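/// <summary>
/// Reviews an encryption certificate: validity period at <paramref name="date"/>, key usage bits,
/// issuer/subject relation, key size and key type. When <paramref name="authCert"/> is supplied the
/// encryption certificate's signature is checked against it and the authentication certificate is
/// validated as issuer via <c>VerifyBoth</c>.
/// </summary>
/// <param name="encCert">The encryption certificate under review.</param>
/// <param name="authCert">
/// The authentication certificate expected to have signed <paramref name="encCert"/>. When
/// <c>null</c>, no signature check is done and <c>IssuerInfo</c> is left unset.
/// </param>
/// <param name="date">The point in time at which the validity period is evaluated.</param>
/// <param name="certs">Certificate store handed to <c>VerifyBoth</c> for validating the issuer.</param>
/// <param name="checkRevocation">Passed through to <c>VerifyBoth</c>; controls revocation checking of the issuer.</param>
/// <returns>
/// A <see cref="CertificateSecurityInformation"/> holding the encoded certificate and every
/// <c>CertSecurityViolation</c> found. Problems with the certificate are reported in
/// <c>securityViolations</c>, not thrown.
/// </returns>
public static CertificateSecurityInformation VerifyEnc(Org.BouncyCastle.X509.X509Certificate encCert, Org.BouncyCastle.X509.X509Certificate authCert, DateTime date, IX509Store certs, bool checkRevocation)
{
    CertificateSecurityInformation result = new CertificateSecurityInformation();
    result.Certificate = new X509Certificate2(encCert.GetEncoded());

    // Validity period: expired and not-yet-valid are reported as the same violation.
    try
    {
        encCert.CheckValidity(date);
    }
    catch (CertificateExpiredException)
    {
        result.securityViolations.Add(CertSecurityViolation.NotTimeValid);
    }
    catch (CertificateNotYetValidException)
    {
        result.securityViolations.Add(CertSecurityViolation.NotTimeValid);
    }

    // Key usage: bit 2 (keyEncipherment) and bit 3 (dataEncipherment) must both be set.
    // GetKeyUsage() returns null when the extension is absent; indexing it directly threw a
    // NullReferenceException, so a certificate without the extension is now reported as
    // NotValidForUsage instead (one violation per missing bit, as before).
    bool[] keyUsage = encCert.GetKeyUsage();
    int[] requiredKeyUsageBits = new int[] { 2, 3 };
    foreach (int bit in requiredKeyUsageBits)
    {
        if (keyUsage == null || bit >= keyUsage.Length || !keyUsage[bit])
        {
            result.securityViolations.Add(CertSecurityViolation.NotValidForUsage);
            trace.TraceEvent(TraceEventType.Warning, 0, "The key usage did not have the correct usage flag set");
        }
    }

    // Issuer/subject: the encryption certificate is expected to carry the same name as issuer
    // and subject; any other issuer is reported as a name-constraint violation.
    // NOTE(review): presumably because it is issued under the holder's own authentication
    // certificate — confirm against the issuing profile.
    if (!encCert.IssuerDN.Equivalent(encCert.SubjectDN, false))
    {
        result.securityViolations.Add(CertSecurityViolation.HasNotPermittedNameConstraint);
    }

    // Key size and key type, evaluated on a single read of the public key.
    var publicKey = encCert.GetPublicKey();
    if (!VerifyKeySize(publicKey, EteeActiveConfig.Unseal.MinimumEncryptionKeySize.AsymmerticRecipientKey))
    {
        result.securityViolations.Add(CertSecurityViolation.NotValidKeySize);
    }
    if (!(publicKey is RsaKeyParameters))
    {
        result.securityViolations.Add(CertSecurityViolation.NotValidKeyType);
    }

    if (authCert != null)
    {
        // Signature: Verify throws when the certificate does not verify under authCert's key;
        // that is reported as NotSignatureValid rather than propagated.
        try
        {
            encCert.Verify(authCert.GetPublicKey());
        }
        catch (InvalidKeyException)
        {
            result.securityViolations.Add(CertSecurityViolation.NotSignatureValid);
        }

        // Validate the authentication certificate as issuer; no caller-supplied CRLs or
        // OCSP responses are passed along.
        result.IssuerInfo = VerifyBoth(authCert, date, certs, new List<CertificateList>(0), new List<BasicOcspResponse>(0), checkRevocation, false);
    }
    // Without authCert nothing is signature-checked: callers are assumed to pass authCert for a
    // third party's certificate, while for our own encryption certificate only the checks above
    // matter.

    return result;
}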