authorPeter Dettman <peter.dettman@bouncycastle.org>2022-06-26 20:47:24 +0700
committerPeter Dettman <peter.dettman@bouncycastle.org>2022-06-26 20:47:24 +0700
commiteed964522f8e198a33267387942b1764018dfe1e (patch)
treec6bcead7e5e54c88845287d10bca6a1235e655e8 /crypto/src/pkix/PkixCertPathValidatorUtilities.cs
parentCleanup in PQC code (diff)
Replace IX509Store API with new store/selector API
- overhaul Cms, Pkix, X509 APIs
Diffstat (limited to 'crypto/src/pkix/PkixCertPathValidatorUtilities.cs')
-rw-r--r--crypto/src/pkix/PkixCertPathValidatorUtilities.cs334
1 files changed, 119 insertions, 215 deletions
diff --git a/crypto/src/pkix/PkixCertPathValidatorUtilities.cs b/crypto/src/pkix/PkixCertPathValidatorUtilities.cs
index 86f9f4beb..731f8dfe0 100644
--- a/crypto/src/pkix/PkixCertPathValidatorUtilities.cs
+++ b/crypto/src/pkix/PkixCertPathValidatorUtilities.cs
@@ -1,7 +1,7 @@
 using System;
 using System.Collections;
+using System.Collections.Generic;
 using System.IO;
-using System.Text;
 
 using Org.BouncyCastle.Asn1;
 using Org.BouncyCastle.Asn1.IsisMtt;
@@ -22,7 +22,7 @@ namespace Org.BouncyCastle.Pkix
 	/// <summary>
 	/// Summary description for PkixCertPathValidatorUtilities.
 	/// </summary>
-	public class PkixCertPathValidatorUtilities
+	internal static class PkixCertPathValidatorUtilities
 	{
 		private static readonly PkixCrlUtilities CrlUtilities = new PkixCrlUtilities();
 
@@ -36,20 +36,20 @@ namespace Org.BouncyCastle.Pkix
 		internal static readonly int KEY_CERT_SIGN = 5;
 		internal static readonly int CRL_SIGN = 6;
 
-		internal static readonly string[] crlReasons = new string[]
-		{
-			"unspecified",
-			"keyCompromise",
-			"cACompromise",
-			"affiliationChanged",
-			"superseded",
-			"cessationOfOperation",
-			"certificateHold",
-			"unknown",
-			"removeFromCRL",
-			"privilegeWithdrawn",
-			"aACompromise"
-		};
+		//internal static readonly string[] crlReasons = new string[]
+		//{
+		//	"unspecified",
+		//	"keyCompromise",
+		//	"cACompromise",
+		//	"affiliationChanged",
+		//	"superseded",
+		//	"cessationOfOperation",
+		//	"certificateHold",
+		//	"unknown",
+		//	"removeFromCRL",
+		//	"privilegeWithdrawn",
+		//	"aACompromise"
+		//};
 
 		/// <summary>
 		/// Search the given Set of TrustAnchor's for one that is the
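Review bot: The crlReasons table is commented out rather than deleted, which leaves fourteen dead lines in the class body that the compiler never sees and that will drift from any replacement. The same commit already deletes unused code outright elsewhere in this file (the attribute-certificate FindCertificates overload), so the consistent choice is to remove the block and let version control keep the history. If the name is being kept as a reminder for later work, a one-line `// crlReasons removed: reason names are not used by the validator` comment says the same thing without the dead table.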
@@ -175,7 +175,7 @@ namespace Org.BouncyCastle.Pkix
 					{
 						// found
 						string temp = (string)list[1];
-						PkixCertPathValidatorUtilities.AddAdditionalStoreFromLocation(temp, pkixParams);
+						AddAdditionalStoreFromLocation(temp, pkixParams);
 					}
 				}
 			}
@@ -194,19 +194,25 @@ namespace Org.BouncyCastle.Pkix
 		/// <summary>
 		/// Returns the issuer of an attribute certificate or certificate.
 		/// </summary>
-		/// <param name="cert">The attribute certificate or certificate.</param>
+		/// <param name="obj">The attribute certificate or certificate.</param>
 		/// <returns>The issuer as <code>X500Principal</code>.</returns>
-		internal static X509Name GetIssuerPrincipal(
-			object cert)
+		internal static X509Name GetIssuerPrincipal(object obj)
 		{
-			if (cert is X509Certificate)
-			{
-				return ((X509Certificate)cert).IssuerDN;
-			}
-			else
-			{
-				return ((IX509AttributeCertificate)cert).Issuer.GetPrincipals()[0];
-			}
+			if (obj is X509Certificate cert)
+				return cert.IssuerDN;
+			if (obj is X509V2AttributeCertificate attrCert)
+				return attrCert.Issuer.GetPrincipals()[0];
+			throw new InvalidOperationException();
+		}
+
+		internal static X509Name GetIssuerPrincipal(X509V2AttributeCertificate attrCert)
+		{
+			return attrCert.Issuer.GetPrincipals()[0];
+		}
+
+		internal static X509Name GetIssuerPrincipal(X509Certificate cert)
+		{
+			return cert.IssuerDN;
 		}
 
 		internal static bool IsSelfIssued(
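Review bot: The fall-through `throw new InvalidOperationException();` in the object overload carries no message, so a caller that passes an unsupported type gets no hint about what was rejected; `throw new InvalidOperationException("Unsupported certificate type: " + obj?.GetType());` would say so, and the `<summary>` should gain an `<exception cref="InvalidOperationException">` line naming that case. The `<returns>` text still says `X500Principal` although the method returns `X509Name`. The object overload also repeats the `Issuer.GetPrincipals()[0]` logic of the new typed overload; `return GetIssuerPrincipal(attrCert);` and `return GetIssuerPrincipal(cert);` in the two pattern branches would keep a single definition of each. IsSelfIssued starts at the last line of this hunk and continues outside it.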
@@ -309,16 +315,14 @@ namespace Org.BouncyCastle.Pkix
 			ISet pq = new HashSet();
 
 			if (qualifiers == null)
-			{
 				return pq;
-			}
 
 			foreach (Asn1Encodable ae in qualifiers)
 			{
 				try
 				{
-//					pq.Add(PolicyQualifierInfo.GetInstance(Asn1Object.FromByteArray(ae.GetEncoded())));
-					pq.Add(PolicyQualifierInfo.GetInstance(ae.ToAsn1Object()));
+					pq.Add(PolicyQualifierInfo.GetInstance(Asn1Object.FromByteArray(ae.GetEncoded())));
+					//pq.Add(PolicyQualifierInfo.GetInstance(ae.ToAsn1Object()));
 				}
 				catch (IOException ex)
 				{
@@ -329,12 +333,10 @@ namespace Org.BouncyCastle.Pkix
 			return pq;
 		}
 
-		internal static PkixPolicyNode RemovePolicyNode(
-			PkixPolicyNode validPolicyTree,
-			IList[] policyNodes,
-			PkixPolicyNode _node)
+		internal static PkixPolicyNode RemovePolicyNode(PkixPolicyNode validPolicyTree,
+			IList<PkixPolicyNode>[] policyNodes, PkixPolicyNode _node)
 		{
-			PkixPolicyNode _parent = (PkixPolicyNode)_node.Parent;
+			PkixPolicyNode _parent = _node.Parent;
 
 			if (validPolicyTree == null)
 			{
@@ -345,7 +347,7 @@ namespace Org.BouncyCastle.Pkix
 			{
 				for (int j = 0; j < policyNodes.Length; j++)
 				{
-                    policyNodes[j] = Platform.CreateArrayList();
+					policyNodes[j] = new List<PkixPolicyNode>();
 				}
 
 				return null;
@@ -359,7 +361,7 @@ namespace Org.BouncyCastle.Pkix
 			}
 		}
 
-		private static void RemovePolicyNodeRecurse(IList[] policyNodes, PkixPolicyNode _node)
+		private static void RemovePolicyNodeRecurse(IList<PkixPolicyNode>[] policyNodes, PkixPolicyNode _node)
 		{
 			policyNodes[_node.Depth].Remove(_node);
 
@@ -446,12 +448,10 @@ namespace Org.BouncyCastle.Pkix
 							ci = critExtOids.Contains(X509Extensions.CertificatePolicies.Id);
 						}
 
-						PkixPolicyNode p_node = (PkixPolicyNode)node.Parent;
+						PkixPolicyNode p_node = node.Parent;
 						if (ANY_POLICY.Equals(p_node.ValidPolicy))
 						{
-							PkixPolicyNode c_node = new PkixPolicyNode(
-                                Platform.CreateArrayList(), i,
-								(ISet)m_idp[id_p],
+							PkixPolicyNode c_node = new PkixPolicyNode(new List<PkixPolicyNode>(), i, (ISet)m_idp[id_p],
 								p_node, pq, id_p, ci);
 							p_node.AddChild(c_node);
 							policyNodes[i].Add(c_node);
@@ -462,45 +462,39 @@ namespace Org.BouncyCastle.Pkix
 			}
 		}
 
-		internal static PkixPolicyNode PrepareNextCertB2(
-			int				i,
-			IList[]			policyNodes,
-			string			id_p,
-			PkixPolicyNode	validPolicyTree)
+		internal static PkixPolicyNode PrepareNextCertB2(int i, IList<PkixPolicyNode>[] policyNodes, string id_p,
+			PkixPolicyNode validPolicyTree)
 		{
 			int pos = 0;
 
 			// Copy to avoid RemoveAt calls interfering with enumeration
-            foreach (PkixPolicyNode node in Platform.CreateArrayList(policyNodes[i]))
+            foreach (var node in new List<PkixPolicyNode>(policyNodes[i]))
 			{
-				if (node.ValidPolicy.Equals(id_p))
-				{
-					PkixPolicyNode p_node = (PkixPolicyNode)node.Parent;
-					p_node.RemoveChild(node);
+				if (!node.ValidPolicy.Equals(id_p))
+                {
+					++pos;
+					continue;
+                }
+
+				node.Parent.RemoveChild(node);
 
-					// Removal of element at current iterator position not supported in C#
-					//nodes_i.remove();
-					policyNodes[i].RemoveAt(pos);
+				policyNodes[i].RemoveAt(pos);
 
-					for (int k = (i - 1); k >= 0; k--)
+				for (int k = i - 1; k >= 0; k--)
+				{
+					var nodes = policyNodes[k];
+
+					for (int l = 0; l < nodes.Count; l++)
 					{
-						IList nodes = policyNodes[k];
-						for (int l = 0; l < nodes.Count; l++)
+						var node2 = nodes[l];
+						if (!node2.HasChildren)
 						{
-							PkixPolicyNode node2 = (PkixPolicyNode)nodes[l];
-							if (!node2.HasChildren)
-							{
-								validPolicyTree = RemovePolicyNode(validPolicyTree, policyNodes, node2);
-								if (validPolicyTree == null)
-									break;
-							}
+							validPolicyTree = RemovePolicyNode(validPolicyTree, policyNodes, node2);
+							if (validPolicyTree == null)
+								break;
 						}
 					}
 				}
-				else
-				{
-					++pos;
-				}
 			}
 			return validPolicyTree;
 		}
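Review bot: In the inner loop over `nodes`, RemovePolicyNode removes node2 from `policyNodes[node2.Depth]`, which for a node taken from `policyNodes[k]` is presumably the same list being indexed by `l`, so the element following each removed node is skipped and a childless node can survive in the policy tree; iterating backwards, `for (int l = nodes.Count - 1; l >= 0; l--)`, visits every node and is otherwise order-independent because only childless nodes are removed. The `break` after the null check leaves only the inner loop, so the remaining outer iterations still call RemovePolicyNode with a null tree; whether that is harmless depends on RemovePolicyNode's null handling, whose body is cut across two hunks above. The rewritten lines also mix space indentation (the `foreach` line and the braces around `++pos`) with the file's tabs.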
@@ -511,7 +505,7 @@ namespace Org.BouncyCastle.Pkix
 			object cert,
 			CertStatus certStatus)
 		{
-			X509Crl bcCRL = null;
+			X509Crl bcCRL;
 
 			try
 			{
@@ -519,7 +513,7 @@ namespace Org.BouncyCastle.Pkix
 			}
 			catch (Exception exception)
 			{
-				throw new Exception("Bouncy Castle X509Crl could not be created.", exception);
+				throw new Exception("X509Crl could not be created.", exception);
 			}
 
 			X509CrlEntry crl_entry = (X509CrlEntry)bcCRL.GetRevokedCertificate(GetSerialNumber(cert));
@@ -656,7 +650,7 @@ namespace Org.BouncyCastle.Pkix
 			// if end cert use given signing/encryption/... time
 			if (index <= 0)
 			{
-				return PkixCertPathValidatorUtilities.GetValidDate(paramsPkix);
+				return GetValidDate(paramsPkix);
 				// else use time when previous cert was created
 			}
 
@@ -694,40 +688,22 @@ namespace Org.BouncyCastle.Pkix
 		}
 
 		/// <summary>
-		/// Return a Collection of all certificates or attribute certificates found
-		/// in the X509Store's that are matching the certSelect criteriums.
+		/// Return a Collection of all certificates found
+		/// in the stores that are matching the certSelector criteria.
 		/// </summary>
-		/// <param name="certSelect">a {@link Selector} object that will be used to select
-		/// the certificates</param>
-		/// <param name="certStores">a List containing only X509Store objects. These
+		/// <param name="certSelector">an <see cref="ISelector{T}"/> object that will be used to select
+		/// the certificates.</param>
+		/// <param name="certStores">a List containing only IStore objects. These
 		/// are used to search for certificates.</param>
-		/// <returns>a Collection of all found <see cref="X509Certificate"/> or
-		/// <see cref="Org.BouncyCastle.X509.IX509AttributeCertificate"/> objects.
+		/// <returns>a Collection of all found <see cref="X509Certificate"/> objects.
 		/// May be empty but never <code>null</code>.</returns>
 		/// <exception cref="Exception"></exception>
-		internal static ICollection FindCertificates(
-			X509CertStoreSelector	certSelect,
-			IList					certStores)
+		internal static List<X509Certificate> FindCertificates(ISelector<X509Certificate> certSelector,
+			IList<IStore<X509Certificate>> certStores)
 		{
-			ISet certs = new HashSet();
-
-			foreach (IX509Store certStore in certStores)
-			{
-				try
-				{
-//					certs.AddAll(certStore.GetMatches(certSelect));
-					foreach (X509Certificate c in certStore.GetMatches(certSelect))
-					{
-						certs.Add(c);
-					}
-				}
-				catch (Exception e)
-				{
-					throw new Exception("Problem while picking certificates from X.509 store.", e);
-				}
-			}
-
-			return certs;
+			var result = new List<X509Certificate>();
+			CollectionUtilities.CollectMatches(result, certSelector, certStores);
+			return result;
 		}
 
 		/**
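Review bot: The return type changed from a set to `List<X509Certificate>`, so a certificate present in more than one store is now returned more than once unless `CollectionUtilities.CollectMatches` deduplicates, which is not visible here; if callers rely on distinct results, `var result = new HashSet<X509Certificate>();` with an `ISet<X509Certificate>` return matches the shape GetCompleteCrls now uses. The new body has no try/catch, yet the `<exception cref="Exception"></exception>` tag from the old wrapping handler is kept; either drop the tag or document what CollectMatches can throw.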
@@ -859,60 +835,41 @@ namespace Org.BouncyCastle.Pkix
 		 * @throws Exception if an exception occurs while picking the CRLs
 		 *             or no CRLs are found.
 		 */
-		internal static ISet GetCompleteCrls(
-			DistributionPoint	dp,
-			object				cert,
-			DateTime			currentDate,
-			PkixParameters		paramsPKIX)
+		internal static ISet<X509Crl> GetCompleteCrls(DistributionPoint dp, object certObj, DateTime currentDate,
+			PkixParameters paramsPKIX)
 		{
+			var certObjIssuer = GetIssuerPrincipal(certObj);
+
 			X509CrlStoreSelector crlselect = new X509CrlStoreSelector();
 			try
 			{
 				ISet issuers = new HashSet();
-				if (cert is X509V2AttributeCertificate)
-				{
-					issuers.Add(((X509V2AttributeCertificate)cert)
-						.Issuer.GetPrincipals()[0]);
-				}
-				else
-				{
-					issuers.Add(GetIssuerPrincipal(cert));
-				}
-				PkixCertPathValidatorUtilities.GetCrlIssuersFromDistributionPoint(dp, issuers, crlselect, paramsPKIX);
+				issuers.Add(certObjIssuer);
+
+				GetCrlIssuersFromDistributionPoint(dp, issuers, crlselect, paramsPKIX);
 			}
 			catch (Exception e)
 			{
 				throw new Exception("Could not get issuer information from distribution point.", e);
 			}
 
-			if (cert is X509Certificate)
-			{
-				crlselect.CertificateChecking = (X509Certificate)cert;
-			}
-			else if (cert is X509V2AttributeCertificate)
-			{
-				crlselect.AttrCertChecking = (IX509AttributeCertificate)cert;
-			}
-
-			crlselect.CompleteCrlEnabled = true;
-			ISet crls = CrlUtilities.FindCrls(crlselect, paramsPKIX, currentDate);
-
-			if (crls.IsEmpty)
-			{
-				if (cert is IX509AttributeCertificate)
+            {
+				if (certObj is X509Certificate cert)
 				{
-					IX509AttributeCertificate aCert = (IX509AttributeCertificate)cert;
-
-					throw new Exception("No CRLs found for issuer \"" + aCert.Issuer.GetPrincipals()[0] + "\"");
+					crlselect.CertificateChecking = cert;
 				}
-				else
+				else if (certObj is X509V2AttributeCertificate attrCert)
 				{
-					X509Certificate xCert = (X509Certificate)cert;
-
-					throw new Exception("No CRLs found for issuer \"" + xCert.IssuerDN + "\"");
+					crlselect.AttrCertChecking = attrCert;
 				}
 			}
 
+			crlselect.CompleteCrlEnabled = true;
+
+			ISet<X509Crl> crls = CrlUtilities.FindCrls(crlselect, paramsPKIX, currentDate);
+			if (crls.Count < 1)
+				throw new Exception("No CRLs found for issuer \"" + certObjIssuer + "\"");
+
 			return crls;
 		}
 
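Review bot: `GetIssuerPrincipal(certObj)` now runs before the `try`, so the `InvalidOperationException` it throws for an unsupported type (or an index failure on an attribute certificate with no issuer principals) is no longer wrapped into the "Could not get issuer information from distribution point." exception the old code produced; if callers match on that wrapped exception, move the assignment inside the `try`, otherwise note the change in the method's `@throws` text. The braces enclosing the `certObj is X509Certificate cert` / `X509V2AttributeCertificate attrCert` chain form a bare block that scopes nothing, and they are indented with spaces in a tab-indented file; remove them. `ISet issuers = new HashSet();` is still the non-generic set although the rest of the method moved to `ISet<X509Crl>`.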
@@ -926,7 +883,7 @@ namespace Org.BouncyCastle.Pkix
 		 * @throws Exception if an exception occurs while picking the delta
 		 *             CRLs.
 		 */
-		internal static ISet GetDeltaCrls(
+		internal static ISet<X509Crl> GetDeltaCrls(
 			DateTime		currentDate,
 			PkixParameters	paramsPKIX,
 			X509Crl			completeCRL)
@@ -991,9 +948,9 @@ namespace Org.BouncyCastle.Pkix
 			deltaSelect.MaxBaseCrlNumber = completeCRLNumber;
 
 			// find delta CRLs
-			ISet temp = CrlUtilities.FindCrls(deltaSelect, paramsPKIX, currentDate);
+			ISet<X509Crl> temp = CrlUtilities.FindCrls(deltaSelect, paramsPKIX, currentDate);
 
-			ISet result = new HashSet();
+			var result = new HashSet<X509Crl>();
 
 			foreach (X509Crl crl in temp)
 			{
@@ -1014,32 +971,6 @@ namespace Org.BouncyCastle.Pkix
 			return critical.Contains(X509Extensions.DeltaCrlIndicator.Id);
 		}
 
-		internal static ICollection FindCertificates(
-			X509AttrCertStoreSelector	certSelect,
-			IList						certStores)
-		{
-			ISet certs = new HashSet();
-
-			foreach (IX509Store certStore in certStores)
-			{
-				try
-				{
-//					certs.AddAll(certStore.GetMatches(certSelect));
-					foreach (X509V2AttributeCertificate ac in certStore.GetMatches(certSelect))
-					{
-						certs.Add(ac);
-					}
-				}
-				catch (Exception e)
-				{
-					throw new Exception(
-						"Problem while picking certificates from X.509 store.", e);
-				}
-			}
-
-			return certs;
-		}
-
 		internal static void AddAdditionalStoresFromCrlDistributionPoint(
 			CrlDistPoint	crldp,
 			PkixParameters	pkixParams)
@@ -1071,10 +1002,8 @@ namespace Org.BouncyCastle.Pkix
 							{
 								if (genNames[j].TagNo == GeneralName.UniformResourceIdentifier)
 								{
-									string location = DerIA5String.GetInstance(
-										genNames[j].Name).GetString();
-									PkixCertPathValidatorUtilities.AddAdditionalStoreFromLocation(
-										location, pkixParams);
+									string location = DerIA5String.GetInstance(genNames[j].Name).GetString();
+									AddAdditionalStoreFromLocation(location, pkixParams);
 								}
 							}
 						}
@@ -1083,31 +1012,18 @@ namespace Org.BouncyCastle.Pkix
 			}
 		}
 
-		internal static bool ProcessCertD1i(
-			int					index,
-			IList[]				policyNodes,
-			DerObjectIdentifier	pOid,
-			ISet				pq)
+		internal static bool ProcessCertD1i(int index, IList<PkixPolicyNode>[] policyNodes, DerObjectIdentifier	pOid,
+			ISet pq)
 		{
-			IList policyNodeVec = policyNodes[index - 1];
-
-			for (int j = 0; j < policyNodeVec.Count; j++)
+			foreach (var node in policyNodes[index - 1])
 			{
-				PkixPolicyNode node = (PkixPolicyNode)policyNodeVec[j];
-				ISet expectedPolicies = node.ExpectedPolicies;
-
-				if (expectedPolicies.Contains(pOid.Id))
+				if (node.ExpectedPolicies.Contains(pOid.Id))
 				{
-					ISet childExpectedPolicies = new HashSet();
+					var childExpectedPolicies = new HashSet();
 					childExpectedPolicies.Add(pOid.Id);
 
-                    PkixPolicyNode child = new PkixPolicyNode(Platform.CreateArrayList(),
-						index,
-						childExpectedPolicies,
-						node,
-						pq,
-						pOid.Id,
-						false);
+                    var child = new PkixPolicyNode(new List<PkixPolicyNode>(), index, childExpectedPolicies, node, pq,
+						pOid.Id, false);
 					node.AddChild(child);
 					policyNodes[index].Add(child);
 
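Review bot: The new signature line has a tab between `DerObjectIdentifier` and `pOid`, and the `var child = new PkixPolicyNode(` line is indented with spaces, in a file that otherwise indents with tabs; the same space-indented construction line appears in ProcessCertD1ii in the next hunk. Both are worth a `dotnet format` pass before merge so later diffs stay readable. The `foreach` over `policyNodes[index - 1]` is safe with respect to the `policyNodes[index].Add(child)` inside it only because the two lists differ; a short comment `// adds to level index, not the level being enumerated` would make that visible.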
@@ -1118,32 +1034,21 @@ namespace Org.BouncyCastle.Pkix
 			return false;
 		}
 
-		internal static void ProcessCertD1ii(
-			int					index,
-			IList[]				policyNodes,
-			DerObjectIdentifier _poid,
-			ISet				_pq)
+		internal static void ProcessCertD1ii(int index, IList<PkixPolicyNode>[] policyNodes,
+			DerObjectIdentifier _poid, ISet _pq)
 		{
-			IList policyNodeVec = policyNodes[index - 1];
-
-			for (int j = 0; j < policyNodeVec.Count; j++)
+			foreach (var _node in policyNodes[index - 1])
 			{
-				PkixPolicyNode _node = (PkixPolicyNode)policyNodeVec[j];
-
 				if (ANY_POLICY.Equals(_node.ValidPolicy))
 				{
 					ISet _childExpectedPolicies = new HashSet();
 					_childExpectedPolicies.Add(_poid.Id);
 
-                    PkixPolicyNode _child = new PkixPolicyNode(Platform.CreateArrayList(),
-						index,
-						_childExpectedPolicies,
-						_node,
-						_pq,
-						_poid.Id,
-						false);
+                    var _child = new PkixPolicyNode(new List<PkixPolicyNode>(), index, _childExpectedPolicies, _node,
+						_pq, _poid.Id, false);
 					_node.AddChild(_child);
 					policyNodes[index].Add(_child);
+
 					return;
 				}
 			}
@@ -1161,15 +1066,14 @@ namespace Org.BouncyCastle.Pkix
 		* @exception Exception
 		*                if an error occurs.
 		*/
-		internal static ICollection FindIssuerCerts(
+		internal static HashSet<X509Certificate> FindIssuerCerts(
 			X509Certificate			cert,
 			PkixBuilderParameters	pkixParams)
 		{
-			X509CertStoreSelector certSelect = new X509CertStoreSelector();
-			ISet certs = new HashSet();
+			X509CertStoreSelector certSelector = new X509CertStoreSelector();
 			try
 			{
-				certSelect.Subject = cert.IssuerDN;
+				certSelector.Subject = cert.IssuerDN;
 			}
 			catch (IOException ex)
 			{
@@ -1177,10 +1081,10 @@ namespace Org.BouncyCastle.Pkix
 					"Subject criteria for certificate selector to find issuer certificate could not be set.", ex);
 			}
 
+			var certs = new HashSet<X509Certificate>();
 			try
 			{
-                certs.AddAll(PkixCertPathValidatorUtilities.FindCertificates(certSelect, pkixParams.GetStores()));
-                certs.AddAll(PkixCertPathValidatorUtilities.FindCertificates(certSelect, pkixParams.GetAdditionalStores()));
+				CollectionUtilities.CollectMatches(certs, certSelector, pkixParams.GetStoresCert());
 			}
 			catch (Exception e)
 			{