From e3e8fafaa65ea4da5c03f7c54ec360f873193401 Mon Sep 17 00:00:00 2001
From: sta
Date: Thu, 6 Nov 2014 11:16:15 +0900
Subject: [PATCH] Fix for issue #86, added ClientCertificateValidationCallback property to ServerSslAuthConfiguration class, and refactored

---
 websocket-sharp/Ext.cs | 5 +-
 websocket-sharp/Net/HttpConnection.cs | 12 +-
 websocket-sharp/Net/HttpListener.cs | 8 +-
 .../Net/ServerSslAuthConfiguration.cs | 129 ++++++++++--------
 .../WebSockets/TcpListenerWebSocketContext.cs | 14 +-
 websocket-sharp/Server/HttpServer.cs | 8 +-
 websocket-sharp/Server/WebSocketServer.cs | 8 +-
 7 files changed, 103 insertions(+), 81 deletions(-)

diff --git a/websocket-sharp/Ext.cs b/websocket-sharp/Ext.cs
index 930f7e1a..abeabcc5 100644
--- a/websocket-sharp/Ext.cs
+++ b/websocket-sharp/Ext.cs
@@ -561,11 +561,10 @@ namespace WebSocketSharp
 this TcpClient tcpClient,
 string protocol,
 bool secure,
- ServerSslAuthConfiguration sslConfiguration,
+ ServerSslAuthConfiguration sslConfig,
 Logger logger)
 {
- return new TcpListenerWebSocketContext (
- tcpClient, protocol, secure, sslConfiguration, logger);
+ return new TcpListenerWebSocketContext (tcpClient, protocol, secure, sslConfig, logger);
 }
 
 internal static byte[] InternalToByteArray (this ushort value, ByteOrder order)
diff --git a/websocket-sharp/Net/HttpConnection.cs b/websocket-sharp/Net/HttpConnection.cs
index 38f95207..4a2ae384 100644
--- a/websocket-sharp/Net/HttpConnection.cs
+++ b/websocket-sharp/Net/HttpConnection.cs
@@ -93,13 +93,13 @@ namespace WebSocketSharp.Net var netStream = new NetworkStream (socket, false); if (_secure) { - var sslStream = new SslStream (netStream, false); - var sslConfig = listener.SslConfiguration; + var conf = listener.SslConfiguration; + var sslStream = new SslStream (netStream, false, conf.ClientCertificateValidationCallback); sslStream.AuthenticateAsServer ( - sslConfig.ServerCertificate, - sslConfig.ClientCertificateRequired, - sslConfig.EnabledSslProtocols, - sslConfig.CheckCertificateRevocation); + conf.ServerCertificate, + conf.ClientCertificateRequired, + conf.EnabledSslProtocols, + conf.CheckCertificateRevocation); _stream = sslStream; } diff --git a/websocket-sharp/Net/HttpListener.cs b/websocket-sharp/Net/HttpListener.cs index c3659b8e..4a2aa6de 100644 --- a/websocket-sharp/Net/HttpListener.cs +++ b/websocket-sharp/Net/HttpListener.cs @@ -307,12 +307,12 @@ namespace WebSocketSharp.Net } /// - /// Gets or sets the SSL configuration used to authenticate the server and optionally the client - /// for secure connection. + /// Gets or sets the SSL configuration used to authenticate the server and + /// optionally the client for secure connection. /// /// - /// A that represents the configuration used to - /// authenticate the server and optionally the client for secure connection. + /// A that represents the configuration + /// used to authenticate the server and optionally the client for secure connection. /// /// /// This listener has been closed. diff --git a/websocket-sharp/Net/ServerSslAuthConfiguration.cs b/websocket-sharp/Net/ServerSslAuthConfiguration.cs index 02cfd6d4..2e655090 100644 --- a/websocket-sharp/Net/ServerSslAuthConfiguration.cs +++ b/websocket-sharp/Net/ServerSslAuthConfiguration.cs 
@@ -34,17 +34,27 @@ */ #endregion +using System.Net.Security; using System.Security.Authentication; using System.Security.Cryptography.X509Certificates; namespace WebSocketSharp.Net { /// - /// Stores the parameters used in configuring - /// as a server. + /// Stores the parameters used to configure a instance as a server. /// public class ServerSslAuthConfiguration { + #region Private Fields + + private X509Certificate2 _cert; + private bool _checkCertRevocation; + private bool _clientCertRequired; + private RemoteCertificateValidationCallback _clientCertValidationCallback; + private SslProtocols _enabledProtocols; + + #endregion + #region Public Constructors /// @@ -60,50 +70,6 @@ namespace WebSocketSharp.Net { } - /// - /// Initializes a new instance of the class with - /// the specified and - /// . - /// - /// - /// A that represents the certificate used to authenticate - /// the server. - /// - /// - /// true if the client must supply a certificate for authentication; - /// otherwise, false. - /// - public ServerSslAuthConfiguration ( - X509Certificate2 serverCertificate, bool clientCertificateRequired) - : this (serverCertificate, clientCertificateRequired, SslProtocols.Default, false) - { - } - - /// - /// Initializes a new instance of the class with - /// the specified , - /// , and . - /// - /// - /// A that represents the certificate used to authenticate - /// the server. - /// - /// - /// true if the client must supply a certificate for authentication; - /// otherwise, false. - /// - /// - /// The enum value that represents the protocols used for - /// authentication. - /// - public ServerSslAuthConfiguration ( - X509Certificate2 serverCertificate, - bool clientCertificateRequired, - SslProtocols enabledSslProtocols) - : this (serverCertificate, clientCertificateRequired, enabledSslProtocols, false) - { - } - /// /// Initializes a new instance of the class with /// the specified , 
@@ -132,10 +98,10 @@ namespace WebSocketSharp.Net SslProtocols enabledSslProtocols, bool checkCertificateRevocation) { - ServerCertificate = serverCertificate; - ClientCertificateRequired = clientCertificateRequired; - EnabledSslProtocols = enabledSslProtocols; - CheckCertificateRevocation = checkCertificateRevocation; + _cert = serverCertificate; + _clientCertRequired = clientCertificateRequired; + _enabledProtocols = enabledSslProtocols; + _checkCertRevocation = checkCertificateRevocation; } #endregion @@ -149,7 +115,15 @@ namespace WebSocketSharp.Net /// /// true if the certificate revocation list is checked; otherwise, false. /// - public bool CheckCertificateRevocation { get; set; } + public bool CheckCertificateRevocation { + get { + return _checkCertRevocation; + } + + set { + _checkCertRevocation = value; + } + } /// /// Gets or sets a value indicating whether the client must supply a certificate for @@ -158,7 +132,38 @@ namespace WebSocketSharp.Net /// /// true if the client must supply a certificate; otherwise, false. /// - public bool ClientCertificateRequired { get; set; } + public bool ClientCertificateRequired { + get { + return _clientCertRequired; + } + + set { + _clientCertRequired = value; + } + } + + /// + /// Gets or sets the callback used to validate the certificate supplied by the client. + /// + /// + /// If this callback returns true, the client certificate will be valid. + /// + /// + /// A delegate that references the method + /// used to validate the client certificate. The default value is a function that only returns + /// true. + /// + public RemoteCertificateValidationCallback ClientCertificateValidationCallback { + get { + return _clientCertValidationCallback ?? + (_clientCertValidationCallback = + (sender, certificate, chain, sslPolicyErrors) => true); + } + + set { + _clientCertValidationCallback = value; + } + } /// /// Gets or sets the SSL protocols used for authentication. 
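Review bot: The getter of `ClientCertificateValidationCallback` in the `@@ -158,7 +132,38 @@` hunk synthesizes `(sender, certificate, chain, sslPolicyErrors) => true`, which accepts any client certificate regardless of chain, name or revocation errors and, when `ClientCertificateRequired` is true, reduces client authentication to a presence check. Before this commit the `SslStream (netStream, false)` constructor in `HttpConnection.cs` and `TcpListenerWebSocketContext.cs` left that decision to SslStream's built-in validation, so passing the new default through the two constructors (hunks `@@ -93,13 +93,13 @@` and `@@ -79,12 +79,14 @@`) appears to weaken the previous behaviour rather than preserve it. The smallest fix is to leave the field null by default and have the getter return it unchanged, `return _clientCertValidationCallback;`, since SslStream treats a null callback as "use default validation"; the `<value>` remarks should then state that the default is null and that a callback which unconditionally returns true disables client certificate verification. The lazy assignment inside the getter also mutates state on read, which the same change removes.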
@@ -167,7 +172,15 @@ namespace WebSocketSharp.Net /// The enum value that represents the protocols used for /// authentication. /// - public SslProtocols EnabledSslProtocols { get; set; } + public SslProtocols EnabledSslProtocols { + get { + return _enabledProtocols; + } + + set { + _enabledProtocols = value; + } + } /// /// Gets or sets the certificate used to authenticate the server on the secure connection. @@ -176,7 +189,15 @@ namespace WebSocketSharp.Net /// A that represents the certificate used to authenticate /// the server. /// - public X509Certificate2 ServerCertificate { get; set; } + public X509Certificate2 ServerCertificate { + get { + return _cert; + } + + set { + _cert = value; + } + } #endregion } diff --git a/websocket-sharp/Net/WebSockets/TcpListenerWebSocketContext.cs b/websocket-sharp/Net/WebSockets/TcpListenerWebSocketContext.cs index 2a504451..b6192aa2 100644 --- a/websocket-sharp/Net/WebSockets/TcpListenerWebSocketContext.cs +++ b/websocket-sharp/Net/WebSockets/TcpListenerWebSocketContext.cs @@ -71,7 +71,7 @@ namespace WebSocketSharp.Net.WebSockets TcpClient tcpClient, string protocol, bool secure, - ServerSslAuthConfiguration sslConfiguration, + ServerSslAuthConfiguration sslConfig, Logger logger) { _tcpClient = tcpClient; @@ -79,12 +79,14 @@ namespace WebSocketSharp.Net.WebSockets var netStream = tcpClient.GetStream (); if (secure) { - var sslStream = new SslStream (netStream, false); + var sslStream = new SslStream ( + netStream, false, sslConfig.ClientCertificateValidationCallback); + sslStream.AuthenticateAsServer ( - sslConfiguration.ServerCertificate, - sslConfiguration.ClientCertificateRequired, - sslConfiguration.EnabledSslProtocols, - sslConfiguration.CheckCertificateRevocation); + sslConfig.ServerCertificate, + sslConfig.ClientCertificateRequired, + sslConfig.EnabledSslProtocols, + sslConfig.CheckCertificateRevocation); _stream = sslStream; } 
diff --git a/websocket-sharp/Server/HttpServer.cs b/websocket-sharp/Server/HttpServer.cs
index 0d2e24e5..bcef5850 100644
--- a/websocket-sharp/Server/HttpServer.cs
+++ b/websocket-sharp/Server/HttpServer.cs
@@ -335,12 +335,12 @@ namespace WebSocketSharp.Server
 }
 
 ///
- /// Gets or sets the SSL configuration used to authenticate the server and optionally the client
- /// for secure connection.
+ /// Gets or sets the SSL configuration used to authenticate the server and
+ /// optionally the client for secure connection.
 ///
 ///
- /// A that represents the configuration used to
- /// authenticate the server and optionally the client for secure connection.
+ /// A that represents the configuration
+ /// used to authenticate the server and optionally the client for secure connection.
 ///
 public ServerSslAuthConfiguration SslConfiguration {
 get {
diff --git a/websocket-sharp/Server/WebSocketServer.cs b/websocket-sharp/Server/WebSocketServer.cs
index 5e1c7c31..d436d91f 100644
--- a/websocket-sharp/Server/WebSocketServer.cs
+++ b/websocket-sharp/Server/WebSocketServer.cs
@@ -441,12 +441,12 @@ namespace WebSocketSharp.Server
 }
 
 ///
- /// Gets or sets the SSL configuration used to authenticate the server and optionally the client
- /// for secure connection.
+ /// Gets or sets the SSL configuration used to authenticate the server and
+ /// optionally the client for secure connection.
 ///
 ///
- /// A that represents the configuration used to
- /// authenticate the server and optionally the client for secure connection.
+ /// A that represents the configuration
+ /// used to authenticate the server and optionally the client for secure connection.
 ///
 public ServerSslAuthConfiguration SslConfiguration {
 get {