public void WrongExtension_X509EnhancedKeyUsageExtension()
{
X509EnhancedKeyUsageExtension eku = new X509EnhancedKeyUsageExtension();
X509KeyUsageExtension ku = new X509KeyUsageExtension();
ku.CopyFrom(eku);
}
public void WrongAsnEncodedData()
{
AsnEncodedData aed = new AsnEncodedData(new byte[0]);
X509KeyUsageExtension ku = new X509KeyUsageExtension(X509KeyUsageFlags.CrlSign, true);
ku.CopyFrom(aed); // note: not the same behaviour than using the constructor!
}
private static unsafe int VerifyCertificate(X509Certificate2 certificate, X509Certificate2Collection extraStore)
{
int num;
int num2 = System.Security.Cryptography.X509Certificates.X509Utils.VerifyCertificate(System.Security.Cryptography.X509Certificates.X509Utils.GetCertContext(certificate), null, null, X509RevocationMode.Online, X509RevocationFlag.ExcludeRoot, DateTime.Now, new TimeSpan(0, 0, 0), extraStore, new IntPtr(1L), new IntPtr((void *)&num));
if (num2 != 0)
{
return(num);
}
X509ExtensionEnumerator enumerator = certificate.Extensions.GetEnumerator();
while (enumerator.MoveNext())
{
X509Extension current = enumerator.Current;
if (string.Compare(current.Oid.Value, "2.5.29.15", StringComparison.OrdinalIgnoreCase) == 0)
{
X509KeyUsageExtension extension2 = new X509KeyUsageExtension();
extension2.CopyFrom(current);
if (((extension2.KeyUsages & X509KeyUsageFlags.DigitalSignature) == X509KeyUsageFlags.None) && ((extension2.KeyUsages & X509KeyUsageFlags.NonRepudiation) == X509KeyUsageFlags.None))
{
return(-2146762480);
}
}
}
return(num2);
}
public void WrongExtension_X509Extension_KeyUsages()
{
X509Extension ex = new X509Extension("1.2.3", new byte[0], true);
X509KeyUsageExtension ku = new X509KeyUsageExtension();
ku.CopyFrom(ex);
Assert.AreEqual(0, ku.KeyUsages, "KeyUsages");
}
public void WrongExtension_X509Extension()
{
X509Extension ex = new X509Extension("1.2.3", new byte [0], true);
X509KeyUsageExtension ku = new X509KeyUsageExtension(X509KeyUsageFlags.CrlSign, true);
ku.CopyFrom(ex);
Assert.IsTrue(ku.Critical, "Critical");
Assert.AreEqual(String.Empty, BitConverter.ToString(ku.RawData), "RawData");
Assert.AreEqual("1.2.3", ku.Oid.Value, "Oid.Value");
Assert.IsNull(ku.Oid.FriendlyName, "Oid.FriendlyName");
}
public bool CheckSignature(X509Certificate2 certificate, bool verifySignatureOnly)
{
if (!CheckSignature(certificate.PublicKey.Key))
{
return(false);
}
if (verifySignatureOnly)
{
SignedXmlDebugLog.LogVerificationResult(this, certificate, true);
return(true);
}
// Check key usages to make sure it is good for signing.
foreach (X509Extension extension in certificate.Extensions)
{
if (String.Compare(extension.Oid.Value, CAPI.szOID_KEY_USAGE, StringComparison.OrdinalIgnoreCase) == 0)
{
X509KeyUsageExtension keyUsage = new X509KeyUsageExtension();
keyUsage.CopyFrom(extension);
SignedXmlDebugLog.LogVerifyKeyUsage(this, certificate, keyUsage);
bool validKeyUsage = (keyUsage.KeyUsages & X509KeyUsageFlags.DigitalSignature) != 0 ||
(keyUsage.KeyUsages & X509KeyUsageFlags.NonRepudiation) != 0;
if (!validKeyUsage)
{
SignedXmlDebugLog.LogVerificationFailure(this, SecurityResources.GetResourceString("Log_VerificationFailed_X509KeyUsage"));
return(false);
}
break;
}
}
// Do the chain verification to make sure the certificate is valid.
X509Chain chain = new X509Chain();
chain.ChainPolicy.ExtraStore.AddRange(BuildBagOfCerts());
bool chainVerified = chain.Build(certificate);
SignedXmlDebugLog.LogVerifyX509Chain(this, chain, certificate);
if (!chainVerified)
{
SignedXmlDebugLog.LogVerificationFailure(this, SecurityResources.GetResourceString("Log_VerificationFailed_X509Chain"));
return(false);
}
SignedXmlDebugLog.LogVerificationResult(this, certificate, true);
return(true);
}
internal static X509Certificate2 SelectSignerCertificate()
{
X509Store x509Store = new X509Store();
x509Store.Open(OpenFlags.OpenExistingOnly | OpenFlags.IncludeArchived);
X509Certificate2Collection certificates = new X509Certificate2Collection();
foreach (X509Certificate2 certificate in x509Store.Certificates)
{
if (certificate.HasPrivateKey && certificate.NotBefore <= DateTime.Now && certificate.NotAfter >= DateTime.Now)
{
bool flag = true;
foreach (X509Extension x509Extension in certificate.Extensions)
{
if (string.Compare(x509Extension.Oid.Value, "2.5.29.15", StringComparison.OrdinalIgnoreCase) == 0)
{
X509KeyUsageExtension keyUsageExtension = new X509KeyUsageExtension();
keyUsageExtension.CopyFrom((AsnEncodedData)x509Extension);
if ((keyUsageExtension.KeyUsages & X509KeyUsageFlags.DigitalSignature) == X509KeyUsageFlags.None && (keyUsageExtension.KeyUsages & X509KeyUsageFlags.NonRepudiation) == X509KeyUsageFlags.None)
{
flag = false;
break;
}
else
{
break;
}
}
}
if (flag)
{
certificates.Add(certificate);
}
}
}
if (certificates.Count < 1)
{
throw new CryptographicException(-2146889714);
}
X509Certificate2Collection certificate2Collection = X509Certificate2UI.SelectFromCollection(certificates, (string)null, (string)null, X509SelectionFlag.SingleSelection);
if (certificate2Collection.Count < 1)
{
throw new CryptographicException(1223);
}
else
{
return(certificate2Collection[0]);
}
}
internal static CmsRecipientCollection SelectRecipients(SubjectIdentifierType recipientIdentifierType)
{
X509Store x509Store = new X509Store("AddressBook");
x509Store.Open(OpenFlags.OpenExistingOnly);
X509Certificate2Collection certificates1 = new X509Certificate2Collection(x509Store.Certificates);
foreach (X509Certificate2 certificate in x509Store.Certificates)
{
if (certificate.NotBefore <= DateTime.Now && certificate.NotAfter >= DateTime.Now)
{
bool flag = true;
foreach (X509Extension x509Extension in certificate.Extensions)
{
if (string.Compare(x509Extension.Oid.Value, "2.5.29.15", StringComparison.OrdinalIgnoreCase) == 0)
{
X509KeyUsageExtension keyUsageExtension = new X509KeyUsageExtension();
keyUsageExtension.CopyFrom((AsnEncodedData)x509Extension);
if ((keyUsageExtension.KeyUsages & X509KeyUsageFlags.KeyEncipherment) == X509KeyUsageFlags.None && (keyUsageExtension.KeyUsages & X509KeyUsageFlags.KeyAgreement) == X509KeyUsageFlags.None)
{
flag = false;
break;
}
else
{
break;
}
}
}
if (flag)
{
certificates1.Add(certificate);
}
}
}
if (certificates1.Count < 1)
{
throw new CryptographicException(-2146889717);
}
X509Certificate2Collection certificates2 = X509Certificate2UI.SelectFromCollection(certificates1, (string)null, (string)null, X509SelectionFlag.MultiSelection);
if (certificates2.Count < 1)
{
throw new CryptographicException(1223);
}
else
{
return(new CmsRecipientCollection(recipientIdentifierType, certificates2));
}
}
public bool CheckSignature(X509Certificate2 certificate, bool verifySignatureOnly)
{
if (!verifySignatureOnly)
{
// Check key usages to make sure it is good for signing.
foreach (X509Extension extension in certificate.Extensions)
{
if (string.Equals(extension.Oid.Value, "2.5.29.15" /* szOID_KEY_USAGE */, StringComparison.OrdinalIgnoreCase))
{
X509KeyUsageExtension keyUsage = new X509KeyUsageExtension();
keyUsage.CopyFrom(extension);
SignedXmlDebugLog.LogVerifyKeyUsage(this, certificate, keyUsage);
bool validKeyUsage = (keyUsage.KeyUsages & X509KeyUsageFlags.DigitalSignature) != 0 ||
(keyUsage.KeyUsages & X509KeyUsageFlags.NonRepudiation) != 0;
if (!validKeyUsage)
{
SignedXmlDebugLog.LogVerificationFailure(this, SR.Log_VerificationFailed_X509KeyUsage);
return(false);
}
break;
}
}
// Do the chain verification to make sure the certificate is valid.
X509Chain chain = new X509Chain();
chain.ChainPolicy.ExtraStore.AddRange(BuildBagOfCerts());
bool chainVerified = chain.Build(certificate);
SignedXmlDebugLog.LogVerifyX509Chain(this, chain, certificate);
if (!chainVerified)
{
SignedXmlDebugLog.LogVerificationFailure(this, SR.Log_VerificationFailed_X509Chain);
return(false);
}
}
using (AsymmetricAlgorithm publicKey = Utils.GetAnyPublicKey(certificate))
{
if (!CheckSignature(publicKey))
{
return(false);
}
}
SignedXmlDebugLog.LogVerificationResult(this, certificate, true);
return(true);
}
/// <summary>
/// Determine whether a cert can be used for code signing.
/// </summary>
/// <param name="cert">Certificate</param>
/// <returns>True or false</returns>
public static bool CanSignWith(X509Certificate2 cert)
{
// Check key usages to make sure it is good for signing.
bool bCodeSigningEnabled = true;
if (cert.Extensions.Count > 0)
{
foreach (X509Extension extension in cert.Extensions)
{
bool?bCodeSignEnhancedKeyPresent = null;
if (String.Compare(extension.Oid.Value, szOID_KEY_USAGE, true, CultureInfo.InvariantCulture) == 0)
{
X509KeyUsageExtension keyUsage = new X509KeyUsageExtension();
keyUsage.CopyFrom(extension);
if ((keyUsage.KeyUsages & X509KeyUsageFlags.DigitalSignature) == 0)
{
bCodeSigningEnabled = false;
}
else
{
// Check if enhanced code-signing key is present.
foreach (X509Extension codesignextension in cert.Extensions)
{
bCodeSignEnhancedKeyPresent = CodeSignEnhancedKeyPresent(codesignextension);
if (bCodeSignEnhancedKeyPresent.HasValue)
{
bCodeSigningEnabled = bCodeSignEnhancedKeyPresent.Value;
break;
}
}
break;
}
}
else
{
bCodeSignEnhancedKeyPresent = CodeSignEnhancedKeyPresent(extension);
if (bCodeSignEnhancedKeyPresent.HasValue && bCodeSignEnhancedKeyPresent.Value == false)
{
bCodeSigningEnabled = false;
}
}
}
}
return(bCodeSigningEnabled);
}
internal static CmsRecipientCollection SelectRecipients(SubjectIdentifierType recipientIdentifierType)
{
X509Store store = new X509Store("AddressBook");
store.Open(OpenFlags.OpenExistingOnly);
X509Certificate2Collection certificates = new X509Certificate2Collection(store.Certificates);
X509Certificate2Enumerator enumerator = store.Certificates.GetEnumerator();
while (enumerator.MoveNext())
{
X509Certificate2 current = enumerator.Current;
if ((current.NotBefore <= DateTime.Now) && (current.NotAfter >= DateTime.Now))
{
bool flag = true;
X509ExtensionEnumerator enumerator2 = current.Extensions.GetEnumerator();
while (enumerator2.MoveNext())
{
X509Extension asnEncodedData = enumerator2.Current;
if (string.Compare(asnEncodedData.Oid.Value, "2.5.29.15", StringComparison.OrdinalIgnoreCase) == 0)
{
X509KeyUsageExtension extension2 = new X509KeyUsageExtension();
extension2.CopyFrom(asnEncodedData);
if (((extension2.KeyUsages & X509KeyUsageFlags.KeyEncipherment) == X509KeyUsageFlags.None) && ((extension2.KeyUsages & X509KeyUsageFlags.KeyAgreement) == X509KeyUsageFlags.None))
{
flag = false;
}
break;
}
}
if (flag)
{
certificates.Add(current);
}
}
}
if (certificates.Count < 1)
{
throw new CryptographicException(-2146889717);
}
X509Certificate2Collection certificates2 = X509Certificate2UI.SelectFromCollection(certificates, null, null, X509SelectionFlag.MultiSelection);
if (certificates2.Count < 1)
{
throw new CryptographicException(0x4c7);
}
return(new CmsRecipientCollection(recipientIdentifierType, certificates2));
}
internal static X509Certificate2 SelectSignerCertificate()
{
X509Store store = new X509Store();
store.Open(OpenFlags.IncludeArchived | OpenFlags.OpenExistingOnly);
X509Certificate2Collection certificates = new X509Certificate2Collection();
X509Certificate2Enumerator enumerator = store.Certificates.GetEnumerator();
while (enumerator.MoveNext())
{
X509Certificate2 current = enumerator.Current;
if ((current.HasPrivateKey && (current.NotBefore <= DateTime.Now)) && (current.NotAfter >= DateTime.Now))
{
bool flag = true;
X509ExtensionEnumerator enumerator2 = current.Extensions.GetEnumerator();
while (enumerator2.MoveNext())
{
X509Extension asnEncodedData = enumerator2.Current;
if (string.Compare(asnEncodedData.Oid.Value, "2.5.29.15", StringComparison.OrdinalIgnoreCase) == 0)
{
X509KeyUsageExtension extension2 = new X509KeyUsageExtension();
extension2.CopyFrom(asnEncodedData);
if (((extension2.KeyUsages & X509KeyUsageFlags.DigitalSignature) == X509KeyUsageFlags.None) && ((extension2.KeyUsages & X509KeyUsageFlags.NonRepudiation) == X509KeyUsageFlags.None))
{
flag = false;
}
break;
}
}
if (flag)
{
certificates.Add(current);
}
}
}
if (certificates.Count < 1)
{
throw new CryptographicException(-2146889714);
}
certificates = X509Certificate2UI.SelectFromCollection(certificates, null, null, X509SelectionFlag.SingleSelection);
if (certificates.Count < 1)
{
throw new CryptographicException(0x4c7);
}
return(certificates[0]);
}
public bool CheckSignature(X509Certificate2 certificate, bool verifySignatureOnly)
{
if (!this.CheckSignature(certificate.PublicKey.Key))
{
return(false);
}
if (verifySignatureOnly)
{
SignedXmlDebugLog.LogVerificationResult(this, certificate, true);
return(true);
}
X509ExtensionEnumerator enumerator = certificate.Extensions.GetEnumerator();
while (enumerator.MoveNext())
{
X509Extension current = enumerator.Current;
if (string.Compare(current.Oid.Value, "2.5.29.15", StringComparison.OrdinalIgnoreCase) == 0)
{
X509KeyUsageExtension keyUsages = new X509KeyUsageExtension();
keyUsages.CopyFrom(current);
SignedXmlDebugLog.LogVerifyKeyUsage(this, certificate, keyUsages);
if (((keyUsages.KeyUsages & X509KeyUsageFlags.DigitalSignature) != X509KeyUsageFlags.None) || ((keyUsages.KeyUsages & X509KeyUsageFlags.NonRepudiation) != X509KeyUsageFlags.None))
{
break;
}
SignedXmlDebugLog.LogVerificationFailure(this, SecurityResources.GetResourceString("Log_VerificationFailed_X509KeyUsage"));
return(false);
}
}
X509Chain chain = new X509Chain();
chain.ChainPolicy.ExtraStore.AddRange(this.BuildBagOfCerts());
bool flag2 = chain.Build(certificate);
SignedXmlDebugLog.LogVerifyX509Chain(this, chain, certificate);
if (!flag2)
{
SignedXmlDebugLog.LogVerificationFailure(this, SecurityResources.GetResourceString("Log_VerificationFailed_X509Chain"));
return(false);
}
SignedXmlDebugLog.LogVerificationResult(this, certificate, true);
return(true);
}
private static unsafe int VerifyCertificate(X509Certificate2 certificate,
X509Certificate2Collection extraStore)
{
int dwErrorStatus;
int hr = X509Utils.VerifyCertificate(X509Utils.GetCertContext(certificate),
null,
null,
X509RevocationMode.Online,
X509RevocationFlag.ExcludeRoot,
DateTime.Now,
new TimeSpan(0, 0, 0),
extraStore,
new IntPtr(CAPI.CERT_CHAIN_POLICY_BASE),
new IntPtr(&dwErrorStatus));
if (hr != CAPI.S_OK)
{
return(dwErrorStatus);
}
// Check key usages to make sure it is good for signing.
foreach (X509Extension extension in certificate.Extensions)
{
if (String.Compare(extension.Oid.Value, CAPI.szOID_KEY_USAGE, StringComparison.OrdinalIgnoreCase) == 0)
{
X509KeyUsageExtension keyUsage = new X509KeyUsageExtension();
keyUsage.CopyFrom(extension);
if ((keyUsage.KeyUsages & X509KeyUsageFlags.DigitalSignature) == 0 &&
(keyUsage.KeyUsages & X509KeyUsageFlags.NonRepudiation) == 0)
{
hr = CAPI.CERT_E_WRONG_USAGE;
break;
}
}
}
return(hr);
}
private static unsafe int VerifyCertificate(X509Certificate2 certificate, X509Certificate2Collection extraStore)
{
int num1;
int num2 = X509Utils.VerifyCertificate(X509Utils.GetCertContext(certificate), (OidCollection)null, (OidCollection)null, X509RevocationMode.Online, X509RevocationFlag.ExcludeRoot, DateTime.Now, new TimeSpan(0, 0, 0), extraStore, new IntPtr(1L), new IntPtr((void *)&num1));
if (num2 != 0)
{
return(num1);
}
foreach (X509Extension x509Extension in certificate.Extensions)
{
if (string.Compare(x509Extension.Oid.Value, "2.5.29.15", StringComparison.OrdinalIgnoreCase) == 0)
{
X509KeyUsageExtension keyUsageExtension = new X509KeyUsageExtension();
keyUsageExtension.CopyFrom((AsnEncodedData)x509Extension);
if ((keyUsageExtension.KeyUsages & X509KeyUsageFlags.DigitalSignature) == X509KeyUsageFlags.None && (keyUsageExtension.KeyUsages & X509KeyUsageFlags.NonRepudiation) == X509KeyUsageFlags.None)
{
num2 = -2146762480;
break;
}
}
}
return(num2);
}
public void CopyFrom_Null()
{
X509KeyUsageExtension eku = new X509KeyUsageExtension();
eku.CopyFrom(null);
}