CustomValidators and Chaining of Validators

Article
05/30/2006

I was looking into custom certificate validators sample and was quite curious on how I could chain the certificate validation and where Martin helped me out with this and this is prietty much how he put it.

Here is a validator implementation that accepts self-issued certs, certs in the trusted people store and certs that chain to a trusted root CA;

class CustomValidator : X509CertificateValidator
{
public CustomValidator()
{
}

public override void Validate(X509Certificate2 cert)
{
if (cert.Subject == cert.Issuer)
return;
else
X509CertificateValidator.PeerOrChainTrust.Validate ( cert );
}
}

If you wanted to do peer/chain and then extra checking, you'd reverse the order;

class CustomValidator : X509CertificateValidator
{
public CustomValidator()
{
}

public override void Validate(X509Certificate2 cert)
{
X509CertificateValidator.PeerOrChainTrust.Validate ( cert );

if ( !CertIsOK ( cert ))
throw new SecurityTokenException ( "Certificate is not OK" (;
}

private bool CertIsOK ( X509Certificate2 cert )
{
bool bRet = false;

// Perform checks here and set bRet to true if all checks are passed.

return bRet;
}
}

So basically what you can do is set the X509ValidationMode to None and then test your code. That way no matter whats wrong with the certificate, no checks will be done and the certificate will be accepted, then fix the certificate problem.

CustomValidators and Chaining of Validators

Additional resources