.NET provides a very complicated (and complete) x509 Certificate handler. We do not require all those features and we also embed data that we use for quick retrieval that wouldn't be easy to reproduce using that framework. This model can be used on non-x509 certificate models and perhaps even abstract to support handshakes on pre-shared keys. In our system, certificate's serial numbers are equivalent to the data common to a certificate request and signed certificate, so that the model can support self-signed CAs. Thus a cert.SerialNumber == hash(cert.ca.unsigned data). This class is thread-safe.
Пример #1
0
    /// <summary>Create a DtlsFilter.</summary>
    /// <param name="key">A CryptoKey initialized by the OpenSSL.NET library.</param>
    /// <param name="cert">The path to the certificate to use.</param>
    /// <param name="ca_cert">The path to the ca certificate to use.</param>
    /// <param name="client">Use client initialization parameters.</param>
    public DtlsAssociation(ISender sender, CertificateHandler ch, PType ptype,
        Ssl ssl, bool client) : base(sender, ch)
    {
      _ip = new IdentifierPair();
      PType = ptype;
      _ssl = ssl;
      _client = client;
      _ssl.SetReadAhead(1);
      // Buggy SSL versions have issue with compression and dtls
      _ssl.SetOptions((int) SslOptions.SSL_OP_NO_COMPRESSION);
      if(client) {
        _ssl.SetConnectState();
      } else {
        _ssl.SetAcceptState();
      }

      // The ssl object will take control
      _read = BIO.MemoryBuffer(false);
      _read.NonBlocking = true;
      _write = BIO.MemoryBuffer(false);
      _write.NonBlocking = true;

      _ssl.SetBIO(_read, _write);
      _ssl.DoHandshake();

      _buffer = new byte[Int16.MaxValue];
      _buffer_sync = new object();
      _fe_lock = 0;
    }
Пример #2
0
        public void AddBadLocalCert()
        {
            CertificateHandler       ch  = new CertificateHandler("certs", "12345");
            RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(512);

            byte[] blob = rsa.ExportCspBlob(false);
            RSACryptoServiceProvider rsa_pub = new RSACryptoServiceProvider();

            rsa_pub.ImportCspBlob(blob);
            string           ID = "brunet:node:PXYSWDL5SZDHDDXJKZCLFENOP2KZDMBU";
            CertificateMaker cm = new CertificateMaker("US", "UFL", "ACIS", "David Wolinsky",
                                                       "*****@*****.**", rsa_pub, ID);
            Certificate cert_0 = cm.Sign(cm, rsa);

            ch.AddCACertificate(cert_0.X509);
            try {
                ch.AddSignedCertificate(cert_0.X509);
                Assert.IsTrue(false, "Shouldn't add this certificate!");
            } catch {
            }

            CertificateMaker cm0 = new CertificateMaker("US", "UFL", "ACIS", "David Wolinsky",
                                                        "*****@*****.**", rsa_pub, "12345");
            Certificate cert_1 = cm0.Sign(cm, rsa);

            ch.AddSignedCertificate(cert_1.X509);
        }
Пример #3
0
        public bool Verify(X509Certificate certificate, ISender sender)
        {
            Address  addr     = null;
            AHSender ahsender = sender as AHSender;

            if (ahsender != null)
            {
                addr = ahsender.Destination;
            }
            else
            {
                Edge edge = sender as Edge;
                if (edge != null)
                {
                    Connection con = _ct.GetConnection(edge);
                    if (con != null)
                    {
                        addr = con.Address;
                    }
                }
            }

            if (addr == null)
            {
                return(true);
            }
            return(CertificateHandler.Verify(certificate, addr.ToString()));
        }
Пример #4
0
        public void ValidityTest()
        {
            CertificateHandler       ch  = new CertificateHandler();
            RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(512);

            byte[] blob = rsa.ExportCspBlob(false);
            RSACryptoServiceProvider rsa_pub = new RSACryptoServiceProvider();

            rsa_pub.ImportCspBlob(blob);
            string           ID = "brunet:node:PXYSWDL5SZDHDDXJKZCLFENOP2KZDMBU";
            CertificateMaker cm = new CertificateMaker("US", "UFL", "ACIS", "David Wolinsky",
                                                       "*****@*****.**", rsa_pub, ID);
            Certificate cert_0 = cm.Sign(cm, rsa);

            ch.AddSignedCertificate(cert_0.X509);
            ch.AddCACertificate(cert_0.X509);
            rsa = new RSACryptoServiceProvider(1024);
            rsa_pub.ImportCspBlob(rsa.ExportCspBlob(false));
            cm = new CertificateMaker("US", "UFL", "ACIS", "David Wolinsky",
                                      "*****@*****.**", rsa_pub, ID);
            Certificate cert_1 = cm.Sign(cm, rsa);

            Assert.IsTrue(ch.Verify(cert_0.X509, null, ID), "Valid");
            bool success = false;

            try {
                success = ch.Verify(cert_1.X509, null, ID);
            } catch { }
            Assert.IsTrue(!success, "Valid cert2");
        }
Пример #5
0
 /// <summary></summary>
 public SecurityOverlord(RSACryptoServiceProvider private_key,
                         CertificateHandler ch)
 {
     _private_key = private_key;
     _ch          = ch;
     _stopped     = 0;
     _sa_check    = FuzzyTimer.Instance.DoEvery(CheckSAs, CHECK_SA_PERIOD, 0);//CHECK_SA_PERIOD / 2);
 }
Пример #6
0
 /// <summary></summary>
 public SecurityAssociation(ISender sender, CertificateHandler ch)
 {
     Sender      = sender;
     _ch         = ch;
     _closed     = 0;
     _receiving  = true;
     _sending    = true;
     _state      = States.Waiting;
     _state_lock = new object();
 }
        public bool Verify(X509Certificate certificate, ISender sender)
        {
            AHSender ahsender = sender as AHSender;

            if (ahsender == null)
            {
                return(true);
            }

            return(CertificateHandler.Verify(certificate, ahsender.Destination.ToString()));
        }
Пример #8
0
 public ProtocolSecurityOverlord(Node node,
     RSACryptoServiceProvider rsa,
     ReqrepManager rrman,
     CertificateHandler ch) :
     base(rsa, rrman, ch)
 {
   _node = node;
   _address_to_sa = new Dictionary<Address, SecurityAssociation>();
   _sa_to_address = new Dictionary<SecurityAssociation, Address>();
   lock(_sync) {
     _node.Rpc.AddHandler("Security", this);
   }
 }
Пример #9
0
 public SecurityOverlord(RSACryptoServiceProvider rsa, ReqrepManager rrman, CertificateHandler ch)
 {
     _private_key      = rsa;
     _private_key_lock = new object();
     _ch     = ch;
     _spi    = new Dictionary <int, Dictionary <ISender, SecurityAssociation> >();
     _cookie = new byte[CookieLength];
     _rand   = new Random();
     _rand.NextBytes(_cookie);
     _rrman          = rrman;
     _last_heartbeat = DateTime.UtcNow;
     _rrman.Subscribe(this, null);
 }
Пример #10
0
        public void FindCertificateTest()
        {
            CertificateHandler ch = new CertificateHandler();

            RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(512);

            byte[] blob = rsa.ExportCspBlob(false);
            RSACryptoServiceProvider rsa_pub = new RSACryptoServiceProvider();

            rsa_pub.ImportCspBlob(blob);

            List <Brunet.Util.MemBlock> supported   = new List <Brunet.Util.MemBlock>();
            List <Brunet.Util.MemBlock> unsupported = new List <Brunet.Util.MemBlock>();

            for (int i = 0; i < 20; i++)
            {
                CertificateMaker cm = new CertificateMaker("US", "UFL", "ACIS", "David Wolinsky",
                                                           "*****@*****.**" + i, rsa_pub, i.ToString());
                Certificate cert = cm.Sign(cm, rsa);
                if (i % 2 == 0)
                {
                    ch.AddCACertificate(cert.X509);
                    ch.AddSignedCertificate(cert.X509);
                    supported.Add(cert.SerialNumber);
                }
                else
                {
                    unsupported.Add(cert.SerialNumber);
                }
            }

            Assert.IsNotNull(ch.FindCertificate(supported), "Should find a certificate");

            bool success = false;

            try {
                success = ch.FindCertificate(unsupported) != null;
            } catch { }

            Assert.IsTrue(!success, "Should not find a certificate");

            List <Brunet.Util.MemBlock> mixed = new List <Brunet.Util.MemBlock>(unsupported);

            mixed.Insert(4, supported[1]);
            Assert.AreEqual(supported[1],
                            Brunet.Util.MemBlock.Reference(ch.FindCertificate(mixed).SerialNumber),
                            "Only one supported");
        }
Пример #11
0
        protected SecurityOverlord CreateInvalidSO(string name, int level)
        {
            if (rsa == null)
            {
                rsa = new RSACryptoServiceProvider();
                byte[] blob = rsa.ExportCspBlob(false);
                RSACryptoServiceProvider rsa_pub = new RSACryptoServiceProvider();
                rsa_pub.ImportCspBlob(blob);
                CertificateMaker cm = new CertificateMaker("United States", "UFL",
                                                           "ACIS", "David Wolinsky", "*****@*****.**", rsa_pub,
                                                           "brunet:node:abcdefghijklmnopqrs");
                Certificate cert = cm.Sign(cm, rsa);
                x509 = cert.X509;
            }

            CertificateHandler ch = new CertificateHandler();

            if (level == 2 || level == 0)
            {
                ch.AddCACertificate(x509);
            }
            if (level == 3 || level == 0)
            {
                ch.AddSignedCertificate(x509);
            }
            ReqrepManager rrm = new ReqrepManager("so" + name);

            _timeout += rrm.TimeoutChecker;
            SecurityOverlord so = new SecurityOverlord(rsa_safe, rrm, ch);

            so.AnnounceSA += AnnounceSA;
            RoutingDataHandler rdh = new RoutingDataHandler();

            rrm.Subscribe(so, null);
            so.Subscribe(rdh, null);
            rdh.Subscribe(rrm, null);
            return(so);
        }
Пример #12
0
    protected virtual StructuredNode PrepareNode(int id, AHAddress address)
    {
      if(TakenIDs.ContainsKey(id)) {
        throw new Exception("ID already taken");
      }

      StructuredNode node = new StructuredNode(address, BrunetNamespace);

      NodeMapping nm = new NodeMapping();
      nm.ID = id;
      TakenIDs[id] = nm;
      nm.Node = node;
      Nodes.Add((Address) address, nm);

      EdgeListener el = CreateEdgeListener(nm.ID);

      if(_secure_edges || _secure_senders) {
        byte[] blob = _se_key.ExportCspBlob(true);
        RSACryptoServiceProvider rsa_copy = new RSACryptoServiceProvider();
        rsa_copy.ImportCspBlob(blob);

        string username = address.ToString().Replace('=', '0');
        CertificateMaker cm = new CertificateMaker("United States", "UFL", 
          "ACIS", username, "*****@*****.**", rsa_copy,
          address.ToString());
        Certificate cert = cm.Sign(_ca_cert, _se_key);

        CertificateHandler ch = null;
        if(_dtls) {
          ch = new OpenSslCertificateHandler();
        } else {
          ch = new CertificateHandler();
        }
        ch.AddCACertificate(_ca_cert.X509);
        ch.AddSignedCertificate(cert.X509);

        if(_dtls) {
          nm.SO = new DtlsOverlord(rsa_copy, ch, PeerSecOverlord.Security);
        } else {
          nm.Sso = new SymphonySecurityOverlord(node, rsa_copy, ch, node.Rrm);
          nm.SO = nm.Sso;
        }

        var brh = new BroadcastRevocationHandler(_ca_cert, nm.SO);
        node.GetTypeSource(BroadcastRevocationHandler.PType).Subscribe(brh, null);
        ch.AddCertificateVerification(brh);
        nm.SO.Subscribe(node, null);
        node.GetTypeSource(PeerSecOverlord.Security).Subscribe(nm.SO, null);
      }

      if(_pathing) {
        nm.PathEM = new PathELManager(el, nm.Node);
        nm.PathEM.Start();
        el = nm.PathEM.CreatePath();
        PType path_p = PType.Protocol.Pathing;
        nm.Node.DemuxHandler.GetTypeSource(path_p).Subscribe(nm.PathEM, path_p);
      }

      if(_secure_edges) {
        node.EdgeVerifyMethod = EdgeVerify.AddressInSubjectAltName;
        el = new SecureEdgeListener(el, nm.SO);
      }

      node.AddEdgeListener(el);

      if(!_start) {
        node.RemoteTAs = GetRemoteTAs();
      }

      IRelayOverlap ito = null;
      if(NCEnable) {
        nm.NCService = new NCService(node, new Point());
// My evaluations show that when this is enabled the system sucks
//        (node as StructuredNode).Sco.TargetSelector = new VivaldiTargetSelector(node, ncservice);
        ito = new NCRelayOverlap(nm.NCService);
      } else {
        ito = new SimpleRelayOverlap();
      }

      if(_broken != 0) {
        el = new Relay.RelayEdgeListener(node, ito);
        if(_secure_edges) {
          el = new SecureEdgeListener(el, nm.SO);
        }
        node.AddEdgeListener(el);
      }

      BroadcastHandler bhandler = new BroadcastHandler(node as StructuredNode);
      node.DemuxHandler.GetTypeSource(BroadcastSender.PType).Subscribe(bhandler, null);
      node.DemuxHandler.GetTypeSource(SimBroadcastPType).Subscribe(SimBroadcastHandler, null);

      // Enables Dht data store
      new TableServer(node);
      nm.Dht = new Dht(node, 3, 20);
      nm.DhtProxy = new RpcDhtProxy(nm.Dht, node);
      return node;
    }
Пример #13
0
 public SymphonyVerification(CertificateHandler ch)
 {
   _ch = ch;
 }
Пример #14
0
 public SymphonyVerification(CertificateHandler ch)
 {
     _ch = ch;
 }
Пример #15
0
    protected virtual StructuredNode PrepareNode(int id, AHAddress address)
    {
      if(TakenIDs.Contains(id)) {
        throw new Exception("ID already taken");
      }

      StructuredNode node = new StructuredNode(address, BrunetNamespace);

      NodeMapping nm = new NodeMapping();
      TakenIDs[id] = nm.ID = id;
      nm.Node = node;
      Nodes.Add((Address) address, nm);

      EdgeListener el = CreateEdgeListener(nm.ID);

      if(SecureEdges || SecureSenders) {
        byte[] blob = SEKey.ExportCspBlob(true);
        RSACryptoServiceProvider rsa_copy = new RSACryptoServiceProvider();
        rsa_copy.ImportCspBlob(blob);

        CertificateMaker cm = new CertificateMaker("United States", "UFL", 
          "ACIS", "David Wolinsky", "*****@*****.**", rsa_copy,
          address.ToString());
        Certificate cert = cm.Sign(CACert, SEKey);

        CertificateHandler ch = new CertificateHandler();
        ch.AddCACertificate(CACert.X509);
        ch.AddSignedCertificate(cert.X509);

        ProtocolSecurityOverlord so = new ProtocolSecurityOverlord(node, rsa_copy, node.Rrm, ch);
        so.Subscribe(node, null);
        node.GetTypeSource(SecurityOverlord.Security).Subscribe(so, null);
        nm.BSO = so;
        node.HeartBeatEvent += so.Heartbeat;
      }

      if(SecureEdges) {
        node.EdgeVerifyMethod = EdgeVerify.AddressInSubjectAltName;
        el = new SecureEdgeListener(el, nm.BSO);
      }

      node.AddEdgeListener(el);

      node.RemoteTAs = GetRemoteTAs();

      ITunnelOverlap ito = null;
      if(NCEnable) {
        nm.NCService = new NCService(node, new Point());
// My evaluations show that when this is enabled the system sucks
//        (node as StructuredNode).Sco.TargetSelector = new VivaldiTargetSelector(node, ncservice);
        ito = new NCTunnelOverlap(nm.NCService);
      } else {
        ito = new SimpleTunnelOverlap();
      }

      if(Broken != 0) {
        el = new Tunnel.TunnelEdgeListener(node, ito);
        node.AddEdgeListener(el);
      }
      // Enables Dht data store
      new TableServer(node);
      return node;
    }