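/// <summary>
/// Per-element basic checks in the spirit of RFC 5280 section 6.1.3 for chain
/// element <paramref name="n"/>: DSA parameter inheritance, signature, validity
/// period and issuer name. Findings are OR-ed into the element's
/// <see cref="X509ChainElement.StatusFlags"/>; nothing is thrown.
/// </summary>
/// <param name="n">
/// Index into <c>this.elements</c>. Index 0 is the end-entity certificate and the
/// last index is the (candidate) root; <c>elements[n + 1]</c> is the issuer of <c>elements[n]</c>.
/// </param>
private void Process(int n)
{
    // OID id-dsa (the only algorithm whose parameters may be inherited).
    const string DsaOid = "1.2.840.10040.4.1";

    X509ChainElement element = this.elements[n];
    X509Certificate2 certificate = element.Certificate;
    bool isLast = n == this.elements.Count - 1;

    // A DSA subjectPublicKeyInfo may omit its parameters and inherit them from
    // the issuing CA (RFC 3279 s2.3.2). That rule only applies when the issuer's
    // key is itself DSA; copying parameters from a non-DSA issuer would attach
    // meaningless data to the key, so the issuer's algorithm is checked first.
    // NOTE: this writes through to the shared MonoCertificate instance, i.e. the
    // caller's certificate object is modified as a side effect.
    if (!isLast
        && certificate.MonoCertificate.KeyAlgorithm == DsaOid
        && certificate.MonoCertificate.KeyAlgorithmParameters == null)
    {
        X509Certificate2 issuer = this.elements[n + 1].Certificate;
        if (issuer.MonoCertificate.KeyAlgorithm == DsaOid)
        {
            certificate.MonoCertificate.KeyAlgorithmParameters = issuer.MonoCertificate.KeyAlgorithmParameters;
        }
    }

    // No working public key means this element is the trust-anchor candidate,
    // so it is verified against its own key.
    bool isRoot = this.working_public_key == null;
    var signingKey = isRoot ? certificate.PublicKey.Key : this.working_public_key;

    // 6.1.3.a.1 - signature. Special case: a lone end-entity whose issuer is not
    // available (not root, last element, not self-issued) is deliberately left
    // unflagged because its signature cannot be verified either way.
    if (!this.IsSignedWith(certificate, signingKey)
        && (isRoot || !isLast || this.IsSelfIssued(certificate)))
    {
        element.StatusFlags |= X509ChainStatusFlags.NotSignatureValid;
    }

    // 6.1.3.a.2 - validity period, evaluated against the policy's
    // VerificationTime rather than the wall clock.
    if (this.ChainPolicy.VerificationTime < certificate.NotBefore
        || this.ChainPolicy.VerificationTime > certificate.NotAfter)
    {
        element.StatusFlags |= X509ChainStatusFlags.NotTimeValid;
    }

    // The remaining checks compare against the working issuer state, which a
    // root does not have.
    if (isRoot)
    {
        return;
    }

    // 6.1.3.a.4 - issuer name must match the working issuer name. There is no
    // dedicated status flag for this condition, so InvalidNameConstraints is
    // reused as the closest defined flag.
    if (!X500DistinguishedName.AreEqual(certificate.IssuerName, this.working_issuer_name))
    {
        element.StatusFlags |= X509ChainStatusFlags.InvalidNameConstraints;
    }

    // The decompiled original ended with `if (IsSelfIssued(certificate) || n != 0) { }`,
    // an empty body left over from unimplemented name-constraint (6.1.3.b/c) and
    // policy (6.1.3.d-f) checks; it has been dropped as dead code. Those checks
    // are still not performed here.
}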
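/// <summary>
/// Basic certificate processing for chain element <paramref name="n"/> (RFC 5280 6.1.3):
/// DSA parameter inheritance, signature, validity period and issuer name.
/// Results are OR-ed into the element's StatusFlags; nothing is thrown.
/// </summary>
/// <param name="n">
/// Index into <c>elements</c>: 0 is the end-entity, the last index the (candidate) root,
/// and <c>elements [n + 1]</c> is the issuer of <c>elements [n]</c>.
/// </param>
private void Process (int n)
{
    // OID id-dsa - the only key algorithm whose parameters may be inherited
    const string dsaOid = "1.2.840.10040.4.1";

    X509ChainElement element = elements [n];
    X509Certificate2 certificate = element.Certificate;
    bool last = (n == elements.Count - 1);

    // pre-step: DSA certificates may inherit the parameters of their CA (RFC 3279 2.3.2),
    // but only when the CA key is DSA as well - parameters copied from a non-DSA
    // issuer would be meaningless for this key, so the parent's algorithm is checked.
    // note: this mutates the shared MonoCertificate, so the caller's certificate
    // object is changed too.
    if (!last && (certificate.MonoCertificate.KeyAlgorithm == dsaOid)) {
        if (certificate.MonoCertificate.KeyAlgorithmParameters == null) {
            X509Certificate2 parent = elements [n + 1].Certificate;
            if (parent.MonoCertificate.KeyAlgorithm == dsaOid) {
                certificate.MonoCertificate.KeyAlgorithmParameters = parent.MonoCertificate.KeyAlgorithmParameters;
            }
        }
    }

    // no working key yet: this element is the trust-anchor candidate and is
    // verified with its own public key
    bool root = (working_public_key == null);

    // 6.1.3.a.1 - check signature (with special case to deal with root certificates)
    if (!IsSignedWith (certificate, root ? certificate.PublicKey.Key : working_public_key)) {
        // another special case where only an end-entity is available and can't be verified.
        // In this case we do not report an invalid signature (since this is unknown)
        if (root || !last || IsSelfIssued (certificate)) {
            element.StatusFlags |= X509ChainStatusFlags.NotSignatureValid;
        }
    }

    // 6.1.3.a.2 - check validity period against the policy's VerificationTime
    if ((ChainPolicy.VerificationTime < certificate.NotBefore) ||
        (ChainPolicy.VerificationTime > certificate.NotAfter)) {
        element.StatusFlags |= X509ChainStatusFlags.NotTimeValid;
    }
    // TODO - for X509ChainStatusFlags.NotTimeNested (needs global structure)

    // note: most of the remaining checks don't apply to the root certificate
    if (root) {
        return;
    }

    // 6.1.3.a.3 - revocation check (done at the last stage)
    // note: you revoke a trusted root by removing it from your trusted store (i.e. no CRL can do this job)

    // 6.1.3.a.4 - check certificate issuer name
    if (!X500DistinguishedName.AreEqual (certificate.IssuerName, working_issuer_name)) {
        // NOTE: this is not the "right" error flag, but it's the closest one defined
        element.StatusFlags |= X509ChainStatusFlags.InvalidNameConstraints;
    }

    if (!IsSelfIssued (certificate) && (n != 0)) {
        // TODO 6.1.3.b - subject name in the permitted_subtrees ...
        // TODO 6.1.3.c - subject name not within excluded_subtrees...
        // TODO - check for X509ChainStatusFlags.InvalidNameConstraint
        // TODO - check for X509ChainStatusFlags.HasNotSupportedNameConstraint
        // TODO - check for X509ChainStatusFlags.HasNotPermittedNameConstraint
        // TODO - check for X509ChainStatusFlags.HasExcludedNameConstraint
    }

    // TODO 6.1.3.d - check if certificate policies extension is present
    //if (false) {
    //    TODO - for X509ChainStatusFlags.InvalidPolicyConstraints
    //    using X509ChainPolicy.ApplicationPolicy and X509ChainPolicy.CertificatePolicy
    //    TODO - check for X509ChainStatusFlags.NoIssuanceChainPolicy
    //} else {
    //    TODO 6.1.3.e - set valid_policy_tree to NULL
    //}
    // TODO 6.1.3.f - verify explicit_policy > 0 if valid_policy_tree != NULL
}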