protected MobileTlsContext(MobileAuthenticatedStream parent, MonoSslAuthenticationOptions options)
        {
            Parent           = parent;
            Options          = options;
            IsServer         = options.ServerMode;
            EnabledProtocols = options.EnabledSslProtocols;

            if (options.ServerMode)
            {
                LocalServerCertificate  = options.ServerCertificate;
                AskForClientCertificate = options.ClientCertificateRequired;
            }
            else
            {
                ClientCertificates = options.ClientCertificates;
                TargetHost         = options.TargetHost;
                ServerName         = options.TargetHost;
                if (!string.IsNullOrEmpty(ServerName))
                {
                    var pos = ServerName.IndexOf(':');
                    if (pos > 0)
                    {
                        ServerName = ServerName.Substring(0, pos);
                    }
                }
            }

            certificateValidator = (ICertificateValidator2)ChainValidationHelper.GetInternalValidator(
                parent.SslStream, parent.Provider, parent.Settings);
        }
Пример #2
0
 public LegacySslStream(Stream innerStream, bool leaveInnerStreamOpen, MonoTlsProvider provider, MonoTlsSettings settings)
     : base(innerStream, leaveInnerStreamOpen)
 {
     this.provider             = provider;
     this.settings             = settings;
     this.certificateValidator = ChainValidationHelper.GetDefaultValidator(provider, settings);
 }
Пример #3
0
        internal static ChainValidationHelper Create(MonoTlsProvider provider, ref MonoTlsSettings settings, MonoTlsStream stream)
        {
            var helper = new ChainValidationHelper(provider, settings, true, stream, null);

            settings = helper.settings;
            return(helper);
        }
Пример #4
0
 internal static object GetDefaultCertificateValidator(object settings)
 {
                 #if SECURITY_DEP
     return(ChainValidationHelper.GetDefaultValidator((MSI.MonoTlsSettings)settings));
                 #else
     throw new NotSupportedException();
                 #endif
 }
Пример #5
0
 internal static object GetInternalValidator(object provider, object settings)
 {
                 #if SECURITY_DEP
     return(ChainValidationHelper.GetInternalValidator((MSI.MonoTlsProvider)provider, (MSI.MonoTlsSettings)settings));
                 #else
     throw new NotSupportedException();
                 #endif
 }
Пример #6
0
 internal override bool ValidateCertificate(
     MNS.ChainValidationHelper validator, string targetHost, bool serverMode,
     X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain,
     ref SslPolicyErrors errors, ref int status11)
 {
     if (wantsChain)
     {
         chain = MNS.SystemCertificateValidator.CreateX509Chain(certificates);
     }
     return(AppleCertificateHelper.InvokeSystemCertificateValidator(validator, targetHost, serverMode, certificates, ref errors, ref status11));
 }
Пример #7
0
        public MonoTlsStream(HttpWebRequest request, NetworkStream networkStream)
        {
            this.request       = request;
            this.networkStream = networkStream;

            settings = request.TlsSettings;
            provider = request.TlsProvider ?? MonoTlsProviderFactory.GetProviderInternal();
            status   = WebExceptionStatus.SecureChannelFailure;

            /*validationHelper =*/ ChainValidationHelper.Create(provider.Provider, ref settings, this);
        }
Пример #8
0
        ChainValidationHelper(ChainValidationHelper other, MonoTlsSettings settings, ServerCertValidationCallbackWrapper callbackWrapper = null)
        {
            sender = other.sender;
            certValidationCallback = other.certValidationCallback;
            certSelectionCallback  = other.certSelectionCallback;
            tlsStream = other.tlsStream;
            request   = other.request;

            this.settings        = settings = settings.CloneWithValidator(this);
            this.callbackWrapper = callbackWrapper;
        }
Пример #9
0
        public override bool ValidateCertificate(ChainValidationHelper validator, string targetHost, bool serverMode,
                                                 X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain, ref SslPolicyErrors errors,
                                                 ref int status11)
        {
            if (wantsChain)
            {
                chain = SystemCertificateValidator.CreateX509Chain(certificates);
            }
            var result = SystemCertificateValidator.Evaluate(validator.Settings, targetHost, certificates, chain,
                                                             ref errors, ref status11);

            return(result);
        }
        public static bool InvokeSystemCertificateValidator(
            MNS.ChainValidationHelper validator, string targetHost, bool serverMode,
            X509CertificateCollection certificates,
            ref SslPolicyErrors errors, ref int status11)
        {
            if (certificates == null)
            {
                errors |= SslPolicyErrors.RemoteCertificateNotAvailable;
                return(false);
            }

            if (!string.IsNullOrEmpty(targetHost))
            {
                var pos = targetHost.IndexOf(':');
                if (pos > 0)
                {
                    targetHost = targetHost.Substring(0, pos);
                }
            }

            using (var policy = SecPolicy.CreateSslPolicy(!serverMode, targetHost))
                using (var trust = new SecTrust(certificates, policy)) {
                    if (validator.Settings.TrustAnchors != null)
                    {
                        var status = trust.SetAnchorCertificates(validator.Settings.TrustAnchors);
                        if (status != SecStatusCode.Success)
                        {
                            throw new InvalidOperationException(status.ToString());
                        }
                        trust.SetAnchorCertificatesOnly(false);
                    }

                    if (validator.Settings.CertificateValidationTime != null)
                    {
                        var status = trust.SetVerifyDate(validator.Settings.CertificateValidationTime.Value);
                        if (status != SecStatusCode.Success)
                        {
                            throw new InvalidOperationException(status.ToString());
                        }
                    }

                    var result = trust.Evaluate();
                    if (result == SecTrustResult.Unspecified || result == SecTrustResult.Proceed)
                    {
                        return(true);
                    }

                    errors |= SslPolicyErrors.RemoteCertificateChainErrors;
                    return(false);
                }
        }
Пример #11
0
        /*
         * This is a hack which is used in SslStream - see ReferenceSources/SslStream.cs for details.
         */
        internal static ChainValidationHelper CloneWithCallbackWrapper(MonoTlsProvider provider, ref MonoTlsSettings settings, ServerCertValidationCallbackWrapper wrapper)
        {
            var helper = (ChainValidationHelper)settings.CertificateValidator;

            if (helper == null)
            {
                helper = new ChainValidationHelper(provider, settings, true, null, wrapper);
            }
            else
            {
                helper = new ChainValidationHelper(helper, provider, settings, wrapper);
            }
            settings = helper.settings;
            return(helper);
        }
Пример #12
0
        public MonoTlsStream(HttpWebRequest request, NetworkStream networkStream)
        {
#if SECURITY_DEP
            this.request       = request;
            this.networkStream = networkStream;

            settings = request.TlsSettings;
            provider = request.TlsProvider ?? MonoTlsProviderFactory.GetProviderInternal();
            status   = WebExceptionStatus.SecureChannelFailure;

            ChainValidationHelper.Create(provider, ref settings, this);
#else
            throw new PlatformNotSupportedException(EXCEPTION_MESSAGE);
#endif
        }
Пример #13
0
        internal override bool ValidateCertificate(
            MNS.ChainValidationHelper validator, string targetHost, bool serverMode,
            X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain,
            ref SslPolicyErrors errors, ref int status11)
        {
            if (chain != null)
            {
                var chainImpl = (X509ChainImplBtls)chain.Impl;
                var success   = chainImpl.StoreCtx.VerifyResult == 1;
                CheckValidationResult(
                    validator, targetHost, serverMode, certificates,
                    wantsChain, chain, chainImpl.StoreCtx,
                    success, ref errors, ref status11);
                return(success);
            }

            using (var store = new MonoBtlsX509Store())
                using (var nativeChain = MonoBtlsProvider.GetNativeChain(certificates))
                    using (var param = GetVerifyParam(validator.Settings, targetHost, serverMode))
                        using (var storeCtx = new MonoBtlsX509StoreCtx()) {
                            SetupCertificateStore(store, validator.Settings, serverMode);

                            storeCtx.Initialize(store, nativeChain);

                            storeCtx.SetVerifyParam(param);

                            var ret = storeCtx.Verify();

                            var success = ret == 1;

                            if (wantsChain && chain == null)
                            {
                                chain = GetManagedChain(nativeChain);
                            }

                            CheckValidationResult(
                                validator, targetHost, serverMode, certificates,
                                wantsChain, null, storeCtx,
                                success, ref errors, ref status11);
                            return(success);
                        }
        }
Пример #14
0
        void CheckValidationResult(
            MNS.ChainValidationHelper validator, string targetHost, bool serverMode,
            X509CertificateCollection certificates, bool wantsChain,
            X509Chain chain, MonoBtlsX509StoreCtx storeCtx,
            bool success, ref SslPolicyErrors errors, ref int status11)
        {
            status11 = unchecked ((int)0);
            if (success)
            {
                return;
            }
            errors = SslPolicyErrors.RemoteCertificateChainErrors;
            if (!wantsChain || storeCtx == null || chain == null)
            {
                status11 = unchecked ((int)0x800B010B);
                return;
            }
            var error = storeCtx.GetError();

            switch (error)
            {
            case Mono.Btls.MonoBtlsX509Error.OK:
                errors = SslPolicyErrors.None;
                break;

            case Mono.Btls.MonoBtlsX509Error.CRL_NOT_YET_VALID:
                break;

            case MonoBtlsX509Error.HOSTNAME_MISMATCH:
                errors = SslPolicyErrors.RemoteCertificateNameMismatch;
                chain.Impl.AddStatus(X509ChainStatusFlags.UntrustedRoot);
                status11 = unchecked ((int)0x800B010B);
                break;

            default:
                chain.Impl.AddStatus(MapVerifyErrorToChainStatus(error));
                status11 = unchecked ((int)0x800B010B);
                break;
            }
        }
		/*
		 * This is a hack which is used in SslStream - see ReferenceSources/SslStream.cs for details.
		 */
		internal static ChainValidationHelper CloneWithCallbackWrapper (MonoTlsProvider provider, ref MonoTlsSettings settings, ServerCertValidationCallbackWrapper wrapper)
		{
			var helper = (ChainValidationHelper)settings.CertificateValidator;
			if (helper == null)
				helper = new ChainValidationHelper (provider, settings, true, null, wrapper);
			else
				helper = new ChainValidationHelper (helper, provider, settings, wrapper);
			settings = helper.settings;
			return helper;
		}
Пример #16
0
		public MonoTlsStream (HttpWebRequest request, NetworkStream networkStream)
		{
			this.request = request;
			this.networkStream = networkStream;

			settings = request.TlsSettings;
			provider = request.TlsProvider ?? MonoTlsProviderFactory.GetProviderInternal ();
			status = WebExceptionStatus.SecureChannelFailure;

			validationHelper = ChainValidationHelper.Create (provider.Provider, ref settings, this);
		}
Пример #17
0
 /*
  * If @serverMode is true, then we're a server and want to validate a certificate
  * that we received from a client.
  *
  * On OS X and Mobile, the @chain will be initialized with the @certificates, but not actually built.
  *
  * Returns `true` if certificate validation has been performed and `false` to invoke the
  * default system validator.
  */
 internal abstract bool ValidateCertificate(
     ChainValidationHelper validator, string targetHost, bool serverMode,
     X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain,
     ref SslPolicyErrors errors, ref int status11);
		internal static ChainValidationHelper Create (MonoTlsProvider provider, ref MonoTlsSettings settings, MonoTlsStream stream)
		{
			var helper = new ChainValidationHelper (provider, settings, true, stream, null);
			settings = helper.settings;
			return helper;
		}
		ChainValidationHelper (ChainValidationHelper other, MonoTlsProvider provider, MonoTlsSettings settings, ServerCertValidationCallbackWrapper callbackWrapper = null)
		{
			sender = other.sender;
			certValidationCallback = other.certValidationCallback;
			certSelectionCallback = other.certSelectionCallback;
			tlsStream = other.tlsStream;
			request = other.request;

			if (settings == null)
				settings = MonoTlsSettings.DefaultSettings;

			this.provider = provider;
			this.settings = settings.CloneWithValidator (this);
			this.callbackWrapper = callbackWrapper;
		}