public ValidationResult (bool trusted, bool user_denied, int error_code, MonoSslPolicyErrors? policy_errors)
{
this.trusted = trusted;
this.user_denied = user_denied;
this.error_code = error_code;
this.policy_errors = policy_errors;
}
public static bool InvokeSystemCertificateValidator(
ICertificateValidator2 validator, string targetHost, bool serverMode,
X509CertificateCollection certificates, out bool success,
ref MonoSslPolicyErrors errors, ref int status11)
{
if (certificates == null) {
errors |= MonoSslPolicyErrors.RemoteCertificateNotAvailable;
success = false;
return true;
}
var policy = SecPolicy.CreateSslPolicy (!serverMode, targetHost);
var trust = new SecTrust (certificates, policy);
if (validator.Settings.TrustAnchors != null) {
var status = trust.SetAnchorCertificates (validator.Settings.TrustAnchors);
if (status != SecStatusCode.Success)
throw new InvalidOperationException (status.ToString ());
trust.SetAnchorCertificatesOnly (false);
}
var result = trust.Evaluate ();
if (result == SecTrustResult.Unspecified) {
success = true;
return true;
}
errors |= MonoSslPolicyErrors.RemoteCertificateChainErrors;
success = false;
return true;
}
/*
* Mono-specific version of 'userCertValidationCallbackWrapper'; we're called from ChainValidationHelper.ValidateChain() here.
*
* Since we're built without the PrebuiltSystem alias, we can't use 'SslPolicyErrors' here. This prevents us from creating a subclass of 'ChainValidationHelper'
* as well as providing a custom 'ServerCertValidationCallback'.
*/
bool myUserCertValidationCallbackWrapper (ServerCertValidationCallback callback, X509Certificate certificate, X509Chain chain, MonoSslPolicyErrors sslPolicyErrors)
{
m_RemoteCertificateOrBytes = certificate == null ? null : certificate.GetRawCertData ();
if (callback == null) {
if (!_SslState.RemoteCertRequired)
sslPolicyErrors &= ~MonoSslPolicyErrors.RemoteCertificateNotAvailable;
return (sslPolicyErrors == MonoSslPolicyErrors.None);
}
return MNS.ChainValidationHelper.InvokeCallback (callback, this, certificate, chain, sslPolicyErrors);
}
internal override bool ValidateCertificate(
ICertificateValidator2 validator, string targetHost, bool serverMode,
X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain,
ref MonoSslPolicyErrors errors, ref int status11)
{
if (chain != null)
{
var chainImpl = (X509ChainImplBtls)chain.Impl;
var success = chainImpl.StoreCtx.VerifyResult == 1;
CheckValidationResult(
validator, targetHost, serverMode, certificates,
wantsChain, chain, chainImpl.StoreCtx,
success, ref errors, ref status11);
return(success);
}
using (var store = new MonoBtlsX509Store())
using (var nativeChain = MonoBtlsProvider.GetNativeChain(certificates))
using (var param = GetVerifyParam(validator.Settings, targetHost, serverMode))
using (var storeCtx = new MonoBtlsX509StoreCtx()) {
SetupCertificateStore(store, validator.Settings, serverMode);
storeCtx.Initialize(store, nativeChain);
storeCtx.SetVerifyParam(param);
var ret = storeCtx.Verify();
var success = ret == 1;
if (wantsChain && chain == null)
{
chain = GetManagedChain(nativeChain);
}
CheckValidationResult(
validator, targetHost, serverMode, certificates,
wantsChain, null, storeCtx,
success, ref errors, ref status11);
return(success);
}
}
void CheckValidationResult(
ICertificateValidator validator, string targetHost, bool serverMode,
X509CertificateCollection certificates, bool wantsChain,
X509Chain chain, MonoBtlsX509StoreCtx storeCtx,
bool success, ref MonoSslPolicyErrors errors, ref int status11)
{
status11 = unchecked ((int)0);
if (success)
{
return;
}
errors = MonoSslPolicyErrors.RemoteCertificateChainErrors;
if (!wantsChain || storeCtx == null || chain == null)
{
status11 = unchecked ((int)0x800B010B);
return;
}
var error = storeCtx.GetError();
switch (error)
{
case Mono.Btls.MonoBtlsX509Error.OK:
errors = MonoSslPolicyErrors.None;
break;
case Mono.Btls.MonoBtlsX509Error.CRL_NOT_YET_VALID:
break;
case MonoBtlsX509Error.HOSTNAME_MISMATCH:
errors = MonoSslPolicyErrors.RemoteCertificateNameMismatch;
chain.Impl.AddStatus(X509ChainStatusFlags.UntrustedRoot);
status11 = unchecked ((int)0x800B010B);
break;
default:
chain.Impl.AddStatus(MapVerifyErrorToChainStatus(error));
status11 = unchecked ((int)0x800B010B);
break;
}
}
public static bool InvokeSystemCertificateValidator(
ICertificateValidator2 validator, string targetHost, bool serverMode,
X509CertificateCollection certificates, out bool success,
ref MonoSslPolicyErrors errors, ref int status11)
{
if (certificates == null)
{
errors |= MonoSslPolicyErrors.RemoteCertificateNotAvailable;
success = false;
return(true);
}
var policy = SecPolicy.CreateSslPolicy(!serverMode, targetHost);
var trust = new SecTrust(certificates, policy);
if (validator.Settings.TrustAnchors != null)
{
var status = trust.SetAnchorCertificates(validator.Settings.TrustAnchors);
if (status != SecStatusCode.Success)
{
throw new InvalidOperationException(status.ToString());
}
trust.SetAnchorCertificatesOnly(false);
}
var result = trust.Evaluate();
if (result == SecTrustResult.Unspecified)
{
success = true;
return(true);
}
errors |= MonoSslPolicyErrors.RemoteCertificateChainErrors;
success = false;
return(true);
}
public bool InvokeSystemValidator (string targetHost, bool serverMode, XX509CertificateCollection certificates, ref MonoSslPolicyErrors xerrors, ref int status11)
{
if (SystemCertificateValidator.NeedsChain (settings))
throw new NotSupportedException ("Cannot use ICertificateValidator.InvokeSystemValidator() when the X509Chain is required.");
X509Chain chain = null;
var errors = (SslPolicyErrors)xerrors;
var result = SystemCertificateValidator.Evaluate (settings, targetHost, certificates, ref chain, ref errors, ref status11);
xerrors = (MonoSslPolicyErrors)errors;
return result;
}
/*
* If @serverMode is true, then we're a server and want to validate a certificate
* that we received from a client.
*
* On OS X and Mobile, the @chain will be initialized with the @certificates, but not actually built.
*
* Returns `true` if certificate validation has been performed and `false` to invoke the
* default system validator.
*/
internal abstract bool ValidateCertificate(
ICertificateValidator2 validator, string targetHost, bool serverMode,
X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain,
ref MonoSslPolicyErrors errors, ref int status11);
/*
* Mono-specific version of 'userCertValidationCallbackWrapper'; we're called from ChainValidationHelper.ValidateChain() here.
*
* Since we're built without the PrebuiltSystem alias, we can't use 'SslPolicyErrors' here. This prevents us from creating a subclass of 'ChainValidationHelper'
* as well as providing a custom 'ServerCertValidationCallback'.
*/
bool myUserCertValidationCallbackWrapper(ServerCertValidationCallback callback, X509Certificate certificate, X509Chain chain, MonoSslPolicyErrors sslPolicyErrors)
{
m_RemoteCertificateOrBytes = certificate == null ? null : certificate.GetRawCertData();
if (callback == null)
{
if (!_SslState.RemoteCertRequired)
{
sslPolicyErrors &= ~MonoSslPolicyErrors.RemoteCertificateNotAvailable;
}
return(sslPolicyErrors == MonoSslPolicyErrors.None);
}
return(ChainValidationHelper.InvokeCallback(callback, this, certificate, chain, sslPolicyErrors));
}
void CheckValidationResult (
ICertificateValidator validator, string targetHost, bool serverMode,
X509CertificateCollection certificates, bool wantsChain,
X509Chain chain, MonoBtlsX509StoreCtx storeCtx,
bool success, ref MonoSslPolicyErrors errors, ref int status11)
{
if (!success) {
errors = MonoSslPolicyErrors.RemoteCertificateChainErrors;
status11 = unchecked((int)0x800B010B);
}
}
internal override bool ValidateCertificate (
ICertificateValidator2 validator, string targetHost, bool serverMode,
X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain,
ref MonoSslPolicyErrors errors, ref int status11)
{
if (chain != null) {
var chainImpl = (X509ChainImplBtls)chain.Impl;
var success = chainImpl.StoreCtx.VerifyResult == 1;
CheckValidationResult (
validator, targetHost, serverMode, certificates,
wantsChain, chain, chainImpl.StoreCtx,
success, ref errors, ref status11);
return success;
}
using (var store = new MonoBtlsX509Store ())
using (var nativeChain = MonoBtlsProvider.GetNativeChain (certificates))
using (var param = GetVerifyParam (targetHost, serverMode))
using (var storeCtx = new MonoBtlsX509StoreCtx ()) {
SetupCertificateStore (store);
storeCtx.Initialize (store, nativeChain);
storeCtx.SetVerifyParam (param);
var ret = storeCtx.Verify ();
var success = ret == 1;
if (wantsChain && chain == null) {
chain = GetManagedChain (nativeChain);
}
CheckValidationResult (
validator, targetHost, serverMode, certificates,
wantsChain, null, storeCtx,
success, ref errors, ref status11);
return success;
}
}
bool InvokeSystemValidator (string targetHost, bool serverMode, X509CertificateCollection certificates, X509Chain chain, ref MonoSslPolicyErrors xerrors, ref int status11)
{
var errors = (SslPolicyErrors)xerrors;
var result = SystemCertificateValidator.Evaluate (settings, targetHost, certificates, chain, ref errors, ref status11);
xerrors = (MonoSslPolicyErrors)errors;
return result;
}
internal override bool InvokeSystemCertificateValidator(
ICertificateValidator2 validator, string targetHost, bool serverMode,
X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain,
out bool success, ref MonoSslPolicyErrors errors, ref int status11)
{
if (wantsChain)
chain = MSN.SystemCertificateValidator.CreateX509Chain (certificates);
return MobileCertificateHelper.InvokeSystemCertificateValidator (validator, targetHost, serverMode, certificates, out success, ref errors, ref status11);
}
internal static bool InvokeCallback(ServerCertValidationCallback callback, object sender, X509Certificate certificate, X509Chain chain, MonoSslPolicyErrors sslPolicyErrors)
{
return(callback.Invoke(sender, certificate, chain, (SslPolicyErrors)sslPolicyErrors));
}
bool ValidationCallback(TestContext ctx, string targetHost, X509Certificate certificate, X509Chain chain, MonoSslPolicyErrors sslPolicyErrors)
{
// `targetHost` is only non-null if we're called from `HttpWebRequest`.
ctx.Assert(targetHost, Is.Null, "target host");
ctx.Assert(certificate, Is.Not.Null, "certificate");
if (Parameters.ExpectSuccess)
{
ctx.Assert(sslPolicyErrors, Is.EqualTo(MonoSslPolicyErrors.None), "errors");
}
else
{
ctx.Assert(sslPolicyErrors, Is.Not.EqualTo(MonoSslPolicyErrors.None), "expect error");
}
ctx.Assert(chain, Is.Not.Null, "chain");
++validatorInvoked;
if (Parameters.ExpectedChain != null)
{
var extraStore = chain.ChainPolicy.ExtraStore;
ctx.Assert(extraStore, Is.Not.Null, "ChainPolicy.ExtraStore");
ctx.Assert(extraStore.Count, Is.EqualTo(Parameters.ExpectedChain.Count), "ChainPolicy.ExtraStore.Count");
var extraStoreCert = extraStore[0];
ctx.Assert(extraStoreCert, Is.Not.Null, "ChainPolicy.ExtraStore[0]");
ctx.Assert(extraStoreCert, Is.InstanceOfType(typeof(X509Certificate2)), "ChainPolicy.ExtraStore[0].GetType()");
}
return(true);
}
/* * If @serverMode is true, then we're a server and want to validate a certificate * that we received from a client. * * On OS X and Mobile, the @chain will be initialized with the @certificates, but not actually built. * * Returns `true` if certificate validation has been performed and `false` to invoke the * default system validator. */ internal abstract bool ValidateCertificate ( ICertificateValidator2 validator, string targetHost, bool serverMode, X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain, ref MonoSslPolicyErrors errors, ref int status11);
/*
* If @serverMode is true, then we're a server and want to validate a certificate
* that we received from a client.
*
* On OS X and Mobile, the @chain will be initialized with the @certificates, but not actually built.
*
* Returns `true` if certificate validation has been performed and `false` to invoke the
* default system validator.
*/
internal virtual bool InvokeSystemCertificateValidator (
ICertificateValidator2 validator, string targetHost, bool serverMode,
X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain,
out bool success, ref MonoSslPolicyErrors errors, ref int status11)
{
throw new InvalidOperationException ();
}
/*
* If @serverMode is true, then we're a server and want to validate a certificate
* that we received from a client.
*
* Returns `true` if certificate validation has been performed and `false` to invoke the
* default system validator.
*/
public virtual bool InvokeSystemCertificateValidator (
ICertificateValidator validator, string targetHost, bool serverMode,
X509CertificateCollection certificates, out bool success,
ref MonoSslPolicyErrors errors, ref int status11)
{
success = false;
return false;
}
internal static bool InvokeCallback (ServerCertValidationCallback callback, object sender, X509Certificate certificate, X509Chain chain, MonoSslPolicyErrors sslPolicyErrors)
{
return callback.Invoke (sender, certificate, chain, (SslPolicyErrors)sslPolicyErrors);
}
bool InvokeSystemValidator(string targetHost, bool serverMode, X509CertificateCollection certificates, X509Chain chain, ref MonoSslPolicyErrors xerrors, ref int status11)
{
var errors = (SslPolicyErrors)xerrors;
var result = SystemCertificateValidator.Evaluate(settings, targetHost, certificates, chain, ref errors, ref status11);
xerrors = (MonoSslPolicyErrors)errors;
return(result);
}
internal bool ValidateClientCertificate (X509Certificate certificate, MonoSslPolicyErrors errors)
{
var certs = new X509CertificateCollection ();
certs.Add (new X509Certificate2 (certificate.GetRawCertData ()));
var result = ValidateChain (string.Empty, true, certificate, null, certs, (SslPolicyErrors)errors);
if (result == null)
return false;
return result.Trusted && !result.UserDenied;
}
