diff options
-rw-r--r-- | crypto/BouncyCastle.Android.csproj | 1 | ||||
-rw-r--r-- | crypto/BouncyCastle.csproj | 1 | ||||
-rw-r--r-- | crypto/BouncyCastle.iOS.csproj | 1 | ||||
-rw-r--r-- | crypto/crypto.csproj | 5 | ||||
-rw-r--r-- | crypto/src/asn1/x509/OtherName.cs | 71 | ||||
-rw-r--r-- | crypto/src/pkix/PkixNameConstraintValidator.cs | 1045 | ||||
-rw-r--r-- | crypto/test/src/test/PkixNameConstraintsTest.cs | 31 |
7 files changed, 628 insertions, 527 deletions
diff --git a/crypto/BouncyCastle.Android.csproj b/crypto/BouncyCastle.Android.csproj index 96d3f7cb6..08d105ada 100644 --- a/crypto/BouncyCastle.Android.csproj +++ b/crypto/BouncyCastle.Android.csproj @@ -435,6 +435,7 @@ <Compile Include="src\asn1\x509\NameConstraints.cs" /> <Compile Include="src\asn1\x509\NoticeReference.cs" /> <Compile Include="src\asn1\x509\ObjectDigestInfo.cs" /> + <Compile Include="src\asn1\x509\OtherName.cs" /> <Compile Include="src\asn1\x509\PolicyInformation.cs" /> <Compile Include="src\asn1\x509\PolicyMappings.cs" /> <Compile Include="src\asn1\x509\PolicyQualifierId.cs" /> diff --git a/crypto/BouncyCastle.csproj b/crypto/BouncyCastle.csproj index 0183d97ab..95a38e29b 100644 --- a/crypto/BouncyCastle.csproj +++ b/crypto/BouncyCastle.csproj @@ -429,6 +429,7 @@ <Compile Include="src\asn1\x509\NameConstraints.cs" /> <Compile Include="src\asn1\x509\NoticeReference.cs" /> <Compile Include="src\asn1\x509\ObjectDigestInfo.cs" /> + <Compile Include="src\asn1\x509\OtherName.cs" /> <Compile Include="src\asn1\x509\PolicyInformation.cs" /> <Compile Include="src\asn1\x509\PolicyMappings.cs" /> <Compile Include="src\asn1\x509\PolicyQualifierId.cs" /> diff --git a/crypto/BouncyCastle.iOS.csproj b/crypto/BouncyCastle.iOS.csproj index f58ee2ec6..83f03b4ce 100644 --- a/crypto/BouncyCastle.iOS.csproj +++ b/crypto/BouncyCastle.iOS.csproj @@ -430,6 +430,7 @@ <Compile Include="src\asn1\x509\NameConstraints.cs" /> <Compile Include="src\asn1\x509\NoticeReference.cs" /> <Compile Include="src\asn1\x509\ObjectDigestInfo.cs" /> + <Compile Include="src\asn1\x509\OtherName.cs" /> <Compile Include="src\asn1\x509\PolicyInformation.cs" /> <Compile Include="src\asn1\x509\PolicyMappings.cs" /> <Compile Include="src\asn1\x509\PolicyQualifierId.cs" /> diff --git a/crypto/crypto.csproj b/crypto/crypto.csproj index d7034cad7..c40c55117 100644 --- a/crypto/crypto.csproj +++ b/crypto/crypto.csproj @@ -2034,6 +2034,11 @@ BuildAction = "Compile" /> <File + RelPath = "src\asn1\x509\OtherName.cs" + SubType = "Code" + BuildAction = "Compile" + /> + <File RelPath = "src\asn1\x509\PolicyInformation.cs" SubType = "Code" BuildAction = "Compile" diff --git a/crypto/src/asn1/x509/OtherName.cs b/crypto/src/asn1/x509/OtherName.cs new file mode 100644 index 000000000..3e6a61499 --- /dev/null +++ b/crypto/src/asn1/x509/OtherName.cs @@ -0,0 +1,71 @@ +using System; + +namespace Org.BouncyCastle.Asn1.X509 +{ + /** + * The OtherName object. + * <pre> + * OtherName ::= SEQUENCE { + * type-id OBJECT IDENTIFIER, + * value [0] EXPLICIT ANY DEFINED BY type-id } + * </pre> + */ + public class OtherName + : Asn1Encodable + { + private readonly DerObjectIdentifier typeID; + private readonly Asn1Encodable value; + + /** + * OtherName factory method. + * @param obj the object used to construct an instance of <code> + * OtherName</code>. It must be an instance of <code>OtherName + * </code> or <code>ASN1Sequence</code>. + * @return the instance of <code>OtherName</code> built from the + * supplied object. + * @throws java.lang.IllegalArgumentException if the object passed + * to the factory is not an instance of <code>OtherName</code> or something that + * can be converted into an appropriate <code>ASN1Sequence</code>. + */ + public static OtherName GetInstance(object obj) + { + if (obj is OtherName) + return (OtherName)obj; + if (obj == null) + return null; + return new OtherName(Asn1Sequence.GetInstance(obj)); + } + + /** + * Base constructor. + * @param typeID the type of the other name. + * @param value the ANY object that represents the value. + */ + public OtherName(DerObjectIdentifier typeID, Asn1Encodable value) + { + this.typeID = typeID; + this.value = value; + } + + private OtherName(Asn1Sequence seq) + { + this.typeID = DerObjectIdentifier.GetInstance(seq[0]); + this.value = DerTaggedObject.GetInstance(seq[1]).GetObject(); // explicitly tagged + } + + public virtual DerObjectIdentifier TypeID + { + get { return typeID; } + } + + public Asn1Encodable Value + { + get { return value; } + } + + public override Asn1Object ToAsn1Object() + { + return new DerSequence(typeID, new DerTaggedObject(true, 0, value)); + } + } +} diff --git a/crypto/src/pkix/PkixNameConstraintValidator.cs b/crypto/src/pkix/PkixNameConstraintValidator.cs index fbec6fb72..dbf7625c6 100644 --- a/crypto/src/pkix/PkixNameConstraintValidator.cs +++ b/crypto/src/pkix/PkixNameConstraintValidator.cs @@ -1,5 +1,6 @@ using System; using System.Collections; +using System.IO; using Org.BouncyCastle.Asn1; using Org.BouncyCastle.Asn1.X500; @@ -7,6 +8,7 @@ using Org.BouncyCastle.Asn1.X500.Style; using Org.BouncyCastle.Asn1.X509; using Org.BouncyCastle.Utilities; using Org.BouncyCastle.Utilities.Collections; +using Org.BouncyCastle.Utilities.Encoders; namespace Org.BouncyCastle.Pkix { @@ -26,6 +28,8 @@ namespace Org.BouncyCastle.Pkix private ISet excludedSubtreesIP = new HashSet(); + private ISet excludedSubtreesOtherName = new HashSet(); + private ISet permittedSubtreesDN; private ISet permittedSubtreesDNS; @@ -36,6 +40,8 @@ namespace Org.BouncyCastle.Pkix private ISet permittedSubtreesIP; + private ISet permittedSubtreesOtherName; + public PkixNameConstraintValidator() { } @@ -91,97 +97,42 @@ namespace Org.BouncyCastle.Pkix return true; } - public void CheckPermittedDN(Asn1Sequence dns) - //throws PkixNameConstraintValidatorException - { - CheckPermittedDN(permittedSubtreesDN, dns); - } - - public void CheckExcludedDN(Asn1Sequence dns) - //throws PkixNameConstraintValidatorException + public void CheckPermittedDN(Asn1Sequence dn) { - CheckExcludedDN(excludedSubtreesDN, dns); + CheckPermittedDirectory(permittedSubtreesDN, dn); } - private void CheckPermittedDN(ISet permitted, Asn1Sequence dns) - //throws PkixNameConstraintValidatorException - { - if (permitted == null) - { - return; - } - - if ((permitted.Count == 0) && dns.Count == 0) - { - return; - } - - IEnumerator it = permitted.GetEnumerator(); - - while (it.MoveNext()) - { - Asn1Sequence subtree = (Asn1Sequence)it.Current; - - if (WithinDNSubtree(dns, subtree)) - { - return; - } - } - - throw new PkixNameConstraintValidatorException( - "Subject distinguished name is not from a permitted subtree"); - } - - private void CheckExcludedDN(ISet excluded, Asn1Sequence dns) - //throws PkixNameConstraintValidatorException + public void CheckExcludedDN(Asn1Sequence dn) { - if (excluded.IsEmpty) - { - return; - } - - IEnumerator it = excluded.GetEnumerator(); - - while (it.MoveNext()) - { - Asn1Sequence subtree = (Asn1Sequence)it.Current; - - if (WithinDNSubtree(dns, subtree)) - { - throw new PkixNameConstraintValidatorException( - "Subject distinguished name is from an excluded subtree"); - } - } + CheckExcludedDirectory(excludedSubtreesDN, dn); } private ISet IntersectDN(ISet permitted, ISet dns) { ISet intersect = new HashSet(); - for (IEnumerator it = dns.GetEnumerator(); it.MoveNext(); ) + foreach (GeneralSubtree subtree1 in dns) { - Asn1Sequence dn = Asn1Sequence.GetInstance(((GeneralSubtree)it - .Current).Base.Name.ToAsn1Object()); + Asn1Sequence dn1 = Asn1Sequence.GetInstance(subtree1.Base.Name); if (permitted == null) { - if (dn != null) + if (dn1 != null) { - intersect.Add(dn); + intersect.Add(dn1); } } else { - IEnumerator _iter = permitted.GetEnumerator(); - while (_iter.MoveNext()) + foreach (object obj2 in permitted) { - Asn1Sequence subtree = (Asn1Sequence)_iter.Current; + Asn1Sequence dn2 = Asn1Sequence.GetInstance(obj2); - if (WithinDNSubtree(dn, subtree)) + if (WithinDNSubtree(dn1, dn2)) { - intersect.Add(dn); + intersect.Add(dn1); } - else if (WithinDNSubtree(subtree, dn)) + else if (WithinDNSubtree(dn2, dn1)) { - intersect.Add(subtree); + intersect.Add(dn2); } } } @@ -194,48 +145,87 @@ namespace Org.BouncyCastle.Pkix if (excluded.IsEmpty) { if (dn == null) - { return excluded; - } - excluded.Add(dn); + excluded.Add(dn); return excluded; } else { - ISet intersect = new HashSet(); + ISet union = new HashSet(); - IEnumerator it = excluded.GetEnumerator(); - while (it.MoveNext()) + foreach (object obj in excluded) { - Asn1Sequence subtree = (Asn1Sequence)it.Current; + Asn1Sequence subtree = Asn1Sequence.GetInstance(obj); if (WithinDNSubtree(dn, subtree)) { - intersect.Add(subtree); + union.Add(subtree); } else if (WithinDNSubtree(subtree, dn)) { - intersect.Add(dn); + union.Add(dn); } else { - intersect.Add(subtree); - intersect.Add(dn); + union.Add(subtree); + union.Add(dn); + } + } + + return union; + } + } + + private ISet IntersectOtherName(ISet permitted, ISet otherNames) + { + ISet intersect = new HashSet(); + foreach (GeneralSubtree subtree1 in otherNames) + { + OtherName otherName1 = OtherName.GetInstance(subtree1.Base.Name); + if (otherName1 == null) + continue; + + if (permitted == null) + { + intersect.Add(otherName1); + } + else + { + foreach (object obj2 in permitted) + { + OtherName otherName2 = OtherName.GetInstance(obj2); + if (otherName2 == null) + continue; + + IntersectOtherName(otherName1, otherName2, intersect); } } + } + return intersect; + } - return intersect; + private void IntersectOtherName(OtherName otherName1, OtherName otherName2, ISet intersect) + { + if (otherName1.Equals(otherName2)) + { + intersect.Add(otherName1); } } + private ISet UnionOtherName(ISet permitted, OtherName otherName) + { + ISet union = permitted != null ? new HashSet(permitted) : new HashSet(); + union.Add(otherName); + return union; + } + private ISet IntersectEmail(ISet permitted, ISet emails) { ISet intersect = new HashSet(); - for (IEnumerator it = emails.GetEnumerator(); it.MoveNext(); ) + foreach (GeneralSubtree subtree1 in emails) { - string email = ExtractNameAsString(((GeneralSubtree)it.Current) - .Base); + string email = ExtractNameAsString(subtree1.Base); if (permitted == null) { @@ -246,12 +236,9 @@ namespace Org.BouncyCastle.Pkix } else { - IEnumerator it2 = permitted.GetEnumerator(); - while (it2.MoveNext()) + foreach (string _permitted in permitted) { - string _permitted = (string)it2.Current; - - intersectEmail(email, _permitted, intersect); + IntersectEmail(email, _permitted, intersect); } } } @@ -272,15 +259,10 @@ namespace Org.BouncyCastle.Pkix else { ISet union = new HashSet(); - - IEnumerator it = excluded.GetEnumerator(); - while (it.MoveNext()) + foreach (string _excluded in excluded) { - string _excluded = (string)it.Current; - UnionEmail(_excluded, email, union); } - return union; } } @@ -298,10 +280,9 @@ namespace Org.BouncyCastle.Pkix private ISet IntersectIP(ISet permitted, ISet ips) { ISet intersect = new HashSet(); - for (IEnumerator it = ips.GetEnumerator(); it.MoveNext(); ) + foreach (GeneralSubtree subtree in ips) { - byte[] ip = Asn1OctetString.GetInstance( - ((GeneralSubtree)it.Current).Base.Name).GetOctets(); + byte[] ip = Asn1OctetString.GetInstance(subtree.Base.Name).GetOctets(); if (permitted == null) { if (ip != null) @@ -311,10 +292,8 @@ namespace Org.BouncyCastle.Pkix } else { - IEnumerator it2 = permitted.GetEnumerator(); - while (it2.MoveNext()) + foreach (byte[] _permitted in permitted) { - byte[] _permitted = (byte[])it2.Current; intersect.AddAll(IntersectIPRange(_permitted, ip)); } } @@ -347,14 +326,10 @@ namespace Org.BouncyCastle.Pkix else { ISet union = new HashSet(); - - IEnumerator it = excluded.GetEnumerator(); - while (it.MoveNext()) + foreach (byte[] _excluded in excluded) { - byte[] _excluded = (byte[])it.Current; union.AddAll(UnionIPRange(_excluded, ip)); } - return union; } } @@ -369,9 +344,8 @@ namespace Org.BouncyCastle.Pkix private ISet UnionIPRange(byte[] ipWithSubmask1, byte[] ipWithSubmask2) { ISet set = new HashSet(); - // difficult, adding always all IPs is not wrong - if (Org.BouncyCastle.Utilities.Arrays.AreEqual(ipWithSubmask1, ipWithSubmask2)) + if (Arrays.AreEqual(ipWithSubmask1, ipWithSubmask2)) { set.Add(ipWithSubmask1); } @@ -392,41 +366,41 @@ namespace Org.BouncyCastle.Pkix * mask as a byte array or an empty <code>Set</code>. */ private ISet IntersectIPRange(byte[] ipWithSubmask1, byte[] ipWithSubmask2) - { - if (ipWithSubmask1.Length != ipWithSubmask2.Length) { - //Collections.EMPTY_SET; - return new HashSet(); - } + if (ipWithSubmask1.Length != ipWithSubmask2.Length) + { + //Collections.EMPTY_SET; + return new HashSet(); + } - byte[][] temp = ExtractIPsAndSubnetMasks(ipWithSubmask1, ipWithSubmask2); - byte[] ip1 = temp[0]; - byte[] subnetmask1 = temp[1]; - byte[] ip2 = temp[2]; - byte[] subnetmask2 = temp[3]; + byte[][] temp = ExtractIPsAndSubnetMasks(ipWithSubmask1, ipWithSubmask2); + byte[] ip1 = temp[0]; + byte[] subnetmask1 = temp[1]; + byte[] ip2 = temp[2]; + byte[] subnetmask2 = temp[3]; - byte[][] minMax = MinMaxIPs(ip1, subnetmask1, ip2, subnetmask2); - byte[] min; - byte[] max; - max = Min(minMax[1], minMax[3]); - min = Max(minMax[0], minMax[2]); + byte[][] minMax = MinMaxIPs(ip1, subnetmask1, ip2, subnetmask2); + byte[] min; + byte[] max; + max = Min(minMax[1], minMax[3]); + min = Max(minMax[0], minMax[2]); - // minimum IP address must be bigger than max - if (CompareTo(min, max) == 1) - { - //return Collections.EMPTY_SET; - return new HashSet(); - } - // OR keeps all significant bits - byte[] ip = Or(minMax[0], minMax[2]); - byte[] subnetmask = Or(subnetmask1, subnetmask2); + // minimum IP address must be bigger than max + if (CompareTo(min, max) == 1) + { + //return Collections.EMPTY_SET; + return new HashSet(); + } + // OR keeps all significant bits + byte[] ip = Or(minMax[0], minMax[2]); + byte[] subnetmask = Or(subnetmask1, subnetmask2); - //return new HashSet( ICollectionsingleton(IpWithSubnetMask(ip, subnetmask)); - ISet hs = new HashSet(); - hs.Add(IpWithSubnetMask(ip, subnetmask)); + //return new HashSet( ICollectionsingleton(IpWithSubnetMask(ip, subnetmask)); + ISet hs = new HashSet(); + hs.Add(IpWithSubnetMask(ip, subnetmask)); return hs; - } + } /** * Concatenates the IP address with its subnet mask. @@ -455,20 +429,19 @@ namespace Org.BouncyCastle.Pkix private byte[][] ExtractIPsAndSubnetMasks( byte[] ipWithSubmask1, byte[] ipWithSubmask2) - { - int ipLength = ipWithSubmask1.Length / 2; - byte[] ip1 = new byte[ipLength]; - byte[] subnetmask1 = new byte[ipLength]; - Array.Copy(ipWithSubmask1, 0, ip1, 0, ipLength); - Array.Copy(ipWithSubmask1, ipLength, subnetmask1, 0, ipLength); - - byte[] ip2 = new byte[ipLength]; - byte[] subnetmask2 = new byte[ipLength]; - Array.Copy(ipWithSubmask2, 0, ip2, 0, ipLength); - Array.Copy(ipWithSubmask2, ipLength, subnetmask2, 0, ipLength); - return new byte[][] - {ip1, subnetmask1, ip2, subnetmask2}; - } + { + int ipLength = ipWithSubmask1.Length / 2; + byte[] ip1 = new byte[ipLength]; + byte[] subnetmask1 = new byte[ipLength]; + Array.Copy(ipWithSubmask1, 0, ip1, 0, ipLength); + Array.Copy(ipWithSubmask1, ipLength, subnetmask1, 0, ipLength); + + byte[] ip2 = new byte[ipLength]; + byte[] subnetmask2 = new byte[ipLength]; + Array.Copy(ipWithSubmask2, 0, ip2, 0, ipLength); + Array.Copy(ipWithSubmask2, ipLength, subnetmask2, 0, ipLength); + return new byte[][]{ ip1, subnetmask1, ip2, subnetmask2 }; + } /** * Based on the two IP addresses and their subnet masks the IP range is @@ -505,126 +478,214 @@ namespace Org.BouncyCastle.Pkix max2[i] = (byte)(ip2[i] & subnetmask2[i] | ~subnetmask2[i]); } - return new byte[][] { min1, max1, min2, max2 }; + return new byte[][]{ min1, max1, min2, max2 }; } - private void CheckPermittedEmail(ISet permitted, string email) - //throws PkixNameConstraintValidatorException + private bool IsOtherNameConstrained(OtherName constraint, OtherName otherName) + { + return constraint.Equals(otherName); + } + + private bool IsOtherNameConstrained(ISet constraints, OtherName otherName) { - if (permitted == null) + foreach (object obj in constraints) { - return; + OtherName constraint = OtherName.GetInstance(obj); + + if (IsOtherNameConstrained(constraint, otherName)) + return true; } - IEnumerator it = permitted.GetEnumerator(); + return false; + } + + private void CheckPermittedOtherName(ISet permitted, OtherName name) + { + if (permitted != null && !IsOtherNameConstrained(permitted, name)) + { + throw new PkixNameConstraintValidatorException( + "Subject OtherName is not from a permitted subtree."); + } + } - while (it.MoveNext()) + private void CheckExcludedOtherName(ISet excluded, OtherName name) + { + if (IsOtherNameConstrained(excluded, name)) { - string str = ((string)it.Current); + throw new PkixNameConstraintValidatorException( + "OtherName is from an excluded subtree."); + } + } - if (EmailIsConstrained(email, str)) + private bool IsEmailConstrained(string constraint, string email) + { + string sub = email.Substring(email.IndexOf('@') + 1); + // a particular mailbox + if (constraint.IndexOf('@') != -1) + { + if (Platform.ToUpperInvariant(email).Equals(Platform.ToUpperInvariant(constraint))) { - return; + return true; } } + // on particular host + else if (!(constraint[0].Equals('.'))) + { + if (Platform.ToUpperInvariant(sub).Equals(Platform.ToUpperInvariant(constraint))) + { + return true; + } + } + // address in sub domain + else if (WithinDomain(sub, constraint)) + { + return true; + } + return false; + } - if (email.Length == 0 && permitted.Count == 0) + private bool IsEmailConstrained(ISet constraints, string email) + { + foreach (string constraint in constraints) { - return; + if (IsEmailConstrained(constraint, email)) + return true; } - throw new PkixNameConstraintValidatorException( - "Subject email address is not from a permitted subtree."); + return false; + } + + private void CheckPermittedEmail(ISet permitted, string email) + { + if (permitted != null + && !(email.Length == 0 && permitted.IsEmpty) + && !IsEmailConstrained(permitted, email)) + { + throw new PkixNameConstraintValidatorException( + "Subject email address is not from a permitted subtree."); + } } private void CheckExcludedEmail(ISet excluded, string email) - //throws PkixNameConstraintValidatorException { - if (excluded.IsEmpty) + if (IsEmailConstrained(excluded, email)) { - return; + throw new PkixNameConstraintValidatorException( + "Email address is from an excluded subtree."); } + } - IEnumerator it = excluded.GetEnumerator(); + private bool IsDnsConstrained(string constraint, string dns) + { + return WithinDomain(dns, constraint) || Platform.EqualsIgnoreCase(dns, constraint); + } - while (it.MoveNext()) + private bool IsDnsConstrained(ISet constraints, string dns) + { + foreach (string constraint in constraints) { - string str = (string)it.Current; + if (IsDnsConstrained(constraint, dns)) + return true; + } - if (EmailIsConstrained(email, str)) - { - throw new PkixNameConstraintValidatorException( - "Email address is from an excluded subtree."); - } + return false; + } + + private void CheckPermittedDns(ISet permitted, string dns) + { + if (permitted != null + && !(dns.Length == 0 && permitted.IsEmpty) + && !IsDnsConstrained(permitted, dns)) + { + throw new PkixNameConstraintValidatorException( + "DNS is not from a permitted subtree."); } } - /** - * Checks if the IP <code>ip</code> is included in the permitted ISet - * <code>permitted</code>. - * - * @param permitted A <code>Set</code> of permitted IP addresses with - * their subnet mask as byte arrays. - * @param ip The IP address. - * @throws PkixNameConstraintValidatorException - * if the IP is not permitted. - */ - private void CheckPermittedIP(ISet permitted, byte[] ip) - //throws PkixNameConstraintValidatorException + private void CheckExcludedDns(ISet excluded, string dns) + { + if (IsDnsConstrained(excluded, dns)) + { + throw new PkixNameConstraintValidatorException( + "DNS is from an excluded subtree."); + } + } + + private bool IsDirectoryConstrained(ISet constraints, Asn1Sequence directory) { - if (permitted == null) + foreach (object obj in constraints) { - return; + Asn1Sequence constraint = Asn1Sequence.GetInstance(obj); + + if (WithinDNSubtree(directory, constraint)) + return true; } - IEnumerator it = permitted.GetEnumerator(); + return false; + } - while (it.MoveNext()) + private void CheckPermittedDirectory(ISet permitted, Asn1Sequence directory) + { + if (permitted != null + && !(directory.Count == 0 && permitted.IsEmpty) + && !IsDirectoryConstrained(permitted, directory)) { - byte[] ipWithSubnet = (byte[])it.Current; + throw new PkixNameConstraintValidatorException( + "Subject distinguished name is not from a permitted subtree"); + } + } - if (IsIPConstrained(ip, ipWithSubnet)) - { - return; - } + private void CheckExcludedDirectory(ISet excluded, Asn1Sequence directory) + { + if (IsDirectoryConstrained(excluded, directory)) + { + throw new PkixNameConstraintValidatorException( + "Subject distinguished name is from an excluded subtree"); } - if (ip.Length == 0 && permitted.Count == 0) + } + + private bool IsUriConstrained(string constraint, string uri) + { + string host = ExtractHostFromURL(uri); + + if (Platform.StartsWith(constraint, ".")) { - return; + // in sub domain or domain + return WithinDomain(host, constraint); } - throw new PkixNameConstraintValidatorException( - "IP is not from a permitted subtree."); + + // a host + return Platform.EqualsIgnoreCase(host, constraint); } - /** - * Checks if the IP <code>ip</code> is included in the excluded ISet - * <code>excluded</code>. - * - * @param excluded A <code>Set</code> of excluded IP addresses with their - * subnet mask as byte arrays. - * @param ip The IP address. - * @throws PkixNameConstraintValidatorException - * if the IP is excluded. - */ - private void CheckExcludedIP(ISet excluded, byte[] ip) - //throws PkixNameConstraintValidatorException + private bool IsUriConstrained(ISet constraints, string uri) { - if (excluded.IsEmpty) + foreach (string constraint in constraints) { - return; + if (IsUriConstrained(constraint, uri)) + return true; } - IEnumerator it = excluded.GetEnumerator(); + return false; + } - while (it.MoveNext()) + private void CheckPermittedUri(ISet permitted, string uri) + { + if (permitted != null + && !(uri.Length == 0 && permitted.IsEmpty) + && !IsUriConstrained(permitted, uri)) { - byte[] ipWithSubnet = (byte[])it.Current; + throw new PkixNameConstraintValidatorException( + "URI is not from a permitted subtree."); + } + } - if (IsIPConstrained(ip, ipWithSubnet)) - { - throw new PkixNameConstraintValidatorException( - "IP is from an excluded subtree."); - } + private void CheckExcludedUri(ISet excluded, string uri) + { + if (IsUriConstrained(excluded, uri)) + { + throw new PkixNameConstraintValidatorException( + "URI is from an excluded subtree."); } } @@ -632,16 +693,15 @@ namespace Org.BouncyCastle.Pkix * Checks if the IP address <code>ip</code> is constrained by * <code>constraint</code>. * - * @param ip The IP address. * @param constraint The constraint. This is an IP address concatenated with * its subnetmask. + * @param ip The IP address. * @return <code>true</code> if constrained, <code>false</code> * otherwise. */ - private bool IsIPConstrained(byte[] ip, byte[] constraint) + private bool IsIPConstrained(byte[] constraint, byte[] ip) { int ipLength = ip.Length; - if (ipLength != (constraint.Length / 2)) { return false; @@ -661,34 +721,58 @@ namespace Org.BouncyCastle.Pkix ipSubnetAddress[i] = (byte)(ip[i] & subnetMask[i]); } - return Org.BouncyCastle.Utilities.Arrays.AreEqual(permittedSubnetAddress, ipSubnetAddress); + return Arrays.AreEqual(permittedSubnetAddress, ipSubnetAddress); } - private bool EmailIsConstrained(string email, string constraint) + private bool IsIPConstrained(ISet constraints, byte[] ip) { - string sub = email.Substring(email.IndexOf('@') + 1); - // a particular mailbox - if (constraint.IndexOf('@') != -1) + foreach (byte[] constraint in constraints) { - if (Platform.ToUpperInvariant(email).Equals(Platform.ToUpperInvariant(constraint))) - { + if (IsIPConstrained(constraint, ip)) return true; - } } - // on particular host - else if (!(constraint[0].Equals('.'))) + + return false; + } + + /** + * Checks if the IP <code>ip</code> is included in the permitted ISet + * <code>permitted</code>. + * + * @param permitted A <code>Set</code> of permitted IP addresses with + * their subnet mask as byte arrays. + * @param ip The IP address. + * @throws PkixNameConstraintValidatorException + * if the IP is not permitted. + */ + private void CheckPermittedIP(ISet permitted, byte[] ip) + { + if (permitted != null + && !(ip.Length == 0 && permitted.IsEmpty) + && !IsIPConstrained(permitted, ip)) { - if (Platform.ToUpperInvariant(sub).Equals(Platform.ToUpperInvariant(constraint))) - { - return true; - } + throw new PkixNameConstraintValidatorException( + "IP is not from a permitted subtree."); } - // address in sub domain - else if (WithinDomain(sub, constraint)) + } + + /** + * Checks if the IP <code>ip</code> is included in the excluded ISet + * <code>excluded</code>. + * + * @param excluded A <code>Set</code> of excluded IP addresses with their + * subnet mask as byte arrays. + * @param ip The IP address. + * @throws PkixNameConstraintValidatorException + * if the IP is excluded. + */ + private void CheckExcludedIP(ISet excluded, byte[] ip) + { + if (IsIPConstrained(excluded, ip)) { - return true; + throw new PkixNameConstraintValidatorException( + "IP is from an excluded subtree."); } - return false; } private bool WithinDomain(string testDomain, string domain) @@ -724,36 +808,6 @@ namespace Org.BouncyCastle.Pkix return true; } - private void CheckPermittedDns(ISet permitted, string dns) - //throws PkixNameConstraintValidatorException - { - if (null == permitted) - return; - - foreach (string str in permitted) - { - // is sub domain or the same - if (WithinDomain(dns, str) || Platform.EqualsIgnoreCase(dns, str)) - return; - } - - if (dns.Length == 0 && permitted.Count == 0) - return; - - throw new PkixNameConstraintValidatorException("DNS is not from a permitted subtree."); - } - - private void CheckExcludedDns(ISet excluded, string dns) - //throws PkixNameConstraintValidatorException - { - foreach (string str in excluded) - { - // is sub domain or the same - if (WithinDomain(dns, str) || Platform.EqualsIgnoreCase(dns, str)) - throw new PkixNameConstraintValidatorException("DNS is from an excluded subtree."); - } - } - /** * The common part of <code>email1</code> and <code>email2</code> is * added to the union <code>union</code>. If <code>email1</code> and @@ -1038,13 +1092,12 @@ namespace Org.BouncyCastle.Pkix } } - private ISet intersectDNS(ISet permitted, ISet dnss) + private ISet IntersectDns(ISet permitted, ISet dnss) { ISet intersect = new HashSet(); - for (IEnumerator it = dnss.GetEnumerator(); it.MoveNext(); ) + foreach (GeneralSubtree subtree in dnss) { - string dns = ExtractNameAsString(((GeneralSubtree)it.Current) - .Base); + string dns = ExtractNameAsString(subtree.Base); if (permitted == null) { if (dns != null) @@ -1054,11 +1107,8 @@ namespace Org.BouncyCastle.Pkix } else { - IEnumerator _iter = permitted.GetEnumerator(); - while (_iter.MoveNext()) + foreach (string _permitted in permitted) { - string _permitted = (string)_iter.Current; - if (WithinDomain(_permitted, dns)) { intersect.Add(_permitted); @@ -1074,42 +1124,35 @@ namespace Org.BouncyCastle.Pkix return intersect; } - protected ISet unionDNS(ISet excluded, string dns) + private ISet UnionDns(ISet excluded, string dns) { if (excluded.IsEmpty) { if (dns == null) - { return excluded; - } - excluded.Add(dns); + excluded.Add(dns); return excluded; } else { ISet union = new HashSet(); - - IEnumerator _iter = excluded.GetEnumerator(); - while (_iter.MoveNext()) + foreach (string _excluded in excluded) { - string _permitted = (string)_iter.Current; - - if (WithinDomain(_permitted, dns)) + if (WithinDomain(_excluded, dns)) { union.Add(dns); } - else if (WithinDomain(dns, _permitted)) + else if (WithinDomain(dns, _excluded)) { - union.Add(_permitted); + union.Add(_excluded); } else { - union.Add(_permitted); + union.Add(_excluded); union.Add(dns); } } - return union; } } @@ -1122,7 +1165,7 @@ namespace Org.BouncyCastle.Pkix * @param email2 Email address constraint 2. * @param intersect The intersection. */ - private void intersectEmail(string email1, string email2, ISet intersect) + private void IntersectEmail(string email1, string email2, ISet intersect) { // email1 is a particular address if (email1.IndexOf('@') != -1) @@ -1214,35 +1257,12 @@ namespace Org.BouncyCastle.Pkix } } - private void checkExcludedURI(ISet excluded, string uri) - // throws PkixNameConstraintValidatorException - { - if (excluded.IsEmpty) - { - return; - } - - IEnumerator it = excluded.GetEnumerator(); - - while (it.MoveNext()) - { - string str = ((string)it.Current); - - if (IsUriConstrained(uri, str)) - { - throw new PkixNameConstraintValidatorException( - "URI is from an excluded subtree."); - } - } - } - - private ISet intersectURI(ISet permitted, ISet uris) + private ISet IntersectUri(ISet permitted, ISet uris) { ISet intersect = new HashSet(); - for (IEnumerator it = uris.GetEnumerator(); it.MoveNext(); ) + foreach (GeneralSubtree subtree in uris) { - string uri = ExtractNameAsString(((GeneralSubtree)it.Current) - .Base); + string uri = ExtractNameAsString(subtree.Base); if (permitted == null) { if (uri != null) @@ -1252,46 +1272,37 @@ namespace Org.BouncyCastle.Pkix } else { - IEnumerator _iter = permitted.GetEnumerator(); - while (_iter.MoveNext()) + foreach (string _permitted in permitted) { - string _permitted = (string)_iter.Current; - intersectURI(_permitted, uri, intersect); + IntersectUri(_permitted, uri, intersect); } } } return intersect; } - private ISet unionURI(ISet excluded, string uri) + private ISet UnionUri(ISet excluded, string uri) { if (excluded.IsEmpty) { if (uri == null) - { return excluded; - } - excluded.Add(uri); + excluded.Add(uri); return excluded; } else { ISet union = new HashSet(); - - IEnumerator _iter = excluded.GetEnumerator(); - while (_iter.MoveNext()) + foreach (string _excluded in excluded) { - string _excluded = (string)_iter.Current; - unionURI(_excluded, uri, union); } - return union; } } - private void intersectURI(string email1, string email2, ISet intersect) + private void IntersectUri(string email1, string email2, ISet intersect) { // email1 is a particular address if (email1.IndexOf('@') != -1) @@ -1383,54 +1394,6 @@ namespace Org.BouncyCastle.Pkix } } - private void CheckPermittedURI(ISet permitted, string uri) - // throws PkixNameConstraintValidatorException - { - if (permitted == null) - { - return; - } - - IEnumerator it = permitted.GetEnumerator(); - - while (it.MoveNext()) - { - string str = ((string)it.Current); - - if (IsUriConstrained(uri, str)) - { - return; - } - } - if (uri.Length == 0 && permitted.Count == 0) - { - return; - } - throw new PkixNameConstraintValidatorException( - "URI is not from a permitted subtree."); - } - - private bool IsUriConstrained(string uri, string constraint) - { - string host = ExtractHostFromURL(uri); - // a host - if (!Platform.StartsWith(constraint, ".")) - { - if (Platform.EqualsIgnoreCase(host, constraint)) - { - return true; - } - } - - // in sub domain or domain - else if (WithinDomain(host, constraint)) - { - return true; - } - - return false; - } - private static string ExtractHostFromURL(string url) { // see RFC 1738 @@ -1466,30 +1429,28 @@ namespace Org.BouncyCastle.Pkix * If the <code>name</code> */ public void checkPermitted(GeneralName name) - // throws PkixNameConstraintValidatorException + //throws PkixNameConstraintValidatorException { switch (name.TagNo) { - case 1: - CheckPermittedEmail(permittedSubtreesEmail, - ExtractNameAsString(name)); - break; - case 2: - CheckPermittedDns(permittedSubtreesDNS, DerIA5String.GetInstance( - name.Name).GetString()); - break; - case 4: - CheckPermittedDN(Asn1Sequence.GetInstance(name.Name.ToAsn1Object())); - break; - case 6: - CheckPermittedURI(permittedSubtreesURI, DerIA5String.GetInstance( - name.Name).GetString()); - break; - case 7: - byte[] ip = Asn1OctetString.GetInstance(name.Name).GetOctets(); - - CheckPermittedIP(permittedSubtreesIP, ip); - break; + case GeneralName.OtherName: + CheckPermittedOtherName(permittedSubtreesOtherName, OtherName.GetInstance(name.Name)); + break; + case GeneralName.Rfc822Name: + CheckPermittedEmail(permittedSubtreesEmail, ExtractNameAsString(name)); + break; + case GeneralName.DnsName: + CheckPermittedDns(permittedSubtreesDNS, ExtractNameAsString(name)); + break; + case GeneralName.DirectoryName: + CheckPermittedDN(Asn1Sequence.GetInstance(name.Name.ToAsn1Object())); + break; + case GeneralName.UniformResourceIdentifier: + CheckPermittedUri(permittedSubtreesURI, ExtractNameAsString(name)); + break; + case GeneralName.IPAddress: + CheckPermittedIP(permittedSubtreesIP, Asn1OctetString.GetInstance(name.Name).GetOctets()); + break; } } @@ -1502,29 +1463,28 @@ namespace Org.BouncyCastle.Pkix * excluded. */ public void checkExcluded(GeneralName name) - // throws PkixNameConstraintValidatorException + //throws PkixNameConstraintValidatorException { switch (name.TagNo) { - case 1: - CheckExcludedEmail(excludedSubtreesEmail, ExtractNameAsString(name)); - break; - case 2: - CheckExcludedDns(excludedSubtreesDNS, DerIA5String.GetInstance( - name.Name).GetString()); - break; - case 4: - CheckExcludedDN(Asn1Sequence.GetInstance(name.Name.ToAsn1Object())); - break; - case 6: - checkExcludedURI(excludedSubtreesURI, DerIA5String.GetInstance( - name.Name).GetString()); - break; - case 7: - byte[] ip = Asn1OctetString.GetInstance(name.Name).GetOctets(); - - CheckExcludedIP(excludedSubtreesIP, ip); - break; + case GeneralName.OtherName: + CheckExcludedOtherName(excludedSubtreesOtherName, OtherName.GetInstance(name.Name)); + break; + case GeneralName.Rfc822Name: + CheckExcludedEmail(excludedSubtreesEmail, ExtractNameAsString(name)); + break; + case GeneralName.DnsName: + CheckExcludedDns(excludedSubtreesDNS, ExtractNameAsString(name)); + break; + case GeneralName.DirectoryName: + CheckExcludedDN(Asn1Sequence.GetInstance(name.Name.ToAsn1Object())); + break; + case GeneralName.UniformResourceIdentifier: + CheckExcludedUri(excludedSubtreesURI, ExtractNameAsString(name)); + break; + case GeneralName.IPAddress: + CheckExcludedIP(excludedSubtreesIP, Asn1OctetString.GetInstance(name.Name).GetOctets()); + break; } } @@ -1540,9 +1500,9 @@ namespace Org.BouncyCastle.Pkix IDictionary subtreesMap = Platform.CreateHashtable(); // group in ISets in a map ordered by tag no. - for (IEnumerator e = permitted.GetEnumerator(); e.MoveNext(); ) + foreach (object obj in permitted) { - GeneralSubtree subtree = GeneralSubtree.GetInstance(e.Current); + GeneralSubtree subtree = GeneralSubtree.GetInstance(obj); int tagNo = subtree.Base.TagNo; if (subtreesMap[tagNo] == null) @@ -1553,33 +1513,35 @@ namespace Org.BouncyCastle.Pkix ((ISet)subtreesMap[tagNo]).Add(subtree); } - for (IEnumerator it = subtreesMap.GetEnumerator(); it.MoveNext(); ) + foreach (DictionaryEntry entry in subtreesMap) { - DictionaryEntry entry = (DictionaryEntry)it.Current; - // go through all subtree groups - switch ((int)entry.Key ) + switch ((int)entry.Key) { - case 1: - permittedSubtreesEmail = IntersectEmail(permittedSubtreesEmail, - (ISet)entry.Value); - break; - case 2: - permittedSubtreesDNS = intersectDNS(permittedSubtreesDNS, - (ISet)entry.Value); - break; - case 4: - permittedSubtreesDN = IntersectDN(permittedSubtreesDN, - (ISet)entry.Value); - break; - case 6: - permittedSubtreesURI = intersectURI(permittedSubtreesURI, - (ISet)entry.Value); - break; - case 7: - permittedSubtreesIP = IntersectIP(permittedSubtreesIP, - (ISet)entry.Value); - break; + case GeneralName.OtherName: + permittedSubtreesOtherName = IntersectOtherName(permittedSubtreesOtherName, + (ISet)entry.Value); + break; + case GeneralName.Rfc822Name: + permittedSubtreesEmail = IntersectEmail(permittedSubtreesEmail, + (ISet)entry.Value); + break; + case GeneralName.DnsName: + permittedSubtreesDNS = IntersectDns(permittedSubtreesDNS, + (ISet)entry.Value); + break; + case GeneralName.DirectoryName: + permittedSubtreesDN = IntersectDN(permittedSubtreesDN, + (ISet)entry.Value); + break; + case GeneralName.UniformResourceIdentifier: + permittedSubtreesURI = IntersectUri(permittedSubtreesURI, + (ISet)entry.Value); + break; + case GeneralName.IPAddress: + permittedSubtreesIP = IntersectIP(permittedSubtreesIP, + (ISet)entry.Value); + break; } } } @@ -1593,21 +1555,24 @@ namespace Org.BouncyCastle.Pkix { switch (nameType) { - case 1: - permittedSubtreesEmail = new HashSet(); - break; - case 2: - permittedSubtreesDNS = new HashSet(); - break; - case 4: - permittedSubtreesDN = new HashSet(); - break; - case 6: - permittedSubtreesURI = new HashSet(); - break; - case 7: - permittedSubtreesIP = new HashSet(); - break; + case GeneralName.OtherName: + permittedSubtreesOtherName = new HashSet(); + break; + case GeneralName.Rfc822Name: + permittedSubtreesEmail = new HashSet(); + break; + case GeneralName.DnsName: + permittedSubtreesDNS = new HashSet(); + break; + case GeneralName.DirectoryName: + permittedSubtreesDN = new HashSet(); + break; + case GeneralName.UniformResourceIdentifier: + permittedSubtreesURI = new HashSet(); + break; + case GeneralName.IPAddress: + permittedSubtreesIP = new HashSet(); + break; } } @@ -1622,26 +1587,30 @@ namespace Org.BouncyCastle.Pkix switch (subTreeBase.TagNo) { - case 1: - excludedSubtreesEmail = UnionEmail(excludedSubtreesEmail, - ExtractNameAsString(subTreeBase)); - break; - case 2: - excludedSubtreesDNS = unionDNS(excludedSubtreesDNS, - ExtractNameAsString(subTreeBase)); - break; - case 4: - excludedSubtreesDN = UnionDN(excludedSubtreesDN, - (Asn1Sequence)subTreeBase.Name.ToAsn1Object()); - break; - case 6: - excludedSubtreesURI = unionURI(excludedSubtreesURI, - ExtractNameAsString(subTreeBase)); - break; - case 7: - excludedSubtreesIP = UnionIP(excludedSubtreesIP, Asn1OctetString - .GetInstance(subTreeBase.Name).GetOctets()); - break; + case GeneralName.OtherName: + excludedSubtreesOtherName = UnionOtherName(excludedSubtreesOtherName, + OtherName.GetInstance(subTreeBase.Name)); + break; + case GeneralName.Rfc822Name: + excludedSubtreesEmail = UnionEmail(excludedSubtreesEmail, + ExtractNameAsString(subTreeBase)); + break; + case GeneralName.DnsName: + excludedSubtreesDNS = UnionDns(excludedSubtreesDNS, + ExtractNameAsString(subTreeBase)); + break; + case GeneralName.DirectoryName: + excludedSubtreesDN = UnionDN(excludedSubtreesDN, + (Asn1Sequence)subTreeBase.Name.ToAsn1Object()); + break; + case GeneralName.UniformResourceIdentifier: + excludedSubtreesURI = UnionUri(excludedSubtreesURI, + ExtractNameAsString(subTreeBase)); + break; + case GeneralName.IPAddress: + excludedSubtreesIP = UnionIP(excludedSubtreesIP, + Asn1OctetString.GetInstance(subTreeBase.Name).GetOctets()); + break; } } @@ -1736,27 +1705,26 @@ namespace Org.BouncyCastle.Pkix + HashCollection(excludedSubtreesEmail) + HashCollection(excludedSubtreesIP) + HashCollection(excludedSubtreesURI) + + HashCollection(excludedSubtreesOtherName) + HashCollection(permittedSubtreesDN) + HashCollection(permittedSubtreesDNS) + HashCollection(permittedSubtreesEmail) + HashCollection(permittedSubtreesIP) - + HashCollection(permittedSubtreesURI); + + HashCollection(permittedSubtreesURI) + + HashCollection(permittedSubtreesOtherName); } - private int HashCollection(ICollection coll) + private int HashCollection(ICollection c) { - if (coll == null) - { + if (c == null) return 0; - } + int hash = 0; - IEnumerator it1 = coll.GetEnumerator(); - while (it1.MoveNext()) + foreach (Object o in c) { - Object o = it1.Current; if (o is byte[]) { - hash += Org.BouncyCastle.Utilities.Arrays.GetHashCode((byte[])o); + hash += Arrays.GetHashCode((byte[])o); } else { @@ -1773,52 +1741,41 @@ namespace Org.BouncyCastle.Pkix PkixNameConstraintValidator constraintValidator = (PkixNameConstraintValidator)o; - return CollectionsAreEqual(constraintValidator.excludedSubtreesDN, excludedSubtreesDN) - && CollectionsAreEqual(constraintValidator.excludedSubtreesDNS, excludedSubtreesDNS) - && CollectionsAreEqual(constraintValidator.excludedSubtreesEmail, excludedSubtreesEmail) - && CollectionsAreEqual(constraintValidator.excludedSubtreesIP, excludedSubtreesIP) - && CollectionsAreEqual(constraintValidator.excludedSubtreesURI, excludedSubtreesURI) - && CollectionsAreEqual(constraintValidator.permittedSubtreesDN, permittedSubtreesDN) - && CollectionsAreEqual(constraintValidator.permittedSubtreesDNS, permittedSubtreesDNS) - && CollectionsAreEqual(constraintValidator.permittedSubtreesEmail, permittedSubtreesEmail) - && CollectionsAreEqual(constraintValidator.permittedSubtreesIP, permittedSubtreesIP) - && CollectionsAreEqual(constraintValidator.permittedSubtreesURI, permittedSubtreesURI); + return CollectionsAreEqual(constraintValidator.excludedSubtreesDN, excludedSubtreesDN) + && CollectionsAreEqual(constraintValidator.excludedSubtreesDNS, excludedSubtreesDNS) + && CollectionsAreEqual(constraintValidator.excludedSubtreesEmail, excludedSubtreesEmail) + && CollectionsAreEqual(constraintValidator.excludedSubtreesIP, excludedSubtreesIP) + && CollectionsAreEqual(constraintValidator.excludedSubtreesURI, excludedSubtreesURI) + && CollectionsAreEqual(constraintValidator.excludedSubtreesOtherName, excludedSubtreesOtherName) + && CollectionsAreEqual(constraintValidator.permittedSubtreesDN, permittedSubtreesDN) + && CollectionsAreEqual(constraintValidator.permittedSubtreesDNS, permittedSubtreesDNS) + && CollectionsAreEqual(constraintValidator.permittedSubtreesEmail, permittedSubtreesEmail) + && CollectionsAreEqual(constraintValidator.permittedSubtreesIP, permittedSubtreesIP) + && CollectionsAreEqual(constraintValidator.permittedSubtreesURI, permittedSubtreesURI) + && CollectionsAreEqual(constraintValidator.permittedSubtreesOtherName, permittedSubtreesOtherName); } private bool CollectionsAreEqual(ICollection coll1, ICollection coll2) { if (coll1 == coll2) - { return true; - } - if (coll1 == null || coll2 == null) - { - return false; - } - if (coll1.Count != coll2.Count) - { + if (coll1 == null || coll2 == null || coll1.Count != coll2.Count) return false; - } - IEnumerator it1 = coll1.GetEnumerator(); - while (it1.MoveNext()) + foreach (Object a in coll1) { - Object a = it1.Current; - IEnumerator it2 = coll2.GetEnumerator(); bool found = false; - while (it2.MoveNext()) + foreach (Object b in coll2) { - Object b = it2.Current; if (SpecialEquals(a, b)) { found = true; break; } } + if (!found) - { return false; - } } return true; } @@ -1835,7 +1792,7 @@ namespace Org.BouncyCastle.Pkix } if ((o1 is byte[]) && (o2 is byte[])) { - return Org.BouncyCastle.Utilities.Arrays.AreEqual((byte[])o1, (byte[])o2); + return Arrays.AreEqual((byte[])o1, (byte[])o2); } else { @@ -1872,16 +1829,41 @@ namespace Org.BouncyCastle.Pkix { string temp = ""; temp += "["; - for (IEnumerator it = ips.GetEnumerator(); it.MoveNext(); ) + foreach (byte[] ip in ips) { - temp += StringifyIP((byte[])it.Current) + ","; + temp += StringifyIP(ip) + ","; } if (temp.Length > 1) { temp = temp.Substring(0, temp.Length - 1); } temp += "]"; + return temp; + } + private string StringifyOtherNameCollection(ISet otherNames) + { + string temp = ""; + temp += "["; + foreach (object obj in otherNames) + { + OtherName name = OtherName.GetInstance(obj); + if (temp.Length > 1) + { + temp += ","; + } + temp += name.TypeID.Id; + temp += ":"; + try + { + temp += Hex.ToHexString(name.Value.ToAsn1Object().GetEncoded()); + } + catch (IOException e) + { + temp += e.ToString(); + } + } + temp += "]"; return temp; } @@ -1915,6 +1897,11 @@ namespace Org.BouncyCastle.Pkix temp += "IP:\n"; temp += StringifyIPCollection(permittedSubtreesIP) + "\n"; } + if (permittedSubtreesOtherName != null) + { + temp += "OtherName:\n"; + temp += StringifyOtherNameCollection(permittedSubtreesOtherName); + } temp += "excluded:\n"; if (!(excludedSubtreesDN.IsEmpty)) { @@ -1941,8 +1928,12 @@ namespace Org.BouncyCastle.Pkix temp += "IP:\n"; temp += StringifyIPCollection(excludedSubtreesIP) + "\n"; } + if (!excludedSubtreesOtherName.IsEmpty) + { + temp += "OtherName:\n"; + temp += StringifyOtherNameCollection(excludedSubtreesOtherName); + } return temp; } - } } diff --git a/crypto/test/src/test/PkixNameConstraintsTest.cs b/crypto/test/src/test/PkixNameConstraintsTest.cs index 073f9f2a3..65f39dcd2 100644 --- a/crypto/test/src/test/PkixNameConstraintsTest.cs +++ b/crypto/test/src/test/PkixNameConstraintsTest.cs @@ -197,6 +197,37 @@ namespace Org.BouncyCastle.Tests constraintValidator.checkPermitted( new GeneralName(GeneralName.DirectoryName, new X509Name(true, "cn=Valid DN nameConstraints EE Certificate Test1, ou=permittedSubtree1, o=Test Certificates 2011, c=US"))); + + GeneralName name = new GeneralName(GeneralName.OtherName, new OtherName(new DerObjectIdentifier("1.1"), DerNull.Instance)); + GeneralSubtree subtree = new GeneralSubtree(name); + + PkixNameConstraintValidator validator = new PkixNameConstraintValidator(); + validator.IntersectPermittedSubtree(new DerSequence(subtree)); + + name = new GeneralName(GeneralName.OtherName, new OtherName(new DerObjectIdentifier("1.1"), DerNull.Instance)); + subtree = new GeneralSubtree(name); + + validator = new PkixNameConstraintValidator(); + validator.IntersectPermittedSubtree(new DerSequence(subtree)); + validator.AddExcludedSubtree(subtree); + + try + { + validator.checkExcluded(name); + } + catch (PkixNameConstraintValidatorException e) + { + IsEquals("OtherName is from an excluded subtree.", e.Message); + } + + try + { + validator.checkPermitted(name); + } + catch (PkixNameConstraintValidatorException e) + { + Fail(e.Message); + } } /** |