bool ExtendedKeyUsage(MSX.PKCS12 pfx)
{
foreach (MSX.X509Certificate cert in pfx.Certificates)
{
MSX.X509Extension xtn = cert.Extensions ["2.5.29.37"];
if (xtn == null)
{
continue;
}
var eku = new ExtendedKeyUsageExtension(xtn);
if (!eku.KeyPurpose.Contains("1.3.6.1.5.5.7.3.1"))
{
continue;
}
key = GetKeyMatchingCertificate(pfx, cert);
if (key == null)
{
continue;
}
x509 = new X509Certificate(cert.RawData);
break;
}
// complete ?
return((x509 != null) && (key != null));
}
private byte[] GetKeyIdentifier(Mono.Security.X509.X509Certificate x509)
{
// if present in certificate return value of the SubjectKeyIdentifier
Mono.Security.X509.X509Extension extn = x509.Extensions ["2.5.29.14"];
if (extn != null)
{
ASN1 bs = new ASN1(extn.Value.Value);
return(bs.Value);
}
// strangely DEPRECATED keyAttributes isn't used here (like KeyUsage)
// if not then we must calculate the SubjectKeyIdentifier ourselve
// Note: MS does that hash on the complete subjectPublicKeyInfo (unlike PKIX)
// http://groups.google.ca/groups?selm=e7RqM%24plCHA.1488%40tkmsftngp02&oe=UTF-8&output=gplain
ASN1 subjectPublicKeyInfo = new ASN1(0x30);
ASN1 algo = subjectPublicKeyInfo.Add(new ASN1(0x30));
algo.Add(new ASN1(CryptoConfig.EncodeOID(x509.KeyAlgorithm)));
// FIXME: does it work for DSA certs (without an 2.5.29.14 extension ?)
algo.Add(new ASN1(x509.KeyAlgorithmParameters));
byte[] pubkey = x509.PublicKey;
byte[] bsvalue = new byte [pubkey.Length + 1]; // add unused bits (0) before the public key
Array.Copy(pubkey, 0, bsvalue, 1, pubkey.Length);
subjectPublicKeyInfo.Add(new ASN1(0x03, bsvalue));
SHA1 sha = SHA1.Create();
return(sha.ComputeHash(subjectPublicKeyInfo.GetBytes()));
}
bool KeyUsage(MSX.PKCS12 pfx)
{
foreach (MSX.X509Certificate cert in pfx.Certificates)
{
MSX.X509Extension xtn = cert.Extensions ["2.5.29.15"];
if (xtn == null)
{
continue;
}
var ku = new KeyUsageExtension(xtn);
if (!ku.Support(KeyUsages.digitalSignature) && !ku.Support(KeyUsages.keyEncipherment))
{
continue;
}
key = GetKeyMatchingCertificate(pfx, cert);
if (key == null)
{
continue;
}
x509 = new X509Certificate(cert.RawData);
break;
}
// complete ?
return((x509 != null) && (key != null));
}
private bool checkCertificateUsage(Mono.Security.X509.X509Certificate cert)
{
ClientContext clientContext = (ClientContext)base.Context;
if (cert.Version < 3)
{
return(true);
}
KeyUsages usage = KeyUsages.none;
switch (clientContext.Negotiating.Cipher.ExchangeAlgorithmType)
{
case ExchangeAlgorithmType.DiffieHellman:
usage = KeyUsages.keyAgreement;
break;
case ExchangeAlgorithmType.Fortezza:
return(false);
case ExchangeAlgorithmType.RsaKeyX:
usage = KeyUsages.keyEncipherment;
break;
case ExchangeAlgorithmType.RsaSign:
usage = KeyUsages.digitalSignature;
break;
}
KeyUsageExtension keyUsageExtension = null;
ExtendedKeyUsageExtension extendedKeyUsageExtension = null;
Mono.Security.X509.X509Extension x509Extension = cert.Extensions["2.5.29.15"];
if (x509Extension != null)
{
keyUsageExtension = new KeyUsageExtension(x509Extension);
}
x509Extension = cert.Extensions["2.5.29.37"];
if (x509Extension != null)
{
extendedKeyUsageExtension = new ExtendedKeyUsageExtension(x509Extension);
}
if (keyUsageExtension != null && extendedKeyUsageExtension != null)
{
return(keyUsageExtension.Support(usage) && (extendedKeyUsageExtension.KeyPurpose.Contains("1.3.6.1.5.5.7.3.1") || extendedKeyUsageExtension.KeyPurpose.Contains("2.16.840.1.113730.4.1")));
}
if (keyUsageExtension != null)
{
return(keyUsageExtension.Support(usage));
}
if (extendedKeyUsageExtension != null)
{
return(extendedKeyUsageExtension.KeyPurpose.Contains("1.3.6.1.5.5.7.3.1") || extendedKeyUsageExtension.KeyPurpose.Contains("2.16.840.1.113730.4.1"));
}
x509Extension = cert.Extensions["2.16.840.1.113730.1.1"];
if (x509Extension != null)
{
NetscapeCertTypeExtension netscapeCertTypeExtension = new NetscapeCertTypeExtension(x509Extension);
return(netscapeCertTypeExtension.Support(NetscapeCertTypeExtension.CertTypes.SslServer));
}
return(true);
}
private bool checkServerIdentity(Mono.Security.X509.X509Certificate cert)
{
ClientContext clientContext = (ClientContext)base.Context;
string targetHost = clientContext.ClientSettings.TargetHost;
Mono.Security.X509.X509Extension x509Extension = cert.Extensions["2.5.29.17"];
if (x509Extension != null)
{
SubjectAltNameExtension subjectAltNameExtension = new SubjectAltNameExtension(x509Extension);
foreach (string pattern in subjectAltNameExtension.DNSNames)
{
if (TlsServerCertificate.Match(targetHost, pattern))
{
return(true);
}
}
foreach (string a in subjectAltNameExtension.IPAddresses)
{
if (a == targetHost)
{
return(true);
}
}
}
return(this.checkDomainName(cert.SubjectName));
}
bool NetscapeCertType(MSX.PKCS12 pfx)
{
foreach (MSX.X509Certificate cert in pfx.Certificates)
{
MSX.X509Extension xtn = cert.Extensions ["2.16.840.1.113730.1.1"];
if (xtn == null)
{
continue;
}
var ct = new NetscapeCertTypeExtension(xtn);
if (!ct.Support(NetscapeCertTypeExtension.CertTypes.SslServer))
{
continue;
}
key = GetKeyMatchingCertificate(pfx, cert);
if (key == null)
{
continue;
}
x509 = new X509Certificate(cert.RawData);
break;
}
// complete ?
return((x509 != null) && (key != null));
}
private static bool CheckServerIdentity(Mono.Security.X509.X509Certificate cert, string targetHost)
{
bool result;
try
{
Mono.Security.X509.X509Extension x509Extension = cert.Extensions["2.5.29.17"];
if (x509Extension != null)
{
SubjectAltNameExtension subjectAltNameExtension = new SubjectAltNameExtension(x509Extension);
foreach (string pattern in subjectAltNameExtension.DNSNames)
{
if (ServicePointManager.ChainValidationHelper.Match(targetHost, pattern))
{
return(true);
}
}
foreach (string a in subjectAltNameExtension.IPAddresses)
{
if (a == targetHost)
{
return(true);
}
}
}
result = ServicePointManager.ChainValidationHelper.CheckDomainName(cert.SubjectName, targetHost);
}
catch (Exception arg)
{
Console.Error.WriteLine("ERROR processing certificate: {0}", arg);
Console.Error.WriteLine("Please, report this problem to the Mono team");
result = false;
}
return(result);
}
// RFC2818 - HTTP Over TLS, Section 3.1
// http://www.ietf.org/rfc/rfc2818.txt
//
// 1. if present MUST use subjectAltName dNSName as identity
// 1.1. if multiples entries a match of any one is acceptable
// 1.2. wildcard * is acceptable
// 2. URI may be an IP address -> subjectAltName.iPAddress
// 2.1. exact match is required
// 3. Use of the most specific Common Name (CN=) in the Subject
// 3.1 Existing practice but DEPRECATED
static bool CheckServerIdentity(Mono.Security.X509.X509Certificate cert, string targetHost)
{
try {
Mono.Security.X509.X509Extension ext = cert.Extensions ["2.5.29.17"];
// 1. subjectAltName
if (ext != null)
{
SubjectAltNameExtension subjectAltName = new SubjectAltNameExtension(ext);
// 1.1 - multiple dNSName
foreach (string dns in subjectAltName.DNSNames)
{
// 1.2 TODO - wildcard support
if (Match(targetHost, dns))
{
return(true);
}
}
// 2. ipAddress
foreach (string ip in subjectAltName.IPAddresses)
{
// 2.1. Exact match required
if (ip == targetHost)
{
return(true);
}
}
}
// 3. Common Name (CN=)
return(CheckDomainName(cert.SubjectName, targetHost));
} catch (Exception e) {
Console.Error.WriteLine("ERROR processing certificate: {0}", e);
Console.Error.WriteLine("Please, report this problem to the Mono team");
return(false);
}
}
static byte [] GetAuthorityKeyIdentifier (X509Extension ext)
{
if (ext == null)
return null;
AuthorityKeyIdentifierExtension aki = new AuthorityKeyIdentifierExtension (ext);
return aki.Identifier;
}
private void Save (string filename, X509Extension ext)
{
using (FileStream fs = File.OpenWrite (filename)) {
byte[] raw = ext.GetBytes ();
fs.Write (raw, 0, raw.Length);
fs.Close ();
}
}
public int Add (X509Extension extension)
{
if (extension == null)
throw new ArgumentNullException ("extension");
if (readOnly)
throw new NotSupportedException ("Extensions are read only");
return InnerList.Add (extension);
}
public void AddRange (X509Extension[] extension)
{
if (extension == null)
throw new ArgumentNullException ("extension");
if (readOnly)
throw new NotSupportedException ("Extensions are read only");
for (int i = 0; i < extension.Length; i++)
InnerList.Add (extension [i]);
}
public X509Extension (X509Extension extension) : this ()
{
if (extension == null)
throw new ArgumentNullException ("extension");
if ((extension.Value.Tag != 0x04) || (extension.Value.Count != 0))
throw new ArgumentException ("Invalid extension");
extnOid = extension.Oid;
extnCritical = extension.Critical;
extnValue = extension.Value;
Decode ();
}
public X509Extension (X509Extension extension)
{
if (extension == null)
throw new ArgumentNullException ("extension");
if ((extension.Value == null) || (extension.Value.Tag != 0x04) || (extension.Value.Count != 1))
throw new ArgumentException (Locale.GetText ("Invalid X.509 extension."));
extnOid = extension.Oid;
extnCritical = extension.Critical;
extnValue = extension.Value;
Decode ();
}
public X509ExtensionCollection (ASN1 asn1) : this ()
{
readOnly = true;
if (asn1 == null)
return;
if (asn1.Tag != 0x30)
throw new Exception ("Invalid extensions format");
for (int i=0; i < asn1.Count; i++) {
X509Extension extension = new X509Extension (asn1 [i]);
InnerList.Add (extension);
}
}
private static bool CheckServerIdentity(Mono.Security.X509.X509Certificate cert, string targetHost)
{
try
{
Mono.Security.X509.X509Extension x509Extension = cert.Extensions["2.5.29.17"];
if (x509Extension != null)
{
SubjectAltNameExtension subjectAltNameExtension = new SubjectAltNameExtension(x509Extension);
string[] dNSNames = subjectAltNameExtension.DNSNames;
foreach (string pattern in dNSNames)
{
if (Match(targetHost, pattern))
{
return(true);
}
}
string[] iPAddresses = subjectAltNameExtension.IPAddresses;
foreach (string a in iPAddresses)
{
if (a == targetHost)
{
return(true);
}
}
}
return(CheckDomainName(cert.SubjectName, targetHost));
IL_00a6:
bool result;
return(result);
}
catch (Exception arg)
{
Console.Error.WriteLine("ERROR processing certificate: {0}", arg);
Console.Error.WriteLine("Please, report this problem to the Mono team");
return(false);
IL_00d5:
bool result;
return(result);
}
}
static string GetAuthorityKeyIdentifier(MX.X509Extension ext)
{
if (ext == null)
{
return(String.Empty);
}
MX.Extensions.AuthorityKeyIdentifierExtension aki = new MX.Extensions.AuthorityKeyIdentifierExtension(ext);
byte[] id = aki.Identifier;
if (id == null)
{
return(String.Empty);
}
StringBuilder sb = new StringBuilder();
foreach (byte b in id)
{
sb.Append(b.ToString("X02"));
}
return(sb.ToString());
}
private string GetAuthorityKeyIdentifier(Mono.Security.X509.X509Extension ext)
{
if (ext == null)
{
return(string.Empty);
}
AuthorityKeyIdentifierExtension authorityKeyIdentifierExtension = new AuthorityKeyIdentifierExtension(ext);
byte[] identifier = authorityKeyIdentifierExtension.Identifier;
if (identifier == null)
{
return(string.Empty);
}
StringBuilder stringBuilder = new StringBuilder();
byte[] array = identifier;
for (int i = 0; i < array.Length; i++)
{
byte b = array[i];
stringBuilder.Append(b.ToString("X02"));
}
return(stringBuilder.ToString());
}
private byte[] GetUniqueName(X509ExtensionCollection extensions)
{
X509Extension extension = extensions["2.5.29.14"];
return(extension == null ? (byte[])null : new SubjectKeyIdentifierExtension(extension).Identifier);
}
public SubjectKeyIdentifierExtension (X509Extension extension) : base (extension)
{
}
public BasicConstraintsExtension (X509Extension extension) : base (extension) {}
public void Insert(int index, X509Extension extension)
{
}
static byte [] GetSubjectKeyIdentifier (X509Extension ext)
{
if (ext == null)
return null;
SubjectKeyIdentifierExtension ski = new SubjectKeyIdentifierExtension (ext);
return ski.Identifier;
}
public NetscapeCertTypeExtension (X509Extension extension) : base (extension)
{
}
public CertificatePoliciesExtension (X509Extension extension) : base (extension)
{
}
public AuthorityKeyIdentifierExtension (X509Extension extension) : base (extension)
{
}
public SubjectAltNameExtension (X509Extension extension)
: base (extension)
{
}
public void Remove (X509Extension extension)
{
if (extension == null)
throw new ArgumentNullException ("extension");
InnerList.Remove (extension);
}
public void Insert (int index, X509Extension extension)
{
if (extension == null)
throw new ArgumentNullException ("extension");
InnerList.Insert (index, extension);
}
public int IndexOf (X509Extension extension)
{
if (extension == null)
throw new ArgumentNullException ("extension");
for (int i=0; i < InnerList.Count; i++) {
X509Extension ex = (X509Extension) InnerList [i];
if (ex.Equals (extension))
return i;
}
return -1;
}
public void CopyTo (X509Extension[] extensions, int index)
{
if (extensions == null)
throw new ArgumentNullException ("extensions");
InnerList.CopyTo (extensions, index);
}
public bool Contains (X509Extension extension)
{
return (IndexOf (extension) != -1);
}
public CRLDistributionPointsExtension (X509Extension extension)
: base (extension)
{
}
public bool Contains(X509Extension extension)
{
return(IndexOf(extension) != -1);
}
public ExtendedKeyUsageExtension (X509Extension extension) : base (extension)
{
}
public PrivateKeyUsagePeriodExtension (X509Extension extension) : base (extension)
{
}
public KeyAttributesExtension (X509Extension extension) : base (extension)
{
}