/// Constructors public PkixPolicyNode( IList children, int depth, ISet expectedPolicies, PkixPolicyNode parent, ISet policyQualifiers, string validPolicy, bool critical) { if (children == null) { this.mChildren = Platform.CreateArrayList(); } else { this.mChildren = Platform.CreateArrayList(children); } this.mDepth = depth; this.mExpectedPolicies = expectedPolicies; this.mParent = parent; this.mPolicyQualifiers = policyQualifiers; this.mValidPolicy = validPolicy; this.mCritical = critical; }
public virtual string ToString(string indent) { //IL_0000: Unknown result type (might be due to invalid IL or missing references) //IL_0006: Expected O, but got Unknown StringBuilder val = new StringBuilder(); val.Append(indent); val.Append(mValidPolicy); val.Append(" {"); val.Append(Platform.NewLine); global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)mChildren).GetEnumerator(); try { while (enumerator.MoveNext()) { PkixPolicyNode pkixPolicyNode = (PkixPolicyNode)enumerator.get_Current(); val.Append(pkixPolicyNode.ToString(indent + " ")); } } finally { global::System.IDisposable disposable = enumerator as global::System.IDisposable; if (disposable != null) { disposable.Dispose(); } } val.Append(indent); val.Append("}"); val.Append(Platform.NewLine); return(val.ToString()); }
public virtual PkixPolicyNode Copy() { PkixPolicyNode pkixPolicyNode = new PkixPolicyNode(Platform.CreateArrayList(), mDepth, new HashSet(mExpectedPolicies), null, new HashSet(mPolicyQualifiers), mValidPolicy, mCritical); global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)mChildren).GetEnumerator(); try { while (enumerator.MoveNext()) { PkixPolicyNode pkixPolicyNode2 = (PkixPolicyNode)enumerator.get_Current(); PkixPolicyNode pkixPolicyNode3 = pkixPolicyNode2.Copy(); pkixPolicyNode3.Parent = pkixPolicyNode; pkixPolicyNode.AddChild(pkixPolicyNode3); } return(pkixPolicyNode); } finally { global::System.IDisposable disposable = enumerator as global::System.IDisposable; if (disposable != null) { disposable.Dispose(); } } }
internal static PkixPolicyNode RemovePolicyNode( PkixPolicyNode validPolicyTree, IList[] policyNodes, PkixPolicyNode _node) { PkixPolicyNode _parent = (PkixPolicyNode)_node.Parent; if (validPolicyTree == null) { return(null); } if (_parent == null) { for (int j = 0; j < policyNodes.Length; j++) { policyNodes[j] = Platform.CreateArrayList(); } return(null); } else { _parent.RemoveChild(_node); RemovePolicyNodeRecurse(policyNodes, _node); return(validPolicyTree); } }
internal static void ProcessCertD1ii( int index, IList[] policyNodes, DerObjectIdentifier _poid, ISet _pq) { IList policyNodeVec = policyNodes[index - 1]; for (int j = 0; j < policyNodeVec.Count; j++) { PkixPolicyNode _node = (PkixPolicyNode)policyNodeVec[j]; if (ANY_POLICY.Equals(_node.ValidPolicy)) { ISet _childExpectedPolicies = new HashSet(); _childExpectedPolicies.Add(_poid.Id); PkixPolicyNode _child = new PkixPolicyNode(Platform.CreateArrayList(), index, _childExpectedPolicies, _node, _pq, _poid.Id, false); _node.AddChild(_child); policyNodes[index].Add(_child); return; } } }
private static void RemovePolicyNodeRecurse(global::System.Collections.IList[] policyNodes, PkixPolicyNode _node) { policyNodes[_node.Depth].Remove((object)_node); if (!_node.HasChildren) { return; } global::System.Collections.IEnumerator enumerator = _node.Children.GetEnumerator(); try { while (enumerator.MoveNext()) { PkixPolicyNode node = (PkixPolicyNode)enumerator.get_Current(); RemovePolicyNodeRecurse(policyNodes, node); } } finally { global::System.IDisposable disposable = enumerator as global::System.IDisposable; if (disposable != null) { disposable.Dispose(); } } }
internal static PkixPolicyNode PrepareNextCertB2(int i, IList[] policyNodes, string id_p, PkixPolicyNode validPolicyTree) { int num = 0; foreach (PkixPolicyNode pkixPolicyNode in Platform.CreateArrayList(policyNodes[i])) { if (pkixPolicyNode.ValidPolicy.Equals(id_p)) { PkixPolicyNode parent = pkixPolicyNode.Parent; parent.RemoveChild(pkixPolicyNode); policyNodes[i].RemoveAt(num); for (int j = i - 1; j >= 0; j--) { IList list = policyNodes[j]; for (int k = 0; k < list.Count; k++) { PkixPolicyNode pkixPolicyNode2 = (PkixPolicyNode)list[k]; if (!pkixPolicyNode2.HasChildren) { validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree, policyNodes, pkixPolicyNode2); if (validPolicyTree == null) { break; } } } } } else { num++; } } return(validPolicyTree); }
internal static bool ProcessCertD1i( int index, IList[] policyNodes, DerObjectIdentifier pOid, ISet pq) { IList policyNodeVec = policyNodes[index - 1]; for (int j = 0; j < policyNodeVec.Count; j++) { PkixPolicyNode node = (PkixPolicyNode)policyNodeVec[j]; ISet expectedPolicies = node.ExpectedPolicies; if (expectedPolicies.Contains(pOid.Id)) { ISet childExpectedPolicies = new HashSet(); childExpectedPolicies.Add(pOid.Id); PkixPolicyNode child = new PkixPolicyNode(Platform.CreateArrayList(), index, childExpectedPolicies, node, pq, pOid.Id, false); node.AddChild(child); policyNodes[index].Add(child); return(true); } } return(false); }
private static void RemovePolicyNodeRecurse(IList[] policyNodes, PkixPolicyNode _node) { policyNodes[_node.Depth].Remove(_node); if (_node.HasChildren) { foreach (PkixPolicyNode node in _node.Children) { PkixCertPathValidatorUtilities.RemovePolicyNodeRecurse(policyNodes, node); } } }
public PkixCertPathBuilderResult( PkixCertPath certPath, TrustAnchor trustAnchor, PkixPolicyNode policyTree, AsymmetricKeyParameter subjectPublicKey) : base(trustAnchor, policyTree, subjectPublicKey) { if (certPath == null) throw new ArgumentNullException("certPath"); this.certPath = certPath; }
private static void RemovePolicyNodeRecurse(IList[] policyNodes, PkixPolicyNode _node) { policyNodes[_node.Depth].Remove(_node); if (_node.HasChildren) { foreach (PkixPolicyNode _child in _node.Children) { RemovePolicyNodeRecurse(policyNodes, _child); } } }
public virtual PkixPolicyNode Copy() { PkixPolicyNode pkixPolicyNode = new PkixPolicyNode(Platform.CreateArrayList(), this.mDepth, new HashSet(this.mExpectedPolicies), null, new HashSet(this.mPolicyQualifiers), this.mValidPolicy, this.mCritical); foreach (PkixPolicyNode pkixPolicyNode2 in this.mChildren) { PkixPolicyNode pkixPolicyNode3 = pkixPolicyNode2.Copy(); pkixPolicyNode3.Parent = pkixPolicyNode; pkixPolicyNode.AddChild(pkixPolicyNode3); } return(pkixPolicyNode); }
public PkixCertPathValidatorResult(TrustAnchor trustAnchor, PkixPolicyNode policyTree, AsymmetricKeyParameter subjectPublicKey) { if (subjectPublicKey == null) { throw new NullReferenceException("subjectPublicKey must be non-null"); } if (trustAnchor == null) { throw new NullReferenceException("trustAnchor must be non-null"); } this.trustAnchor = trustAnchor; this.policyTree = policyTree; this.subjectPublicKey = subjectPublicKey; }
public PkixCertPathBuilderResult( PkixCertPath certPath, TrustAnchor trustAnchor, PkixPolicyNode policyTree, AsymmetricKeyParameter subjectPublicKey) : base(trustAnchor, policyTree, subjectPublicKey) { if (certPath == null) { throw new ArgumentNullException("certPath"); } this.certPath = certPath; }
internal static PkixPolicyNode PrepareNextCertB2(int i, global::System.Collections.IList[] policyNodes, string id_p, PkixPolicyNode validPolicyTree) { int num = 0; global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)Platform.CreateArrayList((global::System.Collections.ICollection)policyNodes[i])).GetEnumerator(); try { while (enumerator.MoveNext()) { PkixPolicyNode pkixPolicyNode = (PkixPolicyNode)enumerator.get_Current(); if (pkixPolicyNode.ValidPolicy.Equals(id_p)) { PkixPolicyNode parent = pkixPolicyNode.Parent; parent.RemoveChild(pkixPolicyNode); policyNodes[i].RemoveAt(num); for (int num2 = i - 1; num2 >= 0; num2--) { global::System.Collections.IList list = policyNodes[num2]; for (int j = 0; j < ((global::System.Collections.ICollection)list).get_Count(); j++) { PkixPolicyNode pkixPolicyNode2 = (PkixPolicyNode)list.get_Item(j); if (!pkixPolicyNode2.HasChildren) { validPolicyTree = RemovePolicyNode(validPolicyTree, policyNodes, pkixPolicyNode2); if (validPolicyTree == null) { break; } } } } } else { num++; } } return(validPolicyTree); } finally { global::System.IDisposable disposable = enumerator as global::System.IDisposable; if (disposable != null) { disposable.Dispose(); } } }
public PkixCertPathValidatorResult(TrustAnchor trustAnchor, PkixPolicyNode policyTree, AsymmetricKeyParameter subjectPublicKey) { //IL_000e: Unknown result type (might be due to invalid IL or missing references) //IL_001c: Unknown result type (might be due to invalid IL or missing references) if (subjectPublicKey == null) { throw new NullReferenceException("subjectPublicKey must be non-null"); } if (trustAnchor == null) { throw new NullReferenceException("trustAnchor must be non-null"); } this.trustAnchor = trustAnchor; this.policyTree = policyTree; this.subjectPublicKey = subjectPublicKey; }
public PkixPolicyNode(global::System.Collections.IList children, int depth, ISet expectedPolicies, PkixPolicyNode parent, ISet policyQualifiers, string validPolicy, bool critical) { if (children == null) { mChildren = Platform.CreateArrayList(); } else { mChildren = Platform.CreateArrayList((global::System.Collections.ICollection)children); } mDepth = depth; mExpectedPolicies = expectedPolicies; mParent = parent; mPolicyQualifiers = policyQualifiers; mValidPolicy = validPolicy; mCritical = critical; }
internal static void ProcessCertD1ii(int index, global::System.Collections.IList[] policyNodes, DerObjectIdentifier _poid, ISet _pq) { global::System.Collections.IList list = policyNodes[index - 1]; for (int i = 0; i < ((global::System.Collections.ICollection)list).get_Count(); i++) { PkixPolicyNode pkixPolicyNode = (PkixPolicyNode)list.get_Item(i); if (ANY_POLICY.Equals(pkixPolicyNode.ValidPolicy)) { ISet set = new HashSet(); set.Add(_poid.Id); PkixPolicyNode pkixPolicyNode2 = new PkixPolicyNode(Platform.CreateArrayList(), index, set, pkixPolicyNode, _pq, _poid.Id, critical: false); pkixPolicyNode.AddChild(pkixPolicyNode2); policyNodes[index].Add((object)pkixPolicyNode2); break; } } }
internal static void ProcessCertD1ii(int index, IList[] policyNodes, DerObjectIdentifier _poid, ISet _pq) { IList list = policyNodes[index - 1]; for (int i = 0; i < list.Count; i++) { PkixPolicyNode pkixPolicyNode = (PkixPolicyNode)list[i]; if (PkixCertPathValidatorUtilities.ANY_POLICY.Equals(pkixPolicyNode.ValidPolicy)) { ISet set = new HashSet(); set.Add(_poid.Id); PkixPolicyNode pkixPolicyNode2 = new PkixPolicyNode(Platform.CreateArrayList(), index, set, pkixPolicyNode, _pq, _poid.Id, false); pkixPolicyNode.AddChild(pkixPolicyNode2); policyNodes[index].Add(pkixPolicyNode2); return; } } }
public PkixCertPathValidatorResult( TrustAnchor trustAnchor, PkixPolicyNode policyTree, IAsymmetricKeyParameter subjectPublicKey) { if (subjectPublicKey == null) { throw new NullReferenceException("subjectPublicKey must be non-null"); } if (trustAnchor == null) { throw new NullReferenceException("trustAnchor must be non-null"); } this.trustAnchor = trustAnchor; this.policyTree = policyTree; this.subjectPublicKey = subjectPublicKey; }
internal static PkixPolicyNode PrepareNextCertB2( int i, IList[] policyNodes, string id_p, PkixPolicyNode validPolicyTree) { int pos = 0; // Copy to avoid RemoveAt calls interfering with enumeration foreach (PkixPolicyNode node in Platform.CreateArrayList(policyNodes[i])) { if (node.ValidPolicy.Equals(id_p)) { PkixPolicyNode p_node = (PkixPolicyNode)node.Parent; p_node.RemoveChild(node); // Removal of element at current iterator position not supported in C# //nodes_i.remove(); policyNodes[i].RemoveAt(pos); for (int k = (i - 1); k >= 0; k--) { IList nodes = policyNodes[k]; for (int l = 0; l < nodes.Count; l++) { PkixPolicyNode node2 = (PkixPolicyNode)nodes[l]; if (!node2.HasChildren) { validPolicyTree = RemovePolicyNode(validPolicyTree, policyNodes, node2); if (validPolicyTree == null) { break; } } } } } else { ++pos; } } return(validPolicyTree); }
internal static bool ProcessCertD1i(int index, global::System.Collections.IList[] policyNodes, DerObjectIdentifier pOid, ISet pq) { global::System.Collections.IList list = policyNodes[index - 1]; for (int i = 0; i < ((global::System.Collections.ICollection)list).get_Count(); i++) { PkixPolicyNode pkixPolicyNode = (PkixPolicyNode)list.get_Item(i); ISet expectedPolicies = pkixPolicyNode.ExpectedPolicies; if (expectedPolicies.Contains(pOid.Id)) { ISet set = new HashSet(); set.Add(pOid.Id); PkixPolicyNode pkixPolicyNode2 = new PkixPolicyNode(Platform.CreateArrayList(), index, set, pkixPolicyNode, pq, pOid.Id, critical: false); pkixPolicyNode.AddChild(pkixPolicyNode2); policyNodes[index].Add((object)pkixPolicyNode2); return(true); } } return(false); }
internal static PkixPolicyNode RemovePolicyNode(PkixPolicyNode validPolicyTree, global::System.Collections.IList[] policyNodes, PkixPolicyNode _node) { PkixPolicyNode parent = _node.Parent; if (validPolicyTree == null) { return(null); } if (parent == null) { for (int i = 0; i < policyNodes.Length; i++) { policyNodes[i] = Platform.CreateArrayList(); } return(null); } parent.RemoveChild(_node); RemovePolicyNodeRecurse(policyNodes, _node); return(validPolicyTree); }
internal static PkixPolicyNode RemovePolicyNode(PkixPolicyNode validPolicyTree, IList[] policyNodes, PkixPolicyNode _node) { PkixPolicyNode parent = _node.Parent; if (validPolicyTree == null) { return(null); } if (parent == null) { for (int i = 0; i < policyNodes.Length; i++) { policyNodes[i] = Platform.CreateArrayList(); } return(null); } parent.RemoveChild(_node); PkixCertPathValidatorUtilities.RemovePolicyNodeRecurse(policyNodes, _node); return(validPolicyTree); }
public virtual PkixPolicyNode Copy() { PkixPolicyNode node = new PkixPolicyNode( Platform.CreateArrayList(), mDepth, new HashSet(mExpectedPolicies), null, new HashSet(mPolicyQualifiers), mValidPolicy, mCritical); foreach (PkixPolicyNode child in mChildren) { PkixPolicyNode copy = child.Copy(); copy.Parent = node; node.AddChild(copy); } return(node); }
internal static bool ProcessCertD1i(int index, IList[] policyNodes, DerObjectIdentifier pOid, ISet pq) { IList list = policyNodes[index - 1]; for (int i = 0; i < list.Count; i++) { PkixPolicyNode pkixPolicyNode = (PkixPolicyNode)list[i]; ISet expectedPolicies = pkixPolicyNode.ExpectedPolicies; if (expectedPolicies.Contains(pOid.Id)) { ISet set = new HashSet(); set.Add(pOid.Id); PkixPolicyNode pkixPolicyNode2 = new PkixPolicyNode(Platform.CreateArrayList(), index, set, pkixPolicyNode, pq, pOid.Id, false); pkixPolicyNode.AddChild(pkixPolicyNode2); policyNodes[index].Add(pkixPolicyNode2); return(true); } } return(false); }
/// Constructors public PkixPolicyNode( IList children, int depth, ISet expectedPolicies, PkixPolicyNode parent, ISet policyQualifiers, string validPolicy, bool critical) { ArrayList newChildren = new ArrayList(); if (children != null) { newChildren.AddRange(children); } this.mChildren = newChildren; this.mDepth = depth; this.mExpectedPolicies = expectedPolicies; this.mParent = parent; this.mPolicyQualifiers = policyQualifiers; this.mValidPolicy = validPolicy; this.mCritical = critical; }
internal static PkixPolicyNode PrepareCertB( PkixCertPath certPath, int index, IList[] policyNodes, PkixPolicyNode validPolicyTree, int policyMapping) //throws CertPathValidatorException { IList certs = certPath.Certificates; X509Certificate cert = (X509Certificate)certs[index]; int n = certs.Count; // i as defined in the algorithm description int i = n - index; // (b) // Asn1Sequence pm = null; try { pm = (Asn1Sequence)Asn1Sequence.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.PolicyMappings)); } catch (Exception ex) { throw new PkixCertPathValidatorException( "Policy mappings extension could not be decoded.", ex, certPath, index); } PkixPolicyNode _validPolicyTree = validPolicyTree; if (pm != null) { Asn1Sequence mappings = (Asn1Sequence)pm; IDictionary m_idp = Platform.CreateHashtable(); ISet s_idp = new HashSet(); for (int j = 0; j < mappings.Count; j++) { Asn1Sequence mapping = (Asn1Sequence) mappings[j]; string id_p = ((DerObjectIdentifier) mapping[0]).Id; string sd_p = ((DerObjectIdentifier) mapping[1]).Id; ISet tmp; if (!m_idp.Contains(id_p)) { tmp = new HashSet(); tmp.Add(sd_p); m_idp[id_p] = tmp; s_idp.Add(id_p); } else { tmp = (ISet)m_idp[id_p]; tmp.Add(sd_p); } } IEnumerator it_idp = s_idp.GetEnumerator(); while (it_idp.MoveNext()) { string id_p = (string)it_idp.Current; // // (1) // if (policyMapping > 0) { bool idp_found = false; IEnumerator nodes_i = policyNodes[i].GetEnumerator(); while (nodes_i.MoveNext()) { PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current; if (node.ValidPolicy.Equals(id_p)) { idp_found = true; node.ExpectedPolicies = (ISet)m_idp[id_p]; break; } } if (!idp_found) { nodes_i = policyNodes[i].GetEnumerator(); while (nodes_i.MoveNext()) { PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current; if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(node.ValidPolicy)) { ISet pq = null; Asn1Sequence policies = null; try { policies = (Asn1Sequence)PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.CertificatePolicies); } catch (Exception e) { throw new PkixCertPathValidatorException( "Certificate policies extension could not be decoded.", e, certPath, index); } foreach (Asn1Encodable ae in policies) { PolicyInformation pinfo = null; try { pinfo = PolicyInformation.GetInstance(ae.ToAsn1Object()); } catch (Exception ex) { throw new PkixCertPathValidatorException( "Policy information could not be decoded.", ex, certPath, index); } if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(pinfo.PolicyIdentifier.Id)) { try { pq = PkixCertPathValidatorUtilities .GetQualifierSet(pinfo.PolicyQualifiers); } catch (PkixCertPathValidatorException ex) { throw new PkixCertPathValidatorException( "Policy qualifier info set could not be decoded.", ex, certPath, index); } break; } } bool ci = false; ISet critExtOids = cert.GetCriticalExtensionOids(); if (critExtOids != null) { ci = critExtOids.Contains(X509Extensions.CertificatePolicies.Id); } PkixPolicyNode p_node = (PkixPolicyNode)node.Parent; if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(p_node.ValidPolicy)) { PkixPolicyNode c_node = new PkixPolicyNode(Platform.CreateArrayList(), i, (ISet)m_idp[id_p], p_node, pq, id_p, ci); p_node.AddChild(c_node); policyNodes[i].Add(c_node); } break; } } } // // (2) // } else if (policyMapping <= 0) { foreach (PkixPolicyNode node in Platform.CreateArrayList(policyNodes[i])) { if (node.ValidPolicy.Equals(id_p)) { node.Parent.RemoveChild(node); for (int k = i - 1; k >= 0; k--) { foreach (PkixPolicyNode node2 in Platform.CreateArrayList(policyNodes[k])) { if (!node2.HasChildren) { _validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode( _validPolicyTree, policyNodes, node2); if (_validPolicyTree == null) break; } } } } } } } } return _validPolicyTree; }
public virtual PkixPolicyNode Copy() { PkixPolicyNode node = new PkixPolicyNode( new ArrayList(), mDepth, new HashSet(mExpectedPolicies), null, new HashSet(mPolicyQualifiers), mValidPolicy, mCritical); foreach (PkixPolicyNode child in mChildren) { PkixPolicyNode copy = child.Copy(); copy.Parent = node; node.AddChild(copy); } return node; }
public virtual void AddChild( PkixPolicyNode child) { child.Parent = this; mChildren.Add(child); }
public virtual void RemoveChild( PkixPolicyNode child) { mChildren.Remove(child); }
public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters paramsPkix) { if (paramsPkix.GetTrustAnchors() == null) { throw new ArgumentException("trustAnchors is null, this is not allowed for certification path validation.", "parameters"); } IList certificates = certPath.Certificates; int count = certificates.Count; if (certificates.Count == 0) { throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0); } ISet initialPolicies = paramsPkix.GetInitialPolicies(); TrustAnchor trustAnchor; try { trustAnchor = PkixCertPathValidatorUtilities.FindTrustAnchor((X509Certificate)certificates[certificates.Count - 1], paramsPkix.GetTrustAnchors()); } catch (Exception ex) { throw new PkixCertPathValidatorException(ex.Message, ex, certPath, certificates.Count - 1); } if (trustAnchor == null) { throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1); } int i = 0; IList[] array = new IList[count + 1]; for (int j = 0; j < array.Length; j++) { array[j] = Platform.CreateArrayList(); } ISet set = new HashSet(); set.Add(Rfc3280CertPathUtilities.ANY_POLICY); PkixPolicyNode pkixPolicyNode = new PkixPolicyNode(Platform.CreateArrayList(), 0, set, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, false); array[0].Add(pkixPolicyNode); PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator(); ISet acceptablePolicies = new HashSet(); int num; if (paramsPkix.IsExplicitPolicyRequired) { num = 0; } else { num = count + 1; } int inhibitAnyPolicy; if (paramsPkix.IsAnyPolicyInhibited) { inhibitAnyPolicy = 0; } else { inhibitAnyPolicy = count + 1; } int policyMapping; if (paramsPkix.IsPolicyMappingInhibited) { policyMapping = 0; } else { policyMapping = count + 1; } X509Certificate x509Certificate = trustAnchor.TrustedCert; X509Name workingIssuerName; AsymmetricKeyParameter asymmetricKeyParameter; try { if (x509Certificate != null) { workingIssuerName = x509Certificate.SubjectDN; asymmetricKeyParameter = x509Certificate.GetPublicKey(); } else { workingIssuerName = new X509Name(trustAnchor.CAName); asymmetricKeyParameter = trustAnchor.CAPublicKey; } } catch (ArgumentException cause) { throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", cause, certPath, -1); } try { PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter); } catch (PkixCertPathValidatorException cause2) { throw new PkixCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", cause2, certPath, -1); } int maxPathLength = count; X509CertStoreSelector targetCertConstraints = paramsPkix.GetTargetCertConstraints(); if (targetCertConstraints != null && !targetCertConstraints.Match((X509Certificate)certificates[0])) { throw new PkixCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath, 0); } IList certPathCheckers = paramsPkix.GetCertPathCheckers(); IEnumerator enumerator = certPathCheckers.GetEnumerator(); while (enumerator.MoveNext()) { ((PkixCertPathChecker)enumerator.Current).Init(false); } X509Certificate x509Certificate2 = null; for (i = certificates.Count - 1; i >= 0; i--) { int num2 = count - i; x509Certificate2 = (X509Certificate)certificates[i]; Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, i, asymmetricKeyParameter, workingIssuerName, x509Certificate); Rfc3280CertPathUtilities.ProcessCertBC(certPath, i, nameConstraintValidator); pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertD(certPath, i, acceptablePolicies, pkixPolicyNode, array, inhibitAnyPolicy); pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertE(certPath, i, pkixPolicyNode); Rfc3280CertPathUtilities.ProcessCertF(certPath, i, pkixPolicyNode, num); if (num2 != count) { if (x509Certificate2 != null && x509Certificate2.Version == 1) { throw new PkixCertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, certPath, i); } Rfc3280CertPathUtilities.PrepareNextCertA(certPath, i); pkixPolicyNode = Rfc3280CertPathUtilities.PrepareCertB(certPath, i, array, pkixPolicyNode, policyMapping); Rfc3280CertPathUtilities.PrepareNextCertG(certPath, i, nameConstraintValidator); num = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, i, num); policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, i, policyMapping); inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, i, inhibitAnyPolicy); num = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, i, num); policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, i, policyMapping); inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, i, inhibitAnyPolicy); Rfc3280CertPathUtilities.PrepareNextCertK(certPath, i); maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, i, maxPathLength); maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, i, maxPathLength); Rfc3280CertPathUtilities.PrepareNextCertN(certPath, i); ISet set2 = x509Certificate2.GetCriticalExtensionOids(); if (set2 != null) { set2 = new HashSet(set2); set2.Remove(X509Extensions.KeyUsage.Id); set2.Remove(X509Extensions.CertificatePolicies.Id); set2.Remove(X509Extensions.PolicyMappings.Id); set2.Remove(X509Extensions.InhibitAnyPolicy.Id); set2.Remove(X509Extensions.IssuingDistributionPoint.Id); set2.Remove(X509Extensions.DeltaCrlIndicator.Id); set2.Remove(X509Extensions.PolicyConstraints.Id); set2.Remove(X509Extensions.BasicConstraints.Id); set2.Remove(X509Extensions.SubjectAlternativeName.Id); set2.Remove(X509Extensions.NameConstraints.Id); } else { set2 = new HashSet(); } Rfc3280CertPathUtilities.PrepareNextCertO(certPath, i, set2, certPathCheckers); x509Certificate = x509Certificate2; workingIssuerName = x509Certificate.SubjectDN; try { asymmetricKeyParameter = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, i); } catch (PkixCertPathValidatorException cause3) { throw new PkixCertPathValidatorException("Next working key could not be retrieved.", cause3, certPath, i); } PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter); } } num = Rfc3280CertPathUtilities.WrapupCertA(num, x509Certificate2); num = Rfc3280CertPathUtilities.WrapupCertB(certPath, i + 1, num); ISet set3 = x509Certificate2.GetCriticalExtensionOids(); if (set3 != null) { set3 = new HashSet(set3); set3.Remove(X509Extensions.KeyUsage.Id); set3.Remove(X509Extensions.CertificatePolicies.Id); set3.Remove(X509Extensions.PolicyMappings.Id); set3.Remove(X509Extensions.InhibitAnyPolicy.Id); set3.Remove(X509Extensions.IssuingDistributionPoint.Id); set3.Remove(X509Extensions.DeltaCrlIndicator.Id); set3.Remove(X509Extensions.PolicyConstraints.Id); set3.Remove(X509Extensions.BasicConstraints.Id); set3.Remove(X509Extensions.SubjectAlternativeName.Id); set3.Remove(X509Extensions.NameConstraints.Id); set3.Remove(X509Extensions.CrlDistributionPoints.Id); } else { set3 = new HashSet(); } Rfc3280CertPathUtilities.WrapupCertF(certPath, i + 1, certPathCheckers, set3); PkixPolicyNode pkixPolicyNode2 = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, initialPolicies, i + 1, array, pkixPolicyNode, acceptablePolicies); if (num > 0 || pkixPolicyNode2 != null) { return(new PkixCertPathValidatorResult(trustAnchor, pkixPolicyNode2, x509Certificate2.GetPublicKey())); } throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, i); }
internal static PkixPolicyNode PrepareNextCertB2( int i, IList[] policyNodes, string id_p, PkixPolicyNode validPolicyTree) { int pos = 0; // Copy to avoid RemoveAt calls interfering with enumeration foreach (PkixPolicyNode node in Platform.CreateArrayList(policyNodes[i])) { if (node.ValidPolicy.Equals(id_p)) { PkixPolicyNode p_node = (PkixPolicyNode)node.Parent; p_node.RemoveChild(node); // Removal of element at current iterator position not supported in C# //nodes_i.remove(); policyNodes[i].RemoveAt(pos); for (int k = (i - 1); k >= 0; k--) { IList nodes = policyNodes[k]; for (int l = 0; l < nodes.Count; l++) { PkixPolicyNode node2 = (PkixPolicyNode)nodes[l]; if (!node2.HasChildren) { validPolicyTree = RemovePolicyNode(validPolicyTree, policyNodes, node2); if (validPolicyTree == null) break; } } } } else { ++pos; } } return validPolicyTree; }
internal static PkixPolicyNode RemovePolicyNode( PkixPolicyNode validPolicyTree, IList[] policyNodes, PkixPolicyNode _node) { PkixPolicyNode _parent = (PkixPolicyNode)_node.Parent; if (validPolicyTree == null) { return null; } if (_parent == null) { for (int j = 0; j < policyNodes.Length; j++) { policyNodes[j] = Platform.CreateArrayList(); } return null; } else { _parent.RemoveChild(_node); RemovePolicyNodeRecurse(policyNodes, _node); return validPolicyTree; } }
internal static bool ProcessCertD1i( int index, IList[] policyNodes, DerObjectIdentifier pOid, ISet pq) { IList policyNodeVec = policyNodes[index - 1]; for (int j = 0; j < policyNodeVec.Count; j++) { PkixPolicyNode node = (PkixPolicyNode)policyNodeVec[j]; ISet expectedPolicies = node.ExpectedPolicies; if (expectedPolicies.Contains(pOid.Id)) { ISet childExpectedPolicies = new HashSet(); childExpectedPolicies.Add(pOid.Id); PkixPolicyNode child = new PkixPolicyNode(Platform.CreateArrayList(), index, childExpectedPolicies, node, pq, pOid.Id, false); node.AddChild(child); policyNodes[index].Add(child); return true; } } return false; }
internal static PkixPolicyNode ProcessCertE( PkixCertPath certPath, int index, PkixPolicyNode validPolicyTree) { IList certs = certPath.Certificates; X509Certificate cert = (X509Certificate)certs[index]; // // (e) // Asn1Sequence certPolicies = null; try { certPolicies = DerSequence.GetInstance( PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.CertificatePolicies)); } catch (Exception e) { throw new PkixCertPathValidatorException("Could not read certificate policies extension from certificate.", e, certPath, index); } if (certPolicies == null) { validPolicyTree = null; } return validPolicyTree; }
public virtual PkixCertPathValidatorResult Validate( PkixCertPath certPath, PkixParameters paramsPkix) { if (paramsPkix.GetTrustAnchors() == null) { throw new ArgumentException( "trustAnchors is null, this is not allowed for certification path validation.", "parameters"); } // // 6.1.1 - inputs // // // (a) // IList certs = certPath.Certificates; int n = certs.Count; if (certs.Count == 0) { throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0); } // // (b) // // DateTime validDate = PkixCertPathValidatorUtilities.GetValidDate(paramsPkix); // // (c) // ISet userInitialPolicySet = paramsPkix.GetInitialPolicies(); // // (d) // TrustAnchor trust; try { trust = PkixCertPathValidatorUtilities.FindTrustAnchor( (X509Certificate)certs[certs.Count - 1], paramsPkix.GetTrustAnchors()); } catch (Exception e) { throw new PkixCertPathValidatorException(e.Message, e, certPath, certs.Count - 1); } if (trust == null) { throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1); } // // (e), (f), (g) are part of the paramsPkix object. // IEnumerator certIter; int index = 0; int i; // Certificate for each interation of the validation loop // Signature information for each iteration of the validation loop // // 6.1.2 - setup // // // (a) // IList[] policyNodes = new IList[n + 1]; for (int j = 0; j < policyNodes.Length; j++) { policyNodes[j] = Platform.CreateArrayList(); } ISet policySet = new HashSet(); policySet.Add(Rfc3280CertPathUtilities.ANY_POLICY); PkixPolicyNode validPolicyTree = new PkixPolicyNode(Platform.CreateArrayList(), 0, policySet, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, false); policyNodes[0].Add(validPolicyTree); // // (b) and (c) // PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator(); // (d) // int explicitPolicy; ISet acceptablePolicies = new HashSet(); if (paramsPkix.IsExplicitPolicyRequired) { explicitPolicy = 0; } else { explicitPolicy = n + 1; } // // (e) // int inhibitAnyPolicy; if (paramsPkix.IsAnyPolicyInhibited) { inhibitAnyPolicy = 0; } else { inhibitAnyPolicy = n + 1; } // // (f) // int policyMapping; if (paramsPkix.IsPolicyMappingInhibited) { policyMapping = 0; } else { policyMapping = n + 1; } // // (g), (h), (i), (j) // AsymmetricKeyParameter workingPublicKey; X509Name workingIssuerName; X509Certificate sign = trust.TrustedCert; try { if (sign != null) { workingIssuerName = sign.SubjectDN; workingPublicKey = sign.GetPublicKey(); } else { workingIssuerName = new X509Name(trust.CAName); workingPublicKey = trust.CAPublicKey; } } catch (ArgumentException ex) { throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath, -1); } //AlgorithmIdentifier workingAlgId = null; try { /*workingAlgId = */ PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey); } catch (PkixCertPathValidatorException e) { throw new PkixCertPathValidatorException( "Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1); } // DerObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.ObjectID; // Asn1Encodable workingPublicKeyParameters = workingAlgId.Parameters; // // (k) // int maxPathLength = n; // // 6.1.3 // X509CertStoreSelector certConstraints = paramsPkix.GetTargetCertConstraints(); if (certConstraints != null && !certConstraints.Match((X509Certificate)certs[0])) { throw new PkixCertPathValidatorException( "Target certificate in certification path does not match targetConstraints.", null, certPath, 0); } // // initialize CertPathChecker's // IList pathCheckers = paramsPkix.GetCertPathCheckers(); certIter = pathCheckers.GetEnumerator(); while (certIter.MoveNext()) { ((PkixCertPathChecker)certIter.Current).Init(false); } X509Certificate cert = null; for (index = certs.Count - 1; index >= 0; index--) { // try // { // // i as defined in the algorithm description // i = n - index; // // set certificate to be checked in this round // sign and workingPublicKey and workingIssuerName are set // at the end of the for loop and initialized the // first time from the TrustAnchor // cert = (X509Certificate)certs[index]; // // 6.1.3 // Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, index, workingPublicKey, workingIssuerName, sign); Rfc3280CertPathUtilities.ProcessCertBC(certPath, index, nameConstraintValidator); validPolicyTree = Rfc3280CertPathUtilities.ProcessCertD(certPath, index, acceptablePolicies, validPolicyTree, policyNodes, inhibitAnyPolicy); validPolicyTree = Rfc3280CertPathUtilities.ProcessCertE(certPath, index, validPolicyTree); Rfc3280CertPathUtilities.ProcessCertF(certPath, index, validPolicyTree, explicitPolicy); // // 6.1.4 // if (i != n) { if (cert != null && cert.Version == 1) { throw new PkixCertPathValidatorException( "Version 1 certificates can't be used as CA ones.", null, certPath, index); } Rfc3280CertPathUtilities.PrepareNextCertA(certPath, index); validPolicyTree = Rfc3280CertPathUtilities.PrepareCertB(certPath, index, policyNodes, validPolicyTree, policyMapping); Rfc3280CertPathUtilities.PrepareNextCertG(certPath, index, nameConstraintValidator); // (h) explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, index, explicitPolicy); policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, index, policyMapping); inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, index, inhibitAnyPolicy); // // (i) // explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, index, explicitPolicy); policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, index, policyMapping); // (j) inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, index, inhibitAnyPolicy); // (k) Rfc3280CertPathUtilities.PrepareNextCertK(certPath, index); // (l) maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, index, maxPathLength); // (m) maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, index, maxPathLength); // (n) Rfc3280CertPathUtilities.PrepareNextCertN(certPath, index); ISet criticalExtensions1 = cert.GetCriticalExtensionOids(); if (criticalExtensions1 != null) { criticalExtensions1 = new HashSet(criticalExtensions1); // these extensions are handled by the algorithm criticalExtensions1.Remove(X509Extensions.KeyUsage.Id); criticalExtensions1.Remove(X509Extensions.CertificatePolicies.Id); criticalExtensions1.Remove(X509Extensions.PolicyMappings.Id); criticalExtensions1.Remove(X509Extensions.InhibitAnyPolicy.Id); criticalExtensions1.Remove(X509Extensions.IssuingDistributionPoint.Id); criticalExtensions1.Remove(X509Extensions.DeltaCrlIndicator.Id); criticalExtensions1.Remove(X509Extensions.PolicyConstraints.Id); criticalExtensions1.Remove(X509Extensions.BasicConstraints.Id); criticalExtensions1.Remove(X509Extensions.SubjectAlternativeName.Id); criticalExtensions1.Remove(X509Extensions.NameConstraints.Id); } else { criticalExtensions1 = new HashSet(); } // (o) Rfc3280CertPathUtilities.PrepareNextCertO(certPath, index, criticalExtensions1, pathCheckers); // set signing certificate for next round sign = cert; // (c) workingIssuerName = sign.SubjectDN; // (d) try { workingPublicKey = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, index); } catch (PkixCertPathValidatorException e) { throw new PkixCertPathValidatorException("Next working key could not be retrieved.", e, certPath, index); } /*workingAlgId = */ PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey); // (f) // workingPublicKeyAlgorithm = workingAlgId.ObjectID; // (e) // workingPublicKeyParameters = workingAlgId.Parameters; } } // // 6.1.5 Wrap-up procedure // explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, cert); explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, index + 1, explicitPolicy); // // (c) (d) and (e) are already done // // // (f) // ISet criticalExtensions = cert.GetCriticalExtensionOids(); if (criticalExtensions != null) { criticalExtensions = new HashSet(criticalExtensions); // Requires .Id // these extensions are handled by the algorithm criticalExtensions.Remove(X509Extensions.KeyUsage.Id); criticalExtensions.Remove(X509Extensions.CertificatePolicies.Id); criticalExtensions.Remove(X509Extensions.PolicyMappings.Id); criticalExtensions.Remove(X509Extensions.InhibitAnyPolicy.Id); criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id); criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id); criticalExtensions.Remove(X509Extensions.PolicyConstraints.Id); criticalExtensions.Remove(X509Extensions.BasicConstraints.Id); criticalExtensions.Remove(X509Extensions.SubjectAlternativeName.Id); criticalExtensions.Remove(X509Extensions.NameConstraints.Id); criticalExtensions.Remove(X509Extensions.CrlDistributionPoints.Id); } else { criticalExtensions = new HashSet(); } Rfc3280CertPathUtilities.WrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions); PkixPolicyNode intersection = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, userInitialPolicySet, index + 1, policyNodes, validPolicyTree, acceptablePolicies); if ((explicitPolicy > 0) || (intersection != null)) { return(new PkixCertPathValidatorResult(trust, intersection, cert.GetPublicKey())); } throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, index); }
internal static void ProcessCertF( PkixCertPath certPath, int index, PkixPolicyNode validPolicyTree, int explicitPolicy) { // // (f) // if (explicitPolicy <= 0 && validPolicyTree == null) { throw new PkixCertPathValidatorException( "No valid policy tree found when one expected.", null, certPath, index); } }
internal static void PrepareNextCertB1( int i, IList[] policyNodes, string id_p, IDictionary m_idp, X509Certificate cert) { bool idp_found = false; IEnumerator nodes_i = policyNodes[i].GetEnumerator(); while (nodes_i.MoveNext()) { PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current; if (node.ValidPolicy.Equals(id_p)) { idp_found = true; node.ExpectedPolicies = (ISet)m_idp[id_p]; break; } } if (!idp_found) { nodes_i = policyNodes[i].GetEnumerator(); while (nodes_i.MoveNext()) { PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current; if (ANY_POLICY.Equals(node.ValidPolicy)) { ISet pq = null; Asn1Sequence policies = null; try { policies = DerSequence.GetInstance(GetExtensionValue(cert, X509Extensions.CertificatePolicies)); } catch (Exception e) { throw new Exception("Certificate policies cannot be decoded.", e); } IEnumerator enm = policies.GetEnumerator(); while (enm.MoveNext()) { PolicyInformation pinfo = null; try { pinfo = PolicyInformation.GetInstance(enm.Current); } catch (Exception ex) { throw new Exception("Policy information cannot be decoded.", ex); } if (ANY_POLICY.Equals(pinfo.PolicyIdentifier.Id)) { try { pq = GetQualifierSet(pinfo.PolicyQualifiers); } catch (PkixCertPathValidatorException ex) { throw new PkixCertPathValidatorException( "Policy qualifier info set could not be built.", ex); } break; } } bool ci = false; ISet critExtOids = cert.GetCriticalExtensionOids(); if (critExtOids != null) { ci = critExtOids.Contains(X509Extensions.CertificatePolicies.Id); } PkixPolicyNode p_node = (PkixPolicyNode)node.Parent; if (ANY_POLICY.Equals(p_node.ValidPolicy)) { PkixPolicyNode c_node = new PkixPolicyNode( Platform.CreateArrayList(), i, (ISet)m_idp[id_p], p_node, pq, id_p, ci); p_node.AddChild(c_node); policyNodes[i].Add(c_node); } break; } } } }
internal static PkixPolicyNode WrapupCertG( PkixCertPath certPath, PkixParameters paramsPKIX, ISet userInitialPolicySet, int index, IList[] policyNodes, PkixPolicyNode validPolicyTree, ISet acceptablePolicies) { int n = certPath.Certificates.Count; // // (g) // PkixPolicyNode intersection; // // (g) (i) // if (validPolicyTree == null) { if (paramsPKIX.IsExplicitPolicyRequired) { throw new PkixCertPathValidatorException( "Explicit policy requested but none available.", null, certPath, index); } intersection = null; } else if (PkixCertPathValidatorUtilities.IsAnyPolicy(userInitialPolicySet)) // (g) // (ii) { if (paramsPKIX.IsExplicitPolicyRequired) { if (acceptablePolicies.IsEmpty) { throw new PkixCertPathValidatorException( "Explicit policy requested but none available.", null, certPath, index); } else { ISet _validPolicyNodeSet = new HashSet(); for (int j = 0; j < policyNodes.Length; j++) { IList _nodeDepth = policyNodes[j]; for (int k = 0; k < _nodeDepth.Count; k++) { PkixPolicyNode _node = (PkixPolicyNode)_nodeDepth[k]; if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(_node.ValidPolicy)) { foreach (object o in _node.Children) { _validPolicyNodeSet.Add(o); } } } } foreach (PkixPolicyNode _node in _validPolicyNodeSet) { string _validPolicy = _node.ValidPolicy; if (!acceptablePolicies.Contains(_validPolicy)) { // TODO? // validPolicyTree = // removePolicyNode(validPolicyTree, policyNodes, // _node); } } if (validPolicyTree != null) { for (int j = (n - 1); j >= 0; j--) { IList nodes = policyNodes[j]; for (int k = 0; k < nodes.Count; k++) { PkixPolicyNode node = (PkixPolicyNode)nodes[k]; if (!node.HasChildren) { validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree, policyNodes, node); } } } } } } intersection = validPolicyTree; } else { // // (g) (iii) // // This implementation is not exactly same as the one described in // RFC3280. // However, as far as the validation result is concerned, both // produce // adequate result. The only difference is whether AnyPolicy is // remain // in the policy tree or not. // // (g) (iii) 1 // ISet _validPolicyNodeSet = new HashSet(); for (int j = 0; j < policyNodes.Length; j++) { IList _nodeDepth = policyNodes[j]; for (int k = 0; k < _nodeDepth.Count; k++) { PkixPolicyNode _node = (PkixPolicyNode)_nodeDepth[k]; if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(_node.ValidPolicy)) { foreach (PkixPolicyNode _c_node in _node.Children) { if (!Rfc3280CertPathUtilities.ANY_POLICY.Equals(_c_node.ValidPolicy)) { _validPolicyNodeSet.Add(_c_node); } } } } } // // (g) (iii) 2 // IEnumerator _vpnsIter = _validPolicyNodeSet.GetEnumerator(); while (_vpnsIter.MoveNext()) { PkixPolicyNode _node = (PkixPolicyNode)_vpnsIter.Current; string _validPolicy = _node.ValidPolicy; if (!userInitialPolicySet.Contains(_validPolicy)) { validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree, policyNodes, _node); } } // // (g) (iii) 4 // if (validPolicyTree != null) { for (int j = (n - 1); j >= 0; j--) { IList nodes = policyNodes[j]; for (int k = 0; k < nodes.Count; k++) { PkixPolicyNode node = (PkixPolicyNode)nodes[k]; if (!node.HasChildren) { validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree, policyNodes, node); } } } } intersection = validPolicyTree; } return intersection; }
internal static PkixPolicyNode ProcessCertD( PkixCertPath certPath, int index, ISet acceptablePolicies, PkixPolicyNode validPolicyTree, IList[] policyNodes, int inhibitAnyPolicy) //throws CertPathValidatorException { IList certs = certPath.Certificates; X509Certificate cert = (X509Certificate)certs[index]; int n = certs.Count; // i as defined in the algorithm description int i = n - index; // // (d) policy Information checking against initial policy and // policy mapping // Asn1Sequence certPolicies = null; try { certPolicies = DerSequence.GetInstance( PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.CertificatePolicies)); } catch (Exception e) { throw new PkixCertPathValidatorException( "Could not read certificate policies extension from certificate.", e, certPath, index); } if (certPolicies != null && validPolicyTree != null) { // // (d) (1) // ISet pols = new HashSet(); foreach (Asn1Encodable ae in certPolicies) { PolicyInformation pInfo = PolicyInformation.GetInstance(ae.ToAsn1Object()); DerObjectIdentifier pOid = pInfo.PolicyIdentifier; pols.Add(pOid.Id); if (!Rfc3280CertPathUtilities.ANY_POLICY.Equals(pOid.Id)) { ISet pq = null; try { pq = PkixCertPathValidatorUtilities.GetQualifierSet(pInfo.PolicyQualifiers); } catch (PkixCertPathValidatorException ex) { throw new PkixCertPathValidatorException( "Policy qualifier info set could not be build.", ex, certPath, index); } bool match = PkixCertPathValidatorUtilities.ProcessCertD1i(i, policyNodes, pOid, pq); if (!match) { PkixCertPathValidatorUtilities.ProcessCertD1ii(i, policyNodes, pOid, pq); } } } if (acceptablePolicies.IsEmpty || acceptablePolicies.Contains(Rfc3280CertPathUtilities.ANY_POLICY)) { acceptablePolicies.Clear(); acceptablePolicies.AddAll(pols); } else { ISet t1 = new HashSet(); foreach (object o in acceptablePolicies) { if (pols.Contains(o)) { t1.Add(o); } } acceptablePolicies.Clear(); acceptablePolicies.AddAll(t1); } // // (d) (2) // if ((inhibitAnyPolicy > 0) || ((i < n) && PkixCertPathValidatorUtilities.IsSelfIssued(cert))) { foreach (Asn1Encodable ae in certPolicies) { PolicyInformation pInfo = PolicyInformation.GetInstance(ae.ToAsn1Object()); if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(pInfo.PolicyIdentifier.Id)) { ISet _apq = PkixCertPathValidatorUtilities.GetQualifierSet(pInfo.PolicyQualifiers); IList _nodes = policyNodes[i - 1]; for (int k = 0; k < _nodes.Count; k++) { PkixPolicyNode _node = (PkixPolicyNode)_nodes[k]; IEnumerator _policySetIter = _node.ExpectedPolicies.GetEnumerator(); while (_policySetIter.MoveNext()) { object _tmp = _policySetIter.Current; string _policy; if (_tmp is string) { _policy = (string)_tmp; } else if (_tmp is DerObjectIdentifier) { _policy = ((DerObjectIdentifier)_tmp).Id; } else { continue; } bool _found = false; foreach (PkixPolicyNode _child in _node.Children) { if (_policy.Equals(_child.ValidPolicy)) { _found = true; } } if (!_found) { ISet _newChildExpectedPolicies = new HashSet(); _newChildExpectedPolicies.Add(_policy); PkixPolicyNode _newChild = new PkixPolicyNode(Platform.CreateArrayList(), i, _newChildExpectedPolicies, _node, _apq, _policy, false); _node.AddChild(_newChild); policyNodes[i].Add(_newChild); } } } break; } } } PkixPolicyNode _validPolicyTree = validPolicyTree; // // (d) (3) // for (int j = (i - 1); j >= 0; j--) { IList nodes = policyNodes[j]; for (int k = 0; k < nodes.Count; k++) { PkixPolicyNode node = (PkixPolicyNode)nodes[k]; if (!node.HasChildren) { _validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(_validPolicyTree, policyNodes, node); if (_validPolicyTree == null) { break; } } } } // // d (4) // ISet criticalExtensionOids = cert.GetCriticalExtensionOids(); if (criticalExtensionOids != null) { bool critical = criticalExtensionOids.Contains(X509Extensions.CertificatePolicies.Id); IList nodes = policyNodes[i]; for (int j = 0; j < nodes.Count; j++) { PkixPolicyNode node = (PkixPolicyNode)nodes[j]; node.IsCritical = critical; } } return _validPolicyTree; } return null; }
public virtual PkixCertPathValidatorResult Validate( PkixCertPath certPath, PkixParameters paramsPkix) { if (paramsPkix.GetTrustAnchors() == null) { throw new ArgumentException( @"trustAnchors is null, this is not allowed for certification path validation.", "parameters"); } // // 6.1.1 - inputs // // // (a) // IList certs = certPath.Certificates; int n = certs.Count; if (certs.Count == 0) throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0); // // (b) // // DateTime validDate = PkixCertPathValidatorUtilities.GetValidDate(paramsPkix); // // (c) // ISet userInitialPolicySet = paramsPkix.GetInitialPolicies(); // // (d) // TrustAnchor trust; try { trust = PkixCertPathValidatorUtilities.FindTrustAnchor( (X509Certificate)certs[certs.Count - 1], paramsPkix.GetTrustAnchors()); } catch (Exception e) { throw new PkixCertPathValidatorException(e.Message, e, certPath, certs.Count - 1); } if (trust == null) throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1); // // (e), (f), (g) are part of the paramsPkix object. // IEnumerator certIter; int index = 0; int i; // Certificate for each interation of the validation loop // Signature information for each iteration of the validation loop // // 6.1.2 - setup // // // (a) // IList[] policyNodes = new IList[n + 1]; for (int j = 0; j < policyNodes.Length; j++) { policyNodes[j] = Platform.CreateArrayList(); } ISet policySet = new HashSet(); policySet.Add(Rfc3280CertPathUtilities.ANY_POLICY); PkixPolicyNode validPolicyTree = new PkixPolicyNode(Platform.CreateArrayList(), 0, policySet, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, false); policyNodes[0].Add(validPolicyTree); // // (b) and (c) // PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator(); // (d) // int explicitPolicy; ISet acceptablePolicies = new HashSet(); if (paramsPkix.IsExplicitPolicyRequired) { explicitPolicy = 0; } else { explicitPolicy = n + 1; } // // (e) // int inhibitAnyPolicy; if (paramsPkix.IsAnyPolicyInhibited) { inhibitAnyPolicy = 0; } else { inhibitAnyPolicy = n + 1; } // // (f) // int policyMapping; if (paramsPkix.IsPolicyMappingInhibited) { policyMapping = 0; } else { policyMapping = n + 1; } // // (g), (h), (i), (j) // IAsymmetricKeyParameter workingPublicKey; X509Name workingIssuerName; X509Certificate sign = trust.TrustedCert; try { if (sign != null) { workingIssuerName = sign.SubjectDN; workingPublicKey = sign.GetPublicKey(); } else { workingIssuerName = new X509Name(trust.CAName); workingPublicKey = trust.CAPublicKey; } } catch (ArgumentException ex) { throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath, -1); } AlgorithmIdentifier workingAlgId = null; try { workingAlgId = PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey); } catch (PkixCertPathValidatorException e) { throw new PkixCertPathValidatorException( "Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1); } // DerObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.ObjectID; // Asn1Encodable workingPublicKeyParameters = workingAlgId.Parameters; // // (k) // int maxPathLength = n; // // 6.1.3 // X509CertStoreSelector certConstraints = paramsPkix.GetTargetCertConstraints(); if (certConstraints != null && !certConstraints.Match((X509Certificate)certs[0])) { throw new PkixCertPathValidatorException( "Target certificate in certification path does not match targetConstraints.", null, certPath, 0); } // // initialize CertPathChecker's // IList pathCheckers = paramsPkix.GetCertPathCheckers(); certIter = pathCheckers.GetEnumerator(); while (certIter.MoveNext()) { ((PkixCertPathChecker)certIter.Current).Init(false); } X509Certificate cert = null; for (index = certs.Count - 1; index >= 0; index--) { // try // { // // i as defined in the algorithm description // i = n - index; // // set certificate to be checked in this round // sign and workingPublicKey and workingIssuerName are set // at the end of the for loop and initialized the // first time from the TrustAnchor // cert = (X509Certificate)certs[index]; // // 6.1.3 // Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, index, workingPublicKey, workingIssuerName, sign); Rfc3280CertPathUtilities.ProcessCertBC(certPath, index, nameConstraintValidator); validPolicyTree = Rfc3280CertPathUtilities.ProcessCertD(certPath, index, acceptablePolicies, validPolicyTree, policyNodes, inhibitAnyPolicy); validPolicyTree = Rfc3280CertPathUtilities.ProcessCertE(certPath, index, validPolicyTree); Rfc3280CertPathUtilities.ProcessCertF(certPath, index, validPolicyTree, explicitPolicy); // // 6.1.4 // if (i != n) { if (cert != null && cert.Version == 1) { throw new PkixCertPathValidatorException( "Version 1 certificates can't be used as CA ones.", null, certPath, index); } Rfc3280CertPathUtilities.PrepareNextCertA(certPath, index); validPolicyTree = Rfc3280CertPathUtilities.PrepareCertB(certPath, index, policyNodes, validPolicyTree, policyMapping); Rfc3280CertPathUtilities.PrepareNextCertG(certPath, index, nameConstraintValidator); // (h) explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, index, explicitPolicy); policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, index, policyMapping); inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, index, inhibitAnyPolicy); // // (i) // explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, index, explicitPolicy); policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, index, policyMapping); // (j) inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, index, inhibitAnyPolicy); // (k) Rfc3280CertPathUtilities.PrepareNextCertK(certPath, index); // (l) maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, index, maxPathLength); // (m) maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, index, maxPathLength); // (n) Rfc3280CertPathUtilities.PrepareNextCertN(certPath, index); ISet criticalExtensions1 = cert.GetCriticalExtensionOids(); if (criticalExtensions1 != null) { criticalExtensions1 = new HashSet(criticalExtensions1); // these extensions are handled by the algorithm criticalExtensions1.Remove(X509Extensions.KeyUsage.Id); criticalExtensions1.Remove(X509Extensions.CertificatePolicies.Id); criticalExtensions1.Remove(X509Extensions.PolicyMappings.Id); criticalExtensions1.Remove(X509Extensions.InhibitAnyPolicy.Id); criticalExtensions1.Remove(X509Extensions.IssuingDistributionPoint.Id); criticalExtensions1.Remove(X509Extensions.DeltaCrlIndicator.Id); criticalExtensions1.Remove(X509Extensions.PolicyConstraints.Id); criticalExtensions1.Remove(X509Extensions.BasicConstraints.Id); criticalExtensions1.Remove(X509Extensions.SubjectAlternativeName.Id); criticalExtensions1.Remove(X509Extensions.NameConstraints.Id); } else { criticalExtensions1 = new HashSet(); } // (o) Rfc3280CertPathUtilities.PrepareNextCertO(certPath, index, criticalExtensions1, pathCheckers); // set signing certificate for next round sign = cert; // (c) workingIssuerName = sign.SubjectDN; // (d) try { workingPublicKey = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, index); } catch (PkixCertPathValidatorException e) { throw new PkixCertPathValidatorException("Next working key could not be retrieved.", e, certPath, index); } workingAlgId = PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey); // (f) // workingPublicKeyAlgorithm = workingAlgId.ObjectID; // (e) // workingPublicKeyParameters = workingAlgId.Parameters; } } // // 6.1.5 Wrap-up procedure // explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, cert); explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, index + 1, explicitPolicy); // // (c) (d) and (e) are already done // // // (f) // ISet criticalExtensions = cert.GetCriticalExtensionOids(); if (criticalExtensions != null) { criticalExtensions = new HashSet(criticalExtensions); // Requires .Id // these extensions are handled by the algorithm criticalExtensions.Remove(X509Extensions.KeyUsage.Id); criticalExtensions.Remove(X509Extensions.CertificatePolicies.Id); criticalExtensions.Remove(X509Extensions.PolicyMappings.Id); criticalExtensions.Remove(X509Extensions.InhibitAnyPolicy.Id); criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id); criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id); criticalExtensions.Remove(X509Extensions.PolicyConstraints.Id); criticalExtensions.Remove(X509Extensions.BasicConstraints.Id); criticalExtensions.Remove(X509Extensions.SubjectAlternativeName.Id); criticalExtensions.Remove(X509Extensions.NameConstraints.Id); criticalExtensions.Remove(X509Extensions.CrlDistributionPoints.Id); } else { criticalExtensions = new HashSet(); } Rfc3280CertPathUtilities.WrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions); PkixPolicyNode intersection = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, userInitialPolicySet, index + 1, policyNodes, validPolicyTree, acceptablePolicies); if ((explicitPolicy > 0) || (intersection != null)) { return new PkixCertPathValidatorResult(trust, intersection, cert.GetPublicKey()); } throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, index); }