author | Martin Baulig <mabaul@microsoft.com> | 2018-05-18 03:06:55 +0300 |
committer | Marek Safar <marek.safar@gmail.com> | 2018-05-25 12:01:42 +0300 |
commit | 5715aee671a8f72e2807e4c0a587c111f424f10e (patch) | |
tree | 37d6b7b750a60b4a2ac8c56756f37d41645fdc75 /mcs/class/Mono.Security | |
parent | 5076f806dcb3264ab7f7fc3b1b8c31a60a871bb3 (diff) |
[System]: Epic: Client Certificate Support - Part Two.
This is the second and final part to bring Client Certificate support.
It needs to be landed on top of #8753 and #8756.
* `Mono.Security.Interface.IMonoSslStream`: Add `CanRenegotiate` and `RenegotiateAsync()`.
* `Mono.Security.Interface.MonoTlsSettings`: Add `DisallowUnauthenticatedCertificateRequest`.
* `AppleTlsContext`: fully support renegotiation.
- we may now receive `SslStatus.PeerAuthCompleted` and `SslStatus.PeerClientCertRequested`
during `Read()`. It should in theory not happen during `Write()`, but I added it there
as well just to be on the safe side.
- `SetSessionOption()` may only be called before the initial handshake.
* `MobileAuthenticatedStream`: this is the major part of the work and the most complex one.
- added a new `Operation` enum to keep track of what is going on and detect invalid state.
- a renegotiation may only be triggered while we're idle - that is no handshake, read or write
operation is currently active.
- `InternalWrite()` may now be called from `SSLRead()`, the new `Operation` tells us what
is currently happening.
- `ProcessHandshake()` now takes a `bool renegotiate` argument.
- added sanity checks to `ProcessRead()` and `ProcessWrite()`.
* `MobileTlsContext.SelectClientCertificate()`: check for
`MonoTlsSettings.DisallowUnauthenticatedCertificateRequest`
* `MonoTlsProviderFactory.InternalVersion`: bump the internal version number.
Tests have already been added to `web-tests/master`, they will auto-enable themselves when
using a Mono runtime that contains this code.
Diffstat (limited to 'mcs/class/Mono.Security')
3 files changed, 13 insertions, 1 deletions
diff --git a/mcs/class/Mono.Security/Mono.Security.Interface/IMonoSslStream.cs b/mcs/class/Mono.Security/Mono.Security.Interface/IMonoSslStream.cs
index bd459711040..fd8b7da41bb 100644
--- a/mcs/class/Mono.Security/Mono.Security.Interface/IMonoSslStream.cs
+++ b/mcs/class/Mono.Security/Mono.Security.Interface/IMonoSslStream.cs
@@ -208,6 +208,12 @@ namespace Mono.Security.Interface
 MonoTlsConnectionInfo GetConnectionInfo ();
+
+ bool CanRenegotiate {
+ get;
+ }
+
+ Task RenegotiateAsync (CancellationToken cancellationToken);
 }
 interface IMonoSslStream2 : IMonoSslStream
diff --git a/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsProviderFactory.cs b/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsProviderFactory.cs
index d8f086f5cb7..5df54ac6eeb 100644
--- a/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsProviderFactory.cs
+++ b/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsProviderFactory.cs
@@ -182,9 +182,10 @@ namespace Mono.Security.Interface
 *
 * - 1: everything up until May 2018
 * - 2: the new ServicePointScheduler changes have landed
+ * - 3: full support for Client Certificates
 *
 */
- internal const int InternalVersion = 2;
+ internal const int InternalVersion = 3;
 #endregion
 }
diff --git a/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsSettings.cs b/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsSettings.cs
index 04069a409bc..b0195803152 100644
--- a/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsSettings.cs
+++ b/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsSettings.cs
@@ -100,6 +100,10 @@ namespace Mono.Security.Interface
 get; set;
 }
+ public bool DisallowUnauthenticatedCertificateRequest {
+ get; set;
+ }
+
 /*
 * If you set this here, then it will override 'ServicePointManager.SecurityProtocol'.
 */
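Review bot: `CanRenegotiate` and `RenegotiateAsync` are added to `IMonoSslStream` itself, although the hunk's last context line shows an `IMonoSslStream2 : IMonoSslStream` extension interface that looks like the place where new members go without breaking existing implementers; unless every implementation lives in this tree, the members belong on `IMonoSslStream2` or a further extension interface. Neither member has a doc comment, and the commit message's rule that a renegotiation may only be triggered while no handshake, read or write is active is exactly what a caller needs; I'd put `/// <summary>Starts a TLS renegotiation; may only be called while no handshake, read or write is in progress.</summary>` on `RenegotiateAsync` and state on `CanRenegotiate` that callers check it first and what `RenegotiateAsync` does when it is false (presumably an exception, which this hunk does not show). Whether the provider insists on the peer supporting the secure-renegotiation extension is also worth documenting, since callers weighing the risk of renegotiation need to know; nothing in this hunk answers it.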
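Review bot: `DisallowUnauthenticatedCertificateRequest` is an undocumented `bool` whose name alone does not say what is disallowed, and as a settings property it defaults to `false`, so the restriction it enables is opt-in; given that the commit message says `MobileTlsContext.SelectClientCertificate()` consults it, consider whether the restrictive value should be the default. Following the `/* ... */` style the file uses on the neighbouring property, I'd add above it `/* When set, a client certificate request that arrives before the server has been authenticated is refused (see MobileTlsContext.SelectClientCertificate ()). */`, with the exact semantics confirmed against that method, which is outside this diff. The copy added in the constructor hunk at `@@ -189,6 +193,7 @@` is consistent with the other settings.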
@@ -189,6 +193,7 @@ namespace Mono.Security.Interface
 CertificateValidationTime = other.CertificateValidationTime;
 SendCloseNotify = other.SendCloseNotify;
 ClientCertificateIssuers = other.ClientCertificateIssuers;
+ DisallowUnauthenticatedCertificateRequest = other.DisallowUnauthenticatedCertificateRequest;
 if (other.TrustAnchors != null)
 TrustAnchors = new X509CertificateCollection (other.TrustAnchors);
 if (other.CertificateSearchPaths != null) { |