public ValidateCertificate(IValidateCertificateSettings settings, IValidateCertificateSettings alternateSettings,
ICertificateProvider certificateProvider, ILogger logger)
{
_settings = settings;
_alternateSettings = alternateSettings;
_certificateProvider = certificateProvider;
_logger = logger;
}
public ValidateCertificate(IValidateCertificateSettings settings, ICertificateProvider certificateProvider, ILogger logger)
: this(settings, null, certificateProvider, logger)
{
}
private ValidationResult ValidateX509Certificate(X509Certificate2 certificate, X509Chain certificateChain, IValidateCertificateSettings settings)
{
// 1. Check time validity of certificate
ValidationResult result = ValidateExpiration(certificate.NotBefore, certificate.NotAfter);
if (result.Status != ValidationStatus.Success)
{
return(result);
}
string thumbprint = settings.Thumbprint;
if (settings.FindValue == null)
{
result = ValidateSubjectAndIssuer(certificate, settings.Subject, settings.Issuer);
if (result.Status != ValidationStatus.Success)
{
return(result);
}
result = ValidateSerialNumber(certificate, settings.SerialNumber);
if (result.Status != ValidationStatus.Success)
{
return(result);
}
}
else
{
X509Certificate2 matchCertificate = _certificateProvider.FindCertificate(settings);
if (matchCertificate == null)
{
throw new InvalidOperationException("Match certificate could not be found");
}
result = ValidateSubjectAndIssuer(certificate, matchCertificate.Subject, matchCertificate.Issuer);
if (result.Status != ValidationStatus.Success)
{
return(result);
}
if (string.IsNullOrEmpty(thumbprint))
{
thumbprint = matchCertificate.Thumbprint.Trim();
}
else if (!string.Equals(thumbprint, matchCertificate.Thumbprint, StringComparison.OrdinalIgnoreCase))
{
throw new InvalidOperationException($"Match certificate's thumbprint must match validation thumbprint if supplied");
}
}
// 4. Check thumprint of certificate
string certificateThumbprint = certificate.Thumbprint.Trim();
if (!string.Equals(certificateThumbprint, thumbprint, StringComparison.InvariantCultureIgnoreCase))
{
result = new ValidationResult(ValidationStatus.Thumbprint, $"Supplied certificate's thumbprint ({certificateThumbprint}) is incorrect");
if (result.Status != ValidationStatus.Success)
{
return(result);
}
}
// 5. Verify the certificate chains to a Trusted Root Authority should be checked uncomment the code below
if (settings.VerifyChain)
{
if (certificateChain == null)
{
certificateChain = new X509Chain();
if (!_settings.EnableRevocationListCheck)
{
// don't use Revocation List Check
certificateChain.ChainPolicy = new X509ChainPolicy()
{
RevocationMode = X509RevocationMode.NoCheck
};
}
certificateChain.Build(certificate);
}
result = ValidateCertificateChain(certificateChain);
}
return(result);
}
private ValidationResult ValidateX509Certificate(X509Certificate certificate, X509Chain certificateChain, IValidateCertificateSettings settings)
{
DateTime notBefore;
DateTime notAfter;
// Check time validity of certificate
if (!DateTime.TryParse(certificate.GetEffectiveDateString(), out notBefore) ||
!DateTime.TryParse(certificate.GetExpirationDateString(), out notAfter))
{
return(new ValidationResult(ValidationStatus.Expiration, "Invalid effective or expiration date"));
}
ValidationResult result = ValidateExpiration(notBefore, notAfter);
if (result.Status != ValidationStatus.Success)
{
return(result);
}
result = ValidateSubjectAndIssuer(certificate, settings.Subject, settings.Issuer);
if (result.Status != ValidationStatus.Success)
{
return(result);
}
result = ValidateSerialNumber(certificate, settings.SerialNumber);
if (result.Status != ValidationStatus.Success)
{
return(result);
}
// Verify the certificate chains to a Trusted Root Authority should be checked uncomment the code below
if (certificateChain != null && settings.VerifyChain)
{
result = ValidateCertificateChain(certificateChain);
}
return(result);
}