Пример #1
        /// <summary>
        /// Tests whether every entry in <c>_policies</c> permits the supplied application policy OID.
        /// </summary>
        /// <param name="policyOid">The application policy to look for; its <c>Value</c> string is the lookup key.</param>
        /// <returns>
        /// <c>true</c> if each entry either allows any application policy or declares the OID;
        /// <c>false</c> as soon as one entry does neither.
        /// </returns>
        internal bool MatchesApplicationPolicies(Oid policyOid)
        {
            string wantedOid = policyOid.Value!;

            // Index 0 holds the end-entity certificate and the last index holds the root, so
            // counting down visits the chain in the root-to-leaf order of RFC 3280 section 6.1.3.
            for (int idx = _policies.Length - 1; idx >= 0; idx--)
            {
                CertificatePolicy current = _policies[idx];

                if (current.AllowsAnyApplicationPolicy)
                {
                    continue;
                }

                // Fail closed: with no any-policy allowance, an absent declaration set and a
                // set that lacks the OID both reject the whole chain.
                var declared = current.DeclaredApplicationPolicies;

                if (declared == null || !declared.Contains(wantedOid))
                {
                    return false;
                }
            }

            return true;
        }
Пример #2
        /// <summary>
        /// Decodes a policy constraints extension and copies its two depth values onto
        /// <paramref name="policy"/>.
        /// </summary>
        /// <param name="rawData">The encoded extension value; decoded with DER rules.</param>
        /// <param name="policy">The policy object that receives the decoded depths.</param>
        private static void ReadCertPolicyConstraintsExtension(byte[] rawData, CertificatePolicy policy)
        {
            // DER is requested explicitly, so the decoder is asked for the strict encoding rules
            // rather than BER. Any decoding failure surfaces from Decode; nothing is caught here.
            var decoded = PolicyConstraintsAsn.Decode(rawData, AsnEncodingRules.DER);

            policy.RequireExplicitPolicyDepth = decoded.RequireExplicitPolicyDepth;
            policy.InhibitMappingDepth = decoded.InhibitMappingDepth;
        }
Пример #3
        /// <summary>
        /// Builds a <c>CertificatePolicy</c> from the policy-related extensions of one certificate.
        /// </summary>
        /// <param name="cert">The certificate whose policy data is read through <c>cert.Pal.GetPolicyData()</c>.</param>
        /// <returns>
        /// A policy object with the declared certificate and application policies, mappings,
        /// constraint depths and the implicit/explicit any-policy flags filled in.
        /// </returns>
        private static CertificatePolicy ReadPolicy(X509Certificate2 cert)
        {
            PolicyData data = cert.Pal.GetPolicyData();
            CertificatePolicy result = new CertificatePolicy();

            // Application policies come from the ApplicationCertPolicies extension when the
            // certificate carries one; the EKU OIDs are only the fallback.
            ISet<string>? appPolicies = null;
            ISet<string>? ekuOids = null;

            if (data.ApplicationCertPolicies != null)
            {
                appPolicies = ReadCertPolicyExtension(data.ApplicationCertPolicies);
            }

            if (data.CertPolicies != null)
            {
                result.DeclaredCertificatePolicies = ReadCertPolicyExtension(data.CertPolicies);
            }

            if (data.CertPolicyMappings != null)
            {
                result.PolicyMapping = ReadCertPolicyMappingsExtension(data.CertPolicyMappings);
            }

            if (data.CertPolicyConstraints != null)
            {
                ReadCertPolicyConstraintsExtension(data.CertPolicyConstraints, result);
            }

            // The EKU extension is parsed only when it would actually be used.
            if (appPolicies == null && data.EnhancedKeyUsage != null)
            {
                ekuOids = ReadExtendedKeyUsageExtension(data.EnhancedKeyUsage);
            }

            if (data.InhibitAnyPolicyExtension != null)
            {
                result.InhibitAnyDepth = ReadInhibitAnyPolicyExtension(data.InhibitAnyPolicyExtension);
            }

            result.DeclaredApplicationPolicies = appPolicies ?? ekuOids;

            // A certificate that declares nothing is treated as implicitly allowing any policy.
            // Callers that must not accept that have to clear these flags themselves.
            result.ImplicitAnyApplicationPolicy = result.DeclaredApplicationPolicies == null;
            result.ImplicitAnyCertificatePolicy = result.DeclaredCertificatePolicies == null;

            result.SpecifiedAnyApplicationPolicy = CheckExplicitAnyPolicy(result.DeclaredApplicationPolicies);
            result.SpecifiedAnyCertificatePolicy = CheckExplicitAnyPolicy(result.DeclaredCertificatePolicies);

            return result;
        }
Пример #4
        /// <summary>
        /// Tests whether every entry in <c>_policies</c> permits the supplied certificate policy
        /// OID, following policy mappings from issuer domain to subject domain along the way.
        /// </summary>
        /// <param name="policyOid">The certificate policy to look for; its <c>Value</c> string is the starting OID.</param>
        /// <returns>
        /// <c>false</c> if <c>_failAllCertificatePolicies</c> is set, or if any entry neither allows
        /// any certificate policy nor declares the OID being checked at that level; otherwise <c>true</c>.
        /// </returns>
        internal bool MatchesCertificatePolicies(Oid policyOid)
        {
            // Set elsewhere in the class; when set, no certificate policy can match.
            if (_failAllCertificatePolicies)
            {
                return false;
            }

            string carriedOid = policyOid.Value!;

            // Index 0 holds the end-entity certificate and the last index holds the root, so
            // counting down visits the chain in the root-to-leaf order of RFC 3280 section 6.1.3.
            for (int idx = _policies.Length - 1; idx >= 0; idx--)
            {
                CertificatePolicy current = _policies[idx];

                // This level is checked against the OID as it stood on entry; a mapping found
                // here only changes what the next certificate down is checked against.
                string oidToCheck = carriedOid;

                if (current.PolicyMapping != null)
                {
                    int mappingCount = current.PolicyMapping.Count;

                    for (int m = 0; m < mappingCount; m++)
                    {
                        CertificatePolicyMappingAsn entry = current.PolicyMapping[m];

                        // Ordinal comparison: OID strings are matched exactly. If several
                        // entries match, the last one wins.
                        if (StringComparer.Ordinal.Equals(entry.IssuerDomainPolicy, oidToCheck))
                        {
                            carriedOid = entry.SubjectDomainPolicy;
                        }
                    }
                }

                if (current.AllowsAnyCertificatePolicy)
                {
                    continue;
                }

                // Fail closed: no declaration set, or a set without the OID, rejects the chain.
                var declared = current.DeclaredCertificatePolicies;

                if (declared == null || !declared.Contains(oidToCheck))
                {
                    return false;
                }
            }

            return true;
        }
Пример #5
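        /// <summary>
        /// Reads the policy data of every certificate in <paramref name="chain"/> into
        /// <c>_policies</c>, then walks the chain from root to leaf applying the three depth
        /// counters (require-explicit-policy, inhibit-any-policy, inhibit-policy-mapping).
        /// </summary>
        /// <param name="chain">
        /// The certificates to process; index 0 is the end-entity certificate and the last
        /// index is the root.
        /// </param>
        /// <remarks>
        /// Sets <c>_failAllCertificatePolicies</c> when a certificate declares no certificate
        /// policies after the explicit-policy counter has run out.
        /// </remarks>
        private void ReadPolicies(List<X509Certificate2> chain)
        {
            for (int i = 0; i < chain.Count; i++)
            {
                _policies[i] = ReadPolicy(chain[i]);
            }

            // Each counter starts at the chain length, i.e. unconstrained for this chain, and
            // is tightened only by what the certificates themselves state.
            int explicitPolicyDepth       = chain.Count;
            int inhibitAnyPolicyDepth     = explicitPolicyDepth;
            int inhibitPolicyMappingDepth = explicitPolicyDepth;

            for (int i = 1; i <= chain.Count; i++)
            {
                // The loop variable (i) matches the definition in RFC 3280,
                // section 6.1.3. In that description i=1 is the root CA, and n
                // is the EE/leaf certificate.  In our chain object 0 is the EE cert
                // and chain.Count-1 is the root cert.  So we will index things as
                // chain.Count - i (because i is 1 indexed).
                int dataIdx = chain.Count - i;

                CertificatePolicy policy = _policies[dataIdx];

                if (policy.DeclaredCertificatePolicies == null && explicitPolicyDepth <= 0)
                {
                    _failAllCertificatePolicies = true;
                }

                // Once the any-policy budget is spent, this certificate can no longer rely on
                // anyPolicy, whether implied or stated.
                if (inhibitAnyPolicyDepth <= 0)
                {
                    policy.ImplicitAnyCertificatePolicy  = false;
                    policy.SpecifiedAnyCertificatePolicy = false;
                }
                else
                {
                    inhibitAnyPolicyDepth--;
                }

                // Once the mapping budget is spent, mappings in this certificate are ignored.
                if (inhibitPolicyMappingDepth <= 0)
                {
                    policy.PolicyMapping = null;
                }
                else
                {
                    // Fix: this branch used to decrement inhibitAnyPolicyDepth. That left the
                    // mapping counter changed only through ApplyRestriction and took the
                    // any-policy counter down twice per certificate, so an inhibit-policy-mapping
                    // depth greater than zero was not counted down along the chain.
                    inhibitPolicyMappingDepth--;
                }

                // Once an explicit policy is required, the absence of a declaration no longer
                // counts as "any policy".
                if (explicitPolicyDepth <= 0)
                {
                    policy.ImplicitAnyCertificatePolicy = false;
                    policy.ImplicitAnyApplicationPolicy = false;
                }
                else
                {
                    explicitPolicyDepth--;
                }

                // NOTE(review): ApplyRestriction is defined outside this listing; presumably it
                // lowers the counter to the certificate's own value when one is present. Confirm.
                ApplyRestriction(ref inhibitAnyPolicyDepth, policy.InhibitAnyDepth);
                ApplyRestriction(ref inhibitPolicyMappingDepth, policy.InhibitMappingDepth);
                ApplyRestriction(ref explicitPolicyDepth, policy.RequireExplicitPolicyDepth);
            }
        }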