public ValidationResult (bool trusted, bool user_denied, int error_code, MonoSslPolicyErrors? policy_errors) { this.trusted = trusted; this.user_denied = user_denied; this.error_code = error_code; this.policy_errors = policy_errors; }
public static bool InvokeSystemCertificateValidator( ICertificateValidator2 validator, string targetHost, bool serverMode, X509CertificateCollection certificates, out bool success, ref MonoSslPolicyErrors errors, ref int status11) { if (certificates == null) { errors |= MonoSslPolicyErrors.RemoteCertificateNotAvailable; success = false; return true; } var policy = SecPolicy.CreateSslPolicy (!serverMode, targetHost); var trust = new SecTrust (certificates, policy); if (validator.Settings.TrustAnchors != null) { var status = trust.SetAnchorCertificates (validator.Settings.TrustAnchors); if (status != SecStatusCode.Success) throw new InvalidOperationException (status.ToString ()); trust.SetAnchorCertificatesOnly (false); } var result = trust.Evaluate (); if (result == SecTrustResult.Unspecified) { success = true; return true; } errors |= MonoSslPolicyErrors.RemoteCertificateChainErrors; success = false; return true; }
/* * Mono-specific version of 'userCertValidationCallbackWrapper'; we're called from ChainValidationHelper.ValidateChain() here. * * Since we're built without the PrebuiltSystem alias, we can't use 'SslPolicyErrors' here. This prevents us from creating a subclass of 'ChainValidationHelper' * as well as providing a custom 'ServerCertValidationCallback'. */ bool myUserCertValidationCallbackWrapper (ServerCertValidationCallback callback, X509Certificate certificate, X509Chain chain, MonoSslPolicyErrors sslPolicyErrors) { m_RemoteCertificateOrBytes = certificate == null ? null : certificate.GetRawCertData (); if (callback == null) { if (!_SslState.RemoteCertRequired) sslPolicyErrors &= ~MonoSslPolicyErrors.RemoteCertificateNotAvailable; return (sslPolicyErrors == MonoSslPolicyErrors.None); } return MNS.ChainValidationHelper.InvokeCallback (callback, this, certificate, chain, sslPolicyErrors); }
internal override bool ValidateCertificate( ICertificateValidator2 validator, string targetHost, bool serverMode, X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain, ref MonoSslPolicyErrors errors, ref int status11) { if (chain != null) { var chainImpl = (X509ChainImplBtls)chain.Impl; var success = chainImpl.StoreCtx.VerifyResult == 1; CheckValidationResult( validator, targetHost, serverMode, certificates, wantsChain, chain, chainImpl.StoreCtx, success, ref errors, ref status11); return(success); } using (var store = new MonoBtlsX509Store()) using (var nativeChain = MonoBtlsProvider.GetNativeChain(certificates)) using (var param = GetVerifyParam(validator.Settings, targetHost, serverMode)) using (var storeCtx = new MonoBtlsX509StoreCtx()) { SetupCertificateStore(store, validator.Settings, serverMode); storeCtx.Initialize(store, nativeChain); storeCtx.SetVerifyParam(param); var ret = storeCtx.Verify(); var success = ret == 1; if (wantsChain && chain == null) { chain = GetManagedChain(nativeChain); } CheckValidationResult( validator, targetHost, serverMode, certificates, wantsChain, null, storeCtx, success, ref errors, ref status11); return(success); } }
void CheckValidationResult( ICertificateValidator validator, string targetHost, bool serverMode, X509CertificateCollection certificates, bool wantsChain, X509Chain chain, MonoBtlsX509StoreCtx storeCtx, bool success, ref MonoSslPolicyErrors errors, ref int status11) { status11 = unchecked ((int)0); if (success) { return; } errors = MonoSslPolicyErrors.RemoteCertificateChainErrors; if (!wantsChain || storeCtx == null || chain == null) { status11 = unchecked ((int)0x800B010B); return; } var error = storeCtx.GetError(); switch (error) { case Mono.Btls.MonoBtlsX509Error.OK: errors = MonoSslPolicyErrors.None; break; case Mono.Btls.MonoBtlsX509Error.CRL_NOT_YET_VALID: break; case MonoBtlsX509Error.HOSTNAME_MISMATCH: errors = MonoSslPolicyErrors.RemoteCertificateNameMismatch; chain.Impl.AddStatus(X509ChainStatusFlags.UntrustedRoot); status11 = unchecked ((int)0x800B010B); break; default: chain.Impl.AddStatus(MapVerifyErrorToChainStatus(error)); status11 = unchecked ((int)0x800B010B); break; } }
public static bool InvokeSystemCertificateValidator( ICertificateValidator2 validator, string targetHost, bool serverMode, X509CertificateCollection certificates, out bool success, ref MonoSslPolicyErrors errors, ref int status11) { if (certificates == null) { errors |= MonoSslPolicyErrors.RemoteCertificateNotAvailable; success = false; return(true); } var policy = SecPolicy.CreateSslPolicy(!serverMode, targetHost); var trust = new SecTrust(certificates, policy); if (validator.Settings.TrustAnchors != null) { var status = trust.SetAnchorCertificates(validator.Settings.TrustAnchors); if (status != SecStatusCode.Success) { throw new InvalidOperationException(status.ToString()); } trust.SetAnchorCertificatesOnly(false); } var result = trust.Evaluate(); if (result == SecTrustResult.Unspecified) { success = true; return(true); } errors |= MonoSslPolicyErrors.RemoteCertificateChainErrors; success = false; return(true); }
public bool InvokeSystemValidator (string targetHost, bool serverMode, XX509CertificateCollection certificates, ref MonoSslPolicyErrors xerrors, ref int status11) { if (SystemCertificateValidator.NeedsChain (settings)) throw new NotSupportedException ("Cannot use ICertificateValidator.InvokeSystemValidator() when the X509Chain is required."); X509Chain chain = null; var errors = (SslPolicyErrors)xerrors; var result = SystemCertificateValidator.Evaluate (settings, targetHost, certificates, ref chain, ref errors, ref status11); xerrors = (MonoSslPolicyErrors)errors; return result; }
/* * If @serverMode is true, then we're a server and want to validate a certificate * that we received from a client. * * On OS X and Mobile, the @chain will be initialized with the @certificates, but not actually built. * * Returns `true` if certificate validation has been performed and `false` to invoke the * default system validator. */ internal abstract bool ValidateCertificate( ICertificateValidator2 validator, string targetHost, bool serverMode, X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain, ref MonoSslPolicyErrors errors, ref int status11);
/* * Mono-specific version of 'userCertValidationCallbackWrapper'; we're called from ChainValidationHelper.ValidateChain() here. * * Since we're built without the PrebuiltSystem alias, we can't use 'SslPolicyErrors' here. This prevents us from creating a subclass of 'ChainValidationHelper' * as well as providing a custom 'ServerCertValidationCallback'. */ bool myUserCertValidationCallbackWrapper(ServerCertValidationCallback callback, X509Certificate certificate, X509Chain chain, MonoSslPolicyErrors sslPolicyErrors) { m_RemoteCertificateOrBytes = certificate == null ? null : certificate.GetRawCertData(); if (callback == null) { if (!_SslState.RemoteCertRequired) { sslPolicyErrors &= ~MonoSslPolicyErrors.RemoteCertificateNotAvailable; } return(sslPolicyErrors == MonoSslPolicyErrors.None); } return(ChainValidationHelper.InvokeCallback(callback, this, certificate, chain, sslPolicyErrors)); }
void CheckValidationResult ( ICertificateValidator validator, string targetHost, bool serverMode, X509CertificateCollection certificates, bool wantsChain, X509Chain chain, MonoBtlsX509StoreCtx storeCtx, bool success, ref MonoSslPolicyErrors errors, ref int status11) { if (!success) { errors = MonoSslPolicyErrors.RemoteCertificateChainErrors; status11 = unchecked((int)0x800B010B); } }
internal override bool ValidateCertificate ( ICertificateValidator2 validator, string targetHost, bool serverMode, X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain, ref MonoSslPolicyErrors errors, ref int status11) { if (chain != null) { var chainImpl = (X509ChainImplBtls)chain.Impl; var success = chainImpl.StoreCtx.VerifyResult == 1; CheckValidationResult ( validator, targetHost, serverMode, certificates, wantsChain, chain, chainImpl.StoreCtx, success, ref errors, ref status11); return success; } using (var store = new MonoBtlsX509Store ()) using (var nativeChain = MonoBtlsProvider.GetNativeChain (certificates)) using (var param = GetVerifyParam (targetHost, serverMode)) using (var storeCtx = new MonoBtlsX509StoreCtx ()) { SetupCertificateStore (store); storeCtx.Initialize (store, nativeChain); storeCtx.SetVerifyParam (param); var ret = storeCtx.Verify (); var success = ret == 1; if (wantsChain && chain == null) { chain = GetManagedChain (nativeChain); } CheckValidationResult ( validator, targetHost, serverMode, certificates, wantsChain, null, storeCtx, success, ref errors, ref status11); return success; } }
bool InvokeSystemValidator (string targetHost, bool serverMode, X509CertificateCollection certificates, X509Chain chain, ref MonoSslPolicyErrors xerrors, ref int status11) { var errors = (SslPolicyErrors)xerrors; var result = SystemCertificateValidator.Evaluate (settings, targetHost, certificates, chain, ref errors, ref status11); xerrors = (MonoSslPolicyErrors)errors; return result; }
internal override bool InvokeSystemCertificateValidator( ICertificateValidator2 validator, string targetHost, bool serverMode, X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain, out bool success, ref MonoSslPolicyErrors errors, ref int status11) { if (wantsChain) chain = MSN.SystemCertificateValidator.CreateX509Chain (certificates); return MobileCertificateHelper.InvokeSystemCertificateValidator (validator, targetHost, serverMode, certificates, out success, ref errors, ref status11); }
internal static bool InvokeCallback(ServerCertValidationCallback callback, object sender, X509Certificate certificate, X509Chain chain, MonoSslPolicyErrors sslPolicyErrors) { return(callback.Invoke(sender, certificate, chain, (SslPolicyErrors)sslPolicyErrors)); }
bool ValidationCallback(TestContext ctx, string targetHost, X509Certificate certificate, X509Chain chain, MonoSslPolicyErrors sslPolicyErrors) { // `targetHost` is only non-null if we're called from `HttpWebRequest`. ctx.Assert(targetHost, Is.Null, "target host"); ctx.Assert(certificate, Is.Not.Null, "certificate"); if (Parameters.ExpectSuccess) { ctx.Assert(sslPolicyErrors, Is.EqualTo(MonoSslPolicyErrors.None), "errors"); } else { ctx.Assert(sslPolicyErrors, Is.Not.EqualTo(MonoSslPolicyErrors.None), "expect error"); } ctx.Assert(chain, Is.Not.Null, "chain"); ++validatorInvoked; if (Parameters.ExpectedChain != null) { var extraStore = chain.ChainPolicy.ExtraStore; ctx.Assert(extraStore, Is.Not.Null, "ChainPolicy.ExtraStore"); ctx.Assert(extraStore.Count, Is.EqualTo(Parameters.ExpectedChain.Count), "ChainPolicy.ExtraStore.Count"); var extraStoreCert = extraStore[0]; ctx.Assert(extraStoreCert, Is.Not.Null, "ChainPolicy.ExtraStore[0]"); ctx.Assert(extraStoreCert, Is.InstanceOfType(typeof(X509Certificate2)), "ChainPolicy.ExtraStore[0].GetType()"); } return(true); }
/* * If @serverMode is true, then we're a server and want to validate a certificate * that we received from a client. * * On OS X and Mobile, the @chain will be initialized with the @certificates, but not actually built. * * Returns `true` if certificate validation has been performed and `false` to invoke the * default system validator. */ internal abstract bool ValidateCertificate ( ICertificateValidator2 validator, string targetHost, bool serverMode, X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain, ref MonoSslPolicyErrors errors, ref int status11);
/* * If @serverMode is true, then we're a server and want to validate a certificate * that we received from a client. * * On OS X and Mobile, the @chain will be initialized with the @certificates, but not actually built. * * Returns `true` if certificate validation has been performed and `false` to invoke the * default system validator. */ internal virtual bool InvokeSystemCertificateValidator ( ICertificateValidator2 validator, string targetHost, bool serverMode, X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain, out bool success, ref MonoSslPolicyErrors errors, ref int status11) { throw new InvalidOperationException (); }
/* * If @serverMode is true, then we're a server and want to validate a certificate * that we received from a client. * * Returns `true` if certificate validation has been performed and `false` to invoke the * default system validator. */ public virtual bool InvokeSystemCertificateValidator ( ICertificateValidator validator, string targetHost, bool serverMode, X509CertificateCollection certificates, out bool success, ref MonoSslPolicyErrors errors, ref int status11) { success = false; return false; }
internal static bool InvokeCallback (ServerCertValidationCallback callback, object sender, X509Certificate certificate, X509Chain chain, MonoSslPolicyErrors sslPolicyErrors) { return callback.Invoke (sender, certificate, chain, (SslPolicyErrors)sslPolicyErrors); }
bool InvokeSystemValidator(string targetHost, bool serverMode, X509CertificateCollection certificates, X509Chain chain, ref MonoSslPolicyErrors xerrors, ref int status11) { var errors = (SslPolicyErrors)xerrors; var result = SystemCertificateValidator.Evaluate(settings, targetHost, certificates, chain, ref errors, ref status11); xerrors = (MonoSslPolicyErrors)errors; return(result); }
internal bool ValidateClientCertificate (X509Certificate certificate, MonoSslPolicyErrors errors) { var certs = new X509CertificateCollection (); certs.Add (new X509Certificate2 (certificate.GetRawCertData ())); var result = ValidateChain (string.Empty, true, certificate, null, certs, (SslPolicyErrors)errors); if (result == null) return false; return result.Trusted && !result.UserDenied; }