/// <summary>
/// Asks the native Secure Transport shim whether the session's peer certificate
/// matches <paramref name="hostName"/> when evaluated at <paramref name="notBefore"/>.
/// </summary>
/// <param name="handle">The SSL session whose peer certificate is checked.</param>
/// <param name="hostName">The expected host name; converted to its IDNA ASCII form before the call.</param>
/// <param name="notBefore">The instant handed to the native check as the validity time.</param>
/// <returns><see langword="true"/> when the native check reports a match, <see langword="false"/> when it reports none.</returns>
/// <exception cref="SslException">The native check returned something other than 0 or 1.</exception>
public static bool SslCheckHostnameMatch(SafeSslHandle handle, string hostName, DateTime notBefore)
{
    // Secure Transport's SSL policy (SecPolicyCreateSSL) was verified not to handle IDNA
    // itself as of macOS 10.12.1 (Sierra), so the host name is mapped to its punycode ASCII
    // form here; IdnMapping also normalizes case, and the policy was verified to match
    // case-insensitively on that same release. Should the OS gain native IDNA support this
    // mapping could be dropped (or bypassed for names already within [a-z0-9.-]+).
    string asciiHostName = s_idnMapping.GetAscii(hostName);

    int nativeResult;

    using (SafeCFDateHandle validTime = CoreFoundation.CFDateCreate(notBefore))
    using (SafeCreateHandle cfHostName = CoreFoundation.CFStringCreateWithCString(asciiHostName))
    {
        nativeResult = AppleCryptoNative_SslIsHostnameMatch(handle, cfHostName, validTime);
    }

    if (nativeResult == 1)
    {
        return true;
    }

    if (nativeResult == 0)
    {
        return false;
    }

    // Anything else is a contract violation by the native shim, not a "no match".
    Debug.Fail($"AppleCryptoNative_SslIsHostnameMatch returned {nativeResult}");
    throw new SslException();
}
internal void Execute( DateTime verificationTime, bool allowNetwork, OidCollection applicationPolicy, OidCollection certificatePolicy, X509RevocationFlag revocationFlag) { int osStatus; // Save the time code for determining which message to load for NotTimeValid. _verificationTime = verificationTime; int ret; using (SafeCFDateHandle cfEvaluationTime = Interop.CoreFoundation.CFDateCreate(verificationTime)) { ret = Interop.AppleCrypto.AppleCryptoNative_X509ChainEvaluate( _chainHandle !, cfEvaluationTime, allowNetwork, out osStatus); } if (ret == 0) { throw Interop.AppleCrypto.CreateExceptionForOSStatus(osStatus); } if (ret != 1) { Debug.Fail($"AppleCryptoNative_X509ChainEvaluate returned unknown result {ret}"); throw new CryptographicException(); } (X509Certificate2, int)[] elements = ParseResults(_chainHandle !, _revocationMode);
/// <summary>
/// Evaluates the native chain at <paramref name="verificationTime"/>, then layers the
/// managed policy and revocation adjustments on top of the native results and stores them.
/// </summary>
/// <param name="verificationTime">Instant the chain is evaluated at; also remembered in <c>_verificationTime</c>
/// so a later NotTimeValid status can pick the matching message.</param>
/// <param name="allowNetwork">Forwarded unchanged to the native evaluation (presumably gates network fetches; confirm against the shim).</param>
/// <param name="applicationPolicy">Application policy OIDs checked by <c>IsPolicyMatch</c>.</param>
/// <param name="certificatePolicy">Certificate policy OIDs checked by <c>IsPolicyMatch</c>.</param>
/// <param name="revocationFlag">Passed to <c>FixupRevocationStatus</c>.</param>
/// <exception cref="CryptographicException">The native evaluation reported failure (built from its OSStatus) or an unknown result code.</exception>
internal void Execute(
    DateTime verificationTime,
    bool allowNetwork,
    OidCollection applicationPolicy,
    OidCollection certificatePolicy,
    X509RevocationFlag revocationFlag)
{
    // Remembered so the NotTimeValid message can be chosen later.
    _verificationTime = verificationTime;

    int evaluateResult;
    int osStatus;

    using (SafeCFDateHandle evaluationTime = Interop.CoreFoundation.CFDateCreate(verificationTime))
    {
        evaluateResult = Interop.AppleCrypto.AppleCryptoNative_X509ChainEvaluate(
            _chainHandle,
            evaluationTime,
            allowNetwork,
            out osStatus);
    }

    switch (evaluateResult)
    {
        case 1:
            // Native evaluation completed; its per-element results are read below.
            break;

        case 0:
            // Native call failed; the OSStatus it reported drives the exception text.
            throw Interop.AppleCrypto.CreateExceptionForOSStatus(osStatus);

        default:
            Debug.Fail($"AppleCryptoNative_X509ChainEvaluate returned unknown result {evaluateResult}");
            throw new CryptographicException();
    }

    Tuple<X509Certificate2, int>[] chainElements = ParseResults(_chainHandle, _revocationMode);
    Debug.Assert(chainElements.Length > 0);

    if (!IsPolicyMatch(chainElements, applicationPolicy, certificatePolicy))
    {
        // A policy mismatch is recorded on every element, not just the leaf.
        for (int index = 0; index < chainElements.Length; index++)
        {
            Tuple<X509Certificate2, int> element = chainElements[index];
            int flaggedStatus = element.Item2 | (int)X509ChainStatusFlags.NotValidForUsage;
            chainElements[index] = Tuple.Create(element.Item1, flaggedStatus);
        }
    }

    FixupRevocationStatus(chainElements, revocationFlag);
    BuildAndSetProperties(chainElements);
}
/// <summary>
/// Wraps <paramref name="date"/> in a native CFDate expressed as seconds relative to
/// <c>s_cfDateEpoch</c>, the CFDate reference instant.
/// </summary>
/// <param name="date">The instant to convert; expected to be Local or Utc (asserted in debug builds).</param>
/// <returns>A valid <see cref="SafeCFDateHandle"/> owned by the caller.</returns>
/// <exception cref="OutOfMemoryException">The native CFDateCreate returned an invalid handle.</exception>
internal static SafeCFDateHandle CFDateCreate(DateTime date)
{
    Debug.Assert(
        date.Kind != DateTimeKind.Unspecified,
        "DateTimeKind.Unspecified should be specified to Local or UTC by the caller");

    // ToUniversalTime leaves Utc values alone and converts Local ones; an Unspecified
    // value is converted as if it were Local, which is why the assert above exists.
    TimeSpan sinceEpoch = date.ToUniversalTime() - s_cfDateEpoch;

    SafeCFDateHandle handle = CFDateCreate(IntPtr.Zero, sinceEpoch.TotalSeconds);

    if (!handle.IsInvalid)
    {
        return handle;
    }

    // An invalid handle is treated as an allocation failure; release it before throwing.
    handle.Dispose();
    throw new OutOfMemoryException();
}
/// <summary>
/// Native hostname check for an SSL session. The managed caller (<c>SslCheckHostnameMatch</c>)
/// treats a return of 1 as a match, 0 as no match, and any other value as a failure.
/// </summary>
/// <param name="handle">The SSL session.</param>
/// <param name="cfHostname">CFString holding the IDNA ASCII form of the expected host name.</param>
/// <param name="cfValidTime">CFDate the caller builds from its <c>notBefore</c> argument.</param>
private static extern int AppleCryptoNative_SslIsHostnameMatch(
    SafeSslHandle handle,
    SafeCreateHandle cfHostname,
    SafeCFDateHandle cfValidTime);
/// <summary>
/// Source-generated (partial) binding for the native chain evaluation. The managed caller
/// treats a return of 1 as success, 0 as failure (building an exception from <paramref name="pOSStatus"/>),
/// and any other value as an unknown result.
/// </summary>
/// <param name="chain">The native chain to evaluate.</param>
/// <param name="cfEvaluationTime">CFDate for the evaluation instant.</param>
/// <param name="allowNetwork">Marshalled explicitly as a 4-byte BOOL via <see cref="UnmanagedType.Bool"/>.</param>
/// <param name="pOSStatus">Status reported by the native side; consumed by the caller only when the return is 0.</param>
internal static partial int AppleCryptoNative_X509ChainEvaluate(
    SafeX509ChainHandle chain,
    SafeCFDateHandle cfEvaluationTime,
    [MarshalAs(UnmanagedType.Bool)] bool allowNetwork,
    out int pOSStatus);
/// <summary>
/// Runtime-marshalled (extern) binding for the native chain evaluation. The managed caller
/// treats a return of 1 as success, 0 as failure (building an exception from <paramref name="pOSStatus"/>),
/// and any other value as an unknown result.
/// </summary>
/// <param name="chain">The native chain to evaluate.</param>
/// <param name="cfEvaluationTime">CFDate for the evaluation instant.</param>
/// <param name="allowNetwork">Relies on the default bool marshalling of the declaring attribute (not visible here).</param>
/// <param name="pOSStatus">Status reported by the native side; consumed by the caller only when the return is 0.</param>
internal static extern int AppleCryptoNative_X509ChainEvaluate(
    SafeX509ChainHandle chain,
    SafeCFDateHandle cfEvaluationTime,
    bool allowNetwork,
    out int pOSStatus);
/// <summary>
/// Source-generated (partial) binding for the native hostname check; this shape adds an
/// <paramref name="pOSStatus"/> output the three-argument extern form lacks.
/// </summary>
/// <param name="handle">The SSL session.</param>
/// <param name="cfHostname">CFString holding the host name to compare.</param>
/// <param name="cfValidTime">CFDate for the validity instant.</param>
/// <param name="pOSStatus">Presumably the OSStatus from the native call — confirm against the shim and the managed caller.</param>
private static partial int AppleCryptoNative_SslIsHostnameMatch(
    SafeSslHandle handle,
    SafeCreateHandle cfHostname,
    SafeCFDateHandle cfValidTime,
    out int pOSStatus);