public void Encrypt_Old()
{
// the old API was not working but the crash was fixed, still you need to provide an adequatly sized buffer
using (SecPolicy p = SecPolicy.CreateBasicX509Policy())
using (SecTrust t = new SecTrust(c, p)) {
// getting the public key won't (always) work if evaluate was not called
t.Evaluate();
using (SecKey pubkey = t.GetPublicKey()) {
byte[] plain = new byte [20];
byte[] cipher = new byte [pubkey.BlockSize];
Assert.That(pubkey.Encrypt(SecPadding.PKCS1, plain, cipher), Is.EqualTo(SecStatusCode.Success), "Encrypt");
}
}
}
public void Encrypt_New()
{
using (SecPolicy p = SecPolicy.CreateBasicX509Policy())
using (SecTrust t = new SecTrust(c, p)) {
// getting the public key won't (always) work if evaluate was not called
t.Evaluate();
using (SecKey pubkey = t.GetPublicKey()) {
byte[] plain = new byte [20];
byte[] secret;
Assert.That(pubkey.Encrypt(SecPadding.PKCS1, plain, out secret), Is.EqualTo(SecStatusCode.Success), "Encrypt");
Assert.That(secret.Length, Is.EqualTo(128), "secret.Length");
}
}
}
// SecTrustResult.Unspecified == "Use System Defaults" (valid)
// some days it seems iOS timeout just a bit too fast and we get a lot of false positives
// this will try again a few times (giving the network request a chance to get back)
static SecTrustResult Evaluate(SecTrust trust, bool expect_recoverable = false)
{
SecTrustResult result = SecTrustResult.Deny;
for (int i = 0; i < 8; i++)
{
result = trust.Evaluate();
if (result != SecTrustResult.RecoverableTrustFailure || expect_recoverable)
{
return(result);
}
NSRunLoop.Main.RunUntil(NSDate.Now.AddSeconds(i));
}
return(result);
}
public static bool InvokeSystemCertificateValidator(
ICertificateValidator2 validator, string targetHost, bool serverMode,
X509CertificateCollection certificates,
ref MonoSslPolicyErrors errors, ref int status11)
{
if (certificates == null)
{
errors |= MonoSslPolicyErrors.RemoteCertificateNotAvailable;
return(false);
}
if (!string.IsNullOrEmpty(targetHost))
{
var pos = targetHost.IndexOf(':');
if (pos > 0)
{
targetHost = targetHost.Substring(0, pos);
}
}
var policy = SecPolicy.CreateSslPolicy(!serverMode, targetHost);
var trust = new SecTrust(certificates, policy);
if (validator.Settings.TrustAnchors != null)
{
var status = trust.SetAnchorCertificates(validator.Settings.TrustAnchors);
if (status != SecStatusCode.Success)
{
throw new InvalidOperationException(status.ToString());
}
trust.SetAnchorCertificatesOnly(false);
}
var result = trust.Evaluate();
if (result == SecTrustResult.Unspecified || result == SecTrustResult.Proceed)
{
return(true);
}
errors |= MonoSslPolicyErrors.RemoteCertificateChainErrors;
return(false);
}
[Ignore("System.EntryPointNotFoundException: AppleCryptoNative_SecKeychainCreate")] // https://github.com/dotnet/runtime/issues/36897
#endif
public void KeyRecordTest()
{
using (var cert = new X509Certificate2(ImportExportTest.farscape_pfx, "farscape"))
using (var policy = SecPolicy.CreateBasicX509Policy())
using (var trust = new SecTrust(cert, policy)) {
trust.Evaluate();
using (SecKey pubkey = trust.GetPublicKey())
using (var rec = new SecRecord(pubkey)) {
Assert.NotNull(rec, "rec is null");
var ret = rec.GetKey();
Assert.That(ret.Handle, Is.Not.EqualTo(IntPtr.Zero), "Handle");
Assert.That(ret.Handle, Is.EqualTo(pubkey.Handle), "Same Handle");
Assert.Throws <InvalidOperationException> (() => rec.GetCertificate(), "GetCertificate should throw");
Assert.Throws <InvalidOperationException> (() => rec.GetIdentity(), "GetIdentity should throw");
}
}
}
// SecTrustResult.Unspecified == "Use System Defaults" (valid)
// some days it seems iOS timeout just a bit too fast and we get a lot of false positives
// this will try again a few times (giving the network request a chance to get back)
static SecTrustResult Evaluate(SecTrust trust, bool expect_recoverable = false)
{
SecTrustResult result = SecTrustResult.Deny;
for (int i = 0; i < 8; i++)
{
result = trust.Evaluate();
if (result != SecTrustResult.RecoverableTrustFailure || expect_recoverable)
{
return(result);
}
NSRunLoop.Main.RunUntil(NSDate.Now.AddSeconds(i));
}
// we have done our best (it has not failed, but did not confirm either)
// still it can't recover (we and expected it could) most likely due to external factors (e.g. network)
if (result == SecTrustResult.RecoverableTrustFailure && !expect_recoverable)
{
Assert.Inconclusive("Cannot recover from RecoverableTrustFailure after 8 attempts");
}
return(result);
}
void Trust_Leaf_Only(SecTrust trust, SecPolicy policy)
{
Assert.That(CFGetRetainCount(trust.Handle), Is.EqualTo((nint)1), "RetainCount(trust)");
Assert.That(CFGetRetainCount(policy.Handle), Is.EqualTo((nint)2), "RetainCount(policy)");
// that certificate stopped being valid on September 30th, 2013 so we validate it with a date earlier than that
trust.SetVerifyDate(new DateTime(635108745218945450, DateTimeKind.Utc));
// the system was able to construct the chain based on the single certificate
var expectedTrust = SecTrustResult.RecoverableTrustFailure;
#if __MACOS__
if (!TestRuntime.CheckSystemVersion(PlatformName.MacOSX, 10, 9))
{
expectedTrust = SecTrustResult.Unspecified;
}
#endif
Assert.That(Evaluate(trust, true), Is.EqualTo(expectedTrust), "Evaluate");
using (var queue = new DispatchQueue("TrustAsync")) {
bool assert = false; // we don't want to assert in another queue
bool called = false;
var err = trust.Evaluate(DispatchQueue.MainQueue, (t, result) => {
assert = t.Handle == trust.Handle && result == expectedTrust;
called = true;
});
Assert.That(err, Is.EqualTo(SecStatusCode.Success), "async1/err");
TestRuntime.RunAsync(TimeSpan.FromSeconds(5), () => { }, () => called);
Assert.True(assert, "async1");
}
if (TestRuntime.CheckXcodeVersion(11, 0))
{
using (var queue = new DispatchQueue("TrustErrorAsync")) {
bool assert = false; // we don't want to assert in another queue
bool called = false;
var err = trust.Evaluate(DispatchQueue.MainQueue, (t, result, error) => {
assert = t.Handle == trust.Handle && !result && error != null;
called = true;
});
Assert.That(err, Is.EqualTo(SecStatusCode.Success), "async2/err");
TestRuntime.RunAsync(TimeSpan.FromSeconds(5), () => { }, () => called);
Assert.True(assert, "async2");
}
}
#if __MACOS__
var hasNetworkFetchAllowed = TestRuntime.CheckSystemVersion(PlatformName.MacOSX, 10, 9);
#else
var hasNetworkFetchAllowed = TestRuntime.CheckXcodeVersion(5, 0);
#endif
if (hasNetworkFetchAllowed)
{
Assert.True(trust.NetworkFetchAllowed, "NetworkFetchAllowed-1");
trust.NetworkFetchAllowed = false;
Assert.False(trust.NetworkFetchAllowed, "NetworkFetchAllowed-2");
trust.SetPolicy(policy);
var policies = trust.GetPolicies();
Assert.That(policies.Length, Is.EqualTo(1), "Policies.Length");
Assert.That(policies [0].Handle, Is.EqualTo(policy.Handle), "Handle");
}
}