/// <summary>
/// Builds certification path for provided signing certificate
/// </summary>
/// <param name="signingCertificate">Signing certificate</param>
/// <param name="otherCertificates">Other certificates that should be used in path building process. Self-signed certificates from this list are used as trust anchors.</param>
/// <returns>Certification path for provided signing certificate</returns>
public static ICollection <BCX509.X509Certificate> BuildCertPath(byte[] signingCertificate, List <byte[]> otherCertificates)
{
if (signingCertificate == null)
{
throw new ArgumentNullException("signingCertificate");
}
List <BCX509.X509Certificate> result = new List <BCX509.X509Certificate>();
BCX509.X509Certificate signingCert = ToBouncyCastleObject(signingCertificate);
BCCollections.ISet trustAnchors = new BCCollections.HashSet();
List <BCX509.X509Certificate> otherCerts = new List <BCX509.X509Certificate>();
if (IsSelfSigned(signingCert))
{
result.Add(signingCert);
}
else
{
otherCerts.Add(signingCert);
if (otherCertificates != null)
{
foreach (byte[] otherCertificate in otherCertificates)
{
BCX509.X509Certificate otherCert = ToBouncyCastleObject(otherCertificate);
otherCerts.Add(ToBouncyCastleObject(otherCertificate));
if (IsSelfSigned(otherCert))
{
trustAnchors.Add(new TrustAnchor(otherCert, null));
}
}
}
if (trustAnchors.Count < 1)
{
throw new PkixCertPathBuilderException("Provided certificates do not contain self-signed root certificate");
}
X509CertStoreSelector targetConstraints = new X509CertStoreSelector();
targetConstraints.Certificate = signingCert;
PkixBuilderParameters certPathBuilderParameters = new PkixBuilderParameters(trustAnchors, targetConstraints);
certPathBuilderParameters.AddStore(X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(otherCerts)));
certPathBuilderParameters.IsRevocationEnabled = false;
PkixCertPathBuilder certPathBuilder = new PkixCertPathBuilder();
PkixCertPathBuilderResult certPathBuilderResult = certPathBuilder.Build(certPathBuilderParameters);
foreach (BCX509.X509Certificate certPathCert in certPathBuilderResult.CertPath.Certificates)
{
result.Add(certPathCert);
}
result.Add(certPathBuilderResult.TrustAnchor.TrustedCert);
}
return(result);
}
public virtual ISet FindCrls(X509CrlStoreSelector crlselect, PkixParameters paramsPkix, DateTime currentDate)
{
ISet initialSet = new HashSet();
// get complete CRL(s)
try
{
initialSet.AddAll(FindCrls(crlselect, paramsPkix.GetAdditionalStores()));
initialSet.AddAll(FindCrls(crlselect, paramsPkix.GetStores()));
}
catch (Exception e)
{
throw new Exception("Exception obtaining complete CRLs.", e);
}
ISet finalSet = new HashSet();
DateTime validityDate = currentDate;
if (paramsPkix.Date != null)
{
validityDate = paramsPkix.Date.Value;
}
// based on RFC 5280 6.3.3
foreach (X509Crl crl in initialSet)
{
if (crl.NextUpdate.Value.CompareTo(validityDate) > 0)
{
X509Certificate cert = crlselect.CertificateChecking;
if (cert != null)
{
if (crl.ThisUpdate.CompareTo(cert.NotAfter) < 0)
{
finalSet.Add(crl);
}
}
else
{
finalSet.Add(crl);
}
}
}
return finalSet;
}
private void baseTest()
{
// CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
X509CertificateParser certParser = new X509CertificateParser();
X509CrlParser crlParser = new X509CrlParser();
// initialise CertStore
X509Certificate rootCert = certParser.ReadCertificate(CertPathTest.rootCertBin);
X509Certificate interCert = certParser.ReadCertificate(CertPathTest.interCertBin);
X509Certificate finalCert = certParser.ReadCertificate(CertPathTest.finalCertBin);
X509Crl rootCrl = crlParser.ReadCrl(CertPathTest.rootCrlBin);
X509Crl interCrl = crlParser.ReadCrl(CertPathTest.interCrlBin);
IList certList = new ArrayList();
certList.Add(rootCert);
certList.Add(interCert);
certList.Add(finalCert);
IList crlList = new ArrayList();
crlList.Add(rootCrl);
crlList.Add(interCrl);
// CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list);
// CertStore store = CertStore.getInstance("Collection", ccsp, "BC");
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(certList));
IX509Store x509CrlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(crlList));
// NB: Month is 1-based in .NET
//DateTime validDate = new DateTime(2008, 9, 4, 14, 49, 10).ToUniversalTime();
DateTime validDate = new DateTime(2008, 9, 4, 5, 49, 10);//.ToUniversalTime();
//Searching for rootCert by subjectDN without CRL
ISet trust = new HashSet();
trust.Add(new TrustAnchor(rootCert, null));
// CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX","BC");
PkixCertPathBuilder cpb = new PkixCertPathBuilder();
X509CertStoreSelector targetConstraints = new X509CertStoreSelector();
targetConstraints.Subject = finalCert.SubjectDN;
PkixBuilderParameters parameters = new PkixBuilderParameters(trust, targetConstraints);
// parameters.addCertStore(store);
parameters.AddStore(x509CertStore);
parameters.AddStore(x509CrlStore);
parameters.Date = new DateTimeObject(validDate);
PkixCertPathBuilderResult result = cpb.Build(parameters);
PkixCertPath path = result.CertPath;
if (path.Certificates.Count != 2)
{
Fail("wrong number of certs in baseTest path");
}
}
/// <summary>
/// Builds certification path for provided signing certificate
/// </summary>
/// <param name="signingCertificate">Signing certificate</param>
/// <param name="otherCertificates">Other certificates that should be used in path building process. Self-signed certificates from this list are used as trust anchors.</param>
/// <param name="includeRoot">Flag indicating whether root certificate should be included int the certification path.</param>
/// <returns>Certification path for provided signing certificate</returns>
public static ICollection<BCX509.X509Certificate> BuildCertPath(byte[] signingCertificate, List<byte[]> otherCertificates, bool includeRoot)
{
if (signingCertificate == null)
throw new ArgumentNullException("signingCertificate");
List<BCX509.X509Certificate> result = new List<BCX509.X509Certificate>();
BCX509.X509Certificate signingCert = ToBouncyCastleObject(signingCertificate);
BCCollections.ISet trustAnchors = new BCCollections.HashSet();
List<BCX509.X509Certificate> otherCerts = new List<BCX509.X509Certificate>();
if (IsSelfSigned(signingCert))
{
if (includeRoot)
result.Add(signingCert);
}
else
{
otherCerts.Add(signingCert);
if (otherCertificates != null)
{
foreach (byte[] otherCertificate in otherCertificates)
{
BCX509.X509Certificate otherCert = ToBouncyCastleObject(otherCertificate);
otherCerts.Add(ToBouncyCastleObject(otherCertificate));
if (IsSelfSigned(otherCert))
trustAnchors.Add(new TrustAnchor(otherCert, null));
}
}
if (trustAnchors.Count < 1)
throw new PkixCertPathBuilderException("Provided certificates do not contain self-signed root certificate");
X509CertStoreSelector targetConstraints = new X509CertStoreSelector();
targetConstraints.Certificate = signingCert;
PkixBuilderParameters certPathBuilderParameters = new PkixBuilderParameters(trustAnchors, targetConstraints);
certPathBuilderParameters.AddStore(X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(otherCerts)));
certPathBuilderParameters.IsRevocationEnabled = false;
PkixCertPathBuilder certPathBuilder = new PkixCertPathBuilder();
PkixCertPathBuilderResult certPathBuilderResult = certPathBuilder.Build(certPathBuilderParameters);
foreach (BCX509.X509Certificate certPathCert in certPathBuilderResult.CertPath.Certificates)
result.Add(certPathCert);
if (includeRoot)
result.Add(certPathBuilderResult.TrustAnchor.TrustedCert);
}
return result;
}
protected virtual ISet GetExtensionOids(
bool critical)
{
X509Extensions extensions = GetX509Extensions();
if (extensions != null)
{
HashSet set = new HashSet();
foreach (DerObjectIdentifier oid in extensions.ExtensionOids)
{
X509Extension ext = extensions.GetExtension(oid);
if (ext.IsCritical == critical)
{
set.Add(oid.Id);
}
}
return set;
}
return null;
}
internal static PkixPolicyNode ProcessCertD(
PkixCertPath certPath,
int index,
ISet acceptablePolicies,
PkixPolicyNode validPolicyTree,
IList[] policyNodes,
int inhibitAnyPolicy)
//throws CertPathValidatorException
{
IList certs = certPath.Certificates;
X509Certificate cert = (X509Certificate)certs[index];
int n = certs.Count;
// i as defined in the algorithm description
int i = n - index;
//
// (d) policy Information checking against initial policy and
// policy mapping
//
Asn1Sequence certPolicies = null;
try
{
certPolicies = DerSequence.GetInstance(
PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.CertificatePolicies));
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Could not read certificate policies extension from certificate.", e, certPath, index);
}
if (certPolicies != null && validPolicyTree != null)
{
//
// (d) (1)
//
ISet pols = new HashSet();
foreach (Asn1Encodable ae in certPolicies)
{
PolicyInformation pInfo = PolicyInformation.GetInstance(ae.ToAsn1Object());
DerObjectIdentifier pOid = pInfo.PolicyIdentifier;
pols.Add(pOid.Id);
if (!Rfc3280CertPathUtilities.ANY_POLICY.Equals(pOid.Id))
{
ISet pq = null;
try
{
pq = PkixCertPathValidatorUtilities.GetQualifierSet(pInfo.PolicyQualifiers);
}
catch (PkixCertPathValidatorException ex)
{
throw new PkixCertPathValidatorException(
"Policy qualifier info set could not be build.", ex, certPath, index);
}
bool match = PkixCertPathValidatorUtilities.ProcessCertD1i(i, policyNodes, pOid, pq);
if (!match)
{
PkixCertPathValidatorUtilities.ProcessCertD1ii(i, policyNodes, pOid, pq);
}
}
}
if (acceptablePolicies.IsEmpty || acceptablePolicies.Contains(Rfc3280CertPathUtilities.ANY_POLICY))
{
acceptablePolicies.Clear();
acceptablePolicies.AddAll(pols);
}
else
{
ISet t1 = new HashSet();
foreach (object o in acceptablePolicies)
{
if (pols.Contains(o))
{
t1.Add(o);
}
}
acceptablePolicies.Clear();
acceptablePolicies.AddAll(t1);
}
//
// (d) (2)
//
if ((inhibitAnyPolicy > 0) || ((i < n) && PkixCertPathValidatorUtilities.IsSelfIssued(cert)))
{
foreach (Asn1Encodable ae in certPolicies)
{
PolicyInformation pInfo = PolicyInformation.GetInstance(ae.ToAsn1Object());
if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(pInfo.PolicyIdentifier.Id))
{
ISet _apq = PkixCertPathValidatorUtilities.GetQualifierSet(pInfo.PolicyQualifiers);
IList _nodes = policyNodes[i - 1];
for (int k = 0; k < _nodes.Count; k++)
{
PkixPolicyNode _node = (PkixPolicyNode)_nodes[k];
IEnumerator _policySetIter = _node.ExpectedPolicies.GetEnumerator();
while (_policySetIter.MoveNext())
{
object _tmp = _policySetIter.Current;
string _policy;
if (_tmp is string)
{
_policy = (string)_tmp;
}
else if (_tmp is DerObjectIdentifier)
{
_policy = ((DerObjectIdentifier)_tmp).Id;
}
else
{
continue;
}
bool _found = false;
foreach (PkixPolicyNode _child in _node.Children)
{
if (_policy.Equals(_child.ValidPolicy))
{
_found = true;
}
}
if (!_found)
{
ISet _newChildExpectedPolicies = new HashSet();
_newChildExpectedPolicies.Add(_policy);
PkixPolicyNode _newChild = new PkixPolicyNode(Platform.CreateArrayList(), i,
_newChildExpectedPolicies, _node, _apq, _policy, false);
_node.AddChild(_newChild);
policyNodes[i].Add(_newChild);
}
}
}
break;
}
}
}
PkixPolicyNode _validPolicyTree = validPolicyTree;
//
// (d) (3)
//
for (int j = (i - 1); j >= 0; j--)
{
IList nodes = policyNodes[j];
for (int k = 0; k < nodes.Count; k++)
{
PkixPolicyNode node = (PkixPolicyNode)nodes[k];
if (!node.HasChildren)
{
_validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(_validPolicyTree, policyNodes,
node);
if (_validPolicyTree == null)
{
break;
}
}
}
}
//
// d (4)
//
ISet criticalExtensionOids = cert.GetCriticalExtensionOids();
if (criticalExtensionOids != null)
{
bool critical = criticalExtensionOids.Contains(X509Extensions.CertificatePolicies.Id);
IList nodes = policyNodes[i];
for (int j = 0; j < nodes.Count; j++)
{
PkixPolicyNode node = (PkixPolicyNode)nodes[j];
node.IsCritical = critical;
}
}
return _validPolicyTree;
}
return null;
}
internal static PkixPolicyNode PrepareCertB(
PkixCertPath certPath,
int index,
IList[] policyNodes,
PkixPolicyNode validPolicyTree,
int policyMapping)
//throws CertPathValidatorException
{
IList certs = certPath.Certificates;
X509Certificate cert = (X509Certificate)certs[index];
int n = certs.Count;
// i as defined in the algorithm description
int i = n - index;
// (b)
//
Asn1Sequence pm = null;
try
{
pm = (Asn1Sequence)Asn1Sequence.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.PolicyMappings));
}
catch (Exception ex)
{
throw new PkixCertPathValidatorException(
"Policy mappings extension could not be decoded.", ex, certPath, index);
}
PkixPolicyNode _validPolicyTree = validPolicyTree;
if (pm != null)
{
Asn1Sequence mappings = (Asn1Sequence)pm;
IDictionary m_idp = Platform.CreateHashtable();
ISet s_idp = new HashSet();
for (int j = 0; j < mappings.Count; j++)
{
Asn1Sequence mapping = (Asn1Sequence) mappings[j];
string id_p = ((DerObjectIdentifier) mapping[0]).Id;
string sd_p = ((DerObjectIdentifier) mapping[1]).Id;
ISet tmp;
if (!m_idp.Contains(id_p))
{
tmp = new HashSet();
tmp.Add(sd_p);
m_idp[id_p] = tmp;
s_idp.Add(id_p);
}
else
{
tmp = (ISet)m_idp[id_p];
tmp.Add(sd_p);
}
}
IEnumerator it_idp = s_idp.GetEnumerator();
while (it_idp.MoveNext())
{
string id_p = (string)it_idp.Current;
//
// (1)
//
if (policyMapping > 0)
{
bool idp_found = false;
IEnumerator nodes_i = policyNodes[i].GetEnumerator();
while (nodes_i.MoveNext())
{
PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current;
if (node.ValidPolicy.Equals(id_p))
{
idp_found = true;
node.ExpectedPolicies = (ISet)m_idp[id_p];
break;
}
}
if (!idp_found)
{
nodes_i = policyNodes[i].GetEnumerator();
while (nodes_i.MoveNext())
{
PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current;
if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(node.ValidPolicy))
{
ISet pq = null;
Asn1Sequence policies = null;
try
{
policies = (Asn1Sequence)PkixCertPathValidatorUtilities.GetExtensionValue(cert,
X509Extensions.CertificatePolicies);
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Certificate policies extension could not be decoded.", e, certPath, index);
}
foreach (Asn1Encodable ae in policies)
{
PolicyInformation pinfo = null;
try
{
pinfo = PolicyInformation.GetInstance(ae.ToAsn1Object());
}
catch (Exception ex)
{
throw new PkixCertPathValidatorException(
"Policy information could not be decoded.", ex, certPath, index);
}
if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(pinfo.PolicyIdentifier.Id))
{
try
{
pq = PkixCertPathValidatorUtilities
.GetQualifierSet(pinfo.PolicyQualifiers);
}
catch (PkixCertPathValidatorException ex)
{
throw new PkixCertPathValidatorException(
"Policy qualifier info set could not be decoded.", ex, certPath,
index);
}
break;
}
}
bool ci = false;
ISet critExtOids = cert.GetCriticalExtensionOids();
if (critExtOids != null)
{
ci = critExtOids.Contains(X509Extensions.CertificatePolicies.Id);
}
PkixPolicyNode p_node = (PkixPolicyNode)node.Parent;
if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(p_node.ValidPolicy))
{
PkixPolicyNode c_node = new PkixPolicyNode(Platform.CreateArrayList(), i,
(ISet)m_idp[id_p], p_node, pq, id_p, ci);
p_node.AddChild(c_node);
policyNodes[i].Add(c_node);
}
break;
}
}
}
//
// (2)
//
}
else if (policyMapping <= 0)
{
foreach (PkixPolicyNode node in Platform.CreateArrayList(policyNodes[i]))
{
if (node.ValidPolicy.Equals(id_p))
{
node.Parent.RemoveChild(node);
for (int k = i - 1; k >= 0; k--)
{
foreach (PkixPolicyNode node2 in Platform.CreateArrayList(policyNodes[k]))
{
if (!node2.HasChildren)
{
_validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(
_validPolicyTree, policyNodes, node2);
if (_validPolicyTree == null)
break;
}
}
}
}
}
}
}
}
return _validPolicyTree;
}
/**
* Fetches delta CRLs according to RFC 3280 section 5.2.4.
*
* @param currentDate The date for which the delta CRLs must be valid.
* @param paramsPKIX The extended PKIX parameters.
* @param completeCRL The complete CRL the delta CRL is for.
* @return A <code>Set</code> of <code>X509CRL</code>s with delta CRLs.
* @throws Exception if an exception occurs while picking the delta
* CRLs.
*/
internal static ISet GetDeltaCrls(
DateTime currentDate,
PkixParameters paramsPKIX,
X509Crl completeCRL)
{
X509CrlStoreSelector deltaSelect = new X509CrlStoreSelector();
// 5.2.4 (a)
try
{
IList deltaSelectIssuer = Platform.CreateArrayList();
deltaSelectIssuer.Add(completeCRL.IssuerDN);
deltaSelect.Issuers = deltaSelectIssuer;
}
catch (IOException e)
{
throw new Exception("Cannot extract issuer from CRL.", e);
}
BigInteger completeCRLNumber = null;
try
{
Asn1Object asn1Object = GetExtensionValue(completeCRL, X509Extensions.CrlNumber);
if (asn1Object != null)
{
completeCRLNumber = CrlNumber.GetInstance(asn1Object).PositiveValue;
}
}
catch (Exception e)
{
throw new Exception(
"CRL number extension could not be extracted from CRL.", e);
}
// 5.2.4 (b)
byte[] idp = null;
try
{
Asn1Object obj = GetExtensionValue(completeCRL, X509Extensions.IssuingDistributionPoint);
if (obj != null)
{
idp = obj.GetDerEncoded();
}
}
catch (Exception e)
{
throw new Exception(
"Issuing distribution point extension value could not be read.",
e);
}
// 5.2.4 (d)
deltaSelect.MinCrlNumber = (completeCRLNumber == null)
? null
: completeCRLNumber.Add(BigInteger.One);
deltaSelect.IssuingDistributionPoint = idp;
deltaSelect.IssuingDistributionPointEnabled = true;
// 5.2.4 (c)
deltaSelect.MaxBaseCrlNumber = completeCRLNumber;
// find delta CRLs
ISet temp = CrlUtilities.FindCrls(deltaSelect, paramsPKIX, currentDate);
ISet result = new HashSet();
foreach (X509Crl crl in temp)
{
if (isDeltaCrl(crl))
{
result.Add(crl);
}
}
return result;
}
//
// policy checking
//
internal static ISet GetQualifierSet(Asn1Sequence qualifiers)
{
ISet pq = new HashSet();
if (qualifiers == null)
{
return pq;
}
foreach (Asn1Encodable ae in qualifiers)
{
try
{
// pq.Add(PolicyQualifierInfo.GetInstance(Asn1Object.FromByteArray(ae.GetEncoded())));
pq.Add(PolicyQualifierInfo.GetInstance(ae.ToAsn1Object()));
}
catch (IOException ex)
{
throw new PkixCertPathValidatorException("Policy qualifier info cannot be decoded.", ex);
}
}
return pq;
}
internal static bool ProcessCertD1i(
int index,
IList[] policyNodes,
DerObjectIdentifier pOid,
ISet pq)
{
IList policyNodeVec = policyNodes[index - 1];
for (int j = 0; j < policyNodeVec.Count; j++)
{
PkixPolicyNode node = (PkixPolicyNode)policyNodeVec[j];
ISet expectedPolicies = node.ExpectedPolicies;
if (expectedPolicies.Contains(pOid.Id))
{
ISet childExpectedPolicies = new HashSet();
childExpectedPolicies.Add(pOid.Id);
PkixPolicyNode child = new PkixPolicyNode(Platform.CreateArrayList(),
index,
childExpectedPolicies,
node,
pq,
pOid.Id,
false);
node.AddChild(child);
policyNodes[index].Add(child);
return true;
}
}
return false;
}
static IEnumerable<Org.BouncyCastle.X509.X509Certificate> BuildCertificateChainBC(byte[] primary, IEnumerable<byte[]> additional)
{
X509CertificateParser parser = new X509CertificateParser();
PkixCertPathBuilder builder = new PkixCertPathBuilder();
// Separate root from itermediate
var intermediateCerts = new List<Org.BouncyCastle.X509.X509Certificate>();
HashSet rootCerts = new HashSet();
foreach (byte[] cert in additional)
{
var x509Cert = parser.ReadCertificate(cert);
// Separate root and subordinate certificates
if (x509Cert.IssuerDN.Equivalent(x509Cert.SubjectDN))
rootCerts.Add(new TrustAnchor(x509Cert, null));
else
intermediateCerts.Add(x509Cert);
}
// Create chain for this certificate
X509CertStoreSelector holder = new X509CertStoreSelector();
holder.Certificate = parser.ReadCertificate(primary);
// WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN
intermediateCerts.Add(holder.Certificate);
PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder);
builderParams.IsRevocationEnabled = false;
X509CollectionStoreParameters intermediateStoreParameters =
new X509CollectionStoreParameters(intermediateCerts);
builderParams.AddStore(X509StoreFactory.Create(
"Certificate/Collection", intermediateStoreParameters));
PkixCertPathBuilderResult result = builder.Build(builderParams);
return result.CertPath.Certificates.Cast<Org.BouncyCastle.X509.X509Certificate>();
}
public string SelectAppropriateIndex(string entityName, IndexQuery indexQuery)
{
// There isn't much point for query optimizer of aggregation indexes
// the main reason is that we must always aggregate on the same items, and using the same
// aggregation. Therefore we can't reuse one aggregate index for another query.
// We decline to suggest an index here and choose to use the default index created for this
// sort of query, which is what we would have to choose anyway.
if(indexQuery.AggregationOperation != AggregationOperation.None)
return null;
if (string.IsNullOrEmpty(indexQuery.Query) && // we optimize for empty queries to use Raven/DocumentsByEntityName
(indexQuery.SortedFields == null || indexQuery.SortedFields.Length == 0) && // and no sorting was requested
database.IndexDefinitionStorage.Contains("Raven/DocumentsByEntityName")) // and Raven/DocumentsByEntityName exists
{
if (string.IsNullOrEmpty(entityName) == false)
indexQuery.Query = "Tag:" + entityName;
return "Raven/DocumentsByEntityName";
}
var fieldsQueriedUpon = SimpleQueryParser.GetFieldsForDynamicQuery(indexQuery).Select(x => x.Item2).ToArray();
var normalizedFieldsQueriedUpon =
fieldsQueriedUpon.Select(DynamicQueryMapping.ReplaceIndavlidCharactersForFields).ToArray();
var distinctSelectManyFields = new HashSet<string>();
foreach (var field in fieldsQueriedUpon)
{
var parts = field.Split(new[]{','}, StringSplitOptions.RemoveEmptyEntries);
for (int i = 1; i < parts.Length; i++)
{
distinctSelectManyFields.Add(string.Join(",", parts.Take(i)));
}
}
return database.IndexDefinitionStorage.IndexNames
.Where(indexName =>
{
var abstractViewGenerator = database.IndexDefinitionStorage.GetViewGenerator(indexName);
if (abstractViewGenerator == null) // there is no matching view generator
return false;
if (abstractViewGenerator.ReduceDefinition != null) // we can't choose a map/reduce index
return false;
if (abstractViewGenerator.TransformResultsDefinition != null)// we can't choose an index with transform results
return false;
if (abstractViewGenerator.HasWhereClause) // without a where clause
return false;
// we can't select an index that has SelectMany in it, because it result in invalid results when
// you query it for things like Count, see https://github.com/ravendb/ravendb/issues/250
// for indexes with internal projections, we use the exact match based on the generated index name
// rather than selecting the optimal one
// in order to handle that, we count the number of select many that would happen because of the query
// and match it to the number of select many in the index
if (abstractViewGenerator.CountOfSelectMany != distinctSelectManyFields.Count)
return false;
if(entityName == null)
{
if (abstractViewGenerator.ForEntityNames.Count != 0)
return false;
}
else
{
if (abstractViewGenerator.ForEntityNames.Count != 1 || // we only allow indexes with a single entity name
abstractViewGenerator.ForEntityNames.Contains(entityName) == false) // for the specified entity name
return false;
}
if (normalizedFieldsQueriedUpon.All(abstractViewGenerator.ContainsFieldOnMap) == false)
return false;
var indexDefinition = database.IndexDefinitionStorage.GetIndexDefinition(indexName);
if (indexDefinition == null)
return false;
if (indexQuery.SortedFields != null && indexQuery.SortedFields.Length> 0)
{
var sortInfo = DynamicQueryMapping.GetSortInfo(s => { });
foreach (var sortedField in indexQuery.SortedFields) // with matching sort options
{
if(sortedField.Field.StartsWith(Constants.RandomFieldName))
continue;
// if the field is not in the output, then we can't sort on it.
if (abstractViewGenerator.ContainsField(sortedField.Field) == false)
return false;
var dynamicSortInfo = sortInfo.FirstOrDefault(x=>x.Field == sortedField.Field);
if (dynamicSortInfo == null)// no sort order specified, we don't care, probably
continue;
SortOptions value;
if (indexDefinition.SortOptions.TryGetValue(sortedField.Field, out value) == false)
{
switch (dynamicSortInfo.FieldType)// if we can't find the value, we check if we asked for the default sorting
{
case SortOptions.String:
case SortOptions.None:
continue;
default:
return false;
}
}
if(value != dynamicSortInfo.FieldType)
return false; // different sort order, there is a problem here
}
}
if (indexDefinition.Analyzers != null && indexDefinition.Analyzers.Count > 0)
{
// none of the fields have custom analyzers
if (normalizedFieldsQueriedUpon.Any(indexDefinition.Analyzers.ContainsKey))
return false;
}
if (indexDefinition.Indexes != null && indexDefinition.Indexes.Count > 0)
{
//If any of the fields we want to query on are set to something other than the default, don't use the index
var anyFieldWithNonDefaultIndexing = normalizedFieldsQueriedUpon.Any(x =>
{
FieldIndexing analysedInfo;
if (indexDefinition.Indexes.TryGetValue(x, out analysedInfo))
{
if (analysedInfo != FieldIndexing.Default)
return true;
}
return false;
});
if (anyFieldWithNonDefaultIndexing)
return false;
}
return true;
})
.OrderByDescending(indexName =>
{
// We select the widest index, because we want to encourage bigger indexes
// Over time, it means that we smaller indexes would wither away and die, while
// bigger indexes will be selected more often and then upgrade to permanent indexes
var abstractViewGenerator = database.IndexDefinitionStorage.GetViewGenerator(indexName);
if (abstractViewGenerator == null) // there is a matching view generator
return -1;
return abstractViewGenerator.CountOfFields;
})
.FirstOrDefault();
}
private ISet ExtractGeneralNames(
IEnumerable names)
{
ISet result = new HashSet();
if (names != null)
{
foreach (object o in names)
{
if (o is GeneralName)
{
result.Add(o);
}
else
{
result.Add(GeneralName.GetInstance(Asn1Object.FromByteArray((byte[]) o)));
}
}
}
return result;
}
public void TestMultiply()
{
ArrayList nameList = new ArrayList();
CollectionUtilities.AddRange(nameList, ECNamedCurveTable.Names);
string[] names = (string[])nameList.ToArray(typeof(string));
Array.Sort(names);
ISet oids = new HashSet();
foreach (string name in names)
{
DerObjectIdentifier oid = ECNamedCurveTable.GetOid(name);
if (!oids.Contains(oid))
{
oids.Add(oid);
RandMult(name);
}
}
}
private void doTestExceptions()
{
byte[] enc = { (byte)0, (byte)2, (byte)3, (byte)4, (byte)5 };
// MyCertPath mc = new MyCertPath(enc);
MemoryStream os = new MemoryStream();
MemoryStream ins;
byte[] arr;
// TODO Support serialization of cert paths?
// ObjectOutputStream oos = new ObjectOutputStream(os);
// oos.WriteObject(mc);
// oos.Flush();
// oos.Close();
try
{
// CertificateFactory cFac = CertificateFactory.GetInstance("X.509");
arr = os.ToArray();
ins = new MemoryStream(arr, false);
// cFac.generateCertPath(ins);
new PkixCertPath(ins);
}
catch (CertificateException)
{
// ignore okay
}
// CertificateFactory cf = CertificateFactory.GetInstance("X.509");
X509CertificateParser cf = new X509CertificateParser();
IList certCol = new ArrayList();
certCol.Add(cf.ReadCertificate(certA));
certCol.Add(cf.ReadCertificate(certB));
certCol.Add(cf.ReadCertificate(certC));
certCol.Add(cf.ReadCertificate(certD));
// CertPathBuilder pathBuilder = CertPathBuilder.GetInstance("PKIX");
PkixCertPathBuilder pathBuilder = new PkixCertPathBuilder();
X509CertStoreSelector select = new X509CertStoreSelector();
select.Subject = ((X509Certificate)certCol[0]).SubjectDN;
ISet trustanchors = new HashSet();
trustanchors.Add(new TrustAnchor(cf.ReadCertificate(rootCertBin), null));
// CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certCol));
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(certCol));
PkixBuilderParameters parameters = new PkixBuilderParameters(trustanchors, select);
parameters.AddStore(x509CertStore);
try
{
PkixCertPathBuilderResult result = pathBuilder.Build(parameters);
PkixCertPath path = result.CertPath;
Fail("found cert path in circular set");
}
catch (PkixCertPathBuilderException)
{
// expected
}
}
private ISet LoadCrlEntries()
{
ISet entrySet = new HashSet();
IEnumerable certs = c.GetRevokedCertificateEnumeration();
X509Name previousCertificateIssuer = IssuerDN;
foreach (CrlEntry entry in certs)
{
X509CrlEntry crlEntry = new X509CrlEntry(entry, isIndirect, previousCertificateIssuer);
entrySet.Add(crlEntry);
previousCertificateIssuer = crlEntry.GetCertificateIssuer();
}
return entrySet;
}
public override void PerformTest()
{
//
// personal keys
//
RsaPublicKeyStructure pubKeySpec = new RsaPublicKeyStructure(
new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16),
new BigInteger("11", 16));
RsaPrivateCrtKeyParameters privKeySpec = new RsaPrivateCrtKeyParameters(
new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16),
new BigInteger("11", 16),
new BigInteger("9f66f6b05410cd503b2709e88115d55daced94d1a34d4e32bf824d0dde6028ae79c5f07b580f5dce240d7111f7ddb130a7945cd7d957d1920994da389f490c89", 16),
new BigInteger("c0a0758cdf14256f78d4708c86becdead1b50ad4ad6c5c703e2168fbf37884cb", 16),
new BigInteger("f01734d7960ea60070f1b06f2bb81bfac48ff192ae18451d5e56c734a5aab8a5", 16),
new BigInteger("b54bb9edff22051d9ee60f9351a48591b6500a319429c069a3e335a1d6171391", 16),
new BigInteger("d3d83daf2a0cecd3367ae6f8ae1aeb82e9ac2f816c6fc483533d8297dd7884cd", 16),
new BigInteger("b8f52fc6f38593dabb661d3f50f8897f8106eee68b1bce78a95b132b4e5b5d19", 16));
//
// intermediate keys.
//
RsaPublicKeyStructure intPubKeySpec = new RsaPublicKeyStructure(
new BigInteger("8de0d113c5e736969c8d2b047a243f8fe18edad64cde9e842d3669230ca486f7cfdde1f8eec54d1905fff04acc85e61093e180cadc6cea407f193d44bb0e9449b8dbb49784cd9e36260c39e06a947299978c6ed8300724e887198cfede20f3fbde658fa2bd078be946a392bd349f2b49c486e20c405588e306706c9017308e69", 16),
new BigInteger("ffff", 16));
RsaPrivateCrtKeyParameters intPrivKeySpec = new RsaPrivateCrtKeyParameters(
new BigInteger("8de0d113c5e736969c8d2b047a243f8fe18edad64cde9e842d3669230ca486f7cfdde1f8eec54d1905fff04acc85e61093e180cadc6cea407f193d44bb0e9449b8dbb49784cd9e36260c39e06a947299978c6ed8300724e887198cfede20f3fbde658fa2bd078be946a392bd349f2b49c486e20c405588e306706c9017308e69", 16),
new BigInteger("ffff", 16),
new BigInteger("7deb1b194a85bcfd29cf871411468adbc987650903e3bacc8338c449ca7b32efd39ffc33bc84412fcd7df18d23ce9d7c25ea910b1ae9985373e0273b4dca7f2e0db3b7314056ac67fd277f8f89cf2fd73c34c6ca69f9ba477143d2b0e2445548aa0b4a8473095182631da46844c356f5e5c7522eb54b5a33f11d730ead9c0cff", 16),
new BigInteger("ef4cede573cea47f83699b814de4302edb60eefe426c52e17bd7870ec7c6b7a24fe55282ebb73775f369157726fcfb988def2b40350bdca9e5b418340288f649", 16),
new BigInteger("97c7737d1b9a0088c3c7b528539247fd2a1593e7e01cef18848755be82f4a45aa093276cb0cbf118cb41117540a78f3fc471ba5d69f0042274defc9161265721", 16),
new BigInteger("6c641094e24d172728b8da3c2777e69adfd0839085be7e38c7c4a2dd00b1ae969f2ec9d23e7e37090fcd449a40af0ed463fe1c612d6810d6b4f58b7bfa31eb5f", 16),
new BigInteger("70b7123e8e69dfa76feb1236d0a686144b00e9232ed52b73847e74ef3af71fb45ccb24261f40d27f98101e230cf27b977a5d5f1f15f6cf48d5cb1da2a3a3b87f", 16),
new BigInteger("e38f5750d97e270996a286df2e653fd26c242106436f5bab0f4c7a9e654ce02665d5a281f2c412456f2d1fa26586ef04a9adac9004ca7f913162cb28e13bf40d", 16));
//
// ca keys
//
RsaPublicKeyStructure caPubKeySpec = new RsaPublicKeyStructure(
new BigInteger("b259d2d6e627a768c94be36164c2d9fc79d97aab9253140e5bf17751197731d6f7540d2509e7b9ffee0a70a6e26d56e92d2edd7f85aba85600b69089f35f6bdbf3c298e05842535d9f064e6b0391cb7d306e0a2d20c4dfb4e7b49a9640bdea26c10ad69c3f05007ce2513cee44cfe01998e62b6c3637d3fc0391079b26ee36d5", 16),
new BigInteger("11", 16));
RsaPrivateCrtKeyParameters caPrivKeySpec = new RsaPrivateCrtKeyParameters(
new BigInteger("b259d2d6e627a768c94be36164c2d9fc79d97aab9253140e5bf17751197731d6f7540d2509e7b9ffee0a70a6e26d56e92d2edd7f85aba85600b69089f35f6bdbf3c298e05842535d9f064e6b0391cb7d306e0a2d20c4dfb4e7b49a9640bdea26c10ad69c3f05007ce2513cee44cfe01998e62b6c3637d3fc0391079b26ee36d5", 16),
new BigInteger("11", 16),
new BigInteger("92e08f83cc9920746989ca5034dcb384a094fb9c5a6288fcc4304424ab8f56388f72652d8fafc65a4b9020896f2cde297080f2a540e7b7ce5af0b3446e1258d1dd7f245cf54124b4c6e17da21b90a0ebd22605e6f45c9f136d7a13eaac1c0f7487de8bd6d924972408ebb58af71e76fd7b012a8d0e165f3ae2e5077a8648e619", 16),
new BigInteger("f75e80839b9b9379f1cf1128f321639757dba514642c206bbbd99f9a4846208b3e93fbbe5e0527cc59b1d4b929d9555853004c7c8b30ee6a213c3d1bb7415d03", 16),
new BigInteger("b892d9ebdbfc37e397256dd8a5d3123534d1f03726284743ddc6be3a709edb696fc40c7d902ed804c6eee730eee3d5b20bf6bd8d87a296813c87d3b3cc9d7947", 16),
new BigInteger("1d1a2d3ca8e52068b3094d501c9a842fec37f54db16e9a67070a8b3f53cc03d4257ad252a1a640eadd603724d7bf3737914b544ae332eedf4f34436cac25ceb5", 16),
new BigInteger("6c929e4e81672fef49d9c825163fec97c4b7ba7acb26c0824638ac22605d7201c94625770984f78a56e6e25904fe7db407099cad9b14588841b94f5ab498dded", 16),
new BigInteger("dae7651ee69ad1d081ec5e7188ae126f6004ff39556bde90e0b870962fa7b926d070686d8244fe5a9aa709a95686a104614834b0ada4b10f53197a5cb4c97339", 16));
//
// set up the keys
//
AsymmetricKeyParameter caPrivKey = caPrivKeySpec;
RsaKeyParameters caPubKey = new RsaKeyParameters(false, caPubKeySpec.Modulus, caPubKeySpec.PublicExponent);
AsymmetricKeyParameter intPrivKey = intPrivKeySpec;
RsaKeyParameters intPubKey = new RsaKeyParameters(false, intPubKeySpec.Modulus, intPubKeySpec.PublicExponent);
AsymmetricKeyParameter privKey = privKeySpec;
RsaKeyParameters pubKey = new RsaKeyParameters(false, pubKeySpec.Modulus, intPubKeySpec.PublicExponent);
X509Certificate trustCert = CreateTrustCert(caPubKey, caPrivKeySpec);
Asn1EncodableVector intPolicies = null;
Hashtable map = null;
Asn1EncodableVector policies = null;
ISet requirePolicies = null;
X509Certificate intCert = null;
X509Certificate endCert = null;
// valid test_00
intPolicies = new Asn1EncodableVector();
intPolicies.Add(new PolicyInformation(new DerObjectIdentifier("2.5.29.32.0")));
map = new Hashtable();
map["2.16.840.1.101.3.2.1.48.1"] = "2.16.840.1.101.3.2.1.48.2";
intCert = CreateIntmedCert(intPubKey, caPrivKey, caPubKey, intPolicies, map);
policies = new Asn1EncodableVector();
policies.Add(new PolicyInformation(new DerObjectIdentifier("2.16.840.1.101.3.2.1.48.2")));
endCert = CreateEndEntityCert(pubKey, intPrivKey, intPubKey, policies);
requirePolicies = null;
string msg = TestPolicies(0, trustCert, intCert, endCert, requirePolicies, true);
CheckMessage(0, msg, "");
// test_01
intPolicies = new Asn1EncodableVector();
intPolicies.Add(new PolicyInformation(new DerObjectIdentifier("2.5.29.32.0")));
map = new Hashtable();
map["2.16.840.1.101.3.2.1.48.1"] = "2.16.840.1.101.3.2.1.48.2";
intCert = CreateIntmedCert(intPubKey, caPrivKey, caPubKey, intPolicies, map);
policies = new Asn1EncodableVector();
policies.Add(new PolicyInformation(new DerObjectIdentifier("2.16.840.1.101.3.2.1.48.2")));
endCert = CreateEndEntityCert(pubKey, intPrivKey, intPubKey, policies);
requirePolicies = new HashSet();
requirePolicies.Add("2.16.840.1.101.3.2.1.48.1");
msg = TestPolicies(1, trustCert, intCert, endCert, requirePolicies, true);
CheckMessage(1, msg, "");
// test_02
intPolicies = new Asn1EncodableVector();
intPolicies.Add(new PolicyInformation(new DerObjectIdentifier("2.5.29.32.0")));
map = new Hashtable();
map["2.16.840.1.101.3.2.1.48.1"] = "2.16.840.1.101.3.2.1.48.2";
intCert = CreateIntmedCert(intPubKey, caPrivKey, caPubKey, intPolicies, map);
policies = new Asn1EncodableVector();
policies.Add(new PolicyInformation(new DerObjectIdentifier("2.16.840.1.101.3.2.1.48.2")));
endCert = CreateEndEntityCert(pubKey, intPrivKey, intPubKey, policies);
requirePolicies = new HashSet();
requirePolicies.Add("2.5.29.32.0");
msg = TestPolicies(2, trustCert, intCert, endCert, requirePolicies, true);
CheckMessage(2, msg, "");
// test_03
intPolicies = new Asn1EncodableVector();
intPolicies.Add(new PolicyInformation(new DerObjectIdentifier("2.16.840.1.101.3.2.1.48.3")));
intPolicies.Add(new PolicyInformation(new DerObjectIdentifier("2.5.29.32.0")));
map = new Hashtable();
map["2.16.840.1.101.3.2.1.48.1"] = "2.16.840.1.101.3.2.1.48.2";
intCert = CreateIntmedCert(intPubKey, caPrivKey, caPubKey, intPolicies, map);
policies = new Asn1EncodableVector();
policies.Add(new PolicyInformation(new DerObjectIdentifier("2.16.840.1.101.3.2.1.48.2")));
endCert = CreateEndEntityCert(pubKey, intPrivKey, intPubKey, policies);
requirePolicies = new HashSet();
requirePolicies.Add("2.16.840.1.101.3.2.1.48.1");
msg = TestPolicies(3, trustCert, intCert, endCert, requirePolicies, true);
CheckMessage(3, msg, "");
// test_04
intPolicies = new Asn1EncodableVector();
intPolicies.Add(new PolicyInformation(new DerObjectIdentifier("2.16.840.1.101.3.2.1.48.3")));
intPolicies.Add(new PolicyInformation(new DerObjectIdentifier("2.5.29.32.0")));
map = new Hashtable();
map["2.16.840.1.101.3.2.1.48.1"] = "2.16.840.1.101.3.2.1.48.2";
intCert = CreateIntmedCert(intPubKey, caPrivKey, caPubKey, intPolicies, map);
policies = new Asn1EncodableVector();
policies.Add(new PolicyInformation(new DerObjectIdentifier("2.16.840.1.101.3.2.1.48.3")));
endCert = CreateEndEntityCert(pubKey, intPrivKey, intPubKey, policies);
requirePolicies = new HashSet();
requirePolicies.Add("2.16.840.1.101.3.2.1.48.3");
msg = TestPolicies(4, trustCert, intCert, endCert, requirePolicies, true);
CheckMessage(4, msg, "");
// test_05
intPolicies = new Asn1EncodableVector();
intPolicies.Add(new PolicyInformation(new DerObjectIdentifier("2.5.29.32.0")));
map = new Hashtable();
map["2.16.840.1.101.3.2.1.48.1"] = "2.16.840.1.101.3.2.1.48.2";
intCert = CreateIntmedCert(intPubKey, caPrivKey, caPubKey, intPolicies, map);
policies = new Asn1EncodableVector();
policies.Add(new PolicyInformation(new DerObjectIdentifier("2.16.840.1.101.3.2.1.48.2")));
endCert = CreateEndEntityCert(pubKey, intPrivKey, intPubKey, policies);
requirePolicies = new HashSet();
requirePolicies.Add("2.16.840.1.101.3.2.1.48.2");
msg = TestPolicies(5, trustCert, intCert, endCert, requirePolicies, false);
CheckMessage(5, msg, "Path processing failed on policy.");
// test_06
intPolicies = new Asn1EncodableVector();
intPolicies.Add(new PolicyInformation(new DerObjectIdentifier("2.5.29.32.0")));
map = new Hashtable();
map["2.16.840.1.101.3.2.1.48.1"] = "2.16.840.1.101.3.2.1.48.2";
intCert = CreateIntmedCert(intPubKey, caPrivKey, caPubKey, intPolicies, map);
policies = new Asn1EncodableVector();
policies.Add(new PolicyInformation(new DerObjectIdentifier("2.16.840.1.101.3.2.1.48.1")));
endCert = CreateEndEntityCert(pubKey, intPrivKey, intPubKey, policies);
requirePolicies = new HashSet();
requirePolicies.Add("2.16.840.1.101.3.2.1.48.1");
msg = TestPolicies(6, trustCert, intCert, endCert, requirePolicies, true);
CheckMessage(6, msg, "");
// test_07
intPolicies = new Asn1EncodableVector();
intPolicies.Add(new PolicyInformation(new DerObjectIdentifier("2.5.29.32.0")));
map = new Hashtable();
map["2.16.840.1.101.3.2.1.48.1"] = "2.16.840.1.101.3.2.1.48.2";
intCert = CreateIntmedCert(intPubKey, caPrivKey, caPubKey, intPolicies, map);
policies = new Asn1EncodableVector();
policies.Add(new PolicyInformation(new DerObjectIdentifier("2.16.840.1.101.3.2.1.48.2")));
endCert = CreateEndEntityCert(pubKey, intPrivKey, intPubKey, policies);
requirePolicies = new HashSet();
requirePolicies.Add("2.16.840.1.101.3.2.1.48.3");
msg = TestPolicies(7, trustCert, intCert, endCert, requirePolicies, false);
CheckMessage(7, msg, "Path processing failed on policy.");
// test_08
intPolicies = new Asn1EncodableVector();
intPolicies.Add(new PolicyInformation(new DerObjectIdentifier("2.5.29.32.0")));
map = new Hashtable();
map["2.16.840.1.101.3.2.1.48.1"] = "2.16.840.1.101.3.2.1.48.2";
intCert = CreateIntmedCert(intPubKey, caPrivKey, caPubKey, intPolicies, map);
policies = new Asn1EncodableVector();
policies.Add(new PolicyInformation(new DerObjectIdentifier("2.16.840.1.101.3.2.1.48.3")));
endCert = CreateEndEntityCert(pubKey, intPrivKey, intPubKey, policies);
requirePolicies = new HashSet();
requirePolicies.Add("2.16.840.1.101.3.2.1.48.1");
msg = TestPolicies(8, trustCert, intCert, endCert, requirePolicies, false);
CheckMessage(8, msg, "Path processing failed on policy.");
}
public virtual PkixCertPathValidatorResult Validate(
PkixCertPath certPath,
PkixParameters paramsPkix)
{
if (paramsPkix.GetTrustAnchors() == null)
{
throw new ArgumentException(
@"trustAnchors is null, this is not allowed for certification path validation.",
"parameters");
}
//
// 6.1.1 - inputs
//
//
// (a)
//
IList certs = certPath.Certificates;
int n = certs.Count;
if (certs.Count == 0)
throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);
//
// (b)
//
// DateTime validDate = PkixCertPathValidatorUtilities.GetValidDate(paramsPkix);
//
// (c)
//
ISet userInitialPolicySet = paramsPkix.GetInitialPolicies();
//
// (d)
//
TrustAnchor trust;
try
{
trust = PkixCertPathValidatorUtilities.FindTrustAnchor(
(X509Certificate)certs[certs.Count - 1],
paramsPkix.GetTrustAnchors());
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(e.Message, e, certPath, certs.Count - 1);
}
if (trust == null)
throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
//
// (e), (f), (g) are part of the paramsPkix object.
//
IEnumerator certIter;
int index = 0;
int i;
// Certificate for each interation of the validation loop
// Signature information for each iteration of the validation loop
//
// 6.1.2 - setup
//
//
// (a)
//
IList[] policyNodes = new IList[n + 1];
for (int j = 0; j < policyNodes.Length; j++)
{
policyNodes[j] = Platform.CreateArrayList();
}
ISet policySet = new HashSet();
policySet.Add(Rfc3280CertPathUtilities.ANY_POLICY);
PkixPolicyNode validPolicyTree = new PkixPolicyNode(Platform.CreateArrayList(), 0, policySet, null, new HashSet(),
Rfc3280CertPathUtilities.ANY_POLICY, false);
policyNodes[0].Add(validPolicyTree);
//
// (b) and (c)
//
PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();
// (d)
//
int explicitPolicy;
ISet acceptablePolicies = new HashSet();
if (paramsPkix.IsExplicitPolicyRequired)
{
explicitPolicy = 0;
}
else
{
explicitPolicy = n + 1;
}
//
// (e)
//
int inhibitAnyPolicy;
if (paramsPkix.IsAnyPolicyInhibited)
{
inhibitAnyPolicy = 0;
}
else
{
inhibitAnyPolicy = n + 1;
}
//
// (f)
//
int policyMapping;
if (paramsPkix.IsPolicyMappingInhibited)
{
policyMapping = 0;
}
else
{
policyMapping = n + 1;
}
//
// (g), (h), (i), (j)
//
IAsymmetricKeyParameter workingPublicKey;
X509Name workingIssuerName;
X509Certificate sign = trust.TrustedCert;
try
{
if (sign != null)
{
workingIssuerName = sign.SubjectDN;
workingPublicKey = sign.GetPublicKey();
}
else
{
workingIssuerName = new X509Name(trust.CAName);
workingPublicKey = trust.CAPublicKey;
}
}
catch (ArgumentException ex)
{
throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath,
-1);
}
AlgorithmIdentifier workingAlgId = null;
try
{
workingAlgId = PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
}
catch (PkixCertPathValidatorException e)
{
throw new PkixCertPathValidatorException(
"Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1);
}
// DerObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.ObjectID;
// Asn1Encodable workingPublicKeyParameters = workingAlgId.Parameters;
//
// (k)
//
int maxPathLength = n;
//
// 6.1.3
//
X509CertStoreSelector certConstraints = paramsPkix.GetTargetCertConstraints();
if (certConstraints != null && !certConstraints.Match((X509Certificate)certs[0]))
{
throw new PkixCertPathValidatorException(
"Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
}
//
// initialize CertPathChecker's
//
IList pathCheckers = paramsPkix.GetCertPathCheckers();
certIter = pathCheckers.GetEnumerator();
while (certIter.MoveNext())
{
((PkixCertPathChecker)certIter.Current).Init(false);
}
X509Certificate cert = null;
for (index = certs.Count - 1; index >= 0; index--)
{
// try
// {
//
// i as defined in the algorithm description
//
i = n - index;
//
// set certificate to be checked in this round
// sign and workingPublicKey and workingIssuerName are set
// at the end of the for loop and initialized the
// first time from the TrustAnchor
//
cert = (X509Certificate)certs[index];
//
// 6.1.3
//
Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, index, workingPublicKey,
workingIssuerName, sign);
Rfc3280CertPathUtilities.ProcessCertBC(certPath, index, nameConstraintValidator);
validPolicyTree = Rfc3280CertPathUtilities.ProcessCertD(certPath, index,
acceptablePolicies, validPolicyTree, policyNodes, inhibitAnyPolicy);
validPolicyTree = Rfc3280CertPathUtilities.ProcessCertE(certPath, index, validPolicyTree);
Rfc3280CertPathUtilities.ProcessCertF(certPath, index, validPolicyTree, explicitPolicy);
//
// 6.1.4
//
if (i != n)
{
if (cert != null && cert.Version == 1)
{
throw new PkixCertPathValidatorException(
"Version 1 certificates can't be used as CA ones.", null, certPath, index);
}
Rfc3280CertPathUtilities.PrepareNextCertA(certPath, index);
validPolicyTree = Rfc3280CertPathUtilities.PrepareCertB(certPath, index, policyNodes,
validPolicyTree, policyMapping);
Rfc3280CertPathUtilities.PrepareNextCertG(certPath, index, nameConstraintValidator);
// (h)
explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, index, explicitPolicy);
policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, index, policyMapping);
inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, index, inhibitAnyPolicy);
//
// (i)
//
explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, index, explicitPolicy);
policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, index, policyMapping);
// (j)
inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, index, inhibitAnyPolicy);
// (k)
Rfc3280CertPathUtilities.PrepareNextCertK(certPath, index);
// (l)
maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, index, maxPathLength);
// (m)
maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, index, maxPathLength);
// (n)
Rfc3280CertPathUtilities.PrepareNextCertN(certPath, index);
ISet criticalExtensions1 = cert.GetCriticalExtensionOids();
if (criticalExtensions1 != null)
{
criticalExtensions1 = new HashSet(criticalExtensions1);
// these extensions are handled by the algorithm
criticalExtensions1.Remove(X509Extensions.KeyUsage.Id);
criticalExtensions1.Remove(X509Extensions.CertificatePolicies.Id);
criticalExtensions1.Remove(X509Extensions.PolicyMappings.Id);
criticalExtensions1.Remove(X509Extensions.InhibitAnyPolicy.Id);
criticalExtensions1.Remove(X509Extensions.IssuingDistributionPoint.Id);
criticalExtensions1.Remove(X509Extensions.DeltaCrlIndicator.Id);
criticalExtensions1.Remove(X509Extensions.PolicyConstraints.Id);
criticalExtensions1.Remove(X509Extensions.BasicConstraints.Id);
criticalExtensions1.Remove(X509Extensions.SubjectAlternativeName.Id);
criticalExtensions1.Remove(X509Extensions.NameConstraints.Id);
}
else
{
criticalExtensions1 = new HashSet();
}
// (o)
Rfc3280CertPathUtilities.PrepareNextCertO(certPath, index, criticalExtensions1, pathCheckers);
// set signing certificate for next round
sign = cert;
// (c)
workingIssuerName = sign.SubjectDN;
// (d)
try
{
workingPublicKey = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, index);
}
catch (PkixCertPathValidatorException e)
{
throw new PkixCertPathValidatorException("Next working key could not be retrieved.", e, certPath, index);
}
workingAlgId = PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
// (f)
// workingPublicKeyAlgorithm = workingAlgId.ObjectID;
// (e)
// workingPublicKeyParameters = workingAlgId.Parameters;
}
}
//
// 6.1.5 Wrap-up procedure
//
explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, cert);
explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, index + 1, explicitPolicy);
//
// (c) (d) and (e) are already done
//
//
// (f)
//
ISet criticalExtensions = cert.GetCriticalExtensionOids();
if (criticalExtensions != null)
{
criticalExtensions = new HashSet(criticalExtensions);
// Requires .Id
// these extensions are handled by the algorithm
criticalExtensions.Remove(X509Extensions.KeyUsage.Id);
criticalExtensions.Remove(X509Extensions.CertificatePolicies.Id);
criticalExtensions.Remove(X509Extensions.PolicyMappings.Id);
criticalExtensions.Remove(X509Extensions.InhibitAnyPolicy.Id);
criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id);
criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id);
criticalExtensions.Remove(X509Extensions.PolicyConstraints.Id);
criticalExtensions.Remove(X509Extensions.BasicConstraints.Id);
criticalExtensions.Remove(X509Extensions.SubjectAlternativeName.Id);
criticalExtensions.Remove(X509Extensions.NameConstraints.Id);
criticalExtensions.Remove(X509Extensions.CrlDistributionPoints.Id);
}
else
{
criticalExtensions = new HashSet();
}
Rfc3280CertPathUtilities.WrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions);
PkixPolicyNode intersection = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, userInitialPolicySet,
index + 1, policyNodes, validPolicyTree, acceptablePolicies);
if ((explicitPolicy > 0) || (intersection != null))
{
return new PkixCertPathValidatorResult(trust, intersection, cert.GetPublicKey());
}
throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, index);
}
private string TestPolicies(
int index,
X509Certificate trustCert,
X509Certificate intCert,
X509Certificate endCert,
ISet requirePolicies,
bool okay)
{
ISet trust = new HashSet();
trust.Add(new TrustAnchor(trustCert, null));
X509CertStoreSelector targetConstraints = new X509CertStoreSelector();
targetConstraints.Subject = endCert.SubjectDN;
PkixBuilderParameters pbParams = new PkixBuilderParameters(trust, targetConstraints);
ISet certs = new HashSet();
certs.Add(intCert);
certs.Add(endCert);
IX509Store store = X509StoreFactory.Create(
"CERTIFICATE/COLLECTION",
new X509CollectionStoreParameters(certs));
pbParams.AddStore(store);
pbParams.IsRevocationEnabled = false;
if (requirePolicies != null)
{
pbParams.IsExplicitPolicyRequired = true;
pbParams.SetInitialPolicies(requirePolicies);
}
// CertPathBuilder cpb = CertPathBuilder.GetInstance("PKIX");
PkixCertPathBuilder cpb = new PkixCertPathBuilder();
PkixCertPathBuilderResult result = null;
try
{
result = (PkixCertPathBuilderResult)cpb.Build(pbParams);
if (!okay)
{
Fail(index + ": path validated when failure expected.");
}
// if (result.getPolicyTree() != null)
// {
// Console.WriteLine("OK");
// Console.WriteLine("policy: " + result.getPolicyTree());
// }
// else
// {
// Console.WriteLine("OK: policy tree = null");
// }
return "";
}
catch (TestFailedException e)
{
throw e;
}
catch (Exception e)
{
if (okay)
{
Fail(index + ": path failed to validate when success expected.");
}
Exception ee = e.InnerException;
if (ee != null)
{
return ee.Message;
}
return e.Message;
}
}
internal static void ProcessCertD1ii(
int index,
IList[] policyNodes,
DerObjectIdentifier _poid,
ISet _pq)
{
IList policyNodeVec = policyNodes[index - 1];
for (int j = 0; j < policyNodeVec.Count; j++)
{
PkixPolicyNode _node = (PkixPolicyNode)policyNodeVec[j];
if (ANY_POLICY.Equals(_node.ValidPolicy))
{
ISet _childExpectedPolicies = new HashSet();
_childExpectedPolicies.Add(_poid.Id);
PkixPolicyNode _child = new PkixPolicyNode(Platform.CreateArrayList(),
index,
_childExpectedPolicies,
_node,
_pq,
_poid.Id,
false);
_node.AddChild(_child);
policyNodes[index].Add(_child);
return;
}
}
}
private PkixCertPathValidatorResult DoTest(
string trustAnchor,
string[] certs,
string[] crls,
ISet policies)
{
ISet trustedSet = new HashSet();
trustedSet.Add(GetTrustAnchor(trustAnchor));
IList x509Certs = new ArrayList();
IList x509Crls = new ArrayList();
X509Certificate endCert = LoadCert(certs[certs.Length - 1]);
for (int i = 0; i != certs.Length - 1; i++)
{
x509Certs.Add(LoadCert(certs[i]));
}
x509Certs.Add(endCert);
PkixCertPath certPath = new PkixCertPath(x509Certs);
for (int i = 0; i != crls.Length; i++)
{
x509Crls.Add(LoadCrl(crls[i]));
}
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(x509Certs));
IX509Store x509CrlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(x509Crls));
// CertPathValidator validator = CertPathValidator.GetInstance("PKIX");
PkixCertPathValidator validator = new PkixCertPathValidator();
PkixParameters parameters = new PkixParameters(trustedSet);
parameters.AddStore(x509CertStore);
parameters.AddStore(x509CrlStore);
parameters.IsRevocationEnabled = true;
if (policies != null)
{
parameters.IsExplicitPolicyRequired = true;
parameters.SetInitialPolicies(policies);
}
// Perform validation as of this date since test certs expired
parameters.Date = new DateTimeObject(DateTime.Parse("1/1/2011"));
return validator.Validate(certPath, parameters);
}
/**
* Fetches complete CRLs according to RFC 3280.
*
* @param dp The distribution point for which the complete CRL
* @param cert The <code>X509Certificate</code> or
* {@link org.bouncycastle.x509.X509AttributeCertificate} for
* which the CRL should be searched.
* @param currentDate The date for which the delta CRLs must be valid.
* @param paramsPKIX The extended PKIX parameters.
* @return A <code>Set</code> of <code>X509CRL</code>s with complete
* CRLs.
* @throws Exception if an exception occurs while picking the CRLs
* or no CRLs are found.
*/
internal static ISet GetCompleteCrls(
DistributionPoint dp,
object cert,
DateTime currentDate,
PkixParameters paramsPKIX)
{
X509CrlStoreSelector crlselect = new X509CrlStoreSelector();
try
{
ISet issuers = new HashSet();
if (cert is X509V2AttributeCertificate)
{
issuers.Add(((X509V2AttributeCertificate)cert)
.Issuer.GetPrincipals()[0]);
}
else
{
issuers.Add(GetIssuerPrincipal(cert));
}
PkixCertPathValidatorUtilities.GetCrlIssuersFromDistributionPoint(dp, issuers, crlselect, paramsPKIX);
}
catch (Exception e)
{
throw new Exception("Could not get issuer information from distribution point.", e);
}
if (cert is X509Certificate)
{
crlselect.CertificateChecking = (X509Certificate)cert;
}
else if (cert is X509V2AttributeCertificate)
{
crlselect.AttrCertChecking = (IX509AttributeCertificate)cert;
}
crlselect.CompleteCrlEnabled = true;
ISet crls = CrlUtilities.FindCrls(crlselect, paramsPKIX, currentDate);
if (crls.IsEmpty)
{
if (cert is IX509AttributeCertificate)
{
IX509AttributeCertificate aCert = (IX509AttributeCertificate)cert;
throw new Exception("No CRLs found for issuer \"" + aCert.Issuer.GetPrincipals()[0] + "\"");
}
else
{
X509Certificate xCert = (X509Certificate)cert;
throw new Exception("No CRLs found for issuer \"" + xCert.IssuerDN + "\"");
}
}
return crls;
}
private PkixCertPathBuilderResult doBuilderTest(
string trustAnchor,
string[] certs,
string[] crls,
ISet initialPolicies,
bool policyMappingInhibited,
bool anyPolicyInhibited)
{
ISet trustedSet = new HashSet();
trustedSet.Add(GetTrustAnchor(trustAnchor));
IList x509Certs = new ArrayList();
IList x509Crls = new ArrayList();
X509Certificate endCert = LoadCert(certs[certs.Length - 1]);
for (int i = 0; i != certs.Length - 1; i++)
{
x509Certs.Add(LoadCert(certs[i]));
}
x509Certs.Add(endCert);
for (int i = 0; i != crls.Length; i++)
{
x509Crls.Add(LoadCrl(crls[i]));
}
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(x509Certs));
IX509Store x509CrlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(x509Crls));
// CertPathBuilder builder = CertPathBuilder.GetInstance("PKIX");
PkixCertPathBuilder builder = new PkixCertPathBuilder();
X509CertStoreSelector endSelector = new X509CertStoreSelector();
endSelector.Certificate = endCert;
PkixBuilderParameters builderParams = new PkixBuilderParameters(trustedSet, endSelector);
if (initialPolicies != null)
{
builderParams.SetInitialPolicies(initialPolicies);
builderParams.IsExplicitPolicyRequired = true;
}
if (policyMappingInhibited)
{
builderParams.IsPolicyMappingInhibited = policyMappingInhibited;
}
if (anyPolicyInhibited)
{
builderParams.IsAnyPolicyInhibited = anyPolicyInhibited;
}
builderParams.AddStore(x509CertStore);
builderParams.AddStore(x509CrlStore);
// Perform validation as of this date since test certs expired
builderParams.Date = new DateTimeObject(DateTime.Parse("1/1/2011"));
try
{
return (PkixCertPathBuilderResult) builder.Build(builderParams);
}
catch (PkixCertPathBuilderException e)
{
throw e.InnerException;
}
}
internal static ICollection FindCertificates(
X509AttrCertStoreSelector certSelect,
IList certStores)
{
ISet certs = new HashSet();
foreach (IX509Store certStore in certStores)
{
try
{
// certs.AddAll(certStore.GetMatches(certSelect));
foreach (X509V2AttributeCertificate ac in certStore.GetMatches(certSelect))
{
certs.Add(ac);
}
}
catch (Exception e)
{
throw new Exception(
"Problem while picking certificates from X.509 store.", e);
}
}
return certs;
}
public override void PerformTest()
{
X509CertificateParser certParser = new X509CertificateParser();
X509CrlParser crlParser = new X509CrlParser();
// initialise CertStore
X509Certificate rootCert = certParser.ReadCertificate(CertPathTest.rootCertBin);
X509Certificate interCert = certParser.ReadCertificate(CertPathTest.interCertBin);
X509Certificate finalCert = certParser.ReadCertificate(CertPathTest.finalCertBin);
X509Crl rootCrl = crlParser.ReadCrl(CertPathTest.rootCrlBin);
X509Crl interCrl = crlParser.ReadCrl(CertPathTest.interCrlBin);
IList x509Certs = new ArrayList();
x509Certs.Add(rootCert);
x509Certs.Add(interCert);
x509Certs.Add(finalCert);
IList x509Crls = new ArrayList();
x509Crls.Add(rootCrl);
x509Crls.Add(interCrl);
// CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list);
// CertStore store = CertStore.GetInstance("Collection", ccsp);
// X509CollectionStoreParameters ccsp = new X509CollectionStoreParameters(list);
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(x509Certs));
IX509Store x509CrlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(x509Crls));
// NB: Month is 1-based in .NET
//DateTime validDate = new DateTime(2008,9,4,14,49,10).ToUniversalTime();
DateTime validDate = new DateTime(2008, 9, 4, 5, 49, 10);
//validating path
IList certchain = new ArrayList();
certchain.Add(finalCert);
certchain.Add(interCert);
// CertPath cp = CertificateFactory.GetInstance("X.509").GenerateCertPath(certchain);
PkixCertPath cp = new PkixCertPath(certchain);
ISet trust = new HashSet();
trust.Add(new TrustAnchor(rootCert, null));
// CertPathValidator cpv = CertPathValidator.GetInstance("PKIX");
PkixCertPathValidator cpv = new PkixCertPathValidator();
PkixParameters param = new PkixParameters(trust);
param.AddStore(x509CertStore);
param.AddStore(x509CrlStore);
param.Date = new DateTimeObject(validDate);
MyChecker checker = new MyChecker();
param.AddCertPathChecker(checker);
PkixCertPathValidatorResult result = (PkixCertPathValidatorResult) cpv.Validate(cp, param);
PkixPolicyNode policyTree = result.PolicyTree;
AsymmetricKeyParameter subjectPublicKey = result.SubjectPublicKey;
if (checker.GetCount() != 2)
{
Fail("checker not evaluated for each certificate");
}
if (!subjectPublicKey.Equals(finalCert.GetPublicKey()))
{
Fail("wrong public key returned");
}
//
// invalid path containing a valid one test
//
try
{
// initialise CertStore
rootCert = certParser.ReadCertificate(AC_RAIZ_ICPBRASIL);
interCert = certParser.ReadCertificate(AC_PR);
finalCert = certParser.ReadCertificate(schefer);
x509Certs = new ArrayList();
x509Certs.Add(rootCert);
x509Certs.Add(interCert);
x509Certs.Add(finalCert);
// ccsp = new CollectionCertStoreParameters(list);
// store = CertStore.GetInstance("Collection", ccsp);
// ccsp = new X509CollectionStoreParameters(list);
x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(x509Certs));
// NB: Month is 1-based in .NET
validDate = new DateTime(2004,3,21,2,21,10).ToUniversalTime();
//validating path
certchain = new ArrayList();
certchain.Add(finalCert);
certchain.Add(interCert);
// cp = CertificateFactory.GetInstance("X.509").GenerateCertPath(certchain);
cp = new PkixCertPath(certchain);
trust = new HashSet();
trust.Add(new TrustAnchor(rootCert, null));
// cpv = CertPathValidator.GetInstance("PKIX");
cpv = new PkixCertPathValidator();
param = new PkixParameters(trust);
param.AddStore(x509CertStore);
param.IsRevocationEnabled = false;
param.Date = new DateTimeObject(validDate);
result =(PkixCertPathValidatorResult) cpv.Validate(cp, param);
policyTree = result.PolicyTree;
subjectPublicKey = result.SubjectPublicKey;
Fail("Invalid path validated");
}
catch (Exception e)
{
if (e is PkixCertPathValidatorException
&& e.Message.StartsWith("Could not validate certificate signature."))
{
return;
}
Fail("unexpected exception", e);
}
}
internal static PkixPolicyNode WrapupCertG(
PkixCertPath certPath,
PkixParameters paramsPKIX,
ISet userInitialPolicySet,
int index,
IList[] policyNodes,
PkixPolicyNode validPolicyTree,
ISet acceptablePolicies)
{
int n = certPath.Certificates.Count;
//
// (g)
//
PkixPolicyNode intersection;
//
// (g) (i)
//
if (validPolicyTree == null)
{
if (paramsPKIX.IsExplicitPolicyRequired)
{
throw new PkixCertPathValidatorException(
"Explicit policy requested but none available.", null, certPath, index);
}
intersection = null;
}
else if (PkixCertPathValidatorUtilities.IsAnyPolicy(userInitialPolicySet)) // (g)
// (ii)
{
if (paramsPKIX.IsExplicitPolicyRequired)
{
if (acceptablePolicies.IsEmpty)
{
throw new PkixCertPathValidatorException(
"Explicit policy requested but none available.", null, certPath, index);
}
else
{
ISet _validPolicyNodeSet = new HashSet();
for (int j = 0; j < policyNodes.Length; j++)
{
IList _nodeDepth = policyNodes[j];
for (int k = 0; k < _nodeDepth.Count; k++)
{
PkixPolicyNode _node = (PkixPolicyNode)_nodeDepth[k];
if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(_node.ValidPolicy))
{
foreach (object o in _node.Children)
{
_validPolicyNodeSet.Add(o);
}
}
}
}
foreach (PkixPolicyNode _node in _validPolicyNodeSet)
{
string _validPolicy = _node.ValidPolicy;
if (!acceptablePolicies.Contains(_validPolicy))
{
// TODO?
// validPolicyTree =
// removePolicyNode(validPolicyTree, policyNodes,
// _node);
}
}
if (validPolicyTree != null)
{
for (int j = (n - 1); j >= 0; j--)
{
IList nodes = policyNodes[j];
for (int k = 0; k < nodes.Count; k++)
{
PkixPolicyNode node = (PkixPolicyNode)nodes[k];
if (!node.HasChildren)
{
validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree,
policyNodes, node);
}
}
}
}
}
}
intersection = validPolicyTree;
}
else
{
//
// (g) (iii)
//
// This implementation is not exactly same as the one described in
// RFC3280.
// However, as far as the validation result is concerned, both
// produce
// adequate result. The only difference is whether AnyPolicy is
// remain
// in the policy tree or not.
//
// (g) (iii) 1
//
ISet _validPolicyNodeSet = new HashSet();
for (int j = 0; j < policyNodes.Length; j++)
{
IList _nodeDepth = policyNodes[j];
for (int k = 0; k < _nodeDepth.Count; k++)
{
PkixPolicyNode _node = (PkixPolicyNode)_nodeDepth[k];
if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(_node.ValidPolicy))
{
foreach (PkixPolicyNode _c_node in _node.Children)
{
if (!Rfc3280CertPathUtilities.ANY_POLICY.Equals(_c_node.ValidPolicy))
{
_validPolicyNodeSet.Add(_c_node);
}
}
}
}
}
//
// (g) (iii) 2
//
IEnumerator _vpnsIter = _validPolicyNodeSet.GetEnumerator();
while (_vpnsIter.MoveNext())
{
PkixPolicyNode _node = (PkixPolicyNode)_vpnsIter.Current;
string _validPolicy = _node.ValidPolicy;
if (!userInitialPolicySet.Contains(_validPolicy))
{
validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree, policyNodes, _node);
}
}
//
// (g) (iii) 4
//
if (validPolicyTree != null)
{
for (int j = (n - 1); j >= 0; j--)
{
IList nodes = policyNodes[j];
for (int k = 0; k < nodes.Count; k++)
{
PkixPolicyNode node = (PkixPolicyNode)nodes[k];
if (!node.HasChildren)
{
validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree, policyNodes,
node);
}
}
}
}
intersection = validPolicyTree;
}
return intersection;
}
/// <summary>
/// Serializes the metadata in compact manner. </summary>
/// <param name="level"> indent level to start with </param>
/// <exception cref="IOException"> Forwarded writer exceptions </exception>
/// <exception cref="XmpException"> </exception>
private void SerializeCompactRdfSchemas(int level) {
// Begin the rdf:Description start tag.
WriteIndent(level + 1);
Write(RDF_SCHEMA_START);
WriteTreeName();
// Write all necessary xmlns attributes.
ISet usedPrefixes = new HashSet();
usedPrefixes.Add("xml");
usedPrefixes.Add("rdf");
for (IEnumerator it = _xmp.Root.IterateChildren(); it.MoveNext();) {
XmpNode schema = (XmpNode) it.Current;
DeclareUsedNamespaces(schema, usedPrefixes, level + 3);
}
// Write the top level "attrProps" and close the rdf:Description start tag.
bool allAreAttrs = true;
for (IEnumerator it = _xmp.Root.IterateChildren(); it.MoveNext();) {
XmpNode schema = (XmpNode) it.Current;
allAreAttrs &= SerializeCompactRdfAttrProps(schema, level + 2);
}
if (!allAreAttrs) {
Write('>');
WriteNewline();
}
else {
Write("/>");
WriteNewline();
return; // ! Done if all properties in all schema are written as attributes.
}
// Write the remaining properties for each schema.
for (IEnumerator it = _xmp.Root.IterateChildren(); it.MoveNext();) {
XmpNode schema = (XmpNode) it.Current;
SerializeCompactRdfElementProps(schema, level + 2);
}
// Write the rdf:Description end tag.
WriteIndent(level + 1);
Write(RDF_SCHEMA_END);
WriteNewline();
}
/**
* Obtain and validate the certification path for the complete CRL issuer.
* If a key usage extension is present in the CRL issuer's certificate,
* verify that the cRLSign bit is set.
*
* @param crl CRL which contains revocation information for the certificate
* <code>cert</code>.
* @param cert The attribute certificate or certificate to check if it is
* revoked.
* @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>.
* @param defaultCRLSignKey The public key of the issuer certificate
* <code>defaultCRLSignCert</code>.
* @param paramsPKIX paramsPKIX PKIX parameters.
* @param certPathCerts The certificates on the certification path.
* @return A <code>Set</code> with all keys of possible CRL issuer
* certificates.
* @throws AnnotatedException if the CRL is not valid or the status cannot be checked or
* some error occurs.
*/
internal static ISet ProcessCrlF(
X509Crl crl,
object cert,
X509Certificate defaultCRLSignCert,
AsymmetricKeyParameter defaultCRLSignKey,
PkixParameters paramsPKIX,
IList certPathCerts)
{
// (f)
// get issuer from CRL
X509CertStoreSelector selector = new X509CertStoreSelector();
try
{
selector.Subject = crl.IssuerDN;
}
catch (IOException e)
{
throw new Exception(
"Subject criteria for certificate selector to find issuer certificate for CRL could not be set.", e);
}
// get CRL signing certs
IList coll = Platform.CreateArrayList();
try
{
CollectionUtilities.AddRange(coll, PkixCertPathValidatorUtilities.FindCertificates(selector, paramsPKIX.GetStores()));
CollectionUtilities.AddRange(coll, PkixCertPathValidatorUtilities.FindCertificates(selector, paramsPKIX.GetAdditionalStores()));
}
catch (Exception e)
{
throw new Exception("Issuer certificate for CRL cannot be searched.", e);
}
coll.Add(defaultCRLSignCert);
IEnumerator cert_it = coll.GetEnumerator();
IList validCerts = Platform.CreateArrayList();
IList validKeys = Platform.CreateArrayList();
while (cert_it.MoveNext())
{
X509Certificate signingCert = (X509Certificate)cert_it.Current;
/*
* CA of the certificate, for which this CRL is checked, has also
* signed CRL, so skip the path validation, because is already done
*/
if (signingCert.Equals(defaultCRLSignCert))
{
validCerts.Add(signingCert);
validKeys.Add(defaultCRLSignKey);
continue;
}
try
{
// CertPathBuilder builder = CertPathBuilder.GetInstance("PKIX");
PkixCertPathBuilder builder = new PkixCertPathBuilder();
selector = new X509CertStoreSelector();
selector.Certificate = signingCert;
PkixParameters temp = (PkixParameters)paramsPKIX.Clone();
temp.SetTargetCertConstraints(selector);
PkixBuilderParameters parameters = (PkixBuilderParameters)
PkixBuilderParameters.GetInstance(temp);
/*
* if signingCert is placed not higher on the cert path a
* dependency loop results. CRL for cert is checked, but
* signingCert is needed for checking the CRL which is dependent
* on checking cert because it is higher in the cert path and so
* signing signingCert transitively. so, revocation is disabled,
* forgery attacks of the CRL are detected in this outer loop
* for all other it must be enabled to prevent forgery attacks
*/
if (certPathCerts.Contains(signingCert))
{
parameters.IsRevocationEnabled = false;
}
else
{
parameters.IsRevocationEnabled = true;
}
IList certs = builder.Build(parameters).CertPath.Certificates;
validCerts.Add(signingCert);
validKeys.Add(PkixCertPathValidatorUtilities.GetNextWorkingKey(certs, 0));
}
catch (PkixCertPathBuilderException e)
{
throw new Exception("Internal error.", e);
}
catch (PkixCertPathValidatorException e)
{
throw new Exception("Public key of issuer certificate of CRL could not be retrieved.", e);
}
//catch (Exception e)
//{
// throw new Exception(e.Message);
//}
}
ISet checkKeys = new HashSet();
Exception lastException = null;
for (int i = 0; i < validCerts.Count; i++)
{
X509Certificate signCert = (X509Certificate)validCerts[i];
bool[] keyusage = signCert.GetKeyUsage();
if (keyusage != null && (keyusage.Length < 7 || !keyusage[CRL_SIGN]))
{
lastException = new Exception(
"Issuer certificate key usage extension does not permit CRL signing.");
}
else
{
checkKeys.Add(validKeys[i]);
}
}
if ((checkKeys.Count == 0) && lastException == null)
{
throw new Exception("Cannot find a valid issuer certificate.");
}
if ((checkKeys.Count == 0) && lastException != null)
{
throw lastException;
}
return checkKeys;
}
/// <summary>
/// Start the outer rdf:Description element, including all needed xmlns attributes.
/// Leave the element open so that the compact form can add property attributes.
/// </summary>
/// <exception cref="IOException"> If the writing to </exception>
private void StartOuterRdfDescription(XmpNode schemaNode, int level) {
WriteIndent(level + 1);
Write(RDF_SCHEMA_START);
WriteTreeName();
ISet usedPrefixes = new HashSet();
usedPrefixes.Add("xml");
usedPrefixes.Add("rdf");
DeclareUsedNamespaces(schemaNode, usedPrefixes, level + 3);
Write('>');
WriteNewline();
}
private void v0Test()
{
// create certificates and CRLs
AsymmetricCipherKeyPair rootPair = TestUtilities.GenerateRsaKeyPair();
AsymmetricCipherKeyPair interPair = TestUtilities.GenerateRsaKeyPair();
AsymmetricCipherKeyPair endPair = TestUtilities.GenerateRsaKeyPair();
X509Certificate rootCert = TestUtilities.GenerateRootCert(rootPair);
X509Certificate interCert = TestUtilities.GenerateIntermediateCert(interPair.Public, rootPair.Private, rootCert);
X509Certificate endCert = TestUtilities.GenerateEndEntityCert(endPair.Public, interPair.Private, interCert);
BigInteger revokedSerialNumber = BigInteger.Two;
X509Crl rootCRL = TestUtilities.CreateCrl(rootCert, rootPair.Private, revokedSerialNumber);
X509Crl interCRL = TestUtilities.CreateCrl(interCert, interPair.Private, revokedSerialNumber);
// create CertStore to support path building
IList certList = new ArrayList();
certList.Add(rootCert);
certList.Add(interCert);
certList.Add(endCert);
IList crlList = new ArrayList();
crlList.Add(rootCRL);
crlList.Add(interCRL);
// CollectionCertStoreParameters parameters = new CollectionCertStoreParameters(list);
// CertStore store = CertStore.getInstance("Collection", parameters);
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(certList));
IX509Store x509CrlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(crlList));
ISet trust = new HashSet();
trust.Add(new TrustAnchor(rootCert, null));
// build the path
// CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC");
PkixCertPathBuilder builder = new PkixCertPathBuilder();
X509CertStoreSelector pathConstraints = new X509CertStoreSelector();
pathConstraints.Subject = endCert.SubjectDN;
PkixBuilderParameters buildParams = new PkixBuilderParameters(trust, pathConstraints);
// buildParams.addCertStore(store);
buildParams.AddStore(x509CertStore);
buildParams.AddStore(x509CrlStore);
buildParams.Date = new DateTimeObject(DateTime.UtcNow);
PkixCertPathBuilderResult result = builder.Build(buildParams);
PkixCertPath path = result.CertPath;
if (path.Certificates.Count != 2)
{
Fail("wrong number of certs in v0Test path");
}
}
public void Save(
Stream stream,
char[] password,
SecureRandom random)
{
if (stream == null)
throw new ArgumentNullException("stream");
if (random == null)
throw new ArgumentNullException("random");
//
// handle the keys
//
Asn1EncodableVector keyBags = new Asn1EncodableVector();
foreach (string name in keys.Keys)
{
byte[] kSalt = new byte[SaltSize];
random.NextBytes(kSalt);
AsymmetricKeyEntry privKey = (AsymmetricKeyEntry)keys[name];
DerObjectIdentifier bagOid;
Asn1Encodable bagData;
if (password == null)
{
bagOid = PkcsObjectIdentifiers.KeyBag;
bagData = PrivateKeyInfoFactory.CreatePrivateKeyInfo(privKey.Key);
}
else
{
bagOid = PkcsObjectIdentifiers.Pkcs8ShroudedKeyBag;
bagData = EncryptedPrivateKeyInfoFactory.CreateEncryptedPrivateKeyInfo(
keyAlgorithm, password, kSalt, MinIterations, privKey.Key);
}
Asn1EncodableVector kName = new Asn1EncodableVector();
foreach (string oid in privKey.BagAttributeKeys)
{
Asn1Encodable entry = privKey[oid];
// NB: Ignore any existing FriendlyName
if (oid.Equals(PkcsObjectIdentifiers.Pkcs9AtFriendlyName.Id))
continue;
kName.Add(
new DerSequence(
new DerObjectIdentifier(oid),
new DerSet(entry)));
}
//
// make sure we are using the local alias on store
//
// NB: We always set the FriendlyName based on 'name'
//if (privKey[PkcsObjectIdentifiers.Pkcs9AtFriendlyName] == null)
{
kName.Add(
new DerSequence(
PkcsObjectIdentifiers.Pkcs9AtFriendlyName,
new DerSet(new DerBmpString(name))));
}
//
// make sure we have a local key-id
//
if (privKey[PkcsObjectIdentifiers.Pkcs9AtLocalKeyID] == null)
{
X509CertificateEntry ct = GetCertificate(name);
AsymmetricKeyParameter pubKey = ct.Certificate.GetPublicKey();
SubjectKeyIdentifier subjectKeyID = CreateSubjectKeyID(pubKey);
kName.Add(
new DerSequence(
PkcsObjectIdentifiers.Pkcs9AtLocalKeyID,
new DerSet(subjectKeyID)));
}
keyBags.Add(new SafeBag(bagOid, bagData.ToAsn1Object(), new DerSet(kName)));
}
byte[] keyBagsEncoding = new DerSequence(keyBags).GetDerEncoded();
ContentInfo keysInfo = new ContentInfo(PkcsObjectIdentifiers.Data, new BerOctetString(keyBagsEncoding));
//
// certificate processing
//
byte[] cSalt = new byte[SaltSize];
random.NextBytes(cSalt);
Asn1EncodableVector certBags = new Asn1EncodableVector();
Pkcs12PbeParams cParams = new Pkcs12PbeParams(cSalt, MinIterations);
AlgorithmIdentifier cAlgId = new AlgorithmIdentifier(certAlgorithm, cParams.ToAsn1Object());
ISet doneCerts = new HashSet();
foreach (string name in keys.Keys)
{
X509CertificateEntry certEntry = GetCertificate(name);
CertBag cBag = new CertBag(
PkcsObjectIdentifiers.X509Certificate,
new DerOctetString(certEntry.Certificate.GetEncoded()));
Asn1EncodableVector fName = new Asn1EncodableVector();
foreach (string oid in certEntry.BagAttributeKeys)
{
Asn1Encodable entry = certEntry[oid];
// NB: Ignore any existing FriendlyName
if (oid.Equals(PkcsObjectIdentifiers.Pkcs9AtFriendlyName.Id))
continue;
fName.Add(
new DerSequence(
new DerObjectIdentifier(oid),
new DerSet(entry)));
}
//
// make sure we are using the local alias on store
//
// NB: We always set the FriendlyName based on 'name'
//if (certEntry[PkcsObjectIdentifiers.Pkcs9AtFriendlyName] == null)
{
fName.Add(
new DerSequence(
PkcsObjectIdentifiers.Pkcs9AtFriendlyName,
new DerSet(new DerBmpString(name))));
}
//
// make sure we have a local key-id
//
if (certEntry[PkcsObjectIdentifiers.Pkcs9AtLocalKeyID] == null)
{
AsymmetricKeyParameter pubKey = certEntry.Certificate.GetPublicKey();
SubjectKeyIdentifier subjectKeyID = CreateSubjectKeyID(pubKey);
fName.Add(
new DerSequence(
PkcsObjectIdentifiers.Pkcs9AtLocalKeyID,
new DerSet(subjectKeyID)));
}
certBags.Add(new SafeBag(PkcsObjectIdentifiers.CertBag, cBag.ToAsn1Object(), new DerSet(fName)));
doneCerts.Add(certEntry.Certificate);
}
foreach (string certId in certs.Keys)
{
X509CertificateEntry cert = (X509CertificateEntry)certs[certId];
if (keys[certId] != null)
continue;
CertBag cBag = new CertBag(
PkcsObjectIdentifiers.X509Certificate,
new DerOctetString(cert.Certificate.GetEncoded()));
Asn1EncodableVector fName = new Asn1EncodableVector();
foreach (string oid in cert.BagAttributeKeys)
{
// a certificate not immediately linked to a key doesn't require
// a localKeyID and will confuse some PKCS12 implementations.
//
// If we find one, we'll prune it out.
if (oid.Equals(PkcsObjectIdentifiers.Pkcs9AtLocalKeyID.Id))
continue;
Asn1Encodable entry = cert[oid];
// NB: Ignore any existing FriendlyName
if (oid.Equals(PkcsObjectIdentifiers.Pkcs9AtFriendlyName.Id))
continue;
fName.Add(
new DerSequence(
new DerObjectIdentifier(oid),
new DerSet(entry)));
}
//
// make sure we are using the local alias on store
//
// NB: We always set the FriendlyName based on 'certId'
//if (cert[PkcsObjectIdentifiers.Pkcs9AtFriendlyName] == null)
{
fName.Add(
new DerSequence(
PkcsObjectIdentifiers.Pkcs9AtFriendlyName,
new DerSet(new DerBmpString(certId))));
}
certBags.Add(new SafeBag(PkcsObjectIdentifiers.CertBag, cBag.ToAsn1Object(), new DerSet(fName)));
doneCerts.Add(cert.Certificate);
}
foreach (CertId certId in chainCerts.Keys)
{
X509CertificateEntry cert = (X509CertificateEntry)chainCerts[certId];
if (doneCerts.Contains(cert.Certificate))
continue;
CertBag cBag = new CertBag(
PkcsObjectIdentifiers.X509Certificate,
new DerOctetString(cert.Certificate.GetEncoded()));
Asn1EncodableVector fName = new Asn1EncodableVector();
foreach (string oid in cert.BagAttributeKeys)
{
// a certificate not immediately linked to a key doesn't require
// a localKeyID and will confuse some PKCS12 implementations.
//
// If we find one, we'll prune it out.
if (oid.Equals(PkcsObjectIdentifiers.Pkcs9AtLocalKeyID.Id))
continue;
fName.Add(
new DerSequence(
new DerObjectIdentifier(oid),
new DerSet(cert[oid])));
}
certBags.Add(new SafeBag(PkcsObjectIdentifiers.CertBag, cBag.ToAsn1Object(), new DerSet(fName)));
}
byte[] certBagsEncoding = new DerSequence(certBags).GetDerEncoded();
ContentInfo certsInfo;
if (password == null)
{
certsInfo = new ContentInfo(PkcsObjectIdentifiers.Data, new BerOctetString(certBagsEncoding));
}
else
{
byte[] certBytes = CryptPbeData(true, cAlgId, password, false, certBagsEncoding);
EncryptedData cInfo = new EncryptedData(PkcsObjectIdentifiers.Data, cAlgId, new BerOctetString(certBytes));
certsInfo = new ContentInfo(PkcsObjectIdentifiers.EncryptedData, cInfo.ToAsn1Object());
}
ContentInfo[] info = new ContentInfo[]{ keysInfo, certsInfo };
byte[] data = new AuthenticatedSafe(info).GetEncoded(
useDerEncoding ? Asn1Encodable.Der : Asn1Encodable.Ber);
ContentInfo mainInfo = new ContentInfo(PkcsObjectIdentifiers.Data, new BerOctetString(data));
//
// create the mac
//
MacData macData = null;
if (password != null)
{
byte[] mSalt = new byte[20];
random.NextBytes(mSalt);
byte[] mac = CalculatePbeMac(OiwObjectIdentifiers.IdSha1,
mSalt, MinIterations, password, false, data);
AlgorithmIdentifier algId = new AlgorithmIdentifier(
OiwObjectIdentifiers.IdSha1, DerNull.Instance);
DigestInfo dInfo = new DigestInfo(algId, mac);
macData = new MacData(dInfo, mSalt, MinIterations);
}
//
// output the Pfx
//
Pfx pfx = new Pfx(mainInfo, macData);
DerOutputStream derOut;
if (useDerEncoding)
{
derOut = new DerOutputStream(stream);
}
else
{
derOut = new BerOutputStream(stream);
}
derOut.WriteObject(pfx);
}
