public override int Start() { #pragma warning disable 0219 Certificate c = null; #pragma warning restore 0219 try { c = CertificateStore.CreateFromPfxFile(@"certs\server.pfx", "test").FindCertificateByUsage(new string[] {"1.3.6.1.5.5.7.3.1"}); } catch { AddError("CC-S-0"); return 1; } int tests = 0; // test constructor try { #pragma warning disable 0219 CertificateChain cc = new CertificateChain(null); #pragma warning restore 0219 AddError("CC-S-1"); } catch (ArgumentNullException) { } catch { AddError("CC-S-2"); } tests += 2; // do other tests tests = TestBuildChain(); tests += TestVerifyCert(); return tests; }
/// <summary> /// Initializes a new CertificateVerificationResult instance. /// </summary> /// <param name="chain">The <see cref="CertificateChain"/> that has to be verified.</param> /// <param name="server">The server to which the <see cref="Certificate"/> has been issued.</param> /// <param name="type">One of the <see cref="AuthType"/> values.</param> /// <param name="flags">One of the <see cref="VerificationFlags"/> values.</param> /// <param name="callback">The delegate to call when the verification finishes.</param> /// <param name="asyncState">User-defined state data.</param> public CertificateVerificationResult(CertificateChain chain, string server, AuthType type, VerificationFlags flags, AsyncCallback callback, object asyncState) { m_Chain = chain; m_Server = server; m_Type = type; m_Flags = flags; m_AsyncState = asyncState; m_Callback = callback; m_WaitHandle = null; m_HasEnded = false; }
static void Main(string[] args) { Console.WriteLine("This example shows how you can validate a certificate."); // load the certificate from a file Certificate cert = Certificate.CreateFromCerFile(@"client.cer"); // build a certificate chain CertificateChain cc = new CertificateChain(cert); // validate the chain CertificateStatus status = cc.VerifyChain(null, AuthType.Client); // interpret the result if (status == CertificateStatus.ValidCertificate) { Console.WriteLine("The certificate is valid."); } else { Console.WriteLine("The certificate is not valid [" + status.ToString() + "]."); } }
protected SslHandshakeStatus ProcessCertificate(HandshakeMessage message, bool client) { if (client) { if (m_State != HandshakeType.ServerHello) throw new SslException(AlertDescription.UnexpectedMessage, "Certificate message must be preceded by a ServerHello message."); } else { // server if (m_State != HandshakeType.ClientHello) throw new SslException(AlertDescription.UnexpectedMessage, "Certificate message must be preceded by a ClientHello message."); } UpdateHashes(message, HashUpdate.All); // input message Certificate[] certs = null; try { certs = ParseCertificateList(message.fragment); if (certs.Length == 0) { if (!m_MutualAuthentication) return new SslHandshakeStatus(SslStatus.MessageIncomplete, null); } } catch (SslException t) { throw t; } catch (Exception f) { throw new SslException(f, AlertDescription.InternalError, "The Certificate message is invalid."); } CertificateChain chain = null; m_RemoteCertificate = null; if (certs.Length != 0) { m_RemoteCertificate = certs[0]; if (m_RemoteCertificate.GetPublicKeyLength() < 512) { throw new SslException(AlertDescription.HandshakeFailure, "The pulic key should be at least 512 bits."); } CertificateStore cs = new CertificateStore(certs); for(int i = 0; i < certs.Length; i++) { certs[i].Store = cs; } chain = new CertificateChain(m_RemoteCertificate, cs); } VerifyChain(chain, client); return new SslHandshakeStatus(SslStatus.MessageIncomplete, null); }
protected void VerifyChain(CertificateChain chain, bool client) { VerifyEventArgs e = new VerifyEventArgs(); switch(m_Options.VerificationType) { case CredentialVerification.Manual: try { m_Options.Verifier(Parent, m_RemoteCertificate, chain, e); } catch (Exception de) { throw new SslException(de, AlertDescription.InternalError, "The code inside the CertVerifyEventHandler delegate threw an exception."); } break; case CredentialVerification.Auto: if (chain != null) e.Valid = (chain.VerifyChain(m_Options.CommonName, client ? AuthType.Client : AuthType.Server) == CertificateStatus.ValidCertificate); else e.Valid = false; break; case CredentialVerification.AutoWithoutCName: if (chain != null) e.Valid = (chain.VerifyChain(m_Options.CommonName, client ? AuthType.Client : AuthType.Server, VerificationFlags.IgnoreInvalidName) == CertificateStatus.ValidCertificate); else e.Valid = false; break; case CredentialVerification.None: default: e.Valid = true; break; } if (!e.Valid) { throw new SslException(AlertDescription.CertificateUnknown, "The certificate could not be verified."); } }
private void CheckClientCertAtServer(SecureSocket socket, Certificate clientCertificate, CertificateChain allClientCertificates, VerifyEventArgs args) { Debug.WriteLine("check the client certificate event"); if (allClientCertificates != null) { args.Valid = m_serverAuth.IsValidClientCertificate(clientCertificate, allClientCertificates, ((IPEndPoint)socket.RemoteEndPoint).Address); } else { args.Valid = !((m_requiredOptions & SecurityAssociationOptions.EstablishTrustInClient) > 0); } }
private void stream_OnCertVerify(SecureSocket sock, Certificate cert, CertificateChain chain, VerifyEventArgs e) { isSecurityChanging = false; raiseCertificateVerifiedEvent(EventArgs.Empty); }
public virtual bool IsValidClientCertificate(Certificate clientCert, CertificateChain allClientCertsReceived, IPAddress clientAddress) { return IsValidCertificate(allClientCertsReceived, null, AuthType.Client); }
private void CheckServerCertAtClient(SecureSocket socket, Certificate cert, CertificateChain chain, VerifyEventArgs args) { Debug.WriteLine("check the server certificate event"); args.Valid = m_clientAuth.IsValidServerCertificate(cert, chain, ((IPEndPoint)socket.RemoteEndPoint).Address); }
private void verifyLevel3Authentication( SecureSocket socket, Certificate cert, CertificateChain chain, VerifyEventArgs e ) { try { // Verify level 2 first verifyLevel2Authentication( socket, cert, chain, e ); if ( !e.Valid ) { return; } // Verify that the host name or IP matches the subject on the certificate // ( Level3 authentication ) // First, get the "CN=" name from the certificate string commonName = null; DistinguishedName certificateName = cert.GetDistinguishedName(); for ( int a = 0; a < certificateName.Count; a++ ) { NameAttribute part = certificateName[a]; if ( part.ObjectID == OID_CN ) { commonName = part.Value; break; } } if ( commonName == null ) { if ( (Adk.Debug & AdkDebugFlags.Messaging_Detailed) != 0 ) { log.Warn ( "Client Certificate fails SIF Level 3 Authentication: common name attribute not found." ); } e.Valid = false; return; } if( String.Compare( commonName, "localhost", true ) == 0 ) { commonName = "127.0.0.1"; } // Does it match the IP Address? IPEndPoint remoteEndPoint = (IPEndPoint) socket.RemoteEndPoint; if ( remoteEndPoint.Address.ToString() == commonName ) { e.Valid = true; return; } // Does it match the common name of the client machine? IPHostEntry entry = GetHostByAddress( remoteEndPoint.Address ); if ( entry == null ) { if ( (Adk.Debug & AdkDebugFlags.Messaging_Detailed) != 0 ) { log.Warn ( "Client Certificate fails SIF Level 3 Authentication: Host Name not found for Address " + remoteEndPoint.Address.ToString() ); } e.Valid = false; return; } if ( string.Compare( commonName, entry.HostName, true ) == 0 ) { e.Valid = true; return; } // No match was found e.Valid = false; if ( (Adk.Debug & AdkDebugFlags.Messaging_Detailed) != 0 ) { log.Warn ( "Client Certificate fails SIF Level 3 Authentication: Certificate Common Name=" + commonName + ". Does not match client IP / Host: " + remoteEndPoint.Address.ToString() + " / " + socket.CommonName ); } } catch ( Exception ex ) { if ( (Adk.Debug & AdkDebugFlags.Messaging_Detailed) != 0 ) { log.Warn ( "Client Certificate fails SIF Level 3 Authentication: " + ex.Message, ex ); } e.Valid = false; } }
public void OnVerify(SecureSocket socket, Certificate remote, CertificateChain chain, VerifyEventArgs e) { Console.WriteLine("\r\nThe certificate of the FTP server:"); Console.WriteLine(remote.ToString(true) + "\r\n"); // certificate chain verification can be placed here }
private void verifyLevel2Authentication( SecureSocket socket, Certificate cert, CertificateChain chain, VerifyEventArgs e ) { // Verify level 1 first verifyLevel1Authentication( socket, cert, chain, e ); if ( !e.Valid ) { return; } CertificateStatus certStatus = chain.VerifyChain( null, AuthType.Client, VerificationFlags.IgnoreInvalidName ); if ( certStatus != CertificateStatus.ValidCertificate ) { if ( (Adk.Debug & AdkDebugFlags.Messaging_Detailed) != 0 ) { log.Warn ( "Client Certificate is not trusted and fails SIF Level 2 Authentication: " + certStatus.ToString() ); } e.Valid = false; } else { e.Valid = true; } }
private void verifyLevel1Authentication( SecureSocket socket, Certificate cert, CertificateChain chain, VerifyEventArgs e ) { if ( cert == null ) { if ( (Adk.Debug & AdkDebugFlags.Messaging_Detailed) != 0 ) { log.Warn( "Client Certificate is missing and fails SIF Level 1 Authentication" ); } e.Valid = false; } else if ( !cert.IsCurrent ) { if ( (Adk.Debug & AdkDebugFlags.Messaging_Detailed) != 0 ) { log.Warn( "Client Certificate is invalid and fails SIF Level 1 Authentication" ); } e.Valid = false; } else { e.Valid = true; } }
/// <summary> /// This method is called when the SecureSocket received the remote /// certificate and when the certificate validation type is set to Manual. /// </summary> /// <param name="socket">The <see cref="SecureSocket"/> that received the certificate to verify.</param> /// <param name="remote">The <see cref="Certificate"/> of the remote party to verify.</param> /// <param name="chain">The <see cref="CertificateChain"/> associated with the remote certificate.</param> /// <param name="e">A <see cref="VerifyEventArgs"/> instance used to (in)validate the certificate.</param> /// <remarks>If an error is thrown by the code in the delegate, the SecureSocket will close the connection.</remarks> protected void OnVerify(SecureSocket socket, Certificate remote, CertificateChain chain, VerifyEventArgs e) { // get all the certificates from the certificate chain .. Certificate[] certs = chain.GetCertificates(); // .. and print them out in the console for(int i = 0; i < certs.Length; i++) { Console.WriteLine(certs[i].ToString(true)); } // print out the result of the chain verification Console.WriteLine(chain.VerifyChain(socket.CommonName, AuthType.Server)); }
/// <summary> /// Verifies a certificate received from the remote host. /// </summary> /// <param name="socket">The SecureSocket that received the certificate.</param> /// <param name="remote">The received certificate.</param> /// <param name="e">The event parameters.</param> protected void OnVerify(SecureSocket socket, Certificate remote, CertificateChain chain, VerifyEventArgs e) { CertificateChain cc = new CertificateChain(remote); Console.WriteLine("\r\nServer Certificate:\r\n-------------------"); Console.WriteLine(remote.ToString(true)); Console.Write("\r\nServer Certificate Verification:\r\n--------------------------------\r\n -> "); Console.WriteLine(cc.VerifyChain(socket.CommonName, AuthType.Server).ToString() + "\r\n"); }
/// <summary> /// verifies the certificate chain against the certificate store /// </summary> /// <param name="allCertsReceived">the chain to verify</param> /// <param name="expectedCNName">the expected CN; may be null</param> /// <param name="authType">the authtype: is the certificate to verify a client or server certificate; /// i.e when verifying a client cert, pass AuthType.Client; when verifying a server cert: pass AuthType.Server</param>ram> /// <returns></returns> protected bool IsValidCertificate(CertificateChain allCertsReceived, string expectedCNName, AuthType authType) { VerificationFlags verificationFlags = VerificationFlags.None; if (expectedCNName == null) { verificationFlags = VerificationFlags.IgnoreInvalidName; } CertificateStatus status = allCertsReceived.VerifyChain(expectedCNName, authType, verificationFlags); return status == CertificateStatus.ValidCertificate; }
/// <summary> /// Returns a <see cref="CertificateChain"/> where the leaf certificate corresponds to this <see cref="Certificate"/>. /// </summary> /// <returns>The CertificateChain corresponding to this Certificate.</returns> /// <exception cref="CertificateException">An error occurs while building the certificate chain.</exception> public CertificateChain GetCertificateChain() { if (m_Chain == null) m_Chain = new CertificateChain(this, Store); return m_Chain; }
/// <summary> /// see <see cref="Ch.Elca.Iiop.Security.Ssl.IClientSideAuthentication.IsValidServerCertificate"/> /// </summary> public virtual bool IsValidServerCertificate(Certificate serverCert, CertificateChain allServerCertsReceived, IPAddress serverAddress) { return IsValidCertificate(allServerCertsReceived, m_expectedServerCName, AuthType.Server); }