Summary description for PkixCertPathValidatorUtilities.
        internal static void ProcessAttrCert7(IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams)
        {
            ISet criticalExtensionOids = attrCert.GetCriticalExtensionOids();

            if (criticalExtensionOids.Contains(X509Extensions.TargetInformation.Id))
            {
                try
                {
                    TargetInformation.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.TargetInformation));
                }
                catch (Exception cause)
                {
                    throw new PkixCertPathValidatorException("Target information extension could not be read.", cause);
                }
            }
            criticalExtensionOids.Remove(X509Extensions.TargetInformation.Id);
            foreach (PkixAttrCertChecker pkixAttrCertChecker in pkixParams.GetAttrCertCheckers())
            {
                pkixAttrCertChecker.Check(attrCert, certPath, holderCertPath, criticalExtensionOids);
            }
            if (!criticalExtensionOids.IsEmpty)
            {
                throw new PkixCertPathValidatorException("Attribute certificate contains unsupported critical extensions: " + criticalExtensionOids);
            }
        }
Ejemplo n.º 2
0
 internal static void AddAdditionalStoresFromCrlDistributionPoint(CrlDistPoint crldp, PkixParameters pkixParams)
 {
     if (crldp != null)
     {
         DistributionPoint[] array = null;
         try
         {
             array = crldp.GetDistributionPoints();
         }
         catch (Exception innerException)
         {
             throw new Exception("Distribution points could not be read.", innerException);
         }
         for (int i = 0; i < array.Length; i++)
         {
             DistributionPointName distributionPointName = array[i].DistributionPointName;
             if (distributionPointName != null && distributionPointName.PointType == 0)
             {
                 GeneralName[] names = GeneralNames.GetInstance(distributionPointName.Name).GetNames();
                 for (int j = 0; j < names.Length; j++)
                 {
                     if (names[j].TagNo == 6)
                     {
                         string @string = DerIA5String.GetInstance(names[j].Name).GetString();
                         PkixCertPathValidatorUtilities.AddAdditionalStoreFromLocation(@string, pkixParams);
                     }
                 }
             }
         }
     }
 }
        private static void CheckCrl(DistributionPoint dp, IX509AttributeCertificate attrCert, PkixParameters paramsPKIX, DateTime validDate, X509Certificate issuerCert, CertStatus certStatus, ReasonsMask reasonMask, IList certPathCerts)
        {
            if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) != null)
            {
                return;
            }
            DateTime utcNow = DateTime.UtcNow;

            if (validDate.CompareTo(utcNow) > 0)
            {
                throw new Exception("Validation time is in future.");
            }
            ISet        completeCrls = PkixCertPathValidatorUtilities.GetCompleteCrls(dp, attrCert, utcNow, paramsPKIX);
            bool        flag         = false;
            Exception   ex           = null;
            IEnumerator enumerator   = completeCrls.GetEnumerator();

            while (enumerator.MoveNext() && certStatus.Status == 11 && !reasonMask.IsAllReasons)
            {
                try
                {
                    X509Crl     x509Crl     = (X509Crl)enumerator.Current;
                    ReasonsMask reasonsMask = Rfc3280CertPathUtilities.ProcessCrlD(x509Crl, dp);
                    if (reasonsMask.HasNewReasons(reasonMask))
                    {
                        ISet keys = Rfc3280CertPathUtilities.ProcessCrlF(x509Crl, attrCert, null, null, paramsPKIX, certPathCerts);
                        AsymmetricKeyParameter key = Rfc3280CertPathUtilities.ProcessCrlG(x509Crl, keys);
                        X509Crl x509Crl2           = null;
                        if (paramsPKIX.IsUseDeltasEnabled)
                        {
                            ISet deltaCrls = PkixCertPathValidatorUtilities.GetDeltaCrls(utcNow, paramsPKIX, x509Crl);
                            x509Crl2 = Rfc3280CertPathUtilities.ProcessCrlH(deltaCrls, key);
                        }
                        if (paramsPKIX.ValidityModel != 1 && attrCert.NotAfter.CompareTo(x509Crl.ThisUpdate) < 0)
                        {
                            throw new Exception("No valid CRL for current time found.");
                        }
                        Rfc3280CertPathUtilities.ProcessCrlB1(dp, attrCert, x509Crl);
                        Rfc3280CertPathUtilities.ProcessCrlB2(dp, attrCert, x509Crl);
                        Rfc3280CertPathUtilities.ProcessCrlC(x509Crl2, x509Crl, paramsPKIX);
                        Rfc3280CertPathUtilities.ProcessCrlI(validDate, x509Crl2, attrCert, certStatus, paramsPKIX);
                        Rfc3280CertPathUtilities.ProcessCrlJ(validDate, x509Crl, attrCert, certStatus);
                        if (certStatus.Status == 8)
                        {
                            certStatus.Status = 11;
                        }
                        reasonMask.AddReasons(reasonsMask);
                        flag = true;
                    }
                }
                catch (Exception ex2)
                {
                    ex = ex2;
                }
            }
            if (!flag)
            {
                throw ex;
            }
        }
Ejemplo n.º 4
0
        /**
         * Find the issuer certificates of a given certificate.
         *
         * @param cert
         *            The certificate for which an issuer should be found.
         * @param pkixParams
         * @return A <code>Collection</code> object containing the issuer
         *         <code>X509Certificate</code>s. Never <code>null</code>.
         *
         * @exception Exception
         *                if an error occurs.
         */
        internal static ICollection FindIssuerCerts(
            X509Certificate cert,
            PkixBuilderParameters pkixParams)
        {
            X509CertStoreSelector certSelect = new X509CertStoreSelector();
            ISet certs = new HashSet();

            try
            {
                certSelect.Subject = cert.IssuerDN;
            }
            catch (IOException ex)
            {
                throw new Exception(
                          "Subject criteria for certificate selector to find issuer certificate could not be set.", ex);
            }

            try
            {
                certs.AddAll(PkixCertPathValidatorUtilities.FindCertificates(certSelect, pkixParams.GetStores()));
                certs.AddAll(PkixCertPathValidatorUtilities.FindCertificates(certSelect, pkixParams.GetAdditionalStores()));
            }
            catch (Exception e)
            {
                throw new Exception("Issuer certificate cannot be searched.", e);
            }

            return(certs);
        }
Ejemplo n.º 5
0
        internal static PkixPolicyNode PrepareNextCertB2(int i, IList[] policyNodes, string id_p, PkixPolicyNode validPolicyTree)
        {
            int num = 0;

            foreach (PkixPolicyNode pkixPolicyNode in Platform.CreateArrayList(policyNodes[i]))
            {
                if (pkixPolicyNode.ValidPolicy.Equals(id_p))
                {
                    PkixPolicyNode parent = pkixPolicyNode.Parent;
                    parent.RemoveChild(pkixPolicyNode);
                    policyNodes[i].RemoveAt(num);
                    for (int j = i - 1; j >= 0; j--)
                    {
                        IList list = policyNodes[j];
                        for (int k = 0; k < list.Count; k++)
                        {
                            PkixPolicyNode pkixPolicyNode2 = (PkixPolicyNode)list[k];
                            if (!pkixPolicyNode2.HasChildren)
                            {
                                validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree, policyNodes, pkixPolicyNode2);
                                if (validPolicyTree == null)
                                {
                                    break;
                                }
                            }
                        }
                    }
                }
                else
                {
                    num++;
                }
            }
            return(validPolicyTree);
        }
Ejemplo n.º 6
0
        public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters pkixParams)
        {
            //IL_002d: Unknown result type (might be due to invalid IL or missing references)
            IX509Selector targetConstraints = pkixParams.GetTargetConstraints();

            if (!(targetConstraints is X509AttrCertStoreSelector))
            {
                throw new ArgumentException("TargetConstraints must be an instance of " + typeof(X509AttrCertStoreSelector).get_FullName(), "pkixParams");
            }
            IX509AttributeCertificate attributeCert     = ((X509AttrCertStoreSelector)targetConstraints).AttributeCert;
            PkixCertPath holderCertPath                 = Rfc3281CertPathUtilities.ProcessAttrCert1(attributeCert, pkixParams);
            PkixCertPathValidatorResult result          = Rfc3281CertPathUtilities.ProcessAttrCert2(certPath, pkixParams);
            X509Certificate             x509Certificate = (X509Certificate)certPath.Certificates.get_Item(0);

            Rfc3281CertPathUtilities.ProcessAttrCert3(x509Certificate, pkixParams);
            Rfc3281CertPathUtilities.ProcessAttrCert4(x509Certificate, pkixParams);
            Rfc3281CertPathUtilities.ProcessAttrCert5(attributeCert, pkixParams);
            Rfc3281CertPathUtilities.ProcessAttrCert7(attributeCert, certPath, holderCertPath, pkixParams);
            Rfc3281CertPathUtilities.AdditionalChecks(attributeCert, pkixParams);
            global::System.DateTime validCertDateFromValidityModel;
            try
            {
                validCertDateFromValidityModel = PkixCertPathValidatorUtilities.GetValidCertDateFromValidityModel(pkixParams, null, -1);
            }
            catch (global::System.Exception cause)
            {
                throw new PkixCertPathValidatorException("Could not get validity date from attribute certificate.", cause);
            }
            Rfc3281CertPathUtilities.CheckCrls(attributeCert, pkixParams, x509Certificate, validCertDateFromValidityModel, certPath.Certificates);
            return(result);
        }
Ejemplo n.º 7
0
        /**
         * Build and validate a CertPath using the given parameter.
         *
         * @param params PKIXBuilderParameters object containing all information to
         *            build the CertPath
         */
        public virtual PkixCertPathBuilderResult Build(
            PkixBuilderParameters pkixParams)
        {
            // search target certificates

            IX509Selector certSelect = pkixParams.GetTargetCertConstraints();

            if (!(certSelect is X509CertStoreSelector))
            {
                throw new PkixCertPathBuilderException(
                          "TargetConstraints must be an instance of "
                          + typeof(X509CertStoreSelector).FullName + " for "
                          + this.GetType() + " class.");
            }

            ISet targets = new HashSet();

            try
            {
                targets.AddAll(PkixCertPathValidatorUtilities.FindCertificates((X509CertStoreSelector)certSelect, pkixParams.GetStores()));
                // TODO Should this include an entry for pkixParams.GetAdditionalStores() too?
            }
            catch (Exception e)
            {
                throw new PkixCertPathBuilderException(
                          "Error finding target certificate.", e);
            }

            if (targets.IsEmpty)
            {
                throw new PkixCertPathBuilderException("No certificate found matching targetContraints.");
            }

            PkixCertPathBuilderResult result = null;
            IList certPathList = new ArrayList();

            // check all potential target certificates
            foreach (X509Certificate cert in targets)
            {
                result = Build(cert, pkixParams, certPathList);

                if (result != null)
                {
                    break;
                }
            }

            if (result == null && certPathException != null)
            {
                throw new PkixCertPathBuilderException(certPathException.Message, certPathException.InnerException);
            }

            if (result == null && certPathException == null)
            {
                throw new PkixCertPathBuilderException("Unable to find certificate chain.");
            }

            return(result);
        }
Ejemplo n.º 8
0
        internal static ISet GetDeltaCrls(DateTime currentDate, PkixParameters paramsPKIX, X509Crl completeCRL)
        {
            X509CrlStoreSelector x509CrlStoreSelector = new X509CrlStoreSelector();

            try
            {
                IList list = Platform.CreateArrayList();
                list.Add(completeCRL.IssuerDN);
                x509CrlStoreSelector.Issuers = list;
            }
            catch (IOException innerException)
            {
                throw new Exception("Cannot extract issuer from CRL.", innerException);
            }
            BigInteger bigInteger = null;

            try
            {
                Asn1Object extensionValue = PkixCertPathValidatorUtilities.GetExtensionValue(completeCRL, X509Extensions.CrlNumber);
                if (extensionValue != null)
                {
                    bigInteger = DerInteger.GetInstance(extensionValue).PositiveValue;
                }
            }
            catch (Exception innerException2)
            {
                throw new Exception("CRL number extension could not be extracted from CRL.", innerException2);
            }
            byte[] issuingDistributionPoint = null;
            try
            {
                Asn1Object extensionValue2 = PkixCertPathValidatorUtilities.GetExtensionValue(completeCRL, X509Extensions.IssuingDistributionPoint);
                if (extensionValue2 != null)
                {
                    issuingDistributionPoint = extensionValue2.GetDerEncoded();
                }
            }
            catch (Exception innerException3)
            {
                throw new Exception("Issuing distribution point extension value could not be read.", innerException3);
            }
            x509CrlStoreSelector.MinCrlNumber                    = ((bigInteger == null) ? null : bigInteger.Add(BigInteger.One));
            x509CrlStoreSelector.IssuingDistributionPoint        = issuingDistributionPoint;
            x509CrlStoreSelector.IssuingDistributionPointEnabled = true;
            x509CrlStoreSelector.MaxBaseCrlNumber                = bigInteger;
            ISet set  = PkixCertPathValidatorUtilities.CrlUtilities.FindCrls(x509CrlStoreSelector, paramsPKIX, currentDate);
            ISet set2 = new HashSet();

            foreach (X509Crl x509Crl in set)
            {
                if (PkixCertPathValidatorUtilities.isDeltaCrl(x509Crl))
                {
                    set2.Add(x509Crl);
                }
            }
            return(set2);
        }
Ejemplo n.º 9
0
        /**
         * Fetches complete CRLs according to RFC 3280.
         *
         * @param dp The distribution point for which the complete CRL
         * @param cert The <code>X509Certificate</code> or
         *            {@link org.bouncycastle.x509.X509AttributeCertificate} for
         *            which the CRL should be searched.
         * @param currentDate The date for which the delta CRLs must be valid.
         * @param paramsPKIX The extended PKIX parameters.
         * @return A <code>Set</code> of <code>X509CRL</code>s with complete
         *         CRLs.
         * @throws Exception if an exception occurs while picking the CRLs
         *             or no CRLs are found.
         */
        internal static ISet GetCompleteCrls(
            DistributionPoint dp,
            object cert,
            DateTime currentDate,
            PkixParameters paramsPKIX)
        {
            X509CrlStoreSelector crlselect = new X509CrlStoreSelector();

            try
            {
                ISet issuers = new HashSet();
                if (cert is X509V2AttributeCertificate)
                {
                    issuers.Add(((X509V2AttributeCertificate)cert)
                                .Issuer.GetPrincipals()[0]);
                }
                else
                {
                    issuers.Add(GetIssuerPrincipal(cert));
                }
                PkixCertPathValidatorUtilities.GetCrlIssuersFromDistributionPoint(dp, issuers, crlselect, paramsPKIX);
            }
            catch (Exception e)
            {
                throw new Exception("Could not get issuer information from distribution point.", e);
            }

            if (cert is X509Certificate)
            {
                crlselect.CertificateChecking = (X509Certificate)cert;
            }
            else if (cert is X509V2AttributeCertificate)
            {
                crlselect.AttrCertChecking = (IX509AttributeCertificate)cert;
            }

            crlselect.CompleteCrlEnabled = true;
            ISet crls = CrlUtilities.FindCrls(crlselect, paramsPKIX, currentDate);

            if (crls.IsEmpty)
            {
                if (cert is IX509AttributeCertificate)
                {
                    IX509AttributeCertificate aCert = (IX509AttributeCertificate)cert;

                    throw new Exception("No CRLs found for issuer \"" + aCert.Issuer.GetPrincipals()[0] + "\"");
                }
                else
                {
                    X509Certificate xCert = (X509Certificate)cert;

                    throw new Exception("No CRLs found for issuer \"" + xCert.IssuerDN + "\"");
                }
            }

            return(crls);
        }
Ejemplo n.º 10
0
 private static void RemovePolicyNodeRecurse(IList[] policyNodes, PkixPolicyNode _node)
 {
     policyNodes[_node.Depth].Remove(_node);
     if (_node.HasChildren)
     {
         foreach (PkixPolicyNode node in _node.Children)
         {
             PkixCertPathValidatorUtilities.RemovePolicyNodeRecurse(policyNodes, node);
         }
     }
 }
Ejemplo n.º 11
0
        public virtual PkixCertPathBuilderResult Build(PkixBuilderParameters pkixParams)
        {
            IX509Selector targetCertConstraints = pkixParams.GetTargetCertConstraints();

            if (!(targetCertConstraints is X509CertStoreSelector))
            {
                throw new PkixCertPathBuilderException(string.Concat(new object[]
                {
                    "TargetConstraints must be an instance of ",
                    typeof(X509CertStoreSelector).FullName,
                    " for ",
                    base.GetType(),
                    " class."
                }));
            }
            ISet set = new HashSet();

            try
            {
                set.AddAll(PkixCertPathValidatorUtilities.FindCertificates((X509CertStoreSelector)targetCertConstraints, pkixParams.GetStores()));
            }
            catch (Exception exception)
            {
                throw new PkixCertPathBuilderException("Error finding target certificate.", exception);
            }
            if (set.IsEmpty)
            {
                throw new PkixCertPathBuilderException("No certificate found matching targetContraints.");
            }
            PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
            IList tbvPath = Platform.CreateArrayList();

            foreach (X509Certificate tbvCert in set)
            {
                pkixCertPathBuilderResult = this.Build(tbvCert, pkixParams, tbvPath);
                if (pkixCertPathBuilderResult != null)
                {
                    break;
                }
            }
            if (pkixCertPathBuilderResult == null && this.certPathException != null)
            {
                throw new PkixCertPathBuilderException(this.certPathException.Message, this.certPathException.InnerException);
            }
            if (pkixCertPathBuilderResult == null && this.certPathException == null)
            {
                throw new PkixCertPathBuilderException("Unable to find certificate chain.");
            }
            return(pkixCertPathBuilderResult);
        }
Ejemplo n.º 12
0
        internal static DateTime GetValidCertDateFromValidityModel(
            PkixParameters paramsPkix,
            PkixCertPath certPath,
            int index)
        {
            if (paramsPkix.ValidityModel != PkixParameters.ChainValidityModel)
            {
                return(GetValidDate(paramsPkix));
            }

            // if end cert use given signing/encryption/... time
            if (index <= 0)
            {
                return(PkixCertPathValidatorUtilities.GetValidDate(paramsPkix));
                // else use time when previous cert was created
            }

            if (index - 1 == 0)
            {
                DerGeneralizedTime dateOfCertgen = null;
                try
                {
                    X509Certificate cert   = (X509Certificate)certPath.Certificates[index - 1];
                    Asn1OctetString extVal = cert.GetExtensionValue(
                        IsisMttObjectIdentifiers.IdIsisMttATDateOfCertGen);
                    dateOfCertgen = DerGeneralizedTime.GetInstance(extVal);
                }
                catch (ArgumentException)
                {
                    throw new Exception(
                              "Date of cert gen extension could not be read.");
                }
                if (dateOfCertgen != null)
                {
                    try
                    {
                        return(dateOfCertgen.ToDateTime());
                    }
                    catch (ArgumentException e)
                    {
                        throw new Exception(
                                  "Date from date of cert gen extension could not be parsed.",
                                  e);
                    }
                }
            }

            return(((X509Certificate)certPath.Certificates[index - 1]).NotBefore);
        }
 internal static void ProcessAttrCert5(IX509AttributeCertificate attrCert, PkixParameters pkixParams)
 {
     try
     {
         attrCert.CheckValidity(PkixCertPathValidatorUtilities.GetValidDate(pkixParams));
     }
     catch (CertificateExpiredException cause)
     {
         throw new PkixCertPathValidatorException("Attribute certificate is not valid.", cause);
     }
     catch (CertificateNotYetValidException cause2)
     {
         throw new PkixCertPathValidatorException("Attribute certificate is not valid.", cause2);
     }
 }
Ejemplo n.º 14
0
        internal static void GetCertStatus(DateTime validDate, X509Crl crl, object cert, CertStatus certStatus)
        {
            X509Crl x509Crl = null;

            try
            {
                x509Crl = new X509Crl(CertificateList.GetInstance((Asn1Sequence)Asn1Object.FromByteArray(crl.GetEncoded())));
            }
            catch (Exception innerException)
            {
                throw new Exception("Bouncy Castle X509Crl could not be created.", innerException);
            }
            X509CrlEntry revokedCertificate = x509Crl.GetRevokedCertificate(PkixCertPathValidatorUtilities.GetSerialNumber(cert));

            if (revokedCertificate == null)
            {
                return;
            }
            X509Name issuerPrincipal = PkixCertPathValidatorUtilities.GetIssuerPrincipal(cert);

            if (issuerPrincipal.Equivalent(revokedCertificate.GetCertificateIssuer(), true) || issuerPrincipal.Equivalent(crl.IssuerDN, true))
            {
                DerEnumerated derEnumerated = null;
                if (revokedCertificate.HasExtensions)
                {
                    try
                    {
                        derEnumerated = DerEnumerated.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(revokedCertificate, X509Extensions.ReasonCode));
                    }
                    catch (Exception innerException2)
                    {
                        throw new Exception("Reason code CRL entry extension could not be decoded.", innerException2);
                    }
                }
                if (validDate.Ticks >= revokedCertificate.RevocationDate.Ticks || derEnumerated == null || derEnumerated.Value.TestBit(0) || derEnumerated.Value.TestBit(1) || derEnumerated.Value.TestBit(2) || derEnumerated.Value.TestBit(8))
                {
                    if (derEnumerated != null)
                    {
                        certStatus.Status = derEnumerated.Value.SignValue;
                    }
                    else
                    {
                        certStatus.Status = 0;
                    }
                    certStatus.RevocationDate = new DateTimeObject(revokedCertificate.RevocationDate);
                }
            }
        }
Ejemplo n.º 15
0
 internal static void AddAdditionalStoresFromAltNames(X509Certificate cert, PkixParameters pkixParams)
 {
     if (cert.GetIssuerAlternativeNames() != null)
     {
         IEnumerator enumerator = cert.GetIssuerAlternativeNames().GetEnumerator();
         while (enumerator.MoveNext())
         {
             IList list = (IList)enumerator.Current;
             if (list[0].Equals(6))
             {
                 string location = (string)list[1];
                 PkixCertPathValidatorUtilities.AddAdditionalStoreFromLocation(location, pkixParams);
             }
         }
     }
 }
Ejemplo n.º 16
0
        internal static ISet GetCompleteCrls(DistributionPoint dp, object cert, DateTime currentDate, PkixParameters paramsPKIX)
        {
            X509CrlStoreSelector x509CrlStoreSelector = new X509CrlStoreSelector();

            try
            {
                ISet set = new HashSet();
                if (cert is X509V2AttributeCertificate)
                {
                    set.Add(((X509V2AttributeCertificate)cert).Issuer.GetPrincipals()[0]);
                }
                else
                {
                    set.Add(PkixCertPathValidatorUtilities.GetIssuerPrincipal(cert));
                }
                PkixCertPathValidatorUtilities.GetCrlIssuersFromDistributionPoint(dp, set, x509CrlStoreSelector, paramsPKIX);
            }
            catch (Exception innerException)
            {
                throw new Exception("Could not get issuer information from distribution point.", innerException);
            }
            if (cert is X509Certificate)
            {
                x509CrlStoreSelector.CertificateChecking = (X509Certificate)cert;
            }
            else if (cert is X509V2AttributeCertificate)
            {
                x509CrlStoreSelector.AttrCertChecking = (IX509AttributeCertificate)cert;
            }
            x509CrlStoreSelector.CompleteCrlEnabled = true;
            ISet set2 = PkixCertPathValidatorUtilities.CrlUtilities.FindCrls(x509CrlStoreSelector, paramsPKIX, currentDate);

            if (!set2.IsEmpty)
            {
                return(set2);
            }
            if (cert is IX509AttributeCertificate)
            {
                IX509AttributeCertificate iX509AttributeCertificate = (IX509AttributeCertificate)cert;
                throw new Exception("No CRLs found for issuer \"" + iX509AttributeCertificate.Issuer.GetPrincipals()[0] + "\"");
            }
            X509Certificate x509Certificate = (X509Certificate)cert;

            throw new Exception("No CRLs found for issuer \"" + x509Certificate.IssuerDN + "\"");
        }
Ejemplo n.º 17
0
 internal static void AddAdditionalStoresFromCrlDistributionPoint(
     CrlDistPoint crldp,
     PkixParameters pkixParams)
 {
     if (crldp != null)
     {
         DistributionPoint[] dps = null;
         try
         {
             dps = crldp.GetDistributionPoints();
         }
         catch (Exception e)
         {
             throw new Exception(
                       "Distribution points could not be read.", e);
         }
         for (int i = 0; i < dps.Length; i++)
         {
             DistributionPointName dpn = dps[i].DistributionPointName;
             // look for URIs in fullName
             if (dpn != null)
             {
                 if (dpn.PointType == DistributionPointName.FullName)
                 {
                     GeneralName[] genNames = GeneralNames.GetInstance(
                         dpn.Name).GetNames();
                     // look for an URI
                     for (int j = 0; j < genNames.Length; j++)
                     {
                         if (genNames[j].TagNo == GeneralName.UniformResourceIdentifier)
                         {
                             string location = DerIA5String.GetInstance(
                                 genNames[j].Name).GetString();
                             PkixCertPathValidatorUtilities.AddAdditionalStoreFromLocation(
                                 location, pkixParams);
                         }
                     }
                 }
             }
         }
     }
 }
Ejemplo n.º 18
0
        internal static PkixPolicyNode RemovePolicyNode(PkixPolicyNode validPolicyTree, IList[] policyNodes, PkixPolicyNode _node)
        {
            PkixPolicyNode parent = _node.Parent;

            if (validPolicyTree == null)
            {
                return(null);
            }
            if (parent == null)
            {
                for (int i = 0; i < policyNodes.Length; i++)
                {
                    policyNodes[i] = Platform.CreateArrayList();
                }
                return(null);
            }
            parent.RemoveChild(_node);
            PkixCertPathValidatorUtilities.RemovePolicyNodeRecurse(policyNodes, _node);
            return(validPolicyTree);
        }
Ejemplo n.º 19
0
        internal static void ProcessAttrCert7(
            IX509AttributeCertificate attrCert,
            PkixCertPath certPath,
            PkixCertPath holderCertPath,
            PkixParameters pkixParams)
        {
            // TODO:
            // AA Controls
            // Attribute encryption
            // Proxy
            ISet critExtOids = attrCert.GetCriticalExtensionOids();

            // 7.1
            // process extensions

            // target information checked in step 6 / X509AttributeCertStoreSelector
            if (critExtOids.Contains(X509Extensions.TargetInformation.Id))
            {
                try
                {
                    TargetInformation.GetInstance(PkixCertPathValidatorUtilities
                                                  .GetExtensionValue(attrCert, X509Extensions.TargetInformation));
                }
                catch (Exception e)
                {
                    throw new PkixCertPathValidatorException(
                              "Target information extension could not be read.", e);
                }
            }
            critExtOids.Remove(X509Extensions.TargetInformation.Id);
            foreach (PkixAttrCertChecker checker in pkixParams.GetAttrCertCheckers())
            {
                checker.Check(attrCert, certPath, holderCertPath, critExtOids);
            }
            if (!critExtOids.IsEmpty)
            {
                throw new PkixCertPathValidatorException(
                          "Attribute certificate contains unsupported critical extensions: "
                          + critExtOids);
            }
        }
        internal static void ProcessAttrCert7(IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams)
        {
            ISet criticalExtensionOids = attrCert.GetCriticalExtensionOids();

            if (criticalExtensionOids.Contains(X509Extensions.TargetInformation.Id))
            {
                try
                {
                    TargetInformation.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.TargetInformation));
                }
                catch (global::System.Exception cause)
                {
                    throw new PkixCertPathValidatorException("Target information extension could not be read.", cause);
                }
            }
            criticalExtensionOids.Remove(X509Extensions.TargetInformation.Id);
            global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)pkixParams.GetAttrCertCheckers()).GetEnumerator();
            try
            {
                while (enumerator.MoveNext())
                {
                    PkixAttrCertChecker pkixAttrCertChecker = (PkixAttrCertChecker)enumerator.get_Current();
                    pkixAttrCertChecker.Check(attrCert, certPath, holderCertPath, criticalExtensionOids);
                }
            }
            finally
            {
                global::System.IDisposable disposable = enumerator as global::System.IDisposable;
                if (disposable != null)
                {
                    disposable.Dispose();
                }
            }
            if (!criticalExtensionOids.IsEmpty)
            {
                throw new PkixCertPathValidatorException(string.Concat((object)"Attribute certificate contains unsupported critical extensions: ", (object)criticalExtensionOids));
            }
        }
Ejemplo n.º 21
0
        /**
         * Validates an attribute certificate with the given certificate path.
         *
         * <p>
         * <code>params</code> must be an instance of
         * <code>ExtendedPkixParameters</code>.
         * </p><p>
         * The target constraints in the <code>params</code> must be an
         * <code>X509AttrCertStoreSelector</code> with at least the attribute
         * certificate criterion set. Obey that also target informations may be
         * necessary to correctly validate this attribute certificate.
         * </p><p>
         * The attribute certificate issuer must be added to the trusted attribute
         * issuers with {@link ExtendedPkixParameters#setTrustedACIssuers(Set)}.
         * </p>
         * @param certPath The certificate path which belongs to the attribute
         *            certificate issuer public key certificate.
         * @param params The PKIX parameters.
         * @return A <code>PKIXCertPathValidatorResult</code> of the result of
         *         validating the <code>certPath</code>.
         * @throws InvalidAlgorithmParameterException if <code>params</code> is
         *             inappropriate for this validator.
         * @throws CertPathValidatorException if the verification fails.
         */
        public virtual PkixCertPathValidatorResult Validate(
            PkixCertPath certPath,
            PkixParameters pkixParams)
        {
            IX509Selector certSelect = pkixParams.GetTargetConstraints();

            if (!(certSelect is X509AttrCertStoreSelector))
            {
                throw new ArgumentException(
                          "TargetConstraints must be an instance of " + typeof(X509AttrCertStoreSelector).FullName,
                          "pkixParams");
            }
            IX509AttributeCertificate attrCert = ((X509AttrCertStoreSelector)certSelect).AttributeCert;

            PkixCertPath holderCertPath            = Rfc3281CertPathUtilities.ProcessAttrCert1(attrCert, pkixParams);
            PkixCertPathValidatorResult result     = Rfc3281CertPathUtilities.ProcessAttrCert2(certPath, pkixParams);
            X509Certificate             issuerCert = (X509Certificate)certPath.Certificates[0];

            Rfc3281CertPathUtilities.ProcessAttrCert3(issuerCert, pkixParams);
            Rfc3281CertPathUtilities.ProcessAttrCert4(issuerCert, pkixParams);
            Rfc3281CertPathUtilities.ProcessAttrCert5(attrCert, pkixParams);
            // 6 already done in X509AttrCertStoreSelector
            Rfc3281CertPathUtilities.ProcessAttrCert7(attrCert, certPath, holderCertPath, pkixParams);
            Rfc3281CertPathUtilities.AdditionalChecks(attrCert, pkixParams);
            DateTime date;

            try
            {
                date = PkixCertPathValidatorUtilities.GetValidCertDateFromValidityModel(pkixParams, null, -1);
            }
            catch (Exception e)
            {
                throw new PkixCertPathValidatorException(
                          "Could not get validity date from attribute certificate.", e);
            }
            Rfc3281CertPathUtilities.CheckCrls(attrCert, pkixParams, issuerCert, date, certPath.Certificates);
            return(result);
        }
Ejemplo n.º 22
0
 internal static void AddAdditionalStoresFromAltNames(
     X509Certificate cert,
     PkixParameters pkixParams)
 {
     // if in the IssuerAltName extension an URI
     // is given, add an additinal X.509 store
     if (cert.GetIssuerAlternativeNames() != null)
     {
         IEnumerator it = cert.GetIssuerAlternativeNames().GetEnumerator();
         while (it.MoveNext())
         {
             // look for URI
             IList list = (IList)it.Current;
             //if (list[0].Equals(new Integer(GeneralName.UniformResourceIdentifier)))
             if (list[0].Equals(GeneralName.UniformResourceIdentifier))
             {
                 // found
                 string temp = (string)list[1];
                 PkixCertPathValidatorUtilities.AddAdditionalStoreFromLocation(temp, pkixParams);
             }
         }
     }
 }
Ejemplo n.º 23
0
 internal static DateTime GetValidCertDateFromValidityModel(PkixParameters paramsPkix, PkixCertPath certPath, int index)
 {
     if (paramsPkix.ValidityModel != 1)
     {
         return(PkixCertPathValidatorUtilities.GetValidDate(paramsPkix));
     }
     if (index <= 0)
     {
         return(PkixCertPathValidatorUtilities.GetValidDate(paramsPkix));
     }
     if (index - 1 == 0)
     {
         DerGeneralizedTime derGeneralizedTime = null;
         try
         {
             X509Certificate x509Certificate = (X509Certificate)certPath.Certificates[index - 1];
             Asn1OctetString extensionValue  = x509Certificate.GetExtensionValue(IsisMttObjectIdentifiers.IdIsisMttATDateOfCertGen);
             derGeneralizedTime = DerGeneralizedTime.GetInstance(extensionValue);
         }
         catch (ArgumentException)
         {
             throw new Exception("Date of cert gen extension could not be read.");
         }
         if (derGeneralizedTime != null)
         {
             try
             {
                 return(derGeneralizedTime.ToDateTime());
             }
             catch (ArgumentException innerException)
             {
                 throw new Exception("Date from date of cert gen extension could not be parsed.", innerException);
             }
         }
     }
     return(((X509Certificate)certPath.Certificates[index - 1]).NotBefore);
 }
Ejemplo n.º 24
0
        internal static ICollection FindIssuerCerts(X509Certificate cert, PkixBuilderParameters pkixParams)
        {
            X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector();
            ISet set = new HashSet();

            try
            {
                x509CertStoreSelector.Subject = cert.IssuerDN;
            }
            catch (IOException innerException)
            {
                throw new Exception("Subject criteria for certificate selector to find issuer certificate could not be set.", innerException);
            }
            try
            {
                set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores()));
                set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetAdditionalStores()));
            }
            catch (Exception innerException2)
            {
                throw new Exception("Issuer certificate cannot be searched.", innerException2);
            }
            return(set);
        }
        private PkixCertPathBuilderResult Build(IX509AttributeCertificate attrCert, X509Certificate tbvCert, PkixBuilderParameters pkixParams, IList tbvPath)
        {
            if (tbvPath.Contains(tbvCert))
            {
                return(null);
            }
            if (pkixParams.GetExcludedCerts().Contains(tbvCert))
            {
                return(null);
            }
            if (pkixParams.MaxPathLength != -1 && tbvPath.Count - 1 > pkixParams.MaxPathLength)
            {
                return(null);
            }
            tbvPath.Add(tbvCert);
            PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
            PkixAttrCertPathValidator pkixAttrCertPathValidator = new PkixAttrCertPathValidator();

            try
            {
                if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
                {
                    PkixCertPath certPath = new PkixCertPath(tbvPath);
                    PkixCertPathValidatorResult pkixCertPathValidatorResult;
                    try
                    {
                        pkixCertPathValidatorResult = pkixAttrCertPathValidator.Validate(certPath, pkixParams);
                    }
                    catch (Exception innerException)
                    {
                        throw new Exception("Certification path could not be validated.", innerException);
                    }
                    return(new PkixCertPathBuilderResult(certPath, pkixCertPathValidatorResult.TrustAnchor, pkixCertPathValidatorResult.PolicyTree, pkixCertPathValidatorResult.SubjectPublicKey));
                }
                try
                {
                    PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams);
                }
                catch (CertificateParsingException innerException2)
                {
                    throw new Exception("No additional X.509 stores can be added from certificate locations.", innerException2);
                }
                ISet set = new HashSet();
                try
                {
                    set.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
                }
                catch (Exception innerException3)
                {
                    throw new Exception("Cannot find issuer certificate for certificate in certification path.", innerException3);
                }
                if (set.IsEmpty)
                {
                    throw new Exception("No issuer certificate for certificate in certification path found.");
                }
                foreach (X509Certificate x509Certificate in set)
                {
                    if (!PkixCertPathValidatorUtilities.IsSelfIssued(x509Certificate))
                    {
                        pkixCertPathBuilderResult = this.Build(attrCert, x509Certificate, pkixParams, tbvPath);
                        if (pkixCertPathBuilderResult != null)
                        {
                            break;
                        }
                    }
                }
            }
            catch (Exception innerException4)
            {
                this.certPathException = new Exception("No valid certification path could be build.", innerException4);
            }
            if (pkixCertPathBuilderResult == null)
            {
                tbvPath.Remove(tbvCert);
            }
            return(pkixCertPathBuilderResult);
        }
        public virtual PkixCertPathBuilderResult Build(PkixBuilderParameters pkixParams)
        {
            IX509Selector targetConstraints = pkixParams.GetTargetConstraints();

            if (!(targetConstraints is X509AttrCertStoreSelector))
            {
                throw new PkixCertPathBuilderException(string.Concat(new string[]
                {
                    "TargetConstraints must be an instance of ",
                    typeof(X509AttrCertStoreSelector).FullName,
                    " for ",
                    typeof(PkixAttrCertPathBuilder).FullName,
                    " class."
                }));
            }
            ICollection collection;

            try
            {
                collection = PkixCertPathValidatorUtilities.FindCertificates((X509AttrCertStoreSelector)targetConstraints, pkixParams.GetStores());
            }
            catch (Exception exception)
            {
                throw new PkixCertPathBuilderException("Error finding target attribute certificate.", exception);
            }
            if (collection.Count == 0)
            {
                throw new PkixCertPathBuilderException("No attribute certificate found matching targetContraints.");
            }
            PkixCertPathBuilderResult pkixCertPathBuilderResult = null;

            foreach (IX509AttributeCertificate iX509AttributeCertificate in collection)
            {
                X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector();
                X509Name[]            principals            = iX509AttributeCertificate.Issuer.GetPrincipals();
                ISet set = new HashSet();
                for (int i = 0; i < principals.Length; i++)
                {
                    try
                    {
                        x509CertStoreSelector.Subject = principals[i];
                        set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores()));
                    }
                    catch (Exception exception2)
                    {
                        throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be searched.", exception2);
                    }
                }
                if (set.IsEmpty)
                {
                    throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be found.");
                }
                IList tbvPath = Platform.CreateArrayList();
                foreach (X509Certificate tbvCert in set)
                {
                    pkixCertPathBuilderResult = this.Build(iX509AttributeCertificate, tbvCert, pkixParams, tbvPath);
                    if (pkixCertPathBuilderResult != null)
                    {
                        break;
                    }
                }
                if (pkixCertPathBuilderResult != null)
                {
                    break;
                }
            }
            if (pkixCertPathBuilderResult == null && this.certPathException != null)
            {
                throw new PkixCertPathBuilderException("Possible certificate chain could not be validated.", this.certPathException);
            }
            if (pkixCertPathBuilderResult == null && this.certPathException == null)
            {
                throw new PkixCertPathBuilderException("Unable to find certificate chain.");
            }
            return(pkixCertPathBuilderResult);
        }
Ejemplo n.º 27
0
        /**
         * Checks if an attribute certificate is revoked.
         *
         * @param attrCert Attribute certificate to check if it is revoked.
         * @param paramsPKIX PKIX parameters.
         * @param issuerCert The issuer certificate of the attribute certificate
         *            <code>attrCert</code>.
         * @param validDate The date when the certificate revocation status should
         *            be checked.
         * @param certPathCerts The certificates of the certification path to be
         *            checked.
         *
         * @throws CertPathValidatorException if the certificate is revoked or the
         *             status cannot be checked or some error occurs.
         */
        internal static void CheckCrls(
            IX509AttributeCertificate attrCert,
            PkixParameters paramsPKIX,
            X509Certificate issuerCert,
            DateTime validDate,
            IList certPathCerts)
        {
            if (!paramsPKIX.IsRevocationEnabled)
            {
                return;
            }

            // check if revocation is available
            if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) != null)
            {
                if (attrCert.GetExtensionValue(X509Extensions.CrlDistributionPoints) != null ||
                    attrCert.GetExtensionValue(X509Extensions.AuthorityInfoAccess) != null)
                {
                    throw new PkixCertPathValidatorException(
                              "No rev avail extension is set, but also an AC revocation pointer.");
                }

                return;
            }

            CrlDistPoint crldp = null;

            try
            {
                crldp = CrlDistPoint.GetInstance(
                    PkixCertPathValidatorUtilities.GetExtensionValue(
                        attrCert, X509Extensions.CrlDistributionPoints));
            }
            catch (Exception e)
            {
                throw new PkixCertPathValidatorException(
                          "CRL distribution point extension could not be read.", e);
            }
            try
            {
                PkixCertPathValidatorUtilities
                .AddAdditionalStoresFromCrlDistributionPoint(crldp, paramsPKIX);
            }
            catch (Exception e)
            {
                throw new PkixCertPathValidatorException(
                          "No additional CRL locations could be decoded from CRL distribution point extension.", e);
            }

            CertStatus  certStatus  = new CertStatus();
            ReasonsMask reasonsMask = new ReasonsMask();

            Exception lastException = null;
            bool      validCrlFound = false;

            // for each distribution point
            if (crldp != null)
            {
                DistributionPoint[] dps = null;
                try
                {
                    dps = crldp.GetDistributionPoints();
                }
                catch (Exception e)
                {
                    throw new PkixCertPathValidatorException(
                              "Distribution points could not be read.", e);
                }
                try
                {
                    for (int i = 0; i < dps.Length &&
                         certStatus.Status == CertStatus.Unrevoked &&
                         !reasonsMask.IsAllReasons; i++)
                    {
                        PkixParameters paramsPKIXClone = (PkixParameters)paramsPKIX
                                                         .Clone();
                        CheckCrl(dps[i], attrCert, paramsPKIXClone,
                                 validDate, issuerCert, certStatus, reasonsMask,
                                 certPathCerts);
                        validCrlFound = true;
                    }
                }
                catch (Exception e)
                {
                    lastException = new Exception(
                        "No valid CRL for distribution point found.", e);
                }
            }

            /*
             * If the revocation status has not been determined, repeat the
             * process above with any available CRLs not specified in a
             * distribution point but issued by the certificate issuer.
             */

            if (certStatus.Status == CertStatus.Unrevoked &&
                !reasonsMask.IsAllReasons)
            {
                try
                {
                    /*
                     * assume a DP with both the reasons and the cRLIssuer
                     * fields omitted and a distribution point name of the
                     * certificate issuer.
                     */
                    X509Name issuer;
                    try
                    {
                        issuer = X509Name.GetInstance(attrCert.Issuer.GetPrincipals()[0].GetEncoded());
                    }
                    catch (Exception e)
                    {
                        throw new Exception(
                                  "Issuer from certificate for CRL could not be reencoded.",
                                  e);
                    }
                    DistributionPoint dp = new DistributionPoint(
                        new DistributionPointName(0, new GeneralNames(
                                                      new GeneralName(GeneralName.DirectoryName, issuer))), null, null);
                    PkixParameters paramsPKIXClone = (PkixParameters)paramsPKIX.Clone();
                    CheckCrl(dp, attrCert, paramsPKIXClone, validDate,
                             issuerCert, certStatus, reasonsMask, certPathCerts);
                    validCrlFound = true;
                }
                catch (Exception e)
                {
                    lastException = new Exception(
                        "No valid CRL for distribution point found.", e);
                }
            }

            if (!validCrlFound)
            {
                throw new PkixCertPathValidatorException(
                          "No valid CRL found.", lastException);
            }
            if (certStatus.Status != CertStatus.Unrevoked)
            {
                // This format is enforced by the NistCertPath tests
                string formattedDate = certStatus.RevocationDate.Value.ToString(
                    "ddd MMM dd HH:mm:ss K yyyy");
                string message = "Attribute certificate revocation after "
                                 + formattedDate;
                message += ", reason: "
                           + Rfc3280CertPathUtilities.CrlReasons[certStatus.Status];
                throw new PkixCertPathValidatorException(message);
            }
            if (!reasonsMask.IsAllReasons &&
                certStatus.Status == CertStatus.Unrevoked)
            {
                certStatus.Status = CertStatus.Undetermined;
            }
            if (certStatus.Status == CertStatus.Undetermined)
            {
                throw new PkixCertPathValidatorException(
                          "Attribute certificate status could not be determined.");
            }
        }
Ejemplo n.º 28
0
        /**
         *
         * Checks a distribution point for revocation information for the
         * certificate <code>attrCert</code>.
         *
         * @param dp The distribution point to consider.
         * @param attrCert The attribute certificate which should be checked.
         * @param paramsPKIX PKIX parameters.
         * @param validDate The date when the certificate revocation status should
         *            be checked.
         * @param issuerCert Certificate to check if it is revoked.
         * @param reasonMask The reasons mask which is already checked.
         * @param certPathCerts The certificates of the certification path to be
         *            checked.
         * @throws Exception if the certificate is revoked or the status
         *             cannot be checked or some error occurs.
         */
        private static void CheckCrl(
            DistributionPoint dp,
            IX509AttributeCertificate attrCert,
            PkixParameters paramsPKIX,
            DateTime validDate,
            X509Certificate issuerCert,
            CertStatus certStatus,
            ReasonsMask reasonMask,
            IList certPathCerts)
        {
            /*
             * 4.3.6 No Revocation Available
             *
             * The noRevAvail extension, defined in [X.509-2000], allows an AC
             * issuer to indicate that no revocation information will be made
             * available for this AC.
             */
            if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) != null)
            {
                return;
            }

            DateTime currentDate = DateTime.UtcNow;

            if (validDate.CompareTo(currentDate) > 0)
            {
                throw new Exception("Validation time is in future.");
            }

            // (a)

            /*
             * We always get timely valid CRLs, so there is no step (a) (1).
             * "locally cached" CRLs are assumed to be in getStore(), additional
             * CRLs must be enabled in the ExtendedPkixParameters and are in
             * getAdditionalStore()
             */
            ISet crls = PkixCertPathValidatorUtilities.GetCompleteCrls(dp, attrCert,
                                                                       currentDate, paramsPKIX);
            bool      validCrlFound = false;
            Exception lastException = null;

            IEnumerator crl_iter = crls.GetEnumerator();

            while (crl_iter.MoveNext() &&
                   certStatus.Status == CertStatus.Unrevoked &&
                   !reasonMask.IsAllReasons)
            {
                try
                {
                    X509Crl crl = (X509Crl)crl_iter.Current;

                    // (d)
                    ReasonsMask interimReasonsMask = Rfc3280CertPathUtilities.ProcessCrlD(crl, dp);

                    // (e)

                    /*
                     * The reasons mask is updated at the end, so only valid CRLs
                     * can update it. If this CRL does not contain new reasons it
                     * must be ignored.
                     */
                    if (!interimReasonsMask.HasNewReasons(reasonMask))
                    {
                        continue;
                    }

                    // (f)
                    ISet keys = Rfc3280CertPathUtilities.ProcessCrlF(crl, attrCert,
                                                                     null, null, paramsPKIX, certPathCerts);
                    // (g)
                    AsymmetricKeyParameter pubKey = Rfc3280CertPathUtilities.ProcessCrlG(crl, keys);

                    X509Crl deltaCRL = null;

                    if (paramsPKIX.IsUseDeltasEnabled)
                    {
                        // get delta CRLs
                        ISet deltaCRLs = PkixCertPathValidatorUtilities.GetDeltaCrls(
                            currentDate, paramsPKIX, crl);
                        // we only want one valid delta CRL
                        // (h)
                        deltaCRL = Rfc3280CertPathUtilities.ProcessCrlH(deltaCRLs, pubKey);
                    }

                    /*
                     * CRL must be be valid at the current time, not the validation
                     * time. If a certificate is revoked with reason keyCompromise,
                     * cACompromise, it can be used for forgery, also for the past.
                     * This reason may not be contained in older CRLs.
                     */

                    /*
                     * in the chain model signatures stay valid also after the
                     * certificate has been expired, so they do not have to be in
                     * the CRL vality time
                     */
                    if (paramsPKIX.ValidityModel != PkixParameters.ChainValidityModel)
                    {
                        /*
                         * if a certificate has expired, but was revoked, it is not
                         * more in the CRL, so it would be regarded as valid if the
                         * first check is not done
                         */
                        if (attrCert.NotAfter.CompareTo(crl.ThisUpdate) < 0)
                        {
                            throw new Exception(
                                      "No valid CRL for current time found.");
                        }
                    }

                    Rfc3280CertPathUtilities.ProcessCrlB1(dp, attrCert, crl);

                    // (b) (2)
                    Rfc3280CertPathUtilities.ProcessCrlB2(dp, attrCert, crl);

                    // (c)
                    Rfc3280CertPathUtilities.ProcessCrlC(deltaCRL, crl, paramsPKIX);

                    // (i)
                    Rfc3280CertPathUtilities.ProcessCrlI(validDate, deltaCRL,
                                                         attrCert, certStatus, paramsPKIX);

                    // (j)
                    Rfc3280CertPathUtilities.ProcessCrlJ(validDate, crl, attrCert,
                                                         certStatus);

                    // (k)
                    if (certStatus.Status == CrlReason.RemoveFromCrl)
                    {
                        certStatus.Status = CertStatus.Unrevoked;
                    }

                    // update reasons mask
                    reasonMask.AddReasons(interimReasonsMask);
                    validCrlFound = true;
                }
                catch (Exception e)
                {
                    lastException = e;
                }
            }
            if (!validCrlFound)
            {
                throw lastException;
            }
        }
Ejemplo n.º 29
0
        /**
         * Searches for a holder public key certificate and verifies its
         * certification path.
         *
         * @param attrCert the attribute certificate.
         * @param pkixParams The PKIX parameters.
         * @return The certificate path of the holder certificate.
         * @throws Exception if
         *             <ul>
         *             <li>no public key certificate can be found although holder
         *             information is given by an entity name or a base certificate
         *             ID</li>
         *             <li>support classes cannot be created</li>
         *             <li>no certification path for the public key certificate can
         *             be built</li>
         *             </ul>
         */
        internal static PkixCertPath ProcessAttrCert1(
            IX509AttributeCertificate attrCert,
            PkixParameters pkixParams)
        {
            PkixCertPathBuilderResult result = null;
            // find holder PKCs
            ISet holderPKCs = new HashSet();

            if (attrCert.Holder.GetIssuer() != null)
            {
                X509CertStoreSelector selector = new X509CertStoreSelector();
                selector.SerialNumber = attrCert.Holder.SerialNumber;
                X509Name[] principals = attrCert.Holder.GetIssuer();
                for (int i = 0; i < principals.Length; i++)
                {
                    try
                    {
//						if (principals[i] is X500Principal)
                        {
                            selector.Issuer = principals[i];
                        }
                        holderPKCs.AddAll(PkixCertPathValidatorUtilities
                                          .FindCertificates(selector, pkixParams.GetStores()));
                    }
                    catch (Exception e)
                    {
                        throw new PkixCertPathValidatorException(
                                  "Public key certificate for attribute certificate cannot be searched.",
                                  e);
                    }
                }
                if (holderPKCs.IsEmpty)
                {
                    throw new PkixCertPathValidatorException(
                              "Public key certificate specified in base certificate ID for attribute certificate cannot be found.");
                }
            }
            if (attrCert.Holder.GetEntityNames() != null)
            {
                X509CertStoreSelector selector   = new X509CertStoreSelector();
                X509Name[]            principals = attrCert.Holder.GetEntityNames();
                for (int i = 0; i < principals.Length; i++)
                {
                    try
                    {
//						if (principals[i] is X500Principal)
                        {
                            selector.Issuer = principals[i];
                        }
                        holderPKCs.AddAll(PkixCertPathValidatorUtilities
                                          .FindCertificates(selector, pkixParams.GetStores()));
                    }
                    catch (Exception e)
                    {
                        throw new PkixCertPathValidatorException(
                                  "Public key certificate for attribute certificate cannot be searched.",
                                  e);
                    }
                }
                if (holderPKCs.IsEmpty)
                {
                    throw new PkixCertPathValidatorException(
                              "Public key certificate specified in entity name for attribute certificate cannot be found.");
                }
            }

            // verify cert paths for PKCs
            PkixBuilderParameters parameters = (PkixBuilderParameters)
                                               PkixBuilderParameters.GetInstance(pkixParams);

            PkixCertPathValidatorException lastException = null;

            foreach (X509Certificate cert in holderPKCs)
            {
                X509CertStoreSelector selector = new X509CertStoreSelector();
                selector.Certificate = cert;
                parameters.SetTargetConstraints(selector);

                PkixCertPathBuilder builder = new PkixCertPathBuilder();

                try
                {
                    result = builder.Build(PkixBuilderParameters.GetInstance(parameters));
                }
                catch (PkixCertPathBuilderException e)
                {
                    lastException = new PkixCertPathValidatorException(
                        "Certification path for public key certificate of attribute certificate could not be build.",
                        e);
                }
            }
            if (lastException != null)
            {
                throw lastException;
            }
            return(result.CertPath);
        }
Ejemplo n.º 30
0
        protected virtual PkixCertPathBuilderResult Build(
            X509Certificate tbvCert,
            PkixBuilderParameters pkixParams,
            IList tbvPath)
        {
            // If tbvCert is readily present in tbvPath, it indicates having run
            // into a cycle in the PKI graph.
            if (tbvPath.Contains(tbvCert))
            {
                return(null);
            }

            // step out, the certificate is not allowed to appear in a certification
            // chain.
            if (pkixParams.GetExcludedCerts().Contains(tbvCert))
            {
                return(null);
            }

            // test if certificate path exceeds maximum length
            if (pkixParams.MaxPathLength != -1)
            {
                if (tbvPath.Count - 1 > pkixParams.MaxPathLength)
                {
                    return(null);
                }
            }

            tbvPath.Add(tbvCert);

            X509CertificateParser     certParser    = new X509CertificateParser();
            PkixCertPathBuilderResult builderResult = null;
            PkixCertPathValidator     validator     = new PkixCertPathValidator();

            try
            {
                // check whether the issuer of <tbvCert> is a TrustAnchor
                if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
                {
                    // exception message from possibly later tried certification
                    // chains
                    PkixCertPath certPath = null;
                    try
                    {
                        certPath = new PkixCertPath(tbvPath);
                    }
                    catch (Exception e)
                    {
                        throw new Exception(
                                  "Certification path could not be constructed from certificate list.",
                                  e);
                    }

                    PkixCertPathValidatorResult result = null;
                    try
                    {
                        result = (PkixCertPathValidatorResult)validator.Validate(
                            certPath, pkixParams);
                    }
                    catch (Exception e)
                    {
                        throw new Exception(
                                  "Certification path could not be validated.", e);
                    }

                    return(new PkixCertPathBuilderResult(certPath, result.TrustAnchor,
                                                         result.PolicyTree, result.SubjectPublicKey));
                }
                else
                {
                    // add additional X.509 stores from locations in certificate
                    try
                    {
                        PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(
                            tbvCert, pkixParams);
                    }
                    catch (CertificateParsingException e)
                    {
                        throw new Exception(
                                  "No additiontal X.509 stores can be added from certificate locations.",
                                  e);
                    }

                    // try to get the issuer certificate from one of the stores
                    HashSet issuers = new HashSet();
                    try
                    {
                        issuers.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
                    }
                    catch (Exception e)
                    {
                        throw new Exception(
                                  "Cannot find issuer certificate for certificate in certification path.",
                                  e);
                    }

                    if (issuers.IsEmpty)
                    {
                        throw new Exception("No issuer certificate for certificate in certification path found.");
                    }

                    foreach (X509Certificate issuer in issuers)
                    {
                        builderResult = Build(issuer, pkixParams, tbvPath);

                        if (builderResult != null)
                        {
                            break;
                        }
                    }
                }
            }
            catch (Exception e)
            {
                certPathException = e;
            }

            if (builderResult == null)
            {
                tbvPath.Remove(tbvCert);
            }

            return(builderResult);
        }