GetExtensionValue() static private method

Extract the value of the given extension, if it exists.
if the extension cannot be read.
static private GetExtensionValue ( IX509Extension ext, DerObjectIdentifier oid ) : Asn1Object
ext IX509Extension The extension object.
oid Org.BouncyCastle.Asn1.DerObjectIdentifier The object identifier to obtain.
return Org.BouncyCastle.Asn1.Asn1Object
        internal static void ProcessAttrCert7(IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams)
        {
            ISet criticalExtensionOids = attrCert.GetCriticalExtensionOids();

            if (criticalExtensionOids.Contains(X509Extensions.TargetInformation.Id))
            {
                try
                {
                    TargetInformation.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.TargetInformation));
                }
                catch (Exception cause)
                {
                    throw new PkixCertPathValidatorException("Target information extension could not be read.", cause);
                }
            }
            criticalExtensionOids.Remove(X509Extensions.TargetInformation.Id);
            foreach (PkixAttrCertChecker pkixAttrCertChecker in pkixParams.GetAttrCertCheckers())
            {
                pkixAttrCertChecker.Check(attrCert, certPath, holderCertPath, criticalExtensionOids);
            }
            if (!criticalExtensionOids.IsEmpty)
            {
                throw new PkixCertPathValidatorException("Attribute certificate contains unsupported critical extensions: " + criticalExtensionOids);
            }
        }
Exemplo n.º 2
0
        internal static ISet GetDeltaCrls(DateTime currentDate, PkixParameters paramsPKIX, X509Crl completeCRL)
        {
            X509CrlStoreSelector x509CrlStoreSelector = new X509CrlStoreSelector();

            try
            {
                IList list = Platform.CreateArrayList();
                list.Add(completeCRL.IssuerDN);
                x509CrlStoreSelector.Issuers = list;
            }
            catch (IOException innerException)
            {
                throw new Exception("Cannot extract issuer from CRL.", innerException);
            }
            BigInteger bigInteger = null;

            try
            {
                Asn1Object extensionValue = PkixCertPathValidatorUtilities.GetExtensionValue(completeCRL, X509Extensions.CrlNumber);
                if (extensionValue != null)
                {
                    bigInteger = DerInteger.GetInstance(extensionValue).PositiveValue;
                }
            }
            catch (Exception innerException2)
            {
                throw new Exception("CRL number extension could not be extracted from CRL.", innerException2);
            }
            byte[] issuingDistributionPoint = null;
            try
            {
                Asn1Object extensionValue2 = PkixCertPathValidatorUtilities.GetExtensionValue(completeCRL, X509Extensions.IssuingDistributionPoint);
                if (extensionValue2 != null)
                {
                    issuingDistributionPoint = extensionValue2.GetDerEncoded();
                }
            }
            catch (Exception innerException3)
            {
                throw new Exception("Issuing distribution point extension value could not be read.", innerException3);
            }
            x509CrlStoreSelector.MinCrlNumber                    = ((bigInteger == null) ? null : bigInteger.Add(BigInteger.One));
            x509CrlStoreSelector.IssuingDistributionPoint        = issuingDistributionPoint;
            x509CrlStoreSelector.IssuingDistributionPointEnabled = true;
            x509CrlStoreSelector.MaxBaseCrlNumber                = bigInteger;
            ISet set  = PkixCertPathValidatorUtilities.CrlUtilities.FindCrls(x509CrlStoreSelector, paramsPKIX, currentDate);
            ISet set2 = new HashSet();

            foreach (X509Crl x509Crl in set)
            {
                if (PkixCertPathValidatorUtilities.isDeltaCrl(x509Crl))
                {
                    set2.Add(x509Crl);
                }
            }
            return(set2);
        }
Exemplo n.º 3
0
        internal static void GetCertStatus(DateTime validDate, X509Crl crl, object cert, CertStatus certStatus)
        {
            X509Crl x509Crl = null;

            try
            {
                x509Crl = new X509Crl(CertificateList.GetInstance((Asn1Sequence)Asn1Object.FromByteArray(crl.GetEncoded())));
            }
            catch (Exception innerException)
            {
                throw new Exception("Bouncy Castle X509Crl could not be created.", innerException);
            }
            X509CrlEntry revokedCertificate = x509Crl.GetRevokedCertificate(PkixCertPathValidatorUtilities.GetSerialNumber(cert));

            if (revokedCertificate == null)
            {
                return;
            }
            X509Name issuerPrincipal = PkixCertPathValidatorUtilities.GetIssuerPrincipal(cert);

            if (issuerPrincipal.Equivalent(revokedCertificate.GetCertificateIssuer(), true) || issuerPrincipal.Equivalent(crl.IssuerDN, true))
            {
                DerEnumerated derEnumerated = null;
                if (revokedCertificate.HasExtensions)
                {
                    try
                    {
                        derEnumerated = DerEnumerated.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(revokedCertificate, X509Extensions.ReasonCode));
                    }
                    catch (Exception innerException2)
                    {
                        throw new Exception("Reason code CRL entry extension could not be decoded.", innerException2);
                    }
                }
                if (validDate.Ticks >= revokedCertificate.RevocationDate.Ticks || derEnumerated == null || derEnumerated.Value.TestBit(0) || derEnumerated.Value.TestBit(1) || derEnumerated.Value.TestBit(2) || derEnumerated.Value.TestBit(8))
                {
                    if (derEnumerated != null)
                    {
                        certStatus.Status = derEnumerated.Value.SignValue;
                    }
                    else
                    {
                        certStatus.Status = 0;
                    }
                    certStatus.RevocationDate = new DateTimeObject(revokedCertificate.RevocationDate);
                }
            }
        }
Exemplo n.º 4
0
        internal static void ProcessAttrCert7(
            IX509AttributeCertificate attrCert,
            PkixCertPath certPath,
            PkixCertPath holderCertPath,
            PkixParameters pkixParams)
        {
            // TODO:
            // AA Controls
            // Attribute encryption
            // Proxy
            ISet critExtOids = attrCert.GetCriticalExtensionOids();

            // 7.1
            // process extensions

            // target information checked in step 6 / X509AttributeCertStoreSelector
            if (critExtOids.Contains(X509Extensions.TargetInformation.Id))
            {
                try
                {
                    TargetInformation.GetInstance(PkixCertPathValidatorUtilities
                                                  .GetExtensionValue(attrCert, X509Extensions.TargetInformation));
                }
                catch (Exception e)
                {
                    throw new PkixCertPathValidatorException(
                              "Target information extension could not be read.", e);
                }
            }
            critExtOids.Remove(X509Extensions.TargetInformation.Id);
            foreach (PkixAttrCertChecker checker in pkixParams.GetAttrCertCheckers())
            {
                checker.Check(attrCert, certPath, holderCertPath, critExtOids);
            }
            if (!critExtOids.IsEmpty)
            {
                throw new PkixCertPathValidatorException(
                          "Attribute certificate contains unsupported critical extensions: "
                          + critExtOids);
            }
        }
        internal static void ProcessAttrCert7(IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams)
        {
            ISet criticalExtensionOids = attrCert.GetCriticalExtensionOids();

            if (criticalExtensionOids.Contains(X509Extensions.TargetInformation.Id))
            {
                try
                {
                    TargetInformation.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.TargetInformation));
                }
                catch (global::System.Exception cause)
                {
                    throw new PkixCertPathValidatorException("Target information extension could not be read.", cause);
                }
            }
            criticalExtensionOids.Remove(X509Extensions.TargetInformation.Id);
            global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)pkixParams.GetAttrCertCheckers()).GetEnumerator();
            try
            {
                while (enumerator.MoveNext())
                {
                    PkixAttrCertChecker pkixAttrCertChecker = (PkixAttrCertChecker)enumerator.get_Current();
                    pkixAttrCertChecker.Check(attrCert, certPath, holderCertPath, criticalExtensionOids);
                }
            }
            finally
            {
                global::System.IDisposable disposable = enumerator as global::System.IDisposable;
                if (disposable != null)
                {
                    disposable.Dispose();
                }
            }
            if (!criticalExtensionOids.IsEmpty)
            {
                throw new PkixCertPathValidatorException(string.Concat((object)"Attribute certificate contains unsupported critical extensions: ", (object)criticalExtensionOids));
            }
        }
Exemplo n.º 6
0
        /**
         * Checks if an attribute certificate is revoked.
         *
         * @param attrCert Attribute certificate to check if it is revoked.
         * @param paramsPKIX PKIX parameters.
         * @param issuerCert The issuer certificate of the attribute certificate
         *            <code>attrCert</code>.
         * @param validDate The date when the certificate revocation status should
         *            be checked.
         * @param certPathCerts The certificates of the certification path to be
         *            checked.
         *
         * @throws CertPathValidatorException if the certificate is revoked or the
         *             status cannot be checked or some error occurs.
         */
        internal static void CheckCrls(
            IX509AttributeCertificate attrCert,
            PkixParameters paramsPKIX,
            X509Certificate issuerCert,
            DateTime validDate,
            IList certPathCerts)
        {
            if (!paramsPKIX.IsRevocationEnabled)
            {
                return;
            }

            // check if revocation is available
            if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) != null)
            {
                if (attrCert.GetExtensionValue(X509Extensions.CrlDistributionPoints) != null ||
                    attrCert.GetExtensionValue(X509Extensions.AuthorityInfoAccess) != null)
                {
                    throw new PkixCertPathValidatorException(
                              "No rev avail extension is set, but also an AC revocation pointer.");
                }

                return;
            }

            CrlDistPoint crldp = null;

            try
            {
                crldp = CrlDistPoint.GetInstance(
                    PkixCertPathValidatorUtilities.GetExtensionValue(
                        attrCert, X509Extensions.CrlDistributionPoints));
            }
            catch (Exception e)
            {
                throw new PkixCertPathValidatorException(
                          "CRL distribution point extension could not be read.", e);
            }
            try
            {
                PkixCertPathValidatorUtilities
                .AddAdditionalStoresFromCrlDistributionPoint(crldp, paramsPKIX);
            }
            catch (Exception e)
            {
                throw new PkixCertPathValidatorException(
                          "No additional CRL locations could be decoded from CRL distribution point extension.", e);
            }

            CertStatus  certStatus  = new CertStatus();
            ReasonsMask reasonsMask = new ReasonsMask();

            Exception lastException = null;
            bool      validCrlFound = false;

            // for each distribution point
            if (crldp != null)
            {
                DistributionPoint[] dps = null;
                try
                {
                    dps = crldp.GetDistributionPoints();
                }
                catch (Exception e)
                {
                    throw new PkixCertPathValidatorException(
                              "Distribution points could not be read.", e);
                }
                try
                {
                    for (int i = 0; i < dps.Length &&
                         certStatus.Status == CertStatus.Unrevoked &&
                         !reasonsMask.IsAllReasons; i++)
                    {
                        PkixParameters paramsPKIXClone = (PkixParameters)paramsPKIX
                                                         .Clone();
                        CheckCrl(dps[i], attrCert, paramsPKIXClone,
                                 validDate, issuerCert, certStatus, reasonsMask,
                                 certPathCerts);
                        validCrlFound = true;
                    }
                }
                catch (Exception e)
                {
                    lastException = new Exception(
                        "No valid CRL for distribution point found.", e);
                }
            }

            /*
             * If the revocation status has not been determined, repeat the
             * process above with any available CRLs not specified in a
             * distribution point but issued by the certificate issuer.
             */

            if (certStatus.Status == CertStatus.Unrevoked &&
                !reasonsMask.IsAllReasons)
            {
                try
                {
                    /*
                     * assume a DP with both the reasons and the cRLIssuer
                     * fields omitted and a distribution point name of the
                     * certificate issuer.
                     */
                    X509Name issuer;
                    try
                    {
                        issuer = X509Name.GetInstance(attrCert.Issuer.GetPrincipals()[0].GetEncoded());
                    }
                    catch (Exception e)
                    {
                        throw new Exception(
                                  "Issuer from certificate for CRL could not be reencoded.",
                                  e);
                    }
                    DistributionPoint dp = new DistributionPoint(
                        new DistributionPointName(0, new GeneralNames(
                                                      new GeneralName(GeneralName.DirectoryName, issuer))), null, null);
                    PkixParameters paramsPKIXClone = (PkixParameters)paramsPKIX.Clone();
                    CheckCrl(dp, attrCert, paramsPKIXClone, validDate,
                             issuerCert, certStatus, reasonsMask, certPathCerts);
                    validCrlFound = true;
                }
                catch (Exception e)
                {
                    lastException = new Exception(
                        "No valid CRL for distribution point found.", e);
                }
            }

            if (!validCrlFound)
            {
                throw new PkixCertPathValidatorException(
                          "No valid CRL found.", lastException);
            }
            if (certStatus.Status != CertStatus.Unrevoked)
            {
                // This format is enforced by the NistCertPath tests
                string formattedDate = certStatus.RevocationDate.Value.ToString(
                    "ddd MMM dd HH:mm:ss K yyyy");
                string message = "Attribute certificate revocation after "
                                 + formattedDate;
                message += ", reason: "
                           + Rfc3280CertPathUtilities.CrlReasons[certStatus.Status];
                throw new PkixCertPathValidatorException(message);
            }
            if (!reasonsMask.IsAllReasons &&
                certStatus.Status == CertStatus.Unrevoked)
            {
                certStatus.Status = CertStatus.Undetermined;
            }
            if (certStatus.Status == CertStatus.Undetermined)
            {
                throw new PkixCertPathValidatorException(
                          "Attribute certificate status could not be determined.");
            }
        }
 internal static void CheckCrls(IX509AttributeCertificate attrCert, PkixParameters paramsPKIX, X509Certificate issuerCert, DateTime validDate, IList certPathCerts)
 {
     if (paramsPKIX.IsRevocationEnabled)
     {
         if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) == null)
         {
             CrlDistPoint crlDistPoint = null;
             try
             {
                 crlDistPoint = CrlDistPoint.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.CrlDistributionPoints));
             }
             catch (Exception cause)
             {
                 throw new PkixCertPathValidatorException("CRL distribution point extension could not be read.", cause);
             }
             try
             {
                 PkixCertPathValidatorUtilities.AddAdditionalStoresFromCrlDistributionPoint(crlDistPoint, paramsPKIX);
             }
             catch (Exception cause2)
             {
                 throw new PkixCertPathValidatorException("No additional CRL locations could be decoded from CRL distribution point extension.", cause2);
             }
             CertStatus  certStatus  = new CertStatus();
             ReasonsMask reasonsMask = new ReasonsMask();
             Exception   cause3      = null;
             bool        flag        = false;
             if (crlDistPoint != null)
             {
                 DistributionPoint[] array = null;
                 try
                 {
                     array = crlDistPoint.GetDistributionPoints();
                 }
                 catch (Exception cause4)
                 {
                     throw new PkixCertPathValidatorException("Distribution points could not be read.", cause4);
                 }
                 try
                 {
                     int num = 0;
                     while (num < array.Length && certStatus.Status == 11 && !reasonsMask.IsAllReasons)
                     {
                         PkixParameters paramsPKIX2 = (PkixParameters)paramsPKIX.Clone();
                         Rfc3281CertPathUtilities.CheckCrl(array[num], attrCert, paramsPKIX2, validDate, issuerCert, certStatus, reasonsMask, certPathCerts);
                         flag = true;
                         num++;
                     }
                 }
                 catch (Exception innerException)
                 {
                     cause3 = new Exception("No valid CRL for distribution point found.", innerException);
                 }
             }
             if (certStatus.Status == 11 && !reasonsMask.IsAllReasons)
             {
                 try
                 {
                     Asn1Object name = null;
                     try
                     {
                         name = new Asn1InputStream(attrCert.Issuer.GetPrincipals()[0].GetEncoded()).ReadObject();
                     }
                     catch (Exception innerException2)
                     {
                         throw new Exception("Issuer from certificate for CRL could not be reencoded.", innerException2);
                     }
                     DistributionPoint dp          = new DistributionPoint(new DistributionPointName(0, new GeneralNames(new GeneralName(4, name))), null, null);
                     PkixParameters    paramsPKIX3 = (PkixParameters)paramsPKIX.Clone();
                     Rfc3281CertPathUtilities.CheckCrl(dp, attrCert, paramsPKIX3, validDate, issuerCert, certStatus, reasonsMask, certPathCerts);
                     flag = true;
                 }
                 catch (Exception innerException3)
                 {
                     cause3 = new Exception("No valid CRL for distribution point found.", innerException3);
                 }
             }
             if (!flag)
             {
                 throw new PkixCertPathValidatorException("No valid CRL found.", cause3);
             }
             if (certStatus.Status != 11)
             {
                 string str  = certStatus.RevocationDate.Value.ToString("ddd MMM dd HH:mm:ss K yyyy");
                 string text = "Attribute certificate revocation after " + str;
                 text = text + ", reason: " + Rfc3280CertPathUtilities.CrlReasons[certStatus.Status];
                 throw new PkixCertPathValidatorException(text);
             }
             if (!reasonsMask.IsAllReasons && certStatus.Status == 11)
             {
                 certStatus.Status = 12;
             }
             if (certStatus.Status == 12)
             {
                 throw new PkixCertPathValidatorException("Attribute certificate status could not be determined.");
             }
         }
         else if (attrCert.GetExtensionValue(X509Extensions.CrlDistributionPoints) != null || attrCert.GetExtensionValue(X509Extensions.AuthorityInfoAccess) != null)
         {
             throw new PkixCertPathValidatorException("No rev avail extension is set, but also an AC revocation pointer.");
         }
     }
 }
Exemplo n.º 8
0
        internal static void PrepareNextCertB1(int i, IList[] policyNodes, string id_p, IDictionary m_idp, X509Certificate cert)
        {
            bool        flag       = false;
            IEnumerator enumerator = policyNodes[i].GetEnumerator();

            while (enumerator.MoveNext())
            {
                PkixPolicyNode pkixPolicyNode = (PkixPolicyNode)enumerator.Current;
                if (pkixPolicyNode.ValidPolicy.Equals(id_p))
                {
                    flag = true;
                    pkixPolicyNode.ExpectedPolicies = (ISet)m_idp[id_p];
                    break;
                }
            }
            if (!flag)
            {
                enumerator = policyNodes[i].GetEnumerator();
                while (enumerator.MoveNext())
                {
                    PkixPolicyNode pkixPolicyNode2 = (PkixPolicyNode)enumerator.Current;
                    if (PkixCertPathValidatorUtilities.ANY_POLICY.Equals(pkixPolicyNode2.ValidPolicy))
                    {
                        ISet         policyQualifiers = null;
                        Asn1Sequence asn1Sequence     = null;
                        try
                        {
                            asn1Sequence = Asn1Sequence.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.CertificatePolicies));
                        }
                        catch (Exception innerException)
                        {
                            throw new Exception("Certificate policies cannot be decoded.", innerException);
                        }
                        IEnumerator enumerator2 = asn1Sequence.GetEnumerator();
                        while (enumerator2.MoveNext())
                        {
                            PolicyInformation policyInformation = null;
                            try
                            {
                                policyInformation = PolicyInformation.GetInstance(enumerator2.Current);
                            }
                            catch (Exception innerException2)
                            {
                                throw new Exception("Policy information cannot be decoded.", innerException2);
                            }
                            if (PkixCertPathValidatorUtilities.ANY_POLICY.Equals(policyInformation.PolicyIdentifier.Id))
                            {
                                try
                                {
                                    policyQualifiers = PkixCertPathValidatorUtilities.GetQualifierSet(policyInformation.PolicyQualifiers);
                                    break;
                                }
                                catch (PkixCertPathValidatorException cause)
                                {
                                    throw new PkixCertPathValidatorException("Policy qualifier info set could not be built.", cause);
                                }
                            }
                        }
                        bool critical = false;
                        ISet criticalExtensionOids = cert.GetCriticalExtensionOids();
                        if (criticalExtensionOids != null)
                        {
                            critical = criticalExtensionOids.Contains(X509Extensions.CertificatePolicies.Id);
                        }
                        PkixPolicyNode parent = pkixPolicyNode2.Parent;
                        if (PkixCertPathValidatorUtilities.ANY_POLICY.Equals(parent.ValidPolicy))
                        {
                            PkixPolicyNode pkixPolicyNode3 = new PkixPolicyNode(Platform.CreateArrayList(), i, (ISet)m_idp[id_p], parent, policyQualifiers, id_p, critical);
                            parent.AddChild(pkixPolicyNode3);
                            policyNodes[i].Add(pkixPolicyNode3);
                            return;
                        }
                        break;
                    }
                }
            }
        }