/**
* Validates an attribute certificate with the given certificate path.
*
* <p>
* <code>params</code> must be an instance of
* <code>ExtendedPkixParameters</code>.
* </p><p>
* The target constraints in the <code>params</code> must be an
* <code>X509AttrCertStoreSelector</code> with at least the attribute
* certificate criterion set. Obey that also target informations may be
* necessary to correctly validate this attribute certificate.
* </p><p>
* The attribute certificate issuer must be added to the trusted attribute
* issuers with {@link ExtendedPkixParameters#setTrustedACIssuers(Set)}.
* </p>
* @param certPath The certificate path which belongs to the attribute
* certificate issuer public key certificate.
* @param params The PKIX parameters.
* @return A <code>PKIXCertPathValidatorResult</code> of the result of
* validating the <code>certPath</code>.
* @throws InvalidAlgorithmParameterException if <code>params</code> is
* inappropriate for this validator.
* @throws CertPathValidatorException if the verification fails.
*/
public virtual PkixCertPathValidatorResult Validate(
PkixCertPath certPath,
PkixParameters pkixParams)
{
IX509Selector certSelect = pkixParams.GetTargetConstraints();
if (!(certSelect is X509AttrCertStoreSelector))
{
throw new ArgumentException(
"TargetConstraints must be an instance of " + typeof(X509AttrCertStoreSelector).FullName,
"pkixParams");
}
IX509AttributeCertificate attrCert = ((X509AttrCertStoreSelector) certSelect).AttributeCert;
PkixCertPath holderCertPath = Rfc3281CertPathUtilities.ProcessAttrCert1(attrCert, pkixParams);
PkixCertPathValidatorResult result = Rfc3281CertPathUtilities.ProcessAttrCert2(certPath, pkixParams);
X509Certificate issuerCert = (X509Certificate)certPath.Certificates[0];
Rfc3281CertPathUtilities.ProcessAttrCert3(issuerCert, pkixParams);
Rfc3281CertPathUtilities.ProcessAttrCert4(issuerCert, pkixParams);
Rfc3281CertPathUtilities.ProcessAttrCert5(attrCert, pkixParams);
// 6 already done in X509AttrCertStoreSelector
Rfc3281CertPathUtilities.ProcessAttrCert7(attrCert, certPath, holderCertPath, pkixParams);
Rfc3281CertPathUtilities.AdditionalChecks(attrCert, pkixParams);
DateTime date;
try
{
date = PkixCertPathValidatorUtilities.GetValidCertDateFromValidityModel(pkixParams, null, -1);
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Could not get validity date from attribute certificate.", e);
}
Rfc3281CertPathUtilities.CheckCrls(attrCert, pkixParams, issuerCert, date, certPath.Certificates);
return result;
}
public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters pkixParams)
{
//IL_002d: Unknown result type (might be due to invalid IL or missing references)
IX509Selector targetConstraints = pkixParams.GetTargetConstraints();
if (!(targetConstraints is X509AttrCertStoreSelector))
{
throw new ArgumentException("TargetConstraints must be an instance of " + typeof(X509AttrCertStoreSelector).get_FullName(), "pkixParams");
}
IX509AttributeCertificate attributeCert = ((X509AttrCertStoreSelector)targetConstraints).AttributeCert;
PkixCertPath holderCertPath = Rfc3281CertPathUtilities.ProcessAttrCert1(attributeCert, pkixParams);
PkixCertPathValidatorResult result = Rfc3281CertPathUtilities.ProcessAttrCert2(certPath, pkixParams);
X509Certificate x509Certificate = (X509Certificate)certPath.Certificates.get_Item(0);
Rfc3281CertPathUtilities.ProcessAttrCert3(x509Certificate, pkixParams);
Rfc3281CertPathUtilities.ProcessAttrCert4(x509Certificate, pkixParams);
Rfc3281CertPathUtilities.ProcessAttrCert5(attributeCert, pkixParams);
Rfc3281CertPathUtilities.ProcessAttrCert7(attributeCert, certPath, holderCertPath, pkixParams);
Rfc3281CertPathUtilities.AdditionalChecks(attributeCert, pkixParams);
global::System.DateTime validCertDateFromValidityModel;
try
{
validCertDateFromValidityModel = PkixCertPathValidatorUtilities.GetValidCertDateFromValidityModel(pkixParams, null, -1);
}
catch (global::System.Exception cause)
{
throw new PkixCertPathValidatorException("Could not get validity date from attribute certificate.", cause);
}
Rfc3281CertPathUtilities.CheckCrls(attributeCert, pkixParams, x509Certificate, validCertDateFromValidityModel, certPath.Certificates);
return(result);
}
internal static void ProcessAttrCert7(IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams)
{
ISet criticalExtensionOids = attrCert.GetCriticalExtensionOids();
if (criticalExtensionOids.Contains(X509Extensions.TargetInformation.Id))
{
try
{
TargetInformation.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.TargetInformation));
}
catch (Exception cause)
{
throw new PkixCertPathValidatorException("Target information extension could not be read.", cause);
}
}
criticalExtensionOids.Remove(X509Extensions.TargetInformation.Id);
foreach (PkixAttrCertChecker pkixAttrCertChecker in pkixParams.GetAttrCertCheckers())
{
pkixAttrCertChecker.Check(attrCert, certPath, holderCertPath, criticalExtensionOids);
}
if (!criticalExtensionOids.IsEmpty)
{
throw new PkixCertPathValidatorException("Attribute certificate contains unsupported critical extensions: " + criticalExtensionOids);
}
}
public CertificateValidationResult Validate(Certificate certificate)
{
if (certificate == null)
throw new ArgumentNullException("certificate");
try
{
var x509Certs = new List<X509Certificate>();
x509Certs.AddRange(_chain.Select(c => c.BouncyX509Certificate));
x509Certs.Add(certificate.BouncyX509Certificate);
IX509Store x509CertStore = X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(x509Certs));
var x509Certificates = x509Certs.Skip(1).ToList();
var certPath = new PkixCertPath(x509Certificates);
ISet trust = new HashSet { new TrustAnchor(x509Certs.First(), null) };
var certPathValidator = new PkixCertPathValidator();
var paramsPkix = new PkixParameters(trust);
paramsPkix.AddStore(x509CertStore);
paramsPkix.IsRevocationEnabled = false;
var pkixResult = certPathValidator.Validate(certPath, paramsPkix);
return new CertificateValidationResult(pkixResult);
}
catch (Exception e)
{
return new CertificateValidationResult(e);
}
}
public override bool Equals(object obj)
{
if (this == obj)
{
return(true);
}
PkixCertPath pkixCertPath = obj as PkixCertPath;
if (pkixCertPath == null)
{
return(false);
}
IList list = this.Certificates;
IList list2 = pkixCertPath.Certificates;
if (list.Count != list2.Count)
{
return(false);
}
IEnumerator enumerator = list.GetEnumerator();
IEnumerator enumerator2 = list.GetEnumerator();
while (enumerator.MoveNext())
{
enumerator2.MoveNext();
if (!object.Equals(enumerator.Current, enumerator2.Current))
{
return(false);
}
}
return(true);
}
public override bool Equals(object obj)
{
if (this == obj)
{
return(true);
}
PkixCertPath pkixCertPath = obj as PkixCertPath;
if (pkixCertPath == null)
{
return(false);
}
global::System.Collections.IList list = Certificates;
global::System.Collections.IList list2 = pkixCertPath.Certificates;
if (((global::System.Collections.ICollection)list).get_Count() != ((global::System.Collections.ICollection)list2).get_Count())
{
return(false);
}
global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)list).GetEnumerator();
global::System.Collections.IEnumerator enumerator2 = ((global::System.Collections.IEnumerable)list).GetEnumerator();
while (enumerator.MoveNext())
{
enumerator2.MoveNext();
if (!object.Equals(enumerator.get_Current(), enumerator2.get_Current()))
{
return(false);
}
}
return(true);
}
public PkixCertPathBuilderResult(PkixCertPath certPath, TrustAnchor trustAnchor, PkixPolicyNode policyTree, AsymmetricKeyParameter subjectPublicKey) : base(trustAnchor, policyTree, subjectPublicKey)
{
if (certPath == null)
{
throw new ArgumentNullException("certPath");
}
this.certPath = certPath;
}
public PkixCertPathBuilderResult(PkixCertPath certPath, TrustAnchor trustAnchor, PkixPolicyNode policyTree, AsymmetricKeyParameter subjectPublicKey)
: base(trustAnchor, policyTree, subjectPublicKey)
{
//IL_0012: Unknown result type (might be due to invalid IL or missing references)
if (certPath == null)
{
throw new ArgumentNullException("certPath");
}
this.certPath = certPath;
}
public PkixCertPathBuilderResult(
PkixCertPath certPath,
TrustAnchor trustAnchor,
PkixPolicyNode policyTree,
AsymmetricKeyParameter subjectPublicKey)
: base(trustAnchor, policyTree, subjectPublicKey)
{
if (certPath == null)
throw new ArgumentNullException("certPath");
this.certPath = certPath;
}
internal static PkixCertPathValidatorResult ProcessAttrCert2(PkixCertPath certPath, PkixParameters pkixParams)
{
PkixCertPathValidator pkixCertPathValidator = new PkixCertPathValidator();
try
{
return(pkixCertPathValidator.Validate(certPath, pkixParams));
}
catch (PkixCertPathValidatorException cause)
{
throw new PkixCertPathValidatorException("Certification path for issuer certificate of attribute certificate could not be validated.", cause);
}
}
public PkixCertPathValidatorException(string message, Exception cause, PkixCertPath certPath, int index) : base(message)
{
if (certPath == null && index != -1)
{
throw new ArgumentNullException("certPath = null and index != -1");
}
if (index < -1 || (certPath != null && index >= certPath.Certificates.Count))
{
throw new IndexOutOfRangeException(" index < -1 or out of bound of certPath.getCertificates()");
}
this.cause = cause;
this.certPath = certPath;
this.index = index;
}
internal static DateTime GetValidCertDateFromValidityModel(
PkixParameters paramsPkix,
PkixCertPath certPath,
int index)
{
if (paramsPkix.ValidityModel != PkixParameters.ChainValidityModel)
{
return(GetValidDate(paramsPkix));
}
// if end cert use given signing/encryption/... time
if (index <= 0)
{
return(PkixCertPathValidatorUtilities.GetValidDate(paramsPkix));
// else use time when previous cert was created
}
if (index - 1 == 0)
{
DerGeneralizedTime dateOfCertgen = null;
try
{
X509Certificate cert = (X509Certificate)certPath.Certificates[index - 1];
Asn1OctetString extVal = cert.GetExtensionValue(
IsisMttObjectIdentifiers.IdIsisMttATDateOfCertGen);
dateOfCertgen = DerGeneralizedTime.GetInstance(extVal);
}
catch (ArgumentException)
{
throw new Exception(
"Date of cert gen extension could not be read.");
}
if (dateOfCertgen != null)
{
try
{
return(dateOfCertgen.ToDateTime());
}
catch (ArgumentException e)
{
throw new Exception(
"Date from date of cert gen extension could not be parsed.",
e);
}
}
}
return(((X509Certificate)certPath.Certificates[index - 1]).NotBefore);
}
public PkixCertPathValidatorException(string message, global::System.Exception cause, PkixCertPath certPath, int index)
: base(message)
{
//IL_001b: Unknown result type (might be due to invalid IL or missing references)
//IL_003d: Unknown result type (might be due to invalid IL or missing references)
if (certPath == null && index != -1)
{
throw new ArgumentNullException("certPath = null and index != -1");
}
if (index < -1 || (certPath != null && index >= ((global::System.Collections.ICollection)certPath.Certificates).get_Count()))
{
throw new IndexOutOfRangeException(" index < -1 or out of bound of certPath.getCertificates()");
}
this.cause = cause;
this.certPath = certPath;
this.index = index;
}
/**
* Compares this certification path for equality with the specified object.
* Two CertPaths are equal if and only if their types are equal and their
* certificate Lists (and by implication the Certificates in those Lists)
* are equal. A CertPath is never equal to an object that is not a CertPath.<br />
* <br />
* This algorithm is implemented by this method. If it is overridden, the
* behavior specified here must be maintained.
*
* @param other
* the object to test for equality with this certification path
*
* @return true if the specified object is equal to this certification path,
* false otherwise
*
* @see Object#hashCode() Object.hashCode()
*/
public override bool Equals(
object obj)
{
if (this == obj)
{
return(true);
}
PkixCertPath other = obj as PkixCertPath;
if (other == null)
{
return(false);
}
// if (!this.Type.Equals(other.Type))
// return false;
//return this.Certificates.Equals(other.Certificates);
// TODO Extract this to a utility class
IList thisCerts = this.Certificates;
IList otherCerts = other.Certificates;
if (thisCerts.Count != otherCerts.Count)
{
return(false);
}
IEnumerator e1 = thisCerts.GetEnumerator();
IEnumerator e2 = thisCerts.GetEnumerator();
while (e1.MoveNext())
{
e2.MoveNext();
if (!Platform.Equals(e1.Current, e2.Current))
{
return(false);
}
}
return(true);
}
internal static void ProcessAttrCert7(
IX509AttributeCertificate attrCert,
PkixCertPath certPath,
PkixCertPath holderCertPath,
PkixParameters pkixParams)
{
// TODO:
// AA Controls
// Attribute encryption
// Proxy
ISet critExtOids = attrCert.GetCriticalExtensionOids();
// 7.1
// process extensions
// target information checked in step 6 / X509AttributeCertStoreSelector
if (critExtOids.Contains(X509Extensions.TargetInformation.Id))
{
try
{
TargetInformation.GetInstance(PkixCertPathValidatorUtilities
.GetExtensionValue(attrCert, X509Extensions.TargetInformation));
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Target information extension could not be read.", e);
}
}
critExtOids.Remove(X509Extensions.TargetInformation.Id);
foreach (PkixAttrCertChecker checker in pkixParams.GetAttrCertCheckers())
{
checker.Check(attrCert, certPath, holderCertPath, critExtOids);
}
if (!critExtOids.IsEmpty)
{
throw new PkixCertPathValidatorException(
"Attribute certificate contains unsupported critical extensions: "
+ critExtOids);
}
}
public PkixCertPath(Stream inStream, string encoding)
{
string text = encoding.ToUpper();
IList list;
try
{
if (text.Equals("PkiPath".ToUpper()))
{
Asn1InputStream asn1InputStream = new Asn1InputStream(inStream);
Asn1Object asn1Object = asn1InputStream.ReadObject();
if (!(asn1Object is Asn1Sequence))
{
throw new CertificateException("input stream does not contain a ASN1 SEQUENCE while reading PkiPath encoded data to load CertPath");
}
list = Platform.CreateArrayList();
using (IEnumerator enumerator = ((Asn1Sequence)asn1Object).GetEnumerator())
{
while (enumerator.MoveNext())
{
Asn1Encodable asn1Encodable = (Asn1Encodable)enumerator.Current;
byte[] encoded = asn1Encodable.GetEncoded("DER");
Stream inStream2 = new MemoryStream(encoded, false);
list.Insert(0, new X509CertificateParser().ReadCertificate(inStream2));
}
goto IL_EF;
}
}
if (!text.Equals("PKCS7") && !text.Equals("PEM"))
{
throw new CertificateException("unsupported encoding: " + encoding);
}
list = Platform.CreateArrayList(new X509CertificateParser().ReadCertificates(inStream));
IL_EF :;
}
catch (IOException ex)
{
throw new CertificateException("IOException throw while decoding CertPath:\n" + ex.ToString());
}
this.certificates = PkixCertPath.SortCerts(list);
}
internal static void ProcessAttrCert7(
IX509AttributeCertificate attrCert,
PkixCertPath certPath,
PkixCertPath holderCertPath,
PkixParameters pkixParams)
{
// TODO:
// AA Controls
// Attribute encryption
// Proxy
ISet critExtOids = attrCert.GetCriticalExtensionOids();
// 7.1
// process extensions
// target information checked in step 6 / X509AttributeCertStoreSelector
if (critExtOids.Contains(X509Extensions.TargetInformation.Id))
{
try
{
TargetInformation.GetInstance(PkixCertPathValidatorUtilities
.GetExtensionValue(attrCert, X509Extensions.TargetInformation));
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Target information extension could not be read.", e);
}
}
critExtOids.Remove(X509Extensions.TargetInformation.Id);
foreach (PkixAttrCertChecker checker in pkixParams.GetAttrCertCheckers())
{
checker.Check(attrCert, certPath, holderCertPath, critExtOids);
}
if (!critExtOids.IsEmpty)
{
throw new PkixCertPathValidatorException(
"Attribute certificate contains unsupported critical extensions: "
+ critExtOids);
}
}
/**
* Validates an attribute certificate with the given certificate path.
*
* <p>
* <code>params</code> must be an instance of
* <code>ExtendedPkixParameters</code>.
* </p><p>
* The target constraints in the <code>params</code> must be an
* <code>X509AttrCertStoreSelector</code> with at least the attribute
* certificate criterion set. Obey that also target informations may be
* necessary to correctly validate this attribute certificate.
* </p><p>
* The attribute certificate issuer must be added to the trusted attribute
* issuers with {@link ExtendedPkixParameters#setTrustedACIssuers(Set)}.
* </p>
* @param certPath The certificate path which belongs to the attribute
* certificate issuer public key certificate.
* @param params The PKIX parameters.
* @return A <code>PKIXCertPathValidatorResult</code> of the result of
* validating the <code>certPath</code>.
* @throws InvalidAlgorithmParameterException if <code>params</code> is
* inappropriate for this validator.
* @throws CertPathValidatorException if the verification fails.
*/
public virtual PkixCertPathValidatorResult Validate(
PkixCertPath certPath,
PkixParameters pkixParams)
{
IX509Selector certSelect = pkixParams.GetTargetConstraints();
if (!(certSelect is X509AttrCertStoreSelector))
{
throw new ArgumentException(
"TargetConstraints must be an instance of " + typeof(X509AttrCertStoreSelector).FullName,
"pkixParams");
}
IX509AttributeCertificate attrCert = ((X509AttrCertStoreSelector)certSelect).AttributeCert;
PkixCertPath holderCertPath = Rfc3281CertPathUtilities.ProcessAttrCert1(attrCert, pkixParams);
PkixCertPathValidatorResult result = Rfc3281CertPathUtilities.ProcessAttrCert2(certPath, pkixParams);
X509Certificate issuerCert = (X509Certificate)certPath.Certificates[0];
Rfc3281CertPathUtilities.ProcessAttrCert3(issuerCert, pkixParams);
Rfc3281CertPathUtilities.ProcessAttrCert4(issuerCert, pkixParams);
Rfc3281CertPathUtilities.ProcessAttrCert5(attrCert, pkixParams);
// 6 already done in X509AttrCertStoreSelector
Rfc3281CertPathUtilities.ProcessAttrCert7(attrCert, certPath, holderCertPath, pkixParams);
Rfc3281CertPathUtilities.AdditionalChecks(attrCert, pkixParams);
DateTime date;
try
{
date = PkixCertPathValidatorUtilities.GetValidCertDateFromValidityModel(pkixParams, null, -1);
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Could not get validity date from attribute certificate.", e);
}
Rfc3281CertPathUtilities.CheckCrls(attrCert, pkixParams, issuerCert, date, certPath.Certificates);
return(result);
}
internal static void ProcessAttrCert7(IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams)
{
ISet criticalExtensionOids = attrCert.GetCriticalExtensionOids();
if (criticalExtensionOids.Contains(X509Extensions.TargetInformation.Id))
{
try
{
TargetInformation.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.TargetInformation));
}
catch (global::System.Exception cause)
{
throw new PkixCertPathValidatorException("Target information extension could not be read.", cause);
}
}
criticalExtensionOids.Remove(X509Extensions.TargetInformation.Id);
global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)pkixParams.GetAttrCertCheckers()).GetEnumerator();
try
{
while (enumerator.MoveNext())
{
PkixAttrCertChecker pkixAttrCertChecker = (PkixAttrCertChecker)enumerator.get_Current();
pkixAttrCertChecker.Check(attrCert, certPath, holderCertPath, criticalExtensionOids);
}
}
finally
{
global::System.IDisposable disposable = enumerator as global::System.IDisposable;
if (disposable != null)
{
disposable.Dispose();
}
}
if (!criticalExtensionOids.IsEmpty)
{
throw new PkixCertPathValidatorException(string.Concat((object)"Attribute certificate contains unsupported critical extensions: ", (object)criticalExtensionOids));
}
}
/// <summary>
/// Creates a <code>PkixCertPathValidatorException</code> with the specified
/// detail message, cause, certification path, and index.
/// </summary>
/// <param name="message">the detail message (or <code>null</code> if none)</param>
/// <param name="cause">the cause (or <code>null</code> if none)</param>
/// <param name="certPath">the certification path that was in the process of being
/// validated when the error was encountered</param>
/// <param name="index">the index of the certificate in the certification path that</param> *
public PkixCertPathValidatorException(
string message,
Exception cause,
PkixCertPath certPath,
int index)
: base(message)
{
if (certPath == null && index != -1)
{
throw new ArgumentNullException(
"certPath = null and index != -1");
}
if (index < -1
|| (certPath != null && index >= certPath.Certificates.Count))
{
throw new IndexOutOfRangeException(
" index < -1 or out of bound of certPath.getCertificates()");
}
this.cause = cause;
this.certPath = certPath;
this.index = index;
}
internal static global::System.DateTime GetValidCertDateFromValidityModel(PkixParameters paramsPkix, PkixCertPath certPath, int index)
{
//IL_0065: Expected O, but got Unknown
if (paramsPkix.ValidityModel != 1)
{
return(GetValidDate(paramsPkix));
}
if (index <= 0)
{
return(GetValidDate(paramsPkix));
}
if (index - 1 == 0)
{
DerGeneralizedTime derGeneralizedTime = null;
try
{
X509Certificate x509Certificate = (X509Certificate)certPath.Certificates.get_Item(index - 1);
Asn1OctetString extensionValue = x509Certificate.GetExtensionValue(IsisMttObjectIdentifiers.IdIsisMttATDateOfCertGen);
derGeneralizedTime = DerGeneralizedTime.GetInstance(extensionValue);
}
catch (ArgumentException)
{
throw new global::System.Exception("Date of cert gen extension could not be read.");
}
if (derGeneralizedTime != null)
{
try
{
return(derGeneralizedTime.ToDateTime());
}
catch (ArgumentException val2)
{
ArgumentException val3 = val2;
throw new global::System.Exception("Date from date of cert gen extension could not be parsed.", (global::System.Exception)(object) val3);
}
}
}
return(((X509Certificate)certPath.Certificates.get_Item(index - 1)).NotBefore);
}
internal static int PrepareNextCertH3(
PkixCertPath certPath,
int index,
int inhibitAnyPolicy)
{
IList certs = certPath.Certificates;
X509Certificate cert = (X509Certificate)certs[index];
//
// (h)
//
if (!PkixCertPathValidatorUtilities.IsSelfIssued(cert))
{
//
// (3)
//
if (inhibitAnyPolicy != 0)
return inhibitAnyPolicy - 1;
}
return inhibitAnyPolicy;
}
internal static void PrepareNextCertO(
PkixCertPath certPath,
int index,
ISet criticalExtensions,
IList pathCheckers)
//throws CertPathValidatorException
{
IList certs = certPath.Certificates;
X509Certificate cert = (X509Certificate)certs[index];
//
// (o)
//
IEnumerator tmpIter = pathCheckers.GetEnumerator();
while (tmpIter.MoveNext())
{
try
{
((PkixCertPathChecker)tmpIter.Current).Check(cert, criticalExtensions);
}
catch (PkixCertPathValidatorException e)
{
throw new PkixCertPathValidatorException(e.Message, e.InnerException, certPath, index);
}
}
if (!criticalExtensions.IsEmpty)
{
throw new PkixCertPathValidatorException("Certificate has unsupported critical extension.", null, certPath,
index);
}
}
internal static int PrepareNextCertM(
PkixCertPath certPath,
int index,
int maxPathLength)
//throws CertPathValidatorException
{
IList certs = certPath.Certificates;
X509Certificate cert = (X509Certificate)certs[index];
//
// (m)
//
BasicConstraints bc = null;
try
{
bc = BasicConstraints.GetInstance(
PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.BasicConstraints));
}
catch (Exception e)
{
throw new PkixCertPathValidatorException("Basic constraints extension cannot be decoded.", e, certPath,
index);
}
if (bc != null)
{
BigInteger _pathLengthConstraint = bc.PathLenConstraint;
if (_pathLengthConstraint != null)
{
int _plc = _pathLengthConstraint.IntValue;
if (_plc < maxPathLength)
{
return _plc;
}
}
}
return maxPathLength;
}
internal static void PrepareNextCertK(
PkixCertPath certPath,
int index)
//throws CertPathValidatorException
{
IList certs = certPath.Certificates;
X509Certificate cert = (X509Certificate)certs[index];
//
// (k)
//
BasicConstraints bc = null;
try
{
bc = BasicConstraints.GetInstance(
PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.BasicConstraints));
}
catch (Exception e)
{
throw new PkixCertPathValidatorException("Basic constraints extension cannot be decoded.", e, certPath,
index);
}
if (bc != null)
{
if (!(bc.IsCA()))
throw new PkixCertPathValidatorException("Not a CA certificate");
}
else
{
throw new PkixCertPathValidatorException("Intermediate certificate lacks BasicConstraints");
}
}
internal static void PrepareNextCertG(
PkixCertPath certPath,
int index,
PkixNameConstraintValidator nameConstraintValidator)
//throws CertPathValidatorException
{
IList certs = certPath.Certificates;
X509Certificate cert = (X509Certificate)certs[index];
//
// (g) handle the name constraints extension
//
NameConstraints nc = null;
try
{
Asn1Sequence ncSeq = DerSequence.GetInstance(
PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.NameConstraints));
if (ncSeq != null)
{
nc = new NameConstraints(ncSeq);
}
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Name constraints extension could not be decoded.", e, certPath, index);
}
if (nc != null)
{
//
// (g) (1) permitted subtrees
//
Asn1Sequence permitted = nc.PermittedSubtrees;
if (permitted != null)
{
try
{
nameConstraintValidator.IntersectPermittedSubtree(permitted);
}
catch (Exception ex)
{
throw new PkixCertPathValidatorException(
"Permitted subtrees cannot be build from name constraints extension.", ex, certPath, index);
}
}
//
// (g) (2) excluded subtrees
//
Asn1Sequence excluded = nc.ExcludedSubtrees;
if (excluded != null)
{
IEnumerator e = excluded.GetEnumerator();
try
{
while (e.MoveNext())
{
GeneralSubtree subtree = GeneralSubtree.GetInstance(e.Current);
nameConstraintValidator.AddExcludedSubtree(subtree);
}
}
catch (Exception ex)
{
throw new PkixCertPathValidatorException(
"Excluded subtrees cannot be build from name constraints extension.", ex, certPath, index);
}
}
}
}
internal static void ProcessCertA(
PkixCertPath certPath,
PkixParameters paramsPKIX,
int index,
AsymmetricKeyParameter workingPublicKey,
X509Name workingIssuerName,
X509Certificate sign)
{
IList certs = certPath.Certificates;
X509Certificate cert = (X509Certificate)certs[index];
//
// (a) verify
//
try
{
// (a) (1)
//
cert.Verify(workingPublicKey);
}
catch (GeneralSecurityException e)
{
throw new PkixCertPathValidatorException("Could not validate certificate signature.", e, certPath, index);
}
try
{
// (a) (2)
//
cert.CheckValidity(PkixCertPathValidatorUtilities
.GetValidCertDateFromValidityModel(paramsPKIX, certPath, index));
}
catch (CertificateExpiredException e)
{
throw new PkixCertPathValidatorException("Could not validate certificate: " + e.Message, e, certPath, index);
}
catch (CertificateNotYetValidException e)
{
throw new PkixCertPathValidatorException("Could not validate certificate: " + e.Message, e, certPath, index);
}
catch (Exception e)
{
throw new PkixCertPathValidatorException("Could not validate time of certificate.", e, certPath, index);
}
//
// (a) (3)
//
if (paramsPKIX.IsRevocationEnabled)
{
try
{
CheckCrls(paramsPKIX, cert, PkixCertPathValidatorUtilities.GetValidCertDateFromValidityModel(paramsPKIX,
certPath, index), sign, workingPublicKey, certs);
}
catch (Exception e)
{
Exception cause = e.InnerException;
if (cause == null)
{
cause = e;
}
throw new PkixCertPathValidatorException(e.Message, cause, certPath, index);
}
}
//
// (a) (4) name chaining
//
X509Name issuer = PkixCertPathValidatorUtilities.GetIssuerPrincipal(cert);
if (!issuer.Equivalent(workingIssuerName, true))
{
throw new PkixCertPathValidatorException("IssuerName(" + issuer
+ ") does not match SubjectName(" + workingIssuerName + ") of signing certificate.", null,
certPath, index);
}
}
public override void PerformTest()
{
X509CertificateParser certParser = new X509CertificateParser();
X509CrlParser crlParser = new X509CrlParser();
// initialise CertStore
X509Certificate rootCert = certParser.ReadCertificate(CertPathTest.rootCertBin);
X509Certificate interCert = certParser.ReadCertificate(CertPathTest.interCertBin);
X509Certificate finalCert = certParser.ReadCertificate(CertPathTest.finalCertBin);
X509Crl rootCrl = crlParser.ReadCrl(CertPathTest.rootCrlBin);
X509Crl interCrl = crlParser.ReadCrl(CertPathTest.interCrlBin);
IList x509Certs = new ArrayList();
x509Certs.Add(rootCert);
x509Certs.Add(interCert);
x509Certs.Add(finalCert);
IList x509Crls = new ArrayList();
x509Crls.Add(rootCrl);
x509Crls.Add(interCrl);
// CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list);
// CertStore store = CertStore.GetInstance("Collection", ccsp);
// X509CollectionStoreParameters ccsp = new X509CollectionStoreParameters(list);
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(x509Certs));
IX509Store x509CrlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(x509Crls));
// NB: Month is 1-based in .NET
//DateTime validDate = new DateTime(2008,9,4,14,49,10).ToUniversalTime();
DateTime validDate = new DateTime(2008, 9, 4, 5, 49, 10);
//validating path
IList certchain = new ArrayList();
certchain.Add(finalCert);
certchain.Add(interCert);
// CertPath cp = CertificateFactory.GetInstance("X.509").GenerateCertPath(certchain);
PkixCertPath cp = new PkixCertPath(certchain);
ISet trust = new HashSet();
trust.Add(new TrustAnchor(rootCert, null));
// CertPathValidator cpv = CertPathValidator.GetInstance("PKIX");
PkixCertPathValidator cpv = new PkixCertPathValidator();
PkixParameters param = new PkixParameters(trust);
param.AddStore(x509CertStore);
param.AddStore(x509CrlStore);
param.Date = new DateTimeObject(validDate);
MyChecker checker = new MyChecker();
param.AddCertPathChecker(checker);
PkixCertPathValidatorResult result = (PkixCertPathValidatorResult) cpv.Validate(cp, param);
PkixPolicyNode policyTree = result.PolicyTree;
AsymmetricKeyParameter subjectPublicKey = result.SubjectPublicKey;
if (checker.GetCount() != 2)
{
Fail("checker not evaluated for each certificate");
}
if (!subjectPublicKey.Equals(finalCert.GetPublicKey()))
{
Fail("wrong public key returned");
}
//
// invalid path containing a valid one test
//
try
{
// initialise CertStore
rootCert = certParser.ReadCertificate(AC_RAIZ_ICPBRASIL);
interCert = certParser.ReadCertificate(AC_PR);
finalCert = certParser.ReadCertificate(schefer);
x509Certs = new ArrayList();
x509Certs.Add(rootCert);
x509Certs.Add(interCert);
x509Certs.Add(finalCert);
// ccsp = new CollectionCertStoreParameters(list);
// store = CertStore.GetInstance("Collection", ccsp);
// ccsp = new X509CollectionStoreParameters(list);
x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(x509Certs));
// NB: Month is 1-based in .NET
validDate = new DateTime(2004,3,21,2,21,10).ToUniversalTime();
//validating path
certchain = new ArrayList();
certchain.Add(finalCert);
certchain.Add(interCert);
// cp = CertificateFactory.GetInstance("X.509").GenerateCertPath(certchain);
cp = new PkixCertPath(certchain);
trust = new HashSet();
trust.Add(new TrustAnchor(rootCert, null));
// cpv = CertPathValidator.GetInstance("PKIX");
cpv = new PkixCertPathValidator();
param = new PkixParameters(trust);
param.AddStore(x509CertStore);
param.IsRevocationEnabled = false;
param.Date = new DateTimeObject(validDate);
result =(PkixCertPathValidatorResult) cpv.Validate(cp, param);
policyTree = result.PolicyTree;
subjectPublicKey = result.SubjectPublicKey;
Fail("Invalid path validated");
}
catch (Exception e)
{
if (e is PkixCertPathValidatorException
&& e.Message.StartsWith("Could not validate certificate signature."))
{
return;
}
Fail("unexpected exception", e);
}
}
internal static void PrepareNextCertA(
PkixCertPath certPath,
int index)
//throws CertPathValidatorException
{
IList certs = certPath.Certificates;
X509Certificate cert = (X509Certificate)certs[index];
//
//
// (a) check the policy mappings
//
Asn1Sequence pm = null;
try
{
pm = Asn1Sequence.GetInstance(
PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.PolicyMappings));
}
catch (Exception ex)
{
throw new PkixCertPathValidatorException(
"Policy mappings extension could not be decoded.", ex, certPath, index);
}
if (pm != null)
{
Asn1Sequence mappings = pm;
for (int j = 0; j < mappings.Count; j++)
{
DerObjectIdentifier issuerDomainPolicy = null;
DerObjectIdentifier subjectDomainPolicy = null;
try
{
Asn1Sequence mapping = DerSequence.GetInstance(mappings[j]);
issuerDomainPolicy = DerObjectIdentifier.GetInstance(mapping[0]);
subjectDomainPolicy = DerObjectIdentifier.GetInstance(mapping[1]);
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Policy mappings extension contents could not be decoded.", e, certPath, index);
}
if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(issuerDomainPolicy.Id))
throw new PkixCertPathValidatorException(
"IssuerDomainPolicy is anyPolicy", null, certPath, index);
if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(subjectDomainPolicy.Id))
throw new PkixCertPathValidatorException(
"SubjectDomainPolicy is anyPolicy,", null, certPath, index);
}
}
}
internal static void ProcessCertBC(
PkixCertPath certPath,
int index,
PkixNameConstraintValidator nameConstraintValidator)
//throws CertPathValidatorException
{
IList certs = certPath.Certificates;
X509Certificate cert = (X509Certificate)certs[index];
int n = certs.Count;
// i as defined in the algorithm description
int i = n - index;
//
// (b), (c) permitted and excluded subtree checking.
//
if (!(PkixCertPathValidatorUtilities.IsSelfIssued(cert) && (i < n)))
{
X509Name principal = cert.SubjectDN;
Asn1InputStream aIn = new Asn1InputStream(principal.GetEncoded());
Asn1Sequence dns;
try
{
dns = DerSequence.GetInstance(aIn.ReadObject());
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Exception extracting subject name when checking subtrees.", e, certPath, index);
}
try
{
nameConstraintValidator.CheckPermittedDN(dns);
nameConstraintValidator.CheckExcludedDN(dns);
}
catch (PkixNameConstraintValidatorException e)
{
throw new PkixCertPathValidatorException(
"Subtree check for certificate subject failed.", e, certPath, index);
}
GeneralNames altName = null;
try
{
altName = GeneralNames.GetInstance(
PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.SubjectAlternativeName));
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Subject alternative name extension could not be decoded.", e, certPath, index);
}
IList emails = X509Name.GetInstance(dns).GetValueList(X509Name.EmailAddress);
foreach (string email in emails)
{
GeneralName emailAsGeneralName = new GeneralName(GeneralName.Rfc822Name, email);
try
{
nameConstraintValidator.checkPermitted(emailAsGeneralName);
nameConstraintValidator.checkExcluded(emailAsGeneralName);
}
catch (PkixNameConstraintValidatorException ex)
{
throw new PkixCertPathValidatorException(
"Subtree check for certificate subject alternative email failed.", ex, certPath, index);
}
}
if (altName != null)
{
GeneralName[] genNames = null;
try
{
genNames = altName.GetNames();
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Subject alternative name contents could not be decoded.", e, certPath, index);
}
foreach (GeneralName genName in genNames)
{
try
{
nameConstraintValidator.checkPermitted(genName);
nameConstraintValidator.checkExcluded(genName);
}
catch (PkixNameConstraintValidatorException e)
{
throw new PkixCertPathValidatorException(
"Subtree check for certificate subject alternative name failed.", e, certPath, index);
}
}
}
}
}
internal static void WrapupCertF(
PkixCertPath certPath,
int index,
IList pathCheckers,
ISet criticalExtensions)
//throws CertPathValidatorException
{
IList certs = certPath.Certificates;
X509Certificate cert = (X509Certificate)certs[index];
IEnumerator tmpIter = pathCheckers.GetEnumerator();
while (tmpIter.MoveNext())
{
try
{
((PkixCertPathChecker)tmpIter.Current).Check(cert, criticalExtensions);
}
catch (PkixCertPathValidatorException e)
{
throw new PkixCertPathValidatorException("Additional certificate path checker failed.", e, certPath,
index);
}
}
if (!criticalExtensions.IsEmpty)
{
throw new PkixCertPathValidatorException("Certificate has unsupported critical extension",
null, certPath, index);
}
}
private PkixCertPathBuilderResult Build(
IX509AttributeCertificate attrCert,
X509Certificate tbvCert,
PkixBuilderParameters pkixParams,
IList tbvPath)
{
// If tbvCert is readily present in tbvPath, it indicates having run
// into a cycle in the
// PKI graph.
if (tbvPath.Contains(tbvCert))
return null;
// step out, the certificate is not allowed to appear in a certification
// chain
if (pkixParams.GetExcludedCerts().Contains(tbvCert))
return null;
// test if certificate path exceeds maximum length
if (pkixParams.MaxPathLength != -1)
{
if (tbvPath.Count - 1 > pkixParams.MaxPathLength)
return null;
}
tbvPath.Add(tbvCert);
PkixCertPathBuilderResult builderResult = null;
// X509CertificateParser certParser = new X509CertificateParser();
PkixAttrCertPathValidator validator = new PkixAttrCertPathValidator();
try
{
// check whether the issuer of <tbvCert> is a TrustAnchor
if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
{
PkixCertPath certPath = new PkixCertPath(tbvPath);
PkixCertPathValidatorResult result;
try
{
result = validator.Validate(certPath, pkixParams);
}
catch (Exception e)
{
throw new Exception("Certification path could not be validated.", e);
}
return new PkixCertPathBuilderResult(certPath, result.TrustAnchor,
result.PolicyTree, result.SubjectPublicKey);
}
else
{
// add additional X.509 stores from locations in certificate
try
{
PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams);
}
catch (CertificateParsingException e)
{
throw new Exception("No additional X.509 stores can be added from certificate locations.", e);
}
// try to get the issuer certificate from one of the stores
ISet issuers = new HashSet();
try
{
issuers.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
}
catch (Exception e)
{
throw new Exception("Cannot find issuer certificate for certificate in certification path.", e);
}
if (issuers.IsEmpty)
throw new Exception("No issuer certificate for certificate in certification path found.");
foreach (X509Certificate issuer in issuers)
{
// if untrusted self signed certificate continue
if (PkixCertPathValidatorUtilities.IsSelfIssued(issuer))
continue;
builderResult = Build(attrCert, issuer, pkixParams, tbvPath);
if (builderResult != null)
break;
}
}
}
catch (Exception e)
{
certPathException = new Exception("No valid certification path could be build.", e);
}
if (builderResult == null)
{
tbvPath.Remove(tbvCert);
}
return builderResult;
}
internal static DateTime GetValidCertDateFromValidityModel(PkixParameters paramsPkix, PkixCertPath certPath, int index)
{
if (paramsPkix.ValidityModel != 1)
{
return(PkixCertPathValidatorUtilities.GetValidDate(paramsPkix));
}
if (index <= 0)
{
return(PkixCertPathValidatorUtilities.GetValidDate(paramsPkix));
}
if (index - 1 == 0)
{
DerGeneralizedTime derGeneralizedTime = null;
try
{
X509Certificate x509Certificate = (X509Certificate)certPath.Certificates[index - 1];
Asn1OctetString extensionValue = x509Certificate.GetExtensionValue(IsisMttObjectIdentifiers.IdIsisMttATDateOfCertGen);
derGeneralizedTime = DerGeneralizedTime.GetInstance(extensionValue);
}
catch (ArgumentException)
{
throw new Exception("Date of cert gen extension could not be read.");
}
if (derGeneralizedTime != null)
{
try
{
return(derGeneralizedTime.ToDateTime());
}
catch (ArgumentException innerException)
{
throw new Exception("Date from date of cert gen extension could not be parsed.", innerException);
}
}
}
return(((X509Certificate)certPath.Certificates[index - 1]).NotBefore);
}
public virtual PkixCertPathValidatorResult Validate(
PkixCertPath certPath,
PkixParameters paramsPkix)
{
if (paramsPkix.GetTrustAnchors() == null)
{
throw new ArgumentException(
"trustAnchors is null, this is not allowed for certification path validation.",
"parameters");
}
//
// 6.1.1 - inputs
//
//
// (a)
//
IList certs = certPath.Certificates;
int n = certs.Count;
if (certs.Count == 0)
{
throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);
}
//
// (b)
//
// DateTime validDate = PkixCertPathValidatorUtilities.GetValidDate(paramsPkix);
//
// (c)
//
ISet userInitialPolicySet = paramsPkix.GetInitialPolicies();
//
// (d)
//
TrustAnchor trust;
try
{
trust = PkixCertPathValidatorUtilities.FindTrustAnchor(
(X509Certificate)certs[certs.Count - 1],
paramsPkix.GetTrustAnchors());
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(e.Message, e, certPath, certs.Count - 1);
}
if (trust == null)
{
throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
}
//
// (e), (f), (g) are part of the paramsPkix object.
//
IEnumerator certIter;
int index = 0;
int i;
// Certificate for each interation of the validation loop
// Signature information for each iteration of the validation loop
//
// 6.1.2 - setup
//
//
// (a)
//
IList[] policyNodes = new IList[n + 1];
for (int j = 0; j < policyNodes.Length; j++)
{
policyNodes[j] = Platform.CreateArrayList();
}
ISet policySet = new HashSet();
policySet.Add(Rfc3280CertPathUtilities.ANY_POLICY);
PkixPolicyNode validPolicyTree = new PkixPolicyNode(Platform.CreateArrayList(), 0, policySet, null, new HashSet(),
Rfc3280CertPathUtilities.ANY_POLICY, false);
policyNodes[0].Add(validPolicyTree);
//
// (b) and (c)
//
PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();
// (d)
//
int explicitPolicy;
ISet acceptablePolicies = new HashSet();
if (paramsPkix.IsExplicitPolicyRequired)
{
explicitPolicy = 0;
}
else
{
explicitPolicy = n + 1;
}
//
// (e)
//
int inhibitAnyPolicy;
if (paramsPkix.IsAnyPolicyInhibited)
{
inhibitAnyPolicy = 0;
}
else
{
inhibitAnyPolicy = n + 1;
}
//
// (f)
//
int policyMapping;
if (paramsPkix.IsPolicyMappingInhibited)
{
policyMapping = 0;
}
else
{
policyMapping = n + 1;
}
//
// (g), (h), (i), (j)
//
AsymmetricKeyParameter workingPublicKey;
X509Name workingIssuerName;
X509Certificate sign = trust.TrustedCert;
try
{
if (sign != null)
{
workingIssuerName = sign.SubjectDN;
workingPublicKey = sign.GetPublicKey();
}
else
{
workingIssuerName = new X509Name(trust.CAName);
workingPublicKey = trust.CAPublicKey;
}
}
catch (ArgumentException ex)
{
throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath,
-1);
}
//AlgorithmIdentifier workingAlgId = null;
try
{
/*workingAlgId = */ PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
}
catch (PkixCertPathValidatorException e)
{
throw new PkixCertPathValidatorException(
"Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1);
}
// DerObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.ObjectID;
// Asn1Encodable workingPublicKeyParameters = workingAlgId.Parameters;
//
// (k)
//
int maxPathLength = n;
//
// 6.1.3
//
X509CertStoreSelector certConstraints = paramsPkix.GetTargetCertConstraints();
if (certConstraints != null && !certConstraints.Match((X509Certificate)certs[0]))
{
throw new PkixCertPathValidatorException(
"Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
}
//
// initialize CertPathChecker's
//
IList pathCheckers = paramsPkix.GetCertPathCheckers();
certIter = pathCheckers.GetEnumerator();
while (certIter.MoveNext())
{
((PkixCertPathChecker)certIter.Current).Init(false);
}
X509Certificate cert = null;
for (index = certs.Count - 1; index >= 0; index--)
{
// try
// {
//
// i as defined in the algorithm description
//
i = n - index;
//
// set certificate to be checked in this round
// sign and workingPublicKey and workingIssuerName are set
// at the end of the for loop and initialized the
// first time from the TrustAnchor
//
cert = (X509Certificate)certs[index];
//
// 6.1.3
//
Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, index, workingPublicKey,
workingIssuerName, sign);
Rfc3280CertPathUtilities.ProcessCertBC(certPath, index, nameConstraintValidator);
validPolicyTree = Rfc3280CertPathUtilities.ProcessCertD(certPath, index,
acceptablePolicies, validPolicyTree, policyNodes, inhibitAnyPolicy);
validPolicyTree = Rfc3280CertPathUtilities.ProcessCertE(certPath, index, validPolicyTree);
Rfc3280CertPathUtilities.ProcessCertF(certPath, index, validPolicyTree, explicitPolicy);
//
// 6.1.4
//
if (i != n)
{
if (cert != null && cert.Version == 1)
{
throw new PkixCertPathValidatorException(
"Version 1 certificates can't be used as CA ones.", null, certPath, index);
}
Rfc3280CertPathUtilities.PrepareNextCertA(certPath, index);
validPolicyTree = Rfc3280CertPathUtilities.PrepareCertB(certPath, index, policyNodes,
validPolicyTree, policyMapping);
Rfc3280CertPathUtilities.PrepareNextCertG(certPath, index, nameConstraintValidator);
// (h)
explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, index, explicitPolicy);
policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, index, policyMapping);
inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, index, inhibitAnyPolicy);
//
// (i)
//
explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, index, explicitPolicy);
policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, index, policyMapping);
// (j)
inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, index, inhibitAnyPolicy);
// (k)
Rfc3280CertPathUtilities.PrepareNextCertK(certPath, index);
// (l)
maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, index, maxPathLength);
// (m)
maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, index, maxPathLength);
// (n)
Rfc3280CertPathUtilities.PrepareNextCertN(certPath, index);
ISet criticalExtensions1 = cert.GetCriticalExtensionOids();
if (criticalExtensions1 != null)
{
criticalExtensions1 = new HashSet(criticalExtensions1);
// these extensions are handled by the algorithm
criticalExtensions1.Remove(X509Extensions.KeyUsage.Id);
criticalExtensions1.Remove(X509Extensions.CertificatePolicies.Id);
criticalExtensions1.Remove(X509Extensions.PolicyMappings.Id);
criticalExtensions1.Remove(X509Extensions.InhibitAnyPolicy.Id);
criticalExtensions1.Remove(X509Extensions.IssuingDistributionPoint.Id);
criticalExtensions1.Remove(X509Extensions.DeltaCrlIndicator.Id);
criticalExtensions1.Remove(X509Extensions.PolicyConstraints.Id);
criticalExtensions1.Remove(X509Extensions.BasicConstraints.Id);
criticalExtensions1.Remove(X509Extensions.SubjectAlternativeName.Id);
criticalExtensions1.Remove(X509Extensions.NameConstraints.Id);
}
else
{
criticalExtensions1 = new HashSet();
}
// (o)
Rfc3280CertPathUtilities.PrepareNextCertO(certPath, index, criticalExtensions1, pathCheckers);
// set signing certificate for next round
sign = cert;
// (c)
workingIssuerName = sign.SubjectDN;
// (d)
try
{
workingPublicKey = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, index);
}
catch (PkixCertPathValidatorException e)
{
throw new PkixCertPathValidatorException("Next working key could not be retrieved.", e, certPath, index);
}
/*workingAlgId = */ PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
// (f)
// workingPublicKeyAlgorithm = workingAlgId.ObjectID;
// (e)
// workingPublicKeyParameters = workingAlgId.Parameters;
}
}
//
// 6.1.5 Wrap-up procedure
//
explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, cert);
explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, index + 1, explicitPolicy);
//
// (c) (d) and (e) are already done
//
//
// (f)
//
ISet criticalExtensions = cert.GetCriticalExtensionOids();
if (criticalExtensions != null)
{
criticalExtensions = new HashSet(criticalExtensions);
// Requires .Id
// these extensions are handled by the algorithm
criticalExtensions.Remove(X509Extensions.KeyUsage.Id);
criticalExtensions.Remove(X509Extensions.CertificatePolicies.Id);
criticalExtensions.Remove(X509Extensions.PolicyMappings.Id);
criticalExtensions.Remove(X509Extensions.InhibitAnyPolicy.Id);
criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id);
criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id);
criticalExtensions.Remove(X509Extensions.PolicyConstraints.Id);
criticalExtensions.Remove(X509Extensions.BasicConstraints.Id);
criticalExtensions.Remove(X509Extensions.SubjectAlternativeName.Id);
criticalExtensions.Remove(X509Extensions.NameConstraints.Id);
criticalExtensions.Remove(X509Extensions.CrlDistributionPoints.Id);
}
else
{
criticalExtensions = new HashSet();
}
Rfc3280CertPathUtilities.WrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions);
PkixPolicyNode intersection = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, userInitialPolicySet,
index + 1, policyNodes, validPolicyTree, acceptablePolicies);
if ((explicitPolicy > 0) || (intersection != null))
{
return(new PkixCertPathValidatorResult(trust, intersection, cert.GetPublicKey()));
}
throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, index);
}
internal static PkixPolicyNode PrepareCertB(
PkixCertPath certPath,
int index,
IList[] policyNodes,
PkixPolicyNode validPolicyTree,
int policyMapping)
//throws CertPathValidatorException
{
IList certs = certPath.Certificates;
X509Certificate cert = (X509Certificate)certs[index];
int n = certs.Count;
// i as defined in the algorithm description
int i = n - index;
// (b)
//
Asn1Sequence pm = null;
try
{
pm = (Asn1Sequence)Asn1Sequence.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.PolicyMappings));
}
catch (Exception ex)
{
throw new PkixCertPathValidatorException(
"Policy mappings extension could not be decoded.", ex, certPath, index);
}
PkixPolicyNode _validPolicyTree = validPolicyTree;
if (pm != null)
{
Asn1Sequence mappings = (Asn1Sequence)pm;
IDictionary m_idp = Platform.CreateHashtable();
ISet s_idp = new HashSet();
for (int j = 0; j < mappings.Count; j++)
{
Asn1Sequence mapping = (Asn1Sequence) mappings[j];
string id_p = ((DerObjectIdentifier) mapping[0]).Id;
string sd_p = ((DerObjectIdentifier) mapping[1]).Id;
ISet tmp;
if (!m_idp.Contains(id_p))
{
tmp = new HashSet();
tmp.Add(sd_p);
m_idp[id_p] = tmp;
s_idp.Add(id_p);
}
else
{
tmp = (ISet)m_idp[id_p];
tmp.Add(sd_p);
}
}
IEnumerator it_idp = s_idp.GetEnumerator();
while (it_idp.MoveNext())
{
string id_p = (string)it_idp.Current;
//
// (1)
//
if (policyMapping > 0)
{
bool idp_found = false;
IEnumerator nodes_i = policyNodes[i].GetEnumerator();
while (nodes_i.MoveNext())
{
PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current;
if (node.ValidPolicy.Equals(id_p))
{
idp_found = true;
node.ExpectedPolicies = (ISet)m_idp[id_p];
break;
}
}
if (!idp_found)
{
nodes_i = policyNodes[i].GetEnumerator();
while (nodes_i.MoveNext())
{
PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current;
if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(node.ValidPolicy))
{
ISet pq = null;
Asn1Sequence policies = null;
try
{
policies = (Asn1Sequence)PkixCertPathValidatorUtilities.GetExtensionValue(cert,
X509Extensions.CertificatePolicies);
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Certificate policies extension could not be decoded.", e, certPath, index);
}
foreach (Asn1Encodable ae in policies)
{
PolicyInformation pinfo = null;
try
{
pinfo = PolicyInformation.GetInstance(ae.ToAsn1Object());
}
catch (Exception ex)
{
throw new PkixCertPathValidatorException(
"Policy information could not be decoded.", ex, certPath, index);
}
if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(pinfo.PolicyIdentifier.Id))
{
try
{
pq = PkixCertPathValidatorUtilities
.GetQualifierSet(pinfo.PolicyQualifiers);
}
catch (PkixCertPathValidatorException ex)
{
throw new PkixCertPathValidatorException(
"Policy qualifier info set could not be decoded.", ex, certPath,
index);
}
break;
}
}
bool ci = false;
ISet critExtOids = cert.GetCriticalExtensionOids();
if (critExtOids != null)
{
ci = critExtOids.Contains(X509Extensions.CertificatePolicies.Id);
}
PkixPolicyNode p_node = (PkixPolicyNode)node.Parent;
if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(p_node.ValidPolicy))
{
PkixPolicyNode c_node = new PkixPolicyNode(Platform.CreateArrayList(), i,
(ISet)m_idp[id_p], p_node, pq, id_p, ci);
p_node.AddChild(c_node);
policyNodes[i].Add(c_node);
}
break;
}
}
}
//
// (2)
//
}
else if (policyMapping <= 0)
{
foreach (PkixPolicyNode node in Platform.CreateArrayList(policyNodes[i]))
{
if (node.ValidPolicy.Equals(id_p))
{
node.Parent.RemoveChild(node);
for (int k = i - 1; k >= 0; k--)
{
foreach (PkixPolicyNode node2 in Platform.CreateArrayList(policyNodes[k]))
{
if (!node2.HasChildren)
{
_validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(
_validPolicyTree, policyNodes, node2);
if (_validPolicyTree == null)
break;
}
}
}
}
}
}
}
}
return _validPolicyTree;
}
internal static void ProcessCertF(
PkixCertPath certPath,
int index,
PkixPolicyNode validPolicyTree,
int explicitPolicy)
{
//
// (f)
//
if (explicitPolicy <= 0 && validPolicyTree == null)
{
throw new PkixCertPathValidatorException(
"No valid policy tree found when one expected.", null, certPath, index);
}
}
internal static DateTime GetValidCertDateFromValidityModel(
PkixParameters paramsPkix,
PkixCertPath certPath,
int index)
{
if (paramsPkix.ValidityModel != PkixParameters.ChainValidityModel)
{
return GetValidDate(paramsPkix);
}
// if end cert use given signing/encryption/... time
if (index <= 0)
{
return PkixCertPathValidatorUtilities.GetValidDate(paramsPkix);
// else use time when previous cert was created
}
if (index - 1 == 0)
{
DerGeneralizedTime dateOfCertgen = null;
try
{
X509Certificate cert = (X509Certificate)certPath.Certificates[index - 1];
Asn1OctetString extVal = cert.GetExtensionValue(
IsisMttObjectIdentifiers.IdIsisMttATDateOfCertGen);
dateOfCertgen = DerGeneralizedTime.GetInstance(extVal);
}
catch (ArgumentException)
{
throw new Exception(
"Date of cert gen extension could not be read.");
}
if (dateOfCertgen != null)
{
try
{
return dateOfCertgen.ToDateTime();
}
catch (ArgumentException e)
{
throw new Exception(
"Date from date of cert gen extension could not be parsed.",
e);
}
}
}
return ((X509Certificate)certPath.Certificates[index - 1]).NotBefore;
}
internal static int PrepareNextCertI2(
PkixCertPath certPath,
int index,
int policyMapping)
//throws CertPathValidatorException
{
IList certs = certPath.Certificates;
X509Certificate cert = (X509Certificate)certs[index];
//
// (i)
//
Asn1Sequence pc = null;
try
{
pc = DerSequence.GetInstance(
PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.PolicyConstraints));
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Policy constraints extension cannot be decoded.", e, certPath, index);
}
int tmpInt;
if (pc != null)
{
IEnumerator policyConstraints = pc.GetEnumerator();
while (policyConstraints.MoveNext())
{
try
{
Asn1TaggedObject constraint = Asn1TaggedObject.GetInstance(policyConstraints.Current);
if (constraint.TagNo == 1)
{
tmpInt = DerInteger.GetInstance(constraint, false).Value.IntValue;
if (tmpInt < policyMapping)
{
return tmpInt;
}
break;
}
}
catch (ArgumentException e)
{
throw new PkixCertPathValidatorException(
"Policy constraints extension contents cannot be decoded.", e, certPath, index);
}
}
}
return policyMapping;
}
private PkixCertPathBuilderResult Build(IX509AttributeCertificate attrCert, X509Certificate tbvCert, PkixBuilderParameters pkixParams, global::System.Collections.IList tbvPath)
{
if (tbvPath.Contains((object)tbvCert))
{
return(null);
}
if (pkixParams.GetExcludedCerts().Contains(tbvCert))
{
return(null);
}
if (pkixParams.MaxPathLength != -1 && ((global::System.Collections.ICollection)tbvPath).get_Count() - 1 > pkixParams.MaxPathLength)
{
return(null);
}
tbvPath.Add((object)tbvCert);
PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
PkixAttrCertPathValidator pkixAttrCertPathValidator = new PkixAttrCertPathValidator();
try
{
if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
{
PkixCertPath certPath = new PkixCertPath((global::System.Collections.ICollection)tbvPath);
PkixCertPathValidatorResult pkixCertPathValidatorResult;
try
{
pkixCertPathValidatorResult = pkixAttrCertPathValidator.Validate(certPath, pkixParams);
}
catch (global::System.Exception ex)
{
throw new global::System.Exception("Certification path could not be validated.", ex);
}
return(new PkixCertPathBuilderResult(certPath, pkixCertPathValidatorResult.TrustAnchor, pkixCertPathValidatorResult.PolicyTree, pkixCertPathValidatorResult.SubjectPublicKey));
}
try
{
PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams);
}
catch (CertificateParsingException ex2)
{
throw new global::System.Exception("No additional X.509 stores can be added from certificate locations.", (global::System.Exception)ex2);
}
ISet set = new HashSet();
try
{
set.AddAll((global::System.Collections.IEnumerable)PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
}
catch (global::System.Exception ex3)
{
throw new global::System.Exception("Cannot find issuer certificate for certificate in certification path.", ex3);
}
if (set.IsEmpty)
{
throw new global::System.Exception("No issuer certificate for certificate in certification path found.");
}
global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)set).GetEnumerator();
try
{
while (enumerator.MoveNext())
{
X509Certificate x509Certificate = (X509Certificate)enumerator.get_Current();
if (!PkixCertPathValidatorUtilities.IsSelfIssued(x509Certificate))
{
pkixCertPathBuilderResult = Build(attrCert, x509Certificate, pkixParams, tbvPath);
if (pkixCertPathBuilderResult != null)
{
break;
}
}
}
}
finally
{
global::System.IDisposable disposable = enumerator as global::System.IDisposable;
if (disposable != null)
{
disposable.Dispose();
}
}
}
catch (global::System.Exception ex4)
{
certPathException = new global::System.Exception("No valid certification path could be build.", ex4);
}
if (pkixCertPathBuilderResult == null)
{
tbvPath.Remove((object)tbvCert);
}
return(pkixCertPathBuilderResult);
}
internal static int PrepareNextCertJ(
PkixCertPath certPath,
int index,
int inhibitAnyPolicy)
//throws CertPathValidatorException
{
IList certs = certPath.Certificates;
X509Certificate cert = (X509Certificate)certs[index];
//
// (j)
//
DerInteger iap = null;
try
{
iap = DerInteger.GetInstance(
PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.InhibitAnyPolicy));
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Inhibit any-policy extension cannot be decoded.", e, certPath, index);
}
if (iap != null)
{
int _inhibitAnyPolicy = iap.Value.IntValue;
if (_inhibitAnyPolicy < inhibitAnyPolicy)
return _inhibitAnyPolicy;
}
return inhibitAnyPolicy;
}
internal static PkixCertPathValidatorResult ProcessAttrCert2(
PkixCertPath certPath,
PkixParameters pkixParams)
{
PkixCertPathValidator validator = new PkixCertPathValidator();
try
{
return validator.Validate(certPath, pkixParams);
}
catch (PkixCertPathValidatorException e)
{
throw new PkixCertPathValidatorException(
"Certification path for issuer certificate of attribute certificate could not be validated.",
e);
}
}
internal static int PrepareNextCertL(
PkixCertPath certPath,
int index,
int maxPathLength)
//throws CertPathValidatorException
{
IList certs = certPath.Certificates;
X509Certificate cert = (X509Certificate)certs[index];
//
// (l)
//
if (!PkixCertPathValidatorUtilities.IsSelfIssued(cert))
{
if (maxPathLength <= 0)
{
throw new PkixCertPathValidatorException("Max path length not greater than zero", null, certPath, index);
}
return maxPathLength - 1;
}
return maxPathLength;
}
public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters paramsPkix)
{
if (paramsPkix.GetTrustAnchors() == null)
{
throw new ArgumentException("trustAnchors is null, this is not allowed for certification path validation.", "parameters");
}
IList certificates = certPath.Certificates;
int count = certificates.Count;
if (certificates.Count == 0)
{
throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);
}
ISet initialPolicies = paramsPkix.GetInitialPolicies();
TrustAnchor trustAnchor;
try
{
trustAnchor = PkixCertPathValidatorUtilities.FindTrustAnchor((X509Certificate)certificates[certificates.Count - 1], paramsPkix.GetTrustAnchors());
}
catch (Exception ex)
{
throw new PkixCertPathValidatorException(ex.Message, ex, certPath, certificates.Count - 1);
}
if (trustAnchor == null)
{
throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
}
int i = 0;
IList[] array = new IList[count + 1];
for (int j = 0; j < array.Length; j++)
{
array[j] = Platform.CreateArrayList();
}
ISet set = new HashSet();
set.Add(Rfc3280CertPathUtilities.ANY_POLICY);
PkixPolicyNode pkixPolicyNode = new PkixPolicyNode(Platform.CreateArrayList(), 0, set, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, false);
array[0].Add(pkixPolicyNode);
PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();
ISet acceptablePolicies = new HashSet();
int num;
if (paramsPkix.IsExplicitPolicyRequired)
{
num = 0;
}
else
{
num = count + 1;
}
int inhibitAnyPolicy;
if (paramsPkix.IsAnyPolicyInhibited)
{
inhibitAnyPolicy = 0;
}
else
{
inhibitAnyPolicy = count + 1;
}
int policyMapping;
if (paramsPkix.IsPolicyMappingInhibited)
{
policyMapping = 0;
}
else
{
policyMapping = count + 1;
}
X509Certificate x509Certificate = trustAnchor.TrustedCert;
X509Name workingIssuerName;
AsymmetricKeyParameter asymmetricKeyParameter;
try
{
if (x509Certificate != null)
{
workingIssuerName = x509Certificate.SubjectDN;
asymmetricKeyParameter = x509Certificate.GetPublicKey();
}
else
{
workingIssuerName = new X509Name(trustAnchor.CAName);
asymmetricKeyParameter = trustAnchor.CAPublicKey;
}
}
catch (ArgumentException cause)
{
throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", cause, certPath, -1);
}
try
{
PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter);
}
catch (PkixCertPathValidatorException cause2)
{
throw new PkixCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", cause2, certPath, -1);
}
int maxPathLength = count;
X509CertStoreSelector targetCertConstraints = paramsPkix.GetTargetCertConstraints();
if (targetCertConstraints != null && !targetCertConstraints.Match((X509Certificate)certificates[0]))
{
throw new PkixCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
}
IList certPathCheckers = paramsPkix.GetCertPathCheckers();
IEnumerator enumerator = certPathCheckers.GetEnumerator();
while (enumerator.MoveNext())
{
((PkixCertPathChecker)enumerator.Current).Init(false);
}
X509Certificate x509Certificate2 = null;
for (i = certificates.Count - 1; i >= 0; i--)
{
int num2 = count - i;
x509Certificate2 = (X509Certificate)certificates[i];
Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, i, asymmetricKeyParameter, workingIssuerName, x509Certificate);
Rfc3280CertPathUtilities.ProcessCertBC(certPath, i, nameConstraintValidator);
pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertD(certPath, i, acceptablePolicies, pkixPolicyNode, array, inhibitAnyPolicy);
pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertE(certPath, i, pkixPolicyNode);
Rfc3280CertPathUtilities.ProcessCertF(certPath, i, pkixPolicyNode, num);
if (num2 != count)
{
if (x509Certificate2 != null && x509Certificate2.Version == 1)
{
throw new PkixCertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, certPath, i);
}
Rfc3280CertPathUtilities.PrepareNextCertA(certPath, i);
pkixPolicyNode = Rfc3280CertPathUtilities.PrepareCertB(certPath, i, array, pkixPolicyNode, policyMapping);
Rfc3280CertPathUtilities.PrepareNextCertG(certPath, i, nameConstraintValidator);
num = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, i, num);
policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, i, policyMapping);
inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, i, inhibitAnyPolicy);
num = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, i, num);
policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, i, policyMapping);
inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, i, inhibitAnyPolicy);
Rfc3280CertPathUtilities.PrepareNextCertK(certPath, i);
maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, i, maxPathLength);
maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, i, maxPathLength);
Rfc3280CertPathUtilities.PrepareNextCertN(certPath, i);
ISet set2 = x509Certificate2.GetCriticalExtensionOids();
if (set2 != null)
{
set2 = new HashSet(set2);
set2.Remove(X509Extensions.KeyUsage.Id);
set2.Remove(X509Extensions.CertificatePolicies.Id);
set2.Remove(X509Extensions.PolicyMappings.Id);
set2.Remove(X509Extensions.InhibitAnyPolicy.Id);
set2.Remove(X509Extensions.IssuingDistributionPoint.Id);
set2.Remove(X509Extensions.DeltaCrlIndicator.Id);
set2.Remove(X509Extensions.PolicyConstraints.Id);
set2.Remove(X509Extensions.BasicConstraints.Id);
set2.Remove(X509Extensions.SubjectAlternativeName.Id);
set2.Remove(X509Extensions.NameConstraints.Id);
}
else
{
set2 = new HashSet();
}
Rfc3280CertPathUtilities.PrepareNextCertO(certPath, i, set2, certPathCheckers);
x509Certificate = x509Certificate2;
workingIssuerName = x509Certificate.SubjectDN;
try
{
asymmetricKeyParameter = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, i);
}
catch (PkixCertPathValidatorException cause3)
{
throw new PkixCertPathValidatorException("Next working key could not be retrieved.", cause3, certPath, i);
}
PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter);
}
}
num = Rfc3280CertPathUtilities.WrapupCertA(num, x509Certificate2);
num = Rfc3280CertPathUtilities.WrapupCertB(certPath, i + 1, num);
ISet set3 = x509Certificate2.GetCriticalExtensionOids();
if (set3 != null)
{
set3 = new HashSet(set3);
set3.Remove(X509Extensions.KeyUsage.Id);
set3.Remove(X509Extensions.CertificatePolicies.Id);
set3.Remove(X509Extensions.PolicyMappings.Id);
set3.Remove(X509Extensions.InhibitAnyPolicy.Id);
set3.Remove(X509Extensions.IssuingDistributionPoint.Id);
set3.Remove(X509Extensions.DeltaCrlIndicator.Id);
set3.Remove(X509Extensions.PolicyConstraints.Id);
set3.Remove(X509Extensions.BasicConstraints.Id);
set3.Remove(X509Extensions.SubjectAlternativeName.Id);
set3.Remove(X509Extensions.NameConstraints.Id);
set3.Remove(X509Extensions.CrlDistributionPoints.Id);
}
else
{
set3 = new HashSet();
}
Rfc3280CertPathUtilities.WrapupCertF(certPath, i + 1, certPathCheckers, set3);
PkixPolicyNode pkixPolicyNode2 = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, initialPolicies, i + 1, array, pkixPolicyNode, acceptablePolicies);
if (num > 0 || pkixPolicyNode2 != null)
{
return(new PkixCertPathValidatorResult(trustAnchor, pkixPolicyNode2, x509Certificate2.GetPublicKey()));
}
throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, i);
}
internal static void PrepareNextCertN(
PkixCertPath certPath,
int index)
//throws CertPathValidatorException
{
IList certs = certPath.Certificates;
X509Certificate cert = (X509Certificate)certs[index];
//
// (n)
//
bool[] _usage = cert.GetKeyUsage();
if ((_usage != null) && !_usage[Rfc3280CertPathUtilities.KEY_CERT_SIGN])
{
throw new PkixCertPathValidatorException(
"Issuer certificate keyusage extension is critical and does not permit key signing.", null,
certPath, index);
}
}
public PkixCertPath(ICollection certificates)
{
this.certificates = PkixCertPath.SortCerts(Platform.CreateArrayList(certificates));
}
internal static int PrepareNextCertH2(
PkixCertPath certPath,
int index,
int policyMapping)
{
IList certs = certPath.Certificates;
X509Certificate cert = (X509Certificate)certs[index];
//
// (h)
//
if (!PkixCertPathValidatorUtilities.IsSelfIssued(cert))
{
//
// (2)
//
if (policyMapping != 0)
return policyMapping - 1;
}
return policyMapping;
}
private PkixCertPathBuilderResult Build(IX509AttributeCertificate attrCert, X509Certificate tbvCert, PkixBuilderParameters pkixParams, IList tbvPath)
{
if (tbvPath.Contains(tbvCert))
{
return(null);
}
if (pkixParams.GetExcludedCerts().Contains(tbvCert))
{
return(null);
}
if (pkixParams.MaxPathLength != -1 && tbvPath.Count - 1 > pkixParams.MaxPathLength)
{
return(null);
}
tbvPath.Add(tbvCert);
PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
PkixAttrCertPathValidator pkixAttrCertPathValidator = new PkixAttrCertPathValidator();
try
{
if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
{
PkixCertPath certPath = new PkixCertPath(tbvPath);
PkixCertPathValidatorResult pkixCertPathValidatorResult;
try
{
pkixCertPathValidatorResult = pkixAttrCertPathValidator.Validate(certPath, pkixParams);
}
catch (Exception innerException)
{
throw new Exception("Certification path could not be validated.", innerException);
}
return(new PkixCertPathBuilderResult(certPath, pkixCertPathValidatorResult.TrustAnchor, pkixCertPathValidatorResult.PolicyTree, pkixCertPathValidatorResult.SubjectPublicKey));
}
try
{
PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams);
}
catch (CertificateParsingException innerException2)
{
throw new Exception("No additional X.509 stores can be added from certificate locations.", innerException2);
}
ISet set = new HashSet();
try
{
set.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
}
catch (Exception innerException3)
{
throw new Exception("Cannot find issuer certificate for certificate in certification path.", innerException3);
}
if (set.IsEmpty)
{
throw new Exception("No issuer certificate for certificate in certification path found.");
}
foreach (X509Certificate x509Certificate in set)
{
if (!PkixCertPathValidatorUtilities.IsSelfIssued(x509Certificate))
{
pkixCertPathBuilderResult = this.Build(attrCert, x509Certificate, pkixParams, tbvPath);
if (pkixCertPathBuilderResult != null)
{
break;
}
}
}
}
catch (Exception innerException4)
{
this.certPathException = new Exception("No valid certification path could be build.", innerException4);
}
if (pkixCertPathBuilderResult == null)
{
tbvPath.Remove(tbvCert);
}
return(pkixCertPathBuilderResult);
}
internal static int WrapupCertB(
PkixCertPath certPath,
int index,
int explicitPolicy)
//throws CertPathValidatorException
{
IList certs = certPath.Certificates;
X509Certificate cert = (X509Certificate)certs[index];
//
// (b)
//
int tmpInt;
Asn1Sequence pc = null;
try
{
pc = DerSequence.GetInstance(
PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.PolicyConstraints));
}
catch (Exception e)
{
throw new PkixCertPathValidatorException("Policy constraints could not be decoded.", e, certPath, index);
}
if (pc != null)
{
IEnumerator policyConstraints = pc.GetEnumerator();
while (policyConstraints.MoveNext())
{
Asn1TaggedObject constraint = (Asn1TaggedObject)policyConstraints.Current;
switch (constraint.TagNo)
{
case 0:
try
{
tmpInt = DerInteger.GetInstance(constraint, false).Value.IntValue;
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Policy constraints requireExplicitPolicy field could not be decoded.", e, certPath,
index);
}
if (tmpInt == 0)
{
return 0;
}
break;
}
}
}
return explicitPolicy;
}
public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters paramsPkix)
{
//IL_0012: Unknown result type (might be due to invalid IL or missing references)
//IL_0170: Expected O, but got Unknown
if (paramsPkix.GetTrustAnchors() == null)
{
throw new ArgumentException("trustAnchors is null, this is not allowed for certification path validation.", "parameters");
}
global::System.Collections.IList certificates = certPath.Certificates;
int count = ((global::System.Collections.ICollection)certificates).get_Count();
if (((global::System.Collections.ICollection)certificates).get_Count() == 0)
{
throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);
}
ISet initialPolicies = paramsPkix.GetInitialPolicies();
TrustAnchor trustAnchor;
try
{
trustAnchor = PkixCertPathValidatorUtilities.FindTrustAnchor((X509Certificate)certificates.get_Item(((global::System.Collections.ICollection)certificates).get_Count() - 1), paramsPkix.GetTrustAnchors());
}
catch (global::System.Exception ex)
{
throw new PkixCertPathValidatorException(ex.get_Message(), ex, certPath, ((global::System.Collections.ICollection)certificates).get_Count() - 1);
}
if (trustAnchor == null)
{
throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
}
int num = 0;
global::System.Collections.IList[] array = new global::System.Collections.IList[count + 1];
for (int i = 0; i < array.Length; i++)
{
array[i] = Platform.CreateArrayList();
}
ISet set = new HashSet();
set.Add(Rfc3280CertPathUtilities.ANY_POLICY);
PkixPolicyNode pkixPolicyNode = new PkixPolicyNode(Platform.CreateArrayList(), 0, set, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, critical: false);
array[0].Add((object)pkixPolicyNode);
PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();
ISet acceptablePolicies = new HashSet();
int explicitPolicy = ((!paramsPkix.IsExplicitPolicyRequired) ? (count + 1) : 0);
int inhibitAnyPolicy = ((!paramsPkix.IsAnyPolicyInhibited) ? (count + 1) : 0);
int policyMapping = ((!paramsPkix.IsPolicyMappingInhibited) ? (count + 1) : 0);
X509Certificate x509Certificate = trustAnchor.TrustedCert;
X509Name workingIssuerName;
AsymmetricKeyParameter asymmetricKeyParameter;
try
{
if (x509Certificate != null)
{
workingIssuerName = x509Certificate.SubjectDN;
asymmetricKeyParameter = x509Certificate.GetPublicKey();
}
else
{
workingIssuerName = new X509Name(trustAnchor.CAName);
asymmetricKeyParameter = trustAnchor.CAPublicKey;
}
}
catch (ArgumentException val)
{
ArgumentException cause = val;
throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", (global::System.Exception)(object) cause, certPath, -1);
}
try
{
PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter);
}
catch (PkixCertPathValidatorException cause2)
{
throw new PkixCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", cause2, certPath, -1);
}
int maxPathLength = count;
X509CertStoreSelector targetCertConstraints = paramsPkix.GetTargetCertConstraints();
if (targetCertConstraints != null && !targetCertConstraints.Match((X509Certificate)certificates.get_Item(0)))
{
throw new PkixCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
}
global::System.Collections.IList certPathCheckers = paramsPkix.GetCertPathCheckers();
global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)certPathCheckers).GetEnumerator();
while (enumerator.MoveNext())
{
((PkixCertPathChecker)enumerator.get_Current()).Init(forward: false);
}
X509Certificate x509Certificate2 = null;
for (num = ((global::System.Collections.ICollection)certificates).get_Count() - 1; num >= 0; num--)
{
int num2 = count - num;
x509Certificate2 = (X509Certificate)certificates.get_Item(num);
Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, num, asymmetricKeyParameter, workingIssuerName, x509Certificate);
Rfc3280CertPathUtilities.ProcessCertBC(certPath, num, nameConstraintValidator);
pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertD(certPath, num, acceptablePolicies, pkixPolicyNode, array, inhibitAnyPolicy);
pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertE(certPath, num, pkixPolicyNode);
Rfc3280CertPathUtilities.ProcessCertF(certPath, num, pkixPolicyNode, explicitPolicy);
if (num2 != count)
{
if (x509Certificate2 != null && x509Certificate2.Version == 1)
{
throw new PkixCertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, certPath, num);
}
Rfc3280CertPathUtilities.PrepareNextCertA(certPath, num);
pkixPolicyNode = Rfc3280CertPathUtilities.PrepareCertB(certPath, num, array, pkixPolicyNode, policyMapping);
Rfc3280CertPathUtilities.PrepareNextCertG(certPath, num, nameConstraintValidator);
explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, num, explicitPolicy);
policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, num, policyMapping);
inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, num, inhibitAnyPolicy);
explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, num, explicitPolicy);
policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, num, policyMapping);
inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, num, inhibitAnyPolicy);
Rfc3280CertPathUtilities.PrepareNextCertK(certPath, num);
maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, num, maxPathLength);
maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, num, maxPathLength);
Rfc3280CertPathUtilities.PrepareNextCertN(certPath, num);
ISet criticalExtensionOids = x509Certificate2.GetCriticalExtensionOids();
if (criticalExtensionOids != null)
{
criticalExtensionOids = new HashSet(criticalExtensionOids);
criticalExtensionOids.Remove(X509Extensions.KeyUsage.Id);
criticalExtensionOids.Remove(X509Extensions.CertificatePolicies.Id);
criticalExtensionOids.Remove(X509Extensions.PolicyMappings.Id);
criticalExtensionOids.Remove(X509Extensions.InhibitAnyPolicy.Id);
criticalExtensionOids.Remove(X509Extensions.IssuingDistributionPoint.Id);
criticalExtensionOids.Remove(X509Extensions.DeltaCrlIndicator.Id);
criticalExtensionOids.Remove(X509Extensions.PolicyConstraints.Id);
criticalExtensionOids.Remove(X509Extensions.BasicConstraints.Id);
criticalExtensionOids.Remove(X509Extensions.SubjectAlternativeName.Id);
criticalExtensionOids.Remove(X509Extensions.NameConstraints.Id);
}
else
{
criticalExtensionOids = new HashSet();
}
Rfc3280CertPathUtilities.PrepareNextCertO(certPath, num, criticalExtensionOids, certPathCheckers);
x509Certificate = x509Certificate2;
workingIssuerName = x509Certificate.SubjectDN;
try
{
asymmetricKeyParameter = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, num);
}
catch (PkixCertPathValidatorException cause3)
{
throw new PkixCertPathValidatorException("Next working key could not be retrieved.", cause3, certPath, num);
}
PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter);
}
}
explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, x509Certificate2);
explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, num + 1, explicitPolicy);
ISet criticalExtensionOids2 = x509Certificate2.GetCriticalExtensionOids();
if (criticalExtensionOids2 != null)
{
criticalExtensionOids2 = new HashSet(criticalExtensionOids2);
criticalExtensionOids2.Remove(X509Extensions.KeyUsage.Id);
criticalExtensionOids2.Remove(X509Extensions.CertificatePolicies.Id);
criticalExtensionOids2.Remove(X509Extensions.PolicyMappings.Id);
criticalExtensionOids2.Remove(X509Extensions.InhibitAnyPolicy.Id);
criticalExtensionOids2.Remove(X509Extensions.IssuingDistributionPoint.Id);
criticalExtensionOids2.Remove(X509Extensions.DeltaCrlIndicator.Id);
criticalExtensionOids2.Remove(X509Extensions.PolicyConstraints.Id);
criticalExtensionOids2.Remove(X509Extensions.BasicConstraints.Id);
criticalExtensionOids2.Remove(X509Extensions.SubjectAlternativeName.Id);
criticalExtensionOids2.Remove(X509Extensions.NameConstraints.Id);
criticalExtensionOids2.Remove(X509Extensions.CrlDistributionPoints.Id);
}
else
{
criticalExtensionOids2 = new HashSet();
}
Rfc3280CertPathUtilities.WrapupCertF(certPath, num + 1, certPathCheckers, criticalExtensionOids2);
PkixPolicyNode pkixPolicyNode2 = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, initialPolicies, num + 1, array, pkixPolicyNode, acceptablePolicies);
if (explicitPolicy > 0 || pkixPolicyNode2 != null)
{
return(new PkixCertPathValidatorResult(trustAnchor, pkixPolicyNode2, x509Certificate2.GetPublicKey()));
}
throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, num);
}
internal static PkixPolicyNode WrapupCertG(
PkixCertPath certPath,
PkixParameters paramsPKIX,
ISet userInitialPolicySet,
int index,
IList[] policyNodes,
PkixPolicyNode validPolicyTree,
ISet acceptablePolicies)
{
int n = certPath.Certificates.Count;
//
// (g)
//
PkixPolicyNode intersection;
//
// (g) (i)
//
if (validPolicyTree == null)
{
if (paramsPKIX.IsExplicitPolicyRequired)
{
throw new PkixCertPathValidatorException(
"Explicit policy requested but none available.", null, certPath, index);
}
intersection = null;
}
else if (PkixCertPathValidatorUtilities.IsAnyPolicy(userInitialPolicySet)) // (g)
// (ii)
{
if (paramsPKIX.IsExplicitPolicyRequired)
{
if (acceptablePolicies.IsEmpty)
{
throw new PkixCertPathValidatorException(
"Explicit policy requested but none available.", null, certPath, index);
}
else
{
ISet _validPolicyNodeSet = new HashSet();
for (int j = 0; j < policyNodes.Length; j++)
{
IList _nodeDepth = policyNodes[j];
for (int k = 0; k < _nodeDepth.Count; k++)
{
PkixPolicyNode _node = (PkixPolicyNode)_nodeDepth[k];
if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(_node.ValidPolicy))
{
foreach (object o in _node.Children)
{
_validPolicyNodeSet.Add(o);
}
}
}
}
foreach (PkixPolicyNode _node in _validPolicyNodeSet)
{
string _validPolicy = _node.ValidPolicy;
if (!acceptablePolicies.Contains(_validPolicy))
{
// TODO?
// validPolicyTree =
// removePolicyNode(validPolicyTree, policyNodes,
// _node);
}
}
if (validPolicyTree != null)
{
for (int j = (n - 1); j >= 0; j--)
{
IList nodes = policyNodes[j];
for (int k = 0; k < nodes.Count; k++)
{
PkixPolicyNode node = (PkixPolicyNode)nodes[k];
if (!node.HasChildren)
{
validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree,
policyNodes, node);
}
}
}
}
}
}
intersection = validPolicyTree;
}
else
{
//
// (g) (iii)
//
// This implementation is not exactly same as the one described in
// RFC3280.
// However, as far as the validation result is concerned, both
// produce
// adequate result. The only difference is whether AnyPolicy is
// remain
// in the policy tree or not.
//
// (g) (iii) 1
//
ISet _validPolicyNodeSet = new HashSet();
for (int j = 0; j < policyNodes.Length; j++)
{
IList _nodeDepth = policyNodes[j];
for (int k = 0; k < _nodeDepth.Count; k++)
{
PkixPolicyNode _node = (PkixPolicyNode)_nodeDepth[k];
if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(_node.ValidPolicy))
{
foreach (PkixPolicyNode _c_node in _node.Children)
{
if (!Rfc3280CertPathUtilities.ANY_POLICY.Equals(_c_node.ValidPolicy))
{
_validPolicyNodeSet.Add(_c_node);
}
}
}
}
}
//
// (g) (iii) 2
//
IEnumerator _vpnsIter = _validPolicyNodeSet.GetEnumerator();
while (_vpnsIter.MoveNext())
{
PkixPolicyNode _node = (PkixPolicyNode)_vpnsIter.Current;
string _validPolicy = _node.ValidPolicy;
if (!userInitialPolicySet.Contains(_validPolicy))
{
validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree, policyNodes, _node);
}
}
//
// (g) (iii) 4
//
if (validPolicyTree != null)
{
for (int j = (n - 1); j >= 0; j--)
{
IList nodes = policyNodes[j];
for (int k = 0; k < nodes.Count; k++)
{
PkixPolicyNode node = (PkixPolicyNode)nodes[k];
if (!node.HasChildren)
{
validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree, policyNodes,
node);
}
}
}
}
intersection = validPolicyTree;
}
return intersection;
}
/**
* Performs checks on the specified attribute certificate. Every handled
* extension is rmeoved from the <code>unresolvedCritExts</code>
* collection.
*
* @param attrCert The attribute certificate to be checked.
* @param certPath The certificate path which belongs to the attribute
* certificate issuer public key certificate.
* @param holderCertPath The certificate path which belongs to the holder
* certificate.
* @param unresolvedCritExts a <code>Collection</code> of OID strings
* representing the current set of unresolved critical extensions
* @throws CertPathValidatorException if the specified attribute certificate
* does not pass the check.
*/
public abstract void Check(IX509AttributeCertificate attrCert, PkixCertPath certPath,
PkixCertPath holderCertPath, ICollection unresolvedCritExts);
internal static PkixPolicyNode ProcessCertE(
PkixCertPath certPath,
int index,
PkixPolicyNode validPolicyTree)
{
IList certs = certPath.Certificates;
X509Certificate cert = (X509Certificate)certs[index];
//
// (e)
//
Asn1Sequence certPolicies = null;
try
{
certPolicies = DerSequence.GetInstance(
PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.CertificatePolicies));
}
catch (Exception e)
{
throw new PkixCertPathValidatorException("Could not read certificate policies extension from certificate.",
e, certPath, index);
}
if (certPolicies == null)
{
validPolicyTree = null;
}
return validPolicyTree;
}
public virtual PkixCertPathValidatorResult Validate(
PkixCertPath certPath,
PkixParameters paramsPkix)
{
if (paramsPkix.GetTrustAnchors() == null)
{
throw new ArgumentException(
@"trustAnchors is null, this is not allowed for certification path validation.",
"parameters");
}
//
// 6.1.1 - inputs
//
//
// (a)
//
IList certs = certPath.Certificates;
int n = certs.Count;
if (certs.Count == 0)
throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);
//
// (b)
//
// DateTime validDate = PkixCertPathValidatorUtilities.GetValidDate(paramsPkix);
//
// (c)
//
ISet userInitialPolicySet = paramsPkix.GetInitialPolicies();
//
// (d)
//
TrustAnchor trust;
try
{
trust = PkixCertPathValidatorUtilities.FindTrustAnchor(
(X509Certificate)certs[certs.Count - 1],
paramsPkix.GetTrustAnchors());
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(e.Message, e, certPath, certs.Count - 1);
}
if (trust == null)
throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
//
// (e), (f), (g) are part of the paramsPkix object.
//
IEnumerator certIter;
int index = 0;
int i;
// Certificate for each interation of the validation loop
// Signature information for each iteration of the validation loop
//
// 6.1.2 - setup
//
//
// (a)
//
IList[] policyNodes = new IList[n + 1];
for (int j = 0; j < policyNodes.Length; j++)
{
policyNodes[j] = Platform.CreateArrayList();
}
ISet policySet = new HashSet();
policySet.Add(Rfc3280CertPathUtilities.ANY_POLICY);
PkixPolicyNode validPolicyTree = new PkixPolicyNode(Platform.CreateArrayList(), 0, policySet, null, new HashSet(),
Rfc3280CertPathUtilities.ANY_POLICY, false);
policyNodes[0].Add(validPolicyTree);
//
// (b) and (c)
//
PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();
// (d)
//
int explicitPolicy;
ISet acceptablePolicies = new HashSet();
if (paramsPkix.IsExplicitPolicyRequired)
{
explicitPolicy = 0;
}
else
{
explicitPolicy = n + 1;
}
//
// (e)
//
int inhibitAnyPolicy;
if (paramsPkix.IsAnyPolicyInhibited)
{
inhibitAnyPolicy = 0;
}
else
{
inhibitAnyPolicy = n + 1;
}
//
// (f)
//
int policyMapping;
if (paramsPkix.IsPolicyMappingInhibited)
{
policyMapping = 0;
}
else
{
policyMapping = n + 1;
}
//
// (g), (h), (i), (j)
//
IAsymmetricKeyParameter workingPublicKey;
X509Name workingIssuerName;
X509Certificate sign = trust.TrustedCert;
try
{
if (sign != null)
{
workingIssuerName = sign.SubjectDN;
workingPublicKey = sign.GetPublicKey();
}
else
{
workingIssuerName = new X509Name(trust.CAName);
workingPublicKey = trust.CAPublicKey;
}
}
catch (ArgumentException ex)
{
throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath,
-1);
}
AlgorithmIdentifier workingAlgId = null;
try
{
workingAlgId = PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
}
catch (PkixCertPathValidatorException e)
{
throw new PkixCertPathValidatorException(
"Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1);
}
// DerObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.ObjectID;
// Asn1Encodable workingPublicKeyParameters = workingAlgId.Parameters;
//
// (k)
//
int maxPathLength = n;
//
// 6.1.3
//
X509CertStoreSelector certConstraints = paramsPkix.GetTargetCertConstraints();
if (certConstraints != null && !certConstraints.Match((X509Certificate)certs[0]))
{
throw new PkixCertPathValidatorException(
"Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
}
//
// initialize CertPathChecker's
//
IList pathCheckers = paramsPkix.GetCertPathCheckers();
certIter = pathCheckers.GetEnumerator();
while (certIter.MoveNext())
{
((PkixCertPathChecker)certIter.Current).Init(false);
}
X509Certificate cert = null;
for (index = certs.Count - 1; index >= 0; index--)
{
// try
// {
//
// i as defined in the algorithm description
//
i = n - index;
//
// set certificate to be checked in this round
// sign and workingPublicKey and workingIssuerName are set
// at the end of the for loop and initialized the
// first time from the TrustAnchor
//
cert = (X509Certificate)certs[index];
//
// 6.1.3
//
Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, index, workingPublicKey,
workingIssuerName, sign);
Rfc3280CertPathUtilities.ProcessCertBC(certPath, index, nameConstraintValidator);
validPolicyTree = Rfc3280CertPathUtilities.ProcessCertD(certPath, index,
acceptablePolicies, validPolicyTree, policyNodes, inhibitAnyPolicy);
validPolicyTree = Rfc3280CertPathUtilities.ProcessCertE(certPath, index, validPolicyTree);
Rfc3280CertPathUtilities.ProcessCertF(certPath, index, validPolicyTree, explicitPolicy);
//
// 6.1.4
//
if (i != n)
{
if (cert != null && cert.Version == 1)
{
throw new PkixCertPathValidatorException(
"Version 1 certificates can't be used as CA ones.", null, certPath, index);
}
Rfc3280CertPathUtilities.PrepareNextCertA(certPath, index);
validPolicyTree = Rfc3280CertPathUtilities.PrepareCertB(certPath, index, policyNodes,
validPolicyTree, policyMapping);
Rfc3280CertPathUtilities.PrepareNextCertG(certPath, index, nameConstraintValidator);
// (h)
explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, index, explicitPolicy);
policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, index, policyMapping);
inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, index, inhibitAnyPolicy);
//
// (i)
//
explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, index, explicitPolicy);
policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, index, policyMapping);
// (j)
inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, index, inhibitAnyPolicy);
// (k)
Rfc3280CertPathUtilities.PrepareNextCertK(certPath, index);
// (l)
maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, index, maxPathLength);
// (m)
maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, index, maxPathLength);
// (n)
Rfc3280CertPathUtilities.PrepareNextCertN(certPath, index);
ISet criticalExtensions1 = cert.GetCriticalExtensionOids();
if (criticalExtensions1 != null)
{
criticalExtensions1 = new HashSet(criticalExtensions1);
// these extensions are handled by the algorithm
criticalExtensions1.Remove(X509Extensions.KeyUsage.Id);
criticalExtensions1.Remove(X509Extensions.CertificatePolicies.Id);
criticalExtensions1.Remove(X509Extensions.PolicyMappings.Id);
criticalExtensions1.Remove(X509Extensions.InhibitAnyPolicy.Id);
criticalExtensions1.Remove(X509Extensions.IssuingDistributionPoint.Id);
criticalExtensions1.Remove(X509Extensions.DeltaCrlIndicator.Id);
criticalExtensions1.Remove(X509Extensions.PolicyConstraints.Id);
criticalExtensions1.Remove(X509Extensions.BasicConstraints.Id);
criticalExtensions1.Remove(X509Extensions.SubjectAlternativeName.Id);
criticalExtensions1.Remove(X509Extensions.NameConstraints.Id);
}
else
{
criticalExtensions1 = new HashSet();
}
// (o)
Rfc3280CertPathUtilities.PrepareNextCertO(certPath, index, criticalExtensions1, pathCheckers);
// set signing certificate for next round
sign = cert;
// (c)
workingIssuerName = sign.SubjectDN;
// (d)
try
{
workingPublicKey = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, index);
}
catch (PkixCertPathValidatorException e)
{
throw new PkixCertPathValidatorException("Next working key could not be retrieved.", e, certPath, index);
}
workingAlgId = PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
// (f)
// workingPublicKeyAlgorithm = workingAlgId.ObjectID;
// (e)
// workingPublicKeyParameters = workingAlgId.Parameters;
}
}
//
// 6.1.5 Wrap-up procedure
//
explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, cert);
explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, index + 1, explicitPolicy);
//
// (c) (d) and (e) are already done
//
//
// (f)
//
ISet criticalExtensions = cert.GetCriticalExtensionOids();
if (criticalExtensions != null)
{
criticalExtensions = new HashSet(criticalExtensions);
// Requires .Id
// these extensions are handled by the algorithm
criticalExtensions.Remove(X509Extensions.KeyUsage.Id);
criticalExtensions.Remove(X509Extensions.CertificatePolicies.Id);
criticalExtensions.Remove(X509Extensions.PolicyMappings.Id);
criticalExtensions.Remove(X509Extensions.InhibitAnyPolicy.Id);
criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id);
criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id);
criticalExtensions.Remove(X509Extensions.PolicyConstraints.Id);
criticalExtensions.Remove(X509Extensions.BasicConstraints.Id);
criticalExtensions.Remove(X509Extensions.SubjectAlternativeName.Id);
criticalExtensions.Remove(X509Extensions.NameConstraints.Id);
criticalExtensions.Remove(X509Extensions.CrlDistributionPoints.Id);
}
else
{
criticalExtensions = new HashSet();
}
Rfc3280CertPathUtilities.WrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions);
PkixPolicyNode intersection = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, userInitialPolicySet,
index + 1, policyNodes, validPolicyTree, acceptablePolicies);
if ((explicitPolicy > 0) || (intersection != null))
{
return new PkixCertPathValidatorResult(trust, intersection, cert.GetPublicKey());
}
throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, index);
}
internal static PkixPolicyNode ProcessCertD(
PkixCertPath certPath,
int index,
ISet acceptablePolicies,
PkixPolicyNode validPolicyTree,
IList[] policyNodes,
int inhibitAnyPolicy)
//throws CertPathValidatorException
{
IList certs = certPath.Certificates;
X509Certificate cert = (X509Certificate)certs[index];
int n = certs.Count;
// i as defined in the algorithm description
int i = n - index;
//
// (d) policy Information checking against initial policy and
// policy mapping
//
Asn1Sequence certPolicies = null;
try
{
certPolicies = DerSequence.GetInstance(
PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.CertificatePolicies));
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Could not read certificate policies extension from certificate.", e, certPath, index);
}
if (certPolicies != null && validPolicyTree != null)
{
//
// (d) (1)
//
ISet pols = new HashSet();
foreach (Asn1Encodable ae in certPolicies)
{
PolicyInformation pInfo = PolicyInformation.GetInstance(ae.ToAsn1Object());
DerObjectIdentifier pOid = pInfo.PolicyIdentifier;
pols.Add(pOid.Id);
if (!Rfc3280CertPathUtilities.ANY_POLICY.Equals(pOid.Id))
{
ISet pq = null;
try
{
pq = PkixCertPathValidatorUtilities.GetQualifierSet(pInfo.PolicyQualifiers);
}
catch (PkixCertPathValidatorException ex)
{
throw new PkixCertPathValidatorException(
"Policy qualifier info set could not be build.", ex, certPath, index);
}
bool match = PkixCertPathValidatorUtilities.ProcessCertD1i(i, policyNodes, pOid, pq);
if (!match)
{
PkixCertPathValidatorUtilities.ProcessCertD1ii(i, policyNodes, pOid, pq);
}
}
}
if (acceptablePolicies.IsEmpty || acceptablePolicies.Contains(Rfc3280CertPathUtilities.ANY_POLICY))
{
acceptablePolicies.Clear();
acceptablePolicies.AddAll(pols);
}
else
{
ISet t1 = new HashSet();
foreach (object o in acceptablePolicies)
{
if (pols.Contains(o))
{
t1.Add(o);
}
}
acceptablePolicies.Clear();
acceptablePolicies.AddAll(t1);
}
//
// (d) (2)
//
if ((inhibitAnyPolicy > 0) || ((i < n) && PkixCertPathValidatorUtilities.IsSelfIssued(cert)))
{
foreach (Asn1Encodable ae in certPolicies)
{
PolicyInformation pInfo = PolicyInformation.GetInstance(ae.ToAsn1Object());
if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(pInfo.PolicyIdentifier.Id))
{
ISet _apq = PkixCertPathValidatorUtilities.GetQualifierSet(pInfo.PolicyQualifiers);
IList _nodes = policyNodes[i - 1];
for (int k = 0; k < _nodes.Count; k++)
{
PkixPolicyNode _node = (PkixPolicyNode)_nodes[k];
IEnumerator _policySetIter = _node.ExpectedPolicies.GetEnumerator();
while (_policySetIter.MoveNext())
{
object _tmp = _policySetIter.Current;
string _policy;
if (_tmp is string)
{
_policy = (string)_tmp;
}
else if (_tmp is DerObjectIdentifier)
{
_policy = ((DerObjectIdentifier)_tmp).Id;
}
else
{
continue;
}
bool _found = false;
foreach (PkixPolicyNode _child in _node.Children)
{
if (_policy.Equals(_child.ValidPolicy))
{
_found = true;
}
}
if (!_found)
{
ISet _newChildExpectedPolicies = new HashSet();
_newChildExpectedPolicies.Add(_policy);
PkixPolicyNode _newChild = new PkixPolicyNode(Platform.CreateArrayList(), i,
_newChildExpectedPolicies, _node, _apq, _policy, false);
_node.AddChild(_newChild);
policyNodes[i].Add(_newChild);
}
}
}
break;
}
}
}
PkixPolicyNode _validPolicyTree = validPolicyTree;
//
// (d) (3)
//
for (int j = (i - 1); j >= 0; j--)
{
IList nodes = policyNodes[j];
for (int k = 0; k < nodes.Count; k++)
{
PkixPolicyNode node = (PkixPolicyNode)nodes[k];
if (!node.HasChildren)
{
_validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(_validPolicyTree, policyNodes,
node);
if (_validPolicyTree == null)
{
break;
}
}
}
}
//
// d (4)
//
ISet criticalExtensionOids = cert.GetCriticalExtensionOids();
if (criticalExtensionOids != null)
{
bool critical = criticalExtensionOids.Contains(X509Extensions.CertificatePolicies.Id);
IList nodes = policyNodes[i];
for (int j = 0; j < nodes.Count; j++)
{
PkixPolicyNode node = (PkixPolicyNode)nodes[j];
node.IsCritical = critical;
}
}
return _validPolicyTree;
}
return null;
}
protected virtual PkixCertPathBuilderResult Build(
X509Certificate tbvCert,
PkixBuilderParameters pkixParams,
IList tbvPath)
{
// If tbvCert is readily present in tbvPath, it indicates having run
// into a cycle in the PKI graph.
if (tbvPath.Contains(tbvCert))
{
return(null);
}
// step out, the certificate is not allowed to appear in a certification
// chain.
if (pkixParams.GetExcludedCerts().Contains(tbvCert))
{
return(null);
}
// test if certificate path exceeds maximum length
if (pkixParams.MaxPathLength != -1)
{
if (tbvPath.Count - 1 > pkixParams.MaxPathLength)
{
return(null);
}
}
tbvPath.Add(tbvCert);
X509CertificateParser certParser = new X509CertificateParser();
PkixCertPathBuilderResult builderResult = null;
PkixCertPathValidator validator = new PkixCertPathValidator();
try
{
// check whether the issuer of <tbvCert> is a TrustAnchor
if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
{
// exception message from possibly later tried certification
// chains
PkixCertPath certPath = null;
try
{
certPath = new PkixCertPath(tbvPath);
}
catch (Exception e)
{
throw new Exception(
"Certification path could not be constructed from certificate list.",
e);
}
PkixCertPathValidatorResult result = null;
try
{
result = (PkixCertPathValidatorResult)validator.Validate(
certPath, pkixParams);
}
catch (Exception e)
{
throw new Exception(
"Certification path could not be validated.", e);
}
return(new PkixCertPathBuilderResult(certPath, result.TrustAnchor,
result.PolicyTree, result.SubjectPublicKey));
}
else
{
// add additional X.509 stores from locations in certificate
try
{
PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(
tbvCert, pkixParams);
}
catch (CertificateParsingException e)
{
throw new Exception(
"No additiontal X.509 stores can be added from certificate locations.",
e);
}
// try to get the issuer certificate from one of the stores
HashSet issuers = new HashSet();
try
{
issuers.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
}
catch (Exception e)
{
throw new Exception(
"Cannot find issuer certificate for certificate in certification path.",
e);
}
if (issuers.IsEmpty)
{
throw new Exception("No issuer certificate for certificate in certification path found.");
}
foreach (X509Certificate issuer in issuers)
{
builderResult = Build(issuer, pkixParams, tbvPath);
if (builderResult != null)
{
break;
}
}
}
}
catch (Exception e)
{
certPathException = e;
}
if (builderResult == null)
{
tbvPath.Remove(tbvCert);
}
return(builderResult);
}
