bool FilterCertificateByPolicy(MailAddress address, X509Certificate2 cert, IPolicyResolver resolver, bool incoming)
{
if (cert == null || resolver == null)
{
return(true);
}
IList <IPolicyExpression> exressions = (incoming)
? resolver.GetIncomingPolicy(address)
: resolver.GetOutgoingPolicy(address);
try
{
var policyFilter = PolicyFilter.Default;
foreach (var expression in exressions)
{
if (!policyFilter.IsCompliant(cert, expression))
{
return(false);
}
}
}
catch (PolicyRequiredException) // certificate
{
return(false);
}
catch (PolicyProcessException processException)
{
throw new AgentException(AgentError.InvalidPolicy, processException);
}
return(true);
}
/// <summary>
/// Get the cert policy resolvers as a <see cref="ICertPolicyResolvers"/> structured container..
/// </summary>
/// <returns></returns>
public ICertPolicyResolvers GetPolicyResolvers()
{
IList <KeyValuePair <string, IPolicyResolver> > policyResolvers = new List <KeyValuePair <string, IPolicyResolver> >();
if (CertPolicies != null)
{
PolicyResolverSettings policyResolverSettings =
this.CertPolicies.Resolvers.FirstOrDefault(r => r.Name == CertPolicyResolvers.TrustPolicyName);
if (policyResolverSettings != null)
{
IPolicyResolver trustPolicyResolver = policyResolverSettings.CreateResolver();
policyResolvers.Add(new KeyValuePair <string, IPolicyResolver>(CertPolicyResolvers.TrustPolicyName, trustPolicyResolver));
}
policyResolverSettings = this.CertPolicies.Resolvers.FirstOrDefault(r => r.Name == CertPolicyResolvers.PrivatePolicyName);
if (policyResolverSettings != null)
{
IPolicyResolver privatePolicyResolver = policyResolverSettings.CreateResolver();
policyResolvers.Add(new KeyValuePair <string, IPolicyResolver>(CertPolicyResolvers.PrivatePolicyName, privatePolicyResolver));
}
policyResolverSettings = this.CertPolicies.Resolvers.FirstOrDefault(r => r.Name == CertPolicyResolvers.PublicPolicyName);
if (policyResolverSettings != null)
{
IPolicyResolver publicPolicyResolver = policyResolverSettings.CreateResolver();
policyResolvers.Add(new KeyValuePair <string, IPolicyResolver>(CertPolicyResolvers.PublicPolicyName, publicPolicyResolver));
}
}
CertPolicyResolvers certPolicyResolvers = new CertPolicyResolvers(policyResolvers);
return(certPolicyResolvers);
}
/// <summary>
/// Create a Trust Model from the given settings
/// </summary>
/// <param name="trustPolicyResolver"><see cref="IPolicyResolver"/> injected for trust policy resolution.</param>
/// <param name="policyFilter"><see cref="IPolicyFilter"/></param>
/// <returns>TrustModel</returns>
public TrustModel CreateTrustModel(IPolicyResolver trustPolicyResolver, IPolicyFilter policyFilter)
{
TrustChainValidator validator = new TrustChainValidator();
validator.RevocationCheckMode = this.RevocationCheckMode;
validator.RevocationCheckGranularity = this.RevocationCheckGranularity;
if (this.MaxIssuerChainLength > 0)
{
validator.MaxIssuerChainLength = this.MaxIssuerChainLength;
}
if (this.TimeoutMilliseconds > 0)
{
validator.ValidationPolicy.UrlRetrievalTimeout = TimeSpan.FromMilliseconds(this.TimeoutMilliseconds);
}
TrustModel trustModel = new TrustModel(validator, trustPolicyResolver, policyFilter);
if (this.ProblemFlags != null)
{
X509ChainStatusFlags flags = X509ChainStatusFlags.NoError;
foreach (X509ChainStatusFlags flag in this.ProblemFlags)
{
flags = (flags | flag);
}
trustModel.CertChainValidator.ProblemFlags = flags;
}
return(trustModel);
}
/// <summary>
/// Constructs an instance specifying a certificate chain validator.
/// </summary>
/// <param name="validator">The <see cref="TrustChainValidator"/> to use in validating certificate chains</param>
/// <param name="policyResolver">The <see cref="IPolicyResolver"/> to use in resolving policies.</param>
public TrustModel(TrustChainValidator validator, IPolicyResolver policyResolver)
{
if (validator == null)
{
throw new ArgumentNullException("validator");
}
m_certChainValidator = validator;
m_trustPolicyResolver = policyResolver;
}
/// <summary>
/// Constructs an instance specifying a certificate chain validator.
/// </summary>
/// <param name="validator">The <see cref="TrustChainValidator"/> to use in validating certificate chains</param>
/// <param name="policyResolver">The <see cref="IPolicyResolver"/> to use in resolving policies.</param>
/// <param name="policyFilter">The <see cref="IPolicyFilter"/> to use in validating certificate against policies</param>
public TrustModel(TrustChainValidator validator, IPolicyResolver policyResolver, IPolicyFilter policyFilter)
{
if (validator == null)
{
throw new ArgumentNullException("validator");
}
m_certChainValidator = validator;
m_trustPolicyResolver = policyResolver;
m_policyFilter = policyFilter;
}
public TrustPolicyResolver(TrustPolicyServiceResolverSettings settings)
{
ClientSettings settings1 = settings.ClientSettings;
var incomingCacheSettings =
new CacheSettings(settings.CacheSettings) {Name = "BundleCache.incoming"};
var outgoingCacheSettings =
new CacheSettings(settings.CacheSettings) {Name = "BundleCache.outgoing"};
m_incomingResolver =
new PolicyResolver(new CertPolicyIndex(settings1, true, CertPolicyUse.TRUST), incomingCacheSettings);
m_outgoingResolver =
new PolicyResolver(new CertPolicyIndex(settings1, false, CertPolicyUse.TRUST), outgoingCacheSettings);
}
/// <summary>
/// Creates a DirectAgent instance, specifying private, external and trust anchor certificate stores, and
/// trust and cryptography models.
/// </summary>
/// <param name="domainResolver">
/// An <see cref="IDomainResolver"/> instance providing array of local domain name managed by this agent.
/// </param>
/// <param name="privateCerts">
/// An <see cref="ICertificateResolver"/> instance providing private certificates
/// for senders of outgoing messages and receivers of incoming messages.
/// </param>
/// <param name="publicCerts">
/// An <see cref="ICertificateResolver"/> instance providing public certificates
/// for receivers of outgoing messages and senders of incoming messages.
/// </param>
/// <param name="anchors">
/// An <see cref="ITrustAnchorResolver"/> instance providing trust anchors.
/// </param>
/// <param name="trustModel">
/// An instance or subclass of <see cref="SMIMECryptographer"/> providing a custom trust model.
/// </param>
/// <param name="cryptographer">
/// An instance or subclass of <see cref="Health.Direct.Agent"/> providing a custom cryptography model.
/// </param>
/// <param name="certPolicyResolvers">Certificate <see cref="ICertPolicyResolvers">policy container</see></param>
public DirectAgent(IDomainResolver domainResolver,
ICertificateResolver privateCerts,
ICertificateResolver publicCerts,
ITrustAnchorResolver anchors,
TrustModel trustModel,
ISmimeCryptographer cryptographer,
ICertPolicyResolvers certPolicyResolvers)
{
m_managedDomains = new AgentDomains(domainResolver);
if (privateCerts == null)
{
throw new ArgumentNullException("privateCerts");
}
if (publicCerts == null)
{
throw new ArgumentNullException("publicCerts");
}
if (anchors == null)
{
throw new ArgumentNullException("anchors");
}
if (trustModel == null)
{
throw new ArgumentNullException("trustModel");
}
if (cryptographer == null)
{
throw new ArgumentNullException("cryptographer");
}
m_privateCertResolver = privateCerts;
m_publicCertResolver = publicCerts;
m_cryptographer = cryptographer;
m_trustAnchors = anchors;
m_trustModel = trustModel;
if (!m_trustModel.CertChainValidator.HasCertificateResolver)
{
m_trustModel.CertChainValidator.IssuerResolver = m_publicCertResolver;
}
m_minTrustRequirement = TrustEnforcementStatus.Success;
m_privatePolicyResolver = certPolicyResolvers.PrivateResolver;
m_publicPolicyResolver = certPolicyResolvers.PublicResolver;
}
public PublicPolicyResolver(PublicPolicyServiceResolverSettings settings)
{
PublicPolicyServiceResolverSettings settings1 = settings;
CacheSettings incomingCacheSettings =
new CacheSettings(settings1.CacheSettings) { Name = "publicPolicy.incoming" };
CacheSettings outgoingCacheSettings =
new CacheSettings(settings1.CacheSettings) { Name = "publicPolicy.outgoing" };
m_incomingResolver =
new PolicyResolver(new CertPolicyIndex(settings1.ClientSettings, true, CertPolicyUse.PUBLIC_RESOLVER), incomingCacheSettings);
m_outgoingResolver =
new PolicyResolver(new CertPolicyIndex(settings1.ClientSettings, false, CertPolicyUse.PUBLIC_RESOLVER), outgoingCacheSettings);
}
public PrivatePolicyResolver(PrivatePolicyServiceResolverSettings settings)
{
PrivatePolicyServiceResolverSettings settings1 = settings;
CacheSettings incomingCacheSettings =
new CacheSettings(settings1.CacheSettings)
{
Name = "privatePolicy.incoming"
};
CacheSettings outgoingCacheSettings =
new CacheSettings(settings1.CacheSettings)
{
Name = "privatePolicy.outgoing"
};
m_incomingResolver =
new PolicyResolver(new CertPolicyIndex(settings1.ClientSettings, true, CertPolicyUse.PRIVATE_RESOLVER), incomingCacheSettings);
m_outgoingResolver =
new PolicyResolver(new CertPolicyIndex(settings1.ClientSettings, false, CertPolicyUse.PRIVATE_RESOLVER), outgoingCacheSettings);
}
public TrustPolicyResolver(TrustPolicyServiceResolverSettings settings)
{
ClientSettings settings1 = settings.ClientSettings;
var incomingCacheSettings =
new CacheSettings(settings.CacheSettings)
{
Name = "BundleCache.incoming"
};
var outgoingCacheSettings =
new CacheSettings(settings.CacheSettings)
{
Name = "BundleCache.outgoing"
};
m_incomingResolver =
new PolicyResolver(new CertPolicyIndex(settings1, true, CertPolicyUse.TRUST), incomingCacheSettings);
m_outgoingResolver =
new PolicyResolver(new CertPolicyIndex(settings1, false, CertPolicyUse.TRUST), outgoingCacheSettings);
}
void Verify(PolicySettings settings)
{
Assert.NotNull(settings.Resolvers);
Assert.Equal(3, settings.Resolvers.Count());
IPolicyResolver trustResolver = settings.Resolvers.FirstOrDefault(r => r.Name == CertPolicyResolvers.TrustPolicyName).CreateResolver();
IPolicyResolver privateResolver = settings.Resolvers.FirstOrDefault(r => r.Name == CertPolicyResolvers.PrivatePolicyName).CreateResolver();
IPolicyResolver publicResolver = settings.Resolvers.FirstOrDefault(r => r.Name == CertPolicyResolvers.PublicPolicyName).CreateResolver();
Assert.NotNull(trustResolver);
Assert.NotNull(privateResolver);
Assert.NotNull(publicResolver);
TrustPolicyServiceResolverSettings trustSettings =
settings.Resolvers.FirstOrDefault(r => r.Name == CertPolicyResolvers.TrustPolicyName) as
TrustPolicyServiceResolverSettings;
Assert.True(trustSettings.CacheSettings.Cache);
Assert.True(trustSettings.CacheSettings.NegativeCache);
Assert.Equal(60, trustSettings.CacheSettings.CacheTTLSeconds);
PrivatePolicyServiceResolverSettings privateSettings =
settings.Resolvers.FirstOrDefault(r => r.Name == CertPolicyResolvers.PrivatePolicyName) as
PrivatePolicyServiceResolverSettings;
Assert.True(privateSettings.CacheSettings.Cache);
Assert.True(privateSettings.CacheSettings.NegativeCache);
Assert.Equal(60, privateSettings.CacheSettings.CacheTTLSeconds);
PublicPolicyServiceResolverSettings publicSettings =
settings.Resolvers.FirstOrDefault(r => r.Name == CertPolicyResolvers.PublicPolicyName) as
PublicPolicyServiceResolverSettings;
Assert.True(publicSettings.CacheSettings.Cache);
Assert.True(publicSettings.CacheSettings.NegativeCache);
Assert.Equal(60, publicSettings.CacheSettings.CacheTTLSeconds);
}
/// <summary>
/// Creates a DirectAgent instance, specifying private, external and trust anchor certificate stores, and
/// trust and cryptography models.
/// </summary>
/// <param name="domainResolver">
/// An <see cref="IDomainResolver"/> instance providing array of local domain name managed by this agent.
/// </param>
/// <param name="privateCerts">
/// An <see cref="ICertificateResolver"/> instance providing private certificates
/// for senders of outgoing messages and receivers of incoming messages.
/// </param>
/// <param name="publicCerts">
/// An <see cref="ICertificateResolver"/> instance providing public certificates
/// for receivers of outgoing messages and senders of incoming messages.
/// </param>
/// <param name="anchors">
/// An <see cref="ITrustAnchorResolver"/> instance providing trust anchors.
/// </param>
/// <param name="trustModel">
/// An instance or subclass of <see cref="SMIMECryptographer"/> providing a custom trust model.
/// </param>
/// <param name="cryptographer">
/// An instance or subclass of <see cref="Health.Direct.Agent"/> providing a custom cryptography model.
/// </param>
/// <param name="certPolicyResolvers">Certificate <see cref="ICertPolicyResolvers">policy container</see></param>
/// <param name="policyFilter"><see cref="IPolicyFilter"/></param>
public DirectAgent(IDomainResolver domainResolver, ICertificateResolver privateCerts, ICertificateResolver publicCerts
, ITrustAnchorResolver anchors, TrustModel trustModel, SMIMECryptographer cryptographer,
ICertPolicyResolvers certPolicyResolvers, IPolicyFilter policyFilter)
{
m_managedDomains = new AgentDomains(domainResolver);
if (privateCerts == null)
{
throw new ArgumentNullException("privateCerts");
}
if (publicCerts == null)
{
throw new ArgumentNullException("publicCerts");
}
if (anchors == null)
{
throw new ArgumentNullException("anchors");
}
if (trustModel == null)
{
throw new ArgumentNullException("trustModel");
}
if (cryptographer == null)
{
throw new ArgumentNullException("cryptographer");
}
m_privateCertResolver = privateCerts;
m_publicCertResolver = publicCerts;
m_cryptographer = cryptographer;
m_trustAnchors = anchors;
m_trustModel = trustModel;
if (!m_trustModel.CertChainValidator.HasCertificateResolver)
{
m_trustModel.CertChainValidator.IssuerResolver = m_publicCertResolver;
}
m_minTrustRequirement = TrustEnforcementStatus.Success;
m_privatePolicyResolver = certPolicyResolvers.PrivateResolver;
m_publicPolicyResolver = certPolicyResolvers.PublicResolver;
m_policyFilter = policyFilter;
}
bool FilterCertificateByPolicy(MailAddress address, X509Certificate2 cert, IPolicyResolver resolver, bool incoming)
{
if (cert == null || resolver == null || m_policyFilter == null)
{
return true;
}
IList<IPolicyExpression> exressions = (incoming)
? resolver.GetIncomingPolicy(address)
: resolver.GetOutgoingPolicy(address);
try
{
foreach (var expression in exressions)
{
if (! m_policyFilter.IsCompliant(cert, expression))
{
return false;
}
}
}
catch (PolicyRequiredException) // certificate
{
return false;
}
catch (PolicyProcessException processException)
{
throw new AgentException(AgentError.InvalidPolicy, processException);
}
return true;
}
/// <summary>
/// Create a Trust Model from the given settings
/// </summary>
/// <param name="trustPolicyResolver"><see cref="IPolicyResolver"/> injected for trust policy resolution.</param>
/// <param name="policyFilter"><see cref="IPolicyFilter"/></param>
/// <returns>TrustModel</returns>
public TrustModel CreateTrustModel(IPolicyResolver trustPolicyResolver, IPolicyFilter policyFilter)
{
TrustChainValidator validator = new TrustChainValidator();
validator.RevocationCheckMode = this.RevocationCheckMode;
validator.RevocationCheckGranularity = this.RevocationCheckGranularity;
if (this.MaxIssuerChainLength > 0)
{
validator.MaxIssuerChainLength = this.MaxIssuerChainLength;
}
if (this.TimeoutMilliseconds > 0)
{
validator.ValidationPolicy.UrlRetrievalTimeout = TimeSpan.FromMilliseconds(this.TimeoutMilliseconds);
}
TrustModel trustModel = new TrustModel(validator, trustPolicyResolver, policyFilter);
if (this.ProblemFlags != null)
{
X509ChainStatusFlags flags = X509ChainStatusFlags.NoError;
foreach(X509ChainStatusFlags flag in this.ProblemFlags)
{
flags = (flags | flag);
}
trustModel.CertChainValidator.ProblemFlags = flags;
}
return trustModel;
}
