ApplicGate
(v12.0.8874.35714 started 2024-04-18 18:00:37 on VM2)

Notes:
challenge and hashalg are the original values generated by the application and must be identical to the values received in the POST message from the Application Gateway.
signature, appgwcert and usercert are data received in the POST message from the Application Gateway.

public static string CheckSignResponse(string retSubject, string challenge, string hashalg, string signature, string appgwcert, string appgwcertIssuer, string appgwcertRoot, string appgwcertRevocationMode, string usercert, string usercertIssuer, string usercertRoot, string usercertRevocationMode, ref string strSignSubject, ref string strSignCertIssuer, ref string strUserCertIssuer)
{
/* checks the signature (challenge + usercert signed by appgwcert)
 *
 * Input:
 * retSubject blank ... return emailaddress
 * "E" within retSubject: return emailaddress
 * "S" within retSubject: return subject
 * "U" within retSubject: return userPrincipalName
 * if more than one character is specified: fields are separated by |
 * order of fields in the return string is: E then S then U
 * e.g. "ES" returns emailaddress and subject (separated by |)
 * challenge ... data that has been used for signing (hex bytes separated by "-", e.g. "10-AB-C0-....-F1")
 * hashalg ... "MD5", "SHA1", "SHA256", ...
 * signature ... signature of the byte representation of challenge + usercert: hash value signed by appgwcert (hex bytes separated by "-")
 *
 * appgwcert ... certificate that has been used by the Application Gateway for signing (hex bytes separated by "-")
 * appgwcertIssuer ... Common Name (CN) of allowed certificate issuer (optional) or list of CNs separated by "|"
 * appgwcertRoot ... Common Name (CN) of allowed certificate root (optional) or list of CNs separated by "|"
 * appgwcertRevocationMode ... "NoCheck", "Online" or "Offline"; if empty: defaults to "Online"
 *
 * usercert ... certificate of the user (hex bytes separated by "-")
 * usercertIssuer ... Common Name (CN) of allowed certificate issuer (optional) or list of CNs separated by "|"
 * usercertRoot ... Common Name (CN) of allowed certificate root (optional) or list of CNs separated by "|"
 * usercertRevocationMode ... "NoCheck", "Online" or "Offline"; if empty: defaults to "Online"
 *
 * Output:
 * strSignSubject ... Subject of the signature certificate (appgwcert)
 * strSignCertIssuer ... Issuer of the signature certificate (appgwcert)
 * strUserCertIssuer ... Issuer of the user certificate (usercert)
 *
 * return: emailaddress etc. depending on the value of retSubject
 * otherwise an error message starting with "Error:"
 *
 */
....
}
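The following C# is an added example written for this page, not ApplicGate's own implementation of CheckSignResponse: it shows the checks the parameters above describe (dash-separated hex decoding, verifying the signature over challenge + usercert with the gateway certificate, chain building with the given revocation mode, and issuer/root CN allow-lists). It assumes an RSA signing key with PKCS#1 v1.5 padding, which the page does not state, and the helper names `FromDashHex`, `Allowed`, `CheckChain` and `Verify` are chosen here.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
static class AppGwSignCheck
{
    // "10-AB-C0" -> bytes: the dash-separated hex form the gateway posts (BitConverter.ToString layout)
    static byte[] FromDashHex(string s) =>
        s.Split(new[] { '-' }, StringSplitOptions.RemoveEmptyEntries).Select(h => Convert.ToByte(h, 16)).ToArray();
    // CN allow-list as on the page: empty means any, otherwise "CN1|CN2|..."
    static bool Allowed(string list, string cn) =>
        string.IsNullOrEmpty(list) || list.Split('|').Contains(cn, StringComparer.OrdinalIgnoreCase);
    // Hypothetical helper: builds the chain (empty revocation mode = Online, as on the page),
    // checks issuer and root CNs; returns null when OK, otherwise an "Error:" text.
    static string CheckChain(X509Certificate2 cert, string issuers, string roots, string revocationMode)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = string.IsNullOrEmpty(revocationMode)
            ? X509RevocationMode.Online
            : (X509RevocationMode)Enum.Parse(typeof(X509RevocationMode), revocationMode, true);
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        if (!chain.Build(cert))
            return "Error: chain: " + string.Join("; ", chain.ChainStatus.Select(s => s.StatusInformation.Trim()));
        string issuerCN = cert.GetNameInfo(X509NameType.SimpleName, true);
        string rootCN = chain.ChainElements[chain.ChainElements.Count - 1].Certificate.GetNameInfo(X509NameType.SimpleName, false);
        if (!Allowed(issuers, issuerCN)) return "Error: issuer not allowed: " + issuerCN;
        if (!Allowed(roots, rootCN)) return "Error: root not allowed: " + rootCN;
        return null;
    }
    // originalChallenge: the value this server generated and stored, never the one echoed back in the POST.
    // Returns the user's e-mail address (the retSubject "E" case) or an "Error:" text.
    public static string Verify(string originalChallenge, string hashalg, string signature,
        string appgwcert, string appgwIssuers, string appgwRoots, string appgwRevocation,
        string usercert, string userIssuers, string userRoots, string userRevocation)
    {
        using var signer = new X509Certificate2(FromDashHex(appgwcert));
        using var user = new X509Certificate2(FromDashHex(usercert));
        // Signed data = challenge bytes + user certificate bytes: the signature binds this user cert to this challenge
        byte[] data = FromDashHex(originalChallenge).Concat(user.RawData).ToArray();
        using RSA rsa = signer.GetRSAPublicKey();
        if (rsa == null) return "Error: signing certificate has no RSA public key";
        // Assumption: RSA with PKCS#1 v1.5 padding; the page does not state the padding scheme
        if (!rsa.VerifyData(data, FromDashHex(signature), new HashAlgorithmName(hashalg.ToUpperInvariant()), RSASignaturePadding.Pkcs1))
            return "Error: signature invalid";
        return CheckChain(signer, appgwIssuers, appgwRoots, appgwRevocation)
            ?? CheckChain(user, userIssuers, userRoots, userRevocation)
            ?? user.GetNameInfo(X509NameType.EmailName, false);
    }
}
```

Because the signature covers the concatenation of the challenge and the user certificate, a valid signature over a challenge the server never issued, or over a different user certificate, fails the check; this is why the stored original challenge, not the posted copy, must be used as input.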

reinhold.leitner@applicgate.com (C) April 2024
www.applicgate.com