1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
|
//
// System.Security.Cryptography.X509Certificates.X509Chain
//
// Author:
// Sebastien Pouliot <sebastien@ximian.com>
//
// (C) 2003 Motus Technologies Inc. (http://www.motus.com)
// Copyright (C) 2004-2006 Novell Inc. (http://www.novell.com)
//
// Permission is hereby granted, free of charge, to any person obtaining
// a copy of this software and associated documentation files (the
// "Software"), to deal in the Software without restriction, including
// without limitation the rights to use, copy, modify, merge, publish,
// distribute, sublicense, and/or sell copies of the Software, and to
// permit persons to whom the Software is furnished to do so, subject to
// the following conditions:
//
// The above copyright notice and this permission notice shall be
// included in all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
// LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
#if NET_2_0 && SECURITY_DEP
using System.Collections;
namespace System.Security.Cryptography.X509Certificates {
public class X509Chain {
// Set to internal to remove a warning
private StoreLocation location;
private X509ChainElementCollection elements;
private X509ChainPolicy policy;
private X509ChainStatus[] status;
static X509ChainStatus[] Empty = new X509ChainStatus [0];
// constructors
public X509Chain ()
: this (false)
{
}
public X509Chain (bool useMachineContext)
{
location = useMachineContext ? StoreLocation.LocalMachine : StoreLocation.CurrentUser;
elements = new X509ChainElementCollection ();
policy = new X509ChainPolicy ();
}
[MonoTODO ("Mono's X509Chain is fully managed. All handles are invalid.")]
public X509Chain (IntPtr chainContext)
{
// CryptoAPI compatibility (unmanaged handle)
throw new NotSupportedException ();
}
// properties
[MonoTODO ("Mono's X509Chain is fully managed. Always returns IntPtr.Zero.")]
public IntPtr ChainContext {
get { return IntPtr.Zero; }
}
public X509ChainElementCollection ChainElements {
get { return elements; }
}
public X509ChainPolicy ChainPolicy {
get { return policy; }
set { policy = value; }
}
public X509ChainStatus[] ChainStatus {
get {
if (status == null)
return Empty;
return status;
}
}
// methods
[MonoTODO ("Work in progress")]
public bool Build (X509Certificate2 certificate)
{
if (certificate == null)
throw new ArgumentException ("certificate");
Reset ();
X509ChainStatusFlags flag;
try {
flag = BuildFrom (certificate);
}
catch (CryptographicException ce) {
throw new ArgumentException ("certificate", ce);
}
ArrayList list = new ArrayList ();
// build "global" ChainStatus from the ChainStatus of every ChainElements
foreach (X509ChainElement ce in elements) {
foreach (X509ChainStatus cs in ce.ChainElementStatus) {
// FIXME - avoid duplicates ?
list.Add (cs);
}
}
// and if required add some
if (flag != X509ChainStatusFlags.NoError) {
list.Insert (0, new X509ChainStatus (flag));
}
status = (X509ChainStatus[]) list.ToArray (typeof (X509ChainStatus));
// (fast path) this ignore everything we have checked
if (ChainPolicy.VerificationFlags == X509VerificationFlags.AllFlags)
return true;
bool result = true;
// now check if exclude some verification for the "end result" (boolean)
foreach (X509ChainStatus cs in status) {
switch (cs.Status) {
case X509ChainStatusFlags.UntrustedRoot:
case X509ChainStatusFlags.PartialChain:
result &= ((ChainPolicy.VerificationFlags & X509VerificationFlags.AllowUnknownCertificateAuthority) != 0);
break;
case X509ChainStatusFlags.NotTimeValid:
result &= ((ChainPolicy.VerificationFlags & X509VerificationFlags.IgnoreNotTimeValid) != 0);
break;
// FIXME - from here we needs new test cases for all cases
case X509ChainStatusFlags.NotTimeNested:
result &= ((ChainPolicy.VerificationFlags & X509VerificationFlags.IgnoreNotTimeNested) != 0);
break;
case X509ChainStatusFlags.InvalidBasicConstraints:
result &= ((ChainPolicy.VerificationFlags & X509VerificationFlags.IgnoreInvalidBasicConstraints) != 0);
break;
case X509ChainStatusFlags.InvalidPolicyConstraints:
case X509ChainStatusFlags.NoIssuanceChainPolicy:
result &= ((ChainPolicy.VerificationFlags & X509VerificationFlags.IgnoreInvalidPolicy) != 0);
break;
case X509ChainStatusFlags.InvalidNameConstraints:
case X509ChainStatusFlags.HasNotSupportedNameConstraint:
case X509ChainStatusFlags.HasNotPermittedNameConstraint:
case X509ChainStatusFlags.HasExcludedNameConstraint:
result &= ((ChainPolicy.VerificationFlags & X509VerificationFlags.IgnoreInvalidName) != 0);
break;
case X509ChainStatusFlags.InvalidExtension:
// not sure ?!?
result &= ((ChainPolicy.VerificationFlags & X509VerificationFlags.IgnoreWrongUsage) != 0);
break;
//
// ((ChainPolicy.VerificationFlags & X509VerificationFlags.IgnoreRootRevocationUnknown) != 0)
// ((ChainPolicy.VerificationFlags & X509VerificationFlags.IgnoreEndRevocationUnknown) != 0)
case X509ChainStatusFlags.CtlNotTimeValid:
result &= ((ChainPolicy.VerificationFlags & X509VerificationFlags.IgnoreCtlNotTimeValid) != 0);
break;
case X509ChainStatusFlags.CtlNotSignatureValid:
// ?
break;
// ((ChainPolicy.VerificationFlags & X509VerificationFlags.IgnoreCtlSignerRevocationUnknown) != 0);
case X509ChainStatusFlags.CtlNotValidForUsage:
// FIXME - does IgnoreWrongUsage apply to CTL (it doesn't have Ctl in it's name like the others)
result &= ((ChainPolicy.VerificationFlags & X509VerificationFlags.IgnoreWrongUsage) != 0);
break;
default:
result = false;
break;
}
// once we have one failure there's no need to check further
if (!result)
return false;
}
// every "problem" was excluded
return true;
}
public void Reset ()
{
if ((status != null) && (status.Length != 0))
status = null;
if (elements.Count > 0)
elements.Clear ();
// note: this call doesn't Reset the X509ChainPolicy
}
// static methods
public static X509Chain Create ()
{
return (X509Chain) CryptoConfig.CreateFromName ("X509Chain");
}
// private stuff
private X509ChainStatusFlags BuildFrom (X509Certificate2 certificate)
{
X509ChainStatusFlags result = X509ChainStatusFlags.NoError;
X509ChainStatusFlags flags = X509ChainStatusFlags.NoError;
// check certificate
Process (certificate, ref flags);
// check if certificate is self-signed
if (IsSelfSigned (certificate)) {
// FIXME - add support for cross-certificate, bridges
ProcessRoot (certificate, ref flags);
} else {
CheckRevocation (certificate, ref flags);
X509Certificate2 parent = FindParent (certificate, ref flags);
if (parent != null) {
// recurse
result = BuildFrom (parent);
if (result != X509ChainStatusFlags.NoError)
return result;
} else {
// we didn't end with a root, nor could we find one (stores)
result = X509ChainStatusFlags.PartialChain;
}
}
elements.Add (certificate, flags);
return result;
}
private void Process (X509Certificate2 certificate, ref X509ChainStatusFlags flags)
{
// is it the end-entity ?
if (elements.Count == 0) {
}
if ((ChainPolicy.VerificationTime < certificate.NotBefore) ||
(ChainPolicy.VerificationTime > certificate.NotAfter)) {
flags |= X509ChainStatusFlags.NotTimeValid;
}
// TODO - for X509ChainStatusFlags.NotTimeNested (needs global structure)
// TODO - for X509ChainStatusFlags.InvalidExtension
// TODO - check for X509ChainStatusFlags.InvalidBasicConstraint
// TODO - for X509ChainStatusFlags.InvalidPolicyConstraints
// using X509ChainPolicy.ApplicationPolicy and X509ChainPolicy.CertificatePolicy
// TODO - check for X509ChainStatusFlags.NoIssuanceChainPolicy
// TODO - check for X509ChainStatusFlags.InvalidNameConstraint
// TODO - check for X509ChainStatusFlags.HasNotSupportedNameConstraint
// TODO - check for X509ChainStatusFlags.HasNotPermittedNameConstraint
// TODO - check for X509ChainStatusFlags.HasExcludedNameConstraint
}
private void ProcessEndEntity (X509Certificate2 certificate, ref X509ChainStatusFlags flags)
{
}
private void ProcessCertificateAuthority (X509Certificate2 certificate, ref X509ChainStatusFlags flags)
{
}
// CTL == Certificate Trust List / not sure how/if they apply here
private void ProcessCTL (X509Certificate2 certificate, ref X509ChainStatusFlags flags)
{
// TODO - check for X509ChainStatusFlags.CtlNotTimeValid
// TODO - check for X509ChainStatusFlags.CtlNotSignatureValid
// TODO - check for X509ChainStatusFlags.CtlNotValidForUsage
}
private void ProcessRoot (X509Certificate2 certificate, ref X509ChainStatusFlags flags)
{
X509Store trust = new X509Store (StoreName.Root, location);
trust.Open (OpenFlags.ReadOnly);
if (!trust.Certificates.Contains (certificate)) {
flags |= X509ChainStatusFlags.UntrustedRoot;
}
trust.Close ();
if (!IsSignedBy (certificate, certificate)) {
flags |= X509ChainStatusFlags.NotSignatureValid;
}
}
// we search local user (default) or machine certificate store
// and in the extra certificate supplied in ChainPolicy.ExtraStore
private X509Certificate2 FindParent (X509Certificate2 certificate, ref X509ChainStatusFlags flags)
{
X509Certificate2 parent = null;
// TODO - check for X509ChainStatusFlags.Cyclic
if ((parent != null) && !IsSignedBy (certificate, parent)) {
flags |= X509ChainStatusFlags.NotSignatureValid;
}
return null;
}
// check for "self-signed" certificate - without verifying the signature
private bool IsSelfSigned (X509Certificate2 certificate)
{
// FIXME - very incomplete
return (certificate.Issuer == certificate.Subject);
}
// this method verify the signature
private bool IsSignedBy (X509Certificate2 signed, X509Certificate2 signer)
{
// FIXME
return true;
}
private void CheckRevocation (X509Certificate2 certificate, ref X509ChainStatusFlags flags)
{
switch (ChainPolicy.RevocationMode) {
case X509RevocationMode.Online:
// local?/download CRL and OCSP
CheckOnlineRevocation (certificate, ref flags);
break;
case X509RevocationMode.Offline:
// only local CRL ?
CheckOfflineRevocation (certificate, ref flags);
break;
case X509RevocationMode.NoCheck:
break;
default:
throw new InvalidOperationException ();
}
}
private void CheckOfflineRevocation (X509Certificate2 certificate, ref X509ChainStatusFlags flags)
{
// TODO - check for X509ChainStatusFlags.Revoked
// TODO - check for X509ChainStatusFlags.RevocationStatusUnknown
// TODO - check for X509ChainStatusFlags.OfflineRevocation
// (using X509ChainPolicy.RevocationFlag and X509ChainPolicy.RevocationMode)
}
private void CheckOnlineRevocation (X509Certificate2 certificate, ref X509ChainStatusFlags flags)
{
// TODO - check for X509ChainStatusFlags.Revoked
// TODO - check for X509ChainStatusFlags.RevocationStatusUnknown
// TODO - check for X509ChainStatusFlags.OfflineRevocation
// (using X509ChainPolicy.RevocationFlag and X509ChainPolicy.RevocationMode)
}
}
}
#endif
|
