protected override void Dispose (bool disposing) { if (disposing) { if (ssl_stream != null) ssl_stream.Dispose (); ssl_stream = null; } base.Dispose (disposing); }
public virtual IAsyncResult BeginAuthenticateAsClient (string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState) { if (IsAuthenticated) throw new InvalidOperationException ("This SslStream is already authenticated"); SslClientStream s = new SslClientStream (InnerStream, targetHost, !LeaveInnerStreamOpen, GetMonoSslProtocol (enabledSslProtocols), clientCertificates); s.CheckCertRevocationStatus = checkCertificateRevocation; // Due to the Mono.Security internal, it cannot reuse // the delegated argument, as Mono.Security creates // another instance of X509Certificate which lacks // private key but is filled the private key via this // delegate. s.PrivateKeyCertSelectionDelegate = delegate (X509Certificate cert, string host) { string hash = cert.GetCertHashString (); // ... so, we cannot use the delegate argument. foreach (X509Certificate cc in clientCertificates) { if (cc.GetCertHashString () != hash) continue; X509Certificate2 cert2 = cc as X509Certificate2; cert2 = cert2 ?? new X509Certificate2 (cc); return cert2.PrivateKey; } return null; }; if (validation_callback != null) s.ServerCertValidationDelegate = delegate (X509Certificate cert, int [] certErrors) { X509Chain chain = new X509Chain (); X509Certificate2 x2 = (cert as X509Certificate2); if (x2 == null) x2 = new X509Certificate2 (cert); if (!ServicePointManager.CheckCertificateRevocationList) chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // SSL specific checks (done by Mono.Security.dll SSL/TLS implementation) SslPolicyErrors errors = SslPolicyErrors.None; foreach (int i in certErrors) { switch (i) { case -2146762490: // CERT_E_PURPOSE errors |= SslPolicyErrors.RemoteCertificateNotAvailable; break; case -2146762481: // CERT_E_CN_NO_MATCH errors |= SslPolicyErrors.RemoteCertificateNameMismatch; break; default: errors |= SslPolicyErrors.RemoteCertificateChainErrors; break; } } chain.Build (x2); // non-SSL specific X509 checks (i.e. RFC3280 related checks) foreach (X509ChainStatus status in chain.ChainStatus) { if (status.Status == X509ChainStatusFlags.NoError) continue; if ((status.Status & X509ChainStatusFlags.PartialChain) != 0) errors |= SslPolicyErrors.RemoteCertificateNotAvailable; else errors |= SslPolicyErrors.RemoteCertificateChainErrors; } return validation_callback (this, cert, chain, errors); }; if (selection_callback != null) s.ClientCertSelectionDelegate = OnCertificateSelection; ssl_stream = s; return BeginWrite (new byte [0], 0, 0, asyncCallback, asyncState); }
public virtual IAsyncResult BeginAuthenticateAsServer (X509Certificate serverCertificate, bool clientCertificateRequired, SslProtocols enabledSslProtocols, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState) { if (IsAuthenticated) throw new InvalidOperationException ("This SslStream is already authenticated"); SslServerStream s = new SslServerStream (InnerStream, serverCertificate, clientCertificateRequired, !LeaveInnerStreamOpen, GetMonoSslProtocol (enabledSslProtocols)); s.CheckCertRevocationStatus = checkCertificateRevocation; // Due to the Mono.Security internal, it cannot reuse // the delegated argument, as Mono.Security creates // another instance of X509Certificate which lacks // private key but is filled the private key via this // delegate. s.PrivateKeyCertSelectionDelegate = delegate (X509Certificate cert, string targetHost) { // ... so, we cannot use the delegate argument. X509Certificate2 cert2 = serverCertificate as X509Certificate2 ?? new X509Certificate2 (serverCertificate); return cert2 != null ? cert2.PrivateKey : null; }; if (validation_callback != null) s.ClientCertValidationDelegate = delegate (X509Certificate cert, int [] certErrors) { X509Chain chain = null; if (cert is X509Certificate2) { chain = new X509Chain (); chain.Build ((X509Certificate2) cert); } // FIXME: SslPolicyErrors is incomplete SslPolicyErrors errors = certErrors.Length > 0 ? SslPolicyErrors.RemoteCertificateChainErrors : SslPolicyErrors.None; return validation_callback (this, cert, chain, errors); }; ssl_stream = s; return BeginWrite (new byte[0], 0, 0, asyncCallback, asyncState); }
public virtual IAsyncResult BeginAuthenticateAsServer(X509Certificate serverCertificate, bool clientCertificateRequired, SslProtocols enabledSslProtocols, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState) { if (IsAuthenticated) { throw new InvalidOperationException("This SslStream is already authenticated"); } SslServerStream s = new SslServerStream(InnerStream, serverCertificate, clientCertificateRequired, !LeaveInnerStreamOpen, GetMonoSslProtocol(enabledSslProtocols)); s.CheckCertRevocationStatus = checkCertificateRevocation; // Due to the Mono.Security internal, it cannot reuse // the delegated argument, as Mono.Security creates // another instance of X509Certificate which lacks // private key but is filled the private key via this // delegate. s.PrivateKeyCertSelectionDelegate = delegate(X509Certificate cert, string targetHost) { // ... so, we cannot use the delegate argument. #if NETCF && !SSHARP X509Certificate2 cert2 = serverCertificate as X509Certificate2 ?? new X509Certificate2(serverCertificate.GetRawCertData()); return(null); #else X509Certificate2 cert2 = serverCertificate as X509Certificate2 ?? new X509Certificate2(serverCertificate); return(cert2 != null ? cert2.PrivateKey : null); #endif }; if (validation_callback != null) { s.ClientCertValidationDelegate = delegate(X509Certificate cert, int[] certErrors) { X509Chain chain = null; if (cert is X509Certificate2) { chain = new X509Chain(); chain.Build((X509Certificate2)cert); } // FIXME: SslPolicyErrors is incomplete SslPolicyErrors errors = certErrors.Length > 0 ? SslPolicyErrors.RemoteCertificateChainErrors : SslPolicyErrors.None; return(validation_callback(this, cert, chain, errors)); } } ; ssl_stream = s; return(BeginWrite(new byte[0], 0, 0, asyncCallback, asyncState)); } MonoSecurityProtocolType GetMonoSslProtocol(SslProtocols ms) { switch (ms) { case SslProtocols.Ssl2: return(MonoSecurityProtocolType.Ssl2); case SslProtocols.Ssl3: return(MonoSecurityProtocolType.Ssl3); case SslProtocols.Tls: return(MonoSecurityProtocolType.Tls); default: return(MonoSecurityProtocolType.Default); } }
public virtual IAsyncResult BeginAuthenticateAsClient(string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState) { if (IsAuthenticated) { throw new InvalidOperationException("This SslStream is already authenticated"); } SslClientStream s = new SslClientStream(InnerStream, targetHost, !LeaveInnerStreamOpen, GetMonoSslProtocol(enabledSslProtocols), clientCertificates); s.CheckCertRevocationStatus = checkCertificateRevocation; // Due to the Mono.Security internal, it cannot reuse // the delegated argument, as Mono.Security creates // another instance of X509Certificate which lacks // private key but is filled the private key via this // delegate. s.PrivateKeyCertSelectionDelegate = delegate(X509Certificate cert, string host) { #if !NETCF || SSHARP string hash = cert.GetCertHashString(); // ... so, we cannot use the delegate argument. foreach (X509Certificate cc in clientCertificates) { if (cc.GetCertHashString() != hash) { continue; } X509Certificate2 cert2 = cc as X509Certificate2; cert2 = cert2 ?? new X509Certificate2(cc); return(cert2.PrivateKey); } #endif return(null); }; #if MONOTOUCH || MONODROID // Even if validation_callback is null this allows us to verify requests where the user // does not provide a verification callback but attempts to authenticate with the website // as a client (see https://bugzilla.xamarin.com/show_bug.cgi?id=18962 for an example) var helper = new ServicePointManager.ChainValidationHelper(this, targetHost); helper.ServerCertificateValidationCallback = validation_callback; s.ServerCertValidation2 += new CertificateValidationCallback2(helper.ValidateChain); #else if (validation_callback != null) { s.ServerCertValidationDelegate = delegate(X509Certificate cert, int[] certErrors) { X509Chain chain = new X509Chain(); X509Certificate2 x2 = (cert as X509Certificate2); if (x2 == null) { x2 = new X509Certificate2(cert); } #if !NETCF if (!ServicePointManager.CheckCertificateRevocationList) #endif chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // SSL specific checks (done by Mono.Security.dll SSL/TLS implementation) SslPolicyErrors errors = SslPolicyErrors.None; foreach (int i in certErrors) { switch (i) { case -2146762490: // CERT_E_PURPOSE errors |= SslPolicyErrors.RemoteCertificateNotAvailable; break; case -2146762481: // CERT_E_CN_NO_MATCH errors |= SslPolicyErrors.RemoteCertificateNameMismatch; break; default: errors |= SslPolicyErrors.RemoteCertificateChainErrors; break; } } chain.Build(x2); // non-SSL specific X509 checks (i.e. RFC3280 related checks) foreach (X509ChainStatus status in chain.ChainStatus) { if (status.Status == X509ChainStatusFlags.NoError) { continue; } if ((status.Status & X509ChainStatusFlags.PartialChain) != 0) { errors |= SslPolicyErrors.RemoteCertificateNotAvailable; } else { errors |= SslPolicyErrors.RemoteCertificateChainErrors; } } return(validation_callback(this, cert, chain, errors)); }; } #endif if (selection_callback != null) { s.ClientCertSelectionDelegate = OnCertificateSelection; } ssl_stream = s; return(BeginWrite(new byte[0], 0, 0, asyncCallback, asyncState)); }
public SslConnection(Socket socket, SslStreamBase stream) : base(socket) { _sslStream = stream; }
public virtual IAsyncResult BeginAuthenticateAsClient(string targetHost, X509CertificateCollection clientCertificates, SslProtocols sslProtocolType, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState) { if (IsAuthenticated) { throw new InvalidOperationException("This SslStream is already authenticated"); } SslClientStream s = new SslClientStream(InnerStream, targetHost, !LeaveInnerStreamOpen, GetMonoSslProtocol(sslProtocolType), clientCertificates); s.CheckCertRevocationStatus = checkCertificateRevocation; // Due to the Mono.Security internal, it cannot reuse // the delegated argument, as Mono.Security creates // another instance of X509Certificate which lacks // private key but is filled the private key via this // delegate. s.PrivateKeyCertSelectionDelegate = delegate(X509Certificate cert, string host) { string hash = cert.GetCertHashString(); // ... so, we cannot use the delegate argument. foreach (X509Certificate cc in clientCertificates) { if (cc.GetCertHashString() != hash) { continue; } X509Certificate2 cert2 = cc as X509Certificate2; cert2 = cert2 ?? new X509Certificate2(cc); return(cert2.PrivateKey); } return(null); }; if (validation_callback != null) { s.ServerCertValidationDelegate = delegate(X509Certificate cert, int [] certErrors) { X509Chain chain = new X509Chain(); X509Certificate2 x2 = (cert as X509Certificate2); if (x2 == null) { x2 = new X509Certificate2(cert); } if (!ServicePointManager.CheckCertificateRevocationList) { chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; } // SSL specific checks (done by Mono.Security.dll SSL/TLS implementation) SslPolicyErrors errors = SslPolicyErrors.None; foreach (int i in certErrors) { switch (i) { case -2146762490: // CERT_E_PURPOSE errors |= SslPolicyErrors.RemoteCertificateNotAvailable; break; case -2146762481: // CERT_E_CN_NO_MATCH errors |= SslPolicyErrors.RemoteCertificateNameMismatch; break; default: errors |= SslPolicyErrors.RemoteCertificateChainErrors; break; } } chain.Build(x2); // non-SSL specific X509 checks (i.e. RFC3280 related checks) foreach (X509ChainStatus status in chain.ChainStatus) { if (status.Status == X509ChainStatusFlags.NoError) { continue; } if ((status.Status & X509ChainStatusFlags.PartialChain) != 0) { errors |= SslPolicyErrors.RemoteCertificateNotAvailable; } else { errors |= SslPolicyErrors.RemoteCertificateChainErrors; } } return(validation_callback(this, cert, chain, errors)); } } ; if (selection_callback != null) { s.ClientCertSelectionDelegate = OnCertificateSelection; } ssl_stream = s; return(BeginWrite(new byte [0], 0, 0, asyncCallback, asyncState)); }
public virtual IAsyncResult BeginAuthenticateAsClient( string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState) { if (this.IsAuthenticated) { throw new InvalidOperationException("This SslStreamM is already authenticated"); } SslClientStream sslClientStream = new SslClientStream(this.InnerStream, targetHost, !this.LeaveInnerStreamOpen, this.GetMonoSslProtocol(enabledSslProtocols), clientCertificates); sslClientStream.CheckCertRevocationStatus = checkCertificateRevocation; sslClientStream.PrivateKeyCertSelectionDelegate = (PrivateKeySelectionCallback)((cert, host) => { string certHashString = cert.GetCertHashString(); foreach (X509Certificate clientCertificate in clientCertificates) { if (!(clientCertificate.GetCertHashString() != certHashString)) { if (!(clientCertificate is X509Certificate2 x509Certificate2)) { x509Certificate2 = new X509Certificate2(clientCertificate); } return(x509Certificate2.PrivateKey); } } return((AsymmetricAlgorithm)null); }); if (this.validation_callback != null) { sslClientStream.ServerCertValidationDelegate = (CertificateValidationCallback)((cert, certErrors) => { X509Chain chain = new X509Chain(); if (!(cert is X509Certificate2 certificate)) { certificate = new X509Certificate2(cert); } if (!ServicePointManager.CheckCertificateRevocationList) { chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; } SslPolicyErrors sslPolicyErrors = SslPolicyErrors.None; foreach (int certError in certErrors) { switch (certError) { case -2146762490: sslPolicyErrors |= SslPolicyErrors.RemoteCertificateNotAvailable; break; case -2146762481: sslPolicyErrors |= SslPolicyErrors.RemoteCertificateNameMismatch; break; default: sslPolicyErrors |= SslPolicyErrors.RemoteCertificateChainErrors; break; } } chain.Build(certificate); foreach (X509ChainStatus chainStatu in chain.ChainStatus) { if (chainStatu.Status != X509ChainStatusFlags.NoError) { if ((chainStatu.Status & X509ChainStatusFlags.PartialChain) != X509ChainStatusFlags.NoError) { sslPolicyErrors |= SslPolicyErrors.RemoteCertificateNotAvailable; } else { sslPolicyErrors |= SslPolicyErrors.RemoteCertificateChainErrors; } } } return(this.validation_callback((object)this, cert, chain, sslPolicyErrors)); }); } if (this.selection_callback != null) { sslClientStream.ClientCertSelectionDelegate = new CertificateSelectionCallback(this.OnCertificateSelection); } this.ssl_stream = (SslStreamBase)sslClientStream; return(this.BeginWrite(new byte[0], 0, 0, asyncCallback, asyncState)); }