/// <summary>Override to review certificate validation decisions.</summary>
protected bool RemoteCertificateValidation(object sender,
X509Certificate cert, X509Chain chain, int depth, VerifyResult result)
{
try {
_ch.Verify(OpenSslCertificateHandler.OpenSslX509ToMonoX509(cert),
default(ISender));
} catch {
return(false);
}
return(result == VerifyResult.X509_V_OK ||
result == VerifyResult.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT);
}
public void ValidityTest()
{
var osch = new OpenSslCertificateHandler();
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(512);
byte[] blob = rsa.ExportCspBlob(false);
RSACryptoServiceProvider rsa_pub = new RSACryptoServiceProvider();
rsa_pub.ImportCspBlob(blob);
string ID = "brunet:node:PXYSWDL5SZDHDDXJKZCLFENOP2KZDMBU";
CertificateMaker cm = new CertificateMaker("US", "UFL", "ACIS", "David Wolinsky",
"*****@*****.**", rsa_pub, ID);
Certificate cert_0 = cm.Sign(cm, rsa);
osch.AddSignedCertificate(cert_0.X509);
osch.AddCACertificate(cert_0.X509);
var ocert = OpenSslCertificateHandler.OpenSslX509ToMonoX509(osch.LocalCertificate);
Assert.AreEqual(cert_0.X509.RawData, ocert.RawData, "local check");
Assert.IsTrue(CertificateHandler.Verify(ocert, ID), "Valid");
}
/// <summary></summary>
public DtlsOverlord(RSACryptoServiceProvider private_key,
CertificateHandler ch, PType ptype) : base(private_key, ch)
{
_osch = ch as OpenSslCertificateHandler;
if (_osch == null)
{
throw new Exception("CertificateHandler is invalid type: " + ch.GetType());
}
_it = new IdentifierTable();
_sas_helper = new IdentifierTableAsDtlsAssociation(_it);
_rwl = new ReaderWriterLock();
_sender_to_sa = new Dictionary <ISender, DtlsAssociation>();
PType = ptype;
_ptype_mb = ptype.ToMemBlock();
_ctx = new SslContext(SslMethod.DTLSv1_method);
_ctx.SetCertificateStore(_osch.Store);
_ctx.SetVerify(VerifyMode.SSL_VERIFY_PEER |
VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
RemoteCertificateValidation);
_ctx.UsePrivateKey(AsymmetricKeyToOpenSslFormat(_private_key));
_ctx.UseCertificate(_osch.LocalCertificate);
_ctx.CheckPrivateKey();
_ctx.Options = SslOptions.SSL_OP_SINGLE_DH_USE;
var rng = new RNGCryptoServiceProvider();
byte[] sid = new byte[4];
rng.GetBytes(sid);
_ctx.SetSessionIdContext(sid);
_ctx.SetCookieGenerateCallback(GenerateCookie);
_ctx.SetCookieVerifyCallback(VerifyCookie);
_ctx.Options = SslOptions.SSL_OP_COOKIE_EXCHANGE;
UpdateCookie();
}
public DtlsOverlordClientServer(bool threaded, bool good_client,
bool good_server, double noisy)
{
var server_ch = new OpenSslCertificateHandler();
if (good_server)
{
server_ch.AddSignedCertificate(X509);
}
server_ch.AddCACertificate(X509);
Server = new DtlsOverlord(Rsa, server_ch, PType);
ServerIn = new MockDataHandler();
Server.Subscribe(ServerIn, null);
var client_ch = new OpenSslCertificateHandler();
if (good_client)
{
client_ch.AddCACertificate(X509);
}
client_ch.AddSignedCertificate(X509);
Client = new DtlsOverlord(Rsa, client_ch, PType);
ClientIn = new MockDataHandler();
Client.Subscribe(ClientIn, null);
if (threaded)
{
ToServer = new ThreadedMockSender(null, null, Server, 1, noisy);
ToClient = new ThreadedMockSender(ToServer, null, Client, 1, noisy);
}
else
{
ToServer = new MockSender(null, null, Server, 1, noisy);
ToClient = new MockSender(ToServer, null, Client, 1, noisy);
}
ToServer.ReturnPath = ToClient;
}
/// <summary>Creates an ApplicationNode and prepares it for connection to
/// the overlay. For historical reasons it is linked to _node, _dht,
/// _rpc_dht, and _bso.</summary>
public virtual ApplicationNode CreateNode(NodeConfig node_config) {
// Get a Node ID for the new Node
AHAddress address = null;
try {
address = (AHAddress) AddressParser.Parse(node_config.NodeAddress);
} catch {
address = Utils.GenerateAHAddress();
}
// Create the Node state
StructuredNode node = new StructuredNode(address, node_config.BrunetNamespace);
_shutdown.OnExit += node.Disconnect;
IEnumerable addresses = IPAddresses.GetIPAddresses(node_config.DevicesToBind);
SecurityOverlord so = null;
// Enable Security if requested
if(node_config.Security.Enabled) {
if(node_config.Security.SelfSignedCertificates) {
SecurityPolicy.SetDefaultSecurityPolicy(SecurityPolicy.DefaultEncryptor,
SecurityPolicy.DefaultAuthenticator, true);
}
byte[] blob = null;
using(FileStream fs = File.Open(node_config.Security.KeyPath, FileMode.Open)) {
blob = new byte[fs.Length];
fs.Read(blob, 0, blob.Length);
}
RSACryptoServiceProvider rsa_private = new RSACryptoServiceProvider();
rsa_private.ImportCspBlob(blob);
CertificateHandler ch = null;
if(node_config.Security.Dtls) {
ch = new OpenSslCertificateHandler(node_config.Security.CertificatePath,
address.ToString());
} else {
ch = new CertificateHandler(node_config.Security.CertificatePath,
address.ToString());
}
if(node_config.Security.SecureEdges) {
node.EdgeVerifyMethod = EdgeVerify.AddressInSubjectAltName;
}
// A hack to enable a test for security that doesn't require each peer
// to exchange certificates
if(node_config.Security.TestEnable) {
blob = rsa_private.ExportCspBlob(false);
RSACryptoServiceProvider rsa_pub = new RSACryptoServiceProvider();
rsa_pub.ImportCspBlob(blob);
CertificateMaker cm = new CertificateMaker("United States", "UFL",
"ACIS", "David Wolinsky", "*****@*****.**", rsa_pub,
"brunet:node:abcdefghijklmnopqrs");
Certificate cacert = cm.Sign(cm, rsa_private);
cm = new CertificateMaker("United States", "UFL",
"ACIS", "David Wolinsky", "*****@*****.**", rsa_pub,
address.ToString());
Certificate cert = cm.Sign(cacert, rsa_private);
ch.AddCACertificate(cacert.X509);
ch.AddSignedCertificate(cert.X509);
}
if(node_config.Security.Dtls) {
OpenSslCertificateHandler ssl_ch = ch as OpenSslCertificateHandler;
so = new DtlsOverlord(rsa_private, ssl_ch, new PType(20));
node.GetTypeSource(new PType(20)).Subscribe(so, null);
} else {
so = new SymphonySecurityOverlord(node, rsa_private, ch, node.Rrm);
node.GetTypeSource(PeerSecOverlord.Security).Subscribe(so, null);
}
so.Subscribe(node, null);
}
// Add Dht
new TableServer(node);
IDht dht = new Dht(node, 3, 20);
RpcDhtProxy dht_proxy = new RpcDhtProxy(dht, node);
// Setup Vivaldi if requested
IRelayOverlap ito = null;
NCService ncservice = null;
if(node_config.NCService.Enabled) {
ncservice = new NCService(node, node_config.NCService.Checkpoint);
if (node_config.NCService.OptimizeShortcuts) {
node.Ssco.TargetSelector = new VivaldiTargetSelector(node, ncservice);
}
ito = new NCRelayOverlap(ncservice);
} else {
ito = new SimpleRelayOverlap();
}
// Create the ApplicationNode
ApplicationNode app_node = new ApplicationNode(node, dht, dht_proxy, ncservice, so);
// Add Edge listeners
EdgeListener el = null;
foreach(NodeConfig.EdgeListener item in node_config.EdgeListeners) {
el = CreateEdgeListener(item, app_node, addresses);
if(node_config.Security.SecureEdgesEnabled) {
el = new SecureEdgeListener(el, so);
}
node.AddEdgeListener(el);
}
// Create the tunnel and potentially wrap it in a SecureEL
el = new Relay.RelayEdgeListener(node, ito);
if(node_config.Security.SecureEdgesEnabled) {
el = new SecureEdgeListener(el, so);
}
node.AddEdgeListener(el);
List<TransportAddress> RemoteTAs = null;
if(node_config.RemoteTAs != null) {
RemoteTAs = new List<TransportAddress>();
foreach(String ta in node_config.RemoteTAs) {
RemoteTAs.Add(TransportAddressFactory.CreateInstance(ta));
}
node.RemoteTAs = RemoteTAs;
}
// Add XmlRpc
if(node_config.XmlRpcManager.Enabled) {
if(_xrm == null) {
_xrm = new XmlRpcManagerServer(node_config.XmlRpcManager.Port);
}
_xrm.Add(node, GetXmlRpcUri(app_node));
new RpcDht(dht, node);
}
if(node_config.PrivateNodeConfig != null &&
node_config.PrivateNodeConfig.Enabled)
{
CreatePrivateNode(app_node, NodeConfig.GetPrivateNodeConfig(node_config));
}
return app_node;
}
protected virtual StructuredNode PrepareNode(int id, AHAddress address)
{
if(TakenIDs.ContainsKey(id)) {
throw new Exception("ID already taken");
}
StructuredNode node = new StructuredNode(address, BrunetNamespace);
NodeMapping nm = new NodeMapping();
nm.ID = id;
TakenIDs[id] = nm;
nm.Node = node;
Nodes.Add((Address) address, nm);
EdgeListener el = CreateEdgeListener(nm.ID);
if(_secure_edges || _secure_senders) {
byte[] blob = _se_key.ExportCspBlob(true);
RSACryptoServiceProvider rsa_copy = new RSACryptoServiceProvider();
rsa_copy.ImportCspBlob(blob);
string username = address.ToString().Replace('=', '0');
CertificateMaker cm = new CertificateMaker("United States", "UFL",
"ACIS", username, "*****@*****.**", rsa_copy,
address.ToString());
Certificate cert = cm.Sign(_ca_cert, _se_key);
CertificateHandler ch = null;
if(_dtls) {
ch = new OpenSslCertificateHandler();
} else {
ch = new CertificateHandler();
}
ch.AddCACertificate(_ca_cert.X509);
ch.AddSignedCertificate(cert.X509);
if(_dtls) {
nm.SO = new DtlsOverlord(rsa_copy, ch, PeerSecOverlord.Security);
} else {
nm.Sso = new SymphonySecurityOverlord(node, rsa_copy, ch, node.Rrm);
nm.SO = nm.Sso;
}
var brh = new BroadcastRevocationHandler(_ca_cert, nm.SO);
node.GetTypeSource(BroadcastRevocationHandler.PType).Subscribe(brh, null);
ch.AddCertificateVerification(brh);
nm.SO.Subscribe(node, null);
node.GetTypeSource(PeerSecOverlord.Security).Subscribe(nm.SO, null);
}
if(_pathing) {
nm.PathEM = new PathELManager(el, nm.Node);
nm.PathEM.Start();
el = nm.PathEM.CreatePath();
PType path_p = PType.Protocol.Pathing;
nm.Node.DemuxHandler.GetTypeSource(path_p).Subscribe(nm.PathEM, path_p);
}
if(_secure_edges) {
node.EdgeVerifyMethod = EdgeVerify.AddressInSubjectAltName;
el = new SecureEdgeListener(el, nm.SO);
}
node.AddEdgeListener(el);
if(!_start) {
node.RemoteTAs = GetRemoteTAs();
}
IRelayOverlap ito = null;
if(NCEnable) {
nm.NCService = new NCService(node, new Point());
// My evaluations show that when this is enabled the system sucks
// (node as StructuredNode).Sco.TargetSelector = new VivaldiTargetSelector(node, ncservice);
ito = new NCRelayOverlap(nm.NCService);
} else {
ito = new SimpleRelayOverlap();
}
if(_broken != 0) {
el = new Relay.RelayEdgeListener(node, ito);
if(_secure_edges) {
el = new SecureEdgeListener(el, nm.SO);
}
node.AddEdgeListener(el);
}
BroadcastHandler bhandler = new BroadcastHandler(node as StructuredNode);
node.DemuxHandler.GetTypeSource(BroadcastSender.PType).Subscribe(bhandler, null);
node.DemuxHandler.GetTypeSource(SimBroadcastPType).Subscribe(SimBroadcastHandler, null);
// Enables Dht data store
new TableServer(node);
nm.Dht = new Dht(node, 3, 20);
nm.DhtProxy = new RpcDhtProxy(nm.Dht, node);
return node;
}
public void ValidityTest() {
var osch = new OpenSslCertificateHandler();
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(512);
byte[] blob = rsa.ExportCspBlob(false);
RSACryptoServiceProvider rsa_pub = new RSACryptoServiceProvider();
rsa_pub.ImportCspBlob(blob);
string ID = "brunet:node:PXYSWDL5SZDHDDXJKZCLFENOP2KZDMBU";
CertificateMaker cm = new CertificateMaker("US", "UFL", "ACIS", "David Wolinsky",
"*****@*****.**", rsa_pub, ID);
Certificate cert_0 = cm.Sign(cm, rsa);
osch.AddSignedCertificate(cert_0.X509);
osch.AddCACertificate(cert_0.X509);
var ocert = OpenSslCertificateHandler.OpenSslX509ToMonoX509(osch.LocalCertificate);
Assert.AreEqual(cert_0.X509.RawData, ocert.RawData, "local check");
Assert.IsTrue(CertificateHandler.Verify(ocert, ID), "Valid");
}
