feat(batch9): implement f1 auth and dirstore foundations

dotnet/src/ZB.MOM.NatsNet.Server/ClientConnection.cs

@@ -17,6 +17,7 @@ using System.Net;
 using System.Net.Security;
 using System.Net.Sockets;
 using System.Runtime.CompilerServices;
+using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Text;
 using System.Text.Json;
@@ -875,6 +876,47 @@ public sealed partial class ClientConnection
         }
     }
 
+    /// <summary>
+    /// Returns true when the current TLS peer certificate matches one of the pinned
+    /// SPKI SHA-256 key identifiers.
+    /// Mirrors Go <c>client.matchesPinnedCert</c>.
+    /// </summary>
+    internal bool MatchesPinnedCert(PinnedCertSet? tlsPinnedCerts)
+    {
+        if (tlsPinnedCerts == null)
+        {
+            return true;
+        }
+
+        var certificate = GetTlsCertificate();
+        if (certificate == null)
+        {
+            Debugf("Failed pinned cert test as client did not provide a certificate");
+            return false;
+        }
+
+        byte[] subjectPublicKeyInfo;
+        try
+        {
+            subjectPublicKeyInfo = certificate.PublicKey.ExportSubjectPublicKeyInfo();
+        }
+        catch
+        {
+            subjectPublicKeyInfo = certificate.GetPublicKey();
+        }
+
+        var sha = SHA256.HashData(subjectPublicKeyInfo);
+        var keyId = Convert.ToHexString(sha).ToLowerInvariant();
+
+        if (!tlsPinnedCerts.Contains(keyId))
+        {
+            Debugf("Failed pinned cert test for key id: {0}", keyId);
+            return false;
+        }
+
+        return true;
+    }
+
     internal void SetAccount(INatsAccount? acc)
     {
         lock (_mu) { Account = acc; }