internal static MonoSslStream CreateSslStream (
Stream innerStream, bool leaveInnerStreamOpen,
ICertificateValidator certificateValidator,
MonoTlsSettings settings = null)
{
var stream = new MonoNewTlsStream (innerStream, leaveInnerStreamOpen, certificateValidator, settings);
return new MonoSslStreamImpl (stream);
}
internal static void AddCertificateValidator (MSI.MonoTlsSettings settings, ICertificateValidator validator)
{
if (validator == null)
return;
settings.RemoteCertificateValidationCallback = (s, c, ch, e) => {
return ((CertificateValidator)validator).ValidationCallback (s, c, ch, (SslPolicyErrors)e);
};
}
internal static MSI.ICertificateValidator GetCertificateValidator (ICertificateValidator validator)
{
if (validator == null)
return null;
var settings = new MSI.MonoTlsSettings ();
settings.ServerCertificateValidationCallback = (s, c, ch, e) => {
return ((CertificateValidator)validator).ValidationCallback (s, c, ch, (SslPolicyErrors)e);
};
return MSI.CertificateValidationHelper.CreateDefaultValidator (settings);
}
public static MonoNewTlsStream CreateClient (
Stream innerStream, bool leaveOpen, ICertificateValidator certificateValidator, TlsSettings settings,
string targetHost, PSSCX.X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation)
{
var stream = new MonoNewTlsStream (innerStream, leaveOpen, certificateValidator, settings);
try {
stream.AuthenticateAsClient (targetHost, clientCertificates, enabledSslProtocols, checkCertificateRevocation);
} catch (Exception ex) {
var tlsEx = stream.LastError;
if (tlsEx != null)
throw new AggregateException (ex, tlsEx);
throw;
}
return stream;
}
public CertificateProvider(
LetsEncryptOptions options,
ICertificateValidator certificateValidator,
IPersistenceService persistenceService,
ILetsEncryptClientFactory clientFactory,
ILogger <CertificateProvider> logger)
{
var domains = options.Domains?.Distinct().ToArray();
if (domains == null || domains.Length == 0)
{
throw new ArgumentException("Domains configuration invalid");
}
_domains = domains;
_persistenceService = persistenceService;
_clientFactory = clientFactory;
_certificateValidator = certificateValidator;
_logger = logger;
}
public WsFedCachingSecurityTokenProvider(string metadataEndpoint, ICertificateValidator backchannelCertificateValidator,
TimeSpan backchannelTimeout, HttpMessageHandler backchannelHttpHandler)
{
_metadataEndpoint = metadataEndpoint;
_backchannelTimeout = backchannelTimeout;
_backchannelHttpHandler = backchannelHttpHandler ?? new WebRequestHandler();
if (backchannelCertificateValidator != null)
{
// Set the cert validate callback
var webRequestHandler = _backchannelHttpHandler as WebRequestHandler;
if (webRequestHandler == null)
{
throw new InvalidOperationException(Properties.Resources.Exception_ValidatorHandlerMismatch);
}
webRequestHandler.ServerCertificateValidationCallback = backchannelCertificateValidator.Validate;
}
RetrieveMetadata();
}
private static HttpMessageHandler ResolveHttpMessageHandler(TwitterAuthenticationOptions options)
{
HttpMessageHandler handler = options.BackchannelHttpHandler ?? new WebRequestHandler();
WebRequestHandler handler2 = handler as WebRequestHandler;
if (handler2 == null)
{
if (options.BackchannelCertificateValidator != null)
{
throw new InvalidOperationException("Microsoft.Owin.Resources.Exception_ValidatorHandlerMismatch");
}
return(handler);
}
if (options.BackchannelCertificateValidator != null)
{
ICertificateValidator backchannelCertificateValidator = options.BackchannelCertificateValidator;
handler2.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(backchannelCertificateValidator.Validate);
}
return(handler);
}
public WsFedCachingSecurityKeyProvider(string metadataEndpoint, ICertificateValidator backchannelCertificateValidator,
TimeSpan backchannelTimeout, HttpMessageHandler backchannelHttpHandler)
{
_metadataEndpoint = metadataEndpoint;
_backchannelTimeout = backchannelTimeout;
_backchannelHttpHandler = backchannelHttpHandler ?? new WebRequestHandler();
if (backchannelCertificateValidator != null)
{
// Set the cert validate callback
var webRequestHandler = _backchannelHttpHandler as WebRequestHandler;
if (webRequestHandler == null)
{
throw new InvalidOperationException(Properties.Resources.Exception_ValidatorHandlerMismatch);
}
webRequestHandler.ServerCertificateValidationCallback = backchannelCertificateValidator.Validate;
}
RetrieveMetadata();
}
public DiscoveryCachingSecurityTokenProvider(string discoveryEndpoint, ICertificateValidator backchannelCertificateValidator, HttpMessageHandler backchannelHttpHandler)
{
_discoveryEndpoint = discoveryEndpoint;
_backchannelHttpHandler = backchannelHttpHandler ?? new WebRequestHandler();
if (backchannelCertificateValidator != null)
{
// Set the cert validate callback
var webRequestHandler = _backchannelHttpHandler as WebRequestHandler;
if (webRequestHandler == null)
{
throw new InvalidOperationException("Invalid certificate validator");
}
webRequestHandler.ServerCertificateValidationCallback = backchannelCertificateValidator.Validate;
}
_configurationManager = new ConfigurationManager <OpenIdConnectConfiguration>(_discoveryEndpoint, new HttpClient(_backchannelHttpHandler));
RetrieveMetadata();
}
/// <summary>
/// Create the transport listener for the service host endpoint.
/// </summary>
/// <param name="endpointUri">The endpoint Uri.</param>
/// <param name="endpoints">The description of the endpoints.</param>
/// <param name="endpointConfiguration">The configuration of the endpoints.</param>
/// <param name="listener">The transport listener.</param>
/// <param name="certificateValidator">The certificate validator for the transport.</param>
public virtual void CreateServiceHostEndpoint(
Uri endpointUri,
EndpointDescriptionCollection endpoints,
EndpointConfiguration endpointConfiguration,
ITransportListener listener,
ICertificateValidator certificateValidator
)
{
// create the stack listener.
try
{
TransportListenerSettings settings = new TransportListenerSettings();
settings.Descriptions = endpoints;
settings.Configuration = endpointConfiguration;
settings.ServerCertificate = InstanceCertificate;
settings.CertificateValidator = certificateValidator;
settings.NamespaceUris = MessageContext.NamespaceUris;
settings.Factory = MessageContext.Factory;
listener.Open(
endpointUri,
settings,
GetEndpointInstance(this));
TransportListeners.Add(listener);
listener.ConnectionStatusChanged += OnConnectionStatusChanged;
}
catch (Exception e)
{
string message = $"Could not load {endpointUri.Scheme} Stack Listener.";
if (e.InnerException != null)
{
message += (" " + e.InnerException.Message);
}
Utils.Trace(e, message);
throw;
}
}
void CheckValidationResult(
ICertificateValidator validator, string targetHost, bool serverMode,
X509CertificateCollection certificates, bool wantsChain,
X509Chain chain, MonoBtlsX509StoreCtx storeCtx,
bool success, ref MonoSslPolicyErrors errors, ref int status11)
{
status11 = unchecked ((int)0);
if (success)
{
return;
}
errors = MonoSslPolicyErrors.RemoteCertificateChainErrors;
if (!wantsChain || storeCtx == null || chain == null)
{
status11 = unchecked ((int)0x800B010B);
return;
}
var error = storeCtx.GetError();
switch (error)
{
case Mono.Btls.MonoBtlsX509Error.OK:
errors = MonoSslPolicyErrors.None;
break;
case Mono.Btls.MonoBtlsX509Error.CRL_NOT_YET_VALID:
break;
case MonoBtlsX509Error.HOSTNAME_MISMATCH:
errors = MonoSslPolicyErrors.RemoteCertificateNameMismatch;
chain.Impl.AddStatus(X509ChainStatusFlags.UntrustedRoot);
status11 = unchecked ((int)0x800B010B);
break;
default:
chain.Impl.AddStatus(MapVerifyErrorToChainStatus(error));
status11 = unchecked ((int)0x800B010B);
break;
}
}
public MonoTlsSettings CloneWithValidator(ICertificateValidator validator)
{
if (cloned)
{
this.certificateValidator = validator;
return(this);
}
var copy = new MonoTlsSettings();
copy.ServerCertificateValidationCallback = ServerCertificateValidationCallback;
copy.ClientCertificateSelectionCallback = ClientCertificateSelectionCallback;
copy.checkCertName = checkCertName;
copy.checkCertRevocationStatus = checkCertRevocationStatus;
copy.UseServicePointManagerCallback = useServicePointManagerCallback;
copy.skipSystemValidators = skipSystemValidators;
copy.callbackNeedsChain = callbackNeedsChain;
copy.UserSettings = UserSettings;
copy.certificateValidator = validator;
copy.cloned = true;
return(copy);
}
public void Initialize()
{
var persistenceService = Substitute.For <IPersistenceService>();
var options = new LetsEncryptOptions
{
Domains = new[] { "test.com" },
Email = "*****@*****.**",
KeyAlgorithm = KeyAlgorithm.ES512,
UseStaging = true,
};
var certificateValidator = Substitute.For <ICertificateValidator>();
certificateValidator.IsCertificateValid(null).Returns(false);
certificateValidator.IsCertificateValid(RefEq(InvalidCert)).Returns(false);
certificateValidator.IsCertificateValid(RefEq(ValidCert)).Returns(true);
var client = Substitute.For <ILetsEncryptClient>();
var factory = Substitute.For <ILetsEncryptClientFactory>();
factory.GetClient().Returns(Task.FromResult(client));
var sut = new CertificateProvider(
options,
certificateValidator,
persistenceService,
factory,
NullLogger <CertificateProvider> .Instance);
PersistenceService = persistenceService;
CertificateValidator = certificateValidator;
LetsEncryptClientFactory = factory;
LetsEncryptClient = client;
Sut = sut;
}
public LegacySslStream(Stream innerStream, bool leaveInnerStreamOpen, MonoTlsSettings settings)
: base(innerStream, leaveInnerStreamOpen)
{
this.settings = settings;
this.certificateValidator = settings.CertificateValidator;
}
public TokenHandlerConfigurationProvider(IFederationPartyContextBuilder federationPartyContextBuilder, ICertificateValidator certificateValidator)
{
this._federationPartyContextBuilder = federationPartyContextBuilder;
this._certificateValidator = certificateValidator;
}
public FederationMetadataSerialiser(ICertificateValidator certificateValidator, ILogProvider logProvider)
{
this._certificateValidator = certificateValidator;
base.CertificateValidator = (X509CertificateValidator)certificateValidator;
this._logProvider = logProvider;
}
/// <summary>
/// Creates a new LightBuzz secure HTTPS handler with the specified parameters.
/// </summary>
/// <param name="validator">The certificate validator</param>
public LightBuzzHttpsHandler(ICertificateValidator validator) :
this(DefaultContentType, DefaultZumoApiVersion, DefaultEncoding, DefaultTimeout, validator)
{
}
public LegacySslStream(Stream innerStream, bool leaveInnerStreamOpen, MonoTlsProvider provider, MonoTlsSettings settings)
: base(innerStream, leaveInnerStreamOpen)
{
this.provider = provider;
certificateValidator = ChainValidationHelper.GetDefaultValidator(provider, settings);
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="config">An IWeemoConfig implementation; the props should have valid values</param>
/// <param name="certValidator">An ICertificateValidator implementation to use to validate the response certificate</param>
public RestSharpWeemoClient(IWeemoConfig config, ICertificateValidator certValidator)
{
this.config = config;
this.certValidator = certValidator;
}
internal MonoNewTlsStream (Stream innerStream, bool leaveOpen, ICertificateValidator certificateValidator, MonoTlsSettings settings)
: base (innerStream, leaveOpen, certificateValidator, EncryptionPolicy.RequireEncryption, settings)
{
}
public MonoTlsSettings CloneWithValidator (ICertificateValidator validator)
{
if (cloned) {
this.certificateValidator = validator;
return this;
}
var copy = new MonoTlsSettings ();
copy.RemoteCertificateValidationCallback = RemoteCertificateValidationCallback;
copy.ClientCertificateSelectionCallback = ClientCertificateSelectionCallback;
copy.checkCertName = checkCertName;
copy.checkCertRevocationStatus = checkCertRevocationStatus;
copy.UseServicePointManagerCallback = useServicePointManagerCallback;
copy.skipSystemValidators = skipSystemValidators;
copy.callbackNeedsChain = callbackNeedsChain;
copy.UserSettings = UserSettings;
copy.certificateValidator = validator;
copy.EnabledProtocols = EnabledProtocols;
copy.TrustAnchors = TrustAnchors;
copy.cloned = true;
return copy;
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="config">An IWeemoConfig implementation; the props should have valid values</param>
/// <param name="certValidator">An ICertificateValidator implementation to use to validate the response certificate</param>
public HttpWebRequestWeemoClient(IWeemoConfig config, ICertificateValidator certValidator)
{
this.config = config;
this.certValidator = certValidator;
}
public LookupClientBuilder CertificateValidator(ICertificateValidator certificateValidator)
{
this.validator = certificateValidator;
return(this);
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="config">An IWeemoConfig implementation; the props should have valid values</param>
/// <param name="certValidator">An ICertificateValidator implementation to use to validate the response certificate</param>
public RestSharpWeemoClient(IWeemoConfig config, ICertificateValidator certValidator)
{
this.config = config;
this.certValidator = certValidator;
}
public LegacySslStream (Stream innerStream, bool leaveInnerStreamOpen, MonoTlsSettings settings)
: base (innerStream, leaveInnerStreamOpen)
{
this.settings = settings;
this.certificateValidator = settings.CertificateValidator;
}
/// <summary>
/// Creates a new LightBuzz secure HTTPS handler with the specified parameters.
/// </summary>
/// <param name="contentType">The Content Type header type.</param>
/// <param name="zumoApiVersion">The ZUMO API version number.</param>
/// <param name="encoding">The encoding of the response message.</param>
/// <param name="requestTimeout">The request timeout value in milliseconds.</param>
/// <param name="validator">The certificate validator</param>
public LightBuzzHttpsHandler(string contentType, string zumoApiVersion, Encoding encoding, int requestTimeout, ICertificateValidator validator)
{
AutomaticDecompression = DecompressionMethods.Deflate;
ContentType = contentType;
ZumoApiVersion = zumoApiVersion;
Encoding = encoding;
RequestTimeout = requestTimeout;
Validator = validator;
}
public LegacySslStream (Stream innerStream, bool leaveInnerStreamOpen, MonoTlsProvider provider, MonoTlsSettings settings)
: base (innerStream, leaveInnerStreamOpen)
{
this.provider = provider;
this.settings = settings;
this.certificateValidator = ChainValidationHelper.GetDefaultValidator (provider, settings);
}
public FederationMetadataSerialiser(ICertificateValidator certificateValidator)
{
base.CertificateValidator = (X509CertificateValidator)certificateValidator;
base.CertificateValidationMode = certificateValidator.X509CertificateValidationMode;
}
void CheckValidationResult (
ICertificateValidator validator, string targetHost, bool serverMode,
X509CertificateCollection certificates, bool wantsChain,
X509Chain chain, MonoBtlsX509StoreCtx storeCtx,
bool success, ref MonoSslPolicyErrors errors, ref int status11)
{
if (!success) {
errors = MonoSslPolicyErrors.RemoteCertificateChainErrors;
status11 = unchecked((int)0x800B010B);
}
}
private async Task <ModuleClient> CreateInternalClientFromEnvironmentAsync()
{
IDictionary envVariables = Environment.GetEnvironmentVariables();
string connectionString = GetValueFromEnvironment(envVariables, EdgehubConnectionstringVariableName) ?? GetValueFromEnvironment(envVariables, IothubConnectionstringVariableName);
// First try to create from connection string and if env variable for connection string is not found try to create from edgedUri
if (!string.IsNullOrWhiteSpace(connectionString))
{
string certPath = Environment.GetEnvironmentVariable(EdgeCaCertificateFileVariableName);
ICertificateValidator certificateValidator = NullCertificateValidator.Instance;
if (!string.IsNullOrWhiteSpace(certPath))
{
Debug.WriteLine("EdgeModuleClientFactory setupTrustBundle from file");
var expectedRoot = new X509Certificate2(certPath);
certificateValidator = GetCertificateValidator(new List <X509Certificate2>()
{
expectedRoot
});
}
return(new ModuleClient(CreateInternalClientFromConnectionString(connectionString, _options), certificateValidator));
}
else
{
string edgedUri = GetValueFromEnvironment(envVariables, IotEdgedUriVariableName) ?? throw new InvalidOperationException($"Environment variable {IotEdgedUriVariableName} is required.");
string deviceId = GetValueFromEnvironment(envVariables, DeviceIdVariableName) ?? throw new InvalidOperationException($"Environment variable {DeviceIdVariableName} is required.");
string moduleId = GetValueFromEnvironment(envVariables, ModuleIdVariableName) ?? throw new InvalidOperationException($"Environment variable {ModuleIdVariableName} is required.");
string hostname = GetValueFromEnvironment(envVariables, IotHubHostnameVariableName) ?? throw new InvalidOperationException($"Environment variable {IotHubHostnameVariableName} is required.");
string authScheme = GetValueFromEnvironment(envVariables, AuthSchemeVariableName) ?? throw new InvalidOperationException($"Environment variable {AuthSchemeVariableName} is required.");
string generationId = GetValueFromEnvironment(envVariables, ModuleGenerationIdVariableName) ?? throw new InvalidOperationException($"Environment variable {ModuleGenerationIdVariableName} is required.");
string gateway = GetValueFromEnvironment(envVariables, GatewayHostnameVariableName);
if (!string.Equals(authScheme, SasTokenAuthScheme, StringComparison.OrdinalIgnoreCase))
{
throw new InvalidOperationException($"Unsupported authentication scheme. Supported scheme is {SasTokenAuthScheme}.");
}
ISignatureProvider signatureProvider = new HttpHsmSignatureProvider(edgedUri, DefaultApiVersion);
TimeSpan sasTokenTimeToLive = _options?.SasTokenTimeToLive ?? default;
int sasTokenRenewalBuffer = _options?.SasTokenRenewalBuffer ?? default;
#pragma warning disable CA2000 // Dispose objects before losing scope - IDisposable ModuleAuthenticationWithHsm is disposed when the client is disposed.
// Since the sdk creates the instance of disposable ModuleAuthenticationWithHsm, the sdk needs to dispose it once the client is disposed.
var authMethod = new ModuleAuthenticationWithHsm(signatureProvider, deviceId, moduleId, generationId, sasTokenTimeToLive, sasTokenRenewalBuffer, disposeWithClient: true);
#pragma warning restore CA2000 // Dispose objects before losing scope - IDisposable ModuleAuthenticationWithHsm is disposed when the client is disposed.
Debug.WriteLine("EdgeModuleClientFactory setupTrustBundle from service");
ICertificateValidator certificateValidator = NullCertificateValidator.Instance;
if (!string.IsNullOrEmpty(gateway))
{
IList <X509Certificate2> certs = await _trustBundleProvider.GetTrustBundleAsync(new Uri(edgedUri), DefaultApiVersion).ConfigureAwait(false);
certificateValidator = GetCertificateValidator(certs);
}
return(new ModuleClient(CreateInternalClientFromAuthenticationMethod(hostname, gateway, authMethod, _options), certificateValidator));
}
}
public MonoTlsSettings CloneWithValidator (ICertificateValidator validator)
{
if (cloned) {
this.certificateValidator = validator;
return this;
}
var copy = new MonoTlsSettings (this);
copy.certificateValidator = validator;
return copy;
}
public KestrelCertificateSelector(string named, ICertificateValidator certificateValidator)
{
_certificateValidator = certificateValidator ?? throw new ArgumentNullException(nameof(certificateValidator));
_named = named;
}
public CertificateAuthenticationHandler(ICertificatePrincipalFactory certificatePrincipalFactory, ICertificateValidator certificateValidator, ILoggerFactory loggerFactory, IOptionsMonitor <CertificateAuthenticationOptions> options, ISystemClock systemClock, UrlEncoder urlEncoder) : base(options, loggerFactory, urlEncoder, systemClock)
{
this.CertificatePrincipalFactory = certificatePrincipalFactory ?? throw new ArgumentNullException(nameof(certificatePrincipalFactory));
this.CertificateValidator = certificateValidator ?? throw new ArgumentNullException(nameof(certificateValidator));
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="config">An IWeemoConfig implementation; the props should have valid values</param>
/// <param name="certValidator">An ICertificateValidator implementation to use to validate the response certificate</param>
public HttpWebRequestWeemoClient(IWeemoConfig config, ICertificateValidator certValidator)
{
this.config = config;
this.certValidator = certValidator;
}
/*
* If @serverMode is true, then we're a server and want to validate a certificate
* that we received from a client.
*
* Returns `true` if certificate validation has been performed and `false` to invoke the
* default system validator.
*/
public virtual bool InvokeSystemCertificateValidator (
ICertificateValidator validator, string targetHost, bool serverMode,
X509CertificateCollection certificates, out bool success,
ref MonoSslPolicyErrors errors, ref int status11)
{
success = false;
return false;
}
public LegacySslStream(Stream innerStream, bool leaveInnerStreamOpen, MonoTlsSettings settings)
: base(innerStream, leaveInnerStreamOpen)
{
this.settings = settings;
this.certificateValidator = ChainValidationHelper.GetDefaultValidator(settings);
}
