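/// <summary>
/// Decides whether the ephemeral certificate carried in <paramref name="proof"/> may be trusted:
/// it must be inside its validity window, be bound to the certificate presented on the channel,
/// and carry a signature that verifies under a certificate present in the trusted list (<c>m_list</c>).
/// </summary>
/// <param name="channelCertificate">The certificate presented on the transport channel.</param>
/// <param name="proof">The proof whose <c>EphemeralCertificate</c> bytes are parsed and checked.</param>
/// <returns><c>true</c> only if every check passes; <c>false</c> on any failed check.</returns>
/// <exception cref="ArgumentNullException">Either argument is <c>null</c>.</exception>
public bool IsCertificateTrusted(X509Certificate channelCertificate, CertificateProof proof)
        {
            if (channelCertificate == null)
            {
                throw new ArgumentNullException(nameof(channelCertificate));
            }
            if (proof == null)
            {
                throw new ArgumentNullException(nameof(proof));
            }

            // NOTE(review): proof.EphemeralCertificate is peer-supplied; what this constructor throws
            // on malformed input is not visible here, so callers are assumed to handle it.
            var cert = new EphemeralCertificate(proof.EphemeralCertificate);

            // Evaluate both bounds of the validity window against a single clock reading.
            var now = DateTime.UtcNow;
            if (now < cert.ValidFrom || cert.ValidTo < now)
            {
                return(false);
            }

            // The ephemeral certificate must be bound to the certificate actually presented on this
            // channel; otherwise a proof captured elsewhere could be presented on another connection.
            if (!channelCertificate.GetRawCertData().SequenceEqual(cert.ClientCertificate))
            {
                return(false);
            }

            lock (m_syncRoot)
            {
                var thumbprint = HexToString(cert.TrustedCertThumbprint);
                if (!m_list.TryGetValue(thumbprint, out var data))
                {
                    // Unknown signer: refresh the trusted list at most once per minute and look once more.
                    // A single bounded retry replaces the original goto, so this cannot spin if a
                    // refresh does not reset m_lastCertRefresh.
                    if (m_lastCertRefresh.ElapsedSeconds() <= 60)
                    {
                        return(false);
                    }

                    RebuildCerts();
                    if (!m_list.TryGetValue(thumbprint, out data))
                    {
                        return(false);
                    }
                }

                // X509Certificate2 owns a native handle; release it as soon as the signature check is done.
                using (var signingCert = new X509Certificate2(data))
                {
                    return(cert.ValidateSignature(signingCert));
                }
            }
        }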
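        /// <summary>
        /// Authenticates a peer from the ephemeral certificate in <paramref name="proof"/>: the certificate
        /// must be inside its validity window, be signed by a known trusted certificate, and the associated
        /// account must allow the stream's remote address. On success the account's permissions are granted
        /// to <paramref name="stream"/> as a side effect.
        /// </summary>
        /// <param name="stream">The connection being authenticated; its remote address is checked against the account.</param>
        /// <param name="proof">The proof whose <c>EphemeralCertificate</c> bytes are parsed and checked.</param>
        /// <returns><c>true</c> if the peer was authenticated and permissions were granted; <c>false</c> otherwise.</returns>
        /// <exception cref="ArgumentNullException">Either argument is <c>null</c>.</exception>
        public bool IsCertificateTrusted(CtpNetStream stream, CertificateProof proof)
        {
            if (stream == null)
            {
                throw new ArgumentNullException(nameof(stream));
            }
            if (proof == null)
            {
                throw new ArgumentNullException(nameof(proof));
            }

            var eph = new EphemeralCertificate(proof.EphemeralCertificate);

            // Ephemeral certificates are issued with a short validity window; reject an expired or
            // not-yet-valid one before any signer lookup. Both bounds use one clock reading.
            var now = DateTime.UtcNow;
            if (now < eph.ValidFrom || eph.ValidTo < now)
            {
                return(false);
            }

            // Resolve the signer from the thumbprint the certificate claims; an unknown signer is untrusted.
            if (!TryFindCertificate(HexToString(eph.TrustedCertThumbprint), out var signingCert, out var account))
            {
                return(false);
            }

            // The claimed signer must actually have signed this certificate.
            if (!eph.ValidateSignature(signingCert))
            {
                return(false);
            }

            // Account-level network restriction, checked only after the signature has been verified.
            if (!account.IsIPAllowed(stream.RemoteEndpoint.Address))
            {
                return(false);
            }

            GrantPermissions(stream, account, eph.LoginName, eph.GrantedRoles, eph.DeniedRoles);

            return(true);
        }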
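 /// <summary>
 /// Builds the proof this server presents to peers: an ephemeral certificate for <c>m_config.SPN</c>,
 /// signed by <c>m_signingCertificate</c> and carrying that certificate's raw bytes, valid from five
 /// minutes in the past (presumably to tolerate clock skew) until fifteen minutes in the future.
 /// </summary>
 /// <returns>A new <see cref="CertificateProof"/> wrapping the freshly signed ephemeral certificate.</returns>
 public CertificateProof GetCertificateProof()
 {
     // Take a single clock reading so the window is exactly 20 minutes wide rather than
     // being derived from two slightly different instants.
     var now = DateTime.UtcNow;
     return(new CertificateProof(EphemeralCertificate.SignServerCertificate(m_signingCertificate, m_config.SPN,
                                                                            now.AddMinutes(-5), now.AddMinutes(15), m_signingCertificate.RawData)));
 }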