/// <summary>
///   Checks one TLSA record against the peer certificate and the chain the framework built for it,
///   combining the record's association-data match with the PKIX result reported in <paramref name="sslPolicyErrors"/>.
/// </summary>
/// <param name="tlsaRecord">TLSA record to check; its CertificateUsage selects which rule applies.</param>
/// <param name="certificate">End-entity certificate presented by the remote peer.</param>
/// <param name="chain">Chain built for <paramref name="certificate"/>; only inspected for the TA usages.</param>
/// <param name="sslPolicyErrors">PKIX policy errors the framework reported for this handshake.</param>
/// <returns>true when the record matches and the reported policy errors are acceptable for the record's usage.</returns>
/// <exception cref="NotSupportedException">Thrown for a CertificateUsage other than PkixTA, PkixEE, DaneTA or DaneEE.</exception>
/// <remarks>
///   NOTE(review): tlsaRecord is trusted as given; whether it came from a DNSSEC-validated lookup is not
///   checked here and must be guaranteed by the caller — confirm.
///   NOTE(review): for the TA usages every element of <paramref name="chain"/> is searched, including the
///   end-entity certificate itself; whether the chain also contains a DANE trust anchor that is absent from
///   the local stores depends on how the framework built it — confirm against the calling code.
/// </remarks>
private bool ValidateCertificateByTlsa(TlsaRecord tlsaRecord, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
	TlsaRecord.TlsaCertificateUsage usage = tlsaRecord.CertificateUsage;

	// The "TA" usages look for the association data anywhere in the chain, the "EE" usages only at the leaf.
	bool searchesWholeChain = usage == TlsaRecord.TlsaCertificateUsage.PkixTA || usage == TlsaRecord.TlsaCertificateUsage.DaneTA;
	bool searchesEndEntityOnly = usage == TlsaRecord.TlsaCertificateUsage.PkixEE || usage == TlsaRecord.TlsaCertificateUsage.DaneEE;

	if (!searchesWholeChain && !searchesEndEntityOnly)
	{
		throw new NotSupportedException();
	}

	bool associationDataMatches = searchesWholeChain
		? chain.ChainElements.Cast<X509ChainElement>().Any(element => ValidateCertificateByTlsa(tlsaRecord, element.Certificate))
		: ValidateCertificateByTlsa(tlsaRecord, certificate);

	if (!associationDataMatches)
	{
		return false;
	}

	// The PKIX usages additionally require a fully clean PKIX result. The DANE usages tolerate
	// chain-building errors only (the record itself designates the trust anchor) and still reject
	// every other policy error, e.g. RemoteCertificateNameMismatch.
	bool requiresCleanPkixResult = usage == TlsaRecord.TlsaCertificateUsage.PkixTA || usage == TlsaRecord.TlsaCertificateUsage.PkixEE;
	SslPolicyErrors errorsOtherThanChain = sslPolicyErrors & ~SslPolicyErrors.RemoteCertificateChainErrors;

	return requiresCleanPkixResult
		? sslPolicyErrors == SslPolicyErrors.None
		: errorsOtherThanChain == SslPolicyErrors.None;
}
/// <summary>
///   Checks whether a single certificate matches the association data carried by a TLSA record.
/// </summary>
/// <param name="tlsaRecord">TLSA record whose Selector and MatchingType determine how the certificate is reduced to association data.</param>
/// <param name="certificate">Certificate to derive the association data from.</param>
/// <returns>true when the data derived from <paramref name="certificate"/> is byte-for-byte equal to the record's CertificateAssociationData.</returns>
private bool ValidateCertificateByTlsa(TlsaRecord tlsaRecord, X509Certificate certificate)
{
	var expectedData = tlsaRecord.CertificateAssociationData;
	var presentedData = TlsaRecord.GetCertificateAssocicationData(tlsaRecord.Selector, tlsaRecord.MatchingType, certificate);

	// Both sides are public material (DNS-published record data and data derived from the peer's
	// certificate), so an ordinary element-wise comparison is sufficient here.
	return presentedData.SequenceEqual(expectedData);
}