As mentioned in questions like this, this and this, if you try to encrypt/decrypt using a certificate that's only valid for digital signatures, you'll get a CryptographicException: "Bad Key" from RSACryptoServiceProvider.
My question is how to verify up front (e.g. as you're configuring certificates in your application) whether a certificate is valid for this purpose. I found that an approach like this using only the v3 extensions is not sufficient, as RSACryptoServiceProvider works just fine for decryption using a cert with a v3 extension of only DigitalSignatures.
So I assume that I'll need to check for a specific list of OIDs using code similar to what I found here:
using System.Linq;
using System.Security.Cryptography.X509Certificates;

private static bool IsCertificateOkForDecryption(X509Certificate2 certificate)
{
    string[] validOids =
    {
        //TODO: what goes here??
    };
    // X509ExtensionCollection is a non-generic collection, so cast before using LINQ
    return certificate.Extensions
        .Cast<X509Extension>()
        .Any(e => validOids.Contains(e.Oid.Value));
}
(code is not exact -- just for illustration)
Is there an easier way?
If not, where can I find the list of OIDs which are valid?
For background, see also the Kentor.AuthServices SAML issue that sparked this question.
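As an added example (not the asker's code, and not an answer from the thread), the following helper checks what a certificate declares about itself: that a private key is attached, that the public key algorithm is RSA, and that the Key Usage extension, when present, permits encipherment, following the RFC 5280 rule that an absent Key Usage extension imposes no restriction. The method name WhyNotOkForDecryption and the RSA OID constant are assumptions of this example; the check reads only the certificate, so it cannot see how the underlying key container itself is constrained.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class CertificateUsageCheck
{
    // rsaEncryption public key algorithm OID (assumed constant for this example).
    private const string RsaOid = "1.2.840.113549.1.1.1";

    // Returns null when the certificate declares itself usable for RSA
    // decryption, otherwise a short reason suitable for a configuration error.
    public static string WhyNotOkForDecryption(X509Certificate2 certificate)
    {
        if (certificate == null) throw new ArgumentNullException("certificate");

        if (!certificate.HasPrivateKey)
            return "no private key is associated with the certificate";

        if (certificate.GetKeyAlgorithm() != RsaOid)
            return "public key algorithm is not RSA (" + certificate.GetKeyAlgorithm() + ")";

        // OfType<> works on the non-generic X509ExtensionCollection.
        X509KeyUsageExtension keyUsage = certificate.Extensions
            .OfType<X509KeyUsageExtension>()
            .FirstOrDefault();

        // RFC 5280 4.2.1.3: no Key Usage extension means no usage restriction.
        if (keyUsage == null)
            return null;

        const X509KeyUsageFlags encipherment =
            X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DataEncipherment;

        if ((keyUsage.KeyUsages & encipherment) == 0)
            return "Key Usage extension permits neither KeyEncipherment nor DataEncipherment (has: "
                + keyUsage.KeyUsages + ")";

        return null;
    }

    public static bool IsCertificateOkForDecryption(X509Certificate2 certificate)
    {
        return WhyNotOkForDecryption(certificate) == null;
    }
}
```

Call WhyNotOkForDecryption while loading configuration so a signing-only certificate is rejected with a readable reason instead of surfacing later as a "Bad Key" CryptographicException.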