From df061f598d00d6b7f70cfdb31ab521027573d381 Mon Sep 17 00:00:00 2001
From: David Hook
Date: Sun, 23 May 2021 12:27:29 +1000
Subject: allowed for null policy OID
---
 crypto/src/tsp/TimeStampTokenGenerator.cs | 24 +++++++------
 crypto/test/src/tsp/test/TSPTest.cs | 56 +++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+), 11 deletions(-)
diff --git a/crypto/src/tsp/TimeStampTokenGenerator.cs b/crypto/src/tsp/TimeStampTokenGenerator.cs
index dad0db63b..4783c8772 100644
--- a/crypto/src/tsp/TimeStampTokenGenerator.cs
+++ b/crypto/src/tsp/TimeStampTokenGenerator.cs
@@ -3,6 +3,7 @@ using System.Collections;
 using System.IO;
 using System.Text;
 using Org.BouncyCastle.Asn1;
+using Org.BouncyCastle.Asn1.Cmp;
 using Org.BouncyCastle.Asn1.Cms;
 using Org.BouncyCastle.Asn1.Ess;
 using Org.BouncyCastle.Asn1.Oiw;
@@ -31,7 +32,7 @@ namespace Org.BouncyCastle.Tsp
 private int accuracyMicros = -1;
 private bool ordering = false;
 private GeneralName tsa = null;
- private String tsaPolicyOID;
+ private DerObjectIdentifier tsaPolicyOID;
 private IX509Store x509Certs;
 private IX509Store x509Crls;
@@ -68,7 +69,7 @@ namespace Org.BouncyCastle.Tsp
 this.signerInfoGenerator = signerInfoGen;
 this.digestCalculator = digestCalculator;
- this.tsaPolicyOID = tsaPolicy.Id;
+ this.tsaPolicyOID = tsaPolicy;
 if (signerInfoGenerator.certificate == null)
 {
@@ -138,12 +139,8 @@ namespace Org.BouncyCastle.Tsp
 Asn1.Cms.AttributeTable unsignedAttr)
 : this(
 makeInfoGenerator(key, cert, digestOID, signedAttr, unsignedAttr),
 Asn1DigestFactory.Get(OiwObjectIdentifiers.IdSha1),
- tsaPolicyOID != null?new DerObjectIdentifier(tsaPolicyOID):null, false)
+ tsaPolicyOID != null ? new DerObjectIdentifier(tsaPolicyOID):null, false)
 {
-
- this.tsaPolicyOID = tsaPolicyOID;
-
-
 }
@@ -261,7 +258,7 @@ namespace Org.BouncyCastle.Tsp
 }
- public TimeStampToken Generate(
+ public TimeStampToken Generate(
 TimeStampRequest request,
 BigInteger serialNumber,
 DateTime genTime,
 X509Extensions additionalExtensions)
@@ -306,13 +303,17 @@ namespace Org.BouncyCastle.Tsp
 {
 nonce = new DerInteger(request.Nonce);
 }
-
- DerObjectIdentifier tsaPolicy = new DerObjectIdentifier(tsaPolicyOID);
+
+ DerObjectIdentifier tsaPolicy = tsaPolicyOID;
 if (request.ReqPolicy != null)
 {
 tsaPolicy = new DerObjectIdentifier(request.ReqPolicy);
 }
+ if (tsaPolicy == null)
+ {
+ throw new TspValidationException("request contains no policy", PkiFailureInfo.UnacceptedPolicy);
+ }
 X509Extensions respExtensions = request.Extensions;
 if (additionalExtensions != null)
@@ -344,7 +345,8 @@ namespace Org.BouncyCastle.Tsp
 if (resolution != Resolution.R_SECONDS)
 {
 generalizedTime = new DerGeneralizedTime(createGeneralizedTime(genTime));
- } else
+ }
+ else
 {
 generalizedTime = new DerGeneralizedTime(genTime);
 }
diff --git a/crypto/test/src/tsp/test/TSPTest.cs b/crypto/test/src/tsp/test/TSPTest.cs
index 968929b6d..4a4f2e28f 100644
--- a/crypto/test/src/tsp/test/TSPTest.cs
+++ b/crypto/test/src/tsp/test/TSPTest.cs
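Review bot: In the new policy selection a policy carried in the request replaces the configured tsaPolicyOID unconditionally, so the added `if (tsaPolicy == null)` guard only covers the no-policy case and a requested policy the TSA does not actually support is still stamped as-is; RFC 3161 expects such a request to be refused with unacceptedPolicy too, and the commit leaves that unaddressed (this behaviour predates the commit, so it may be a deliberate scope choice). The message on the new throw also describes only half of the condition; suggest `throw new TspValidationException("no policy in request and no default policy configured", PkiFailureInfo.UnacceptedPolicy);`. Generate's body continues outside the hunk on both sides.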
@@ -297,6 +297,62 @@ namespace Org.BouncyCastle.Tsp.Tests
 }
 }
+ [Test]
+ public void TestNullPolicy()
+ {
+ // null in request and token generator - should fail
+ TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(
+ privateKey, cert, TspAlgorithms.Sha1, null);
+
+ tsTokenGen.SetCertificates(certs);
+
+ TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
+
+ TimeStampRequest request = reqGen.Generate(TspAlgorithms.Sha1, new byte[20]);
+
+ TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed, null);
+
+ TimeStampResponse tsResp = tsRespGen.Generate(request, BigInteger.ValueOf(23), DateTime.UtcNow);
+
+ tsResp = new TimeStampResponse(tsResp.GetEncoded());
+
+ TimeStampToken tsToken = tsResp.TimeStampToken;
+
+ if (tsToken != null)
+ {
+ Assert.Fail("badPolicy - token not null.");
+ }
+
+ PkiFailureInfo failInfo = tsResp.GetFailInfo();
+
+ if (failInfo == null)
+ {
+ Assert.Fail("badPolicy - failInfo set to null.");
+ }
+
+ if (failInfo.IntValue != PkiFailureInfo.UnacceptedPolicy)
+ {
+ Assert.Fail("badPolicy - wrong failure info returned.");
+ }
+
+ // request specifies policy, token generator doesn't - should work
+ reqGen = new TimeStampRequestGenerator();
+
+ reqGen.SetReqPolicy("1.1");
+
+ request = reqGen.Generate(TspAlgorithms.Sha1, new byte[20]);
+
+ tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed, null);
+
+ tsResp = tsRespGen.Generate(request, BigInteger.ValueOf(24), DateTime.UtcNow);
+
+ tsResp = new TimeStampResponse(tsResp.GetEncoded());
+
+ tsToken = tsResp.TimeStampToken;
+
+ Assert.AreEqual(tsToken.TimeStampInfo.Policy, "1.1"); // policy should be picked up off request
+ }
+
 [Test]
 public void TestCertReq()
 {
-- cgit 1.4.1
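Review bot: The final assertion in TestNullPolicy dereferences `tsToken.TimeStampInfo` without first checking that the second response actually carried a token, so a regression in the request-policy path would surface as a NullReferenceException instead of a readable assertion failure. The same line also passes the arguments to Assert.AreEqual in actual-expected order, the reverse of NUnit's expected-actual convention, which makes its failure message misleading. Suggest `Assert.IsNotNull(tsToken, "policy from request - token not returned");` before the comparison and `Assert.AreEqual("1.1", tsToken.TimeStampInfo.Policy);` in place of the existing line.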