public void StartHandshake() { Debug("StartHandshake: {0}", IsServer); if (Interlocked.CompareExchange(ref handshakeStarted, 1, 1) != 0) { throw new InvalidOperationException(); } InitializeConnection(); SetSessionOption(SslSessionOption.BreakOnCertRequested, true); SetSessionOption(SslSessionOption.BreakOnClientAuth, true); SetSessionOption(SslSessionOption.BreakOnServerAuth, true); if (IsServer) { serverIdentity = MobileCertificateHelper.GetIdentity(serverCertificate); if (serverIdentity == null) { throw new SSA.AuthenticationException("Unable to get server certificate from keychain."); } SetCertificate(serverIdentity, new SecCertificate [0]); } }
public override void StartHandshake() { Debug("StartHandshake: {0}", IsServer); if (Interlocked.CompareExchange(ref handshakeStarted, 1, 1) != 0) { throw new InvalidOperationException(); } InitializeConnection(); SetSessionOption(SslSessionOption.BreakOnCertRequested, true); SetSessionOption(SslSessionOption.BreakOnClientAuth, true); SetSessionOption(SslSessionOption.BreakOnServerAuth, true); if (IsServer) { SecCertificate[] intermediateCerts; serverIdentity = MobileCertificateHelper.GetIdentity(LocalServerCertificate, out intermediateCerts); if (serverIdentity == null) { throw new SSA.AuthenticationException("Unable to get server certificate from keychain."); } SetCertificate(serverIdentity, intermediateCerts); for (int i = 0; i < intermediateCerts.Length; i++) { intermediateCerts [i].Dispose(); } } }
void EvaluateTrust() { InitializeSession(); /* * We're using .NET's SslStream semantics here. * * A server must always provide a valid certificate. * * However, in server mode, "ask for client certificate" means that * we ask the client to provide a certificate, then invoke the client * certificate validator - passing 'null' if the client didn't provide * any. * */ var trust = GetPeerTrust(!IsServer); X509CertificateCollection certificates; if (trust == null || trust.Count == 0) { remoteCertificate = null; if (!IsServer) { throw new TlsException(AlertDescription.CertificateUnknown); } certificates = null; } else { if (trust.Count > 1) { Debug("WARNING: Got multiple certificates in SecTrust!"); } certificates = new X509CertificateCollection(); for (int i = 0; i < trust.Count; i++) { certificates.Add(trust [i].ToX509Certificate()); } remoteCertificate = certificates [0]; Debug("Got peer trust: {0}", remoteCertificate); } bool ok; try { ok = MobileCertificateHelper.Validate(TargetHost, IsServer, certificateValidator, certificates); } catch (Exception ex) { Debug("Certificate validation failed: {0}", ex); throw new TlsException(AlertDescription.CertificateUnknown, "Certificate validation threw exception."); } if (!ok) { throw new TlsException(AlertDescription.CertificateUnknown); } }
internal override bool InvokeSystemCertificateValidator( ICertificateValidator2 validator, string targetHost, bool serverMode, X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain, out bool success, ref MonoSslPolicyErrors errors, ref int status11) { if (wantsChain) { chain = MNS.SystemCertificateValidator.CreateX509Chain(certificates); } return(MobileCertificateHelper.InvokeSystemCertificateValidator(validator, targetHost, serverMode, certificates, out success, ref errors, ref status11)); }
public override bool ProcessHandshake() { SslStatus status; do { lastException = null; status = SSLHandshake(Handle); Debug("Handshake: {0} - {0:x}", status); CheckStatusAndThrow(status, SslStatus.WouldBlock, SslStatus.PeerAuthCompleted, SslStatus.PeerClientCertRequested); if (status == SslStatus.PeerAuthCompleted) { RequirePeerTrust(); } else if (status == SslStatus.PeerClientCertRequested) { RequirePeerTrust(); if (remoteCertificate == null) { throw new TlsException(AlertDescription.InternalError, "Cannot request client certificate before receiving one from the server."); } localClientCertificate = MobileCertificateHelper.SelectClientCertificate(TargetHost, certificateValidator, ClientCertificates, remoteCertificate); if (localClientCertificate == null) { continue; } clientIdentity = MobileCertificateHelper.GetIdentity(localClientCertificate); if (clientIdentity == null) { throw new TlsException(AlertDescription.CertificateUnknown); } SetCertificate(clientIdentity, new SecCertificate [0]); } else if (status == SslStatus.WouldBlock) { return(false); } } while (status != SslStatus.Success); return(true); }