private X509AttrCertStoreSelector(
X509AttrCertStoreSelector o)
{
this.attributeCert = o.attributeCert;
this.attributeCertificateValid = o.attributeCertificateValid;
this.holder = o.holder;
this.issuer = o.issuer;
this.serialNumber = o.serialNumber;
}
private X509AttrCertStoreSelector(
X509AttrCertStoreSelector o)
{
this.attributeCert = o.attributeCert;
this.attributeCertificateValid = o.attributeCertificateValid;
this.holder = o.holder;
this.issuer = o.issuer;
this.serialNumber = o.serialNumber;
this.targetGroups = new HashSet(o.targetGroups);
this.targetNames = new HashSet(o.targetNames);
}
public X509CrlStoreSelector(
X509CrlStoreSelector o)
{
this.certificateChecking = o.CertificateChecking;
this.dateAndTime = o.DateAndTime;
this.issuers = o.Issuers;
this.maxCrlNumber = o.MaxCrlNumber;
this.minCrlNumber = o.MinCrlNumber;
this.deltaCrlIndicatorEnabled = o.DeltaCrlIndicatorEnabled;
this.completeCrlEnabled = o.CompleteCrlEnabled;
this.maxBaseCrlNumber = o.MaxBaseCrlNumber;
this.attrCertChecking = o.AttrCertChecking;
this.issuingDistributionPointEnabled = o.IssuingDistributionPointEnabled;
this.issuingDistributionPoint = o.IssuingDistributionPoint;
}
internal static void ProcessAttrCert7(
IX509AttributeCertificate attrCert,
PkixCertPath certPath,
PkixCertPath holderCertPath,
PkixParameters pkixParams)
{
// TODO:
// AA Controls
// Attribute encryption
// Proxy
ISet critExtOids = attrCert.GetCriticalExtensionOids();
// 7.1
// process extensions
// target information checked in step 6 / X509AttributeCertStoreSelector
if (critExtOids.Contains(X509Extensions.TargetInformation.Id))
{
try
{
TargetInformation.GetInstance(PkixCertPathValidatorUtilities
.GetExtensionValue(attrCert, X509Extensions.TargetInformation));
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Target information extension could not be read.", e);
}
}
critExtOids.Remove(X509Extensions.TargetInformation.Id);
foreach (PkixAttrCertChecker checker in pkixParams.GetAttrCertCheckers())
{
checker.Check(attrCert, certPath, holderCertPath, critExtOids);
}
if (!critExtOids.IsEmpty)
{
throw new PkixCertPathValidatorException(
"Attribute certificate contains unsupported critical extensions: "
+ critExtOids);
}
}
internal static void ProcessAttrCert7(IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams)
{
ISet criticalExtensionOids = attrCert.GetCriticalExtensionOids();
if (criticalExtensionOids.Contains(X509Extensions.TargetInformation.Id))
{
try
{
TargetInformation.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.TargetInformation));
}
catch (global::System.Exception cause)
{
throw new PkixCertPathValidatorException("Target information extension could not be read.", cause);
}
}
criticalExtensionOids.Remove(X509Extensions.TargetInformation.Id);
global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)pkixParams.GetAttrCertCheckers()).GetEnumerator();
try
{
while (enumerator.MoveNext())
{
PkixAttrCertChecker pkixAttrCertChecker = (PkixAttrCertChecker)enumerator.get_Current();
pkixAttrCertChecker.Check(attrCert, certPath, holderCertPath, criticalExtensionOids);
}
}
finally
{
global::System.IDisposable disposable = enumerator as global::System.IDisposable;
if (disposable != null)
{
disposable.Dispose();
}
}
if (!criticalExtensionOids.IsEmpty)
{
throw new PkixCertPathValidatorException(string.Concat((object)"Attribute certificate contains unsupported critical extensions: ", (object)criticalExtensionOids));
}
}
/**
* Validates an attribute certificate with the given certificate path.
*
* <p>
* <code>params</code> must be an instance of
* <code>ExtendedPkixParameters</code>.
* </p><p>
* The target constraints in the <code>params</code> must be an
* <code>X509AttrCertStoreSelector</code> with at least the attribute
* certificate criterion set. Obey that also target informations may be
* necessary to correctly validate this attribute certificate.
* </p><p>
* The attribute certificate issuer must be added to the trusted attribute
* issuers with {@link ExtendedPkixParameters#setTrustedACIssuers(Set)}.
* </p>
* @param certPath The certificate path which belongs to the attribute
* certificate issuer public key certificate.
* @param params The PKIX parameters.
* @return A <code>PKIXCertPathValidatorResult</code> of the result of
* validating the <code>certPath</code>.
* @throws InvalidAlgorithmParameterException if <code>params</code> is
* inappropriate for this validator.
* @throws CertPathValidatorException if the verification fails.
*/
public virtual PkixCertPathValidatorResult Validate(
PkixCertPath certPath,
PkixParameters pkixParams)
{
IX509Selector certSelect = pkixParams.GetTargetConstraints();
if (!(certSelect is X509AttrCertStoreSelector))
{
throw new ArgumentException(
"TargetConstraints must be an instance of " + typeof(X509AttrCertStoreSelector).FullName,
"pkixParams");
}
IX509AttributeCertificate attrCert = ((X509AttrCertStoreSelector)certSelect).AttributeCert;
PkixCertPath holderCertPath = Rfc3281CertPathUtilities.ProcessAttrCert1(attrCert, pkixParams);
PkixCertPathValidatorResult result = Rfc3281CertPathUtilities.ProcessAttrCert2(certPath, pkixParams);
X509Certificate issuerCert = (X509Certificate)certPath.Certificates[0];
Rfc3281CertPathUtilities.ProcessAttrCert3(issuerCert, pkixParams);
Rfc3281CertPathUtilities.ProcessAttrCert4(issuerCert, pkixParams);
Rfc3281CertPathUtilities.ProcessAttrCert5(attrCert, pkixParams);
// 6 already done in X509AttrCertStoreSelector
Rfc3281CertPathUtilities.ProcessAttrCert7(attrCert, certPath, holderCertPath, pkixParams);
Rfc3281CertPathUtilities.AdditionalChecks(attrCert, pkixParams);
DateTime date;
try
{
date = PkixCertPathValidatorUtilities.GetValidCertDateFromValidityModel(pkixParams, null, -1);
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Could not get validity date from attribute certificate.", e);
}
Rfc3281CertPathUtilities.CheckCrls(attrCert, pkixParams, issuerCert, date, certPath.Certificates);
return(result);
}
public void TestWithAttributeCertificate()
{
IX509Store x509Certs = CmsTestUtil.MakeCertStore(SignCert);
CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataGenerator.DigestSha1);
gen.AddCertificates(x509Certs);
IX509AttributeCertificate attrCert = CmsTestUtil.GetAttributeCertificate();
IX509Store store = CmsTestUtil.MakeAttrCertStore(attrCert);
gen.AddAttributeCertificates(store);
MemoryStream bOut = new MemoryStream();
byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
Stream sigOut = gen.Open(bOut, true);
sigOut.Write(testBytes, 0, testBytes.Length);
sigOut.Close();
CmsSignedDataParser sp = new CmsSignedDataParser(bOut.ToArray());
sp.GetSignedContent().Drain();
Assert.AreEqual(4, sp.Version);
store = sp.GetAttributeCertificates("Collection");
ArrayList coll = new ArrayList(store.GetMatches(null));
Assert.AreEqual(1, coll.Count);
Assert.IsTrue(coll.Contains(attrCert));
}
internal static void AdditionalChecks(
IX509AttributeCertificate attrCert,
PkixParameters pkixParams)
{
// 1
foreach (string oid in pkixParams.GetProhibitedACAttributes())
{
if (attrCert.GetAttributes(oid) != null)
{
throw new PkixCertPathValidatorException(
"Attribute certificate contains prohibited attribute: "
+ oid + ".");
}
}
foreach (string oid in pkixParams.GetNecessaryACAttributes())
{
if (attrCert.GetAttributes(oid) == null)
{
throw new PkixCertPathValidatorException(
"Attribute certificate does not contain necessary attribute: "
+ oid + ".");
}
}
}
/**
* Checks if an attribute certificate is revoked.
*
* @param attrCert Attribute certificate to check if it is revoked.
* @param paramsPKIX PKIX parameters.
* @param issuerCert The issuer certificate of the attribute certificate
* <code>attrCert</code>.
* @param validDate The date when the certificate revocation status should
* be checked.
* @param certPathCerts The certificates of the certification path to be
* checked.
*
* @throws CertPathValidatorException if the certificate is revoked or the
* status cannot be checked or some error occurs.
*/
internal static void CheckCrls(
IX509AttributeCertificate attrCert,
PkixParameters paramsPKIX,
X509Certificate issuerCert,
DateTime validDate,
IList certPathCerts)
{
if (paramsPKIX.IsRevocationEnabled)
{
// check if revocation is available
if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) == null)
{
CrlDistPoint crldp = null;
try
{
crldp = CrlDistPoint.GetInstance(
PkixCertPathValidatorUtilities.GetExtensionValue(
attrCert, X509Extensions.CrlDistributionPoints));
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"CRL distribution point extension could not be read.", e);
}
try
{
PkixCertPathValidatorUtilities
.AddAdditionalStoresFromCrlDistributionPoint(crldp, paramsPKIX);
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"No additional CRL locations could be decoded from CRL distribution point extension.", e);
}
CertStatus certStatus = new CertStatus();
ReasonsMask reasonsMask = new ReasonsMask();
Exception lastException = null;
bool validCrlFound = false;
// for each distribution point
if (crldp != null)
{
DistributionPoint[] dps = null;
try
{
dps = crldp.GetDistributionPoints();
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Distribution points could not be read.", e);
}
try
{
for (int i = 0; i < dps.Length
&& certStatus.Status == CertStatus.Unrevoked
&& !reasonsMask.IsAllReasons; i++)
{
PkixParameters paramsPKIXClone = (PkixParameters) paramsPKIX
.Clone();
CheckCrl(dps[i], attrCert, paramsPKIXClone,
validDate, issuerCert, certStatus, reasonsMask,
certPathCerts);
validCrlFound = true;
}
}
catch (Exception e)
{
lastException = new Exception(
"No valid CRL for distribution point found.", e);
}
}
/*
* If the revocation status has not been determined, repeat the
* process above with any available CRLs not specified in a
* distribution point but issued by the certificate issuer.
*/
if (certStatus.Status == CertStatus.Unrevoked
&& !reasonsMask.IsAllReasons)
{
try
{
/*
* assume a DP with both the reasons and the cRLIssuer
* fields omitted and a distribution point name of the
* certificate issuer.
*/
Asn1Object issuer = null;
try
{
issuer = new Asn1InputStream(
attrCert.Issuer.GetPrincipals()[0].GetEncoded()).ReadObject();
}
catch (Exception e)
{
throw new Exception(
"Issuer from certificate for CRL could not be reencoded.",
e);
}
DistributionPoint dp = new DistributionPoint(
new DistributionPointName(0, new GeneralNames(
new GeneralName(GeneralName.DirectoryName, issuer))), null, null);
PkixParameters paramsPKIXClone = (PkixParameters) paramsPKIX.Clone();
CheckCrl(dp, attrCert, paramsPKIXClone, validDate,
issuerCert, certStatus, reasonsMask, certPathCerts);
validCrlFound = true;
}
catch (Exception e)
{
lastException = new Exception(
"No valid CRL for distribution point found.", e);
}
}
if (!validCrlFound)
{
throw new PkixCertPathValidatorException(
"No valid CRL found.", lastException);
}
if (certStatus.Status != CertStatus.Unrevoked)
{
// TODO This format is forced by the NistCertPath tests
string formattedDate = certStatus.RevocationDate.Value.ToString(
"G", new CultureInfo("en-us"));
string message = "Attribute certificate revocation after "
+ formattedDate;
message += ", reason: "
+ Rfc3280CertPathUtilities.CrlReasons[certStatus.Status];
throw new PkixCertPathValidatorException(message);
}
if (!reasonsMask.IsAllReasons
&& certStatus.Status == CertStatus.Unrevoked)
{
certStatus.Status = CertStatus.Undetermined;
}
if (certStatus.Status == CertStatus.Undetermined)
{
throw new PkixCertPathValidatorException(
"Attribute certificate status could not be determined.");
}
}
else
{
if (attrCert.GetExtensionValue(X509Extensions.CrlDistributionPoints) != null
|| attrCert.GetExtensionValue(X509Extensions.AuthorityInfoAccess) != null)
{
throw new PkixCertPathValidatorException(
"No rev avail extension is set, but also an AC revocation pointer.");
}
}
}
}
/**
* Searches for a holder public key certificate and verifies its
* certification path.
*
* @param attrCert the attribute certificate.
* @param pkixParams The PKIX parameters.
* @return The certificate path of the holder certificate.
* @throws Exception if
* <ul>
* <li>no public key certificate can be found although holder
* information is given by an entity name or a base certificate
* ID</li>
* <li>support classes cannot be created</li>
* <li>no certification path for the public key certificate can
* be built</li>
* </ul>
*/
internal static PkixCertPath ProcessAttrCert1(
IX509AttributeCertificate attrCert,
PkixParameters pkixParams)
{
PkixCertPathBuilderResult result = null;
// find holder PKCs
ISet holderPKCs = new HashSet();
if (attrCert.Holder.GetIssuer() != null)
{
X509CertStoreSelector selector = new X509CertStoreSelector();
selector.SerialNumber = attrCert.Holder.SerialNumber;
X509Name[] principals = attrCert.Holder.GetIssuer();
for (int i = 0; i < principals.Length; i++)
{
try
{
// if (principals[i] is X500Principal)
{
selector.Issuer = principals[i];
}
holderPKCs.AddAll(PkixCertPathValidatorUtilities
.FindCertificates(selector, pkixParams.GetStores()));
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Public key certificate for attribute certificate cannot be searched.",
e);
}
}
if (holderPKCs.IsEmpty)
{
throw new PkixCertPathValidatorException(
"Public key certificate specified in base certificate ID for attribute certificate cannot be found.");
}
}
if (attrCert.Holder.GetEntityNames() != null)
{
X509CertStoreSelector selector = new X509CertStoreSelector();
X509Name[] principals = attrCert.Holder.GetEntityNames();
for (int i = 0; i < principals.Length; i++)
{
try
{
// if (principals[i] is X500Principal)
{
selector.Issuer = principals[i];
}
holderPKCs.AddAll(PkixCertPathValidatorUtilities
.FindCertificates(selector, pkixParams.GetStores()));
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Public key certificate for attribute certificate cannot be searched.",
e);
}
}
if (holderPKCs.IsEmpty)
{
throw new PkixCertPathValidatorException(
"Public key certificate specified in entity name for attribute certificate cannot be found.");
}
}
// verify cert paths for PKCs
PkixBuilderParameters parameters = (PkixBuilderParameters)
PkixBuilderParameters.GetInstance(pkixParams);
PkixCertPathValidatorException lastException = null;
foreach (X509Certificate cert in holderPKCs)
{
X509CertStoreSelector selector = new X509CertStoreSelector();
selector.Certificate = cert;
parameters.SetTargetConstraints(selector);
PkixCertPathBuilder builder = new PkixCertPathBuilder();
try
{
result = builder.Build(PkixBuilderParameters.GetInstance(parameters));
}
catch (PkixCertPathBuilderException e)
{
lastException = new PkixCertPathValidatorException(
"Certification path for public key certificate of attribute certificate could not be build.",
e);
}
}
if (lastException != null)
{
throw lastException;
}
return result.CertPath;
}
/**
*
* Checks a distribution point for revocation information for the
* certificate <code>attrCert</code>.
*
* @param dp The distribution point to consider.
* @param attrCert The attribute certificate which should be checked.
* @param paramsPKIX PKIX parameters.
* @param validDate The date when the certificate revocation status should
* be checked.
* @param issuerCert Certificate to check if it is revoked.
* @param reasonMask The reasons mask which is already checked.
* @param certPathCerts The certificates of the certification path to be
* checked.
* @throws Exception if the certificate is revoked or the status
* cannot be checked or some error occurs.
*/
private static void CheckCrl(
DistributionPoint dp,
IX509AttributeCertificate attrCert,
PkixParameters paramsPKIX,
DateTime validDate,
X509Certificate issuerCert,
CertStatus certStatus,
ReasonsMask reasonMask,
IList certPathCerts)
{
/*
* 4.3.6 No Revocation Available
*
* The noRevAvail extension, defined in [X.509-2000], allows an AC
* issuer to indicate that no revocation information will be made
* available for this AC.
*/
if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) != null)
{
return;
}
DateTime currentDate = DateTime.UtcNow;
if (validDate.CompareTo(currentDate) > 0)
{
throw new Exception("Validation time is in future.");
}
// (a)
/*
* We always get timely valid CRLs, so there is no step (a) (1).
* "locally cached" CRLs are assumed to be in getStore(), additional
* CRLs must be enabled in the ExtendedPkixParameters and are in
* getAdditionalStore()
*/
ISet crls = PkixCertPathValidatorUtilities.GetCompleteCrls(dp, attrCert,
currentDate, paramsPKIX);
bool validCrlFound = false;
Exception lastException = null;
IEnumerator crl_iter = crls.GetEnumerator();
while (crl_iter.MoveNext()
&& certStatus.Status == CertStatus.Unrevoked
&& !reasonMask.IsAllReasons)
{
try
{
X509Crl crl = (X509Crl) crl_iter.Current;
// (d)
ReasonsMask interimReasonsMask = Rfc3280CertPathUtilities.ProcessCrlD(crl, dp);
// (e)
/*
* The reasons mask is updated at the end, so only valid CRLs
* can update it. If this CRL does not contain new reasons it
* must be ignored.
*/
if (!interimReasonsMask.HasNewReasons(reasonMask))
{
continue;
}
// (f)
ISet keys = Rfc3280CertPathUtilities.ProcessCrlF(crl, attrCert,
null, null, paramsPKIX, certPathCerts);
// (g)
AsymmetricKeyParameter pubKey = Rfc3280CertPathUtilities.ProcessCrlG(crl, keys);
X509Crl deltaCRL = null;
if (paramsPKIX.IsUseDeltasEnabled)
{
// get delta CRLs
ISet deltaCRLs = PkixCertPathValidatorUtilities.GetDeltaCrls(
currentDate, paramsPKIX, crl);
// we only want one valid delta CRL
// (h)
deltaCRL = Rfc3280CertPathUtilities.ProcessCrlH(deltaCRLs, pubKey);
}
/*
* CRL must be be valid at the current time, not the validation
* time. If a certificate is revoked with reason keyCompromise,
* cACompromise, it can be used for forgery, also for the past.
* This reason may not be contained in older CRLs.
*/
/*
* in the chain model signatures stay valid also after the
* certificate has been expired, so they do not have to be in
* the CRL vality time
*/
if (paramsPKIX.ValidityModel != PkixParameters.ChainValidityModel)
{
/*
* if a certificate has expired, but was revoked, it is not
* more in the CRL, so it would be regarded as valid if the
* first check is not done
*/
if (attrCert.NotAfter.CompareTo(crl.ThisUpdate) < 0)
{
throw new Exception(
"No valid CRL for current time found.");
}
}
Rfc3280CertPathUtilities.ProcessCrlB1(dp, attrCert, crl);
// (b) (2)
Rfc3280CertPathUtilities.ProcessCrlB2(dp, attrCert, crl);
// (c)
Rfc3280CertPathUtilities.ProcessCrlC(deltaCRL, crl, paramsPKIX);
// (i)
Rfc3280CertPathUtilities.ProcessCrlI(validDate, deltaCRL,
attrCert, certStatus, paramsPKIX);
// (j)
Rfc3280CertPathUtilities.ProcessCrlJ(validDate, crl, attrCert,
certStatus);
// (k)
if (certStatus.Status == CrlReason.RemoveFromCrl)
{
certStatus.Status = CertStatus.Unrevoked;
}
// update reasons mask
reasonMask.AddReasons(interimReasonsMask);
validCrlFound = true;
}
catch (Exception e)
{
lastException = e;
}
}
if (!validCrlFound)
{
throw lastException;
}
}
internal static PkixCertPath ProcessAttrCert1(IX509AttributeCertificate attrCert, PkixParameters pkixParams)
{
PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
ISet set = new HashSet();
if (attrCert.Holder.GetIssuer() != null)
{
X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector();
x509CertStoreSelector.SerialNumber = attrCert.Holder.SerialNumber;
X509Name[] issuer = attrCert.Holder.GetIssuer();
for (int i = 0; i < issuer.Length; i++)
{
try
{
x509CertStoreSelector.Issuer = issuer[i];
set.AddAll((global::System.Collections.IEnumerable)PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores()));
}
catch (global::System.Exception cause)
{
throw new PkixCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", cause);
}
}
if (set.IsEmpty)
{
throw new PkixCertPathValidatorException("Public key certificate specified in base certificate ID for attribute certificate cannot be found.");
}
}
if (attrCert.Holder.GetEntityNames() != null)
{
X509CertStoreSelector x509CertStoreSelector2 = new X509CertStoreSelector();
X509Name[] entityNames = attrCert.Holder.GetEntityNames();
for (int j = 0; j < entityNames.Length; j++)
{
try
{
x509CertStoreSelector2.Issuer = entityNames[j];
set.AddAll((global::System.Collections.IEnumerable)PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector2, pkixParams.GetStores()));
}
catch (global::System.Exception cause2)
{
throw new PkixCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", cause2);
}
}
if (set.IsEmpty)
{
throw new PkixCertPathValidatorException("Public key certificate specified in entity name for attribute certificate cannot be found.");
}
}
PkixBuilderParameters instance = PkixBuilderParameters.GetInstance(pkixParams);
PkixCertPathValidatorException ex = null;
global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)set).GetEnumerator();
try
{
while (enumerator.MoveNext())
{
X509Certificate certificate = (X509Certificate)enumerator.get_Current();
X509CertStoreSelector x509CertStoreSelector3 = new X509CertStoreSelector();
x509CertStoreSelector3.Certificate = certificate;
instance.SetTargetConstraints(x509CertStoreSelector3);
PkixCertPathBuilder pkixCertPathBuilder = new PkixCertPathBuilder();
try
{
pkixCertPathBuilderResult = pkixCertPathBuilder.Build(PkixBuilderParameters.GetInstance(instance));
}
catch (PkixCertPathBuilderException cause3)
{
ex = new PkixCertPathValidatorException("Certification path for public key certificate of attribute certificate could not be build.", cause3);
}
}
}
finally
{
global::System.IDisposable disposable = enumerator as global::System.IDisposable;
if (disposable != null)
{
disposable.Dispose();
}
}
if (ex != null)
{
throw ex;
}
return(pkixCertPathBuilderResult.CertPath);
}
internal static void ProcessAttrCert5(
IX509AttributeCertificate attrCert,
PkixParameters pkixParams)
{
try
{
attrCert.CheckValidity(PkixCertPathValidatorUtilities.GetValidDate(pkixParams));
}
catch (CertificateExpiredException e)
{
throw new PkixCertPathValidatorException(
"Attribute certificate is not valid.", e);
}
catch (CertificateNotYetValidException e)
{
throw new PkixCertPathValidatorException(
"Attribute certificate is not valid.", e);
}
}
/** * Performs checks on the specified attribute certificate. Every handled * extension is rmeoved from the <code>unresolvedCritExts</code> * collection. * * @param attrCert The attribute certificate to be checked. * @param certPath The certificate path which belongs to the attribute * certificate issuer public key certificate. * @param holderCertPath The certificate path which belongs to the holder * certificate. * @param unresolvedCritExts a <code>Collection</code> of OID strings * representing the current set of unresolved critical extensions * @throws CertPathValidatorException if the specified attribute certificate * does not pass the check. */ public abstract void Check(IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, ICollection unresolvedCritExts);
/**
* Fetches complete CRLs according to RFC 3280.
*
* @param dp The distribution point for which the complete CRL
* @param cert The <code>X509Certificate</code> or
* {@link org.bouncycastle.x509.X509AttributeCertificate} for
* which the CRL should be searched.
* @param currentDate The date for which the delta CRLs must be valid.
* @param paramsPKIX The extended PKIX parameters.
* @return A <code>Set</code> of <code>X509CRL</code>s with complete
* CRLs.
* @throws Exception if an exception occurs while picking the CRLs
* or no CRLs are found.
*/
internal static ISet GetCompleteCrls(
DistributionPoint dp,
object cert,
DateTime currentDate,
PkixParameters paramsPKIX)
{
X509CrlStoreSelector crlselect = new X509CrlStoreSelector();
try
{
ISet issuers = new HashSet();
if (cert is X509V2AttributeCertificate)
{
issuers.Add(((X509V2AttributeCertificate)cert)
.Issuer.GetPrincipals()[0]);
}
else
{
issuers.Add(GetIssuerPrincipal(cert));
}
PkixCertPathValidatorUtilities.GetCrlIssuersFromDistributionPoint(dp, issuers, crlselect, paramsPKIX);
}
catch (Exception e)
{
new Exception("Could not get issuer information from distribution point.", e);
}
if (cert is X509Certificate)
{
crlselect.CertificateChecking = (X509Certificate)cert;
}
else if (cert is X509V2AttributeCertificate)
{
crlselect.AttrCertChecking = (IX509AttributeCertificate)cert;
}
if (paramsPKIX.Date != null)
{
crlselect.DateAndTime = paramsPKIX.Date;
}
else
{
crlselect.DateAndTime = new DateTimeObject(currentDate);
}
crlselect.CompleteCrlEnabled = true;
ISet crls = new HashSet();
try
{
crls.AddAll(PkixCertPathValidatorUtilities.FindCrls(crlselect, paramsPKIX.GetStores()));
crls.AddAll(PkixCertPathValidatorUtilities.FindCrls(crlselect, paramsPKIX.GetAdditionalStores()));
}
catch (Exception e)
{
throw new Exception("Could not search for CRLs.", e);
}
if (crls.IsEmpty)
{
if (cert is IX509AttributeCertificate)
{
IX509AttributeCertificate aCert = (IX509AttributeCertificate)cert;
throw new Exception("No CRLs found for issuer \"" + aCert.Issuer.GetPrincipals()[0] + "\"");
}
else
{
X509Certificate xCert = (X509Certificate)cert;
throw new Exception("No CRLs found for issuer \"" + xCert.IssuerDN + "\"");
}
}
return(crls);
}
private PkixCertPathBuilderResult Build(
IX509AttributeCertificate attrCert,
X509Certificate tbvCert,
PkixBuilderParameters pkixParams,
IList tbvPath)
{
// If tbvCert is readily present in tbvPath, it indicates having run
// into a cycle in the
// PKI graph.
if (tbvPath.Contains(tbvCert))
return null;
// step out, the certificate is not allowed to appear in a certification
// chain
if (pkixParams.GetExcludedCerts().Contains(tbvCert))
return null;
// test if certificate path exceeds maximum length
if (pkixParams.MaxPathLength != -1)
{
if (tbvPath.Count - 1 > pkixParams.MaxPathLength)
return null;
}
tbvPath.Add(tbvCert);
PkixCertPathBuilderResult builderResult = null;
// X509CertificateParser certParser = new X509CertificateParser();
PkixAttrCertPathValidator validator = new PkixAttrCertPathValidator();
try
{
// check whether the issuer of <tbvCert> is a TrustAnchor
if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
{
PkixCertPath certPath = new PkixCertPath(tbvPath);
PkixCertPathValidatorResult result;
try
{
result = validator.Validate(certPath, pkixParams);
}
catch (Exception e)
{
throw new Exception("Certification path could not be validated.", e);
}
return new PkixCertPathBuilderResult(certPath, result.TrustAnchor,
result.PolicyTree, result.SubjectPublicKey);
}
else
{
// add additional X.509 stores from locations in certificate
try
{
PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams);
}
catch (CertificateParsingException e)
{
throw new Exception("No additional X.509 stores can be added from certificate locations.", e);
}
// try to get the issuer certificate from one of the stores
ISet issuers = new HashSet();
try
{
issuers.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
}
catch (Exception e)
{
throw new Exception("Cannot find issuer certificate for certificate in certification path.", e);
}
if (issuers.IsEmpty)
throw new Exception("No issuer certificate for certificate in certification path found.");
foreach (X509Certificate issuer in issuers)
{
// if untrusted self signed certificate continue
if (PkixCertPathValidatorUtilities.IsSelfIssued(issuer))
continue;
builderResult = Build(attrCert, issuer, pkixParams, tbvPath);
if (builderResult != null)
break;
}
}
}
catch (Exception e)
{
certPathException = new Exception("No valid certification path could be build.", e);
}
if (builderResult == null)
{
tbvPath.Remove(tbvCert);
}
return builderResult;
}
private void equalityAndHashCodeTest(
IX509AttributeCertificate attrCert,
byte[] encoding)
{
if (!attrCert.Equals(attrCert))
{
Fail("same certificate not equal");
}
if (!attrCert.Holder.Equals(attrCert.Holder))
{
Fail("same holder not equal");
}
if (!attrCert.Issuer.Equals(attrCert.Issuer))
{
Fail("same issuer not equal");
}
if (attrCert.Holder.Equals(attrCert.Issuer))
{
Fail("wrong holder equal");
}
if (attrCert.Issuer.Equals(attrCert.Holder))
{
Fail("wrong issuer equal");
}
IX509AttributeCertificate attrCert2 = new X509V2AttributeCertificate(encoding);
if (attrCert2.Holder.GetHashCode() != attrCert.Holder.GetHashCode())
{
Fail("holder hashCode test failed");
}
if (!attrCert2.Holder.Equals(attrCert.Holder))
{
Fail("holder Equals test failed");
}
if (attrCert2.Issuer.GetHashCode() != attrCert.Issuer.GetHashCode())
{
Fail("issuer hashCode test failed");
}
if (!attrCert2.Issuer.Equals(attrCert.Issuer))
{
Fail("issuer Equals test failed");
}
}
public bool Match(object obj)
{
if (obj == null)
{
throw new ArgumentNullException("obj");
}
IX509AttributeCertificate iX509AttributeCertificate = obj as IX509AttributeCertificate;
if (iX509AttributeCertificate == null)
{
return(false);
}
if (this.attributeCert != null && !this.attributeCert.Equals(iX509AttributeCertificate))
{
return(false);
}
if (this.serialNumber != null && !iX509AttributeCertificate.SerialNumber.Equals(this.serialNumber))
{
return(false);
}
if (this.holder != null && !iX509AttributeCertificate.Holder.Equals(this.holder))
{
return(false);
}
if (this.issuer != null && !iX509AttributeCertificate.Issuer.Equals(this.issuer))
{
return(false);
}
if (this.attributeCertificateValid != null && !iX509AttributeCertificate.IsValid(this.attributeCertificateValid.Value))
{
return(false);
}
if (this.targetNames.Count > 0 || this.targetGroups.Count > 0)
{
Asn1OctetString extensionValue = iX509AttributeCertificate.GetExtensionValue(X509Extensions.TargetInformation);
if (extensionValue != null)
{
TargetInformation instance;
try
{
instance = TargetInformation.GetInstance(X509ExtensionUtilities.FromExtensionValue(extensionValue));
}
catch (Exception)
{
bool result = false;
return(result);
}
Targets[] targetsObjects = instance.GetTargetsObjects();
if (this.targetNames.Count > 0)
{
bool flag = false;
int num = 0;
while (num < targetsObjects.Length && !flag)
{
Target[] targets = targetsObjects[num].GetTargets();
for (int i = 0; i < targets.Length; i++)
{
GeneralName targetName = targets[i].TargetName;
if (targetName != null && this.targetNames.Contains(targetName))
{
flag = true;
break;
}
}
num++;
}
if (!flag)
{
return(false);
}
}
if (this.targetGroups.Count <= 0)
{
return(true);
}
bool flag2 = false;
int num2 = 0;
while (num2 < targetsObjects.Length && !flag2)
{
Target[] targets2 = targetsObjects[num2].GetTargets();
for (int j = 0; j < targets2.Length; j++)
{
GeneralName targetGroup = targets2[j].TargetGroup;
if (targetGroup != null && this.targetGroups.Contains(targetGroup))
{
flag2 = true;
break;
}
}
num2++;
}
if (!flag2)
{
return(false);
}
return(true);
}
}
return(true);
}
public bool Match(object obj)
{
if (obj == null)
{
throw new ArgumentNullException("obj");
}
IX509AttributeCertificate iX509AttributeCertificate = obj as IX509AttributeCertificate;
if (iX509AttributeCertificate == null)
{
return(false);
}
if (attributeCert != null && !attributeCert.Equals(iX509AttributeCertificate))
{
return(false);
}
if (serialNumber != null && !iX509AttributeCertificate.SerialNumber.Equals(serialNumber))
{
return(false);
}
if (holder != null && !iX509AttributeCertificate.Holder.Equals(holder))
{
return(false);
}
if (issuer != null && !iX509AttributeCertificate.Issuer.Equals(issuer))
{
return(false);
}
if (attributeCertificateValid != null && !iX509AttributeCertificate.IsValid(attributeCertificateValid.Value))
{
return(false);
}
if (targetNames.Count > 0 || targetGroups.Count > 0)
{
Asn1OctetString extensionValue = iX509AttributeCertificate.GetExtensionValue(X509Extensions.TargetInformation);
if (extensionValue != null)
{
TargetInformation instance;
try
{
instance = TargetInformation.GetInstance(X509ExtensionUtilities.FromExtensionValue(extensionValue));
}
catch (Exception)
{
return(false);
}
Targets[] targetsObjects = instance.GetTargetsObjects();
if (targetNames.Count > 0)
{
bool flag = false;
for (int i = 0; i < targetsObjects.Length; i++)
{
if (flag)
{
break;
}
Target[] targets = targetsObjects[i].GetTargets();
for (int j = 0; j < targets.Length; j++)
{
GeneralName targetName = targets[j].TargetName;
if (targetName != null && targetNames.Contains(targetName))
{
flag = true;
break;
}
}
}
if (!flag)
{
return(false);
}
}
if (targetGroups.Count > 0)
{
bool flag2 = false;
for (int k = 0; k < targetsObjects.Length; k++)
{
if (flag2)
{
break;
}
Target[] targets2 = targetsObjects[k].GetTargets();
for (int l = 0; l < targets2.Length; l++)
{
GeneralName targetGroup = targets2[l].TargetGroup;
if (targetGroup != null && targetGroups.Contains(targetGroup))
{
flag2 = true;
break;
}
}
}
if (!flag2)
{
return(false);
}
}
}
}
return(true);
}
private void doTestGenerateWithPrincipal()
{
X509CertificateParser fact = new X509CertificateParser();
X509Certificate iCert = fact.ReadCertificate(signCert);
//
// a sample key pair.
//
RsaKeyParameters pubKey = new RsaKeyParameters(
false,
new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16),
new BigInteger("11", 16));
//
// set up the keys
//
// PrivateKey privKey;
// PublicKey pubKey;
//
// KeyFactory kFact = KeyFactory.getInstance("RSA");
//
// privKey = kFact.generatePrivate(RSA_PRIVATE_KEY_SPEC);
// pubKey = kFact.generatePublic(pubKeySpec);
AsymmetricKeyParameter privKey = RSA_PRIVATE_KEY_SPEC;
X509V2AttributeCertificateGenerator gen = new X509V2AttributeCertificateGenerator();
// the actual attributes
GeneralName roleName = new GeneralName(GeneralName.Rfc822Name, "DAU123456789");
// roleSyntax OID: 2.5.24.72
X509Attribute attributes = new X509Attribute("2.5.24.72",
new DerSequence(roleName));
gen.AddAttribute(attributes);
gen.SetHolder(new AttributeCertificateHolder(iCert.SubjectDN));
gen.SetIssuer(new AttributeCertificateIssuer(new X509Name("cn=test")));
gen.SetNotBefore(DateTime.UtcNow.AddSeconds(-50));
gen.SetNotAfter(DateTime.UtcNow.AddSeconds(50));
gen.SetSerialNumber(BigInteger.One);
gen.SetSignatureAlgorithm("SHA1WithRSAEncryption");
IX509AttributeCertificate aCert = gen.Generate(privKey);
aCert.CheckValidity();
aCert.Verify(pubKey);
AttributeCertificateHolder holder = aCert.Holder;
if (holder.GetEntityNames() == null)
{
Fail("entity names not set when expected");
}
if (holder.SerialNumber != null)
{
Fail("holder serial number found when none expected");
}
if (holder.GetIssuer() != null)
{
Fail("holder issuer found when none expected");
}
if (!holder.Match(iCert))
{
Fail("generated holder not matching holder certificate");
}
X509Certificate sCert = fact.ReadCertificate(holderCertWithBaseCertificateID);
if (holder.Match(sCert))
{
Fail("principal generated holder matching wrong certificate");
}
equalityAndHashCodeTest(aCert, aCert.GetEncoded());
}
