public virtual Task AuthenticateAsClientAsync(string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation)
{
var t = Tuple.Create(targetHost, clientCertificates, enabledSslProtocols, checkCertificateRevocation, this);
return(Task.Factory.FromAsync((callback, state) => {
var d = (Tuple <string, X509CertificateCollection, SslProtocols, bool, SslStream>)state;
return d.Item5.BeginAuthenticateAsClient(d.Item1, d.Item2, d.Item3, d.Item4, callback, null);
}, EndAuthenticateAsClient, t));
}
/*
* AsymmetricAlgorithm GetPrivateKey (X509Certificate cert, string targetHost)
* {
* // FIXME: what can I do for non-X509Certificate2 ?
* X509Certificate2 cert2 = cert as X509Certificate2;
* return cert2 != null ? cert2.PrivateKey : null;
* }
*/
X509Certificate OnCertificateSelection(X509CertificateCollection clientCerts, X509Certificate serverCert, string targetHost, X509CertificateCollection serverRequestedCerts)
{
string[] acceptableIssuers = new string[serverRequestedCerts != null ? serverRequestedCerts.Count : 0];
for (int i = 0; i < acceptableIssuers.Length; i++)
{
acceptableIssuers[i] = serverRequestedCerts[i].GetIssuerName();
}
return(selection_callback(this, targetHost, clientCerts, serverCert, acceptableIssuers));
}
public virtual void AuthenticateAsClient(string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation)
{
EndAuthenticateAsClient(BeginAuthenticateAsClient(
targetHost, clientCertificates, enabledSslProtocols, checkCertificateRevocation, null, null));
}
public virtual IAsyncResult BeginAuthenticateAsClient(string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState)
{
if (IsAuthenticated)
{
throw new InvalidOperationException("This SslStream is already authenticated");
}
SslClientStream s = new SslClientStream(InnerStream, targetHost, !LeaveInnerStreamOpen, GetMonoSslProtocol(enabledSslProtocols), clientCertificates);
s.CheckCertRevocationStatus = checkCertificateRevocation;
// Due to the Mono.Security internal, it cannot reuse
// the delegated argument, as Mono.Security creates
// another instance of X509Certificate which lacks
// private key but is filled the private key via this
// delegate.
s.PrivateKeyCertSelectionDelegate = delegate(X509Certificate cert, string host)
{
#if !NETCF || SSHARP
string hash = cert.GetCertHashString();
// ... so, we cannot use the delegate argument.
foreach (X509Certificate cc in clientCertificates)
{
if (cc.GetCertHashString() != hash)
{
continue;
}
X509Certificate2 cert2 = cc as X509Certificate2;
cert2 = cert2 ?? new X509Certificate2(cc);
return(cert2.PrivateKey);
}
#endif
return(null);
};
#if MONOTOUCH || MONODROID
// Even if validation_callback is null this allows us to verify requests where the user
// does not provide a verification callback but attempts to authenticate with the website
// as a client (see https://bugzilla.xamarin.com/show_bug.cgi?id=18962 for an example)
var helper = new ServicePointManager.ChainValidationHelper(this, targetHost);
helper.ServerCertificateValidationCallback = validation_callback;
s.ServerCertValidation2 += new CertificateValidationCallback2(helper.ValidateChain);
#else
if (validation_callback != null)
{
s.ServerCertValidationDelegate = delegate(X509Certificate cert, int[] certErrors)
{
X509Chain chain = new X509Chain();
X509Certificate2 x2 = (cert as X509Certificate2);
if (x2 == null)
{
x2 = new X509Certificate2(cert);
}
#if !NETCF
if (!ServicePointManager.CheckCertificateRevocationList)
#endif
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
// SSL specific checks (done by Mono.Security.dll SSL/TLS implementation)
SslPolicyErrors errors = SslPolicyErrors.None;
foreach (int i in certErrors)
{
switch (i)
{
case -2146762490: // CERT_E_PURPOSE
errors |= SslPolicyErrors.RemoteCertificateNotAvailable;
break;
case -2146762481: // CERT_E_CN_NO_MATCH
errors |= SslPolicyErrors.RemoteCertificateNameMismatch;
break;
default:
errors |= SslPolicyErrors.RemoteCertificateChainErrors;
break;
}
}
chain.Build(x2);
// non-SSL specific X509 checks (i.e. RFC3280 related checks)
foreach (X509ChainStatus status in chain.ChainStatus)
{
if (status.Status == X509ChainStatusFlags.NoError)
{
continue;
}
if ((status.Status & X509ChainStatusFlags.PartialChain) != 0)
{
errors |= SslPolicyErrors.RemoteCertificateNotAvailable;
}
else
{
errors |= SslPolicyErrors.RemoteCertificateChainErrors;
}
}
return(validation_callback(this, cert, chain, errors));
};
}
#endif
if (selection_callback != null)
{
s.ClientCertSelectionDelegate = OnCertificateSelection;
}
ssl_stream = s;
return(BeginWrite(new byte[0], 0, 0, asyncCallback, asyncState));
}
