| public Export ( System contentType ) : byte[] | ||
| contentType | System | |
| return | byte[] | |
public void UpdateCertificate(X509Certificate cert)
{
_updateCertificate.UpdateCertificate(cert);
File.WriteAllBytes(CertPathOnDisk, cert.Export(X509ContentType.Pfx, CertPassword));
_lastUpdate = DateTime.UtcNow;
LogInfo("Certificate successfully updated");
}
public bool ValidateServerCertficate (object sender, X509Certificate receivedCertificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
if (originalServerCertificate == null) {
return false;
} else {
if (receivedCertificate.Subject.IndexOf(".xamarin.com", 0, StringComparison.CurrentCultureIgnoreCase) == -1) { //not a call to an Xamarin server so verify certificate
if (originalServerCertificate.Equals (receivedCertificate)) {
return true;
} else {
//incorrect certificate found so notify user
CertificateHelper.BytesOfServerCertificate = receivedCertificate.Export (X509ContentType.Cert);
EventHandler handler = CertificateMismatchFound;
if (handler != null) {
handler (this, null);
}
return false;
}
} else {
//Call to Xamarin (used for Xamarin.Insights) so accept
return true;
}
}
}
private static bool ValidateCertificate(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors != SslPolicyErrors.None)
{
return false;
}
var cert2 = new X509Certificate2(certificate);
var time = System.DateTime.Now;
if (time > cert2.NotAfter || time < cert2.NotBefore)
{
// expiry
return false;
}
var der_encoded = certificate.Export(X509ContentType.Cert);
var hash = SHA256.Create().ComputeHash(der_encoded);
var received_fingerprint = BitConverter.ToString(hash).Replace('-', ':');
foreach (String fingerprint in Sha256Fingerprints)
{
if (fingerprint == received_fingerprint) { return true; }
}
return false;
}
public static string ExportToPEM(X509Certificate cert)
{
StringBuilder builder = new StringBuilder();
builder.AppendLine("-----BEGIN CERTIFICATE-----");
builder.AppendLine(Convert.ToBase64String(cert.Export(X509ContentType.Cert), Base64FormattingOptions.InsertLineBreaks));
builder.AppendLine("-----END CERTIFICATE-----");
return builder.ToString();
}
/// <summary>
/// Export a certificate to a PEM format string
/// </summary>
/// <param name="cert">The certificate to export</param>
/// <returns>A PEM encoded string</returns>
public static string ExportToPEM(System.Security.Cryptography.X509Certificates.X509Certificate cert)
{
StringBuilder builder = new StringBuilder();
builder.AppendLine("-----BEGIN CERTIFICATE-----");
builder.AppendLine(Convert.ToBase64String(cert.Export(X509ContentType.Cert), Base64FormattingOptions.InsertLineBreaks));
builder.AppendLine("-----END CERTIFICATE-----");
return(builder.ToString());
}
public bool Validate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslpolicyerrors)
{
var providedCert = new X509Certificate2(certificate.Export(X509ContentType.Cert));
var providedThumbprint = providedCert.Thumbprint;
if (providedThumbprint == endPoint.RemoteThumbprint)
{
return true;
}
throw new UnexpectedCertificateException(providedCert, endPoint);
}
internal void ExtractValues(string appParam, byte[] originalChallenge)
{
DataContractJsonSerializer jsonSerializerResponse = new DataContractJsonSerializer(typeof(ClientData));
object objResponse = jsonSerializerResponse.ReadObject(new MemoryStream(Helpers.Base64UrlDecode(clientData)));
ClientData clientDataObject = objResponse as ClientData;
if (clientDataObject == null
|| !clientDataObject.origin.Equals(appParam)
|| !clientDataObject.typ.Equals("navigator.id.finishEnrollment")
|| !clientDataObject.challenge.Equals(Helpers.Base64UrlEncode(originalChallenge))
)
throw new Exception("clientData does not contain necessary fields");
byte[] data = Helpers.Base64UrlDecode(registrationData);
if (data[0] != 0x05)
throw new Exception("Invalid registration data");
var keyLen = 65;
byte[] keyBytes = new byte[keyLen];
Array.Copy(data, 1, keyBytes, 0, keyLen);
publicKey = Helpers.Base64UrlEncode(keyBytes);
int keyHandleLen = data[66];
byte[] keyHandleBytes = new byte[keyHandleLen];
Array.Copy(data, 1 + 1 + keyLen, keyHandleBytes, 0, keyHandleLen);
keyHandle = Helpers.Base64UrlEncode(keyHandleBytes);
int certLen = data.Length - 1 - 1 - keyLen - keyHandleLen; // temporary!
byte[] certBytes = new byte[certLen];
Array.Copy(data, 1 + 1 + keyLen + keyHandleLen, certBytes, 0, certLen);
X509Certificate certObject = new X509Certificate(certBytes);
certBytes = certObject.Export(X509ContentType.Cert);
certLen = certBytes.Length;
int sigLen = data.Length - 1 - 1 - keyLen - keyHandleLen - certLen;
byte[] signatureBytes = new byte[sigLen];
Array.Copy(data, data.Length - sigLen, signatureBytes, 0, sigLen);
var bytesToVerify = new byte[] { 0x00 }
.Concat(SHA256.Create().ComputeHash(new UTF8Encoding().GetBytes(appParam)))
.Concat(SHA256.Create().ComputeHash(Helpers.Base64UrlDecode(clientData)))
.Concat(keyHandleBytes)
.Concat(keyBytes)
.ToArray();
var ecdsa = new ECDsaCng(CngKey.Import(FixKeyBytes(certObject.GetPublicKey()), CngKeyBlobFormat.EccPublicBlob))
{
HashAlgorithm = CngAlgorithm.Sha256
};
if (!ecdsa.VerifyData(bytesToVerify, FixSignatureBytes(signatureBytes)))
throw new Exception("Signature is not valid");
}
public static void SaveRemoteCertificate(Guid remoteGuid, X509Certificate certificate)
{
var remoteCertificateStore = new FileInfo(GetStorePath(remoteGuid));
if (remoteCertificateStore.Exists)
{
remoteCertificateStore.Delete();
}
var content = certificate.Export(X509ContentType.Cert);
using (var file = remoteCertificateStore.OpenWrite())
{
file.Write(content, 0, content.Length);
}
}
public void Export_SerializedCert ()
{
X509Certificate cert = new X509Certificate (cert1);
byte[] data = cert.Export (X509ContentType.SerializedCert);
// usable
X509Certificate2 c = new X509Certificate2 (data);
Assert.AreEqual (cert1, c.GetRawCertData (), "Equals");
}
public void Export_Cert ()
{
X509Certificate cert = new X509Certificate (cert1);
byte[] data = cert.Export (X509ContentType.Cert);
Assert.AreEqual (data, cert1, "original");
data = cert.Export (X509ContentType.Cert, (string)null);
Assert.AreEqual (data, cert1, "original/string/null");
data = cert.Export (X509ContentType.Cert, (SecureString) null);
Assert.AreEqual (data, cert1, "original/SecureString/null");
}
/// <summary>
/// Function will create and export certificate to PKCS12 format (PFX) with password (if any)
/// </summary>
/// <param name="keyContainerName">Name of the key container.</param>
/// <param name="cspProvider">The CSP provider.</param>
/// <param name="keySpec">The key specification</param>
/// <param name="cspFlags">The CSP flags.</param>
/// <param name="pfxPassword">The PFX password.</param>
/// <returns>Certificate exported to PKCS#12 format and converted to bytes</returns>
internal byte[] ExportCertToPKCS12(String keyContainerName, String cspProvider = MS_DEF_PROV, uint keySpec = AT_KEYEXCHANGE, uint cspFlags = 0, string pfxPassword = "")
{
byte[] pfxblob = null;
IntPtr hCertCntxt = IntPtr.Zero;
String DN = "CN=Opensslkey Unsigned Certificate";
hCertCntxt = CreateUnsignedCertCntxt(keyContainerName, DN, cspProvider, keySpec, cspFlags);
if (hCertCntxt == IntPtr.Zero)
{
throw new ApplicationException("Could not create certificate");
}
try
{
X509Certificate cert = new X509Certificate(hCertCntxt); //create certificate object from cert context.
//X509Certificate2UI.DisplayCertificate(new X509Certificate2(cert)); // display it, showing linked private key
pfxblob = cert.Export(X509ContentType.Pkcs12, pfxPassword);
}
catch (Exception exc)
{
throw new ApplicationException("Could not create certificate. Message: " + exc.Message, exc);
}
if (hCertCntxt != IntPtr.Zero)
{
UnsafeNativeMethods.CertFreeCertificateContext(hCertCntxt);
}
return pfxblob;
}
/// <summary>
/// Export a certificate to a PEM format string
/// </summary>
/// <param name="cert">The certificate to export</param>
/// <returns>A PEM encoded string</returns>
public static string ExportToPEM(X509Certificate cert)
{
var builder = new StringBuilder();
builder.AppendLine("-----BEGIN CERTIFICATE-----");
var bytes = cert.Export(X509ContentType.Cert);
builder.AppendLine(Convert.ToBase64String(bytes, Base64FormattingOptions.InsertLineBreaks));
builder.AppendLine("-----END CERTIFICATE-----");
var output = builder.ToString();
// just a single newline
output = output.Replace(Environment.NewLine, "\n");
return output;
}
public async void StartMQTT(string clientid, string cafile, string clientcertfile, string clientprivate, string clientprivatepassword = "")
{
var ca = new X509Certificate(cafile, "");
var reader = new PemReader(File.OpenText(clientprivate));
var privatekey = (AsymmetricCipherKeyPair)reader.ReadObject();
var pkinfo = (Org.BouncyCastle.Crypto.Parameters.RsaPrivateCrtKeyParameters)privatekey.Private;
var ce1 = new X509Certificate2(File.ReadAllBytes(clientcertfile), clientprivatepassword,
X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
CspParameters parms = new CspParameters();
parms.Flags = CspProviderFlags.NoFlags;
parms.KeyContainerName = Guid.NewGuid().ToString().ToUpperInvariant();
parms.ProviderType = ((Environment.OSVersion.Version.Major > 5) || ((Environment.OSVersion.Version.Major == 5) && (Environment.OSVersion.Version.Minor >= 1))) ? 0x18 : 1;
System.Security.Cryptography.RSACryptoServiceProvider rcsp =
new System.Security.Cryptography.RSACryptoServiceProvider(parms)
{
PersistKeyInCsp = true
};
rcsp.ImportParameters(DotNetUtilities.ToRSAParameters(pkinfo));
ce1.PrivateKey = rcsp;
//var clientcert = CertificatesToDBandBack.Certificate.GetCertificateFromPEMstring(File.ReadAllText(clientcertfile), File.ReadAllText(clientprivate), clientprivatepassword);
MQTTClient = new MqttFactory().CreateMqttClient();
var options = new MqttClientOptionsBuilder()
.WithTcpServer(mqtt_host, mqtt_port).WithClientId(clientid).WithTls(new MqttClientOptionsBuilderTlsParameters
{
AllowUntrustedCertificates = false,
IgnoreCertificateChainErrors = false,
IgnoreCertificateRevocationErrors = false,
UseTls = true,
SslProtocol = System.Security.Authentication.SslProtocols.Tls12,
Certificates = new List <byte[]>
{
ca.Export(X509ContentType.SerializedCert),
ce1.Export(X509ContentType.SerializedCert)
},
CertificateValidationCallback = (X509Certificate x, X509Chain y, SslPolicyErrors z, IMqttClientOptions o) =>
{
return(true);
}
}).Build();
MQTTClient.ApplicationMessageReceivedHandler = new MqttApplicationMessageReceivedHandlerDelegate(e =>
{
Console.WriteLine("### RECEIVED APPLICATION MESSAGE ###");
Console.WriteLine($"+ Topic = {e.ApplicationMessage.Topic}");
Console.WriteLine($"+ Payload = {Encoding.UTF8.GetString(e.ApplicationMessage.Payload)}");
Console.WriteLine($"+ QoS = {e.ApplicationMessage.QualityOfServiceLevel}");
Console.WriteLine($"+ Retain = {e.ApplicationMessage.Retain}");
Console.WriteLine();
});
MQTTClient.ConnectedHandler = new MqttClientConnectedHandlerDelegate(async a =>
{
Console.WriteLine("### CONNECTED WITH SERVER ###");
await MQTTClient.SubscribeAsync(new TopicFilterBuilder().WithTopic("#").Build());
});
MQTTClient.DisconnectedHandler = new MqttClientDisconnectedHandlerDelegate(async a =>
{
Console.WriteLine("### DISCONNECTED FROM SERVER ###");
});
var connect = await MQTTClient.ConnectAsync(options);
var sub = MQTTClient.SubscribeAsync(new TopicFilter
{
Topic = "test", QualityOfServiceLevel = MqttQualityOfServiceLevel.AtMostOnce
});
}
/// <summary>
/// Export a certificate to a PEM format string
/// </summary>
/// <param name="cert">The certificate to export</param>
/// <returns>A PEM encoded string</returns>
private string exportToPEM(X509Certificate cert)
{
string certToBase64String = Convert.ToBase64String(cert.Export(X509ContentType.Cert));
//certToBase64String = certToBase64String.Replace("/", @"\/");
//certToBase64String = certToBase64String.Substring(0, certToBase64String.Length - 1);
StringBuilder builder = new StringBuilder();
//builder.Append("-----BEGIN CERTIFICATE-----");
builder.Append(certToBase64String); //Convert.ToBase64String(cert.Export(X509ContentType.Cert))); //, Base64FormattingOptions.InsertLineBreaks));
//builder.Append("-----END CERTIFICATE-----");
return builder.ToString();
}
private bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
bool certOk = true;
// Validate only the first time or if the certificate changes
if (this.sslServerCert == null || !sslServerCert.Equals(certificate))
{
if (userValidateServerCertificate != null)
certOk = userValidateServerCertificate(this, certificate, chain, sslPolicyErrors);
else if (sslPolicyErrors != SslPolicyErrors.None)
certOk = false;
if(certOk)
this.sslServerCert = new X509Certificate(certificate.Export(X509ContentType.Cert));
}
return certOk;
}
//------ Since we are using an RSA with nonpersisted keycontainer, must pass it in to ensure it isn't colledted -----
private static byte[] GetPkcs12(RSA rsa, String keycontainer, String cspprovider, uint KEYSPEC, uint cspflags)
{
byte[] pfxblob = null;
IntPtr hCertCntxt = IntPtr.Zero;
String DN = "CN=Opensslkey Unsigned Certificate";
hCertCntxt = CreateUnsignedCertCntxt(keycontainer, cspprovider, KEYSPEC, cspflags, DN) ;
if(hCertCntxt == IntPtr.Zero){
Console.WriteLine("Couldn't create an unsigned-cert\n") ;
return null;
}
try{
X509Certificate cert = new X509Certificate(hCertCntxt) ; //create certificate object from cert context.
X509Certificate2UI.DisplayCertificate(new X509Certificate2(cert)) ; // display it, showing linked private key
SecureString pswd = GetSecPswd("Set PFX Password ==>") ;
pfxblob = cert.Export(X509ContentType.Pkcs12, pswd);
}
catch(Exception exc)
{
Console.WriteLine( "BAD RESULT" + exc.Message);
pfxblob = null;
}
rsa.Clear() ;
if(hCertCntxt != IntPtr.Zero)
Win32.CertFreeCertificateContext(hCertCntxt) ;
return pfxblob;
}
public string CertificateBase64Value(X509Certificate certificate)
{
byte[] export = certificate.Export(X509ContentType.Cert);
return Convert.ToBase64String(export);
}
private bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
bool certOk = true;
// Validate only the first time
if (this.sslServerCert == null)
{
if (userValidateServerCertificate != null)
certOk = userValidateServerCertificate(this, certificate, chain, sslPolicyErrors);
else if (sslPolicyErrors != SslPolicyErrors.None)
certOk = false;
if(certOk)
this.sslServerCert = new X509Certificate(certificate.Export(X509ContentType.Cert));
}
else if (!sslServerCert.Equals(certificate))
throw new FTPSslException("X509 certificate changes between validation requests. This is not allowed");
return certOk;
}
/// <summary>
/// Export a certificate to a PEM format string
/// </summary>
/// <param name="cert">The certificate to export</param>
/// <returns>A PEM encoded string</returns>
public static string ExportToPEM(X509Certificate cert)
{
StringWriter swriter = new StringWriter();
PemWriter writer = new PemWriter(swriter);
writer.WriteObject(new X509.X509CertificateParser().ReadCertificate(cert.Export(X509ContentType.Cert)));
return swriter.ToString();
}