public static void VerifyCACert(X509Certificate2 cert, string subject, int pathLengthConstraint)
{
TestContext.Out.WriteLine($"{nameof(VerifyCACert)}:");
Assert.NotNull(cert);
TestContext.Out.WriteLine(cert);
Assert.False(cert.HasPrivateKey);
Assert.True(X509Utils.CompareDistinguishedName(subject, cert.Subject));
Assert.True(X509Utils.CompareDistinguishedName(subject, cert.Issuer));
// test basic constraints
var constraints = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert);
Assert.NotNull(constraints);
TestContext.Out.WriteLine(constraints.Format(true));
Assert.True(constraints.Critical);
Assert.True(constraints.CertificateAuthority);
if (pathLengthConstraint < 0)
{
Assert.False(constraints.HasPathLengthConstraint);
}
else
{
Assert.True(constraints.HasPathLengthConstraint);
Assert.AreEqual(pathLengthConstraint, constraints.PathLengthConstraint);
}
// key usage
var keyUsage = X509Extensions.FindExtension <X509KeyUsageExtension>(cert);
Assert.NotNull(keyUsage);
TestContext.Out.WriteLine(keyUsage.Format(true));
Assert.True(keyUsage.Critical);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.CrlSign) == X509KeyUsageFlags.CrlSign);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DataEncipherment) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DecipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DigitalSignature) == X509KeyUsageFlags.DigitalSignature);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.EncipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyAgreement) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyCertSign) == X509KeyUsageFlags.KeyCertSign);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyEncipherment) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.NonRepudiation) == 0);
// enhanced key usage
X509EnhancedKeyUsageExtension enhancedKeyUsage = X509Extensions.FindExtension <X509EnhancedKeyUsageExtension>(cert);
Assert.Null(enhancedKeyUsage);
// test for authority key
X509AuthorityKeyIdentifierExtension authority = X509Extensions.FindExtension <X509AuthorityKeyIdentifierExtension>(cert);
Assert.NotNull(authority);
TestContext.Out.WriteLine(authority.Format(true));
Assert.NotNull(authority.SerialNumber);
Assert.NotNull(authority.GetSerialNumber());
Assert.NotNull(authority.KeyIdentifier);
Assert.NotNull(authority.Issuer);
Assert.NotNull(authority.ToString());
Assert.AreEqual(authority.SerialNumber, Utils.ToHexString(authority.GetSerialNumber(), true));
// verify authority key in signed cert
X509SubjectKeyIdentifierExtension subjectKeyId = X509Extensions.FindExtension <X509SubjectKeyIdentifierExtension>(cert);
TestContext.Out.WriteLine(subjectKeyId.Format(true));
Assert.AreEqual(subjectKeyId.SubjectKeyIdentifier, authority.KeyIdentifier);
Assert.AreEqual(cert.SerialNumber, authority.SerialNumber);
Assert.AreEqual(cert.GetSerialNumber(), authority.GetSerialNumber());
X509SubjectAltNameExtension subjectAlternateName = X509Extensions.FindExtension <X509SubjectAltNameExtension>(cert);
Assert.Null(subjectAlternateName);
}