/// <summary>
/// Decides whether the server certificate may be used with the key exchange
/// negotiated for this connection, based on its KeyUsage, ExtendedKeyUsage and
/// (as a last resort) Netscape cert-type extensions.
/// </summary>
/// <param name="cert">The certificate presented by the server.</param>
/// <returns>
/// <c>false</c> when an extension present on the certificate excludes the
/// negotiated exchange, or the exchange is Fortezza; <c>true</c> otherwise,
/// including for pre-v3 certificates and for v3 certificates that carry none
/// of the three extensions.
/// </returns>
private bool checkCertificateUsage(Mono.Security.X509.X509Certificate cert)
{
    // OIDs consulted below.
    const string oidKeyUsage = "2.5.29.15";
    const string oidExtendedKeyUsage = "2.5.29.37";
    const string oidNetscapeCertType = "2.16.840.1.113730.1.1";
    const string oidServerAuth = "1.3.6.1.5.5.7.3.1";
    const string oidNetscapeSgc = "2.16.840.1.113730.4.1";

    ClientContext ctx = (ClientContext)base.Context;

    // Versions 1 and 2 cannot carry extensions, so there is nothing to verify.
    if (cert.Version < 3)
    {
        return true;
    }

    // Map the negotiated exchange to the KeyUsage bit the certificate must assert.
    KeyUsages required = KeyUsages.none;
    ExchangeAlgorithmType exchange = ctx.Negotiating.Cipher.ExchangeAlgorithmType;
    if (exchange == ExchangeAlgorithmType.Fortezza)
    {
        return false; // never accepted
    }
    else if (exchange == ExchangeAlgorithmType.DiffieHellman)
    {
        required = KeyUsages.keyAgreement;
    }
    else if (exchange == ExchangeAlgorithmType.RsaKeyX)
    {
        required = KeyUsages.keyEncipherment;
    }
    else if (exchange == ExchangeAlgorithmType.RsaSign)
    {
        required = KeyUsages.digitalSignature;
    }

    Mono.Security.X509.X509Extension raw = cert.Extensions[oidKeyUsage];
    KeyUsageExtension ku = (raw != null) ? new KeyUsageExtension(raw) : null;
    raw = cert.Extensions[oidExtendedKeyUsage];
    ExtendedKeyUsageExtension eku = (raw != null) ? new ExtendedKeyUsageExtension(raw) : null;

    // When KeyUsage is present it must allow the required bit; when both
    // KeyUsage and ExtendedKeyUsage are present, both must pass.
    if (ku != null && !ku.Support(required))
    {
        return false;
    }
    if (eku != null)
    {
        // Server Authentication, or Netscape Server Gated Crypto.
        return eku.KeyPurpose.Contains(oidServerAuth)
            || eku.KeyPurpose.Contains(oidNetscapeSgc);
    }
    if (ku != null)
    {
        return true;
    }

    // Neither RFC extension present: fall back to the deprecated Netscape cert-type.
    raw = cert.Extensions[oidNetscapeCertType];
    if (raw != null)
    {
        return new NetscapeCertTypeExtension(raw).Support(NetscapeCertTypeExtension.CertTypes.SslServer);
    }

    // No usage information at all: accepted. NOTE(review): this is deliberately
    // lenient; presumably hostname validation happens elsewhere — confirm.
    return true;
}
/// <summary>
/// Verifies that the server certificate's usage extensions are compatible with
/// the key exchange negotiated for this connection.
/// </summary>
/// <param name="cert">The certificate presented by the server.</param>
/// <returns>
/// <c>false</c> if a KeyUsage / ExtendedKeyUsage / Netscape cert-type extension
/// excludes the negotiated exchange, or the exchange is Fortezza; <c>true</c>
/// otherwise (pre-v3 certificates and certificates without any of these
/// extensions are accepted).
/// </returns>
private bool checkCertificateUsage(Mono.Security.X509.X509Certificate cert)
{
    ClientContext clientCtx = (ClientContext)this.Context;

    if (cert.Version < 3)
    {
        return true; // v1/v2: no extensions to inspect
    }

    KeyUsages wanted;
    switch (clientCtx.Negotiating.Cipher.ExchangeAlgorithmType)
    {
        case ExchangeAlgorithmType.RsaSign:
            wanted = KeyUsages.digitalSignature;
            break;
        case ExchangeAlgorithmType.RsaKeyX:
            wanted = KeyUsages.keyEncipherment;
            break;
        case ExchangeAlgorithmType.DiffieHellman:
            wanted = KeyUsages.keyAgreement;
            break;
        case ExchangeAlgorithmType.Fortezza:
            return false;
        default:
            wanted = KeyUsages.none;
            break;
    }

    KeyUsageExtension kuExt = null;
    Mono.Security.X509.X509Extension kuRaw = cert.Extensions["2.5.29.15"];
    if (kuRaw != null)
    {
        kuExt = new KeyUsageExtension(kuRaw);
    }

    ExtendedKeyUsageExtension ekuExt = null;
    Mono.Security.X509.X509Extension ekuRaw = cert.Extensions["2.5.29.37"];
    if (ekuRaw != null)
    {
        ekuExt = new ExtendedKeyUsageExtension(ekuRaw);
    }

    if (kuExt == null && ekuExt == null)
    {
        // Neither RFC usage extension: last resort is the deprecated Netscape cert-type.
        // A certificate without even that is accepted.
        Mono.Security.X509.X509Extension nsRaw = cert.Extensions["2.16.840.1.113730.1.1"];
        return nsRaw == null
            || new NetscapeCertTypeExtension(nsRaw).Support(NetscapeCertTypeExtension.CertTypes.SslServer);
    }

    // KeyUsage, when present, must assert the bit for the negotiated exchange.
    bool kuOk = kuExt == null || kuExt.Support(wanted);
    if (!kuOk)
    {
        return false;
    }
    if (ekuExt == null)
    {
        return true;
    }

    // Server Authentication (1.3.6.1.5.5.7.3.1) or
    // Netscape Server Gated Crypto (2.16.840.1.113730.4.1).
    return ekuExt.KeyPurpose.Contains("1.3.6.1.5.5.7.3.1")
        || ekuExt.KeyPurpose.Contains("2.16.840.1.113730.4.1");
}
/// <summary>
/// Validates that a client certificate's usage extensions permit TLS client
/// authentication.
/// </summary>
/// <param name="cert">The certificate presented by the client.</param>
/// <returns>
/// <c>true</c> when the KeyUsage / ExtendedKeyUsage extensions (or, failing
/// those, the Netscape cert-type extension) allow client use; <c>false</c> when
/// they exclude it or when the certificate carries none of these extensions.
/// </returns>
private bool CheckClientCertificateExtensions(X509Certificate cert)
{
    // id-kp-clientAuth
    const string clientAuthOid = "1.3.6.1.5.5.7.3.2";

    // NOTE(review): KeyUsageExtension.Support() requires every bit of the
    // requested mask to be asserted, so a certificate must carry all three of
    // these bits to pass the KeyUsage branch — confirm this is the intent.
    KeyUsages needed = KeyUsages.digitalSignature
        | KeyUsages.keyEncipherment
        | KeyUsages.keyAgreement;

    X509Extension raw = cert.Extensions["2.5.29.15"];
    KeyUsageExtension kuExt = raw == null ? null : new KeyUsageExtension(raw);
    raw = cert.Extensions["2.5.29.37"];
    ExtendedKeyUsageExtension ekuExt = raw == null ? null : new ExtendedKeyUsageExtension(raw);

    bool hasKu = kuExt != null;
    bool hasEku = ekuExt != null;

    if (hasKu || hasEku)
    {
        // RFC 3280: when both extensions are present, both must be satisfied.
        if (hasKu && !kuExt.Support(needed))
        {
            return false;
        }
        return !hasEku || ekuExt.KeyPurpose.Contains(clientAuthOid);
    }

    // Last resort: the older (deprecated) Netscape cert-type extension.
    raw = cert.Extensions["2.16.840.1.113730.1.1"];
    if (raw != null)
    {
        NetscapeCertTypeExtension certType = new NetscapeCertTypeExtension(raw);
        return certType.Support(NetscapeCertTypeExtension.CertTypes.SslClient);
    }

    // No usage information at all: not acceptable for client use.
    return false;
}
/// <summary>
/// Checks a certificate's KeyUsage and ExtendedKeyUsage extensions against the
/// usage bits and key-purpose OID required by the caller.
/// </summary>
/// <param name="certificate">Certificate under test.</param>
/// <param name="keyUsages">KeyUsage bits that <c>KeyUsageExtension.Support</c> must accept when a KeyUsage extension is present.</param>
/// <param name="purpose">Key-purpose OID that must be listed when an ExtendedKeyUsage extension is present.</param>
/// <returns>
/// <c>false</c> only when a present extension excludes the requested usage;
/// <c>true</c> when the extensions permit it, when the certificate has no
/// extension set at all, or when neither of the two extensions is present.
/// </returns>
internal static bool VerifyKeyUsage(MX.X509Certificate certificate, KeyUsages keyUsages, string purpose)
{
    // No extension set: nothing can restrict the usage, so accept.
    if (certificate.Extensions == null)
    {
        return true;
    }

    var kuRaw = certificate.Extensions[OidKeyUsage];
    KeyUsageExtension kuExt = kuRaw != null ? new KeyUsageExtension(kuRaw) : null;
    var ekuRaw = certificate.Extensions[OidExtendedKeyUsage];
    ExtendedKeyUsageExtension ekuExt = ekuRaw != null ? new ExtendedKeyUsageExtension(ekuRaw) : null;

    // RFC 3280: if both extensions are present, both must pass.
    if (kuExt != null && !kuExt.Support(keyUsages))
    {
        return false;
    }
    if (ekuExt != null)
    {
        return ekuExt.KeyPurpose.Contains(purpose);
    }

    // Either KeyUsage alone passed, or neither extension is present.
    return true;
}
/// <summary>
/// Tests whether every bit in <paramref name="usage"/> is asserted by this
/// extension's key-usage bit string.
/// </summary>
/// <param name="usage">Key-usage bits to test for; all of them must be present.</param>
/// <returns><c>true</c> when no requested bit is missing from the extension.</returns>
public bool Support(KeyUsages usage)
{
    int wanted = Convert.ToInt32(usage, CultureInfo.InvariantCulture);
    // Same as (wanted & kubits) == wanted: no requested bit may be absent.
    return (wanted & ~kubits) == 0;
}
// Note: this method only works for RSA certificates.
// DH certificates require some changes — does anyone use one?
/// <summary>
/// Client-side check that the server certificate's usage extensions permit the
/// key exchange negotiated for this connection.
/// </summary>
/// <param name="cert">The certificate presented by the server.</param>
/// <returns>
/// <c>false</c> when a usage extension excludes the negotiated exchange or the
/// exchange is Fortezza; <c>true</c> otherwise — including pre-v3 certificates
/// and v3 certificates that carry no usage extension at all.
/// </returns>
private bool checkCertificateUsage(X509Certificate cert)
{
    ClientContext ctx = (ClientContext)this.Context;

    // Extensions exist only from v3 on; older certificates "must" be accepted
    // without proof.
    if (cert.Version < 3)
        return true;

    KeyUsages needed;
    switch (ctx.Negotiating.Cipher.ExchangeAlgorithmType)
    {
        case ExchangeAlgorithmType.Fortezza:
            return false; // unsupported certificate type
        case ExchangeAlgorithmType.DiffieHellman:
            needed = KeyUsages.keyAgreement;
            break;
        case ExchangeAlgorithmType.RsaKeyX:
            needed = KeyUsages.keyEncipherment;
            break;
        case ExchangeAlgorithmType.RsaSign:
            needed = KeyUsages.digitalSignature;
            break;
        default:
            needed = KeyUsages.none;
            break;
    }

    X509Extension raw = cert.Extensions["2.5.29.15"];
    KeyUsageExtension ku = raw == null ? null : new KeyUsageExtension(raw);
    raw = cert.Extensions["2.5.29.37"];
    ExtendedKeyUsageExtension eku = raw == null ? null : new ExtendedKeyUsageExtension(raw);

    if (ku != null || eku != null)
    {
        // RFC 3280: when both extensions are present, both must be satisfied.
        if (ku != null && !ku.Support(needed))
            return false;
        if (eku == null)
            return true;
        // Server Authentication (1.3.6.1.5.5.7.3.1) or
        // Netscape Server Gated Crypto (2.16.840.1.113730.4.1).
        return eku.KeyPurpose.Contains("1.3.6.1.5.5.7.3.1")
            || eku.KeyPurpose.Contains("2.16.840.1.113730.4.1");
    }

    // Last chance: the older (deprecated) Netscape cert-type extension.
    raw = cert.Extensions["2.16.840.1.113730.1.1"];
    if (raw != null)
        return new NetscapeCertTypeExtension(raw).Support(NetscapeCertTypeExtension.CertTypes.SslServer);

    // No usage information at all. Original rationale: if the CN matches the
    // host (checked later) the certificate is assumed to be meant for SSL/TLS,
    // e.g. the newer smtp.gmail.com certificate.
    return true;
}
/// <summary>
/// Server-side check that the client certificate's usage extensions permit TLS
/// client authentication under the negotiated key exchange.
/// </summary>
/// <param name="cert">The certificate presented by the client.</param>
/// <returns>
/// <c>true</c> when the extensions allow client use or the certificate predates
/// v3; <c>false</c> when they exclude it, the exchange is Fortezza, or no usage
/// extension of any kind is present.
/// </returns>
private bool checkCertificateUsage(X509Certificate cert)
{
    // id-kp-clientAuth
    const string clientAuthOid = "1.3.6.1.5.5.7.3.2";

    ServerContext ctx = (ServerContext)this.Context;

    // Extensions exist only from v3 on; older certificates "must" be accepted
    // without proof.
    if (cert.Version < 3)
    {
        return true;
    }

    KeyUsages needed = KeyUsages.none;
    ExchangeAlgorithmType exchange = ctx.Negotiating.Cipher.ExchangeAlgorithmType;
    if (exchange == ExchangeAlgorithmType.Fortezza)
    {
        return false; // unsupported certificate type
    }
    if (exchange == ExchangeAlgorithmType.DiffieHellman)
    {
        needed = KeyUsages.keyAgreement;
    }
    else if (exchange == ExchangeAlgorithmType.RsaSign || exchange == ExchangeAlgorithmType.RsaKeyX)
    {
        // Both RSA exchange flavours require digitalSignature from a client certificate.
        needed = KeyUsages.digitalSignature;
    }

    X509Extension raw = cert.Extensions["2.5.29.15"];
    KeyUsageExtension ku = raw == null ? null : new KeyUsageExtension(raw);
    raw = cert.Extensions["2.5.29.37"];
    ExtendedKeyUsageExtension eku = raw == null ? null : new ExtendedKeyUsageExtension(raw);

    if (ku != null || eku != null)
    {
        // RFC 3280: when both extensions are present, both must be satisfied.
        if (ku != null && !ku.Support(needed))
        {
            return false;
        }
        // Client Authentication (1.3.6.1.5.5.7.3.2).
        return eku == null || eku.KeyPurpose.Contains(clientAuthOid);
    }

    // Last chance: the older (deprecated) Netscape cert-type extension.
    raw = cert.Extensions["2.16.840.1.113730.1.1"];
    if (raw != null)
    {
        NetscapeCertTypeExtension certType = new NetscapeCertTypeExtension(raw);
        return certType.Support(NetscapeCertTypeExtension.CertTypes.SslClient);
    }

    // No usage information at all: the certificate is not valid for SSL client use.
    return false;
}
/// <summary>
/// Checks a certificate's KeyUsage and ExtendedKeyUsage extensions against the
/// caller-supplied usage bits and key-purpose OID.
/// </summary>
/// <param name="certificate">Certificate under test.</param>
/// <param name="keyUsages">KeyUsage bits that <c>KeyUsageExtension.Support</c> must accept when a KeyUsage extension is present.</param>
/// <param name="purpose">Key-purpose OID that must be listed when an ExtendedKeyUsage extension is present.</param>
/// <returns>
/// <c>false</c> only when a present extension excludes the requested usage;
/// <c>true</c> otherwise, including when the certificate has no extension set
/// or carries neither of the two extensions.
/// </returns>
internal static bool VerifyKeyUsage (MX.X509Certificate certificate, KeyUsages keyUsages, string purpose)
{
    // Nothing to restrict the usage: accept.
    if (certificate.Extensions == null)
        return true;

    KeyUsageExtension ku = null;
    var xt = certificate.Extensions [OidKeyUsage];
    if (xt != null)
        ku = new KeyUsageExtension (xt);

    ExtendedKeyUsageExtension eku = null;
    xt = certificate.Extensions [OidExtendedKeyUsage];
    if (xt != null)
        eku = new ExtendedKeyUsageExtension (xt);

    // RFC 3280: when both extensions are present, both must be satisfied.
    bool kuPasses = (ku == null) || ku.Support (keyUsages);
    if (!kuPasses)
        return false;

    // KeyUsage is absent or satisfied; ExtendedKeyUsage (if any) decides the rest.
    return (eku == null) || eku.KeyPurpose.Contains (purpose);
}
/// <summary>
/// Returns whether this extension asserts every bit in <paramref name="usage"/>.
/// </summary>
/// <param name="usage">Key-usage bits to test for; all must be present.</param>
/// <returns><c>true</c> when no requested bit is missing from the extension.</returns>
public bool Support (KeyUsages usage)
{
    int requested = Convert.ToInt32 (usage, CultureInfo.InvariantCulture);
    int present = requested & kubits;
    return present == requested;
}
/// <summary>
/// Returns whether this extension asserts every bit in <paramref name="usage"/>.
/// </summary>
/// <param name="usage">Key-usage bits to test for; all must be present.</param>
/// <returns><c>true</c> when no requested bit is missing from the extension.</returns>
public bool Support(KeyUsages usage)
{
    int mask = Convert.ToInt32(usage, CultureInfo.InvariantCulture);
    // Any requested bit not set in kubits survives the AND with ~kubits.
    return (mask & ~this.kubits) == 0;
}
/// <summary>
/// Returns whether this extension asserts every bit in <paramref name="usage"/>.
/// </summary>
/// <param name="usage">Key-usage bits to test for; all must be present.</param>
/// <returns><c>true</c> when no requested bit is missing from the extension.</returns>
public bool Support(KeyUsages usage)
{
    int requested = Convert.ToInt32(usage, CultureInfo.InvariantCulture);
    int granted = requested & this.kubits;
    return granted == requested;
}
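/// <summary>
/// Builds the wizard window: enumerates the available cryptographic providers and
/// their algorithms, seeds the validity-period pickers, fills the (extended)
/// key-usage option lists, and wires the sort order of the combo boxes.
/// </summary>
public CertWizard()
{
    InitializeComponent();

    // Enumerate every installed provider and record what it offers.
    CertEnroll.CCspInformations cspInfos = new CertEnroll.CCspInformations();
    cspInfos.AddAvailableCsps();
    foreach (CertEnroll.ICspInformation csp in cspInfos)
    {
        ProviderOptions.Add(csp.Name, DescribeProvider(csp));
    }

    // Default validity window: from now, for three years. Both values derive
    // from one timestamp so the two pickers agree exactly.
    DateTime now = DateTime.Now;
    oValidFromDatePicker.SelectedDate = now;
    oValidUntilDatePicker.SelectedDate = now.AddYears(3);

    // Extended key usage choices, displayed by the OID's friendly name.
    foreach (Oid eku in NativeMethods.GetExtendedKeyUsages())
    {
        // Oid.FriendlyName is null for OIDs the platform does not know; those
        // cannot be shown by name. The "sz"/"@" entries are known-problematic.
        string friendly = eku.FriendlyName;
        if (string.IsNullOrEmpty(friendly)
            || friendly.StartsWith("sz", StringComparison.Ordinal)
            || friendly.StartsWith("@", StringComparison.Ordinal))
        {
            continue;
        }
        EnhancedKeyUsages.Add(new EkuOption() { Name = friendly, Oid = eku.Value });
    }

    // Key usage choices: one per X509KeyUsageFlags member, with the enum name
    // split into words ("DigitalSignature" -> "Digital Signature") for display.
    foreach (string flagName in Enum.GetNames(typeof(X509KeyUsageFlags)))
    {
        EkuOption option = new EkuOption();
        option.Name = Regex.Replace(flagName, "(\\B[A-Z])", " $1");
        option.Oid = flagName;
        KeyUsages.Add(option);
    }

    // Sort the combo boxes.
    oProviderComboBox.Items.SortDescriptions.Add(new SortDescription("", ListSortDirection.Ascending));
    oKeyUsageCombobox.Items.SortDescriptions.Add(new SortDescription("Name", ListSortDirection.Ascending));
    oEnhancedKeyUsageCombobox.Items.SortDescriptions.Add(new SortDescription("Name", ListSortDirection.Ascending));

    oProviderType_Checked(null, null);

    // The machine store option is only offered to administrators. This is a UI
    // gate; the store itself still enforces its own access control.
    oCertificateStoreMachineRadio.IsEnabled = new WindowsPrincipal(WindowsIdentity.GetCurrent())
        .IsInRole(WindowsBuiltInRole.Administrator);
}

/// <summary>
/// Collects the hash and signature algorithms offered by one provider.
/// </summary>
/// <param name="csp">The provider to inspect.</param>
/// <returns>A populated <see cref="ProviderDetails"/> for display.</returns>
private static ProviderDetails DescribeProvider(CertEnroll.ICspInformation csp)
{
    ProviderDetails details = new ProviderDetails();
    details.IsHardware = csp.IsSmartCard || csp.IsHardwareDevice;
    details.IsLegacy = csp.LegacyCsp;

    foreach (CertEnroll.ICspAlgorithm alg in csp.CspAlgorithms)
    {
        // Special case: the generic "ECDSA" entry does not work, so drop it.
        if (string.Equals(alg.Name, "ECDSA", StringComparison.Ordinal))
        {
            continue;
        }

        if (alg.Type == CertEnroll.AlgorithmType.XCN_BCRYPT_HASH_INTERFACE)
        {
            if (!details.HashAlgorithmns.Contains(alg.Name))
            {
                details.HashAlgorithmns.Add(alg.Name);
            }
        }
        else if (alg.Type == CertEnroll.AlgorithmType.XCN_BCRYPT_SIGNATURE_INTERFACE
            || alg.Type == CertEnroll.AlgorithmType.XCN_BCRYPT_ASYMMETRIC_ENCRYPTION_INTERFACE)
        {
            if (!details.SignatureAlgorithmns.Contains(alg.Name))
            {
                details.SignatureAlgorithmns.Add(alg.Name);
                details.SignatureMinLengths.Add(alg.Name, alg.MinLength);
                details.SignatureMaxLengths.Add(alg.Name, alg.MaxLength);
            }
        }
    }

    // Names without "_" sort first, which puts RSA near the top.
    details.SignatureAlgorithmns = details.SignatureAlgorithmns
        .OrderBy(x => x.Contains("_"))
        .ThenBy(x => x)
        .ToList();
    return details;
}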