public override void Connect() { //Connect raw tcp socket base.Connect(); X509Certificate2Collection certCollection = new X509Certificate2Collection(_certificate); _sslStream = new SslClientStream( new NetworkStream(_socket, true), _overwriteAuthenticationTargetHost != null?_overwriteAuthenticationTargetHost:_remoteHost, true, SecurityProtocolType.Tls, certCollection); ((SslClientStream)_sslStream).CheckCertRevocationStatus = true; ((SslClientStream)_sslStream).PrivateKeyCertSelectionDelegate += delegate (X509Certificate cert, string targetHost) { X509Certificate2 cert2 = _certificate as X509Certificate2 ?? new X509Certificate2 (_certificate); return cert2 != null ? cert2.PrivateKey : null; }; ((SslClientStream)_sslStream).ClientCertSelectionDelegate += SelectLocalCertificate; ((SslClientStream)_sslStream).ServerCertValidationDelegate += ValidateRemoteCertificate; _sslStream.Write(new byte[0], 0, 0); }
public SslConnection(Socket socket, SslStreamBase stream) : base(socket) { _sslStream = stream; }
protected override void Dispose (bool disposing) { if (disposing) { if (ssl_stream != null) ssl_stream.Dispose (); ssl_stream = null; } base.Dispose (disposing); }
public virtual IAsyncResult BeginAuthenticateAsServer (X509Certificate serverCertificate, bool clientCertificateRequired, SslProtocols enabledSslProtocols, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState) { if (IsAuthenticated) throw new InvalidOperationException ("This SslStream is already authenticated"); SslServerStream s = new SslServerStream (InnerStream, serverCertificate, false, clientCertificateRequired, !LeaveInnerStreamOpen, GetMonoSslProtocol (enabledSslProtocols)); s.CheckCertRevocationStatus = checkCertificateRevocation; // Due to the Mono.Security internal, it cannot reuse // the delegated argument, as Mono.Security creates // another instance of X509Certificate which lacks // private key but is filled the private key via this // delegate. s.PrivateKeyCertSelectionDelegate = delegate (X509Certificate cert, string targetHost) { // ... so, we cannot use the delegate argument. X509Certificate2 cert2 = serverCertificate as X509Certificate2 ?? new X509Certificate2 (serverCertificate); return cert2 != null ? cert2.PrivateKey : null; }; s.ClientCertValidationDelegate = delegate (X509Certificate cert, int[] certErrors) { var errors = certErrors.Length > 0 ? MonoSslPolicyErrors.RemoteCertificateChainErrors : MonoSslPolicyErrors.None; return ((ChainValidationHelper)certificateValidator).ValidateClientCertificate (cert, errors); }; ssl_stream = s; return BeginWrite (new byte[0], 0, 0, asyncCallback, asyncState); }
public virtual IAsyncResult BeginAuthenticateAsClient (string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState) { if (IsAuthenticated) throw new InvalidOperationException ("This SslStream is already authenticated"); SslClientStream s = new SslClientStream (InnerStream, targetHost, !LeaveInnerStreamOpen, GetMonoSslProtocol (enabledSslProtocols), clientCertificates); s.CheckCertRevocationStatus = checkCertificateRevocation; // Due to the Mono.Security internal, it cannot reuse // the delegated argument, as Mono.Security creates // another instance of X509Certificate which lacks // private key but is filled the private key via this // delegate. s.PrivateKeyCertSelectionDelegate = delegate (X509Certificate cert, string host) { string hash = cert.GetCertHashString (); // ... so, we cannot use the delegate argument. foreach (X509Certificate cc in clientCertificates) { if (cc.GetCertHashString () != hash) continue; X509Certificate2 cert2 = cc as X509Certificate2; cert2 = cert2 ?? new X509Certificate2 (cc); return cert2.PrivateKey; } return null; }; // Even if validation_callback is null this allows us to verify requests where the user // does not provide a verification callback but attempts to authenticate with the website // as a client (see https://bugzilla.xamarin.com/show_bug.cgi?id=18962 for an example) s.ServerCertValidation2 += (mcerts) => { X509CertificateCollection certs = null; if (mcerts != null) { certs = new X509CertificateCollection (); for (int i = 0; i < mcerts.Count; i++) certs.Add (new X509Certificate2 (mcerts [i].RawData)); } return ((ChainValidationHelper)certificateValidator).ValidateChain (targetHost, certs); }; s.ClientCertSelectionDelegate = OnCertificateSelection; ssl_stream = s; return BeginWrite (new byte [0], 0, 0, asyncCallback, asyncState); }
public virtual IAsyncResult BeginAuthenticateAsClient (string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState) { if (IsAuthenticated) throw new InvalidOperationException ("This SslStream is already authenticated"); SslClientStream s = new SslClientStream (InnerStream, targetHost, !LeaveInnerStreamOpen, GetMonoSslProtocol (enabledSslProtocols), clientCertificates); s.CheckCertRevocationStatus = checkCertificateRevocation; // Due to the Mono.Security internal, it cannot reuse // the delegated argument, as Mono.Security creates // another instance of X509Certificate which lacks // private key but is filled the private key via this // delegate. s.PrivateKeyCertSelectionDelegate = delegate (X509Certificate cert, string host) { string hash = cert.GetCertHashString (); // ... so, we cannot use the delegate argument. foreach (X509Certificate cc in clientCertificates) { if (cc.GetCertHashString () != hash) continue; X509Certificate2 cert2 = cc as X509Certificate2; cert2 = cert2 ?? new X509Certificate2 (cc); return cert2.PrivateKey; } return null; }; #if MONOTOUCH || MONODROID // Even if validation_callback is null this allows us to verify requests where the user // does not provide a verification callback but attempts to authenticate with the website // as a client (see https://bugzilla.xamarin.com/show_bug.cgi?id=18962 for an example) var helper = new ServicePointManager.ChainValidationHelper (this, targetHost); helper.ServerCertificateValidationCallback = validation_callback; s.ServerCertValidation2 += new CertificateValidationCallback2 (helper.ValidateChain); #else if (validation_callback != null) { s.ServerCertValidationDelegate = delegate (X509Certificate cert, int [] certErrors) { X509Chain chain = new X509Chain (); X509Certificate2 x2 = (cert as X509Certificate2); if (x2 == null) x2 = new X509Certificate2 (cert); if (!ServicePointManager.CheckCertificateRevocationList) chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // SSL specific checks (done by Mono.Security.dll SSL/TLS implementation) SslPolicyErrors errors = SslPolicyErrors.None; foreach (int i in certErrors) { switch (i) { case -2146762490: // CERT_E_PURPOSE errors |= SslPolicyErrors.RemoteCertificateNotAvailable; break; case -2146762481: // CERT_E_CN_NO_MATCH errors |= SslPolicyErrors.RemoteCertificateNameMismatch; break; default: errors |= SslPolicyErrors.RemoteCertificateChainErrors; break; } } chain.Build (x2); // non-SSL specific X509 checks (i.e. RFC3280 related checks) foreach (X509ChainStatus status in chain.ChainStatus) { if (status.Status == X509ChainStatusFlags.NoError) continue; if ((status.Status & X509ChainStatusFlags.PartialChain) != 0) errors |= SslPolicyErrors.RemoteCertificateNotAvailable; else errors |= SslPolicyErrors.RemoteCertificateChainErrors; } return validation_callback (this, cert, chain, errors); }; } #endif if (selection_callback != null) s.ClientCertSelectionDelegate = OnCertificateSelection; ssl_stream = s; return BeginWrite (new byte [0], 0, 0, asyncCallback, asyncState); }
public virtual IAsyncResult BeginAuthenticateAsServer (X509Certificate serverCertificate, bool clientCertificateRequired, SslProtocols sslProtocolType, bool checkCertificateRevocation, AsyncCallback callback, object asyncState) { if (IsAuthenticated) throw new InvalidOperationException ("This SslStream is already authenticated"); SslServerStream s = new SslServerStream (InnerStream, serverCertificate, clientCertificateRequired, !LeaveInnerStreamOpen, GetMonoSslProtocol (sslProtocolType)); s.CheckCertRevocationStatus = checkCertificateRevocation; // Due to the Mono.Security internal, it cannot reuse // the delegated argument, as Mono.Security creates // another instance of X509Certificate which lacks // private key but is filled the private key via this // delegate. s.PrivateKeyCertSelectionDelegate = delegate (X509Certificate cert, string targetHost) { // ... so, we cannot use the delegate argument. X509Certificate2 cert2 = serverCertificate as X509Certificate2 ?? new X509Certificate2 (serverCertificate); return cert2 != null ? cert2.PrivateKey : null; }; if (validation_callback != null) s.ClientCertValidationDelegate = delegate (X509Certificate cert, int [] certErrors) { X509Chain chain = null; if (cert is X509Certificate2) { chain = new X509Chain (); chain.Build ((X509Certificate2) cert); } // FIXME: SslPolicyErrors is incomplete SslPolicyErrors errors = certErrors.Length > 0 ? SslPolicyErrors.RemoteCertificateChainErrors : SslPolicyErrors.None; return validation_callback (this, cert, chain, errors); }; ssl_stream = s; return BeginRead (new byte [0], 0, 0, callback, asyncState); }