GetTargetCertConstraints() public method

public GetTargetCertConstraints ( ) : X509CertStoreSelector
return Org.BouncyCastle.X509.Store.X509CertStoreSelector
        /**
         * Method to support <code>Clone()</code> under J2ME.
         * <code>super.Clone()</code> does not exist and fields are not copied.
         *
         * @param params Parameters to set. If this are
         *            <code>ExtendedPkixParameters</code> they are copied to.
         */
        protected virtual void SetParams(
            PkixParameters parameters)
        {
            Date = parameters.Date;
            SetCertPathCheckers(parameters.GetCertPathCheckers());
            IsAnyPolicyInhibited     = parameters.IsAnyPolicyInhibited;
            IsExplicitPolicyRequired = parameters.IsExplicitPolicyRequired;
            IsPolicyMappingInhibited = parameters.IsPolicyMappingInhibited;
            IsRevocationEnabled      = parameters.IsRevocationEnabled;
            SetInitialPolicies(parameters.GetInitialPolicies());
            IsPolicyQualifiersRejected = parameters.IsPolicyQualifiersRejected;
            SetTargetCertConstraints(parameters.GetTargetCertConstraints());
            SetTrustAnchors(parameters.GetTrustAnchors());

            validityModel = parameters.validityModel;
            useDeltas     = parameters.useDeltas;
            additionalLocationsEnabled = parameters.additionalLocationsEnabled;
            selector = parameters.selector == null ? null
                                : (IX509Selector)parameters.selector.Clone();
            stores                 = Platform.CreateArrayList(parameters.stores);
            additionalStores       = Platform.CreateArrayList(parameters.additionalStores);
            trustedACIssuers       = new HashSet(parameters.trustedACIssuers);
            prohibitedACAttributes = new HashSet(parameters.prohibitedACAttributes);
            necessaryACAttributes  = new HashSet(parameters.necessaryACAttributes);
            attrCertCheckers       = new HashSet(parameters.attrCertCheckers);
        }
Exemplo n.º 2
0
		/**
		* Returns an instance of <code>PkixBuilderParameters</code>.
		* <p>
		* This method can be used to get a copy from other
		* <code>PKIXBuilderParameters</code>, <code>PKIXParameters</code>,
		* and <code>ExtendedPKIXParameters</code> instances.
		* </p>
		*
		* @param pkixParams The PKIX parameters to create a copy of.
		* @return An <code>PkixBuilderParameters</code> instance.
		*/
		public static PkixBuilderParameters GetInstance(
			PkixParameters pkixParams)
		{
			PkixBuilderParameters parameters = new PkixBuilderParameters(
				pkixParams.GetTrustAnchors(),
				new X509CertStoreSelector(pkixParams.GetTargetCertConstraints()));
			parameters.SetParams(pkixParams);
			return parameters;
		}
Exemplo n.º 3
0
        /**
         * Returns an instance of <code>PkixBuilderParameters</code>.
         * <p>
         * This method can be used to get a copy from other
         * <code>PKIXBuilderParameters</code>, <code>PKIXParameters</code>,
         * and <code>ExtendedPKIXParameters</code> instances.
         * </p>
         *
         * @param pkixParams The PKIX parameters to create a copy of.
         * @return An <code>PkixBuilderParameters</code> instance.
         */
        public static PkixBuilderParameters GetInstance(
            PkixParameters pkixParams)
        {
            PkixBuilderParameters parameters = new PkixBuilderParameters(
                pkixParams.GetTrustAnchors(),
                new X509CertStoreSelector(pkixParams.GetTargetCertConstraints()));

            parameters.SetParams(pkixParams);
            return(parameters);
        }
        public virtual PkixCertPathValidatorResult Validate(
			PkixCertPath	certPath,
			PkixParameters	paramsPkix)
        {
            if (paramsPkix.GetTrustAnchors() == null)
            {
                throw new ArgumentException(
                    @"trustAnchors is null, this is not allowed for certification path validation.",
                    "parameters");
            }

            //
            // 6.1.1 - inputs
            //

            //
            // (a)
            //
            IList certs = certPath.Certificates;
            int n = certs.Count;

            if (certs.Count == 0)
                throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);

            //
            // (b)
            //
            // DateTime validDate = PkixCertPathValidatorUtilities.GetValidDate(paramsPkix);

            //
            // (c)
            //
            ISet userInitialPolicySet = paramsPkix.GetInitialPolicies();

            //
            // (d)
            //
            TrustAnchor trust;
            try
            {
                trust = PkixCertPathValidatorUtilities.FindTrustAnchor(
                    (X509Certificate)certs[certs.Count - 1],
                    paramsPkix.GetTrustAnchors());
            }
            catch (Exception e)
            {
                throw new PkixCertPathValidatorException(e.Message, e, certPath, certs.Count - 1);
            }

            if (trust == null)
                throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);

            //
            // (e), (f), (g) are part of the paramsPkix object.
            //
            IEnumerator certIter;
            int index = 0;
            int i;
            // Certificate for each interation of the validation loop
            // Signature information for each iteration of the validation loop
            //
            // 6.1.2 - setup
            //

            //
            // (a)
            //
            IList[] policyNodes = new IList[n + 1];
            for (int j = 0; j < policyNodes.Length; j++)
            {
                policyNodes[j] = Platform.CreateArrayList();
            }

            ISet policySet = new HashSet();

            policySet.Add(Rfc3280CertPathUtilities.ANY_POLICY);

            PkixPolicyNode validPolicyTree = new PkixPolicyNode(Platform.CreateArrayList(), 0, policySet, null, new HashSet(),
                    Rfc3280CertPathUtilities.ANY_POLICY, false);

            policyNodes[0].Add(validPolicyTree);

            //
            // (b) and (c)
            //
            PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();

            // (d)
            //
            int explicitPolicy;
            ISet acceptablePolicies = new HashSet();

            if (paramsPkix.IsExplicitPolicyRequired)
            {
                explicitPolicy = 0;
            }
            else
            {
                explicitPolicy = n + 1;
            }

            //
            // (e)
            //
            int inhibitAnyPolicy;

            if (paramsPkix.IsAnyPolicyInhibited)
            {
                inhibitAnyPolicy = 0;
            }
            else
            {
                inhibitAnyPolicy = n + 1;
            }

            //
            // (f)
            //
            int policyMapping;

            if (paramsPkix.IsPolicyMappingInhibited)
            {
                policyMapping = 0;
            }
            else
            {
                policyMapping = n + 1;
            }

            //
            // (g), (h), (i), (j)
            //
            IAsymmetricKeyParameter workingPublicKey;
            X509Name workingIssuerName;

            X509Certificate sign = trust.TrustedCert;
            try
            {
                if (sign != null)
                {
                    workingIssuerName = sign.SubjectDN;
                    workingPublicKey = sign.GetPublicKey();
                }
                else
                {
                    workingIssuerName = new X509Name(trust.CAName);
                    workingPublicKey = trust.CAPublicKey;
                }
            }
            catch (ArgumentException ex)
            {
                throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath,
                        -1);
            }

            AlgorithmIdentifier workingAlgId = null;
            try
            {
                workingAlgId = PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
            }
            catch (PkixCertPathValidatorException e)
            {
                throw new PkixCertPathValidatorException(
                        "Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1);
            }

            //			DerObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.ObjectID;
            //			Asn1Encodable workingPublicKeyParameters = workingAlgId.Parameters;

            //
            // (k)
            //
            int maxPathLength = n;

            //
            // 6.1.3
            //

            X509CertStoreSelector certConstraints = paramsPkix.GetTargetCertConstraints();
            if (certConstraints != null && !certConstraints.Match((X509Certificate)certs[0]))
            {
                throw new PkixCertPathValidatorException(
                    "Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
            }

            //
            // initialize CertPathChecker's
            //
            IList pathCheckers = paramsPkix.GetCertPathCheckers();
            certIter = pathCheckers.GetEnumerator();

            while (certIter.MoveNext())
            {
                ((PkixCertPathChecker)certIter.Current).Init(false);
            }

            X509Certificate cert = null;

            for (index = certs.Count - 1; index >= 0; index--)
            {
                // try
                // {
                //
                // i as defined in the algorithm description
                //
                i = n - index;

                //
                // set certificate to be checked in this round
                // sign and workingPublicKey and workingIssuerName are set
                // at the end of the for loop and initialized the
                // first time from the TrustAnchor
                //
                cert = (X509Certificate)certs[index];

                //
                // 6.1.3
                //

                Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, index, workingPublicKey,
                    workingIssuerName, sign);

                Rfc3280CertPathUtilities.ProcessCertBC(certPath, index, nameConstraintValidator);

                validPolicyTree = Rfc3280CertPathUtilities.ProcessCertD(certPath, index,
                    acceptablePolicies, validPolicyTree, policyNodes, inhibitAnyPolicy);

                validPolicyTree = Rfc3280CertPathUtilities.ProcessCertE(certPath, index, validPolicyTree);

                Rfc3280CertPathUtilities.ProcessCertF(certPath, index, validPolicyTree, explicitPolicy);

                //
                // 6.1.4
                //

                if (i != n)
                {
                    if (cert != null && cert.Version == 1)
                    {
                        throw new PkixCertPathValidatorException(
                            "Version 1 certificates can't be used as CA ones.", null, certPath, index);
                    }

                    Rfc3280CertPathUtilities.PrepareNextCertA(certPath, index);

                    validPolicyTree = Rfc3280CertPathUtilities.PrepareCertB(certPath, index, policyNodes,
                        validPolicyTree, policyMapping);

                    Rfc3280CertPathUtilities.PrepareNextCertG(certPath, index, nameConstraintValidator);

                    // (h)
                    explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, index, explicitPolicy);
                    policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, index, policyMapping);
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, index, inhibitAnyPolicy);

                    //
                    // (i)
                    //
                    explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, index, explicitPolicy);
                    policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, index, policyMapping);

                    // (j)
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, index, inhibitAnyPolicy);

                    // (k)
                    Rfc3280CertPathUtilities.PrepareNextCertK(certPath, index);

                    // (l)
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, index, maxPathLength);

                    // (m)
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, index, maxPathLength);

                    // (n)
                    Rfc3280CertPathUtilities.PrepareNextCertN(certPath, index);

                    ISet criticalExtensions1 = cert.GetCriticalExtensionOids();

                    if (criticalExtensions1 != null)
                    {
                        criticalExtensions1 = new HashSet(criticalExtensions1);

                        // these extensions are handled by the algorithm
                        criticalExtensions1.Remove(X509Extensions.KeyUsage.Id);
                        criticalExtensions1.Remove(X509Extensions.CertificatePolicies.Id);
                        criticalExtensions1.Remove(X509Extensions.PolicyMappings.Id);
                        criticalExtensions1.Remove(X509Extensions.InhibitAnyPolicy.Id);
                        criticalExtensions1.Remove(X509Extensions.IssuingDistributionPoint.Id);
                        criticalExtensions1.Remove(X509Extensions.DeltaCrlIndicator.Id);
                        criticalExtensions1.Remove(X509Extensions.PolicyConstraints.Id);
                        criticalExtensions1.Remove(X509Extensions.BasicConstraints.Id);
                        criticalExtensions1.Remove(X509Extensions.SubjectAlternativeName.Id);
                        criticalExtensions1.Remove(X509Extensions.NameConstraints.Id);
                    }
                    else
                    {
                        criticalExtensions1 = new HashSet();
                    }

                    // (o)
                    Rfc3280CertPathUtilities.PrepareNextCertO(certPath, index, criticalExtensions1, pathCheckers);

                    // set signing certificate for next round
                    sign = cert;

                    // (c)
                    workingIssuerName = sign.SubjectDN;

                    // (d)
                    try
                    {
                        workingPublicKey = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, index);
                    }
                    catch (PkixCertPathValidatorException e)
                    {
                        throw new PkixCertPathValidatorException("Next working key could not be retrieved.", e, certPath, index);
                    }

                    workingAlgId = PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
                    // (f)
            //                    workingPublicKeyAlgorithm = workingAlgId.ObjectID;
                    // (e)
            //                    workingPublicKeyParameters = workingAlgId.Parameters;
                }
            }

            //
            // 6.1.5 Wrap-up procedure
            //

            explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, cert);

            explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, index + 1, explicitPolicy);

            //
            // (c) (d) and (e) are already done
            //

            //
            // (f)
            //
            ISet criticalExtensions = cert.GetCriticalExtensionOids();

            if (criticalExtensions != null)
            {
                criticalExtensions = new HashSet(criticalExtensions);

                // Requires .Id
                // these extensions are handled by the algorithm
                criticalExtensions.Remove(X509Extensions.KeyUsage.Id);
                criticalExtensions.Remove(X509Extensions.CertificatePolicies.Id);
                criticalExtensions.Remove(X509Extensions.PolicyMappings.Id);
                criticalExtensions.Remove(X509Extensions.InhibitAnyPolicy.Id);
                criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id);
                criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id);
                criticalExtensions.Remove(X509Extensions.PolicyConstraints.Id);
                criticalExtensions.Remove(X509Extensions.BasicConstraints.Id);
                criticalExtensions.Remove(X509Extensions.SubjectAlternativeName.Id);
                criticalExtensions.Remove(X509Extensions.NameConstraints.Id);
                criticalExtensions.Remove(X509Extensions.CrlDistributionPoints.Id);
            }
            else
            {
                criticalExtensions = new HashSet();
            }

            Rfc3280CertPathUtilities.WrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions);

            PkixPolicyNode intersection = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, userInitialPolicySet,
                    index + 1, policyNodes, validPolicyTree, acceptablePolicies);

            if ((explicitPolicy > 0) || (intersection != null))
            {
                return new PkixCertPathValidatorResult(trust, intersection, cert.GetPublicKey());
            }

            throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, index);
        }
        public virtual PkixCertPathValidatorResult Validate(
            PkixCertPath certPath,
            PkixParameters paramsPkix)
        {
            if (paramsPkix.GetTrustAnchors() == null)
            {
                throw new ArgumentException(
                          "trustAnchors is null, this is not allowed for certification path validation.",
                          "parameters");
            }

            //
            // 6.1.1 - inputs
            //

            //
            // (a)
            //
            IList certs = certPath.Certificates;
            int   n     = certs.Count;

            if (certs.Count == 0)
            {
                throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);
            }

            //
            // (b)
            //
            // DateTime validDate = PkixCertPathValidatorUtilities.GetValidDate(paramsPkix);

            //
            // (c)
            //
            ISet userInitialPolicySet = paramsPkix.GetInitialPolicies();

            //
            // (d)
            //
            TrustAnchor trust;

            try
            {
                trust = PkixCertPathValidatorUtilities.FindTrustAnchor(
                    (X509Certificate)certs[certs.Count - 1],
                    paramsPkix.GetTrustAnchors());
            }
            catch (Exception e)
            {
                throw new PkixCertPathValidatorException(e.Message, e, certPath, certs.Count - 1);
            }

            if (trust == null)
            {
                throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
            }

            //
            // (e), (f), (g) are part of the paramsPkix object.
            //
            IEnumerator certIter;
            int         index = 0;
            int         i;

            // Certificate for each interation of the validation loop
            // Signature information for each iteration of the validation loop
            //
            // 6.1.2 - setup
            //

            //
            // (a)
            //
            IList[] policyNodes = new IList[n + 1];
            for (int j = 0; j < policyNodes.Length; j++)
            {
                policyNodes[j] = Platform.CreateArrayList();
            }

            ISet policySet = new HashSet();

            policySet.Add(Rfc3280CertPathUtilities.ANY_POLICY);

            PkixPolicyNode validPolicyTree = new PkixPolicyNode(Platform.CreateArrayList(), 0, policySet, null, new HashSet(),
                                                                Rfc3280CertPathUtilities.ANY_POLICY, false);

            policyNodes[0].Add(validPolicyTree);

            //
            // (b) and (c)
            //
            PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();

            // (d)
            //
            int  explicitPolicy;
            ISet acceptablePolicies = new HashSet();

            if (paramsPkix.IsExplicitPolicyRequired)
            {
                explicitPolicy = 0;
            }
            else
            {
                explicitPolicy = n + 1;
            }

            //
            // (e)
            //
            int inhibitAnyPolicy;

            if (paramsPkix.IsAnyPolicyInhibited)
            {
                inhibitAnyPolicy = 0;
            }
            else
            {
                inhibitAnyPolicy = n + 1;
            }

            //
            // (f)
            //
            int policyMapping;

            if (paramsPkix.IsPolicyMappingInhibited)
            {
                policyMapping = 0;
            }
            else
            {
                policyMapping = n + 1;
            }

            //
            // (g), (h), (i), (j)
            //
            AsymmetricKeyParameter workingPublicKey;
            X509Name workingIssuerName;

            X509Certificate sign = trust.TrustedCert;

            try
            {
                if (sign != null)
                {
                    workingIssuerName = sign.SubjectDN;
                    workingPublicKey  = sign.GetPublicKey();
                }
                else
                {
                    workingIssuerName = new X509Name(trust.CAName);
                    workingPublicKey  = trust.CAPublicKey;
                }
            }
            catch (ArgumentException ex)
            {
                throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath,
                                                         -1);
            }

            //AlgorithmIdentifier workingAlgId = null;
            try
            {
                /*workingAlgId = */ PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
            }
            catch (PkixCertPathValidatorException e)
            {
                throw new PkixCertPathValidatorException(
                          "Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1);
            }

//			DerObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.ObjectID;
//			Asn1Encodable workingPublicKeyParameters = workingAlgId.Parameters;

            //
            // (k)
            //
            int maxPathLength = n;

            //
            // 6.1.3
            //

            X509CertStoreSelector certConstraints = paramsPkix.GetTargetCertConstraints();

            if (certConstraints != null && !certConstraints.Match((X509Certificate)certs[0]))
            {
                throw new PkixCertPathValidatorException(
                          "Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
            }

            //
            // initialize CertPathChecker's
            //
            IList pathCheckers = paramsPkix.GetCertPathCheckers();

            certIter = pathCheckers.GetEnumerator();

            while (certIter.MoveNext())
            {
                ((PkixCertPathChecker)certIter.Current).Init(false);
            }

            X509Certificate cert = null;

            for (index = certs.Count - 1; index >= 0; index--)
            {
                // try
                // {
                //
                // i as defined in the algorithm description
                //
                i = n - index;

                //
                // set certificate to be checked in this round
                // sign and workingPublicKey and workingIssuerName are set
                // at the end of the for loop and initialized the
                // first time from the TrustAnchor
                //
                cert = (X509Certificate)certs[index];

                //
                // 6.1.3
                //

                Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, index, workingPublicKey,
                                                      workingIssuerName, sign);

                Rfc3280CertPathUtilities.ProcessCertBC(certPath, index, nameConstraintValidator);

                validPolicyTree = Rfc3280CertPathUtilities.ProcessCertD(certPath, index,
                                                                        acceptablePolicies, validPolicyTree, policyNodes, inhibitAnyPolicy);

                validPolicyTree = Rfc3280CertPathUtilities.ProcessCertE(certPath, index, validPolicyTree);

                Rfc3280CertPathUtilities.ProcessCertF(certPath, index, validPolicyTree, explicitPolicy);

                //
                // 6.1.4
                //

                if (i != n)
                {
                    if (cert != null && cert.Version == 1)
                    {
                        throw new PkixCertPathValidatorException(
                                  "Version 1 certificates can't be used as CA ones.", null, certPath, index);
                    }

                    Rfc3280CertPathUtilities.PrepareNextCertA(certPath, index);

                    validPolicyTree = Rfc3280CertPathUtilities.PrepareCertB(certPath, index, policyNodes,
                                                                            validPolicyTree, policyMapping);

                    Rfc3280CertPathUtilities.PrepareNextCertG(certPath, index, nameConstraintValidator);

                    // (h)
                    explicitPolicy   = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, index, explicitPolicy);
                    policyMapping    = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, index, policyMapping);
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, index, inhibitAnyPolicy);

                    //
                    // (i)
                    //
                    explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, index, explicitPolicy);
                    policyMapping  = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, index, policyMapping);

                    // (j)
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, index, inhibitAnyPolicy);

                    // (k)
                    Rfc3280CertPathUtilities.PrepareNextCertK(certPath, index);

                    // (l)
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, index, maxPathLength);

                    // (m)
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, index, maxPathLength);

                    // (n)
                    Rfc3280CertPathUtilities.PrepareNextCertN(certPath, index);

                    ISet criticalExtensions1 = cert.GetCriticalExtensionOids();

                    if (criticalExtensions1 != null)
                    {
                        criticalExtensions1 = new HashSet(criticalExtensions1);

                        // these extensions are handled by the algorithm
                        criticalExtensions1.Remove(X509Extensions.KeyUsage.Id);
                        criticalExtensions1.Remove(X509Extensions.CertificatePolicies.Id);
                        criticalExtensions1.Remove(X509Extensions.PolicyMappings.Id);
                        criticalExtensions1.Remove(X509Extensions.InhibitAnyPolicy.Id);
                        criticalExtensions1.Remove(X509Extensions.IssuingDistributionPoint.Id);
                        criticalExtensions1.Remove(X509Extensions.DeltaCrlIndicator.Id);
                        criticalExtensions1.Remove(X509Extensions.PolicyConstraints.Id);
                        criticalExtensions1.Remove(X509Extensions.BasicConstraints.Id);
                        criticalExtensions1.Remove(X509Extensions.SubjectAlternativeName.Id);
                        criticalExtensions1.Remove(X509Extensions.NameConstraints.Id);
                    }
                    else
                    {
                        criticalExtensions1 = new HashSet();
                    }

                    // (o)
                    Rfc3280CertPathUtilities.PrepareNextCertO(certPath, index, criticalExtensions1, pathCheckers);

                    // set signing certificate for next round
                    sign = cert;

                    // (c)
                    workingIssuerName = sign.SubjectDN;

                    // (d)
                    try
                    {
                        workingPublicKey = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, index);
                    }
                    catch (PkixCertPathValidatorException e)
                    {
                        throw new PkixCertPathValidatorException("Next working key could not be retrieved.", e, certPath, index);
                    }

                    /*workingAlgId = */ PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
                    // (f)
//                    workingPublicKeyAlgorithm = workingAlgId.ObjectID;
                    // (e)
//                    workingPublicKeyParameters = workingAlgId.Parameters;
                }
            }

            //
            // 6.1.5 Wrap-up procedure
            //

            explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, cert);

            explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, index + 1, explicitPolicy);

            //
            // (c) (d) and (e) are already done
            //

            //
            // (f)
            //
            ISet criticalExtensions = cert.GetCriticalExtensionOids();

            if (criticalExtensions != null)
            {
                criticalExtensions = new HashSet(criticalExtensions);

                // Requires .Id
                // these extensions are handled by the algorithm
                criticalExtensions.Remove(X509Extensions.KeyUsage.Id);
                criticalExtensions.Remove(X509Extensions.CertificatePolicies.Id);
                criticalExtensions.Remove(X509Extensions.PolicyMappings.Id);
                criticalExtensions.Remove(X509Extensions.InhibitAnyPolicy.Id);
                criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id);
                criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id);
                criticalExtensions.Remove(X509Extensions.PolicyConstraints.Id);
                criticalExtensions.Remove(X509Extensions.BasicConstraints.Id);
                criticalExtensions.Remove(X509Extensions.SubjectAlternativeName.Id);
                criticalExtensions.Remove(X509Extensions.NameConstraints.Id);
                criticalExtensions.Remove(X509Extensions.CrlDistributionPoints.Id);
            }
            else
            {
                criticalExtensions = new HashSet();
            }

            Rfc3280CertPathUtilities.WrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions);

            PkixPolicyNode intersection = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, userInitialPolicySet,
                                                                               index + 1, policyNodes, validPolicyTree, acceptablePolicies);

            if ((explicitPolicy > 0) || (intersection != null))
            {
                return(new PkixCertPathValidatorResult(trust, intersection, cert.GetPublicKey()));
            }

            throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, index);
        }
Exemplo n.º 6
0
        public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters paramsPkix)
        {
            if (paramsPkix.GetTrustAnchors() == null)
            {
                throw new ArgumentException("trustAnchors is null, this is not allowed for certification path validation.", "parameters");
            }
            IList certificates = certPath.Certificates;
            int   count        = certificates.Count;

            if (certificates.Count == 0)
            {
                throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);
            }
            ISet        initialPolicies = paramsPkix.GetInitialPolicies();
            TrustAnchor trustAnchor;

            try
            {
                trustAnchor = PkixCertPathValidatorUtilities.FindTrustAnchor((X509Certificate)certificates[certificates.Count - 1], paramsPkix.GetTrustAnchors());
            }
            catch (Exception ex)
            {
                throw new PkixCertPathValidatorException(ex.Message, ex, certPath, certificates.Count - 1);
            }
            if (trustAnchor == null)
            {
                throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
            }
            int i = 0;

            IList[] array = new IList[count + 1];
            for (int j = 0; j < array.Length; j++)
            {
                array[j] = Platform.CreateArrayList();
            }
            ISet set = new HashSet();

            set.Add(Rfc3280CertPathUtilities.ANY_POLICY);
            PkixPolicyNode pkixPolicyNode = new PkixPolicyNode(Platform.CreateArrayList(), 0, set, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, false);

            array[0].Add(pkixPolicyNode);
            PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();
            ISet acceptablePolicies = new HashSet();
            int  num;

            if (paramsPkix.IsExplicitPolicyRequired)
            {
                num = 0;
            }
            else
            {
                num = count + 1;
            }
            int inhibitAnyPolicy;

            if (paramsPkix.IsAnyPolicyInhibited)
            {
                inhibitAnyPolicy = 0;
            }
            else
            {
                inhibitAnyPolicy = count + 1;
            }
            int policyMapping;

            if (paramsPkix.IsPolicyMappingInhibited)
            {
                policyMapping = 0;
            }
            else
            {
                policyMapping = count + 1;
            }
            X509Certificate        x509Certificate = trustAnchor.TrustedCert;
            X509Name               workingIssuerName;
            AsymmetricKeyParameter asymmetricKeyParameter;

            try
            {
                if (x509Certificate != null)
                {
                    workingIssuerName      = x509Certificate.SubjectDN;
                    asymmetricKeyParameter = x509Certificate.GetPublicKey();
                }
                else
                {
                    workingIssuerName      = new X509Name(trustAnchor.CAName);
                    asymmetricKeyParameter = trustAnchor.CAPublicKey;
                }
            }
            catch (ArgumentException cause)
            {
                throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", cause, certPath, -1);
            }
            try
            {
                PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter);
            }
            catch (PkixCertPathValidatorException cause2)
            {
                throw new PkixCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", cause2, certPath, -1);
            }
            int maxPathLength = count;
            X509CertStoreSelector targetCertConstraints = paramsPkix.GetTargetCertConstraints();

            if (targetCertConstraints != null && !targetCertConstraints.Match((X509Certificate)certificates[0]))
            {
                throw new PkixCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
            }
            IList       certPathCheckers = paramsPkix.GetCertPathCheckers();
            IEnumerator enumerator       = certPathCheckers.GetEnumerator();

            while (enumerator.MoveNext())
            {
                ((PkixCertPathChecker)enumerator.Current).Init(false);
            }
            X509Certificate x509Certificate2 = null;

            for (i = certificates.Count - 1; i >= 0; i--)
            {
                int num2 = count - i;
                x509Certificate2 = (X509Certificate)certificates[i];
                Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, i, asymmetricKeyParameter, workingIssuerName, x509Certificate);
                Rfc3280CertPathUtilities.ProcessCertBC(certPath, i, nameConstraintValidator);
                pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertD(certPath, i, acceptablePolicies, pkixPolicyNode, array, inhibitAnyPolicy);
                pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertE(certPath, i, pkixPolicyNode);
                Rfc3280CertPathUtilities.ProcessCertF(certPath, i, pkixPolicyNode, num);
                if (num2 != count)
                {
                    if (x509Certificate2 != null && x509Certificate2.Version == 1)
                    {
                        throw new PkixCertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, certPath, i);
                    }
                    Rfc3280CertPathUtilities.PrepareNextCertA(certPath, i);
                    pkixPolicyNode = Rfc3280CertPathUtilities.PrepareCertB(certPath, i, array, pkixPolicyNode, policyMapping);
                    Rfc3280CertPathUtilities.PrepareNextCertG(certPath, i, nameConstraintValidator);
                    num              = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, i, num);
                    policyMapping    = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, i, policyMapping);
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, i, inhibitAnyPolicy);
                    num              = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, i, num);
                    policyMapping    = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, i, policyMapping);
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, i, inhibitAnyPolicy);
                    Rfc3280CertPathUtilities.PrepareNextCertK(certPath, i);
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, i, maxPathLength);
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, i, maxPathLength);
                    Rfc3280CertPathUtilities.PrepareNextCertN(certPath, i);
                    ISet set2 = x509Certificate2.GetCriticalExtensionOids();
                    if (set2 != null)
                    {
                        set2 = new HashSet(set2);
                        set2.Remove(X509Extensions.KeyUsage.Id);
                        set2.Remove(X509Extensions.CertificatePolicies.Id);
                        set2.Remove(X509Extensions.PolicyMappings.Id);
                        set2.Remove(X509Extensions.InhibitAnyPolicy.Id);
                        set2.Remove(X509Extensions.IssuingDistributionPoint.Id);
                        set2.Remove(X509Extensions.DeltaCrlIndicator.Id);
                        set2.Remove(X509Extensions.PolicyConstraints.Id);
                        set2.Remove(X509Extensions.BasicConstraints.Id);
                        set2.Remove(X509Extensions.SubjectAlternativeName.Id);
                        set2.Remove(X509Extensions.NameConstraints.Id);
                    }
                    else
                    {
                        set2 = new HashSet();
                    }
                    Rfc3280CertPathUtilities.PrepareNextCertO(certPath, i, set2, certPathCheckers);
                    x509Certificate   = x509Certificate2;
                    workingIssuerName = x509Certificate.SubjectDN;
                    try
                    {
                        asymmetricKeyParameter = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, i);
                    }
                    catch (PkixCertPathValidatorException cause3)
                    {
                        throw new PkixCertPathValidatorException("Next working key could not be retrieved.", cause3, certPath, i);
                    }
                    PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter);
                }
            }
            num = Rfc3280CertPathUtilities.WrapupCertA(num, x509Certificate2);
            num = Rfc3280CertPathUtilities.WrapupCertB(certPath, i + 1, num);
            ISet set3 = x509Certificate2.GetCriticalExtensionOids();

            if (set3 != null)
            {
                set3 = new HashSet(set3);
                set3.Remove(X509Extensions.KeyUsage.Id);
                set3.Remove(X509Extensions.CertificatePolicies.Id);
                set3.Remove(X509Extensions.PolicyMappings.Id);
                set3.Remove(X509Extensions.InhibitAnyPolicy.Id);
                set3.Remove(X509Extensions.IssuingDistributionPoint.Id);
                set3.Remove(X509Extensions.DeltaCrlIndicator.Id);
                set3.Remove(X509Extensions.PolicyConstraints.Id);
                set3.Remove(X509Extensions.BasicConstraints.Id);
                set3.Remove(X509Extensions.SubjectAlternativeName.Id);
                set3.Remove(X509Extensions.NameConstraints.Id);
                set3.Remove(X509Extensions.CrlDistributionPoints.Id);
            }
            else
            {
                set3 = new HashSet();
            }
            Rfc3280CertPathUtilities.WrapupCertF(certPath, i + 1, certPathCheckers, set3);
            PkixPolicyNode pkixPolicyNode2 = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, initialPolicies, i + 1, array, pkixPolicyNode, acceptablePolicies);

            if (num > 0 || pkixPolicyNode2 != null)
            {
                return(new PkixCertPathValidatorResult(trustAnchor, pkixPolicyNode2, x509Certificate2.GetPublicKey()));
            }
            throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, i);
        }
Exemplo n.º 7
0
		/**
		* Method to support <code>Clone()</code> under J2ME.
		* <code>super.Clone()</code> does not exist and fields are not copied.
		*
		* @param params Parameters to set. If this are
		*            <code>ExtendedPkixParameters</code> they are copied to.
		*/
		protected virtual void SetParams(
			PkixParameters parameters)
		{
			Date = parameters.Date;
			SetCertPathCheckers(parameters.GetCertPathCheckers());
			IsAnyPolicyInhibited = parameters.IsAnyPolicyInhibited;
			IsExplicitPolicyRequired = parameters.IsExplicitPolicyRequired;
			IsPolicyMappingInhibited = parameters.IsPolicyMappingInhibited;
			IsRevocationEnabled = parameters.IsRevocationEnabled;
			SetInitialPolicies(parameters.GetInitialPolicies());
			IsPolicyQualifiersRejected = parameters.IsPolicyQualifiersRejected;
			SetTargetCertConstraints(parameters.GetTargetCertConstraints());
			SetTrustAnchors(parameters.GetTrustAnchors());

			validityModel = parameters.validityModel;
			useDeltas = parameters.useDeltas;
			additionalLocationsEnabled = parameters.additionalLocationsEnabled;
			selector = parameters.selector == null ? null
				: (IX509Selector) parameters.selector.Clone();
			stores = Platform.CreateArrayList(parameters.stores);
            additionalStores = Platform.CreateArrayList(parameters.additionalStores);
			trustedACIssuers = new HashSet(parameters.trustedACIssuers);
			prohibitedACAttributes = new HashSet(parameters.prohibitedACAttributes);
			necessaryACAttributes = new HashSet(parameters.necessaryACAttributes);
			attrCertCheckers = new HashSet(parameters.attrCertCheckers);
		}
Exemplo n.º 8
0
        public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters paramsPkix)
        {
            //IL_0012: Unknown result type (might be due to invalid IL or missing references)
            //IL_0170: Expected O, but got Unknown
            if (paramsPkix.GetTrustAnchors() == null)
            {
                throw new ArgumentException("trustAnchors is null, this is not allowed for certification path validation.", "parameters");
            }
            global::System.Collections.IList certificates = certPath.Certificates;
            int count = ((global::System.Collections.ICollection)certificates).get_Count();

            if (((global::System.Collections.ICollection)certificates).get_Count() == 0)
            {
                throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);
            }
            ISet        initialPolicies = paramsPkix.GetInitialPolicies();
            TrustAnchor trustAnchor;

            try
            {
                trustAnchor = PkixCertPathValidatorUtilities.FindTrustAnchor((X509Certificate)certificates.get_Item(((global::System.Collections.ICollection)certificates).get_Count() - 1), paramsPkix.GetTrustAnchors());
            }
            catch (global::System.Exception ex)
            {
                throw new PkixCertPathValidatorException(ex.get_Message(), ex, certPath, ((global::System.Collections.ICollection)certificates).get_Count() - 1);
            }
            if (trustAnchor == null)
            {
                throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
            }
            int num = 0;

            global::System.Collections.IList[] array = new global::System.Collections.IList[count + 1];
            for (int i = 0; i < array.Length; i++)
            {
                array[i] = Platform.CreateArrayList();
            }
            ISet set = new HashSet();

            set.Add(Rfc3280CertPathUtilities.ANY_POLICY);
            PkixPolicyNode pkixPolicyNode = new PkixPolicyNode(Platform.CreateArrayList(), 0, set, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, critical: false);

            array[0].Add((object)pkixPolicyNode);
            PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();
            ISet                   acceptablePolicies           = new HashSet();
            int                    explicitPolicy   = ((!paramsPkix.IsExplicitPolicyRequired) ? (count + 1) : 0);
            int                    inhibitAnyPolicy = ((!paramsPkix.IsAnyPolicyInhibited) ? (count + 1) : 0);
            int                    policyMapping    = ((!paramsPkix.IsPolicyMappingInhibited) ? (count + 1) : 0);
            X509Certificate        x509Certificate  = trustAnchor.TrustedCert;
            X509Name               workingIssuerName;
            AsymmetricKeyParameter asymmetricKeyParameter;

            try
            {
                if (x509Certificate != null)
                {
                    workingIssuerName      = x509Certificate.SubjectDN;
                    asymmetricKeyParameter = x509Certificate.GetPublicKey();
                }
                else
                {
                    workingIssuerName      = new X509Name(trustAnchor.CAName);
                    asymmetricKeyParameter = trustAnchor.CAPublicKey;
                }
            }
            catch (ArgumentException val)
            {
                ArgumentException cause = val;
                throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", (global::System.Exception)(object) cause, certPath, -1);
            }
            try
            {
                PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter);
            }
            catch (PkixCertPathValidatorException cause2)
            {
                throw new PkixCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", cause2, certPath, -1);
            }
            int maxPathLength = count;
            X509CertStoreSelector targetCertConstraints = paramsPkix.GetTargetCertConstraints();

            if (targetCertConstraints != null && !targetCertConstraints.Match((X509Certificate)certificates.get_Item(0)))
            {
                throw new PkixCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
            }
            global::System.Collections.IList       certPathCheckers = paramsPkix.GetCertPathCheckers();
            global::System.Collections.IEnumerator enumerator       = ((global::System.Collections.IEnumerable)certPathCheckers).GetEnumerator();
            while (enumerator.MoveNext())
            {
                ((PkixCertPathChecker)enumerator.get_Current()).Init(forward: false);
            }
            X509Certificate x509Certificate2 = null;

            for (num = ((global::System.Collections.ICollection)certificates).get_Count() - 1; num >= 0; num--)
            {
                int num2 = count - num;
                x509Certificate2 = (X509Certificate)certificates.get_Item(num);
                Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, num, asymmetricKeyParameter, workingIssuerName, x509Certificate);
                Rfc3280CertPathUtilities.ProcessCertBC(certPath, num, nameConstraintValidator);
                pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertD(certPath, num, acceptablePolicies, pkixPolicyNode, array, inhibitAnyPolicy);
                pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertE(certPath, num, pkixPolicyNode);
                Rfc3280CertPathUtilities.ProcessCertF(certPath, num, pkixPolicyNode, explicitPolicy);
                if (num2 != count)
                {
                    if (x509Certificate2 != null && x509Certificate2.Version == 1)
                    {
                        throw new PkixCertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, certPath, num);
                    }
                    Rfc3280CertPathUtilities.PrepareNextCertA(certPath, num);
                    pkixPolicyNode = Rfc3280CertPathUtilities.PrepareCertB(certPath, num, array, pkixPolicyNode, policyMapping);
                    Rfc3280CertPathUtilities.PrepareNextCertG(certPath, num, nameConstraintValidator);
                    explicitPolicy   = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, num, explicitPolicy);
                    policyMapping    = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, num, policyMapping);
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, num, inhibitAnyPolicy);
                    explicitPolicy   = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, num, explicitPolicy);
                    policyMapping    = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, num, policyMapping);
                    inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, num, inhibitAnyPolicy);
                    Rfc3280CertPathUtilities.PrepareNextCertK(certPath, num);
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, num, maxPathLength);
                    maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, num, maxPathLength);
                    Rfc3280CertPathUtilities.PrepareNextCertN(certPath, num);
                    ISet criticalExtensionOids = x509Certificate2.GetCriticalExtensionOids();
                    if (criticalExtensionOids != null)
                    {
                        criticalExtensionOids = new HashSet(criticalExtensionOids);
                        criticalExtensionOids.Remove(X509Extensions.KeyUsage.Id);
                        criticalExtensionOids.Remove(X509Extensions.CertificatePolicies.Id);
                        criticalExtensionOids.Remove(X509Extensions.PolicyMappings.Id);
                        criticalExtensionOids.Remove(X509Extensions.InhibitAnyPolicy.Id);
                        criticalExtensionOids.Remove(X509Extensions.IssuingDistributionPoint.Id);
                        criticalExtensionOids.Remove(X509Extensions.DeltaCrlIndicator.Id);
                        criticalExtensionOids.Remove(X509Extensions.PolicyConstraints.Id);
                        criticalExtensionOids.Remove(X509Extensions.BasicConstraints.Id);
                        criticalExtensionOids.Remove(X509Extensions.SubjectAlternativeName.Id);
                        criticalExtensionOids.Remove(X509Extensions.NameConstraints.Id);
                    }
                    else
                    {
                        criticalExtensionOids = new HashSet();
                    }
                    Rfc3280CertPathUtilities.PrepareNextCertO(certPath, num, criticalExtensionOids, certPathCheckers);
                    x509Certificate   = x509Certificate2;
                    workingIssuerName = x509Certificate.SubjectDN;
                    try
                    {
                        asymmetricKeyParameter = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, num);
                    }
                    catch (PkixCertPathValidatorException cause3)
                    {
                        throw new PkixCertPathValidatorException("Next working key could not be retrieved.", cause3, certPath, num);
                    }
                    PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter);
                }
            }
            explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, x509Certificate2);
            explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, num + 1, explicitPolicy);
            ISet criticalExtensionOids2 = x509Certificate2.GetCriticalExtensionOids();

            if (criticalExtensionOids2 != null)
            {
                criticalExtensionOids2 = new HashSet(criticalExtensionOids2);
                criticalExtensionOids2.Remove(X509Extensions.KeyUsage.Id);
                criticalExtensionOids2.Remove(X509Extensions.CertificatePolicies.Id);
                criticalExtensionOids2.Remove(X509Extensions.PolicyMappings.Id);
                criticalExtensionOids2.Remove(X509Extensions.InhibitAnyPolicy.Id);
                criticalExtensionOids2.Remove(X509Extensions.IssuingDistributionPoint.Id);
                criticalExtensionOids2.Remove(X509Extensions.DeltaCrlIndicator.Id);
                criticalExtensionOids2.Remove(X509Extensions.PolicyConstraints.Id);
                criticalExtensionOids2.Remove(X509Extensions.BasicConstraints.Id);
                criticalExtensionOids2.Remove(X509Extensions.SubjectAlternativeName.Id);
                criticalExtensionOids2.Remove(X509Extensions.NameConstraints.Id);
                criticalExtensionOids2.Remove(X509Extensions.CrlDistributionPoints.Id);
            }
            else
            {
                criticalExtensionOids2 = new HashSet();
            }
            Rfc3280CertPathUtilities.WrapupCertF(certPath, num + 1, certPathCheckers, criticalExtensionOids2);
            PkixPolicyNode pkixPolicyNode2 = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, initialPolicies, num + 1, array, pkixPolicyNode, acceptablePolicies);

            if (explicitPolicy > 0 || pkixPolicyNode2 != null)
            {
                return(new PkixCertPathValidatorResult(trustAnchor, pkixPolicyNode2, x509Certificate2.GetPublicKey()));
            }
            throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, num);
        }