internal X509ExtensionCollection(MX.X509Certificate cert)
{
_list = new ArrayList(cert.Extensions.Count);
if (cert.Extensions.Count == 0)
{
return;
}
#if !MOONLIGHT
object[] parameters = new object [2];
#endif
foreach (MX.X509Extension ext in cert.Extensions)
{
bool critical = ext.Critical;
string oid = ext.Oid;
byte[] raw_data = null;
// extension data is embedded in an octet stream (4)
ASN1 value = ext.Value;
if ((value.Tag == 0x04) && (value.Count > 0))
{
raw_data = value [0].GetBytes();
}
X509Extension newt = null;
#if MOONLIGHT
// non-extensible
switch (oid)
{
case "2.5.29.14":
newt = new X509SubjectKeyIdentifierExtension(new AsnEncodedData(oid, raw_data), critical);
break;
case "2.5.29.15":
newt = new X509KeyUsageExtension(new AsnEncodedData(oid, raw_data), critical);
break;
case "2.5.29.19":
newt = new X509BasicConstraintsExtension(new AsnEncodedData(oid, raw_data), critical);
break;
case "2.5.29.37":
newt = new X509EnhancedKeyUsageExtension(new AsnEncodedData(oid, raw_data), critical);
break;
}
#else
parameters [0] = new AsnEncodedData(oid, raw_data);
parameters [1] = critical;
newt = (X509Extension)CryptoConfig.CreateFromName(oid, parameters);
#endif
if (newt == null)
{
// not registred in CryptoConfig, using default
newt = new X509Extension(oid, raw_data, critical);
}
_list.Add(newt);
}
}
public void ConstructorEmpty ()
{
X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension ();
Assert.IsFalse (bc.Critical, "Critical");
Assert.IsNull (bc.RawData, "RawData");
Assert.AreEqual (oid, bc.Oid.Value, "Oid.Value");
Assert.AreEqual (fname, bc.Oid.FriendlyName, "Oid.FriendlyName");
Assert.AreEqual (String.Empty, bc.Format (true), "Format(true)");
Assert.AreEqual (String.Empty, bc.Format (false), "Format(false)");
}
public void ConstructorEmpty ()
{
X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension ();
Assert.IsFalse (bc.Critical, "Critical");
Assert.IsNull (bc.RawData, "RawData");
Assert.AreEqual (oid, bc.Oid.Value, "Oid.Value");
// FIXME: Don't expect that FriendlyName is English. This test fails under non-English Windows.
//Assert.AreEqual (fname, bc.Oid.FriendlyName, "Oid.FriendlyName");
Assert.AreEqual (String.Empty, bc.Format (true), "Format(true)");
Assert.AreEqual (String.Empty, bc.Format (false), "Format(false)");
}
public void ConstructorAsnEncodedData ()
{
AsnEncodedData aed = new AsnEncodedData (new byte[] { 0x30, 0x06, 0x01, 0x01, 0xFF, 0x02, 0x01, 0x01 });
X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension (aed, true);
Assert.IsTrue (bc.Critical, "Critical");
Assert.AreEqual (8, bc.RawData.Length, "RawData"); // original Oid ignored
Assert.AreEqual (oid, bc.Oid.Value, "Oid.Value");
Assert.AreEqual (fname, bc.Oid.FriendlyName, "Oid.FriendlyName");
Assert.IsTrue (bc.CertificateAuthority, "CertificateAuthority");
Assert.IsTrue (bc.HasPathLengthConstraint, "HasPathLengthConstraint");
Assert.AreEqual (1, bc.PathLengthConstraint, "PathLengthConstraint");
Assert.AreEqual ("Subject Type=CA" + Environment.NewLine + "Path Length Constraint=1" + Environment.NewLine, bc.Format (true), "Format(true)");
Assert.AreEqual ("Subject Type=CA, Path Length Constraint=1", bc.Format (false), "Format(false)");
}
private void PrepareForNextCertificate(int n)
{
X509ChainElement x509ChainElement = this.elements[n];
X509Certificate2 certificate = x509ChainElement.Certificate;
this.working_issuer_name = certificate.SubjectName;
this.working_public_key = certificate.PublicKey.Key;
X509BasicConstraintsExtension x509BasicConstraintsExtension = (X509BasicConstraintsExtension)certificate.Extensions["2.5.29.19"];
if (x509BasicConstraintsExtension != null)
{
if (!x509BasicConstraintsExtension.CertificateAuthority)
{
x509ChainElement.StatusFlags |= X509ChainStatusFlags.InvalidBasicConstraints;
}
}
else if (certificate.Version >= 3)
{
x509ChainElement.StatusFlags |= X509ChainStatusFlags.InvalidBasicConstraints;
}
if (!this.IsSelfIssued(certificate))
{
if (this.max_path_length > 0)
{
this.max_path_length--;
}
else if (this.bce_restriction != null)
{
this.bce_restriction.StatusFlags |= X509ChainStatusFlags.InvalidBasicConstraints;
}
}
if (x509BasicConstraintsExtension != null && x509BasicConstraintsExtension.HasPathLengthConstraint && x509BasicConstraintsExtension.PathLengthConstraint < this.max_path_length)
{
this.max_path_length = x509BasicConstraintsExtension.PathLengthConstraint;
this.bce_restriction = x509ChainElement;
}
X509KeyUsageExtension x509KeyUsageExtension = (X509KeyUsageExtension)certificate.Extensions["2.5.29.15"];
if (x509KeyUsageExtension != null)
{
X509KeyUsageFlags x509KeyUsageFlags = X509KeyUsageFlags.KeyCertSign;
if ((x509KeyUsageExtension.KeyUsages & x509KeyUsageFlags) != x509KeyUsageFlags)
{
x509ChainElement.StatusFlags |= X509ChainStatusFlags.NotValidForUsage;
}
}
this.ProcessCertificateExtensions(x509ChainElement);
}
internal X509ExtensionCollection (MX.X509Certificate cert)
{
_list = new ArrayList (cert.Extensions.Count);
if (cert.Extensions.Count == 0)
return;
#if !MOONLIGHT
object[] parameters = new object [2];
#endif
foreach (MX.X509Extension ext in cert.Extensions) {
bool critical = ext.Critical;
string oid = ext.Oid;
byte[] raw_data = null;
// extension data is embedded in an octet stream (4)
ASN1 value = ext.Value;
if ((value.Tag == 0x04) && (value.Count > 0))
raw_data = value [0].GetBytes ();
X509Extension newt = null;
#if MOONLIGHT || FULL_AOT_RUNTIME
// non-extensible
switch (oid) {
case "2.5.29.14":
newt = new X509SubjectKeyIdentifierExtension (new AsnEncodedData (oid, raw_data), critical);
break;
case "2.5.29.15":
newt = new X509KeyUsageExtension (new AsnEncodedData (oid, raw_data), critical);
break;
case "2.5.29.19":
newt = new X509BasicConstraintsExtension (new AsnEncodedData (oid, raw_data), critical);
break;
case "2.5.29.37":
newt = new X509EnhancedKeyUsageExtension (new AsnEncodedData (oid, raw_data), critical);
break;
}
#else
parameters [0] = new AsnEncodedData (oid, raw_data ?? Empty);
parameters [1] = critical;
newt = (X509Extension) CryptoConfig.CreateFromName (oid, parameters);
#endif
if (newt == null) {
// not registred in CryptoConfig, using default
newt = new X509Extension (oid, raw_data ?? Empty, critical);
}
_list.Add (newt);
}
}
public void CopyFrom_Null ()
{
X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension ();
bc.CopyFrom (null);
}
public void WrongAsnEncodedData ()
{
AsnEncodedData aed = new AsnEncodedData (new byte[0]);
X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension (false, true, 1, false);
bc.CopyFrom (aed); // note: not the same behaviour than using the constructor!
}
public void WrongExtension_X509Extension_CertificateAuthority ()
{
X509Extension ex = new X509Extension ("1.2.3", new byte[0], true);
X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension ();
bc.CopyFrom (ex);
bool b = bc.CertificateAuthority;
}
// CTL == Certificate Trust List / NOT SUPPORTED
// TODO - check for X509ChainStatusFlags.CtlNotTimeValid
// TODO - check for X509ChainStatusFlags.CtlNotSignatureValid
// TODO - check for X509ChainStatusFlags.CtlNotValidForUsage
private void PrepareForNextCertificate(int n)
{
X509ChainElement element = elements [n];
X509Certificate2 certificate = element.Certificate;
// TODO 6.1.4.a-b
// 6.1.4.c
working_issuer_name = certificate.SubjectName;
// 6.1.4.d-e - our key includes both the public key and it's parameters
working_public_key = certificate.PublicKey.Key;
// 6.1.4.f
// working_public_key_algorithm = certificate.PublicKey.Oid.Value;
// TODO 6.1.4.g-j
// 6.1.4.k - Verify that the certificate is a CA certificate
X509BasicConstraintsExtension bce = (certificate.Extensions["2.5.29.19"] as X509BasicConstraintsExtension);
if (bce != null)
{
if (!bce.CertificateAuthority)
{
element.StatusFlags |= X509ChainStatusFlags.InvalidBasicConstraints;
}
}
else if (certificate.Version >= 3)
{
// recent (v3+) CA certificates must include BCE
element.StatusFlags |= X509ChainStatusFlags.InvalidBasicConstraints;
}
// 6.1.4.l - if the certificate isn't self-issued...
if (!IsSelfIssued(certificate))
{
// ... verify that max_path_length > 0
if (max_path_length > 0)
{
max_path_length--;
}
else
{
// to match MS the reported status must be against the certificate
// with the BCE and not where the path is too long. It also means
// that this condition has to be reported only once
if (bce_restriction != null)
{
bce_restriction.StatusFlags |= X509ChainStatusFlags.InvalidBasicConstraints;
}
}
}
// 6.1.4.m - if pathLengthConstraint is present...
if ((bce != null) && (bce.HasPathLengthConstraint))
{
// ... and is less that max_path_length, set max_path_length to it's value
if (bce.PathLengthConstraint < max_path_length)
{
max_path_length = bce.PathLengthConstraint;
bce_restriction = element;
}
}
// 6.1.4.n - if key usage extension is present...
X509KeyUsageExtension kue = (certificate.Extensions["2.5.29.15"] as X509KeyUsageExtension);
if (kue != null)
{
// ... verify keyCertSign is set
X509KeyUsageFlags success = X509KeyUsageFlags.KeyCertSign;
if ((kue.KeyUsages & success) != success)
{
element.StatusFlags |= X509ChainStatusFlags.NotValidForUsage;
}
}
// 6.1.4.o - recognize and process other critical extension present in the certificate
ProcessCertificateExtensions(element);
}
// Indirectly (undocumented but) supported extensions
internal string BasicConstraintsExtension (bool multiLine)
{
try {
X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension (this, false);
return bc.ToString (multiLine);
}
catch {
return String.Empty;
}
}
/// <summary>
/// Initializes a new instance of the <see cref="X509ExtensionWrapper"/> class.
/// </summary>
/// <param name="extension">The extension.</param>
public X509BasicConstraintsExtensionWrapper(X509BasicConstraintsExtension extension)
: base(extension)
{
x509 = extension;
}
public void ConstructorEmpty_CertificateAuthority ()
{
X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension ();
Assert.AreEqual (false, bc.CertificateAuthority, "CertificateAuthority");
}
public void Constructor_TrueTrueZero ()
{
X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension (true, true, 0, true);
Assert.IsTrue (bc.CertificateAuthority, "CertificateAuthority");
Assert.IsTrue (bc.HasPathLengthConstraint, "HasPathLengthConstraint");
Assert.AreEqual (0, bc.PathLengthConstraint, "PathLengthConstraint");
Assert.AreEqual ("30-06-01-01-FF-02-01-00", BitConverter.ToString (bc.RawData), "RawData");
Assert.AreEqual ("Subject Type=CA" + Environment.NewLine + "Path Length Constraint=0" + Environment.NewLine, bc.Format (true), "Format(true)");
Assert.AreEqual ("Subject Type=CA, Path Length Constraint=0", bc.Format (false), "Format(false)");
}
public void ConstructorAsnEncodedData_Null ()
{
X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension (null, true);
}
public void ConstructorAsnEncodedData_SmallestValid ()
{
AsnEncodedData aed = new AsnEncodedData ("1.2.3", new byte[] { 0x30, 0x00 });
X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension (aed, true);
Assert.IsFalse (bc.CertificateAuthority, "CertificateAuthority");
Assert.IsFalse (bc.HasPathLengthConstraint, "HasPathLengthConstraint");
Assert.AreEqual (0, bc.PathLengthConstraint, "PathLengthConstraint");
Assert.AreEqual ("30-00", BitConverter.ToString (bc.RawData), "RawData");
Assert.AreEqual ("Subject Type=End Entity" + Environment.NewLine + "Path Length Constraint=None" + Environment.NewLine, bc.Format (true), "Format(true)");
Assert.AreEqual ("Subject Type=End Entity, Path Length Constraint=None", bc.Format (false), "Format(false)");
}
public void ConstructorAsnEncodedData_BadAsnLength ()
{
AsnEncodedData aed = new AsnEncodedData ("1.2.3", new byte[] { 0x30, 0x01 });
X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension (aed, true);
Assert.AreEqual ("3001", bc.Format (true), "Format(true)");
Assert.AreEqual ("3001", bc.Format (false), "Format(false)");
bool b = bc.CertificateAuthority;
}
public void CopyFrom_Self ()
{
X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension (false, false, -1, true);
Assert.IsTrue (bc.Critical, "Critical");
byte[] raw = bc.RawData;
Assert.AreEqual ("30-00", BitConverter.ToString (raw), "RawData");
AsnEncodedData aed = new AsnEncodedData (raw);
X509BasicConstraintsExtension copy = new X509BasicConstraintsExtension (aed, false);
Assert.IsFalse (copy.Critical, "Critical");
Assert.AreEqual (2, copy.RawData.Length, "RawData"); // original Oid ignored
Assert.AreEqual (oid, copy.Oid.Value, "Oid.Value");
// FIXME: Don't expect that FriendlyName is English. This test fails under non-English Windows.
//Assert.AreEqual (fname, copy.Oid.FriendlyName, "Oid.FriendlyName");
Assert.IsFalse (copy.CertificateAuthority, "CertificateAuthority");
Assert.IsFalse (copy.HasPathLengthConstraint, "HasPathLengthConstraint");
Assert.AreEqual (0, copy.PathLengthConstraint, "PathLengthConstraint");
}
public void Constructor_TrueTrueMaxInt ()
{
X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension (true, true, Int32.MaxValue, true);
Assert.IsTrue (bc.CertificateAuthority, "CertificateAuthority");
Assert.IsTrue (bc.HasPathLengthConstraint, "HasPathLengthConstraint");
Assert.AreEqual (Int32.MaxValue, bc.PathLengthConstraint, "PathLengthConstraint");
Assert.AreEqual ("30-09-01-01-FF-02-04-7F-FF-FF-FF", BitConverter.ToString (bc.RawData), "RawData");
Assert.AreEqual ("Subject Type=CA" + Environment.NewLine + "Path Length Constraint=2147483647" + Environment.NewLine, bc.Format (true), "Format(true)");
Assert.AreEqual ("Subject Type=CA, Path Length Constraint=2147483647", bc.Format (false), "Format(false)");
}
public void ConstructorEmpty_PathLengthConstraint ()
{
X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension ();
Assert.AreEqual (0, bc.PathLengthConstraint, "PathLengthConstraint");
}
public void ConstructorEmpty_HasPathLengthConstraint ()
{
X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension ();
Assert.AreEqual (false, bc.HasPathLengthConstraint, "HasPathLengthConstraint");
}
public void Constructor_FalseTrueNegative ()
{
X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension (false, true, -1, true);
}
public void ConstructorAsnEncodedData_BadAsn ()
{
AsnEncodedData aed = new AsnEncodedData ("1.2.3", new byte[0]);
X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension (aed, true);
Assert.AreEqual (String.Empty, bc.Format (true), "Format(true)");
Assert.AreEqual (String.Empty, bc.Format (false), "Format(false)");
bool b = bc.CertificateAuthority;
}
public void Constructor_FalseFalseNegative ()
{
X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension (false, false, -1, true);
Assert.IsFalse (bc.CertificateAuthority, "CertificateAuthority");
Assert.IsFalse (bc.HasPathLengthConstraint, "HasPathLengthConstraint");
Assert.AreEqual (0, bc.PathLengthConstraint, "PathLengthConstraint");
Assert.AreEqual ("30-00", BitConverter.ToString (bc.RawData), "RawData");
Assert.AreEqual ("Subject Type=End Entity" + Environment.NewLine + "Path Length Constraint=None" + Environment.NewLine, bc.Format (true), "Format(true)");
Assert.AreEqual ("Subject Type=End Entity, Path Length Constraint=None", bc.Format (false), "Format(false)");
}
/// <summary>
/// Determines whether the certificate is allowed to be an issuer.
/// </summary>
private bool IsIssuerAllowed(X509Certificate2 certificate)
{
X509BasicConstraintsExtension constraints = new X509BasicConstraintsExtension();
for (int ii = 0; ii < certificate.Extensions.Count; ii++)
{
constraints = certificate.Extensions[ii] as X509BasicConstraintsExtension;
if (constraints != null)
{
return constraints.CertificateAuthority;
}
}
return false;
}
public void WrongExtension_X509KeyUsageExtension ()
{
X509KeyUsageExtension ku = new X509KeyUsageExtension ();
X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension ();
bc.CopyFrom (ku);
}
public void WrongExtension_X509Extension ()
{
X509Extension ex = new X509Extension ("1.2.3", new byte[0], true);
X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension (false, true, 1, false);
Assert.IsFalse (bc.Critical, "Critical");
bc.CopyFrom (ex);
Assert.IsTrue (bc.Critical, "Critical");
Assert.AreEqual (String.Empty, BitConverter.ToString (bc.RawData), "RawData");
Assert.AreEqual ("1.2.3", bc.Oid.Value, "Oid.Value");
Assert.IsNull (bc.Oid.FriendlyName, "Oid.FriendlyName");
}
internal string BasicConstraintsExtension(bool multiLine)
{
string result;
try
{
System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension x509BasicConstraintsExtension = new System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension(this, false);
result = x509BasicConstraintsExtension.ToString(multiLine);
}
catch
{
result = string.Empty;
}
return(result);
}
