in Amazon.KinesisTap.Core/CertificateUtility.cs [29:104]
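/// <summary>
/// Looks in the personal ("My") store at <paramref name="storeLocation"/> for a client-authentication
/// certificate issued to <paramref name="username"/>: the subject must contain the name, the certificate
/// must not be self-signed, its EKU must include Client Authentication, and its Subject Alternative Name
/// entry (DNS Name for the machine store, Principal Name otherwise) must match the name.
/// </summary>
/// <param name="storeLocation">Store to search. <see cref="StoreLocation.LocalMachine"/> matches on the
/// "DNS Name" SAN entry; any other location matches on the "Principal Name" entry.</param>
/// <param name="username">Machine or user name the certificate must be issued to. Treated as a literal
/// string, never as a pattern.</param>
/// <param name="templateNameRegex">Optional case-insensitive regular expression that the certificate
/// template name must match. When supplied, certificates without a template-name extension are skipped.</param>
/// <returns>The first certificate that passes every check, or <c>null</c> when <paramref name="username"/>
/// is blank or no candidate matches.</returns>
public static X509Certificate2 GetCertificate(StoreLocation storeLocation, string username, string templateNameRegex = null)
{
    if (string.IsNullOrWhiteSpace(username))
    {
        return null;
    }

    // The name is interpolated into a regular expression, so escape it: a name containing '.', '-'
    // or other metacharacters has to match literally, not as a pattern.
    var escapedUsername = Regex.Escape(username);
    string extractionRegex;
    string nameMatchRegex;
    if (storeLocation == StoreLocation.LocalMachine)
    {
        // Machine certificates: the SAN DNS Name must start with the host name; any suffix
        // (for example the rest of an FQDN) is accepted.
        extractionRegex = "DNS Name=([a-zA-Z0-9@\\.\\-_]+)";
        nameMatchRegex = $"^{escapedUsername}";
    }
    else
    {
        // User certificates: the SAN Principal Name must be exactly the user name, optionally followed
        // by an "@domain" suffix. Anchored at both ends so "user2@domain" does not satisfy "user".
        extractionRegex = "Principal Name=([a-zA-Z0-9@\\.\\-_]+)";
        nameMatchRegex = $"^{escapedUsername}(@.+)?$";
    }

    using (var store = new X509Store(StoreName.My, storeLocation))
    {
        store.Open(OpenFlags.OpenExistingOnly);

        // Narrow the store to certificates issued to the name that carry a SAN and an EKU extension;
        // the last Find passes validOnly = true, so only certificates the platform considers valid remain.
        var candidateCertificates = store.Certificates
            .Find(X509FindType.FindBySubjectName, username, false)
            .Find(X509FindType.FindByExtension, DnsNameOid, false)
            .Find(X509FindType.FindByExtension, EnhancedKeyUsageOid, true);

        foreach (var cert in candidateCertificates)
        {
            // A self-signed certificate is not an acceptable client credential here.
            if (cert.Subject == cert.Issuer)
            {
                continue;
            }

            // The EKU must list Client Authentication.
            if (cert.Extensions[EnhancedKeyUsageOid] is X509EnhancedKeyUsageExtension eku
                && eku.EnhancedKeyUsages[ClientAuthenticationOid] == null)
            {
                continue;
            }

            var dnsNameExtension = cert.Extensions[DnsNameOid];
            if (dnsNameExtension == null)
            {
                continue;
            }

            if (!string.IsNullOrWhiteSpace(templateNameRegex) && !TemplateNameMatches(cert, templateNameRegex))
            {
                continue;
            }

            // Extract the SAN entry from the formatted extension text and compare it with the expected name.
            // Every condition must hold: Regex.Match never returns null, so a null check joined with "||"
            // would accept every candidate without ever looking at the name. DNS names and UPNs are
            // case-insensitive, hence IgnoreCase.
            var nameMatch = Regex.Match(dnsNameExtension.Format(false), extractionRegex);
            if (nameMatch.Success
                && nameMatch.Groups.Count == 2
                && Regex.IsMatch(nameMatch.Groups[1].Value, nameMatchRegex, RegexOptions.IgnoreCase))
            {
                return cert;
            }
        }
    }

    return null;
}

/// <summary>
/// Reads the template name from the certificate's template-name extension and tests it against
/// <paramref name="templateNameRegex"/> (case-insensitive).
/// </summary>
/// <param name="cert">Certificate to inspect.</param>
/// <param name="templateNameRegex">Regular expression the template name must match.</param>
/// <returns><c>false</c> when the extension is absent, the parsed name is blank, or the name does not match.</returns>
private static bool TemplateNameMatches(X509Certificate2 cert, string templateNameRegex)
{
    var templateNameExtension = cert.Extensions[TemplateNameOid];
    if (templateNameExtension == null)
    {
        return false;
    }

    // The parsing assumes Format(false) yields text of the shape "Template=<name>(<oid>)":
    // keep what precedes the first '(' and follows the last '='.
    var templateName = templateNameExtension.Format(false)
        .Split('(').FirstOrDefault()?
        .Split('=').LastOrDefault()?
        .Trim();

    return !string.IsNullOrWhiteSpace(templateName)
        && Regex.IsMatch(templateName, templateNameRegex, RegexOptions.IgnoreCase);
}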