Merge pull request #85 from Liryna/master

Add SslStream Configuration for Client & Server
2014-10-30 14:02:45 +09:00
parent 6822fdce36 88e224384f
commit 956f16a162
12 changed files with 308 additions and 37 deletions
--- a/websocket-sharp/Net/ClientSslAuthConfiguration.cs
+++ b/websocket-sharp/Net/ClientSslAuthConfiguration.cs
@@ -0,0 +1,100 @@
+#region License
+/*
+ * ClientSslAuthConfiguration.cs
+ *
+ * The MIT License
+ *
+ * Copyright (c) 2014 liryna
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+#endregion
+
+#region Authors
+/*
+ * Authors:
+ * - Liryna liryna.stark@gmail.com
+ */
+#endregion
+
+using System.Security.Authentication;
+using System.Security.Cryptography.X509Certificates;
+
+namespace WebSocketSharp.Net
+{
+    /// <summary>
+    /// Stores the parameters used in configuring <see cref="System.Net.Security.SslStream"/>
+    /// as a client.
+    /// </summary>
+    public class ClientSslAuthConfiguration
+    {
+        /// <summary>
+        /// Gets or sets the certificate configuration used to authenticate the clients on the secure connection.
+        /// </summary>
+        /// <value>
+        /// A <see cref="X509CertificateCollection"/> that represents the certificate collection used to authenticate
+        /// the clients.
+        /// </value>
+        public X509CertificateCollection clientCertificates { get; set; }
+
+        /// <summary>
+        /// Gets or sets the Ssl protocols type enabled.
+        /// </summary>
+        /// <value>
+        /// The <see cref="SslProtocols"/> value that represents the protocol used for authentication.
+        /// </value>
+        public SslProtocols EnabledSslProtocols { get; set; }
+
+        /// <summary>
+        /// Gets or sets the verification of certificate revocation option.
+        /// </summary>
+        /// <value>
+        /// A Boolean value that specifies whether the certificate revocation list is checked during authentication.
+        /// </value>
+        public bool CheckCertificateRevocation { get; set; }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ClientSslAuthConfiguration"/> class.
+        /// </summary>
+        public ClientSslAuthConfiguration(X509CertificateCollection clientCertificates)
+            : this(clientCertificates, SslProtocols.Default, false)
+        {
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ClientSslAuthConfiguration"/> class.
+        /// </summary>
+        public ClientSslAuthConfiguration(X509CertificateCollection clientCertificates,
+          SslProtocols enabledSslProtocols)
+            : this(clientCertificates, enabledSslProtocols, false)
+        {
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ClientSslAuthConfiguration"/> class.
+        /// </summary>
+        public ClientSslAuthConfiguration(X509CertificateCollection clientCertificates,
+            SslProtocols enabledSslProtocols, bool checkCertificateRevocation)
+        {
+            this.clientCertificates = clientCertificates;
+            this.EnabledSslProtocols = enabledSslProtocols;
+            this.CheckCertificateRevocation = checkCertificateRevocation;
+        }
+    }
+}
--- a/websocket-sharp/Net/EndPointListener.cs
+++ b/websocket-sharp/Net/EndPointListener.cs
@@ -54,7 +54,7 @@ namespace WebSocketSharp.Net
    #region Private Fields

    private List<HttpListenerPrefix>                     _all; // host == '+'
-    private X509Certificate2                             _cert;
+    private ServerSslAuthConfiguration                   _sslAuthenticationConfig;
    private static readonly string                       _defaultCertFolderPath;
    private IPEndPoint                                   _endpoint;
    private Dictionary<HttpListenerPrefix, HttpListener> _prefixes;
@@ -83,13 +83,13 @@ namespace WebSocketSharp.Net
      int port,
      bool secure,
      string certificateFolderPath,
-      X509Certificate2 defaultCertificate,
+      ServerSslAuthConfiguration defaultCertificate,
      bool reuseAddress)
    {
      if (secure) {
        _secure = secure;
-        _cert = getCertificate (port, certificateFolderPath, defaultCertificate);
-        if (_cert == null)
+        _sslAuthenticationConfig = getCertificate(port, certificateFolderPath, defaultCertificate);
+        if (_sslAuthenticationConfig == null)
          throw new ArgumentException ("No server certificate could be found.");
      }

@@ -116,9 +116,10 @@ namespace WebSocketSharp.Net

    #region Public Properties

-    public X509Certificate2 Certificate {
+    public ServerSslAuthConfiguration CertificateConfig
+    {
      get {
-        return _cert;
+          return _sslAuthenticationConfig;
      }
    }

@@ -173,8 +174,8 @@ namespace WebSocketSharp.Net
      return rsa;
    }

-    private static X509Certificate2 getCertificate (
-      int port, string certificateFolderPath, X509Certificate2 defaultCertificate)
+    private static ServerSslAuthConfiguration getCertificate(
+      int port, string certificateFolderPath, ServerSslAuthConfiguration defaultCertificate)
    {
      if (certificateFolderPath == null || certificateFolderPath.Length == 0)
        certificateFolderPath = _defaultCertFolderPath;
@@ -186,7 +187,7 @@ namespace WebSocketSharp.Net
          var cert = new X509Certificate2 (cer);
          cert.PrivateKey = createRSAFromFile (key);

-          return cert;
+          return new ServerSslAuthConfiguration(cert);
        }
      }
      catch {
--- a/websocket-sharp/Net/EndPointManager.cs
+++ b/websocket-sharp/Net/EndPointManager.cs
@@ -107,7 +107,7 @@ namespace WebSocketSharp.Net
          port,
          secure,
          httpListener.CertificateFolderPath,
-          httpListener.DefaultCertificate,
+          httpListener.DefaultSslAuthenticationConfig,
          httpListener.ReuseAddress);

        eps[port] = epl;
--- a/websocket-sharp/Net/HttpConnection.cs
+++ b/websocket-sharp/Net/HttpConnection.cs
@@ -87,7 +87,10 @@ namespace WebSocketSharp.Net
      var netStream = new NetworkStream (socket, false);
      if (_secure) {
        var sslStream = new SslStream (netStream, false);
-        sslStream.AuthenticateAsServer (listener.Certificate);
+        var certificateConfig = listener.CertificateConfig;
+        sslStream.AuthenticateAsServer(certificateConfig.ServerCertificate,
+            certificateConfig.ClientCertificateRequired, certificateConfig.EnabledSslProtocols,
+            certificateConfig.CheckCertificateRevocation);
        _stream = sslStream;
      }
      else {
--- a/websocket-sharp/Net/HttpListener.cs
+++ b/websocket-sharp/Net/HttpListener.cs
@@ -64,7 +64,7 @@ namespace WebSocketSharp.Net
    private Dictionary<HttpListenerContext, HttpListenerContext> _ctxRegistry;
    private object                                               _ctxRegistrySync;
    private Func<IIdentity, NetworkCredential>                   _credFinder;
-    private X509Certificate2                                     _defaultCert;
+    private ServerSslAuthConfiguration                           _defaultSslAuthenticationConfig;
    private bool                                                 _disposed;
    private bool                                                 _ignoreWriteExceptions;
    private bool                                                 _listening;
@@ -213,26 +213,27 @@ namespace WebSocketSharp.Net
    }

    /// <summary>
-    /// Gets or sets the default certificate used to authenticate the server on the secure
+    /// Gets or sets the default Ssl configuration used to authenticate the server on the secure
    /// connection.
    /// </summary>
    /// <value>
-    /// A <see cref="X509Certificate2"/> used to authenticate the server if the certificate
+    /// A <see cref="ServerSslAuthConfiguration"/> used to authenticate the server if the certificate
    /// files aren't found in the <see cref="CertificateFolderPath"/>. The default value is
    /// <see langword="null"/>.
    /// </value>
    /// <exception cref="ObjectDisposedException">
    /// This listener has been closed.
    /// </exception>
-    public X509Certificate2 DefaultCertificate {
+    public ServerSslAuthConfiguration DefaultSslAuthenticationConfig
+    {
      get {
        CheckDisposed ();
-        return _defaultCert;
+        return _defaultSslAuthenticationConfig;
      }

      set {
        CheckDisposed ();
-        _defaultCert = value;
+        _defaultSslAuthenticationConfig = value;
      }
    }

--- a/websocket-sharp/Net/ServerSslAuthConfiguration.cs
+++ b/websocket-sharp/Net/ServerSslAuthConfiguration.cs
@@ -0,0 +1,117 @@
+#region License
+/*
+ * ServerSslAuthConfiguration.cs
+ *
+ * The MIT License
+ *
+ * Copyright (c) 2014 liryna
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+#endregion
+
+#region Authors
+/*
+ * Authors:
+ * - Liryna liryna.stark@gmail.com
+ */
+#endregion
+
+using System.Security.Authentication;
+using System.Security.Cryptography.X509Certificates;
+
+namespace WebSocketSharp.Net
+{
+    /// <summary>
+    /// Stores the parameters used in configuring <see cref="System.Net.Security.SslStream"/>
+    /// as a server.
+    /// </summary>
+    public class ServerSslAuthConfiguration
+    {
+        /// <summary>
+        /// Gets or sets the certificate used to authenticate the server on the secure connection.
+        /// </summary>
+        /// <value>
+        /// A <see cref="X509Certificate2"/> that represents the certificate used to authenticate
+        /// the server.
+        /// </value>
+        public X509Certificate2 ServerCertificate { get; set; }
+
+        /// <summary>
+        /// Gets or sets the client certificate request option.
+        /// </summary>
+        /// <value>
+        /// A Boolean value that specifies whether the client must supply a certificate for authentication.
+        /// </value>
+        public bool ClientCertificateRequired { get; set; }
+
+        /// <summary>
+        /// Gets or sets the Ssl protocols type enabled.
+        /// </summary>
+        /// <value>
+        /// The <see cref="SslProtocols"/> value that represents the protocol used for authentication.
+        /// </value>
+        public SslProtocols EnabledSslProtocols { get; set; }
+
+        /// <summary>
+        /// Gets or sets the verification of certificate revocation option.
+        /// </summary>
+        /// <value>
+        /// A Boolean value that specifies whether the certificate revocation list is checked during authentication.
+        /// </value>
+        public bool CheckCertificateRevocation { get; set; }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ServerSslAuthConfiguration"/> class.
+        /// </summary>
+        public ServerSslAuthConfiguration(X509Certificate2 serverCertificate)
+            : this(serverCertificate, false, SslProtocols.Default, false)
+        {
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ServerSslAuthConfiguration"/> class.
+        /// </summary>
+        public ServerSslAuthConfiguration(X509Certificate2 serverCertificate, bool clientCertificateRequired)
+            : this(serverCertificate, clientCertificateRequired, SslProtocols.Default, false)
+        {
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ServerSslAuthConfiguration"/> class.
+        /// </summary>
+        public ServerSslAuthConfiguration(X509Certificate2 serverCertificate, bool clientCertificateRequired,
+            SslProtocols enabledSslProtocols)
+            : this(serverCertificate, clientCertificateRequired, enabledSslProtocols, false)
+        {
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ServerSslAuthConfiguration"/> class.
+        /// </summary>
+        public ServerSslAuthConfiguration(X509Certificate2 serverCertificate, bool clientCertificateRequired,
+            SslProtocols enabledSslProtocols, bool checkCertificateRevocation)
+        {
+            this.ServerCertificate = serverCertificate;
+            this.ClientCertificateRequired = clientCertificateRequired;
+            this.EnabledSslProtocols = enabledSslProtocols;
+            this.CheckCertificateRevocation = checkCertificateRevocation;
+        }
+    }
+}
--- a/websocket-sharp/Net/WebSockets/TcpListenerWebSocketContext.cs
+++ b/websocket-sharp/Net/WebSockets/TcpListenerWebSocketContext.cs
@@ -61,7 +61,7 @@ namespace WebSocketSharp.Net.WebSockets
    #region Internal Constructors

    internal TcpListenerWebSocketContext (
-      TcpClient tcpClient, string protocol, bool secure, X509Certificate certificate, Logger logger)
+      TcpClient tcpClient, string protocol, bool secure, ServerSslAuthConfiguration certificateConfig, Logger logger)
    {
      _tcpClient = tcpClient;
      _secure = secure;
@@ -69,7 +69,9 @@ namespace WebSocketSharp.Net.WebSockets
      var netStream = tcpClient.GetStream ();
      if (secure) {
        var sslStream = new SslStream (netStream, false);
-        sslStream.AuthenticateAsServer (certificate);
+        sslStream.AuthenticateAsServer(certificateConfig.ServerCertificate,
+            certificateConfig.ClientCertificateRequired, certificateConfig.EnabledSslProtocols,
+            certificateConfig.CheckCertificateRevocation);
        _stream = sslStream;
      }
      else {