/** * Method to support <code>Clone()</code> under J2ME. * <code>super.Clone()</code> does not exist and fields are not copied. * * @param params Parameters to set. If this are * <code>ExtendedPkixParameters</code> they are copied to. */ protected virtual void SetParams( PkixParameters parameters) { Date = parameters.Date; SetCertPathCheckers(parameters.GetCertPathCheckers()); IsAnyPolicyInhibited = parameters.IsAnyPolicyInhibited; IsExplicitPolicyRequired = parameters.IsExplicitPolicyRequired; IsPolicyMappingInhibited = parameters.IsPolicyMappingInhibited; IsRevocationEnabled = parameters.IsRevocationEnabled; SetInitialPolicies(parameters.GetInitialPolicies()); IsPolicyQualifiersRejected = parameters.IsPolicyQualifiersRejected; SetTargetCertConstraints(parameters.GetTargetCertConstraints()); SetTrustAnchors(parameters.GetTrustAnchors()); validityModel = parameters.validityModel; useDeltas = parameters.useDeltas; additionalLocationsEnabled = parameters.additionalLocationsEnabled; selector = parameters.selector == null ? null : (IX509Selector)parameters.selector.Clone(); stores = Platform.CreateArrayList(parameters.stores); additionalStores = Platform.CreateArrayList(parameters.additionalStores); trustedACIssuers = new HashSet(parameters.trustedACIssuers); prohibitedACAttributes = new HashSet(parameters.prohibitedACAttributes); necessaryACAttributes = new HashSet(parameters.necessaryACAttributes); attrCertCheckers = new HashSet(parameters.attrCertCheckers); }
public virtual PkixCertPathValidatorResult Validate( PkixCertPath certPath, PkixParameters paramsPkix) { if (paramsPkix.GetTrustAnchors() == null) { throw new ArgumentException( @"trustAnchors is null, this is not allowed for certification path validation.", "parameters"); } // // 6.1.1 - inputs // // // (a) // IList certs = certPath.Certificates; int n = certs.Count; if (certs.Count == 0) throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0); // // (b) // // DateTime validDate = PkixCertPathValidatorUtilities.GetValidDate(paramsPkix); // // (c) // ISet userInitialPolicySet = paramsPkix.GetInitialPolicies(); // // (d) // TrustAnchor trust; try { trust = PkixCertPathValidatorUtilities.FindTrustAnchor( (X509Certificate)certs[certs.Count - 1], paramsPkix.GetTrustAnchors()); } catch (Exception e) { throw new PkixCertPathValidatorException(e.Message, e, certPath, certs.Count - 1); } if (trust == null) throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1); // // (e), (f), (g) are part of the paramsPkix object. // IEnumerator certIter; int index = 0; int i; // Certificate for each interation of the validation loop // Signature information for each iteration of the validation loop // // 6.1.2 - setup // // // (a) // IList[] policyNodes = new IList[n + 1]; for (int j = 0; j < policyNodes.Length; j++) { policyNodes[j] = Platform.CreateArrayList(); } ISet policySet = new HashSet(); policySet.Add(Rfc3280CertPathUtilities.ANY_POLICY); PkixPolicyNode validPolicyTree = new PkixPolicyNode(Platform.CreateArrayList(), 0, policySet, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, false); policyNodes[0].Add(validPolicyTree); // // (b) and (c) // PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator(); // (d) // int explicitPolicy; ISet acceptablePolicies = new HashSet(); if (paramsPkix.IsExplicitPolicyRequired) { explicitPolicy = 0; } else { explicitPolicy = n + 1; } // // (e) // int inhibitAnyPolicy; if (paramsPkix.IsAnyPolicyInhibited) { inhibitAnyPolicy = 0; } else { inhibitAnyPolicy = n + 1; } // // (f) // int policyMapping; if (paramsPkix.IsPolicyMappingInhibited) { policyMapping = 0; } else { policyMapping = n + 1; } // // (g), (h), (i), (j) // IAsymmetricKeyParameter workingPublicKey; X509Name workingIssuerName; X509Certificate sign = trust.TrustedCert; try { if (sign != null) { workingIssuerName = sign.SubjectDN; workingPublicKey = sign.GetPublicKey(); } else { workingIssuerName = new X509Name(trust.CAName); workingPublicKey = trust.CAPublicKey; } } catch (ArgumentException ex) { throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath, -1); } AlgorithmIdentifier workingAlgId = null; try { workingAlgId = PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey); } catch (PkixCertPathValidatorException e) { throw new PkixCertPathValidatorException( "Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1); } // DerObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.ObjectID; // Asn1Encodable workingPublicKeyParameters = workingAlgId.Parameters; // // (k) // int maxPathLength = n; // // 6.1.3 // X509CertStoreSelector certConstraints = paramsPkix.GetTargetCertConstraints(); if (certConstraints != null && !certConstraints.Match((X509Certificate)certs[0])) { throw new PkixCertPathValidatorException( "Target certificate in certification path does not match targetConstraints.", null, certPath, 0); } // // initialize CertPathChecker's // IList pathCheckers = paramsPkix.GetCertPathCheckers(); certIter = pathCheckers.GetEnumerator(); while (certIter.MoveNext()) { ((PkixCertPathChecker)certIter.Current).Init(false); } X509Certificate cert = null; for (index = certs.Count - 1; index >= 0; index--) { // try // { // // i as defined in the algorithm description // i = n - index; // // set certificate to be checked in this round // sign and workingPublicKey and workingIssuerName are set // at the end of the for loop and initialized the // first time from the TrustAnchor // cert = (X509Certificate)certs[index]; // // 6.1.3 // Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, index, workingPublicKey, workingIssuerName, sign); Rfc3280CertPathUtilities.ProcessCertBC(certPath, index, nameConstraintValidator); validPolicyTree = Rfc3280CertPathUtilities.ProcessCertD(certPath, index, acceptablePolicies, validPolicyTree, policyNodes, inhibitAnyPolicy); validPolicyTree = Rfc3280CertPathUtilities.ProcessCertE(certPath, index, validPolicyTree); Rfc3280CertPathUtilities.ProcessCertF(certPath, index, validPolicyTree, explicitPolicy); // // 6.1.4 // if (i != n) { if (cert != null && cert.Version == 1) { throw new PkixCertPathValidatorException( "Version 1 certificates can't be used as CA ones.", null, certPath, index); } Rfc3280CertPathUtilities.PrepareNextCertA(certPath, index); validPolicyTree = Rfc3280CertPathUtilities.PrepareCertB(certPath, index, policyNodes, validPolicyTree, policyMapping); Rfc3280CertPathUtilities.PrepareNextCertG(certPath, index, nameConstraintValidator); // (h) explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, index, explicitPolicy); policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, index, policyMapping); inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, index, inhibitAnyPolicy); // // (i) // explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, index, explicitPolicy); policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, index, policyMapping); // (j) inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, index, inhibitAnyPolicy); // (k) Rfc3280CertPathUtilities.PrepareNextCertK(certPath, index); // (l) maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, index, maxPathLength); // (m) maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, index, maxPathLength); // (n) Rfc3280CertPathUtilities.PrepareNextCertN(certPath, index); ISet criticalExtensions1 = cert.GetCriticalExtensionOids(); if (criticalExtensions1 != null) { criticalExtensions1 = new HashSet(criticalExtensions1); // these extensions are handled by the algorithm criticalExtensions1.Remove(X509Extensions.KeyUsage.Id); criticalExtensions1.Remove(X509Extensions.CertificatePolicies.Id); criticalExtensions1.Remove(X509Extensions.PolicyMappings.Id); criticalExtensions1.Remove(X509Extensions.InhibitAnyPolicy.Id); criticalExtensions1.Remove(X509Extensions.IssuingDistributionPoint.Id); criticalExtensions1.Remove(X509Extensions.DeltaCrlIndicator.Id); criticalExtensions1.Remove(X509Extensions.PolicyConstraints.Id); criticalExtensions1.Remove(X509Extensions.BasicConstraints.Id); criticalExtensions1.Remove(X509Extensions.SubjectAlternativeName.Id); criticalExtensions1.Remove(X509Extensions.NameConstraints.Id); } else { criticalExtensions1 = new HashSet(); } // (o) Rfc3280CertPathUtilities.PrepareNextCertO(certPath, index, criticalExtensions1, pathCheckers); // set signing certificate for next round sign = cert; // (c) workingIssuerName = sign.SubjectDN; // (d) try { workingPublicKey = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, index); } catch (PkixCertPathValidatorException e) { throw new PkixCertPathValidatorException("Next working key could not be retrieved.", e, certPath, index); } workingAlgId = PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey); // (f) // workingPublicKeyAlgorithm = workingAlgId.ObjectID; // (e) // workingPublicKeyParameters = workingAlgId.Parameters; } } // // 6.1.5 Wrap-up procedure // explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, cert); explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, index + 1, explicitPolicy); // // (c) (d) and (e) are already done // // // (f) // ISet criticalExtensions = cert.GetCriticalExtensionOids(); if (criticalExtensions != null) { criticalExtensions = new HashSet(criticalExtensions); // Requires .Id // these extensions are handled by the algorithm criticalExtensions.Remove(X509Extensions.KeyUsage.Id); criticalExtensions.Remove(X509Extensions.CertificatePolicies.Id); criticalExtensions.Remove(X509Extensions.PolicyMappings.Id); criticalExtensions.Remove(X509Extensions.InhibitAnyPolicy.Id); criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id); criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id); criticalExtensions.Remove(X509Extensions.PolicyConstraints.Id); criticalExtensions.Remove(X509Extensions.BasicConstraints.Id); criticalExtensions.Remove(X509Extensions.SubjectAlternativeName.Id); criticalExtensions.Remove(X509Extensions.NameConstraints.Id); criticalExtensions.Remove(X509Extensions.CrlDistributionPoints.Id); } else { criticalExtensions = new HashSet(); } Rfc3280CertPathUtilities.WrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions); PkixPolicyNode intersection = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, userInitialPolicySet, index + 1, policyNodes, validPolicyTree, acceptablePolicies); if ((explicitPolicy > 0) || (intersection != null)) { return new PkixCertPathValidatorResult(trust, intersection, cert.GetPublicKey()); } throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, index); }
public virtual PkixCertPathValidatorResult Validate( PkixCertPath certPath, PkixParameters paramsPkix) { if (paramsPkix.GetTrustAnchors() == null) { throw new ArgumentException( "trustAnchors is null, this is not allowed for certification path validation.", "parameters"); } // // 6.1.1 - inputs // // // (a) // IList certs = certPath.Certificates; int n = certs.Count; if (certs.Count == 0) { throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0); } // // (b) // // DateTime validDate = PkixCertPathValidatorUtilities.GetValidDate(paramsPkix); // // (c) // ISet userInitialPolicySet = paramsPkix.GetInitialPolicies(); // // (d) // TrustAnchor trust; try { trust = PkixCertPathValidatorUtilities.FindTrustAnchor( (X509Certificate)certs[certs.Count - 1], paramsPkix.GetTrustAnchors()); } catch (Exception e) { throw new PkixCertPathValidatorException(e.Message, e, certPath, certs.Count - 1); } if (trust == null) { throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1); } // // (e), (f), (g) are part of the paramsPkix object. // IEnumerator certIter; int index = 0; int i; // Certificate for each interation of the validation loop // Signature information for each iteration of the validation loop // // 6.1.2 - setup // // // (a) // IList[] policyNodes = new IList[n + 1]; for (int j = 0; j < policyNodes.Length; j++) { policyNodes[j] = Platform.CreateArrayList(); } ISet policySet = new HashSet(); policySet.Add(Rfc3280CertPathUtilities.ANY_POLICY); PkixPolicyNode validPolicyTree = new PkixPolicyNode(Platform.CreateArrayList(), 0, policySet, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, false); policyNodes[0].Add(validPolicyTree); // // (b) and (c) // PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator(); // (d) // int explicitPolicy; ISet acceptablePolicies = new HashSet(); if (paramsPkix.IsExplicitPolicyRequired) { explicitPolicy = 0; } else { explicitPolicy = n + 1; } // // (e) // int inhibitAnyPolicy; if (paramsPkix.IsAnyPolicyInhibited) { inhibitAnyPolicy = 0; } else { inhibitAnyPolicy = n + 1; } // // (f) // int policyMapping; if (paramsPkix.IsPolicyMappingInhibited) { policyMapping = 0; } else { policyMapping = n + 1; } // // (g), (h), (i), (j) // AsymmetricKeyParameter workingPublicKey; X509Name workingIssuerName; X509Certificate sign = trust.TrustedCert; try { if (sign != null) { workingIssuerName = sign.SubjectDN; workingPublicKey = sign.GetPublicKey(); } else { workingIssuerName = new X509Name(trust.CAName); workingPublicKey = trust.CAPublicKey; } } catch (ArgumentException ex) { throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath, -1); } //AlgorithmIdentifier workingAlgId = null; try { /*workingAlgId = */ PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey); } catch (PkixCertPathValidatorException e) { throw new PkixCertPathValidatorException( "Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1); } // DerObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.ObjectID; // Asn1Encodable workingPublicKeyParameters = workingAlgId.Parameters; // // (k) // int maxPathLength = n; // // 6.1.3 // X509CertStoreSelector certConstraints = paramsPkix.GetTargetCertConstraints(); if (certConstraints != null && !certConstraints.Match((X509Certificate)certs[0])) { throw new PkixCertPathValidatorException( "Target certificate in certification path does not match targetConstraints.", null, certPath, 0); } // // initialize CertPathChecker's // IList pathCheckers = paramsPkix.GetCertPathCheckers(); certIter = pathCheckers.GetEnumerator(); while (certIter.MoveNext()) { ((PkixCertPathChecker)certIter.Current).Init(false); } X509Certificate cert = null; for (index = certs.Count - 1; index >= 0; index--) { // try // { // // i as defined in the algorithm description // i = n - index; // // set certificate to be checked in this round // sign and workingPublicKey and workingIssuerName are set // at the end of the for loop and initialized the // first time from the TrustAnchor // cert = (X509Certificate)certs[index]; // // 6.1.3 // Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, index, workingPublicKey, workingIssuerName, sign); Rfc3280CertPathUtilities.ProcessCertBC(certPath, index, nameConstraintValidator); validPolicyTree = Rfc3280CertPathUtilities.ProcessCertD(certPath, index, acceptablePolicies, validPolicyTree, policyNodes, inhibitAnyPolicy); validPolicyTree = Rfc3280CertPathUtilities.ProcessCertE(certPath, index, validPolicyTree); Rfc3280CertPathUtilities.ProcessCertF(certPath, index, validPolicyTree, explicitPolicy); // // 6.1.4 // if (i != n) { if (cert != null && cert.Version == 1) { throw new PkixCertPathValidatorException( "Version 1 certificates can't be used as CA ones.", null, certPath, index); } Rfc3280CertPathUtilities.PrepareNextCertA(certPath, index); validPolicyTree = Rfc3280CertPathUtilities.PrepareCertB(certPath, index, policyNodes, validPolicyTree, policyMapping); Rfc3280CertPathUtilities.PrepareNextCertG(certPath, index, nameConstraintValidator); // (h) explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, index, explicitPolicy); policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, index, policyMapping); inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, index, inhibitAnyPolicy); // // (i) // explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, index, explicitPolicy); policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, index, policyMapping); // (j) inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, index, inhibitAnyPolicy); // (k) Rfc3280CertPathUtilities.PrepareNextCertK(certPath, index); // (l) maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, index, maxPathLength); // (m) maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, index, maxPathLength); // (n) Rfc3280CertPathUtilities.PrepareNextCertN(certPath, index); ISet criticalExtensions1 = cert.GetCriticalExtensionOids(); if (criticalExtensions1 != null) { criticalExtensions1 = new HashSet(criticalExtensions1); // these extensions are handled by the algorithm criticalExtensions1.Remove(X509Extensions.KeyUsage.Id); criticalExtensions1.Remove(X509Extensions.CertificatePolicies.Id); criticalExtensions1.Remove(X509Extensions.PolicyMappings.Id); criticalExtensions1.Remove(X509Extensions.InhibitAnyPolicy.Id); criticalExtensions1.Remove(X509Extensions.IssuingDistributionPoint.Id); criticalExtensions1.Remove(X509Extensions.DeltaCrlIndicator.Id); criticalExtensions1.Remove(X509Extensions.PolicyConstraints.Id); criticalExtensions1.Remove(X509Extensions.BasicConstraints.Id); criticalExtensions1.Remove(X509Extensions.SubjectAlternativeName.Id); criticalExtensions1.Remove(X509Extensions.NameConstraints.Id); } else { criticalExtensions1 = new HashSet(); } // (o) Rfc3280CertPathUtilities.PrepareNextCertO(certPath, index, criticalExtensions1, pathCheckers); // set signing certificate for next round sign = cert; // (c) workingIssuerName = sign.SubjectDN; // (d) try { workingPublicKey = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, index); } catch (PkixCertPathValidatorException e) { throw new PkixCertPathValidatorException("Next working key could not be retrieved.", e, certPath, index); } /*workingAlgId = */ PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey); // (f) // workingPublicKeyAlgorithm = workingAlgId.ObjectID; // (e) // workingPublicKeyParameters = workingAlgId.Parameters; } } // // 6.1.5 Wrap-up procedure // explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, cert); explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, index + 1, explicitPolicy); // // (c) (d) and (e) are already done // // // (f) // ISet criticalExtensions = cert.GetCriticalExtensionOids(); if (criticalExtensions != null) { criticalExtensions = new HashSet(criticalExtensions); // Requires .Id // these extensions are handled by the algorithm criticalExtensions.Remove(X509Extensions.KeyUsage.Id); criticalExtensions.Remove(X509Extensions.CertificatePolicies.Id); criticalExtensions.Remove(X509Extensions.PolicyMappings.Id); criticalExtensions.Remove(X509Extensions.InhibitAnyPolicy.Id); criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id); criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id); criticalExtensions.Remove(X509Extensions.PolicyConstraints.Id); criticalExtensions.Remove(X509Extensions.BasicConstraints.Id); criticalExtensions.Remove(X509Extensions.SubjectAlternativeName.Id); criticalExtensions.Remove(X509Extensions.NameConstraints.Id); criticalExtensions.Remove(X509Extensions.CrlDistributionPoints.Id); } else { criticalExtensions = new HashSet(); } Rfc3280CertPathUtilities.WrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions); PkixPolicyNode intersection = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, userInitialPolicySet, index + 1, policyNodes, validPolicyTree, acceptablePolicies); if ((explicitPolicy > 0) || (intersection != null)) { return(new PkixCertPathValidatorResult(trust, intersection, cert.GetPublicKey())); } throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, index); }
public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters paramsPkix) { if (paramsPkix.GetTrustAnchors() == null) { throw new ArgumentException("trustAnchors is null, this is not allowed for certification path validation.", "parameters"); } IList certificates = certPath.Certificates; int count = certificates.Count; if (certificates.Count == 0) { throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0); } ISet initialPolicies = paramsPkix.GetInitialPolicies(); TrustAnchor trustAnchor; try { trustAnchor = PkixCertPathValidatorUtilities.FindTrustAnchor((X509Certificate)certificates[certificates.Count - 1], paramsPkix.GetTrustAnchors()); } catch (Exception ex) { throw new PkixCertPathValidatorException(ex.Message, ex, certPath, certificates.Count - 1); } if (trustAnchor == null) { throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1); } int i = 0; IList[] array = new IList[count + 1]; for (int j = 0; j < array.Length; j++) { array[j] = Platform.CreateArrayList(); } ISet set = new HashSet(); set.Add(Rfc3280CertPathUtilities.ANY_POLICY); PkixPolicyNode pkixPolicyNode = new PkixPolicyNode(Platform.CreateArrayList(), 0, set, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, false); array[0].Add(pkixPolicyNode); PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator(); ISet acceptablePolicies = new HashSet(); int num; if (paramsPkix.IsExplicitPolicyRequired) { num = 0; } else { num = count + 1; } int inhibitAnyPolicy; if (paramsPkix.IsAnyPolicyInhibited) { inhibitAnyPolicy = 0; } else { inhibitAnyPolicy = count + 1; } int policyMapping; if (paramsPkix.IsPolicyMappingInhibited) { policyMapping = 0; } else { policyMapping = count + 1; } X509Certificate x509Certificate = trustAnchor.TrustedCert; X509Name workingIssuerName; AsymmetricKeyParameter asymmetricKeyParameter; try { if (x509Certificate != null) { workingIssuerName = x509Certificate.SubjectDN; asymmetricKeyParameter = x509Certificate.GetPublicKey(); } else { workingIssuerName = new X509Name(trustAnchor.CAName); asymmetricKeyParameter = trustAnchor.CAPublicKey; } } catch (ArgumentException cause) { throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", cause, certPath, -1); } try { PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter); } catch (PkixCertPathValidatorException cause2) { throw new PkixCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", cause2, certPath, -1); } int maxPathLength = count; X509CertStoreSelector targetCertConstraints = paramsPkix.GetTargetCertConstraints(); if (targetCertConstraints != null && !targetCertConstraints.Match((X509Certificate)certificates[0])) { throw new PkixCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath, 0); } IList certPathCheckers = paramsPkix.GetCertPathCheckers(); IEnumerator enumerator = certPathCheckers.GetEnumerator(); while (enumerator.MoveNext()) { ((PkixCertPathChecker)enumerator.Current).Init(false); } X509Certificate x509Certificate2 = null; for (i = certificates.Count - 1; i >= 0; i--) { int num2 = count - i; x509Certificate2 = (X509Certificate)certificates[i]; Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, i, asymmetricKeyParameter, workingIssuerName, x509Certificate); Rfc3280CertPathUtilities.ProcessCertBC(certPath, i, nameConstraintValidator); pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertD(certPath, i, acceptablePolicies, pkixPolicyNode, array, inhibitAnyPolicy); pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertE(certPath, i, pkixPolicyNode); Rfc3280CertPathUtilities.ProcessCertF(certPath, i, pkixPolicyNode, num); if (num2 != count) { if (x509Certificate2 != null && x509Certificate2.Version == 1) { throw new PkixCertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, certPath, i); } Rfc3280CertPathUtilities.PrepareNextCertA(certPath, i); pkixPolicyNode = Rfc3280CertPathUtilities.PrepareCertB(certPath, i, array, pkixPolicyNode, policyMapping); Rfc3280CertPathUtilities.PrepareNextCertG(certPath, i, nameConstraintValidator); num = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, i, num); policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, i, policyMapping); inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, i, inhibitAnyPolicy); num = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, i, num); policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, i, policyMapping); inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, i, inhibitAnyPolicy); Rfc3280CertPathUtilities.PrepareNextCertK(certPath, i); maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, i, maxPathLength); maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, i, maxPathLength); Rfc3280CertPathUtilities.PrepareNextCertN(certPath, i); ISet set2 = x509Certificate2.GetCriticalExtensionOids(); if (set2 != null) { set2 = new HashSet(set2); set2.Remove(X509Extensions.KeyUsage.Id); set2.Remove(X509Extensions.CertificatePolicies.Id); set2.Remove(X509Extensions.PolicyMappings.Id); set2.Remove(X509Extensions.InhibitAnyPolicy.Id); set2.Remove(X509Extensions.IssuingDistributionPoint.Id); set2.Remove(X509Extensions.DeltaCrlIndicator.Id); set2.Remove(X509Extensions.PolicyConstraints.Id); set2.Remove(X509Extensions.BasicConstraints.Id); set2.Remove(X509Extensions.SubjectAlternativeName.Id); set2.Remove(X509Extensions.NameConstraints.Id); } else { set2 = new HashSet(); } Rfc3280CertPathUtilities.PrepareNextCertO(certPath, i, set2, certPathCheckers); x509Certificate = x509Certificate2; workingIssuerName = x509Certificate.SubjectDN; try { asymmetricKeyParameter = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, i); } catch (PkixCertPathValidatorException cause3) { throw new PkixCertPathValidatorException("Next working key could not be retrieved.", cause3, certPath, i); } PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter); } } num = Rfc3280CertPathUtilities.WrapupCertA(num, x509Certificate2); num = Rfc3280CertPathUtilities.WrapupCertB(certPath, i + 1, num); ISet set3 = x509Certificate2.GetCriticalExtensionOids(); if (set3 != null) { set3 = new HashSet(set3); set3.Remove(X509Extensions.KeyUsage.Id); set3.Remove(X509Extensions.CertificatePolicies.Id); set3.Remove(X509Extensions.PolicyMappings.Id); set3.Remove(X509Extensions.InhibitAnyPolicy.Id); set3.Remove(X509Extensions.IssuingDistributionPoint.Id); set3.Remove(X509Extensions.DeltaCrlIndicator.Id); set3.Remove(X509Extensions.PolicyConstraints.Id); set3.Remove(X509Extensions.BasicConstraints.Id); set3.Remove(X509Extensions.SubjectAlternativeName.Id); set3.Remove(X509Extensions.NameConstraints.Id); set3.Remove(X509Extensions.CrlDistributionPoints.Id); } else { set3 = new HashSet(); } Rfc3280CertPathUtilities.WrapupCertF(certPath, i + 1, certPathCheckers, set3); PkixPolicyNode pkixPolicyNode2 = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, initialPolicies, i + 1, array, pkixPolicyNode, acceptablePolicies); if (num > 0 || pkixPolicyNode2 != null) { return(new PkixCertPathValidatorResult(trustAnchor, pkixPolicyNode2, x509Certificate2.GetPublicKey())); } throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, i); }
/** * Method to support <code>Clone()</code> under J2ME. * <code>super.Clone()</code> does not exist and fields are not copied. * * @param params Parameters to set. If this are * <code>ExtendedPkixParameters</code> they are copied to. */ protected virtual void SetParams( PkixParameters parameters) { Date = parameters.Date; SetCertPathCheckers(parameters.GetCertPathCheckers()); IsAnyPolicyInhibited = parameters.IsAnyPolicyInhibited; IsExplicitPolicyRequired = parameters.IsExplicitPolicyRequired; IsPolicyMappingInhibited = parameters.IsPolicyMappingInhibited; IsRevocationEnabled = parameters.IsRevocationEnabled; SetInitialPolicies(parameters.GetInitialPolicies()); IsPolicyQualifiersRejected = parameters.IsPolicyQualifiersRejected; SetTargetCertConstraints(parameters.GetTargetCertConstraints()); SetTrustAnchors(parameters.GetTrustAnchors()); validityModel = parameters.validityModel; useDeltas = parameters.useDeltas; additionalLocationsEnabled = parameters.additionalLocationsEnabled; selector = parameters.selector == null ? null : (IX509Selector) parameters.selector.Clone(); stores = Platform.CreateArrayList(parameters.stores); additionalStores = Platform.CreateArrayList(parameters.additionalStores); trustedACIssuers = new HashSet(parameters.trustedACIssuers); prohibitedACAttributes = new HashSet(parameters.prohibitedACAttributes); necessaryACAttributes = new HashSet(parameters.necessaryACAttributes); attrCertCheckers = new HashSet(parameters.attrCertCheckers); }
public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters paramsPkix) { //IL_0012: Unknown result type (might be due to invalid IL or missing references) //IL_0170: Expected O, but got Unknown if (paramsPkix.GetTrustAnchors() == null) { throw new ArgumentException("trustAnchors is null, this is not allowed for certification path validation.", "parameters"); } global::System.Collections.IList certificates = certPath.Certificates; int count = ((global::System.Collections.ICollection)certificates).get_Count(); if (((global::System.Collections.ICollection)certificates).get_Count() == 0) { throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0); } ISet initialPolicies = paramsPkix.GetInitialPolicies(); TrustAnchor trustAnchor; try { trustAnchor = PkixCertPathValidatorUtilities.FindTrustAnchor((X509Certificate)certificates.get_Item(((global::System.Collections.ICollection)certificates).get_Count() - 1), paramsPkix.GetTrustAnchors()); } catch (global::System.Exception ex) { throw new PkixCertPathValidatorException(ex.get_Message(), ex, certPath, ((global::System.Collections.ICollection)certificates).get_Count() - 1); } if (trustAnchor == null) { throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1); } int num = 0; global::System.Collections.IList[] array = new global::System.Collections.IList[count + 1]; for (int i = 0; i < array.Length; i++) { array[i] = Platform.CreateArrayList(); } ISet set = new HashSet(); set.Add(Rfc3280CertPathUtilities.ANY_POLICY); PkixPolicyNode pkixPolicyNode = new PkixPolicyNode(Platform.CreateArrayList(), 0, set, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, critical: false); array[0].Add((object)pkixPolicyNode); PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator(); ISet acceptablePolicies = new HashSet(); int explicitPolicy = ((!paramsPkix.IsExplicitPolicyRequired) ? (count + 1) : 0); int inhibitAnyPolicy = ((!paramsPkix.IsAnyPolicyInhibited) ? (count + 1) : 0); int policyMapping = ((!paramsPkix.IsPolicyMappingInhibited) ? (count + 1) : 0); X509Certificate x509Certificate = trustAnchor.TrustedCert; X509Name workingIssuerName; AsymmetricKeyParameter asymmetricKeyParameter; try { if (x509Certificate != null) { workingIssuerName = x509Certificate.SubjectDN; asymmetricKeyParameter = x509Certificate.GetPublicKey(); } else { workingIssuerName = new X509Name(trustAnchor.CAName); asymmetricKeyParameter = trustAnchor.CAPublicKey; } } catch (ArgumentException val) { ArgumentException cause = val; throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", (global::System.Exception)(object) cause, certPath, -1); } try { PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter); } catch (PkixCertPathValidatorException cause2) { throw new PkixCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", cause2, certPath, -1); } int maxPathLength = count; X509CertStoreSelector targetCertConstraints = paramsPkix.GetTargetCertConstraints(); if (targetCertConstraints != null && !targetCertConstraints.Match((X509Certificate)certificates.get_Item(0))) { throw new PkixCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath, 0); } global::System.Collections.IList certPathCheckers = paramsPkix.GetCertPathCheckers(); global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)certPathCheckers).GetEnumerator(); while (enumerator.MoveNext()) { ((PkixCertPathChecker)enumerator.get_Current()).Init(forward: false); } X509Certificate x509Certificate2 = null; for (num = ((global::System.Collections.ICollection)certificates).get_Count() - 1; num >= 0; num--) { int num2 = count - num; x509Certificate2 = (X509Certificate)certificates.get_Item(num); Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, num, asymmetricKeyParameter, workingIssuerName, x509Certificate); Rfc3280CertPathUtilities.ProcessCertBC(certPath, num, nameConstraintValidator); pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertD(certPath, num, acceptablePolicies, pkixPolicyNode, array, inhibitAnyPolicy); pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertE(certPath, num, pkixPolicyNode); Rfc3280CertPathUtilities.ProcessCertF(certPath, num, pkixPolicyNode, explicitPolicy); if (num2 != count) { if (x509Certificate2 != null && x509Certificate2.Version == 1) { throw new PkixCertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, certPath, num); } Rfc3280CertPathUtilities.PrepareNextCertA(certPath, num); pkixPolicyNode = Rfc3280CertPathUtilities.PrepareCertB(certPath, num, array, pkixPolicyNode, policyMapping); Rfc3280CertPathUtilities.PrepareNextCertG(certPath, num, nameConstraintValidator); explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, num, explicitPolicy); policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, num, policyMapping); inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, num, inhibitAnyPolicy); explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, num, explicitPolicy); policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, num, policyMapping); inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, num, inhibitAnyPolicy); Rfc3280CertPathUtilities.PrepareNextCertK(certPath, num); maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, num, maxPathLength); maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, num, maxPathLength); Rfc3280CertPathUtilities.PrepareNextCertN(certPath, num); ISet criticalExtensionOids = x509Certificate2.GetCriticalExtensionOids(); if (criticalExtensionOids != null) { criticalExtensionOids = new HashSet(criticalExtensionOids); criticalExtensionOids.Remove(X509Extensions.KeyUsage.Id); criticalExtensionOids.Remove(X509Extensions.CertificatePolicies.Id); criticalExtensionOids.Remove(X509Extensions.PolicyMappings.Id); criticalExtensionOids.Remove(X509Extensions.InhibitAnyPolicy.Id); criticalExtensionOids.Remove(X509Extensions.IssuingDistributionPoint.Id); criticalExtensionOids.Remove(X509Extensions.DeltaCrlIndicator.Id); criticalExtensionOids.Remove(X509Extensions.PolicyConstraints.Id); criticalExtensionOids.Remove(X509Extensions.BasicConstraints.Id); criticalExtensionOids.Remove(X509Extensions.SubjectAlternativeName.Id); criticalExtensionOids.Remove(X509Extensions.NameConstraints.Id); } else { criticalExtensionOids = new HashSet(); } Rfc3280CertPathUtilities.PrepareNextCertO(certPath, num, criticalExtensionOids, certPathCheckers); x509Certificate = x509Certificate2; workingIssuerName = x509Certificate.SubjectDN; try { asymmetricKeyParameter = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, num); } catch (PkixCertPathValidatorException cause3) { throw new PkixCertPathValidatorException("Next working key could not be retrieved.", cause3, certPath, num); } PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter); } } explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, x509Certificate2); explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, num + 1, explicitPolicy); ISet criticalExtensionOids2 = x509Certificate2.GetCriticalExtensionOids(); if (criticalExtensionOids2 != null) { criticalExtensionOids2 = new HashSet(criticalExtensionOids2); criticalExtensionOids2.Remove(X509Extensions.KeyUsage.Id); criticalExtensionOids2.Remove(X509Extensions.CertificatePolicies.Id); criticalExtensionOids2.Remove(X509Extensions.PolicyMappings.Id); criticalExtensionOids2.Remove(X509Extensions.InhibitAnyPolicy.Id); criticalExtensionOids2.Remove(X509Extensions.IssuingDistributionPoint.Id); criticalExtensionOids2.Remove(X509Extensions.DeltaCrlIndicator.Id); criticalExtensionOids2.Remove(X509Extensions.PolicyConstraints.Id); criticalExtensionOids2.Remove(X509Extensions.BasicConstraints.Id); criticalExtensionOids2.Remove(X509Extensions.SubjectAlternativeName.Id); criticalExtensionOids2.Remove(X509Extensions.NameConstraints.Id); criticalExtensionOids2.Remove(X509Extensions.CrlDistributionPoints.Id); } else { criticalExtensionOids2 = new HashSet(); } Rfc3280CertPathUtilities.WrapupCertF(certPath, num + 1, certPathCheckers, criticalExtensionOids2); PkixPolicyNode pkixPolicyNode2 = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, initialPolicies, num + 1, array, pkixPolicyNode, acceptablePolicies); if (explicitPolicy > 0 || pkixPolicyNode2 != null) { return(new PkixCertPathValidatorResult(trustAnchor, pkixPolicyNode2, x509Certificate2.GetPublicKey())); } throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, num); }