 /// <summary>
 /// Builds <paramref name="chain"/> for <paramref name="certificate"/> and reports whether
 /// the build succeeded without chain-status errors. A
 /// <see cref="System.Security.Cryptography.CryptographicException"/> raised by the chain
 /// engine is reported as a failed build rather than propagated.
 /// </summary>
 /// <param name="chain">Chain whose policy is already configured. It is not disposed here; the caller keeps ownership.</param>
 /// <param name="certificate">Leaf certificate to build the chain for.</param>
 /// <returns><c>true</c> only when <see cref="X509Chain.Build"/> returns <c>true</c> and <c>HasNoError()</c> reports no status errors.</returns>
 private bool BuildChain(X509Chain chain, X509Certificate2 certificate)
 {
     bool valid;
     try
     {
         // Short-circuit: HasNoError() is only consulted after a successful Build().
         valid = chain.Build(certificate) && chain.HasNoError();
     }
     catch (System.Security.Cryptography.CryptographicException)
     {
         // A platform/chain-engine failure is treated as "chain not valid".
         valid = false;
     }
     return valid;
 }
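        /// <summary>
        /// Validates <paramref name="certificate"/> as a PEPPOL certificate: builds its chain
        /// under this validator's <c>RevocationMode</c> (with the configured extra root and
        /// intermediate certificates available to the chain builder), requires the chain to
        /// build without status errors, and — for end-entity certificates — requires the
        /// issuer to be the expected one.
        /// </summary>
        /// <param name="certificate">Certificate to validate.</param>
        /// <exception cref="ArgumentNullException"><paramref name="certificate"/> is null.</exception>
        /// <exception cref="SecurityTokenValidationException">
        /// The chain could not be built or has status errors, building raised a
        /// <see cref="System.Security.Cryptography.CryptographicException"/>, or the certificate
        /// was issued by an unexpected CA. (A failed build used to surface as a bare
        /// <see cref="Exception"/>; it is now the same exception type as the other failures.)
        /// </exception>
        private void ValidateAsPEPPOLCertificate(X509Certificate2 certificate)
        {
            if (certificate == null)
            {
                throw new ArgumentNullException("certificate");
            }

            // X509Chain wraps native chain-engine state; dispose it on every exit path.
            using (X509Chain chain = new X509Chain())
            {
                chain.ChainPolicy = new X509ChainPolicy()
                {
                    RevocationMode = this.RevocationMode,
                    // Revocation is only checked for the leaf certificate, not for the CAs above it.
                    RevocationFlag = X509RevocationFlag.EndCertificateOnly
                };

                // NOTE(review): ExtraStore only supplies certificates for chain *building*; it does
                // not by itself make a root a trust anchor. Whether a root present only in
                // ExtraTrustedRootCertificates passes HasNoError() depends on HasNoError() and on the
                // platform trust store — confirm against the intended deployment.
                if (ExtraTrustedRootCertificates != null)
                {
                    chain.ChainPolicy.ExtraStore.AddRange(ExtraTrustedRootCertificates);
                }
                if (ExtraTrustedIntermediateCertificates != null)
                {
                    chain.ChainPolicy.ExtraStore.AddRange(ExtraTrustedIntermediateCertificates);
                }

                bool buildOk;
                bool chainOk;
                try
                {
                    buildOk = chain.Build(certificate);
                    chainOk = chain.HasNoError();
                }
                catch (System.Security.Cryptography.CryptographicException exception)
                {
                    throw new SecurityTokenValidationException("Validation failed. Chain could not be built. " + exception.Message, exception);
                }

                if (!buildOk || !chainOk)
                {
                    // Report every chain-status entry, not just the last one (an Aggregate whose
                    // lambda ignores its accumulator keeps only the final element).
                    string statuses = string.Join("; ", chain.ChainStatus.Select(
                        s => string.Format("{0}: {1}", s.Status, s.StatusInformation)));
                    throw new SecurityTokenValidationException(string.Format(
                        "Validation failed. Chain could not be built. BuildOK: {0} ChainOK: {1} Errors in chain: {2}",
                        buildOk, chainOk, statuses));
                }

                // Root CA and intermediate CA certificates are exempt from the expected-issuer check.
                if (IsPeppolRoot(certificate) || IsPeppolIntermediateCA(certificate))
                {
                    return;
                }

                if (!IsExpectedIssuer(chain))
                {
                    throw new SecurityTokenValidationException("Validation failed. Issued by the wrong CA.");
                }
            }
        }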