internal static void ProcessAttrCert7(IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams) { ISet criticalExtensionOids = attrCert.GetCriticalExtensionOids(); if (criticalExtensionOids.Contains(X509Extensions.TargetInformation.Id)) { try { TargetInformation.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.TargetInformation)); } catch (Exception cause) { throw new PkixCertPathValidatorException("Target information extension could not be read.", cause); } } criticalExtensionOids.Remove(X509Extensions.TargetInformation.Id); foreach (PkixAttrCertChecker pkixAttrCertChecker in pkixParams.GetAttrCertCheckers()) { pkixAttrCertChecker.Check(attrCert, certPath, holderCertPath, criticalExtensionOids); } if (!criticalExtensionOids.IsEmpty) { throw new PkixCertPathValidatorException("Attribute certificate contains unsupported critical extensions: " + criticalExtensionOids); } }
internal static void AddAdditionalStoresFromCrlDistributionPoint(CrlDistPoint crldp, PkixParameters pkixParams) { if (crldp != null) { DistributionPoint[] array = null; try { array = crldp.GetDistributionPoints(); } catch (Exception innerException) { throw new Exception("Distribution points could not be read.", innerException); } for (int i = 0; i < array.Length; i++) { DistributionPointName distributionPointName = array[i].DistributionPointName; if (distributionPointName != null && distributionPointName.PointType == 0) { GeneralName[] names = GeneralNames.GetInstance(distributionPointName.Name).GetNames(); for (int j = 0; j < names.Length; j++) { if (names[j].TagNo == 6) { string @string = DerIA5String.GetInstance(names[j].Name).GetString(); PkixCertPathValidatorUtilities.AddAdditionalStoreFromLocation(@string, pkixParams); } } } } } }
private static void CheckCrl(DistributionPoint dp, IX509AttributeCertificate attrCert, PkixParameters paramsPKIX, DateTime validDate, X509Certificate issuerCert, CertStatus certStatus, ReasonsMask reasonMask, IList certPathCerts) { if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) != null) { return; } DateTime utcNow = DateTime.UtcNow; if (validDate.CompareTo(utcNow) > 0) { throw new Exception("Validation time is in future."); } ISet completeCrls = PkixCertPathValidatorUtilities.GetCompleteCrls(dp, attrCert, utcNow, paramsPKIX); bool flag = false; Exception ex = null; IEnumerator enumerator = completeCrls.GetEnumerator(); while (enumerator.MoveNext() && certStatus.Status == 11 && !reasonMask.IsAllReasons) { try { X509Crl x509Crl = (X509Crl)enumerator.Current; ReasonsMask reasonsMask = Rfc3280CertPathUtilities.ProcessCrlD(x509Crl, dp); if (reasonsMask.HasNewReasons(reasonMask)) { ISet keys = Rfc3280CertPathUtilities.ProcessCrlF(x509Crl, attrCert, null, null, paramsPKIX, certPathCerts); AsymmetricKeyParameter key = Rfc3280CertPathUtilities.ProcessCrlG(x509Crl, keys); X509Crl x509Crl2 = null; if (paramsPKIX.IsUseDeltasEnabled) { ISet deltaCrls = PkixCertPathValidatorUtilities.GetDeltaCrls(utcNow, paramsPKIX, x509Crl); x509Crl2 = Rfc3280CertPathUtilities.ProcessCrlH(deltaCrls, key); } if (paramsPKIX.ValidityModel != 1 && attrCert.NotAfter.CompareTo(x509Crl.ThisUpdate) < 0) { throw new Exception("No valid CRL for current time found."); } Rfc3280CertPathUtilities.ProcessCrlB1(dp, attrCert, x509Crl); Rfc3280CertPathUtilities.ProcessCrlB2(dp, attrCert, x509Crl); Rfc3280CertPathUtilities.ProcessCrlC(x509Crl2, x509Crl, paramsPKIX); Rfc3280CertPathUtilities.ProcessCrlI(validDate, x509Crl2, attrCert, certStatus, paramsPKIX); Rfc3280CertPathUtilities.ProcessCrlJ(validDate, x509Crl, attrCert, certStatus); if (certStatus.Status == 8) { certStatus.Status = 11; } reasonMask.AddReasons(reasonsMask); flag = true; } } catch (Exception ex2) { ex = ex2; } } if (!flag) { throw ex; } }
/** * Find the issuer certificates of a given certificate. * * @param cert * The certificate for which an issuer should be found. * @param pkixParams * @return A <code>Collection</code> object containing the issuer * <code>X509Certificate</code>s. Never <code>null</code>. * * @exception Exception * if an error occurs. */ internal static ICollection FindIssuerCerts( X509Certificate cert, PkixBuilderParameters pkixParams) { X509CertStoreSelector certSelect = new X509CertStoreSelector(); ISet certs = new HashSet(); try { certSelect.Subject = cert.IssuerDN; } catch (IOException ex) { throw new Exception( "Subject criteria for certificate selector to find issuer certificate could not be set.", ex); } try { certs.AddAll(PkixCertPathValidatorUtilities.FindCertificates(certSelect, pkixParams.GetStores())); certs.AddAll(PkixCertPathValidatorUtilities.FindCertificates(certSelect, pkixParams.GetAdditionalStores())); } catch (Exception e) { throw new Exception("Issuer certificate cannot be searched.", e); } return(certs); }
internal static PkixPolicyNode PrepareNextCertB2(int i, IList[] policyNodes, string id_p, PkixPolicyNode validPolicyTree) { int num = 0; foreach (PkixPolicyNode pkixPolicyNode in Platform.CreateArrayList(policyNodes[i])) { if (pkixPolicyNode.ValidPolicy.Equals(id_p)) { PkixPolicyNode parent = pkixPolicyNode.Parent; parent.RemoveChild(pkixPolicyNode); policyNodes[i].RemoveAt(num); for (int j = i - 1; j >= 0; j--) { IList list = policyNodes[j]; for (int k = 0; k < list.Count; k++) { PkixPolicyNode pkixPolicyNode2 = (PkixPolicyNode)list[k]; if (!pkixPolicyNode2.HasChildren) { validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree, policyNodes, pkixPolicyNode2); if (validPolicyTree == null) { break; } } } } } else { num++; } } return(validPolicyTree); }
public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters pkixParams) { //IL_002d: Unknown result type (might be due to invalid IL or missing references) IX509Selector targetConstraints = pkixParams.GetTargetConstraints(); if (!(targetConstraints is X509AttrCertStoreSelector)) { throw new ArgumentException("TargetConstraints must be an instance of " + typeof(X509AttrCertStoreSelector).get_FullName(), "pkixParams"); } IX509AttributeCertificate attributeCert = ((X509AttrCertStoreSelector)targetConstraints).AttributeCert; PkixCertPath holderCertPath = Rfc3281CertPathUtilities.ProcessAttrCert1(attributeCert, pkixParams); PkixCertPathValidatorResult result = Rfc3281CertPathUtilities.ProcessAttrCert2(certPath, pkixParams); X509Certificate x509Certificate = (X509Certificate)certPath.Certificates.get_Item(0); Rfc3281CertPathUtilities.ProcessAttrCert3(x509Certificate, pkixParams); Rfc3281CertPathUtilities.ProcessAttrCert4(x509Certificate, pkixParams); Rfc3281CertPathUtilities.ProcessAttrCert5(attributeCert, pkixParams); Rfc3281CertPathUtilities.ProcessAttrCert7(attributeCert, certPath, holderCertPath, pkixParams); Rfc3281CertPathUtilities.AdditionalChecks(attributeCert, pkixParams); global::System.DateTime validCertDateFromValidityModel; try { validCertDateFromValidityModel = PkixCertPathValidatorUtilities.GetValidCertDateFromValidityModel(pkixParams, null, -1); } catch (global::System.Exception cause) { throw new PkixCertPathValidatorException("Could not get validity date from attribute certificate.", cause); } Rfc3281CertPathUtilities.CheckCrls(attributeCert, pkixParams, x509Certificate, validCertDateFromValidityModel, certPath.Certificates); return(result); }
/** * Build and validate a CertPath using the given parameter. * * @param params PKIXBuilderParameters object containing all information to * build the CertPath */ public virtual PkixCertPathBuilderResult Build( PkixBuilderParameters pkixParams) { // search target certificates IX509Selector certSelect = pkixParams.GetTargetCertConstraints(); if (!(certSelect is X509CertStoreSelector)) { throw new PkixCertPathBuilderException( "TargetConstraints must be an instance of " + typeof(X509CertStoreSelector).FullName + " for " + this.GetType() + " class."); } ISet targets = new HashSet(); try { targets.AddAll(PkixCertPathValidatorUtilities.FindCertificates((X509CertStoreSelector)certSelect, pkixParams.GetStores())); // TODO Should this include an entry for pkixParams.GetAdditionalStores() too? } catch (Exception e) { throw new PkixCertPathBuilderException( "Error finding target certificate.", e); } if (targets.IsEmpty) { throw new PkixCertPathBuilderException("No certificate found matching targetContraints."); } PkixCertPathBuilderResult result = null; IList certPathList = new ArrayList(); // check all potential target certificates foreach (X509Certificate cert in targets) { result = Build(cert, pkixParams, certPathList); if (result != null) { break; } } if (result == null && certPathException != null) { throw new PkixCertPathBuilderException(certPathException.Message, certPathException.InnerException); } if (result == null && certPathException == null) { throw new PkixCertPathBuilderException("Unable to find certificate chain."); } return(result); }
internal static ISet GetDeltaCrls(DateTime currentDate, PkixParameters paramsPKIX, X509Crl completeCRL) { X509CrlStoreSelector x509CrlStoreSelector = new X509CrlStoreSelector(); try { IList list = Platform.CreateArrayList(); list.Add(completeCRL.IssuerDN); x509CrlStoreSelector.Issuers = list; } catch (IOException innerException) { throw new Exception("Cannot extract issuer from CRL.", innerException); } BigInteger bigInteger = null; try { Asn1Object extensionValue = PkixCertPathValidatorUtilities.GetExtensionValue(completeCRL, X509Extensions.CrlNumber); if (extensionValue != null) { bigInteger = DerInteger.GetInstance(extensionValue).PositiveValue; } } catch (Exception innerException2) { throw new Exception("CRL number extension could not be extracted from CRL.", innerException2); } byte[] issuingDistributionPoint = null; try { Asn1Object extensionValue2 = PkixCertPathValidatorUtilities.GetExtensionValue(completeCRL, X509Extensions.IssuingDistributionPoint); if (extensionValue2 != null) { issuingDistributionPoint = extensionValue2.GetDerEncoded(); } } catch (Exception innerException3) { throw new Exception("Issuing distribution point extension value could not be read.", innerException3); } x509CrlStoreSelector.MinCrlNumber = ((bigInteger == null) ? null : bigInteger.Add(BigInteger.One)); x509CrlStoreSelector.IssuingDistributionPoint = issuingDistributionPoint; x509CrlStoreSelector.IssuingDistributionPointEnabled = true; x509CrlStoreSelector.MaxBaseCrlNumber = bigInteger; ISet set = PkixCertPathValidatorUtilities.CrlUtilities.FindCrls(x509CrlStoreSelector, paramsPKIX, currentDate); ISet set2 = new HashSet(); foreach (X509Crl x509Crl in set) { if (PkixCertPathValidatorUtilities.isDeltaCrl(x509Crl)) { set2.Add(x509Crl); } } return(set2); }
/** * Fetches complete CRLs according to RFC 3280. * * @param dp The distribution point for which the complete CRL * @param cert The <code>X509Certificate</code> or * {@link org.bouncycastle.x509.X509AttributeCertificate} for * which the CRL should be searched. * @param currentDate The date for which the delta CRLs must be valid. * @param paramsPKIX The extended PKIX parameters. * @return A <code>Set</code> of <code>X509CRL</code>s with complete * CRLs. * @throws Exception if an exception occurs while picking the CRLs * or no CRLs are found. */ internal static ISet GetCompleteCrls( DistributionPoint dp, object cert, DateTime currentDate, PkixParameters paramsPKIX) { X509CrlStoreSelector crlselect = new X509CrlStoreSelector(); try { ISet issuers = new HashSet(); if (cert is X509V2AttributeCertificate) { issuers.Add(((X509V2AttributeCertificate)cert) .Issuer.GetPrincipals()[0]); } else { issuers.Add(GetIssuerPrincipal(cert)); } PkixCertPathValidatorUtilities.GetCrlIssuersFromDistributionPoint(dp, issuers, crlselect, paramsPKIX); } catch (Exception e) { throw new Exception("Could not get issuer information from distribution point.", e); } if (cert is X509Certificate) { crlselect.CertificateChecking = (X509Certificate)cert; } else if (cert is X509V2AttributeCertificate) { crlselect.AttrCertChecking = (IX509AttributeCertificate)cert; } crlselect.CompleteCrlEnabled = true; ISet crls = CrlUtilities.FindCrls(crlselect, paramsPKIX, currentDate); if (crls.IsEmpty) { if (cert is IX509AttributeCertificate) { IX509AttributeCertificate aCert = (IX509AttributeCertificate)cert; throw new Exception("No CRLs found for issuer \"" + aCert.Issuer.GetPrincipals()[0] + "\""); } else { X509Certificate xCert = (X509Certificate)cert; throw new Exception("No CRLs found for issuer \"" + xCert.IssuerDN + "\""); } } return(crls); }
private static void RemovePolicyNodeRecurse(IList[] policyNodes, PkixPolicyNode _node) { policyNodes[_node.Depth].Remove(_node); if (_node.HasChildren) { foreach (PkixPolicyNode node in _node.Children) { PkixCertPathValidatorUtilities.RemovePolicyNodeRecurse(policyNodes, node); } } }
public virtual PkixCertPathBuilderResult Build(PkixBuilderParameters pkixParams) { IX509Selector targetCertConstraints = pkixParams.GetTargetCertConstraints(); if (!(targetCertConstraints is X509CertStoreSelector)) { throw new PkixCertPathBuilderException(string.Concat(new object[] { "TargetConstraints must be an instance of ", typeof(X509CertStoreSelector).FullName, " for ", base.GetType(), " class." })); } ISet set = new HashSet(); try { set.AddAll(PkixCertPathValidatorUtilities.FindCertificates((X509CertStoreSelector)targetCertConstraints, pkixParams.GetStores())); } catch (Exception exception) { throw new PkixCertPathBuilderException("Error finding target certificate.", exception); } if (set.IsEmpty) { throw new PkixCertPathBuilderException("No certificate found matching targetContraints."); } PkixCertPathBuilderResult pkixCertPathBuilderResult = null; IList tbvPath = Platform.CreateArrayList(); foreach (X509Certificate tbvCert in set) { pkixCertPathBuilderResult = this.Build(tbvCert, pkixParams, tbvPath); if (pkixCertPathBuilderResult != null) { break; } } if (pkixCertPathBuilderResult == null && this.certPathException != null) { throw new PkixCertPathBuilderException(this.certPathException.Message, this.certPathException.InnerException); } if (pkixCertPathBuilderResult == null && this.certPathException == null) { throw new PkixCertPathBuilderException("Unable to find certificate chain."); } return(pkixCertPathBuilderResult); }
internal static DateTime GetValidCertDateFromValidityModel( PkixParameters paramsPkix, PkixCertPath certPath, int index) { if (paramsPkix.ValidityModel != PkixParameters.ChainValidityModel) { return(GetValidDate(paramsPkix)); } // if end cert use given signing/encryption/... time if (index <= 0) { return(PkixCertPathValidatorUtilities.GetValidDate(paramsPkix)); // else use time when previous cert was created } if (index - 1 == 0) { DerGeneralizedTime dateOfCertgen = null; try { X509Certificate cert = (X509Certificate)certPath.Certificates[index - 1]; Asn1OctetString extVal = cert.GetExtensionValue( IsisMttObjectIdentifiers.IdIsisMttATDateOfCertGen); dateOfCertgen = DerGeneralizedTime.GetInstance(extVal); } catch (ArgumentException) { throw new Exception( "Date of cert gen extension could not be read."); } if (dateOfCertgen != null) { try { return(dateOfCertgen.ToDateTime()); } catch (ArgumentException e) { throw new Exception( "Date from date of cert gen extension could not be parsed.", e); } } } return(((X509Certificate)certPath.Certificates[index - 1]).NotBefore); }
internal static void ProcessAttrCert5(IX509AttributeCertificate attrCert, PkixParameters pkixParams) { try { attrCert.CheckValidity(PkixCertPathValidatorUtilities.GetValidDate(pkixParams)); } catch (CertificateExpiredException cause) { throw new PkixCertPathValidatorException("Attribute certificate is not valid.", cause); } catch (CertificateNotYetValidException cause2) { throw new PkixCertPathValidatorException("Attribute certificate is not valid.", cause2); } }
internal static void GetCertStatus(DateTime validDate, X509Crl crl, object cert, CertStatus certStatus) { X509Crl x509Crl = null; try { x509Crl = new X509Crl(CertificateList.GetInstance((Asn1Sequence)Asn1Object.FromByteArray(crl.GetEncoded()))); } catch (Exception innerException) { throw new Exception("Bouncy Castle X509Crl could not be created.", innerException); } X509CrlEntry revokedCertificate = x509Crl.GetRevokedCertificate(PkixCertPathValidatorUtilities.GetSerialNumber(cert)); if (revokedCertificate == null) { return; } X509Name issuerPrincipal = PkixCertPathValidatorUtilities.GetIssuerPrincipal(cert); if (issuerPrincipal.Equivalent(revokedCertificate.GetCertificateIssuer(), true) || issuerPrincipal.Equivalent(crl.IssuerDN, true)) { DerEnumerated derEnumerated = null; if (revokedCertificate.HasExtensions) { try { derEnumerated = DerEnumerated.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(revokedCertificate, X509Extensions.ReasonCode)); } catch (Exception innerException2) { throw new Exception("Reason code CRL entry extension could not be decoded.", innerException2); } } if (validDate.Ticks >= revokedCertificate.RevocationDate.Ticks || derEnumerated == null || derEnumerated.Value.TestBit(0) || derEnumerated.Value.TestBit(1) || derEnumerated.Value.TestBit(2) || derEnumerated.Value.TestBit(8)) { if (derEnumerated != null) { certStatus.Status = derEnumerated.Value.SignValue; } else { certStatus.Status = 0; } certStatus.RevocationDate = new DateTimeObject(revokedCertificate.RevocationDate); } } }
internal static void AddAdditionalStoresFromAltNames(X509Certificate cert, PkixParameters pkixParams) { if (cert.GetIssuerAlternativeNames() != null) { IEnumerator enumerator = cert.GetIssuerAlternativeNames().GetEnumerator(); while (enumerator.MoveNext()) { IList list = (IList)enumerator.Current; if (list[0].Equals(6)) { string location = (string)list[1]; PkixCertPathValidatorUtilities.AddAdditionalStoreFromLocation(location, pkixParams); } } } }
internal static ISet GetCompleteCrls(DistributionPoint dp, object cert, DateTime currentDate, PkixParameters paramsPKIX) { X509CrlStoreSelector x509CrlStoreSelector = new X509CrlStoreSelector(); try { ISet set = new HashSet(); if (cert is X509V2AttributeCertificate) { set.Add(((X509V2AttributeCertificate)cert).Issuer.GetPrincipals()[0]); } else { set.Add(PkixCertPathValidatorUtilities.GetIssuerPrincipal(cert)); } PkixCertPathValidatorUtilities.GetCrlIssuersFromDistributionPoint(dp, set, x509CrlStoreSelector, paramsPKIX); } catch (Exception innerException) { throw new Exception("Could not get issuer information from distribution point.", innerException); } if (cert is X509Certificate) { x509CrlStoreSelector.CertificateChecking = (X509Certificate)cert; } else if (cert is X509V2AttributeCertificate) { x509CrlStoreSelector.AttrCertChecking = (IX509AttributeCertificate)cert; } x509CrlStoreSelector.CompleteCrlEnabled = true; ISet set2 = PkixCertPathValidatorUtilities.CrlUtilities.FindCrls(x509CrlStoreSelector, paramsPKIX, currentDate); if (!set2.IsEmpty) { return(set2); } if (cert is IX509AttributeCertificate) { IX509AttributeCertificate iX509AttributeCertificate = (IX509AttributeCertificate)cert; throw new Exception("No CRLs found for issuer \"" + iX509AttributeCertificate.Issuer.GetPrincipals()[0] + "\""); } X509Certificate x509Certificate = (X509Certificate)cert; throw new Exception("No CRLs found for issuer \"" + x509Certificate.IssuerDN + "\""); }
internal static void AddAdditionalStoresFromCrlDistributionPoint( CrlDistPoint crldp, PkixParameters pkixParams) { if (crldp != null) { DistributionPoint[] dps = null; try { dps = crldp.GetDistributionPoints(); } catch (Exception e) { throw new Exception( "Distribution points could not be read.", e); } for (int i = 0; i < dps.Length; i++) { DistributionPointName dpn = dps[i].DistributionPointName; // look for URIs in fullName if (dpn != null) { if (dpn.PointType == DistributionPointName.FullName) { GeneralName[] genNames = GeneralNames.GetInstance( dpn.Name).GetNames(); // look for an URI for (int j = 0; j < genNames.Length; j++) { if (genNames[j].TagNo == GeneralName.UniformResourceIdentifier) { string location = DerIA5String.GetInstance( genNames[j].Name).GetString(); PkixCertPathValidatorUtilities.AddAdditionalStoreFromLocation( location, pkixParams); } } } } } } }
internal static PkixPolicyNode RemovePolicyNode(PkixPolicyNode validPolicyTree, IList[] policyNodes, PkixPolicyNode _node) { PkixPolicyNode parent = _node.Parent; if (validPolicyTree == null) { return(null); } if (parent == null) { for (int i = 0; i < policyNodes.Length; i++) { policyNodes[i] = Platform.CreateArrayList(); } return(null); } parent.RemoveChild(_node); PkixCertPathValidatorUtilities.RemovePolicyNodeRecurse(policyNodes, _node); return(validPolicyTree); }
internal static void ProcessAttrCert7( IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams) { // TODO: // AA Controls // Attribute encryption // Proxy ISet critExtOids = attrCert.GetCriticalExtensionOids(); // 7.1 // process extensions // target information checked in step 6 / X509AttributeCertStoreSelector if (critExtOids.Contains(X509Extensions.TargetInformation.Id)) { try { TargetInformation.GetInstance(PkixCertPathValidatorUtilities .GetExtensionValue(attrCert, X509Extensions.TargetInformation)); } catch (Exception e) { throw new PkixCertPathValidatorException( "Target information extension could not be read.", e); } } critExtOids.Remove(X509Extensions.TargetInformation.Id); foreach (PkixAttrCertChecker checker in pkixParams.GetAttrCertCheckers()) { checker.Check(attrCert, certPath, holderCertPath, critExtOids); } if (!critExtOids.IsEmpty) { throw new PkixCertPathValidatorException( "Attribute certificate contains unsupported critical extensions: " + critExtOids); } }
internal static void ProcessAttrCert7(IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams) { ISet criticalExtensionOids = attrCert.GetCriticalExtensionOids(); if (criticalExtensionOids.Contains(X509Extensions.TargetInformation.Id)) { try { TargetInformation.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.TargetInformation)); } catch (global::System.Exception cause) { throw new PkixCertPathValidatorException("Target information extension could not be read.", cause); } } criticalExtensionOids.Remove(X509Extensions.TargetInformation.Id); global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)pkixParams.GetAttrCertCheckers()).GetEnumerator(); try { while (enumerator.MoveNext()) { PkixAttrCertChecker pkixAttrCertChecker = (PkixAttrCertChecker)enumerator.get_Current(); pkixAttrCertChecker.Check(attrCert, certPath, holderCertPath, criticalExtensionOids); } } finally { global::System.IDisposable disposable = enumerator as global::System.IDisposable; if (disposable != null) { disposable.Dispose(); } } if (!criticalExtensionOids.IsEmpty) { throw new PkixCertPathValidatorException(string.Concat((object)"Attribute certificate contains unsupported critical extensions: ", (object)criticalExtensionOids)); } }
/** * Validates an attribute certificate with the given certificate path. * * <p> * <code>params</code> must be an instance of * <code>ExtendedPkixParameters</code>. * </p><p> * The target constraints in the <code>params</code> must be an * <code>X509AttrCertStoreSelector</code> with at least the attribute * certificate criterion set. Obey that also target informations may be * necessary to correctly validate this attribute certificate. * </p><p> * The attribute certificate issuer must be added to the trusted attribute * issuers with {@link ExtendedPkixParameters#setTrustedACIssuers(Set)}. * </p> * @param certPath The certificate path which belongs to the attribute * certificate issuer public key certificate. * @param params The PKIX parameters. * @return A <code>PKIXCertPathValidatorResult</code> of the result of * validating the <code>certPath</code>. * @throws InvalidAlgorithmParameterException if <code>params</code> is * inappropriate for this validator. * @throws CertPathValidatorException if the verification fails. */ public virtual PkixCertPathValidatorResult Validate( PkixCertPath certPath, PkixParameters pkixParams) { IX509Selector certSelect = pkixParams.GetTargetConstraints(); if (!(certSelect is X509AttrCertStoreSelector)) { throw new ArgumentException( "TargetConstraints must be an instance of " + typeof(X509AttrCertStoreSelector).FullName, "pkixParams"); } IX509AttributeCertificate attrCert = ((X509AttrCertStoreSelector)certSelect).AttributeCert; PkixCertPath holderCertPath = Rfc3281CertPathUtilities.ProcessAttrCert1(attrCert, pkixParams); PkixCertPathValidatorResult result = Rfc3281CertPathUtilities.ProcessAttrCert2(certPath, pkixParams); X509Certificate issuerCert = (X509Certificate)certPath.Certificates[0]; Rfc3281CertPathUtilities.ProcessAttrCert3(issuerCert, pkixParams); Rfc3281CertPathUtilities.ProcessAttrCert4(issuerCert, pkixParams); Rfc3281CertPathUtilities.ProcessAttrCert5(attrCert, pkixParams); // 6 already done in X509AttrCertStoreSelector Rfc3281CertPathUtilities.ProcessAttrCert7(attrCert, certPath, holderCertPath, pkixParams); Rfc3281CertPathUtilities.AdditionalChecks(attrCert, pkixParams); DateTime date; try { date = PkixCertPathValidatorUtilities.GetValidCertDateFromValidityModel(pkixParams, null, -1); } catch (Exception e) { throw new PkixCertPathValidatorException( "Could not get validity date from attribute certificate.", e); } Rfc3281CertPathUtilities.CheckCrls(attrCert, pkixParams, issuerCert, date, certPath.Certificates); return(result); }
internal static void AddAdditionalStoresFromAltNames( X509Certificate cert, PkixParameters pkixParams) { // if in the IssuerAltName extension an URI // is given, add an additinal X.509 store if (cert.GetIssuerAlternativeNames() != null) { IEnumerator it = cert.GetIssuerAlternativeNames().GetEnumerator(); while (it.MoveNext()) { // look for URI IList list = (IList)it.Current; //if (list[0].Equals(new Integer(GeneralName.UniformResourceIdentifier))) if (list[0].Equals(GeneralName.UniformResourceIdentifier)) { // found string temp = (string)list[1]; PkixCertPathValidatorUtilities.AddAdditionalStoreFromLocation(temp, pkixParams); } } } }
internal static DateTime GetValidCertDateFromValidityModel(PkixParameters paramsPkix, PkixCertPath certPath, int index) { if (paramsPkix.ValidityModel != 1) { return(PkixCertPathValidatorUtilities.GetValidDate(paramsPkix)); } if (index <= 0) { return(PkixCertPathValidatorUtilities.GetValidDate(paramsPkix)); } if (index - 1 == 0) { DerGeneralizedTime derGeneralizedTime = null; try { X509Certificate x509Certificate = (X509Certificate)certPath.Certificates[index - 1]; Asn1OctetString extensionValue = x509Certificate.GetExtensionValue(IsisMttObjectIdentifiers.IdIsisMttATDateOfCertGen); derGeneralizedTime = DerGeneralizedTime.GetInstance(extensionValue); } catch (ArgumentException) { throw new Exception("Date of cert gen extension could not be read."); } if (derGeneralizedTime != null) { try { return(derGeneralizedTime.ToDateTime()); } catch (ArgumentException innerException) { throw new Exception("Date from date of cert gen extension could not be parsed.", innerException); } } } return(((X509Certificate)certPath.Certificates[index - 1]).NotBefore); }
internal static ICollection FindIssuerCerts(X509Certificate cert, PkixBuilderParameters pkixParams) { X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector(); ISet set = new HashSet(); try { x509CertStoreSelector.Subject = cert.IssuerDN; } catch (IOException innerException) { throw new Exception("Subject criteria for certificate selector to find issuer certificate could not be set.", innerException); } try { set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores())); set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetAdditionalStores())); } catch (Exception innerException2) { throw new Exception("Issuer certificate cannot be searched.", innerException2); } return(set); }
private PkixCertPathBuilderResult Build(IX509AttributeCertificate attrCert, X509Certificate tbvCert, PkixBuilderParameters pkixParams, IList tbvPath) { if (tbvPath.Contains(tbvCert)) { return(null); } if (pkixParams.GetExcludedCerts().Contains(tbvCert)) { return(null); } if (pkixParams.MaxPathLength != -1 && tbvPath.Count - 1 > pkixParams.MaxPathLength) { return(null); } tbvPath.Add(tbvCert); PkixCertPathBuilderResult pkixCertPathBuilderResult = null; PkixAttrCertPathValidator pkixAttrCertPathValidator = new PkixAttrCertPathValidator(); try { if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null) { PkixCertPath certPath = new PkixCertPath(tbvPath); PkixCertPathValidatorResult pkixCertPathValidatorResult; try { pkixCertPathValidatorResult = pkixAttrCertPathValidator.Validate(certPath, pkixParams); } catch (Exception innerException) { throw new Exception("Certification path could not be validated.", innerException); } return(new PkixCertPathBuilderResult(certPath, pkixCertPathValidatorResult.TrustAnchor, pkixCertPathValidatorResult.PolicyTree, pkixCertPathValidatorResult.SubjectPublicKey)); } try { PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams); } catch (CertificateParsingException innerException2) { throw new Exception("No additional X.509 stores can be added from certificate locations.", innerException2); } ISet set = new HashSet(); try { set.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams)); } catch (Exception innerException3) { throw new Exception("Cannot find issuer certificate for certificate in certification path.", innerException3); } if (set.IsEmpty) { throw new Exception("No issuer certificate for certificate in certification path found."); } foreach (X509Certificate x509Certificate in set) { if (!PkixCertPathValidatorUtilities.IsSelfIssued(x509Certificate)) { pkixCertPathBuilderResult = this.Build(attrCert, x509Certificate, pkixParams, tbvPath); if (pkixCertPathBuilderResult != null) { break; } } } } catch (Exception innerException4) { this.certPathException = new Exception("No valid certification path could be build.", innerException4); } if (pkixCertPathBuilderResult == null) { tbvPath.Remove(tbvCert); } return(pkixCertPathBuilderResult); }
public virtual PkixCertPathBuilderResult Build(PkixBuilderParameters pkixParams) { IX509Selector targetConstraints = pkixParams.GetTargetConstraints(); if (!(targetConstraints is X509AttrCertStoreSelector)) { throw new PkixCertPathBuilderException(string.Concat(new string[] { "TargetConstraints must be an instance of ", typeof(X509AttrCertStoreSelector).FullName, " for ", typeof(PkixAttrCertPathBuilder).FullName, " class." })); } ICollection collection; try { collection = PkixCertPathValidatorUtilities.FindCertificates((X509AttrCertStoreSelector)targetConstraints, pkixParams.GetStores()); } catch (Exception exception) { throw new PkixCertPathBuilderException("Error finding target attribute certificate.", exception); } if (collection.Count == 0) { throw new PkixCertPathBuilderException("No attribute certificate found matching targetContraints."); } PkixCertPathBuilderResult pkixCertPathBuilderResult = null; foreach (IX509AttributeCertificate iX509AttributeCertificate in collection) { X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector(); X509Name[] principals = iX509AttributeCertificate.Issuer.GetPrincipals(); ISet set = new HashSet(); for (int i = 0; i < principals.Length; i++) { try { x509CertStoreSelector.Subject = principals[i]; set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores())); } catch (Exception exception2) { throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be searched.", exception2); } } if (set.IsEmpty) { throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be found."); } IList tbvPath = Platform.CreateArrayList(); foreach (X509Certificate tbvCert in set) { pkixCertPathBuilderResult = this.Build(iX509AttributeCertificate, tbvCert, pkixParams, tbvPath); if (pkixCertPathBuilderResult != null) { break; } } if (pkixCertPathBuilderResult != null) { break; } } if (pkixCertPathBuilderResult == null && this.certPathException != null) { throw new PkixCertPathBuilderException("Possible certificate chain could not be validated.", this.certPathException); } if (pkixCertPathBuilderResult == null && this.certPathException == null) { throw new PkixCertPathBuilderException("Unable to find certificate chain."); } return(pkixCertPathBuilderResult); }
/** * Checks if an attribute certificate is revoked. * * @param attrCert Attribute certificate to check if it is revoked. * @param paramsPKIX PKIX parameters. * @param issuerCert The issuer certificate of the attribute certificate * <code>attrCert</code>. * @param validDate The date when the certificate revocation status should * be checked. * @param certPathCerts The certificates of the certification path to be * checked. * * @throws CertPathValidatorException if the certificate is revoked or the * status cannot be checked or some error occurs. */ internal static void CheckCrls( IX509AttributeCertificate attrCert, PkixParameters paramsPKIX, X509Certificate issuerCert, DateTime validDate, IList certPathCerts) { if (!paramsPKIX.IsRevocationEnabled) { return; } // check if revocation is available if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) != null) { if (attrCert.GetExtensionValue(X509Extensions.CrlDistributionPoints) != null || attrCert.GetExtensionValue(X509Extensions.AuthorityInfoAccess) != null) { throw new PkixCertPathValidatorException( "No rev avail extension is set, but also an AC revocation pointer."); } return; } CrlDistPoint crldp = null; try { crldp = CrlDistPoint.GetInstance( PkixCertPathValidatorUtilities.GetExtensionValue( attrCert, X509Extensions.CrlDistributionPoints)); } catch (Exception e) { throw new PkixCertPathValidatorException( "CRL distribution point extension could not be read.", e); } try { PkixCertPathValidatorUtilities .AddAdditionalStoresFromCrlDistributionPoint(crldp, paramsPKIX); } catch (Exception e) { throw new PkixCertPathValidatorException( "No additional CRL locations could be decoded from CRL distribution point extension.", e); } CertStatus certStatus = new CertStatus(); ReasonsMask reasonsMask = new ReasonsMask(); Exception lastException = null; bool validCrlFound = false; // for each distribution point if (crldp != null) { DistributionPoint[] dps = null; try { dps = crldp.GetDistributionPoints(); } catch (Exception e) { throw new PkixCertPathValidatorException( "Distribution points could not be read.", e); } try { for (int i = 0; i < dps.Length && certStatus.Status == CertStatus.Unrevoked && !reasonsMask.IsAllReasons; i++) { PkixParameters paramsPKIXClone = (PkixParameters)paramsPKIX .Clone(); CheckCrl(dps[i], attrCert, paramsPKIXClone, validDate, issuerCert, certStatus, reasonsMask, certPathCerts); validCrlFound = true; } } catch (Exception e) { lastException = new Exception( "No valid CRL for distribution point found.", e); } } /* * If the revocation status has not been determined, repeat the * process above with any available CRLs not specified in a * distribution point but issued by the certificate issuer. */ if (certStatus.Status == CertStatus.Unrevoked && !reasonsMask.IsAllReasons) { try { /* * assume a DP with both the reasons and the cRLIssuer * fields omitted and a distribution point name of the * certificate issuer. */ X509Name issuer; try { issuer = X509Name.GetInstance(attrCert.Issuer.GetPrincipals()[0].GetEncoded()); } catch (Exception e) { throw new Exception( "Issuer from certificate for CRL could not be reencoded.", e); } DistributionPoint dp = new DistributionPoint( new DistributionPointName(0, new GeneralNames( new GeneralName(GeneralName.DirectoryName, issuer))), null, null); PkixParameters paramsPKIXClone = (PkixParameters)paramsPKIX.Clone(); CheckCrl(dp, attrCert, paramsPKIXClone, validDate, issuerCert, certStatus, reasonsMask, certPathCerts); validCrlFound = true; } catch (Exception e) { lastException = new Exception( "No valid CRL for distribution point found.", e); } } if (!validCrlFound) { throw new PkixCertPathValidatorException( "No valid CRL found.", lastException); } if (certStatus.Status != CertStatus.Unrevoked) { // This format is enforced by the NistCertPath tests string formattedDate = certStatus.RevocationDate.Value.ToString( "ddd MMM dd HH:mm:ss K yyyy"); string message = "Attribute certificate revocation after " + formattedDate; message += ", reason: " + Rfc3280CertPathUtilities.CrlReasons[certStatus.Status]; throw new PkixCertPathValidatorException(message); } if (!reasonsMask.IsAllReasons && certStatus.Status == CertStatus.Unrevoked) { certStatus.Status = CertStatus.Undetermined; } if (certStatus.Status == CertStatus.Undetermined) { throw new PkixCertPathValidatorException( "Attribute certificate status could not be determined."); } }
/** * * Checks a distribution point for revocation information for the * certificate <code>attrCert</code>. * * @param dp The distribution point to consider. * @param attrCert The attribute certificate which should be checked. * @param paramsPKIX PKIX parameters. * @param validDate The date when the certificate revocation status should * be checked. * @param issuerCert Certificate to check if it is revoked. * @param reasonMask The reasons mask which is already checked. * @param certPathCerts The certificates of the certification path to be * checked. * @throws Exception if the certificate is revoked or the status * cannot be checked or some error occurs. */ private static void CheckCrl( DistributionPoint dp, IX509AttributeCertificate attrCert, PkixParameters paramsPKIX, DateTime validDate, X509Certificate issuerCert, CertStatus certStatus, ReasonsMask reasonMask, IList certPathCerts) { /* * 4.3.6 No Revocation Available * * The noRevAvail extension, defined in [X.509-2000], allows an AC * issuer to indicate that no revocation information will be made * available for this AC. */ if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) != null) { return; } DateTime currentDate = DateTime.UtcNow; if (validDate.CompareTo(currentDate) > 0) { throw new Exception("Validation time is in future."); } // (a) /* * We always get timely valid CRLs, so there is no step (a) (1). * "locally cached" CRLs are assumed to be in getStore(), additional * CRLs must be enabled in the ExtendedPkixParameters and are in * getAdditionalStore() */ ISet crls = PkixCertPathValidatorUtilities.GetCompleteCrls(dp, attrCert, currentDate, paramsPKIX); bool validCrlFound = false; Exception lastException = null; IEnumerator crl_iter = crls.GetEnumerator(); while (crl_iter.MoveNext() && certStatus.Status == CertStatus.Unrevoked && !reasonMask.IsAllReasons) { try { X509Crl crl = (X509Crl)crl_iter.Current; // (d) ReasonsMask interimReasonsMask = Rfc3280CertPathUtilities.ProcessCrlD(crl, dp); // (e) /* * The reasons mask is updated at the end, so only valid CRLs * can update it. If this CRL does not contain new reasons it * must be ignored. */ if (!interimReasonsMask.HasNewReasons(reasonMask)) { continue; } // (f) ISet keys = Rfc3280CertPathUtilities.ProcessCrlF(crl, attrCert, null, null, paramsPKIX, certPathCerts); // (g) AsymmetricKeyParameter pubKey = Rfc3280CertPathUtilities.ProcessCrlG(crl, keys); X509Crl deltaCRL = null; if (paramsPKIX.IsUseDeltasEnabled) { // get delta CRLs ISet deltaCRLs = PkixCertPathValidatorUtilities.GetDeltaCrls( currentDate, paramsPKIX, crl); // we only want one valid delta CRL // (h) deltaCRL = Rfc3280CertPathUtilities.ProcessCrlH(deltaCRLs, pubKey); } /* * CRL must be be valid at the current time, not the validation * time. If a certificate is revoked with reason keyCompromise, * cACompromise, it can be used for forgery, also for the past. * This reason may not be contained in older CRLs. */ /* * in the chain model signatures stay valid also after the * certificate has been expired, so they do not have to be in * the CRL vality time */ if (paramsPKIX.ValidityModel != PkixParameters.ChainValidityModel) { /* * if a certificate has expired, but was revoked, it is not * more in the CRL, so it would be regarded as valid if the * first check is not done */ if (attrCert.NotAfter.CompareTo(crl.ThisUpdate) < 0) { throw new Exception( "No valid CRL for current time found."); } } Rfc3280CertPathUtilities.ProcessCrlB1(dp, attrCert, crl); // (b) (2) Rfc3280CertPathUtilities.ProcessCrlB2(dp, attrCert, crl); // (c) Rfc3280CertPathUtilities.ProcessCrlC(deltaCRL, crl, paramsPKIX); // (i) Rfc3280CertPathUtilities.ProcessCrlI(validDate, deltaCRL, attrCert, certStatus, paramsPKIX); // (j) Rfc3280CertPathUtilities.ProcessCrlJ(validDate, crl, attrCert, certStatus); // (k) if (certStatus.Status == CrlReason.RemoveFromCrl) { certStatus.Status = CertStatus.Unrevoked; } // update reasons mask reasonMask.AddReasons(interimReasonsMask); validCrlFound = true; } catch (Exception e) { lastException = e; } } if (!validCrlFound) { throw lastException; } }
/** * Searches for a holder public key certificate and verifies its * certification path. * * @param attrCert the attribute certificate. * @param pkixParams The PKIX parameters. * @return The certificate path of the holder certificate. * @throws Exception if * <ul> * <li>no public key certificate can be found although holder * information is given by an entity name or a base certificate * ID</li> * <li>support classes cannot be created</li> * <li>no certification path for the public key certificate can * be built</li> * </ul> */ internal static PkixCertPath ProcessAttrCert1( IX509AttributeCertificate attrCert, PkixParameters pkixParams) { PkixCertPathBuilderResult result = null; // find holder PKCs ISet holderPKCs = new HashSet(); if (attrCert.Holder.GetIssuer() != null) { X509CertStoreSelector selector = new X509CertStoreSelector(); selector.SerialNumber = attrCert.Holder.SerialNumber; X509Name[] principals = attrCert.Holder.GetIssuer(); for (int i = 0; i < principals.Length; i++) { try { // if (principals[i] is X500Principal) { selector.Issuer = principals[i]; } holderPKCs.AddAll(PkixCertPathValidatorUtilities .FindCertificates(selector, pkixParams.GetStores())); } catch (Exception e) { throw new PkixCertPathValidatorException( "Public key certificate for attribute certificate cannot be searched.", e); } } if (holderPKCs.IsEmpty) { throw new PkixCertPathValidatorException( "Public key certificate specified in base certificate ID for attribute certificate cannot be found."); } } if (attrCert.Holder.GetEntityNames() != null) { X509CertStoreSelector selector = new X509CertStoreSelector(); X509Name[] principals = attrCert.Holder.GetEntityNames(); for (int i = 0; i < principals.Length; i++) { try { // if (principals[i] is X500Principal) { selector.Issuer = principals[i]; } holderPKCs.AddAll(PkixCertPathValidatorUtilities .FindCertificates(selector, pkixParams.GetStores())); } catch (Exception e) { throw new PkixCertPathValidatorException( "Public key certificate for attribute certificate cannot be searched.", e); } } if (holderPKCs.IsEmpty) { throw new PkixCertPathValidatorException( "Public key certificate specified in entity name for attribute certificate cannot be found."); } } // verify cert paths for PKCs PkixBuilderParameters parameters = (PkixBuilderParameters) PkixBuilderParameters.GetInstance(pkixParams); PkixCertPathValidatorException lastException = null; foreach (X509Certificate cert in holderPKCs) { X509CertStoreSelector selector = new X509CertStoreSelector(); selector.Certificate = cert; parameters.SetTargetConstraints(selector); PkixCertPathBuilder builder = new PkixCertPathBuilder(); try { result = builder.Build(PkixBuilderParameters.GetInstance(parameters)); } catch (PkixCertPathBuilderException e) { lastException = new PkixCertPathValidatorException( "Certification path for public key certificate of attribute certificate could not be build.", e); } } if (lastException != null) { throw lastException; } return(result.CertPath); }
protected virtual PkixCertPathBuilderResult Build( X509Certificate tbvCert, PkixBuilderParameters pkixParams, IList tbvPath) { // If tbvCert is readily present in tbvPath, it indicates having run // into a cycle in the PKI graph. if (tbvPath.Contains(tbvCert)) { return(null); } // step out, the certificate is not allowed to appear in a certification // chain. if (pkixParams.GetExcludedCerts().Contains(tbvCert)) { return(null); } // test if certificate path exceeds maximum length if (pkixParams.MaxPathLength != -1) { if (tbvPath.Count - 1 > pkixParams.MaxPathLength) { return(null); } } tbvPath.Add(tbvCert); X509CertificateParser certParser = new X509CertificateParser(); PkixCertPathBuilderResult builderResult = null; PkixCertPathValidator validator = new PkixCertPathValidator(); try { // check whether the issuer of <tbvCert> is a TrustAnchor if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null) { // exception message from possibly later tried certification // chains PkixCertPath certPath = null; try { certPath = new PkixCertPath(tbvPath); } catch (Exception e) { throw new Exception( "Certification path could not be constructed from certificate list.", e); } PkixCertPathValidatorResult result = null; try { result = (PkixCertPathValidatorResult)validator.Validate( certPath, pkixParams); } catch (Exception e) { throw new Exception( "Certification path could not be validated.", e); } return(new PkixCertPathBuilderResult(certPath, result.TrustAnchor, result.PolicyTree, result.SubjectPublicKey)); } else { // add additional X.509 stores from locations in certificate try { PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames( tbvCert, pkixParams); } catch (CertificateParsingException e) { throw new Exception( "No additiontal X.509 stores can be added from certificate locations.", e); } // try to get the issuer certificate from one of the stores HashSet issuers = new HashSet(); try { issuers.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams)); } catch (Exception e) { throw new Exception( "Cannot find issuer certificate for certificate in certification path.", e); } if (issuers.IsEmpty) { throw new Exception("No issuer certificate for certificate in certification path found."); } foreach (X509Certificate issuer in issuers) { builderResult = Build(issuer, pkixParams, tbvPath); if (builderResult != null) { break; } } } } catch (Exception e) { certPathException = e; } if (builderResult == null) { tbvPath.Remove(tbvCert); } return(builderResult); }