/// <summary>
/// Peer-trust check for a single X.509 certificate. The certificate passes only if it is
/// inside its NotBefore/NotAfter window, is present in the TrustedPeople store, and is not
/// present in the Disallowed store. No chain is built and no revocation status is consulted
/// here: an administrator-placed entry in TrustedPeople is taken as the whole trust decision.
/// </summary>
/// <param name="certificate">Certificate presented by the remote party.</param>
/// <param name="exception">
/// On failure, a <see cref="SecurityTokenValidationException"/> naming the first check that
/// failed; null when the certificate is accepted.
/// </param>
/// <returns>true if every check passed; otherwise false.</returns>
internal bool TryValidate(X509Certificate2 certificate, out Exception exception)
{
    // X509Certificate2.NotBefore/NotAfter are reported in local time, so the comparison
    // is made against DateTime.Now (not UtcNow) to keep both sides in the same kind.
    DateTime now = DateTime.Now;
    bool insideValidityWindow = now <= certificate.NotAfter && now >= certificate.NotBefore;
    if (!insideValidityWindow)
    {
        exception = new SecurityTokenValidationException(System.IdentityModel.SR.GetString("X509InvalidUsageTime", new object[] { System.IdentityModel.SecurityUtils.GetCertificateId(certificate), now, certificate.NotBefore, certificate.NotAfter }));
        return false;
    }

    // Membership in the trusted store is tested before the Disallowed store, so a
    // certificate that is in neither is reported as "not trusted" rather than "untrusted".
    bool trustedAsPeer = StoreContainsCertificate(StoreName.TrustedPeople, certificate);
    if (!trustedAsPeer)
    {
        exception = new SecurityTokenValidationException(System.IdentityModel.SR.GetString("X509IsNotInTrustedStore", new object[] { System.IdentityModel.SecurityUtils.GetCertificateId(certificate) }));
        return false;
    }

    // An explicit Disallowed entry overrides TrustedPeople membership.
    bool explicitlyDisallowed = StoreContainsCertificate(StoreName.Disallowed, certificate);
    if (explicitlyDisallowed)
    {
        exception = new SecurityTokenValidationException(System.IdentityModel.SR.GetString("X509IsInUntrustedStore", new object[] { System.IdentityModel.SecurityUtils.GetCertificateId(certificate) }));
        return false;
    }

    exception = null;
    return true;
}
/// <summary>
/// Peer-trust validation of an X.509 certificate. Three checks run in order:
/// (1) the certificate is inside its NotBefore/NotAfter window,
/// (2) it is present in the TrustedPeople store,
/// (3) it is absent from the Disallowed store.
/// No chain building or revocation checking happens here; only certificates an
/// administrator explicitly placed in TrustedPeople can pass.
/// </summary>
/// <param name="certificate">Certificate presented by the remote party.</param>
/// <param name="exception">
/// On failure, a <see cref="SecurityTokenValidationException"/> describing the first
/// failed check; null on success.
/// </param>
/// <returns>true when all three checks pass; otherwise false.</returns>
internal bool TryValidate(X509Certificate2 certificate, out Exception exception)
{
    // X509Certificate2.NotBefore/NotAfter come back in local time, which is why the
    // comparison uses DateTime.Now rather than DateTime.UtcNow. The UTC form
    // (UtcNow against NotAfter.ToUniversalTime()) would be equivalent but costs two
    // extra conversions per call. The assert pins the assumption that all three
    // values share the same DateTimeKind on the CLR this ships with.
    DateTime now = DateTime.Now;
    DiagnosticUtility.DebugAssert(now.Kind == certificate.NotAfter.Kind && now.Kind == certificate.NotBefore.Kind, "");

    bool outsideValidityWindow = now > certificate.NotAfter || now < certificate.NotBefore;
    if (outsideValidityWindow)
    {
        exception = new SecurityTokenValidationException(SR.GetString(SR.X509InvalidUsageTime, SecurityUtils.GetCertificateId(certificate), now, certificate.NotBefore, certificate.NotAfter));
        return false;
    }

    // Trusted-store membership is tested before the Disallowed store, so a certificate
    // in neither store is reported as "not trusted" rather than "untrusted".
    bool isTrustedPeer = StoreContainsCertificate(StoreName.TrustedPeople, certificate);
    if (!isTrustedPeer)
    {
        exception = new SecurityTokenValidationException(SR.GetString(SR.X509IsNotInTrustedStore, SecurityUtils.GetCertificateId(certificate)));
        return false;
    }

    // An explicit Disallowed entry wins over TrustedPeople membership.
    bool isExplicitlyDisallowed = StoreContainsCertificate(StoreName.Disallowed, certificate);
    if (isExplicitlyDisallowed)
    {
        exception = new SecurityTokenValidationException(SR.GetString(SR.X509IsInUntrustedStore, SecurityUtils.GetCertificateId(certificate)));
        return false;
    }

    exception = null;
    return true;
}
/// <summary>
/// Store-based validation of an X.509 certificate: it must be inside its validity window,
/// be present in at least one of the My, TrustedPeople, TrustedPublisher or "Enterprise Trust"
/// stores, and be absent from the Disallowed store. No chain is built and no revocation
/// check is performed here.
/// </summary>
/// <remarks>
/// NOTE(review): accepting membership in StoreName.My as a trust signal is broader than the
/// TrustedPeople-only rule used by the other TryValidate variants; My is the personal store
/// (typically the host's own certificates), not a trust anchor store. Confirm that widening
/// is intentional for this caller.
/// </remarks>
/// <param name="certificate">Certificate presented by the remote party.</param>
/// <param name="exception">
/// On failure, a <see cref="SecurityTokenValidationException"/> describing the first failed
/// check; null on success.
/// </param>
/// <returns>true if every check passed; otherwise false.</returns>
private bool TryValidate(X509Certificate2 certificate, out Exception exception)
{
    // NotBefore/NotAfter are local-time values, so compare against local DateTime.Now.
    var now = DateTime.Now;
    string failureMessage = null;

    if (now > certificate.NotAfter || now < certificate.NotBefore)
    {
        // Prefer the subject name for the message; fall back to the thumbprint when it is blank.
        failureMessage = String.Format("The X.509 certificate ({0}) usage time is invalid. The usage time '{1}' does not fall between NotBefore time '{2}' and NotAfter time '{3}'.",
            String.IsNullOrWhiteSpace(certificate.SubjectName.Name) ? certificate.Thumbprint : certificate.SubjectName.Name,
            now, certificate.NotBefore, certificate.NotAfter);
    }
    else if (!(StoreContainsCertificate(StoreName.My, certificate)
               || StoreContainsCertificate(StoreName.TrustedPeople, certificate)
               || StoreContainsCertificate(StoreName.TrustedPublisher, certificate)
               || StoreContainsCertificate("Enterprise Trust", certificate)))
    {
        // "Enterprise Trust" has no StoreName member, hence the string overload.
        failureMessage = String.Format("The X.509 certificate {0} is not in the personal, trusted people, publisher or enterprise trust stores",
            String.IsNullOrWhiteSpace(certificate.SubjectName.Name) ? certificate.Thumbprint : certificate.SubjectName.Name);
    }
    else if (StoreContainsCertificate(StoreName.Disallowed, certificate))
    {
        // An explicit Disallowed entry overrides membership in any of the trusted stores.
        failureMessage = String.Format("The X.509 certificate {0} is in an untrusted certificate store",
            String.IsNullOrWhiteSpace(certificate.SubjectName.Name) ? certificate.Thumbprint : certificate.SubjectName.Name);
    }

    if (failureMessage != null)
    {
        exception = new SecurityTokenValidationException(failureMessage);
        return false;
    }

    exception = null;
    return true;
}