using System.Diagnostics;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
namespace MQTTnet.Client.Extensions
{
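internal static class X509ChainValidator
{
    /// <summary>
    /// Validates the remote TLS certificate, using the CA certificates in a PEM file as additional trust anchors.
    /// </summary>
    /// <param name="certValArgs">Certificate, chain and policy errors reported by the TLS handshake.</param>
    /// <param name="caCertFile">
    /// Path of a PEM file with one or more CA certificates. Empty means no extra trust anchors, in which case
    /// only a certificate the platform already trusts is accepted.
    /// </param>
    /// <returns><see langword="true"/> when the certificate is acceptable; otherwise <see langword="false"/>.</returns>
    internal static bool ValidateChain(MqttClientCertificateValidationEventArgs certValArgs, string caCertFile = "")
    {
        X509Certificate2Collection caCerts = new();
        if (!string.IsNullOrEmpty(caCertFile))
        {
            // A missing or unreadable file throws here rather than being silently treated as "no CA";
            // the caller sees the failure instead of every handshake being rejected without explanation.
            caCerts.ImportFromPemFile(caCertFile);
        }

        return ValidateChain(certValArgs, caCerts);
    }

    /// <summary>
    /// Validates the remote TLS certificate, re-building its chain against <paramref name="caChain"/>
    /// when the platform trust store did not accept it.
    /// </summary>
    /// <param name="cvArgs">Certificate, chain and policy errors reported by the TLS handshake.</param>
    /// <param name="caChain">CA certificates to use as custom root trust anchors.</param>
    /// <returns><see langword="true"/> when the certificate is acceptable; otherwise <see langword="false"/>.</returns>
    internal static bool ValidateChain(MqttClientCertificateValidationEventArgs cvArgs, X509Certificate2Collection caChain)
    {
        // Nothing to do when the platform already trusts the certificate. Note that this accepts a
        // certificate chaining to a system-trusted root even when caChain is supplied: the custom CA
        // list adds a trust anchor, it does not pin the connection to that CA.
        if (cvArgs.SslPolicyErrors == SslPolicyErrors.None)
        {
            return true;
        }

        // Only a pure chain error is re-evaluated against the custom roots. Any other flag (name
        // mismatch, certificate not available), alone or combined with a chain error, is rejected.
        if (cvArgs.SslPolicyErrors != SslPolicyErrors.RemoteCertificateChainErrors)
        {
            Trace.TraceError("RemoteCertificateValidation Errors: " + cvArgs.SslPolicyErrors);
            return false;
        }

        // Fail closed: without a chain object or a presented certificate there is nothing to verify.
        if (cvArgs.Chain is null || cvArgs.Certificate is null)
        {
            Trace.TraceError("RemoteCertificateValidation Errors: chain or certificate missing");
            return false;
        }

        X509Chain chain = cvArgs.Chain;
        chain.Reset();
        // An empty caChain cannot satisfy CustomRootTrust, so the build below fails closed.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.AddRange(caChain);
        Trace.TraceWarning("Validating TLS with chain:\n\t" + string.Join("\n\t", chain.ChainPolicy.CustomTrustStore.Select(c => c.Subject)));
        // Only an *unknown* revocation status of the leaf is tolerated (e.g. CRL/OCSP unreachable);
        // a definite "revoked" answer and every other chain problem still fail the build.
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreEndRevocationUnknown;
        Trace.TraceWarning($"Chain validation configured with verification flags:\n\t{chain.ChainPolicy.VerificationFlags}");

        // X509Certificate2 is disposable; the wrapper is only needed for the Build call itself,
        // the diagnostics below read the original cvArgs.Certificate.
        using var leaf = new X509Certificate2(cvArgs.Certificate);
        bool chainValidated = chain.Build(leaf);
        if (!chainValidated)
        {
            Trace.TraceError($"Error validating TLS chain for cert: '{cvArgs.Certificate.Subject}' issued by '{cvArgs.Certificate.Issuer}'");
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                Trace.TraceError(" " + status.StatusInformation);
            }
        }

        return chainValidated;
    }
}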
}