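/// <summary>
/// Checks a peer certificate against one TLSA record, applying the PKIX requirements that
/// belong to the record's certificate usage (RFC 6698 / RFC 7671).
/// </summary>
/// <param name="tlsaRecord">The TLSA record to match against.</param>
/// <param name="certificate">End-entity certificate presented by the peer; may be null when none was sent.</param>
/// <param name="chain">Chain the TLS stack built for <paramref name="certificate"/> (element 0 is the end entity); may be null.</param>
/// <param name="sslPolicyErrors">PKIX / name-check verdict reported by the TLS stack for that chain.</param>
/// <returns>
/// <c>true</c> when the record matches the end entity (EE usages) or some certificate in the chain
/// (TA usages) and the usage's PKIX requirements hold; otherwise <c>false</c>.
/// </returns>
/// <exception cref="NotSupportedException">The record carries a certificate usage this method does not implement.</exception>
private bool ValidateCertificateByTlsa(TlsaRecord tlsaRecord, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    // No peer certificate means nothing can match; return before the matching helper
    // dereferences it (the TLS stack also reports RemoteCertificateNotAvailable here).
    if (certificate == null)
    {
        return false;
    }

    switch (tlsaRecord.CertificateUsage)
    {
        case TlsaRecord.TlsaCertificateUsage.PkixTA:
            // Usage 0: full PKIX validation (trust store, names, validity) must succeed AND
            // the record must match some certificate in the validated chain.
            return sslPolicyErrors == SslPolicyErrors.None
                && MatchesAnyChainElement(tlsaRecord, chain);

        case TlsaRecord.TlsaCertificateUsage.PkixEE:
            // Usage 1: full PKIX validation must succeed AND the record must match the
            // end-entity certificate itself.
            return sslPolicyErrors == SslPolicyErrors.None
                && ValidateCertificateByTlsa(tlsaRecord, certificate);

        case TlsaRecord.TlsaCertificateUsage.DaneTA:
            // Usage 2: the record designates the trust anchor, so the system trust store is
            // deliberately not required to know it -- but the path from the end entity up to
            // that anchor still has to verify (signatures, validity dates, revocation).
            // Previously every cause of RemoteCertificateChainErrors was waved through, which
            // also accepted chains with NotSignatureValid / NotTimeValid / Revoked status as
            // long as the anchor certificate appeared somewhere in the chain. Now only the
            // status flags that stem from the anchor being unknown to the system are tolerated.
            // Name mismatch and a missing certificate remain fatal, as before.
            return (sslPolicyErrors & ~SslPolicyErrors.RemoteCertificateChainErrors) == SslPolicyErrors.None
                && HasOnlyTrustAnchorChainErrors(chain)
                && MatchesAnyChainElement(tlsaRecord, chain);

        case TlsaRecord.TlsaCertificateUsage.DaneEE:
            // Usage 3: the record pins the end-entity certificate itself, so chain validation
            // is not required (RFC 7671 section 5.1). Any other policy error -- name mismatch,
            // certificate not available -- still fails, as in the original implementation.
            return (sslPolicyErrors & ~SslPolicyErrors.RemoteCertificateChainErrors) == SslPolicyErrors.None
                && ValidateCertificateByTlsa(tlsaRecord, certificate);

        default:
            throw new NotSupportedException("TLSA certificate usage " + tlsaRecord.CertificateUsage + " is not supported.");
    }
}

/// <summary>
/// True when some element of <paramref name="chain"/> matches the TLSA record.
/// Note that ChainElements includes the end entity at index 0, so a TA-usage record that
/// happens to match the leaf is accepted here as well (unchanged from the original behaviour).
/// </summary>
private bool MatchesAnyChainElement(TlsaRecord tlsaRecord, X509Chain chain)
{
    if (chain == null)
    {
        return false;
    }

    return chain.ChainElements
        .Cast<X509ChainElement>()
        .Any(element => ValidateCertificateByTlsa(tlsaRecord, element.Certificate));
}

/// <summary>
/// True when every chain-status entry is explained solely by the trust anchor not being in the
/// system store: an untrusted (self-signed) root, or a partial chain because the anchor is an
/// intermediate whose issuer is unknown (RFC 7671 section 5.2.2). Any other flag -- bad
/// signature, expiry, revocation, unknown revocation status -- is treated as a failure, exactly
/// as it would be for the PKIX usages.
/// </summary>
private static bool HasOnlyTrustAnchorChainErrors(X509Chain chain)
{
    if (chain == null)
    {
        return false;
    }

    // NOTE(review): validity dates of the anchor certificate itself are enforced here too;
    // confirm against RFC 7671 section 5.2 whether NotTimeValid on the anchor should be tolerated.
    const X509ChainStatusFlags tolerated = X509ChainStatusFlags.UntrustedRoot | X509ChainStatusFlags.PartialChain;

    return chain.ChainStatus.All(status => (status.Status & ~tolerated) == X509ChainStatusFlags.NoError);
}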
/// <summary>
/// Tests whether <paramref name="certificate"/> matches a single TLSA record, ignoring the
/// record's certificate usage (the PKIX requirements per usage are the caller's job).
/// </summary>
/// <param name="tlsaRecord">Record whose selector, matching type and association data are applied.</param>
/// <param name="certificate">Certificate from which the association data is derived.</param>
/// <returns><c>true</c> when the data derived from the certificate equals the record's association data.</returns>
private bool ValidateCertificateByTlsa(TlsaRecord tlsaRecord, X509Certificate certificate)
{
    // Reduce the certificate to the form the record asks for (selector + matching type).
    var derived = TlsaRecord.GetCertificateAssocicationData(tlsaRecord.Selector, tlsaRecord.MatchingType, certificate);
    var published = tlsaRecord.CertificateAssociationData;

    // Both sides are public DNS data, so an ordinary (non-constant-time) comparison is acceptable.
    return Enumerable.SequenceEqual(derived, published);
}