diff options
author | Peter Dettman <peter.dettman@bouncycastle.org> | 2018-04-17 13:32:41 +0700 |
---|---|---|
committer | Peter Dettman <peter.dettman@bouncycastle.org> | 2018-04-17 13:32:41 +0700 |
commit | c1fe1982e3a7d0748e98ec4e4c54d098e74fc658 (patch) | |
tree | 00cc1ede3d38d257525270495a054d26cabe723d /crypto/src | |
parent | PKIX: explicit validation of version number and extension repeats (diff) | |
download | BouncyCastle.NET-ed25519-c1fe1982e3a7d0748e98ec4e4c54d098e74fc658.tar.xz |
PKIX: Allow a V0 TA to appear at end of the cert path.
Diffstat (limited to 'crypto/src')
-rw-r--r-- | crypto/src/pkix/PkixAttrCertPathBuilder.cs | 2 | ||||
-rw-r--r-- | crypto/src/pkix/PkixCertPathBuilder.cs | 2 | ||||
-rw-r--r-- | crypto/src/pkix/PkixCertPathValidator.cs | 4 | ||||
-rw-r--r-- | crypto/src/pkix/PkixCertPathValidatorUtilities.cs | 14 |
4 files changed, 20 insertions, 2 deletions
diff --git a/crypto/src/pkix/PkixAttrCertPathBuilder.cs b/crypto/src/pkix/PkixAttrCertPathBuilder.cs index 646cc5db5..3d5fa18e3 100644 --- a/crypto/src/pkix/PkixAttrCertPathBuilder.cs +++ b/crypto/src/pkix/PkixAttrCertPathBuilder.cs @@ -143,7 +143,7 @@ namespace Org.BouncyCastle.Pkix try { // check whether the issuer of <tbvCert> is a TrustAnchor - if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null) + if (PkixCertPathValidatorUtilities.IsIssuerTrustAnchor(tbvCert, pkixParams.GetTrustAnchors())) { PkixCertPath certPath = new PkixCertPath(tbvPath); PkixCertPathValidatorResult result; diff --git a/crypto/src/pkix/PkixCertPathBuilder.cs b/crypto/src/pkix/PkixCertPathBuilder.cs index fa38a5ec0..37a1c8c9c 100644 --- a/crypto/src/pkix/PkixCertPathBuilder.cs +++ b/crypto/src/pkix/PkixCertPathBuilder.cs @@ -118,7 +118,7 @@ namespace Org.BouncyCastle.Pkix try { // check whether the issuer of <tbvCert> is a TrustAnchor - if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null) + if (PkixCertPathValidatorUtilities.IsIssuerTrustAnchor(tbvCert, pkixParams.GetTrustAnchors())) { // exception message from possibly later tried certification // chains diff --git a/crypto/src/pkix/PkixCertPathValidator.cs b/crypto/src/pkix/PkixCertPathValidator.cs index 1d7c00d7d..64039f9f1 100644 --- a/crypto/src/pkix/PkixCertPathValidator.cs +++ b/crypto/src/pkix/PkixCertPathValidator.cs @@ -289,6 +289,10 @@ namespace Org.BouncyCastle.Pkix { if (cert != null && cert.Version == 1) { + // we've found the trust anchor at the top of the path, ignore and keep going + if ((i == 1) && cert.Equals(trust.TrustedCert)) + continue; + throw new PkixCertPathValidatorException( "Version 1 certificates can't be used as CA ones.", null, certPath, index); } diff --git a/crypto/src/pkix/PkixCertPathValidatorUtilities.cs b/crypto/src/pkix/PkixCertPathValidatorUtilities.cs index a2704a746..2ccaa32ce 100644 --- a/crypto/src/pkix/PkixCertPathValidatorUtilities.cs +++ b/crypto/src/pkix/PkixCertPathValidatorUtilities.cs @@ -143,6 +143,20 @@ namespace Org.BouncyCastle.Pkix return trust; } + internal static bool IsIssuerTrustAnchor( + X509Certificate cert, + ISet trustAnchors) + { + try + { + return FindTrustAnchor(cert, trustAnchors) != null; + } + catch (Exception e) + { + return false; + } + } + internal static void AddAdditionalStoresFromAltNames( X509Certificate cert, PkixParameters pkixParams) |