Using custom SSL client certificates System.Net.HttpClient on Mono

Question

I'm using Microsoft HTTP Client Libraries from NuGet and I'm basically trying to allow TLS authentication in HttpClient using X509Certificate2 certificates.

I have tried creating the client like this:

WebRequestHandler certHandler = new WebRequestHandler () {
    ClientCertificateOptions = ClientCertificateOption.Manual,
    UseDefaultCredentials = false
};
certHandler.ClientCertificates.Add (this.ClientCertificate);
HttpClient client = new HttpClient (certHandler);

However certHandler.ClientCertificates is failing because this getter is not implemented in Mono, so I get a NotImplementedException from that. (I'm not sure why that's still a TODO.)

So far I'm out of luck. Any ideas how can I simply set a client certificate on HttpClient in Mono environment?

Maybe this might help... http://www.dib0.nl/code/367-using-a-client-certificate-with-an-ssl-stream-in-c — Mick, Aug 27 '14 at 00:44
It might be a todo as there are other means of accomplishing the connection which don't utilise HttpClient — Mick, Aug 27 '14 at 00:45
Although this guy seems to have got it working on Mono... http://forums.xamarin.com/discussion/2980/ssl-connection-exception-too — Mick, Aug 27 '14 at 00:48
@Mick yep that guy was using TcpClient which I can't. I need many features of HttpClient. — ahmet alp balkan, Aug 27 '14 at 01:05
@Mick yep I gotta use PCL HttpClient (and therefore `HttpRequestMessage`) I also realized HttpWebRequest.ClientCertificates exists. — ahmet alp balkan, Aug 27 '14 at 01:11
How about this... http://stackoverflow.com/questions/2603691/android-httpclient-and-https — Mick, Aug 27 '14 at 01:14
haha... oops... I'd troll around the Xamarin forums for a solution. Someone there would have definitely encountered the issue — Mick, Aug 27 '14 at 02:08
You developing this for mono ? Or Xamarin on IOS or Android? There is this... https://github.com/paulcbetts/modernhttpclient. — Mick, Aug 27 '14 at 02:13
@Mick nope I was just developing a NuGet package, a library for some REST API that authenticates with certs. People are going to use it 99% on Windows, so I better switch to Windows for development. :) — ahmet alp balkan, Aug 27 '14 at 06:45

Sébastien Nussbaumer · Answer 1 · 2014-09-05T09:14:12.600

It looks as if it's simply a matter of being able to pass the client certificate collection to the HttpWebRequest in CreateWebRequest, so since inheriting won't work, I just copy/pasted the class from mono and added the implementation.

// Copyright (c) 2013 Xamarin Inc. (http://www.xamarin.com)
//
// Permission is hereby granted, free of charge, to any person obtaining a copy
// of this software and associated documentation files (the "Software"), to deal
// in the Software without restriction, including without limitation the rights
// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
// copies of the Software, and to permit persons to whom the Software is
// furnished to do so, subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in
// all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
// THE SOFTWARE.
using System;
using System.Net.Cache;
using System.Net.Security;
using System.Security.Principal;
using System.Security.Cryptography.X509Certificates;

namespace System.Net.Http
{
    public class WebRequestHandlerWithClientcertificates : HttpClientHandler
    {
        bool allowPipelining;
        RequestCachePolicy cachePolicy;
        AuthenticationLevel authenticationLevel;
        TimeSpan continueTimeout;
        TokenImpersonationLevel impersonationLevel;
        int maxResponseHeadersLength;
        int readWriteTimeout;
        RemoteCertificateValidationCallback serverCertificateValidationCallback;
        bool unsafeAuthenticatedConnectionSharing;
        private X509CertificateCollection clientCertificates;

        public WebRequestHandler ()
        {
            allowPipelining = true;
            authenticationLevel = AuthenticationLevel.MutualAuthRequested;
            cachePolicy = System.Net.WebRequest.DefaultCachePolicy;
            continueTimeout = TimeSpan.FromMilliseconds (350);
            impersonationLevel = TokenImpersonationLevel.Delegation;
            maxResponseHeadersLength = HttpWebRequest.DefaultMaximumResponseHeadersLength;
            readWriteTimeout = 300000;
            serverCertificateValidationCallback = null;
            unsafeAuthenticatedConnectionSharing = false;
        }

        public bool AllowPipelining {
            get { return allowPipelining; }
            set {
                EnsureModifiability ();
                allowPipelining = value;
            }
        }

        public RequestCachePolicy CachePolicy {
            get { return cachePolicy; }
            set {
                EnsureModifiability ();
                cachePolicy = value;
            }
        }

        public AuthenticationLevel AuthenticationLevel {
            get { return authenticationLevel; }
            set {
                EnsureModifiability ();
                authenticationLevel = value;
            }
        }

        public X509CertificateCollection ClientCertificates {
            get {
                if (clientCertificates==null) {
                    clientCertificates = new X509CertificateCollection();
                }
                return clientCertificates;
            }
            set {
                if (value==null) {
                    throw new ArgumentNullException("value");
                }
                EnsureModifiability ();
                clientCertificates = value;
            }
        }

        [MonoTODO]
        public TimeSpan ContinueTimeout {
            get { return continueTimeout; }
            set {
                EnsureModifiability ();
                continueTimeout = value;
            }
        }

        public TokenImpersonationLevel ImpersonationLevel {
            get { return impersonationLevel; }
            set {
                EnsureModifiability ();
                impersonationLevel = value;
            }
        }

        public int MaxResponseHeadersLength {
            get { return maxResponseHeadersLength; }
            set {
                EnsureModifiability ();
                maxResponseHeadersLength = value;
            }
        }

        public int ReadWriteTimeout {
            get { return readWriteTimeout; }
            set {
                EnsureModifiability ();
                readWriteTimeout = value;
            }
        }

        [MonoTODO]
        public RemoteCertificateValidationCallback ServerCertificateValidationCallback {
            get { return serverCertificateValidationCallback; }
            set {
                EnsureModifiability ();
                serverCertificateValidationCallback = value;
            }
        }

        public bool UnsafeAuthenticatedConnectionSharing {
            get { return unsafeAuthenticatedConnectionSharing; }
            set {
                EnsureModifiability ();
                unsafeAuthenticatedConnectionSharing = value;
            }
        }

        internal override HttpWebRequest CreateWebRequest (HttpRequestMessage request)
        {
            HttpWebRequest wr = base.CreateWebRequest (request);

            wr.Pipelined = allowPipelining;
            wr.AuthenticationLevel = authenticationLevel;
            wr.CachePolicy = cachePolicy;
            wr.ImpersonationLevel = impersonationLevel;
            wr.MaximumResponseHeadersLength = maxResponseHeadersLength;
            wr.ReadWriteTimeout = readWriteTimeout;
            wr.UnsafeAuthenticatedConnectionSharing = unsafeAuthenticatedConnectionSharing;
            // here : maybe wr.ClientCertificates = ClientCertificates if the line below throws an error in your tests
            wr.ClientCertificates.Add(ClientCertificates);

            return wr;
        }
    }
}

now in your code use a WebRequestHandlerWithClientCertificates instead of a WebRequestHandler

3 compilation problems with this: (1) cannot 'override' inherited member because it's not marked as 'abstract' or 'virtual' at `ClientCertificates` (2) cannot override `CreateWebRequest` because it's not found (I think because it's marked as internal) and (3) `base.CreateWebRequest` is inaccessible due to its protection level. — ahmet alp balkan, Sep 05 '14 at 00:47
Hum, darn. I don't have an environment at hand to test it sorry. The point was to simply implement the ClientCertificates property and pass it to wr in CreateWebRequest, since it looks as if it's the only thing that's necessary. The only solution that comes to mind would be then to copy/paste WebRequestHandler and do that, and submitting a patch to mono if it works. I updated my answer to reflect that. — Sébastien Nussbaumer, Sep 05 '14 at 09:14

Using custom SSL client certificates System.Net.HttpClient on Mono

1 Answers1

Linked