Inheritance: SecurityTokenException
 /// <summary>
 /// Peer-trust style check of a single leaf certificate. Three gates, in order:
 /// (1) the current local time falls inside [NotBefore, NotAfter];
 /// (2) the certificate is found in the TrustedPeople store;
 /// (3) the certificate is NOT found in the Disallowed store.
 /// A certificate present in both stores is therefore rejected. No chain is built and
 /// no CRL/OCSP revocation lookup is made in this method — membership of the Disallowed
 /// store is the only revocation signal honoured. Which store location(s) are consulted
 /// depends on StoreContainsCertificate, which is not visible here.
 /// </summary>
 /// <param name="certificate">The certificate presented by the peer.</param>
 /// <param name="exception">On failure, a SecurityTokenValidationException describing
 /// the first failed gate; null on success.</param>
 /// <returns>true when every gate passes, otherwise false.</returns>
 internal bool TryValidate(X509Certificate2 certificate, out Exception exception)
 {
     // Local-time comparison: X509Certificate2.NotBefore/NotAfter are exposed in local
     // time, so DateTime.Now is the matching clock. Comparing in UTC would avoid the
     // ambiguity around DST transitions, but that is deliberately left as-is here.
     DateTime currentTime = DateTime.Now;

     bool outsideValidityPeriod = currentTime > certificate.NotAfter
                                  || currentTime < certificate.NotBefore;
     if (outsideValidityPeriod)
     {
         object[] messageArgs = new object[]
         {
             System.IdentityModel.SecurityUtils.GetCertificateId(certificate),
             currentTime,
             certificate.NotBefore,
             certificate.NotAfter
         };
         exception = new SecurityTokenValidationException(
             System.IdentityModel.SR.GetString("X509InvalidUsageTime", messageArgs));
         return false;
     }

     // The TrustedPeople store acts as an explicit allow-list of leaf certificates.
     bool isTrustedPeer = StoreContainsCertificate(StoreName.TrustedPeople, certificate);
     if (!isTrustedPeer)
     {
         exception = new SecurityTokenValidationException(
             System.IdentityModel.SR.GetString("X509IsNotInTrustedStore",
                 new object[] { System.IdentityModel.SecurityUtils.GetCertificateId(certificate) }));
         return false;
     }

     // Checked after the allow-list so that a deny-list entry always wins.
     bool isExplicitlyDisallowed = StoreContainsCertificate(StoreName.Disallowed, certificate);
     if (isExplicitlyDisallowed)
     {
         exception = new SecurityTokenValidationException(
             System.IdentityModel.SR.GetString("X509IsInUntrustedStore",
                 new object[] { System.IdentityModel.SecurityUtils.GetCertificateId(certificate) }));
         return false;
     }

     exception = null;
     return true;
 }
コード例 #2
            internal bool TryValidate(X509Certificate2 certificate, out Exception exception)
            {
                // Checklist
                // 1) time validity of cert
                // 2) in trusted people store
                // 3) not in disallowed store

                // The following code could be written as:
                // DateTime now = DateTime.UtcNow;
                // if (now > certificate.NotAfter.ToUniversalTime() || now < certificate.NotBefore.ToUniversalTime())
                //
                // this is because X509Certificate2.xxx doesn't return UT.  However this would be a SMALL perf hit.
                // I put a DebugAssert so that this will ensure that the we are compatible with the CLR we shipped with

                DateTime now = DateTime.Now;
                DiagnosticUtility.DebugAssert(now.Kind == certificate.NotAfter.Kind && now.Kind == certificate.NotBefore.Kind, "");

                if (now > certificate.NotAfter || now < certificate.NotBefore)
                {
                    exception = new SecurityTokenValidationException(SR.GetString(SR.X509InvalidUsageTime,
                        SecurityUtils.GetCertificateId(certificate), now, certificate.NotBefore, certificate.NotAfter));
                    return false;
                }

                if (!StoreContainsCertificate(StoreName.TrustedPeople, certificate))
                {
                    exception = new SecurityTokenValidationException(SR.GetString(SR.X509IsNotInTrustedStore,
                        SecurityUtils.GetCertificateId(certificate)));
                    return false;
                }

                if (StoreContainsCertificate(StoreName.Disallowed, certificate))
                {
                    exception = new SecurityTokenValidationException(SR.GetString(SR.X509IsInUntrustedStore,
                        SecurityUtils.GetCertificateId(certificate)));
                    return false;
                }
                exception = null;
                return true;
            }
コード例 #3
 /// <summary>
 /// Validates a peer certificate by validity period and store membership. The certificate
 /// passes when it is currently valid, is found in at least one of the Personal (My),
 /// TrustedPeople, TrustedPublisher or "Enterprise Trust" stores, and is not found in the
 /// Disallowed store. Store lookups are delegated to StoreContainsCertificate; which store
 /// location(s) it searches is not visible here. No chain is built and no CRL/OCSP
 /// revocation check is performed in this method.
 ///
 /// NOTE(review): the allow-list is much wider than the TrustedPeople-only variant. Accepting
 /// StoreName.My means any certificate installed in this account's/machine's personal store is
 /// trusted as a peer, and TrustedPublisher is normally a code-signing (Authenticode) trust
 /// anchor rather than a peer-authentication one — confirm this breadth is intended.
 /// </summary>
 /// <param name="certificate">The certificate presented by the peer.</param>
 /// <param name="exception">Set to a SecurityTokenValidationException for the first failed
 /// check; null when validation succeeds.</param>
 /// <returns>true when all checks pass, false otherwise.</returns>
 private bool TryValidate(X509Certificate2 certificate, out Exception exception)
 {
     // Messages identify the certificate by subject name, falling back to the thumbprint
     // when the subject is blank.
     string subject = certificate.SubjectName.Name;
     string certificateLabel = String.IsNullOrWhiteSpace(subject) ? certificate.Thumbprint : subject;

     // Local-time comparison; NotBefore/NotAfter are exposed in local time like DateTime.Now.
     DateTime currentTime = DateTime.Now;
     bool outsideValidityPeriod = currentTime > certificate.NotAfter
                                  || currentTime < certificate.NotBefore;
     if (outsideValidityPeriod)
     {
         string message = String.Format(
             "The X.509 certificate ({0}) usage time is invalid.  The usage time '{1}' does not fall between NotBefore time '{2}' and NotAfter time '{3}'.",
             certificateLabel,
             currentTime,
             certificate.NotBefore,
             certificate.NotAfter);
         exception = new SecurityTokenValidationException(message);
         return false;
     }

     // Short-circuits left to right, so later stores are only consulted when earlier ones miss.
     bool inAnyTrustedStore =
         StoreContainsCertificate(StoreName.My, certificate)
         || StoreContainsCertificate(StoreName.TrustedPeople, certificate)
         || StoreContainsCertificate(StoreName.TrustedPublisher, certificate)
         || StoreContainsCertificate("Enterprise Trust", certificate);
     if (!inAnyTrustedStore)
     {
         string message = String.Format(
             "The X.509 certificate {0} is not in the personal, trusted people, publisher or enterprise trust stores",
             certificateLabel);
         exception = new SecurityTokenValidationException(message);
         return false;
     }

     // Deny-list is checked last so that it overrides any allow-list hit.
     if (StoreContainsCertificate(StoreName.Disallowed, certificate))
     {
         string message = String.Format(
             "The X.509 certificate {0} is in an untrusted certificate store",
             certificateLabel);
         exception = new SecurityTokenValidationException(message);
         return false;
     }

     exception = null;
     return true;
 }