static bool ValidateCertAgainstBaseline(IDictionary<string, string> certVals, X509Certificate cer)
{
bool retVal = true;
long effectiveDateFound, expiryDateFound, effectiveDateBsl, expiryDateBsl;
byte[] bytes;
string str;
int hash;
IntPtr handle;
// now validate against the actual cert
if (!certVals["HashString"].Equals(cer.GetCertHashString()))
{
TestFramework.LogError("001", "Expected hash string: " + certVals["HashString"] + ", found: " + cer.GetCertHashString());
retVal = false;
}
// check the dates
try
{
effectiveDateBsl = Convert.ToInt64(certVals["EffectiveDateStringInTicks"]);
effectiveDateFound = DateTime.Parse(cer.GetEffectiveDateString(), CultureInfo.InvariantCulture).ToUniversalTime().Ticks;
expiryDateBsl = Convert.ToInt64(certVals["ExpirationDateStringInTicks"]);
expiryDateFound = DateTime.Parse(cer.GetExpirationDateString(), CultureInfo.InvariantCulture).ToUniversalTime().Ticks;
if (effectiveDateBsl != effectiveDateFound)
{
TestFramework.LogError("002", "Expected \"Valid From\": [" + (new DateTime(effectiveDateBsl, DateTimeKind.Utc)).ToString() + "], found: [" + cer.GetEffectiveDateString() +" nonUTC]");
TestFramework.LogError("002", " ticks(" + effectiveDateBsl + ") found ticks(" + effectiveDateFound + ")");
retVal = false;
}
if (expiryDateBsl != expiryDateFound)
{
TestFramework.LogError("003", "Expected \"Valid To\": [" + (new DateTime(expiryDateBsl)).ToString() + "], found: [" + cer.GetExpirationDateString() + " nonUTC]");
TestFramework.LogError("003", " ticks(" + expiryDateBsl + ") found ticks(" + expiryDateFound + ")");
retVal = false;
}
}
catch (Exception e)
{
TestFramework.LogError("103", "Unexpected exception: " + e);
retVal = false;
}
TestFramework.LogInformation(" Validating field: Format");
if (!certVals["Format"].Equals(cer.GetFormat()))
{
TestFramework.LogError("004", "Expected format: " + certVals["Format"] + ", found: " + cer.GetFormat());
retVal = false;
}
TestFramework.LogInformation(" Validating field: Issuer");
if (!certVals["Issuer"].Equals(cer.Issuer))
{
TestFramework.LogError("005", "Expected issuer: " + certVals["Issuer"] + ", found: " + cer.Issuer);
retVal = false;
}
TestFramework.LogInformation(" Validating field: KeyAlgorithm");
if (!certVals["KeyAlgorithm"].Equals(cer.GetKeyAlgorithm()))
{
TestFramework.LogError("006", "Expected key algorithm: " + certVals["KeyAlgorithm"] + ", found: " + cer.GetKeyAlgorithm());
retVal = false;
}
TestFramework.LogInformation(" Validating field: KeyAlgorithmParameters");
if (!certVals["KeyAlgorithmParameters"].Equals(cer.GetKeyAlgorithmParametersString()))
{
TestFramework.LogError("007", "Expected key alg parameters :" + certVals["KeyAlgorithmParameters"] + ", found :" +
cer.GetKeyAlgorithmParametersString());
retVal = false;
}
TestFramework.LogInformation(" Validating field: PublicKeyString");
if (!certVals["PublicKeyString"].Equals(cer.GetPublicKeyString()))
{
TestFramework.LogError("008", "Expected public key: " + certVals["PublicKeyString"] + ", found: " +
cer.GetPublicKeyString());
retVal = false;
}
TestFramework.LogInformation(" Validating field: SerialNumberString");
if (!certVals["SerialNumberString"].Equals(cer.GetSerialNumberString()))
{
TestFramework.LogError("009", "Expected serial number: " + certVals["SerialNumberString"] + ", found: " + cer.GetSerialNumberString());
retVal = false;
}
TestFramework.LogInformation(" Validating field: Subject");
if (!certVals["Subject"].Equals(cer.Subject))
{
TestFramework.LogError("010", "Expected subject: " + certVals["Subject"] + ", found: " + cer.Subject);
retVal = false;
}
TestFramework.LogInformation(" Retrieving field: CertHash");
bytes = cer.GetCertHash();
TestFramework.LogInformation(" Retrieving field: HashCode");
hash = cer.GetHashCode();
TestFramework.LogInformation(" Retrieving field: RawCertHash");
bytes = cer.GetRawCertData();
TestFramework.LogInformation(" Retrieving field: RawCertDataString");
str = cer.GetRawCertDataString();
TestFramework.LogInformation(" Retrieving field: SerialNumber");
bytes = cer.GetSerialNumber();
TestFramework.LogInformation(" Retrieving field: ToString()");
str = cer.ToString();
TestFramework.LogInformation(" Retrieving field: ToString(true)");
str = cer.ToString(true);
TestFramework.LogInformation(" Retrieving field: Handle");
handle = GetHandle(cer);
TestFramework.LogInformation(" Testing: Equality with a string");
if (cer.Equals(str))
{
TestFramework.LogError("110", "X509Certificate \"equals\" a string?");
retVal = false;
}
TestFramework.LogInformation(" Testing: Equality with itself(1)");
if (!cer.Equals((object)cer))
{
TestFramework.LogError("120", "X509Certificate does not equal itself");
retVal = false;
}
TestFramework.LogInformation(" Testing: Equality with itself(2)");
if (!cer.Equals(cer))
{
TestFramework.LogError("130", "X509Certificate does not equal itself");
retVal = false;
}
return retVal;
}
public static void AddCertificate(X509Certificate certificate, string hostname)
{
Dictionary <string, string> known_servers = KnownServers;
known_servers.Add(hostname, certificate.GetCertHashString());
KnownServers = known_servers;
}
private bool ValidateCert(object sender, X509Certificate cert,
X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
//все и так хорошо
if (sslPolicyErrors == SslPolicyErrors.None)
{
return(true);
}
//не передан хэш сертификата
//значит и проверять нечего
if (string.IsNullOrEmpty(CertHashString))
{
return(false);
}
//получаем хэш сертификата сервера в виде строки
string hashstring = cert.GetCertHashString();
//если хэши полученного и известного
//сертификата совпадают - все ок.
if (hashstring == CertHashString)
{
return(true);
}
return(false);
}
// Token: 0x06000098 RID: 152 RVA: 0x00009AE0 File Offset: 0x00007CE0
public bool method_0(object object_0, X509Certificate x509Certificate_0, X509Chain x509Chain_0, SslPolicyErrors sslPolicyErrors_0)
{
string host = ((HttpWebRequest)object_0).Host;
string certHashString = x509Certificate_0.GetCertHashString();
if (Debugger.IsAttached)
{
return(true);
}
if (Class158.smethod_3().ToUpper().Contains(certHashString.ToUpper()))
{
return(true);
}
if (this.bool_0)
{
if (!x509Certificate_0.Issuer.Contains("Let's Encrypt Authority X3") && !x509Certificate_0.Issuer.Contains("DigiCert SHA2 High Assurance Server CA"))
{
GClass3.smethod_0(certHashString, "SSL");
return(false);
}
return(true);
}
else
{
if (host.Contains("supreme"))
{
return(true);
}
GClass3.smethod_0(certHashString, "SSL");
return(host.Replace("www.", string.Empty) == "supremenewyork.com" && x509Certificate_0.Issuer == "CN=GlobalSign CloudSSL CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE");
}
}
public static void ReplaceCertificate(string hostname, X509Certificate certificate)
{
Dictionary <string, string> known_servers = KnownServers;
known_servers[hostname] = certificate.GetCertHashString();
KnownServers = known_servers;
}
/// <summary>
/// Callback used to validate the certificate in an SSL conversation
/// </summary>
/// <param name="sender"></param>
/// <param name="cert"></param>
/// <param name="chain"></param>
/// <param name="policyErrors"></param>
/// <returns></returns>
public static bool ValidateRemoteCertificate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors policyErrors)
{
//if there are no certificate validation errors, we always return true
if (policyErrors == SslPolicyErrors.None)
{
return(true);
}
// if there are certification validation errors, we check for a few cases of self-signed certificates that we trust
var validCertificates = new List <string>()
{
//self signed certificates of our servers:
//2c 4f 9b ff ad 30 ee 30 4c 78 e0 a5 c8 d9 d8 f2 fe 40 e3 56,
"2C4F9BFFAD30EE304C78E0A5C8D9D8F2Fe40E356",
//c2 24 11 9d 9f 36 0c 21 20 69 3b 79 84 e0 c2 14 be 24 57 d9
"C224119D9F360C2120693B7984E0C214BE2457D9",
//d0 a8 0e 74 eb 6c d9 ee e4 39 04 88 35 13 fc 8b 24 b2 12 e2
"D0A80E74EB6CD9EEE43904883513FC8B24B212E2"
};
var certHashString = cert.GetCertHashString();
bool shouldApprove = validCertificates.Contains(certHashString);
if (!shouldApprove)
{
Trace.WriteLine(string.Format("Remote certificate validation failed for {0} (thumbprint {1})", cert.Subject, certHashString));
}
return(shouldApprove);
}
[DebuggerNonUserCode] // avoid "Exception User-Unhandled" Visual Studio messages
public static bool ValidateCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
if (sender.GetType() != typeof(HttpWebRequest))
{
return(sslPolicyErrors == SslPolicyErrors.None);
}
var request = (HttpWebRequest)sender;
var hash = certificate.GetCertHashString();
trustedCertificates.TryGetValue(hash, out var hosts);
if (hosts != null)
{
if (hosts.Contains(request.Host))
{
return(true);
}
}
if (sslPolicyErrors != SslPolicyErrors.None)
{
// Throw exception with certificate details, this will cause a "Exception User-Unhandled" when running it in the Visual Studio debugger.
// The certificate is only available inside this function, so we can't catch it at the calling method.
throw new Exception("certificate validation failed: " + certificate.ToString());
}
return(sslPolicyErrors == SslPolicyErrors.None);
}
public void ConstructorIntPtr()
{
byte[] cert = { 0x30, 0x82, 0x01, 0xFF, 0x30, 0x82, 0x01, 0x6C, 0x02, 0x05, 0x02, 0x72, 0x00, 0x06, 0xE8, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x02, 0x05, 0x00, 0x30, 0x5F, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x20, 0x30, 0x1E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x17, 0x52, 0x53, 0x41, 0x20, 0x44, 0x61, 0x74, 0x61, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2C, 0x20, 0x49, 0x6E, 0x63, 0x2E, 0x31, 0x2E, 0x30, 0x2C, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x13, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x53, 0x65, 0x72, 0x76,
0x65, 0x72, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x30, 0x1E, 0x17, 0x0D, 0x39, 0x36, 0x30, 0x33, 0x31, 0x32, 0x31, 0x38, 0x33, 0x38, 0x34, 0x37, 0x5A, 0x17, 0x0D, 0x39, 0x37, 0x30, 0x33, 0x31, 0x32, 0x31, 0x38, 0x33, 0x38, 0x34, 0x36, 0x5A, 0x30, 0x61, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0A, 0x43, 0x61, 0x6C, 0x69, 0x66, 0x6F, 0x72, 0x6E, 0x69, 0x61, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03,
0x55, 0x04, 0x0A, 0x13, 0x0B, 0x43, 0x6F, 0x6D, 0x6D, 0x65, 0x72, 0x63, 0x65, 0x4E, 0x65, 0x74, 0x31, 0x27, 0x30, 0x25, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x13, 0x1E, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x30, 0x70, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x5F, 0x00, 0x30, 0x5C, 0x02, 0x55, 0x2D, 0x58, 0xE9, 0xBF, 0xF0, 0x31, 0xCD, 0x79, 0x06, 0x50, 0x5A, 0xD5, 0x9E, 0x0E, 0x2C, 0xE6, 0xC2, 0xF7, 0xF9,
0xD2, 0xCE, 0x55, 0x64, 0x85, 0xB1, 0x90, 0x9A, 0x92, 0xB3, 0x36, 0xC1, 0xBC, 0xEA, 0xC8, 0x23, 0xB7, 0xAB, 0x3A, 0xA7, 0x64, 0x63, 0x77, 0x5F, 0x84, 0x22, 0x8E, 0xE5, 0xB6, 0x45, 0xDD, 0x46, 0xAE, 0x0A, 0xDD, 0x00, 0xC2, 0x1F, 0xBA, 0xD9, 0xAD, 0xC0, 0x75, 0x62, 0xF8, 0x95, 0x82, 0xA2, 0x80, 0xB1, 0x82, 0x69, 0xFA, 0xE1, 0xAF, 0x7F, 0xBC, 0x7D, 0xE2, 0x7C, 0x76, 0xD5, 0xBC, 0x2A, 0x80, 0xFB, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x02, 0x05, 0x00, 0x03, 0x7E, 0x00, 0x54, 0x20, 0x67, 0x12, 0xBB, 0x66, 0x14, 0xC3, 0x26, 0x6B, 0x7F,
0xDA, 0x4A, 0x25, 0x4D, 0x8B, 0xE0, 0xFD, 0x1E, 0x53, 0x6D, 0xAC, 0xA2, 0xD0, 0x89, 0xB8, 0x2E, 0x90, 0xA0, 0x27, 0x43, 0xA4, 0xEE, 0x4A, 0x26, 0x86, 0x40, 0xFF, 0xB8, 0x72, 0x8D, 0x1E, 0xE7, 0xB7, 0x77, 0xDC, 0x7D, 0xD8, 0x3F, 0x3A, 0x6E, 0x55, 0x10, 0xA6, 0x1D, 0xB5, 0x58, 0xF2, 0xF9, 0x0F, 0x2E, 0xB4, 0x10, 0x55, 0x48, 0xDC, 0x13, 0x5F, 0x0D, 0x08, 0x26, 0x88, 0xC9, 0xAF, 0x66, 0xF2, 0x2C, 0x9C, 0x6F, 0x3D, 0xC3, 0x2B, 0x69, 0x28, 0x89, 0x40, 0x6F, 0x8F, 0x35, 0x3B, 0x9E, 0xF6, 0x8E, 0xF1, 0x11, 0x17, 0xFB, 0x0C, 0x98, 0x95, 0xA1, 0xC2, 0xBA, 0x89, 0x48, 0xEB, 0xB4, 0x06, 0x6A, 0x22, 0x54,
0xD7, 0xBA, 0x18, 0x3A, 0x48, 0xA6, 0xCB, 0xC2, 0xFD, 0x20, 0x57, 0xBC, 0x63, 0x1C };
// will only work on Windows (MS or Mono)
// this isn't much of a problem because the structure CERT_CONTEXT (IntPtr)
// is specific to CryptoAPI/Windows.
IntPtr handle = IntPtr.Zero;
if (Path.DirectorySeparatorChar == '\\')
{
handle = GetHandle(cert);
}
else
{
handle = GetHandleEx(cert);
}
X509Certificate x509 = new X509Certificate(handle);
byte[] hash = { 0xD6, 0x2F, 0x48, 0xD0, 0x13, 0xEE, 0x7F, 0xB5, 0x8B, 0x79, 0x07, 0x45, 0x12, 0x67, 0x0D, 0x9C, 0x5B, 0x3A, 0x5D, 0xA9 };
Assert.AreEqual(hash, x509.GetCertHash(), "GetCertHash");
Assert.AreEqual("D62F48D013EE7FB58B79074512670D9C5B3A5DA9", x509.GetCertHashString(), "GetCertHashString");
#if NET_2_0
DateTime from = DateTime.ParseExact(x509.GetEffectiveDateString(), "MM/dd/yyyy HH:mm:ss", null).ToUniversalTime();
Assert.AreEqual("03/12/1996 18:38:47", from.ToString(), "GetEffectiveDateString");
DateTime until = DateTime.ParseExact(x509.GetExpirationDateString(), "MM/dd/yyyy HH:mm:ss", null).ToUniversalTime();
Assert.AreEqual("03/12/1997 18:38:46", until.ToString(), "GetExpirationDateString");
#else
// fx 1.x has a bug where the returned dates were always in the Seattle time zone
Assert.AreEqual("03/12/1996 10:38:47", x509.GetEffectiveDateString(), "GetEffectiveDateString");
Assert.AreEqual("03/12/1997 10:38:46", x509.GetExpirationDateString(), "GetExpirationDateString");
// which was making it easier to test the dates ;-)
#endif
Assert.AreEqual("X509", x509.GetFormat(), "GetFormat");
Assert.AreEqual(-701544240, x509.GetHashCode(), "GetHashCode");
Assert.AreEqual("C=US, O=\"RSA Data Security, Inc.\", OU=Secure Server Certification Authority", x509.GetIssuerName(), "GetIssuerName");
Assert.AreEqual("1.2.840.113549.1.1.1", x509.GetKeyAlgorithm(), "GetKeyAlgorithm");
byte[] keyparams = { 0x05, 0x00 };
Assert.AreEqual(keyparams, x509.GetKeyAlgorithmParameters(), "GetKeyAlgorithmParameters");
Assert.AreEqual("0500", x509.GetKeyAlgorithmParametersString(), "GetKeyAlgorithmParametersString");
Assert.AreEqual("C=US, S=California, O=CommerceNet, OU=Server Certification Authority", x509.GetName(), "GetName");
byte[] pubkey = { 0x30, 0x5C, 0x02, 0x55, 0x2D, 0x58, 0xE9, 0xBF, 0xF0, 0x31, 0xCD, 0x79, 0x06, 0x50, 0x5A, 0xD5, 0x9E, 0x0E, 0x2C, 0xE6, 0xC2, 0xF7, 0xF9, 0xD2, 0xCE, 0x55, 0x64, 0x85, 0xB1, 0x90, 0x9A, 0x92, 0xB3, 0x36, 0xC1, 0xBC, 0xEA, 0xC8, 0x23, 0xB7, 0xAB, 0x3A, 0xA7, 0x64, 0x63, 0x77, 0x5F, 0x84, 0x22, 0x8E, 0xE5, 0xB6, 0x45, 0xDD, 0x46, 0xAE, 0x0A, 0xDD, 0x00, 0xC2, 0x1F, 0xBA, 0xD9, 0xAD, 0xC0, 0x75, 0x62, 0xF8, 0x95, 0x82, 0xA2, 0x80, 0xB1, 0x82, 0x69, 0xFA, 0xE1, 0xAF, 0x7F, 0xBC, 0x7D, 0xE2, 0x7C, 0x76, 0xD5, 0xBC, 0x2A, 0x80, 0xFB, 0x02, 0x03, 0x01, 0x00, 0x01 };
Assert.AreEqual(pubkey, x509.GetPublicKey(), "GetPublicKey");
Assert.AreEqual("305C02552D58E9BFF031CD7906505AD59E0E2CE6C2F7F9D2CE556485B1909A92B336C1BCEAC823B7AB3AA76463775F84228EE5B645DD46AE0ADD00C21FBAD9ADC07562F89582A280B18269FAE1AF7FBC7DE27C76D5BC2A80FB0203010001", x509.GetPublicKeyString(), "GetPublicKeyString");
Assert.AreEqual(cert, x509.GetRawCertData(), "GetRawCertData");
Assert.AreEqual(ToString(cert), x509.GetRawCertDataString(), "GetRawCertDataString");
byte[] serial = { 0xE8, 0x06, 0x00, 0x72, 0x02 };
Assert.AreEqual(serial, x509.GetSerialNumber(), "GetSerialNumber");
#if NET_2_0
Assert.AreEqual("02720006E8", x509.GetSerialNumberString(), "GetSerialNumberString");
#else
Assert.AreEqual("E806007202", x509.GetSerialNumberString(), "GetSerialNumberString");
#endif
}
/// <summary>
/// Binds the given certificate from the given store to the given ip:port and returns whether the operation was successfull
/// </summary>
/// <param name="ip">IP Address</param>
/// <param name="port">TCP/UDP Port</param>
/// <param name="cert">The .X509 certificate</param>
/// <param name="store">The .X509 certificate store, into which the certificate will be installed if it is not present</param>
/// <param name="force">Indicates that current existing port bindings shall be overwritten</param>
/// <returns>Operation success result (false indicates, that the port has already been bound to an other certificate)</returns>
public static bool BindCertificatePort(string ip, ushort port, X509Certificate cert, StoreName store, bool force)
{
if (!NeedsBinding(ip, port))
{
if (force)
{
UnbindPort(ip, port);
}
else
{
return(false);
}
}
using (Process proc = new Process
{
StartInfo = new ProcessStartInfo
{
Verb = "runas",
UseShellExecute = false,
WorkingDirectory = Util.Sys32Path,
WindowStyle = ProcessWindowStyle.Hidden,
FileName = $@"{Util.Sys32Path}\netsh.exe",
Arguments = $@"http add sslcert ipport=""{ip}:{port}"" certhash={cert.GetCertHashString()} appid={{{GUID}}}", // clientcertnegotiation=enable
}
})
{
proc.Start();
proc.WaitForExit();
return(true);
}
}
// TODO: this is just a temporary hack not meant to be used in production enviroment
public static bool Validator(
object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors
)
{
string gitHubCertificateHash = "CF059889CAFF8ED85E5CE0C2E4F7E6C3C750DD5C";
string remoteCertificateHash = certificate.GetCertHashString();
if (sslPolicyErrors == SslPolicyErrors.None)
{
return(true);
}
// verify against api.github.com certificate hash string
else if (sslPolicyErrors == SslPolicyErrors.RemoteCertificateChainErrors && remoteCertificateHash == gitHubCertificateHash)
{
Console.WriteLine("Applied github certificate issue work-around.");
return(true);
}
else
{
Console.WriteLine("SSL validation error! Remote hash is: {0}", remoteCertificateHash);
return(false);
}
}
private bool CertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == SslPolicyErrors.None)
{
return(true);
}
_logger.LogError(
"SMTP Server's certificate {CertificateSubject} issued by {CertificateIssuer} with thumbprint {CertificateThumbprint} and expiration date {CertificateExpirationDate} is considered invalid with {SslPolicyErrors} policy errors",
certificate.Subject,
certificate.Issuer,
certificate.GetCertHashString(),
certificate.GetExpirationDateString(),
sslPolicyErrors);
if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors) && chain?.ChainStatus != null)
{
foreach (var chainStatus in chain.ChainStatus)
{
_logger.LogError("Status: {Status} - {StatusInformation}", chainStatus.Status, chainStatus.StatusInformation);
}
}
return(false);
}
public bool IsExempted(HttpWebRequest request, X509Certificate certificate)
{
try
{
using (SqliteCommand command = m_connection.CreateCommand())
{
command.CommandText = "SELECT Thumbprint, Host, DateExempted, ExpireDate FROM cert_exemptions WHERE Thumbprint = $certHash AND Host = $host";
command.Parameters.Add(new SqliteParameter("$certHash", certificate.GetCertHashString()));
command.Parameters.Add(new SqliteParameter("$host", request.Host));
using (SqliteDataReader reader = command.ExecuteReader())
{
if (reader.Read())
{
if (isReaderRowCurrentlyExempted(reader))
{
return(true);
}
}
}
return(false);
}
}
catch (Exception ex)
{
LoggerUtil.RecursivelyLogException(m_logger, ex);
return(false);
}
}
public bool CertificateValidation(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
{
Eligible eligble = Eligible.Instance;
ArrayList fingerprint = eligble.Fingerprints();
if (certificate == null || chain == null)
{
return(false);
}
if (errors != SslPolicyErrors.None)
{
return(false);
}
var certFingerprint = certificate.GetCertHashString();
if (!fingerprint.Contains(certFingerprint))
{
return(false);
}
return(true);
}
public static string GetCertificateInfo(X509Certificate certificate)
{
StringBuilder certInfo = new StringBuilder();
//Note: certificate.ToString() returns just the class name in Mono 2.0
// Simulate the .Net frameworks 2.0 ToString()
certInfo.AppendLine("[Subject]");
certInfo.AppendLine(certificate.Subject);
certInfo.AppendLine("");
certInfo.AppendLine("[Issuer]");
certInfo.AppendLine(certificate.Issuer);
certInfo.AppendLine("");
certInfo.AppendLine("[Serial Number]");
certInfo.AppendLine(certificate.GetSerialNumberString());
certInfo.AppendLine("");
certInfo.AppendLine("[Not Before]");
certInfo.AppendLine(certificate.GetEffectiveDateString());
certInfo.AppendLine("");
certInfo.AppendLine("[Not After]");
certInfo.AppendLine(certificate.GetExpirationDateString());
certInfo.AppendLine("");
certInfo.AppendLine("[Thumbprint]");
certInfo.AppendLine(certificate.GetCertHashString());
return(certInfo.ToString());
}
public override void Authenticate(RequestContext <AuthenticateRequest, AuthenticateResponse> requestContext)
{
SslConnection connection = _context.Connection as SslConnection;
X509Certificate cert = connection.ClientCertificate;
string certHashString = cert.GetCertHashString();
foreach (User user in ServerContext.AccessControlList.Users)
{
SslAuthenticationParameters auth = (SslAuthenticationParameters)user.GetAuthentication("ssl_auth");
if (auth != null && auth.CertificateHash.Equals(certHashString))
{
ServerContext.ServerAuthenticationContext.AuthenticatedPermissionMember = user;
AuthenticateResponse response = requestContext.CreateResponse();
response.Succeeded = true;
response.Execute();
return;
}
}
_log.WarnFormat("Could not find user associated with certificate '{0}'", certHashString);
AuthenticateResponse errorResponse = requestContext.CreateResponse();
errorResponse.Succeeded = false;
errorResponse.CustomErrorMessage = "No client associated with specified certificate!";
errorResponse.Execute();
}
private X509SecurityToken getToken(string which)
{
X509SecurityToken token = null;
X509CertificateStore store = null;
string serverKeyIdentifier = "bBwPfItvKp3b6TNDq+14qs58VJQ="; //"po3h4Y4J8ITs/pW3acuRjpT8V1o=";
string clientKeyIdentifier = "gBfo0147lM6cKnTbbMSuMVvmFY4="; //"Gu4aD7+bYTVtmSveoPIWTRtzD3M=";
store = X509CertificateStore.CurrentUserStore(X509CertificateStore.MyStore);
store.OpenRead();
X509CertificateCollection coll;
if (which == "server")
{
coll = store.FindCertificateByKeyIdentifier(Convert.FromBase64String(serverKeyIdentifier));
}
else
{
coll = store.FindCertificateByKeyIdentifier(Convert.FromBase64String(clientKeyIdentifier));
}
if (coll.Count > 0)
{
X509Certificate cert = (X509Certificate)coll[0];
token = new X509SecurityToken(cert);
byte[] hash = cert.GetCertHash();
string hashstring = cert.GetCertHashString();
string serialstring = cert.GetSerialNumberString();
}
return(token);
}
public bool AreEqual(X509Certificate a, X509Certificate b)
{
var aHash = a.GetCertHashString();
var bHash = b.GetCertHashString();
return(string.Equals(aHash, bHash));
}
private static bool ValidateServerCertficate(
object sender,
X509Certificate cert,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
//// The path to the certificate.
string Certificate = "/Users/haydenredd/Projects/SplunkSharp/SplunkSharp/Resources/splunk-VirtualBox.crt";
// Load the certificate into an X509Certificate object.
cert = X509Certificate.CreateFromCertFile(Certificate);
string results = cert.GetCertHashString();
if (results == someString)
{
Console.WriteLine(results + " = " + someString);
return(true);
}
else
{
Console.WriteLine(results + " != " + someString);
return(false);
//Environment.Exit(1);
}
}
public static ActionResult GetThumbPrint(Session session)
{
var certpath = session["CERTPATH"].ToString();
var password = session["CERTPASS"].ToString();
if (string.IsNullOrEmpty(certpath.Trim()))
{
MessageBox.Show("Please, select the certificate file path correctly.",
session["ProductName"] ?? "modSIC",
MessageBoxButtons.OK,
MessageBoxIcon.Error
);
return(ActionResult.Success);
}
try
{
X509Certificate certificate = new X509Certificate(certpath, password);
session["CERTHASHCODE"] = certificate.GetCertHashString();
session["VALIDCERTIFICATE"] = "1";
return(ActionResult.Success);
}
catch (Exception ex)
{
MessageBox.Show(ex.Message, session["ProductName"] ?? "modSIC", MessageBoxButtons.OK, MessageBoxIcon.Error);
session.Log(ex.Message);
session["VALIDCERTIFICATE"] = "0";
return(ActionResult.Success);
}
}
private static void DisplayCertInformation(X509Certificate remoteCertificate, bool verbose)
{
Console.WriteLine("");
Console.WriteLine("Certficate Information for:");
Console.WriteLine($"{remoteCertificate.Subject}");
Console.WriteLine("");
Console.WriteLine("Valid From:");
Console.WriteLine($"{remoteCertificate.GetEffectiveDateString()}");
Console.WriteLine("Valid To:");
Console.WriteLine($"{remoteCertificate.GetExpirationDateString()}");
Console.WriteLine("Certificate Format:");
Console.WriteLine($"{remoteCertificate.GetFormat()}");
Console.WriteLine("");
Console.WriteLine("Issuer Name:");
Console.WriteLine($"{remoteCertificate.Issuer}");
if (verbose)
{
Console.WriteLine("Serial Number:");
Console.WriteLine($"{remoteCertificate.GetSerialNumberString()}");
Console.WriteLine("Hash:");
Console.WriteLine($"{remoteCertificate.GetCertHashString()}");
Console.WriteLine("Key Algorithm:");
Console.WriteLine($"{remoteCertificate.GetKeyAlgorithm()}");
Console.WriteLine("Key Algorithm Parameters:");
Console.WriteLine($"{remoteCertificate.GetKeyAlgorithmParametersString()}");
Console.WriteLine("Public Key:");
Console.WriteLine($"{remoteCertificate.GetPublicKeyString()}");
}
}
static void Main(string[] args)
{
Console.Write("Input path to signed binary: ");
X509Certificate cert = X509Certificate.CreateFromSignedFile(Console.ReadLine());
Console.WriteLine(cert.GetCertHashString());
}
private static bool TrustValidate(X509Certificate certificate, WebRequest request = null)
{
string host;
return(request != null &&
Trusted.TryGetValue(certificate.GetCertHashString() ?? String.Empty, out host) &&
request.RequestUri.Host == host);
}
public CertificateDetails(X509Certificate certificate)
{
IssuedTo = certificate.Subject.Replace("CN=", string.Empty);
IssuedBy = certificate.Issuer.Replace("CN=", string.Empty);
IssueDate = certificate.GetEffectiveDateString();
ExpireDate = certificate.GetExpirationDateString();
Thumbprint = certificate.GetCertHashString()?.ToLower();
}
/// <summary>
/// Remote Certificate validation override method
/// </summary>
/// <param name="sender"></param>
/// <param name="certificate"></param>
/// <param name="chain"></param>
/// <param name="sslPolicyErrors"></param>
/// <returns></returns>
public static bool RemoteCertificateValidation(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
//Validate the certificate hash, if we're using a self signed certificate, at least check its the same one we issued.
if (certificate.GetCertHashString() == "48D5760D449114D08E0297AD9BDB29028326BD96")
{
return(true);
}
return(false);
}
private static void ValidateServerCertificate(X509Certificate certificate, string thumbprint)
{
string certHashString = certificate.GetCertHashString();
if (!thumbprint.Equals(certHashString))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("HttpsServerCertThumbprintMismatch", new object[] { certificate.Subject, certHashString, thumbprint })));
}
}
public bool CheckValidationResult(ServicePoint service_point,
X509Certificate certificate,
WebRequest request,
int problem)
{
Log.DebugFormat("Checking validation result for {0}: "
+ "problem={1}",
request.RequestUri, problem);
if (0 == problem)
{
return(true);
}
// Only try to deal with the problem if it is a trust
// failure.
if (-2146762486 != problem)
{
return(false);
}
LoadCertificates();
string hash = certificate.GetCertHashString();
Log.Debug("Certificate hash: " + hash);
int stored_problem = 0;
if (cert_hashes.TryGetValue(hash, out stored_problem) &&
problem == stored_problem)
{
Log.Debug("We already trust this site");
return(true);
}
Decision decision = GetDecision(certificate, request);
Log.Debug("Decision: " + decision);
switch (decision)
{
case Decision.DontTrust:
return(false);
case Decision.TrustOnce:
return(true);
case Decision.TrustAlways:
SaveCertificate(hash, problem);
return(true);
default:
Debug.Assert(false, "Unknown decision");
return(false);
}
}
public bool RemoteCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
// Check MeshCentral server's TLS certificate. This is our first security layer.
if ((serverTlsCertHash != null) && (serverTlsCertHash != certificate.GetCertHashString().ToLower()) && (serverTlsCertHash != GetMeshKeyHash(certificate).ToLower()) && (serverTlsCertHash != GetMeshCertHash(certificate).ToLower()))
{
return(false);
}
return(true);
}
public static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
Console.WriteLine("Certificate: {0}", certificate.GetCertHashString());
if (sslPolicyErrors == SslPolicyErrors.None)
{
return(true);
}
Console.WriteLine("Certificate error: {0}", sslPolicyErrors);
return(false);
}
private bool VerifyServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
string hash1 = GetMeshKeyHash(certificate);
string hash2 = certificate.GetCertHashString();
Debug("VerifyServerCertificate: tlsCertFingerprint = " + ((tlsCertFingerprint == null) ? "NULL" : tlsCertFingerprint));
Debug("VerifyServerCertificate: Hash1 = " + hash1);
Debug("VerifyServerCertificate: Hash2 = " + hash2);
return((tlsCertFingerprint == GetMeshKeyHash(certificate)) || (tlsCertFingerprint == certificate.GetCertHashString()));
}
private bool ValidateServerCertificate(
object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == SslPolicyErrors.None)
{
// we can perform additional certificate checks here
return(true);
}
// Do not allow this client to communicate with unauthenticated servers.
// log the certificate error into the error log.
var s = "SSL certificate error: ";
s += sslPolicyErrors;
if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
{
// if name mismatch error is reported, and the stored name is not empty
// then the remote certificate is not acceptable.
string s2 = "CN=";
s2 += Certificate.Name.ToUpper();
s = certificate.Subject.ToUpper();
if (Certificate.Name.Length != 0 && (!s.Contains(s2)))
{
Console.WriteLine("SSL certificate name " + certificate.Subject + " unexpected with given certificate " + Certificate.Name + ". Rejecting ...");
return(false);
}
}
if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0)
{
// if there is a certificate chain error, then we accept the certificate
// if its hash matches what we expect, or if stored hash is "-"
s = certificate.GetCertHashString();
if (s != null)
{
if ((!s.Equals(Certificate.Hash, StringComparison.OrdinalIgnoreCase)) && Certificate.Hash.Length != 0)
{
Console.WriteLine("SSL certificate hash " + s + " unexpected with given hash " + Certificate.Hash + ". Rejecting ...");
return(false);
}
}
}
return(true);
}
private static bool SSLValidationForLinux(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslpolicyerrors)
{
// If the Mono root CA store is initialized properly, then use that.
if (sslpolicyerrors == SslPolicyErrors.None)
{
// Good certificate.
return(true);
}
// I'm not sure of the stability of the certificate thumbprint for protobuild.org
// itself, so instead just verify that it is Let's Encrypt that's providing the
// certificate.
if (sender is HttpWebRequest &&
(sender as HttpWebRequest).Host == "protobuild.org")
{
if (chain.ChainElements.Count > 2 &&
chain.ChainElements[1].Certificate.Thumbprint == "3EAE91937EC85D74483FF4B77B07B43E2AF36BF4")
{
// This is the Let's Encrypt certificate authority. We can implicitly trust this without warning.
return(true);
}
else
{
// The thumbprint differs! Show a danger message to the user, but continue anyway
// because if the thumbprint does legitimately change, we have no way of backporting
// a new certificate thumbprint without issuing a new version of Protobuild.
var givenThumbprint = chain.ChainElements.Count >= 2 ?
chain.ChainElements[1].Certificate.Thumbprint :
"<no thumbprint available>";
Console.Error.WriteLine(
"DANGER: The thumbprint of the issuer's SSL certificate for protobuild.org \"" +
givenThumbprint + "\" does not match the expected thumbprint value \"" +
chain.ChainElements[1].Certificate.Thumbprint +
"\". It's possible that Let's Encrypt " +
"changed their certificate thumbprint, or someone is performing a MITM " +
"attack on your connection. Unfortunately Mono does not ship out-of-the-box " +
"with appropriate root CA certificates on Linux, so we have no method of verifying " +
"that the proposed thumbprint is correct. You should verify that the given " +
"thumbprint is correct either through your web browser (by visiting protobuild.org " +
"and checking the certificate chain), or by performing the same operation on " +
"Mac OS or Windows. If the operation succeeds, or the thumbprint matches, please " +
"file an issue at https://github.com/hach-que/Protobuild/issues/new so we can " +
"update the embedded thumbprint. We will now continue the operation regardless " +
"as we can't update the thumbprint in previous versions if it has changed.");
return(true);
}
}
Console.WriteLine(
"WARNING: Implicitly trusting SSL certificate " + certificate.GetCertHashString() + " " +
"for " + certificate.Subject + " issued by " + certificate.Issuer + " on Linux, due " +
"to inconsistent root CA store policies of Mono.");
return(true);
}
