public X509Certificate2 FindIssuerCertificate(X509Certificate2 serverX509Certificate2) { X509Certificate2 issuerX509Certificate2 = null; // Find the issuer certificate X509Chain x509Chain = new X509Chain(); x509Chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; x509Chain.Build(serverX509Certificate2); // Iterate though the chain, to validate if it contain a valid root vertificate X509ChainElementCollection x509ChainElementCollection = x509Chain.ChainElements; X509ChainElementEnumerator enumerator = x509ChainElementCollection.GetEnumerator(); X509ChainElement x509ChainElement; X509Certificate2 x509Certificate2 = null; IDictionary <string, X509Certificate2> map = new Dictionary <string, X509Certificate2>(); // At this point, the certificate is not valid, until a // it is proved that it has a valid root certificate while (enumerator.MoveNext()) { x509ChainElement = enumerator.Current; x509Certificate2 = x509ChainElement.Certificate; map.Add(x509Certificate2.Subject, x509Certificate2); } if (map.ContainsKey(serverX509Certificate2.Issuer)) { issuerX509Certificate2 = map[serverX509Certificate2.Issuer]; } return(issuerX509Certificate2); }
private X509CertificateClaimSet(X509ChainElementCollection elements, int index) { this.expirationTime = System.IdentityModel.SecurityUtils.MinUtcDateTime; this.elements = elements; this.index = index; this.certificate = elements[index].Certificate; }
public static void ShowCertAndChain(X509Certificate cert, X509Chain chain) { StringBuilder sb = new StringBuilder(); if (null != cert) { ShowX509Certificate(sb, cert); } if (null != chain) { sb.Append("-X509Chain(Start)-" + System.Environment.NewLine); ////sb.Append(string.Format("Cert.ChainStatus='{0}'", string.Join(",", chain.ChainStatus.ToList())) + System.Environment.NewLine); foreach (X509ChainStatus cstat in chain.ChainStatus) { sb.Append(string.Format("X509ChainStatus::'{0}'-'{1}'", cstat.Status.ToString(), cstat.StatusInformation) + System.Environment.NewLine); } X509ChainElementCollection ces = chain.ChainElements; ShowX509ChainElementCollection(sb, ces); sb.Append("-X509Chain(End)-" + System.Environment.NewLine); } string result = sb.ToString(); Console.WriteLine(result); }
public static bool RemoteCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { X509ChainElementCollection x509ChainElementCollection = chain.ChainElements; foreach (X509ChainElement chainElement in x509ChainElementCollection) { X509Certificate2 cert = chainElement.Certificate; X509ChainStatus[] chainStatus = chainElement.ChainElementStatus; string info = chainElement.Information; // Get the raw bytes so we can write it: string name = cert.GetNameInfo(X509NameType.SimpleName, false); byte[] rawCert = cert.GetRawCertData(); // Substitute characters that foul up a shell script or batch file string outputName = (name.Replace(' ', '_')).Replace('*', '_').Replace('(', '_').Replace(')', '_') + ".cer"; using (FileStream fs = new FileStream(outputName, FileMode.Create, FileAccess.Write)) { fs.Write(rawCert, 0, rawCert.Length); } } return(true); }
private void AssertCert(X509Certificate2 cert, bool expectValidCert) { X509Chain chainBuilder = new X509Chain(); X509ChainPolicy policy = new X509ChainPolicy(); policy.VerificationFlags = X509VerificationFlags.IgnoreWrongUsage; chainBuilder.ChainPolicy = policy; chainBuilder.Build(cert); X509ChainElementCollection chainElements = chainBuilder.ChainElements; // If we don't have a trust chain, then we obviously have a problem... Assert.False(chainElements.IsNullOrEmpty(), string.Format("Can't find a trust chain: {0} ", cert.Subject)); // walk the chain starting at the leaf and see if we hit any issues foreach (X509ChainElement chainElement in chainElements) { if (expectValidCert) { AssertChainHasNoProblems(chainElement); } else { AssertChainHasProblems(chainElement); } } }
public static void Test(X509IncludeOption include) { cert = EndCert; X509Chain chain = new X509Chain(); chain.Build(cert); X509ChainElementCollection lmnts = chain.ChainElements; KeyInfoX509Data data = new KeyInfoX509Data(cert, include); ArrayList al = data.Certificates; if (al == null) { return; } for (int i = 0; i < al.Count; i++) { rv = lmnts[i].Certificate.ToString(true) == ((X509Certificate)al[i]).ToString(true); if (!rv) { Console.WriteLine("i = " + i.ToString() + " and include=" + include.ToString()); } } Console.WriteLine("*************************************************************"); }
private static bool ValidationCheck(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { if (sslPolicyErrors != SslPolicyErrors.None) { return(false); } if (chain.ChainPolicy.VerificationFlags == X509VerificationFlags.NoFlag && chain.ChainPolicy.RevocationMode == X509RevocationMode.Online) { return(true); } X509Chain newChain = new X509Chain(); X509ChainElementCollection chainElements = chain.ChainElements; for (int i = 1; i < chainElements.Count - 1; i++) { newChain.ChainPolicy.ExtraStore.Add(chainElements[i].Certificate); } // Use chainElements[0].Certificate since it's the right cert already // in X509Certificate2 form, preventing a cast or the sometimes-dangerous // X509Certificate2(X509Certificate) constructor. // If the chain build successfully it matches all our policy requests, // if it fails, it either failed to build (which is unlikely, since we already had one) // or it failed policy (like it's revoked). return(newChain.Build(chainElements[0].Certificate)); }
public override string GetIssuerName(SecurityToken securityToken) { X509SecurityToken x509Token = securityToken as X509SecurityToken; if (x509Token != null) { // The following check is to allow only trusted issuers of the STS token if (String.Equals(x509Token.Certificate.SubjectName.Name, "CN=localhost")) { return(x509Token.Certificate.SubjectName.Name); } // The following check is to allow only trusted issuers for the client certificate. if (HttpContext.Current != null && HttpContext.Current.Request != null && HttpContext.Current.Request.ClientCertificate != null && HttpContext.Current.Request.ClientCertificate.IsPresent && HttpContext.Current.Request.ClientCertificate.IsValid) { X509Certificate2 clientCertificate = new X509Certificate2(HttpContext.Current.Request.ClientCertificate.Certificate); // Get the issuer of the client certificate X509Chain chain = new X509Chain(); chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; chain.Build(clientCertificate); X509ChainElementCollection elements = chain.ChainElements; X509Certificate2 issuerCert = null; if (elements.Count > 1) { issuerCert = elements[1].Certificate; } else { // This is a self-issued certificate. issuerCert = clientCertificate; } string issuerCertThumbprint = issuerCert.Thumbprint; // Reset the state of the certificate and free resources associated with it. for (int i = 1; i < elements.Count; ++i) { elements[i].Certificate.Reset(); } // The implementation below currently accepts all client certificates and returns the SubjectName as the issuer name. This is intended only for illustration purposes. // In production, consider doing additional validation based on the issuer of the client certificate to return an appropriate issuer name. // DO NOT use this sample code ‘as is’ in production code. // Ensure that the issuer of the client certificate as obtained from the transport, matches the issuer token passed in to this method. if (!StringComparer.Ordinal.Equals(issuerCertThumbprint, x509Token.Certificate.Thumbprint)) { throw new SecurityTokenException("Issuer of the client certificate as obtained from the transport does not match the issuer token passed in to this method."); } return(x509Token.Certificate.SubjectName.Name); } } throw new SecurityTokenException("Untrusted issuer."); }
public X509Certificate2 Load() { if (!File.Exists(Filename)) { Logger.LogError("Cannot load certificate because the file does not exist: {0}", Filename); return(null); } Logger.Log("Loading..."); X509Certificate2 certificate = null; try { certificate = new X509Certificate2(Filename, Password); } catch (Exception e) { Logger.LogError(e, "Failed to load certificate: {0}"); return(null); } Logger.Log("Verifying..."); X509Chain chain = new X509Chain(); chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EndCertificateOnly; chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(5); chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority | X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown; bool happy = chain.Build(certificate); bool valid = true; //Get elements X509ChainElementCollection elements = chain.ChainElements; Logger.Log($"Chain built with {elements.Count} elements, happy={happy}"); //Make sure each element is okay for (int i = 0; i < elements.Count; i++) { X509ChainElement element = elements[i]; Logger.Log($" > Element {i}: {element.Certificate.GetNameInfo(X509NameType.SimpleName, false)}"); foreach (X509ChainStatus status in element.ChainElementStatus) { Logger.LogError($" >>> {status.Status}: {status.StatusInformation}"); valid = false; } } //Final check if (!happy && !valid) { Logger.LogError("Failed to load certificate! Happy: {0}, Valid: {1}", happy, valid); return(null); } //return the certificate return(certificate); }
public override void Reset() { if (elements != null) { nativeCertificateChain.handle = UnityTls.NativeInterface.UNITYTLS_INVALID_HANDLE; elements.Clear(); elements = null; } }
public static X509Certificate2Collection FilterValidCerts( X509Certificate2Collection certs, X509ChainPolicy policy, X509ChainStatusFlags problemFlags, Action <Exception> notification) { var validCerts = new X509Certificate2Collection(); if (certs == null) { return(null); } foreach (var cert in certs) { X509Chain chainBuilder = new X509Chain(); chainBuilder.ChainPolicy = policy.Clone(); try { // We're using the system class as a helper to merely build the chain // However, we will review each item in the chain ourselves, because we have our own rules... chainBuilder.Build(cert); X509ChainElementCollection chainElements = chainBuilder.ChainElements; // If we don't have a trust chain, then we obviously have a problem... if (chainElements.IsNullOrEmpty()) { notification(new Exception(string.Format("Can't find a trust chain: {0} ", cert.Subject))); return(null); } // walk the chain starting at the leaf and see if we hit any issues before the anchor foreach (X509ChainElement chainElement in chainElements) { if (ChainElementHasProblems(chainElement, problemFlags)) { //this.NotifyProblem(chainElement); notification(new Exception(string.Format("Chain Element has problem {0}", Summarize(chainElement, problemFlags)))); // Whoops... problem with at least one cert in the chain. Stop immediately return(null); } } } catch (Exception ex) { //this.NotifyError(certificate, ex); // just eat it and drop out to return null notification(ex); return(null); } validCerts.Add(cert); } return(validCerts); }
public KeyInfoX509Data(X509Certificate cert, X509IncludeOption includeOption) { if (cert == null) { throw new ArgumentNullException(nameof(cert)); } X509Certificate2 certificate = new X509Certificate2(cert); X509ChainElementCollection elements = null; X509Chain chain = null; switch (includeOption) { case X509IncludeOption.ExcludeRoot: // Build the certificate chain chain = new X509Chain(); chain.Build(certificate); // Can't honor the option if we only have a partial chain. if ((chain.ChainStatus.Length > 0) && ((chain.ChainStatus[0].Status & X509ChainStatusFlags.PartialChain) == X509ChainStatusFlags.PartialChain)) { throw new CryptographicException(SR.Cryptography_Partial_Chain); } elements = (X509ChainElementCollection)chain.ChainElements; for (int index = 0; index < (Utils.IsSelfSigned(chain) ? 1 : elements.Count - 1); index++) { AddCertificate(elements[index].Certificate); } break; case X509IncludeOption.EndCertOnly: AddCertificate(certificate); break; case X509IncludeOption.WholeChain: // Build the certificate chain chain = new X509Chain(); chain.Build(certificate); // Can't honor the option if we only have a partial chain. if ((chain.ChainStatus.Length > 0) && ((chain.ChainStatus[0].Status & X509ChainStatusFlags.PartialChain) == X509ChainStatusFlags.PartialChain)) { throw new CryptographicException(SR.Cryptography_Partial_Chain); } elements = (X509ChainElementCollection)chain.ChainElements; foreach (X509ChainElement element in elements) { AddCertificate(element.Certificate); } break; } }
/// <summary> /// Initializes a new instance of the <see cref="X509ChainElementCollectionWrap"/> class. /// </summary> /// <param name="collection"> /// The collection. /// </param> public void Initialize(X509ChainElementCollection collection) { this.elements = new IX509ChainElement[collection.Count]; var elementFactory = new X509ChainElementFactory(this.file, this.path); for (var i = 0; i < this.elements.Length; i++) { this.elements[i] = elementFactory.Create(collection[i]); } }
private static ICollection <X509Certificate> GetCertChainCollectionFromAlias() { X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser); store.Open(OpenFlags.ReadOnly); // If you get compilation error after on X509Certificate2UI class, then Project->Add Reference -> Add System.Security X509Certificate2Collection selectedCert = X509Certificate2UI.SelectFromCollection(store.Certificates, null, null, X509SelectionFlag.SingleSelection); storedSelectedCert = selectedCert; //Org.BouncyCastle.X509.X509Certificate[] chain = null; ICollection <X509Certificate> certChain = new List <X509Certificate>(); /* * Org.BouncyCastle.X509.X509CertificateParser cp = new Org.BouncyCastle.X509.X509CertificateParser(); * chain = new Org.BouncyCastle.X509.X509Certificate[] { * cp.ReadCertificate(certificate.RawData)}; * foreach (Org.BouncyCastle.X509.X509Certificate c in chain) * Console.WriteLine(c); */ X509Chain ch = new X509Chain(); try { ch.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; ch.Build(selectedCert[0]); X509ChainElementCollection chainElems = ch.ChainElements; } catch (Exception exception) { throw exception; } foreach (X509ChainElement element in ch.ChainElements) { //element.Certificate //cp.ReadCertificate(element.Certificate.RawData); X509Certificate x509cert = new X509Certificate(element.Certificate.RawData); certChain.Add(x509cert); Console.WriteLine("Element Subject: {0}", element.Certificate.Subject); Console.WriteLine("Element issuer name: {0}", element.Certificate.Issuer); if (ch.ChainStatus.Length > 1) { for (int index = 0; index < element.ChainElementStatus.Length; index++) { Console.WriteLine(element.ChainElementStatus[index].Status); Console.WriteLine(element.ChainElementStatus[index].StatusInformation); } } } return(certChain); }
protected override void EstablishContext() { base.EstablishContext(); var collection = new X509Chain(); collection.Build(new X509Certificate2(LiebherrRootCaCertificateRawCertData)); this.SpecifiedCollection = collection.ChainElements; this.ExpectedCount = 1; }
internal static bool IsSelfSigned(X509Chain chain) { X509ChainElementCollection chainElements = chain.ChainElements; if (chainElements.Count != 1) { return(false); } X509Certificate2 certificate = chainElements[0].Certificate; return(string.Compare(certificate.SubjectName.Name, certificate.IssuerName.Name, StringComparison.OrdinalIgnoreCase) == 0); }
private void TestOCSP() { OcspLookup ocspLookup = new OcspLookup(); X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser); certStore.Open(OpenFlags.ReadOnly); string serial = "4c 05 5a 37"; X509Certificate2Collection collection = certStore.Certificates.Find(X509FindType.FindBySerialNumber, serial, true); X509Certificate2 cert = null; if (collection.Count > 0) { cert = collection[0]; } else { // the certificate not found throw new NotImplementedException("The certificate was not found."); } X509Chain x509Chain = new X509Chain(); x509Chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; x509Chain.Build(cert); // Iterate though the chain, to validate if it contain a valid root vertificate X509ChainElementCollection x509ChainElementCollection = x509Chain.ChainElements; X509ChainElementEnumerator enumerator = x509ChainElementCollection.GetEnumerator(); X509ChainElement x509ChainElement; X509Certificate2 x509Certificate2 = null; IDictionary <string, X509Certificate2> map = new Dictionary <string, X509Certificate2>(); IList <X509Certificate2> list = new List <X509Certificate2>(); // At this point, the certificate is not valid, until a // it is proved that it has a valid root certificate while (enumerator.MoveNext()) { x509ChainElement = enumerator.Current; x509Certificate2 = x509ChainElement.Certificate; list.Add(x509Certificate2); } ocspLookup.RevocationResponseOnline(list[0], list[1], "http://ocsp.systemtest8.trust2408.com/responder"); }
public static Int32 IndexOf(this X509ChainElementCollection collection, X509ChainElement item) { if (collection == null) { return(-1); } for (Int32 index = 0; index < collection.Count; index++) { if (collection[index].Certificate.Equals(item.Certificate)) { return(index); } } return(-1); }
public KeyInfoX509Data(X509Certificate cert, X509IncludeOption includeOption) { if (cert == null) { throw new ArgumentNullException("cert"); } X509Certificate2 certificate = new X509Certificate2(cert); X509ChainElementCollection chainElements = null; X509Chain chain = null; switch (includeOption) { case X509IncludeOption.ExcludeRoot: chain = new X509Chain(); chain.Build(certificate); if ((chain.ChainStatus.Length > 0) && ((chain.ChainStatus[0].Status & X509ChainStatusFlags.PartialChain) == X509ChainStatusFlags.PartialChain)) { throw new CryptographicException(-2146762486); } chainElements = chain.ChainElements; for (int i = 0; i < (System.Security.Cryptography.X509Certificates.X509Utils.IsSelfSigned(chain) ? 1 : (chainElements.Count - 1)); i++) { this.AddCertificate(chainElements[i].Certificate); } return; case X509IncludeOption.EndCertOnly: this.AddCertificate(certificate); return; case X509IncludeOption.WholeChain: { chain = new X509Chain(); chain.Build(certificate); if ((chain.ChainStatus.Length > 0) && ((chain.ChainStatus[0].Status & X509ChainStatusFlags.PartialChain) == X509ChainStatusFlags.PartialChain)) { throw new CryptographicException(-2146762486); } X509ChainElementEnumerator enumerator = chain.ChainElements.GetEnumerator(); while (enumerator.MoveNext()) { X509ChainElement current = enumerator.Current; this.AddCertificate(current.Certificate); } return; } } }
public override void Reset() { if (certificates != null) { foreach (var certificate in certificates) { certificate.Dispose(); } certificates = null; } if (elements != null) { elements.Clear(); elements = null; } }
internal static string GetCertificateIssuerName(X509Certificate2 certificate, IssuerNameRegistry issuerNameRegistry) { if (certificate == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("certificate"); } if (issuerNameRegistry == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("issuerNameRegistry"); } X509Chain chain = new X509Chain(); chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; chain.Build(certificate); X509ChainElementCollection elements = chain.ChainElements; string issuer = null; if (elements.Count > 1) { using (X509SecurityToken token = new X509SecurityToken(elements[1].Certificate)) { issuer = issuerNameRegistry.GetIssuerName(token); } } else { // This is a self-issued certificate. Use the thumbprint of the current certificate. using (X509SecurityToken token = new X509SecurityToken(certificate)) { issuer = issuerNameRegistry.GetIssuerName(token); } } for (int i = 1; i < elements.Count; ++i) { // Resets the state of the certificate and frees resources associated with it. elements[i].Certificate.Reset(); } return(issuer); }
private void AddCertificate(X509Certificate2 cert, UnsignedProperties unsignedProperties, bool addCert, IEnumerable <string> ocspServers, IEnumerable <X509Crl> crlList, FirmaXades.Crypto.DigestMethod digestMethod, X509Certificate2[] extraCerts = null) { if (addCert) { if (CertificateChecked(cert, unsignedProperties)) { return; } string str = Guid.NewGuid().ToString(); Cert cert2 = new Cert(); cert2.IssuerSerial.X509IssuerName = cert.IssuerName.Name; cert2.IssuerSerial.X509SerialNumber = cert.GetSerialNumberAsDecimalString(); DigestUtil.SetCertDigest(cert.GetRawCertData(), digestMethod, cert2.CertDigest); cert2.URI = "#Cert" + str; unsignedProperties.UnsignedSignatureProperties.CompleteCertificateRefs.CertRefs.CertCollection.Add(cert2); EncapsulatedX509Certificate encapsulatedX509Certificate = new EncapsulatedX509Certificate(); encapsulatedX509Certificate.Id = "Cert" + str; encapsulatedX509Certificate.PkiData = cert.GetRawCertData(); unsignedProperties.UnsignedSignatureProperties.CertificateValues.EncapsulatedX509CertificateCollection.Add(encapsulatedX509Certificate); } X509ChainElementCollection chainElements = CertUtil.GetCertChain(cert, extraCerts).ChainElements; if (chainElements.Count > 1) { X509ChainElementEnumerator enumerator = chainElements.GetEnumerator(); enumerator.MoveNext(); enumerator.MoveNext(); if (!ValidateCertificateByCRL(unsignedProperties, cert, enumerator.Current.Certificate, crlList, digestMethod)) { X509Certificate2[] array = ValidateCertificateByOCSP(unsignedProperties, cert, enumerator.Current.Certificate, ocspServers, digestMethod); if (array != null) { X509Certificate2 x509Certificate = DetermineStartCert(new List <X509Certificate2>(array)); if (x509Certificate.IssuerName.Name != enumerator.Current.Certificate.SubjectName.Name) { X509Chain certChain = CertUtil.GetCertChain(x509Certificate, array); AddCertificate(certChain.ChainElements[1].Certificate, unsignedProperties, true, ocspServers, crlList, digestMethod, array); } } } AddCertificate(enumerator.Current.Certificate, unsignedProperties, true, ocspServers, crlList, digestMethod, extraCerts); } }
private static void ShowX509ChainElementCollection(StringBuilder sb, X509ChainElementCollection ces) { int x509ChainElementCount = 0; foreach (X509ChainElement ce in ces) { sb.Append(string.Empty + System.Environment.NewLine); sb.Append(string.Format("----X509ChainElementNumber:{0}", ++x509ChainElementCount) + System.Environment.NewLine); sb.Append(string.Format("X509ChainElement.Cert.SubjectName.Name='{0}'", ce.Certificate.SubjectName.Name) + System.Environment.NewLine); sb.Append(string.Format("X509ChainElement.Cert.Issuer='{0}'", ce.Certificate.Issuer) + System.Environment.NewLine); sb.Append(string.Format("X509ChainElement.Cert.Thumbprint='{0}'", ce.Certificate.Thumbprint) + System.Environment.NewLine); sb.Append(string.Format("X509ChainElement.Cert.HasPrivateKey='{0}'", ce.Certificate.HasPrivateKey) + System.Environment.NewLine); X509Certificate2 cert2 = ce.Certificate as X509Certificate2; ShowX509Certificate2(sb, cert2); ShowX509Extensions(sb, cert2.Subject, ce.Certificate.Extensions); } }
public KeyInfoX509Data(X509Certificate cert, X509IncludeOption includeOption) { if (cert == null) { throw new ArgumentNullException(nameof(cert)); } X509Certificate2 certificate = new X509Certificate2(cert); switch (includeOption) { case X509IncludeOption.ExcludeRoot: X509Chain chain = new X509Chain(); chain.Build(certificate); if (chain.ChainStatus.Length != 0 && (chain.ChainStatus[0].Status & X509ChainStatusFlags.PartialChain) == X509ChainStatusFlags.PartialChain) { throw new CryptographicException(-2146762486); } X509ChainElementCollection chainElements = chain.ChainElements; for (int index = 0; index < (X509Utils.IsSelfSigned(chain) ? 1 : chainElements.Count - 1); ++index) { this.AddCertificate((X509Certificate)chainElements[index].Certificate); } break; case X509IncludeOption.EndCertOnly: this.AddCertificate((X509Certificate)certificate); break; case X509IncludeOption.WholeChain: X509Chain x509Chain = new X509Chain(); x509Chain.Build(certificate); if (x509Chain.ChainStatus.Length != 0 && (x509Chain.ChainStatus[0].Status & X509ChainStatusFlags.PartialChain) == X509ChainStatusFlags.PartialChain) { throw new CryptographicException(-2146762486); } foreach (X509ChainElement chainElement in x509Chain.ChainElements) { this.AddCertificate((X509Certificate)chainElement.Certificate); } break; } }
/// <summary> /// Validate network ssl certificate, you can use certificate validation on your config for more security /// example : request.ServerCertificateValidationCallback = ValidationCallback; /// </summary> public static bool ValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { if (sslPolicyErrors != SslPolicyErrors.None) { return(false); } if (chain.ChainPolicy.VerificationFlags == X509VerificationFlags.NoFlag && chain.ChainPolicy.RevocationMode == X509RevocationMode.Online) { return(true); } X509Chain newChain = new X509Chain(); X509ChainElementCollection chainElements = chain.ChainElements; for (int i = 1; i < chainElements.Count - 1; i++) { newChain.ChainPolicy.ExtraStore.Add(chainElements[i].Certificate); } return(newChain.Build(chainElements[0].Certificate)); }
public static Boolean Contains(this X509ChainElementCollection collection, X509ChainElement item) { return(collection.Cast <X509ChainElement>().Any(x => item.Certificate.Equals(item.Certificate))); }
public static X509ChainElement Item(this X509ChainElementCollection collection, X509ChainElement item) { return(collection.Count == 0 ? null : collection.Cast <X509ChainElement>().FirstOrDefault(x => x.Certificate.Thumbprint == item.Certificate.Thumbprint)); }
internal SignerInfoAsn Sign( ReadOnlyMemory <byte> data, string contentTypeOid, bool silent, out X509Certificate2Collection chainCerts) { HashAlgorithmName hashAlgorithmName = PkcsHelpers.GetDigestAlgorithm(DigestAlgorithm); IncrementalHash hasher = IncrementalHash.CreateHash(hashAlgorithmName); hasher.AppendData(data.Span); byte[] dataHash = hasher.GetHashAndReset(); SignerInfoAsn newSignerInfo = new SignerInfoAsn(); newSignerInfo.DigestAlgorithm.Algorithm = DigestAlgorithm; // If the user specified attributes (not null, count > 0) we need attributes. // If the content type is null we're counter-signing, and need the message digest attr. // If the content type is otherwise not-data we need to record it as the content-type attr. if (SignedAttributes?.Count > 0 || contentTypeOid != Oids.Pkcs7Data) { List <AttributeAsn> signedAttrs = BuildAttributes(SignedAttributes); using (var writer = new AsnWriter(AsnEncodingRules.DER)) { writer.WriteOctetString(dataHash); signedAttrs.Add( new AttributeAsn { AttrType = new Oid(Oids.MessageDigest, Oids.MessageDigest), AttrValues = new[] { new ReadOnlyMemory <byte>(writer.Encode()) }, }); } if (contentTypeOid != null) { using (var writer = new AsnWriter(AsnEncodingRules.DER)) { writer.WriteObjectIdentifier(contentTypeOid); signedAttrs.Add( new AttributeAsn { AttrType = new Oid(Oids.ContentType, Oids.ContentType), AttrValues = new[] { new ReadOnlyMemory <byte>(writer.Encode()) }, }); } } // Use the serializer/deserializer to DER-normalize the attribute order. SignedAttributesSet signedAttrsSet = new SignedAttributesSet(); signedAttrsSet.SignedAttributes = PkcsHelpers.NormalizeAttributeSet( signedAttrs.ToArray(), normalized => hasher.AppendData(normalized)); // Since this contains user data in a context where BER is permitted, use BER. // There shouldn't be any observable difference here between BER and DER, though, // since the top level fields were written by NormalizeSet. using (AsnWriter attrsWriter = new AsnWriter(AsnEncodingRules.BER)) { signedAttrsSet.Encode(attrsWriter); newSignerInfo.SignedAttributes = attrsWriter.Encode(); } dataHash = hasher.GetHashAndReset(); } switch (SignerIdentifierType) { case SubjectIdentifierType.IssuerAndSerialNumber: byte[] serial = Certificate.GetSerialNumber(); Array.Reverse(serial); newSignerInfo.Sid.IssuerAndSerialNumber = new IssuerAndSerialNumberAsn { Issuer = Certificate.IssuerName.RawData, SerialNumber = serial, }; newSignerInfo.Version = 1; break; case SubjectIdentifierType.SubjectKeyIdentifier: newSignerInfo.Sid.SubjectKeyIdentifier = PkcsPal.Instance.GetSubjectKeyIdentifier(Certificate); newSignerInfo.Version = 3; break; case SubjectIdentifierType.NoSignature: newSignerInfo.Sid.IssuerAndSerialNumber = new IssuerAndSerialNumberAsn { Issuer = SubjectIdentifier.DummySignerEncodedValue, SerialNumber = new byte[1], }; newSignerInfo.Version = 1; break; default: Debug.Fail($"Unresolved SignerIdentifierType value: {SignerIdentifierType}"); throw new CryptographicException(); } if (UnsignedAttributes != null && UnsignedAttributes.Count > 0) { List <AttributeAsn> attrs = BuildAttributes(UnsignedAttributes); newSignerInfo.UnsignedAttributes = PkcsHelpers.NormalizeAttributeSet(attrs.ToArray()); } bool signed; Oid signatureAlgorithm; ReadOnlyMemory <byte> signatureValue; if (SignerIdentifierType == SubjectIdentifierType.NoSignature) { signatureAlgorithm = new Oid(Oids.NoSignature, null); signatureValue = dataHash; signed = true; } else { signed = CmsSignature.Sign( dataHash, hashAlgorithmName, Certificate, PrivateKey, silent, out signatureAlgorithm, out signatureValue); } if (!signed) { throw new CryptographicException(SR.Cryptography_Cms_CannotDetermineSignatureAlgorithm); } newSignerInfo.SignatureValue = signatureValue; newSignerInfo.SignatureAlgorithm.Algorithm = signatureAlgorithm; X509Certificate2Collection certs = new X509Certificate2Collection(); certs.AddRange(Certificates); if (SignerIdentifierType != SubjectIdentifierType.NoSignature) { if (IncludeOption == X509IncludeOption.EndCertOnly) { certs.Add(Certificate); } else if (IncludeOption != X509IncludeOption.None) { X509Chain chain = new X509Chain(); chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags; if (!chain.Build(Certificate)) { foreach (X509ChainStatus status in chain.ChainStatus) { if (status.Status == X509ChainStatusFlags.PartialChain) { throw new CryptographicException(SR.Cryptography_Cms_IncompleteCertChain); } } } X509ChainElementCollection elements = chain.ChainElements; int count = elements.Count; int last = count - 1; if (last == 0) { // If there's always one cert treat it as EE, not root. last = -1; } for (int i = 0; i < count; i++) { X509Certificate2 cert = elements[i].Certificate; if (i == last && IncludeOption == X509IncludeOption.ExcludeRoot && cert.SubjectName.RawData.AsSpan().SequenceEqual(cert.IssuerName.RawData)) { break; } certs.Add(cert); } } } chainCerts = certs; return(newSignerInfo); }
X509CertificateClaimSet(X509ChainElementCollection elements, int index) { this.elements = elements; this.index = index; this.certificate = elements[index].Certificate; }
private static void SetCertificate(SafeSslHandle sslContext, X509Certificate2 certificate) { Debug.Assert(sslContext != null, "sslContext != null"); Debug.Assert(certificate != null, "certificate != null"); Debug.Assert(certificate.HasPrivateKey, "certificate.HasPrivateKey"); X509Chain chain = TLSCertificateExtensions.BuildNewChain( certificate, includeClientApplicationPolicy: false) !; using (chain) { X509ChainElementCollection elements = chain.ChainElements; // We need to leave off the EE (first) and root (last) certificate from the intermediates. X509Certificate2[] intermediateCerts = elements.Count < 3 ? Array.Empty <X509Certificate2>() : new X509Certificate2[elements.Count - 2]; // Build an array which is [ // SecIdentityRef for EE cert, // SecCertificateRef for intermed0, // SecCertificateREf for intermed1, // ... // ] IntPtr[] ptrs = new IntPtr[intermediateCerts.Length + 1]; for (int i = 0; i < intermediateCerts.Length; i++) { X509Certificate2 intermediateCert = elements[i + 1].Certificate !; if (intermediateCert.HasPrivateKey) { // In the unlikely event that we get a certificate with a private key from // a chain, clear it to the certificate. // // The current value of intermediateCert is still in elements, which will // get Disposed at the end of this method. The new value will be // in the intermediate certs array, which also gets serially Disposed. intermediateCert = new X509Certificate2(intermediateCert.RawData); } intermediateCerts[i] = intermediateCert; ptrs[i + 1] = intermediateCert.Handle; } ptrs[0] = certificate.Handle; Interop.AppleCrypto.SslSetCertificate(sslContext, ptrs); // The X509Chain created all new certs for us, so Dispose them. // And since the intermediateCerts could have been new instances, Dispose them, too for (int i = 0; i < elements.Count; i++) { elements[i].Certificate !.Dispose(); if (i < intermediateCerts.Length) { intermediateCerts[i].Dispose(); } } } }
public X509Chain (bool useMachineContext) { _machineContext = useMachineContext; _elements = new X509ChainElementCollection (); _policy = new X509ChainPolicy (); }