[System]: Epic: Client Certificate Support - Part One. (#8756)

This is the first of two Pull Requests to implement Client Certificates :-)

Part One binds the new native APIs that will be used internally, finishes
the certificate selection callbacks, but without the more riskly changes
to the underlying handshake and I/O layer.

Part Two will bring support for TLS Renegotiation - and due to the required
changes in the underlying handshake, it is the more risky one.

* `Mono.Security.Interface.MonoTlsSettings`: Add `ClientCertificateIssuers`.

* `MobileTlsContext`:
  - fully implement `SelectClientCertificate()`; the `acceptableIssuers` parameter
    is now actually set and we also have a reasonable default selection.
  - add `CanRenegotiate` and `RenegotiateAsync()` - these are not hooked up yet.

* `AppleTlsContext`:
  - we will only ever call `RequirePeerTrust()` once per session, so we can
    also remove it alltogether and just use `EvaluatePeerTrust()` instead.
  - use proper exceptions for `SslStatus.PeerNoRenegotiation` and `PeerUnexpectedMsg`.
  - don't call `SetClientSideAuthenticate()` on the client side.
  - bind and hook up `SSLAddDistinguishedName()` and `SSLCopyDistinguishedNames()`.
  - bind `SSLReHandshake()`.

* `MobileAuthenticatedStream`: minor cleanups; there will be more uses of the new
  `GetInvalidNestedCallException()` helper class once Part Two lands.

* Enable some more constants in `SecureTransport.cs`.

* Add new `MonoBtlsError.GetErrorReason()` and `mono_btls_error_get_reason()`
  implementation, only supporting `SSL_R_NO_RENEGOTIATION` at the moment.

* Add new native `mono_btls_ssl_ctx_set_client_ca_list()` function and managed
  `MonoBtlsSslCtx.SetClientCertificateIssuers()`; hooked up via
  `MonoTlsSettings.ClientCertificateIssuers`.

* According to a comment in the header file, `SSL_get_client_CA_list()` may only
  be called during the selection callback or while the handshake is paused.
  To respect this restriction, we now call it during the client certificate
  selection callback and pass the list from native to managed.
  - changed signature of `MonoBtlsSelectFunc` from
    `int (* MonoBtlsSelectFunc) (void *instance)` to
    `int (* MonoBtlsSelectFunc) (void *instance, int countIssuers, const int *sizes, void **issuerData)`.
  - the managed counter-part is in `MonoBtlsSslCtx.NativeSelectFunc` / `NativeSelectCallback`.

* MonoBtlsContext:
  - use the new `MonoBtlsError.GetErrorReason()` to throw a `TlsException` with
    `AlertDescription.NoRenegotiation` that can be checked for by user code.
  - `SelectCallback()` now has a `string[] acceptableIssuers` argument; pass it
    to `SelectClientCertificate()`.
  - the native backend does not support TLS Renegotiation, so `CanRenegotiate`
    always returns false.

Implements #7075

1 files changed, 8 insertions, 0 deletions

diff --git a/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsSettings.cs b/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsSettings.cs
index ee7e216cc21..04069a409bc 100644
--- a/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsSettings.cs
+++ b/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsSettings.cs
@@ -94,6 +94,13 @@ namespace Mono.Security.Interface
 		}
 
 		/*
+		 * Client Certificate Support.
+		 */
+		public string[] ClientCertificateIssuers {
+			get; set;
+		}
+
+		/*
 		 * If you set this here, then it will override 'ServicePointManager.SecurityProtocol'.
 		 */
 		public TlsProtocols? EnabledProtocols {
@@ -181,6 +188,7 @@ namespace Mono.Security.Interface
 			EnabledCiphers = other.EnabledCiphers;
 			CertificateValidationTime = other.CertificateValidationTime;
 			SendCloseNotify = other.SendCloseNotify;
+			ClientCertificateIssuers = other.ClientCertificateIssuers;
 			if (other.TrustAnchors != null)
 				TrustAnchors = new X509CertificateCollection (other.TrustAnchors);
 			if (other.CertificateSearchPaths != null) {