Exemplo n.º 1
0
        public static bool VerifyTrust(X509Certificate2 certificate, Ca signingCa)
        {
            var basicConstraints = X509CertificatePropertyExtrator.GetBasicConstraints(certificate);

            if (Verify(certificate, GetPublicKey(signingCa.Certificate)))
            {
                if (VerifyChain(signingCa, 0))
                {
                    return(VerifyRoot(signingCa));
                }
            }
            return(false);
        }
Exemplo n.º 2
0
        private static bool VerifyChain(Ca ca, int pathLength)
        {
            var basicConstraints = X509CertificatePropertyExtrator.GetBasicConstraints(ca.Certificate);

            //check that CA certificate is in fact a CA
            if (!basicConstraints.CertificateAuthority)
            {
                return(false);
            }

            //check that CA certificate must sign other certificates
            X509KeyUsageFlags flags = X509CertificatePropertyExtrator.GetKeyUsage(ca.Certificate).KeyUsages;

            if ((flags & (X509KeyUsageFlags.KeyCertSign)) != X509KeyUsageFlags.KeyCertSign)
            {
                return(false);
            }


            // Check path length
            if (basicConstraints.HasPathLengthConstraint && basicConstraints.PathLengthConstraint < pathLength)
            {
                return(false);
            }
            if (IsSelfSigned(ca) && !ca.IsRoot)
            {
                return(false);
            }
            if (ca.IsRoot)
            {
                return(true);
            }
            if (ca.IssuingCa == null)
            {
                return(false);
            }
            Ca signingCa = ca.IssuingCa;

            if (X509CertificatePropertyExtrator.GetBasicConstraints(signingCa.Certificate).PathLengthConstraint >= 0)
            {
                if (Verify(ca.Certificate, GetPublicKey(signingCa.Certificate)))
                {
                    return(VerifyChain(ca.IssuingCa, ++pathLength));
                }
            }
            return(false);
        }