Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
2009-08-20 Sebastien Pouliot <sebastien@ximian.com>
	* SslStream.cs : Always use/provide a X509Chain even if this 
	duplicates some of the old/existing logic of Mono.Security.
	This makes it possible to provide a callback using 
	ServicePointManager.ServerCertificateValidationCallback


svn path=/trunk/mcs/; revision=140359
  • Loading branch information
Sebastien Pouliot committed Aug 20, 2009
1 parent f7613c5 commit 52a7635
Show file tree
Hide file tree
Showing 2 changed files with 40 additions and 6 deletions.
7 changes: 7 additions & 0 deletions mcs/class/System/System.Net.Security/ChangeLog
@@ -1,3 +1,10 @@
2009-08-20 Sebastien Pouliot <sebastien@ximian.com>

* SslStream.cs : Always use/provide a X509Chain even if this
duplicates some of the old/existing logic of Mono.Security.
This makes it possible to provide a callback using
ServicePointManager.ServerCertificateValidationCallback

2007-08-24 Atsushi Enomoto <atsushi@ximian.com>

* SslStream.cs : uh, fixed the build.
Expand Down
39 changes: 33 additions & 6 deletions mcs/class/System/System.Net.Security/SslStream.cs
Expand Up @@ -348,13 +348,40 @@ public virtual IAsyncResult BeginAuthenticateAsClient (string targetHost, X509Ce

if (validation_callback != null)
s.ServerCertValidationDelegate = delegate (X509Certificate cert, int [] certErrors) {
X509Chain chain = null;
if (cert is X509Certificate2) {
chain = new X509Chain ();
chain.Build ((X509Certificate2) cert);
X509Chain chain = new X509Chain ();
X509Certificate2 x2 = (cert as X509Certificate2);
if (x2 == null)
x2 = new X509Certificate2 (cert);

if (!ServicePointManager.CheckCertificateRevocationList)
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

// SSL specific checks (done by Mono.Security.dll SSL/TLS implementation)
SslPolicyErrors errors = SslPolicyErrors.None;
foreach (int i in certErrors) {
switch (i) {
case -2146762490: // CERT_E_PURPOSE
errors |= SslPolicyErrors.RemoteCertificateNotAvailable;
break;
case -2146762481: // CERT_E_CN_NO_MATCH
errors |= SslPolicyErrors.RemoteCertificateNameMismatch;
break;
default:
errors |= SslPolicyErrors.RemoteCertificateChainErrors;
break;
}
}
// FIXME: SslPolicyErrors is incomplete
SslPolicyErrors errors = certErrors.Length > 0 ? SslPolicyErrors.RemoteCertificateChainErrors : SslPolicyErrors.None;

chain.Build (x2);

// non-SSL specific X509 checks (i.e. RFC3280 related checks)
foreach (X509ChainStatus status in chain.ChainStatus) {
if ((status.Status & X509ChainStatusFlags.PartialChain) != 0)
errors |= SslPolicyErrors.RemoteCertificateNotAvailable;
else
errors |= SslPolicyErrors.RemoteCertificateChainErrors;
}

return validation_callback (this, cert, chain, errors);
};
if (selection_callback != null)
Expand Down

0 comments on commit 52a7635

Please sign in to comment.