
Commit 6c31c01

committed
Improve validation of service certificate by requiring Server Auth usage
1 parent 66a675d commit 6c31c01


1 file changed

+5
-0
lines changed


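--- a/src/System.Private.ServiceModel/src/System/ServiceModel/Security/X509ServiceCertificateAuthentication.cs
+++ b/src/System.Private.ServiceModel/src/System/ServiceModel/Security/X509ServiceCertificateAuthentication.cs
@@ -6,6 +6,7 @@
 using System.IdentityModel.Selectors;
 using System.Runtime;
 using System.Runtime.InteropServices;
+using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 
 namespace System.ServiceModel.Security
@@ -16,6 +17,8 @@ public sealed class X509ServiceCertificateAuthentication
 internal const X509RevocationMode DefaultRevocationMode = X509RevocationMode.Online;
 internal const StoreLocation DefaultTrustedStoreLocation = StoreLocation.CurrentUser;
 private static X509CertificateValidator s_defaultCertificateValidator;
+// ASN.1 description: {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) kp(3) serverAuth(1)}
+static readonly Oid serverAuthOid = new Oid("1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.1");
 
 private X509CertificateValidationMode _certificateValidationMode = DefaultCertificateValidationMode;
 private X509RevocationMode _revocationMode = DefaultRevocationMode;
@@ -44,6 +47,7 @@ internal static X509CertificateValidator DefaultCertificateValidator
 {
 bool useMachineContext = DefaultTrustedStoreLocation == StoreLocation.LocalMachine;
 X509ChainPolicy chainPolicy = new X509ChainPolicy();
+chainPolicy.ApplicationPolicy.Add(serverAuthOid);
 chainPolicy.RevocationMode = DefaultRevocationMode;
 s_defaultCertificateValidator = X509CertificateValidator.CreateChainTrustValidator(useMachineContext, chainPolicy);
 }
@@ -130,6 +134,7 @@ internal bool TryGetCertificateValidator(out X509CertificateValidator validator)
 {
 bool useMachineContext = _trustedStoreLocation == StoreLocation.LocalMachine;
 X509ChainPolicy chainPolicy = new X509ChainPolicy();
+chainPolicy.ApplicationPolicy.Add(serverAuthOid);
 chainPolicy.RevocationMode = _revocationMode;
 if (_certificateValidationMode == X509CertificateValidationMode.ChainTrust)
 {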
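Review bot: The new `ApplicationPolicy` entry only rejects certificates whose EKU extension is present and lacks serverAuth; a certificate with no EKU extension at all is, on Windows CryptoAPI and as far as I know in .NET's managed chain builder too, treated as valid for every purpose, so the "require Server Auth usage" in the title holds only for certificates that declare usages. That limit deserves a comment next to the OID declaration, e.g. `// Enforced via X509ChainPolicy.ApplicationPolicy; certificates with no EKU extension still pass this check.`, so a later reader does not take it for a hard requirement. The field also departs from the convention used one line above it (`s_defaultCertificateValidator`): `private static readonly Oid s_serverAuthOid = new Oid("1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.1");`, with the two `ApplicationPolicy.Add` call sites renamed to match. In the last hunk the policy is attached before `_certificateValidationMode` is inspected and TryGetCertificateValidator continues past the hunk, so whether the non-ChainTrust branches use this `chainPolicy` (and thus the EKU check) is not visible here.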
