        // Evaluates @certificates against an Apple SecTrust SSL policy built for
        // @targetHost.  Always returns true ("validation was performed"); the
        // actual verdict is reported through @success, and a failed evaluation
        // is additionally recorded on @errors as RemoteCertificateChainErrors.
        // @targetHost is used verbatim — unlike the helper variant that strips a
        // ":port" suffix, no normalization happens here, so callers are expected
        // to pass a bare host name (confirm at the call site).  @status11 is not
        // modified.
        public static bool InvokeSystemCertificateValidator(
            ICertificateValidator2 validator, string targetHost, bool serverMode,
            X509CertificateCollection certificates, out bool success,
            ref MonoSslPolicyErrors errors, ref int status11)
        {
            // No peer certificate at all: fail closed without touching SecTrust.
            if (certificates == null)
            {
                errors |= MonoSslPolicyErrors.RemoteCertificateNotAvailable;
                success = false;
                return true;
            }

            // A client validates a server certificate and vice versa, hence the inverted flag.
            var sslPolicy = SecPolicy.CreateSslPolicy(!serverMode, targetHost);
            var evaluation = new SecTrust(certificates, sslPolicy);

            var anchors = validator.Settings.TrustAnchors;
            if (anchors != null)
            {
                var anchorStatus = evaluation.SetAnchorCertificates(anchors);
                if (anchorStatus != SecStatusCode.Success)
                {
                    throw new InvalidOperationException(anchorStatus.ToString());
                }
                // Configured anchors supplement the system roots rather than replace them.
                evaluation.SetAnchorCertificatesOnly(false);
            }

            // Only an unqualified "trusted by policy" verdict is accepted; every
            // other evaluation result is reported as a chain error.
            var verdict = evaluation.Evaluate();
            if (verdict != SecTrustResult.Unspecified)
            {
                errors |= MonoSslPolicyErrors.RemoteCertificateChainErrors;
                success = false;
                return true;
            }

            success = true;
            return true;
        }
 /*
  * Hook for platform backends that can hand certificate validation to the
  * operating system's own validator.
  *
  * If @serverMode is true, then we're a server and want to validate a certificate
  * that we received from a client.
  *
  * On OS X and Mobile, the @chain will be initialized with the @certificates, but not actually built.
  *
  * Returns `true` if certificate validation has been performed and `false` to invoke the
  * default system validator.  When it returns `true`, the verdict is in @success and
  * policy failures are OR-ed into @errors.
  *
  * This base implementation has no system validator to call and always throws
  * InvalidOperationException; a backend that supports one must override it.
  */
 internal virtual bool InvokeSystemCertificateValidator(
     ICertificateValidator2 validator, string targetHost, bool serverMode,
     X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain,
     out bool success, ref MonoSslPolicyErrors errors, ref int status11)
 {
     throw new InvalidOperationException();
 }
        // Captures the owning stream and the authentication options, copies the
        // role-specific settings (server certificate / client-certificate policy
        // on the server side, client certificates and target host on the client
        // side) and resolves the internal certificate validator for the stream.
        protected MobileTlsContext(MobileAuthenticatedStream parent, MonoSslAuthenticationOptions options)
        {
            Parent           = parent;
            Options          = options;
            IsServer         = options.ServerMode;
            EnabledProtocols = options.EnabledSslProtocols;

            if (!options.ServerMode)
            {
                ClientCertificates = options.ClientCertificates;

                var host = options.TargetHost;
                TargetHost = host;

                // ServerName is the target host without a trailing ":port"
                // (presumably what is sent as SNI / checked against the
                // certificate — confirm).  The cut is at the first colon, so an
                // unbracketed IPv6 literal would be truncated at its first group.
                if (string.IsNullOrEmpty(host))
                {
                    ServerName = host;
                }
                else
                {
                    var colon = host.IndexOf(':');
                    ServerName = colon > 0 ? host.Substring(0, colon) : host;
                }
            }
            else
            {
                LocalServerCertificate  = options.ServerCertificate;
                AskForClientCertificate = options.ClientCertificateRequired;
            }

            certificateValidator = (ICertificateValidator2)ChainValidationHelper.GetInternalValidator(
                parent.SslStream, parent.Provider, parent.Settings);
        }
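        // Apple backend context.  Stores the connection parameters, validates the
        // server-side requirements, allocates a GCHandle on this instance so the
        // native read/write callbacks can be routed back to it (connectionId is
        // that handle as an IntPtr), and resolves the default certificate validator.
        // Throws ArgumentNullException when a server context has no certificate
        // to present.  The argument check runs before GCHandle.Alloc: a handle
        // allocated and then abandoned by a throw is never freed and keeps the
        // half-built context reachable forever.
        public AppleTlsContext(
            MobileAuthenticatedStream parent, MonoTlsSettings settings,
            AppleTlsProvider provider, bool serverMode, string targetHost,
            SSA.SslProtocols enabledProtocols, X509Certificate serverCertificate,
            X509CertificateCollection clientCertificates, bool askForClientCert)
        {
            this.parent             = parent;
            this.settings           = settings;
            this.provider           = provider;
            this.serverMode         = serverMode;
            this.targetHost         = targetHost;
            this.enabledProtocols   = enabledProtocols;
            this.serverCertificate  = serverCertificate;
            this.clientCertificates = clientCertificates;
            this.askForClientCert   = askForClientCert;

            // Fail fast, and before any unmanaged/handle state exists: a server
            // has nothing to present without a certificate.
            if (IsServer && serverCertificate == null)
            {
                throw new ArgumentNullException("serverCertificate");
            }

            // The native callbacks are handed connectionId; presumably they map
            // it back to this object through the GCHandle — confirm in the callbacks.
            handle       = GCHandle.Alloc(this);
            connectionId = GCHandle.ToIntPtr(handle);
            readFunc     = NativeReadCallback;
            writeFunc    = NativeWriteCallback;

            certificateValidator = CertificateValidationHelper.GetDefaultValidator(settings, provider);
        }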
        // Base context for the mobile TLS backends: records the connection
        // parameters, derives serverName from targetHost (a trailing ":port" is
        // removed) and resolves the internal certificate validator.
        public MobileTlsContext(
            MobileAuthenticatedStream parent, bool serverMode, string targetHost,
            SslProtocols enabledProtocols, X509Certificate serverCertificate,
            X509CertificateCollection clientCertificates, bool askForClientCert)
        {
            this.parent = parent;
            this.serverMode = serverMode;
            this.targetHost = targetHost;
            this.enabledProtocols = enabledProtocols;
            this.serverCertificate = serverCertificate;
            this.clientCertificates = clientCertificates;
            this.askForClientCert = askForClientCert;

            // The cut is at the first colon, so an unbracketed IPv6 literal would
            // be truncated at its first group as well.  Null/empty passes through.
            var colon = string.IsNullOrEmpty(targetHost) ? -1 : targetHost.IndexOf(':');
            serverName = colon > 0 ? targetHost.Substring(0, colon) : targetHost;

            certificateValidator = CertificateValidationHelper.GetInternalValidator(
                parent.Settings, parent.Provider);
        }
 // Apple backend.  When the caller wants a chain it only gets one seeded with
 // @certificates (it is not built here); the trust decision itself is
 // delegated to the SecTrust-based helper, whose bool result is the verdict.
 internal override bool ValidateCertificate(
     ICertificateValidator2 validator, string targetHost, bool serverMode,
     X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain,
     ref MonoSslPolicyErrors errors, ref int status11)
 {
     if (wantsChain)
     {
         chain = MNS.SystemCertificateValidator.CreateX509Chain(certificates);
     }

     var trusted = AppleCertificateHelper.InvokeSystemCertificateValidator(
         validator, targetHost, serverMode, certificates, ref errors, ref status11);
     return trusted;
 }
        // Runs the configured validator and reduces its result to a yes/no: the
        // peer is accepted only when a result exists, it is marked Trusted, and
        // the user callback has not denied it.  A null result fails closed.
        public static bool Validate(string targetHost, bool serverMode, ICertificateValidator2 validator, X509CertificateCollection certificates)
        {
            var verdict = validator.ValidateCertificate(targetHost, serverMode, certificates);
            if (verdict == null)
            {
                return false;
            }

            return verdict.Trusted && !verdict.UserDenied;
        }
        // Evaluates @certificates with Apple's SecTrust against an SSL policy for
        // @targetHost and returns the verdict directly (true = trusted).  A failed
        // evaluation is also recorded on @errors; a missing peer certificate is
        // reported as RemoteCertificateNotAvailable.  Trust anchors and a fixed
        // validation time from the validator settings are applied when present.
        // @status11 is not modified.
        public static bool InvokeSystemCertificateValidator(
            ICertificateValidator2 validator, string targetHost, bool serverMode,
            X509CertificateCollection certificates,
            ref MonoSslPolicyErrors errors, ref int status11)
        {
            if (certificates == null)
            {
                errors |= MonoSslPolicyErrors.RemoteCertificateNotAvailable;
                return false;
            }

            // Drop a ":port" suffix so the policy sees a bare host name.  The cut
            // is at the first colon, so an unbracketed IPv6 literal is truncated too.
            var hostName = targetHost;
            if (!string.IsNullOrEmpty(hostName))
            {
                var colon = hostName.IndexOf(':');
                if (colon > 0)
                {
                    hostName = hostName.Substring(0, colon);
                }
            }

            // A client validates a server certificate and vice versa, hence the inverted flag.
            var sslPolicy = SecPolicy.CreateSslPolicy(!serverMode, hostName);
            var evaluation = new SecTrust(certificates, sslPolicy);

            var settings = validator.Settings;
            if (settings.TrustAnchors != null)
            {
                var rc = evaluation.SetAnchorCertificates(settings.TrustAnchors);
                if (rc != SecStatusCode.Success)
                {
                    throw new InvalidOperationException(rc.ToString());
                }
                // Configured anchors supplement the system roots rather than replace them.
                evaluation.SetAnchorCertificatesOnly(false);
            }

            if (settings.CertificateValidationTime != null)
            {
                // Pin the "now" used for validity-period checks.
                var rc = evaluation.SetVerifyDate(settings.CertificateValidationTime.Value);
                if (rc != SecStatusCode.Success)
                {
                    throw new InvalidOperationException(rc.ToString());
                }
            }

            // Only an unqualified "trusted by policy" verdict is accepted; every
            // other evaluation result is reported as a chain error.
            var verdict = evaluation.Evaluate();
            if (verdict == SecTrustResult.Unspecified)
            {
                return true;
            }

            errors |= MonoSslPolicyErrors.RemoteCertificateChainErrors;
            return false;
        }
        // Base context for the mobile TLS backends: records the connection
        // parameters and resolves the default certificate validator from the
        // parent stream's settings and provider.  No host-name normalization
        // is done in this variant.
        public MobileTlsContext(
            MobileAuthenticatedStream parent, bool serverMode, string targetHost,
            SslProtocols enabledProtocols, X509Certificate serverCertificate,
            X509CertificateCollection clientCertificates, bool askForClientCert)
        {
            this.parent = parent;

            // Role and peer.
            this.serverMode = serverMode;
            this.targetHost = targetHost;
            this.enabledProtocols = enabledProtocols;

            // Credentials offered / requested.
            this.serverCertificate = serverCertificate;
            this.clientCertificates = clientCertificates;
            this.askForClientCert = askForClientCert;

            certificateValidator = CertificateValidationHelper.GetDefaultValidator(
                parent.Settings, parent.Provider);
        }
		// Base context for the mobile TLS backends: records the connection
		// parameters and resolves the internal certificate validator from the
		// parent stream's settings and provider.
		public MobileTlsContext (
			MobileAuthenticatedStream parent, bool serverMode, string targetHost,
			SslProtocols enabledProtocols, X509Certificate serverCertificate,
			X509CertificateCollection clientCertificates, bool askForClientCert)
		{
			this.parent = parent;

			// Role and peer.
			this.serverMode = serverMode;
			this.targetHost = targetHost;
			this.enabledProtocols = enabledProtocols;

			// Credentials offered / requested.
			this.serverCertificate = serverCertificate;
			this.clientCertificates = clientCertificates;
			this.askForClientCert = askForClientCert;

			certificateValidator = CertificateValidationHelper.GetInternalValidator (
				parent.Settings, parent.Provider);
		}
        // Picks the client certificate to present to @targetHost.  The validator
        // (i.e. the application's selection callback) has first say; if it does
        // not select one, a single configured certificate is used automatically.
        // Returns null when there is nothing to present.  With several candidates
        // and no callback decision the method throws NotImplementedException
        // rather than guessing — picking one silently would present an identity
        // the application never chose.
        public static X509Certificate SelectClientCertificate(string targetHost, ICertificateValidator2 validator, X509CertificateCollection clientCertificates, X509Certificate serverCertificate)
        {
            X509Certificate chosen;
            if (validator.SelectClientCertificate (targetHost, clientCertificates, serverCertificate, null, out chosen))
                return chosen;

            var candidates = clientCertificates == null ? 0 : clientCertificates.Count;
            switch (candidates) {
            case 0:
                return null;
            case 1:
                return clientCertificates [0];
            default:
                // FIXME: select one.
                throw new NotImplementedException ();
            }
        }
        // BTLS backend.  If a chain was already built, the verify result recorded
        // on its store context is reused instead of verifying again (the cast
        // requires a BTLS-backed chain; any other implementation fails it).
        // Otherwise the certificates are verified in a fresh native store and
        // store context configured from the validator settings; the native
        // verify call reports success as 1.  In both paths CheckValidationResult
        // translates the outcome into @errors / @status11, and the bool returned
        // is the raw native verdict.
        internal override bool ValidateCertificate(
            ICertificateValidator2 validator, string targetHost, bool serverMode,
            X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain,
            ref MonoSslPolicyErrors errors, ref int status11)
        {
            if (chain != null)
            {
                var impl     = (X509ChainImplBtls)chain.Impl;
                var verified = impl.StoreCtx.VerifyResult == 1;
                CheckValidationResult(
                    validator, targetHost, serverMode, certificates,
                    wantsChain, chain, impl.StoreCtx,
                    verified, ref errors, ref status11);
                return verified;
            }

            // Disposal order is the reverse of declaration: context, params, chain, store.
            using (var store = new MonoBtlsX509Store())
            using (var nativeChain = MonoBtlsProvider.GetNativeChain(certificates))
            using (var param = GetVerifyParam(validator.Settings, targetHost, serverMode))
            using (var storeCtx = new MonoBtlsX509StoreCtx())
            {
                SetupCertificateStore(store, validator.Settings, serverMode);
                storeCtx.Initialize(store, nativeChain);
                storeCtx.SetVerifyParam(param);

                var verified = storeCtx.Verify() == 1;

                // Hand back a managed view of the native chain when requested.
                if (wantsChain && chain == null)
                {
                    chain = GetManagedChain(nativeChain);
                }

                // NOTE(review): the chain argument is null here even when one was
                // just built; presumably the store context carries everything
                // CheckValidationResult needs — confirm.
                CheckValidationResult(
                    validator, targetHost, serverMode, certificates,
                    wantsChain, null, storeCtx,
                    verified, ref errors, ref status11);
                return verified;
            }
        }
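        // Apple backend context.  The base constructor records the connection
        // parameters; this one validates the server-side requirement, allocates
        // a GCHandle on this instance so the native read/write callbacks can be
        // routed back to it (connectionId is that handle as an IntPtr), and
        // resolves the default certificate validator.  Throws
        // ArgumentNullException when a server context has no certificate to
        // present.  The check runs before GCHandle.Alloc: a handle allocated and
        // then abandoned by a throw is never freed and keeps the half-built
        // context reachable forever.
        public AppleTlsContext(
            MobileAuthenticatedStream parent, bool serverMode, string targetHost,
            SSA.SslProtocols enabledProtocols, X509Certificate serverCertificate,
            X509CertificateCollection clientCertificates, bool askForClientCert)
            : base(parent, serverMode, targetHost, enabledProtocols,
                   serverCertificate, clientCertificates, askForClientCert)
        {
            // Fail fast, and before any handle state exists: a server has
            // nothing to present without a certificate.
            if (IsServer && serverCertificate == null)
            {
                throw new ArgumentNullException("serverCertificate");
            }

            // The native callbacks are handed connectionId; presumably they map
            // it back to this object through the GCHandle — confirm in the callbacks.
            handle       = GCHandle.Alloc(this);
            connectionId = GCHandle.ToIntPtr(handle);
            readFunc     = NativeReadCallback;
            writeFunc    = NativeWriteCallback;

            certificateValidator = CertificateValidationHelper.GetDefaultValidator(Settings, Provider);
        }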
        // Picks the client certificate to present to @targetHost.  The validator
        // (i.e. the application's selection callback) has first say; if it does
        // not select one, a single configured certificate is used automatically.
        // Returns null when there is nothing to present.  With several candidates
        // and no callback decision the method throws NotImplementedException
        // rather than guessing — picking one silently would present an identity
        // the application never chose.
        public static X509Certificate SelectClientCertificate(string targetHost, ICertificateValidator2 validator, X509CertificateCollection clientCertificates, X509Certificate serverCertificate)
        {
            X509Certificate chosen;
            if (validator.SelectClientCertificate(targetHost, clientCertificates, serverCertificate, null, out chosen))
            {
                return chosen;
            }

            var candidates = clientCertificates == null ? 0 : clientCertificates.Count;
            switch (candidates)
            {
                case 0:
                    return null;
                case 1:
                    return clientCertificates [0];
                default:
                    // FIXME: select one.
                    throw new NotImplementedException();
            }
        }
		// Base context for the mobile TLS backends: records the connection
		// parameters, derives serverName from targetHost (a trailing ":port" is
		// removed) and resolves the internal certificate validator.
		public MobileTlsContext (
			MobileAuthenticatedStream parent, bool serverMode, string targetHost,
			SslProtocols enabledProtocols, X509Certificate serverCertificate,
			X509CertificateCollection clientCertificates, bool askForClientCert)
		{
			this.parent = parent;

			// Role and peer.
			this.serverMode = serverMode;
			this.targetHost = targetHost;
			this.enabledProtocols = enabledProtocols;

			// Credentials offered / requested.
			this.serverCertificate = serverCertificate;
			this.clientCertificates = clientCertificates;
			this.askForClientCert = askForClientCert;

			// The cut is at the first colon, so an unbracketed IPv6 literal would
			// be truncated at its first group as well.  Null/empty passes through.
			var colon = string.IsNullOrEmpty (targetHost) ? -1 : targetHost.IndexOf (':');
			serverName = colon > 0 ? targetHost.Substring (0, colon) : targetHost;

			certificateValidator = CertificateValidationHelper.GetInternalValidator (
				parent.Settings, parent.Provider);
		}
        // Evaluates @certificates against an Apple SecTrust SSL policy built for
        // @targetHost.  Always returns true ("validation was performed"); the
        // actual verdict is reported through @success, and a failed evaluation
        // is additionally recorded on @errors as RemoteCertificateChainErrors.
        // @targetHost is used verbatim — unlike the helper variant that strips a
        // ":port" suffix, no normalization happens here, so callers are expected
        // to pass a bare host name (confirm at the call site).  @status11 is not
        // modified.
        public static bool InvokeSystemCertificateValidator(
            ICertificateValidator2 validator, string targetHost, bool serverMode,
            X509CertificateCollection certificates, out bool success,
            ref MonoSslPolicyErrors errors, ref int status11)
        {
            // No peer certificate at all: fail closed without touching SecTrust.
            if (certificates == null)
            {
                errors |= MonoSslPolicyErrors.RemoteCertificateNotAvailable;
                success = false;
                return true;
            }

            // A client validates a server certificate and vice versa, hence the inverted flag.
            var sslPolicy  = SecPolicy.CreateSslPolicy(!serverMode, targetHost);
            var evaluation = new SecTrust(certificates, sslPolicy);

            var anchors = validator.Settings.TrustAnchors;
            if (anchors != null)
            {
                var anchorStatus = evaluation.SetAnchorCertificates(anchors);
                if (anchorStatus != SecStatusCode.Success)
                {
                    throw new InvalidOperationException(anchorStatus.ToString());
                }
                // Configured anchors supplement the system roots rather than replace them.
                evaluation.SetAnchorCertificatesOnly(false);
            }

            // Only an unqualified "trusted by policy" verdict is accepted; every
            // other evaluation result is reported as a chain error.
            success = evaluation.Evaluate() == SecTrustResult.Unspecified;
            if (!success)
            {
                errors |= MonoSslPolicyErrors.RemoteCertificateChainErrors;
            }

            return true;
        }
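        // Apple backend context.  Stores the connection parameters, validates the
        // server-side requirement, allocates a GCHandle on this instance so the
        // native read/write callbacks can be routed back to it (connectionId is
        // that handle as an IntPtr), sets up the I/O buffers and resolves the
        // default certificate validator.  Throws ArgumentNullException when a
        // server context has no certificate to present.  The check runs before
        // GCHandle.Alloc: a handle allocated and then abandoned by a throw is
        // never freed and keeps the half-built context reachable forever.
        public AppleTlsContext(
            MobileAuthenticatedStream parent, MonoTlsSettings settings,
            AppleTlsProvider provider, bool serverMode, string targetHost,
            SSA.SslProtocols enabledProtocols, X509Certificate serverCertificate,
            X509CertificateCollection clientCertificates, bool askForClientCert)
        {
            this.parent = parent;
            this.settings = settings;
            this.provider = provider;
            this.serverMode = serverMode;
            this.targetHost = targetHost;
            this.enabledProtocols = enabledProtocols;
            this.serverCertificate = serverCertificate;
            this.clientCertificates = clientCertificates;
            this.askForClientCert = askForClientCert;

            // Fail fast, and before any handle or buffer state exists: a server
            // has nothing to present without a certificate.
            if (IsServer && serverCertificate == null)
                throw new ArgumentNullException ("serverCertificate");

            // The native callbacks are handed connectionId; presumably they map
            // it back to this object through the GCHandle — confirm in the callbacks.
            handle = GCHandle.Alloc (this);
            connectionId = GCHandle.ToIntPtr (handle);
            readFunc = NativeReadCallback;
            writeFunc = NativeWriteCallback;

            // a bit higher than the default maximum fragment size
            readBuffer = new byte [16384];
            writeBuffer = new byte [16384];

            certificateValidator = CertificateValidationHelper.GetDefaultValidator (settings, provider);
        }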
        // Runs the configured validator and reduces its result to a yes/no: the
        // peer is accepted only when a result exists, it is marked Trusted, and
        // the user callback has not denied it.  A null result fails closed.
        public static bool Validate(string targetHost, bool serverMode, ICertificateValidator2 validator, X509CertificateCollection certificates)
        {
            var verdict  = validator.ValidateCertificate (targetHost, serverMode, certificates);
            var accepted = verdict != null && verdict.Trusted && !verdict.UserDenied;
            return accepted;
        }
 // Mobile backend: hands validation to the shared helper.  A requested chain
 // is only seeded with @certificates, not built.  The helper's return value
 // says whether validation was performed; the verdict itself is in @success.
 internal override bool InvokeSystemCertificateValidator(
     ICertificateValidator2 validator, string targetHost, bool serverMode,
     X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain,
     out bool success, ref MonoSslPolicyErrors errors, ref int status11)
 {
     if (wantsChain)
     {
         chain = MSN.SystemCertificateValidator.CreateX509Chain (certificates);
     }

     var performed = MobileCertificateHelper.InvokeSystemCertificateValidator (
         validator, targetHost, serverMode, certificates, out success, ref errors, ref status11);
     return performed;
 }
		/*
		 * Backend-specific certificate validation entry point.
		 *
		 * If @serverMode is true, then we're a server and want to validate a certificate
		 * that we received from a client.
		 *
		 * On OS X and Mobile, the @chain will be initialized with the @certificates, but not actually built.
		 *
		 * Returns `true` if certificate validation has been performed and `false` to invoke the
		 * default system validator.  Policy failures are OR-ed into @errors; @status11 carries
		 * the backend-specific status value (semantics defined by the implementation).
		 */
		internal abstract bool ValidateCertificate (
			ICertificateValidator2 validator, string targetHost, bool serverMode,
			X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain,
			ref MonoSslPolicyErrors errors, ref int status11);
 /*
  * Backend-specific certificate validation entry point.
  *
  * If @serverMode is true, then we're a server and want to validate a certificate
  * that we received from a client.
  *
  * On OS X and Mobile, the @chain will be initialized with the @certificates, but not actually built.
  *
  * Returns `true` if certificate validation has been performed and `false` to invoke the
  * default system validator.  Policy failures are OR-ed into @errors; @status11 carries
  * the backend-specific status value (semantics defined by the implementation).
  */
 internal abstract bool ValidateCertificate(
     ICertificateValidator2 validator, string targetHost, bool serverMode,
     X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain,
     ref MonoSslPolicyErrors errors, ref int status11);
		// BTLS backend.  If a chain was already built, the verify result recorded
		// on its store context is reused instead of verifying again (the cast
		// requires a BTLS-backed chain; any other implementation fails it).
		// Otherwise the certificates are verified in a fresh native store and
		// store context; the native verify call reports success as 1.  In both
		// paths CheckValidationResult translates the outcome into @errors /
		// @status11, and the bool returned is the raw native verdict.
		internal override bool ValidateCertificate (
			ICertificateValidator2 validator, string targetHost, bool serverMode,
			X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain,
			ref MonoSslPolicyErrors errors, ref int status11)
		{
			if (chain != null) {
				var impl = (X509ChainImplBtls)chain.Impl;
				var verified = impl.StoreCtx.VerifyResult == 1;
				CheckValidationResult (
					validator, targetHost, serverMode, certificates,
					wantsChain, chain, impl.StoreCtx,
					verified, ref errors, ref status11);
				return verified;
			}

			// Disposal order is the reverse of declaration: context, params, chain, store.
			using (var store = new MonoBtlsX509Store ())
			using (var nativeChain = MonoBtlsProvider.GetNativeChain (certificates))
			using (var param = GetVerifyParam (targetHost, serverMode))
			using (var storeCtx = new MonoBtlsX509StoreCtx ()) {
				SetupCertificateStore (store);
				storeCtx.Initialize (store, nativeChain);
				storeCtx.SetVerifyParam (param);

				var verified = storeCtx.Verify () == 1;

				// Hand back a managed view of the native chain when requested.
				if (wantsChain && chain == null)
					chain = GetManagedChain (nativeChain);

				// NOTE(review): the chain argument is null here even when one was
				// just built; presumably the store context carries everything
				// CheckValidationResult needs — confirm.
				CheckValidationResult (
					validator, targetHost, serverMode, certificates,
					wantsChain, null, storeCtx,
					verified, ref errors, ref status11);
				return verified;
			}
		}
		/*
		 * Hook for platform backends that can hand certificate validation to the
		 * operating system's own validator.
		 *
		 * If @serverMode is true, then we're a server and want to validate a certificate
		 * that we received from a client.
		 *
		 * On OS X and Mobile, the @chain will be initialized with the @certificates, but not actually built.
		 *
		 * Returns `true` if certificate validation has been performed and `false` to invoke the
		 * default system validator.  When it returns `true`, the verdict is in @success and
		 * policy failures are OR-ed into @errors.
		 *
		 * This base implementation has no system validator to call and always throws
		 * InvalidOperationException; a backend that supports one must override it.
		 */
		internal virtual bool InvokeSystemCertificateValidator (
			ICertificateValidator2 validator, string targetHost, bool serverMode,
			X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain,
			out bool success, ref MonoSslPolicyErrors errors, ref int status11)
		{
			throw new InvalidOperationException ();
		}