bool NetscapeCertType(MSX.PKCS12 pfx)
{
foreach (MSX.X509Certificate cert in pfx.Certificates)
{
MSX.X509Extension xtn = cert.Extensions ["2.16.840.1.113730.1.1"];
if (xtn == null)
{
continue;
}
var ct = new NetscapeCertTypeExtension(xtn);
if (!ct.Support(NetscapeCertTypeExtension.CertTypes.SslServer))
{
continue;
}
key = GetKeyMatchingCertificate(pfx, cert);
if (key == null)
{
continue;
}
x509 = new X509Certificate(cert.RawData);
break;
}
// complete ?
return((x509 != null) && (key != null));
}
private bool checkCertificateUsage(Mono.Security.X509.X509Certificate cert)
{
ClientContext clientContext = (ClientContext)base.Context;
if (cert.Version < 3)
{
return(true);
}
KeyUsages usage = KeyUsages.none;
switch (clientContext.Negotiating.Cipher.ExchangeAlgorithmType)
{
case ExchangeAlgorithmType.DiffieHellman:
usage = KeyUsages.keyAgreement;
break;
case ExchangeAlgorithmType.Fortezza:
return(false);
case ExchangeAlgorithmType.RsaKeyX:
usage = KeyUsages.keyEncipherment;
break;
case ExchangeAlgorithmType.RsaSign:
usage = KeyUsages.digitalSignature;
break;
}
KeyUsageExtension keyUsageExtension = null;
ExtendedKeyUsageExtension extendedKeyUsageExtension = null;
Mono.Security.X509.X509Extension x509Extension = cert.Extensions["2.5.29.15"];
if (x509Extension != null)
{
keyUsageExtension = new KeyUsageExtension(x509Extension);
}
x509Extension = cert.Extensions["2.5.29.37"];
if (x509Extension != null)
{
extendedKeyUsageExtension = new ExtendedKeyUsageExtension(x509Extension);
}
if (keyUsageExtension != null && extendedKeyUsageExtension != null)
{
return(keyUsageExtension.Support(usage) && (extendedKeyUsageExtension.KeyPurpose.Contains("1.3.6.1.5.5.7.3.1") || extendedKeyUsageExtension.KeyPurpose.Contains("2.16.840.1.113730.4.1")));
}
if (keyUsageExtension != null)
{
return(keyUsageExtension.Support(usage));
}
if (extendedKeyUsageExtension != null)
{
return(extendedKeyUsageExtension.KeyPurpose.Contains("1.3.6.1.5.5.7.3.1") || extendedKeyUsageExtension.KeyPurpose.Contains("2.16.840.1.113730.4.1"));
}
x509Extension = cert.Extensions["2.16.840.1.113730.1.1"];
if (x509Extension != null)
{
NetscapeCertTypeExtension netscapeCertTypeExtension = new NetscapeCertTypeExtension(x509Extension);
return(netscapeCertTypeExtension.Support(NetscapeCertTypeExtension.CertTypes.SslServer));
}
return(true);
}
private bool CheckClientCertificateExtensions(X509Certificate cert)
{
KeyUsages ku = KeyUsages.digitalSignature | KeyUsages.keyEncipherment | KeyUsages.keyAgreement;
KeyUsageExtension kux = null;
ExtendedKeyUsageExtension eku = null;
X509Extension xtn = cert.Extensions["2.5.29.15"];
if (xtn != null)
{
kux = new KeyUsageExtension(xtn);
}
xtn = cert.Extensions["2.5.29.37"];
if (xtn != null)
{
eku = new ExtendedKeyUsageExtension(xtn);
}
if ((kux != null) && (eku != null))
{
// RFC3280 states that when both KeyUsageExtension and
// ExtendedKeyUsageExtension are present then BOTH should
// be valid
return(kux.Support(ku) &&
eku.KeyPurpose.Contains("1.3.6.1.5.5.7.3.2"));
}
else if (kux != null)
{
return(kux.Support(ku));
}
else if (eku != null)
{
// Client Authentication (1.3.6.1.5.5.7.3.2)
return(eku.KeyPurpose.Contains("1.3.6.1.5.5.7.3.2"));
}
// last chance - try with older (deprecated) Netscape extensions
xtn = cert.Extensions["2.16.840.1.113730.1.1"];
if (xtn != null)
{
NetscapeCertTypeExtension ct = new NetscapeCertTypeExtension(xtn);
return(ct.Support(NetscapeCertTypeExtension.CertTypes.SslClient));
}
// certificate isn't valid for SSL client usage
return(false);
}
// Note: this method only works for RSA certificates
// DH certificates requires some changes - does anyone use one ?
private bool checkCertificateUsage(X509Certificate cert)
{
ClientContext context = (ClientContext)this.Context;
// certificate extensions are required for this
// we "must" accept older certificates without proofs
if (cert.Version < 3)
{
return(true);
}
KeyUsages ku = KeyUsages.none;
switch (context.Negotiating.Cipher.ExchangeAlgorithmType)
{
case ExchangeAlgorithmType.RsaSign:
ku = KeyUsages.digitalSignature;
break;
case ExchangeAlgorithmType.RsaKeyX:
ku = KeyUsages.keyEncipherment;
break;
case ExchangeAlgorithmType.DiffieHellman:
ku = KeyUsages.keyAgreement;
break;
case ExchangeAlgorithmType.Fortezza:
return(false); // unsupported certificate type
}
KeyUsageExtension kux = null;
ExtendedKeyUsageExtension eku = null;
X509Extension xtn = cert.Extensions ["2.5.29.15"];
if (xtn != null)
{
kux = new KeyUsageExtension(xtn);
}
xtn = cert.Extensions ["2.5.29.37"];
if (xtn != null)
{
eku = new ExtendedKeyUsageExtension(xtn);
}
if ((kux != null) && (eku != null))
{
// RFC3280 states that when both KeyUsageExtension and
// ExtendedKeyUsageExtension are present then BOTH should
// be valid
if (!kux.Support(ku))
{
return(false);
}
return(eku.KeyPurpose.Contains("1.3.6.1.5.5.7.3.1") ||
eku.KeyPurpose.Contains("2.16.840.1.113730.4.1"));
}
else if (kux != null)
{
return(kux.Support(ku));
}
else if (eku != null)
{
// Server Authentication (1.3.6.1.5.5.7.3.1) or
// Netscape Server Gated Crypto (2.16.840.1.113730.4)
return(eku.KeyPurpose.Contains("1.3.6.1.5.5.7.3.1") ||
eku.KeyPurpose.Contains("2.16.840.1.113730.4.1"));
}
// last chance - try with older (deprecated) Netscape extensions
xtn = cert.Extensions ["2.16.840.1.113730.1.1"];
if (xtn != null)
{
NetscapeCertTypeExtension ct = new NetscapeCertTypeExtension(xtn);
return(ct.Support(NetscapeCertTypeExtension.CertTypes.SslServer));
}
// if the CN=host (checked later) then we assume this is meant for SSL/TLS
// e.g. the new smtp.gmail.com certificate
return(true);
}
private bool checkCertificateUsage(X509Certificate cert)
{
ServerContext context = (ServerContext)this.Context;
// certificate extensions are required for this
// we "must" accept older certificates without proofs
if (cert.Version < 3)
{
return(true);
}
KeyUsages ku = KeyUsages.none;
switch (context.Negotiating.Cipher.ExchangeAlgorithmType)
{
case ExchangeAlgorithmType.RsaSign:
case ExchangeAlgorithmType.RsaKeyX:
ku = KeyUsages.digitalSignature;
break;
case ExchangeAlgorithmType.DiffieHellman:
ku = KeyUsages.keyAgreement;
break;
case ExchangeAlgorithmType.Fortezza:
return(false); // unsupported certificate type
}
KeyUsageExtension kux = null;
ExtendedKeyUsageExtension eku = null;
X509Extension xtn = cert.Extensions["2.5.29.15"];
if (xtn != null)
{
kux = new KeyUsageExtension(xtn);
}
xtn = cert.Extensions["2.5.29.37"];
if (xtn != null)
{
eku = new ExtendedKeyUsageExtension(xtn);
}
if ((kux != null) && (eku != null))
{
// RFC3280 states that when both KeyUsageExtension and
// ExtendedKeyUsageExtension are present then BOTH should
// be valid
return(kux.Support(ku) &&
eku.KeyPurpose.Contains("1.3.6.1.5.5.7.3.2"));
}
else if (kux != null)
{
return(kux.Support(ku));
}
else if (eku != null)
{
// Client Authentication (1.3.6.1.5.5.7.3.2)
return(eku.KeyPurpose.Contains("1.3.6.1.5.5.7.3.2"));
}
// last chance - try with older (deprecated) Netscape extensions
xtn = cert.Extensions["2.16.840.1.113730.1.1"];
if (xtn != null)
{
NetscapeCertTypeExtension ct = new NetscapeCertTypeExtension(xtn);
return(ct.Support(NetscapeCertTypeExtension.CertTypes.SslClient));
}
// certificate isn't valid for SSL server usage
return(false);
}
