authorPeter Dettman <peter.dettman@bouncycastle.org>2018-04-17 13:12:18 +0700
committerPeter Dettman <peter.dettman@bouncycastle.org>2018-04-17 13:12:18 +0700
commit374564ba8b2b385c90633679aae9cca27d0bb069 (patch)
tree22dcb8cf1c3b91adbae9b472365c587654860841 /crypto/src/pkix
parentUpdated OpenBsdBCrypt to support version 2y. (diff)
PKIX: explicit validation of version number and extension repeats
Diffstat (limited to 'crypto/src/pkix')
-rw-r--r--crypto/src/pkix/PkixCertPathValidator.cs34
1 files changed, 29 insertions, 5 deletions
diff --git a/crypto/src/pkix/PkixCertPathValidator.cs b/crypto/src/pkix/PkixCertPathValidator.cs
index fcfa63837..1d7c00d7d 100644
--- a/crypto/src/pkix/PkixCertPathValidator.cs
+++ b/crypto/src/pkix/PkixCertPathValidator.cs
@@ -3,6 +3,7 @@ using System.Collections;
 using Org.BouncyCastle.Asn1;
 using Org.BouncyCastle.Asn1.X509;
 using Org.BouncyCastle.Crypto;
+using Org.BouncyCastle.Security.Certificates;
 using Org.BouncyCastle.Utilities;
 using Org.BouncyCastle.Utilities.Collections;
 using Org.BouncyCastle.X509;
@@ -81,16 +82,18 @@ namespace Org.BouncyCastle.Pkix
                 trust = PkixCertPathValidatorUtilities.FindTrustAnchor(
 					(X509Certificate)certs[certs.Count - 1],
 					paramsPkix.GetTrustAnchors());
+
+                if (trust == null)
+                    throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
+
+                CheckCertificate(trust.TrustedCert);
             }
             catch (Exception e)
             {
-                throw new PkixCertPathValidatorException(e.Message, e, certPath, certs.Count - 1);
+                throw new PkixCertPathValidatorException(e.Message, e.InnerException, certPath, certs.Count - 1);
             }
 
-            if (trust == null)
-                throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
-
-			//
+            //
             // (e), (f), (g) are part of the paramsPkix object.
             //
             IEnumerator certIter;
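Review bot: The "Trust anchor for certification path not found." exception thrown at the new `if (trust == null)` now sits inside the try, so the `catch (Exception e)` below rewraps it: the index reported to the caller changes from -1 to `certs.Count - 1`, and the message survives only because the rewrap copies `e.Message`. Add `catch (PkixCertPathValidatorException) { throw; }` ahead of the general catch, or keep the null check outside the try as it was before. Separately, `e.InnerException` in the rewrap assumes every exception reaching this handler is the wrapper produced by CheckCertificate; for a failure in FindTrustAnchor, or anything CheckCertificate lets through unwrapped, the inner exception is typically null and the original cause is dropped — the per-certificate catch in the next hunk has the same pattern. The enclosing method starts before this hunk.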
@@ -253,6 +256,15 @@ namespace Org.BouncyCastle.Pkix
                 //
                 cert = (X509Certificate)certs[index];
 
+                try
+                {
+                    CheckCertificate(cert);
+                }
+                catch (Exception e)
+                {
+                    throw new PkixCertPathValidatorException(e.Message, e.InnerException, certPath, index);
+                }
+
                 //
                 // 6.1.3
                 //
@@ -416,5 +428,17 @@ namespace Org.BouncyCastle.Pkix
 
 			throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, index);
         }
+
+        internal static void CheckCertificate(X509Certificate cert)
+        {
+            try
+            {
+                TbsCertificateStructure.GetInstance(cert.CertificateStructure.TbsCertificate);
+            }
+            catch (CertificateEncodingException e)
+            {
+                throw new Exception("unable to process TBSCertificate", e);
+            }
+        }
     }
 }
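Review bot: `TbsCertificateStructure.GetInstance` is handed `cert.CertificateStructure.TbsCertificate`, which is already a parsed TbsCertificateStructure; if GetInstance follows the usual BouncyCastle pattern of returning an argument of the target type unchanged, nothing is re-parsed and the version/extension-repeat validation this commit describes is never exercised for path certificates. Passing the DER encoding instead, `TbsCertificateStructure.GetInstance(cert.GetTbsCertificate());`, forces the structure to be rebuilt so the constructor's checks run. Throwing a bare `System.Exception` forces the two callers into `catch (Exception)`; a dedicated exception type would let them catch narrowly and keep their `e.InnerException` assumption honest. Any malformed encoding that GetInstance rejects with something other than CertificateEncodingException also escapes this method unwrapped. A summary comment would help too: `/// Re-parses the TBSCertificate so that structural checks are applied; throws if the encoding is rejected.`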