Skip to content

dmariogatto/certificate-transparency

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
2 branches 8 tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
src
 
 
.gitattributes
 
 
.gitignore
 
 
LICENSE
 
 
NOTICE.md
 
 
README.md
 
 
ThirdPartyLicense.md
 
 
logo.png
 
 
Certificate Transparency for .NET Examples Plain old .NET Framework Xamarin Android Xamarin iOS Contributions

README.md

Certificate Transparency for .NET

C# .NET port of,

Cats.CertificateTransparency Logo

    Install-Package Cats.CertificateTransparency

Blog Post

The library is designed to be dependency injection friendly, every service class has a matching interface. However, to get things up and running quickly there is also a static Instance class which will construct lazy singletons for both ILogListService and CertificateTransparencyVerifier.

If you want to provide a custom list of included and excluded domains to these static instances you must first call Instance.InitDomains. By default validation will be enabled for all TLS secured domains.

Instance.InitDomains(new [] { "*.google.com", "microsoft.com" }, new [] { "nuget.org" });

Examples

Plain old .NET Framework

var client = new HttpClient(new HttpClientHandler()
{
    ServerCertificateCustomValidationCallback = (request, certificate, chain, sslPolicyErrors) =>
    {
        var certificateChain = chain.ChainElements.OfType<X509ChainElement>().Select(i => i.Certificate).ToList();
        var certificateVerifier = Cats.CertificateTransparency.Instance.CertificateTransparencyVerifier;
        var ctValueTask = certificateVerifier.IsValidAsync(request.RequestUri.Host, certificateChain, CancellationToken.None);

        var ctResult = ctValueTask.IsCompleted
            ? ctValueTask.Result
            : ctValueTask.AsTask().Result;

        return ctResult.IsValid;
    }
});

Xamarin Android

bool VerifyCtResult(string hostname, IList<DotNetX509Certificate> certificateChain, CtVerificationResult result)
{
    // any extra checks or logging you might want to add
    return result.IsValid;
}

// optionally pass in a function to manually handle the transparency result
var httpHandler = new Cats.CertificateTransparency.CatsAndroidClientHandler(VerifyCtResult);
var client = new HttpClient(httpHandler);

Xamarin iOS

There is currently no platform specific implementation for iOS. Certificate transparency is already enabled since iOS 12.1.1, however, it can be disabled per domain via a property list setting NSRequiresCertificateTransparency.

If you are keen you could use the CertificateVerifier to build your own HttpClientHandler, similar to the included Android implementation.

Contributions

Any contributions are welcome! Especially extra test cases!

About

Certificate Transparency ported to C# for .NET

Topics

certificate-transparency

Resources

Readme

License

MIT license

Stars

5 stars

Watchers

4 watching

Forks

2 forks

Releases 8

2.1.1 Latest
Feb 18, 2023
+ 7 releases

Packages

No packages published

Languages