Skip to content

Latest commit

 

History

History
70 lines (48 loc) · 2.96 KB

README.md

File metadata and controls

70 lines (48 loc) · 2.96 KB
Raw

Certificate Transparency for .NET

C# .NET port of,

Cats.CertificateTransparency Logo

    Install-Package Cats.CertificateTransparency

Blog Post

The library is designed to be dependency injection friendly, every service class has a matching interface. However, to get things up and running quickly there is also a static Instance class which will construct lazy singletons for both ILogListService and CertificateTransparencyVerifier.

If you want to provide a custom list of included and excluded domains to these static instances you must first call Instance.InitDomains. By default validation will be enabled for all TLS secured domains.

Instance.InitDomains(new [] { "*.google.com", "microsoft.com" }, new [] { "nuget.org" });

Examples

Plain old .NET Framework

var client = new HttpClient(new HttpClientHandler()
{
    ServerCertificateCustomValidationCallback = (request, certificate, chain, sslPolicyErrors) =>
    {
        var certificateChain = chain.ChainElements.OfType<X509ChainElement>().Select(i => i.Certificate).ToList();
        var certificateVerifier = Cats.CertificateTransparency.Instance.CertificateTransparencyVerifier;
        var ctValueTask = certificateVerifier.IsValidAsync(request.RequestUri.Host, certificateChain, CancellationToken.None);

        var ctResult = ctValueTask.IsCompleted
            ? ctValueTask.Result
            : ctValueTask.AsTask().Result;

        return ctResult.IsValid;
    }
});

Xamarin Android

bool VerifyCtResult(string hostname, IList<DotNetX509Certificate> certificateChain, CtVerificationResult result)
{
    // any extra checks or logging you might want to add
    return result.IsValid;
}

// optionally pass in a function to manually handle the transparency result
var httpHandler = new Cats.CertificateTransparency.CatsAndroidClientHandler(VerifyCtResult);
var client = new HttpClient(httpHandler);

Xamarin iOS

There is currently no platform specific implementation for iOS. Certificate transparency is already enabled since iOS 12.1.1, however, it can be disabled per domain via a property list setting NSRequiresCertificateTransparency.

If you are keen you could use the CertificateVerifier to build your own HttpClientHandler, similar to the included Android implementation.

Contributions

Any contributions are welcome! Especially extra test cases!