|
static private GetExtensionValue ( IX509Extension ext, |
||
| ext | IX509Extension | The extension object. |
| oid | The object identifier to obtain. | |
| return | ||
internal static void ProcessAttrCert7(IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams)
{
ISet criticalExtensionOids = attrCert.GetCriticalExtensionOids();
if (criticalExtensionOids.Contains(X509Extensions.TargetInformation.Id))
{
try
{
TargetInformation.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.TargetInformation));
}
catch (Exception cause)
{
throw new PkixCertPathValidatorException("Target information extension could not be read.", cause);
}
}
criticalExtensionOids.Remove(X509Extensions.TargetInformation.Id);
foreach (PkixAttrCertChecker pkixAttrCertChecker in pkixParams.GetAttrCertCheckers())
{
pkixAttrCertChecker.Check(attrCert, certPath, holderCertPath, criticalExtensionOids);
}
if (!criticalExtensionOids.IsEmpty)
{
throw new PkixCertPathValidatorException("Attribute certificate contains unsupported critical extensions: " + criticalExtensionOids);
}
}
internal static ISet GetDeltaCrls(DateTime currentDate, PkixParameters paramsPKIX, X509Crl completeCRL)
{
X509CrlStoreSelector x509CrlStoreSelector = new X509CrlStoreSelector();
try
{
IList list = Platform.CreateArrayList();
list.Add(completeCRL.IssuerDN);
x509CrlStoreSelector.Issuers = list;
}
catch (IOException innerException)
{
throw new Exception("Cannot extract issuer from CRL.", innerException);
}
BigInteger bigInteger = null;
try
{
Asn1Object extensionValue = PkixCertPathValidatorUtilities.GetExtensionValue(completeCRL, X509Extensions.CrlNumber);
if (extensionValue != null)
{
bigInteger = DerInteger.GetInstance(extensionValue).PositiveValue;
}
}
catch (Exception innerException2)
{
throw new Exception("CRL number extension could not be extracted from CRL.", innerException2);
}
byte[] issuingDistributionPoint = null;
try
{
Asn1Object extensionValue2 = PkixCertPathValidatorUtilities.GetExtensionValue(completeCRL, X509Extensions.IssuingDistributionPoint);
if (extensionValue2 != null)
{
issuingDistributionPoint = extensionValue2.GetDerEncoded();
}
}
catch (Exception innerException3)
{
throw new Exception("Issuing distribution point extension value could not be read.", innerException3);
}
x509CrlStoreSelector.MinCrlNumber = ((bigInteger == null) ? null : bigInteger.Add(BigInteger.One));
x509CrlStoreSelector.IssuingDistributionPoint = issuingDistributionPoint;
x509CrlStoreSelector.IssuingDistributionPointEnabled = true;
x509CrlStoreSelector.MaxBaseCrlNumber = bigInteger;
ISet set = PkixCertPathValidatorUtilities.CrlUtilities.FindCrls(x509CrlStoreSelector, paramsPKIX, currentDate);
ISet set2 = new HashSet();
foreach (X509Crl x509Crl in set)
{
if (PkixCertPathValidatorUtilities.isDeltaCrl(x509Crl))
{
set2.Add(x509Crl);
}
}
return(set2);
}
internal static void GetCertStatus(DateTime validDate, X509Crl crl, object cert, CertStatus certStatus)
{
X509Crl x509Crl = null;
try
{
x509Crl = new X509Crl(CertificateList.GetInstance((Asn1Sequence)Asn1Object.FromByteArray(crl.GetEncoded())));
}
catch (Exception innerException)
{
throw new Exception("Bouncy Castle X509Crl could not be created.", innerException);
}
X509CrlEntry revokedCertificate = x509Crl.GetRevokedCertificate(PkixCertPathValidatorUtilities.GetSerialNumber(cert));
if (revokedCertificate == null)
{
return;
}
X509Name issuerPrincipal = PkixCertPathValidatorUtilities.GetIssuerPrincipal(cert);
if (issuerPrincipal.Equivalent(revokedCertificate.GetCertificateIssuer(), true) || issuerPrincipal.Equivalent(crl.IssuerDN, true))
{
DerEnumerated derEnumerated = null;
if (revokedCertificate.HasExtensions)
{
try
{
derEnumerated = DerEnumerated.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(revokedCertificate, X509Extensions.ReasonCode));
}
catch (Exception innerException2)
{
throw new Exception("Reason code CRL entry extension could not be decoded.", innerException2);
}
}
if (validDate.Ticks >= revokedCertificate.RevocationDate.Ticks || derEnumerated == null || derEnumerated.Value.TestBit(0) || derEnumerated.Value.TestBit(1) || derEnumerated.Value.TestBit(2) || derEnumerated.Value.TestBit(8))
{
if (derEnumerated != null)
{
certStatus.Status = derEnumerated.Value.SignValue;
}
else
{
certStatus.Status = 0;
}
certStatus.RevocationDate = new DateTimeObject(revokedCertificate.RevocationDate);
}
}
}
internal static void ProcessAttrCert7(
IX509AttributeCertificate attrCert,
PkixCertPath certPath,
PkixCertPath holderCertPath,
PkixParameters pkixParams)
{
// TODO:
// AA Controls
// Attribute encryption
// Proxy
ISet critExtOids = attrCert.GetCriticalExtensionOids();
// 7.1
// process extensions
// target information checked in step 6 / X509AttributeCertStoreSelector
if (critExtOids.Contains(X509Extensions.TargetInformation.Id))
{
try
{
TargetInformation.GetInstance(PkixCertPathValidatorUtilities
.GetExtensionValue(attrCert, X509Extensions.TargetInformation));
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Target information extension could not be read.", e);
}
}
critExtOids.Remove(X509Extensions.TargetInformation.Id);
foreach (PkixAttrCertChecker checker in pkixParams.GetAttrCertCheckers())
{
checker.Check(attrCert, certPath, holderCertPath, critExtOids);
}
if (!critExtOids.IsEmpty)
{
throw new PkixCertPathValidatorException(
"Attribute certificate contains unsupported critical extensions: "
+ critExtOids);
}
}
internal static void ProcessAttrCert7(IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams)
{
ISet criticalExtensionOids = attrCert.GetCriticalExtensionOids();
if (criticalExtensionOids.Contains(X509Extensions.TargetInformation.Id))
{
try
{
TargetInformation.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.TargetInformation));
}
catch (global::System.Exception cause)
{
throw new PkixCertPathValidatorException("Target information extension could not be read.", cause);
}
}
criticalExtensionOids.Remove(X509Extensions.TargetInformation.Id);
global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)pkixParams.GetAttrCertCheckers()).GetEnumerator();
try
{
while (enumerator.MoveNext())
{
PkixAttrCertChecker pkixAttrCertChecker = (PkixAttrCertChecker)enumerator.get_Current();
pkixAttrCertChecker.Check(attrCert, certPath, holderCertPath, criticalExtensionOids);
}
}
finally
{
global::System.IDisposable disposable = enumerator as global::System.IDisposable;
if (disposable != null)
{
disposable.Dispose();
}
}
if (!criticalExtensionOids.IsEmpty)
{
throw new PkixCertPathValidatorException(string.Concat((object)"Attribute certificate contains unsupported critical extensions: ", (object)criticalExtensionOids));
}
}
/**
* Checks if an attribute certificate is revoked.
*
* @param attrCert Attribute certificate to check if it is revoked.
* @param paramsPKIX PKIX parameters.
* @param issuerCert The issuer certificate of the attribute certificate
* <code>attrCert</code>.
* @param validDate The date when the certificate revocation status should
* be checked.
* @param certPathCerts The certificates of the certification path to be
* checked.
*
* @throws CertPathValidatorException if the certificate is revoked or the
* status cannot be checked or some error occurs.
*/
internal static void CheckCrls(
IX509AttributeCertificate attrCert,
PkixParameters paramsPKIX,
X509Certificate issuerCert,
DateTime validDate,
IList certPathCerts)
{
if (!paramsPKIX.IsRevocationEnabled)
{
return;
}
// check if revocation is available
if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) != null)
{
if (attrCert.GetExtensionValue(X509Extensions.CrlDistributionPoints) != null ||
attrCert.GetExtensionValue(X509Extensions.AuthorityInfoAccess) != null)
{
throw new PkixCertPathValidatorException(
"No rev avail extension is set, but also an AC revocation pointer.");
}
return;
}
CrlDistPoint crldp = null;
try
{
crldp = CrlDistPoint.GetInstance(
PkixCertPathValidatorUtilities.GetExtensionValue(
attrCert, X509Extensions.CrlDistributionPoints));
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"CRL distribution point extension could not be read.", e);
}
try
{
PkixCertPathValidatorUtilities
.AddAdditionalStoresFromCrlDistributionPoint(crldp, paramsPKIX);
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"No additional CRL locations could be decoded from CRL distribution point extension.", e);
}
CertStatus certStatus = new CertStatus();
ReasonsMask reasonsMask = new ReasonsMask();
Exception lastException = null;
bool validCrlFound = false;
// for each distribution point
if (crldp != null)
{
DistributionPoint[] dps = null;
try
{
dps = crldp.GetDistributionPoints();
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Distribution points could not be read.", e);
}
try
{
for (int i = 0; i < dps.Length &&
certStatus.Status == CertStatus.Unrevoked &&
!reasonsMask.IsAllReasons; i++)
{
PkixParameters paramsPKIXClone = (PkixParameters)paramsPKIX
.Clone();
CheckCrl(dps[i], attrCert, paramsPKIXClone,
validDate, issuerCert, certStatus, reasonsMask,
certPathCerts);
validCrlFound = true;
}
}
catch (Exception e)
{
lastException = new Exception(
"No valid CRL for distribution point found.", e);
}
}
/*
* If the revocation status has not been determined, repeat the
* process above with any available CRLs not specified in a
* distribution point but issued by the certificate issuer.
*/
if (certStatus.Status == CertStatus.Unrevoked &&
!reasonsMask.IsAllReasons)
{
try
{
/*
* assume a DP with both the reasons and the cRLIssuer
* fields omitted and a distribution point name of the
* certificate issuer.
*/
X509Name issuer;
try
{
issuer = X509Name.GetInstance(attrCert.Issuer.GetPrincipals()[0].GetEncoded());
}
catch (Exception e)
{
throw new Exception(
"Issuer from certificate for CRL could not be reencoded.",
e);
}
DistributionPoint dp = new DistributionPoint(
new DistributionPointName(0, new GeneralNames(
new GeneralName(GeneralName.DirectoryName, issuer))), null, null);
PkixParameters paramsPKIXClone = (PkixParameters)paramsPKIX.Clone();
CheckCrl(dp, attrCert, paramsPKIXClone, validDate,
issuerCert, certStatus, reasonsMask, certPathCerts);
validCrlFound = true;
}
catch (Exception e)
{
lastException = new Exception(
"No valid CRL for distribution point found.", e);
}
}
if (!validCrlFound)
{
throw new PkixCertPathValidatorException(
"No valid CRL found.", lastException);
}
if (certStatus.Status != CertStatus.Unrevoked)
{
// This format is enforced by the NistCertPath tests
string formattedDate = certStatus.RevocationDate.Value.ToString(
"ddd MMM dd HH:mm:ss K yyyy");
string message = "Attribute certificate revocation after "
+ formattedDate;
message += ", reason: "
+ Rfc3280CertPathUtilities.CrlReasons[certStatus.Status];
throw new PkixCertPathValidatorException(message);
}
if (!reasonsMask.IsAllReasons &&
certStatus.Status == CertStatus.Unrevoked)
{
certStatus.Status = CertStatus.Undetermined;
}
if (certStatus.Status == CertStatus.Undetermined)
{
throw new PkixCertPathValidatorException(
"Attribute certificate status could not be determined.");
}
}
internal static void CheckCrls(IX509AttributeCertificate attrCert, PkixParameters paramsPKIX, X509Certificate issuerCert, DateTime validDate, IList certPathCerts)
{
if (paramsPKIX.IsRevocationEnabled)
{
if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) == null)
{
CrlDistPoint crlDistPoint = null;
try
{
crlDistPoint = CrlDistPoint.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.CrlDistributionPoints));
}
catch (Exception cause)
{
throw new PkixCertPathValidatorException("CRL distribution point extension could not be read.", cause);
}
try
{
PkixCertPathValidatorUtilities.AddAdditionalStoresFromCrlDistributionPoint(crlDistPoint, paramsPKIX);
}
catch (Exception cause2)
{
throw new PkixCertPathValidatorException("No additional CRL locations could be decoded from CRL distribution point extension.", cause2);
}
CertStatus certStatus = new CertStatus();
ReasonsMask reasonsMask = new ReasonsMask();
Exception cause3 = null;
bool flag = false;
if (crlDistPoint != null)
{
DistributionPoint[] array = null;
try
{
array = crlDistPoint.GetDistributionPoints();
}
catch (Exception cause4)
{
throw new PkixCertPathValidatorException("Distribution points could not be read.", cause4);
}
try
{
int num = 0;
while (num < array.Length && certStatus.Status == 11 && !reasonsMask.IsAllReasons)
{
PkixParameters paramsPKIX2 = (PkixParameters)paramsPKIX.Clone();
Rfc3281CertPathUtilities.CheckCrl(array[num], attrCert, paramsPKIX2, validDate, issuerCert, certStatus, reasonsMask, certPathCerts);
flag = true;
num++;
}
}
catch (Exception innerException)
{
cause3 = new Exception("No valid CRL for distribution point found.", innerException);
}
}
if (certStatus.Status == 11 && !reasonsMask.IsAllReasons)
{
try
{
Asn1Object name = null;
try
{
name = new Asn1InputStream(attrCert.Issuer.GetPrincipals()[0].GetEncoded()).ReadObject();
}
catch (Exception innerException2)
{
throw new Exception("Issuer from certificate for CRL could not be reencoded.", innerException2);
}
DistributionPoint dp = new DistributionPoint(new DistributionPointName(0, new GeneralNames(new GeneralName(4, name))), null, null);
PkixParameters paramsPKIX3 = (PkixParameters)paramsPKIX.Clone();
Rfc3281CertPathUtilities.CheckCrl(dp, attrCert, paramsPKIX3, validDate, issuerCert, certStatus, reasonsMask, certPathCerts);
flag = true;
}
catch (Exception innerException3)
{
cause3 = new Exception("No valid CRL for distribution point found.", innerException3);
}
}
if (!flag)
{
throw new PkixCertPathValidatorException("No valid CRL found.", cause3);
}
if (certStatus.Status != 11)
{
string str = certStatus.RevocationDate.Value.ToString("ddd MMM dd HH:mm:ss K yyyy");
string text = "Attribute certificate revocation after " + str;
text = text + ", reason: " + Rfc3280CertPathUtilities.CrlReasons[certStatus.Status];
throw new PkixCertPathValidatorException(text);
}
if (!reasonsMask.IsAllReasons && certStatus.Status == 11)
{
certStatus.Status = 12;
}
if (certStatus.Status == 12)
{
throw new PkixCertPathValidatorException("Attribute certificate status could not be determined.");
}
}
else if (attrCert.GetExtensionValue(X509Extensions.CrlDistributionPoints) != null || attrCert.GetExtensionValue(X509Extensions.AuthorityInfoAccess) != null)
{
throw new PkixCertPathValidatorException("No rev avail extension is set, but also an AC revocation pointer.");
}
}
}
internal static void PrepareNextCertB1(int i, IList[] policyNodes, string id_p, IDictionary m_idp, X509Certificate cert)
{
bool flag = false;
IEnumerator enumerator = policyNodes[i].GetEnumerator();
while (enumerator.MoveNext())
{
PkixPolicyNode pkixPolicyNode = (PkixPolicyNode)enumerator.Current;
if (pkixPolicyNode.ValidPolicy.Equals(id_p))
{
flag = true;
pkixPolicyNode.ExpectedPolicies = (ISet)m_idp[id_p];
break;
}
}
if (!flag)
{
enumerator = policyNodes[i].GetEnumerator();
while (enumerator.MoveNext())
{
PkixPolicyNode pkixPolicyNode2 = (PkixPolicyNode)enumerator.Current;
if (PkixCertPathValidatorUtilities.ANY_POLICY.Equals(pkixPolicyNode2.ValidPolicy))
{
ISet policyQualifiers = null;
Asn1Sequence asn1Sequence = null;
try
{
asn1Sequence = Asn1Sequence.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.CertificatePolicies));
}
catch (Exception innerException)
{
throw new Exception("Certificate policies cannot be decoded.", innerException);
}
IEnumerator enumerator2 = asn1Sequence.GetEnumerator();
while (enumerator2.MoveNext())
{
PolicyInformation policyInformation = null;
try
{
policyInformation = PolicyInformation.GetInstance(enumerator2.Current);
}
catch (Exception innerException2)
{
throw new Exception("Policy information cannot be decoded.", innerException2);
}
if (PkixCertPathValidatorUtilities.ANY_POLICY.Equals(policyInformation.PolicyIdentifier.Id))
{
try
{
policyQualifiers = PkixCertPathValidatorUtilities.GetQualifierSet(policyInformation.PolicyQualifiers);
break;
}
catch (PkixCertPathValidatorException cause)
{
throw new PkixCertPathValidatorException("Policy qualifier info set could not be built.", cause);
}
}
}
bool critical = false;
ISet criticalExtensionOids = cert.GetCriticalExtensionOids();
if (criticalExtensionOids != null)
{
critical = criticalExtensionOids.Contains(X509Extensions.CertificatePolicies.Id);
}
PkixPolicyNode parent = pkixPolicyNode2.Parent;
if (PkixCertPathValidatorUtilities.ANY_POLICY.Equals(parent.ValidPolicy))
{
PkixPolicyNode pkixPolicyNode3 = new PkixPolicyNode(Platform.CreateArrayList(), i, (ISet)m_idp[id_p], parent, policyQualifiers, id_p, critical);
parent.AddChild(pkixPolicyNode3);
policyNodes[i].Add(pkixPolicyNode3);
return;
}
break;
}
}
}
}
