public ServerHandshakeSession(SecurityParameters securityParameters)
: base(securityParameters)
{
if (securityParameters.ServerCertificateSelectionCallback != null)
{
_certificateSelectionCallback = securityParameters.ServerCertificateSelectionCallback;
}
else
{
_certificateSelectionCallback = DefaultCertificateSelectionCallback;
}
if (securityParameters.ServerCertificateValidationCallback != null)
{
_certificateValidationCallback = securityParameters.ServerCertificateValidationCallback;
}
_availableCertificates = new List <X509CertificateCollection>();
_availableCertificates.AddRange(securityParameters.AvailableCertificates);
_availablePrivateKeys = new List <CertificatePrivateKey>();
_availablePrivateKeys.AddRange(securityParameters.AvailablePrivateKeys);
if (securityParameters.ClientCertificateTypes.Count > 0)
{
_certificateRequest = new HandshakeCertificateRequest(_version);
_certificateRequest.CertificateTypes.AddRange(securityParameters.ClientCertificateTypes);
_certificateRequest.SignatureAndHashAlgorithms.AddRange(_pluginManager.GetSupportedSignatureAndHashAlgorithms());
_certificateRequest.CertificateAuthorities.AddRange(securityParameters.ClientCertificateAuthorities);
}
}
/// <summary>
/// Call back to override server certificate validation
/// </summary>
/// <param name="sender"></param>
/// <param name="certificate"></param>
/// <param name="chain"></param>
/// <param name="sslPolicyErrors"></param>
/// <returns></returns>
internal bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
//if user callback is registered then do it
if (ServerCertificateValidationCallback != null)
{
var args = new CertificateValidationEventArgs
{
Certificate = certificate,
Chain = chain,
SslPolicyErrors = sslPolicyErrors
};
//why is the sender null?
ServerCertificateValidationCallback.InvokeParallel(this, args);
return(args.IsValid);
}
if (sslPolicyErrors == SslPolicyErrors.None)
{
return(true);
}
//By default
//do not allow this client to communicate with unauthenticated servers.
return(false);
}
public SecureClient Build(ServerCertificateValidationCallback serverCertificateValidationCallback = null,
X509CertificateCollection clientCertificateCollection = null, SslProtocols sslProtocols = SslProtocols.Tls12)
{
return(new SecureClient(loggerFactory, serializer, orderingService, cancellationToken, sendIdempotencyService,
receiveIdempotencyService, delaySequenceGenerator, millisecondsIntervalForPacketResend, serverCertificateValidationCallback,
sslProtocols, clientCertificateCollection, keepAliveTimeOut, maximumNumberOfKeepAliveMisses, keepAliveResponseTimeOut));
}
public ClientHandshakeSession(SecurityParameters securityParameters)
: base(securityParameters)
{
if (securityParameters.ServerCertificateValidationCallback != null)
{
_certificateValidationCallback = securityParameters.ServerCertificateValidationCallback;
}
else
{
_certificateValidationCallback = new ServerCertificateValidationCallback(DefaultCertificateValidationCallback);
}
if (securityParameters.ClientCertificateSelectionCallback != null)
{
_certificateSelectionCallback = securityParameters.ClientCertificateSelectionCallback;
}
else
{
_certificateSelectionCallback = new ClientCertificateSelectionCallback(DefaultCertificateSelectionCallback);
}
HandshakeClientHello clientHello = new HandshakeClientHello(_maxVersion);
clientHello.CipherSuites.AddRange(_supportedCipherSuites);
clientHello.CompressionMethods.AddRange(_supportedCompressions);
clientHello.Extensions.Add(new HelloSignatureAlgorithmsExtension(_pluginManager.GetSupportedSignatureAndHashAlgorithms()));
OutputMessage(clientHello);
_connectionState.ClientRandom = clientHello.Random.GetBytes();
}
private SqlConnectionPoolKey(SqlConnectionPoolKey key) : base(key)
{
_credential = key.Credential;
_accessToken = key.AccessToken;
_serverCertificateValidationCallback = key._serverCertificateValidationCallback;
_clientCertificateRetrievalCallback = key._clientCertificateRetrievalCallback;
CalculateHashCode();
}
public void RegisterServerCertificateValidationCallback(string host, ServerCertificateValidationCallback callback)
{
if (this._ServerCertHandlers.ContainsKey(host))
{
this._ServerCertHandlers[host] = callback;
return;
}
this._ServerCertHandlers.Add(host, callback);
}
public TlsNetworkTransport(CancellationToken cancellationToken, ILoggerFactory loggerFactory,
ServerCertificateValidationCallback serverCertificateValidationCallback, SslProtocols sslProtocols,
X509CertificateCollection clientCertificateCollection)
{
Init(loggerFactory, cancellationToken);
this.serverCertificateValidationCallback = serverCertificateValidationCallback;
this.sslProtocols = sslProtocols;
this.clientCertificateCollection = clientCertificateCollection;
}
public SecureClient(ILoggerFactory loggerFactory, ISerializer serializer, IOrderingService orderingService,
CancellationToken cancellationToken, ISendIdempotencyService <Guid, Packet> sendIdempotencyService,
IReceiveIdempotencyService <string> receiveIdempotencyService, ISequenceGenerator delaySequenceGenerator,
int millisecondsIntervalForPacketResend, ServerCertificateValidationCallback serverCertificateValidationCallback, SslProtocols sslProtocols,
X509CertificateCollection clientCertificateCollection, int keepAliveTimeOut,
int maximumNumberOfKeepAliveMisses, int keepAliveResponseTimeOut)
{
this.serverCertificateValidationCallback = serverCertificateValidationCallback;
this.sslProtocols = sslProtocols;
this.clientCertificateCollection = clientCertificateCollection;
Init(loggerFactory, serializer, orderingService, cancellationToken,
sendIdempotencyService, receiveIdempotencyService, delaySequenceGenerator,
millisecondsIntervalForPacketResend, keepAliveTimeOut, maximumNumberOfKeepAliveMisses, keepAliveResponseTimeOut);
}
internal SqlConnectionPoolKey(string connectionString,
SqlCredential credential,
string accessToken,
ServerCertificateValidationCallback serverCertificateValidationCallback,
ClientCertificateRetrievalCallback clientCertificateRetrievalCallback,
SqlClientOriginalNetworkAddressInfo originalNetworkAddressInfo) : base(connectionString)
{
Debug.Assert(_credential == null || _accessToken == null, "Credential and AccessToken can't have the value at the same time.");
_credential = credential;
_accessToken = accessToken;
_serverCertificateValidationCallback = serverCertificateValidationCallback;
_clientCertificateRetrievalCallback = clientCertificateRetrievalCallback;
_originalNetworkAddressInfo = originalNetworkAddressInfo;
CalculateHashCode();
}
/// <summary>
/// Call back to override server certificate validation
/// </summary>
/// <param name="sender"></param>
/// <param name="certificate"></param>
/// <param name="chain"></param>
/// <param name="sslPolicyErrors"></param>
/// <returns></returns>
internal bool ValidateServerCertificate(
object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
//if user callback is registered then do it
if (ServerCertificateValidationCallback != null)
{
var args = new CertificateValidationEventArgs
{
Certificate = certificate,
Chain = chain,
SslPolicyErrors = sslPolicyErrors
};
Delegate[] invocationList = ServerCertificateValidationCallback.GetInvocationList();
Task[] handlerTasks = new Task[invocationList.Length];
for (int i = 0; i < invocationList.Length; i++)
{
handlerTasks[i] = ((Func <object, CertificateValidationEventArgs, Task>)invocationList[i])(null, args);
}
Task.WhenAll(handlerTasks).Wait();
return(args.IsValid);
}
if (sslPolicyErrors == SslPolicyErrors.None)
{
return(true);
}
//By default
//do not allow this client to communicate with unauthenticated servers.
return(false);
}
/// <summary>
/// Call back to override server certificate validation
/// </summary>
/// <param name="sender">The sender object.</param>
/// <param name="sessionArgs">The http session.</param>
/// <param name="certificate">The remote certificate.</param>
/// <param name="chain">The certificate chain.</param>
/// <param name="sslPolicyErrors">Ssl policy errors</param>
/// <returns>Return true if valid certificate.</returns>
internal bool ValidateServerCertificate(object sender, SessionEventArgsBase sessionArgs, X509Certificate certificate, X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
// if user callback is registered then do it
if (ServerCertificateValidationCallback != null)
{
var args = new CertificateValidationEventArgs(sessionArgs, certificate, chain, sslPolicyErrors);
// why is the sender null?
ServerCertificateValidationCallback.InvokeAsync(this, args, ExceptionFunc).Wait();
return(args.IsValid);
}
if (sslPolicyErrors == SslPolicyErrors.None)
{
return(true);
}
// By default
// do not allow this client to communicate with unauthenticated servers.
return(true);
}
public ClientHandshakeSession(SecurityParameters securityParameters)
: base(securityParameters)
{
if (securityParameters.ServerCertificateValidationCallback != null) {
_certificateValidationCallback = securityParameters.ServerCertificateValidationCallback;
} else {
_certificateValidationCallback = new ServerCertificateValidationCallback(DefaultCertificateValidationCallback);
}
if (securityParameters.ClientCertificateSelectionCallback != null) {
_certificateSelectionCallback = securityParameters.ClientCertificateSelectionCallback;
} else {
_certificateSelectionCallback = new ClientCertificateSelectionCallback(DefaultCertificateSelectionCallback);
}
HandshakeClientHello clientHello = new HandshakeClientHello(_maxVersion);
clientHello.CipherSuites.AddRange(_supportedCipherSuites);
clientHello.CompressionMethods.AddRange(_supportedCompressions);
clientHello.Extensions.Add(new HelloSignatureAlgorithmsExtension(_pluginManager.GetSupportedSignatureAndHashAlgorithms()));
OutputMessage(clientHello);
_connectionState.ClientRandom = clientHello.Random.GetBytes();
}
/// <summary>
/// Invocator for ServerCertificateValidationCallback event.
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
protected virtual void OnServerCertificateValidationCallback(object sender, CertificateValidationEventArgs e)
{
ServerCertificateValidationCallback?.Invoke(sender, e);
}
public ServerHandshakeSession(SecurityParameters securityParameters, ILogger logger)
: base(securityParameters, logger)
{
if (securityParameters.ServerCertificateSelectionCallback != null)
{
_certificateSelectionCallback = securityParameters.ServerCertificateSelectionCallback;
}
else
{
_certificateSelectionCallback = new ServerCertificateSelectionCallback(DefaultCertificateSelectionCallback);
}
if (securityParameters.ServerCertificateValidationCallback != null)
{
_certificateValidationCallback = securityParameters.ServerCertificateValidationCallback;
}
_availableCertificates = new List<X509CertificateCollection>();
_availableCertificates.AddRange(securityParameters.AvailableCertificates);
_availablePrivateKeys = new List<CertificatePrivateKey>();
_availablePrivateKeys.AddRange(securityParameters.AvailablePrivateKeys);
if (securityParameters.ClientCertificateTypes.Count > 0)
{
_certificateRequest = new HandshakeCertificateRequest(_version);
_certificateRequest.CertificateTypes.AddRange(securityParameters.ClientCertificateTypes);
_certificateRequest.SignatureAndHashAlgorithms.AddRange(_pluginManager.GetSupportedSignatureAndHashAlgorithms());
_certificateRequest.CertificateAuthorities.AddRange(securityParameters.ClientCertificateAuthorities);
}
}
public ClientHandshakeSession(SecurityParameters securityParameters, ILogger logger = null)
: base(securityParameters, logger)
{
if (securityParameters.ServerCertificateValidationCallback != null)
{
_certificateValidationCallback = securityParameters.ServerCertificateValidationCallback;
}
else
{
_certificateValidationCallback = new ServerCertificateValidationCallback(DefaultCertificateValidationCallback);
}
if (securityParameters.ClientCertificateSelectionCallback != null)
{
_certificateSelectionCallback = securityParameters.ClientCertificateSelectionCallback;
}
else
{
_certificateSelectionCallback = new ClientCertificateSelectionCallback(DefaultCertificateSelectionCallback);
}
var clientHello = new HandshakeClientHello(_maxVersion);
// add ciphersuites
clientHello.CipherSuites.AddRange(_supportedCipherSuites.Select(cs => (CipherSuiteId)cs));
// add compressions
clientHello.CompressionMethods.AddRange(_supportedCompressions);
// add signature and hash algorithms
//var sigHashAlgorithms = _pluginManager.GetSupportedSignatureAndHashAlgorithms();
//clientHello.Extensions.Add(new HelloSignatureAlgorithmsExtension(new[] { (ushort)0x0403 }));
clientHello.Extensions.Add(new HelloSignatureAlgorithmsExtension(new[] { new SignatureAndHashAlgorithm()
{
HashAlgorithm = HashAlgorithmType.Sha256,
SignatureAlgorithm = SignatureAlgorithmType.Ecdsa
} }));
//if (sigHashAlgorithms.Any(s => BitConverter.GetBytes(s)[0] == 0x03))
//{
// clientHello.Extensions.Add(new HelloEccExtension(0x0000));
//}
// get curve name from client certificate, only add the Curve Extension that corresponds to the client certificate
// otherwise the meter may take the curve from the first transmitted extension (ignoring the curve of the certificate)
var cert = securityParameters.AvailableCertificates.First()[0];
var data = Asn1Object.FromByteArray(cert.GetKeyAlgorithmParameters());
this.logger?.Debug($"Client certificate's key algorithm parameters {data}, here an OID is expepcted");
var oid = new DerObjectIdentifier(data.ToString());
var curveName = Org.BouncyCastle.Asn1.Sec.SecNamedCurves.GetName(oid);
if (curveName.ToUpperInvariant() == "SECP256R1")
{
clientHello.Extensions.Add(new HelloEccExtension(EccNamedCurve.Secp256R1));
}
else if (curveName.ToUpperInvariant() == "BRAINPOOLP256R1")
{
clientHello.Extensions.Add(new HelloEccExtension(EccNamedCurve.BrainpoolP256R1));
}
else
{
throw new NotSupportedException($"ECC Curve {curveName} is not supported");
}
this.logger?.Debug($"Creating ClientHello with max version {_maxVersion}, " +
$"supported cipher suites {string.Join(",", _supportedCipherSuites.Select(cs => $"{cs:X2}"))}, " +
$"compression methods {string.Join(",", _supportedCompressions.Select(c => $"{c:X2}"))}, " +
$"extension {string.Join(",", clientHello.Extensions.Select(ex => ex))} ");
this.OutputMessage(clientHello);
_connectionState.ClientRandom = clientHello.Random.GetBytes();
}
public ClientHandshakeSession(SecurityParameters securityParameters)
: base(securityParameters)
{
if (securityParameters.ServerCertificateValidationCallback != null)
{
_certificateValidationCallback = securityParameters.ServerCertificateValidationCallback;
}
else
{
_certificateValidationCallback = new ServerCertificateValidationCallback(DefaultCertificateValidationCallback);
}
if (securityParameters.ClientCertificateSelectionCallback != null)
{
_certificateSelectionCallback = securityParameters.ClientCertificateSelectionCallback;
}
else
{
_certificateSelectionCallback = new ClientCertificateSelectionCallback(DefaultCertificateSelectionCallback);
}
var clientHello = new HandshakeClientHello(_maxVersion);
// add ciphersuites
clientHello.CipherSuites.AddRange(_supportedCipherSuites.Select(cs => (CipherSuiteId)cs));
// add compressions
clientHello.CompressionMethods.AddRange(_supportedCompressions);
// add supported elliptic curves
clientHello.Extensions.Add(
new HelloEccExtension(
new[]
{
EccNamedCurve.Secp256R1,
EccNamedCurve.Secp384R1,
EccNamedCurve.BrainpoolP256R1,
EccNamedCurve.BrainpoolP384R1,
EccNamedCurve.BrainpoolP512R1
}));
// add elyptic curves point format
clientHello.Extensions.Add(
new HelloEccPointFormatsExtension(EccPointFormats.Uncompressed));
// add signature and hash algorithms
clientHello.Extensions.Add(
new HelloSignatureAlgorithmsExtension(
new[]
{
new SignatureAndHashAlgorithm()
{
HashAlgorithm = HashAlgorithmType.Sha256, SignatureAlgorithm = SignatureAlgorithmType.Ecdsa
},
new SignatureAndHashAlgorithm()
{
HashAlgorithm = HashAlgorithmType.Sha384, SignatureAlgorithm = SignatureAlgorithmType.Ecdsa
},
new SignatureAndHashAlgorithm()
{
HashAlgorithm = HashAlgorithmType.Sha512, SignatureAlgorithm = SignatureAlgorithmType.Ecdsa
},
}));
this.logger?.Debug($"Creating ClientHello with max version {_maxVersion}, " +
$"supported cipher suites {string.Join(",", _supportedCipherSuites?.Select(cs => $"{cs}"))}, " +
$"compression methods {string.Join(",", _supportedCompressions?.Select(c => $"{c}"))}, " +
$"extension {string.Join(",", clientHello.Extensions?.Select(ex => ex))} ");
this.OutputMessage(clientHello);
_connectionState.ClientRandom = clientHello.Random.GetBytes();
}
