/// Validates that the certificate provided is a CA certificate.
/// </summary>
/// <param name="certificate">The certificate to validate.</param>
/// <param name="certificationPathLength">The allowed certification path length.</param>
/// <returns><c>null</c> if the certificate info does not allow to determine the CA status;
/// otherwise, a boolean value indicating the CA status.</null></returns>
private static bool?IsCA(Org.BouncyCastle.X509.X509Certificate certificate, out int certificationPathLength)
{
// If certificate version equal to 3 then the isCA property can be retrieved.
if (certificate.Version == 3)
{
// A value of -1 indicates certificate is not a CA.
// A value of Integer.MAX_VALUE indicates there is no limit on the allowed length of the certification path.
certificationPathLength = certificate.GetBasicConstraints();
return(certificationPathLength != -1);
}
certificationPathLength = -1;
return(null);
}
internal static void ProcessAttrCert3(
X509Certificate acIssuerCert,
PkixParameters pkixParams)
{
if (acIssuerCert.GetKeyUsage() != null
&& (!acIssuerCert.GetKeyUsage()[0] && !acIssuerCert.GetKeyUsage()[1]))
{
throw new PkixCertPathValidatorException(
"Attribute certificate issuer public key cannot be used to validate digital signatures.");
}
if (acIssuerCert.GetBasicConstraints() != -1)
{
throw new PkixCertPathValidatorException(
"Attribute certificate issuer is also a public key certificate issuer.");
}
}
