C#
C++/CLI
References ▼
A callback that provides information during the certificate exchange/verification phase of TLS DICOM Security negotiation and optionally controls the verification process.
protected virtual int OnVerify(int ok,string certificateString,DicomSecurityCertificateException error)
protected:virtual Int32 OnVerify(Int32 ok,String^ certificateString,DicomSecurityCertificateException^ error)
ok
A value of 1 indicates the verification of the certificate was successful. A value of 0 indicates failure.
certificateString
Provides detailed information about the certificate.
error
A DicomSecurityCertificateException exception that indicates Success or an error.
0 to stop the verification process.
1 to continue the verification process.
TLS Secure DICOM communications between an SCP and an SCU has a handshake process where the SCP and SCU verify each other's provided certificates.
The OnVerify is called once for each certificate in a certificate change, and provides information about the verification process.
This is useful for determining why a TLS DICOM Secure communication failed to be established.
The certificateString provides information about a certificate, including:
For example, if an SCU is providing a certificate that is created without SSL Server and SSL Client purposes, the OnVerify callback will return a DicomSecurityCertificateException.Code value of InvalidPurpose error, and show the problem in the Certificate Purposes section of the certificateString.
An example certificateString corresponding to a DicomSecurityCertificateException.Code value of InvalidPurpose error is shown below:
Subject Name: CN = Test Client, C = US, ST = Nebraska, L = Omaha, O = Test Client OrganizationIssuer Name: CN = LEAD CA, L = Charlotte, ST = North Carolina, C = US, emailAddress = [email protected], O = "LEAD Technologies, Inc."Valid From: Jun 1 21:31:35 2020 GMTValid To: May 30 21:31:35 2030 GMTSerial Number: ae:8a:75:37:56:03:c4:45Basic Constraints:Not a CA (Certificate Authority)Certificate purposes:SSL client : NoSSL client CA : NoSSL server : NoSSL server CA : NoNetscape SSL server : NoNetscape SSL server CA : NoS/MIME signing : NoS/MIME signing CA : NoS/MIME encryption : NoS/MIME encryption CA : NoCRL signing : NoCRL signing CA : NoAny Purpose : YesAny Purpose CA : YesOCSP helper : YesOCSP helper CA : NoTime Stamp signing : No
The error is a DicomSecurityCertificateException exception that indicates success or an error.
When overriding the OnVerify callback, the return value of the override determines the verification behavior.
Return 0 to stop the verification process with a "verification failed" state. If DicomOpenSslVerificationFlags.Peer is passed to the QueryRetrieveScu, a verification failure alert is sent to the SCU and the TLS/SSL handshake is terminated.
Return 1 to continue the verification process. If verify_callback always returns 1, the TLS/SSL handshake will not be terminated with respect to verification failures and the connection will be established.
Return ok to get the default verification behavior.
This example shows how to override the OnVerify callback for the SCP. In the example, the OnVerify callback gets called twice, once for each certificate in the certificate chain.
using Leadtools;using Leadtools.Dicom;[StructLayout(LayoutKind.Sequential)]public struct MSG{public IntPtr hwnd;public uint message;public IntPtr wParam;public IntPtr lParam;public uint time;public System.Drawing.Point p;}public enum WaitReturn{Complete,Timeout,}class Utils{[DllImport("user32.dll")][return: MarshalAs(UnmanagedType.Bool)]static extern bool PeekMessage(out MSG lpMsg, IntPtr hWnd,uint wMsgFilterMin, uint wMsgFilterMax,uint wRemoveMsg);[DllImport("user32.dll")]static extern bool TranslateMessage([In] ref MSG lpMsg);[DllImport("user32.dll")]static extern IntPtr DispatchMessage([In] ref MSG lpmsg);const uint PM_REMOVE = 1;public static WaitReturn WaitForComplete(double mill, WaitHandle wh){TimeSpan goal = new TimeSpan(DateTime.Now.AddMilliseconds(mill).Ticks);do{MSG msg = new MSG();if (PeekMessage(out msg, IntPtr.Zero, 0, 0, PM_REMOVE)){TranslateMessage(ref msg);DispatchMessage(ref msg);}if (wh.WaitOne(new TimeSpan(0, 0, 0), false)){return WaitReturn.Complete;}if (goal.CompareTo(new TimeSpan(DateTime.Now.Ticks)) < 0){return WaitReturn.Timeout;}} while (true);}public static void SetupTlsContext(DicomNet net, string certName){string serverCA = Path.Combine(LEAD_VARS.ImagesDir, "ca.pem");if (net != null){DicomOpenSslContextCreationSettings settings = new DicomOpenSslContextCreationSettings(DicomSslMethodType.SslV23,serverCA,DicomOpenSslVerificationFlags.Peer | DicomOpenSslVerificationFlags.FailIfNoPeerCertificate,2,DicomOpenSslOptionsFlags.NoSslV2 | DicomOpenSslOptionsFlags.AllBugWorkarounds);net.Initialize(null, DicomNetSecurityMode.Tls, settings);net.SetTlsClientCertificate(certName, DicomTlsCertificateType.Pem, null);}}}//// Secure client (TLS)//class Client : DicomNet{AutoResetEvent waitEvent = new AutoResetEvent(false);string clientPEM = Path.Combine(LEAD_VARS.ImagesDir, "client.pem");public Client(): base(null, DicomNetSecurityMode.Tls){SetTlsCipherSuiteByIndex(0, DicomTlsCipherSuiteType.DheRsaWithDesCbcSha);Utils.SetupTlsContext(this, clientPEM);}public bool Wait(){WaitReturn ret;ret = Utils.WaitForComplete((5 * 60) * 1000, waitEvent);return (ret == WaitReturn.Complete);}protected override void OnConnect(DicomExceptionCode error){waitEvent.Set();}protected override string OnPrivateKeyPassword(bool encryption){return "test";}protected override void OnSecureLinkReady(DicomExceptionCode error){waitEvent.Set();}}//// Secure server (TLS)//class ServerConnection : DicomNet{string serverPEM = Path.Combine(LEAD_VARS.ImagesDir, "server.pem");public ServerConnection(): base(null, DicomNetSecurityMode.Tls){SetTlsCipherSuiteByIndex(0, DicomTlsCipherSuiteType.DheRsaWith3DesEdeCbcSha);SetTlsClientCertificate(serverPEM, DicomTlsCertificateType.Pem, null);}protected override string OnPrivateKeyPassword(bool encryption){return "test";}// The OnVerify callback gets called twice, once for each certificate in the certificate chain.protected override int OnVerify(int ok, string certificateString, DicomSecurityCertificateException ex){string certificateMessageString = "Received Client Certificate:\n" + certificateString;// Log that the SCP received the Client CertificateDebug.WriteLine(certificateMessageString);if (ex.Code != DicomSecurityCertificateExceptionCode.Success){string message = string.Format("Error {0}: {1}", ex.Code, ex.Message);// Log the error with Client CertificateDebug.WriteLine(message);}return ok;}}class Server : DicomNet{string serverPEM = Path.Combine(LEAD_VARS.ImagesDir, "server.pem");ServerConnection client;public Server(): base(null, DicomNetSecurityMode.Tls){SetTlsCipherSuiteByIndex(0, DicomTlsCipherSuiteType.DheRsaWith3DesEdeCbcSha);Utils.SetupTlsContext(this, serverPEM);}protected override void OnAccept(DicomExceptionCode error){client = new ServerConnection();Utils.SetupTlsContext(client, serverPEM);Accept(client);}protected override string OnPrivateKeyPassword(bool encryption){return "test";}protected override void Dispose(bool __p1){client.Dispose();base.Dispose(__p1);}}public void TLSSecuritySample(){//Assert test to check file exists before running codestring clientPEM = Path.Combine(LEAD_VARS.ImagesDir, "ca.pem");Assert.IsTrue(File.Exists(clientPEM) == true, "Missing file: " + clientPEM);DicomEngine.Startup();DicomNet.Startup();using (Server server = new Server()){using (Client client = new Client()){server.Listen("127.0.0.1", 104, 1); // start serverclient.Connect(null, 1000, "127.0.0.1", 104); // connect to serverif (!client.Wait()) // wait for connection to finish{Debug.Fail("Connection timed out");}Debug.Assert(client.IsConnected(), "Client not connected");//// Wait for authenication//if (!client.Wait()){Debug.Fail("Connection timed out waiting for authenication");}// Once two computers have negotiated the ciphersuite, and have// authenticated each other, they can begin transferring// messages and data between them.//Now we can get detailed information about the Cipher SuiteDicomTlsCipherSuiteType cipherSuite = client.GetTlsCipherSuite();// Can also call GetTlsCipherSuiteByIndexDebug.WriteLine("Encryption Algorithm is : {0}", client.GetTlsEncryptionAlgorithm(cipherSuite));Debug.WriteLine("Authentication Algorithm is : {0}", client.GetTlsAuthenticationAlgorithm(cipherSuite));Debug.WriteLine("Integrity Algorithm is : {0}", client.GetTlsIntegrityAlgorithm(cipherSuite));Debug.WriteLine("Key Exchange Algorithm is : {0}", client.GetTlsKeyExchangeAlgorithm(cipherSuite));Debug.WriteLine("Encryption Key Length is : {0}", client.GetTlsEncryptionKeyLength(cipherSuite));Debug.WriteLine("Mutual Authentication Key Length is : {0}", client.GetTlsMutualAuthenticationKeyLength(cipherSuite));// Continue with normal dicom communicationclient.CloseForced(true);}server.CloseForced(true);}DicomEngine.Shutdown();DicomNet.Shutdown();}static class LEAD_VARS{public const string ImagesDir = @"C:\LEADTOOLS22\Resources\Images";}
Help Collections
Raster .NET | C API | C++ Class Library | HTML5 JavaScript
Document .NET | C API | C++ Class Library | HTML5 JavaScript
Medical .NET | C API | C++ Class Library | HTML5 JavaScript
Medical Web Viewer .NET
Multimedia
Direct Show .NET | C API | Filters
Media Foundation .NET | C API | Transforms
Supported Platforms
.NET, Java, Android, and iOS/macOS Assemblies
Imaging, Medical, and Document
C API/C++ Class Libraries
Imaging, Medical, and Document
HTML5 JavaScript Libraries
Imaging, Medical, and Document