public override bool Equals(object obj)
{
if (ReferenceEquals(null, obj))
{
return(false);
}
if (ReferenceEquals(this, obj))
{
return(true);
}
Certificate cert = obj as Certificate;
if (cert == null)
{
return(false);
}
if (_version != cert._version)
{
return(false);
}
if (_type != cert._type)
{
return(false);
}
if (_serialNumber != cert._serialNumber)
{
return(false);
}
if (!_issuedTo.Equals(cert._issuedTo))
{
return(false);
}
if (_capability != cert._capability)
{
return(false);
}
if (_issuedOnUTC != cert._issuedOnUTC)
{
return(false);
}
if (_expiresOnUTC != cert._expiresOnUTC)
{
return(false);
}
if (_publicKeyEncryptionAlgorithm != cert._publicKeyEncryptionAlgorithm)
{
return(false);
}
if (_publicKeyXML != cert._publicKeyXML)
{
return(false);
}
if (_issuerSignature == cert._issuerSignature)
{
return(true);
}
return(_issuerSignature.Equals(cert._issuerSignature));
}
public CertificateStore(Certificate cert, AsymmetricCryptoKey privateKey, string password)
: base(SymmetricEncryptionAlgorithm.Rijndael, 256, password)
{
_cert = cert;
_privateKey = privateKey;
}
public void Verify(Certificate[] trustedRootCAs)
{
Certificate issuerCert = _issuerSignature.SigningCertificate;
#region verify signature
switch (_type)
{
case CertificateType.RootCA:
if (!_issuerSignature.Verify(GetHash(_issuerSignature.HashAlgorithm), this))
{
throw new InvalidCertificateException("Root CA certificate issued to '" + _issuedTo.Name + "' by self has invalid signature.");
}
break;
case CertificateType.CA:
if (!_issuerSignature.Verify(GetHash(_issuerSignature.HashAlgorithm), trustedRootCAs))
{
throw new InvalidCertificateException("CA certificate issued to '" + _issuedTo.Name + "' by issuer '" + issuerCert._issuedTo.Name + "' has invalid signature.");
}
break;
default:
if (!_issuerSignature.Verify(GetHash(_issuerSignature.HashAlgorithm), trustedRootCAs))
{
throw new InvalidCertificateException("Certificate issued to '" + _issuedTo.Name + "' by issuer '" + issuerCert._issuedTo.Name + "' has invalid signature.");
}
break;
}
#endregion
#region check capability
switch (_type)
{
case CertificateType.RootCA:
//self
if (_capability != CertificateCapability.SignCACertificate)
{
throw new InvalidCertificateException("Root CA certificate can only be used to sign a CA certificate.");
}
//root ca doesnt have issuer
break;
case CertificateType.CA:
//self
switch (_capability)
{
case CertificateCapability.SignCACertificate:
case CertificateCapability.SignAnyUserCertificate:
case CertificateCapability.SignDomainUserCertificate:
break;
default:
throw new InvalidCertificateException("CA certificates can only be used to sign a CA or user certificate.");
}
//ca issuer must have ca signing capability
if (issuerCert._capability != CertificateCapability.SignCACertificate)
{
throw new InvalidCertificateException("CA certificate issuer '" + issuerCert._issuedTo.Name + "' doesn't have capability to sign CA certificate.");
}
break;
default:
//self
switch (_capability)
{
case CertificateCapability.SignCACertificate:
case CertificateCapability.SignAnyUserCertificate:
case CertificateCapability.SignDomainUserCertificate:
throw new InvalidCertificateException("User certificate cannot sign other certificates.");
}
//issuer
switch (issuerCert._capability)
{
case CertificateCapability.SignAnyUserCertificate:
break;
case CertificateCapability.SignDomainUserCertificate:
//check if issuer email domain matches with user email domain
if (!_issuedTo.FieldExists(CertificateProfileFlags.EmailAddress) || !issuerCert.IssuedTo.EmailAddress.Host.Equals(_issuedTo.EmailAddress.Host, StringComparison.CurrentCultureIgnoreCase))
{
throw new CryptoException("Certificate issuer '" + issuerCert._issuedTo.Name + "' domain must match with user certificate email address domain.");
}
break;
default:
throw new InvalidCertificateException("Certificate issuer '" + issuerCert._issuedTo.Name + "' doesn't have capability to sign user certificate.");
}
break;
}
#endregion
#region check if root is trusted and issued date against signer date range
switch (_type)
{
case CertificateType.RootCA:
bool trustedRootCA = false;
foreach (Certificate rootCA in trustedRootCAs)
{
if (this.Equals(rootCA))
{
trustedRootCA = true;
break;
}
}
if (!trustedRootCA)
{
throw new InvalidCertificateException("Root certificate issued by '" + _issuedTo.Name + "' is not trusted.");
}
break;
default:
if ((issuerCert._issuedOnUTC > _issuedOnUTC) || (_issuedOnUTC > issuerCert._expiresOnUTC))
{
throw new InvalidCertificateException("Issuer '" + issuerCert._issuedTo.Name + "' certificate was expired during signing certificate for '" + _issuedTo.Name + "'.");
}
break;
}
#endregion
#region check if user cert is expired
if ((_type == CertificateType.User) && HasExpired())
{
throw new InvalidCertificateException("Certificate issued to '" + _issuedTo.Name + "' has expired.");
}
#endregion
}
public CertificateStore(Certificate cert, AsymmetricCryptoKey privateKey)
{
_cert = cert;
_privateKey = privateKey;
}
