// TODO: this is called from MsQuicListener and when it fails it wreaks havoc in MsQuicListener finalizer.
// Consider moving bigger logic like this outside of constructor call chains.
private static unsafe SafeMsQuicConfigurationHandle Create(QuicOptions options, QUIC_CREDENTIAL_FLAGS flags, X509Certificate?certificate, SslStreamCertificateContext?certificateContext, List <SslApplicationProtocol>?alpnProtocols, CipherSuitesPolicy?cipherSuitesPolicy)
{
// TODO: some of these checks should be done by the QuicOptions type.
if (alpnProtocols == null || alpnProtocols.Count == 0)
{
throw new Exception("At least one SslApplicationProtocol value must be present in SslClientAuthenticationOptions or SslServerAuthenticationOptions.");
}
if (options.MaxBidirectionalStreams > ushort.MaxValue)
{
throw new Exception("MaxBidirectionalStreams overflow.");
}
if (options.MaxBidirectionalStreams > ushort.MaxValue)
{
throw new Exception("MaxBidirectionalStreams overflow.");
}
if ((flags & QUIC_CREDENTIAL_FLAGS.CLIENT) == 0)
{
if (certificate == null && certificateContext == null)
{
throw new Exception("Server must provide certificate");
}
}
else
{
flags |= QUIC_CREDENTIAL_FLAGS.INDICATE_CERTIFICATE_RECEIVED | QUIC_CREDENTIAL_FLAGS.NO_CERTIFICATE_VALIDATION;
}
if (!OperatingSystem.IsWindows())
{
// Use certificate handles on Windows, fall-back to ASN1 otherwise.
flags |= QUIC_CREDENTIAL_FLAGS.USE_PORTABLE_CERTIFICATES;
}
Debug.Assert(!MsQuicApi.Api.Registration.IsInvalid);
QUIC_SETTINGS settings = default(QUIC_SETTINGS);
settings.IsSet.PeerUnidiStreamCount = 1;
settings.PeerUnidiStreamCount = (ushort)options.MaxUnidirectionalStreams;
settings.IsSet.PeerBidiStreamCount = 1;
settings.PeerBidiStreamCount = (ushort)options.MaxBidirectionalStreams;
settings.IsSet.IdleTimeoutMs = 1;
if (options.IdleTimeout != Timeout.InfiniteTimeSpan)
{
if (options.IdleTimeout <= TimeSpan.Zero)
{
throw new Exception("IdleTimeout must not be negative.");
}
settings.IdleTimeoutMs = (ulong)options.IdleTimeout.TotalMilliseconds;
}
else
{
settings.IdleTimeoutMs = 0;
}
SafeMsQuicConfigurationHandle configurationHandle;
X509Certificate2[]? intermediates = null;
QUIC_HANDLE *handle;
using var msquicBuffers = new MsQuicBuffers();
msquicBuffers.Initialize(alpnProtocols, alpnProtocol => alpnProtocol.Protocol);
ThrowIfFailure(MsQuicApi.Api.ApiTable->ConfigurationOpen(
MsQuicApi.Api.Registration.QuicHandle,
msquicBuffers.Buffers,
(uint)alpnProtocols.Count,
&settings,
(uint)sizeof(QUIC_SETTINGS),
(void *)IntPtr.Zero,
&handle), "ConfigurationOpen failed");
configurationHandle = new SafeMsQuicConfigurationHandle(handle);
try
{
QUIC_CREDENTIAL_CONFIG config = default;
config.Flags = flags; // TODO: consider using LOAD_ASYNCHRONOUS with a callback.
if (cipherSuitesPolicy != null)
{
config.Flags |= QUIC_CREDENTIAL_FLAGS.SET_ALLOWED_CIPHER_SUITES;
config.AllowedCipherSuites = CipherSuitePolicyToFlags(cipherSuitesPolicy);
}
if (certificateContext != null)
{
certificate = certificateContext.Certificate;
intermediates = certificateContext.IntermediateCertificates;
}
int status;
if (certificate != null)
{
if (OperatingSystem.IsWindows())
{
config.Type = QUIC_CREDENTIAL_TYPE.CERTIFICATE_CONTEXT;
config.CertificateContext = (void *)certificate.Handle;
status = MsQuicApi.Api.ApiTable->ConfigurationLoadCredential(configurationHandle.QuicHandle, &config);
}
else
{
byte[] asn1;
if (intermediates?.Length > 0)
{
X509Certificate2Collection collection = new X509Certificate2Collection();
collection.Add(certificate);
for (int i = 0; i < intermediates?.Length; i++)
{
collection.Add(intermediates[i]);
}
asn1 = collection.Export(X509ContentType.Pkcs12) !;
}
else
{
asn1 = certificate.Export(X509ContentType.Pkcs12);
}
fixed(byte *ptr = asn1)
{
QUIC_CERTIFICATE_PKCS12 pkcs12Config = new QUIC_CERTIFICATE_PKCS12
{
Asn1Blob = ptr,
Asn1BlobLength = (uint)asn1.Length,
PrivateKeyPassword = (sbyte *)IntPtr.Zero
};
config.Type = QUIC_CREDENTIAL_TYPE.CERTIFICATE_PKCS12;
config.CertificatePkcs12 = &pkcs12Config;
status = MsQuicApi.Api.ApiTable->ConfigurationLoadCredential(configurationHandle.QuicHandle, &config);
}
}
}
else
{
config.Type = QUIC_CREDENTIAL_TYPE.NONE;
status = MsQuicApi.Api.ApiTable->ConfigurationLoadCredential(configurationHandle.QuicHandle, &config);
}
#if TARGET_WINDOWS
if ((Interop.SECURITY_STATUS)status == Interop.SECURITY_STATUS.AlgorithmMismatch && MsQuicApi.Tls13MayBeDisabled)
{
throw new MsQuicException(status, SR.net_ssl_app_protocols_invalid);
}
#endif
ThrowIfFailure(status, "ConfigurationLoadCredential failed");
}
catch
{
configurationHandle.Dispose();
throw;
}
return(configurationHandle);
}