summary refs log tree commit diff
path: root/crypto/src/pkix/PkixNameConstraintValidator.cs
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/src/pkix/PkixNameConstraintValidator.cs')
-rw-r--r--crypto/src/pkix/PkixNameConstraintValidator.cs1937
1 files changed, 0 insertions, 1937 deletions
diff --git a/crypto/src/pkix/PkixNameConstraintValidator.cs b/crypto/src/pkix/PkixNameConstraintValidator.cs
deleted file mode 100644
index 535f95174..000000000
--- a/crypto/src/pkix/PkixNameConstraintValidator.cs
+++ /dev/null
@@ -1,1937 +0,0 @@
-using System;
-using System.Collections;
-
-using Org.BouncyCastle.Asn1;
-using Org.BouncyCastle.Asn1.X509;
-using Org.BouncyCastle.Utilities;
-using Org.BouncyCastle.Utilities.Collections;
-
-namespace Org.BouncyCastle.Pkix
-{
-    public class PkixNameConstraintValidator
-    {
-        private ISet excludedSubtreesDN = new HashSet();
-
-        private ISet excludedSubtreesDNS = new HashSet();
-
-        private ISet excludedSubtreesEmail = new HashSet();
-
-        private ISet excludedSubtreesURI = new HashSet();
-
-        private ISet excludedSubtreesIP = new HashSet();
-
-        private ISet permittedSubtreesDN;
-
-        private ISet permittedSubtreesDNS;
-
-        private ISet permittedSubtreesEmail;
-
-        private ISet permittedSubtreesURI;
-
-        private ISet permittedSubtreesIP;
-
-        public PkixNameConstraintValidator()
-        {
-        }
-
-        private static bool WithinDNSubtree(
-            Asn1Sequence dns,
-            Asn1Sequence subtree)
-        {
-            if (subtree.Count < 1)
-            {
-                return false;
-            }
-
-            if (subtree.Count > dns.Count)
-            {
-                return false;
-            }
-
-            for (int j = subtree.Count - 1; j >= 0; j--)
-            {
-                if (!(subtree[j].Equals(dns[j])))
-                {
-                    return false;
-                }
-            }
-
-            return true;
-        }
-
-        public void CheckPermittedDN(Asn1Sequence dns)
-        //throws PkixNameConstraintValidatorException
-        {
-            CheckPermittedDN(permittedSubtreesDN, dns);
-        }
-
-        public void CheckExcludedDN(Asn1Sequence dns)
-        //throws PkixNameConstraintValidatorException
-        {
-            CheckExcludedDN(excludedSubtreesDN, dns);
-        }
-
-        private void CheckPermittedDN(ISet permitted, Asn1Sequence dns)
-        //throws PkixNameConstraintValidatorException
-        {
-            if (permitted == null)
-            {
-                return;
-            }
-
-            if ((permitted.Count == 0) && dns.Count == 0)
-            {
-                return;
-            }
-
-            IEnumerator it = permitted.GetEnumerator();
-
-            while (it.MoveNext())
-            {
-                Asn1Sequence subtree = (Asn1Sequence)it.Current;
-
-                if (WithinDNSubtree(dns, subtree))
-                {
-                    return;
-                }
-            }
-
-            throw new PkixNameConstraintValidatorException(
-                "Subject distinguished name is not from a permitted subtree");
-        }
-
-        private void CheckExcludedDN(ISet excluded, Asn1Sequence dns)
-        //throws PkixNameConstraintValidatorException
-        {
-            if (excluded.IsEmpty)
-            {
-                return;
-            }
-
-            IEnumerator it = excluded.GetEnumerator();
-
-            while (it.MoveNext())
-            {
-                Asn1Sequence subtree = (Asn1Sequence)it.Current;
-
-                if (WithinDNSubtree(dns, subtree))
-                {
-                    throw new PkixNameConstraintValidatorException(
-                        "Subject distinguished name is from an excluded subtree");
-                }
-            }
-        }
-
-        private ISet IntersectDN(ISet permitted, ISet dns)
-        {
-            ISet intersect = new HashSet();
-            for (IEnumerator it = dns.GetEnumerator(); it.MoveNext(); )
-            {
-                Asn1Sequence dn = Asn1Sequence.GetInstance(((GeneralSubtree)it
-                    .Current).Base.Name.ToAsn1Object());
-                if (permitted == null)
-                {
-                    if (dn != null)
-                    {
-                        intersect.Add(dn);
-                    }
-                }
-                else
-                {
-                    IEnumerator _iter = permitted.GetEnumerator();
-                    while (_iter.MoveNext())
-                    {
-                        Asn1Sequence subtree = (Asn1Sequence)_iter.Current;
-
-                        if (WithinDNSubtree(dn, subtree))
-                        {
-                            intersect.Add(dn);
-                        }
-                        else if (WithinDNSubtree(subtree, dn))
-                        {
-                            intersect.Add(subtree);
-                        }
-                    }
-                }
-            }
-            return intersect;
-        }
-
-        private ISet UnionDN(ISet excluded, Asn1Sequence dn)
-        {
-            if (excluded.IsEmpty)
-            {
-                if (dn == null)
-                {
-                    return excluded;
-                }
-                excluded.Add(dn);
-
-                return excluded;
-            }
-            else
-            {
-                ISet intersect = new HashSet();
-
-                IEnumerator it = excluded.GetEnumerator();
-                while (it.MoveNext())
-                {
-                    Asn1Sequence subtree = (Asn1Sequence)it.Current;
-
-                    if (WithinDNSubtree(dn, subtree))
-                    {
-                        intersect.Add(subtree);
-                    }
-                    else if (WithinDNSubtree(subtree, dn))
-                    {
-                        intersect.Add(dn);
-                    }
-                    else
-                    {
-                        intersect.Add(subtree);
-                        intersect.Add(dn);
-                    }
-                }
-
-                return intersect;
-            }
-        }
-
-        private ISet IntersectEmail(ISet permitted, ISet emails)
-        {
-            ISet intersect = new HashSet();
-            for (IEnumerator it = emails.GetEnumerator(); it.MoveNext(); )
-            {
-                String email = ExtractNameAsString(((GeneralSubtree)it.Current)
-                    .Base);
-
-                if (permitted == null)
-                {
-                    if (email != null)
-                    {
-                        intersect.Add(email);
-                    }
-                }
-                else
-                {
-                    IEnumerator it2 = permitted.GetEnumerator();
-                    while (it2.MoveNext())
-                    {
-                        String _permitted = (String)it2.Current;
-
-                        intersectEmail(email, _permitted, intersect);
-                    }
-                }
-            }
-            return intersect;
-        }
-
-        private ISet UnionEmail(ISet excluded, String email)
-        {
-            if (excluded.IsEmpty)
-            {
-                if (email == null)
-                {
-                    return excluded;
-                }
-                excluded.Add(email);
-                return excluded;
-            }
-            else
-            {
-                ISet union = new HashSet();
-
-                IEnumerator it = excluded.GetEnumerator();
-                while (it.MoveNext())
-                {
-                    String _excluded = (String)it.Current;
-
-                    unionEmail(_excluded, email, union);
-                }
-
-                return union;
-            }
-        }
-
-        /**
-         * Returns the intersection of the permitted IP ranges in
-         * <code>permitted</code> with <code>ip</code>.
-         *
-         * @param permitted A <code>Set</code> of permitted IP addresses with
-         *                  their subnet mask as byte arrays.
-         * @param ips       The IP address with its subnet mask.
-         * @return The <code>Set</code> of permitted IP ranges intersected with
-         *         <code>ip</code>.
-         */
-        private ISet IntersectIP(ISet permitted, ISet ips)
-        {
-            ISet intersect = new HashSet();
-            for (IEnumerator it = ips.GetEnumerator(); it.MoveNext(); )
-            {
-                byte[] ip = Asn1OctetString.GetInstance(
-                    ((GeneralSubtree)it.Current).Base.Name).GetOctets();
-                if (permitted == null)
-                {
-                    if (ip != null)
-                    {
-                        intersect.Add(ip);
-                    }
-                }
-                else
-                {
-                    IEnumerator it2 = permitted.GetEnumerator();
-                    while (it2.MoveNext())
-                    {
-                        byte[] _permitted = (byte[])it2.Current;
-                        intersect.AddAll(IntersectIPRange(_permitted, ip));
-                    }
-                }
-            }
-            return intersect;
-        }
-
-        /**
-         * Returns the union of the excluded IP ranges in <code>excluded</code>
-         * with <code>ip</code>.
-         *
-         * @param excluded A <code>Set</code> of excluded IP addresses with their
-         *                 subnet mask as byte arrays.
-         * @param ip       The IP address with its subnet mask.
-         * @return The <code>Set</code> of excluded IP ranges unified with
-         *         <code>ip</code> as byte arrays.
-         */
-        private ISet UnionIP(ISet excluded, byte[] ip)
-        {
-            if (excluded.IsEmpty)
-            {
-                if (ip == null)
-                {
-                    return excluded;
-                }
-                excluded.Add(ip);
-
-                return excluded;
-            }
-            else
-            {
-                ISet union = new HashSet();
-
-                IEnumerator it = excluded.GetEnumerator();
-                while (it.MoveNext())
-                {
-                    byte[] _excluded = (byte[])it.Current;
-                    union.AddAll(UnionIPRange(_excluded, ip));
-                }
-
-                return union;
-            }
-        }
-
-        /**
-         * Calculates the union if two IP ranges.
-         *
-         * @param ipWithSubmask1 The first IP address with its subnet mask.
-         * @param ipWithSubmask2 The second IP address with its subnet mask.
-         * @return A <code>Set</code> with the union of both addresses.
-         */
-        private ISet UnionIPRange(byte[] ipWithSubmask1, byte[] ipWithSubmask2)
-        {
-            ISet set = new HashSet();
-
-            // difficult, adding always all IPs is not wrong
-            if (Org.BouncyCastle.Utilities.Arrays.AreEqual(ipWithSubmask1, ipWithSubmask2))
-            {
-                set.Add(ipWithSubmask1);
-            }
-            else
-            {
-                set.Add(ipWithSubmask1);
-                set.Add(ipWithSubmask2);
-            }
-            return set;
-        }
-
-        /**
-         * Calculates the interesction if two IP ranges.
-         *
-         * @param ipWithSubmask1 The first IP address with its subnet mask.
-         * @param ipWithSubmask2 The second IP address with its subnet mask.
-         * @return A <code>Set</code> with the single IP address with its subnet
-         *         mask as a byte array or an empty <code>Set</code>.
-         */
-        private ISet IntersectIPRange(byte[] ipWithSubmask1, byte[] ipWithSubmask2)
-    {
-        if (ipWithSubmask1.Length != ipWithSubmask2.Length)
-        {
-            //Collections.EMPTY_SET;
-            return new HashSet();
-        }
-
-        byte[][] temp = ExtractIPsAndSubnetMasks(ipWithSubmask1, ipWithSubmask2);
-        byte[] ip1 = temp[0];
-        byte[] subnetmask1 = temp[1];
-        byte[] ip2 = temp[2];
-        byte[] subnetmask2 = temp[3];
-
-        byte[][] minMax = MinMaxIPs(ip1, subnetmask1, ip2, subnetmask2);
-        byte[] min;
-        byte[] max;
-        max = Min(minMax[1], minMax[3]);
-        min = Max(minMax[0], minMax[2]);
-
-        // minimum IP address must be bigger than max
-        if (CompareTo(min, max) == 1)
-        {
-            //return Collections.EMPTY_SET;
-            return new HashSet();
-        }
-        // OR keeps all significant bits
-        byte[] ip = Or(minMax[0], minMax[2]);
-        byte[] subnetmask = Or(subnetmask1, subnetmask2);
-
-            //return new HashSet( ICollectionsingleton(IpWithSubnetMask(ip, subnetmask));
-        ISet hs = new HashSet();
-        hs.Add(IpWithSubnetMask(ip, subnetmask));
-
-            return hs;
-    }
-
-        /**
-         * Concatenates the IP address with its subnet mask.
-         *
-         * @param ip         The IP address.
-         * @param subnetMask Its subnet mask.
-         * @return The concatenated IP address with its subnet mask.
-         */
-        private byte[] IpWithSubnetMask(byte[] ip, byte[] subnetMask)
-        {
-            int ipLength = ip.Length;
-            byte[] temp = new byte[ipLength * 2];
-            Array.Copy(ip, 0, temp, 0, ipLength);
-            Array.Copy(subnetMask, 0, temp, ipLength, ipLength);
-            return temp;
-        }
-
-        /**
-         * Splits the IP addresses and their subnet mask.
-         *
-         * @param ipWithSubmask1 The first IP address with the subnet mask.
-         * @param ipWithSubmask2 The second IP address with the subnet mask.
-         * @return An array with two elements. Each element contains the IP address
-         *         and the subnet mask in this order.
-         */
-        private byte[][] ExtractIPsAndSubnetMasks(
-            byte[] ipWithSubmask1,
-            byte[] ipWithSubmask2)
-    {
-        int ipLength = ipWithSubmask1.Length / 2;
-        byte[] ip1 = new byte[ipLength];
-        byte[] subnetmask1 = new byte[ipLength];
-        Array.Copy(ipWithSubmask1, 0, ip1, 0, ipLength);
-        Array.Copy(ipWithSubmask1, ipLength, subnetmask1, 0, ipLength);
-
-        byte[] ip2 = new byte[ipLength];
-        byte[] subnetmask2 = new byte[ipLength];
-        Array.Copy(ipWithSubmask2, 0, ip2, 0, ipLength);
-        Array.Copy(ipWithSubmask2, ipLength, subnetmask2, 0, ipLength);
-        return new byte[][]
-            {ip1, subnetmask1, ip2, subnetmask2};
-    }
-
-        /**
-         * Based on the two IP addresses and their subnet masks the IP range is
-         * computed for each IP address - subnet mask pair and returned as the
-         * minimum IP address and the maximum address of the range.
-         *
-         * @param ip1         The first IP address.
-         * @param subnetmask1 The subnet mask of the first IP address.
-         * @param ip2         The second IP address.
-         * @param subnetmask2 The subnet mask of the second IP address.
-         * @return A array with two elements. The first/second element contains the
-         *         min and max IP address of the first/second IP address and its
-         *         subnet mask.
-         */
-        private byte[][] MinMaxIPs(
-            byte[] ip1,
-            byte[] subnetmask1,
-            byte[] ip2,
-            byte[] subnetmask2)
-        {
-            int ipLength = ip1.Length;
-            byte[] min1 = new byte[ipLength];
-            byte[] max1 = new byte[ipLength];
-
-            byte[] min2 = new byte[ipLength];
-            byte[] max2 = new byte[ipLength];
-
-            for (int i = 0; i < ipLength; i++)
-            {
-                min1[i] = (byte)(ip1[i] & subnetmask1[i]);
-                max1[i] = (byte)(ip1[i] & subnetmask1[i] | ~subnetmask1[i]);
-
-                min2[i] = (byte)(ip2[i] & subnetmask2[i]);
-                max2[i] = (byte)(ip2[i] & subnetmask2[i] | ~subnetmask2[i]);
-            }
-
-            return new byte[][] { min1, max1, min2, max2 };
-        }
-
-        private void CheckPermittedEmail(ISet permitted, String email)
-        //throws PkixNameConstraintValidatorException
-        {
-            if (permitted == null)
-            {
-                return;
-            }
-
-            IEnumerator it = permitted.GetEnumerator();
-
-            while (it.MoveNext())
-            {
-                String str = ((String)it.Current);
-
-                if (EmailIsConstrained(email, str))
-                {
-                    return;
-                }
-            }
-
-            if (email.Length == 0 && permitted.Count == 0)
-            {
-                return;
-            }
-
-            throw new PkixNameConstraintValidatorException(
-                "Subject email address is not from a permitted subtree.");
-        }
-
-        private void CheckExcludedEmail(ISet excluded, String email)
-        //throws PkixNameConstraintValidatorException
-        {
-            if (excluded.IsEmpty)
-            {
-                return;
-            }
-
-            IEnumerator it = excluded.GetEnumerator();
-
-            while (it.MoveNext())
-            {
-                String str = (String)it.Current;
-
-                if (EmailIsConstrained(email, str))
-                {
-                    throw new PkixNameConstraintValidatorException(
-                        "Email address is from an excluded subtree.");
-                }
-            }
-        }
-
-        /**
-         * Checks if the IP <code>ip</code> is included in the permitted ISet
-         * <code>permitted</code>.
-         *
-         * @param permitted A <code>Set</code> of permitted IP addresses with
-         *                  their subnet mask as byte arrays.
-         * @param ip        The IP address.
-         * @throws PkixNameConstraintValidatorException
-         *          if the IP is not permitted.
-         */
-        private void CheckPermittedIP(ISet permitted, byte[] ip)
-        //throws PkixNameConstraintValidatorException
-        {
-            if (permitted == null)
-            {
-                return;
-            }
-
-            IEnumerator it = permitted.GetEnumerator();
-
-            while (it.MoveNext())
-            {
-                byte[] ipWithSubnet = (byte[])it.Current;
-
-                if (IsIPConstrained(ip, ipWithSubnet))
-                {
-                    return;
-                }
-            }
-            if (ip.Length == 0 && permitted.Count == 0)
-            {
-                return;
-            }
-            throw new PkixNameConstraintValidatorException(
-                "IP is not from a permitted subtree.");
-        }
-
-        /**
-         * Checks if the IP <code>ip</code> is included in the excluded ISet
-         * <code>excluded</code>.
-         *
-         * @param excluded A <code>Set</code> of excluded IP addresses with their
-         *                 subnet mask as byte arrays.
-         * @param ip       The IP address.
-         * @throws PkixNameConstraintValidatorException
-         *          if the IP is excluded.
-         */
-        private void checkExcludedIP(ISet excluded, byte[] ip)
-        //throws PkixNameConstraintValidatorException
-        {
-            if (excluded.IsEmpty)
-            {
-                return;
-            }
-
-            IEnumerator it = excluded.GetEnumerator();
-
-            while (it.MoveNext())
-            {
-                byte[] ipWithSubnet = (byte[])it.Current;
-
-                if (IsIPConstrained(ip, ipWithSubnet))
-                {
-                    throw new PkixNameConstraintValidatorException(
-                        "IP is from an excluded subtree.");
-                }
-            }
-        }
-
-        /**
-         * Checks if the IP address <code>ip</code> is constrained by
-         * <code>constraint</code>.
-         *
-         * @param ip         The IP address.
-         * @param constraint The constraint. This is an IP address concatenated with
-         *                   its subnetmask.
-         * @return <code>true</code> if constrained, <code>false</code>
-         *         otherwise.
-         */
-        private bool IsIPConstrained(byte[] ip, byte[] constraint)
-        {
-            int ipLength = ip.Length;
-
-            if (ipLength != (constraint.Length / 2))
-            {
-                return false;
-            }
-
-            byte[] subnetMask = new byte[ipLength];
-            Array.Copy(constraint, ipLength, subnetMask, 0, ipLength);
-
-            byte[] permittedSubnetAddress = new byte[ipLength];
-
-            byte[] ipSubnetAddress = new byte[ipLength];
-
-            // the resulting IP address by applying the subnet mask
-            for (int i = 0; i < ipLength; i++)
-            {
-                permittedSubnetAddress[i] = (byte)(constraint[i] & subnetMask[i]);
-                ipSubnetAddress[i] = (byte)(ip[i] & subnetMask[i]);
-            }
-
-            return Org.BouncyCastle.Utilities.Arrays.AreEqual(permittedSubnetAddress, ipSubnetAddress);
-        }
-
-        private bool EmailIsConstrained(String email, String constraint)
-        {
-            String sub = email.Substring(email.IndexOf('@') + 1);
-            // a particular mailbox
-            if (constraint.IndexOf('@') != -1)
-            {
-                if (email.ToUpper().Equals(constraint.ToUpper()))
-                {
-                    return true;
-                }
-            }
-            // on particular host
-            else if (!(constraint[0].Equals('.')))
-            {
-                if (sub.ToUpper().Equals(constraint.ToUpper()))
-                {
-                    return true;
-                }
-            }
-            // address in sub domain
-            else if (WithinDomain(sub, constraint))
-            {
-                return true;
-            }
-            return false;
-        }
-
-        private bool WithinDomain(String testDomain, String domain)
-        {
-            String tempDomain = domain;
-            if (tempDomain.StartsWith("."))
-            {
-                tempDomain = tempDomain.Substring(1);
-            }
-            String[] domainParts = tempDomain.Split('.'); // Strings.split(tempDomain, '.');
-            String[] testDomainParts = testDomain.Split('.'); // Strings.split(testDomain, '.');
-
-            // must have at least one subdomain
-            if (testDomainParts.Length <= domainParts.Length)
-            {
-                return false;
-            }
-
-            int d = testDomainParts.Length - domainParts.Length;
-            for (int i = -1; i < domainParts.Length; i++)
-            {
-                if (i == -1)
-                {
-                    if (testDomainParts[i + d].Equals(""))
-                    {
-                        return false;
-                    }
-                }
-                else if (!(Platform.CompareIgnoreCase(testDomainParts[i + d], domainParts[i]) == 0))
-                {
-                    return false;
-                }
-            }
-            return true;
-        }
-
-        private void CheckPermittedDNS(ISet permitted, String dns)
-        //throws PkixNameConstraintValidatorException
-        {
-            if (permitted == null)
-            {
-                return;
-            }
-
-            IEnumerator it = permitted.GetEnumerator();
-
-            while (it.MoveNext())
-            {
-                String str = ((String)it.Current);
-
-                // is sub domain
-                if (WithinDomain(dns, str) || dns.ToUpper().Equals(str.ToUpper()))
-                {
-                    return;
-                }
-            }
-            if (dns.Length == 0 && permitted.Count == 0)
-            {
-                return;
-            }
-            throw new PkixNameConstraintValidatorException(
-                "DNS is not from a permitted subtree.");
-        }
-
-        private void checkExcludedDNS(ISet excluded, String dns)
-        //     throws PkixNameConstraintValidatorException
-        {
-            if (excluded.IsEmpty)
-            {
-                return;
-            }
-
-            IEnumerator it = excluded.GetEnumerator();
-
-            while (it.MoveNext())
-            {
-                String str = ((String)it.Current);
-
-                // is sub domain or the same
-				if (WithinDomain(dns, str) || (Platform.CompareIgnoreCase(dns, str) == 0))
-                {
-                    throw new PkixNameConstraintValidatorException(
-                        "DNS is from an excluded subtree.");
-                }
-            }
-        }
-
-        /**
-         * The common part of <code>email1</code> and <code>email2</code> is
-         * added to the union <code>union</code>. If <code>email1</code> and
-         * <code>email2</code> have nothing in common they are added both.
-         *
-         * @param email1 Email address constraint 1.
-         * @param email2 Email address constraint 2.
-         * @param union  The union.
-         */
-        private void unionEmail(String email1, String email2, ISet union)
-        {
-            // email1 is a particular address
-            if (email1.IndexOf('@') != -1)
-            {
-                String _sub = email1.Substring(email1.IndexOf('@') + 1);
-                // both are a particular mailbox
-                if (email2.IndexOf('@') != -1)
-                {
-                    if (Platform.CompareIgnoreCase(email1, email2) == 0)
-                    {
-                        union.Add(email1);
-                    }
-                    else
-                    {
-                        union.Add(email1);
-                        union.Add(email2);
-                    }
-                }
-                // email2 specifies a domain
-                else if (email2.StartsWith("."))
-                {
-                    if (WithinDomain(_sub, email2))
-                    {
-                        union.Add(email2);
-                    }
-                    else
-                    {
-                        union.Add(email1);
-                        union.Add(email2);
-                    }
-                }
-                // email2 specifies a particular host
-                else
-                {
-                    if (Platform.CompareIgnoreCase(_sub, email2) == 0)
-                    {
-                        union.Add(email2);
-                    }
-                    else
-                    {
-                        union.Add(email1);
-                        union.Add(email2);
-                    }
-                }
-            }
-            // email1 specifies a domain
-            else if (email1.StartsWith("."))
-            {
-                if (email2.IndexOf('@') != -1)
-                {
-                    String _sub = email2.Substring(email1.IndexOf('@') + 1);
-                    if (WithinDomain(_sub, email1))
-                    {
-                        union.Add(email1);
-                    }
-                    else
-                    {
-                        union.Add(email1);
-                        union.Add(email2);
-                    }
-                }
-                // email2 specifies a domain
-                else if (email2.StartsWith("."))
-                {
-                    if (WithinDomain(email1, email2) || Platform.CompareIgnoreCase(email1, email2) == 0)
-                    {
-                        union.Add(email2);
-                    }
-                    else if (WithinDomain(email2, email1))
-                    {
-                        union.Add(email1);
-                    }
-                    else
-                    {
-                        union.Add(email1);
-                        union.Add(email2);
-                    }
-                }
-                else
-                {
-                    if (WithinDomain(email2, email1))
-                    {
-                        union.Add(email1);
-                    }
-                    else
-                    {
-                        union.Add(email1);
-                        union.Add(email2);
-                    }
-                }
-            }
-            // email specifies a host
-            else
-            {
-                if (email2.IndexOf('@') != -1)
-                {
-                    String _sub = email2.Substring(email1.IndexOf('@') + 1);
-                    if (Platform.CompareIgnoreCase(_sub, email1) == 0)
-                    {
-                        union.Add(email1);
-                    }
-                    else
-                    {
-                        union.Add(email1);
-                        union.Add(email2);
-                    }
-                }
-                // email2 specifies a domain
-                else if (email2.StartsWith("."))
-                {
-                    if (WithinDomain(email1, email2))
-                    {
-                        union.Add(email2);
-                    }
-                    else
-                    {
-                        union.Add(email1);
-                        union.Add(email2);
-                    }
-                }
-                // email2 specifies a particular host
-                else
-                {
-                    if (Platform.CompareIgnoreCase(email1, email2) == 0)
-                    {
-                        union.Add(email1);
-                    }
-                    else
-                    {
-                        union.Add(email1);
-                        union.Add(email2);
-                    }
-                }
-            }
-        }
-
-        private void unionURI(String email1, String email2, ISet union)
-        {
-            // email1 is a particular address
-            if (email1.IndexOf('@') != -1)
-            {
-                String _sub = email1.Substring(email1.IndexOf('@') + 1);
-                // both are a particular mailbox
-                if (email2.IndexOf('@') != -1)
-                {
-                    if (Platform.CompareIgnoreCase(email1, email2) == 0)
-                    {
-                        union.Add(email1);
-                    }
-                    else
-                    {
-                        union.Add(email1);
-                        union.Add(email2);
-                    }
-                }
-                // email2 specifies a domain
-                else if (email2.StartsWith("."))
-                {
-                    if (WithinDomain(_sub, email2))
-                    {
-                        union.Add(email2);
-                    }
-                    else
-                    {
-                        union.Add(email1);
-                        union.Add(email2);
-                    }
-                }
-                // email2 specifies a particular host
-                else
-                {
-                    if (Platform.CompareIgnoreCase(_sub, email2) == 0)
-                    {
-                        union.Add(email2);
-                    }
-                    else
-                    {
-                        union.Add(email1);
-                        union.Add(email2);
-
-                    }
-                }
-            }
-            // email1 specifies a domain
-            else if (email1.StartsWith("."))
-            {
-                if (email2.IndexOf('@') != -1)
-                {
-                    String _sub = email2.Substring(email1.IndexOf('@') + 1);
-                    if (WithinDomain(_sub, email1))
-                    {
-                        union.Add(email1);
-                    }
-                    else
-                    {
-                        union.Add(email1);
-                        union.Add(email2);
-                    }
-                }
-                // email2 specifies a domain
-                else if (email2.StartsWith("."))
-                {
-                    if (WithinDomain(email1, email2) || Platform.CompareIgnoreCase(email1, email2) == 0)
-                    {
-                        union.Add(email2);
-                    }
-                    else if (WithinDomain(email2, email1))
-                    {
-                        union.Add(email1);
-                    }
-                    else
-                    {
-                        union.Add(email1);
-                        union.Add(email2);
-                    }
-                }
-                else
-                {
-                    if (WithinDomain(email2, email1))
-                    {
-                        union.Add(email1);
-                    }
-                    else
-                    {
-                        union.Add(email1);
-                        union.Add(email2);
-                    }
-                }
-            }
-            // email specifies a host
-            else
-            {
-                if (email2.IndexOf('@') != -1)
-                {
-                    String _sub = email2.Substring(email1.IndexOf('@') + 1);
-                    if (Platform.CompareIgnoreCase(_sub, email1) == 0)
-                    {
-                        union.Add(email1);
-                    }
-                    else
-                    {
-                        union.Add(email1);
-                        union.Add(email2);
-                    }
-                }
-                // email2 specifies a domain
-                else if (email2.StartsWith("."))
-                {
-                    if (WithinDomain(email1, email2))
-                    {
-                        union.Add(email2);
-                    }
-                    else
-                    {
-                        union.Add(email1);
-                        union.Add(email2);
-                    }
-                }
-                // email2 specifies a particular host
-                else
-                {
-                    if (Platform.CompareIgnoreCase(email1, email2) == 0)
-                    {
-                        union.Add(email1);
-                    }
-                    else
-                    {
-                        union.Add(email1);
-                        union.Add(email2);
-                    }
-                }
-            }
-        }
-
-        private ISet intersectDNS(ISet permitted, ISet dnss)
-        {
-            ISet intersect = new HashSet();
-            for (IEnumerator it = dnss.GetEnumerator(); it.MoveNext(); )
-            {
-                String dns = ExtractNameAsString(((GeneralSubtree)it.Current)
-                    .Base);
-                if (permitted == null)
-                {
-                    if (dns != null)
-                    {
-                        intersect.Add(dns);
-                    }
-                }
-                else
-                {
-                    IEnumerator _iter = permitted.GetEnumerator();
-                    while (_iter.MoveNext())
-                    {
-                        String _permitted = (String)_iter.Current;
-
-                        if (WithinDomain(_permitted, dns))
-                        {
-                            intersect.Add(_permitted);
-                        }
-                        else if (WithinDomain(dns, _permitted))
-                        {
-                            intersect.Add(dns);
-                        }
-                    }
-                }
-            }
-
-            return intersect;
-        }
-
-        protected ISet unionDNS(ISet excluded, String dns)
-        {
-            if (excluded.IsEmpty)
-            {
-                if (dns == null)
-                {
-                    return excluded;
-                }
-                excluded.Add(dns);
-
-                return excluded;
-            }
-            else
-            {
-                ISet union = new HashSet();
-
-                IEnumerator _iter = excluded.GetEnumerator();
-                while (_iter.MoveNext())
-                {
-                    String _permitted = (String)_iter.Current;
-
-                    if (WithinDomain(_permitted, dns))
-                    {
-                        union.Add(dns);
-                    }
-                    else if (WithinDomain(dns, _permitted))
-                    {
-                        union.Add(_permitted);
-                    }
-                    else
-                    {
-                        union.Add(_permitted);
-                        union.Add(dns);
-                    }
-                }
-
-                return union;
-            }
-        }
-
-        /**
-         * The most restricting part from <code>email1</code> and
-         * <code>email2</code> is added to the intersection <code>intersect</code>.
-         *
-         * @param email1    Email address constraint 1.
-         * @param email2    Email address constraint 2.
-         * @param intersect The intersection.
-         */
-        private void intersectEmail(String email1, String email2, ISet intersect)
-        {
-            // email1 is a particular address
-            if (email1.IndexOf('@') != -1)
-            {
-                String _sub = email1.Substring(email1.IndexOf('@') + 1);
-                // both are a particular mailbox
-                if (email2.IndexOf('@') != -1)
-                {
-                    if (Platform.CompareIgnoreCase(email1, email2) == 0)
-                    {
-                        intersect.Add(email1);
-                    }
-                }
-                // email2 specifies a domain
-                else if (email2.StartsWith("."))
-                {
-                    if (WithinDomain(_sub, email2))
-                    {
-                        intersect.Add(email1);
-                    }
-                }
-                // email2 specifies a particular host
-                else
-                {
-                    if (Platform.CompareIgnoreCase(_sub, email2) == 0)
-                    {
-                        intersect.Add(email1);
-                    }
-                }
-            }
-            // email specifies a domain
-            else if (email1.StartsWith("."))
-            {
-                if (email2.IndexOf('@') != -1)
-                {
-                    String _sub = email2.Substring(email1.IndexOf('@') + 1);
-                    if (WithinDomain(_sub, email1))
-                    {
-                        intersect.Add(email2);
-                    }
-                }
-                // email2 specifies a domain
-                else if (email2.StartsWith("."))
-                {
-                    if (WithinDomain(email1, email2) || (Platform.CompareIgnoreCase(email1, email2) == 0))
-                    {
-                        intersect.Add(email1);
-                    }
-                    else if (WithinDomain(email2, email1))
-                    {
-                        intersect.Add(email2);
-                    }
-                }
-                else
-                {
-                    if (WithinDomain(email2, email1))
-                    {
-                        intersect.Add(email2);
-                    }
-                }
-            }
-            // email1 specifies a host
-            else
-            {
-                if (email2.IndexOf('@') != -1)
-                {
-                    String _sub = email2.Substring(email2.IndexOf('@') + 1);
-                    if (Platform.CompareIgnoreCase(_sub, email1) == 0)
-                    {
-                        intersect.Add(email2);
-                    }
-                }
-                // email2 specifies a domain
-                else if (email2.StartsWith("."))
-                {
-                    if (WithinDomain(email1, email2))
-                    {
-                        intersect.Add(email1);
-                    }
-                }
-                // email2 specifies a particular host
-                else
-                {
-                    if (Platform.CompareIgnoreCase(email1, email2) == 0)
-                    {
-                        intersect.Add(email1);
-                    }
-                }
-            }
-        }
-
-        private void checkExcludedURI(ISet excluded, String uri)
-        //       throws PkixNameConstraintValidatorException
-        {
-            if (excluded.IsEmpty)
-            {
-                return;
-            }
-
-            IEnumerator it = excluded.GetEnumerator();
-
-            while (it.MoveNext())
-            {
-                String str = ((String)it.Current);
-
-                if (IsUriConstrained(uri, str))
-                {
-                    throw new PkixNameConstraintValidatorException(
-                        "URI is from an excluded subtree.");
-                }
-            }
-        }
-
-        private ISet intersectURI(ISet permitted, ISet uris)
-        {
-            ISet intersect = new HashSet();
-            for (IEnumerator it = uris.GetEnumerator(); it.MoveNext(); )
-            {
-                String uri = ExtractNameAsString(((GeneralSubtree)it.Current)
-                    .Base);
-                if (permitted == null)
-                {
-                    if (uri != null)
-                    {
-                        intersect.Add(uri);
-                    }
-                }
-                else
-                {
-                    IEnumerator _iter = permitted.GetEnumerator();
-                    while (_iter.MoveNext())
-                    {
-                        String _permitted = (String)_iter.Current;
-                        intersectURI(_permitted, uri, intersect);
-                    }
-                }
-            }
-            return intersect;
-        }
-
-        private ISet unionURI(ISet excluded, String uri)
-        {
-            if (excluded.IsEmpty)
-            {
-                if (uri == null)
-                {
-                    return excluded;
-                }
-                excluded.Add(uri);
-
-                return excluded;
-            }
-            else
-            {
-                ISet union = new HashSet();
-
-                IEnumerator _iter = excluded.GetEnumerator();
-                while (_iter.MoveNext())
-                {
-                    String _excluded = (String)_iter.Current;
-
-                    unionURI(_excluded, uri, union);
-                }
-
-                return union;
-            }
-        }
-
-        private void intersectURI(String email1, String email2, ISet intersect)
-        {
-            // email1 is a particular address
-            if (email1.IndexOf('@') != -1)
-            {
-                String _sub = email1.Substring(email1.IndexOf('@') + 1);
-                // both are a particular mailbox
-                if (email2.IndexOf('@') != -1)
-                {
-                    if (Platform.CompareIgnoreCase(email1, email2) == 0)
-                    {
-                        intersect.Add(email1);
-                    }
-                }
-                // email2 specifies a domain
-                else if (email2.StartsWith("."))
-                {
-                    if (WithinDomain(_sub, email2))
-                    {
-                        intersect.Add(email1);
-                    }
-                }
-                // email2 specifies a particular host
-                else
-                {
-                    if (Platform.CompareIgnoreCase(_sub, email2) == 0)
-                    {
-                        intersect.Add(email1);
-                    }
-                }
-            }
-            // email specifies a domain
-            else if (email1.StartsWith("."))
-            {
-                if (email2.IndexOf('@') != -1)
-                {
-                    String _sub = email2.Substring(email1.IndexOf('@') + 1);
-                    if (WithinDomain(_sub, email1))
-                    {
-                        intersect.Add(email2);
-                    }
-                }
-                // email2 specifies a domain
-                else if (email2.StartsWith("."))
-                {
-                    if (WithinDomain(email1, email2) || (Platform.CompareIgnoreCase(email1, email2) == 0))
-                    {
-                        intersect.Add(email1);
-                    }
-                    else if (WithinDomain(email2, email1))
-                    {
-                        intersect.Add(email2);
-                    }
-                }
-                else
-                {
-                    if (WithinDomain(email2, email1))
-                    {
-                        intersect.Add(email2);
-                    }
-                }
-            }
-            // email1 specifies a host
-            else
-            {
-                if (email2.IndexOf('@') != -1)
-                {
-                    String _sub = email2.Substring(email2.IndexOf('@') + 1);
-                    if (Platform.CompareIgnoreCase(_sub, email1) == 0)
-                    {
-                        intersect.Add(email2);
-                    }
-                }
-                // email2 specifies a domain
-                else if (email2.StartsWith("."))
-                {
-                    if (WithinDomain(email1, email2))
-                    {
-                        intersect.Add(email1);
-                    }
-                }
-                // email2 specifies a particular host
-                else
-                {
-                    if (Platform.CompareIgnoreCase(email1, email2) == 0)
-                    {
-                        intersect.Add(email1);
-                    }
-                }
-            }
-        }
-
-        private void CheckPermittedURI(ISet permitted, String uri)
-        //        throws PkixNameConstraintValidatorException
-        {
-            if (permitted == null)
-            {
-                return;
-            }
-
-            IEnumerator it = permitted.GetEnumerator();
-
-            while (it.MoveNext())
-            {
-                String str = ((String)it.Current);
-
-                if (IsUriConstrained(uri, str))
-                {
-                    return;
-                }
-            }
-            if (uri.Length == 0 && permitted.Count == 0)
-            {
-                return;
-            }
-            throw new PkixNameConstraintValidatorException(
-                "URI is not from a permitted subtree.");
-        }
-
-        private bool IsUriConstrained(String uri, String constraint)
-        {
-            String host = ExtractHostFromURL(uri);
-            // a host
-            if (!constraint.StartsWith("."))
-            {
-                if (Platform.CompareIgnoreCase(host, constraint) == 0)
-                {
-                    return true;
-                }
-            }
-
-            // in sub domain or domain
-            else if (WithinDomain(host, constraint))
-            {
-                return true;
-            }
-
-            return false;
-        }
-
-        private static String ExtractHostFromURL(String url)
-        {
-            // see RFC 1738
-            // remove ':' after protocol, e.g. http:
-            String sub = url.Substring(url.IndexOf(':') + 1);
-            // extract host from Common Internet Scheme Syntax, e.g. http://
-            if (sub.IndexOf("//") != -1)
-            {
-                sub = sub.Substring(sub.IndexOf("//") + 2);
-            }
-            // first remove port, e.g. http://test.com:21
-            if (sub.LastIndexOf(':') != -1)
-            {
-                sub = sub.Substring(0, sub.LastIndexOf(':'));
-            }
-            // remove user and password, e.g. http://john:password@test.com
-            sub = sub.Substring(sub.IndexOf(':') + 1);
-            sub = sub.Substring(sub.IndexOf('@') + 1);
-            // remove local parts, e.g. http://test.com/bla
-            if (sub.IndexOf('/') != -1)
-            {
-                sub = sub.Substring(0, sub.IndexOf('/'));
-            }
-            return sub;
-        }
-
-        /**
-         * Checks if the given GeneralName is in the permitted ISet.
-         *
-         * @param name The GeneralName
-         * @throws PkixNameConstraintValidatorException
-         *          If the <code>name</code>
-         */
-        public void checkPermitted(GeneralName name)
-        //        throws PkixNameConstraintValidatorException
-        {
-            switch (name.TagNo)
-            {
-                case 1:
-                    CheckPermittedEmail(permittedSubtreesEmail,
-                        ExtractNameAsString(name));
-                    break;
-                case 2:
-                    CheckPermittedDNS(permittedSubtreesDNS, DerIA5String.GetInstance(
-                        name.Name).GetString());
-                    break;
-                case 4:
-                    CheckPermittedDN(Asn1Sequence.GetInstance(name.Name.ToAsn1Object()));
-                    break;
-                case 6:
-                    CheckPermittedURI(permittedSubtreesURI, DerIA5String.GetInstance(
-                        name.Name).GetString());
-                    break;
-                case 7:
-                    byte[] ip = Asn1OctetString.GetInstance(name.Name).GetOctets();
-
-                    CheckPermittedIP(permittedSubtreesIP, ip);
-                    break;
-            }
-        }
-
-        /**
-         * Check if the given GeneralName is contained in the excluded ISet.
-         *
-         * @param name The GeneralName.
-         * @throws PkixNameConstraintValidatorException
-         *          If the <code>name</code> is
-         *          excluded.
-         */
-        public void checkExcluded(GeneralName name)
-        //        throws PkixNameConstraintValidatorException
-        {
-            switch (name.TagNo)
-            {
-                case 1:
-                    CheckExcludedEmail(excludedSubtreesEmail, ExtractNameAsString(name));
-                    break;
-                case 2:
-                    checkExcludedDNS(excludedSubtreesDNS, DerIA5String.GetInstance(
-                        name.Name).GetString());
-                    break;
-                case 4:
-                    CheckExcludedDN(Asn1Sequence.GetInstance(name.Name.ToAsn1Object()));
-                    break;
-                case 6:
-                    checkExcludedURI(excludedSubtreesURI, DerIA5String.GetInstance(
-                        name.Name).GetString());
-                    break;
-                case 7:
-                    byte[] ip = Asn1OctetString.GetInstance(name.Name).GetOctets();
-
-                    checkExcludedIP(excludedSubtreesIP, ip);
-                    break;
-            }
-        }
-
-        /**
-         * Updates the permitted ISet of these name constraints with the intersection
-         * with the given subtree.
-         *
-         * @param permitted The permitted subtrees
-         */
-
-        public void IntersectPermittedSubtree(Asn1Sequence permitted)
-        {
-            IDictionary subtreesMap = Platform.CreateHashtable();
-
-            // group in ISets in a map ordered by tag no.
-            for (IEnumerator e = permitted.GetEnumerator(); e.MoveNext(); )
-            {
-                GeneralSubtree subtree = GeneralSubtree.GetInstance(e.Current);
-
-                int tagNo = subtree.Base.TagNo;
-                if (subtreesMap[tagNo] == null)
-                {
-                    subtreesMap[tagNo] = new HashSet();
-                }
-
-                ((ISet)subtreesMap[tagNo]).Add(subtree);
-            }
-
-            for (IEnumerator it = subtreesMap.GetEnumerator(); it.MoveNext(); )
-            {
-                DictionaryEntry entry = (DictionaryEntry)it.Current;
-
-                // go through all subtree groups
-                switch ((int)entry.Key )
-                {
-                    case 1:
-                        permittedSubtreesEmail = IntersectEmail(permittedSubtreesEmail,
-                            (ISet)entry.Value);
-                        break;
-                    case 2:
-                        permittedSubtreesDNS = intersectDNS(permittedSubtreesDNS,
-                            (ISet)entry.Value);
-                        break;
-                    case 4:
-                        permittedSubtreesDN = IntersectDN(permittedSubtreesDN,
-                            (ISet)entry.Value);
-                        break;
-                    case 6:
-                        permittedSubtreesURI = intersectURI(permittedSubtreesURI,
-                            (ISet)entry.Value);
-                        break;
-                    case 7:
-                        permittedSubtreesIP = IntersectIP(permittedSubtreesIP,
-                            (ISet)entry.Value);
-                        break;
-                }
-            }
-        }
-
-        private String ExtractNameAsString(GeneralName name)
-        {
-            return DerIA5String.GetInstance(name.Name).GetString();
-        }
-
-        public void IntersectEmptyPermittedSubtree(int nameType)
-        {
-            switch (nameType)
-            {
-                case 1:
-                    permittedSubtreesEmail = new HashSet();
-                    break;
-                case 2:
-                    permittedSubtreesDNS = new HashSet();
-                    break;
-                case 4:
-                    permittedSubtreesDN = new HashSet();
-                    break;
-                case 6:
-                    permittedSubtreesURI = new HashSet();
-                    break;
-                case 7:
-                    permittedSubtreesIP = new HashSet();
-                    break;
-            }
-        }
-
-        /**
-         * Adds a subtree to the excluded ISet of these name constraints.
-         *
-         * @param subtree A subtree with an excluded GeneralName.
-         */
-        public void AddExcludedSubtree(GeneralSubtree subtree)
-        {
-            GeneralName subTreeBase = subtree.Base;
-
-            switch (subTreeBase.TagNo)
-            {
-                case 1:
-                    excludedSubtreesEmail = UnionEmail(excludedSubtreesEmail,
-                        ExtractNameAsString(subTreeBase));
-                    break;
-                case 2:
-                    excludedSubtreesDNS = unionDNS(excludedSubtreesDNS,
-                        ExtractNameAsString(subTreeBase));
-                    break;
-                case 4:
-                    excludedSubtreesDN = UnionDN(excludedSubtreesDN,
-                        (Asn1Sequence)subTreeBase.Name.ToAsn1Object());
-                    break;
-                case 6:
-                    excludedSubtreesURI = unionURI(excludedSubtreesURI,
-                        ExtractNameAsString(subTreeBase));
-                    break;
-                case 7:
-                    excludedSubtreesIP = UnionIP(excludedSubtreesIP, Asn1OctetString
-                        .GetInstance(subTreeBase.Name).GetOctets());
-                    break;
-            }
-        }
-
-        /**
-         * Returns the maximum IP address.
-         *
-         * @param ip1 The first IP address.
-         * @param ip2 The second IP address.
-         * @return The maximum IP address.
-         */
-        private static byte[] Max(byte[] ip1, byte[] ip2)
-        {
-            for (int i = 0; i < ip1.Length; i++)
-            {
-                if ((ip1[i] & 0xFFFF) > (ip2[i] & 0xFFFF))
-                {
-                    return ip1;
-                }
-            }
-            return ip2;
-        }
-
-        /**
-         * Returns the minimum IP address.
-         *
-         * @param ip1 The first IP address.
-         * @param ip2 The second IP address.
-         * @return The minimum IP address.
-         */
-        private static byte[] Min(byte[] ip1, byte[] ip2)
-        {
-            for (int i = 0; i < ip1.Length; i++)
-            {
-                if ((ip1[i] & 0xFFFF) < (ip2[i] & 0xFFFF))
-                {
-                    return ip1;
-                }
-            }
-            return ip2;
-        }
-
-        /**
-         * Compares IP address <code>ip1</code> with <code>ip2</code>. If ip1
-         * is equal to ip2 0 is returned. If ip1 is bigger 1 is returned, -1
-         * otherwise.
-         *
-         * @param ip1 The first IP address.
-         * @param ip2 The second IP address.
-         * @return 0 if ip1 is equal to ip2, 1 if ip1 is bigger, -1 otherwise.
-         */
-        private static int CompareTo(byte[] ip1, byte[] ip2)
-        {
-            if (Org.BouncyCastle.Utilities.Arrays.AreEqual(ip1, ip2))
-            {
-                return 0;
-            }
-            if (Org.BouncyCastle.Utilities.Arrays.AreEqual(Max(ip1, ip2), ip1))
-            {
-                return 1;
-            }
-            return -1;
-        }
-
-        /**
-         * Returns the logical OR of the IP addresses <code>ip1</code> and
-         * <code>ip2</code>.
-         *
-         * @param ip1 The first IP address.
-         * @param ip2 The second IP address.
-         * @return The OR of <code>ip1</code> and <code>ip2</code>.
-         */
-        private static byte[] Or(byte[] ip1, byte[] ip2)
-        {
-            byte[] temp = new byte[ip1.Length];
-            for (int i = 0; i < ip1.Length; i++)
-            {
-                temp[i] = (byte)(ip1[i] | ip2[i]);
-            }
-            return temp;
-        }
-
-		[Obsolete("Use GetHashCode instead")]
-		public int HashCode()
-		{
-			return GetHashCode();
-		}
-
-		public override int GetHashCode()
-        {
-            return HashCollection(excludedSubtreesDN)
-                + HashCollection(excludedSubtreesDNS)
-                + HashCollection(excludedSubtreesEmail)
-                + HashCollection(excludedSubtreesIP)
-                + HashCollection(excludedSubtreesURI)
-                + HashCollection(permittedSubtreesDN)
-                + HashCollection(permittedSubtreesDNS)
-                + HashCollection(permittedSubtreesEmail)
-                + HashCollection(permittedSubtreesIP)
-                + HashCollection(permittedSubtreesURI);
-        }
-
-        private int HashCollection(ICollection coll)
-        {
-            if (coll == null)
-            {
-                return 0;
-            }
-            int hash = 0;
-            IEnumerator it1 = coll.GetEnumerator();
-            while (it1.MoveNext())
-            {
-                Object o = it1.Current;
-                if (o is byte[])
-                {
-                    hash += Org.BouncyCastle.Utilities.Arrays.GetHashCode((byte[])o);
-                }
-                else
-                {
-                    hash += o.GetHashCode();
-                }
-            }
-            return hash;
-        }
-
-		public override bool Equals(Object o)
-		{
-			if (!(o is PkixNameConstraintValidator))
-				return false;
-
-			PkixNameConstraintValidator constraintValidator = (PkixNameConstraintValidator)o;
-
-			return CollectionsAreEqual(constraintValidator.excludedSubtreesDN, excludedSubtreesDN)
-				&& CollectionsAreEqual(constraintValidator.excludedSubtreesDNS, excludedSubtreesDNS)
-				&& CollectionsAreEqual(constraintValidator.excludedSubtreesEmail, excludedSubtreesEmail)
-				&& CollectionsAreEqual(constraintValidator.excludedSubtreesIP, excludedSubtreesIP)
-				&& CollectionsAreEqual(constraintValidator.excludedSubtreesURI, excludedSubtreesURI)
-				&& CollectionsAreEqual(constraintValidator.permittedSubtreesDN, permittedSubtreesDN)
-				&& CollectionsAreEqual(constraintValidator.permittedSubtreesDNS, permittedSubtreesDNS)
-				&& CollectionsAreEqual(constraintValidator.permittedSubtreesEmail, permittedSubtreesEmail)
-				&& CollectionsAreEqual(constraintValidator.permittedSubtreesIP, permittedSubtreesIP)
-				&& CollectionsAreEqual(constraintValidator.permittedSubtreesURI, permittedSubtreesURI);
-		}
-
-        private bool CollectionsAreEqual(ICollection coll1, ICollection coll2)
-        {
-            if (coll1 == coll2)
-            {
-                return true;
-            }
-            if (coll1 == null || coll2 == null)
-            {
-                return false;
-            }
-            if (coll1.Count != coll2.Count)
-            {
-                return false;
-            }
-            IEnumerator it1 = coll1.GetEnumerator();
-
-            while (it1.MoveNext())
-            {
-                Object a = it1.Current;
-                IEnumerator it2 = coll2.GetEnumerator();
-                bool found = false;
-                while (it2.MoveNext())
-                {
-                    Object b = it2.Current;
-                    if (SpecialEquals(a, b))
-                    {
-                        found = true;
-                        break;
-                    }
-                }
-                if (!found)
-                {
-                    return false;
-                }
-            }
-            return true;
-        }
-
-        private bool SpecialEquals(Object o1, Object o2)
-        {
-            if (o1 == o2)
-            {
-                return true;
-            }
-            if (o1 == null || o2 == null)
-            {
-                return false;
-            }
-            if ((o1 is byte[]) && (o2 is byte[]))
-            {
-                return Org.BouncyCastle.Utilities.Arrays.AreEqual((byte[])o1, (byte[])o2);
-            }
-            else
-            {
-                return o1.Equals(o2);
-            }
-        }
-
-        /**
-         * Stringifies an IPv4 or v6 address with subnet mask.
-         *
-         * @param ip The IP with subnet mask.
-         * @return The stringified IP address.
-         */
-        private String StringifyIP(byte[] ip)
-        {
-            String temp = "";
-            for (int i = 0; i < ip.Length / 2; i++)
-            {
-                //temp += Integer.toString(ip[i] & 0x00FF) + ".";
-                temp += (ip[i] & 0x00FF) + ".";
-            }
-            temp = temp.Substring(0, temp.Length - 1);
-            temp += "/";
-            for (int i = ip.Length / 2; i < ip.Length; i++)
-            {
-                //temp += Integer.toString(ip[i] & 0x00FF) + ".";
-                temp += (ip[i] & 0x00FF) + ".";
-            }
-            temp = temp.Substring(0, temp.Length - 1);
-            return temp;
-        }
-
-        private String StringifyIPCollection(ISet ips)
-        {
-            String temp = "";
-            temp += "[";
-            for (IEnumerator it = ips.GetEnumerator(); it.MoveNext(); )
-            {
-                temp += StringifyIP((byte[])it.Current) + ",";
-            }
-            if (temp.Length > 1)
-            {
-                temp = temp.Substring(0, temp.Length - 1);
-            }
-            temp += "]";
-
-            return temp;
-        }
-
-        public override String ToString()
-        {
-            String temp = "";
-
-            temp += "permitted:\n";
-            if (permittedSubtreesDN != null)
-            {
-                temp += "DN:\n";
-                temp += permittedSubtreesDN.ToString() + "\n";
-            }
-            if (permittedSubtreesDNS != null)
-            {
-                temp += "DNS:\n";
-                temp += permittedSubtreesDNS.ToString() + "\n";
-            }
-            if (permittedSubtreesEmail != null)
-            {
-                temp += "Email:\n";
-                temp += permittedSubtreesEmail.ToString() + "\n";
-            }
-            if (permittedSubtreesURI != null)
-            {
-                temp += "URI:\n";
-                temp += permittedSubtreesURI.ToString() + "\n";
-            }
-            if (permittedSubtreesIP != null)
-            {
-                temp += "IP:\n";
-                temp += StringifyIPCollection(permittedSubtreesIP) + "\n";
-            }
-            temp += "excluded:\n";
-            if (!(excludedSubtreesDN.IsEmpty))
-            {
-                temp += "DN:\n";
-                temp += excludedSubtreesDN.ToString() + "\n";
-            }
-            if (!excludedSubtreesDNS.IsEmpty)
-            {
-                temp += "DNS:\n";
-                temp += excludedSubtreesDNS.ToString() + "\n";
-            }
-            if (!excludedSubtreesEmail.IsEmpty)
-            {
-                temp += "Email:\n";
-                temp += excludedSubtreesEmail.ToString() + "\n";
-            }
-            if (!excludedSubtreesURI.IsEmpty)
-            {
-                temp += "URI:\n";
-                temp += excludedSubtreesURI.ToString() + "\n";
-            }
-            if (!excludedSubtreesIP.IsEmpty)
-            {
-                temp += "IP:\n";
-                temp += StringifyIPCollection(excludedSubtreesIP) + "\n";
-            }
-            return temp;
-        }
-
-    }
-}