public ServerContext(
SslServerStream stream,
SecurityProtocolType securityProtocolType,
X509Certificate serverCertificate,
bool clientCertificateRequired)
: base(securityProtocolType)
{
this.sslStream = stream;
this.clientCertificateRequired = clientCertificateRequired;
// Convert the System.Security cert to a Mono Cert
MonoX509.X509Certificate cert = new MonoX509.X509Certificate(serverCertificate.GetRawCertData());
// Add server certificate to the certificate collection
this.ServerSettings.Certificates = new MonoX509.X509CertificateCollection();
this.ServerSettings.Certificates.Add(cert);
this.ServerSettings.UpdateCertificateRSA();
// Add requested certificate types
this.ServerSettings.CertificateTypes = new ClientCertificateType[1];
this.ServerSettings.CertificateTypes[0] = ClientCertificateType.RSA;
// Add certificate authorities
this.ServerSettings.DistinguisedNames = new string[0];
}
public ServerContext(
SslServerStream stream,
SecurityProtocolType securityProtocolType,
X509Certificate serverCertificate,
bool clientCertificateRequired)
: base(securityProtocolType)
{
this.sslStream = stream;
this.clientCertificateRequired = clientCertificateRequired;
// Convert the System.Security cert to a Mono Cert
MonoX509.X509Certificate cert = new MonoX509.X509Certificate(serverCertificate.GetRawCertData());
// Add server certificate to the certificate collection
this.ServerSettings.Certificates = new MonoX509.X509CertificateCollection();
this.ServerSettings.Certificates.Add(cert);
this.ServerSettings.UpdateCertificateRSA();
// Add requested certificate types
this.ServerSettings.CertificateTypes = new ClientCertificateType[1];
this.ServerSettings.CertificateTypes[0] = ClientCertificateType.RSA;
// Add certificate authorities
MonoX509.X509CertificateCollection trusted = MonoX509.X509StoreManager.TrustedRootCertificates;
string[] list = new string [trusted.Count];
int i = 0;
foreach (MonoX509.X509Certificate root in trusted)
{
list [i++] = root.IssuerName;
}
this.ServerSettings.DistinguisedNames = list;
}
public override MSI.IMonoTlsContext CreateTlsContext(
string hostname, bool serverMode, MSI.TlsProtocols protocolFlags,
SSCX.X509Certificate serverCertificate, PSSCX.X509CertificateCollection clientCertificates,
bool remoteCertRequired, MSI.MonoEncryptionPolicy encryptionPolicy,
MSI.MonoTlsSettings settings)
{
TlsConfiguration config;
if (serverMode)
{
var cert = (PSSCX.X509Certificate2)serverCertificate;
var monoCert = new MX.X509Certificate(cert.RawData);
config = new TlsConfiguration((TlsProtocols)protocolFlags, (MSI.MonoTlsSettings)settings, monoCert, cert.PrivateKey);
if (remoteCertRequired)
{
config.AskForClientCertificate = true;
}
}
else
{
config = new TlsConfiguration((TlsProtocols)protocolFlags, (MSI.MonoTlsSettings)settings, hostname);
}
return(new TlsContextWrapper(config, serverMode));
}
// RFC2818 - HTTP Over TLS, Section 3.1
// http://www.ietf.org/rfc/rfc2818.txt
//
// 1. if present MUST use subjectAltName dNSName as identity
// 1.1. if multiples entries a match of any one is acceptable
// 1.2. wildcard * is acceptable
// 2. URI may be an IP address -> subjectAltName.iPAddress
// 2.1. exact match is required
// 3. Use of the most specific Common Name (CN=) in the Subject
// 3.1 Existing practice but DEPRECATED
static bool CheckServerIdentity(Mono.Security.X509.X509Certificate cert, string targetHost)
{
try {
Mono.Security.X509.X509Extension ext = cert.Extensions ["2.5.29.17"];
// 1. subjectAltName
if (ext != null)
{
SubjectAltNameExtension subjectAltName = new SubjectAltNameExtension(ext);
// 1.1 - multiple dNSName
foreach (string dns in subjectAltName.DNSNames)
{
// 1.2 TODO - wildcard support
if (Match(targetHost, dns))
{
return(true);
}
}
// 2. ipAddress
foreach (string ip in subjectAltName.IPAddresses)
{
// 2.1. Exact match required
if (ip == targetHost)
{
return(true);
}
}
}
// 3. Common Name (CN=)
return(CheckDomainName(cert.SubjectName, targetHost));
} catch (Exception e) {
Console.Error.WriteLine("ERROR processing certificate: {0}", e);
Console.Error.WriteLine("Please, report this problem to the Mono team");
return(false);
}
}
public static bool TryInstallCert(Syscert.X509Certificate certificate, ILog log = null)
{
try
{
var monoX509 = new Monocert.X509Certificate(certificate.GetRawCertData());
var store = WorkContext.IsMono
? Monocert.X509StoreManager.CurrentUser.TrustedRoot
: Monocert.X509StoreManager.LocalMachine.TrustedRoot;
// Add the certificate to the store.
store.Import(monoX509);
store.Certificates.Add(monoX509);
return(true);
}
catch (Exception ex)
{
if (log != null)
{
log.ErrorFormat("TryInstallCert() failed. Error: {0}", ex);
}
}
return(false);
}
private static bool CheckServerIdentity(Mono.Security.X509.X509Certificate cert, string targetHost)
{
bool result;
try
{
Mono.Security.X509.X509Extension x509Extension = cert.Extensions["2.5.29.17"];
if (x509Extension != null)
{
SubjectAltNameExtension subjectAltNameExtension = new SubjectAltNameExtension(x509Extension);
foreach (string pattern in subjectAltNameExtension.DNSNames)
{
if (ServicePointManager.ChainValidationHelper.Match(targetHost, pattern))
{
return(true);
}
}
foreach (string a in subjectAltNameExtension.IPAddresses)
{
if (a == targetHost)
{
return(true);
}
}
}
result = ServicePointManager.ChainValidationHelper.CheckDomainName(cert.SubjectName, targetHost);
}
catch (Exception arg)
{
Console.Error.WriteLine("ERROR processing certificate: {0}", arg);
Console.Error.WriteLine("Please, report this problem to the Mono team");
result = false;
}
return(result);
}
public ServerContext(
SslServerStream stream,
SecurityProtocolType securityProtocolType,
X509Certificate serverCertificate,
bool clientCertificateRequired)
: base(securityProtocolType)
{
this.sslStream = stream;
this.clientCertificateRequired = clientCertificateRequired;
// Convert the System.Security cert to a Mono Cert
MonoX509.X509Certificate cert = new MonoX509.X509Certificate(serverCertificate.GetRawCertData());
// Add server certificate to the certificate collection
this.ServerSettings.Certificates = new MonoX509.X509CertificateCollection();
this.ServerSettings.Certificates.Add(cert);
this.ServerSettings.UpdateCertificateRSA();
// Add requested certificate types
this.ServerSettings.CertificateTypes = new ClientCertificateType[1];
this.ServerSettings.CertificateTypes[0] = ClientCertificateType.RSA;
// Add certificate authorities
MonoX509.X509CertificateCollection trusted = MonoX509.X509StoreManager.TrustedRootCertificates;
string[] list = new string [trusted.Count];
int i = 0;
foreach (MonoX509.X509Certificate root in trusted)
{
list [i++] = root.IssuerName;
}
this.ServerSettings.DistinguisedNames = list;
}
internal X509ExtensionCollection(MX.X509Certificate cert)
{
_list = new ArrayList(cert.Extensions.Count);
if (cert.Extensions.Count == 0)
{
return;
}
object[] parameters = new object [2];
foreach (MX.X509Extension ext in cert.Extensions)
{
bool critical = ext.Critical;
string oid = ext.Oid;
byte[] raw_data = null;
// extension data is embedded in an octet stream (4)
ASN1 value = ext.Value;
if ((value.Tag == 0x04) && (value.Count > 0))
{
raw_data = value [0].GetBytes();
}
parameters [0] = new AsnEncodedData(oid, raw_data);
parameters [1] = critical;
X509Extension newt = (X509Extension)CryptoConfig.CreateFromName(oid, parameters);
if (newt == null)
{
// not registred in CryptoConfig, using default
newt = new X509Extension(oid, raw_data, critical);
}
_list.Add(newt);
}
}
public void SubjectAltNameGenerator ()
{
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider ();
X509CertificateBuilder x509 = new X509CertificateBuilder ();
x509.IssuerName = "C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server";
x509.NotAfter = DateTime.MaxValue;
x509.NotBefore = DateTime.MinValue;
x509.SubjectName = "C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=www.freesoft.org";
x509.SerialNumber = new byte[] {12, 34, 56, 78, 90};
x509.Version = 3;
x509.SubjectPublicKey = rsa;
string[] dns = new string[2];
dns[0] = "one";
dns[1] = "two";
string[] uris = new string[3];
uris[0] = "one:two://three";
uris[1] = "Here:I:AM://12345";
uris[2] = "last:one";
SubjectAltNameExtension sane = new SubjectAltNameExtension (null, dns, null, uris);
x509.Extensions.Add (sane);
byte[] data = x509.Sign (rsa);
X509Certificate x509_loaded = new X509Certificate (data);
SubjectAltNameExtension sane_test = new SubjectAltNameExtension (x509_loaded.Extensions[0]);
Assert.AreEqual (sane_test.RFC822.Length, 0, "RFC822 count");
Assert.AreEqual (sane_test.DNSNames.Length, 2, "DNSName count");
Assert.AreEqual (sane_test.IPAddresses.Length, 0, "IPAddresses count");
Assert.AreEqual (sane_test.UniformResourceIdentifiers.Length, 3, "URI Count");
Assert.AreEqual (sane_test.DNSNames[1], "two", "DNSName test");
Assert.AreEqual (sane_test.UniformResourceIdentifiers[2], "last:one", "URI Test");
}
public ServerContext(
SslServerStream stream,
SecurityProtocolType securityProtocolType,
System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate,
bool clientCertificateRequired,
bool requestClientCertificate)
: base(securityProtocolType)
{
this.sslStream = stream;
this.clientCertificateRequired = clientCertificateRequired;
this.request_client_certificate = requestClientCertificate;
Mono.Security.X509.X509Certificate x509Certificate1 = new Mono.Security.X509.X509Certificate(serverCertificate.GetRawCertData());
this.ServerSettings.Certificates = new Mono.Security.X509.X509CertificateCollection();
this.ServerSettings.Certificates.Add(x509Certificate1);
this.ServerSettings.UpdateCertificateRSA();
this.ServerSettings.CertificateTypes = new ClientCertificateType[1];
this.ServerSettings.CertificateTypes[0] = ClientCertificateType.RSA;
Mono.Security.X509.X509CertificateCollection rootCertificates = X509StoreManager.TrustedRootCertificates;
string[] strArray = new string[rootCertificates.Count];
int num = 0;
foreach (Mono.Security.X509.X509Certificate x509Certificate2 in rootCertificates)
{
strArray[num++] = x509Certificate2.IssuerName;
}
this.ServerSettings.DistinguisedNames = strArray;
}
private bool checkCertificateUsage(Mono.Security.X509.X509Certificate cert)
{
ClientContext clientContext = (ClientContext)base.Context;
if (cert.Version < 3)
{
return(true);
}
KeyUsages usage = KeyUsages.none;
switch (clientContext.Negotiating.Cipher.ExchangeAlgorithmType)
{
case ExchangeAlgorithmType.DiffieHellman:
usage = KeyUsages.keyAgreement;
break;
case ExchangeAlgorithmType.Fortezza:
return(false);
case ExchangeAlgorithmType.RsaKeyX:
usage = KeyUsages.keyEncipherment;
break;
case ExchangeAlgorithmType.RsaSign:
usage = KeyUsages.digitalSignature;
break;
}
KeyUsageExtension keyUsageExtension = null;
ExtendedKeyUsageExtension extendedKeyUsageExtension = null;
Mono.Security.X509.X509Extension x509Extension = cert.Extensions["2.5.29.15"];
if (x509Extension != null)
{
keyUsageExtension = new KeyUsageExtension(x509Extension);
}
x509Extension = cert.Extensions["2.5.29.37"];
if (x509Extension != null)
{
extendedKeyUsageExtension = new ExtendedKeyUsageExtension(x509Extension);
}
if (keyUsageExtension != null && extendedKeyUsageExtension != null)
{
return(keyUsageExtension.Support(usage) && (extendedKeyUsageExtension.KeyPurpose.Contains("1.3.6.1.5.5.7.3.1") || extendedKeyUsageExtension.KeyPurpose.Contains("2.16.840.1.113730.4.1")));
}
if (keyUsageExtension != null)
{
return(keyUsageExtension.Support(usage));
}
if (extendedKeyUsageExtension != null)
{
return(extendedKeyUsageExtension.KeyPurpose.Contains("1.3.6.1.5.5.7.3.1") || extendedKeyUsageExtension.KeyPurpose.Contains("2.16.840.1.113730.4.1"));
}
x509Extension = cert.Extensions["2.16.840.1.113730.1.1"];
if (x509Extension != null)
{
NetscapeCertTypeExtension netscapeCertTypeExtension = new NetscapeCertTypeExtension(x509Extension);
return(netscapeCertTypeExtension.Support(NetscapeCertTypeExtension.CertTypes.SslServer));
}
return(true);
}
private byte[] GetKeyIdentifier(Mono.Security.X509.X509Certificate x509)
{
// if present in certificate return value of the SubjectKeyIdentifier
Mono.Security.X509.X509Extension extn = x509.Extensions ["2.5.29.14"];
if (extn != null)
{
ASN1 bs = new ASN1(extn.Value.Value);
return(bs.Value);
}
// strangely DEPRECATED keyAttributes isn't used here (like KeyUsage)
// if not then we must calculate the SubjectKeyIdentifier ourselve
// Note: MS does that hash on the complete subjectPublicKeyInfo (unlike PKIX)
// http://groups.google.ca/groups?selm=e7RqM%24plCHA.1488%40tkmsftngp02&oe=UTF-8&output=gplain
ASN1 subjectPublicKeyInfo = new ASN1(0x30);
ASN1 algo = subjectPublicKeyInfo.Add(new ASN1(0x30));
algo.Add(new ASN1(CryptoConfig.EncodeOID(x509.KeyAlgorithm)));
// FIXME: does it work for DSA certs (without an 2.5.29.14 extension ?)
algo.Add(new ASN1(x509.KeyAlgorithmParameters));
byte[] pubkey = x509.PublicKey;
byte[] bsvalue = new byte [pubkey.Length + 1]; // add unused bits (0) before the public key
Array.Copy(pubkey, 0, bsvalue, 1, pubkey.Length);
subjectPublicKeyInfo.Add(new ASN1(0x03, bsvalue));
SHA1 sha = SHA1.Create();
return(sha.ComputeHash(subjectPublicKeyInfo.GetBytes()));
}
// Methods
public int Add (X509Certificate value)
{
if (value == null)
throw new ArgumentNullException ("value");
return InnerList.Add (value);
}
private bool checkServerIdentity(Mono.Security.X509.X509Certificate cert)
{
ClientContext clientContext = (ClientContext)base.Context;
string targetHost = clientContext.ClientSettings.TargetHost;
Mono.Security.X509.X509Extension x509Extension = cert.Extensions["2.5.29.17"];
if (x509Extension != null)
{
SubjectAltNameExtension subjectAltNameExtension = new SubjectAltNameExtension(x509Extension);
foreach (string pattern in subjectAltNameExtension.DNSNames)
{
if (TlsServerCertificate.Match(targetHost, pattern))
{
return(true);
}
}
foreach (string a in subjectAltNameExtension.IPAddresses)
{
if (a == targetHost)
{
return(true);
}
}
}
return(this.checkDomainName(cert.SubjectName));
}
internal static ITlsConfiguration CreateTlsConfiguration (
string hostname, bool serverMode, MSI.TlsProtocols protocolFlags,
SSCX.X509Certificate serverCertificate, bool remoteCertRequired,
MSI.MonoTlsSettings settings)
{
object[] args;
ITlsConfiguration config;
if (serverMode) {
var cert = (PSSCX.X509Certificate2)serverCertificate;
var monoCert = new MX.X509Certificate (cert.RawData);
args = new object[] {
(MSI.TlsProtocols)protocolFlags,
(MSI.MonoTlsSettings)settings,
monoCert,
cert.PrivateKey
};
} else {
args = new object[] {
(MSI.TlsProtocols)protocolFlags,
(MSI.MonoTlsSettings)settings,
hostname
};
}
config = (ITlsConfiguration)CreateInstance (tlsConfigTypeName, args);
if (serverMode && remoteCertRequired)
config.AskForClientCertificate = true;
return config;
}
public static X509CertificateImpl Import(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
{
MX.X509Certificate x509;
if (password == null)
{
try {
x509 = new MX.X509Certificate(rawData);
} catch (Exception e) {
try {
x509 = ImportPkcs12(rawData, null);
} catch {
string msg = Locale.GetText("Unable to decode certificate.");
// inner exception is the original (not second) exception
throw new CryptographicException(msg, e);
}
}
}
else
{
// try PKCS#12
try {
x509 = ImportPkcs12(rawData, password);
}
catch {
// it's possible to supply a (unrequired/unusued) password
// fix bug #79028
x509 = new MX.X509Certificate(rawData);
}
}
return(new X509CertificateImplMono(x509));
}
public override void Import(byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
{
base.Import(rawData, password, keyStorageFlags);
if (password == null)
{
try {
_cert = new Mono.Security.X509.X509Certificate(rawData);
}
catch (Exception e) {
try {
ImportPkcs12(rawData, null);
}
catch {
string msg = Locale.GetText("Unable to decode certificate.");
// inner exception is the original (not second) exception
throw new CryptographicException(msg, e);
}
}
}
else
{
// try PKCS#12
try {
ImportPkcs12(rawData, password);
}
catch {
// it's possible to supply a (unrequired/unusued) password
// fix bug #79028
_cert = new Mono.Security.X509.X509Certificate(rawData);
}
}
}
public static X509CertificateImpl InitFromCertificate(X509CertificateImpl impl)
{
if (impl == null)
{
return(null);
}
var copy = impl.Clone();
if (copy != null)
{
return(copy);
}
var data = impl.GetRawCertData();
if (data == null)
{
return(null);
}
var x509 = new MX.X509Certificate(data);
return(new X509CertificateImplMono(x509));
}
public void AddRange (X509Certificate [] value)
{
if (value == null)
throw new ArgumentNullException ("value");
for (int i = 0; i < value.Length; i++)
InnerList.Add (value [i]);
}
/// <summary>True upon a non-revoked certificate, an exception otherwise.</summary>
public bool Verify(X509Certificate x509, Brunet.Messaging.ISender sender)
{
Certificate cert = new Certificate(x509.RawData);
if(!_revoked_users.Contains(cert.Subject.Name)) {
return true;
}
throw new Exception("User has been revoked!");
}
internal PublicKey(MSX.X509Certificate certificate)
{
// note: _key MUSTonly contains the public part of the key
bool export_required = true;
if (certificate.KeyAlgorithm == rsaOid)
{
#if !MOONLIGHT
// shortcut export/import in the case the private key isn't available
RSACryptoServiceProvider rcsp = (certificate.RSA as RSACryptoServiceProvider);
if ((rcsp != null) && rcsp.PublicOnly)
{
_key = certificate.RSA;
export_required = false;
}
else
#endif
{
RSAManaged rsam = (certificate.RSA as RSAManaged);
if ((rsam != null) && rsam.PublicOnly)
{
_key = certificate.RSA;
export_required = false;
}
}
if (export_required)
{
RSAParameters rsap = certificate.RSA.ExportParameters(false);
_key = RSA.Create();
(_key as RSA).ImportParameters(rsap);
}
}
else
{
#if !MOONLIGHT
// shortcut export/import in the case the private key isn't available
DSACryptoServiceProvider dcsp = (certificate.DSA as DSACryptoServiceProvider);
if ((dcsp != null) && dcsp.PublicOnly)
{
_key = certificate.DSA;
export_required = false;
}
// note: DSAManaged isn't available in Mono.Security due to a bug in Fx 1.x
if (export_required)
{
DSAParameters rsap = certificate.DSA.ExportParameters(false);
_key = DSA.Create();
(_key as DSA).ImportParameters(rsap);
}
#endif
}
_oid = new Oid(certificate.KeyAlgorithm);
_keyValue = new AsnEncodedData(_oid, certificate.PublicKey);
_params = new AsnEncodedData(_oid, certificate.KeyAlgorithmParameters);
}
public ServerContext(
SslServerStream stream,
SecurityProtocolType securityProtocolType,
X509Certificate serverCertificate,
bool clientCertificateRequired,
bool requestClientCertificate)
: base(securityProtocolType)
{
this.sslStream = stream;
this.clientCertificateRequired = clientCertificateRequired;
this.request_client_certificate = requestClientCertificate;
// Convert the System.Security cert to a Mono Cert
MonoX509.X509Certificate cert = new MonoX509.X509Certificate(serverCertificate.GetRawCertData());
// Add server certificate to the certificate collection
this.ServerSettings.Certificates = new MonoX509.X509CertificateCollection();
this.ServerSettings.Certificates.Add(cert);
this.ServerSettings.UpdateCertificateRSA();
if (CertificateValidationHelper.SupportsX509Chain)
{
// Build the chain for the certificate and if the chain is correct, add all certificates
// (except the root certificate [FIRST ONE] ... the client is supposed to know that one,
// otherwise the whole concept of a trusted chain doesn't work out ...
MonoX509.X509Chain chain = new MonoX509.X509Chain(MonoX509.X509StoreManager.IntermediateCACertificates);
if (chain.Build(cert))
{
for (int j = chain.Chain.Count - 1; j > 0; j--)
{
ServerSettings.Certificates.Add(chain.Chain [j]);
}
}
}
// Add requested certificate types
ServerSettings.CertificateTypes = new ClientCertificateType [ServerSettings.Certificates.Count];
for (int j = 0; j < this.ServerSettings.CertificateTypes.Length; j++)
{
ServerSettings.CertificateTypes [j] = ClientCertificateType.RSA;
}
if (CertificateValidationHelper.SupportsX509Chain)
{
// Add certificate authorities
MonoX509.X509CertificateCollection trusted = MonoX509.X509StoreManager.TrustedRootCertificates;
string[] list = new string [trusted.Count];
int i = 0;
foreach (MonoX509.X509Certificate root in trusted)
{
list [i++] = root.IssuerName;
}
this.ServerSettings.DistinguisedNames = list;
}
}
internal X509ExtensionCollection(MX.X509Certificate cert)
{
_list = new ArrayList(cert.Extensions.Count);
if (cert.Extensions.Count == 0)
{
return;
}
#if !MOONLIGHT
object[] parameters = new object [2];
#endif
foreach (MX.X509Extension ext in cert.Extensions)
{
bool critical = ext.Critical;
string oid = ext.Oid;
byte[] raw_data = null;
// extension data is embedded in an octet stream (4)
ASN1 value = ext.Value;
if ((value.Tag == 0x04) && (value.Count > 0))
{
raw_data = value [0].GetBytes();
}
X509Extension newt = null;
#if MOONLIGHT
// non-extensible
switch (oid)
{
case "2.5.29.14":
newt = new X509SubjectKeyIdentifierExtension(new AsnEncodedData(oid, raw_data), critical);
break;
case "2.5.29.15":
newt = new X509KeyUsageExtension(new AsnEncodedData(oid, raw_data), critical);
break;
case "2.5.29.19":
newt = new X509BasicConstraintsExtension(new AsnEncodedData(oid, raw_data), critical);
break;
case "2.5.29.37":
newt = new X509EnhancedKeyUsageExtension(new AsnEncodedData(oid, raw_data), critical);
break;
}
#else
parameters [0] = new AsnEncodedData(oid, raw_data);
parameters [1] = critical;
newt = (X509Extension)CryptoConfig.CreateFromName(oid, parameters);
#endif
if (newt == null)
{
// not registred in CryptoConfig, using default
newt = new X509Extension(oid, raw_data, critical);
}
_list.Add(newt);
}
}
public bool Verify(X509Certificate certificate, ISender sender)
{
AHSender ahsender = sender as AHSender;
if(ahsender == null) {
return true;
}
return CertificateHandler.Verify(certificate, ahsender.Destination.ToString());
}
private bool IsSignedWith(X509Certificate2 signed, AsymmetricAlgorithm pubkey)
{
if (pubkey == null)
{
return(false);
}
Mono.Security.X509.X509Certificate monoCertificate = signed.MonoCertificate;
return(monoCertificate.VerifySignature(pubkey));
}
public static X509CertificateImpl InitFromHandle (IntPtr handle)
{
// both Marshal.PtrToStructure and Marshal.Copy use LinkDemand (so they will always success from here)
CertificateContext cc = (CertificateContext) Marshal.PtrToStructure (handle, typeof (CertificateContext));
byte[] data = new byte [cc.cbCertEncoded];
Marshal.Copy (cc.pbCertEncoded, data, 0, (int)cc.cbCertEncoded);
var x509 = new MX.X509Certificate (data);
return new X509CertificateImplMono (x509);
}
override public bool AddCACertificate(mx509.X509Certificate cert)
{
if (!base.AddCACertificate(cert))
{
return(false);
}
Store.AddTrusted(MonoX509ToOpenSsl(cert));
return(true);
}
public static ox509.X509Certificate MonoX509ToOpenSsl(mx509.X509Certificate cert)
{
BIO bio = BIO.MemoryBuffer(true);
bio.Write(cert.RawData);
var ocert = ox509.X509Certificate.FromDER(bio);
bio.Dispose();
return(ocert);
}
public TlsConfiguration(TlsProtocols protocols, TlsSettings settings, MX.X509Certificate certificate, AsymmetricAlgorithm privateKey)
{
supportedProtocols = protocols;
requestedProtocol = CheckProtocol(ref supportedProtocols, true);
UserSettings = settings ?? new TlsSettings();
Certificate = certificate;
PrivateKey = privateKey;
RenegotiationFlags = DefaultRenegotiationFlags;
}
private bool IsSignedWith(X509Certificate2 signed, AsymmetricAlgorithm pubkey)
{
if (pubkey == null)
{
return(false);
}
// Sadly X509Certificate2 doesn't expose the signature nor the tbs (to be signed) structure
MX.X509Certificate mx = signed.MonoCertificate;
return(mx.VerifySignature(pubkey));
}
override public bool AddSignedCertificate(mx509.X509Certificate cert)
{
if (!base.AddSignedCertificate(cert))
{
return(false);
}
_local_certificate = MonoX509ToOpenSsl(cert);
return(true);
}
private MX.X509Certificate ImportPkcs12(byte[] rawData, string password)
{
MX.PKCS12 pfx = null;
if (string.IsNullOrEmpty(password))
{
try {
// Support both unencrypted PKCS#12..
pfx = new MX.PKCS12(rawData, (string)null);
} catch {
// ..and PKCS#12 encrypted with an empty password
pfx = new MX.PKCS12(rawData, string.Empty);
}
}
else
{
pfx = new MX.PKCS12(rawData, password);
}
if (pfx.Certificates.Count == 0)
{
// no certificate was found
return(null);
}
else if (pfx.Keys.Count == 0)
{
// no key were found - pick the first certificate
return(pfx.Certificates [0]);
}
else
{
// find the certificate that match the first key
MX.X509Certificate cert = null;
var keypair = (pfx.Keys [0] as AsymmetricAlgorithm);
string pubkey = keypair.ToXmlString(false);
foreach (var c in pfx.Certificates)
{
if (((c.RSA != null) && (pubkey == c.RSA.ToXmlString(false))) ||
((c.DSA != null) && (pubkey == c.DSA.ToXmlString(false))))
{
cert = c;
break;
}
}
if (cert == null)
{
cert = pfx.Certificates [0]; // no match, pick first certificate without keys
}
else
{
cert.RSA = (keypair as RSA);
cert.DSA = (keypair as DSA);
}
return(cert);
}
}
public void SetCertificate(MX.X509Certificate certificate, AsymmetricAlgorithm privateKey)
{
Certificate = certificate;
#if !BOOTSTRAP_BASIC
if (PrivateKey != null && PrivateKey != privateKey)
{
PrivateKey.Dispose();
}
#endif
PrivateKey = privateKey;
}
void MustFallback()
{
ThrowIfContextInvalid();
if (fallback != null)
{
return;
}
var mxCert = new MX.X509Certificate(GetRawCertData());
fallback = new X509CertificateImplMono(mxCert);
}
public void UpdateCertificateRSA()
{
if (clientCertificate == null)
{
certificateRSA = null;
return;
}
Mono.Security.X509.X509Certificate x509Certificate = new Mono.Security.X509.X509Certificate(clientCertificate.GetRawCertData());
certificateRSA = new RSAManaged(x509Certificate.RSA.KeySize);
certificateRSA.ImportParameters(x509Certificate.RSA.ExportParameters(includePrivateParameters: false));
}
public Certificate(X509Certificate Cert)
{
_x509 = Cert;
_issuer = new DistinguishedName(Cert.IssuerName);
_subject = new DistinguishedName(Cert.SubjectName);
_signature = Cert.Signature;
_serial_number = Cert.SerialNumber;
_public_key = (RSACryptoServiceProvider) Cert.RSA;
SubjectAltNameExtension sane = new SubjectAltNameExtension(Cert.Extensions[0]);
_node_address = sane.UniformResourceIdentifiers[0];
}
public static X509CertificateImpl InitFromHandleCore(IntPtr handle)
{
// both Marshal.PtrToStructure and Marshal.Copy use LinkDemand (so they will always success from here)
CertificateContext cc = (CertificateContext)Marshal.PtrToStructure(handle, typeof(CertificateContext));
byte[] data = new byte [cc.cbCertEncoded];
Marshal.Copy(cc.pbCertEncoded, data, 0, (int)cc.cbCertEncoded);
var x509 = new MX.X509Certificate(data);
return(new X509CertificateImplMono(x509));
}
static Mono.Security.X509.X509Certificate LoadCertificate (string filename)
{
Mono.Security.X509.X509Certificate mx = null;
if (File.Exists (filename)) {
using (FileStream fs = File.OpenRead (filename)) {
byte[] data = new byte [fs.Length];
fs.Read (data, 0, data.Length);
mx = new Mono.Security.X509.X509Certificate (data);
}
}
return mx;
}
// constructors
// special constructor for Publisher (and related classes).
// Dates strings are null
internal X509Certificate(byte[] data, bool dates)
{
if (data != null)
{
#if NET_2_0
Import(data, (string)null, X509KeyStorageFlags.DefaultKeySet);
#else
x509 = new Mono.Security.X509.X509Certificate(data);
#endif
hideDates = !dates;
}
}
private void InitFromHandle(IntPtr handle)
{
if (handle != IntPtr.Zero)
{
// both Marshal.PtrToStructure and Marshal.Copy use LinkDemand (so they will always success from here)
CertificateContext cc = (CertificateContext)Marshal.PtrToStructure(handle, typeof(CertificateContext));
byte[] data = new byte [cc.cbCertEncoded];
Marshal.Copy(cc.pbCertEncoded, data, 0, (int)cc.cbCertEncoded);
x509 = new Mono.Security.X509.X509Certificate(data);
}
// for 1.x IntPtr.Zero results in an "empty" certificate instance
}
public override void Reset()
{
_cert = null;
_archived = false;
_extensions = null;
_name = String.Empty;
_serial = null;
_publicKey = null;
issuer_name = null;
subject_name = null;
signature_algorithm = null;
base.Reset();
}
public static byte[] CreateClientCert(string subjectName, byte[] rootKey, byte[] rootCert)
{
if (!subjectName.StartsWith("CN="))
subjectName = "CN=" + subjectName;
// Copy the root key since the PrivateKey constructor will blow away the data
byte[] rootKeyCopy = new byte[rootKey.Length];
Buffer.BlockCopy(rootKey, 0, rootKeyCopy, 0, rootKey.Length);
// Load the server's private key and certificate
PrivateKey pvk = new PrivateKey(rootKeyCopy, null);
RSA issuerKey = pvk.RSA;
X509Certificate issuerCert = new X509Certificate(rootCert);
// Serial number MUST be positive
byte[] sn = Guid.NewGuid().ToByteArray();
if ((sn[0] & 0x80) == 0x80)
sn[0] -= 0x80;
ExtendedKeyUsageExtension eku = new ExtendedKeyUsageExtension();
eku.KeyPurpose.Add("1.3.6.1.5.5.7.3.2"); // Indicates the cert is intended for client auth
// Generate a client certificate signed by the server root CA
X509CertificateBuilder cb = new X509CertificateBuilder(3);
cb.SerialNumber = sn;
cb.IssuerName = issuerCert.IssuerName;
cb.NotBefore = DateTime.Now;
cb.NotAfter = new DateTime(643445675990000000); // 12/31/2039 23:59:59Z
cb.SubjectName = subjectName;
cb.SubjectPublicKey = issuerKey;
cb.Hash = "SHA1";
cb.Extensions.Add(eku);
byte[] clientCert = cb.Sign(issuerKey);
// Generate a PKCS#12 file for the client containing the private key and certificate
PKCS12 p12 = new PKCS12();
p12.Password = null;
ArrayList list = new ArrayList(4);
// We use a fixed array to avoid endianess issues
// (in case some tools requires the ID to be 1).
list.Add(new byte[] { 1, 0, 0, 0 });
Hashtable attributes = new Hashtable(1);
attributes.Add(PKCS9.localKeyId, list);
p12.AddCertificate(new X509Certificate(clientCert), attributes);
p12.AddCertificate(issuerCert);
p12.AddPkcs8ShroudedKeyBag(issuerKey, attributes);
return p12.GetBytes();
}
public ServerContext(
SslServerStream stream,
SecurityProtocolType securityProtocolType,
X509Certificate serverCertificate,
bool clientCertificateRequired,
bool requestClientCertificate)
: base(securityProtocolType)
{
this.sslStream = stream;
this.clientCertificateRequired = clientCertificateRequired;
this.request_client_certificate = requestClientCertificate;
// Convert the System.Security cert to a Mono Cert
MonoX509.X509Certificate cert = new MonoX509.X509Certificate(serverCertificate.GetRawCertData());
// Add server certificate to the certificate collection
this.ServerSettings.Certificates = new MonoX509.X509CertificateCollection();
this.ServerSettings.Certificates.Add(cert);
this.ServerSettings.UpdateCertificateRSA();
if (CertificateValidationHelper.SupportsX509Chain) {
// Build the chain for the certificate and if the chain is correct, add all certificates
// (except the root certificate [FIRST ONE] ... the client is supposed to know that one,
// otherwise the whole concept of a trusted chain doesn't work out ...
MonoX509.X509Chain chain = new MonoX509.X509Chain (MonoX509.X509StoreManager.IntermediateCACertificates);
if (chain.Build (cert)) {
for (int j = chain.Chain.Count - 1; j > 0; j--)
ServerSettings.Certificates.Add (chain.Chain [j]);
}
}
// Add requested certificate types
ServerSettings.CertificateTypes = new ClientCertificateType [ServerSettings.Certificates.Count];
for (int j = 0; j < this.ServerSettings.CertificateTypes.Length; j++)
ServerSettings.CertificateTypes [j] = ClientCertificateType.RSA;
if (CertificateValidationHelper.SupportsX509Chain) {
// Add certificate authorities
MonoX509.X509CertificateCollection trusted = MonoX509.X509StoreManager.TrustedRootCertificates;
string[] list = new string [trusted.Count];
int i = 0;
foreach (MonoX509.X509Certificate root in trusted) {
list [i++] = root.IssuerName;
}
this.ServerSettings.DistinguisedNames = list;
}
}
public void basicConstraintsCriticalcAFalseCACRL ()
{
X509Crl crl = new X509Crl (basicConstraintsCriticalcAFalseCACRL_crl);
Assert.AreEqual (0, crl.Entries.Count, "Entries.Count");
Assert.AreEqual (2, crl.Extensions.Count, "Extensions.Count");
Assert.IsTrue (crl.IsCurrent, "IsCurrent"); // true till 2011
Assert.AreEqual ("C=US, O=Test Certificates, CN=basicConstraints Critical cA False CA", crl.IssuerName, "IssuerName");
Assert.AreEqual (634388218400000000, crl.NextUpdate.ToUniversalTime ().Ticks, "NextUpdate");
Assert.AreEqual ("32-BC-12-1F-84-D0-B6-3E-72-A0-FB-D9-75-99-CA-E5-2A-05-09-E6-C8-27-74-47-1C-DC-0C-D4-9F-BC-9F-B2-62-25-B4-6D-5B-E5-0B-E8-2A-8E-07-EB-3E-6B-C5-1E-9A-D2-14-FD-89-5B-C3-10-BF-19-77-67-0A-33-45-1B-BC-6C-ED-AF-84-30-59-FB-7C-71-95-63-60-31-9B-9B-0A-EA-77-F1-70-F1-B9-2E-D1-A9-04-42-66-94-B9-54-48-DB-44-56-56-1A-57-5A-01-0E-7C-4D-D7-C0-1F-5C-6F-13-F5-A3-57-88-6A-9A-71-CD-D5-AE-C3-00-B1-28", BitConverter.ToString (crl.Signature), "Signature");
Assert.AreEqual ("1.2.840.113549.1.1.5", crl.SignatureAlgorithm, "SignatureAlgorithm");
Assert.AreEqual (631232890400000000, crl.ThisUpdate.ToUniversalTime ().Ticks, "ThisUpdate");
Assert.AreEqual (2, crl.Version, "Version");
X509Certificate cert = new X509Certificate (basicConstraintsCriticalcAFalseCACert_crt);
// certificate has CA set to false
Assert.IsFalse (crl.VerifySignature (cert), "VerifySignature(cert)");
Assert.IsTrue (crl.VerifySignature (cert.RSA), "VerifySignature(RSA)");
}
static X509CertificateImpl Import (byte[] rawData)
{
var handle = CFHelpers.CreateCertificateFromData (rawData);
if (handle != IntPtr.Zero)
return new X509CertificateImplApple (handle, true);
MX.X509Certificate x509;
try {
x509 = new MX.X509Certificate (rawData);
} catch (Exception e) {
try {
x509 = ImportPkcs12 (rawData, null);
} catch {
string msg = Locale.GetText ("Unable to decode certificate.");
// inner exception is the original (not second) exception
throw new CryptographicException (msg, e);
}
}
return new X509CertificateImplMono (x509);
}
public bool Verify(X509Certificate certificate, ISender sender)
{
Address addr = null;
AHSender ahsender = sender as AHSender;
if(ahsender != null) {
addr = ahsender.Destination;
} else {
Edge edge = sender as Edge;
if(edge != null) {
Connection con = _ct.GetConnection(edge);
if(con != null) {
addr = con.Address;
}
}
}
if(addr == null) {
return true;
}
return CertificateHandler.Verify(certificate, addr.ToString());
}
public override void Import (byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
{
MX.X509Certificate cert = null;
if (password == null) {
try {
cert = new MX.X509Certificate (rawData);
}
catch (Exception e) {
try {
cert = ImportPkcs12 (rawData, null);
}
catch {
string msg = Locale.GetText ("Unable to decode certificate.");
// inner exception is the original (not second) exception
throw new CryptographicException (msg, e);
}
}
} else {
// try PKCS#12
try {
cert = ImportPkcs12 (rawData, password);
}
catch {
// it's possible to supply a (unrequired/unusued) password
// fix bug #79028
cert = new MX.X509Certificate (rawData);
}
}
// we do not have to fully re-decode the certificate since X509Certificate does not deal with keys
if (cert != null) {
base.Import (cert.RawData, (string) null, keyStorageFlags);
_cert = cert; // becuase base call will call Reset!
}
}
public override void Import (byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
{
base.Import (rawData, password, keyStorageFlags);
if (password == null) {
try {
_cert = new Mono.Security.X509.X509Certificate (rawData);
}
catch (Exception e) {
try {
ImportPkcs12 (rawData, null);
}
catch {
string msg = Locale.GetText ("Unable to decode certificate.");
// inner exception is the original (not second) exception
throw new CryptographicException (msg, e);
}
}
} else {
// try PKCS#12
try {
ImportPkcs12 (rawData, password);
}
catch {
// it's possible to supply a (unrequired/unusued) password
// fix bug #79028
_cert = new Mono.Security.X509.X509Certificate (rawData);
}
}
}
public CertificateMaker(X509Certificate x509)
{
_subject = new DistinguishedName(x509.SubjectName);
_public_key = (RSACryptoServiceProvider) x509.RSA;
SubjectAltNameExtension sane = new SubjectAltNameExtension(x509.Extensions[0]);
_node_address = sane.UniformResourceIdentifiers[0];
}
/// <summary>Adds a local signed public certificate to this CH.</summary>
public bool AddSignedCertificate(X509Certificate cert) {
MemBlock sn = MemBlock.Reference(cert.SerialNumber);
lock(_sync) {
_lc[sn] = cert;
_lc_issuers.Add(sn);
}
return true;
}
/// <summary>Adds CA certificate to this CH.</summary>
public bool AddCACertificate(X509Certificate cert) {
MemBlock sn = MemBlock.Reference(cert.SerialNumber);
lock(_sync) {
_cas[sn] = cert;
_supported_cas.Add(sn);
}
return true;
}
/// <summary>True if this certificate is signed by a CA whose cetificate
/// we have, false otherwise.</summary>
public bool Verify(X509Certificate x509) {
MemBlock sn = MemBlock.Reference(x509.SerialNumber);
lock(_sync) {
if(!_cas.ContainsKey(sn)) {
throw new Exception("Unsupported CA!");
}
if(!x509.VerifySignature(_cas[sn].RSA)) {
throw new Exception("Unable to verify certificate, bad signature!");
}
}
foreach(ICertificateVerification icv in _certificate_verifiers) {
if(!icv.Verify(x509)) {
throw new Exception("Certificate not valid, reason unsure");
}
}
return true;
}
/// <summary>First makes sure we have a CA that supports this certificate,
/// then looks through an x509 certificates SubjectAltName Extension's
/// URI list to determine if the given URI (RemoteID) exists in the
/// certificate.</summary>
/// <param name="x509">The certificate to check</param>
/// <param name="RemoteID">The URI to look for</param>
/// <returns>True if the URI exists, false otherwise</returns>
public virtual bool Verify(X509Certificate x509, string RemoteID) {
if(!Verify(x509)) {
throw new Exception("Invalid certificate!");
}
bool valid_address = false;
foreach(X509Extension ex in x509.Extensions) {
// SubjectAltName
if(ex.Oid != "2.5.29.17") {
continue;
}
SubjectAltNameExtension sane = new SubjectAltNameExtension(ex);
foreach(string uri in sane.UniformResourceIdentifiers) {
if(uri == RemoteID) {
valid_address = true;
break;
}
}
if(valid_address) {
break;
}
}
if(!valid_address) {
throw new Exception("Missing a valid SubjectAltName!");
}
return true;
}
public static X509CertificateImpl Import (byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)
{
MX.X509Certificate x509;
if (password == null) {
try {
x509 = new MX.X509Certificate (rawData);
} catch (Exception e) {
try {
x509 = ImportPkcs12 (rawData, null);
} catch {
string msg = Locale.GetText ("Unable to decode certificate.");
// inner exception is the original (not second) exception
throw new CryptographicException (msg, e);
}
}
} else {
// try PKCS#12
try {
x509 = ImportPkcs12 (rawData, password);
}
catch {
// it's possible to supply a (unrequired/unusued) password
// fix bug #79028
x509 = new MX.X509Certificate (rawData);
}
}
return new X509CertificateImplMono (x509);
}
// constructors
public X509Certificate2 ()
{
_cert = null;
}
public static X509CertificateImpl InitFromCertificate (X509CertificateImpl impl)
{
ThrowIfContextInvalid (impl);
var copy = impl.Clone ();
if (copy != null)
return copy;
var data = impl.GetRawCertData ();
if (data == null)
return null;
var x509 = new MX.X509Certificate (data);
return new X509CertificateImplMono (x509);
}
public X509Certificate2 (X509Certificate certificate)
: base (certificate)
{
_cert = new MX.X509Certificate (base.GetRawCertData ());
}
public X509Certificate2 (IntPtr handle) : base (handle)
{
_cert = new MX.X509Certificate (base.GetRawCertData ());
}
static string Thumbprint (string algorithm, X509Certificate certificate)
{
HashAlgorithm hash = HashAlgorithm.Create (algorithm);
byte[] digest = hash.ComputeHash (certificate.RawData);
return BitConverter.ToString (digest);
}
public override void Reset ()
{
_cert = null;
_archived = false;
_extensions = null;
_name = String.Empty;
_serial = null;
_publicKey = null;
issuer_name = null;
subject_name = null;
signature_algorithm = null;
base.Reset ();
}