/// Constructors
public PkixPolicyNode(
IList children,
int depth,
ISet expectedPolicies,
PkixPolicyNode parent,
ISet policyQualifiers,
string validPolicy,
bool critical)
{
if (children == null)
{
this.mChildren = Platform.CreateArrayList();
}
else
{
this.mChildren = Platform.CreateArrayList(children);
}
this.mDepth = depth;
this.mExpectedPolicies = expectedPolicies;
this.mParent = parent;
this.mPolicyQualifiers = policyQualifiers;
this.mValidPolicy = validPolicy;
this.mCritical = critical;
}
internal static bool ProcessCertD1i(
int index,
IList[] policyNodes,
DerObjectIdentifier pOid,
ISet pq)
{
IList policyNodeVec = policyNodes[index - 1];
for (int j = 0; j < policyNodeVec.Count; j++)
{
PkixPolicyNode node = (PkixPolicyNode)policyNodeVec[j];
ISet expectedPolicies = node.ExpectedPolicies;
if (expectedPolicies.Contains(pOid.Id))
{
ISet childExpectedPolicies = new HashSet();
childExpectedPolicies.Add(pOid.Id);
PkixPolicyNode child = new PkixPolicyNode(Platform.CreateArrayList(),
index,
childExpectedPolicies,
node,
pq,
pOid.Id,
false);
node.AddChild(child);
policyNodes[index].Add(child);
return(true);
}
}
return(false);
}
/// Constructors
public PkixPolicyNode(
IList children,
int depth,
ISet expectedPolicies,
PkixPolicyNode parent,
ISet policyQualifiers,
string validPolicy,
bool critical)
{
if (children == null)
{
this.mChildren = Platform.CreateArrayList();
}
else
{
this.mChildren = Platform.CreateArrayList(children);
}
this.mDepth = depth;
this.mExpectedPolicies = expectedPolicies;
this.mParent = parent;
this.mPolicyQualifiers = policyQualifiers;
this.mValidPolicy = validPolicy;
this.mCritical = critical;
}
internal static void ProcessCertD1ii(
int index,
IList[] policyNodes,
DerObjectIdentifier _poid,
ISet _pq)
{
IList policyNodeVec = policyNodes[index - 1];
for (int j = 0; j < policyNodeVec.Count; j++)
{
PkixPolicyNode _node = (PkixPolicyNode)policyNodeVec[j];
if (ANY_POLICY.Equals(_node.ValidPolicy))
{
ISet _childExpectedPolicies = new HashSet();
_childExpectedPolicies.Add(_poid.Id);
PkixPolicyNode _child = new PkixPolicyNode(Platform.CreateArrayList(),
index,
_childExpectedPolicies,
_node,
_pq,
_poid.Id,
false);
_node.AddChild(_child);
policyNodes[index].Add(_child);
return;
}
}
}
internal static PkixPolicyNode RemovePolicyNode(
PkixPolicyNode validPolicyTree,
IList[] policyNodes,
PkixPolicyNode _node)
{
PkixPolicyNode _parent = (PkixPolicyNode)_node.Parent;
if (validPolicyTree == null)
{
return(null);
}
if (_parent == null)
{
for (int j = 0; j < policyNodes.Length; j++)
{
policyNodes[j] = Platform.CreateArrayList();
}
return(null);
}
else
{
_parent.RemoveChild(_node);
RemovePolicyNodeRecurse(policyNodes, _node);
return(validPolicyTree);
}
}
private static void RemovePolicyNodeRecurse(IList[] policyNodes, PkixPolicyNode _node)
{
policyNodes[_node.Depth].Remove(_node);
if (_node.HasChildren)
{
foreach (PkixPolicyNode _child in _node.Children)
{
RemovePolicyNodeRecurse(policyNodes, _child);
}
}
}
public PkixCertPathBuilderResult(
PkixCertPath certPath,
TrustAnchor trustAnchor,
PkixPolicyNode policyTree,
AsymmetricKeyParameter subjectPublicKey)
: base(trustAnchor, policyTree, subjectPublicKey)
{
if (certPath == null)
throw new ArgumentNullException("certPath");
this.certPath = certPath;
}
public PkixCertPathBuilderResult(
PkixCertPath certPath,
TrustAnchor trustAnchor,
PkixPolicyNode policyTree,
AsymmetricKeyParameter subjectPublicKey)
: base(trustAnchor, policyTree, subjectPublicKey)
{
if (certPath == null)
{
throw new ArgumentNullException("certPath");
}
this.certPath = certPath;
}
public PkixCertPathValidatorResult(
TrustAnchor trustAnchor,
PkixPolicyNode policyTree,
AsymmetricKeyParameter subjectPublicKey)
{
if (subjectPublicKey == null)
{
throw new NullReferenceException("subjectPublicKey must be non-null");
}
if (trustAnchor == null)
{
throw new NullReferenceException("trustAnchor must be non-null");
}
this.trustAnchor = trustAnchor;
this.policyTree = policyTree;
this.subjectPublicKey = subjectPublicKey;
}
public PkixCertPathValidatorResult(
TrustAnchor trustAnchor,
PkixPolicyNode policyTree,
AsymmetricKeyParameter subjectPublicKey)
{
if (subjectPublicKey == null)
{
throw new NullReferenceException("subjectPublicKey must be non-null");
}
if (trustAnchor == null)
{
throw new NullReferenceException("trustAnchor must be non-null");
}
this.trustAnchor = trustAnchor;
this.policyTree = policyTree;
this.subjectPublicKey = subjectPublicKey;
}
internal static PkixPolicyNode PrepareNextCertB2(
int i,
IList[] policyNodes,
string id_p,
PkixPolicyNode validPolicyTree)
{
int pos = 0;
// Copy to avoid RemoveAt calls interfering with enumeration
foreach (PkixPolicyNode node in Platform.CreateArrayList(policyNodes[i]))
{
if (node.ValidPolicy.Equals(id_p))
{
PkixPolicyNode p_node = (PkixPolicyNode)node.Parent;
p_node.RemoveChild(node);
// Removal of element at current iterator position not supported in C#
//nodes_i.remove();
policyNodes[i].RemoveAt(pos);
for (int k = (i - 1); k >= 0; k--)
{
IList nodes = policyNodes[k];
for (int l = 0; l < nodes.Count; l++)
{
PkixPolicyNode node2 = (PkixPolicyNode)nodes[l];
if (!node2.HasChildren)
{
validPolicyTree = RemovePolicyNode(validPolicyTree, policyNodes, node2);
if (validPolicyTree == null)
{
break;
}
}
}
}
}
else
{
++pos;
}
}
return(validPolicyTree);
}
public virtual PkixPolicyNode Copy()
{
PkixPolicyNode node = new PkixPolicyNode(
Platform.CreateArrayList(),
mDepth,
new HashSet(mExpectedPolicies),
null,
new HashSet(mPolicyQualifiers),
mValidPolicy,
mCritical);
foreach (PkixPolicyNode child in mChildren)
{
PkixPolicyNode copy = child.Copy();
copy.Parent = node;
node.AddChild(copy);
}
return(node);
}
public virtual void AddChild(
PkixPolicyNode child)
{
child.Parent = this;
mChildren.Add(child);
}
internal static PkixPolicyNode ProcessCertD(
PkixCertPath certPath,
int index,
ISet acceptablePolicies,
PkixPolicyNode validPolicyTree,
IList[] policyNodes,
int inhibitAnyPolicy)
//throws CertPathValidatorException
{
IList certs = certPath.Certificates;
X509Certificate cert = (X509Certificate)certs[index];
int n = certs.Count;
// i as defined in the algorithm description
int i = n - index;
//
// (d) policy Information checking against initial policy and
// policy mapping
//
Asn1Sequence certPolicies = null;
try
{
certPolicies = DerSequence.GetInstance(
PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.CertificatePolicies));
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Could not read certificate policies extension from certificate.", e, certPath, index);
}
if (certPolicies != null && validPolicyTree != null)
{
//
// (d) (1)
//
ISet pols = new HashSet();
foreach (Asn1Encodable ae in certPolicies)
{
PolicyInformation pInfo = PolicyInformation.GetInstance(ae.ToAsn1Object());
DerObjectIdentifier pOid = pInfo.PolicyIdentifier;
pols.Add(pOid.Id);
if (!Rfc3280CertPathUtilities.ANY_POLICY.Equals(pOid.Id))
{
ISet pq = null;
try
{
pq = PkixCertPathValidatorUtilities.GetQualifierSet(pInfo.PolicyQualifiers);
}
catch (PkixCertPathValidatorException ex)
{
throw new PkixCertPathValidatorException(
"Policy qualifier info set could not be build.", ex, certPath, index);
}
bool match = PkixCertPathValidatorUtilities.ProcessCertD1i(i, policyNodes, pOid, pq);
if (!match)
{
PkixCertPathValidatorUtilities.ProcessCertD1ii(i, policyNodes, pOid, pq);
}
}
}
if (acceptablePolicies.IsEmpty || acceptablePolicies.Contains(Rfc3280CertPathUtilities.ANY_POLICY))
{
acceptablePolicies.Clear();
acceptablePolicies.AddAll(pols);
}
else
{
ISet t1 = new HashSet();
foreach (object o in acceptablePolicies)
{
if (pols.Contains(o))
{
t1.Add(o);
}
}
acceptablePolicies.Clear();
acceptablePolicies.AddAll(t1);
}
//
// (d) (2)
//
if ((inhibitAnyPolicy > 0) || ((i < n) && PkixCertPathValidatorUtilities.IsSelfIssued(cert)))
{
foreach (Asn1Encodable ae in certPolicies)
{
PolicyInformation pInfo = PolicyInformation.GetInstance(ae.ToAsn1Object());
if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(pInfo.PolicyIdentifier.Id))
{
ISet _apq = PkixCertPathValidatorUtilities.GetQualifierSet(pInfo.PolicyQualifiers);
IList _nodes = policyNodes[i - 1];
for (int k = 0; k < _nodes.Count; k++)
{
PkixPolicyNode _node = (PkixPolicyNode)_nodes[k];
IEnumerator _policySetIter = _node.ExpectedPolicies.GetEnumerator();
while (_policySetIter.MoveNext())
{
object _tmp = _policySetIter.Current;
string _policy;
if (_tmp is string)
{
_policy = (string)_tmp;
}
else if (_tmp is DerObjectIdentifier)
{
_policy = ((DerObjectIdentifier)_tmp).Id;
}
else
{
continue;
}
bool _found = false;
foreach (PkixPolicyNode _child in _node.Children)
{
if (_policy.Equals(_child.ValidPolicy))
{
_found = true;
}
}
if (!_found)
{
ISet _newChildExpectedPolicies = new HashSet();
_newChildExpectedPolicies.Add(_policy);
PkixPolicyNode _newChild = new PkixPolicyNode(Platform.CreateArrayList(), i,
_newChildExpectedPolicies, _node, _apq, _policy, false);
_node.AddChild(_newChild);
policyNodes[i].Add(_newChild);
}
}
}
break;
}
}
}
PkixPolicyNode _validPolicyTree = validPolicyTree;
//
// (d) (3)
//
for (int j = (i - 1); j >= 0; j--)
{
IList nodes = policyNodes[j];
for (int k = 0; k < nodes.Count; k++)
{
PkixPolicyNode node = (PkixPolicyNode)nodes[k];
if (!node.HasChildren)
{
_validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(_validPolicyTree, policyNodes,
node);
if (_validPolicyTree == null)
{
break;
}
}
}
}
//
// d (4)
//
ISet criticalExtensionOids = cert.GetCriticalExtensionOids();
if (criticalExtensionOids != null)
{
bool critical = criticalExtensionOids.Contains(X509Extensions.CertificatePolicies.Id);
IList nodes = policyNodes[i];
for (int j = 0; j < nodes.Count; j++)
{
PkixPolicyNode node = (PkixPolicyNode)nodes[j];
node.IsCritical = critical;
}
}
return _validPolicyTree;
}
return null;
}
internal static PkixPolicyNode ProcessCertE(
PkixCertPath certPath,
int index,
PkixPolicyNode validPolicyTree)
{
IList certs = certPath.Certificates;
X509Certificate cert = (X509Certificate)certs[index];
//
// (e)
//
Asn1Sequence certPolicies = null;
try
{
certPolicies = DerSequence.GetInstance(
PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.CertificatePolicies));
}
catch (Exception e)
{
throw new PkixCertPathValidatorException("Could not read certificate policies extension from certificate.",
e, certPath, index);
}
if (certPolicies == null)
{
validPolicyTree = null;
}
return validPolicyTree;
}
internal static PkixPolicyNode WrapupCertG(
PkixCertPath certPath,
PkixParameters paramsPKIX,
ISet userInitialPolicySet,
int index,
IList[] policyNodes,
PkixPolicyNode validPolicyTree,
ISet acceptablePolicies)
{
int n = certPath.Certificates.Count;
//
// (g)
//
PkixPolicyNode intersection;
//
// (g) (i)
//
if (validPolicyTree == null)
{
if (paramsPKIX.IsExplicitPolicyRequired)
{
throw new PkixCertPathValidatorException(
"Explicit policy requested but none available.", null, certPath, index);
}
intersection = null;
}
else if (PkixCertPathValidatorUtilities.IsAnyPolicy(userInitialPolicySet)) // (g)
// (ii)
{
if (paramsPKIX.IsExplicitPolicyRequired)
{
if (acceptablePolicies.IsEmpty)
{
throw new PkixCertPathValidatorException(
"Explicit policy requested but none available.", null, certPath, index);
}
else
{
ISet _validPolicyNodeSet = new HashSet();
for (int j = 0; j < policyNodes.Length; j++)
{
IList _nodeDepth = policyNodes[j];
for (int k = 0; k < _nodeDepth.Count; k++)
{
PkixPolicyNode _node = (PkixPolicyNode)_nodeDepth[k];
if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(_node.ValidPolicy))
{
foreach (object o in _node.Children)
{
_validPolicyNodeSet.Add(o);
}
}
}
}
foreach (PkixPolicyNode _node in _validPolicyNodeSet)
{
string _validPolicy = _node.ValidPolicy;
if (!acceptablePolicies.Contains(_validPolicy))
{
// TODO?
// validPolicyTree =
// removePolicyNode(validPolicyTree, policyNodes,
// _node);
}
}
if (validPolicyTree != null)
{
for (int j = (n - 1); j >= 0; j--)
{
IList nodes = policyNodes[j];
for (int k = 0; k < nodes.Count; k++)
{
PkixPolicyNode node = (PkixPolicyNode)nodes[k];
if (!node.HasChildren)
{
validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree,
policyNodes, node);
}
}
}
}
}
}
intersection = validPolicyTree;
}
else
{
//
// (g) (iii)
//
// This implementation is not exactly same as the one described in
// RFC3280.
// However, as far as the validation result is concerned, both
// produce
// adequate result. The only difference is whether AnyPolicy is
// remain
// in the policy tree or not.
//
// (g) (iii) 1
//
ISet _validPolicyNodeSet = new HashSet();
for (int j = 0; j < policyNodes.Length; j++)
{
IList _nodeDepth = policyNodes[j];
for (int k = 0; k < _nodeDepth.Count; k++)
{
PkixPolicyNode _node = (PkixPolicyNode)_nodeDepth[k];
if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(_node.ValidPolicy))
{
foreach (PkixPolicyNode _c_node in _node.Children)
{
if (!Rfc3280CertPathUtilities.ANY_POLICY.Equals(_c_node.ValidPolicy))
{
_validPolicyNodeSet.Add(_c_node);
}
}
}
}
}
//
// (g) (iii) 2
//
IEnumerator _vpnsIter = _validPolicyNodeSet.GetEnumerator();
while (_vpnsIter.MoveNext())
{
PkixPolicyNode _node = (PkixPolicyNode)_vpnsIter.Current;
string _validPolicy = _node.ValidPolicy;
if (!userInitialPolicySet.Contains(_validPolicy))
{
validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree, policyNodes, _node);
}
}
//
// (g) (iii) 4
//
if (validPolicyTree != null)
{
for (int j = (n - 1); j >= 0; j--)
{
IList nodes = policyNodes[j];
for (int k = 0; k < nodes.Count; k++)
{
PkixPolicyNode node = (PkixPolicyNode)nodes[k];
if (!node.HasChildren)
{
validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree, policyNodes,
node);
}
}
}
}
intersection = validPolicyTree;
}
return intersection;
}
internal static void ProcessCertF(
PkixCertPath certPath,
int index,
PkixPolicyNode validPolicyTree,
int explicitPolicy)
{
//
// (f)
//
if (explicitPolicy <= 0 && validPolicyTree == null)
{
throw new PkixCertPathValidatorException(
"No valid policy tree found when one expected.", null, certPath, index);
}
}
internal static PkixPolicyNode PrepareCertB(
PkixCertPath certPath,
int index,
IList[] policyNodes,
PkixPolicyNode validPolicyTree,
int policyMapping)
//throws CertPathValidatorException
{
IList certs = certPath.Certificates;
X509Certificate cert = (X509Certificate)certs[index];
int n = certs.Count;
// i as defined in the algorithm description
int i = n - index;
// (b)
//
Asn1Sequence pm = null;
try
{
pm = (Asn1Sequence)Asn1Sequence.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.PolicyMappings));
}
catch (Exception ex)
{
throw new PkixCertPathValidatorException(
"Policy mappings extension could not be decoded.", ex, certPath, index);
}
PkixPolicyNode _validPolicyTree = validPolicyTree;
if (pm != null)
{
Asn1Sequence mappings = (Asn1Sequence)pm;
IDictionary m_idp = Platform.CreateHashtable();
ISet s_idp = new HashSet();
for (int j = 0; j < mappings.Count; j++)
{
Asn1Sequence mapping = (Asn1Sequence) mappings[j];
string id_p = ((DerObjectIdentifier) mapping[0]).Id;
string sd_p = ((DerObjectIdentifier) mapping[1]).Id;
ISet tmp;
if (!m_idp.Contains(id_p))
{
tmp = new HashSet();
tmp.Add(sd_p);
m_idp[id_p] = tmp;
s_idp.Add(id_p);
}
else
{
tmp = (ISet)m_idp[id_p];
tmp.Add(sd_p);
}
}
IEnumerator it_idp = s_idp.GetEnumerator();
while (it_idp.MoveNext())
{
string id_p = (string)it_idp.Current;
//
// (1)
//
if (policyMapping > 0)
{
bool idp_found = false;
IEnumerator nodes_i = policyNodes[i].GetEnumerator();
while (nodes_i.MoveNext())
{
PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current;
if (node.ValidPolicy.Equals(id_p))
{
idp_found = true;
node.ExpectedPolicies = (ISet)m_idp[id_p];
break;
}
}
if (!idp_found)
{
nodes_i = policyNodes[i].GetEnumerator();
while (nodes_i.MoveNext())
{
PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current;
if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(node.ValidPolicy))
{
ISet pq = null;
Asn1Sequence policies = null;
try
{
policies = (Asn1Sequence)PkixCertPathValidatorUtilities.GetExtensionValue(cert,
X509Extensions.CertificatePolicies);
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Certificate policies extension could not be decoded.", e, certPath, index);
}
foreach (Asn1Encodable ae in policies)
{
PolicyInformation pinfo = null;
try
{
pinfo = PolicyInformation.GetInstance(ae.ToAsn1Object());
}
catch (Exception ex)
{
throw new PkixCertPathValidatorException(
"Policy information could not be decoded.", ex, certPath, index);
}
if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(pinfo.PolicyIdentifier.Id))
{
try
{
pq = PkixCertPathValidatorUtilities
.GetQualifierSet(pinfo.PolicyQualifiers);
}
catch (PkixCertPathValidatorException ex)
{
throw new PkixCertPathValidatorException(
"Policy qualifier info set could not be decoded.", ex, certPath,
index);
}
break;
}
}
bool ci = false;
ISet critExtOids = cert.GetCriticalExtensionOids();
if (critExtOids != null)
{
ci = critExtOids.Contains(X509Extensions.CertificatePolicies.Id);
}
PkixPolicyNode p_node = (PkixPolicyNode)node.Parent;
if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(p_node.ValidPolicy))
{
PkixPolicyNode c_node = new PkixPolicyNode(Platform.CreateArrayList(), i,
(ISet)m_idp[id_p], p_node, pq, id_p, ci);
p_node.AddChild(c_node);
policyNodes[i].Add(c_node);
}
break;
}
}
}
//
// (2)
//
}
else if (policyMapping <= 0)
{
foreach (PkixPolicyNode node in Platform.CreateArrayList(policyNodes[i]))
{
if (node.ValidPolicy.Equals(id_p))
{
node.Parent.RemoveChild(node);
for (int k = i - 1; k >= 0; k--)
{
foreach (PkixPolicyNode node2 in Platform.CreateArrayList(policyNodes[k]))
{
if (!node2.HasChildren)
{
_validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(
_validPolicyTree, policyNodes, node2);
if (_validPolicyTree == null)
break;
}
}
}
}
}
}
}
}
return _validPolicyTree;
}
internal static PkixPolicyNode PrepareNextCertB2(
int i,
IList[] policyNodes,
string id_p,
PkixPolicyNode validPolicyTree)
{
int pos = 0;
// Copy to avoid RemoveAt calls interfering with enumeration
foreach (PkixPolicyNode node in Platform.CreateArrayList(policyNodes[i]))
{
if (node.ValidPolicy.Equals(id_p))
{
PkixPolicyNode p_node = (PkixPolicyNode)node.Parent;
p_node.RemoveChild(node);
// Removal of element at current iterator position not supported in C#
//nodes_i.remove();
policyNodes[i].RemoveAt(pos);
for (int k = (i - 1); k >= 0; k--)
{
IList nodes = policyNodes[k];
for (int l = 0; l < nodes.Count; l++)
{
PkixPolicyNode node2 = (PkixPolicyNode)nodes[l];
if (!node2.HasChildren)
{
validPolicyTree = RemovePolicyNode(validPolicyTree, policyNodes, node2);
if (validPolicyTree == null)
break;
}
}
}
}
else
{
++pos;
}
}
return validPolicyTree;
}
internal static void PrepareNextCertB1(
int i,
IList[] policyNodes,
string id_p,
IDictionary m_idp,
X509Certificate cert)
{
bool idp_found = false;
IEnumerator nodes_i = policyNodes[i].GetEnumerator();
while (nodes_i.MoveNext())
{
PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current;
if (node.ValidPolicy.Equals(id_p))
{
idp_found = true;
node.ExpectedPolicies = (ISet)m_idp[id_p];
break;
}
}
if (!idp_found)
{
nodes_i = policyNodes[i].GetEnumerator();
while (nodes_i.MoveNext())
{
PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current;
if (ANY_POLICY.Equals(node.ValidPolicy))
{
ISet pq = null;
Asn1Sequence policies = null;
try
{
policies = DerSequence.GetInstance(GetExtensionValue(cert, X509Extensions.CertificatePolicies));
}
catch (Exception e)
{
throw new Exception("Certificate policies cannot be decoded.", e);
}
IEnumerator enm = policies.GetEnumerator();
while (enm.MoveNext())
{
PolicyInformation pinfo = null;
try
{
pinfo = PolicyInformation.GetInstance(enm.Current);
}
catch (Exception ex)
{
throw new Exception("Policy information cannot be decoded.", ex);
}
if (ANY_POLICY.Equals(pinfo.PolicyIdentifier.Id))
{
try
{
pq = GetQualifierSet(pinfo.PolicyQualifiers);
}
catch (PkixCertPathValidatorException ex)
{
throw new PkixCertPathValidatorException(
"Policy qualifier info set could not be built.", ex);
}
break;
}
}
bool ci = false;
ISet critExtOids = cert.GetCriticalExtensionOids();
if (critExtOids != null)
{
ci = critExtOids.Contains(X509Extensions.CertificatePolicies.Id);
}
PkixPolicyNode p_node = (PkixPolicyNode)node.Parent;
if (ANY_POLICY.Equals(p_node.ValidPolicy))
{
PkixPolicyNode c_node = new PkixPolicyNode(
Platform.CreateArrayList(), i,
(ISet)m_idp[id_p],
p_node, pq, id_p, ci);
p_node.AddChild(c_node);
policyNodes[i].Add(c_node);
}
break;
}
}
}
}
public virtual PkixCertPathValidatorResult Validate(
PkixCertPath certPath,
PkixParameters paramsPkix)
{
if (paramsPkix.GetTrustAnchors() == null)
{
throw new ArgumentException(
"trustAnchors is null, this is not allowed for certification path validation.",
"parameters");
}
//
// 6.1.1 - inputs
//
//
// (a)
//
IList certs = certPath.Certificates;
int n = certs.Count;
if (certs.Count == 0)
throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);
//
// (b)
//
// DateTime validDate = PkixCertPathValidatorUtilities.GetValidDate(paramsPkix);
//
// (c)
//
ISet userInitialPolicySet = paramsPkix.GetInitialPolicies();
//
// (d)
//
TrustAnchor trust;
try
{
trust = PkixCertPathValidatorUtilities.FindTrustAnchor(
(X509Certificate)certs[certs.Count - 1],
paramsPkix.GetTrustAnchors());
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(e.Message, e, certPath, certs.Count - 1);
}
if (trust == null)
throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
//
// (e), (f), (g) are part of the paramsPkix object.
//
IEnumerator certIter;
int index = 0;
int i;
// Certificate for each interation of the validation loop
// Signature information for each iteration of the validation loop
//
// 6.1.2 - setup
//
//
// (a)
//
IList[] policyNodes = new IList[n + 1];
for (int j = 0; j < policyNodes.Length; j++)
{
policyNodes[j] = Platform.CreateArrayList();
}
ISet policySet = new HashSet();
policySet.Add(Rfc3280CertPathUtilities.ANY_POLICY);
PkixPolicyNode validPolicyTree = new PkixPolicyNode(Platform.CreateArrayList(), 0, policySet, null, new HashSet(),
Rfc3280CertPathUtilities.ANY_POLICY, false);
policyNodes[0].Add(validPolicyTree);
//
// (b) and (c)
//
PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();
// (d)
//
int explicitPolicy;
ISet acceptablePolicies = new HashSet();
if (paramsPkix.IsExplicitPolicyRequired)
{
explicitPolicy = 0;
}
else
{
explicitPolicy = n + 1;
}
//
// (e)
//
int inhibitAnyPolicy;
if (paramsPkix.IsAnyPolicyInhibited)
{
inhibitAnyPolicy = 0;
}
else
{
inhibitAnyPolicy = n + 1;
}
//
// (f)
//
int policyMapping;
if (paramsPkix.IsPolicyMappingInhibited)
{
policyMapping = 0;
}
else
{
policyMapping = n + 1;
}
//
// (g), (h), (i), (j)
//
AsymmetricKeyParameter workingPublicKey;
X509Name workingIssuerName;
X509Certificate sign = trust.TrustedCert;
try
{
if (sign != null)
{
workingIssuerName = sign.SubjectDN;
workingPublicKey = sign.GetPublicKey();
}
else
{
workingIssuerName = new X509Name(trust.CAName);
workingPublicKey = trust.CAPublicKey;
}
}
catch (ArgumentException ex)
{
throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath,
-1);
}
AlgorithmIdentifier workingAlgId = null;
try
{
workingAlgId = PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
}
catch (PkixCertPathValidatorException e)
{
throw new PkixCertPathValidatorException(
"Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1);
}
// DerObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.ObjectID;
// Asn1Encodable workingPublicKeyParameters = workingAlgId.Parameters;
//
// (k)
//
int maxPathLength = n;
//
// 6.1.3
//
X509CertStoreSelector certConstraints = paramsPkix.GetTargetCertConstraints();
if (certConstraints != null && !certConstraints.Match((X509Certificate)certs[0]))
{
throw new PkixCertPathValidatorException(
"Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
}
//
// initialize CertPathChecker's
//
IList pathCheckers = paramsPkix.GetCertPathCheckers();
certIter = pathCheckers.GetEnumerator();
while (certIter.MoveNext())
{
((PkixCertPathChecker)certIter.Current).Init(false);
}
X509Certificate cert = null;
for (index = certs.Count - 1; index >= 0; index--)
{
// try
// {
//
// i as defined in the algorithm description
//
i = n - index;
//
// set certificate to be checked in this round
// sign and workingPublicKey and workingIssuerName are set
// at the end of the for loop and initialized the
// first time from the TrustAnchor
//
cert = (X509Certificate)certs[index];
//
// 6.1.3
//
Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, index, workingPublicKey,
workingIssuerName, sign);
Rfc3280CertPathUtilities.ProcessCertBC(certPath, index, nameConstraintValidator);
validPolicyTree = Rfc3280CertPathUtilities.ProcessCertD(certPath, index,
acceptablePolicies, validPolicyTree, policyNodes, inhibitAnyPolicy);
validPolicyTree = Rfc3280CertPathUtilities.ProcessCertE(certPath, index, validPolicyTree);
Rfc3280CertPathUtilities.ProcessCertF(certPath, index, validPolicyTree, explicitPolicy);
//
// 6.1.4
//
if (i != n)
{
if (cert != null && cert.Version == 1)
{
throw new PkixCertPathValidatorException(
"Version 1 certificates can't be used as CA ones.", null, certPath, index);
}
Rfc3280CertPathUtilities.PrepareNextCertA(certPath, index);
validPolicyTree = Rfc3280CertPathUtilities.PrepareCertB(certPath, index, policyNodes,
validPolicyTree, policyMapping);
Rfc3280CertPathUtilities.PrepareNextCertG(certPath, index, nameConstraintValidator);
// (h)
explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, index, explicitPolicy);
policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, index, policyMapping);
inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, index, inhibitAnyPolicy);
//
// (i)
//
explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, index, explicitPolicy);
policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, index, policyMapping);
// (j)
inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, index, inhibitAnyPolicy);
// (k)
Rfc3280CertPathUtilities.PrepareNextCertK(certPath, index);
// (l)
maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, index, maxPathLength);
// (m)
maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, index, maxPathLength);
// (n)
Rfc3280CertPathUtilities.PrepareNextCertN(certPath, index);
ISet criticalExtensions1 = cert.GetCriticalExtensionOids();
if (criticalExtensions1 != null)
{
criticalExtensions1 = new HashSet(criticalExtensions1);
// these extensions are handled by the algorithm
criticalExtensions1.Remove(X509Extensions.KeyUsage.Id);
criticalExtensions1.Remove(X509Extensions.CertificatePolicies.Id);
criticalExtensions1.Remove(X509Extensions.PolicyMappings.Id);
criticalExtensions1.Remove(X509Extensions.InhibitAnyPolicy.Id);
criticalExtensions1.Remove(X509Extensions.IssuingDistributionPoint.Id);
criticalExtensions1.Remove(X509Extensions.DeltaCrlIndicator.Id);
criticalExtensions1.Remove(X509Extensions.PolicyConstraints.Id);
criticalExtensions1.Remove(X509Extensions.BasicConstraints.Id);
criticalExtensions1.Remove(X509Extensions.SubjectAlternativeName.Id);
criticalExtensions1.Remove(X509Extensions.NameConstraints.Id);
}
else
{
criticalExtensions1 = new HashSet();
}
// (o)
Rfc3280CertPathUtilities.PrepareNextCertO(certPath, index, criticalExtensions1, pathCheckers);
// set signing certificate for next round
sign = cert;
// (c)
workingIssuerName = sign.SubjectDN;
// (d)
try
{
workingPublicKey = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, index);
}
catch (PkixCertPathValidatorException e)
{
throw new PkixCertPathValidatorException("Next working key could not be retrieved.", e, certPath, index);
}
workingAlgId = PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
// (f)
// workingPublicKeyAlgorithm = workingAlgId.ObjectID;
// (e)
// workingPublicKeyParameters = workingAlgId.Parameters;
}
}
//
// 6.1.5 Wrap-up procedure
//
explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, cert);
explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, index + 1, explicitPolicy);
//
// (c) (d) and (e) are already done
//
//
// (f)
//
ISet criticalExtensions = cert.GetCriticalExtensionOids();
if (criticalExtensions != null)
{
criticalExtensions = new HashSet(criticalExtensions);
// Requires .Id
// these extensions are handled by the algorithm
criticalExtensions.Remove(X509Extensions.KeyUsage.Id);
criticalExtensions.Remove(X509Extensions.CertificatePolicies.Id);
criticalExtensions.Remove(X509Extensions.PolicyMappings.Id);
criticalExtensions.Remove(X509Extensions.InhibitAnyPolicy.Id);
criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id);
criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id);
criticalExtensions.Remove(X509Extensions.PolicyConstraints.Id);
criticalExtensions.Remove(X509Extensions.BasicConstraints.Id);
criticalExtensions.Remove(X509Extensions.SubjectAlternativeName.Id);
criticalExtensions.Remove(X509Extensions.NameConstraints.Id);
criticalExtensions.Remove(X509Extensions.CrlDistributionPoints.Id);
}
else
{
criticalExtensions = new HashSet();
}
Rfc3280CertPathUtilities.WrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions);
PkixPolicyNode intersection = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, userInitialPolicySet,
index + 1, policyNodes, validPolicyTree, acceptablePolicies);
if ((explicitPolicy > 0) || (intersection != null))
{
return new PkixCertPathValidatorResult(trust, intersection, cert.GetPublicKey());
}
throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, index);
}
internal static bool ProcessCertD1i(
int index,
IList[] policyNodes,
DerObjectIdentifier pOid,
ISet pq)
{
IList policyNodeVec = policyNodes[index - 1];
for (int j = 0; j < policyNodeVec.Count; j++)
{
PkixPolicyNode node = (PkixPolicyNode)policyNodeVec[j];
ISet expectedPolicies = node.ExpectedPolicies;
if (expectedPolicies.Contains(pOid.Id))
{
ISet childExpectedPolicies = new HashSet();
childExpectedPolicies.Add(pOid.Id);
PkixPolicyNode child = new PkixPolicyNode(Platform.CreateArrayList(),
index,
childExpectedPolicies,
node,
pq,
pOid.Id,
false);
node.AddChild(child);
policyNodes[index].Add(child);
return true;
}
}
return false;
}
public virtual void AddChild(
PkixPolicyNode child)
{
child.Parent = this;
mChildren.Add(child);
}
public virtual PkixPolicyNode Copy()
{
PkixPolicyNode node = new PkixPolicyNode(
Platform.CreateArrayList(),
mDepth,
new HashSet(mExpectedPolicies),
null,
new HashSet(mPolicyQualifiers),
mValidPolicy,
mCritical);
foreach (PkixPolicyNode child in mChildren)
{
PkixPolicyNode copy = child.Copy();
copy.Parent = node;
node.AddChild(copy);
}
return node;
}
public virtual void RemoveChild(
PkixPolicyNode child)
{
mChildren.Remove(child);
}
internal static void ProcessCertD1ii(
int index,
IList[] policyNodes,
DerObjectIdentifier _poid,
ISet _pq)
{
IList policyNodeVec = policyNodes[index - 1];
for (int j = 0; j < policyNodeVec.Count; j++)
{
PkixPolicyNode _node = (PkixPolicyNode)policyNodeVec[j];
if (ANY_POLICY.Equals(_node.ValidPolicy))
{
ISet _childExpectedPolicies = new HashSet();
_childExpectedPolicies.Add(_poid.Id);
PkixPolicyNode _child = new PkixPolicyNode(Platform.CreateArrayList(),
index,
_childExpectedPolicies,
_node,
_pq,
_poid.Id,
false);
_node.AddChild(_child);
policyNodes[index].Add(_child);
return;
}
}
}
public virtual void RemoveChild(
PkixPolicyNode child)
{
mChildren.Remove(child);
}
internal static void PrepareNextCertB1(
int i,
IList[] policyNodes,
string id_p,
IDictionary m_idp,
X509Certificate cert)
{
bool idp_found = false;
IEnumerator nodes_i = policyNodes[i].GetEnumerator();
while (nodes_i.MoveNext())
{
PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current;
if (node.ValidPolicy.Equals(id_p))
{
idp_found = true;
node.ExpectedPolicies = (ISet)m_idp[id_p];
break;
}
}
if (!idp_found)
{
nodes_i = policyNodes[i].GetEnumerator();
while (nodes_i.MoveNext())
{
PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current;
if (ANY_POLICY.Equals(node.ValidPolicy))
{
ISet pq = null;
Asn1Sequence policies = null;
try
{
policies = DerSequence.GetInstance(GetExtensionValue(cert, X509Extensions.CertificatePolicies));
}
catch (Exception e)
{
throw new Exception("Certificate policies cannot be decoded.", e);
}
IEnumerator enm = policies.GetEnumerator();
while (enm.MoveNext())
{
PolicyInformation pinfo = null;
try
{
pinfo = PolicyInformation.GetInstance(enm.Current);
}
catch (Exception ex)
{
throw new Exception("Policy information cannot be decoded.", ex);
}
if (ANY_POLICY.Equals(pinfo.PolicyIdentifier.Id))
{
try
{
pq = GetQualifierSet(pinfo.PolicyQualifiers);
}
catch (PkixCertPathValidatorException ex)
{
throw new PkixCertPathValidatorException(
"Policy qualifier info set could not be built.", ex);
}
break;
}
}
bool ci = false;
ISet critExtOids = cert.GetCriticalExtensionOids();
if (critExtOids != null)
{
ci = critExtOids.Contains(X509Extensions.CertificatePolicies.Id);
}
PkixPolicyNode p_node = (PkixPolicyNode)node.Parent;
if (ANY_POLICY.Equals(p_node.ValidPolicy))
{
PkixPolicyNode c_node = new PkixPolicyNode(
Platform.CreateArrayList(), i,
(ISet)m_idp[id_p],
p_node, pq, id_p, ci);
p_node.AddChild(c_node);
policyNodes[i].Add(c_node);
}
break;
}
}
}
}
internal static PkixPolicyNode RemovePolicyNode(
PkixPolicyNode validPolicyTree,
IList[] policyNodes,
PkixPolicyNode _node)
{
PkixPolicyNode _parent = (PkixPolicyNode)_node.Parent;
if (validPolicyTree == null)
{
return null;
}
if (_parent == null)
{
for (int j = 0; j < policyNodes.Length; j++)
{
policyNodes[j] = Platform.CreateArrayList();
}
return null;
}
else
{
_parent.RemoveChild(_node);
RemovePolicyNodeRecurse(policyNodes, _node);
return validPolicyTree;
}
}
public virtual PkixCertPathValidatorResult Validate(
PkixCertPath certPath,
PkixParameters paramsPkix)
{
if (paramsPkix.GetTrustAnchors() == null)
{
throw new ArgumentException(
"trustAnchors is null, this is not allowed for certification path validation.",
"parameters");
}
//
// 6.1.1 - inputs
//
//
// (a)
//
IList certs = certPath.Certificates;
int n = certs.Count;
if (certs.Count == 0)
{
throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);
}
//
// (b)
//
// DateTime validDate = PkixCertPathValidatorUtilities.GetValidDate(paramsPkix);
//
// (c)
//
ISet userInitialPolicySet = paramsPkix.GetInitialPolicies();
//
// (d)
//
TrustAnchor trust;
try
{
trust = PkixCertPathValidatorUtilities.FindTrustAnchor(
(X509Certificate)certs[certs.Count - 1],
paramsPkix.GetTrustAnchors());
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(e.Message, e, certPath, certs.Count - 1);
}
if (trust == null)
{
throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
}
//
// (e), (f), (g) are part of the paramsPkix object.
//
IEnumerator certIter;
int index = 0;
int i;
// Certificate for each interation of the validation loop
// Signature information for each iteration of the validation loop
//
// 6.1.2 - setup
//
//
// (a)
//
IList[] policyNodes = new IList[n + 1];
for (int j = 0; j < policyNodes.Length; j++)
{
policyNodes[j] = Platform.CreateArrayList();
}
ISet policySet = new HashSet();
policySet.Add(Rfc3280CertPathUtilities.ANY_POLICY);
PkixPolicyNode validPolicyTree = new PkixPolicyNode(Platform.CreateArrayList(), 0, policySet, null, new HashSet(),
Rfc3280CertPathUtilities.ANY_POLICY, false);
policyNodes[0].Add(validPolicyTree);
//
// (b) and (c)
//
PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();
// (d)
//
int explicitPolicy;
ISet acceptablePolicies = new HashSet();
if (paramsPkix.IsExplicitPolicyRequired)
{
explicitPolicy = 0;
}
else
{
explicitPolicy = n + 1;
}
//
// (e)
//
int inhibitAnyPolicy;
if (paramsPkix.IsAnyPolicyInhibited)
{
inhibitAnyPolicy = 0;
}
else
{
inhibitAnyPolicy = n + 1;
}
//
// (f)
//
int policyMapping;
if (paramsPkix.IsPolicyMappingInhibited)
{
policyMapping = 0;
}
else
{
policyMapping = n + 1;
}
//
// (g), (h), (i), (j)
//
AsymmetricKeyParameter workingPublicKey;
X509Name workingIssuerName;
X509Certificate sign = trust.TrustedCert;
try
{
if (sign != null)
{
workingIssuerName = sign.SubjectDN;
workingPublicKey = sign.GetPublicKey();
}
else
{
workingIssuerName = new X509Name(trust.CAName);
workingPublicKey = trust.CAPublicKey;
}
}
catch (ArgumentException ex)
{
throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath,
-1);
}
AlgorithmIdentifier workingAlgId = null;
try
{
workingAlgId = PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
}
catch (PkixCertPathValidatorException e)
{
throw new PkixCertPathValidatorException(
"Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1);
}
// DerObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.ObjectID;
// Asn1Encodable workingPublicKeyParameters = workingAlgId.Parameters;
//
// (k)
//
int maxPathLength = n;
//
// 6.1.3
//
X509CertStoreSelector certConstraints = paramsPkix.GetTargetCertConstraints();
if (certConstraints != null && !certConstraints.Match((X509Certificate)certs[0]))
{
throw new PkixCertPathValidatorException(
"Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
}
//
// initialize CertPathChecker's
//
IList pathCheckers = paramsPkix.GetCertPathCheckers();
certIter = pathCheckers.GetEnumerator();
while (certIter.MoveNext())
{
((PkixCertPathChecker)certIter.Current).Init(false);
}
X509Certificate cert = null;
for (index = certs.Count - 1; index >= 0; index--)
{
// try
// {
//
// i as defined in the algorithm description
//
i = n - index;
//
// set certificate to be checked in this round
// sign and workingPublicKey and workingIssuerName are set
// at the end of the for loop and initialized the
// first time from the TrustAnchor
//
cert = (X509Certificate)certs[index];
//
// 6.1.3
//
Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, index, workingPublicKey,
workingIssuerName, sign);
Rfc3280CertPathUtilities.ProcessCertBC(certPath, index, nameConstraintValidator);
validPolicyTree = Rfc3280CertPathUtilities.ProcessCertD(certPath, index,
acceptablePolicies, validPolicyTree, policyNodes, inhibitAnyPolicy);
validPolicyTree = Rfc3280CertPathUtilities.ProcessCertE(certPath, index, validPolicyTree);
Rfc3280CertPathUtilities.ProcessCertF(certPath, index, validPolicyTree, explicitPolicy);
//
// 6.1.4
//
if (i != n)
{
if (cert != null && cert.Version == 1)
{
throw new PkixCertPathValidatorException(
"Version 1 certificates can't be used as CA ones.", null, certPath, index);
}
Rfc3280CertPathUtilities.PrepareNextCertA(certPath, index);
validPolicyTree = Rfc3280CertPathUtilities.PrepareCertB(certPath, index, policyNodes,
validPolicyTree, policyMapping);
Rfc3280CertPathUtilities.PrepareNextCertG(certPath, index, nameConstraintValidator);
// (h)
explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, index, explicitPolicy);
policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, index, policyMapping);
inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, index, inhibitAnyPolicy);
//
// (i)
//
explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, index, explicitPolicy);
policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, index, policyMapping);
// (j)
inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, index, inhibitAnyPolicy);
// (k)
Rfc3280CertPathUtilities.PrepareNextCertK(certPath, index);
// (l)
maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, index, maxPathLength);
// (m)
maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, index, maxPathLength);
// (n)
Rfc3280CertPathUtilities.PrepareNextCertN(certPath, index);
ISet criticalExtensions1 = cert.GetCriticalExtensionOids();
if (criticalExtensions1 != null)
{
criticalExtensions1 = new HashSet(criticalExtensions1);
// these extensions are handled by the algorithm
criticalExtensions1.Remove(X509Extensions.KeyUsage.Id);
criticalExtensions1.Remove(X509Extensions.CertificatePolicies.Id);
criticalExtensions1.Remove(X509Extensions.PolicyMappings.Id);
criticalExtensions1.Remove(X509Extensions.InhibitAnyPolicy.Id);
criticalExtensions1.Remove(X509Extensions.IssuingDistributionPoint.Id);
criticalExtensions1.Remove(X509Extensions.DeltaCrlIndicator.Id);
criticalExtensions1.Remove(X509Extensions.PolicyConstraints.Id);
criticalExtensions1.Remove(X509Extensions.BasicConstraints.Id);
criticalExtensions1.Remove(X509Extensions.SubjectAlternativeName.Id);
criticalExtensions1.Remove(X509Extensions.NameConstraints.Id);
}
else
{
criticalExtensions1 = new HashSet();
}
// (o)
Rfc3280CertPathUtilities.PrepareNextCertO(certPath, index, criticalExtensions1, pathCheckers);
// set signing certificate for next round
sign = cert;
// (c)
workingIssuerName = sign.SubjectDN;
// (d)
try
{
workingPublicKey = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, index);
}
catch (PkixCertPathValidatorException e)
{
throw new PkixCertPathValidatorException("Next working key could not be retrieved.", e, certPath, index);
}
workingAlgId = PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
// (f)
// workingPublicKeyAlgorithm = workingAlgId.ObjectID;
// (e)
// workingPublicKeyParameters = workingAlgId.Parameters;
}
}
//
// 6.1.5 Wrap-up procedure
//
explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, cert);
explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, index + 1, explicitPolicy);
//
// (c) (d) and (e) are already done
//
//
// (f)
//
ISet criticalExtensions = cert.GetCriticalExtensionOids();
if (criticalExtensions != null)
{
criticalExtensions = new HashSet(criticalExtensions);
// Requires .Id
// these extensions are handled by the algorithm
criticalExtensions.Remove(X509Extensions.KeyUsage.Id);
criticalExtensions.Remove(X509Extensions.CertificatePolicies.Id);
criticalExtensions.Remove(X509Extensions.PolicyMappings.Id);
criticalExtensions.Remove(X509Extensions.InhibitAnyPolicy.Id);
criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id);
criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id);
criticalExtensions.Remove(X509Extensions.PolicyConstraints.Id);
criticalExtensions.Remove(X509Extensions.BasicConstraints.Id);
criticalExtensions.Remove(X509Extensions.SubjectAlternativeName.Id);
criticalExtensions.Remove(X509Extensions.NameConstraints.Id);
criticalExtensions.Remove(X509Extensions.CrlDistributionPoints.Id);
}
else
{
criticalExtensions = new HashSet();
}
Rfc3280CertPathUtilities.WrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions);
PkixPolicyNode intersection = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, userInitialPolicySet,
index + 1, policyNodes, validPolicyTree, acceptablePolicies);
if ((explicitPolicy > 0) || (intersection != null))
{
return(new PkixCertPathValidatorResult(trust, intersection, cert.GetPublicKey()));
}
throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, index);
}
private static void RemovePolicyNodeRecurse(IList[] policyNodes, PkixPolicyNode _node)
{
policyNodes[_node.Depth].Remove(_node);
if (_node.HasChildren)
{
foreach (PkixPolicyNode _child in _node.Children)
{
RemovePolicyNodeRecurse(policyNodes, _child);
}
}
}