internal static bool HasUnsupportedCriticalExtension(X509Certificate cert)
{
foreach (String oid in cert.GetCriticalExtensionOids())
{
if (oid == X509Extensions.KeyUsage.Id ||
oid == X509Extensions.CertificatePolicies.Id ||
oid == X509Extensions.PolicyMappings.Id ||
oid == X509Extensions.InhibitAnyPolicy.Id ||
oid == X509Extensions.CrlDistributionPoints.Id ||
oid == X509Extensions.IssuingDistributionPoint.Id ||
oid == X509Extensions.DeltaCrlIndicator.Id ||
oid == X509Extensions.PolicyConstraints.Id ||
oid == X509Extensions.BasicConstraints.Id ||
oid == X509Extensions.SubjectAlternativeName.Id ||
oid == X509Extensions.NameConstraints.Id)
{
continue;
}
try {
// EXTENDED KEY USAGE and TIMESTAMPING is ALLOWED
if (oid == X509Extensions.ExtendedKeyUsage.Id && cert.GetExtendedKeyUsage().Contains("1.3.6.1.5.5.7.3.8"))
{
continue;
}
} catch (CertificateParsingException) {
// DO NOTHING;
}
return(true);
}
return(false);
}
/**
* Validate the passed in certificate as being of the correct type to be used
* for time stamping. To be valid it must have an ExtendedKeyUsage extension
* which has a key purpose identifier of id-kp-timeStamping.
*
* @param cert the certificate of interest.
* @throws TspValidationException if the certicate fails on one of the check points.
*/
public static void ValidateCertificate(
X509Certificate cert)
{
if (cert.Version != 3)
throw new ArgumentException("Certificate must have an ExtendedKeyUsage extension.");
Asn1OctetString ext = cert.GetExtensionValue(X509Extensions.ExtendedKeyUsage);
if (ext == null)
throw new TspValidationException("Certificate must have an ExtendedKeyUsage extension.");
if (!cert.GetCriticalExtensionOids().Contains(X509Extensions.ExtendedKeyUsage.Id))
throw new TspValidationException("Certificate must have an ExtendedKeyUsage extension marked as critical.");
try
{
ExtendedKeyUsage extKey = ExtendedKeyUsage.GetInstance(
Asn1Object.FromByteArray(ext.GetOctets()));
if (!extKey.HasKeyPurposeId(KeyPurposeID.IdKPTimeStamping) || extKey.Count != 1)
throw new TspValidationException("ExtendedKeyUsage not solely time stamping.");
}
catch (IOException)
{
throw new TspValidationException("cannot process ExtendedKeyUsage extension");
}
}
internal static bool HasUnsupportedCriticalExtension(X509Certificate cert)
{
if (cert == null)
{
throw new ArgumentException("X509Certificate can't be null.");
}
foreach (String oid in cert.GetCriticalExtensionOids())
{
if (OID.X509Extensions.SUPPORTED_CRITICAL_EXTENSIONS.Contains(oid))
{
continue;
}
return(true);
}
return(false);
}
internal static bool HasUnsupportedCriticalExtension(X509Certificate cert)
{
if (cert == null)
{
throw new ArgumentException("X509Certificate can't be null.");
}
foreach (String oid in cert.GetCriticalExtensionOids())
{
if (oid == X509Extensions.BasicConstraints.Id ||
oid == X509Extensions.CertificatePolicies.Id ||
oid == X509Extensions.CrlDistributionPoints.Id ||
oid == X509Extensions.DeltaCrlIndicator.Id ||
oid == X509Extensions.InhibitAnyPolicy.Id ||
oid == X509Extensions.IssuingDistributionPoint.Id ||
oid == X509Extensions.NameConstraints.Id ||
oid == X509Extensions.PolicyConstraints.Id ||
oid == X509Extensions.PolicyMappings.Id ||
oid == X509Extensions.SubjectAlternativeName.Id)
{
continue;
}
if (oid == X509Extensions.KeyUsage.Id)
{
bool[] keyUsageFlags = cert.GetKeyUsage();
if (keyUsageFlags[KEY_USAGE_DIGITAL_SIGNATURE] || keyUsageFlags[KEY_USAGE_NON_REPUDIATION])
{
continue;
}
}
try {
// EXTENDED KEY USAGE and TIMESTAMPING is ALLOWED
if (oid == X509Extensions.ExtendedKeyUsage.Id && cert.GetExtendedKeyUsage().Contains(OID.X509Extensions.ID_KP_TIMESTAMPING))
{
continue;
}
} catch (CertificateParsingException) {
// DO NOTHING;
}
return(true);
}
return(false);
}
/**
* Verifies a single certificate.
* @param cert the certificate to verify
* @param crls the certificate revocation list or <CODE>null</CODE>
* @param calendar the date or <CODE>null</CODE> for the current date
* @return a <CODE>String</CODE> with the error description or <CODE>null</CODE>
* if no error
*/
public static String VerifyCertificate(X509Certificate cert, ICollection<X509Crl> crls, DateTime calendar)
{
foreach (String oid in cert.GetCriticalExtensionOids()) {
if (oid == X509Extensions.KeyUsage.Id
|| oid == X509Extensions.CertificatePolicies.Id
|| oid == X509Extensions.PolicyMappings.Id
|| oid == X509Extensions.InhibitAnyPolicy.Id
|| oid == X509Extensions.CrlDistributionPoints.Id
|| oid == X509Extensions.IssuingDistributionPoint.Id
|| oid == X509Extensions.DeltaCrlIndicator.Id
|| oid == X509Extensions.PolicyConstraints.Id
|| oid == X509Extensions.BasicConstraints.Id
|| oid == X509Extensions.SubjectAlternativeName.Id
|| oid == X509Extensions.NameConstraints.Id) {
continue;
}
try {
// EXTENDED KEY USAGE and TIMESTAMPING is ALLOWED
if (oid == X509Extensions.ExtendedKeyUsage.Id && cert.GetExtendedKeyUsage().Contains("1.3.6.1.5.5.7.3.8")) {
continue;
}
}
catch (CertificateParsingException) {
// DO NOTHING;
}
return "Has unsupported critical extension";
}
try {
if (!cert.IsValid(calendar.ToUniversalTime()))
return "The certificate has expired or is not yet valid";
if (crls != null) {
foreach (X509Crl crl in crls) {
if (crl.IsRevoked(cert))
return "Certificate revoked";
}
}
}
catch (Exception e) {
return e.ToString();
}
return null;
}
/**
* Verifies a single certificate.
* @param cert the certificate to verify
* @param crls the certificate revocation list or <CODE>null</CODE>
* @param calendar the date or <CODE>null</CODE> for the current date
* @return a <CODE>String</CODE> with the error description or <CODE>null</CODE>
* if no error
*/
public static String VerifyCertificate(X509Certificate cert, ICollection<X509Crl> crls, DateTime calendar) {
foreach (String oid in cert.GetCriticalExtensionOids())
{
// KEY USAGE and DIGITAL SIGNING is ALLOWED
if ("2.5.29.15".Equals(oid) && cert.GetKeyUsage()[0])
{
continue;
}
try
{
// EXTENDED KEY USAGE and TIMESTAMPING is ALLOWED
if ("2.5.29.37".Equals(oid) && cert.GetExtendedKeyUsage().Contains("1.3.6.1.5.5.7.3.8"))
{
continue;
}
}
catch (CertificateParsingException)
{
// DO NOTHING;
}
return "Has unsupported critical extension";
}
try {
if (!cert.IsValid(calendar))
return "The certificate has expired or is not yet valid";
if (crls != null) {
foreach (X509Crl crl in crls) {
if (crl.IsRevoked(cert))
return "Certificate revoked";
}
}
}
catch (Exception e) {
return e.ToString();
}
return null;
}
internal static void PrepareNextCertB1(
int i,
IList[] policyNodes,
string id_p,
IDictionary m_idp,
X509Certificate cert)
{
bool idp_found = false;
IEnumerator nodes_i = policyNodes[i].GetEnumerator();
while (nodes_i.MoveNext())
{
PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current;
if (node.ValidPolicy.Equals(id_p))
{
idp_found = true;
node.ExpectedPolicies = (ISet)m_idp[id_p];
break;
}
}
if (!idp_found)
{
nodes_i = policyNodes[i].GetEnumerator();
while (nodes_i.MoveNext())
{
PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current;
if (ANY_POLICY.Equals(node.ValidPolicy))
{
ISet pq = null;
Asn1Sequence policies = null;
try
{
policies = DerSequence.GetInstance(GetExtensionValue(cert, X509Extensions.CertificatePolicies));
}
catch (Exception e)
{
throw new Exception("Certificate policies cannot be decoded.", e);
}
IEnumerator enm = policies.GetEnumerator();
while (enm.MoveNext())
{
PolicyInformation pinfo = null;
try
{
pinfo = PolicyInformation.GetInstance(enm.Current);
}
catch (Exception ex)
{
throw new Exception("Policy information cannot be decoded.", ex);
}
if (ANY_POLICY.Equals(pinfo.PolicyIdentifier.Id))
{
try
{
pq = GetQualifierSet(pinfo.PolicyQualifiers);
}
catch (PkixCertPathValidatorException ex)
{
throw new PkixCertPathValidatorException(
"Policy qualifier info set could not be built.", ex);
}
break;
}
}
bool ci = false;
ISet critExtOids = cert.GetCriticalExtensionOids();
if (critExtOids != null)
{
ci = critExtOids.Contains(X509Extensions.CertificatePolicies.Id);
}
PkixPolicyNode p_node = (PkixPolicyNode)node.Parent;
if (ANY_POLICY.Equals(p_node.ValidPolicy))
{
PkixPolicyNode c_node = new PkixPolicyNode(
Platform.CreateArrayList(), i,
(ISet)m_idp[id_p],
p_node, pq, id_p, ci);
p_node.AddChild(c_node);
policyNodes[i].Add(c_node);
}
break;
}
}
}
}
