
I have a custom X509CertificateValidator that currently validates a series of rules against a certificate presented for a WCF SOAP message.

There is a requirement to check the CN name on the certificate against the domain the certificate is being presented by, but I'm not aware that I have access to the request from within the X509CertificateValidator.

Is there any way to check that the certificate matches the request domain?

Fenton

1 Answer

I haven't found any way to do this from within the X509CertificateValidator, but it is possible within the service.

Here is my first cut - I will be refining it to make it more elegant, but this works.

    using System.IdentityModel.Claims;
    using System.Linq;
    using System.Net;
    using System.Security;
    using System.Security.Cryptography.X509Certificates;
    using System.ServiceModel;
    using System.ServiceModel.Channels;

    private static void ValidateRequestIsFromCertificateDomain()
    {
        var endpointProperty = OperationContext.Current.IncomingMessageProperties[RemoteEndpointMessageProperty.Name] as RemoteEndpointMessageProperty;
        var claimSet = OperationContext.Current.ServiceSecurityContext.AuthorizationContext.ClaimSets.OfType<X509CertificateClaimSet>().FirstOrDefault();
        if (endpointProperty == null || claimSet == null)
            throw new SecurityException("No client certificate or remote address available");

        // DNS name claimed by the certificate (first SAN dNSName, otherwise the subject CN)
        string domain = claimSet.X509Certificate.GetNameInfo(X509NameType.DnsName, false);
        IPAddress[] resolvedAddresses = Dns.GetHostAddresses(domain);

        // A host may have several A/AAAA records, so accept a match on any of them
        if (!IPAddress.TryParse(endpointProperty.Address, out IPAddress clientAddress)
            || !resolvedAddresses.Any(a => a.Equals(clientAddress)))
        {
            throw new SecurityException("Client address mismatch");
        }
    }

This isn't really required because the client encrypts data with its private key that can only be decrypted with its public key - so you know the certificate is being presented by the real client.

However, if you are given this as an integration requirement as I have been, this may be useful to you.

Fenton
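The check in the answer above compares one DNS name from the certificate against one resolved address. As an added example (not code from the original post or from the answerer), here is a stand-alone version of the same idea that collects every dNSName in the Subject Alternative Name extension (falling back to the subject CN), compares the client address against every A/AAAA record of each name, and takes the resolver as a parameter so it can be run offline. It assumes .NET 7 or later for `X509SubjectAlternativeNameExtension`; the certificate built in `Main` and the stub resolver are constructed for the demo, and the hostnames and addresses are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class CertificateOriginCheck
{
    // Every DNS name the certificate claims: SAN dNSName entries first (what a TLS
    // peer would match against), then the subject CN only if there is no SAN.
    public static IEnumerable<string> DnsNames(X509Certificate2 cert)
    {
        var names = new List<string>();
        foreach (X509Extension ext in cert.Extensions)
        {
            if (ext.Oid?.Value == "2.5.29.17") // id-ce-subjectAltName (.NET 7+ typed parser)
                names.AddRange(new X509SubjectAlternativeNameExtension(ext.RawData, ext.Critical).EnumerateDnsNames());
        }
        if (names.Count == 0)
        {
            string cn = cert.GetNameInfo(X509NameType.DnsName, false);
            if (!string.IsNullOrEmpty(cn)) names.Add(cn);
        }
        return names.Select(n => n.Trim().ToLowerInvariant()).Distinct();
    }

    // True if remoteAddress is one of the addresses any claimed DNS name resolves to.
    // The resolver is injectable so the check can be exercised without network access.
    public static bool MatchesRemoteAddress(X509Certificate2 cert, string remoteAddress,
                                            Func<string, IPAddress[]> resolve = null)
    {
        resolve ??= host => Dns.GetHostAddresses(host);
        if (!IPAddress.TryParse(remoteAddress, out IPAddress remote)) return false;

        foreach (string name in DnsNames(cert))
        {
            if (name.StartsWith("*.")) continue; // a wildcard name cannot be resolved
            IPAddress[] addrs;
            try { addrs = resolve(name); }
            catch (SocketException) { continue; } // unresolvable name: try the next one
            if (addrs.Any(a => a.Equals(remote))) return true; // byte-wise compare, not string compare
        }
        return false;
    }

    public static void Main()
    {
        // Constructed self-signed client certificate with two SAN dNSNames (hypothetical hosts).
        using RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=client.example.test", rsa,
                                         HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName("client.example.test");
        san.AddDnsName("alt.example.test");
        req.CertificateExtensions.Add(san.Build());
        using X509Certificate2 cert = req.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));

        // Constructed stand-in for DNS: both names map to one IPv4 and one IPv6 address.
        IPAddress[] FakeResolve(string host) => host.EndsWith("example.test")
            ? new[] { IPAddress.Parse("203.0.113.10"), IPAddress.Parse("2001:db8::10") }
            : Array.Empty<IPAddress>();

        foreach (string client in new[] { "203.0.113.10", "2001:db8:0:0::10", "198.51.100.7" })
            Console.WriteLine($"{client}: {MatchesRemoteAddress(cert, client, FakeResolve)}");
    }
}
```

Two things the comparison deliberately does differently from a string compare: addresses are parsed and compared as `IPAddress` values, so an IPv6 peer written with different zero compression still matches, and every record of every name is consulted rather than only the first. Even so, the result only says that the source IP is currently one of the names' DNS answers; clients behind NAT, load balancers or changing DNS will fail the check, and the certificate signature on the message already proves possession of the private key, so treat this as the integration requirement it is rather than as additional authentication.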