/// <summary>
/// Reports whether every certificate in the chain admits <paramref name="policyOid"/>
/// as an application policy (ApplicationCertPolicies, or EKU as its fallback).
/// </summary>
/// <param name="policyOid">The application policy OID being asked for.</param>
/// <returns>
/// <see langword="true"/> when each certificate either allows any application policy or
/// explicitly lists <paramref name="policyOid"/>; <see langword="false"/> as soon as one
/// certificate does neither.
/// </returns>
internal bool MatchesApplicationPolicies(Oid policyOid)
{
    string wanted = policyOid.Value;

    // RFC 3280 section 6.1.3 numbers certificates 1..n from the trust anchor down to the
    // end-entity, whereas _policies[0] is the leaf and _policies[_policies.Length - 1] is
    // the root. Walk the array backwards to visit them in the RFC's order.
    for (int dataIdx = _policies.Length - 1; dataIdx >= 0; dataIdx--)
    {
        CertificatePolicy current = _policies[dataIdx];

        if (current.AllowsAnyApplicationPolicy)
        {
            continue;
        }

        // Without the "any" shortcut the certificate must name the OID explicitly; a
        // certificate that declares no application policies at all therefore fails.
        if (current.DeclaredApplicationPolicies == null ||
            !current.DeclaredApplicationPolicies.Contains(wanted))
        {
            return false;
        }
    }

    return true;
}
/// <summary>
/// Decodes a PolicyConstraints extension value (RFC 5280 section 4.2.1.11) and copies its
/// requireExplicitPolicy / inhibitPolicyMapping skip counts onto <paramref name="policy"/>.
/// </summary>
/// <param name="rawData">The DER-encoded extension value (the PolicyConstraints SEQUENCE).</param>
/// <param name="policy">The per-certificate record that receives the two depths.</param>
/// <remarks>
/// No error handling is done here: whatever <c>PolicyConstraintsAsn.Decode</c> throws for a
/// malformed or non-DER encoding propagates to the caller unchanged.
/// </remarks>
private static void ReadCertPolicyConstraintsExtension(byte[] rawData, CertificatePolicy policy)
{
    // Certificate extensions are required to be DER, so the decoder is told to reject
    // BER leniencies rather than accept them.
    PolicyConstraintsAsn decoded = PolicyConstraintsAsn.Decode(rawData, AsnEncodingRules.DER);

    // In the RFC both fields are OPTIONAL; the decoded values (present or absent) are
    // passed through as-is and interpreted later by the chain walk.
    (policy.RequireExplicitPolicyDepth, policy.InhibitMappingDepth) =
        (decoded.RequireExplicitPolicyDepth, decoded.InhibitMappingDepth);
}
/// <summary>
/// Builds the <see cref="CertificatePolicy"/> view of a single certificate from its
/// extensions: certificatePolicies, policyMappings, policyConstraints, inhibitAnyPolicy, and
/// the application policies (Microsoft ApplicationCertPolicies, with Extended Key Usage as
/// the fallback when that extension is absent).
/// </summary>
/// <param name="cert">The certificate whose extensions are inspected.</param>
/// <returns>A freshly populated policy record; never <see langword="null"/>.</returns>
/// <remarks>
/// RFC 5280 section 4.2 forbids a certificate from carrying the same extension twice; that is
/// not enforced here. If a duplicate is present, the later occurrence overwrites the earlier one.
/// Extensions with any other OID are ignored.
/// </remarks>
private static CertificatePolicy ReadPolicy(X509Certificate2 cert)
{
    CertificatePolicy result = new CertificatePolicy();
    ISet<string> appPolicies = null;
    ISet<string> extendedKeyUsages = null;

    foreach (X509Extension ext in cert.Extensions)
    {
        // Assumes ext.Oid is populated, as it is for extensions parsed out of a certificate.
        string oid = ext.Oid.Value;

        if (oid == Oids.ApplicationCertPolicies)
        {
            appPolicies = ReadCertPolicyExtension(ext);
        }
        else if (oid == Oids.CertPolicies)
        {
            result.DeclaredCertificatePolicies = ReadCertPolicyExtension(ext);
        }
        else if (oid == Oids.CertPolicyMappings)
        {
            result.PolicyMapping = ReadCertPolicyMappingsExtension(ext);
        }
        else if (oid == Oids.CertPolicyConstraints)
        {
            ReadCertPolicyConstraintsExtension(ext, result);
        }
        else if (oid == Oids.EnhancedKeyUsage)
        {
            // EKU is only the fallback; once ApplicationCertPolicies has already been seen
            // there is no point parsing it. (If EKU precedes ApplicationCertPolicies in the
            // extension list it is parsed anyway and simply loses at the ?? below.)
            if (appPolicies == null)
            {
                extendedKeyUsages = ReadExtendedKeyUsageExtension(ext);
            }
        }
        else if (oid == Oids.InhibitAnyPolicyExtension)
        {
            result.InhibitAnyDepth = ReadInhibitAnyPolicyExtension(ext);
        }
    }

    // Precedence: an ApplicationCertPolicies extension wins outright. EKU is used only when
    // that extension was absent (a present-but-empty set is not null and does not fall back).
    result.DeclaredApplicationPolicies = appPolicies ?? extendedKeyUsages;

    // "Implicit any" records that the certificate says nothing about that policy kind;
    // "Specified any" records (via CheckExplicitAnyPolicy, presumably a lookup for the
    // anyPolicy OID) that it asserts it explicitly. How those flags are weighed is decided
    // by the chain walk, not here.
    result.ImplicitAnyApplicationPolicy = result.DeclaredApplicationPolicies == null;
    result.ImplicitAnyCertificatePolicy = result.DeclaredCertificatePolicies == null;
    result.SpecifiedAnyApplicationPolicy = CheckExplicitAnyPolicy(result.DeclaredApplicationPolicies);
    result.SpecifiedAnyCertificatePolicy = CheckExplicitAnyPolicy(result.DeclaredCertificatePolicies);

    return result;
}
/// <summary>
/// Reports whether <paramref name="policyOid"/> is a valid certificate policy for the whole
/// chain, following policy mappings from the root down to the leaf as RFC 3280 section 6.1.3
/// describes.
/// </summary>
/// <param name="policyOid">The certificate policy OID, as named in the trust anchor's domain.</param>
/// <returns>
/// <see langword="false"/> if <c>_failAllCertificatePolicies</c> is set or any certificate
/// neither allows any policy nor declares the (possibly mapped) OID; otherwise <see langword="true"/>.
/// </returns>
internal bool MatchesCertificatePolicies(Oid policyOid)
{
    if (_failAllCertificatePolicies)
    {
        return false;
    }

    // The OID as it is known in the domain of the certificate currently being examined.
    // A CA's policyMappings rename it for the certificates that CA issued, so it may change
    // as the walk descends.
    string currentOid = policyOid.Value;

    // _policies[0] is the leaf and _policies[_policies.Length - 1] the root; iterate
    // backwards to match the RFC's root-first numbering (mappings only make sense that way).
    for (int dataIdx = _policies.Length - 1; dataIdx >= 0; dataIdx--)
    {
        CertificatePolicy current = _policies[dataIdx];

        // Work out what this OID will be called one level down. The comparison is always
        // against the unmapped name for this level; if several mappings share the same
        // issuerDomainPolicy the last one listed wins (only a single subject OID is tracked).
        string mappedOid = currentOid;
        if (current.PolicyMapping != null)
        {
            for (int m = 0; m < current.PolicyMapping.Count; m++)
            {
                CertificatePolicyMapping mapping = current.PolicyMapping[m];
                if (StringComparer.Ordinal.Equals(mapping.IssuerDomainPolicy, currentOid))
                {
                    mappedOid = mapping.SubjectDomainPolicy;
                }
            }
        }

        // This certificate itself is checked against the issuer-domain name; the mapped name
        // applies to the certificates below it.
        if (!current.AllowsAnyCertificatePolicy)
        {
            if (current.DeclaredCertificatePolicies == null ||
                !current.DeclaredCertificatePolicies.Contains(currentOid))
            {
                return false;
            }
        }

        currentOid = mappedOid;
    }

    return true;
}
/// <summary>
/// Builds the <see cref="CertificatePolicy"/> view of a single certificate from the
/// policy-related extension data exposed by its PAL: certificatePolicies, policyMappings,
/// policyConstraints, inhibitAnyPolicy, and the application policies (Microsoft
/// ApplicationCertPolicies, falling back to Extended Key Usage when that extension is absent).
/// </summary>
/// <param name="cert">The certificate whose extension data is read.</param>
/// <returns>A freshly populated policy record; never <see langword="null"/>.</returns>
private static CertificatePolicy ReadPolicy(X509Certificate2 cert)
{
    CertificatePolicy result = new CertificatePolicy();
    PolicyData data = cert.Pal.GetPolicyData();

    ISet<string>? appPolicies = data.ApplicationCertPolicies is null
        ? null
        : ReadCertPolicyExtension(data.ApplicationCertPolicies);

    if (data.CertPolicies != null)
    {
        result.DeclaredCertificatePolicies = ReadCertPolicyExtension(data.CertPolicies);
    }

    if (data.CertPolicyMappings != null)
    {
        result.PolicyMapping = ReadCertPolicyMappingsExtension(data.CertPolicyMappings);
    }

    if (data.CertPolicyConstraints != null)
    {
        ReadCertPolicyConstraintsExtension(data.CertPolicyConstraints, result);
    }

    // EKU is only the fallback for application policies, so it is not even parsed once
    // ApplicationCertPolicies has produced a set.
    ISet<string>? extendedKeyUsages = null;
    if (appPolicies is null && data.EnhancedKeyUsage != null)
    {
        extendedKeyUsages = ReadExtendedKeyUsageExtension(data.EnhancedKeyUsage);
    }

    if (data.InhibitAnyPolicyExtension != null)
    {
        result.InhibitAnyDepth = ReadInhibitAnyPolicyExtension(data.InhibitAnyPolicyExtension);
    }

    // A present-but-empty ApplicationCertPolicies set is not null and therefore does not
    // fall back to EKU; only a missing extension does.
    result.DeclaredApplicationPolicies = appPolicies ?? extendedKeyUsages;

    // "Implicit any" marks a certificate that is silent about that policy kind; "Specified
    // any" marks one that asserts it explicitly (CheckExplicitAnyPolicy, presumably a lookup
    // for the anyPolicy OID). The chain walk decides how much weight those flags carry.
    result.ImplicitAnyApplicationPolicy = result.DeclaredApplicationPolicies == null;
    result.ImplicitAnyCertificatePolicy = result.DeclaredCertificatePolicies == null;
    result.SpecifiedAnyApplicationPolicy = CheckExplicitAnyPolicy(result.DeclaredApplicationPolicies);
    result.SpecifiedAnyCertificatePolicy = CheckExplicitAnyPolicy(result.DeclaredCertificatePolicies);

    return result;
}
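/// <summary>
/// Parses a PolicyConstraints extension (RFC 3280 4.2.1.12, restated unchanged in
/// RFC 5280 4.2.1.11) into <paramref name="policy"/>'s RequireExplicitPolicyDepth and
/// InhibitMappingDepth.
/// </summary>
/// <param name="extension">The extension; its RawData must be the PolicyConstraints SEQUENCE.</param>
/// <param name="policy">Receives the decoded skip counts.</param>
/// <exception cref="CryptographicException">
/// The SEQUENCE contains an element other than the two context-specific tags the structure
/// defines (i.e. it is not a valid PolicyConstraints encoding).
/// </exception>
private static void ReadCertPolicyConstraintsExtension(X509Extension extension, CertificatePolicy policy)
{
    DerSequenceReader reader = new DerSequenceReader(extension.RawData);

    while (reader.HasData)
    {
        // PolicyConstraints ::= SEQUENCE {
        //     requireExplicitPolicy [0] SkipCerts OPTIONAL,
        //     inhibitPolicyMapping  [1] SkipCerts OPTIONAL }
        switch (reader.PeekTag())
        {
            case DerSequenceReader.ContextSpecificTagFlag | 0:
                policy.RequireExplicitPolicyDepth = reader.ReadInteger();
                break;
            case DerSequenceReader.ContextSpecificTagFlag | 1:
                policy.InhibitMappingDepth = reader.ReadInteger();
                break;
            default:
                // Any other tag means the value is not a PolicyConstraints encoding; the
                // structure has no extensibility marker, so there is nothing "newer" to be
                // tolerant of. Previously a non-critical extension fell through here without
                // consuming the element, so HasData/PeekTag never changed and the loop spun
                // forever: a certificate supplied by a peer could hang chain building. Fail
                // the parse regardless of the Critical flag, which is also what a strict DER
                // decoder of this type does.
                throw new CryptographicException();
        }
    }
}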
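/// <summary>
/// Reads the policy extensions of every certificate in <paramref name="chain"/> into
/// <c>_policies</c>, then walks the chain root-to-leaf maintaining the RFC 3280 6.1.3 state
/// counters (explicit_policy, inhibit_any-policy, policy_mapping) so that each
/// <see cref="CertificatePolicy"/> already reflects the constraints its issuers imposed.
/// </summary>
/// <param name="chain">Certificates ordered leaf first (index 0) to root last.</param>
/// <remarks>
/// NOTE(review): <c>_policies</c> is assumed to hold at least <c>chain.Count</c> slots; it is
/// sized elsewhere. The exact tightening rule lives in <c>ApplyRestriction</c>, not here.
/// </remarks>
private void ReadPolicies(X509Certificate2Collection chain)
{
    for (int i = 0; i < chain.Count; i++)
    {
        _policies[i] = ReadPolicy(chain[i]);
    }

    // All three counters start at the chain length. Each is decremented once per certificate
    // processed (while still positive) and may be tightened further by that certificate's own
    // constraints, which apply to the certificates it issued.
    int explicitPolicyDepth = chain.Count;
    int inhibitAnyPolicyDepth = explicitPolicyDepth;
    int inhibitPolicyMappingDepth = explicitPolicyDepth;

    for (int i = 1; i <= chain.Count; i++)
    {
        // i follows RFC 3280 6.1.3 numbering (1 = root, n = leaf); the collection is
        // leaf-first, hence chain.Count - i.
        int dataIdx = chain.Count - i;
        CertificatePolicy policy = _policies[dataIdx];

        // Once an explicit policy is required, a certificate with no certificatePolicies
        // extension can never satisfy one: every certificate-policy query must fail.
        if (policy.DeclaredCertificatePolicies == null && explicitPolicyDepth <= 0)
        {
            _failAllCertificatePolicies = true;
        }

        if (inhibitAnyPolicyDepth <= 0)
        {
            // anyPolicy no longer counts as a match, whether implied or asserted.
            policy.ImplicitAnyCertificatePolicy = false;
            policy.SpecifiedAnyCertificatePolicy = false;
        }
        else
        {
            inhibitAnyPolicyDepth--;
        }

        if (inhibitPolicyMappingDepth <= 0)
        {
            policy.PolicyMapping = null;
        }
        else
        {
            // Bug fix: this branch decremented inhibitAnyPolicyDepth (a second time per
            // certificate) instead of inhibitPolicyMappingDepth. That inhibited anyPolicy
            // too early and, worse, never counted down the mapping constraint, so a CA's
            // inhibitPolicyMapping skip count was not enforced on deeper certificates.
            inhibitPolicyMappingDepth--;
        }

        if (explicitPolicyDepth <= 0)
        {
            policy.ImplicitAnyCertificatePolicy = false;
            policy.ImplicitAnyApplicationPolicy = false;
        }
        else
        {
            explicitPolicyDepth--;
        }

        // Constraints this certificate asserts take effect for the certificates below it.
        ApplyRestriction(ref inhibitAnyPolicyDepth, policy.InhibitAnyDepth);
        ApplyRestriction(ref inhibitPolicyMappingDepth, policy.InhibitMappingDepth);
        ApplyRestriction(ref explicitPolicyDepth, policy.RequireExplicitPolicyDepth);
    }
}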
/// <summary>
/// Builds the <see cref="CertificatePolicy"/> view of one certificate from its extensions:
/// certificatePolicies, policyMappings, policyConstraints, inhibitAnyPolicy, and the
/// application policies (Microsoft ApplicationCertPolicies, with Extended Key Usage used only
/// when that extension is absent).
/// </summary>
/// <param name="cert">The certificate whose extensions are inspected.</param>
/// <returns>A freshly populated policy record; never <see langword="null"/>.</returns>
/// <remarks>
/// Duplicate extensions (which RFC 5280 section 4.2 forbids) are not rejected; a later
/// occurrence simply overwrites an earlier one. Unrecognized OIDs are skipped.
/// </remarks>
private static CertificatePolicy ReadPolicy(X509Certificate2 cert)
{
    CertificatePolicy result = new CertificatePolicy();
    ISet<string> appPolicies = null;
    ISet<string> extendedKeyUsages = null;

    X509ExtensionCollection extensions = cert.Extensions;

    for (int idx = 0; idx < extensions.Count; idx++)
    {
        X509Extension ext = extensions[idx];

        // Assumes ext.Oid is populated, as it is for extensions parsed out of a certificate.
        switch (ext.Oid.Value)
        {
            case Oids.ApplicationCertPolicies:
                appPolicies = ReadCertPolicyExtension(ext);
                break;

            case Oids.CertPolicies:
                result.DeclaredCertificatePolicies = ReadCertPolicyExtension(ext);
                break;

            case Oids.CertPolicyMappings:
                result.PolicyMapping = ReadCertPolicyMappingsExtension(ext);
                break;

            case Oids.CertPolicyConstraints:
                ReadCertPolicyConstraintsExtension(ext, result);
                break;

            case Oids.EnhancedKeyUsage:
                // EKU is only the fallback, so skip parsing it once ApplicationCertPolicies
                // has already been read. If EKU happens to come first in the list it is
                // parsed and then loses at the ?? below.
                if (appPolicies == null)
                {
                    extendedKeyUsages = ReadExtendedKeyUsageExtension(ext);
                }
                break;

            case Oids.InhibitAnyPolicyExtension:
                result.InhibitAnyDepth = ReadInhibitAnyPolicyExtension(ext);
                break;
        }
    }

    // Only a missing ApplicationCertPolicies extension falls back to EKU; a present but
    // empty set is non-null and is kept as-is.
    result.DeclaredApplicationPolicies = appPolicies ?? extendedKeyUsages;

    // "Implicit any": the certificate is silent about that policy kind. "Specified any": it
    // asserts it explicitly (CheckExplicitAnyPolicy, presumably a lookup for the anyPolicy
    // OID). The chain walk decides what those flags are worth.
    result.ImplicitAnyApplicationPolicy = result.DeclaredApplicationPolicies == null;
    result.ImplicitAnyCertificatePolicy = result.DeclaredCertificatePolicies == null;
    result.SpecifiedAnyApplicationPolicy = CheckExplicitAnyPolicy(result.DeclaredApplicationPolicies);
    result.SpecifiedAnyCertificatePolicy = CheckExplicitAnyPolicy(result.DeclaredCertificatePolicies);

    return result;
}