private unsafe void GetCredentials() { CredentialUse direction; CredentialFlags flags; if (_isServer) { direction = CredentialUse.Inbound; flags = CredentialFlags.UseStrongCrypto | CredentialFlags.SendAuxRecord; } else { direction = CredentialUse.Outbound; flags = CredentialFlags.ValidateManual | CredentialFlags.NoDefaultCred | CredentialFlags.SendAuxRecord | CredentialFlags.UseStrongCrypto; } var creds = new SecureCredential() { rootStore = IntPtr.Zero, phMappers = IntPtr.Zero, palgSupportedAlgs = IntPtr.Zero, cMappers = 0, cSupportedAlgs = 0, dwSessionLifespan = 0, reserved = 0, dwMinimumCipherStrength = 0, //this is required to force encryption dwMaximumCipherStrength = 0, version = SecureCredential.CurrentVersion, dwFlags = flags, certContextArray = IntPtr.Zero, cCreds = 0 }; IntPtr certPointer; if (_isServer) { creds.grbitEnabledProtocols = InteropSspi.ServerProtocolMask; certPointer = _serverCertificate.Handle; //pointer to the pointer IntPtr certPointerPointer = new IntPtr(&certPointer); creds.certContextArray = certPointerPointer; creds.cCreds = 1; } else { creds.grbitEnabledProtocols = InteropSspi.ClientProtocolMask; } long timestamp = 0; SecurityStatus code = (SecurityStatus)InteropSspi.AcquireCredentialsHandleW(null, SecurityPackage, (int)direction, null, ref creds, null, null, ref _credsHandle, out timestamp); if (code != 0) { throw new InvalidOperationException("Could not acquire the credentials"); } }
private void AcquireClientCredentials() { SecureCredential secureCredential = new SecureCredential(SecureCredential.CurrentVersion, this.ClientCertificate, SecureCredential.Flags.ValidateManual | SecureCredential.Flags.NoDefaultCred, this.protocolFlags); this.credentialsHandle = SspiWrapper.AcquireCredentialsHandle( SecurityPackage, CredentialUse.Outbound, secureCredential ); }
private void AcquireServerCredentials() { SecureCredential secureCredential = new SecureCredential(SecureCredential.CurrentVersion, this.serverCertificate, SecureCredential.Flags.Zero, this.protocolFlags); this.credentialsHandle = SspiWrapper.AcquireCredentialsHandle( SecurityPackage, CredentialUse.Inbound, secureCredential ); }
internal unsafe static extern int AcquireCredentialsHandleW( [In] string principal, [In] string moduleName, [In] int usage, [In] void *logonID, [In] ref SecureCredential authData, [In] void *keyCallback, [In] void *keyArgument, ref SSPIHandle handlePtr, [Out] out long timeStamp );
public SecureCredential(int version, X509Certificate certificate, SecureCredential.Flags flags, SchProtocols protocols, EncryptionPolicy policy) { // default values required for a struct rootStore = phMappers = palgSupportedAlgs = certContextArray = IntPtr.Zero; cCreds = cMappers = cSupportedAlgs = 0; if (policy == EncryptionPolicy.RequireEncryption) { // Prohibit null encryption cipher dwMinimumCipherStrength = 0; dwMaximumCipherStrength = 0; } else if (policy == EncryptionPolicy.AllowNoEncryption) { // Allow null encryption cipher in addition to other ciphers dwMinimumCipherStrength = -1; dwMaximumCipherStrength = 0; } else if (policy == EncryptionPolicy.NoEncryption) { // Suppress all encryption and require null encryption cipher only dwMinimumCipherStrength = -1; dwMaximumCipherStrength = -1; } else { throw new ArgumentException(SR.GetString(SR.net_invalid_enum, "EncryptionPolicy"), "policy"); } dwSessionLifespan = reserved = 0; this.version = version; dwFlags = flags; grbitEnabledProtocols = protocols; if (certificate != null) { certContextArray = certificate.Handle; cCreds = 1; } }
/// <summary> /// Releases the unmanaged resources used by the <see cref="T:System.ComponentModel.Component"></see> and optionally releases the managed resources. /// </summary> /// <param name="disposing">true to release both managed and unmanaged resources; false to release only unmanaged resources.</param> protected override void Dispose(bool disposing) { base.Dispose(disposing); if (this.credentials != null) { this.credentials.Dispose(); this.credentials = null; } }
/// <summary> /// Set all properties to it's default values. /// </summary> public override void Reset() { this.target = Application.ProductName ?? AppDomain.CurrentDomain.FriendlyName; this.credentials = null; this.caption = null;// target as caption; this.message = null; this.banner = null; this.saveChecked = false; this.flags = CredentialsDialogFlags.Default; }
SafeFreeCredentials AcquireCredentialsHandle(CredentialUse credUsage, ref SecureCredential secureCredential) { // First try without impersonation, if it fails, then try the process account. // I.E. We don't know which account the certificate context was created under. try { // // For v 1.1 compat We want to ensure the credential are accessed under >>process<< acount. // #if FEATURE_MONO_CAS using (WindowsIdentity.Impersonate(IntPtr.Zero)) #endif { return SSPIWrapper.AcquireCredentialsHandle(m_SecModule, SecurityPackage, credUsage, secureCredential); } } catch { return SSPIWrapper.AcquireCredentialsHandle(m_SecModule, SecurityPackage, credUsage, secureCredential); } }
private bool AcquireServerCredentials(ref byte[] thumbPrint) { GlobalLog.Enter("SecureChannel#" + ValidationHelper.HashString(this) + "::AcquireServerCredentials"); X509Certificate localCertificate = null; bool cachedCred = false; if (m_CertSelectionDelegate != null) { X509CertificateCollection tempCollection = new X509CertificateCollection(); tempCollection.Add(m_ServerCertificate); localCertificate = m_CertSelectionDelegate(string.Empty, tempCollection, null, new string[0]); GlobalLog.Print("SecureChannel#" + ValidationHelper.HashString(this) + "::AcquireServerCredentials() Use delegate selected Cert"); } else { localCertificate = m_ServerCertificate; } if (localCertificate == null) throw new NotSupportedException(SR.GetString(SR.net_ssl_io_no_server_cert)); // SECURITY: Accessing X509 cert Credential is disabled for semitrust // We no longer need to demand for unmanaged code permissions. // EnsurePrivateKey should do the right demand for us. X509Certificate2 selectedCert = EnsurePrivateKey(localCertificate); if (selectedCert == null) throw new NotSupportedException(SR.GetString(SR.net_ssl_io_no_server_cert)); GlobalLog.Assert(localCertificate.Equals(selectedCert), "AcquireServerCredentials()|'selectedCert' does not match 'localCertificate'."); // // Note selectedCert is a safe ref possibly cloned from the user passed Cert object // byte [] guessedThumbPrint = selectedCert.GetCertHash(); try { SafeFreeCredentials cachedCredentialHandle = SslSessionsCache.TryCachedCredential(guessedThumbPrint, m_ProtocolFlags, m_EncryptionPolicy); if (cachedCredentialHandle != null) { m_CredentialsHandle = cachedCredentialHandle; m_ServerCertificate = localCertificate; cachedCred = true; } else { SecureCredential.Flags flags = SecureCredential.Flags.Zero; if (!ServicePointManager.DisableSendAuxRecord) { flags |= SecureCredential.Flags.SendAuxRecord; } SecureCredential secureCredential = new SecureCredential(SecureCredential.CurrentVersion, selectedCert, flags, m_ProtocolFlags, m_EncryptionPolicy); m_CredentialsHandle = AcquireCredentialsHandle(CredentialUse.Inbound, ref secureCredential); thumbPrint = guessedThumbPrint; m_ServerCertificate = localCertificate; } } finally { // an extra cert could have been created, dispose it now if ((object)localCertificate != (object)selectedCert) selectedCert.Reset(); } GlobalLog.Leave("SecureChannel#" + ValidationHelper.HashString(this) + "::AcquireServerCredentials, cachedCreds = " + cachedCred.ToString(), ValidationHelper.ToString(m_CredentialsHandle)); return cachedCred; }
private bool AcquireClientCredentials(ref byte[] thumbPrint) { GlobalLog.Enter("SecureChannel#" + ValidationHelper.HashString(this) + "::AcquireClientCredentials"); // // Acquire possible Client Certificate information and set it on the handle // X509Certificate clientCertificate = null; // This is a candidate that can come from the user callback or be guessed when targeting a session restart ArrayList filteredCerts = new ArrayList(); // This is an intermediate client certs collection that try to use if no selectedCert is available yet. string[] issuers = null; // This is a list of issuers sent by the server, only valid is we do know what the server cert is. bool sessionRestartAttempt = false; // if true and no cached creds we will use anonymous creds. if (m_CertSelectionDelegate!=null) { if (issuers == null) issuers = GetIssuers(); GlobalLog.Print("SecureChannel#" + ValidationHelper.HashString(this) + "::AcquireClientCredentials() calling CertificateSelectionCallback"); X509Certificate2 remoteCert = null; try { X509Certificate2Collection dummyCollection; remoteCert = GetRemoteCertificate(out dummyCollection); clientCertificate = m_CertSelectionDelegate(m_HostName, ClientCertificates, remoteCert, issuers); } finally { if (remoteCert != null) remoteCert.Reset(); } if (clientCertificate != null) { if (m_CredentialsHandle == null) sessionRestartAttempt = true; filteredCerts.Add(clientCertificate); if (Logging.On) Logging.PrintInfo(Logging.Web, this, SR.GetString(SR.net_log_got_certificate_from_delegate)); } else { // If ClientCertificates.Count != 0, how come we don't try to go through them and add them to the filtered certs, just like when there is no delegate???? if (ClientCertificates.Count == 0) { if (Logging.On) Logging.PrintInfo(Logging.Web, this, SR.GetString(SR.net_log_no_delegate_and_have_no_client_cert)); sessionRestartAttempt = true; } else { if (Logging.On) Logging.PrintInfo(Logging.Web, this, SR.GetString(SR.net_log_no_delegate_but_have_client_cert)); } } } else if (m_CredentialsHandle == null && m_ClientCertificates != null && m_ClientCertificates.Count > 0) { // This is where we attempt to restart a session by picking the FIRST cert from the collection. // Otheriwse (next elses) it is either server sending a client cert request or the session is renegotiated. clientCertificate = ClientCertificates[0]; sessionRestartAttempt = true; if (clientCertificate!=null) filteredCerts.Add(clientCertificate); if (Logging.On) Logging.PrintInfo(Logging.Web, this, SR.GetString(SR.net_log_attempting_restart_using_cert, (clientCertificate == null ? "null" : clientCertificate.ToString(true)))); } else if (m_ClientCertificates!=null && m_ClientCertificates.Count > 0) { // // This should be a server request for the client cert sent over currently anonyumous sessions. // if (issuers == null) issuers = GetIssuers(); if (Logging.On) { if (issuers == null || issuers.Length == 0) Logging.PrintInfo(Logging.Web, this, SR.GetString(SR.net_log_no_issuers_try_all_certs)); else Logging.PrintInfo(Logging.Web, this, SR.GetString(SR.net_log_server_issuers_look_for_matching_certs, issuers.Length)); } for (int i = 0; i < m_ClientCertificates.Count; ++i) { // // make sure we add only if the cert matches one of the issuers // If no issuers were sent and then try all client certs starting with the first one. // if (issuers != null && issuers.Length != 0) { X509Certificate2 certificateEx = null; X509Chain chain = null; try { certificateEx = MakeEx(m_ClientCertificates[i]); if (certificateEx == null) continue; GlobalLog.Print("SecureChannel#" + ValidationHelper.HashString(this) + "::AcquireClientCredentials() root cert:" + certificateEx.Issuer); chain = new X509Chain(); chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreInvalidName; chain.Build(certificateEx); bool found = false; // // We ignore any errors happened with chain. // Consider: try to locate the "best" client cert that has no errors and the lognest validity internal // if (chain.ChainElements.Count > 0) { for (int ii=0; ii< chain.ChainElements.Count; ++ii) { string issuer = chain.ChainElements[ii].Certificate.Issuer; found = Array.IndexOf(issuers, issuer)!=-1; if (found) { GlobalLog.Print("SecureChannel#" + ValidationHelper.HashString(this) + "::AcquireClientCredentials() matched:" + issuer); break; } GlobalLog.Print("SecureChannel#" + ValidationHelper.HashString(this) + "::AcquireClientCredentials() no match:" + issuer); } } if (!found) { continue; } } finally { if (chain != null) chain.Reset(); if (certificateEx != null && (object)certificateEx != (object)m_ClientCertificates[i]) certificateEx.Reset(); } } if (Logging.On) Logging.PrintInfo(Logging.Web, this, SR.GetString(SR.net_log_selected_cert, m_ClientCertificates[i].ToString(true))); filteredCerts.Add(m_ClientCertificates[i]); } } bool cachedCred = false; // This is a return result from this method X509Certificate2 selectedCert = null; // This is a final selected cert (ensured that it does have private key with it) clientCertificate = null; if (Logging.On) { Logging.PrintInfo(Logging.Web, this, SR.GetString(SR.net_log_n_certs_after_filtering, filteredCerts.Count)); if (filteredCerts.Count != 0) Logging.PrintInfo(Logging.Web, this, SR.GetString(SR.net_log_finding_matching_certs)); } // // ATTN: When the client cert was returned by the user callback OR it was guessed AND it has no private key. // THEN anonymous (no client cert) credential will be used // // SECURITY: Accessing X509 cert Credential is disabled for semitrust // We no longer need to demand for unmanaged code permissions. // EnsurePrivateKey should do the right demand for us. for (int i=0; i < filteredCerts.Count; ++i) { clientCertificate = filteredCerts[i] as X509Certificate; if ((selectedCert = EnsurePrivateKey(clientCertificate)) != null) break; clientCertificate = null; selectedCert = null; } GlobalLog.Assert(((object) clientCertificate == (object) selectedCert) || clientCertificate.Equals(selectedCert), "AcquireClientCredentials()|'selectedCert' does not match 'clientCertificate'."); GlobalLog.Print("SecureChannel#" + ValidationHelper.HashString(this) + "::AcquireClientCredentials() Selected Cert = " + (selectedCert == null? "null": selectedCert.Subject)); try { // Try to locate cached creds first. // // SECURITY: selectedCert ref if not null is a safe object that does not depend on possible **user** inherited X509Certificate type. // byte[] guessedThumbPrint = selectedCert == null? null: selectedCert.GetCertHash(); SafeFreeCredentials cachedCredentialHandle = SslSessionsCache.TryCachedCredential(guessedThumbPrint, m_ProtocolFlags, m_EncryptionPolicy); // We can probably do some optimization here. If the selectedCert is returned by the delegate // we can always go ahead and use the certificate to create our credential // (Instead of going anonymous as we do here) if (sessionRestartAttempt && cachedCredentialHandle == null && selectedCert != null) { GlobalLog.Print("SecureChannel#" + ValidationHelper.HashString(this) + "::AcquireClientCredentials() Reset to anonymous session."); // (see VsWhidbey#363953) For some (probably good) reason IIS does not renegotiate a restarted session if client cert is needed. // So we don't want to reuse **anonymous** cached credential for a new SSL connection if the client has passed some certificate. // The following block happens if client did specify a certificate but no cached creds were found in the cache // Since we don't restart a session the server side can still challenge for a client cert. if ((object)clientCertificate != (object)selectedCert) selectedCert.Reset(); guessedThumbPrint = null; selectedCert = null; clientCertificate = null; } if (cachedCredentialHandle != null) { if (Logging.On) Logging.PrintInfo(Logging.Web, SR.GetString(SR.net_log_using_cached_credential)); m_CredentialsHandle = cachedCredentialHandle; m_SelectedClientCertificate = clientCertificate; cachedCred = true; } else { SecureCredential.Flags flags = SecureCredential.Flags.ValidateManual | SecureCredential.Flags.NoDefaultCred; if (!ServicePointManager.DisableSendAuxRecord) { flags |= SecureCredential.Flags.SendAuxRecord; } if (!ServicePointManager.DisableStrongCrypto && ((m_ProtocolFlags & (SchProtocols.Tls10 | SchProtocols.Tls11 | SchProtocols.Tls12)) != 0) && (m_EncryptionPolicy != EncryptionPolicy.AllowNoEncryption) && (m_EncryptionPolicy != EncryptionPolicy.NoEncryption)) { flags |= SecureCredential.Flags.UseStrongCrypto; } SecureCredential secureCredential = new SecureCredential(SecureCredential.CurrentVersion, selectedCert, flags, m_ProtocolFlags, m_EncryptionPolicy); m_CredentialsHandle = AcquireCredentialsHandle(CredentialUse.Outbound, ref secureCredential); thumbPrint = guessedThumbPrint; //delay it until here in case something above threw m_SelectedClientCertificate = clientCertificate; } } finally { // an extra cert could have been created, dispose it now if (selectedCert != null && (object)clientCertificate != (object)selectedCert) selectedCert.Reset(); } GlobalLog.Leave("SecureChannel#" + ValidationHelper.HashString(this) + "::AcquireClientCredentials, cachedCreds = " + cachedCred.ToString(), ValidationHelper.ToString(m_CredentialsHandle)); return cachedCred; }
public static SafeFreeCredentials AcquireCredentialsHandle(SSPIInterface SecModule, string package, CredentialUse intent, SecureCredential scc) { GlobalLog.Print("SSPIWrapper::AcquireCredentialsHandle#3(): using " + package); if (Logging.On) Logging.PrintInfo(Logging.Web, "AcquireCredentialsHandle(" + "package = " + package + ", " + "intent = " + intent + ", " + "scc = " + scc + ")"); SafeFreeCredentials outCredential = null; int errorCode = SecModule.AcquireCredentialsHandle( package, intent, ref scc, out outCredential ); if (errorCode != 0) { #if TRAVE GlobalLog.Print("SSPIWrapper::AcquireCredentialsHandle#3(): error " + SecureChannel.MapSecurityStatus((uint)errorCode)); #endif if (Logging.On) Logging.PrintError(Logging.Web, SR.GetString(SR.net_log_operation_failed_with_error, "AcquireCredentialsHandle()", String.Format(CultureInfo.CurrentCulture, "0X{0:X}", errorCode))); throw new Win32Exception(errorCode); } #if TRAVE GlobalLog.Print("SSPIWrapper::AcquireCredentialsHandle#3(): cred handle = " + outCredential.ToString()); #endif return outCredential; }
private void AcquireServerCredentials() { SecureCredential scc = new SecureCredential(4, this.serverCertificate, SecureCredential.Flags.Zero, this.protocolFlags); this.credentialsHandle = SspiWrapper.AcquireCredentialsHandle("Microsoft Unified Security Protocol Provider", CredentialUse.Inbound, scc); }
private void AcquireClientCredentials() { SecureCredential scc = new SecureCredential(4, this.ClientCertificate, SecureCredential.Flags.NoDefaultCred | SecureCredential.Flags.ValidateManual, this.protocolFlags); this.credentialsHandle = SspiWrapper.AcquireCredentialsHandle("Microsoft Unified Security Protocol Provider", CredentialUse.Outbound, scc); }
public static SafeFreeCredentials AcquireCredentialsHandle( string package, CredentialUse intent, SecureCredential scc) { SafeFreeCredentials outCredential = null; int errorCode = SafeFreeCredentials.AcquireCredentialsHandle( package, intent, ref scc, out outCredential ); if (errorCode != 0) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new Win32Exception(errorCode)); } return outCredential; }
private bool AcquireClientCredentials(ref byte[] thumbPrint) { X509Certificate certificate = null; ArrayList list = new ArrayList(); string[] acceptableIssuers = null; bool flag = false; if (this.m_CertSelectionDelegate != null) { if (acceptableIssuers == null) { acceptableIssuers = this.GetIssuers(); } X509Certificate2 remoteCertificate = null; try { X509Certificate2Collection certificates; remoteCertificate = this.GetRemoteCertificate(out certificates); certificate = this.m_CertSelectionDelegate(this.m_HostName, this.ClientCertificates, remoteCertificate, acceptableIssuers); } finally { if (remoteCertificate != null) { remoteCertificate.Reset(); } } if (certificate != null) { if (this.m_CredentialsHandle == null) { flag = true; } list.Add(certificate); if (Logging.On) { Logging.PrintInfo(Logging.Web, this, SR.GetString("net_log_got_certificate_from_delegate")); } } else if (this.ClientCertificates.Count == 0) { if (Logging.On) { Logging.PrintInfo(Logging.Web, this, SR.GetString("net_log_no_delegate_and_have_no_client_cert")); } flag = true; } else if (Logging.On) { Logging.PrintInfo(Logging.Web, this, SR.GetString("net_log_no_delegate_but_have_client_cert")); } } else if (((this.m_CredentialsHandle == null) && (this.m_ClientCertificates != null)) && (this.m_ClientCertificates.Count > 0)) { certificate = this.ClientCertificates[0]; flag = true; if (certificate != null) { list.Add(certificate); } if (Logging.On) { Logging.PrintInfo(Logging.Web, this, SR.GetString("net_log_attempting_restart_using_cert", new object[] { (certificate == null) ? "null" : certificate.ToString(true) })); } } else if ((this.m_ClientCertificates != null) && (this.m_ClientCertificates.Count > 0)) { if (acceptableIssuers == null) { acceptableIssuers = this.GetIssuers(); } if (Logging.On) { if ((acceptableIssuers == null) || (acceptableIssuers.Length == 0)) { Logging.PrintInfo(Logging.Web, this, SR.GetString("net_log_no_issuers_try_all_certs")); } else { Logging.PrintInfo(Logging.Web, this, SR.GetString("net_log_server_issuers_look_for_matching_certs", new object[] { acceptableIssuers.Length })); } } for (int j = 0; j < this.m_ClientCertificates.Count; j++) { if ((acceptableIssuers != null) && (acceptableIssuers.Length != 0)) { X509Certificate2 certificate3 = null; X509Chain chain = null; try { certificate3 = MakeEx(this.m_ClientCertificates[j]); if (certificate3 == null) { continue; } chain = new X509Chain { ChainPolicy = { RevocationMode = X509RevocationMode.NoCheck, VerificationFlags = X509VerificationFlags.IgnoreInvalidName } }; chain.Build(certificate3); bool flag2 = false; if (chain.ChainElements.Count > 0) { for (int k = 0; k < chain.ChainElements.Count; k++) { string issuer = chain.ChainElements[k].Certificate.Issuer; flag2 = Array.IndexOf<string>(acceptableIssuers, issuer) != -1; if (flag2) { break; } } } if (!flag2) { continue; } } finally { if (chain != null) { chain.Reset(); } if ((certificate3 != null) && (certificate3 != this.m_ClientCertificates[j])) { certificate3.Reset(); } } } if (Logging.On) { Logging.PrintInfo(Logging.Web, this, SR.GetString("net_log_selected_cert", new object[] { this.m_ClientCertificates[j].ToString(true) })); } list.Add(this.m_ClientCertificates[j]); } } X509Certificate2 certificate4 = null; certificate = null; if (Logging.On) { Logging.PrintInfo(Logging.Web, this, SR.GetString("net_log_n_certs_after_filtering", new object[] { list.Count })); if (list.Count != 0) { Logging.PrintInfo(Logging.Web, this, SR.GetString("net_log_finding_matching_certs")); } } for (int i = 0; i < list.Count; i++) { certificate = list[i] as X509Certificate; certificate4 = this.EnsurePrivateKey(certificate); if (certificate4 != null) { break; } certificate = null; certificate4 = null; } try { byte[] buffer = (certificate4 == null) ? null : certificate4.GetCertHash(); SafeFreeCredentials credentials = SslSessionsCache.TryCachedCredential(buffer, this.m_ProtocolFlags, this.m_EncryptionPolicy); if ((flag && (credentials == null)) && (certificate4 != null)) { if (certificate != certificate4) { certificate4.Reset(); } buffer = null; certificate4 = null; certificate = null; } if (credentials != null) { if (Logging.On) { Logging.PrintInfo(Logging.Web, SR.GetString("net_log_using_cached_credential")); } this.m_CredentialsHandle = credentials; this.m_SelectedClientCertificate = certificate; return true; } SecureCredential secureCredential = new SecureCredential(4, certificate4, SecureCredential.Flags.NoDefaultCred | SecureCredential.Flags.ValidateManual, this.m_ProtocolFlags, this.m_EncryptionPolicy); this.m_CredentialsHandle = this.AcquireCredentialsHandle(CredentialUse.Outbound, ref secureCredential); thumbPrint = buffer; this.m_SelectedClientCertificate = certificate; } finally { if ((certificate4 != null) && (certificate != certificate4)) { certificate4.Reset(); } } return false; }
private bool AcquireServerCredentials(ref byte[] thumbPrint) { X509Certificate serverCertificate = null; if (this.m_CertSelectionDelegate != null) { X509CertificateCollection localCertificates = new X509CertificateCollection(); localCertificates.Add(this.m_ServerCertificate); serverCertificate = this.m_CertSelectionDelegate(string.Empty, localCertificates, null, new string[0]); } else { serverCertificate = this.m_ServerCertificate; } if (serverCertificate == null) { throw new NotSupportedException(SR.GetString("net_ssl_io_no_server_cert")); } X509Certificate2 certificate2 = this.EnsurePrivateKey(serverCertificate); if (certificate2 == null) { throw new NotSupportedException(SR.GetString("net_ssl_io_no_server_cert")); } byte[] certHash = certificate2.GetCertHash(); try { SafeFreeCredentials credentials = SslSessionsCache.TryCachedCredential(certHash, this.m_ProtocolFlags, this.m_EncryptionPolicy); if (credentials != null) { this.m_CredentialsHandle = credentials; this.m_ServerCertificate = serverCertificate; return true; } SecureCredential secureCredential = new SecureCredential(4, certificate2, SecureCredential.Flags.Zero, this.m_ProtocolFlags, this.m_EncryptionPolicy); this.m_CredentialsHandle = this.AcquireCredentialsHandle(CredentialUse.Inbound, ref secureCredential); thumbPrint = certHash; this.m_ServerCertificate = serverCertificate; } finally { if (serverCertificate != certificate2) { certificate2.Reset(); } } return false; }
private SafeFreeCredentials AcquireCredentialsHandle(CredentialUse credUsage, ref SecureCredential secureCredential) { SafeFreeCredentials credentials; try { using (WindowsIdentity.Impersonate(IntPtr.Zero)) { credentials = SSPIWrapper.AcquireCredentialsHandle(GlobalSSPI.SSPISecureChannel, "Microsoft Unified Security Protocol Provider", credUsage, secureCredential); } } catch { credentials = SSPIWrapper.AcquireCredentialsHandle(GlobalSSPI.SSPISecureChannel, "Microsoft Unified Security Protocol Provider", credUsage, secureCredential); } return credentials; }
public SecureCredential(int version, X509Certificate certificate, SecureCredential.Flags flags, SchProtocols protocols) { // default values required for a struct rootStore = phMappers = palgSupportedAlgs = certContextArray = IntPtr.Zero; cCreds = cMappers = cSupportedAlgs = 0; dwMinimumCipherStrength = dwMaximumCipherStrength = 0; dwSessionLifespan = reserved = 0; this.version = version; dwFlags = flags; grbitEnabledProtocols = protocols; if (certificate != null) { certContextArray = certificate.Handle; cCreds = 1; } }