authorPeter Dettman <peter.dettman@bouncycastle.org>2022-06-27 02:19:14 +0700
committerPeter Dettman <peter.dettman@bouncycastle.org>2022-06-27 02:19:14 +0700
commit4ea1816cffd5c8663bc9ae1234df0a70ef23fcd6 (patch)
treeeb4fe294ef230435928a573fadef3047b4466e9b /crypto/src/pkix
parentImplement generic IEnumerable in ASN.1 classes (diff)
downloadBouncyCastle.NET-ed25519-4ea1816cffd5c8663bc9ae1234df0a70ef23fcd6.tar.xz
Generics migration work
Diffstat (limited to 'crypto/src/pkix')
-rw-r--r--crypto/src/pkix/PkixAttrCertChecker.cs8
-rw-r--r--crypto/src/pkix/PkixAttrCertPathBuilder.cs8
-rw-r--r--crypto/src/pkix/PkixBuilderParameters.cs26
-rw-r--r--crypto/src/pkix/PkixCertPathBuilder.cs19
-rw-r--r--crypto/src/pkix/PkixCertPathChecker.cs7
-rw-r--r--crypto/src/pkix/PkixCertPathValidator.cs26
-rw-r--r--crypto/src/pkix/PkixCertPathValidatorUtilities.cs188
-rw-r--r--crypto/src/pkix/PkixCrlUtilities.cs8
-rw-r--r--crypto/src/pkix/PkixParameters.cs35
-rw-r--r--crypto/src/pkix/PkixPolicyNode.cs23
-rw-r--r--crypto/src/pkix/Rfc3280CertPathUtilities.cs260
-rw-r--r--crypto/src/pkix/Rfc3281CertPathUtilities.cs37
12 files changed, 277 insertions, 368 deletions
diff --git a/crypto/src/pkix/PkixAttrCertChecker.cs b/crypto/src/pkix/PkixAttrCertChecker.cs
index ca49bbd12..3d50bfbbc 100644
--- a/crypto/src/pkix/PkixAttrCertChecker.cs
+++ b/crypto/src/pkix/PkixAttrCertChecker.cs
@@ -1,7 +1,7 @@
 using System;
-using System.Collections;
+using System.Collections.Generic;
 
-using Org.BouncyCastle.Utilities.Collections;
+using Org.BouncyCastle.Asn1;
 using Org.BouncyCastle.X509;
 
 namespace Org.BouncyCastle.Pkix
@@ -27,7 +27,7 @@ namespace Org.BouncyCastle.Pkix
 		 *         <code>PkixAttrCertChecker</code>, or <code>null</code> if no
 		 *         extensions are supported
 		 */
-		public abstract ISet GetSupportedExtensions();
+		public abstract ISet<DerObjectIdentifier> GetSupportedExtensions();
 
 		/**
 		* Performs checks on the specified attribute certificate. Every handled
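Review bot: `GetSupportedExtensions()` now returns `ISet<DerObjectIdentifier>`, but the `Check` overload in the next hunk takes `ICollection<string> unresolvedCritExts`, and `PkixCertPathChecker` in this same commit uses `ISet<string>` for both members. An implementer who compares the supported set against the unresolved critical extensions has to convert between OID objects and their string `Id`, and the doc comment above the method does not mention that. I would either return `ISet<string>` here to match, or add a line to the comment such as `The returned OIDs correspond, via DerObjectIdentifier.Id, to the string ids passed to Check in unresolvedCritExts.`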
@@ -45,7 +45,7 @@ namespace Org.BouncyCastle.Pkix
 		*             does not pass the check.
 		*/
 		public abstract void Check(X509V2AttributeCertificate attrCert, PkixCertPath certPath,
-			PkixCertPath holderCertPath, ICollection unresolvedCritExts);
+			PkixCertPath holderCertPath, ICollection<string> unresolvedCritExts);
 
 		/**
 		* Returns a clone of this object.
diff --git a/crypto/src/pkix/PkixAttrCertPathBuilder.cs b/crypto/src/pkix/PkixAttrCertPathBuilder.cs
index 1120003a8..6902d76d6 100644
--- a/crypto/src/pkix/PkixAttrCertPathBuilder.cs
+++ b/crypto/src/pkix/PkixAttrCertPathBuilder.cs
@@ -56,15 +56,15 @@ namespace Org.BouncyCastle.Pkix
 			{
 				X509CertStoreSelector certSelector = new X509CertStoreSelector();
 				X509Name[] principals = target.Issuer.GetPrincipals();
-				ISet issuers = new HashSet();
+				var issuers = new HashSet<X509Certificate>();
 				for (int i = 0; i < principals.Length; i++)
 				{
+					// TODO Replace loop with a single multiprincipal selector (or don't even use selector)
 					try
 					{
 						certSelector.Subject = principals[i];
 
-						issuers.AddAll(PkixCertPathValidatorUtilities.FindCertificates(certSelector,
-							pkixParams.GetStoresCert()));
+						CollectionUtilities.CollectMatches(issuers, certSelector, pkixParams.GetStoresCert());
 					}
 					catch (Exception e)
 					{
@@ -74,7 +74,7 @@ namespace Org.BouncyCastle.Pkix
 					}
 				}
 
-				if (issuers.IsEmpty)
+				if (issuers.Count < 1)
 					throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be found.");
 
                 IList certPathList = Platform.CreateArrayList();
diff --git a/crypto/src/pkix/PkixBuilderParameters.cs b/crypto/src/pkix/PkixBuilderParameters.cs
index 1dcccb2f8..b76c97874 100644
--- a/crypto/src/pkix/PkixBuilderParameters.cs
+++ b/crypto/src/pkix/PkixBuilderParameters.cs
@@ -1,4 +1,5 @@
 using System;
+using System.Collections.Generic;
 using System.Text;
 
 using Org.BouncyCastle.Security;
@@ -16,7 +17,7 @@ namespace Org.BouncyCastle.Pkix
 	{
 		private int maxPathLength = 5;
 
-		private ISet excludedCerts = new HashSet();
+		private ISet<X509Certificate> excludedCerts = new HashSet<X509Certificate>();
 
 		/**
 		* Returns an instance of <code>PkixBuilderParameters</code>.
@@ -40,12 +41,12 @@ namespace Org.BouncyCastle.Pkix
 			return parameters;
 		}
 
-		public PkixBuilderParameters(ISet trustAnchors, ISelector<X509Certificate> targetConstraintsCert)
+		public PkixBuilderParameters(ISet<TrustAnchor> trustAnchors, ISelector<X509Certificate> targetConstraintsCert)
 			: this(trustAnchors, targetConstraintsCert, null)
 		{
 		}
 
-		public PkixBuilderParameters(ISet trustAnchors, ISelector<X509Certificate> targetConstraintsCert,
+		public PkixBuilderParameters(ISet<TrustAnchor> trustAnchors, ISelector<X509Certificate> targetConstraintsCert,
 			ISelector<X509V2AttributeCertificate> targetConstraintsAttrCert)
 			: base(trustAnchors)
 		{
@@ -71,9 +72,9 @@ namespace Org.BouncyCastle.Pkix
 		/// Excluded certificates are not used for building a certification path.
 		/// </summary>
 		/// <returns>the excluded certificates.</returns>
-		public virtual ISet GetExcludedCerts()
+		public virtual ISet<X509Certificate> GetExcludedCerts()
 		{
-			return new HashSet(excludedCerts);
+			return new HashSet<X509Certificate>(excludedCerts);
 		}
 
 		/// <summary>
@@ -85,16 +86,15 @@ namespace Org.BouncyCastle.Pkix
 		/// The given set is cloned to protect it against subsequent modifications.
 		/// </remarks>
 		/// <param name="excludedCerts">The excluded certificates to set.</param>
-		public virtual void SetExcludedCerts(
-			ISet excludedCerts)
+		public virtual void SetExcludedCerts(ISet<X509Certificate> excludedCerts)
 		{
 			if (excludedCerts == null)
 			{
-				this.excludedCerts = new HashSet();
+				this.excludedCerts = new HashSet<X509Certificate>();
 			}
 			else
 			{
-				this.excludedCerts = new HashSet(excludedCerts);
+				this.excludedCerts = new HashSet<X509Certificate>(excludedCerts);
 			}
 		}
 
@@ -105,15 +105,13 @@ namespace Org.BouncyCastle.Pkix
 		* @param params Parameters to set.
 		* @see org.bouncycastle.x509.ExtendedPKIXParameters#setParams(java.security.cert.PKIXParameters)
 		*/
-		protected override void SetParams(
-			PkixParameters parameters)
+		protected override void SetParams(PkixParameters parameters)
 		{
 			base.SetParams(parameters);
-			if (parameters is PkixBuilderParameters)
+			if (parameters is PkixBuilderParameters _params)
 			{
-				PkixBuilderParameters _params = (PkixBuilderParameters) parameters;
 				maxPathLength = _params.maxPathLength;
-				excludedCerts = new HashSet(_params.excludedCerts);
+				excludedCerts = new HashSet<X509Certificate>(_params.excludedCerts);
 			}
 		}
 
diff --git a/crypto/src/pkix/PkixCertPathBuilder.cs b/crypto/src/pkix/PkixCertPathBuilder.cs
index 3ef66b1b9..970fceb99 100644
--- a/crypto/src/pkix/PkixCertPathBuilder.cs
+++ b/crypto/src/pkix/PkixCertPathBuilder.cs
@@ -1,19 +1,11 @@
 using System;
 using System.Collections;
-using System.Text;
-
-using Org.BouncyCastle.Asn1.IsisMtt;
-using Org.BouncyCastle.Asn1;
-using Org.BouncyCastle.Asn1.X509;
-using Org.BouncyCastle.Asn1.X500;
-using Org.BouncyCastle.Crypto;
-using Org.BouncyCastle.Crypto.Parameters;
-using Org.BouncyCastle.Math;
+using System.Collections.Generic;
+
 using Org.BouncyCastle.Security.Certificates;
 using Org.BouncyCastle.Utilities;
 using Org.BouncyCastle.Utilities.Collections;
 using Org.BouncyCastle.X509;
-using Org.BouncyCastle.X509.Store;
 
 namespace Org.BouncyCastle.Pkix
 {
@@ -38,11 +30,10 @@ namespace Org.BouncyCastle.Pkix
 
 			var certSelector = pkixParams.GetTargetConstraintsCert();
 
-			ISet targets = new HashSet();
+			var targets = new HashSet<X509Certificate>();
 			try
 			{
-				targets.AddAll(
-					PkixCertPathValidatorUtilities.FindCertificates(certSelector, pkixParams.GetStoresCert()));
+				CollectionUtilities.CollectMatches(targets, certSelector, pkixParams.GetStoresCert());
 			}
 			catch (Exception e)
 			{
@@ -50,7 +41,7 @@ namespace Org.BouncyCastle.Pkix
 					"Error finding target certificate.", e);
 			}
 
-			if (targets.IsEmpty)
+			if (targets.Count < 1)
 				throw new PkixCertPathBuilderException("No certificate found matching targetConstraints.");
 
 			PkixCertPathBuilderResult result = null;
diff --git a/crypto/src/pkix/PkixCertPathChecker.cs b/crypto/src/pkix/PkixCertPathChecker.cs
index da7e82b46..08b7e3d41 100644
--- a/crypto/src/pkix/PkixCertPathChecker.cs
+++ b/crypto/src/pkix/PkixCertPathChecker.cs
@@ -1,4 +1,5 @@
-using Org.BouncyCastle.Utilities.Collections;
+using System.Collections.Generic;
+
 using Org.BouncyCastle.X509;
 
 namespace Org.BouncyCastle.Pkix
@@ -63,7 +64,7 @@ namespace Org.BouncyCastle.Pkix
          *         <code>PKIXCertPathChecker</code>, or <code>null</code> if no
          *         extensions are supported
          */
-        public abstract ISet GetSupportedExtensions();
+        public abstract ISet<string> GetSupportedExtensions();
 
         /**
          * Performs the check(s) on the specified certificate using its internal
@@ -80,7 +81,7 @@ namespace Org.BouncyCastle.Pkix
          * @exception CertPathValidatorException
          *                if the specified certificate does not pass the check
          */
-        public abstract void Check(X509Certificate cert, ISet unresolvedCritExts);
+        public abstract void Check(X509Certificate cert, ISet<string> unresolvedCritExts);
         //throws CertPathValidatorException;
 
         /**
diff --git a/crypto/src/pkix/PkixCertPathValidator.cs b/crypto/src/pkix/PkixCertPathValidator.cs
index 95939e0bd..cebeed46f 100644
--- a/crypto/src/pkix/PkixCertPathValidator.cs
+++ b/crypto/src/pkix/PkixCertPathValidator.cs
@@ -71,7 +71,7 @@ namespace Org.BouncyCastle.Pkix
             //
             // (c)
             //
-            ISet userInitialPolicySet = paramsPkix.GetInitialPolicies();
+            var userInitialPolicySet = paramsPkix.GetInitialPolicies();
 
             //
             // (d)
@@ -113,12 +113,12 @@ namespace Org.BouncyCastle.Pkix
                 policyNodes[j] = new List<PkixPolicyNode>();
             }
 
-            ISet policySet = new HashSet();
+            var policySet = new HashSet<string>();
 
             policySet.Add(Rfc3280CertPathUtilities.ANY_POLICY);
 
-            var validPolicyTree = new PkixPolicyNode(new List<PkixPolicyNode>(), 0, policySet, null, new HashSet(),
-                Rfc3280CertPathUtilities.ANY_POLICY, false);
+            var validPolicyTree = new PkixPolicyNode(new List<PkixPolicyNode>(), 0, policySet, null,
+                new HashSet<PolicyQualifierInfo>(), Rfc3280CertPathUtilities.ANY_POLICY, false);
 
             policyNodes[0].Add(validPolicyTree);
 
@@ -130,7 +130,7 @@ namespace Org.BouncyCastle.Pkix
             // (d)
             //
             int explicitPolicy;
-            ISet acceptablePolicies = new HashSet();
+            var acceptablePolicies = new HashSet<string>();
 
             if (paramsPkix.IsExplicitPolicyRequired)
             {
@@ -326,11 +326,11 @@ namespace Org.BouncyCastle.Pkix
                     // (n)
                     Rfc3280CertPathUtilities.PrepareNextCertN(certPath, index);
 
-					ISet criticalExtensions1 = cert.GetCriticalExtensionOids();
+					var criticalExtensions1 = cert.GetCriticalExtensionOids();
 
 					if (criticalExtensions1 != null)
 					{
-						criticalExtensions1 = new HashSet(criticalExtensions1);
+						criticalExtensions1 = new HashSet<string>(criticalExtensions1);
 
 						// these extensions are handled by the algorithm
 						criticalExtensions1.Remove(X509Extensions.KeyUsage.Id);
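Review bot: `var criticalExtensions1 = cert.GetCriticalExtensionOids();` hides the declared type of a variable that is reassigned and mutated on the following lines, so its type now depends on whatever that getter returns, which is not visible in this hunk. Since the next statement assigns a `HashSet<string>` to the same variable, an explicit `ISet<string> criticalExtensions1 = cert.GetCriticalExtensionOids();` keeps the declaration readable and stable if the getter's return type is narrowed later. The same applies to `criticalExtensions` in the `@@ -391,11` hunk. This set feeds the unresolved-critical-extension check, so its type is worth keeping obvious.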
@@ -346,7 +346,7 @@ namespace Org.BouncyCastle.Pkix
 					}
 					else
 					{
-						criticalExtensions1 = new HashSet();
+						criticalExtensions1 = new HashSet<string>();
 					}
 
 					// (o)
@@ -391,11 +391,11 @@ namespace Org.BouncyCastle.Pkix
             //
             // (f)
             //
-            ISet criticalExtensions = cert.GetCriticalExtensionOids();
+            var criticalExtensions = cert.GetCriticalExtensionOids();
 
             if (criticalExtensions != null)
             {
-                criticalExtensions = new HashSet(criticalExtensions);
+                criticalExtensions = new HashSet<string>(criticalExtensions);
 
                 // Requires .Id
                 // these extensions are handled by the algorithm
@@ -413,13 +413,13 @@ namespace Org.BouncyCastle.Pkix
             }
             else
             {
-                criticalExtensions = new HashSet();
+                criticalExtensions = new HashSet<string>();
             }
 
             Rfc3280CertPathUtilities.WrapupCertF(certPath, index + 1, certPathCheckers, criticalExtensions);
 
-            PkixPolicyNode intersection = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, userInitialPolicySet,
-                    index + 1, policyNodes, validPolicyTree, acceptablePolicies);
+            PkixPolicyNode intersection = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix,
+                userInitialPolicySet, index + 1, policyNodes, validPolicyTree, acceptablePolicies);
 
             if ((explicitPolicy > 0) || (intersection != null))
             {
diff --git a/crypto/src/pkix/PkixCertPathValidatorUtilities.cs b/crypto/src/pkix/PkixCertPathValidatorUtilities.cs
index 731f8dfe0..fc65b2535 100644
--- a/crypto/src/pkix/PkixCertPathValidatorUtilities.cs
+++ b/crypto/src/pkix/PkixCertPathValidatorUtilities.cs
@@ -61,11 +61,9 @@ namespace Org.BouncyCastle.Pkix
 		/// <code>null</code> if not.
 		/// </returns>
 		/// @exception
-		internal static TrustAnchor FindTrustAnchor(
-			X509Certificate	cert,
-			ISet			trustAnchors)
+		internal static TrustAnchor FindTrustAnchor(X509Certificate	cert, ISet<TrustAnchor> trustAnchors)
 		{
-			IEnumerator iter = trustAnchors.GetEnumerator();
+			var iter = trustAnchors.GetEnumerator();
 			TrustAnchor trust = null;
 			AsymmetricKeyParameter trustPublicKey = null;
 			Exception invalidKeyEx = null;
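Review bot: `var iter = trustAnchors.GetEnumerator();` now yields an `IEnumerator<TrustAnchor>`, which is `IDisposable`, and nothing visible in this hunk or the next one disposes it. A `foreach (var ta in trustAnchors)` that breaks once a match is found would dispose the enumerator and remove the manual `MoveNext`/`Current` handling; alternatively wrap the declaration as `using (var iter = trustAnchors.GetEnumerator())`. The loop body runs past the end of this hunk, so the exact exit condition has to be checked against the full method before restructuring.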
@@ -83,7 +81,7 @@ namespace Org.BouncyCastle.Pkix
 
 			while (iter.MoveNext() && trust == null)
 			{
-				trust = (TrustAnchor) iter.Current;
+				trust = iter.Current;
 				if (trust.TrustedCert != null)
 				{
 					if (certSelectX509.Match(trust.TrustedCert))
@@ -143,9 +141,7 @@ namespace Org.BouncyCastle.Pkix
 			return trust;
 		}
 
-        internal static bool IsIssuerTrustAnchor(
-            X509Certificate cert,
-            ISet trustAnchors)
+        internal static bool IsIssuerTrustAnchor(X509Certificate cert, ISet<TrustAnchor> trustAnchors)
         {
             try
             {
@@ -236,10 +232,9 @@ namespace Org.BouncyCastle.Pkix
 			}
 		}
 
-		internal static bool IsAnyPolicy(
-			ISet policySet)
+		internal static bool IsAnyPolicy(ISet<string> policySet)
 		{
-			return policySet == null || policySet.Contains(ANY_POLICY) || policySet.Count == 0;
+			return policySet == null || policySet.Count < 1 || policySet.Contains(ANY_POLICY);
 		}
 
 		internal static void AddAdditionalStoreFromLocation(
@@ -310,23 +305,22 @@ namespace Org.BouncyCastle.Pkix
 		// policy checking
 		//
 
-		internal static ISet GetQualifierSet(Asn1Sequence qualifiers)
+		internal static ISet<PolicyQualifierInfo> GetQualifierSet(Asn1Sequence qualifiers)
 		{
-			ISet pq = new HashSet();
-
-			if (qualifiers == null)
-				return pq;
+			var pq = new HashSet<PolicyQualifierInfo>();
 
-			foreach (Asn1Encodable ae in qualifiers)
-			{
-				try
-				{
-					pq.Add(PolicyQualifierInfo.GetInstance(Asn1Object.FromByteArray(ae.GetEncoded())));
-					//pq.Add(PolicyQualifierInfo.GetInstance(ae.ToAsn1Object()));
-				}
-				catch (IOException ex)
+			if (qualifiers != null)
+            {
+				foreach (Asn1Encodable ae in qualifiers)
 				{
-					throw new PkixCertPathValidatorException("Policy qualifier info cannot be decoded.", ex);
+					try
+					{
+                        pq.Add(PolicyQualifierInfo.GetInstance(ae.ToAsn1Object()));
+                    }
+					catch (IOException ex)
+					{
+						throw new PkixCertPathValidatorException("Policy qualifier info cannot be decoded.", ex);
+					}
 				}
 			}
 
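Review bot: The `catch (IOException ex)` around `PolicyQualifierInfo.GetInstance(ae.ToAsn1Object())` no longer matches the code it guards: the removed line re-encoded and re-parsed each element, which is where an `IOException` would have come from, while the new call converts the object in place. A malformed qualifier in a certificate is now more likely to surface as some other exception type (presumably an argument or cast failure from `GetInstance`), which would skip the wrapping into `PkixCertPathValidatorException` that `PrepareNextCertB1` catches. I would widen the handler to `catch (Exception ex)` so every decode failure is still reported as `"Policy qualifier info cannot be decoded."`. The added lines also mix spaces and tabs for indentation.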
@@ -374,90 +368,78 @@ namespace Org.BouncyCastle.Pkix
 			}
 		}
 
-		internal static void PrepareNextCertB1(
-			int i,
-			IList[] policyNodes,
-			string id_p,
-			IDictionary m_idp,
-			X509Certificate cert)
+		internal static void PrepareNextCertB1(int i, IList<PkixPolicyNode>[] policyNodes, string id_p,
+			IDictionary<string, ISet<string>> m_idp, X509Certificate cert)
 		{
-			bool idp_found = false;
-			IEnumerator nodes_i = policyNodes[i].GetEnumerator();
-			while (nodes_i.MoveNext())
+			foreach (var node in policyNodes[i])
 			{
-				PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current;
 				if (node.ValidPolicy.Equals(id_p))
 				{
-					idp_found = true;
-					node.ExpectedPolicies = (ISet)m_idp[id_p];
-					break;
+					node.ExpectedPolicies = CollectionUtilities.GetValueOrNull(m_idp, id_p);
+					return;
 				}
 			}
 
-			if (!idp_found)
+			foreach (var node in policyNodes[i])
 			{
-				nodes_i = policyNodes[i].GetEnumerator();
-				while (nodes_i.MoveNext())
+				if (ANY_POLICY.Equals(node.ValidPolicy))
 				{
-					PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current;
-					if (ANY_POLICY.Equals(node.ValidPolicy))
+					Asn1Sequence policies;
+					try
+					{
+						policies = Asn1Sequence.GetInstance(
+							GetExtensionValue(cert, X509Extensions.CertificatePolicies));
+					}
+					catch (Exception e)
 					{
-						ISet pq = null;
-						Asn1Sequence policies = null;
+						throw new Exception("Certificate policies cannot be decoded.", e);
+					}
+
+					ISet<PolicyQualifierInfo> pq = null;
+
+					foreach (var policy in policies)
+					{
+						PolicyInformation pinfo;
 						try
 						{
-							policies = DerSequence.GetInstance(GetExtensionValue(cert, X509Extensions.CertificatePolicies));
+							pinfo = PolicyInformation.GetInstance(policy);
 						}
-						catch (Exception e)
+						catch (Exception ex)
 						{
-							throw new Exception("Certificate policies cannot be decoded.", e);
+							throw new Exception("Policy information cannot be decoded.", ex);
 						}
 
-						IEnumerator enm = policies.GetEnumerator();
-						while (enm.MoveNext())
+						if (ANY_POLICY.Equals(pinfo.PolicyIdentifier.Id))
 						{
-							PolicyInformation pinfo = null;
-
 							try
 							{
-								pinfo = PolicyInformation.GetInstance(enm.Current);
+								pq = GetQualifierSet(pinfo.PolicyQualifiers);
 							}
-							catch (Exception ex)
+							catch (PkixCertPathValidatorException ex)
 							{
-								throw new Exception("Policy information cannot be decoded.", ex);
+								throw new PkixCertPathValidatorException(
+									"Policy qualifier info set could not be built.", ex);
 							}
-
-							if (ANY_POLICY.Equals(pinfo.PolicyIdentifier.Id))
-							{
-								try
-								{
-									pq = GetQualifierSet(pinfo.PolicyQualifiers);
-								}
-								catch (PkixCertPathValidatorException ex)
-								{
-									throw new PkixCertPathValidatorException(
-										"Policy qualifier info set could not be built.", ex);
-								}
-								break;
-							}
-						}
-						bool ci = false;
-						ISet critExtOids = cert.GetCriticalExtensionOids();
-						if (critExtOids != null)
-						{
-							ci = critExtOids.Contains(X509Extensions.CertificatePolicies.Id);
+							break;
 						}
+					}
 
-						PkixPolicyNode p_node = node.Parent;
-						if (ANY_POLICY.Equals(p_node.ValidPolicy))
-						{
-							PkixPolicyNode c_node = new PkixPolicyNode(new List<PkixPolicyNode>(), i, (ISet)m_idp[id_p],
-								p_node, pq, id_p, ci);
-							p_node.AddChild(c_node);
-							policyNodes[i].Add(c_node);
-						}
-						break;
+					bool ci = false;
+					var critExtOids = cert.GetCriticalExtensionOids();
+					if (critExtOids != null)
+					{
+						ci = critExtOids.Contains(X509Extensions.CertificatePolicies.Id);
+					}
+
+					PkixPolicyNode p_node = node.Parent;
+					if (ANY_POLICY.Equals(p_node.ValidPolicy))
+					{
+						PkixPolicyNode c_node = new PkixPolicyNode(new List<PkixPolicyNode>(), i,
+							CollectionUtilities.GetValueOrNull(m_idp, id_p), p_node, pq, id_p, ci);
+						p_node.AddChild(c_node);
+						policyNodes[i].Add(c_node);
 					}
+					break;
 				}
 			}
 		}
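Review bot: The two decode failures in the second loop are rethrown as bare `Exception` (`"Certificate policies cannot be decoded."` and `"Policy information cannot be decoded."`), while the qualifier failure just below them uses `PkixCertPathValidatorException`. For data that comes from the certificate being validated, a single exception type lets callers handle every malformed-policy case in one place, e.g. `throw new PkixCertPathValidatorException("Certificate policies cannot be decoded.", e);`, provided no caller relies on the current type. Separately, `policies` is enumerated without a null check, so it is worth confirming that `Asn1Sequence.GetInstance(...)` cannot return null here when the extension is absent.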
@@ -687,25 +669,6 @@ namespace Org.BouncyCastle.Pkix
 			return ((X509Certificate)certPath.Certificates[index - 1]).NotBefore;
 		}
 
-		/// <summary>
-		/// Return a Collection of all certificates found
-		/// in the stores that are matching the certSelector criteria.
-		/// </summary>
-		/// <param name="certSelector">an <see cref="ISelector{T}"/> object that will be used to select
-		/// the certificates.</param>
-		/// <param name="certStores">a List containing only IStore objects. These
-		/// are used to search for certificates.</param>
-		/// <returns>a Collection of all found <see cref="X509Certificate"/> objects.
-		/// May be empty but never <code>null</code>.</returns>
-		/// <exception cref="Exception"></exception>
-		internal static List<X509Certificate> FindCertificates(ISelector<X509Certificate> certSelector,
-			IList<IStore<X509Certificate>> certStores)
-		{
-			var result = new List<X509Certificate>();
-			CollectionUtilities.CollectMatches(result, certSelector, certStores);
-			return result;
-		}
-
 		/**
 		* Add the CRL issuers from the cRLIssuer field of the distribution point or
 		* from the certificate if not given to the issuer criterion of the
@@ -728,7 +691,7 @@ namespace Org.BouncyCastle.Pkix
 		*/
 		internal static void GetCrlIssuersFromDistributionPoint(
 			DistributionPoint		dp,
-			ICollection				issuerPrincipals,
+			ICollection<X509Name>	issuerPrincipals,
 			X509CrlStoreSelector	selector,
 			PkixParameters			pkixParams)
 		{
@@ -843,7 +806,7 @@ namespace Org.BouncyCastle.Pkix
 			X509CrlStoreSelector crlselect = new X509CrlStoreSelector();
 			try
 			{
-				ISet issuers = new HashSet();
+				var issuers = new HashSet<X509Name>();
 				issuers.Add(certObjIssuer);
 
 				GetCrlIssuersFromDistributionPoint(dp, issuers, crlselect, paramsPKIX);
@@ -954,7 +917,7 @@ namespace Org.BouncyCastle.Pkix
 
 			foreach (X509Crl crl in temp)
 			{
-				if (isDeltaCrl(crl))
+				if (IsDeltaCrl(crl))
 				{
 					result.Add(crl);
 				}
@@ -963,10 +926,9 @@ namespace Org.BouncyCastle.Pkix
 			return result;
 		}
 
-		private static bool isDeltaCrl(
-			X509Crl crl)
+		private static bool IsDeltaCrl(X509Crl crl)
 		{
-			ISet critical = crl.GetCriticalExtensionOids();
+			var critical = crl.GetCriticalExtensionOids();
 
 			return critical.Contains(X509Extensions.DeltaCrlIndicator.Id);
 		}
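Review bot: `IsDeltaCrl` calls `critical.Contains(...)` on the result of `crl.GetCriticalExtensionOids()` without a null check, whereas the certificate call sites in this commit (`critExtOids != null` in `PrepareNextCertB1`, `criticalExtensions != null` in `PkixCertPathValidator`) treat null as a possible return value. If the CRL getter behaves the same way, a CRL with no critical extensions would raise a `NullReferenceException` instead of being classified as not a delta CRL. `return critical != null && critical.Contains(X509Extensions.DeltaCrlIndicator.Id);` covers that case.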
@@ -1013,13 +975,13 @@ namespace Org.BouncyCastle.Pkix
 		}
 
 		internal static bool ProcessCertD1i(int index, IList<PkixPolicyNode>[] policyNodes, DerObjectIdentifier	pOid,
-			ISet pq)
+			ISet<PolicyQualifierInfo> pq)
 		{
 			foreach (var node in policyNodes[index - 1])
 			{
 				if (node.ExpectedPolicies.Contains(pOid.Id))
 				{
-					var childExpectedPolicies = new HashSet();
+					var childExpectedPolicies = new HashSet<string>();
 					childExpectedPolicies.Add(pOid.Id);
 
                     var child = new PkixPolicyNode(new List<PkixPolicyNode>(), index, childExpectedPolicies, node, pq,
@@ -1035,13 +997,13 @@ namespace Org.BouncyCastle.Pkix
 		}
 
 		internal static void ProcessCertD1ii(int index, IList<PkixPolicyNode>[] policyNodes,
-			DerObjectIdentifier _poid, ISet _pq)
+			DerObjectIdentifier _poid, ISet<PolicyQualifierInfo> _pq)
 		{
 			foreach (var _node in policyNodes[index - 1])
 			{
 				if (ANY_POLICY.Equals(_node.ValidPolicy))
 				{
-					ISet _childExpectedPolicies = new HashSet();
+					var _childExpectedPolicies = new HashSet<string>();
 					_childExpectedPolicies.Add(_poid.Id);
 
                     var _child = new PkixPolicyNode(new List<PkixPolicyNode>(), index, _childExpectedPolicies, _node,
diff --git a/crypto/src/pkix/PkixCrlUtilities.cs b/crypto/src/pkix/PkixCrlUtilities.cs
index 341c9a514..8740cc780 100644
--- a/crypto/src/pkix/PkixCrlUtilities.cs
+++ b/crypto/src/pkix/PkixCrlUtilities.cs
@@ -52,21 +52,17 @@ namespace Org.BouncyCastle.Pkix
 			return finalSet;
 		}
 
-		public virtual ISet FindCrls(X509CrlStoreSelector crlSelector, PkixParameters paramsPkix)
+		public virtual ISet<X509Crl> FindCrls(X509CrlStoreSelector crlSelector, PkixParameters paramsPkix)
 		{
-			ISet completeSet = new HashSet();
-
 			// get complete CRL(s)
 			try
 			{
-				completeSet.AddAll(FindCrls(crlSelector, paramsPkix.GetStoresCrl()));
+				return FindCrls(crlSelector, paramsPkix.GetStoresCrl());
 			}
 			catch (Exception e)
 			{
 				throw new Exception("Exception obtaining complete CRLs.", e);
 			}
-
-			return completeSet;
 		}
 
 		/// <summary>
diff --git a/crypto/src/pkix/PkixParameters.cs b/crypto/src/pkix/PkixParameters.cs
index 32189acfb..eb741fece 100644
--- a/crypto/src/pkix/PkixParameters.cs
+++ b/crypto/src/pkix/PkixParameters.cs
@@ -41,11 +41,11 @@ namespace Org.BouncyCastle.Pkix
 		*/
 		public const int ChainValidityModel = 1;
 
-		private ISet trustAnchors;
+		private HashSet<TrustAnchor> trustAnchors;
 		private DateTimeObject date;
 		private IList certPathCheckers;
 		private bool revocationEnabled = true;
-		private ISet initialPolicies;
+		private HashSet<string> initialPolicies;
 		//private bool checkOnlyEECertificateCrl = false;
 		private bool explicitPolicyRequired = false;
 		private bool anyPolicyInhibited = false;
@@ -85,12 +85,11 @@ namespace Org.BouncyCastle.Pkix
 		 *                if any of the elements in the Set are not of type
 		 *                <code>java.security.cert.TrustAnchor</code>
 		 */
-		public PkixParameters(
-			ISet trustAnchors)
+		public PkixParameters(ISet<TrustAnchor> trustAnchors)
 		{
 			SetTrustAnchors(trustAnchors);
 
-			this.initialPolicies = new HashSet();
+			this.initialPolicies = new HashSet<string>();
 			this.certPathCheckers = Platform.CreateArrayList();
 			this.m_storesAttrCert = new List<IStore<X509V2AttributeCertificate>>();
 			this.m_storesCert = new List<IStore<X509Certificate>>();
@@ -186,23 +185,22 @@ namespace Org.BouncyCastle.Pkix
 		}
 
 		// Returns a Set of the most-trusted CAs.
-		public virtual ISet GetTrustAnchors()
+		public virtual ISet<TrustAnchor> GetTrustAnchors()
 		{
-			return new HashSet(this.trustAnchors);
+			return new HashSet<TrustAnchor>(this.trustAnchors);
 		}
 
 		// Sets the set of most-trusted CAs.
 		// Set is copied to protect against subsequent modifications.
-		public virtual void SetTrustAnchors(
-			ISet tas)
+		public virtual void SetTrustAnchors(ISet<TrustAnchor> tas)
 		{
 			if (tas == null)
 				throw new ArgumentNullException("value");
-			if (tas.IsEmpty)
+			if (tas.Count < 1)
 				throw new ArgumentException("non-empty set required", "value");
 
 			// Explicit copy to enforce type-safety
-			this.trustAnchors = new HashSet();
+			this.trustAnchors = new HashSet<TrustAnchor>();
 			foreach (TrustAnchor ta in tas)
 			{
 				if (ta != null)
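Review bot: The emptiness check `tas.Count < 1` runs before the copy loop that skips null elements, so a set whose only member is null passes the check and leaves `trustAnchors` empty. Re-checking after the loop with `if (this.trustAnchors.Count < 1) throw new ArgumentException("non-empty set required", nameof(tas));` keeps the non-empty guarantee; the loop body continues past this hunk, so this assumes it only adds the non-null entries. The two guards also name the parameter `"value"` although it is called `tas`, and the comment `// Explicit copy to enforce type-safety` is out of date now that the parameter is `ISet<TrustAnchor>`; `// Copy, skipping null entries` would describe what remains.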
@@ -311,17 +309,13 @@ namespace Org.BouncyCastle.Pkix
 		*
 		* @see #setInitialPolicies(java.util.Set)
 		*/
-		public virtual ISet GetInitialPolicies()
+		public virtual ISet<string> GetInitialPolicies()
 		{
-			ISet returnSet = initialPolicies;
-
 			// TODO Can it really be null?
 			if (initialPolicies == null)
-			{
-				returnSet = new HashSet();
-			}
+				return new HashSet<string>();
 
-			return new HashSet(returnSet);
+			return new HashSet<string>(initialPolicies);
 		}
 
 		/**
@@ -345,10 +339,9 @@ namespace Org.BouncyCastle.Pkix
 		*
 		* @see #getInitialPolicies()
 		*/
-		public virtual void SetInitialPolicies(
-			ISet initialPolicies)
+		public virtual void SetInitialPolicies(ISet<string> initialPolicies)
 		{
-			this.initialPolicies = new HashSet();
+			this.initialPolicies = new HashSet<string>();
 			if (initialPolicies != null)
 			{
 				foreach (string obj in initialPolicies)
diff --git a/crypto/src/pkix/PkixPolicyNode.cs b/crypto/src/pkix/PkixPolicyNode.cs
index 2e2e39caf..0ea80b258 100644
--- a/crypto/src/pkix/PkixPolicyNode.cs
+++ b/crypto/src/pkix/PkixPolicyNode.cs
@@ -2,6 +2,7 @@ using System;
 using System.Collections.Generic;
 using System.Text;
 
+using Org.BouncyCastle.Asn1.X509;
 using Org.BouncyCastle.Utilities;
 using Org.BouncyCastle.Utilities.Collections;
 
@@ -15,9 +16,9 @@ namespace Org.BouncyCastle.Pkix
 	{
 		protected IList<PkixPolicyNode> mChildren;
 		protected int				mDepth;
-		protected ISet				mExpectedPolicies;
+		protected ISet<string>		mExpectedPolicies;
 		protected PkixPolicyNode	mParent;
-		protected ISet				mPolicyQualifiers;
+		protected ISet<PolicyQualifierInfo> mPolicyQualifiers;
 		protected string			mValidPolicy;
 		protected bool				mCritical;
 
@@ -37,9 +38,9 @@ namespace Org.BouncyCastle.Pkix
 			set { this.mCritical = value; }
 		}
 
-		public virtual ISet PolicyQualifiers
+		public virtual ISet<PolicyQualifierInfo> PolicyQualifiers
 		{
-			get { return new HashSet(this.mPolicyQualifiers); }
+			get { return new HashSet<PolicyQualifierInfo>(this.mPolicyQualifiers); }
 		}
 
 		public virtual string ValidPolicy
@@ -52,10 +53,10 @@ namespace Org.BouncyCastle.Pkix
 			get { return mChildren.Count != 0; }
 		}
 
-		public virtual ISet ExpectedPolicies
+		public virtual ISet<string> ExpectedPolicies
 		{
-			get { return new HashSet(this.mExpectedPolicies); }
-			set { this.mExpectedPolicies = new HashSet(value); }
+			get { return new HashSet<string>(this.mExpectedPolicies); }
+			set { this.mExpectedPolicies = new HashSet<string>(value); }
 		}
 
 		public virtual PkixPolicyNode Parent
@@ -68,9 +69,9 @@ namespace Org.BouncyCastle.Pkix
 		public PkixPolicyNode(
 			IEnumerable<PkixPolicyNode> children,
 			int				depth,
-			ISet			expectedPolicies,
+			ISet<string>	expectedPolicies,
 			PkixPolicyNode	parent,
-			ISet			policyQualifiers,
+			ISet<PolicyQualifierInfo> policyQualifiers,
 			string			validPolicy,
 			bool			critical)
 		{
@@ -139,9 +140,9 @@ namespace Org.BouncyCastle.Pkix
 			PkixPolicyNode node = new PkixPolicyNode(
 				new List<PkixPolicyNode>(),
 				mDepth,
-				new HashSet(mExpectedPolicies),
+				new HashSet<string>(mExpectedPolicies),
 				null,
-				new HashSet(mPolicyQualifiers),
+				new HashSet<PolicyQualifierInfo>(mPolicyQualifiers),
 				mValidPolicy,
 				mCritical);
 
diff --git a/crypto/src/pkix/Rfc3280CertPathUtilities.cs b/crypto/src/pkix/Rfc3280CertPathUtilities.cs
index 7359d2568..07293dfaf 100644
--- a/crypto/src/pkix/Rfc3280CertPathUtilities.cs
+++ b/crypto/src/pkix/Rfc3280CertPathUtilities.cs
@@ -378,7 +378,7 @@ namespace Org.BouncyCastle.Pkix
 		}
 
 		/// <exception cref="PkixCertPathValidatorException"/>
-		internal static PkixPolicyNode ProcessCertD(PkixCertPath certPath, int index, ISet acceptablePolicies,
+		internal static PkixPolicyNode ProcessCertD(PkixCertPath certPath, int index, ISet<string> acceptablePolicies,
 			PkixPolicyNode validPolicyTree, IList<PkixPolicyNode>[] policyNodes, int inhibitAnyPolicy)
 		{
 			IList certs = certPath.Certificates;
@@ -406,7 +406,7 @@ namespace Org.BouncyCastle.Pkix
 				//
 				// (d) (1)
 				//
-				ISet pols = new HashSet();
+				var pols = new HashSet<string>();
 
 				foreach (Asn1Encodable ae in certPolicies)
 				{
@@ -417,7 +417,7 @@ namespace Org.BouncyCastle.Pkix
 
 					if (!ANY_POLICY.Equals(pOid.Id))
 					{
-						ISet pq = null;
+						ISet<PolicyQualifierInfo> pq;
 						try
 						{
 							pq = PkixCertPathValidatorUtilities.GetQualifierSet(pInfo.PolicyQualifiers);
@@ -437,16 +437,16 @@ namespace Org.BouncyCastle.Pkix
 					}
 				}
 
-				if (acceptablePolicies.IsEmpty || acceptablePolicies.Contains(ANY_POLICY))
+				if (acceptablePolicies.Count < 1 || acceptablePolicies.Contains(ANY_POLICY))
 				{
 					acceptablePolicies.Clear();
-					acceptablePolicies.AddAll(pols);
+					acceptablePolicies.UnionWith(pols);
 				}
 				else
 				{
-					ISet t1 = new HashSet();
+					var t1 = new HashSet<string>();
 
-					foreach (object o in acceptablePolicies)
+					foreach (var o in acceptablePolicies)
 					{
 						if (pols.Contains(o))
 						{
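Review bot: The else branch that begins in this hunk still builds a set intersection by hand: it fills `t1` in a loop and then, in the next hunk, clears `acceptablePolicies` and unions `t1` back in. Now that the parameter is `ISet<string>`, `acceptablePolicies.IntersectWith(pols);` does the same thing in place and removes the temporary set. The condition `acceptablePolicies.Count < 1` would also read more directly as `Count == 0`. ProcessCertD's body starts and ends outside this hunk.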
@@ -454,7 +454,7 @@ namespace Org.BouncyCastle.Pkix
 						}
 					}
 					acceptablePolicies.Clear();
-					acceptablePolicies.AddAll(t1);
+					acceptablePolicies.UnionWith(t1);
 				}
 
 				//
@@ -467,26 +467,12 @@ namespace Org.BouncyCastle.Pkix
 						PolicyInformation pInfo = PolicyInformation.GetInstance(ae.ToAsn1Object());
 						if (ANY_POLICY.Equals(pInfo.PolicyIdentifier.Id))
 						{
-							ISet _apq = PkixCertPathValidatorUtilities.GetQualifierSet(pInfo.PolicyQualifiers);
+							var _apq = PkixCertPathValidatorUtilities.GetQualifierSet(pInfo.PolicyQualifiers);
 
 							foreach (var _node in policyNodes[i - 1])
 							{
-								foreach (var _tmp in _node.ExpectedPolicies)
+								foreach (var _policy in _node.ExpectedPolicies)
 								{
-									string _policy;
-									if (_tmp is string)
-									{
-										_policy = (string)_tmp;
-									}
-									else if (_tmp is DerObjectIdentifier)
-									{
-										_policy = ((DerObjectIdentifier)_tmp).Id;
-									}
-									else
-									{
-										continue;
-									}
-
 									bool _found = false;
 
 									foreach (PkixPolicyNode _child in _node.Children)
@@ -494,12 +480,13 @@ namespace Org.BouncyCastle.Pkix
 										if (_policy.Equals(_child.ValidPolicy))
 										{
 											_found = true;
+											break;
 										}
 									}
 
 									if (!_found)
 									{
-										var _newChildExpectedPolicies = new HashSet();
+										var _newChildExpectedPolicies = new HashSet<string>();
 										_newChildExpectedPolicies.Add(_policy);
 
 										var _newChild = new PkixPolicyNode(new List<PkixPolicyNode>(), i,
@@ -538,7 +525,7 @@ namespace Org.BouncyCastle.Pkix
 				//
 				// d (4)
 				//
-				ISet criticalExtensionOids = cert.GetCriticalExtensionOids();
+				var criticalExtensionOids = cert.GetCriticalExtensionOids();
 
 				if (criticalExtensionOids != null)
 				{
@@ -568,10 +555,7 @@ namespace Org.BouncyCastle.Pkix
 		* @throws AnnotatedException if one of the above conditions does not apply or an error
 		*                            occurs.
 		*/
-		internal static void ProcessCrlB1(
-			DistributionPoint	dp,
-			object				cert,
-			X509Crl				crl)
+		internal static void ProcessCrlB1(DistributionPoint dp, object cert, X509Crl crl)
 		{
 			Asn1Object idp = PkixCertPathValidatorUtilities.GetExtensionValue(
 				crl, X509Extensions.IssuingDistributionPoint);
@@ -584,6 +568,7 @@ namespace Org.BouncyCastle.Pkix
 					isIndirect = true;
 				}
 			}
+
 			byte[] issuerBytes = crl.IssuerDN.GetEncoded();
 
 			bool matchIssuer = false;
@@ -596,7 +581,7 @@ namespace Org.BouncyCastle.Pkix
 					{
 						try
 						{
-							if (Org.BouncyCastle.Utilities.Arrays.AreEqual(genNames[j].Name.ToAsn1Object().GetEncoded(), issuerBytes))
+							if (Arrays.AreEqual(genNames[j].Name.GetEncoded(), issuerBytes))
 							{
 								matchIssuer = true;
 							}
@@ -630,12 +615,10 @@ namespace Org.BouncyCastle.Pkix
 			}
 		}
 
-		internal static ReasonsMask ProcessCrlD(
-			X509Crl				crl,
-			DistributionPoint	dp)
+		internal static ReasonsMask ProcessCrlD(X509Crl crl, DistributionPoint dp)
 			//throws AnnotatedException
 		{
-			IssuingDistributionPoint idp = null;
+			IssuingDistributionPoint idp;
 			try
 			{
 				idp = IssuingDistributionPoint.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(crl, X509Extensions.IssuingDistributionPoint));
@@ -648,8 +631,7 @@ namespace Org.BouncyCastle.Pkix
 			// (d) (1)
 			if (idp != null && idp.OnlySomeReasons != null && dp.Reasons != null)
 			{
-				return new ReasonsMask(dp.Reasons.IntValue).Intersect(new ReasonsMask(idp.OnlySomeReasons
-					.IntValue));
+				return new ReasonsMask(dp.Reasons.IntValue).Intersect(new ReasonsMask(idp.OnlySomeReasons.IntValue));
 			}
 			// (d) (4)
 			if ((idp == null || idp.OnlySomeReasons == null) && dp.Reasons == null)
@@ -659,8 +641,7 @@ namespace Org.BouncyCastle.Pkix
 
 			// (d) (2) and (d)(3)
 
-			ReasonsMask dpReasons = null;
-
+			ReasonsMask dpReasons;
 			if (dp.Reasons == null)
 			{
 				dpReasons = ReasonsMask.AllReasons;
@@ -670,8 +651,7 @@ namespace Org.BouncyCastle.Pkix
 				dpReasons = new ReasonsMask(dp.Reasons.IntValue);
 			}
 
-			ReasonsMask idpReasons = null;
-
+			ReasonsMask idpReasons;
 			if (idp == null)
 			{
 				idpReasons = ReasonsMask.AllReasons;
@@ -703,7 +683,7 @@ namespace Org.BouncyCastle.Pkix
 		* @throws AnnotatedException if the CRL is not valid or the status cannot be checked or
 		*                            some error occurs.
 		*/
-		internal static ISet ProcessCrlF(
+		internal static ISet<AsymmetricKeyParameter> ProcessCrlF(
 			X509Crl					crl,
 			object					cert,
 			X509Certificate			defaultCRLSignCert,
@@ -740,8 +720,8 @@ namespace Org.BouncyCastle.Pkix
 			signingCerts.Add(defaultCRLSignCert);
 
 
-            IList validCerts = Platform.CreateArrayList();
-            IList validKeys = Platform.CreateArrayList();
+            var validCerts = new List<X509Certificate>();
+			var validKeys = new List<AsymmetricKeyParameter>();
 
 			foreach (X509Certificate signingCert in signingCerts)
 			{
@@ -796,7 +776,7 @@ namespace Org.BouncyCastle.Pkix
                 }
 			}
 
-			ISet checkKeys = new HashSet();
+			var checkKeys = new HashSet<AsymmetricKeyParameter>();
 
 			Exception lastException = null;
 			for (int i = 0; i < validCerts.Count; i++)
@@ -827,9 +807,7 @@ namespace Org.BouncyCastle.Pkix
 			return checkKeys;
 		}
 
-		internal static AsymmetricKeyParameter ProcessCrlG(
-			X509Crl	crl,
-			ISet	keys)
+		internal static AsymmetricKeyParameter ProcessCrlG(X509Crl crl, ISet<AsymmetricKeyParameter> keys)
 		{
 			Exception lastException = null;
 			foreach (AsymmetricKeyParameter key in keys)
@@ -918,16 +896,16 @@ namespace Org.BouncyCastle.Pkix
 			bool validCrlFound = false;
 			Exception lastException = null;
 
-			IEnumerator crl_iter = crls.GetEnumerator();
+			var crl_iter = crls.GetEnumerator();
 
 			while (crl_iter.MoveNext() && certStatus.Status == CertStatus.Unrevoked && !reasonMask.IsAllReasons)
 			{
 				try
 				{
-					X509Crl crl = (X509Crl)crl_iter.Current;
+					X509Crl crl = crl_iter.Current;
 
 					// (d)
-					ReasonsMask interimReasonsMask = Rfc3280CertPathUtilities.ProcessCrlD(crl, dp);
+					ReasonsMask interimReasonsMask = ProcessCrlD(crl, dp);
 
 					// (e)
 					/*
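Review bot: The enumerator obtained with `var crl_iter = crls.GetEnumerator();` is never disposed. The cast on `crl_iter.Current` is gone, so the enumerator is now a generic one; if `crls` is declared as an interface type (its declaration is outside this hunk), that is an `IEnumerator<X509Crl>`, which is `IDisposable`. Wrapping the loop as `using (var crl_iter = crls.GetEnumerator())` keeps the combined loop condition and releases the enumerator on every exit path. The while loop continues outside this hunk.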
@@ -941,10 +919,9 @@ namespace Org.BouncyCastle.Pkix
 					}
 
 					// (f)
-					ISet keys = Rfc3280CertPathUtilities.ProcessCrlF(crl, cert, defaultCRLSignCert, defaultCRLSignKey,
-						paramsPKIX, certPathCerts);
+					var keys = ProcessCrlF(crl, cert, defaultCRLSignCert, defaultCRLSignKey, paramsPKIX, certPathCerts);
 					// (g)
-					AsymmetricKeyParameter key = Rfc3280CertPathUtilities.ProcessCrlG(crl, keys);
+					AsymmetricKeyParameter key = ProcessCrlG(crl, keys);
 
 					X509Crl deltaCRL = null;
 
@@ -954,7 +931,7 @@ namespace Org.BouncyCastle.Pkix
 						ISet<X509Crl> deltaCRLs = PkixCertPathValidatorUtilities.GetDeltaCrls(currentDate, paramsPKIX, crl);
 						// we only want one valid delta CRL
 						// (h)
-						deltaCRL = Rfc3280CertPathUtilities.ProcessCrlH(deltaCRLs, key);
+						deltaCRL = ProcessCrlH(deltaCRLs, key);
 					}
 
 					/*
@@ -983,19 +960,19 @@ namespace Org.BouncyCastle.Pkix
 						}
 					}
 
-					Rfc3280CertPathUtilities.ProcessCrlB1(dp, cert, crl);
+					ProcessCrlB1(dp, cert, crl);
 
 					// (b) (2)
-					Rfc3280CertPathUtilities.ProcessCrlB2(dp, cert, crl);
+					ProcessCrlB2(dp, cert, crl);
 
 					// (c)
-					Rfc3280CertPathUtilities.ProcessCrlC(deltaCRL, crl, paramsPKIX);
+					ProcessCrlC(deltaCRL, crl, paramsPKIX);
 
 					// (i)
-					Rfc3280CertPathUtilities.ProcessCrlI(validDate, deltaCRL, cert, certStatus, paramsPKIX);
+					ProcessCrlI(validDate, deltaCRL, cert, certStatus, paramsPKIX);
 
 					// (j)
-					Rfc3280CertPathUtilities.ProcessCrlJ(validDate, crl, cert, certStatus);
+					ProcessCrlJ(validDate, crl, cert, certStatus);
 
 					// (k)
 					if (certStatus.Status == CrlReason.RemoveFromCrl)
@@ -1006,15 +983,15 @@ namespace Org.BouncyCastle.Pkix
 					// update reasons mask
 					reasonMask.AddReasons(interimReasonsMask);
 
-					ISet criticalExtensions = crl.GetCriticalExtensionOids();
+					var criticalExtensions = crl.GetCriticalExtensionOids();
 
 					if (criticalExtensions != null)
 					{
-						criticalExtensions = new HashSet(criticalExtensions);
+						criticalExtensions = new HashSet<string>(criticalExtensions);
 						criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id);
 						criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id);
 
-						if (!criticalExtensions.IsEmpty)
+						if (criticalExtensions.Count > 0)
 							throw new Exception("CRL contains unsupported critical extensions.");
 					}
 
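Review bot: The critical-extension check at the end of this hunk is repeated almost verbatim for the delta CRL in the next hunk, so the rule that decides whether a CRL is rejected lives in two copies. A small private helper, for example `CheckCrlCriticalExtensions(X509Crl crl, string message)`, could copy the set, remove the `IssuingDistributionPoint` and `DeltaCrlIndicator` ids and throw when `Count > 0`, which would keep the two checks in step. It would also be the natural place for a comment such as `// any critical extension other than these two is unsupported, so the CRL must be rejected`. The enclosing method starts and ends outside this hunk.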
@@ -1023,11 +1000,11 @@ namespace Org.BouncyCastle.Pkix
 						criticalExtensions = deltaCRL.GetCriticalExtensionOids();
 						if (criticalExtensions != null)
 						{
-							criticalExtensions = new HashSet(criticalExtensions);
+							criticalExtensions = new HashSet<string>(criticalExtensions);
 							criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id);
 							criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id);
 
-							if (!criticalExtensions.IsEmpty)
+							if (criticalExtensions.Count > 0)
 								throw new Exception("Delta CRL contains unsupported critical extension.");
 						}
 					}
@@ -1095,7 +1072,7 @@ namespace Org.BouncyCastle.Pkix
 			// for each distribution point
 			if (crldp != null)
 			{
-				DistributionPoint[] dps = null;
+				DistributionPoint[] dps;
 				try
 				{
 					dps = crldp.GetDistributionPoints();
@@ -1111,7 +1088,8 @@ namespace Org.BouncyCastle.Pkix
 						PkixParameters paramsPKIXClone = (PkixParameters)paramsPKIX.Clone();
 						try
 						{
-							CheckCrl(dps[i], paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts);
+							CheckCrl(dps[i], paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus,
+								reasonsMask, certPathCerts);
 							validCrlFound = true;
 						}
 						catch (Exception e)
@@ -1211,36 +1189,32 @@ namespace Org.BouncyCastle.Pkix
 			PkixPolicyNode _validPolicyTree = validPolicyTree;
 			if (pm != null)
 			{
-				Asn1Sequence mappings = (Asn1Sequence)pm;
-				IDictionary m_idp = Platform.CreateHashtable();
-				ISet s_idp = new HashSet();
+				Asn1Sequence mappings = pm;
+				var m_idp = new Dictionary<string, ISet<string>>();
+				var s_idp = new HashSet<string>();
 
 				for (int j = 0; j < mappings.Count; j++)
 				{
-					Asn1Sequence mapping = (Asn1Sequence) mappings[j];
-					string id_p = ((DerObjectIdentifier) mapping[0]).Id;
-					string sd_p = ((DerObjectIdentifier) mapping[1]).Id;
-					ISet tmp;
+					Asn1Sequence mapping = (Asn1Sequence)mappings[j];
+					string id_p = ((DerObjectIdentifier)mapping[0]).Id;
+					string sd_p = ((DerObjectIdentifier)mapping[1]).Id;
 
-					if (!m_idp.Contains(id_p))
-					{
-						tmp = new HashSet();
-						tmp.Add(sd_p);
-						m_idp[id_p] = tmp;
-						s_idp.Add(id_p);
-					}
+					ISet<string> tmp;
+					if (m_idp.TryGetValue(id_p, out tmp))
+                    {
+                        tmp.Add(sd_p);
+                    }
 					else
-					{
-						tmp = (ISet)m_idp[id_p];
-						tmp.Add(sd_p);
-					}
+                    {
+                        tmp = new HashSet<string>();
+                        tmp.Add(sd_p);
+                        m_idp[id_p] = tmp;
+                        s_idp.Add(id_p);
+                    }
 				}
 
-				IEnumerator it_idp = s_idp.GetEnumerator();
-				while (it_idp.MoveNext())
+				foreach (var id_p in s_idp)
 				{
-					string id_p = (string)it_idp.Current;
-
 					//
 					// (1)
 					//
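Review bot: The mapping loop decodes each entry with direct casts, `(Asn1Sequence)mappings[j]`, `(DerObjectIdentifier)mapping[0]` and `(DerObjectIdentifier)mapping[1]`. If `pm` is certificate-supplied data (where it is decoded is outside this hunk), an entry with the wrong element type or fewer than two elements would surface as an `InvalidCastException` or an index error instead of a validation failure. The neighbouring policy decoding rethrows as `PkixCertPathValidatorException(..., e, index)`; wrapping these three lines in a try/catch that does the same would keep malformed input on the validator's own error path. Separately, the added `TryGetValue` block is indented with spaces while the surrounding code uses tabs. The enclosing method starts and ends outside this hunk.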
@@ -1253,7 +1227,7 @@ namespace Org.BouncyCastle.Pkix
 							if (node.ValidPolicy.Equals(id_p))
 							{
 								idp_found = true;
-								node.ExpectedPolicies = (ISet)m_idp[id_p];
+								node.ExpectedPolicies = CollectionUtilities.GetValueOrNull(m_idp, id_p);
 								break;
 							}
 						}
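Review bot: `CollectionUtilities.GetValueOrNull(m_idp, id_p)` here, and again in the hunk that constructs `c_node`, suggests the lookup can miss. It cannot: `id_p` is taken from `s_idp`, which the mapping loop fills with exactly the keys it stores in `m_idp`. A null would not be harmless either, since the `ExpectedPolicies` setter in PkixPolicyNode.cs does `new HashSet<string>(value)`, which throws on null. Indexing directly, `node.ExpectedPolicies = m_idp[id_p];`, states the invariant, and iterating `m_idp` itself would make `s_idp` unnecessary.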
@@ -1264,7 +1238,6 @@ namespace Org.BouncyCastle.Pkix
 							{
 								if (ANY_POLICY.Equals(node.ValidPolicy))
 								{
-									ISet pq = null;
 									Asn1Sequence policies = null;
 									try
 									{
@@ -1277,6 +1250,8 @@ namespace Org.BouncyCastle.Pkix
 											"Certificate policies extension could not be decoded.", e, index);
 									}
 
+									ISet<PolicyQualifierInfo> pq = null;
+
 									foreach (Asn1Encodable ae in policies)
 									{
 										PolicyInformation pinfo = null;
@@ -1305,7 +1280,7 @@ namespace Org.BouncyCastle.Pkix
 										}
 									}
 									bool ci = false;
-									ISet critExtOids = cert.GetCriticalExtensionOids();
+									var critExtOids = cert.GetCriticalExtensionOids();
 									if (critExtOids != null)
 									{
 										ci = critExtOids.Contains(X509Extensions.CertificatePolicies.Id);
@@ -1315,7 +1290,7 @@ namespace Org.BouncyCastle.Pkix
 									if (ANY_POLICY.Equals(p_node.ValidPolicy))
 									{
 										var c_node = new PkixPolicyNode(new List<PkixPolicyNode>(), i,
-											(ISet)m_idp[id_p], p_node, pq, id_p, ci);
+											CollectionUtilities.GetValueOrNull(m_idp, id_p), p_node, pq, id_p, ci);
 										p_node.AddChild(c_node);
 										policyNodes[i].Add(c_node);
 									}
@@ -1398,16 +1373,16 @@ namespace Org.BouncyCastle.Pkix
 			return new []{ completeSet, deltaSet };
 		}
 
-		internal static ISet ProcessCrlA1i(
+		internal static ISet<X509Crl> ProcessCrlA1i(
 			DateTime		currentDate,
 			PkixParameters	paramsPKIX,
 			X509Certificate	cert,
 			X509Crl			crl)
 		{
-			ISet deltaSet = new HashSet();
+			var deltaSet = new HashSet<X509Crl>();
 			if (paramsPKIX.IsUseDeltasEnabled)
 			{
-				CrlDistPoint freshestCRL = null;
+				CrlDistPoint freshestCRL;
 				try
 				{
 					freshestCRL = CrlDistPoint.GetInstance(
@@ -1422,7 +1397,8 @@ namespace Org.BouncyCastle.Pkix
 				{
 					try
 					{
-						freshestCRL = CrlDistPoint.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(crl, X509Extensions.FreshestCrl));
+						freshestCRL = CrlDistPoint.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(crl,
+							X509Extensions.FreshestCrl));
 					}
 					catch (Exception e)
 					{
@@ -1433,7 +1409,8 @@ namespace Org.BouncyCastle.Pkix
 				{
 					try
 					{
-						PkixCertPathValidatorUtilities.AddAdditionalStoresFromCrlDistributionPoint(freshestCRL, paramsPKIX);
+						PkixCertPathValidatorUtilities.AddAdditionalStoresFromCrlDistributionPoint(freshestCRL,
+							paramsPKIX);
 					}
 					catch (Exception e)
 					{
@@ -1443,7 +1420,7 @@ namespace Org.BouncyCastle.Pkix
 					// get delta CRL(s)
 					try
 					{
-						deltaSet.AddAll(PkixCertPathValidatorUtilities.GetDeltaCrls(currentDate, paramsPKIX, crl));
+						deltaSet.UnionWith(PkixCertPathValidatorUtilities.GetDeltaCrls(currentDate, paramsPKIX, crl));
 					}
 					catch (Exception e)
 					{
@@ -1546,17 +1523,14 @@ namespace Org.BouncyCastle.Pkix
 			}
 		}
 
-		internal static int PrepareNextCertI1(
-			PkixCertPath	certPath,
-			int				index,
-			int				explicitPolicy)
+		internal static int PrepareNextCertI1(PkixCertPath certPath, int index, int explicitPolicy)
 		{
 			IList certs = certPath.Certificates;
 			X509Certificate cert = (X509Certificate)certs[index];
 			//
 			// (i)
 			//
-			Asn1Sequence pc = null;
+			Asn1Sequence pc;
 			try
 			{
                 pc = Asn1Sequence.GetInstance(
@@ -1862,7 +1836,7 @@ namespace Org.BouncyCastle.Pkix
 			//
 			bool[] _usage = cert.GetKeyUsage();
 
-			if ((_usage != null) && !_usage[Rfc3280CertPathUtilities.KEY_CERT_SIGN])
+			if ((_usage != null) && !_usage[KEY_CERT_SIGN])
 			{
 				throw new PkixCertPathValidatorException(
 					"Issuer certificate keyusage extension is critical and does not permit key signing.", null, index);
@@ -1872,7 +1846,7 @@ namespace Org.BouncyCastle.Pkix
 		internal static void PrepareNextCertO(
 			PkixCertPath	certPath,
 			int				index,
-			ISet			criticalExtensions,
+			ISet<string>	criticalExtensions,
 			IList			pathCheckers)
 			//throws CertPathValidatorException
 		{
@@ -1894,7 +1868,7 @@ namespace Org.BouncyCastle.Pkix
 					throw new PkixCertPathValidatorException(e.Message, e.InnerException, index);
 				}
 			}
-			if (!criticalExtensions.IsEmpty)
+			if (criticalExtensions.Count > 0)
 			{
 				throw new PkixCertPathValidatorException("Certificate has unsupported critical extension.", null, index);
 			}
@@ -1994,7 +1968,7 @@ namespace Org.BouncyCastle.Pkix
 			// (b)
 			//
 			int tmpInt;
-			Asn1Sequence pc = null;
+			Asn1Sequence pc;
 			try
 			{
                 pc = Asn1Sequence.GetInstance(
@@ -2039,7 +2013,7 @@ namespace Org.BouncyCastle.Pkix
 			PkixCertPath	certPath,
 			int				index,
 			IList			pathCheckers,
-			ISet			criticalExtensions)
+			ISet<string>	criticalExtensions)
 			//throws CertPathValidatorException
 		{
 			IList certs = certPath.Certificates;
@@ -2058,7 +2032,7 @@ namespace Org.BouncyCastle.Pkix
 				}
 			}
 
-			if (!criticalExtensions.IsEmpty)
+			if (criticalExtensions.Count > 0)
 			{
 				throw new PkixCertPathValidatorException("Certificate has unsupported critical extension",
 					null, index);
@@ -2066,8 +2040,8 @@ namespace Org.BouncyCastle.Pkix
 		}
 
 		internal static PkixPolicyNode WrapupCertG(PkixCertPath certPath, PkixParameters paramsPKIX,
-			ISet userInitialPolicySet, int index, IList<PkixPolicyNode>[] policyNodes, PkixPolicyNode validPolicyTree,
-			ISet acceptablePolicies)
+			ISet<string> userInitialPolicySet, int index, IList<PkixPolicyNode>[] policyNodes,
+			PkixPolicyNode validPolicyTree, ISet<string> acceptablePolicies)
 		{
 			int n = certPath.Certificates.Count;
 
@@ -2092,53 +2066,51 @@ namespace Org.BouncyCastle.Pkix
 			{
 				if (paramsPKIX.IsExplicitPolicyRequired)
 				{
-					if (acceptablePolicies.IsEmpty)
+					if (acceptablePolicies.Count < 1)
 					{
 						throw new PkixCertPathValidatorException(
 							"Explicit policy requested but none available.", null, index);
 					}
-					else
-					{
-						var _validPolicyNodeSet = new HashSet<PkixPolicyNode>();
 
-						foreach (var _nodeDepth in policyNodes)
-						{
-                            foreach (var _node in _nodeDepth)
-                            {
-								if (ANY_POLICY.Equals(_node.ValidPolicy))
+					var _validPolicyNodeSet = new HashSet<PkixPolicyNode>();
+
+					foreach (var _nodeDepth in policyNodes)
+					{
+                        foreach (var _node in _nodeDepth)
+                        {
+							if (ANY_POLICY.Equals(_node.ValidPolicy))
+							{
+								foreach (var o in _node.Children)
 								{
-									foreach (var o in _node.Children)
-									{
-										_validPolicyNodeSet.Add(o);
-									}
+									_validPolicyNodeSet.Add(o);
 								}
 							}
 						}
+					}
 
-						foreach (var _node in _validPolicyNodeSet)
+					foreach (var _node in _validPolicyNodeSet)
+					{
+						if (!acceptablePolicies.Contains(_node.ValidPolicy))
 						{
-							if (!acceptablePolicies.Contains(_node.ValidPolicy))
-							{
-								// TODO?
-								// validPolicyTree =
-								// removePolicyNode(validPolicyTree, policyNodes,
-								// _node);
-							}
+							// TODO?
+							// validPolicyTree =
+							// removePolicyNode(validPolicyTree, policyNodes,
+							// _node);
 						}
-						if (validPolicyTree != null)
+					}
+					if (validPolicyTree != null)
+					{
+						for (int j = n - 1; j >= 0; j--)
 						{
-							for (int j = n - 1; j >= 0; j--)
-							{
-								var nodes = policyNodes[j];
+							var nodes = policyNodes[j];
 
-								for (int k = 0; k < nodes.Count; k++)
+							for (int k = 0; k < nodes.Count; k++)
+							{
+								var node = nodes[k];
+								if (!node.HasChildren)
 								{
-									var node = nodes[k];
-									if (!node.HasChildren)
-									{
-										validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(
-											validPolicyTree, policyNodes, node);
-									}
+									validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode(
+										validPolicyTree, policyNodes, node);
 								}
 							}
 						}
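Review bot: The `foreach (var _node in _validPolicyNodeSet)` loop has no effect. The only content under `if (!acceptablePolicies.Contains(_node.ValidPolicy))` is the commented-out `removePolicyNode` call marked `TODO?`, so `_validPolicyNodeSet` is built and then never used. As written, nodes whose valid policy is not in `acceptablePolicies` are not pruned in this branch; only childless nodes are removed by the loop that follows. Since the hunk re-indents this block anyway, either implement the removal or replace the dead loop with a comment saying why pruning is skipped, so a reader of the policy wrap-up can tell which was intended. WrapupCertG continues outside this hunk.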
diff --git a/crypto/src/pkix/Rfc3281CertPathUtilities.cs b/crypto/src/pkix/Rfc3281CertPathUtilities.cs
index 2e1ee3898..39c03146c 100644
--- a/crypto/src/pkix/Rfc3281CertPathUtilities.cs
+++ b/crypto/src/pkix/Rfc3281CertPathUtilities.cs
@@ -23,7 +23,7 @@ namespace Org.BouncyCastle.Pkix
 			// AA Controls
 			// Attribute encryption
 			// Proxy
-			ISet critExtOids = attrCert.GetCriticalExtensionOids();
+			var critExtOids = attrCert.GetCriticalExtensionOids();
 
 			// 7.1
 			// process extensions
@@ -47,11 +47,10 @@ namespace Org.BouncyCastle.Pkix
 			{
 				checker.Check(attrCert, certPath, holderCertPath, critExtOids);
 			}
-			if (!critExtOids.IsEmpty)
+			if (critExtOids.Count > 0)
 			{
 				throw new PkixCertPathValidatorException(
-					"Attribute certificate contains unsupported critical extensions: "
-						+ critExtOids);
+					"Attribute certificate contains unsupported critical extensions: " + critExtOids);
 			}
 		}
 
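Review bot: The exception text built with `"...unsupported critical extensions: " + critExtOids` will probably no longer list the OIDs. Concatenation calls `ToString()` on the set, and if `GetCriticalExtensionOids()` now returns a `System.Collections.Generic.HashSet<string>` (its return type is not visible here), that prints the type name. `+ string.Join(", ", critExtOids)` would keep the offending extensions in the message. Elsewhere in this commit the result of `GetCriticalExtensionOids()` is null-checked before use; if the attribute-certificate version can also return null, `critExtOids.Count` needs the same guard. The enclosing method starts outside this hunk.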
@@ -276,7 +275,7 @@ namespace Org.BouncyCastle.Pkix
 			X509Certificate	acIssuerCert,
 			PkixParameters	pkixParams)
 		{
-			ISet set = pkixParams.GetTrustedACIssuers();
+			var set = pkixParams.GetTrustedACIssuers();
 			bool trusted = false;
 			foreach (TrustAnchor anchor in set)
 			{
@@ -352,7 +351,7 @@ namespace Org.BouncyCastle.Pkix
 		{
 			PkixCertPathBuilderResult result = null;
 			// find holder PKCs
-			ISet holderPKCs = new HashSet();
+			var holderPKCs = new HashSet<X509Certificate>();
 			if (attrCert.Holder.GetIssuer() != null)
 			{
 				X509CertStoreSelector selector = new X509CertStoreSelector();
@@ -360,14 +359,12 @@ namespace Org.BouncyCastle.Pkix
 				X509Name[] principals = attrCert.Holder.GetIssuer();
 				for (int i = 0; i < principals.Length; i++)
 				{
+					// TODO Replace loop with a single multiprincipal selector (or don't even use selector)
 					try
 					{
-//						if (principals[i] is X500Principal)
-						{
-							selector.Issuer = principals[i];
-						}
-						holderPKCs.AddAll(
-							PkixCertPathValidatorUtilities.FindCertificates(selector, pkixParams.GetStoresCert()));
+						selector.Issuer = principals[i];
+
+						CollectionUtilities.CollectMatches(holderPKCs, selector, pkixParams.GetStoresCert());
 					}
 					catch (Exception e)
 					{
@@ -376,7 +373,7 @@ namespace Org.BouncyCastle.Pkix
 							e);
 					}
 				}
-				if (holderPKCs.IsEmpty)
+				if (holderPKCs.Count < 1)
 				{
 					throw new PkixCertPathValidatorException(
 						"Public key certificate specified in base certificate ID for attribute certificate cannot be found.");
@@ -388,14 +385,12 @@ namespace Org.BouncyCastle.Pkix
 				X509Name[] principals = attrCert.Holder.GetEntityNames();
 				for (int i = 0; i < principals.Length; i++)
 				{
+					// TODO Replace loop with a single multiprincipal selector (or don't even use selector)
 					try
 					{
-//						if (principals[i] is X500Principal)
-						{
-							selector.Issuer = principals[i];
-						}
-						holderPKCs.AddAll(
-							PkixCertPathValidatorUtilities.FindCertificates(selector, pkixParams.GetStoresCert()));
+						selector.Issuer = principals[i];
+
+						CollectionUtilities.CollectMatches(holderPKCs, selector, pkixParams.GetStoresCert());
 					}
 					catch (Exception e)
 					{
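Review bot: In this loop the selector is filled with `selector.Issuer = principals[i];`, the same assignment the base-certificate-ID loop in the previous hunk uses, although `principals` here comes from `attrCert.Holder.GetEntityNames()`. That looks like it matches holder entity names against certificate issuers rather than subjects, which is worth confirming against the RFC 3281 holder rules. If it is not intended, the line would be `selector.Subject = principals[i];`. If it is intended, a comment such as `// entity names are deliberately matched on Issuer because ...` next to the new TODO would save the next reader the same question. The catch block of this try is in the next hunk.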
@@ -404,7 +399,7 @@ namespace Org.BouncyCastle.Pkix
 							e);
 					}
 				}
-				if (holderPKCs.IsEmpty)
+				if (holderPKCs.Count < 1)
 				{
 					throw new PkixCertPathValidatorException(
 						"Public key certificate specified in entity name for attribute certificate cannot be found.");
@@ -523,7 +518,7 @@ namespace Org.BouncyCastle.Pkix
 					}
 
 					// (f)
-					ISet keys = Rfc3280CertPathUtilities.ProcessCrlF(crl, attrCert,
+					var keys = Rfc3280CertPathUtilities.ProcessCrlF(crl, attrCert,
 						null, null, paramsPKIX, certPathCerts);
 					// (g)
 					AsymmetricKeyParameter pubKey = Rfc3280CertPathUtilities.ProcessCrlG(crl, keys);