System.Net.Security.TrustPolicy Class

Namespace: System.Net.Security
Assembly: System (in System.dll)

Provides a base class for implementing custom security policy checks for System.Net.Security.SslStream and related classes. This class is used to determine whether a server's certificate should be trusted during the SSL/TLS handshake.

By default, .NET Framework uses a built-in trust policy that relies on the operating system's certificate store. Custom implementations of TrustPolicy allow for more granular control over certificate validation, such as integrating with custom certificate authorities or implementing specific compliance requirements.

Syntax

public abstract class TrustPolicy

Inheritance

Object
TrustPolicy

Constructors

The TrustPolicy class has the following constructors:

Methods

The TrustPolicy class has the following methods:

Remarks

To implement a custom trust policy, you need to create a class that derives from TrustPolicy and overrides the Validate method. This method receives the server's certificate and the target host name. Your implementation should perform the necessary checks to determine if the certificate is valid and trustworthy for the given context.

Common validation steps include:

The TrustPolicy class is an abstract class, meaning you cannot instantiate it directly. You must derive from it to create a usable policy.

The default trust policy in .NET relies on the Windows certificate store. If you don't provide a custom TrustPolicy, the system's certificate validation mechanisms will be used.

Example

The following example demonstrates how to create a simple custom TrustPolicy that trusts a certificate whenever its subject name contains a specific string. This check is intentionally minimal: it does not verify the validity period, build or check the certificate chain, or confirm that the certificate name matches the target host. In a real-world scenario, this validation would be much more robust.

using System;
using System.Security.Cryptography.X509Certificates;

// A very basic custom trust policy for demonstration purposes.
// It trusts any certificate whose subject contains the configured substring,
// regardless of expiry, chain or host name; see the Remarks section.
public class MyCustomTrustPolicy : TrustPolicy
{
    private readonly string _requiredSubjectSubstring;

    public MyCustomTrustPolicy(string requiredSubstring)
    {
        _requiredSubjectSubstring = requiredSubstring;
    }

    // Called during the handshake with the server's certificate and the host
    // name the client intended to reach.
    public override bool Validate(X509Certificate certificate, string targetName)
    {
        if (certificate == null)
        {
            return false;
        }

        // Basic check: does the subject name contain the required substring?
        if (!string.IsNullOrEmpty(certificate.Subject) && certificate.Subject.Contains(_requiredSubjectSubstring))
        {
            // In a real scenario, you would also check expiry, chain, etc.
            Console.WriteLine($"Certificate subject '{certificate.Subject}' trusted for target '{targetName}'.");
            return true;
        }

        Console.WriteLine($"Certificate subject '{certificate.Subject}' NOT trusted for target '{targetName}'.");
        return false;
    }
}

// How to use it (simplified):
// SslStream sslStream = new SslStream(...);
// sslStream.AuthenticateAsClient(targetHost, new MyCustomTrustPolicy("MyCompany"), ...);
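The policy above is the weak form. As an added example (not code from this page), the following policy performs the checks the Remarks section calls for: it pins a single trusted root CA by thumbprint, builds and inspects the certificate chain with X509Chain, enforces the validity period and matches the target host name (including single-label wildcards). It assumes the abstract TrustPolicy base class and the Validate(X509Certificate, string) signature documented above, and uses the CertificateRequest API (available in .NET Framework 4.7.2 and later) to generate throwaway demo certificates; the names "Demo Root CA" and "api.example.com" are constructed for the demonstration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hardened policy: trust only certificates that chain to one pinned root CA,
// are within their validity period, and are issued for the requested host.
// Assumes the TrustPolicy base class documented on this page.
public class PinnedRootTrustPolicy : TrustPolicy
{
    private readonly X509Certificate2 _pinnedRoot;

    public PinnedRootTrustPolicy(X509Certificate2 pinnedRoot)
    {
        _pinnedRoot = pinnedRoot ?? throw new ArgumentNullException(nameof(pinnedRoot));
    }

    public override bool Validate(X509Certificate certificate, string targetName)
    {
        if (certificate == null || string.IsNullOrEmpty(targetName)) return false;

        var cert = new X509Certificate2(certificate);
        DateTime now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter) return false; // not yet valid or expired

        // GetNameInfo returns the first SAN DNS name (or the CN); a production policy
        // would enumerate every DNS name in the SAN extension (OID 2.5.29.17).
        if (!HostNameMatches(cert.GetNameInfo(X509NameType.DnsName, false), targetName)) return false;

        using (var chain = new X509Chain())
        {
            // The pinned root may not be in the OS store, so supply it here and tolerate
            // "unknown CA" during chain building; the thumbprint check below closes that gap.
            chain.ChainPolicy.ExtraStore.Add(_pinnedRoot);
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // demo certs publish no CRL; use Online in production
            chain.ChainPolicy.VerificationTime = now;

            if (!chain.Build(cert)) return false;

            // UntrustedRoot is the only status we accept, and only because the root is pinned below.
            if (chain.ChainStatus.Any(s => s.Status != X509ChainStatusFlags.NoError
                                        && s.Status != X509ChainStatusFlags.UntrustedRoot))
                return false;

            X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            return string.Equals(root.Thumbprint, _pinnedRoot.Thumbprint, StringComparison.OrdinalIgnoreCase);
        }
    }

    // Host name matching: exact DNS name, or a wildcard that covers exactly one label (*.example.com).
    internal static bool HostNameMatches(string certName, string targetName)
    {
        if (string.IsNullOrEmpty(certName)) return false;
        certName = certName.TrimEnd('.').ToLowerInvariant();
        targetName = targetName.TrimEnd('.').ToLowerInvariant();
        if (certName == targetName) return true;
        if (!certName.StartsWith("*.") || certName.IndexOf('*', 1) >= 0) return false;
        string suffix = certName.Substring(1); // ".example.com"
        if (!targetName.EndsWith(suffix)) return false;
        string label = targetName.Substring(0, targetName.Length - suffix.Length);
        return label.Length > 0 && label.IndexOf('.') < 0; // no sub-subdomains, no empty label
    }

    // Constructed demo: a throwaway root CA and a leaf for "api.example.com" (not real certificates).
    public static void Main()
    {
        using (RSA rootKey = RSA.Create())
        using (RSA leafKey = RSA.Create())
        {
            rootKey.KeySize = 2048;
            leafKey.KeySize = 2048;

            var rootReq = new CertificateRequest("CN=Demo Root CA", rootKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            rootReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
            X509Certificate2 root = rootReq.CreateSelfSigned(DateTimeOffset.Now.AddDays(-1), DateTimeOffset.Now.AddYears(1));

            var leafReq = new CertificateRequest("CN=api.example.com", leafKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            var san = new SubjectAlternativeNameBuilder();
            san.AddDnsName("api.example.com");
            leafReq.CertificateExtensions.Add(san.Build());
            X509Certificate2 leaf = leafReq.Create(root, DateTimeOffset.Now.AddDays(-1), DateTimeOffset.Now.AddMonths(3), new byte[] { 1, 2, 3 });

            var policy = new PinnedRootTrustPolicy(root);
            Console.WriteLine("api.example.com:  " + policy.Validate(leaf, "api.example.com"));
            Console.WriteLine("evil.example.com: " + policy.Validate(leaf, "evil.example.com"));
            Console.WriteLine("unpinned root:    " + new PinnedRootTrustPolicy(leaf).Validate(leaf, "api.example.com"));
        }
    }
}
```

The order of checks matters: the host-name and validity tests are cheap and reject most mismatches before chain building, while the final thumbprint comparison is what actually bounds trust, since AllowUnknownCertificateAuthority alone would accept any self-signed chain. Any chain status other than UntrustedRoot (NotTimeValid, NotSignatureValid, Revoked, and so on) still fails closed.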