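/// <summary>
/// Basic certificate processing, steps (b) and (c): permitted and excluded
/// subtree (name constraint) checking for the certificate at
/// <paramref name="index"/> in <paramref name="certPath"/>.
/// </summary>
/// <remarks>
/// The certificate's subject DN, every emailAddress attribute of that DN
/// (checked as an rfc822Name) and every name in its SubjectAlternativeName
/// extension, if present, are checked against the subtrees held by
/// <paramref name="nameConstraintValidator"/>. The whole step is skipped for
/// a self-issued certificate that is not the last one processed (i &lt; n),
/// as the path validation algorithm requires.
/// </remarks>
/// <param name="certPath">Path under validation. The certificate at index 0
/// receives i == n, so it appears to be the target certificate and the last
/// element the one closest to the trust anchor.</param>
/// <param name="index">Position in <c>certPath.Certificates</c> of the
/// certificate to check.</param>
/// <param name="nameConstraintValidator">Name constraint state to check the
/// names against (populated by the caller).</param>
/// <exception cref="PkixCertPathValidatorException">If the subject name or a
/// subject alternative name cannot be decoded, or if any of them violates the
/// permitted or excluded subtrees.</exception>
internal static void ProcessCertBC(
    PkixCertPath certPath,
    int index,
    PkixNameConstraintValidator nameConstraintValidator)
    //throws CertPathValidatorException
{
    IList certs = certPath.Certificates;
    X509Certificate cert = (X509Certificate)certs[index];
    int n = certs.Count;

    // i as defined in the algorithm description (counted from the trust
    // anchor end of the path, so index 0 gets i == n).
    int i = n - index;

    //
    // (b), (c) permitted and excluded subtree checking.
    //
    // Self-issued certificates that are not the final certificate in the
    // path are exempt from name constraints.
    if (PkixCertPathValidatorUtilities.IsSelfIssued(cert) && i < n)
        return;

    X509Name principal = cert.SubjectDN;
    Asn1Sequence dns;
    try
    {
        // Asn1InputStream is a Stream; release it once the DN is decoded.
        using (Asn1InputStream aIn = new Asn1InputStream(principal.GetEncoded()))
        {
            dns = DerSequence.GetInstance(aIn.ReadObject());
        }
    }
    catch (Exception e)
    {
        throw new PkixCertPathValidatorException(
            "Exception extracting subject name when checking subtrees.", e, certPath, index);
    }

    try
    {
        nameConstraintValidator.CheckPermittedDN(dns);
        nameConstraintValidator.CheckExcludedDN(dns);
    }
    catch (PkixNameConstraintValidatorException e)
    {
        throw new PkixCertPathValidatorException(
            "Subtree check for certificate subject failed.", e, certPath, index);
    }

    // Decode the SAN extension before the email checks so that an undecodable
    // extension is reported ahead of any constraint violation.
    GeneralNames altName;
    try
    {
        altName = GeneralNames.GetInstance(
            PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.SubjectAlternativeName));
    }
    catch (Exception e)
    {
        throw new PkixCertPathValidatorException(
            "Subject alternative name extension could not be decoded.", e, certPath, index);
    }

    // Subject emailAddress attributes are checked as rfc822Name values.
    // This is done whether or not a SubjectAlternativeName extension is
    // present, which is at least as strict as RFC 5280 section 4.2.1.10
    // (which only requires it when no SAN is present).
    IList emails = X509Name.GetInstance(dns).GetValueList(X509Name.EmailAddress);
    foreach (string email in emails)
    {
        GeneralName emailAsGeneralName = new GeneralName(GeneralName.Rfc822Name, email);
        try
        {
            nameConstraintValidator.checkPermitted(emailAsGeneralName);
            nameConstraintValidator.checkExcluded(emailAsGeneralName);
        }
        catch (PkixNameConstraintValidatorException ex)
        {
            throw new PkixCertPathValidatorException(
                "Subtree check for certificate subject alternative email failed.", ex, certPath, index);
        }
    }

    // No SAN extension: nothing more to check.
    if (altName == null)
        return;

    GeneralName[] genNames;
    try
    {
        genNames = altName.GetNames();
    }
    catch (Exception e)
    {
        throw new PkixCertPathValidatorException(
            "Subject alternative name contents could not be decoded.", e, certPath, index);
    }

    // Every SAN entry, regardless of its GeneralName type, is subject to the
    // permitted and excluded subtrees.
    foreach (GeneralName genName in genNames)
    {
        try
        {
            nameConstraintValidator.checkPermitted(genName);
            nameConstraintValidator.checkExcluded(genName);
        }
        catch (PkixNameConstraintValidatorException e)
        {
            throw new PkixCertPathValidatorException(
                "Subtree check for certificate subject alternative name failed.", e, certPath, index);
        }
    }
}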
/// <summary>
/// Tests byte array based GeneralNames for inclusion or exclusion.
/// </summary>
/// <param name="nameType">The <see cref="GeneralName"/> type to test.</param>
/// <param name="testName">The name to test.</param>
/// <param name="testNameIsConstraint">The names where <paramref name="testName"/>
/// must be included and excluded.</param>
/// <param name="testNameIsNotConstraint">The names where <paramref name="testName"/>
/// must not be excluded and included.</param>
/// <param name="testNames1">Operand 1 of test names to use for union and
/// intersection testing.</param>
/// <param name="testNames2">Operand 2 of test names to use for union and
/// intersection testing (indexed in parallel with <paramref name="testNames1"/>).</param>
/// <param name="testUnion">The union results, one array per operand pair.</param>
/// <param name="testInterSection">The intersection results, one per operand
/// pair; a null entry means the intersection is empty.</param>
private void TestConstraints(
    int nameType,
    byte[] testName,
    byte[][] testNameIsConstraint,
    byte[][] testNameIsNotConstraint,
    byte[][] testNames1,
    byte[][] testNames2,
    byte[][][] testUnion,
    byte[][] testInterSection)
{
    GeneralName candidate = new GeneralName(nameType, new DerOctetString(testName));

    // A permitted subtree built from a constraining name must accept the candidate.
    foreach (byte[] constraint in testNameIsConstraint)
    {
        PkixNameConstraintValidator validator = new PkixNameConstraintValidator();
        validator.IntersectPermittedSubtree(SubtreeSequenceFor(nameType, constraint));
        validator.checkPermitted(candidate);
    }

    // A permitted subtree built from a non-constraining name must reject it.
    foreach (byte[] constraint in testNameIsNotConstraint)
    {
        PkixNameConstraintValidator validator = new PkixNameConstraintValidator();
        validator.IntersectPermittedSubtree(SubtreeSequenceFor(nameType, constraint));

        bool rejected = false;
        try
        {
            validator.checkPermitted(candidate);
        }
        catch (PkixNameConstraintValidatorException)
        {
            rejected = true;
        }
        if (!rejected)
        {
            Fail("not permitted name allowed: " + nameType);
        }
    }

    // An excluded subtree built from a constraining name must catch the candidate.
    foreach (byte[] constraint in testNameIsConstraint)
    {
        PkixNameConstraintValidator validator = new PkixNameConstraintValidator();
        validator.AddExcludedSubtree(SubtreeFor(nameType, constraint));

        bool rejected = false;
        try
        {
            validator.checkExcluded(candidate);
        }
        catch (PkixNameConstraintValidatorException)
        {
            rejected = true;
        }
        if (!rejected)
        {
            Fail("excluded name missed: " + nameType);
        }
    }

    // An excluded subtree built from a non-constraining name must let it through.
    foreach (byte[] constraint in testNameIsNotConstraint)
    {
        PkixNameConstraintValidator validator = new PkixNameConstraintValidator();
        validator.AddExcludedSubtree(SubtreeFor(nameType, constraint));
        validator.checkExcluded(candidate);
    }

    // Union of excluded subtrees and intersection of permitted subtrees,
    // compared with the expected results via validator equality.
    for (int pair = 0; pair < testNames1.Length; pair++)
    {
        PkixNameConstraintValidator actual = new PkixNameConstraintValidator();
        actual.AddExcludedSubtree(SubtreeFor(nameType, testNames1[pair]));
        actual.AddExcludedSubtree(SubtreeFor(nameType, testNames2[pair]));

        PkixNameConstraintValidator expected = new PkixNameConstraintValidator();
        foreach (byte[] unionMember in testUnion[pair])
        {
            expected.AddExcludedSubtree(SubtreeFor(nameType, unionMember));
        }
        if (!expected.Equals(actual))
        {
            Fail("union wrong: " + nameType);
        }

        actual = new PkixNameConstraintValidator();
        actual.IntersectPermittedSubtree(SubtreeSequenceFor(nameType, testNames1[pair]));
        actual.IntersectPermittedSubtree(SubtreeSequenceFor(nameType, testNames2[pair]));

        expected = new PkixNameConstraintValidator();
        byte[] intersection = testInterSection[pair];
        if (intersection == null)
        {
            // Null marks an empty intersection for this name type.
            expected.IntersectEmptyPermittedSubtree(nameType);
        }
        else
        {
            expected.IntersectPermittedSubtree(SubtreeSequenceFor(nameType, intersection));
        }
        if (!expected.Equals(actual))
        {
            Fail("intersection wrong: " + nameType);
        }
    }
}

/// <summary>
/// Wraps an encoded name of the given type in a <see cref="GeneralSubtree"/>.
/// </summary>
private static GeneralSubtree SubtreeFor(int nameType, byte[] encodedName)
{
    return new GeneralSubtree(new GeneralName(nameType, new DerOctetString(encodedName)));
}

/// <summary>
/// Wraps an encoded name in a single-element subtree sequence, the form that
/// <c>IntersectPermittedSubtree</c> expects.
/// </summary>
private static DerSequence SubtreeSequenceFor(int nameType, byte[] encodedName)
{
    return new DerSequence(SubtreeFor(nameType, encodedName));
}