AddExcludedSubtree() public method

public AddExcludedSubtree ( GeneralSubtree subtree ) : void
subtree Org.BouncyCastle.Asn1.X509.GeneralSubtree
return void
		/// <summary>
		/// Folds the name constraints extension of the certificate at <paramref name="index"/>
		/// into the running validator state: step (g) of "preparation for the next certificate"
		/// in the RFC 5280 section 6.1.4 path validation algorithm.
		/// </summary>
		/// <remarks>
		/// The method fails closed. An extension that cannot be decoded, or subtrees that cannot
		/// be applied, abort path validation with an exception; the certificate is never treated
		/// as if it carried no constraints. A certificate without the extension leaves the
		/// validator untouched.
		/// NOTE(review): neither <paramref name="index"/> nor <paramref name="nameConstraintValidator"/>
		/// is checked here; callers are presumably expected to pass valid values.
		/// </remarks>
		/// <param name="certPath">Certification path being validated.</param>
		/// <param name="index">Position in the path of the certificate to process.</param>
		/// <param name="nameConstraintValidator">Accumulated permitted/excluded subtree state, updated in place.</param>
		/// <exception cref="PkixCertPathValidatorException">
		/// The extension could not be decoded, or its permitted or excluded subtrees could not be applied.
		/// </exception>
		internal static void PrepareNextCertG(
			PkixCertPath				certPath,
			int							index,
			PkixNameConstraintValidator	nameConstraintValidator)
			//throws CertPathValidatorException
		{
			IList pathCerts = certPath.Certificates;
			X509Certificate current = (X509Certificate)pathCerts[index];

			// (g) decode the name constraints extension, if the certificate has one.
			NameConstraints constraints = null;
			try
			{
				Asn1Sequence encoded = DerSequence.GetInstance(
					PkixCertPathValidatorUtilities.GetExtensionValue(current, X509Extensions.NameConstraints));
				constraints = (encoded == null) ? null : new NameConstraints(encoded);
			}
			catch (Exception decodeFailure)
			{
				// Any decoding problem is reported as a validation failure for this certificate.
				throw new PkixCertPathValidatorException(
					"Name constraints extension could not be decoded.", decodeFailure, certPath, index);
			}

			// No extension present: nothing to merge.
			if (constraints == null)
			{
				return;
			}

			// (g) (1) permitted subtrees: intersect with what earlier certificates allowed.
			Asn1Sequence permittedSubtrees = constraints.PermittedSubtrees;
			if (permittedSubtrees != null)
			{
				try
				{
					nameConstraintValidator.IntersectPermittedSubtree(permittedSubtrees);
				}
				catch (Exception intersectFailure)
				{
					throw new PkixCertPathValidatorException(
						"Permitted subtrees cannot be build from name constraints extension.", intersectFailure, certPath, index);
				}
			}

			// (g) (2) excluded subtrees: each entry is added to the validator's excluded set.
			Asn1Sequence excludedSubtrees = constraints.ExcludedSubtrees;
			if (excludedSubtrees == null)
			{
				return;
			}

			IEnumerator cursor = excludedSubtrees.GetEnumerator();
			try
			{
				while (cursor.MoveNext())
				{
					nameConstraintValidator.AddExcludedSubtree(GeneralSubtree.GetInstance(cursor.Current));
				}
			}
			catch (Exception excludeFailure)
			{
				throw new PkixCertPathValidatorException(
					"Excluded subtrees cannot be build from name constraints extension.", excludeFailure, certPath, index);
			}
		}
		/**
		 * Tests byte array based GeneralNames for inclusion or exclusion.
		 * 
		 * @param nameType The {@link GeneralName} type to test.
		 * @param testName The name to test.
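		 * @param testNameIsConstraint Constraints that cover <code>testName</code>:
		 *            used as a permitted subtree the name must be accepted, used
		 *            as an excluded subtree the name must be rejected.
		 * @param testNameIsNotConstraint Constraints that do not cover
		 *            <code>testName</code>: used as a permitted subtree the name
		 *            must be rejected, used as an excluded subtree it must be accepted.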
		 * @param testNames1 Operand 1 of test names to use for union and
		 *            intersection testing.
		 * @param testNames2 Operand 2 of test names to use for union and
		 *            intersection testing.
		 * @param testUnion The union results.
		 * @param testInterSection The intersection results.
		 * @throws Exception If an unexpected exception occurs.
		 */
		private void TestConstraints(
			int nameType,
			byte[] testName,
			byte[][] testNameIsConstraint,
			byte[][] testNameIsNotConstraint,
			byte[][] testNames1,
			byte[][] testNames2,
			byte[][][] testUnion,
			byte[][] testInterSection)
		{
			// Permitted subtree that covers testName: the check must pass without throwing.
			foreach (byte[] covering in testNameIsConstraint)
			{
				PkixNameConstraintValidator validator = new PkixNameConstraintValidator();
				GeneralName constraintName = new GeneralName(nameType, new DerOctetString(covering));
				validator.IntersectPermittedSubtree(new DerSequence(new GeneralSubtree(constraintName)));
				GeneralName candidate = new GeneralName(nameType, new DerOctetString(testName));
				validator.checkPermitted(candidate);
			}

			// Permitted subtree that does not cover testName: the name must be rejected.
			foreach (byte[] unrelated in testNameIsNotConstraint)
			{
				PkixNameConstraintValidator validator = new PkixNameConstraintValidator();
				GeneralName constraintName = new GeneralName(nameType, new DerOctetString(unrelated));
				validator.IntersectPermittedSubtree(new DerSequence(new GeneralSubtree(constraintName)));
				try
				{
					GeneralName candidate = new GeneralName(nameType, new DerOctetString(testName));
					validator.checkPermitted(candidate);
					Fail("not permitted name allowed: " + nameType);
				}
				catch (PkixNameConstraintValidatorException)
				{
					// expected
				}
			}

			// Excluded subtree that covers testName: the name must be rejected.
			foreach (byte[] covering in testNameIsConstraint)
			{
				PkixNameConstraintValidator validator = new PkixNameConstraintValidator();
				GeneralName constraintName = new GeneralName(nameType, new DerOctetString(covering));
				validator.AddExcludedSubtree(new GeneralSubtree(constraintName));
				try
				{
					GeneralName candidate = new GeneralName(nameType, new DerOctetString(testName));
					validator.checkExcluded(candidate);
					Fail("excluded name missed: " + nameType);
				}
				catch (PkixNameConstraintValidatorException)
				{
					// expected
				}
			}

			// Excluded subtree that does not cover testName: the check must pass without throwing.
			foreach (byte[] unrelated in testNameIsNotConstraint)
			{
				PkixNameConstraintValidator validator = new PkixNameConstraintValidator();
				GeneralName constraintName = new GeneralName(nameType, new DerOctetString(unrelated));
				validator.AddExcludedSubtree(new GeneralSubtree(constraintName));
				GeneralName candidate = new GeneralName(nameType, new DerOctetString(testName));
				validator.checkExcluded(candidate);
			}

			// Pairwise union (excluded subtrees) and intersection (permitted subtrees).
			// testNames2, testUnion and testInterSection are indexed in step with testNames1.
			for (int pair = 0; pair < testNames1.Length; pair++)
			{
				// Excluding both operands must equal excluding every entry of the expected union.
				PkixNameConstraintValidator actualUnion = new PkixNameConstraintValidator();
				actualUnion.AddExcludedSubtree(new GeneralSubtree(
					new GeneralName(nameType, new DerOctetString(testNames1[pair]))));
				actualUnion.AddExcludedSubtree(new GeneralSubtree(
					new GeneralName(nameType, new DerOctetString(testNames2[pair]))));

				PkixNameConstraintValidator expectedUnion = new PkixNameConstraintValidator();
				foreach (byte[] member in testUnion[pair])
				{
					GeneralName memberName = new GeneralName(nameType, new DerOctetString(member));
					expectedUnion.AddExcludedSubtree(new GeneralSubtree(memberName));
				}

				bool unionMatches = expectedUnion.Equals(actualUnion);
				if (!unionMatches)
				{
					Fail("union wrong: " + nameType);
				}

				// Intersecting both operands as permitted subtrees must equal the expected intersection.
				PkixNameConstraintValidator actualIntersection = new PkixNameConstraintValidator();
				actualIntersection.IntersectPermittedSubtree(new DerSequence(new GeneralSubtree(
					new GeneralName(nameType, new DerOctetString(testNames1[pair])))));
				actualIntersection.IntersectPermittedSubtree(new DerSequence(new GeneralSubtree(
					new GeneralName(nameType, new DerOctetString(testNames2[pair])))));

				PkixNameConstraintValidator expectedIntersection = new PkixNameConstraintValidator();
				byte[] expectedName = testInterSection[pair];
				if (expectedName == null)
				{
					// A null entry marks an empty intersection; presumably this leaves no name of
					// this type permitted, which is distinct from "no constraint" — verify against
					// PkixNameConstraintValidator.
					expectedIntersection.IntersectEmptyPermittedSubtree(nameType);
				}
				else
				{
					expectedIntersection.IntersectPermittedSubtree(new DerSequence(new GeneralSubtree(
						new GeneralName(nameType, new DerOctetString(expectedName)))));
				}

				bool intersectionMatches = expectedIntersection.Equals(actualIntersection);
				if (!intersectionMatches)
				{
					Fail("intersection wrong: " + nameType);
				}
			}
		}