        /// <summary>
        /// Builds a certificate chain for <paramref name="cert"/> through the OpenSSL-backed
        /// chain processor, persisting any intermediates that were downloaded while building an
        /// error-free chain.
        /// </summary>
        /// <param name="useMachineContext">Not consulted by this implementation.</param>
        /// <param name="cert">The leaf certificate; a new <see cref="X509Certificate2"/> is created from its handle.</param>
        /// <param name="extraStore">Additional certificates offered to the processor as chain candidates.</param>
        /// <param name="applicationPolicy">Application policy OIDs forwarded to the chain processor.</param>
        /// <param name="certificatePolicy">Certificate policy OIDs forwarded to the chain processor.</param>
        /// <param name="revocationMode">Revocation checking mode forwarded to the chain processor.</param>
        /// <param name="revocationFlag">Revocation flag forwarded to the chain processor.</param>
        /// <param name="verificationTime">
        /// Time at which validity is evaluated. A UTC value is converted to local time first,
        /// because OpenSSL is assumed to treat the value it receives as local time.
        /// </param>
        /// <param name="timeout">Time budget for downloads; <see cref="TimeSpan.Zero"/> means unlimited.</param>
        /// <returns>The chain produced by the processor.</returns>
        public static IChainPal BuildChain(
            bool useMachineContext,
            ICertificatePal cert,
            X509Certificate2Collection extraStore,
            OidCollection applicationPolicy,
            OidCollection certificatePolicy,
            X509RevocationMode revocationMode,
            X509RevocationFlag revocationFlag,
            DateTime verificationTime,
            TimeSpan timeout)
        {
            // A zero timeout means "take all the time you need".
            TimeSpan remainingDownloadTime = timeout == TimeSpan.Zero ? TimeSpan.MaxValue : timeout;

            // Unspecified is treated as Local; only a UTC value is converted, since OpenSSL
            // is assumed to interpret whatever time it is handed as local time.
            DateTime localVerificationTime = verificationTime.Kind == DateTimeKind.Utc
                ? verificationTime.ToLocalTime()
                : verificationTime;

            var downloaded = new List<X509Certificate2>();
            var systemTrusted = new List<X509Certificate2>();

            // NOTE(review): leaf is never disposed in this version -- confirm whether the
            // chain elements hold clones before adding a using block.
            var leaf = new X509Certificate2(cert.Handle);

            List<X509Certificate2> candidates = OpenSslX509ChainProcessor.FindCandidates(
                leaf, extraStore, downloaded, systemTrusted, ref remainingDownloadTime);

            IChainPal chain = OpenSslX509ChainProcessor.BuildChain(
                leaf,
                candidates,
                downloaded,
                systemTrusted,
                applicationPolicy,
                certificatePolicy,
                revocationMode,
                revocationFlag,
                localVerificationTime,
                ref remainingDownloadTime);

            // Only persist downloaded intermediates when the chain came back without status errors.
            bool errorFree = chain.ChainStatus.Length == 0;
            if (errorFree && downloaded.Count != 0)
            {
                SaveIntermediateCertificates(chain.ChainElements, downloaded);
            }

            return chain;
        }
        /// <summary>
        /// Builds a certificate chain for <paramref name="cert"/> through the OpenSSL-backed
        /// chain processor, persisting any intermediates that were downloaded while building an
        /// error-free chain.
        /// </summary>
        /// <param name="useMachineContext">Not consulted by this implementation.</param>
        /// <param name="cert">The leaf certificate; a new <see cref="X509Certificate2"/> is created from its handle.</param>
        /// <param name="extraStore">Additional certificates offered to the processor as chain candidates.</param>
        /// <param name="applicationPolicy">Application policy OIDs forwarded to the chain processor.</param>
        /// <param name="certificatePolicy">Certificate policy OIDs forwarded to the chain processor.</param>
        /// <param name="revocationMode">Validated through <c>CheckRevocationMode</c>; not otherwise used by this method.</param>
        /// <param name="revocationFlag">Not consulted by this implementation.</param>
        /// <param name="verificationTime">Time at which validity is evaluated; passed through unchanged.</param>
        /// <param name="timeout">Time budget for downloads; <see cref="TimeSpan.Zero"/> means unlimited.</param>
        /// <returns>The chain produced by the processor.</returns>
        public static IChainPal BuildChain(
            bool useMachineContext,
            ICertificatePal cert,
            X509Certificate2Collection extraStore,
            OidCollection applicationPolicy,
            OidCollection certificatePolicy,
            X509RevocationMode revocationMode,
            X509RevocationFlag revocationFlag,
            DateTime verificationTime,
            TimeSpan timeout)
        {
            CheckRevocationMode(revocationMode);

            // A zero timeout means "take all the time you need".
            TimeSpan remainingDownloadTime = timeout == TimeSpan.Zero ? TimeSpan.MaxValue : timeout;

            var downloaded = new List<X509Certificate2>();

            // NOTE(review): leaf is never disposed in this version -- confirm whether the
            // chain elements hold clones before adding a using block.
            var leaf = new X509Certificate2(cert.Handle);

            List<X509Certificate2> candidates = OpenSslX509ChainProcessor.FindCandidates(
                leaf, extraStore, downloaded, ref remainingDownloadTime);

            IChainPal chain = OpenSslX509ChainProcessor.BuildChain(
                leaf, candidates, downloaded, applicationPolicy, certificatePolicy, verificationTime);

            // Only persist downloaded intermediates when the chain came back without status errors.
            if (chain.ChainStatus.Length == 0 && downloaded.Count != 0)
            {
                SaveIntermediateCertificates(chain.ChainElements, downloaded);
            }

            return chain;
        }
        /// <summary>
        /// Builds a certificate chain for <paramref name="cert"/> through the OpenSSL-backed
        /// chain processor.
        /// </summary>
        /// <param name="useMachineContext">Not consulted by this implementation.</param>
        /// <param name="cert">The leaf certificate; a new <see cref="X509Certificate2"/> is created from its handle.</param>
        /// <param name="extraStore">Additional certificates offered to the processor as chain candidates.</param>
        /// <param name="applicationPolicy">Application policy OIDs forwarded to the chain processor.</param>
        /// <param name="certificatePolicy">Certificate policy OIDs forwarded to the chain processor.</param>
        /// <param name="revocationMode">Validated through <c>CheckRevocationMode</c>; not otherwise used by this method.</param>
        /// <param name="revocationFlag">Not consulted by this implementation.</param>
        /// <param name="verificationTime">Time at which validity is evaluated; passed through unchanged.</param>
        /// <param name="timeout">Not consulted by this implementation.</param>
        /// <returns>The chain produced by the processor.</returns>
        public static IChainPal BuildChain(
            bool useMachineContext,
            ICertificatePal cert,
            X509Certificate2Collection extraStore,
            OidCollection applicationPolicy,
            OidCollection certificatePolicy,
            X509RevocationMode revocationMode,
            X509RevocationFlag revocationFlag,
            DateTime verificationTime,
            TimeSpan timeout)
        {
            CheckRevocationMode(revocationMode);

            // NOTE(review): leaf is never disposed in this version -- confirm whether the
            // chain elements hold clones before adding a using block.
            var leaf = new X509Certificate2(cert.Handle);
            var candidates = OpenSslX509ChainProcessor.FindCandidates(leaf, extraStore);

            return OpenSslX509ChainProcessor.BuildChain(
                leaf, candidates, applicationPolicy, certificatePolicy, verificationTime);
        }
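        /// <summary>
        /// Builds a certificate chain for <paramref name="cert"/> through the OpenSSL-backed
        /// chain processor, persists intermediates that were downloaded for an error-free chain,
        /// and disposes every locally-owned candidate certificate (the chain holds clones).
        /// Disposal also runs when chain building or persisting throws, so no handles leak.
        /// </summary>
        /// <param name="useMachineContext">Not consulted by this implementation.</param>
        /// <param name="cert">The leaf certificate; a new <see cref="X509Certificate2"/> is created from its handle.</param>
        /// <param name="extraStore">
        /// Additional certificates offered as chain candidates. These objects are owned by the
        /// caller and are never disposed here.
        /// </param>
        /// <param name="applicationPolicy">Application policy OIDs forwarded to the chain processor.</param>
        /// <param name="certificatePolicy">Certificate policy OIDs forwarded to the chain processor.</param>
        /// <param name="revocationMode">Revocation checking mode forwarded to the chain processor.</param>
        /// <param name="revocationFlag">Revocation flag forwarded to the chain processor.</param>
        /// <param name="verificationTime">
        /// Time at which validity is evaluated. A UTC value is converted to local time first,
        /// because OpenSSL is assumed to treat the value it receives as local time.
        /// </param>
        /// <param name="timeout">Time budget for downloads; <see cref="TimeSpan.Zero"/> means unlimited.</param>
        /// <returns>The chain produced by the processor.</returns>
        public static IChainPal BuildChain(
            bool useMachineContext,
            ICertificatePal cert,
            X509Certificate2Collection extraStore,
            OidCollection applicationPolicy,
            OidCollection certificatePolicy,
            X509RevocationMode revocationMode,
            X509RevocationFlag revocationFlag,
            DateTime verificationTime,
            TimeSpan timeout)
        {
            // An input value of 0 on the timeout is "take all the time you need".
            if (timeout == TimeSpan.Zero)
            {
                timeout = TimeSpan.MaxValue;
            }

            // Let Unspecified mean Local, so only convert if the source was UTC.
            //
            // Converge on Local instead of UTC because OpenSSL is going to assume we gave it
            // local time.
            if (verificationTime.Kind == DateTimeKind.Utc)
            {
                verificationTime = verificationTime.ToLocalTime();
            }

            TimeSpan remainingDownloadTime = timeout;

            using (var leaf = new X509Certificate2(cert.Handle))
            {
                var downloaded    = new HashSet<X509Certificate2>();
                var systemTrusted = new HashSet<X509Certificate2>();

                // Assigned inside the try so the finally can tell whether candidate discovery
                // got far enough to hand anything back.
                HashSet<X509Certificate2> candidates = null;

                try
                {
                    candidates = OpenSslX509ChainProcessor.FindCandidates(
                        leaf,
                        extraStore,
                        downloaded,
                        systemTrusted,
                        ref remainingDownloadTime);

                    IChainPal chain = OpenSslX509ChainProcessor.BuildChain(
                        leaf,
                        candidates,
                        downloaded,
                        systemTrusted,
                        applicationPolicy,
                        certificatePolicy,
                        revocationMode,
                        revocationFlag,
                        verificationTime,
                        ref remainingDownloadTime);

#if DEBUG
                    if (chain.ChainElements.Length > 0)
                    {
                        X509Certificate2 reportedLeaf = chain.ChainElements[0].Certificate;
                        Debug.Assert(reportedLeaf != null, "reportedLeaf != null");
                        Debug.Assert(reportedLeaf.Equals(leaf), "reportedLeaf.Equals(leaf)");
                        Debug.Assert(!ReferenceEquals(reportedLeaf, leaf), "!ReferenceEquals(reportedLeaf, leaf)");
                    }
#endif

                    // Only persist downloaded intermediates when the chain came back without status errors.
                    if (chain.ChainStatus.Length == 0 && downloaded.Count > 0)
                    {
                        SaveIntermediateCertificates(chain.ChainElements, downloaded);
                    }

                    return chain;
                }
                finally
                {
                    // Everything we put into the chain has been cloned, so the originals are
                    // disposed here -- on the exception path too, so that a failure while
                    // building the chain or persisting intermediates does not leak them.
                    systemTrusted.DisposeAll();
                    downloaded.DisposeAll();

                    if (candidates != null)
                    {
                        DisposeCandidatesNotFromExtraStore(candidates, extraStore);
                    }
                }
            }
        }

        /// <summary>
        /// Disposes every certificate in <paramref name="candidates"/> that is not the very same
        /// object as an entry of <paramref name="extraStore"/>. Candidates that came from the
        /// extra store were supplied from outside and must be left alone.
        /// </summary>
        /// <param name="candidates">The candidate set returned by the chain processor.</param>
        /// <param name="extraStore">Caller-supplied certificates; may be null, in which case every candidate is disposed.</param>
        private static void DisposeCandidatesNotFromExtraStore(
            HashSet<X509Certificate2> candidates,
            X509Certificate2Collection extraStore)
        {
            // Membership is decided by object identity rather than X509Certificate2's
            // value-based Equals, so only the caller's own instances are protected.
            var extraStoreByReference = new HashSet<X509Certificate2>(
                ReferenceEqualityComparer<X509Certificate2>.Instance);

            if (extraStore != null)
            {
                foreach (X509Certificate2 extraCert in extraStore)
                {
                    extraStoreByReference.Add(extraCert);
                }
            }

            foreach (X509Certificate2 candidate in candidates)
            {
                if (!extraStoreByReference.Contains(candidate))
                {
                    candidate.Dispose();
                }
            }
        }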
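        /// <summary>
        /// Builds a certificate chain for <paramref name="cert"/> with the OpenSSL-backed chain
        /// processor: first from the supplied candidates, then via AIA download when that does
        /// not yield a complete chain. Intermediates downloaded for an OK chain are persisted,
        /// revocation is processed for complete chains unless revocation mode is NoCheck on an
        /// already-OK chain, and the policy checks are applied before the processor is returned.
        /// </summary>
        /// <param name="useMachineContext">Not consulted by this implementation.</param>
        /// <param name="cert">The leaf certificate; must be an <c>OpenSslX509CertificateReader</c>.</param>
        /// <param name="extraStore">Additional candidate certificates for the first chain attempt; may be null.</param>
        /// <param name="applicationPolicy">Application policy OIDs applied in <c>Finish</c>.</param>
        /// <param name="certificatePolicy">Certificate policy OIDs applied in <c>Finish</c>.</param>
        /// <param name="revocationMode">Revocation checking mode; NoCheck on an OK chain skips commit and revocation processing.</param>
        /// <param name="revocationFlag">Revocation flag forwarded to revocation processing.</param>
        /// <param name="customTrustStore">Trust anchors handed to the processor together with <paramref name="trustMode"/>.</param>
        /// <param name="trustMode">Selects how <paramref name="customTrustStore"/> is used.</param>
        /// <param name="verificationTime">
        /// Time at which validity is evaluated. A UTC value is converted to local time first,
        /// because OpenSSL is assumed to treat the value it receives as local time.
        /// </param>
        /// <param name="timeout">Time budget for downloads; <see cref="TimeSpan.Zero"/> means unlimited.</param>
        /// <returns>The finished chain processor.</returns>
        /// <exception cref="InvalidCastException"><paramref name="cert"/> is not an <c>OpenSslX509CertificateReader</c>.</exception>
        public static IChainPal BuildChain(
            bool useMachineContext,
            ICertificatePal cert,
            X509Certificate2Collection? extraStore,
            OidCollection applicationPolicy,
            OidCollection certificatePolicy,
            X509RevocationMode revocationMode,
            X509RevocationFlag revocationFlag,
            X509Certificate2Collection customTrustStore,
            X509ChainTrustMode trustMode,
            DateTime verificationTime,
            TimeSpan timeout)
        {
            // An input value of 0 on the timeout is "take all the time you need".
            if (timeout == TimeSpan.Zero)
            {
                timeout = TimeSpan.MaxValue;
            }

            // Let Unspecified mean Local, so only convert if the source was UTC.
            //
            // Converge on Local instead of UTC because OpenSSL is going to assume we gave it
            // local time.
            if (verificationTime.Kind == DateTimeKind.Utc)
            {
                verificationTime = verificationTime.ToLocalTime();
            }

            // Until we support the Disallowed store, ensure it's empty (which is done by the ctor)
            using (new X509Store(StoreName.Disallowed, StoreLocation.CurrentUser, OpenFlags.ReadOnly))
            {
            }

            TimeSpan remainingDownloadTime = timeout;

            OpenSslX509ChainProcessor chainPal = OpenSslX509ChainProcessor.InitiateChain(
                ((OpenSslX509CertificateReader)cert).SafeHandle,
                customTrustStore,
                trustMode,
                verificationTime,
                remainingDownloadTime);

            Interop.Crypto.X509VerifyStatusCode status = chainPal.FindFirstChain(extraStore);

            if (!OpenSslX509ChainProcessor.IsCompleteChain(status))
            {
                List<X509Certificate2>? tmp = null;
                status = chainPal.FindChainViaAia(ref tmp);

                if (tmp != null)
                {
                    try
                    {
                        if (status == Interop.Crypto.X509VerifyStatusCode.X509_V_OK)
                        {
                            SaveIntermediateCertificates(tmp);
                        }
                    }
                    finally
                    {
                        // The downloaded objects are always disposed here, including when
                        // persisting them throws; without the finally they would leak.
                        foreach (X509Certificate2 downloaded in tmp)
                        {
                            downloaded.Dispose();
                        }
                    }
                }
            }

            // In NoCheck+OK then we don't need to build the chain any more, we already
            // know it's error-free.  So skip straight to finish.
            if (status != Interop.Crypto.X509VerifyStatusCode.X509_V_OK ||
                revocationMode != X509RevocationMode.NoCheck)
            {
                if (OpenSslX509ChainProcessor.IsCompleteChain(status))
                {
                    chainPal.CommitToChain();
                    chainPal.ProcessRevocation(revocationMode, revocationFlag);
                }
            }

            chainPal.Finish(applicationPolicy, certificatePolicy);

#if DEBUG
            if (chainPal.ChainElements!.Length > 0)
            {
                X509Certificate2 reportedLeaf = chainPal.ChainElements[0].Certificate;
                Debug.Assert(reportedLeaf != null, "reportedLeaf != null");
                Debug.Assert(!ReferenceEquals(cert, reportedLeaf.Pal), "!ReferenceEquals(cert, reportedLeaf.Pal)");
            }
#endif
            return chainPal;
        }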
 /// <summary>
 /// Delegates to <c>OpenSslX509ChainProcessor.FlushStores()</c>.
 /// </summary>
 public static void FlushStores() => OpenSslX509ChainProcessor.FlushStores();