Merge pull request #85 from Liryna/master

Add SslStream Configuration for Client & Server

websocket-sharp/Ext.cs

@@ -554,10 +554,10 @@ namespace WebSocketSharp
       this TcpClient tcpClient,
       string protocol,
       bool secure,
-      X509Certificate certificate,
+      ServerSslAuthConfiguration certificateConfig,
       Logger logger)
     {
-      return new TcpListenerWebSocketContext (tcpClient, protocol, secure, certificate, logger);
+      return new TcpListenerWebSocketContext (tcpClient, protocol, secure, certificateConfig, logger);
     }
 
     internal static byte[] InternalToByteArray (this ushort value, ByteOrder order)

websocket-sharp/Net/ClientSslAuthConfiguration.cs

@@ -0,0 +1,100 @@
+#region License
+/*
+ * ClientSslAuthConfiguration.cs
+ *
+ * The MIT License
+ *
+ * Copyright (c) 2014 liryna
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+#endregion
+
+#region Authors
+/*
+ * Authors:
+ * - Liryna liryna.stark@gmail.com
+ */
+#endregion
+
+using System.Security.Authentication;
+using System.Security.Cryptography.X509Certificates;
+
+namespace WebSocketSharp.Net
+{
+    /// <summary>
+    /// Stores the parameters used in configuring <see cref="System.Net.Security.SslStream"/>
+    /// as a client.
+    /// </summary>
+    public class ClientSslAuthConfiguration
+    {
+        /// <summary>
+        /// Gets or sets the certificate configuration used to authenticate the clients on the secure connection.
+        /// </summary>
+        /// <value>
+        /// A <see cref="X509CertificateCollection"/> that represents the certificate collection used to authenticate
+        /// the clients.
+        /// </value>
+        public X509CertificateCollection clientCertificates { get; set; }
+
+        /// <summary>
+        /// Gets or sets the Ssl protocols type enabled.
+        /// </summary>
+        /// <value>
+        /// The <see cref="SslProtocols"/> value that represents the protocol used for authentication.
+        /// </value>
+        public SslProtocols EnabledSslProtocols { get; set; }
+
+        /// <summary>
+        /// Gets or sets the verification of certificate revocation option.
+        /// </summary>
+        /// <value>
+        /// A Boolean value that specifies whether the certificate revocation list is checked during authentication.
+        /// </value>
+        public bool CheckCertificateRevocation { get; set; }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ClientSslAuthConfiguration"/> class.
+        /// </summary>
+        public ClientSslAuthConfiguration(X509CertificateCollection clientCertificates)
+            : this(clientCertificates, SslProtocols.Default, false)
+        {
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ClientSslAuthConfiguration"/> class.
+        /// </summary>
+        public ClientSslAuthConfiguration(X509CertificateCollection clientCertificates,
+          SslProtocols enabledSslProtocols)
+            : this(clientCertificates, enabledSslProtocols, false)
+        {
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ClientSslAuthConfiguration"/> class.
+        /// </summary>
+        public ClientSslAuthConfiguration(X509CertificateCollection clientCertificates,
+            SslProtocols enabledSslProtocols, bool checkCertificateRevocation)
+        {
+            this.clientCertificates = clientCertificates;
+            this.EnabledSslProtocols = enabledSslProtocols;
+            this.CheckCertificateRevocation = checkCertificateRevocation;
+        }
+    }
+}

websocket-sharp/Net/EndPointListener.cs

@@ -54,7 +54,7 @@ namespace WebSocketSharp.Net
     #region Private Fields
 
     private List<HttpListenerPrefix>                     _all; // host == '+'
-    private X509Certificate2                             _cert;
+    private ServerSslAuthConfiguration                   _sslAuthenticationConfig;
     private static readonly string                       _defaultCertFolderPath;
     private IPEndPoint                                   _endpoint;
     private Dictionary<HttpListenerPrefix, HttpListener> _prefixes;
@@ -83,13 +83,13 @@ namespace WebSocketSharp.Net
       int port,
       bool secure,
       string certificateFolderPath,
-      X509Certificate2 defaultCertificate,
+      ServerSslAuthConfiguration defaultCertificate,
       bool reuseAddress)
     {
       if (secure) {
         _secure = secure;
-        _cert = getCertificate (port, certificateFolderPath, defaultCertificate);
+        _sslAuthenticationConfig = getCertificate(port, certificateFolderPath, defaultCertificate);
-        if (_cert == null)
+        if (_sslAuthenticationConfig == null)
           throw new ArgumentException ("No server certificate could be found.");
       }
 
@@ -116,9 +116,10 @@ namespace WebSocketSharp.Net
 
     #region Public Properties
 
-    public X509Certificate2 Certificate {
+    public ServerSslAuthConfiguration CertificateConfig
+    {
       get {
-        return _cert;
+          return _sslAuthenticationConfig;
       }
     }
 
@@ -173,8 +174,8 @@ namespace WebSocketSharp.Net
       return rsa;
     }
 
-    private static X509Certificate2 getCertificate (
+    private static ServerSslAuthConfiguration getCertificate(
-      int port, string certificateFolderPath, X509Certificate2 defaultCertificate)
+      int port, string certificateFolderPath, ServerSslAuthConfiguration defaultCertificate)
     {
       if (certificateFolderPath == null || certificateFolderPath.Length == 0)
         certificateFolderPath = _defaultCertFolderPath;
@@ -186,7 +187,7 @@ namespace WebSocketSharp.Net
           var cert = new X509Certificate2 (cer);
           cert.PrivateKey = createRSAFromFile (key);
 
-          return cert;
+          return new ServerSslAuthConfiguration(cert);
         }
       }
       catch {

websocket-sharp/Net/EndPointManager.cs

@@ -107,7 +107,7 @@ namespace WebSocketSharp.Net
           port,
           secure,
           httpListener.CertificateFolderPath,
-          httpListener.DefaultCertificate,
+          httpListener.DefaultSslAuthenticationConfig,
           httpListener.ReuseAddress);
 
         eps[port] = epl;

websocket-sharp/Net/HttpConnection.cs

@@ -87,7 +87,10 @@ namespace WebSocketSharp.Net
       var netStream = new NetworkStream (socket, false);
       if (_secure) {
         var sslStream = new SslStream (netStream, false);
-        sslStream.AuthenticateAsServer (listener.Certificate);
+        var certificateConfig = listener.CertificateConfig;
+        sslStream.AuthenticateAsServer(certificateConfig.ServerCertificate,
+            certificateConfig.ClientCertificateRequired, certificateConfig.EnabledSslProtocols,
+            certificateConfig.CheckCertificateRevocation);
         _stream = sslStream;
       }
       else {

websocket-sharp/Net/HttpListener.cs

@@ -64,7 +64,7 @@ namespace WebSocketSharp.Net
     private Dictionary<HttpListenerContext, HttpListenerContext> _ctxRegistry;
     private object                                               _ctxRegistrySync;
     private Func<IIdentity, NetworkCredential>                   _credFinder;
-    private X509Certificate2                                     _defaultCert;
+    private ServerSslAuthConfiguration                           _defaultSslAuthenticationConfig;
     private bool                                                 _disposed;
     private bool                                                 _ignoreWriteExceptions;
     private bool                                                 _listening;
@@ -213,26 +213,27 @@ namespace WebSocketSharp.Net
     }
 
     /// <summary>
-    /// Gets or sets the default certificate used to authenticate the server on the secure
+    /// Gets or sets the default Ssl configuration used to authenticate the server on the secure
     /// connection.
     /// </summary>
     /// <value>
-    /// A <see cref="X509Certificate2"/> used to authenticate the server if the certificate
+    /// A <see cref="ServerSslAuthConfiguration"/> used to authenticate the server if the certificate
     /// files aren't found in the <see cref="CertificateFolderPath"/>. The default value is
     /// <see langword="null"/>.
     /// </value>
     /// <exception cref="ObjectDisposedException">
     /// This listener has been closed.
     /// </exception>
-    public X509Certificate2 DefaultCertificate {
+    public ServerSslAuthConfiguration DefaultSslAuthenticationConfig
+    {
       get {
         CheckDisposed ();
-        return _defaultCert;
+        return _defaultSslAuthenticationConfig;
       }
 
       set {
         CheckDisposed ();
-        _defaultCert = value;
+        _defaultSslAuthenticationConfig = value;
       }
     }
 

websocket-sharp/Net/ServerSslAuthConfiguration.cs

@@ -0,0 +1,117 @@
+#region License
+/*
+ * ServerSslAuthConfiguration.cs
+ *
+ * The MIT License
+ *
+ * Copyright (c) 2014 liryna
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+#endregion
+
+#region Authors
+/*
+ * Authors:
+ * - Liryna liryna.stark@gmail.com
+ */
+#endregion
+
+using System.Security.Authentication;
+using System.Security.Cryptography.X509Certificates;
+
+namespace WebSocketSharp.Net
+{
+    /// <summary>
+    /// Stores the parameters used in configuring <see cref="System.Net.Security.SslStream"/>
+    /// as a server.
+    /// </summary>
+    public class ServerSslAuthConfiguration
+    {
+        /// <summary>
+        /// Gets or sets the certificate used to authenticate the server on the secure connection.
+        /// </summary>
+        /// <value>
+        /// A <see cref="X509Certificate2"/> that represents the certificate used to authenticate
+        /// the server.
+        /// </value>
+        public X509Certificate2 ServerCertificate { get; set; }
+
+        /// <summary>
+        /// Gets or sets the client certificate request option.
+        /// </summary>
+        /// <value>
+        /// A Boolean value that specifies whether the client must supply a certificate for authentication.
+        /// </value>
+        public bool ClientCertificateRequired { get; set; }
+
+        /// <summary>
+        /// Gets or sets the Ssl protocols type enabled.
+        /// </summary>
+        /// <value>
+        /// The <see cref="SslProtocols"/> value that represents the protocol used for authentication.
+        /// </value>
+        public SslProtocols EnabledSslProtocols { get; set; }
+
+        /// <summary>
+        /// Gets or sets the verification of certificate revocation option.
+        /// </summary>
+        /// <value>
+        /// A Boolean value that specifies whether the certificate revocation list is checked during authentication.
+        /// </value>
+        public bool CheckCertificateRevocation { get; set; }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ServerSslAuthConfiguration"/> class.
+        /// </summary>
+        public ServerSslAuthConfiguration(X509Certificate2 serverCertificate)
+            : this(serverCertificate, false, SslProtocols.Default, false)
+        {
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ServerSslAuthConfiguration"/> class.
+        /// </summary>
+        public ServerSslAuthConfiguration(X509Certificate2 serverCertificate, bool clientCertificateRequired)
+            : this(serverCertificate, clientCertificateRequired, SslProtocols.Default, false)
+        {
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ServerSslAuthConfiguration"/> class.
+        /// </summary>
+        public ServerSslAuthConfiguration(X509Certificate2 serverCertificate, bool clientCertificateRequired,
+            SslProtocols enabledSslProtocols)
+            : this(serverCertificate, clientCertificateRequired, enabledSslProtocols, false)
+        {
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ServerSslAuthConfiguration"/> class.
+        /// </summary>
+        public ServerSslAuthConfiguration(X509Certificate2 serverCertificate, bool clientCertificateRequired,
+            SslProtocols enabledSslProtocols, bool checkCertificateRevocation)
+        {
+            this.ServerCertificate = serverCertificate;
+            this.ClientCertificateRequired = clientCertificateRequired;
+            this.EnabledSslProtocols = enabledSslProtocols;
+            this.CheckCertificateRevocation = checkCertificateRevocation;
+        }
+    }
+}

websocket-sharp/Net/WebSockets/TcpListenerWebSocketContext.cs

@@ -61,7 +61,7 @@ namespace WebSocketSharp.Net.WebSockets
     #region Internal Constructors
 
     internal TcpListenerWebSocketContext (
-      TcpClient tcpClient, string protocol, bool secure, X509Certificate certificate, Logger logger)
+      TcpClient tcpClient, string protocol, bool secure, ServerSslAuthConfiguration certificateConfig, Logger logger)
     {
       _tcpClient = tcpClient;
       _secure = secure;
@@ -69,7 +69,9 @@ namespace WebSocketSharp.Net.WebSockets
       var netStream = tcpClient.GetStream ();
       if (secure) {
         var sslStream = new SslStream (netStream, false);
-        sslStream.AuthenticateAsServer (certificate);
+        sslStream.AuthenticateAsServer(certificateConfig.ServerCertificate,
+            certificateConfig.ClientCertificateRequired, certificateConfig.EnabledSslProtocols,
+            certificateConfig.CheckCertificateRevocation);
         _stream = sslStream;
       }
       else {

websocket-sharp/Server/HttpServer.cs

@@ -181,15 +181,16 @@ namespace WebSocketSharp.Server
     }
 
     /// <summary>
-    /// Gets or sets the certificate used to authenticate the server on the secure connection.
+    /// Gets or sets the Ssl configuration used to authenticate the server on the secure connection.
     /// </summary>
     /// <value>
-    /// A <see cref="X509Certificate2"/> that represents the certificate used to authenticate
+    /// A <see cref="ServerSslAuthConfiguration"/> that represents the Ssl configuration used to authenticate
     /// the server.
     /// </value>
-    public X509Certificate2 Certificate {
+    public ServerSslAuthConfiguration CertificateConfig
+    {
       get {
-        return _listener.DefaultCertificate;
+        return _listener.DefaultSslAuthenticationConfig;
       }
 
       set {
@@ -202,7 +203,7 @@ namespace WebSocketSharp.Server
         if (EndPointListener.CertificateExists (_port, _listener.CertificateFolderPath))
           _logger.Warn ("The server certificate associated with the port number already exists.");
 
-        _listener.DefaultCertificate = value;
+        _listener.DefaultSslAuthenticationConfig = value;
       }
     }
 
@@ -508,7 +509,7 @@ namespace WebSocketSharp.Server
     {
       return _secure &&
              !EndPointListener.CertificateExists (_port, _listener.CertificateFolderPath) &&
-             _listener.DefaultCertificate == null
+             _listener.DefaultSslAuthenticationConfig == null
              ? "The secure connection requires a server certificate."
              : null;
     }

websocket-sharp/Server/WebSocketServer.cs

@@ -60,7 +60,7 @@ namespace WebSocketSharp.Server
 
     private System.Net.IPAddress               _address;
     private AuthenticationSchemes              _authSchemes;
-    private X509Certificate2                   _certificate;
+    private ServerSslAuthConfiguration         _certificateConfig;
     private Func<IIdentity, NetworkCredential> _credentialsFinder;
     private TcpListener                        _listener;
     private Logger                             _logger;
@@ -312,15 +312,16 @@ namespace WebSocketSharp.Server
     }
 
     /// <summary>
-    /// Gets or sets the certificate used to authenticate the server on the secure connection.
+    /// Gets or sets the certificate configuration used to authenticate the server on the secure connection.
     /// </summary>
     /// <value>
-    /// A <see cref="X509Certificate2"/> that represents the certificate used to authenticate
+    /// A <see cref="ServerSslAuthConfiguration"/> that represents the certificate configuration used to authenticate
     /// the server.
     /// </value>
-    public X509Certificate2 Certificate {
+    public ServerSslAuthConfiguration SslAuthenticationConfig
+    {
       get {
-        return _certificate;
+        return _certificateConfig;
       }
 
       set {
@@ -330,7 +331,7 @@ namespace WebSocketSharp.Server
           return;
         }
 
-        _certificate = value;
+        _certificateConfig = value;
       }
     }
 
@@ -587,7 +588,8 @@ namespace WebSocketSharp.Server
 
     private string checkIfCertificateExists ()
     {
-      return _secure && _certificate == null
+      return _secure && (_certificateConfig == null
+          || _certificateConfig != null && _certificateConfig.ServerCertificate == null)
              ? "The secure connection requires a server certificate."
              : null;
     }
@@ -638,7 +640,7 @@ namespace WebSocketSharp.Server
           ThreadPool.QueueUserWorkItem (
             state => {
               try {
-                var ctx = cl.GetWebSocketContext (null, _secure, _certificate, _logger);
+                var ctx = cl.GetWebSocketContext (null, _secure, _certificateConfig, _logger);
                 if (_authSchemes != AuthenticationSchemes.Anonymous &&
                     !authenticateRequest (_authSchemes, ctx))
                   return;

websocket-sharp/WebSocket.cs

@@ -71,6 +71,8 @@ namespace WebSocketSharp
     private string                  _base64Key;
     private LocalCertificateSelectionCallback
                                     _certSelectionCallback;
+    private ClientSslAuthConfiguration
+                                    _certificateConfig;
     private RemoteCertificateValidationCallback
                                     _certValidationCallback;
     private bool                    _client;
@@ -461,6 +463,40 @@ namespace WebSocketSharp
       }
     }
 
+    /// <summary>
+    /// Gets or sets the certificate configuration used to authenticate the client on the secure connection.
+    /// </summary>
+    /// <value>
+    /// A <see cref="ClientSslAuthConfiguration"/> that represents the certificate configuration used to authenticate
+    /// the client.
+    /// </value>
+    public ClientSslAuthConfiguration SslAuthenticationConfig
+    {
+        get
+        {
+            return _certificateConfig;
+        }
+
+        set
+        {
+            lock (_forConn)
+            {
+                var msg = checkIfAvailable(false, false);
+                if (msg != null)
+                {
+                    _logger.Error(msg);
+                    error(
+                      "An error has occurred in setting the server certificate configuration.",
+                      null);
+
+                    return;
+                }
+
+                _certificateConfig = value;
+            }
+        }
+    }
+
     /// <summary>
     /// Gets or sets the callback used to validate the certificate supplied by the server.
     /// </summary>
@@ -1343,7 +1379,13 @@ namespace WebSocketSharp
             ((sender, targetHost, localCertificates, remoteCertificate, acceptableIssuers) =>
               null));
 
+        if (_certificateConfig == null)
             sslStream.AuthenticateAsClient(_uri.DnsSafeHost);
+        else
+        {
+            sslStream.AuthenticateAsClient(_uri.DnsSafeHost, _certificateConfig.clientCertificates,
+                _certificateConfig.EnabledSslProtocols, _certificateConfig.CheckCertificateRevocation);
+        }
         _stream = sslStream;
       }
     }

websocket-sharp/websocket-sharp.csproj

@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project DefaultTargets="Build" ToolsVersion="3.5" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <PropertyGroup>
     <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
@@ -67,6 +67,8 @@
     <Compile Include="CloseEventArgs.cs" />
     <Compile Include="ByteOrder.cs" />
     <Compile Include="ErrorEventArgs.cs" />
+    <Compile Include="Net\ClientSslAuthConfiguration.cs" />
+    <Compile Include="Net\ServerSslAuthConfiguration.cs" />
     <Compile Include="WebSocket.cs" />
     <Compile Include="Server\WebSocketServer.cs" />
     <Compile Include="Net\AuthenticationSchemes.cs" />