internal static bool CheckSslCertificate(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate,
System.Security.Cryptography.X509Certificates.X509Chain chain,
System.Net.Security.SslPolicyErrors sslPolicyErrors)
{
var startTime = DateTime.Parse(certificate.GetEffectiveDateString());
var endTime = DateTime.Parse(certificate.GetExpirationDateString());
if (startTime <= DateTime.Now && endTime >= DateTime.Now && certificate.Issuer.Contains("Philips Hue"))
{
return(true);
}
else
{
return(false);
}
}
// Debug SMTP Tls Certificate
private bool RemoteServerCertificateValidationCallback(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors)
{
// Test - Zertifikat ausgeben
if (_param.AppCfg_DebugTLS == "True" || _param.AppCfg_DebugTLS == "true")
{
MessageBox.Show("SMTP-Zertifikat: " + Environment.NewLine +
"SN: " + certificate.GetSerialNumberString() + Environment.NewLine +
"Hash: " + certificate.GetCertHashString() + Environment.NewLine +
"From: " + certificate.GetEffectiveDateString() + Environment.NewLine +
"To: " + certificate.GetExpirationDateString() + Environment.NewLine +
"Issuer: " + certificate.Issuer + Environment.NewLine +
"Subject: " + certificate.Subject
);
}
return(true);
}
private bool Validator(object sender, System.Security.Cryptography.X509Certificates.X509Certificate cert, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors ssl_policy_errors)
{
byte[] server_certificate = cert.GetRawCertData();
bool match = (server_certificate.Length == certificate.Length) &&
DateTime.Parse(cert.GetEffectiveDateString()) <= DateTime.Now &&
DateTime.Parse(cert.GetExpirationDateString()) >= DateTime.Now;
int size = server_certificate.Length;
int i = 0;
while (match && i < size)
{
match = server_certificate[i] == certificate[i];
++i;
}
return(match);
}
private void ExtractData(Packets.TcpPacket tcpPacket, FiveTuple fiveTuple, bool transferIsClientToServer, Packets.TlsRecordPacket.HandshakePacket handshake)
{
NetworkHost sourceHost, destinationHost;
if (transferIsClientToServer)
{
sourceHost = fiveTuple.ClientHost;
destinationHost = fiveTuple.ServerHost;
}
else
{
sourceHost = fiveTuple.ServerHost;
destinationHost = fiveTuple.ClientHost;
}
//foreach (Packets.AbstractPacket p in tlsRecordPacket.GetSubPackets(false)) {
// if(p.GetType()==typeof(Packets.TlsRecordPacket.HandshakePacket)) {
// Packets.TlsRecordPacket.HandshakePacket handshake=(Packets.TlsRecordPacket.HandshakePacket)p;
foreach (var version in handshake.GetSupportedSslVersions())
{
//destinationHost.AddHostName(handshake.ServerHostName);
System.Collections.Specialized.NameValueCollection param = new System.Collections.Specialized.NameValueCollection {
{ "TLS Handshake " + Enum.GetName(typeof(Packets.TlsRecordPacket.HandshakePacket.MessageTypes), handshake.MessageType) + " Supported Version", version.Item1.ToString() + "." + version.Item2.ToString() + " (0x" + version.Item1.ToString("x2") + version.Item2.ToString("x2") + ")" }
};
base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(handshake.ParentFrame.FrameNumber, fiveTuple, transferIsClientToServer, param, handshake.ParentFrame.Timestamp, "TLS Handshake"));
}
if (!String.IsNullOrEmpty(handshake.GetAlpnNextProtocolString()))
{
//destinationHost.AddHostName(handshake.ServerHostName);
System.Collections.Specialized.NameValueCollection param = new System.Collections.Specialized.NameValueCollection {
{ "TLS ALPN", handshake.GetAlpnNextProtocolString() }
};
base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(handshake.ParentFrame.FrameNumber, fiveTuple, transferIsClientToServer, param, handshake.ParentFrame.Timestamp, "TLS Handshake"));
}
if (handshake.MessageType == Packets.TlsRecordPacket.HandshakePacket.MessageTypes.ClientHello)
{
if (handshake.ServerHostName != null)
{
destinationHost.AddHostName(handshake.ServerHostName);
System.Collections.Specialized.NameValueCollection param = new System.Collections.Specialized.NameValueCollection();
param.Add("TLS Server Name (SNI)", handshake.ServerHostName);
base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(handshake.ParentFrame.FrameNumber, fiveTuple, transferIsClientToServer, param, handshake.ParentFrame.Timestamp, "TLS Client Hello"));
}
}
else if (handshake.MessageType == Packets.TlsRecordPacket.HandshakePacket.MessageTypes.Certificate)
{
for (int i = 0; i < handshake.CertificateList.Count; i++)
{
byte[] certificate = handshake.CertificateList[i];
string x509CertSubject;
System.Security.Cryptography.X509Certificates.X509Certificate x509Cert = null;
try {
x509Cert = new System.Security.Cryptography.X509Certificates.X509Certificate(certificate);
x509CertSubject = x509Cert.Subject;
}
catch {
x509CertSubject = "Unknown_x509_Certificate_Subject";
x509Cert = null;
}
if (x509CertSubject.Contains("CN="))
{
x509CertSubject = x509CertSubject.Substring(x509CertSubject.IndexOf("CN=") + 3);
}
else if (x509CertSubject.Contains("="))
{
x509CertSubject = x509CertSubject.Substring(x509CertSubject.IndexOf('=') + 1);
}
if (x509CertSubject.Length > 28)
{
x509CertSubject = x509CertSubject.Substring(0, 28);
}
if (x509CertSubject.Contains(","))
{
x509CertSubject = x509CertSubject.Substring(0, x509CertSubject.IndexOf(','));
}
x509CertSubject.Trim(new char[] { '.', ' ' });
/*
* while (x509CertSubject.EndsWith(".") || x509CertSubject.EndsWith(" "))
* x509CertSubject=x509CertSubject.Substring(0, x509CertSubject.Length-1);
*/
string filename = x509CertSubject + ".cer";
string fileLocation = "/";
string details;
if (x509Cert != null)
{
details = "TLS Certificate: " + x509Cert.Subject;
}
else
{
details = "TLS Certificate: Unknown x509 Certificate";
}
FileTransfer.FileStreamAssembler assembler = new FileTransfer.FileStreamAssembler(base.MainPacketHandler.FileStreamAssemblerList, fiveTuple, transferIsClientToServer, FileTransfer.FileStreamTypes.TlsCertificate, filename, fileLocation, certificate.Length, certificate.Length, details, null, tcpPacket.ParentFrame.FrameNumber, tcpPacket.ParentFrame.Timestamp, FileTransfer.FileStreamAssembler.FileAssmeblyRootLocation.source);
base.MainPacketHandler.FileStreamAssemblerList.Add(assembler);
if (i == 0 && x509CertSubject.Contains(".") && !x509CertSubject.Contains("*") && !x509CertSubject.Contains(" "))
{
sourceHost.AddHostName(x509CertSubject);
}
System.Collections.Specialized.NameValueCollection parameters = new System.Collections.Specialized.NameValueCollection();
//parameters.Add("Certificate Subject", x509Cert.Subject);
const string CERTIFICATE_SUBJECT = "Certificate Subject";
this.addParameters(parameters, x509Cert.Subject, CERTIFICATE_SUBJECT);
if (i == 0)
{
//check for CN parameter
if (parameters[CERTIFICATE_SUBJECT + " CN"] != null)
{
foreach (string cn in parameters.GetValues(CERTIFICATE_SUBJECT + " CN"))
{
sourceHost.AddNumberedExtraDetail("X.509 Certificate Subject CN", cn);
if (cn.Contains(".") && !cn.Contains(" "))
{
if (cn.Contains("*"))
{
if (cn.StartsWith("*."))
{
sourceHost.AddDomainName(cn.Substring(2));
}
}
else
{
sourceHost.AddHostName(cn);
}
}
}
}
}
this.addParameters(parameters, x509Cert.Issuer, "Certificate Issuer");
//parameters.Add("Certificate Issuer", x509Cert.Issuer);
parameters.Add("Certificate Hash", x509Cert.GetCertHashString());
parameters.Add("Certificate valid from", x509Cert.GetEffectiveDateString());
parameters.Add("Certificate valid to", x509Cert.GetExpirationDateString());
parameters.Add("Certificate Serial", x509Cert.GetSerialNumberString());
try {
System.Security.Cryptography.X509Certificates.X509Certificate2 cert2 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificate);
foreach (var ext in cert2.Extensions)
{
string fn = ext.Oid.FriendlyName;
string oid = ext.Oid.Value;
string val = ext.Format(true);
System.IO.StringReader sr = new System.IO.StringReader(val);
string line = sr.ReadLine();
while (line != null)
{
parameters.Add(oid + " " + fn, line);
if (i == 0 && oid == "2.5.29.17")
{
sourceHost.AddNumberedExtraDetail("X.509 Certificate " + fn, line);
}
line = sr.ReadLine();
}
}
if (cert2.Verify())
{
parameters.Add("Certificate valid", "TRUE");
}
else
{
parameters.Add("Certificate valid", "FALSE");
}
}
catch (Exception) { }
base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(tcpPacket.ParentFrame.FrameNumber, fiveTuple, transferIsClientToServer, parameters, tcpPacket.ParentFrame.Timestamp, "X.509 Certificate"));
if (assembler.TryActivate())
{
assembler.AddData(certificate, tcpPacket.SequenceNumber);//this one should trigger FinnishAssembling()
}
}
}
//}
//return true;
}
public void AcceptCallback(IAsyncResult ar)
{
try
{
Socket listener = (Socket)ar.AsyncState;
Socket socket = listener.EndAccept(ar);
if (m_socket != null)
{
throw new Exception("Client not allowed: connection already active");
}
m_socket = socket;
LogDebug("Accepted connection");
// Check allowed
{
Process clientProcess = Utils.GetProcessOfMatchingIPEndPoint(m_socket.RemoteEndPoint as IPEndPoint, m_localEndPoint);
string clientPath = clientProcess.MainModule.FileName;
if (clientProcess == null)
{
throw new Exception("Client not allowed: Cannot detect client process");
}
// If spot mode, must be the parent
if (m_serviceMode == false)
{
int parentPID = Utils.GetParentProcess().Id;
if (clientProcess.Id != parentPID)
{
throw new Exception("Client not allowed: Connection not from parent process (spot mode)");
}
}
// If service mode, hash must match
if (m_serviceMode)
{
string allowedHash = "";
if (m_cmdline.ContainsKey("allowed_hash"))
{
allowedHash = m_cmdline["allowed_hash"];
}
string clientHash = Utils.HashSHA512File(clientPath);
if (allowedHash != clientHash)
{
throw new Exception("Client not allowed: Hash mismatch (client " + clientHash + " != expected " + allowedHash + ") (service mode)");
}
}
// Check signature (optional)
{
try
{
System.Security.Cryptography.X509Certificates.X509Certificate c1 = System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromSignedFile(System.Reflection.Assembly.GetEntryAssembly().Location);
// If above don't throw exception, Elevated it's signed, so it's mandatory that client is signed from same subject.
try
{
System.Security.Cryptography.X509Certificates.X509Certificate c2 = System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromSignedFile(clientPath);
bool match = (
(c1.Issuer == c2.Issuer) &&
(c1.Subject == c2.Subject) &&
(c1.GetCertHashString() == c2.GetCertHashString()) &&
(c1.GetEffectiveDateString() == c2.GetEffectiveDateString()) &&
(c1.GetPublicKeyString() == c2.GetPublicKeyString()) &&
(c1.GetRawCertDataString() == c2.GetRawCertDataString()) &&
(c1.GetSerialNumberString() == c2.GetSerialNumberString())
);
if (match == false)
{
throw new Exception("Client not allowed: digital signature mismatch");
}
}
catch (Exception)
{
throw new Exception("Client not allowed: digital signature not available");
}
}
catch (Exception)
{
// Not signed, but maybe compiled from source, it's an optional check.
}
}
}
ReplyPID(Process.GetCurrentProcess().Id);
m_socket.BeginReceive(m_buffer, 0, m_bufferSize, 0, new AsyncCallback(ReadCallback), m_socket);
}
catch (Exception ex)
{
Close(ex.Message);
}
}
public void AcceptCallback(IAsyncResult ar)
{
try
{
Socket listener = (Socket)ar.AsyncState;
Socket socket = listener.EndAccept(ar);
if (m_socket != null)
{
throw new Exception("A connection is already running");
}
m_socket = socket;
DebugLog("Accepted connection");
Process clientProcess = Utils.GetProcessOfMatchingIPEndPoint(m_socket.RemoteEndPoint as IPEndPoint, m_localEndPoint);
if (clientProcess == null)
{
throw new Exception("Unable to detect client process");
}
#if DEBUG
// Never release a signed debug.
#else
bool match = false;
try
{
System.Security.Cryptography.X509Certificates.X509Certificate c1 = System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromSignedFile(System.Reflection.Assembly.GetEntryAssembly().Location);
System.Security.Cryptography.X509Certificates.X509Certificate c2 = System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromSignedFile(clientProcess.MainModule.FileName);
match = (
(c1.Issuer == c2.Issuer) &&
(c1.Subject == c2.Subject) &&
(c1.GetCertHashString() == c2.GetCertHashString()) &&
(c1.GetEffectiveDateString() == c2.GetEffectiveDateString()) &&
(c1.GetPublicKeyString() == c2.GetPublicKeyString()) &&
(c1.GetRawCertDataString() == c2.GetRawCertDataString()) &&
(c1.GetSerialNumberString() == c2.GetSerialNumberString())
);
}
catch
{
}
if (Constants.Debug)
{
match = true;
}
if (match == false)
{
throw new Exception("Client not allowed, signature mismatch.");
}
#endif
ReplyPID(Process.GetCurrentProcess().Id);
m_socket.BeginReceive(m_buffer, 0, m_bufferSize, 0, new AsyncCallback(ReadCallback), m_socket);
}
catch (Exception ex)
{
Close(ex.Message);
}
}
public bool PsCertificateValidationCallBack(
object sender,
System.Security.Cryptography.X509Certificates.X509Certificate certificate,
System.Security.Cryptography.X509Certificates.X509Chain chain,
System.Net.Security.SslPolicyErrors sslPolicyErrors)
{
string sCerts = string.Empty;
// If the certificate is a valid, signed certificate, return true.
if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.None)
{
sCerts += "[Valid Cert - No Errors]----------------------------\r\n\r\n";
sCerts += "Issuer: " + certificate.Issuer + "\r\n";
sCerts += "Subject: " + certificate.Subject + "\r\n";
sCerts += "EffectiveDateString: " + certificate.GetEffectiveDateString() + "\r\n";
sCerts += "ExpirationDate: " + certificate.GetExpirationDateString() + "\r\n";
sCerts += "Format: " + certificate.GetFormat() + "\r\n";
sCerts += "SerialNumber: " + certificate.GetSerialNumberString() + "\r\n";
sCerts += "RawCertData: " + certificate.GetRawCertDataString() + "\r\n";
sCerts += "PublicKey: " + certificate.GetPublicKeyString() + "\r\n";
sCerts += "\r\n---------------------------------\r\n\r\n";
_Certificates += sCerts;
return(true);
}
// If thre are errors in the certificate chain, look at each error to determine the cause.
if ((sslPolicyErrors & System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors) != 0)
{
sCerts += "[Remote Certificate Chain Errors Found]----------------------------\r\n\r\n";
if (chain != null && chain.ChainStatus != null)
{
foreach (System.Security.Cryptography.X509Certificates.X509ChainStatus status in chain.ChainStatus)
{
if ((certificate.Subject == certificate.Issuer) &&
(status.Status == System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.UntrustedRoot))
{
sCerts += " [Self-signed certificates with an untrusted root - Considering as valid]----------------------------\r\n\r\n";
sCerts += " Status Information: " + status.StatusInformation + "\r\n\r\n";
sCerts += " Issuer: " + certificate.Issuer + "\r\n";
sCerts += " Subject: " + certificate.Subject + "\r\n";
sCerts += " EffectiveDateString: " + certificate.GetEffectiveDateString() + "\r\n";
sCerts += " ExpirationDate: " + certificate.GetExpirationDateString() + "\r\n";
sCerts += " Format: " + certificate.GetFormat() + "\r\n";
sCerts += " SerialNumber: " + certificate.GetSerialNumberString() + "\r\n";
sCerts += " RawCertData: " + certificate.GetRawCertDataString() + "\r\n";
sCerts += " PublicKey: " + certificate.GetPublicKeyString() + "\r\n";
sCerts += "\r\n ---------------------------------\r\n\r\n";
_Certificates += sCerts;
// Self-signed certificates with an untrusted root are valid.
continue;
}
else
{
if (status.Status != System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.NoError)
{
sCerts += " [Certificate Errors - Considering as invlid]----------------------------\r\n";
sCerts += " Status Information: " + status.StatusInformation + "\r\n\r\n";
sCerts += " Issuer: " + certificate.Issuer + "\r\n";
sCerts += " Subject: " + certificate.Subject + "\r\n";
sCerts += " EffectiveDateString: " + certificate.GetEffectiveDateString() + "\r\n";
sCerts += " ExpirationDate: " + certificate.GetExpirationDateString() + "\r\n";
sCerts += " Format: " + certificate.GetFormat() + "\r\n";
sCerts += " SerialNumber: " + certificate.GetSerialNumberString() + "\r\n";
sCerts += " RawCertData: " + certificate.GetRawCertDataString() + "\r\n";
sCerts += " PublicKey: " + certificate.GetPublicKeyString() + "\r\n";
sCerts += "\r\n ---------------------------------\r\n\r\n";
_Certificates += sCerts;
// If there are any other errors in the certificate chain, the certificate is invalid,
// so the method returns false.
return(false);
}
}
}
}
// When processing reaches this line, the only errors in the certificate chain are
// untrusted root errors for self-signed certifcates. These certificates are valid
// for default Exchange server installations, so return true.
return(true);
}
else
{
// In all other cases, return false.
return(false);
}
}