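        /// <summary>
        /// Evaluates the configured certificate rules for one peer certificate and decides whether the TLS handshake may proceed.
        /// The base rule (if any) produces the initial verdict; each extra rule that applies to <paramref name="roleToApply"/>
        /// is then composed onto it via <see cref="AbstractCertificateRule.Compose"/>. Every outcome is reported to the instrumentation.
        /// </summary>
        /// <param name="certificate">Certificate that is being validated</param>
        /// <param name="chain">Result of X509 chain build</param>
        /// <param name="sslPolicyErrors">SSL policy errors returned by the validation; passed through to each rule, not interpreted here</param>
        /// <param name="roleToApply">role (clientCert/serverCert) to validate; rules whose <c>AppliesTo</c> does not include it are skipped</param>
        /// <returns>
        /// True only if the composed verdict is <c>Allowed</c> or <c>BreakGlassUnlessBlackListed</c>.
        /// False as soon as any applicable rule composes to <c>BlackListed</c>, or if the final verdict is anything else
        /// (e.g. <c>Neutral</c> because there is no base rule and no applicable extra rule) -- the method fails closed.
        /// </returns>
        private bool ValidateSslPolicyErrors(X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors, AbstractCertificateRule.RoleToApply roleToApply)
        {
            // Start from Neutral so that an empty rule set rejects the certificate rather than accepting it.
            AbstractCertificateRule.Behavior beh = AbstractCertificateRule.Behavior.Neutral;
            string reason = "no baseRule existed";

            if (this.BaseRule != null)
            {
                beh    = this.BaseRule.IsValid(certificate, chain, sslPolicyErrors);
                reason = "baserule " + this.BaseRule.GetType() + " set it to " + beh;
            }

            // evaluate all rules for the given role
            foreach (AbstractCertificateRule rule in this.extraRulesTovalidateCertificates)
            {
                if ((rule.AppliesTo & roleToApply) == AbstractCertificateRule.RoleToApply.None)
                {
                    continue;
                }

                AbstractCertificateRule.Behavior thisB = rule.IsValid(certificate, chain, sslPolicyErrors);

                AbstractCertificateRule.Behavior newBeh = AbstractCertificateRule.Compose(beh, thisB);

                // Track which rule last changed the verdict; this is what the audit trail reports.
                bool changedByThisRule = beh != newBeh;
                if (changedByThisRule)
                {
                    reason = "rule " + rule.GetType() + " set it to " + newBeh;
                }

                beh = newBeh;

                if (beh == AbstractCertificateRule.Behavior.BlackListed)
                {
                    // Credit this rule with the blacklisting only if it actually flipped the verdict. If the base rule
                    // already produced BlackListed and Compose kept it, the rejection must stay attributed to the base
                    // rule; otherwise incident review would blame the first applicable extra rule.
                    string blackListReason = changedByThisRule
                        ? "rule " + rule.GetType() + " blacklisted it"
                        : reason;
                    this.instrumentation.ValidateCertificateCompleted(certificate, succeeded: false, reason: blackListReason);
                    return(false);
                }
            }

            if (beh == AbstractCertificateRule.Behavior.Allowed || beh == AbstractCertificateRule.Behavior.BreakGlassUnlessBlackListed)
            {
                this.instrumentation.ValidateCertificateCompleted(certificate, succeeded: true, reason: reason);
                return(true);
            }

            // Neutral (or any other non-allow verdict) is a rejection: unknown is treated as untrusted.
            this.instrumentation.ValidateCertificateCompleted(certificate, succeeded: false, reason: reason);
            return(false);
        }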
        /// <summary>
        /// Initializes a new instance of the <see cref="CertificateValidator"/> class from a set of extra rules and no base rule.
        /// </summary>
        /// <param name="rules">validation rules; null is treated as an empty set. The sequence is materialized once here, so later changes to the caller's collection are not observed.</param>
        /// <param name="instrumentation">instrumentation to use; null selects <see cref="SslWrappingInstrumentation.NullInstrumentation"/></param>
        public CertificateValidator(IEnumerable <AbstractCertificateRule> rules, ICertificateRulesInstrumentation instrumentation = null)
        {
            this.instrumentation = instrumentation ?? SslWrappingInstrumentation.NullInstrumentation;

            // Snapshot the rules into an array so the validator's rule list cannot be mutated through the caller's reference afterwards.
            IEnumerable<AbstractCertificateRule> ruleSource = rules ?? new AbstractCertificateRule[0];
            this.extraRulesTovalidateCertificates = ruleSource.ToArray();

            // No base rule: only the extra rules decide. With none applicable the verdict stays Neutral, which ValidateSslPolicyErrors rejects.
            this.BaseRule = null;
        }
        /// <summary>
        /// Initializes a new instance of the <see cref="CertificateValidator"/> class from a single extra rule and no base rule.
        /// </summary>
        /// <param name="rule">validation rule; null yields a validator with no extra rules at all</param>
        /// <param name="instrumentation">instrumentation to use; null selects <see cref="SslWrappingInstrumentation.NullInstrumentation"/></param>
        public CertificateValidator(AbstractCertificateRule rule, ICertificateRulesInstrumentation instrumentation = null)
        {
            this.instrumentation = instrumentation ?? SslWrappingInstrumentation.NullInstrumentation;

            // NOTE(review): the IEnumerable<> overload stores an array while this one stores a List; the rule field
            // must therefore be typed as a common interface. Kept as a List here to preserve existing behavior.
            List<AbstractCertificateRule> singleRule = new List<AbstractCertificateRule>();
            if (rule != null)
            {
                singleRule.Add(rule);
            }

            this.extraRulesTovalidateCertificates = singleRule;

            // No base rule: only the extra rule decides. Without one the verdict stays Neutral, which ValidateSslPolicyErrors rejects.
            this.BaseRule = null;
        }