// Adapted to System 2.0+ from TlsServerCertificate.cs
//------------------------------
// Note: this method only works for RSA certificates
// DH certificates requires some changes - does anyone use one ?
private static bool CheckCertificateUsage(X509Certificate2 cert)
{
try
{
// certificate extensions are required for this
// we "must" accept older certificates without proofs
if (cert.Version < 3)
{
return(true);
}
X509KeyUsageExtension kux = (cert.Extensions["2.5.29.15"] as X509KeyUsageExtension);
X509EnhancedKeyUsageExtension eku = (cert.Extensions["2.5.29.37"] as X509EnhancedKeyUsageExtension);
if (kux != null && eku != null)
{
// RFC3280 states that when both KeyUsageExtension and
// ExtendedKeyUsageExtension are present then BOTH should
// be valid
if ((kux.KeyUsages & s_flags) == 0)
{
return(false);
}
return(eku.EnhancedKeyUsages["1.3.6.1.5.5.7.3.1"] != null || eku.EnhancedKeyUsages["2.16.840.1.113730.4.1"] != null);
}
else if (kux != null)
{
return((kux.KeyUsages & s_flags) != 0);
}
else if (eku != null)
{
// Server Authentication (1.3.6.1.5.5.7.3.1) or
// Netscape Server Gated Crypto (2.16.840.1.113730.4)
return(eku.EnhancedKeyUsages["1.3.6.1.5.5.7.3.1"] != null || eku.EnhancedKeyUsages["2.16.840.1.113730.4.1"] != null);
}
// last chance - try with older (deprecated) Netscape extensions
X509Extension ext = cert.Extensions["2.16.840.1.113730.1.1"];
if (ext != null)
{
string text = ext.NetscapeCertType(false);
return(text.IndexOf("SSL Server Authentication", StringComparison.Ordinal) != -1);
}
return(true);
}
catch (Exception e)
{
#if SSHARP
ErrorLog.Error("ERROR processing certificate: {0}", e);
ErrorLog.Error("Please, report this problem to the Mono team");
#else
Console.Error.WriteLine("ERROR processing certificate: {0}", e);
Console.Error.WriteLine("Please, report this problem to the Mono team");
#endif
return(false);
}
}
