-rw-r--r-- | src/DotNetOpenAuth/OpenId/HostMetaDiscoveryService.cs | 21 | ||||
-rw-r--r-- | src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs | 9 | ||||
-rw-r--r-- | src/DotNetOpenAuth/OpenId/OpenIdStrings.resx | 3 |
3 files changed, 26 insertions, 7 deletions
diff --git a/src/DotNetOpenAuth/OpenId/HostMetaDiscoveryService.cs b/src/DotNetOpenAuth/OpenId/HostMetaDiscoveryService.cs
index cb13522..939ccab 100644
--- a/src/DotNetOpenAuth/OpenId/HostMetaDiscoveryService.cs
+++ b/src/DotNetOpenAuth/OpenId/HostMetaDiscoveryService.cs
@@ -224,11 +224,16 @@ namespace DotNetOpenAuth.OpenId {
 var certs = certNodes.Cast<XPathNavigator>().Select(n => new X509Certificate2(Convert.FromBase64String(n.Value.Trim()))).ToList();
 // Verify that we trust the signer of the certificates.
- try {
- VerifyCertChain(certs);
- } catch (SecurityException) {
- Logger.Yadis.Warn("Insufficient security permissions to perform custom certificate chain validation. Performing basic validation policy check on signing certificate.");
- ErrorUtilities.VerifyProtocol(certs[0].Verify(), "Invalid or untrusted signing certificate.");
+ // Start by trying to validate just the certificate used to sign the XRDS document,
+ // since we can do that with partial trust.
+ if (!certs[0].Verify()) {
+ // We couldn't verify just the signing certificate, so try to verify the whole certificate chain.
+ try {
+ VerifyCertChain(certs);
+ } catch (SecurityException) {
+ Logger.Yadis.Warn("Signing certificate verification failed and we have insufficient code access security permissions to perform certificate chain validation.");
+ ErrorUtilities.ThrowProtocol(OpenIdStrings.X509CertificateNotTrusted);
+ }
 }
 // Verify that the certificate is issued to the host on whom we are performing discovery.
@@ -263,8 +268,10 @@ namespace DotNetOpenAuth.OpenId {
 if (chain.ChainStatus.Length > 0) {
 ErrorUtilities.ThrowProtocol(
- "Failure(s) in validating the certificate chain: ",
- string.Join(", ", chain.ChainStatus.Select(status => status.StatusInformation).ToArray()));
+ string.Format(
+ CultureInfo.CurrentCulture,
+ OpenIdStrings.X509CertificateNotTrusted + " {0}",
+ string.Join(", ", chain.ChainStatus.Select(status => status.StatusInformation).ToArray())));
 }
 }
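Review bot: The acceptance condition introduced at the `+ if (!certs[0].Verify()) {` line is now "default X509Certificate2.Verify() policy passes OR VerifyCertChain passes", whereas before this change a fully trusted host was bound by VerifyCertChain alone, so any signature whose leaf certificate chains to the machine store under the basic policy is now accepted without the custom chain check ever running. VerifyCertChain is defined outside this hunk, so whether its policy is stricter than the default (the second hunk shows it rejects on any ChainStatus entry) cannot be confirmed here; if it is meant to be authoritative under full trust, run it whenever permitted and use Verify() only as the partial-trust fallback, e.g. `bool signerOk = certs[0].Verify(); try { VerifyCertChain(certs); } catch (SecurityException) { /* keep the warning log */ ErrorUtilities.VerifyProtocol(signerOk, OpenIdStrings.X509CertificateNotTrusted); }`. Also, `certs[0]` is now dereferenced unconditionally; unless the code above the hunk already rejects an empty certificate list, a Signature block that carries no certificates fails with ArgumentOutOfRangeException instead of a ProtocolException, so guard it first with `ErrorUtilities.VerifyProtocol(certs.Count > 0, OpenIdStrings.X509CertificateNotTrusted);`. The enclosing method starts and ends outside the hunk.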
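Review bot: The `+ string.Format(` call in the new throw builds its format string by appending `" {0}"` to a localized resource, so a translation of X509CertificateNotTrusted that contains a brace turns the protocol error into a FormatException; and if ErrorUtilities.ThrowProtocol formats its first argument with the remaining ones, as the removed two-argument call suggests, the already-formatted text is formatted a second time and a `{` inside any StatusInformation string would fail the same way. Passing the joined status text as ThrowProtocol's own argument instead of pre-formatting it at least formats once: `ErrorUtilities.ThrowProtocol(OpenIdStrings.X509CertificateNotTrusted + " {0}", string.Join(", ", chain.ChainStatus.Select(status => status.StatusInformation).ToArray()));`; if ThrowProtocol does not format, plain concatenation with `" "` is simpler and has neither problem. VerifyCertChain begins before this hunk, so the chain policy it applies (revocation mode, extra-store contents) is not visible here.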
diff --git a/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs b/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs
index 33a16f8..adfe4ee 100644
--- a/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs
+++ b/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs
@@ -722,6 +722,15 @@ namespace DotNetOpenAuth.OpenId {
 }
 /// <summary>
+ /// Looks up a localized string similar to The X.509 certificate used to sign this document is not trusted..
+ /// </summary>
+ internal static string X509CertificateNotTrusted {
+ get {
+ return ResourceManager.GetString("X509CertificateNotTrusted", resourceCulture);
+ }
+ }
+
+ /// <summary>
 /// Looks up a localized string similar to XRI support has been disabled at this site..
 /// </summary>
 internal static string XriResolutionDisabled {
diff --git a/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx b/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx
index c5f506d..ae68fe6 100644
--- a/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx
+++ b/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx
@@ -346,4 +346,7 @@ Discovered endpoint info:
 <data name="PropertyNotSet" xml:space="preserve">
 <value>The {0} property must be set first.</value>
 </data>
+ <data name="X509CertificateNotTrusted" xml:space="preserve">
+ <value>The X.509 certificate used to sign this document is not trusted.</value>
+ </data>
 </root>
\ No newline at end of file |