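        /// <summary>
        /// Verifies that <paramref name="certificate"/> was signed by <paramref name="signingCa"/>,
        /// that the CA chain above it is well-formed (<see cref="VerifyChain"/>), and that the chain
        /// terminates in an accepted root (<c>VerifyRoot</c>).
        /// </summary>
        /// <param name="certificate">The end-entity certificate whose trust is being established.</param>
        /// <param name="signingCa">The CA that is claimed to have issued <paramref name="certificate"/>.</param>
        /// <returns><c>true</c> only if every step succeeds; any failed step short-circuits to <c>false</c>.</returns>
        /// <exception cref="ArgumentNullException">
        /// Thrown when <paramref name="certificate"/> or <paramref name="signingCa"/> is <c>null</c>.
        /// </exception>
        public static bool VerifyTrust(X509Certificate2 certificate, Ca signingCa)
        {
            if (certificate == null)
            {
                throw new ArgumentNullException(nameof(certificate));
            }
            if (signingCa == null)
            {
                throw new ArgumentNullException(nameof(signingCa));
            }

            // Step 1: the leaf's signature must verify under the issuer's public key.
            if (!Verify(certificate, GetPublicKey(signingCa.Certificate)))
            {
                return(false);
            }

            // Step 2: the issuer and everything above it must be a valid CA chain.
            // pathLength 0 = the issuer sits directly above the end-entity certificate.
            if (!VerifyChain(signingCa, 0))
            {
                return(false);
            }

            // Step 3: the chain must end in a root this code accepts.
            // NOTE(review): nothing in this block checks the leaf's own extensions,
            // NotBefore/NotAfter, or revocation — confirm those are handled by the caller.
            return(VerifyRoot(signingCa));
        }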
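        /// <summary>
        /// Recursively validates the CA chain starting at <paramref name="ca"/> and walking up
        /// through <c>Ca.IssuingCa</c> until a root is reached.
        /// </summary>
        /// <param name="ca">The CA at the current level of the chain.</param>
        /// <param name="pathLength">
        /// Number of CA certificates already passed below this one (0 for the CA that directly
        /// issued the end-entity certificate). Compared against the BasicConstraints path length.
        /// </param>
        /// <returns><c>true</c> if every CA up to and including the root passes all checks.</returns>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="ca"/> is <c>null</c>.</exception>
        private static bool VerifyChain(Ca ca, int pathLength)
        {
            if (ca == null)
            {
                throw new ArgumentNullException(nameof(ca));
            }

            var basicConstraints = X509CertificatePropertyExtrator.GetBasicConstraints(ca.Certificate);

            // The certificate must assert cA=TRUE in BasicConstraints to act as an issuer.
            if (!basicConstraints.CertificateAuthority)
            {
                return(false);
            }

            // KeyUsage must include keyCertSign; a CA certificate without it may not sign certificates.
            X509KeyUsageFlags flags = X509CertificatePropertyExtrator.GetKeyUsage(ca.Certificate).KeyUsages;

            if ((flags & X509KeyUsageFlags.KeyCertSign) != X509KeyUsageFlags.KeyCertSign)
            {
                return(false);
            }

            // A pathLenConstraint of N allows at most N CA certificates below this one in the chain.
            if (basicConstraints.HasPathLengthConstraint && basicConstraints.PathLengthConstraint < pathLength)
            {
                return(false);
            }

            // A self-signed certificate that is not registered as a root is rejected outright,
            // so an attacker-supplied self-signed CA cannot terminate the chain.
            if (IsSelfSigned(ca) && !ca.IsRoot)
            {
                return(false);
            }

            // Reaching a root ends the walk here; VerifyRoot (called by VerifyTrust) decides
            // whether that root is actually accepted.
            if (ca.IsRoot)
            {
                return(true);
            }

            // A non-root CA with no issuer cannot be chained any further.
            if (ca.IssuingCa == null)
            {
                return(false);
            }

            Ca signingCa = ca.IssuingCa;

            // NOTE(review): X509BasicConstraintsExtension.PathLengthConstraint is never negative,
            // so this guard is effectively always true; kept so the extractor is still consulted
            // before the signature check, as in the original flow.
            if (X509CertificatePropertyExtrator.GetBasicConstraints(signingCa.Certificate).PathLengthConstraint >= 0)
            {
                // This CA's certificate must verify under its issuer's public key, then the issuer
                // is checked with the path length incremented (do not mutate the parameter).
                // NOTE(review): no NotBefore/NotAfter or revocation check happens in this block,
                // and a cyclic IssuingCa graph without a root would recurse without bound — confirm
                // the Ca type prevents cycles.
                if (Verify(ca.Certificate, GetPublicKey(signingCa.Certificate)))
                {
                    return(VerifyChain(signingCa, pathLength + 1));
                }
            }

            return(false);
        }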