        /// <summary>
        /// Demands certificate-store access (enumerate stores, open store, enumerate
        /// certificates) when the host's security configuration will need to read a
        /// certificate store at runtime.
        /// </summary>
        /// <param name="host">Service host whose credentials and endpoints are inspected.</param>
        /// <remarks>
        /// The demand is raised when the service credentials use a certificate, or when any
        /// endpoint either authenticates clients by certificate while the host validates
        /// certificates, or has message security that is anonymous or not Windows-based.
        /// </remarks>
        internal static void DemandHostStorePermissions(ServiceHost host)
        {
            bool validatesCertificates = ValidatesCertificates(host);
            bool storeAccessRequired = UsesCertificateServiceCredentials(host);

            foreach (ServiceEndpoint endpoint in host.Description.Endpoints)
            {
                // Same predicate order as the nested checks it replaces; short-circuiting
                // keeps the sequence of helper calls identical.
                bool endpointNeedsStore =
                    (UsesCertificateClientCredentials(endpoint) && validatesCertificates)
                    || (MessageSecurityEnabled(endpoint)
                        && (IsAnonymous(endpoint) || !WindowsSecurityEnabled(endpoint)));

                if (endpointNeedsStore)
                {
                    storeAccessRequired = true;
                    break;
                }
            }

            if (!storeAccessRequired)
            {
                return;
            }

            const StorePermissionFlags requiredFlags =
                StorePermissionFlags.EnumerateStores
                | StorePermissionFlags.OpenStore
                | StorePermissionFlags.EnumerateCertificates;
            IPermission certPermission = new StorePermission(requiredFlags);
            certPermission.Demand();
        }
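        /// <summary>
        /// Demands certificate-store access (enumerate stores, open store, enumerate
        /// certificates) when a client endpoint's security settings will need to read a
        /// certificate store.
        /// </summary>
        /// <param name="endpoint">Client endpoint whose security configuration is inspected.</param>
        /// <remarks>
        /// Nothing is demanded when message security is off and Windows security is on.
        /// Otherwise the demand is raised when the endpoint scopes a certificate or presents
        /// certificate client credentials, or when message security validates certificates
        /// without Windows security. The two former demands used the same permission, so they
        /// are folded into one and the permission object is only created when it is needed.
        /// </remarks>
        internal static void DemandClientStorePermissions(ServiceEndpoint endpoint)
        {
            bool messageSecurity = MessageSecurityEnabled(endpoint);
            bool windowsSecurity = WindowsSecurityEnabled(endpoint);

            if (!messageSecurity && windowsSecurity)
            {
                return;
            }

            bool storeAccessRequired =
                ScopesCertificate(endpoint)
                || UsesCertificateClientCredentials(endpoint)
                || (messageSecurity && !windowsSecurity && ValidatesCertificates(endpoint));

            if (storeAccessRequired)
            {
                IPermission certPermission = new StorePermission(
                    StorePermissionFlags.EnumerateStores
                    | StorePermissionFlags.OpenStore
                    | StorePermissionFlags.EnumerateCertificates);
                certPermission.Demand();
            }
        }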
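        /// <summary>
        /// Installs a certificate carried in a resource file into the given store of the
        /// local machine, unless a matching certificate is already present.
        /// </summary>
        /// <param name="sn">Store to install into; it is opened at <see cref="StoreLocation.LocalMachine"/>.</param>
        /// <param name="certificatefile">Raw certificate bytes (the resource contents).</param>
        /// <returns>
        /// <see cref="string.Empty"/> on success or when the certificate was already present;
        /// otherwise the message of the exception that stopped the installation.
        /// </returns>
        /// <remarks>
        /// Adding to a LocalMachine store is a machine-wide trust change, so
        /// <see cref="StorePermissionFlags.AllFlags"/> is demanded before anything else.
        /// The store is closed in a <c>finally</c> block so a failing <c>Add</c> no longer
        /// leaks the open store handle. Exceptions are deliberately converted into the
        /// return value to keep the existing string-based contract for callers.
        /// </remarks>
        public static string InstallCertificateFromResource(StoreName sn, byte[] certificatefile)
        {
            try
            {
                StorePermission sp = new StorePermission(StorePermissionFlags.AllFlags);
                sp.Demand();
                X509Certificate2 certificate = new X509Certificate2(certificatefile);

                // Only touch the store when the certificate is not already installed.
                if (TryGetCertificate(sn, certificatefile) == null)
                {
                    X509Store store = new X509Store(sn, StoreLocation.LocalMachine);
                    store.Open(OpenFlags.ReadWrite);
                    try
                    {
                        store.Add(certificate);
                    }
                    finally
                    {
                        store.Close();
                    }
                }
                return string.Empty;
            }
            catch (Exception ex)
            {
                // Best-effort contract: failures are reported through the return value.
                return ex.Message;
            }
        }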
        /// <summary>
        /// Builds the certificate chain for <paramref name="certificate"/> using
        /// <c>this.ChainPolicy</c> and verifies it against the base chain policy, replacing
        /// any chain previously built by this instance.
        /// </summary>
        /// <param name="certificate">Certificate whose chain is built; must carry a valid context handle.</param>
        /// <returns>
        /// <c>true</c> if the chain was built and the base policy reported no error;
        /// <c>false</c> if native chain building failed or the policy check returned a
        /// non-zero error code. The policy error code is published via <c>CAPI.SetLastError</c>;
        /// a build failure (non-<c>S_OK</c> HRESULT) is not distinguishable from a policy failure
        /// by the return value alone.
        /// </returns>
        /// <exception cref="ArgumentException"><paramref name="certificate"/> is null or its context handle is invalid.</exception>
        /// <exception cref="CryptographicException">The native chain-policy verification call itself failed.</exception>
        /// <exception cref="SecurityException">A demanded store or network permission was refused.</exception>
        public bool Build(X509Certificate2 certificate)
        {
            // Serializes access to this instance's chain state (presumably m_safeCertChainHandle
            // and whatever Reset()/Init() touch) — confirm against the rest of the class.
            lock (m_syncRoot) {
                if (certificate == null || certificate.CertContext.IsInvalid)
                {
                    throw new ArgumentException(SR.GetString(SR.Cryptography_InvalidContextHandle), "certificate");
                }

                // Chain building opens and enumerates the root store to see if the root of the chain is trusted.
                StorePermission sp = new StorePermission(StorePermissionFlags.OpenStore | StorePermissionFlags.EnumerateCertificates);
                sp.Demand();

                X509ChainPolicy chainPolicy = this.ChainPolicy;
                if (chainPolicy.RevocationMode == X509RevocationMode.Online)
                {
                    if (certificate.Extensions[CAPI.szOID_CRL_DIST_POINTS] != null ||
                        certificate.Extensions[CAPI.szOID_AUTHORITY_INFO_ACCESS] != null)
                    {
                        // If there is a CDP or AIA extension, we demand unrestricted network access and store add permission
                        // since CAPI can download certificates into the CA store from the network.
                        // The demand is made only for Online revocation checking; Offline/NoCheck skip it.
                        PermissionSet ps = new PermissionSet(PermissionState.None);
                        ps.AddPermission(new WebPermission(PermissionState.Unrestricted));
                        ps.AddPermission(new StorePermission(StorePermissionFlags.AddToStore));
                        ps.Demand();
                    }
                }

                // Discard any previously built chain before building a new one into m_safeCertChainHandle.
                Reset();
                int hr = BuildChain(m_useMachineContext ? new IntPtr(CAPI.HCCE_LOCAL_MACHINE) : new IntPtr(CAPI.HCCE_CURRENT_USER),
                                    certificate.CertContext,
                                    chainPolicy.ExtraStore,
                                    chainPolicy.ApplicationPolicy,
                                    chainPolicy.CertificatePolicy,
                                    chainPolicy.RevocationMode,
                                    chainPolicy.RevocationFlag,
                                    chainPolicy.VerificationTime,
                                    chainPolicy.UrlRetrievalTimeout,
                                    ref m_safeCertChainHandle);

                if (hr != CAPI.S_OK)
                {
                    // Build failure is reported as a plain false, without reaching the policy check below.
                    return(false);
                }

                // Init.
                Init();

                // Verify the chain using the specified policy.
                // Only CERT_CHAIN_POLICY_BASE is applied here; the caller's VerificationFlags are
                // passed through dwFlags to relax or tighten individual checks.
                CAPI.CERT_CHAIN_POLICY_PARA   PolicyPara   = new CAPI.CERT_CHAIN_POLICY_PARA(Marshal.SizeOf(typeof(CAPI.CERT_CHAIN_POLICY_PARA)));
                CAPI.CERT_CHAIN_POLICY_STATUS PolicyStatus = new CAPI.CERT_CHAIN_POLICY_STATUS(Marshal.SizeOf(typeof(CAPI.CERT_CHAIN_POLICY_STATUS)));

                PolicyPara.dwFlags = (uint)chainPolicy.VerificationFlags;

                if (!CAPI.CertVerifyCertificateChainPolicy(new IntPtr(CAPI.CERT_CHAIN_POLICY_BASE),
                                                           m_safeCertChainHandle,
                                                           ref PolicyPara,
                                                           ref PolicyStatus))
                {
                    // The API failed.
                    // This is distinct from a policy violation: a violation returns true with a non-zero dwError.
                    throw new CryptographicException(Marshal.GetLastWin32Error());
                }

                // Surface the policy result code to the caller via the thread's last-error value,
                // then report success only when the policy raised no error at all.
                CAPI.SetLastError(PolicyStatus.dwError);
                return(PolicyStatus.dwError == 0);
            }
        }