/// <summary>
/// Creates a new object that is a copy of the current instance.
/// </summary>
/// <returns>
/// A new object that is a copy of this instance.
/// </returns>
public new object MemberwiseClone()
{
CertificateIdentifierCollection collection = new CertificateIdentifierCollection();
for (int ii = 0; ii < this.Count; ii++)
{
collection.Add((CertificateIdentifier)Utils.Clone(this[ii]));
}
return(collection);
}
/// <summary>
/// Updates the validator with a new set of trust lists.
/// </summary>
public virtual void Update(
CertificateTrustList issuerStore,
CertificateTrustList trustedStore,
CertificateStoreIdentifier rejectedCertificateStore)
{
lock (m_lock)
{
m_validatedCertificates.Clear();
m_trustedCertificateStore = null;
m_trustedCertificateList = null;
if (trustedStore != null)
{
m_trustedCertificateStore = new CertificateStoreIdentifier();
m_trustedCertificateStore.StoreType = trustedStore.StoreType;
m_trustedCertificateStore.StorePath = trustedStore.StorePath;
m_trustedCertificateStore.ValidationOptions = trustedStore.ValidationOptions;
if (trustedStore.TrustedCertificates != null)
{
m_trustedCertificateList = new CertificateIdentifierCollection();
m_trustedCertificateList.AddRange(trustedStore.TrustedCertificates);
}
}
m_issuerCertificateStore = null;
m_issuerCertificateList = null;
if (issuerStore != null)
{
m_issuerCertificateStore = new CertificateStoreIdentifier();
m_issuerCertificateStore.StoreType = issuerStore.StoreType;
m_issuerCertificateStore.StorePath = issuerStore.StorePath;
m_issuerCertificateStore.ValidationOptions = issuerStore.ValidationOptions;
if (issuerStore.TrustedCertificates != null)
{
m_issuerCertificateList = new CertificateIdentifierCollection();
m_issuerCertificateList.AddRange(issuerStore.TrustedCertificates);
}
}
m_rejectedCertificateStore = null;
if (rejectedCertificateStore != null)
{
m_rejectedCertificateStore = (CertificateStoreIdentifier)rejectedCertificateStore.MemberwiseClone();
}
}
}
/// <summary>
/// Returns the issuers for the certificates.
/// </summary>
public async Task <bool> GetIssuers(X509Certificate2Collection certificates, List <CertificateIdentifier> issuers)
{
bool isTrusted = false;
CertificateIdentifier issuer = null;
X509Certificate2 certificate = certificates[0];
CertificateIdentifierCollection collection = new CertificateIdentifierCollection();
for (int ii = 1; ii < certificates.Count; ii++)
{
collection.Add(new CertificateIdentifier(certificates[ii]));
}
do
{
issuer = await GetIssuer(certificate, m_trustedCertificateList, m_trustedCertificateStore, true);
if (issuer == null)
{
issuer = await GetIssuer(certificate, m_issuerCertificateList, m_issuerCertificateStore, true);
if (issuer == null)
{
issuer = await GetIssuer(certificate, collection, null, true);
}
}
if (issuer != null)
{
isTrusted = true;
issuers.Add(issuer);
certificate = await issuer.Find(false);
// check for root.
if (Utils.CompareDistinguishedName(certificate.Subject, certificate.Issuer))
{
break;
}
}
else
{
isTrusted = false;
}
}while (issuer != null);
return(isTrusted);
}
/// <summary>
/// Returns the certificate information for a trusted issuer certificate.
/// </summary>
private async Task <CertificateIdentifier> GetIssuer(
X509Certificate2 certificate,
CertificateIdentifierCollection explicitList,
CertificateStoreIdentifier certificateStore,
bool checkRecovationStatus)
{
string subjectName = certificate.IssuerName.Name;
string keyId = null;
string serialNumber = null;
// find the authority key identifier.
X509AuthorityKeyIdentifierExtension authority = FindAuthorityKeyIdentifier(certificate);
if (authority != null)
{
keyId = authority.KeyId;
serialNumber = authority.SerialNumber;
}
// check in explicit list.
if (explicitList != null)
{
for (int ii = 0; ii < explicitList.Count; ii++)
{
X509Certificate2 issuer = await explicitList[ii].Find(false);
if (issuer != null)
{
if (!IsIssuerAllowed(issuer))
{
continue;
}
if (Match(issuer, subjectName, serialNumber, keyId))
{
// can't check revocation.
return(new CertificateIdentifier(issuer, CertificateValidationOptions.SuppressRevocationStatusUnknown));
}
}
}
}
// check in certificate store.
if (certificateStore != null)
{
ICertificateStore store = certificateStore.OpenStore();
try
{
X509Certificate2Collection certificates = await store.Enumerate();
for (int ii = 0; ii < certificates.Count; ii++)
{
X509Certificate2 issuer = certificates[ii];
if (issuer != null)
{
if (!IsIssuerAllowed(issuer))
{
continue;
}
if (Match(issuer, subjectName, serialNumber, keyId))
{
CertificateValidationOptions options = certificateStore.ValidationOptions;
// already checked revocation for file based stores. windows based stores always suppress.
options |= CertificateValidationOptions.SuppressRevocationStatusUnknown;
if (checkRecovationStatus)
{
StatusCode status = store.IsRevoked(issuer, certificate);
if (StatusCode.IsBad(status))
{
if (status != StatusCodes.BadNotSupported && status != StatusCodes.BadCertificateRevocationUnknown)
{
throw new ServiceResultException(status);
}
}
}
return(new CertificateIdentifier(certificates[ii], options));
}
}
}
}
finally
{
store.Close();
}
}
// not a trusted issuer.
return(null);
}
/// <summary>
/// Updates the validator with a new set of trust lists.
/// </summary>
public virtual void Update(
CertificateTrustList issuerStore,
CertificateTrustList trustedStore,
CertificateStoreIdentifier rejectedCertificateStore)
{
lock (m_lock)
{
m_validatedCertificates.Clear();
m_trustedCertificateStore = null;
m_trustedCertificateList = null;
if (trustedStore != null)
{
m_trustedCertificateStore = new CertificateStoreIdentifier();
m_trustedCertificateStore.StoreType = trustedStore.StoreType;
m_trustedCertificateStore.StorePath = trustedStore.StorePath;
m_trustedCertificateStore.ValidationOptions = trustedStore.ValidationOptions;
if (trustedStore.TrustedCertificates != null)
{
m_trustedCertificateList = new CertificateIdentifierCollection();
m_trustedCertificateList.AddRange(trustedStore.TrustedCertificates);
}
}
m_issuerCertificateStore = null;
m_issuerCertificateList = null;
if (issuerStore != null)
{
m_issuerCertificateStore = new CertificateStoreIdentifier();
m_issuerCertificateStore.StoreType = issuerStore.StoreType;
m_issuerCertificateStore.StorePath = issuerStore.StorePath;
m_issuerCertificateStore.ValidationOptions = issuerStore.ValidationOptions;
if (issuerStore.TrustedCertificates != null)
{
m_issuerCertificateList = new CertificateIdentifierCollection();
m_issuerCertificateList.AddRange(issuerStore.TrustedCertificates);
}
}
m_rejectedCertificateStore = null;
if (rejectedCertificateStore != null)
{
m_rejectedCertificateStore = (CertificateStoreIdentifier)rejectedCertificateStore.Clone();
}
}
}
/// <summary>
/// Returns the certificate information for a trusted issuer certificate.
/// </summary>
private CertificateIdentifier GetIssuer(
X509Certificate2 certificate,
CertificateIdentifierCollection explicitList,
CertificateStoreIdentifier certificateStore,
bool checkRecovationStatus)
{
string subjectName = certificate.IssuerName.Name;
string keyId = null;
string serialNumber = null;
// find the authority key identifier.
X509AuthorityKeyIdentifierExtension authority = FindAuthorityKeyIdentifier(certificate);
if (authority != null)
{
keyId = authority.KeyId;
serialNumber = authority.SerialNumber;
}
// check in explicit list.
if (explicitList != null)
{
for (int ii = 0; ii < explicitList.Count; ii++)
{
X509Certificate2 issuer = explicitList[ii].Find(false);
if (issuer != null)
{
if (!IsIssuerAllowed(issuer))
{
continue;
}
if (Match(issuer, subjectName, serialNumber, keyId))
{
// can't check revocation.
return new CertificateIdentifier(issuer, CertificateValidationOptions.SuppressRevocationStatusUnknown);
}
}
}
}
// check in certificate store.
if (certificateStore != null)
{
ICertificateStore store = certificateStore.OpenStore();
try
{
X509Certificate2Collection certificates = store.Enumerate();
for (int ii = 0; ii < certificates.Count; ii++)
{
X509Certificate2 issuer = certificates[ii];
if (issuer != null)
{
if (!IsIssuerAllowed(issuer))
{
continue;
}
if (Match(issuer, subjectName, serialNumber, keyId))
{
CertificateValidationOptions options = certificateStore.ValidationOptions;
// already checked revocation for file based stores. windows based stores always suppress.
options |= CertificateValidationOptions.SuppressRevocationStatusUnknown;
if (checkRecovationStatus)
{
StatusCode status = store.IsRevoked(issuer, certificate);
if (StatusCode.IsBad(status))
{
if (status != StatusCodes.BadNotSupported && status != StatusCodes.BadCertificateRevocationUnknown)
{
throw new ServiceResultException(status);
}
}
}
return new CertificateIdentifier(certificates[ii], options);
}
}
}
}
finally
{
store.Close();
}
}
// not a trusted issuer.
return null;
}
/// <summary>
/// Returns the issuers for the certificates.
/// </summary>
public bool GetIssuers(X509Certificate2Collection certificates, List<CertificateIdentifier> issuers)
{
bool isTrusted = false;
CertificateIdentifier issuer = null;
X509Certificate2 certificate = certificates[0];
CertificateIdentifierCollection collection = new CertificateIdentifierCollection();
for (int ii = 1; ii < certificates.Count; ii++)
{
collection.Add(new CertificateIdentifier(certificates[ii]));
}
do
{
issuer = GetIssuer(certificate, m_trustedCertificateList, m_trustedCertificateStore, true);
if (issuer == null)
{
issuer = GetIssuer(certificate, m_issuerCertificateList, m_issuerCertificateStore, true);
if (issuer == null)
{
issuer = GetIssuer(certificate, collection, null, true);
}
}
if (issuer != null)
{
isTrusted = true;
issuers.Add(issuer);
certificate = issuer.Find(false);
// check for root.
if (Utils.CompareDistinguishedName(certificate.Subject, certificate.Issuer))
{
break;
}
}
else
{
isTrusted = false;
}
}
while (issuer != null);
return isTrusted;
}
/// <summary>
/// Returns the issuers for the certificates.
/// </summary>
public bool GetIssuersWithChainSupportEnabled(X509Certificate2Collection certificates,
List <CertificateIdentifier> issuers)
{
bool isTrusted = false;
bool isChainComplete = false;
CertificateIdentifier issuer = null;
X509Certificate2 certificate = certificates[0];
// application certificate is trusted
CertificateIdentifier trustedCertificate = GetTrustedCertificate(certificate);
if (trustedCertificate != null)
{
isTrusted = true;
}
if (Utils.CompareDistinguishedName(certificate.Subject, certificate.Issuer))
{
if (!isTrusted)
{
throw ServiceResultException.Create(
StatusCodes.BadCertificateUntrusted,
"Self Signed Certificate is not trusted.\r\nIssuerName: {0}",
certificate.IssuerName.Name);
}
return(isTrusted);
}
CertificateIdentifierCollection collection = new CertificateIdentifierCollection();
for (int ii = 1; ii < certificates.Count; ii++)
{
collection.Add(new CertificateIdentifier(certificates[ii]));
}
do
{
issuer = GetIssuer(certificate, m_trustedCertificateList, m_trustedCertificateStore, true);
if (issuer != null)
{
isTrusted = true;
}
if (issuer == null)
{
issuer = GetIssuer(certificate, m_issuerCertificateList, m_issuerCertificateStore, true);
if (issuer == null)
{
issuer = GetIssuer(certificate, collection, null, true);
}
}
if (issuer != null)
{
//isTrusted = true;
issuers.Add(issuer);
certificate = issuer.Find(false);
// check for root.
if (Utils.CompareDistinguishedName(certificate.Subject, certificate.Issuer))
{
isChainComplete = true;
break;
}
}
else
{
isTrusted = false;
}
} while (issuer != null);
if (!isChainComplete)
{
throw ServiceResultException.Create(
StatusCodes.BadSecurityChecksFailed,
"Certificate chain not complete.\r\nSubjectName: {0}\r\nIssuerName: {1}",
certificates[0].SubjectName.Name,
certificates[0].IssuerName.Name);
}
if (!isTrusted)
{
throw ServiceResultException.Create(
StatusCodes.BadCertificateUntrusted,
"Certificate issuer is not trusted.\r\nSubjectName: {0}\r\nIssuerName: {1}",
certificates[0].SubjectName.Name,
certificates[0].IssuerName.Name);
}
return(isTrusted);
}
/// <summary>
/// Creates a new object that is a copy of the current instance.
/// </summary>
/// <returns>
/// A new object that is a copy of this instance.
/// </returns>
public new object MemberwiseClone()
{
CertificateIdentifierCollection collection = new CertificateIdentifierCollection();
for (int ii = 0; ii < this.Count; ii++)
{
collection.Add((CertificateIdentifier)Utils.Clone(this[ii]));
}
return collection;
}
