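/// <summary>
/// Checks that <paramref name="certificate"/> carries a signature made with
/// <paramref name="signingCa"/>'s key and that the CA chain above
/// <paramref name="signingCa"/> is acceptable.
/// </summary>
/// <param name="certificate">The end-entity certificate under test.</param>
/// <param name="signingCa">The CA expected to have issued <paramref name="certificate"/>.</param>
/// <returns>
/// <c>true</c> when the signature verifies against the CA's public key, <see cref="VerifyChain"/>
/// accepts the CA chain starting at <paramref name="signingCa"/>, and <see cref="VerifyRoot"/>
/// accepts it; otherwise <c>false</c>.
/// </returns>
/// <exception cref="ArgumentNullException">Thrown when either argument is <c>null</c>.</exception>
/// <remarks>
/// Nothing in this method compares the certificate's issuer name with the CA's subject, or checks
/// validity dates (NotBefore/NotAfter) or revocation — confirm that Verify/VerifyRoot or the caller
/// cover those where they are required.
/// </remarks>
public static bool VerifyTrust(X509Certificate2 certificate, Ca signingCa)
{
    if (certificate == null)
    {
        throw new ArgumentNullException(nameof(certificate));
    }
    if (signingCa == null)
    {
        throw new ArgumentNullException(nameof(signingCa));
    }

    // The leaf's BasicConstraints used to be fetched here and then discarded; the unused
    // lookup was removed. If that call was relied on to throw for a leaf without the
    // extension, add an explicit check instead — TODO confirm.

    // The leaf must verify against the issuing CA's key before the chain is inspected.
    if (!Verify(certificate, GetPublicKey(signingCa.Certificate)))
    {
        return false;
    }

    // pathLength 0: the issuing CA has no further CAs below it in this path.
    if (!VerifyChain(signingCa, 0))
    {
        return false;
    }

    return VerifyRoot(signingCa);
}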
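/// <summary>
/// Walks from <paramref name="ca"/> up through the <c>IssuingCa</c> links to the root, checking at
/// each level that the certificate asserts the CA flag, may sign certificates, honours its
/// path-length constraint, and is signed by its issuer.
/// </summary>
/// <param name="ca">The CA whose chain is inspected.</param>
/// <param name="pathLength">
/// Number of CAs already below <paramref name="ca"/> in the path; the direct issuer of an
/// end-entity certificate is called with 0, and each step up adds one.
/// </param>
/// <returns>
/// <c>true</c> if every CA up to and including the root passes the checks; otherwise <c>false</c>.
/// </returns>
/// <remarks>
/// A CA flagged <c>IsRoot</c> ends the walk and is accepted here without a signature check; a
/// self-signed certificate that is not flagged as root is rejected. Validity dates and revocation
/// are not examined by this method. The recursion follows <c>IssuingCa</c> until a root or a null
/// issuer is reached, so a cyclic chain whose members declare no path-length constraint would not
/// terminate — NOTE(review): confirm that Ca construction rules out cycles.
/// </remarks>
private static bool VerifyChain(Ca ca, int pathLength)
{
    var basicConstraints = X509CertificatePropertyExtrator.GetBasicConstraints(ca.Certificate);

    // The certificate must assert cA=TRUE in BasicConstraints.
    if (!basicConstraints.CertificateAuthority)
    {
        return false;
    }

    // It must be permitted to sign other certificates (keyCertSign in KeyUsage).
    X509KeyUsageFlags flags = X509CertificatePropertyExtrator.GetKeyUsage(ca.Certificate).KeyUsages;
    if ((flags & X509KeyUsageFlags.KeyCertSign) != X509KeyUsageFlags.KeyCertSign)
    {
        return false;
    }

    // pathLenConstraint bounds how many CAs may sit below this one in the path.
    if (basicConstraints.HasPathLengthConstraint && basicConstraints.PathLengthConstraint < pathLength)
    {
        return false;
    }

    // Only a declared root may be self-signed.
    if (IsSelfSigned(ca) && !ca.IsRoot)
    {
        return false;
    }

    if (ca.IsRoot)
    {
        return true;
    }

    Ca signingCa = ca.IssuingCa;
    if (signingCa == null)
    {
        return false;
    }

    // Reject a negative path-length value only when the issuer actually declares one (the
    // original compared PathLengthConstraint without consulting HasPathLengthConstraint, unlike
    // the check above). The issuer's full checks — CA flag, key usage, path length against
    // pathLength + 1 — run in the recursive call below.
    var signerConstraints = X509CertificatePropertyExtrator.GetBasicConstraints(signingCa.Certificate);
    if (signerConstraints.HasPathLengthConstraint && signerConstraints.PathLengthConstraint < 0)
    {
        return false;
    }

    // This CA's certificate must verify against its issuer's key.
    if (!Verify(ca.Certificate, GetPublicKey(signingCa.Certificate)))
    {
        return false;
    }

    // pathLength + 1 instead of ++pathLength: same value, without mutating the parameter.
    return VerifyChain(signingCa, pathLength + 1);
}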