
authorMartin Baulig <mabaul@microsoft.com>2018-05-18 03:06:55 +0300
committerMarek Safar <marek.safar@gmail.com>2018-05-25 12:01:42 +0300
commit5715aee671a8f72e2807e4c0a587c111f424f10e (patch)
tree37d6b7b750a60b4a2ac8c56756f37d41645fdc75 /mcs/class/Mono.Security
parent5076f806dcb3264ab7f7fc3b1b8c31a60a871bb3 (diff)
[System]: Epic: Client Certificate Support - Part Two.
This is the second and final part to bring Client Certificate support. It needs to be landed on top of #8753 and #8756. * `Mono.Security.Interface.IMonoSslStream`: Add `CanRenegotiate` and `RenegotiateAsync()`. * `Mono.Security.Interface.MonoTlsSettings`: Add `DisallowUnauthenticatedCertificateRequest`. * `AppleTlsContext`: fully support renegotiation. - we may now receive `SslStatus.PeerAuthCompleted` and `SslStatus.PeerClientCertRequested` during `Read()`. It should in theory not happen during `Write()`, but I added it there as well just to be on the safe side. - `SetSessionOption()` may only be called before the initial handshake. * `MobileAuthenticatedStream`: this is the major part of the work and the most complex one. - added a new `Operation` enum to keep track of what is going on and detect invalid state. - a renegotiation may only be triggered while we're idle - that is, no handshake, read or write operation is currently active. - `InternalWrite()` may now be called from `SSLRead()`, the new `Operation` tells us what is currently happening. - `ProcessHandshake()` now takes a `bool renegotiate` argument. - added sanity checks to `ProcessRead()` and `ProcessWrite()`. * `MobileTlsContext.SelectClientCertificate()`: check for `MonoTlsSettings.DisallowUnauthenticatedCertificateRequest` * `MonoTlsProviderFactory.InternalVersion`: bump the internal version number. Tests have already been added to `web-tests/master`, they will auto-enable themselves when using a Mono runtime that contains this code.
Diffstat (limited to 'mcs/class/Mono.Security')
-rw-r--r--mcs/class/Mono.Security/Mono.Security.Interface/IMonoSslStream.cs6
-rw-r--r--mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsProviderFactory.cs3
-rw-r--r--mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsSettings.cs5
3 files changed, 13 insertions, 1 deletions
diff --git a/mcs/class/Mono.Security/Mono.Security.Interface/IMonoSslStream.cs b/mcs/class/Mono.Security/Mono.Security.Interface/IMonoSslStream.cs
index bd459711040..fd8b7da41bb 100644
--- a/mcs/class/Mono.Security/Mono.Security.Interface/IMonoSslStream.cs
+++ b/mcs/class/Mono.Security/Mono.Security.Interface/IMonoSslStream.cs
@@ -208,6 +208,12 @@ namespace Mono.Security.Interface
MonoTlsConnectionInfo GetConnectionInfo ();
+
+ bool CanRenegotiate {
+ get;
+ }
+
+ Task RenegotiateAsync (CancellationToken cancellationToken);
}
interface IMonoSslStream2 : IMonoSslStream
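Review bot: `CanRenegotiate` and `RenegotiateAsync` are added to the public `IMonoSslStream` contract on the new side without any XML doc comment, so an implementer or caller cannot tell from the interface when renegotiation is permitted or what an invalid call does. The commit message says a renegotiation may only be triggered while no handshake, read or write is active, and that precondition belongs on the member, e.g. `/// <summary>Starts a TLS renegotiation; only valid while <see cref="CanRenegotiate"/> is true and no handshake, read or write is in progress.</summary>`, with the failure mode added once confirmed against the implementation, which is not in this diff. Because renegotiation is the classic TLS attack surface (RFC 5746 secure renegotiation), the doc should also state whether providers are expected to refuse it when the peer lacks the secure-renegotiation extension. The sibling `IMonoSslStream2` on the last context line suggests extensions were meant to go on a derived interface; adding members to the base one breaks any external implementer, which may be intended given the `InternalVersion` bump but deserves a sentence in the commit.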
diff --git a/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsProviderFactory.cs b/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsProviderFactory.cs
index d8f086f5cb7..5df54ac6eeb 100644
--- a/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsProviderFactory.cs
+++ b/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsProviderFactory.cs
@@ -182,9 +182,10 @@ namespace Mono.Security.Interface
*
* - 1: everything up until May 2018
* - 2: the new ServicePointScheduler changes have landed
+ * - 3: full support for Client Certificates
*
*/
- internal const int InternalVersion = 2;
+ internal const int InternalVersion = 3;
#endregion
}
diff --git a/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsSettings.cs b/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsSettings.cs
index 04069a409bc..b0195803152 100644
--- a/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsSettings.cs
+++ b/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsSettings.cs
@@ -100,6 +100,10 @@ namespace Mono.Security.Interface
get; set;
}
+ public bool DisallowUnauthenticatedCertificateRequest {
+ get; set;
+ }
+
/*
* If you set this here, then it will override 'ServicePointManager.SecurityProtocol'.
*/
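Review bot: `DisallowUnauthenticatedCertificateRequest` is a new public, undocumented bool that defaults to false, so whatever `SelectClientCertificate()` refuses when it is set stays permitted unless every caller opts in; if, as the name suggests, it blocks handing a client certificate to a peer that has not yet been authenticated, that default is fail-open for a security setting and needs either a secure default or a comment explaining why compatibility wins. The property should carry a summary, e.g. `/// <summary>When true, no client certificate is offered in response to a certificate request from a peer that has not yet been authenticated; see MobileTlsContext.SelectClientCertificate. Defaults to false.</summary>`, with the exact meaning of "unauthenticated" confirmed against that method, which is not in this diff. The copy-constructor hunk below does carry the flag over, so cloned settings keep the caller's choice.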
@@ -189,6 +193,7 @@ namespace Mono.Security.Interface
CertificateValidationTime = other.CertificateValidationTime;
SendCloseNotify = other.SendCloseNotify;
ClientCertificateIssuers = other.ClientCertificateIssuers;
+ DisallowUnauthenticatedCertificateRequest = other.DisallowUnauthenticatedCertificateRequest;
if (other.TrustAnchors != null)
TrustAnchors = new X509CertificateCollection (other.TrustAnchors);
if (other.CertificateSearchPaths != null) {