Ejemplo n.º 1
        /// <summary>
        /// Builds a trust model from a certificate chain validator, a trust policy resolver
        /// and a policy filter.
        /// </summary>
        /// <param name="validator">The <see cref="TrustChainValidator"/> used to validate certificate chains. Must not be null.</param>
        /// <param name="policyResolver">The <see cref="IPolicyResolver"/> used to resolve trust policies. Stored as given; no null check is made here.</param>
        /// <param name="policyFilter">The <see cref="IPolicyFilter"/> used to check certificates against policies. Stored as given; no null check is made here.</param>
        /// <exception cref="ArgumentNullException"><paramref name="validator"/> is null.</exception>
        public TrustModel(TrustChainValidator validator, IPolicyResolver policyResolver, IPolicyFilter policyFilter)
        {
            // The chain validator is the only argument this constructor insists on.
            if (validator == null)
            {
                throw new ArgumentNullException("validator");
            }

            // Policy collaborators are accepted unchecked; code that uses them has to
            // cope with null on its own.
            m_policyFilter = policyFilter;
            m_trustPolicyResolver = policyResolver;
            m_certChainValidator = validator;
        }
Ejemplo n.º 2
        /// <summary>
        /// Creates a trust model that validates certificate chains with <paramref name="validator"/>
        /// and evaluates policies with the given resolver and filter.
        /// </summary>
        /// <param name="validator">Required <see cref="TrustChainValidator"/> for certificate chain validation.</param>
        /// <param name="policyResolver"><see cref="IPolicyResolver"/> for resolving trust policies; kept as passed, null included.</param>
        /// <param name="policyFilter"><see cref="IPolicyFilter"/> for checking a certificate against policies; kept as passed, null included.</param>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="validator"/> is null.</exception>
        public TrustModel(TrustChainValidator validator, IPolicyResolver policyResolver, IPolicyFilter policyFilter)
        {
            // Reject a missing validator before any field is written.
            if (validator == null)
            {
                throw new ArgumentNullException("validator");
            }

            // Neither policy argument is validated here.
            m_trustPolicyResolver = policyResolver;
            m_policyFilter = policyFilter;
            m_certChainValidator = validator;
        }
Ejemplo n.º 3
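        /// <summary>
        /// Creates a DirectAgent instance, specifying private, external and trust anchor certificate stores,
        /// trust and cryptography models, and certificate policy resolvers.
        /// </summary>
        /// <param name="domainResolver">
        /// An <see cref="IDomainResolver"/> instance providing the local domain names managed by this agent.
        /// It is passed straight to <c>AgentDomains</c>; this constructor does not check it.
        /// </param>
        /// <param name="privateCerts">
        /// An <see cref="ICertificateResolver"/> instance providing private certificates
        /// for senders of outgoing messages and receivers of incoming messages.
        /// </param>
        /// <param name="publicCerts">
        /// An <see cref="ICertificateResolver"/> instance providing public certificates
        /// for receivers of outgoing messages and senders of incoming messages.
        /// </param>
        /// <param name="anchors">
        /// An <see cref="ITrustAnchorResolver"/> instance providing trust anchors.
        /// </param>
        /// <param name="trustModel">
        /// An instance or subclass of <see cref="TrustModel"/> providing a custom trust model.
        /// </param>
        /// <param name="cryptographer">
        /// An instance or subclass of <see cref="SMIMECryptographer"/> providing a custom cryptography model.
        /// </param>
        /// <param name="certPolicyResolvers">
        /// Certificate <see cref="ICertPolicyResolvers">policy container</see>; its private and public
        /// resolvers are read here, so it must not be null.
        /// </param>
        /// <param name="policyFilter">The <see cref="IPolicyFilter"/> to store; not null-checked here.</param>
        /// <exception cref="ArgumentNullException">
        /// <paramref name="privateCerts"/>, <paramref name="publicCerts"/>, <paramref name="anchors"/>,
        /// <paramref name="trustModel"/>, <paramref name="cryptographer"/> or
        /// <paramref name="certPolicyResolvers"/> is null.
        /// </exception>
        public DirectAgent(IDomainResolver domainResolver, ICertificateResolver privateCerts, ICertificateResolver publicCerts
                           , ITrustAnchorResolver anchors, TrustModel trustModel, SMIMECryptographer cryptographer,
                           ICertPolicyResolvers certPolicyResolvers, IPolicyFilter policyFilter)
        {
            m_managedDomains = new AgentDomains(domainResolver);

            if (privateCerts == null)
            {
                throw new ArgumentNullException("privateCerts");
            }
            if (publicCerts == null)
            {
                throw new ArgumentNullException("publicCerts");
            }
            if (anchors == null)
            {
                throw new ArgumentNullException("anchors");
            }
            if (trustModel == null)
            {
                throw new ArgumentNullException("trustModel");
            }
            if (cryptographer == null)
            {
                throw new ArgumentNullException("cryptographer");
            }
            // certPolicyResolvers is dereferenced at the end of this constructor. Rejecting null
            // here gives a named error instead of a NullReferenceException, and does so before
            // the caller's trust model is modified below.
            if (certPolicyResolvers == null)
            {
                throw new ArgumentNullException("certPolicyResolvers");
            }

            m_privateCertResolver = privateCerts;
            m_publicCertResolver  = publicCerts;
            m_cryptographer       = cryptographer;
            m_trustAnchors        = anchors;
            m_trustModel          = trustModel;

            // Issuer certificates fall back to the public resolver only when the chain
            // validator reports that it has no resolver of its own.
            // NOTE(review): this writes to the TrustModel the caller passed in. If that instance
            // is shared between agents (TrustModel.Default looks like one; confirm), the
            // resolver set by the first agent stays in effect for the others.
            if (!m_trustModel.CertChainValidator.HasCertificateResolver)
            {
                m_trustModel.CertChainValidator.IssuerResolver = m_publicCertResolver;
            }

            m_minTrustRequirement = TrustEnforcementStatus.Success;

            m_privatePolicyResolver = certPolicyResolvers.PrivateResolver;
            m_publicPolicyResolver  = certPolicyResolvers.PublicResolver;
            // Stored unchecked; a null filter is not rejected at construction time.
            m_policyFilter          = policyFilter;
        }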
Ejemplo n.º 4
        /// <summary>
        /// Builds a <see cref="DirectAgent"/> from these settings.
        /// </summary>
        /// <remarks>
        /// <c>Validate()</c> runs first. The policy filter is always <c>PolicyFilter.Default</c>, and
        /// <c>TrustModel.Default</c> is used when no <c>Trust</c> settings are present.
        /// </remarks>
        /// <returns>The configured agent instance.</returns>
        public DirectAgent CreateAgent()
        {
            this.Validate();

            // Resolvers are created in a fixed order: certificates, anchors, then policies.
            ICertificateResolver privateResolver = this.PrivateCerts.CreateResolver();
            ICertificateResolver publicResolver = this.PublicCerts.CreateResolver();
            ITrustAnchorResolver anchorResolver = this.Anchors.Resolver.CreateResolver();
            ICertPolicyResolvers policyResolvers = GetPolicyResolvers();
            IPolicyFilter filter = PolicyFilter.Default;

            // Without a Trust section the agent runs on the default trust model.
            TrustModel model;
            if (this.Trust != null)
            {
                model = this.Trust.CreateTrustModel(policyResolvers.TrustResolver, filter);
            }
            else
            {
                model = TrustModel.Default;
            }

            SMIMECryptographer smime = this.Cryptographer.Create();
            IDomainResolver domains = this.CreateResolver();

            DirectAgent result = new DirectAgent(
                domains,
                privateResolver,
                publicResolver,
                anchorResolver,
                model,
                smime,
                policyResolvers,
                filter);

            // Copy the message-wrapping settings onto the new agent.
            result.AllowNonWrappedIncoming = m_allowNonWrappedIncoming;
            result.WrapMessages = m_wrapOutgoing;

            return result;
        }
Ejemplo n.º 5
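        /// <summary>
        /// Resolves the incoming trust policies for a recipient and checks the certificate against them.
        /// Any policy the certificate does not satisfy makes the result non-compliant.
        /// No policies (or no policy resolver) results in compliance.
        /// </summary>
        /// <param name="recipient">The recipient the incoming message is addressed to.</param>
        /// <param name="cert">Signing cert</param>
        /// <param name="policyFilter">
        /// The <see cref="IPolicyFilter"/> to use in validating the certificate against policies.
        /// May be omitted only when there is no policy to evaluate.
        /// </param>
        /// <returns>
        /// <c>true</c> when every resolved policy expression is satisfied or there is nothing to evaluate;
        /// <c>false</c> on the first expression that is not satisfied or that raises
        /// <c>PolicyRequiredException</c>.
        /// </returns>
        /// <exception cref="ArgumentNullException">
        /// <paramref name="policyFilter"/> is null while at least one policy expression has to be evaluated.
        /// </exception>
        /// <exception cref="AgentException">
        /// A policy could not be processed (wraps <c>PolicyProcessException</c> as <c>AgentError.InvalidPolicy</c>).
        /// </exception>
        public bool IsCertPolicyCompliant(MailAddress recipient, X509Certificate2 cert, IPolicyFilter policyFilter = null)
        {
            // No resolver configured: there is no policy to apply, so the certificate passes.
            if (m_trustPolicyResolver == null)
            {
                return true;
            }

            // NOTE(review): a null list from the resolver would throw in the loop below;
            // confirm that GetIncomingPolicy always returns a list.
            IList<IPolicyExpression> expressions = m_trustPolicyResolver.GetIncomingPolicy(recipient);

            foreach (var expression in expressions)
            {
                // The filter defaults to null. It is checked only once a policy actually needs
                // evaluating, so calls that never reach a policy keep returning true, while a
                // missing filter surfaces as a named argument error rather than a
                // NullReferenceException in the middle of a trust decision.
                if (policyFilter == null)
                {
                    throw new ArgumentNullException("policyFilter");
                }

                try
                {
                    // The first unmet policy decides the outcome.
                    if (!policyFilter.IsCompliant(cert, expression))
                    {
                        return false;
                    }
                }
                catch (PolicyRequiredException)
                {
                    // Treated the same as an unmet policy: not compliant.
                    return false;
                }
                catch (PolicyProcessException ppe)
                {
                    // A policy that cannot be processed is an error, not a "not compliant" answer.
                    throw new AgentException(AgentError.InvalidPolicy, ppe);
                }
            }

            return true;
        }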
Ejemplo n.º 6
 /// <summary>
 /// Creates a DirectAgent instance from private, external and trust anchor certificate stores,
 /// using <c>TrustModel.Default</c> and <c>SMIMECryptographer.Default</c> as the trust and cryptography models.
 /// </summary>
 /// <param name="domainResolver">
 /// An <see cref="IDomainResolver"/> instance providing the local domain names managed by this agent.
 /// </param>
 /// <param name="privateCerts">
 /// An <see cref="ICertificateResolver"/> instance providing private certificates
 /// for senders of outgoing messages and receivers of incoming messages.
 /// </param>
 /// <param name="publicCerts">
 /// An <see cref="ICertificateResolver"/> instance providing public certificates
 /// for receivers of outgoing messages and senders of incoming messages.
 /// </param>
 /// <param name="anchors">
 /// An <see cref="ITrustAnchorResolver"/> instance providing trust anchors.
 /// </param>
 /// <param name="certPolicyResolvers">Certificate <see cref="ICertPolicyResolvers">policy container</see></param>
 /// <param name="polciyFilter">
 /// The <see cref="IPolicyFilter"/> handed on to the full constructor. The parameter name is
 /// misspelled in the signature and is kept as is for callers that use named arguments.
 /// </param>
 public DirectAgent(
     IDomainResolver domainResolver,
     ICertificateResolver privateCerts,
     ICertificateResolver publicCerts,
     ITrustAnchorResolver anchors,
     ICertPolicyResolvers certPolicyResolvers,
     IPolicyFilter polciyFilter)
     : this(
         domainResolver,
         privateCerts,
         publicCerts,
         anchors,
         TrustModel.Default,
         SMIMECryptographer.Default,
         certPolicyResolvers,
         polciyFilter)
 {
     // All work, argument checks included, happens in the constructor this one chains to.
 }
Ejemplo n.º 7
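        /// <summary>
        /// Creates a DirectAgent instance, specifying private, external and trust anchor certificate stores,
        /// trust and cryptography models, and certificate policy resolvers.
        /// </summary>
        /// <param name="domainResolver">
        /// An <see cref="IDomainResolver"/> instance providing the local domain names managed by this agent.
        /// It is passed straight to <c>AgentDomains</c>; this constructor does not check it.
        /// </param>
        /// <param name="privateCerts">
        /// An <see cref="ICertificateResolver"/> instance providing private certificates
        /// for senders of outgoing messages and receivers of incoming messages.
        /// </param>
        /// <param name="publicCerts">
        /// An <see cref="ICertificateResolver"/> instance providing public certificates
        /// for receivers of outgoing messages and senders of incoming messages.
        /// </param>
        /// <param name="anchors">
        /// An <see cref="ITrustAnchorResolver"/> instance providing trust anchors.
        /// </param>
        /// <param name="trustModel">
        /// An instance or subclass of <see cref="TrustModel"/> providing a custom trust model.
        /// </param>
        /// <param name="cryptographer">
        /// An instance or subclass of <see cref="SMIMECryptographer"/> providing a custom cryptography model.
        /// </param>
        /// <param name="certPolicyResolvers">
        /// Certificate <see cref="ICertPolicyResolvers">policy container</see>; its private and public
        /// resolvers are read here, so it must not be null.
        /// </param>
        /// <param name="policyFilter">The <see cref="IPolicyFilter"/> to store; not null-checked here.</param>
        /// <exception cref="ArgumentNullException">
        /// <paramref name="privateCerts"/>, <paramref name="publicCerts"/>, <paramref name="anchors"/>,
        /// <paramref name="trustModel"/>, <paramref name="cryptographer"/> or
        /// <paramref name="certPolicyResolvers"/> is null.
        /// </exception>
        public DirectAgent(IDomainResolver domainResolver, ICertificateResolver privateCerts, ICertificateResolver publicCerts
            , ITrustAnchorResolver anchors, TrustModel trustModel, SMIMECryptographer cryptographer,
            ICertPolicyResolvers certPolicyResolvers, IPolicyFilter policyFilter)
        {
            m_managedDomains = new AgentDomains(domainResolver);

            if (privateCerts == null)
            {
                throw new ArgumentNullException("privateCerts");
            }
            if (publicCerts == null)
            {
                throw new ArgumentNullException("publicCerts");
            }
            if (anchors == null)
            {
                throw new ArgumentNullException("anchors");
            }
            if (trustModel == null)
            {
                throw new ArgumentNullException("trustModel");
            }
            if (cryptographer == null)
            {
                throw new ArgumentNullException("cryptographer");
            }
            // certPolicyResolvers is dereferenced at the end of this constructor. Rejecting null
            // here gives a named error instead of a NullReferenceException, and does so before
            // the caller's trust model is modified below.
            if (certPolicyResolvers == null)
            {
                throw new ArgumentNullException("certPolicyResolvers");
            }

            m_privateCertResolver = privateCerts;
            m_publicCertResolver = publicCerts;
            m_cryptographer = cryptographer;
            m_trustAnchors = anchors;
            m_trustModel = trustModel;

            // Issuer certificates fall back to the public resolver only when the chain
            // validator reports that it has no resolver of its own.
            // NOTE(review): this writes to the TrustModel the caller passed in. If that instance
            // is shared between agents (TrustModel.Default looks like one; confirm), the
            // resolver set by the first agent stays in effect for the others.
            if (!m_trustModel.CertChainValidator.HasCertificateResolver)
            {
                m_trustModel.CertChainValidator.IssuerResolver = m_publicCertResolver;
            }

            m_minTrustRequirement = TrustEnforcementStatus.Success;

            m_privatePolicyResolver = certPolicyResolvers.PrivateResolver;
            m_publicPolicyResolver = certPolicyResolvers.PublicResolver;
            // Stored unchecked; a null filter is not rejected at construction time.
            m_policyFilter = policyFilter;
        }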
Ejemplo n.º 8
 /// <summary>
 /// Creates a DirectAgent instance from private, external and trust anchor certificate stores,
 /// with <c>TrustModel.Default</c> and <c>SMIMECryptographer.Default</c> as the trust and cryptography models.
 /// </summary>
 /// <param name="domainResolver">
 /// An <see cref="IDomainResolver"/> instance providing the local domain names managed by this agent.
 /// </param>
 /// <param name="privateCerts">
 /// An <see cref="ICertificateResolver"/> instance providing private certificates
 /// for senders of outgoing messages and receivers of incoming messages.
 /// </param>
 /// <param name="publicCerts">
 /// An <see cref="ICertificateResolver"/> instance providing public certificates
 /// for receivers of outgoing messages and senders of incoming messages.
 /// </param>
 /// <param name="anchors">
 /// An <see cref="ITrustAnchorResolver"/> instance providing trust anchors.
 /// </param>
 /// <param name="certPolicyResolvers">Certificate <see cref="ICertPolicyResolvers">policy container</see></param>
 /// <param name="polciyFilter">
 /// The <see cref="IPolicyFilter"/> passed through to the full constructor. The name is misspelled
 /// in the signature; it is left unchanged so named-argument callers keep compiling.
 /// </param>
 public DirectAgent(
     IDomainResolver domainResolver,
     ICertificateResolver privateCerts,
     ICertificateResolver publicCerts,
     ITrustAnchorResolver anchors,
     ICertPolicyResolvers certPolicyResolvers,
     IPolicyFilter polciyFilter)
     : this(
         domainResolver,
         privateCerts,
         publicCerts,
         anchors,
         TrustModel.Default,
         SMIMECryptographer.Default,
         certPolicyResolvers,
         polciyFilter)
 {
     // Nothing to do here: the chained constructor validates and stores everything.
 }
Ejemplo n.º 9
        /// <summary>
        /// Builds a <see cref="TrustModel"/> whose chain validator is configured from these settings.
        /// </summary>
        /// <remarks>
        /// The revocation check mode and granularity are always copied. The maximum issuer chain length
        /// and the URL retrieval timeout are copied only when the configured value is greater than zero;
        /// otherwise the validator keeps whatever it was constructed with. When <c>ProblemFlags</c> is
        /// set, its entries are OR-ed together and assigned to the validator.
        /// </remarks>
        /// <param name="trustPolicyResolver"><see cref="IPolicyResolver"/> injected for trust policy resolution.</param>
        /// <param name="policyFilter"><see cref="IPolicyFilter"/> handed to the new trust model.</param>
        /// <returns>The newly created trust model.</returns>
        public TrustModel CreateTrustModel(IPolicyResolver trustPolicyResolver, IPolicyFilter policyFilter)
        {
            TrustChainValidator chainValidator = new TrustChainValidator
            {
                RevocationCheckMode = this.RevocationCheckMode,
                RevocationCheckGranularity = this.RevocationCheckGranularity
            };

            // Zero or negative means "not configured": leave the validator's own value alone.
            if (this.MaxIssuerChainLength > 0)
            {
                chainValidator.MaxIssuerChainLength = this.MaxIssuerChainLength;
            }
            if (this.TimeoutMilliseconds > 0)
            {
                chainValidator.ValidationPolicy.UrlRetrievalTimeout = TimeSpan.FromMilliseconds(this.TimeoutMilliseconds);
            }

            TrustModel model = new TrustModel(chainValidator, trustPolicyResolver, policyFilter);
            if (this.ProblemFlags == null)
            {
                // No flags configured; the validator's ProblemFlags are left untouched.
                return model;
            }

            // Fold the configured flags into a single bit mask.
            X509ChainStatusFlags combined = X509ChainStatusFlags.NoError;
            foreach (X509ChainStatusFlags problem in this.ProblemFlags)
            {
                combined |= problem;
            }
            model.CertChainValidator.ProblemFlags = combined;

            return model;
        }