xenadmin/XenAdmin/Network/SSL.cs

152 lines
6.1 KiB
C#
Raw Normal View History

/* Copyright (c) Citrix Systems Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms,
* with or without modification, are permitted provided
* that the following conditions are met:
*
* * Redistributions of source code must retain the above
* copyright notice, this list of conditions and the
* following disclaimer.
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the
* following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
* CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Windows.Forms;
using XenAdmin.Core;
using XenAdmin.Dialogs.Network;
namespace XenAdmin.Network
{
internal class SSL
{
private static readonly log4net.ILog log = log4net.LogManager.GetLogger(System.Reflection.MethodBase.GetCurrentMethod().DeclaringType);
private static readonly object CertificateValidationLock = new object();
internal static bool ValidateServerCertificate(
object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == SslPolicyErrors.None)
{
log.Debug("SslPolicyErrors is set to None, exiting validation");
return true;
}
lock (CertificateValidationLock)
{
bool AcceptCertificate = false;
HttpWebRequest webreq = (HttpWebRequest)sender;
if (webreq.Address.Host == InvisibleMessages.ACTIVATION_SERVER)
{
// Strict checking on the activation server certificate.
// Also, this ensures that it doesn't get added to the user settings
// through Settings.AddCertificate or Settings.ReplaceCertificate below.
log.Debug("SslPolicyErrors is set to None, exiting validation");
return sslPolicyErrors == SslPolicyErrors.None;
}
//This allows to run tests without MainWindow
if (Program.MainWindow == null) return true;
foreach (KeyValuePair<string, string> kvp in Settings.KnownServers)
{
if (kvp.Key != webreq.Address.Host)
continue;
if (kvp.Value == certificate.GetCertHashString())
{
return true;
}
else if (!XenAdmin.Properties.Settings.Default.WarnChangedCertificate && Registry.AlwaysShowSSLCertificates == SSLCertificateTypes.None)
{
Settings.ReplaceCertificate(kvp.Key, certificate);
log.Debug("Updating cert silently");
return true;
}
else
{
Program.Invoke(Program.MainWindow, delegate
{
CertificateChangedDialog dialog = new CertificateChangedDialog(certificate, webreq.Address.Host);
AcceptCertificate = dialog.ShowDialog(Program.MainWindow) == DialogResult.OK;
});
if (AcceptCertificate)
log.Debug("Updating cert after confirmation");
else
log.Debug("User rejected changed cert");
return AcceptCertificate;
}
}
if (!XenAdmin.Properties.Settings.Default.WarnUnrecognizedCertificate && Registry.AlwaysShowSSLCertificates != SSLCertificateTypes.All)
{
// user has chosen to ignore new certificates
Settings.AddCertificate(certificate, webreq.Address.Host);
log.Debug("Adding new cert silently");
return true;
}
Program.Invoke(Program.MainWindow, delegate
{
UnknownCertificateDialog dialog = new UnknownCertificateDialog(certificate, webreq.Address.Host);
AcceptCertificate = dialog.ShowDialog(Program.MainWindow) == DialogResult.OK;
});
if (AcceptCertificate)
log.Debug("Adding cert after confirmation");
else
2015-10-26 17:01:55 +01:00
log.Debug("User rejected new cert");
return AcceptCertificate;
}
}
}
public static class X509Ext
{
public static bool VerifyInAllStores(this X509Certificate2 certificate2)
{
try
{
X509Chain chain = new X509Chain(true);
if (chain.Build(certificate2))
return true;
return certificate2.Verify();
}
catch (CryptographicException)
{
return false;
}
}
}
}