Code:
/ 4.0 / 4.0 / DEVDIV_TFS / Dev10 / Releases / RTMRel / ndp / cdf / src / WCF / IdentityModel / System / IdentityModel / Selectors / X509CertificateValidator.cs / 1305376 / X509CertificateValidator.cs
//------------------------------------------------------------ // Copyright (c) Microsoft Corporation. All rights reserved. //----------------------------------------------------------- namespace System.IdentityModel.Selectors { using System.Collections.ObjectModel; using System.Diagnostics; using System.IdentityModel.Tokens; using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates; using System.Text; // This is to allow easy rollback to CLR implementation by commenting out the below. using X509Chain = System.IdentityModel.Selectors.X509CertificateChain; public abstract class X509CertificateValidator { static X509CertificateValidator peerTrust; static X509CertificateValidator chainTrust; static X509CertificateValidator ntAuthChainTrust; static X509CertificateValidator peerOrChainTrust; static X509CertificateValidator none; public static X509CertificateValidator None { get { if (none == null) none = new NoneX509CertificateValidator(); return none; } } public static X509CertificateValidator PeerTrust { get { if (peerTrust == null) peerTrust = new PeerTrustValidator(); return peerTrust; } } public static X509CertificateValidator ChainTrust { get { if (chainTrust == null) chainTrust = new ChainTrustValidator(); return chainTrust; } } internal static X509CertificateValidator NTAuthChainTrust { get { if (ntAuthChainTrust == null) ntAuthChainTrust = new ChainTrustValidator(false, null, CAPI.CERT_CHAIN_POLICY_NT_AUTH); return ntAuthChainTrust; } } public static X509CertificateValidator PeerOrChainTrust { get { if (peerOrChainTrust == null) peerOrChainTrust = new PeerOrChainTrustValidator(); return peerOrChainTrust; } } public static X509CertificateValidator CreateChainTrustValidator(bool useMachineContext, X509ChainPolicy chainPolicy) { if (chainPolicy == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("chainPolicy"); return new ChainTrustValidator(useMachineContext, chainPolicy, X509CertificateChain.DefaultChainPolicyOID); } public static X509CertificateValidator CreatePeerOrChainTrustValidator(bool useMachineContext, X509ChainPolicy chainPolicy) { if (chainPolicy == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("chainPolicy"); return new PeerOrChainTrustValidator(useMachineContext, chainPolicy); } public abstract void Validate(X509Certificate2 certificate); class NoneX509CertificateValidator : X509CertificateValidator { public override void Validate(X509Certificate2 certificate) { if (certificate == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("certificate"); } } class PeerTrustValidator : X509CertificateValidator { public override void Validate(X509Certificate2 certificate) { if (certificate == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("certificate"); Exception exception; if (!TryValidate(certificate, out exception)) throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(exception); } static bool StoreContainsCertificate(StoreName storeName, X509Certificate2 certificate) { X509CertificateStore store = new X509CertificateStore(storeName, StoreLocation.CurrentUser); X509Certificate2Collection certificates = null; try { store.Open(OpenFlags.ReadOnly); certificates = store.Find(X509FindType.FindByThumbprint, certificate.GetCertHash(), false); return certificates.Count > 0; } finally { SecurityUtils.ResetAllCertificates(certificates); store.Close(); } } internal bool TryValidate(X509Certificate2 certificate, out Exception exception) { // Checklist // 1) time validity of cert // 2) in trusted people store // 3) not in disallowed store // The following code could be written as: // DateTime now = DateTime.UtcNow; // if (now > certificate.NotAfter.ToUniversalTime() || now < certificate.NotBefore.ToUniversalTime()) // // this is because X509Certificate2.xxx doesn't return UT. However this would be a SMALL perf hit. // I put a DebugAssert so that this will ensure that the we are compatible with the CLR we shipped with DateTime now = DateTime.Now; DiagnosticUtility.DebugAssert(now.Kind == certificate.NotAfter.Kind && now.Kind == certificate.NotBefore.Kind, ""); if (now > certificate.NotAfter || now < certificate.NotBefore ) { exception = new SecurityTokenValidationException(SR.GetString(SR.X509InvalidUsageTime, SecurityUtils.GetCertificateId(certificate), now, certificate.NotBefore, certificate.NotAfter)); return false; } if (!StoreContainsCertificate(StoreName.TrustedPeople, certificate)) { exception = new SecurityTokenValidationException(SR.GetString(SR.X509IsNotInTrustedStore, SecurityUtils.GetCertificateId(certificate))); return false; } if (StoreContainsCertificate(StoreName.Disallowed, certificate)) { exception = new SecurityTokenValidationException(SR.GetString(SR.X509IsInUntrustedStore, SecurityUtils.GetCertificateId(certificate))); return false; } exception = null; return true; } } class ChainTrustValidator : X509CertificateValidator { bool useMachineContext; X509ChainPolicy chainPolicy; uint chainPolicyOID = X509CertificateChain.DefaultChainPolicyOID; public ChainTrustValidator() { this.chainPolicy = null; } public ChainTrustValidator(bool useMachineContext, X509ChainPolicy chainPolicy, uint chainPolicyOID) { this.useMachineContext = useMachineContext; this.chainPolicy = chainPolicy; this.chainPolicyOID = chainPolicyOID; } public override void Validate(X509Certificate2 certificate) { if (certificate == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("certificate"); X509Chain chain = new X509Chain(this.useMachineContext, this.chainPolicyOID); if (this.chainPolicy != null) { chain.ChainPolicy = this.chainPolicy; } if (!chain.Build(certificate)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(SR.GetString(SR.X509ChainBuildFail, SecurityUtils.GetCertificateId(certificate), GetChainStatusInformation(chain.ChainStatus)))); } } static string GetChainStatusInformation(X509ChainStatus[] chainStatus) { if (chainStatus != null) { StringBuilder error = new StringBuilder(128); for (int i = 0; i < chainStatus.Length; ++i) { error.Append(chainStatus[i].StatusInformation); error.Append(" "); } return error.ToString(); } return String.Empty; } } class PeerOrChainTrustValidator : X509CertificateValidator { X509CertificateValidator chain; PeerTrustValidator peer; public PeerOrChainTrustValidator() { this.chain = X509CertificateValidator.ChainTrust; this.peer = (PeerTrustValidator)X509CertificateValidator.PeerTrust; } public PeerOrChainTrustValidator(bool useMachineContext, X509ChainPolicy chainPolicy) { this.chain = X509CertificateValidator.CreateChainTrustValidator(useMachineContext, chainPolicy); this.peer = (PeerTrustValidator)X509CertificateValidator.PeerTrust; } public override void Validate(X509Certificate2 certificate) { if (certificate == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("certificate"); Exception exception; if (this.peer.TryValidate(certificate, out exception)) return; try { this.chain.Validate(certificate); } catch (SecurityTokenValidationException ex) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(exception.Message + " " + ex.Message)); } } } } } // File provided for Reference Use Only by Microsoft Corporation (c) 2007. //------------------------------------------------------------ // Copyright (c) Microsoft Corporation. All rights reserved. //----------------------------------------------------------- namespace System.IdentityModel.Selectors { using System.Collections.ObjectModel; using System.Diagnostics; using System.IdentityModel.Tokens; using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates; using System.Text; // This is to allow easy rollback to CLR implementation by commenting out the below. using X509Chain = System.IdentityModel.Selectors.X509CertificateChain; public abstract class X509CertificateValidator { static X509CertificateValidator peerTrust; static X509CertificateValidator chainTrust; static X509CertificateValidator ntAuthChainTrust; static X509CertificateValidator peerOrChainTrust; static X509CertificateValidator none; public static X509CertificateValidator None { get { if (none == null) none = new NoneX509CertificateValidator(); return none; } } public static X509CertificateValidator PeerTrust { get { if (peerTrust == null) peerTrust = new PeerTrustValidator(); return peerTrust; } } public static X509CertificateValidator ChainTrust { get { if (chainTrust == null) chainTrust = new ChainTrustValidator(); return chainTrust; } } internal static X509CertificateValidator NTAuthChainTrust { get { if (ntAuthChainTrust == null) ntAuthChainTrust = new ChainTrustValidator(false, null, CAPI.CERT_CHAIN_POLICY_NT_AUTH); return ntAuthChainTrust; } } public static X509CertificateValidator PeerOrChainTrust { get { if (peerOrChainTrust == null) peerOrChainTrust = new PeerOrChainTrustValidator(); return peerOrChainTrust; } } public static X509CertificateValidator CreateChainTrustValidator(bool useMachineContext, X509ChainPolicy chainPolicy) { if (chainPolicy == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("chainPolicy"); return new ChainTrustValidator(useMachineContext, chainPolicy, X509CertificateChain.DefaultChainPolicyOID); } public static X509CertificateValidator CreatePeerOrChainTrustValidator(bool useMachineContext, X509ChainPolicy chainPolicy) { if (chainPolicy == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("chainPolicy"); return new PeerOrChainTrustValidator(useMachineContext, chainPolicy); } public abstract void Validate(X509Certificate2 certificate); class NoneX509CertificateValidator : X509CertificateValidator { public override void Validate(X509Certificate2 certificate) { if (certificate == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("certificate"); } } class PeerTrustValidator : X509CertificateValidator { public override void Validate(X509Certificate2 certificate) { if (certificate == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("certificate"); Exception exception; if (!TryValidate(certificate, out exception)) throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(exception); } static bool StoreContainsCertificate(StoreName storeName, X509Certificate2 certificate) { X509CertificateStore store = new X509CertificateStore(storeName, StoreLocation.CurrentUser); X509Certificate2Collection certificates = null; try { store.Open(OpenFlags.ReadOnly); certificates = store.Find(X509FindType.FindByThumbprint, certificate.GetCertHash(), false); return certificates.Count > 0; } finally { SecurityUtils.ResetAllCertificates(certificates); store.Close(); } } internal bool TryValidate(X509Certificate2 certificate, out Exception exception) { // Checklist // 1) time validity of cert // 2) in trusted people store // 3) not in disallowed store // The following code could be written as: // DateTime now = DateTime.UtcNow; // if (now > certificate.NotAfter.ToUniversalTime() || now < certificate.NotBefore.ToUniversalTime()) // // this is because X509Certificate2.xxx doesn't return UT. However this would be a SMALL perf hit. // I put a DebugAssert so that this will ensure that the we are compatible with the CLR we shipped with DateTime now = DateTime.Now; DiagnosticUtility.DebugAssert(now.Kind == certificate.NotAfter.Kind && now.Kind == certificate.NotBefore.Kind, ""); if (now > certificate.NotAfter || now < certificate.NotBefore ) { exception = new SecurityTokenValidationException(SR.GetString(SR.X509InvalidUsageTime, SecurityUtils.GetCertificateId(certificate), now, certificate.NotBefore, certificate.NotAfter)); return false; } if (!StoreContainsCertificate(StoreName.TrustedPeople, certificate)) { exception = new SecurityTokenValidationException(SR.GetString(SR.X509IsNotInTrustedStore, SecurityUtils.GetCertificateId(certificate))); return false; } if (StoreContainsCertificate(StoreName.Disallowed, certificate)) { exception = new SecurityTokenValidationException(SR.GetString(SR.X509IsInUntrustedStore, SecurityUtils.GetCertificateId(certificate))); return false; } exception = null; return true; } } class ChainTrustValidator : X509CertificateValidator { bool useMachineContext; X509ChainPolicy chainPolicy; uint chainPolicyOID = X509CertificateChain.DefaultChainPolicyOID; public ChainTrustValidator() { this.chainPolicy = null; } public ChainTrustValidator(bool useMachineContext, X509ChainPolicy chainPolicy, uint chainPolicyOID) { this.useMachineContext = useMachineContext; this.chainPolicy = chainPolicy; this.chainPolicyOID = chainPolicyOID; } public override void Validate(X509Certificate2 certificate) { if (certificate == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("certificate"); X509Chain chain = new X509Chain(this.useMachineContext, this.chainPolicyOID); if (this.chainPolicy != null) { chain.ChainPolicy = this.chainPolicy; } if (!chain.Build(certificate)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(SR.GetString(SR.X509ChainBuildFail, SecurityUtils.GetCertificateId(certificate), GetChainStatusInformation(chain.ChainStatus)))); } } static string GetChainStatusInformation(X509ChainStatus[] chainStatus) { if (chainStatus != null) { StringBuilder error = new StringBuilder(128); for (int i = 0; i < chainStatus.Length; ++i) { error.Append(chainStatus[i].StatusInformation); error.Append(" "); } return error.ToString(); } return String.Empty; } } class PeerOrChainTrustValidator : X509CertificateValidator { X509CertificateValidator chain; PeerTrustValidator peer; public PeerOrChainTrustValidator() { this.chain = X509CertificateValidator.ChainTrust; this.peer = (PeerTrustValidator)X509CertificateValidator.PeerTrust; } public PeerOrChainTrustValidator(bool useMachineContext, X509ChainPolicy chainPolicy) { this.chain = X509CertificateValidator.CreateChainTrustValidator(useMachineContext, chainPolicy); this.peer = (PeerTrustValidator)X509CertificateValidator.PeerTrust; } public override void Validate(X509Certificate2 certificate) { if (certificate == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("certificate"); Exception exception; if (this.peer.TryValidate(certificate, out exception)) return; try { this.chain.Validate(certificate); } catch (SecurityTokenValidationException ex) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(exception.Message + " " + ex.Message)); } } } } } // File provided for Reference Use Only by Microsoft Corporation (c) 2007.
Link Menu
This book is available now!
Buy at Amazon US or
Buy at Amazon UK
- LayoutExceptionEventArgs.cs
- DataGridViewButtonCell.cs
- TimeoutValidationAttribute.cs
- OptimalTextSource.cs
- GlyphsSerializer.cs
- ContainerCodeDomSerializer.cs
- Renderer.cs
- FirstMatchCodeGroup.cs
- Int16AnimationUsingKeyFrames.cs
- XmlAttributeCollection.cs
- BaseCollection.cs
- RadioButtonBaseAdapter.cs
- SqlDataSourceWizardForm.cs
- FontFamily.cs
- HostSecurityManager.cs
- objectquery_tresulttype.cs
- TabPageDesigner.cs
- SoapSchemaMember.cs
- CreateUserWizard.cs
- EventHandlerList.cs
- SchemaMerger.cs
- SchemaInfo.cs
- MeshGeometry3D.cs
- ViewStateException.cs
- StyleSheetDesigner.cs
- COM2Enum.cs
- OdbcCommandBuilder.cs
- ConfigurationManagerHelper.cs
- EdmEntityTypeAttribute.cs
- Menu.cs
- InstanceKeyView.cs
- RulePatternOps.cs
- JapaneseCalendar.cs
- CssTextWriter.cs
- RichTextBoxDesigner.cs
- loginstatus.cs
- RelationalExpressions.cs
- MatrixConverter.cs
- PKCS1MaskGenerationMethod.cs
- Pkcs7Recipient.cs
- FragmentQuery.cs
- UIElementParaClient.cs
- LoginCancelEventArgs.cs
- CultureTable.cs
- StylusPointProperties.cs
- BufferedResponseStream.cs
- ColorAnimationBase.cs
- QueryOpeningEnumerator.cs
- SingleConverter.cs
- SettingsAttributeDictionary.cs
- PasswordTextNavigator.cs
- BrushConverter.cs
- ComplexBindingPropertiesAttribute.cs
- AnnotationResourceChangedEventArgs.cs
- LocationReferenceEnvironment.cs
- SqlServer2KCompatibilityCheck.cs
- WinEventQueueItem.cs
- TdsRecordBufferSetter.cs
- BuildTopDownAttribute.cs
- RectAnimationClockResource.cs
- ResourceProviderFactory.cs
- MatrixAnimationUsingPath.cs
- HtmlShimManager.cs
- ControlIdConverter.cs
- Guid.cs
- MDIWindowDialog.cs
- JournalEntryStack.cs
- FileUtil.cs
- PropertyKey.cs
- EllipticalNodeOperations.cs
- RoutedPropertyChangedEventArgs.cs
- ZipIOZip64EndOfCentralDirectoryBlock.cs
- LinkButton.cs
- TextTreeInsertUndoUnit.cs
- ExtendedPropertyCollection.cs
- QilVisitor.cs
- TrackingCondition.cs
- XmlSchemaAnyAttribute.cs
- PriorityRange.cs
- DoubleAnimationClockResource.cs
- ToolboxItemFilterAttribute.cs
- TextLineResult.cs
- ServiceHostFactory.cs
- xmlfixedPageInfo.cs
- TripleDESCryptoServiceProvider.cs
- CannotUnloadAppDomainException.cs
- OnOperation.cs
- SequentialOutput.cs
- FastPropertyAccessor.cs
- WebConfigurationHostFileChange.cs
- EnumCodeDomSerializer.cs
- ViewEventArgs.cs
- JsonMessageEncoderFactory.cs
- FileIOPermission.cs
- DataGridViewHeaderCell.cs
- EventMap.cs
- SpAudioStreamWrapper.cs
- CmsInterop.cs
- WmpBitmapEncoder.cs
- EncodingStreamWrapper.cs