bool NetscapeCertType(MSX.PKCS12 pfx)
        {
            foreach (MSX.X509Certificate cert in pfx.Certificates)
            {
                MSX.X509Extension xtn = cert.Extensions ["2.16.840.1.113730.1.1"];
                if (xtn == null)
                {
                    continue;
                }

                var ct = new NetscapeCertTypeExtension(xtn);
                if (!ct.Support(NetscapeCertTypeExtension.CertTypes.SslServer))
                {
                    continue;
                }

                key = GetKeyMatchingCertificate(pfx, cert);
                if (key == null)
                {
                    continue;
                }

                x509 = new X509Certificate(cert.RawData);
                break;
            }

            // complete ?
            return((x509 != null) && (key != null));
        }
Example #2
0
        private bool checkCertificateUsage(Mono.Security.X509.X509Certificate cert)
        {
            ClientContext clientContext = (ClientContext)base.Context;

            if (cert.Version < 3)
            {
                return(true);
            }
            KeyUsages usage = KeyUsages.none;

            switch (clientContext.Negotiating.Cipher.ExchangeAlgorithmType)
            {
            case ExchangeAlgorithmType.DiffieHellman:
                usage = KeyUsages.keyAgreement;
                break;

            case ExchangeAlgorithmType.Fortezza:
                return(false);

            case ExchangeAlgorithmType.RsaKeyX:
                usage = KeyUsages.keyEncipherment;
                break;

            case ExchangeAlgorithmType.RsaSign:
                usage = KeyUsages.digitalSignature;
                break;
            }
            KeyUsageExtension         keyUsageExtension         = null;
            ExtendedKeyUsageExtension extendedKeyUsageExtension = null;

            Mono.Security.X509.X509Extension x509Extension = cert.Extensions["2.5.29.15"];
            if (x509Extension != null)
            {
                keyUsageExtension = new KeyUsageExtension(x509Extension);
            }
            x509Extension = cert.Extensions["2.5.29.37"];
            if (x509Extension != null)
            {
                extendedKeyUsageExtension = new ExtendedKeyUsageExtension(x509Extension);
            }
            if (keyUsageExtension != null && extendedKeyUsageExtension != null)
            {
                return(keyUsageExtension.Support(usage) && (extendedKeyUsageExtension.KeyPurpose.Contains("1.3.6.1.5.5.7.3.1") || extendedKeyUsageExtension.KeyPurpose.Contains("2.16.840.1.113730.4.1")));
            }
            if (keyUsageExtension != null)
            {
                return(keyUsageExtension.Support(usage));
            }
            if (extendedKeyUsageExtension != null)
            {
                return(extendedKeyUsageExtension.KeyPurpose.Contains("1.3.6.1.5.5.7.3.1") || extendedKeyUsageExtension.KeyPurpose.Contains("2.16.840.1.113730.4.1"));
            }
            x509Extension = cert.Extensions["2.16.840.1.113730.1.1"];
            if (x509Extension != null)
            {
                NetscapeCertTypeExtension netscapeCertTypeExtension = new NetscapeCertTypeExtension(x509Extension);
                return(netscapeCertTypeExtension.Support(NetscapeCertTypeExtension.CertTypes.SslServer));
            }
            return(true);
        }
Example #3
0
        private bool CheckClientCertificateExtensions(X509Certificate cert)
        {
            KeyUsages                 ku  = KeyUsages.digitalSignature | KeyUsages.keyEncipherment | KeyUsages.keyAgreement;
            KeyUsageExtension         kux = null;
            ExtendedKeyUsageExtension eku = null;

            X509Extension xtn = cert.Extensions["2.5.29.15"];

            if (xtn != null)
            {
                kux = new KeyUsageExtension(xtn);
            }

            xtn = cert.Extensions["2.5.29.37"];
            if (xtn != null)
            {
                eku = new ExtendedKeyUsageExtension(xtn);
            }

            if ((kux != null) && (eku != null))
            {
                // RFC3280 states that when both KeyUsageExtension and
                // ExtendedKeyUsageExtension are present then BOTH should
                // be valid
                return(kux.Support(ku) &&
                       eku.KeyPurpose.Contains("1.3.6.1.5.5.7.3.2"));
            }
            else if (kux != null)
            {
                return(kux.Support(ku));
            }
            else if (eku != null)
            {
                // Client Authentication (1.3.6.1.5.5.7.3.2)
                return(eku.KeyPurpose.Contains("1.3.6.1.5.5.7.3.2"));
            }

            // last chance - try with older (deprecated) Netscape extensions
            xtn = cert.Extensions["2.16.840.1.113730.1.1"];
            if (xtn != null)
            {
                NetscapeCertTypeExtension ct = new NetscapeCertTypeExtension(xtn);
                return(ct.Support(NetscapeCertTypeExtension.CertTypes.SslClient));
            }

            // certificate isn't valid for SSL client usage
            return(false);
        }
Example #4
0
        // Note: this method only works for RSA certificates
        // DH certificates requires some changes - does anyone use one ?
        private bool checkCertificateUsage(X509Certificate cert)
        {
            ClientContext context = (ClientContext)this.Context;

            // certificate extensions are required for this
            // we "must" accept older certificates without proofs
            if (cert.Version < 3)
            {
                return(true);
            }

            KeyUsages ku = KeyUsages.none;

            switch (context.Negotiating.Cipher.ExchangeAlgorithmType)
            {
            case ExchangeAlgorithmType.RsaSign:
                ku = KeyUsages.digitalSignature;
                break;

            case ExchangeAlgorithmType.RsaKeyX:
                ku = KeyUsages.keyEncipherment;
                break;

            case ExchangeAlgorithmType.DiffieHellman:
                ku = KeyUsages.keyAgreement;
                break;

            case ExchangeAlgorithmType.Fortezza:
                return(false);                        // unsupported certificate type
            }

            KeyUsageExtension         kux = null;
            ExtendedKeyUsageExtension eku = null;

            X509Extension xtn = cert.Extensions ["2.5.29.15"];

            if (xtn != null)
            {
                kux = new KeyUsageExtension(xtn);
            }

            xtn = cert.Extensions ["2.5.29.37"];
            if (xtn != null)
            {
                eku = new ExtendedKeyUsageExtension(xtn);
            }

            if ((kux != null) && (eku != null))
            {
                // RFC3280 states that when both KeyUsageExtension and
                // ExtendedKeyUsageExtension are present then BOTH should
                // be valid
                if (!kux.Support(ku))
                {
                    return(false);
                }
                return(eku.KeyPurpose.Contains("1.3.6.1.5.5.7.3.1") ||
                       eku.KeyPurpose.Contains("2.16.840.1.113730.4.1"));
            }
            else if (kux != null)
            {
                return(kux.Support(ku));
            }
            else if (eku != null)
            {
                // Server Authentication (1.3.6.1.5.5.7.3.1) or
                // Netscape Server Gated Crypto (2.16.840.1.113730.4)
                return(eku.KeyPurpose.Contains("1.3.6.1.5.5.7.3.1") ||
                       eku.KeyPurpose.Contains("2.16.840.1.113730.4.1"));
            }

            // last chance - try with older (deprecated) Netscape extensions
            xtn = cert.Extensions ["2.16.840.1.113730.1.1"];
            if (xtn != null)
            {
                NetscapeCertTypeExtension ct = new NetscapeCertTypeExtension(xtn);
                return(ct.Support(NetscapeCertTypeExtension.CertTypes.SslServer));
            }

            // if the CN=host (checked later) then we assume this is meant for SSL/TLS
            // e.g. the new smtp.gmail.com certificate
            return(true);
        }
        private bool checkCertificateUsage(X509Certificate cert)
        {
            ServerContext context = (ServerContext)this.Context;

            // certificate extensions are required for this
            // we "must" accept older certificates without proofs
            if (cert.Version < 3)
            {
                return(true);
            }

            KeyUsages ku = KeyUsages.none;

            switch (context.Negotiating.Cipher.ExchangeAlgorithmType)
            {
            case ExchangeAlgorithmType.RsaSign:
            case ExchangeAlgorithmType.RsaKeyX:
                ku = KeyUsages.digitalSignature;
                break;

            case ExchangeAlgorithmType.DiffieHellman:
                ku = KeyUsages.keyAgreement;
                break;

            case ExchangeAlgorithmType.Fortezza:
                return(false);                        // unsupported certificate type
            }

            KeyUsageExtension         kux = null;
            ExtendedKeyUsageExtension eku = null;

            X509Extension xtn = cert.Extensions["2.5.29.15"];

            if (xtn != null)
            {
                kux = new KeyUsageExtension(xtn);
            }

            xtn = cert.Extensions["2.5.29.37"];
            if (xtn != null)
            {
                eku = new ExtendedKeyUsageExtension(xtn);
            }

            if ((kux != null) && (eku != null))
            {
                // RFC3280 states that when both KeyUsageExtension and
                // ExtendedKeyUsageExtension are present then BOTH should
                // be valid
                return(kux.Support(ku) &&
                       eku.KeyPurpose.Contains("1.3.6.1.5.5.7.3.2"));
            }
            else if (kux != null)
            {
                return(kux.Support(ku));
            }
            else if (eku != null)
            {
                // Client Authentication (1.3.6.1.5.5.7.3.2)
                return(eku.KeyPurpose.Contains("1.3.6.1.5.5.7.3.2"));
            }

            // last chance - try with older (deprecated) Netscape extensions
            xtn = cert.Extensions["2.16.840.1.113730.1.1"];
            if (xtn != null)
            {
                NetscapeCertTypeExtension ct = new NetscapeCertTypeExtension(xtn);
                return(ct.Support(NetscapeCertTypeExtension.CertTypes.SslClient));
            }

            // certificate isn't valid for SSL server usage
            return(false);
        }