ファイル: SslConnection.cs プロジェクト: deveck/doTSS
        /// <summary>
        /// Opens the raw TCP connection through the base class, wraps the socket in a
        /// Mono.Security <see cref="SslClientStream"/> and forces the TLS handshake to run
        /// by issuing a zero-length write.
        /// </summary>
        /// <remarks>
        /// The handshake host is <c>_overwriteAuthenticationTargetHost</c> when it is set,
        /// otherwise <c>_remoteHost</c>. That name is presumably what the peer certificate is
        /// checked against, so an override sourced from untrusted configuration would change
        /// which server identity is accepted. NOTE(review): SecurityProtocolType.Tls selects
        /// whatever single TLS version the legacy Mono.Security stack means by that value —
        /// confirm it meets the deployment's protocol floor.
        /// </remarks>
        public override void Connect()
        {
            // Establish the underlying TCP socket first.
            base.Connect();

            X509Certificate2Collection localCerts = new X509Certificate2Collection(_certificate);

            string handshakeHost = _overwriteAuthenticationTargetHost;
            if (handshakeHost == null)
                handshakeHost = _remoteHost;

            SslClientStream client = new SslClientStream(
               new NetworkStream(_socket, true),   // NetworkStream owns the socket
               handshakeHost,
               true,                               // SslClientStream owns the NetworkStream
               SecurityProtocolType.Tls,
               localCerts);
            _sslStream = client;

            // Ask Mono.Security to check the peer certificate's revocation status.
            client.CheckCertRevocationStatus = true;

            // Mono.Security hands this delegate a copy of the selected certificate that
            // carries no private key, so the key is taken from our own _certificate
            // rather than from the delegate argument.
            client.PrivateKeyCertSelectionDelegate +=
                 delegate (X509Certificate cert, string targetHost)
            {
                X509Certificate2 withKey = _certificate as X509Certificate2;
                if (withKey == null)
                    withKey = new X509Certificate2(_certificate);
                return withKey == null ? null : withKey.PrivateKey;
            };

            client.ClientCertSelectionDelegate += SelectLocalCertificate;
            client.ServerCertValidationDelegate += ValidateRemoteCertificate;

            // A zero-length write is what triggers the handshake in Mono.Security.
            _sslStream.Write(new byte[0], 0, 0);
        }
ファイル: SslConnection.cs プロジェクト: deveck/doTSS
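 /// <summary>
 /// Wraps an externally created TLS stream that runs over <paramref name="socket"/>.
 /// </summary>
 /// <param name="socket">The socket handed to the base connection.</param>
 /// <param name="stream">The TLS stream used for all further I/O on this connection.</param>
 /// <exception cref="ArgumentNullException"><paramref name="stream"/> is null.</exception>
 public SslConnection(Socket socket, SslStreamBase stream)
     : base(socket)
 {
     // Fail fast: a null stream would otherwise only surface as a
     // NullReferenceException on the first read or write.
     if (stream == null)
         throw new ArgumentNullException("stream");
     _sslStream = stream;
 }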
ファイル: LegacySslStream.cs プロジェクト: JokerGITHUB/mono
		/// <summary>
		/// Releases the wrapped Mono.Security stream when disposing managed state,
		/// then defers to the base class in every case.
		/// </summary>
		/// <param name="disposing">True when called from Dispose(); false when called from a finalizer.</param>
		protected override void Dispose (bool disposing)
		{
			if (!disposing) {
				base.Dispose (false);
				return;
			}

			var inner = ssl_stream;
			if (inner != null)
				inner.Dispose ();
			ssl_stream = null;

			base.Dispose (true);
		}
ファイル: LegacySslStream.cs プロジェクト: JokerGITHUB/mono
		/// <summary>
		/// Starts the server-side TLS handshake over <c>InnerStream</c> using the legacy
		/// Mono.Security <see cref="SslServerStream"/>.
		/// </summary>
		/// <param name="serverCertificate">Certificate presented to the client; its private key is
		/// resolved through <c>PrivateKeyCertSelectionDelegate</c>.</param>
		/// <param name="clientCertificateRequired">Passed to Mono.Security as the fourth constructor
		/// argument while the third is a constant <c>false</c>. NOTE(review): confirm against the
		/// SslServerStream overload which of the two flags means "required" and which "requested".</param>
		/// <param name="enabledSslProtocols">Allowed protocols, mapped via <c>GetMonoSslProtocol</c>.</param>
		/// <param name="checkCertificateRevocation">Forwarded to <c>CheckCertRevocationStatus</c>.</param>
		/// <param name="asyncCallback">Completion callback for the handshake write.</param>
		/// <param name="asyncState">User state carried by the async result.</param>
		/// <returns>The async result of the zero-length write that drives the handshake.</returns>
		/// <exception cref="InvalidOperationException">The stream is already authenticated.</exception>
		public virtual IAsyncResult BeginAuthenticateAsServer (X509Certificate serverCertificate, bool clientCertificateRequired, SslProtocols enabledSslProtocols, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState)
		{
			if (IsAuthenticated)
				throw new InvalidOperationException ("This SslStream is already authenticated");

			var server = new SslServerStream (InnerStream, serverCertificate, false, clientCertificateRequired, !LeaveInnerStreamOpen, GetMonoSslProtocol (enabledSslProtocols));
			server.CheckCertRevocationStatus = checkCertificateRevocation;

			// Mono.Security re-creates the certificate it passes to this delegate without
			// the private key, so the key must come from the caller's serverCertificate
			// and not from the delegate argument.
			server.PrivateKeyCertSelectionDelegate = (cert, targetHost) => {
				var withKey = serverCertificate as X509Certificate2;
				if (withKey == null)
					withKey = new X509Certificate2 (serverCertificate);
				return withKey == null ? null : withKey.PrivateKey;
			};

			// Every Mono.Security error code is collapsed into RemoteCertificateChainErrors;
			// the individual codes are not distinguished before the validator sees them.
			server.ClientCertValidationDelegate = (cert, certErrors) => {
				var policyErrors = MonoSslPolicyErrors.None;
				if (certErrors.Length > 0)
					policyErrors = MonoSslPolicyErrors.RemoteCertificateChainErrors;
				return ((ChainValidationHelper)certificateValidator).ValidateClientCertificate (cert, policyErrors);
			};

			ssl_stream = server;

			// A zero-length write is what kicks off the handshake in Mono.Security.
			return BeginWrite (new byte[0], 0, 0, asyncCallback, asyncState);
		}
ファイル: LegacySslStream.cs プロジェクト: JokerGITHUB/mono
		/// <summary>
		/// Starts the client-side TLS handshake for <paramref name="targetHost"/> using the
		/// legacy Mono.Security <see cref="SslClientStream"/>.
		/// </summary>
		/// <param name="targetHost">Host name the handshake is performed for; it is also handed
		/// to the chain validator together with the server's certificates.</param>
		/// <param name="clientCertificates">Candidate client certificates; the private key of the
		/// one Mono.Security selects is looked up in this collection by certificate hash.</param>
		/// <param name="enabledSslProtocols">Allowed protocols, mapped via <c>GetMonoSslProtocol</c>.</param>
		/// <param name="checkCertificateRevocation">Forwarded to <c>CheckCertRevocationStatus</c>.</param>
		/// <param name="asyncCallback">Completion callback for the handshake write.</param>
		/// <param name="asyncState">User state carried by the async result.</param>
		/// <returns>The async result of the zero-length write that drives the handshake.</returns>
		/// <exception cref="InvalidOperationException">The stream is already authenticated.</exception>
		public virtual IAsyncResult BeginAuthenticateAsClient (string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState)
		{
			if (IsAuthenticated)
				throw new InvalidOperationException ("This SslStream is already authenticated");

			var client = new SslClientStream (InnerStream, targetHost, !LeaveInnerStreamOpen, GetMonoSslProtocol (enabledSslProtocols), clientCertificates);
			client.CheckCertRevocationStatus = checkCertificateRevocation;

			// Mono.Security passes a key-less copy of the chosen certificate, so the matching
			// entry in the caller's collection (found by certificate hash) supplies the key.
			// NOTE(review): clientCertificates is enumerated without a null check; confirm
			// Mono.Security never invokes this delegate when the collection is null.
			client.PrivateKeyCertSelectionDelegate = (cert, host) => {
				string wanted = cert.GetCertHashString ();
				foreach (X509Certificate candidate in clientCertificates) {
					if (candidate.GetCertHashString () != wanted)
						continue;
					var withKey = candidate as X509Certificate2;
					if (withKey == null)
						withKey = new X509Certificate2 (candidate);
					return withKey.PrivateKey;
				}
				return null;
			};

			// The server chain is always routed through the validator, even when the user
			// supplied no verification callback, so a client that merely authenticates to a
			// site still gets its peer checked
			// (see https://bugzilla.xamarin.com/show_bug.cgi?id=18962 for an example).
			client.ServerCertValidation2 += mcerts => {
				X509CertificateCollection rebuilt = null;
				if (mcerts != null) {
					rebuilt = new X509CertificateCollection ();
					// Re-create each certificate from its DER bytes so the validator works
					// on System.Security.Cryptography.X509Certificates types.
					int count = mcerts.Count;
					for (int i = 0; i < count; i++)
						rebuilt.Add (new X509Certificate2 (mcerts [i].RawData));
				}
				return ((ChainValidationHelper)certificateValidator).ValidateChain (targetHost, rebuilt);
			};
			client.ClientCertSelectionDelegate = OnCertificateSelection;

			ssl_stream = client;

			// A zero-length write is what kicks off the handshake in Mono.Security.
			return BeginWrite (new byte [0], 0, 0, asyncCallback, asyncState);
		}
		/// <summary>
		/// Starts the client-side TLS handshake for <paramref name="targetHost"/> using the
		/// legacy Mono.Security <see cref="SslClientStream"/>.
		/// </summary>
		/// <remarks>
		/// Server certificate validation differs by platform: on MONOTOUCH/MONODROID the chain
		/// always goes through <c>ServicePointManager.ChainValidationHelper</c>, elsewhere a
		/// validation delegate is attached only when <c>validation_callback</c> is non-null.
		/// </remarks>
		/// <param name="targetHost">Host name the handshake is performed for.</param>
		/// <param name="clientCertificates">Candidate client certificates; the private key of the
		/// one Mono.Security selects is looked up in this collection by certificate hash.</param>
		/// <param name="enabledSslProtocols">Allowed protocols, mapped via <c>GetMonoSslProtocol</c>.</param>
		/// <param name="checkCertificateRevocation">Forwarded to <c>CheckCertRevocationStatus</c>.</param>
		/// <param name="asyncCallback">Completion callback for the handshake write.</param>
		/// <param name="asyncState">User state carried by the async result.</param>
		/// <returns>The async result of the zero-length write that drives the handshake.</returns>
		/// <exception cref="InvalidOperationException">The stream is already authenticated.</exception>
		public virtual IAsyncResult BeginAuthenticateAsClient (string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState)
		{
			if (IsAuthenticated)
				throw new InvalidOperationException ("This SslStream is already authenticated");

			var client = new SslClientStream (InnerStream, targetHost, !LeaveInnerStreamOpen, GetMonoSslProtocol (enabledSslProtocols), clientCertificates);
			client.CheckCertRevocationStatus = checkCertificateRevocation;

			// Mono.Security passes a key-less copy of the chosen certificate, so the matching
			// entry in the caller's collection (found by certificate hash) supplies the key.
			// NOTE(review): clientCertificates is enumerated without a null check; confirm
			// Mono.Security never invokes this delegate when the collection is null.
			client.PrivateKeyCertSelectionDelegate = (cert, host) => {
				string wanted = cert.GetCertHashString ();
				foreach (X509Certificate candidate in clientCertificates) {
					if (candidate.GetCertHashString () != wanted)
						continue;
					var withKey = candidate as X509Certificate2;
					if (withKey == null)
						withKey = new X509Certificate2 (candidate);
					return withKey.PrivateKey;
				}
				return null;
			};

#if MONOTOUCH || MONODROID
			// On these platforms the chain is always validated through the helper, whether or
			// not the user supplied validation_callback, so a client that merely authenticates
			// to a site still gets its peer checked
			// (see https://bugzilla.xamarin.com/show_bug.cgi?id=18962 for an example).
			var helper = new ServicePointManager.ChainValidationHelper (this, targetHost);
			helper.ServerCertificateValidationCallback = validation_callback;
			client.ServerCertValidation2 += new CertificateValidationCallback2 (helper.ValidateChain);
#else
			// NOTE(review): when validation_callback is null no ServerCertValidationDelegate is
			// attached here, so acceptance of the server certificate is left entirely to
			// Mono.Security's built-in behaviour — confirm that default rejects untrusted chains.
			if (validation_callback != null) {
				client.ServerCertValidationDelegate = (cert, certErrors) => {
					var x2 = cert as X509Certificate2;
					if (x2 == null)
						x2 = new X509Certificate2 (cert);

					var chain = new X509Chain ();
					// NOTE(review): revocation for this managed chain follows the global
					// ServicePointManager flag, not the checkCertificateRevocation argument
					// of this call; the two can disagree.
					if (!ServicePointManager.CheckCertificateRevocationList)
						chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

					// Map the SSL-level error codes reported by Mono.Security.dll onto
					// SslPolicyErrors. NOTE(review): CERT_E_PURPOSE is surfaced as
					// RemoteCertificateNotAvailable rather than a chain error, so a callback
					// keying on RemoteCertificateChainErrors will not see an EKU failure —
					// confirm this mapping is intended.
					SslPolicyErrors errors = SslPolicyErrors.None;
					foreach (int code in certErrors) {
						if (code == -2146762490)        // CERT_E_PURPOSE
							errors |= SslPolicyErrors.RemoteCertificateNotAvailable;
						else if (code == -2146762481)   // CERT_E_CN_NO_MATCH
							errors |= SslPolicyErrors.RemoteCertificateNameMismatch;
						else
							errors |= SslPolicyErrors.RemoteCertificateChainErrors;
					}

					chain.Build (x2);

					// Fold the non-SSL (RFC 3280 style) chain results in: a partial chain is
					// reported as "not available", any other status as a chain error.
					foreach (X509ChainStatus status in chain.ChainStatus) {
						if (status.Status == X509ChainStatusFlags.NoError)
							continue;
						bool partial = (status.Status & X509ChainStatusFlags.PartialChain) != 0;
						errors |= partial
							? SslPolicyErrors.RemoteCertificateNotAvailable
							: SslPolicyErrors.RemoteCertificateChainErrors;
					}

					return validation_callback (this, cert, chain, errors);
				};
			}
#endif
			if (selection_callback != null)
				client.ClientCertSelectionDelegate = OnCertificateSelection;

			ssl_stream = client;

			// A zero-length write is what kicks off the handshake in Mono.Security.
			return BeginWrite (new byte [0], 0, 0, asyncCallback, asyncState);
		}
ファイル: SslStream.cs プロジェクト: runefs/Marvin
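		/// <summary>
		/// Starts the server-side TLS handshake over <c>InnerStream</c> using the legacy
		/// Mono.Security <see cref="SslServerStream"/>.
		/// </summary>
		/// <param name="serverCertificate">Certificate presented to the client; its private key is
		/// resolved through <c>PrivateKeyCertSelectionDelegate</c>.</param>
		/// <param name="clientCertificateRequired">Passed straight to the Mono.Security constructor.</param>
		/// <param name="sslProtocolType">Allowed protocols, mapped via <c>GetMonoSslProtocol</c>.</param>
		/// <param name="checkCertificateRevocation">Forwarded to <c>CheckCertRevocationStatus</c>.</param>
		/// <param name="callback">Completion callback for the handshake read.</param>
		/// <param name="asyncState">User state carried by the async result.</param>
		/// <returns>The async result of the zero-length read that drives the handshake.</returns>
		/// <exception cref="InvalidOperationException">The stream is already authenticated.</exception>
		public virtual IAsyncResult BeginAuthenticateAsServer (X509Certificate serverCertificate, bool clientCertificateRequired, SslProtocols sslProtocolType, bool checkCertificateRevocation, AsyncCallback callback, object asyncState)
		{
			if (IsAuthenticated)
				throw new InvalidOperationException ("This SslStream is already authenticated");

			SslServerStream s = new SslServerStream (InnerStream, serverCertificate, clientCertificateRequired, !LeaveInnerStreamOpen, GetMonoSslProtocol (sslProtocolType));
			s.CheckCertRevocationStatus = checkCertificateRevocation;

			// Mono.Security re-creates the certificate it passes to this delegate without
			// the private key, so the key must come from the caller's serverCertificate
			// and not from the delegate argument.
			s.PrivateKeyCertSelectionDelegate = delegate (X509Certificate cert, string targetHost) {
				X509Certificate2 cert2 = serverCertificate as X509Certificate2 ?? new X509Certificate2 (serverCertificate);
				return cert2 != null ? cert2.PrivateKey : null;
			};

			// NOTE(review): when validation_callback is null no delegate is attached, so
			// acceptance of a client certificate falls back to Mono.Security's built-in
			// behaviour even when clientCertificateRequired is true — confirm that default.
			if (validation_callback != null)
				s.ClientCertValidationDelegate = delegate (X509Certificate cert, int [] certErrors) {
					// Build a chain whenever a certificate was presented, wrapping a plain
					// X509Certificate in X509Certificate2 as the client path does. Previously
					// a non-X509Certificate2 instance left `chain` null for the callback.
					X509Chain chain = null;
					if (cert != null) {
						X509Certificate2 cert2 = cert as X509Certificate2 ?? new X509Certificate2 (cert);
						chain = new X509Chain ();
						chain.Build (cert2);
					}
					// FIXME: SslPolicyErrors is incomplete — every Mono.Security error code is
					// collapsed into RemoteCertificateChainErrors and chain.ChainStatus is not
					// folded in, so the callback must inspect the chain itself.
					SslPolicyErrors errors = certErrors.Length > 0 ? SslPolicyErrors.RemoteCertificateChainErrors : SslPolicyErrors.None;
					return validation_callback (this, cert, chain, errors);
				};

			ssl_stream = s;

			// Unlike the client path this starts with a zero-length read rather than a write —
			// presumably because the server must first receive the ClientHello.
			return BeginRead (new byte [0], 0, 0, callback, asyncState);
		}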