        /// <summary>
        /// Checks that the server certificate is allowed to be used for the key
        /// exchange negotiated for this session.
        /// </summary>
        /// <param name="cert">The server's leaf certificate.</param>
        /// <returns>
        /// <c>true</c> when the certificate's KeyUsage / ExtendedKeyUsage (or, failing
        /// those, the legacy Netscape cert-type) extensions permit server use, or when the
        /// certificate carries no usable restriction at all.
        /// </returns>
        /// <remarks>
        /// Security notes for reviewers:
        /// <list type="bullet">
        /// <item>v1/v2 certificates have no extensions and are accepted unconditionally.</item>
        /// <item>A v3 certificate with none of the three extensions is also accepted.</item>
        /// <item>For an exchange algorithm not listed in the switch the required usage is
        /// <c>KeyUsages.none</c>, which <c>KeyUsageExtension.Support</c> (as implemented
        /// in this codebase, <c>(x &amp; kubits) == x</c>) always satisfies.</item>
        /// <item>Only id-kp-serverAuth and Netscape SGC are accepted as EKU purposes;
        /// anyExtendedKeyUsage (2.5.29.37.0) is not treated as a match.</item>
        /// </list>
        /// </remarks>
        private bool checkCertificateUsage(Mono.Security.X509.X509Certificate cert)
        {
            // Cast first so an unexpected context type fails the same way as before.
            ClientContext ctx = (ClientContext)base.Context;

            // Pre-v3 certificates cannot carry extensions, so there is nothing to verify.
            if (cert.Version < 3)
            {
                return true;
            }

            // Map the negotiated key exchange onto the KeyUsage bit the server key must have.
            KeyUsages required;
            switch (ctx.Negotiating.Cipher.ExchangeAlgorithmType)
            {
            case ExchangeAlgorithmType.DiffieHellman:
                required = KeyUsages.keyAgreement;
                break;

            case ExchangeAlgorithmType.RsaKeyX:
                required = KeyUsages.keyEncipherment;
                break;

            case ExchangeAlgorithmType.RsaSign:
                required = KeyUsages.digitalSignature;
                break;

            case ExchangeAlgorithmType.Fortezza:
                // Fortezza certificates are not supported at all.
                return false;

            default:
                required = KeyUsages.none;
                break;
            }

            Mono.Security.X509.X509Extension raw = cert.Extensions["2.5.29.15"];
            KeyUsageExtension ku = (raw == null) ? null : new KeyUsageExtension(raw);

            raw = cert.Extensions["2.5.29.37"];
            ExtendedKeyUsageExtension eku = (raw == null) ? null : new ExtendedKeyUsageExtension(raw);

            // A present KeyUsage must allow the negotiated exchange (RFC 3280: when both
            // KeyUsage and ExtendedKeyUsage exist, both have to be satisfied).
            if (ku != null && !ku.Support(required))
            {
                return false;
            }

            // A present ExtendedKeyUsage decides the outcome: serverAuth or Netscape SGC.
            if (eku != null)
            {
                return eku.KeyPurpose.Contains("1.3.6.1.5.5.7.3.1")
                    || eku.KeyPurpose.Contains("2.16.840.1.113730.4.1");
            }

            // Only KeyUsage was present and it passed.
            if (ku != null)
            {
                return true;
            }

            // Neither extension: fall back to the legacy Netscape cert-type extension.
            raw = cert.Extensions["2.16.840.1.113730.1.1"];
            if (raw != null)
            {
                NetscapeCertTypeExtension certType = new NetscapeCertTypeExtension(raw);
                return certType.Support(NetscapeCertTypeExtension.CertTypes.SslServer);
            }

            // No usage information at all: treated as unrestricted.
            return true;
        }
        /// <summary>
        /// Validates that the server's certificate is permitted to perform the key
        /// exchange negotiated for the connection (client-side usage check).
        /// </summary>
        /// <param name="cert">Server leaf certificate.</param>
        /// <returns><c>true</c> if the certificate may be used, <c>false</c> otherwise.</returns>
        /// <remarks>
        /// Decision order: KeyUsage must permit the negotiated exchange when present;
        /// ExtendedKeyUsage, when present, must list id-kp-serverAuth or Netscape SGC;
        /// if neither extension exists the Netscape cert-type extension is consulted;
        /// with no usage information at all the certificate is accepted.
        /// Reviewer notes: v1/v2 certificates are accepted without any check; an
        /// exchange algorithm outside the handled set leaves the required usage at
        /// <c>none</c>, which <c>KeyUsageExtension.Support</c> (as written in this
        /// codebase) always accepts; anyExtendedKeyUsage (2.5.29.37.0) is not treated
        /// as a match.
        /// </remarks>
        private bool checkCertificateUsage(Mono.Security.X509.X509Certificate cert)
        {
            ClientContext ctx = (ClientContext)this.Context;

            // no extensions before v3, nothing to verify
            if (cert.Version < 3)
            {
                return true;
            }

            ExchangeAlgorithmType exchange = ctx.Negotiating.Cipher.ExchangeAlgorithmType;
            if (exchange == ExchangeAlgorithmType.Fortezza)
            {
                // unsupported certificate type
                return false;
            }

            // KeyUsage bit the server key needs for this exchange
            KeyUsages needed = KeyUsages.none;
            if (exchange == ExchangeAlgorithmType.DiffieHellman)
            {
                needed = KeyUsages.keyAgreement;
            }
            else if (exchange == ExchangeAlgorithmType.RsaKeyX)
            {
                needed = KeyUsages.keyEncipherment;
            }
            else if (exchange == ExchangeAlgorithmType.RsaSign)
            {
                needed = KeyUsages.digitalSignature;
            }

            Mono.Security.X509.X509Extension kuRaw  = cert.Extensions["2.5.29.15"];
            Mono.Security.X509.X509Extension ekuRaw = cert.Extensions["2.5.29.37"];

            bool hasKu  = kuRaw != null;
            bool hasEku = ekuRaw != null;

            KeyUsageExtension         ku  = hasKu  ? new KeyUsageExtension(kuRaw)          : null;
            ExtendedKeyUsageExtension eku = hasEku ? new ExtendedKeyUsageExtension(ekuRaw) : null;

            if (!hasKu && !hasEku)
            {
                // legacy Netscape cert-type extension is the last resort; absence = accept
                Mono.Security.X509.X509Extension nsRaw = cert.Extensions["2.16.840.1.113730.1.1"];
                return nsRaw == null
                    || new NetscapeCertTypeExtension(nsRaw).Support(NetscapeCertTypeExtension.CertTypes.SslServer);
            }

            // when both extensions are present both must hold (RFC 3280)
            bool keyUsageOk = !hasKu || ku.Support(needed);
            bool purposeOk  = !hasEku
                || eku.KeyPurpose.Contains("1.3.6.1.5.5.7.3.1")
                || eku.KeyPurpose.Contains("2.16.840.1.113730.4.1");

            return keyUsageOk && purposeOk;
        }
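        /// <summary>
        /// Checks whether a client certificate's KeyUsage / ExtendedKeyUsage (or legacy
        /// Netscape cert-type) extensions permit its use for TLS client authentication.
        /// </summary>
        /// <param name="cert">The client's leaf certificate.</param>
        /// <returns><c>true</c> if the certificate is usable for client authentication.</returns>
        /// <remarks>
        /// Fix: <c>KeyUsageExtension.Support</c> as implemented in this codebase
        /// (<c>(x &amp; kubits) == x</c>) only succeeds when <em>every</em> bit of its
        /// argument is set in the certificate, so passing
        /// <c>digitalSignature | keyEncipherment | keyAgreement</c> rejected any client
        /// certificate lacking one of the three. The intent is "at least one of them",
        /// which is what <see cref="KeyUsageAllowsClientAuth"/> implements.
        /// Unlike the server-certificate check, a certificate with no usable extension at
        /// all is rejected (fail closed). anyExtendedKeyUsage (2.5.29.37.0) is not treated
        /// as a clientAuth match.
        /// </remarks>
        private bool CheckClientCertificateExtensions(X509Certificate cert)
        {
            // Client Authentication (1.3.6.1.5.5.7.3.2)
            const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";

            KeyUsageExtension         kux = null;
            ExtendedKeyUsageExtension eku = null;

            X509Extension xtn = cert.Extensions["2.5.29.15"];

            if (xtn != null)
            {
                kux = new KeyUsageExtension(xtn);
            }

            xtn = cert.Extensions["2.5.29.37"];
            if (xtn != null)
            {
                eku = new ExtendedKeyUsageExtension(xtn);
            }

            // RFC3280 states that when both KeyUsageExtension and
            // ExtendedKeyUsageExtension are present then BOTH should
            // be valid, so a failing KeyUsage is final.
            if (kux != null && !KeyUsageAllowsClientAuth(kux))
            {
                return false;
            }

            if (eku != null)
            {
                return eku.KeyPurpose.Contains(ClientAuthOid);
            }

            if (kux != null)
            {
                // KeyUsage alone was present and passed
                return true;
            }

            // last chance - try with older (deprecated) Netscape extensions
            xtn = cert.Extensions["2.16.840.1.113730.1.1"];
            if (xtn != null)
            {
                NetscapeCertTypeExtension ct = new NetscapeCertTypeExtension(xtn);
                return ct.Support(NetscapeCertTypeExtension.CertTypes.SslClient);
            }

            // certificate isn't valid for SSL client usage
            return false;
        }

        /// <summary>
        /// A client key is usable when it may sign or take part in key exchange; any
        /// one of the three KeyUsage bits is sufficient (they are tested one at a time
        /// because <c>Support</c> requires all bits of its argument).
        /// </summary>
        /// <param name="kux">Parsed KeyUsage extension of the client certificate.</param>
        /// <returns><c>true</c> if at least one acceptable bit is set.</returns>
        private static bool KeyUsageAllowsClientAuth(KeyUsageExtension kux)
        {
            return kux.Support(KeyUsages.digitalSignature)
                || kux.Support(KeyUsages.keyEncipherment)
                || kux.Support(KeyUsages.keyAgreement);
        }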
        /// <summary>
        /// Verifies that a certificate's KeyUsage / ExtendedKeyUsage extensions, when
        /// present, allow the given key-usage bits and EKU purpose OID.
        /// </summary>
        /// <param name="certificate">Certificate to inspect.</param>
        /// <param name="keyUsages">
        /// KeyUsage bits handed to <c>KeyUsageExtension.Support</c>; with the
        /// implementation in this codebase every bit must be present.
        /// </param>
        /// <param name="purpose">Dotted EKU purpose OID that must be listed if an EKU extension exists.</param>
        /// <returns>
        /// <c>true</c> when every present extension is satisfied, or when there is nothing to
        /// check (null extension collection, or neither extension present).
        /// </returns>
        /// <remarks>
        /// Absence is treated as unrestricted. anyExtendedKeyUsage (2.5.29.37.0) is not
        /// matched against <paramref name="purpose"/>.
        /// </remarks>
        internal static bool VerifyKeyUsage(MX.X509Certificate certificate, KeyUsages keyUsages, string purpose)
        {
            var extensions = certificate.Extensions;
            if (extensions == null)
            {
                return true;
            }

            var kuRaw  = extensions [OidKeyUsage];
            var ekuRaw = extensions [OidExtendedKeyUsage];

            KeyUsageExtension         kux = (kuRaw  != null) ? new KeyUsageExtension(kuRaw)          : null;
            ExtendedKeyUsageExtension eku = (ekuRaw != null) ? new ExtendedKeyUsageExtension(ekuRaw) : null;

            // RFC3280: when both extensions are present, BOTH must be satisfied.
            bool keyUsageOk = (kux == null) || kux.Support(keyUsages);
            if (!keyUsageOk)
            {
                return false;
            }

            bool purposeOk = (eku == null) || eku.KeyPurpose.Contains(purpose);
            return purposeOk;
        }
        /// <summary>
        /// Reports whether every KeyUsage bit in <paramref name="usage"/> is asserted by
        /// this extension.
        /// </summary>
        /// <param name="usage">Bit set to test; may combine several flags.</param>
        /// <returns>
        /// <c>true</c> when all requested bits are set in <c>kubits</c>. Because the test
        /// is "all bits of usage", <c>KeyUsages.none</c> (0) is always supported, and a
        /// combined value such as A|B requires both A and B.
        /// </returns>
        public bool Support(KeyUsages usage)
        {
            int wanted  = Convert.ToInt32(usage, CultureInfo.InvariantCulture);
            int present = wanted & kubits;

            return present == wanted;
        }
        // Note: this method only works for RSA certificates
        // DH certificates requires some changes - does anyone use one ?
        //
        // Returns true when the server certificate may be used for the negotiated
        // key exchange, judged from its KeyUsage (2.5.29.15), ExtendedKeyUsage
        // (2.5.29.37) or, as a last resort, the legacy Netscape cert-type extension.
        //
        // Security notes:
        //  - v1/v2 certificates (no extensions) and v3 certificates with none of the
        //    three extensions are accepted as-is; per the comment at the end only the
        //    hostname check done later covers that case.
        //  - an exchange algorithm outside the handled set leaves ku == none, which
        //    KeyUsageExtension.Support (as written in this codebase) always accepts.
        //  - only id-kp-serverAuth and Netscape SGC are accepted EKU purposes;
        //    anyExtendedKeyUsage (2.5.29.37.0) is not recognised.
        private bool checkCertificateUsage(X509Certificate cert)
        {
            ClientContext context = (ClientContext)this.Context;

            // certificate extensions are required for this
            // we "must" accept older certificates without proofs
            if (cert.Version < 3)
            {
                return true;
            }

            ExchangeAlgorithmType exchange = context.Negotiating.Cipher.ExchangeAlgorithmType;
            if (exchange == ExchangeAlgorithmType.Fortezza)
            {
                return false;                        // unsupported certificate type
            }

            // KeyUsage bit the server key must carry for this exchange
            KeyUsages ku = KeyUsages.none;
            if (exchange == ExchangeAlgorithmType.RsaSign)
            {
                ku = KeyUsages.digitalSignature;
            }
            else if (exchange == ExchangeAlgorithmType.RsaKeyX)
            {
                ku = KeyUsages.keyEncipherment;
            }
            else if (exchange == ExchangeAlgorithmType.DiffieHellman)
            {
                ku = KeyUsages.keyAgreement;
            }

            X509Extension kuRaw  = cert.Extensions ["2.5.29.15"];
            X509Extension ekuRaw = cert.Extensions ["2.5.29.37"];

            KeyUsageExtension         kux = (kuRaw  != null) ? new KeyUsageExtension(kuRaw)          : null;
            ExtendedKeyUsageExtension eku = (ekuRaw != null) ? new ExtendedKeyUsageExtension(ekuRaw) : null;

            if (kux == null && eku == null)
            {
                // last chance - try with older (deprecated) Netscape extensions
                X509Extension nsRaw = cert.Extensions ["2.16.840.1.113730.1.1"];
                if (nsRaw != null)
                {
                    NetscapeCertTypeExtension ct = new NetscapeCertTypeExtension(nsRaw);
                    return ct.Support(NetscapeCertTypeExtension.CertTypes.SslServer);
                }

                // if the CN=host (checked later) then we assume this is meant for SSL/TLS
                // e.g. the new smtp.gmail.com certificate
                return true;
            }

            // RFC3280: when both KeyUsage and ExtendedKeyUsage are present BOTH must hold
            if (kux != null && !kux.Support(ku))
            {
                return false;
            }
            if (eku == null)
            {
                return true;
            }

            // Server Authentication (1.3.6.1.5.5.7.3.1) or
            // Netscape Server Gated Crypto (2.16.840.1.113730.4.1)
            bool serverAuth        = eku.KeyPurpose.Contains("1.3.6.1.5.5.7.3.1");
            bool serverGatedCrypto = eku.KeyPurpose.Contains("2.16.840.1.113730.4.1");
            return serverAuth || serverGatedCrypto;
        }
        // Returns true when the presented client certificate may be used for the
        // negotiated key exchange: both RSA suites map to digitalSignature, DH maps
        // to keyAgreement.
        //
        // Decision order: KeyUsage and/or ExtendedKeyUsage when present (both must
        // hold if both exist, RFC 3280), else the legacy Netscape cert-type
        // extension, else reject. Unlike the server-certificate check, a v3 client
        // certificate without any usage information is NOT accepted; v1/v2
        // certificates, which cannot carry extensions, still are.
        // Only id-kp-clientAuth is recognised as an EKU purpose; anyExtendedKeyUsage
        // (2.5.29.37.0) is not. An exchange algorithm outside the switch leaves ku
        // at none, which KeyUsageExtension.Support always accepts.
        private bool checkCertificateUsage(X509Certificate cert)
        {
            ServerContext context = (ServerContext)this.Context;

            // certificate extensions are required for this
            // we "must" accept older certificates without proofs
            if (cert.Version < 3)
            {
                return true;
            }

            KeyUsages ku;
            switch (context.Negotiating.Cipher.ExchangeAlgorithmType)
            {
            case ExchangeAlgorithmType.Fortezza:
                return false;                        // unsupported certificate type

            case ExchangeAlgorithmType.DiffieHellman:
                ku = KeyUsages.keyAgreement;
                break;

            case ExchangeAlgorithmType.RsaSign:
            case ExchangeAlgorithmType.RsaKeyX:
                ku = KeyUsages.digitalSignature;
                break;

            default:
                ku = KeyUsages.none;
                break;
            }

            X509Extension kuRaw  = cert.Extensions["2.5.29.15"];
            X509Extension ekuRaw = cert.Extensions["2.5.29.37"];

            KeyUsageExtension         kux = (kuRaw  == null) ? null : new KeyUsageExtension(kuRaw);
            ExtendedKeyUsageExtension eku = (ekuRaw == null) ? null : new ExtendedKeyUsageExtension(ekuRaw);

            if (kux == null && eku == null)
            {
                // last chance - try with older (deprecated) Netscape extensions
                X509Extension nsRaw = cert.Extensions["2.16.840.1.113730.1.1"];
                if (nsRaw == null)
                {
                    // certificate isn't valid for SSL client usage
                    return false;
                }
                return new NetscapeCertTypeExtension(nsRaw).Support(NetscapeCertTypeExtension.CertTypes.SslClient);
            }

            // RFC3280 states that when both KeyUsageExtension and
            // ExtendedKeyUsageExtension are present then BOTH should be valid
            bool keyUsageOk = (kux == null) || kux.Support(ku);

            // Client Authentication (1.3.6.1.5.5.7.3.2)
            bool purposeOk = (eku == null) || eku.KeyPurpose.Contains("1.3.6.1.5.5.7.3.2");

            return keyUsageOk && purposeOk;
        }
		// Checks a certificate's KeyUsage / ExtendedKeyUsage extensions against the
		// requested usages and EKU purpose OID. Missing extensions (or a null
		// extension collection) impose no restriction and the check passes. When
		// both are present, both must be satisfied (RFC 3280). 'keyUsages' is
		// evaluated by KeyUsageExtension.Support, which in this codebase requires
		// every bit of its argument; anyExtendedKeyUsage (2.5.29.37.0) is not
		// matched against 'purpose'.
		internal static bool VerifyKeyUsage (MX.X509Certificate certificate, KeyUsages keyUsages, string purpose)
		{
			var extensions = certificate.Extensions;
			if (extensions == null)
				return true;

			var kuRaw = extensions [OidKeyUsage];
			var ekuRaw = extensions [OidExtendedKeyUsage];

			var kux = kuRaw != null ? new KeyUsageExtension (kuRaw) : null;
			var eku = ekuRaw != null ? new ExtendedKeyUsageExtension (ekuRaw) : null;

			// a failing KeyUsage is final, whatever the EKU says
			if (kux != null && !kux.Support (keyUsages))
				return false;

			return eku == null || eku.KeyPurpose.Contains (purpose);
		}
		// True when every bit of 'usage' is set in this extension's key-usage bits.
		// Consequently 'none' (0) is always supported, and a combined value such as
		// digitalSignature | keyEncipherment requires BOTH bits to be present.
		public bool Support (KeyUsages usage) 
		{
			int wanted = Convert.ToInt32 (usage, CultureInfo.InvariantCulture);
			int matched = wanted & kubits;
			return matched == wanted;
		}
        /// <summary>
        /// Tests whether all bits of <paramref name="usage"/> are present in this
        /// extension's key-usage bit mask.
        /// </summary>
        /// <param name="usage">Flags to look for; a combined value needs every flag set.</param>
        /// <returns><c>true</c> if no requested bit is missing; always <c>true</c> for <c>none</c>.</returns>
        public bool Support(KeyUsages usage)
        {
            int requested = Convert.ToInt32(usage, CultureInfo.InvariantCulture);
            int missing   = requested & ~this.kubits;

            return missing == 0;
        }
        /// <summary>
        /// Returns whether this extension asserts every KeyUsage bit in
        /// <paramref name="usage"/>.
        /// </summary>
        /// <param name="usage">Bit set to check. <c>none</c> (0) always passes; A|B requires both.</param>
        /// <returns><c>true</c> when <c>kubits</c> contains all requested bits.</returns>
        public bool Support(KeyUsages usage)
        {
            int wanted = Convert.ToInt32(usage, CultureInfo.InvariantCulture);

            return (this.kubits & wanted) == wanted;
        }
        /// <summary>
        /// Builds the wizard's pick-lists: available CSP/KSP providers with their hash
        /// and signature algorithms, extended-key-usage OIDs, key-usage flags, default
        /// validity dates and combo-box sort orders.
        /// </summary>
        /// <remarks>
        /// The machine-store radio is enabled only when the current token is in the
        /// Administrators role. NOTE(review): this is a UI convenience, not a security
        /// boundary — the certificate store itself enforces access; under UAC a
        /// non-elevated process is normally not in that role even for admin users,
        /// confirm that matches the intended UX.
        /// </remarks>
        public CertWizard()
        {
            InitializeComponent();

            // enumerate every CSP/KSP the platform reports
            CertEnroll.CCspInformations csps = new CertEnroll.CCspInformations();
            csps.AddAvailableCsps();

            foreach (CertEnroll.ICspInformation csp in csps)
            {
                // display record for this provider
                ProviderDetails provider = new ProviderDetails
                {
                    IsHardware = csp.IsSmartCard || csp.IsHardwareDevice,
                    IsLegacy   = csp.LegacyCsp
                };
                ProviderOptions.Add(csp.Name, provider);

                foreach (CertEnroll.ICspAlgorithm alg in csp.CspAlgorithms)
                {
                    // the generic "ECDSA" entry does not work for enrollment, skip it
                    if (alg.Name.Equals("ECDSA"))
                    {
                        continue;
                    }

                    CertEnroll.AlgorithmType type = alg.Type;

                    if (type == CertEnroll.AlgorithmType.XCN_BCRYPT_HASH_INTERFACE)
                    {
                        // hash algorithms, de-duplicated
                        if (!provider.HashAlgorithmns.Contains(alg.Name))
                        {
                            provider.HashAlgorithmns.Add(alg.Name);
                        }
                    }
                    else if (type == CertEnroll.AlgorithmType.XCN_BCRYPT_SIGNATURE_INTERFACE ||
                             type == CertEnroll.AlgorithmType.XCN_BCRYPT_ASYMMETRIC_ENCRYPTION_INTERFACE)
                    {
                        // signature algorithms with their key-length bounds, de-duplicated
                        if (!provider.SignatureAlgorithmns.Contains(alg.Name))
                        {
                            provider.SignatureAlgorithmns.Add(alg.Name);
                            provider.SignatureMinLengths.Add(alg.Name, alg.MinLength);
                            provider.SignatureMaxLengths.Add(alg.Name, alg.MaxLength);
                        }
                    }
                }

                // names without an underscore (e.g. RSA) sort ahead of qualified ones
                provider.SignatureAlgorithmns = provider.SignatureAlgorithmns
                    .OrderBy(name => name.Contains("_"))
                    .ThenBy(name => name)
                    .ToList();
            }

            // default validity window: now through three years out
            oValidFromDatePicker.SelectedDate  = DateTime.Now;
            oValidUntilDatePicker.SelectedDate = DateTime.Now.AddYears(3);

            // extended key usage pick-list
            foreach (Oid oid in NativeMethods.GetExtendedKeyUsages())
            {
                // NOTE(review): Oid.FriendlyName can be null for OIDs without a
                // registered name; whether GetExtendedKeyUsages can yield such an
                // entry is not visible here — confirm before relying on it.
                string friendly = oid.FriendlyName;

                // skip weird looking or known problematic options
                if (friendly.StartsWith("sz") || friendly.StartsWith("@"))
                {
                    continue;
                }

                EnhancedKeyUsages.Add(new EkuOption
                {
                    Name = friendly,
                    Oid  = oid.Value
                });
            }

            // key usage pick-list: enum names split into words ("DigitalSignature" -> "Digital Signature")
            foreach (string flag in Enum.GetNames(typeof(X509KeyUsageFlags)))
            {
                KeyUsages.Add(new EkuOption
                {
                    Name = Regex.Replace(flag, "(\\B[A-Z])", " $1"),
                    Oid  = flag
                });
            }

            // sort the combo boxes
            oProviderComboBox.Items.SortDescriptions.Add(new SortDescription("", ListSortDirection.Ascending));
            oKeyUsageCombobox.Items.SortDescriptions.Add(new SortDescription("Name", ListSortDirection.Ascending));
            oEnhancedKeyUsageCombobox.Items.SortDescriptions.Add(new SortDescription("Name", ListSortDirection.Ascending));
            oProviderType_Checked(null, null);

            // machine store option only for members of the Administrators role (see remarks)
            WindowsPrincipal principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
            oCertificateStoreMachineRadio.IsEnabled = principal.IsInRole(WindowsBuiltInRole.Administrator);
        }