private bool ValidateCertificateByTlsa(TlsaRecord tlsaRecord, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
switch (tlsaRecord.CertificateUsage)
{
case TlsaRecord.TlsaCertificateUsage.PkixTA:
return(chain.ChainElements.Cast <X509ChainElement>().Any(x => ValidateCertificateByTlsa(tlsaRecord, x.Certificate)) && (sslPolicyErrors == SslPolicyErrors.None));
case TlsaRecord.TlsaCertificateUsage.PkixEE:
return(ValidateCertificateByTlsa(tlsaRecord, certificate) && (sslPolicyErrors == SslPolicyErrors.None));
case TlsaRecord.TlsaCertificateUsage.DaneTA:
return(chain.ChainElements.Cast <X509ChainElement>().Any(x => ValidateCertificateByTlsa(tlsaRecord, x.Certificate)) && ((sslPolicyErrors | SslPolicyErrors.RemoteCertificateChainErrors) == SslPolicyErrors.RemoteCertificateChainErrors));
case TlsaRecord.TlsaCertificateUsage.DaneEE:
return(ValidateCertificateByTlsa(tlsaRecord, certificate) && ((sslPolicyErrors | SslPolicyErrors.RemoteCertificateChainErrors) == SslPolicyErrors.RemoteCertificateChainErrors));
default:
throw new NotSupportedException();
}
}
private bool ValidateCertificateByTlsa(TlsaRecord tlsaRecord, X509Certificate certificate)
{
return(TlsaRecord.GetCertificateAssocicationData(tlsaRecord.Selector, tlsaRecord.MatchingType, certificate).SequenceEqual(tlsaRecord.CertificateAssociationData));
}
