Code:
/ 4.0 / 4.0 / untmp / DEVDIV_TFS / Dev10 / Releases / RTMRel / ndp / cdf / src / WCF / IdentityModel / System / IdentityModel / Selectors / X509CertificateValidator.cs / 1305376 / X509CertificateValidator.cs
//------------------------------------------------------------
// Copyright (c) Microsoft Corporation. All rights reserved.
//-----------------------------------------------------------
namespace System.IdentityModel.Selectors
{
using System.Collections.ObjectModel;
using System.Diagnostics;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
// This is to allow easy rollback to CLR implementation by commenting out the below.
using X509Chain = System.IdentityModel.Selectors.X509CertificateChain;
public abstract class X509CertificateValidator
{
static X509CertificateValidator peerTrust;
static X509CertificateValidator chainTrust;
static X509CertificateValidator ntAuthChainTrust;
static X509CertificateValidator peerOrChainTrust;
static X509CertificateValidator none;
public static X509CertificateValidator None
{
get
{
if (none == null)
none = new NoneX509CertificateValidator();
return none;
}
}
public static X509CertificateValidator PeerTrust
{
get
{
if (peerTrust == null)
peerTrust = new PeerTrustValidator();
return peerTrust;
}
}
public static X509CertificateValidator ChainTrust
{
get
{
if (chainTrust == null)
chainTrust = new ChainTrustValidator();
return chainTrust;
}
}
internal static X509CertificateValidator NTAuthChainTrust
{
get
{
if (ntAuthChainTrust == null)
ntAuthChainTrust = new ChainTrustValidator(false, null, CAPI.CERT_CHAIN_POLICY_NT_AUTH);
return ntAuthChainTrust;
}
}
public static X509CertificateValidator PeerOrChainTrust
{
get
{
if (peerOrChainTrust == null)
peerOrChainTrust = new PeerOrChainTrustValidator();
return peerOrChainTrust;
}
}
public static X509CertificateValidator CreateChainTrustValidator(bool useMachineContext, X509ChainPolicy chainPolicy)
{
if (chainPolicy == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("chainPolicy");
return new ChainTrustValidator(useMachineContext, chainPolicy, X509CertificateChain.DefaultChainPolicyOID);
}
public static X509CertificateValidator CreatePeerOrChainTrustValidator(bool useMachineContext, X509ChainPolicy chainPolicy)
{
if (chainPolicy == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("chainPolicy");
return new PeerOrChainTrustValidator(useMachineContext, chainPolicy);
}
public abstract void Validate(X509Certificate2 certificate);
class NoneX509CertificateValidator : X509CertificateValidator
{
public override void Validate(X509Certificate2 certificate)
{
if (certificate == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("certificate");
}
}
class PeerTrustValidator : X509CertificateValidator
{
public override void Validate(X509Certificate2 certificate)
{
if (certificate == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("certificate");
Exception exception;
if (!TryValidate(certificate, out exception))
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(exception);
}
static bool StoreContainsCertificate(StoreName storeName, X509Certificate2 certificate)
{
X509CertificateStore store = new X509CertificateStore(storeName, StoreLocation.CurrentUser);
X509Certificate2Collection certificates = null;
try
{
store.Open(OpenFlags.ReadOnly);
certificates = store.Find(X509FindType.FindByThumbprint, certificate.GetCertHash(), false);
return certificates.Count > 0;
}
finally
{
SecurityUtils.ResetAllCertificates(certificates);
store.Close();
}
}
internal bool TryValidate(X509Certificate2 certificate, out Exception exception)
{
// Checklist
// 1) time validity of cert
// 2) in trusted people store
// 3) not in disallowed store
// The following code could be written as:
// DateTime now = DateTime.UtcNow;
// if (now > certificate.NotAfter.ToUniversalTime() || now < certificate.NotBefore.ToUniversalTime())
//
// this is because X509Certificate2.xxx doesn't return UT. However this would be a SMALL perf hit.
// I put a DebugAssert so that this will ensure that the we are compatible with the CLR we shipped with
DateTime now = DateTime.Now;
DiagnosticUtility.DebugAssert(now.Kind == certificate.NotAfter.Kind && now.Kind == certificate.NotBefore.Kind, "");
if (now > certificate.NotAfter || now < certificate.NotBefore )
{
exception = new SecurityTokenValidationException(SR.GetString(SR.X509InvalidUsageTime,
SecurityUtils.GetCertificateId(certificate), now, certificate.NotBefore, certificate.NotAfter));
return false;
}
if (!StoreContainsCertificate(StoreName.TrustedPeople, certificate))
{
exception = new SecurityTokenValidationException(SR.GetString(SR.X509IsNotInTrustedStore,
SecurityUtils.GetCertificateId(certificate)));
return false;
}
if (StoreContainsCertificate(StoreName.Disallowed, certificate))
{
exception = new SecurityTokenValidationException(SR.GetString(SR.X509IsInUntrustedStore,
SecurityUtils.GetCertificateId(certificate)));
return false;
}
exception = null;
return true;
}
}
class ChainTrustValidator : X509CertificateValidator
{
bool useMachineContext;
X509ChainPolicy chainPolicy;
uint chainPolicyOID = X509CertificateChain.DefaultChainPolicyOID;
public ChainTrustValidator()
{
this.chainPolicy = null;
}
public ChainTrustValidator(bool useMachineContext, X509ChainPolicy chainPolicy, uint chainPolicyOID)
{
this.useMachineContext = useMachineContext;
this.chainPolicy = chainPolicy;
this.chainPolicyOID = chainPolicyOID;
}
public override void Validate(X509Certificate2 certificate)
{
if (certificate == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("certificate");
X509Chain chain = new X509Chain(this.useMachineContext, this.chainPolicyOID);
if (this.chainPolicy != null)
{
chain.ChainPolicy = this.chainPolicy;
}
if (!chain.Build(certificate))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(SR.GetString(SR.X509ChainBuildFail,
SecurityUtils.GetCertificateId(certificate), GetChainStatusInformation(chain.ChainStatus))));
}
}
static string GetChainStatusInformation(X509ChainStatus[] chainStatus)
{
if (chainStatus != null)
{
StringBuilder error = new StringBuilder(128);
for (int i = 0; i < chainStatus.Length; ++i)
{
error.Append(chainStatus[i].StatusInformation);
error.Append(" ");
}
return error.ToString();
}
return String.Empty;
}
}
class PeerOrChainTrustValidator : X509CertificateValidator
{
X509CertificateValidator chain;
PeerTrustValidator peer;
public PeerOrChainTrustValidator()
{
this.chain = X509CertificateValidator.ChainTrust;
this.peer = (PeerTrustValidator)X509CertificateValidator.PeerTrust;
}
public PeerOrChainTrustValidator(bool useMachineContext, X509ChainPolicy chainPolicy)
{
this.chain = X509CertificateValidator.CreateChainTrustValidator(useMachineContext, chainPolicy);
this.peer = (PeerTrustValidator)X509CertificateValidator.PeerTrust;
}
public override void Validate(X509Certificate2 certificate)
{
if (certificate == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("certificate");
Exception exception;
if (this.peer.TryValidate(certificate, out exception))
return;
try
{
this.chain.Validate(certificate);
}
catch (SecurityTokenValidationException ex)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(exception.Message + " " + ex.Message));
}
}
}
}
}
// File provided for Reference Use Only by Microsoft Corporation (c) 2007.
Link Menu
This book is available now!
Buy at Amazon US or
Buy at Amazon UK
- HtmlTableRow.cs
- _AutoWebProxyScriptWrapper.cs
- HandoffBehavior.cs
- TrackBarRenderer.cs
- OptimalBreakSession.cs
- HostElement.cs
- SharedUtils.cs
- CookielessHelper.cs
- TimeSpanValidator.cs
- MachineKeySection.cs
- PerformanceCounterNameAttribute.cs
- DataKey.cs
- LogicalTreeHelper.cs
- TextOnlyOutput.cs
- UICuesEvent.cs
- SQLDecimalStorage.cs
- ZipIOBlockManager.cs
- Stylus.cs
- EventDescriptorCollection.cs
- TypeTypeConverter.cs
- RequiredAttributeAttribute.cs
- SafeTimerHandle.cs
- connectionpool.cs
- BuildProvider.cs
- SynchronizedPool.cs
- FixedMaxHeap.cs
- HttpCapabilitiesEvaluator.cs
- EpmSourcePathSegment.cs
- VisualBrush.cs
- ProjectionCamera.cs
- AddInContractAttribute.cs
- SecurityTokenSerializer.cs
- ControlCollection.cs
- X509CertificateStore.cs
- CollectionConverter.cs
- ClientBuildManagerCallback.cs
- Base64Stream.cs
- ChameleonKey.cs
- QueryExpr.cs
- PrePostDescendentsWalker.cs
- TextSegment.cs
- HostedTransportConfigurationManager.cs
- DynamicContractTypeBuilder.cs
- DisableDpiAwarenessAttribute.cs
- AttributeEmitter.cs
- RawStylusInputReport.cs
- cookiecontainer.cs
- EncodingTable.cs
- Transactions.cs
- X509WindowsSecurityToken.cs
- MetaTableHelper.cs
- DateTimeUtil.cs
- SHA512.cs
- MgmtConfigurationRecord.cs
- XmlCharType.cs
- CodeGroup.cs
- GPPOINTF.cs
- XmlUTF8TextReader.cs
- SQLBinaryStorage.cs
- Block.cs
- UnsafeNativeMethods.cs
- SpellerHighlightLayer.cs
- CompilationLock.cs
- DataSourceGroupCollection.cs
- ColumnResizeAdorner.cs
- WebPartCatalogCloseVerb.cs
- DataGridToolTip.cs
- StoryFragments.cs
- SQLDecimalStorage.cs
- XmlSchemaAnnotation.cs
- _OSSOCK.cs
- ContractInferenceHelper.cs
- ApplicationGesture.cs
- ClockGroup.cs
- DocComment.cs
- CuspData.cs
- BorderGapMaskConverter.cs
- DataGridCellEditEndingEventArgs.cs
- RsaSecurityKey.cs
- ProvideValueServiceProvider.cs
- WebPartDisplayModeCollection.cs
- VarInfo.cs
- NeedSkipTokenVisitor.cs
- OdbcException.cs
- SharedPersonalizationStateInfo.cs
- ReachNamespaceInfo.cs
- ItemsChangedEventArgs.cs
- CodeTypeMember.cs
- DbProviderManifest.cs
- ConnectionPoint.cs
- InvalidAsynchronousStateException.cs
- C14NUtil.cs
- PropertyGridView.cs
- DbException.cs
- DataGridViewCellCancelEventArgs.cs
- ItemDragEvent.cs
- SqlTrackingService.cs
- _ScatterGatherBuffers.cs
- XmlSchemaAppInfo.cs
- EntityDataSourceDesignerHelper.cs