Esempio n. 1
0
        public override void PerformTest()
        {
            TestConstraints(GeneralName.Rfc822Name, testEmail,
                            testEmailIsConstraint, testEmailIsNotConstraint, email1, email2,
                            emailunion, emailintersect);
            TestConstraints(GeneralName.DnsName, testDNS, testDNSIsConstraint,
                            testDNSIsNotConstraint, dns1, dns2, dnsunion, dnsintersect);
            TestConstraints(GeneralName.DirectoryName, testDN, testDNIsConstraint,
                            testDNIsNotConstraint, dn1, dn2, dnUnion, dnIntersection);
            TestConstraints(GeneralName.UniformResourceIdentifier, testURI,
                            testURIIsConstraint, testURIIsNotConstraint, uri1, uri2, uriunion,
                            uriintersect);
            TestConstraints(GeneralName.IPAddress, testIP, testIPIsConstraint,
                            testIPIsNotConstraint, ip1, ip2, ipunion, ipintersect);

            PkixNameConstraintValidator constraintValidator = new PkixNameConstraintValidator();

            constraintValidator.IntersectPermittedSubtree(new DerSequence(new GeneralSubtree(
                                                                              new GeneralName(GeneralName.DirectoryName,
                                                                                              new X509Name(true, "ou=permittedSubtree1, o=Test Certificates 2011, c=US")))));
            constraintValidator.checkPermitted(
                new GeneralName(GeneralName.DirectoryName,
                                new X509Name(true, "cn=Valid DN nameConstraints EE Certificate Test1, ou=permittedSubtree1, o=Test Certificates 2011, c=US")));

            GeneralName    name    = new GeneralName(GeneralName.OtherName, new OtherName(new DerObjectIdentifier("1.1"), DerNull.Instance));
            GeneralSubtree subtree = new GeneralSubtree(name);

            PkixNameConstraintValidator validator = new PkixNameConstraintValidator();

            validator.IntersectPermittedSubtree(new DerSequence(subtree));

            name    = new GeneralName(GeneralName.OtherName, new OtherName(new DerObjectIdentifier("1.1"), DerNull.Instance));
            subtree = new GeneralSubtree(name);

            validator = new PkixNameConstraintValidator();
            validator.IntersectPermittedSubtree(new DerSequence(subtree));
            validator.AddExcludedSubtree(subtree);

            try
            {
                validator.checkExcluded(name);
            }
            catch (PkixNameConstraintValidatorException e)
            {
                IsEquals("OtherName is from an excluded subtree.", e.Message);
            }

            try
            {
                validator.checkPermitted(name);
            }
            catch (PkixNameConstraintValidatorException e)
            {
                Fail(e.Message);
            }
        }
Esempio n. 2
0
    public override bool Equals(object o)
    {
        if (!(o is PkixNameConstraintValidator))
        {
            return(false);
        }
        PkixNameConstraintValidator pkixNameConstraintValidator = (PkixNameConstraintValidator)o;

        if (CollectionsAreEqual(pkixNameConstraintValidator.excludedSubtreesDN, excludedSubtreesDN) && CollectionsAreEqual(pkixNameConstraintValidator.excludedSubtreesDNS, excludedSubtreesDNS) && CollectionsAreEqual(pkixNameConstraintValidator.excludedSubtreesEmail, excludedSubtreesEmail) && CollectionsAreEqual(pkixNameConstraintValidator.excludedSubtreesIP, excludedSubtreesIP) && CollectionsAreEqual(pkixNameConstraintValidator.excludedSubtreesURI, excludedSubtreesURI) && CollectionsAreEqual(pkixNameConstraintValidator.permittedSubtreesDN, permittedSubtreesDN) && CollectionsAreEqual(pkixNameConstraintValidator.permittedSubtreesDNS, permittedSubtreesDNS) && CollectionsAreEqual(pkixNameConstraintValidator.permittedSubtreesEmail, permittedSubtreesEmail) && CollectionsAreEqual(pkixNameConstraintValidator.permittedSubtreesIP, permittedSubtreesIP))
        {
            return(CollectionsAreEqual(pkixNameConstraintValidator.permittedSubtreesURI, permittedSubtreesURI));
        }
        return(false);
    }
Esempio n. 3
0
        public override void PerformTest()
        {
            TestConstraints(GeneralName.Rfc822Name, testEmail,
                            testEmailIsConstraint, testEmailIsNotConstraint, email1, email2,
                            emailunion, emailintersect);
            TestConstraints(GeneralName.DnsName, testDNS, testDNSIsConstraint,
                            testDNSIsNotConstraint, dns1, dns2, dnsunion, dnsintersect);
            TestConstraints(GeneralName.DirectoryName, testDN, testDNIsConstraint,
                            testDNIsNotConstraint, dn1, dn2, dnUnion, dnIntersection);
            TestConstraints(GeneralName.UniformResourceIdentifier, testURI,
                            testURIIsConstraint, testURIIsNotConstraint, uri1, uri2, uriunion,
                            uriintersect);
            TestConstraints(GeneralName.IPAddress, testIP, testIPIsConstraint,
                            testIPIsNotConstraint, ip1, ip2, ipunion, ipintersect);

            PkixNameConstraintValidator constraintValidator = new PkixNameConstraintValidator();

            constraintValidator.IntersectPermittedSubtree(new DerSequence(new GeneralSubtree(
                                                                              new GeneralName(GeneralName.DirectoryName,
                                                                                              new X509Name(true, "ou=permittedSubtree1, o=Test Certificates 2011, c=US")))));
            constraintValidator.checkPermitted(
                new GeneralName(GeneralName.DirectoryName,
                                new X509Name(true, "cn=Valid DN nameConstraints EE Certificate Test1, ou=permittedSubtree1, o=Test Certificates 2011, c=US")));
        }
        public virtual PkixCertPathValidatorResult Validate(
            PkixCertPath certPath,
            PkixParameters paramsPkix)
        {
            if (paramsPkix.GetTrustAnchors() == null)
            {
                throw new ArgumentException(
                          "trustAnchors is null, this is not allowed for certification path validation.",
                          "parameters");
            }

            //
            // 6.1.1 - inputs
            //

            //
            // (a)
            //
            IList certs = certPath.Certificates;
            int   n     = certs.Count;

            if (certs.Count == 0)
            {
                throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);
            }

            //
            // (b)
            //
            // DateTime validDate = PkixCertPathValidatorUtilities.GetValidDate(paramsPkix);

            //
            // (c)
            //
            ISet userInitialPolicySet = paramsPkix.GetInitialPolicies();

            //
            // (d)
            //
            TrustAnchor trust;

            try
            {
                trust = PkixCertPathValidatorUtilities.FindTrustAnchor(
                    (X509Certificate)certs[certs.Count - 1],
                    paramsPkix.GetTrustAnchors());
            }
            catch (Exception e)
            {
                throw new PkixCertPathValidatorException(e.Message, e, certPath, certs.Count - 1);
            }

            if (trust == null)
            {
                throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
            }

            //
            // (e), (f), (g) are part of the paramsPkix object.
            //
            IEnumerator certIter;
            int         index = 0;
            int         i;

            // Certificate for each interation of the validation loop
            // Signature information for each iteration of the validation loop
            //
            // 6.1.2 - setup
            //

            //
            // (a)
            //
            IList[] policyNodes = new IList[n + 1];
            for (int j = 0; j < policyNodes.Length; j++)
            {
                policyNodes[j] = Platform.CreateArrayList();
            }

            ISet policySet = new HashSet();

            policySet.Add(Rfc3280CertPathUtilities.ANY_POLICY);

            PkixPolicyNode validPolicyTree = new PkixPolicyNode(Platform.CreateArrayList(), 0, policySet, null, new HashSet(),
                                                                Rfc3280CertPathUtilities.ANY_POLICY, false);

            policyNodes[0].Add(validPolicyTree);

            //
            // (b) and (c)
            //
            PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();

            // (d)
            //
            int  explicitPolicy;
            ISet acceptablePolicies = new HashSet();

            if (paramsPkix.IsExplicitPolicyRequired)
            {
                explicitPolicy = 0;
            }
            else
            {
                explicitPolicy = n + 1;
            }

            //
            // (e)
            //
            int inhibitAnyPolicy;

            if (paramsPkix.IsAnyPolicyInhibited)
            {
                inhibitAnyPolicy = 0;
            }
            else
            {
                inhibitAnyPolicy = n + 1;
            }

            //
            // (f)
            //
            int policyMapping;

            if (paramsPkix.IsPolicyMappingInhibited)
            {
                policyMapping = 0;
            }
            else
            {
                policyMapping = n + 1;
            }

            //
            // (g), (h), (i), (j)
            //
            AsymmetricKeyParameter workingPublicKey;
            X509Name workingIssuerName;

            X509Certificate sign = trust.TrustedCert;

            try
            {
                if (sign != null)
                {
                    workingIssuerName = sign.SubjectDN;
                    workingPublicKey  = sign.GetPublicKey();
                }
                else
                {
                    workingIssuerName = new X509Name(trust.CAName);
                    workingPublicKey  = trust.CAPublicKey;
                }
            }
            catch (ArgumentException ex)
            {
                throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath,
                                                         -1);
            }

            AlgorithmIdentifier workingAlgId = null;

            try
            {
                workingAlgId = PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
            }
            catch (PkixCertPathValidatorException e)
            {
                throw new PkixCertPathValidatorException(
                          "Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1);
            }

//			DerObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.ObjectID;
//			Asn1Encodable workingPublicKeyParameters = workingAlgId.Parameters;

            //
            // (k)
            //
            int maxPathLength = n;

            //
            // 6.1.3
            //

            X509CertStoreSelector certConstraints = paramsPkix.GetTargetCertConstraints();

            if (certConstraints != null && !certConstraints.Match((X509Certificate)certs[0]))
            {
                throw new PkixCertPathValidatorException(
                          "Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
            }

            //
            // initialize CertPathChecker's
            //
            IList pathCheckers = paramsPkix.GetCertPathCheckers();

            certIter = pathCheckers.GetEnumerator();

            while (certIter.MoveNext())
            {
                ((PkixCertPathChecker)certIter.Current).Init(false);
            }

            X509Certificate cert = null;

            for (index = certs.Count - 1; index >= 0; index--)
            {
                // try
                // {
                //
                // i as defined in the algorithm description
                //
                i = n - index;

                //
                // set certificate to be checked in this round
                // sign and workingPublicKey and workingIssuerName are set
                // at the end of the for loop and initialized the
                // first time from the TrustAnchor
                //
                cert = (X509Certificate)certs[index];

                //
                // 6.1.3
                //

                Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, index, workingPublicKey,
                                                      workingIssuerName, sign);

                Rfc3280CertPathUtilities.ProcessCertBC(certPath, index, nameConstraintValidator);

                validPolicyTree = Rfc3280CertPathUtilities.ProcessCertD(certPath, index,
                                                                        acceptablePolicies, validPolicyTree, policyNodes, inhibitAnyPolicy);

                validPolicyTree = Rfc3280CertPathUtilities.ProcessCertE(certPath, index, validPolicyTree);

                Rfc3280CertPathUtilities.ProcessCertF(certPath, index, validPolicyTree, explicitPolicy);

                //
                // 6.1.4
                //

                if (i != n)
                {
                    if (cert != null && cert.Version == 1)
                    {
                        throw new PkixCertPathValidatorException(
                                  "Version 1 certificates can't be used as CA ones.", null, certPath, index);
                    }

                    Rfc3280CertPathUtilities.PrepareNextCertA(certPath, index);

                    validPolicyTree = Rfc3280CertPathUtilities.PrepareCertB(certPath, index, policyNodes,
                                                                            validPolicyTree, policyMapping);

                    Rfc3280CertPathUtilities.PrepareNextCertG(certPath, index, nameConstraintValidator);

                    // (h)
                    explicitPolicy   = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, index, explicitPolicy);
                    policyMapping    = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, index, policyMapping);
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, index, inhibitAnyPolicy);

                    //
                    // (i)
                    //
                    explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, index, explicitPolicy);
                    policyMapping  = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, index, policyMapping);

                    // (j)
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, index, inhibitAnyPolicy);

                    // (k)
                    Rfc3280CertPathUtilities.PrepareNextCertK(certPath, index);

                    // (l)
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, index, maxPathLength);

                    // (m)
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, index, maxPathLength);

                    // (n)
                    Rfc3280CertPathUtilities.PrepareNextCertN(certPath, index);

                    ISet criticalExtensions1 = cert.GetCriticalExtensionOids();

                    if (criticalExtensions1 != null)
                    {
                        criticalExtensions1 = new HashSet(criticalExtensions1);

                        // these extensions are handled by the algorithm
                        criticalExtensions1.Remove(X509Extensions.KeyUsage.Id);
                        criticalExtensions1.Remove(X509Extensions.CertificatePolicies.Id);
                        criticalExtensions1.Remove(X509Extensions.PolicyMappings.Id);
                        criticalExtensions1.Remove(X509Extensions.InhibitAnyPolicy.Id);
                        criticalExtensions1.Remove(X509Extensions.IssuingDistributionPoint.Id);
                        criticalExtensions1.Remove(X509Extensions.DeltaCrlIndicator.Id);
                        criticalExtensions1.Remove(X509Extensions.PolicyConstraints.Id);
                        criticalExtensions1.Remove(X509Extensions.BasicConstraints.Id);
                        criticalExtensions1.Remove(X509Extensions.SubjectAlternativeName.Id);
                        criticalExtensions1.Remove(X509Extensions.NameConstraints.Id);
                    }
                    else
                    {
                        criticalExtensions1 = new HashSet();
                    }

                    // (o)
                    Rfc3280CertPathUtilities.PrepareNextCertO(certPath, index, criticalExtensions1, pathCheckers);

                    // set signing certificate for next round
                    sign = cert;

                    // (c)
                    workingIssuerName = sign.SubjectDN;

                    // (d)
                    try
                    {
                        workingPublicKey = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, index);
                    }
                    catch (PkixCertPathValidatorException e)
                    {
                        throw new PkixCertPathValidatorException("Next working key could not be retrieved.", e, certPath, index);
                    }

                    workingAlgId = PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
                    // (f)
//                    workingPublicKeyAlgorithm = workingAlgId.ObjectID;
                    // (e)
//                    workingPublicKeyParameters = workingAlgId.Parameters;
                }
            }

            //
            // 6.1.5 Wrap-up procedure
            //

            explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, cert);

            explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, index + 1, explicitPolicy);

            //
            // (c) (d) and (e) are already done
            //

            //
            // (f)
            //
            ISet criticalExtensions = cert.GetCriticalExtensionOids();

            if (criticalExtensions != null)
            {
                criticalExtensions = new HashSet(criticalExtensions);

                // Requires .Id
                // these extensions are handled by the algorithm
                criticalExtensions.Remove(X509Extensions.KeyUsage.Id);
                criticalExtensions.Remove(X509Extensions.CertificatePolicies.Id);
                criticalExtensions.Remove(X509Extensions.PolicyMappings.Id);
                criticalExtensions.Remove(X509Extensions.InhibitAnyPolicy.Id);
                criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id);
                criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id);
                criticalExtensions.Remove(X509Extensions.PolicyConstraints.Id);
                criticalExtensions.Remove(X509Extensions.BasicConstraints.Id);
                criticalExtensions.Remove(X509Extensions.SubjectAlternativeName.Id);
                criticalExtensions.Remove(X509Extensions.NameConstraints.Id);
                criticalExtensions.Remove(X509Extensions.CrlDistributionPoints.Id);
            }
            else
            {
                criticalExtensions = new HashSet();
            }

            Rfc3280CertPathUtilities.WrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions);

            PkixPolicyNode intersection = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, userInitialPolicySet,
                                                                               index + 1, policyNodes, validPolicyTree, acceptablePolicies);

            if ((explicitPolicy > 0) || (intersection != null))
            {
                return(new PkixCertPathValidatorResult(trust, intersection, cert.GetPublicKey()));
            }

            throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, index);
        }
Esempio n. 5
0
        public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters paramsPkix)
        {
            if (paramsPkix.GetTrustAnchors() == null)
            {
                throw new ArgumentException("trustAnchors is null, this is not allowed for certification path validation.", "parameters");
            }
            IList certificates = certPath.Certificates;
            int   count        = certificates.Count;

            if (certificates.Count == 0)
            {
                throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);
            }
            ISet        initialPolicies = paramsPkix.GetInitialPolicies();
            TrustAnchor trustAnchor;

            try
            {
                trustAnchor = PkixCertPathValidatorUtilities.FindTrustAnchor((X509Certificate)certificates[certificates.Count - 1], paramsPkix.GetTrustAnchors());
            }
            catch (Exception ex)
            {
                throw new PkixCertPathValidatorException(ex.Message, ex, certPath, certificates.Count - 1);
            }
            if (trustAnchor == null)
            {
                throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
            }
            int i = 0;

            IList[] array = new IList[count + 1];
            for (int j = 0; j < array.Length; j++)
            {
                array[j] = Platform.CreateArrayList();
            }
            ISet set = new HashSet();

            set.Add(Rfc3280CertPathUtilities.ANY_POLICY);
            PkixPolicyNode pkixPolicyNode = new PkixPolicyNode(Platform.CreateArrayList(), 0, set, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, false);

            array[0].Add(pkixPolicyNode);
            PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();
            ISet acceptablePolicies = new HashSet();
            int  num;

            if (paramsPkix.IsExplicitPolicyRequired)
            {
                num = 0;
            }
            else
            {
                num = count + 1;
            }
            int inhibitAnyPolicy;

            if (paramsPkix.IsAnyPolicyInhibited)
            {
                inhibitAnyPolicy = 0;
            }
            else
            {
                inhibitAnyPolicy = count + 1;
            }
            int policyMapping;

            if (paramsPkix.IsPolicyMappingInhibited)
            {
                policyMapping = 0;
            }
            else
            {
                policyMapping = count + 1;
            }
            X509Certificate        x509Certificate = trustAnchor.TrustedCert;
            X509Name               workingIssuerName;
            AsymmetricKeyParameter asymmetricKeyParameter;

            try
            {
                if (x509Certificate != null)
                {
                    workingIssuerName      = x509Certificate.SubjectDN;
                    asymmetricKeyParameter = x509Certificate.GetPublicKey();
                }
                else
                {
                    workingIssuerName      = new X509Name(trustAnchor.CAName);
                    asymmetricKeyParameter = trustAnchor.CAPublicKey;
                }
            }
            catch (ArgumentException cause)
            {
                throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", cause, certPath, -1);
            }
            try
            {
                PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter);
            }
            catch (PkixCertPathValidatorException cause2)
            {
                throw new PkixCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", cause2, certPath, -1);
            }
            int maxPathLength = count;
            X509CertStoreSelector targetCertConstraints = paramsPkix.GetTargetCertConstraints();

            if (targetCertConstraints != null && !targetCertConstraints.Match((X509Certificate)certificates[0]))
            {
                throw new PkixCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
            }
            IList       certPathCheckers = paramsPkix.GetCertPathCheckers();
            IEnumerator enumerator       = certPathCheckers.GetEnumerator();

            while (enumerator.MoveNext())
            {
                ((PkixCertPathChecker)enumerator.Current).Init(false);
            }
            X509Certificate x509Certificate2 = null;

            for (i = certificates.Count - 1; i >= 0; i--)
            {
                int num2 = count - i;
                x509Certificate2 = (X509Certificate)certificates[i];
                Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, i, asymmetricKeyParameter, workingIssuerName, x509Certificate);
                Rfc3280CertPathUtilities.ProcessCertBC(certPath, i, nameConstraintValidator);
                pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertD(certPath, i, acceptablePolicies, pkixPolicyNode, array, inhibitAnyPolicy);
                pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertE(certPath, i, pkixPolicyNode);
                Rfc3280CertPathUtilities.ProcessCertF(certPath, i, pkixPolicyNode, num);
                if (num2 != count)
                {
                    if (x509Certificate2 != null && x509Certificate2.Version == 1)
                    {
                        throw new PkixCertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, certPath, i);
                    }
                    Rfc3280CertPathUtilities.PrepareNextCertA(certPath, i);
                    pkixPolicyNode = Rfc3280CertPathUtilities.PrepareCertB(certPath, i, array, pkixPolicyNode, policyMapping);
                    Rfc3280CertPathUtilities.PrepareNextCertG(certPath, i, nameConstraintValidator);
                    num              = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, i, num);
                    policyMapping    = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, i, policyMapping);
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, i, inhibitAnyPolicy);
                    num              = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, i, num);
                    policyMapping    = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, i, policyMapping);
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, i, inhibitAnyPolicy);
                    Rfc3280CertPathUtilities.PrepareNextCertK(certPath, i);
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, i, maxPathLength);
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, i, maxPathLength);
                    Rfc3280CertPathUtilities.PrepareNextCertN(certPath, i);
                    ISet set2 = x509Certificate2.GetCriticalExtensionOids();
                    if (set2 != null)
                    {
                        set2 = new HashSet(set2);
                        set2.Remove(X509Extensions.KeyUsage.Id);
                        set2.Remove(X509Extensions.CertificatePolicies.Id);
                        set2.Remove(X509Extensions.PolicyMappings.Id);
                        set2.Remove(X509Extensions.InhibitAnyPolicy.Id);
                        set2.Remove(X509Extensions.IssuingDistributionPoint.Id);
                        set2.Remove(X509Extensions.DeltaCrlIndicator.Id);
                        set2.Remove(X509Extensions.PolicyConstraints.Id);
                        set2.Remove(X509Extensions.BasicConstraints.Id);
                        set2.Remove(X509Extensions.SubjectAlternativeName.Id);
                        set2.Remove(X509Extensions.NameConstraints.Id);
                    }
                    else
                    {
                        set2 = new HashSet();
                    }
                    Rfc3280CertPathUtilities.PrepareNextCertO(certPath, i, set2, certPathCheckers);
                    x509Certificate   = x509Certificate2;
                    workingIssuerName = x509Certificate.SubjectDN;
                    try
                    {
                        asymmetricKeyParameter = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, i);
                    }
                    catch (PkixCertPathValidatorException cause3)
                    {
                        throw new PkixCertPathValidatorException("Next working key could not be retrieved.", cause3, certPath, i);
                    }
                    PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter);
                }
            }
            num = Rfc3280CertPathUtilities.WrapupCertA(num, x509Certificate2);
            num = Rfc3280CertPathUtilities.WrapupCertB(certPath, i + 1, num);
            ISet set3 = x509Certificate2.GetCriticalExtensionOids();

            if (set3 != null)
            {
                set3 = new HashSet(set3);
                set3.Remove(X509Extensions.KeyUsage.Id);
                set3.Remove(X509Extensions.CertificatePolicies.Id);
                set3.Remove(X509Extensions.PolicyMappings.Id);
                set3.Remove(X509Extensions.InhibitAnyPolicy.Id);
                set3.Remove(X509Extensions.IssuingDistributionPoint.Id);
                set3.Remove(X509Extensions.DeltaCrlIndicator.Id);
                set3.Remove(X509Extensions.PolicyConstraints.Id);
                set3.Remove(X509Extensions.BasicConstraints.Id);
                set3.Remove(X509Extensions.SubjectAlternativeName.Id);
                set3.Remove(X509Extensions.NameConstraints.Id);
                set3.Remove(X509Extensions.CrlDistributionPoints.Id);
            }
            else
            {
                set3 = new HashSet();
            }
            Rfc3280CertPathUtilities.WrapupCertF(certPath, i + 1, certPathCheckers, set3);
            PkixPolicyNode pkixPolicyNode2 = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, initialPolicies, i + 1, array, pkixPolicyNode, acceptablePolicies);

            if (num > 0 || pkixPolicyNode2 != null)
            {
                return(new PkixCertPathValidatorResult(trustAnchor, pkixPolicyNode2, x509Certificate2.GetPublicKey()));
            }
            throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, i);
        }
Esempio n. 6
0
        /**
         * Tests byte array based GeneralNames for inclusion or exclusion.
         *
         * @param nameType The {@link GeneralName} type to test.
         * @param testName The name to test.
         * @param testNameIsConstraint The names where <code>testName</code> must
         *            be included and excluded.
         * @param testNameIsNotConstraint The names where <code>testName</code>
         *            must not be excluded and included.
         * @param testNames1 Operand 1 of test names to use for union and
         *            intersection testing.
         * @param testNames2 Operand 2 of test names to use for union and
         *            intersection testing.
         * @param testUnion The union results.
         * @param testInterSection The intersection results.
         * @throws Exception If an unexpected exception occurs.
         */
        private void TestConstraints(
            int nameType,
            byte[] testName,
            byte[][] testNameIsConstraint,
            byte[][] testNameIsNotConstraint,
            byte[][] testNames1,
            byte[][] testNames2,
            byte[][][] testUnion,
            byte[][] testInterSection)
        {
            for (int i = 0; i < testNameIsConstraint.Length; i++)
            {
                PkixNameConstraintValidator constraintValidator = new PkixNameConstraintValidator();
                constraintValidator.IntersectPermittedSubtree(new DerSequence(new GeneralSubtree(
                                                                                  new GeneralName(nameType, new DerOctetString(
                                                                                                      testNameIsConstraint[i])))));
                constraintValidator.checkPermitted(new GeneralName(nameType,
                                                                   new DerOctetString(testName)));
            }
            for (int i = 0; i < testNameIsNotConstraint.Length; i++)
            {
                PkixNameConstraintValidator constraintValidator = new PkixNameConstraintValidator();
                constraintValidator.IntersectPermittedSubtree(new DerSequence(new GeneralSubtree(
                                                                                  new GeneralName(nameType, new DerOctetString(
                                                                                                      testNameIsNotConstraint[i])))));
                try
                {
                    constraintValidator.checkPermitted(new GeneralName(nameType,
                                                                       new DerOctetString(testName)));
                    Fail("not permitted name allowed: " + nameType);
                }
                catch (PkixNameConstraintValidatorException)
                {
                    // expected
                }
            }
            for (int i = 0; i < testNameIsConstraint.Length; i++)
            {
                PkixNameConstraintValidator constraintValidator = new PkixNameConstraintValidator();
                constraintValidator.AddExcludedSubtree(new GeneralSubtree(new GeneralName(
                                                                              nameType, new DerOctetString(testNameIsConstraint[i]))));
                try
                {
                    constraintValidator.checkExcluded(new GeneralName(nameType,
                                                                      new DerOctetString(testName)));
                    Fail("excluded name missed: " + nameType);
                }
                catch (PkixNameConstraintValidatorException)
                {
                    // expected
                }
            }
            for (int i = 0; i < testNameIsNotConstraint.Length; i++)
            {
                PkixNameConstraintValidator constraintValidator = new PkixNameConstraintValidator();
                constraintValidator.AddExcludedSubtree(new GeneralSubtree(new GeneralName(
                                                                              nameType, new DerOctetString(testNameIsNotConstraint[i]))));
                constraintValidator.checkExcluded(new GeneralName(nameType,
                                                                  new DerOctetString(testName)));
            }
            for (int i = 0; i < testNames1.Length; i++)
            {
                PkixNameConstraintValidator constraintValidator = new PkixNameConstraintValidator();
                constraintValidator.AddExcludedSubtree(new GeneralSubtree(new GeneralName(
                                                                              nameType, new DerOctetString(testNames1[i]))));
                constraintValidator.AddExcludedSubtree(new GeneralSubtree(new GeneralName(
                                                                              nameType, new DerOctetString(testNames2[i]))));
                PkixNameConstraintValidator constraints2 = new PkixNameConstraintValidator();
                for (int j = 0; j < testUnion[i].Length; j++)
                {
                    constraints2.AddExcludedSubtree(new GeneralSubtree(
                                                        new GeneralName(nameType, new DerOctetString(
                                                                            testUnion[i][j]))));
                }
                if (!constraints2.Equals(constraintValidator))
                {
                    Fail("union wrong: " + nameType);
                }
                constraintValidator = new PkixNameConstraintValidator();
                constraintValidator.IntersectPermittedSubtree(new DerSequence(new GeneralSubtree(
                                                                                  new GeneralName(nameType, new DerOctetString(testNames1[i])))));
                constraintValidator.IntersectPermittedSubtree(new DerSequence(new GeneralSubtree(
                                                                                  new GeneralName(nameType, new DerOctetString(testNames2[i])))));
                constraints2 = new PkixNameConstraintValidator();
                if (testInterSection[i] != null)
                {
                    constraints2.IntersectPermittedSubtree(new DerSequence(new GeneralSubtree(
                                                                               new GeneralName(nameType, new DerOctetString(
                                                                                                   testInterSection[i])))));
                }
                else
                {
                    constraints2.IntersectEmptyPermittedSubtree(nameType);
                }

                if (!constraints2.Equals(constraintValidator))
                {
                    Fail("intersection wrong: " + nameType);
                }
            }
        }
Esempio n. 7
0
        public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters paramsPkix)
        {
            //IL_0012: Unknown result type (might be due to invalid IL or missing references)
            //IL_0170: Expected O, but got Unknown
            if (paramsPkix.GetTrustAnchors() == null)
            {
                throw new ArgumentException("trustAnchors is null, this is not allowed for certification path validation.", "parameters");
            }
            global::System.Collections.IList certificates = certPath.Certificates;
            int count = ((global::System.Collections.ICollection)certificates).get_Count();

            if (((global::System.Collections.ICollection)certificates).get_Count() == 0)
            {
                throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);
            }
            ISet        initialPolicies = paramsPkix.GetInitialPolicies();
            TrustAnchor trustAnchor;

            try
            {
                trustAnchor = PkixCertPathValidatorUtilities.FindTrustAnchor((X509Certificate)certificates.get_Item(((global::System.Collections.ICollection)certificates).get_Count() - 1), paramsPkix.GetTrustAnchors());
            }
            catch (global::System.Exception ex)
            {
                throw new PkixCertPathValidatorException(ex.get_Message(), ex, certPath, ((global::System.Collections.ICollection)certificates).get_Count() - 1);
            }
            if (trustAnchor == null)
            {
                throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
            }
            int num = 0;

            global::System.Collections.IList[] array = new global::System.Collections.IList[count + 1];
            for (int i = 0; i < array.Length; i++)
            {
                array[i] = Platform.CreateArrayList();
            }
            ISet set = new HashSet();

            set.Add(Rfc3280CertPathUtilities.ANY_POLICY);
            PkixPolicyNode pkixPolicyNode = new PkixPolicyNode(Platform.CreateArrayList(), 0, set, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, critical: false);

            array[0].Add((object)pkixPolicyNode);
            PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();
            ISet                   acceptablePolicies           = new HashSet();
            int                    explicitPolicy   = ((!paramsPkix.IsExplicitPolicyRequired) ? (count + 1) : 0);
            int                    inhibitAnyPolicy = ((!paramsPkix.IsAnyPolicyInhibited) ? (count + 1) : 0);
            int                    policyMapping    = ((!paramsPkix.IsPolicyMappingInhibited) ? (count + 1) : 0);
            X509Certificate        x509Certificate  = trustAnchor.TrustedCert;
            X509Name               workingIssuerName;
            AsymmetricKeyParameter asymmetricKeyParameter;

            try
            {
                if (x509Certificate != null)
                {
                    workingIssuerName      = x509Certificate.SubjectDN;
                    asymmetricKeyParameter = x509Certificate.GetPublicKey();
                }
                else
                {
                    workingIssuerName      = new X509Name(trustAnchor.CAName);
                    asymmetricKeyParameter = trustAnchor.CAPublicKey;
                }
            }
            catch (ArgumentException val)
            {
                ArgumentException cause = val;
                throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", (global::System.Exception)(object) cause, certPath, -1);
            }
            try
            {
                PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter);
            }
            catch (PkixCertPathValidatorException cause2)
            {
                throw new PkixCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", cause2, certPath, -1);
            }
            int maxPathLength = count;
            X509CertStoreSelector targetCertConstraints = paramsPkix.GetTargetCertConstraints();

            if (targetCertConstraints != null && !targetCertConstraints.Match((X509Certificate)certificates.get_Item(0)))
            {
                throw new PkixCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
            }
            global::System.Collections.IList       certPathCheckers = paramsPkix.GetCertPathCheckers();
            global::System.Collections.IEnumerator enumerator       = ((global::System.Collections.IEnumerable)certPathCheckers).GetEnumerator();
            while (enumerator.MoveNext())
            {
                ((PkixCertPathChecker)enumerator.get_Current()).Init(forward: false);
            }
            X509Certificate x509Certificate2 = null;

            for (num = ((global::System.Collections.ICollection)certificates).get_Count() - 1; num >= 0; num--)
            {
                int num2 = count - num;
                x509Certificate2 = (X509Certificate)certificates.get_Item(num);
                Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, num, asymmetricKeyParameter, workingIssuerName, x509Certificate);
                Rfc3280CertPathUtilities.ProcessCertBC(certPath, num, nameConstraintValidator);
                pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertD(certPath, num, acceptablePolicies, pkixPolicyNode, array, inhibitAnyPolicy);
                pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertE(certPath, num, pkixPolicyNode);
                Rfc3280CertPathUtilities.ProcessCertF(certPath, num, pkixPolicyNode, explicitPolicy);
                if (num2 != count)
                {
                    if (x509Certificate2 != null && x509Certificate2.Version == 1)
                    {
                        throw new PkixCertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, certPath, num);
                    }
                    Rfc3280CertPathUtilities.PrepareNextCertA(certPath, num);
                    pkixPolicyNode = Rfc3280CertPathUtilities.PrepareCertB(certPath, num, array, pkixPolicyNode, policyMapping);
                    Rfc3280CertPathUtilities.PrepareNextCertG(certPath, num, nameConstraintValidator);
                    explicitPolicy   = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, num, explicitPolicy);
                    policyMapping    = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, num, policyMapping);
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, num, inhibitAnyPolicy);
                    explicitPolicy   = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, num, explicitPolicy);
                    policyMapping    = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, num, policyMapping);
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, num, inhibitAnyPolicy);
                    Rfc3280CertPathUtilities.PrepareNextCertK(certPath, num);
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, num, maxPathLength);
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, num, maxPathLength);
                    Rfc3280CertPathUtilities.PrepareNextCertN(certPath, num);
                    ISet criticalExtensionOids = x509Certificate2.GetCriticalExtensionOids();
                    if (criticalExtensionOids != null)
                    {
                        criticalExtensionOids = new HashSet(criticalExtensionOids);
                        criticalExtensionOids.Remove(X509Extensions.KeyUsage.Id);
                        criticalExtensionOids.Remove(X509Extensions.CertificatePolicies.Id);
                        criticalExtensionOids.Remove(X509Extensions.PolicyMappings.Id);
                        criticalExtensionOids.Remove(X509Extensions.InhibitAnyPolicy.Id);
                        criticalExtensionOids.Remove(X509Extensions.IssuingDistributionPoint.Id);
                        criticalExtensionOids.Remove(X509Extensions.DeltaCrlIndicator.Id);
                        criticalExtensionOids.Remove(X509Extensions.PolicyConstraints.Id);
                        criticalExtensionOids.Remove(X509Extensions.BasicConstraints.Id);
                        criticalExtensionOids.Remove(X509Extensions.SubjectAlternativeName.Id);
                        criticalExtensionOids.Remove(X509Extensions.NameConstraints.Id);
                    }
                    else
                    {
                        criticalExtensionOids = new HashSet();
                    }
                    Rfc3280CertPathUtilities.PrepareNextCertO(certPath, num, criticalExtensionOids, certPathCheckers);
                    x509Certificate   = x509Certificate2;
                    workingIssuerName = x509Certificate.SubjectDN;
                    try
                    {
                        asymmetricKeyParameter = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, num);
                    }
                    catch (PkixCertPathValidatorException cause3)
                    {
                        throw new PkixCertPathValidatorException("Next working key could not be retrieved.", cause3, certPath, num);
                    }
                    PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter);
                }
            }
            explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, x509Certificate2);
            explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, num + 1, explicitPolicy);
            ISet criticalExtensionOids2 = x509Certificate2.GetCriticalExtensionOids();

            if (criticalExtensionOids2 != null)
            {
                criticalExtensionOids2 = new HashSet(criticalExtensionOids2);
                criticalExtensionOids2.Remove(X509Extensions.KeyUsage.Id);
                criticalExtensionOids2.Remove(X509Extensions.CertificatePolicies.Id);
                criticalExtensionOids2.Remove(X509Extensions.PolicyMappings.Id);
                criticalExtensionOids2.Remove(X509Extensions.InhibitAnyPolicy.Id);
                criticalExtensionOids2.Remove(X509Extensions.IssuingDistributionPoint.Id);
                criticalExtensionOids2.Remove(X509Extensions.DeltaCrlIndicator.Id);
                criticalExtensionOids2.Remove(X509Extensions.PolicyConstraints.Id);
                criticalExtensionOids2.Remove(X509Extensions.BasicConstraints.Id);
                criticalExtensionOids2.Remove(X509Extensions.SubjectAlternativeName.Id);
                criticalExtensionOids2.Remove(X509Extensions.NameConstraints.Id);
                criticalExtensionOids2.Remove(X509Extensions.CrlDistributionPoints.Id);
            }
            else
            {
                criticalExtensionOids2 = new HashSet();
            }
            Rfc3280CertPathUtilities.WrapupCertF(certPath, num + 1, certPathCheckers, criticalExtensionOids2);
            PkixPolicyNode pkixPolicyNode2 = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, initialPolicies, num + 1, array, pkixPolicyNode, acceptablePolicies);

            if (explicitPolicy > 0 || pkixPolicyNode2 != null)
            {
                return(new PkixCertPathValidatorResult(trustAnchor, pkixPolicyNode2, x509Certificate2.GetPublicKey()));
            }
            throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, num);
        }