|
public Validate ( |
||
| certPath | ||
| paramsPkix | ||
| Résultat | ||
public CertificateValidationResult Validate(Certificate certificate)
{
if (certificate == null)
throw new ArgumentNullException("certificate");
try
{
var x509Certs = new List<X509Certificate>();
x509Certs.AddRange(_chain.Select(c => c.BouncyX509Certificate));
x509Certs.Add(certificate.BouncyX509Certificate);
IX509Store x509CertStore = X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(x509Certs));
var x509Certificates = x509Certs.Skip(1).ToList();
var certPath = new PkixCertPath(x509Certificates);
ISet trust = new HashSet { new TrustAnchor(x509Certs.First(), null) };
var certPathValidator = new PkixCertPathValidator();
var paramsPkix = new PkixParameters(trust);
paramsPkix.AddStore(x509CertStore);
paramsPkix.IsRevocationEnabled = false;
var pkixResult = certPathValidator.Validate(certPath, paramsPkix);
return new CertificateValidationResult(pkixResult);
}
catch (Exception e)
{
return new CertificateValidationResult(e);
}
}
internal static PkixCertPathValidatorResult ProcessAttrCert2(PkixCertPath certPath, PkixParameters pkixParams)
{
PkixCertPathValidator pkixCertPathValidator = new PkixCertPathValidator();
try
{
return(pkixCertPathValidator.Validate(certPath, pkixParams));
}
catch (PkixCertPathValidatorException cause)
{
throw new PkixCertPathValidatorException("Certification path for issuer certificate of attribute certificate could not be validated.", cause);
}
}
internal static PkixCertPathValidatorResult ProcessAttrCert2(
PkixCertPath certPath,
PkixParameters pkixParams)
{
PkixCertPathValidator validator = new PkixCertPathValidator();
try
{
return validator.Validate(certPath, pkixParams);
}
catch (PkixCertPathValidatorException e)
{
throw new PkixCertPathValidatorException(
"Certification path for issuer certificate of attribute certificate could not be validated.",
e);
}
}
protected virtual PkixCertPathBuilderResult Build(
X509Certificate tbvCert,
PkixBuilderParameters pkixParams,
IList tbvPath)
{
// If tbvCert is readily present in tbvPath, it indicates having run
// into a cycle in the PKI graph.
if (tbvPath.Contains(tbvCert))
{
return(null);
}
// step out, the certificate is not allowed to appear in a certification
// chain.
if (pkixParams.GetExcludedCerts().Contains(tbvCert))
{
return(null);
}
// test if certificate path exceeds maximum length
if (pkixParams.MaxPathLength != -1)
{
if (tbvPath.Count - 1 > pkixParams.MaxPathLength)
{
return(null);
}
}
tbvPath.Add(tbvCert);
X509CertificateParser certParser = new X509CertificateParser();
PkixCertPathBuilderResult builderResult = null;
PkixCertPathValidator validator = new PkixCertPathValidator();
try
{
// check whether the issuer of <tbvCert> is a TrustAnchor
if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
{
// exception message from possibly later tried certification
// chains
PkixCertPath certPath = null;
try
{
certPath = new PkixCertPath(tbvPath);
}
catch (Exception e)
{
throw new Exception(
"Certification path could not be constructed from certificate list.",
e);
}
PkixCertPathValidatorResult result = null;
try
{
result = (PkixCertPathValidatorResult)validator.Validate(
certPath, pkixParams);
}
catch (Exception e)
{
throw new Exception(
"Certification path could not be validated.", e);
}
return(new PkixCertPathBuilderResult(certPath, result.TrustAnchor,
result.PolicyTree, result.SubjectPublicKey));
}
else
{
// add additional X.509 stores from locations in certificate
try
{
PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(
tbvCert, pkixParams);
}
catch (CertificateParsingException e)
{
throw new Exception(
"No additiontal X.509 stores can be added from certificate locations.",
e);
}
// try to get the issuer certificate from one of the stores
HashSet issuers = new HashSet();
try
{
issuers.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
}
catch (Exception e)
{
throw new Exception(
"Cannot find issuer certificate for certificate in certification path.",
e);
}
if (issuers.IsEmpty)
{
throw new Exception("No issuer certificate for certificate in certification path found.");
}
foreach (X509Certificate issuer in issuers)
{
builderResult = Build(issuer, pkixParams, tbvPath);
if (builderResult != null)
{
break;
}
}
}
}
catch (Exception e)
{
certPathException = e;
}
if (builderResult == null)
{
tbvPath.Remove(tbvCert);
}
return(builderResult);
}
public override void PerformTest()
{
X509CertificateParser certParser = new X509CertificateParser();
X509CrlParser crlParser = new X509CrlParser();
// initialise CertStore
X509Certificate rootCert = certParser.ReadCertificate(CertPathTest.rootCertBin);
X509Certificate interCert = certParser.ReadCertificate(CertPathTest.interCertBin);
X509Certificate finalCert = certParser.ReadCertificate(CertPathTest.finalCertBin);
X509Crl rootCrl = crlParser.ReadCrl(CertPathTest.rootCrlBin);
X509Crl interCrl = crlParser.ReadCrl(CertPathTest.interCrlBin);
IList x509Certs = new ArrayList();
x509Certs.Add(rootCert);
x509Certs.Add(interCert);
x509Certs.Add(finalCert);
IList x509Crls = new ArrayList();
x509Crls.Add(rootCrl);
x509Crls.Add(interCrl);
// CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list);
// CertStore store = CertStore.GetInstance("Collection", ccsp);
// X509CollectionStoreParameters ccsp = new X509CollectionStoreParameters(list);
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(x509Certs));
IX509Store x509CrlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(x509Crls));
// NB: Month is 1-based in .NET
//DateTime validDate = new DateTime(2008,9,4,14,49,10).ToUniversalTime();
DateTime validDate = new DateTime(2008, 9, 4, 5, 49, 10);
//validating path
IList certchain = new ArrayList();
certchain.Add(finalCert);
certchain.Add(interCert);
// CertPath cp = CertificateFactory.GetInstance("X.509").GenerateCertPath(certchain);
PkixCertPath cp = new PkixCertPath(certchain);
ISet trust = new HashSet();
trust.Add(new TrustAnchor(rootCert, null));
// CertPathValidator cpv = CertPathValidator.GetInstance("PKIX");
PkixCertPathValidator cpv = new PkixCertPathValidator();
PkixParameters param = new PkixParameters(trust);
param.AddStore(x509CertStore);
param.AddStore(x509CrlStore);
param.Date = new DateTimeObject(validDate);
MyChecker checker = new MyChecker();
param.AddCertPathChecker(checker);
PkixCertPathValidatorResult result = (PkixCertPathValidatorResult) cpv.Validate(cp, param);
PkixPolicyNode policyTree = result.PolicyTree;
AsymmetricKeyParameter subjectPublicKey = result.SubjectPublicKey;
if (checker.GetCount() != 2)
{
Fail("checker not evaluated for each certificate");
}
if (!subjectPublicKey.Equals(finalCert.GetPublicKey()))
{
Fail("wrong public key returned");
}
//
// invalid path containing a valid one test
//
try
{
// initialise CertStore
rootCert = certParser.ReadCertificate(AC_RAIZ_ICPBRASIL);
interCert = certParser.ReadCertificate(AC_PR);
finalCert = certParser.ReadCertificate(schefer);
x509Certs = new ArrayList();
x509Certs.Add(rootCert);
x509Certs.Add(interCert);
x509Certs.Add(finalCert);
// ccsp = new CollectionCertStoreParameters(list);
// store = CertStore.GetInstance("Collection", ccsp);
// ccsp = new X509CollectionStoreParameters(list);
x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(x509Certs));
// NB: Month is 1-based in .NET
validDate = new DateTime(2004,3,21,2,21,10).ToUniversalTime();
//validating path
certchain = new ArrayList();
certchain.Add(finalCert);
certchain.Add(interCert);
// cp = CertificateFactory.GetInstance("X.509").GenerateCertPath(certchain);
cp = new PkixCertPath(certchain);
trust = new HashSet();
trust.Add(new TrustAnchor(rootCert, null));
// cpv = CertPathValidator.GetInstance("PKIX");
cpv = new PkixCertPathValidator();
param = new PkixParameters(trust);
param.AddStore(x509CertStore);
param.IsRevocationEnabled = false;
param.Date = new DateTimeObject(validDate);
result =(PkixCertPathValidatorResult) cpv.Validate(cp, param);
policyTree = result.PolicyTree;
subjectPublicKey = result.SubjectPublicKey;
Fail("Invalid path validated");
}
catch (Exception e)
{
if (e is PkixCertPathValidatorException
&& e.Message.StartsWith("Could not validate certificate signature."))
{
return;
}
Fail("unexpected exception", e);
}
}
private PkixCertPathValidatorResult DoTest(
string trustAnchor,
string[] certs,
string[] crls,
ISet policies)
{
ISet trustedSet = new HashSet();
trustedSet.Add(GetTrustAnchor(trustAnchor));
IList x509Certs = new ArrayList();
IList x509Crls = new ArrayList();
X509Certificate endCert = LoadCert(certs[certs.Length - 1]);
for (int i = 0; i != certs.Length - 1; i++)
{
x509Certs.Add(LoadCert(certs[i]));
}
x509Certs.Add(endCert);
PkixCertPath certPath = new PkixCertPath(x509Certs);
for (int i = 0; i != crls.Length; i++)
{
x509Crls.Add(LoadCrl(crls[i]));
}
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(x509Certs));
IX509Store x509CrlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(x509Crls));
// CertPathValidator validator = CertPathValidator.GetInstance("PKIX");
PkixCertPathValidator validator = new PkixCertPathValidator();
PkixParameters parameters = new PkixParameters(trustedSet);
parameters.AddStore(x509CertStore);
parameters.AddStore(x509CrlStore);
parameters.IsRevocationEnabled = true;
if (policies != null)
{
parameters.IsExplicitPolicyRequired = true;
parameters.SetInitialPolicies(policies);
}
// Perform validation as of this date since test certs expired
parameters.Date = new DateTimeObject(DateTime.Parse("1/1/2011"));
return validator.Validate(certPath, parameters);
}
protected virtual PkixCertPathBuilderResult Build(
X509Certificate tbvCert,
PkixBuilderParameters pkixParams,
IList tbvPath)
{
// If tbvCert is readily present in tbvPath, it indicates having run
// into a cycle in the PKI graph.
if (tbvPath.Contains(tbvCert))
return null;
// step out, the certificate is not allowed to appear in a certification
// chain.
if (pkixParams.GetExcludedCerts().Contains(tbvCert))
return null;
// test if certificate path exceeds maximum length
if (pkixParams.MaxPathLength != -1)
{
if (tbvPath.Count - 1 > pkixParams.MaxPathLength)
return null;
}
tbvPath.Add(tbvCert);
// X509CertificateParser certParser = new X509CertificateParser();
PkixCertPathBuilderResult builderResult = null;
PkixCertPathValidator validator = new PkixCertPathValidator();
try
{
// check whether the issuer of <tbvCert> is a TrustAnchor
if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
{
// exception message from possibly later tried certification
// chains
PkixCertPath certPath = null;
try
{
certPath = new PkixCertPath(tbvPath);
}
catch (Exception e)
{
throw new Exception(
"Certification path could not be constructed from certificate list.",
e);
}
PkixCertPathValidatorResult result = null;
try
{
result = (PkixCertPathValidatorResult)validator.Validate(
certPath, pkixParams);
}
catch (Exception e)
{
throw new Exception(
"Certification path could not be validated.", e);
}
return new PkixCertPathBuilderResult(certPath, result.TrustAnchor,
result.PolicyTree, result.SubjectPublicKey);
}
else
{
// add additional X.509 stores from locations in certificate
try
{
PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(
tbvCert, pkixParams);
}
catch (CertificateParsingException e)
{
throw new Exception(
"No additiontal X.509 stores can be added from certificate locations.",
e);
}
// try to get the issuer certificate from one of the stores
HashSet issuers = new HashSet();
try
{
issuers.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
}
catch (Exception e)
{
throw new Exception(
"Cannot find issuer certificate for certificate in certification path.",
e);
}
if (issuers.IsEmpty)
throw new Exception("No issuer certificate for certificate in certification path found.");
foreach (X509Certificate issuer in issuers)
{
builderResult = Build(issuer, pkixParams, tbvPath);
if (builderResult != null)
break;
}
}
}
catch (Exception e)
{
certPathException = e;
}
if (builderResult == null)
{
tbvPath.Remove(tbvCert);
}
return builderResult;
}
protected virtual PkixCertPathBuilderResult Build(X509Certificate tbvCert, PkixBuilderParameters pkixParams, global::System.Collections.IList tbvPath)
{
if (tbvPath.Contains((object)tbvCert))
{
return(null);
}
if (pkixParams.GetExcludedCerts().Contains(tbvCert))
{
return(null);
}
if (pkixParams.MaxPathLength != -1 && ((global::System.Collections.ICollection)tbvPath).get_Count() - 1 > pkixParams.MaxPathLength)
{
return(null);
}
tbvPath.Add((object)tbvCert);
PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
PkixCertPathValidator pkixCertPathValidator = new PkixCertPathValidator();
try
{
if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
{
PkixCertPath pkixCertPath = null;
try
{
pkixCertPath = new PkixCertPath((global::System.Collections.ICollection)tbvPath);
}
catch (global::System.Exception ex)
{
throw new global::System.Exception("Certification path could not be constructed from certificate list.", ex);
}
PkixCertPathValidatorResult pkixCertPathValidatorResult = null;
try
{
pkixCertPathValidatorResult = pkixCertPathValidator.Validate(pkixCertPath, pkixParams);
}
catch (global::System.Exception ex2)
{
throw new global::System.Exception("Certification path could not be validated.", ex2);
}
return(new PkixCertPathBuilderResult(pkixCertPath, pkixCertPathValidatorResult.TrustAnchor, pkixCertPathValidatorResult.PolicyTree, pkixCertPathValidatorResult.SubjectPublicKey));
}
try
{
PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams);
}
catch (CertificateParsingException ex3)
{
throw new global::System.Exception("No additiontal X.509 stores can be added from certificate locations.", (global::System.Exception)ex3);
}
HashSet hashSet = new HashSet();
try
{
hashSet.AddAll((global::System.Collections.IEnumerable)PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
}
catch (global::System.Exception ex4)
{
throw new global::System.Exception("Cannot find issuer certificate for certificate in certification path.", ex4);
}
if (hashSet.IsEmpty)
{
throw new global::System.Exception("No issuer certificate for certificate in certification path found.");
}
global::System.Collections.IEnumerator enumerator = hashSet.GetEnumerator();
try
{
while (enumerator.MoveNext())
{
X509Certificate tbvCert2 = (X509Certificate)enumerator.get_Current();
pkixCertPathBuilderResult = Build(tbvCert2, pkixParams, tbvPath);
if (pkixCertPathBuilderResult != null)
{
break;
}
}
}
finally
{
global::System.IDisposable disposable = enumerator as global::System.IDisposable;
if (disposable != null)
{
disposable.Dispose();
}
}
}
catch (global::System.Exception ex5)
{
global::System.Exception ex6 = (certPathException = ex5);
}
if (pkixCertPathBuilderResult == null)
{
tbvPath.Remove((object)tbvCert);
}
return(pkixCertPathBuilderResult);
}
protected virtual PkixCertPathBuilderResult Build(X509Certificate tbvCert, PkixBuilderParameters pkixParams, IList tbvPath)
{
if (tbvPath.Contains(tbvCert))
{
return(null);
}
if (pkixParams.GetExcludedCerts().Contains(tbvCert))
{
return(null);
}
if (pkixParams.MaxPathLength != -1 && tbvPath.Count - 1 > pkixParams.MaxPathLength)
{
return(null);
}
tbvPath.Add(tbvCert);
PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
PkixCertPathValidator pkixCertPathValidator = new PkixCertPathValidator();
try
{
if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
{
PkixCertPath certPath = null;
try
{
certPath = new PkixCertPath(tbvPath);
}
catch (Exception innerException)
{
throw new Exception("Certification path could not be constructed from certificate list.", innerException);
}
PkixCertPathValidatorResult pkixCertPathValidatorResult = null;
try
{
pkixCertPathValidatorResult = pkixCertPathValidator.Validate(certPath, pkixParams);
}
catch (Exception innerException2)
{
throw new Exception("Certification path could not be validated.", innerException2);
}
return(new PkixCertPathBuilderResult(certPath, pkixCertPathValidatorResult.TrustAnchor, pkixCertPathValidatorResult.PolicyTree, pkixCertPathValidatorResult.SubjectPublicKey));
}
try
{
PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams);
}
catch (CertificateParsingException innerException3)
{
throw new Exception("No additiontal X.509 stores can be added from certificate locations.", innerException3);
}
HashSet hashSet = new HashSet();
try
{
hashSet.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
}
catch (Exception innerException4)
{
throw new Exception("Cannot find issuer certificate for certificate in certification path.", innerException4);
}
if (hashSet.IsEmpty)
{
throw new Exception("No issuer certificate for certificate in certification path found.");
}
foreach (X509Certificate tbvCert2 in hashSet)
{
pkixCertPathBuilderResult = this.Build(tbvCert2, pkixParams, tbvPath);
if (pkixCertPathBuilderResult != null)
{
break;
}
}
}
catch (Exception ex)
{
this.certPathException = ex;
}
if (pkixCertPathBuilderResult == null)
{
tbvPath.Remove(tbvCert);
}
return(pkixCertPathBuilderResult);
}