Exemple #1
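 // RFC2818 - HTTP Over TLS, Section 3.1
 // http://www.ietf.org/rfc/rfc2818.txt
 //
 // 1.	if present MUST use subjectAltName dNSName as identity
 // 1.1.		if multiple entries, a match of any one is acceptable
 // 1.2.		wildcard * is acceptable
 // 2.	URI may be an IP address -> subjectAltName.iPAddress
 // 2.1.		exact match is required
 // 3.	Use of the most specific Common Name (CN=) in the Subject
 // 3.1		Existing practice but DEPRECATED
 //
 // Returns true when targetHost matches an identity presented by cert and
 // false otherwise. Any exception raised while reading the certificate is
 // reported on stderr and treated as a mismatch, so the check fails closed.
 static bool CheckServerIdentity(MSX.X509Certificate cert, string targetHost)
 {
     try {
         // 2.5.29.17 is the OID of the subjectAltName extension.
         MSX.X509Extension ext = cert.Extensions ["2.5.29.17"];
         // Set as soon as one dNSName entry is seen, matching or not.
         bool hasDnsName = false;
         // 1. subjectAltName
         if (ext != null)
         {
             SubjectAltNameExtension subjectAltName = new SubjectAltNameExtension(ext);
             // 1.1 - multiple dNSName
             foreach (string dns in subjectAltName.DNSNames)
             {
                 hasDnsName = true;
                 // 1.2 TODO - wildcard support (whatever Match implements; not visible here)
                 if (Match(targetHost, dns))
                 {
                     return(true);
                 }
             }
             // 2. ipAddress
             foreach (string ip in subjectAltName.IPAddresses)
             {
                 // 2.1. Exact match required (ordinal comparison of the textual form)
                 if (ip == targetHost)
                 {
                     return(true);
                 }
             }
         }
         // Rule 1: when dNSName entries are present they ARE the identity.
         // Falling back to the Subject CN here would let a certificate whose
         // subjectAltName does not cover targetHost still be accepted.
         if (hasDnsName)
         {
             return(false);
         }
         // 3. Common Name (CN=) - only reached when no dNSName was presented
         return(CheckDomainName(cert.SubjectName, targetHost));
     } catch (Exception e) {
         Console.Error.WriteLine("ERROR processing certificate: {0}", e);
         Console.Error.WriteLine("Please, report this problem to the Mono team");
         return(false);
     }
 }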
Exemple #2
        // Renders the identifier carried by an authorityKeyIdentifier extension
        // as a hex string: two upper-case digits per byte, no separators.
        // Returns String.Empty when ext is null or when the parsed extension
        // exposes no identifier.
        static string GetAuthorityKeyIdentifier(MX.X509Extension ext)
        {
            // No extension supplied: there is nothing to render.
            if (ext == null)
            {
                return String.Empty;
            }

            byte[] keyId = new MX.Extensions.AuthorityKeyIdentifierExtension(ext).Identifier;
            if (keyId == null)
            {
                return String.Empty;
            }

            StringBuilder hex = new StringBuilder();
            for (int i = 0; i < keyId.Length; i++)
            {
                // "X02": upper-case hexadecimal, padded to two digits.
                hex.Append(keyId[i].ToString("X02"));
            }

            return hex.ToString();
        }