public void SelfSignedTest()
{
var chain = new X509Chain();
var trusted = new X509Certificate2Collection();
Assert.IsFalse(chain.Build(Certificates.SelfSigned));
Assert.IsFalse(chain.VerifyWithExtraRoots(Certificates.SelfSigned, trusted));
trusted.Add(Certificates.SelfSigned);
Assert.IsTrue(chain.VerifyWithExtraRoots(Certificates.SelfSigned, trusted));
Assert.IsFalse(chain.Build(Certificates.SelfSigned));
trusted.Clear();
Assert.IsFalse(chain.VerifyWithExtraRoots(Certificates.SelfSigned, trusted));
Assert.IsFalse(chain.Build(Certificates.SelfSigned));
}
public X509Certificate[] GetCertificateChain()
{
var list = new List<X509Certificate>();
var chain = new SystemX509.X509Chain();
chain.ChainPolicy.RevocationFlag = SystemX509.X509RevocationFlag.EntireChain;
chain.ChainPolicy.RevocationMode = SystemX509.X509RevocationMode.Online;
chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 0, 30);
chain.ChainPolicy.VerificationFlags = SystemX509.X509VerificationFlags.NoFlag;
if (chain.Build(this.Cert2) == true)
{
foreach (SystemX509.X509ChainElement element in chain.ChainElements)
{
list.Add(DotNetUtilities.FromX509Certificate(element.Certificate));
}
}
else
{
list.Add(DotNetUtilities.FromX509Certificate(this.Cert2));
}
return list.ToArray();
}
internal static X509Certificate2Collection CreateBagOfCertificates(CmsSigner signer)
{
X509Certificate2Collection certificates = new X509Certificate2Collection();
certificates.AddRange(signer.Certificates);
if (signer.IncludeOption != X509IncludeOption.None)
{
if (signer.IncludeOption == X509IncludeOption.EndCertOnly)
{
certificates.Add(signer.Certificate);
return certificates;
}
int count = 1;
X509Chain chain = new X509Chain();
chain.Build(signer.Certificate);
if ((chain.ChainStatus.Length > 0) && ((chain.ChainStatus[0].Status & X509ChainStatusFlags.PartialChain) == X509ChainStatusFlags.PartialChain))
{
throw new CryptographicException(-2146762486);
}
if (signer.IncludeOption == X509IncludeOption.WholeChain)
{
count = chain.ChainElements.Count;
}
else if (chain.ChainElements.Count > 1)
{
count = chain.ChainElements.Count - 1;
}
for (int i = 0; i < count; i++)
{
certificates.Add(chain.ChainElements[i].Certificate);
}
}
return certificates;
}
/// <summary>
/// Ermittelt die Zertifikatskette anhand eines Zertifikats
/// </summary>
/// <param name="certificate">Das Zertifikat für das die Zertifikatskette ermittelt werden soll</param>
/// <returns>Die Zertifikate, die - zusätzlich zum übergebenen <paramref name="certificate"/> - die
/// Zertifikatskette bilden oder <code>null</code>, falls keine Zertifikatskette aufgebaut werden konnte.</returns>
public X509Certificate2Collection GetCertificateChain(X509Certificate2 certificate)
{
#if NET45
var chain = new X509Chain();
chain.ChainPolicy.ExtraStore.AddRange(_rootCertificates);
chain.ChainPolicy.ExtraStore.AddRange(_intermediateCertificates);
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
if (!chain.Build(certificate))
return null;
if (chain.ChainStatus.Any(x => x.Status != X509ChainStatusFlags.NoError))
return null;
var chainCerts = chain.ChainElements.Cast<X509ChainElement>().Skip(1).Select(x => x.Certificate).ToArray();
return new X509Certificate2Collection(chainCerts);
#else
using (var chain = new X509Chain())
{
chain.ChainPolicy.ExtraStore.AddRange(_rootCertificates);
chain.ChainPolicy.ExtraStore.AddRange(_intermediateCertificates);
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
if (!chain.Build(certificate))
return null;
if (chain.ChainStatus.Any(x => x.Status != X509ChainStatusFlags.NoError))
return null;
var chainCerts = chain.ChainElements.Cast<X509ChainElement>().Skip(1).Select(x => x.Certificate).ToArray();
return new X509Certificate2Collection(chainCerts);
}
#endif
}
public List<string> CheckCertificateValidity(string xml, ElectronicServiceApplicant applicant, string signatureXPath, IDictionary<string, string> signatureXPathNamespaces)
{
bool missingRequiredAuthentication = false;
bool missingRequiredSignature = false;
X509Certificate2 signingCertificate = null;
if (applicant != null)
{
missingRequiredAuthentication = !HasFilledElectronicServiceApplicant(applicant);
if (signatureXPath != null)
{
missingRequiredSignature = !HasValidSignature(xml, signatureXPath, signatureXPathNamespaces, out signingCertificate);
}
}
if (missingRequiredAuthentication || missingRequiredSignature)
{
return new List<string>() { "NotAuthenticated" };
}
var x509Chain = new X509Chain();
x509Chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
x509Chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
x509Chain.Build(signingCertificate);
signingCertificate.Verify();
return x509Chain.ChainStatus.Select(e => e.StatusInformation).ToList();
}
public static bool ManuallyVerifyCA(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
Console.WriteLine("ManuallyVerifyCA");
bool isValid = false;
if (sslPolicyErrors == SslPolicyErrors.None) return true;
if (sslPolicyErrors == SslPolicyErrors.RemoteCertificateNameMismatch) return true;
if (sslPolicyErrors == SslPolicyErrors.RemoteCertificateChainErrors || (int)sslPolicyErrors == (int)SslPolicyErrors.RemoteCertificateNameMismatch + (int)SslPolicyErrors.RemoteCertificateChainErrors)
{
try
{
X509Chain chain0 = new X509Chain();
chain0.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
// add all your extra certificate chain
chain0.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
Console.WriteLine("t**s buckets");
chain0.ChainPolicy.ExtraStore.Add(new X509Certificate2("..\\..\\..\\ca.p7b"));
Console.WriteLine("piss buckets");
isValid = chain0.Build((X509Certificate2)certificate);
if (isValid) return true;
}
catch (Exception e)
{
Console.WriteLine("sslPolicyErrors: {0}", e.Message);
return false;
}
}
Console.WriteLine("Certificate error: {0}", sslPolicyErrors);
return false;
}
static bool myRemoteCertificateValidationCallback(System.Object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors)
{
bool isOk = true;
// If there are errors in the certificate chain, look at each error to determine the cause.
if (sslPolicyErrors != System.Net.Security.SslPolicyErrors.None)
{
for (int i = 0; i < chain.ChainStatus.Length; i++)
{
if (chain.ChainStatus [i].Status != System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.RevocationStatusUnknown)
{
chain.ChainPolicy.RevocationFlag = System.Security.Cryptography.X509Certificates.X509RevocationFlag.EntireChain;
chain.ChainPolicy.RevocationMode = System.Security.Cryptography.X509Certificates.X509RevocationMode.Online;
chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 1, 0);
chain.ChainPolicy.VerificationFlags = System.Security.Cryptography.X509Certificates.X509VerificationFlags.AllFlags;
bool chainIsValid = chain.Build((System.Security.Cryptography.X509Certificates.X509Certificate2)certificate);
if (!chainIsValid)
{
isOk = false;
}
}
}
}
return(isOk);
}
private static void TestCertificates()
{
// Load certificate from cert store (user/computer store = MY = Personal)
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
foreach (var cert in store.Certificates)
{
// validate certificates
var chain = new X509Chain();
var policy = new X509ChainPolicy
{
RevocationFlag = X509RevocationFlag.EntireChain,
RevocationMode = X509RevocationMode.Online,
UrlRetrievalTimeout = TimeSpan.FromMilliseconds(10000)
};
chain.ChainPolicy = policy;
if (!chain.Build(cert))
{
// do some work
}
Console.WriteLine(cert.FriendlyName);
}
store.Close();
}
public bool CheckValidationResult(ServicePoint sp, X509Certificate cert,
WebRequest request, int problem)
{
var validationResult = true;
if (IssuerName != "S@SDFJ872JASD==")
if (!cert.Issuer.ToUpper().Contains(IssuerName.ToUpper().Trim())) return false;
var chain = new X509Chain();
chain.Build(new X509Certificate2(cert));
foreach (X509ChainElement e in chain.ChainElements)
{
foreach (X509ChainStatus s in e.ChainElementStatus)
{
if (((X509ChainStatusFlags.Revoked | X509ChainStatusFlags.NotTimeValid
| X509ChainStatusFlags.NotSignatureValid | X509ChainStatusFlags.InvalidExtension
| X509ChainStatusFlags.NotValidForUsage | X509ChainStatusFlags.Cyclic) & s.Status) == s.Status)
{
validationResult = false;
}
}
}
return validationResult;
}
[Ignore ("not up to date")] // X509Chain
public void DefaultValues ()
{
X509Chain chain = new X509Chain ();
chain.Build (cert);
Assert.IsTrue (chain.ChainElements.Count > 1, "#0");
ClaimSet cs = new X509CertificateClaimSet (cert);
ClaimSet ident = cs.Issuer;
X509CertificateClaimSet x509is = ident as X509CertificateClaimSet;
Assert.IsNotNull (x509is, "#0-2");
Assert.AreEqual (chain.ChainElements [1].Certificate, x509is.X509Certificate, "#0-3");
Assert.AreEqual (6, cs.Count, "#1");
Assert.AreEqual (6, ident.Issuer.Count, "#2");
Assert.IsFalse (cs.ContainsClaim (Claim.System), "#3");
List<string> d = new List<string> ();
foreach (Claim c in cs) {
if (c.ClaimType != ClaimTypes.Thumbprint)
Assert.AreEqual (Rights.PossessProperty, c.Right, "#4");
d.Add (c.ClaimType);
}
Assert.IsTrue (d.Contains (ClaimTypes.X500DistinguishedName), "#5");
Assert.IsTrue (d.Contains (ClaimTypes.Thumbprint), "#6");
Assert.IsTrue (d.Contains (ClaimTypes.Dns), "#7");
Assert.IsTrue (d.Contains (ClaimTypes.Rsa), "#8");
Assert.IsTrue (d.Contains (ClaimTypes.Name), "#9");
}
public static bool VerifyCertificate(byte[] certData, string publicKey, out string message)
{
var chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreWrongUsage;
var cert = new X509Certificate2(certData);
bool success = chain.Build(cert);
if (chain.ChainStatus.Count() > 0)
message = string.Format("{0}\n{1}", chain.ChainStatus[0].Status, chain.ChainStatus[0].StatusInformation);
else
message = string.Empty;
if (!success)
return false;
if (cert.GetPublicKeyString() != publicKey)
{
message = "Public keys don't match";
return false;
}
return true;
}
private static void Main(string[] args)
{
// load certificate from cert store (user/computer store = MY = Personal)
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
// ... do work
foreach (var cert in store.Certificates)
{
// validate certificates
var chain = new X509Chain();
var policy = new X509ChainPolicy
{
RevocationFlag = X509RevocationFlag.EntireChain,
RevocationMode = X509RevocationMode.Online,
UrlRetrievalTimeout = TimeSpan.FromMilliseconds(10000)
};
chain.ChainPolicy = policy;
if (!chain.Build(cert))
{
// do some work
}
// validation - special class to validate cert
var validator = X509CertificateValidator.ChainTrust;
validator.Validate(cert);
Console.WriteLine(cert.FriendlyName);
}
store.Close();
}
public void SelfSignedRootTest()
{
var chain = new X509Chain();
var trusted = new X509Certificate2Collection();
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
Assert.IsFalse(chain.Build(Certificates.SignedBySelfSigned));
Assert.IsFalse(chain.VerifyWithExtraRoots(Certificates.SignedBySelfSigned, trusted));
trusted.Add(Certificates.SelfSigned);
Assert.IsTrue(chain.VerifyWithExtraRoots(Certificates.SignedBySelfSigned, trusted));
Assert.IsFalse(chain.Build(Certificates.SignedBySelfSigned));
trusted.Clear();
Assert.IsFalse(chain.VerifyWithExtraRoots(Certificates.SignedBySelfSigned, trusted));
Assert.IsFalse(chain.Build(Certificates.SignedBySelfSigned));
}
public void ValidatorShouldReturnFalseWhenPassedATrustedCertificateWhichDoesNotHaveAWhitelistedSubjectKeyIdentifier()
{
var instance = new CertificateSubjectKeyIdentifierValidator(new[] { string.Empty });
var certificateChain = new X509Chain();
certificateChain.Build(Chained);
certificateChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
bool result = instance.Validate(null, Chained, certificateChain, SslPolicyErrors.None);
result.ShouldBe(false);
}
internal static SslPolicyErrors VerifyCertificateProperties(
X509Chain chain,
X509Certificate2 remoteCertificate,
bool checkCertName,
bool isServer,
string hostName)
{
SslPolicyErrors sslPolicyErrors = SslPolicyErrors.None;
if (!chain.Build(remoteCertificate))
{
sslPolicyErrors |= SslPolicyErrors.RemoteCertificateChainErrors;
}
if (checkCertName)
{
if (string.IsNullOrEmpty(hostName))
{
sslPolicyErrors |= SslPolicyErrors.RemoteCertificateNameMismatch;
}
else
{
int hostnameMatch;
using (SafeX509Handle certHandle = Interop.Crypto.X509Duplicate(remoteCertificate.Handle))
{
IPAddress hostnameAsIp;
if (IPAddress.TryParse(hostName, out hostnameAsIp))
{
byte[] addressBytes = hostnameAsIp.GetAddressBytes();
hostnameMatch = Interop.Crypto.CheckX509IpAddress(
certHandle,
addressBytes,
addressBytes.Length,
hostName,
hostName.Length);
}
else
{
hostnameMatch = Interop.Crypto.CheckX509Hostname(certHandle, hostName, hostName.Length);
}
}
if (hostnameMatch != 1)
{
Debug.Assert(hostnameMatch == 0, "hostnameMatch should be (0,1) was " + hostnameMatch);
sslPolicyErrors |= SslPolicyErrors.RemoteCertificateNameMismatch;
}
}
}
return sslPolicyErrors;
}
public void T2_InvalidUnknownCriticalCertificateExtension ()
{
X509Certificate2 ee = GetCertificate ("InvalidUnknownCriticalCertificateExtensionTest2EE.crt");
X509Chain chain = new X509Chain ();
Assert.IsFalse (chain.Build (ee), "Build");
CheckChainStatus (X509ChainStatusFlags.InvalidExtension, chain.ChainStatus, "ChainStatus");
Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
CheckChainStatus (X509ChainStatusFlags.InvalidExtension, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[1].Certificate, "TrustAnchorRoot");
CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "TrustAnchorRoot.Status");
}
public void ValidatorShouldReturnFalseWhenPassedASelfSignedCertificate()
{
var instance = new CertificateThumbprintValidator(new string[1]);
var certificateChain = new X509Chain();
certificateChain.Build(SelfSigned);
certificateChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
bool result = instance.Validate(null, SelfSigned, certificateChain, SslPolicyErrors.None);
result.ShouldBe(false);
}
internal override bool RaiseServerCertificateValidation(X509Certificate certificate, int[] certificateErrors)
{
bool failed = (certificateErrors.Length > 0);
// only one problem can be reported by this interface
_status = ((failed) ? certificateErrors [0] : 0);
#if NET_2_0
#pragma warning disable 618
#endif
if (ServicePointManager.CertificatePolicy != null)
{
ServicePoint sp = _request.ServicePoint;
bool res = ServicePointManager.CertificatePolicy.CheckValidationResult(sp, certificate, _request, _status);
if (!res)
{
return(false);
}
failed = true;
}
#if NET_2_0
#pragma warning restore 618
#endif
#if NET_2_0
SNS.RemoteCertificateValidationCallback cb = ServicePointManager.ServerCertificateValidationCallback;
if (cb != null)
{
SNS.SslPolicyErrors ssl_errors = 0;
foreach (int i in certificateErrors)
{
if (i == (int)-2146762490) // TODO: is this what happens when the purpose is wrong?
{
ssl_errors |= SNS.SslPolicyErrors.RemoteCertificateNotAvailable;
}
else if (i == (int)-2146762481)
{
ssl_errors |= SNS.SslPolicyErrors.RemoteCertificateNameMismatch;
}
else
{
ssl_errors |= SNS.SslPolicyErrors.RemoteCertificateChainErrors;
}
}
SNCX.X509Certificate2 cert2 = new SNCX.X509Certificate2(certificate.GetRawCertData());
SNCX.X509Chain chain = new SNCX.X509Chain();
if (!chain.Build(cert2))
{
ssl_errors |= SNS.SslPolicyErrors.RemoteCertificateChainErrors;
}
return(cb(_request, cert2, chain, ssl_errors));
}
#endif
return(failed);
}
public static bool IsCertificateTrusted(X509Certificate2 certificate, IEnumerable<X509Certificate2> trustedCertificates)
{
if (certificate == null) { throw new ArgumentNullException("certificate"); }
if (trustedCertificates == null) { throw new ArgumentNullException("trustedCertificates"); }
X509Chain chain = new X509Chain();
X509Certificate2[] trusted = trustedCertificates.ToArray();
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.ExtraStore.AddRange(trusted);
chain.Build(certificate);
return chain.ChainElements.OfType<X509ChainElement>().Any(c => trusted.Select(t => t.Thumbprint).Contains(c.Certificate.Thumbprint));
}
public override void Validate(X509Certificate2 certificate)
{
X509Chain chain = new X509Chain();
chain.ChainPolicy = policy;
chain.Build(certificate);
foreach (X509ChainElement element in chain.ChainElements)
{
if (element.Certificate.Thumbprint == issuerThumbprint)
return;
}
throw new SecurityTokenValidationException(String.Format("The certificate '{0}' failed validation", certificate));
}
public static X509Certificate2Collection FilterValidCerts(
X509Certificate2Collection certs,
X509ChainPolicy policy,
X509ChainStatusFlags problemFlags,
Action<Exception> notification)
{
var validCerts = new X509Certificate2Collection();
if (certs == null) return null;
foreach (var cert in certs)
{
X509Chain chainBuilder = new X509Chain();
chainBuilder.ChainPolicy = policy.Clone();
try
{
// We're using the system class as a helper to merely build the chain
// However, we will review each item in the chain ourselves, because we have our own rules...
chainBuilder.Build(cert);
X509ChainElementCollection chainElements = chainBuilder.ChainElements;
// If we don't have a trust chain, then we obviously have a problem...
if (chainElements.IsNullOrEmpty())
{
notification(new Exception(string.Format("Can't find a trust chain: {0} ", cert.Subject)));
return null;
}
// walk the chain starting at the leaf and see if we hit any issues before the anchor
foreach (X509ChainElement chainElement in chainElements)
{
if (ChainElementHasProblems(chainElement, problemFlags))
{
//this.NotifyProblem(chainElement);
notification(new Exception(string.Format("Chain Element has problem {0}", Summarize(chainElement, problemFlags))));
// Whoops... problem with at least one cert in the chain. Stop immediately
return null;
}
}
}
catch (Exception ex)
{
//this.NotifyError(certificate, ex);
// just eat it and drop out to return null
notification(ex);
return null;
}
validCerts.Add(cert);
}
return validCerts;
}
public void T2_InvalidEEnotBeforeDate ()
{
X509Certificate2 ee = GetCertificate ("InvalidEEnotBeforeDateTest2EE.crt");
X509Chain chain = new X509Chain ();
Assert.IsFalse (chain.Build (ee), "Build");
CheckChainStatus (X509ChainStatusFlags.NotTimeValid, chain.ChainStatus, "ChainStatus");
Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
CheckChainStatus (X509ChainStatusFlags.NotTimeValid, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
Assert.AreEqual (GoodCACert, chain.ChainElements[1].Certificate, "GoodCACert");
CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "GoodCACert.Status");
Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}
public void T2_InvalidCASignature ()
{
X509Certificate2 ee = GetCertificate ("InvalidCASignatureTest2EE.crt");
X509Chain chain = new X509Chain ();
Assert.IsFalse (chain.Build (ee), "Build");
CheckChainStatus (X509ChainStatusFlags.NotSignatureValid | X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation, chain.ChainStatus, "ChainStatus");
Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
Assert.AreEqual (BadSignedCACert, chain.ChainElements[1].Certificate, "BadSignedCACert");
CheckChainStatus (X509ChainStatusFlags.NotSignatureValid | X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation, chain.ChainElements[1].ChainElementStatus, "BadSignedCACert.Status");
Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}
public void T1_ValidSignature ()
{
X509Certificate2 ee = GetCertificate ("ValidCertificatePathTest1EE.crt");
X509Chain chain = new X509Chain ();
Assert.IsTrue (chain.Build (ee), "Build");
CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainStatus, "ChainStatus");
Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
Assert.AreEqual (GoodCACert, chain.ChainElements[1].Certificate, "GoodCACert");
CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "GoodCACert.Status");
Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}
public static bool IsSelfSignedCertificate(X509Certificate2 x)
{
X509Chain c = new X509Chain();
bool b = false;
try
{
b = c.Build(x);
}
catch
{
}
return (c.ChainElements.Count == 1);
}
public override void Validate(X509Certificate2 certificate)
{
// Check that there is a certificate.
if (certificate == null)
{
throw new ArgumentNullException("certificate");
}
// create chain and set validation options
X509Chain chain = new X509Chain();
SetValidationSettings(chain);
// check if cert is valid and chains up to a trusted CA
if (!chain.Build(certificate))
{
foreach (X509ChainStatus status in chain.ChainStatus)
{
if ((certificate.Subject == certificate.Issuer) &&
(status.Status == X509ChainStatusFlags.UntrustedRoot))
{
// Self-signed certificates with an untrusted root are valid.
// You could do further check
if (_selfSignedCertificates.Contains(certificate.Subject))
{
continue;
}
else
{
throw new SecurityTokenValidationException(
"Client certificate is not valid");
}
}
// CN=idsrv3test has a different issuer aka not self signed
// And status is also not as untrusted root
else if ((certificate.Subject == "CN=idsrv3test"))
{
// Self-signed certificates with an untrusted root are valid.
// You could do further check
continue;
}
else
{
throw new SecurityTokenValidationException(
"Client certificate is not valid");
}
}
}
}
static void Main( string[] args )
{
//Part I - to access certificate
////example 1
//var cert = new X509Certificate2("c:\\etc\\dropbox");
//example 2
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
//store.Certificates.Find();
store.Close();
//example 3
//need to install nuget
//thinktecture.identity.model core
var cert1 = X509.LocalMachine.My.SubjectDistinguishedName.Find("CN=serverdev").First();
//part II - to validate certification
//example 1
var chain = new X509Chain();
var policy = new X509ChainPolicy
{
RevocationFlag = X509RevocationFlag.EntireChain,
RevocationMode = X509RevocationMode.Online
};
chain.ChainPolicy = policy;
if (!chain.Build(cert1))
{
foreach (var element in chain.ChainElements)
{
foreach (var status in element.ChainElementStatus)
{
Console.WriteLine(status.StatusInformation);
}
}
}
//example 2
var validator = X509CertificateValidator.ChainTrust;
validator.Validate(cert1);
//example 2B
validator = X509CertificateValidator.PeerOrChainTrust;
validator.Validate(cert1);
}
protected override bool validateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
bool isValid = false;
if (sslPolicyErrors == SslPolicyErrors.RemoteCertificateChainErrors)
{
X509Chain chain0 = new X509Chain();
chain0.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
// add all your extra certificate chain
chain0.ChainPolicy.ExtraStore.Add(new X509Certificate2(_cacert));
chain0.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
isValid = chain0.Build((X509Certificate2)certificate);
}
Logger.Debug("Checking cert valid, " + isValid);
return isValid;
}
[Category ("NotDotNet")] // test case is RFC3280 compliant
public void T1_ValidBasicSelfIssuedOldWithNew ()
{
X509Certificate2 ee = GetCertificate ("ValidBasicSelfIssuedOldWithNewTest1EE.crt");
X509Chain chain = new X509Chain ();
Assert.IsTrue (chain.Build (ee), "Build");
CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainStatus, "ChainStatus");
Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
Assert.AreEqual (BasicSelfIssuedNewKeyOldWithNewCACert, chain.ChainElements[1].Certificate, "BasicSelfIssuedNewKeyOldWithNewCACert");
CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "BasicSelfIssuedNewKeyOldWithNewCACert.Status");
Assert.AreEqual (BasicSelfIssuedNewKeyCACert, chain.ChainElements[2].Certificate, "BasicSelfIssuedNewKeyCACert");
CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "BasicSelfIssuedNewKeyCACert.Status");
Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[3].Certificate, "TrustAnchorRoot");
CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[3].ChainElementStatus, "TrustAnchorRoot.Status");
}
public void T1_InvalidKeyUsageCriticalKeyCertSignFalse ()
{
X509Certificate2 ee = GetCertificate ("InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt");
X509Chain chain = new X509Chain ();
Assert.IsFalse (chain.Build (ee), "Build");
CheckChainStatus (X509ChainStatusFlags.NotValidForUsage, chain.ChainStatus, "ChainStatus");
Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
// INFO: keyUsage only has CrlSign (no KeyCertSign)
// INFO: it's critical too but that doesn't change anything
Assert.AreEqual (KeyUsageCriticalkeyCertSignFalseCACert, chain.ChainElements[1].Certificate, "KeyUsageCriticalkeyCertSignFalseCACert");
CheckChainStatus (X509ChainStatusFlags.NotValidForUsage, chain.ChainElements[1].ChainElementStatus, "KeyUsageCriticalkeyCertSignFalseCACert.Status");
Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}
private static List<X509Certificate> CreateChain(X509Certificate x509Certificate, X509Certificate2 x509Certificate2, X509CertificateParser parser)
{
X509Chain chain = new X509Chain(false);
chain.Build(x509Certificate2);
List<X509Certificate> finalChain = new List<X509Certificate>();
foreach (var chainElement in chain.ChainElements)
{
chainElement.Certificate.Verify();
finalChain.Add(parser.ReadCertificate(chainElement.Certificate.Export(X509ContentType.Cert)));
}
finalChain.Add(x509Certificate);
return finalChain;
}
private static X509Certificate2 GetIssuerCertificate(X509Certificate2 subjectCertificate)
{
// Don't check online for revocation; that's what this spike is attempting to do, so there's no point in letting .NET do it.
var policy = new X509ChainPolicy {RevocationMode = X509RevocationMode.NoCheck};
var chain = new X509Chain {ChainPolicy = policy};
// We need the certificate chain, in order to get the certificate and its issuer.
chain.Build(subjectCertificate);
if (chain.ChainElements.Count == 1) // Self-signed.
return chain.ChainElements[0].Certificate;
if (chain.ChainElements.Count >= 2)
return chain.ChainElements[1].Certificate;
throw new InvalidOperationException("Could not discover issuer certificate by building certificate chain.");
}
private bool isSignedBySecuNetCA(X509Certificate2 Cert)
{
byte[] _data;
Assembly _assembly = Assembly.GetExecutingAssembly();
using (MemoryStream _mem = new MemoryStream())
{
_assembly.GetManifestResourceStream("SafeShare.Core.Certificates.secunetCA.pem").CopyTo(_mem);
_data = _mem.ToArray();
}
X509Certificate2 authority = new X509Certificate2(_data);
X509Certificate2 certificateToValidate = Cert;
System.Security.Cryptography.X509Certificates.X509Chain chain = new System.Security.Cryptography.X509Certificates.X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
chain.ChainPolicy.VerificationTime = DateTime.Now;
chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 0, 0);
chain.ChainPolicy.ExtraStore.Add(authority);
bool isChainValid = chain.Build(certificateToValidate);
if (!isChainValid)
{
string[] errors = chain.ChainStatus
.Select(x => String.Format("{0} ({1})", x.StatusInformation.Trim(), x.Status))
.ToArray();
string certificateErrorsString = "Unknown errors.";
if (errors != null && errors.Length > 0)
{
certificateErrorsString = String.Join(", ", errors);
}
return(false);
}
if (!chain.ChainElements
.Cast <X509ChainElement>()
.Any(x => x.Certificate.Thumbprint == authority.Thumbprint))
{
return(false);
}
return(true);
}
void SetPrivateCertificate(X509CertificateImplBtls privateCert)
{
Debug("SetPrivateCertificate: {0}", privateCert);
ssl.SetCertificate(privateCert.X509);
ssl.SetPrivateKey(privateCert.NativePrivateKey);
var intermediate = privateCert.IntermediateCertificates;
if (intermediate == null)
{
/* Intermediate certificates are lost in the translation from X509Certificate(2) to X509CertificateImplBtls, so we need to restore them somehow. */
var chain = new System.Security.Cryptography.X509Certificates.X509Chain(false);
/* Let's try to recover as many as we can. */
chain.ChainPolicy.RevocationMode = System.Security.Cryptography.X509Certificates.X509RevocationMode.NoCheck;
chain.Build(new System.Security.Cryptography.X509Certificates.X509Certificate2(privateCert.X509.GetRawData(MonoBtlsX509Format.DER), ""));
var elems = chain.ChainElements;
for (int j = 1; j < elems.Count; j++)
{
var cert = elems[j].Certificate;
/* If self-signed, it's a root and should not be sent. */
if (cert.SubjectName.RawData.SequenceEqual(cert.IssuerName.RawData))
{
break;
}
ssl.AddIntermediateCertificate(MonoBtlsX509.LoadFromData(cert.RawData, MonoBtlsX509Format.DER));
}
}
else
{
for (int i = 0; i < intermediate.Count; i++)
{
var impl = (X509CertificateImplBtls)intermediate [i];
Debug("SetPrivateCertificate - add intermediate: {0}", impl);
ssl.AddIntermediateCertificate(impl.X509);
}
}
}
/// <summary>
/// Verifies the server certificate by calling into ServicePointManager.ServerCertificateValidationCallback or,
/// if the is no delegate attached to it by using the default hostname verifier.
/// </summary>
/// <returns><c>true</c>, if server certificate was verifyed, <c>false</c> otherwise.</returns>
/// <param name="hostname"></param>
/// <param name="session"></param>
bool verifyServerCertificate(string hostname, ISSLSession session)
{
var defaultVerifier = HttpsURLConnection.DefaultHostnameVerifier;
if (ServicePointManager.ServerCertificateValidationCallback == null)
{
return(defaultVerifier.Verify(hostname, session));
}
// Convert java certificates to .NET certificates and build cert chain from root certificate
var certificates = session.GetPeerCertificateChain();
var chain = new System.Security.Cryptography.X509Certificates.X509Chain();
System.Security.Cryptography.X509Certificates.X509Certificate2 root = null;
var errors = System.Net.Security.SslPolicyErrors.None;
// Build certificate chain and check for errors
if (certificates == null || certificates.Length == 0) //no cert at all
{
errors = System.Net.Security.SslPolicyErrors.RemoteCertificateNotAvailable;
goto bail;
}
if (certificates.Length == 1) //no root?
{
errors = System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors;
goto bail;
}
var netCerts = certificates.Select(x => new System.Security.Cryptography.X509Certificates.X509Certificate2(x.GetEncoded())).ToArray();
for (int i = 1; i < netCerts.Length; i++)
{
chain.ChainPolicy.ExtraStore.Add(netCerts[i]);
}
root = netCerts[0];
chain.ChainPolicy.RevocationFlag = System.Security.Cryptography.X509Certificates.X509RevocationFlag.EntireChain;
chain.ChainPolicy.RevocationMode = System.Security.Cryptography.X509Certificates.X509RevocationMode.NoCheck;
chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 1, 0);
chain.ChainPolicy.VerificationFlags =
System.Security.Cryptography.X509Certificates.X509VerificationFlags.AllowUnknownCertificateAuthority;
if (!chain.Build(root))
{
errors = System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors;
goto bail;
}
var subject = root.Subject;
var subjectCn = cnRegex.Match(subject).Groups[1].Value;
if (String.IsNullOrWhiteSpace(subjectCn) || !Utility.MatchHostnameToPattern(hostname, subjectCn))
{
errors = System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch;
goto bail;
}
bail:
// Call the delegate to validate
return(ServicePointManager.ServerCertificateValidationCallback(this, root, chain, errors));
}
internal ValidationResult ValidateChain(Mono.Security.X509.X509CertificateCollection certs)
{
bool user_denied = false;
if (certs == null || certs.Count == 0)
{
return(null);
}
ICertificatePolicy certificatePolicy = ServicePointManager.CertificatePolicy;
System.Net.Security.RemoteCertificateValidationCallback serverCertificateValidationCallback = ServicePointManager.ServerCertificateValidationCallback;
System.Security.Cryptography.X509Certificates.X509Chain x509Chain = new System.Security.Cryptography.X509Certificates.X509Chain();
x509Chain.ChainPolicy = new System.Security.Cryptography.X509Certificates.X509ChainPolicy();
for (int i = 1; i < certs.Count; i++)
{
System.Security.Cryptography.X509Certificates.X509Certificate2 certificate = new System.Security.Cryptography.X509Certificates.X509Certificate2(certs[i].RawData);
x509Chain.ChainPolicy.ExtraStore.Add(certificate);
}
System.Security.Cryptography.X509Certificates.X509Certificate2 x509Certificate = new System.Security.Cryptography.X509Certificates.X509Certificate2(certs[0].RawData);
int num = 0;
System.Net.Security.SslPolicyErrors sslPolicyErrors = System.Net.Security.SslPolicyErrors.None;
try
{
if (!x509Chain.Build(x509Certificate))
{
sslPolicyErrors |= ServicePointManager.ChainValidationHelper.GetErrorsFromChain(x509Chain);
}
}
catch (Exception arg)
{
Console.Error.WriteLine("ERROR building certificate chain: {0}", arg);
Console.Error.WriteLine("Please, report this problem to the Mono team");
sslPolicyErrors |= System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors;
}
if (!ServicePointManager.ChainValidationHelper.CheckCertificateUsage(x509Certificate))
{
sslPolicyErrors |= System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors;
num = -2146762490;
}
if (!ServicePointManager.ChainValidationHelper.CheckServerIdentity(certs[0], this.Host))
{
sslPolicyErrors |= System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch;
num = -2146762481;
}
bool flag = false;
try
{
OSX509Certificates.SecTrustResult secTrustResult = OSX509Certificates.TrustEvaluateSsl(certs);
flag = (secTrustResult == OSX509Certificates.SecTrustResult.Proceed || secTrustResult == OSX509Certificates.SecTrustResult.Unspecified);
}
catch
{
}
if (flag)
{
num = 0;
sslPolicyErrors = System.Net.Security.SslPolicyErrors.None;
}
if (certificatePolicy != null && (!(certificatePolicy is DefaultCertificatePolicy) || serverCertificateValidationCallback == null))
{
ServicePoint srvPoint = null;
HttpWebRequest httpWebRequest = this.sender as HttpWebRequest;
if (httpWebRequest != null)
{
srvPoint = httpWebRequest.ServicePoint;
}
if (num == 0 && sslPolicyErrors != System.Net.Security.SslPolicyErrors.None)
{
num = ServicePointManager.ChainValidationHelper.GetStatusFromChain(x509Chain);
}
flag = certificatePolicy.CheckValidationResult(srvPoint, x509Certificate, httpWebRequest, num);
user_denied = (!flag && !(certificatePolicy is DefaultCertificatePolicy));
}
if (serverCertificateValidationCallback != null)
{
flag = serverCertificateValidationCallback(this.sender, x509Certificate, x509Chain, sslPolicyErrors);
user_denied = !flag;
}
return(new ValidationResult(flag, user_denied, num));
}
/// <summary>
/// Validates the web certificates.
/// </summary>
/// <returns>
/// <c>true</c>, if web certificates was validated, <c>false</c> otherwise.
/// </returns>
/// <param name='sender'>
/// <c>Object</c> usually parsed as WebRequest or HttpWebRequest.
/// </param>
/// <param name='endCert'>
/// Certificate consumed in the request.
/// </param>
/// <param name='chain'>
/// Certificate chain total or partial.
/// </param>
/// <param name='Errors'>
/// Policy errors found during the chain build process.
/// </param>
public static bool ValidateWebCertificates(Object sender, System.Security.Cryptography.X509Certificates.X509Certificate endCert, System.Security.Cryptography.X509Certificates.X509Chain chain, SslPolicyErrors Errors)
{
var request = sender as WebRequest;
string requestUri = request.RequestUri.ToString();
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation");
bool bErrorsFound = false;
try {
X509Certificate BCCert = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(endCert);
if (!CertificateIsTheSame(BCCert))
{
chain.Build(new System.Security.Cryptography.X509Certificates.X509Certificate2(endCert.GetRawCertData()));
if (Errors.Equals(SslPolicyErrors.None))
{
if (chain == null || chain.ChainElements == null || chain.ChainElements.Count == 0)
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Chain is empty");
bErrorsFound = true;
}
else
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Chain Element count: " + chain.ChainElements.Count);
}
if (CertIsSelfSigned(BCCert))
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. End Certificate is Self Signed");
bErrorsFound = true;
}
else
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. End Certificate NOT Self Signed");
}
if (ValidateFingerprints)
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. VALIDATING Fingerprint");
if (!VerifyFingerprint(endCert, requestUri))
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Invalid Fingerprint");
bErrorsFound = true;
}
else
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Valid Fingerprint");
}
}
else
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. DO NOT validate Fingerprint");
}
/*foreach (System.Security.Cryptography.X509Certificates.X509ChainElement cert in chain.ChainElements) {
* X509Certificate BCCerto = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate (cert.Certificate);
* if(CertIsSelfSigned(BCCerto)){
* SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** SELF SIGNED Certificate: CERT NAME " + BCCerto.SubjectDN.ToString() + " ;ID = " + BCCerto.SerialNumber);
* if(cert.Certificate.SerialNumber.Equals(chain.ChainElements[chain.ChainElements.Count-1].Certificate.SerialNumber)){
* string[] stringSeparators = new string[] {";"};
* string[] valids = _VALIDROOTAUTHORITIES.Split(stringSeparators, StringSplitOptions.RemoveEmptyEntries);
* foreach(String validRoot in valids){
* SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** SELF SIGNED Certificate check ["+validRoot+"]: "+cert.Certificate.SerialNumber+":"+chain.ChainElements[chain.ChainElements.Count-1].Certificate.SerialNumber);
* if(BCCerto.SubjectDN.ToString().Contains(validRoot)){
* bErrorsFound = false;
* } else {
* bErrorsFound = true;
* }
* }
* }else {
* bErrorsFound = true;
* }
*
*
* }else{
* SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** CERT NAME " + BCCerto.SubjectDN.ToString() + " ;ID = " + BCCerto.SerialNumber);
* }
*
* if(!CertIsValidNow(BCCerto)) bErrorsFound = true;
* }*/
//if (chain.ChainElements.Count > 1 && !VerifyCertificateOCSP(chain)) bCertIsOk = true;
//if (chain.ChainElements.Count > 1) bCertIsOk = true;
// DO NOT check OCSP revocation URLs. The time consuming this is expensive.
// TODO make this configurable and asynchronously in the case of enabled
// !VerifyCertificateOCSP(chain) ---> ASYNC
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** OCSP Verification (certificate revocation check) is DISABLED for this build");
if (!bErrorsFound)
{
myCertificateList.Add(BCCert.GetHashCode(), DateTime.Now);
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Valid Certificate");
return(true);
}
else
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Invalid Certificate");
return(false);
}
}
else if (Errors.Equals(SslPolicyErrors.RemoteCertificateChainErrors))
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation: Errors found in the certificate chain.");
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation: Checking chain status information for each element in the chain");
foreach (System.Security.Cryptography.X509Certificates.X509ChainElement element in chain.ChainElements)
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation: Checking chain element... " + element.Information);
if (chain.ChainStatus != null && chain.ChainStatus.Length >= 0)
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation: Chain Status array is not empty");
for (int index = 0; index < element.ChainElementStatus.Length; index++)
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation: chain element status: "
+ element.ChainElementStatus[index].Status);
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation: chain element status information: "
+ element.ChainElementStatus[index].StatusInformation);
}
}
}
}
else if (Errors.Equals(SslPolicyErrors.RemoteCertificateNameMismatch))
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation: The certificate contains errors.");
}
else if (Errors.Equals(SslPolicyErrors.RemoteCertificateNotAvailable))
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation: The certificate is not available");
}
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Policy Errors: " + Errors);
return(false);
}
else //Trusted certificate
{
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Trusted Certificate");
return(true);
}
} catch (Exception e) {
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation: Unhandled exception: " + e.Message);
return(false);
}
}
