Imported Upstream version 4.8.0.309

Former-commit-id: 5f9c6ae75f295e057a7d2971f3a6df4656fa8850

mcs/class/System/Mono.Net.Security/ChainValidationHelper.cs

@@ -44,8 +44,6 @@ using Mono.Security.Interface;
 using MSX = Mono.Security.X509;
 using Mono.Security.X509.Extensions;
 #endif
-using XX509CertificateCollection = System.Security.Cryptography.X509Certificates.X509CertificateCollection;
-using XX509Chain = System.Security.Cryptography.X509Certificates.X509Chain;
 
 using System;
 using System.Net;
@@ -77,7 +75,7 @@ namespace Mono.Net.Security
 		readonly MonoTlsStream tlsStream;
 		readonly HttpWebRequest request;
 
-		internal static ICertificateValidator GetDefaultValidator (MonoTlsProvider provider, MonoTlsSettings settings)
+		internal static ICertificateValidator GetInternalValidator (MonoTlsProvider provider, MonoTlsSettings settings)
 		{
 			if (settings == null)
 				return new ChainValidationHelper (provider, null, false, null, null);
@@ -86,6 +84,16 @@ namespace Mono.Net.Security
 			return new ChainValidationHelper (provider, settings, false, null, null);
 		}
 
+		internal static ICertificateValidator GetDefaultValidator (MonoTlsSettings settings)
+		{
+			var provider = MonoTlsProviderFactory.GetProvider ();
+			if (settings == null)
+				return new ChainValidationHelper (provider, null, false, null, null);
+			if (settings.CertificateValidator != null)
+				throw new NotSupportedException ();
+			return new ChainValidationHelper (provider, settings, false, null, null);
+		}
+
 #region SslStream support
 
 		/*
@@ -138,6 +146,8 @@ namespace Mono.Net.Security
 				settings = MonoTlsSettings.CopyDefaultSettings ();
 			if (cloneSettings)
 				settings = settings.CloneWithValidator (this);
+			if (provider == null)
+				provider = MonoTlsProviderFactory.GetProvider ();
 
 			this.provider = provider;
 			this.settings = settings;
@@ -172,7 +182,7 @@ namespace Mono.Net.Security
 				certValidationCallback = ServicePointManager.ServerCertValidationCallback;
 		}
 
-		static X509Certificate DefaultSelectionCallback (string targetHost, XX509CertificateCollection localCertificates, X509Certificate remoteCertificate, string[] acceptableIssuers)
+		static X509Certificate DefaultSelectionCallback (string targetHost, X509CertificateCollection localCertificates, X509Certificate remoteCertificate, string[] acceptableIssuers)
 		{
 			X509Certificate clientCertificate;
 			if (localCertificates == null || localCertificates.Count == 0)
@@ -195,7 +205,7 @@ namespace Mono.Net.Security
 		}
 
 		public bool SelectClientCertificate (
-			string targetHost, XX509CertificateCollection localCertificates, X509Certificate remoteCertificate,
+			string targetHost, X509CertificateCollection localCertificates, X509Certificate remoteCertificate,
 			string[] acceptableIssuers, out X509Certificate clientCertificate)
 		{
 			if (certSelectionCallback == null) {
@@ -207,7 +217,7 @@ namespace Mono.Net.Security
 		}
 
 		internal X509Certificate SelectClientCertificate (
-			string targetHost, XX509CertificateCollection localCertificates, X509Certificate remoteCertificate,
+			string targetHost, X509CertificateCollection localCertificates, X509Certificate remoteCertificate,
 			string[] acceptableIssuers)
 		{
 			if (certSelectionCallback == null)
@@ -217,7 +227,7 @@ namespace Mono.Net.Security
 
 		internal bool ValidateClientCertificate (X509Certificate certificate, MonoSslPolicyErrors errors)
 		{
-			var certs = new XX509CertificateCollection ();
+			var certs = new X509CertificateCollection ();
 			certs.Add (new X509Certificate2 (certificate.GetRawCertData ()));
 
 			var result = ValidateChain (string.Empty, true, certificate, null, certs, (SslPolicyErrors)errors);
@@ -227,7 +237,7 @@ namespace Mono.Net.Security
 			return result.Trusted && !result.UserDenied;
 		}
 
-		public ValidationResult ValidateCertificate (string host, bool serverMode, XX509CertificateCollection certs)
+		public ValidationResult ValidateCertificate (string host, bool serverMode, X509CertificateCollection certs)
 		{
 			try {
 				X509Certificate leaf;
@@ -246,10 +256,9 @@ namespace Mono.Net.Security
 			}
 		}
 
-		public ValidationResult ValidateCertificate (string host, bool serverMode, X509Certificate leaf, XX509Chain xchain)
+		public ValidationResult ValidateCertificate (string host, bool serverMode, X509Certificate leaf, X509Chain chain)
 		{
 			try {
-				var chain = xchain;
 				var result = ValidateChain (host, serverMode, leaf, chain, null, 0);
 				if (tlsStream != null)
 					tlsStream.CertificateValidationFailed = result == null || !result.Trusted || result.UserDenied;
@@ -262,7 +271,7 @@ namespace Mono.Net.Security
 		}
 
 		ValidationResult ValidateChain (string host, bool server, X509Certificate leaf,
-		                                X509Chain chain, XX509CertificateCollection certs,
+		                                X509Chain chain, X509CertificateCollection certs,
 		                                SslPolicyErrors errors)
 		{
 			var oldChain = chain;
@@ -281,7 +290,7 @@ namespace Mono.Net.Security
 		}
 
 		ValidationResult ValidateChain (string host, bool server, X509Certificate leaf,
-		                                ref X509Chain chain, XX509CertificateCollection certs,
+		                                ref X509Chain chain, X509CertificateCollection certs,
 		                                SslPolicyErrors errors)
 		{
 			// user_denied is true if the user callback is called and returns false
@@ -322,28 +331,19 @@ namespace Mono.Net.Security
 					wantsChain = true;
 			}
 
-			bool providerValidated = false;
-			if (provider != null && provider.HasCustomSystemCertificateValidator) {
-				var xerrors = (MonoSslPolicyErrors)errors;
-				var xchain = chain;
-				providerValidated = provider.InvokeSystemCertificateValidator (this, host, server, certs, wantsChain, ref xchain, out result, ref xerrors, ref status11);
-				chain = xchain;
-				errors = (SslPolicyErrors)xerrors;
-			} else if (wantsChain) {
-				chain = SystemCertificateValidator.CreateX509Chain (certs);
-			}
+			var xerrors = (MonoSslPolicyErrors)errors;
+			result = provider.ValidateCertificate (this, host, server, certs, wantsChain, ref chain, ref xerrors, ref status11);
+			errors = (SslPolicyErrors)xerrors;
 
-			if (!providerValidated)
-				result = SystemCertificateValidator.Evaluate (settings, host, certs, chain, ref errors, ref status11);
+			if (status11 == 0 && errors != 0) {
+				// TRUST_E_FAIL
+				status11 = unchecked ((int)0x800B010B);
+			}
 
 			if (policy != null && (!(policy is DefaultCertificatePolicy) || certValidationCallback == null)) {
 				ServicePoint sp = null;
 				if (request != null)
 					sp = request.ServicePointNoLock;
-				if (status11 == 0 && errors != 0) {
-					// TRUST_E_FAIL
-					status11 = unchecked ((int)0x800B010B);
-				}
 
 				// pre 2.0 callback
 				result = policy.CheckValidationResult (sp, leaf, request, status11);
@@ -360,9 +360,8 @@ namespace Mono.Net.Security
 			return new ValidationResult (result, user_denied, status11, (MonoSslPolicyErrors)errors);
 		}
 
-		public bool InvokeSystemValidator (string targetHost, bool serverMode, XX509CertificateCollection certificates, XX509Chain xchain, ref MonoSslPolicyErrors xerrors, ref int status11)
+		bool InvokeSystemValidator (string targetHost, bool serverMode, X509CertificateCollection certificates, X509Chain chain, ref MonoSslPolicyErrors xerrors, ref int status11)
 		{
-			X509Chain chain = xchain;
 			var errors = (SslPolicyErrors)xerrors;
 			var result = SystemCertificateValidator.Evaluate (settings, targetHost, certificates, chain, ref errors, ref status11);
 			xerrors = (MonoSslPolicyErrors)errors;