/// <summary>
/// Initializes a new instance of the <see cref="CertificateValidator"/> class.
/// </summary>
/// <param name="identities">identities for this object</param>
/// <param name="flags">flags for the SSL wrapper</param>
/// <param name="modifySet">action to modify the default rule set</param>
/// <param name="instrumentation">instrumentation to use</param>
public CertificateValidator(CertIdentities identities, CertificateRulesFlags flags, Action <StandardValidationRuleSet> modifySet, ICertificateRulesInstrumentation instrumentation)
{
if (identities == null)
{
throw new ArgumentNullException("identities");
}
if (instrumentation == null)
{
instrumentation = SslWrappingInstrumentation.NullInstrumentation;
}
this.instrumentation = instrumentation;
StandardValidationRuleSet set = new StandardValidationRuleSet();
set.AddAcceptedCertificates(AbstractCertificateRule.RoleToApply.ClientCert, identities.IsClientCertificateIncluded);
set.AddAcceptedCertificates(AbstractCertificateRule.RoleToApply.ServerCert, identities.IsServerCertificateIncluded);
if (identities.IsClientWithNoCertificateAllowed)
{
set.AddBreakGlassCertificate(AbstractCertificateRule.RoleToApply.ClientCert, null);
set.SetChainValidationRequired(AbstractCertificateRule.RoleToApply.ClientCert, false);
}
if (identities.IsServerWithNoCertificateAllowed)
{
set.AddBreakGlassCertificate(AbstractCertificateRule.RoleToApply.ServerCert, null);
}
if ((flags & CertificateRulesFlags.MustCheckCertificateTrustChain) == CertificateRulesFlags.None)
{
set.SetChainValidationRequired(AbstractCertificateRule.RoleToApply.AllCerts, false);
}
if (modifySet != null)
{
modifySet(set);
}
this.extraRulesTovalidateCertificates = set.Rules;
this.BaseRule = null;
}
/// <summary>
/// Initializes a new instance of the <see cref="SslConnection"/> class.
/// </summary>
/// <param name="transportId">Unique Id of the transport associated with this policy</param>
/// <param name="configuration">Configuration settings</param>
public SslConnection(long transportId, Configuration configuration)
{
this.transportId = transportId;
if (configuration == null)
{
throw new ArgumentNullException(nameof(configuration));
}
if ((configuration.ClientCertificates != null || configuration.ServerCertificates != null) && configuration.Identities != null)
{
throw new ArgumentException("ClientCertificates and ServerCertificates must be null if Identities is provided");
}
this.configuration = configuration;
this.identities = configuration.Identities;
if (this.identities == null)
{
X509Certificate[] clientCertificates = this.configuration.ClientCertificates;
X509Certificate[] serverCertificates = this.configuration.ServerCertificates;
if (!configuration.StartAsClient && (serverCertificates == null || serverCertificates.Length == 0))
{
SecureTransportEventSource.Log.ServerCertificatesWereNotProvided(this.transportId);
throw new ArgumentException("Server certificates were not provided");
}
if (configuration.StartAsClient && (clientCertificates == null || clientCertificates.Length == 0))
{
SecureTransportEventSource.Log.ServerCertificatesWereNotProvided(this.transportId);
throw new ArgumentException("Client certificates were not provided");
}
this.identities = new CertIdentities();
this.identities.IsClientWithNoCertificateAllowed = clientCertificates == null && !this.FoundAnySubjectRuleMatch(configuration, AbstractCertificateRule.RoleToApply.ClientCert);
if (clientCertificates == null)
{
SecureTransportEventSource.Log.ClientCertificatesWereNotProvided(this.transportId);
clientCertificates = new X509Certificate[0];
}
if (serverCertificates == null)
{
SecureTransportEventSource.Log.ServerCertificatesWereNotProvided(this.transportId);
serverCertificates = new X509Certificate[0];
}
foreach (X509Certificate serverCertificate in serverCertificates)
{
if (serverCertificate != null)
{
string key = serverCertificate.GetSerialNumberString();
if (key != null)
{
SecureTransportEventSource.Log.SupportedServerCertificate(this.transportId, key);
}
}
else
{
throw new ArgumentException("One of the Server Certificates is null");
}
}
foreach (X509Certificate clientCertificate in clientCertificates)
{
if (clientCertificate != null)
{
string key = clientCertificate.GetSerialNumberString();
if (key != null)
{
SecureTransportEventSource.Log.SupportedClientCertificate(this.transportId, key);
}
}
else
{
throw new ArgumentException("One of the client certificates is null");
}
}
this.identities.SetClientIdentities(clientCertificates);
this.identities.SetServerIdentities(serverCertificates);
}
if (this.configuration.ExplicitRule != null)
{
this.certificateValidator = new CertificateValidator(this.configuration.ExplicitRule);
}
else
{
CertificateRulesFlags flags = CertificateValidator.GetFlags(this.configuration.MustCheckCertificateRevocation, this.configuration.MustCheckCertificateTrustChain);
if (this.configuration.SubjectValidations == null || this.configuration.SubjectValidations.Count == 0)
{
this.certificateValidator = new CertificateValidator(this.identities, flags);
}
else
{
Action <StandardValidationRuleSet> modifySet = (s) =>
{
foreach (SecureTransport.SubjectRuleValidation subjectRule in this.configuration.SubjectValidations)
{
s.AddAcceptedCertificateSubject(
subjectRule.Role,
subjectRule.SubjectValidation.CertificateSubject,
subjectRule.SubjectValidation.SigningCertThumbprints);
}
if (this.configuration.BlacklistedThumbprints != null)
{
foreach (string blacklisted in this.configuration.BlacklistedThumbprints)
{
s.AddBlacklistedCertificateThumbprint(AbstractCertificateRule.RoleToApply.AllCerts, blacklisted);
}
}
};
this.certificateValidator = new CertificateValidator(this.identities, flags, modifySet);
}
}
}
/// <summary>
/// Initializes a new instance of the <see cref="CertificateValidator"/> class.
/// </summary>
/// <param name="identities">identities for this object</param>
/// <param name="flags">flags for the SSL wrapper</param>
/// <param name="instrumentation">instrumentation to use</param>
public CertificateValidator(CertIdentities identities, CertificateRulesFlags flags, ICertificateRulesInstrumentation instrumentation = null)
: this(identities, flags, null, instrumentation)
{
}
/// <summary>
/// Initializes a new instance of the <see cref="CertificateValidator"/> class.
/// </summary>
/// <param name="identities">identities for this object</param>
/// <param name="flags">flags for the SSL wrapper</param>
/// <param name="modifySet">action to modify the default rule set</param>
public CertificateValidator(CertIdentities identities, CertificateRulesFlags flags, Action <StandardValidationRuleSet> modifySet)
: this(identities, flags, modifySet, null)
{
}
