private IList <X509Certificate> TrustedChain(
X509TrustManagerExtensions trustManagerExt,
HttpsURLConnection conn)
{
var serverCerts = conn.GetServerCertificates();
var untrustedCerts = serverCerts.Where(x => x is X509Certificate).Cast <X509Certificate>().ToArray();
var host = conn.URL.Host;
try
{
return(trustManagerExt.CheckServerTrusted(untrustedCerts,
"RSA", host));
}
catch (CertificateException e)
{
throw new SSLException(e);
}
}
private void ValidatePinning(
X509TrustManagerExtensions trustManagerExt,
HttpsURLConnection conn)
{
var host = conn.URL.Host;
if (host != ApiHost)
{
// no pinning against other hosts
return;
}
var trustedChain = TrustedChain(trustManagerExt, conn);
var leaf = trustedChain[0];
var thumbprint = GetThumbprintSha256(leaf);
if (!ExpectedFingerprint.Equals(thumbprint))
{
throw new SSLPeerUnverifiedException("Certificate chain not trusted.");
}
}
protected override SSLSocketFactory ConfigureCustomSSLSocketFactory(HttpsURLConnection connection)
{
var algorithm = TrustManagerFactory.DefaultAlgorithm;
var trustManagerFactory = TrustManagerFactory.GetInstance(algorithm);
trustManagerFactory.Init((KeyStore)null);
var trustManagers = trustManagerFactory.GetTrustManagers();
var context = SSLContext.GetInstance("TLS");
context.Init(null, trustManagers, null);
SSLContext.Default = context;
if (_trustManagerExt == null)
{
var x509TrustManager = trustManagers.FirstOrDefault(x => x is IX509TrustManager) as IX509TrustManager;
_trustManagerExt = new X509TrustManagerExtensions(x509TrustManager);
}
return(context.SocketFactory);
}
