Summary description for PkixParameters.
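        /// <summary>
        /// Validates <paramref name="certificate"/> with BouncyCastle's PKIX path validator,
        /// using the chain held in the <c>_chain</c> field: its first element becomes the
        /// only trust anchor and the remaining elements form the path that is validated.
        /// </summary>
        /// <remarks>
        /// Revocation checking is switched off (<c>IsRevocationEnabled = false</c>), so a
        /// revoked certificate still validates. Because the anchor is taken from the chain
        /// itself rather than from an independently configured trust store, a successful
        /// result shows that the chain is internally consistent, not that it is rooted in a
        /// CA the caller trusts — callers needing that must check the anchor separately.
        /// NOTE(review): <paramref name="certificate"/> is not placed on the path here; how it
        /// relates to <c>_chain</c> is not visible in this listing — confirm with the caller.
        /// Any exception raised during validation is reported through the result, not thrown.
        /// </remarks>
        /// <param name="certificate">The certificate to validate; must not be null.</param>
        /// <returns>
        /// A <see cref="CertificateValidationResult"/> wrapping either the PKIX result or the
        /// exception that stopped validation.
        /// </returns>
        /// <exception cref="ArgumentNullException"><paramref name="certificate"/> is null.</exception>
        public CertificateValidationResult Validate(Certificate certificate)
        {
            if (certificate == null)
                throw new ArgumentNullException("certificate");

            try
            {
                // Materialise once; the first element is the anchor, the rest the path.
                var chainCerts = _chain.Select(c => c.BouncyX509Certificate).ToList();

                var certPath = new PkixCertPath(chainCerts.Skip(1).ToList());

                // First() throws on an empty chain; that surfaces as a failed result below.
                ISet trust = new HashSet { new TrustAnchor(chainCerts.First(), null) };

                var paramsPkix = new PkixParameters(trust);
                // Deliberately no CRL/OCSP consultation — see the remarks above.
                paramsPkix.IsRevocationEnabled = false;

                var pkixResult = new PkixCertPathValidator().Validate(certPath, paramsPkix);

                return new CertificateValidationResult(pkixResult);
            }
            catch (Exception e)
            {
                // Every failure mode (bad signature, expired, malformed chain, ...) is folded
                // into the result so callers get a uniform success/failure object.
                return new CertificateValidationResult(e);
            }
        }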
		* Validates an attribute certificate with the given certificate path.
		* <p>
		* <code>params</code> must be an instance of
		* <code>ExtendedPkixParameters</code>.
		* </p><p>
		* The target constraints in the <code>params</code> must be an
		* <code>X509AttrCertStoreSelector</code> with at least the attribute
		* certificate criterion set. Note that target information may also be
		* necessary to correctly validate this attribute certificate.
		* </p><p>
		* The attribute certificate issuer must be added to the trusted attribute
		* issuers with {@link ExtendedPkixParameters#setTrustedACIssuers(Set)}.
		* </p>
		* @param certPath The certificate path which belongs to the attribute
		*            certificate issuer public key certificate.
		* @param params The PKIX parameters.
		* @return A <code>PKIXCertPathValidatorResult</code> of the result of
		*         validating the <code>certPath</code>.
		* @throws InvalidAlgorithmParameterException if <code>params</code> is
		*             inappropriate for this validator.
		* @throws CertPathValidatorException if the verification fails.
		/// <summary>
		/// Validates an attribute certificate. The attribute certificate travels inside the
		/// target constraints of <paramref name="pkixParams"/> (an X509AttrCertStoreSelector);
		/// <paramref name="certPath"/> is the path of the AC issuer's public key certificate.
		/// The ProcessAttrCert1..7 helpers presumably implement the numbered processing
		/// steps of RFC 3281 section 5 — confirm against Rfc3281CertPathUtilities.
		/// </summary>
		/// <param name="certPath">Certification path of the attribute certificate issuer.</param>
		/// <param name="pkixParams">PKIX parameters; GetTargetConstraints() must return an X509AttrCertStoreSelector.</param>
		/// <returns>The validator result for <paramref name="certPath"/> (produced by ProcessAttrCert2).</returns>
		/// <exception cref="ArgumentException">The target constraints are not an X509AttrCertStoreSelector.</exception>
		/// <exception cref="PkixCertPathValidatorException">A processing step, the CRL check, or the validity date lookup fails.</exception>
		public virtual PkixCertPathValidatorResult Validate(
			PkixCertPath	certPath,
			PkixParameters	pkixParams)
			// The attribute certificate itself is not on the path; it comes from the selector.
			IX509Selector certSelect = pkixParams.GetTargetConstraints();
			if (!(certSelect is X509AttrCertStoreSelector))
				throw new ArgumentException(
					"TargetConstraints must be an instance of " + typeof(X509AttrCertStoreSelector).FullName,
			IX509AttributeCertificate attrCert = ((X509AttrCertStoreSelector) certSelect).AttributeCert;

			// Step 1: path for the AC holder. Step 2: validate the AC issuer's path; its
			// result is what this method returns.
			PkixCertPath holderCertPath = Rfc3281CertPathUtilities.ProcessAttrCert1(attrCert, pkixParams);
			PkixCertPathValidatorResult result = Rfc3281CertPathUtilities.ProcessAttrCert2(certPath, pkixParams);
			// Index 0 of the issuer path is taken as the AC issuer certificate.
			X509Certificate issuerCert = (X509Certificate)certPath.Certificates[0];
			Rfc3281CertPathUtilities.ProcessAttrCert3(issuerCert, pkixParams);
			Rfc3281CertPathUtilities.ProcessAttrCert4(issuerCert, pkixParams);
			Rfc3281CertPathUtilities.ProcessAttrCert5(attrCert, pkixParams);
			// 6 already done in X509AttrCertStoreSelector
			Rfc3281CertPathUtilities.ProcessAttrCert7(attrCert, certPath, holderCertPath, pkixParams);
			// Prohibited / necessary attribute policy configured on the parameters.
			Rfc3281CertPathUtilities.AdditionalChecks(attrCert, pkixParams);
			DateTime date;
			// Validity date per the configured validity model (no path, index -1); any
			// failure is converted to a validator exception. The try keyword is not shown here.
				date = PkixCertPathValidatorUtilities.GetValidCertDateFromValidityModel(pkixParams, null, -1);
			catch (Exception e)
				throw new PkixCertPathValidatorException(
					"Could not get validity date from attribute certificate.", e);
			// Revocation of the attribute certificate is checked at this call site with no
			// IsRevocationEnabled guard; whether CheckCrls honours that flag itself is not visible here.
			Rfc3281CertPathUtilities.CheckCrls(attrCert, pkixParams, issuerCert, date, certPath.Certificates);
			return result;
		* Returns an instance of <code>PkixBuilderParameters</code>.
		* <p>
		* This method can be used to get a copy from other
		* <code>PKIXBuilderParameters</code>, <code>PKIXParameters</code>,
		* and <code>ExtendedPKIXParameters</code> instances.
		* </p>
		* @param pkixParams The PKIX parameters to create a copy of.
		* @return A <code>PkixBuilderParameters</code> instance.
		/// <summary>
		/// Creates a <c>PkixBuilderParameters</c> whose target certificate constraints are a
		/// new X509CertStoreSelector built from those of <paramref name="pkixParams"/>.
		/// NOTE(review): that is the only setting carried over in the code shown — trust
		/// anchors, stores and revocation settings are not copied here. Either lines are
		/// missing from this listing or the "copy" promised by the comment above is
		/// partial; confirm against the upstream source before relying on it.
		/// </summary>
		/// <param name="pkixParams">The parameters to copy from.</param>
		/// <returns>The new builder parameters.</returns>
		public static PkixBuilderParameters GetInstance(
			PkixParameters pkixParams)
			PkixBuilderParameters parameters = new PkixBuilderParameters(
				new X509CertStoreSelector(pkixParams.GetTargetCertConstraints()));
			return parameters;
        /// <summary>
        /// Adds an additional X.509 store for a location string taken from certificate or
        /// CRL data (callers on this page: AddAdditionalStoresFromAltNames and
        /// AddAdditionalStoresFromCrlDistributionPoint). Nothing is done unless
        /// <c>pkixParams.IsAdditionalLocationsEnabled</c> is set — that flag is the only
        /// gate on following locations embedded in the data being validated. In the code
        /// shown, an "ldap://" location is parsed and then rejected via
        /// Platform.CreateNotImplementedException (the LDAP store wiring is commented out);
        /// no other scheme is handled.
        /// </summary>
        /// <param name="location">Location string, e.g. an LDAP URL.</param>
        /// <param name="pkixParams">Parameters that would receive the new store.</param>
        /// <exception cref="Exception">Wraps any failure while adding the store (original exception is not attached).</exception>
        internal static void AddAdditionalStoreFromLocation(
			string			location,
			PkixParameters	pkixParams)
            if (pkixParams.IsAdditionalLocationsEnabled)
                    // NOTE(review): culture-sensitive StartsWith; an ordinal comparison is the
                    // usual choice for a URL scheme prefix.
                    if (location.StartsWith("ldap://"))
                        // ldap://
                        // Qualified CA 2003 1:PN,O=D-Trust GmbH,C=DE
                        // skip "ldap://"
                        location = location.Substring(7);
                        // after first / baseDN starts
                        string url;//, baseDN;
                        int slashPos = location.IndexOf('/');
                        if (slashPos != -1)
                            url = "ldap://" + location.Substring(0, slashPos);
            //							baseDN = location.Substring(slashPos);
                            // (else branch — the keyword is not shown in this listing)
                            url = "ldap://" + location;
            //							baseDN = nsull;

                        // The parsed url is never used: LDAP stores are unsupported here.
                        throw Platform.CreateNotImplementedException("LDAP cert/CRL stores");

                        // use all purpose parameters
                        //X509LDAPCertStoreParameters ldapParams = new X509LDAPCertStoreParameters.Builder(
                        //                                url, baseDN).build();
                        //    "CERTIFICATE/LDAP", ldapParams));
                        //    "CRL/LDAP", ldapParams));
                        //    "ATTRIBUTECERTIFICATE/LDAP", ldapParams));
                        //    "CERTIFICATEPAIR/LDAP", ldapParams));
                // The catch-all below rethrows a bare Exception and drops the original as
                // inner exception, so the root cause is lost to the caller.
                catch (Exception)
                    // cannot happen
                    throw new Exception("Exception adding X.509 stores.");
		/// <summary>
		/// Collects the CRLs matching <paramref name="crlselect"/> from the certificate
		/// stores configured on <paramref name="paramsPkix"/> (GetStores() only; this
		/// overload does not consult the additional stores).
		/// </summary>
		/// <param name="crlselect">Selector describing the CRLs wanted.</param>
		/// <param name="paramsPkix">PKIX parameters whose stores are searched.</param>
		/// <returns>A set of the CRLs found.</returns>
		/// <exception cref="Exception">Wraps any failure raised while querying the stores.</exception>
		public virtual ISet FindCrls(X509CrlStoreSelector crlselect, PkixParameters paramsPkix)
		{
			ISet crls = new HashSet();

			try
			{
				// Delegate to the store-level overload and gather its results.
				crls.AddAll(FindCrls(crlselect, paramsPkix.GetStores()));
			}
			catch (Exception e)
			{
				throw new Exception("Exception obtaining complete CRLs.", e);
			}

			return crls;
		}
		/// <summary>
		/// Finds the CRLs matching <paramref name="crlselect"/> in both the additional and
		/// the regular stores of <paramref name="paramsPkix"/>, then keeps only those that
		/// are current for the validity date.
		/// </summary>
		/// <param name="crlselect">Selector describing the CRLs wanted; its CertificateChecking, if set, tightens the filter.</param>
		/// <param name="paramsPkix">Source of the stores; its Date, when set, overrides <paramref name="currentDate"/>.</param>
		/// <param name="currentDate">Validity date used when the parameters carry no explicit date.</param>
		/// <returns>The filtered set of CRLs (the Add calls that populate it are not shown in this listing).</returns>
		/// <exception cref="Exception">Wraps any failure raised while querying the stores.</exception>
		public virtual ISet FindCrls(X509CrlStoreSelector crlselect, PkixParameters paramsPkix, DateTime currentDate)
			ISet initialSet = new HashSet();

			// get complete CRL(s)
			// Additional stores (presumably those registered via the AddAdditionalStore*
			// helpers) are searched alongside the configured ones. The try keyword is not shown.
				initialSet.AddAll(FindCrls(crlselect, paramsPkix.GetAdditionalStores()));
				initialSet.AddAll(FindCrls(crlselect, paramsPkix.GetStores()));
			catch (Exception e)
				throw new Exception("Exception obtaining complete CRLs.", e);

			ISet finalSet = new HashSet();
			DateTime validityDate = currentDate;

			// An explicit date on the parameters takes precedence over currentDate.
			if (paramsPkix.Date != null)
				validityDate = paramsPkix.Date.Value;

			// based on RFC 5280 6.3.3
			// Keep a CRL only if its nextUpdate is still after the validity date; when a
			// certificate is being checked, additionally require thisUpdate to precede that
			// certificate's notAfter. The Add calls are not shown in this listing.
			foreach (X509Crl crl in initialSet)
				// NOTE(review): nextUpdate is optional in RFC 5280 CRLs. If X509Crl.NextUpdate
				// can be absent here, .Value fails (null dereference or InvalidOperationException,
				// depending on the type) and nothing in this method catches it — confirm.
				if (crl.NextUpdate.Value.CompareTo(validityDate) > 0)
					X509Certificate cert = crlselect.CertificateChecking;

					if (cert != null)
						if (crl.ThisUpdate.CompareTo(cert.NotAfter) < 0)

			return finalSet;
		/// <summary>
		/// Processes the attribute certificate's extensions (presumably step 7 of the
		/// RFC 3281 section 5 checks): the target information extension must be readable,
		/// every configured PkixAttrCertChecker gets a chance to handle critical
		/// extensions, and any critical extension still unhandled afterwards is fatal.
		/// AA controls, attribute encryption and proxy information are not handled (TODO).
		/// </summary>
		/// <param name="attrCert">Attribute certificate under validation.</param>
		/// <param name="certPath">Path of the AC issuer certificate, handed to the checkers.</param>
		/// <param name="holderCertPath">Path of the AC holder, handed to the checkers.</param>
		/// <param name="pkixParams">Supplies the attribute certificate checkers.</param>
		/// <exception cref="PkixCertPathValidatorException">The target information extension cannot be read, or unsupported critical extensions remain.</exception>
		internal static void ProcessAttrCert7(
			IX509AttributeCertificate	attrCert,
			PkixCertPath				certPath,
			PkixCertPath				holderCertPath,
			PkixParameters				pkixParams)
			// TODO:
			// AA Controls
			// Attribute encryption
			// Proxy
			ISet critExtOids = attrCert.GetCriticalExtensionOids();

			// 7.1
			// process extensions

			// target information checked in step 6 / X509AttributeCertStoreSelector
			// Only readability is verified here; the parse call, the try keyword and the
			// (presumable) removal of this OID from critExtOids are not shown in this listing.
			if (critExtOids.Contains(X509Extensions.TargetInformation.Id))
						.GetExtensionValue(attrCert, X509Extensions.TargetInformation));
				catch (Exception e)
					throw new PkixCertPathValidatorException(
						"Target information extension could not be read.", e);
			// Checkers receive the live set of critical OIDs; a checker is expected to remove
			// the OIDs it has handled, because whatever is left triggers the failure below.
			foreach (PkixAttrCertChecker checker in pkixParams.GetAttrCertCheckers())
				checker.Check(attrCert, certPath, holderCertPath, critExtOids);
			// Fail closed: an unrecognised critical extension is never silently ignored.
			if (!critExtOids.IsEmpty)
				throw new PkixCertPathValidatorException(
					"Attribute certificate contains unsupported critical extensions: "
						+ critExtOids);
 /// <summary>
 /// Registers an additional X.509 store for every URI found in the issuer
 /// alternative name extension of <paramref name="cert"/>. The actual registration
 /// (and its IsAdditionalLocationsEnabled gate) lives in
 /// PkixCertPathValidatorUtilities.AddAdditionalStoreFromLocation.
 /// </summary>
 /// <param name="cert">Certificate whose IssuerAltName extension is scanned.</param>
 /// <param name="pkixParams">Parameters that receive the additional stores.</param>
 internal static void AddAdditionalStoresFromAltNames(
     X509Certificate cert,
     PkixParameters pkixParams)
 {
     IEnumerable altNames = cert.GetIssuerAlternativeNames();
     if (altNames == null)
     {
         return;
     }

     // Each entry is a list whose element 0 is the GeneralName tag and element 1 the value.
     foreach (IList entry in altNames)
     {
         if (!entry[0].Equals(GeneralName.UniformResourceIdentifier))
         {
             continue;
         }

         string location = (string)entry[1];
         PkixCertPathValidatorUtilities.AddAdditionalStoreFromLocation(location, pkixParams);
     }
 }
 /// <summary>
 /// Copies every setting of <paramref name="parameters"/> into this instance.
 /// Collections are duplicated and the target selector is cloned through
 /// <see cref="ICloneable"/>, so later changes to one object do not leak into the
 /// other. Trust anchors are not part of this copy.
 /// </summary>
 /// <param name="parameters">The instance whose settings are copied.</param>
 protected virtual void SetParams(PkixParameters parameters)
 {
     // Scalar settings.
     Date = parameters.Date;
     IsAnyPolicyInhibited = parameters.IsAnyPolicyInhibited;
     IsExplicitPolicyRequired = parameters.IsExplicitPolicyRequired;
     IsPolicyMappingInhibited = parameters.IsPolicyMappingInhibited;
     IsRevocationEnabled = parameters.IsRevocationEnabled;
     IsPolicyQualifiersRejected = parameters.IsPolicyQualifiersRejected;
     validityModel = parameters.validityModel;
     useDeltas = parameters.useDeltas;
     additionalLocationsEnabled = parameters.additionalLocationsEnabled;

     // The target selector is cloned rather than shared.
     if (parameters.selector == null)
     {
         selector = null;
     }
     else
     {
         selector = (IX509Selector)((ICloneable)parameters.selector).Clone();
     }

     // Fresh containers with the same contents.
     stores = Platform.CreateArrayList((global::System.Collections.ICollection)parameters.stores);
     additionalStores = Platform.CreateArrayList((global::System.Collections.ICollection)parameters.additionalStores);
     trustedACIssuers = new HashSet(parameters.trustedACIssuers);
     prohibitedACAttributes = new HashSet(parameters.prohibitedACAttributes);
     necessaryACAttributes = new HashSet(parameters.necessaryACAttributes);
     attrCertCheckers = new HashSet(parameters.attrCertCheckers);
 }
 /// <summary>
 /// Determines the date at which the certificate at <paramref name="index"/> of
 /// <paramref name="certPath"/> has to be valid under the validity model configured in
 /// <paramref name="paramsPkix"/>. Several statements (the early returns, the try
 /// keywords and the conversion of the GeneralizedTime) are missing from this listing;
 /// only the visible logic is described here.
 /// </summary>
 /// <param name="paramsPkix">Parameters carrying ValidityModel.</param>
 /// <param name="certPath">The path being validated; the attribute certificate validator on this page passes null together with index -1.</param>
 /// <param name="index">Position of the certificate in the path; the issuing certificate is at index - 1.</param>
 /// <returns>The validity date (the return statements of the early branches are not shown).</returns>
 /// <exception cref="Exception">The ISIS-MTT "date of cert gen" extension cannot be read or parsed.</exception>
 internal static DateTime GetValidCertDateFromValidityModel(PkixParameters paramsPkix, PkixCertPath certPath, int index)
     // Anything but validity model 1, or a position at the top of the path, takes an
     // early exit whose return value is not shown here.
     if (paramsPkix.ValidityModel != 1)
     if (index <= 0)
     if (index - 1 == 0)
         DerGeneralizedTime derGeneralizedTime = null;
             // The issuing certificate may carry an ISIS-MTT "date of cert gen" extension;
             // when present it presumably replaces NotBefore (the conversion is not shown).
             X509Certificate x509Certificate = (X509Certificate)certPath.Certificates[index - 1];
             Asn1OctetString extensionValue  = x509Certificate.GetExtensionValue(IsisMttObjectIdentifiers.IdIsisMttATDateOfCertGen);
             derGeneralizedTime = DerGeneralizedTime.GetInstance(extensionValue);
         catch (ArgumentException)
             // NOTE(review): the original ArgumentException is dropped, not attached as inner exception.
             throw new Exception("Date of cert gen extension could not be read.");
         if (derGeneralizedTime != null)
             catch (ArgumentException innerException)
                 throw new Exception("Date from date of cert gen extension could not be parsed.", innerException);
     // Fallback: the issuing certificate's own NotBefore.
     return(((X509Certificate)certPath.Certificates[index - 1]).NotBefore);
        /// <summary>
        /// Creates a new PkixParameters seeded with this instance's trust anchors. The
        /// remaining settings are presumably copied by a statement not shown in this
        /// listing (compare SetParams, which copies every other field). NOTE(review): the
        /// FIXME below is still open — a clone that silently drops a setting such as
        /// IsRevocationEnabled or the trusted AC issuers weakens any validation run on the
        /// copy, and ProcessCrlF on this page does clone the parameters before building
        /// the CRL signer's path; verify field by field against the Java implementation.
        /// </summary>
        /// <returns>The copy, typed as <see cref="object"/> in ICloneable style.</returns>
        public virtual object Clone()
            // FIXME Check this whole method against the Java implementation!

            PkixParameters parameters = new PkixParameters(GetTrustAnchors());


//			PkixParameters obj = new PkixParameters(new HashSet());
////			(PkixParameters) this.MemberwiseClone();
//			obj.x509Stores = new ArrayList(x509Stores);
//			obj.certPathCheckers = new ArrayList(certPathCheckers);
//			//Iterator iter = certPathCheckers.iterator();
//			//obj.certPathCheckers = new ArrayList();
//			//while (iter.hasNext())
//			//{
//			//	obj.certPathCheckers.add(((PKIXCertPathChecker)
//			//		.clone());
//			//}
//			//if (initialPolicies != null)
//			//{
//			//	obj.initialPolicies = new HashSet(initialPolicies);
//			//}
////			if (trustAnchors != null)
////			{
////				obj.trustAnchors = new HashSet(trustAnchors);
////			}
////			if (certSelector != null)
////			{
////				obj.certSelector = (X509CertStoreSelector) certSelector.Clone();
////			}
//			return obj;
        /// <summary>
        /// Applies the attribute-level policy from <paramref name="pkixParams"/> to
        /// <paramref name="attrCert"/>: no prohibited attribute may be present, and every
        /// necessary attribute must be present.
        /// </summary>
        /// <param name="attrCert">Attribute certificate under validation.</param>
        /// <param name="pkixParams">Source of the prohibited and necessary attribute OID sets.</param>
        /// <exception cref="PkixCertPathValidatorException">A prohibited attribute is present or a necessary one is missing.</exception>
        internal static void AdditionalChecks(
            IX509AttributeCertificate attrCert,
            PkixParameters pkixParams)
        {
            // Prohibited attributes: any hit is a failure.
            foreach (string prohibited in pkixParams.GetProhibitedACAttributes())
            {
                bool present = attrCert.GetAttributes(prohibited) != null;
                if (present)
                {
                    throw new PkixCertPathValidatorException(
                        "Attribute certificate contains prohibited attribute: " + prohibited + ".");
                }
            }

            // Necessary attributes: any miss is a failure.
            foreach (string required in pkixParams.GetNecessaryACAttributes())
            {
                bool present = attrCert.GetAttributes(required) != null;
                if (!present)
                {
                    throw new PkixCertPathValidatorException(
                        "Attribute certificate does not contain necessary attribute: " + required + ".");
                }
            }
        }
 /// <summary>
 /// Applies the attribute-level policy from <paramref name="pkixParams"/> to
 /// <paramref name="attrCert"/>: no prohibited attribute may be present, and every
 /// necessary attribute must be present.
 /// </summary>
 /// <param name="attrCert">Attribute certificate under validation.</param>
 /// <param name="pkixParams">Source of the prohibited and necessary attribute OID sets.</param>
 /// <exception cref="PkixCertPathValidatorException">A prohibited attribute is present or a necessary one is missing.</exception>
 internal static void AdditionalChecks(
     IX509AttributeCertificate attrCert,
     PkixParameters pkixParams)
 {
     // Prohibited attributes: any hit is a failure.
     foreach (string prohibited in pkixParams.GetProhibitedACAttributes())
     {
         bool present = attrCert.GetAttributes(prohibited) != null;
         if (present)
         {
             throw new PkixCertPathValidatorException(
                 "Attribute certificate contains prohibited attribute: " + prohibited + ".");
         }
     }

     // Necessary attributes: any miss is a failure.
     foreach (string required in pkixParams.GetNecessaryACAttributes())
     {
         bool present = attrCert.GetAttributes(required) != null;
         if (!present)
         {
             throw new PkixCertPathValidatorException(
                 "Attribute certificate does not contain necessary attribute: " + required + ".");
         }
     }
 }
		/// <summary>
		/// Presumably step 4 of the RFC 3281 checks (see the ProcessAttrCertN naming):
		/// the attribute certificate issuer must be directly trusted, i.e. match one of
		/// <c>pkixParams.GetTrustedACIssuers()</c>.
		/// </summary>
		/// <remarks>
		/// An anchor matches either by certificate equality or because its CAName equals
		/// the issuer certificate's subject rendered with the RFC 2253 symbol table. The
		/// name-only match therefore trusts any certificate carrying that subject; how much
		/// that matters depends on how the trusted AC issuer set is populated.
		/// </remarks>
		/// <param name="acIssuerCert">Public key certificate of the attribute certificate issuer.</param>
		/// <param name="pkixParams">Parameters holding the trusted AC issuers.</param>
		/// <exception cref="PkixCertPathValidatorException">No trusted anchor matches the issuer.</exception>
		internal static void ProcessAttrCert4(
			X509Certificate	acIssuerCert,
			PkixParameters	pkixParams)
		{
			IDictionary symbols = X509Name.RFC2253Symbols;

			foreach (TrustAnchor anchor in pkixParams.GetTrustedACIssuers())
			{
				string issuerSubject = acIssuerCert.SubjectDN.ToString(false, symbols);

				// Name match first, certificate identity as the alternative.
				if (issuerSubject.Equals(anchor.CAName)
					|| acIssuerCert.Equals(anchor.TrustedCert))
				{
					return;
				}
			}

			throw new PkixCertPathValidatorException(
				"Attribute certificate issuer is not directly trusted.");
		}
        /// <summary>
        /// Fetches the complete CRLs for <paramref name="cert"/> that are reachable through
        /// distribution point <paramref name="dp"/>. Decompiled variant: the issuer Add
        /// inside the try block, the else branch and the successful return are not shown
        /// in this listing.
        /// </summary>
        /// <param name="dp">Distribution point whose CRL issuers seed the selector.</param>
        /// <param name="cert">An X509Certificate or an X509V2AttributeCertificate.</param>
        /// <param name="currentDate">Date the CRLs must be current for.</param>
        /// <param name="paramsPKIX">Parameters supplying the stores.</param>
        /// <returns>The matching CRLs when any are found (the return statement is not visible here).</returns>
        /// <exception cref="Exception">Issuer information cannot be derived from the distribution point, or no CRL is found.</exception>
        internal static ISet GetCompleteCrls(DistributionPoint dp, object cert, DateTime currentDate, PkixParameters paramsPKIX)
            X509CrlStoreSelector x509CrlStoreSelector = new X509CrlStoreSelector();

                // Issuer names from cert (Add not shown) and the distribution point go into the selector.
                ISet set = new HashSet();
                if (cert is X509V2AttributeCertificate)
                PkixCertPathValidatorUtilities.GetCrlIssuersFromDistributionPoint(dp, set, x509CrlStoreSelector, paramsPKIX);
            catch (Exception innerException)
                throw new Exception("Could not get issuer information from distribution point.", innerException);
            // Tie the selector to the object being checked, presumably so only CRLs covering it match.
            if (cert is X509Certificate)
                x509CrlStoreSelector.CertificateChecking = (X509Certificate)cert;
            else if (cert is X509V2AttributeCertificate)
                x509CrlStoreSelector.AttrCertChecking = (IX509AttributeCertificate)cert;
            x509CrlStoreSelector.CompleteCrlEnabled = true;
            ISet set2 = PkixCertPathValidatorUtilities.CrlUtilities.FindCrls(x509CrlStoreSelector, paramsPKIX, currentDate);

            // A non-empty result is returned (statement not shown); an empty one is an
            // error, reported with the issuer of the object being checked.
            if (!set2.IsEmpty)
            if (cert is IX509AttributeCertificate)
                IX509AttributeCertificate iX509AttributeCertificate = (IX509AttributeCertificate)cert;
                throw new Exception("No CRLs found for issuer \"" + iX509AttributeCertificate.Issuer.GetPrincipals()[0] + "\"");
            X509Certificate x509Certificate = (X509Certificate)cert;

            throw new Exception("No CRLs found for issuer \"" + x509Certificate.IssuerDN + "\"");
		 * Fetches delta CRLs according to RFC 3280 section 5.2.4.
		 * @param currentDate The date for which the delta CRLs must be valid.
		 * @param paramsPKIX The extended PKIX parameters.
		 * @param completeCRL The complete CRL the delta CRL is for.
		 * @return A <code>Set</code> of <code>X509CRL</code>s with delta CRLs.
		 * @throws Exception if an exception occurs while picking the delta
		 *             CRLs.
		/// <summary>
		/// Fetches the delta CRLs belonging to <paramref name="completeCRL"/> (RFC 3280
		/// section 5.2.4): same issuer, CRL number above the complete CRL's, and a matching
		/// issuing distribution point. Several statements (the issuer Add, the try keywords,
		/// the result Add) are not shown in this listing.
		/// </summary>
		/// <param name="currentDate">Date the delta CRLs must be current for.</param>
		/// <param name="paramsPKIX">Parameters supplying the stores.</param>
		/// <param name="completeCRL">The complete CRL whose deltas are wanted.</param>
		/// <returns>The delta CRLs found, possibly none.</returns>
		/// <exception cref="Exception">The issuer, CRL number or issuing distribution point of the complete CRL cannot be read.</exception>
		internal static ISet GetDeltaCrls(
			DateTime		currentDate,
			PkixParameters	paramsPKIX,
			X509Crl			completeCRL)
			X509CrlStoreSelector deltaSelect = new X509CrlStoreSelector();

			// 5.2.4 (a)
			// The delta must come from the complete CRL's issuer (the Add populating the
			// list is not shown).
                IList deltaSelectIssuer = Platform.CreateArrayList();
				deltaSelect.Issuers = deltaSelectIssuer;
			catch (IOException e)
				throw new Exception("Cannot extract issuer from CRL.", e);

			// The complete CRL's cRLNumber, or null when it has no such extension.
			BigInteger completeCRLNumber = null;
				Asn1Object asn1Object = GetExtensionValue(completeCRL, X509Extensions.CrlNumber);
				if (asn1Object != null)
					completeCRLNumber = CrlNumber.GetInstance(asn1Object).PositiveValue;
			catch (Exception e)
				throw new Exception(
					"CRL number extension could not be extracted from CRL.", e);

			// 5.2.4 (b)
			// DER encoding of the issuing distribution point, presumably compared as-is by the selector.
			byte[] idp = null;

				Asn1Object obj = GetExtensionValue(completeCRL, X509Extensions.IssuingDistributionPoint);
				if (obj != null)
					idp = obj.GetDerEncoded();
			catch (Exception e)
				throw new Exception(
					"Issuing distribution point extension value could not be read.",

			// 5.2.4 (d)
			// A delta must carry a CRL number greater than the complete CRL's.
			// NOTE(review): when the complete CRL has no cRLNumber, both number bounds stay
			// null and the number criteria are not applied at all — confirm that fallback is intended.

			deltaSelect.MinCrlNumber = (completeCRLNumber == null)
				?	null
				:	completeCRLNumber.Add(BigInteger.One);

			deltaSelect.IssuingDistributionPoint = idp;
			deltaSelect.IssuingDistributionPointEnabled = true;

			// 5.2.4 (c)
			// Caps the delta's base CRL number at the complete CRL's number.
			deltaSelect.MaxBaseCrlNumber = completeCRLNumber;

			// find delta CRLs
			ISet temp = CrlUtilities.FindCrls(deltaSelect, paramsPKIX, currentDate);

			ISet result = new HashSet();

			// Keep only CRLs that really are deltas (the Add is not shown).
			foreach (X509Crl crl in temp)
				if (isDeltaCrl(crl))

			return result;
		* Obtain and validate the certification path for the complete CRL issuer.
		* If a key usage extension is present in the CRL issuer's certificate,
		* verify that the cRLSign bit is set.
		* @param crl                CRL which contains revocation information for the certificate
		*                           <code>cert</code>.
		* @param cert               The attribute certificate or certificate to check if it is
		*                           revoked.
		* @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>.
		* @param defaultCRLSignKey  The public key of the issuer certificate
		*                           <code>defaultCRLSignCert</code>.
		* @param paramsPKIX         The PKIX parameters.
		* @param certPathCerts      The certificates on the certification path.
		* @return A <code>Set</code> with all keys of possible CRL issuer
		*         certificates.
		* @throws AnnotatedException if the CRL is not valid or the status cannot be checked or
		*                            some error occurs.
		/// <summary>
		/// Step (f) of CRL processing: find the certificate(s) that may have signed
		/// <paramref name="crl"/>, build and validate a path for each, and return the
		/// public keys that may be used to verify the CRL. The issuer's own certificate
		/// (<paramref name="defaultCRLSignCert"/>) is accepted without path building; every
		/// other candidate goes through PkixCertPathBuilder on a clone of
		/// <paramref name="paramsPKIX"/>. Several statements (the try keywords, the Adds to
		/// validCerts/validKeys/checkKeys, the right-hand side that fills <c>parameters</c>,
		/// the else keyword) are not shown in this listing.
		/// </summary>
		/// <param name="crl">The CRL whose signer is sought.</param>
		/// <param name="cert">The certificate or attribute certificate being checked (not referenced in the code shown).</param>
		/// <param name="defaultCRLSignCert">Issuer certificate of <paramref name="cert"/>.</param>
		/// <param name="defaultCRLSignKey">Public key of <paramref name="defaultCRLSignCert"/>.</param>
		/// <param name="paramsPKIX">PKIX parameters; cloned before being turned into builder parameters.</param>
		/// <param name="certPathCerts">Certificates of the path under validation; used to break the CRL/path dependency loop.</param>
		/// <returns>The public keys of the acceptable CRL signers (population of the set is not shown).</returns>
		/// <exception cref="Exception">Selector setup, store lookup or path building fails, or no candidate is acceptable.</exception>
		internal static ISet ProcessCrlF(
			X509Crl					crl,
			object					cert,
			X509Certificate			defaultCRLSignCert,
			AsymmetricKeyParameter	defaultCRLSignKey,
			PkixParameters			paramsPKIX,
			IList					certPathCerts)
			// (f)

			// get issuer from CRL
			// Candidate signers are the certificates whose subject equals the CRL's issuer name.
			X509CertStoreSelector selector = new X509CertStoreSelector();
				selector.Subject = crl.IssuerDN;
			catch (IOException e)
				throw new Exception(
					"Subject criteria for certificate selector to find issuer certificate for CRL could not be set.", e);

			// get CRL signing certs
			// Both the configured and the additional stores are searched.
			IList coll = Platform.CreateArrayList();

                CollectionUtilities.AddRange(coll, PkixCertPathValidatorUtilities.FindCertificates(selector, paramsPKIX.GetStores()));
                CollectionUtilities.AddRange(coll, PkixCertPathValidatorUtilities.FindCertificates(selector, paramsPKIX.GetAdditionalStores()));
			catch (Exception e)
				throw new Exception("Issuer certificate for CRL cannot be searched.", e);


			IEnumerator cert_it = coll.GetEnumerator();

            IList validCerts = Platform.CreateArrayList();
            IList validKeys = Platform.CreateArrayList();

			while (cert_it.MoveNext())
				X509Certificate signingCert = (X509Certificate)cert_it.Current;

				 * CA of the certificate, for which this CRL is checked, has also
				 * signed CRL, so skip the path validation, because is already done
				// The issuer certificate was already validated by the outer path validation,
				// so its key is accepted directly (the Adds are not shown).
				if (signingCert.Equals(defaultCRLSignCert))
//					CertPathBuilder builder = CertPathBuilder.GetInstance("PKIX");
					// Any other candidate must itself chain to a trust anchor.
					PkixCertPathBuilder builder = new PkixCertPathBuilder();
					selector = new X509CertStoreSelector();
					selector.Certificate = signingCert;

					// Cloned so the revocation toggle below does not alter the caller's parameters.
					PkixParameters temp = (PkixParameters)paramsPKIX.Clone();

					PkixBuilderParameters parameters = (PkixBuilderParameters)

					 * if signingCert is placed not higher on the cert path a
					 * dependency loop results. CRL for cert is checked, but
					 * signingCert is needed for checking the CRL which is dependent
					 * on checking cert because it is higher in the cert path and so
					 * signing signingCert transitively. so, revocation is disabled,
					 * forgery attacks of the CRL are detected in this outer loop
					 * for all other it must be enabled to prevent forgery attacks
					if (certPathCerts.Contains(signingCert))
						parameters.IsRevocationEnabled = false;
						parameters.IsRevocationEnabled = true;
					// GetNextWorkingKey(certs, 0): presumably the public key of the first path
					// certificate, i.e. the candidate signer itself — confirm.
					IList certs = builder.Build(parameters).CertPath.Certificates;
					validKeys.Add(PkixCertPathValidatorUtilities.GetNextWorkingKey(certs, 0));
				catch (PkixCertPathBuilderException e)
					throw new Exception("Internal error.", e);
				catch (PkixCertPathValidatorException e)
					throw new Exception("Public key of issuer certificate of CRL could not be retrieved.", e);
				//catch (Exception e)
				//    throw new Exception(e.Message);

			ISet checkKeys = new HashSet();

			// Key-usage filter: a certificate without the extension passes; one with the
			// extension must assert cRLSign (the Length < 7 guard implies CRL_SIGN is index 6,
			// cRLSign's position in the RFC 5280 KeyUsage bit string). Only the last failure
			// is remembered, and it is reported only if no candidate at all is accepted.
			Exception lastException = null;
			for (int i = 0; i < validCerts.Count; i++)
				X509Certificate signCert = (X509Certificate)validCerts[i];
				bool[] keyusage = signCert.GetKeyUsage();

				if (keyusage != null && (keyusage.Length < 7 || !keyusage[CRL_SIGN]))
					lastException = new Exception(
						"Issuer certificate key usage extension does not permit CRL signing.");

			// No acceptable signer: prefer the key-usage failure over the generic error.
			if ((checkKeys.Count == 0) && lastException == null)
				throw new Exception("Cannot find a valid issuer certificate.");
			if ((checkKeys.Count == 0) && lastException != null)
				throw lastException;

			return checkKeys;
		/// <summary>
		/// Basic certificate processing step (a) — presumably RFC 3280/5280 section 6.1.3 —
		/// for the certificate at <paramref name="index"/>: (1) signature check against
		/// <paramref name="workingPublicKey"/>, (2) validity period at the date given by the
		/// validity model, (3) revocation status when enabled, (4) issuer name chaining to
		/// <paramref name="workingIssuerName"/>. The verification and time-check calls for
		/// (1) and (2), and the try keywords, are not shown in this listing; only their
		/// catch clauses are.
		/// </summary>
		/// <param name="certPath">Path under validation.</param>
		/// <param name="paramsPKIX">Parameters (validity model, revocation switch).</param>
		/// <param name="index">Position of the certificate in <c>certPath.Certificates</c>.</param>
		/// <param name="workingPublicKey">Public key expected to have signed the certificate.</param>
		/// <param name="workingIssuerName">Name the certificate's issuer must match.</param>
		/// <param name="sign">Certificate that issued this one; handed to CheckCrls.</param>
		/// <exception cref="PkixCertPathValidatorException">Any of the four checks fails; carries certPath and index.</exception>
		internal static void ProcessCertA(
			PkixCertPath			certPath,
			PkixParameters			paramsPKIX,
			int						index,
			AsymmetricKeyParameter	workingPublicKey,
			X509Name				workingIssuerName,
			X509Certificate			sign)
			IList certs = certPath.Certificates;
			X509Certificate cert = (X509Certificate)certs[index];
			// (a) verify
				// (a) (1)
			// GeneralSecurityException here comes from the signature verification (call not shown).
			catch (GeneralSecurityException e)
				throw new PkixCertPathValidatorException("Could not validate certificate signature.", e, certPath, index);

				// (a) (2)
					.GetValidCertDateFromValidityModel(paramsPKIX, certPath, index));
			// Expired / not-yet-valid are reported with the library's message; anything
			// else as a generic time-check failure.
			catch (CertificateExpiredException e)
				throw new PkixCertPathValidatorException("Could not validate certificate: " + e.Message, e, certPath, index);
			catch (CertificateNotYetValidException e)
				throw new PkixCertPathValidatorException("Could not validate certificate: " + e.Message, e, certPath, index);
			catch (Exception e)
				throw new PkixCertPathValidatorException("Could not validate time of certificate.", e, certPath, index);

			// (a) (3)
			// Revocation is skipped entirely when disabled on the parameters. The validity-model
			// date is recomputed here; CheckCrls failures are unwrapped one level so the
			// reported cause is the original.
			if (paramsPKIX.IsRevocationEnabled)
					CheckCrls(paramsPKIX, cert, PkixCertPathValidatorUtilities.GetValidCertDateFromValidityModel(paramsPKIX,
						certPath, index), sign, workingPublicKey, certs);
				catch (Exception e)
					Exception cause = e.InnerException;
					if (cause == null)
						cause = e;
					throw new PkixCertPathValidatorException(e.Message, cause, certPath, index);

			// (a) (4) name chaining
			// The boolean is presumably X509Name.Equivalent's inOrder flag — confirm.
			X509Name issuer = PkixCertPathValidatorUtilities.GetIssuerPrincipal(cert);
			if (!issuer.Equivalent(workingIssuerName, true))
				throw new PkixCertPathValidatorException("IssuerName(" + issuer
					+ ") does not match SubjectName(" + workingIssuerName + ") of signing certificate.", null,
					certPath, index);
 /// <summary>
 /// Fills <paramref name="selector"/>.Issuers with the CRL issuer names for distribution
 /// point <paramref name="dp"/>: the directoryName entries of dp.CrlIssuer when present
 /// (the decoding statements are not shown), otherwise — provided a distributionPoint
 /// field exists — the names in <paramref name="issuerPrincipals"/> (the loop body is
 /// not shown). Decompiled variant.
 /// </summary>
 /// <param name="dp">Distribution point from the certificate's CRL distribution points extension.</param>
 /// <param name="issuerPrincipals">Fallback issuer names; the callers on this page seed them from the object being checked.</param>
 /// <param name="selector">Selector whose Issuers criterion is set.</param>
 /// <param name="pkixParams">PKIX parameters (not referenced in the code shown).</param>
 /// <exception cref="Exception">A cRLIssuer name cannot be decoded, or cRLIssuer and distributionPoint are both absent.</exception>
 internal static void GetCrlIssuersFromDistributionPoint(DistributionPoint dp, global::System.Collections.ICollection issuerPrincipals, X509CrlStoreSelector selector, PkixParameters pkixParams)
     //IL_0045: Expected O, but got Unknown
     global::System.Collections.IList list = Platform.CreateArrayList();
     if (dp.CrlIssuer != null)
         GeneralName[] names = dp.CrlIssuer.GetNames();
         for (int i = 0; i < names.Length; i++)
             // Tag 4 is GeneralName.directoryName (RFC 5280); only those can serve as issuer DNs.
             if (names[i].TagNo == 4)
                 catch (IOException val)
                     IOException val2 = val;
                     throw new global::System.Exception("CRL issuer information from distribution point cannot be decoded.", (global::System.Exception)(object) val2);
         // Without cRLIssuer the distributionPoint field is required, and the CRL issuer is
         // taken to be the same as the issuer of the object being checked.
         if (dp.DistributionPointName == null)
             throw new global::System.Exception("CRL issuer is omitted from distribution point but no distributionPoint field present.");
         global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)issuerPrincipals).GetEnumerator();
         while (enumerator.MoveNext())
     selector.Issuers = (global::System.Collections.ICollection)list;
        /// <summary>
        /// Fetches the complete CRLs for <paramref name="cert"/> that are reachable through
        /// distribution point <paramref name="dp"/>. Decompiled variant (string.Concat and
        /// global:: prefixes are decompiler output); the issuer Add inside the try block,
        /// the else branch and the successful return are not shown in this listing.
        /// </summary>
        /// <param name="dp">Distribution point whose CRL issuers seed the selector.</param>
        /// <param name="cert">An X509Certificate or an X509V2AttributeCertificate.</param>
        /// <param name="currentDate">Date the CRLs must be current for.</param>
        /// <param name="paramsPKIX">Parameters supplying the stores.</param>
        /// <returns>The matching CRLs when any are found (the return statement is not visible here).</returns>
        /// <exception cref="Exception">Issuer information cannot be derived from the distribution point, or no CRL is found.</exception>
        internal static ISet GetCompleteCrls(DistributionPoint dp, object cert, global::System.DateTime currentDate, PkixParameters paramsPKIX)
            X509CrlStoreSelector x509CrlStoreSelector = new X509CrlStoreSelector();

                // Issuer names from cert (Add not shown) and the distribution point go into the selector.
                ISet set = new HashSet();
                if (cert is X509V2AttributeCertificate)
                GetCrlIssuersFromDistributionPoint(dp, set, x509CrlStoreSelector, paramsPKIX);
            catch (global::System.Exception ex)
                throw new global::System.Exception("Could not get issuer information from distribution point.", ex);
            // Tie the selector to the object being checked, presumably so only CRLs covering it match.
            if (cert is X509Certificate)
                x509CrlStoreSelector.CertificateChecking = (X509Certificate)cert;
            else if (cert is X509V2AttributeCertificate)
                x509CrlStoreSelector.AttrCertChecking = (IX509AttributeCertificate)cert;
            x509CrlStoreSelector.CompleteCrlEnabled = true;
            ISet set2 = CrlUtilities.FindCrls(x509CrlStoreSelector, paramsPKIX, currentDate);

            // Fail closed: an empty result is an error, reported with the issuer of the
            // object being checked. The non-empty return is not shown.
            if (set2.IsEmpty)
                if (cert is IX509AttributeCertificate)
                    IX509AttributeCertificate iX509AttributeCertificate = (IX509AttributeCertificate)cert;
                    throw new global::System.Exception(string.Concat((object)"No CRLs found for issuer \"", (object)iX509AttributeCertificate.Issuer.GetPrincipals()[0], (object)"\""));
                X509Certificate x509Certificate = (X509Certificate)cert;
                throw new global::System.Exception(string.Concat((object)"No CRLs found for issuer \"", (object)x509Certificate.IssuerDN, (object)"\""));
         * Fetches complete CRLs according to RFC 3280.
         * @param dp The distribution point for which the complete CRL
         * @param cert The <code>X509Certificate</code> or
         *            {@link org.bouncycastle.x509.X509AttributeCertificate} for
         *            which the CRL should be searched.
         * @param currentDate The date for which the delta CRLs must be valid.
         * @param paramsPKIX The extended PKIX parameters.
         * @return A <code>Set</code> of <code>X509CRL</code>s with complete
         *         CRLs.
         * @throws Exception if an exception occurs while picking the CRLs
         *             or no CRLs are found.
        /// <summary>
        /// Fetches the complete CRLs for <paramref name="cert"/> via distribution point
        /// <paramref name="dp"/> (older variant: searches the stores directly and sets the
        /// selector's DateAndTime). The issuer Add inside the try block, the else keywords
        /// and the final return are not shown in this listing.
        /// </summary>
        /// <param name="dp">Distribution point whose CRL issuers seed the selector.</param>
        /// <param name="cert">An X509Certificate or an X509V2AttributeCertificate.</param>
        /// <param name="currentDate">Date the CRLs must be current for, unless the parameters carry their own Date.</param>
        /// <param name="paramsPKIX">Parameters supplying the stores and an optional Date.</param>
        /// <returns>The CRLs found (the return statement is not visible here).</returns>
        /// <exception cref="Exception">
        /// The store search fails or no CRL is found. A failure to derive the issuer
        /// information is NOT raised — see the note in the first catch block.
        /// </exception>
        internal static ISet GetCompleteCrls(
            DistributionPoint dp,
            object cert,
            DateTime currentDate,
            PkixParameters paramsPKIX)
            X509CrlStoreSelector crlselect = new X509CrlStoreSelector();

                // Issuer names from cert (Add not shown) and the distribution point go into the selector.
                ISet issuers = new HashSet();
                if (cert is X509V2AttributeCertificate)
                PkixCertPathValidatorUtilities.GetCrlIssuersFromDistributionPoint(dp, issuers, crlselect, paramsPKIX);
            catch (Exception e)
                // NOTE(review): the exception is constructed but never thrown — the `throw`
                // keyword is missing — so a failure to determine the CRL issuer is swallowed
                // and the search below proceeds with whatever issuer criteria (possibly none)
                // the selector holds at that point. Compare the two other variants of this
                // method on this page, which do throw here. The intended line is
                // `throw new Exception("Could not get issuer information from distribution point.", e);`
                new Exception("Could not get issuer information from distribution point.", e);

            // Tie the selector to the object being checked.
            if (cert is X509Certificate)
                crlselect.CertificateChecking = (X509Certificate)cert;
            else if (cert is X509V2AttributeCertificate)
                crlselect.AttrCertChecking = (IX509AttributeCertificate)cert;

            // An explicit parameter date wins over currentDate (else keyword not shown).
            if (paramsPKIX.Date != null)
                crlselect.DateAndTime = paramsPKIX.Date;
                crlselect.DateAndTime = new DateTimeObject(currentDate);

            crlselect.CompleteCrlEnabled = true;

            ISet crls = new HashSet();

            // Both the configured and the additional stores are searched.
                crls.AddAll(PkixCertPathValidatorUtilities.FindCrls(crlselect, paramsPKIX.GetStores()));
                crls.AddAll(PkixCertPathValidatorUtilities.FindCrls(crlselect, paramsPKIX.GetAdditionalStores()));
            catch (Exception e)
                throw new Exception("Could not search for CRLs.", e);

            // Fail closed on an empty result (the successful return is not shown).
            if (crls.IsEmpty)
                throw new Exception("No CRLs found.");

        /// <summary>
        /// Fetches the delta CRLs belonging to <paramref name="completeCRL"/>: same issuer,
        /// CRL number above the complete CRL's, matching issuing distribution point, and
        /// accepted by isDeltaCrl. Decompiled variant (the foreach has been expanded into
        /// an enumerator with a Dispose tail); the issuer Add, the try keywords, the result
        /// Add, the Dispose call and the return are not shown in this listing.
        /// </summary>
        /// <param name="currentDate">Date the delta CRLs must be current for.</param>
        /// <param name="paramsPKIX">Parameters supplying the stores.</param>
        /// <param name="completeCRL">The complete CRL whose deltas are wanted.</param>
        /// <returns>The delta CRLs found (return statement not visible here).</returns>
        /// <exception cref="Exception">The issuer, CRL number or issuing distribution point of the complete CRL cannot be read.</exception>
        internal static ISet GetDeltaCrls(global::System.DateTime currentDate, PkixParameters paramsPKIX, X509Crl completeCRL)
            //IL_0023: Expected O, but got Unknown
            X509CrlStoreSelector x509CrlStoreSelector = new X509CrlStoreSelector();

                // Issuer criterion: the complete CRL's issuer (the Add is not shown).
                global::System.Collections.IList list = Platform.CreateArrayList();
                x509CrlStoreSelector.Issuers = (global::System.Collections.ICollection)list;
            catch (IOException val)
                IOException val2 = val;
                throw new global::System.Exception("Cannot extract issuer from CRL.", (global::System.Exception)(object) val2);
            // The complete CRL's cRLNumber, or null when it has no such extension.
            BigInteger bigInteger = null;

                Asn1Object extensionValue = GetExtensionValue(completeCRL, X509Extensions.CrlNumber);
                if (extensionValue != null)
                    bigInteger = DerInteger.GetInstance(extensionValue).PositiveValue;
            catch (global::System.Exception ex)
                throw new global::System.Exception("CRL number extension could not be extracted from CRL.", ex);
            // DER encoding of the issuing distribution point, handed to the selector as-is.
            byte[] issuingDistributionPoint = null;
                Asn1Object extensionValue2 = GetExtensionValue(completeCRL, X509Extensions.IssuingDistributionPoint);
                if (extensionValue2 != null)
                    issuingDistributionPoint = extensionValue2.GetDerEncoded();
            catch (global::System.Exception ex2)
                throw new global::System.Exception("Issuing distribution point extension value could not be read.", ex2);
            // NOTE(review): with no cRLNumber on the complete CRL both number bounds stay
            // null, so the number criteria are not applied at all — confirm that is intended.
            x509CrlStoreSelector.MinCrlNumber                    = bigInteger?.Add(BigInteger.One);
            x509CrlStoreSelector.IssuingDistributionPoint        = issuingDistributionPoint;
            x509CrlStoreSelector.IssuingDistributionPointEnabled = true;
            x509CrlStoreSelector.MaxBaseCrlNumber                = bigInteger;
            ISet set  = CrlUtilities.FindCrls(x509CrlStoreSelector, paramsPKIX, currentDate);
            ISet set2 = new HashSet();

            // Keep only CRLs that really are deltas (the Add is not shown).
            global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)set).GetEnumerator();
                while (enumerator.MoveNext())
                    X509Crl x509Crl = (X509Crl)enumerator.get_Current();
                    if (isDeltaCrl(x509Crl))
                // Decompiled foreach tail: dispose the enumerator if it supports it.
                global::System.IDisposable disposable = enumerator as global::System.IDisposable;
                if (disposable != null)
 /// <summary>
 /// Registers an additional X.509 store for every URI named as the full name of a
 /// distribution point in <paramref name="crldp"/>. Whether a store is actually added
 /// is decided by AddAdditionalStoreFromLocation, which checks
 /// pkixParams.IsAdditionalLocationsEnabled — the locations come from the certificate
 /// under validation, i.e. from data that is not yet trusted. The (presumable) early
 /// return for a null crldp, the try keyword and the continue for skipped distribution
 /// points are not shown in this listing.
 /// </summary>
 /// <param name="crldp">CRL distribution points extension of the certificate, or null.</param>
 /// <param name="pkixParams">Parameters that receive the additional stores.</param>
 /// <exception cref="Exception">The distribution points cannot be read.</exception>
 internal static void AddAdditionalStoresFromCrlDistributionPoint(CrlDistPoint crldp, PkixParameters pkixParams)
     if (crldp == null)
     DistributionPoint[] array = null;
         array = crldp.GetDistributionPoints();
     catch (global::System.Exception ex)
         throw new global::System.Exception("Distribution points could not be read.", ex);
     for (int i = 0; i < array.Length; i++)
         DistributionPointName distributionPointName = array[i].DistributionPointName;
         // Only PointType 0 (presumably the fullName choice) is handled; other forms are skipped.
         if (distributionPointName == null || distributionPointName.PointType != 0)
         GeneralName[] names = GeneralNames.GetInstance(distributionPointName.Name).GetNames();
         for (int j = 0; j < names.Length; j++)
             // Tag 6 is GeneralName.uniformResourceIdentifier (RFC 5280).
             if (names[j].TagNo == 6)
                 string @string = DerIA5String.GetInstance(names[j].Name).GetString();
                 AddAdditionalStoreFromLocation(@string, pkixParams);
        /// <summary>
        /// Attribute-certificate processing step 1: locates the holder's public-key
        /// certificate(s) through the configured stores and builds a certification path
        /// for each candidate. Decompiled rendering: braces, try openers and the final
        /// return of the built path are not shown.
        /// </summary>
        /// <param name="attrCert">The attribute certificate whose holder is being resolved.</param>
        /// <param name="pkixParams">Validation parameters supplying the certificate stores.</param>
        /// <exception cref="PkixCertPathValidatorException">
        /// If no holder certificate can be found, a store lookup fails, or any candidate's
        /// path cannot be built.
        /// </exception>
        internal static PkixCertPath ProcessAttrCert1(IX509AttributeCertificate attrCert, PkixParameters pkixParams)
            PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
            ISet set = new HashSet();

            // Holder identified by baseCertificateID: match issuer name + serial number.
            if (attrCert.Holder.GetIssuer() != null)
                X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector();
                x509CertStoreSelector.SerialNumber = attrCert.Holder.SerialNumber;
                X509Name[] issuer = attrCert.Holder.GetIssuer();
                for (int i = 0; i < issuer.Length; i++)
                        x509CertStoreSelector.Issuer = issuer[i];
                        set.AddAll((global::System.Collections.IEnumerable)PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores()));
                    catch (global::System.Exception cause)
                        throw new PkixCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", cause);
                if (set.IsEmpty)
                    throw new PkixCertPathValidatorException("Public key certificate specified in base certificate ID for attribute certificate cannot be found.");
            // Holder identified by entityName.
            // NOTE(review): the entity name is assigned to the selector's Issuer property,
            // not Subject; the other rendering on this page does the same - confirm intended.
            if (attrCert.Holder.GetEntityNames() != null)
                X509CertStoreSelector x509CertStoreSelector2 = new X509CertStoreSelector();
                X509Name[]            entityNames            = attrCert.Holder.GetEntityNames();
                for (int j = 0; j < entityNames.Length; j++)
                        x509CertStoreSelector2.Issuer = entityNames[j];
                        set.AddAll((global::System.Collections.IEnumerable)PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector2, pkixParams.GetStores()));
                    catch (global::System.Exception cause2)
                        throw new PkixCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", cause2);
                if (set.IsEmpty)
                    throw new PkixCertPathValidatorException("Public key certificate specified in entity name for attribute certificate cannot be found.");
            PkixBuilderParameters          instance = PkixBuilderParameters.GetInstance(pkixParams);
            PkixCertPathValidatorException ex       = null;

            // Build a path for every candidate holder certificate. Any failure is kept
            // and rethrown after the loop, so one bad candidate fails the step (fail-closed);
            // only the last failure is reported.
            global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)set).GetEnumerator();
                while (enumerator.MoveNext())
                    X509Certificate       certificate            = (X509Certificate)enumerator.get_Current();
                    X509CertStoreSelector x509CertStoreSelector3 = new X509CertStoreSelector();
                    x509CertStoreSelector3.Certificate = certificate;
                    // NOTE(review): in this rendering the selector is never attached to
                    // `instance` (the other rendering calls SetTargetConstraints); the line
                    // was probably dropped from the listing - verify against the source.
                    PkixCertPathBuilder pkixCertPathBuilder = new PkixCertPathBuilder();
                        pkixCertPathBuilderResult = pkixCertPathBuilder.Build(PkixBuilderParameters.GetInstance(instance));
                    catch (PkixCertPathBuilderException cause3)
                        ex = new PkixCertPathValidatorException("Certification path for public key certificate of attribute certificate could not be build.", cause3);
                global::System.IDisposable disposable = enumerator as global::System.IDisposable;
                if (disposable != null)
            if (ex != null)
                throw ex;
		/// <summary>
		/// Attribute-certificate processing step 2: validates the certification path of
		/// the AC issuer's public-key certificate with a fresh <see cref="PkixCertPathValidator"/>.
		/// </summary>
		/// <param name="certPath">Path of the AC issuer's public-key certificate.</param>
		/// <param name="pkixParams">PKIX parameters the path is validated against.</param>
		/// <returns>The validator's result for <paramref name="certPath"/>.</returns>
		/// <exception cref="PkixCertPathValidatorException">
		/// Wraps any validation failure so the caller can tell which AC step failed.
		/// </exception>
		internal static PkixCertPathValidatorResult ProcessAttrCert2(
			PkixCertPath	certPath,
			PkixParameters	pkixParams)
		{
			PkixCertPathValidatorResult outcome;
			try
			{
				outcome = new PkixCertPathValidator().Validate(certPath, pkixParams);
			}
			catch (PkixCertPathValidatorException failure)
			{
				// Re-wrap with a message naming the AC-issuer path; the original is kept as the cause.
				throw new PkixCertPathValidatorException(
					"Certification path for issuer certificate of attribute certificate could not be validated.",
					failure);
			}
			return outcome;
		}
		* Checks a distribution point for revocation information for the
		* certificate <code>attrCert</code>.
		* @param dp The distribution point to consider.
		* @param attrCert The attribute certificate which should be checked.
		* @param paramsPKIX PKIX parameters.
		* @param validDate The date when the certificate revocation status should
		*            be checked.
		* @param issuerCert Certificate to check if it is revoked.
		* @param reasonMask The reasons mask which is already checked.
		* @param certPathCerts The certificates of the certification path to be
		*            checked.
		* @throws Exception if the certificate is revoked or the status
		*             cannot be checked or some error occurs.
		/// <summary>
		/// Checks one CRL distribution point for the revocation status of an attribute
		/// certificate, updating <paramref name="certStatus"/> and <paramref name="reasonMask"/>.
		/// Each complete CRL from the stores is processed in turn until the certificate is
		/// found revoked or all reasons are covered; a CRL that fails any step is skipped and
		/// the next one is tried. Listing note: braces, try openers, the early return after
		/// the noRevAvail test and the continue after the reasons test are not shown.
		/// </summary>
		/// <param name="dp">Distribution point to consider.</param>
		/// <param name="attrCert">Attribute certificate being checked.</param>
		/// <param name="paramsPKIX">PKIX parameters (stores, delta/validity-model settings).</param>
		/// <param name="validDate">Time at which revocation status is evaluated.</param>
		/// <param name="issuerCert">Not referenced in the body shown here.</param>
		/// <param name="certStatus">In/out revocation status; left Unrevoked when nothing applies.</param>
		/// <param name="reasonMask">Reasons already covered by earlier CRLs.</param>
		/// <param name="certPathCerts">Certificates of the certification path being validated.</param>
		/// <exception cref="Exception">
		/// If <paramref name="validDate"/> lies in the future, or no CRL could be processed
		/// (the last per-CRL failure is rethrown).
		/// </exception>
		private static void CheckCrl(
			DistributionPoint			dp,
			IX509AttributeCertificate	attrCert,
			PkixParameters				paramsPKIX,
			DateTime					validDate,
			X509Certificate				issuerCert,
			CertStatus					certStatus,
			ReasonsMask					reasonMask,
			IList						certPathCerts)
			* 4.3.6 No Revocation Available
			* The noRevAvail extension, defined in [X.509-2000], allows an AC
			* issuer to indicate that no revocation information will be made
			* available for this AC.
			// An AC carrying noRevAvail is left unchecked (early return not shown).
			if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) != null)

			// Freshness is judged against the wall clock (UTC), not the validation date.
			DateTime currentDate = DateTime.UtcNow;
			if (validDate.CompareTo(currentDate) > 0)
				throw new Exception("Validation time is in future.");

			// (a)
			* We always get timely valid CRLs, so there is no step (a) (1).
			* "locally cached" CRLs are assumed to be in getStore(), additional
			* CRLs must be enabled in the ExtendedPkixParameters and are in
			* getAdditionalStore()
			ISet crls = PkixCertPathValidatorUtilities.GetCompleteCrls(dp, attrCert,
				currentDate, paramsPKIX);
			bool validCrlFound = false;
			// Only the most recent per-CRL failure survives; earlier ones are discarded.
			Exception lastException = null;

			IEnumerator crl_iter = crls.GetEnumerator();

			// Stop as soon as a CRL reports revocation or every reason has been covered.
			while (crl_iter.MoveNext()
				&& certStatus.Status == CertStatus.Unrevoked
				&& !reasonMask.IsAllReasons)
					X509Crl crl = (X509Crl) crl_iter.Current;

					// (d)
					ReasonsMask interimReasonsMask = Rfc3280CertPathUtilities.ProcessCrlD(crl, dp);

					// (e)
					* The reasons mask is updated at the end, so only valid CRLs
					* can update it. If this CRL does not contain new reasons it
					* must be ignored.
					if (!interimReasonsMask.HasNewReasons(reasonMask))

					// (f)
					ISet keys = Rfc3280CertPathUtilities.ProcessCrlF(crl, attrCert,
						null, null, paramsPKIX, certPathCerts);
					// (g)
					AsymmetricKeyParameter pubKey = Rfc3280CertPathUtilities.ProcessCrlG(crl, keys);

					X509Crl deltaCRL = null;

					if (paramsPKIX.IsUseDeltasEnabled)
						// get delta CRLs
						ISet deltaCRLs = PkixCertPathValidatorUtilities.GetDeltaCrls(
							currentDate, paramsPKIX, crl);
						// we only want one valid delta CRL
						// (h)
						deltaCRL = Rfc3280CertPathUtilities.ProcessCrlH(deltaCRLs, pubKey);

					* CRL must be valid at the current time, not the validation
					* time. If a certificate is revoked with reason keyCompromise,
					* cACompromise, it can be used for forgery, also for the past.
					* This reason may not be contained in older CRLs.

					* in the chain model signatures stay valid also after the
					* certificate has been expired, so they do not have to be in
					* the CRL validity time
					if (paramsPKIX.ValidityModel != PkixParameters.ChainValidityModel)
						* if a certificate has expired, but was revoked, it is not
						* more in the CRL, so it would be regarded as valid if the
						* first check is not done
						if (attrCert.NotAfter.CompareTo(crl.ThisUpdate) < 0)
							throw new Exception(
								"No valid CRL for current time found.");

					Rfc3280CertPathUtilities.ProcessCrlB1(dp, attrCert, crl);

					// (b) (2)
					Rfc3280CertPathUtilities.ProcessCrlB2(dp, attrCert, crl);

					// (c)
					Rfc3280CertPathUtilities.ProcessCrlC(deltaCRL, crl, paramsPKIX);

					// (i)
					Rfc3280CertPathUtilities.ProcessCrlI(validDate, deltaCRL,
						attrCert, certStatus, paramsPKIX);

					// (j)
					Rfc3280CertPathUtilities.ProcessCrlJ(validDate, crl, attrCert,

					// (k)
					// removeFromCRL is a hold release, not a revocation.
					if (certStatus.Status == CrlReason.RemoveFromCrl)
						certStatus.Status = CertStatus.Unrevoked;

					// update reasons mask
					// NOTE(review): no merge of interimReasonsMask into reasonMask appears
					// after this comment in the listing; the line may have been dropped - confirm.
					validCrlFound = true;
				catch (Exception e)
					lastException = e;
			// Fail-closed: no usable CRL means the check fails rather than passing silently.
			// NOTE(review): if the stores returned no CRL at all, lastException is still null
			// and `throw lastException` raises a NullReferenceException (C# `throw null`)
			// instead of a descriptive error.
			if (!validCrlFound)
				throw lastException;
 /// <summary>
 /// Returns the validation time configured on <paramref name="paramsPKIX"/>, or the
 /// current UTC time when none has been set.
 /// </summary>
 /// <param name="paramsPKIX">Parameters whose optional Date is consulted.</param>
 /// <returns>The configured date, else <c>DateTime.UtcNow</c>.</returns>
 internal static global::System.DateTime GetValidDate(PkixParameters paramsPKIX)
 {
     global::System.DateTime? configured = paramsPKIX.Date;
     if (configured.HasValue)
     {
         return configured.Value;
     }
     // No explicit validation time: fall back to "now" in UTC.
     return global::System.DateTime.UtcNow;
 }
         * Checks a distribution point for revocation information for the
         * certificate <code>attrCert</code>.
         * @param dp The distribution point to consider.
         * @param attrCert The attribute certificate which should be checked.
         * @param paramsPKIX PKIX parameters.
         * @param validDate The date when the certificate revocation status should
         *            be checked.
         * @param issuerCert Certificate to check if it is revoked.
         * @param reasonMask The reasons mask which is already checked.
         * @param certPathCerts The certificates of the certification path to be
         *            checked.
         * @throws Exception if the certificate is revoked or the status
         *             cannot be checked or some error occurs.
        /// <summary>
        /// Checks one CRL distribution point for the revocation status of an attribute
        /// certificate, updating <paramref name="certStatus"/> and <paramref name="reasonMask"/>.
        /// Complete CRLs from the stores are tried in turn; a CRL that fails any step is
        /// skipped and the next one is tried. Listing note: braces, try openers, the early
        /// return after the noRevAvail test, the continue after the reasons test and the
        /// third loop condition are not shown.
        /// </summary>
        /// <param name="dp">Distribution point to consider.</param>
        /// <param name="attrCert">Attribute certificate being checked.</param>
        /// <param name="paramsPKIX">PKIX parameters (stores, delta/validity-model settings).</param>
        /// <param name="validDate">Time at which revocation status is evaluated.</param>
        /// <param name="issuerCert">Not referenced in the body shown here.</param>
        /// <param name="certStatus">In/out revocation status; left Unrevoked when nothing applies.</param>
        /// <param name="reasonMask">Reasons already covered by earlier CRLs.</param>
        /// <param name="certPathCerts">Certificates of the certification path being validated.</param>
        /// <exception cref="Exception">
        /// If <paramref name="validDate"/> lies in the future, or no CRL could be processed
        /// (the last per-CRL failure is rethrown).
        /// </exception>
        private static void CheckCrl(
            DistributionPoint dp,
            IX509AttributeCertificate attrCert,
            PkixParameters paramsPKIX,
            DateTime validDate,
            X509Certificate issuerCert,
            CertStatus certStatus,
            ReasonsMask reasonMask,
            IList certPathCerts)
             * 4.3.6 No Revocation Available
             * The noRevAvail extension, defined in [X.509-2000], allows an AC
             * issuer to indicate that no revocation information will be made
             * available for this AC.
            // An AC carrying noRevAvail is left unchecked (early return not shown).
            if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) != null)

            // Freshness is judged against the wall clock (UTC), not the validation date.
            DateTime currentDate = DateTime.UtcNow;

            if (validDate.CompareTo(currentDate) > 0)
                throw new Exception("Validation time is in future.");

            // (a)

             * We always get timely valid CRLs, so there is no step (a) (1).
             * "locally cached" CRLs are assumed to be in getStore(), additional
             * CRLs must be enabled in the ExtendedPkixParameters and are in
             * getAdditionalStore()
            ISet crls = PkixCertPathValidatorUtilities.GetCompleteCrls(dp, attrCert,
                                                                       currentDate, paramsPKIX);
            bool      validCrlFound = false;
            // Only the most recent per-CRL failure survives; earlier ones are discarded.
            Exception lastException = null;

            IEnumerator crl_iter = crls.GetEnumerator();

            // Stop as soon as a CRL reports revocation (or, per the other rendering,
            // once every reason is covered).
            while (crl_iter.MoveNext() &&
                   certStatus.Status == CertStatus.Unrevoked &&
                    X509Crl crl = (X509Crl)crl_iter.Current;

                    // (d)
                    ReasonsMask interimReasonsMask = Rfc3280CertPathUtilities.ProcessCrlD(crl, dp);

                    // (e)

                     * The reasons mask is updated at the end, so only valid CRLs
                     * can update it. If this CRL does not contain new reasons it
                     * must be ignored.
                    if (!interimReasonsMask.HasNewReasons(reasonMask))

                    // (f)
                    ISet keys = Rfc3280CertPathUtilities.ProcessCrlF(crl, attrCert,
                                                                     null, null, paramsPKIX, certPathCerts);
                    // (g)
                    AsymmetricKeyParameter pubKey = Rfc3280CertPathUtilities.ProcessCrlG(crl, keys);

                    X509Crl deltaCRL = null;

                    if (paramsPKIX.IsUseDeltasEnabled)
                        // get delta CRLs
                        ISet deltaCRLs = PkixCertPathValidatorUtilities.GetDeltaCrls(
                            currentDate, paramsPKIX, crl);
                        // we only want one valid delta CRL
                        // (h)
                        deltaCRL = Rfc3280CertPathUtilities.ProcessCrlH(deltaCRLs, pubKey);

                     * CRL must be valid at the current time, not the validation
                     * time. If a certificate is revoked with reason keyCompromise,
                     * cACompromise, it can be used for forgery, also for the past.
                     * This reason may not be contained in older CRLs.

                     * in the chain model signatures stay valid also after the
                     * certificate has been expired, so they do not have to be in
                     * the CRL validity time
                    if (paramsPKIX.ValidityModel != PkixParameters.ChainValidityModel)
                         * if a certificate has expired, but was revoked, it is not
                         * more in the CRL, so it would be regarded as valid if the
                         * first check is not done
                        if (attrCert.NotAfter.CompareTo(crl.ThisUpdate) < 0)
                            throw new Exception(
                                      "No valid CRL for current time found.");

                    Rfc3280CertPathUtilities.ProcessCrlB1(dp, attrCert, crl);

                    // (b) (2)
                    Rfc3280CertPathUtilities.ProcessCrlB2(dp, attrCert, crl);

                    // (c)
                    Rfc3280CertPathUtilities.ProcessCrlC(deltaCRL, crl, paramsPKIX);

                    // (i)
                    Rfc3280CertPathUtilities.ProcessCrlI(validDate, deltaCRL,
                                                         attrCert, certStatus, paramsPKIX);

                    // (j)
                    Rfc3280CertPathUtilities.ProcessCrlJ(validDate, crl, attrCert,

                    // (k)
                    // removeFromCRL is a hold release, not a revocation.
                    if (certStatus.Status == CrlReason.RemoveFromCrl)
                        certStatus.Status = CertStatus.Unrevoked;

                    // update reasons mask
                    // NOTE(review): no merge of interimReasonsMask into reasonMask appears
                    // after this comment in the listing; the line may have been dropped - confirm.
                    validCrlFound = true;
                catch (Exception e)
                    lastException = e;
            // Fail-closed: no usable CRL means the check fails rather than passing silently.
            // NOTE(review): with an empty CRL set lastException is still null, so this
            // `throw` raises a NullReferenceException rather than a descriptive error.
            if (!validCrlFound)
                throw lastException;
        /// <summary>
        /// Attribute-certificate processing step 7: parses the targetInformation
        /// extension when it is critical, lets every configured attribute-certificate
        /// checker inspect the AC, and rejects any critical extension that is still
        /// unhandled afterwards. Listing note: braces and the try opener are not shown.
        /// </summary>
        /// <param name="attrCert">The attribute certificate being validated.</param>
        /// <param name="certPath">Certification path of the AC issuer.</param>
        /// <param name="holderCertPath">Certification path of the AC holder.</param>
        /// <param name="pkixParams">Parameters supplying the attribute-certificate checkers.</param>
        /// <exception cref="PkixCertPathValidatorException">
        /// If targetInformation cannot be decoded or unsupported critical extensions remain.
        /// </exception>
        internal static void ProcessAttrCert7(IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams)
            ISet criticalExtensionOids = attrCert.GetCriticalExtensionOids();

            // The parse is only a decode check; the value itself is not used here.
            if (criticalExtensionOids.Contains(X509Extensions.TargetInformation.Id))
                    TargetInformation.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.TargetInformation));
                catch (Exception cause)
                    throw new PkixCertPathValidatorException("Target information extension could not be read.", cause);
            // NOTE(review): as shown, the targetInformation OID is never removed from the
            // set after it is parsed, so a critical targetInformation extension would fall
            // through to the rejection below; the removing line may have been dropped from
            // this listing - confirm against the source.
            // Checkers are expected to remove the OIDs they handle from the shared set.
            foreach (PkixAttrCertChecker pkixAttrCertChecker in pkixParams.GetAttrCertCheckers())
                pkixAttrCertChecker.Check(attrCert, certPath, holderCertPath, criticalExtensionOids);
            // Fail-closed: an unrecognised critical extension rejects the AC.
            if (!criticalExtensionOids.IsEmpty)
                throw new PkixCertPathValidatorException("Attribute certificate contains unsupported critical extensions: " + criticalExtensionOids);
		/// <summary>
		/// Collects the complete CRLs (and, when deltas are enabled, the delta CRLs)
		/// matching <paramref name="cert"/> from the stores in <paramref name="paramsPKIX"/>.
		/// Listing note: braces and try openers are not shown.
		/// </summary>
		/// <param name="currentDate">Time used by the store lookup for CRL validity.</param>
		/// <param name="paramsPKIX">PKIX parameters supplying the CRL stores and delta setting.</param>
		/// <param name="cert">Certificate whose CRLs are being looked up.</param>
		/// <param name="crl">Complete CRL the delta CRLs must belong to.</param>
		/// <returns>A two-element array: [0] complete CRLs, [1] delta CRLs (empty when deltas are disabled).</returns>
		/// <exception cref="Exception">If the issuer list cannot be prepared or delta CRLs cannot be obtained.</exception>
		internal static ISet[] ProcessCrlA1ii(
			DateTime		currentDate,
			PkixParameters	paramsPKIX,
			X509Certificate	cert,
			X509Crl			crl)
			ISet deltaSet = new HashSet();
			X509CrlStoreSelector crlselect = new X509CrlStoreSelector();
			crlselect.CertificateChecking = cert;

				// NOTE(review): as shown, `issuer` is assigned while still empty - the
				// line adding the CRL issuer's encoding (the only thing that could raise
				// the IOException caught below) appears to have been dropped from this
				// listing; verify against the source before relying on the selector scope.
				IList issuer = Platform.CreateArrayList();
				crlselect.Issuers = issuer;
			catch (IOException e)
				throw new Exception("Cannot extract issuer from CRL." + e, e);

			// Only complete CRLs are wanted from this lookup; deltas are fetched separately.
			crlselect.CompleteCrlEnabled = true;
			ISet completeSet = CrlUtilities.FindCrls(crlselect, paramsPKIX, currentDate);

			if (paramsPKIX.IsUseDeltasEnabled)
				// get delta CRL(s)
					deltaSet.AddAll(PkixCertPathValidatorUtilities.GetDeltaCrls(currentDate, paramsPKIX, crl));
				catch (Exception e)
					throw new Exception("Exception obtaining delta CRLs.", e);

			return new ISet[]{ completeSet, deltaSet };
        /// <summary>
        /// Attribute-certificate processing step 2: validates the certification path of
        /// the AC issuer's public-key certificate with a fresh <see cref="PkixCertPathValidator"/>.
        /// </summary>
        /// <param name="certPath">Path of the AC issuer's public-key certificate.</param>
        /// <param name="pkixParams">PKIX parameters the path is validated against.</param>
        /// <returns>The validator's result for <paramref name="certPath"/>.</returns>
        /// <exception cref="PkixCertPathValidatorException">
        /// Wraps any validation failure so the caller can tell which AC step failed.
        /// </exception>
        internal static PkixCertPathValidatorResult ProcessAttrCert2(PkixCertPath certPath, PkixParameters pkixParams)
        {
            try
            {
                return new PkixCertPathValidator().Validate(certPath, pkixParams);
            }
            catch (PkixCertPathValidatorException failure)
            {
                // Re-wrap with a message naming the AC-issuer path; the original is kept as the cause.
                throw new PkixCertPathValidatorException("Certification path for issuer certificate of attribute certificate could not be validated.", failure);
            }
        }
		* If use-deltas is set, verify the issuer and scope of the delta CRL.
		* @param deltaCRL    The delta CRL.
		* @param completeCRL The complete CRL.
		* @param pkixParams  The PKIX parameters.
		* @throws AnnotatedException if an exception occurs.
		/// <summary>
		/// CRL processing step (c): when a delta CRL is present and deltas are enabled,
		/// verifies that it was issued by the same authority, for the same scope and under
		/// the same key as the complete CRL, so a delta from another issuer or distribution
		/// point cannot be combined with it. Listing note: braces, try openers and the early
		/// return for a null delta are not shown.
		/// </summary>
		/// <param name="deltaCRL">The delta CRL; null means there is nothing to check.</param>
		/// <param name="completeCRL">The complete CRL the delta is meant to update.</param>
		/// <param name="pkixParams">PKIX parameters; only the use-deltas flag is consulted.</param>
		/// <exception cref="Exception">If an extension cannot be decoded or any of the three comparisons fails.</exception>
		internal static void ProcessCrlC(
			X509Crl			deltaCRL,
			X509Crl			completeCRL,
			PkixParameters	pkixParams)
			if (deltaCRL == null)

			// Decoded unconditionally, even though it is only compared when deltas are enabled.
			IssuingDistributionPoint completeidp = null;
				completeidp = IssuingDistributionPoint.GetInstance(
					PkixCertPathValidatorUtilities.GetExtensionValue(completeCRL, X509Extensions.IssuingDistributionPoint));
			catch (Exception e)
				throw new Exception("000 Issuing distribution point extension could not be decoded.", e);

			if (pkixParams.IsUseDeltasEnabled)
				// (c) (1)
				// Same issuer DN (second argument requests an in-order comparison).
				if (!deltaCRL.IssuerDN.Equivalent(completeCRL.IssuerDN, true))
					throw new Exception("Complete CRL issuer does not match delta CRL issuer.");

				// (c) (2)
				// Same scope: the issuing distribution point extensions must agree
				// (both absent counts as equal).
				IssuingDistributionPoint deltaidp = null;
					deltaidp = IssuingDistributionPoint.GetInstance(
						PkixCertPathValidatorUtilities.GetExtensionValue(deltaCRL, X509Extensions.IssuingDistributionPoint));
				catch (Exception e)
					throw new Exception(
						"Issuing distribution point extension from delta CRL could not be decoded.", e);

				if (!Platform.Equals(completeidp, deltaidp))
					throw new Exception(
						"Issuing distribution point extension from delta CRL and complete CRL does not match.");

				// (c) (3)
				// Same signing key: both authority key identifiers must be present and equal.
				Asn1Object completeKeyIdentifier = null;
					completeKeyIdentifier = PkixCertPathValidatorUtilities.GetExtensionValue(
						completeCRL, X509Extensions.AuthorityKeyIdentifier);
				catch (Exception e)
					throw new Exception(
						"Authority key identifier extension could not be extracted from complete CRL.", e);

				Asn1Object deltaKeyIdentifier = null;
					deltaKeyIdentifier = PkixCertPathValidatorUtilities.GetExtensionValue(
						deltaCRL, X509Extensions.AuthorityKeyIdentifier);
				catch (Exception e)
					throw new Exception(
						"Authority key identifier extension could not be extracted from delta CRL.", e);

				// A missing AKI on either side is rejected rather than treated as a match.
				if (completeKeyIdentifier == null)
					throw new Exception("CRL authority key identifier is null.");

				if (deltaKeyIdentifier == null)
					throw new Exception("Delta CRL authority key identifier is null.");

				if (!completeKeyIdentifier.Equals(deltaKeyIdentifier))
					throw new Exception(
						"Delta CRL authority key identifier does not match complete CRL authority key identifier.");
        /// <summary>
        /// Attribute-certificate processing step 1: locates the holder's public-key
        /// certificate(s) through the configured stores and builds a certification path
        /// for each candidate. Listing note: braces, try openers and the final return of
        /// the built path are not shown.
        /// </summary>
        /// <param name="attrCert">The attribute certificate whose holder is being resolved.</param>
        /// <param name="pkixParams">Validation parameters supplying the certificate stores.</param>
        /// <exception cref="PkixCertPathValidatorException">
        /// If no holder certificate can be found, a store lookup fails, or any candidate's
        /// path cannot be built.
        /// </exception>
        internal static PkixCertPath ProcessAttrCert1(IX509AttributeCertificate attrCert, PkixParameters pkixParams)
            PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
            ISet set = new HashSet();

            // Holder identified by baseCertificateID: match issuer name + serial number.
            if (attrCert.Holder.GetIssuer() != null)
                X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector();
                x509CertStoreSelector.SerialNumber = attrCert.Holder.SerialNumber;
                X509Name[] issuer = attrCert.Holder.GetIssuer();
                for (int i = 0; i < issuer.Length; i++)
                        x509CertStoreSelector.Issuer = issuer[i];
                        set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores()));
                    catch (Exception cause)
                        throw new PkixCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", cause);
                if (set.IsEmpty)
                    throw new PkixCertPathValidatorException("Public key certificate specified in base certificate ID for attribute certificate cannot be found.");
            // Holder identified by entityName.
            // NOTE(review): the entity name is assigned to the selector's Issuer property,
            // not Subject; the other rendering on this page does the same - confirm intended.
            if (attrCert.Holder.GetEntityNames() != null)
                X509CertStoreSelector x509CertStoreSelector2 = new X509CertStoreSelector();
                X509Name[]            entityNames            = attrCert.Holder.GetEntityNames();
                for (int j = 0; j < entityNames.Length; j++)
                        x509CertStoreSelector2.Issuer = entityNames[j];
                        set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector2, pkixParams.GetStores()));
                    catch (Exception cause2)
                        throw new PkixCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", cause2);
                if (set.IsEmpty)
                    throw new PkixCertPathValidatorException("Public key certificate specified in entity name for attribute certificate cannot be found.");
            PkixBuilderParameters          instance = PkixBuilderParameters.GetInstance(pkixParams);
            PkixCertPathValidatorException ex       = null;

            // Build a path for every candidate holder certificate. Any failure is kept and
            // rethrown after the loop, so one bad candidate fails the step (fail-closed);
            // only the last failure is reported.
            foreach (X509Certificate certificate in set)
                // Target the builder at this exact certificate (object initialiser; braces not shown).
                instance.SetTargetConstraints(new X509CertStoreSelector
                    Certificate = certificate
                PkixCertPathBuilder pkixCertPathBuilder = new PkixCertPathBuilder();
                    pkixCertPathBuilderResult = pkixCertPathBuilder.Build(PkixBuilderParameters.GetInstance(instance));
                catch (PkixCertPathBuilderException cause3)
                    ex = new PkixCertPathValidatorException("Certification path for public key certificate of attribute certificate could not be build.", cause3);
            if (ex != null)
                throw ex;
        /// <summary>
        /// Attribute-certificate processing step 7: parses the targetInformation
        /// extension when it is critical, lets every configured attribute-certificate
        /// checker inspect the AC, and rejects any critical extension that is still
        /// unhandled afterwards. Decompiled rendering: braces, try openers and the
        /// enumerator's Dispose call are not shown.
        /// </summary>
        /// <param name="attrCert">The attribute certificate being validated.</param>
        /// <param name="certPath">Certification path of the AC issuer.</param>
        /// <param name="holderCertPath">Certification path of the AC holder.</param>
        /// <param name="pkixParams">Parameters supplying the attribute-certificate checkers.</param>
        /// <exception cref="PkixCertPathValidatorException">
        /// If targetInformation cannot be decoded or unsupported critical extensions remain.
        /// </exception>
        internal static void ProcessAttrCert7(IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams)
            ISet criticalExtensionOids = attrCert.GetCriticalExtensionOids();

            // The parse is only a decode check; the value itself is not used here.
            if (criticalExtensionOids.Contains(X509Extensions.TargetInformation.Id))
                    TargetInformation.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.TargetInformation));
                catch (global::System.Exception cause)
                    throw new PkixCertPathValidatorException("Target information extension could not be read.", cause);
            // NOTE(review): as shown, the targetInformation OID is never removed from the
            // set after it is parsed, so a critical targetInformation extension would fall
            // through to the rejection below; the removing line may have been dropped from
            // this listing - confirm against the source.
            // Checkers are expected to remove the OIDs they handle from the shared set.
            global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)pkixParams.GetAttrCertCheckers()).GetEnumerator();
                while (enumerator.MoveNext())
                    PkixAttrCertChecker pkixAttrCertChecker = (PkixAttrCertChecker)enumerator.get_Current();
                    pkixAttrCertChecker.Check(attrCert, certPath, holderCertPath, criticalExtensionOids);
                global::System.IDisposable disposable = enumerator as global::System.IDisposable;
                if (disposable != null)
            // Fail-closed: an unrecognised critical extension rejects the AC.
            if (!criticalExtensionOids.IsEmpty)
                throw new PkixCertPathValidatorException(string.Concat((object)"Attribute certificate contains unsupported critical extensions: ", (object)criticalExtensionOids));
        /// <summary>
        /// Checks one CRL distribution point for the revocation status of an attribute
        /// certificate, updating <paramref name="certStatus"/> and <paramref name="reasonMask"/>.
        /// Decompiled rendering of the CheckCrl shown elsewhere on this page: constants are
        /// inlined (11 = CertStatus.Unrevoked, 8 = CrlReason.RemoveFromCrl,
        /// 1 = PkixParameters.ChainValidityModel) and braces, try openers and the early
        /// return after the noRevAvail test are not shown.
        /// </summary>
        /// <param name="dp">Distribution point to consider.</param>
        /// <param name="attrCert">Attribute certificate being checked.</param>
        /// <param name="paramsPKIX">PKIX parameters (stores, delta/validity-model settings).</param>
        /// <param name="validDate">Time at which revocation status is evaluated.</param>
        /// <param name="issuerCert">Not referenced in the body shown here.</param>
        /// <param name="certStatus">In/out revocation status; left Unrevoked when nothing applies.</param>
        /// <param name="reasonMask">Reasons already covered by earlier CRLs.</param>
        /// <param name="certPathCerts">Certificates of the certification path being validated.</param>
        /// <exception cref="Exception">
        /// If <paramref name="validDate"/> lies in the future, or no CRL could be processed
        /// (the last per-CRL failure is rethrown).
        /// </exception>
        private static void CheckCrl(DistributionPoint dp, IX509AttributeCertificate attrCert, PkixParameters paramsPKIX, DateTime validDate, X509Certificate issuerCert, CertStatus certStatus, ReasonsMask reasonMask, IList certPathCerts)
            // An AC carrying noRevAvail is left unchecked (early return not shown).
            if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) != null)
            // Freshness is judged against the wall clock (UTC), not the validation date.
            DateTime utcNow = DateTime.UtcNow;

            if (validDate.CompareTo(utcNow) > 0)
                throw new Exception("Validation time is in future.");
            ISet        completeCrls = PkixCertPathValidatorUtilities.GetCompleteCrls(dp, attrCert, utcNow, paramsPKIX);
            bool        flag         = false;
            // Only the most recent per-CRL failure survives; earlier ones are discarded.
            Exception   ex           = null;
            IEnumerator enumerator   = completeCrls.GetEnumerator();

            // 11 == CertStatus.Unrevoked: stop once revoked or all reasons are covered.
            while (enumerator.MoveNext() && certStatus.Status == 11 && !reasonMask.IsAllReasons)
                    X509Crl     x509Crl     = (X509Crl)enumerator.Current;
                    ReasonsMask reasonsMask = Rfc3280CertPathUtilities.ProcessCrlD(x509Crl, dp);
                    // A CRL that adds no new reasons is ignored entirely.
                    if (reasonsMask.HasNewReasons(reasonMask))
                        ISet keys = Rfc3280CertPathUtilities.ProcessCrlF(x509Crl, attrCert, null, null, paramsPKIX, certPathCerts);
                        AsymmetricKeyParameter key = Rfc3280CertPathUtilities.ProcessCrlG(x509Crl, keys);
                        X509Crl x509Crl2           = null;
                        if (paramsPKIX.IsUseDeltasEnabled)
                            ISet deltaCrls = PkixCertPathValidatorUtilities.GetDeltaCrls(utcNow, paramsPKIX, x509Crl);
                            x509Crl2 = Rfc3280CertPathUtilities.ProcessCrlH(deltaCrls, key);
                        // 1 == PkixParameters.ChainValidityModel. Outside the chain model an
                        // expired AC must still be covered by a CRL issued before its expiry,
                        // otherwise a revoked-then-expired AC would look unrevoked.
                        if (paramsPKIX.ValidityModel != 1 && attrCert.NotAfter.CompareTo(x509Crl.ThisUpdate) < 0)
                            throw new Exception("No valid CRL for current time found.");
                        Rfc3280CertPathUtilities.ProcessCrlB1(dp, attrCert, x509Crl);
                        Rfc3280CertPathUtilities.ProcessCrlB2(dp, attrCert, x509Crl);
                        Rfc3280CertPathUtilities.ProcessCrlC(x509Crl2, x509Crl, paramsPKIX);
                        Rfc3280CertPathUtilities.ProcessCrlI(validDate, x509Crl2, attrCert, certStatus, paramsPKIX);
                        Rfc3280CertPathUtilities.ProcessCrlJ(validDate, x509Crl, attrCert, certStatus);
                        // 8 == CrlReason.RemoveFromCrl: a hold release is not a revocation.
                        if (certStatus.Status == 8)
                            certStatus.Status = 11;
                        // NOTE(review): no merge of reasonsMask into reasonMask appears here;
                        // the line may have been dropped from this listing - confirm.
                        flag = true;
                catch (Exception ex2)
                    ex = ex2;
            // Fail-closed: no usable CRL means the check fails rather than passing silently.
            // NOTE(review): with an empty CRL set `ex` is still null, so this `throw`
            // raises a NullReferenceException rather than a descriptive error.
            if (!flag)
                throw ex;
 /// <summary>
 /// Registers every URI-form distribution point found in <paramref name="crldp"/> as an
 /// additional CRL store on <paramref name="pkixParams"/>. Listing note: braces and the
 /// try opener are not shown.
 /// </summary>
 /// <param name="crldp">CRL distribution points extension of the certificate under validation; null is a no-op.</param>
 /// <param name="pkixParams">Validation parameters that receive the additional stores.</param>
 /// <exception cref="Exception">If the distribution points cannot be decoded.</exception>
 internal static void AddAdditionalStoresFromCrlDistributionPoint(CrlDistPoint crldp, PkixParameters pkixParams)
     if (crldp != null)
         DistributionPoint[] array = null;
             array = crldp.GetDistributionPoints();
         catch (Exception innerException)
             throw new Exception("Distribution points could not be read.", innerException);
         for (int i = 0; i < array.Length; i++)
             DistributionPointName distributionPointName = array[i].DistributionPointName;
             // Only the fullName choice (PointType 0) carries GeneralNames; the
             // nameRelativeToCRLIssuer choice is skipped here.
             if (distributionPointName != null && distributionPointName.PointType == 0)
                 GeneralName[] names = GeneralNames.GetInstance(distributionPointName.Name).GetNames();
                 for (int j = 0; j < names.Length; j++)
                     // GeneralName tag 6 is the uniformResourceIdentifier choice.
                     if (names[j].TagNo == 6)
                         string @string = DerIA5String.GetInstance(names[j].Name).GetString();
                         // The location string comes straight out of the certificate being
                         // validated, so whatever store is created from it must treat the URI
                         // as untrusted input rather than a trusted configuration value.
                         PkixCertPathValidatorUtilities.AddAdditionalStoreFromLocation(@string, pkixParams);
 /// <summary>
 /// Revocation check for an attribute certificate: registers the AC's CRL distribution
 /// points as extra stores, then runs CheckCrl for each distribution point and, if the
 /// status is still open, once more against the AC issuer's name. Nothing is checked
 /// when revocation is disabled in <paramref name="paramsPKIX"/>, so callers that turn
 /// it off accept the AC without any revocation status. Decompiled rendering: constants
 /// are inlined (11 = CertStatus.Unrevoked; 12 presumably the "undetermined" status) and
 /// braces, try openers and the loop counter increment are not shown.
 /// </summary>
 /// <param name="attrCert">The attribute certificate being checked.</param>
 /// <param name="paramsPKIX">PKIX parameters; cloned before each CheckCrl call.</param>
 /// <param name="issuerCert">Passed through to CheckCrl.</param>
 /// <param name="validDate">Time at which revocation status is evaluated.</param>
 /// <param name="certPathCerts">Certificates of the certification path being validated.</param>
 /// <exception cref="PkixCertPathValidatorException">
 /// If an extension cannot be decoded, no valid CRL is found, the AC is revoked, its
 /// status cannot be determined, or noRevAvail is combined with a revocation pointer.
 /// </exception>
 internal static void CheckCrls(IX509AttributeCertificate attrCert, PkixParameters paramsPKIX, X509Certificate issuerCert, DateTime validDate, IList certPathCerts)
     if (paramsPKIX.IsRevocationEnabled)
         if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) == null)
             CrlDistPoint crlDistPoint = null;
                 crlDistPoint = CrlDistPoint.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.CrlDistributionPoints));
             catch (Exception cause)
                 throw new PkixCertPathValidatorException("CRL distribution point extension could not be read.", cause);
                 // Locations taken from the AC itself become additional CRL stores.
                 PkixCertPathValidatorUtilities.AddAdditionalStoresFromCrlDistributionPoint(crlDistPoint, paramsPKIX);
             catch (Exception cause2)
                 throw new PkixCertPathValidatorException("No additional CRL locations could be decoded from CRL distribution point extension.", cause2);
             CertStatus  certStatus  = new CertStatus();
             ReasonsMask reasonsMask = new ReasonsMask();
             // Last failure seen while trying distribution points; reported if nothing succeeds.
             Exception   cause3      = null;
             bool        flag        = false;
             if (crlDistPoint != null)
                 DistributionPoint[] array = null;
                     array = crlDistPoint.GetDistributionPoints();
                 catch (Exception cause4)
                     throw new PkixCertPathValidatorException("Distribution points could not be read.", cause4);
                     int num = 0;
                     // 11 == CertStatus.Unrevoked. NOTE(review): the `num++` step is not shown
                     // in this listing - confirm the loop advances.
                     while (num < array.Length && certStatus.Status == 11 && !reasonsMask.IsAllReasons)
                         // Each distribution point gets its own copy of the parameters;
                         // presumably so store additions made by CheckCrl stay isolated.
                         PkixParameters paramsPKIX2 = (PkixParameters)paramsPKIX.Clone();
                         Rfc3281CertPathUtilities.CheckCrl(array[num], attrCert, paramsPKIX2, validDate, issuerCert, certStatus, reasonsMask, certPathCerts);
                         flag = true;
                 catch (Exception innerException)
                     cause3 = new Exception("No valid CRL for distribution point found.", innerException);
             // Still undecided: fall back to a distribution point built from the AC issuer's
             // name (fullName choice, GeneralName tag 4 = directoryName).
             if (certStatus.Status == 11 && !reasonsMask.IsAllReasons)
                     Asn1Object name = null;
                         name = new Asn1InputStream(attrCert.Issuer.GetPrincipals()[0].GetEncoded()).ReadObject();
                     catch (Exception innerException2)
                         throw new Exception("Issuer from certificate for CRL could not be reencoded.", innerException2);
                     DistributionPoint dp          = new DistributionPoint(new DistributionPointName(0, new GeneralNames(new GeneralName(4, name))), null, null);
                     PkixParameters    paramsPKIX3 = (PkixParameters)paramsPKIX.Clone();
                     Rfc3281CertPathUtilities.CheckCrl(dp, attrCert, paramsPKIX3, validDate, issuerCert, certStatus, reasonsMask, certPathCerts);
                     flag = true;
                 catch (Exception innerException3)
                     cause3 = new Exception("No valid CRL for distribution point found.", innerException3);
             // Fail-closed: no usable CRL anywhere rejects the AC.
             if (!flag)
                 throw new PkixCertPathValidatorException("No valid CRL found.", cause3);
             // Any status other than Unrevoked is a revocation; report date and reason.
             if (certStatus.Status != 11)
                 string str  = certStatus.RevocationDate.Value.ToString("ddd MMM dd HH:mm:ss K yyyy");
                 string text = "Attribute certificate revocation after " + str;
                 text = text + ", reason: " + Rfc3280CertPathUtilities.CrlReasons[certStatus.Status];
                 throw new PkixCertPathValidatorException(text);
             // Unrevoked but not every reason was covered: the status is undetermined
             // (12), which is also treated as a failure rather than as "not revoked".
             if (!reasonsMask.IsAllReasons && certStatus.Status == 11)
                 certStatus.Status = 12;
             if (certStatus.Status == 12)
                 throw new PkixCertPathValidatorException("Attribute certificate status could not be determined.");
         // noRevAvail together with a CRL DP or AIA extension is contradictory and rejected.
         else if (attrCert.GetExtensionValue(X509Extensions.CrlDistributionPoints) != null || attrCert.GetExtensionValue(X509Extensions.AuthorityInfoAccess) != null)
             throw new PkixCertPathValidatorException("No rev avail extension is set, but also an AC revocation pointer.");
		/// <summary>
		/// Attribute-certificate processing step 5: the AC's validity period is checked and
		/// an expired or not-yet-valid AC is reported as a validation failure. Listing note:
		/// braces, the try opener and the guarded call itself (presumably the AC's validity
		/// check) are not shown; only the two catch clauses survive.
		/// </summary>
		/// <param name="attrCert">The attribute certificate being validated.</param>
		/// <param name="pkixParams">Not referenced in the body shown here.</param>
		/// <exception cref="PkixCertPathValidatorException">
		/// If the AC is expired or not yet valid; the original exception is kept as the cause.
		/// </exception>
		internal static void ProcessAttrCert5(
			IX509AttributeCertificate	attrCert,
			PkixParameters				pkixParams)
			catch (CertificateExpiredException e)
				throw new PkixCertPathValidatorException(
					"Attribute certificate is not valid.", e);
			catch (CertificateNotYetValidException e)
				throw new PkixCertPathValidatorException(
					"Attribute certificate is not valid.", e);
        /// <summary>
        /// RFC 3280 section 6.1 certification path validation (decompiled listing of
        /// PkixCertPathValidator.Validate; an annotated source copy of the same method
        /// appears further down this page).  The path is ordered target certificate
        /// first (certificates[0]) and the certificate issued by the trust anchor last.
        /// NOTE(review): this decompiled copy has braces, <c>try</c> and <c>else</c>
        /// keywords stripped, so every pair of assignments that follows an <c>if</c>
        /// below is a then/else pair, and each catch belongs to a try whose opening
        /// is not shown.
        /// </summary>
        /// <param name="certPath">The path to validate, target first.</param>
        /// <param name="paramsPkix">Trust anchors, policy flags, target constraints and
        /// path checkers.  Signature, validity and revocation checking per certificate
        /// is delegated to ProcessCertA, whose body is not on this page.</param>
        /// <returns>The matched trust anchor, the valid policy tree (may be null) and
        /// the subject public key of the target certificate.</returns>
        /// <exception cref="ArgumentException">no trust anchors configured.</exception>
        /// <exception cref="PkixCertPathValidatorException">empty path, no anchor for the
        /// last certificate, target-constraint mismatch, v1 intermediate, policy failure,
        /// or any per-certificate check failing; the index names the offending
        /// certificate (-1 = trust anchor).</exception>
        public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters paramsPkix)
            // Without anchors nothing can be trusted; refuse rather than validate against nothing.
            if (paramsPkix.GetTrustAnchors() == null)
                throw new ArgumentException("trustAnchors is null, this is not allowed for certification path validation.", "parameters");
            IList certificates = certPath.Certificates;
            int   count        = certificates.Count;

            if (certificates.Count == 0)
                throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);
            ISet        initialPolicies = paramsPkix.GetInitialPolicies();
            TrustAnchor trustAnchor;

                // The anchor is looked up for the LAST certificate in the path only.
                trustAnchor = PkixCertPathValidatorUtilities.FindTrustAnchor((X509Certificate)certificates[certificates.Count - 1], paramsPkix.GetTrustAnchors());
            catch (Exception ex)
                throw new PkixCertPathValidatorException(ex.Message, ex, certPath, certificates.Count - 1);
            if (trustAnchor == null)
                throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
            int i = 0;

            // One policy-node list per depth, depth 0 being the anchor level (6.1.2 (a)).
            IList[] array = new IList[count + 1];
            for (int j = 0; j < array.Length; j++)
                array[j] = Platform.CreateArrayList();
            ISet set = new HashSet();

            PkixPolicyNode pkixPolicyNode = new PkixPolicyNode(Platform.CreateArrayList(), 0, set, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, false);

            PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();
            ISet acceptablePolicies = new HashSet();
            int  num;

            // num is explicit_policy (6.1.2 (d)); the next two are inhibit_anyPolicy and
            // policy_mapping.  Each is 0 when the caller demands it, otherwise n + 1 so it
            // cannot reach 0 during the walk.  The second assignment of each pair is the
            // stripped else branch.
            if (paramsPkix.IsExplicitPolicyRequired)
                num = 0;
                num = count + 1;
            int inhibitAnyPolicy;

            if (paramsPkix.IsAnyPolicyInhibited)
                inhibitAnyPolicy = 0;
                inhibitAnyPolicy = count + 1;
            int policyMapping;

            if (paramsPkix.IsPolicyMappingInhibited)
                policyMapping = 0;
                policyMapping = count + 1;
            // The working issuer name / public key start from the anchor, which is either a
            // certificate or a bare (CA name, CA public key) pair (the else branch).
            X509Certificate        x509Certificate = trustAnchor.TrustedCert;
            X509Name               workingIssuerName;
            AsymmetricKeyParameter asymmetricKeyParameter;

                if (x509Certificate != null)
                    workingIssuerName      = x509Certificate.SubjectDN;
                    asymmetricKeyParameter = x509Certificate.GetPublicKey();
                    workingIssuerName      = new X509Name(trustAnchor.CAName);
                    asymmetricKeyParameter = trustAnchor.CAPublicKey;
            catch (ArgumentException cause)
                throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", cause, certPath, -1);
            // NOTE(review): this catch belongs to a GetAlgorithmIdentifier(...) call on the
            // anchor key that the decompiled listing does not show; the source copy below has it.
            catch (PkixCertPathValidatorException cause2)
                throw new PkixCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", cause2, certPath, -1);
            int maxPathLength = count;
            X509CertStoreSelector targetCertConstraints = paramsPkix.GetTargetCertConstraints();

            // Target constraints apply to the end-entity certificate only (index 0).
            if (targetCertConstraints != null && !targetCertConstraints.Match((X509Certificate)certificates[0]))
                throw new PkixCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
            IList       certPathCheckers = paramsPkix.GetCertPathCheckers();
            IEnumerator enumerator       = certPathCheckers.GetEnumerator();

            // Loop body (checker initialisation) is stripped in this listing.
            while (enumerator.MoveNext())
            X509Certificate x509Certificate2 = null;

            // Walk from the certificate nearest the anchor down to the target; num2 is the
            // 1-based position "i" of RFC 3280 6.1.3.
            for (i = certificates.Count - 1; i >= 0; i--)
                int num2 = count - i;
                x509Certificate2 = (X509Certificate)certificates[i];
                // ProcessCertA receives the working key, issuer name and signer, i.e. it is
                // where the 6.1.3 (a) checks (signature, validity, revocation, issuer name)
                // would be performed - its body is not on this page.
                Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, i, asymmetricKeyParameter, workingIssuerName, x509Certificate);
                Rfc3280CertPathUtilities.ProcessCertBC(certPath, i, nameConstraintValidator);
                pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertD(certPath, i, acceptablePolicies, pkixPolicyNode, array, inhibitAnyPolicy);
                pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertE(certPath, i, pkixPolicyNode);
                Rfc3280CertPathUtilities.ProcessCertF(certPath, i, pkixPolicyNode, num);
                // 6.1.4 "prepare for next certificate" runs for every certificate except the target.
                if (num2 != count)
                    // A v1 certificate cannot carry basicConstraints, so it may never act as a CA.
                    if (x509Certificate2 != null && x509Certificate2.Version == 1)
                        throw new PkixCertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, certPath, i);
                    Rfc3280CertPathUtilities.PrepareNextCertA(certPath, i);
                    pkixPolicyNode = Rfc3280CertPathUtilities.PrepareCertB(certPath, i, array, pkixPolicyNode, policyMapping);
                    Rfc3280CertPathUtilities.PrepareNextCertG(certPath, i, nameConstraintValidator);
                    num              = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, i, num);
                    policyMapping    = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, i, policyMapping);
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, i, inhibitAnyPolicy);
                    num              = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, i, num);
                    policyMapping    = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, i, policyMapping);
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, i, inhibitAnyPolicy);
                    Rfc3280CertPathUtilities.PrepareNextCertK(certPath, i);
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, i, maxPathLength);
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, i, maxPathLength);
                    Rfc3280CertPathUtilities.PrepareNextCertN(certPath, i);
                    // Critical extensions are handed to the path checkers in step (o); the
                    // second assignment is the else branch (no critical extensions present).
                    ISet set2 = x509Certificate2.GetCriticalExtensionOids();
                    if (set2 != null)
                        set2 = new HashSet(set2);
                        set2 = new HashSet();
                    Rfc3280CertPathUtilities.PrepareNextCertO(certPath, i, set2, certPathCheckers);
                    // This certificate becomes the signer for the next round.
                    x509Certificate   = x509Certificate2;
                    workingIssuerName = x509Certificate.SubjectDN;
                        asymmetricKeyParameter = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, i);
                    catch (PkixCertPathValidatorException cause3)
                        throw new PkixCertPathValidatorException("Next working key could not be retrieved.", cause3, certPath, i);
            // 6.1.5 wrap-up on the target certificate; after the loop i == -1, so i + 1 is index 0.
            num = Rfc3280CertPathUtilities.WrapupCertA(num, x509Certificate2);
            num = Rfc3280CertPathUtilities.WrapupCertB(certPath, i + 1, num);
            ISet set3 = x509Certificate2.GetCriticalExtensionOids();

            if (set3 != null)
                set3 = new HashSet(set3);
                set3 = new HashSet();
            Rfc3280CertPathUtilities.WrapupCertF(certPath, i + 1, certPathCheckers, set3);
            PkixPolicyNode pkixPolicyNode2 = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, initialPolicies, i + 1, array, pkixPolicyNode, acceptablePolicies);

            // 6.1.5 (g): success unless explicit policy is required (num == 0) AND the
            // intersection of the policy tree with the initial policies is empty.
            if (num > 0 || pkixPolicyNode2 != null)
                return(new PkixCertPathValidatorResult(trustAnchor, pkixPolicyNode2, x509Certificate2.GetPublicKey()));
            throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, i);
		/**
		* RFC 3281 section 5, step (3): sanity-checks the public key certificate
		* of the attribute certificate issuer.
		* <ul>
		* <li>If a keyUsage extension is present it must allow signature
		* verification, i.e. at least one of digitalSignature (bit 0) or
		* nonRepudiation (bit 1) must be set.  A certificate without the
		* extension passes.</li>
		* <li>The issuer must not also be a CA: a non -1 basicConstraints value
		* is rejected, since RFC 3281 forbids one key issuing both PKCs and ACs.</li>
		* </ul>
		* @param acIssuerCert The AC issuer's public key certificate.
		* @param pkixParams The PKIX parameters (not consulted by this check).
		* @throws PkixCertPathValidatorException if either condition fails.
		*/
		internal static void ProcessAttrCert3(
			X509Certificate	acIssuerCert,
			PkixParameters	pkixParams)
		{
			bool[] keyUsage = acIssuerCert.GetKeyUsage();
			bool mayVerifySignatures = keyUsage == null || keyUsage[0] || keyUsage[1];
			if (!mayVerifySignatures)
			{
				throw new PkixCertPathValidatorException(
					"Attribute certificate issuer public key cannot be used to validate digital signatures.");
			}

			// -1 is the "no CA constraint" value; anything else marks a CA certificate.
			bool isCertificateAuthority = acIssuerCert.GetBasicConstraints() != -1;
			if (isCertificateAuthority)
			{
				throw new PkixCertPathValidatorException(
					"Attribute certificate issuer is also a public key certificate issuer.");
			}
		}
         * Add the CRL issuers from the cRLIssuer field of the distribution point or
         * from the certificate if not given to the issuer criterion of the
         * <code>selector</code>.
         * <p>
         * The <code>issuerPrincipals</code> are a collection with a single
         * <code>X500Principal</code> for <code>X509Certificate</code>s. For
         * {@link X509AttributeCertificate}s the issuer may contain more than one
         * <code>X500Principal</code>.
         * </p>
         * @param dp The distribution point.
         * @param issuerPrincipals The issuers of the certificate or attribute
         *            certificate which contains the distribution point.
         * @param selector The CRL selector.
         * @param pkixParams The PKIX parameters containing the cert stores.
         * @throws Exception if an exception occurs while processing.
         * @throws ClassCastException if <code>issuerPrincipals</code> does not
         * contain only <code>X500Principal</code>s.
        // NOTE(review): the try openers, braces and the issuers.Add(...) statements of
        // this listing are stripped; what survives is the control skeleton.  The
        // security-relevant behaviour is: a distribution point that names its own CRL
        // issuer (indirect CRL) decides who may sign the CRL, otherwise the CRL must
        // come from the certificate issuer(s) themselves.
        internal static void GetCrlIssuersFromDistributionPoint(
            DistributionPoint dp,
            ICollection issuerPrincipals,
            X509CrlStoreSelector selector,
            PkixParameters pkixParams)
            IList issuers = Platform.CreateArrayList();

            // indirect CRL
            if (dp.CrlIssuer != null)
                GeneralName[] genNames = dp.CrlIssuer.GetNames();
                // look for a DN
                // Only directoryName entries are considered; any other GeneralName choice
                // in cRLIssuer (URI, rfc822Name, ...) is silently skipped.
                for (int j = 0; j < genNames.Length; j++)
                    if (genNames[j].TagNo == GeneralName.DirectoryName)
                        // (stripped) the decoded name is added to issuers inside a try block
                        catch (IOException e)
                            throw new Exception(
                                      "CRL issuer information from distribution point cannot be decoded.",
            // else branch (keyword stripped): cRLIssuer is absent, so the certificate
            // issuer is the CRL issuer and RFC 3280 4.2.1.14 requires the
            // distributionPoint field to be present.
                 * certificate issuer is CRL issuer, distributionPoint field MUST be
                 * present.
                if (dp.DistributionPointName == null)
                    throw new Exception(
                              "CRL issuer is omitted from distribution point but no distributionPoint field present.");

                // add and check issuer principals
                // (stripped) each entry of issuerPrincipals is added to issuers; a non-X.500
                // name entry is what the ClassCastException in the doc comment refers to.
                for (IEnumerator it = issuerPrincipals.GetEnumerator(); it.MoveNext();)
            // TODO: is not found although this should correctly add the rel name. selector of Sun is buggy here or PKI test case is invalid
            // NOTE(review): because the nameRelativeToCRLIssuer handling below is disabled, a
            // distribution point that uses a relative name is never expanded into a full CRL
            // issuer name, so CRLs for such points will not be found.  The CheckCrls caller on
            // this page treats "no CRL found" / undetermined status as a validation failure,
            // so this fails closed rather than open.
            // distributionPoint
            //        if (dp.getDistributionPoint() != null)
            //        {
            //            // look for nameRelativeToCRLIssuer
            //            if (dp.getDistributionPoint().getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER)
            //            {
            //                // append fragment to issuer, only one
            //                // issuer can be there, if this is given
            //                if (issuers.size() != 1)
            //                {
            //                    throw new AnnotatedException(
            //                        "nameRelativeToCRLIssuer field is given but more than one CRL issuer is given.");
            //                }
            //                DEREncodable relName = dp.getDistributionPoint().getName();
            //                Iterator it = issuers.iterator();
            //                List issuersTemp = new ArrayList(issuers.size());
            //                while (it.hasNext())
            //                {
            //                    Enumeration e = null;
            //                    try
            //                    {
            //                        e = ASN1Sequence.getInstance(
            //                            new ASN1InputStream(((X500Principal)
            //                                .getEncoded()).readObject()).getObjects();
            //                    }
            //                    catch (IOException ex)
            //                    {
            //                        throw new AnnotatedException(
            //                            "Cannot decode CRL issuer information.", ex);
            //                    }
            //                    ASN1EncodableVector v = new ASN1EncodableVector();
            //                    while (e.hasMoreElements())
            //                    {
            //                        v.add((DEREncodable) e.nextElement());
            //                    }
            //                    v.add(relName);
            //                    issuersTemp.add(new X500Principal(new DERSequence(v)
            //                        .getDEREncoded()));
            //                }
            //                issuers.clear();
            //                issuers.addAll(issuersTemp);
            //            }
            //        }

            // The selector now only accepts CRLs signed by one of the collected issuers.
            selector.Issuers = issuers;
		* Searches for a holder public key certificate and verifies its
		* certification path.
		* @param attrCert the attribute certificate.
		* @param pkixParams The PKIX parameters.
		* @return The certificate path of the holder certificate.
		* @throws PkixCertPathValidatorException (every failure path in this port, including a failed store search, is wrapped in this type) if
		*             <ul>
		*             <li>no public key certificate can be found although holder
		*             information is given by an entity name or a base certificate
		*             ID</li>
		*             <li>support classes cannot be created</li>
		*             <li>no certification path for the public key certificate can
		*             be built</li>
		*             </ul>
		// NOTE(review): this listing has try openers, braces and the left-hand side of
		// several statements stripped (the receiver of the .FindCertificates(...) calls,
		// the right-hand side of the PkixBuilderParameters assignment, and the statement
		// that installs `selector` as the builder's target constraint).  Read it as a
		// skeleton; the control flow and the failure semantics are intact.
		internal static PkixCertPath ProcessAttrCert1(
			IX509AttributeCertificate	attrCert,
			PkixParameters				pkixParams)
			PkixCertPathBuilderResult result = null;
			// find holder PKCs
			ISet holderPKCs = new HashSet();
			// Holder given as baseCertificateID: match issuer + serial of the holder's PKC.
			if (attrCert.Holder.GetIssuer() != null)
				X509CertStoreSelector selector = new X509CertStoreSelector();
				selector.SerialNumber = attrCert.Holder.SerialNumber;
				X509Name[] principals = attrCert.Holder.GetIssuer();
				for (int i = 0; i < principals.Length; i++)
//						if (principals[i] is X500Principal)
							selector.Issuer = principals[i];
							.FindCertificates(selector, pkixParams.GetStores()));
					catch (Exception e)
						throw new PkixCertPathValidatorException(
							"Public key certificate for attribute certificate cannot be searched.",
				if (holderPKCs.IsEmpty)
					throw new PkixCertPathValidatorException(
						"Public key certificate specified in base certificate ID for attribute certificate cannot be found.");
			// Holder given as entityName.
			// NOTE(review): the entity name is assigned to selector.Issuer, exactly as in
			// the baseCertificateID branch above, so this searches for PKCs *issued by*
			// that name rather than PKCs whose *subject* is that name (RFC 3281 4.2.2 says
			// entityName identifies the holder).  This appears to mirror the upstream
			// BouncyCastle code; confirm before relying on entityName-identified holders.
			if (attrCert.Holder.GetEntityNames() != null)
				X509CertStoreSelector selector = new X509CertStoreSelector();
				X509Name[] principals = attrCert.Holder.GetEntityNames();
				for (int i = 0; i < principals.Length; i++)
//						if (principals[i] is X500Principal)
							selector.Issuer = principals[i];
							.FindCertificates(selector, pkixParams.GetStores()));
					catch (Exception e)
						throw new PkixCertPathValidatorException(
							"Public key certificate for attribute certificate cannot be searched.",
				if (holderPKCs.IsEmpty)
					throw new PkixCertPathValidatorException(
						"Public key certificate specified in entity name for attribute certificate cannot be found.");

			// verify cert paths for PKCs
			PkixBuilderParameters parameters = (PkixBuilderParameters)

			PkixCertPathValidatorException lastException = null;
			// Every candidate holder PKC gets a path built: `result` keeps the LAST
			// successful build, `lastException` the last failure.
			foreach (X509Certificate cert in holderPKCs)
				X509CertStoreSelector selector = new X509CertStoreSelector();
				selector.Certificate = cert;

				PkixCertPathBuilder builder = new PkixCertPathBuilder();

					result = builder.Build(PkixBuilderParameters.GetInstance(parameters));
				catch (PkixCertPathBuilderException e)
					lastException = new PkixCertPathValidatorException(
						"Certification path for public key certificate of attribute certificate could not be build.",
			// Fail closed: one candidate failing to chain fails the whole lookup, even
			// when another candidate chained successfully.
			if (lastException != null)
				throw lastException;
			// NOTE(review): if the holder carries neither baseCertificateID nor entityName
			// (e.g. objectDigestInfo only), holderPKCs is empty, the loop never runs and
			// `result` is still null here - a NullReferenceException escapes instead of a
			// PkixCertPathValidatorException.
			return result.CertPath;
         * Fetches delta CRLs according to RFC 3280 section 5.2.4.
         * @param currentDate The date for which the delta CRLs must be valid.
         * @param paramsPKIX The extended PKIX parameters.
         * @param completeCRL The complete CRL the delta CRL is for.
         * @return A <code>Set</code> of <code>X509CRL</code>s with delta CRLs.
         * @throws Exception if an exception occurs while picking the delta
         *             CRLs.
        // NOTE(review): the listing on this page is truncated after the isDeltaCrl test
        // (the result.Add / return statements are missing) and try openers are stripped,
        // so the statement that populates deltaSelectIssuer is not visible.
        internal static ISet GetDeltaCrls(
            DateTime currentDate,
            PkixParameters paramsPKIX,
            X509Crl completeCRL)
            X509CrlStoreSelector deltaSelect = new X509CrlStoreSelector();

            // 5.2.4 (a)
            // The delta CRL must come from the issuer of the complete CRL; the (stripped)
            // statement inside this try adds that issuer to deltaSelectIssuer.
                IList deltaSelectIssuer = Platform.CreateArrayList();
                deltaSelect.Issuers = deltaSelectIssuer;
            catch (IOException e)
                throw new Exception("Cannot extract issuer from CRL.", e);

            BigInteger completeCRLNumber = null;

                Asn1Object asn1Object = GetExtensionValue(completeCRL, X509Extensions.CrlNumber);
                if (asn1Object != null)
                    completeCRLNumber = CrlNumber.GetInstance(asn1Object).PositiveValue;
            catch (Exception e)
                throw new Exception(
                          "CRL number extension could not be extracted from CRL.", e);

            // 5.2.4 (b)
            // The delta's issuingDistributionPoint must match the complete CRL's (or both
            // be absent); the comparison is done on the DER encoding captured here.
            byte[] idp = null;

                Asn1Object obj = GetExtensionValue(completeCRL, X509Extensions.IssuingDistributionPoint);
                if (obj != null)
                    idp = obj.GetDerEncoded();
            catch (Exception e)
                throw new Exception(
                          "Issuing distribution point extension value could not be read.",

            // 5.2.4 (d)

            // The delta must be newer than the complete CRL.  A complete CRL without a
            // cRLNumber leaves the lower bound null; how the selector treats that is not
            // visible here, but it weakens the pairing between base and delta.
            deltaSelect.MinCrlNumber = (completeCRLNumber == null)
                                ?       null
                                :       completeCRLNumber.Add(BigInteger.One);

            deltaSelect.IssuingDistributionPoint        = idp;
            deltaSelect.IssuingDistributionPointEnabled = true;

            // 5.2.4 (c)
            // The delta's BaseCRLNumber must not exceed the complete CRL's number, i.e.
            // the delta must have been built on this base or an earlier one.
            deltaSelect.MaxBaseCrlNumber = completeCRLNumber;

            // find delta CRLs
            // currentDate is passed through so that only CRLs valid at that date are
            // returned (presumably - FindCrls is not on this page).
            ISet temp = CrlUtilities.FindCrls(deltaSelect, paramsPKIX, currentDate);

            ISet result = new HashSet();

            // Keep only CRLs that really are deltas (isDeltaCrl, presumably a
            // deltaCRLIndicator test); the add/return after this line is cut off.
            foreach (X509Crl crl in temp)
                if (isDeltaCrl(crl))

		* Checks if an attribute certificate is revoked.
		* @param attrCert Attribute certificate to check if it is revoked.
		* @param paramsPKIX PKIX parameters.
		* @param issuerCert The issuer certificate of the attribute certificate
		*            <code>attrCert</code>.
		* @param validDate The date when the certificate revocation status should
		*            be checked.
		* @param certPathCerts The certificates of the certification path to be
		*            checked.
		* @throws PkixCertPathValidatorException if the certificate is revoked, no usable
		*             CRL is found, the status cannot be determined, or some error occurs.
		*             Nothing is checked when <code>paramsPKIX.IsRevocationEnabled</code> is false.
		// NOTE(review): try openers, braces and the `else` keyword of this listing are
		// stripped: the final `if` on CrlDistributionPoints/AuthorityInfoAccess is the
		// else branch of the noRevAvail test, and the
		// .AddAdditionalStoresFromCrlDistributionPoint call has lost its receiver.
		//
		// Security summary: the entire revocation check is gated on
		// paramsPKIX.IsRevocationEnabled - with it false a revoked AC validates.  When
		// enabled the method fails closed: no usable CRL, CRLs that do not cover all
		// reason codes, or an undetermined status all throw rather than pass.
		internal static void CheckCrls(
			IX509AttributeCertificate	attrCert,
			PkixParameters				paramsPKIX,
			X509Certificate				issuerCert,
			DateTime					validDate,
			IList						certPathCerts)
			if (paramsPKIX.IsRevocationEnabled)
				// check if revocation is available
				// noRevAvail (RFC 3281 4.3.6) asserts that no revocation information exists
				// for this AC; only in its absence are CRLs consulted.
				if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) == null)
					CrlDistPoint crldp = null;
						crldp = CrlDistPoint.GetInstance(
								attrCert, X509Extensions.CrlDistributionPoints));
					catch (Exception e)
						throw new PkixCertPathValidatorException(
							"CRL distribution point extension could not be read.", e);
					// Additional CRL stores are derived from the AC's own distribution
					// points, i.e. from data chosen by whoever issued the AC; whether any
					// of them is fetched over the network depends on the store support in
					// paramsPKIX, which is not visible here.
							.AddAdditionalStoresFromCrlDistributionPoint(crldp, paramsPKIX);
					catch (Exception e)
						throw new PkixCertPathValidatorException(
							"No additional CRL locations could be decoded from CRL distribution point extension.", e);
					CertStatus certStatus = new CertStatus();
					ReasonsMask reasonsMask = new ReasonsMask();

					Exception lastException = null;
					bool validCrlFound = false;
					// for each distribution point
					if (crldp != null)
						DistributionPoint[] dps = null;
							dps = crldp.GetDistributionPoints();
						catch (Exception e)
							throw new PkixCertPathValidatorException(
								"Distribution points could not be read.", e);
							// Stop as soon as a DP reports revocation or all reason codes
							// are covered; each DP works on its own clone of the parameters.
							for (int i = 0; i < dps.Length
								&& certStatus.Status == CertStatus.Unrevoked
								&& !reasonsMask.IsAllReasons; i++)
								PkixParameters paramsPKIXClone = (PkixParameters) paramsPKIX
								CheckCrl(dps[i], attrCert, paramsPKIXClone,
									validDate, issuerCert, certStatus, reasonsMask,
								validCrlFound = true;
						catch (Exception e)
							// A DP whose CRL cannot be obtained or verified is not fatal by
							// itself; the fallback below and the validCrlFound test decide.
							lastException = new Exception(
								"No valid CRL for distribution point found.", e);

					* If the revocation status has not been determined, repeat the
					* process above with any available CRLs not specified in a
					* distribution point but issued by the certificate issuer.

					if (certStatus.Status == CertStatus.Unrevoked
						&& !reasonsMask.IsAllReasons)
							* assume a DP with both the reasons and the cRLIssuer
							* fields omitted and a distribution point name of the
							* certificate issuer.
							Asn1Object issuer = null;
								// (stripped) the issuer certificate's name is re-parsed
								// from its encoding to build the synthetic DP below.
								issuer = new Asn1InputStream(
							catch (Exception e)
								throw new Exception(
									"Issuer from certificate for CRL could not be reencoded.",
							DistributionPoint dp = new DistributionPoint(
								new DistributionPointName(0, new GeneralNames(
									new GeneralName(GeneralName.DirectoryName, issuer))), null, null);
							PkixParameters paramsPKIXClone = (PkixParameters) paramsPKIX.Clone();
							CheckCrl(dp, attrCert, paramsPKIXClone, validDate,
								issuerCert, certStatus, reasonsMask, certPathCerts);
							validCrlFound = true;
						catch (Exception e)
							lastException = new Exception(
								"No valid CRL for distribution point found.", e);

					// Fail closed: no CRL at all is a validation failure, not "not revoked".
					if (!validCrlFound)
						throw new PkixCertPathValidatorException(
							"No valid CRL found.", lastException);
					if (certStatus.Status != CertStatus.Unrevoked)
						// TODO This format is forced by the NistCertPath tests
						// The revocation date and reason only surface in the message text.
						string formattedDate = certStatus.RevocationDate.Value.ToString(
                            "G", new CultureInfo("en-us"));
						string message = "Attribute certificate revocation after "
							+ formattedDate;
						message += ", reason: "
							+ Rfc3280CertPathUtilities.CrlReasons[certStatus.Status];
						throw new PkixCertPathValidatorException(message);
					// CRLs that cover only some reason codes cannot prove "not revoked".
					if (!reasonsMask.IsAllReasons
						&& certStatus.Status == CertStatus.Unrevoked)
						certStatus.Status = CertStatus.Undetermined;
					if (certStatus.Status == CertStatus.Undetermined)
						throw new PkixCertPathValidatorException(
							"Attribute certificate status could not be determined.");

				// else branch (keyword stripped): noRevAvail is present, so the AC must not
				// also advertise revocation sources; contradictory extensions are rejected.
					if (attrCert.GetExtensionValue(X509Extensions.CrlDistributionPoints) != null
						|| attrCert.GetExtensionValue(X509Extensions.AuthorityInfoAccess) != null)
						throw new PkixCertPathValidatorException(
							"No rev avail extension is set, but also an AC revocation pointer.");
        /// <summary>
        /// RFC 3280 section 6.1 certification path validation.  The path is ordered
        /// target certificate first (certs[0]); the last certificate must be issued by
        /// one of the configured trust anchors.  Each certificate is checked against the
        /// working public key / issuer name inherited from its issuer (initially the
        /// anchor), name constraints and policy state are carried along, and the
        /// target's policy outcome decides success.
        /// NOTE(review): braces, <c>try</c> and <c>else</c> keywords are stripped in this
        /// listing; every pair of assignments following an <c>if</c> is a then/else pair.
        /// </summary>
        /// <param name="certPath">The path to validate, target first.</param>
        /// <param name="paramsPkix">Trust anchors, policy flags, target constraints,
        /// path checkers and the revocation switch.  Signature, validity and revocation
        /// checks per certificate are delegated to ProcessCertA (not on this page).</param>
        /// <returns>The matched anchor, the valid policy tree (may be null) and the
        /// target certificate's public key.</returns>
        /// <exception cref="ArgumentException">no trust anchors configured.</exception>
        /// <exception cref="PkixCertPathValidatorException">on any validation failure;
        /// the index identifies the offending certificate (-1 = trust anchor).</exception>
        public virtual PkixCertPathValidatorResult Validate(
            PkixCertPath certPath,
            PkixParameters paramsPkix)
            // Without anchors nothing can be trusted; refuse rather than validate against nothing.
            if (paramsPkix.GetTrustAnchors() == null)
                throw new ArgumentException(
                          "trustAnchors is null, this is not allowed for certification path validation.",

            // 6.1.1 - inputs

            // (a)
            IList certs = certPath.Certificates;
            int   n     = certs.Count;

            if (certs.Count == 0)
                throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);

            // (b)
            // The validation date is not computed here; it is presumably resolved
            // inside ProcessCertA from paramsPkix.
            // DateTime validDate = PkixCertPathValidatorUtilities.GetValidDate(paramsPkix);

            // (c)
            ISet userInitialPolicySet = paramsPkix.GetInitialPolicies();

            // (d)
            // The anchor is looked up for the LAST certificate of the path only.
            TrustAnchor trust;

                trust = PkixCertPathValidatorUtilities.FindTrustAnchor(
                    (X509Certificate)certs[certs.Count - 1],
            catch (Exception e)
                throw new PkixCertPathValidatorException(e.Message, e, certPath, certs.Count - 1);

            if (trust == null)
                throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);

            // (e), (f), (g) are part of the paramsPkix object.
            IEnumerator certIter;
            int         index = 0;
            int         i;

            // Certificate for each interation of the validation loop
            // Signature information for each iteration of the validation loop
            // 6.1.2 - setup

            // (a)
            // One policy-node list per depth, depth 0 being the anchor level.
            IList[] policyNodes = new IList[n + 1];
            for (int j = 0; j < policyNodes.Length; j++)
                policyNodes[j] = Platform.CreateArrayList();

            ISet policySet = new HashSet();


            PkixPolicyNode validPolicyTree = new PkixPolicyNode(Platform.CreateArrayList(), 0, policySet, null, new HashSet(),
                                                                Rfc3280CertPathUtilities.ANY_POLICY, false);


            // (b) and (c)
            PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();

            // (d)
            // The three counters below are 0 when the caller demands the constraint and
            // n + 1 otherwise (so they cannot reach 0 during the walk); the second
            // assignment of each pair is the stripped else branch.
            int  explicitPolicy;
            ISet acceptablePolicies = new HashSet();

            if (paramsPkix.IsExplicitPolicyRequired)
                explicitPolicy = 0;
                explicitPolicy = n + 1;

            // (e)
            int inhibitAnyPolicy;

            if (paramsPkix.IsAnyPolicyInhibited)
                inhibitAnyPolicy = 0;
                inhibitAnyPolicy = n + 1;

            // (f)
            int policyMapping;

            if (paramsPkix.IsPolicyMappingInhibited)
                policyMapping = 0;
                policyMapping = n + 1;

            // (g), (h), (i), (j)
            // The working key / issuer name start from the anchor, which is either a
            // certificate or a bare (CA name, CA public key) pair (the else branch).
            AsymmetricKeyParameter workingPublicKey;
            X509Name workingIssuerName;

            X509Certificate sign = trust.TrustedCert;

                if (sign != null)
                    workingIssuerName = sign.SubjectDN;
                    workingPublicKey  = sign.GetPublicKey();
                    workingIssuerName = new X509Name(trust.CAName);
                    workingPublicKey  = trust.CAPublicKey;
            catch (ArgumentException ex)
                throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath,

            //AlgorithmIdentifier workingAlgId = null;
            // The result is discarded: the call only verifies that the anchor key's
            // algorithm identifier can be read before the key is used for verification.
                /*workingAlgId = */ PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
            catch (PkixCertPathValidatorException e)
                throw new PkixCertPathValidatorException(
                          "Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1);

//			DerObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.ObjectID;
//			Asn1Encodable workingPublicKeyParameters = workingAlgId.Parameters;

            // (k)
            int maxPathLength = n;

            // 6.1.3

            // Target constraints apply to the end-entity certificate only (index 0).
            X509CertStoreSelector certConstraints = paramsPkix.GetTargetCertConstraints();

            if (certConstraints != null && !certConstraints.Match((X509Certificate)certs[0]))
                throw new PkixCertPathValidatorException(
                          "Target certificate in certification path does not match targetConstraints.", null, certPath, 0);

            // initialize CertPathChecker's
            IList pathCheckers = paramsPkix.GetCertPathCheckers();

            certIter = pathCheckers.GetEnumerator();

            // Loop body (checker initialisation) is stripped in this listing.
            while (certIter.MoveNext())

            X509Certificate cert = null;

            // Walk from the certificate nearest the anchor down to the target.
            for (index = certs.Count - 1; index >= 0; index--)
                // try
                // {
                // i as defined in the algorithm description
                i = n - index;

                // set certificate to be checked in this round
                // sign and workingPublicKey and workingIssuerName are set
                // at the end of the for loop and initialized the
                // first time from the TrustAnchor
                cert = (X509Certificate)certs[index];

                // 6.1.3

                // ProcessCertA receives the working key, issuer name and signer, i.e. it is
                // where the 6.1.3 (a) checks (signature, validity, revocation, issuer name)
                // would be performed - its body is not on this page.
                Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, index, workingPublicKey,
                                                      workingIssuerName, sign);

                Rfc3280CertPathUtilities.ProcessCertBC(certPath, index, nameConstraintValidator);

                validPolicyTree = Rfc3280CertPathUtilities.ProcessCertD(certPath, index,
                                                                        acceptablePolicies, validPolicyTree, policyNodes, inhibitAnyPolicy);

                validPolicyTree = Rfc3280CertPathUtilities.ProcessCertE(certPath, index, validPolicyTree);

                Rfc3280CertPathUtilities.ProcessCertF(certPath, index, validPolicyTree, explicitPolicy);

                // 6.1.4

                // "Prepare for next certificate" runs for every certificate except the target.
                if (i != n)
                    // A v1 certificate cannot carry basicConstraints, so it may never act as a CA.
                    if (cert != null && cert.Version == 1)
                        throw new PkixCertPathValidatorException(
                                  "Version 1 certificates can't be used as CA ones.", null, certPath, index);

                    Rfc3280CertPathUtilities.PrepareNextCertA(certPath, index);

                    validPolicyTree = Rfc3280CertPathUtilities.PrepareCertB(certPath, index, policyNodes,
                                                                            validPolicyTree, policyMapping);

                    Rfc3280CertPathUtilities.PrepareNextCertG(certPath, index, nameConstraintValidator);

                    // (h)
                    explicitPolicy   = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, index, explicitPolicy);
                    policyMapping    = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, index, policyMapping);
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, index, inhibitAnyPolicy);

                    // (i)
                    explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, index, explicitPolicy);
                    policyMapping  = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, index, policyMapping);

                    // (j)
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, index, inhibitAnyPolicy);

                    // (k)
                    Rfc3280CertPathUtilities.PrepareNextCertK(certPath, index);

                    // (l)
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, index, maxPathLength);

                    // (m)
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, index, maxPathLength);

                    // (n)
                    Rfc3280CertPathUtilities.PrepareNextCertN(certPath, index);

                    // Critical extensions are handed to the path checkers in step (o); the
                    // second assignment is the else branch (no critical extensions present).
                    ISet criticalExtensions1 = cert.GetCriticalExtensionOids();

                    if (criticalExtensions1 != null)
                        criticalExtensions1 = new HashSet(criticalExtensions1);

                        // these extensions are handled by the algorithm
                        criticalExtensions1 = new HashSet();

                    // (o)
                    Rfc3280CertPathUtilities.PrepareNextCertO(certPath, index, criticalExtensions1, pathCheckers);

                    // set signing certificate for next round
                    sign = cert;

                    // (c)
                    workingIssuerName = sign.SubjectDN;

                    // (d)
                        workingPublicKey = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, index);
                    catch (PkixCertPathValidatorException e)
                        throw new PkixCertPathValidatorException("Next working key could not be retrieved.", e, certPath, index);

                    // Result discarded, as for the anchor: a readability check on the next key.
                    /*workingAlgId = */ PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
                    // (f)
//                    workingPublicKeyAlgorithm = workingAlgId.ObjectID;
                    // (e)
//                    workingPublicKeyParameters = workingAlgId.Parameters;

            // 6.1.5 Wrap-up procedure
            // After the loop index == -1, so index + 1 is the target certificate (index 0)
            // and `cert` is that certificate.

            explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, cert);

            explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, index + 1, explicitPolicy);

            // (c) (d) and (e) are already done

            // (f)
            ISet criticalExtensions = cert.GetCriticalExtensionOids();

            if (criticalExtensions != null)
                criticalExtensions = new HashSet(criticalExtensions);

                // Requires .Id
                // these extensions are handled by the algorithm
                criticalExtensions = new HashSet();

            Rfc3280CertPathUtilities.WrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions);

            PkixPolicyNode intersection = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, userInitialPolicySet,
                                                                               index + 1, policyNodes, validPolicyTree, acceptablePolicies);

            // (g): success unless explicit policy is required (explicitPolicy == 0) AND
            // the intersection of the policy tree with the initial policies is empty.
            if ((explicitPolicy > 0) || (intersection != null))
                return(new PkixCertPathValidatorResult(trust, intersection, cert.GetPublicKey()));

            throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, index);
         * Searches for a holder public key certificate and verifies its
         * certification path.
         * @param attrCert the attribute certificate.
         * @param pkixParams The PKIX parameters.
         * @return The certificate path of the holder certificate.
         * @throws Exception if
         *             <ul>
         *             <li>no public key certificate can be found although holder
         *             information is given by an entity name or a base certificate
         *             ID</li>
         *             <li>support classes cannot be created</li>
         *             <li>no certification path for the public key certificate can
         *             be built</li>
         *             </ul>
        // Finds the holder's public key certificate(s) for an attribute certificate and then
        // builds a certification path for them. The holder is looked up first by base
        // certificate ID (holder issuer + serial number) and then by holder entity names;
        // every lookup searches the cert stores carried in pkixParams and fails hard when
        // it finds nothing, so a holder that cannot be resolved is never silently accepted.
        // This listing is brace-stripped and several lines are missing (the try keywords,
        // the start of the holderPKCs.AddAll(...) calls, the right-hand side of the
        // parameters cast and the final return), so read the flow below accordingly.
        internal static PkixCertPath ProcessAttrCert1(
            IX509AttributeCertificate attrCert,
            PkixParameters pkixParams)
            // only assigned inside the foreach below; stays null when no holder lookup applied
            PkixCertPathBuilderResult result = null;
            // find holder PKCs
            ISet holderPKCs = new HashSet();

            // holder given as baseCertificateID: match on issuer and serial number
            if (attrCert.Holder.GetIssuer() != null)
                X509CertStoreSelector selector = new X509CertStoreSelector();
                selector.SerialNumber = attrCert.Holder.SerialNumber;
                X509Name[] principals = attrCert.Holder.GetIssuer();
                for (int i = 0; i < principals.Length; i++)
//						if (principals[i] is X500Principal)
                            selector.Issuer = principals[i];
                                          .FindCertificates(selector, pkixParams.GetStores()));
                    catch (Exception e)
                        throw new PkixCertPathValidatorException(
                                  "Public key certificate for attribute certificate cannot be searched.",
                if (holderPKCs.IsEmpty)
                    throw new PkixCertPathValidatorException(
                              "Public key certificate specified in base certificate ID for attribute certificate cannot be found.");
            // holder given as entityName: the names are used as the issuer criterion
            if (attrCert.Holder.GetEntityNames() != null)
                X509CertStoreSelector selector   = new X509CertStoreSelector();
                X509Name[]            principals = attrCert.Holder.GetEntityNames();
                for (int i = 0; i < principals.Length; i++)
//						if (principals[i] is X500Principal)
                            selector.Issuer = principals[i];
                                          .FindCertificates(selector, pkixParams.GetStores()));
                    catch (Exception e)
                        throw new PkixCertPathValidatorException(
                                  "Public key certificate for attribute certificate cannot be searched.",
                if (holderPKCs.IsEmpty)
                    throw new PkixCertPathValidatorException(
                              "Public key certificate specified in entity name for attribute certificate cannot be found.");

            // verify cert paths for PKCs
            // NOTE(review): the right-hand side of this cast is cut off in this listing.
            PkixBuilderParameters parameters = (PkixBuilderParameters)

            PkixCertPathValidatorException lastException = null;

            // result keeps the last successful build; selector/builder are fresh per candidate
            foreach (X509Certificate cert in holderPKCs)
                X509CertStoreSelector selector = new X509CertStoreSelector();
                selector.Certificate = cert;

                PkixCertPathBuilder builder = new PkixCertPathBuilder();

                    result = builder.Build(PkixBuilderParameters.GetInstance(parameters));
                catch (PkixCertPathBuilderException e)
                    lastException = new PkixCertPathValidatorException(
                        "Certification path for public key certificate of attribute certificate could not be build.",
            // Any failed build aborts the whole call, even when another holder certificate
            // built successfully above (result is not consulted here).
            if (lastException != null)
                throw lastException;
        // Fills selector.Issuers either from the distribution point's cRLIssuer field
        // (indirect CRL) or, when that field is absent, from the certificate's own issuer
        // principals. This listing is brace-stripped and the body of the try that decodes
        // the name, the else branch, and the loop body over issuerPrincipals are missing,
        // so what ends up in 'list' cannot be confirmed from here.
        internal static void GetCrlIssuersFromDistributionPoint(DistributionPoint dp, ICollection issuerPrincipals, X509CrlStoreSelector selector, PkixParameters pkixParams)
            IList list = Platform.CreateArrayList();

            if (dp.CrlIssuer != null)
                GeneralName[] names = dp.CrlIssuer.GetNames();
                for (int i = 0; i < names.Length; i++)
                    // only directoryName choices are usable as CRL issuers; presumably tag 4 is
                    // GeneralName.DirectoryName (the later copy of this method uses the constant)
                    if (names[i].TagNo == 4)
                        catch (IOException innerException)
                            throw new Exception("CRL issuer information from distribution point cannot be decoded.", innerException);
                // cRLIssuer omitted means the certificate issuer is the CRL issuer; in that case
                // the distributionPoint name must be present, otherwise the DP is unusable
                if (dp.DistributionPointName == null)
                    throw new Exception("CRL issuer is omitted from distribution point but no distributionPoint field present.");
                IEnumerator enumerator = issuerPrincipals.GetEnumerator();
                while (enumerator.MoveNext())
            selector.Issuers = list;
         * Checks if an attribute certificate is revoked.
         * @param attrCert Attribute certificate to check if it is revoked.
         * @param paramsPKIX PKIX parameters.
         * @param issuerCert The issuer certificate of the attribute certificate
         *            <code>attrCert</code>.
         * @param validDate The date when the certificate revocation status should
         *            be checked.
         * @param certPathCerts The certificates of the certification path to be
         *            checked.
         * @throws CertPathValidatorException if the certificate is revoked or the
         *             status cannot be checked or some error occurs.
        // Revocation check for an attribute certificate. Walks the CRL distribution points
        // of attrCert and, if those leave the status undetermined, falls back to a synthetic
        // DP naming the AC issuer. The outcome is fail-closed: no usable CRL, a revoked
        // status, or a reasons mask that does not cover all reasons all end in a
        // PkixCertPathValidatorException.
        // This listing is brace-stripped and some lines are missing (the early return after
        // the IsRevocationEnabled test, the try keywords, the start of the GetExtensionValue
        // and AddAdditionalStoresFromCrlDistributionPoint calls, and the tail of two
        // statements), so the flow below is reconstructed from what is visible.
        internal static void CheckCrls(
            IX509AttributeCertificate attrCert,
            PkixParameters paramsPKIX,
            X509Certificate issuerCert,
            DateTime validDate,
            IList certPathCerts)
            // revocation checking switched off by the caller: nothing to do (return not shown)
            if (!paramsPKIX.IsRevocationEnabled)

            // check if revocation is available
            // noRevAvail asserts the AC carries no revocation information; combining it with a
            // CRL DP or AIA pointer is contradictory and is rejected rather than guessed at
            if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) != null)
                if (attrCert.GetExtensionValue(X509Extensions.CrlDistributionPoints) != null ||
                    attrCert.GetExtensionValue(X509Extensions.AuthorityInfoAccess) != null)
                    throw new PkixCertPathValidatorException(
                              "No rev avail extension is set, but also an AC revocation pointer.");


            CrlDistPoint crldp = null;

                crldp = CrlDistPoint.GetInstance(
                        attrCert, X509Extensions.CrlDistributionPoints));
            catch (Exception e)
                throw new PkixCertPathValidatorException(
                          "CRL distribution point extension could not be read.", e);
            // the DP locations come from the AC under validation (untrusted data); they are
            // registered as additional stores on paramsPKIX — what the lookup then does with
            // them is not visible here
                .AddAdditionalStoresFromCrlDistributionPoint(crldp, paramsPKIX);
            catch (Exception e)
                throw new PkixCertPathValidatorException(
                          "No additional CRL locations could be decoded from CRL distribution point extension.", e);

            CertStatus  certStatus  = new CertStatus();
            ReasonsMask reasonsMask = new ReasonsMask();

            Exception lastException = null;
            bool      validCrlFound = false;

            // for each distribution point
            if (crldp != null)
                DistributionPoint[] dps = null;
                    dps = crldp.GetDistributionPoints();
                catch (Exception e)
                    throw new PkixCertPathValidatorException(
                              "Distribution points could not be read.", e);
                    // stop as soon as a revocation is found or every reason code is covered
                    for (int i = 0; i < dps.Length &&
                         certStatus.Status == CertStatus.Unrevoked &&
                         !reasonsMask.IsAllReasons; i++)
                        // each DP works on its own clone so added stores do not leak between DPs
                        PkixParameters paramsPKIXClone = (PkixParameters)paramsPKIX
                        CheckCrl(dps[i], attrCert, paramsPKIXClone,
                                 validDate, issuerCert, certStatus, reasonsMask,
                        validCrlFound = true;
                catch (Exception e)
                    // remembered only; the fallback below may still succeed
                    lastException = new Exception(
                        "No valid CRL for distribution point found.", e);

             * If the revocation status has not been determined, repeat the
             * process above with any available CRLs not specified in a
             * distribution point but issued by the certificate issuer.

            if (certStatus.Status == CertStatus.Unrevoked &&
                     * assume a DP with both the reasons and the cRLIssuer
                     * fields omitted and a distribution point name of the
                     * certificate issuer.
                    X509Name issuer;
                        // NOTE(review): uses the first issuer principal only; an AC with no
                        // principals would fault here and be caught as a re-encode failure
                        issuer = X509Name.GetInstance(attrCert.Issuer.GetPrincipals()[0].GetEncoded());
                    catch (Exception e)
                        throw new Exception(
                                  "Issuer from certificate for CRL could not be reencoded.",
                    DistributionPoint dp = new DistributionPoint(
                        new DistributionPointName(0, new GeneralNames(
                                                      new GeneralName(GeneralName.DirectoryName, issuer))), null, null);
                    PkixParameters paramsPKIXClone = (PkixParameters)paramsPKIX.Clone();
                    CheckCrl(dp, attrCert, paramsPKIXClone, validDate,
                             issuerCert, certStatus, reasonsMask, certPathCerts);
                    validCrlFound = true;
                catch (Exception e)
                    lastException = new Exception(
                        "No valid CRL for distribution point found.", e);

            // fail closed: the absence of any usable CRL is a validation failure, not "not revoked"
            if (!validCrlFound)
                throw new PkixCertPathValidatorException(
                          "No valid CRL found.", lastException);
            if (certStatus.Status != CertStatus.Unrevoked)
                // This format is enforced by the NistCertPath tests
                // NOTE(review): no culture is passed, so the day and month names follow the
                // current culture (the X509Certificate variant of this method passes an
                // explicit en-US locale); only affects the exception message
                string formattedDate = certStatus.RevocationDate.Value.ToString(
                    "ddd MMM dd HH:mm:ss K yyyy");
                string message = "Attribute certificate revocation after "
                                 + formattedDate;
                message += ", reason: "
                           + Rfc3280CertPathUtilities.CrlReasons[certStatus.Status];
                throw new PkixCertPathValidatorException(message);
            // a CRL set that covers only some reason codes cannot prove "not revoked"
            if (!reasonsMask.IsAllReasons &&
                certStatus.Status == CertStatus.Unrevoked)
                certStatus.Status = CertStatus.Undetermined;
            if (certStatus.Status == CertStatus.Undetermined)
                throw new PkixCertPathValidatorException(
                          "Attribute certificate status could not be determined.");
		/// <summary>
		/// Registers an additional X.509 store for every URI found in the certificate's
		/// IssuerAltName extension, by handing the URI string to
		/// PkixCertPathValidatorUtilities.AddAdditionalStoreFromLocation.
		/// The URI is taken from the certificate under validation, i.e. from untrusted
		/// data; what AddAdditionalStoreFromLocation does with it is not visible here.
		/// </summary>
		/// <param name="cert">Certificate whose IssuerAltName extension is inspected.</param>
		/// <param name="pkixParams">PKIX parameters that receive the additional store(s).</param>
		internal static void AddAdditionalStoresFromAltNames(
			X509Certificate	cert,
			PkixParameters	pkixParams)
		{
			IEnumerable altNames = cert.GetIssuerAlternativeNames();
			if (altNames == null)
				return;

			foreach (object entry in altNames)
			{
				// each entry is a list: element 0 is the GeneralName tag, element 1 the value
				IList generalName = (IList)entry;
				if (!generalName[0].Equals(GeneralName.UniformResourceIdentifier))
					continue;

				string location = (string)generalName[1];
				PkixCertPathValidatorUtilities.AddAdditionalStoreFromLocation(location, pkixParams);
			}
		}
		 * Checks a certificate if it is revoked.
		 * @param paramsPKIX       PKIX parameters.
		 * @param cert             Certificate to check if it is revoked.
		 * @param validDate        The date when the certificate revocation status should be
		 *                         checked.
		 * @param sign             The issuer certificate of the certificate <code>cert</code>.
		 * @param workingPublicKey The public key of the issuer certificate <code>sign</code>.
		 * @param certPathCerts    The certificates of the certification path.
		 * @throws AnnotatedException if the certificate is revoked or the status cannot be checked
		 *                            or some error occurs.
		// Revocation check for a public key certificate. Walks the CRL distribution points of
		// cert and, if those leave the status undetermined, falls back to a synthetic DP
		// naming the certificate issuer. Fail-closed: no usable CRL, a revoked status, or a
		// reasons mask that does not cover all reasons all end in an exception.
		// Errors are raised as plain Exception here, unlike the attribute certificate
		// variant which raises PkixCertPathValidatorException; presumably a caller wraps them.
		// This listing is brace-stripped and the try keywords and the tail of one CheckCrl
		// call are missing.
		protected static void CheckCrls(
			PkixParameters			paramsPKIX,
			X509Certificate			cert,
			DateTime				validDate,
			X509Certificate			sign,
			AsymmetricKeyParameter	workingPublicKey,
			IList					certPathCerts)
			Exception lastException = null;
			CrlDistPoint crldp = null;

				crldp = CrlDistPoint.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.CrlDistributionPoints));
			catch (Exception e)
				throw new Exception("CRL distribution point extension could not be read.", e);

			// DP locations come from the certificate under validation (untrusted data) and are
			// registered as additional stores; what the lookup does with them is not visible here
				PkixCertPathValidatorUtilities.AddAdditionalStoresFromCrlDistributionPoint(crldp, paramsPKIX);
			catch (Exception e)
				throw new Exception(
					"No additional CRL locations could be decoded from CRL distribution point extension.", e);
			CertStatus certStatus = new CertStatus();
			ReasonsMask reasonsMask = new ReasonsMask();

			bool validCrlFound = false;

			// for each distribution point
			if (crldp != null)
				DistributionPoint[] dps = null;
					dps = crldp.GetDistributionPoints();
				catch (Exception e)
					throw new Exception("Distribution points could not be read.", e);
				if (dps != null)
					// stop as soon as a revocation is found or every reason code is covered
					for (int i = 0; i < dps.Length && certStatus.Status == CertStatus.Unrevoked && !reasonsMask.IsAllReasons; i++)
						// each DP works on its own clone so added stores do not leak between DPs
						PkixParameters paramsPKIXClone = (PkixParameters)paramsPKIX.Clone();
							CheckCrl(dps[i], paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts);
							validCrlFound = true;
						catch (Exception e)
							// remembered only; the fallback below may still succeed
							lastException = e;

			 * If the revocation status has not been determined, repeat the process
			 * above with any available CRLs not specified in a distribution point
			 * but issued by the certificate issuer.

			if (certStatus.Status == CertStatus.Unrevoked && !reasonsMask.IsAllReasons)
					 * assume a DP with both the reasons and the cRLIssuer fields
					 * omitted and a distribution point name of the certificate
					 * issuer.
					Asn1Object issuer = null;
						issuer = new Asn1InputStream(cert.IssuerDN.GetEncoded()).ReadObject();
					catch (Exception e)
						throw new Exception("Issuer from certificate for CRL could not be reencoded.", e);
					DistributionPoint dp = new DistributionPoint(new DistributionPointName(0, new GeneralNames(
						new GeneralName(GeneralName.DirectoryName, issuer))), null, null);
					PkixParameters paramsPKIXClone = (PkixParameters)paramsPKIX.Clone();

					CheckCrl(dp, paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask,

					validCrlFound = true;
				catch (Exception e)
					lastException = e;

			// fail closed: no usable CRL is a validation failure, not "not revoked".
			// NOTE(review): if neither branch above ran, lastException is still null and this
			// line would throw a NullReferenceException instead — from the visible code the
			// fallback always runs in that case, but the listing is incomplete, so verify.
			if (!validCrlFound)
				throw lastException;
			if (certStatus.Status != CertStatus.Unrevoked)
				// TODO This format is forced by the NistCertPath tests
				string formattedDate = certStatus.RevocationDate.Value.ToString(
					"G", System.util.Util.GetStandartEnUSLocale());
				string message = "Certificate revocation after " + formattedDate;
				message += ", reason: " + CrlReasons[certStatus.Status];
				throw new Exception(message);

			// a CRL set that covers only some reason codes cannot prove "not revoked"
			if (!reasonsMask.IsAllReasons && certStatus.Status == CertStatus.Unrevoked)
				certStatus.Status = CertStatus.Undetermined;

			if (certStatus.Status == CertStatus.Undetermined)
				throw new Exception("Certificate status could not be determined.");
		/// <summary>
		/// Returns the validation time configured on the parameters, or the current UTC
		/// time when no date was set.
		/// </summary>
		/// <param name="paramsPKIX">PKIX parameters whose Date is consulted.</param>
		/// <returns>paramsPKIX.Date.Value when set, otherwise DateTime.UtcNow.</returns>
		internal static DateTime GetValidDate(PkixParameters paramsPKIX)
		{
			DateTimeObject configured = paramsPKIX.Date;
			return configured != null ? configured.Value : DateTime.UtcNow;
		}
		// Collects the delta CRLs belonging to crl when delta CRL use is enabled; returns an
		// empty set otherwise. The Freshest CRL extension is read from the certificate first
		// and, only if absent there, from the CRL itself. Locations named by that extension
		// come from the artifact being validated (untrusted data) and are registered as
		// additional stores on paramsPKIX before the delta CRLs are fetched.
		// This listing is brace-stripped and the try keywords are missing.
		internal static ISet ProcessCrlA1i(
			DateTime		currentDate,
			PkixParameters	paramsPKIX,
			X509Certificate	cert,
			X509Crl			crl)
			ISet deltaSet = new HashSet();
			if (paramsPKIX.IsUseDeltasEnabled)
				CrlDistPoint freshestCRL = null;
					freshestCRL = CrlDistPoint.GetInstance(
						PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.FreshestCrl));
				catch (Exception e)
					throw new Exception("Freshest CRL extension could not be decoded from certificate.", e);

				// certificate did not carry the extension: fall back to the CRL's own copy
				if (freshestCRL == null)
						freshestCRL = CrlDistPoint.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(crl, X509Extensions.FreshestCrl));
					catch (Exception e)
						throw new Exception("Freshest CRL extension could not be decoded from CRL.", e);
				if (freshestCRL != null)
						PkixCertPathValidatorUtilities.AddAdditionalStoresFromCrlDistributionPoint(freshestCRL, paramsPKIX);
					catch (Exception e)
						throw new Exception(
							"No new delta CRL locations could be added from Freshest CRL extension.", e);
					// get delta CRL(s)
						deltaSet.AddAll(PkixCertPathValidatorUtilities.GetDeltaCrls(currentDate, paramsPKIX, crl));
					catch (Exception e)
						throw new Exception("Exception obtaining delta CRLs.", e);
			return deltaSet;
		// Picks the point in time at which certificate 'index' of certPath is checked.
		// Outside the chain validity model this is simply the configured validation date.
		// In the chain model the end certificate (index <= 0) uses the configured date, and
		// every other certificate is checked at the time its child (index - 1) was created:
		// a "date of cert gen" extension on the child if present, else the child's NotBefore.
		// Both of those values are taken from the certificate under validation, i.e. from
		// untrusted data; that is inherent to the chain model and worth keeping in mind.
		// This listing is brace-stripped; the extension OID argument and the try keywords
		// are missing.
		internal static DateTime GetValidCertDateFromValidityModel(
			PkixParameters	paramsPkix,
			PkixCertPath	certPath,
			int				index)
			if (paramsPkix.ValidityModel != PkixParameters.ChainValidityModel)
				return GetValidDate(paramsPkix);

			// if end cert use given signing/encryption/... time
			if (index <= 0)
				return PkixCertPathValidatorUtilities.GetValidDate(paramsPkix);
				// else use time when previous cert was created

			// only the direct issuer of the end certificate honours the extension
			if (index - 1 == 0)
				DerGeneralizedTime dateOfCertgen = null;
					X509Certificate cert = (X509Certificate)certPath.Certificates[index - 1];
					// NOTE(review): the extension OID passed here is cut off in this listing
					Asn1OctetString extVal = cert.GetExtensionValue(
					dateOfCertgen = DerGeneralizedTime.GetInstance(extVal);
				catch (ArgumentException)
					throw new Exception(
						"Date of cert gen extension could not be read.");
				if (dateOfCertgen != null)
						return dateOfCertgen.ToDateTime();
					catch (ArgumentException e)
						throw new Exception(
							"Date from date of cert gen extension could not be parsed.",

			return ((X509Certificate)certPath.Certificates[index - 1]).NotBefore;
		// Wrap-up step (g) of path validation: intersects the valid policy tree with the
		// user's initial policy set and returns the resulting tree (null when there is no
		// valid policy). When an explicit policy is required and nothing is available this
		// throws instead of returning null, so the caller cannot mistake "no policy" for
		// success. The three sub-cases are (i) empty tree, (ii) user accepts any-policy,
		// (iii) user supplied a concrete policy set.
		// This listing is brace-stripped and several lines are missing (the else keywords
		// and the bodies of the two innermost foreach/if statements), so the set-building
		// loops cannot be read in full here.
		internal static PkixPolicyNode WrapupCertG(
			PkixCertPath	certPath,
			PkixParameters	paramsPKIX,
			ISet			userInitialPolicySet,
			int				index,
			IList[]			policyNodes,
			PkixPolicyNode	validPolicyTree,
			ISet			acceptablePolicies)
			int n = certPath.Certificates.Count;

			// (g)
			PkixPolicyNode intersection;

			// (g) (i)
			if (validPolicyTree == null)
				if (paramsPKIX.IsExplicitPolicyRequired)
					throw new PkixCertPathValidatorException(
						"Explicit policy requested but none available.", null, certPath, index);
				intersection = null;
			else if (PkixCertPathValidatorUtilities.IsAnyPolicy(userInitialPolicySet)) // (g)
				// (ii)
				if (paramsPKIX.IsExplicitPolicyRequired)
					if (acceptablePolicies.IsEmpty)
						throw new PkixCertPathValidatorException(
							"Explicit policy requested but none available.", null, certPath, index);
						// collect the children of every anyPolicy node (body not shown)
						ISet _validPolicyNodeSet = new HashSet();

						for (int j = 0; j < policyNodes.Length; j++)
							IList _nodeDepth = policyNodes[j];

							for (int k = 0; k < _nodeDepth.Count; k++)
								PkixPolicyNode _node = (PkixPolicyNode)_nodeDepth[k];

								if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(_node.ValidPolicy))
									foreach (object o in _node.Children)

						foreach (PkixPolicyNode _node in _validPolicyNodeSet)
							string _validPolicy = _node.ValidPolicy;

							// NOTE(review): this branch has no effect — its body is commented out,
							// so nodes outside acceptablePolicies are not pruned here
							if (!acceptablePolicies.Contains(_validPolicy))
								// TODO?
								// validPolicyTree =
								// removePolicyNode(validPolicyTree, policyNodes,
								// _node);
						// prune childless nodes bottom-up so the tree stays consistent
						if (validPolicyTree != null)
							for (int j = (n - 1); j >= 0; j--)
								IList nodes = policyNodes[j];

								for (int k = 0; k < nodes.Count; k++)
									PkixPolicyNode node = (PkixPolicyNode)nodes[k];
									if (!node.HasChildren)
										validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree,
											policyNodes, node);

				intersection = validPolicyTree;
				// (g) (iii)
				// This implementation is not exactly same as the one described in
				// RFC3280.
				// However, as far as the validation result is concerned, both
				// produce
				// adequate result. The only difference is whether AnyPolicy is
				// remain
				// in the policy tree or not.
				// (g) (iii) 1
				// collect the non-anyPolicy children of every anyPolicy node (body not shown)
				ISet _validPolicyNodeSet = new HashSet();

				for (int j = 0; j < policyNodes.Length; j++)
					IList _nodeDepth = policyNodes[j];

					for (int k = 0; k < _nodeDepth.Count; k++)
						PkixPolicyNode _node = (PkixPolicyNode)_nodeDepth[k];

						if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(_node.ValidPolicy))
							foreach (PkixPolicyNode _c_node in _node.Children)
								if (!Rfc3280CertPathUtilities.ANY_POLICY.Equals(_c_node.ValidPolicy))

				// (g) (iii) 2
				// drop every collected node whose policy the user did not ask for
				IEnumerator _vpnsIter = _validPolicyNodeSet.GetEnumerator();
				while (_vpnsIter.MoveNext())
					PkixPolicyNode _node = (PkixPolicyNode)_vpnsIter.Current;
					string _validPolicy = _node.ValidPolicy;

					if (!userInitialPolicySet.Contains(_validPolicy))
						validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree, policyNodes, _node);

				// (g) (iii) 4
				// prune childless nodes bottom-up so the tree stays consistent
				if (validPolicyTree != null)
					for (int j = (n - 1); j >= 0; j--)
						IList nodes = policyNodes[j];

						for (int k = 0; k < nodes.Count; k++)
							PkixPolicyNode node = (PkixPolicyNode)nodes[k];
							if (!node.HasChildren)
								validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree, policyNodes,

				intersection = validPolicyTree;
			return intersection;
		* Add the CRL issuers from the cRLIssuer field of the distribution point or
		* from the certificate if not given to the issuer criterion of the
		* <code>selector</code>.
		* <p>
		* The <code>issuerPrincipals</code> are a collection with a single
		* <code>X500Principal</code> for <code>X509Certificate</code>s. For
		* {@link X509AttributeCertificate}s the issuer may contain more than one
		* <code>X500Principal</code>.
		* </p>
		* @param dp The distribution point.
		* @param issuerPrincipals The issuers of the certificate or attribute
		*            certificate which contains the distribution point.
		* @param selector The CRL selector.
		* @param pkixParams The PKIX parameters containing the cert stores.
		* @throws Exception if an exception occurs while processing.
		* @throws ClassCastException if <code>issuerPrincipals</code> does not
		* contain only <code>X500Principal</code>s.
		// Fills selector.Issuers from the distribution point's cRLIssuer field (indirect
		// CRL, directoryName entries only) or, when that field is absent, from the
		// certificate's own issuer principals. A DP with neither cRLIssuer nor a
		// distributionPoint name is rejected rather than matched against nothing.
		// This listing is brace-stripped; the try body that decodes the directoryName, the
		// else keyword, and the loop body over issuerPrincipals are missing, so the exact
		// contents of 'issuers' cannot be confirmed from here.
		internal static void GetCrlIssuersFromDistributionPoint(
			DistributionPoint		dp,
			ICollection				issuerPrincipals,
			X509CrlStoreSelector	selector,
			PkixParameters			pkixParams)
            IList issuers = Platform.CreateArrayList();
			// indirect CRL
			if (dp.CrlIssuer != null)
				GeneralName[] genNames = dp.CrlIssuer.GetNames();
				// look for a DN
				for (int j = 0; j < genNames.Length; j++)
					if (genNames[j].TagNo == GeneralName.DirectoryName)
						catch (IOException e)
							throw new Exception(
								"CRL issuer information from distribution point cannot be decoded.",
				 * certificate issuer is CRL issuer, distributionPoint field MUST be
				 * present.
				if (dp.DistributionPointName == null)
					throw new Exception(
						"CRL issuer is omitted from distribution point but no distributionPoint field present.");

				// add and check issuer principals
				for (IEnumerator it = issuerPrincipals.GetEnumerator(); it.MoveNext(); )
			// nameRelativeToCRLIssuer handling is intentionally disabled; the Java original
			// is kept below for reference
			// TODO: is not found although this should correctly add the rel name. selector of Sun is buggy here or PKI test case is invalid
			// distributionPoint
			//        if (dp.getDistributionPoint() != null)
			//        {
			//            // look for nameRelativeToCRLIssuer
			//            if (dp.getDistributionPoint().getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER)
			//            {
			//                // append fragment to issuer, only one
			//                // issuer can be there, if this is given
			//                if (issuers.size() != 1)
			//                {
			//                    throw new AnnotatedException(
			//                        "nameRelativeToCRLIssuer field is given but more than one CRL issuer is given.");
			//                }
			//                DEREncodable relName = dp.getDistributionPoint().getName();
			//                Iterator it = issuers.iterator();
			//                List issuersTemp = new ArrayList(issuers.size());
			//                while (it.hasNext())
			//                {
			//                    Enumeration e = null;
			//                    try
			//                    {
			//                        e = ASN1Sequence.getInstance(
			//                            new ASN1InputStream(((X500Principal)
			//                                .getEncoded()).readObject()).getObjects();
			//                    }
			//                    catch (IOException ex)
			//                    {
			//                        throw new AnnotatedException(
			//                            "Cannot decode CRL issuer information.", ex);
			//                    }
			//                    ASN1EncodableVector v = new ASN1EncodableVector();
			//                    while (e.hasMoreElements())
			//                    {
			//                        v.add((DEREncodable) e.nextElement());
			//                    }
			//                    v.add(relName);
			//                    issuersTemp.add(new X500Principal(new DERSequence(v)
			//                        .getDEREncoded()));
			//                }
			//                issuers.clear();
			//                issuers.addAll(issuersTemp);
			//            }
			//        }

			selector.Issuers = issuers;
		/// <summary>
		/// CRL processing step (i): when delta CRL use is enabled and a delta CRL was
		/// found, delegates to PkixCertPathValidatorUtilities.GetCertStatus with the
		/// delta CRL so certStatus reflects it. Does nothing otherwise.
		/// </summary>
		/// <param name="validDate">Time at which the revocation status is evaluated.</param>
		/// <param name="deltacrl">The delta CRL, or null when none is available.</param>
		/// <param name="cert">The certificate (or attribute certificate) being checked.</param>
		/// <param name="certStatus">Status object handed to GetCertStatus.</param>
		/// <param name="pkixParams">PKIX parameters; only IsUseDeltasEnabled is read here.</param>
		internal static void ProcessCrlI(
			DateTime		validDate,
			X509Crl			deltacrl,
			object			cert,
			CertStatus		certStatus,
			PkixParameters	pkixParams)
		{
			if (!pkixParams.IsUseDeltasEnabled)
				return;
			if (deltacrl == null)
				return;

			PkixCertPathValidatorUtilities.GetCertStatus(validDate, deltacrl, cert, certStatus);
		}
		 * Fetches complete CRLs according to RFC 3280.
		 * @param dp The distribution point for which the complete CRLs are fetched.
		 * @param cert The <code>X509Certificate</code> or
		 *            {@link org.bouncycastle.x509.X509AttributeCertificate} for
		 *            which the CRL should be searched.
		 * @param currentDate The date for which the delta CRLs must be valid.
		 * @param paramsPKIX The extended PKIX parameters.
		 * @return A <code>Set</code> of <code>X509CRL</code>s with complete
		 *         CRLs.
		 * @throws Exception if an exception occurs while picking the CRLs
		 *             or no CRLs are found.
		// Looks up the complete (non-delta) CRLs for cert from the stores in paramsPKIX,
		// restricted to the issuers derived from dp. Fails closed: an empty result is an
		// error naming the issuer, never an empty set.
		// This listing is brace-stripped; the try keyword, the bodies of the if/else that
		// fill 'issuers' from the certificate's issuer, and the else keyword before the
		// X509Certificate branch of the error message are missing.
		internal static ISet GetCompleteCrls(
			DistributionPoint	dp,
			object				cert,
			DateTime			currentDate,
			PkixParameters		paramsPKIX)
			X509CrlStoreSelector crlselect = new X509CrlStoreSelector();
				ISet issuers = new HashSet();
				// NOTE(review): this tests for the concrete X509V2AttributeCertificate while the
				// error path below tests for IX509AttributeCertificate; another implementation
				// of that interface would take neither issuer branch here — verify intended
				if (cert is X509V2AttributeCertificate)
				PkixCertPathValidatorUtilities.GetCrlIssuersFromDistributionPoint(dp, issuers, crlselect, paramsPKIX);
			catch (Exception e)
				throw new Exception("Could not get issuer information from distribution point.", e);

			// tell the selector which certificate the CRL must cover
			if (cert is X509Certificate)
				crlselect.CertificateChecking = (X509Certificate)cert;
			else if (cert is X509V2AttributeCertificate)
				crlselect.AttrCertChecking = (IX509AttributeCertificate)cert;

			crlselect.CompleteCrlEnabled = true;
			ISet crls = CrlUtilities.FindCrls(crlselect, paramsPKIX, currentDate);

			// no CRL at all is an error, not "not revoked"
			if (crls.IsEmpty)
				if (cert is IX509AttributeCertificate)
					IX509AttributeCertificate aCert = (IX509AttributeCertificate)cert;

					// NOTE(review): uses the first issuer principal only for the message
					throw new Exception("No CRLs found for issuer \"" + aCert.Issuer.GetPrincipals()[0] + "\"");
					X509Certificate xCert = (X509Certificate)cert;

					throw new Exception("No CRLs found for issuer \"" + xCert.IssuerDN + "\"");

			return crls;
		* Checks a distribution point for revocation information for the
		* certificate <code>cert</code>.
		* @param dp                 The distribution point to consider.
		* @param paramsPKIX         PKIX parameters.
		* @param cert               Certificate to check if it is revoked.
		* @param validDate          The date when the certificate revocation status should be
		*                           checked.
		* @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>.
		* @param defaultCRLSignKey  The public key of the issuer certificate
		*                           <code>defaultCRLSignCert</code>.
		* @param certStatus         The current certificate revocation status.
		* @param reasonMask         The reasons mask which is already checked.
		* @param certPathCerts      The certificates of the certification path.
		* @throws AnnotatedException if the certificate is revoked or the status cannot be checked
		*                            or some error occurs.
		// Checks one certificate against the CRLs reachable from a single distribution point.
		// The revocation outcome is written into certStatus and the reason codes covered so far
		// into reasonMask; the lettered steps (a)...(k) mirror the CRL processing steps of the
		// RFC 3280 path validation algorithm that Rfc3280CertPathUtilities implements.
		// NOTE(review): this listing has lost its braces, block-comment delimiters and the `try`
		// that pairs with the `catch` at the end of the loop body; restore from the original
		// source before compiling.
		private static void CheckCrl(
			DistributionPoint dp,
			PkixParameters paramsPKIX,
			X509Certificate cert,
			DateTime validDate,
			X509Certificate defaultCRLSignCert,
			AsymmetricKeyParameter defaultCRLSignKey,
			CertStatus certStatus,
			ReasonsMask reasonMask,
			IList certPathCerts)
			//throws AnnotatedException
			// CRL freshness is judged against "now", not against validDate (see the comment
			// before the validity-model check inside the loop).
			DateTime currentDate = DateTime.UtcNow;

			// Tick comparison ignores DateTime.Kind; assumes validDate is UTC like currentDate — TODO confirm at the callers.
			if (validDate.Ticks > currentDate.Ticks)
				throw new Exception("Validation time is in future.");

			// (a)
			// We always get timely valid CRLs, so there is no step (a) (1).
			// "locally cached" CRLs are assumed to be in getStore(), additional
			// CRLs must be enabled in the ExtendedPKIXParameters and are in
			// getAdditionalStore()

			ISet crls = PkixCertPathValidatorUtilities.GetCompleteCrls(dp, cert, currentDate, paramsPKIX);
			bool validCrlFound = false;
			// Last failure seen while processing a CRL; rethrown below when no CRL could be used.
			Exception lastException = null;

			IEnumerator crl_iter = crls.GetEnumerator();

			// Stop as soon as the certificate is known to be revoked or every reason code is
			// already covered; otherwise keep trying CRLs until one is accepted.
			while (crl_iter.MoveNext() && certStatus.Status == CertStatus.Unrevoked && !reasonMask.IsAllReasons)
					X509Crl crl = (X509Crl)crl_iter.Current;

					// (d)
					ReasonsMask interimReasonsMask = Rfc3280CertPathUtilities.ProcessCrlD(crl, dp);

					// (e)
					// The reasons mask is updated at the end, so only valid CRLs
					// can update it. If this CRL does not contain new reasons it
					// must be ignored.
					// NOTE(review): the body of this `if` (the statement that ignores the CRL) is
					// missing from the listing — confirm against the original source.
					if (!interimReasonsMask.HasNewReasons(reasonMask))

					// (f) candidate CRL signing keys, (g) the key that actually verifies this CRL.
					ISet keys = Rfc3280CertPathUtilities.ProcessCrlF(crl, cert, defaultCRLSignCert, defaultCRLSignKey,
						paramsPKIX, certPathCerts);
					// (g)
					AsymmetricKeyParameter key = Rfc3280CertPathUtilities.ProcessCrlG(crl, keys);

					X509Crl deltaCRL = null;

					if (paramsPKIX.IsUseDeltasEnabled)
						// get delta CRLs
						ISet deltaCRLs = PkixCertPathValidatorUtilities.GetDeltaCrls(currentDate, paramsPKIX, crl);
						// we only want one valid delta CRL
						// (h)
						deltaCRL = Rfc3280CertPathUtilities.ProcessCrlH(deltaCRLs, key);

					// CRL must be be valid at the current time, not the validation
					// time. If a certificate is revoked with reason keyCompromise,
					// cACompromise, it can be used for forgery, also for the past.
					// This reason may not be contained in older CRLs.

					// in the chain model signatures stay valid also after the
					// certificate has been expired, so they do not have to be in
					// the CRL validity time

					if (paramsPKIX.ValidityModel != PkixParameters.ChainValidityModel)
						// if a certificate has expired, but was revoked, it is not
						// more in the CRL, so it would be regarded as valid if the
						// first check is not done
						if (cert.NotAfter.Ticks < crl.ThisUpdate.Ticks)
							throw new Exception("No valid CRL for current time found.");

					// (b) (1)
					Rfc3280CertPathUtilities.ProcessCrlB1(dp, cert, crl);

					// (b) (2)
					Rfc3280CertPathUtilities.ProcessCrlB2(dp, cert, crl);

					// (c)
					Rfc3280CertPathUtilities.ProcessCrlC(deltaCRL, crl, paramsPKIX);

					// (i) delta CRL entries are consulted first, (j) then the complete CRL;
					// both may set certStatus to a revoked state for the validation date.
					Rfc3280CertPathUtilities.ProcessCrlI(validDate, deltaCRL, cert, certStatus, paramsPKIX);

					// (j)
					Rfc3280CertPathUtilities.ProcessCrlJ(validDate, crl, cert, certStatus);

					// (k) a removeFromCRL entry means the earlier entry was withdrawn, so the
					// status goes back to unrevoked.
					if (certStatus.Status == CrlReason.RemoveFromCrl)
						certStatus.Status = CertStatus.Unrevoked;

					// update reasons mask
					// NOTE(review): no statement follows this comment in the listing; the merge of
					// interimReasonsMask into reasonMask described in step (e) appears to have been
					// lost — confirm against the original source.

					ISet criticalExtensions = crl.GetCriticalExtensionOids();

					// Any critical extension the validator does not understand makes the CRL unusable.
					// NOTE(review): the copy is never modified before the emptiness test in this
					// listing, so every CRL carrying a critical extension is rejected; lines that
					// remove the extensions handled above may have been lost — confirm.
					if (criticalExtensions != null)
						criticalExtensions = new HashSet(criticalExtensions);

						if (!criticalExtensions.IsEmpty)
							throw new Exception("CRL contains unsupported critical extensions.");

					// Same rule for the delta CRL, when one was selected in step (h).
					if (deltaCRL != null)
						criticalExtensions = deltaCRL.GetCriticalExtensionOids();
						if (criticalExtensions != null)
							criticalExtensions = new HashSet(criticalExtensions);

							if (!criticalExtensions.IsEmpty)
								throw new Exception("Delta CRL contains unsupported critical extension.");

					validCrlFound = true;
				// A failing CRL is recorded and the next one is tried; only the last failure is reported.
				catch (Exception e)
					lastException = e;
			// NOTE(review): if crls is empty the loop never runs and lastException is still null,
			// so this throws NullReferenceException rather than a descriptive error — confirm
			// that GetCompleteCrls throws itself when no CRL is available.
			if (!validCrlFound)
				throw lastException;
        // Validates a certification path against the given PKIX parameters and returns the
        // trust anchor, the valid policy tree and the subject public key of the target
        // certificate. The path is ordered target first: index 0 is the end-entity certificate,
        // the last entry is the certificate expected to chain to a trust anchor.
        // NOTE(review): decompiler output with braces stripped; the `try` keywords before the
        // trust-anchor lookup and the next-working-key lookup and the `else` keywords inside the
        // trust-anchor and critical-extension branches are missing from this listing.
        public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters paramsPkix)
            //IL_0012: Unknown result type (might be due to invalid IL or missing references)
            //IL_0170: Expected O, but got Unknown
            // paramsPkix itself is dereferenced before any null check, so a null argument surfaces
            // as NullReferenceException rather than ArgumentException.
            if (paramsPkix.GetTrustAnchors() == null)
                throw new ArgumentException("trustAnchors is null, this is not allowed for certification path validation.", "parameters");
            global::System.Collections.IList certificates = certPath.Certificates;
            // count is the path length; the later get_Count() calls read the same value (decompiler noise).
            int count = ((global::System.Collections.ICollection)certificates).get_Count();

            if (((global::System.Collections.ICollection)certificates).get_Count() == 0)
                throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);
            ISet        initialPolicies = paramsPkix.GetInitialPolicies();
            TrustAnchor trustAnchor;

                // The trust anchor is looked up for the last certificate in the path (the one
                // nearest the root); failures are reported at that index.
                trustAnchor = PkixCertPathValidatorUtilities.FindTrustAnchor((X509Certificate)certificates.get_Item(((global::System.Collections.ICollection)certificates).get_Count() - 1), paramsPkix.GetTrustAnchors());
            catch (global::System.Exception ex)
                throw new PkixCertPathValidatorException(ex.get_Message(), ex, certPath, ((global::System.Collections.ICollection)certificates).get_Count() - 1);
            if (trustAnchor == null)
                throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
            int num = 0;

            // One policy node list per path depth (plus the root level at index 0).
            global::System.Collections.IList[] array = new global::System.Collections.IList[count + 1];
            for (int i = 0; i < array.Length; i++)
                array[i] = Platform.CreateArrayList();
            ISet set = new HashSet();

            // Root of the valid policy tree, starting from anyPolicy.
            PkixPolicyNode pkixPolicyNode = new PkixPolicyNode(Platform.CreateArrayList(), 0, set, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, critical: false);

            PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();
            ISet                   acceptablePolicies           = new HashSet();
            // Policy state counters: 0 when the corresponding parameter is set (constraint active
            // from the start), otherwise count + 1 so it is larger than any index on the path.
            int                    explicitPolicy   = ((!paramsPkix.IsExplicitPolicyRequired) ? (count + 1) : 0);
            int                    inhibitAnyPolicy = ((!paramsPkix.IsAnyPolicyInhibited) ? (count + 1) : 0);
            int                    policyMapping    = ((!paramsPkix.IsPolicyMappingInhibited) ? (count + 1) : 0);
            X509Certificate        x509Certificate  = trustAnchor.TrustedCert;
            X509Name               workingIssuerName;
            AsymmetricKeyParameter asymmetricKeyParameter;

                // Initial working issuer name and public key come from the anchor's certificate
                // when it has one, otherwise from the anchor's CA name and key
                // (the `else` separating the two assignments pairs is missing from the listing).
                if (x509Certificate != null)
                    workingIssuerName      = x509Certificate.SubjectDN;
                    asymmetricKeyParameter = x509Certificate.GetPublicKey();
                    workingIssuerName      = new X509Name(trustAnchor.CAName);
                    asymmetricKeyParameter = trustAnchor.CAPublicKey;
            catch (ArgumentException val)
                ArgumentException cause = val;
                throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", (global::System.Exception)(object) cause, certPath, -1);
            catch (PkixCertPathValidatorException cause2)
                throw new PkixCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", cause2, certPath, -1);
            int maxPathLength = count;
            X509CertStoreSelector targetCertConstraints = paramsPkix.GetTargetCertConstraints();

            // Optional target constraints are matched against the end-entity certificate (index 0).
            if (targetCertConstraints != null && !targetCertConstraints.Match((X509Certificate)certificates.get_Item(0)))
                throw new PkixCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
            global::System.Collections.IList       certPathCheckers = paramsPkix.GetCertPathCheckers();
            global::System.Collections.IEnumerator enumerator       = ((global::System.Collections.IEnumerable)certPathCheckers).GetEnumerator();
            // User-supplied checkers run in reverse (anchor-to-target) order, matching the loop below.
            while (enumerator.MoveNext())
                ((PkixCertPathChecker)enumerator.get_Current()).Init(forward: false);
            X509Certificate x509Certificate2 = null;

            // Walk from the certificate nearest the anchor down to the target; num2 is the
            // 1-based position along the path.
            for (num = ((global::System.Collections.ICollection)certificates).get_Count() - 1; num >= 0; num--)
                int num2 = count - num;
                x509Certificate2 = (X509Certificate)certificates.get_Item(num);
                // (a) signature / validity / issuer checks against the current working key and name.
                Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, num, asymmetricKeyParameter, workingIssuerName, x509Certificate);
                Rfc3280CertPathUtilities.ProcessCertBC(certPath, num, nameConstraintValidator);
                pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertD(certPath, num, acceptablePolicies, pkixPolicyNode, array, inhibitAnyPolicy);
                pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertE(certPath, num, pkixPolicyNode);
                Rfc3280CertPathUtilities.ProcessCertF(certPath, num, pkixPolicyNode, explicitPolicy);
                // Everything below prepares state for the next certificate, so it is skipped for the target.
                if (num2 != count)
                    // A version 1 certificate carries no extensions and is not accepted as a CA.
                    if (x509Certificate2 != null && x509Certificate2.Version == 1)
                        throw new PkixCertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, certPath, num);
                    Rfc3280CertPathUtilities.PrepareNextCertA(certPath, num);
                    pkixPolicyNode = Rfc3280CertPathUtilities.PrepareCertB(certPath, num, array, pkixPolicyNode, policyMapping);
                    Rfc3280CertPathUtilities.PrepareNextCertG(certPath, num, nameConstraintValidator);
                    // Policy counters are decremented (H) and then possibly reset by constraints
                    // in this certificate (I, J).
                    explicitPolicy   = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, num, explicitPolicy);
                    policyMapping    = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, num, policyMapping);
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, num, inhibitAnyPolicy);
                    explicitPolicy   = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, num, explicitPolicy);
                    policyMapping    = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, num, policyMapping);
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, num, inhibitAnyPolicy);
                    Rfc3280CertPathUtilities.PrepareNextCertK(certPath, num);
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, num, maxPathLength);
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, num, maxPathLength);
                    Rfc3280CertPathUtilities.PrepareNextCertN(certPath, num);
                    // Critical extensions not consumed by the steps above are handed to the checkers
                    // in step (O) (the `else` for the empty-set case is missing from the listing).
                    ISet criticalExtensionOids = x509Certificate2.GetCriticalExtensionOids();
                    if (criticalExtensionOids != null)
                        criticalExtensionOids = new HashSet(criticalExtensionOids);
                        criticalExtensionOids = new HashSet();
                    Rfc3280CertPathUtilities.PrepareNextCertO(certPath, num, criticalExtensionOids, certPathCheckers);
                    // This certificate becomes the issuer for the next iteration.
                    x509Certificate   = x509Certificate2;
                    workingIssuerName = x509Certificate.SubjectDN;
                        asymmetricKeyParameter = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, num);
                    catch (PkixCertPathValidatorException cause3)
                        throw new PkixCertPathValidatorException("Next working key could not be retrieved.", cause3, certPath, num);
            // Wrap-up on the target certificate (x509Certificate2 is the index-0 entry here).
            explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, x509Certificate2);
            explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, num + 1, explicitPolicy);
            ISet criticalExtensionOids2 = x509Certificate2.GetCriticalExtensionOids();

            // Same `else`-less shape as above: the empty set is used when no critical extensions exist.
            if (criticalExtensionOids2 != null)
                criticalExtensionOids2 = new HashSet(criticalExtensionOids2);
                criticalExtensionOids2 = new HashSet();
            Rfc3280CertPathUtilities.WrapupCertF(certPath, num + 1, certPathCheckers, criticalExtensionOids2);
            PkixPolicyNode pkixPolicyNode2 = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, initialPolicies, num + 1, array, pkixPolicyNode, acceptablePolicies);

            // Success requires either that an explicit policy was never demanded (counter still
            // positive) or that a non-empty valid policy tree survived; otherwise the path fails.
            if (explicitPolicy > 0 || pkixPolicyNode2 != null)
                return(new PkixCertPathValidatorResult(trustAnchor, pkixPolicyNode2, x509Certificate2.GetPublicKey()));
            throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, num);