public X509CrlStoreSelector(
X509CrlStoreSelector o)
{
this.certificateChecking = o.CertificateChecking;
this.dateAndTime = o.DateAndTime;
this.issuers = o.Issuers;
this.maxCrlNumber = o.MaxCrlNumber;
this.minCrlNumber = o.MinCrlNumber;
this.deltaCrlIndicatorEnabled = o.DeltaCrlIndicatorEnabled;
this.completeCrlEnabled = o.CompleteCrlEnabled;
this.maxBaseCrlNumber = o.MaxBaseCrlNumber;
this.attrCertChecking = o.AttrCertChecking;
this.issuingDistributionPointEnabled = o.IssuingDistributionPointEnabled;
this.issuingDistributionPoint = o.IssuingDistributionPoint;
}
public virtual ISet FindCrls(X509CrlStoreSelector crlselect, PkixParameters paramsPkix)
{
ISet completeSet = new HashSet();
// get complete CRL(s)
try
{
completeSet.AddAll(FindCrls(crlselect, paramsPkix.GetStores()));
}
catch (Exception e)
{
throw new Exception("Exception obtaining complete CRLs.", e);
}
return completeSet;
}
public virtual ISet FindCrls(X509CrlStoreSelector crlselect, PkixParameters paramsPkix, DateTime currentDate)
{
ISet initialSet = new HashSet();
// get complete CRL(s)
try
{
initialSet.AddAll(FindCrls(crlselect, paramsPkix.GetAdditionalStores()));
initialSet.AddAll(FindCrls(crlselect, paramsPkix.GetStores()));
}
catch (Exception e)
{
throw new Exception("Exception obtaining complete CRLs.", e);
}
ISet finalSet = new HashSet();
DateTime validityDate = currentDate;
if (paramsPkix.Date != null)
{
validityDate = paramsPkix.Date.Value;
}
// based on RFC 5280 6.3.3
foreach (X509Crl crl in initialSet)
{
if (crl.NextUpdate.Value.CompareTo(validityDate) > 0)
{
X509Certificate cert = crlselect.CertificateChecking;
if (cert != null)
{
if (crl.ThisUpdate.CompareTo(cert.NotAfter) < 0)
{
finalSet.Add(crl);
}
}
else
{
finalSet.Add(crl);
}
}
}
return finalSet;
}
internal static ISet[] ProcessCrlA1ii(
DateTime currentDate,
PkixParameters paramsPKIX,
X509Certificate cert,
X509Crl crl)
{
ISet deltaSet = new HashSet();
X509CrlStoreSelector crlselect = new X509CrlStoreSelector();
crlselect.CertificateChecking = cert;
try
{
IList issuer = Platform.CreateArrayList();
issuer.Add(crl.IssuerDN);
crlselect.Issuers = issuer;
}
catch (IOException e)
{
throw new Exception("Cannot extract issuer from CRL." + e, e);
}
crlselect.CompleteCrlEnabled = true;
ISet completeSet = CrlUtilities.FindCrls(crlselect, paramsPKIX, currentDate);
if (paramsPKIX.IsUseDeltasEnabled)
{
// get delta CRL(s)
try
{
deltaSet.AddAll(PkixCertPathValidatorUtilities.GetDeltaCrls(currentDate, paramsPKIX, crl));
}
catch (Exception e)
{
throw new Exception("Exception obtaining delta CRLs.", e);
}
}
return new ISet[]{ completeSet, deltaSet };
}
/// <summary>
/// crl checking
/// Return a Collection of all CRLs found in the X509Store's that are
/// matching the crlSelect criteriums.
/// </summary>
/// <param name="crlSelect">a {@link X509CRLStoreSelector} object that will be used
/// to select the CRLs</param>
/// <param name="crlStores">a List containing only {@link org.bouncycastle.x509.X509Store
/// X509Store} objects. These are used to search for CRLs</param>
/// <returns>a Collection of all found {@link X509CRL X509CRL} objects. May be
/// empty but never <code>null</code>.
/// </returns>
private ICollection FindCrls(X509CrlStoreSelector crlSelect, IList crlStores)
{
ISet crls = new HashSet();
Exception lastException = null;
bool foundValidStore = false;
foreach (IX509Store store in crlStores)
{
try
{
crls.AddAll(store.GetMatches(crlSelect));
foundValidStore = true;
}
catch (X509StoreException e)
{
lastException = new Exception("Exception searching in X.509 CRL store.", e);
}
}
if (!foundValidStore && lastException != null)
throw lastException;
return crls;
}
/**
* Fetches delta CRLs according to RFC 3280 section 5.2.4.
*
* @param currentDate The date for which the delta CRLs must be valid.
* @param paramsPKIX The extended PKIX parameters.
* @param completeCRL The complete CRL the delta CRL is for.
* @return A <code>Set</code> of <code>X509CRL</code>s with delta CRLs.
* @throws Exception if an exception occurs while picking the delta
* CRLs.
*/
internal static ISet GetDeltaCrls(
DateTime currentDate,
PkixParameters paramsPKIX,
X509Crl completeCRL)
{
X509CrlStoreSelector deltaSelect = new X509CrlStoreSelector();
// 5.2.4 (a)
try
{
IList deltaSelectIssuer = Platform.CreateArrayList();
deltaSelectIssuer.Add(completeCRL.IssuerDN);
deltaSelect.Issuers = deltaSelectIssuer;
}
catch (IOException e)
{
throw new Exception("Cannot extract issuer from CRL.", e);
}
BigInteger completeCRLNumber = null;
try
{
Asn1Object asn1Object = GetExtensionValue(completeCRL, X509Extensions.CrlNumber);
if (asn1Object != null)
{
completeCRLNumber = CrlNumber.GetInstance(asn1Object).PositiveValue;
}
}
catch (Exception e)
{
throw new Exception(
"CRL number extension could not be extracted from CRL.", e);
}
// 5.2.4 (b)
byte[] idp = null;
try
{
Asn1Object obj = GetExtensionValue(completeCRL, X509Extensions.IssuingDistributionPoint);
if (obj != null)
{
idp = obj.GetDerEncoded();
}
}
catch (Exception e)
{
throw new Exception(
"Issuing distribution point extension value could not be read.",
e);
}
// 5.2.4 (d)
deltaSelect.MinCrlNumber = (completeCRLNumber == null)
? null
: completeCRLNumber.Add(BigInteger.One);
deltaSelect.IssuingDistributionPoint = idp;
deltaSelect.IssuingDistributionPointEnabled = true;
// 5.2.4 (c)
deltaSelect.MaxBaseCrlNumber = completeCRLNumber;
// find delta CRLs
ISet temp = CrlUtilities.FindCrls(deltaSelect, paramsPKIX, currentDate);
ISet result = new HashSet();
foreach (X509Crl crl in temp)
{
if (isDeltaCrl(crl))
{
result.Add(crl);
}
}
return result;
}
/**
* Fetches complete CRLs according to RFC 3280.
*
* @param dp The distribution point for which the complete CRL
* @param cert The <code>X509Certificate</code> or
* {@link org.bouncycastle.x509.X509AttributeCertificate} for
* which the CRL should be searched.
* @param currentDate The date for which the delta CRLs must be valid.
* @param paramsPKIX The extended PKIX parameters.
* @return A <code>Set</code> of <code>X509CRL</code>s with complete
* CRLs.
* @throws Exception if an exception occurs while picking the CRLs
* or no CRLs are found.
*/
internal static ISet GetCompleteCrls(
DistributionPoint dp,
object cert,
DateTime currentDate,
PkixParameters paramsPKIX)
{
X509CrlStoreSelector crlselect = new X509CrlStoreSelector();
try
{
ISet issuers = new HashSet();
if (cert is X509V2AttributeCertificate)
{
issuers.Add(((X509V2AttributeCertificate)cert)
.Issuer.GetPrincipals()[0]);
}
else
{
issuers.Add(GetIssuerPrincipal(cert));
}
PkixCertPathValidatorUtilities.GetCrlIssuersFromDistributionPoint(dp, issuers, crlselect, paramsPKIX);
}
catch (Exception e)
{
throw new Exception("Could not get issuer information from distribution point.", e);
}
if (cert is X509Certificate)
{
crlselect.CertificateChecking = (X509Certificate)cert;
}
else if (cert is X509V2AttributeCertificate)
{
crlselect.AttrCertChecking = (IX509AttributeCertificate)cert;
}
crlselect.CompleteCrlEnabled = true;
ISet crls = CrlUtilities.FindCrls(crlselect, paramsPKIX, currentDate);
if (crls.IsEmpty)
{
if (cert is IX509AttributeCertificate)
{
IX509AttributeCertificate aCert = (IX509AttributeCertificate)cert;
throw new Exception("No CRLs found for issuer \"" + aCert.Issuer.GetPrincipals()[0] + "\"");
}
else
{
X509Certificate xCert = (X509Certificate)cert;
throw new Exception("No CRLs found for issuer \"" + xCert.IssuerDN + "\"");
}
}
return crls;
}
/**
* Add the CRL issuers from the cRLIssuer field of the distribution point or
* from the certificate if not given to the issuer criterion of the
* <code>selector</code>.
* <p>
* The <code>issuerPrincipals</code> are a collection with a single
* <code>X500Principal</code> for <code>X509Certificate</code>s. For
* {@link X509AttributeCertificate}s the issuer may contain more than one
* <code>X500Principal</code>.
* </p>
*
* @param dp The distribution point.
* @param issuerPrincipals The issuers of the certificate or attribute
* certificate which contains the distribution point.
* @param selector The CRL selector.
* @param pkixParams The PKIX parameters containing the cert stores.
* @throws Exception if an exception occurs while processing.
* @throws ClassCastException if <code>issuerPrincipals</code> does not
* contain only <code>X500Principal</code>s.
*/
internal static void GetCrlIssuersFromDistributionPoint(
DistributionPoint dp,
ICollection issuerPrincipals,
X509CrlStoreSelector selector,
PkixParameters pkixParams)
{
IList issuers = Platform.CreateArrayList();
// indirect CRL
if (dp.CrlIssuer != null)
{
GeneralName[] genNames = dp.CrlIssuer.GetNames();
// look for a DN
for (int j = 0; j < genNames.Length; j++)
{
if (genNames[j].TagNo == GeneralName.DirectoryName)
{
try
{
issuers.Add(X509Name.GetInstance(genNames[j].Name.ToAsn1Object()));
}
catch (IOException e)
{
throw new Exception(
"CRL issuer information from distribution point cannot be decoded.",
e);
}
}
}
}
else
{
/*
* certificate issuer is CRL issuer, distributionPoint field MUST be
* present.
*/
if (dp.DistributionPointName == null)
{
throw new Exception(
"CRL issuer is omitted from distribution point but no distributionPoint field present.");
}
// add and check issuer principals
for (IEnumerator it = issuerPrincipals.GetEnumerator(); it.MoveNext(); )
{
issuers.Add((X509Name)it.Current);
}
}
// TODO: is not found although this should correctly add the rel name. selector of Sun is buggy here or PKI test case is invalid
// distributionPoint
// if (dp.getDistributionPoint() != null)
// {
// // look for nameRelativeToCRLIssuer
// if (dp.getDistributionPoint().getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER)
// {
// // append fragment to issuer, only one
// // issuer can be there, if this is given
// if (issuers.size() != 1)
// {
// throw new AnnotatedException(
// "nameRelativeToCRLIssuer field is given but more than one CRL issuer is given.");
// }
// DEREncodable relName = dp.getDistributionPoint().getName();
// Iterator it = issuers.iterator();
// List issuersTemp = new ArrayList(issuers.size());
// while (it.hasNext())
// {
// Enumeration e = null;
// try
// {
// e = ASN1Sequence.getInstance(
// new ASN1InputStream(((X500Principal) it.next())
// .getEncoded()).readObject()).getObjects();
// }
// catch (IOException ex)
// {
// throw new AnnotatedException(
// "Cannot decode CRL issuer information.", ex);
// }
// ASN1EncodableVector v = new ASN1EncodableVector();
// while (e.hasMoreElements())
// {
// v.add((DEREncodable) e.nextElement());
// }
// v.add(relName);
// issuersTemp.add(new X500Principal(new DERSequence(v)
// .getDEREncoded()));
// }
// issuers.clear();
// issuers.addAll(issuersTemp);
// }
// }
selector.Issuers = issuers;
}
public override void PerformTest()
{
X509CertificateParser certParser = new X509CertificateParser();
X509CrlParser crlParser = new X509CrlParser();
X509Certificate rootCert = certParser.ReadCertificate(CertPathTest.rootCertBin);
X509Certificate interCert = certParser.ReadCertificate(CertPathTest.interCertBin);
X509Certificate finalCert = certParser.ReadCertificate(CertPathTest.finalCertBin);
X509Crl rootCrl = crlParser.ReadCrl(CertPathTest.rootCrlBin);
X509Crl interCrl = crlParser.ReadCrl(CertPathTest.interCrlBin);
// Testing CollectionCertStore generation from List
IList certList = new ArrayList();
certList.Add(rootCert);
certList.Add(interCert);
certList.Add(finalCert);
IX509Store certStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(certList));
// set default to be the same as for SUN X500 name
X509Name.DefaultReverse = true;
// Searching for rootCert by subjectDN
X509CertStoreSelector targetConstraints = new X509CertStoreSelector();
targetConstraints.Subject = PrincipalUtilities.GetSubjectX509Principal(rootCert);
IList certs = new ArrayList(certStore.GetMatches(targetConstraints));
if (certs.Count != 1 || !certs.Contains(rootCert))
{
Fail("rootCert not found by subjectDN");
}
// Searching for rootCert by subjectDN encoded as byte
targetConstraints = new X509CertStoreSelector();
targetConstraints.Subject = PrincipalUtilities.GetSubjectX509Principal(rootCert);
certs = new ArrayList(certStore.GetMatches(targetConstraints));
if (certs.Count != 1 || !certs.Contains(rootCert))
{
Fail("rootCert not found by encoded subjectDN");
}
X509Name.DefaultReverse = false;
// Searching for rootCert by public key encoded as byte
targetConstraints = new X509CertStoreSelector();
targetConstraints.SubjectPublicKey =
SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(rootCert.GetPublicKey());
certs = new ArrayList(certStore.GetMatches(targetConstraints));
if (certs.Count != 1 || !certs.Contains(rootCert))
{
Fail("rootCert not found by encoded public key");
}
// Searching for interCert by issuerDN
targetConstraints = new X509CertStoreSelector();
targetConstraints.Issuer = PrincipalUtilities.GetSubjectX509Principal(rootCert);
certs = new ArrayList(certStore.GetMatches(targetConstraints));
if (certs.Count != 2)
{
Fail("did not found 2 certs");
}
if (!certs.Contains(rootCert))
{
Fail("rootCert not found");
}
if (!certs.Contains(interCert))
{
Fail("interCert not found");
}
// Searching for rootCrl by issuerDN
IList crlList = new ArrayList();
crlList.Add(rootCrl);
crlList.Add(interCrl);
IX509Store store = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(crlList));
X509CrlStoreSelector targetConstraintsCRL = new X509CrlStoreSelector();
ArrayList issuers = new ArrayList();
issuers.Add(rootCrl.IssuerDN);
targetConstraintsCRL.Issuers = issuers;
IList crls = new ArrayList(store.GetMatches(targetConstraintsCRL));
if (crls.Count != 1 || !crls.Contains(rootCrl))
{
Fail("rootCrl not found");
}
crls = new ArrayList(certStore.GetMatches(targetConstraintsCRL));
if (crls.Count != 0)
{
Fail("error using wrong selector (CRL)");
}
certs = new ArrayList(store.GetMatches(targetConstraints));
if (certs.Count != 0)
{
Fail("error using wrong selector (certs)");
}
// Searching for attribute certificates
X509V2AttributeCertificate attrCert = new X509V2AttributeCertificate(AttrCertTest.attrCert);
IX509AttributeCertificate attrCert2 = new X509V2AttributeCertificate(AttrCertTest.certWithBaseCertificateID);
IList attrList = new ArrayList();
attrList.Add(attrCert);
attrList.Add(attrCert2);
store = X509StoreFactory.Create(
"AttributeCertificate/Collection",
new X509CollectionStoreParameters(attrList));
X509AttrCertStoreSelector attrSelector = new X509AttrCertStoreSelector();
attrSelector.Holder = attrCert.Holder;
if (!attrSelector.Holder.Equals(attrCert.Holder))
{
Fail("holder get not correct");
}
IList attrs = new ArrayList(store.GetMatches(attrSelector));
if (attrs.Count != 1 || !attrs.Contains(attrCert))
{
Fail("attrCert not found on holder");
}
attrSelector.Holder = attrCert2.Holder;
if (attrSelector.Holder.Equals(attrCert.Holder))
{
Fail("holder get not correct");
}
attrs = new ArrayList(store.GetMatches(attrSelector));
if (attrs.Count != 1 || !attrs.Contains(attrCert2))
{
Fail("attrCert2 not found on holder");
}
attrSelector = new X509AttrCertStoreSelector();
attrSelector.Issuer = attrCert.Issuer;
if (!attrSelector.Issuer.Equals(attrCert.Issuer))
{
Fail("issuer get not correct");
}
attrs = new ArrayList(store.GetMatches(attrSelector));
if (attrs.Count != 1 || !attrs.Contains(attrCert))
{
Fail("attrCert not found on issuer");
}
attrSelector.Issuer = attrCert2.Issuer;
if (attrSelector.Issuer.Equals(attrCert.Issuer))
{
Fail("issuer get not correct");
}
attrs = new ArrayList(store.GetMatches(attrSelector));
if (attrs.Count != 1 || !attrs.Contains(attrCert2))
{
Fail("attrCert2 not found on issuer");
}
attrSelector = new X509AttrCertStoreSelector();
attrSelector.AttributeCert = attrCert;
if (!attrSelector.AttributeCert.Equals(attrCert))
{
Fail("attrCert get not correct");
}
attrs = new ArrayList(store.GetMatches(attrSelector));
if (attrs.Count != 1 || !attrs.Contains(attrCert))
{
Fail("attrCert not found on attrCert");
}
attrSelector = new X509AttrCertStoreSelector();
attrSelector.SerialNumber = attrCert.SerialNumber;
if (!attrSelector.SerialNumber.Equals(attrCert.SerialNumber))
{
Fail("serial number get not correct");
}
attrs = new ArrayList(store.GetMatches(attrSelector));
if (attrs.Count != 1 || !attrs.Contains(attrCert))
{
Fail("attrCert not found on serial number");
}
attrSelector = (X509AttrCertStoreSelector)attrSelector.Clone();
if (!attrSelector.SerialNumber.Equals(attrCert.SerialNumber))
{
Fail("serial number get not correct");
}
attrs = new ArrayList(store.GetMatches(attrSelector));
if (attrs.Count != 1 || !attrs.Contains(attrCert))
{
Fail("attrCert not found on serial number");
}
attrSelector = new X509AttrCertStoreSelector();
attrSelector.AttributeCertificateValid = new DateTimeObject(attrCert.NotBefore);
if (attrSelector.AttributeCertificateValid.Value != attrCert.NotBefore)
{
Fail("valid get not correct");
}
attrs = new ArrayList(store.GetMatches(attrSelector));
if (attrs.Count != 1 || !attrs.Contains(attrCert))
{
Fail("attrCert not found on valid");
}
attrSelector = new X509AttrCertStoreSelector();
attrSelector.AttributeCertificateValid = new DateTimeObject(attrCert.NotBefore.AddMilliseconds(-100));
attrs = new ArrayList(store.GetMatches(attrSelector));
if (attrs.Count != 0)
{
Fail("attrCert found on before");
}
attrSelector.AttributeCertificateValid = new DateTimeObject(attrCert.NotAfter.AddMilliseconds(100));
attrs = new ArrayList(store.GetMatches(attrSelector));
if (attrs.Count != 0)
{
Fail("attrCert found on after");
}
attrSelector.SerialNumber = BigInteger.ValueOf(10000);
attrs = new ArrayList(store.GetMatches(attrSelector));
if (attrs.Count != 0)
{
Fail("attrCert found on wrong serial number");
}
attrSelector.AttributeCert = null;
attrSelector.AttributeCertificateValid = null;
attrSelector.Holder = null;
attrSelector.Issuer = null;
attrSelector.SerialNumber = null;
if (attrSelector.AttributeCert != null)
{
Fail("null attrCert");
}
if (attrSelector.AttributeCertificateValid != null)
{
Fail("null attrCertValid");
}
if (attrSelector.Holder != null)
{
Fail("null attrCert holder");
}
if (attrSelector.Issuer != null)
{
Fail("null attrCert issuer");
}
if (attrSelector.SerialNumber != null)
{
Fail("null attrCert serial");
}
attrs = new ArrayList(certStore.GetMatches(attrSelector));
if (attrs.Count != 0)
{
Fail("error using wrong selector (attrs)");
}
certPairTest();
}
/**
* Fetches complete CRLs according to RFC 3280.
*
* @param dp The distribution point for which the complete CRL
* @param cert The <code>X509Certificate</code> or
* {@link org.bouncycastle.x509.X509AttributeCertificate} for
* which the CRL should be searched.
* @param currentDate The date for which the delta CRLs must be valid.
* @param paramsPKIX The extended PKIX parameters.
* @return A <code>Set</code> of <code>X509CRL</code>s with complete
* CRLs.
* @throws Exception if an exception occurs while picking the CRLs
* or no CRLs are found.
*/
internal static ISet GetCompleteCrls(
DistributionPoint dp,
object cert,
DateTime currentDate,
PkixParameters paramsPKIX)
{
X509CrlStoreSelector crlselect = new X509CrlStoreSelector();
try
{
ISet issuers = new HashSet();
if (cert is X509V2AttributeCertificate)
{
issuers.Add(((X509V2AttributeCertificate)cert)
.Issuer.GetPrincipals()[0]);
}
else
{
issuers.Add(GetIssuerPrincipal(cert));
}
PkixCertPathValidatorUtilities.GetCrlIssuersFromDistributionPoint(dp, issuers, crlselect, paramsPKIX);
}
catch (Exception e)
{
new Exception("Could not get issuer information from distribution point.", e);
}
if (cert is X509Certificate)
{
crlselect.CertificateChecking = (X509Certificate)cert;
}
else if (cert is X509V2AttributeCertificate)
{
crlselect.AttrCertChecking = (IX509AttributeCertificate)cert;
}
if (paramsPKIX.Date != null)
{
crlselect.DateAndTime = paramsPKIX.Date;
}
else
{
crlselect.DateAndTime = new DateTimeObject(currentDate);
}
crlselect.CompleteCrlEnabled = true;
ISet crls = new HashSet();
try
{
crls.AddAll(PkixCertPathValidatorUtilities.FindCrls(crlselect, paramsPKIX.GetStores()));
crls.AddAll(PkixCertPathValidatorUtilities.FindCrls(crlselect, paramsPKIX.GetAdditionalStores()));
}
catch (Exception e)
{
throw new Exception("Could not search for CRLs.", e);
}
if (crls.IsEmpty)
throw new Exception("No CRLs found.");
return crls;
}