|
public checkExcluded ( |
||
| name | ||
| Результат | void | |
internal static void ProcessCertBC(
PkixCertPath certPath,
int index,
PkixNameConstraintValidator nameConstraintValidator)
//throws CertPathValidatorException
{
IList certs = certPath.Certificates;
X509Certificate cert = (X509Certificate)certs[index];
int n = certs.Count;
// i as defined in the algorithm description
int i = n - index;
//
// (b), (c) permitted and excluded subtree checking.
//
if (!(PkixCertPathValidatorUtilities.IsSelfIssued(cert) && (i < n)))
{
X509Name principal = cert.SubjectDN;
Asn1InputStream aIn = new Asn1InputStream(principal.GetEncoded());
Asn1Sequence dns;
try
{
dns = DerSequence.GetInstance(aIn.ReadObject());
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Exception extracting subject name when checking subtrees.", e, certPath, index);
}
try
{
nameConstraintValidator.CheckPermittedDN(dns);
nameConstraintValidator.CheckExcludedDN(dns);
}
catch (PkixNameConstraintValidatorException e)
{
throw new PkixCertPathValidatorException(
"Subtree check for certificate subject failed.", e, certPath, index);
}
GeneralNames altName = null;
try
{
altName = GeneralNames.GetInstance(
PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.SubjectAlternativeName));
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Subject alternative name extension could not be decoded.", e, certPath, index);
}
IList emails = X509Name.GetInstance(dns).GetValueList(X509Name.EmailAddress);
foreach (string email in emails)
{
GeneralName emailAsGeneralName = new GeneralName(GeneralName.Rfc822Name, email);
try
{
nameConstraintValidator.checkPermitted(emailAsGeneralName);
nameConstraintValidator.checkExcluded(emailAsGeneralName);
}
catch (PkixNameConstraintValidatorException ex)
{
throw new PkixCertPathValidatorException(
"Subtree check for certificate subject alternative email failed.", ex, certPath, index);
}
}
if (altName != null)
{
GeneralName[] genNames = null;
try
{
genNames = altName.GetNames();
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Subject alternative name contents could not be decoded.", e, certPath, index);
}
foreach (GeneralName genName in genNames)
{
try
{
nameConstraintValidator.checkPermitted(genName);
nameConstraintValidator.checkExcluded(genName);
}
catch (PkixNameConstraintValidatorException e)
{
throw new PkixCertPathValidatorException(
"Subtree check for certificate subject alternative name failed.", e, certPath, index);
}
}
}
}
}
/**
* Tests byte array based GeneralNames for inclusion or exclusion.
*
* @param nameType The {@link GeneralName} type to test.
* @param testName The name to test.
* @param testNameIsConstraint The names where <code>testName</code> must
* be included and excluded.
* @param testNameIsNotConstraint The names where <code>testName</code>
* must not be excluded and included.
* @param testNames1 Operand 1 of test names to use for union and
* intersection testing.
* @param testNames2 Operand 2 of test names to use for union and
* intersection testing.
* @param testUnion The union results.
* @param testInterSection The intersection results.
* @throws Exception If an unexpected exception occurs.
*/
private void TestConstraints(
int nameType,
byte[] testName,
byte[][] testNameIsConstraint,
byte[][] testNameIsNotConstraint,
byte[][] testNames1,
byte[][] testNames2,
byte[][][] testUnion,
byte[][] testInterSection)
{
for (int i = 0; i < testNameIsConstraint.Length; i++)
{
PkixNameConstraintValidator constraintValidator = new PkixNameConstraintValidator();
constraintValidator.IntersectPermittedSubtree(new DerSequence(new GeneralSubtree(
new GeneralName(nameType, new DerOctetString(
testNameIsConstraint[i])))));
constraintValidator.checkPermitted(new GeneralName(nameType,
new DerOctetString(testName)));
}
for (int i = 0; i < testNameIsNotConstraint.Length; i++)
{
PkixNameConstraintValidator constraintValidator = new PkixNameConstraintValidator();
constraintValidator.IntersectPermittedSubtree(new DerSequence(new GeneralSubtree(
new GeneralName(nameType, new DerOctetString(
testNameIsNotConstraint[i])))));
try
{
constraintValidator.checkPermitted(new GeneralName(nameType,
new DerOctetString(testName)));
Fail("not permitted name allowed: " + nameType);
}
catch (PkixNameConstraintValidatorException)
{
// expected
}
}
for (int i = 0; i < testNameIsConstraint.Length; i++)
{
PkixNameConstraintValidator constraintValidator = new PkixNameConstraintValidator();
constraintValidator.AddExcludedSubtree(new GeneralSubtree(new GeneralName(
nameType, new DerOctetString(testNameIsConstraint[i]))));
try
{
constraintValidator.checkExcluded(new GeneralName(nameType,
new DerOctetString(testName)));
Fail("excluded name missed: " + nameType);
}
catch (PkixNameConstraintValidatorException)
{
// expected
}
}
for (int i = 0; i < testNameIsNotConstraint.Length; i++)
{
PkixNameConstraintValidator constraintValidator = new PkixNameConstraintValidator();
constraintValidator.AddExcludedSubtree(new GeneralSubtree(new GeneralName(
nameType, new DerOctetString(testNameIsNotConstraint[i]))));
constraintValidator.checkExcluded(new GeneralName(nameType,
new DerOctetString(testName)));
}
for (int i = 0; i < testNames1.Length; i++)
{
PkixNameConstraintValidator constraintValidator = new PkixNameConstraintValidator();
constraintValidator.AddExcludedSubtree(new GeneralSubtree(new GeneralName(
nameType, new DerOctetString(testNames1[i]))));
constraintValidator.AddExcludedSubtree(new GeneralSubtree(new GeneralName(
nameType, new DerOctetString(testNames2[i]))));
PkixNameConstraintValidator constraints2 = new PkixNameConstraintValidator();
for (int j = 0; j < testUnion[i].Length; j++)
{
constraints2.AddExcludedSubtree(new GeneralSubtree(
new GeneralName(nameType, new DerOctetString(
testUnion[i][j]))));
}
if (!constraints2.Equals(constraintValidator))
{
Fail("union wrong: " + nameType);
}
constraintValidator = new PkixNameConstraintValidator();
constraintValidator.IntersectPermittedSubtree(new DerSequence(new GeneralSubtree(
new GeneralName(nameType, new DerOctetString(testNames1[i])))));
constraintValidator.IntersectPermittedSubtree(new DerSequence(new GeneralSubtree(
new GeneralName(nameType, new DerOctetString(testNames2[i])))));
constraints2 = new PkixNameConstraintValidator();
if (testInterSection[i] != null)
{
constraints2.IntersectPermittedSubtree(new DerSequence(new GeneralSubtree(
new GeneralName(nameType, new DerOctetString(
testInterSection[i])))));
}
else
{
constraints2.IntersectEmptyPermittedSubtree(nameType);
}
if (!constraints2.Equals(constraintValidator))
{
Fail("intersection wrong: " + nameType);
}
}
}
