/**
 * Policy-mapping step (b)(1) of RFC 5280 section 6.1.4 for one mapped
 * issuer-domain policy id_p: make sure the valid policy tree has a node of
 * depth i whose valid policy is id_p, with its expected policies set to the
 * subject-domain policies recorded for id_p in m_idp.
 *
 * If a depth-i node already carries id_p, only its ExpectedPolicies is
 * refreshed. Otherwise the first depth-i anyPolicy node is used as a
 * template: when its parent is anyPolicy as well, a new id_p child of that
 * parent is created, taking the anyPolicy qualifiers and the criticality of
 * the CertificatePolicies extension from the certificate.
 *
 * @param i depth in the policy tree (index into policyNodes).
 * @param policyNodes per-depth lists of PkixPolicyNode objects.
 * @param id_p the issuer-domain policy OID (as a string) being mapped.
 * @param m_idp maps an issuer-domain policy OID to the ISet of subject-domain policies.
 * @param cert the certificate whose policy mappings are being processed.
 * @throws Exception if the CertificatePolicies extension or one of its entries cannot be decoded.
 * @throws PkixCertPathValidatorException if the anyPolicy qualifier set cannot be built.
 */
internal static void PrepareNextCertB1(
    int i,
    IList[] policyNodes,
    string id_p,
    IDictionary m_idp,
    X509Certificate cert)
{
    IList depthNodes = policyNodes[i];

    // First pass: an existing id_p node at this depth just needs its expected policies updated.
    foreach (PkixPolicyNode existing in depthNodes)
    {
        if (existing.ValidPolicy.Equals(id_p))
        {
            existing.ExpectedPolicies = (ISet)m_idp[id_p];
            return;
        }
    }

    // Second pass: derive the id_p node from the first anyPolicy node at this depth.
    foreach (PkixPolicyNode anyNode in depthNodes)
    {
        if (!ANY_POLICY.Equals(anyNode.ValidPolicy))
            continue;

        Asn1Sequence policies;
        try
        {
            policies = DerSequence.GetInstance(GetExtensionValue(cert, X509Extensions.CertificatePolicies));
        }
        catch (Exception e)
        {
            throw new Exception("Certificate policies cannot be decoded.", e);
        }

        // NOTE(review): if the extension were absent, GetInstance would presumably return null and the
        // enumeration below would fail; this looks unreachable because a depth-i anyPolicy node
        // implies certificate i carries anyPolicy in CertificatePolicies - confirm.
        ISet anyQualifiers = null;
        foreach (object entry in policies)
        {
            PolicyInformation pinfo;
            try
            {
                pinfo = PolicyInformation.GetInstance(entry);
            }
            catch (Exception ex)
            {
                throw new Exception("Policy information cannot be decoded.", ex);
            }

            if (!ANY_POLICY.Equals(pinfo.PolicyIdentifier.Id))
                continue;

            // Only the qualifiers attached to anyPolicy are inherited by the new node.
            try
            {
                anyQualifiers = GetQualifierSet(pinfo.PolicyQualifiers);
            }
            catch (PkixCertPathValidatorException ex)
            {
                throw new PkixCertPathValidatorException(
                    "Policy qualifier info set could not be built.", ex);
            }
            break;
        }

        // Criticality of the new node mirrors that of the CertificatePolicies extension.
        ISet criticalOids = cert.GetCriticalExtensionOids();
        bool policiesCritical = criticalOids != null
            && criticalOids.Contains(X509Extensions.CertificatePolicies.Id);

        PkixPolicyNode parent = (PkixPolicyNode)anyNode.Parent;
        if (ANY_POLICY.Equals(parent.ValidPolicy))
        {
            PkixPolicyNode child = new PkixPolicyNode(
                Platform.CreateArrayList(),
                i,
                (ISet)m_idp[id_p],
                parent,
                anyQualifiers,
                id_p,
                policiesCritical);
            parent.AddChild(child);
            depthNodes.Add(child);
        }

        // Only the first anyPolicy node at this depth is considered.
        return;
    }
}
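/**
 * Validate the passed in certificate as being of the correct type to be used
 * for time stamping. To be valid it must be an X.509 v3 certificate carrying a
 * critical ExtendedKeyUsage extension whose only key purpose identifier is
 * id-kp-timeStamping (RFC 3161, section 2.3).
 *
 * @param cert the certificate of interest.
 * @throws ArgumentException if the certificate is not version 3 and so cannot carry extensions.
 * @throws TspValidationException if the certificate fails on one of the check points.
 */
public static void ValidateCertificate(
    X509Certificate cert)
{
    // Extensions only exist from X.509 v3 on; the message previously (wrongly) complained about EKU.
    if (cert.Version != 3)
        throw new ArgumentException("Certificate must be a version 3 (X.509 v3) certificate.");

    Asn1OctetString ext = cert.GetExtensionValue(X509Extensions.ExtendedKeyUsage);
    if (ext == null)
        throw new TspValidationException("Certificate must have an ExtendedKeyUsage extension.");

    // RFC 3161 requires the EKU extension of a TSA certificate to be marked critical.
    if (!cert.GetCriticalExtensionOids().Contains(X509Extensions.ExtendedKeyUsage.Id))
        throw new TspValidationException("Certificate must have an ExtendedKeyUsage extension marked as critical.");

    ExtendedKeyUsage extKey;
    try
    {
        extKey = ExtendedKeyUsage.GetInstance(
            Asn1Object.FromByteArray(ext.GetOctets()));
    }
    catch (IOException)
    {
        throw new TspValidationException("cannot process ExtendedKeyUsage extension");
    }
    catch (ArgumentException)
    {
        // The certificate is untrusted input: an EKU whose inner ASN.1 is not the expected
        // SEQUENCE OF OID presumably surfaces as ArgumentException from GetInstance, and should
        // be reported as a validation failure rather than escape as a different exception type.
        throw new TspValidationException("cannot process ExtendedKeyUsage extension");
    }

    // id-kp-timeStamping must be present and must be the only key purpose listed.
    if (!extKey.HasKeyPurposeId(KeyPurposeID.IdKPTimeStamping) || extKey.Count != 1)
        throw new TspValidationException("ExtendedKeyUsage not solely time stamping.");
}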