/// <summary>
/// Validates an attribute certificate against the certification path of its issuer.
/// </summary>
/// <remarks>
/// The target constraints of <paramref name="pkixParams"/> must be an
/// <see cref="X509AttrCertStoreSelector"/>; the attribute certificate to validate is
/// taken from that selector, not from <paramref name="certPath"/>. The first
/// certificate of <paramref name="certPath"/> is treated as the issuer certificate.
/// Step 6 (target information) is not repeated here because the selector already
/// performs it.
/// </remarks>
/// <param name="certPath">Certification path of the attribute certificate issuer's public key certificate.</param>
/// <param name="pkixParams">The PKIX parameters.</param>
/// <returns>The <see cref="PkixCertPathValidatorResult"/> produced by validating <paramref name="certPath"/>.</returns>
/// <exception cref="ArgumentException">If the target constraints are not an <see cref="X509AttrCertStoreSelector"/>.</exception>
/// <exception cref="PkixCertPathValidatorException">If one of the checks fails or the validity date cannot be determined.</exception>
public virtual PkixCertPathValidatorResult Validate(
    PkixCertPath certPath,
    PkixParameters pkixParams)
{
    X509AttrCertStoreSelector selector = pkixParams.GetTargetConstraints() as X509AttrCertStoreSelector;
    if (selector == null)
    {
        throw new ArgumentException(
            "TargetConstraints must be an instance of " + typeof(X509AttrCertStoreSelector).FullName,
            "pkixParams");
    }

    IX509AttributeCertificate attrCert = selector.AttributeCert;

    // Holder path first, then the issuer's own certification path; the latter
    // yields the result handed back to the caller.
    PkixCertPath holderCertPath = Rfc3281CertPathUtilities.ProcessAttrCert1(attrCert, pkixParams);
    PkixCertPathValidatorResult issuerPathResult = Rfc3281CertPathUtilities.ProcessAttrCert2(certPath, pkixParams);

    X509Certificate issuerCert = (X509Certificate)certPath.Certificates[0];
    Rfc3281CertPathUtilities.ProcessAttrCert3(issuerCert, pkixParams);
    Rfc3281CertPathUtilities.ProcessAttrCert4(issuerCert, pkixParams);
    Rfc3281CertPathUtilities.ProcessAttrCert5(attrCert, pkixParams);
    // Step 6 is already performed by X509AttrCertStoreSelector.
    Rfc3281CertPathUtilities.ProcessAttrCert7(attrCert, certPath, holderCertPath, pkixParams);
    Rfc3281CertPathUtilities.AdditionalChecks(attrCert, pkixParams);

    // No path index applies to the attribute certificate itself, hence (null, -1).
    DateTime validityDate;
    try
    {
        validityDate = PkixCertPathValidatorUtilities.GetValidCertDateFromValidityModel(pkixParams, null, -1);
    }
    catch (Exception e)
    {
        throw new PkixCertPathValidatorException(
            "Could not get validity date from attribute certificate.", e);
    }

    Rfc3281CertPathUtilities.CheckCrls(attrCert, pkixParams, issuerCert, validityDate, certPath.Certificates);

    return issuerPathResult;
}
/// <summary>
/// Validates the attribute certificate carried by the target constraints of
/// <paramref name="pkixParams"/> (which must be an <see cref="X509AttrCertStoreSelector"/>),
/// using <paramref name="certPath"/> as the issuer certification path. The first
/// certificate of the path is taken as the issuer certificate.
/// </summary>
/// <param name="certPath">Certification path of the attribute certificate issuer.</param>
/// <param name="pkixParams">The PKIX parameters.</param>
/// <returns>The result of validating <paramref name="certPath"/>.</returns>
/// <exception cref="ArgumentException">If the target constraints are not an <see cref="X509AttrCertStoreSelector"/>.</exception>
/// <exception cref="PkixCertPathValidatorException">If a check fails or no validity date can be determined.</exception>
public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters pkixParams)
{
    IX509Selector constraints = pkixParams.GetTargetConstraints();
    if (!(constraints is X509AttrCertStoreSelector))
    {
        throw new ArgumentException("TargetConstraints must be an instance of " + typeof(X509AttrCertStoreSelector).FullName, "pkixParams");
    }

    IX509AttributeCertificate attrCert = ((X509AttrCertStoreSelector)constraints).AttributeCert;
    PkixCertPath holderPath = Rfc3281CertPathUtilities.ProcessAttrCert1(attrCert, pkixParams);
    PkixCertPathValidatorResult pathResult = Rfc3281CertPathUtilities.ProcessAttrCert2(certPath, pkixParams);

    X509Certificate acIssuer = (X509Certificate)certPath.Certificates[0];
    Rfc3281CertPathUtilities.ProcessAttrCert3(acIssuer, pkixParams);
    Rfc3281CertPathUtilities.ProcessAttrCert4(acIssuer, pkixParams);
    Rfc3281CertPathUtilities.ProcessAttrCert5(attrCert, pkixParams);
    Rfc3281CertPathUtilities.ProcessAttrCert7(attrCert, certPath, holderPath, pkixParams);
    Rfc3281CertPathUtilities.AdditionalChecks(attrCert, pkixParams);

    DateTime checkDate;
    try
    {
        // (null, -1): the attribute certificate is not part of certPath.
        checkDate = PkixCertPathValidatorUtilities.GetValidCertDateFromValidityModel(pkixParams, null, -1);
    }
    catch (Exception cause)
    {
        throw new PkixCertPathValidatorException("Could not get validity date from attribute certificate.", cause);
    }

    Rfc3281CertPathUtilities.CheckCrls(attrCert, pkixParams, acIssuer, checkDate, certPath.Certificates);
    return pathResult;
}
/// <summary>
/// Handles the critical extensions of an attribute certificate: a critical target
/// information extension is decoded (to prove it is readable), every configured
/// <see cref="PkixAttrCertChecker"/> is run and may consume extensions from the set,
/// and any critical extension still unhandled afterwards causes rejection.
/// </summary>
/// <param name="attrCert">The attribute certificate under validation.</param>
/// <param name="certPath">Issuer certification path, passed through to the checkers.</param>
/// <param name="holderCertPath">Holder certification path, passed through to the checkers.</param>
/// <param name="pkixParams">Parameters supplying the attribute certificate checkers.</param>
/// <exception cref="PkixCertPathValidatorException">If the target information extension cannot be decoded, or unsupported critical extensions remain.</exception>
internal static void ProcessAttrCert7(IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams)
{
    ISet unhandledCritical = attrCert.GetCriticalExtensionOids();
    string targetInfoOid = X509Extensions.TargetInformation.Id;

    if (unhandledCritical.Contains(targetInfoOid))
    {
        try
        {
            TargetInformation.GetInstance(
                PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.TargetInformation));
        }
        catch (Exception cause)
        {
            throw new PkixCertPathValidatorException("Target information extension could not be read.", cause);
        }
    }

    // Target information counts as handled regardless of whether it was present.
    unhandledCritical.Remove(targetInfoOid);

    foreach (PkixAttrCertChecker checker in pkixParams.GetAttrCertCheckers())
    {
        checker.Check(attrCert, certPath, holderCertPath, unhandledCritical);
    }

    if (!unhandledCritical.IsEmpty)
    {
        throw new PkixCertPathValidatorException("Attribute certificate contains unsupported critical extensions: " + unhandledCritical);
    }
}
/// <summary>
/// Validates <paramref name="certificate"/> against the configured chain.
/// </summary>
/// <remarks>
/// The first element of <c>_chain</c> becomes the sole trust anchor; the remaining
/// chain certificates followed by <paramref name="certificate"/> form the
/// certification path. Revocation checking is switched off
/// (<c>IsRevocationEnabled = false</c>), so no CRL is consulted. Any exception raised
/// while building or validating the path is captured in the returned result rather
/// than propagated.
/// </remarks>
/// <param name="certificate">The certificate to validate; must not be null.</param>
/// <returns>A <see cref="CertificateValidationResult"/> wrapping either the PKIX result or the failure.</returns>
/// <exception cref="ArgumentNullException">If <paramref name="certificate"/> is null.</exception>
public CertificateValidationResult Validate(Certificate certificate)
{
    if (certificate == null)
        throw new ArgumentNullException("certificate");

    try
    {
        // Bouncy Castle view of the chain: anchor first, target last.
        List<X509Certificate> allCerts = _chain.Select(c => c.BouncyX509Certificate).ToList();
        allCerts.Add(certificate.BouncyX509Certificate);

        IX509Store certStore = X509StoreFactory.Create(
            "Certificate/Collection",
            new X509CollectionStoreParameters(allCerts));

        // Everything except the anchor is part of the path under validation.
        PkixCertPath certPath = new PkixCertPath(allCerts.Skip(1).ToList());

        ISet trustAnchors = new HashSet();
        trustAnchors.Add(new TrustAnchor(allCerts.First(), null));

        PkixParameters parameters = new PkixParameters(trustAnchors);
        parameters.AddStore(certStore);
        parameters.IsRevocationEnabled = false; // no CRL/revocation checking here

        PkixCertPathValidator validator = new PkixCertPathValidator();
        PkixCertPathValidatorResult pkixResult = validator.Validate(certPath, parameters);
        return new CertificateValidationResult(pkixResult);
    }
    catch (Exception failure)
    {
        return new CertificateValidationResult(failure);
    }
}
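/// <summary>
/// Two certification paths are equal when their certificate lists have the same
/// length and are pairwise equal (by <see cref="object.Equals(object, object)"/>).
/// </summary>
/// <param name="obj">The object to compare with this path.</param>
/// <returns>true if <paramref name="obj"/> is a <see cref="PkixCertPath"/> with an equal certificate list; false otherwise.</returns>
public override bool Equals(object obj)
{
    if (ReferenceEquals(this, obj))
    {
        return true;
    }

    PkixCertPath other = obj as PkixCertPath;
    if (other == null)
    {
        return false;
    }

    IList thisCerts = this.Certificates;
    IList otherCerts = other.Certificates;
    if (thisCerts.Count != otherCerts.Count)
    {
        return false;
    }

    // Walk both lists in lock step. The second enumerator must come from the
    // OTHER path; enumerating this path twice would make any two paths of equal
    // length compare equal.
    IEnumerator e1 = thisCerts.GetEnumerator();
    IEnumerator e2 = otherCerts.GetEnumerator();
    while (e1.MoveNext())
    {
        e2.MoveNext();
        if (!object.Equals(e1.Current, e2.Current))
        {
            return false;
        }
    }

    return true;
}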
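/// <summary>
/// Compares this certification path with <paramref name="obj"/>: equal when the
/// other object is a <see cref="PkixCertPath"/> whose certificate list has the same
/// length and pairwise equal elements.
/// </summary>
/// <param name="obj">The object to compare with this path.</param>
/// <returns>true if the certificate lists are equal; false otherwise.</returns>
public override bool Equals(object obj)
{
    if (ReferenceEquals(this, obj))
    {
        return true;
    }

    PkixCertPath other = obj as PkixCertPath;
    if (other == null)
    {
        return false;
    }

    IList thisCerts = Certificates;
    IList otherCerts = other.Certificates;
    if (thisCerts.Count != otherCerts.Count)
    {
        return false;
    }

    // The second enumerator must iterate the OTHER path's certificates; iterating
    // this path twice made every equal-length path compare equal.
    IEnumerator e1 = thisCerts.GetEnumerator();
    IEnumerator e2 = otherCerts.GetEnumerator();
    while (e1.MoveNext())
    {
        e2.MoveNext();
        if (!object.Equals(e1.Current, e2.Current))
        {
            return false;
        }
    }

    return true;
}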
/// <summary>
/// Creates a builder result for the given path; anchor, policy tree and subject
/// public key are handed to the validator-result base class.
/// </summary>
/// <param name="certPath">The certification path that was built; must not be null.</param>
/// <param name="trustAnchor">The trust anchor the path terminates at.</param>
/// <param name="policyTree">The resulting policy tree.</param>
/// <param name="subjectPublicKey">The subject public key of the target certificate.</param>
/// <exception cref="ArgumentNullException">If <paramref name="certPath"/> is null.</exception>
public PkixCertPathBuilderResult(PkixCertPath certPath, TrustAnchor trustAnchor, PkixPolicyNode policyTree, AsymmetricKeyParameter subjectPublicKey)
    : base(trustAnchor, policyTree, subjectPublicKey)
{
    if (certPath == null)
        throw new ArgumentNullException("certPath");

    this.certPath = certPath;
}
/// <summary>
/// Builder result: stores the built path and forwards anchor, policy tree and
/// subject public key to the base class.
/// </summary>
/// <param name="certPath">The built certification path; required.</param>
/// <param name="trustAnchor">Trust anchor reached by the path.</param>
/// <param name="policyTree">Policy tree produced by validation.</param>
/// <param name="subjectPublicKey">Public key of the path's subject.</param>
/// <exception cref="ArgumentNullException">If <paramref name="certPath"/> is null.</exception>
public PkixCertPathBuilderResult(PkixCertPath certPath, TrustAnchor trustAnchor, PkixPolicyNode policyTree, AsymmetricKeyParameter subjectPublicKey)
    : base(trustAnchor, policyTree, subjectPublicKey)
{
    if (certPath == null)
    {
        throw new ArgumentNullException("certPath");
    }

    this.certPath = certPath;
}
/// <summary>
/// Creates a builder result holding <paramref name="certPath"/>; the remaining
/// arguments are passed to the base validator result.
/// </summary>
/// <param name="certPath">The built certification path; must not be null.</param>
/// <param name="trustAnchor">The trust anchor of the path.</param>
/// <param name="policyTree">The policy tree.</param>
/// <param name="subjectPublicKey">The subject public key.</param>
/// <exception cref="ArgumentNullException">If <paramref name="certPath"/> is null.</exception>
public PkixCertPathBuilderResult(
    PkixCertPath certPath,
    TrustAnchor trustAnchor,
    PkixPolicyNode policyTree,
    AsymmetricKeyParameter subjectPublicKey)
    : base(trustAnchor, policyTree, subjectPublicKey)
{
    if (certPath == null)
    {
        throw new ArgumentNullException("certPath");
    }

    this.certPath = certPath;
}
/// <summary>
/// Validates the certification path of the attribute certificate issuer with a
/// fresh <see cref="PkixCertPathValidator"/>.
/// </summary>
/// <param name="certPath">The issuer's certification path.</param>
/// <param name="pkixParams">The PKIX parameters.</param>
/// <returns>The validator result for <paramref name="certPath"/>.</returns>
/// <exception cref="PkixCertPathValidatorException">If validation fails; the original exception is attached as the cause.</exception>
internal static PkixCertPathValidatorResult ProcessAttrCert2(PkixCertPath certPath, PkixParameters pkixParams)
{
    try
    {
        return new PkixCertPathValidator().Validate(certPath, pkixParams);
    }
    catch (PkixCertPathValidatorException inner)
    {
        throw new PkixCertPathValidatorException("Certification path for issuer certificate of attribute certificate could not be validated.", inner);
    }
}
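/// <summary>
/// Creates a <c>PkixCertPathValidatorException</c> with the specified detail
/// message, cause, certification path and index.
/// </summary>
/// <param name="message">the detail message (or null if none)</param>
/// <param name="cause">the cause (or null if none)</param>
/// <param name="certPath">the certification path being validated when the error occurred (or null if none)</param>
/// <param name="index">index of the offending certificate in <paramref name="certPath"/>, or -1 if not applicable</param>
/// <exception cref="ArgumentNullException">if <paramref name="certPath"/> is null while <paramref name="index"/> is not -1</exception>
/// <exception cref="IndexOutOfRangeException">if <paramref name="index"/> is below -1 or beyond the end of <paramref name="certPath"/></exception>
public PkixCertPathValidatorException(string message, Exception cause, PkixCertPath certPath, int index)
    : base(message)
{
    if (certPath == null && index != -1)
    {
        // Parameter name first: the single-string overload interprets its argument
        // as the parameter name, which previously garbled the message.
        throw new ArgumentNullException("certPath", "certPath = null and index != -1");
    }
    if (index < -1 || (certPath != null && index >= certPath.Certificates.Count))
    {
        // IndexOutOfRangeException is kept for compatibility with existing callers,
        // although ArgumentOutOfRangeException would be the idiomatic type.
        throw new IndexOutOfRangeException(" index < -1 or out of bound of certPath.getCertificates()");
    }
    this.cause = cause;
    this.certPath = certPath;
    this.index = index;
}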
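/// <summary>
/// Determines the date at which the certificate at <paramref name="index"/> of
/// <paramref name="certPath"/> must be valid.
/// </summary>
/// <remarks>
/// Under the PKIX validity model, and for the end certificate (index &lt;= 0),
/// the validation date from the parameters is used. Under the chain validity model
/// the previous certificate's date is used instead: for index 1 the ISIS-MTT
/// DateOfCertGen extension of certificate 0 is consulted first, and in all other
/// cases (or when that extension is absent) the NotBefore of certificate index-1.
/// </remarks>
/// <param name="paramsPkix">PKIX parameters; supplies the validity model and validation date.</param>
/// <param name="certPath">The path being validated. Only read under the chain model for index &gt; 0, so it may be null otherwise.</param>
/// <param name="index">Index of the certificate whose validity date is sought.</param>
/// <returns>The date to check the certificate's validity against.</returns>
/// <exception cref="Exception">If the DateOfCertGen extension cannot be read or parsed; the underlying <see cref="ArgumentException"/> is attached as the cause.</exception>
internal static DateTime GetValidCertDateFromValidityModel(
    PkixParameters paramsPkix,
    PkixCertPath certPath,
    int index)
{
    // PKIX model, or end certificate: use the given signing/encryption/... time.
    if (paramsPkix.ValidityModel != PkixParameters.ChainValidityModel || index <= 0)
    {
        return GetValidDate(paramsPkix);
    }

    // Chain model: use the time when the previous certificate was created.
    if (index == 1)
    {
        DerGeneralizedTime dateOfCertgen;
        try
        {
            X509Certificate cert = (X509Certificate)certPath.Certificates[index - 1];
            Asn1OctetString extVal = cert.GetExtensionValue(
                IsisMttObjectIdentifiers.IdIsisMttATDateOfCertGen);
            dateOfCertgen = DerGeneralizedTime.GetInstance(extVal);
        }
        catch (ArgumentException e)
        {
            // Keep the decoding failure as the cause instead of discarding it.
            throw new Exception(
                "Date of cert gen extension could not be read.", e);
        }

        // Null here presumably means the extension is absent; fall through to NotBefore.
        if (dateOfCertgen != null)
        {
            try
            {
                return dateOfCertgen.ToDateTime();
            }
            catch (ArgumentException e)
            {
                throw new Exception(
                    "Date from date of cert gen extension could not be parsed.", e);
            }
        }
    }

    return ((X509Certificate)certPath.Certificates[index - 1]).NotBefore;
}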
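/// <summary>
/// Creates a <c>PkixCertPathValidatorException</c> with the given detail message,
/// cause, certification path and index of the offending certificate.
/// </summary>
/// <param name="message">the detail message (or null if none)</param>
/// <param name="cause">the cause (or null if none)</param>
/// <param name="certPath">the path being validated when the error occurred (or null if none)</param>
/// <param name="index">index into <paramref name="certPath"/>, or -1 if not applicable</param>
/// <exception cref="ArgumentNullException">if <paramref name="certPath"/> is null while <paramref name="index"/> is not -1</exception>
/// <exception cref="IndexOutOfRangeException">if <paramref name="index"/> is below -1 or not a valid position in <paramref name="certPath"/></exception>
public PkixCertPathValidatorException(string message, Exception cause, PkixCertPath certPath, int index)
    : base(message)
{
    if (certPath == null && index != -1)
    {
        // Use the (paramName, message) overload: the single-argument form takes a
        // parameter name, so the descriptive text was being reported as one.
        throw new ArgumentNullException("certPath", "certPath = null and index != -1");
    }
    if (index < -1 || (certPath != null && index >= certPath.Certificates.Count))
    {
        // Exception type retained for compatibility with existing callers.
        throw new IndexOutOfRangeException(" index < -1 or out of bound of certPath.getCertificates()");
    }
    this.cause = cause;
    this.certPath = certPath;
    this.index = index;
}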
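/// <summary>
/// Compares this certification path for equality with the specified object.
/// Two paths are equal if and only if their certificate lists (and by implication
/// the certificates in those lists) are equal. A path is never equal to an object
/// that is not a <see cref="PkixCertPath"/>.
/// </summary>
/// <remarks>
/// If this method is overridden, the behavior specified here must be maintained.
/// </remarks>
/// <param name="obj">the object to test for equality with this certification path</param>
/// <returns>true if the specified object is equal to this certification path, false otherwise</returns>
public override bool Equals(
    object obj)
{
    if (ReferenceEquals(this, obj))
    {
        return true;
    }

    PkixCertPath other = obj as PkixCertPath;
    if (other == null)
    {
        return false;
    }

    // TODO Extract this to a utility class
    IList thisCerts = this.Certificates;
    IList otherCerts = other.Certificates;

    if (thisCerts.Count != otherCerts.Count)
    {
        return false;
    }

    // e2 must enumerate the OTHER path's list; enumerating thisCerts twice made
    // every pair of equal-length paths compare equal.
    IEnumerator e1 = thisCerts.GetEnumerator();
    IEnumerator e2 = otherCerts.GetEnumerator();

    while (e1.MoveNext())
    {
        e2.MoveNext();

        if (!Platform.Equals(e1.Current, e2.Current))
        {
            return false;
        }
    }

    return true;
}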
/// <summary>
/// Step 7: processes the attribute certificate's critical extensions. A critical
/// target information extension is decoded to ensure it is readable (its content
/// was already checked in step 6 by the store selector), the configured
/// <see cref="PkixAttrCertChecker"/>s run and may remove the extensions they
/// handle, and any critical extension left over is rejected.
/// </summary>
/// <param name="attrCert">The attribute certificate under validation.</param>
/// <param name="certPath">Issuer certification path, passed through to the checkers.</param>
/// <param name="holderCertPath">Holder certification path, passed through to the checkers.</param>
/// <param name="pkixParams">Parameters supplying the attribute certificate checkers.</param>
/// <exception cref="PkixCertPathValidatorException">If the target information extension cannot be read or unsupported critical extensions remain.</exception>
internal static void ProcessAttrCert7(
    IX509AttributeCertificate attrCert,
    PkixCertPath certPath,
    PkixCertPath holderCertPath,
    PkixParameters pkixParams)
{
    // TODO:
    // AA Controls
    // Attribute encryption
    // Proxy
    ISet remainingCritical = attrCert.GetCriticalExtensionOids();
    string targetInfoOid = X509Extensions.TargetInformation.Id;

    // 7.1 process extensions
    if (remainingCritical.Contains(targetInfoOid))
    {
        try
        {
            TargetInformation.GetInstance(PkixCertPathValidatorUtilities
                .GetExtensionValue(attrCert, X509Extensions.TargetInformation));
        }
        catch (Exception cause)
        {
            throw new PkixCertPathValidatorException(
                "Target information extension could not be read.", cause);
        }
    }

    remainingCritical.Remove(targetInfoOid);

    foreach (PkixAttrCertChecker checker in pkixParams.GetAttrCertCheckers())
    {
        checker.Check(attrCert, certPath, holderCertPath, remainingCritical);
    }

    if (!remainingCritical.IsEmpty)
    {
        throw new PkixCertPathValidatorException(
            "Attribute certificate contains unsupported critical extensions: "
                + remainingCritical);
    }
}
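/// <summary>
/// Decodes a certification path from a stream.
/// </summary>
/// <remarks>
/// <paramref name="encoding"/> is matched case-insensitively. For "PkiPath" the
/// stream must hold one ASN.1 SEQUENCE; each element is re-encoded as DER and
/// parsed as a certificate, and elements are inserted at the front so the loaded
/// list is the SEQUENCE order reversed. "PKCS7" and "PEM" are read with
/// <see cref="X509CertificateParser.ReadCertificates"/>. The certificates are then
/// ordered by <c>SortCerts</c>.
/// </remarks>
/// <param name="inStream">Stream holding the encoded path; it is not closed here.</param>
/// <param name="encoding">"PkiPath", "PKCS7" or "PEM" (any letter case).</param>
/// <exception cref="ArgumentNullException">If <paramref name="encoding"/> is null.</exception>
/// <exception cref="CertificateException">If the encoding is unsupported, the PkiPath data is not a SEQUENCE, or an I/O error occurs while decoding.</exception>
public PkixCertPath(Stream inStream, string encoding)
{
    if (encoding == null)
        throw new ArgumentNullException("encoding");

    IList certs;
    try
    {
        // Ordinal, case-insensitive matching replaces the former culture-sensitive
        // ToUpper() comparison, which misbehaves under some cultures (e.g. Turkish 'i').
        if (string.Equals(encoding, "PkiPath", StringComparison.OrdinalIgnoreCase))
        {
            // Not disposed: the reader wraps the caller-owned inStream.
            Asn1Object decoded = new Asn1InputStream(inStream).ReadObject();
            Asn1Sequence sequence = decoded as Asn1Sequence;
            if (sequence == null)
            {
                throw new CertificateException("input stream does not contain a ASN1 SEQUENCE while reading PkiPath encoded data to load CertPath");
            }

            certs = Platform.CreateArrayList();
            foreach (Asn1Encodable element in sequence)
            {
                byte[] der = element.GetEncoded("DER");
                Stream elementStream = new MemoryStream(der, false);
                // Insert at the front: reverses the order found in the SEQUENCE.
                certs.Insert(0, new X509CertificateParser().ReadCertificate(elementStream));
            }
        }
        else if (string.Equals(encoding, "PKCS7", StringComparison.OrdinalIgnoreCase)
            || string.Equals(encoding, "PEM", StringComparison.OrdinalIgnoreCase))
        {
            certs = Platform.CreateArrayList(new X509CertificateParser().ReadCertificates(inStream));
        }
        else
        {
            throw new CertificateException("unsupported encoding: " + encoding);
        }
    }
    catch (IOException ex)
    {
        throw new CertificateException("IOException throw while decoding CertPath:\n" + ex.ToString());
    }

    this.certificates = PkixCertPath.SortCerts(certs);
}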
/// <summary>
/// Validates an attribute certificate with the given certificate path.
/// </summary>
/// <remarks>
/// The target constraints in <paramref name="pkixParams"/> must be an
/// <see cref="X509AttrCertStoreSelector"/> with the attribute certificate
/// criterion set; that attribute certificate is the one validated. The first
/// certificate of <paramref name="certPath"/> is treated as the attribute
/// certificate issuer. Step 6 (target information) is left to the selector.
/// </remarks>
/// <param name="certPath">The certificate path belonging to the attribute certificate issuer's public key certificate.</param>
/// <param name="pkixParams">The PKIX parameters.</param>
/// <returns>The result of validating <paramref name="certPath"/>.</returns>
/// <exception cref="ArgumentException">If the target constraints are not an <see cref="X509AttrCertStoreSelector"/>.</exception>
/// <exception cref="PkixCertPathValidatorException">If the verification fails.</exception>
public virtual PkixCertPathValidatorResult Validate(
    PkixCertPath certPath,
    PkixParameters pkixParams)
{
    IX509Selector targetConstraints = pkixParams.GetTargetConstraints();
    X509AttrCertStoreSelector attrSelector = targetConstraints as X509AttrCertStoreSelector;
    if (attrSelector == null)
    {
        throw new ArgumentException(
            "TargetConstraints must be an instance of " + typeof(X509AttrCertStoreSelector).FullName,
            "pkixParams");
    }

    IX509AttributeCertificate attributeCert = attrSelector.AttributeCert;

    PkixCertPath holderPath = Rfc3281CertPathUtilities.ProcessAttrCert1(attributeCert, pkixParams);
    PkixCertPathValidatorResult validationResult = Rfc3281CertPathUtilities.ProcessAttrCert2(certPath, pkixParams);

    X509Certificate acIssuerCert = (X509Certificate)certPath.Certificates[0];
    Rfc3281CertPathUtilities.ProcessAttrCert3(acIssuerCert, pkixParams);
    Rfc3281CertPathUtilities.ProcessAttrCert4(acIssuerCert, pkixParams);
    Rfc3281CertPathUtilities.ProcessAttrCert5(attributeCert, pkixParams);
    // Step 6 already performed by X509AttrCertStoreSelector.
    Rfc3281CertPathUtilities.ProcessAttrCert7(attributeCert, certPath, holderPath, pkixParams);
    Rfc3281CertPathUtilities.AdditionalChecks(attributeCert, pkixParams);

    DateTime checkDate = ResolveValidityDate(pkixParams);

    Rfc3281CertPathUtilities.CheckCrls(attributeCert, pkixParams, acIssuerCert, checkDate, certPath.Certificates);

    return validationResult;
}

/// <summary>
/// Resolves the validity date for the attribute certificate itself (no path index
/// applies, hence null/-1), wrapping any failure as a validator exception.
/// </summary>
/// <param name="pkixParams">The PKIX parameters.</param>
/// <returns>The date from the validity model.</returns>
/// <exception cref="PkixCertPathValidatorException">If the date cannot be obtained.</exception>
private static DateTime ResolveValidityDate(PkixParameters pkixParams)
{
    try
    {
        return PkixCertPathValidatorUtilities.GetValidCertDateFromValidityModel(pkixParams, null, -1);
    }
    catch (Exception e)
    {
        throw new PkixCertPathValidatorException(
            "Could not get validity date from attribute certificate.", e);
    }
}
/// <summary>
/// Processes the critical extensions of an attribute certificate: decodes a
/// critical target information extension, runs every configured
/// <see cref="PkixAttrCertChecker"/> (each may remove the extensions it handles
/// from the set) and rejects the certificate if critical extensions remain.
/// </summary>
/// <param name="attrCert">The attribute certificate under validation.</param>
/// <param name="certPath">Issuer certification path handed to the checkers.</param>
/// <param name="holderCertPath">Holder certification path handed to the checkers.</param>
/// <param name="pkixParams">Parameters supplying the checkers.</param>
/// <exception cref="PkixCertPathValidatorException">If the target information extension cannot be read or unsupported critical extensions remain.</exception>
internal static void ProcessAttrCert7(IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams)
{
    ISet critical = attrCert.GetCriticalExtensionOids();

    if (critical.Contains(X509Extensions.TargetInformation.Id))
    {
        try
        {
            TargetInformation.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.TargetInformation));
        }
        catch (Exception e)
        {
            throw new PkixCertPathValidatorException("Target information extension could not be read.", e);
        }
    }
    critical.Remove(X509Extensions.TargetInformation.Id);

    // foreach disposes the enumerator when it is IDisposable, matching the
    // explicit try/finally this replaces.
    foreach (PkixAttrCertChecker checker in pkixParams.GetAttrCertCheckers())
    {
        checker.Check(attrCert, certPath, holderCertPath, critical);
    }

    if (!critical.IsEmpty)
    {
        throw new PkixCertPathValidatorException("Attribute certificate contains unsupported critical extensions: " + critical);
    }
}
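/// <summary>
/// Creates a <code>PkixCertPathValidatorException</code> with the specified
/// detail message, cause, certification path, and index.
/// </summary>
/// <param name="message">the detail message (or <code>null</code> if none)</param>
/// <param name="cause">the cause (or <code>null</code> if none)</param>
/// <param name="certPath">the certification path that was in the process of being
/// validated when the error was encountered (or <code>null</code> if none)</param>
/// <param name="index">the index of the certificate in the certification path that
/// caused the error, or -1 if not applicable</param>
/// <exception cref="ArgumentNullException">if <paramref name="certPath"/> is null while <paramref name="index"/> is not -1</exception>
/// <exception cref="IndexOutOfRangeException">if <paramref name="index"/> is below -1 or not a valid position in <paramref name="certPath"/></exception>
public PkixCertPathValidatorException(
    string message,
    Exception cause,
    PkixCertPath certPath,
    int index)
    : base(message)
{
    if (certPath == null && index != -1)
    {
        // (paramName, message) overload: the single-string constructor takes a
        // parameter name, so the descriptive text used to be reported as one.
        throw new ArgumentNullException(
            "certPath", "certPath = null and index != -1");
    }
    if (index < -1 || (certPath != null && index >= certPath.Certificates.Count))
    {
        // Kept as IndexOutOfRangeException for compatibility with existing callers.
        throw new IndexOutOfRangeException(
            " index < -1 or out of bound of certPath.getCertificates()");
    }

    this.cause = cause;
    this.certPath = certPath;
    this.index = index;
}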
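/// <summary>
/// Returns the date against which the certificate at <paramref name="index"/> of
/// <paramref name="certPath"/> is checked for validity.
/// </summary>
/// <remarks>
/// Outside the chain validity model, or for index &lt;= 0, the parameters'
/// validation date is used. In the chain model the previous certificate's date is
/// used: for index 1 the ISIS-MTT DateOfCertGen extension of certificate 0 is tried
/// first; otherwise (or when the extension is absent) the NotBefore of certificate
/// index-1.
/// </remarks>
/// <param name="paramsPkix">PKIX parameters providing the validity model and date.</param>
/// <param name="certPath">The path under validation; only read in the chain model for index &gt; 0.</param>
/// <param name="index">Index of the certificate in question.</param>
/// <returns>The validity check date.</returns>
/// <exception cref="Exception">If the DateOfCertGen extension cannot be read or parsed; the originating <see cref="ArgumentException"/> is attached as the cause.</exception>
internal static DateTime GetValidCertDateFromValidityModel(PkixParameters paramsPkix, PkixCertPath certPath, int index)
{
    // ChainValidityModel is the named form of the literal 1 used by the decompiled source.
    if (paramsPkix.ValidityModel != PkixParameters.ChainValidityModel || index <= 0)
    {
        return GetValidDate(paramsPkix);
    }

    if (index == 1)
    {
        DerGeneralizedTime dateOfCertGen;
        try
        {
            X509Certificate previous = (X509Certificate)certPath.Certificates[index - 1];
            Asn1OctetString extensionValue = previous.GetExtensionValue(IsisMttObjectIdentifiers.IdIsisMttATDateOfCertGen);
            dateOfCertGen = DerGeneralizedTime.GetInstance(extensionValue);
        }
        catch (ArgumentException e)
        {
            // Preserve the decoding failure as the cause rather than dropping it.
            throw new Exception("Date of cert gen extension could not be read.", e);
        }

        // Null presumably means the extension is absent; fall back to NotBefore.
        if (dateOfCertGen != null)
        {
            try
            {
                return dateOfCertGen.ToDateTime();
            }
            catch (ArgumentException e)
            {
                throw new Exception("Date from date of cert gen extension could not be parsed.", e);
            }
        }
    }

    return ((X509Certificate)certPath.Certificates[index - 1]).NotBefore;
}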
/// <summary>
/// Step (h)(3) of preparing for the next certificate: the inhibit-anyPolicy
/// counter is decremented for a certificate that is not self-issued, unless it is
/// already zero.
/// </summary>
/// <param name="certPath">The path under validation.</param>
/// <param name="index">Index of the certificate just processed.</param>
/// <param name="inhibitAnyPolicy">Current inhibit-anyPolicy counter.</param>
/// <returns>The updated counter.</returns>
internal static int PrepareNextCertH3(
    PkixCertPath certPath,
    int index,
    int inhibitAnyPolicy)
{
    X509Certificate current = (X509Certificate)certPath.Certificates[index];

    // (h): self-issued certificates leave the counter untouched.
    if (PkixCertPathValidatorUtilities.IsSelfIssued(current))
        return inhibitAnyPolicy;

    // (3): decrement, but never below zero.
    return inhibitAnyPolicy == 0 ? inhibitAnyPolicy : inhibitAnyPolicy - 1;
}
/// <summary>
/// Step (o): runs every <see cref="PkixCertPathChecker"/> against the certificate
/// at <paramref name="index"/>, letting each remove the critical extensions it
/// handles from <paramref name="criticalExtensions"/>, then rejects the certificate
/// if any critical extension is left unhandled.
/// </summary>
/// <param name="certPath">The path under validation.</param>
/// <param name="index">Index of the certificate being checked.</param>
/// <param name="criticalExtensions">Remaining unhandled critical extension OIDs; mutated by the checkers.</param>
/// <param name="pathCheckers">The checkers to run.</param>
/// <exception cref="PkixCertPathValidatorException">If a checker fails (re-thrown with path and index) or unsupported critical extensions remain.</exception>
internal static void PrepareNextCertO(
    PkixCertPath certPath,
    int index,
    ISet criticalExtensions,
    IList pathCheckers)
    //throws CertPathValidatorException
{
    X509Certificate current = (X509Certificate)certPath.Certificates[index];

    // (o)
    foreach (object entry in pathCheckers)
    {
        PkixCertPathChecker checker = (PkixCertPathChecker)entry;
        try
        {
            checker.Check(current, criticalExtensions);
        }
        catch (PkixCertPathValidatorException e)
        {
            // Re-throw with the position in the path attached; keep the original cause.
            throw new PkixCertPathValidatorException(e.Message, e.InnerException, certPath, index);
        }
    }

    if (!criticalExtensions.IsEmpty)
    {
        throw new PkixCertPathValidatorException("Certificate has unsupported critical extension.", null, certPath, index);
    }
}
/// <summary>
/// Step (m): if the certificate at <paramref name="index"/> carries a
/// BasicConstraints pathLenConstraint smaller than the current maximum, the maximum
/// is lowered to it.
/// </summary>
/// <param name="certPath">The path under validation.</param>
/// <param name="index">Index of the certificate being processed.</param>
/// <param name="maxPathLength">Current maximum path length.</param>
/// <returns>The (possibly reduced) maximum path length.</returns>
/// <exception cref="PkixCertPathValidatorException">If the BasicConstraints extension cannot be decoded.</exception>
internal static int PrepareNextCertM(
    PkixCertPath certPath,
    int index,
    int maxPathLength)
    //throws CertPathValidatorException
{
    X509Certificate current = (X509Certificate)certPath.Certificates[index];

    // (m)
    BasicConstraints basicConstraints;
    try
    {
        basicConstraints = BasicConstraints.GetInstance(
            PkixCertPathValidatorUtilities.GetExtensionValue(current, X509Extensions.BasicConstraints));
    }
    catch (Exception e)
    {
        throw new PkixCertPathValidatorException("Basic constraints extension cannot be decoded.", e, certPath, index);
    }

    if (basicConstraints == null)
        return maxPathLength;

    BigInteger constraint = basicConstraints.PathLenConstraint;
    if (constraint == null)
        return maxPathLength;

    // Only ever tighten the limit.
    int constraintValue = constraint.IntValue;
    return constraintValue < maxPathLength ? constraintValue : maxPathLength;
}
/// <summary>
/// Step (k): an intermediate certificate must carry a BasicConstraints extension
/// with the cA flag set; the certificate is rejected otherwise.
/// </summary>
/// <param name="certPath">The path under validation.</param>
/// <param name="index">Index of the intermediate certificate.</param>
/// <exception cref="PkixCertPathValidatorException">If BasicConstraints cannot be decoded, is absent, or does not mark a CA.</exception>
internal static void PrepareNextCertK(
    PkixCertPath certPath,
    int index)
    //throws CertPathValidatorException
{
    X509Certificate current = (X509Certificate)certPath.Certificates[index];

    // (k)
    BasicConstraints basicConstraints;
    try
    {
        basicConstraints = BasicConstraints.GetInstance(
            PkixCertPathValidatorUtilities.GetExtensionValue(current, X509Extensions.BasicConstraints));
    }
    catch (Exception e)
    {
        throw new PkixCertPathValidatorException("Basic constraints extension cannot be decoded.", e, certPath, index);
    }

    if (basicConstraints == null)
        throw new PkixCertPathValidatorException("Intermediate certificate lacks BasicConstraints");

    if (!basicConstraints.IsCA())
        throw new PkixCertPathValidatorException("Not a CA certificate");
}
/// <summary>
/// Step (g): folds the NameConstraints extension of the certificate at
/// <paramref name="index"/> into <paramref name="nameConstraintValidator"/> —
/// permitted subtrees are intersected with the current set and each excluded
/// subtree is added.
/// </summary>
/// <param name="certPath">The path under validation.</param>
/// <param name="index">Index of the certificate being processed.</param>
/// <param name="nameConstraintValidator">Accumulated name constraint state; mutated here.</param>
/// <exception cref="PkixCertPathValidatorException">If the extension or either subtree list cannot be decoded or applied.</exception>
internal static void PrepareNextCertG(
    PkixCertPath certPath,
    int index,
    PkixNameConstraintValidator nameConstraintValidator)
    //throws CertPathValidatorException
{
    X509Certificate current = (X509Certificate)certPath.Certificates[index];

    // (g) handle the name constraints extension
    NameConstraints nameConstraints = null;
    try
    {
        Asn1Sequence ncSequence = DerSequence.GetInstance(
            PkixCertPathValidatorUtilities.GetExtensionValue(current, X509Extensions.NameConstraints));
        if (ncSequence != null)
        {
            nameConstraints = new NameConstraints(ncSequence);
        }
    }
    catch (Exception e)
    {
        throw new PkixCertPathValidatorException(
            "Name constraints extension could not be decoded.", e, certPath, index);
    }

    if (nameConstraints == null)
        return;

    // (g) (1) permitted subtrees
    Asn1Sequence permitted = nameConstraints.PermittedSubtrees;
    if (permitted != null)
    {
        try
        {
            nameConstraintValidator.IntersectPermittedSubtree(permitted);
        }
        catch (Exception ex)
        {
            throw new PkixCertPathValidatorException(
                "Permitted subtrees cannot be build from name constraints extension.", ex, certPath, index);
        }
    }

    // (g) (2) excluded subtrees
    Asn1Sequence excluded = nameConstraints.ExcludedSubtrees;
    if (excluded != null)
    {
        try
        {
            foreach (object entry in excluded)
            {
                nameConstraintValidator.AddExcludedSubtree(GeneralSubtree.GetInstance(entry));
            }
        }
        catch (Exception ex)
        {
            throw new PkixCertPathValidatorException(
                "Excluded subtrees cannot be build from name constraints extension.", ex, certPath, index);
        }
    }
}
/// <summary>
/// Basic certificate processing step (a) for the certificate at
/// <paramref name="index"/>: (1) signature verification with the working public
/// key, (2) validity at the date derived from the validity model, (3) CRL checks
/// when revocation is enabled, and (4) issuer name chaining against the working
/// issuer name.
/// </summary>
/// <param name="certPath">The path under validation.</param>
/// <param name="paramsPKIX">PKIX parameters (validity model, revocation switch, stores).</param>
/// <param name="index">Index of the certificate being processed.</param>
/// <param name="workingPublicKey">Public key expected to have signed the certificate.</param>
/// <param name="workingIssuerName">Name the certificate's issuer must match.</param>
/// <param name="sign">The signing certificate, passed to the CRL check.</param>
/// <exception cref="PkixCertPathValidatorException">If any of the four sub-steps fails; path and index are attached.</exception>
internal static void ProcessCertA(
    PkixCertPath certPath,
    PkixParameters paramsPKIX,
    int index,
    AsymmetricKeyParameter workingPublicKey,
    X509Name workingIssuerName,
    X509Certificate sign)
{
    IList pathCerts = certPath.Certificates;
    X509Certificate current = (X509Certificate)pathCerts[index];

    // (a) (1) signature
    try
    {
        current.Verify(workingPublicKey);
    }
    catch (GeneralSecurityException e)
    {
        throw new PkixCertPathValidatorException("Could not validate certificate signature.", e, certPath, index);
    }

    // (a) (2) validity period
    try
    {
        DateTime checkDate = PkixCertPathValidatorUtilities
            .GetValidCertDateFromValidityModel(paramsPKIX, certPath, index);
        current.CheckValidity(checkDate);
    }
    catch (CertificateExpiredException e)
    {
        throw new PkixCertPathValidatorException("Could not validate certificate: " + e.Message, e, certPath, index);
    }
    catch (CertificateNotYetValidException e)
    {
        throw new PkixCertPathValidatorException("Could not validate certificate: " + e.Message, e, certPath, index);
    }
    catch (Exception e)
    {
        throw new PkixCertPathValidatorException("Could not validate time of certificate.", e, certPath, index);
    }

    // (a) (3) revocation; the date is re-derived here exactly as in (2)
    if (paramsPKIX.IsRevocationEnabled)
    {
        try
        {
            DateTime revocationDate = PkixCertPathValidatorUtilities
                .GetValidCertDateFromValidityModel(paramsPKIX, certPath, index);
            CheckCrls(paramsPKIX, current, revocationDate, sign, workingPublicKey, pathCerts);
        }
        catch (Exception e)
        {
            // Prefer the innermost cause when one is present.
            Exception cause = e.InnerException ?? e;
            throw new PkixCertPathValidatorException(e.Message, cause, certPath, index);
        }
    }

    // (a) (4) name chaining
    X509Name issuerName = PkixCertPathValidatorUtilities.GetIssuerPrincipal(current);
    if (!issuerName.Equivalent(workingIssuerName, true))
    {
        throw new PkixCertPathValidatorException("IssuerName(" + issuerName + ") does not match SubjectName(" + workingIssuerName + ") of signing certificate.", null, certPath, index);
    }
}
/// <summary>
/// End-to-end check of <see cref="PkixCertPathValidator"/>: first a valid two-certificate path
/// (final, intermediate) anchored on a root, with CRL checking enabled and a custom
/// <see cref="PkixCertPathChecker"/> that must be consulted once per certificate; then a path
/// that does not chain, which must be rejected on the signature check.
/// </summary>
public override void PerformTest()
{
    X509CertificateParser certParser = new X509CertificateParser();
    X509CrlParser crlParser = new X509CrlParser();

    // initialise CertStore
    X509Certificate rootCert = certParser.ReadCertificate(CertPathTest.rootCertBin);
    X509Certificate interCert = certParser.ReadCertificate(CertPathTest.interCertBin);
    X509Certificate finalCert = certParser.ReadCertificate(CertPathTest.finalCertBin);
    X509Crl rootCrl = crlParser.ReadCrl(CertPathTest.rootCrlBin);
    X509Crl interCrl = crlParser.ReadCrl(CertPathTest.interCrlBin);

    IList x509Certs = new ArrayList();
    x509Certs.Add(rootCert);
    x509Certs.Add(interCert);
    x509Certs.Add(finalCert);

    IList x509Crls = new ArrayList();
    x509Crls.Add(rootCrl);
    x509Crls.Add(interCrl);

    // CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list);
    // CertStore store = CertStore.GetInstance("Collection", ccsp);
    // X509CollectionStoreParameters ccsp = new X509CollectionStoreParameters(list);
    IX509Store x509CertStore = X509StoreFactory.Create(
        "Certificate/Collection",
        new X509CollectionStoreParameters(x509Certs));
    IX509Store x509CrlStore = X509StoreFactory.Create(
        "CRL/Collection",
        new X509CollectionStoreParameters(x509Crls));

    // NB: Month is 1-based in .NET
    //DateTime validDate = new DateTime(2008,9,4,14,49,10).ToUniversalTime();
    // Fixed reference instant (Kind unspecified) handed to the validator as "now", so the
    // fixture does not depend on the wall clock.
    DateTime validDate = new DateTime(2008, 9, 4, 5, 49, 10);

    //validating path
    IList certchain = new ArrayList();
    certchain.Add(finalCert);
    certchain.Add(interCert);

    // CertPath cp = CertificateFactory.GetInstance("X.509").GenerateCertPath(certchain);
    PkixCertPath cp = new PkixCertPath(certchain);
    ISet trust = new HashSet();
    trust.Add(new TrustAnchor(rootCert, null));

    // CertPathValidator cpv = CertPathValidator.GetInstance("PKIX");
    PkixCertPathValidator cpv = new PkixCertPathValidator();
    PkixParameters param = new PkixParameters(trust);
    param.AddStore(x509CertStore);
    param.AddStore(x509CrlStore);
    param.Date = new DateTimeObject(validDate);
    MyChecker checker = new MyChecker();
    param.AddCertPathChecker(checker);

    PkixCertPathValidatorResult result =
        (PkixCertPathValidatorResult) cpv.Validate(cp, param);
    PkixPolicyNode policyTree = result.PolicyTree;
    AsymmetricKeyParameter subjectPublicKey = result.SubjectPublicKey;

    // The checker must have been invoked once for each of the two certificates in the path.
    if (checker.GetCount() != 2)
    {
        Fail("checker not evaluated for each certificate");
    }

    // The result must carry the target (end-entity) key, not an issuer key.
    if (!subjectPublicKey.Equals(finalCert.GetPublicKey()))
    {
        Fail("wrong public key returned");
    }

    //
    // invalid path containing a valid one test
    //
    try
    {
        // initialise CertStore
        rootCert = certParser.ReadCertificate(AC_RAIZ_ICPBRASIL);
        interCert = certParser.ReadCertificate(AC_PR);
        finalCert = certParser.ReadCertificate(schefer);

        x509Certs = new ArrayList();
        x509Certs.Add(rootCert);
        x509Certs.Add(interCert);
        x509Certs.Add(finalCert);

        // ccsp = new CollectionCertStoreParameters(list);
        // store = CertStore.GetInstance("Collection", ccsp);
        // ccsp = new X509CollectionStoreParameters(list);
        x509CertStore = X509StoreFactory.Create(
            "Certificate/Collection",
            new X509CollectionStoreParameters(x509Certs));

        // NB: Month is 1-based in .NET
        validDate = new DateTime(2004,3,21,2,21,10).ToUniversalTime();

        //validating path
        certchain = new ArrayList();
        certchain.Add(finalCert);
        certchain.Add(interCert);

        // cp = CertificateFactory.GetInstance("X.509").GenerateCertPath(certchain);
        cp = new PkixCertPath(certchain);
        trust = new HashSet();
        trust.Add(new TrustAnchor(rootCert, null));

        // cpv = CertPathValidator.GetInstance("PKIX");
        cpv = new PkixCertPathValidator();
        param = new PkixParameters(trust);
        param.AddStore(x509CertStore);
        // Revocation is switched off so that the only failure this case can produce is the
        // signature mismatch being tested for.
        param.IsRevocationEnabled = false;
        param.Date = new DateTimeObject(validDate);

        result =(PkixCertPathValidatorResult) cpv.Validate(cp, param);
        policyTree = result.PolicyTree;
        subjectPublicKey = result.SubjectPublicKey;

        // Reaching this line means a path that should not chain was accepted.
        Fail("Invalid path validated");
    }
    catch (Exception e)
    {
        // Only a validator failure on the signature is the expected outcome; anything else
        // (presumably including the Fail above, if Fail signals by throwing) is reported.
        if (e is PkixCertPathValidatorException
            && e.Message.StartsWith("Could not validate certificate signature."))
        {
            return;
        }

        Fail("unexpected exception", e);
    }
}
/// <summary>
/// RFC 3280 6.1.4 (a): reject a PolicyMappings extension that maps from or to anyPolicy.
/// </summary>
/// <param name="certPath">The certification path being validated.</param>
/// <param name="index">Index of the certificate whose policy mappings are inspected.</param>
/// <exception cref="PkixCertPathValidatorException">If the extension or one of its mappings cannot be decoded, or either side of a mapping is anyPolicy.</exception>
internal static void PrepareNextCertA(
    PkixCertPath certPath,
    int index)
    //throws CertPathValidatorException
{
    X509Certificate cert = (X509Certificate)certPath.Certificates[index];

    //
    // (a) check the policy mappings
    //
    Asn1Sequence policyMappings;
    try
    {
        policyMappings = Asn1Sequence.GetInstance(
            PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.PolicyMappings));
    }
    catch (Exception ex)
    {
        throw new PkixCertPathValidatorException(
            "Policy mappings extension could not be decoded.", ex, certPath, index);
    }

    if (policyMappings == null)
    {
        return;
    }

    foreach (object entry in policyMappings)
    {
        DerObjectIdentifier issuerDomainPolicy;
        DerObjectIdentifier subjectDomainPolicy;
        try
        {
            Asn1Sequence mapping = DerSequence.GetInstance(entry);
            issuerDomainPolicy = DerObjectIdentifier.GetInstance(mapping[0]);
            subjectDomainPolicy = DerObjectIdentifier.GetInstance(mapping[1]);
        }
        catch (Exception e)
        {
            throw new PkixCertPathValidatorException(
                "Policy mappings extension contents could not be decoded.", e, certPath, index);
        }

        // anyPolicy is not allowed on either side of a mapping.
        if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(issuerDomainPolicy.Id))
        {
            throw new PkixCertPathValidatorException(
                "IssuerDomainPolicy is anyPolicy", null, certPath, index);
        }

        if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(subjectDomainPolicy.Id))
        {
            throw new PkixCertPathValidatorException(
                "SubjectDomainPolicy is anyPolicy,", null, certPath, index);
        }
    }
}
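/// <summary>
/// RFC 3280 6.1.3 (b) and (c): check the certificate's subject distinguished name, any
/// emailAddress attributes in that name, and every subjectAltName entry against the permitted
/// and excluded name subtrees accumulated from the issuing certificates.
/// </summary>
/// <param name="certPath">The certification path being validated.</param>
/// <param name="index">Index of the certificate in <paramref name="certPath"/>.</param>
/// <param name="nameConstraintValidator">Permitted/excluded subtree state built up so far.</param>
/// <exception cref="PkixCertPathValidatorException">If a name cannot be decoded or violates the constraints.</exception>
internal static void ProcessCertBC(
    PkixCertPath certPath,
    int index,
    PkixNameConstraintValidator nameConstraintValidator)
    //throws CertPathValidatorException
{
    IList certs = certPath.Certificates;
    X509Certificate cert = (X509Certificate)certs[index];
    int n = certs.Count;
    // i as defined in the algorithm description
    int i = n - index;

    //
    // (b), (c) permitted and excluded subtree checking.
    //
    // A self-issued certificate is exempt unless it is the final certificate in the path.
    if (PkixCertPathValidatorUtilities.IsSelfIssued(cert) && (i < n))
    {
        return;
    }

    X509Name principal = cert.SubjectDN;
    Asn1Sequence dns;
    // The subject DN is re-read as a raw sequence; the stream is released as soon as that is done.
    using (Asn1InputStream aIn = new Asn1InputStream(principal.GetEncoded()))
    {
        try
        {
            dns = DerSequence.GetInstance(aIn.ReadObject());
        }
        catch (Exception e)
        {
            throw new PkixCertPathValidatorException(
                "Exception extracting subject name when checking subtrees.", e, certPath, index);
        }
    }

    try
    {
        nameConstraintValidator.CheckPermittedDN(dns);
        nameConstraintValidator.CheckExcludedDN(dns);
    }
    catch (PkixNameConstraintValidatorException e)
    {
        throw new PkixCertPathValidatorException(
            "Subtree check for certificate subject failed.", e, certPath, index);
    }

    GeneralNames altName;
    try
    {
        altName = GeneralNames.GetInstance(
            PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.SubjectAlternativeName));
    }
    catch (Exception e)
    {
        throw new PkixCertPathValidatorException(
            "Subject alternative name extension could not be decoded.", e, certPath, index);
    }

    // emailAddress attributes inside the subject DN are constrained as rfc822Name entries.
    IList emails = X509Name.GetInstance(dns).GetValueList(X509Name.EmailAddress);
    foreach (string email in emails)
    {
        GeneralName emailAsGeneralName = new GeneralName(GeneralName.Rfc822Name, email);
        try
        {
            nameConstraintValidator.checkPermitted(emailAsGeneralName);
            nameConstraintValidator.checkExcluded(emailAsGeneralName);
        }
        catch (PkixNameConstraintValidatorException ex)
        {
            throw new PkixCertPathValidatorException(
                "Subtree check for certificate subject alternative email failed.", ex, certPath, index);
        }
    }

    if (altName == null)
    {
        return;
    }

    GeneralName[] genNames;
    try
    {
        genNames = altName.GetNames();
    }
    catch (Exception e)
    {
        throw new PkixCertPathValidatorException(
            "Subject alternative name contents could not be decoded.", e, certPath, index);
    }

    foreach (GeneralName genName in genNames)
    {
        try
        {
            nameConstraintValidator.checkPermitted(genName);
            nameConstraintValidator.checkExcluded(genName);
        }
        catch (PkixNameConstraintValidatorException e)
        {
            throw new PkixCertPathValidatorException(
                "Subtree check for certificate subject alternative name failed.", e, certPath, index);
        }
    }
}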
/// <summary>
/// RFC 3280 6.1.5 (f): run every additional path checker over the target certificate and then
/// reject the path if any critical extension is still unaccounted for.
/// </summary>
/// <param name="certPath">The certification path being validated.</param>
/// <param name="index">Index of the certificate in <paramref name="certPath"/> to hand to the checkers.</param>
/// <param name="pathCheckers">User-supplied <see cref="PkixCertPathChecker"/> instances.</param>
/// <param name="criticalExtensions">Critical extension OIDs not consumed by the algorithm; checkers remove the ones they handle.</param>
/// <exception cref="PkixCertPathValidatorException">If a checker fails or a critical extension remains unhandled.</exception>
internal static void WrapupCertF(
    PkixCertPath certPath,
    int index,
    IList pathCheckers,
    ISet criticalExtensions)
    //throws CertPathValidatorException
{
    X509Certificate cert = (X509Certificate)certPath.Certificates[index];

    foreach (PkixCertPathChecker checker in pathCheckers)
    {
        try
        {
            checker.Check(cert, criticalExtensions);
        }
        catch (PkixCertPathValidatorException e)
        {
            throw new PkixCertPathValidatorException("Additional certificate path checker failed.", e, certPath, index);
        }
    }

    // Whatever no checker claimed is an unrecognised critical extension: the path is rejected.
    if (!criticalExtensions.IsEmpty)
    {
        throw new PkixCertPathValidatorException("Certificate has unsupported critical extension", null, certPath, index);
    }
}
/// <summary>
/// Depth-first search for a certification path from <paramref name="tbvCert"/> (the "to be
/// verified" certificate) up to one of the configured trust anchors; each complete candidate is
/// validated with <see cref="PkixAttrCertPathValidator"/> before it is accepted.
/// </summary>
/// <param name="attrCert">Attribute certificate the path is being built for; forwarded unchanged into the recursion.</param>
/// <param name="tbvCert">Certificate to append to the path under construction.</param>
/// <param name="pkixParams">Trust anchors, excluded certificates, stores and maximum path length.</param>
/// <param name="tbvPath">Path built so far; extended with <paramref name="tbvCert"/> and restored again if this branch yields nothing.</param>
/// <returns>The first validated builder result found below this certificate, or null; the last failure is recorded in certPathException.</returns>
private PkixCertPathBuilderResult Build(
    IX509AttributeCertificate attrCert,
    X509Certificate tbvCert,
    PkixBuilderParameters pkixParams,
    IList tbvPath)
{
    // Stop on: a cycle in the issuer graph (certificate already on the path), an explicitly
    // excluded certificate, or a path that would exceed the configured maximum (-1 = unlimited).
    if (tbvPath.Contains(tbvCert)
        || pkixParams.GetExcludedCerts().Contains(tbvCert)
        || (pkixParams.MaxPathLength != -1 && tbvPath.Count - 1 > pkixParams.MaxPathLength))
    {
        return null;
    }

    tbvPath.Add(tbvCert);

    PkixCertPathBuilderResult found = null;
    PkixAttrCertPathValidator validator = new PkixAttrCertPathValidator();
    try
    {
        if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
        {
            // The issuer is a trust anchor: the path is complete, validate it as a whole.
            PkixCertPath candidate = new PkixCertPath(tbvPath);
            PkixCertPathValidatorResult validated;
            try
            {
                validated = validator.Validate(candidate, pkixParams);
            }
            catch (Exception e)
            {
                throw new Exception("Certification path could not be validated.", e);
            }

            // tbvCert stays on tbvPath here; the returned result carries the finished path.
            return new PkixCertPathBuilderResult(candidate, validated.TrustAnchor, validated.PolicyTree, validated.SubjectPublicKey);
        }

        // Not anchored yet: first pull in any stores the certificate itself points at ...
        try
        {
            PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams);
        }
        catch (CertificateParsingException e)
        {
            throw new Exception("No additional X.509 stores can be added from certificate locations.", e);
        }

        // ... then collect candidate issuers from all stores.
        ISet issuers = new HashSet();
        try
        {
            issuers.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
        }
        catch (Exception e)
        {
            throw new Exception("Cannot find issuer certificate for certificate in certification path.", e);
        }

        if (issuers.IsEmpty)
        {
            throw new Exception("No issuer certificate for certificate in certification path found.");
        }

        foreach (X509Certificate issuer in issuers)
        {
            // A self-issued issuer that is not a trust anchor is skipped (it cannot close the path).
            if (!PkixCertPathValidatorUtilities.IsSelfIssued(issuer))
            {
                found = Build(attrCert, issuer, pkixParams, tbvPath);
                if (found != null)
                {
                    break;
                }
            }
        }
    }
    catch (Exception e)
    {
        // The failure is remembered for the caller; the search continues through the return value.
        certPathException = new Exception("No valid certification path could be build.", e);
    }

    if (found == null)
    {
        tbvPath.Remove(tbvCert);
    }

    return found;
}
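/// <summary>
/// Chooses the reference time at which the certificate at <paramref name="index"/> is checked.
/// Under any model other than <see cref="PkixParameters.ChainValidityModel"/>, and for the
/// end-entity certificate itself, the parameters' date is used; under the chain model an issuing
/// certificate is checked at the time the certificate it issued was created.
/// </summary>
/// <param name="paramsPkix">Validation parameters; supply the validity model and the reference date.</param>
/// <param name="certPath">Certification path; only dereferenced when <paramref name="index"/> is positive.</param>
/// <param name="index">Index of the certificate being checked (0 is the end entity).</param>
/// <returns>The reference time for the certificate at <paramref name="index"/>.</returns>
/// <exception cref="Exception">If the date-of-cert-gen extension on the end-entity certificate cannot be read or parsed.</exception>
internal static DateTime GetValidCertDateFromValidityModel(PkixParameters paramsPkix, PkixCertPath certPath, int index)
{
    // The named constant replaces the literal 1 so this stays in step with the ValidityModel setter.
    if (paramsPkix.ValidityModel != PkixParameters.ChainValidityModel || index <= 0)
    {
        return PkixCertPathValidatorUtilities.GetValidDate(paramsPkix);
    }

    // Chain model: the certificate this one issued (index - 1) determines the reference time.
    if (index - 1 == 0)
    {
        // For the end-entity certificate an explicit ISIS-MTT date-of-cert-gen extension takes
        // precedence over its notBefore.
        DerGeneralizedTime dateOfCertGen;
        try
        {
            X509Certificate issued = (X509Certificate)certPath.Certificates[index - 1];
            Asn1OctetString extensionValue = issued.GetExtensionValue(IsisMttObjectIdentifiers.IdIsisMttATDateOfCertGen);
            dateOfCertGen = DerGeneralizedTime.GetInstance(extensionValue);
        }
        catch (ArgumentException)
        {
            throw new Exception("Date of cert gen extension could not be read.");
        }

        if (dateOfCertGen != null)
        {
            try
            {
                return dateOfCertGen.ToDateTime();
            }
            catch (ArgumentException innerException)
            {
                throw new Exception("Date from date of cert gen extension could not be parsed.", innerException);
            }
        }
    }

    return ((X509Certificate)certPath.Certificates[index - 1]).NotBefore;
}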
/// <summary>
/// RFC 3280 section 6.1 certification path validation. Certificates in <paramref name="certPath"/>
/// are ordered target first, so processing runs from the last element (the one issued directly by
/// the trust anchor) down to index 0, carrying the working public key, working issuer name, name
/// constraints and policy state from each certificate to the next.
/// </summary>
/// <param name="certPath">Certification path with the target certificate at index 0; the trust anchor itself is not part of it.</param>
/// <param name="paramsPkix">Trust anchors, initial policies, policy switches, target constraints and path checkers.</param>
/// <returns>The trust anchor used, the resulting policy tree and the target's public key.</returns>
/// <exception cref="ArgumentException">If <paramref name="paramsPkix"/> carries no trust anchor set.</exception>
/// <exception cref="PkixCertPathValidatorException">If the path is empty, no trust anchor matches, or any per-certificate or wrap-up check fails.</exception>
public virtual PkixCertPathValidatorResult Validate(
    PkixCertPath certPath,
    PkixParameters paramsPkix)
{
    if (paramsPkix.GetTrustAnchors() == null)
    {
        throw new ArgumentException(
            "trustAnchors is null, this is not allowed for certification path validation.",
            "parameters");
    }

    //
    // 6.1.1 - inputs
    //

    //
    // (a)
    //
    IList certs = certPath.Certificates;
    int n = certs.Count;

    if (certs.Count == 0)
    {
        throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);
    }

    //
    // (b)
    //
    // DateTime validDate = PkixCertPathValidatorUtilities.GetValidDate(paramsPkix);

    //
    // (c)
    //
    ISet userInitialPolicySet = paramsPkix.GetInitialPolicies();

    //
    // (d)
    //
    // The anchor is looked up for the last certificate in the path (the one closest to it).
    TrustAnchor trust;
    try
    {
        trust = PkixCertPathValidatorUtilities.FindTrustAnchor(
            (X509Certificate)certs[certs.Count - 1],
            paramsPkix.GetTrustAnchors());
    }
    catch (Exception e)
    {
        throw new PkixCertPathValidatorException(e.Message, e, certPath, certs.Count - 1);
    }

    if (trust == null)
    {
        throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
    }

    //
    // (e), (f), (g) are part of the paramsPkix object.
    //
    IEnumerator certIter;
    int index = 0;
    int i;
    // Certificate for each iteration of the validation loop
    // Signature information for each iteration of the validation loop

    //
    // 6.1.2 - setup
    //

    //
    // (a)
    //
    // policyNodes[d] holds the policy-tree nodes at depth d; depth 0 is the anyPolicy root.
    IList[] policyNodes = new IList[n + 1];
    for (int j = 0; j < policyNodes.Length; j++)
    {
        policyNodes[j] = Platform.CreateArrayList();
    }

    ISet policySet = new HashSet();
    policySet.Add(Rfc3280CertPathUtilities.ANY_POLICY);
    PkixPolicyNode validPolicyTree = new PkixPolicyNode(Platform.CreateArrayList(), 0, policySet, null, new HashSet(),
        Rfc3280CertPathUtilities.ANY_POLICY, false);
    policyNodes[0].Add(validPolicyTree);

    //
    // (b) and (c)
    //
    PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();

    // (d)
    //
    // Skip counters: 0 means the constraint is in force immediately, n + 1 means it can never
    // come into force within this path.
    int explicitPolicy;
    ISet acceptablePolicies = new HashSet();

    if (paramsPkix.IsExplicitPolicyRequired)
    {
        explicitPolicy = 0;
    }
    else
    {
        explicitPolicy = n + 1;
    }

    //
    // (e)
    //
    int inhibitAnyPolicy;
    if (paramsPkix.IsAnyPolicyInhibited)
    {
        inhibitAnyPolicy = 0;
    }
    else
    {
        inhibitAnyPolicy = n + 1;
    }

    //
    // (f)
    //
    int policyMapping;
    if (paramsPkix.IsPolicyMappingInhibited)
    {
        policyMapping = 0;
    }
    else
    {
        policyMapping = n + 1;
    }

    //
    // (g), (h), (i), (j)
    //
    // Initial working state comes from the trust anchor: its certificate if it has one,
    // otherwise a bare CA name / public key pair.
    AsymmetricKeyParameter workingPublicKey;
    X509Name workingIssuerName;

    X509Certificate sign = trust.TrustedCert;
    try
    {
        if (sign != null)
        {
            workingIssuerName = sign.SubjectDN;
            workingPublicKey = sign.GetPublicKey();
        }
        else
        {
            workingIssuerName = new X509Name(trust.CAName);
            workingPublicKey = trust.CAPublicKey;
        }
    }
    catch (ArgumentException ex)
    {
        throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath, -1);
    }

    //AlgorithmIdentifier workingAlgId = null;
    // The identifier itself is unused; the call only fails early on an unsupported anchor key type.
    try
    {
        /*workingAlgId = */ PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
    }
    catch (PkixCertPathValidatorException e)
    {
        throw new PkixCertPathValidatorException(
            "Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1);
    }

    // DerObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.ObjectID;
    // Asn1Encodable workingPublicKeyParameters = workingAlgId.Parameters;

    //
    // (k)
    //
    int maxPathLength = n;

    //
    // 6.1.3
    //
    X509CertStoreSelector certConstraints = paramsPkix.GetTargetCertConstraints();
    if (certConstraints != null && !certConstraints.Match((X509Certificate)certs[0]))
    {
        throw new PkixCertPathValidatorException(
            "Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
    }

    //
    // initialize CertPathChecker's
    //
    IList pathCheckers = paramsPkix.GetCertPathCheckers();
    certIter = pathCheckers.GetEnumerator();
    while (certIter.MoveNext())
    {
        ((PkixCertPathChecker)certIter.Current).Init(false);
    }

    X509Certificate cert = null;

    // Walk from the certificate nearest the trust anchor towards the target.
    for (index = certs.Count - 1; index >= 0; index--)
    {
        // try
        // {
        //
        // i as defined in the algorithm description
        //
        i = n - index;

        //
        // set certificate to be checked in this round
        // sign and workingPublicKey and workingIssuerName are set
        // at the end of the for loop and initialized the
        // first time from the TrustAnchor
        //
        cert = (X509Certificate)certs[index];

        //
        // 6.1.3
        //
        Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, index, workingPublicKey, workingIssuerName, sign);
        Rfc3280CertPathUtilities.ProcessCertBC(certPath, index, nameConstraintValidator);
        validPolicyTree = Rfc3280CertPathUtilities.ProcessCertD(certPath, index, acceptablePolicies, validPolicyTree, policyNodes, inhibitAnyPolicy);
        validPolicyTree = Rfc3280CertPathUtilities.ProcessCertE(certPath, index, validPolicyTree);
        Rfc3280CertPathUtilities.ProcessCertF(certPath, index, validPolicyTree, explicitPolicy);

        //
        // 6.1.4
        //
        // Every certificate except the last one processed (the target) must qualify as a CA
        // for the certificate that follows it.
        if (i != n)
        {
            if (cert != null && cert.Version == 1)
            {
                throw new PkixCertPathValidatorException(
                    "Version 1 certificates can't be used as CA ones.", null, certPath, index);
            }

            Rfc3280CertPathUtilities.PrepareNextCertA(certPath, index);
            validPolicyTree = Rfc3280CertPathUtilities.PrepareCertB(certPath, index, policyNodes, validPolicyTree, policyMapping);
            Rfc3280CertPathUtilities.PrepareNextCertG(certPath, index, nameConstraintValidator);

            // (h)
            explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, index, explicitPolicy);
            policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, index, policyMapping);
            inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, index, inhibitAnyPolicy);

            //
            // (i)
            //
            explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, index, explicitPolicy);
            policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, index, policyMapping);

            // (j)
            inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, index, inhibitAnyPolicy);

            // (k)
            Rfc3280CertPathUtilities.PrepareNextCertK(certPath, index);

            // (l)
            maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, index, maxPathLength);

            // (m)
            maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, index, maxPathLength);

            // (n)
            Rfc3280CertPathUtilities.PrepareNextCertN(certPath, index);

            ISet criticalExtensions1 = cert.GetCriticalExtensionOids();

            if (criticalExtensions1 != null)
            {
                criticalExtensions1 = new HashSet(criticalExtensions1);

                // these extensions are handled by the algorithm
                criticalExtensions1.Remove(X509Extensions.KeyUsage.Id);
                criticalExtensions1.Remove(X509Extensions.CertificatePolicies.Id);
                criticalExtensions1.Remove(X509Extensions.PolicyMappings.Id);
                criticalExtensions1.Remove(X509Extensions.InhibitAnyPolicy.Id);
                criticalExtensions1.Remove(X509Extensions.IssuingDistributionPoint.Id);
                criticalExtensions1.Remove(X509Extensions.DeltaCrlIndicator.Id);
                criticalExtensions1.Remove(X509Extensions.PolicyConstraints.Id);
                criticalExtensions1.Remove(X509Extensions.BasicConstraints.Id);
                criticalExtensions1.Remove(X509Extensions.SubjectAlternativeName.Id);
                criticalExtensions1.Remove(X509Extensions.NameConstraints.Id);
                // NOTE(review): unlike the wrap-up list further down, CrlDistributionPoints is not
                // removed here, so a CA certificate marking it critical is left for (o) / the path
                // checkers to accept or reject — confirm this asymmetry is intended.
            }
            else
            {
                criticalExtensions1 = new HashSet();
            }

            // (o)
            Rfc3280CertPathUtilities.PrepareNextCertO(certPath, index, criticalExtensions1, pathCheckers);

            // set signing certificate for next round
            sign = cert;

            // (c)
            workingIssuerName = sign.SubjectDN;

            // (d)
            try
            {
                workingPublicKey = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, index);
            }
            catch (PkixCertPathValidatorException e)
            {
                throw new PkixCertPathValidatorException("Next working key could not be retrieved.", e, certPath, index);
            }

            /*workingAlgId = */ PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
            // (f)
            // workingPublicKeyAlgorithm = workingAlgId.ObjectID;
            // (e)
            // workingPublicKeyParameters = workingAlgId.Parameters;
        }
    }

    //
    // 6.1.5 Wrap-up procedure
    //
    // The loop leaves index at -1, so index + 1 addresses the target certificate (cert).
    explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, cert);
    explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, index + 1, explicitPolicy);

    //
    // (c) (d) and (e) are already done
    //

    //
    // (f)
    //
    ISet criticalExtensions = cert.GetCriticalExtensionOids();

    if (criticalExtensions != null)
    {
        criticalExtensions = new HashSet(criticalExtensions);
        // Requires .Id
        // these extensions are handled by the algorithm
        criticalExtensions.Remove(X509Extensions.KeyUsage.Id);
        criticalExtensions.Remove(X509Extensions.CertificatePolicies.Id);
        criticalExtensions.Remove(X509Extensions.PolicyMappings.Id);
        criticalExtensions.Remove(X509Extensions.InhibitAnyPolicy.Id);
        criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id);
        criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id);
        criticalExtensions.Remove(X509Extensions.PolicyConstraints.Id);
        criticalExtensions.Remove(X509Extensions.BasicConstraints.Id);
        criticalExtensions.Remove(X509Extensions.SubjectAlternativeName.Id);
        criticalExtensions.Remove(X509Extensions.NameConstraints.Id);
        criticalExtensions.Remove(X509Extensions.CrlDistributionPoints.Id);
    }
    else
    {
        criticalExtensions = new HashSet();
    }

    Rfc3280CertPathUtilities.WrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions);

    PkixPolicyNode intersection = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, userInitialPolicySet,
        index + 1, policyNodes, validPolicyTree, acceptablePolicies);

    // Success needs either that explicit policy was never demanded, or a non-empty policy intersection.
    if ((explicitPolicy > 0) || (intersection != null))
    {
        return(new PkixCertPathValidatorResult(trust, intersection, cert.GetPublicKey()));
    }

    throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, index);
}
/// <summary>
/// RFC 3280 6.1.4 (b): apply the certificate's PolicyMappings extension to the valid policy tree.
/// While policy mapping is still permitted (policyMapping above zero) each issuer-domain policy
/// ID-P either has its depth-i node's expected policies replaced by the mapped subject-domain
/// policies, or — when no ID-P node exists but an anyPolicy node does, and that node's parent is
/// also anyPolicy — gets a fresh ID-P node created under that parent. Once mapping is inhibited,
/// every depth-i ID-P node is deleted and childless ancestors are pruned.
/// </summary>
/// <param name="certPath">The certification path being validated.</param>
/// <param name="index">Index of the certificate in <paramref name="certPath"/>.</param>
/// <param name="policyNodes">Policy-tree nodes grouped by depth; depth i receives any node created here.</param>
/// <param name="validPolicyTree">Root of the current valid policy tree (may be null).</param>
/// <param name="policyMapping">Remaining policy_mapping skip count.</param>
/// <returns>The root of the valid policy tree after mapping, possibly pruned to null.</returns>
/// <exception cref="PkixCertPathValidatorException">If the policy mappings, certificate policies or policy qualifiers cannot be decoded.</exception>
internal static PkixPolicyNode PrepareCertB(
    PkixCertPath certPath,
    int index,
    IList[] policyNodes,
    PkixPolicyNode validPolicyTree,
    int policyMapping)
    //throws CertPathValidatorException
{
    IList certs = certPath.Certificates;
    X509Certificate cert = (X509Certificate)certs[index];
    int n = certs.Count;
    // i as defined in the algorithm description
    int i = n - index;

    // (b)
    //
    Asn1Sequence pm = null;
    try
    {
        pm = (Asn1Sequence)Asn1Sequence.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.PolicyMappings));
    }
    catch (Exception ex)
    {
        throw new PkixCertPathValidatorException(
            "Policy mappings extension could not be decoded.", ex, certPath, index);
    }
    PkixPolicyNode _validPolicyTree = validPolicyTree;
    if (pm != null)
    {
        Asn1Sequence mappings = (Asn1Sequence)pm;
        // m_idp: issuerDomainPolicy -> set of subjectDomainPolicy; s_idp records the keys in first-seen order.
        IDictionary m_idp = Platform.CreateHashtable();
        ISet s_idp = new HashSet();

        for (int j = 0; j < mappings.Count; j++)
        {
            // NOTE(review): these casts are unchecked, so a malformed mapping would surface as an
            // InvalidCastException rather than a PkixCertPathValidatorException; PrepareNextCertA
            // decodes the same extension beforehand and presumably catches that case — confirm.
            Asn1Sequence mapping = (Asn1Sequence) mappings[j];
            string id_p = ((DerObjectIdentifier) mapping[0]).Id;
            string sd_p = ((DerObjectIdentifier) mapping[1]).Id;
            ISet tmp;
            if (!m_idp.Contains(id_p))
            {
                tmp = new HashSet();
                tmp.Add(sd_p);
                m_idp[id_p] = tmp;
                s_idp.Add(id_p);
            }
            else
            {
                tmp = (ISet)m_idp[id_p];
                tmp.Add(sd_p);
            }
        }

        IEnumerator it_idp = s_idp.GetEnumerator();
        while (it_idp.MoveNext())
        {
            string id_p = (string)it_idp.Current;

            //
            // (1)
            //
            if (policyMapping > 0)
            {
                // The first depth-i node whose valid policy is ID-P takes the mapped set as its expected policies.
                bool idp_found = false;
                IEnumerator nodes_i = policyNodes[i].GetEnumerator();
                while (nodes_i.MoveNext())
                {
                    PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current;
                    if (node.ValidPolicy.Equals(id_p))
                    {
                        idp_found = true;
                        node.ExpectedPolicies = (ISet)m_idp[id_p];
                        break;
                    }
                }

                if (!idp_found)
                {
                    // No ID-P node: look for an anyPolicy node at depth i and, if its parent is
                    // also anyPolicy, hang a new ID-P node under that parent carrying the
                    // qualifiers of this certificate's own anyPolicy entry.
                    nodes_i = policyNodes[i].GetEnumerator();
                    while (nodes_i.MoveNext())
                    {
                        PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current;
                        if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(node.ValidPolicy))
                        {
                            ISet pq = null;
                            Asn1Sequence policies = null;
                            try
                            {
                                policies = (Asn1Sequence)PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.CertificatePolicies);
                            }
                            catch (Exception e)
                            {
                                throw new PkixCertPathValidatorException(
                                    "Certificate policies extension could not be decoded.", e, certPath, index);
                            }

                            // NOTE(review): policies is enumerated without a null check; this relies on an
                            // anyPolicy node at depth i existing only when this certificate actually carries
                            // a CertificatePolicies extension — confirm.
                            foreach (Asn1Encodable ae in policies)
                            {
                                PolicyInformation pinfo = null;
                                try
                                {
                                    pinfo = PolicyInformation.GetInstance(ae.ToAsn1Object());
                                }
                                catch (Exception ex)
                                {
                                    throw new PkixCertPathValidatorException(
                                        "Policy information could not be decoded.", ex, certPath, index);
                                }

                                if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(pinfo.PolicyIdentifier.Id))
                                {
                                    try
                                    {
                                        pq = PkixCertPathValidatorUtilities
                                            .GetQualifierSet(pinfo.PolicyQualifiers);
                                    }
                                    catch (PkixCertPathValidatorException ex)
                                    {
                                        throw new PkixCertPathValidatorException(
                                            "Policy qualifier info set could not be decoded.", ex, certPath, index);
                                    }
                                    break;
                                }
                            }

                            // The new node records whether CertificatePolicies was marked critical.
                            bool ci = false;
                            ISet critExtOids = cert.GetCriticalExtensionOids();
                            if (critExtOids != null)
                            {
                                ci = critExtOids.Contains(X509Extensions.CertificatePolicies.Id);
                            }

                            PkixPolicyNode p_node = (PkixPolicyNode)node.Parent;
                            if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(p_node.ValidPolicy))
                            {
                                PkixPolicyNode c_node = new PkixPolicyNode(Platform.CreateArrayList(), i, (ISet)m_idp[id_p], p_node, pq, id_p, ci);
                                p_node.AddChild(c_node);
                                policyNodes[i].Add(c_node);
                            }
                            break;
                        }
                    }
                }

                //
                // (2)
                //
            }
            else if (policyMapping <= 0)
            {
                // Mapping inhibited: delete every depth-i node for ID-P, then prune ancestors left
                // without children (RemovePolicyNode may collapse the whole tree to null; the
                // break below exits only the inner loop).
                foreach (PkixPolicyNode node in Platform.CreateArrayList(policyNodes[i]))
                {
                    if (node.ValidPolicy.Equals(id_p))
                    {
                        // NOTE(review): the node is detached from its parent but not removed from
                        // policyNodes[i] here — confirm nothing downstream needs the two in sync.
                        node.Parent.RemoveChild(node);
                        for (int k = i - 1; k >= 0; k--)
                        {
                            foreach (PkixPolicyNode node2 in Platform.CreateArrayList(policyNodes[k]))
                            {
                                if (!node2.HasChildren)
                                {
                                    _validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(
                                        _validPolicyTree, policyNodes, node2);
                                    if (_validPolicyTree == null)
                                        break;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    return _validPolicyTree;
}
/// <summary>
/// RFC 3280 6.1.3 (f): once explicit policy is in force, an empty valid policy tree is fatal.
/// </summary>
/// <param name="certPath">The certification path being validated.</param>
/// <param name="index">Index of the certificate being processed.</param>
/// <param name="validPolicyTree">Current valid policy tree; null means no policy survived.</param>
/// <param name="explicitPolicy">Remaining explicit_policy skip count; zero or below means explicit policy is required.</param>
/// <exception cref="PkixCertPathValidatorException">If explicit policy is required and the tree is null.</exception>
internal static void ProcessCertF(
    PkixCertPath certPath,
    int index,
    PkixPolicyNode validPolicyTree,
    int explicitPolicy)
{
    //
    // (f)
    //
    bool explicitPolicyRequired = explicitPolicy <= 0;
    if (!explicitPolicyRequired || validPolicyTree != null)
    {
        return;
    }

    throw new PkixCertPathValidatorException(
        "No valid policy tree found when one expected.", null, certPath, index);
}
/// <summary>
/// Chooses the reference time at which the certificate at <paramref name="index"/> is checked.
/// Outside the chain validity model, and for the end-entity certificate itself, the
/// caller-supplied signing/encryption/... time applies; under the chain model an issuing
/// certificate is checked at the time the certificate it issued was created.
/// </summary>
/// <param name="paramsPkix">Validation parameters; supply the validity model and the reference date.</param>
/// <param name="certPath">Certification path; only dereferenced when <paramref name="index"/> is positive.</param>
/// <param name="index">Index of the certificate being checked (0 is the end entity).</param>
/// <returns>The reference time for the certificate at <paramref name="index"/>.</returns>
/// <exception cref="Exception">If the date-of-cert-gen extension on the end-entity certificate cannot be read or parsed.</exception>
internal static DateTime GetValidCertDateFromValidityModel(
    PkixParameters paramsPkix,
    PkixCertPath certPath,
    int index)
{
    bool chainModel = paramsPkix.ValidityModel == PkixParameters.ChainValidityModel;
    if (!chainModel || index <= 0)
    {
        return PkixCertPathValidatorUtilities.GetValidDate(paramsPkix);
    }

    // Chain model: the certificate this one issued (index - 1) determines the reference time.
    if (index - 1 == 0)
    {
        // For the end-entity certificate an explicit ISIS-MTT date-of-cert-gen extension wins over notBefore.
        DerGeneralizedTime dateOfCertGen;
        try
        {
            X509Certificate endEntity = (X509Certificate)certPath.Certificates[index - 1];
            dateOfCertGen = DerGeneralizedTime.GetInstance(
                endEntity.GetExtensionValue(IsisMttObjectIdentifiers.IdIsisMttATDateOfCertGen));
        }
        catch (ArgumentException)
        {
            throw new Exception(
                "Date of cert gen extension could not be read.");
        }

        if (dateOfCertGen != null)
        {
            try
            {
                return dateOfCertGen.ToDateTime();
            }
            catch (ArgumentException e)
            {
                throw new Exception(
                    "Date from date of cert gen extension could not be parsed.", e);
            }
        }
    }

    return ((X509Certificate)certPath.Certificates[index - 1]).NotBefore;
}
/// <summary>
/// RFC 3280 6.1.4 (i), inhibitPolicyMapping: if the PolicyConstraints extension carries a
/// [1] inhibitPolicyMapping skip count lower than the current one, adopt it.
/// </summary>
/// <param name="certPath">The certification path being validated.</param>
/// <param name="index">Index of the certificate whose PolicyConstraints are inspected.</param>
/// <param name="policyMapping">Current policy_mapping skip count.</param>
/// <returns>The (possibly lowered) policy_mapping skip count; it never increases.</returns>
/// <exception cref="PkixCertPathValidatorException">If the extension or one of its entries cannot be decoded.</exception>
internal static int PrepareNextCertI2(
    PkixCertPath certPath,
    int index,
    int policyMapping)
    //throws CertPathValidatorException
{
    X509Certificate cert = (X509Certificate)certPath.Certificates[index];

    //
    // (i)
    //
    Asn1Sequence policyConstraints;
    try
    {
        policyConstraints = DerSequence.GetInstance(
            PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.PolicyConstraints));
    }
    catch (Exception e)
    {
        throw new PkixCertPathValidatorException(
            "Policy constraints extension cannot be decoded.", e, certPath, index);
    }

    if (policyConstraints == null)
    {
        return policyMapping;
    }

    foreach (object element in policyConstraints)
    {
        try
        {
            Asn1TaggedObject constraint = Asn1TaggedObject.GetInstance(element);
            if (constraint.TagNo != 1)
            {
                continue;
            }

            // Only the first [1] entry is considered. IntValue appears to keep the low 32 bits,
            // so an oversized skipCerts collapses to a small or negative count, which can only
            // tighten the constraint.
            int skipCerts = DerInteger.GetInstance(constraint, false).Value.IntValue;
            return skipCerts < policyMapping ? skipCerts : policyMapping;
        }
        catch (ArgumentException e)
        {
            throw new PkixCertPathValidatorException(
                "Policy constraints extension contents cannot be decoded.", e, certPath, index);
        }
    }

    return policyMapping;
}
/// <summary>
/// Recursive path search from <paramref name="tbvCert"/> towards a trust anchor; every complete
/// candidate path is validated with <see cref="PkixAttrCertPathValidator"/> before being returned.
/// </summary>
/// <param name="attrCert">Attribute certificate the path is built for; forwarded unchanged into the recursion.</param>
/// <param name="tbvCert">Certificate to append to the path being built.</param>
/// <param name="pkixParams">Trust anchors, excluded certificates, stores and maximum path length.</param>
/// <param name="tbvPath">Path built so far; extended with <paramref name="tbvCert"/> and restored if this branch yields nothing.</param>
/// <returns>The first builder result found below this certificate, or null; the last failure is kept in certPathException.</returns>
private PkixCertPathBuilderResult Build(IX509AttributeCertificate attrCert, X509Certificate tbvCert, PkixBuilderParameters pkixParams, global::System.Collections.IList tbvPath)
{
    // A certificate already on the path means the issuer graph has a cycle.
    if (tbvPath.Contains(tbvCert))
    {
        return null;
    }

    // Explicitly excluded certificates never appear in a chain.
    if (pkixParams.GetExcludedCerts().Contains(tbvCert))
    {
        return null;
    }

    // Path length cap; -1 disables it.
    if (pkixParams.MaxPathLength != -1)
    {
        if (tbvPath.Count - 1 > pkixParams.MaxPathLength)
        {
            return null;
        }
    }

    tbvPath.Add(tbvCert);

    PkixCertPathBuilderResult builderResult = null;
    PkixAttrCertPathValidator validator = new PkixAttrCertPathValidator();
    try
    {
        if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
        {
            // Anchored: validate the whole candidate path.
            PkixCertPath certPath = new PkixCertPath(tbvPath);
            PkixCertPathValidatorResult result;
            try
            {
                result = validator.Validate(certPath, pkixParams);
            }
            catch (global::System.Exception e)
            {
                throw new global::System.Exception("Certification path could not be validated.", e);
            }

            return new PkixCertPathBuilderResult(certPath, result.TrustAnchor, result.PolicyTree, result.SubjectPublicKey);
        }
        else
        {
            // Pull in any stores the certificate itself points at, then look for issuers.
            try
            {
                PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams);
            }
            catch (CertificateParsingException e)
            {
                throw new global::System.Exception("No additional X.509 stores can be added from certificate locations.", e);
            }

            ISet issuers = new HashSet();
            try
            {
                issuers.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
            }
            catch (global::System.Exception e)
            {
                throw new global::System.Exception("Cannot find issuer certificate for certificate in certification path.", e);
            }

            if (issuers.IsEmpty)
            {
                throw new global::System.Exception("No issuer certificate for certificate in certification path found.");
            }

            // foreach disposes the enumerator when it is IDisposable.
            foreach (X509Certificate issuer in issuers)
            {
                // Self-issued issuers that are not trust anchors are skipped.
                if (PkixCertPathValidatorUtilities.IsSelfIssued(issuer))
                {
                    continue;
                }

                builderResult = Build(attrCert, issuer, pkixParams, tbvPath);
                if (builderResult != null)
                {
                    break;
                }
            }
        }
    }
    catch (global::System.Exception e)
    {
        // Remembered for the caller; the search itself reports through the return value.
        certPathException = new global::System.Exception("No valid certification path could be build.", e);
    }

    if (builderResult == null)
    {
        tbvPath.Remove(tbvCert);
    }

    return builderResult;
}
/// <summary>
/// RFC 3280 6.1.4 (j): if the certificate carries an InhibitAnyPolicy extension with a skip
/// count lower than the current one, adopt it.
/// </summary>
/// <param name="certPath">The certification path being validated.</param>
/// <param name="index">Index of the certificate whose InhibitAnyPolicy extension is inspected.</param>
/// <param name="inhibitAnyPolicy">Current inhibit_any-policy skip count.</param>
/// <returns>The (possibly lowered) inhibit_any-policy skip count; it never increases.</returns>
/// <exception cref="PkixCertPathValidatorException">If the extension cannot be decoded.</exception>
internal static int PrepareNextCertJ(
    PkixCertPath certPath,
    int index,
    int inhibitAnyPolicy)
    //throws CertPathValidatorException
{
    X509Certificate cert = (X509Certificate)certPath.Certificates[index];

    //
    // (j)
    //
    DerInteger inhibitAnyPolicyExt;
    try
    {
        inhibitAnyPolicyExt = DerInteger.GetInstance(
            PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.InhibitAnyPolicy));
    }
    catch (Exception e)
    {
        throw new PkixCertPathValidatorException(
            "Inhibit any-policy extension cannot be decoded.", e, certPath, index);
    }

    if (inhibitAnyPolicyExt == null)
    {
        return inhibitAnyPolicy;
    }

    int skipCerts = inhibitAnyPolicyExt.Value.IntValue;
    return skipCerts < inhibitAnyPolicy ? skipCerts : inhibitAnyPolicy;
}
/// <summary>
/// RFC 3281 processing step 2: validate the certification path of the attribute certificate's
/// issuer with the ordinary PKIX validator.
/// </summary>
/// <param name="certPath">Certification path of the attribute certificate issuer's public key certificate.</param>
/// <param name="pkixParams">PKIX validation parameters.</param>
/// <returns>The validator's result for <paramref name="certPath"/>.</returns>
/// <exception cref="PkixCertPathValidatorException">Wrapping the underlying failure when the path does not validate.</exception>
internal static PkixCertPathValidatorResult ProcessAttrCert2(
    PkixCertPath certPath,
    PkixParameters pkixParams)
{
    try
    {
        return new PkixCertPathValidator().Validate(certPath, pkixParams);
    }
    catch (PkixCertPathValidatorException e)
    {
        throw new PkixCertPathValidatorException(
            "Certification path for issuer certificate of attribute certificate could not be validated.", e);
    }
}
/// <summary>
/// RFC 3280 6.1.4 (l): a certificate that is not self-issued consumes one unit of the remaining
/// path length; self-issued certificates do not count.
/// </summary>
/// <param name="certPath">The certification path being validated.</param>
/// <param name="index">Index of the certificate being processed.</param>
/// <param name="maxPathLength">Remaining maximum path length before this certificate.</param>
/// <returns>The remaining path length after this certificate.</returns>
/// <exception cref="PkixCertPathValidatorException">If the path length is already exhausted.</exception>
internal static int PrepareNextCertL(
    PkixCertPath certPath,
    int index,
    int maxPathLength)
    //throws CertPathValidatorException
{
    X509Certificate cert = (X509Certificate)certPath.Certificates[index];

    //
    // (l)
    //
    if (PkixCertPathValidatorUtilities.IsSelfIssued(cert))
    {
        return maxPathLength;
    }

    if (maxPathLength <= 0)
    {
        throw new PkixCertPathValidatorException("Max path length not greater than zero", null, certPath, index);
    }

    return maxPathLength - 1;
}
/// <summary>
/// Validates <paramref name="certPath"/> following the RFC 3280 section 6.1 algorithm.
/// The target certificate is expected at index 0 and the certificate nearest a trust
/// anchor last; processing walks from the anchor end down to index 0. Every step is
/// delegated to <see cref="Rfc3280CertPathUtilities"/>; this method owns the state the
/// steps thread through (policy tree, counters, working key and issuer name).
/// </summary>
/// <param name="certPath">The certification path; must hold at least one certificate.</param>
/// <param name="paramsPkix">Validation parameters; trust anchors must be set.</param>
/// <returns>The trust anchor, the final policy tree and the end-entity public key.</returns>
/// <exception cref="ArgumentException">If <paramref name="paramsPkix"/> has no trust anchors.</exception>
/// <exception cref="PkixCertPathValidatorException">If any step of the validation fails.</exception>
public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters paramsPkix)
{
    if (paramsPkix.GetTrustAnchors() == null)
    {
        throw new ArgumentException("trustAnchors is null, this is not allowed for certification path validation.", "parameters");
    }
    IList certificates = certPath.Certificates;
    int count = certificates.Count;
    if (certificates.Count == 0)
    {
        throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);
    }
    ISet initialPolicies = paramsPkix.GetInitialPolicies();
    // The anchor is looked up from the last certificate only; the rest of the path is
    // checked against the anchor's key/name by the per-certificate steps below.
    TrustAnchor trustAnchor;
    try
    {
        trustAnchor = PkixCertPathValidatorUtilities.FindTrustAnchor((X509Certificate)certificates[certificates.Count - 1], paramsPkix.GetTrustAnchors());
    }
    catch (Exception ex)
    {
        throw new PkixCertPathValidatorException(ex.Message, ex, certPath, certificates.Count - 1);
    }
    if (trustAnchor == null)
    {
        throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
    }
    int i = 0;
    // One list of policy nodes per depth; depth 0 holds the anyPolicy root.
    IList[] array = new IList[count + 1];
    for (int j = 0; j < array.Length; j++)
    {
        array[j] = Platform.CreateArrayList();
    }
    ISet set = new HashSet();
    set.Add(Rfc3280CertPathUtilities.ANY_POLICY);
    PkixPolicyNode pkixPolicyNode = new PkixPolicyNode(Platform.CreateArrayList(), 0, set, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, false);
    array[0].Add(pkixPolicyNode);
    PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();
    ISet acceptablePolicies = new HashSet();
    // num is the explicit_policy counter; 0 means explicit policy is required from the start,
    // count + 1 means it can never run out within this path.
    int num;
    if (paramsPkix.IsExplicitPolicyRequired)
    {
        num = 0;
    }
    else
    {
        num = count + 1;
    }
    int inhibitAnyPolicy;
    if (paramsPkix.IsAnyPolicyInhibited)
    {
        inhibitAnyPolicy = 0;
    }
    else
    {
        inhibitAnyPolicy = count + 1;
    }
    int policyMapping;
    if (paramsPkix.IsPolicyMappingInhibited)
    {
        policyMapping = 0;
    }
    else
    {
        policyMapping = count + 1;
    }
    // Working state seeded from the anchor: either its certificate, or a bare name/key pair.
    X509Certificate x509Certificate = trustAnchor.TrustedCert;
    X509Name workingIssuerName;
    AsymmetricKeyParameter asymmetricKeyParameter;
    try
    {
        if (x509Certificate != null)
        {
            workingIssuerName = x509Certificate.SubjectDN;
            asymmetricKeyParameter = x509Certificate.GetPublicKey();
        }
        else
        {
            workingIssuerName = new X509Name(trustAnchor.CAName);
            asymmetricKeyParameter = trustAnchor.CAPublicKey;
        }
    }
    catch (ArgumentException cause)
    {
        throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", cause, certPath, -1);
    }
    // Called only for its exception: an anchor key whose algorithm cannot be identified is rejected early.
    try
    {
        PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter);
    }
    catch (PkixCertPathValidatorException cause2)
    {
        throw new PkixCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", cause2, certPath, -1);
    }
    int maxPathLength = count;
    // Target constraints apply to the end-entity certificate at index 0.
    X509CertStoreSelector targetCertConstraints = paramsPkix.GetTargetCertConstraints();
    if (targetCertConstraints != null && !targetCertConstraints.Match((X509Certificate)certificates[0]))
    {
        throw new PkixCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
    }
    IList certPathCheckers = paramsPkix.GetCertPathCheckers();
    IEnumerator enumerator = certPathCheckers.GetEnumerator();
    while (enumerator.MoveNext())
    {
        ((PkixCertPathChecker)enumerator.Current).Init(false);
    }
    X509Certificate x509Certificate2 = null;
    for (i = certificates.Count - 1; i >= 0; i--)
    {
        // num2 is "i" in the RFC's numbering: 1 for the certificate next to the anchor, count for the target.
        int num2 = count - i;
        x509Certificate2 = (X509Certificate)certificates[i];
        // 6.1.3 basic certificate processing; the signature/name checks against the working
        // key and issuer name are presumably inside ProcessCertA -- confirm there.
        Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, i, asymmetricKeyParameter, workingIssuerName, x509Certificate);
        Rfc3280CertPathUtilities.ProcessCertBC(certPath, i, nameConstraintValidator);
        pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertD(certPath, i, acceptablePolicies, pkixPolicyNode, array, inhibitAnyPolicy);
        pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertE(certPath, i, pkixPolicyNode);
        Rfc3280CertPathUtilities.ProcessCertF(certPath, i, pkixPolicyNode, num);
        // 6.1.4 preparation for the next certificate runs for every certificate except the target.
        if (num2 != count)
        {
            if (x509Certificate2 != null && x509Certificate2.Version == 1)
            {
                throw new PkixCertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, certPath, i);
            }
            Rfc3280CertPathUtilities.PrepareNextCertA(certPath, i);
            pkixPolicyNode = Rfc3280CertPathUtilities.PrepareCertB(certPath, i, array, pkixPolicyNode, policyMapping);
            Rfc3280CertPathUtilities.PrepareNextCertG(certPath, i, nameConstraintValidator);
            num = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, i, num);
            policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, i, policyMapping);
            inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, i, inhibitAnyPolicy);
            num = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, i, num);
            policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, i, policyMapping);
            inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, i, inhibitAnyPolicy);
            Rfc3280CertPathUtilities.PrepareNextCertK(certPath, i);
            maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, i, maxPathLength);
            maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, i, maxPathLength);
            Rfc3280CertPathUtilities.PrepareNextCertN(certPath, i);
            // Critical extensions already consumed by the steps above are dropped; what is left
            // is handed to PrepareNextCertO together with the user-supplied checkers. Note that
            // CrlDistributionPoints is NOT dropped here, unlike in the wrap-up set below.
            ISet set2 = x509Certificate2.GetCriticalExtensionOids();
            if (set2 != null)
            {
                set2 = new HashSet(set2);
                set2.Remove(X509Extensions.KeyUsage.Id);
                set2.Remove(X509Extensions.CertificatePolicies.Id);
                set2.Remove(X509Extensions.PolicyMappings.Id);
                set2.Remove(X509Extensions.InhibitAnyPolicy.Id);
                set2.Remove(X509Extensions.IssuingDistributionPoint.Id);
                set2.Remove(X509Extensions.DeltaCrlIndicator.Id);
                set2.Remove(X509Extensions.PolicyConstraints.Id);
                set2.Remove(X509Extensions.BasicConstraints.Id);
                set2.Remove(X509Extensions.SubjectAlternativeName.Id);
                set2.Remove(X509Extensions.NameConstraints.Id);
            }
            else
            {
                set2 = new HashSet();
            }
            Rfc3280CertPathUtilities.PrepareNextCertO(certPath, i, set2, certPathCheckers);
            // This certificate becomes the issuer for the next iteration.
            x509Certificate = x509Certificate2;
            workingIssuerName = x509Certificate.SubjectDN;
            try
            {
                asymmetricKeyParameter = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, i);
            }
            catch (PkixCertPathValidatorException cause3)
            {
                throw new PkixCertPathValidatorException("Next working key could not be retrieved.", cause3, certPath, i);
            }
            PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter);
        }
    }
    // After the loop i == -1, so i + 1 is the target certificate's index (0).
    num = Rfc3280CertPathUtilities.WrapupCertA(num, x509Certificate2);
    num = Rfc3280CertPathUtilities.WrapupCertB(certPath, i + 1, num);
    // Same idea as set2, for the target certificate; here CrlDistributionPoints is also dropped.
    ISet set3 = x509Certificate2.GetCriticalExtensionOids();
    if (set3 != null)
    {
        set3 = new HashSet(set3);
        set3.Remove(X509Extensions.KeyUsage.Id);
        set3.Remove(X509Extensions.CertificatePolicies.Id);
        set3.Remove(X509Extensions.PolicyMappings.Id);
        set3.Remove(X509Extensions.InhibitAnyPolicy.Id);
        set3.Remove(X509Extensions.IssuingDistributionPoint.Id);
        set3.Remove(X509Extensions.DeltaCrlIndicator.Id);
        set3.Remove(X509Extensions.PolicyConstraints.Id);
        set3.Remove(X509Extensions.BasicConstraints.Id);
        set3.Remove(X509Extensions.SubjectAlternativeName.Id);
        set3.Remove(X509Extensions.NameConstraints.Id);
        set3.Remove(X509Extensions.CrlDistributionPoints.Id);
    }
    else
    {
        set3 = new HashSet();
    }
    Rfc3280CertPathUtilities.WrapupCertF(certPath, i + 1, certPathCheckers, set3);
    PkixPolicyNode pkixPolicyNode2 = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, initialPolicies, i + 1, array, pkixPolicyNode, acceptablePolicies);
    // The path is acceptable on policy grounds if explicit policy was never required to kick in,
    // or a non-empty valid policy tree survived.
    if (num > 0 || pkixPolicyNode2 != null)
    {
        return (new PkixCertPathValidatorResult(trustAnchor, pkixPolicyNode2, x509Certificate2.GetPublicKey()));
    }
    throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, i);
}
/// <summary>
/// RFC 3280 section 6.1.4 step (n): an issuer certificate that carries a key usage
/// extension must assert keyCertSign.
/// </summary>
/// <param name="certPath">The certification path being validated.</param>
/// <param name="index">Index of the issuer certificate to inspect.</param>
/// <exception cref="PkixCertPathValidatorException">
/// If a key usage extension is present and keyCertSign is not set. The check is applied
/// whether or not the extension is marked critical, even though the message says "critical".
/// </exception>
internal static void PrepareNextCertN(
    PkixCertPath certPath,
    int index)
{
    X509Certificate cert = (X509Certificate)certPath.Certificates[index];

    bool[] keyUsage = cert.GetKeyUsage();
    if (keyUsage == null)
    {
        // No key usage extension: nothing to enforce in this step.
        return;
    }

    if (!keyUsage[Rfc3280CertPathUtilities.KEY_CERT_SIGN])
    {
        throw new PkixCertPathValidatorException(
            "Issuer certificate keyusage extension is critical and does not permit key signing.",
            null, certPath, index);
    }
}
/// <summary>
/// Creates a certification path from a collection of certificates. The input is copied
/// into a new list and ordered by <c>SortCerts</c> before being stored, so the
/// caller's collection is left untouched.
/// </summary>
/// <param name="certificates">The certificates making up the path, in any order.</param>
public PkixCertPath(ICollection certificates)
{
    IList ordered = SortCerts(Platform.CreateArrayList(certificates));
    this.certificates = ordered;
}
/// <summary>
/// RFC 3280 section 6.1.4 step (h)(2): decrements the policy_mapping counter for a
/// certificate that is not self-issued, stopping at zero.
/// </summary>
/// <param name="certPath">The certification path being validated.</param>
/// <param name="index">Index of the certificate to inspect within the path.</param>
/// <param name="policyMapping">The current policy_mapping counter.</param>
/// <returns>The counter to carry into the next certificate.</returns>
internal static int PrepareNextCertH2(
    PkixCertPath certPath,
    int index,
    int policyMapping)
{
    X509Certificate cert = (X509Certificate)certPath.Certificates[index];

    // Only non-self-issued certificates consume a step, and only while steps remain.
    bool consumesStep = !PkixCertPathValidatorUtilities.IsSelfIssued(cert) && policyMapping != 0;
    return consumesStep ? policyMapping - 1 : policyMapping;
}
/// <summary>
/// Recursive path construction for an attribute certificate's issuer chain. Appends
/// <paramref name="tbvCert"/> to <paramref name="tbvPath"/>; when the certificate matches a
/// trust anchor the whole candidate path is validated, otherwise each non-self-issued
/// issuer candidate is tried in turn. Any failure is recorded in <c>certPathException</c>
/// and <c>null</c> is returned rather than throwing.
/// </summary>
/// <param name="attrCert">The attribute certificate the path is being built for.</param>
/// <param name="tbvCert">The certificate to append to the path under construction.</param>
/// <param name="pkixParams">Builder parameters: trust anchors, excluded certificates, max path length.</param>
/// <param name="tbvPath">The path built so far; extended in place and rolled back when no result is found.</param>
/// <returns>A builder result for a validated path, or <c>null</c> if none was found from here.</returns>
private PkixCertPathBuilderResult Build(IX509AttributeCertificate attrCert, X509Certificate tbvCert, PkixBuilderParameters pkixParams, IList tbvPath)
{
    // Cycle guard, explicit exclusions and the length bound all stop the recursion early.
    if (tbvPath.Contains(tbvCert)
        || pkixParams.GetExcludedCerts().Contains(tbvCert)
        || (pkixParams.MaxPathLength != -1 && tbvPath.Count - 1 > pkixParams.MaxPathLength))
    {
        return null;
    }

    tbvPath.Add(tbvCert);
    PkixCertPathBuilderResult found = null;
    PkixAttrCertPathValidator validator = new PkixAttrCertPathValidator();
    try
    {
        if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
        {
            // Reached an anchor: the candidate is only accepted if it validates as a whole.
            PkixCertPath candidate = new PkixCertPath(tbvPath);
            PkixCertPathValidatorResult validated;
            try
            {
                validated = validator.Validate(candidate, pkixParams);
            }
            catch (Exception innerException)
            {
                throw new Exception("Certification path could not be validated.", innerException);
            }
            return new PkixCertPathBuilderResult(candidate, validated.TrustAnchor, validated.PolicyTree, validated.SubjectPublicKey);
        }

        try
        {
            PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams);
        }
        catch (CertificateParsingException innerException2)
        {
            throw new Exception("No additional X.509 stores can be added from certificate locations.", innerException2);
        }

        ISet issuers = new HashSet();
        try
        {
            issuers.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
        }
        catch (Exception innerException3)
        {
            throw new Exception("Cannot find issuer certificate for certificate in certification path.", innerException3);
        }
        if (issuers.IsEmpty)
        {
            throw new Exception("No issuer certificate for certificate in certification path found.");
        }

        foreach (X509Certificate issuer in issuers)
        {
            // Self-issued candidates never extend the path.
            if (PkixCertPathValidatorUtilities.IsSelfIssued(issuer))
            {
                continue;
            }
            found = Build(attrCert, issuer, pkixParams, tbvPath);
            if (found != null)
            {
                break;
            }
        }
    }
    catch (Exception innerException4)
    {
        // Failures are surfaced through the field, not the return value.
        certPathException = new Exception("No valid certification path could be build.", innerException4);
    }

    if (found == null)
    {
        tbvPath.Remove(tbvCert);
    }
    return found;
}
/// <summary>
/// RFC 3280 section 6.1.5 step (b): if the certificate's PolicyConstraints extension
/// carries requireExplicitPolicy with value 0, the explicit_policy counter becomes 0.
/// </summary>
/// <param name="certPath">The certification path being validated.</param>
/// <param name="index">Index of the certificate to inspect within the path.</param>
/// <param name="explicitPolicy">The current explicit_policy counter.</param>
/// <returns>0 if requireExplicitPolicy is present with value 0, otherwise the counter unchanged.</returns>
/// <exception cref="PkixCertPathValidatorException">If the extension or its requireExplicitPolicy field cannot be decoded.</exception>
internal static int WrapupCertB(
    PkixCertPath certPath,
    int index,
    int explicitPolicy)
{
    X509Certificate cert = (X509Certificate)certPath.Certificates[index];

    Asn1Sequence policyConstraints;
    try
    {
        policyConstraints = DerSequence.GetInstance(
            PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.PolicyConstraints));
    }
    catch (Exception e)
    {
        throw new PkixCertPathValidatorException("Policy constraints could not be decoded.", e, certPath, index);
    }

    if (policyConstraints == null)
    {
        return explicitPolicy;
    }

    foreach (Asn1TaggedObject constraint in policyConstraints)
    {
        // Only requireExplicitPolicy ([0]) matters here; other tags are skipped.
        if (constraint.TagNo != 0)
        {
            continue;
        }

        int requireExplicitPolicy;
        try
        {
            requireExplicitPolicy = DerInteger.GetInstance(constraint, false).Value.IntValue;
        }
        catch (Exception e)
        {
            throw new PkixCertPathValidatorException(
                "Policy constraints requireExplicitPolicy field could not be decoded.", e, certPath, index);
        }

        if (requireExplicitPolicy == 0)
        {
            return 0;
        }
    }

    return explicitPolicy;
}
/// <summary>
/// Validates <paramref name="certPath"/> following the RFC 3280 section 6.1 algorithm
/// (decompiled form of the validator; accessor-style calls such as <c>get_Count()</c> are
/// decompiler output). The target certificate is expected at index 0 and the certificate
/// nearest a trust anchor last; processing walks from the anchor end down to index 0.
/// </summary>
/// <param name="certPath">The certification path; must hold at least one certificate.</param>
/// <param name="paramsPkix">Validation parameters; trust anchors must be set.</param>
/// <returns>The trust anchor, the final policy tree and the end-entity public key.</returns>
/// <exception cref="ArgumentException">If <paramref name="paramsPkix"/> has no trust anchors.</exception>
/// <exception cref="PkixCertPathValidatorException">If any step of the validation fails.</exception>
public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters paramsPkix)
{
    if (paramsPkix.GetTrustAnchors() == null)
    {
        throw new ArgumentException("trustAnchors is null, this is not allowed for certification path validation.", "parameters");
    }
    global::System.Collections.IList certificates = certPath.Certificates;
    int count = ((global::System.Collections.ICollection)certificates).get_Count();
    if (((global::System.Collections.ICollection)certificates).get_Count() == 0)
    {
        throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);
    }
    ISet initialPolicies = paramsPkix.GetInitialPolicies();
    // The anchor is looked up from the last certificate only.
    TrustAnchor trustAnchor;
    try
    {
        trustAnchor = PkixCertPathValidatorUtilities.FindTrustAnchor((X509Certificate)certificates.get_Item(((global::System.Collections.ICollection)certificates).get_Count() - 1), paramsPkix.GetTrustAnchors());
    }
    catch (global::System.Exception ex)
    {
        throw new PkixCertPathValidatorException(ex.get_Message(), ex, certPath, ((global::System.Collections.ICollection)certificates).get_Count() - 1);
    }
    if (trustAnchor == null)
    {
        throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
    }
    // num doubles as the loop index below; after the loop it is -1.
    int num = 0;
    // One list of policy nodes per depth; depth 0 holds the anyPolicy root.
    global::System.Collections.IList[] array = new global::System.Collections.IList[count + 1];
    for (int i = 0; i < array.Length; i++)
    {
        array[i] = Platform.CreateArrayList();
    }
    ISet set = new HashSet();
    set.Add(Rfc3280CertPathUtilities.ANY_POLICY);
    PkixPolicyNode pkixPolicyNode = new PkixPolicyNode(Platform.CreateArrayList(), 0, set, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, critical: false);
    array[0].Add((object)pkixPolicyNode);
    PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();
    ISet acceptablePolicies = new HashSet();
    // Counters: 0 means the constraint applies immediately, count + 1 means it cannot run out on this path.
    int explicitPolicy = ((!paramsPkix.IsExplicitPolicyRequired) ? (count + 1) : 0);
    int inhibitAnyPolicy = ((!paramsPkix.IsAnyPolicyInhibited) ? (count + 1) : 0);
    int policyMapping = ((!paramsPkix.IsPolicyMappingInhibited) ? (count + 1) : 0);
    // Working state seeded from the anchor: either its certificate, or a bare name/key pair.
    X509Certificate x509Certificate = trustAnchor.TrustedCert;
    X509Name workingIssuerName;
    AsymmetricKeyParameter asymmetricKeyParameter;
    try
    {
        if (x509Certificate != null)
        {
            workingIssuerName = x509Certificate.SubjectDN;
            asymmetricKeyParameter = x509Certificate.GetPublicKey();
        }
        else
        {
            workingIssuerName = new X509Name(trustAnchor.CAName);
            asymmetricKeyParameter = trustAnchor.CAPublicKey;
        }
    }
    catch (ArgumentException val)
    {
        ArgumentException cause = val;
        throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", (global::System.Exception)(object) cause, certPath, -1);
    }
    // Called only for its exception: an anchor key whose algorithm cannot be identified is rejected early.
    try
    {
        PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter);
    }
    catch (PkixCertPathValidatorException cause2)
    {
        throw new PkixCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", cause2, certPath, -1);
    }
    int maxPathLength = count;
    // Target constraints apply to the end-entity certificate at index 0.
    X509CertStoreSelector targetCertConstraints = paramsPkix.GetTargetCertConstraints();
    if (targetCertConstraints != null && !targetCertConstraints.Match((X509Certificate)certificates.get_Item(0)))
    {
        throw new PkixCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
    }
    global::System.Collections.IList certPathCheckers = paramsPkix.GetCertPathCheckers();
    global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)certPathCheckers).GetEnumerator();
    while (enumerator.MoveNext())
    {
        ((PkixCertPathChecker)enumerator.get_Current()).Init(forward: false);
    }
    X509Certificate x509Certificate2 = null;
    for (num = ((global::System.Collections.ICollection)certificates).get_Count() - 1; num >= 0; num--)
    {
        // num2 is "i" in the RFC's numbering: 1 next to the anchor, count for the target.
        int num2 = count - num;
        x509Certificate2 = (X509Certificate)certificates.get_Item(num);
        // 6.1.3 basic certificate processing; the signature/name checks against the working
        // key and issuer name are presumably inside ProcessCertA -- confirm there.
        Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, num, asymmetricKeyParameter, workingIssuerName, x509Certificate);
        Rfc3280CertPathUtilities.ProcessCertBC(certPath, num, nameConstraintValidator);
        pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertD(certPath, num, acceptablePolicies, pkixPolicyNode, array, inhibitAnyPolicy);
        pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertE(certPath, num, pkixPolicyNode);
        Rfc3280CertPathUtilities.ProcessCertF(certPath, num, pkixPolicyNode, explicitPolicy);
        // 6.1.4 preparation for the next certificate runs for every certificate except the target.
        if (num2 != count)
        {
            if (x509Certificate2 != null && x509Certificate2.Version == 1)
            {
                throw new PkixCertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, certPath, num);
            }
            Rfc3280CertPathUtilities.PrepareNextCertA(certPath, num);
            pkixPolicyNode = Rfc3280CertPathUtilities.PrepareCertB(certPath, num, array, pkixPolicyNode, policyMapping);
            Rfc3280CertPathUtilities.PrepareNextCertG(certPath, num, nameConstraintValidator);
            explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, num, explicitPolicy);
            policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, num, policyMapping);
            inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, num, inhibitAnyPolicy);
            explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, num, explicitPolicy);
            policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, num, policyMapping);
            inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, num, inhibitAnyPolicy);
            Rfc3280CertPathUtilities.PrepareNextCertK(certPath, num);
            maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, num, maxPathLength);
            maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, num, maxPathLength);
            Rfc3280CertPathUtilities.PrepareNextCertN(certPath, num);
            // Critical extensions consumed by the steps above are dropped; the remainder goes to
            // PrepareNextCertO with the user checkers. CrlDistributionPoints is NOT dropped here,
            // unlike in the wrap-up set for the target certificate below.
            ISet criticalExtensionOids = x509Certificate2.GetCriticalExtensionOids();
            if (criticalExtensionOids != null)
            {
                criticalExtensionOids = new HashSet(criticalExtensionOids);
                criticalExtensionOids.Remove(X509Extensions.KeyUsage.Id);
                criticalExtensionOids.Remove(X509Extensions.CertificatePolicies.Id);
                criticalExtensionOids.Remove(X509Extensions.PolicyMappings.Id);
                criticalExtensionOids.Remove(X509Extensions.InhibitAnyPolicy.Id);
                criticalExtensionOids.Remove(X509Extensions.IssuingDistributionPoint.Id);
                criticalExtensionOids.Remove(X509Extensions.DeltaCrlIndicator.Id);
                criticalExtensionOids.Remove(X509Extensions.PolicyConstraints.Id);
                criticalExtensionOids.Remove(X509Extensions.BasicConstraints.Id);
                criticalExtensionOids.Remove(X509Extensions.SubjectAlternativeName.Id);
                criticalExtensionOids.Remove(X509Extensions.NameConstraints.Id);
            }
            else
            {
                criticalExtensionOids = new HashSet();
            }
            Rfc3280CertPathUtilities.PrepareNextCertO(certPath, num, criticalExtensionOids, certPathCheckers);
            // This certificate becomes the issuer for the next iteration.
            x509Certificate = x509Certificate2;
            workingIssuerName = x509Certificate.SubjectDN;
            try
            {
                asymmetricKeyParameter = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, num);
            }
            catch (PkixCertPathValidatorException cause3)
            {
                throw new PkixCertPathValidatorException("Next working key could not be retrieved.", cause3, certPath, num);
            }
            PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter);
        }
    }
    // After the loop num == -1, so num + 1 is the target certificate's index (0).
    explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, x509Certificate2);
    explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, num + 1, explicitPolicy);
    // Same idea as above, for the target certificate; here CrlDistributionPoints is also dropped.
    ISet criticalExtensionOids2 = x509Certificate2.GetCriticalExtensionOids();
    if (criticalExtensionOids2 != null)
    {
        criticalExtensionOids2 = new HashSet(criticalExtensionOids2);
        criticalExtensionOids2.Remove(X509Extensions.KeyUsage.Id);
        criticalExtensionOids2.Remove(X509Extensions.CertificatePolicies.Id);
        criticalExtensionOids2.Remove(X509Extensions.PolicyMappings.Id);
        criticalExtensionOids2.Remove(X509Extensions.InhibitAnyPolicy.Id);
        criticalExtensionOids2.Remove(X509Extensions.IssuingDistributionPoint.Id);
        criticalExtensionOids2.Remove(X509Extensions.DeltaCrlIndicator.Id);
        criticalExtensionOids2.Remove(X509Extensions.PolicyConstraints.Id);
        criticalExtensionOids2.Remove(X509Extensions.BasicConstraints.Id);
        criticalExtensionOids2.Remove(X509Extensions.SubjectAlternativeName.Id);
        criticalExtensionOids2.Remove(X509Extensions.NameConstraints.Id);
        criticalExtensionOids2.Remove(X509Extensions.CrlDistributionPoints.Id);
    }
    else
    {
        criticalExtensionOids2 = new HashSet();
    }
    Rfc3280CertPathUtilities.WrapupCertF(certPath, num + 1, certPathCheckers, criticalExtensionOids2);
    PkixPolicyNode pkixPolicyNode2 = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, initialPolicies, num + 1, array, pkixPolicyNode, acceptablePolicies);
    // Acceptable on policy grounds if explicit policy never became mandatory, or a valid policy tree survived.
    if (explicitPolicy > 0 || pkixPolicyNode2 != null)
    {
        return (new PkixCertPathValidatorResult(trustAnchor, pkixPolicyNode2, x509Certificate2.GetPublicKey()));
    }
    throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, num);
}
/// <summary>
/// RFC 3280 section 6.1.5 step (g): intersects the valid policy tree with the user's
/// initial policy set and prunes nodes that no longer lead to a leaf. The three branches
/// correspond to (g)(i) empty tree, (g)(ii) user set is anyPolicy, (g)(iii) explicit user set.
/// </summary>
/// <param name="certPath">The certification path being validated.</param>
/// <param name="paramsPKIX">Validation parameters (explicit-policy flag is read).</param>
/// <param name="userInitialPolicySet">The user-initial-policy-set from the parameters.</param>
/// <param name="index">Certificate index reported in exceptions.</param>
/// <param name="policyNodes">Policy nodes grouped by depth; mutated by node removal.</param>
/// <param name="validPolicyTree">The valid policy tree after processing the last certificate, or null.</param>
/// <param name="acceptablePolicies">Policies collected while processing the path.</param>
/// <returns>The intersected policy tree, or null if it is empty.</returns>
/// <exception cref="PkixCertPathValidatorException">If explicit policy is required but no policy is available.</exception>
internal static PkixPolicyNode WrapupCertG(
    PkixCertPath certPath,
    PkixParameters paramsPKIX,
    ISet userInitialPolicySet,
    int index,
    IList[] policyNodes,
    PkixPolicyNode validPolicyTree,
    ISet acceptablePolicies)
{
    int n = certPath.Certificates.Count;
    PkixPolicyNode intersection;

    //
    // (g) (i): no tree left -- acceptable only if explicit policy is not required.
    //
    if (validPolicyTree == null)
    {
        if (paramsPKIX.IsExplicitPolicyRequired)
        {
            throw new PkixCertPathValidatorException(
                "Explicit policy requested but none available.", null, certPath, index);
        }
        intersection = null;
    }
    //
    // (g) (ii): user set is anyPolicy -- the tree is kept as is.
    //
    else if (PkixCertPathValidatorUtilities.IsAnyPolicy(userInitialPolicySet))
    {
        if (paramsPKIX.IsExplicitPolicyRequired)
        {
            if (acceptablePolicies.IsEmpty)
            {
                throw new PkixCertPathValidatorException(
                    "Explicit policy requested but none available.", null, certPath, index);
            }
            else
            {
                // Children of anyPolicy nodes at every depth.
                ISet _validPolicyNodeSet = new HashSet();
                for (int j = 0; j < policyNodes.Length; j++)
                {
                    IList _nodeDepth = policyNodes[j];
                    for (int k = 0; k < _nodeDepth.Count; k++)
                    {
                        PkixPolicyNode _node = (PkixPolicyNode)_nodeDepth[k];
                        if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(_node.ValidPolicy))
                        {
                            foreach (object o in _node.Children)
                            {
                                _validPolicyNodeSet.Add(o);
                            }
                        }
                    }
                }
                // NOTE(review): this loop has no effect -- the pruning it was meant to do is
                // commented out below, so _validPolicyNodeSet is computed but never used.
                foreach (PkixPolicyNode _node in _validPolicyNodeSet)
                {
                    string _validPolicy = _node.ValidPolicy;
                    if (!acceptablePolicies.Contains(_validPolicy))
                    {
                        // TODO?
                        // validPolicyTree =
                        // removePolicyNode(validPolicyTree, policyNodes,
                        // _node);
                    }
                }
                // Prune childless nodes bottom-up so removals cascade toward the root.
                if (validPolicyTree != null)
                {
                    for (int j = (n - 1); j >= 0; j--)
                    {
                        IList nodes = policyNodes[j];
                        for (int k = 0; k < nodes.Count; k++)
                        {
                            PkixPolicyNode node = (PkixPolicyNode)nodes[k];
                            if (!node.HasChildren)
                            {
                                validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree, policyNodes, node);
                            }
                        }
                    }
                }
            }
        }
        intersection = validPolicyTree;
    }
    else
    {
        //
        // (g) (iii)
        //
        // This implementation is not exactly same as the one described in
        // RFC3280.
        // However, as far as the validation result is concerned, both
        // produce
        // adequate result. The only difference is whether AnyPolicy is
        // remain
        // in the policy tree or not.
        //
        // (g) (iii) 1: collect the non-anyPolicy children of every anyPolicy node.
        //
        ISet _validPolicyNodeSet = new HashSet();
        for (int j = 0; j < policyNodes.Length; j++)
        {
            IList _nodeDepth = policyNodes[j];
            for (int k = 0; k < _nodeDepth.Count; k++)
            {
                PkixPolicyNode _node = (PkixPolicyNode)_nodeDepth[k];
                if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(_node.ValidPolicy))
                {
                    foreach (PkixPolicyNode _c_node in _node.Children)
                    {
                        if (!Rfc3280CertPathUtilities.ANY_POLICY.Equals(_c_node.ValidPolicy))
                        {
                            _validPolicyNodeSet.Add(_c_node);
                        }
                    }
                }
            }
        }
        //
        // (g) (iii) 2: drop every such node whose policy is not in the user's set.
        //
        IEnumerator _vpnsIter = _validPolicyNodeSet.GetEnumerator();
        while (_vpnsIter.MoveNext())
        {
            PkixPolicyNode _node = (PkixPolicyNode)_vpnsIter.Current;
            string _validPolicy = _node.ValidPolicy;
            if (!userInitialPolicySet.Contains(_validPolicy))
            {
                validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree, policyNodes, _node);
            }
        }
        //
        // (g) (iii) 4: prune childless nodes bottom-up.
        // NOTE(review): RemovePolicyNode receives policyNodes and may shrink nodes while k
        // still indexes it -- confirm it does not skip the element following a removal.
        //
        if (validPolicyTree != null)
        {
            for (int j = (n - 1); j >= 0; j--)
            {
                IList nodes = policyNodes[j];
                for (int k = 0; k < nodes.Count; k++)
                {
                    PkixPolicyNode node = (PkixPolicyNode)nodes[k];
                    if (!node.HasChildren)
                    {
                        validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(validPolicyTree, policyNodes, node);
                    }
                }
            }
        }
        intersection = validPolicyTree;
    }
    return intersection;
}
/**
 * Performs checks on the specified attribute certificate. Every handled
 * extension is removed from the <code>unresolvedCritExts</code>
 * collection.
 *
 * @param attrCert The attribute certificate to be checked.
 * @param certPath The certificate path which belongs to the attribute
 *            certificate issuer public key certificate.
 * @param holderCertPath The certificate path which belongs to the holder
 *            certificate.
 * @param unresolvedCritExts a <code>Collection</code> of OID strings
 *            representing the current set of unresolved critical extensions
 * @throws CertPathValidatorException if the specified attribute certificate
 *             does not pass the check.
 */
public abstract void Check(
    IX509AttributeCertificate attrCert,
    PkixCertPath certPath,
    PkixCertPath holderCertPath,
    ICollection unresolvedCritExts);
/// <summary>
/// RFC 3280 section 6.1.3 step (e): a certificate without a CertificatePolicies
/// extension empties the valid policy tree.
/// </summary>
/// <param name="certPath">The certification path being validated.</param>
/// <param name="index">Index of the certificate to inspect within the path.</param>
/// <param name="validPolicyTree">The current valid policy tree (may be null).</param>
/// <returns><c>null</c> if the certificate has no policies extension, otherwise the tree unchanged.</returns>
/// <exception cref="PkixCertPathValidatorException">If the extension is present but cannot be decoded.</exception>
internal static PkixPolicyNode ProcessCertE(
    PkixCertPath certPath,
    int index,
    PkixPolicyNode validPolicyTree)
{
    X509Certificate cert = (X509Certificate)certPath.Certificates[index];

    Asn1Sequence certPolicies;
    try
    {
        certPolicies = DerSequence.GetInstance(
            PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.CertificatePolicies));
    }
    catch (Exception e)
    {
        throw new PkixCertPathValidatorException("Could not read certificate policies extension from certificate.", e, certPath, index);
    }

    // Only the presence of the extension matters in this step; its contents are handled in (d).
    return certPolicies == null ? null : validPolicyTree;
}
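/**
 * Validates a certification path against the supplied PKIX parameters,
 * following the basic path validation algorithm of RFC 3280 section 6.1
 * (inputs 6.1.1, setup 6.1.2, per-certificate processing 6.1.3/6.1.4,
 * wrap-up 6.1.5). The individual steps are delegated to
 * <code>Rfc3280CertPathUtilities</code> and
 * <code>PkixCertPathValidatorUtilities</code>; the step letters in the
 * comments below refer to the RFC.
 *
 * @param certPath The certification path to validate. The target
 *        certificate is expected at index 0 and the certificate issued by
 *        the trust anchor at the last index.
 * @param paramsPkix The PKIX parameters: trust anchors, initial policies,
 *        policy flags, target constraints and path checkers.
 * @return A <code>PkixCertPathValidatorResult</code> holding the trust
 *        anchor, the resulting policy tree and the public key of the
 *        target certificate.
 * @throws ArgumentException if <code>paramsPkix</code> has no trust anchors.
 * @throws PkixCertPathValidatorException if the path is empty, no trust
 *         anchor is found, or any validation step fails.
 */
public virtual PkixCertPathValidatorResult Validate(
    PkixCertPath certPath,
    PkixParameters paramsPkix)
{
    if (paramsPkix.GetTrustAnchors() == null)
    {
        // ParamName names the parameter of this method (it previously said "parameters").
        throw new ArgumentException(
            @"trustAnchors is null, this is not allowed for certification path validation.",
            "paramsPkix");
    }

    //
    // 6.1.1 - inputs
    //

    // (a) the prospective certification path; index 0 is the target
    // certificate, the last index the certificate issued by the trust anchor.
    IList certs = certPath.Certificates;
    int n = certs.Count;

    if (certs.Count == 0)
        throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);

    // (b) the validation time is read from paramsPkix by the individual
    // steps that need it, not here.

    // (c) user-initial-policy-set
    ISet userInitialPolicySet = paramsPkix.GetInitialPolicies();

    // (d) trust anchor, looked up for the last certificate of the path.
    TrustAnchor trust;
    try
    {
        trust = PkixCertPathValidatorUtilities.FindTrustAnchor(
            (X509Certificate)certs[certs.Count - 1], paramsPkix.GetTrustAnchors());
    }
    catch (Exception e)
    {
        throw new PkixCertPathValidatorException(e.Message, e, certPath, certs.Count - 1);
    }

    if (trust == null)
        throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);

    // (e), (f), (g) initial-policy-mapping-inhibit, initial-explicit-policy
    // and initial-any-policy-inhibit are read from paramsPkix in 6.1.2 below.

    //
    // 6.1.2 - setup
    //

    // (a) valid_policy_tree: one node list per depth 0..n, with the
    // anyPolicy root node at depth 0.
    IList[] policyNodes = new IList[n + 1];
    for (int j = 0; j < policyNodes.Length; j++)
    {
        policyNodes[j] = Platform.CreateArrayList();
    }

    ISet policySet = new HashSet();
    policySet.Add(Rfc3280CertPathUtilities.ANY_POLICY);

    PkixPolicyNode validPolicyTree = new PkixPolicyNode(Platform.CreateArrayList(), 0, policySet, null, new HashSet(),
        Rfc3280CertPathUtilities.ANY_POLICY, false);

    policyNodes[0].Add(validPolicyTree);

    // (b) and (c) permitted and excluded subtrees are tracked by the validator.
    PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();

    // (d) explicit_policy: 0 when explicit policy is required, else n + 1.
    ISet acceptablePolicies = new HashSet();
    int explicitPolicy = paramsPkix.IsExplicitPolicyRequired ? 0 : n + 1;

    // (e) inhibit_any-policy
    int inhibitAnyPolicy = paramsPkix.IsAnyPolicyInhibited ? 0 : n + 1;

    // (f) policy_mapping
    int policyMapping = paramsPkix.IsPolicyMappingInhibited ? 0 : n + 1;

    // (g), (h), (i), (j) working public key and working issuer name, taken
    // from the anchor's certificate when it has one, else from its CA name
    // and CA public key.
    IAsymmetricKeyParameter workingPublicKey;
    X509Name workingIssuerName;

    X509Certificate sign = trust.TrustedCert;
    try
    {
        if (sign != null)
        {
            workingIssuerName = sign.SubjectDN;
            workingPublicKey = sign.GetPublicKey();
        }
        else
        {
            workingIssuerName = new X509Name(trust.CAName);
            workingPublicKey = trust.CAPublicKey;
        }
    }
    catch (ArgumentException ex)
    {
        throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath, -1);
    }

    // The algorithm identifier itself is not used afterwards; the call is
    // kept because it fails for an anchor key whose algorithm cannot be read.
    try
    {
        PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
    }
    catch (PkixCertPathValidatorException e)
    {
        throw new PkixCertPathValidatorException(
            "Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1);
    }

    // (k) max_path_length
    int maxPathLength = n;

    //
    // 6.1.3
    //

    // The target certificate must satisfy the caller's target constraints, if any.
    X509CertStoreSelector certConstraints = paramsPkix.GetTargetCertConstraints();
    if (certConstraints != null && !certConstraints.Match((X509Certificate)certs[0]))
    {
        throw new PkixCertPathValidatorException(
            "Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
    }

    // Initialise the custom path checkers; forward = false because the path
    // is processed from the anchor towards the target.
    IList pathCheckers = paramsPkix.GetCertPathCheckers();
    foreach (object checker in pathCheckers)
    {
        ((PkixCertPathChecker)checker).Init(false);
    }

    X509Certificate cert = null;
    int index;

    // Walk from the certificate nearest the trust anchor (last index) down
    // to the target certificate (index 0).
    for (index = certs.Count - 1; index >= 0; index--)
    {
        // i as defined in the algorithm description (1 for the first certificate after the anchor)
        int i = n - index;

        // sign, workingPublicKey and workingIssuerName describe the issuer of
        // this certificate: initialised from the trust anchor, updated at the
        // end of each iteration.
        cert = (X509Certificate)certs[index];

        //
        // 6.1.3 basic certificate processing
        //

        // (a) signature, validity, revocation and issuer name
        Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, index, workingPublicKey, workingIssuerName, sign);

        // (b), (c) name constraints
        Rfc3280CertPathUtilities.ProcessCertBC(certPath, index, nameConstraintValidator);

        // (d) certificate policies against the policy tree
        validPolicyTree = Rfc3280CertPathUtilities.ProcessCertD(certPath, index, acceptablePolicies, validPolicyTree, policyNodes, inhibitAnyPolicy);

        // (e) no certificate policies extension -> tree becomes null
        validPolicyTree = Rfc3280CertPathUtilities.ProcessCertE(certPath, index, validPolicyTree);

        // (f) a null tree is only acceptable while explicit_policy > 0
        Rfc3280CertPathUtilities.ProcessCertF(certPath, index, validPolicyTree, explicitPolicy);

        //
        // 6.1.4 preparation for the next certificate (every certificate but the target)
        //
        if (i != n)
        {
            if (cert != null && cert.Version == 1)
            {
                throw new PkixCertPathValidatorException(
                    "Version 1 certificates can't be used as CA ones.", null, certPath, index);
            }

            // (a) policy mappings
            Rfc3280CertPathUtilities.PrepareNextCertA(certPath, index);

            // (b) policy mapping processing against the tree
            validPolicyTree = Rfc3280CertPathUtilities.PrepareCertB(certPath, index, policyNodes, validPolicyTree, policyMapping);

            // (g) name constraints
            Rfc3280CertPathUtilities.PrepareNextCertG(certPath, index, nameConstraintValidator);

            // (h) explicit_policy, policy_mapping and inhibit_any-policy counters
            explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, index, explicitPolicy);
            policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, index, policyMapping);
            inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, index, inhibitAnyPolicy);

            // (i) policy constraints
            explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, index, explicitPolicy);
            policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, index, policyMapping);

            // (j) inhibit anyPolicy
            inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, index, inhibitAnyPolicy);

            // (k) basic constraints
            Rfc3280CertPathUtilities.PrepareNextCertK(certPath, index);

            // (l) max_path_length
            maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, index, maxPathLength);

            // (m) pathLenConstraint
            maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, index, maxPathLength);

            // (n) key usage
            Rfc3280CertPathUtilities.PrepareNextCertN(certPath, index);

            // (o) critical extensions handled by the algorithm are removed from
            // the set; whatever remains is handed to the path checkers.
            ISet criticalExtensions1 = cert.GetCriticalExtensionOids();
            if (criticalExtensions1 != null)
            {
                criticalExtensions1 = new HashSet(criticalExtensions1);
                criticalExtensions1.Remove(X509Extensions.KeyUsage.Id);
                criticalExtensions1.Remove(X509Extensions.CertificatePolicies.Id);
                criticalExtensions1.Remove(X509Extensions.PolicyMappings.Id);
                criticalExtensions1.Remove(X509Extensions.InhibitAnyPolicy.Id);
                criticalExtensions1.Remove(X509Extensions.IssuingDistributionPoint.Id);
                criticalExtensions1.Remove(X509Extensions.DeltaCrlIndicator.Id);
                criticalExtensions1.Remove(X509Extensions.PolicyConstraints.Id);
                criticalExtensions1.Remove(X509Extensions.BasicConstraints.Id);
                criticalExtensions1.Remove(X509Extensions.SubjectAlternativeName.Id);
                criticalExtensions1.Remove(X509Extensions.NameConstraints.Id);
                // NOTE(review): unlike the wrap-up step for the target
                // certificate, CrlDistributionPoints is not treated as handled
                // here - confirm the asymmetry is intended.
            }
            else
            {
                criticalExtensions1 = new HashSet();
            }

            Rfc3280CertPathUtilities.PrepareNextCertO(certPath, index, criticalExtensions1, pathCheckers);

            // This certificate is the issuer of the next one.
            sign = cert;

            // (c) working_issuer_name
            workingIssuerName = sign.SubjectDN;

            // (d) working_public_key
            try
            {
                workingPublicKey = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, index);
            }
            catch (PkixCertPathValidatorException e)
            {
                throw new PkixCertPathValidatorException("Next working key could not be retrieved.", e, certPath, index);
            }

            // (e), (f) the key's algorithm and parameters are not tracked
            // separately; the call is kept because it fails for an unreadable key.
            PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(workingPublicKey);
        }
    }

    //
    // 6.1.5 wrap-up procedure: cert is now the target certificate and
    // index is -1, so index + 1 addresses position 0.
    //

    // (a), (b) final adjustment of explicit_policy
    explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, cert);
    explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, index + 1, explicitPolicy);

    // (c), (d) and (e) (working key and its parameters) are not needed here.

    // (f) remaining critical extensions of the target certificate go to the path checkers.
    ISet criticalExtensions = cert.GetCriticalExtensionOids();
    if (criticalExtensions != null)
    {
        criticalExtensions = new HashSet(criticalExtensions);
        // Requires .Id
        criticalExtensions.Remove(X509Extensions.KeyUsage.Id);
        criticalExtensions.Remove(X509Extensions.CertificatePolicies.Id);
        criticalExtensions.Remove(X509Extensions.PolicyMappings.Id);
        criticalExtensions.Remove(X509Extensions.InhibitAnyPolicy.Id);
        criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id);
        criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id);
        criticalExtensions.Remove(X509Extensions.PolicyConstraints.Id);
        criticalExtensions.Remove(X509Extensions.BasicConstraints.Id);
        criticalExtensions.Remove(X509Extensions.SubjectAlternativeName.Id);
        criticalExtensions.Remove(X509Extensions.NameConstraints.Id);
        criticalExtensions.Remove(X509Extensions.CrlDistributionPoints.Id);
    }
    else
    {
        criticalExtensions = new HashSet();
    }

    Rfc3280CertPathUtilities.WrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions);

    // (g) intersection of the valid policy tree with the user-initial-policy-set
    PkixPolicyNode intersection = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, userInitialPolicySet,
        index + 1, policyNodes, validPolicyTree, acceptablePolicies);

    // The path is valid when explicit policy is not required at this point
    // or a non-empty policy intersection remains.
    if ((explicitPolicy > 0) || (intersection != null))
    {
        return new PkixCertPathValidatorResult(trust, intersection, cert.GetPublicKey());
    }

    throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, index);
}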
/**
 * RFC 3280 6.1.3 (d): processes the certificate policies extension of the
 * certificate at <code>index</code> against the valid policy tree.
 * Sub-steps: (1) add a child node for every policy of the certificate that
 * matches an expected policy at depth i-1 (or anyPolicy); (2) when
 * anyPolicy is still allowed, expand an anyPolicy entry into children for
 * all still-expected policies; (3) prune nodes at depth i-1 and above that
 * have no children; (4) mark the depth-i nodes critical when the extension
 * is critical.
 *
 * @param certPath The certification path being validated.
 * @param index Index of the certificate within the path (n - 1 is the
 *        certificate nearest the trust anchor, 0 the target).
 * @param acceptablePolicies Running set of acceptable policy OID strings;
 *        replaced in place by the certificate's policies or by the
 *        intersection with them.
 * @param validPolicyTree The current valid policy tree, or null.
 * @param policyNodes Node lists per depth, updated in place.
 * @param inhibitAnyPolicy Current inhibit_any-policy counter.
 * @return The updated valid policy tree; null when the certificate has no
 *         policies extension or the tree was already null (or became
 *         empty through pruning).
 * @throws PkixCertPathValidatorException if the extension or a policy
 *         qualifier set cannot be decoded.
 */
internal static PkixPolicyNode ProcessCertD(
    PkixCertPath certPath,
    int index,
    ISet acceptablePolicies,
    PkixPolicyNode validPolicyTree,
    IList[] policyNodes,
    int inhibitAnyPolicy)
    //throws CertPathValidatorException
{
    IList certs = certPath.Certificates;
    X509Certificate cert = (X509Certificate)certs[index];
    int n = certs.Count;
    // i as defined in the algorithm description
    int i = n - index;

    //
    // (d) policy Information checking against initial policy and
    // policy mapping
    //
    Asn1Sequence certPolicies = null;
    try
    {
        certPolicies = DerSequence.GetInstance(
            PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.CertificatePolicies));
    }
    catch (Exception e)
    {
        throw new PkixCertPathValidatorException(
            "Could not read certificate policies extension from certificate.", e, certPath, index);
    }

    // Without an extension, or with an already-null tree, there is nothing
    // to process and the tree stays (or becomes) null.
    if (certPolicies != null && validPolicyTree != null)
    {
        //
        // (d) (1) one pass over the certificate's policies; anyPolicy itself
        // is only recorded in pols here and handled in (d) (2).
        //
        ISet pols = new HashSet();

        foreach (Asn1Encodable ae in certPolicies)
        {
            PolicyInformation pInfo = PolicyInformation.GetInstance(ae.ToAsn1Object());
            DerObjectIdentifier pOid = pInfo.PolicyIdentifier;

            pols.Add(pOid.Id);

            if (!Rfc3280CertPathUtilities.ANY_POLICY.Equals(pOid.Id))
            {
                ISet pq = null;
                try
                {
                    pq = PkixCertPathValidatorUtilities.GetQualifierSet(pInfo.PolicyQualifiers);
                }
                catch (PkixCertPathValidatorException ex)
                {
                    throw new PkixCertPathValidatorException(
                        "Policy qualifier info set could not be build.", ex, certPath, index);
                }

                // (d) (1) (i): match against expected policies at depth i-1;
                // (d) (1) (ii): otherwise match against an anyPolicy node.
                bool match = PkixCertPathValidatorUtilities.ProcessCertD1i(i, policyNodes, pOid, pq);

                if (!match)
                {
                    PkixCertPathValidatorUtilities.ProcessCertD1ii(i, policyNodes, pOid, pq);
                }
            }
        }

        // An empty set, or one still containing anyPolicy, is replaced by the
        // certificate's policies; otherwise keep only the common policies.
        if (acceptablePolicies.IsEmpty || acceptablePolicies.Contains(Rfc3280CertPathUtilities.ANY_POLICY))
        {
            acceptablePolicies.Clear();
            acceptablePolicies.AddAll(pols);
        }
        else
        {
            ISet t1 = new HashSet();

            foreach (object o in acceptablePolicies)
            {
                if (pols.Contains(o))
                {
                    t1.Add(o);
                }
            }
            acceptablePolicies.Clear();
            acceptablePolicies.AddAll(t1);
        }

        //
        // (d) (2) anyPolicy in the certificate is expanded only while
        // inhibit_any-policy > 0, or for a self-issued non-target certificate.
        //
        if ((inhibitAnyPolicy > 0) || ((i < n) && PkixCertPathValidatorUtilities.IsSelfIssued(cert)))
        {
            foreach (Asn1Encodable ae in certPolicies)
            {
                PolicyInformation pInfo = PolicyInformation.GetInstance(ae.ToAsn1Object());
                if (Rfc3280CertPathUtilities.ANY_POLICY.Equals(pInfo.PolicyIdentifier.Id))
                {
                    ISet _apq = PkixCertPathValidatorUtilities.GetQualifierSet(pInfo.PolicyQualifiers);
                    IList _nodes = policyNodes[i - 1];

                    for (int k = 0; k < _nodes.Count; k++)
                    {
                        PkixPolicyNode _node = (PkixPolicyNode)_nodes[k];

                        IEnumerator _policySetIter = _node.ExpectedPolicies.GetEnumerator();
                        while (_policySetIter.MoveNext())
                        {
                            object _tmp = _policySetIter.Current;

                            // Expected policies may be stored as strings or OIDs; anything else is skipped.
                            string _policy;
                            if (_tmp is string)
                            {
                                _policy = (string)_tmp;
                            }
                            else if (_tmp is DerObjectIdentifier)
                            {
                                _policy = ((DerObjectIdentifier)_tmp).Id;
                            }
                            else
                            {
                                continue;
                            }

                            // Only add a child when no child for this policy exists yet.
                            bool _found = false;

                            foreach (PkixPolicyNode _child in _node.Children)
                            {
                                if (_policy.Equals(_child.ValidPolicy))
                                {
                                    _found = true;
                                }
                            }

                            if (!_found)
                            {
                                ISet _newChildExpectedPolicies = new HashSet();
                                _newChildExpectedPolicies.Add(_policy);

                                PkixPolicyNode _newChild = new PkixPolicyNode(Platform.CreateArrayList(), i, _newChildExpectedPolicies, _node, _apq, _policy, false);
                                _node.AddChild(_newChild);
                                policyNodes[i].Add(_newChild);
                            }
                        }
                    }
                    // A single anyPolicy entry is sufficient; further ones are ignored.
                    break;
                }
            }
        }

        PkixPolicyNode _validPolicyTree = validPolicyTree;

        //
        // (d) (3) prune childless nodes from depth i-1 up to the root.
        // NOTE(review): the break only leaves the inner loop, so
        // RemovePolicyNode may be called again with a null tree for the
        // remaining depths; removal also mutates policyNodes[j] while it
        // is indexed - confirm both are tolerated.
        //
        for (int j = (i - 1); j >= 0; j--)
        {
            IList nodes = policyNodes[j];

            for (int k = 0; k < nodes.Count; k++)
            {
                PkixPolicyNode node = (PkixPolicyNode)nodes[k];
                if (!node.HasChildren)
                {
                    _validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(_validPolicyTree, policyNodes, node);
                    if (_validPolicyTree == null)
                    {
                        break;
                    }
                }
            }
        }

        //
        // d (4) propagate the extension's criticality to the depth-i nodes.
        //
        ISet criticalExtensionOids = cert.GetCriticalExtensionOids();

        if (criticalExtensionOids != null)
        {
            bool critical = criticalExtensionOids.Contains(X509Extensions.CertificatePolicies.Id);

            IList nodes = policyNodes[i];
            for (int j = 0; j < nodes.Count; j++)
            {
                PkixPolicyNode node = (PkixPolicyNode)nodes[j];
                node.IsCritical = critical;
            }
        }

        return _validPolicyTree;
    }
    return null;
}
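/**
 * Tries to extend the path under construction, <code>tbvPath</code>, by
 * <code>tbvCert</code> ("to be verified") and to complete it up to a
 * trust anchor, recursing through the certificate's candidate issuers
 * found in the configured stores (depth-first, first valid path wins).
 *
 * @param tbvCert The certificate to append to the path.
 * @param pkixParams The builder parameters: trust anchors, excluded
 *        certificates, maximum path length and certificate stores.
 * @param tbvPath The path built so far; modified in place and restored
 *        (tbvCert removed again) when no valid path is found through it.
 * @return A builder result for the first path that validates, or
 *         <code>null</code> when no valid path through <code>tbvCert</code>
 *         exists. Failures are not thrown: the last exception is stored
 *         in <code>certPathException</code> (a field declared outside this
 *         method) for the caller to report.
 */
protected virtual PkixCertPathBuilderResult Build(
    X509Certificate tbvCert,
    PkixBuilderParameters pkixParams,
    IList tbvPath)
{
    // Seeing tbvCert again means the PKI graph contains a cycle; stop here.
    if (tbvPath.Contains(tbvCert))
    {
        return null;
    }

    // Certificates on the caller's exclusion list may not appear in a chain.
    if (pkixParams.GetExcludedCerts().Contains(tbvCert))
    {
        return null;
    }

    // Give up once the path would exceed the configured maximum length.
    // With -1 (unbounded) only the two checks above bound the search, so
    // the work done for a large cross-certified graph grows with the number
    // of distinct certificates reachable from the target.
    if (pkixParams.MaxPathLength != -1 && tbvPath.Count - 1 > pkixParams.MaxPathLength)
    {
        return null;
    }

    tbvPath.Add(tbvCert);

    PkixCertPathBuilderResult builderResult = null;
    PkixCertPathValidator validator = new PkixCertPathValidator();

    try
    {
        // Reached a trust anchor: the candidate path is complete, validate it.
        if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
        {
            PkixCertPath certPath;
            try
            {
                certPath = new PkixCertPath(tbvPath);
            }
            catch (Exception e)
            {
                throw new Exception("Certification path could not be constructed from certificate list.", e);
            }

            PkixCertPathValidatorResult result;
            try
            {
                result = (PkixCertPathValidatorResult)validator.Validate(certPath, pkixParams);
            }
            catch (Exception e)
            {
                throw new Exception("Certification path could not be validated.", e);
            }

            // tbvCert deliberately stays in tbvPath: it is part of the returned path.
            return new PkixCertPathBuilderResult(certPath, result.TrustAnchor, result.PolicyTree, result.SubjectPublicKey);
        }

        // Not at an anchor yet: add any further stores derived from the
        // certificate, then recurse into every candidate issuer.
        try
        {
            PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams);
        }
        catch (CertificateParsingException e)
        {
            throw new Exception("No additiontal X.509 stores can be added from certificate locations.", e);
        }

        HashSet issuers = new HashSet();
        try
        {
            issuers.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
        }
        catch (Exception e)
        {
            throw new Exception("Cannot find issuer certificate for certificate in certification path.", e);
        }

        if (issuers.IsEmpty)
        {
            throw new Exception("No issuer certificate for certificate in certification path found.");
        }

        // Depth-first: the first issuer that leads to a valid path wins.
        foreach (X509Certificate issuer in issuers)
        {
            builderResult = Build(issuer, pkixParams, tbvPath);
            if (builderResult != null)
            {
                break;
            }
        }
    }
    catch (Exception e)
    {
        // Remember the failure; another branch of the search may still succeed.
        certPathException = e;
    }

    // Backtrack: remove tbvCert again when no valid path was found through it.
    if (builderResult == null)
    {
        tbvPath.Remove(tbvCert);
    }

    return builderResult;
}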