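/// <summary>
/// Decides whether the ephemeral certificate carried in <paramref name="proof"/> should be trusted
/// for the channel identified by <paramref name="channelCertificate"/>.
/// Three checks must all pass: the ephemeral certificate is inside its validity window, its embedded
/// client certificate is byte-for-byte equal to the channel certificate, and its signature validates
/// against the trusted certificate whose thumbprint it names.
/// </summary>
/// <param name="channelCertificate">Certificate presented on the transport; its raw DER bytes are compared against the ephemeral certificate's client certificate.</param>
/// <param name="proof">Proof carrying the serialized ephemeral certificate.</param>
/// <returns><c>true</c> only when every check passes; <c>false</c> on any failure, including an unknown trusted-certificate thumbprint.</returns>
public bool IsCertificateTrusted(X509Certificate channelCertificate, CertificateProof proof)
{
    var cert = new EphemeralCertificate(proof.EphemeralCertificate);

    // Read the clock once so both bounds are evaluated against the same instant.
    var now = DateTime.UtcNow;
    if (now < cert.ValidFrom || cert.ValidTo < now)
    {
        return false;
    }

    // Bind the ephemeral certificate to the channel that presented it; a proof issued for one
    // channel certificate must not be accepted on another.
    if (!channelCertificate.GetRawCertData().SequenceEqual(cert.ClientCertificate))
    {
        return false;
    }

    var thumbprint = HexToString(cert.TrustedCertThumbprint);
    lock (m_syncRoot)
    {
        if (!m_list.TryGetValue(thumbprint, out var data))
        {
            // Unknown thumbprint: refresh the trusted list at most once per minute and look up once more.
            // The retry is bounded so a RebuildCerts() that does not reset m_lastCertRefresh cannot spin.
            if (m_lastCertRefresh.ElapsedSeconds() <= 60)
            {
                return false;
            }

            RebuildCerts();
            if (!m_list.TryGetValue(thumbprint, out data))
            {
                return false;
            }
        }

        // X509Certificate2 owns native handles and is IDisposable; release it once the signature is checked.
        using (var signer = new X509Certificate2(data))
        {
            return cert.ValidateSignature(signer);
        }
    }
}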
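/// <summary>
/// Authenticates a connected <paramref name="stream"/> from the ephemeral certificate carried in
/// <paramref name="proof"/> and, on success, grants the account's permissions to the stream.
/// The ephemeral certificate must be inside its validity window, name a trusted certificate that
/// <c>TryFindCertificate</c> can resolve, validate against that certificate's signature, and come from
/// an address the resolved account allows.
/// </summary>
/// <param name="stream">Connected stream; its remote address is checked against the account's IP allow-list and it receives the granted roles.</param>
/// <param name="proof">Proof carrying the serialized ephemeral certificate.</param>
/// <returns><c>true</c> when the stream was authenticated and permissions were granted; <c>false</c> otherwise (no permissions are granted on failure).</returns>
public bool IsCertificateTrusted(CtpNetStream stream, CertificateProof proof)
{
    var eph = new EphemeralCertificate(proof.EphemeralCertificate);

    // Reject expired or not-yet-valid proofs before touching the trust store. The X509Certificate
    // overload enforces the same window; without this check an expired ephemeral certificate
    // would still be honored on this path.
    var now = DateTime.UtcNow;
    if (now < eph.ValidFrom || eph.ValidTo < now)
    {
        return false;
    }

    if (!TryFindCertificate(HexToString(eph.TrustedCertThumbprint), out var signingCert, out var account))
    {
        return false;
    }

    if (!eph.ValidateSignature(signingCert))
    {
        return false;
    }

    // NOTE(review): unlike the X509Certificate overload, nothing here ties eph.ClientCertificate to the
    // transport certificate of this stream — confirm whether CtpNetStream exposes one that should be compared.
    if (!account.IsIPAllowed(stream.RemoteEndpoint.Address))
    {
        return false;
    }

    GrantPermissions(stream, account, eph.LoginName, eph.GrantedRoles, eph.DeniedRoles);
    return true;
}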
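/// <summary>
/// Builds the proof this server presents to peers: an ephemeral certificate for <c>m_config.SPN</c>,
/// signed by <c>m_signingCertificate</c> and carrying that certificate's raw data.
/// </summary>
/// <returns>A new <see cref="CertificateProof"/> whose validity window starts five minutes before now and ends fifteen minutes after now (UTC).</returns>
public CertificateProof GetCertificateProof()
{
    // Take one timestamp so both window bounds derive from the same instant instead of two
    // separate clock reads. The five-minute backdate is presumably a clock-skew allowance
    // for the verifying side — confirm against the consumers of ValidFrom.
    var now = DateTime.UtcNow;
    var ephemeral = EphemeralCertificate.SignServerCertificate(
        m_signingCertificate,
        m_config.SPN,
        now.AddMinutes(-5),
        now.AddMinutes(15),
        m_signingCertificate.RawData);

    return new CertificateProof(ephemeral);
}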