Server certificate validation (#194)

* add certificate validation callback

* add unit test for cert validation

* add config extension for certificate validation configuration

* cleanup

* fix race condition

* remove local functions

Author: zivillian

src/Exceptionless/Configuration/CertificateData.cs

@@ -0,0 +1,56 @@
+#if !PORTABLE && !NETSTANDARD1_2
+using System.Net.Http;
+using System.Net.Security;
+using System.Security.Cryptography.X509Certificates;
+
+namespace Exceptionless {
+    public class CertificateData {
+#if NET45
+        public CertificateData(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
+            :this(chain, sslPolicyErrors) {
+            Sender = sender;
+            Certificate = new X509Certificate2(certificate.Handle);
+        }
+#else
+        public CertificateData(HttpRequestMessage request, X509Certificate2 certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
+            :this(chain, sslPolicyErrors) {
+            Request = request;
+            Certificate = certificate;
+        }
+#endif
+        private CertificateData(X509Chain chain, SslPolicyErrors sslPolicyErrors) {
+            Chain = chain;
+            SslPolicyErrors = sslPolicyErrors;
+        }
+
+        /// <summary>
+        /// The certificate used to authenticate the remote party.
+        /// </summary>
+        public X509Certificate2 Certificate { get; }
+
+        /// <summary>
+        /// The chain of certificate authorities associated with the remote certificate.
+        /// </summary>
+        public X509Chain Chain { get; }
+
+        /// <summary>
+        /// One or more errors associated with the remote certificate.
+        /// </summary>
+        public SslPolicyErrors SslPolicyErrors { get; }
+
+#if NET45
+        /// <summary>
+        /// An object that contains state information for this validation.
+        /// </summary>
+        public object Sender { get; }
+#endif
+
+#if !NET45 && !PORTABLE && !NETSTANDARD1_2
+        /// <summary>
+        /// The request which was sent to the remore party
+        /// </summary>
+        public HttpRequestMessage Request { get; }
+#endif
+    }
+}
+#endif

src/Exceptionless/Configuration/ExceptionlessConfiguration.cs

@@ -1,5 +1,7 @@
 using System;
+#if !PORTABLE
 using System.Collections.Concurrent;
+#endif
 using System.Collections.Generic;
 using System.Diagnostics;
 using System.Linq;
@@ -275,6 +277,13 @@ public int SubmissionBatchSize {
             }
         }
 
+#if !PORTABLE && !NETSTANDARD1_2
+        /// <summary>
+        /// Callback which is invoked to validate the exceptionless server certificate.
+        /// </summary>
+        public Func<CertificateData, bool> ServerCertificateValidationCallback { get; set; }
+#endif
+
         /// <summary>
         /// A list of exclusion patterns that will automatically remove any data that matches them from any data submitted to the server.
         /// For example, entering CreditCard will remove any extended data properties, form fields, cookies and query

src/Exceptionless/Extensions/ExceptionlessConfigurationExtensions.cs

@@ -15,6 +15,7 @@
 
 #if !PORTABLE && !NETSTANDARD1_2
 using Exceptionless.Diagnostics;
+using System.Net.Security;
 #endif
 
 #if NET45
@@ -435,6 +436,46 @@ private static string GetEnvironmentalVariable(string name) {
         }
 #endif
 
+#if !PORTABLE && !NETSTANDARD1_2
+        /// <summary>
+        /// Add a custom server certificate validation against the thumbprint of the server certificate.
+        /// </summary>
+        /// <param name="config">The configuration object you want to apply the attribute settings to.</param>
+        /// <param name="thumbprint">Thumbprint of the server certificate. <example>e.g. "86481791CDAF6D7A02BEE9A649EA9F84DE84D22C"</example></param>
+        public static void TrustCertificateThumbprint(this ExceptionlessConfiguration config, string thumbprint) {
+            config.ServerCertificateValidationCallback = x => {
+                if (x.SslPolicyErrors == SslPolicyErrors.None) return true;
+                return x.Certificate != null && thumbprint != null && thumbprint.Equals(x.Certificate.Thumbprint, StringComparison.OrdinalIgnoreCase);
+            };
+        }
+
+        /// <summary>
+        /// Add a custom server certificate validation against the thumbprint of any of the ca certificates.
+        /// </summary>
+        /// <param name="config">The configuration object you want to apply the attribute settings to.</param>
+        /// <param name="thumbprint">Thumbprint of the ca certificate. <example>e.g. "afe5d244a8d1194230ff479fe2f897bbcd7a8cb4"</example></param>
+        public static void TrustCAThumbprint(this ExceptionlessConfiguration config, string thumbprint) {
+            config.ServerCertificateValidationCallback = x => {
+                if (x.SslPolicyErrors == SslPolicyErrors.None) return true;
+                if (x.Chain == null || thumbprint == null) return false;
+                foreach (var ca in x.Chain.ChainElements) {
+                    if (thumbprint.Equals(ca.Certificate.Thumbprint, StringComparison.OrdinalIgnoreCase))
+                        return true;
+                }
+                return false;
+            };
+        }
+
+        /// <summary>
+        /// Disable any certificate validation. Do not use this in production.
+        /// </summary>
+        /// <param name="config"></param>
+        [Obsolete("This will open the client to Man-in-Middle attacks. It should never be used in production.")]
+        public static void SkipCertificateValidation(this ExceptionlessConfiguration config) {
+            config.ServerCertificateValidationCallback = x => true;
+        }
+#endif
+
         private static bool IsValidApiKey(string apiKey) {
             return !String.IsNullOrEmpty(apiKey) && apiKey != "API_KEY_HERE";
         }

src/Exceptionless/Newtonsoft.Json/Serialization/DefaultContractResolver.cs

@@ -40,7 +40,9 @@
 #if !(DOTNET || PORTABLE || PORTABLE40 || NETSTANDARD1_0 || NETSTANDARD1_1 || NETSTANDARD1_2 || NETSTANDARD1_3 || NETSTANDARD1_4 || NETSTANDARD1_5)
 using System.Security.Permissions;
 #endif
+#if !PORTABLE
 using System.Xml.Serialization;
+#endif
 using Exceptionless.Json.Converters;
 using Exceptionless.Json.Utilities;
 using Exceptionless.Json.Linq;

src/Exceptionless/Submission/DefaultSubmissionClient.cs

@@ -4,6 +4,10 @@
 using System.Net;
 using System.Net.Http;
 using System.Net.Http.Headers;
+#if NET45 || (!PORTABLE && !NETSTANDARD1_2)
+using System.Net.Security;
+using System.Security.Cryptography.X509Certificates;
+#endif
 using System.Text;
 using Exceptionless.Configuration;
 using Exceptionless.Dependency;
@@ -123,12 +127,18 @@ public void SendHeartbeat(string sessionIdOrUserId, bool closeSession, Exception
         protected virtual HttpClient CreateHttpClient(ExceptionlessConfiguration config) {
 #if NET45
             var handler = new WebRequestHandler { UseDefaultCredentials = true };
-            handler.ServerCertificateValidationCallback = delegate { return true; };
 #else
             var handler = new HttpClientHandler { UseDefaultCredentials = true };
+#endif
 #if !PORTABLE && !NETSTANDARD1_2
-            //handler.ServerCertificateCustomValidationCallback = delegate { return true; };
+            var callback = config.ServerCertificateValidationCallback;
+            if (callback != null) {
+#if NET45
+                handler.ServerCertificateValidationCallback = (s,c,ch,p)=>Validate(s,c,ch,p,callback);
+#else
+                handler.ServerCertificateCustomValidationCallback = (m,c,ch,p)=>Validate(m,c,ch,p,callback);
 #endif
+            }
 #endif
             if (handler.SupportsAutomaticDecompression)
                 handler.AutomaticDecompression = DecompressionMethods.Deflate | DecompressionMethods.GZip | DecompressionMethods.None;
@@ -147,6 +157,20 @@ protected virtual HttpClient CreateHttpClient(ExceptionlessConfiguration config)
             return client;
         }
 
+#if !PORTABLE && !NETSTANDARD1_2
+#if NET45
+        private bool Validate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors, Func<CertificateData, bool> callback) {
+            var certData = new CertificateData(sender, certificate, chain, sslPolicyErrors);
+            return callback(certData);
+        }
+#else
+        private bool Validate(HttpRequestMessage httpRequestMessage, X509Certificate2 certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors, Func<CertificateData, bool> callback) {
+            var certData = new CertificateData(httpRequestMessage, certificate, chain, sslPolicyErrors);
+            return callback(certData);
+        }
+#endif
+#endif
+
         private string GetResponseMessage(HttpResponseMessage response) {
             if (response.IsSuccessStatusCode)
                 return null;

test/Exceptionless.Tests/Configuration/CertificateValidationTest.cs

@@ -0,0 +1,66 @@
+using System;
+using System.Net.Security;
+using Exceptionless.Dependency;
+using Exceptionless.Submission;
+using Xunit;
+
+namespace Exceptionless.Tests.Configuration {
+    public class CertificateValidationTest {
+        [Fact(Skip = "depends on availability of a remote service")]
+        public void CanOverrideCertValidation() {
+            Run(GetClient(x => {
+                Assert.NotNull(x.Certificate);
+                Assert.NotNull(x.Chain);
+                Assert.NotNull(x.Sender);
+                Assert.Equal(SslPolicyErrors.RemoteCertificateChainErrors, x.SslPolicyErrors);
+                return true;
+            },"https://expired.badssl.com/"));
+        }
+
+        [Fact(Skip = "depends on availability of a remote service")]
+        public void CanTrustByThumbprint() {
+            Run(GetClient(x=>x.Certificate.Thumbprint == "3E8AB453B8CF62F0BD0240739AAB815A170B08F0", "https://revoked.badssl.com/"));
+            var client = GetClient(null, "https://revoked.badssl.com/");
+            client.Configuration.TrustCertificateThumbprint("3e8Ab453b8cf62f0bd0240739aab815a170b08f0");
+            Run(client);
+        }
+
+        [Fact(Skip = "depends on availability of a remote service")]
+        public void CanTrustByCAThumbprint() {
+            var client = GetClient(null, "https://revoked.badssl.com/");
+            client.Configuration.TrustCAThumbprint("a8985d3A65e5e5c4b2d7d66d40c6dd2fb19c5436");
+            Run(client);
+        }
+
+        [Fact(Skip = "depends on availability of a remote service")]
+        public void CanTrustAllCertificates() {
+            var client = GetClient(null, "https://self-signed.badssl.com/");
+#pragma warning disable CS0618 // 'member' is obsolete
+            client.Configuration.SkipCertificateValidation();
+#pragma warning restore CS0618 // 'member' is obsolete
+            Run(client);
+        }
+
+        private void Run(ExceptionlessClient client) {
+            bool failed = true;
+            var callback = client.Configuration.ServerCertificateValidationCallback;
+            client.Configuration.ServerCertificateValidationCallback = x => {
+                failed = false;
+                return callback(x);
+            };
+            var submissionClient = client.Configuration.Resolver.Resolve<ISubmissionClient>();
+            var response = submissionClient.GetSettings(client.Configuration, 1, null);
+            Assert.Contains(" 404 ", response.Message);
+            Assert.False(failed, "Validation Callback was not invoked");
+        }
+
+        private ExceptionlessClient GetClient(Func<CertificateData, bool> validator, string serverUrl) {
+            return new ExceptionlessClient("LhhP1C9gijpSKCslHHCvwdSIz298twx271n1l6xw") {
+                Configuration = {
+                    ServerUrl = serverUrl,
+                    ServerCertificateValidationCallback = validator
+                }
+            };
+        }
+    }
+}