[System]: Epic: Client Certificate Support - Part One. #8756
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is the first of two Pull Requests to implement Client Certificates :-)
Part One binds the new native APIs that will be used internally, finishes
the certificate selection callbacks, but without the more riskly changes
to the underlying handshake and I/O layer.
Part Two will bring support for TLS Renegotiation - and due to the required
changes in the underlying handshake, it is the more risky one.
* `Mono.Security.Interface.MonoTlsSettings`: Add `ClientCertificateIssuers`.
* `MobileTlsContext`:
- fully implement `SelectClientCertificate()`; the `acceptableIssuers` parameter
is now actually set and we also have a reasonable default selection.
- add `CanRenegotiate` and `RenegotiateAsync()` - these are not hooked up yet.
* `AppleTlsContext`:
- we will only ever call `RequirePeerTrust()` once per session, so we can
also remove it alltogether and just use `EvaluatePeerTrust()` instead.
- use proper exceptions for `SslStatus.PeerNoRenegotiation` and `PeerUnexpectedMsg`.
- don't call `SetClientSideAuthenticate()` on the client side.
- bind and hook up `SSLAddDistinguishedName()` and `SSLCopyDistinguishedNames()`.
- bind `SSLReHandshake()`.
* `MobileAuthenticatedStream`: minor cleanups; there will be more uses of the new
`GetInvalidNestedCallException()` helper class once Part Two lands.
* Enable some more constants in `SecureTransport.cs`.
* Add new `MonoBtlsError.GetErrorReason()` and `mono_btls_error_get_reason()`
implementation, only supporting `SSL_R_NO_RENEGOTIATION` at the moment.
* Add new native `mono_btls_ssl_ctx_set_client_ca_list()` function and managed
`MonoBtlsSslCtx.SetClientCertificateIssuers()`; hooked up via
`MonoTlsSettings.ClientCertificateIssuers`.
* According to a comment in the header file, `SSL_get_client_CA_list()` may only
be called during the selection callback or while the handshake is paused.
To respect this restriction, we now call it during the client certificate
selection callback and pass the list from native to managed.
- changed signature of `MonoBtlsSelectFunc` from
`int (* MonoBtlsSelectFunc) (void *instance)` to
`int (* MonoBtlsSelectFunc) (void *instance, int countIssuers, const int *sizes, void **issuerData)`.
- the managed counter-part is in `MonoBtlsSslCtx.NativeSelectFunc` / `NativeSelectCallback`.
* MonoBtlsContext:
- use the new `MonoBtlsError.GetErrorReason()` to throw a `TlsException` with
`AlertDescription.NoRenegotiation` that can be checked for by user code.
- `SelectCallback()` now has a `string[] acceptableIssuers` argument; pass it
to `SelectClientCertificate()`.
- the native backend does not support TLS Renegotiation, so `CanRenegotiate`
always returns false.
baulig
pushed a commit
to baulig/mono
that referenced
this pull request
May 18, 2018
This is the second and final part and it should be landed on top of mono#8756. * `Mono.Security.Interface.IMonoSslStream`: Add `CanRenegotiate` and `RenegotiateAsync()`. * `Mono.Security.Interface.MonoTlsSettings`: Add `DisallowUnauthenticatedCertificateRequest`. * `AppleTlsContext`: fully support renegotiation. - we may now receive `SslStatus.PeerAuthCompleted` and `SslStatus.PeerClientCertRequested` during `Read()`. It should in theory not happen during `Write()`, but I added it there as well just to be on the safe side. - `SetSessionOption()` may only be called before the initial handshake. * `MobileAuthenticatedStream`: this is the major part of the work and the most complex one. - added a new `Operation` enum to keep track of what is going on and detect invalid state. - a renegotion may only be triggered while we're idle - that is no handshake, read or write operation is currently active. - `InternalWrite()` may now be called from `SSLRead()`, the new `Operation` tells us what is currently happening. - `ProcessHandshake()` now takes a `bool renegotiate` argument. - added sanity checks to `ProcessRead()` and `ProcessWrite()`. * `MobileTlsContext.SelectClientCertificate()`: check for `MonoTlsSettings.DisallowUnauthenticatedCertificateRequest`
baulig
pushed a commit
to baulig/mono
that referenced
this pull request
May 18, 2018
This is the second and final part to bring Client Certificate support. It needs to be landed on top of mono#8753 and mono#8756. * `Mono.Security.Interface.IMonoSslStream`: Add `CanRenegotiate` and `RenegotiateAsync()`. * `Mono.Security.Interface.MonoTlsSettings`: Add `DisallowUnauthenticatedCertificateRequest`. * `AppleTlsContext`: fully support renegotiation. - we may now receive `SslStatus.PeerAuthCompleted` and `SslStatus.PeerClientCertRequested` during `Read()`. It should in theory not happen during `Write()`, but I added it there as well just to be on the safe side. - `SetSessionOption()` may only be called before the initial handshake. * `MobileAuthenticatedStream`: this is the major part of the work and the most complex one. - added a new `Operation` enum to keep track of what is going on and detect invalid state. - a renegotion may only be triggered while we're idle - that is no handshake, read or write operation is currently active. - `InternalWrite()` may now be called from `SSLRead()`, the new `Operation` tells us what is currently happening. - `ProcessHandshake()` now takes a `bool renegotiate` argument. - added sanity checks to `ProcessRead()` and `ProcessWrite()`. * `MobileTlsContext.SelectClientCertificate()`: check for `MonoTlsSettings.DisallowUnauthenticatedCertificateRequest` * `MonoTlsProviderFactory.InternalVersion`: bump the internal version number. Tests have already been added to `web-tests/master`, they will auto-enable themselves when using a Mono runtime that contains this code.
9 tasks
|
@monojenkins commit apidiff |
monojenkins
added a commit
to mono/api-snapshot
that referenced
this pull request
May 22, 2018
marek-safar
approved these changes
May 23, 2018
| @@ -56,6 +56,9 @@ static class MonoBtlsError | |||
| [DllImport (MonoBtlsObject.BTLS_DYLIB)] | |||
| extern static void mono_btls_error_get_error_string_n (int error, IntPtr buf, int len); | |||
|
|
|||
| [DllImport (MonoBtlsObject.BTLS_DYLIB)] | |||
| extern static int mono_btls_error_get_reason (int error); | |||
There was a problem hiding this comment.
We should bump mscorlib (to ensure unmanaged bits don't get out of sync)
akoeplinger
pushed a commit
to mono/api-snapshot
that referenced
this pull request
May 24, 2018
baulig
pushed a commit
to baulig/mono
that referenced
this pull request
May 24, 2018
This is the second and final part to bring Client Certificate support. It needs to be landed on top of mono#8753 and mono#8756. * `Mono.Security.Interface.IMonoSslStream`: Add `CanRenegotiate` and `RenegotiateAsync()`. * `Mono.Security.Interface.MonoTlsSettings`: Add `DisallowUnauthenticatedCertificateRequest`. * `AppleTlsContext`: fully support renegotiation. - we may now receive `SslStatus.PeerAuthCompleted` and `SslStatus.PeerClientCertRequested` during `Read()`. It should in theory not happen during `Write()`, but I added it there as well just to be on the safe side. - `SetSessionOption()` may only be called before the initial handshake. * `MobileAuthenticatedStream`: this is the major part of the work and the most complex one. - added a new `Operation` enum to keep track of what is going on and detect invalid state. - a renegotion may only be triggered while we're idle - that is no handshake, read or write operation is currently active. - `InternalWrite()` may now be called from `SSLRead()`, the new `Operation` tells us what is currently happening. - `ProcessHandshake()` now takes a `bool renegotiate` argument. - added sanity checks to `ProcessRead()` and `ProcessWrite()`. * `MobileTlsContext.SelectClientCertificate()`: check for `MonoTlsSettings.DisallowUnauthenticatedCertificateRequest` * `MonoTlsProviderFactory.InternalVersion`: bump the internal version number. Tests have already been added to `web-tests/master`, they will auto-enable themselves when using a Mono runtime that contains this code.
baulig
pushed a commit
to baulig/mono
that referenced
this pull request
May 24, 2018
This is the second and final part to bring Client Certificate support. It needs to be landed on top of mono#8753 and mono#8756. * `Mono.Security.Interface.IMonoSslStream`: Add `CanRenegotiate` and `RenegotiateAsync()`. * `Mono.Security.Interface.MonoTlsSettings`: Add `DisallowUnauthenticatedCertificateRequest`. * `AppleTlsContext`: fully support renegotiation. - we may now receive `SslStatus.PeerAuthCompleted` and `SslStatus.PeerClientCertRequested` during `Read()`. It should in theory not happen during `Write()`, but I added it there as well just to be on the safe side. - `SetSessionOption()` may only be called before the initial handshake. * `MobileAuthenticatedStream`: this is the major part of the work and the most complex one. - added a new `Operation` enum to keep track of what is going on and detect invalid state. - a renegotion may only be triggered while we're idle - that is no handshake, read or write operation is currently active. - `InternalWrite()` may now be called from `SSLRead()`, the new `Operation` tells us what is currently happening. - `ProcessHandshake()` now takes a `bool renegotiate` argument. - added sanity checks to `ProcessRead()` and `ProcessWrite()`. * `MobileTlsContext.SelectClientCertificate()`: check for `MonoTlsSettings.DisallowUnauthenticatedCertificateRequest` * `MonoTlsProviderFactory.InternalVersion`: bump the internal version number. Tests have already been added to `web-tests/master`, they will auto-enable themselves when using a Mono runtime that contains this code.
marek-safar
pushed a commit
that referenced
this pull request
May 25, 2018
This is the second and final part to bring Client Certificate support. It needs to be landed on top of #8753 and #8756. * `Mono.Security.Interface.IMonoSslStream`: Add `CanRenegotiate` and `RenegotiateAsync()`. * `Mono.Security.Interface.MonoTlsSettings`: Add `DisallowUnauthenticatedCertificateRequest`. * `AppleTlsContext`: fully support renegotiation. - we may now receive `SslStatus.PeerAuthCompleted` and `SslStatus.PeerClientCertRequested` during `Read()`. It should in theory not happen during `Write()`, but I added it there as well just to be on the safe side. - `SetSessionOption()` may only be called before the initial handshake. * `MobileAuthenticatedStream`: this is the major part of the work and the most complex one. - added a new `Operation` enum to keep track of what is going on and detect invalid state. - a renegotion may only be triggered while we're idle - that is no handshake, read or write operation is currently active. - `InternalWrite()` may now be called from `SSLRead()`, the new `Operation` tells us what is currently happening. - `ProcessHandshake()` now takes a `bool renegotiate` argument. - added sanity checks to `ProcessRead()` and `ProcessWrite()`. * `MobileTlsContext.SelectClientCertificate()`: check for `MonoTlsSettings.DisallowUnauthenticatedCertificateRequest` * `MonoTlsProviderFactory.InternalVersion`: bump the internal version number. Tests have already been added to `web-tests/master`, they will auto-enable themselves when using a Mono runtime that contains this code.
picenka21
pushed a commit
to picenka21/runtime
that referenced
this pull request
Feb 18, 2022
This is the first of two Pull Requests to implement Client Certificates :-)
Part One binds the new native APIs that will be used internally, finishes
the certificate selection callbacks, but without the more riskly changes
to the underlying handshake and I/O layer.
Part Two will bring support for TLS Renegotiation - and due to the required
changes in the underlying handshake, it is the more risky one.
* `Mono.Security.Interface.MonoTlsSettings`: Add `ClientCertificateIssuers`.
* `MobileTlsContext`:
- fully implement `SelectClientCertificate()`; the `acceptableIssuers` parameter
is now actually set and we also have a reasonable default selection.
- add `CanRenegotiate` and `RenegotiateAsync()` - these are not hooked up yet.
* `AppleTlsContext`:
- we will only ever call `RequirePeerTrust()` once per session, so we can
also remove it alltogether and just use `EvaluatePeerTrust()` instead.
- use proper exceptions for `SslStatus.PeerNoRenegotiation` and `PeerUnexpectedMsg`.
- don't call `SetClientSideAuthenticate()` on the client side.
- bind and hook up `SSLAddDistinguishedName()` and `SSLCopyDistinguishedNames()`.
- bind `SSLReHandshake()`.
* `MobileAuthenticatedStream`: minor cleanups; there will be more uses of the new
`GetInvalidNestedCallException()` helper class once Part Two lands.
* Enable some more constants in `SecureTransport.cs`.
* Add new `MonoBtlsError.GetErrorReason()` and `mono_btls_error_get_reason()`
implementation, only supporting `SSL_R_NO_RENEGOTIATION` at the moment.
* Add new native `mono_btls_ssl_ctx_set_client_ca_list()` function and managed
`MonoBtlsSslCtx.SetClientCertificateIssuers()`; hooked up via
`MonoTlsSettings.ClientCertificateIssuers`.
* According to a comment in the header file, `SSL_get_client_CA_list()` may only
be called during the selection callback or while the handshake is paused.
To respect this restriction, we now call it during the client certificate
selection callback and pass the list from native to managed.
- changed signature of `MonoBtlsSelectFunc` from
`int (* MonoBtlsSelectFunc) (void *instance)` to
`int (* MonoBtlsSelectFunc) (void *instance, int countIssuers, const int *sizes, void **issuerData)`.
- the managed counter-part is in `MonoBtlsSslCtx.NativeSelectFunc` / `NativeSelectCallback`.
* MonoBtlsContext:
- use the new `MonoBtlsError.GetErrorReason()` to throw a `TlsException` with
`AlertDescription.NoRenegotiation` that can be checked for by user code.
- `SelectCallback()` now has a `string[] acceptableIssuers` argument; pass it
to `SelectClientCertificate()`.
- the native backend does not support TLS Renegotiation, so `CanRenegotiate`
always returns false.
Implements mono/mono#7075
Commit migrated from mono/mono@0c2e513
picenka21
pushed a commit
to picenka21/runtime
that referenced
this pull request
Feb 18, 2022
This is the second and final part to bring Client Certificate support. It needs to be landed on top of mono/mono#8753 and mono/mono#8756. * `Mono.Security.Interface.IMonoSslStream`: Add `CanRenegotiate` and `RenegotiateAsync()`. * `Mono.Security.Interface.MonoTlsSettings`: Add `DisallowUnauthenticatedCertificateRequest`. * `AppleTlsContext`: fully support renegotiation. - we may now receive `SslStatus.PeerAuthCompleted` and `SslStatus.PeerClientCertRequested` during `Read()`. It should in theory not happen during `Write()`, but I added it there as well just to be on the safe side. - `SetSessionOption()` may only be called before the initial handshake. * `MobileAuthenticatedStream`: this is the major part of the work and the most complex one. - added a new `Operation` enum to keep track of what is going on and detect invalid state. - a renegotion may only be triggered while we're idle - that is no handshake, read or write operation is currently active. - `InternalWrite()` may now be called from `SSLRead()`, the new `Operation` tells us what is currently happening. - `ProcessHandshake()` now takes a `bool renegotiate` argument. - added sanity checks to `ProcessRead()` and `ProcessWrite()`. * `MobileTlsContext.SelectClientCertificate()`: check for `MonoTlsSettings.DisallowUnauthenticatedCertificateRequest` * `MonoTlsProviderFactory.InternalVersion`: bump the internal version number. Tests have already been added to `web-tests/master`, they will auto-enable themselves when using a Mono runtime that contains this code. Commit migrated from mono/mono@5715aee
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is the first of two Pull Requests to implement Client Certificates :-)
Part One binds the new native APIs that will be used internally, finishes
the certificate selection callbacks, but without the more riskly changes
to the underlying handshake and I/O layer.
Part Two will bring support for TLS Renegotiation - and due to the required
changes in the underlying handshake, it is the more risky one.
Mono.Security.Interface.MonoTlsSettings: AddClientCertificateIssuers.MobileTlsContext:SelectClientCertificate(); theacceptableIssuersparameteris now actually set and we also have a reasonable default selection.
CanRenegotiateandRenegotiateAsync()- these are not hooked up yet.AppleTlsContext:RequirePeerTrust()once per session, so we canalso remove it alltogether and just use
EvaluatePeerTrust()instead.SslStatus.PeerNoRenegotiationandPeerUnexpectedMsg.SetClientSideAuthenticate()on the client side.SSLAddDistinguishedName()andSSLCopyDistinguishedNames().SSLReHandshake().MobileAuthenticatedStream: minor cleanups; there will be more uses of the newGetInvalidNestedCallException()helper class once Part Two lands.Enable some more constants in
SecureTransport.cs.Add new
MonoBtlsError.GetErrorReason()andmono_btls_error_get_reason()implementation, only supporting
SSL_R_NO_RENEGOTIATIONat the moment.Add new native
mono_btls_ssl_ctx_set_client_ca_list()function and managedMonoBtlsSslCtx.SetClientCertificateIssuers(); hooked up viaMonoTlsSettings.ClientCertificateIssuers.According to a comment in the header file,
SSL_get_client_CA_list()may onlybe called during the selection callback or while the handshake is paused.
To respect this restriction, we now call it during the client certificate
selection callback and pass the list from native to managed.
MonoBtlsSelectFuncfromint (* MonoBtlsSelectFunc) (void *instance)toint (* MonoBtlsSelectFunc) (void *instance, int countIssuers, const int *sizes, void **issuerData).MonoBtlsSslCtx.NativeSelectFunc/NativeSelectCallback.MonoBtlsContext:
MonoBtlsError.GetErrorReason()to throw aTlsExceptionwithAlertDescription.NoRenegotiationthat can be checked for by user code.SelectCallback()now has astring[] acceptableIssuersargument; pass itto
SelectClientCertificate().CanRenegotiatealways returns false.
Implements #7075