public bool Verify(string hostname, ISSLSession session)
{
#pragma warning disable 0612
return(verifyServerCertificate(hostname, session) & verifyClientCiphers(hostname, session));
#pragma warning restore 0612
}
public bool Verify(string hostname, ISSLSession session)
{
if (hostname.Equals("10.0.2.2"))
{
return(true);
}
return(false);
}
/// <summary>
/// Verifies the server certificate by calling into ServicePointManager.ServerCertificateValidationCallback or,
/// if the is no delegate attached to it by using the default hostname verifier.
/// </summary>
/// <returns><c>true</c>, if server certificate was verifyed, <c>false</c> otherwise.</returns>
/// <param name="hostname"></param>
/// <param name="session"></param>
static bool verifyServerCertificate(string hostname, ISSLSession session)
{
var defaultVerifier = HttpsURLConnection.DefaultHostnameVerifier;
if (ServicePointManager.ServerCertificateValidationCallback == null)
{
return(defaultVerifier.Verify(hostname, session));
}
// Convert java certificates to .NET certificates and build cert chain from root certificate
var certificates = session.GetPeerCertificateChain();
var chain = new X509Chain();
X509Certificate2 root = null;
var errors = System.Net.Security.SslPolicyErrors.None;
// Build certificate chain and check for errors
if (certificates == null || certificates.Length == 0)
{
//no cert at all
errors = System.Net.Security.SslPolicyErrors.RemoteCertificateNotAvailable;
goto bail;
}
if (certificates.Length == 1)
{
//no root?
errors = System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors;
goto bail;
}
var netCerts = certificates.Select(x => new X509Certificate2(x.GetEncoded())).ToArray();
for (int i = 1; i < netCerts.Length; i++)
{
chain.ChainPolicy.ExtraStore.Add(netCerts[i]);
}
root = netCerts[0];
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 1, 0);
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
if (!chain.Build(root))
{
errors = System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors;
goto bail;
}
var subject = root.Subject;
var subjectCn = cnRegex.Match(subject).Groups[1].Value;
if (String.IsNullOrWhiteSpace(subjectCn) || !Utility.MatchHostnameToPattern(hostname, subjectCn))
{
errors = System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch;
goto bail;
}
bail:
// Call the delegate to validate
return(ServicePointManager.ServerCertificateValidationCallback(hostname, root, chain, errors));
}
/// <summary>
/// Verifies client ciphers and is only available in Mono and Xamarin products.
/// </summary>
/// <returns><c>true</c>, if client ciphers was verifyed, <c>false</c> otherwise.</returns>
/// <param name="hostname"></param>
/// <param name="session"></param>
bool verifyClientCiphers(string hostname, ISSLSession session)
{
var callback = ServicePointManager.ClientCipherSuitesCallback;
if (callback == null)
{
return(true);
}
var protocol = session.Protocol.StartsWith("SSL", StringComparison.InvariantCulture) ? SecurityProtocolType.Ssl3 : SecurityProtocolType.Tls;
var acceptedCiphers = callback(protocol, new[] { session.CipherSuite });
return(acceptedCiphers.Contains(session.CipherSuite));
}
/// <summary>
/// Verifies client ciphers and is only available in Mono and Xamarin products.
/// </summary>
/// <returns><c>true</c>, if client ciphers was verifyed, <c>false</c> otherwise.</returns>
/// <param name="hostname"></param>
/// <param name="session"></param>
static bool verifyClientCiphers(string hostname, ISSLSession session)
{
//This API has been deprecated by Xamarin & Mono
return(true);
/*
* var callback = ServicePointManager.ClientCipherSuitesCallback;
* if (callback == null) return true;
*
* var protocol = session.Protocol.StartsWith("SSL", StringComparison.InvariantCulture) ? SecurityProtocolType.Ssl3 : SecurityProtocolType.Tls;
* var acceptedCiphers = callback(protocol, new[] { session.CipherSuite });
*
* return acceptedCiphers.Contains(session.CipherSuite);
*/
}
public bool Verify(string hostname, ISSLSession session)
{
var certChain = _certCleaner.Clean(session.GetPeerCertificates().OfType <X509Certificate>());
if (certChain.Any())
{
var dotNetCertChain = certChain.Select(c => c.ToDotNetX509Certificate()).ToArray();
var ctValueTask = _verifier.IsValidAsync(hostname, dotNetCertChain, default);
var ctResult = ctValueTask.IsCompleted
? ctValueTask.Result
: ctValueTask.AsTask().Result;
var customResult = _verifyResultFunc?.Invoke(hostname, dotNetCertChain, ctResult);
return(customResult ?? ctResult.IsValid);
}
return(false);
}
/// <summary>
/// Verifies the server certificate by calling into ServicePointManager.ServerCertificateValidationCallback or,
/// if the is no delegate attached to it by using the default hostname verifier.
/// </summary>
/// <returns><c>true</c>, if server certificate was verifyed, <c>false</c> otherwise.</returns>
/// <param name="hostname"></param>
/// <param name="session"></param>
static bool verifyServerCertificate(string hostname, ISSLSession session)
{
var defaultVerifier = HttpsURLConnection.DefaultHostnameVerifier;
if (ServicePointManager.ServerCertificateValidationCallback == null)
{
return(defaultVerifier.Verify(hostname, session));
}
// Convert java certificates to .NET certificates and build cert chain from root certificate
var certificates = session.GetPeerCertificateChain();
var chain = new X509Chain();
var netCerts = certificates.Select(x => new X509Certificate2(x.GetEncoded())).ToArray();
for (int i = 1; i < netCerts.Length; i++)
{
chain.ChainPolicy.ExtraStore.Add(netCerts [i]);
}
X509Certificate2 root = netCerts [0];
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 1, 0);
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
chain.Build(root);
//If the callback returns true, then we want it to continue with the default validation. The call back is only responsible for
//certificate pinning. Nothing else.
//Unless, of course, you want to use a self-signed cert in which case the above comment is incorrect.
if (ServicePointManager.ServerCertificateValidationCallback(hostname, root, chain, System.Net.Security.SslPolicyErrors.None))
{
return(true);
}
return(false);
}
public bool Verify(string hostname, ISSLSession session)
{
return(verifyServerCertificate(hostname, session) & verifyClientCiphers(hostname, session));
}
public bool Verify(string hostname, ISSLSession session)
{
return(true);
}
/// <summary>
/// Verifies the server certificate by calling into ServicePointManager.ServerCertificateValidationCallback or,
/// if the is no delegate attached to it by using the default hostname verifier.
/// </summary>
/// <returns><c>true</c>, if server certificate was verifyed, <c>false</c> otherwise.</returns>
/// <param name="hostname"></param>
/// <param name="session"></param>
public bool Verify(string hostname, ISSLSession session)
{
var errors = SslPolicyErrors.None;
if (nativeHandler.TLSConfig.DangerousAcceptAnyServerCertificateValidator)
{
goto sslErrorVerify;
}
// Convert java certificates to .NET certificates and build cert chain from root certificate
var serverCertChain = session.GetPeerCertificateChain();
var netCerts = serverCertChain.Select(x => new X509Certificate2(x.GetEncoded())).ToList();
switch (nativeHandler.PinningMode)
{
case "CertificateOnly":
var chain = new X509Chain();
X509Certificate2 root = null;
// Build certificate chain and check for errors
if (serverCertChain == null || serverCertChain.Length == 0)
{ //no cert at all
errors = SslPolicyErrors.RemoteCertificateNotAvailable;
PinningFailureMessage = FailureMessages.NoCertAtAll;
goto sslErrorVerify;
}
if (serverCertChain.Length == 1)
{ //no root?
errors = SslPolicyErrors.RemoteCertificateChainErrors;
PinningFailureMessage = FailureMessages.NoRoot;
goto sslErrorVerify;
}
for (int i = 1; i < netCerts.Count; i++)
{
chain.ChainPolicy.ExtraStore.Add(netCerts[i]);
}
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 1, 0);
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
root = netCerts[0];
if (!chain.Build(root))
{
errors = SslPolicyErrors.RemoteCertificateChainErrors;
PinningFailureMessage = FailureMessages.ChainError;
goto sslErrorVerify;
}
var subject = root.Subject;
var subjectCn = cnRegex.Match(subject).Groups[1].Value;
if (string.IsNullOrWhiteSpace(subjectCn) || !Utility.MatchHostnameToPattern(hostname, subjectCn))
{
var subjectAn = root.ParseSubjectAlternativeName();
if (subjectAn.FirstOrDefault(s => Utility.MatchHostnameToPattern(hostname, s)) == null)
{
errors = SslPolicyErrors.RemoteCertificateNameMismatch;
PinningFailureMessage = FailureMessages.SubjectNameMismatch;
goto sslErrorVerify;
}
}
break;
case "PublicKeysOnly":
if (nativeHandler.CertificatePinner != null)
{
if (!nativeHandler.CertificatePinner.HasPins(hostname))
{
errors = SslPolicyErrors.RemoteCertificateNameMismatch;
PinningFailureMessage = FailureMessages.NoPinsProvided + " " + hostname;
}
// CertificatePinner.Check will be done by Square.OkHttp3.CertificatePinner
}
break;
}
sslErrorVerify:
return(errors == SslPolicyErrors.None);
}
/// <summary>
/// Verifies the server certificate by calling into ServicePointManager.ServerCertificateValidationCallback or,
/// if the is no delegate attached to it by using the default hostname verifier.
/// </summary>
/// <returns><c>true</c>, if server certificate was verifyed, <c>false</c> otherwise.</returns>
/// <param name="hostname"></param>
/// <param name="session"></param>
bool verifyServerCertificate(string hostname, ISSLSession session)
{
var defaultVerifier = HttpsURLConnection.DefaultHostnameVerifier;
if (ServicePointManager.ServerCertificateValidationCallback == null) return defaultVerifier.Verify(hostname, session);
// Convert java certificates to .NET certificates and build cert chain from root certificate
var certificates = session.GetPeerCertificateChain();
var chain = new System.Security.Cryptography.X509Certificates.X509Chain();
System.Security.Cryptography.X509Certificates.X509Certificate2 root = null;
var errors = System.Net.Security.SslPolicyErrors.None;
// Build certificate chain and check for errors
if (certificates == null || certificates.Length == 0) {//no cert at all
errors = System.Net.Security.SslPolicyErrors.RemoteCertificateNotAvailable;
goto bail;
}
if (certificates.Length == 1) {//no root?
errors = System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors;
goto bail;
}
var netCerts = certificates.Select(x => new System.Security.Cryptography.X509Certificates.X509Certificate2(x.GetEncoded())).ToArray();
for (int i = 1; i < netCerts.Length; i++) {
chain.ChainPolicy.ExtraStore.Add(netCerts[i]);
}
root = netCerts[0];
chain.ChainPolicy.RevocationFlag = System.Security.Cryptography.X509Certificates.X509RevocationFlag.EntireChain;
chain.ChainPolicy.RevocationMode = System.Security.Cryptography.X509Certificates.X509RevocationMode.NoCheck;
chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 1, 0);
chain.ChainPolicy.VerificationFlags =
System.Security.Cryptography.X509Certificates.X509VerificationFlags.AllowUnknownCertificateAuthority;
if (!chain.Build(root)) {
errors = System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors;
goto bail;
}
var subject = root.Subject;
var subjectCn = cnRegex.Match(subject).Groups[1].Value;
if (String.IsNullOrWhiteSpace(subjectCn) || !match(hostname, subjectCn)) {
errors = System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch;
goto bail;
}
bail:
// Call the delegate to validate
return ServicePointManager.ServerCertificateValidationCallback(this, root, chain, errors);
}
public bool Verify(string hostname, ISSLSession session)
{
// everything goes through
// all host names are valid
return(true);
}
public bool Verify(string hostname, ISSLSession session)
{
return verify(hostname, session);
}
public bool Verify(string hostname, ISSLSession session)
{
System.Diagnostics.Debug.WriteLine("HostnameVerifier.Verify returns true");
return(true);
}
/// <summary>
/// Verifies client ciphers and is only available in Mono and Xamarin products.
/// </summary>
/// <returns><c>true</c>, if client ciphers was verifyed, <c>false</c> otherwise.</returns>
/// <param name="hostname"></param>
/// <param name="session"></param>
static bool verifyClientCiphers(string hostname, ISSLSession session)
{
return(true);
}
/// <summary>
/// Verifies the server certificate by calling into ServicePointManager.ServerCertificateValidationCallback or,
/// if the is no delegate attached to it by using the default hostname verifier.
/// </summary>
/// <returns><c>true</c>, if server certificate was verifyed, <c>false</c> otherwise.</returns>
/// <param name="hostname"></param>
/// <param name="session"></param>
static bool verifyServerCertificate(string hostname, ISSLSession session)
{
var defaultVerifier = HttpsURLConnection.DefaultHostnameVerifier;
if (ServicePointManager.ServerCertificateValidationCallback == null) return defaultVerifier.Verify(hostname, session);
// Convert java certificates to .NET certificates and build cert chain from root certificate
var certificates = session.GetPeerCertificateChain();
var chain = new X509Chain();
var netCerts = certificates.Select(x => new X509Certificate2(x.GetEncoded())).ToArray();
for (int i = 1; i < netCerts.Length; i++) {
chain.ChainPolicy.ExtraStore.Add(netCerts[i]);
}
X509Certificate2 root = netCerts[0];
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 1, 0);
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
chain.Build(root);
//If the callback returns true, then we want it to continue with the default validation. The call back is only responsible for
//certificate pinning. Nothing else.
if (ServicePointManager.ServerCertificateValidationCallback(hostname, root, chain, System.Net.Security.SslPolicyErrors.None))
{
return defaultVerifier.Verify(hostname, session);
}
return false;
}
public bool Verify(string hostname, ISSLSession session)
{
return verifyServerCertificate(hostname, session) & verifyClientCiphers(hostname, session);
}
public bool Verify(string hostname, ISSLSession session)
{
return(verify(hostname, session));
}
/// <summary>
/// Verifies client ciphers and is only available in Mono and Xamarin products.
/// </summary>
/// <returns><c>true</c>, if client ciphers was verifyed, <c>false</c> otherwise.</returns>
/// <param name="hostname"></param>
/// <param name="session"></param>
bool verifyClientCiphers(string hostname, ISSLSession session)
{
var callback = ServicePointManager.ClientCipherSuitesCallback;
if (callback == null) return true;
var protocol = session.Protocol.StartsWith("SSL", StringComparison.InvariantCulture) ? SecurityProtocolType.Ssl3 : SecurityProtocolType.Tls;
var acceptedCiphers = callback(protocol, new[] { session.CipherSuite });
return acceptedCiphers.Contains(session.CipherSuite);
}
/// <summary>
/// Verifies the server certificate by calling into ServicePointManager.ServerCertificateValidationCallback or,
/// if the is no delegate attached to it by using the default hostname verifier.
/// </summary>
/// <returns><c>true</c>, if server certificate was verifyed, <c>false</c> otherwise.</returns>
/// <param name="hostname"></param>
/// <param name="session"></param>
public bool Verify(string hostname, ISSLSession session)
{
var errors = SslPolicyErrors.None;
// Convert java certificates to .NET certificates and build cert chain from root certificate
/*var serverCertChain = session.GetPeerCertificateChain();
* var chain = new X509Chain();
* X509Certificate2 root = null;
* var errors = SslPolicyErrors.None;
*
* // Build certificate chain and check for errors
* if (serverCertChain == null || serverCertChain.Length == 0)
* {//no cert at all
* errors = SslPolicyErrors.RemoteCertificateNotAvailable;
* PinningFailureMessage = FailureMessages.NoCertAtAll;
* goto sslErrorVerify;
* }
*
* if (serverCertChain.Length == 1)
* {//no root?
* errors = SslPolicyErrors.RemoteCertificateChainErrors;
* PinningFailureMessage = FailureMessages.NoRoot;
* goto sslErrorVerify;
* }
*
* var netCerts = serverCertChain.Select(x => new X509Certificate2(x.GetEncoded())).ToArray();
*
* for (int i = 1; i < netCerts.Length; i++)
* {
* chain.ChainPolicy.ExtraStore.Add(netCerts[i]);
* }
*
* root = netCerts[0];
*
* chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
* chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
* chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 1, 0);
* chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
*
* if (!chain.Build(root))
* {
* errors = SslPolicyErrors.RemoteCertificateChainErrors;
* PinningFailureMessage = FailureMessages.ChainError;
* goto sslErrorVerify;
* }
*
* var subject = root.Subject;
* var subjectCn = cnRegex.Match(subject).Groups[1].Value;
*
* if (string.IsNullOrWhiteSpace(subjectCn) || !Utility.MatchHostnameToPattern(hostname, subjectCn))
* {
* errors = SslPolicyErrors.RemoteCertificateNameMismatch;
* PinningFailureMessage = FailureMessages.SubjectNameMismatch;
* goto sslErrorVerify;
* }*/
if (Pins.FirstOrDefault((pin) => pin.Hostname == hostname) == null)
{
errors = SslPolicyErrors.RemoteCertificateNameMismatch;
PinningFailureMessage = FailureMessages.NoPinsProvided + " " + hostname;
}
//sslErrorVerify:
return(errors == SslPolicyErrors.None);
}
