protected MobileTlsContext(MobileAuthenticatedStream parent, MonoSslAuthenticationOptions options)
{
Parent = parent;
Options = options;
IsServer = options.ServerMode;
EnabledProtocols = options.EnabledSslProtocols;
if (options.ServerMode)
{
LocalServerCertificate = options.ServerCertificate;
AskForClientCertificate = options.ClientCertificateRequired;
}
else
{
ClientCertificates = options.ClientCertificates;
TargetHost = options.TargetHost;
ServerName = options.TargetHost;
if (!string.IsNullOrEmpty(ServerName))
{
var pos = ServerName.IndexOf(':');
if (pos > 0)
{
ServerName = ServerName.Substring(0, pos);
}
}
}
certificateValidator = (ICertificateValidator2)ChainValidationHelper.GetInternalValidator(
parent.SslStream, parent.Provider, parent.Settings);
}
public LegacySslStream(Stream innerStream, bool leaveInnerStreamOpen, MonoTlsProvider provider, MonoTlsSettings settings)
: base(innerStream, leaveInnerStreamOpen)
{
this.provider = provider;
this.settings = settings;
this.certificateValidator = ChainValidationHelper.GetDefaultValidator(provider, settings);
}
internal static ChainValidationHelper Create(MonoTlsProvider provider, ref MonoTlsSettings settings, MonoTlsStream stream)
{
var helper = new ChainValidationHelper(provider, settings, true, stream, null);
settings = helper.settings;
return(helper);
}
internal static object GetDefaultCertificateValidator(object settings)
{
#if SECURITY_DEP
return(ChainValidationHelper.GetDefaultValidator((MSI.MonoTlsSettings)settings));
#else
throw new NotSupportedException();
#endif
}
internal static object GetInternalValidator(object provider, object settings)
{
#if SECURITY_DEP
return(ChainValidationHelper.GetInternalValidator((MSI.MonoTlsProvider)provider, (MSI.MonoTlsSettings)settings));
#else
throw new NotSupportedException();
#endif
}
internal override bool ValidateCertificate(
MNS.ChainValidationHelper validator, string targetHost, bool serverMode,
X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain,
ref SslPolicyErrors errors, ref int status11)
{
if (wantsChain)
{
chain = MNS.SystemCertificateValidator.CreateX509Chain(certificates);
}
return(AppleCertificateHelper.InvokeSystemCertificateValidator(validator, targetHost, serverMode, certificates, ref errors, ref status11));
}
public MonoTlsStream(HttpWebRequest request, NetworkStream networkStream)
{
this.request = request;
this.networkStream = networkStream;
settings = request.TlsSettings;
provider = request.TlsProvider ?? MonoTlsProviderFactory.GetProviderInternal();
status = WebExceptionStatus.SecureChannelFailure;
/*validationHelper =*/ ChainValidationHelper.Create(provider.Provider, ref settings, this);
}
ChainValidationHelper(ChainValidationHelper other, MonoTlsSettings settings, ServerCertValidationCallbackWrapper callbackWrapper = null)
{
sender = other.sender;
certValidationCallback = other.certValidationCallback;
certSelectionCallback = other.certSelectionCallback;
tlsStream = other.tlsStream;
request = other.request;
this.settings = settings = settings.CloneWithValidator(this);
this.callbackWrapper = callbackWrapper;
}
public override bool ValidateCertificate(ChainValidationHelper validator, string targetHost, bool serverMode,
X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain, ref SslPolicyErrors errors,
ref int status11)
{
if (wantsChain)
{
chain = SystemCertificateValidator.CreateX509Chain(certificates);
}
var result = SystemCertificateValidator.Evaluate(validator.Settings, targetHost, certificates, chain,
ref errors, ref status11);
return(result);
}
public static bool InvokeSystemCertificateValidator(
MNS.ChainValidationHelper validator, string targetHost, bool serverMode,
X509CertificateCollection certificates,
ref SslPolicyErrors errors, ref int status11)
{
if (certificates == null)
{
errors |= SslPolicyErrors.RemoteCertificateNotAvailable;
return(false);
}
if (!string.IsNullOrEmpty(targetHost))
{
var pos = targetHost.IndexOf(':');
if (pos > 0)
{
targetHost = targetHost.Substring(0, pos);
}
}
using (var policy = SecPolicy.CreateSslPolicy(!serverMode, targetHost))
using (var trust = new SecTrust(certificates, policy)) {
if (validator.Settings.TrustAnchors != null)
{
var status = trust.SetAnchorCertificates(validator.Settings.TrustAnchors);
if (status != SecStatusCode.Success)
{
throw new InvalidOperationException(status.ToString());
}
trust.SetAnchorCertificatesOnly(false);
}
if (validator.Settings.CertificateValidationTime != null)
{
var status = trust.SetVerifyDate(validator.Settings.CertificateValidationTime.Value);
if (status != SecStatusCode.Success)
{
throw new InvalidOperationException(status.ToString());
}
}
var result = trust.Evaluate();
if (result == SecTrustResult.Unspecified || result == SecTrustResult.Proceed)
{
return(true);
}
errors |= SslPolicyErrors.RemoteCertificateChainErrors;
return(false);
}
}
/*
* This is a hack which is used in SslStream - see ReferenceSources/SslStream.cs for details.
*/
internal static ChainValidationHelper CloneWithCallbackWrapper(MonoTlsProvider provider, ref MonoTlsSettings settings, ServerCertValidationCallbackWrapper wrapper)
{
var helper = (ChainValidationHelper)settings.CertificateValidator;
if (helper == null)
{
helper = new ChainValidationHelper(provider, settings, true, null, wrapper);
}
else
{
helper = new ChainValidationHelper(helper, provider, settings, wrapper);
}
settings = helper.settings;
return(helper);
}
public MonoTlsStream(HttpWebRequest request, NetworkStream networkStream)
{
#if SECURITY_DEP
this.request = request;
this.networkStream = networkStream;
settings = request.TlsSettings;
provider = request.TlsProvider ?? MonoTlsProviderFactory.GetProviderInternal();
status = WebExceptionStatus.SecureChannelFailure;
ChainValidationHelper.Create(provider, ref settings, this);
#else
throw new PlatformNotSupportedException(EXCEPTION_MESSAGE);
#endif
}
internal override bool ValidateCertificate(
MNS.ChainValidationHelper validator, string targetHost, bool serverMode,
X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain,
ref SslPolicyErrors errors, ref int status11)
{
if (chain != null)
{
var chainImpl = (X509ChainImplBtls)chain.Impl;
var success = chainImpl.StoreCtx.VerifyResult == 1;
CheckValidationResult(
validator, targetHost, serverMode, certificates,
wantsChain, chain, chainImpl.StoreCtx,
success, ref errors, ref status11);
return(success);
}
using (var store = new MonoBtlsX509Store())
using (var nativeChain = MonoBtlsProvider.GetNativeChain(certificates))
using (var param = GetVerifyParam(validator.Settings, targetHost, serverMode))
using (var storeCtx = new MonoBtlsX509StoreCtx()) {
SetupCertificateStore(store, validator.Settings, serverMode);
storeCtx.Initialize(store, nativeChain);
storeCtx.SetVerifyParam(param);
var ret = storeCtx.Verify();
var success = ret == 1;
if (wantsChain && chain == null)
{
chain = GetManagedChain(nativeChain);
}
CheckValidationResult(
validator, targetHost, serverMode, certificates,
wantsChain, null, storeCtx,
success, ref errors, ref status11);
return(success);
}
}
void CheckValidationResult(
MNS.ChainValidationHelper validator, string targetHost, bool serverMode,
X509CertificateCollection certificates, bool wantsChain,
X509Chain chain, MonoBtlsX509StoreCtx storeCtx,
bool success, ref SslPolicyErrors errors, ref int status11)
{
status11 = unchecked ((int)0);
if (success)
{
return;
}
errors = SslPolicyErrors.RemoteCertificateChainErrors;
if (!wantsChain || storeCtx == null || chain == null)
{
status11 = unchecked ((int)0x800B010B);
return;
}
var error = storeCtx.GetError();
switch (error)
{
case Mono.Btls.MonoBtlsX509Error.OK:
errors = SslPolicyErrors.None;
break;
case Mono.Btls.MonoBtlsX509Error.CRL_NOT_YET_VALID:
break;
case MonoBtlsX509Error.HOSTNAME_MISMATCH:
errors = SslPolicyErrors.RemoteCertificateNameMismatch;
chain.Impl.AddStatus(X509ChainStatusFlags.UntrustedRoot);
status11 = unchecked ((int)0x800B010B);
break;
default:
chain.Impl.AddStatus(MapVerifyErrorToChainStatus(error));
status11 = unchecked ((int)0x800B010B);
break;
}
}
/*
* This is a hack which is used in SslStream - see ReferenceSources/SslStream.cs for details.
*/
internal static ChainValidationHelper CloneWithCallbackWrapper (MonoTlsProvider provider, ref MonoTlsSettings settings, ServerCertValidationCallbackWrapper wrapper)
{
var helper = (ChainValidationHelper)settings.CertificateValidator;
if (helper == null)
helper = new ChainValidationHelper (provider, settings, true, null, wrapper);
else
helper = new ChainValidationHelper (helper, provider, settings, wrapper);
settings = helper.settings;
return helper;
}
public MonoTlsStream (HttpWebRequest request, NetworkStream networkStream)
{
this.request = request;
this.networkStream = networkStream;
settings = request.TlsSettings;
provider = request.TlsProvider ?? MonoTlsProviderFactory.GetProviderInternal ();
status = WebExceptionStatus.SecureChannelFailure;
validationHelper = ChainValidationHelper.Create (provider.Provider, ref settings, this);
}
/*
* If @serverMode is true, then we're a server and want to validate a certificate
* that we received from a client.
*
* On OS X and Mobile, the @chain will be initialized with the @certificates, but not actually built.
*
* Returns `true` if certificate validation has been performed and `false` to invoke the
* default system validator.
*/
internal abstract bool ValidateCertificate(
ChainValidationHelper validator, string targetHost, bool serverMode,
X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain,
ref SslPolicyErrors errors, ref int status11);
internal static ChainValidationHelper Create (MonoTlsProvider provider, ref MonoTlsSettings settings, MonoTlsStream stream)
{
var helper = new ChainValidationHelper (provider, settings, true, stream, null);
settings = helper.settings;
return helper;
}
ChainValidationHelper (ChainValidationHelper other, MonoTlsProvider provider, MonoTlsSettings settings, ServerCertValidationCallbackWrapper callbackWrapper = null)
{
sender = other.sender;
certValidationCallback = other.certValidationCallback;
certSelectionCallback = other.certSelectionCallback;
tlsStream = other.tlsStream;
request = other.request;
if (settings == null)
settings = MonoTlsSettings.DefaultSettings;
this.provider = provider;
this.settings = settings.CloneWithValidator (this);
this.callbackWrapper = callbackWrapper;
}