/// <summary>
/// Demands read-only certificate-store access (enumerate stores, open store, enumerate
/// certificates) on behalf of a service host whose security configuration will need to
/// read a certificate store.
/// </summary>
/// <remarks>
/// The demand is made when the host uses certificate service credentials, when any endpoint
/// uses certificate client credentials while the host validates certificates, or when any
/// endpoint has message security enabled and is either anonymous or not using Windows
/// security. Only read/enumerate flags are demanded; nothing on this path writes to a store.
/// </remarks>
/// <param name="host">Host whose endpoints are inspected.</param>
/// <exception cref="System.Security.SecurityException">The caller lacks the demanded store permission.</exception>
internal static void DemandHostStorePermissions(ServiceHost host)
{
    bool validates = ValidatesCertificates(host);
    bool demand = UsesCertificateServiceCredentials(host);

    // The first endpoint that needs store access decides; later endpoints are not inspected.
    foreach (ServiceEndpoint endpoint in host.Description.Endpoints)
    {
        if (EndpointRequiresStoreAccess(endpoint, validates))
        {
            demand = true;
            break;
        }
    }

    if (!demand)
    {
        return;
    }

    // Read/enumerate access only — AddToStore is deliberately not part of this demand.
    IPermission storeRead = new StorePermission(
        StorePermissionFlags.EnumerateStores | StorePermissionFlags.OpenStore | StorePermissionFlags.EnumerateCertificates);
    storeRead.Demand();
}

/// <summary>
/// Returns true when a single endpoint's configuration requires reading a certificate store:
/// certificate client credentials (with host-level validation), or message security that is
/// anonymous or does not use Windows security.
/// </summary>
/// <param name="endpoint">Endpoint to inspect.</param>
/// <param name="validates">Whether the owning host validates certificates.</param>
private static bool EndpointRequiresStoreAccess(ServiceEndpoint endpoint, bool validates)
{
    if (UsesCertificateClientCredentials(endpoint) && validates)
    {
        return true;
    }

    return MessageSecurityEnabled(endpoint)
        && (IsAnonymous(endpoint) || !WindowsSecurityEnabled(endpoint));
}
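/// <summary>
/// Demands read-only certificate-store access (enumerate stores, open store, enumerate
/// certificates) for a client endpoint whose security configuration will need to read a
/// certificate store.
/// </summary>
/// <remarks>
/// Nothing is demanded for Windows security without message security, since no certificate is
/// involved. Otherwise access is required when the endpoint scopes a certificate or uses
/// certificate client credentials, or when message security is enabled with certificate
/// validation and without Windows security. Both conditions are folded into a single demand
/// so the permission is constructed and the stack walk performed at most once.
/// </remarks>
/// <param name="endpoint">Client endpoint to inspect.</param>
/// <exception cref="System.Security.SecurityException">The caller lacks the demanded store permission.</exception>
internal static void DemandClientStorePermissions(ServiceEndpoint endpoint)
{
    // Windows security on the transport with no message security never reads a certificate store.
    if (MessageSecurityEnabled(endpoint) == false && WindowsSecurityEnabled(endpoint) == true)
    {
        return;
    }

    // A certificate is taken directly from a store (scoped certificate or certificate client credential) ...
    bool demand = ScopesCertificate(endpoint) || UsesCertificateClientCredentials(endpoint);

    // ... or the endpoint validates certificates under message security without Windows security.
    // Only evaluated when the first condition has not already required the demand.
    if (!demand)
    {
        demand = MessageSecurityEnabled(endpoint)
            && ValidatesCertificates(endpoint)
            && WindowsSecurityEnabled(endpoint) == false;
    }

    if (demand)
    {
        // Read/enumerate access only — nothing on this path writes to a store.
        IPermission certPermission = new StorePermission(
            StorePermissionFlags.EnumerateStores | StorePermissionFlags.OpenStore | StorePermissionFlags.EnumerateCertificates);
        certPermission.Demand();
    }
}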
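/// <summary>
/// Installs a certificate (encoded bytes, e.g. read from an embedded resource) into the
/// LocalMachine store <paramref name="sn"/> unless <c>TryGetCertificate</c> already finds it there.
/// </summary>
/// <param name="sn">
/// Store to install into. Note that <see cref="StoreName.Root"/> or <see cref="StoreName.AuthRoot"/>
/// in the LocalMachine location makes the certificate a trust anchor for every user on the machine.
/// </param>
/// <param name="certificatefile">Encoded certificate bytes passed to the <see cref="X509Certificate2"/> constructor.</param>
/// <returns><see cref="string.Empty"/> on success; otherwise the message of the exception that occurred.</returns>
/// <remarks>
/// Demands <see cref="StorePermissionFlags.AllFlags"/> before touching the store; writing to a
/// LocalMachine store normally also requires administrative rights at the OS level.
/// Only pass bytes from a source you trust (such as a compiled-in resource): installing
/// attacker-supplied bytes into a machine store silently extends trust machine-wide.
/// All exceptions are caught and reported through the return value, so the caller must
/// check for a non-empty string to detect failure.
/// </remarks>
public static string InstallCertificateFromResource(StoreName sn, byte[] certificatefile)
{
    try
    {
        StorePermission sp = new StorePermission(StorePermissionFlags.AllFlags);
        sp.Demand();

        X509Certificate2 certificate = new X509Certificate2(certificatefile);
        if (TryGetCertificate(sn, certificatefile) == null)
        {
            X509Store store = new X509Store(sn, StoreLocation.LocalMachine);
            store.Open(OpenFlags.ReadWrite);
            try
            {
                store.Add(certificate);
            }
            finally
            {
                // Release the store handle even when Add throws; the exception still reaches the catch below.
                store.Close();
            }
        }

        return string.Empty;
    }
    catch (Exception ex)
    {
        return ex.Message;
    }
}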
/// <summary>
/// Builds the certificate chain for <paramref name="certificate"/> via CAPI and verifies it
/// against the base chain policy using this instance's <see cref="ChainPolicy"/>.
/// </summary>
/// <param name="certificate">Leaf certificate; must carry a valid native certificate context.</param>
/// <returns>
/// <c>true</c> when the chain was built and the base policy check reported no error;
/// <c>false</c> when the chain could not be built (non-S_OK from <c>BuildChain</c>) or the policy
/// check reported an error (the error code is published as the thread's last Win32 error).
/// </returns>
/// <exception cref="ArgumentException"><paramref name="certificate"/> is null or its context handle is invalid.</exception>
/// <exception cref="CryptographicException">The CertVerifyCertificateChainPolicy call itself failed.</exception>
/// <exception cref="System.Security.SecurityException">A demanded store/network permission was not granted.</exception>
public bool Build(X509Certificate2 certificate)
{
    lock (m_syncRoot)
    {
        if (certificate == null || certificate.CertContext.IsInvalid)
        {
            throw new ArgumentException(SR.GetString(SR.Cryptography_InvalidContextHandle), "certificate");
        }

        // Chain building opens and enumerates the root store to see if the root of the chain is trusted.
        StorePermission sp = new StorePermission(StorePermissionFlags.OpenStore | StorePermissionFlags.EnumerateCertificates);
        sp.Demand();

        X509ChainPolicy chainPolicy = this.ChainPolicy;
        if (chainPolicy.RevocationMode == X509RevocationMode.Online)
        {
            if (certificate.Extensions[CAPI.szOID_CRL_DIST_POINTS] != null || certificate.Extensions[CAPI.szOID_AUTHORITY_INFO_ACCESS] != null)
            {
                // If there is a CDP or AIA extension, we demand unrestricted network access and store add permission
                // since CAPI can download certificates into the CA store from the network.
                PermissionSet ps = new PermissionSet(PermissionState.None);
                ps.AddPermission(new WebPermission(PermissionState.Unrestricted));
                ps.AddPermission(new StorePermission(StorePermissionFlags.AddToStore));
                ps.Demand();
            }
        }

        // Discard any previously built chain before building a new one
        // (Reset() presumably releases the old chain handle/elements — confirm in its definition).
        Reset();

        // m_useMachineContext selects the machine-wide vs. per-user chain engine, i.e. which
        // trust stores CAPI consults. Every policy knob (extra store, usage OIDs, revocation
        // mode/flag, verification time, URL timeout) is passed straight through from chainPolicy.
        int hr = BuildChain(m_useMachineContext ? new IntPtr(CAPI.HCCE_LOCAL_MACHINE) : new IntPtr(CAPI.HCCE_CURRENT_USER),
                            certificate.CertContext,
                            chainPolicy.ExtraStore,
                            chainPolicy.ApplicationPolicy,
                            chainPolicy.CertificatePolicy,
                            chainPolicy.RevocationMode,
                            chainPolicy.RevocationFlag,
                            chainPolicy.VerificationTime,
                            chainPolicy.UrlRetrievalTimeout,
                            ref m_safeCertChainHandle);
        if (hr != CAPI.S_OK)
        {
            // A chain that cannot be built at all is reported as a verification failure, not an exception.
            return(false);
        }

        // Init. (Presumably populates the managed chain view from m_safeCertChainHandle — confirm.)
        Init();

        // Verify the chain using the specified policy.
        // NOTE(review): the check is only as strict as chainPolicy.VerificationFlags — permissive
        // flags are forwarded unchanged in dwFlags and relax what the base policy rejects.
        CAPI.CERT_CHAIN_POLICY_PARA PolicyPara = new CAPI.CERT_CHAIN_POLICY_PARA(Marshal.SizeOf(typeof(CAPI.CERT_CHAIN_POLICY_PARA)));
        CAPI.CERT_CHAIN_POLICY_STATUS PolicyStatus = new CAPI.CERT_CHAIN_POLICY_STATUS(Marshal.SizeOf(typeof(CAPI.CERT_CHAIN_POLICY_STATUS)));
        PolicyPara.dwFlags = (uint)chainPolicy.VerificationFlags;
        if (!CAPI.CertVerifyCertificateChainPolicy(new IntPtr(CAPI.CERT_CHAIN_POLICY_BASE), m_safeCertChainHandle, ref PolicyPara, ref PolicyStatus))
        {
            // The API failed (as opposed to the policy check returning an error in dwError).
            throw new CryptographicException(Marshal.GetLastWin32Error());
        }

        // Expose the policy result as the last Win32 error so a caller that gets `false` can
        // still learn why (presumably via Marshal.GetLastWin32Error — confirm with callers).
        CAPI.SetLastError(PolicyStatus.dwError);
        return(PolicyStatus.dwError == 0);
    }
}