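/// <summary>
/// Runs the platform's default chain validation for the certificates the server presented on
/// <paramref name="conn"/> and returns the chain the platform built and trusts.
/// </summary>
/// <param name="trustManagerExt">Wrapper around the platform X509 trust manager.</param>
/// <param name="conn">An established HTTPS connection whose peer certificates are validated.</param>
/// <returns>The trusted certificate chain as returned by the platform validator.</returns>
/// <exception cref="SSLException">
/// Thrown when the chain is not trusted; wraps the underlying <see cref="CertificateException"/>.
/// </exception>
private IList<X509Certificate> TrustedChain(X509TrustManagerExtensions trustManagerExt, HttpsURLConnection conn)
{
    var serverCerts = conn.GetServerCertificates();
    // Only X.509 certificates can be handed to the trust manager; anything else is dropped.
    var untrustedCerts = serverCerts.OfType<X509Certificate>().ToArray();
    // The target host is passed so the validator can take it into account.
    var host = conn.URL.Host;
    try
    {
        return trustManagerExt.CheckServerTrusted(untrustedCerts, "RSA", host);
    }
    catch (CertificateException e)
    {
        // Surface validation failures as a single SSL error type to callers.
        throw new SSLException(e);
    }
}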
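/// <summary>
/// Enforces certificate pinning for connections to <c>ApiHost</c>: the presented chain must pass
/// platform validation and the leaf's SHA-256 thumbprint must equal <c>ExpectedFingerprint</c>.
/// Connections to any other host are not pinned.
/// </summary>
/// <param name="trustManagerExt">Wrapper around the platform X509 trust manager.</param>
/// <param name="conn">The HTTPS connection to verify.</param>
/// <exception cref="SSLPeerUnverifiedException">
/// Thrown when no trusted chain is available or the leaf thumbprint does not match.
/// </exception>
/// <exception cref="SSLException">Propagated from <see cref="TrustedChain"/> when platform validation fails.</exception>
private void ValidatePinning(X509TrustManagerExtensions trustManagerExt, HttpsURLConnection conn)
{
    var host = conn.URL.Host;
    // Host names are case-insensitive. A case-sensitive compare would let a differently-cased
    // spelling of the API host skip pinning while still reaching the same server.
    if (!string.Equals(host, ApiHost, System.StringComparison.OrdinalIgnoreCase))
    {
        // no pinning against other hosts
        return;
    }

    var trustedChain = TrustedChain(trustManagerExt, conn);
    if (trustedChain == null || trustedChain.Count == 0)
    {
        // Fail closed: there is nothing to pin against.
        throw new SSLPeerUnverifiedException("Certificate chain not trusted.");
    }

    // Index 0 of the validated chain is treated as the leaf (end-entity) certificate.
    var leaf = trustedChain[0];
    var thumbprint = GetThumbprintSha256(leaf);
    // NOTE(review): assumes ExpectedFingerprint and the thumbprint share a type with value
    // equality (e.g. both strings in the same encoding) — confirm against GetThumbprintSha256.
    if (!ExpectedFingerprint.Equals(thumbprint))
    {
        throw new SSLPeerUnverifiedException("Certificate chain not trusted.");
    }
}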
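/// <summary>
/// Builds a TLS socket factory backed by the platform's default trust store and, on first call,
/// captures the platform X509 trust manager that the pinning check uses later.
/// </summary>
/// <param name="connection">
/// The connection being configured. Not read here: the factory does not depend on the connection.
/// </param>
/// <returns>The socket factory of the newly initialised <see cref="SSLContext"/>.</returns>
/// <exception cref="System.InvalidOperationException">
/// Thrown when the platform exposes no X509 trust manager for the default algorithm.
/// </exception>
protected override SSLSocketFactory ConfigureCustomSSLSocketFactory(HttpsURLConnection connection)
{
    var algorithm = TrustManagerFactory.DefaultAlgorithm;
    var trustManagerFactory = TrustManagerFactory.GetInstance(algorithm);
    // A null KeyStore selects the platform's default trust anchors.
    trustManagerFactory.Init((KeyStore)null);
    var trustManagers = trustManagerFactory.GetTrustManagers();

    var context = SSLContext.GetInstance("TLS");
    // No client key managers, the default trust managers, default secure random.
    context.Init(null, trustManagers, null);
    // Process-wide side effect: every consumer of the default SSLContext now gets this one.
    SSLContext.Default = context;

    if (_trustManagerExt == null)
    {
        var x509TrustManager = trustManagers.OfType<IX509TrustManager>().FirstOrDefault();
        if (x509TrustManager == null)
        {
            // Fail explicitly rather than handing a null manager to X509TrustManagerExtensions.
            throw new System.InvalidOperationException(
                "No X509 trust manager available for algorithm '" + algorithm + "'.");
        }
        _trustManagerExt = new X509TrustManagerExtensions(x509TrustManager);
    }

    return context.SocketFactory;
}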