public static SslPolicyErrors VerifyResultToPolicyErrror(UnityTls.unitytls_x509verify_result verifyResult)
{
// First, check "non-flags"
if (verifyResult == UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_SUCCESS)
{
return(SslPolicyErrors.None);
}
if (verifyResult == UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FATAL_ERROR)
{
return(SslPolicyErrors.RemoteCertificateChainErrors);
}
var error = SslPolicyErrors.None;
if (verifyResult.HasFlag(UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_CN_MISMATCH))
{
error |= SslPolicyErrors.RemoteCertificateNameMismatch;
}
// Anything else translates to MonoSslPolicyErrors.RemoteCertificateChainErrors. So if it is not the only flag, add it.
if (verifyResult != UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_CN_MISMATCH)
{
error |= SslPolicyErrors.RemoteCertificateChainErrors;
}
return(error);
}
public static X509ChainStatusFlags VerifyResultToChainStatus(UnityTls.unitytls_x509verify_result verifyResult)
{
// First, check "non-flags"
if (verifyResult == UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_SUCCESS)
{
return(X509ChainStatusFlags.NoError);
}
if (verifyResult == UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FATAL_ERROR)
{
return(X509ChainStatusFlags.UntrustedRoot); // Inaccurate, throw exception instead?
}
// Yes, we ignore user error flags here. They still affect if a chain is accepted, but they are not status flags of the chain!
var error = X509ChainStatusFlags.NoError;
if (verifyResult.HasFlag(UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_EXPIRED))
{
error |= X509ChainStatusFlags.NotTimeValid;
}
if (verifyResult.HasFlag(UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_REVOKED))
{
error |= X509ChainStatusFlags.Revoked;
}
if (verifyResult.HasFlag(UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_CN_MISMATCH))
{
// Unclear what to return, behaving like Mono's BTLS impl
// https://github.com/mono/mono/blob/1553889bc54f87060158febca7e6b8b9910975f8/mcs/class/System/Mono.Btls/MonoBtlsProvider.cs#L312
error |= X509ChainStatusFlags.UntrustedRoot;
}
if (verifyResult.HasFlag(UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_NOT_TRUSTED))
{
error |= X509ChainStatusFlags.UntrustedRoot;
}
return(error);
}
public static void CheckAndThrow(UnityTls.unitytls_errorstate errorState,
UnityTls.unitytls_x509verify_result verifyResult, string context,
AlertDescription defaultAlert = AlertDescription.InternalError)
{
// Ignore verify result if verification is not the issue.
if (verifyResult == UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_SUCCESS)
{
CheckAndThrow(errorState, context, defaultAlert);
return;
}
var alert = UnityTlsConversions.VerifyResultToAlertDescription(verifyResult, defaultAlert);
var message = string.Format("{0} - error code: {1}, verify result: {2}", context, errorState.code,
verifyResult);
throw new TlsException(alert, message);
}
public static AlertDescription VerifyResultToAlertDescription(UnityTls.unitytls_x509verify_result verifyResult,
AlertDescription defaultAlert = AlertDescription.InternalError)
{
if (verifyResult == UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FATAL_ERROR)
{
return(AlertDescription.CertificateUnknown);
}
if (verifyResult.HasFlag(UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_EXPIRED))
{
return(AlertDescription.CertificateExpired);
}
if (verifyResult.HasFlag(UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_REVOKED))
{
return(AlertDescription.CertificateRevoked);
}
if (verifyResult.HasFlag(UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_CN_MISMATCH))
{
return(AlertDescription.UnknownCA);
}
if (verifyResult.HasFlag(UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_NOT_TRUSTED))
{
return(AlertDescription.CertificateUnknown);
}
if (verifyResult.HasFlag(UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_USER_ERROR1))
{
return(AlertDescription.UserCancelled);
}
if (verifyResult.HasFlag(UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_USER_ERROR2))
{
return(AlertDescription.UserCancelled);
}
if (verifyResult.HasFlag(UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_USER_ERROR2))
{
return(AlertDescription.UserCancelled);
}
if (verifyResult.HasFlag(UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_USER_ERROR3))
{
return(AlertDescription.UserCancelled);
}
if (verifyResult.HasFlag(UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_USER_ERROR4))
{
return(AlertDescription.UserCancelled);
}
if (verifyResult.HasFlag(UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_USER_ERROR5))
{
return(AlertDescription.UserCancelled);
}
if (verifyResult.HasFlag(UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_USER_ERROR6))
{
return(AlertDescription.UserCancelled);
}
if (verifyResult.HasFlag(UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_USER_ERROR7))
{
return(AlertDescription.UserCancelled);
}
if (verifyResult.HasFlag(UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_USER_ERROR8))
{
return(AlertDescription.UserCancelled);
}
return(defaultAlert);
}
