| | | 1 | | using System.Net.Security; |
| | | 2 | | using System.Security.Cryptography.X509Certificates; |
| | | 3 | | |
| | | 4 | | namespace Kestrun.Certificates; |
| | | 5 | | |
| | | 6 | | /// <summary> |
| | | 7 | | /// Built-in callbacks for validating TLS client certificates. |
| | | 8 | | /// </summary> |
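public static class ClientCertificateValidationCallbacks
{
    /// <summary>
    /// Allows any presented client certificate, whatever <paramref name="sslPolicyErrors"/> reports.
    /// </summary>
    /// <remarks>
    /// No validation is performed: chain errors and name mismatches are ignored and the chain is never
    /// inspected. The only thing this callback establishes is that <em>some</em> certificate was presented,
    /// so it must not be used where the client certificate is relied on for authentication. Keep it to
    /// local experiments and tests.
    /// </remarks>
    /// <param name="certificate">The client certificate.</param>
    /// <param name="chain">The X509 chain (ignored).</param>
    /// <param name="sslPolicyErrors">Any SSL policy errors (ignored).</param>
    /// <returns><c>true</c> when a certificate was presented; otherwise <c>false</c>.</returns>
    public static bool AllowAny(
        X509Certificate2 certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        _ = chain;
        _ = sslPolicyErrors;
        return certificate is not null;
    }

    /// <summary>
    /// Allows self-signed / locally issued client certificates (chain errors only) for development.
    /// </summary>
    /// <remarks>
    /// A certificate is accepted when validation reports either no error or exactly
    /// <see cref="SslPolicyErrors.RemoteCertificateChainErrors"/>. Note that the chain-error flag is broader
    /// than "self-signed": it is raised for any chain-build failure (such as an untrusted root, an incomplete
    /// chain, or a certificate outside its validity period), and <paramref name="chain"/> is not examined to
    /// tell these apart. A name mismatch combined with chain errors is still rejected. Intended for development
    /// only; production listeners should trust a specific issuer or inspect <c>chain.ChainStatus</c> instead.
    /// </remarks>
    /// <param name="certificate">The client certificate.</param>
    /// <param name="chain">The X509 chain (not inspected).</param>
    /// <param name="sslPolicyErrors">Any SSL policy errors.</param>
    /// <returns>
    /// <c>true</c> when a certificate is present and validation reported no error or only chain errors;
    /// otherwise <c>false</c>.
    /// </returns>
    public static bool AllowSelfSignedForDevelopment(
        X509Certificate2 certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        _ = chain;

        if (certificate is null)
        {
            return false;
        }

        // A clean result is always accepted. A chain that failed to build (typical for local tutorial /
        // dev certs) is accepted only when that is the sole error: exact comparison rather than HasFlag,
        // so chain errors combined with any other flag (e.g. a name mismatch) still reject.
        return sslPolicyErrors is SslPolicyErrors.None or SslPolicyErrors.RemoteCertificateChainErrors;
    }

    /// <summary>
    /// Allows connections without a client certificate, and allows self-signed client certificates
    /// (chain errors only) for development.
    /// </summary>
    /// <remarks>
    /// When a certificate is presented it is held to exactly the same rule as
    /// <see cref="AllowSelfSignedForDevelopment"/>; see its remarks for what "chain errors" covers.
    /// Because a missing certificate is accepted, nothing about the connection is authenticated unless
    /// the application checks for the certificate itself later.
    /// </remarks>
    /// <param name="certificate">The client certificate (may be <c>null</c> when the client does not present one).</param>
    /// <param name="chain">The X509 chain (not inspected).</param>
    /// <param name="sslPolicyErrors">Any SSL policy errors.</param>
    /// <returns><c>true</c> to accept the connection; otherwise <c>false</c>.</returns>
    public static bool AllowMissingOrSelfSignedForDevelopment(
        X509Certificate2 certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        // When ClientCertificateMode is AllowCertificate, clients may connect without presenting a certificate.
        // Anything that was presented is delegated to the sibling callback so the two rules cannot drift apart.
        return certificate is null || AllowSelfSignedForDevelopment(certificate, chain, sslPolicyErrors);
    }
}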