CertPath implementation for X.509 certificates.
		/**
		* Validates an attribute certificate with the given certificate path.
		* 
		* <p>
		* <code>params</code> must be an instance of
		* <code>ExtendedPkixParameters</code>.
		* </p><p>
		* The target constraints in the <code>params</code> must be an
		* <code>X509AttrCertStoreSelector</code> with at least the attribute
		* certificate criterion set. Obey that also target informations may be
		* necessary to correctly validate this attribute certificate.
		* </p><p>
		* The attribute certificate issuer must be added to the trusted attribute
		* issuers with {@link ExtendedPkixParameters#setTrustedACIssuers(Set)}.
		* </p>
		* @param certPath The certificate path which belongs to the attribute
		*            certificate issuer public key certificate.
		* @param params The PKIX parameters.
		* @return A <code>PKIXCertPathValidatorResult</code> of the result of
		*         validating the <code>certPath</code>.
		* @throws InvalidAlgorithmParameterException if <code>params</code> is
		*             inappropriate for this validator.
		* @throws CertPathValidatorException if the verification fails.
		*/
		public virtual PkixCertPathValidatorResult Validate(
			PkixCertPath	certPath,
			PkixParameters	pkixParams)
		{
			IX509Selector certSelect = pkixParams.GetTargetConstraints();
			if (!(certSelect is X509AttrCertStoreSelector))
			{
				throw new ArgumentException(
					"TargetConstraints must be an instance of " + typeof(X509AttrCertStoreSelector).FullName,
					"pkixParams");
			}
			IX509AttributeCertificate attrCert = ((X509AttrCertStoreSelector) certSelect).AttributeCert;

			PkixCertPath holderCertPath = Rfc3281CertPathUtilities.ProcessAttrCert1(attrCert, pkixParams);
			PkixCertPathValidatorResult result = Rfc3281CertPathUtilities.ProcessAttrCert2(certPath, pkixParams);
			X509Certificate issuerCert = (X509Certificate)certPath.Certificates[0];
			Rfc3281CertPathUtilities.ProcessAttrCert3(issuerCert, pkixParams);
			Rfc3281CertPathUtilities.ProcessAttrCert4(issuerCert, pkixParams);
			Rfc3281CertPathUtilities.ProcessAttrCert5(attrCert, pkixParams);
			// 6 already done in X509AttrCertStoreSelector
			Rfc3281CertPathUtilities.ProcessAttrCert7(attrCert, certPath, holderCertPath, pkixParams);
			Rfc3281CertPathUtilities.AdditionalChecks(attrCert, pkixParams);
			DateTime date;
			try
			{
				date = PkixCertPathValidatorUtilities.GetValidCertDateFromValidityModel(pkixParams, null, -1);
			}
			catch (Exception e)
			{
				throw new PkixCertPathValidatorException(
					"Could not get validity date from attribute certificate.", e);
			}
			Rfc3281CertPathUtilities.CheckCrls(attrCert, pkixParams, issuerCert, date, certPath.Certificates);
			return result;
		}
Beispiel #2
0
        public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters pkixParams)
        {
            //IL_002d: Unknown result type (might be due to invalid IL or missing references)
            IX509Selector targetConstraints = pkixParams.GetTargetConstraints();

            if (!(targetConstraints is X509AttrCertStoreSelector))
            {
                throw new ArgumentException("TargetConstraints must be an instance of " + typeof(X509AttrCertStoreSelector).get_FullName(), "pkixParams");
            }
            IX509AttributeCertificate attributeCert     = ((X509AttrCertStoreSelector)targetConstraints).AttributeCert;
            PkixCertPath holderCertPath                 = Rfc3281CertPathUtilities.ProcessAttrCert1(attributeCert, pkixParams);
            PkixCertPathValidatorResult result          = Rfc3281CertPathUtilities.ProcessAttrCert2(certPath, pkixParams);
            X509Certificate             x509Certificate = (X509Certificate)certPath.Certificates.get_Item(0);

            Rfc3281CertPathUtilities.ProcessAttrCert3(x509Certificate, pkixParams);
            Rfc3281CertPathUtilities.ProcessAttrCert4(x509Certificate, pkixParams);
            Rfc3281CertPathUtilities.ProcessAttrCert5(attributeCert, pkixParams);
            Rfc3281CertPathUtilities.ProcessAttrCert7(attributeCert, certPath, holderCertPath, pkixParams);
            Rfc3281CertPathUtilities.AdditionalChecks(attributeCert, pkixParams);
            global::System.DateTime validCertDateFromValidityModel;
            try
            {
                validCertDateFromValidityModel = PkixCertPathValidatorUtilities.GetValidCertDateFromValidityModel(pkixParams, null, -1);
            }
            catch (global::System.Exception cause)
            {
                throw new PkixCertPathValidatorException("Could not get validity date from attribute certificate.", cause);
            }
            Rfc3281CertPathUtilities.CheckCrls(attributeCert, pkixParams, x509Certificate, validCertDateFromValidityModel, certPath.Certificates);
            return(result);
        }
        internal static void ProcessAttrCert7(IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams)
        {
            ISet criticalExtensionOids = attrCert.GetCriticalExtensionOids();

            if (criticalExtensionOids.Contains(X509Extensions.TargetInformation.Id))
            {
                try
                {
                    TargetInformation.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.TargetInformation));
                }
                catch (Exception cause)
                {
                    throw new PkixCertPathValidatorException("Target information extension could not be read.", cause);
                }
            }
            criticalExtensionOids.Remove(X509Extensions.TargetInformation.Id);
            foreach (PkixAttrCertChecker pkixAttrCertChecker in pkixParams.GetAttrCertCheckers())
            {
                pkixAttrCertChecker.Check(attrCert, certPath, holderCertPath, criticalExtensionOids);
            }
            if (!criticalExtensionOids.IsEmpty)
            {
                throw new PkixCertPathValidatorException("Attribute certificate contains unsupported critical extensions: " + criticalExtensionOids);
            }
        }
        public CertificateValidationResult Validate(Certificate certificate)
        {
            if (certificate == null)
                throw new ArgumentNullException("certificate");

            try
            {
                var x509Certs = new List<X509Certificate>();
                x509Certs.AddRange(_chain.Select(c => c.BouncyX509Certificate));
                x509Certs.Add(certificate.BouncyX509Certificate);

                IX509Store x509CertStore = X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(x509Certs));

                var x509Certificates = x509Certs.Skip(1).ToList();

                var certPath = new PkixCertPath(x509Certificates);

                ISet trust = new HashSet { new TrustAnchor(x509Certs.First(), null) };

                var certPathValidator = new PkixCertPathValidator();

                var paramsPkix = new PkixParameters(trust);
                paramsPkix.AddStore(x509CertStore);
                paramsPkix.IsRevocationEnabled = false;

                var pkixResult = certPathValidator.Validate(certPath, paramsPkix);

                return new CertificateValidationResult(pkixResult);
            }
            catch (Exception e)
            {
                return new CertificateValidationResult(e);
            }
        }
Beispiel #5
0
        public override bool Equals(object obj)
        {
            if (this == obj)
            {
                return(true);
            }
            PkixCertPath pkixCertPath = obj as PkixCertPath;

            if (pkixCertPath == null)
            {
                return(false);
            }
            IList list  = this.Certificates;
            IList list2 = pkixCertPath.Certificates;

            if (list.Count != list2.Count)
            {
                return(false);
            }
            IEnumerator enumerator  = list.GetEnumerator();
            IEnumerator enumerator2 = list.GetEnumerator();

            while (enumerator.MoveNext())
            {
                enumerator2.MoveNext();
                if (!object.Equals(enumerator.Current, enumerator2.Current))
                {
                    return(false);
                }
            }
            return(true);
        }
Beispiel #6
0
        public override bool Equals(object obj)
        {
            if (this == obj)
            {
                return(true);
            }
            PkixCertPath pkixCertPath = obj as PkixCertPath;

            if (pkixCertPath == null)
            {
                return(false);
            }
            global::System.Collections.IList list  = Certificates;
            global::System.Collections.IList list2 = pkixCertPath.Certificates;
            if (((global::System.Collections.ICollection)list).get_Count() != ((global::System.Collections.ICollection)list2).get_Count())
            {
                return(false);
            }
            global::System.Collections.IEnumerator enumerator  = ((global::System.Collections.IEnumerable)list).GetEnumerator();
            global::System.Collections.IEnumerator enumerator2 = ((global::System.Collections.IEnumerable)list).GetEnumerator();
            while (enumerator.MoveNext())
            {
                enumerator2.MoveNext();
                if (!object.Equals(enumerator.get_Current(), enumerator2.get_Current()))
                {
                    return(false);
                }
            }
            return(true);
        }
 public PkixCertPathBuilderResult(PkixCertPath certPath, TrustAnchor trustAnchor, PkixPolicyNode policyTree, AsymmetricKeyParameter subjectPublicKey) : base(trustAnchor, policyTree, subjectPublicKey)
 {
     if (certPath == null)
     {
         throw new ArgumentNullException("certPath");
     }
     this.certPath = certPath;
 }
 public PkixCertPathBuilderResult(PkixCertPath certPath, TrustAnchor trustAnchor, PkixPolicyNode policyTree, AsymmetricKeyParameter subjectPublicKey)
     : base(trustAnchor, policyTree, subjectPublicKey)
 {
     //IL_0012: Unknown result type (might be due to invalid IL or missing references)
     if (certPath == null)
     {
         throw new ArgumentNullException("certPath");
     }
     this.certPath = certPath;
 }
		public PkixCertPathBuilderResult(
			PkixCertPath			certPath,
			TrustAnchor				trustAnchor,
			PkixPolicyNode			policyTree,
			AsymmetricKeyParameter	subjectPublicKey)
			: base(trustAnchor, policyTree, subjectPublicKey)
		{			
			if (certPath == null)
				throw new ArgumentNullException("certPath");

			this.certPath = certPath;
		}
        internal static PkixCertPathValidatorResult ProcessAttrCert2(PkixCertPath certPath, PkixParameters pkixParams)
        {
            PkixCertPathValidator pkixCertPathValidator = new PkixCertPathValidator();

            try
            {
                return(pkixCertPathValidator.Validate(certPath, pkixParams));
            }
            catch (PkixCertPathValidatorException cause)
            {
                throw new PkixCertPathValidatorException("Certification path for issuer certificate of attribute certificate could not be validated.", cause);
            }
        }
Beispiel #11
0
 public PkixCertPathValidatorException(string message, Exception cause, PkixCertPath certPath, int index) : base(message)
 {
     if (certPath == null && index != -1)
     {
         throw new ArgumentNullException("certPath = null and index != -1");
     }
     if (index < -1 || (certPath != null && index >= certPath.Certificates.Count))
     {
         throw new IndexOutOfRangeException(" index < -1 or out of bound of certPath.getCertificates()");
     }
     this.cause    = cause;
     this.certPath = certPath;
     this.index    = index;
 }
Beispiel #12
0
        internal static DateTime GetValidCertDateFromValidityModel(
            PkixParameters paramsPkix,
            PkixCertPath certPath,
            int index)
        {
            if (paramsPkix.ValidityModel != PkixParameters.ChainValidityModel)
            {
                return(GetValidDate(paramsPkix));
            }

            // if end cert use given signing/encryption/... time
            if (index <= 0)
            {
                return(PkixCertPathValidatorUtilities.GetValidDate(paramsPkix));
                // else use time when previous cert was created
            }

            if (index - 1 == 0)
            {
                DerGeneralizedTime dateOfCertgen = null;
                try
                {
                    X509Certificate cert   = (X509Certificate)certPath.Certificates[index - 1];
                    Asn1OctetString extVal = cert.GetExtensionValue(
                        IsisMttObjectIdentifiers.IdIsisMttATDateOfCertGen);
                    dateOfCertgen = DerGeneralizedTime.GetInstance(extVal);
                }
                catch (ArgumentException)
                {
                    throw new Exception(
                              "Date of cert gen extension could not be read.");
                }
                if (dateOfCertgen != null)
                {
                    try
                    {
                        return(dateOfCertgen.ToDateTime());
                    }
                    catch (ArgumentException e)
                    {
                        throw new Exception(
                                  "Date from date of cert gen extension could not be parsed.",
                                  e);
                    }
                }
            }

            return(((X509Certificate)certPath.Certificates[index - 1]).NotBefore);
        }
 public PkixCertPathValidatorException(string message, global::System.Exception cause, PkixCertPath certPath, int index)
     : base(message)
 {
     //IL_001b: Unknown result type (might be due to invalid IL or missing references)
     //IL_003d: Unknown result type (might be due to invalid IL or missing references)
     if (certPath == null && index != -1)
     {
         throw new ArgumentNullException("certPath = null and index != -1");
     }
     if (index < -1 || (certPath != null && index >= ((global::System.Collections.ICollection)certPath.Certificates).get_Count()))
     {
         throw new IndexOutOfRangeException(" index < -1 or out of bound of certPath.getCertificates()");
     }
     this.cause    = cause;
     this.certPath = certPath;
     this.index    = index;
 }
Beispiel #14
0
        /**
         * Compares this certification path for equality with the specified object.
         * Two CertPaths are equal if and only if their types are equal and their
         * certificate Lists (and by implication the Certificates in those Lists)
         * are equal. A CertPath is never equal to an object that is not a CertPath.<br />
         * <br />
         * This algorithm is implemented by this method. If it is overridden, the
         * behavior specified here must be maintained.
         *
         * @param other
         *            the object to test for equality with this certification path
         *
         * @return true if the specified object is equal to this certification path,
         *         false otherwise
         *
         * @see Object#hashCode() Object.hashCode()
         */
        public override bool Equals(
            object obj)
        {
            if (this == obj)
            {
                return(true);
            }

            PkixCertPath other = obj as PkixCertPath;

            if (other == null)
            {
                return(false);
            }

//			if (!this.Type.Equals(other.Type))
//				return false;

            //return this.Certificates.Equals(other.Certificates);

            // TODO Extract this to a utility class
            IList thisCerts  = this.Certificates;
            IList otherCerts = other.Certificates;

            if (thisCerts.Count != otherCerts.Count)
            {
                return(false);
            }

            IEnumerator e1 = thisCerts.GetEnumerator();
            IEnumerator e2 = thisCerts.GetEnumerator();

            while (e1.MoveNext())
            {
                e2.MoveNext();

                if (!Platform.Equals(e1.Current, e2.Current))
                {
                    return(false);
                }
            }

            return(true);
        }
		internal static void ProcessAttrCert7(
			IX509AttributeCertificate	attrCert,
			PkixCertPath				certPath,
			PkixCertPath				holderCertPath,
			PkixParameters				pkixParams)
		{
			// TODO:
			// AA Controls
			// Attribute encryption
			// Proxy
			ISet critExtOids = attrCert.GetCriticalExtensionOids();

			// 7.1
			// process extensions

			// target information checked in step 6 / X509AttributeCertStoreSelector
			if (critExtOids.Contains(X509Extensions.TargetInformation.Id))
			{
				try
				{
					TargetInformation.GetInstance(PkixCertPathValidatorUtilities
						.GetExtensionValue(attrCert, X509Extensions.TargetInformation));
				}
				catch (Exception e)
				{
					throw new PkixCertPathValidatorException(
						"Target information extension could not be read.", e);
				}
			}
			critExtOids.Remove(X509Extensions.TargetInformation.Id);
			foreach (PkixAttrCertChecker checker in pkixParams.GetAttrCertCheckers())
			{
				checker.Check(attrCert, certPath, holderCertPath, critExtOids);
			}
			if (!critExtOids.IsEmpty)
			{
				throw new PkixCertPathValidatorException(
					"Attribute certificate contains unsupported critical extensions: "
						+ critExtOids);
			}
		}
Beispiel #16
0
        public PkixCertPath(Stream inStream, string encoding)
        {
            string text = encoding.ToUpper();
            IList  list;

            try
            {
                if (text.Equals("PkiPath".ToUpper()))
                {
                    Asn1InputStream asn1InputStream = new Asn1InputStream(inStream);
                    Asn1Object      asn1Object      = asn1InputStream.ReadObject();
                    if (!(asn1Object is Asn1Sequence))
                    {
                        throw new CertificateException("input stream does not contain a ASN1 SEQUENCE while reading PkiPath encoded data to load CertPath");
                    }
                    list = Platform.CreateArrayList();
                    using (IEnumerator enumerator = ((Asn1Sequence)asn1Object).GetEnumerator())
                    {
                        while (enumerator.MoveNext())
                        {
                            Asn1Encodable asn1Encodable = (Asn1Encodable)enumerator.Current;
                            byte[]        encoded       = asn1Encodable.GetEncoded("DER");
                            Stream        inStream2     = new MemoryStream(encoded, false);
                            list.Insert(0, new X509CertificateParser().ReadCertificate(inStream2));
                        }
                        goto IL_EF;
                    }
                }
                if (!text.Equals("PKCS7") && !text.Equals("PEM"))
                {
                    throw new CertificateException("unsupported encoding: " + encoding);
                }
                list = Platform.CreateArrayList(new X509CertificateParser().ReadCertificates(inStream));
                IL_EF :;
            }
            catch (IOException ex)
            {
                throw new CertificateException("IOException throw while decoding CertPath:\n" + ex.ToString());
            }
            this.certificates = PkixCertPath.SortCerts(list);
        }
Beispiel #17
0
        internal static void ProcessAttrCert7(
            IX509AttributeCertificate attrCert,
            PkixCertPath certPath,
            PkixCertPath holderCertPath,
            PkixParameters pkixParams)
        {
            // TODO:
            // AA Controls
            // Attribute encryption
            // Proxy
            ISet critExtOids = attrCert.GetCriticalExtensionOids();

            // 7.1
            // process extensions

            // target information checked in step 6 / X509AttributeCertStoreSelector
            if (critExtOids.Contains(X509Extensions.TargetInformation.Id))
            {
                try
                {
                    TargetInformation.GetInstance(PkixCertPathValidatorUtilities
                                                  .GetExtensionValue(attrCert, X509Extensions.TargetInformation));
                }
                catch (Exception e)
                {
                    throw new PkixCertPathValidatorException(
                              "Target information extension could not be read.", e);
                }
            }
            critExtOids.Remove(X509Extensions.TargetInformation.Id);
            foreach (PkixAttrCertChecker checker in pkixParams.GetAttrCertCheckers())
            {
                checker.Check(attrCert, certPath, holderCertPath, critExtOids);
            }
            if (!critExtOids.IsEmpty)
            {
                throw new PkixCertPathValidatorException(
                          "Attribute certificate contains unsupported critical extensions: "
                          + critExtOids);
            }
        }
        /**
         * Validates an attribute certificate with the given certificate path.
         *
         * <p>
         * <code>params</code> must be an instance of
         * <code>ExtendedPkixParameters</code>.
         * </p><p>
         * The target constraints in the <code>params</code> must be an
         * <code>X509AttrCertStoreSelector</code> with at least the attribute
         * certificate criterion set. Obey that also target informations may be
         * necessary to correctly validate this attribute certificate.
         * </p><p>
         * The attribute certificate issuer must be added to the trusted attribute
         * issuers with {@link ExtendedPkixParameters#setTrustedACIssuers(Set)}.
         * </p>
         * @param certPath The certificate path which belongs to the attribute
         *            certificate issuer public key certificate.
         * @param params The PKIX parameters.
         * @return A <code>PKIXCertPathValidatorResult</code> of the result of
         *         validating the <code>certPath</code>.
         * @throws InvalidAlgorithmParameterException if <code>params</code> is
         *             inappropriate for this validator.
         * @throws CertPathValidatorException if the verification fails.
         */
        public virtual PkixCertPathValidatorResult Validate(
            PkixCertPath certPath,
            PkixParameters pkixParams)
        {
            IX509Selector certSelect = pkixParams.GetTargetConstraints();

            if (!(certSelect is X509AttrCertStoreSelector))
            {
                throw new ArgumentException(
                          "TargetConstraints must be an instance of " + typeof(X509AttrCertStoreSelector).FullName,
                          "pkixParams");
            }
            IX509AttributeCertificate attrCert = ((X509AttrCertStoreSelector)certSelect).AttributeCert;

            PkixCertPath holderCertPath            = Rfc3281CertPathUtilities.ProcessAttrCert1(attrCert, pkixParams);
            PkixCertPathValidatorResult result     = Rfc3281CertPathUtilities.ProcessAttrCert2(certPath, pkixParams);
            X509Certificate             issuerCert = (X509Certificate)certPath.Certificates[0];

            Rfc3281CertPathUtilities.ProcessAttrCert3(issuerCert, pkixParams);
            Rfc3281CertPathUtilities.ProcessAttrCert4(issuerCert, pkixParams);
            Rfc3281CertPathUtilities.ProcessAttrCert5(attrCert, pkixParams);
            // 6 already done in X509AttrCertStoreSelector
            Rfc3281CertPathUtilities.ProcessAttrCert7(attrCert, certPath, holderCertPath, pkixParams);
            Rfc3281CertPathUtilities.AdditionalChecks(attrCert, pkixParams);
            DateTime date;

            try
            {
                date = PkixCertPathValidatorUtilities.GetValidCertDateFromValidityModel(pkixParams, null, -1);
            }
            catch (Exception e)
            {
                throw new PkixCertPathValidatorException(
                          "Could not get validity date from attribute certificate.", e);
            }
            Rfc3281CertPathUtilities.CheckCrls(attrCert, pkixParams, issuerCert, date, certPath.Certificates);
            return(result);
        }
        internal static void ProcessAttrCert7(IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams)
        {
            ISet criticalExtensionOids = attrCert.GetCriticalExtensionOids();

            if (criticalExtensionOids.Contains(X509Extensions.TargetInformation.Id))
            {
                try
                {
                    TargetInformation.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.TargetInformation));
                }
                catch (global::System.Exception cause)
                {
                    throw new PkixCertPathValidatorException("Target information extension could not be read.", cause);
                }
            }
            criticalExtensionOids.Remove(X509Extensions.TargetInformation.Id);
            global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)pkixParams.GetAttrCertCheckers()).GetEnumerator();
            try
            {
                while (enumerator.MoveNext())
                {
                    PkixAttrCertChecker pkixAttrCertChecker = (PkixAttrCertChecker)enumerator.get_Current();
                    pkixAttrCertChecker.Check(attrCert, certPath, holderCertPath, criticalExtensionOids);
                }
            }
            finally
            {
                global::System.IDisposable disposable = enumerator as global::System.IDisposable;
                if (disposable != null)
                {
                    disposable.Dispose();
                }
            }
            if (!criticalExtensionOids.IsEmpty)
            {
                throw new PkixCertPathValidatorException(string.Concat((object)"Attribute certificate contains unsupported critical extensions: ", (object)criticalExtensionOids));
            }
        }
		/// <summary>
		/// Creates a <code>PkixCertPathValidatorException</code> with the specified
		/// detail message, cause, certification path, and index.
		/// </summary>
		/// <param name="message">the detail message (or <code>null</code> if none)</param>
		/// <param name="cause">the cause (or <code>null</code> if none)</param>
		/// <param name="certPath">the certification path that was in the process of being
		/// validated when the error was encountered</param>
		/// <param name="index">the index of the certificate in the certification path that</param>																																																																																   * 
		public PkixCertPathValidatorException(
			string			message,
			Exception		cause,
			PkixCertPath	certPath,
			int				index)
			: base(message)
		{
			if (certPath == null && index != -1)
			{
				throw new ArgumentNullException(
					"certPath = null and index != -1");
			}
			if (index < -1
				|| (certPath != null && index >= certPath.Certificates.Count))
			{
				throw new IndexOutOfRangeException(
					" index < -1 or out of bound of certPath.getCertificates()");
			}

			this.cause = cause;
			this.certPath = certPath;
			this.index = index;
		}
Beispiel #21
0
 internal static global::System.DateTime GetValidCertDateFromValidityModel(PkixParameters paramsPkix, PkixCertPath certPath, int index)
 {
     //IL_0065: Expected O, but got Unknown
     if (paramsPkix.ValidityModel != 1)
     {
         return(GetValidDate(paramsPkix));
     }
     if (index <= 0)
     {
         return(GetValidDate(paramsPkix));
     }
     if (index - 1 == 0)
     {
         DerGeneralizedTime derGeneralizedTime = null;
         try
         {
             X509Certificate x509Certificate = (X509Certificate)certPath.Certificates.get_Item(index - 1);
             Asn1OctetString extensionValue  = x509Certificate.GetExtensionValue(IsisMttObjectIdentifiers.IdIsisMttATDateOfCertGen);
             derGeneralizedTime = DerGeneralizedTime.GetInstance(extensionValue);
         }
         catch (ArgumentException)
         {
             throw new global::System.Exception("Date of cert gen extension could not be read.");
         }
         if (derGeneralizedTime != null)
         {
             try
             {
                 return(derGeneralizedTime.ToDateTime());
             }
             catch (ArgumentException val2)
             {
                 ArgumentException val3 = val2;
                 throw new global::System.Exception("Date from date of cert gen extension could not be parsed.", (global::System.Exception)(object) val3);
             }
         }
     }
     return(((X509Certificate)certPath.Certificates.get_Item(index - 1)).NotBefore);
 }
		internal static int PrepareNextCertH3(
			PkixCertPath	certPath,
			int				index,
			int				inhibitAnyPolicy)
		{
			IList certs = certPath.Certificates;
			X509Certificate cert = (X509Certificate)certs[index];

			//
			// (h)
			//
			if (!PkixCertPathValidatorUtilities.IsSelfIssued(cert))
			{
				//
				// (3)
				//
				if (inhibitAnyPolicy != 0)
					return inhibitAnyPolicy - 1;
			}
			return inhibitAnyPolicy;
		}
		internal static void PrepareNextCertO(
			PkixCertPath	certPath,
			int				index,
			ISet			criticalExtensions,
			IList			pathCheckers)
			//throws CertPathValidatorException
		{
			IList certs = certPath.Certificates;
			X509Certificate cert = (X509Certificate)certs[index];

			//
			// (o)
			//
			IEnumerator tmpIter = pathCheckers.GetEnumerator();
			while (tmpIter.MoveNext())
			{
				try
				{
					((PkixCertPathChecker)tmpIter.Current).Check(cert, criticalExtensions);
				}
				catch (PkixCertPathValidatorException e)
				{
					throw new PkixCertPathValidatorException(e.Message, e.InnerException, certPath, index);
				}
			}
			if (!criticalExtensions.IsEmpty)
			{
				throw new PkixCertPathValidatorException("Certificate has unsupported critical extension.", null, certPath,
					index);
			}
		}
		internal static int PrepareNextCertM(
			PkixCertPath	certPath,
			int				index,
			int				maxPathLength)
			//throws CertPathValidatorException
		{
			IList certs = certPath.Certificates;
			X509Certificate cert = (X509Certificate)certs[index];

			//
			// (m)
			//
			BasicConstraints bc = null;
			try
			{
				bc = BasicConstraints.GetInstance(
					PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.BasicConstraints));
			}
			catch (Exception e)
			{
				throw new PkixCertPathValidatorException("Basic constraints extension cannot be decoded.", e, certPath,
					index);
			}
			if (bc != null)
			{
				BigInteger _pathLengthConstraint = bc.PathLenConstraint;

				if (_pathLengthConstraint != null)
				{
					int _plc = _pathLengthConstraint.IntValue;

					if (_plc < maxPathLength)
					{
						return _plc;
					}
				}
			}
			return maxPathLength;
		}
		internal static void PrepareNextCertK(
			PkixCertPath	certPath,
			int				index)
			//throws CertPathValidatorException
		{
			IList certs = certPath.Certificates;
			X509Certificate cert = (X509Certificate)certs[index];
			//
			// (k)
			//
			BasicConstraints bc = null;
			try
			{
				bc = BasicConstraints.GetInstance(
					PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.BasicConstraints));
			}
			catch (Exception e)
			{
				throw new PkixCertPathValidatorException("Basic constraints extension cannot be decoded.", e, certPath,
					index);
			}
			if (bc != null)
			{
				if (!(bc.IsCA()))
					throw new PkixCertPathValidatorException("Not a CA certificate");
			}
			else
			{
				throw new PkixCertPathValidatorException("Intermediate certificate lacks BasicConstraints");
			}
		}
		internal static void PrepareNextCertG(
			PkixCertPath				certPath,
			int							index,
			PkixNameConstraintValidator	nameConstraintValidator)
			//throws CertPathValidatorException
		{
			IList certs = certPath.Certificates;
			X509Certificate cert = (X509Certificate)certs[index];

			//
			// (g) handle the name constraints extension
			//
			NameConstraints nc = null;
			try
			{
				Asn1Sequence ncSeq = DerSequence.GetInstance(
					PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.NameConstraints));
				if (ncSeq != null)
				{
					nc = new NameConstraints(ncSeq);
				}
			}
			catch (Exception e)
			{
				throw new PkixCertPathValidatorException(
					"Name constraints extension could not be decoded.", e, certPath, index);
			}
			if (nc != null)
			{
				//
				// (g) (1) permitted subtrees
				//
				Asn1Sequence permitted = nc.PermittedSubtrees;
				if (permitted != null)
				{
					try
					{
						nameConstraintValidator.IntersectPermittedSubtree(permitted);
					}
					catch (Exception ex)
					{
						throw new PkixCertPathValidatorException(
							"Permitted subtrees cannot be build from name constraints extension.", ex, certPath, index);
					}
				}

				//
				// (g) (2) excluded subtrees
				//
				Asn1Sequence excluded = nc.ExcludedSubtrees;
				if (excluded != null)
				{
					IEnumerator e = excluded.GetEnumerator();
					try
					{
						while (e.MoveNext())
						{
							GeneralSubtree subtree = GeneralSubtree.GetInstance(e.Current);
							nameConstraintValidator.AddExcludedSubtree(subtree);
						}
					}
					catch (Exception ex)
					{
						throw new PkixCertPathValidatorException(
							"Excluded subtrees cannot be build from name constraints extension.", ex, certPath, index);
					}
				}
			}
		}
		internal static void ProcessCertA(
			PkixCertPath			certPath,
			PkixParameters			paramsPKIX,
			int						index,
			AsymmetricKeyParameter	workingPublicKey,
			X509Name				workingIssuerName,
			X509Certificate			sign)
		{
			IList certs = certPath.Certificates;
			X509Certificate cert = (X509Certificate)certs[index];
			//
			// (a) verify
			//
			try
			{
				// (a) (1)
				//
				cert.Verify(workingPublicKey);
			}
			catch (GeneralSecurityException e)
			{
				throw new PkixCertPathValidatorException("Could not validate certificate signature.", e, certPath, index);
			}

			try
			{
				// (a) (2)
				//
				cert.CheckValidity(PkixCertPathValidatorUtilities
					.GetValidCertDateFromValidityModel(paramsPKIX, certPath, index));
			}
			catch (CertificateExpiredException e)
			{
				throw new PkixCertPathValidatorException("Could not validate certificate: " + e.Message, e, certPath, index);
			}
			catch (CertificateNotYetValidException e)
			{
				throw new PkixCertPathValidatorException("Could not validate certificate: " + e.Message, e, certPath, index);
			}
			catch (Exception e)
			{
				throw new PkixCertPathValidatorException("Could not validate time of certificate.", e, certPath, index);
			}

			//
			// (a) (3)
			//
			if (paramsPKIX.IsRevocationEnabled)
			{
				try
				{
					CheckCrls(paramsPKIX, cert, PkixCertPathValidatorUtilities.GetValidCertDateFromValidityModel(paramsPKIX,
						certPath, index), sign, workingPublicKey, certs);
				}
				catch (Exception e)
				{
					Exception cause = e.InnerException;
					if (cause == null)
					{
						cause = e;
					}
					throw new PkixCertPathValidatorException(e.Message, cause, certPath, index);
				}
			}

			//
			// (a) (4) name chaining
			//
			X509Name issuer = PkixCertPathValidatorUtilities.GetIssuerPrincipal(cert);
			if (!issuer.Equivalent(workingIssuerName, true))
			{
				throw new PkixCertPathValidatorException("IssuerName(" + issuer
					+ ") does not match SubjectName(" + workingIssuerName + ") of signing certificate.", null,
					certPath, index);
			}
		}
		public override void PerformTest()
		{
			X509CertificateParser certParser = new X509CertificateParser();
			X509CrlParser crlParser = new X509CrlParser();

			// initialise CertStore
			X509Certificate rootCert = certParser.ReadCertificate(CertPathTest.rootCertBin);
			X509Certificate interCert = certParser.ReadCertificate(CertPathTest.interCertBin);
			X509Certificate finalCert = certParser.ReadCertificate(CertPathTest.finalCertBin);
			X509Crl rootCrl = crlParser.ReadCrl(CertPathTest.rootCrlBin);
			X509Crl interCrl = crlParser.ReadCrl(CertPathTest.interCrlBin);

			IList x509Certs = new ArrayList();
			x509Certs.Add(rootCert);
			x509Certs.Add(interCert);
			x509Certs.Add(finalCert);

			IList x509Crls = new ArrayList();
			x509Crls.Add(rootCrl);
			x509Crls.Add(interCrl);

//			CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list);
//			CertStore store = CertStore.GetInstance("Collection", ccsp);
//			X509CollectionStoreParameters ccsp = new X509CollectionStoreParameters(list);
			IX509Store x509CertStore = X509StoreFactory.Create(
				"Certificate/Collection",
				new X509CollectionStoreParameters(x509Certs));
			IX509Store x509CrlStore = X509StoreFactory.Create(
				"CRL/Collection",
				new X509CollectionStoreParameters(x509Crls));

			// NB: Month is 1-based in .NET
            //DateTime validDate = new DateTime(2008,9,4,14,49,10).ToUniversalTime();
            DateTime validDate = new DateTime(2008, 9, 4, 5, 49, 10);

			//validating path
			IList certchain = new ArrayList();
			certchain.Add(finalCert);
			certchain.Add(interCert);
//			CertPath cp = CertificateFactory.GetInstance("X.509").GenerateCertPath(certchain);
			PkixCertPath cp = new PkixCertPath(certchain);
			ISet trust = new HashSet();
			trust.Add(new TrustAnchor(rootCert, null));

//			CertPathValidator cpv = CertPathValidator.GetInstance("PKIX");
			PkixCertPathValidator cpv = new PkixCertPathValidator();
			PkixParameters param = new PkixParameters(trust);
			param.AddStore(x509CertStore);
			param.AddStore(x509CrlStore);
			param.Date = new DateTimeObject(validDate);
			MyChecker checker = new MyChecker();
			param.AddCertPathChecker(checker);

			PkixCertPathValidatorResult result = (PkixCertPathValidatorResult) cpv.Validate(cp, param);
			PkixPolicyNode policyTree = result.PolicyTree;
			AsymmetricKeyParameter subjectPublicKey = result.SubjectPublicKey;

			if (checker.GetCount() != 2)
			{
				Fail("checker not evaluated for each certificate");
			}
	        
			if (!subjectPublicKey.Equals(finalCert.GetPublicKey()))
			{
				Fail("wrong public key returned");
			}

			//
			// invalid path containing a valid one test
			//
			try
			{
				// initialise CertStore
				rootCert = certParser.ReadCertificate(AC_RAIZ_ICPBRASIL);
				interCert = certParser.ReadCertificate(AC_PR);
				finalCert = certParser.ReadCertificate(schefer);

				x509Certs = new ArrayList();
				x509Certs.Add(rootCert);
				x509Certs.Add(interCert);
				x509Certs.Add(finalCert);

//				ccsp = new CollectionCertStoreParameters(list);
//				store = CertStore.GetInstance("Collection", ccsp);
//				ccsp = new X509CollectionStoreParameters(list);
				x509CertStore = X509StoreFactory.Create(
					"Certificate/Collection",
					new X509CollectionStoreParameters(x509Certs));

				// NB: Month is 1-based in .NET
				validDate = new DateTime(2004,3,21,2,21,10).ToUniversalTime();

				//validating path
				certchain = new ArrayList();
				certchain.Add(finalCert);
				certchain.Add(interCert);
//				cp = CertificateFactory.GetInstance("X.509").GenerateCertPath(certchain);
				cp = new PkixCertPath(certchain);
				trust = new HashSet();
				trust.Add(new TrustAnchor(rootCert, null));

//				cpv = CertPathValidator.GetInstance("PKIX");
				cpv = new PkixCertPathValidator();
				param = new PkixParameters(trust);
				param.AddStore(x509CertStore);
				param.IsRevocationEnabled = false;
				param.Date = new DateTimeObject(validDate);

				result =(PkixCertPathValidatorResult) cpv.Validate(cp, param);
				policyTree = result.PolicyTree;
				subjectPublicKey = result.SubjectPublicKey;

				Fail("Invalid path validated");
			}
			catch (Exception e)
			{
				if (e is PkixCertPathValidatorException 
					&& e.Message.StartsWith("Could not validate certificate signature."))
				{
					return;
				}
				Fail("unexpected exception", e);
			}
		}
		internal static void PrepareNextCertA(
			PkixCertPath	certPath,
			int				index)
			//throws CertPathValidatorException
		{
			IList certs = certPath.Certificates;
			X509Certificate cert = (X509Certificate)certs[index];
			//
			//
			// (a) check the policy mappings
			//
			Asn1Sequence pm = null;
			try
			{
				pm = Asn1Sequence.GetInstance(
					PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.PolicyMappings));
			}
			catch (Exception ex)
			{
				throw new PkixCertPathValidatorException(
					"Policy mappings extension could not be decoded.", ex, certPath, index);
			}
			if (pm != null)
			{
				Asn1Sequence mappings = pm;

				for (int j = 0; j < mappings.Count; j++)
				{
					DerObjectIdentifier issuerDomainPolicy = null;
					DerObjectIdentifier subjectDomainPolicy = null;
					try
					{
						Asn1Sequence mapping = DerSequence.GetInstance(mappings[j]);

						issuerDomainPolicy = DerObjectIdentifier.GetInstance(mapping[0]);
						subjectDomainPolicy = DerObjectIdentifier.GetInstance(mapping[1]);
					}
					catch (Exception e)
					{
						throw new PkixCertPathValidatorException(
							"Policy mappings extension contents could not be decoded.", e, certPath, index);
					}

					if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(issuerDomainPolicy.Id))
						throw new PkixCertPathValidatorException(
							"IssuerDomainPolicy is anyPolicy", null, certPath, index);

					if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(subjectDomainPolicy.Id))
						throw new PkixCertPathValidatorException(
							"SubjectDomainPolicy is anyPolicy,", null, certPath, index);
				}
			}
		}
		internal static void ProcessCertBC(
			PkixCertPath				certPath,
			int							index,
			PkixNameConstraintValidator	nameConstraintValidator)
			//throws CertPathValidatorException
		{
			IList certs = certPath.Certificates;
			X509Certificate cert = (X509Certificate)certs[index];
			int n = certs.Count;
			// i as defined in the algorithm description
			int i = n - index;
			//
			// (b), (c) permitted and excluded subtree checking.
			//
			if (!(PkixCertPathValidatorUtilities.IsSelfIssued(cert) && (i < n)))
			{
				X509Name principal = cert.SubjectDN;
				Asn1InputStream aIn = new Asn1InputStream(principal.GetEncoded());
				Asn1Sequence dns;

				try
				{
					dns = DerSequence.GetInstance(aIn.ReadObject());
				}
				catch (Exception e)
				{
					throw new PkixCertPathValidatorException(
						"Exception extracting subject name when checking subtrees.", e, certPath, index);
				}

				try
				{
					nameConstraintValidator.CheckPermittedDN(dns);
					nameConstraintValidator.CheckExcludedDN(dns);
				}
				catch (PkixNameConstraintValidatorException e)
				{
					throw new PkixCertPathValidatorException(
						"Subtree check for certificate subject failed.", e, certPath, index);
				}

				GeneralNames altName = null;
				try
				{
					altName = GeneralNames.GetInstance(
						PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.SubjectAlternativeName));
				}
				catch (Exception e)
				{
					throw new PkixCertPathValidatorException(
						"Subject alternative name extension could not be decoded.", e, certPath, index);
				}

				IList emails = X509Name.GetInstance(dns).GetValueList(X509Name.EmailAddress);
				foreach (string email in emails)
				{
					GeneralName emailAsGeneralName = new GeneralName(GeneralName.Rfc822Name, email);
					try
					{
						nameConstraintValidator.checkPermitted(emailAsGeneralName);
						nameConstraintValidator.checkExcluded(emailAsGeneralName);
					}
					catch (PkixNameConstraintValidatorException ex)
					{
						throw new PkixCertPathValidatorException(
							"Subtree check for certificate subject alternative email failed.", ex, certPath, index);
					}
				}
				if (altName != null)
				{
					GeneralName[] genNames = null;
					try
					{
						genNames = altName.GetNames();
					}
					catch (Exception e)
					{
						throw new PkixCertPathValidatorException(
							"Subject alternative name contents could not be decoded.", e, certPath, index);
					}
					foreach (GeneralName genName in genNames)
					{
						try
						{
							nameConstraintValidator.checkPermitted(genName);
							nameConstraintValidator.checkExcluded(genName);
						}
						catch (PkixNameConstraintValidatorException e)
						{
							throw new PkixCertPathValidatorException(
								"Subtree check for certificate subject alternative name failed.", e, certPath, index);
						}
					}
				}
			}
		}
		internal static void WrapupCertF(
			PkixCertPath	certPath,
			int				index,
			IList			pathCheckers,
			ISet			criticalExtensions)
			//throws CertPathValidatorException
		{
			IList certs = certPath.Certificates;
			X509Certificate cert = (X509Certificate)certs[index];
			IEnumerator tmpIter = pathCheckers.GetEnumerator();

			while (tmpIter.MoveNext())
			{
				try
				{
					((PkixCertPathChecker)tmpIter.Current).Check(cert, criticalExtensions);
				}
				catch (PkixCertPathValidatorException e)
				{
					throw new PkixCertPathValidatorException("Additional certificate path checker failed.", e, certPath,
						index);
				}
			}

			if (!criticalExtensions.IsEmpty)
			{
				throw new PkixCertPathValidatorException("Certificate has unsupported critical extension",
					null, certPath, index);
			}
		}
		private PkixCertPathBuilderResult Build(
			IX509AttributeCertificate	attrCert,
			X509Certificate				tbvCert,
			PkixBuilderParameters		pkixParams,
			IList						tbvPath)
		{
			// If tbvCert is readily present in tbvPath, it indicates having run
			// into a cycle in the
			// PKI graph.
			if (tbvPath.Contains(tbvCert))
				return null;

			// step out, the certificate is not allowed to appear in a certification
			// chain
			if (pkixParams.GetExcludedCerts().Contains(tbvCert))
				return null;

			// test if certificate path exceeds maximum length
			if (pkixParams.MaxPathLength != -1)
			{
				if (tbvPath.Count - 1 > pkixParams.MaxPathLength)
					return null;
			}

			tbvPath.Add(tbvCert);

			PkixCertPathBuilderResult builderResult = null;

//			X509CertificateParser certParser = new X509CertificateParser();
			PkixAttrCertPathValidator validator = new PkixAttrCertPathValidator();

			try
			{
				// check whether the issuer of <tbvCert> is a TrustAnchor
				if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
				{
					PkixCertPath certPath = new PkixCertPath(tbvPath);
					PkixCertPathValidatorResult result;

					try
					{
						result = validator.Validate(certPath, pkixParams);
					}
					catch (Exception e)
					{
						throw new Exception("Certification path could not be validated.", e);
					}

					return new PkixCertPathBuilderResult(certPath, result.TrustAnchor,
						result.PolicyTree, result.SubjectPublicKey);
				}
				else
				{
					// add additional X.509 stores from locations in certificate
					try
					{
						PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams);
					}
					catch (CertificateParsingException e)
					{
						throw new Exception("No additional X.509 stores can be added from certificate locations.", e);
					}

					// try to get the issuer certificate from one of the stores
					ISet issuers = new HashSet();
					try
					{
						issuers.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
					}
					catch (Exception e)
					{
						throw new Exception("Cannot find issuer certificate for certificate in certification path.", e);
					}

					if (issuers.IsEmpty)
						throw new Exception("No issuer certificate for certificate in certification path found.");

					foreach (X509Certificate issuer in issuers)
					{
						// if untrusted self signed certificate continue
						if (PkixCertPathValidatorUtilities.IsSelfIssued(issuer))
							continue;

						builderResult = Build(attrCert, issuer, pkixParams, tbvPath);

						if (builderResult != null)
							break;
					}
				}
			}
			catch (Exception e)
			{
				certPathException = new Exception("No valid certification path could be build.", e);
			}

			if (builderResult == null)
			{
				tbvPath.Remove(tbvCert);
			}

			return builderResult;
		}
Beispiel #33
0
 internal static DateTime GetValidCertDateFromValidityModel(PkixParameters paramsPkix, PkixCertPath certPath, int index)
 {
     if (paramsPkix.ValidityModel != 1)
     {
         return(PkixCertPathValidatorUtilities.GetValidDate(paramsPkix));
     }
     if (index <= 0)
     {
         return(PkixCertPathValidatorUtilities.GetValidDate(paramsPkix));
     }
     if (index - 1 == 0)
     {
         DerGeneralizedTime derGeneralizedTime = null;
         try
         {
             X509Certificate x509Certificate = (X509Certificate)certPath.Certificates[index - 1];
             Asn1OctetString extensionValue  = x509Certificate.GetExtensionValue(IsisMttObjectIdentifiers.IdIsisMttATDateOfCertGen);
             derGeneralizedTime = DerGeneralizedTime.GetInstance(extensionValue);
         }
         catch (ArgumentException)
         {
             throw new Exception("Date of cert gen extension could not be read.");
         }
         if (derGeneralizedTime != null)
         {
             try
             {
                 return(derGeneralizedTime.ToDateTime());
             }
             catch (ArgumentException innerException)
             {
                 throw new Exception("Date from date of cert gen extension could not be parsed.", innerException);
             }
         }
     }
     return(((X509Certificate)certPath.Certificates[index - 1]).NotBefore);
 }
        public virtual PkixCertPathValidatorResult Validate(
            PkixCertPath certPath,
            PkixParameters paramsPkix)
        {
            if (paramsPkix.GetTrustAnchors() == null)
            {
                throw new ArgumentException(
                          "trustAnchors is null, this is not allowed for certification path validation.",
                          "parameters");
            }

            //
            // 6.1.1 - inputs
            //

            //
            // (a)
            //
            IList certs = certPath.Certificates;
            int   n     = certs.Count;

            if (certs.Count == 0)
            {
                throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);
            }

            //
            // (b)
            //
            // DateTime validDate = PkixCertPathValidatorUtilities.GetValidDate(paramsPkix);

            //
            // (c)
            //
            ISet userInitialPolicySet = paramsPkix.GetInitialPolicies();

            //
            // (d)
            //
            TrustAnchor trust;

            try
            {
                trust = PkixCertPathValidatorUtilities.FindTrustAnchor(
                    (X509Certificate)certs[certs.Count - 1],
                    paramsPkix.GetTrustAnchors());
            }
            catch (Exception e)
            {
                throw new PkixCertPathValidatorException(e.Message, e, certPath, certs.Count - 1);
            }

            if (trust == null)
            {
                throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
            }

            //
            // (e), (f), (g) are part of the paramsPkix object.
            //
            IEnumerator certIter;
            int         index = 0;
            int         i;

            // Certificate for each interation of the validation loop
            // Signature information for each iteration of the validation loop
            //
            // 6.1.2 - setup
            //

            //
            // (a)
            //
            IList[] policyNodes = new IList[n + 1];
            for (int j = 0; j < policyNodes.Length; j++)
            {
                policyNodes[j] = Platform.CreateArrayList();
            }

            ISet policySet = new HashSet();

            policySet.Add(Rfc3280CertPathUtilities.ANY_POLICY);

            PkixPolicyNode validPolicyTree = new PkixPolicyNode(Platform.CreateArrayList(), 0, policySet, null, new HashSet(),
                                                                Rfc3280CertPathUtilities.ANY_POLICY, false);

            policyNodes[0].Add(validPolicyTree);

            //
            // (b) and (c)
            //
            PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();

            // (d)
            //
            int  explicitPolicy;
            ISet acceptablePolicies = new HashSet();

            if (paramsPkix.IsExplicitPolicyRequired)
            {
                explicitPolicy = 0;
            }
            else
            {
                explicitPolicy = n + 1;
            }

            //
            // (e)
            //
            int inhibitAnyPolicy;

            if (paramsPkix.IsAnyPolicyInhibited)
            {
                inhibitAnyPolicy = 0;
            }
            else
            {
                inhibitAnyPolicy = n + 1;
            }

            //
            // (f)
            //
            int policyMapping;

            if (paramsPkix.IsPolicyMappingInhibited)
            {
                policyMapping = 0;
            }
            else
            {
                policyMapping = n + 1;
            }

            //
            // (g), (h), (i), (j)
            //
            AsymmetricKeyParameter workingPublicKey;
            X509Name workingIssuerName;

            X509Certificate sign = trust.TrustedCert;

            try
            {
                if (sign != null)
                {
                    workingIssuerName = sign.SubjectDN;
                    workingPublicKey  = sign.GetPublicKey();
                }
                else
                {
                    workingIssuerName = new X509Name(trust.CAName);
                    workingPublicKey  = trust.CAPublicKey;
                }
            }
            catch (ArgumentException ex)
            {
                throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath,
                                                         -1);
            }

            //AlgorithmIdentifier workingAlgId = null;
            try
            {
                /*workingAlgId = */ PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
            }
            catch (PkixCertPathValidatorException e)
            {
                throw new PkixCertPathValidatorException(
                          "Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1);
            }

//			DerObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.ObjectID;
//			Asn1Encodable workingPublicKeyParameters = workingAlgId.Parameters;

            //
            // (k)
            //
            int maxPathLength = n;

            //
            // 6.1.3
            //

            X509CertStoreSelector certConstraints = paramsPkix.GetTargetCertConstraints();

            if (certConstraints != null && !certConstraints.Match((X509Certificate)certs[0]))
            {
                throw new PkixCertPathValidatorException(
                          "Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
            }

            //
            // initialize CertPathChecker's
            //
            IList pathCheckers = paramsPkix.GetCertPathCheckers();

            certIter = pathCheckers.GetEnumerator();

            while (certIter.MoveNext())
            {
                ((PkixCertPathChecker)certIter.Current).Init(false);
            }

            X509Certificate cert = null;

            for (index = certs.Count - 1; index >= 0; index--)
            {
                // try
                // {
                //
                // i as defined in the algorithm description
                //
                i = n - index;

                //
                // set certificate to be checked in this round
                // sign and workingPublicKey and workingIssuerName are set
                // at the end of the for loop and initialized the
                // first time from the TrustAnchor
                //
                cert = (X509Certificate)certs[index];

                //
                // 6.1.3
                //

                Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, index, workingPublicKey,
                                                      workingIssuerName, sign);

                Rfc3280CertPathUtilities.ProcessCertBC(certPath, index, nameConstraintValidator);

                validPolicyTree = Rfc3280CertPathUtilities.ProcessCertD(certPath, index,
                                                                        acceptablePolicies, validPolicyTree, policyNodes, inhibitAnyPolicy);

                validPolicyTree = Rfc3280CertPathUtilities.ProcessCertE(certPath, index, validPolicyTree);

                Rfc3280CertPathUtilities.ProcessCertF(certPath, index, validPolicyTree, explicitPolicy);

                //
                // 6.1.4
                //

                if (i != n)
                {
                    if (cert != null && cert.Version == 1)
                    {
                        throw new PkixCertPathValidatorException(
                                  "Version 1 certificates can't be used as CA ones.", null, certPath, index);
                    }

                    Rfc3280CertPathUtilities.PrepareNextCertA(certPath, index);

                    validPolicyTree = Rfc3280CertPathUtilities.PrepareCertB(certPath, index, policyNodes,
                                                                            validPolicyTree, policyMapping);

                    Rfc3280CertPathUtilities.PrepareNextCertG(certPath, index, nameConstraintValidator);

                    // (h)
                    explicitPolicy   = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, index, explicitPolicy);
                    policyMapping    = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, index, policyMapping);
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, index, inhibitAnyPolicy);

                    //
                    // (i)
                    //
                    explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, index, explicitPolicy);
                    policyMapping  = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, index, policyMapping);

                    // (j)
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, index, inhibitAnyPolicy);

                    // (k)
                    Rfc3280CertPathUtilities.PrepareNextCertK(certPath, index);

                    // (l)
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, index, maxPathLength);

                    // (m)
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, index, maxPathLength);

                    // (n)
                    Rfc3280CertPathUtilities.PrepareNextCertN(certPath, index);

                    ISet criticalExtensions1 = cert.GetCriticalExtensionOids();

                    if (criticalExtensions1 != null)
                    {
                        criticalExtensions1 = new HashSet(criticalExtensions1);

                        // these extensions are handled by the algorithm
                        criticalExtensions1.Remove(X509Extensions.KeyUsage.Id);
                        criticalExtensions1.Remove(X509Extensions.CertificatePolicies.Id);
                        criticalExtensions1.Remove(X509Extensions.PolicyMappings.Id);
                        criticalExtensions1.Remove(X509Extensions.InhibitAnyPolicy.Id);
                        criticalExtensions1.Remove(X509Extensions.IssuingDistributionPoint.Id);
                        criticalExtensions1.Remove(X509Extensions.DeltaCrlIndicator.Id);
                        criticalExtensions1.Remove(X509Extensions.PolicyConstraints.Id);
                        criticalExtensions1.Remove(X509Extensions.BasicConstraints.Id);
                        criticalExtensions1.Remove(X509Extensions.SubjectAlternativeName.Id);
                        criticalExtensions1.Remove(X509Extensions.NameConstraints.Id);
                    }
                    else
                    {
                        criticalExtensions1 = new HashSet();
                    }

                    // (o)
                    Rfc3280CertPathUtilities.PrepareNextCertO(certPath, index, criticalExtensions1, pathCheckers);

                    // set signing certificate for next round
                    sign = cert;

                    // (c)
                    workingIssuerName = sign.SubjectDN;

                    // (d)
                    try
                    {
                        workingPublicKey = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, index);
                    }
                    catch (PkixCertPathValidatorException e)
                    {
                        throw new PkixCertPathValidatorException("Next working key could not be retrieved.", e, certPath, index);
                    }

                    /*workingAlgId = */ PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
                    // (f)
//                    workingPublicKeyAlgorithm = workingAlgId.ObjectID;
                    // (e)
//                    workingPublicKeyParameters = workingAlgId.Parameters;
                }
            }

            //
            // 6.1.5 Wrap-up procedure
            //

            explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, cert);

            explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, index + 1, explicitPolicy);

            //
            // (c) (d) and (e) are already done
            //

            //
            // (f)
            //
            ISet criticalExtensions = cert.GetCriticalExtensionOids();

            if (criticalExtensions != null)
            {
                criticalExtensions = new HashSet(criticalExtensions);

                // Requires .Id
                // these extensions are handled by the algorithm
                criticalExtensions.Remove(X509Extensions.KeyUsage.Id);
                criticalExtensions.Remove(X509Extensions.CertificatePolicies.Id);
                criticalExtensions.Remove(X509Extensions.PolicyMappings.Id);
                criticalExtensions.Remove(X509Extensions.InhibitAnyPolicy.Id);
                criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id);
                criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id);
                criticalExtensions.Remove(X509Extensions.PolicyConstraints.Id);
                criticalExtensions.Remove(X509Extensions.BasicConstraints.Id);
                criticalExtensions.Remove(X509Extensions.SubjectAlternativeName.Id);
                criticalExtensions.Remove(X509Extensions.NameConstraints.Id);
                criticalExtensions.Remove(X509Extensions.CrlDistributionPoints.Id);
            }
            else
            {
                criticalExtensions = new HashSet();
            }

            Rfc3280CertPathUtilities.WrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions);

            PkixPolicyNode intersection = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, userInitialPolicySet,
                                                                               index + 1, policyNodes, validPolicyTree, acceptablePolicies);

            if ((explicitPolicy > 0) || (intersection != null))
            {
                return(new PkixCertPathValidatorResult(trust, intersection, cert.GetPublicKey()));
            }

            throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, index);
        }
		internal static PkixPolicyNode PrepareCertB(
			PkixCertPath	certPath,
			int				index,
			IList[]			policyNodes,
			PkixPolicyNode	validPolicyTree,
			int				policyMapping)
			//throws CertPathValidatorException
		{
			IList certs = certPath.Certificates;
			X509Certificate cert = (X509Certificate)certs[index];
			int n = certs.Count;
			// i as defined in the algorithm description
			int i = n - index;
			// (b)
			//
			Asn1Sequence pm = null;
			try
			{
				pm = (Asn1Sequence)Asn1Sequence.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.PolicyMappings));
			}
			catch (Exception ex)
			{
				throw new PkixCertPathValidatorException(
					"Policy mappings extension could not be decoded.", ex, certPath, index);
			}
			PkixPolicyNode _validPolicyTree = validPolicyTree;
			if (pm != null)
			{
				Asn1Sequence mappings = (Asn1Sequence)pm;
				IDictionary m_idp = Platform.CreateHashtable();
				ISet s_idp = new HashSet();

				for (int j = 0; j < mappings.Count; j++)
				{
					Asn1Sequence mapping = (Asn1Sequence) mappings[j];
					string id_p = ((DerObjectIdentifier) mapping[0]).Id;
					string sd_p = ((DerObjectIdentifier) mapping[1]).Id;
					ISet tmp;

					if (!m_idp.Contains(id_p))
					{
						tmp = new HashSet();
						tmp.Add(sd_p);
						m_idp[id_p] = tmp;
						s_idp.Add(id_p);
					}
					else
					{
						tmp = (ISet)m_idp[id_p];
						tmp.Add(sd_p);
					}
				}

				IEnumerator it_idp = s_idp.GetEnumerator();
				while (it_idp.MoveNext())
				{
					string id_p = (string)it_idp.Current;

					//
					// (1)
					//
					if (policyMapping > 0)
					{
						bool idp_found = false;
						IEnumerator nodes_i = policyNodes[i].GetEnumerator();

						while (nodes_i.MoveNext())
						{
							PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current;
							if (node.ValidPolicy.Equals(id_p))
							{
								idp_found = true;
								node.ExpectedPolicies = (ISet)m_idp[id_p];
								break;
							}
						}

						if (!idp_found)
						{
							nodes_i = policyNodes[i].GetEnumerator();
							while (nodes_i.MoveNext())
							{
								PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current;
								if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(node.ValidPolicy))
								{
									ISet pq = null;
									Asn1Sequence policies = null;
									try
									{
										policies = (Asn1Sequence)PkixCertPathValidatorUtilities.GetExtensionValue(cert,
											X509Extensions.CertificatePolicies);
									}
									catch (Exception e)
									{
										throw new PkixCertPathValidatorException(
											"Certificate policies extension could not be decoded.", e, certPath, index);
									}

									foreach (Asn1Encodable ae in policies)
									{
										PolicyInformation pinfo = null;
										try
										{
											pinfo = PolicyInformation.GetInstance(ae.ToAsn1Object());
										}
										catch (Exception ex)
										{
											throw new PkixCertPathValidatorException(
												"Policy information could not be decoded.", ex, certPath, index);
										}
										if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(pinfo.PolicyIdentifier.Id))
										{
											try
											{
												pq = PkixCertPathValidatorUtilities
													.GetQualifierSet(pinfo.PolicyQualifiers);
											}
											catch (PkixCertPathValidatorException ex)
											{
												throw new PkixCertPathValidatorException(
													"Policy qualifier info set could not be decoded.", ex, certPath,
													index);
											}
											break;
										}
									}
									bool ci = false;
									ISet critExtOids = cert.GetCriticalExtensionOids();
									if (critExtOids != null)
									{
										ci = critExtOids.Contains(X509Extensions.CertificatePolicies.Id);
									}

									PkixPolicyNode p_node = (PkixPolicyNode)node.Parent;
									if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(p_node.ValidPolicy))
									{
										PkixPolicyNode c_node = new PkixPolicyNode(Platform.CreateArrayList(), i,
											(ISet)m_idp[id_p], p_node, pq, id_p, ci);
										p_node.AddChild(c_node);
										policyNodes[i].Add(c_node);
									}
									break;
								}
							}
						}

						//
						// (2)
						//
					}
					else if (policyMapping <= 0)
					{
                        foreach (PkixPolicyNode node in Platform.CreateArrayList(policyNodes[i]))
                        {
							if (node.ValidPolicy.Equals(id_p))
							{
								node.Parent.RemoveChild(node);

                                for (int k = i - 1; k >= 0; k--)
								{
                                    foreach (PkixPolicyNode node2 in Platform.CreateArrayList(policyNodes[k]))
									{
										if (!node2.HasChildren)
										{
											_validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(
												_validPolicyTree, policyNodes, node2);

                                            if (_validPolicyTree == null)
												break;
										}
									}
								}
							}
						}
					}
				}
			}
			return _validPolicyTree;
		}
		internal static void ProcessCertF(
			PkixCertPath	certPath,
			int				index,
			PkixPolicyNode	validPolicyTree,
			int				explicitPolicy)
		{
			//
			// (f)
			//
			if (explicitPolicy <= 0 && validPolicyTree == null)
			{
				throw new PkixCertPathValidatorException(
					"No valid policy tree found when one expected.", null, certPath, index);
			}
		}
		internal static DateTime GetValidCertDateFromValidityModel(
			PkixParameters	paramsPkix,
			PkixCertPath	certPath,
			int				index)
		{
			if (paramsPkix.ValidityModel != PkixParameters.ChainValidityModel)
			{
				return GetValidDate(paramsPkix);
			}

			// if end cert use given signing/encryption/... time
			if (index <= 0)
			{
				return PkixCertPathValidatorUtilities.GetValidDate(paramsPkix);
				// else use time when previous cert was created
			}

			if (index - 1 == 0)
			{
				DerGeneralizedTime dateOfCertgen = null;
				try
				{
					X509Certificate cert = (X509Certificate)certPath.Certificates[index - 1];
					Asn1OctetString extVal = cert.GetExtensionValue(
						IsisMttObjectIdentifiers.IdIsisMttATDateOfCertGen);
					dateOfCertgen = DerGeneralizedTime.GetInstance(extVal);
				}
				catch (ArgumentException)
				{
					throw new Exception(
						"Date of cert gen extension could not be read.");
				}
				if (dateOfCertgen != null)
				{
					try
					{
						return dateOfCertgen.ToDateTime();
					}
					catch (ArgumentException e)
					{
						throw new Exception(
							"Date from date of cert gen extension could not be parsed.",
							e);
					}
				}
			}

			return ((X509Certificate)certPath.Certificates[index - 1]).NotBefore;
		}
		internal static int PrepareNextCertI2(
			PkixCertPath	certPath,
			int				index,
			int				policyMapping)
			//throws CertPathValidatorException
		{
			IList certs = certPath.Certificates;
			X509Certificate cert = (X509Certificate)certs[index];

			//
			// (i)
			//
			Asn1Sequence pc = null;
			try
			{
				pc = DerSequence.GetInstance(
					PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.PolicyConstraints));
			}
			catch (Exception e)
			{
				throw new PkixCertPathValidatorException(
					"Policy constraints extension cannot be decoded.", e, certPath, index);
			}

			int tmpInt;

			if (pc != null)
			{
				IEnumerator policyConstraints = pc.GetEnumerator();

				while (policyConstraints.MoveNext())
				{
					try
					{
						Asn1TaggedObject constraint = Asn1TaggedObject.GetInstance(policyConstraints.Current);
						if (constraint.TagNo == 1)
						{
							tmpInt = DerInteger.GetInstance(constraint, false).Value.IntValue;
							if (tmpInt < policyMapping)
							{
								return tmpInt;
							}
							break;
						}
					}
					catch (ArgumentException e)
					{
						throw new PkixCertPathValidatorException(
							"Policy constraints extension contents cannot be decoded.", e, certPath, index);
					}
				}
			}
			return policyMapping;
		}
Beispiel #39
0
        private PkixCertPathBuilderResult Build(IX509AttributeCertificate attrCert, X509Certificate tbvCert, PkixBuilderParameters pkixParams, global::System.Collections.IList tbvPath)
        {
            if (tbvPath.Contains((object)tbvCert))
            {
                return(null);
            }
            if (pkixParams.GetExcludedCerts().Contains(tbvCert))
            {
                return(null);
            }
            if (pkixParams.MaxPathLength != -1 && ((global::System.Collections.ICollection)tbvPath).get_Count() - 1 > pkixParams.MaxPathLength)
            {
                return(null);
            }
            tbvPath.Add((object)tbvCert);
            PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
            PkixAttrCertPathValidator pkixAttrCertPathValidator = new PkixAttrCertPathValidator();

            try
            {
                if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
                {
                    PkixCertPath certPath = new PkixCertPath((global::System.Collections.ICollection)tbvPath);
                    PkixCertPathValidatorResult pkixCertPathValidatorResult;
                    try
                    {
                        pkixCertPathValidatorResult = pkixAttrCertPathValidator.Validate(certPath, pkixParams);
                    }
                    catch (global::System.Exception ex)
                    {
                        throw new global::System.Exception("Certification path could not be validated.", ex);
                    }
                    return(new PkixCertPathBuilderResult(certPath, pkixCertPathValidatorResult.TrustAnchor, pkixCertPathValidatorResult.PolicyTree, pkixCertPathValidatorResult.SubjectPublicKey));
                }
                try
                {
                    PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams);
                }
                catch (CertificateParsingException ex2)
                {
                    throw new global::System.Exception("No additional X.509 stores can be added from certificate locations.", (global::System.Exception)ex2);
                }
                ISet set = new HashSet();
                try
                {
                    set.AddAll((global::System.Collections.IEnumerable)PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
                }
                catch (global::System.Exception ex3)
                {
                    throw new global::System.Exception("Cannot find issuer certificate for certificate in certification path.", ex3);
                }
                if (set.IsEmpty)
                {
                    throw new global::System.Exception("No issuer certificate for certificate in certification path found.");
                }
                global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)set).GetEnumerator();
                try
                {
                    while (enumerator.MoveNext())
                    {
                        X509Certificate x509Certificate = (X509Certificate)enumerator.get_Current();
                        if (!PkixCertPathValidatorUtilities.IsSelfIssued(x509Certificate))
                        {
                            pkixCertPathBuilderResult = Build(attrCert, x509Certificate, pkixParams, tbvPath);
                            if (pkixCertPathBuilderResult != null)
                            {
                                break;
                            }
                        }
                    }
                }
                finally
                {
                    global::System.IDisposable disposable = enumerator as global::System.IDisposable;
                    if (disposable != null)
                    {
                        disposable.Dispose();
                    }
                }
            }
            catch (global::System.Exception ex4)
            {
                certPathException = new global::System.Exception("No valid certification path could be build.", ex4);
            }
            if (pkixCertPathBuilderResult == null)
            {
                tbvPath.Remove((object)tbvCert);
            }
            return(pkixCertPathBuilderResult);
        }
		internal static int PrepareNextCertJ(
			PkixCertPath	certPath,
			int				index,
			int				inhibitAnyPolicy)
			//throws CertPathValidatorException
		{
			IList certs = certPath.Certificates;
			X509Certificate cert = (X509Certificate)certs[index];

			//
			// (j)
			//
			DerInteger iap = null;
			try
			{
				iap = DerInteger.GetInstance(
					PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.InhibitAnyPolicy));
			}
			catch (Exception e)
			{
				throw new PkixCertPathValidatorException(
					"Inhibit any-policy extension cannot be decoded.", e, certPath, index);
			}

			if (iap != null)
			{
				int _inhibitAnyPolicy = iap.Value.IntValue;

				if (_inhibitAnyPolicy < inhibitAnyPolicy)
					return _inhibitAnyPolicy;
			}
			return inhibitAnyPolicy;
		}
		internal static PkixCertPathValidatorResult ProcessAttrCert2(
			PkixCertPath	certPath,
			PkixParameters	pkixParams)
		{
			PkixCertPathValidator validator = new PkixCertPathValidator();

			try
			{
				return validator.Validate(certPath, pkixParams);
			}
			catch (PkixCertPathValidatorException e)
			{
				throw new PkixCertPathValidatorException(
					"Certification path for issuer certificate of attribute certificate could not be validated.",
					e);
			}
		}
		internal static int PrepareNextCertL(
			PkixCertPath	certPath,
			int				index,
			int				maxPathLength)
			//throws CertPathValidatorException
		{
			IList certs = certPath.Certificates;
			X509Certificate cert = (X509Certificate)certs[index];
			//
			// (l)
			//
			if (!PkixCertPathValidatorUtilities.IsSelfIssued(cert))
			{
				if (maxPathLength <= 0)
				{
					throw new PkixCertPathValidatorException("Max path length not greater than zero", null, certPath, index);
				}

				return maxPathLength - 1;
			}
			return maxPathLength;
		}
Beispiel #43
0
        public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters paramsPkix)
        {
            if (paramsPkix.GetTrustAnchors() == null)
            {
                throw new ArgumentException("trustAnchors is null, this is not allowed for certification path validation.", "parameters");
            }
            IList certificates = certPath.Certificates;
            int   count        = certificates.Count;

            if (certificates.Count == 0)
            {
                throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);
            }
            ISet        initialPolicies = paramsPkix.GetInitialPolicies();
            TrustAnchor trustAnchor;

            try
            {
                trustAnchor = PkixCertPathValidatorUtilities.FindTrustAnchor((X509Certificate)certificates[certificates.Count - 1], paramsPkix.GetTrustAnchors());
            }
            catch (Exception ex)
            {
                throw new PkixCertPathValidatorException(ex.Message, ex, certPath, certificates.Count - 1);
            }
            if (trustAnchor == null)
            {
                throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
            }
            int i = 0;

            IList[] array = new IList[count + 1];
            for (int j = 0; j < array.Length; j++)
            {
                array[j] = Platform.CreateArrayList();
            }
            ISet set = new HashSet();

            set.Add(Rfc3280CertPathUtilities.ANY_POLICY);
            PkixPolicyNode pkixPolicyNode = new PkixPolicyNode(Platform.CreateArrayList(), 0, set, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, false);

            array[0].Add(pkixPolicyNode);
            PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();
            ISet acceptablePolicies = new HashSet();
            int  num;

            if (paramsPkix.IsExplicitPolicyRequired)
            {
                num = 0;
            }
            else
            {
                num = count + 1;
            }
            int inhibitAnyPolicy;

            if (paramsPkix.IsAnyPolicyInhibited)
            {
                inhibitAnyPolicy = 0;
            }
            else
            {
                inhibitAnyPolicy = count + 1;
            }
            int policyMapping;

            if (paramsPkix.IsPolicyMappingInhibited)
            {
                policyMapping = 0;
            }
            else
            {
                policyMapping = count + 1;
            }
            X509Certificate        x509Certificate = trustAnchor.TrustedCert;
            X509Name               workingIssuerName;
            AsymmetricKeyParameter asymmetricKeyParameter;

            try
            {
                if (x509Certificate != null)
                {
                    workingIssuerName      = x509Certificate.SubjectDN;
                    asymmetricKeyParameter = x509Certificate.GetPublicKey();
                }
                else
                {
                    workingIssuerName      = new X509Name(trustAnchor.CAName);
                    asymmetricKeyParameter = trustAnchor.CAPublicKey;
                }
            }
            catch (ArgumentException cause)
            {
                throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", cause, certPath, -1);
            }
            try
            {
                PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter);
            }
            catch (PkixCertPathValidatorException cause2)
            {
                throw new PkixCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", cause2, certPath, -1);
            }
            int maxPathLength = count;
            X509CertStoreSelector targetCertConstraints = paramsPkix.GetTargetCertConstraints();

            if (targetCertConstraints != null && !targetCertConstraints.Match((X509Certificate)certificates[0]))
            {
                throw new PkixCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
            }
            IList       certPathCheckers = paramsPkix.GetCertPathCheckers();
            IEnumerator enumerator       = certPathCheckers.GetEnumerator();

            while (enumerator.MoveNext())
            {
                ((PkixCertPathChecker)enumerator.Current).Init(false);
            }
            X509Certificate x509Certificate2 = null;

            for (i = certificates.Count - 1; i >= 0; i--)
            {
                int num2 = count - i;
                x509Certificate2 = (X509Certificate)certificates[i];
                Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, i, asymmetricKeyParameter, workingIssuerName, x509Certificate);
                Rfc3280CertPathUtilities.ProcessCertBC(certPath, i, nameConstraintValidator);
                pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertD(certPath, i, acceptablePolicies, pkixPolicyNode, array, inhibitAnyPolicy);
                pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertE(certPath, i, pkixPolicyNode);
                Rfc3280CertPathUtilities.ProcessCertF(certPath, i, pkixPolicyNode, num);
                if (num2 != count)
                {
                    if (x509Certificate2 != null && x509Certificate2.Version == 1)
                    {
                        throw new PkixCertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, certPath, i);
                    }
                    Rfc3280CertPathUtilities.PrepareNextCertA(certPath, i);
                    pkixPolicyNode = Rfc3280CertPathUtilities.PrepareCertB(certPath, i, array, pkixPolicyNode, policyMapping);
                    Rfc3280CertPathUtilities.PrepareNextCertG(certPath, i, nameConstraintValidator);
                    num              = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, i, num);
                    policyMapping    = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, i, policyMapping);
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, i, inhibitAnyPolicy);
                    num              = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, i, num);
                    policyMapping    = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, i, policyMapping);
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, i, inhibitAnyPolicy);
                    Rfc3280CertPathUtilities.PrepareNextCertK(certPath, i);
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, i, maxPathLength);
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, i, maxPathLength);
                    Rfc3280CertPathUtilities.PrepareNextCertN(certPath, i);
                    ISet set2 = x509Certificate2.GetCriticalExtensionOids();
                    if (set2 != null)
                    {
                        set2 = new HashSet(set2);
                        set2.Remove(X509Extensions.KeyUsage.Id);
                        set2.Remove(X509Extensions.CertificatePolicies.Id);
                        set2.Remove(X509Extensions.PolicyMappings.Id);
                        set2.Remove(X509Extensions.InhibitAnyPolicy.Id);
                        set2.Remove(X509Extensions.IssuingDistributionPoint.Id);
                        set2.Remove(X509Extensions.DeltaCrlIndicator.Id);
                        set2.Remove(X509Extensions.PolicyConstraints.Id);
                        set2.Remove(X509Extensions.BasicConstraints.Id);
                        set2.Remove(X509Extensions.SubjectAlternativeName.Id);
                        set2.Remove(X509Extensions.NameConstraints.Id);
                    }
                    else
                    {
                        set2 = new HashSet();
                    }
                    Rfc3280CertPathUtilities.PrepareNextCertO(certPath, i, set2, certPathCheckers);
                    x509Certificate   = x509Certificate2;
                    workingIssuerName = x509Certificate.SubjectDN;
                    try
                    {
                        asymmetricKeyParameter = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, i);
                    }
                    catch (PkixCertPathValidatorException cause3)
                    {
                        throw new PkixCertPathValidatorException("Next working key could not be retrieved.", cause3, certPath, i);
                    }
                    PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter);
                }
            }
            num = Rfc3280CertPathUtilities.WrapupCertA(num, x509Certificate2);
            num = Rfc3280CertPathUtilities.WrapupCertB(certPath, i + 1, num);
            ISet set3 = x509Certificate2.GetCriticalExtensionOids();

            if (set3 != null)
            {
                set3 = new HashSet(set3);
                set3.Remove(X509Extensions.KeyUsage.Id);
                set3.Remove(X509Extensions.CertificatePolicies.Id);
                set3.Remove(X509Extensions.PolicyMappings.Id);
                set3.Remove(X509Extensions.InhibitAnyPolicy.Id);
                set3.Remove(X509Extensions.IssuingDistributionPoint.Id);
                set3.Remove(X509Extensions.DeltaCrlIndicator.Id);
                set3.Remove(X509Extensions.PolicyConstraints.Id);
                set3.Remove(X509Extensions.BasicConstraints.Id);
                set3.Remove(X509Extensions.SubjectAlternativeName.Id);
                set3.Remove(X509Extensions.NameConstraints.Id);
                set3.Remove(X509Extensions.CrlDistributionPoints.Id);
            }
            else
            {
                set3 = new HashSet();
            }
            Rfc3280CertPathUtilities.WrapupCertF(certPath, i + 1, certPathCheckers, set3);
            PkixPolicyNode pkixPolicyNode2 = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, initialPolicies, i + 1, array, pkixPolicyNode, acceptablePolicies);

            if (num > 0 || pkixPolicyNode2 != null)
            {
                return(new PkixCertPathValidatorResult(trustAnchor, pkixPolicyNode2, x509Certificate2.GetPublicKey()));
            }
            throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, i);
        }
		internal static void PrepareNextCertN(
			PkixCertPath	certPath,
			int				index)
			//throws CertPathValidatorException
		{
			IList certs = certPath.Certificates;
			X509Certificate cert = (X509Certificate)certs[index];

			//
			// (n)
			//
			bool[] _usage = cert.GetKeyUsage();

			if ((_usage != null) && !_usage[Rfc3280CertPathUtilities.KEY_CERT_SIGN])
			{
				throw new PkixCertPathValidatorException(
					"Issuer certificate keyusage extension is critical and does not permit key signing.", null,
					certPath, index);
			}
		}
Beispiel #45
0
 public PkixCertPath(ICollection certificates)
 {
     this.certificates = PkixCertPath.SortCerts(Platform.CreateArrayList(certificates));
 }
		internal static int PrepareNextCertH2(
			PkixCertPath	certPath,
			int				index,
			int				policyMapping)
		{
			IList certs = certPath.Certificates;
			X509Certificate cert = (X509Certificate)certs[index];

			//
			// (h)
			//
			if (!PkixCertPathValidatorUtilities.IsSelfIssued(cert))
			{
				//
				// (2)
				//
				if (policyMapping != 0)
					return policyMapping - 1;
			}
			return policyMapping;
		}
        private PkixCertPathBuilderResult Build(IX509AttributeCertificate attrCert, X509Certificate tbvCert, PkixBuilderParameters pkixParams, IList tbvPath)
        {
            if (tbvPath.Contains(tbvCert))
            {
                return(null);
            }
            if (pkixParams.GetExcludedCerts().Contains(tbvCert))
            {
                return(null);
            }
            if (pkixParams.MaxPathLength != -1 && tbvPath.Count - 1 > pkixParams.MaxPathLength)
            {
                return(null);
            }
            tbvPath.Add(tbvCert);
            PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
            PkixAttrCertPathValidator pkixAttrCertPathValidator = new PkixAttrCertPathValidator();

            try
            {
                if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
                {
                    PkixCertPath certPath = new PkixCertPath(tbvPath);
                    PkixCertPathValidatorResult pkixCertPathValidatorResult;
                    try
                    {
                        pkixCertPathValidatorResult = pkixAttrCertPathValidator.Validate(certPath, pkixParams);
                    }
                    catch (Exception innerException)
                    {
                        throw new Exception("Certification path could not be validated.", innerException);
                    }
                    return(new PkixCertPathBuilderResult(certPath, pkixCertPathValidatorResult.TrustAnchor, pkixCertPathValidatorResult.PolicyTree, pkixCertPathValidatorResult.SubjectPublicKey));
                }
                try
                {
                    PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams);
                }
                catch (CertificateParsingException innerException2)
                {
                    throw new Exception("No additional X.509 stores can be added from certificate locations.", innerException2);
                }
                ISet set = new HashSet();
                try
                {
                    set.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
                }
                catch (Exception innerException3)
                {
                    throw new Exception("Cannot find issuer certificate for certificate in certification path.", innerException3);
                }
                if (set.IsEmpty)
                {
                    throw new Exception("No issuer certificate for certificate in certification path found.");
                }
                foreach (X509Certificate x509Certificate in set)
                {
                    if (!PkixCertPathValidatorUtilities.IsSelfIssued(x509Certificate))
                    {
                        pkixCertPathBuilderResult = this.Build(attrCert, x509Certificate, pkixParams, tbvPath);
                        if (pkixCertPathBuilderResult != null)
                        {
                            break;
                        }
                    }
                }
            }
            catch (Exception innerException4)
            {
                this.certPathException = new Exception("No valid certification path could be build.", innerException4);
            }
            if (pkixCertPathBuilderResult == null)
            {
                tbvPath.Remove(tbvCert);
            }
            return(pkixCertPathBuilderResult);
        }
		internal static int WrapupCertB(
			PkixCertPath	certPath,
			int				index,
			int				explicitPolicy)
			//throws CertPathValidatorException
		{
			IList certs = certPath.Certificates;
			X509Certificate cert = (X509Certificate)certs[index];

			//
			// (b)
			//
			int tmpInt;
			Asn1Sequence pc = null;
			try
			{
				pc = DerSequence.GetInstance(
					PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.PolicyConstraints));
			}
			catch (Exception e)
			{
				throw new PkixCertPathValidatorException("Policy constraints could not be decoded.", e, certPath, index);
			}

			if (pc != null)
			{
				IEnumerator policyConstraints = pc.GetEnumerator();

				while (policyConstraints.MoveNext())
				{
					Asn1TaggedObject constraint = (Asn1TaggedObject)policyConstraints.Current;
					switch (constraint.TagNo)
					{
						case 0:
							try
							{
								tmpInt = DerInteger.GetInstance(constraint, false).Value.IntValue;
							}
							catch (Exception e)
							{
								throw new PkixCertPathValidatorException(
									"Policy constraints requireExplicitPolicy field could not be decoded.", e, certPath,
									index);
							}
							if (tmpInt == 0)
							{
								return 0;
							}
							break;
					}
				}
			}
			return explicitPolicy;
		}
Beispiel #49
0
        public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters paramsPkix)
        {
            //IL_0012: Unknown result type (might be due to invalid IL or missing references)
            //IL_0170: Expected O, but got Unknown
            if (paramsPkix.GetTrustAnchors() == null)
            {
                throw new ArgumentException("trustAnchors is null, this is not allowed for certification path validation.", "parameters");
            }
            global::System.Collections.IList certificates = certPath.Certificates;
            int count = ((global::System.Collections.ICollection)certificates).get_Count();

            if (((global::System.Collections.ICollection)certificates).get_Count() == 0)
            {
                throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);
            }
            ISet        initialPolicies = paramsPkix.GetInitialPolicies();
            TrustAnchor trustAnchor;

            try
            {
                trustAnchor = PkixCertPathValidatorUtilities.FindTrustAnchor((X509Certificate)certificates.get_Item(((global::System.Collections.ICollection)certificates).get_Count() - 1), paramsPkix.GetTrustAnchors());
            }
            catch (global::System.Exception ex)
            {
                throw new PkixCertPathValidatorException(ex.get_Message(), ex, certPath, ((global::System.Collections.ICollection)certificates).get_Count() - 1);
            }
            if (trustAnchor == null)
            {
                throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
            }
            int num = 0;

            global::System.Collections.IList[] array = new global::System.Collections.IList[count + 1];
            for (int i = 0; i < array.Length; i++)
            {
                array[i] = Platform.CreateArrayList();
            }
            ISet set = new HashSet();

            set.Add(Rfc3280CertPathUtilities.ANY_POLICY);
            PkixPolicyNode pkixPolicyNode = new PkixPolicyNode(Platform.CreateArrayList(), 0, set, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, critical: false);

            array[0].Add((object)pkixPolicyNode);
            PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();
            ISet                   acceptablePolicies           = new HashSet();
            int                    explicitPolicy   = ((!paramsPkix.IsExplicitPolicyRequired) ? (count + 1) : 0);
            int                    inhibitAnyPolicy = ((!paramsPkix.IsAnyPolicyInhibited) ? (count + 1) : 0);
            int                    policyMapping    = ((!paramsPkix.IsPolicyMappingInhibited) ? (count + 1) : 0);
            X509Certificate        x509Certificate  = trustAnchor.TrustedCert;
            X509Name               workingIssuerName;
            AsymmetricKeyParameter asymmetricKeyParameter;

            try
            {
                if (x509Certificate != null)
                {
                    workingIssuerName      = x509Certificate.SubjectDN;
                    asymmetricKeyParameter = x509Certificate.GetPublicKey();
                }
                else
                {
                    workingIssuerName      = new X509Name(trustAnchor.CAName);
                    asymmetricKeyParameter = trustAnchor.CAPublicKey;
                }
            }
            catch (ArgumentException val)
            {
                ArgumentException cause = val;
                throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", (global::System.Exception)(object) cause, certPath, -1);
            }
            try
            {
                PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter);
            }
            catch (PkixCertPathValidatorException cause2)
            {
                throw new PkixCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", cause2, certPath, -1);
            }
            int maxPathLength = count;
            X509CertStoreSelector targetCertConstraints = paramsPkix.GetTargetCertConstraints();

            if (targetCertConstraints != null && !targetCertConstraints.Match((X509Certificate)certificates.get_Item(0)))
            {
                throw new PkixCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
            }
            global::System.Collections.IList       certPathCheckers = paramsPkix.GetCertPathCheckers();
            global::System.Collections.IEnumerator enumerator       = ((global::System.Collections.IEnumerable)certPathCheckers).GetEnumerator();
            while (enumerator.MoveNext())
            {
                ((PkixCertPathChecker)enumerator.get_Current()).Init(forward: false);
            }
            X509Certificate x509Certificate2 = null;

            for (num = ((global::System.Collections.ICollection)certificates).get_Count() - 1; num >= 0; num--)
            {
                int num2 = count - num;
                x509Certificate2 = (X509Certificate)certificates.get_Item(num);
                Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, num, asymmetricKeyParameter, workingIssuerName, x509Certificate);
                Rfc3280CertPathUtilities.ProcessCertBC(certPath, num, nameConstraintValidator);
                pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertD(certPath, num, acceptablePolicies, pkixPolicyNode, array, inhibitAnyPolicy);
                pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertE(certPath, num, pkixPolicyNode);
                Rfc3280CertPathUtilities.ProcessCertF(certPath, num, pkixPolicyNode, explicitPolicy);
                if (num2 != count)
                {
                    if (x509Certificate2 != null && x509Certificate2.Version == 1)
                    {
                        throw new PkixCertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, certPath, num);
                    }
                    Rfc3280CertPathUtilities.PrepareNextCertA(certPath, num);
                    pkixPolicyNode = Rfc3280CertPathUtilities.PrepareCertB(certPath, num, array, pkixPolicyNode, policyMapping);
                    Rfc3280CertPathUtilities.PrepareNextCertG(certPath, num, nameConstraintValidator);
                    explicitPolicy   = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, num, explicitPolicy);
                    policyMapping    = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, num, policyMapping);
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, num, inhibitAnyPolicy);
                    explicitPolicy   = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, num, explicitPolicy);
                    policyMapping    = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, num, policyMapping);
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, num, inhibitAnyPolicy);
                    Rfc3280CertPathUtilities.PrepareNextCertK(certPath, num);
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, num, maxPathLength);
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, num, maxPathLength);
                    Rfc3280CertPathUtilities.PrepareNextCertN(certPath, num);
                    ISet criticalExtensionOids = x509Certificate2.GetCriticalExtensionOids();
                    if (criticalExtensionOids != null)
                    {
                        criticalExtensionOids = new HashSet(criticalExtensionOids);
                        criticalExtensionOids.Remove(X509Extensions.KeyUsage.Id);
                        criticalExtensionOids.Remove(X509Extensions.CertificatePolicies.Id);
                        criticalExtensionOids.Remove(X509Extensions.PolicyMappings.Id);
                        criticalExtensionOids.Remove(X509Extensions.InhibitAnyPolicy.Id);
                        criticalExtensionOids.Remove(X509Extensions.IssuingDistributionPoint.Id);
                        criticalExtensionOids.Remove(X509Extensions.DeltaCrlIndicator.Id);
                        criticalExtensionOids.Remove(X509Extensions.PolicyConstraints.Id);
                        criticalExtensionOids.Remove(X509Extensions.BasicConstraints.Id);
                        criticalExtensionOids.Remove(X509Extensions.SubjectAlternativeName.Id);
                        criticalExtensionOids.Remove(X509Extensions.NameConstraints.Id);
                    }
                    else
                    {
                        criticalExtensionOids = new HashSet();
                    }
                    Rfc3280CertPathUtilities.PrepareNextCertO(certPath, num, criticalExtensionOids, certPathCheckers);
                    x509Certificate   = x509Certificate2;
                    workingIssuerName = x509Certificate.SubjectDN;
                    try
                    {
                        asymmetricKeyParameter = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, num);
                    }
                    catch (PkixCertPathValidatorException cause3)
                    {
                        throw new PkixCertPathValidatorException("Next working key could not be retrieved.", cause3, certPath, num);
                    }
                    PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter);
                }
            }
            explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, x509Certificate2);
            explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, num + 1, explicitPolicy);
            ISet criticalExtensionOids2 = x509Certificate2.GetCriticalExtensionOids();

            if (criticalExtensionOids2 != null)
            {
                criticalExtensionOids2 = new HashSet(criticalExtensionOids2);
                criticalExtensionOids2.Remove(X509Extensions.KeyUsage.Id);
                criticalExtensionOids2.Remove(X509Extensions.CertificatePolicies.Id);
                criticalExtensionOids2.Remove(X509Extensions.PolicyMappings.Id);
                criticalExtensionOids2.Remove(X509Extensions.InhibitAnyPolicy.Id);
                criticalExtensionOids2.Remove(X509Extensions.IssuingDistributionPoint.Id);
                criticalExtensionOids2.Remove(X509Extensions.DeltaCrlIndicator.Id);
                criticalExtensionOids2.Remove(X509Extensions.PolicyConstraints.Id);
                criticalExtensionOids2.Remove(X509Extensions.BasicConstraints.Id);
                criticalExtensionOids2.Remove(X509Extensions.SubjectAlternativeName.Id);
                criticalExtensionOids2.Remove(X509Extensions.NameConstraints.Id);
                criticalExtensionOids2.Remove(X509Extensions.CrlDistributionPoints.Id);
            }
            else
            {
                criticalExtensionOids2 = new HashSet();
            }
            Rfc3280CertPathUtilities.WrapupCertF(certPath, num + 1, certPathCheckers, criticalExtensionOids2);
            PkixPolicyNode pkixPolicyNode2 = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, initialPolicies, num + 1, array, pkixPolicyNode, acceptablePolicies);

            if (explicitPolicy > 0 || pkixPolicyNode2 != null)
            {
                return(new PkixCertPathValidatorResult(trustAnchor, pkixPolicyNode2, x509Certificate2.GetPublicKey()));
            }
            throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, num);
        }
		internal static PkixPolicyNode WrapupCertG(
			PkixCertPath	certPath,
			PkixParameters	paramsPKIX,
			ISet			userInitialPolicySet,
			int				index,
			IList[]			policyNodes,
			PkixPolicyNode	validPolicyTree,
			ISet			acceptablePolicies)
		{
			int n = certPath.Certificates.Count;

			//
			// (g)
			//
			PkixPolicyNode intersection;

			//
			// (g) (i)
			//
			if (validPolicyTree == null)
			{
				if (paramsPKIX.IsExplicitPolicyRequired)
				{
					throw new PkixCertPathValidatorException(
						"Explicit policy requested but none available.", null, certPath, index);
				}
				intersection = null;
			}
			else if (PkixCertPathValidatorUtilities.IsAnyPolicy(userInitialPolicySet)) // (g)
				// (ii)
			{
				if (paramsPKIX.IsExplicitPolicyRequired)
				{
					if (acceptablePolicies.IsEmpty)
					{
						throw new PkixCertPathValidatorException(
							"Explicit policy requested but none available.", null, certPath, index);
					}
					else
					{
						ISet _validPolicyNodeSet = new HashSet();

						for (int j = 0; j < policyNodes.Length; j++)
						{
							IList _nodeDepth = policyNodes[j];

							for (int k = 0; k < _nodeDepth.Count; k++)
							{
								PkixPolicyNode _node = (PkixPolicyNode)_nodeDepth[k];

								if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(_node.ValidPolicy))
								{
									foreach (object o in _node.Children)
									{
										_validPolicyNodeSet.Add(o);
									}
								}
							}
						}

						foreach (PkixPolicyNode _node in _validPolicyNodeSet)
						{
							string _validPolicy = _node.ValidPolicy;

							if (!acceptablePolicies.Contains(_validPolicy))
							{
								// TODO?
								// validPolicyTree =
								// removePolicyNode(validPolicyTree, policyNodes,
								// _node);
							}
						}
						if (validPolicyTree != null)
						{
							for (int j = (n - 1); j >= 0; j--)
							{
								IList nodes = policyNodes[j];

								for (int k = 0; k < nodes.Count; k++)
								{
									PkixPolicyNode node = (PkixPolicyNode)nodes[k];
									if (!node.HasChildren)
									{
										validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree,
											policyNodes, node);
									}
								}
							}
						}
					}
				}

				intersection = validPolicyTree;
			}
			else
			{
				//
				// (g) (iii)
				//
				// This implementation is not exactly same as the one described in
				// RFC3280.
				// However, as far as the validation result is concerned, both
				// produce
				// adequate result. The only difference is whether AnyPolicy is
				// remain
				// in the policy tree or not.
				//
				// (g) (iii) 1
				//
				ISet _validPolicyNodeSet = new HashSet();

				for (int j = 0; j < policyNodes.Length; j++)
				{
					IList _nodeDepth = policyNodes[j];

					for (int k = 0; k < _nodeDepth.Count; k++)
					{
						PkixPolicyNode _node = (PkixPolicyNode)_nodeDepth[k];

						if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(_node.ValidPolicy))
						{
							foreach (PkixPolicyNode _c_node in _node.Children)
							{
								if (!Rfc3280CertPathUtilities.ANY_POLICY.Equals(_c_node.ValidPolicy))
								{
									_validPolicyNodeSet.Add(_c_node);
								}
							}
						}
					}
				}

				//
				// (g) (iii) 2
				//
				IEnumerator _vpnsIter = _validPolicyNodeSet.GetEnumerator();
				while (_vpnsIter.MoveNext())
				{
					PkixPolicyNode _node = (PkixPolicyNode)_vpnsIter.Current;
					string _validPolicy = _node.ValidPolicy;

					if (!userInitialPolicySet.Contains(_validPolicy))
					{
						validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree, policyNodes, _node);
					}
				}

				//
				// (g) (iii) 4
				//
				if (validPolicyTree != null)
				{
					for (int j = (n - 1); j >= 0; j--)
					{
						IList nodes = policyNodes[j];

						for (int k = 0; k < nodes.Count; k++)
						{
							PkixPolicyNode node = (PkixPolicyNode)nodes[k];
							if (!node.HasChildren)
							{
								validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree, policyNodes,
									node);
							}
						}
					}
				}

				intersection = validPolicyTree;
			}
			return intersection;
		}
Beispiel #51
0
 /**
  * Performs checks on the specified attribute certificate. Every handled
  * extension is rmeoved from the <code>unresolvedCritExts</code>
  * collection.
  *
  * @param attrCert The attribute certificate to be checked.
  * @param certPath The certificate path which belongs to the attribute
  *            certificate issuer public key certificate.
  * @param holderCertPath The certificate path which belongs to the holder
  *            certificate.
  * @param unresolvedCritExts a <code>Collection</code> of OID strings
  *            representing the current set of unresolved critical extensions
  * @throws CertPathValidatorException if the specified attribute certificate
  *             does not pass the check.
  */
 public abstract void Check(IX509AttributeCertificate attrCert, PkixCertPath certPath,
                            PkixCertPath holderCertPath, ICollection unresolvedCritExts);
		internal static PkixPolicyNode ProcessCertE(
			PkixCertPath	certPath,
			int				index,
			PkixPolicyNode	validPolicyTree)
		{
			IList certs = certPath.Certificates;
			X509Certificate cert = (X509Certificate)certs[index];

			//
			// (e)
			//
			Asn1Sequence certPolicies = null;
			try
			{
				certPolicies = DerSequence.GetInstance(
					PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.CertificatePolicies));
			}
			catch (Exception e)
			{
				throw new PkixCertPathValidatorException("Could not read certificate policies extension from certificate.",
					e, certPath, index);
			}
			if (certPolicies == null)
			{
				validPolicyTree = null;
			}
			return validPolicyTree;
		}
        public virtual PkixCertPathValidatorResult Validate(
			PkixCertPath	certPath,
			PkixParameters	paramsPkix)
        {
            if (paramsPkix.GetTrustAnchors() == null)
            {
                throw new ArgumentException(
                    @"trustAnchors is null, this is not allowed for certification path validation.",
                    "parameters");
            }

            //
            // 6.1.1 - inputs
            //

            //
            // (a)
            //
            IList certs = certPath.Certificates;
            int n = certs.Count;

            if (certs.Count == 0)
                throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);

            //
            // (b)
            //
            // DateTime validDate = PkixCertPathValidatorUtilities.GetValidDate(paramsPkix);

            //
            // (c)
            //
            ISet userInitialPolicySet = paramsPkix.GetInitialPolicies();

            //
            // (d)
            //
            TrustAnchor trust;
            try
            {
                trust = PkixCertPathValidatorUtilities.FindTrustAnchor(
                    (X509Certificate)certs[certs.Count - 1],
                    paramsPkix.GetTrustAnchors());
            }
            catch (Exception e)
            {
                throw new PkixCertPathValidatorException(e.Message, e, certPath, certs.Count - 1);
            }

            if (trust == null)
                throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);

            //
            // (e), (f), (g) are part of the paramsPkix object.
            //
            IEnumerator certIter;
            int index = 0;
            int i;
            // Certificate for each interation of the validation loop
            // Signature information for each iteration of the validation loop
            //
            // 6.1.2 - setup
            //

            //
            // (a)
            //
            IList[] policyNodes = new IList[n + 1];
            for (int j = 0; j < policyNodes.Length; j++)
            {
                policyNodes[j] = Platform.CreateArrayList();
            }

            ISet policySet = new HashSet();

            policySet.Add(Rfc3280CertPathUtilities.ANY_POLICY);

            PkixPolicyNode validPolicyTree = new PkixPolicyNode(Platform.CreateArrayList(), 0, policySet, null, new HashSet(),
                    Rfc3280CertPathUtilities.ANY_POLICY, false);

            policyNodes[0].Add(validPolicyTree);

            //
            // (b) and (c)
            //
            PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();

            // (d)
            //
            int explicitPolicy;
            ISet acceptablePolicies = new HashSet();

            if (paramsPkix.IsExplicitPolicyRequired)
            {
                explicitPolicy = 0;
            }
            else
            {
                explicitPolicy = n + 1;
            }

            //
            // (e)
            //
            int inhibitAnyPolicy;

            if (paramsPkix.IsAnyPolicyInhibited)
            {
                inhibitAnyPolicy = 0;
            }
            else
            {
                inhibitAnyPolicy = n + 1;
            }

            //
            // (f)
            //
            int policyMapping;

            if (paramsPkix.IsPolicyMappingInhibited)
            {
                policyMapping = 0;
            }
            else
            {
                policyMapping = n + 1;
            }

            //
            // (g), (h), (i), (j)
            //
            IAsymmetricKeyParameter workingPublicKey;
            X509Name workingIssuerName;

            X509Certificate sign = trust.TrustedCert;
            try
            {
                if (sign != null)
                {
                    workingIssuerName = sign.SubjectDN;
                    workingPublicKey = sign.GetPublicKey();
                }
                else
                {
                    workingIssuerName = new X509Name(trust.CAName);
                    workingPublicKey = trust.CAPublicKey;
                }
            }
            catch (ArgumentException ex)
            {
                throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath,
                        -1);
            }

            AlgorithmIdentifier workingAlgId = null;
            try
            {
                workingAlgId = PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
            }
            catch (PkixCertPathValidatorException e)
            {
                throw new PkixCertPathValidatorException(
                        "Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1);
            }

            //			DerObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.ObjectID;
            //			Asn1Encodable workingPublicKeyParameters = workingAlgId.Parameters;

            //
            // (k)
            //
            int maxPathLength = n;

            //
            // 6.1.3
            //

            X509CertStoreSelector certConstraints = paramsPkix.GetTargetCertConstraints();
            if (certConstraints != null && !certConstraints.Match((X509Certificate)certs[0]))
            {
                throw new PkixCertPathValidatorException(
                    "Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
            }

            //
            // initialize CertPathChecker's
            //
            IList pathCheckers = paramsPkix.GetCertPathCheckers();
            certIter = pathCheckers.GetEnumerator();

            while (certIter.MoveNext())
            {
                ((PkixCertPathChecker)certIter.Current).Init(false);
            }

            X509Certificate cert = null;

            for (index = certs.Count - 1; index >= 0; index--)
            {
                // try
                // {
                //
                // i as defined in the algorithm description
                //
                i = n - index;

                //
                // set certificate to be checked in this round
                // sign and workingPublicKey and workingIssuerName are set
                // at the end of the for loop and initialized the
                // first time from the TrustAnchor
                //
                cert = (X509Certificate)certs[index];

                //
                // 6.1.3
                //

                Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, index, workingPublicKey,
                    workingIssuerName, sign);

                Rfc3280CertPathUtilities.ProcessCertBC(certPath, index, nameConstraintValidator);

                validPolicyTree = Rfc3280CertPathUtilities.ProcessCertD(certPath, index,
                    acceptablePolicies, validPolicyTree, policyNodes, inhibitAnyPolicy);

                validPolicyTree = Rfc3280CertPathUtilities.ProcessCertE(certPath, index, validPolicyTree);

                Rfc3280CertPathUtilities.ProcessCertF(certPath, index, validPolicyTree, explicitPolicy);

                //
                // 6.1.4
                //

                if (i != n)
                {
                    if (cert != null && cert.Version == 1)
                    {
                        throw new PkixCertPathValidatorException(
                            "Version 1 certificates can't be used as CA ones.", null, certPath, index);
                    }

                    Rfc3280CertPathUtilities.PrepareNextCertA(certPath, index);

                    validPolicyTree = Rfc3280CertPathUtilities.PrepareCertB(certPath, index, policyNodes,
                        validPolicyTree, policyMapping);

                    Rfc3280CertPathUtilities.PrepareNextCertG(certPath, index, nameConstraintValidator);

                    // (h)
                    explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, index, explicitPolicy);
                    policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, index, policyMapping);
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, index, inhibitAnyPolicy);

                    //
                    // (i)
                    //
                    explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, index, explicitPolicy);
                    policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, index, policyMapping);

                    // (j)
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, index, inhibitAnyPolicy);

                    // (k)
                    Rfc3280CertPathUtilities.PrepareNextCertK(certPath, index);

                    // (l)
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, index, maxPathLength);

                    // (m)
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, index, maxPathLength);

                    // (n)
                    Rfc3280CertPathUtilities.PrepareNextCertN(certPath, index);

                    ISet criticalExtensions1 = cert.GetCriticalExtensionOids();

                    if (criticalExtensions1 != null)
                    {
                        criticalExtensions1 = new HashSet(criticalExtensions1);

                        // these extensions are handled by the algorithm
                        criticalExtensions1.Remove(X509Extensions.KeyUsage.Id);
                        criticalExtensions1.Remove(X509Extensions.CertificatePolicies.Id);
                        criticalExtensions1.Remove(X509Extensions.PolicyMappings.Id);
                        criticalExtensions1.Remove(X509Extensions.InhibitAnyPolicy.Id);
                        criticalExtensions1.Remove(X509Extensions.IssuingDistributionPoint.Id);
                        criticalExtensions1.Remove(X509Extensions.DeltaCrlIndicator.Id);
                        criticalExtensions1.Remove(X509Extensions.PolicyConstraints.Id);
                        criticalExtensions1.Remove(X509Extensions.BasicConstraints.Id);
                        criticalExtensions1.Remove(X509Extensions.SubjectAlternativeName.Id);
                        criticalExtensions1.Remove(X509Extensions.NameConstraints.Id);
                    }
                    else
                    {
                        criticalExtensions1 = new HashSet();
                    }

                    // (o)
                    Rfc3280CertPathUtilities.PrepareNextCertO(certPath, index, criticalExtensions1, pathCheckers);

                    // set signing certificate for next round
                    sign = cert;

                    // (c)
                    workingIssuerName = sign.SubjectDN;

                    // (d)
                    try
                    {
                        workingPublicKey = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, index);
                    }
                    catch (PkixCertPathValidatorException e)
                    {
                        throw new PkixCertPathValidatorException("Next working key could not be retrieved.", e, certPath, index);
                    }

                    workingAlgId = PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
                    // (f)
            //                    workingPublicKeyAlgorithm = workingAlgId.ObjectID;
                    // (e)
            //                    workingPublicKeyParameters = workingAlgId.Parameters;
                }
            }

            //
            // 6.1.5 Wrap-up procedure
            //

            explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, cert);

            explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, index + 1, explicitPolicy);

            //
            // (c) (d) and (e) are already done
            //

            //
            // (f)
            //
            ISet criticalExtensions = cert.GetCriticalExtensionOids();

            if (criticalExtensions != null)
            {
                criticalExtensions = new HashSet(criticalExtensions);

                // Requires .Id
                // these extensions are handled by the algorithm
                criticalExtensions.Remove(X509Extensions.KeyUsage.Id);
                criticalExtensions.Remove(X509Extensions.CertificatePolicies.Id);
                criticalExtensions.Remove(X509Extensions.PolicyMappings.Id);
                criticalExtensions.Remove(X509Extensions.InhibitAnyPolicy.Id);
                criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id);
                criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id);
                criticalExtensions.Remove(X509Extensions.PolicyConstraints.Id);
                criticalExtensions.Remove(X509Extensions.BasicConstraints.Id);
                criticalExtensions.Remove(X509Extensions.SubjectAlternativeName.Id);
                criticalExtensions.Remove(X509Extensions.NameConstraints.Id);
                criticalExtensions.Remove(X509Extensions.CrlDistributionPoints.Id);
            }
            else
            {
                criticalExtensions = new HashSet();
            }

            Rfc3280CertPathUtilities.WrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions);

            PkixPolicyNode intersection = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, userInitialPolicySet,
                    index + 1, policyNodes, validPolicyTree, acceptablePolicies);

            if ((explicitPolicy > 0) || (intersection != null))
            {
                return new PkixCertPathValidatorResult(trust, intersection, cert.GetPublicKey());
            }

            throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, index);
        }
		internal static PkixPolicyNode ProcessCertD(
			PkixCertPath	certPath,
			int				index,
			ISet			acceptablePolicies,
			PkixPolicyNode	validPolicyTree,
			IList[]			policyNodes,
			int				inhibitAnyPolicy)
			//throws CertPathValidatorException
		{
			IList certs = certPath.Certificates;
			X509Certificate cert = (X509Certificate)certs[index];
			int n = certs.Count;
			// i as defined in the algorithm description
			int i = n - index;
			//
			// (d) policy Information checking against initial policy and
			// policy mapping
			//
			Asn1Sequence certPolicies = null;
			try
			{
				certPolicies = DerSequence.GetInstance(
					PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.CertificatePolicies));
			}
			catch (Exception e)
			{
				throw new PkixCertPathValidatorException(
					"Could not read certificate policies extension from certificate.", e, certPath, index);
			}
			if (certPolicies != null && validPolicyTree != null)
			{
				//
				// (d) (1)
				//
				ISet pols = new HashSet();

				foreach (Asn1Encodable ae in certPolicies)
				{
					PolicyInformation pInfo = PolicyInformation.GetInstance(ae.ToAsn1Object());
					DerObjectIdentifier pOid = pInfo.PolicyIdentifier;

					pols.Add(pOid.Id);

					if (!Rfc3280CertPathUtilities.ANY_POLICY.Equals(pOid.Id))
					{
						ISet pq = null;
						try
						{
							pq = PkixCertPathValidatorUtilities.GetQualifierSet(pInfo.PolicyQualifiers);
						}
						catch (PkixCertPathValidatorException ex)
						{
							throw new PkixCertPathValidatorException(
								"Policy qualifier info set could not be build.", ex, certPath, index);
						}

						bool match = PkixCertPathValidatorUtilities.ProcessCertD1i(i, policyNodes, pOid, pq);

						if (!match)
						{
							PkixCertPathValidatorUtilities.ProcessCertD1ii(i, policyNodes, pOid, pq);
						}
					}
				}

				if (acceptablePolicies.IsEmpty || acceptablePolicies.Contains(Rfc3280CertPathUtilities.ANY_POLICY))
				{
					acceptablePolicies.Clear();
					acceptablePolicies.AddAll(pols);
				}
				else
				{
					ISet t1 = new HashSet();

					foreach (object o in acceptablePolicies)
					{
						if (pols.Contains(o))
						{
							t1.Add(o);
						}
					}
					acceptablePolicies.Clear();
					acceptablePolicies.AddAll(t1);
				}

				//
				// (d) (2)
				//
				if ((inhibitAnyPolicy > 0) || ((i < n) && PkixCertPathValidatorUtilities.IsSelfIssued(cert)))
				{
					foreach (Asn1Encodable ae in certPolicies)
					{
						PolicyInformation pInfo = PolicyInformation.GetInstance(ae.ToAsn1Object());
						if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(pInfo.PolicyIdentifier.Id))
						{
							ISet _apq = PkixCertPathValidatorUtilities.GetQualifierSet(pInfo.PolicyQualifiers);
							IList _nodes = policyNodes[i - 1];

							for (int k = 0; k < _nodes.Count; k++)
							{
								PkixPolicyNode _node = (PkixPolicyNode)_nodes[k];

								IEnumerator  _policySetIter = _node.ExpectedPolicies.GetEnumerator();
								while (_policySetIter.MoveNext())
								{
									object _tmp = _policySetIter.Current;

									string _policy;
									if (_tmp is string)
									{
										_policy = (string)_tmp;
									}
									else if (_tmp is DerObjectIdentifier)
									{
										_policy = ((DerObjectIdentifier)_tmp).Id;
									}
									else
									{
										continue;
									}

									bool _found = false;

									foreach (PkixPolicyNode _child in _node.Children)
									{
										if (_policy.Equals(_child.ValidPolicy))
										{
											_found = true;
										}
									}

									if (!_found)
									{
										ISet _newChildExpectedPolicies = new HashSet();
										_newChildExpectedPolicies.Add(_policy);

										PkixPolicyNode _newChild = new PkixPolicyNode(Platform.CreateArrayList(), i,
											_newChildExpectedPolicies, _node, _apq, _policy, false);
										_node.AddChild(_newChild);
										policyNodes[i].Add(_newChild);
									}
								}
							}
							break;
						}
					}
				}

				PkixPolicyNode _validPolicyTree = validPolicyTree;
				//
				// (d) (3)
				//
				for (int j = (i - 1); j >= 0; j--)
				{
					IList nodes = policyNodes[j];

					for (int k = 0; k < nodes.Count; k++)
					{
						PkixPolicyNode node = (PkixPolicyNode)nodes[k];
						if (!node.HasChildren)
						{
							_validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(_validPolicyTree, policyNodes,
								node);
							if (_validPolicyTree == null)
							{
								break;
							}
						}
					}
				}

				//
				// d (4)
				//
				ISet criticalExtensionOids = cert.GetCriticalExtensionOids();

				if (criticalExtensionOids != null)
				{
					bool critical = criticalExtensionOids.Contains(X509Extensions.CertificatePolicies.Id);

					IList nodes = policyNodes[i];
					for (int j = 0; j < nodes.Count; j++)
					{
						PkixPolicyNode node = (PkixPolicyNode)nodes[j];
						node.IsCritical = critical;
					}
				}
				return _validPolicyTree;
			}
			return null;
		}
Beispiel #55
0
        protected virtual PkixCertPathBuilderResult Build(
            X509Certificate tbvCert,
            PkixBuilderParameters pkixParams,
            IList tbvPath)
        {
            // If tbvCert is readily present in tbvPath, it indicates having run
            // into a cycle in the PKI graph.
            if (tbvPath.Contains(tbvCert))
            {
                return(null);
            }

            // step out, the certificate is not allowed to appear in a certification
            // chain.
            if (pkixParams.GetExcludedCerts().Contains(tbvCert))
            {
                return(null);
            }

            // test if certificate path exceeds maximum length
            if (pkixParams.MaxPathLength != -1)
            {
                if (tbvPath.Count - 1 > pkixParams.MaxPathLength)
                {
                    return(null);
                }
            }

            tbvPath.Add(tbvCert);

            X509CertificateParser     certParser    = new X509CertificateParser();
            PkixCertPathBuilderResult builderResult = null;
            PkixCertPathValidator     validator     = new PkixCertPathValidator();

            try
            {
                // check whether the issuer of <tbvCert> is a TrustAnchor
                if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
                {
                    // exception message from possibly later tried certification
                    // chains
                    PkixCertPath certPath = null;
                    try
                    {
                        certPath = new PkixCertPath(tbvPath);
                    }
                    catch (Exception e)
                    {
                        throw new Exception(
                                  "Certification path could not be constructed from certificate list.",
                                  e);
                    }

                    PkixCertPathValidatorResult result = null;
                    try
                    {
                        result = (PkixCertPathValidatorResult)validator.Validate(
                            certPath, pkixParams);
                    }
                    catch (Exception e)
                    {
                        throw new Exception(
                                  "Certification path could not be validated.", e);
                    }

                    return(new PkixCertPathBuilderResult(certPath, result.TrustAnchor,
                                                         result.PolicyTree, result.SubjectPublicKey));
                }
                else
                {
                    // add additional X.509 stores from locations in certificate
                    try
                    {
                        PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(
                            tbvCert, pkixParams);
                    }
                    catch (CertificateParsingException e)
                    {
                        throw new Exception(
                                  "No additiontal X.509 stores can be added from certificate locations.",
                                  e);
                    }

                    // try to get the issuer certificate from one of the stores
                    HashSet issuers = new HashSet();
                    try
                    {
                        issuers.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
                    }
                    catch (Exception e)
                    {
                        throw new Exception(
                                  "Cannot find issuer certificate for certificate in certification path.",
                                  e);
                    }

                    if (issuers.IsEmpty)
                    {
                        throw new Exception("No issuer certificate for certificate in certification path found.");
                    }

                    foreach (X509Certificate issuer in issuers)
                    {
                        builderResult = Build(issuer, pkixParams, tbvPath);

                        if (builderResult != null)
                        {
                            break;
                        }
                    }
                }
            }
            catch (Exception e)
            {
                certPathException = e;
            }

            if (builderResult == null)
            {
                tbvPath.Remove(tbvCert);
            }

            return(builderResult);
        }