// Shared assertions for a KeyUsageExtension that carries no usage bits:
// non-critical, OID 2.5.29.15 (keyUsage), a friendly name distinct from
// the OID, and KeyUsage == KeyUsages.none.
//
// NOTE(review): Support (KeyUsages.none) is asserted to be true here, and
// the all-bits-set test asserts it is true as well, so callers should not
// read Support (none) as "this certificate has no usage restriction".
private void Empty (KeyUsageExtension kue)
		{
			const string keyUsageOid = "2.5.29.15";

			// Identity of the extension.
			Assert.IsFalse (kue.Critical, "Critical");
			Assert.AreEqual (keyUsageOid, kue.Oid, "Oid");
			Assert.IsNotNull (kue.Name, "Name");
			bool nameEqualsOid = (kue.Name == kue.Oid);
			Assert.IsFalse (nameEqualsOid, "Name!=Oid");

			// No usage bit is set, so only the "none" query succeeds.
			Assert.AreEqual (KeyUsages.none, kue.KeyUsage, "KeyUsage");
			bool supportsNone = kue.Support (KeyUsages.none);
			Assert.IsTrue (supportsNone, "Support(none)");
			bool supportsSignature = kue.Support (KeyUsages.digitalSignature);
			Assert.IsFalse (supportsSignature, "Support(digitalSignature)");
			bool supportsDecipherOnly = kue.Support (KeyUsages.decipherOnly);
			Assert.IsFalse (supportsDecipherOnly, "Support(decipherOnly)");
		}
		// Sets KeyUsage to Int32.MaxValue (every bit below the sign bit) and
		// checks that Support () answers true for none and for each of the
		// nine named usage flags, in the same order as the flag list below.
		public void KeyUsage_MaxValue ()
		{
			KeyUsageExtension kue = new KeyUsageExtension ();
			kue.KeyUsage = (KeyUsages) Int32.MaxValue;

			KeyUsages[] flags = new KeyUsages[] {
				KeyUsages.none,
				KeyUsages.digitalSignature,
				KeyUsages.nonRepudiation,
				KeyUsages.keyEncipherment,
				KeyUsages.dataEncipherment,
				KeyUsages.keyAgreement,
				KeyUsages.keyCertSign,
				KeyUsages.cRLSign,
				KeyUsages.encipherOnly,
				KeyUsages.decipherOnly
			};
			// Failure messages, index-aligned with the flags array.
			string[] labels = new string[] {
				"Support(none)",
				"Support(digitalSignature)",
				"Support(nonRepudiation)",
				"Support(keyEncipherment)",
				"Support(dataEncipherment)",
				"Support(keyAgreement)",
				"Support(keyCertSign)",
				"Support(cRLSign)",
				"Support(encipherOnly)",
				"Support(decipherOnly)"
			};

			for (int i = 0; i < flags.Length; i++)
				Assert.IsTrue (kue.Support (flags [i]), labels [i]);
		}
文件: X509CRL.cs 项目: carrie901/mono
		// Decides whether this CRL was signed by the supplied certificate.
		//
		// Returns false when the certificate is not acceptable as a CRL
		// issuer (steps 1 and 2) or, otherwise, whatever the key-based
		// VerifySignature overload returns (step 3).
		// Throws ArgumentNullException when x509 is null.
		//
		// NOTE(review): the checks in step 1 only run for version 3 (or
		// later) certificates and only for extensions that are present. A
		// v1/v2 certificate, or a v3 certificate carrying neither
		// BasicConstraints nor KeyUsage, goes straight to the name and
		// signature checks. Nothing visible in this method looks at the
		// issuer certificate's validity period, revocation status or chain,
		// so callers need to have validated x509 before trusting a true
		// result.
		public bool VerifySignature (X509Certificate x509) 
		{
			if (x509 == null)
				throw new ArgumentNullException ("x509");

			// 1. x509 certificate must be a CA certificate (unknown for v1 or v2 certs)
			if (x509.Version >= 3) {
				// 1.2. BasicConstraints (2.5.29.19): when present, ca must be true
				bool caAsserted = false;
				X509Extension constraintsExt = x509.Extensions ["2.5.29.19"];
				if (constraintsExt != null) {
					BasicConstraintsExtension constraints = new BasicConstraintsExtension (constraintsExt);
					if (!constraints.CertificateAuthority)
						return false;
					caAsserted = true;
				}

				// 1.1. KeyUsage (2.5.29.15): when present, the "cRLSign" bit is
				// expected. As a second chance, digitalSignature is accepted
				// instead, but only if BasicConstraints was present (and hence
				// ca = true, see above).
				X509Extension usageExt = x509.Extensions ["2.5.29.15"];
				if (usageExt != null) {
					KeyUsageExtension usage = new KeyUsageExtension (usageExt);
					bool maySignCrl = usage.Support (KeyUsages.cRLSign)
						|| (caAsserted && usage.Support (KeyUsages.digitalSignature));
					if (!maySignCrl)
						return false;
				}
			}

			// 2. CRL issuer must match CA subject name
			if (issuer != x509.SubjectName)
				return false;

			// 3. Check the CRL signature with the CA certificate public key.
			// Only the DSA OID 1.2.840.10040.4.3 selects the DSA key; every
			// other signature OID is routed to the RSA overload.
			// NOTE(review): confirm the RSA overload rejects unknown OIDs and a
			// missing RSA key; that code is not shown here.
			if (signatureOID == "1.2.840.10040.4.3")
				return VerifySignature (x509.DSA);
			return VerifySignature (x509.RSA);
		}
        // Scans the certificates of a PKCS#12 container for the first one
        // whose KeyUsage extension (2.5.29.15) allows digitalSignature or
        // keyEncipherment and for which GetKeyMatchingCertificate returns a
        // key. On success the pair is stored in `key` and `x509`.
        //
        // Certificates without a KeyUsage extension are skipped, not accepted.
        //
        // NOTE(review): `key` and `x509` are not declared in this method
        // (presumably fields) and are not cleared on entry. `key` is
        // overwritten on every candidate, including with null, while `x509`
        // is only written on success, so the return value can depend on
        // state left by an earlier call. Confirm against callers.
        bool KeyUsage(MSX.PKCS12 pfx)
        {
            foreach (MSX.X509Certificate candidate in pfx.Certificates) {
                MSX.X509Extension usageExt = candidate.Extensions ["2.5.29.15"];
                if (usageExt != null) {
                    KeyUsageExtension usage = new KeyUsageExtension (usageExt);
                    bool usable = usage.Support (KeyUsages.digitalSignature)
                        || usage.Support (KeyUsages.keyEncipherment);
                    if (usable) {
                        // Assigned even when no key is found, as in the original flow.
                        key = GetKeyMatchingCertificate (pfx, candidate);
                        if (key == null)
                            continue;

                        x509 = new X509Certificate (candidate.RawData);
                        break;
                    }
                }
            }

            // Complete only when both the certificate and its key are set.
            bool complete = (x509 != null) && (key != null);
            return complete;
        }