamAssembler.FileAssmeblyRootLocation.source); base.MainPacketHandler.FileStreamAssemblerList.Add(assembler); if (i == 0 && x509CertSubject.Contains(".") && !x509CertSubject.Contains("*") && !x509CertSubject.Contains(" ")) { sourceHost.AddHostName(x509CertSubject); } System.Collections.Specialized.NameValueCollection parameters = new System.Collections.Specialized.NameValueCollection(); //parameters.Add("Certificate Subject", x509Cert.Subject); const string CERTIFICATE_SUBJECT = "Certificate Subject"; this.addParameters(parameters, x509Cert.Subject, CERTIFICATE_SUBJECT); if (i == 0) { //check for CN parameter if (parameters[CERTIFICATE_SUBJECT + " CN"] != null) { foreach (string cn in parameters.GetValues(CERTIFICATE_SUBJECT + " CN")) { sourceHost.AddNumberedExtraDetail("X.509 Certificate Subject CN", cn); if (cn.Contains(".") && !cn.Contains(" ")) { if (cn.Contains("*")) { if (cn.StartsWith("*.")) { sourceHost.AddDomainName(cn.Substring(2)); } } else { sourceHost.AddHostName(cn); } } } } } this.addParameters(parameters, x509Cert.Issuer, "Certificate Issuer"); //parameters.Add("Certificate Issuer", x509Cert.Issuer); parameters.Add("Certificate Hash", x509Cert.GetCertHashString()); parameters.Add("Certificate valid from", x509Cert.GetEffectiveDateString()); parameters.Add("Certificate valid to", x509Cert.GetExpirationDateString()); parameters.Add("Certificate Serial", x509Cert.GetSerialNumberString()); try { System.Security.Cryptography.X509Certificates.X509Certificate2 cert2 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificate); foreach (var ext in cert2.Extensions) { string fn = ext.Oid.FriendlyName; string oid = ext.Oid.Value; string val = ext.Format(true); System.IO.StringReader sr = new System.IO.StringReader(val); string line = sr.ReadLine(); while (line != null) { parameters.Add(oid + " " + fn, line); if (i == 0 && oid == "2.5.29.17") { sourceHost.AddNumberedExtraDetail("X.509 Certificate " + fn, line); } line = sr.ReadLine(); } } if (cert2.Verify()) { parameters.Add("Certificate valid", "TRUE"); } else { parameters.Add("Certificate valid", "FALSE"); } } catch (Exception) { } base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(tcpPacket.ParentFrame.FrameNumber, fiveTuple, transferIsClientToServer, parameters, tcpPacket.ParentFrame.Timestamp, "X.509 Certificate")); if (assembler.TryActivate()) { assembler.AddData(certificate, tcpPacket.SequenceNumber);//this one should trigger FinnishAssembling() } } } //} //return true; }
public void AcceptCallback(IAsyncResult ar) { try { Socket listener = (Socket)ar.AsyncState; Socket socket = listener.EndAccept(ar); if (m_socket != null) { throw new Exception("Client not allowed: connection already active"); } m_socket = socket; LogDebug("Accepted connection"); // Check allowed { Process clientProcess = Utils.GetProcessOfMatchingIPEndPoint(m_socket.RemoteEndPoint as IPEndPoint, m_localEndPoint); string clientPath = clientProcess.MainModule.FileName; if (clientProcess == null) { throw new Exception("Client not allowed: Cannot detect client process"); } // If spot mode, must be the parent if (m_serviceMode == false) { int parentPID = Utils.GetParentProcess().Id; if (clientProcess.Id != parentPID) { throw new Exception("Client not allowed: Connection not from parent process (spot mode)"); } } // If service mode, hash must match if (m_serviceMode) { string allowedHash = ""; if (m_cmdline.ContainsKey("allowed_hash")) { allowedHash = m_cmdline["allowed_hash"]; } string clientHash = Utils.HashSHA512File(clientPath); if (allowedHash != clientHash) { throw new Exception("Client not allowed: Hash mismatch (client " + clientHash + " != expected " + allowedHash + ") (service mode)"); } } // Check signature (optional) { try { System.Security.Cryptography.X509Certificates.X509Certificate c1 = System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromSignedFile(System.Reflection.Assembly.GetEntryAssembly().Location); // If above don't throw exception, Elevated it's signed, so it's mandatory that client is signed from same subject. try { System.Security.Cryptography.X509Certificates.X509Certificate c2 = System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromSignedFile(clientPath); bool match = ( (c1.Issuer == c2.Issuer) && (c1.Subject == c2.Subject) && (c1.GetCertHashString() == c2.GetCertHashString()) && (c1.GetEffectiveDateString() == c2.GetEffectiveDateString()) && (c1.GetPublicKeyString() == c2.GetPublicKeyString()) && (c1.GetRawCertDataString() == c2.GetRawCertDataString()) && (c1.GetSerialNumberString() == c2.GetSerialNumberString()) ); if (match == false) { throw new Exception("Client not allowed: digital signature mismatch"); } } catch (Exception) { throw new Exception("Client not allowed: digital signature not available"); } } catch (Exception) { // Not signed, but maybe compiled from source, it's an optional check. } } } ReplyPID(Process.GetCurrentProcess().Id); m_socket.BeginReceive(m_buffer, 0, m_bufferSize, 0, new AsyncCallback(ReadCallback), m_socket); } catch (Exception ex) { Close(ex.Message); } }
public void AcceptCallback(IAsyncResult ar) { try { Socket listener = (Socket)ar.AsyncState; Socket socket = listener.EndAccept(ar); if (m_socket != null) { throw new Exception("A connection is already running"); } m_socket = socket; DebugLog("Accepted connection"); Process clientProcess = Utils.GetProcessOfMatchingIPEndPoint(m_socket.RemoteEndPoint as IPEndPoint, m_localEndPoint); if (clientProcess == null) { throw new Exception("Unable to detect client process"); } #if DEBUG // Never release a signed debug. #else bool match = false; try { System.Security.Cryptography.X509Certificates.X509Certificate c1 = System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromSignedFile(System.Reflection.Assembly.GetEntryAssembly().Location); System.Security.Cryptography.X509Certificates.X509Certificate c2 = System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromSignedFile(clientProcess.MainModule.FileName); match = ( (c1.Issuer == c2.Issuer) && (c1.Subject == c2.Subject) && (c1.GetCertHashString() == c2.GetCertHashString()) && (c1.GetEffectiveDateString() == c2.GetEffectiveDateString()) && (c1.GetPublicKeyString() == c2.GetPublicKeyString()) && (c1.GetRawCertDataString() == c2.GetRawCertDataString()) && (c1.GetSerialNumberString() == c2.GetSerialNumberString()) ); } catch { } if (Constants.Debug) { match = true; } if (match == false) { throw new Exception("Client not allowed, signature mismatch."); } #endif ReplyPID(Process.GetCurrentProcess().Id); m_socket.BeginReceive(m_buffer, 0, m_bufferSize, 0, new AsyncCallback(ReadCallback), m_socket); } catch (Exception ex) { Close(ex.Message); } }