public X509Certificate2 FindIssuerCertificate(X509Certificate2 serverX509Certificate2)
{
X509Certificate2 issuerX509Certificate2 = null;
// Find the issuer certificate
X509Chain x509Chain = new X509Chain();
x509Chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
x509Chain.Build(serverX509Certificate2);
// Iterate though the chain, to validate if it contain a valid root vertificate
X509ChainElementCollection x509ChainElementCollection = x509Chain.ChainElements;
X509ChainElementEnumerator enumerator = x509ChainElementCollection.GetEnumerator();
X509ChainElement x509ChainElement;
X509Certificate2 x509Certificate2 = null;
IDictionary <string, X509Certificate2> map = new Dictionary <string, X509Certificate2>();
// At this point, the certificate is not valid, until a
// it is proved that it has a valid root certificate
while (enumerator.MoveNext())
{
x509ChainElement = enumerator.Current;
x509Certificate2 = x509ChainElement.Certificate;
map.Add(x509Certificate2.Subject, x509Certificate2);
}
if (map.ContainsKey(serverX509Certificate2.Issuer))
{
issuerX509Certificate2 = map[serverX509Certificate2.Issuer];
}
return(issuerX509Certificate2);
}
/// <summary>
/// Insert the certificate in the certificate list and check the certificate validity.
/// </summary>
/// <param name="cert"></param>
/// <param name="unsignedProperties"></param>
/// <param name="addCert"></param>
/// <param name="ocspServers"></param>
/// <param name="crlList"></param>
/// <param name="digestMethod"></param>
/// <param name="addCertificateOcspUrl"></param>
/// <param name="extraCerts"></param>
/// <param name="useNonce">If true then nonce will be used. The ocsp server should support this. OCSP reposnder in Microsoft Windows must be configured explicitly to support nonce.</param>
private void AddCertificate(X509Certificate2 cert, UnsignedProperties unsignedProperties, bool addCert, IEnumerable <OcspServer> ocspServers,
IEnumerable <X509Crl> crlList, FirmaXadesNet.Crypto.DigestMethod digestMethod, bool addCertificateOcspUrl, X509Certificate2[] extraCerts = null, bool useNonce = true)
{
if (addCert)
{
if (CertificateChecked(cert, unsignedProperties))
{
return;
}
string guidCert = Guid.NewGuid().ToString();
Cert chainCert = new Cert();
chainCert.IssuerSerial.X509IssuerName = cert.IssuerName.Name;
chainCert.IssuerSerial.X509SerialNumber = cert.GetSerialNumberAsDecimalString();
DigestUtil.SetCertDigest(cert.GetRawCertData(), digestMethod, chainCert.CertDigest);
chainCert.URI = "#Cert" + guidCert;
unsignedProperties.UnsignedSignatureProperties.CompleteCertificateRefs.CertRefs.CertCollection.Add(chainCert);
EncapsulatedX509Certificate encapsulatedX509Certificate = new EncapsulatedX509Certificate
{
Id = "Cert" + guidCert,
PkiData = cert.GetRawCertData()
};
unsignedProperties.UnsignedSignatureProperties.CertificateValues.EncapsulatedX509CertificateCollection.Add(encapsulatedX509Certificate);
}
var chain = CertUtil.GetCertChain(cert, extraCerts).ChainElements;
if (chain.Count > 1)
{
X509ChainElementEnumerator enumerator = chain.GetEnumerator();
enumerator.MoveNext(); // el mismo certificado que el pasado por parametro
enumerator.MoveNext();
bool valid = ValidateCertificateByCRL(unsignedProperties, cert, enumerator.Current.Certificate, crlList, digestMethod);
if (!valid)
{
var ocspCerts = ValidateCertificateByOCSP(unsignedProperties, cert, enumerator.Current.Certificate, ocspServers, digestMethod, addCertificateOcspUrl, useNonce);
if (ocspCerts != null)
{
X509Certificate2 startOcspCert = DetermineStartCert(ocspCerts);
if (!EquivalentDN(startOcspCert.IssuerName, enumerator.Current.Certificate.SubjectName))
{
var chainOcsp = CertUtil.GetCertChain(startOcspCert, ocspCerts);
AddCertificate(chainOcsp.ChainElements[1].Certificate, unsignedProperties, true, ocspServers, crlList, digestMethod, addCertificateOcspUrl, ocspCerts);
}
}
}
AddCertificate(enumerator.Current.Certificate, unsignedProperties, true, ocspServers, crlList, digestMethod, addCertificateOcspUrl, extraCerts);
}
}
/// <summary>
/// Inserta en la lista de certificados el certificado y comprueba la valided del certificado.
/// </summary>
/// <param name="cert"></param>
/// <param name="unsignedProperties"></param>
/// <param name="addCertValue"></param>
/// <param name="extraCerts"></param>
private void AddCertificate(X509Certificate2 cert, UnsignedProperties unsignedProperties, bool addCert, X509Certificate2[] extraCerts = null)
{
if (addCert)
{
if (CertificateChecked(cert, unsignedProperties))
{
return;
}
string guidCert = Guid.NewGuid().ToString();
Cert chainCert = new Cert();
chainCert.IssuerSerial.X509IssuerName = cert.IssuerName.Name;
chainCert.IssuerSerial.X509SerialNumber = CertUtil.HexToDecimal(cert.SerialNumber);
DigestUtil.SetCertDigest(cert.GetRawCertData(), _firma.RefsDigestMethod, chainCert.CertDigest);
chainCert.URI = "#Cert" + guidCert;
unsignedProperties.UnsignedSignatureProperties.CompleteCertificateRefs.CertRefs.CertCollection.Add(chainCert);
EncapsulatedX509Certificate encapsulatedX509Certificate = new EncapsulatedX509Certificate();
encapsulatedX509Certificate.Id = "Cert" + guidCert;
encapsulatedX509Certificate.PkiData = cert.GetRawCertData();
unsignedProperties.UnsignedSignatureProperties.CertificateValues.EncapsulatedX509CertificateCollection.Add(encapsulatedX509Certificate);
}
var chain = CertUtil.GetCertChain(cert, extraCerts).ChainElements;
if (chain.Count > 1)
{
X509ChainElementEnumerator enumerator = chain.GetEnumerator();
enumerator.MoveNext(); // el mismo certificado que el pasado por parametro
enumerator.MoveNext();
bool valid = ValidateCertificateByCRL(unsignedProperties, cert, enumerator.Current.Certificate);
if (!valid)
{
var ocspCerts = ValidateCertificateByOCSP(unsignedProperties, cert, enumerator.Current.Certificate);
if (ocspCerts != null)
{
X509Certificate2 startOcspCert = DetermineStartCert(new List <X509Certificate2>(ocspCerts));
if (startOcspCert.IssuerName.Name != enumerator.Current.Certificate.SubjectName.Name)
{
var chainOcsp = CertUtil.GetCertChain(startOcspCert, ocspCerts);
AddCertificate(chainOcsp.ChainElements[1].Certificate, unsignedProperties, true, ocspCerts);
}
}
}
AddCertificate(enumerator.Current.Certificate, unsignedProperties, true, extraCerts);
}
}
private void TestOCSP()
{
OcspLookup ocspLookup = new OcspLookup();
X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
certStore.Open(OpenFlags.ReadOnly);
string serial = "4c 05 5a 37";
X509Certificate2Collection collection = certStore.Certificates.Find(X509FindType.FindBySerialNumber, serial, true);
X509Certificate2 cert = null;
if (collection.Count > 0)
{
cert = collection[0];
}
else
{
// the certificate not found
throw new NotImplementedException("The certificate was not found.");
}
X509Chain x509Chain = new X509Chain();
x509Chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
x509Chain.Build(cert);
// Iterate though the chain, to validate if it contain a valid root vertificate
X509ChainElementCollection x509ChainElementCollection = x509Chain.ChainElements;
X509ChainElementEnumerator enumerator = x509ChainElementCollection.GetEnumerator();
X509ChainElement x509ChainElement;
X509Certificate2 x509Certificate2 = null;
IDictionary <string, X509Certificate2> map = new Dictionary <string, X509Certificate2>();
IList <X509Certificate2> list = new List <X509Certificate2>();
// At this point, the certificate is not valid, until a
// it is proved that it has a valid root certificate
while (enumerator.MoveNext())
{
x509ChainElement = enumerator.Current;
x509Certificate2 = x509ChainElement.Certificate;
list.Add(x509Certificate2);
}
ocspLookup.RevocationResponseOnline(list[0], list[1], "http://ocsp.systemtest8.trust2408.com/responder");
}
public KeyInfoX509Data(X509Certificate cert, X509IncludeOption includeOption)
{
if (cert == null)
{
throw new ArgumentNullException("cert");
}
X509Certificate2 certificate = new X509Certificate2(cert);
X509ChainElementCollection chainElements = null;
X509Chain chain = null;
switch (includeOption)
{
case X509IncludeOption.ExcludeRoot:
chain = new X509Chain();
chain.Build(certificate);
if ((chain.ChainStatus.Length > 0) && ((chain.ChainStatus[0].Status & X509ChainStatusFlags.PartialChain) == X509ChainStatusFlags.PartialChain))
{
throw new CryptographicException(-2146762486);
}
chainElements = chain.ChainElements;
for (int i = 0; i < (System.Security.Cryptography.X509Certificates.X509Utils.IsSelfSigned(chain) ? 1 : (chainElements.Count - 1)); i++)
{
this.AddCertificate(chainElements[i].Certificate);
}
return;
case X509IncludeOption.EndCertOnly:
this.AddCertificate(certificate);
return;
case X509IncludeOption.WholeChain:
{
chain = new X509Chain();
chain.Build(certificate);
if ((chain.ChainStatus.Length > 0) && ((chain.ChainStatus[0].Status & X509ChainStatusFlags.PartialChain) == X509ChainStatusFlags.PartialChain))
{
throw new CryptographicException(-2146762486);
}
X509ChainElementEnumerator enumerator = chain.ChainElements.GetEnumerator();
while (enumerator.MoveNext())
{
X509ChainElement current = enumerator.Current;
this.AddCertificate(current.Certificate);
}
return;
}
}
}
internal static void LogVerifyX509Chain(SignedXml signedXml, X509Chain chain, X509Certificate certificate)
{
if (InformationLoggingEnabled)
{
string data = string.Format(CultureInfo.InvariantCulture, SecurityResources.GetResourceString("Log_BuildX509Chain"), new object[] { GetKeyName(certificate) });
WriteLine(signedXml, TraceEventType.Information, SignedXmlDebugEvent.X509Verification, data);
}
if (VerboseLoggingEnabled)
{
string str2 = string.Format(CultureInfo.InvariantCulture, SecurityResources.GetResourceString("Log_RevocationMode"), new object[] { chain.ChainPolicy.RevocationFlag });
WriteLine(signedXml, TraceEventType.Verbose, SignedXmlDebugEvent.X509Verification, str2);
string str3 = string.Format(CultureInfo.InvariantCulture, SecurityResources.GetResourceString("Log_RevocationFlag"), new object[] { chain.ChainPolicy.RevocationFlag });
WriteLine(signedXml, TraceEventType.Verbose, SignedXmlDebugEvent.X509Verification, str3);
string str4 = string.Format(CultureInfo.InvariantCulture, SecurityResources.GetResourceString("Log_VerificationFlag"), new object[] { chain.ChainPolicy.VerificationFlags });
WriteLine(signedXml, TraceEventType.Verbose, SignedXmlDebugEvent.X509Verification, str4);
string str5 = string.Format(CultureInfo.InvariantCulture, SecurityResources.GetResourceString("Log_VerificationTime"), new object[] { chain.ChainPolicy.VerificationTime });
WriteLine(signedXml, TraceEventType.Verbose, SignedXmlDebugEvent.X509Verification, str5);
string str6 = string.Format(CultureInfo.InvariantCulture, SecurityResources.GetResourceString("Log_UrlTimeout"), new object[] { chain.ChainPolicy.UrlRetrievalTimeout });
WriteLine(signedXml, TraceEventType.Verbose, SignedXmlDebugEvent.X509Verification, str6);
}
if (InformationLoggingEnabled)
{
foreach (X509ChainStatus status in chain.ChainStatus)
{
if (status.Status != X509ChainStatusFlags.NoError)
{
string str7 = string.Format(CultureInfo.InvariantCulture, SecurityResources.GetResourceString("Log_X509ChainError"), new object[] { status.Status, status.StatusInformation });
WriteLine(signedXml, TraceEventType.Information, SignedXmlDebugEvent.X509Verification, str7);
}
}
}
if (VerboseLoggingEnabled)
{
StringBuilder builder = new StringBuilder();
builder.Append(SecurityResources.GetResourceString("Log_CertificateChain"));
X509ChainElementEnumerator enumerator = chain.ChainElements.GetEnumerator();
while (enumerator.MoveNext())
{
X509ChainElement current = enumerator.Current;
builder.AppendFormat(CultureInfo.InvariantCulture, " {0}", new object[] { GetKeyName(current.Certificate) });
}
WriteLine(signedXml, TraceEventType.Verbose, SignedXmlDebugEvent.X509Verification, builder.ToString());
}
}
private void AddCertificate(X509Certificate2 cert, UnsignedProperties unsignedProperties, bool addCert, IEnumerable <string> ocspServers, IEnumerable <X509Crl> crlList, FirmaXades.Crypto.DigestMethod digestMethod, X509Certificate2[] extraCerts = null)
{
if (addCert)
{
if (CertificateChecked(cert, unsignedProperties))
{
return;
}
string str = Guid.NewGuid().ToString();
Cert cert2 = new Cert();
cert2.IssuerSerial.X509IssuerName = cert.IssuerName.Name;
cert2.IssuerSerial.X509SerialNumber = cert.GetSerialNumberAsDecimalString();
DigestUtil.SetCertDigest(cert.GetRawCertData(), digestMethod, cert2.CertDigest);
cert2.URI = "#Cert" + str;
unsignedProperties.UnsignedSignatureProperties.CompleteCertificateRefs.CertRefs.CertCollection.Add(cert2);
EncapsulatedX509Certificate encapsulatedX509Certificate = new EncapsulatedX509Certificate();
encapsulatedX509Certificate.Id = "Cert" + str;
encapsulatedX509Certificate.PkiData = cert.GetRawCertData();
unsignedProperties.UnsignedSignatureProperties.CertificateValues.EncapsulatedX509CertificateCollection.Add(encapsulatedX509Certificate);
}
X509ChainElementCollection chainElements = CertUtil.GetCertChain(cert, extraCerts).ChainElements;
if (chainElements.Count > 1)
{
X509ChainElementEnumerator enumerator = chainElements.GetEnumerator();
enumerator.MoveNext();
enumerator.MoveNext();
if (!ValidateCertificateByCRL(unsignedProperties, cert, enumerator.Current.Certificate, crlList, digestMethod))
{
X509Certificate2[] array = ValidateCertificateByOCSP(unsignedProperties, cert, enumerator.Current.Certificate, ocspServers, digestMethod);
if (array != null)
{
X509Certificate2 x509Certificate = DetermineStartCert(new List <X509Certificate2>(array));
if (x509Certificate.IssuerName.Name != enumerator.Current.Certificate.SubjectName.Name)
{
X509Chain certChain = CertUtil.GetCertChain(x509Certificate, array);
AddCertificate(certChain.ChainElements[1].Certificate, unsignedProperties, true, ocspServers, crlList, digestMethod, array);
}
}
}
AddCertificate(enumerator.Current.Certificate, unsignedProperties, true, ocspServers, crlList, digestMethod, extraCerts);
}
}
private static bool OnValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
SslStream stream = (SslStream)sender;
SslStreamValidationContext context = s_streamValidationContexts[stream];
SslSocket socket = context.m_socket;
List <string> commonNamesFromCertSubject = GetCommonNamesFromCertSubject(certificate.Subject);
bool flag = false;
if ((socket.m_bundleInfo != null) && socket.m_bundleInfo.isUsingCertBundle)
{
byte[] certBundleBytes = socket.m_bundleInfo.certBundleBytes;
if (socket.m_bundleInfo.isCertBundleSigned)
{
if (!VerifyBundleSignature(socket.m_bundleInfo.certBundleBytes))
{
return(false);
}
certBundleBytes = GetUnsignedBundleBytes(socket.m_bundleInfo.certBundleBytes);
}
byte[] publicKey = certificate.GetPublicKey();
foreach (string str in commonNamesFromCertSubject)
{
if (IsWhitelistedInCertBundle(certBundleBytes, str, publicKey))
{
flag = true;
break;
}
}
if (!flag)
{
return(false);
}
}
bool flag3 = IsCertSignedByBlizzard(certificate);
bool flag4 = false;
flag4 = true;
bool flag5 = (!flag3 && flag4) && (chain.ChainElements.Count == 1);
try
{
if (sslPolicyErrors != SslPolicyErrors.None)
{
SslPolicyErrors errors = (!flag3 && !flag5) ? SslPolicyErrors.None : (SslPolicyErrors.RemoteCertificateChainErrors | SslPolicyErrors.RemoteCertificateNotAvailable);
if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != SslPolicyErrors.None)
{
string resolvedAddress = socket.m_resolvedAddress;
foreach (string str3 in commonNamesFromCertSubject)
{
if (str3.Equals(resolvedAddress))
{
errors |= SslPolicyErrors.RemoteCertificateNameMismatch;
break;
}
}
}
if ((sslPolicyErrors & ~errors) != SslPolicyErrors.None)
{
object[] args = new object[] { sslPolicyErrors };
s_log.LogWarning("Failed policy check. {0}", args);
return(false);
}
}
if (chain.ChainElements == null)
{
s_log.LogWarning("ChainElements is null");
return(false);
}
X509ChainElementEnumerator enumerator = chain.ChainElements.GetEnumerator();
while (enumerator.MoveNext())
{
X509ChainElement current = enumerator.Current;
object[] objArray2 = new object[] { current.Certificate.Thumbprint };
s_log.LogDebug("Certificate Thumbprint: {0}", objArray2);
foreach (X509ChainStatus status in current.ChainElementStatus)
{
object[] objArray3 = new object[] { status.Status };
s_log.LogDebug(" Certificate Status: {0}", objArray3);
}
}
bool flag6 = false;
if (flag3 && (chain.ChainElements.Count == 1))
{
chain.ChainPolicy.ExtraStore.Add(s_rootCertificate);
chain.Build(new X509Certificate2(certificate));
flag6 = true;
}
int num2 = !flag3 ? 3 : 2;
if (flag4 && !flag6)
{
num2 = 1;
}
if (chain.ChainElements.Count != num2)
{
object[] objArray4 = new object[] { chain.ChainElements.Count };
s_log.LogWarning("ChainElements.Count is {0}", objArray4);
return(false);
}
for (int i = 0; i < num2; i++)
{
if (chain.ChainElements[i] == null)
{
s_log.LogWarning("ChainElements[" + i + "] is null");
return(false);
}
}
if (flag3)
{
string str4;
if (ApplicationMgr.GetMobileEnvironment() == MobileEnv.PRODUCTION)
{
str4 = "673D9D1072B625CAD95CB47BF0F0F512233E39FD";
}
else
{
str4 = "C0805E3CF51F1A56CE9E6E35CB4F4901B68128B7";
}
if (chain.ChainElements[1].Certificate.Thumbprint != str4)
{
s_log.LogWarning("Root certificate thumb print check failure");
object[] objArray5 = new object[] { str4 };
s_log.LogWarning(" expected: {0}", objArray5);
object[] objArray6 = new object[] { chain.ChainElements[1].Certificate.Thumbprint };
s_log.LogWarning(" received: {0}", objArray6);
return(false);
}
}
for (int j = 0; j < num2; j++)
{
if (DateTime.Now > chain.ChainElements[j].Certificate.NotAfter)
{
s_log.LogWarning("ChainElements[" + j + "] certificate is expired.");
return(false);
}
}
X509ChainElementEnumerator enumerator4 = chain.ChainElements.GetEnumerator();
while (enumerator4.MoveNext())
{
foreach (X509ChainStatus status2 in enumerator4.Current.ChainElementStatus)
{
if ((!flag3 && !flag6) || (status2.Status != X509ChainStatusFlags.UntrustedRoot))
{
object[] objArray7 = new object[] { status2.Status };
s_log.LogWarning("Found unexpected chain error={0}.", objArray7);
return(false);
}
}
}
}
catch (Exception exception)
{
object[] objArray8 = new object[] { exception };
s_log.LogWarning("Exception while trying to validate certificate. {0}", objArray8);
return(false);
}
return(true);
}
/// <summary>
/// Checks a certificate status in a CRL.
/// </summary>
/// <param name="certificate">The certificate to check</param>
/// <returns>The RevocationResponse object that contains the result</returns>
public RevocationResponse CheckCertificate(X509Certificate2 certificate)
{
/*
* Assumptions:
* - Certificate has an CRL Distribution Points extension value.
* - An HTTP distribution point is present.
*/
// create RevocationResponse and set default values
RevocationResponse response = new RevocationResponse();
response.IsValid = true;
response.NextUpdate = DateTime.MinValue;
if (certificate != null)
{
X509Chain x509Chain = new X509Chain();
x509Chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
x509Chain.Build(certificate);
// Iterate though the chain, to get the certificate list
X509ChainElementCollection x509ChainElementCollection = x509Chain.ChainElements;
X509ChainElementEnumerator enumerator = x509ChainElementCollection.GetEnumerator();
X509ChainElement x509ChainElement;
X509Certificate2 x509Certificate2 = null;
IDictionary <string, X509Certificate2> map = new Dictionary <string, X509Certificate2>();
IList <X509Certificate2> list = new List <X509Certificate2>();
while (enumerator.MoveNext())
{
x509ChainElement = enumerator.Current;
x509Certificate2 = x509ChainElement.Certificate;
list.Add(x509Certificate2);
}
// now we have a list of the certificate chain
// list[0] -> the function certificate
// list[0 .. lsit.Count] -> middel certificates
// oces1 : none middle certificate exist
// oces2 : one middle certificate exist
// list[list.Count] - > root certificate
// we needed to validate all certificates, except the root certificates
// The question wheather the root certificates is trusted, is validated in MultipleRootX509CertificateValidator
// However - In the case where the root certificate is not installed,
// the chain list will only be 1 length, so no validation is perfored at all.
int index = 0;
//bool chainValid = true;
while (index < (list.Count - 1) && response.IsValid == true)
{
// this.logger.Info("CRL validation the certificate: " + list[index].Subject);
// Retrieve URL distribution points
List <Uri> URLs = this.GetURLs(list[index]);
// The list should only contain one element
// so we are only interesting in the first CRL list
if (URLs.Count > 0)
{
Uri url = URLs[0];
CrlInstance crl = this.GetInstance(url);
try
{
if (!crl.IsRevoked(certificate))
{
// so the certificate is not revoked.
// remember, that the issueing certificate could be revoked.
// So the next update must be the earlist of the all
response.IsValid = true;
if (response.NextUpdate == DateTime.MinValue)
{
response.NextUpdate = crl.getNextUpdate();
}
else if (response.NextUpdate < crl.getNextUpdate())
{
// no new update
// the already registrated 'NextUpdate' is before the crl.getNextUpdate
}
else
{
// new update time
// The already registrated 'NextUpdate', is greater (futher in the future) then crl.getNextUpdate
// so we use the crl.getNextUpdate as next update
response.NextUpdate = crl.getNextUpdate();
}
}
else
{
response.IsValid = false;
}
}
catch (CheckCertificateRevokedUnexpectedException exception)
{
// could not validate the certificate - so i don't trust it
response.Exception = exception;
response.IsValid = false;
}
}
else
{
// url server not identified, so we don't trust this certificate
response.IsValid = false;
}
// increase the index, to check the next certificate
index++;
}
// all the certificate in the chain is now checked.
if (response.IsValid == true)
{
response.RevocationCheckStatus = RevocationCheckStatus.AllChecksPassed;
}
else
{
response.RevocationCheckStatus = RevocationCheckStatus.CertificateRevoked;
}
x509Chain.Reset();
}
else
{
response.IsValid = false;
response.Exception = new CheckCertificateRevokedUnexpectedException(new Exception("Error during CRL lookup. The certificate is null"));//did not have any CRL DistPoints. Certificate: " + certificate));
response.RevocationCheckStatus = RevocationCheckStatus.UnknownIssue;
}
return(response);
}
private static SslSocket.CertValidationResult IsServerCertificateValid(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
SslSocket.CertValidationResult certValidationResult;
string str;
SslStream sslStream = (SslStream)sender;
SslSocket mSslSocket = SslSocket.s_streamValidationContexts[sslStream].m_sslSocket;
SslCertBundleSettings mBundleSettings = mSslSocket.m_bundleSettings;
if (mBundleSettings.bundle == null || !mBundleSettings.bundle.IsUsingCertBundle)
{
return(SslSocket.CertValidationResult.FAILED_CERT_BUNDLE);
}
List <string> commonNamesFromCertSubject = SslSocket.GetCommonNamesFromCertSubject(certificate.Subject);
SslSocket.BundleInfo bundleInfo = new SslSocket.BundleInfo();
byte[] certBundleBytes = mBundleSettings.bundle.CertBundleBytes;
if (mBundleSettings.bundle.isCertBundleSigned)
{
if (!SslSocket.VerifyBundleSignature(mBundleSettings.bundle.CertBundleBytes))
{
return(SslSocket.CertValidationResult.FAILED_CERT_BUNDLE);
}
certBundleBytes = SslSocket.GetUnsignedBundleBytes(mBundleSettings.bundle.CertBundleBytes);
}
if (!SslSocket.GetBundleInfo(certBundleBytes, out bundleInfo))
{
return(SslSocket.CertValidationResult.FAILED_CERT_BUNDLE);
}
bool flag = false;
byte[] publicKey = certificate.GetPublicKey();
foreach (string str1 in commonNamesFromCertSubject)
{
if (!SslSocket.IsWhitelistedInCertBundle(bundleInfo, str1, publicKey))
{
continue;
}
flag = true;
break;
}
if (!flag)
{
return(SslSocket.CertValidationResult.FAILED_CERT_BUNDLE);
}
bool flag1 = SslSocket.IsCertSignedByBlizzard(certificate);
bool runtimeEnvironment = BattleNet.Client().GetRuntimeEnvironment() == constants.RuntimeEnvironment.Mono;
bool flag2 = (flag1 || !runtimeEnvironment ? false : chain.ChainElements.Count == 1);
try
{
if (sslPolicyErrors != SslPolicyErrors.None)
{
SslPolicyErrors sslPolicyError = (flag1 || flag2 ? SslPolicyErrors.RemoteCertificateNotAvailable | SslPolicyErrors.RemoteCertificateChainErrors : SslPolicyErrors.None);
if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != SslPolicyErrors.None && mSslSocket.m_connection.MatchSslCertName(commonNamesFromCertSubject))
{
sslPolicyError |= SslPolicyErrors.RemoteCertificateNameMismatch;
}
if ((sslPolicyErrors & ~sslPolicyError) != SslPolicyErrors.None)
{
SslSocket.s_log.LogWarning("Failed policy check. sslPolicyErrors: {0}, expectedPolicyErrors: {1}", new object[] { sslPolicyErrors, sslPolicyError });
certValidationResult = SslSocket.CertValidationResult.FAILED_SERVER_RESPONSE;
return(certValidationResult);
}
}
if (chain.ChainElements != null)
{
X509ChainElementEnumerator enumerator = chain.ChainElements.GetEnumerator();
while (enumerator.MoveNext())
{
X509ChainElement current = enumerator.Current;
SslSocket.s_log.LogDebug("Certificate Thumbprint: {0}", new object[] { current.Certificate.Thumbprint });
X509ChainStatus[] chainElementStatus = current.ChainElementStatus;
for (int i = 0; i < (int)chainElementStatus.Length; i++)
{
X509ChainStatus x509ChainStatu = chainElementStatus[i];
SslSocket.s_log.LogDebug(" Certificate Status: {0}", new object[] { x509ChainStatu.Status });
}
}
bool flag3 = false;
if (flag1)
{
if (chain.ChainElements.Count == 1)
{
chain.ChainPolicy.ExtraStore.Add(SslSocket.s_rootCertificate);
chain.Build(new X509Certificate2(certificate));
flag3 = true;
}
}
else if (flag2 && bundleInfo.bundleCerts != null)
{
foreach (X509Certificate2 bundleCert in bundleInfo.bundleCerts)
{
chain.ChainPolicy.ExtraStore.Add(bundleCert);
}
chain.Build(new X509Certificate2(certificate));
flag3 = true;
}
int num = 0;
while (num < chain.ChainElements.Count)
{
if (chain.ChainElements[num] != null)
{
num++;
}
else
{
SslSocket.s_log.LogWarning(string.Concat("ChainElements[", num, "] is null"));
certValidationResult = (!flag3 ? SslSocket.CertValidationResult.FAILED_SERVER_RESPONSE : SslSocket.CertValidationResult.FAILED_CERT_BUNDLE);
return(certValidationResult);
}
}
if (flag1)
{
str = (BattleNet.Client().GetMobileEnvironment() != constants.MobileEnv.PRODUCTION ? "C0805E3CF51F1A56CE9E6E35CB4F4901B68128B7" : "673D9D1072B625CAD95CB47BF0F0F512233E39FD");
if (chain.ChainElements[1].Certificate.Thumbprint != str)
{
SslSocket.s_log.LogWarning("Root certificate thumb print check failure");
SslSocket.s_log.LogWarning(" expected: {0}", new object[] { str });
SslSocket.s_log.LogWarning(" received: {0}", new object[] { chain.ChainElements[1].Certificate.Thumbprint });
certValidationResult = (!flag3 ? SslSocket.CertValidationResult.FAILED_SERVER_RESPONSE : SslSocket.CertValidationResult.FAILED_CERT_BUNDLE);
return(certValidationResult);
}
}
int num1 = 0;
while (num1 < chain.ChainElements.Count)
{
if (DateTime.Now <= chain.ChainElements[num1].Certificate.NotAfter)
{
num1++;
}
else
{
SslSocket.s_log.LogWarning(string.Concat("ChainElements[", num1, "] certificate is expired."));
certValidationResult = (!flag3 ? SslSocket.CertValidationResult.FAILED_SERVER_RESPONSE : SslSocket.CertValidationResult.FAILED_CERT_BUNDLE);
return(certValidationResult);
}
}
X509ChainElementEnumerator x509ChainElementEnumerator = chain.ChainElements.GetEnumerator();
while (x509ChainElementEnumerator.MoveNext())
{
X509ChainStatus[] x509ChainStatusArray = x509ChainElementEnumerator.Current.ChainElementStatus;
int num2 = 0;
while (num2 < (int)x509ChainStatusArray.Length)
{
X509ChainStatus x509ChainStatu1 = x509ChainStatusArray[num2];
if ((flag1 || flag3) && x509ChainStatu1.Status == X509ChainStatusFlags.UntrustedRoot)
{
num2++;
}
else
{
SslSocket.s_log.LogWarning("Found unexpected chain error={0}.", new object[] { x509ChainStatu1.Status });
certValidationResult = (!flag3 ? SslSocket.CertValidationResult.FAILED_SERVER_RESPONSE : SslSocket.CertValidationResult.FAILED_CERT_BUNDLE);
return(certValidationResult);
}
}
}
X509Certificate2 x509Certificate2 = new X509Certificate2(chain.ChainElements[0].Certificate);
SslSocket.s_log.LogDebug("Received valid certificate from FRONT >");
SslSocket.s_log.LogDebug(" Subject: {0}", new object[] { x509Certificate2.Subject });
SslSocket.s_log.LogDebug(" Issuer: {0}", new object[] { x509Certificate2.Issuer });
SslSocket.s_log.LogDebug(" Version: {0}", new object[] { x509Certificate2.Version });
SslSocket.s_log.LogDebug(" Valid Date: {0}", new object[] { x509Certificate2.NotBefore });
SslSocket.s_log.LogDebug(" Expiry Date: {0}", new object[] { x509Certificate2.NotAfter });
SslSocket.s_log.LogDebug(" Thumbprint: {0}", new object[] { x509Certificate2.Thumbprint });
SslSocket.s_log.LogDebug(" Serial Number: {0}", new object[] { x509Certificate2.SerialNumber });
SslSocket.s_log.LogDebug(" Friendly Name: {0}", new object[] { x509Certificate2.FriendlyName });
SslSocket.s_log.LogDebug(" Public Key Format: {0}", new object[] { x509Certificate2.PublicKey.EncodedKeyValue.Format(true) });
SslSocket.s_log.LogDebug(" Raw Data Length: {0}", new object[] { (int)x509Certificate2.RawData.Length });
SslSocket.s_log.LogDebug(" CN: {0}", new object[] { x509Certificate2.GetNameInfo(X509NameType.DnsName, false) });
return(SslSocket.CertValidationResult.OK);
}
else
{
SslSocket.s_log.LogWarning("ChainElements is null");
certValidationResult = SslSocket.CertValidationResult.FAILED_SERVER_RESPONSE;
}
}
catch (Exception exception)
{
SslSocket.s_log.LogWarning("Exception while trying to validate certificate. {0}", new object[] { exception });
certValidationResult = SslSocket.CertValidationResult.FAILED_CERT_BUNDLE;
}
return(certValidationResult);
}
public bool IsCertificateChildOfRoot(X509Certificate2 certificate, IDictionary <string, X509Certificate2> rootCertificateDirectory)
{
// valid until proved otherwhise
bool isValid = true;
X509Chain x509Chain = this.CreateChain(certificate);
// Modified chain validation of the certificate. We are not interested in Ctl lists
X509ChainStatus status;
int index = 0;
while (isValid && index < x509Chain.ChainStatus.Length)
{
status = x509Chain.ChainStatus[index];
switch (status.Status)
{
case X509ChainStatusFlags.CtlNotSignatureValid:
case X509ChainStatusFlags.CtlNotTimeValid:
case X509ChainStatusFlags.CtlNotValidForUsage:
case X509ChainStatusFlags.NoError:
case X509ChainStatusFlags.OfflineRevocation:
case X509ChainStatusFlags.RevocationStatusUnknown:
{
// so far, still valid
break;
}
case X509ChainStatusFlags.Cyclic:
case X509ChainStatusFlags.HasExcludedNameConstraint:
case X509ChainStatusFlags.HasNotDefinedNameConstraint:
case X509ChainStatusFlags.HasNotPermittedNameConstraint:
case X509ChainStatusFlags.HasNotSupportedNameConstraint:
case X509ChainStatusFlags.InvalidBasicConstraints:
case X509ChainStatusFlags.InvalidExtension:
case X509ChainStatusFlags.InvalidNameConstraints:
case X509ChainStatusFlags.InvalidPolicyConstraints:
case X509ChainStatusFlags.NoIssuanceChainPolicy:
case X509ChainStatusFlags.NotSignatureValid:
case X509ChainStatusFlags.NotTimeNested:
case X509ChainStatusFlags.NotTimeValid:
case X509ChainStatusFlags.NotValidForUsage:
case X509ChainStatusFlags.PartialChain:
case X509ChainStatusFlags.Revoked:
case X509ChainStatusFlags.UntrustedRoot:
{
this.logger.Warn("X509ChainStatusFlags '" + status.Status + "' is not valid, so the certificate '" + certificate.Subject + "' is not valid.");
this.logger.Debug("x509Chain.ChainStatus.Length:" + x509Chain.ChainStatus.Length + ". Index: " + index + ".");
isValid = false;
break;
}
default:
{
this.logger.Warn("The certificate chain.ChainStatus '" + status.Status + "' is not implemented.");
isValid = false;
break;
}
}
index++;
}
if (isValid)
{
// Check if the certificate has the default root certificate as its root
string x509CertificateThumbprint = certificate.Thumbprint.ToLowerInvariant();
if (rootCertificateDirectory.ContainsKey(x509CertificateThumbprint))
{
// certificate is a root certificate - not valid
isValid = false;
}
else
{
// Iterate though the chain, to validate if it contain a valid root vertificate
X509ChainElementCollection x509ChainElementCollection = x509Chain.ChainElements;
X509ChainElementEnumerator enumerator = x509ChainElementCollection.GetEnumerator();
X509ChainElement x509ChainElement;
X509Certificate2 x509Certificate2;
// At this point, the certificate is not valid, until a
// it is proved that it has a valid root certificate
isValid = false;
while (isValid == false && enumerator.MoveNext())
{
x509ChainElement = enumerator.Current;
x509Certificate2 = x509ChainElement.Certificate;
x509CertificateThumbprint = x509Certificate2.Thumbprint.ToLowerInvariant();
if (rootCertificateDirectory.ContainsKey(x509CertificateThumbprint))
{
// The current chain element is in the trusted rootCertificateDirectory
isValid = true;
// now the loop will break, as we have found a trusted root certificate
}
}
this.logger.Debug("Found root certificate in the root certificate list: " + isValid.ToString());
}
}
return(isValid);
}