// $Id$ // // Copyright 2007-2008 Cisco Systems Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); you may not // use this file except in compliance with the License. You may obtain a copy // of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, WITHOUT // WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the // License for the specific language governing permissions and limitations // under the License. using System; using System.Net; using System.Net.Security; using System.Net.Sockets; using System.Security.Authentication; using System.Security.Cryptography.X509Certificates; namespace Etch.Util { public class TlsConnection : TcpTransport { /// /// Term on uri which specifies whether server certificate should be authenticated. /// public const string AUTH_REQD = "TlsConnection.authReqd"; /// /// Term on uri which specifies the certificate name of the server. /// public const string CERT_NAME = "TlsConnection.certName"; public TlsConnection(Socket socket, string uri, Resources resources) : this(socket, new URL(uri), resources) { // nothing to do. } public TlsConnection(Socket socket, URL uri, Resources resources) : base(uri, resources) { SetCertificateName(uri.GetTerm(CERT_NAME, "default")); SetAuthReqd(uri.GetBooleanTerm(AUTH_REQD, true)); if (socket == null) { String host = uri.Host; if (host == null) throw new ArgumentNullException("host == null"); int? port = uri.Port; if (port == null) throw new ArgumentNullException("port == null"); if (port <= 0 || port >= 65536) throw new ArgumentOutOfRangeException("port <= 0 || port >= 65536"); this.socket = null; this.host = host; this.port = (int)port; } else { this.socket = socket; this.host = null; this.port = 0; } } private readonly String host; private readonly int port; public override string ToString() { Socket s = socket; if (s != null) return String.Format("TlsConnection(up, {0}, {1})", s.LocalEndPoint, s.RemoteEndPoint); return String.Format("TlsConnection(down, {0}, {1})", host, port); } protected override bool IsServer() { return host == null; } protected override Socket NewSocket() { IPAddress addr; if (host != null) { IPAddress[] addrs = Dns.GetHostAddresses(host); if (addrs == null || addrs.Length == 0) throw new ArgumentException("host is invalid"); addr = addrs[0]; } else { addr = IPAddress.Any; } IPEndPoint ipe = new IPEndPoint(addr, port); Socket socket = new Socket(ipe.AddressFamily, SocketType.Stream, ProtocolType.Tcp); socket.Connect(ipe); return socket; } protected override void SetUpSocket() { base.SetUpSocket(); if (IsServer()) { stream = new SslStream(stream, false); try { ((SslStream)stream).AuthenticateAsServer(GetServerCert(certName)); } catch (AuthenticationException e) { //Console.WriteLine(" Exception in authenticating certificate "); FireException("Certificate Authentication", e); } } else { stream = new SslStream(stream, false, new RemoteCertificateValidationCallback(ValidateServerCertificate), null); // The server name must match the name on the server certificate. try { ((SslStream)stream).AuthenticateAsClient(certName); } catch (AuthenticationException e) { AuthenticationException e1 = new AuthenticationException( "Remote Certificate Mismatch Error. Problem in setting up" + " SSL Connection. Either disable server authentication by using" + " term TlsConnection.authReqd=false on uri or provide a valid" + " certificate name using term TlsConnection.certName=name on uri.", e); throw e1; } } } private void SetCertificateName(string certName) { this.certName = certName; } private string certName; private void SetAuthReqd(bool authReqd) { this.authReqd = authReqd; } private bool authReqd; public bool ValidateServerCertificate( object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { if (!authReqd) return true; if (sslPolicyErrors == SslPolicyErrors.None) return true; //Console.WriteLine("Certificate error: {0}", sslPolicyErrors); // Do not allow this client to communicate with unauthenticated servers. return false; } private X509Certificate GetServerCert(string certName) { X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine); store.Open(OpenFlags.ReadOnly); X509CertificateCollection coll = store.Certificates.Find(X509FindType.FindBySubjectName, certName, true); return coll[0]; } } }