Esempio n. 1
0
        internal static PkixPolicyNode RemovePolicyNode(
            PkixPolicyNode validPolicyTree,
            IList[] policyNodes,
            PkixPolicyNode _node)
        {
            PkixPolicyNode _parent = (PkixPolicyNode)_node.Parent;

            if (validPolicyTree == null)
            {
                return(null);
            }

            if (_parent == null)
            {
                for (int j = 0; j < policyNodes.Length; j++)
                {
                    policyNodes[j] = BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.CreateArrayList();
                }

                return(null);
            }
            else
            {
                _parent.RemoveChild(_node);
                RemovePolicyNodeRecurse(policyNodes, _node);

                return(validPolicyTree);
            }
        }
Esempio n. 2
0
        internal static bool ProcessCertD1i(
            int index,
            IList[]                         policyNodes,
            DerObjectIdentifier pOid,
            ISet pq)
        {
            IList policyNodeVec = policyNodes[index - 1];

            for (int j = 0; j < policyNodeVec.Count; j++)
            {
                PkixPolicyNode node             = (PkixPolicyNode)policyNodeVec[j];
                ISet           expectedPolicies = node.ExpectedPolicies;

                if (expectedPolicies.Contains(pOid.Id))
                {
                    ISet childExpectedPolicies = new HashSet();
                    childExpectedPolicies.Add(pOid.Id);

                    PkixPolicyNode child = new PkixPolicyNode(BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.CreateArrayList(),
                                                              index,
                                                              childExpectedPolicies,
                                                              node,
                                                              pq,
                                                              pOid.Id,
                                                              false);
                    node.AddChild(child);
                    policyNodes[index].Add(child);

                    return(true);
                }
            }

            return(false);
        }
Esempio n. 3
0
        internal static void ProcessCertD1ii(
            int index,
            IList[]                         policyNodes,
            DerObjectIdentifier _poid,
            ISet _pq)
        {
            IList policyNodeVec = policyNodes[index - 1];

            for (int j = 0; j < policyNodeVec.Count; j++)
            {
                PkixPolicyNode _node = (PkixPolicyNode)policyNodeVec[j];

                if (ANY_POLICY.Equals(_node.ValidPolicy))
                {
                    ISet _childExpectedPolicies = new HashSet();
                    _childExpectedPolicies.Add(_poid.Id);

                    PkixPolicyNode _child = new PkixPolicyNode(BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.CreateArrayList(),
                                                               index,
                                                               _childExpectedPolicies,
                                                               _node,
                                                               _pq,
                                                               _poid.Id,
                                                               false);
                    _node.AddChild(_child);
                    policyNodes[index].Add(_child);
                    return;
                }
            }
        }
Esempio n. 4
0
        /// Constructors
        public PkixPolicyNode(
            IList children,
            int depth,
            ISet expectedPolicies,
            PkixPolicyNode parent,
            ISet policyQualifiers,
            string validPolicy,
            bool critical)
        {
            if (children == null)
            {
                this.mChildren = BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.CreateArrayList();
            }
            else
            {
                this.mChildren = BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.CreateArrayList(children);
            }

            this.mDepth            = depth;
            this.mExpectedPolicies = expectedPolicies;
            this.mParent           = parent;
            this.mPolicyQualifiers = policyQualifiers;
            this.mValidPolicy      = validPolicy;
            this.mCritical         = critical;
        }
Esempio n. 5
0
        private static void RemovePolicyNodeRecurse(IList[] policyNodes, PkixPolicyNode _node)
        {
            policyNodes[_node.Depth].Remove(_node);

            if (_node.HasChildren)
            {
                foreach (PkixPolicyNode _child in _node.Children)
                {
                    RemovePolicyNodeRecurse(policyNodes, _child);
                }
            }
        }
Esempio n. 6
0
        public PkixCertPathBuilderResult(
            PkixCertPath certPath,
            TrustAnchor trustAnchor,
            PkixPolicyNode policyTree,
            AsymmetricKeyParameter subjectPublicKey)
            : base(trustAnchor, policyTree, subjectPublicKey)
        {
            if (certPath == null)
            {
                throw new ArgumentNullException("certPath");
            }

            this.certPath = certPath;
        }
Esempio n. 7
0
        public PkixCertPathValidatorResult(
            TrustAnchor trustAnchor,
            PkixPolicyNode policyTree,
            AsymmetricKeyParameter subjectPublicKey)
        {
            if (subjectPublicKey == null)
            {
                throw new NullReferenceException("subjectPublicKey must be non-null");
            }
            if (trustAnchor == null)
            {
                throw new NullReferenceException("trustAnchor must be non-null");
            }

            this.trustAnchor      = trustAnchor;
            this.policyTree       = policyTree;
            this.subjectPublicKey = subjectPublicKey;
        }
Esempio n. 8
0
        internal static PkixPolicyNode PrepareNextCertB2(
            int i,
            IList[]                 policyNodes,
            string id_p,
            PkixPolicyNode validPolicyTree)
        {
            int pos = 0;

            // Copy to avoid RemoveAt calls interfering with enumeration
            foreach (PkixPolicyNode node in BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.CreateArrayList(policyNodes[i]))
            {
                if (node.ValidPolicy.Equals(id_p))
                {
                    PkixPolicyNode p_node = (PkixPolicyNode)node.Parent;
                    p_node.RemoveChild(node);

                    // Removal of element at current iterator position not supported in C#
                    //nodes_i.remove();
                    policyNodes[i].RemoveAt(pos);

                    for (int k = (i - 1); k >= 0; k--)
                    {
                        IList nodes = policyNodes[k];
                        for (int l = 0; l < nodes.Count; l++)
                        {
                            PkixPolicyNode node2 = (PkixPolicyNode)nodes[l];
                            if (!node2.HasChildren)
                            {
                                validPolicyTree = RemovePolicyNode(validPolicyTree, policyNodes, node2);
                                if (validPolicyTree == null)
                                {
                                    break;
                                }
                            }
                        }
                    }
                }
                else
                {
                    ++pos;
                }
            }
            return(validPolicyTree);
        }
Esempio n. 9
0
        public virtual PkixPolicyNode Copy()
        {
            PkixPolicyNode node = new PkixPolicyNode(
                BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.CreateArrayList(),
                mDepth,
                new HashSet(mExpectedPolicies),
                null,
                new HashSet(mPolicyQualifiers),
                mValidPolicy,
                mCritical);

            foreach (PkixPolicyNode child in mChildren)
            {
                PkixPolicyNode copy = child.Copy();
                copy.Parent = node;
                node.AddChild(copy);
            }

            return(node);
        }
Esempio n. 10
0
        public virtual PkixCertPathValidatorResult Validate(
            PkixCertPath certPath,
            PkixParameters paramsPkix)
        {
            if (paramsPkix.GetTrustAnchors() == null)
            {
                throw new ArgumentException(
                          "trustAnchors is null, this is not allowed for certification path validation.",
                          "parameters");
            }

            //
            // 6.1.1 - inputs
            //

            //
            // (a)
            //
            IList certs = certPath.Certificates;
            int   n     = certs.Count;

            if (certs.Count == 0)
            {
                throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);
            }

            //
            // (b)
            //
            // DateTime validDate = PkixCertPathValidatorUtilities.GetValidDate(paramsPkix);

            //
            // (c)
            //
            ISet userInitialPolicySet = paramsPkix.GetInitialPolicies();

            //
            // (d)
            //
            TrustAnchor trust;

            try
            {
                trust = PkixCertPathValidatorUtilities.FindTrustAnchor(
                    (X509Certificate)certs[certs.Count - 1],
                    paramsPkix.GetTrustAnchors());

                if (trust == null)
                {
                    throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
                }

                CheckCertificate(trust.TrustedCert);
            }
            catch (Exception e)
            {
                throw new PkixCertPathValidatorException(e.Message, e.InnerException, certPath, certs.Count - 1);
            }

            //
            // (e), (f), (g) are part of the paramsPkix object.
            //
            IEnumerator certIter;
            int         index = 0;
            int         i;

            // Certificate for each interation of the validation loop
            // Signature information for each iteration of the validation loop
            //
            // 6.1.2 - setup
            //

            //
            // (a)
            //
            IList[] policyNodes = new IList[n + 1];
            for (int j = 0; j < policyNodes.Length; j++)
            {
                policyNodes[j] = BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.CreateArrayList();
            }

            ISet policySet = new HashSet();

            policySet.Add(Rfc3280CertPathUtilities.ANY_POLICY);

            PkixPolicyNode validPolicyTree = new PkixPolicyNode(BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.CreateArrayList(), 0, policySet, null, new HashSet(),
                                                                Rfc3280CertPathUtilities.ANY_POLICY, false);

            policyNodes[0].Add(validPolicyTree);

            //
            // (b) and (c)
            //
            PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();

            // (d)
            //
            int  explicitPolicy;
            ISet acceptablePolicies = new HashSet();

            if (paramsPkix.IsExplicitPolicyRequired)
            {
                explicitPolicy = 0;
            }
            else
            {
                explicitPolicy = n + 1;
            }

            //
            // (e)
            //
            int inhibitAnyPolicy;

            if (paramsPkix.IsAnyPolicyInhibited)
            {
                inhibitAnyPolicy = 0;
            }
            else
            {
                inhibitAnyPolicy = n + 1;
            }

            //
            // (f)
            //
            int policyMapping;

            if (paramsPkix.IsPolicyMappingInhibited)
            {
                policyMapping = 0;
            }
            else
            {
                policyMapping = n + 1;
            }

            //
            // (g), (h), (i), (j)
            //
            AsymmetricKeyParameter workingPublicKey;
            X509Name workingIssuerName;

            X509Certificate sign = trust.TrustedCert;

            try
            {
                if (sign != null)
                {
                    workingIssuerName = sign.SubjectDN;
                    workingPublicKey  = sign.GetPublicKey();
                }
                else
                {
                    workingIssuerName = new X509Name(trust.CAName);
                    workingPublicKey  = trust.CAPublicKey;
                }
            }
            catch (ArgumentException ex)
            {
                throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath,
                                                         -1);
            }

            AlgorithmIdentifier workingAlgId = null;

            try
            {
                workingAlgId = PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
            }
            catch (PkixCertPathValidatorException e)
            {
                throw new PkixCertPathValidatorException(
                          "Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1);
            }

//			DerObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.Algorithm;
//			Asn1Encodable workingPublicKeyParameters = workingAlgId.Parameters;

            //
            // (k)
            //
            int maxPathLength = n;

            //
            // 6.1.3
            //

            X509CertStoreSelector certConstraints = paramsPkix.GetTargetCertConstraints();

            if (certConstraints != null && !certConstraints.Match((X509Certificate)certs[0]))
            {
                throw new PkixCertPathValidatorException(
                          "Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
            }

            //
            // initialize CertPathChecker's
            //
            IList pathCheckers = paramsPkix.GetCertPathCheckers();

            certIter = pathCheckers.GetEnumerator();

            while (certIter.MoveNext())
            {
                ((PkixCertPathChecker)certIter.Current).Init(false);
            }

            X509Certificate cert = null;

            for (index = certs.Count - 1; index >= 0; index--)
            {
                // try
                // {
                //
                // i as defined in the algorithm description
                //
                i = n - index;

                //
                // set certificate to be checked in this round
                // sign and workingPublicKey and workingIssuerName are set
                // at the end of the for loop and initialized the
                // first time from the TrustAnchor
                //
                cert = (X509Certificate)certs[index];

                try
                {
                    CheckCertificate(cert);
                }
                catch (Exception e)
                {
                    throw new PkixCertPathValidatorException(e.Message, e.InnerException, certPath, index);
                }

                //
                // 6.1.3
                //

                Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, index, workingPublicKey,
                                                      workingIssuerName, sign);

                Rfc3280CertPathUtilities.ProcessCertBC(certPath, index, nameConstraintValidator);

                validPolicyTree = Rfc3280CertPathUtilities.ProcessCertD(certPath, index,
                                                                        acceptablePolicies, validPolicyTree, policyNodes, inhibitAnyPolicy);

                validPolicyTree = Rfc3280CertPathUtilities.ProcessCertE(certPath, index, validPolicyTree);

                Rfc3280CertPathUtilities.ProcessCertF(certPath, index, validPolicyTree, explicitPolicy);

                //
                // 6.1.4
                //

                if (i != n)
                {
                    if (cert != null && cert.Version == 1)
                    {
                        // we've found the trust anchor at the top of the path, ignore and keep going
                        if ((i == 1) && cert.Equals(trust.TrustedCert))
                        {
                            continue;
                        }

                        throw new PkixCertPathValidatorException(
                                  "Version 1 certificates can't be used as CA ones.", null, certPath, index);
                    }

                    Rfc3280CertPathUtilities.PrepareNextCertA(certPath, index);

                    validPolicyTree = Rfc3280CertPathUtilities.PrepareCertB(certPath, index, policyNodes,
                                                                            validPolicyTree, policyMapping);

                    Rfc3280CertPathUtilities.PrepareNextCertG(certPath, index, nameConstraintValidator);

                    // (h)
                    explicitPolicy   = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, index, explicitPolicy);
                    policyMapping    = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, index, policyMapping);
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, index, inhibitAnyPolicy);

                    //
                    // (i)
                    //
                    explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, index, explicitPolicy);
                    policyMapping  = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, index, policyMapping);

                    // (j)
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, index, inhibitAnyPolicy);

                    // (k)
                    Rfc3280CertPathUtilities.PrepareNextCertK(certPath, index);

                    // (l)
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, index, maxPathLength);

                    // (m)
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, index, maxPathLength);

                    // (n)
                    Rfc3280CertPathUtilities.PrepareNextCertN(certPath, index);

                    ISet criticalExtensions1 = cert.GetCriticalExtensionOids();

                    if (criticalExtensions1 != null)
                    {
                        criticalExtensions1 = new HashSet(criticalExtensions1);

                        // these extensions are handled by the algorithm
                        criticalExtensions1.Remove(X509Extensions.KeyUsage.Id);
                        criticalExtensions1.Remove(X509Extensions.CertificatePolicies.Id);
                        criticalExtensions1.Remove(X509Extensions.PolicyMappings.Id);
                        criticalExtensions1.Remove(X509Extensions.InhibitAnyPolicy.Id);
                        criticalExtensions1.Remove(X509Extensions.IssuingDistributionPoint.Id);
                        criticalExtensions1.Remove(X509Extensions.DeltaCrlIndicator.Id);
                        criticalExtensions1.Remove(X509Extensions.PolicyConstraints.Id);
                        criticalExtensions1.Remove(X509Extensions.BasicConstraints.Id);
                        criticalExtensions1.Remove(X509Extensions.SubjectAlternativeName.Id);
                        criticalExtensions1.Remove(X509Extensions.NameConstraints.Id);
                    }
                    else
                    {
                        criticalExtensions1 = new HashSet();
                    }

                    // (o)
                    Rfc3280CertPathUtilities.PrepareNextCertO(certPath, index, criticalExtensions1, pathCheckers);

                    // set signing certificate for next round
                    sign = cert;

                    // (c)
                    workingIssuerName = sign.SubjectDN;

                    // (d)
                    try
                    {
                        workingPublicKey = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, index);
                    }
                    catch (PkixCertPathValidatorException e)
                    {
                        throw new PkixCertPathValidatorException("Next working key could not be retrieved.", e, certPath, index);
                    }

                    workingAlgId = PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
                    // (f)
//                    workingPublicKeyAlgorithm = workingAlgId.Algorithm;
                    // (e)
//                    workingPublicKeyParameters = workingAlgId.Parameters;
                }
            }

            //
            // 6.1.5 Wrap-up procedure
            //

            explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, cert);

            explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, index + 1, explicitPolicy);

            //
            // (c) (d) and (e) are already done
            //

            //
            // (f)
            //
            ISet criticalExtensions = cert.GetCriticalExtensionOids();

            if (criticalExtensions != null)
            {
                criticalExtensions = new HashSet(criticalExtensions);

                // Requires .Id
                // these extensions are handled by the algorithm
                criticalExtensions.Remove(X509Extensions.KeyUsage.Id);
                criticalExtensions.Remove(X509Extensions.CertificatePolicies.Id);
                criticalExtensions.Remove(X509Extensions.PolicyMappings.Id);
                criticalExtensions.Remove(X509Extensions.InhibitAnyPolicy.Id);
                criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id);
                criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id);
                criticalExtensions.Remove(X509Extensions.PolicyConstraints.Id);
                criticalExtensions.Remove(X509Extensions.BasicConstraints.Id);
                criticalExtensions.Remove(X509Extensions.SubjectAlternativeName.Id);
                criticalExtensions.Remove(X509Extensions.NameConstraints.Id);
                criticalExtensions.Remove(X509Extensions.CrlDistributionPoints.Id);
            }
            else
            {
                criticalExtensions = new HashSet();
            }

            Rfc3280CertPathUtilities.WrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions);

            PkixPolicyNode intersection = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, userInitialPolicySet,
                                                                               index + 1, policyNodes, validPolicyTree, acceptablePolicies);

            if ((explicitPolicy > 0) || (intersection != null))
            {
                return(new PkixCertPathValidatorResult(trust, intersection, cert.GetPublicKey()));
            }

            throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, index);
        }
Esempio n. 11
0
        internal static void PrepareNextCertB1(
            int i,
            IList[] policyNodes,
            string id_p,
            IDictionary m_idp,
            X509Certificate cert)
        {
            bool        idp_found = false;
            IEnumerator nodes_i   = policyNodes[i].GetEnumerator();

            while (nodes_i.MoveNext())
            {
                PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current;
                if (node.ValidPolicy.Equals(id_p))
                {
                    idp_found             = true;
                    node.ExpectedPolicies = (ISet)m_idp[id_p];
                    break;
                }
            }

            if (!idp_found)
            {
                nodes_i = policyNodes[i].GetEnumerator();
                while (nodes_i.MoveNext())
                {
                    PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current;
                    if (ANY_POLICY.Equals(node.ValidPolicy))
                    {
                        ISet         pq       = null;
                        Asn1Sequence policies = null;
                        try
                        {
                            policies = DerSequence.GetInstance(GetExtensionValue(cert, X509Extensions.CertificatePolicies));
                        }
                        catch (Exception e)
                        {
                            throw new Exception("Certificate policies cannot be decoded.", e);
                        }

                        IEnumerator enm = policies.GetEnumerator();
                        while (enm.MoveNext())
                        {
                            PolicyInformation pinfo = null;

                            try
                            {
                                pinfo = PolicyInformation.GetInstance(enm.Current);
                            }
                            catch (Exception ex)
                            {
                                throw new Exception("Policy information cannot be decoded.", ex);
                            }

                            if (ANY_POLICY.Equals(pinfo.PolicyIdentifier.Id))
                            {
                                try
                                {
                                    pq = GetQualifierSet(pinfo.PolicyQualifiers);
                                }
                                catch (PkixCertPathValidatorException ex)
                                {
                                    throw new PkixCertPathValidatorException(
                                              "Policy qualifier info set could not be built.", ex);
                                }
                                break;
                            }
                        }
                        bool ci          = false;
                        ISet critExtOids = cert.GetCriticalExtensionOids();
                        if (critExtOids != null)
                        {
                            ci = critExtOids.Contains(X509Extensions.CertificatePolicies.Id);
                        }

                        PkixPolicyNode p_node = (PkixPolicyNode)node.Parent;
                        if (ANY_POLICY.Equals(p_node.ValidPolicy))
                        {
                            PkixPolicyNode c_node = new PkixPolicyNode(
                                BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.CreateArrayList(), i,
                                (ISet)m_idp[id_p],
                                p_node, pq, id_p, ci);
                            p_node.AddChild(c_node);
                            policyNodes[i].Add(c_node);
                        }
                        break;
                    }
                }
            }
        }
Esempio n. 12
0
 public virtual void AddChild(
     PkixPolicyNode child)
 {
     child.Parent = this;
     mChildren.Add(child);
 }
Esempio n. 13
0
 public virtual void RemoveChild(
     PkixPolicyNode child)
 {
     mChildren.Remove(child);
 }