/// <summary>
/// Get the CRL entry, if any, for the given certificate.
///
/// <para>This method can be used to lookup CRL entries in indirect CRLs,
/// that means CRLs that contain entries from issuers other than the CRL
/// issuer. The default implementation will only return entries for
/// certificates issued by the CRL issuer. Subclasses that wish to
/// support indirect CRLs should override this method.
///
/// </para>
/// </summary>
/// <param name="certificate"> the certificate for which a CRL entry is to be looked
/// up </param>
/// <returns> the entry for the given certificate, or null if no such entry
/// exists in this CRL. </returns>
/// <exception cref="NullPointerException"> if certificate is null
///
/// @since 1.5 </exception>
public virtual X509CRLEntry GetRevokedCertificate(X509Certificate certificate)
{
X500Principal certIssuer = certificate.IssuerX500Principal;
X500Principal crlIssuer = IssuerX500Principal;
if (certIssuer.Equals(crlIssuer) == false)
{
return(null);
}
return(GetRevokedCertificate(certificate.SerialNumber));
}
/// <summary>
/// Creates an instance of {@code TrustAnchor} where the
/// most-trusted CA is specified as an X500Principal and public key.
/// Name constraints are an optional parameter, and are intended to be used
/// as additional constraints when validating an X.509 certification path.
/// <para>
/// The name constraints are specified as a byte array. This byte array
/// contains the DER encoded form of the name constraints, as they
/// would appear in the NameConstraints structure defined in RFC 3280
/// and X.509. The ASN.1 notation for this structure is supplied in the
/// documentation for
/// {@link #TrustAnchor(X509Certificate, byte[])
/// TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints) }.
/// </para>
/// <para>
/// Note that the name constraints byte array supplied here is cloned to
/// protect against subsequent modifications.
///
/// </para>
/// </summary>
/// <param name="caPrincipal"> the name of the most-trusted CA as X500Principal </param>
/// <param name="pubKey"> the public key of the most-trusted CA </param>
/// <param name="nameConstraints"> a byte array containing the ASN.1 DER encoding of
/// a NameConstraints extension to be used for checking name constraints.
/// Only the value of the extension is included, not the OID or criticality
/// flag. Specify {@code null} to omit the parameter. </param>
/// <exception cref="NullPointerException"> if the specified {@code caPrincipal} or
/// {@code pubKey} parameter is {@code null}
/// @since 1.5 </exception>
public TrustAnchor(X500Principal caPrincipal, PublicKey pubKey, sbyte[] nameConstraints)
{
if ((caPrincipal == null) || (pubKey == null))
{
throw new NullPointerException();
}
this.TrustedCert_Renamed = null;
this.CaPrincipal = caPrincipal;
this.CaName = caPrincipal.Name;
this.PubKey = pubKey;
NameConstraints = nameConstraints;
}
/// <summary>
/// Creates an instance of {@code TrustAnchor} with the specified
/// {@code X509Certificate} and optional name constraints, which
/// are intended to be used as additional constraints when validating
/// an X.509 certification path.
/// <para>
/// The name constraints are specified as a byte array. This byte array
/// should contain the DER encoded form of the name constraints, as they
/// would appear in the NameConstraints structure defined in
/// <a href="http://www.ietf.org/rfc/rfc3280">RFC 3280</a>
/// and X.509. The ASN.1 definition of this structure appears below.
///
/// <pre>{@code
/// NameConstraints ::= SEQUENCE {
/// permittedSubtrees [0] GeneralSubtrees OPTIONAL,
/// excludedSubtrees [1] GeneralSubtrees OPTIONAL }
///
/// GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
///
/// GeneralSubtree ::= SEQUENCE {
/// base GeneralName,
/// minimum [0] BaseDistance DEFAULT 0,
/// maximum [1] BaseDistance OPTIONAL }
///
/// BaseDistance ::= INTEGER (0..MAX)
///
/// GeneralName ::= CHOICE {
/// otherName [0] OtherName,
/// rfc822Name [1] IA5String,
/// dNSName [2] IA5String,
/// x400Address [3] ORAddress,
/// directoryName [4] Name,
/// ediPartyName [5] EDIPartyName,
/// uniformResourceIdentifier [6] IA5String,
/// iPAddress [7] OCTET STRING,
/// registeredID [8] OBJECT IDENTIFIER}
/// }</pre>
/// </para>
/// <para>
/// Note that the name constraints byte array supplied is cloned to protect
/// against subsequent modifications.
///
/// </para>
/// </summary>
/// <param name="trustedCert"> a trusted {@code X509Certificate} </param>
/// <param name="nameConstraints"> a byte array containing the ASN.1 DER encoding of
/// a NameConstraints extension to be used for checking name constraints.
/// Only the value of the extension is included, not the OID or criticality
/// flag. Specify {@code null} to omit the parameter. </param>
/// <exception cref="IllegalArgumentException"> if the name constraints cannot be
/// decoded </exception>
/// <exception cref="NullPointerException"> if the specified
/// {@code X509Certificate} is {@code null} </exception>
public TrustAnchor(X509Certificate trustedCert, sbyte[] nameConstraints)
{
if (trustedCert == null)
{
throw new NullPointerException("the trustedCert parameter must " + "be non-null");
}
this.TrustedCert_Renamed = trustedCert;
this.PubKey = null;
this.CaName = null;
this.CaPrincipal = null;
NameConstraints = nameConstraints;
}
/// <summary>
/// A private method that adds a name (String or byte array) to the
/// issuerNames criterion. The issuer distinguished
/// name in the {@code X509CRL} must match at least one of the specified
/// distinguished names.
/// </summary>
/// <param name="name"> the name in string or byte array form </param>
/// <param name="principal"> the name in X500Principal form </param>
/// <exception cref="IOException"> if a parsing error occurs </exception>
private void AddIssuerNameInternal(Object name, X500Principal principal)
{
if (IssuerNames_Renamed == null)
{
IssuerNames_Renamed = new HashSet <Object>();
}
if (IssuerX500Principals == null)
{
IssuerX500Principals = new HashSet <X500Principal>();
}
IssuerNames_Renamed.Add(name);
IssuerX500Principals.Add(principal);
}
/// <summary>
/// Constructs a {@code CertificateRevokedException} with
/// the specified revocation date, reason code, authority name, and map
/// of extensions.
/// </summary>
/// <param name="revocationDate"> the date on which the certificate was revoked. The
/// date is copied to protect against subsequent modification. </param>
/// <param name="reason"> the revocation reason </param>
/// <param name="extensions"> a map of X.509 Extensions. Each key is an OID String
/// that maps to the corresponding Extension. The map is copied to
/// prevent subsequent modification. </param>
/// <param name="authority"> the {@code X500Principal} that represents the name
/// of the authority that signed the certificate's revocation status
/// information </param>
/// <exception cref="NullPointerException"> if {@code revocationDate},
/// {@code reason}, {@code authority}, or
/// {@code extensions} is {@code null} </exception>
public CertificateRevokedException(DateTime revocationDate, CRLReason reason, X500Principal authority, IDictionary <String, Extension> extensions)
{
if (revocationDate == null || reason == null || authority == null || extensions == null)
{
throw new NullPointerException();
}
this.RevocationDate_Renamed = new DateTime(revocationDate.Ticks);
this.Reason = reason;
this.Authority = authority;
// make sure Map only contains correct types
this.Extensions_Renamed = Collections.CheckedMap(new Dictionary <>(), typeof(String), typeof(Extension));
//JAVA TO C# CONVERTER TODO TASK: There is no .NET Dictionary equivalent to the Java 'putAll' method:
this.Extensions_Renamed.putAll(extensions);
}
private void GenerateStoreKey(bool withDate)
{
if (_keyStore.ContainsAlias(KeyAlias))
{
return;
}
ClearSettings();
var end = Calendar.Instance;
end.Add(CalendarField.Year, 99);
if (_oldAndroid)
{
var subject = new X500Principal($"CN={KeyAlias}");
var builder = new KeyPairGeneratorSpec.Builder(Application.Context)
.SetAlias(KeyAlias)
.SetSubject(subject)
.SetSerialNumber(BigInteger.Ten);
if (withDate)
{
builder.SetStartDate(new Date(0)).SetEndDate(end.Time);
}
var spec = builder.Build();
var gen = KeyPairGenerator.GetInstance(KeyProperties.KeyAlgorithmRsa, AndroidKeyStore);
gen.Initialize(spec);
gen.GenerateKeyPair();
}
else
{
var builder = new KeyGenParameterSpec.Builder(KeyAlias, KeyStorePurpose.Decrypt | KeyStorePurpose.Encrypt)
.SetBlockModes(KeyProperties.BlockModeGcm)
.SetEncryptionPaddings(KeyProperties.EncryptionPaddingNone);
if (withDate)
{
builder.SetKeyValidityStart(new Date(0)).SetKeyValidityEnd(end.Time);
}
var spec = builder.Build();
var gen = KeyGenerator.GetInstance(KeyProperties.KeyAlgorithmAes, AndroidKeyStore);
gen.Init(spec);
gen.GenerateKey();
}
}
/// <exception cref="CertificateEncodingException"/>
/// <exception cref="InvalidKeyException"/>
/// <exception cref="System.InvalidOperationException"/>
/// <exception cref="NoSuchProviderException"/>
/// <exception cref="NoSuchAlgorithmException"/>
/// <exception cref="SignatureException"/>
public static X509Certificate GenerateCertificate(string dn, KeyPair pair
, int days, string algorithm)
{
DateTime from = new DateTime();
DateTime to = Extensions.CreateDate(from.GetTime() + days * 86400000l);
BigInteger sn = new BigInteger(64, new SecureRandom());
KeyPair keyPair = pair;
X509V1CertificateGenerator certGen = new X509V1CertificateGenerator();
X500Principal dnName = new X500Principal(dn);
certGen.SetSerialNumber(sn);
certGen.SetIssuerDN(dnName);
certGen.SetNotBefore(from);
certGen.SetNotAfter(to);
certGen.SetSubjectDN(dnName);
certGen.SetPublicKey(keyPair.GetPublic());
certGen.SetSignatureAlgorithm(algorithm);
X509Certificate cert = certGen.Generate(pair.GetPrivate());
return(cert);
}
/// <summary>
/// Creates an instance of {@code TrustAnchor} where the
/// most-trusted CA is specified as a distinguished name and public key.
/// Name constraints are an optional parameter, and are intended to be used
/// as additional constraints when validating an X.509 certification path.
/// <para>
/// The name constraints are specified as a byte array. This byte array
/// contains the DER encoded form of the name constraints, as they
/// would appear in the NameConstraints structure defined in RFC 3280
/// and X.509. The ASN.1 notation for this structure is supplied in the
/// documentation for
/// {@link #TrustAnchor(X509Certificate, byte[])
/// TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints) }.
/// </para>
/// <para>
/// Note that the name constraints byte array supplied here is cloned to
/// protect against subsequent modifications.
///
/// </para>
/// </summary>
/// <param name="caName"> the X.500 distinguished name of the most-trusted CA in
/// <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a>
/// {@code String} format </param>
/// <param name="pubKey"> the public key of the most-trusted CA </param>
/// <param name="nameConstraints"> a byte array containing the ASN.1 DER encoding of
/// a NameConstraints extension to be used for checking name constraints.
/// Only the value of the extension is included, not the OID or criticality
/// flag. Specify {@code null} to omit the parameter. </param>
/// <exception cref="IllegalArgumentException"> if the specified
/// {@code caName} parameter is empty {@code (caName.length() == 0)}
/// or incorrectly formatted or the name constraints cannot be decoded </exception>
/// <exception cref="NullPointerException"> if the specified {@code caName} or
/// {@code pubKey} parameter is {@code null} </exception>
public TrustAnchor(String caName, PublicKey pubKey, sbyte[] nameConstraints)
{
if (pubKey == null)
{
throw new NullPointerException("the pubKey parameter must be " + "non-null");
}
if (caName == null)
{
throw new NullPointerException("the caName parameter must be " + "non-null");
}
if (caName.Length() == 0)
{
throw new IllegalArgumentException("the caName " + "parameter must be a non-empty String");
}
// check if caName is formatted correctly
this.CaPrincipal = new X500Principal(caName);
this.PubKey = pubKey;
this.CaName = caName;
this.TrustedCert_Renamed = null;
NameConstraints = nameConstraints;
}
/// <summary>
/// Decides whether a {@code CRL} should be selected.
/// </summary>
/// <param name="crl"> the {@code CRL} to be checked </param>
/// <returns> {@code true} if the {@code CRL} should be selected,
/// {@code false} otherwise </returns>
public virtual bool Match(CRL crl)
{
if (!(crl is X509CRL))
{
return(false);
}
X509CRL xcrl = (X509CRL)crl;
/* match on issuer name */
if (IssuerNames_Renamed != null)
{
X500Principal issuer = xcrl.IssuerX500Principal;
Iterator <X500Principal> i = IssuerX500Principals.Iterator();
bool found = false;
while (!found && i.HasNext())
{
if (i.Next().Equals(issuer))
{
found = true;
}
}
if (!found)
{
if (Debug != null)
{
Debug.println("X509CRLSelector.match: issuer DNs " + "don't match");
}
return(false);
}
}
if ((MinCRL_Renamed != null) || (MaxCRL_Renamed != null))
{
/* Get CRL number extension from CRL */
sbyte[] crlNumExtVal = xcrl.GetExtensionValue("2.5.29.20");
if (crlNumExtVal == null)
{
if (Debug != null)
{
Debug.println("X509CRLSelector.match: no CRLNumber");
}
}
System.Numerics.BigInteger crlNum;
try
{
DerInputStream @in = new DerInputStream(crlNumExtVal);
sbyte[] encoded = @in.OctetString;
CRLNumberExtension crlNumExt = new CRLNumberExtension(false, encoded);
crlNum = crlNumExt.get(CRLNumberExtension.NUMBER);
}
catch (IOException)
{
if (Debug != null)
{
Debug.println("X509CRLSelector.match: exception in " + "decoding CRL number");
}
return(false);
}
/* match on minCRLNumber */
if (MinCRL_Renamed != null)
{
if (crlNum.CompareTo(MinCRL_Renamed) < 0)
{
if (Debug != null)
{
Debug.println("X509CRLSelector.match: CRLNumber too small");
}
return(false);
}
}
/* match on maxCRLNumber */
if (MaxCRL_Renamed != null)
{
if (crlNum.CompareTo(MaxCRL_Renamed) > 0)
{
if (Debug != null)
{
Debug.println("X509CRLSelector.match: CRLNumber too large");
}
return(false);
}
}
}
/* match on dateAndTime */
if (DateAndTime_Renamed != null)
{
Date crlThisUpdate = xcrl.ThisUpdate;
Date nextUpdate = xcrl.NextUpdate;
if (nextUpdate == null)
{
if (Debug != null)
{
Debug.println("X509CRLSelector.match: nextUpdate null");
}
return(false);
}
Date nowPlusSkew = DateAndTime_Renamed;
Date nowMinusSkew = DateAndTime_Renamed;
if (Skew > 0)
{
nowPlusSkew = new Date(DateAndTime_Renamed.Time + Skew);
nowMinusSkew = new Date(DateAndTime_Renamed.Time - Skew);
}
// Check that the test date is within the validity interval:
// [ thisUpdate - MAX_CLOCK_SKEW,
// nextUpdate + MAX_CLOCK_SKEW ]
if (nowMinusSkew.After(nextUpdate) || nowPlusSkew.Before(crlThisUpdate))
{
if (Debug != null)
{
Debug.println("X509CRLSelector.match: update out-of-range");
}
return(false);
}
}
return(true);
}
/// <summary>
/// Adds a name to the issuerNames criterion. The issuer distinguished
/// name in the {@code X509CRL} must match at least one of the specified
/// distinguished names.
/// <para>
/// This method allows the caller to add a name to the set of issuer names
/// which {@code X509CRLs} may contain. The specified name is added to
/// any previous value for the issuerNames criterion.
/// If the specified name is a duplicate, it may be ignored.
///
/// </para>
/// </summary>
/// <param name="issuer"> the issuer as X500Principal
/// @since 1.5 </param>
public virtual void AddIssuer(X500Principal issuer)
{
AddIssuerNameInternal(issuer.Encoded, issuer);
}
