feat: bypass server certificate config (#16)

* feat: add Bypass Certificate Check Flag

* CA Cert was not actually being checked

* Correctly Check CA

Author: MWClayson-NHS

application/DotNetMeshClient/NHS.Mesh.Client/Clients/MeshConnectClient.cs

@@ -82,7 +82,13 @@ private async Task<HttpResponseMessage> SendHttpRequest(HttpRequestMessage httpR
             handler.SslProtocols = SslProtocols.Tls12;
             handler.ServerCertificateCustomValidationCallback = (httpRequestMessage, cert, chain, sslPolicyErrors) =>
             {
-                if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.None)
+
+                if(_meshConnectConfiguration.BypassServerCertificateValidation)
+                {
+                    _logger.LogWarning("Bypassing Server Certificate Validation");
+                    return true;
+                }
+                else if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.None)
                 {
                     return true; // Everything is fine
                 }
@@ -94,12 +100,26 @@ private async Task<HttpResponseMessage> SendHttpRequest(HttpRequestMessage httpR
                 {
                     chain.ChainPolicy.CustomTrustStore.Add(caCert);
                 }
-                if (cert != null)
+                if (cert == null)
+                {
+                    return false;
+                }
+                // Rebuild the chain with added certs
+                if (!chain.Build(cert))
                 {
-                    // Rebuild the chain with added certs
-                    return chain.Build(cert);
+                    return false;
                 }
-                return false;
+
+                bool isValidCA = mailboxConfiguration.serverSideCertCollection
+                    .Any(caCert => caCert.Thumbprint == cert.Thumbprint);
+                if (!isValidCA)
+                {
+                    _logger.LogError("Server certificate is not issued by a trusted CA!");
+                    return false;
+                }
+
+                return true;
+
             };
         }
 

application/DotNetMeshClient/NHS.Mesh.Client/Configuration/MeshConnectConfiguration.cs

@@ -54,4 +54,6 @@ public class MeshConnectConfiguration : IMeshConnectConfiguration
     public bool ProxyUseDefaultCredentials { get; set; }
     /// <summary>Gets the chunk size in bytes for sending chunked messages 19Mb limit outside of HSCN 100Mb limit within</summary>
     public int ChunkSize { get; set; }
+    /// <summary>Flag if the Servers Certificate is Checked against the CA Chain</summary>
+    public bool BypassServerCertificateValidation { get; set; }
 }

application/DotNetMeshClient/NHS.Mesh.Client/Contracts/Configurations/IMeshConnectConfiguration.cs

@@ -53,4 +53,6 @@ public interface IMeshConnectConfiguration
     bool ProxyUseDefaultCredentials { get; set; }
     /// <summary>Gets the chunk size in bytes for sending chunked messages 19Mb limit outside of HSCN 100Mb limit within</summary>
     int ChunkSize { get; set; }
+    /// <summary>Flag if the Servers Certificate is Checked against the CA Chain</summary>
+    public bool BypassServerCertificateValidation { get; set; }
 }

application/DotNetMeshClient/NHS.Mesh.Client/Extensions/MeshMailboxBuilder.cs

@@ -28,7 +28,8 @@ public MeshMailboxBuilder(IServiceCollection services,Action<IMeshConnectConfigu
             MeshApiInboxUriPath = "inbox",
             MeshApiOutboxUriPath = "outbox",
             MeshApiAcknowledgeUriPath = "status/acknowledged",
-            ChunkSize = 19 * 1024 * 1024// below the 20mb limit for external
+            ChunkSize = 19 * 1024 * 1024,// below the 20mb limit for external
+            BypassServerCertificateValidation = false
         };
 
         options(_meshConnectConfiguration);