SanValidatingIssuerNameRegistry 1.0.0
dotnet add package SanValidatingIssuerNameRegistry --version 1.0.0
NuGet\Install-Package SanValidatingIssuerNameRegistry -Version 1.0.0
<PackageReference Include="SanValidatingIssuerNameRegistry" Version="1.0.0" />
paket add SanValidatingIssuerNameRegistry --version 1.0.0
#r "nuget: SanValidatingIssuerNameRegistry, 1.0.0"
// Install SanValidatingIssuerNameRegistry as a Cake Addin #addin nuget:?package=SanValidatingIssuerNameRegistry&version=1.0.0 // Install SanValidatingIssuerNameRegistry as a Cake Tool #tool nuget:?package=SanValidatingIssuerNameRegistry&version=1.0.0
SanValidatingIssuerNameRegistry
SanValidatingIssuerNameRegistry is an IssuerNameRegistry
implementation for Windows Identity Foundation which validates the signing certificate against the issuer name using the subject alternative name of the certificate.
Getting Started
Installation
SanValidatingIssuerNameRegistry can be installed on an ASP.NET project utilizing Windows Identity Foundation by installing the nuget package. Alternatively, it can be installed on an already deployed ASP.NET application using Windows Identity Framework by copying the appropriate assembly file to the bin
folder.
Configuration
The simplest way to configure SanValidatingIssuerNameRegistry is by adding it as the the issuerNameRegistry
in the web.config file.
<system.identityModel>
<identityConfiguration>
<issuerNameRegistry type="SanValidatingIssuerNameRegistry.SanValidatingIssuerNameRegistry, SanValidatingIssuerNameRegistry">
<add issuerUri="http://sts.corp.example/adfs/services/trust" allowUriValidation="false" allowIpValidation="false" />
</issuerNameRegistry>
</identityConfiguration>
</system.identityModel>
In addition to validating the issuer name against a DNS subject alternative name, allowUriValidation
can be set to true to allow validating against a URI subject alternative name, and allowIpValidation
to true to allow validating against an IP address subject alternative name. These values are false by default due to potential security concerns, and should only be enabled if necessary.
Certificate Validation
SanValidatingIssuerNameRegistry will only validate that subject alternative name of the certificate matches the issuer name as a URI. It does not validate the certificate itself. Given the simplicity of creating a fraudulent certificate with a matching subject alternative name, it is highly recommended to validate the certificate itself. This can be done using the certificateValidation
element, setting the certificateValidationMode
attribute to either ChainTrust
, PeerTrust
, or ChainOrPeerTrust
. If none of these validation modes will work with the given signing certificate, a custom X509CertificateValidator
should be used.
Product | Versions Compatible and additional computed target framework versions. |
---|---|
.NET Framework | net45 is compatible. net451 was computed. net452 was computed. net46 was computed. net461 is compatible. net462 was computed. net463 was computed. net47 was computed. net471 was computed. net472 is compatible. net48 is compatible. net481 was computed. |
-
.NETFramework 4.5
- No dependencies.
-
.NETFramework 4.6.1
- No dependencies.
-
.NETFramework 4.7.2
- No dependencies.
-
.NETFramework 4.8
- No dependencies.
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.
Version | Downloads | Last updated |
---|---|---|
1.0.0 | 327 | 3/24/2022 |