Merge pull request #2802 from BrzVlad/feature-evacuation-opt2
[mono.git] / mcs / class / Mono.Security / Mono.Security.Interface / CertificateValidationHelper.cs
index 18ada523b25442368a31361778f30e5f1c626d6b..fd392b409e5a4bef6de68f174911b79f638997be 100644 (file)
@@ -36,7 +36,6 @@ using Mono.Net.Security;
 
 namespace Mono.Security.Interface
 {
-       #if (!MONOTOUCH && !MONODROID) || INSIDE_SYSTEM
        public class ValidationResult
        {
                bool trusted;
@@ -52,12 +51,11 @@ namespace Mono.Security.Interface
                        this.policy_errors = policy_errors;
                }
 
-               internal ValidationResult (bool trusted, bool user_defined, int error_code)
+               internal ValidationResult (bool trusted, bool user_denied, int error_code)
                {
                        this.trusted = trusted;
                        this.user_denied = user_denied;
                        this.error_code = error_code;
-                       this.policy_errors = policy_errors;
                }
 
                public bool Trusted {
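Review bot: The three-argument constructor no longer assigns `policy_errors`, so a result built from an error code leaves that field at its default while the other constructor sets it explicitly; this asymmetry is worth stating on the constructor, e.g. `// policy_errors is intentionally left at its default: this overload reports the outcome through error_code only.` The parameter rename also removes the earlier self-assignment of `policy_errors`, which is the right fix. The field declarations and the rest of the class lie outside this hunk, so I cannot tell what the default value is.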
@@ -86,30 +84,56 @@ namespace Mono.Security.Interface
                        get;
                }
 
-               X509Certificate SelectClientCertificate (
+               /*
+                * Returns `true` if a client certificate has been selected (which could be `null`).
+                */
+               bool SelectClientCertificate (
                        string targetHost, X509CertificateCollection localCertificates, X509Certificate remoteCertificate,
-                       string[] acceptableIssuers);
+                       string[] acceptableIssuers, out X509Certificate clientCertificate);
 
-               ValidationResult ValidateChain (string targetHost, X509CertificateCollection certificates);
+               /*
+                * If @serverMode is true, then we're a server and want to validate a certificate that we received from a client.
+                */
+               ValidationResult ValidateCertificate (string targetHost, bool serverMode, X509CertificateCollection certificates);
+       }
 
-               ValidationResult ValidateClientCertificate (X509CertificateCollection certificates);
+       internal interface ICertificateValidator2 : ICertificateValidator
+       {
+               /*
+                * Internal use only.
+                */
+               ValidationResult ValidateCertificate (string targetHost, bool serverMode, X509Certificate leaf, X509Chain chain);
+
+               /*
+                * On OS X and Mobile, the @chain will be initialized with the @certificates, but not actually built.
+                */
+               bool InvokeSystemValidator (
+                       string targetHost, bool serverMode, X509CertificateCollection certificates,
+                       X509Chain chain, ref MonoSslPolicyErrors errors, ref int status11);
        }
-       #endif
 
-       #if !INSIDE_SYSTEM
-       public
-       #endif
-       static class CertificateValidationHelper
+       public static class CertificateValidationHelper
        {
                const string SecurityLibrary = "/System/Library/Frameworks/Security.framework/Security";
                static readonly bool noX509Chain;
+               static readonly bool supportsTrustAnchors;
 
                static CertificateValidationHelper ()
                {
                        #if MONOTOUCH || XAMMAC
                        noX509Chain = true;
+                       supportsTrustAnchors = true;
+                       #elif MONODROID
+                       noX509Chain = true;
+                       supportsTrustAnchors = false;
                        #else
-                       noX509Chain = File.Exists (SecurityLibrary);
+                       if (File.Exists (SecurityLibrary)) {
+                               noX509Chain = true;
+                               supportsTrustAnchors = true;
+                       } else {
+                               noX509Chain = false;
+                               supportsTrustAnchors = false;
+                       }
                        #endif
                }
 
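Review bot: The new `InvokeSystemValidator` declaration in `ICertificateValidator2` is the one new member without a contract comment, and its `bool` return and the `ref MonoSslPolicyErrors errors` / `ref int status11` parameters are exactly what an implementer needs defined: whether `false` means the system validator could not be run or that it ran and rejected the chain, and whether `errors` is merged with or replaces the incoming value (the hunk does not show which). Those two meanings of `false` must not be conflated, since a validation that never ran must not be read as a pass. I would extend the comment above it along the lines of `* Returns true if the system validator was invoked; the outcome is reported through @errors and @status11 — state whether @errors is merged or overwritten (confirm against the implementations).` Separately, in the static constructor the non-MONODROID branches always set `supportsTrustAnchors` to the same value as `noX509Chain`; a one-line comment on why MONODROID is the exception would help the next reader. The enclosing `ICertificateValidator` interface begins above this hunk.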
@@ -117,16 +141,24 @@ namespace Mono.Security.Interface
                        get { return !noX509Chain; }
                }
 
-               internal static ICertificateValidator GetDefaultValidator (MonoTlsSettings settings)
+               public static bool SupportsTrustAnchors {
+                       get { return supportsTrustAnchors; }
+               }
+
+               /*
+                * Internal API, intended to be used by MonoTlsProvider implementations.
+                */
+               internal static ICertificateValidator2 GetDefaultValidator (MonoTlsSettings settings, MonoTlsProvider provider)
                {
-                       return (ICertificateValidator)NoReflectionHelper.GetDefaultCertificateValidator (settings);
+                       return (ICertificateValidator2)NoReflectionHelper.GetDefaultCertificateValidator (provider, settings);
                }
 
-               #if !INSIDE_SYSTEM
-               public static ICertificateValidator GetValidator (MonoTlsSettings settings)
+               /*
+                * Use this overloaded version in user code.
+                */
+               public static ICertificateValidator GetValidator (MonoTlsSettings settings, MonoTlsProvider provider = null)
                {
-                       return GetDefaultValidator (settings);
+                       return GetDefaultValidator (settings, provider);
                }
-               #endif
        }
 }
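Review bot: `GetValidator` now takes an optional `provider = null`, but neither comment says what a null provider means, and `Use this overloaded version in user code.` no longer fits because there is only one public overload left. I would replace that comment with `* Public entry point for user code; pass null as @provider to select the default provider (confirm against NoReflectionHelper.GetDefaultCertificateValidator).` Note also that replacing the one-argument signature with an optional parameter changes the method's binary signature; if assemblies compiled against the previous `GetValidator (MonoTlsSettings)` must keep working, keep that overload and have it return `GetDefaultValidator (settings, null)`. The `(ICertificateValidator2)` cast in `GetDefaultValidator` will throw an `InvalidCastException` if the helper ever returns a validator implementing only `ICertificateValidator`, which is acceptable for an internal API but worth a short comment.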