diff options
author | Peter Dettman <peter.dettman@bouncycastle.org> | 2020-02-21 18:06:14 +0700 |
---|---|---|
committer | Peter Dettman <peter.dettman@bouncycastle.org> | 2020-02-21 18:06:14 +0700 |
commit | 9f562ae2423c550b95b3e00e6bcbeb6616b2a034 (patch) | |
tree | 2ae4742e2d0793d7e94c2bd299651857c7c6d862 | |
parent | Fix handling of reason codes (diff) | |
download | BouncyCastle.NET-ed25519-9f562ae2423c550b95b3e00e6bcbeb6616b2a034.tar.xz |
Refactoring
-rw-r--r-- | crypto/src/pkix/Rfc3280CertPathUtilities.cs | 21 | ||||
-rw-r--r-- | crypto/src/pkix/Rfc3281CertPathUtilities.cs | 267 | ||||
-rw-r--r-- | crypto/src/x509/X509Certificate.cs | 6 | ||||
-rw-r--r-- | crypto/src/x509/X509CrlEntry.cs | 2 |
4 files changed, 148 insertions, 148 deletions
diff --git a/crypto/src/pkix/Rfc3280CertPathUtilities.cs b/crypto/src/pkix/Rfc3280CertPathUtilities.cs index c703194a4..d6594f4ad 100644 --- a/crypto/src/pkix/Rfc3280CertPathUtilities.cs +++ b/crypto/src/pkix/Rfc3280CertPathUtilities.cs @@ -245,12 +245,11 @@ namespace Org.BouncyCastle.Pkix if (!(PkixCertPathValidatorUtilities.IsSelfIssued(cert) && (i < n))) { X509Name principal = cert.SubjectDN; - Asn1InputStream aIn = new Asn1InputStream(principal.GetEncoded()); Asn1Sequence dns; try { - dns = DerSequence.GetInstance(aIn.ReadObject()); + dns = Asn1Sequence.GetInstance(principal.GetEncoded()); } catch (Exception e) { @@ -357,7 +356,7 @@ namespace Org.BouncyCastle.Pkix DerObjectIdentifier subjectDomainPolicy = null; try { - Asn1Sequence mapping = DerSequence.GetInstance(mappings[j]); + Asn1Sequence mapping = Asn1Sequence.GetInstance(mappings[j]); issuerDomainPolicy = DerObjectIdentifier.GetInstance(mapping[0]); subjectDomainPolicy = DerObjectIdentifier.GetInstance(mapping[1]); @@ -400,7 +399,7 @@ namespace Org.BouncyCastle.Pkix Asn1Sequence certPolicies = null; try { - certPolicies = DerSequence.GetInstance( + certPolicies = Asn1Sequence.GetInstance( PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.CertificatePolicies)); } catch (Exception e) @@ -1167,10 +1166,10 @@ namespace Org.BouncyCastle.Pkix * omitted and a distribution point name of the certificate * issuer. */ - Asn1Object issuer = null; + X509Name issuer; try { - issuer = new Asn1InputStream(cert.IssuerDN.GetEncoded()).ReadObject(); + issuer = X509Name.GetInstance(cert.IssuerDN.GetEncoded()); } catch (Exception e) { @@ -1598,7 +1597,7 @@ namespace Org.BouncyCastle.Pkix Asn1Sequence pc = null; try { - pc = DerSequence.GetInstance( + pc = Asn1Sequence.GetInstance( PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.PolicyConstraints)); } catch (Exception e) @@ -1653,7 +1652,7 @@ namespace Org.BouncyCastle.Pkix Asn1Sequence pc = null; try { - pc = DerSequence.GetInstance( + pc = Asn1Sequence.GetInstance( PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.PolicyConstraints)); } catch (Exception e) @@ -1708,7 +1707,7 @@ namespace Org.BouncyCastle.Pkix NameConstraints nc = null; try { - Asn1Sequence ncSeq = DerSequence.GetInstance( + Asn1Sequence ncSeq = Asn1Sequence.GetInstance( PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.NameConstraints)); if (ncSeq != null) { @@ -2042,7 +2041,7 @@ namespace Org.BouncyCastle.Pkix Asn1Sequence pc = null; try { - pc = DerSequence.GetInstance( + pc = Asn1Sequence.GetInstance( PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.PolicyConstraints)); } catch (Exception e) @@ -2415,7 +2414,7 @@ namespace Org.BouncyCastle.Pkix Asn1Sequence certPolicies = null; try { - certPolicies = DerSequence.GetInstance( + certPolicies = Asn1Sequence.GetInstance( PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.CertificatePolicies)); } catch (Exception e) diff --git a/crypto/src/pkix/Rfc3281CertPathUtilities.cs b/crypto/src/pkix/Rfc3281CertPathUtilities.cs index 101ef5e11..66025f0fc 100644 --- a/crypto/src/pkix/Rfc3281CertPathUtilities.cs +++ b/crypto/src/pkix/Rfc3281CertPathUtilities.cs @@ -79,153 +79,154 @@ namespace Org.BouncyCastle.Pkix DateTime validDate, IList certPathCerts) { - if (paramsPKIX.IsRevocationEnabled) + if (!paramsPKIX.IsRevocationEnabled) + { + return; + } + + // check if revocation is available + if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) != null) + { + if (attrCert.GetExtensionValue(X509Extensions.CrlDistributionPoints) != null + || attrCert.GetExtensionValue(X509Extensions.AuthorityInfoAccess) != null) + { + throw new PkixCertPathValidatorException( + "No rev avail extension is set, but also an AC revocation pointer."); + } + + return; + } + + CrlDistPoint crldp = null; + try + { + crldp = CrlDistPoint.GetInstance( + PkixCertPathValidatorUtilities.GetExtensionValue( + attrCert, X509Extensions.CrlDistributionPoints)); + } + catch (Exception e) + { + throw new PkixCertPathValidatorException( + "CRL distribution point extension could not be read.", e); + } + try + { + PkixCertPathValidatorUtilities + .AddAdditionalStoresFromCrlDistributionPoint(crldp, paramsPKIX); + } + catch (Exception e) { - // check if revocation is available - if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) == null) + throw new PkixCertPathValidatorException( + "No additional CRL locations could be decoded from CRL distribution point extension.", e); + } + + CertStatus certStatus = new CertStatus(); + ReasonsMask reasonsMask = new ReasonsMask(); + + Exception lastException = null; + bool validCrlFound = false; + // for each distribution point + if (crldp != null) + { + DistributionPoint[] dps = null; + try { - CrlDistPoint crldp = null; - try - { - crldp = CrlDistPoint.GetInstance( - PkixCertPathValidatorUtilities.GetExtensionValue( - attrCert, X509Extensions.CrlDistributionPoints)); - } - catch (Exception e) - { - throw new PkixCertPathValidatorException( - "CRL distribution point extension could not be read.", e); - } - try + dps = crldp.GetDistributionPoints(); + } + catch (Exception e) + { + throw new PkixCertPathValidatorException( + "Distribution points could not be read.", e); + } + try + { + for (int i = 0; i < dps.Length + && certStatus.Status == CertStatus.Unrevoked + && !reasonsMask.IsAllReasons; i++) { - PkixCertPathValidatorUtilities - .AddAdditionalStoresFromCrlDistributionPoint(crldp, paramsPKIX); + PkixParameters paramsPKIXClone = (PkixParameters) paramsPKIX + .Clone(); + CheckCrl(dps[i], attrCert, paramsPKIXClone, + validDate, issuerCert, certStatus, reasonsMask, + certPathCerts); + validCrlFound = true; } - catch (Exception e) - { - throw new PkixCertPathValidatorException( - "No additional CRL locations could be decoded from CRL distribution point extension.", e); - } - CertStatus certStatus = new CertStatus(); - ReasonsMask reasonsMask = new ReasonsMask(); + } + catch (Exception e) + { + lastException = new Exception( + "No valid CRL for distribution point found.", e); + } + } - Exception lastException = null; - bool validCrlFound = false; - // for each distribution point - if (crldp != null) - { - DistributionPoint[] dps = null; - try - { - dps = crldp.GetDistributionPoints(); - } - catch (Exception e) - { - throw new PkixCertPathValidatorException( - "Distribution points could not be read.", e); - } - try - { - for (int i = 0; i < dps.Length - && certStatus.Status == CertStatus.Unrevoked - && !reasonsMask.IsAllReasons; i++) - { - PkixParameters paramsPKIXClone = (PkixParameters) paramsPKIX - .Clone(); - CheckCrl(dps[i], attrCert, paramsPKIXClone, - validDate, issuerCert, certStatus, reasonsMask, - certPathCerts); - validCrlFound = true; - } - } - catch (Exception e) - { - lastException = new Exception( - "No valid CRL for distribution point found.", e); - } - } + /* + * If the revocation status has not been determined, repeat the + * process above with any available CRLs not specified in a + * distribution point but issued by the certificate issuer. + */ + if (certStatus.Status == CertStatus.Unrevoked + && !reasonsMask.IsAllReasons) + { + try + { /* - * If the revocation status has not been determined, repeat the - * process above with any available CRLs not specified in a - * distribution point but issued by the certificate issuer. + * assume a DP with both the reasons and the cRLIssuer + * fields omitted and a distribution point name of the + * certificate issuer. */ - - if (certStatus.Status == CertStatus.Unrevoked - && !reasonsMask.IsAllReasons) - { - try - { - /* - * assume a DP with both the reasons and the cRLIssuer - * fields omitted and a distribution point name of the - * certificate issuer. - */ - Asn1Object issuer = null; - try - { - issuer = new Asn1InputStream( - attrCert.Issuer.GetPrincipals()[0].GetEncoded()).ReadObject(); - } - catch (Exception e) - { - throw new Exception( - "Issuer from certificate for CRL could not be reencoded.", - e); - } - DistributionPoint dp = new DistributionPoint( - new DistributionPointName(0, new GeneralNames( - new GeneralName(GeneralName.DirectoryName, issuer))), null, null); - PkixParameters paramsPKIXClone = (PkixParameters) paramsPKIX.Clone(); - CheckCrl(dp, attrCert, paramsPKIXClone, validDate, - issuerCert, certStatus, reasonsMask, certPathCerts); - validCrlFound = true; - } - catch (Exception e) - { - lastException = new Exception( - "No valid CRL for distribution point found.", e); - } - } - - if (!validCrlFound) - { - throw new PkixCertPathValidatorException( - "No valid CRL found.", lastException); - } - if (certStatus.Status != CertStatus.Unrevoked) - { - // This format is enforced by the NistCertPath tests - string formattedDate = certStatus.RevocationDate.Value.ToString( - "ddd MMM dd HH:mm:ss K yyyy"); - string message = "Attribute certificate revocation after " - + formattedDate; - message += ", reason: " - + Rfc3280CertPathUtilities.CrlReasons[certStatus.Status]; - throw new PkixCertPathValidatorException(message); - } - if (!reasonsMask.IsAllReasons - && certStatus.Status == CertStatus.Unrevoked) + X509Name issuer; + try + { + issuer = X509Name.GetInstance(attrCert.Issuer.GetPrincipals()[0].GetEncoded()); + } + catch (Exception e) { - certStatus.Status = CertStatus.Undetermined; - } - if (certStatus.Status == CertStatus.Undetermined) - { - throw new PkixCertPathValidatorException( - "Attribute certificate status could not be determined."); + throw new Exception( + "Issuer from certificate for CRL could not be reencoded.", + e); } - + DistributionPoint dp = new DistributionPoint( + new DistributionPointName(0, new GeneralNames( + new GeneralName(GeneralName.DirectoryName, issuer))), null, null); + PkixParameters paramsPKIXClone = (PkixParameters) paramsPKIX.Clone(); + CheckCrl(dp, attrCert, paramsPKIXClone, validDate, + issuerCert, certStatus, reasonsMask, certPathCerts); + validCrlFound = true; } - else + catch (Exception e) { - if (attrCert.GetExtensionValue(X509Extensions.CrlDistributionPoints) != null - || attrCert.GetExtensionValue(X509Extensions.AuthorityInfoAccess) != null) - { - throw new PkixCertPathValidatorException( - "No rev avail extension is set, but also an AC revocation pointer."); - } + lastException = new Exception( + "No valid CRL for distribution point found.", e); } } + + if (!validCrlFound) + { + throw new PkixCertPathValidatorException( + "No valid CRL found.", lastException); + } + if (certStatus.Status != CertStatus.Unrevoked) + { + // This format is enforced by the NistCertPath tests + string formattedDate = certStatus.RevocationDate.Value.ToString( + "ddd MMM dd HH:mm:ss K yyyy"); + string message = "Attribute certificate revocation after " + + formattedDate; + message += ", reason: " + + Rfc3280CertPathUtilities.CrlReasons[certStatus.Status]; + throw new PkixCertPathValidatorException(message); + } + if (!reasonsMask.IsAllReasons + && certStatus.Status == CertStatus.Unrevoked) + { + certStatus.Status = CertStatus.Undetermined; + } + if (certStatus.Status == CertStatus.Undetermined) + { + throw new PkixCertPathValidatorException( + "Attribute certificate status could not be determined."); + } } internal static void AdditionalChecks( diff --git a/crypto/src/x509/X509Certificate.cs b/crypto/src/x509/X509Certificate.cs index fd156e487..d8d97ec5e 100644 --- a/crypto/src/x509/X509Certificate.cs +++ b/crypto/src/x509/X509Certificate.cs @@ -515,9 +515,9 @@ namespace Org.BouncyCastle.X509 if (ext.Value != null) { - byte[] octs = ext.Value.GetOctets(); - Asn1Object obj = Asn1Object.FromByteArray(octs); - buf.Append(" critical(").Append(ext.IsCritical).Append(") "); + Asn1Object obj = X509ExtensionUtilities.FromExtensionValue(ext.Value); + + buf.Append(" critical(").Append(ext.IsCritical).Append(") "); try { if (oid.Equals(X509Extensions.BasicConstraints)) diff --git a/crypto/src/x509/X509CrlEntry.cs b/crypto/src/x509/X509CrlEntry.cs index 9e3608c18..9660a7099 100644 --- a/crypto/src/x509/X509CrlEntry.cs +++ b/crypto/src/x509/X509CrlEntry.cs @@ -188,7 +188,7 @@ namespace Org.BouncyCastle.X509 if (ext.Value != null) { - Asn1Object obj = Asn1Object.FromByteArray(ext.Value.GetOctets()); + Asn1Object obj = X509ExtensionUtilities.FromExtensionValue(ext.Value); buf.Append(" critical(") .Append(ext.IsCritical) |