// Adapted to System 2.0+ from TlsServerCertificate.cs
//------------------------------
// Decides whether a certificate's usage extensions allow it to act as a TLS
// server certificate.
//
// Note: this method only works for RSA certificates.
// DH certificates would require some changes - does anyone use one ?
//
// Scope: only usage extensions are inspected here. Nothing in this method
// looks at the chain, the validity period or the host name.
//
// Outcome by case:
//   - certificate version below 3 ......... accepted (no extension check at all)
//   - KeyUsage present .................... must share at least one bit with s_flags
//   - ExtendedKeyUsage present ............ must list Server Authentication or Netscape SGC
//   - both present ........................ both conditions must hold (RFC3280)
//   - only Netscape cert-type present ..... text must contain "SSL Server Authentication"
//   - none of these extensions present .... accepted
//   - any exception ....................... logged, then rejected
private static bool CheckCertificateUsage(X509Certificate2 cert)
{
    const string keyUsageOid = "2.5.29.15";
    const string extendedKeyUsageOid = "2.5.29.37";
    const string serverAuthOid = "1.3.6.1.5.5.7.3.1";            // Server Authentication
    const string netscapeSgcOid = "2.16.840.1.113730.4.1";       // Netscape Server Gated Crypto
    const string netscapeCertTypeOid = "2.16.840.1.113730.1.1";  // older (deprecated) Netscape cert-type

    try
    {
        // Certificate extensions are required for the checks below; older
        // certificates carry no such proof and "must" still be accepted.
        // This is a deliberate accept-by-default path for pre-v3 certificates.
        if (cert.Version < 3)
        {
            return true;
        }

        // NOTE(review): "as" yields null when the extension is present but is
        // not exposed as the typed class, in which case it is treated exactly
        // like a missing extension - confirm the runtime always returns the
        // typed classes for these two OIDs.
        X509KeyUsageExtension keyUsage = cert.Extensions[keyUsageOid] as X509KeyUsageExtension;
        X509EnhancedKeyUsageExtension extendedUsage = cert.Extensions[extendedKeyUsageOid] as X509EnhancedKeyUsageExtension;

        // A KeyUsage extension that shares no bit with s_flags (declared
        // outside this method) rejects the certificate, whether or not an
        // ExtendedKeyUsage extension is also present.
        if (keyUsage != null && (keyUsage.KeyUsages & s_flags) == 0)
        {
            return false;
        }

        // RFC3280: when both extensions are present BOTH have to be valid, so
        // a KeyUsage that passed above does not excuse a failing EKU here.
        if (extendedUsage != null)
        {
            return extendedUsage.EnhancedKeyUsages[serverAuthOid] != null
                || extendedUsage.EnhancedKeyUsages[netscapeSgcOid] != null;
        }

        // KeyUsage alone, and it already passed the flag test.
        if (keyUsage != null)
        {
            return true;
        }

        // Last chance - fall back to the deprecated Netscape cert-type extension.
        X509Extension netscapeType = cert.Extensions[netscapeCertTypeOid];
        if (netscapeType == null)
        {
            // No usage information of any kind: accepted by default.
            return true;
        }

        // NetscapeCertType is a helper declared elsewhere; the meaning of its
        // boolean argument is not visible from this method.
        string description = netscapeType.NetscapeCertType(false);
        return description.IndexOf("SSL Server Authentication", StringComparison.Ordinal) >= 0;
    }
    catch (Exception ex)
    {
        // Any failure while reading the certificate (including a null cert)
        // is reported and treated as a rejection.
#if SSHARP
        ErrorLog.Error("ERROR processing certificate: {0}", ex);
        ErrorLog.Error("Please, report this problem to the Mono team");
#else
        Console.Error.WriteLine("ERROR processing certificate: {0}", ex);
        Console.Error.WriteLine("Please, report this problem to the Mono team");
#endif
        return false;
    }
}