using System; using System.Collections.Generic; using Org.BouncyCastle.Utilities.Collections; using Org.BouncyCastle.X509; namespace Org.BouncyCastle.Pkix { /// /// Summary description for PkixParameters. /// public class PkixParameters { /** * This is the default PKIX validity model. Actually there are two variants * of this: The PKIX model and the modified PKIX model. The PKIX model * verifies that all involved certificates must have been valid at the * current time. The modified PKIX model verifies that all involved * certificates were valid at the signing time. Both are indirectly choosen * with the {@link PKIXParameters#setDate(java.util.Date)} method, so this * methods sets the Date when all certificates must have been * valid. */ public const int PkixValidityModel = 0; /** * This model uses the following validity model. Each certificate must have * been valid at the moment where is was used. That means the end * certificate must have been valid at the time the signature was done. The * CA certificate which signed the end certificate must have been valid, * when the end certificate was signed. The CA (or Root CA) certificate must * have been valid, when the CA certificate was signed and so on. So the * {@link PKIXParameters#setDate(java.util.Date)} method sets the time, when * the end certificate must have been valid.

It is used e.g. * in the German signature law. */ public const int ChainValidityModel = 1; private HashSet trustAnchors; private DateTime? date; private List m_checkers; private bool revocationEnabled = true; private HashSet initialPolicies; //private bool checkOnlyEECertificateCrl = false; private bool explicitPolicyRequired = false; private bool anyPolicyInhibited = false; private bool policyMappingInhibited = false; private bool policyQualifiersRejected = true; private List> m_storesAttrCert; private List> m_storesCert; private List> m_storesCrl; private ISelector m_targetConstraintsAttrCert; private ISelector m_targetConstraintsCert; private bool additionalLocationsEnabled; private ISet trustedACIssuers; private ISet necessaryACAttributes; private ISet prohibitedACAttributes; private ISet attrCertCheckers; private int validityModel = PkixValidityModel; private bool useDeltas = false; /** * Creates an instance of PKIXParameters with the specified Set of * most-trusted CAs. Each element of the set is a TrustAnchor.
*
* Note that the Set is copied to protect against subsequent modifications. * * @param trustAnchors * a Set of TrustAnchors * * @exception InvalidAlgorithmParameterException * if the specified Set is empty * (trustAnchors.isEmpty() == true) * @exception NullPointerException * if the specified Set is null * @exception ClassCastException * if any of the elements in the Set are not of type * java.security.cert.TrustAnchor */ public PkixParameters(ISet trustAnchors) { SetTrustAnchors(trustAnchors); this.initialPolicies = new HashSet(); this.m_checkers = new List(); this.m_storesAttrCert = new List>(); this.m_storesCert = new List>(); this.m_storesCrl = new List>(); this.trustedACIssuers = new HashSet(); this.necessaryACAttributes = new HashSet(); this.prohibitedACAttributes = new HashSet(); this.attrCertCheckers = new HashSet(); } // // TODO implement for other keystores (see Java build)? // /** // * Creates an instance of PKIXParameters that // * populates the set of most-trusted CAs from the trusted // * certificate entries contained in the specified KeyStore. // * Only keystore entries that contain trusted X509Certificates // * are considered; all other certificate types are ignored. // * // * @param keystore a KeyStore from which the set of // * most-trusted CAs will be populated // * @throws KeyStoreException if the keystore has not been initialized // * @throws InvalidAlgorithmParameterException if the keystore does // * not contain at least one trusted certificate entry // * @throws NullPointerException if the keystore is null // */ // public PkixParameters( // Pkcs12Store keystore) //// throws KeyStoreException, InvalidAlgorithmParameterException // { // if (keystore == null) // throw new ArgumentNullException("keystore"); // ISet trustAnchors = new HashSet(); // foreach (string alias in keystore.Aliases) // { // if (keystore.IsCertificateEntry(alias)) // { // X509CertificateEntry x509Entry = keystore.GetCertificate(alias); // trustAnchors.Add(new TrustAnchor(x509Entry.Certificate, null)); // } // } // SetTrustAnchors(trustAnchors); // // this.initialPolicies = new HashSet(); // this.certPathCheckers = new ArrayList(); // this.stores = new ArrayList(); // this.additionalStores = new ArrayList(); // this.trustedACIssuers = new HashSet(); // this.necessaryACAttributes = new HashSet(); // this.prohibitedACAttributes = new HashSet(); // this.attrCertCheckers = new HashSet(); // } public virtual bool IsRevocationEnabled { get { return revocationEnabled; } set { revocationEnabled = value; } } public virtual bool IsExplicitPolicyRequired { get { return explicitPolicyRequired; } set { this.explicitPolicyRequired = value; } } public virtual bool IsAnyPolicyInhibited { get { return anyPolicyInhibited; } set { this.anyPolicyInhibited = value; } } public virtual bool IsPolicyMappingInhibited { get { return policyMappingInhibited; } set { this.policyMappingInhibited = value; } } public virtual bool IsPolicyQualifiersRejected { get { return policyQualifiersRejected; } set { this.policyQualifiersRejected = value; } } //public bool IsCheckOnlyEECertificateCrl //{ // get { return this.checkOnlyEECertificateCrl; } // set { this.checkOnlyEECertificateCrl = value; } //} public virtual DateTime? Date { get { return this.date; } set { this.date = value; } } // Returns a Set of the most-trusted CAs. public virtual ISet GetTrustAnchors() { return new HashSet(this.trustAnchors); } // Sets the set of most-trusted CAs. // Set is copied to protect against subsequent modifications. public virtual void SetTrustAnchors(ISet tas) { if (tas == null) throw new ArgumentNullException("value"); if (tas.Count < 1) throw new ArgumentException("non-empty set required", "value"); // Explicit copy to enforce type-safety this.trustAnchors = new HashSet(); foreach (TrustAnchor ta in tas) { if (ta != null) { trustAnchors.Add(ta); } } } /** * Returns the required constraints on the target certificate or attribute * certificate. The constraints are returned as an instance of * IX509Selector. If null, no constraints are * defined. * *

* The target certificate in a PKIX path may be a certificate or an * attribute certificate. *

* Note that the IX509Selector returned is cloned to protect * against subsequent modifications. *

* @return a IX509Selector specifying the constraints on the * target certificate or attribute certificate (or null) * @see #setTargetConstraints * @see X509CertStoreSelector * @see X509AttributeCertStoreSelector */ public virtual ISelector GetTargetConstraintsAttrCert() { return (ISelector)m_targetConstraintsAttrCert?.Clone(); } /** * Sets the required constraints on the target certificate or attribute * certificate. The constraints are specified as an instance of * IX509Selector. If null, no constraints are * defined. *

* The target certificate in a PKIX path may be a certificate or an * attribute certificate. *

* Note that the IX509Selector specified is cloned to protect * against subsequent modifications. *

* * @param selector a IX509Selector specifying the constraints on * the target certificate or attribute certificate (or * null) * @see #getTargetConstraints * @see X509CertStoreSelector * @see X509AttributeCertStoreSelector */ public virtual void SetTargetConstraintsAttrCert(ISelector targetConstraintsAttrCert) { this.m_targetConstraintsAttrCert = (ISelector)targetConstraintsAttrCert?.Clone(); } /** * Returns the required constraints on the target certificate. The * constraints are returned as an instance of CertSelector. If * null, no constraints are defined.
*
* Note that the CertSelector returned is cloned to protect against * subsequent modifications. * * @return a CertSelector specifying the constraints on the target * certificate (or null) * * @see #setTargetCertConstraints(CertSelector) */ public virtual ISelector GetTargetConstraintsCert() { return (ISelector)m_targetConstraintsCert?.Clone(); } /** * Sets the required constraints on the target certificate. The constraints * are specified as an instance of CertSelector. If null, no constraints are * defined.
*
* Note that the CertSelector specified is cloned to protect against * subsequent modifications. * * @param selector * a CertSelector specifying the constraints on the target * certificate (or null) * * @see #getTargetCertConstraints() */ public virtual void SetTargetConstraintsCert(ISelector targetConstraintsCert) { m_targetConstraintsCert = (ISelector)targetConstraintsCert?.Clone(); } /** * Returns an immutable Set of initial policy identifiers (OID strings), * indicating that any one of these policies would be acceptable to the * certificate user for the purposes of certification path processing. The * default return value is an empty Set, which is * interpreted as meaning that any policy would be acceptable. * * @return an immutable Set of initial policy OIDs in String * format, or an empty Set (implying any policy is * acceptable). Never returns null. * * @see #setInitialPolicies(java.util.Set) */ public virtual ISet GetInitialPolicies() { // TODO Can it really be null? if (initialPolicies == null) return new HashSet(); return new HashSet(initialPolicies); } /** * Sets the Set of initial policy identifiers (OID strings), * indicating that any one of these policies would be acceptable to the * certificate user for the purposes of certification path processing. By * default, any policy is acceptable (i.e. all policies), so a user that * wants to allow any policy as acceptable does not need to call this * method, or can call it with an empty Set (or * null).
*
* Note that the Set is copied to protect against subsequent modifications.
*
* * @param initialPolicies * a Set of initial policy OIDs in String format (or * null) * * @exception ClassCastException * if any of the elements in the set are not of type String * * @see #getInitialPolicies() */ public virtual void SetInitialPolicies(ISet initialPolicies) { this.initialPolicies = new HashSet(); if (initialPolicies != null) { foreach (string obj in initialPolicies) { if (obj != null) { this.initialPolicies.Add(obj); } } } } /** * Sets a List of additional certification path checkers. If * the specified List contains an object that is not a PKIXCertPathChecker, * it is ignored.
*
* Each PKIXCertPathChecker specified implements additional * checks on a certificate. Typically, these are checks to process and * verify private extensions contained in certificates. Each * PKIXCertPathChecker should be instantiated with any * initialization parameters needed to execute the check.
*
* This method allows sophisticated applications to extend a PKIX * CertPathValidator or CertPathBuilder. Each * of the specified PKIXCertPathCheckers will be called, in turn, by a PKIX * CertPathValidator or CertPathBuilder for * each certificate processed or validated.
*
* Regardless of whether these additional PKIXCertPathCheckers are set, a * PKIX CertPathValidator or CertPathBuilder * must perform all of the required PKIX checks on each certificate. The one * exception to this rule is if the RevocationEnabled flag is set to false * (see the {@link #setRevocationEnabled(boolean) setRevocationEnabled} * method).
*
* Note that the List supplied here is copied and each PKIXCertPathChecker * in the list is cloned to protect against subsequent modifications. * * @param checkers * a List of PKIXCertPathCheckers. May be null, in which case no * additional checkers will be used. * @exception ClassCastException * if any of the elements in the list are not of type * java.security.cert.PKIXCertPathChecker * @see #getCertPathCheckers() */ public virtual void SetCertPathCheckers(IList checkers) { m_checkers = new List(); if (checkers != null) { foreach (var checker in checkers) { m_checkers.Add((PkixCertPathChecker)checker.Clone()); } } } /** * Returns the List of certification path checkers. Each PKIXCertPathChecker * in the returned IList is cloned to protect against subsequent modifications. * * @return an immutable List of PKIXCertPathCheckers (may be empty, but not * null) * * @see #setCertPathCheckers(java.util.List) */ public virtual IList GetCertPathCheckers() { var result = new List(m_checkers.Count); foreach (var checker in m_checkers) { result.Add((PkixCertPathChecker)checker.Clone()); } return result; } /** * Adds a PKIXCertPathChecker to the list of certification * path checkers. See the {@link #setCertPathCheckers setCertPathCheckers} * method for more details. *

* Note that the PKIXCertPathChecker is cloned to protect * against subsequent modifications.

* * @param checker a PKIXCertPathChecker to add to the list of * checks. If null, the checker is ignored (not added to list). */ public virtual void AddCertPathChecker(PkixCertPathChecker checker) { if (checker != null) { m_checkers.Add((PkixCertPathChecker)checker.Clone()); } } public virtual object Clone() { // FIXME Check this whole method against the Java implementation! PkixParameters parameters = new PkixParameters(GetTrustAnchors()); parameters.SetParams(this); return parameters; // PkixParameters obj = new PkixParameters(new HashSet()); //// (PkixParameters) this.MemberwiseClone(); // obj.x509Stores = new ArrayList(x509Stores); // obj.certPathCheckers = new ArrayList(certPathCheckers); // // //Iterator iter = certPathCheckers.iterator(); // //obj.certPathCheckers = new ArrayList(); // //while (iter.hasNext()) // //{ // // obj.certPathCheckers.add(((PKIXCertPathChecker)iter.next()) // // .clone()); // //} // //if (initialPolicies != null) // //{ // // obj.initialPolicies = new HashSet(initialPolicies); // //} //// if (trustAnchors != null) //// { //// obj.trustAnchors = new HashSet(trustAnchors); //// } //// if (certSelector != null) //// { //// obj.certSelector = (X509CertStoreSelector) certSelector.Clone(); //// } // return obj; } /** * Method to support Clone() under J2ME. * super.Clone() does not exist and fields are not copied. * * @param params Parameters to set. If this are * ExtendedPkixParameters they are copied to. */ protected virtual void SetParams(PkixParameters parameters) { Date = parameters.Date; SetCertPathCheckers(parameters.GetCertPathCheckers()); IsAnyPolicyInhibited = parameters.IsAnyPolicyInhibited; IsExplicitPolicyRequired = parameters.IsExplicitPolicyRequired; IsPolicyMappingInhibited = parameters.IsPolicyMappingInhibited; IsRevocationEnabled = parameters.IsRevocationEnabled; SetInitialPolicies(parameters.GetInitialPolicies()); IsPolicyQualifiersRejected = parameters.IsPolicyQualifiersRejected; SetTrustAnchors(parameters.GetTrustAnchors()); m_storesAttrCert = new List>(parameters.m_storesAttrCert); m_storesCert = new List>(parameters.m_storesCert); m_storesCrl = new List>(parameters.m_storesCrl); SetTargetConstraintsAttrCert(parameters.GetTargetConstraintsAttrCert()); SetTargetConstraintsCert(parameters.GetTargetConstraintsCert()); validityModel = parameters.validityModel; useDeltas = parameters.useDeltas; additionalLocationsEnabled = parameters.additionalLocationsEnabled; trustedACIssuers = new HashSet(parameters.trustedACIssuers); prohibitedACAttributes = new HashSet(parameters.prohibitedACAttributes); necessaryACAttributes = new HashSet(parameters.necessaryACAttributes); attrCertCheckers = new HashSet(parameters.attrCertCheckers); } /** * Whether delta CRLs should be used for checking the revocation status. * Defaults to false. */ public virtual bool IsUseDeltasEnabled { get { return useDeltas; } set { useDeltas = value; } } /** * The validity model. * @see #CHAIN_VALIDITY_MODEL * @see #PKIX_VALIDITY_MODEL */ public virtual int ValidityModel { get { return validityModel; } set { validityModel = value; } } public virtual IList> GetStoresAttrCert() { return new List>(m_storesAttrCert); } public virtual IList> GetStoresCert() { return new List>(m_storesCert); } public virtual IList> GetStoresCrl() { return new List>(m_storesCrl); } public virtual void SetAttrStoresCert(IList> storesAttrCert) { if (storesAttrCert == null) { m_storesAttrCert = new List>(); } else { m_storesAttrCert = new List>(storesAttrCert); } } public virtual void SetStoresCert(IList> storesCert) { if (storesCert == null) { m_storesCert = new List>(); } else { m_storesCert = new List>(storesCert); } } public virtual void SetStoresCrl(IList> storesCrl) { if (storesCrl == null) { m_storesCrl = new List>(); } else { m_storesCrl = new List>(storesCrl); } } public virtual void AddStoreAttrCert(IStore storeAttrCert) { if (storeAttrCert != null) { m_storesAttrCert.Add(storeAttrCert); } } public virtual void AddStoreCert(IStore storeCert) { if (storeCert != null) { m_storesCert.Add(storeCert); } } public virtual void AddStoreCrl(IStore storeCrl) { if (storeCrl != null) { m_storesCrl.Add(storeCrl); } } /** * Returns if additional {@link X509Store}s for locations like LDAP found * in certificates or CRLs should be used. * * @return Returns true if additional stores are used. */ public virtual bool IsAdditionalLocationsEnabled { get { return additionalLocationsEnabled; } } /** * Sets if additional {@link X509Store}s for locations like LDAP found in * certificates or CRLs should be used. * * @param enabled true if additional stores are used. */ public virtual void SetAdditionalLocationsEnabled( bool enabled) { additionalLocationsEnabled = enabled; } /** * Returns the trusted attribute certificate issuers. If attribute * certificates is verified the trusted AC issuers must be set. *

* The returned ISet consists of TrustAnchors. *

* The returned ISet is immutable. Never null *

* * @return Returns an immutable set of the trusted AC issuers. */ public virtual ISet GetTrustedACIssuers() { return new HashSet(trustedACIssuers); } /** * Sets the trusted attribute certificate issuers. If attribute certificates * is verified the trusted AC issuers must be set. *

* The trustedACIssuers must be a ISet of * TrustAnchor *

* The given set is cloned. *

* * @param trustedACIssuers The trusted AC issuers to set. Is never * null. * @throws ClassCastException if an element of stores is not * a TrustAnchor. */ public virtual void SetTrustedACIssuers(ISet trustedACIssuers) { if (trustedACIssuers == null) { this.trustedACIssuers = new HashSet(); } else { this.trustedACIssuers = new HashSet(trustedACIssuers); } } /** * Returns the necessary attributes which must be contained in an attribute * certificate. *

* The returned ISet is immutable and contains * Strings with the OIDs. *

* * @return Returns the necessary AC attributes. */ public virtual ISet GetNecessaryACAttributes() { return new HashSet(necessaryACAttributes); } /** * Sets the necessary which must be contained in an attribute certificate. *

* The ISet must contain Strings with the * OIDs. *

* The set is cloned. *

* * @param necessaryACAttributes The necessary AC attributes to set. * @throws ClassCastException if an element of * necessaryACAttributes is not a * String. */ public virtual void SetNecessaryACAttributes(ISet necessaryACAttributes) { if (necessaryACAttributes == null) { this.necessaryACAttributes = new HashSet(); } else { this.necessaryACAttributes = new HashSet(necessaryACAttributes); } } /** * Returns the attribute certificates which are not allowed. *

* The returned ISet is immutable and contains * Strings with the OIDs. *

* * @return Returns the prohibited AC attributes. Is never null. */ public virtual ISet GetProhibitedACAttributes() { return new HashSet(prohibitedACAttributes); } /** * Sets the attribute certificates which are not allowed. *

* The ISet must contain Strings with the * OIDs. *

* The set is cloned. *

* * @param prohibitedACAttributes The prohibited AC attributes to set. * @throws ClassCastException if an element of * prohibitedACAttributes is not a * String. */ public virtual void SetProhibitedACAttributes(ISet prohibitedACAttributes) { if (prohibitedACAttributes == null) { this.prohibitedACAttributes = new HashSet(); } else { this.prohibitedACAttributes = new HashSet(prohibitedACAttributes); } } /** * Returns the attribute certificate checker. The returned set contains * {@link PKIXAttrCertChecker}s and is immutable. * * @return Returns the attribute certificate checker. Is never * null. */ public virtual ISet GetAttrCertCheckers() { return new HashSet(attrCertCheckers); } /** * Sets the attribute certificate checkers. *

* All elements in the ISet must a {@link PKIXAttrCertChecker}. *

*

* The given set is cloned. *

* * @param attrCertCheckers The attribute certificate checkers to set. Is * never null. * @throws ClassCastException if an element of attrCertCheckers * is not a PKIXAttrCertChecker. */ public virtual void SetAttrCertCheckers(ISet attrCertCheckers) { if (attrCertCheckers == null) { this.attrCertCheckers = new HashSet(); } else { this.attrCertCheckers = new HashSet(attrCertCheckers); } } } }