| public Find ( System findType, object findValue, bool validOnly ) : System.Security.Cryptography.X509Certificates.X509Certificate2Collection | ||
| findType | System | |
| findValue | object | |
| validOnly | bool | |
| return | System.Security.Cryptography.X509Certificates.X509Certificate2Collection | |
// dotnet/wcf#1574 - This is a workaround for dotnet/corefx#12214
// The copy constructor was removed in .NET Core, this is the workaround to allow us to make copies of certificates
internal static X509Certificate2 CloneCertificateInternal(this X509Certificate2 certificateToClone)
{
#if TARGETS_WINDOWS
return new X509Certificate2(certificateToClone.Handle);
#else
X509Certificate2Collection collection = new X509Certificate2Collection(certificateToClone);
X509Certificate2Collection copyCollection = collection.Find(X509FindType.FindByThumbprint, certificateToClone.Thumbprint, false);
return copyCollection[0];
#endif
}
// dotnet/wcf#1574 - This is a workaround for dotnet/corefx#12214
internal static X509Certificate2 CloneCertificateInternal(this X509Certificate certificateToClone)
{
#if TARGETS_WINDOWS
return new X509Certificate2(certificateToClone.Handle);
#else
byte[] certificateBytes = certificateToClone.Export(X509ContentType.Pfx, string.Empty);
X509Certificate2 certificateToClone2 = new X509Certificate2(certificateBytes, string.Empty);
X509Certificate2Collection collection = new X509Certificate2Collection(certificateToClone2);
X509Certificate2Collection copyCollection = collection.Find(X509FindType.FindByThumbprint, certificateToClone2.Thumbprint, false);
return copyCollection[0];
#endif
}
private X509Certificate2 SelectBestFromCollection(X509Certificate2 child, X509Certificate2Collection c)
{
switch (c.Count)
{
case 0:
return(null);
case 1:
return(c [0]);
default:
// multiple candidate, keep only the ones that are still valid
X509Certificate2Collection time_valid = c.Find(X509FindType.FindByTimeValid, ChainPolicy.VerificationTime, false);
switch (time_valid.Count)
{
case 0:
// that's too restrictive, let's revert and try another thing...
time_valid = c;
break;
case 1:
return(time_valid [0]);
default:
break;
}
// again multiple candidates, let's find the AKI that match the SKI (if we have one)
string aki = GetAuthorityKeyIdentifier(child);
if (String.IsNullOrEmpty(aki))
{
return(time_valid [0]); // FIXME: out of luck, you get the first one
}
foreach (X509Certificate2 parent in time_valid)
{
string ski = GetSubjectKeyIdentifier(parent);
// if both id are available then they must match
if (aki == ski)
{
return(parent);
}
}
return(time_valid [0]); // FIXME: out of luck, you get the first one
}
}
private X509Certificate2 SelectBestFromCollection(X509Certificate2 child, X509Certificate2Collection c)
{
int count = c.Count;
if (count == 0)
{
return(null);
}
if (count == 1)
{
return(c[0]);
}
X509Certificate2Collection x509Certificate2Collection = c.Find(X509FindType.FindByTimeValid, this.ChainPolicy.VerificationTime, false);
int count2 = x509Certificate2Collection.Count;
if (count2 != 0)
{
if (count2 == 1)
{
return(x509Certificate2Collection[0]);
}
}
else
{
x509Certificate2Collection = c;
}
string authorityKeyIdentifier = this.GetAuthorityKeyIdentifier(child);
if (string.IsNullOrEmpty(authorityKeyIdentifier))
{
return(x509Certificate2Collection[0]);
}
foreach (X509Certificate2 x509Certificate in x509Certificate2Collection)
{
string subjectKeyIdentifier = this.GetSubjectKeyIdentifier(x509Certificate);
if (authorityKeyIdentifier == subjectKeyIdentifier)
{
return(x509Certificate);
}
}
return(x509Certificate2Collection[0]);
}
private X509Certificate2 SelectBestFromCollection(X509Certificate2 child, X509Certificate2Collection c)
{
switch (c.Count)
{
case 0:
return(null);
case 1:
return(c[0]);
default:
{
X509Certificate2Collection x509Certificate2Collection = c.Find(X509FindType.FindByTimeValid, ChainPolicy.VerificationTime, validOnly: false);
switch (x509Certificate2Collection.Count)
{
case 0:
x509Certificate2Collection = c;
break;
case 1:
return(x509Certificate2Collection[0]);
}
string authorityKeyIdentifier = GetAuthorityKeyIdentifier(child);
if (string.IsNullOrEmpty(authorityKeyIdentifier))
{
return(x509Certificate2Collection[0]);
}
X509Certificate2Enumerator enumerator = x509Certificate2Collection.GetEnumerator();
while (enumerator.MoveNext())
{
X509Certificate2 current = enumerator.Current;
string subjectKeyIdentifier = GetSubjectKeyIdentifier(current);
if (authorityKeyIdentifier == subjectKeyIdentifier)
{
return(current);
}
}
return(x509Certificate2Collection[0]);
}
}
}
internal static unsafe uint AddCertsToMessage(System.Security.Cryptography.SafeCryptMsgHandle safeCryptMsgHandle, X509Certificate2Collection bagOfCerts, X509Certificate2Collection chainOfCerts)
{
uint num = 0;
X509Certificate2Enumerator enumerator = chainOfCerts.GetEnumerator();
while (enumerator.MoveNext())
{
X509Certificate2 current = enumerator.Current;
if (bagOfCerts.Find(X509FindType.FindByThumbprint, current.Thumbprint, false).Count == 0)
{
System.Security.Cryptography.CAPI.CERT_CONTEXT cert_context = *((System.Security.Cryptography.CAPI.CERT_CONTEXT*) System.Security.Cryptography.X509Certificates.X509Utils.GetCertContext(current).DangerousGetHandle());
System.Security.Cryptography.CAPI.CRYPTOAPI_BLOB cryptoapi_blob = new System.Security.Cryptography.CAPI.CRYPTOAPI_BLOB {
cbData = cert_context.cbCertEncoded,
pbData = cert_context.pbCertEncoded
};
if (!System.Security.Cryptography.CAPI.CryptMsgControl(safeCryptMsgHandle, 0, 10, new IntPtr((long) ((ulong) ((IntPtr) &cryptoapi_blob)))))
{
throw new CryptographicException(Marshal.GetLastWin32Error());
}
num++;
}
}
return num;
}
private X509Certificate2Collection findCertificates(string prop, string storeSpec, string value)
{
StoreLocation storeLoc = 0;
StoreName storeName = 0;
string storeNameStr = null;
parseStore(prop, storeSpec, ref storeLoc, ref storeName, ref storeNameStr);
//
// Open the X509 certificate store.
//
X509Store store = null;
try
{
if(storeNameStr != null)
{
store = new X509Store(storeNameStr, storeLoc);
}
else
{
store = new X509Store(storeName, storeLoc);
}
store.Open(OpenFlags.ReadOnly);
}
catch(Exception ex)
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException(ex);
e.reason = "IceSSL: failure while opening store specified by " + prop;
throw e;
}
//
// Start with all of the certificates in the collection and filter as necessary.
//
// - If the value is "*", return all certificates.
// - Otherwise, search using key:value pairs. The following keys are supported:
//
// Issuer
// IssuerDN
// Serial
// Subject
// SubjectDN
// SubjectKeyId
// Thumbprint
//
// A value must be enclosed in single or double quotes if it contains whitespace.
//
X509Certificate2Collection result = new X509Certificate2Collection();
result.AddRange(store.Certificates);
try
{
if(value != "*")
{
int start = 0;
int pos;
while((pos = value.IndexOf(':', start)) != -1)
{
//
// Parse the X509FindType.
//
string field = value.Substring(start, pos - start).Trim().ToUpperInvariant();
X509FindType findType;
if(field.Equals("SUBJECT"))
{
findType = X509FindType.FindBySubjectName;
}
else if(field.Equals("SUBJECTDN"))
{
findType = X509FindType.FindBySubjectDistinguishedName;
}
else if(field.Equals("ISSUER"))
{
findType = X509FindType.FindByIssuerName;
}
else if(field.Equals("ISSUERDN"))
{
findType = X509FindType.FindByIssuerDistinguishedName;
}
else if(field.Equals("THUMBPRINT"))
{
findType = X509FindType.FindByThumbprint;
}
else if(field.Equals("SUBJECTKEYID"))
{
findType = X509FindType.FindBySubjectKeyIdentifier;
}
else if(field.Equals("SERIAL"))
{
findType = X509FindType.FindBySerialNumber;
}
else
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException();
e.reason = "IceSSL: unknown key in `" + value + "'";
throw e;
}
//
// Parse the argument.
//
start = pos + 1;
while(start < value.Length && (value[start] == ' ' || value[start] == '\t'))
{
++start;
}
if(start == value.Length)
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException();
e.reason = "IceSSL: missing argument in `" + value + "'";
throw e;
}
string arg;
if(value[start] == '"' || value[start] == '\'')
{
int end = start;
++end;
while(end < value.Length)
{
if(value[end] == value[start] && value[end - 1] != '\\')
{
break;
}
++end;
}
if(end == value.Length || value[end] != value[start])
{
Ice.PluginInitializationException e = new Ice.PluginInitializationException();
e.reason = "IceSSL: unmatched quote in `" + value + "'";
throw e;
}
++start;
arg = value.Substring(start, end - start);
start = end + 1;
}
else
{
char[] ws = new char[] { ' ', '\t' };
int end = value.IndexOfAny(ws, start);
if(end == -1)
{
arg = value.Substring(start);
start = value.Length;
}
else
{
arg = value.Substring(start, end - start);
start = end + 1;
}
}
//
// Execute the query.
//
// TODO: allow user to specify a value for validOnly?
//
bool validOnly = false;
result = result.Find(findType, arg, validOnly);
}
}
}
finally
{
store.Close();
}
return result;
}
public void SearchCertificates (String label)
{
nint row = splitViewController.MainOutlineView.SelectedRow;
UIErrorHelper.CheckedExec (delegate() {
if (row >= (nint)0) {
NSObject item = splitViewController.MainOutlineView.ItemAtRow ((int)row);
if ((item is VMCACertsNode) || (item is VMCAPersonalCertificatesNode)) {
int certState;
if (item is VMCACertsNode)
certState = (int)(item as VMCACertsNode).Tag;
else
certState = -1; //private certificates
if (certState != -1) {
CertificateDetailsListView certView = splitViewController.MainTableView.DataSource as CertificateDetailsListView;
X509Certificate2Collection certificateCollection = new X509Certificate2Collection (certView.Entries.ToArray ());
X509Certificate2Collection searchResult = certificateCollection.Find (X509FindType.FindBySubjectName, label, false);
List<X509Certificate2> certList = new List<X509Certificate2> ();
foreach (X509Certificate2 cert in searchResult)
certList.Add (cert);
splitViewController.MainTableView.DataSource = new CertificateDetailsListView (certList, this.Servernode.ServerDTO, certState);
}
}
}
});
}
public void Find_FindBySubjectKeyIdentifier ()
{
// empty
Assert.AreEqual (0, collection.Find (X509FindType.FindBySubjectKeyIdentifier, String.Empty, false).Count, "FindBySubjectKeyIdentifier/Empty/false");
X509Certificate2Collection c = new X509Certificate2Collection (collection);
c.Add (new X509Certificate2 (X509Certificate2Test.cert_8));
Assert.AreEqual (0, c.Find (X509FindType.FindBySubjectKeyIdentifier, "9D2D73C3B8E34D2928C3", false).Count, "FindBySubjectKeyIdentifier/half/false");
Assert.AreEqual (1, c.Find (X509FindType.FindBySubjectKeyIdentifier, "9D2D73C3B8E34D2928C365BEA998CBD68A06689C", false).Count, "FindBySubjectKeyIdentifier/full/false");
Assert.AreEqual (1, c.Find (X509FindType.FindBySubjectKeyIdentifier, "9d2d73c3b8e34d2928c365bea998cbd68a06689c", false).Count, "FindBySubjectKeyIdentifier/full/false");
}
/// <summary>
/// Finds a certificate in the specified collection.
/// </summary>
/// <param name="collection">The collection.</param>
/// <param name="thumbprint">The thumbprint of the certificate.</param>
/// <param name="subjectName">Subject name of the certificate.</param>
/// <param name="needPrivateKey">if set to <c>true</c> [need private key].</param>
/// <returns></returns>
public static X509Certificate2 Find(X509Certificate2Collection collection, string thumbprint, string subjectName, bool needPrivateKey)
{
// find by thumbprint.
if (!String.IsNullOrEmpty(thumbprint))
{
collection = collection.Find(X509FindType.FindByThumbprint, thumbprint, false);
foreach (X509Certificate2 certificate in collection)
{
if (!needPrivateKey || certificate.HasPrivateKey)
{
if (String.IsNullOrEmpty(subjectName))
{
return certificate;
}
List<string> subjectName2 = Utils.ParseDistinguishedName(subjectName);
if (Utils.CompareDistinguishedName(certificate, subjectName2))
{
return certificate;
}
}
}
return null;
}
// find by subject name.
if (!String.IsNullOrEmpty(subjectName))
{
List<string> subjectName2 = Utils.ParseDistinguishedName(subjectName);
foreach (X509Certificate2 certificate in collection)
{
if (Utils.CompareDistinguishedName(certificate, subjectName2))
{
if (!needPrivateKey || certificate.HasPrivateKey)
{
return certificate;
}
}
}
collection = collection.Find(X509FindType.FindBySubjectName, subjectName, false);
foreach (X509Certificate2 certificate in collection)
{
if (!needPrivateKey || certificate.HasPrivateKey)
{
return certificate;
}
}
}
// certificate not found.
return null;
}
internal static X509Certificate2 FindCertificate (SubjectIdentifier identifier, X509Certificate2Collection certificates) {
X509Certificate2 certificate = null;
if (certificates != null && certificates.Count > 0) {
X509Certificate2Collection filters;
switch (identifier.Type) {
case SubjectIdentifierType.IssuerAndSerialNumber:
filters = certificates.Find(X509FindType.FindByIssuerDistinguishedName, ((X509IssuerSerial) identifier.Value).IssuerName, false);
if (filters.Count > 0) {
filters = filters.Find(X509FindType.FindBySerialNumber, ((X509IssuerSerial) identifier.Value).SerialNumber, false);
if (filters.Count > 0)
certificate = filters[0];
}
break;
case SubjectIdentifierType.SubjectKeyIdentifier:
filters = certificates.Find(X509FindType.FindBySubjectKeyIdentifier, identifier.Value, false);
if (filters.Count > 0)
certificate = filters[0];
break;
}
}
return certificate;
}
internal static unsafe uint AddCertsToMessage (SafeCryptMsgHandle safeCryptMsgHandle, X509Certificate2Collection bagOfCerts, X509Certificate2Collection chainOfCerts) {
uint certsAdded = 0;
foreach (X509Certificate2 certificate in chainOfCerts) {
// Skip it if already in the bag of certs.
X509Certificate2Collection foundCerts = bagOfCerts.Find(X509FindType.FindByThumbprint, certificate.Thumbprint, false);
if (foundCerts.Count == 0) {
SafeCertContextHandle safeCertContextHandle = X509Utils.GetCertContext(certificate);
CAPI.CERT_CONTEXT pCertContext = *((CAPI.CERT_CONTEXT*) safeCertContextHandle.DangerousGetHandle());
CAPI.CRYPTOAPI_BLOB certBlob = new CAPI.CRYPTOAPI_BLOB();
certBlob.cbData = pCertContext.cbCertEncoded;
certBlob.pbData = pCertContext.pbCertEncoded;
if (!CAPI.CryptMsgControl(safeCryptMsgHandle,
0,
CAPI.CMSG_CTRL_ADD_CERT,
new IntPtr((long) &certBlob)))
throw new CryptographicException(Marshal.GetLastWin32Error());
certsAdded++;
}
}
return certsAdded;
}
///////////////////////////////////////////////////////////////////////
/// <summary>
/// Carry out the filters requested.
/// </summary>
static X509Certificate2Collection FilterCertificates(X509Certificate2Collection certificates)
{
int index;
if (0 < certificates.Count && null != sha1)
{
certificates = certificates.Find(X509FindType.FindByThumbprint, sha1, false);
}
if (0 < certificates.Count && 0 < subjects.Count)
{
foreach (string subject in subjects)
{
certificates = certificates.Find(X509FindType.FindBySubjectName, subject, false);
}
}
if (0 < certificates.Count && 0 < issuers.Count)
{
foreach (string issuer in issuers)
{
certificates = certificates.Find(X509FindType.FindByIssuerName, issuer, false);
}
}
if (0 < certificates.Count && 0 < serials.Count)
{
foreach (string serial in serials)
{
certificates = certificates.Find(X509FindType.FindBySerialNumber, serial, false);
}
}
if (0 < certificates.Count && 0 < templates.Count)
{
foreach (string template in templates)
{
certificates = certificates.Find(X509FindType.FindByTemplateName, template, false);
}
}
if (0 < certificates.Count && 0 < extensions.Count)
{
foreach (string extension in extensions)
{
certificates = certificates.Find(X509FindType.FindByExtension, extension, false);
}
}
if (0 < certificates.Count && 0 < ekus.Count)
{
foreach (string eku in ekus)
{
certificates = certificates.Find(X509FindType.FindByApplicationPolicy, eku, false);
}
}
if (0 < certificates.Count && 0 < policies.Count)
{
foreach (string policy in policies)
{
certificates = certificates.Find(X509FindType.FindByCertificatePolicy, policy, false);
}
}
if (0 < certificates.Count && 0 < keyUsages.Count)
{
for (index = 0; index < keyUsages.Count; index++)
{
certificates = certificates.Find(X509FindType.FindByKeyUsage, keyUsages[index], false);
}
}
if (0 < certificates.Count && performTimeValidityCheck)
{
certificates = certificates.Find(expirationType, time, false);
}
if (0 < certificates.Count && validOnly)
{
// Use empty subject name to perform null filtering.
certificates = certificates.Find(X509FindType.FindBySubjectName, string.Empty, true);
}
return certificates;
}
public void X509Certificate2CollectionFindBySubjectName_Test ()
{
// Created with mono makecert
// makecert -n "O=Root, CN=MyCNName, T=SomeElse" -r <filename>
const string Cert = "MIIB6zCCAVSgAwIBAgIQEshQw4bf1kSsYsUoLCjlpTANBgkqhkiG9w0BAQUFADA1MQ0wCwYDVQQKEwRSb290MREwDwYDVQQDEwhNeUNOTmFtZTERMA8GA1UEDBMIU29tZUVsc2UwHhcNMTIwMzE1MTUzNjE0WhcNMzkxMjMxMjM1OTU5WjA1MQ0wCwYDVQQKEwRSb290MREwDwYDVQQDEwhNeUNOTmFtZTERMA8GA1UEDBMIU29tZUVsc2UwgZ0wDQYJKoZIhvcNAQEBBQADgYsAMIGHAoGBAI8A3ay+oRKRBAD4oojA2s4feHBHn5OafJ+Vxap7wsd3IF/qBrXdnFLxfvLltCSZDarajwTjxX2rhT7Q0hm3Yyy6DnyaMoL8u//c6HCv47SFNJ4JEgu2WP9M/xNU2m+JiABX+K/nwoWfE1VIYueJWL9ftCBOG099QBCsCrpdFUcbAgERMA0GCSqGSIb3DQEBBQUAA4GBAHV+uMPliZPhfLdcMGIbYQnWY2m4YrU/IvqZK4HTKyzG/heAp7+OvkGiC0YJHtvWehgZUV9ukVEbl93rCKmXlb6BuPgN60U1iLYJQ9nAVHm7fRoAjvjDj3CGFtmYb81sYu8sc5GHqsCbvTKHwW/x2O3uLJBM5ApDlcczmgdm8xqQ";
var cerBytes = Convert.FromBase64String (Cert);
var cert = new X509Certificate2 (cerBytes);
var collection = new X509Certificate2Collection ();
var found = collection.Find (X509FindType.FindBySubjectName, "SomeElse", false);
Assert.AreEqual (0, found.Count, "empty");
collection.Add (cert);
collection.Find (X509FindType.FindBySubjectName, "T=SomeElse", false);
Assert.AreEqual (0, found.Count, "with prefix");
found = collection.Find (X509FindType.FindBySubjectName, "SomeElse", false);
Assert.That (found.Count == 1, "full");
found = collection.Find (X509FindType.FindBySubjectName, "Else", false);
Assert.That (found.Count == 1, "partial");
Assert.That (found [0].SubjectName.Name.Contains ("O=Root"));
Assert.That (found [0].SubjectName.Name.Contains ("T=SomeElse"));
Assert.That (found [0].SubjectName.Name.Contains ("CN=MyCNName"));
found = collection.Find (X509FindType.FindBySubjectName, "MyCNName", false);
Assert.IsTrue (found.Count == 1);
Assert.That (found [0].SubjectName.Name.Contains ("O=Root"));
Assert.That (found [0].SubjectName.Name.Contains ("T=SomeElse"));
Assert.That (found [0].SubjectName.Name.Contains ("CN=MyCNName"));
found = collection.Find (X509FindType.FindBySubjectName, "Root", false);
Assert.IsTrue (found.Count == 1);
Assert.That (found [0].SubjectName.Name.Contains ("O=Root"));
Assert.That (found [0].SubjectName.Name.Contains ("T=SomeElse"));
Assert.That (found [0].SubjectName.Name.Contains ("CN=MyCNName"));
found = collection.Find (X509FindType.FindBySubjectName, "SomeRandomStringThatDoesn'tExist", false);
Assert.AreEqual (0, found.Count);
}
///////////////////////////////////////////////////////////////////////
///
/// <summary>
/// Carry out the filters requested.
/// </summary>
///
static X509Certificate2 FilterCertificates(X509Certificate2Collection certificates) {
int index;
if (0 < certificates.Count && null != sha1) {
certificates = certificates.Find(X509FindType.FindByThumbprint, sha1, false);
}
if (0 < certificates.Count && 0 < subjects.Count) {
foreach (string subject in subjects) {
certificates = certificates.Find(X509FindType.FindBySubjectDistinguishedName, subject, false);
}
}
if (0 < certificates.Count && 0 < issuers.Count) {
foreach (string issuer in issuers) {
certificates = certificates.Find(X509FindType.FindByIssuerDistinguishedName, issuer, false);
}
}
// filter out certificates without a private key.
if (0 < certificates.Count) {
X509Certificate2Collection collection = new X509Certificate2Collection();
for (index = 0; index < certificates.Count; index++) {
try
{
if (certificates[index].PrivateKey != null)
collection.Add(certificates[index]);
}
catch{}
}
certificates.Clear();
certificates = collection;
}
// finally, ask the user to select a certificate if more than one is found.
if (1 < certificates.Count) {
certificates = X509Certificate2UI.SelectFromCollection( certificates , "Certificates", "Please select a certificate", X509SelectionFlag.SingleSelection);
}
if (certificates.Count != 1)
throw new InternalException("Internal error: No valid certificates were found to sign the document.");
return (certificates.Count == 0 ? null : certificates[0]);
}
// TODO: Issue #3891. Get the Trusted Issuers List from WinHTTP and use that to help narrow down
// the list of eligible client certificates.
public static X509Certificate2 GetEligibleClientCertificate(X509Certificate2Collection candidateCerts)
{
if (candidateCerts.Count == 0)
{
return null;
}
// Reduce the set of certificates to match the proper 'Client Authentication' criteria.
candidateCerts = candidateCerts.Find(X509FindType.FindByKeyUsage, X509KeyUsageFlags.DigitalSignature, false);
candidateCerts = candidateCerts.Find(X509FindType.FindByApplicationPolicy, ClientAuthenticationOID, false);
// Build a new collection with certs that have a private key. Need to do this
// manually because there is no X509FindType to match this criteria.
var eligibleCerts = new X509Certificate2Collection();
foreach (X509Certificate2 cert in candidateCerts)
{
if (cert.HasPrivateKey)
{
eligibleCerts.Add(cert);
}
}
if (eligibleCerts.Count > 0)
{
return eligibleCerts[0];
}
else
{
return null;
}
}
internal static X509Certificate2 FindCertificate(SubjectIdentifier identifier, X509Certificate2Collection certificates)
{
X509Certificate2 certificate = null;
if ((certificates != null) && (certificates.Count > 0))
{
X509Certificate2Collection certificates2;
switch (identifier.Type)
{
case SubjectIdentifierType.IssuerAndSerialNumber:
{
X509IssuerSerial serial = (X509IssuerSerial) identifier.Value;
certificates2 = certificates.Find(X509FindType.FindByIssuerDistinguishedName, serial.IssuerName, false);
if (certificates2.Count > 0)
{
X509IssuerSerial serial2 = (X509IssuerSerial) identifier.Value;
certificates2 = certificates2.Find(X509FindType.FindBySerialNumber, serial2.SerialNumber, false);
if (certificates2.Count > 0)
{
certificate = certificates2[0];
}
}
return certificate;
}
case SubjectIdentifierType.SubjectKeyIdentifier:
certificates2 = certificates.Find(X509FindType.FindBySubjectKeyIdentifier, identifier.Value, false);
if (certificates2.Count > 0)
{
certificate = certificates2[0];
}
return certificate;
}
}
return certificate;
}
private X509Certificate2 SelectBestFromCollection (X509Certificate2 child, X509Certificate2Collection c)
{
switch (c.Count) {
case 0:
return null;
case 1:
return c [0];
default:
// multiple candidate, keep only the ones that are still valid
X509Certificate2Collection time_valid = c.Find (X509FindType.FindByTimeValid, ChainPolicy.VerificationTime, false);
switch (time_valid.Count) {
case 0:
// that's too restrictive, let's revert and try another thing...
time_valid = c;
break;
case 1:
return time_valid [0];
default:
break;
}
// again multiple candidates, let's find the AKI that match the SKI (if we have one)
string aki = GetAuthorityKeyIdentifier (child);
if (String.IsNullOrEmpty (aki)) {
return time_valid [0]; // FIXME: out of luck, you get the first one
}
foreach (X509Certificate2 parent in time_valid) {
string ski = GetSubjectKeyIdentifier (parent);
// if both id are available then they must match
if (aki == ski)
return parent;
}
return time_valid [0]; // FIXME: out of luck, you get the first one
}
}
/// <summary>
/// Invokes X509Certificate2Collection.Find() and creates a ClonedCertificate object that will dispose the returned certificates. This
/// is a way of coping with the non-obvious fact that X509Certificate2Collection.Find() returns cloned certificates.
/// </summary>
public ClonedCertificates(X509Certificate2Collection certs, X509FindType findType, object findValue)
{
_clonedCerts = certs.Find(findType, findValue, validOnly: false);
}