public void TestValidUnexpectedCert() { ExpectedCertificate allowed = new ExpectedCertificate("Some public key", IgnorePolicyErrors.None); SslCertValidator validator = new SslCertValidator(allowed); Assert.IsTrue(validator.CertRequired); Assert.IsFalse(validator.IsValid(null, _clientCert.Certificate, EmptyX509Chain, SslPolicyErrors.None)); }
public void TestValidAndExpectedCert() { ExpectedCertificate allowed = new ExpectedCertificate(_clientCert.Certificate.GetPublicKeyString(), IgnorePolicyErrors.None); SslCertValidator validator = new SslCertValidator(allowed); Assert.IsTrue(validator.CertRequired); Assert.IsTrue(validator.IsValid(null, _clientCert.Certificate, EmptyX509Chain, SslPolicyErrors.None)); Assert.IsFalse(validator.IsValid(null, _clientCert.Certificate, EmptyX509Chain, SslPolicyErrors.RemoteCertificateChainErrors)); }
public void TestAllowByIssuer() { ExpectedCertificate allowed = new ExpectedCertificate(); allowed.IssuedTo = _clientCert.Certificate.Subject; allowed.IgnoredErrors = IgnorePolicyErrors.All; SslCertValidator validator = new SslCertValidator(allowed); Assert.IsTrue(validator.CertRequired); Assert.IsTrue(validator.IsValid(null, _clientCert.Certificate, EmptyX509Chain, SslPolicyErrors.RemoteCertificateChainErrors)); }
public void TestAllowAnyTrustedCert() { ExpectedCertificate allowed = new ExpectedCertificate(); allowed.IgnoredErrors = IgnorePolicyErrors.NameMismatch; SslCertValidator validator = new SslCertValidator(allowed); Assert.IsTrue(validator.CertRequired); Assert.IsTrue(validator.IsValid(null, _clientCert.Certificate, EmptyX509Chain, SslPolicyErrors.RemoteCertificateNameMismatch)); Assert.IsFalse(validator.IsValid(null, _clientCert.Certificate, EmptyX509Chain, SslPolicyErrors.RemoteCertificateChainErrors)); }
public void TestAllowByHash() { ExpectedCertificate allowed = new ExpectedCertificate(); allowed.Hash = _clientCert.Certificate.GetCertHashString(); allowed.IgnoredErrors = IgnorePolicyErrors.All; SslCertValidator validator = new SslCertValidator(allowed); Assert.IsTrue(validator.CertRequired); Assert.IsTrue(validator.IsValid(null, _clientCert.Certificate, EmptyX509Chain, SslPolicyErrors.RemoteCertificateChainErrors)); }
public void TestDenyByPublicKey() { ExpectedCertificate allowed = new ExpectedCertificate(); allowed.PublicKey = _serverCert.Certificate.GetPublicKeyString(); allowed.IgnoredErrors = IgnorePolicyErrors.All; SslCertValidator validator = new SslCertValidator(allowed); Assert.IsTrue(validator.CertRequired); Assert.IsFalse(validator.IsValid(null, _clientCert.Certificate, EmptyX509Chain, SslPolicyErrors.RemoteCertificateChainErrors)); }
/// <summary> /// "When validating a signed response message, the sender Access Point SHOULD check /// that the certificate in the response matches the metadata received from the Service /// Metadata Publisher. This is done by comparing the subject common name in the /// certificate to the value stated in the metadata. This check ensures that only the /// legitimate Access Point stated in the service metadata will be able to produce /// correct responses." /// </summary> /// <param name="certificate">The certificate to be checked.</param> private void ValidateAgainstExpectedCertificate(X509Certificate2 certificate) { // The same validator might also be used for communication with a START client. In // this case, no identifier is expected, and this validation step is skipped: if (ExpectedCertificate == null) { return; } if (!ExpectedCertificate.Equals(certificate)) { throw new SecurityTokenValidationException("Validation failed. Certificate in the response does not match the metadata from the SMP."); } }
bool IsMatch(ExpectedCertificate allow, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { if (allow.IgnoredErrors == IgnorePolicyErrors.All || allow.IgnoredErrors == IgnorePolicyErrors.ChainErrors) sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateChainErrors; if (allow.IgnoredErrors == IgnorePolicyErrors.All || allow.IgnoredErrors == IgnorePolicyErrors.NameMismatch) sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateNameMismatch; if (sslPolicyErrors != SslPolicyErrors.None) return false; if (!String.IsNullOrEmpty(allow.IssuedTo) && false == StringComparer.Ordinal.Equals(allow.IssuedTo, certificate.Subject)) return false; if (!String.IsNullOrEmpty(allow.Hash) && false == StringComparer.Ordinal.Equals(allow.Hash, certificate.GetCertHashString())) return false; if (!String.IsNullOrEmpty(allow.PublicKey) && false == StringComparer.Ordinal.Equals(allow.PublicKey, certificate.GetPublicKeyString())) return false; return true; }
/// <summary> /// Creates the client with the specified client certificiate and the expected server information /// </summary> public SslClient(string serverName, int bindingPort, X509Certificate certificate, ExpectedCertificate expectedCert) : this(serverName, bindingPort, certificate, new SslCertValidator(expectedCert)) { }
/// <summary> /// Constructs the server with the specified certificate and optionally allowable client certificates /// </summary> public SslServer(string bindingName, int bindingPort, X509Certificate certificate, ExpectedCertificate[] allowClients) : base(bindingName, bindingPort) { _cert = certificate; _certVerify = new SslCertValidator(allowClients); }