static bool CheckCertificateUsage (X509Certificate2 cert)
{
try {
// certificate extensions are required for this
// we "must" accept older certificates without proofs
if (cert.Version < 3)
return true;
X509KeyUsageExtension kux = (X509KeyUsageExtension) cert.Extensions ["2.5.29.15"];
X509EnhancedKeyUsageExtension eku = (X509EnhancedKeyUsageExtension) cert.Extensions ["2.5.29.37"];
if (kux != null && eku != null) {
// RFC3280 states that when both KeyUsageExtension and
// ExtendedKeyUsageExtension are present then BOTH should
// be valid
if ((kux.KeyUsages & s_flags) == 0)
return false;
return eku.EnhancedKeyUsages ["1.3.6.1.5.5.7.3.1"] != null ||
eku.EnhancedKeyUsages ["2.16.840.1.113730.4.1"] != null;
} else if (kux != null) {
return ((kux.KeyUsages & s_flags) != 0);
} else if (eku != null) {
// Server Authentication (1.3.6.1.5.5.7.3.1) or
// Netscape Server Gated Crypto (2.16.840.1.113730.4)
return eku.EnhancedKeyUsages ["1.3.6.1.5.5.7.3.1"] != null ||
eku.EnhancedKeyUsages ["2.16.840.1.113730.4.1"] != null;
}
// last chance - try with older (deprecated) Netscape extensions
X509Extension ext = cert.Extensions ["2.16.840.1.113730.1.1"];
if (ext != null) {
string text = ext.NetscapeCertType (false);
return text.IndexOf ("SSL Server Authentication") != -1;
}
return true;
} catch (Exception e) {
Console.Error.WriteLine ("ERROR processing certificate: {0}", e);
Console.Error.WriteLine ("Please, report this problem to the Mono team");
return false;
}
}