diff options
| -rw-r--r-- | crypto/src/pkix/PkixNameConstraintValidator.cs | 1395 |
1 files changed, 703 insertions, 692 deletions
diff --git a/crypto/src/pkix/PkixNameConstraintValidator.cs b/crypto/src/pkix/PkixNameConstraintValidator.cs index 85dac857b..0b9e30f19 100644 --- a/crypto/src/pkix/PkixNameConstraintValidator.cs +++ b/crypto/src/pkix/PkixNameConstraintValidator.cs @@ -94,14 +94,47 @@ namespace Org.BouncyCastle.Pkix return true; } + #region DN + + public void CheckExcludedDN(Asn1Sequence dn) + { + CheckExcludedDN(excludedSubtreesDN, dn); + } + public void CheckPermittedDN(Asn1Sequence dn) { - CheckPermittedDirectory(permittedSubtreesDN, dn); + CheckPermittedDN(permittedSubtreesDN, dn); } - public void CheckExcludedDN(Asn1Sequence dn) + private void CheckExcludedDN(ISet<Asn1Sequence> excluded, Asn1Sequence directory) + { + if (IsDNConstrained(excluded, directory)) + { + throw new PkixNameConstraintValidatorException( + "Subject distinguished name is from an excluded subtree"); + } + } + + private void CheckPermittedDN(ISet<Asn1Sequence> permitted, Asn1Sequence directory) { - CheckExcludedDirectory(excludedSubtreesDN, dn); + if (permitted != null + && !(directory.Count == 0 && permitted.Count < 1) + && !IsDNConstrained(permitted, directory)) + { + throw new PkixNameConstraintValidatorException( + "Subject distinguished name is not from a permitted subtree"); + } + } + + private bool IsDNConstrained(ISet<Asn1Sequence> constraints, Asn1Sequence directory) + { + foreach (var constraint in constraints) + { + if (WithinDNSubtree(directory, constraint)) + return true; + } + + return false; } private ISet<Asn1Sequence> IntersectDN(ISet<Asn1Sequence> permitted, ISet<GeneralSubtree> dns) @@ -168,6 +201,38 @@ namespace Org.BouncyCastle.Pkix return union; } + #endregion + + #region OtherName + + private void CheckExcludedOtherName(ISet<OtherName> excluded, OtherName name) + { + if (IsOtherNameConstrained(excluded, name)) + throw new PkixNameConstraintValidatorException("OtherName is from an excluded subtree."); + } + + private void CheckPermittedOtherName(ISet<OtherName> permitted, OtherName name) + { + if (permitted != null && !IsOtherNameConstrained(permitted, name)) + throw new PkixNameConstraintValidatorException("Subject OtherName is not from a permitted subtree."); + } + + private bool IsOtherNameConstrained(ISet<OtherName> constraints, OtherName otherName) + { + foreach (OtherName constraint in constraints) + { + if (IsOtherNameConstrained(constraint, otherName)) + return true; + } + + return false; + } + + private bool IsOtherNameConstrained(OtherName constraint, OtherName otherName) + { + return constraint.Equals(otherName); + } + private ISet<OtherName> IntersectOtherName(ISet<OtherName> permitted, ISet<GeneralSubtree> otherNames) { var intersect = new HashSet<OtherName>(); @@ -207,288 +272,38 @@ namespace Org.BouncyCastle.Pkix return union; } - private ISet<string> IntersectEmail(ISet<string> permitted, ISet<GeneralSubtree> emails) - { - var intersect = new HashSet<string>(); - foreach (GeneralSubtree subtree1 in emails) - { - string email = ExtractNameAsString(subtree1.Base); - - if (permitted == null) - { - if (email != null) - { - intersect.Add(email); - } - } - else - { - foreach (string _permitted in permitted) - { - IntersectEmail(email, _permitted, intersect); - } - } - } - return intersect; - } - - private ISet<string> UnionEmail(ISet<string> excluded, string email) - { - if (excluded.Count < 1) - { - if (email == null) - return excluded; - - excluded.Add(email); - return excluded; - } - - var union = new HashSet<string>(); - foreach (string _excluded in excluded) - { - UnionEmail(_excluded, email, union); - } - return union; - } - - /** - * Returns the intersection of the permitted IP ranges in - * <code>permitted</code> with <code>ip</code>. - * - * @param permitted A <code>Set</code> of permitted IP addresses with - * their subnet mask as byte arrays. - * @param ips The IP address with its subnet mask. - * @return The <code>Set</code> of permitted IP ranges intersected with - * <code>ip</code>. - */ - private ISet<byte[]> IntersectIP(ISet<byte[]> permitted, ISet<GeneralSubtree> ips) - { - var intersect = new HashSet<byte[]>(); - foreach (GeneralSubtree subtree in ips) - { - byte[] ip = Asn1OctetString.GetInstance(subtree.Base.Name).GetOctets(); - if (permitted == null) - { - if (ip != null) - { - intersect.Add(ip); - } - } - else - { - foreach (byte[] _permitted in permitted) - { - intersect.UnionWith(IntersectIPRange(_permitted, ip)); - } - } - } - return intersect; - } - - /** - * Returns the union of the excluded IP ranges in <code>excluded</code> - * with <code>ip</code>. - * - * @param excluded A <code>Set</code> of excluded IP addresses with their - * subnet mask as byte arrays. - * @param ip The IP address with its subnet mask. - * @return The <code>Set</code> of excluded IP ranges unified with - * <code>ip</code> as byte arrays. - */ - private ISet<byte[]> UnionIP(ISet<byte[]> excluded, byte[] ip) - { - if (excluded.Count < 1) - { - if (ip == null) - return excluded; - - excluded.Add(ip); - return excluded; - } - - var union = new HashSet<byte[]>(); - foreach (byte[] _excluded in excluded) - { - union.UnionWith(UnionIPRange(_excluded, ip)); - } - return union; - } - - /** - * Calculates the union if two IP ranges. - * - * @param ipWithSubmask1 The first IP address with its subnet mask. - * @param ipWithSubmask2 The second IP address with its subnet mask. - * @return A <code>Set</code> with the union of both addresses. - */ - private ISet<byte[]> UnionIPRange(byte[] ipWithSubmask1, byte[] ipWithSubmask2) - { - var set = new HashSet<byte[]>(); - // difficult, adding always all IPs is not wrong - if (Arrays.AreEqual(ipWithSubmask1, ipWithSubmask2)) - { - set.Add(ipWithSubmask1); - } - else - { - set.Add(ipWithSubmask1); - set.Add(ipWithSubmask2); - } - return set; - } - - /** - * Calculates the interesction if two IP ranges. - * - * @param ipWithSubmask1 The first IP address with its subnet mask. - * @param ipWithSubmask2 The second IP address with its subnet mask. - * @return A <code>Set</code> with the single IP address with its subnet - * mask as a byte array or an empty <code>Set</code>. - */ - private ISet<byte[]> IntersectIPRange(byte[] ipWithSubmask1, byte[] ipWithSubmask2) - { - if (ipWithSubmask1.Length != ipWithSubmask2.Length) - { - //Collections.EMPTY_SET; - return new HashSet<byte[]>(); - } + #endregion - byte[][] temp = ExtractIPsAndSubnetMasks(ipWithSubmask1, ipWithSubmask2); - byte[] ip1 = temp[0]; - byte[] subnetmask1 = temp[1]; - byte[] ip2 = temp[2]; - byte[] subnetmask2 = temp[3]; + #region Email - byte[][] minMax = MinMaxIPs(ip1, subnetmask1, ip2, subnetmask2); - byte[] min; - byte[] max; - max = Min(minMax[1], minMax[3]); - min = Max(minMax[0], minMax[2]); - - // minimum IP address must be bigger than max - if (CompareTo(min, max) == 1) - { - //return Collections.EMPTY_SET; - return new HashSet<byte[]>(); - } - // OR keeps all significant bits - byte[] ip = Or(minMax[0], minMax[2]); - byte[] subnetmask = Or(subnetmask1, subnetmask2); - - //return new HashSet( ICollectionsingleton(IpWithSubnetMask(ip, subnetmask)); - var hs = new HashSet<byte[]>(); - hs.Add(IpWithSubnetMask(ip, subnetmask)); - - return hs; - } - - /** - * Concatenates the IP address with its subnet mask. - * - * @param ip The IP address. - * @param subnetMask Its subnet mask. - * @return The concatenated IP address with its subnet mask. - */ - private byte[] IpWithSubnetMask(byte[] ip, byte[] subnetMask) - { - int ipLength = ip.Length; - byte[] temp = new byte[ipLength * 2]; - Array.Copy(ip, 0, temp, 0, ipLength); - Array.Copy(subnetMask, 0, temp, ipLength, ipLength); - return temp; - } - - /** - * Splits the IP addresses and their subnet mask. - * - * @param ipWithSubmask1 The first IP address with the subnet mask. - * @param ipWithSubmask2 The second IP address with the subnet mask. - * @return An array with two elements. Each element contains the IP address - * and the subnet mask in this order. - */ - private byte[][] ExtractIPsAndSubnetMasks( - byte[] ipWithSubmask1, - byte[] ipWithSubmask2) + private void CheckExcludedEmail(ISet<string> excluded, string email) { - int ipLength = ipWithSubmask1.Length / 2; - byte[] ip1 = new byte[ipLength]; - byte[] subnetmask1 = new byte[ipLength]; - Array.Copy(ipWithSubmask1, 0, ip1, 0, ipLength); - Array.Copy(ipWithSubmask1, ipLength, subnetmask1, 0, ipLength); - - byte[] ip2 = new byte[ipLength]; - byte[] subnetmask2 = new byte[ipLength]; - Array.Copy(ipWithSubmask2, 0, ip2, 0, ipLength); - Array.Copy(ipWithSubmask2, ipLength, subnetmask2, 0, ipLength); - return new byte[][]{ ip1, subnetmask1, ip2, subnetmask2 }; + if (IsEmailConstrained(excluded, email)) + throw new PkixNameConstraintValidatorException("Email address is from an excluded subtree."); } - /** - * Based on the two IP addresses and their subnet masks the IP range is - * computed for each IP address - subnet mask pair and returned as the - * minimum IP address and the maximum address of the range. - * - * @param ip1 The first IP address. - * @param subnetmask1 The subnet mask of the first IP address. - * @param ip2 The second IP address. - * @param subnetmask2 The subnet mask of the second IP address. - * @return A array with two elements. The first/second element contains the - * min and max IP address of the first/second IP address and its - * subnet mask. - */ - private byte[][] MinMaxIPs( - byte[] ip1, - byte[] subnetmask1, - byte[] ip2, - byte[] subnetmask2) + private void CheckPermittedEmail(ISet<string> permitted, string email) { - int ipLength = ip1.Length; - byte[] min1 = new byte[ipLength]; - byte[] max1 = new byte[ipLength]; - - byte[] min2 = new byte[ipLength]; - byte[] max2 = new byte[ipLength]; - - for (int i = 0; i < ipLength; i++) + if (permitted != null + && !(email.Length == 0 && permitted.Count < 1) + && !IsEmailConstrained(permitted, email)) { - min1[i] = (byte)(ip1[i] & subnetmask1[i]); - max1[i] = (byte)(ip1[i] & subnetmask1[i] | ~subnetmask1[i]); - - min2[i] = (byte)(ip2[i] & subnetmask2[i]); - max2[i] = (byte)(ip2[i] & subnetmask2[i] | ~subnetmask2[i]); + throw new PkixNameConstraintValidatorException( + "Subject email address is not from a permitted subtree."); } - - return new byte[][]{ min1, max1, min2, max2 }; - } - - private bool IsOtherNameConstrained(OtherName constraint, OtherName otherName) - { - return constraint.Equals(otherName); } - private bool IsOtherNameConstrained(ISet<OtherName> constraints, OtherName otherName) + private bool IsEmailConstrained(ISet<string> constraints, string email) { - foreach (OtherName constraint in constraints) + foreach (string constraint in constraints) { - if (IsOtherNameConstrained(constraint, otherName)) + if (IsEmailConstrained(constraint, email)) return true; } return false; } - private void CheckPermittedOtherName(ISet<OtherName> permitted, OtherName name) - { - if (permitted != null && !IsOtherNameConstrained(permitted, name)) - throw new PkixNameConstraintValidatorException("Subject OtherName is not from a permitted subtree."); - } - - private void CheckExcludedOtherName(ISet<OtherName> excluded, OtherName name) - { - if (IsOtherNameConstrained(excluded, name)) - throw new PkixNameConstraintValidatorException("OtherName is from an excluded subtree."); - } - private bool IsEmailConstrained(string constraint, string email) { string sub = email.Substring(email.IndexOf('@') + 1); @@ -512,261 +327,40 @@ namespace Org.BouncyCastle.Pkix return false; } - private bool IsEmailConstrained(ISet<string> constraints, string email) - { - foreach (string constraint in constraints) - { - if (IsEmailConstrained(constraint, email)) - return true; - } - - return false; - } - - private void CheckPermittedEmail(ISet<string> permitted, string email) - { - if (permitted != null - && !(email.Length == 0 && permitted.Count < 1) - && !IsEmailConstrained(permitted, email)) - { - throw new PkixNameConstraintValidatorException( - "Subject email address is not from a permitted subtree."); - } - } - - private void CheckExcludedEmail(ISet<string> excluded, string email) - { - if (IsEmailConstrained(excluded, email)) - throw new PkixNameConstraintValidatorException("Email address is from an excluded subtree."); - } - - private bool IsDnsConstrained(string constraint, string dns) - { - return WithinDomain(dns, constraint) || Platform.EqualsIgnoreCase(dns, constraint); - } - - private bool IsDnsConstrained(ISet<string> constraints, string dns) - { - foreach (var constraint in constraints) - { - if (IsDnsConstrained(constraint, dns)) - return true; - } - - return false; - } - - private void CheckPermittedDns(ISet<string> permitted, string dns) - { - if (permitted != null - && !(dns.Length == 0 && permitted.Count < 1) - && !IsDnsConstrained(permitted, dns)) - { - throw new PkixNameConstraintValidatorException("DNS is not from a permitted subtree."); - } - } - - private void CheckExcludedDns(ISet<string> excluded, string dns) - { - if (IsDnsConstrained(excluded, dns)) - throw new PkixNameConstraintValidatorException("DNS is from an excluded subtree."); - } - - private bool IsDirectoryConstrained(ISet<Asn1Sequence> constraints, Asn1Sequence directory) - { - foreach (var constraint in constraints) - { - if (WithinDNSubtree(directory, constraint)) - return true; - } - - return false; - } - - private void CheckPermittedDirectory(ISet<Asn1Sequence> permitted, Asn1Sequence directory) - { - if (permitted != null - && !(directory.Count == 0 && permitted.Count < 1) - && !IsDirectoryConstrained(permitted, directory)) - { - throw new PkixNameConstraintValidatorException( - "Subject distinguished name is not from a permitted subtree"); - } - } - - private void CheckExcludedDirectory(ISet<Asn1Sequence> excluded, Asn1Sequence directory) - { - if (IsDirectoryConstrained(excluded, directory)) - { - throw new PkixNameConstraintValidatorException( - "Subject distinguished name is from an excluded subtree"); - } - } - - private bool IsUriConstrained(string constraint, string uri) - { - string host = ExtractHostFromURL(uri); - - if (Platform.StartsWith(constraint, ".")) - { - // in sub domain or domain - return WithinDomain(host, constraint); - } - - // a host - return Platform.EqualsIgnoreCase(host, constraint); - } - - private bool IsUriConstrained(ISet<string> constraints, string uri) - { - foreach (string constraint in constraints) - { - if (IsUriConstrained(constraint, uri)) - return true; - } - - return false; - } - - private void CheckPermittedUri(ISet<string> permitted, string uri) - { - if (permitted != null - && !(uri.Length == 0 && permitted.Count < 1) - && !IsUriConstrained(permitted, uri)) - { - throw new PkixNameConstraintValidatorException("URI is not from a permitted subtree."); - } - } - - private void CheckExcludedUri(ISet<string> excluded, string uri) - { - if (IsUriConstrained(excluded, uri)) - throw new PkixNameConstraintValidatorException("URI is from an excluded subtree."); - } - - /** - * Checks if the IP address <code>ip</code> is constrained by - * <code>constraint</code>. - * - * @param constraint The constraint. This is an IP address concatenated with - * its subnetmask. - * @param ip The IP address. - * @return <code>true</code> if constrained, <code>false</code> - * otherwise. - */ - private bool IsIPConstrained(byte[] constraint, byte[] ip) - { - int ipLength = ip.Length; - if (ipLength != (constraint.Length / 2)) - return false; - - byte[] subnetMask = new byte[ipLength]; - Array.Copy(constraint, ipLength, subnetMask, 0, ipLength); - - byte[] permittedSubnetAddress = new byte[ipLength]; - - byte[] ipSubnetAddress = new byte[ipLength]; - - // the resulting IP address by applying the subnet mask - for (int i = 0; i < ipLength; i++) - { - permittedSubnetAddress[i] = (byte)(constraint[i] & subnetMask[i]); - ipSubnetAddress[i] = (byte)(ip[i] & subnetMask[i]); - } - - return Arrays.AreEqual(permittedSubnetAddress, ipSubnetAddress); - } - - private bool IsIPConstrained(ISet<byte[]> constraints, byte[] ip) - { - foreach (byte[] constraint in constraints) - { - if (IsIPConstrained(constraint, ip)) - return true; - } - - return false; - } - - /** - * Checks if the IP <code>ip</code> is included in the permitted ISet - * <code>permitted</code>. - * - * @param permitted A <code>Set</code> of permitted IP addresses with - * their subnet mask as byte arrays. - * @param ip The IP address. - * @throws PkixNameConstraintValidatorException - * if the IP is not permitted. - */ - private void CheckPermittedIP(ISet<byte[]> permitted, byte[] ip) - { - if (permitted != null - && !(ip.Length == 0 && permitted.Count < 1) - && !IsIPConstrained(permitted, ip)) - { - throw new PkixNameConstraintValidatorException("IP is not from a permitted subtree."); - } - } - - /** - * Checks if the IP <code>ip</code> is included in the excluded ISet - * <code>excluded</code>. - * - * @param excluded A <code>Set</code> of excluded IP addresses with their - * subnet mask as byte arrays. - * @param ip The IP address. - * @throws PkixNameConstraintValidatorException - * if the IP is excluded. - */ - private void CheckExcludedIP(ISet<byte[]> excluded, byte[] ip) - { - if (IsIPConstrained(excluded, ip)) - throw new PkixNameConstraintValidatorException("IP is from an excluded subtree."); - } - - private bool WithinDomain(string testDomain, string domain) + private ISet<string> IntersectEmail(ISet<string> permitted, ISet<GeneralSubtree> emails) { - string tempDomain = domain; - if (Platform.StartsWith(tempDomain, ".")) + var intersect = new HashSet<string>(); + foreach (GeneralSubtree subtree1 in emails) { - tempDomain = tempDomain.Substring(1); - } - - string[] domainParts = tempDomain.Split('.'); // Strings.split(tempDomain, '.'); - string[] testDomainParts = testDomain.Split('.'); // Strings.split(testDomain, '.'); - - // must have at least one subdomain - if (testDomainParts.Length <= domainParts.Length) - return false; + string email = ExtractNameAsString(subtree1.Base); - int d = testDomainParts.Length - domainParts.Length; - for (int i = -1; i < domainParts.Length; i++) - { - if (i == -1) + if (permitted == null) { - if (testDomainParts[i + d].Length < 1) + if (email != null) { - return false; + intersect.Add(email); } } - else if (!Platform.EqualsIgnoreCase(testDomainParts[i + d], domainParts[i])) + else { - return false; + foreach (string _permitted in permitted) + { + IntersectEmail(email, _permitted, intersect); + } } } - return true; + return intersect; } /** - * The common part of <code>email1</code> and <code>email2</code> is - * added to the union <code>union</code>. If <code>email1</code> and - * <code>email2</code> have nothing in common they are added both. + * The most restricting part from <code>email1</code> and + * <code>email2</code> is added to the intersection <code>intersect</code>. * - * @param email1 Email address constraint 1. - * @param email2 Email address constraint 2. - * @param union The union. + * @param email1 Email address constraint 1. + * @param email2 Email address constraint 2. + * @param intersect The intersection. */ - private void UnionEmail(string email1, string email2, ISet<string> union) + private void IntersectEmail(string email1, string email2, ISet<string> intersect) { // email1 is a particular address if (email1.IndexOf('@') != -1) @@ -777,12 +371,7 @@ namespace Org.BouncyCastle.Pkix { if (Platform.EqualsIgnoreCase(email1, email2)) { - union.Add(email1); - } - else - { - union.Add(email1); - union.Add(email2); + intersect.Add(email1); } } // email2 specifies a domain @@ -790,12 +379,7 @@ namespace Org.BouncyCastle.Pkix { if (WithinDomain(_sub, email2)) { - union.Add(email2); - } - else - { - union.Add(email1); - union.Add(email2); + intersect.Add(email1); } } // email2 specifies a particular host @@ -803,16 +387,11 @@ namespace Org.BouncyCastle.Pkix { if (Platform.EqualsIgnoreCase(_sub, email2)) { - union.Add(email2); - } - else - { - union.Add(email1); - union.Add(email2); + intersect.Add(email1); } } } - // email1 specifies a domain + // email specifies a domain else if (Platform.StartsWith(email1, ".")) { if (email2.IndexOf('@') != -1) @@ -820,12 +399,7 @@ namespace Org.BouncyCastle.Pkix string _sub = email2.Substring(email1.IndexOf('@') + 1); if (WithinDomain(_sub, email1)) { - union.Add(email1); - } - else - { - union.Add(email1); - union.Add(email2); + intersect.Add(email2); } } // email2 specifies a domain @@ -833,45 +407,30 @@ namespace Org.BouncyCastle.Pkix { if (WithinDomain(email1, email2) || Platform.EqualsIgnoreCase(email1, email2)) { - union.Add(email2); + intersect.Add(email1); } else if (WithinDomain(email2, email1)) { - union.Add(email1); - } - else - { - union.Add(email1); - union.Add(email2); + intersect.Add(email2); } } else { if (WithinDomain(email2, email1)) { - union.Add(email1); - } - else - { - union.Add(email1); - union.Add(email2); + intersect.Add(email2); } } } - // email specifies a host + // email1 specifies a host else { if (email2.IndexOf('@') != -1) { - string _sub = email2.Substring(email1.IndexOf('@') + 1); + string _sub = email2.Substring(email2.IndexOf('@') + 1); if (Platform.EqualsIgnoreCase(_sub, email1)) { - union.Add(email1); - } - else - { - union.Add(email1); - union.Add(email2); + intersect.Add(email2); } } // email2 specifies a domain @@ -879,12 +438,7 @@ namespace Org.BouncyCastle.Pkix { if (WithinDomain(email1, email2)) { - union.Add(email2); - } - else - { - union.Add(email1); - union.Add(email2); + intersect.Add(email1); } } // email2 specifies a particular host @@ -892,18 +446,41 @@ namespace Org.BouncyCastle.Pkix { if (Platform.EqualsIgnoreCase(email1, email2)) { - union.Add(email1); - } - else - { - union.Add(email1); - union.Add(email2); + intersect.Add(email1); } } } } - private void UnionUri(string email1, string email2, ISet<string> union) + private ISet<string> UnionEmail(ISet<string> excluded, string email) + { + if (excluded.Count < 1) + { + if (email == null) + return excluded; + + excluded.Add(email); + return excluded; + } + + var union = new HashSet<string>(); + foreach (string _excluded in excluded) + { + UnionEmail(_excluded, email, union); + } + return union; + } + + /** + * The common part of <code>email1</code> and <code>email2</code> is + * added to the union <code>union</code>. If <code>email1</code> and + * <code>email2</code> have nothing in common they are added both. + * + * @param email1 Email address constraint 1. + * @param email2 Email address constraint 2. + * @param union The union. + */ + private void UnionEmail(string email1, string email2, ISet<string> union) { // email1 is a particular address if (email1.IndexOf('@') != -1) @@ -946,7 +523,6 @@ namespace Org.BouncyCastle.Pkix { union.Add(email1); union.Add(email2); - } } } @@ -1041,6 +617,403 @@ namespace Org.BouncyCastle.Pkix } } + #endregion + + #region IP + + /** + * Checks if the IP <code>ip</code> is included in the excluded ISet + * <code>excluded</code>. + * + * @param excluded A <code>Set</code> of excluded IP addresses with their + * subnet mask as byte arrays. + * @param ip The IP address. + * @throws PkixNameConstraintValidatorException + * if the IP is excluded. + */ + private void CheckExcludedIP(ISet<byte[]> excluded, byte[] ip) + { + if (IsIPConstrained(excluded, ip)) + throw new PkixNameConstraintValidatorException("IP is from an excluded subtree."); + } + + /** + * Checks if the IP <code>ip</code> is included in the permitted ISet + * <code>permitted</code>. + * + * @param permitted A <code>Set</code> of permitted IP addresses with + * their subnet mask as byte arrays. + * @param ip The IP address. + * @throws PkixNameConstraintValidatorException + * if the IP is not permitted. + */ + private void CheckPermittedIP(ISet<byte[]> permitted, byte[] ip) + { + if (permitted != null + && !(ip.Length == 0 && permitted.Count < 1) + && !IsIPConstrained(permitted, ip)) + { + throw new PkixNameConstraintValidatorException("IP is not from a permitted subtree."); + } + } + + private bool IsIPConstrained(ISet<byte[]> constraints, byte[] ip) + { + foreach (byte[] constraint in constraints) + { + if (IsIPConstrained(constraint, ip)) + return true; + } + + return false; + } + + /** + * Checks if the IP address <code>ip</code> is constrained by + * <code>constraint</code>. + * + * @param constraint The constraint. This is an IP address concatenated with + * its subnetmask. + * @param ip The IP address. + * @return <code>true</code> if constrained, <code>false</code> + * otherwise. + */ + private bool IsIPConstrained(byte[] constraint, byte[] ip) + { + int ipLength = ip.Length; + if (ipLength != (constraint.Length / 2)) + return false; + + byte[] subnetMask = new byte[ipLength]; + Array.Copy(constraint, ipLength, subnetMask, 0, ipLength); + + byte[] permittedSubnetAddress = new byte[ipLength]; + + byte[] ipSubnetAddress = new byte[ipLength]; + + // the resulting IP address by applying the subnet mask + for (int i = 0; i < ipLength; i++) + { + permittedSubnetAddress[i] = (byte)(constraint[i] & subnetMask[i]); + ipSubnetAddress[i] = (byte)(ip[i] & subnetMask[i]); + } + + return Arrays.AreEqual(permittedSubnetAddress, ipSubnetAddress); + } + + /** + * Returns the intersection of the permitted IP ranges in + * <code>permitted</code> with <code>ip</code>. + * + * @param permitted A <code>Set</code> of permitted IP addresses with + * their subnet mask as byte arrays. + * @param ips The IP address with its subnet mask. + * @return The <code>Set</code> of permitted IP ranges intersected with + * <code>ip</code>. + */ + private ISet<byte[]> IntersectIP(ISet<byte[]> permitted, ISet<GeneralSubtree> ips) + { + var intersect = new HashSet<byte[]>(); + foreach (GeneralSubtree subtree in ips) + { + byte[] ip = Asn1OctetString.GetInstance(subtree.Base.Name).GetOctets(); + if (permitted == null) + { + if (ip != null) + { + intersect.Add(ip); + } + } + else + { + foreach (byte[] _permitted in permitted) + { + intersect.UnionWith(IntersectIPRange(_permitted, ip)); + } + } + } + return intersect; + } + + /** + * Calculates the interesction if two IP ranges. + * + * @param ipWithSubmask1 The first IP address with its subnet mask. + * @param ipWithSubmask2 The second IP address with its subnet mask. + * @return A <code>Set</code> with the single IP address with its subnet + * mask as a byte array or an empty <code>Set</code>. + */ + private ISet<byte[]> IntersectIPRange(byte[] ipWithSubmask1, byte[] ipWithSubmask2) + { + if (ipWithSubmask1.Length != ipWithSubmask2.Length) + return new HashSet<byte[]>(); + + byte[][] temp = ExtractIPsAndSubnetMasks(ipWithSubmask1, ipWithSubmask2); + byte[] ip1 = temp[0]; + byte[] subnetmask1 = temp[1]; + byte[] ip2 = temp[2]; + byte[] subnetmask2 = temp[3]; + + byte[][] minMax = MinMaxIPs(ip1, subnetmask1, ip2, subnetmask2); + byte[] min; + byte[] max; + max = Min(minMax[1], minMax[3]); + min = Max(minMax[0], minMax[2]); + + // minimum IP address must be bigger than max + if (CompareTo(min, max) == 1) + { + //return Collections.EMPTY_SET; + return new HashSet<byte[]>(); + } + // OR keeps all significant bits + byte[] ip = Or(minMax[0], minMax[2]); + byte[] subnetmask = Or(subnetmask1, subnetmask2); + + //return new HashSet( ICollectionsingleton(IpWithSubnetMask(ip, subnetmask)); + var hs = new HashSet<byte[]>(); + hs.Add(IpWithSubnetMask(ip, subnetmask)); + + return hs; + } + + /** + * Returns the union of the excluded IP ranges in <code>excluded</code> + * with <code>ip</code>. + * + * @param excluded A <code>Set</code> of excluded IP addresses with their + * subnet mask as byte arrays. + * @param ip The IP address with its subnet mask. + * @return The <code>Set</code> of excluded IP ranges unified with + * <code>ip</code> as byte arrays. + */ + private ISet<byte[]> UnionIP(ISet<byte[]> excluded, byte[] ip) + { + if (excluded.Count < 1) + { + if (ip == null) + return excluded; + + excluded.Add(ip); + return excluded; + } + + var union = new HashSet<byte[]>(); + foreach (byte[] _excluded in excluded) + { + union.UnionWith(UnionIPRange(_excluded, ip)); + } + return union; + } + + /** + * Calculates the union if two IP ranges. + * + * @param ipWithSubmask1 The first IP address with its subnet mask. + * @param ipWithSubmask2 The second IP address with its subnet mask. + * @return A <code>Set</code> with the union of both addresses. + */ + private ISet<byte[]> UnionIPRange(byte[] ipWithSubmask1, byte[] ipWithSubmask2) + { + var set = new HashSet<byte[]>(); + // difficult, adding always all IPs is not wrong + if (Arrays.AreEqual(ipWithSubmask1, ipWithSubmask2)) + { + set.Add(ipWithSubmask1); + } + else + { + set.Add(ipWithSubmask1); + set.Add(ipWithSubmask2); + } + return set; + } + + /** + * Concatenates the IP address with its subnet mask. + * + * @param ip The IP address. + * @param subnetMask Its subnet mask. + * @return The concatenated IP address with its subnet mask. + */ + private byte[] IpWithSubnetMask(byte[] ip, byte[] subnetMask) + { + int ipLength = ip.Length; + byte[] temp = new byte[ipLength * 2]; + Array.Copy(ip, 0, temp, 0, ipLength); + Array.Copy(subnetMask, 0, temp, ipLength, ipLength); + return temp; + } + + /** + * Splits the IP addresses and their subnet mask. + * + * @param ipWithSubmask1 The first IP address with the subnet mask. + * @param ipWithSubmask2 The second IP address with the subnet mask. + * @return An array with two elements. Each element contains the IP address + * and the subnet mask in this order. + */ + private byte[][] ExtractIPsAndSubnetMasks( + byte[] ipWithSubmask1, + byte[] ipWithSubmask2) + { + int ipLength = ipWithSubmask1.Length / 2; + byte[] ip1 = new byte[ipLength]; + byte[] subnetmask1 = new byte[ipLength]; + Array.Copy(ipWithSubmask1, 0, ip1, 0, ipLength); + Array.Copy(ipWithSubmask1, ipLength, subnetmask1, 0, ipLength); + + byte[] ip2 = new byte[ipLength]; + byte[] subnetmask2 = new byte[ipLength]; + Array.Copy(ipWithSubmask2, 0, ip2, 0, ipLength); + Array.Copy(ipWithSubmask2, ipLength, subnetmask2, 0, ipLength); + return new byte[][]{ ip1, subnetmask1, ip2, subnetmask2 }; + } + + /** + * Based on the two IP addresses and their subnet masks the IP range is + * computed for each IP address - subnet mask pair and returned as the + * minimum IP address and the maximum address of the range. + * + * @param ip1 The first IP address. + * @param subnetmask1 The subnet mask of the first IP address. + * @param ip2 The second IP address. + * @param subnetmask2 The subnet mask of the second IP address. + * @return A array with two elements. The first/second element contains the + * min and max IP address of the first/second IP address and its + * subnet mask. + */ + private byte[][] MinMaxIPs( + byte[] ip1, + byte[] subnetmask1, + byte[] ip2, + byte[] subnetmask2) + { + int ipLength = ip1.Length; + byte[] min1 = new byte[ipLength]; + byte[] max1 = new byte[ipLength]; + + byte[] min2 = new byte[ipLength]; + byte[] max2 = new byte[ipLength]; + + for (int i = 0; i < ipLength; i++) + { + min1[i] = (byte)(ip1[i] & subnetmask1[i]); + max1[i] = (byte)(ip1[i] & subnetmask1[i] | ~subnetmask1[i]); + + min2[i] = (byte)(ip2[i] & subnetmask2[i]); + max2[i] = (byte)(ip2[i] & subnetmask2[i] | ~subnetmask2[i]); + } + + return new byte[][]{ min1, max1, min2, max2 }; + } + + /** + * Returns the maximum IP address. + * + * @param ip1 The first IP address. + * @param ip2 The second IP address. + * @return The maximum IP address. + */ + private static byte[] Max(byte[] ip1, byte[] ip2) + { + for (int i = 0; i < ip1.Length; i++) + { + if (ip1[i] > ip2[i]) + return ip1; + } + return ip2; + } + + /** + * Returns the minimum IP address. + * + * @param ip1 The first IP address. + * @param ip2 The second IP address. + * @return The minimum IP address. + */ + private static byte[] Min(byte[] ip1, byte[] ip2) + { + for (int i = 0; i < ip1.Length; i++) + { + if (ip1[i] < ip2[i]) + return ip1; + } + return ip2; + } + + /** + * Compares IP address <code>ip1</code> with <code>ip2</code>. If ip1 + * is equal to ip2 0 is returned. If ip1 is bigger 1 is returned, -1 + * otherwise. + * + * @param ip1 The first IP address. + * @param ip2 The second IP address. + * @return 0 if ip1 is equal to ip2, 1 if ip1 is bigger, -1 otherwise. + */ + private static int CompareTo(byte[] ip1, byte[] ip2) + { + if (Arrays.AreEqual(ip1, ip2)) + return 0; + if (Arrays.AreEqual(Max(ip1, ip2), ip1)) + return 1; + return -1; + } + + /** + * Returns the logical OR of the IP addresses <code>ip1</code> and + * <code>ip2</code>. + * + * @param ip1 The first IP address. + * @param ip2 The second IP address. + * @return The OR of <code>ip1</code> and <code>ip2</code>. + */ + private static byte[] Or(byte[] ip1, byte[] ip2) + { + byte[] temp = new byte[ip1.Length]; + for (int i = 0; i < ip1.Length; i++) + { + temp[i] = (byte)(ip1[i] | ip2[i]); + } + return temp; + } + + #endregion + + #region Dns + + private void CheckExcludedDns(ISet<string> excluded, string dns) + { + if (IsDnsConstrained(excluded, dns)) + throw new PkixNameConstraintValidatorException("DNS is from an excluded subtree."); + } + + private void CheckPermittedDns(ISet<string> permitted, string dns) + { + if (permitted != null + && !(dns.Length == 0 && permitted.Count < 1) + && !IsDnsConstrained(permitted, dns)) + { + throw new PkixNameConstraintValidatorException("DNS is not from a permitted subtree."); + } + } + + private bool IsDnsConstrained(ISet<string> constraints, string dns) + { + foreach (var constraint in constraints) + { + if (IsDnsConstrained(constraint, dns)) + return true; + } + + return false; + } + + private bool IsDnsConstrained(string constraint, string dns) + { + return WithinDomain(dns, constraint) || Platform.EqualsIgnoreCase(dns, constraint); + } + private ISet<string> IntersectDns(ISet<string> permitted, ISet<GeneralSubtree> dnss) { var intersect = new HashSet<string>(); @@ -1103,15 +1076,76 @@ namespace Org.BouncyCastle.Pkix return union; } - /** - * The most restricting part from <code>email1</code> and - * <code>email2</code> is added to the intersection <code>intersect</code>. - * - * @param email1 Email address constraint 1. - * @param email2 Email address constraint 2. - * @param intersect The intersection. - */ - private void IntersectEmail(string email1, string email2, ISet<string> intersect) + #endregion + + #region Uri + + private void CheckExcludedUri(ISet<string> excluded, string uri) + { + if (IsUriConstrained(excluded, uri)) + throw new PkixNameConstraintValidatorException("URI is from an excluded subtree."); + } + + private void CheckPermittedUri(ISet<string> permitted, string uri) + { + if (permitted != null + && !(uri.Length == 0 && permitted.Count < 1) + && !IsUriConstrained(permitted, uri)) + { + throw new PkixNameConstraintValidatorException("URI is not from a permitted subtree."); + } + } + + private bool IsUriConstrained(ISet<string> constraints, string uri) + { + foreach (string constraint in constraints) + { + if (IsUriConstrained(constraint, uri)) + return true; + } + + return false; + } + + private bool IsUriConstrained(string constraint, string uri) + { + string host = ExtractHostFromURL(uri); + + if (Platform.StartsWith(constraint, ".")) + { + // in sub domain or domain + return WithinDomain(host, constraint); + } + + // a host + return Platform.EqualsIgnoreCase(host, constraint); + } + + private ISet<string> IntersectUri(ISet<string> permitted, ISet<GeneralSubtree> uris) + { + var intersect = new HashSet<string>(); + foreach (GeneralSubtree subtree in uris) + { + string uri = ExtractNameAsString(subtree.Base); + if (permitted == null) + { + if (uri != null) + { + intersect.Add(uri); + } + } + else + { + foreach (string _permitted in permitted) + { + IntersectUri(_permitted, uri, intersect); + } + } + } + return intersect; + } + + private void IntersectUri(string email1, string email2, ISet<string> intersect) { // email1 is a particular address if (email1.IndexOf('@') != -1) @@ -1203,30 +1237,6 @@ namespace Org.BouncyCastle.Pkix } } - private ISet<string> IntersectUri(ISet<string> permitted, ISet<GeneralSubtree> uris) - { - var intersect = new HashSet<string>(); - foreach (GeneralSubtree subtree in uris) - { - string uri = ExtractNameAsString(subtree.Base); - if (permitted == null) - { - if (uri != null) - { - intersect.Add(uri); - } - } - else - { - foreach (string _permitted in permitted) - { - IntersectUri(_permitted, uri, intersect); - } - } - } - return intersect; - } - private ISet<string> UnionUri(ISet<string> excluded, string uri) { if (excluded.Count < 1) @@ -1246,7 +1256,7 @@ namespace Org.BouncyCastle.Pkix return union; } - private void IntersectUri(string email1, string email2, ISet<string> intersect) + private void UnionUri(string email1, string email2, ISet<string> union) { // email1 is a particular address if (email1.IndexOf('@') != -1) @@ -1257,7 +1267,12 @@ namespace Org.BouncyCastle.Pkix { if (Platform.EqualsIgnoreCase(email1, email2)) { - intersect.Add(email1); + union.Add(email1); + } + else + { + union.Add(email1); + union.Add(email2); } } // email2 specifies a domain @@ -1265,7 +1280,12 @@ namespace Org.BouncyCastle.Pkix { if (WithinDomain(_sub, email2)) { - intersect.Add(email1); + union.Add(email2); + } + else + { + union.Add(email1); + union.Add(email2); } } // email2 specifies a particular host @@ -1273,11 +1293,17 @@ namespace Org.BouncyCastle.Pkix { if (Platform.EqualsIgnoreCase(_sub, email2)) { - intersect.Add(email1); + union.Add(email2); + } + else + { + union.Add(email1); + union.Add(email2); + } } } - // email specifies a domain + // email1 specifies a domain else if (Platform.StartsWith(email1, ".")) { if (email2.IndexOf('@') != -1) @@ -1285,7 +1311,12 @@ namespace Org.BouncyCastle.Pkix string _sub = email2.Substring(email1.IndexOf('@') + 1); if (WithinDomain(_sub, email1)) { - intersect.Add(email2); + union.Add(email1); + } + else + { + union.Add(email1); + union.Add(email2); } } // email2 specifies a domain @@ -1293,30 +1324,45 @@ namespace Org.BouncyCastle.Pkix { if (WithinDomain(email1, email2) || Platform.EqualsIgnoreCase(email1, email2)) { - intersect.Add(email1); + union.Add(email2); } else if (WithinDomain(email2, email1)) { - intersect.Add(email2); + union.Add(email1); + } + else + { + union.Add(email1); + union.Add(email2); } } else { if (WithinDomain(email2, email1)) { - intersect.Add(email2); + union.Add(email1); + } + else + { + union.Add(email1); + union.Add(email2); } } } - // email1 specifies a host + // email specifies a host else { if (email2.IndexOf('@') != -1) { - string _sub = email2.Substring(email2.IndexOf('@') + 1); + string _sub = email2.Substring(email1.IndexOf('@') + 1); if (Platform.EqualsIgnoreCase(_sub, email1)) { - intersect.Add(email2); + union.Add(email1); + } + else + { + union.Add(email1); + union.Add(email2); } } // email2 specifies a domain @@ -1324,7 +1370,12 @@ namespace Org.BouncyCastle.Pkix { if (WithinDomain(email1, email2)) { - intersect.Add(email1); + union.Add(email2); + } + else + { + union.Add(email1); + union.Add(email2); } } // email2 specifies a particular host @@ -1332,7 +1383,12 @@ namespace Org.BouncyCastle.Pkix { if (Platform.EqualsIgnoreCase(email1, email2)) { - intersect.Add(email1); + union.Add(email1); + } + else + { + union.Add(email1); + union.Add(email2); } } } @@ -1365,6 +1421,39 @@ namespace Org.BouncyCastle.Pkix return sub; } + #endregion + + private bool WithinDomain(string testDomain, string domain) + { + string tempDomain = domain; + if (Platform.StartsWith(tempDomain, ".")) + { + tempDomain = tempDomain.Substring(1); + } + + string[] domainParts = tempDomain.Split('.'); // Strings.split(tempDomain, '.'); + string[] testDomainParts = testDomain.Split('.'); // Strings.split(testDomain, '.'); + + // must have at least one subdomain + if (testDomainParts.Length <= domainParts.Length) + return false; + + int d = testDomainParts.Length - domainParts.Length; + for (int i = -1; i < domainParts.Length; i++) + { + if (i == -1) + { + if (testDomainParts[i + d].Length < 1) + return false; + } + else if (!Platform.EqualsIgnoreCase(testDomainParts[i + d], domainParts[i])) + { + return false; + } + } + return true; + } + /// <exception cref="PkixNameConstraintValidatorException"/> [Obsolete("Use 'CheckPermittedName' instead")] public void checkPermitted(GeneralName name) @@ -1569,84 +1658,6 @@ namespace Org.BouncyCastle.Pkix } } - /** - * Returns the maximum IP address. - * - * @param ip1 The first IP address. - * @param ip2 The second IP address. - * @return The maximum IP address. - */ - private static byte[] Max(byte[] ip1, byte[] ip2) - { - for (int i = 0; i < ip1.Length; i++) - { - if ((ip1[i] & 0xFFFF) > (ip2[i] & 0xFFFF)) - { - return ip1; - } - } - return ip2; - } - - /** - * Returns the minimum IP address. - * - * @param ip1 The first IP address. - * @param ip2 The second IP address. - * @return The minimum IP address. - */ - private static byte[] Min(byte[] ip1, byte[] ip2) - { - for (int i = 0; i < ip1.Length; i++) - { - if ((ip1[i] & 0xFFFF) < (ip2[i] & 0xFFFF)) - { - return ip1; - } - } - return ip2; - } - - /** - * Compares IP address <code>ip1</code> with <code>ip2</code>. If ip1 - * is equal to ip2 0 is returned. If ip1 is bigger 1 is returned, -1 - * otherwise. - * - * @param ip1 The first IP address. - * @param ip2 The second IP address. - * @return 0 if ip1 is equal to ip2, 1 if ip1 is bigger, -1 otherwise. - */ - private static int CompareTo(byte[] ip1, byte[] ip2) - { - if (Org.BouncyCastle.Utilities.Arrays.AreEqual(ip1, ip2)) - { - return 0; - } - if (Org.BouncyCastle.Utilities.Arrays.AreEqual(Max(ip1, ip2), ip1)) - { - return 1; - } - return -1; - } - - /** - * Returns the logical OR of the IP addresses <code>ip1</code> and - * <code>ip2</code>. - * - * @param ip1 The first IP address. - * @param ip2 The second IP address. - * @return The OR of <code>ip1</code> and <code>ip2</code>. - */ - private static byte[] Or(byte[] ip1, byte[] ip2) - { - byte[] temp = new byte[ip1.Length]; - for (int i = 0; i < ip1.Length; i++) - { - temp[i] = (byte)(ip1[i] | ip2[i]); - } - return temp; - } - public override int GetHashCode() { return HashCollection(excludedSubtreesDN) |