public void SetCertificate(SecIdentity identify, IEnumerable <SecCertificate> certificates)
{
using (var array = Bundle(identify, certificates)) {
var result = SSLSetCertificate(Handle, array.Handle);
CheckStatusAndThrow(result);
}
}
public void Identity()
{
using (SecIdentity id = GetIdentity()) {
Assert.NotNull(id.PrivateKey, "PrivateKey");
Assert.NotNull(id.Certificate, "Certificate");
}
}
public override void StartHandshake()
{
Debug("StartHandshake: {0}", IsServer);
if (Interlocked.CompareExchange(ref handshakeStarted, 1, 1) != 0)
{
throw new InvalidOperationException();
}
InitializeConnection();
SetSessionOption(SslSessionOption.BreakOnCertRequested, true);
SetSessionOption(SslSessionOption.BreakOnClientAuth, true);
SetSessionOption(SslSessionOption.BreakOnServerAuth, true);
if (IsServer)
{
SecCertificate[] intermediateCerts;
serverIdentity = MobileCertificateHelper.GetIdentity(LocalServerCertificate, out intermediateCerts);
if (serverIdentity == null)
{
throw new SSA.AuthenticationException("Unable to get server certificate from keychain.");
}
SetCertificate(serverIdentity, intermediateCerts);
for (int i = 0; i < intermediateCerts.Length; i++)
{
intermediateCerts [i].Dispose();
}
}
}
/// <summary>
/// Import the specified certificate and its associated private key.
/// </summary>
/// <param name="certificate">The certificate and key, in PKCS12 format.</param>
/// <param name="passphrase">The passphrase that protects the private key.</param>
public void Import(byte[] certificate, string passphrase)
{
NSDictionary opt;
if (string.IsNullOrEmpty(passphrase))
{
opt = new NSDictionary();
}
else
{
opt = NSDictionary.FromObjectAndKey(new NSString(passphrase), SecImportExport.Passphrase);
}
var status = SecImportExport.ImportPkcs12(certificate, opt, out NSDictionary[] array);
if (status == SecStatusCode.Success)
{
var identity = new SecIdentity(array[0]["identity"].Handle);
NSArray chain = array[0]["chain"] as NSArray;
SecCertificate[] certs = new SecCertificate[chain.Count];
for (System.nuint i = 0; i < chain.Count; i++)
{
certs[i] = chain.GetItem <SecCertificate>(i);
}
Credential = new NSUrlCredential(identity, certs, NSUrlCredentialPersistence.ForSession);
}
}
private void SetClientCertificate(ClientCertificate certificate)
{
if (certificate == null)
{
return;
}
byte[] bytes;
try
{
bytes = Convert.FromBase64String(certificate.RawData);
}
catch (Exception ex)
{
throw new HttpRequestException(FailureMessages.InvalidRawData, ex);
}
var options = NSDictionary.FromObjectsAndKeys(new object[] { certificate.Passphrase }, new object[] { "passphrase" });
var status = SecImportExport.ImportPkcs12(bytes, options, out NSDictionary[] items);
var identityRef = items[0]["identity"];
var identity = new SecIdentity(identityRef.Handle);
SecCertificate[] certs = { identity.Certificate };
this.UrlCredential = new NSUrlCredential(identity, certs, NSUrlCredentialPersistence.ForSession);
}
public void InstallIntoKeyChain(X509Certificate certificate)
{
var provider = DependencyInjector.Get <ICertificateProvider> ();
string password;
var data = provider.GetRawCertificateData(certificate, out password);
using (var identity = SecIdentity.Import(data, password)) {
SecKeyChain.AddIdentity(identity);
}
}
public override void WillSendRequestForAuthenticationChallenge(NSUrlConnection connection, NSUrlAuthenticationChallenge challenge)
{
var identity = SecIdentity.Import(Certificate);
var certificate = new SecCertificate(Certificate);
SecCertificate[] certificates = { certificate };
var credential = NSUrlCredential.FromIdentityCertificatesPersistance(identity, certificates, NSUrlCredentialPersistence.ForSession);
challenge.Sender.UseCredential(credential, challenge);
}
public MCSession(MCPeerID myPeerID, SecIdentity identity, MCEncryptionPreference encryptionPreference)
: base(NSObjectFlag.Empty)
{
if (identity == null)
{
Handle = Init(myPeerID, null, encryptionPreference);
}
else
{
using (var a = NSArray.FromNSObjects(identity))
Handle = Init(myPeerID, a, encryptionPreference);
}
}
public override bool ProcessHandshake()
{
if (handshakeFinished)
{
throw new NotSupportedException("Handshake already finished.");
}
while (true)
{
lastException = null;
var status = SSLHandshake(Handle);
Debug("Handshake: {0} - {0:x}", status);
CheckStatusAndThrow(status, SslStatus.WouldBlock, SslStatus.PeerAuthCompleted, SslStatus.PeerClientCertRequested);
if (status == SslStatus.PeerAuthCompleted)
{
RequirePeerTrust();
}
else if (status == SslStatus.PeerClientCertRequested)
{
RequirePeerTrust();
if (remoteCertificate == null)
{
throw new TlsException(AlertDescription.InternalError, "Cannot request client certificate before receiving one from the server.");
}
localClientCertificate = SelectClientCertificate(remoteCertificate, null);
if (localClientCertificate == null)
{
continue;
}
clientIdentity = AppleCertificateHelper.GetIdentity(localClientCertificate);
if (clientIdentity == null)
{
throw new TlsException(AlertDescription.CertificateUnknown);
}
SetCertificate(clientIdentity, new SecCertificate [0]);
}
else if (status == SslStatus.WouldBlock)
{
return(false);
}
else if (status == SslStatus.Success)
{
handshakeFinished = true;
return(true);
}
}
}
public static NSUrlCredential FromIdentityCertificatesPersistance(SecIdentity identity, SecCertificate [] certificates, NSUrlCredentialPersistence persistence)
{
if (identity == null)
{
throw new ArgumentNullException("identity");
}
if (certificates == null)
{
throw new ArgumentNullException("certificates");
}
using (var certs = NSArray.FromNativeObjects(certificates))
return(FromIdentityCertificatesPersistanceInternal(identity.Handle, certs.Handle, persistence));
}
NSArray Bundle(SecIdentity identity, IEnumerable <SecCertificate> certificates)
{
if (identity == null)
{
throw new ArgumentNullException("identity");
}
int i = 0;
int n = certificates == null ? 0 : certificates.Count();
var ptrs = new IntPtr [n + 1];
ptrs [0] = identity.Handle;
foreach (var certificate in certificates)
{
ptrs [++i] = certificate.Handle;
}
return(NSArray.FromIntPtrs(ptrs));
}
public override bool ProcessHandshake()
{
SslStatus status;
do
{
lastException = null;
status = SSLHandshake(Handle);
Debug("Handshake: {0} - {0:x}", status);
CheckStatusAndThrow(status, SslStatus.WouldBlock, SslStatus.PeerAuthCompleted, SslStatus.PeerClientCertRequested);
if (status == SslStatus.PeerAuthCompleted)
{
RequirePeerTrust();
}
else if (status == SslStatus.PeerClientCertRequested)
{
RequirePeerTrust();
if (remoteCertificate == null)
{
throw new TlsException(AlertDescription.InternalError, "Cannot request client certificate before receiving one from the server.");
}
localClientCertificate = MobileCertificateHelper.SelectClientCertificate(TargetHost, certificateValidator, ClientCertificates, remoteCertificate);
if (localClientCertificate == null)
{
continue;
}
clientIdentity = MobileCertificateHelper.GetIdentity(localClientCertificate);
if (clientIdentity == null)
{
throw new TlsException(AlertDescription.CertificateUnknown);
}
SetCertificate(clientIdentity, new SecCertificate [0]);
}
else if (status == SslStatus.WouldBlock)
{
return(false);
}
} while (status != SslStatus.Success);
return(true);
}
public static SecIdentity GetIdentity(X509Certificate certificate)
{
/*
* If we got an 'X509Certificate2', then we require it to have a private key
* and import it.
*/
var certificate2 = certificate as X509Certificate2;
if (certificate2 != null)
{
return(SecIdentity.Import(certificate2));
}
/*
* Otherwise, we require the private key to be in the keychain.
*/
using (var secCert = new SecCertificate(certificate)) {
return(SecKeyChain.FindIdentity(secCert, true));
}
}
public MCSession(MCPeerID myPeerID, SecIdentity identity, SecCertificate[] certificates, MCEncryptionPreference encryptionPreference)
: base(NSObjectFlag.Empty)
{
if (identity == null)
{
if (certificates == null)
{
Handle = Init(myPeerID, null, encryptionPreference);
}
else
{
throw new ArgumentNullException("identity");
}
}
else
{
using (var certs = NSArray.FromNativeObjects(certificates))
Handle = Init(myPeerID, certs, encryptionPreference);
}
}
/// <summary>
/// Import the specified certificate and its associated private key.
/// </summary>
/// <param name="certificate">The certificate and key, in PKCS12 format.</param>
/// <param name="passphrase">The passphrase that protects the private key.</param>
public void Import(byte[] certificate, string passphrase)
{
NSDictionary opt;
if (string.IsNullOrEmpty(passphrase))
{
opt = new NSDictionary();
}
else
{
opt = NSDictionary.FromObjectAndKey(new NSString(passphrase), SecImportExport.Passphrase);
}
var status = SecImportExport.ImportPkcs12(certificate, opt, out NSDictionary[] array);
if (status == SecStatusCode.Success)
{
var identity = new SecIdentity(array[0]["identity"].Handle);
SecCertificate[] certs = { identity.Certificate };
Credential = new NSUrlCredential(identity, certs, NSUrlCredentialPersistence.ForSession);
}
}
protected override void Dispose(bool disposing)
{
try {
if (disposed)
{
return;
}
if (disposing)
{
disposed = true;
if (serverIdentity != null)
{
serverIdentity.Dispose();
serverIdentity = null;
}
if (clientIdentity != null)
{
clientIdentity.Dispose();
clientIdentity = null;
}
if (remoteCertificate != null)
{
remoteCertificate.Dispose();
remoteCertificate = null;
}
}
} finally {
disposed = true;
if (context != IntPtr.Zero)
{
CFObject.CFRelease(context);
context = IntPtr.Zero;
}
base.Dispose(disposing);
}
}
public NSURLCredential(SecIdentity identity, AnyObject[] certificates, NSURLCredentialPersistence persistence)
{
}
public NSUrlCredential(SecIdentity identity, SecCertificate [] certificates, NSUrlCredentialPersistence persistence)
: this(identity.Handle, NSArray.FromNativeObjects(certificates).Handle, persistence)
{
}
public override void DidReceiveChallenge(NSUrlSession session, NSUrlSessionTask task, NSUrlAuthenticationChallenge challenge, Action<NSUrlSessionAuthChallengeDisposition, NSUrlCredential> completionHandler)
{
if (challenge.ProtectionSpace.AuthenticationMethod == NSUrlProtectionSpace.AuthenticationMethodNTLM) {
NetworkCredential credentialsToUse;
if (This.Credentials != null) {
if (This.Credentials is NetworkCredential) {
credentialsToUse = (NetworkCredential)This.Credentials;
} else {
var uri = this.getResponseForTask(task).Request.RequestUri;
credentialsToUse = This.Credentials.GetCredential(uri, "NTLM");
}
var credential = new NSUrlCredential(credentialsToUse.UserName, credentialsToUse.Password, NSUrlCredentialPersistence.ForSession);
completionHandler(NSUrlSessionAuthChallengeDisposition.UseCredential, credential);
}
return;
}
if (challenge.ProtectionSpace.AuthenticationMethod == NSUrlProtectionSpace.AuthenticationMethodClientCertificate)
{
Console.WriteLine("Client Cert!");
var password = "******";
var options = NSDictionary.FromObjectAndKey(NSObject.FromObject(password), SecImportExport.Passphrase);
var path = Path.Combine(NSBundle.MainBundle.BundlePath, "Content", "client.p12");
var certData = File.ReadAllBytes(path);
NSDictionary[] importResult;
X509Certificate cert = new X509Certificate(certData, password);
SecStatusCode statusCode = SecImportExport.ImportPkcs12(certData, options, out importResult);
var identityHandle = importResult[0][SecImportExport.Identity];
var identity = new SecIdentity(identityHandle.Handle);
var certificate = new SecCertificate(cert.GetRawCertData());
SecCertificate[] certificates = { certificate };
NSUrlCredential credential = NSUrlCredential.FromIdentityCertificatesPersistance(identity, certificates, NSUrlCredentialPersistence.ForSession);
completionHandler(NSUrlSessionAuthChallengeDisposition.UseCredential, credential);
return;
}
if (!This.customSSLVerification) {
goto doDefault;
}
if (challenge.ProtectionSpace.AuthenticationMethod != "NSURLAuthenticationMethodServerTrust") {
goto doDefault;
}
if (ServicePointManager.ServerCertificateValidationCallback == null) {
goto doDefault;
}
// Convert Mono Certificates to .NET certificates and build cert
// chain from root certificate
var serverCertChain = challenge.ProtectionSpace.ServerSecTrust;
var chain = new X509Chain();
X509Certificate2 root = null;
var errors = SslPolicyErrors.None;
if (serverCertChain == null || serverCertChain.Count == 0) {
errors = SslPolicyErrors.RemoteCertificateNotAvailable;
goto sslErrorVerify;
}
if (serverCertChain.Count == 1) {
errors = SslPolicyErrors.RemoteCertificateChainErrors;
goto sslErrorVerify;
}
var netCerts = Enumerable.Range(0, serverCertChain.Count)
.Select(x => serverCertChain[x].ToX509Certificate2())
.ToArray();
for (int i = 1; i < netCerts.Length; i++) {
chain.ChainPolicy.ExtraStore.Add(netCerts[i]);
}
root = netCerts[0];
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 1, 0);
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
if (!chain.Build(root)) {
errors = SslPolicyErrors.RemoteCertificateChainErrors;
goto sslErrorVerify;
}
var subject = root.Subject;
var subjectCn = cnRegex.Match(subject).Groups[1].Value;
if (String.IsNullOrWhiteSpace(subjectCn) || !Utility.MatchHostnameToPattern(task.CurrentRequest.Url.Host, subjectCn)) {
errors = SslPolicyErrors.RemoteCertificateNameMismatch;
goto sslErrorVerify;
}
sslErrorVerify:
var hostname = task.CurrentRequest.Url.Host;
bool result = ServicePointManager.ServerCertificateValidationCallback(hostname, root, chain, errors);
if (result) {
completionHandler(
NSUrlSessionAuthChallengeDisposition.UseCredential,
NSUrlCredential.FromTrust(challenge.ProtectionSpace.ServerSecTrust));
} else {
completionHandler(NSUrlSessionAuthChallengeDisposition.CancelAuthenticationChallenge, null);
}
return;
doDefault:
completionHandler(NSUrlSessionAuthChallengeDisposition.PerformDefaultHandling, challenge.ProposedCredential);
return;
}
public override void DidReceiveChallenge(NSUrlSession session, NSUrlSessionTask task, NSUrlAuthenticationChallenge challenge, Action <NSUrlSessionAuthChallengeDisposition, NSUrlCredential> completionHandler)
{
if (challenge.ProtectionSpace.AuthenticationMethod == NSUrlProtectionSpace.AuthenticationMethodNTLM)
{
NetworkCredential credentialsToUse;
if (This.Credentials != null)
{
if (This.Credentials is NetworkCredential)
{
credentialsToUse = (NetworkCredential)This.Credentials;
}
else
{
var uri = this.getResponseForTask(task).Request.RequestUri;
credentialsToUse = This.Credentials.GetCredential(uri, "NTLM");
}
var credential = new NSUrlCredential(credentialsToUse.UserName, credentialsToUse.Password, NSUrlCredentialPersistence.ForSession);
completionHandler(NSUrlSessionAuthChallengeDisposition.UseCredential, credential);
}
return;
}
if (challenge.ProtectionSpace.AuthenticationMethod == NSUrlProtectionSpace.AuthenticationMethodClientCertificate)
{
Console.WriteLine("Client Cert!");
var password = "******";
var options = NSDictionary.FromObjectAndKey(NSObject.FromObject(password), SecImportExport.Passphrase);
var path = Path.Combine(NSBundle.MainBundle.BundlePath, "Content", "client.p12");
var certData = File.ReadAllBytes(path);
NSDictionary[] importResult;
X509Certificate cert = new X509Certificate(certData, password);
SecStatusCode statusCode = SecImportExport.ImportPkcs12(certData, options, out importResult);
var identityHandle = importResult[0][SecImportExport.Identity];
var identity = new SecIdentity(identityHandle.Handle);
var certificate = new SecCertificate(cert.GetRawCertData());
SecCertificate[] certificates = { certificate };
NSUrlCredential credential = NSUrlCredential.FromIdentityCertificatesPersistance(identity, certificates, NSUrlCredentialPersistence.ForSession);
completionHandler(NSUrlSessionAuthChallengeDisposition.UseCredential, credential);
return;
}
if (!This.customSSLVerification)
{
goto doDefault;
}
if (challenge.ProtectionSpace.AuthenticationMethod != "NSURLAuthenticationMethodServerTrust")
{
goto doDefault;
}
if (ServicePointManager.ServerCertificateValidationCallback == null)
{
goto doDefault;
}
// Convert Mono Certificates to .NET certificates and build cert
// chain from root certificate
var serverCertChain = challenge.ProtectionSpace.ServerSecTrust;
var chain = new X509Chain();
X509Certificate2 root = null;
var errors = SslPolicyErrors.None;
if (serverCertChain == null || serverCertChain.Count == 0)
{
errors = SslPolicyErrors.RemoteCertificateNotAvailable;
goto sslErrorVerify;
}
if (serverCertChain.Count == 1)
{
errors = SslPolicyErrors.RemoteCertificateChainErrors;
goto sslErrorVerify;
}
var netCerts = Enumerable.Range(0, serverCertChain.Count)
.Select(x => serverCertChain[x].ToX509Certificate2())
.ToArray();
for (int i = 1; i < netCerts.Length; i++)
{
chain.ChainPolicy.ExtraStore.Add(netCerts[i]);
}
root = netCerts[0];
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 1, 0);
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
if (!chain.Build(root))
{
errors = SslPolicyErrors.RemoteCertificateChainErrors;
goto sslErrorVerify;
}
var subject = root.Subject;
var subjectCn = cnRegex.Match(subject).Groups[1].Value;
if (String.IsNullOrWhiteSpace(subjectCn) || !Utility.MatchHostnameToPattern(task.CurrentRequest.Url.Host, subjectCn))
{
errors = SslPolicyErrors.RemoteCertificateNameMismatch;
goto sslErrorVerify;
}
sslErrorVerify:
var hostname = task.CurrentRequest.Url.Host;
bool result = ServicePointManager.ServerCertificateValidationCallback(hostname, root, chain, errors);
if (result)
{
completionHandler(
NSUrlSessionAuthChallengeDisposition.UseCredential,
NSUrlCredential.FromTrust(challenge.ProtectionSpace.ServerSecTrust));
}
else
{
completionHandler(NSUrlSessionAuthChallengeDisposition.CancelAuthenticationChallenge, null);
}
return;
doDefault:
completionHandler(NSUrlSessionAuthChallengeDisposition.PerformDefaultHandling, challenge.ProposedCredential);
return;
}
public NSURLCredential([Unwrapped] SecIdentity identity, AnyObject[] certificates, NSURLCredentialPersistence persistence, bool NAME_YOUR_PARAMS = false)
{
}
