search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
2010-06-21 Atsushi Enomoto <atsushi@ximian.com>
[mcs.git] / class / System.ServiceModel / Mono.Security.Protocol.Tls.Handshake.Server / TlsClientCertificate.cs
blob15d8dd6554f682895a9e91eac26e353cac91c254
1 // Transport Security Layer (TLS)
2 // Copyright (c) 2003-2004 Carlos Guzman Alvarez
3 // Copyright (C) 2006 Novell, Inc (http://www.novell.com)
4 //
5 // Permission is hereby granted, free of charge, to any person obtaining
6 // a copy of this software and associated documentation files (the
7 // "Software"), to deal in the Software without restriction, including
8 // without limitation the rights to use, copy, modify, merge, publish,
9 // distribute, sublicense, and/or sell copies of the Software, and to
10 // permit persons to whom the Software is furnished to do so, subject to
11 // the following conditions:
12 //
13 // The above copyright notice and this permission notice shall be
14 // included in all copies or substantial portions of the Software.
15 //
16 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
17 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
18 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
19 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
20 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
21 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
22 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
23 //
24
25 using System;
26 using System.Collections;
27 using SSCX = System.Security.Cryptography.X509Certificates;
28 using Mono.Security.X509;
29 using Mono.Security.X509.Extensions;
30
31 namespace Mono.Security.Protocol.Tls.Handshake.Server
32 {
33 internal class TlsClientCertificate : HandshakeMessage
34 {
35 #region Fields
36
37 private X509CertificateCollection clientCertificates;
38
39 #endregion
40
41 #region Constructors
42
43 public TlsClientCertificate(Context context, byte[] buffer)
44 : base(context, HandshakeType.Certificate, buffer)
45 {
46 }
47
48 #endregion
49
50 #region Methods
51
52 public override void Update()
53 {
54 foreach (X509Certificate certificate in clientCertificates) {
55 this.Context.ClientSettings.Certificates.Add (new SSCX.X509Certificate (certificate.RawData));
56 }
57 }
58
59 #endregion
60
61 #region Protected Methods
62
63 protected override void ProcessAsSsl3()
64 {
65 this.ProcessAsTls1();
66 }
67
68 protected override void ProcessAsTls1()
69 {
70 int bytesRead = 0;
71 int length = this.ReadInt24 ();
72 this.clientCertificates = new X509CertificateCollection ();
73 while (length > bytesRead) {
74 int certLength = this.ReadInt24 ();
75 bytesRead += certLength + 3;
76 byte[] cert = this.ReadBytes (certLength);
77 this.clientCertificates.Add (new X509Certificate (cert));
78 }
79
80 if (this.clientCertificates.Count > 0)
81 {
82 this.validateCertificates (this.clientCertificates);
83 }
84 else if ((this.Context as ServerContext).ClientCertificateRequired)
85 {
86 throw new TlsException (AlertDescription.NoCertificate);
87 }
88 }
89
90 #endregion
91
92 #region Private Methods
93
94 private bool checkCertificateUsage (X509Certificate cert)
95 {
96 ServerContext context = (ServerContext)this.Context;
97
98 // certificate extensions are required for this
99 // we "must" accept older certificates without proofs
100 if (cert.Version < 3)
101 return true;
102
103 KeyUsages ku = KeyUsages.none;
104 switch (context.Negotiating.Cipher.ExchangeAlgorithmType)
105 {
106 case ExchangeAlgorithmType.RsaSign:
107 case ExchangeAlgorithmType.RsaKeyX:
108 ku = KeyUsages.digitalSignature;
109 break;
110 case ExchangeAlgorithmType.DiffieHellman:
111 ku = KeyUsages.keyAgreement;
112 break;
113 case ExchangeAlgorithmType.Fortezza:
114 return false; // unsupported certificate type
115 }
116
117 KeyUsageExtension kux = null;
118 ExtendedKeyUsageExtension eku = null;
119
120 X509Extension xtn = cert.Extensions["2.5.29.15"];
121 if (xtn != null)
122 kux = new KeyUsageExtension (xtn);
123
124 xtn = cert.Extensions["2.5.29.37"];
125 if (xtn != null)
126 eku = new ExtendedKeyUsageExtension (xtn);
127
128 if ((kux != null) && (eku != null))
129 {
130 // RFC3280 states that when both KeyUsageExtension and
131 // ExtendedKeyUsageExtension are present then BOTH should
132 // be valid
133 return (kux.Support (ku) &&
134 eku.KeyPurpose.Contains ("1.3.6.1.5.5.7.3.2"));
135 }
136 else if (kux != null)
137 {
138 return kux.Support (ku);
139 }
140 else if (eku != null)
141 {
142 // Client Authentication (1.3.6.1.5.5.7.3.2)
143 return eku.KeyPurpose.Contains ("1.3.6.1.5.5.7.3.2");
144 }
145
146 // last chance - try with older (deprecated) Netscape extensions
147 xtn = cert.Extensions["2.16.840.1.113730.1.1"];
148 if (xtn != null)
149 {
150 NetscapeCertTypeExtension ct = new NetscapeCertTypeExtension (xtn);
151 return ct.Support (NetscapeCertTypeExtension.CertTypes.SslClient);
152 }
153
154 // certificate isn't valid for SSL server usage
155 return false;
156 }
157
158 private void validateCertificates (X509CertificateCollection certificates)
159 {
160 ServerContext context = (ServerContext)this.Context;
161 AlertDescription description = AlertDescription.BadCertificate;
162 SSCX.X509Certificate client = null;
163 int[] certificateErrors = null;
164
165 // note: certificate may be null is no certificate is sent
166 // (e.g. optional mutual authentication)
167 if (certificates.Count > 0) {
168 X509Certificate leaf = certificates[0];
169
170 ArrayList errors = new ArrayList ();
171
172 // SSL specific check - not all certificates can be
173 // used to server-side SSL some rules applies after
174 // all ;-)
175 if (!checkCertificateUsage (leaf))
176 {
177 // WinError.h CERT_E_PURPOSE 0x800B0106
178 errors.Add ((int)-2146762490);
179 }
180
181 X509Chain verify;
182 // was a chain supplied ? if so use it, if not
183 if (certificates.Count > 1) {
184 // if so use it (and don't build our own)
185 X509CertificateCollection chain = new X509CertificateCollection (certificates);
186 chain.Remove (leaf);
187 verify = new X509Chain (chain);
188 } else {
189 // if not, then let's build our own (based on what's available in the stores)
190 verify = new X509Chain ();
191 }
192
193 bool result = false;
194
195 try
196 {
197 result = verify.Build (leaf);
198 }
199 catch (Exception)
200 {
201 result = false;
202 }
203
204 if (!result)
205 {
206 switch (verify.Status)
207 {
208 case X509ChainStatusFlags.InvalidBasicConstraints:
209 // WinError.h TRUST_E_BASIC_CONSTRAINTS 0x80096019
210 errors.Add ((int)-2146869223);
211 break;
212
213 case X509ChainStatusFlags.NotSignatureValid:
214 // WinError.h TRUST_E_BAD_DIGEST 0x80096010
215 errors.Add ((int)-2146869232);
216 break;
217
218 case X509ChainStatusFlags.NotTimeNested:
219 // WinError.h CERT_E_VALIDITYPERIODNESTING 0x800B0102
220 errors.Add ((int)-2146762494);
221 break;
222
223 case X509ChainStatusFlags.NotTimeValid:
224 // WinError.h CERT_E_EXPIRED 0x800B0101
225 description = AlertDescription.CertificateExpired;
226 errors.Add ((int)-2146762495);
227 break;
228
229 case X509ChainStatusFlags.PartialChain:
230 // WinError.h CERT_E_CHAINING 0x800B010A
231 description = AlertDescription.UnknownCA;
232 errors.Add ((int)-2146762486);
233 break;
234
235 case X509ChainStatusFlags.UntrustedRoot:
236 // WinError.h CERT_E_UNTRUSTEDROOT 0x800B0109
237 description = AlertDescription.UnknownCA;
238 errors.Add ((int)-2146762487);
239 break;
240
241 default:
242 // unknown error
243 description = AlertDescription.CertificateUnknown;
244 errors.Add ((int)verify.Status);
245 break;
246 }
247 }
248 client = new SSCX.X509Certificate (leaf.RawData);
249 certificateErrors = (int[])errors.ToArray (typeof (int));
250 }
251 else
252 {
253 certificateErrors = new int[0];
254 }
255
256 SSCX.X509CertificateCollection certCollection = new SSCX.X509CertificateCollection ();
257 foreach (X509Certificate certificate in certificates) {
258 certCollection.Add (new SSCX.X509Certificate (certificate.RawData));
259 }
260 if (!context.SslStream.RaiseClientCertificateValidation(client, certificateErrors))
261 {
262 throw new TlsException (
263 description,
264 "Invalid certificate received from client.");
265 }
266
267 this.Context.ClientSettings.ClientCertificate = client;
268 }
269
270 #endregion
271 }
272 }
git-svn mirror of mcs