public void Run()
{
try
{
ReceiveLoop();
}
catch (Exception e)
{
scheduler.ReportException(e, "receiving from " + IoScheduler.GetCertificatePublicKey(remoteCert));
}
}
public static ServerSenderThread Create(IoScheduler scheduler, SslStream stream)
{
var remoteCert = stream.RemoteCertificate as X509Certificate2;
var destinationPublicKey = IoScheduler.GetCertificatePublicKey(remoteCert);
if (scheduler.Verbose)
{
Console.WriteLine("Creating sender thread to send to remote certified as {0}",
IoScheduler.CertificateToString(remoteCert));
}
ServerSenderThread senderThread = new ServerSenderThread(scheduler, destinationPublicKey, stream, remoteCert);
senderThread.Start();
return(senderThread);
}
///////////////////////////////////
// API for IoNative.cs
///////////////////////////////////
public void ReceivePacket(Int32 timeLimit, out bool ok, out bool timedOut, out byte[] remotePublicKey, out byte[] message)
{
ReceivedPacket packet;
try {
if (timeLimit == 0)
{
timedOut = !receiveQueue.TryReceive(out packet);
}
else
{
TimeSpan timeSpan = TimeSpan.FromMilliseconds(timeLimit);
packet = receiveQueue.Receive(timeSpan);
timedOut = false;
}
ok = true;
if (timedOut)
{
remotePublicKey = null;
message = null;
}
else
{
remotePublicKey = IoScheduler.GetCertificatePublicKey(packet.SenderCert);
message = packet.Message;
if (verbose)
{
Console.WriteLine("Dequeueing a packet of size {0} from {1}",
message.Length, CertificateToString(packet.SenderCert));
}
}
}
catch (TimeoutException) {
remotePublicKey = null;
message = null;
ok = true;
timedOut = true;
}
catch (Exception e) {
Console.Error.WriteLine("Unexpected error trying to read packet from packet queue. Exception:\n{0}", e);
remotePublicKey = null;
message = null;
ok = false;
timedOut = false;
}
}
public static void CreateNewIdentity(string friendlyName, string hostNameOrAddress, int port,
out PublicIdentity publicIdentity, out PrivateIdentity privateIdentity)
{
var key = RSA.Create(4096);
var subject = string.Format("CN = {0}", friendlyName);
var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
var now = DateTime.Now;
var expiry = now.AddYears(10);
var cert = req.CreateSelfSigned(now, expiry);
var pkcs12 = cert.Export(X509ContentType.Pkcs12, "" /* empty password */);
publicIdentity = new PublicIdentity {
FriendlyName = friendlyName,
PublicKey = IoScheduler.GetCertificatePublicKey(cert),
HostNameOrAddress = hostNameOrAddress,
Port = port
};
privateIdentity = new PrivateIdentity {
FriendlyName = friendlyName,
Pkcs12 = pkcs12,
HostNameOrAddress = hostNameOrAddress,
Port = port
};
}
protected override bool Connect()
{
var destinationPublicIdentity = scheduler.LookupPublicKey(destinationPublicKey);
if (destinationPublicIdentity == null)
{
if (scheduler.Verbose)
{
Console.Error.WriteLine("Could not connect to destination public key {0} because we don't know its address.",
IoScheduler.PublicKeyToString(destinationPublicKey));
}
return(false);
}
if (scheduler.Verbose)
{
Console.WriteLine("Starting connection to {0}", IoScheduler.PublicIdentityToString(destinationPublicIdentity));
}
TcpClient client;
try
{
client = new TcpClient(destinationPublicIdentity.HostNameOrAddress, destinationPublicIdentity.Port);
}
catch (Exception e)
{
scheduler.ReportException(e, "connecting to " + IoScheduler.PublicIdentityToString(destinationPublicIdentity));
return(false);
}
var myCertificateCollection = new X509CertificateCollection();
myCertificateCollection.Add(scheduler.MyCert);
var myValidator = new CertificateValidator(scheduler, destinationPublicIdentity);
try {
stream = new SslStream(client.GetStream(), leaveInnerStreamOpen: false, myValidator.ValidateSSLCertificate);
stream.AuthenticateAsClient(destinationPublicIdentity.FriendlyName, myCertificateCollection,
checkCertificateRevocation: false);
}
catch (Exception e) {
scheduler.ReportException(e, "authenticating connection to " + IoScheduler.PublicIdentityToString(destinationPublicIdentity));
return(false);
}
remoteCert = stream.RemoteCertificate as X509Certificate2;
if (!ByteArrayComparer.Default().Equals(IoScheduler.GetCertificatePublicKey(remoteCert), destinationPublicKey))
{
Console.Error.WriteLine("Connected to {0} expecting public key {1} but found public key {2}, so disconnecting.",
IoScheduler.PublicIdentityToString(destinationPublicIdentity),
IoScheduler.PublicKeyToString(destinationPublicKey),
IoScheduler.PublicKeyToString(IoScheduler.GetCertificatePublicKey(remoteCert)));
return(false);
}
if (scheduler.Verbose)
{
Console.WriteLine("Successfully connected to {0} and got certificate identifying it as {1}",
IoScheduler.PublicIdentityToString(destinationPublicIdentity),
IoScheduler.CertificateToString(remoteCert));
}
// Now that the connection is successful, create a thread to
// receive packets on it.
ReceiverThread receiverThread = ReceiverThread.Create(scheduler, stream);
return(true);
}
public bool ValidateSSLCertificate(object sender, X509Certificate certificate, X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
const SslPolicyErrors ignoredErrors = SslPolicyErrors.RemoteCertificateChainErrors;
if ((sslPolicyErrors & ~ignoredErrors) != SslPolicyErrors.None)
{
Console.Error.WriteLine("Could not validate SSL certificate for {0} due to errors {1}",
IoScheduler.GetCertificatePublicKey(certificate as X509Certificate2),
sslPolicyErrors & ~ignoredErrors);
return(false);
}
var cert2 = certificate as X509Certificate2;
// If we were expecting a specific public identity, check that
// the key in the certificate matches what we were expecting.
if (expectedPublicIdentity != null)
{
if (!ByteArrayComparer.Default().Equals(IoScheduler.GetCertificatePublicKey(cert2), expectedPublicIdentity.PublicKey))
{
Console.Error.WriteLine("Connected to {0} expecting public key {1} but found public key {2}, so disconnecting.",
IoScheduler.PublicIdentityToString(expectedPublicIdentity),
IoScheduler.PublicKeyToString(expectedPublicIdentity.PublicKey),
IoScheduler.PublicKeyToString(IoScheduler.GetCertificatePublicKey(cert2)));
return(false);
}
if (cert2.SubjectName.Name != "CN=" + expectedPublicIdentity.FriendlyName)
{
Console.Error.WriteLine("Connected to {0} expecting subject CN={1} but found {2}, so disconnecting.",
IoScheduler.PublicIdentityToString(expectedPublicIdentity),
expectedPublicIdentity.FriendlyName,
cert2.SubjectName.Name);
return(false);
}
}
else
{
// If we weren't expecting any particular public identity,
// consider the expected public identity to be the known one
// matching the public key in the certificate we got. If
// there is no known one, then this is just an anonymous
// client, which is fine. Otherwise, check that the subject
// matches what we expect. This is just a paranoid check; it
// should never fail.
expectedPublicIdentity = scheduler.LookupPublicKey(IoScheduler.GetCertificatePublicKey(cert2));
if (expectedPublicIdentity != null)
{
if (cert2.SubjectName.Name != "CN=" + expectedPublicIdentity.FriendlyName)
{
Console.Error.WriteLine("Received a certificate we expected to have subject CN={1} but found {2}, so disconnecting.",
IoScheduler.PublicIdentityToString(expectedPublicIdentity),
expectedPublicIdentity.FriendlyName,
cert2.SubjectName.Name);
return(false);
}
}
}
return(true);
}
public static string CertificateToString(X509Certificate2 cert)
{
return(string.Format("{0} (key {1})",
cert.SubjectName.Name, PublicKeyToString(IoScheduler.GetCertificatePublicKey(cert))));
}