/// <include file='doc\PublisherIdentityPermission.uex' path='docs/doc[@for="PublisherIdentityPermission.ToXml"]/*' />
public override SecurityElement ToXml()
{
SecurityElement esd = CodeAccessPermission.CreatePermissionElement(this);
if (m_certificate != null)
{
esd.AddAttribute("X509v3Certificate", m_certificate.GetRawCertDataString());
}
return(esd);
}
/// <include file='doc\PublisherMembershipCondition.uex' path='docs/doc[@for="PublisherMembershipCondition.ToXml1"]/*' />
public SecurityElement ToXml(PolicyLevel level)
{
if (m_certificate == null && m_element != null)
{
ParseCertificate();
}
SecurityElement root = new SecurityElement("IMembershipCondition");
System.Security.Util.XMLUtil.AddClassAttribute(root, this.GetType());
root.AddAttribute("version", "1");
if (m_certificate != null)
{
root.AddAttribute("X509Certificate", m_certificate.GetRawCertDataString());
}
return(root);
}
public void AcceptCallback(IAsyncResult ar)
{
try
{
Socket listener = (Socket)ar.AsyncState;
Socket socket = listener.EndAccept(ar);
if (m_socket != null)
{
throw new Exception("Client not allowed: connection already active");
}
m_socket = socket;
LogDebug("Accepted connection");
// Check allowed
{
Process clientProcess = Utils.GetProcessOfMatchingIPEndPoint(m_socket.RemoteEndPoint as IPEndPoint, m_localEndPoint);
string clientPath = clientProcess.MainModule.FileName;
if (clientProcess == null)
{
throw new Exception("Client not allowed: Cannot detect client process");
}
// If spot mode, must be the parent
if (m_serviceMode == false)
{
int parentPID = Utils.GetParentProcess().Id;
if (clientProcess.Id != parentPID)
{
throw new Exception("Client not allowed: Connection not from parent process (spot mode)");
}
}
// If service mode, hash must match
if (m_serviceMode)
{
string allowedHash = "";
if (m_cmdline.ContainsKey("allowed_hash"))
{
allowedHash = m_cmdline["allowed_hash"];
}
string clientHash = Utils.HashSHA512File(clientPath);
if (allowedHash != clientHash)
{
throw new Exception("Client not allowed: Hash mismatch (client " + clientHash + " != expected " + allowedHash + ") (service mode)");
}
}
// Check signature (optional)
{
try
{
System.Security.Cryptography.X509Certificates.X509Certificate c1 = System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromSignedFile(System.Reflection.Assembly.GetEntryAssembly().Location);
// If above don't throw exception, Elevated it's signed, so it's mandatory that client is signed from same subject.
try
{
System.Security.Cryptography.X509Certificates.X509Certificate c2 = System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromSignedFile(clientPath);
bool match = (
(c1.Issuer == c2.Issuer) &&
(c1.Subject == c2.Subject) &&
(c1.GetCertHashString() == c2.GetCertHashString()) &&
(c1.GetEffectiveDateString() == c2.GetEffectiveDateString()) &&
(c1.GetPublicKeyString() == c2.GetPublicKeyString()) &&
(c1.GetRawCertDataString() == c2.GetRawCertDataString()) &&
(c1.GetSerialNumberString() == c2.GetSerialNumberString())
);
if (match == false)
{
throw new Exception("Client not allowed: digital signature mismatch");
}
}
catch (Exception)
{
throw new Exception("Client not allowed: digital signature not available");
}
}
catch (Exception)
{
// Not signed, but maybe compiled from source, it's an optional check.
}
}
}
ReplyPID(Process.GetCurrentProcess().Id);
m_socket.BeginReceive(m_buffer, 0, m_bufferSize, 0, new AsyncCallback(ReadCallback), m_socket);
}
catch (Exception ex)
{
Close(ex.Message);
}
}
public void AcceptCallback(IAsyncResult ar)
{
try
{
Socket listener = (Socket)ar.AsyncState;
Socket socket = listener.EndAccept(ar);
if (m_socket != null)
{
throw new Exception("A connection is already running");
}
m_socket = socket;
DebugLog("Accepted connection");
Process clientProcess = Utils.GetProcessOfMatchingIPEndPoint(m_socket.RemoteEndPoint as IPEndPoint, m_localEndPoint);
if (clientProcess == null)
{
throw new Exception("Unable to detect client process");
}
#if DEBUG
// Never release a signed debug.
#else
bool match = false;
try
{
System.Security.Cryptography.X509Certificates.X509Certificate c1 = System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromSignedFile(System.Reflection.Assembly.GetEntryAssembly().Location);
System.Security.Cryptography.X509Certificates.X509Certificate c2 = System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromSignedFile(clientProcess.MainModule.FileName);
match = (
(c1.Issuer == c2.Issuer) &&
(c1.Subject == c2.Subject) &&
(c1.GetCertHashString() == c2.GetCertHashString()) &&
(c1.GetEffectiveDateString() == c2.GetEffectiveDateString()) &&
(c1.GetPublicKeyString() == c2.GetPublicKeyString()) &&
(c1.GetRawCertDataString() == c2.GetRawCertDataString()) &&
(c1.GetSerialNumberString() == c2.GetSerialNumberString())
);
}
catch
{
}
if (Constants.Debug)
{
match = true;
}
if (match == false)
{
throw new Exception("Client not allowed, signature mismatch.");
}
#endif
ReplyPID(Process.GetCurrentProcess().Id);
m_socket.BeginReceive(m_buffer, 0, m_bufferSize, 0, new AsyncCallback(ReadCallback), m_socket);
}
catch (Exception ex)
{
Close(ex.Message);
}
}
public bool PsCertificateValidationCallBack(
object sender,
System.Security.Cryptography.X509Certificates.X509Certificate certificate,
System.Security.Cryptography.X509Certificates.X509Chain chain,
System.Net.Security.SslPolicyErrors sslPolicyErrors)
{
string sCerts = string.Empty;
// If the certificate is a valid, signed certificate, return true.
if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.None)
{
sCerts += "[Valid Cert - No Errors]----------------------------\r\n\r\n";
sCerts += "Issuer: " + certificate.Issuer + "\r\n";
sCerts += "Subject: " + certificate.Subject + "\r\n";
sCerts += "EffectiveDateString: " + certificate.GetEffectiveDateString() + "\r\n";
sCerts += "ExpirationDate: " + certificate.GetExpirationDateString() + "\r\n";
sCerts += "Format: " + certificate.GetFormat() + "\r\n";
sCerts += "SerialNumber: " + certificate.GetSerialNumberString() + "\r\n";
sCerts += "RawCertData: " + certificate.GetRawCertDataString() + "\r\n";
sCerts += "PublicKey: " + certificate.GetPublicKeyString() + "\r\n";
sCerts += "\r\n---------------------------------\r\n\r\n";
_Certificates += sCerts;
return(true);
}
// If thre are errors in the certificate chain, look at each error to determine the cause.
if ((sslPolicyErrors & System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors) != 0)
{
sCerts += "[Remote Certificate Chain Errors Found]----------------------------\r\n\r\n";
if (chain != null && chain.ChainStatus != null)
{
foreach (System.Security.Cryptography.X509Certificates.X509ChainStatus status in chain.ChainStatus)
{
if ((certificate.Subject == certificate.Issuer) &&
(status.Status == System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.UntrustedRoot))
{
sCerts += " [Self-signed certificates with an untrusted root - Considering as valid]----------------------------\r\n\r\n";
sCerts += " Status Information: " + status.StatusInformation + "\r\n\r\n";
sCerts += " Issuer: " + certificate.Issuer + "\r\n";
sCerts += " Subject: " + certificate.Subject + "\r\n";
sCerts += " EffectiveDateString: " + certificate.GetEffectiveDateString() + "\r\n";
sCerts += " ExpirationDate: " + certificate.GetExpirationDateString() + "\r\n";
sCerts += " Format: " + certificate.GetFormat() + "\r\n";
sCerts += " SerialNumber: " + certificate.GetSerialNumberString() + "\r\n";
sCerts += " RawCertData: " + certificate.GetRawCertDataString() + "\r\n";
sCerts += " PublicKey: " + certificate.GetPublicKeyString() + "\r\n";
sCerts += "\r\n ---------------------------------\r\n\r\n";
_Certificates += sCerts;
// Self-signed certificates with an untrusted root are valid.
continue;
}
else
{
if (status.Status != System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.NoError)
{
sCerts += " [Certificate Errors - Considering as invlid]----------------------------\r\n";
sCerts += " Status Information: " + status.StatusInformation + "\r\n\r\n";
sCerts += " Issuer: " + certificate.Issuer + "\r\n";
sCerts += " Subject: " + certificate.Subject + "\r\n";
sCerts += " EffectiveDateString: " + certificate.GetEffectiveDateString() + "\r\n";
sCerts += " ExpirationDate: " + certificate.GetExpirationDateString() + "\r\n";
sCerts += " Format: " + certificate.GetFormat() + "\r\n";
sCerts += " SerialNumber: " + certificate.GetSerialNumberString() + "\r\n";
sCerts += " RawCertData: " + certificate.GetRawCertDataString() + "\r\n";
sCerts += " PublicKey: " + certificate.GetPublicKeyString() + "\r\n";
sCerts += "\r\n ---------------------------------\r\n\r\n";
_Certificates += sCerts;
// If there are any other errors in the certificate chain, the certificate is invalid,
// so the method returns false.
return(false);
}
}
}
}
// When processing reaches this line, the only errors in the certificate chain are
// untrusted root errors for self-signed certifcates. These certificates are valid
// for default Exchange server installations, so return true.
return(true);
}
else
{
// In all other cases, return false.
return(false);
}
}