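/// <summary>
/// Verifies that a certificate whose Extended Key Usage (EKU) extension is present
/// but does not list serverAuth is rejected when offered as the server certificate,
/// and that the rejection message names the certificate by thumbprint.
/// </summary>
/// <param name="testCertName">Name of the test certificate resource to load.</param>
public void ThrowsForCertificatesMissingServerEku(string testCertName)
{
    var certPath = TestResources.GetCertPath(testCertName);
    _output.WriteLine("Loading " + certPath);

    // X509Certificate2 wraps a native handle; dispose it so the test does not leak it.
    // The adapter constructor is expected to throw, so nothing else holds the cert.
    using (var cert = new X509Certificate2(certPath, "testPassword"))
    {
        // Precondition for the test to be meaningful: the EKU extension must exist
        // and be non-empty, otherwise the cert would be accepted for all usages.
        Assert.NotEmpty(cert.Extensions);
        var eku = Assert.Single(cert.Extensions.OfType<X509EnhancedKeyUsageExtension>());
        Assert.NotEmpty(eku.EnhancedKeyUsages);

        var ex = Assert.Throws<InvalidOperationException>(() => new HttpsConnectionAdapter(new HttpsConnectionAdapterOptions
        {
            ServerCertificate = cert,
        }));
        Assert.Equal(HttpsStrings.FormatInvalidServerCertificateEku(cert.Thumbprint), ex.Message);
    }
}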
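/// <summary>
/// Rejects a certificate that carries an Extended Key Usage (EKU) extension which
/// does not include the serverAuth purpose (1.3.6.1.5.5.7.3.1).
/// </summary>
/// <param name="certificate">The certificate to validate for use as a TLS server certificate.</param>
/// <exception cref="InvalidOperationException">
/// Thrown when at least one EKU extension is present and none of them lists serverAuth.
/// </exception>
private static void EnsureCertificateIsAllowedForServerAuth(X509Certificate2 certificate)
{
    /* If the Extended Key Usage extension is included, then we check that the serverAuth usage is included. (http://oid-info.com/get/1.3.6.1.5.5.7.3.1)
     * If the Extended Key Usage extension is not included, then we assume the certificate is allowed for all usages.
     *
     * See also https://blogs.msdn.microsoft.com/kaushal/2012/02/17/client-certificates-vs-server-certificates/
     *
     * From https://tools.ietf.org/html/rfc3280#section-4.2.1.13 "Certificate Extensions: Extended Key Usage"
     *
     * If the (Extended Key Usage) extension is present, then the certificate MUST only be used
     * for one of the purposes indicated. If multiple purposes are
     * indicated the application need not recognize all purposes indicated,
     * as long as the intended purpose is present. Certificate using
     * applications MAY require that a particular purpose be indicated in
     * order for the certificate to be acceptable to that application.
     */
    var hasEkuExtension = false;
    foreach (var extension in certificate.Extensions.OfType<X509EnhancedKeyUsageExtension>())
    {
        hasEkuExtension = true;
        foreach (var oid in extension.EnhancedKeyUsages)
        {
            // Oid.Value can be null for an OID the runtime could not parse; the static
            // overload compares a null value safely instead of throwing NullReferenceException.
            if (string.Equals(oid.Value, ServerAuthenticationOid, StringComparison.Ordinal))
            {
                return;
            }
        }
    }

    // An EKU extension was present but serverAuth was never found: refuse the certificate.
    if (hasEkuExtension)
    {
        throw new InvalidOperationException(HttpsStrings.FormatInvalidServerCertificateEku(certificate.Thumbprint));
    }
}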