public static X509Certificate2 CreateCertificate2(byte[] data, string password, bool disallowFallback = false)
{
using (var impl = new X509CertificateImplBtls(disallowFallback)) {
impl.Import(data, password, X509KeyStorageFlags.DefaultKeySet);
return(new X509Certificate2(impl));
}
}
int SelectCallback(string[] acceptableIssuers)
{
Debug("SELECT CALLBACK!");
/*
* Make behavior consistent with AppleTls, which does not call the selection callback after a
* certificate has been set. See the comment in AppleTlsContext for details.
*/
if (nativeClientCertificate != null)
{
return(1);
}
GetPeerCertificate();
var clientCert = SelectClientCertificate(acceptableIssuers);
Debug($"SELECT CALLBACK #1: {clientCert}");
if (clientCert == null)
{
return(1);
}
nativeClientCertificate = GetPrivateCertificate(clientCert);
Debug($"SELECT CALLBACK #2: {nativeClientCertificate}");
clientCertificate = new X509Certificate(nativeClientCertificate);
SetPrivateCertificate(nativeClientCertificate);
return(1);
}
public MonoBtlsContext(MNS.MobileAuthenticatedStream parent, MNS.MonoSslAuthenticationOptions options)
: base(parent, options)
{
if (IsServer)
{
nativeServerCertificate = GetPrivateCertificate(LocalServerCertificate);
}
}
internal X509Certificate2Impl GetNativeCertificate(
byte[] data, SafePasswordHandle password, X509KeyStorageFlags flags)
{
var impl = new X509CertificateImplBtls(false);
impl.Import(data, password, flags);
return(impl);
}
internal override X509Certificate2Impl GetNativeCertificate(
byte[] data, string password, X509KeyStorageFlags flags)
{
var impl = new X509CertificateImplBtls(false);
impl.Import(data, password, flags);
return(impl);
}
X509CertificateImplBtls (X509CertificateImplBtls other)
{
disallowFallback = other.disallowFallback;
x509 = other.x509 != null ? other.x509.Copy () : null;
privateKey = other.privateKey != null ? other.privateKey.Copy () : null;
if (other.intermediateCerts != null)
intermediateCerts = other.intermediateCerts.Clone ();
}
X509CertificateImplBtls (X509CertificateImplBtls other)
{
disallowFallback = other.disallowFallback;
x509 = other.x509 != null ? other.x509.Copy () : null;
nativePrivateKey = other.nativePrivateKey != null ? other.nativePrivateKey.Copy () : null;
fallback = other.fallback != null ? (X509Certificate2Impl)other.fallback.Clone () : null;
if (other.intermediateCerts != null)
intermediateCerts = other.intermediateCerts.Clone ();
}
X509CertificateImplBtls(X509CertificateImplBtls other)
{
x509 = other.x509 != null?other.x509.Copy() : null;
nativePrivateKey = other.nativePrivateKey != null?other.nativePrivateKey.Copy() : null;
if (other.intermediateCerts != null)
{
intermediateCerts = other.intermediateCerts.Clone();
}
}
X509CertificateImplBtls(X509CertificateImplBtls other)
{
disallowFallback = other.disallowFallback;
x509 = other.x509 != null?other.x509.Copy() : null;
privateKey = other.privateKey != null?other.privateKey.Copy() : null;
if (other.intermediateCerts != null)
{
intermediateCerts = other.intermediateCerts.Clone();
}
}
public MonoBtlsContext(
MNS.MobileAuthenticatedStream parent,
bool serverMode, string targetHost,
SslProtocols enabledProtocols, X509Certificate serverCertificate,
X509CertificateCollection clientCertificates, bool askForClientCert)
: base(parent, serverMode, targetHost, enabledProtocols,
serverCertificate, clientCertificates, askForClientCert)
{
if (serverMode)
{
nativeServerCertificate = GetPrivateCertificate(serverCertificate);
}
}
X509CertificateImplBtls(X509CertificateImplBtls other)
{
disallowFallback = other.disallowFallback;
x509 = other.x509 != null?other.x509.Copy() : null;
nativePrivateKey = other.nativePrivateKey != null?other.nativePrivateKey.Copy() : null;
fallback = other.fallback != null ? (X509Certificate2Impl)other.fallback.Clone() : null;
if (other.intermediateCerts != null)
{
intermediateCerts = other.intermediateCerts.Clone();
}
}
static X509CertificateImplBtls GetPrivateCertificate(X509Certificate certificate)
{
var impl = certificate.Impl as X509CertificateImplBtls;
if (impl != null)
{
return((X509CertificateImplBtls)impl.Clone());
}
var password = Guid.NewGuid().ToString();
var buffer = certificate.Export(X509ContentType.Pfx, password);
impl = new X509CertificateImplBtls();
impl.Import(buffer, password, X509KeyStorageFlags.DefaultKeySet);
return(impl);
}
void SetPrivateCertificate(X509CertificateImplBtls privateCert)
{
Debug("SetPrivateCertificate: {0}", privateCert);
ssl.SetCertificate(privateCert.X509);
ssl.SetPrivateKey(privateCert.NativePrivateKey);
var intermediate = privateCert.IntermediateCertificates;
if (intermediate == null)
{
return;
}
for (int i = 0; i < intermediate.Count; i++)
{
var impl = (X509CertificateImplBtls)intermediate [i];
Debug("SetPrivateCertificate - add intermediate: {0}", impl);
ssl.AddIntermediateCertificate(impl.X509);
}
}
int ServerNameCallback()
{
Debug("SERVER NAME CALLBACK");
var name = ssl.GetServerName();
Debug($"SERVER NAME CALLBACK #1: {name}");
var certificate = SelectServerCertificate(name);
if (certificate == null)
{
return(1);
}
nativeServerCertificate = GetPrivateCertificate(certificate);
SetPrivateCertificate(nativeServerCertificate);
return(1);
}
internal X509ChainImplBtls (MonoBtlsX509StoreCtx storeCtx)
{
this.storeCtx = storeCtx.Copy ();
this.chain = storeCtx.GetChain ();
policy = new X509ChainPolicy ();
untrustedChain = storeCtx.GetUntrusted ();
if (untrustedChain != null) {
untrusted = new X509Certificate2Collection ();
policy.ExtraStore = untrusted;
for (int i = 0; i < untrustedChain.Count; i++) {
var cert = untrustedChain.GetCertificate (i);
using (var impl = new X509CertificateImplBtls (cert))
untrusted.Add (new X509Certificate2 (impl));
}
}
}
void ImportPkcs12(byte[] data, SafePasswordHandle password)
{
using (var pkcs12 = new MonoBtlsPkcs12()) {
if (password == null || password.IsInvalid)
{
try {
// Support both unencrypted PKCS#12..
pkcs12.Import(data, null);
} catch {
// ..and PKCS#12 encrypted with an empty password
using (var empty = new SafePasswordHandle(string.Empty))
pkcs12.Import(data, empty);
}
}
else
{
pkcs12.Import(data, password);
}
x509 = pkcs12.GetCertificate(0);
if (pkcs12.HasPrivateKey)
{
nativePrivateKey = pkcs12.GetPrivateKey();
}
if (pkcs12.Count > 1)
{
intermediateCerts = new X509CertificateImplCollection();
for (int i = 0; i < pkcs12.Count; i++)
{
using (var ic = pkcs12.GetCertificate(i)) {
if (MonoBtlsX509.Compare(ic, x509) == 0)
{
continue;
}
var impl = new X509CertificateImplBtls(ic);
intermediateCerts.Add(impl, true);
}
}
}
}
}
internal X509ChainImplBtls(MonoBtlsX509StoreCtx storeCtx)
{
this.storeCtx = storeCtx.Copy();
this.chain = storeCtx.GetChain();
policy = new X509ChainPolicy();
untrustedChain = storeCtx.GetUntrusted();
if (untrustedChain != null)
{
untrusted = new X509Certificate2Collection();
policy.ExtraStore = untrusted;
for (int i = 0; i < untrustedChain.Count; i++)
{
var cert = untrustedChain.GetCertificate(i);
using (var impl = new X509CertificateImplBtls(cert))
untrusted.Add(new X509Certificate2(impl));
}
}
}
int SelectCallback()
{
Debug("SELECT CALLBACK!");
GetPeerCertificate();
if (remoteCertificate == null)
{
throw new TlsException(AlertDescription.InternalError, "Cannot request client certificate before receiving one from the server.");
}
var clientCert = SelectClientCertificate(remoteCertificate, null);
Debug("SELECT CALLBACK #1: {0}", clientCert);
if (clientCert == null)
{
return(1);
}
nativeClientCertificate = GetPrivateCertificate(clientCert);
Debug("SELECT CALLBACK #2: {0}", nativeClientCertificate);
clientCertificate = new X509Certificate(nativeClientCertificate);
SetPrivateCertificate(nativeClientCertificate);
return(1);
}
void SetPrivateCertificate(X509CertificateImplBtls privateCert)
{
Debug("SetPrivateCertificate: {0}", privateCert);
ssl.SetCertificate(privateCert.X509);
ssl.SetPrivateKey(privateCert.NativePrivateKey);
var intermediate = privateCert.IntermediateCertificates;
if (intermediate == null)
{
/* Intermediate certificates are lost in the translation from X509Certificate(2) to X509CertificateImplBtls, so we need to restore them somehow. */
var chain = new System.Security.Cryptography.X509Certificates.X509Chain(false);
/* Let's try to recover as many as we can. */
chain.ChainPolicy.RevocationMode = System.Security.Cryptography.X509Certificates.X509RevocationMode.NoCheck;
chain.Build(new System.Security.Cryptography.X509Certificates.X509Certificate2(privateCert.X509.GetRawData(MonoBtlsX509Format.DER), ""));
var elems = chain.ChainElements;
for (int j = 1; j < elems.Count; j++)
{
var cert = elems[j].Certificate;
/* If self-signed, it's a root and should not be sent. */
if (cert.SubjectName.RawData.SequenceEqual(cert.IssuerName.RawData))
{
break;
}
ssl.AddIntermediateCertificate(MonoBtlsX509.LoadFromData(cert.RawData, MonoBtlsX509Format.DER));
}
}
else
{
for (int i = 0; i < intermediate.Count; i++)
{
var impl = (X509CertificateImplBtls)intermediate [i];
Debug("SetPrivateCertificate - add intermediate: {0}", impl);
ssl.AddIntermediateCertificate(impl.X509);
}
}
}
public static X509Certificate2 CreateCertificate2(byte[] data, MonoBtlsX509Format format, bool disallowFallback = false)
{
using (var impl = new X509CertificateImplBtls(data, format, disallowFallback)) {
return(new X509Certificate2(impl));
}
}
public static X509Certificate2 CreateCertificate2 (byte[] data, MonoBtlsX509Format format, bool disallowFallback = false)
{
using (var impl = new X509CertificateImplBtls (data, format, disallowFallback)) {
return new X509Certificate2 (impl);
}
}
public static X509Certificate CreateCertificate(MonoBtlsX509 x509)
{
using (var impl = new X509CertificateImplBtls(x509))
return(new X509Certificate(impl));
}
void ImportPkcs12 (byte[] data, string password)
{
using (var pkcs12 = new MonoBtlsPkcs12 ()) {
if (string.IsNullOrEmpty (password)) {
try {
// Support both unencrypted PKCS#12..
pkcs12.Import (data, null);
} catch {
// ..and PKCS#12 encrypted with an empty password
pkcs12.Import (data, string.Empty);
}
} else {
pkcs12.Import (data, password);
}
x509 = pkcs12.GetCertificate (0);
if (pkcs12.HasPrivateKey)
nativePrivateKey = pkcs12.GetPrivateKey ();
if (pkcs12.Count > 1) {
intermediateCerts = new X509CertificateImplCollection ();
for (int i = 0; i < pkcs12.Count; i++) {
using (var ic = pkcs12.GetCertificate (i)) {
if (MonoBtlsX509.Compare (ic, x509) == 0)
continue;
var impl = new X509CertificateImplBtls (ic, true);
intermediateCerts.Add (impl, true);
}
}
}
}
}
public static X509Certificate2 CreateCertificate2(byte[] data, string password, bool disallowFallback = false)
{
using (var handle = new SafePasswordHandle(password))
using (var impl = new X509CertificateImplBtls(data, handle, X509KeyStorageFlags.DefaultKeySet))
return(new X509Certificate2(impl));
}
public static X509Certificate2 CreateCertificate2(byte[] data, MonoBtlsX509Format format)
{
using (var impl = new X509CertificateImplBtls(data, format)) {
return(new X509Certificate2(impl));
}
}
public static X509Certificate2 CreateCertificate2 (byte[] data, string password, bool disallowFallback = false)
{
using (var impl = new X509CertificateImplBtls (disallowFallback)) {
impl.Import (data, password, X509KeyStorageFlags.DefaultKeySet);
return new X509Certificate2 (impl);
}
}
public static X509Certificate CreateCertificate (MonoBtlsX509 x509)
{
using (var impl = new X509CertificateImplBtls (x509, true))
return new X509Certificate (impl);
}
internal override X509Certificate2Impl GetNativeCertificate (
byte[] data, string password, X509KeyStorageFlags flags)
{
var impl = new X509CertificateImplBtls (false);
impl.Import (data, password, flags);
return impl;
}