public CertificateValidationResult Validate(Certificate certificate) { if (certificate == null) throw new ArgumentNullException("certificate"); try { var x509Certs = new List<X509Certificate>(); x509Certs.AddRange(_chain.Select(c => c.BouncyX509Certificate)); x509Certs.Add(certificate.BouncyX509Certificate); IX509Store x509CertStore = X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(x509Certs)); var x509Certificates = x509Certs.Skip(1).ToList(); var certPath = new PkixCertPath(x509Certificates); ISet trust = new HashSet { new TrustAnchor(x509Certs.First(), null) }; var certPathValidator = new PkixCertPathValidator(); var paramsPkix = new PkixParameters(trust); paramsPkix.AddStore(x509CertStore); paramsPkix.IsRevocationEnabled = false; var pkixResult = certPathValidator.Validate(certPath, paramsPkix); return new CertificateValidationResult(pkixResult); } catch (Exception e) { return new CertificateValidationResult(e); } }
/** * Validates an attribute certificate with the given certificate path. * * <p> * <code>params</code> must be an instance of * <code>ExtendedPkixParameters</code>. * </p><p> * The target constraints in the <code>params</code> must be an * <code>X509AttrCertStoreSelector</code> with at least the attribute * certificate criterion set. Obey that also target informations may be * necessary to correctly validate this attribute certificate. * </p><p> * The attribute certificate issuer must be added to the trusted attribute * issuers with {@link ExtendedPkixParameters#setTrustedACIssuers(Set)}. * </p> * @param certPath The certificate path which belongs to the attribute * certificate issuer public key certificate. * @param params The PKIX parameters. * @return A <code>PKIXCertPathValidatorResult</code> of the result of * validating the <code>certPath</code>. * @throws InvalidAlgorithmParameterException if <code>params</code> is * inappropriate for this validator. * @throws CertPathValidatorException if the verification fails. */ public virtual PkixCertPathValidatorResult Validate( PkixCertPath certPath, PkixParameters pkixParams) { IX509Selector certSelect = pkixParams.GetTargetConstraints(); if (!(certSelect is X509AttrCertStoreSelector)) { throw new ArgumentException( "TargetConstraints must be an instance of " + typeof(X509AttrCertStoreSelector).FullName, "pkixParams"); } IX509AttributeCertificate attrCert = ((X509AttrCertStoreSelector) certSelect).AttributeCert; PkixCertPath holderCertPath = Rfc3281CertPathUtilities.ProcessAttrCert1(attrCert, pkixParams); PkixCertPathValidatorResult result = Rfc3281CertPathUtilities.ProcessAttrCert2(certPath, pkixParams); X509Certificate issuerCert = (X509Certificate)certPath.Certificates[0]; Rfc3281CertPathUtilities.ProcessAttrCert3(issuerCert, pkixParams); Rfc3281CertPathUtilities.ProcessAttrCert4(issuerCert, pkixParams); Rfc3281CertPathUtilities.ProcessAttrCert5(attrCert, pkixParams); // 6 already done in X509AttrCertStoreSelector Rfc3281CertPathUtilities.ProcessAttrCert7(attrCert, certPath, holderCertPath, pkixParams); Rfc3281CertPathUtilities.AdditionalChecks(attrCert, pkixParams); DateTime date; try { date = PkixCertPathValidatorUtilities.GetValidCertDateFromValidityModel(pkixParams, null, -1); } catch (Exception e) { throw new PkixCertPathValidatorException( "Could not get validity date from attribute certificate.", e); } Rfc3281CertPathUtilities.CheckCrls(attrCert, pkixParams, issuerCert, date, certPath.Certificates); return result; }
/** * Returns an instance of <code>PkixBuilderParameters</code>. * <p> * This method can be used to get a copy from other * <code>PKIXBuilderParameters</code>, <code>PKIXParameters</code>, * and <code>ExtendedPKIXParameters</code> instances. * </p> * * @param pkixParams The PKIX parameters to create a copy of. * @return An <code>PkixBuilderParameters</code> instance. */ public static PkixBuilderParameters GetInstance( PkixParameters pkixParams) { PkixBuilderParameters parameters = new PkixBuilderParameters( pkixParams.GetTrustAnchors(), new X509CertStoreSelector(pkixParams.GetTargetCertConstraints())); parameters.SetParams(pkixParams); return parameters; }
internal static void AddAdditionalStoreFromLocation( string location, PkixParameters pkixParams) { if (pkixParams.IsAdditionalLocationsEnabled) { try { if (location.StartsWith("ldap://")) { // ldap://directory.d-trust.net/CN=D-TRUST // Qualified CA 2003 1:PN,O=D-Trust GmbH,C=DE // skip "ldap://" location = location.Substring(7); // after first / baseDN starts string url;//, baseDN; int slashPos = location.IndexOf('/'); if (slashPos != -1) { url = "ldap://" + location.Substring(0, slashPos); // baseDN = location.Substring(slashPos); } else { url = "ldap://" + location; // baseDN = nsull; } throw Platform.CreateNotImplementedException("LDAP cert/CRL stores"); // use all purpose parameters //X509LDAPCertStoreParameters ldapParams = new X509LDAPCertStoreParameters.Builder( // url, baseDN).build(); //pkixParams.AddAdditionalStore(X509Store.getInstance( // "CERTIFICATE/LDAP", ldapParams)); //pkixParams.AddAdditionalStore(X509Store.getInstance( // "CRL/LDAP", ldapParams)); //pkixParams.AddAdditionalStore(X509Store.getInstance( // "ATTRIBUTECERTIFICATE/LDAP", ldapParams)); //pkixParams.AddAdditionalStore(X509Store.getInstance( // "CERTIFICATEPAIR/LDAP", ldapParams)); } } catch (Exception) { // cannot happen throw new Exception("Exception adding X.509 stores."); } } }
public virtual ISet FindCrls(X509CrlStoreSelector crlselect, PkixParameters paramsPkix) { ISet completeSet = new HashSet(); // get complete CRL(s) try { completeSet.AddAll(FindCrls(crlselect, paramsPkix.GetStores())); } catch (Exception e) { throw new Exception("Exception obtaining complete CRLs.", e); } return completeSet; }
public virtual ISet FindCrls(X509CrlStoreSelector crlselect, PkixParameters paramsPkix, DateTime currentDate) { ISet initialSet = new HashSet(); // get complete CRL(s) try { initialSet.AddAll(FindCrls(crlselect, paramsPkix.GetAdditionalStores())); initialSet.AddAll(FindCrls(crlselect, paramsPkix.GetStores())); } catch (Exception e) { throw new Exception("Exception obtaining complete CRLs.", e); } ISet finalSet = new HashSet(); DateTime validityDate = currentDate; if (paramsPkix.Date != null) { validityDate = paramsPkix.Date.Value; } // based on RFC 5280 6.3.3 foreach (X509Crl crl in initialSet) { if (crl.NextUpdate.Value.CompareTo(validityDate) > 0) { X509Certificate cert = crlselect.CertificateChecking; if (cert != null) { if (crl.ThisUpdate.CompareTo(cert.NotAfter) < 0) { finalSet.Add(crl); } } else { finalSet.Add(crl); } } } return finalSet; }
internal static void ProcessAttrCert7( IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams) { // TODO: // AA Controls // Attribute encryption // Proxy ISet critExtOids = attrCert.GetCriticalExtensionOids(); // 7.1 // process extensions // target information checked in step 6 / X509AttributeCertStoreSelector if (critExtOids.Contains(X509Extensions.TargetInformation.Id)) { try { TargetInformation.GetInstance(PkixCertPathValidatorUtilities .GetExtensionValue(attrCert, X509Extensions.TargetInformation)); } catch (Exception e) { throw new PkixCertPathValidatorException( "Target information extension could not be read.", e); } } critExtOids.Remove(X509Extensions.TargetInformation.Id); foreach (PkixAttrCertChecker checker in pkixParams.GetAttrCertCheckers()) { checker.Check(attrCert, certPath, holderCertPath, critExtOids); } if (!critExtOids.IsEmpty) { throw new PkixCertPathValidatorException( "Attribute certificate contains unsupported critical extensions: " + critExtOids); } }
internal static void AddAdditionalStoresFromAltNames( X509Certificate cert, PkixParameters pkixParams) { // if in the IssuerAltName extension an URI // is given, add an additinal X.509 store if (cert.GetIssuerAlternativeNames() != null) { IEnumerator it = cert.GetIssuerAlternativeNames().GetEnumerator(); while (it.MoveNext()) { // look for URI IList list = (IList)it.Current; //if (list[0].Equals(new Integer(GeneralName.UniformResourceIdentifier))) if (list[0].Equals(GeneralName.UniformResourceIdentifier)) { // found string temp = (string)list[1]; PkixCertPathValidatorUtilities.AddAdditionalStoreFromLocation(temp, pkixParams); } } } }
protected virtual void SetParams(PkixParameters parameters) { Date = parameters.Date; SetCertPathCheckers(parameters.GetCertPathCheckers()); IsAnyPolicyInhibited = parameters.IsAnyPolicyInhibited; IsExplicitPolicyRequired = parameters.IsExplicitPolicyRequired; IsPolicyMappingInhibited = parameters.IsPolicyMappingInhibited; IsRevocationEnabled = parameters.IsRevocationEnabled; SetInitialPolicies(parameters.GetInitialPolicies()); IsPolicyQualifiersRejected = parameters.IsPolicyQualifiersRejected; SetTargetCertConstraints(parameters.GetTargetCertConstraints()); SetTrustAnchors(parameters.GetTrustAnchors()); validityModel = parameters.validityModel; useDeltas = parameters.useDeltas; additionalLocationsEnabled = parameters.additionalLocationsEnabled; selector = ((parameters.selector == null) ? null : ((IX509Selector)((ICloneable)parameters.selector).Clone())); stores = Platform.CreateArrayList((global::System.Collections.ICollection)parameters.stores); additionalStores = Platform.CreateArrayList((global::System.Collections.ICollection)parameters.additionalStores); trustedACIssuers = new HashSet(parameters.trustedACIssuers); prohibitedACAttributes = new HashSet(parameters.prohibitedACAttributes); necessaryACAttributes = new HashSet(parameters.necessaryACAttributes); attrCertCheckers = new HashSet(parameters.attrCertCheckers); }
internal static DateTime GetValidCertDateFromValidityModel(PkixParameters paramsPkix, PkixCertPath certPath, int index) { if (paramsPkix.ValidityModel != 1) { return(PkixCertPathValidatorUtilities.GetValidDate(paramsPkix)); } if (index <= 0) { return(PkixCertPathValidatorUtilities.GetValidDate(paramsPkix)); } if (index - 1 == 0) { DerGeneralizedTime derGeneralizedTime = null; try { X509Certificate x509Certificate = (X509Certificate)certPath.Certificates[index - 1]; Asn1OctetString extensionValue = x509Certificate.GetExtensionValue(IsisMttObjectIdentifiers.IdIsisMttATDateOfCertGen); derGeneralizedTime = DerGeneralizedTime.GetInstance(extensionValue); } catch (ArgumentException) { throw new Exception("Date of cert gen extension could not be read."); } if (derGeneralizedTime != null) { try { return(derGeneralizedTime.ToDateTime()); } catch (ArgumentException innerException) { throw new Exception("Date from date of cert gen extension could not be parsed.", innerException); } } } return(((X509Certificate)certPath.Certificates[index - 1]).NotBefore); }
public virtual object Clone() { // FIXME Check this whole method against the Java implementation! PkixParameters parameters = new PkixParameters(GetTrustAnchors()); parameters.SetParams(this); return(parameters); // PkixParameters obj = new PkixParameters(new HashSet()); //// (PkixParameters) this.MemberwiseClone(); // obj.x509Stores = new ArrayList(x509Stores); // obj.certPathCheckers = new ArrayList(certPathCheckers); // // //Iterator iter = certPathCheckers.iterator(); // //obj.certPathCheckers = new ArrayList(); // //while (iter.hasNext()) // //{ // // obj.certPathCheckers.add(((PKIXCertPathChecker)iter.next()) // // .clone()); // //} // //if (initialPolicies != null) // //{ // // obj.initialPolicies = new HashSet(initialPolicies); // //} //// if (trustAnchors != null) //// { //// obj.trustAnchors = new HashSet(trustAnchors); //// } //// if (certSelector != null) //// { //// obj.certSelector = (X509CertStoreSelector) certSelector.Clone(); //// } // return obj; }
internal static void AdditionalChecks( IX509AttributeCertificate attrCert, PkixParameters pkixParams) { // 1 foreach (string oid in pkixParams.GetProhibitedACAttributes()) { if (attrCert.GetAttributes(oid) != null) { throw new PkixCertPathValidatorException( "Attribute certificate contains prohibited attribute: " + oid + "."); } } foreach (string oid in pkixParams.GetNecessaryACAttributes()) { if (attrCert.GetAttributes(oid) == null) { throw new PkixCertPathValidatorException( "Attribute certificate does not contain necessary attribute: " + oid + "."); } } }
internal static void AdditionalChecks( IX509AttributeCertificate attrCert, PkixParameters pkixParams) { // 1 foreach (string oid in pkixParams.GetProhibitedACAttributes()) { if (attrCert.GetAttributes(oid) != null) { throw new PkixCertPathValidatorException( "Attribute certificate contains prohibited attribute: " + oid + "."); } } foreach (string oid in pkixParams.GetNecessaryACAttributes()) { if (attrCert.GetAttributes(oid) == null) { throw new PkixCertPathValidatorException( "Attribute certificate does not contain necessary attribute: " + oid + "."); } } }
internal static void ProcessAttrCert4( X509Certificate acIssuerCert, PkixParameters pkixParams) { ISet set = pkixParams.GetTrustedACIssuers(); bool trusted = false; foreach (TrustAnchor anchor in set) { IDictionary symbols = X509Name.RFC2253Symbols; if (acIssuerCert.SubjectDN.ToString(false, symbols).Equals(anchor.CAName) || acIssuerCert.Equals(anchor.TrustedCert)) { trusted = true; } } if (!trusted) { throw new PkixCertPathValidatorException( "Attribute certificate issuer is not directly trusted."); } }
internal static ISet GetCompleteCrls(DistributionPoint dp, object cert, DateTime currentDate, PkixParameters paramsPKIX) { X509CrlStoreSelector x509CrlStoreSelector = new X509CrlStoreSelector(); try { ISet set = new HashSet(); if (cert is X509V2AttributeCertificate) { set.Add(((X509V2AttributeCertificate)cert).Issuer.GetPrincipals()[0]); } else { set.Add(PkixCertPathValidatorUtilities.GetIssuerPrincipal(cert)); } PkixCertPathValidatorUtilities.GetCrlIssuersFromDistributionPoint(dp, set, x509CrlStoreSelector, paramsPKIX); } catch (Exception innerException) { throw new Exception("Could not get issuer information from distribution point.", innerException); } if (cert is X509Certificate) { x509CrlStoreSelector.CertificateChecking = (X509Certificate)cert; } else if (cert is X509V2AttributeCertificate) { x509CrlStoreSelector.AttrCertChecking = (IX509AttributeCertificate)cert; } x509CrlStoreSelector.CompleteCrlEnabled = true; ISet set2 = PkixCertPathValidatorUtilities.CrlUtilities.FindCrls(x509CrlStoreSelector, paramsPKIX, currentDate); if (!set2.IsEmpty) { return(set2); } if (cert is IX509AttributeCertificate) { IX509AttributeCertificate iX509AttributeCertificate = (IX509AttributeCertificate)cert; throw new Exception("No CRLs found for issuer \"" + iX509AttributeCertificate.Issuer.GetPrincipals()[0] + "\""); } X509Certificate x509Certificate = (X509Certificate)cert; throw new Exception("No CRLs found for issuer \"" + x509Certificate.IssuerDN + "\""); }
/** * Fetches delta CRLs according to RFC 3280 section 5.2.4. * * @param currentDate The date for which the delta CRLs must be valid. * @param paramsPKIX The extended PKIX parameters. * @param completeCRL The complete CRL the delta CRL is for. * @return A <code>Set</code> of <code>X509CRL</code>s with delta CRLs. * @throws Exception if an exception occurs while picking the delta * CRLs. */ internal static ISet GetDeltaCrls( DateTime currentDate, PkixParameters paramsPKIX, X509Crl completeCRL) { X509CrlStoreSelector deltaSelect = new X509CrlStoreSelector(); // 5.2.4 (a) try { IList deltaSelectIssuer = Platform.CreateArrayList(); deltaSelectIssuer.Add(completeCRL.IssuerDN); deltaSelect.Issuers = deltaSelectIssuer; } catch (IOException e) { throw new Exception("Cannot extract issuer from CRL.", e); } BigInteger completeCRLNumber = null; try { Asn1Object asn1Object = GetExtensionValue(completeCRL, X509Extensions.CrlNumber); if (asn1Object != null) { completeCRLNumber = CrlNumber.GetInstance(asn1Object).PositiveValue; } } catch (Exception e) { throw new Exception( "CRL number extension could not be extracted from CRL.", e); } // 5.2.4 (b) byte[] idp = null; try { Asn1Object obj = GetExtensionValue(completeCRL, X509Extensions.IssuingDistributionPoint); if (obj != null) { idp = obj.GetDerEncoded(); } } catch (Exception e) { throw new Exception( "Issuing distribution point extension value could not be read.", e); } // 5.2.4 (d) deltaSelect.MinCrlNumber = (completeCRLNumber == null) ? null : completeCRLNumber.Add(BigInteger.One); deltaSelect.IssuingDistributionPoint = idp; deltaSelect.IssuingDistributionPointEnabled = true; // 5.2.4 (c) deltaSelect.MaxBaseCrlNumber = completeCRLNumber; // find delta CRLs ISet temp = CrlUtilities.FindCrls(deltaSelect, paramsPKIX, currentDate); ISet result = new HashSet(); foreach (X509Crl crl in temp) { if (isDeltaCrl(crl)) { result.Add(crl); } } return result; }
/** * Obtain and validate the certification path for the complete CRL issuer. * If a key usage extension is present in the CRL issuer's certificate, * verify that the cRLSign bit is set. * * @param crl CRL which contains revocation information for the certificate * <code>cert</code>. * @param cert The attribute certificate or certificate to check if it is * revoked. * @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>. * @param defaultCRLSignKey The public key of the issuer certificate * <code>defaultCRLSignCert</code>. * @param paramsPKIX paramsPKIX PKIX parameters. * @param certPathCerts The certificates on the certification path. * @return A <code>Set</code> with all keys of possible CRL issuer * certificates. * @throws AnnotatedException if the CRL is not valid or the status cannot be checked or * some error occurs. */ internal static ISet ProcessCrlF( X509Crl crl, object cert, X509Certificate defaultCRLSignCert, AsymmetricKeyParameter defaultCRLSignKey, PkixParameters paramsPKIX, IList certPathCerts) { // (f) // get issuer from CRL X509CertStoreSelector selector = new X509CertStoreSelector(); try { selector.Subject = crl.IssuerDN; } catch (IOException e) { throw new Exception( "Subject criteria for certificate selector to find issuer certificate for CRL could not be set.", e); } // get CRL signing certs IList coll = Platform.CreateArrayList(); try { CollectionUtilities.AddRange(coll, PkixCertPathValidatorUtilities.FindCertificates(selector, paramsPKIX.GetStores())); CollectionUtilities.AddRange(coll, PkixCertPathValidatorUtilities.FindCertificates(selector, paramsPKIX.GetAdditionalStores())); } catch (Exception e) { throw new Exception("Issuer certificate for CRL cannot be searched.", e); } coll.Add(defaultCRLSignCert); IEnumerator cert_it = coll.GetEnumerator(); IList validCerts = Platform.CreateArrayList(); IList validKeys = Platform.CreateArrayList(); while (cert_it.MoveNext()) { X509Certificate signingCert = (X509Certificate)cert_it.Current; /* * CA of the certificate, for which this CRL is checked, has also * signed CRL, so skip the path validation, because is already done */ if (signingCert.Equals(defaultCRLSignCert)) { validCerts.Add(signingCert); validKeys.Add(defaultCRLSignKey); continue; } try { // CertPathBuilder builder = CertPathBuilder.GetInstance("PKIX"); PkixCertPathBuilder builder = new PkixCertPathBuilder(); selector = new X509CertStoreSelector(); selector.Certificate = signingCert; PkixParameters temp = (PkixParameters)paramsPKIX.Clone(); temp.SetTargetCertConstraints(selector); PkixBuilderParameters parameters = (PkixBuilderParameters) PkixBuilderParameters.GetInstance(temp); /* * if signingCert is placed not higher on the cert path a * dependency loop results. CRL for cert is checked, but * signingCert is needed for checking the CRL which is dependent * on checking cert because it is higher in the cert path and so * signing signingCert transitively. so, revocation is disabled, * forgery attacks of the CRL are detected in this outer loop * for all other it must be enabled to prevent forgery attacks */ if (certPathCerts.Contains(signingCert)) { parameters.IsRevocationEnabled = false; } else { parameters.IsRevocationEnabled = true; } IList certs = builder.Build(parameters).CertPath.Certificates; validCerts.Add(signingCert); validKeys.Add(PkixCertPathValidatorUtilities.GetNextWorkingKey(certs, 0)); } catch (PkixCertPathBuilderException e) { throw new Exception("Internal error.", e); } catch (PkixCertPathValidatorException e) { throw new Exception("Public key of issuer certificate of CRL could not be retrieved.", e); } //catch (Exception e) //{ // throw new Exception(e.Message); //} } ISet checkKeys = new HashSet(); Exception lastException = null; for (int i = 0; i < validCerts.Count; i++) { X509Certificate signCert = (X509Certificate)validCerts[i]; bool[] keyusage = signCert.GetKeyUsage(); if (keyusage != null && (keyusage.Length < 7 || !keyusage[CRL_SIGN])) { lastException = new Exception( "Issuer certificate key usage extension does not permit CRL signing."); } else { checkKeys.Add(validKeys[i]); } } if ((checkKeys.Count == 0) && lastException == null) { throw new Exception("Cannot find a valid issuer certificate."); } if ((checkKeys.Count == 0) && lastException != null) { throw lastException; } return checkKeys; }
internal static void ProcessCertA( PkixCertPath certPath, PkixParameters paramsPKIX, int index, AsymmetricKeyParameter workingPublicKey, X509Name workingIssuerName, X509Certificate sign) { IList certs = certPath.Certificates; X509Certificate cert = (X509Certificate)certs[index]; // // (a) verify // try { // (a) (1) // cert.Verify(workingPublicKey); } catch (GeneralSecurityException e) { throw new PkixCertPathValidatorException("Could not validate certificate signature.", e, certPath, index); } try { // (a) (2) // cert.CheckValidity(PkixCertPathValidatorUtilities .GetValidCertDateFromValidityModel(paramsPKIX, certPath, index)); } catch (CertificateExpiredException e) { throw new PkixCertPathValidatorException("Could not validate certificate: " + e.Message, e, certPath, index); } catch (CertificateNotYetValidException e) { throw new PkixCertPathValidatorException("Could not validate certificate: " + e.Message, e, certPath, index); } catch (Exception e) { throw new PkixCertPathValidatorException("Could not validate time of certificate.", e, certPath, index); } // // (a) (3) // if (paramsPKIX.IsRevocationEnabled) { try { CheckCrls(paramsPKIX, cert, PkixCertPathValidatorUtilities.GetValidCertDateFromValidityModel(paramsPKIX, certPath, index), sign, workingPublicKey, certs); } catch (Exception e) { Exception cause = e.InnerException; if (cause == null) { cause = e; } throw new PkixCertPathValidatorException(e.Message, cause, certPath, index); } } // // (a) (4) name chaining // X509Name issuer = PkixCertPathValidatorUtilities.GetIssuerPrincipal(cert); if (!issuer.Equivalent(workingIssuerName, true)) { throw new PkixCertPathValidatorException("IssuerName(" + issuer + ") does not match SubjectName(" + workingIssuerName + ") of signing certificate.", null, certPath, index); } }
internal static void GetCrlIssuersFromDistributionPoint(DistributionPoint dp, global::System.Collections.ICollection issuerPrincipals, X509CrlStoreSelector selector, PkixParameters pkixParams) { //IL_0045: Expected O, but got Unknown global::System.Collections.IList list = Platform.CreateArrayList(); if (dp.CrlIssuer != null) { GeneralName[] names = dp.CrlIssuer.GetNames(); for (int i = 0; i < names.Length; i++) { if (names[i].TagNo == 4) { try { list.Add((object)X509Name.GetInstance(names[i].Name.ToAsn1Object())); } catch (IOException val) { IOException val2 = val; throw new global::System.Exception("CRL issuer information from distribution point cannot be decoded.", (global::System.Exception)(object) val2); } } } } else { if (dp.DistributionPointName == null) { throw new global::System.Exception("CRL issuer is omitted from distribution point but no distributionPoint field present."); } global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)issuerPrincipals).GetEnumerator(); while (enumerator.MoveNext()) { list.Add((object)(X509Name)enumerator.get_Current()); } } selector.Issuers = (global::System.Collections.ICollection)list; }
internal static ISet GetCompleteCrls(DistributionPoint dp, object cert, global::System.DateTime currentDate, PkixParameters paramsPKIX) { X509CrlStoreSelector x509CrlStoreSelector = new X509CrlStoreSelector(); try { ISet set = new HashSet(); if (cert is X509V2AttributeCertificate) { set.Add(((X509V2AttributeCertificate)cert).Issuer.GetPrincipals()[0]); } else { set.Add(GetIssuerPrincipal(cert)); } GetCrlIssuersFromDistributionPoint(dp, set, x509CrlStoreSelector, paramsPKIX); } catch (global::System.Exception ex) { throw new global::System.Exception("Could not get issuer information from distribution point.", ex); } if (cert is X509Certificate) { x509CrlStoreSelector.CertificateChecking = (X509Certificate)cert; } else if (cert is X509V2AttributeCertificate) { x509CrlStoreSelector.AttrCertChecking = (IX509AttributeCertificate)cert; } x509CrlStoreSelector.CompleteCrlEnabled = true; ISet set2 = CrlUtilities.FindCrls(x509CrlStoreSelector, paramsPKIX, currentDate); if (set2.IsEmpty) { if (cert is IX509AttributeCertificate) { IX509AttributeCertificate iX509AttributeCertificate = (IX509AttributeCertificate)cert; throw new global::System.Exception(string.Concat((object)"No CRLs found for issuer \"", (object)iX509AttributeCertificate.Issuer.GetPrincipals()[0], (object)"\"")); } X509Certificate x509Certificate = (X509Certificate)cert; throw new global::System.Exception(string.Concat((object)"No CRLs found for issuer \"", (object)x509Certificate.IssuerDN, (object)"\"")); } return(set2); }
/** * Fetches complete CRLs according to RFC 3280. * * @param dp The distribution point for which the complete CRL * @param cert The <code>X509Certificate</code> or * {@link org.bouncycastle.x509.X509AttributeCertificate} for * which the CRL should be searched. * @param currentDate The date for which the delta CRLs must be valid. * @param paramsPKIX The extended PKIX parameters. * @return A <code>Set</code> of <code>X509CRL</code>s with complete * CRLs. * @throws Exception if an exception occurs while picking the CRLs * or no CRLs are found. */ internal static ISet GetCompleteCrls( DistributionPoint dp, object cert, DateTime currentDate, PkixParameters paramsPKIX) { X509CrlStoreSelector crlselect = new X509CrlStoreSelector(); try { ISet issuers = new HashSet(); if (cert is X509V2AttributeCertificate) { issuers.Add(((X509V2AttributeCertificate)cert) .Issuer.GetPrincipals()[0]); } else { issuers.Add(GetIssuerPrincipal(cert)); } PkixCertPathValidatorUtilities.GetCrlIssuersFromDistributionPoint(dp, issuers, crlselect, paramsPKIX); } catch (Exception e) { new Exception("Could not get issuer information from distribution point.", e); } if (cert is X509Certificate) { crlselect.CertificateChecking = (X509Certificate)cert; } else if (cert is X509V2AttributeCertificate) { crlselect.AttrCertChecking = (IX509AttributeCertificate)cert; } if (paramsPKIX.Date != null) { crlselect.DateAndTime = paramsPKIX.Date; } else { crlselect.DateAndTime = new DateTimeObject(currentDate); } crlselect.CompleteCrlEnabled = true; ISet crls = new HashSet(); try { crls.AddAll(PkixCertPathValidatorUtilities.FindCrls(crlselect, paramsPKIX.GetStores())); crls.AddAll(PkixCertPathValidatorUtilities.FindCrls(crlselect, paramsPKIX.GetAdditionalStores())); } catch (Exception e) { throw new Exception("Could not search for CRLs.", e); } if (crls.IsEmpty) { throw new Exception("No CRLs found."); } return(crls); }
internal static ISet GetDeltaCrls(global::System.DateTime currentDate, PkixParameters paramsPKIX, X509Crl completeCRL) { //IL_0023: Expected O, but got Unknown X509CrlStoreSelector x509CrlStoreSelector = new X509CrlStoreSelector(); try { global::System.Collections.IList list = Platform.CreateArrayList(); list.Add((object)completeCRL.IssuerDN); x509CrlStoreSelector.Issuers = (global::System.Collections.ICollection)list; } catch (IOException val) { IOException val2 = val; throw new global::System.Exception("Cannot extract issuer from CRL.", (global::System.Exception)(object) val2); } BigInteger bigInteger = null; try { Asn1Object extensionValue = GetExtensionValue(completeCRL, X509Extensions.CrlNumber); if (extensionValue != null) { bigInteger = DerInteger.GetInstance(extensionValue).PositiveValue; } } catch (global::System.Exception ex) { throw new global::System.Exception("CRL number extension could not be extracted from CRL.", ex); } byte[] issuingDistributionPoint = null; try { Asn1Object extensionValue2 = GetExtensionValue(completeCRL, X509Extensions.IssuingDistributionPoint); if (extensionValue2 != null) { issuingDistributionPoint = extensionValue2.GetDerEncoded(); } } catch (global::System.Exception ex2) { throw new global::System.Exception("Issuing distribution point extension value could not be read.", ex2); } x509CrlStoreSelector.MinCrlNumber = bigInteger?.Add(BigInteger.One); x509CrlStoreSelector.IssuingDistributionPoint = issuingDistributionPoint; x509CrlStoreSelector.IssuingDistributionPointEnabled = true; x509CrlStoreSelector.MaxBaseCrlNumber = bigInteger; ISet set = CrlUtilities.FindCrls(x509CrlStoreSelector, paramsPKIX, currentDate); ISet set2 = new HashSet(); global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)set).GetEnumerator(); try { while (enumerator.MoveNext()) { X509Crl x509Crl = (X509Crl)enumerator.get_Current(); if (isDeltaCrl(x509Crl)) { set2.Add(x509Crl); } } return(set2); } finally { global::System.IDisposable disposable = enumerator as global::System.IDisposable; if (disposable != null) { disposable.Dispose(); } } }
internal static void AddAdditionalStoresFromCrlDistributionPoint(CrlDistPoint crldp, PkixParameters pkixParams) { if (crldp == null) { return; } DistributionPoint[] array = null; try { array = crldp.GetDistributionPoints(); } catch (global::System.Exception ex) { throw new global::System.Exception("Distribution points could not be read.", ex); } for (int i = 0; i < array.Length; i++) { DistributionPointName distributionPointName = array[i].DistributionPointName; if (distributionPointName == null || distributionPointName.PointType != 0) { continue; } GeneralName[] names = GeneralNames.GetInstance(distributionPointName.Name).GetNames(); for (int j = 0; j < names.Length; j++) { if (names[j].TagNo == 6) { string @string = DerIA5String.GetInstance(names[j].Name).GetString(); AddAdditionalStoreFromLocation(@string, pkixParams); } } } }
internal static PkixCertPath ProcessAttrCert1(IX509AttributeCertificate attrCert, PkixParameters pkixParams) { PkixCertPathBuilderResult pkixCertPathBuilderResult = null; ISet set = new HashSet(); if (attrCert.Holder.GetIssuer() != null) { X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector(); x509CertStoreSelector.SerialNumber = attrCert.Holder.SerialNumber; X509Name[] issuer = attrCert.Holder.GetIssuer(); for (int i = 0; i < issuer.Length; i++) { try { x509CertStoreSelector.Issuer = issuer[i]; set.AddAll((global::System.Collections.IEnumerable)PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores())); } catch (global::System.Exception cause) { throw new PkixCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", cause); } } if (set.IsEmpty) { throw new PkixCertPathValidatorException("Public key certificate specified in base certificate ID for attribute certificate cannot be found."); } } if (attrCert.Holder.GetEntityNames() != null) { X509CertStoreSelector x509CertStoreSelector2 = new X509CertStoreSelector(); X509Name[] entityNames = attrCert.Holder.GetEntityNames(); for (int j = 0; j < entityNames.Length; j++) { try { x509CertStoreSelector2.Issuer = entityNames[j]; set.AddAll((global::System.Collections.IEnumerable)PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector2, pkixParams.GetStores())); } catch (global::System.Exception cause2) { throw new PkixCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", cause2); } } if (set.IsEmpty) { throw new PkixCertPathValidatorException("Public key certificate specified in entity name for attribute certificate cannot be found."); } } PkixBuilderParameters instance = PkixBuilderParameters.GetInstance(pkixParams); PkixCertPathValidatorException ex = null; global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)set).GetEnumerator(); try { while (enumerator.MoveNext()) { X509Certificate certificate = (X509Certificate)enumerator.get_Current(); X509CertStoreSelector x509CertStoreSelector3 = new X509CertStoreSelector(); x509CertStoreSelector3.Certificate = certificate; instance.SetTargetConstraints(x509CertStoreSelector3); PkixCertPathBuilder pkixCertPathBuilder = new PkixCertPathBuilder(); try { pkixCertPathBuilderResult = pkixCertPathBuilder.Build(PkixBuilderParameters.GetInstance(instance)); } catch (PkixCertPathBuilderException cause3) { ex = new PkixCertPathValidatorException("Certification path for public key certificate of attribute certificate could not be build.", cause3); } } } finally { global::System.IDisposable disposable = enumerator as global::System.IDisposable; if (disposable != null) { disposable.Dispose(); } } if (ex != null) { throw ex; } return(pkixCertPathBuilderResult.CertPath); }
internal static PkixCertPathValidatorResult ProcessAttrCert2( PkixCertPath certPath, PkixParameters pkixParams) { PkixCertPathValidator validator = new PkixCertPathValidator(); try { return validator.Validate(certPath, pkixParams); } catch (PkixCertPathValidatorException e) { throw new PkixCertPathValidatorException( "Certification path for issuer certificate of attribute certificate could not be validated.", e); } }
/** * * Checks a distribution point for revocation information for the * certificate <code>attrCert</code>. * * @param dp The distribution point to consider. * @param attrCert The attribute certificate which should be checked. * @param paramsPKIX PKIX parameters. * @param validDate The date when the certificate revocation status should * be checked. * @param issuerCert Certificate to check if it is revoked. * @param reasonMask The reasons mask which is already checked. * @param certPathCerts The certificates of the certification path to be * checked. * @throws Exception if the certificate is revoked or the status * cannot be checked or some error occurs. */ private static void CheckCrl( DistributionPoint dp, IX509AttributeCertificate attrCert, PkixParameters paramsPKIX, DateTime validDate, X509Certificate issuerCert, CertStatus certStatus, ReasonsMask reasonMask, IList certPathCerts) { /* * 4.3.6 No Revocation Available * * The noRevAvail extension, defined in [X.509-2000], allows an AC * issuer to indicate that no revocation information will be made * available for this AC. */ if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) != null) { return; } DateTime currentDate = DateTime.UtcNow; if (validDate.CompareTo(currentDate) > 0) { throw new Exception("Validation time is in future."); } // (a) /* * We always get timely valid CRLs, so there is no step (a) (1). * "locally cached" CRLs are assumed to be in getStore(), additional * CRLs must be enabled in the ExtendedPkixParameters and are in * getAdditionalStore() */ ISet crls = PkixCertPathValidatorUtilities.GetCompleteCrls(dp, attrCert, currentDate, paramsPKIX); bool validCrlFound = false; Exception lastException = null; IEnumerator crl_iter = crls.GetEnumerator(); while (crl_iter.MoveNext() && certStatus.Status == CertStatus.Unrevoked && !reasonMask.IsAllReasons) { try { X509Crl crl = (X509Crl) crl_iter.Current; // (d) ReasonsMask interimReasonsMask = Rfc3280CertPathUtilities.ProcessCrlD(crl, dp); // (e) /* * The reasons mask is updated at the end, so only valid CRLs * can update it. If this CRL does not contain new reasons it * must be ignored. */ if (!interimReasonsMask.HasNewReasons(reasonMask)) { continue; } // (f) ISet keys = Rfc3280CertPathUtilities.ProcessCrlF(crl, attrCert, null, null, paramsPKIX, certPathCerts); // (g) AsymmetricKeyParameter pubKey = Rfc3280CertPathUtilities.ProcessCrlG(crl, keys); X509Crl deltaCRL = null; if (paramsPKIX.IsUseDeltasEnabled) { // get delta CRLs ISet deltaCRLs = PkixCertPathValidatorUtilities.GetDeltaCrls( currentDate, paramsPKIX, crl); // we only want one valid delta CRL // (h) deltaCRL = Rfc3280CertPathUtilities.ProcessCrlH(deltaCRLs, pubKey); } /* * CRL must be be valid at the current time, not the validation * time. If a certificate is revoked with reason keyCompromise, * cACompromise, it can be used for forgery, also for the past. * This reason may not be contained in older CRLs. */ /* * in the chain model signatures stay valid also after the * certificate has been expired, so they do not have to be in * the CRL vality time */ if (paramsPKIX.ValidityModel != PkixParameters.ChainValidityModel) { /* * if a certificate has expired, but was revoked, it is not * more in the CRL, so it would be regarded as valid if the * first check is not done */ if (attrCert.NotAfter.CompareTo(crl.ThisUpdate) < 0) { throw new Exception( "No valid CRL for current time found."); } } Rfc3280CertPathUtilities.ProcessCrlB1(dp, attrCert, crl); // (b) (2) Rfc3280CertPathUtilities.ProcessCrlB2(dp, attrCert, crl); // (c) Rfc3280CertPathUtilities.ProcessCrlC(deltaCRL, crl, paramsPKIX); // (i) Rfc3280CertPathUtilities.ProcessCrlI(validDate, deltaCRL, attrCert, certStatus, paramsPKIX); // (j) Rfc3280CertPathUtilities.ProcessCrlJ(validDate, crl, attrCert, certStatus); // (k) if (certStatus.Status == CrlReason.RemoveFromCrl) { certStatus.Status = CertStatus.Unrevoked; } // update reasons mask reasonMask.AddReasons(interimReasonsMask); validCrlFound = true; } catch (Exception e) { lastException = e; } } if (!validCrlFound) { throw lastException; } }
internal static global::System.DateTime GetValidDate(PkixParameters paramsPKIX) { return(paramsPKIX.Date?.Value ?? global::System.DateTime.get_UtcNow()); }
/** * * Checks a distribution point for revocation information for the * certificate <code>attrCert</code>. * * @param dp The distribution point to consider. * @param attrCert The attribute certificate which should be checked. * @param paramsPKIX PKIX parameters. * @param validDate The date when the certificate revocation status should * be checked. * @param issuerCert Certificate to check if it is revoked. * @param reasonMask The reasons mask which is already checked. * @param certPathCerts The certificates of the certification path to be * checked. * @throws Exception if the certificate is revoked or the status * cannot be checked or some error occurs. */ private static void CheckCrl( DistributionPoint dp, IX509AttributeCertificate attrCert, PkixParameters paramsPKIX, DateTime validDate, X509Certificate issuerCert, CertStatus certStatus, ReasonsMask reasonMask, IList certPathCerts) { /* * 4.3.6 No Revocation Available * * The noRevAvail extension, defined in [X.509-2000], allows an AC * issuer to indicate that no revocation information will be made * available for this AC. */ if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) != null) { return; } DateTime currentDate = DateTime.UtcNow; if (validDate.CompareTo(currentDate) > 0) { throw new Exception("Validation time is in future."); } // (a) /* * We always get timely valid CRLs, so there is no step (a) (1). * "locally cached" CRLs are assumed to be in getStore(), additional * CRLs must be enabled in the ExtendedPkixParameters and are in * getAdditionalStore() */ ISet crls = PkixCertPathValidatorUtilities.GetCompleteCrls(dp, attrCert, currentDate, paramsPKIX); bool validCrlFound = false; Exception lastException = null; IEnumerator crl_iter = crls.GetEnumerator(); while (crl_iter.MoveNext() && certStatus.Status == CertStatus.Unrevoked && !reasonMask.IsAllReasons) { try { X509Crl crl = (X509Crl)crl_iter.Current; // (d) ReasonsMask interimReasonsMask = Rfc3280CertPathUtilities.ProcessCrlD(crl, dp); // (e) /* * The reasons mask is updated at the end, so only valid CRLs * can update it. If this CRL does not contain new reasons it * must be ignored. */ if (!interimReasonsMask.HasNewReasons(reasonMask)) { continue; } // (f) ISet keys = Rfc3280CertPathUtilities.ProcessCrlF(crl, attrCert, null, null, paramsPKIX, certPathCerts); // (g) AsymmetricKeyParameter pubKey = Rfc3280CertPathUtilities.ProcessCrlG(crl, keys); X509Crl deltaCRL = null; if (paramsPKIX.IsUseDeltasEnabled) { // get delta CRLs ISet deltaCRLs = PkixCertPathValidatorUtilities.GetDeltaCrls( currentDate, paramsPKIX, crl); // we only want one valid delta CRL // (h) deltaCRL = Rfc3280CertPathUtilities.ProcessCrlH(deltaCRLs, pubKey); } /* * CRL must be be valid at the current time, not the validation * time. If a certificate is revoked with reason keyCompromise, * cACompromise, it can be used for forgery, also for the past. * This reason may not be contained in older CRLs. */ /* * in the chain model signatures stay valid also after the * certificate has been expired, so they do not have to be in * the CRL vality time */ if (paramsPKIX.ValidityModel != PkixParameters.ChainValidityModel) { /* * if a certificate has expired, but was revoked, it is not * more in the CRL, so it would be regarded as valid if the * first check is not done */ if (attrCert.NotAfter.CompareTo(crl.ThisUpdate) < 0) { throw new Exception( "No valid CRL for current time found."); } } Rfc3280CertPathUtilities.ProcessCrlB1(dp, attrCert, crl); // (b) (2) Rfc3280CertPathUtilities.ProcessCrlB2(dp, attrCert, crl); // (c) Rfc3280CertPathUtilities.ProcessCrlC(deltaCRL, crl, paramsPKIX); // (i) Rfc3280CertPathUtilities.ProcessCrlI(validDate, deltaCRL, attrCert, certStatus, paramsPKIX); // (j) Rfc3280CertPathUtilities.ProcessCrlJ(validDate, crl, attrCert, certStatus); // (k) if (certStatus.Status == CrlReason.RemoveFromCrl) { certStatus.Status = CertStatus.Unrevoked; } // update reasons mask reasonMask.AddReasons(interimReasonsMask); validCrlFound = true; } catch (Exception e) { lastException = e; } } if (!validCrlFound) { throw lastException; } }
internal static void ProcessAttrCert7(IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams) { ISet criticalExtensionOids = attrCert.GetCriticalExtensionOids(); if (criticalExtensionOids.Contains(X509Extensions.TargetInformation.Id)) { try { TargetInformation.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.TargetInformation)); } catch (Exception cause) { throw new PkixCertPathValidatorException("Target information extension could not be read.", cause); } } criticalExtensionOids.Remove(X509Extensions.TargetInformation.Id); foreach (PkixAttrCertChecker pkixAttrCertChecker in pkixParams.GetAttrCertCheckers()) { pkixAttrCertChecker.Check(attrCert, certPath, holderCertPath, criticalExtensionOids); } if (!criticalExtensionOids.IsEmpty) { throw new PkixCertPathValidatorException("Attribute certificate contains unsupported critical extensions: " + criticalExtensionOids); } }
internal static ISet[] ProcessCrlA1ii( DateTime currentDate, PkixParameters paramsPKIX, X509Certificate cert, X509Crl crl) { ISet deltaSet = new HashSet(); X509CrlStoreSelector crlselect = new X509CrlStoreSelector(); crlselect.CertificateChecking = cert; try { IList issuer = Platform.CreateArrayList(); issuer.Add(crl.IssuerDN); crlselect.Issuers = issuer; } catch (IOException e) { throw new Exception("Cannot extract issuer from CRL." + e, e); } crlselect.CompleteCrlEnabled = true; ISet completeSet = CrlUtilities.FindCrls(crlselect, paramsPKIX, currentDate); if (paramsPKIX.IsUseDeltasEnabled) { // get delta CRL(s) try { deltaSet.AddAll(PkixCertPathValidatorUtilities.GetDeltaCrls(currentDate, paramsPKIX, crl)); } catch (Exception e) { throw new Exception("Exception obtaining delta CRLs.", e); } } return new ISet[]{ completeSet, deltaSet }; }
internal static PkixCertPathValidatorResult ProcessAttrCert2(PkixCertPath certPath, PkixParameters pkixParams) { PkixCertPathValidator pkixCertPathValidator = new PkixCertPathValidator(); PkixCertPathValidatorResult result; try { result = pkixCertPathValidator.Validate(certPath, pkixParams); } catch (PkixCertPathValidatorException cause) { throw new PkixCertPathValidatorException("Certification path for issuer certificate of attribute certificate could not be validated.", cause); } return(result); }
/** * If use-deltas is set, verify the issuer and scope of the delta CRL. * * @param deltaCRL The delta CRL. * @param completeCRL The complete CRL. * @param pkixParams The PKIX paramaters. * @throws AnnotatedException if an exception occurs. */ internal static void ProcessCrlC( X509Crl deltaCRL, X509Crl completeCRL, PkixParameters pkixParams) { if (deltaCRL == null) return; IssuingDistributionPoint completeidp = null; try { completeidp = IssuingDistributionPoint.GetInstance( PkixCertPathValidatorUtilities.GetExtensionValue(completeCRL, X509Extensions.IssuingDistributionPoint)); } catch (Exception e) { throw new Exception("000 Issuing distribution point extension could not be decoded.", e); } if (pkixParams.IsUseDeltasEnabled) { // (c) (1) if (!deltaCRL.IssuerDN.Equivalent(completeCRL.IssuerDN, true)) throw new Exception("Complete CRL issuer does not match delta CRL issuer."); // (c) (2) IssuingDistributionPoint deltaidp = null; try { deltaidp = IssuingDistributionPoint.GetInstance( PkixCertPathValidatorUtilities.GetExtensionValue(deltaCRL, X509Extensions.IssuingDistributionPoint)); } catch (Exception e) { throw new Exception( "Issuing distribution point extension from delta CRL could not be decoded.", e); } if (!Platform.Equals(completeidp, deltaidp)) { throw new Exception( "Issuing distribution point extension from delta CRL and complete CRL does not match."); } // (c) (3) Asn1Object completeKeyIdentifier = null; try { completeKeyIdentifier = PkixCertPathValidatorUtilities.GetExtensionValue( completeCRL, X509Extensions.AuthorityKeyIdentifier); } catch (Exception e) { throw new Exception( "Authority key identifier extension could not be extracted from complete CRL.", e); } Asn1Object deltaKeyIdentifier = null; try { deltaKeyIdentifier = PkixCertPathValidatorUtilities.GetExtensionValue( deltaCRL, X509Extensions.AuthorityKeyIdentifier); } catch (Exception e) { throw new Exception( "Authority key identifier extension could not be extracted from delta CRL.", e); } if (completeKeyIdentifier == null) throw new Exception("CRL authority key identifier is null."); if (deltaKeyIdentifier == null) throw new Exception("Delta CRL authority key identifier is null."); if (!completeKeyIdentifier.Equals(deltaKeyIdentifier)) { throw new Exception( "Delta CRL authority key identifier does not match complete CRL authority key identifier."); } } }
internal static PkixCertPath ProcessAttrCert1(IX509AttributeCertificate attrCert, PkixParameters pkixParams) { PkixCertPathBuilderResult pkixCertPathBuilderResult = null; ISet set = new HashSet(); if (attrCert.Holder.GetIssuer() != null) { X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector(); x509CertStoreSelector.SerialNumber = attrCert.Holder.SerialNumber; X509Name[] issuer = attrCert.Holder.GetIssuer(); for (int i = 0; i < issuer.Length; i++) { try { x509CertStoreSelector.Issuer = issuer[i]; set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores())); } catch (Exception cause) { throw new PkixCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", cause); } } if (set.IsEmpty) { throw new PkixCertPathValidatorException("Public key certificate specified in base certificate ID for attribute certificate cannot be found."); } } if (attrCert.Holder.GetEntityNames() != null) { X509CertStoreSelector x509CertStoreSelector2 = new X509CertStoreSelector(); X509Name[] entityNames = attrCert.Holder.GetEntityNames(); for (int j = 0; j < entityNames.Length; j++) { try { x509CertStoreSelector2.Issuer = entityNames[j]; set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector2, pkixParams.GetStores())); } catch (Exception cause2) { throw new PkixCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", cause2); } } if (set.IsEmpty) { throw new PkixCertPathValidatorException("Public key certificate specified in entity name for attribute certificate cannot be found."); } } PkixBuilderParameters instance = PkixBuilderParameters.GetInstance(pkixParams); PkixCertPathValidatorException ex = null; foreach (X509Certificate certificate in set) { instance.SetTargetConstraints(new X509CertStoreSelector { Certificate = certificate }); PkixCertPathBuilder pkixCertPathBuilder = new PkixCertPathBuilder(); try { pkixCertPathBuilderResult = pkixCertPathBuilder.Build(PkixBuilderParameters.GetInstance(instance)); } catch (PkixCertPathBuilderException cause3) { ex = new PkixCertPathValidatorException("Certification path for public key certificate of attribute certificate could not be build.", cause3); } } if (ex != null) { throw ex; } return(pkixCertPathBuilderResult.CertPath); }
internal static void ProcessAttrCert7(IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams) { ISet criticalExtensionOids = attrCert.GetCriticalExtensionOids(); if (criticalExtensionOids.Contains(X509Extensions.TargetInformation.Id)) { try { TargetInformation.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.TargetInformation)); } catch (global::System.Exception cause) { throw new PkixCertPathValidatorException("Target information extension could not be read.", cause); } } criticalExtensionOids.Remove(X509Extensions.TargetInformation.Id); global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)pkixParams.GetAttrCertCheckers()).GetEnumerator(); try { while (enumerator.MoveNext()) { PkixAttrCertChecker pkixAttrCertChecker = (PkixAttrCertChecker)enumerator.get_Current(); pkixAttrCertChecker.Check(attrCert, certPath, holderCertPath, criticalExtensionOids); } } finally { global::System.IDisposable disposable = enumerator as global::System.IDisposable; if (disposable != null) { disposable.Dispose(); } } if (!criticalExtensionOids.IsEmpty) { throw new PkixCertPathValidatorException(string.Concat((object)"Attribute certificate contains unsupported critical extensions: ", (object)criticalExtensionOids)); } }
private static void CheckCrl(DistributionPoint dp, IX509AttributeCertificate attrCert, PkixParameters paramsPKIX, DateTime validDate, X509Certificate issuerCert, CertStatus certStatus, ReasonsMask reasonMask, IList certPathCerts) { if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) != null) { return; } DateTime utcNow = DateTime.UtcNow; if (validDate.CompareTo(utcNow) > 0) { throw new Exception("Validation time is in future."); } ISet completeCrls = PkixCertPathValidatorUtilities.GetCompleteCrls(dp, attrCert, utcNow, paramsPKIX); bool flag = false; Exception ex = null; IEnumerator enumerator = completeCrls.GetEnumerator(); while (enumerator.MoveNext() && certStatus.Status == 11 && !reasonMask.IsAllReasons) { try { X509Crl x509Crl = (X509Crl)enumerator.Current; ReasonsMask reasonsMask = Rfc3280CertPathUtilities.ProcessCrlD(x509Crl, dp); if (reasonsMask.HasNewReasons(reasonMask)) { ISet keys = Rfc3280CertPathUtilities.ProcessCrlF(x509Crl, attrCert, null, null, paramsPKIX, certPathCerts); AsymmetricKeyParameter key = Rfc3280CertPathUtilities.ProcessCrlG(x509Crl, keys); X509Crl x509Crl2 = null; if (paramsPKIX.IsUseDeltasEnabled) { ISet deltaCrls = PkixCertPathValidatorUtilities.GetDeltaCrls(utcNow, paramsPKIX, x509Crl); x509Crl2 = Rfc3280CertPathUtilities.ProcessCrlH(deltaCrls, key); } if (paramsPKIX.ValidityModel != 1 && attrCert.NotAfter.CompareTo(x509Crl.ThisUpdate) < 0) { throw new Exception("No valid CRL for current time found."); } Rfc3280CertPathUtilities.ProcessCrlB1(dp, attrCert, x509Crl); Rfc3280CertPathUtilities.ProcessCrlB2(dp, attrCert, x509Crl); Rfc3280CertPathUtilities.ProcessCrlC(x509Crl2, x509Crl, paramsPKIX); Rfc3280CertPathUtilities.ProcessCrlI(validDate, x509Crl2, attrCert, certStatus, paramsPKIX); Rfc3280CertPathUtilities.ProcessCrlJ(validDate, x509Crl, attrCert, certStatus); if (certStatus.Status == 8) { certStatus.Status = 11; } reasonMask.AddReasons(reasonsMask); flag = true; } } catch (Exception ex2) { ex = ex2; } } if (!flag) { throw ex; } }
internal static void AddAdditionalStoresFromCrlDistributionPoint(CrlDistPoint crldp, PkixParameters pkixParams) { if (crldp != null) { DistributionPoint[] array = null; try { array = crldp.GetDistributionPoints(); } catch (Exception innerException) { throw new Exception("Distribution points could not be read.", innerException); } for (int i = 0; i < array.Length; i++) { DistributionPointName distributionPointName = array[i].DistributionPointName; if (distributionPointName != null && distributionPointName.PointType == 0) { GeneralName[] names = GeneralNames.GetInstance(distributionPointName.Name).GetNames(); for (int j = 0; j < names.Length; j++) { if (names[j].TagNo == 6) { string @string = DerIA5String.GetInstance(names[j].Name).GetString(); PkixCertPathValidatorUtilities.AddAdditionalStoreFromLocation(@string, pkixParams); } } } } } }
internal static void CheckCrls(IX509AttributeCertificate attrCert, PkixParameters paramsPKIX, X509Certificate issuerCert, DateTime validDate, IList certPathCerts) { if (paramsPKIX.IsRevocationEnabled) { if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) == null) { CrlDistPoint crlDistPoint = null; try { crlDistPoint = CrlDistPoint.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.CrlDistributionPoints)); } catch (Exception cause) { throw new PkixCertPathValidatorException("CRL distribution point extension could not be read.", cause); } try { PkixCertPathValidatorUtilities.AddAdditionalStoresFromCrlDistributionPoint(crlDistPoint, paramsPKIX); } catch (Exception cause2) { throw new PkixCertPathValidatorException("No additional CRL locations could be decoded from CRL distribution point extension.", cause2); } CertStatus certStatus = new CertStatus(); ReasonsMask reasonsMask = new ReasonsMask(); Exception cause3 = null; bool flag = false; if (crlDistPoint != null) { DistributionPoint[] array = null; try { array = crlDistPoint.GetDistributionPoints(); } catch (Exception cause4) { throw new PkixCertPathValidatorException("Distribution points could not be read.", cause4); } try { int num = 0; while (num < array.Length && certStatus.Status == 11 && !reasonsMask.IsAllReasons) { PkixParameters paramsPKIX2 = (PkixParameters)paramsPKIX.Clone(); Rfc3281CertPathUtilities.CheckCrl(array[num], attrCert, paramsPKIX2, validDate, issuerCert, certStatus, reasonsMask, certPathCerts); flag = true; num++; } } catch (Exception innerException) { cause3 = new Exception("No valid CRL for distribution point found.", innerException); } } if (certStatus.Status == 11 && !reasonsMask.IsAllReasons) { try { Asn1Object name = null; try { name = new Asn1InputStream(attrCert.Issuer.GetPrincipals()[0].GetEncoded()).ReadObject(); } catch (Exception innerException2) { throw new Exception("Issuer from certificate for CRL could not be reencoded.", innerException2); } DistributionPoint dp = new DistributionPoint(new DistributionPointName(0, new GeneralNames(new GeneralName(4, name))), null, null); PkixParameters paramsPKIX3 = (PkixParameters)paramsPKIX.Clone(); Rfc3281CertPathUtilities.CheckCrl(dp, attrCert, paramsPKIX3, validDate, issuerCert, certStatus, reasonsMask, certPathCerts); flag = true; } catch (Exception innerException3) { cause3 = new Exception("No valid CRL for distribution point found.", innerException3); } } if (!flag) { throw new PkixCertPathValidatorException("No valid CRL found.", cause3); } if (certStatus.Status != 11) { string str = certStatus.RevocationDate.Value.ToString("ddd MMM dd HH:mm:ss K yyyy"); string text = "Attribute certificate revocation after " + str; text = text + ", reason: " + Rfc3280CertPathUtilities.CrlReasons[certStatus.Status]; throw new PkixCertPathValidatorException(text); } if (!reasonsMask.IsAllReasons && certStatus.Status == 11) { certStatus.Status = 12; } if (certStatus.Status == 12) { throw new PkixCertPathValidatorException("Attribute certificate status could not be determined."); } } else if (attrCert.GetExtensionValue(X509Extensions.CrlDistributionPoints) != null || attrCert.GetExtensionValue(X509Extensions.AuthorityInfoAccess) != null) { throw new PkixCertPathValidatorException("No rev avail extension is set, but also an AC revocation pointer."); } } }
internal static void ProcessAttrCert5( IX509AttributeCertificate attrCert, PkixParameters pkixParams) { try { attrCert.CheckValidity(PkixCertPathValidatorUtilities.GetValidDate(pkixParams)); } catch (CertificateExpiredException e) { throw new PkixCertPathValidatorException( "Attribute certificate is not valid.", e); } catch (CertificateNotYetValidException e) { throw new PkixCertPathValidatorException( "Attribute certificate is not valid.", e); } }
public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters paramsPkix) { if (paramsPkix.GetTrustAnchors() == null) { throw new ArgumentException("trustAnchors is null, this is not allowed for certification path validation.", "parameters"); } IList certificates = certPath.Certificates; int count = certificates.Count; if (certificates.Count == 0) { throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0); } ISet initialPolicies = paramsPkix.GetInitialPolicies(); TrustAnchor trustAnchor; try { trustAnchor = PkixCertPathValidatorUtilities.FindTrustAnchor((X509Certificate)certificates[certificates.Count - 1], paramsPkix.GetTrustAnchors()); } catch (Exception ex) { throw new PkixCertPathValidatorException(ex.Message, ex, certPath, certificates.Count - 1); } if (trustAnchor == null) { throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1); } int i = 0; IList[] array = new IList[count + 1]; for (int j = 0; j < array.Length; j++) { array[j] = Platform.CreateArrayList(); } ISet set = new HashSet(); set.Add(Rfc3280CertPathUtilities.ANY_POLICY); PkixPolicyNode pkixPolicyNode = new PkixPolicyNode(Platform.CreateArrayList(), 0, set, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, false); array[0].Add(pkixPolicyNode); PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator(); ISet acceptablePolicies = new HashSet(); int num; if (paramsPkix.IsExplicitPolicyRequired) { num = 0; } else { num = count + 1; } int inhibitAnyPolicy; if (paramsPkix.IsAnyPolicyInhibited) { inhibitAnyPolicy = 0; } else { inhibitAnyPolicy = count + 1; } int policyMapping; if (paramsPkix.IsPolicyMappingInhibited) { policyMapping = 0; } else { policyMapping = count + 1; } X509Certificate x509Certificate = trustAnchor.TrustedCert; X509Name workingIssuerName; AsymmetricKeyParameter asymmetricKeyParameter; try { if (x509Certificate != null) { workingIssuerName = x509Certificate.SubjectDN; asymmetricKeyParameter = x509Certificate.GetPublicKey(); } else { workingIssuerName = new X509Name(trustAnchor.CAName); asymmetricKeyParameter = trustAnchor.CAPublicKey; } } catch (ArgumentException cause) { throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", cause, certPath, -1); } try { PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter); } catch (PkixCertPathValidatorException cause2) { throw new PkixCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", cause2, certPath, -1); } int maxPathLength = count; X509CertStoreSelector targetCertConstraints = paramsPkix.GetTargetCertConstraints(); if (targetCertConstraints != null && !targetCertConstraints.Match((X509Certificate)certificates[0])) { throw new PkixCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath, 0); } IList certPathCheckers = paramsPkix.GetCertPathCheckers(); IEnumerator enumerator = certPathCheckers.GetEnumerator(); while (enumerator.MoveNext()) { ((PkixCertPathChecker)enumerator.Current).Init(false); } X509Certificate x509Certificate2 = null; for (i = certificates.Count - 1; i >= 0; i--) { int num2 = count - i; x509Certificate2 = (X509Certificate)certificates[i]; Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, i, asymmetricKeyParameter, workingIssuerName, x509Certificate); Rfc3280CertPathUtilities.ProcessCertBC(certPath, i, nameConstraintValidator); pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertD(certPath, i, acceptablePolicies, pkixPolicyNode, array, inhibitAnyPolicy); pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertE(certPath, i, pkixPolicyNode); Rfc3280CertPathUtilities.ProcessCertF(certPath, i, pkixPolicyNode, num); if (num2 != count) { if (x509Certificate2 != null && x509Certificate2.Version == 1) { throw new PkixCertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, certPath, i); } Rfc3280CertPathUtilities.PrepareNextCertA(certPath, i); pkixPolicyNode = Rfc3280CertPathUtilities.PrepareCertB(certPath, i, array, pkixPolicyNode, policyMapping); Rfc3280CertPathUtilities.PrepareNextCertG(certPath, i, nameConstraintValidator); num = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, i, num); policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, i, policyMapping); inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, i, inhibitAnyPolicy); num = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, i, num); policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, i, policyMapping); inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, i, inhibitAnyPolicy); Rfc3280CertPathUtilities.PrepareNextCertK(certPath, i); maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, i, maxPathLength); maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, i, maxPathLength); Rfc3280CertPathUtilities.PrepareNextCertN(certPath, i); ISet set2 = x509Certificate2.GetCriticalExtensionOids(); if (set2 != null) { set2 = new HashSet(set2); set2.Remove(X509Extensions.KeyUsage.Id); set2.Remove(X509Extensions.CertificatePolicies.Id); set2.Remove(X509Extensions.PolicyMappings.Id); set2.Remove(X509Extensions.InhibitAnyPolicy.Id); set2.Remove(X509Extensions.IssuingDistributionPoint.Id); set2.Remove(X509Extensions.DeltaCrlIndicator.Id); set2.Remove(X509Extensions.PolicyConstraints.Id); set2.Remove(X509Extensions.BasicConstraints.Id); set2.Remove(X509Extensions.SubjectAlternativeName.Id); set2.Remove(X509Extensions.NameConstraints.Id); } else { set2 = new HashSet(); } Rfc3280CertPathUtilities.PrepareNextCertO(certPath, i, set2, certPathCheckers); x509Certificate = x509Certificate2; workingIssuerName = x509Certificate.SubjectDN; try { asymmetricKeyParameter = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, i); } catch (PkixCertPathValidatorException cause3) { throw new PkixCertPathValidatorException("Next working key could not be retrieved.", cause3, certPath, i); } PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter); } } num = Rfc3280CertPathUtilities.WrapupCertA(num, x509Certificate2); num = Rfc3280CertPathUtilities.WrapupCertB(certPath, i + 1, num); ISet set3 = x509Certificate2.GetCriticalExtensionOids(); if (set3 != null) { set3 = new HashSet(set3); set3.Remove(X509Extensions.KeyUsage.Id); set3.Remove(X509Extensions.CertificatePolicies.Id); set3.Remove(X509Extensions.PolicyMappings.Id); set3.Remove(X509Extensions.InhibitAnyPolicy.Id); set3.Remove(X509Extensions.IssuingDistributionPoint.Id); set3.Remove(X509Extensions.DeltaCrlIndicator.Id); set3.Remove(X509Extensions.PolicyConstraints.Id); set3.Remove(X509Extensions.BasicConstraints.Id); set3.Remove(X509Extensions.SubjectAlternativeName.Id); set3.Remove(X509Extensions.NameConstraints.Id); set3.Remove(X509Extensions.CrlDistributionPoints.Id); } else { set3 = new HashSet(); } Rfc3280CertPathUtilities.WrapupCertF(certPath, i + 1, certPathCheckers, set3); PkixPolicyNode pkixPolicyNode2 = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, initialPolicies, i + 1, array, pkixPolicyNode, acceptablePolicies); if (num > 0 || pkixPolicyNode2 != null) { return(new PkixCertPathValidatorResult(trustAnchor, pkixPolicyNode2, x509Certificate2.GetPublicKey())); } throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, i); }
internal static void ProcessAttrCert3( X509Certificate acIssuerCert, PkixParameters pkixParams) { if (acIssuerCert.GetKeyUsage() != null && (!acIssuerCert.GetKeyUsage()[0] && !acIssuerCert.GetKeyUsage()[1])) { throw new PkixCertPathValidatorException( "Attribute certificate issuer public key cannot be used to validate digital signatures."); } if (acIssuerCert.GetBasicConstraints() != -1) { throw new PkixCertPathValidatorException( "Attribute certificate issuer is also a public key certificate issuer."); } }
/** * Add the CRL issuers from the cRLIssuer field of the distribution point or * from the certificate if not given to the issuer criterion of the * <code>selector</code>. * <p> * The <code>issuerPrincipals</code> are a collection with a single * <code>X500Principal</code> for <code>X509Certificate</code>s. For * {@link X509AttributeCertificate}s the issuer may contain more than one * <code>X500Principal</code>. * </p> * * @param dp The distribution point. * @param issuerPrincipals The issuers of the certificate or attribute * certificate which contains the distribution point. * @param selector The CRL selector. * @param pkixParams The PKIX parameters containing the cert stores. * @throws Exception if an exception occurs while processing. * @throws ClassCastException if <code>issuerPrincipals</code> does not * contain only <code>X500Principal</code>s. */ internal static void GetCrlIssuersFromDistributionPoint( DistributionPoint dp, ICollection issuerPrincipals, X509CrlStoreSelector selector, PkixParameters pkixParams) { IList issuers = Platform.CreateArrayList(); // indirect CRL if (dp.CrlIssuer != null) { GeneralName[] genNames = dp.CrlIssuer.GetNames(); // look for a DN for (int j = 0; j < genNames.Length; j++) { if (genNames[j].TagNo == GeneralName.DirectoryName) { try { issuers.Add(X509Name.GetInstance(genNames[j].Name.ToAsn1Object())); } catch (IOException e) { throw new Exception( "CRL issuer information from distribution point cannot be decoded.", e); } } } } else { /* * certificate issuer is CRL issuer, distributionPoint field MUST be * present. */ if (dp.DistributionPointName == null) { throw new Exception( "CRL issuer is omitted from distribution point but no distributionPoint field present."); } // add and check issuer principals for (IEnumerator it = issuerPrincipals.GetEnumerator(); it.MoveNext();) { issuers.Add((X509Name)it.Current); } } // TODO: is not found although this should correctly add the rel name. selector of Sun is buggy here or PKI test case is invalid // distributionPoint // if (dp.getDistributionPoint() != null) // { // // look for nameRelativeToCRLIssuer // if (dp.getDistributionPoint().getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER) // { // // append fragment to issuer, only one // // issuer can be there, if this is given // if (issuers.size() != 1) // { // throw new AnnotatedException( // "nameRelativeToCRLIssuer field is given but more than one CRL issuer is given."); // } // DEREncodable relName = dp.getDistributionPoint().getName(); // Iterator it = issuers.iterator(); // List issuersTemp = new ArrayList(issuers.size()); // while (it.hasNext()) // { // Enumeration e = null; // try // { // e = ASN1Sequence.getInstance( // new ASN1InputStream(((X500Principal) it.next()) // .getEncoded()).readObject()).getObjects(); // } // catch (IOException ex) // { // throw new AnnotatedException( // "Cannot decode CRL issuer information.", ex); // } // ASN1EncodableVector v = new ASN1EncodableVector(); // while (e.hasMoreElements()) // { // v.add((DEREncodable) e.nextElement()); // } // v.add(relName); // issuersTemp.add(new X500Principal(new DERSequence(v) // .getDEREncoded())); // } // issuers.clear(); // issuers.addAll(issuersTemp); // } // } selector.Issuers = issuers; }
/** * Searches for a holder public key certificate and verifies its * certification path. * * @param attrCert the attribute certificate. * @param pkixParams The PKIX parameters. * @return The certificate path of the holder certificate. * @throws Exception if * <ul> * <li>no public key certificate can be found although holder * information is given by an entity name or a base certificate * ID</li> * <li>support classes cannot be created</li> * <li>no certification path for the public key certificate can * be built</li> * </ul> */ internal static PkixCertPath ProcessAttrCert1( IX509AttributeCertificate attrCert, PkixParameters pkixParams) { PkixCertPathBuilderResult result = null; // find holder PKCs ISet holderPKCs = new HashSet(); if (attrCert.Holder.GetIssuer() != null) { X509CertStoreSelector selector = new X509CertStoreSelector(); selector.SerialNumber = attrCert.Holder.SerialNumber; X509Name[] principals = attrCert.Holder.GetIssuer(); for (int i = 0; i < principals.Length; i++) { try { // if (principals[i] is X500Principal) { selector.Issuer = principals[i]; } holderPKCs.AddAll(PkixCertPathValidatorUtilities .FindCertificates(selector, pkixParams.GetStores())); } catch (Exception e) { throw new PkixCertPathValidatorException( "Public key certificate for attribute certificate cannot be searched.", e); } } if (holderPKCs.IsEmpty) { throw new PkixCertPathValidatorException( "Public key certificate specified in base certificate ID for attribute certificate cannot be found."); } } if (attrCert.Holder.GetEntityNames() != null) { X509CertStoreSelector selector = new X509CertStoreSelector(); X509Name[] principals = attrCert.Holder.GetEntityNames(); for (int i = 0; i < principals.Length; i++) { try { // if (principals[i] is X500Principal) { selector.Issuer = principals[i]; } holderPKCs.AddAll(PkixCertPathValidatorUtilities .FindCertificates(selector, pkixParams.GetStores())); } catch (Exception e) { throw new PkixCertPathValidatorException( "Public key certificate for attribute certificate cannot be searched.", e); } } if (holderPKCs.IsEmpty) { throw new PkixCertPathValidatorException( "Public key certificate specified in entity name for attribute certificate cannot be found."); } } // verify cert paths for PKCs PkixBuilderParameters parameters = (PkixBuilderParameters) PkixBuilderParameters.GetInstance(pkixParams); PkixCertPathValidatorException lastException = null; foreach (X509Certificate cert in holderPKCs) { X509CertStoreSelector selector = new X509CertStoreSelector(); selector.Certificate = cert; parameters.SetTargetConstraints(selector); PkixCertPathBuilder builder = new PkixCertPathBuilder(); try { result = builder.Build(PkixBuilderParameters.GetInstance(parameters)); } catch (PkixCertPathBuilderException e) { lastException = new PkixCertPathValidatorException( "Certification path for public key certificate of attribute certificate could not be build.", e); } } if (lastException != null) { throw lastException; } return result.CertPath; }
/** * Fetches delta CRLs according to RFC 3280 section 5.2.4. * * @param currentDate The date for which the delta CRLs must be valid. * @param paramsPKIX The extended PKIX parameters. * @param completeCRL The complete CRL the delta CRL is for. * @return A <code>Set</code> of <code>X509CRL</code>s with delta CRLs. * @throws Exception if an exception occurs while picking the delta * CRLs. */ internal static ISet GetDeltaCrls( DateTime currentDate, PkixParameters paramsPKIX, X509Crl completeCRL) { X509CrlStoreSelector deltaSelect = new X509CrlStoreSelector(); // 5.2.4 (a) try { IList deltaSelectIssuer = Platform.CreateArrayList(); deltaSelectIssuer.Add(completeCRL.IssuerDN); deltaSelect.Issuers = deltaSelectIssuer; } catch (IOException e) { throw new Exception("Cannot extract issuer from CRL.", e); } BigInteger completeCRLNumber = null; try { Asn1Object asn1Object = GetExtensionValue(completeCRL, X509Extensions.CrlNumber); if (asn1Object != null) { completeCRLNumber = CrlNumber.GetInstance(asn1Object).PositiveValue; } } catch (Exception e) { throw new Exception( "CRL number extension could not be extracted from CRL.", e); } // 5.2.4 (b) byte[] idp = null; try { Asn1Object obj = GetExtensionValue(completeCRL, X509Extensions.IssuingDistributionPoint); if (obj != null) { idp = obj.GetDerEncoded(); } } catch (Exception e) { throw new Exception( "Issuing distribution point extension value could not be read.", e); } // 5.2.4 (d) deltaSelect.MinCrlNumber = (completeCRLNumber == null) ? null : completeCRLNumber.Add(BigInteger.One); deltaSelect.IssuingDistributionPoint = idp; deltaSelect.IssuingDistributionPointEnabled = true; // 5.2.4 (c) deltaSelect.MaxBaseCrlNumber = completeCRLNumber; // find delta CRLs ISet temp = CrlUtilities.FindCrls(deltaSelect, paramsPKIX, currentDate); ISet result = new HashSet(); foreach (X509Crl crl in temp) { if (isDeltaCrl(crl)) { result.Add(crl); } } return(result); }
/** * Checks if an attribute certificate is revoked. * * @param attrCert Attribute certificate to check if it is revoked. * @param paramsPKIX PKIX parameters. * @param issuerCert The issuer certificate of the attribute certificate * <code>attrCert</code>. * @param validDate The date when the certificate revocation status should * be checked. * @param certPathCerts The certificates of the certification path to be * checked. * * @throws CertPathValidatorException if the certificate is revoked or the * status cannot be checked or some error occurs. */ internal static void CheckCrls( IX509AttributeCertificate attrCert, PkixParameters paramsPKIX, X509Certificate issuerCert, DateTime validDate, IList certPathCerts) { if (paramsPKIX.IsRevocationEnabled) { // check if revocation is available if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) == null) { CrlDistPoint crldp = null; try { crldp = CrlDistPoint.GetInstance( PkixCertPathValidatorUtilities.GetExtensionValue( attrCert, X509Extensions.CrlDistributionPoints)); } catch (Exception e) { throw new PkixCertPathValidatorException( "CRL distribution point extension could not be read.", e); } try { PkixCertPathValidatorUtilities .AddAdditionalStoresFromCrlDistributionPoint(crldp, paramsPKIX); } catch (Exception e) { throw new PkixCertPathValidatorException( "No additional CRL locations could be decoded from CRL distribution point extension.", e); } CertStatus certStatus = new CertStatus(); ReasonsMask reasonsMask = new ReasonsMask(); Exception lastException = null; bool validCrlFound = false; // for each distribution point if (crldp != null) { DistributionPoint[] dps = null; try { dps = crldp.GetDistributionPoints(); } catch (Exception e) { throw new PkixCertPathValidatorException( "Distribution points could not be read.", e); } try { for (int i = 0; i < dps.Length && certStatus.Status == CertStatus.Unrevoked && !reasonsMask.IsAllReasons; i++) { PkixParameters paramsPKIXClone = (PkixParameters) paramsPKIX .Clone(); CheckCrl(dps[i], attrCert, paramsPKIXClone, validDate, issuerCert, certStatus, reasonsMask, certPathCerts); validCrlFound = true; } } catch (Exception e) { lastException = new Exception( "No valid CRL for distribution point found.", e); } } /* * If the revocation status has not been determined, repeat the * process above with any available CRLs not specified in a * distribution point but issued by the certificate issuer. */ if (certStatus.Status == CertStatus.Unrevoked && !reasonsMask.IsAllReasons) { try { /* * assume a DP with both the reasons and the cRLIssuer * fields omitted and a distribution point name of the * certificate issuer. */ Asn1Object issuer = null; try { issuer = new Asn1InputStream( attrCert.Issuer.GetPrincipals()[0].GetEncoded()).ReadObject(); } catch (Exception e) { throw new Exception( "Issuer from certificate for CRL could not be reencoded.", e); } DistributionPoint dp = new DistributionPoint( new DistributionPointName(0, new GeneralNames( new GeneralName(GeneralName.DirectoryName, issuer))), null, null); PkixParameters paramsPKIXClone = (PkixParameters) paramsPKIX.Clone(); CheckCrl(dp, attrCert, paramsPKIXClone, validDate, issuerCert, certStatus, reasonsMask, certPathCerts); validCrlFound = true; } catch (Exception e) { lastException = new Exception( "No valid CRL for distribution point found.", e); } } if (!validCrlFound) { throw new PkixCertPathValidatorException( "No valid CRL found.", lastException); } if (certStatus.Status != CertStatus.Unrevoked) { // TODO This format is forced by the NistCertPath tests string formattedDate = certStatus.RevocationDate.Value.ToString( "G", new CultureInfo("en-us")); string message = "Attribute certificate revocation after " + formattedDate; message += ", reason: " + Rfc3280CertPathUtilities.CrlReasons[certStatus.Status]; throw new PkixCertPathValidatorException(message); } if (!reasonsMask.IsAllReasons && certStatus.Status == CertStatus.Unrevoked) { certStatus.Status = CertStatus.Undetermined; } if (certStatus.Status == CertStatus.Undetermined) { throw new PkixCertPathValidatorException( "Attribute certificate status could not be determined."); } } else { if (attrCert.GetExtensionValue(X509Extensions.CrlDistributionPoints) != null || attrCert.GetExtensionValue(X509Extensions.AuthorityInfoAccess) != null) { throw new PkixCertPathValidatorException( "No rev avail extension is set, but also an AC revocation pointer."); } } } }
public virtual PkixCertPathValidatorResult Validate( PkixCertPath certPath, PkixParameters paramsPkix) { if (paramsPkix.GetTrustAnchors() == null) { throw new ArgumentException( "trustAnchors is null, this is not allowed for certification path validation.", "parameters"); } // // 6.1.1 - inputs // // // (a) // IList certs = certPath.Certificates; int n = certs.Count; if (certs.Count == 0) { throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0); } // // (b) // // DateTime validDate = PkixCertPathValidatorUtilities.GetValidDate(paramsPkix); // // (c) // ISet userInitialPolicySet = paramsPkix.GetInitialPolicies(); // // (d) // TrustAnchor trust; try { trust = PkixCertPathValidatorUtilities.FindTrustAnchor( (X509Certificate)certs[certs.Count - 1], paramsPkix.GetTrustAnchors()); } catch (Exception e) { throw new PkixCertPathValidatorException(e.Message, e, certPath, certs.Count - 1); } if (trust == null) { throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1); } // // (e), (f), (g) are part of the paramsPkix object. // IEnumerator certIter; int index = 0; int i; // Certificate for each interation of the validation loop // Signature information for each iteration of the validation loop // // 6.1.2 - setup // // // (a) // IList[] policyNodes = new IList[n + 1]; for (int j = 0; j < policyNodes.Length; j++) { policyNodes[j] = Platform.CreateArrayList(); } ISet policySet = new HashSet(); policySet.Add(Rfc3280CertPathUtilities.ANY_POLICY); PkixPolicyNode validPolicyTree = new PkixPolicyNode(Platform.CreateArrayList(), 0, policySet, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, false); policyNodes[0].Add(validPolicyTree); // // (b) and (c) // PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator(); // (d) // int explicitPolicy; ISet acceptablePolicies = new HashSet(); if (paramsPkix.IsExplicitPolicyRequired) { explicitPolicy = 0; } else { explicitPolicy = n + 1; } // // (e) // int inhibitAnyPolicy; if (paramsPkix.IsAnyPolicyInhibited) { inhibitAnyPolicy = 0; } else { inhibitAnyPolicy = n + 1; } // // (f) // int policyMapping; if (paramsPkix.IsPolicyMappingInhibited) { policyMapping = 0; } else { policyMapping = n + 1; } // // (g), (h), (i), (j) // AsymmetricKeyParameter workingPublicKey; X509Name workingIssuerName; X509Certificate sign = trust.TrustedCert; try { if (sign != null) { workingIssuerName = sign.SubjectDN; workingPublicKey = sign.GetPublicKey(); } else { workingIssuerName = new X509Name(trust.CAName); workingPublicKey = trust.CAPublicKey; } } catch (ArgumentException ex) { throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath, -1); } //AlgorithmIdentifier workingAlgId = null; try { /*workingAlgId = */ PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey); } catch (PkixCertPathValidatorException e) { throw new PkixCertPathValidatorException( "Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1); } // DerObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.ObjectID; // Asn1Encodable workingPublicKeyParameters = workingAlgId.Parameters; // // (k) // int maxPathLength = n; // // 6.1.3 // X509CertStoreSelector certConstraints = paramsPkix.GetTargetCertConstraints(); if (certConstraints != null && !certConstraints.Match((X509Certificate)certs[0])) { throw new PkixCertPathValidatorException( "Target certificate in certification path does not match targetConstraints.", null, certPath, 0); } // // initialize CertPathChecker's // IList pathCheckers = paramsPkix.GetCertPathCheckers(); certIter = pathCheckers.GetEnumerator(); while (certIter.MoveNext()) { ((PkixCertPathChecker)certIter.Current).Init(false); } X509Certificate cert = null; for (index = certs.Count - 1; index >= 0; index--) { // try // { // // i as defined in the algorithm description // i = n - index; // // set certificate to be checked in this round // sign and workingPublicKey and workingIssuerName are set // at the end of the for loop and initialized the // first time from the TrustAnchor // cert = (X509Certificate)certs[index]; // // 6.1.3 // Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, index, workingPublicKey, workingIssuerName, sign); Rfc3280CertPathUtilities.ProcessCertBC(certPath, index, nameConstraintValidator); validPolicyTree = Rfc3280CertPathUtilities.ProcessCertD(certPath, index, acceptablePolicies, validPolicyTree, policyNodes, inhibitAnyPolicy); validPolicyTree = Rfc3280CertPathUtilities.ProcessCertE(certPath, index, validPolicyTree); Rfc3280CertPathUtilities.ProcessCertF(certPath, index, validPolicyTree, explicitPolicy); // // 6.1.4 // if (i != n) { if (cert != null && cert.Version == 1) { throw new PkixCertPathValidatorException( "Version 1 certificates can't be used as CA ones.", null, certPath, index); } Rfc3280CertPathUtilities.PrepareNextCertA(certPath, index); validPolicyTree = Rfc3280CertPathUtilities.PrepareCertB(certPath, index, policyNodes, validPolicyTree, policyMapping); Rfc3280CertPathUtilities.PrepareNextCertG(certPath, index, nameConstraintValidator); // (h) explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, index, explicitPolicy); policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, index, policyMapping); inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, index, inhibitAnyPolicy); // // (i) // explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, index, explicitPolicy); policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, index, policyMapping); // (j) inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, index, inhibitAnyPolicy); // (k) Rfc3280CertPathUtilities.PrepareNextCertK(certPath, index); // (l) maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, index, maxPathLength); // (m) maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, index, maxPathLength); // (n) Rfc3280CertPathUtilities.PrepareNextCertN(certPath, index); ISet criticalExtensions1 = cert.GetCriticalExtensionOids(); if (criticalExtensions1 != null) { criticalExtensions1 = new HashSet(criticalExtensions1); // these extensions are handled by the algorithm criticalExtensions1.Remove(X509Extensions.KeyUsage.Id); criticalExtensions1.Remove(X509Extensions.CertificatePolicies.Id); criticalExtensions1.Remove(X509Extensions.PolicyMappings.Id); criticalExtensions1.Remove(X509Extensions.InhibitAnyPolicy.Id); criticalExtensions1.Remove(X509Extensions.IssuingDistributionPoint.Id); criticalExtensions1.Remove(X509Extensions.DeltaCrlIndicator.Id); criticalExtensions1.Remove(X509Extensions.PolicyConstraints.Id); criticalExtensions1.Remove(X509Extensions.BasicConstraints.Id); criticalExtensions1.Remove(X509Extensions.SubjectAlternativeName.Id); criticalExtensions1.Remove(X509Extensions.NameConstraints.Id); } else { criticalExtensions1 = new HashSet(); } // (o) Rfc3280CertPathUtilities.PrepareNextCertO(certPath, index, criticalExtensions1, pathCheckers); // set signing certificate for next round sign = cert; // (c) workingIssuerName = sign.SubjectDN; // (d) try { workingPublicKey = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, index); } catch (PkixCertPathValidatorException e) { throw new PkixCertPathValidatorException("Next working key could not be retrieved.", e, certPath, index); } /*workingAlgId = */ PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey); // (f) // workingPublicKeyAlgorithm = workingAlgId.ObjectID; // (e) // workingPublicKeyParameters = workingAlgId.Parameters; } } // // 6.1.5 Wrap-up procedure // explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, cert); explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, index + 1, explicitPolicy); // // (c) (d) and (e) are already done // // // (f) // ISet criticalExtensions = cert.GetCriticalExtensionOids(); if (criticalExtensions != null) { criticalExtensions = new HashSet(criticalExtensions); // Requires .Id // these extensions are handled by the algorithm criticalExtensions.Remove(X509Extensions.KeyUsage.Id); criticalExtensions.Remove(X509Extensions.CertificatePolicies.Id); criticalExtensions.Remove(X509Extensions.PolicyMappings.Id); criticalExtensions.Remove(X509Extensions.InhibitAnyPolicy.Id); criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id); criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id); criticalExtensions.Remove(X509Extensions.PolicyConstraints.Id); criticalExtensions.Remove(X509Extensions.BasicConstraints.Id); criticalExtensions.Remove(X509Extensions.SubjectAlternativeName.Id); criticalExtensions.Remove(X509Extensions.NameConstraints.Id); criticalExtensions.Remove(X509Extensions.CrlDistributionPoints.Id); } else { criticalExtensions = new HashSet(); } Rfc3280CertPathUtilities.WrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions); PkixPolicyNode intersection = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, userInitialPolicySet, index + 1, policyNodes, validPolicyTree, acceptablePolicies); if ((explicitPolicy > 0) || (intersection != null)) { return(new PkixCertPathValidatorResult(trust, intersection, cert.GetPublicKey())); } throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, index); }
/** * Searches for a holder public key certificate and verifies its * certification path. * * @param attrCert the attribute certificate. * @param pkixParams The PKIX parameters. * @return The certificate path of the holder certificate. * @throws Exception if * <ul> * <li>no public key certificate can be found although holder * information is given by an entity name or a base certificate * ID</li> * <li>support classes cannot be created</li> * <li>no certification path for the public key certificate can * be built</li> * </ul> */ internal static PkixCertPath ProcessAttrCert1( IX509AttributeCertificate attrCert, PkixParameters pkixParams) { PkixCertPathBuilderResult result = null; // find holder PKCs ISet holderPKCs = new HashSet(); if (attrCert.Holder.GetIssuer() != null) { X509CertStoreSelector selector = new X509CertStoreSelector(); selector.SerialNumber = attrCert.Holder.SerialNumber; X509Name[] principals = attrCert.Holder.GetIssuer(); for (int i = 0; i < principals.Length; i++) { try { // if (principals[i] is X500Principal) { selector.Issuer = principals[i]; } holderPKCs.AddAll(PkixCertPathValidatorUtilities .FindCertificates(selector, pkixParams.GetStores())); } catch (Exception e) { throw new PkixCertPathValidatorException( "Public key certificate for attribute certificate cannot be searched.", e); } } if (holderPKCs.IsEmpty) { throw new PkixCertPathValidatorException( "Public key certificate specified in base certificate ID for attribute certificate cannot be found."); } } if (attrCert.Holder.GetEntityNames() != null) { X509CertStoreSelector selector = new X509CertStoreSelector(); X509Name[] principals = attrCert.Holder.GetEntityNames(); for (int i = 0; i < principals.Length; i++) { try { // if (principals[i] is X500Principal) { selector.Issuer = principals[i]; } holderPKCs.AddAll(PkixCertPathValidatorUtilities .FindCertificates(selector, pkixParams.GetStores())); } catch (Exception e) { throw new PkixCertPathValidatorException( "Public key certificate for attribute certificate cannot be searched.", e); } } if (holderPKCs.IsEmpty) { throw new PkixCertPathValidatorException( "Public key certificate specified in entity name for attribute certificate cannot be found."); } } // verify cert paths for PKCs PkixBuilderParameters parameters = (PkixBuilderParameters) PkixBuilderParameters.GetInstance(pkixParams); PkixCertPathValidatorException lastException = null; foreach (X509Certificate cert in holderPKCs) { X509CertStoreSelector selector = new X509CertStoreSelector(); selector.Certificate = cert; parameters.SetTargetConstraints(selector); PkixCertPathBuilder builder = new PkixCertPathBuilder(); try { result = builder.Build(PkixBuilderParameters.GetInstance(parameters)); } catch (PkixCertPathBuilderException e) { lastException = new PkixCertPathValidatorException( "Certification path for public key certificate of attribute certificate could not be build.", e); } } if (lastException != null) { throw lastException; } return(result.CertPath); }
internal static void GetCrlIssuersFromDistributionPoint(DistributionPoint dp, ICollection issuerPrincipals, X509CrlStoreSelector selector, PkixParameters pkixParams) { IList list = Platform.CreateArrayList(); if (dp.CrlIssuer != null) { GeneralName[] names = dp.CrlIssuer.GetNames(); for (int i = 0; i < names.Length; i++) { if (names[i].TagNo == 4) { try { list.Add(X509Name.GetInstance(names[i].Name.ToAsn1Object())); } catch (IOException innerException) { throw new Exception("CRL issuer information from distribution point cannot be decoded.", innerException); } } } } else { if (dp.DistributionPointName == null) { throw new Exception("CRL issuer is omitted from distribution point but no distributionPoint field present."); } IEnumerator enumerator = issuerPrincipals.GetEnumerator(); while (enumerator.MoveNext()) { list.Add((X509Name)enumerator.Current); } } selector.Issuers = list; }
/** * Checks if an attribute certificate is revoked. * * @param attrCert Attribute certificate to check if it is revoked. * @param paramsPKIX PKIX parameters. * @param issuerCert The issuer certificate of the attribute certificate * <code>attrCert</code>. * @param validDate The date when the certificate revocation status should * be checked. * @param certPathCerts The certificates of the certification path to be * checked. * * @throws CertPathValidatorException if the certificate is revoked or the * status cannot be checked or some error occurs. */ internal static void CheckCrls( IX509AttributeCertificate attrCert, PkixParameters paramsPKIX, X509Certificate issuerCert, DateTime validDate, IList certPathCerts) { if (!paramsPKIX.IsRevocationEnabled) { return; } // check if revocation is available if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) != null) { if (attrCert.GetExtensionValue(X509Extensions.CrlDistributionPoints) != null || attrCert.GetExtensionValue(X509Extensions.AuthorityInfoAccess) != null) { throw new PkixCertPathValidatorException( "No rev avail extension is set, but also an AC revocation pointer."); } return; } CrlDistPoint crldp = null; try { crldp = CrlDistPoint.GetInstance( PkixCertPathValidatorUtilities.GetExtensionValue( attrCert, X509Extensions.CrlDistributionPoints)); } catch (Exception e) { throw new PkixCertPathValidatorException( "CRL distribution point extension could not be read.", e); } try { PkixCertPathValidatorUtilities .AddAdditionalStoresFromCrlDistributionPoint(crldp, paramsPKIX); } catch (Exception e) { throw new PkixCertPathValidatorException( "No additional CRL locations could be decoded from CRL distribution point extension.", e); } CertStatus certStatus = new CertStatus(); ReasonsMask reasonsMask = new ReasonsMask(); Exception lastException = null; bool validCrlFound = false; // for each distribution point if (crldp != null) { DistributionPoint[] dps = null; try { dps = crldp.GetDistributionPoints(); } catch (Exception e) { throw new PkixCertPathValidatorException( "Distribution points could not be read.", e); } try { for (int i = 0; i < dps.Length && certStatus.Status == CertStatus.Unrevoked && !reasonsMask.IsAllReasons; i++) { PkixParameters paramsPKIXClone = (PkixParameters)paramsPKIX .Clone(); CheckCrl(dps[i], attrCert, paramsPKIXClone, validDate, issuerCert, certStatus, reasonsMask, certPathCerts); validCrlFound = true; } } catch (Exception e) { lastException = new Exception( "No valid CRL for distribution point found.", e); } } /* * If the revocation status has not been determined, repeat the * process above with any available CRLs not specified in a * distribution point but issued by the certificate issuer. */ if (certStatus.Status == CertStatus.Unrevoked && !reasonsMask.IsAllReasons) { try { /* * assume a DP with both the reasons and the cRLIssuer * fields omitted and a distribution point name of the * certificate issuer. */ X509Name issuer; try { issuer = X509Name.GetInstance(attrCert.Issuer.GetPrincipals()[0].GetEncoded()); } catch (Exception e) { throw new Exception( "Issuer from certificate for CRL could not be reencoded.", e); } DistributionPoint dp = new DistributionPoint( new DistributionPointName(0, new GeneralNames( new GeneralName(GeneralName.DirectoryName, issuer))), null, null); PkixParameters paramsPKIXClone = (PkixParameters)paramsPKIX.Clone(); CheckCrl(dp, attrCert, paramsPKIXClone, validDate, issuerCert, certStatus, reasonsMask, certPathCerts); validCrlFound = true; } catch (Exception e) { lastException = new Exception( "No valid CRL for distribution point found.", e); } } if (!validCrlFound) { throw new PkixCertPathValidatorException( "No valid CRL found.", lastException); } if (certStatus.Status != CertStatus.Unrevoked) { // This format is enforced by the NistCertPath tests string formattedDate = certStatus.RevocationDate.Value.ToString( "ddd MMM dd HH:mm:ss K yyyy"); string message = "Attribute certificate revocation after " + formattedDate; message += ", reason: " + Rfc3280CertPathUtilities.CrlReasons[certStatus.Status]; throw new PkixCertPathValidatorException(message); } if (!reasonsMask.IsAllReasons && certStatus.Status == CertStatus.Unrevoked) { certStatus.Status = CertStatus.Undetermined; } if (certStatus.Status == CertStatus.Undetermined) { throw new PkixCertPathValidatorException( "Attribute certificate status could not be determined."); } }
internal static void AddAdditionalStoresFromAltNames( X509Certificate cert, PkixParameters pkixParams) { // if in the IssuerAltName extension an URI // is given, add an additinal X.509 store if (cert.GetIssuerAlternativeNames() != null) { IEnumerator it = cert.GetIssuerAlternativeNames().GetEnumerator(); while (it.MoveNext()) { // look for URI IList list = (IList)it.Current; //if (list[0].Equals(new Integer(GeneralName.UniformResourceIdentifier))) if (list[0].Equals(GeneralName.UniformResourceIdentifier)) { // found string temp = (string)list[1]; PkixCertPathValidatorUtilities.AddAdditionalStoreFromLocation(temp, pkixParams); } } } }
/** * Checks a certificate if it is revoked. * * @param paramsPKIX PKIX parameters. * @param cert Certificate to check if it is revoked. * @param validDate The date when the certificate revocation status should be * checked. * @param sign The issuer certificate of the certificate <code>cert</code>. * @param workingPublicKey The public key of the issuer certificate <code>sign</code>. * @param certPathCerts The certificates of the certification path. * @throws AnnotatedException if the certificate is revoked or the status cannot be checked * or some error occurs. */ protected static void CheckCrls( PkixParameters paramsPKIX, X509Certificate cert, DateTime validDate, X509Certificate sign, AsymmetricKeyParameter workingPublicKey, IList certPathCerts) { Exception lastException = null; CrlDistPoint crldp = null; try { crldp = CrlDistPoint.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.CrlDistributionPoints)); } catch (Exception e) { throw new Exception("CRL distribution point extension could not be read.", e); } try { PkixCertPathValidatorUtilities.AddAdditionalStoresFromCrlDistributionPoint(crldp, paramsPKIX); } catch (Exception e) { throw new Exception( "No additional CRL locations could be decoded from CRL distribution point extension.", e); } CertStatus certStatus = new CertStatus(); ReasonsMask reasonsMask = new ReasonsMask(); bool validCrlFound = false; // for each distribution point if (crldp != null) { DistributionPoint[] dps = null; try { dps = crldp.GetDistributionPoints(); } catch (Exception e) { throw new Exception("Distribution points could not be read.", e); } if (dps != null) { for (int i = 0; i < dps.Length && certStatus.Status == CertStatus.Unrevoked && !reasonsMask.IsAllReasons; i++) { PkixParameters paramsPKIXClone = (PkixParameters)paramsPKIX.Clone(); try { CheckCrl(dps[i], paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts); validCrlFound = true; } catch (Exception e) { lastException = e; } } } } /* * If the revocation status has not been determined, repeat the process * above with any available CRLs not specified in a distribution point * but issued by the certificate issuer. */ if (certStatus.Status == CertStatus.Unrevoked && !reasonsMask.IsAllReasons) { try { /* * assume a DP with both the reasons and the cRLIssuer fields * omitted and a distribution point name of the certificate * issuer. */ Asn1Object issuer = null; try { issuer = new Asn1InputStream(cert.IssuerDN.GetEncoded()).ReadObject(); } catch (Exception e) { throw new Exception("Issuer from certificate for CRL could not be reencoded.", e); } DistributionPoint dp = new DistributionPoint(new DistributionPointName(0, new GeneralNames( new GeneralName(GeneralName.DirectoryName, issuer))), null, null); PkixParameters paramsPKIXClone = (PkixParameters)paramsPKIX.Clone(); CheckCrl(dp, paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts); validCrlFound = true; } catch (Exception e) { lastException = e; } } if (!validCrlFound) { throw lastException; } if (certStatus.Status != CertStatus.Unrevoked) { // TODO This format is forced by the NistCertPath tests string formattedDate = certStatus.RevocationDate.Value.ToString( "G", System.util.Util.GetStandartEnUSLocale()); string message = "Certificate revocation after " + formattedDate; message += ", reason: " + CrlReasons[certStatus.Status]; throw new Exception(message); } if (!reasonsMask.IsAllReasons && certStatus.Status == CertStatus.Unrevoked) { certStatus.Status = CertStatus.Undetermined; } if (certStatus.Status == CertStatus.Undetermined) { throw new Exception("Certificate status could not be determined."); } }
internal static DateTime GetValidDate(PkixParameters paramsPKIX) { DateTimeObject validDate = paramsPKIX.Date; if (validDate == null) return DateTime.UtcNow; return validDate.Value; }
internal static ISet ProcessCrlA1i( DateTime currentDate, PkixParameters paramsPKIX, X509Certificate cert, X509Crl crl) { ISet deltaSet = new HashSet(); if (paramsPKIX.IsUseDeltasEnabled) { CrlDistPoint freshestCRL = null; try { freshestCRL = CrlDistPoint.GetInstance( PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.FreshestCrl)); } catch (Exception e) { throw new Exception("Freshest CRL extension could not be decoded from certificate.", e); } if (freshestCRL == null) { try { freshestCRL = CrlDistPoint.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(crl, X509Extensions.FreshestCrl)); } catch (Exception e) { throw new Exception("Freshest CRL extension could not be decoded from CRL.", e); } } if (freshestCRL != null) { try { PkixCertPathValidatorUtilities.AddAdditionalStoresFromCrlDistributionPoint(freshestCRL, paramsPKIX); } catch (Exception e) { throw new Exception( "No new delta CRL locations could be added from Freshest CRL extension.", e); } // get delta CRL(s) try { deltaSet.AddAll(PkixCertPathValidatorUtilities.GetDeltaCrls(currentDate, paramsPKIX, crl)); } catch (Exception e) { throw new Exception("Exception obtaining delta CRLs.", e); } } } return deltaSet; }
internal static DateTime GetValidCertDateFromValidityModel( PkixParameters paramsPkix, PkixCertPath certPath, int index) { if (paramsPkix.ValidityModel != PkixParameters.ChainValidityModel) { return GetValidDate(paramsPkix); } // if end cert use given signing/encryption/... time if (index <= 0) { return PkixCertPathValidatorUtilities.GetValidDate(paramsPkix); // else use time when previous cert was created } if (index - 1 == 0) { DerGeneralizedTime dateOfCertgen = null; try { X509Certificate cert = (X509Certificate)certPath.Certificates[index - 1]; Asn1OctetString extVal = cert.GetExtensionValue( IsisMttObjectIdentifiers.IdIsisMttATDateOfCertGen); dateOfCertgen = DerGeneralizedTime.GetInstance(extVal); } catch (ArgumentException) { throw new Exception( "Date of cert gen extension could not be read."); } if (dateOfCertgen != null) { try { return dateOfCertgen.ToDateTime(); } catch (ArgumentException e) { throw new Exception( "Date from date of cert gen extension could not be parsed.", e); } } } return ((X509Certificate)certPath.Certificates[index - 1]).NotBefore; }
internal static PkixPolicyNode WrapupCertG( PkixCertPath certPath, PkixParameters paramsPKIX, ISet userInitialPolicySet, int index, IList[] policyNodes, PkixPolicyNode validPolicyTree, ISet acceptablePolicies) { int n = certPath.Certificates.Count; // // (g) // PkixPolicyNode intersection; // // (g) (i) // if (validPolicyTree == null) { if (paramsPKIX.IsExplicitPolicyRequired) { throw new PkixCertPathValidatorException( "Explicit policy requested but none available.", null, certPath, index); } intersection = null; } else if (PkixCertPathValidatorUtilities.IsAnyPolicy(userInitialPolicySet)) // (g) // (ii) { if (paramsPKIX.IsExplicitPolicyRequired) { if (acceptablePolicies.IsEmpty) { throw new PkixCertPathValidatorException( "Explicit policy requested but none available.", null, certPath, index); } else { ISet _validPolicyNodeSet = new HashSet(); for (int j = 0; j < policyNodes.Length; j++) { IList _nodeDepth = policyNodes[j]; for (int k = 0; k < _nodeDepth.Count; k++) { PkixPolicyNode _node = (PkixPolicyNode)_nodeDepth[k]; if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(_node.ValidPolicy)) { foreach (object o in _node.Children) { _validPolicyNodeSet.Add(o); } } } } foreach (PkixPolicyNode _node in _validPolicyNodeSet) { string _validPolicy = _node.ValidPolicy; if (!acceptablePolicies.Contains(_validPolicy)) { // TODO? // validPolicyTree = // removePolicyNode(validPolicyTree, policyNodes, // _node); } } if (validPolicyTree != null) { for (int j = (n - 1); j >= 0; j--) { IList nodes = policyNodes[j]; for (int k = 0; k < nodes.Count; k++) { PkixPolicyNode node = (PkixPolicyNode)nodes[k]; if (!node.HasChildren) { validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree, policyNodes, node); } } } } } } intersection = validPolicyTree; } else { // // (g) (iii) // // This implementation is not exactly same as the one described in // RFC3280. // However, as far as the validation result is concerned, both // produce // adequate result. The only difference is whether AnyPolicy is // remain // in the policy tree or not. // // (g) (iii) 1 // ISet _validPolicyNodeSet = new HashSet(); for (int j = 0; j < policyNodes.Length; j++) { IList _nodeDepth = policyNodes[j]; for (int k = 0; k < _nodeDepth.Count; k++) { PkixPolicyNode _node = (PkixPolicyNode)_nodeDepth[k]; if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(_node.ValidPolicy)) { foreach (PkixPolicyNode _c_node in _node.Children) { if (!Rfc3280CertPathUtilities.ANY_POLICY.Equals(_c_node.ValidPolicy)) { _validPolicyNodeSet.Add(_c_node); } } } } } // // (g) (iii) 2 // IEnumerator _vpnsIter = _validPolicyNodeSet.GetEnumerator(); while (_vpnsIter.MoveNext()) { PkixPolicyNode _node = (PkixPolicyNode)_vpnsIter.Current; string _validPolicy = _node.ValidPolicy; if (!userInitialPolicySet.Contains(_validPolicy)) { validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree, policyNodes, _node); } } // // (g) (iii) 4 // if (validPolicyTree != null) { for (int j = (n - 1); j >= 0; j--) { IList nodes = policyNodes[j]; for (int k = 0; k < nodes.Count; k++) { PkixPolicyNode node = (PkixPolicyNode)nodes[k]; if (!node.HasChildren) { validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree, policyNodes, node); } } } } intersection = validPolicyTree; } return intersection; }
/** * Add the CRL issuers from the cRLIssuer field of the distribution point or * from the certificate if not given to the issuer criterion of the * <code>selector</code>. * <p> * The <code>issuerPrincipals</code> are a collection with a single * <code>X500Principal</code> for <code>X509Certificate</code>s. For * {@link X509AttributeCertificate}s the issuer may contain more than one * <code>X500Principal</code>. * </p> * * @param dp The distribution point. * @param issuerPrincipals The issuers of the certificate or attribute * certificate which contains the distribution point. * @param selector The CRL selector. * @param pkixParams The PKIX parameters containing the cert stores. * @throws Exception if an exception occurs while processing. * @throws ClassCastException if <code>issuerPrincipals</code> does not * contain only <code>X500Principal</code>s. */ internal static void GetCrlIssuersFromDistributionPoint( DistributionPoint dp, ICollection issuerPrincipals, X509CrlStoreSelector selector, PkixParameters pkixParams) { IList issuers = Platform.CreateArrayList(); // indirect CRL if (dp.CrlIssuer != null) { GeneralName[] genNames = dp.CrlIssuer.GetNames(); // look for a DN for (int j = 0; j < genNames.Length; j++) { if (genNames[j].TagNo == GeneralName.DirectoryName) { try { issuers.Add(X509Name.GetInstance(genNames[j].Name.ToAsn1Object())); } catch (IOException e) { throw new Exception( "CRL issuer information from distribution point cannot be decoded.", e); } } } } else { /* * certificate issuer is CRL issuer, distributionPoint field MUST be * present. */ if (dp.DistributionPointName == null) { throw new Exception( "CRL issuer is omitted from distribution point but no distributionPoint field present."); } // add and check issuer principals for (IEnumerator it = issuerPrincipals.GetEnumerator(); it.MoveNext(); ) { issuers.Add((X509Name)it.Current); } } // TODO: is not found although this should correctly add the rel name. selector of Sun is buggy here or PKI test case is invalid // distributionPoint // if (dp.getDistributionPoint() != null) // { // // look for nameRelativeToCRLIssuer // if (dp.getDistributionPoint().getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER) // { // // append fragment to issuer, only one // // issuer can be there, if this is given // if (issuers.size() != 1) // { // throw new AnnotatedException( // "nameRelativeToCRLIssuer field is given but more than one CRL issuer is given."); // } // DEREncodable relName = dp.getDistributionPoint().getName(); // Iterator it = issuers.iterator(); // List issuersTemp = new ArrayList(issuers.size()); // while (it.hasNext()) // { // Enumeration e = null; // try // { // e = ASN1Sequence.getInstance( // new ASN1InputStream(((X500Principal) it.next()) // .getEncoded()).readObject()).getObjects(); // } // catch (IOException ex) // { // throw new AnnotatedException( // "Cannot decode CRL issuer information.", ex); // } // ASN1EncodableVector v = new ASN1EncodableVector(); // while (e.hasMoreElements()) // { // v.add((DEREncodable) e.nextElement()); // } // v.add(relName); // issuersTemp.add(new X500Principal(new DERSequence(v) // .getDEREncoded())); // } // issuers.clear(); // issuers.addAll(issuersTemp); // } // } selector.Issuers = issuers; }
internal static void ProcessCrlI( DateTime validDate, X509Crl deltacrl, object cert, CertStatus certStatus, PkixParameters pkixParams) { if (pkixParams.IsUseDeltasEnabled && deltacrl != null) { PkixCertPathValidatorUtilities.GetCertStatus(validDate, deltacrl, cert, certStatus); } }
/** * Fetches complete CRLs according to RFC 3280. * * @param dp The distribution point for which the complete CRL * @param cert The <code>X509Certificate</code> or * {@link org.bouncycastle.x509.X509AttributeCertificate} for * which the CRL should be searched. * @param currentDate The date for which the delta CRLs must be valid. * @param paramsPKIX The extended PKIX parameters. * @return A <code>Set</code> of <code>X509CRL</code>s with complete * CRLs. * @throws Exception if an exception occurs while picking the CRLs * or no CRLs are found. */ internal static ISet GetCompleteCrls( DistributionPoint dp, object cert, DateTime currentDate, PkixParameters paramsPKIX) { X509CrlStoreSelector crlselect = new X509CrlStoreSelector(); try { ISet issuers = new HashSet(); if (cert is X509V2AttributeCertificate) { issuers.Add(((X509V2AttributeCertificate)cert) .Issuer.GetPrincipals()[0]); } else { issuers.Add(GetIssuerPrincipal(cert)); } PkixCertPathValidatorUtilities.GetCrlIssuersFromDistributionPoint(dp, issuers, crlselect, paramsPKIX); } catch (Exception e) { throw new Exception("Could not get issuer information from distribution point.", e); } if (cert is X509Certificate) { crlselect.CertificateChecking = (X509Certificate)cert; } else if (cert is X509V2AttributeCertificate) { crlselect.AttrCertChecking = (IX509AttributeCertificate)cert; } crlselect.CompleteCrlEnabled = true; ISet crls = CrlUtilities.FindCrls(crlselect, paramsPKIX, currentDate); if (crls.IsEmpty) { if (cert is IX509AttributeCertificate) { IX509AttributeCertificate aCert = (IX509AttributeCertificate)cert; throw new Exception("No CRLs found for issuer \"" + aCert.Issuer.GetPrincipals()[0] + "\""); } else { X509Certificate xCert = (X509Certificate)cert; throw new Exception("No CRLs found for issuer \"" + xCert.IssuerDN + "\""); } } return crls; }
/** * Checks a distribution point for revocation information for the * certificate <code>cert</code>. * * @param dp The distribution point to consider. * @param paramsPKIX PKIX parameters. * @param cert Certificate to check if it is revoked. * @param validDate The date when the certificate revocation status should be * checked. * @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>. * @param defaultCRLSignKey The public key of the issuer certificate * <code>defaultCRLSignCert</code>. * @param certStatus The current certificate revocation status. * @param reasonMask The reasons mask which is already checked. * @param certPathCerts The certificates of the certification path. * @throws AnnotatedException if the certificate is revoked or the status cannot be checked * or some error occurs. */ private static void CheckCrl( DistributionPoint dp, PkixParameters paramsPKIX, X509Certificate cert, DateTime validDate, X509Certificate defaultCRLSignCert, AsymmetricKeyParameter defaultCRLSignKey, CertStatus certStatus, ReasonsMask reasonMask, IList certPathCerts) //throws AnnotatedException { DateTime currentDate = DateTime.UtcNow; if (validDate.Ticks > currentDate.Ticks) { throw new Exception("Validation time is in future."); } // (a) /* * We always get timely valid CRLs, so there is no step (a) (1). * "locally cached" CRLs are assumed to be in getStore(), additional * CRLs must be enabled in the ExtendedPKIXParameters and are in * getAdditionalStore() */ ISet crls = PkixCertPathValidatorUtilities.GetCompleteCrls(dp, cert, currentDate, paramsPKIX); bool validCrlFound = false; Exception lastException = null; IEnumerator crl_iter = crls.GetEnumerator(); while (crl_iter.MoveNext() && certStatus.Status == CertStatus.Unrevoked && !reasonMask.IsAllReasons) { try { X509Crl crl = (X509Crl)crl_iter.Current; // (d) ReasonsMask interimReasonsMask = Rfc3280CertPathUtilities.ProcessCrlD(crl, dp); // (e) /* * The reasons mask is updated at the end, so only valid CRLs * can update it. If this CRL does not contain new reasons it * must be ignored. */ if (!interimReasonsMask.HasNewReasons(reasonMask)) { continue; } // (f) ISet keys = Rfc3280CertPathUtilities.ProcessCrlF(crl, cert, defaultCRLSignCert, defaultCRLSignKey, paramsPKIX, certPathCerts); // (g) AsymmetricKeyParameter key = Rfc3280CertPathUtilities.ProcessCrlG(crl, keys); X509Crl deltaCRL = null; if (paramsPKIX.IsUseDeltasEnabled) { // get delta CRLs ISet deltaCRLs = PkixCertPathValidatorUtilities.GetDeltaCrls(currentDate, paramsPKIX, crl); // we only want one valid delta CRL // (h) deltaCRL = Rfc3280CertPathUtilities.ProcessCrlH(deltaCRLs, key); } /* * CRL must be be valid at the current time, not the validation * time. If a certificate is revoked with reason keyCompromise, * cACompromise, it can be used for forgery, also for the past. * This reason may not be contained in older CRLs. */ /* * in the chain model signatures stay valid also after the * certificate has been expired, so they do not have to be in * the CRL validity time */ if (paramsPKIX.ValidityModel != PkixParameters.ChainValidityModel) { /* * if a certificate has expired, but was revoked, it is not * more in the CRL, so it would be regarded as valid if the * first check is not done */ if (cert.NotAfter.Ticks < crl.ThisUpdate.Ticks) { throw new Exception("No valid CRL for current time found."); } } Rfc3280CertPathUtilities.ProcessCrlB1(dp, cert, crl); // (b) (2) Rfc3280CertPathUtilities.ProcessCrlB2(dp, cert, crl); // (c) Rfc3280CertPathUtilities.ProcessCrlC(deltaCRL, crl, paramsPKIX); // (i) Rfc3280CertPathUtilities.ProcessCrlI(validDate, deltaCRL, cert, certStatus, paramsPKIX); // (j) Rfc3280CertPathUtilities.ProcessCrlJ(validDate, crl, cert, certStatus); // (k) if (certStatus.Status == CrlReason.RemoveFromCrl) { certStatus.Status = CertStatus.Unrevoked; } // update reasons mask reasonMask.AddReasons(interimReasonsMask); ISet criticalExtensions = crl.GetCriticalExtensionOids(); if (criticalExtensions != null) { criticalExtensions = new HashSet(criticalExtensions); criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id); criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id); if (!criticalExtensions.IsEmpty) throw new Exception("CRL contains unsupported critical extensions."); } if (deltaCRL != null) { criticalExtensions = deltaCRL.GetCriticalExtensionOids(); if (criticalExtensions != null) { criticalExtensions = new HashSet(criticalExtensions); criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id); criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id); if (!criticalExtensions.IsEmpty) throw new Exception("Delta CRL contains unsupported critical extension."); } } validCrlFound = true; } catch (Exception e) { lastException = e; } } if (!validCrlFound) { throw lastException; } }
public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters paramsPkix) { //IL_0012: Unknown result type (might be due to invalid IL or missing references) //IL_0170: Expected O, but got Unknown if (paramsPkix.GetTrustAnchors() == null) { throw new ArgumentException("trustAnchors is null, this is not allowed for certification path validation.", "parameters"); } global::System.Collections.IList certificates = certPath.Certificates; int count = ((global::System.Collections.ICollection)certificates).get_Count(); if (((global::System.Collections.ICollection)certificates).get_Count() == 0) { throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0); } ISet initialPolicies = paramsPkix.GetInitialPolicies(); TrustAnchor trustAnchor; try { trustAnchor = PkixCertPathValidatorUtilities.FindTrustAnchor((X509Certificate)certificates.get_Item(((global::System.Collections.ICollection)certificates).get_Count() - 1), paramsPkix.GetTrustAnchors()); } catch (global::System.Exception ex) { throw new PkixCertPathValidatorException(ex.get_Message(), ex, certPath, ((global::System.Collections.ICollection)certificates).get_Count() - 1); } if (trustAnchor == null) { throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1); } int num = 0; global::System.Collections.IList[] array = new global::System.Collections.IList[count + 1]; for (int i = 0; i < array.Length; i++) { array[i] = Platform.CreateArrayList(); } ISet set = new HashSet(); set.Add(Rfc3280CertPathUtilities.ANY_POLICY); PkixPolicyNode pkixPolicyNode = new PkixPolicyNode(Platform.CreateArrayList(), 0, set, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, critical: false); array[0].Add((object)pkixPolicyNode); PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator(); ISet acceptablePolicies = new HashSet(); int explicitPolicy = ((!paramsPkix.IsExplicitPolicyRequired) ? (count + 1) : 0); int inhibitAnyPolicy = ((!paramsPkix.IsAnyPolicyInhibited) ? (count + 1) : 0); int policyMapping = ((!paramsPkix.IsPolicyMappingInhibited) ? (count + 1) : 0); X509Certificate x509Certificate = trustAnchor.TrustedCert; X509Name workingIssuerName; AsymmetricKeyParameter asymmetricKeyParameter; try { if (x509Certificate != null) { workingIssuerName = x509Certificate.SubjectDN; asymmetricKeyParameter = x509Certificate.GetPublicKey(); } else { workingIssuerName = new X509Name(trustAnchor.CAName); asymmetricKeyParameter = trustAnchor.CAPublicKey; } } catch (ArgumentException val) { ArgumentException cause = val; throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", (global::System.Exception)(object) cause, certPath, -1); } try { PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter); } catch (PkixCertPathValidatorException cause2) { throw new PkixCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", cause2, certPath, -1); } int maxPathLength = count; X509CertStoreSelector targetCertConstraints = paramsPkix.GetTargetCertConstraints(); if (targetCertConstraints != null && !targetCertConstraints.Match((X509Certificate)certificates.get_Item(0))) { throw new PkixCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath, 0); } global::System.Collections.IList certPathCheckers = paramsPkix.GetCertPathCheckers(); global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)certPathCheckers).GetEnumerator(); while (enumerator.MoveNext()) { ((PkixCertPathChecker)enumerator.get_Current()).Init(forward: false); } X509Certificate x509Certificate2 = null; for (num = ((global::System.Collections.ICollection)certificates).get_Count() - 1; num >= 0; num--) { int num2 = count - num; x509Certificate2 = (X509Certificate)certificates.get_Item(num); Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, num, asymmetricKeyParameter, workingIssuerName, x509Certificate); Rfc3280CertPathUtilities.ProcessCertBC(certPath, num, nameConstraintValidator); pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertD(certPath, num, acceptablePolicies, pkixPolicyNode, array, inhibitAnyPolicy); pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertE(certPath, num, pkixPolicyNode); Rfc3280CertPathUtilities.ProcessCertF(certPath, num, pkixPolicyNode, explicitPolicy); if (num2 != count) { if (x509Certificate2 != null && x509Certificate2.Version == 1) { throw new PkixCertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, certPath, num); } Rfc3280CertPathUtilities.PrepareNextCertA(certPath, num); pkixPolicyNode = Rfc3280CertPathUtilities.PrepareCertB(certPath, num, array, pkixPolicyNode, policyMapping); Rfc3280CertPathUtilities.PrepareNextCertG(certPath, num, nameConstraintValidator); explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, num, explicitPolicy); policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, num, policyMapping); inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, num, inhibitAnyPolicy); explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, num, explicitPolicy); policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, num, policyMapping); inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, num, inhibitAnyPolicy); Rfc3280CertPathUtilities.PrepareNextCertK(certPath, num); maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, num, maxPathLength); maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, num, maxPathLength); Rfc3280CertPathUtilities.PrepareNextCertN(certPath, num); ISet criticalExtensionOids = x509Certificate2.GetCriticalExtensionOids(); if (criticalExtensionOids != null) { criticalExtensionOids = new HashSet(criticalExtensionOids); criticalExtensionOids.Remove(X509Extensions.KeyUsage.Id); criticalExtensionOids.Remove(X509Extensions.CertificatePolicies.Id); criticalExtensionOids.Remove(X509Extensions.PolicyMappings.Id); criticalExtensionOids.Remove(X509Extensions.InhibitAnyPolicy.Id); criticalExtensionOids.Remove(X509Extensions.IssuingDistributionPoint.Id); criticalExtensionOids.Remove(X509Extensions.DeltaCrlIndicator.Id); criticalExtensionOids.Remove(X509Extensions.PolicyConstraints.Id); criticalExtensionOids.Remove(X509Extensions.BasicConstraints.Id); criticalExtensionOids.Remove(X509Extensions.SubjectAlternativeName.Id); criticalExtensionOids.Remove(X509Extensions.NameConstraints.Id); } else { criticalExtensionOids = new HashSet(); } Rfc3280CertPathUtilities.PrepareNextCertO(certPath, num, criticalExtensionOids, certPathCheckers); x509Certificate = x509Certificate2; workingIssuerName = x509Certificate.SubjectDN; try { asymmetricKeyParameter = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, num); } catch (PkixCertPathValidatorException cause3) { throw new PkixCertPathValidatorException("Next working key could not be retrieved.", cause3, certPath, num); } PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter); } } explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, x509Certificate2); explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, num + 1, explicitPolicy); ISet criticalExtensionOids2 = x509Certificate2.GetCriticalExtensionOids(); if (criticalExtensionOids2 != null) { criticalExtensionOids2 = new HashSet(criticalExtensionOids2); criticalExtensionOids2.Remove(X509Extensions.KeyUsage.Id); criticalExtensionOids2.Remove(X509Extensions.CertificatePolicies.Id); criticalExtensionOids2.Remove(X509Extensions.PolicyMappings.Id); criticalExtensionOids2.Remove(X509Extensions.InhibitAnyPolicy.Id); criticalExtensionOids2.Remove(X509Extensions.IssuingDistributionPoint.Id); criticalExtensionOids2.Remove(X509Extensions.DeltaCrlIndicator.Id); criticalExtensionOids2.Remove(X509Extensions.PolicyConstraints.Id); criticalExtensionOids2.Remove(X509Extensions.BasicConstraints.Id); criticalExtensionOids2.Remove(X509Extensions.SubjectAlternativeName.Id); criticalExtensionOids2.Remove(X509Extensions.NameConstraints.Id); criticalExtensionOids2.Remove(X509Extensions.CrlDistributionPoints.Id); } else { criticalExtensionOids2 = new HashSet(); } Rfc3280CertPathUtilities.WrapupCertF(certPath, num + 1, certPathCheckers, criticalExtensionOids2); PkixPolicyNode pkixPolicyNode2 = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, initialPolicies, num + 1, array, pkixPolicyNode, acceptablePolicies); if (explicitPolicy > 0 || pkixPolicyNode2 != null) { return(new PkixCertPathValidatorResult(trustAnchor, pkixPolicyNode2, x509Certificate2.GetPublicKey())); } throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, num); }