protected override void Dispose (bool disposing)
{
if (disposing) {
if (ssl_stream != null)
ssl_stream.Dispose ();
ssl_stream = null;
}
base.Dispose (disposing);
}
public virtual IAsyncResult BeginAuthenticateAsClient (string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState)
{
if (IsAuthenticated)
throw new InvalidOperationException ("This SslStream is already authenticated");
SslClientStream s = new SslClientStream (InnerStream, targetHost, !LeaveInnerStreamOpen, GetMonoSslProtocol (enabledSslProtocols), clientCertificates);
s.CheckCertRevocationStatus = checkCertificateRevocation;
// Due to the Mono.Security internal, it cannot reuse
// the delegated argument, as Mono.Security creates
// another instance of X509Certificate which lacks
// private key but is filled the private key via this
// delegate.
s.PrivateKeyCertSelectionDelegate = delegate (X509Certificate cert, string host) {
string hash = cert.GetCertHashString ();
// ... so, we cannot use the delegate argument.
foreach (X509Certificate cc in clientCertificates) {
if (cc.GetCertHashString () != hash)
continue;
X509Certificate2 cert2 = cc as X509Certificate2;
cert2 = cert2 ?? new X509Certificate2 (cc);
return cert2.PrivateKey;
}
return null;
};
if (validation_callback != null)
s.ServerCertValidationDelegate = delegate (X509Certificate cert, int [] certErrors) {
X509Chain chain = new X509Chain ();
X509Certificate2 x2 = (cert as X509Certificate2);
if (x2 == null)
x2 = new X509Certificate2 (cert);
if (!ServicePointManager.CheckCertificateRevocationList)
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
// SSL specific checks (done by Mono.Security.dll SSL/TLS implementation)
SslPolicyErrors errors = SslPolicyErrors.None;
foreach (int i in certErrors) {
switch (i) {
case -2146762490: // CERT_E_PURPOSE
errors |= SslPolicyErrors.RemoteCertificateNotAvailable;
break;
case -2146762481: // CERT_E_CN_NO_MATCH
errors |= SslPolicyErrors.RemoteCertificateNameMismatch;
break;
default:
errors |= SslPolicyErrors.RemoteCertificateChainErrors;
break;
}
}
chain.Build (x2);
// non-SSL specific X509 checks (i.e. RFC3280 related checks)
foreach (X509ChainStatus status in chain.ChainStatus) {
if (status.Status == X509ChainStatusFlags.NoError)
continue;
if ((status.Status & X509ChainStatusFlags.PartialChain) != 0)
errors |= SslPolicyErrors.RemoteCertificateNotAvailable;
else
errors |= SslPolicyErrors.RemoteCertificateChainErrors;
}
return validation_callback (this, cert, chain, errors);
};
if (selection_callback != null)
s.ClientCertSelectionDelegate = OnCertificateSelection;
ssl_stream = s;
return BeginWrite (new byte [0], 0, 0, asyncCallback, asyncState);
}
public virtual IAsyncResult BeginAuthenticateAsServer (X509Certificate serverCertificate, bool clientCertificateRequired, SslProtocols enabledSslProtocols, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState)
{
if (IsAuthenticated)
throw new InvalidOperationException ("This SslStream is already authenticated");
SslServerStream s = new SslServerStream (InnerStream, serverCertificate, clientCertificateRequired, !LeaveInnerStreamOpen, GetMonoSslProtocol (enabledSslProtocols));
s.CheckCertRevocationStatus = checkCertificateRevocation;
// Due to the Mono.Security internal, it cannot reuse
// the delegated argument, as Mono.Security creates
// another instance of X509Certificate which lacks
// private key but is filled the private key via this
// delegate.
s.PrivateKeyCertSelectionDelegate = delegate (X509Certificate cert, string targetHost) {
// ... so, we cannot use the delegate argument.
X509Certificate2 cert2 = serverCertificate as X509Certificate2 ?? new X509Certificate2 (serverCertificate);
return cert2 != null ? cert2.PrivateKey : null;
};
if (validation_callback != null)
s.ClientCertValidationDelegate = delegate (X509Certificate cert, int [] certErrors) {
X509Chain chain = null;
if (cert is X509Certificate2) {
chain = new X509Chain ();
chain.Build ((X509Certificate2) cert);
}
// FIXME: SslPolicyErrors is incomplete
SslPolicyErrors errors = certErrors.Length > 0 ? SslPolicyErrors.RemoteCertificateChainErrors : SslPolicyErrors.None;
return validation_callback (this, cert, chain, errors);
};
ssl_stream = s;
return BeginWrite (new byte[0], 0, 0, asyncCallback, asyncState);
}
public virtual IAsyncResult BeginAuthenticateAsServer(X509Certificate serverCertificate, bool clientCertificateRequired, SslProtocols enabledSslProtocols, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState)
{
if (IsAuthenticated)
{
throw new InvalidOperationException("This SslStream is already authenticated");
}
SslServerStream s = new SslServerStream(InnerStream, serverCertificate, clientCertificateRequired, !LeaveInnerStreamOpen, GetMonoSslProtocol(enabledSslProtocols));
s.CheckCertRevocationStatus = checkCertificateRevocation;
// Due to the Mono.Security internal, it cannot reuse
// the delegated argument, as Mono.Security creates
// another instance of X509Certificate which lacks
// private key but is filled the private key via this
// delegate.
s.PrivateKeyCertSelectionDelegate = delegate(X509Certificate cert, string targetHost)
{
// ... so, we cannot use the delegate argument.
#if NETCF && !SSHARP
X509Certificate2 cert2 = serverCertificate as X509Certificate2 ?? new X509Certificate2(serverCertificate.GetRawCertData());
return(null);
#else
X509Certificate2 cert2 = serverCertificate as X509Certificate2 ?? new X509Certificate2(serverCertificate);
return(cert2 != null ? cert2.PrivateKey : null);
#endif
};
if (validation_callback != null)
{
s.ClientCertValidationDelegate = delegate(X509Certificate cert, int[] certErrors)
{
X509Chain chain = null;
if (cert is X509Certificate2)
{
chain = new X509Chain();
chain.Build((X509Certificate2)cert);
}
// FIXME: SslPolicyErrors is incomplete
SslPolicyErrors errors = certErrors.Length > 0 ? SslPolicyErrors.RemoteCertificateChainErrors : SslPolicyErrors.None;
return(validation_callback(this, cert, chain, errors));
}
}
;
ssl_stream = s;
return(BeginWrite(new byte[0], 0, 0, asyncCallback, asyncState));
}
MonoSecurityProtocolType GetMonoSslProtocol(SslProtocols ms)
{
switch (ms)
{
case SslProtocols.Ssl2:
return(MonoSecurityProtocolType.Ssl2);
case SslProtocols.Ssl3:
return(MonoSecurityProtocolType.Ssl3);
case SslProtocols.Tls:
return(MonoSecurityProtocolType.Tls);
default:
return(MonoSecurityProtocolType.Default);
}
}
public virtual IAsyncResult BeginAuthenticateAsClient(string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState)
{
if (IsAuthenticated)
{
throw new InvalidOperationException("This SslStream is already authenticated");
}
SslClientStream s = new SslClientStream(InnerStream, targetHost, !LeaveInnerStreamOpen, GetMonoSslProtocol(enabledSslProtocols), clientCertificates);
s.CheckCertRevocationStatus = checkCertificateRevocation;
// Due to the Mono.Security internal, it cannot reuse
// the delegated argument, as Mono.Security creates
// another instance of X509Certificate which lacks
// private key but is filled the private key via this
// delegate.
s.PrivateKeyCertSelectionDelegate = delegate(X509Certificate cert, string host)
{
#if !NETCF || SSHARP
string hash = cert.GetCertHashString();
// ... so, we cannot use the delegate argument.
foreach (X509Certificate cc in clientCertificates)
{
if (cc.GetCertHashString() != hash)
{
continue;
}
X509Certificate2 cert2 = cc as X509Certificate2;
cert2 = cert2 ?? new X509Certificate2(cc);
return(cert2.PrivateKey);
}
#endif
return(null);
};
#if MONOTOUCH || MONODROID
// Even if validation_callback is null this allows us to verify requests where the user
// does not provide a verification callback but attempts to authenticate with the website
// as a client (see https://bugzilla.xamarin.com/show_bug.cgi?id=18962 for an example)
var helper = new ServicePointManager.ChainValidationHelper(this, targetHost);
helper.ServerCertificateValidationCallback = validation_callback;
s.ServerCertValidation2 += new CertificateValidationCallback2(helper.ValidateChain);
#else
if (validation_callback != null)
{
s.ServerCertValidationDelegate = delegate(X509Certificate cert, int[] certErrors)
{
X509Chain chain = new X509Chain();
X509Certificate2 x2 = (cert as X509Certificate2);
if (x2 == null)
{
x2 = new X509Certificate2(cert);
}
#if !NETCF
if (!ServicePointManager.CheckCertificateRevocationList)
#endif
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
// SSL specific checks (done by Mono.Security.dll SSL/TLS implementation)
SslPolicyErrors errors = SslPolicyErrors.None;
foreach (int i in certErrors)
{
switch (i)
{
case -2146762490: // CERT_E_PURPOSE
errors |= SslPolicyErrors.RemoteCertificateNotAvailable;
break;
case -2146762481: // CERT_E_CN_NO_MATCH
errors |= SslPolicyErrors.RemoteCertificateNameMismatch;
break;
default:
errors |= SslPolicyErrors.RemoteCertificateChainErrors;
break;
}
}
chain.Build(x2);
// non-SSL specific X509 checks (i.e. RFC3280 related checks)
foreach (X509ChainStatus status in chain.ChainStatus)
{
if (status.Status == X509ChainStatusFlags.NoError)
{
continue;
}
if ((status.Status & X509ChainStatusFlags.PartialChain) != 0)
{
errors |= SslPolicyErrors.RemoteCertificateNotAvailable;
}
else
{
errors |= SslPolicyErrors.RemoteCertificateChainErrors;
}
}
return(validation_callback(this, cert, chain, errors));
};
}
#endif
if (selection_callback != null)
{
s.ClientCertSelectionDelegate = OnCertificateSelection;
}
ssl_stream = s;
return(BeginWrite(new byte[0], 0, 0, asyncCallback, asyncState));
}
public SslConnection(Socket socket, SslStreamBase stream)
: base(socket)
{
_sslStream = stream;
}
public virtual IAsyncResult BeginAuthenticateAsClient(string targetHost, X509CertificateCollection clientCertificates, SslProtocols sslProtocolType, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState)
{
if (IsAuthenticated)
{
throw new InvalidOperationException("This SslStream is already authenticated");
}
SslClientStream s = new SslClientStream(InnerStream, targetHost, !LeaveInnerStreamOpen, GetMonoSslProtocol(sslProtocolType), clientCertificates);
s.CheckCertRevocationStatus = checkCertificateRevocation;
// Due to the Mono.Security internal, it cannot reuse
// the delegated argument, as Mono.Security creates
// another instance of X509Certificate which lacks
// private key but is filled the private key via this
// delegate.
s.PrivateKeyCertSelectionDelegate = delegate(X509Certificate cert, string host) {
string hash = cert.GetCertHashString();
// ... so, we cannot use the delegate argument.
foreach (X509Certificate cc in clientCertificates)
{
if (cc.GetCertHashString() != hash)
{
continue;
}
X509Certificate2 cert2 = cc as X509Certificate2;
cert2 = cert2 ?? new X509Certificate2(cc);
return(cert2.PrivateKey);
}
return(null);
};
if (validation_callback != null)
{
s.ServerCertValidationDelegate = delegate(X509Certificate cert, int [] certErrors) {
X509Chain chain = new X509Chain();
X509Certificate2 x2 = (cert as X509Certificate2);
if (x2 == null)
{
x2 = new X509Certificate2(cert);
}
if (!ServicePointManager.CheckCertificateRevocationList)
{
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
}
// SSL specific checks (done by Mono.Security.dll SSL/TLS implementation)
SslPolicyErrors errors = SslPolicyErrors.None;
foreach (int i in certErrors)
{
switch (i)
{
case -2146762490: // CERT_E_PURPOSE
errors |= SslPolicyErrors.RemoteCertificateNotAvailable;
break;
case -2146762481: // CERT_E_CN_NO_MATCH
errors |= SslPolicyErrors.RemoteCertificateNameMismatch;
break;
default:
errors |= SslPolicyErrors.RemoteCertificateChainErrors;
break;
}
}
chain.Build(x2);
// non-SSL specific X509 checks (i.e. RFC3280 related checks)
foreach (X509ChainStatus status in chain.ChainStatus)
{
if (status.Status == X509ChainStatusFlags.NoError)
{
continue;
}
if ((status.Status & X509ChainStatusFlags.PartialChain) != 0)
{
errors |= SslPolicyErrors.RemoteCertificateNotAvailable;
}
else
{
errors |= SslPolicyErrors.RemoteCertificateChainErrors;
}
}
return(validation_callback(this, cert, chain, errors));
}
}
;
if (selection_callback != null)
{
s.ClientCertSelectionDelegate = OnCertificateSelection;
}
ssl_stream = s;
return(BeginWrite(new byte [0], 0, 0, asyncCallback, asyncState));
}
public virtual IAsyncResult BeginAuthenticateAsClient(
string targetHost,
X509CertificateCollection clientCertificates,
SslProtocols enabledSslProtocols,
bool checkCertificateRevocation,
AsyncCallback asyncCallback,
object asyncState)
{
if (this.IsAuthenticated)
{
throw new InvalidOperationException("This SslStreamM is already authenticated");
}
SslClientStream sslClientStream = new SslClientStream(this.InnerStream, targetHost, !this.LeaveInnerStreamOpen, this.GetMonoSslProtocol(enabledSslProtocols), clientCertificates);
sslClientStream.CheckCertRevocationStatus = checkCertificateRevocation;
sslClientStream.PrivateKeyCertSelectionDelegate = (PrivateKeySelectionCallback)((cert, host) =>
{
string certHashString = cert.GetCertHashString();
foreach (X509Certificate clientCertificate in clientCertificates)
{
if (!(clientCertificate.GetCertHashString() != certHashString))
{
if (!(clientCertificate is X509Certificate2 x509Certificate2))
{
x509Certificate2 = new X509Certificate2(clientCertificate);
}
return(x509Certificate2.PrivateKey);
}
}
return((AsymmetricAlgorithm)null);
});
if (this.validation_callback != null)
{
sslClientStream.ServerCertValidationDelegate = (CertificateValidationCallback)((cert, certErrors) =>
{
X509Chain chain = new X509Chain();
if (!(cert is X509Certificate2 certificate))
{
certificate = new X509Certificate2(cert);
}
if (!ServicePointManager.CheckCertificateRevocationList)
{
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
}
SslPolicyErrors sslPolicyErrors = SslPolicyErrors.None;
foreach (int certError in certErrors)
{
switch (certError)
{
case -2146762490:
sslPolicyErrors |= SslPolicyErrors.RemoteCertificateNotAvailable;
break;
case -2146762481:
sslPolicyErrors |= SslPolicyErrors.RemoteCertificateNameMismatch;
break;
default:
sslPolicyErrors |= SslPolicyErrors.RemoteCertificateChainErrors;
break;
}
}
chain.Build(certificate);
foreach (X509ChainStatus chainStatu in chain.ChainStatus)
{
if (chainStatu.Status != X509ChainStatusFlags.NoError)
{
if ((chainStatu.Status & X509ChainStatusFlags.PartialChain) != X509ChainStatusFlags.NoError)
{
sslPolicyErrors |= SslPolicyErrors.RemoteCertificateNotAvailable;
}
else
{
sslPolicyErrors |= SslPolicyErrors.RemoteCertificateChainErrors;
}
}
}
return(this.validation_callback((object)this, cert, chain, sslPolicyErrors));
});
}
if (this.selection_callback != null)
{
sslClientStream.ClientCertSelectionDelegate = new CertificateSelectionCallback(this.OnCertificateSelection);
}
this.ssl_stream = (SslStreamBase)sslClientStream;
return(this.BeginWrite(new byte[0], 0, 0, asyncCallback, asyncState));
}
