GetAdditionalStores() public méthode

public GetAdditionalStores ( ) : IList
Résultat IList
Exemple #1
0
        public virtual ISet FindCrls(X509CrlStoreSelector crlselect, PkixParameters paramsPkix, DateTime currentDate)
        {
            ISet initialSet = new HashSet();

            // get complete CRL(s)
            try
            {
                initialSet.AddAll(FindCrls(crlselect, paramsPkix.GetAdditionalStores()));
                initialSet.AddAll(FindCrls(crlselect, paramsPkix.GetStores()));
            }
            catch (Exception e)
            {
                throw new Exception("Exception obtaining complete CRLs.", e);
            }

            ISet     finalSet     = new HashSet();
            DateTime validityDate = currentDate;

            if (paramsPkix.Date != null)
            {
                validityDate = paramsPkix.Date.Value;
            }

            // based on RFC 5280 6.3.3
            foreach (X509Crl crl in initialSet)
            {
                if (crl.NextUpdate.Value.CompareTo(validityDate) > 0)
                {
                    X509Certificate cert = crlselect.CertificateChecking;

                    if (cert != null)
                    {
                        if (crl.ThisUpdate.CompareTo(cert.NotAfter) < 0)
                        {
                            finalSet.Add(crl);
                        }
                    }
                    else
                    {
                        finalSet.Add(crl);
                    }
                }
            }

            return(finalSet);
        }
Exemple #2
0
		public virtual ISet FindCrls(X509CrlStoreSelector crlselect, PkixParameters paramsPkix, DateTime currentDate)
		{
			ISet initialSet = new HashSet();

			// get complete CRL(s)
			try
			{
				initialSet.AddAll(FindCrls(crlselect, paramsPkix.GetAdditionalStores()));
				initialSet.AddAll(FindCrls(crlselect, paramsPkix.GetStores()));
			}
			catch (Exception e)
			{
				throw new Exception("Exception obtaining complete CRLs.", e);
			}

			ISet finalSet = new HashSet();
			DateTime validityDate = currentDate;

			if (paramsPkix.Date != null)
			{
				validityDate = paramsPkix.Date.Value;
			}

			// based on RFC 5280 6.3.3
			foreach (X509Crl crl in initialSet)
			{
				if (crl.NextUpdate.Value.CompareTo(validityDate) > 0)
				{
					X509Certificate cert = crlselect.CertificateChecking;

					if (cert != null)
					{
						if (crl.ThisUpdate.CompareTo(cert.NotAfter) < 0)
						{
							finalSet.Add(crl);
						}
					}
					else
					{
						finalSet.Add(crl);
					}
				}
			}

			return finalSet;
		}
Exemple #3
0
        public virtual ISet FindCrls(X509CrlStoreSelector crlselect, PkixParameters paramsPkix, DateTime currentDate)
        {
            ISet set = new HashSet();

            try
            {
                set.AddAll(this.FindCrls(crlselect, paramsPkix.GetAdditionalStores()));
                set.AddAll(this.FindCrls(crlselect, paramsPkix.GetStores()));
            }
            catch (Exception innerException)
            {
                throw new Exception("Exception obtaining complete CRLs.", innerException);
            }
            ISet     set2  = new HashSet();
            DateTime value = currentDate;

            if (paramsPkix.Date != null)
            {
                value = paramsPkix.Date.Value;
            }
            foreach (X509Crl x509Crl in set)
            {
                if (x509Crl.NextUpdate.Value.CompareTo(value) > 0)
                {
                    X509Certificate certificateChecking = crlselect.CertificateChecking;
                    if (certificateChecking != null)
                    {
                        if (x509Crl.ThisUpdate.CompareTo(certificateChecking.NotAfter) < 0)
                        {
                            set2.Add(x509Crl);
                        }
                    }
                    else
                    {
                        set2.Add(x509Crl);
                    }
                }
            }
            return(set2);
        }
		/**
		* Obtain and validate the certification path for the complete CRL issuer.
		* If a key usage extension is present in the CRL issuer's certificate,
		* verify that the cRLSign bit is set.
		*
		* @param crl                CRL which contains revocation information for the certificate
		*                           <code>cert</code>.
		* @param cert               The attribute certificate or certificate to check if it is
		*                           revoked.
		* @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>.
		* @param defaultCRLSignKey  The public key of the issuer certificate
		*                           <code>defaultCRLSignCert</code>.
		* @param paramsPKIX         paramsPKIX PKIX parameters.
		* @param certPathCerts      The certificates on the certification path.
		* @return A <code>Set</code> with all keys of possible CRL issuer
		*         certificates.
		* @throws AnnotatedException if the CRL is not valid or the status cannot be checked or
		*                            some error occurs.
		*/
		internal static ISet ProcessCrlF(
			X509Crl					crl,
			object					cert,
			X509Certificate			defaultCRLSignCert,
			AsymmetricKeyParameter	defaultCRLSignKey,
			PkixParameters			paramsPKIX,
			IList					certPathCerts)
		{
			// (f)

			// get issuer from CRL
			X509CertStoreSelector selector = new X509CertStoreSelector();
			try
			{
				selector.Subject = crl.IssuerDN;
			}
			catch (IOException e)
			{
				throw new Exception(
					"Subject criteria for certificate selector to find issuer certificate for CRL could not be set.", e);
			}

			// get CRL signing certs
			IList coll = Platform.CreateArrayList();

			try
			{
                CollectionUtilities.AddRange(coll, PkixCertPathValidatorUtilities.FindCertificates(selector, paramsPKIX.GetStores()));
                CollectionUtilities.AddRange(coll, PkixCertPathValidatorUtilities.FindCertificates(selector, paramsPKIX.GetAdditionalStores()));
			}
			catch (Exception e)
			{
				throw new Exception("Issuer certificate for CRL cannot be searched.", e);
			}

			coll.Add(defaultCRLSignCert);

			IEnumerator cert_it = coll.GetEnumerator();

            IList validCerts = Platform.CreateArrayList();
            IList validKeys = Platform.CreateArrayList();

			while (cert_it.MoveNext())
			{
				X509Certificate signingCert = (X509Certificate)cert_it.Current;

				/*
				 * CA of the certificate, for which this CRL is checked, has also
				 * signed CRL, so skip the path validation, because is already done
				 */
				if (signingCert.Equals(defaultCRLSignCert))
				{
					validCerts.Add(signingCert);
					validKeys.Add(defaultCRLSignKey);
					continue;
				}
				try
				{
//					CertPathBuilder builder = CertPathBuilder.GetInstance("PKIX");
					PkixCertPathBuilder builder = new PkixCertPathBuilder();
					selector = new X509CertStoreSelector();
					selector.Certificate = signingCert;

					PkixParameters temp = (PkixParameters)paramsPKIX.Clone();
					temp.SetTargetCertConstraints(selector);

					PkixBuilderParameters parameters = (PkixBuilderParameters)
						PkixBuilderParameters.GetInstance(temp);

					/*
					 * if signingCert is placed not higher on the cert path a
					 * dependency loop results. CRL for cert is checked, but
					 * signingCert is needed for checking the CRL which is dependent
					 * on checking cert because it is higher in the cert path and so
					 * signing signingCert transitively. so, revocation is disabled,
					 * forgery attacks of the CRL are detected in this outer loop
					 * for all other it must be enabled to prevent forgery attacks
					 */
					if (certPathCerts.Contains(signingCert))
					{
						parameters.IsRevocationEnabled = false;
					}
					else
					{
						parameters.IsRevocationEnabled = true;
					}
					IList certs = builder.Build(parameters).CertPath.Certificates;
					validCerts.Add(signingCert);
					validKeys.Add(PkixCertPathValidatorUtilities.GetNextWorkingKey(certs, 0));
				}
				catch (PkixCertPathBuilderException e)
				{
					throw new Exception("Internal error.", e);
				}
				catch (PkixCertPathValidatorException e)
				{
					throw new Exception("Public key of issuer certificate of CRL could not be retrieved.", e);
				}
				//catch (Exception e)
				//{
				//    throw new Exception(e.Message);
				//}
			}

			ISet checkKeys = new HashSet();

			Exception lastException = null;
			for (int i = 0; i < validCerts.Count; i++)
			{
				X509Certificate signCert = (X509Certificate)validCerts[i];
				bool[] keyusage = signCert.GetKeyUsage();

				if (keyusage != null && (keyusage.Length < 7 || !keyusage[CRL_SIGN]))
				{
					lastException = new Exception(
						"Issuer certificate key usage extension does not permit CRL signing.");
				}
				else
				{
					checkKeys.Add(validKeys[i]);
				}
			}

			if ((checkKeys.Count == 0) && lastException == null)
			{
				throw new Exception("Cannot find a valid issuer certificate.");
			}
			if ((checkKeys.Count == 0) && lastException != null)
			{
				throw lastException;
			}

			return checkKeys;
		}
Exemple #5
0
        public virtual ISet FindCrls(X509CrlStoreSelector crlselect, PkixParameters paramsPkix, global::System.DateTime currentDate)
        {
            ISet set = new HashSet();

            try
            {
                set.AddAll((global::System.Collections.IEnumerable)FindCrls(crlselect, paramsPkix.GetAdditionalStores()));
                set.AddAll((global::System.Collections.IEnumerable)FindCrls(crlselect, paramsPkix.GetStores()));
            }
            catch (global::System.Exception ex)
            {
                throw new global::System.Exception("Exception obtaining complete CRLs.", ex);
            }
            ISet set2 = new HashSet();

            global::System.DateTime dateTime = currentDate;
            if (paramsPkix.Date != null)
            {
                dateTime = paramsPkix.Date.Value;
            }
            global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)set).GetEnumerator();
            try
            {
                while (enumerator.MoveNext())
                {
                    X509Crl x509Crl = (X509Crl)enumerator.get_Current();
                    if (x509Crl.NextUpdate.Value.CompareTo((object)dateTime) <= 0)
                    {
                        continue;
                    }
                    X509Certificate certificateChecking = crlselect.CertificateChecking;
                    if (certificateChecking != null)
                    {
                        if (x509Crl.ThisUpdate.CompareTo((object)certificateChecking.NotAfter) < 0)
                        {
                            set2.Add(x509Crl);
                        }
                    }
                    else
                    {
                        set2.Add(x509Crl);
                    }
                }
                return(set2);
            }
            finally
            {
                global::System.IDisposable disposable = enumerator as global::System.IDisposable;
                if (disposable != null)
                {
                    disposable.Dispose();
                }
            }
        }
        /**
         * Fetches delta CRLs according to RFC 3280 section 5.2.4.
         *
         * @param currentDate The date for which the delta CRLs must be valid.
         * @param paramsPKIX The extended PKIX parameters.
         * @param completeCRL The complete CRL the delta CRL is for.
         * @return A <code>Set</code> of <code>X509CRL</code>s with delta CRLs.
         * @throws Exception if an exception occurs while picking the delta
         *             CRLs.
         */
        internal static ISet GetDeltaCrls(
            DateTime currentDate,
            PkixParameters paramsPKIX,
            X509Crl completeCRL)
        {
            X509CrlStoreSelector deltaSelect = new X509CrlStoreSelector();

            if (paramsPKIX.Date != null)
            {
                deltaSelect.DateAndTime = paramsPKIX.Date;
            }
            else
            {
                deltaSelect.DateAndTime = new DateTimeObject(currentDate);
            }

            // 5.2.4 (a)
            try
            {
                IList deltaSelectIssuer = new ArrayList();
                deltaSelectIssuer.Add(completeCRL.IssuerDN);
                deltaSelect.Issuers = deltaSelectIssuer;
            }
            catch (IOException e)
            {
                new Exception("Cannot extract issuer from CRL.", e);
            }

            BigInteger completeCRLNumber = null;

            try
            {
                Asn1Object asn1Object = GetExtensionValue(completeCRL, X509Extensions.CrlNumber);
                if (asn1Object != null)
                {
                    completeCRLNumber = CrlNumber.GetInstance(asn1Object).PositiveValue;
                }
            }
            catch (Exception e)
            {
                throw new Exception(
                          "CRL number extension could not be extracted from CRL.", e);
            }

            // 5.2.4 (b)
            byte[] idp = null;

            try
            {
                Asn1Object obj = GetExtensionValue(completeCRL, X509Extensions.IssuingDistributionPoint);
                if (obj != null)
                {
                    idp = obj.GetDerEncoded();
                }
            }
            catch (Exception e)
            {
                throw new Exception(
                          "Issuing distribution point extension value could not be read.",
                          e);
            }

            // 5.2.4 (d)

            deltaSelect.MinCrlNumber = (completeCRLNumber == null)
                                ?       null
                                :       completeCRLNumber.Add(BigInteger.One);

            deltaSelect.IssuingDistributionPoint        = idp;
            deltaSelect.IssuingDistributionPointEnabled = true;

            // 5.2.4 (c)
            deltaSelect.MaxBaseCrlNumber = completeCRLNumber;

            ISet temp = new HashSet();

            // find delta CRLs
            try
            {
                temp.AddAll(PkixCertPathValidatorUtilities.FindCrls(deltaSelect, paramsPKIX.GetAdditionalStores()));
                temp.AddAll(PkixCertPathValidatorUtilities.FindCrls(deltaSelect, paramsPKIX.GetStores()));
            }
            catch (Exception e)
            {
                throw new Exception("Could not search for delta CRLs.", e);
            }

            ISet result = new HashSet();

            foreach (X509Crl crl in temp)
            {
                if (isDeltaCrl(crl))
                {
                    result.Add(crl);
                }
            }

            return(result);
        }
        /**
         * Fetches complete CRLs according to RFC 3280.
         *
         * @param dp The distribution point for which the complete CRL
         * @param cert The <code>X509Certificate</code> or
         *            {@link org.bouncycastle.x509.X509AttributeCertificate} for
         *            which the CRL should be searched.
         * @param currentDate The date for which the delta CRLs must be valid.
         * @param paramsPKIX The extended PKIX parameters.
         * @return A <code>Set</code> of <code>X509CRL</code>s with complete
         *         CRLs.
         * @throws Exception if an exception occurs while picking the CRLs
         *             or no CRLs are found.
         */
        internal static ISet GetCompleteCrls(
            DistributionPoint dp,
            object cert,
            DateTime currentDate,
            PkixParameters paramsPKIX)
        {
            X509CrlStoreSelector crlselect = new X509CrlStoreSelector();

            try
            {
                ISet issuers = new HashSet();
                if (cert is X509V2AttributeCertificate)
                {
                    issuers.Add(((X509V2AttributeCertificate)cert)
                                .Issuer.GetPrincipals()[0]);
                }
                else
                {
                    issuers.Add(GetIssuerPrincipal(cert));
                }
                PkixCertPathValidatorUtilities.GetCrlIssuersFromDistributionPoint(dp, issuers, crlselect, paramsPKIX);
            }
            catch (Exception e)
            {
                new Exception("Could not get issuer information from distribution point.", e);
            }

            if (cert is X509Certificate)
            {
                crlselect.CertificateChecking = (X509Certificate)cert;
            }
            else if (cert is X509V2AttributeCertificate)
            {
                crlselect.AttrCertChecking = (IX509AttributeCertificate)cert;
            }

            if (paramsPKIX.Date != null)
            {
                crlselect.DateAndTime = paramsPKIX.Date;
            }
            else
            {
                crlselect.DateAndTime = new DateTimeObject(currentDate);
            }

            crlselect.CompleteCrlEnabled = true;

            ISet crls = new HashSet();

            try
            {
                crls.AddAll(PkixCertPathValidatorUtilities.FindCrls(crlselect, paramsPKIX.GetStores()));
                crls.AddAll(PkixCertPathValidatorUtilities.FindCrls(crlselect, paramsPKIX.GetAdditionalStores()));
            }
            catch (Exception e)
            {
                throw new Exception("Could not search for CRLs.", e);
            }

            if (crls.IsEmpty)
            {
                throw new Exception("No CRLs found.");
            }

            return(crls);
        }
		internal static ISet[] ProcessCrlA1ii(
			DateTime		currentDate,
			PkixParameters	paramsPKIX,
			X509Certificate	cert,
			X509Crl			crl)
		{
			ISet completeSet = new HashSet();
			ISet deltaSet = new HashSet();
			X509CrlStoreSelector crlselect = new X509CrlStoreSelector();
			crlselect.CertificateChecking = cert;

			if (paramsPKIX.Date != null)
			{
				crlselect.DateAndTime = paramsPKIX.Date;
			}
			else
			{
				crlselect.DateAndTime = new DateTimeObject(currentDate);
			}

			try
			{                
				IList issuer = new ArrayList();
				issuer.Add(crl.IssuerDN);
				crlselect.Issuers = issuer;
			}
			catch (IOException e)
			{
				throw new Exception("Cannot extract issuer from CRL." + e, e);
			}

			crlselect.CompleteCrlEnabled = true;

			// get complete CRL(s)
			try
			{
				completeSet.AddAll(PkixCertPathValidatorUtilities.FindCrls(crlselect, paramsPKIX.GetAdditionalStores()));
				completeSet.AddAll(PkixCertPathValidatorUtilities.FindCrls(crlselect, paramsPKIX.GetStores()));
			}
			catch (Exception e)
			{
				throw new Exception("Exception obtaining complete CRLs.", e);
			}
			if (paramsPKIX.IsUseDeltasEnabled)
			{
				// get delta CRL(s)
				try
				{
					deltaSet.AddAll(PkixCertPathValidatorUtilities.GetDeltaCrls(currentDate, paramsPKIX, crl));
				}
				catch (Exception e)
				{
					throw new Exception("Exception obtaining delta CRLs.", e);
				}
			}
			return new ISet[]
			{
				completeSet,
				deltaSet};
		}
		/**
		 * Fetches delta CRLs according to RFC 3280 section 5.2.4.
		 *
		 * @param currentDate The date for which the delta CRLs must be valid.
		 * @param paramsPKIX The extended PKIX parameters.
		 * @param completeCRL The complete CRL the delta CRL is for.
		 * @return A <code>Set</code> of <code>X509CRL</code>s with delta CRLs.
		 * @throws Exception if an exception occurs while picking the delta
		 *             CRLs.
		 */
		internal static ISet GetDeltaCrls(
			DateTime		currentDate,
			PkixParameters	paramsPKIX,
			X509Crl			completeCRL)
		{
			X509CrlStoreSelector deltaSelect = new X509CrlStoreSelector();

			if (paramsPKIX.Date != null)
			{
				deltaSelect.DateAndTime = paramsPKIX.Date;
			}
			else
			{
				deltaSelect.DateAndTime = new DateTimeObject(currentDate);
			}

			// 5.2.4 (a)
			try
			{
				IList deltaSelectIssuer = new ArrayList();
				deltaSelectIssuer.Add(completeCRL.IssuerDN);
				deltaSelect.Issuers = deltaSelectIssuer;
			}
			catch (IOException e)
			{
				new Exception("Cannot extract issuer from CRL.", e);
			}

			BigInteger completeCRLNumber = null;
			try
			{
				Asn1Object asn1Object = GetExtensionValue(completeCRL, X509Extensions.CrlNumber);
				if (asn1Object != null)
				{
					completeCRLNumber = CrlNumber.GetInstance(asn1Object).PositiveValue;
				}
			}
			catch (Exception e)
			{
				throw new Exception(
					"CRL number extension could not be extracted from CRL.", e);
			}

			// 5.2.4 (b)
			byte[] idp = null;

			try
			{
				Asn1Object obj = GetExtensionValue(completeCRL, X509Extensions.IssuingDistributionPoint);
				if (obj != null)
				{
					idp = obj.GetDerEncoded();
				}
			}
			catch (Exception e)
			{
				throw new Exception(
					"Issuing distribution point extension value could not be read.",
					e);
			}

			// 5.2.4 (d)

			deltaSelect.MinCrlNumber = (completeCRLNumber == null)
				?	null
				:	completeCRLNumber.Add(BigInteger.One);

			deltaSelect.IssuingDistributionPoint = idp;
			deltaSelect.IssuingDistributionPointEnabled = true;

			// 5.2.4 (c)
			deltaSelect.MaxBaseCrlNumber = completeCRLNumber;

			ISet temp = new HashSet();
			// find delta CRLs
			try
			{
				temp.AddAll(PkixCertPathValidatorUtilities.FindCrls(deltaSelect, paramsPKIX.GetAdditionalStores()));
				temp.AddAll(PkixCertPathValidatorUtilities.FindCrls(deltaSelect, paramsPKIX.GetStores()));
			}
			catch (Exception e)
			{
				throw new Exception("Could not search for delta CRLs.", e);
			}

			ISet result = new HashSet();

			foreach (X509Crl crl in temp)
			{
				if (isDeltaCrl(crl))
				{
					result.Add(crl);
				}
			}

			return result;
		}
		/**
		 * Fetches complete CRLs according to RFC 3280.
		 *
		 * @param dp The distribution point for which the complete CRL
		 * @param cert The <code>X509Certificate</code> or
		 *            {@link org.bouncycastle.x509.X509AttributeCertificate} for
		 *            which the CRL should be searched.
		 * @param currentDate The date for which the delta CRLs must be valid.
		 * @param paramsPKIX The extended PKIX parameters.
		 * @return A <code>Set</code> of <code>X509CRL</code>s with complete
		 *         CRLs.
		 * @throws Exception if an exception occurs while picking the CRLs
		 *             or no CRLs are found.
		 */
		internal static ISet GetCompleteCrls(
			DistributionPoint	dp,
			object				cert,
			DateTime			currentDate,
			PkixParameters		paramsPKIX)
		{
			X509CrlStoreSelector crlselect = new X509CrlStoreSelector();
			try
			{
				ISet issuers = new HashSet();
				if (cert is X509V2AttributeCertificate)
				{
					issuers.Add(((X509V2AttributeCertificate)cert)
						.Issuer.GetPrincipals()[0]);
				}
				else
				{
					issuers.Add(GetIssuerPrincipal(cert));
				}
				PkixCertPathValidatorUtilities.GetCrlIssuersFromDistributionPoint(dp, issuers, crlselect, paramsPKIX);
			}
			catch (Exception e)
			{
				new Exception("Could not get issuer information from distribution point.", e);
			}

			if (cert is X509Certificate)
			{
				crlselect.CertificateChecking = (X509Certificate)cert;
			}
			else if (cert is X509V2AttributeCertificate)
			{
				crlselect.AttrCertChecking = (IX509AttributeCertificate)cert;
			}

			if (paramsPKIX.Date != null)
			{
				crlselect.DateAndTime = paramsPKIX.Date;
			}
			else
			{
				crlselect.DateAndTime = new DateTimeObject(currentDate);
			}

			crlselect.CompleteCrlEnabled = true;

			ISet crls = new HashSet();
			try
			{
				crls.AddAll(PkixCertPathValidatorUtilities.FindCrls(crlselect, paramsPKIX.GetStores()));
				crls.AddAll(PkixCertPathValidatorUtilities.FindCrls(crlselect, paramsPKIX.GetAdditionalStores()));
			}
			catch (Exception e)
			{
				throw new Exception("Could not search for CRLs.", e);
			}

			if (crls.IsEmpty)
				throw new Exception("No CRLs found.");

			return crls;
		}