/// Constructors public PkixPolicyNode( IList children, int depth, ISet expectedPolicies, PkixPolicyNode parent, ISet policyQualifiers, string validPolicy, bool critical) { if (children == null) { this.mChildren = Platform.CreateArrayList(); } else { this.mChildren = Platform.CreateArrayList(children); } this.mDepth = depth; this.mExpectedPolicies = expectedPolicies; this.mParent = parent; this.mPolicyQualifiers = policyQualifiers; this.mValidPolicy = validPolicy; this.mCritical = critical; }
internal static PkixPolicyNode RemovePolicyNode( PkixPolicyNode validPolicyTree, IList[] policyNodes, PkixPolicyNode _node) { PkixPolicyNode _parent = (PkixPolicyNode)_node.Parent; if (validPolicyTree == null) { return(null); } if (_parent == null) { for (int j = 0; j < policyNodes.Length; j++) { policyNodes[j] = Platform.CreateArrayList(); } return(null); } else { _parent.RemoveChild(_node); RemovePolicyNodeRecurse(policyNodes, _node); return(validPolicyTree); } }
internal static void ProcessCertD1ii( int index, IList[] policyNodes, DerObjectIdentifier _poid, ISet _pq) { IList policyNodeVec = policyNodes[index - 1]; for (int j = 0; j < policyNodeVec.Count; j++) { PkixPolicyNode _node = (PkixPolicyNode)policyNodeVec[j]; if (ANY_POLICY.Equals(_node.ValidPolicy)) { ISet _childExpectedPolicies = new HashSet(); _childExpectedPolicies.Add(_poid.Id); PkixPolicyNode _child = new PkixPolicyNode(Platform.CreateArrayList(), index, _childExpectedPolicies, _node, _pq, _poid.Id, false); _node.AddChild(_child); policyNodes[index].Add(_child); return; } } }
internal static bool ProcessCertD1i( int index, IList[] policyNodes, DerObjectIdentifier pOid, ISet pq) { IList policyNodeVec = policyNodes[index - 1]; for (int j = 0; j < policyNodeVec.Count; j++) { PkixPolicyNode node = (PkixPolicyNode)policyNodeVec[j]; ISet expectedPolicies = node.ExpectedPolicies; if (expectedPolicies.Contains(pOid.Id)) { ISet childExpectedPolicies = new HashSet(); childExpectedPolicies.Add(pOid.Id); PkixPolicyNode child = new PkixPolicyNode(Platform.CreateArrayList(), index, childExpectedPolicies, node, pq, pOid.Id, false); node.AddChild(child); policyNodes[index].Add(child); return(true); } } return(false); }
private static void RemovePolicyNodeRecurse(IList[] policyNodes, PkixPolicyNode _node) { policyNodes[_node.Depth].Remove(_node); if (_node.HasChildren) { foreach (PkixPolicyNode _child in _node.Children) { RemovePolicyNodeRecurse(policyNodes, _child); } } }
public PkixCertPathBuilderResult( PkixCertPath certPath, TrustAnchor trustAnchor, PkixPolicyNode policyTree, AsymmetricKeyParameter subjectPublicKey) : base(trustAnchor, policyTree, subjectPublicKey) { if (certPath == null) { throw new ArgumentNullException("certPath"); } this.certPath = certPath; }
public PkixCertPathValidatorResult( TrustAnchor trustAnchor, PkixPolicyNode policyTree, AsymmetricKeyParameter subjectPublicKey) { if (subjectPublicKey == null) { throw new NullReferenceException("subjectPublicKey must be non-null"); } if (trustAnchor == null) { throw new NullReferenceException("trustAnchor must be non-null"); } this.trustAnchor = trustAnchor; this.policyTree = policyTree; this.subjectPublicKey = subjectPublicKey; }
internal static PkixPolicyNode PrepareNextCertB2( int i, IList[] policyNodes, string id_p, PkixPolicyNode validPolicyTree) { int pos = 0; // Copy to avoid RemoveAt calls interfering with enumeration foreach (PkixPolicyNode node in Platform.CreateArrayList(policyNodes[i])) { if (node.ValidPolicy.Equals(id_p)) { PkixPolicyNode p_node = (PkixPolicyNode)node.Parent; p_node.RemoveChild(node); // Removal of element at current iterator position not supported in C# //nodes_i.remove(); policyNodes[i].RemoveAt(pos); for (int k = (i - 1); k >= 0; k--) { IList nodes = policyNodes[k]; for (int l = 0; l < nodes.Count; l++) { PkixPolicyNode node2 = (PkixPolicyNode)nodes[l]; if (!node2.HasChildren) { validPolicyTree = RemovePolicyNode(validPolicyTree, policyNodes, node2); if (validPolicyTree == null) { break; } } } } } else { ++pos; } } return(validPolicyTree); }
public virtual PkixPolicyNode Copy() { PkixPolicyNode node = new PkixPolicyNode( Platform.CreateArrayList(), mDepth, new HashSet(mExpectedPolicies), null, new HashSet(mPolicyQualifiers), mValidPolicy, mCritical); foreach (PkixPolicyNode child in mChildren) { PkixPolicyNode copy = child.Copy(); copy.Parent = node; node.AddChild(copy); } return(node); }
public virtual PkixCertPathValidatorResult Validate( PkixCertPath certPath, PkixParameters paramsPkix) { if (paramsPkix.GetTrustAnchors() == null) { throw new ArgumentException( "trustAnchors is null, this is not allowed for certification path validation.", "parameters"); } // // 6.1.1 - inputs // // // (a) // IList certs = certPath.Certificates; int n = certs.Count; if (certs.Count == 0) { throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0); } // // (b) // // DateTime validDate = PkixCertPathValidatorUtilities.GetValidDate(paramsPkix); // // (c) // ISet userInitialPolicySet = paramsPkix.GetInitialPolicies(); // // (d) // TrustAnchor trust; try { trust = PkixCertPathValidatorUtilities.FindTrustAnchor( (X509Certificate)certs[certs.Count - 1], paramsPkix.GetTrustAnchors()); } catch (Exception e) { throw new PkixCertPathValidatorException(e.Message, e, certPath, certs.Count - 1); } if (trust == null) { throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1); } // // (e), (f), (g) are part of the paramsPkix object. // IEnumerator certIter; int index = 0; int i; // Certificate for each interation of the validation loop // Signature information for each iteration of the validation loop // // 6.1.2 - setup // // // (a) // IList[] policyNodes = new IList[n + 1]; for (int j = 0; j < policyNodes.Length; j++) { policyNodes[j] = Platform.CreateArrayList(); } ISet policySet = new HashSet(); policySet.Add(Rfc3280CertPathUtilities.ANY_POLICY); PkixPolicyNode validPolicyTree = new PkixPolicyNode(Platform.CreateArrayList(), 0, policySet, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, false); policyNodes[0].Add(validPolicyTree); // // (b) and (c) // PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator(); // (d) // int explicitPolicy; ISet acceptablePolicies = new HashSet(); if (paramsPkix.IsExplicitPolicyRequired) { explicitPolicy = 0; } else { explicitPolicy = n + 1; } // // (e) // int inhibitAnyPolicy; if (paramsPkix.IsAnyPolicyInhibited) { inhibitAnyPolicy = 0; } else { inhibitAnyPolicy = n + 1; } // // (f) // int policyMapping; if (paramsPkix.IsPolicyMappingInhibited) { policyMapping = 0; } else { policyMapping = n + 1; } // // (g), (h), (i), (j) // AsymmetricKeyParameter workingPublicKey; X509Name workingIssuerName; X509Certificate sign = trust.TrustedCert; try { if (sign != null) { workingIssuerName = sign.SubjectDN; workingPublicKey = sign.GetPublicKey(); } else { workingIssuerName = new X509Name(trust.CAName); workingPublicKey = trust.CAPublicKey; } } catch (ArgumentException ex) { throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath, -1); } AlgorithmIdentifier workingAlgId = null; try { workingAlgId = PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey); } catch (PkixCertPathValidatorException e) { throw new PkixCertPathValidatorException( "Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1); } // DerObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.Algorithm; // Asn1Encodable workingPublicKeyParameters = workingAlgId.Parameters; // // (k) // int maxPathLength = n; // // 6.1.3 // X509CertStoreSelector certConstraints = paramsPkix.GetTargetCertConstraints(); if (certConstraints != null && !certConstraints.Match((X509Certificate)certs[0])) { throw new PkixCertPathValidatorException( "Target certificate in certification path does not match targetConstraints.", null, certPath, 0); } // // initialize CertPathChecker's // IList pathCheckers = paramsPkix.GetCertPathCheckers(); certIter = pathCheckers.GetEnumerator(); while (certIter.MoveNext()) { ((PkixCertPathChecker)certIter.Current).Init(false); } X509Certificate cert = null; for (index = certs.Count - 1; index >= 0; index--) { // try // { // // i as defined in the algorithm description // i = n - index; // // set certificate to be checked in this round // sign and workingPublicKey and workingIssuerName are set // at the end of the for loop and initialized the // first time from the TrustAnchor // cert = (X509Certificate)certs[index]; // // 6.1.3 // Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, index, workingPublicKey, workingIssuerName, sign); Rfc3280CertPathUtilities.ProcessCertBC(certPath, index, nameConstraintValidator); validPolicyTree = Rfc3280CertPathUtilities.ProcessCertD(certPath, index, acceptablePolicies, validPolicyTree, policyNodes, inhibitAnyPolicy); validPolicyTree = Rfc3280CertPathUtilities.ProcessCertE(certPath, index, validPolicyTree); Rfc3280CertPathUtilities.ProcessCertF(certPath, index, validPolicyTree, explicitPolicy); // // 6.1.4 // if (i != n) { if (cert != null && cert.Version == 1) { throw new PkixCertPathValidatorException( "Version 1 certificates can't be used as CA ones.", null, certPath, index); } Rfc3280CertPathUtilities.PrepareNextCertA(certPath, index); validPolicyTree = Rfc3280CertPathUtilities.PrepareCertB(certPath, index, policyNodes, validPolicyTree, policyMapping); Rfc3280CertPathUtilities.PrepareNextCertG(certPath, index, nameConstraintValidator); // (h) explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, index, explicitPolicy); policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, index, policyMapping); inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, index, inhibitAnyPolicy); // // (i) // explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, index, explicitPolicy); policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, index, policyMapping); // (j) inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, index, inhibitAnyPolicy); // (k) Rfc3280CertPathUtilities.PrepareNextCertK(certPath, index); // (l) maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, index, maxPathLength); // (m) maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, index, maxPathLength); // (n) Rfc3280CertPathUtilities.PrepareNextCertN(certPath, index); ISet criticalExtensions1 = cert.GetCriticalExtensionOids(); if (criticalExtensions1 != null) { criticalExtensions1 = new HashSet(criticalExtensions1); // these extensions are handled by the algorithm criticalExtensions1.Remove(X509Extensions.KeyUsage.Id); criticalExtensions1.Remove(X509Extensions.CertificatePolicies.Id); criticalExtensions1.Remove(X509Extensions.PolicyMappings.Id); criticalExtensions1.Remove(X509Extensions.InhibitAnyPolicy.Id); criticalExtensions1.Remove(X509Extensions.IssuingDistributionPoint.Id); criticalExtensions1.Remove(X509Extensions.DeltaCrlIndicator.Id); criticalExtensions1.Remove(X509Extensions.PolicyConstraints.Id); criticalExtensions1.Remove(X509Extensions.BasicConstraints.Id); criticalExtensions1.Remove(X509Extensions.SubjectAlternativeName.Id); criticalExtensions1.Remove(X509Extensions.NameConstraints.Id); } else { criticalExtensions1 = new HashSet(); } // (o) Rfc3280CertPathUtilities.PrepareNextCertO(certPath, index, criticalExtensions1, pathCheckers); // set signing certificate for next round sign = cert; // (c) workingIssuerName = sign.SubjectDN; // (d) try { workingPublicKey = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, index); } catch (PkixCertPathValidatorException e) { throw new PkixCertPathValidatorException("Next working key could not be retrieved.", e, certPath, index); } workingAlgId = PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey); // (f) // workingPublicKeyAlgorithm = workingAlgId.Algorithm; // (e) // workingPublicKeyParameters = workingAlgId.Parameters; } } // // 6.1.5 Wrap-up procedure // explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, cert); explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, index + 1, explicitPolicy); // // (c) (d) and (e) are already done // // // (f) // ISet criticalExtensions = cert.GetCriticalExtensionOids(); if (criticalExtensions != null) { criticalExtensions = new HashSet(criticalExtensions); // Requires .Id // these extensions are handled by the algorithm criticalExtensions.Remove(X509Extensions.KeyUsage.Id); criticalExtensions.Remove(X509Extensions.CertificatePolicies.Id); criticalExtensions.Remove(X509Extensions.PolicyMappings.Id); criticalExtensions.Remove(X509Extensions.InhibitAnyPolicy.Id); criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id); criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id); criticalExtensions.Remove(X509Extensions.PolicyConstraints.Id); criticalExtensions.Remove(X509Extensions.BasicConstraints.Id); criticalExtensions.Remove(X509Extensions.SubjectAlternativeName.Id); criticalExtensions.Remove(X509Extensions.NameConstraints.Id); criticalExtensions.Remove(X509Extensions.CrlDistributionPoints.Id); } else { criticalExtensions = new HashSet(); } Rfc3280CertPathUtilities.WrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions); PkixPolicyNode intersection = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, userInitialPolicySet, index + 1, policyNodes, validPolicyTree, acceptablePolicies); if ((explicitPolicy > 0) || (intersection != null)) { return(new PkixCertPathValidatorResult(trust, intersection, cert.GetPublicKey())); } throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, index); }
public virtual void AddChild( PkixPolicyNode child) { child.Parent = this; mChildren.Add(child); }
public virtual void RemoveChild( PkixPolicyNode child) { mChildren.Remove(child); }
internal static void PrepareNextCertB1( int i, IList[] policyNodes, string id_p, IDictionary m_idp, X509Certificate cert) { bool idp_found = false; IEnumerator nodes_i = policyNodes[i].GetEnumerator(); while (nodes_i.MoveNext()) { PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current; if (node.ValidPolicy.Equals(id_p)) { idp_found = true; node.ExpectedPolicies = (ISet)m_idp[id_p]; break; } } if (!idp_found) { nodes_i = policyNodes[i].GetEnumerator(); while (nodes_i.MoveNext()) { PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current; if (ANY_POLICY.Equals(node.ValidPolicy)) { ISet pq = null; Asn1Sequence policies = null; try { policies = DerSequence.GetInstance(GetExtensionValue(cert, X509Extensions.CertificatePolicies)); } catch (Exception e) { throw new Exception("Certificate policies cannot be decoded.", e); } IEnumerator enm = policies.GetEnumerator(); while (enm.MoveNext()) { PolicyInformation pinfo = null; try { pinfo = PolicyInformation.GetInstance(enm.Current); } catch (Exception ex) { throw new Exception("Policy information cannot be decoded.", ex); } if (ANY_POLICY.Equals(pinfo.PolicyIdentifier.Id)) { try { pq = GetQualifierSet(pinfo.PolicyQualifiers); } catch (PkixCertPathValidatorException ex) { throw new PkixCertPathValidatorException( "Policy qualifier info set could not be built.", ex); } break; } } bool ci = false; ISet critExtOids = cert.GetCriticalExtensionOids(); if (critExtOids != null) { ci = critExtOids.Contains(X509Extensions.CertificatePolicies.Id); } PkixPolicyNode p_node = (PkixPolicyNode)node.Parent; if (ANY_POLICY.Equals(p_node.ValidPolicy)) { PkixPolicyNode c_node = new PkixPolicyNode( Platform.CreateArrayList(), i, (ISet)m_idp[id_p], p_node, pq, id_p, ci); p_node.AddChild(c_node); policyNodes[i].Add(c_node); } break; } } } }