122 lines
4.6 KiB
C#
122 lines
4.6 KiB
C#
//
|
|
// HttpsClientStream.cs: Glue between HttpWebRequest and SslClientStream to
|
|
// reduce reflection usage.
|
|
//
|
|
// Author:
|
|
// Sebastien Pouliot <sebastien@ximian.com>
|
|
//
|
|
// Copyright (C) 2004-2007 Novell, Inc. (http://www.novell.com)
|
|
//
|
|
// Permission is hereby granted, free of charge, to any person obtaining
|
|
// a copy of this software and associated documentation files (the
|
|
// "Software"), to deal in the Software without restriction, including
|
|
// without limitation the rights to use, copy, modify, merge, publish,
|
|
// distribute, sublicense, and/or sell copies of the Software, and to
|
|
// permit persons to whom the Software is furnished to do so, subject to
|
|
// the following conditions:
|
|
//
|
|
// The above copyright notice and this permission notice shall be
|
|
// included in all copies or substantial portions of the Software.
|
|
//
|
|
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
|
// LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
|
// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
//
|
|
|
|
using System;
|
|
using System.IO;
|
|
using System.Net;
|
|
using System.Security.Cryptography;
|
|
using System.Security.Cryptography.X509Certificates;
|
|
using SNS = System.Net.Security;
|
|
using SNCX = System.Security.Cryptography.X509Certificates;
|
|
|
|
namespace Mono.Security.Protocol.Tls {
|
|
|
|
// Note: DO NOT REUSE this class - instead use SslClientStream
|
|
|
|
internal class HttpsClientStream : SslClientStream {
|
|
|
|
private HttpWebRequest _request;
|
|
private int _status;
|
|
|
|
public HttpsClientStream (Stream stream, X509CertificateCollection clientCertificates,
|
|
HttpWebRequest request, byte [] buffer)
|
|
: base (stream, request.Address.Host, false, (Mono.Security.Protocol.Tls.SecurityProtocolType)
|
|
ServicePointManager.SecurityProtocol, clientCertificates)
|
|
{
|
|
// this constructor permit access to the WebRequest to call
|
|
// ICertificatePolicy.CheckValidationResult
|
|
_request = request;
|
|
_status = 0;
|
|
if (buffer != null)
|
|
InputBuffer.Write (buffer, 0, buffer.Length);
|
|
// also saved from reflection
|
|
base.CheckCertRevocationStatus = ServicePointManager.CheckCertificateRevocationList;
|
|
|
|
ClientCertSelection += delegate (X509CertificateCollection clientCerts, X509Certificate serverCertificate,
|
|
string targetHost, X509CertificateCollection serverRequestedCertificates) {
|
|
return ((clientCerts == null) || (clientCerts.Count == 0)) ? null : clientCerts [0];
|
|
};
|
|
PrivateKeySelection += delegate (X509Certificate certificate, string targetHost) {
|
|
X509Certificate2 cert = (certificate as X509Certificate2);
|
|
return (cert == null) ? null : cert.PrivateKey;
|
|
};
|
|
}
|
|
|
|
public bool TrustFailure {
|
|
get {
|
|
switch (_status) {
|
|
case -2146762486: // CERT_E_CHAINING 0x800B010A
|
|
case -2146762487: // CERT_E_UNTRUSTEDROOT 0x800B0109
|
|
return true;
|
|
default:
|
|
return false;
|
|
}
|
|
}
|
|
}
|
|
|
|
internal override bool RaiseServerCertificateValidation (X509Certificate certificate, int[] certificateErrors)
|
|
{
|
|
bool failed = (certificateErrors.Length > 0);
|
|
// only one problem can be reported by this interface
|
|
_status = ((failed) ? certificateErrors [0] : 0);
|
|
|
|
#pragma warning disable 618
|
|
if (ServicePointManager.CertificatePolicy != null) {
|
|
ServicePoint sp = _request.ServicePoint;
|
|
bool res = ServicePointManager.CertificatePolicy.CheckValidationResult (sp, certificate, _request, _status);
|
|
if (!res)
|
|
return false;
|
|
failed = true;
|
|
}
|
|
#pragma warning restore 618
|
|
if (HaveRemoteValidation2Callback)
|
|
return failed; // The validation already tried the 2.0 callback
|
|
|
|
SNS.RemoteCertificateValidationCallback cb = ServicePointManager.ServerCertificateValidationCallback;
|
|
if (cb != null) {
|
|
SNS.SslPolicyErrors ssl_errors = 0;
|
|
foreach (int i in certificateErrors) {
|
|
if (i == (int)-2146762490) // TODO: is this what happens when the purpose is wrong?
|
|
ssl_errors |= SNS.SslPolicyErrors.RemoteCertificateNotAvailable;
|
|
else if (i == (int) -2146762481)
|
|
ssl_errors |= SNS.SslPolicyErrors.RemoteCertificateNameMismatch;
|
|
else
|
|
ssl_errors |= SNS.SslPolicyErrors.RemoteCertificateChainErrors;
|
|
}
|
|
SNCX.X509Certificate2 cert2 = new SNCX.X509Certificate2 (certificate.GetRawCertData ());
|
|
SNCX.X509Chain chain = new SNCX.X509Chain ();
|
|
if (!chain.Build (cert2))
|
|
ssl_errors |= SNS.SslPolicyErrors.RemoteCertificateChainErrors;
|
|
return cb (_request, cert2, chain, ssl_errors);
|
|
}
|
|
return failed;
|
|
}
|
|
}
|
|
}
|