static private GetExtensionValue ( IX509Extension ext, |
||
ext | IX509Extension | The extension object. |
oid | | The object identifier of the extension to obtain. |
Returns |
/// <summary>
/// Attribute-certificate processing step 7: critical extension handling.
/// A critical targetInformation extension is decoded (decode only; no target
/// matching happens here), the remaining critical OIDs are offered to every
/// configured <see cref="PkixAttrCertChecker"/>, and the certificate is rejected
/// if any critical extension is still unclaimed afterwards.
/// </summary>
/// <param name="attrCert">The attribute certificate whose extensions are examined.</param>
/// <param name="certPath">Certification path of the attribute certificate issuer.</param>
/// <param name="holderCertPath">Certification path of the attribute certificate holder.</param>
/// <param name="pkixParams">PKIX parameters supplying the attribute certificate checkers.</param>
/// <exception cref="PkixCertPathValidatorException">
/// Thrown when targetInformation cannot be decoded, or when critical extensions
/// remain that neither this method nor any checker handled.
/// </exception>
internal static void ProcessAttrCert7(IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams)
{
    ISet unhandledCritical = attrCert.GetCriticalExtensionOids();
    string targetInfoOid = X509Extensions.TargetInformation.Id;

    // Only the decodability of a critical targetInformation is verified here.
    if (unhandledCritical.Contains(targetInfoOid))
    {
        try
        {
            Asn1Object encodedTargetInfo = PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.TargetInformation);
            TargetInformation.GetInstance(encodedTargetInfo);
        }
        catch (Exception cause)
        {
            throw new PkixCertPathValidatorException("Target information extension could not be read.", cause);
        }
    }

    // Accounted for, whether or not it was actually marked critical.
    unhandledCritical.Remove(targetInfoOid);

    // Each checker is expected to remove the OIDs it understands from the set it is handed.
    foreach (PkixAttrCertChecker checker in pkixParams.GetAttrCertCheckers())
    {
        checker.Check(attrCert, certPath, holderCertPath, unhandledCritical);
    }

    // Any critical extension nobody recognised must cause rejection, never silent acceptance.
    if (unhandledCritical.IsEmpty)
    {
        return;
    }

    throw new PkixCertPathValidatorException("Attribute certificate contains unsupported critical extensions: " + unhandledCritical);
}
/// <summary>
/// Finds the delta CRLs that apply to <paramref name="completeCRL"/>: same issuer,
/// same issuingDistributionPoint encoding, CRL number greater than the complete
/// CRL's, and BaseCRLNumber no greater than the complete CRL's number.
/// </summary>
/// <param name="currentDate">The date passed to the CRL store lookup.</param>
/// <param name="paramsPKIX">PKIX parameters providing the CRL stores.</param>
/// <param name="completeCRL">The complete CRL whose deltas are wanted.</param>
/// <returns>A set holding only those matching CRLs for which <c>isDeltaCrl</c> is true; possibly empty.</returns>
/// <exception cref="Exception">
/// Thrown when the issuer, cRLNumber or issuingDistributionPoint of the complete CRL cannot be read.
/// </exception>
internal static ISet GetDeltaCrls(DateTime currentDate, PkixParameters paramsPKIX, X509Crl completeCRL)
{
    X509CrlStoreSelector selector = new X509CrlStoreSelector();

    try
    {
        IList issuers = Platform.CreateArrayList();
        issuers.Add(completeCRL.IssuerDN);
        selector.Issuers = issuers;
    }
    catch (IOException cause)
    {
        throw new Exception("Cannot extract issuer from CRL.", cause);
    }

    // NOTE(review): if the complete CRL carries no cRLNumber, no number bounds are
    // applied below and any delta for this issuer/IDP is returned — RFC 5280 requires
    // conforming CRLs to carry cRLNumber, so this is only reachable for non-conforming input.
    BigInteger completeNumber = null;
    try
    {
        Asn1Object crlNumberValue = PkixCertPathValidatorUtilities.GetExtensionValue(completeCRL, X509Extensions.CrlNumber);
        if (crlNumberValue != null)
        {
            completeNumber = DerInteger.GetInstance(crlNumberValue).PositiveValue;
        }
    }
    catch (Exception cause)
    {
        throw new Exception("CRL number extension could not be extracted from CRL.", cause);
    }

    byte[] idpEncoding = null;
    try
    {
        Asn1Object idpValue = PkixCertPathValidatorUtilities.GetExtensionValue(completeCRL, X509Extensions.IssuingDistributionPoint);
        if (idpValue != null)
        {
            idpEncoding = idpValue.GetDerEncoded();
        }
    }
    catch (Exception cause)
    {
        throw new Exception("Issuing distribution point extension value could not be read.", cause);
    }

    // A delta must be numbered after the complete CRL and be based on it (or an earlier one).
    if (completeNumber == null)
    {
        selector.MinCrlNumber = null;
    }
    else
    {
        selector.MinCrlNumber = completeNumber.Add(BigInteger.One);
    }
    selector.MaxBaseCrlNumber = completeNumber;

    // The IDP is matched by DER encoding, including the case where both are absent.
    selector.IssuingDistributionPoint = idpEncoding;
    selector.IssuingDistributionPointEnabled = true;

    ISet candidates = PkixCertPathValidatorUtilities.CrlUtilities.FindCrls(selector, paramsPKIX, currentDate);

    ISet deltaCrls = new HashSet();
    foreach (X509Crl candidate in candidates)
    {
        if (!PkixCertPathValidatorUtilities.isDeltaCrl(candidate))
        {
            continue;
        }
        deltaCrls.Add(candidate);
    }

    return deltaCrls;
}
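/// <summary>
/// Looks up <paramref name="cert"/> in <paramref name="crl"/> and, if it is listed
/// for the certificate's issuer, records the revocation reason and date in
/// <paramref name="certStatus"/>. The status is left untouched when the serial
/// number is not listed, when the entry belongs to a different issuer, or when the
/// revocation post-dates <paramref name="validDate"/> for a reason that is not
/// treated as retroactive.
/// </summary>
/// <param name="validDate">The time at which revocation status is being evaluated.</param>
/// <param name="crl">The CRL to search; it is re-parsed into a Bouncy Castle <see cref="X509Crl"/> first.</param>
/// <param name="cert">The certificate or attribute certificate whose serial number is looked up.</param>
/// <param name="certStatus">Receives the reason code and revocation date when the certificate is revoked.</param>
/// <exception cref="Exception">
/// Thrown when the CRL cannot be re-parsed or the reasonCode entry extension cannot be decoded.
/// </exception>
internal static void GetCertStatus(DateTime validDate, X509Crl crl, object cert, CertStatus certStatus)
{
    X509Crl bcCrl;
    try
    {
        bcCrl = new X509Crl(CertificateList.GetInstance((Asn1Sequence)Asn1Object.FromByteArray(crl.GetEncoded())));
    }
    catch (Exception cause)
    {
        throw new Exception("Bouncy Castle X509Crl could not be created.", cause);
    }

    X509CrlEntry entry = bcCrl.GetRevokedCertificate(PkixCertPathValidatorUtilities.GetSerialNumber(cert));
    if (entry == null)
    {
        // Serial number not listed: status unchanged.
        return;
    }

    // The entry only counts if it was issued for our certificate's issuer: either the
    // entry carries a matching certificateIssuer, or the CRL issuer itself matches.
    X509Name certIssuer = PkixCertPathValidatorUtilities.GetIssuerPrincipal(cert);
    bool issuerMatches = certIssuer.Equivalent(entry.GetCertificateIssuer(), true)
        || certIssuer.Equivalent(crl.IssuerDN, true);
    if (!issuerMatches)
    {
        return;
    }

    DerEnumerated reasonCode = null;
    if (entry.HasExtensions)
    {
        try
        {
            reasonCode = DerEnumerated.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(entry, X509Extensions.ReasonCode));
        }
        catch (Exception cause)
        {
            throw new Exception("Reason code CRL entry extension could not be decoded.", cause);
        }
    }

    // An absent reasonCode extension means "unspecified" (0). The reason is an ENUMERATED
    // value, not a bit mask, so it is compared by value. (The previous version tested
    // individual bits with TestBit and stored BigInteger.SignValue, which collapsed every
    // non-zero reason to 1 and was later used as an index into the reason-name table.)
    int reason = (reasonCode == null) ? 0 : reasonCode.Value.IntValue;

    // Reasons 0 (unspecified), 1 (keyCompromise), 2 (cACompromise) and 8 mark the
    // certificate as revoked even when the revocation date lies after validDate.
    // NOTE(review): 8 is removeFromCRL in RFC 5280; confirm this is the intended member of
    // the retroactive set (aACompromise, 10, would be the usual companion of 1 and 2).
    bool revokedAtAnyTime = reason == 0 || reason == 1 || reason == 2 || reason == 8;

    // NOTE(review): Ticks are compared without regard to DateTime.Kind; callers are
    // assumed to supply validDate in the same kind as the parsed revocation date.
    if (validDate.Ticks >= entry.RevocationDate.Ticks || revokedAtAnyTime)
    {
        certStatus.Status = reason;
        certStatus.RevocationDate = new DateTimeObject(entry.RevocationDate);
    }
}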
/// <summary>
/// Attribute-certificate processing step 7 (extension handling, "7.1").
/// Verifies that a critical targetInformation extension decodes, lets every
/// configured <see cref="PkixAttrCertChecker"/> claim the critical extensions it
/// understands, and rejects the certificate if any critical extension is left over.
/// The target itself is matched elsewhere (step 6 / X509AttributeCertStoreSelector),
/// not here.
/// </summary>
/// <param name="attrCert">The attribute certificate under validation.</param>
/// <param name="certPath">Certification path of the attribute certificate issuer.</param>
/// <param name="holderCertPath">Certification path of the attribute certificate holder.</param>
/// <param name="pkixParams">PKIX parameters supplying the attribute certificate checkers.</param>
/// <exception cref="PkixCertPathValidatorException">
/// Thrown when targetInformation cannot be decoded, or when unsupported critical extensions remain.
/// </exception>
internal static void ProcessAttrCert7( IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams)
{
    // TODO:
    // AA Controls
    // Attribute encryption
    // Proxy

    ISet critExtOids = attrCert.GetCriticalExtensionOids();
    DerObjectIdentifier targetInfo = X509Extensions.TargetInformation;

    bool targetInfoIsCritical = critExtOids.Contains(targetInfo.Id);
    if (targetInfoIsCritical)
    {
        Asn1Object rawTargetInfo;
        try
        {
            rawTargetInfo = PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, targetInfo);
            TargetInformation.GetInstance(rawTargetInfo);
        }
        catch (Exception e)
        {
            throw new PkixCertPathValidatorException(
                "Target information extension could not be read.", e);
        }
    }

    // Consumed here regardless of criticality.
    critExtOids.Remove(targetInfo.Id);

    // Checkers remove the OIDs they recognise from the shared set.
    IEnumerator checkers = pkixParams.GetAttrCertCheckers().GetEnumerator();
    while (checkers.MoveNext())
    {
        PkixAttrCertChecker checker = (PkixAttrCertChecker)checkers.Current;
        checker.Check(attrCert, certPath, holderCertPath, critExtOids);
    }

    // Unknown critical extensions are a hard failure.
    if (!critExtOids.IsEmpty)
    {
        throw new PkixCertPathValidatorException(
            "Attribute certificate contains unsupported critical extensions: " + critExtOids);
    }
}
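/// <summary>
/// Attribute-certificate processing step 7: critical extension handling.
/// A critical targetInformation extension must decode; the remaining critical
/// extension OIDs are offered to each configured <see cref="PkixAttrCertChecker"/>,
/// and the certificate is rejected if any critical extension is still unclaimed.
/// </summary>
/// <param name="attrCert">The attribute certificate whose extensions are examined.</param>
/// <param name="certPath">Certification path of the attribute certificate issuer.</param>
/// <param name="holderCertPath">Certification path of the attribute certificate holder.</param>
/// <param name="pkixParams">PKIX parameters supplying the attribute certificate checkers.</param>
/// <exception cref="PkixCertPathValidatorException">
/// Thrown when targetInformation cannot be decoded, or when unsupported critical extensions remain.
/// </exception>
internal static void ProcessAttrCert7(IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams)
{
    ISet criticalExtensionOids = attrCert.GetCriticalExtensionOids();

    if (criticalExtensionOids.Contains(X509Extensions.TargetInformation.Id))
    {
        try
        {
            TargetInformation.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.TargetInformation));
        }
        catch (Exception cause)
        {
            throw new PkixCertPathValidatorException("Target information extension could not be read.", cause);
        }
    }

    // Handled above (decode only); remove it whether or not it was critical.
    criticalExtensionOids.Remove(X509Extensions.TargetInformation.Id);

    // The previous (decompiled) form unrolled this loop by hand and called the
    // accessor `get_Current()` directly, which C# does not permit (CS0571).
    // foreach performs the same MoveNext/Current/Dispose sequence.
    foreach (PkixAttrCertChecker checker in pkixParams.GetAttrCertCheckers())
    {
        checker.Check(attrCert, certPath, holderCertPath, criticalExtensionOids);
    }

    // Any critical extension left unclaimed by every checker is a hard failure.
    if (!criticalExtensionOids.IsEmpty)
    {
        throw new PkixCertPathValidatorException("Attribute certificate contains unsupported critical extensions: " + criticalExtensionOids);
    }
}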
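/// <summary>
/// Checks whether an attribute certificate is revoked, using CRLs.
/// Distribution points from the AC's cRLDistributionPoints extension are tried first;
/// if the status is still undetermined for some reasons, a synthetic distribution
/// point naming the AC issuer is tried. The check is skipped when revocation checking
/// is disabled or when the AC carries noRevAvail (which must not be combined with a
/// CRL DP or AIA pointer).
/// </summary>
/// <param name="attrCert">Attribute certificate to check for revocation.</param>
/// <param name="paramsPKIX">PKIX parameters; cloned before each CRL check.</param>
/// <param name="issuerCert">The issuer certificate of <paramref name="attrCert"/>.</param>
/// <param name="validDate">The date at which revocation status is evaluated.</param>
/// <param name="certPathCerts">The certificates of the certification path being checked.</param>
/// <exception cref="PkixCertPathValidatorException">
/// Thrown when the certificate is revoked, when no valid CRL could be found, when the
/// status could not be determined for all reasons, or when the CRL DP extension is malformed.
/// </exception>
internal static void CheckCrls( IX509AttributeCertificate attrCert, PkixParameters paramsPKIX, X509Certificate issuerCert, DateTime validDate, IList certPathCerts)
{
    if (!paramsPKIX.IsRevocationEnabled)
    {
        return;
    }

    // noRevAvail says no revocation information exists for this AC; pairing it with a
    // revocation pointer is contradictory and rejected rather than silently trusted.
    if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) != null)
    {
        if (attrCert.GetExtensionValue(X509Extensions.CrlDistributionPoints) != null
            || attrCert.GetExtensionValue(X509Extensions.AuthorityInfoAccess) != null)
        {
            throw new PkixCertPathValidatorException(
                "No rev avail extension is set, but also an AC revocation pointer.");
        }
        return;
    }

    CrlDistPoint crldp;
    try
    {
        crldp = CrlDistPoint.GetInstance(
            PkixCertPathValidatorUtilities.GetExtensionValue(
                attrCert, X509Extensions.CrlDistributionPoints));
    }
    catch (Exception e)
    {
        throw new PkixCertPathValidatorException(
            "CRL distribution point extension could not be read.", e);
    }

    try
    {
        PkixCertPathValidatorUtilities
            .AddAdditionalStoresFromCrlDistributionPoint(crldp, paramsPKIX);
    }
    catch (Exception e)
    {
        throw new PkixCertPathValidatorException(
            "No additional CRL locations could be decoded from CRL distribution point extension.", e);
    }

    CertStatus certStatus = new CertStatus();
    ReasonsMask reasonsMask = new ReasonsMask();
    Exception lastException = null;
    bool validCrlFound = false;

    // For each distribution point, until revoked or all reasons are covered.
    if (crldp != null)
    {
        DistributionPoint[] dps;
        try
        {
            dps = crldp.GetDistributionPoints();
        }
        catch (Exception e)
        {
            throw new PkixCertPathValidatorException(
                "Distribution points could not be read.", e);
        }

        try
        {
            for (int i = 0; i < dps.Length && certStatus.Status == CertStatus.Unrevoked && !reasonsMask.IsAllReasons; i++)
            {
                PkixParameters paramsPKIXClone = (PkixParameters)paramsPKIX.Clone();
                CheckCrl(dps[i], attrCert, paramsPKIXClone, validDate, issuerCert,
                    certStatus, reasonsMask, certPathCerts);
                validCrlFound = true;
            }
        }
        catch (Exception e)
        {
            // A failure on a later DP after an earlier success is not fatal by itself;
            // incomplete reason coverage is caught by the Undetermined check below.
            lastException = new Exception(
                "No valid CRL for distribution point found.", e);
        }
    }

    /*
     * If the revocation status has not been determined, repeat the
     * process above with any available CRLs not specified in a
     * distribution point but issued by the certificate issuer.
     */
    if (certStatus.Status == CertStatus.Unrevoked && !reasonsMask.IsAllReasons)
    {
        try
        {
            /*
             * assume a DP with both the reasons and the cRLIssuer
             * fields omitted and a distribution point name of the
             * certificate issuer.
             */
            // NOTE(review): only the first issuer principal is used; an AC whose issuer
            // carries several names is matched on the first one only.
            X509Name issuer;
            try
            {
                issuer = X509Name.GetInstance(attrCert.Issuer.GetPrincipals()[0].GetEncoded());
            }
            catch (Exception e)
            {
                throw new Exception(
                    "Issuer from certificate for CRL could not be reencoded.", e);
            }

            DistributionPoint dp = new DistributionPoint(
                new DistributionPointName(0, new GeneralNames(
                    new GeneralName(GeneralName.DirectoryName, issuer))), null, null);
            PkixParameters paramsPKIXClone = (PkixParameters)paramsPKIX.Clone();
            CheckCrl(dp, attrCert, paramsPKIXClone, validDate, issuerCert,
                certStatus, reasonsMask, certPathCerts);
            validCrlFound = true;
        }
        catch (Exception e)
        {
            lastException = new Exception(
                "No valid CRL for distribution point found.", e);
        }
    }

    if (!validCrlFound)
    {
        throw new PkixCertPathValidatorException(
            "No valid CRL found.", lastException);
    }

    if (certStatus.Status != CertStatus.Unrevoked)
    {
        // This format is enforced by the NistCertPath tests. The invariant culture keeps
        // the day/month names English; with the thread's current culture the message
        // (and those tests) depended on the host locale.
        string formattedDate = certStatus.RevocationDate.Value.ToString(
            "ddd MMM dd HH:mm:ss K yyyy", System.Globalization.CultureInfo.InvariantCulture);
        string message = "Attribute certificate revocation after " + formattedDate;
        message += ", reason: " + Rfc3280CertPathUtilities.CrlReasons[certStatus.Status];
        throw new PkixCertPathValidatorException(message);
    }

    // Not revoked, but some reason codes were never covered by any CRL: fail closed.
    if (!reasonsMask.IsAllReasons && certStatus.Status == CertStatus.Unrevoked)
    {
        certStatus.Status = CertStatus.Undetermined;
    }

    if (certStatus.Status == CertStatus.Undetermined)
    {
        throw new PkixCertPathValidatorException(
            "Attribute certificate status could not be determined.");
    }
}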
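/// <summary>
/// Checks whether an attribute certificate is revoked, using CRLs.
/// Distribution points from the AC's cRLDistributionPoints extension are tried first;
/// if the status is still undetermined for some reasons, a synthetic distribution
/// point naming the AC issuer is tried. Skipped when revocation checking is disabled
/// or the AC carries noRevAvail (which must not be combined with a CRL DP or AIA pointer).
/// </summary>
/// <param name="attrCert">Attribute certificate to check for revocation.</param>
/// <param name="paramsPKIX">PKIX parameters; cloned before each CRL check.</param>
/// <param name="issuerCert">The issuer certificate of <paramref name="attrCert"/>.</param>
/// <param name="validDate">The date at which revocation status is evaluated.</param>
/// <param name="certPathCerts">The certificates of the certification path being checked.</param>
/// <exception cref="PkixCertPathValidatorException">
/// Thrown when the certificate is revoked, when no valid CRL could be found, when the
/// status could not be determined for all reasons, or when the CRL DP extension is malformed.
/// </exception>
internal static void CheckCrls(IX509AttributeCertificate attrCert, PkixParameters paramsPKIX, X509Certificate issuerCert, DateTime validDate, IList certPathCerts)
{
    if (!paramsPKIX.IsRevocationEnabled)
    {
        return;
    }

    // noRevAvail together with a revocation pointer is contradictory: reject it.
    if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) != null)
    {
        if (attrCert.GetExtensionValue(X509Extensions.CrlDistributionPoints) != null
            || attrCert.GetExtensionValue(X509Extensions.AuthorityInfoAccess) != null)
        {
            throw new PkixCertPathValidatorException("No rev avail extension is set, but also an AC revocation pointer.");
        }
        return;
    }

    CrlDistPoint crlDistPoint;
    try
    {
        crlDistPoint = CrlDistPoint.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.CrlDistributionPoints));
    }
    catch (Exception cause)
    {
        throw new PkixCertPathValidatorException("CRL distribution point extension could not be read.", cause);
    }

    try
    {
        PkixCertPathValidatorUtilities.AddAdditionalStoresFromCrlDistributionPoint(crlDistPoint, paramsPKIX);
    }
    catch (Exception cause)
    {
        throw new PkixCertPathValidatorException("No additional CRL locations could be decoded from CRL distribution point extension.", cause);
    }

    CertStatus certStatus = new CertStatus();
    ReasonsMask reasonsMask = new ReasonsMask();
    Exception lastException = null;
    bool validCrlFound = false;

    // The decompiled original compared against the bare literals 11 and 12; these are
    // CertStatus.Unrevoked and CertStatus.Undetermined respectively.
    if (crlDistPoint != null)
    {
        DistributionPoint[] dps;
        try
        {
            dps = crlDistPoint.GetDistributionPoints();
        }
        catch (Exception cause)
        {
            throw new PkixCertPathValidatorException("Distribution points could not be read.", cause);
        }

        try
        {
            for (int i = 0; i < dps.Length && certStatus.Status == CertStatus.Unrevoked && !reasonsMask.IsAllReasons; i++)
            {
                PkixParameters clonedParams = (PkixParameters)paramsPKIX.Clone();
                Rfc3281CertPathUtilities.CheckCrl(dps[i], attrCert, clonedParams, validDate, issuerCert, certStatus, reasonsMask, certPathCerts);
                validCrlFound = true;
            }
        }
        catch (Exception innerException)
        {
            // A later DP failing after an earlier success is not fatal by itself;
            // incomplete reason coverage is caught by the Undetermined check below.
            lastException = new Exception("No valid CRL for distribution point found.", innerException);
        }
    }

    // Fall back to a DP naming the AC issuer (no reasons, no cRLIssuer).
    if (certStatus.Status == CertStatus.Unrevoked && !reasonsMask.IsAllReasons)
    {
        try
        {
            // NOTE(review): only the first issuer principal is used.
            Asn1Object issuerName;
            try
            {
                using (Asn1InputStream issuerIn = new Asn1InputStream(attrCert.Issuer.GetPrincipals()[0].GetEncoded()))
                {
                    issuerName = issuerIn.ReadObject();
                }
            }
            catch (Exception innerException)
            {
                throw new Exception("Issuer from certificate for CRL could not be reencoded.", innerException);
            }

            // GeneralName tag 4 is directoryName.
            DistributionPoint dp = new DistributionPoint(new DistributionPointName(0, new GeneralNames(new GeneralName(GeneralName.DirectoryName, issuerName))), null, null);
            PkixParameters clonedParams = (PkixParameters)paramsPKIX.Clone();
            Rfc3281CertPathUtilities.CheckCrl(dp, attrCert, clonedParams, validDate, issuerCert, certStatus, reasonsMask, certPathCerts);
            validCrlFound = true;
        }
        catch (Exception innerException)
        {
            lastException = new Exception("No valid CRL for distribution point found.", innerException);
        }
    }

    if (!validCrlFound)
    {
        throw new PkixCertPathValidatorException("No valid CRL found.", lastException);
    }

    if (certStatus.Status != CertStatus.Unrevoked)
    {
        // Invariant culture keeps the day/month names stable regardless of host locale.
        string formattedDate = certStatus.RevocationDate.Value.ToString("ddd MMM dd HH:mm:ss K yyyy", System.Globalization.CultureInfo.InvariantCulture);
        string message = "Attribute certificate revocation after " + formattedDate;
        message = message + ", reason: " + Rfc3280CertPathUtilities.CrlReasons[certStatus.Status];
        throw new PkixCertPathValidatorException(message);
    }

    // Not revoked, but some reasons were never covered by any CRL: fail closed.
    if (!reasonsMask.IsAllReasons && certStatus.Status == CertStatus.Unrevoked)
    {
        certStatus.Status = CertStatus.Undetermined;
    }

    if (certStatus.Status == CertStatus.Undetermined)
    {
        throw new PkixCertPathValidatorException("Attribute certificate status could not be determined.");
    }
}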
/// <summary>
/// Policy-tree preparation step (b)(1) for the certificate at depth <paramref name="i"/>
/// and policy <paramref name="id_p"/>: if a node at this depth already has valid_policy
/// <paramref name="id_p"/>, its expected policies are set from <paramref name="m_idp"/>.
/// Otherwise, if a node with valid_policy anyPolicy exists at this depth and its parent
/// is also anyPolicy, a new child node for <paramref name="id_p"/> is created under that
/// parent, carrying the qualifiers of the certificate's anyPolicy entry. At most one
/// anyPolicy node is examined.
/// </summary>
/// <param name="i">Depth (certificate index) in the policy tree.</param>
/// <param name="policyNodes">Policy nodes grouped by depth.</param>
/// <param name="id_p">The policy identifier being mapped.</param>
/// <param name="m_idp">Map from policy identifier to its expected-policy set.</param>
/// <param name="cert">The certificate whose certificatePolicies extension supplies qualifiers.</param>
/// <exception cref="Exception">Thrown when certificatePolicies or a policy entry cannot be decoded.</exception>
/// <exception cref="PkixCertPathValidatorException">Thrown when the anyPolicy qualifier set cannot be built.</exception>
internal static void PrepareNextCertB1(int i, IList[] policyNodes, string id_p, IDictionary m_idp, X509Certificate cert)
{
    // (1) A node for id_p already exists at this depth: just refresh its expected policies.
    foreach (PkixPolicyNode existing in policyNodes[i])
    {
        if (existing.ValidPolicy.Equals(id_p))
        {
            existing.ExpectedPolicies = (ISet)m_idp[id_p];
            return;
        }
    }

    // (2) Otherwise look for an anyPolicy node at this depth; only the first one is considered.
    foreach (PkixPolicyNode anyPolicyNode in policyNodes[i])
    {
        if (!PkixCertPathValidatorUtilities.ANY_POLICY.Equals(anyPolicyNode.ValidPolicy))
        {
            continue;
        }

        // NOTE(review): assumes the certificate carries a certificatePolicies extension;
        // a missing extension would surface as a null dereference below — confirm callers.
        Asn1Sequence policies;
        try
        {
            policies = Asn1Sequence.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.CertificatePolicies));
        }
        catch (Exception cause)
        {
            throw new Exception("Certificate policies cannot be decoded.", cause);
        }

        // Qualifiers attached to the certificate's own anyPolicy entry, if any.
        ISet anyPolicyQualifiers = null;
        foreach (object policyElement in policies)
        {
            PolicyInformation policyInfo;
            try
            {
                policyInfo = PolicyInformation.GetInstance(policyElement);
            }
            catch (Exception cause)
            {
                throw new Exception("Policy information cannot be decoded.", cause);
            }

            if (!PkixCertPathValidatorUtilities.ANY_POLICY.Equals(policyInfo.PolicyIdentifier.Id))
            {
                continue;
            }

            try
            {
                anyPolicyQualifiers = PkixCertPathValidatorUtilities.GetQualifierSet(policyInfo.PolicyQualifiers);
            }
            catch (PkixCertPathValidatorException cause)
            {
                throw new PkixCertPathValidatorException("Policy qualifier info set could not be built.", cause);
            }
            break;
        }

        bool policiesCritical = false;
        ISet criticalOids = cert.GetCriticalExtensionOids();
        if (criticalOids != null)
        {
            policiesCritical = criticalOids.Contains(X509Extensions.CertificatePolicies.Id);
        }

        // A child is only created when the parent is itself an anyPolicy node.
        PkixPolicyNode parent = anyPolicyNode.Parent;
        if (PkixCertPathValidatorUtilities.ANY_POLICY.Equals(parent.ValidPolicy))
        {
            PkixPolicyNode child = new PkixPolicyNode(Platform.CreateArrayList(), i, (ISet)m_idp[id_p], parent, anyPolicyQualifiers, id_p, policiesCritical);
            parent.AddChild(child);
            policyNodes[i].Add(child);
        }
        return;
    }
}