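public static void Main(string[] args)
{
    // X:\jsc.svn\examples\java\hybrid\JVMCLRTCPMultiplex\JVMCLRTCPMultiplex\Program.cs
    // Error 1 Referenced assembly 'ScriptCoreLibA, Version=4.5.0.0, Culture=neutral, PublicKeyToken=null' does not have a strong name. X:\jsc.svn\examples\java\hybrid\JVMCLRSSLTCPListener\JVMCLRSSLTCPListener\CSC JVMCLRSSLTCPListener

    // will this work on android?
    Console.WriteLine(typeof(object).AssemblyQualifiedName);

    // --- certificate generation notes (makecert.exe from Windows Kits 8.0) ---
    // http://stackoverflow.com/questions/19958829/where-can-i-find-makecert-exe-visual-studio-ultimate-2012
    // "C:\Program Files (x86)\Windows Kits\8.0\bin\x64\makecert.exe"
    // To generate a certificate with private key, you have to use the option -pe. But this is not sufficient.
    // Private key will only be created if your certificate destination is a store. So you'll have to use the command like this:
    // https://social.msdn.microsoft.com/Forums/vstudio/en-US/1367551d-3448-49d7-bcea-6d96d04d1acb/rsacryptoserviceprovider-errors?forum=clr
    // Error: Save encoded certificate to store failed => 0x5(5)
    // certmgr.msc
    // http://certificateerror.blogspot.com/2011/08/access-local-machine-certificates.html
    // http://devproconnections.com/development/working-certificates
    // http://rickardrobin.wordpress.com/2012/12/05/specifying-a-friendly-name-to-a-certificate/
    // http://myousufali.wordpress.com/2012/05/29/create-a-self-signed-server-certificate/
    // The certificate has to be generated with "client authentication" option
    // http://stackoverflow.com/questions/18942848/authenticate-user-via-client-signed-ssl-certificate-in-asp-net-application
    //
    // Earlier (disabled) attempts to generate the certificate from here; the last argument
    // string is the one that finally produced a certificate with a private key.
    //Process.Start(
    //    new ProcessStartInfo(
    //        @"C:\Program Files (x86)\Windows Kits\8.0\bin\x64\makecert.exe",
    //        //"-r -n \"CN=localhost\" -m 12 -sky exchange -sv serverCert.pvk -pe -ss my serverCert.cer"
    //        //"-r -n \"CN=localhost\" -m 12 -sky exchange -pe -ss my serverCert.cer -sr localMachine"
    //        //"-r -n \"CN=localhost\" -m 12 -sky exchange -pe -ss my serverCert.cer -sr currentuser"
    //        "-r -n \"CN=localhost\" -m 12 -sky exchange -pe -ss my -sr currentuser"
    //    )
    //    {
    //        UseShellExecute = false
    //    }
    //).WaitForExit();

    // Additional information: The specified network password is not correct.
    // NOTE(review): the PFX is resolved against the working directory and its password is a
    // literal in source; both should come from configuration before this runs anywhere but a dev box.
    X509Certificate2 serverCertificate = new X509Certificate2("serverCert.cer.pfx", "xxx");
    Console.WriteLine(new { serverCertificate.HasPrivateKey });

    // Additional information: The server mode SSL must use a certificate with the associated private key.
    // You need to combine the certificate and private key into one PKCS12 package as described here:
    // http://www.dylanbeattie.net/docs/openssl_iis_ssl_howto.html
    // Checked once at startup so a bad PFX fails here instead of on every client handshake.
    if (!serverCertificate.HasPrivateKey)
    {
        throw new InvalidOperationException("serverCert.cer.pfx does not contain a private key; AuthenticateAsServer requires one.");
    }

    // http://www.dib0.nl/code/343-using-ssl-over-tcp-as-client-and-server-with-c
    // http://msdn.microsoft.com/en-us/library/system.net.security.sslstream.aspx

    // random NIC ip and random port?
    // then patch the io bridge?
    // then remove webdev dependency?
    TcpListener listener = new TcpListener(IPAddress.Any, 1300);
    listener.Start();

    // dev convenience: point the default browser at ourselves
    Process.Start(@"https://localhost:1300");
    //.WaitForExit();

    // --- single-port multiplexing references (HTTP / TLS sniffing) ---
    // https://github.com/stealth/qdns
    // https://github.com/stealth/qdns/blob/master/qdns.cc
    // http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/ldb.134.19.html
    // http://blog.stalkr.net/2012/02/sshhttps-multiplexing-with-sshttp.html
    // https://www.npmjs.org/package/port-mux
    // How? The muxer basically sniffs the initial data packet sent by the client to determine
    // (using a rule set) where to forward the request to.

    // Wait for a client to connect on TCP port 1300. Clients are served one at a time;
    // a connection that dies mid-request is logged and the listener keeps accepting.
    while (true)
    {
        TcpClient clientSocket = listener.AcceptTcpClient();
        try
        {
            ServeHttpsClient(clientSocket, serverCertificate);
        }
        catch (IOException ex)
        {
            // the client went away while we were still reading or answering its request
            LogFailure(ex);
        }
    }

    // Unreachable as written (the accept loop above never exits); kept from the original.
    CLRProgram.CLRMain();
}

/// <summary>
/// Serves one accepted connection: TLS handshake as server (client certificate required),
/// reads the HTTP request headers and answers an exact "GET / HTTP/1.1" with a fixed
/// hello-world page. Any other request line is echoed to the console and the connection is
/// closed without a response. The connection is disposed before this method returns.
/// </summary>
/// <param name="clientSocket">Accepted connection; owned and disposed by this method.</param>
/// <param name="serverCertificate">Server certificate (with private key) used for the handshake.</param>
/// <exception cref="IOException">The client closed the connection while the request was being read or answered.</exception>
private static void ServeHttpsClient(TcpClient clientSocket, X509Certificate2 serverCertificate)
{
    // makecert -r -pe -n "CN=localhost" -m 12 -sky exchange -ss my serverCert.cer
    // This command created a self-signed certificate with "localhost" for the certificate subject
    // and it makes the certificate valid for 12 months.
    // jsc, when was the last time we used makecert? where is makecert?
    // http://stackoverflow.com/questions/23044914/c-sharp-ssl-server-mode-must-use-a-certificate-with-the-corresponding-private-ke
    // can we use async ?
    //
    // http://security.stackexchange.com/questions/12426/secure-communication-between-c-client-and-java-server-using-certificates
    // http://ishare2learn.wordpress.com/2012/05/22/ssl-communication-in-c/
    // http://blogs.msdn.com/b/joncole/archive/2007/06/13/sample-asynchronous-sslstream-client-server-implementation.aspx
    // http://c-skills.blogspot.com/2014/05/quantum-dns-trickery.html
    // http://security.stackexchange.com/questions/20803/how-does-ssl-tls-work
    // http://igorshare.wordpress.com/2007/11/21/part-2-securing-server-with-ssl/
    // http://stackoverflow.com/questions/18942848/authenticate-user-via-client-signed-ssl-certificate-in-asp-net-application
    // http://stackoverflow.com/questions/6356070/c-sslstream-and-local-proxy
    using (clientSocket)
    using (SslStream sslStream = new SslStream(
        innerStream: clientSocket.GetStream(),
        // the SslStream owns the NetworkStream, which in turn owns the socket
        leaveInnerStreamOpen: false,
        userCertificateSelectionCallback: new LocalCertificateSelectionCallback(SelectLocalCertificate),
        userCertificateValidationCallback: new RemoteCertificateValidationCallback(ValidateClientCertificate),
        encryptionPolicy: EncryptionPolicy.RequireEncryption))
    {
        // Handshake errors seen while developing this (https://localhost:1300/):
        //   The handshake failed due to an unexpected packet format.
        //   Authentication failed because the remote party has closed the transport stream.
        //   The server mode SSL must use a certificate with the associated private key.
        //   A call to SSPI failed, see inner exception.
        //   The client and server cannot communicate, because they do not possess a common algorithm
        // http://www.codeproject.com/Articles/326574/An-Introduction-to-Mutual-SSL-Authentication
        try
        {
            sslStream.AuthenticateAsServer(
                serverCertificate,
                clientCertificateRequired: true,
                // chrome for android does not like IIS TLS 1.2
                enabledSslProtocols: System.Security.Authentication.SslProtocols.Tls12,
                checkCertificateRevocation: false);
        }
        catch (System.Security.Authentication.AuthenticationException ex)
        {
            // no/rejected client certificate, protocol or cipher mismatch, ...
            LogFailure(ex);
            return;
        }
        catch (IOException ex)
        {
            // transport dropped during the handshake
            LogFailure(ex);
            return;
        }

        Console.WriteLine(new { RemoteCertificate = sslStream.RemoteCertificate });

        // Browser side, until the server certificate is trusted:
        //   NET::ERR_CERT_AUTHORITY_INVALID / Your connection is not private
        //   Error code: ERR_CONNECTION_REFUSED (listener not up yet)
        // issue NIC private key pfx?
        Console.WriteLine("read " + sslStream.GetHashCode());

        // Additional information: Stream was not readable.
        bool isRootGet = false;
        // leaveOpen: the reader only decodes lines; the outer using disposes the SslStream
        using (StreamReader rx = new StreamReader(sslStream, Encoding.UTF8, true, 1024, true))
        {
            while (true)
            {
                string rxl = rx.ReadLine();
                // an empty line ends the request headers; null means the client closed the stream
                if (string.IsNullOrEmpty(rxl))
                {
                    break;
                }
                Console.WriteLine(rxl);
                // only the exact root request line gets a body
                if (rxl == "GET / HTTP/1.1")
                {
                    isRootGet = true;
                }
            }
        }

        if (isRootGet)
        {
            WriteHelloWorldResponse(sslStream);
        }
        //Debugger.Break();
    }
}

/// <summary>
/// Writes the fixed "HTTP/1.0 200 OK" hello-world response. The caller owns and closes the stream.
/// </summary>
/// <param name="stream">Authenticated stream to the client.</param>
private static void WriteHelloWorldResponse(Stream stream)
{
    // Error code: ERR_EMPTY_RESPONSE
    // how many times have we played http server?
    // X:\jsc.svn\examples\javascript\chrome\apps\ChromeTCPServer\ChromeTCPServer\Application.cs
    byte[] response = Encoding.UTF8.GetBytes("HTTP/1.0 200 OK\r\nConnection: close\r\n\r\n<h1>hello world</h1>");
    stream.Write(response, 0, response.Length);

    // i wonder could we send over a delegate as a jsc app? :D
    //sslStream.Write(
    //    delegate
    //    {
    //        // jsc would have to serialize this. AOT
    //        new ScriptCoreLib.JavaScript.DOM.HTML.IHTMLPre { "hello world" }.AttachToDocument();
    //    }
    //);
}

/// <summary>
/// Server-side certificate selection: the only certificate handed to AuthenticateAsServer is used.
/// </summary>
private static X509Certificate SelectLocalCertificate(object sender, string targetHost, X509CertificateCollection localCertificates, X509Certificate remoteCertificate, string[] acceptableIssuers)
{
    return localCertificates[0];
}

/// <summary>
/// Client-certificate check for the handshake. The original returned true unconditionally,
/// which made clientCertificateRequired meaningless: a client presenting no certificate at all
/// was still accepted. Development uses self-signed client certificates, so chain/name errors
/// are logged but tolerated; only the absence of a certificate is rejected.
/// TODO(review): before production use, validate the chain against the expected issuer instead
/// of tolerating sslPolicyErrors.
/// </summary>
/// <returns>true when the client presented a certificate; false otherwise, which fails the handshake.</returns>
private static bool ValidateClientCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    Console.WriteLine(new { sslPolicyErrors });
    if (certificate == null)
    {
        return false;
    }
    return true;
}

/// <summary>Writes an exception's message, and its inner exception's message if present, to the console.</summary>
private static void LogFailure(Exception ex)
{
    Console.WriteLine(new { ex.Message });
    if (ex.InnerException != null)
    {
        Console.WriteLine(new { ex.InnerException.Message });
    }
}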
public static void Main(string[] args)
{
    // Developer TLS setup for the multiplexing listener:
    //  1. find (or create with makecert) a self-signed root CA in the CurrentUser\Root store,
    //  2. per local endpoint, find (or issue from that CA into CurrentUser\My) a server certificate
    //     tagged with the endpoint URL in a private extension,
    //  3. listen on a random port and serve TLS connections with a client certificate required.
    // NOTE(review): this copy of the file is garbled/redacted in the middle (see the note before
    // the SslStream block below); the declaration of the per-client handler is missing.

    // http://stackoverflow.com/questions/9726802/ssl-socket-between-net-and-java-with-client-authentication
    // http://stackoverflow.com/questions/27203741/java-equivalent-to-net-sslstream
    // X:\jsc.svn\core\ScriptCoreLib.Ultra.Library\ScriptCoreLib.Ultra.Library\Extensions\TcpListenerExtensions.css
    // X:\jsc.svn\examples\javascript\Test\TestTCPMultiplex\TestTCPMultiplex\Application.cs
    // https://sites.google.com/a/jsc-solutions.net/backlog/knowledge-base/2014/201410/20141018-ssl
    // http://msdn.microsoft.com/en-us/library/ms733813.aspx
    // http://stackoverflow.com/questions/4095297/self-signed-certificates-performance-in-wcf-scenarios
    // https://sites.google.com/a/jsc-solutions.net/backlog/knowledge-base/2015/201510/20151009

    // Subject name of the developer root CA; also used as the -in issuer for the server certificates.
    var CN = "device SSL authority for developers";

    #region CertificateRootFromCurrentUser
    // Looks the root CA up by subject name in CurrentUser\Root; null when not installed.
    // (third Find argument: valid certificates only)
    Func<X509Certificate> CertificateRootFromCurrentUser = delegate
    {
        X509Store store = new X509Store(
            StoreName.Root,
            StoreLocation.CurrentUser);

        // https://syfuhs.net/2011/05/12/making-the-x509store-more-friendly/
        // http://ftp.icpdas.com/pub/beta_version/VHM/wince600/at91sam9g45m10ek_armv4i/cesysgen/sdk/inc/wintrust.h
        // Policy Information:
        //URL = http://127.0.0.5:10500

        try
        {
            store.Open(OpenFlags.ReadOnly);
            var item = store.Certificates.Find(X509FindType.FindBySubjectName, CN, true);
            if (item.Count > 0)
                return item[0];
        }
        finally
        {
            store.Close();
        }
        return null;
    };
    #endregion

    // Error: There is no matching certificate in the issuer's Root cert store
    var r = CertificateRootFromCurrentUser();
    if (r == null)
    {
        // Creates the root CA (-cy authority) directly in the CurrentUser Root store, valid 72 months.
        // NOTE(review): installing into Root makes every certificate this CA signs trusted for this
        // Windows user (the pasted "Security Warning" dialog further down is Windows saying exactly that).
        // NOTE(review): -a SHA1 selects a SHA-1 signature; browsers have since deprecated SHA-1 chains.
        Process.Start(
            new ProcessStartInfo(
                @"C:\Program Files (x86)\Windows Kits\8.0\bin\x64\makecert.exe",
                // this cert is constant
                "-r -cy authority -a SHA1 -n \"CN=" + CN + "\" -len 2048 -m 72 -ss Root -sr currentuser"
            )
            {
                UseShellExecute = false
            }
        ).WaitForExit();
    }

    // X:\jsc.svn\examples\java\hybrid\JVMCLRSSLTCPListener\JVMCLRSSLTCPListener\Program.cs
    // https://www.npmjs.org/package/port-mux
    // http://c-skills.blogspot.com/
    // http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html
    //// match HTTP GET requests (using a prefix string match) and forward them to localhost:80
    //.addRule('GET ', 80)
    //// match TLS (HTTPS) requests (versions 3.{0,1,2,3}) using a regular expression
    //.addRule(/^\x16\x03[\x00 -\x03] /, '192.168.1.1:443') // regex match
    // If you wanted to be really clever, you could use a connection proxy thing to sniff the first couple of bytes of the incoming data stream, and hand off the connection based on the contents of byte 0: if it's 0x16 (the SSL/TLS 'handshake' byte), pass the connection to the SSL side, if it's an alphabetical character, do normal HTTP. My comment about port numbering applies.
    // http://serverfault.com/questions/47876/handling-http-and-https-requests-using-a-single-port-with-nginx
    // http://www.pond-weed.com/multiplex/
    // http://stackoverflow.com/questions/463657/makecert-is-it-possible-to-change-the-key-size
    // The certificate has to be generated with "client authentication" option
    // http://stackoverflow.com/questions/18942848/authenticate-user-via-client-signed-ssl-certificate-in-asp-net-application
    // https://github.com/mono/mono/blob/master/mcs/tools/security/makecert.cs
    //X509CertificateBuilder
    // jsc can you build a cert anywhere?

    // Random listening port in [8000, 12000); a new one each run, so the browser URL below changes too.
    var port = new Random().Next(8000, 12000);

    // -l <link> Link to the policy information (such as a URL)
    // http://www.michael-thomas.com/tech/msiis/ssl_self_generating_certificates_for_iis_makecert.htm
    // -nscp Include netscape client auth extension
    // http://stackoverflow.com/questions/650017/what-does-subject-mean-in-certificate
    // http://technet.microsoft.com/en-us/library/aa998840.aspx
    // https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Managing_Subject_Names_and_Subject_Alternative_Names.html
    // http://blogs.technet.com/b/jhoward/archive/2005/02/02/365323.aspx
    // http://certificate.fyicenter.com/439_Windows__makecert.exe_-in_-eku__Certificate_for_Server_Aut.html
    // http://www.forumeasy.com/forums/archive/ldappro/201211/p135257621115.html
    //'-eku 1.3.6.1.5.5.7.3.1' specifies the new certificate is for "Server Authentication" purpose only.
    // http://stackoverflow.com/questions/12120630/how-do-i-identify-my-server-name-for-server-authentication-by-client-in-c-sharp
    // http://stackoverflow.com/questions/17477279/client-authentication-1-3-6-1-5-5-7-3-2-oid-in-server-certificates
    // http://security.stackexchange.com/questions/36932/what-is-the-difference-between-ssl-and-x-509-certificates
    // http://msdn.microsoft.com/en-us/library/windows/desktop/aa378132(v=vs.85).aspx
    // Server Authentication (1.3.6.1.5.5.7.3.1)
    //Client Authentication (1.3.6.1.5.5.7.3.2)
    // http://msdn.microsoft.com/en-us/library/windows/desktop/aa386968(v=vs.85).aspx
    // http://www.wilsonmar.com/1certs.htm
    // http://forums.iis.net/t/1180823.aspx
    // http://stackoverflow.com/questions/13806299/how-to-create-a-self-signed-certificate-using-c
    // https://clrsecurity.svn.codeplex.com/svn/Security.Cryptography/src/CngKeyExtensionMethods.cs

    // Dialog Windows shows when the generated root is imported (kept as a record of what trusting it means):
    // ---------------------------
    //Security Warning
    //---------------------------
    //You are about to install a certificate from a certification authority (CA) claiming to represent:
    //127.0.0.101
    //Windows cannot validate that the certificate is actually from "127.0.0.101". You should confirm its origin by contacting "127.0.0.101". The following number will assist you in this process:
    //Thumbprint (sha1): 8B8942FB DEB64552 7BBDAD27 24B78664 A6D85D7E
    //Warning:
    //If you install this root certificate, Windows will automatically trust any certificate issued by this CA. Installing a certificate with an unconfirmed thumbprint is a security risk. If you click "Yes" you acknowledge this risk.
    //Do you want to install this certificate?
    //---------------------------
    //Yes No
    //---------------------------

    // http://msdn.microsoft.com/en-us/library/ms733813.aspx

    #region CertificateFromCurrentUserByLocalEndPoint
    // Returns the server certificate for the local endpoint the client connected to, issuing one
    // with makecert when none is found. Matching is by the "http://host:port" link stored in the
    // certificate's SPC_SP_AGENCY_INFO extension (-l on makecert), not by subject name.
    Func<IPEndPoint, X509Certificate> CertificateFromCurrentUserByLocalEndPoint = LocalEndPoint =>
    {
        var host = LocalEndPoint.Address.ToString();
        var link = "http://" + host + ":" + LocalEndPoint.Port;

        #region CertificateFromCurrentUser
        // Scans CurrentUser\My for a certificate whose agency-info link equals `link`; null if none.
        Func<X509Certificate> CertificateFromCurrentUser = delegate
        {
            X509Store store = new X509Store(
                //StoreName.Root,
                StoreName.My,
                StoreLocation.CurrentUser);

            // https://syfuhs.net/2011/05/12/making-the-x509store-more-friendly/
            // http://ftp.icpdas.com/pub/beta_version/VHM/wince600/at91sam9g45m10ek_armv4i/cesysgen/sdk/inc/wintrust.h
            // Policy Information:
            //URL = http://127.0.0.5:10500

            try
            {
                store.Open(OpenFlags.ReadOnly);

                // Additional information: The OID value was invalid.
                X509Certificate2Collection cers = store.Certificates;
                foreach (var item in cers)
                {
                    // http://comments.gmane.org/gmane.comp.emulators.wine.devel/86862
                    var SPC_SP_AGENCY_INFO_OBJID = "1.3.6.1.4.1.311.2.1.10"; // spcSpAgencyInfo private extension
                    var elink = item.Extensions[SPC_SP_AGENCY_INFO_OBJID];
                    if (elink != null)
                    {
                        // Skips 6 leading bytes of the extension's raw value before decoding the URL;
                        // presumably the DER framing written by makecert -l — TODO confirm against a real cert.
                        var prefix = 6;
                        var linkvalue = Encoding.UTF8.GetString(elink.RawData, prefix, elink.RawData.Length - prefix);
                        Console.WriteLine(new { item.Subject, linkvalue });
                        if (linkvalue == link)
                            return item;
                    }
                }
            }
            finally
            {
                store.Close();
            }
            return null;
        };
        #endregion

        var n = CertificateFromCurrentUser();
        if (n == null)
        {
            // http://stackoverflow.com/questions/13332569/how-to-create-certificate-authority-certificate-with-makecert
            // http://www.jayway.com/2014/09/03/creating-self-signed-certificates-with-makecert-exe-for-development/
            // http://stackoverflow.com/questions/4095297/self-signed-certificates-performance-in-wcf-scenarios
            // logical store name
            // Issues a 1-month server-auth certificate (CN=host) signed by the developer root (-is Root -in CN)
            // into CurrentUser\My, carrying the endpoint URL as the policy link (-l).
            Process.Start(
                new ProcessStartInfo(
                    @"C:\Program Files (x86)\Windows Kits\8.0\bin\x64\makecert.exe",
                    //"-r -n \"CN=localhost\" -m 12 -sky exchange -sv serverCert.pvk -pe -ss my serverCert.cer"
                    //"-r -n \"CN=localhost\" -m 12 -sky exchange -pe -ss my serverCert.cer -sr localMachine"
                    //"-r -n \"CN=localhost\" -m 12 -sky exchange -pe -ss my serverCert.cer -sr currentuser"
                    //"-r -a SHA1 -n \"CN=" + host + "\" -len 2048 -m 1 -sky exchange -pe -ss my -sr currentuser -l " + link
                    //"-r -cy authority -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -a SHA512 -n \"CN=" + host + "\" -len 2048 -m 1 -sky exchange -ss Root -sr currentuser -l " + link
                    // chrome wont like SHA512
                    // https://code.google.com/p/chromium/issues/detail?id=342230
                    // http://serverfault.com/questions/407006/godaddy-ssl-certificate-shows-domain-name-instead-of-full-company-name
                    // The certificate's O attribute in the subject (organization), along with the C attribute (country) determine what is displayed. If they are absent, it will simply display the primary subject domain name from the certificate.
                    //"-r -cy authority -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -a SHA1 -n \"CN=" + host + ",O=JVMCLRTCPMultiplex\" -len 2048 -m 1 -sky exchange -ss Root -sr currentuser -l " + link
                    //" -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -a SHA1 -n \"CN=" + host + "\" -len 2048 -m 1 -sky exchange -ss MY -sr currentuser -is Root -in \"" + CN + "\" -l " + link
                    " -eku 1.3.6.1.5.5.7.3.1 -a SHA1 -n \"CN=" + host + "\" -len 2048 -m 1 -sky exchange -ss MY -sr currentuser -is Root -in \"" + CN + "\" -l " + link
                )
                {
                    UseShellExecute = false
                }
            ).WaitForExit();

            // second lookup after makecert; still null if makecert failed
            n = CertificateFromCurrentUser();
        }
        return n;
    };
    #endregion

    //store.Open(OpenFlags.

    TcpListener listener = new TcpListener(IPAddress.Any, port);
    listener.Start();

    // dev convenience: open the browser on the plain-http URL; the multiplexer is expected to
    // tell TLS from HTTP on the same port (see the sniffing references above).
    Process.Start(@"http://" + "127.0.0.101" + ":" + port);
    //.WaitForExit();

    // NOTE(review): the source is garbled/redacted from here: the line below merges a commented-out
    // Process.Start(...) with the tail of an X509Certificate2(pfx, password) call, and the
    // declaration of the per-client handler — `yield`, `clientSocket`, the inner stream `p`, the
    // protocol check whose closing brace appears below, and `x200` — is missing from this copy.
    //Process.Start(@"http://*****:*****@"X:\jsc.svn\examples\java\hybrid\JVMCLRSSLTCPListener\JVMCLRSSLTCPListener\bin\Debug\serverCert.cer.pfx", "xxx");

        using (SslStream sslStream = new SslStream(
            innerStream: p,
            leaveInnerStreamOpen: false,
            userCertificateSelectionCallback: new LocalCertificateSelectionCallback(
                (object sender, string targetHost, X509CertificateCollection localCertificates, X509Certificate remoteCertificate, string[] acceptableIssuers) =>
                {
                    return localCertificates[0];
                }
            ),
            // NOTE(review): returning true unconditionally accepts any client certificate — and, with
            // clientCertificateRequired: true below, also a client that presents none (certificate == null).
            // The requirement is therefore not enforced; at minimum reject a null certificate.
            userCertificateValidationCallback: new RemoteCertificateValidationCallback(
                (object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) =>
                {
                    Console.WriteLine(new { certificate });
                    return true;
                }
            ),
            encryptionPolicy: EncryptionPolicy.RequireEncryption
        ))
        {
            try
            {
                // AuthenticateAsServer
                // can this hang? if we use the wrong stream!
                // The server certificate is resolved (and possibly generated) per connection from
                // the local endpoint the client hit; `clientSocket` is declared in the missing part.
                sslStream.AuthenticateAsServer(
                    serverCertificate: CertificateFromCurrentUserByLocalEndPoint((IPEndPoint)clientSocket.Client.LocalEndPoint),
                    //clientCertificateRequired: false,
                    clientCertificateRequired: true,
                    // chrome for android does not like IIS TLS 1.2
                    enabledSslProtocols: System.Security.Authentication.SslProtocols.Tls12,
                    checkCertificateRevocation: false
                );
            }
            catch (Exception ex)
            {
                // handshake failed: log and drop this connection, keep serving
                Console.WriteLine(new { ex.Message });
                if (ex.InnerException != null)
                    Console.WriteLine(new { ex.InnerException.Message });
                return;
            }

            Console.WriteLine("read " + sslStream.GetHashCode());
            // x200: request/response handling over the authenticated stream; not defined in this copy
            x200(sslStream);
            sslStream.Close();
        }
        Console.WriteLine("exit https");
        return;
        }
        // non-TLS branch of the (missing) protocol check: close without answering
        Console.WriteLine("exit other");
        p.Close();
    };

    // serial accept loop; one connection at a time
    while (true)
        yield(listener.AcceptTcpClient());

    // unreachable as written (the loop above never exits)
    CLRProgram.CLRMain();
}