internal bool MatchesApplicationPolicies(Oid policyOid)
{
string oidToCheck = policyOid.Value !;
for (int i = 1; i <= _policies.Length; i++)
{
// The loop variable (i) matches the definition in RFC 3280,
// section 6.1.3. In that description i=1 is the root CA, and n
// is the EE/leaf certificate. In our chain object 0 is the EE cert
// and _policies.Length-1 is the root cert. So we will index things as
// _policies.Length - i (because i is 1 indexed).
int dataIdx = _policies.Length - i;
CertificatePolicy policy = _policies[dataIdx];
if (policy.AllowsAnyApplicationPolicy)
{
continue;
}
if (policy.DeclaredApplicationPolicies == null)
{
return(false);
}
if (!policy.DeclaredApplicationPolicies.Contains(oidToCheck))
{
return(false);
}
}
return(true);
}
private static void ReadCertPolicyConstraintsExtension(byte[] rawData, CertificatePolicy policy)
{
PolicyConstraintsAsn constraints = PolicyConstraintsAsn.Decode(
rawData,
AsnEncodingRules.DER);
policy.RequireExplicitPolicyDepth = constraints.RequireExplicitPolicyDepth;
policy.InhibitMappingDepth = constraints.InhibitMappingDepth;
}
private static CertificatePolicy ReadPolicy(X509Certificate2 cert)
{
// If no ApplicationCertPolicies extension is provided then it uses the EKU
// OIDS.
ISet <string>? applicationCertPolicies = null;
ISet <string>? ekus = null;
CertificatePolicy policy = new CertificatePolicy();
PolicyData policyData = cert.Pal.GetPolicyData();
if (policyData.ApplicationCertPolicies != null)
{
applicationCertPolicies = ReadCertPolicyExtension(policyData.ApplicationCertPolicies);
}
if (policyData.CertPolicies != null)
{
policy.DeclaredCertificatePolicies = ReadCertPolicyExtension(policyData.CertPolicies);
}
if (policyData.CertPolicyMappings != null)
{
policy.PolicyMapping = ReadCertPolicyMappingsExtension(policyData.CertPolicyMappings);
}
if (policyData.CertPolicyConstraints != null)
{
ReadCertPolicyConstraintsExtension(policyData.CertPolicyConstraints, policy);
}
if (policyData.EnhancedKeyUsage != null && applicationCertPolicies == null)
{
// No reason to do this if the applicationCertPolicies was already read
ekus = ReadExtendedKeyUsageExtension(policyData.EnhancedKeyUsage);
}
if (policyData.InhibitAnyPolicyExtension != null)
{
policy.InhibitAnyDepth = ReadInhibitAnyPolicyExtension(policyData.InhibitAnyPolicyExtension);
}
policy.DeclaredApplicationPolicies = applicationCertPolicies ?? ekus;
policy.ImplicitAnyApplicationPolicy = policy.DeclaredApplicationPolicies == null;
policy.ImplicitAnyCertificatePolicy = policy.DeclaredCertificatePolicies == null;
policy.SpecifiedAnyApplicationPolicy = CheckExplicitAnyPolicy(policy.DeclaredApplicationPolicies);
policy.SpecifiedAnyCertificatePolicy = CheckExplicitAnyPolicy(policy.DeclaredCertificatePolicies);
return(policy);
}
internal bool MatchesCertificatePolicies(Oid policyOid)
{
if (_failAllCertificatePolicies)
{
return(false);
}
string nextOid = policyOid.Value !;
for (int i = 1; i <= _policies.Length; i++)
{
// The loop variable (i) matches the definition in RFC 3280,
// section 6.1.3. In that description i=1 is the root CA, and n
// is the EE/leaf certificate. In our chain object 0 is the EE cert
// and _policies.Length-1 is the root cert. So we will index things as
// _policies.Length - i (because i is 1 indexed).
int dataIdx = _policies.Length - i;
CertificatePolicy policy = _policies[dataIdx];
string oidToCheck = nextOid;
if (policy.PolicyMapping != null)
{
for (int iMapping = 0; iMapping < policy.PolicyMapping.Count; iMapping++)
{
CertificatePolicyMappingAsn mapping = policy.PolicyMapping[iMapping];
if (StringComparer.Ordinal.Equals(mapping.IssuerDomainPolicy, oidToCheck))
{
nextOid = mapping.SubjectDomainPolicy;
}
}
}
if (policy.AllowsAnyCertificatePolicy)
{
continue;
}
if (policy.DeclaredCertificatePolicies == null)
{
return(false);
}
if (!policy.DeclaredCertificatePolicies.Contains(oidToCheck))
{
return(false);
}
}
return(true);
}
private void ReadPolicies(List <X509Certificate2> chain)
{
for (int i = 0; i < chain.Count; i++)
{
_policies[i] = ReadPolicy(chain[i]);
}
int explicitPolicyDepth = chain.Count;
int inhibitAnyPolicyDepth = explicitPolicyDepth;
int inhibitPolicyMappingDepth = explicitPolicyDepth;
for (int i = 1; i <= chain.Count; i++)
{
// The loop variable (i) matches the definition in RFC 3280,
// section 6.1.3. In that description i=1 is the root CA, and n
// is the EE/leaf certificate. In our chain object 0 is the EE cert
// and chain.Count-1 is the root cert. So we will index things as
// chain.Count - i (because i is 1 indexed).
int dataIdx = chain.Count - i;
CertificatePolicy policy = _policies[dataIdx];
if (policy.DeclaredCertificatePolicies == null && explicitPolicyDepth <= 0)
{
_failAllCertificatePolicies = true;
}
if (inhibitAnyPolicyDepth <= 0)
{
policy.ImplicitAnyCertificatePolicy = false;
policy.SpecifiedAnyCertificatePolicy = false;
}
else
{
inhibitAnyPolicyDepth--;
}
if (inhibitPolicyMappingDepth <= 0)
{
policy.PolicyMapping = null;
}
else
{
inhibitAnyPolicyDepth--;
}
if (explicitPolicyDepth <= 0)
{
policy.ImplicitAnyCertificatePolicy = false;
policy.ImplicitAnyApplicationPolicy = false;
}
else
{
explicitPolicyDepth--;
}
ApplyRestriction(ref inhibitAnyPolicyDepth, policy.InhibitAnyDepth);
ApplyRestriction(ref inhibitPolicyMappingDepth, policy.InhibitMappingDepth);
ApplyRestriction(ref explicitPolicyDepth, policy.RequireExplicitPolicyDepth);
}
}
