/// <summary>
/// Applies the name constraints extension of the certificate at <paramref name="index"/> to the
/// running name-constraint state. This is step (g) of the "preparation for the next certificate"
/// stage of PKIX path validation (RFC 5280, section 6.1.4).
/// </summary>
/// <remarks>
/// Permitted subtrees are intersected into the validator; excluded subtrees are added to it one
/// by one. A certificate without the extension leaves the validator untouched. Any failure while
/// decoding the extension or merging its subtrees is rethrown as a
/// <see cref="PkixCertPathValidatorException"/>, so a malformed extension aborts validation
/// instead of being silently ignored.
/// </remarks>
/// <param name="certPath">The certification path being validated.</param>
/// <param name="index">Position in <paramref name="certPath"/> of the certificate to process.</param>
/// <param name="nameConstraintValidator">Accumulated constraint state, updated in place.</param>
/// <exception cref="PkixCertPathValidatorException">
/// The extension could not be decoded, or its permitted or excluded subtrees could not be applied.
/// </exception>
internal static void PrepareNextCertG(
    PkixCertPath certPath,
    int index,
    PkixNameConstraintValidator nameConstraintValidator)
{
    IList chain = certPath.Certificates;
    X509Certificate current = (X509Certificate)chain[index];

    // (g) Decode the name constraints extension, if the certificate carries one.
    NameConstraints constraints = null;
    try
    {
        Asn1Sequence encoded = DerSequence.GetInstance(
            PkixCertPathValidatorUtilities.GetExtensionValue(current, X509Extensions.NameConstraints));
        if (encoded != null)
        {
            constraints = new NameConstraints(encoded);
        }
    }
    catch (Exception decodeFailure)
    {
        throw new PkixCertPathValidatorException(
            "Name constraints extension could not be decoded.", decodeFailure, certPath, index);
    }

    // No extension present: nothing to merge for this certificate.
    if (constraints == null)
    {
        return;
    }

    // (g)(1) Permitted subtrees narrow the validator's permitted set by intersection.
    Asn1Sequence permittedSubtrees = constraints.PermittedSubtrees;
    if (permittedSubtrees != null)
    {
        try
        {
            nameConstraintValidator.IntersectPermittedSubtree(permittedSubtrees);
        }
        catch (Exception mergeFailure)
        {
            throw new PkixCertPathValidatorException(
                "Permitted subtrees cannot be build from name constraints extension.",
                mergeFailure, certPath, index);
        }
    }

    // (g)(2) Excluded subtrees are added to the validator's excluded set.
    Asn1Sequence excludedSubtrees = constraints.ExcludedSubtrees;
    if (excludedSubtrees != null)
    {
        // The enumerator is obtained outside the try block, so only per-element
        // failures are wrapped below.
        IEnumerator cursor = excludedSubtrees.GetEnumerator();
        try
        {
            while (cursor.MoveNext())
            {
                nameConstraintValidator.AddExcludedSubtree(GeneralSubtree.GetInstance(cursor.Current));
            }
        }
        catch (Exception mergeFailure)
        {
            throw new PkixCertPathValidatorException(
                "Excluded subtrees cannot be build from name constraints extension.",
                mergeFailure, certPath, index);
        }
    }
}
/**
 * Exercises PkixNameConstraintValidator with GeneralNames whose value is a raw byte array
 * (wrapped in a DerOctetString).
 *
 * Four membership checks run first, each against a fresh validator holding a single
 * constraint. They are followed, per index, by a union check on excluded subtrees and an
 * intersection check on permitted subtrees. The rejecting cases are the security-relevant
 * ones: a name outside the permitted set, or inside the excluded set, must raise
 * PkixNameConstraintValidatorException, otherwise the test fails.
 *
 * @param nameType The {@link GeneralName} tag used for every name built here.
 * @param testName The name being checked against the constraints.
 * @param testNameIsConstraint Constraints that cover <code>testName</code>: as a permitted
 *            subtree they must accept it, as an excluded subtree they must reject it.
 * @param testNameIsNotConstraint Constraints that do not cover <code>testName</code>: as a
 *            permitted subtree they must reject it, as an excluded subtree they must accept it.
 * @param testNames1 First operand for the union and intersection checks.
 * @param testNames2 Second operand; indexed in step with <code>testNames1</code>.
 * @param testUnion Expected excluded set after adding both operands, one array per index.
 * @param testInterSection Expected permitted subtree after intersecting both operands;
 *            a <code>null</code> entry means the intersection is expected to be empty.
 */
private void TestConstraints(
    int nameType,
    byte[] testName,
    byte[][] testNameIsConstraint,
    byte[][] testNameIsNotConstraint,
    byte[][] testNames1,
    byte[][] testNames2,
    byte[][][] testUnion,
    byte[][] testInterSection)
{
    // Permitted subtree that covers testName: the check has to pass without throwing.
    foreach (byte[] covering in testNameIsConstraint)
    {
        PkixNameConstraintValidator validator = new PkixNameConstraintValidator();
        GeneralSubtree subtree = new GeneralSubtree(
            new GeneralName(nameType, new DerOctetString(covering)));
        validator.IntersectPermittedSubtree(new DerSequence(subtree));

        validator.checkPermitted(new GeneralName(nameType, new DerOctetString(testName)));
    }

    // Permitted subtree that does not cover testName: the check has to throw.
    foreach (byte[] unrelated in testNameIsNotConstraint)
    {
        PkixNameConstraintValidator validator = new PkixNameConstraintValidator();
        GeneralSubtree subtree = new GeneralSubtree(
            new GeneralName(nameType, new DerOctetString(unrelated)));
        validator.IntersectPermittedSubtree(new DerSequence(subtree));

        try
        {
            validator.checkPermitted(new GeneralName(nameType, new DerOctetString(testName)));
            Fail("not permitted name allowed: " + nameType);
        }
        catch (PkixNameConstraintValidatorException)
        {
            // expected
        }
    }

    // Excluded subtree that covers testName: the check has to throw.
    foreach (byte[] covering in testNameIsConstraint)
    {
        PkixNameConstraintValidator validator = new PkixNameConstraintValidator();
        GeneralName excludedBase = new GeneralName(nameType, new DerOctetString(covering));
        validator.AddExcludedSubtree(new GeneralSubtree(excludedBase));

        try
        {
            validator.checkExcluded(new GeneralName(nameType, new DerOctetString(testName)));
            Fail("excluded name missed: " + nameType);
        }
        catch (PkixNameConstraintValidatorException)
        {
            // expected
        }
    }

    // Excluded subtree that does not cover testName: the check has to pass.
    foreach (byte[] unrelated in testNameIsNotConstraint)
    {
        PkixNameConstraintValidator validator = new PkixNameConstraintValidator();
        GeneralName excludedBase = new GeneralName(nameType, new DerOctetString(unrelated));
        validator.AddExcludedSubtree(new GeneralSubtree(excludedBase));

        validator.checkExcluded(new GeneralName(nameType, new DerOctetString(testName)));
    }

    // Union of excluded subtrees and intersection of permitted subtrees, pair by pair.
    for (int pair = 0; pair < testNames1.Length; pair++)
    {
        // Union: excluding both operands must equal excluding every expected union member.
        PkixNameConstraintValidator unionActual = new PkixNameConstraintValidator();
        unionActual.AddExcludedSubtree(new GeneralSubtree(
            new GeneralName(nameType, new DerOctetString(testNames1[pair]))));
        unionActual.AddExcludedSubtree(new GeneralSubtree(
            new GeneralName(nameType, new DerOctetString(testNames2[pair]))));

        PkixNameConstraintValidator unionExpected = new PkixNameConstraintValidator();
        foreach (byte[] member in testUnion[pair])
        {
            unionExpected.AddExcludedSubtree(new GeneralSubtree(
                new GeneralName(nameType, new DerOctetString(member))));
        }

        if (!unionExpected.Equals(unionActual))
        {
            Fail("union wrong: " + nameType);
        }

        // Intersection: permitting both operands in turn must equal the expected subtree.
        PkixNameConstraintValidator intersectionActual = new PkixNameConstraintValidator();
        intersectionActual.IntersectPermittedSubtree(new DerSequence(new GeneralSubtree(
            new GeneralName(nameType, new DerOctetString(testNames1[pair])))));
        intersectionActual.IntersectPermittedSubtree(new DerSequence(new GeneralSubtree(
            new GeneralName(nameType, new DerOctetString(testNames2[pair])))));

        PkixNameConstraintValidator intersectionExpected = new PkixNameConstraintValidator();
        if (testInterSection[pair] == null)
        {
            // A null expectation stands for an empty permitted set for this name type.
            intersectionExpected.IntersectEmptyPermittedSubtree(nameType);
        }
        else
        {
            intersectionExpected.IntersectPermittedSubtree(new DerSequence(new GeneralSubtree(
                new GeneralName(nameType, new DerOctetString(testInterSection[pair])))));
        }

        if (!intersectionExpected.Equals(intersectionActual))
        {
            Fail("intersection wrong: " + nameType);
        }
    }
}