File: CertificateAuthenticationOptions.cs
Project: src\src\Security\Authentication\Certificate\src\Microsoft.AspNetCore.Authentication.Certificate.csproj (Microsoft.AspNetCore.Authentication.Certificate)
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
 
using System.Security.Cryptography.X509Certificates;
 
namespace Microsoft.AspNetCore.Authentication.Certificate;
 
/// <summary>
/// Settings that control how certificate authentication accepts and validates a client certificate.
/// </summary>
/// <remarks>
/// Every default below is the strict choice (chained certificates only, EKU and validity checks on,
/// online revocation). Relaxing any of them should be a deliberate, reviewed decision.
/// </remarks>
public class CertificateAuthenticationOptions : AuthenticationSchemeOptions
{
    /// <summary>
    /// The kinds of certificate the authentication middleware is willing to accept.
    /// </summary>
    /// <value>
    /// Defaults to <see cref="CertificateTypes.Chained"/>.
    /// </value>
    /// <remarks>
    /// NOTE(review): if this is widened to admit self-signed certificates there is no issuing CA to
    /// anchor trust, so the application presumably has to decide which certificates it trusts itself
    /// (for example in a handler assigned through <see cref="Events"/>) - confirm against the handler.
    /// </remarks>
    public CertificateTypes AllowedCertificateTypes { get; set; } = CertificateTypes.Chained;

    /// <summary>
    /// X509 certificates that are treated as trusted components of the certificate chain.
    /// </summary>
    /// <remarks>
    /// This collection only takes part in chain validation when <see cref="ChainTrustValidationMode"/>
    /// is <see cref="X509ChainTrustMode.CustomRootTrust"/>. With the default
    /// <see cref="X509ChainTrustMode.System"/> mode, certificates placed here are not used, so a
    /// deployment that fills this store without switching the mode is not pinned to it.
    /// </remarks>
    public X509Certificate2Collection CustomTrustStore { get; set; } = new();

    /// <summary>
    /// X509 certificates that are added to the X509Chain.ChainPolicy.ExtraStore of the certificate chain.
    /// </summary>
    /// <remarks>
    /// NOTE(review): ExtraStore entries are normally used to help build the chain (typically
    /// intermediates) and are not trust anchors on their own; trusted roots belong in
    /// <see cref="CustomTrustStore"/> - confirm against the handler.
    /// </remarks>
    public X509Certificate2Collection AdditionalChainCertificates { get; set; } = new();

    /// <summary>
    /// How certificate chains are validated with respect to <see cref="CustomTrustStore"/>.
    /// </summary>
    /// <value>
    /// Defaults to <see cref="X509ChainTrustMode.System"/>.
    /// </value>
    /// <remarks>This property must be set to <see cref="X509ChainTrustMode.CustomRootTrust"/> to enable <see cref="CustomTrustStore"/> to be used in certificate chain validation.</remarks>
    public X509ChainTrustMode ChainTrustValidationMode { get; set; } = X509ChainTrustMode.System;

    /// <summary>
    /// Whether the client certificate must be suitable for client authentication: it either
    /// carries the Client Authentication EKU or carries no EKUs at all. If the certificate chains
    /// to a root CA, all certificates in the chain must be validated for the client authentication EKU.
    /// </summary>
    /// <value>
    /// Defaults to <see langword="true" />.
    /// </value>
    /// <remarks>
    /// NOTE(review): turning this off presumably lets certificates issued for other purposes be
    /// presented as client credentials - confirm against the handler before disabling.
    /// </remarks>
    public bool ValidateCertificateUse { get; set; } = true;

    /// <summary>
    /// Whether the validity period of the client certificate should be checked.
    /// </summary>
    /// <value>
    /// Defaults to <see langword="true" />.
    /// </value>
    /// <remarks>
    /// NOTE(review): with this off, an expired or not-yet-valid certificate presumably is not
    /// rejected on that ground - confirm against the handler before disabling.
    /// </remarks>
    public bool ValidateValidityPeriod { get; set; } = true;

    /// <summary>
    /// Which X509 certificates in the chain should be checked for revocation.
    /// </summary>
    /// <value>
    /// Defaults to <see cref="X509RevocationFlag.ExcludeRoot" />.
    /// </value>
    public X509RevocationFlag RevocationFlag { get; set; } = X509RevocationFlag.ExcludeRoot;

    /// <summary>
    /// The revocation mode applied when the certificates in the X509 chain are verified.
    /// </summary>
    /// <value>
    /// Defaults to <see cref="X509RevocationMode.Online" />.
    /// </value>
    /// <remarks>
    /// <see cref="X509RevocationMode.NoCheck"/> turns revocation checking off, in which case a revoked
    /// client certificate is not detected by chain validation. NOTE(review): the online default
    /// presumably needs the host to reach the issuer's revocation endpoints - verify for the deployment.
    /// </remarks>
    public X509RevocationMode RevocationMode { get; set; } = X509RevocationMode.Online;

    /// <summary>
    /// The application-supplied object that processes events raised by the certificate authentication middleware.
    /// The application may implement the interface fully, or it may create an instance of CertificateAuthenticationEvents
    /// and assign delegates only to the events it wants to process.
    /// </summary>
    public new CertificateAuthenticationEvents? Events
    {
        // Hides the base member so callers get the certificate-specific events type; the value
        // itself is still stored in the base class property.
        get => (CertificateAuthenticationEvents?)base.Events;
        set => base.Events = value;
    }
}