X509CertificateValidator Class

Namespace: System.Net.Security
Summary:

Provides a base class for custom certificate validation logic in .NET. This class is used to implement certificate validation policies beyond the default ones provided by the framework.

Public Constructors

public X509CertificateValidator()

Initializes a new instance of the X509CertificateValidator class.

Public Methods

public virtual void Validate(X509Certificate2 cert)

Performs certificate validation. Derived classes override this method to supply their own validation logic; the override signals an unacceptable certificate by throwing an exception rather than returning a result.

Parameters:

cert: The X509Certificate2 to validate.

Returns:

void. This method does not return a value; a validation failure is reported by throwing an exception.

Remarks

The X509CertificateValidator class is designed for scenarios where you need to enforce specific certificate validation rules that are not covered by the standard .NET security policies. For example, you might want to:

To use custom validation, you typically inherit from X509CertificateValidator and override the Validate method. You then provide an instance of your custom validator to security-related operations, such as those in System.Net.Security.SslStream or when establishing WCF service endpoints.

Example: Custom Certificate Validation

using System;
using System.Net.Security;
using System.Security;
using System.Security.Cryptography.X509Certificates;

// Define a custom validator
public class MyCustomCertificateValidator : X509CertificateValidator
{
    public override void Validate(X509Certificate2 cert)
    {
        if (cert == null)
        {
            throw new ArgumentNullException(nameof(cert));
        }

        // Example: Check if the certificate has a specific subject name.
        // Note: Contains() is a substring match over the whole distinguished name;
        // compare the parsed CN (cert.GetNameInfo) for an exact match in production code.
        if (!cert.Subject.Contains("CN=MyTrustedServer"))
        {
            throw new SecurityException("The certificate's subject name is not trusted.");
        }

        // Example: Check if the certificate is expired.
        // NotAfter is returned in local time, so normalise to UTC before comparing.
        if (cert.NotAfter.ToUniversalTime() < DateTime.UtcNow)
        {
            throw new SecurityException("The certificate has expired.");
        }

        // Add more custom validation logic here...
        Console.WriteLine($"Certificate validated for subject: {cert.Subject}");
    }
}

// How to use the custom validator (e.g., with SslStream)
public class SslClientExample
{
    public static void ConnectWithCustomValidation()
    {
        // ... establish SslStream ...

        // Create an instance of your custom validator
        var customValidator = new MyCustomCertificateValidator();

        // Assign your custom validator to the RemoteCertificateValidationCallback
        // This callback is invoked when the server's certificate needs to be validated.
        var sslParameters = new SslClientAuthenticationOptions
        {
            RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) =>
            {
                // Do not bypass the framework's own checks: a chain error or name
                // mismatch reported in sslPolicyErrors must still fail the handshake.
                if (sslPolicyErrors != SslPolicyErrors.None)
                {
                    Console.WriteLine($"Default validation reported: {sslPolicyErrors}");
                    return false;
                }

                if (certificate == null)
                {
                    return false;
                }

                try
                {
                    // The callback may supply a plain X509Certificate; wrap it rather than
                    // casting, which would throw InvalidCastException.
                    var cert2 = certificate as X509Certificate2 ?? new X509Certificate2(certificate);

                    // Use your custom validator
                    customValidator.Validate(cert2);
                    return true; // Validation succeeded
                }
                catch (SecurityException ex)
                {
                    Console.WriteLine($"Certificate validation failed: {ex.Message}");
                    return false; // Validation failed
                }
                catch (Exception ex)
                {
                    Console.WriteLine($"An unexpected error occurred during validation: {ex.Message}");
                    return false;
                }
            }
        };

        // ... proceed with authentication using sslParameters ...
    }
}
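
As an added example (not part of this reference page), a stricter validator written against the class as documented above: it compares the parsed DNS name exactly instead of matching a substring of the subject, checks both ends of the validity window, builds the chain with revocation checking and no relaxed flags, and pins the leaf certificate's SHA-256 thumbprint. The host name and thumbprint are placeholder values, and the code assumes .NET 5 or later for Convert.ToHexString and SHA256.HashData.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: keeps the framework's chain checks and pins the expected leaf.
// ExpectedHost and the pinned thumbprint below are placeholder values.
public class PinnedCertificateValidator : X509CertificateValidator
{
    private const string ExpectedHost = "mytrustedserver.example"; // placeholder
    // Hex SHA-256 over the DER encoding of the expected leaf (placeholder value).
    private static readonly HashSet<string> PinnedSha256 =
        new(StringComparer.OrdinalIgnoreCase)
        { "0000000000000000000000000000000000000000000000000000000000000000" };

    public override void Validate(X509Certificate2 cert)
    {
        if (cert == null) throw new ArgumentNullException(nameof(cert));

        // 1. Exact host-name check: first DNS SAN (falls back to CN), not a DN substring.
        string dnsName = cert.GetNameInfo(X509NameType.DnsName, forIssuer: false);
        if (!string.Equals(dnsName, ExpectedHost, StringComparison.OrdinalIgnoreCase))
            throw new SecurityException($"Unexpected server name '{dnsName}'.");

        // 2. Validity window, both ends, compared in UTC.
        DateTime now = DateTime.UtcNow;
        if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
            throw new SecurityException("Certificate is outside its validity period.");

        // 3. Build the chain with online revocation checking and no relaxed flags.
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        if (!chain.Build(cert))
        {
            string reasons = string.Join("; ",
                Array.ConvertAll(chain.ChainStatus, s => s.StatusInformation.Trim()));
            throw new SecurityException($"Chain validation failed: {reasons}");
        }

        // 4. Pin the leaf: hex SHA-256 of the DER bytes must be on the allowlist.
        string thumbprint = Convert.ToHexString(SHA256.HashData(cert.RawData));
        if (!PinnedSha256.Contains(thumbprint))
            throw new SecurityException("Certificate thumbprint is not pinned.");
    }
}
```

Plug an instance of this class into the RemoteCertificateValidationCallback shown above in place of MyCustomCertificateValidator; the callback should still return false whenever sslPolicyErrors is not None.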

See Also