/// <summary>
/// Determines whether <paramref name="policyOid"/> is an acceptable application
/// policy (EKU) for every certificate in the chain.
/// </summary>
/// <param name="policyOid">The application policy OID to validate.</param>
/// <returns>
/// <see langword="true"/> when each certificate either allows any application
/// policy or explicitly declares <paramref name="policyOid"/>; otherwise
/// <see langword="false"/>.
/// </returns>
internal bool MatchesApplicationPolicies(Oid policyOid)
{
    string requested = policyOid.Value!;

    // Walk root -> leaf. RFC 3280 section 6.1.3 numbers certificates i=1..n with
    // i=1 the root CA, whereas _policies is leaf-first (index 0 is the EE cert and
    // _policies.Length-1 the root), so iterate the array index downward.
    for (int depth = _policies.Length - 1; depth >= 0; depth--)
    {
        CertificatePolicy current = _policies[depth];

        // A certificate that allows any application policy never constrains the match.
        if (current.AllowsAnyApplicationPolicy)
        {
            continue;
        }

        // Without an "any" allowance, the OID must be explicitly declared; a
        // certificate with no declared set accepts nothing.
        var declared = current.DeclaredApplicationPolicies;
        if (declared is null || !declared.Contains(requested))
        {
            return false;
        }
    }

    return true;
}
/// <summary>
/// Decodes a PolicyConstraints extension value and copies its two skip-certs
/// counters (requireExplicitPolicy, inhibitPolicyMapping) onto
/// <paramref name="policy"/>.
/// </summary>
/// <param name="rawData">The encoded extension value.</param>
/// <param name="policy">The policy record that receives the decoded counters.</param>
private static void ReadCertPolicyConstraintsExtension(byte[] rawData, CertificatePolicy policy)
{
    // Strict DER: a non-canonical (BER-only) encoding is rejected by the decoder
    // rather than silently accepted. Decoding failures surface as the decoder's exception.
    var decoded = PolicyConstraintsAsn.Decode(rawData, AsnEncodingRules.DER);

    policy.RequireExplicitPolicyDepth = decoded.RequireExplicitPolicyDepth;
    policy.InhibitMappingDepth = decoded.InhibitMappingDepth;
}
/// <summary>
/// Builds the <see cref="CertificatePolicy"/> for a single certificate from its
/// policy-related extensions: application policies (falling back to EKU),
/// certificate policies, policy mappings, policy constraints and inhibitAnyPolicy.
/// </summary>
/// <param name="cert">The certificate whose extension data is read.</param>
/// <returns>A populated policy record; never <see langword="null"/>.</returns>
private static CertificatePolicy ReadPolicy(X509Certificate2 cert)
{
    var policy = new CertificatePolicy();
    PolicyData data = cert.Pal.GetPolicyData();

    // Application policies come from the ApplicationCertPolicies extension when
    // present; the EKU extension is consulted only as a fallback (below).
    ISet<string>? appPolicies = data.ApplicationCertPolicies is { } appRaw
        ? ReadCertPolicyExtension(appRaw)
        : null;

    if (data.CertPolicies is { } certPoliciesRaw)
    {
        policy.DeclaredCertificatePolicies = ReadCertPolicyExtension(certPoliciesRaw);
    }

    if (data.CertPolicyMappings is { } mappingsRaw)
    {
        policy.PolicyMapping = ReadCertPolicyMappingsExtension(mappingsRaw);
    }

    if (data.CertPolicyConstraints is { } constraintsRaw)
    {
        ReadCertPolicyConstraintsExtension(constraintsRaw, policy);
    }

    // EKU is only parsed when ApplicationCertPolicies was absent; otherwise it
    // could never contribute to DeclaredApplicationPolicies.
    ISet<string>? ekus = null;
    if (appPolicies is null && data.EnhancedKeyUsage is { } ekuRaw)
    {
        ekus = ReadExtendedKeyUsageExtension(ekuRaw);
    }

    if (data.InhibitAnyPolicyExtension is { } inhibitAnyRaw)
    {
        policy.InhibitAnyDepth = ReadInhibitAnyPolicyExtension(inhibitAnyRaw);
    }

    policy.DeclaredApplicationPolicies = appPolicies ?? ekus;

    // A certificate that declares no policies of a given kind implicitly allows any;
    // an explicit anyPolicy OID inside a declared set is tracked separately.
    policy.ImplicitAnyApplicationPolicy = policy.DeclaredApplicationPolicies is null;
    policy.ImplicitAnyCertificatePolicy = policy.DeclaredCertificatePolicies is null;
    policy.SpecifiedAnyApplicationPolicy = CheckExplicitAnyPolicy(policy.DeclaredApplicationPolicies);
    policy.SpecifiedAnyCertificatePolicy = CheckExplicitAnyPolicy(policy.DeclaredCertificatePolicies);

    return policy;
}
/// <summary>
/// Determines whether <paramref name="policyOid"/> is a valid certificate policy
/// for the chain, applying each certificate's policy mappings on the way from the
/// root down to the end-entity certificate.
/// </summary>
/// <param name="policyOid">The certificate policy OID requested by the caller.</param>
/// <returns>
/// <see langword="false"/> immediately when <c>_failAllCertificatePolicies</c> is set;
/// otherwise <see langword="true"/> only when every certificate allows any policy or
/// declares the (possibly mapped) OID.
/// </returns>
internal bool MatchesCertificatePolicies(Oid policyOid)
{
    // Set by ReadPolicies when requireExplicitPolicy expired above a certificate
    // that declares no certificate policies: no policy can be valid.
    if (_failAllCertificatePolicies)
    {
        return false;
    }

    string pendingOid = policyOid.Value!;

    // Walk root -> leaf. RFC 3280 section 6.1.3 numbers certificates i=1..n with
    // i=1 the root CA, whereas _policies is leaf-first, so iterate the index downward.
    for (int depth = _policies.Length - 1; depth >= 0; depth--)
    {
        CertificatePolicy current = _policies[depth];
        string oidAtThisLevel = pendingOid;

        // Policy mappings translate the issuer-domain OID into the subject-domain
        // OID used from the next certificate downward. The comparison is always
        // against the OID in force at this level, so mappings do not chain within
        // one certificate; when several mappings name the same issuer policy the
        // last one wins.
        // NOTE(review): RFC 5280 permits one issuerDomainPolicy to map to several
        // subjectDomainPolicies; only a single mapping is followed here — confirm.
        if (current.PolicyMapping is { } mappings)
        {
            foreach (CertificatePolicyMappingAsn mapping in mappings)
            {
                if (string.Equals(mapping.IssuerDomainPolicy, oidAtThisLevel, StringComparison.Ordinal))
                {
                    pendingOid = mapping.SubjectDomainPolicy;
                }
            }
        }

        if (current.AllowsAnyCertificatePolicy)
        {
            continue;
        }

        // Without an "any" allowance, the OID must be explicitly declared.
        var declared = current.DeclaredCertificatePolicies;
        if (declared is null || !declared.Contains(oidAtThisLevel))
        {
            return false;
        }
    }

    return true;
}
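/// <summary>
/// Reads the policy data of every certificate in <paramref name="chain"/> into
/// <c>_policies</c> and then applies the RFC 3280/5280 policy state machine
/// (explicit-policy, inhibit-anyPolicy and inhibit-policy-mapping skip-certs
/// counters) from the root down to the end-entity certificate.
/// </summary>
/// <param name="chain">The chain in leaf-first order (index 0 is the EE cert).</param>
private void ReadPolicies(List<X509Certificate2> chain)
{
    for (int i = 0; i < chain.Count; i++)
    {
        _policies[i] = ReadPolicy(chain[i]);
    }

    // Each counter starts at n (chain length), so without a constraint it cannot
    // reach zero before the leaf.
    int explicitPolicyDepth = chain.Count;
    int inhibitAnyPolicyDepth = chain.Count;
    int inhibitPolicyMappingDepth = chain.Count;

    // Returns true when the skip-certs counter has already expired; otherwise
    // consumes one certificate from it. Keeping check and decrement together
    // guarantees each counter is decremented by exactly one per certificate
    // (RFC 5280 section 6.1.4 (h)) and cannot be confused with a sibling counter.
    static bool HasExpired(ref int skipCerts)
    {
        if (skipCerts <= 0)
        {
            return true;
        }

        skipCerts--;
        return false;
    }

    for (int i = 1; i <= chain.Count; i++)
    {
        // The loop variable (i) matches the definition in RFC 3280,
        // section 6.1.3. In that description i=1 is the root CA, and n
        // is the EE/leaf certificate. In our chain object 0 is the EE cert
        // and chain.Count-1 is the root cert. So we will index things as
        // chain.Count - i (because i is 1 indexed).
        int dataIdx = chain.Count - i;
        CertificatePolicy policy = _policies[dataIdx];

        // Explicit policy is required here but the certificate declares none:
        // no policy can ever match this chain.
        if (policy.DeclaredCertificatePolicies == null && explicitPolicyDepth <= 0)
        {
            _failAllCertificatePolicies = true;
        }

        // NOTE(review): RFC 5280 section 6.1.4 (h) skips these decrements for
        // self-issued intermediate certificates; no self-issued check is made
        // here — confirm whether that is intended.
        if (HasExpired(ref inhibitAnyPolicyDepth))
        {
            policy.ImplicitAnyCertificatePolicy = false;
            policy.SpecifiedAnyCertificatePolicy = false;
        }

        // Previously this branch decremented inhibitAnyPolicyDepth instead of
        // inhibitPolicyMappingDepth, so inhibit-anyPolicy expired twice as fast
        // and an inhibitPolicyMapping constraint greater than zero never
        // expired, leaving mappings honored beyond their permitted depth.
        if (HasExpired(ref inhibitPolicyMappingDepth))
        {
            policy.PolicyMapping = null;
        }

        if (HasExpired(ref explicitPolicyDepth))
        {
            policy.ImplicitAnyCertificatePolicy = false;
            policy.ImplicitAnyApplicationPolicy = false;
        }

        // Constraints carried by this certificate tighten the counters for the
        // certificates below it; presumably ApplyRestriction lowers the counter
        // only when the certificate's value is smaller — see ApplyRestriction.
        ApplyRestriction(ref inhibitAnyPolicyDepth, policy.InhibitAnyDepth);
        ApplyRestriction(ref inhibitPolicyMappingDepth, policy.InhibitMappingDepth);
        ApplyRestriction(ref explicitPolicyDepth, policy.RequireExplicitPolicyDepth);
    }
}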