public void StartHandshake()
{
Debug("StartHandshake: {0}", IsServer);
if (Interlocked.CompareExchange(ref handshakeStarted, 1, 1) != 0)
{
throw new InvalidOperationException();
}
InitializeConnection();
SetSessionOption(SslSessionOption.BreakOnCertRequested, true);
SetSessionOption(SslSessionOption.BreakOnClientAuth, true);
SetSessionOption(SslSessionOption.BreakOnServerAuth, true);
if (IsServer)
{
serverIdentity = MobileCertificateHelper.GetIdentity(serverCertificate);
if (serverIdentity == null)
{
throw new SSA.AuthenticationException("Unable to get server certificate from keychain.");
}
SetCertificate(serverIdentity, new SecCertificate [0]);
}
}
public override void StartHandshake()
{
Debug("StartHandshake: {0}", IsServer);
if (Interlocked.CompareExchange(ref handshakeStarted, 1, 1) != 0)
{
throw new InvalidOperationException();
}
InitializeConnection();
SetSessionOption(SslSessionOption.BreakOnCertRequested, true);
SetSessionOption(SslSessionOption.BreakOnClientAuth, true);
SetSessionOption(SslSessionOption.BreakOnServerAuth, true);
if (IsServer)
{
SecCertificate[] intermediateCerts;
serverIdentity = MobileCertificateHelper.GetIdentity(LocalServerCertificate, out intermediateCerts);
if (serverIdentity == null)
{
throw new SSA.AuthenticationException("Unable to get server certificate from keychain.");
}
SetCertificate(serverIdentity, intermediateCerts);
for (int i = 0; i < intermediateCerts.Length; i++)
{
intermediateCerts [i].Dispose();
}
}
}
void EvaluateTrust()
{
InitializeSession();
/*
* We're using .NET's SslStream semantics here.
*
* A server must always provide a valid certificate.
*
* However, in server mode, "ask for client certificate" means that
* we ask the client to provide a certificate, then invoke the client
* certificate validator - passing 'null' if the client didn't provide
* any.
*
*/
var trust = GetPeerTrust(!IsServer);
X509CertificateCollection certificates;
if (trust == null || trust.Count == 0)
{
remoteCertificate = null;
if (!IsServer)
{
throw new TlsException(AlertDescription.CertificateUnknown);
}
certificates = null;
}
else
{
if (trust.Count > 1)
{
Debug("WARNING: Got multiple certificates in SecTrust!");
}
certificates = new X509CertificateCollection();
for (int i = 0; i < trust.Count; i++)
{
certificates.Add(trust [i].ToX509Certificate());
}
remoteCertificate = certificates [0];
Debug("Got peer trust: {0}", remoteCertificate);
}
bool ok;
try {
ok = MobileCertificateHelper.Validate(TargetHost, IsServer, certificateValidator, certificates);
} catch (Exception ex) {
Debug("Certificate validation failed: {0}", ex);
throw new TlsException(AlertDescription.CertificateUnknown, "Certificate validation threw exception.");
}
if (!ok)
{
throw new TlsException(AlertDescription.CertificateUnknown);
}
}
internal override bool InvokeSystemCertificateValidator(
ICertificateValidator2 validator, string targetHost, bool serverMode,
X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain,
out bool success, ref MonoSslPolicyErrors errors, ref int status11)
{
if (wantsChain)
{
chain = MNS.SystemCertificateValidator.CreateX509Chain(certificates);
}
return(MobileCertificateHelper.InvokeSystemCertificateValidator(validator, targetHost, serverMode, certificates, out success, ref errors, ref status11));
}
public override bool ProcessHandshake()
{
SslStatus status;
do
{
lastException = null;
status = SSLHandshake(Handle);
Debug("Handshake: {0} - {0:x}", status);
CheckStatusAndThrow(status, SslStatus.WouldBlock, SslStatus.PeerAuthCompleted, SslStatus.PeerClientCertRequested);
if (status == SslStatus.PeerAuthCompleted)
{
RequirePeerTrust();
}
else if (status == SslStatus.PeerClientCertRequested)
{
RequirePeerTrust();
if (remoteCertificate == null)
{
throw new TlsException(AlertDescription.InternalError, "Cannot request client certificate before receiving one from the server.");
}
localClientCertificate = MobileCertificateHelper.SelectClientCertificate(TargetHost, certificateValidator, ClientCertificates, remoteCertificate);
if (localClientCertificate == null)
{
continue;
}
clientIdentity = MobileCertificateHelper.GetIdentity(localClientCertificate);
if (clientIdentity == null)
{
throw new TlsException(AlertDescription.CertificateUnknown);
}
SetCertificate(clientIdentity, new SecCertificate [0]);
}
else if (status == SslStatus.WouldBlock)
{
return(false);
}
} while (status != SslStatus.Success);
return(true);
}
