/// <summary>
/// Perform certificate validation common for both server and client.
/// </summary>
/// <param name="certificate">The remote certificate to validate.</param>
/// <param name="sslPolicyErrors">The SSL policy errors supplied by .Net.</param>
/// <param name="enhancedKeyUsage">Enhanced key usage, which the remote computers certificate should contain.</param>
/// <returns> <c>true</c> if the certificate should be treated as trusted; otherwise <c>false</c> </returns>
private bool VerifyRemoteCertificate(X509Certificate certificate, SslPolicyErrors sslPolicyErrors, string enhancedKeyUsage)
{
// Accept without looking at if the certificate is valid if validation is disabled
if (socketSettings_.ValidateCertificates == false)
{
return(true);
}
// Validate enhanced key usage
if (!ContainsEnhancedKeyUsage(certificate, enhancedKeyUsage))
{
if (enhancedKeyUsage == clientAuthenticationOid)
{
log_.OnEvent("Remote certificate is not intended for client authentication: It is missing enhanced key usage " + enhancedKeyUsage);
}
else
{
log_.OnEvent("Remote certificate is not intended for server authentication: It is missing enhanced key usage " + enhancedKeyUsage);
}
return(false);
}
// If CA Certficiate is specifed then validate agains the CA certificate, otherwise it is validated against the installed certificates
if (!string.IsNullOrEmpty(socketSettings_.CACertificatePath))
{
X509Chain chain0 = new X509Chain();
chain0.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
// add all your extra certificate chain
chain0.ChainPolicy.ExtraStore.Add(StreamFactory.LoadCertificate(socketSettings_.CACertificatePath, null));
chain0.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
bool isValid = chain0.Build((X509Certificate2)certificate);
// If the certificate is valid then reset the sslPolicyErrors.RemoteCertificateChainErrors status
if (isValid)
{
sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateChainErrors;
}
// If the certificate could not be validated against CA, then set the SslPolicyErrors.RemoteCertificateChainErrors
else //if (isValid == false)
{
sslPolicyErrors |= SslPolicyErrors.RemoteCertificateChainErrors;
}
}
// Any basic authentication check failed, do after checking CA
if (sslPolicyErrors != SslPolicyErrors.None)
{
log_.OnEvent("Remote certificate was not recognized as a valid certificate: " + sslPolicyErrors);
return(false);
}
// No errors found accept the certificate
return(true);
}
private X509CertificateCollection GetClientCertificates()
{
if (!string.IsNullOrEmpty(socketSettings_.CertificatePath))
{
X509CertificateCollection certificates = new X509Certificate2Collection();
X509Certificate2 clientCert = StreamFactory.LoadCertificate(socketSettings_.CertificatePath, socketSettings_.CertificatePassword);
certificates.Add(clientCert);
return(certificates);
}
else
{
return(new X509Certificate2Collection());
}
}
private X509CertificateCollection GetClientCertificates(bool checkExpiry)
{
var certName = socketSettings_.CertificatePath;
if (!string.IsNullOrEmpty(certName))
{
X509CertificateCollection certificates = new X509Certificate2Collection();
X509Certificate2 clientCert = StreamFactory.LoadCertificate(socketSettings_.CertificatePath, socketSettings_.CertificatePassword);
if (checkExpiry)
{
try
{
if (clientCert.NotAfter < DateTime.Now)
{
log_.OnEvent($"Error - SSL certificate {certName} expired on {clientCert.NotAfter:yyyy-MM-dd}");
}
else if (clientCert.NotAfter <= DateTime.Now.AddDays(7))
{
log_.OnEvent($"Error - SSL certificate {certName} nears expiry on {clientCert.NotAfter:yyyy-MM-dd}");
}
else if (clientCert.NotAfter <= DateTime.Now.AddMonths(1))
{
log_.OnEvent($"Warning - SSL certificate {certName} nears expiry on {clientCert.NotAfter:yyyy-MM-dd}");
}
else
{
log_.OnEvent($"SSL certificate {certName} expires on {clientCert.NotAfter:yyyy-MM-dd}");
}
}
catch (Exception ex)
{
log_.OnEvent($"Unable to check SSL certificate {certName} expiry: {ex.Message}");
}
}
certificates.Add(clientCert);
return(certificates);
}
else
{
return(new X509Certificate2Collection());
}
}
