
[System]: Epic: Client Certificate Support - Part Two. #8758

Merged
merged 3 commits into from May 25, 2018

Conversation

baulig
Contributor

@baulig baulig commented May 18, 2018

[System]: Epic: Client Certificate Support - Part Two.

This is the second and final part to bring Client Certificate support. It needs to be landed on top of #8753 and #8756.

  • Mono.Security.Interface.IMonoSslStream: Add CanRenegotiate and RenegotiateAsync().

  • Mono.Security.Interface.MonoTlsSettings: Add DisallowUnauthenticatedCertificateRequest.

  • AppleTlsContext: fully support renegotiation.

    • we may now receive SslStatus.PeerAuthCompleted and SslStatus.PeerClientCertRequested
      during Read(). It should in theory not happen during Write(), but I added it there
      as well just to be on the safe side.
    • SetSessionOption() may only be called before the initial handshake.
  • MobileAuthenticatedStream: this is the major part of the work and the most complex one.

    • added a new Operation enum to keep track of what is going on and detect invalid state.
    • a renegotiation may only be triggered while we're idle - that is no handshake, read or write
      operation is currently active.
    • InternalWrite() may now be called from SSLRead(), the new Operation tells us what
      is currently happening.
    • ProcessHandshake() now takes a bool renegotiate argument.
    • added sanity checks to ProcessRead() and ProcessWrite().
  • MobileTlsContext.SelectClientCertificate(): check for
    MonoTlsSettings.DisallowUnauthenticatedCertificateRequest

Tests have already been added to xamarin/web-tests@869370e, they will auto-enable themselves when using a Mono runtime that contains this code.

Implements #7075

Fixes #6498

@baulig
Contributor Author

baulig commented May 24, 2018

@monojenkins build deb with monolite

This is the second and final part to bring Client Certificate support.
It needs to be landed on top of mono#8753 and mono#8756.

* `Mono.Security.Interface.IMonoSslStream`: Add `CanRenegotiate` and `RenegotiateAsync()`.

* `Mono.Security.Interface.MonoTlsSettings`: Add `DisallowUnauthenticatedCertificateRequest`.

* `AppleTlsContext`: fully support renegotiation.
  - we may now receive `SslStatus.PeerAuthCompleted` and `SslStatus.PeerClientCertRequested`
    during `Read()`.  It should in theory not happen during `Write()`, but I added it there
    as well just to be on the safe side.
  - `SetSessionOption()` may only be called before the initial handshake.

* `MobileAuthenticatedStream`: this is the major part of the work and the most complex one.
  - added a new `Operation` enum to keep track of what is going on and detect invalid state.
  - a renegotiation may only be triggered while we're idle - that is no handshake, read or write
    operation is currently active.
  - `InternalWrite()` may now be called from `SSLRead()`, the new `Operation` tells us what
    is currently happening.
  - `ProcessHandshake()` now takes a `bool renegotiate` argument.
  - added sanity checks to `ProcessRead()` and `ProcessWrite()`.

* `MobileTlsContext.SelectClientCertificate()`: check for
  `MonoTlsSettings.DisallowUnauthenticatedCertificateRequest`

* `MonoTlsProviderFactory.InternalVersion`: bump the internal version number.

Tests have already been added to `web-tests/master`, they will auto-enable themselves when
using a Mono runtime that contains this code.
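The description above (and the PR summary it repeats) explains the state tracking behind the change: an `Operation` enum, renegotiation allowed only while the stream is idle, certificate-request status codes that may now arrive during `Read()`, and a `SelectClientCertificate()` check for `DisallowUnauthenticatedCertificateRequest`. The following C# is an added model of that logic, not Mono's code and not part of the pull request; every type and member name in it is an assumption, and it reads the setting as "do not hand out a client certificate when the server asks for one before its own certificate has been validated", which is an interpretation rather than a quote from the page.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical model of the state tracking the PR describes; not Mono's implementation.
enum Operation { None, Handshake, Renegotiate, Read, Write }

// Mirrors the two status codes named in the PR text.
enum SslStatus { PeerAuthCompleted, PeerClientCertRequested }

sealed class ModelTlsSettings
{
    public bool DisallowUnauthenticatedCertificateRequest { get; set; }
}

sealed class ModelAuthenticatedStream
{
    readonly ModelTlsSettings settings;
    readonly string clientCertificate;   // stand-in for an X509Certificate (constructed)
    Operation current = Operation.None;
    bool initialHandshakeDone;
    bool peerAuthenticated;              // set once the server certificate was validated
    public List<string> Log { get; } = new List<string>();

    public ModelAuthenticatedStream(ModelTlsSettings settings, string clientCertificate)
    {
        this.settings = settings;
        this.clientCertificate = clientCertificate;
    }

    // Renegotiation only after the initial handshake and only while nothing is in flight.
    public bool CanRenegotiate => initialHandshakeDone && current == Operation.None;

    // Sanity checks: one operation at a time; read/write/renegotiate need a finished handshake.
    public void Begin(Operation op)
    {
        if (current != Operation.None)
            throw new InvalidOperationException($"cannot start {op}: {current} is active");
        if (op != Operation.Handshake && !initialHandshakeDone)
            throw new InvalidOperationException($"{op} before the initial handshake");
        current = op;
    }

    public void End()
    {
        if (current == Operation.Handshake || current == Operation.Renegotiate)
            initialHandshakeDone = true;
        current = Operation.None;
    }

    // Counterpart of SelectClientCertificate(): withhold the certificate if the
    // server requests it before it has proven its own identity (assumed semantics).
    public string SelectClientCertificate()
    {
        if (settings.DisallowUnauthenticatedCertificateRequest && !peerAuthenticated)
        {
            Log.Add("certificate request refused: peer not yet authenticated");
            return null;
        }
        return clientCertificate;
    }

    // Status codes may arrive during a handshake, a renegotiation, a Read() and
    // (defensively, as the PR says) a Write(); with no operation active they are a bug.
    public void HandleStatus(SslStatus status)
    {
        if (current == Operation.None)
            throw new InvalidOperationException($"{status} received while idle");
        switch (status)
        {
            case SslStatus.PeerAuthCompleted:
                peerAuthenticated = true;
                Log.Add("peer authenticated");
                break;
            case SslStatus.PeerClientCertRequested:
                var cert = SelectClientCertificate();
                Log.Add(cert == null ? "sent no client certificate" : "sent " + cert);
                break;
        }
    }
}

static class Demo
{
    static void Main()
    {
        var settings = new ModelTlsSettings { DisallowUnauthenticatedCertificateRequest = true };
        var stream = new ModelAuthenticatedStream(settings, "client.pfx (constructed)");

        // Initial handshake: the server asks for a client cert before authenticating itself.
        stream.Begin(Operation.Handshake);
        stream.HandleStatus(SslStatus.PeerClientCertRequested);   // refused
        stream.HandleStatus(SslStatus.PeerAuthCompleted);
        stream.End();

        // Renegotiating while a Read() is active is an invalid state.
        stream.Begin(Operation.Read);
        try { stream.Begin(Operation.Renegotiate); }
        catch (InvalidOperationException e) { stream.Log.Add("rejected: " + e.Message); }
        stream.End();

        // Idle now, so renegotiation proceeds and the request is honoured.
        if (stream.CanRenegotiate)
        {
            stream.Begin(Operation.Renegotiate);
            stream.HandleStatus(SslStatus.PeerClientCertRequested);   // sent
            stream.End();
        }
        foreach (var line in stream.Log) Console.WriteLine(line);
    }
}
```

The two decisions worth checking in a real implementation are the ones the model makes explicit: a certificate request received before `PeerAuthCompleted` is answered with no certificate when the setting is on, and `Begin(Operation.Renegotiate)` fails unless the stream is idle after a completed handshake.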
@baulig baulig force-pushed the epic-client-certificates-part-two branch from c51774a to 0a43e1c May 24, 2018 19:24
@baulig baulig requested a review from luhenry as a code owner May 24, 2018 19:24
@baulig
Contributor Author

baulig commented May 24, 2018

@monojenkins build deb with monolite

@baulig
Contributor Author

baulig commented May 24, 2018

build

@marek-safar
Member

@monojenkins commit apidiff

monojenkins added a commit to mono/api-snapshot that referenced this pull request May 25, 2018
@marek-safar marek-safar merged commit 61d1fe5 into mono:master May 25, 2018
@baulig baulig deleted the epic-client-certificates-part-two branch May 25, 2018 16:36