Update of /cvsroot/pgsqlclient/pgsqlclient_10/Mono.Security.Protocol.Tls/Mono.Security.Protocol.Tls/Mono.Security.Protocol.Tls.Handshake/Mono.Security.Protocol.Tls.Handshake.Client
In directory sc8-pr-cvs1:/tmp/cvs-serv31455
Modified Files:
TlsServerCertificate.cs
Log Message:
2003-12-09 Carlos Guzmán Álvarez <car...@te...>
* Mono.Security.Protocol.Handshake.Client/TlsServerCertificate.cs:
- Restrict certificate validation to the first certificate.
( real validation needs to be made using a certificate chain )
- Improved domain validation by comparing the IP address of the
target host with the IP address the certificate domain resolves to.
- Fixed error list handling on certificate validation.
Index: TlsServerCertificate.cs
===================================================================
RCS file: /cvsroot/pgsqlclient/pgsqlclient_10/Mono.Security.Protocol.Tls/Mono.Security.Protocol.Tls/Mono.Security.Protocol.Tls.Handshake/Mono.Security.Protocol.Tls.Handshake.Client/TlsServerCertificate.cs,v
retrieving revision 1.13
retrieving revision 1.14
diff -C2 -d -r1.13 -r1.14
*** TlsServerCertificate.cs 25 Nov 2003 12:36:06 -0000 1.13
--- TlsServerCertificate.cs 9 Dec 2003 19:21:33 -0000 1.14
***************
*** 24,27 ****
--- 24,28 ----
using System;
+ using System.Net;
using System.Collections;
using System.Text.RegularExpressions;
***************
*** 90,97 ****
readed += certLength;
-
- this.validateCertificate(certificate);
}
}
}
--- 91,101 ----
readed += certLength;
}
}
+
+ #warning Correct validation needs to be made using a certificate chain
+
+ // Restrict validation to the first certificate
+ this.validateCertificate(certificates[0]);
}
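Review bot: `this.validateCertificate(certificates[0]);` indexes the parsed list unconditionally, so a Certificate message whose list is empty (attacker-controlled input on the wire) fails with an out-of-range exception from the parser rather than a clean handshake failure; guard it first, e.g. `if (certificates.Length == 0) { /* abort handshake: no server certificate */ }` (adjust to the collection type, which is declared outside this hunk). More seriously, only the leaf's validity dates and name are ever inspected — issuer signature and trust anchor are never checked — and the validation callback later in this file is only raised when the error list is non-empty, so a self-signed certificate with a matching name and current dates is accepted silently. Until chain validation exists, it would be safer to push an unconditional untrusted-root error from the same HRESULT family the code already uses (`0x800B0109`, CERT_E_UNTRUSTEDROOT) so the application callback at least gets to decide. The enclosing method begins before this hunk.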
***************
*** 102,111 ****
private void validateCertificate(X509Certificate certificate)
{
! int[] certificateErrors = new int[0];
// 1 step : Validate dates
if (!certificate.IsCurrent)
{
! #warning "Add error to the list"
}
--- 106,115 ----
private void validateCertificate(X509Certificate certificate)
{
! ArrayList errors = new ArrayList();
// 1 step : Validate dates
if (!certificate.IsCurrent)
{
! errors.Add(0x800B0101);
}
***************
*** 124,132 ****
if (!this.checkDomainName(certificate.SubjectName))
{
! #warning "Add error to the list"
}
! if (certificateErrors.Length > 0)
{
if (!this.Context.SslStream.RaiseServerCertificateValidation(
new X509Cert.X509Certificate(certificate.RawData),
--- 128,143 ----
if (!this.checkDomainName(certificate.SubjectName))
{
! errors.Add(0x800B010F);
}
! if (errors.Count > 0)
{
+ int[] certificateErrors = new int[errors.Count];
+
+ for (int i = 0; i < certificateErrors.Length; i++)
+ {
+ certificateErrors[i] = Convert.ToInt32(errors[i]);
+ }
+
if (!this.Context.SslStream.RaiseServerCertificateValidation(
new X509Cert.X509Certificate(certificate.RawData),
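Review bot: `errors.Add(0x800B010F);` (and `0x800B0101` in the previous hunk) stores a `uint`, because the literal exceeds `Int32.MaxValue` and C# types it accordingly; the ArrayList boxes it as `uint`, and `Convert.ToInt32(errors[i])` in the new copy loop then throws OverflowException for every entry. The net effect is that any certificate problem aborts with an unrelated exception instead of reaching `RaiseServerCertificateValidation`. Store the HRESULTs as signed ints, `errors.Add(unchecked((int)0x800B010F));` (same for the expiry code), and unbox directly, `certificateErrors[i] = (int)errors[i];`; the loop can then shrink to `int[] certificateErrors = (int[])errors.ToArray(typeof(int));`. validateCertificate continues past the end of this hunk.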
***************
*** 155,159 ****
}
! return (this.Context.ClientSettings.TargetHost == domainName);
}
--- 166,183 ----
}
! if (domainName == String.Empty)
! {
! return false;
! }
! else
! {
! string targetHost = this.Context.ClientSettings.TargetHost;
!
! // Check that the IP is correct
! IPAddress ipHost = Dns.Resolve(targetHost).AddressList[0];
! IPAddress ipDomain = Dns.Resolve(domainName).AddressList[0];
!
! return (ipHost.Address == ipDomain.Address);
! }
}
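Review bot: The new IP comparison in checkDomainName weakens the hostname check rather than strengthening it: both `Dns.Resolve` calls consult DNS, which an attacker positioned to intercept the TLS connection can usually also influence, so a certificate issued for any name the attacker can point at the target's IP now passes, while the one match TLS actually relies on (certificate name vs. the requested host) is no longer performed. It also adds failure modes: `Dns.Resolve` throws SocketException on lookup failure instead of returning false, only `AddressList[0]` is compared so multi-homed or round-robin hosts fail intermittently, and `IPAddress.Address` is IPv4-only. Drop the resolution and compare the names case-insensitively, `return (String.Compare(targetHost, domainName, true, CultureInfo.InvariantCulture) == 0);` (needs `using System.Globalization;`), which is what revision 1.13 did apart from case-folding. The method's opening and the CN extraction are outside this hunk, so whether domainName can carry a wildcard cannot be seen here; if it can, that needs a separate rule.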