public static SafeFreeCredentials AcquireCredentialsHandle(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, bool isServer) { int protocolFlags = GetProtocolFlagsFromSslProtocols(protocols, isServer); Interop.Secur32.SecureCredential.Flags flags; Interop.Secur32.CredentialUse direction; if (!isServer) { direction = Interop.Secur32.CredentialUse.Outbound; flags = Interop.Secur32.SecureCredential.Flags.ValidateManual | Interop.Secur32.SecureCredential.Flags.NoDefaultCred; // CoreFX: always opt-in SCH_USE_STRONG_CRYPTO except for SSL3. if (((protocolFlags & (Interop.SChannel.SP_PROT_TLS1_0 | Interop.SChannel.SP_PROT_TLS1_1 | Interop.SChannel.SP_PROT_TLS1_2)) != 0) && (policy != EncryptionPolicy.AllowNoEncryption) && (policy != EncryptionPolicy.NoEncryption)) { flags |= Interop.Secur32.SecureCredential.Flags.UseStrongCrypto; } } else { direction = Interop.Secur32.CredentialUse.Inbound; flags = Interop.Secur32.SecureCredential.Flags.Zero; } Interop.Secur32.SecureCredential secureCredential = CreateSecureCredential( Interop.Secur32.SecureCredential.CurrentVersion, certificate, flags, protocolFlags, policy); return(AcquireCredentialsHandle(direction, secureCredential)); }
public unsafe static int AcquireCredentialsHandle( string package, Interop.Secur32.CredentialUse intent, ref Interop.Secur32.SecureCredential authdata, out SafeFreeCredentials outCredential) { GlobalLog.Print("SafeFreeCredentials::AcquireCredentialsHandle#2(" + package + ", " + intent + ", " + authdata + ")"); int errorCode = -1; long timeStamp; // If there is a certificate, wrap it into an array. // Not threadsafe. IntPtr copiedPtr = authdata.certContextArray; try { IntPtr certArrayPtr = new IntPtr(&copiedPtr); if (copiedPtr != IntPtr.Zero) { authdata.certContextArray = certArrayPtr; } outCredential = new SafeFreeCredential_SECURITY(); errorCode = Interop.Secur32.AcquireCredentialsHandleW( null, package, (int)intent, null, ref authdata, null, null, ref outCredential._handle, out timeStamp); } finally { authdata.certContextArray = copiedPtr; } #if TRACE_VERBOSE GlobalLog.Print("Unmanaged::AcquireCredentialsHandle() returns 0x" + errorCode.ToString("x") + ", handle = " + outCredential.ToString()); #endif if (errorCode != 0) { outCredential.SetHandleAsInvalid(); } return(errorCode); }
private static Interop.Secur32.SecureCredential CreateSecureCredential( int version, X509Certificate certificate, Interop.Secur32.SecureCredential.Flags flags, int protocols, EncryptionPolicy policy) { var credential = new Interop.Secur32.SecureCredential() { rootStore = IntPtr.Zero, phMappers = IntPtr.Zero, palgSupportedAlgs = IntPtr.Zero, certContextArray = IntPtr.Zero, cCreds = 0, cMappers = 0, cSupportedAlgs = 0, dwSessionLifespan = 0, reserved = 0 }; if (policy == EncryptionPolicy.RequireEncryption) { // Prohibit null encryption cipher. credential.dwMinimumCipherStrength = 0; credential.dwMaximumCipherStrength = 0; } else if (policy == EncryptionPolicy.AllowNoEncryption) { // Allow null encryption cipher in addition to other ciphers. credential.dwMinimumCipherStrength = -1; credential.dwMaximumCipherStrength = 0; } else if (policy == EncryptionPolicy.NoEncryption) { // Suppress all encryption and require null encryption cipher only credential.dwMinimumCipherStrength = -1; credential.dwMaximumCipherStrength = -1; } else { throw new ArgumentException(SR.Format(SR.net_invalid_enum, "EncryptionPolicy"), "policy"); } credential.version = version; credential.dwFlags = flags; credential.grbitEnabledProtocols = protocols; if (certificate != null) { credential.certContextArray = certificate.Handle; credential.cCreds = 1; } return(credential); }
public SafeFreeCredentials AcquireCredentialsHandle(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, bool isServer) { Interop.Secur32.SecureCredential secureCredential = CreateSecureCredential(Interop.Secur32.SecureCredential.CurrentVersion, certificate, protocols, policy, isServer); // First try without impersonation, if it fails, then try the process account. // I.E. We don't know which account the certificate context was created under. try { // // For app-compat we want to ensure the credential are accessed under >>process<< acount. // return(WindowsIdentity.RunImpersonated <SafeFreeCredentials>(SafeAccessTokenHandle.InvalidHandle, () => { return AcquireCredentialsHandle(MSSecurityPackage, isServer, secureCredential); })); } catch { return(AcquireCredentialsHandle(MSSecurityPackage, isServer, secureCredential)); } }
private Interop.Secur32.SecureCredential CreateSecureCredential(int version, X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, bool isServer) { Interop.Secur32.SecureCredential.Flags flags = Interop.Secur32.SecureCredential.Flags.Zero; if (!isServer) { flags = Interop.Secur32.SecureCredential.Flags.ValidateManual | Interop.Secur32.SecureCredential.Flags.NoDefaultCred; if ((protocols.HasFlag(SslProtocols.Tls) || protocols.HasFlag(SslProtocols.Tls11) || protocols.HasFlag(SslProtocols.Tls12)) && (policy != EncryptionPolicy.AllowNoEncryption) && (policy != EncryptionPolicy.NoEncryption)) { flags |= Interop.Secur32.SecureCredential.Flags.UseStrongCrypto; } } var credential = new Interop.Secur32.SecureCredential() { rootStore = IntPtr.Zero, phMappers = IntPtr.Zero, palgSupportedAlgs = IntPtr.Zero, certContextArray = IntPtr.Zero, cCreds = 0, cMappers = 0, cSupportedAlgs = 0, dwSessionLifespan = 0, reserved = 0 }; if (policy == EncryptionPolicy.RequireEncryption) { // Prohibit null encryption cipher. credential.dwMinimumCipherStrength = 0; credential.dwMaximumCipherStrength = 0; } else if (policy == EncryptionPolicy.AllowNoEncryption) { // Allow null encryption cipher in addition to other ciphers. credential.dwMinimumCipherStrength = -1; credential.dwMaximumCipherStrength = 0; } else if (policy == EncryptionPolicy.NoEncryption) { // Suppress all encryption and require null encryption cipher only credential.dwMinimumCipherStrength = -1; credential.dwMaximumCipherStrength = -1; } else { throw new ArgumentException(SR.Format(SR.net_invalid_enum, "EncryptionPolicy"), "policy"); } int _protocolFlags = 0; if (isServer) { _protocolFlags = ((int)protocols & Interop.SChannel.ServerProtocolMask); } else { _protocolFlags = ((int)protocols & Interop.SChannel.ClientProtocolMask); } credential.version = version; credential.dwFlags = flags; credential.grbitEnabledProtocols = _protocolFlags; if (certificate != null) { credential.certContextArray = certificate.Handle; credential.cCreds = 1; } return(credential); }
private int AcquireCredentialsHandle(string moduleName, bool IsInBoundCred, ref Interop.Secur32.SecureCredential authdata, out SafeFreeCredentials outCredential) { Interop.Secur32.CredentialUse intent = IsInBoundCred ? Interop.Secur32.CredentialUse.Inbound : Interop.Secur32.CredentialUse.Outbound; return(SafeFreeCredentials.AcquireCredentialsHandle(moduleName, intent, ref authdata, out outCredential)); }
private SafeFreeCredentials AcquireCredentialsHandle(string package, bool isServer, Interop.Secur32.SecureCredential scc) { GlobalLog.Print("SSPIWrapper::AcquireCredentialsHandle#3(): using " + package); if (Logging.On) { Logging.PrintInfo(Logging.Web, "AcquireCredentialsHandle(" + "package = " + package + ", " + "IsInBoundCred = " + isServer + ", " + "scc = " + scc + ")"); } SafeFreeCredentials outCredential = null; int errorCode = AcquireCredentialsHandle( package, isServer, ref scc, out outCredential ); if (errorCode != 0) { #if TRACE_VERBOSE GlobalLog.Print("SSPIWrapper::AcquireCredentialsHandle#3(): error " + Interop.MapSecurityStatus((uint)errorCode)); #endif if (Logging.On) { Logging.PrintError(Logging.Web, SR.Format(SR.net_log_operation_failed_with_error, "AcquireCredentialsHandle()", String.Format(CultureInfo.CurrentCulture, "0X{0:X}", errorCode))); } throw new Win32Exception(errorCode); } #if TRACE_VERBOSE GlobalLog.Print("SSPIWrapper::AcquireCredentialsHandle#3(): cred handle = " + outCredential.ToString()); #endif return(outCredential); }
// // Security: we temporarily reset thread token to open the handle under process account. // private static SafeFreeCredentials AcquireCredentialsHandle(Interop.Secur32.CredentialUse credUsage, Interop.Secur32.SecureCredential secureCredential) { // First try without impersonation, if it fails, then try the process account. // I.E. We don't know which account the certificate context was created under. try { // // For app-compat we want to ensure the credential are accessed under >>process<< acount. // return(WindowsIdentity.RunImpersonated <SafeFreeCredentials>(SafeAccessTokenHandle.InvalidHandle, () => { return SSPIWrapper.AcquireCredentialsHandle(GlobalSSPI.SSPISecureChannel, SecurityPackage, credUsage, secureCredential); })); } catch { return(SSPIWrapper.AcquireCredentialsHandle(GlobalSSPI.SSPISecureChannel, SecurityPackage, credUsage, secureCredential)); } }
private Interop.Secur32.SecureCredential CreateSecureCredential(int version, X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, bool isServer) { Interop.Secur32.SecureCredential.Flags flags = Interop.Secur32.SecureCredential.Flags.Zero; if (!isServer) { flags = Interop.Secur32.SecureCredential.Flags.ValidateManual | Interop.Secur32.SecureCredential.Flags.NoDefaultCred; if ((protocols.HasFlag(SslProtocols.Tls) || protocols.HasFlag(SslProtocols.Tls11) || protocols.HasFlag(SslProtocols.Tls12)) && (policy != EncryptionPolicy.AllowNoEncryption) && (policy != EncryptionPolicy.NoEncryption)) { flags |= Interop.Secur32.SecureCredential.Flags.UseStrongCrypto; } } var credential = new Interop.Secur32.SecureCredential() { rootStore = IntPtr.Zero, phMappers = IntPtr.Zero, palgSupportedAlgs = IntPtr.Zero, certContextArray = IntPtr.Zero, cCreds = 0, cMappers = 0, cSupportedAlgs = 0, dwSessionLifespan = 0, reserved = 0 }; if (policy == EncryptionPolicy.RequireEncryption) { // Prohibit null encryption cipher. credential.dwMinimumCipherStrength = 0; credential.dwMaximumCipherStrength = 0; } else if (policy == EncryptionPolicy.AllowNoEncryption) { // Allow null encryption cipher in addition to other ciphers. credential.dwMinimumCipherStrength = -1; credential.dwMaximumCipherStrength = 0; } else if (policy == EncryptionPolicy.NoEncryption) { // Suppress all encryption and require null encryption cipher only credential.dwMinimumCipherStrength = -1; credential.dwMaximumCipherStrength = -1; } else { throw new ArgumentException(SR.Format(SR.net_invalid_enum, "EncryptionPolicy"), "policy"); } int _protocolFlags = 0; if (isServer) { _protocolFlags = ((int)protocols & Interop.SChannel.ServerProtocolMask); } else { _protocolFlags = ((int)protocols & Interop.SChannel.ClientProtocolMask); } credential.version = version; credential.dwFlags = flags; credential.grbitEnabledProtocols = _protocolFlags; if (certificate != null) { credential.certContextArray = certificate.Handle; credential.cCreds = 1; } return credential; }
public Interop.Secur32.SecureCredential CreateSecureCredential( int version, X509Certificate certificate, Interop.Secur32.SecureCredential.Flags flags, int protocols, EncryptionPolicy policy) { var credential = new Interop.Secur32.SecureCredential() { rootStore = IntPtr.Zero, phMappers = IntPtr.Zero, palgSupportedAlgs = IntPtr.Zero, certContextArray = IntPtr.Zero, cCreds = 0, cMappers = 0, cSupportedAlgs = 0, dwSessionLifespan = 0, reserved = 0 }; if (policy == EncryptionPolicy.RequireEncryption) { // Prohibit null encryption cipher. credential.dwMinimumCipherStrength = 0; credential.dwMaximumCipherStrength = 0; } else if (policy == EncryptionPolicy.AllowNoEncryption) { // Allow null encryption cipher in addition to other ciphers. credential.dwMinimumCipherStrength = -1; credential.dwMaximumCipherStrength = 0; } else if (policy == EncryptionPolicy.NoEncryption) { // Suppress all encryption and require null encryption cipher only credential.dwMinimumCipherStrength = -1; credential.dwMaximumCipherStrength = -1; } else { throw new ArgumentException(SR.Format(SR.net_invalid_enum, "EncryptionPolicy"), "policy"); } credential.version = version; credential.dwFlags = flags; credential.grbitEnabledProtocols = protocols; if (certificate != null) { credential.certContextArray = certificate.Handle; credential.cCreds = 1; } return credential; }
public int AcquireCredentialsHandle(string moduleName, Interop.Secur32.CredentialUse usage, ref Interop.Secur32.SecureCredential authdata, out SafeFreeCredentials outCredential) { return(SafeFreeCredentials.AcquireCredentialsHandle(moduleName, usage, ref authdata, out outCredential)); }
public static SafeFreeCredentials AcquireCredentialsHandle(SSPIInterface secModule, string package, Interop.Secur32.CredentialUse intent, Interop.Secur32.SecureCredential scc) { GlobalLog.Print("SSPIWrapper::AcquireCredentialsHandle#3(): using " + package); if (SecurityEventSource.Log.IsEnabled()) { SecurityEventSource.AcquireCredentialsHandle(package, intent, scc); } SafeFreeCredentials outCredential = null; int errorCode = secModule.AcquireCredentialsHandle( package, intent, ref scc, out outCredential); if (errorCode != 0) { #if TRACE_VERBOSE GlobalLog.Print("SSPIWrapper::AcquireCredentialsHandle#3(): error " + Interop.MapSecurityStatus((uint)errorCode)); #endif if (NetEventSource.Log.IsEnabled()) { NetEventSource.PrintError(NetEventSource.ComponentType.Security, SR.Format(SR.net_log_operation_failed_with_error, "AcquireCredentialsHandle()", String.Format(CultureInfo.CurrentCulture, "0X{0:X}", errorCode))); } throw new Win32Exception(errorCode); } #if TRACE_VERBOSE GlobalLog.Print("SSPIWrapper::AcquireCredentialsHandle#3(): cred handle = " + outCredential.ToString()); #endif return(outCredential); }