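// RFC2818 - HTTP Over TLS, Section 3.1
// http://www.ietf.org/rfc/rfc2818.txt
//
// 1. if present MUST use subjectAltName dNSName as identity
// 1.1. if multiples entries a match of any one is acceptable
// 1.2. wildcard * is acceptable
// 2. URI may be an IP address -> subjectAltName.iPAddress
// 2.1. exact match is required
// 3. Use of the most specific Common Name (CN=) in the Subject
// 3.1 Existing practice but DEPRECATED
//
// Returns true when `cert` names `targetHost` according to the rules above.
// Any failure while decoding the certificate is reported on stderr and
// treated as "no match" (fail closed).
static bool CheckServerIdentity(MSX.X509Certificate cert, string targetHost)
{
    try {
        MSX.X509Extension ext = cert.Extensions ["2.5.29.17"];
        // 1. subjectAltName
        if (ext != null) {
            SubjectAltNameExtension subjectAltName = new SubjectAltNameExtension(ext);
            bool hasDnsNames = false;
            // 1.1 - multiple dNSName
            foreach (string dns in subjectAltName.DNSNames) {
                hasDnsNames = true;
                // 1.2 TODO - wildcard support
                if (Match(targetHost, dns)) {
                    return(true);
                }
            }
            // 2. ipAddress
            foreach (string ip in subjectAltName.IPAddresses) {
                // 2.1. Exact match required (string == is an ordinal compare)
                if (ip == targetHost) {
                    return(true);
                }
            }
            // RFC 2818 3.1: when dNSName entries are present they MUST be the
            // identity, so the deprecated CN fallback below must not be
            // consulted; otherwise a certificate whose SAN names do not cover
            // targetHost could still be accepted through its Subject.
            if (hasDnsNames) {
                return(false);
            }
        }
        // 3. Common Name (CN=) - only reached when no dNSName entry exists
        return(CheckDomainName(cert.SubjectName, targetHost));
    }
    catch (Exception e) {
        Console.Error.WriteLine("ERROR processing certificate: {0}", e);
        Console.Error.WriteLine("Please, report this problem to the Mono team");
        return(false);
    }
}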
// Renders the AuthorityKeyIdentifier (keyIdentifier field) of `ext` as an
// upper-case hex string with no separators. Returns String.Empty when the
// extension is absent or when it carries no identifier.
static string GetAuthorityKeyIdentifier(MX.X509Extension ext)
{
    if (ext == null) {
        return(String.Empty);
    }

    byte[] keyId = new MX.Extensions.AuthorityKeyIdentifierExtension(ext).Identifier;
    if (keyId == null) {
        return(String.Empty);
    }

    // BitConverter.ToString produces "AB-CD-..." (two upper-case hex digits per
    // byte); stripping the dashes gives the same text as per-byte "X02" formatting.
    return(BitConverter.ToString(keyId).Replace("-", String.Empty));
}