#if !BESTHTTP_DISABLE_ALTERNATE_SSL && (!UNITY_WEBGL || UNITY_EDITOR) #pragma warning disable using System; using System.Collections; using System.IO; using BestHTTP.SecureProtocol.Org.BouncyCastle.Asn1; using BestHTTP.SecureProtocol.Org.BouncyCastle.Asn1.X500; using BestHTTP.SecureProtocol.Org.BouncyCastle.Asn1.X500.Style; using BestHTTP.SecureProtocol.Org.BouncyCastle.Asn1.X509; using BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities; using BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Collections; using BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Encoders; namespace BestHTTP.SecureProtocol.Org.BouncyCastle.Pkix { public class PkixNameConstraintValidator { // TODO Implement X500Name and styles //private static readonly DerObjectIdentifier SerialNumberOid = Rfc4519Style.SerialNumber; private static readonly DerObjectIdentifier SerialNumberOid = new DerObjectIdentifier("2.5.4.5"); private ISet excludedSubtreesDN = new HashSet(); private ISet excludedSubtreesDNS = new HashSet(); private ISet excludedSubtreesEmail = new HashSet(); private ISet excludedSubtreesURI = new HashSet(); private ISet excludedSubtreesIP = new HashSet(); private ISet excludedSubtreesOtherName = new HashSet(); private ISet permittedSubtreesDN; private ISet permittedSubtreesDNS; private ISet permittedSubtreesEmail; private ISet permittedSubtreesURI; private ISet permittedSubtreesIP; private ISet permittedSubtreesOtherName; public PkixNameConstraintValidator() { } private static bool WithinDNSubtree( Asn1Sequence dns, Asn1Sequence subtree) { if (subtree.Count < 1 || subtree.Count > dns.Count) return false; int start = 0; Rdn subtreeRdnStart = Rdn.GetInstance(subtree[0]); for (int j = 0; j < dns.Count; j++) { start = j; Rdn dnsRdn = Rdn.GetInstance(dns[j]); if (IetfUtilities.RdnAreEqual(subtreeRdnStart, dnsRdn)) break; } if (subtree.Count > dns.Count - start) return false; for (int j = 0; j < subtree.Count; ++j) { // both subtree and dns are a ASN.1 Name and the elements are a RDN Rdn subtreeRdn = Rdn.GetInstance(subtree[j]); Rdn dnsRdn = Rdn.GetInstance(dns[start + j]); // check if types and values of all naming attributes are matching, other types which are not restricted are allowed, see https://tools.ietf.org/html/rfc5280#section-7.1 // Two relative distinguished names // RDN1 and RDN2 match if they have the same number of naming attributes // and for each naming attribute in RDN1 there is a matching naming attribute in RDN2. // NOTE: this is checking the attributes in the same order, which might be not necessary, if this is a problem also IETFUtils.rDNAreEqual mus tbe changed. // use new RFC 5280 comparison, NOTE: this is now different from with RFC 3280, where only binary comparison is used // obey RFC 5280 7.1 // special treatment of serialNumber for GSMA SGP.22 RSP specification if (subtreeRdn.Count == 1 && dnsRdn.Count == 1 && subtreeRdn.GetFirst().GetType().Equals(SerialNumberOid) && dnsRdn.GetFirst().GetType().Equals(SerialNumberOid)) { if (!BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.StartsWith(dnsRdn.GetFirst().Value.ToString(), subtreeRdn.GetFirst().Value.ToString())) return false; } else if (!IetfUtilities.RdnAreEqual(subtreeRdn, dnsRdn)) { return false; } } return true; } public void CheckPermittedDN(Asn1Sequence dn) { CheckPermittedDirectory(permittedSubtreesDN, dn); } public void CheckExcludedDN(Asn1Sequence dn) { CheckExcludedDirectory(excludedSubtreesDN, dn); } private ISet IntersectDN(ISet permitted, ISet dns) { ISet intersect = new HashSet(); foreach (GeneralSubtree subtree1 in dns) { Asn1Sequence dn1 = Asn1Sequence.GetInstance(subtree1.Base.Name); if (permitted == null) { if (dn1 != null) { intersect.Add(dn1); } } else { foreach (object obj2 in permitted) { Asn1Sequence dn2 = Asn1Sequence.GetInstance(obj2); if (WithinDNSubtree(dn1, dn2)) { intersect.Add(dn1); } else if (WithinDNSubtree(dn2, dn1)) { intersect.Add(dn2); } } } } return intersect; } private ISet UnionDN(ISet excluded, Asn1Sequence dn) { if (excluded.IsEmpty) { if (dn == null) return excluded; excluded.Add(dn); return excluded; } else { ISet union = new HashSet(); foreach (object obj in excluded) { Asn1Sequence subtree = Asn1Sequence.GetInstance(obj); if (WithinDNSubtree(dn, subtree)) { union.Add(subtree); } else if (WithinDNSubtree(subtree, dn)) { union.Add(dn); } else { union.Add(subtree); union.Add(dn); } } return union; } } private ISet IntersectOtherName(ISet permitted, ISet otherNames) { ISet intersect = new HashSet(); foreach (GeneralSubtree subtree1 in otherNames) { OtherName otherName1 = OtherName.GetInstance(subtree1.Base.Name); if (otherName1 == null) continue; if (permitted == null) { intersect.Add(otherName1); } else { foreach (object obj2 in permitted) { OtherName otherName2 = OtherName.GetInstance(obj2); if (otherName2 == null) continue; IntersectOtherName(otherName1, otherName2, intersect); } } } return intersect; } private void IntersectOtherName(OtherName otherName1, OtherName otherName2, ISet intersect) { if (otherName1.Equals(otherName2)) { intersect.Add(otherName1); } } private ISet UnionOtherName(ISet permitted, OtherName otherName) { ISet union = permitted != null ? new HashSet(permitted) : new HashSet(); union.Add(otherName); return union; } private ISet IntersectEmail(ISet permitted, ISet emails) { ISet intersect = new HashSet(); foreach (GeneralSubtree subtree1 in emails) { string email = ExtractNameAsString(subtree1.Base); if (permitted == null) { if (email != null) { intersect.Add(email); } } else { foreach (string _permitted in permitted) { IntersectEmail(email, _permitted, intersect); } } } return intersect; } private ISet UnionEmail(ISet excluded, string email) { if (excluded.IsEmpty) { if (email == null) { return excluded; } excluded.Add(email); return excluded; } else { ISet union = new HashSet(); foreach (string _excluded in excluded) { UnionEmail(_excluded, email, union); } return union; } } /** * Returns the intersection of the permitted IP ranges in * permitted with ip. * * @param permitted A Set of permitted IP addresses with * their subnet mask as byte arrays. * @param ips The IP address with its subnet mask. * @return The Set of permitted IP ranges intersected with * ip. */ private ISet IntersectIP(ISet permitted, ISet ips) { ISet intersect = new HashSet(); foreach (GeneralSubtree subtree in ips) { byte[] ip = Asn1OctetString.GetInstance(subtree.Base.Name).GetOctets(); if (permitted == null) { if (ip != null) { intersect.Add(ip); } } else { foreach (byte[] _permitted in permitted) { intersect.AddAll(IntersectIPRange(_permitted, ip)); } } } return intersect; } /** * Returns the union of the excluded IP ranges in excluded * with ip. * * @param excluded A Set of excluded IP addresses with their * subnet mask as byte arrays. * @param ip The IP address with its subnet mask. * @return The Set of excluded IP ranges unified with * ip as byte arrays. */ private ISet UnionIP(ISet excluded, byte[] ip) { if (excluded.IsEmpty) { if (ip == null) { return excluded; } excluded.Add(ip); return excluded; } else { ISet union = new HashSet(); foreach (byte[] _excluded in excluded) { union.AddAll(UnionIPRange(_excluded, ip)); } return union; } } /** * Calculates the union if two IP ranges. * * @param ipWithSubmask1 The first IP address with its subnet mask. * @param ipWithSubmask2 The second IP address with its subnet mask. * @return A Set with the union of both addresses. */ private ISet UnionIPRange(byte[] ipWithSubmask1, byte[] ipWithSubmask2) { ISet set = new HashSet(); // difficult, adding always all IPs is not wrong if (Arrays.AreEqual(ipWithSubmask1, ipWithSubmask2)) { set.Add(ipWithSubmask1); } else { set.Add(ipWithSubmask1); set.Add(ipWithSubmask2); } return set; } /** * Calculates the interesction if two IP ranges. * * @param ipWithSubmask1 The first IP address with its subnet mask. * @param ipWithSubmask2 The second IP address with its subnet mask. * @return A Set with the single IP address with its subnet * mask as a byte array or an empty Set. */ private ISet IntersectIPRange(byte[] ipWithSubmask1, byte[] ipWithSubmask2) { if (ipWithSubmask1.Length != ipWithSubmask2.Length) { //Collections.EMPTY_SET; return new HashSet(); } byte[][] temp = ExtractIPsAndSubnetMasks(ipWithSubmask1, ipWithSubmask2); byte[] ip1 = temp[0]; byte[] subnetmask1 = temp[1]; byte[] ip2 = temp[2]; byte[] subnetmask2 = temp[3]; byte[][] minMax = MinMaxIPs(ip1, subnetmask1, ip2, subnetmask2); byte[] min; byte[] max; max = Min(minMax[1], minMax[3]); min = Max(minMax[0], minMax[2]); // minimum IP address must be bigger than max if (CompareTo(min, max) == 1) { //return Collections.EMPTY_SET; return new HashSet(); } // OR keeps all significant bits byte[] ip = Or(minMax[0], minMax[2]); byte[] subnetmask = Or(subnetmask1, subnetmask2); //return new HashSet( ICollectionsingleton(IpWithSubnetMask(ip, subnetmask)); ISet hs = new HashSet(); hs.Add(IpWithSubnetMask(ip, subnetmask)); return hs; } /** * Concatenates the IP address with its subnet mask. * * @param ip The IP address. * @param subnetMask Its subnet mask. * @return The concatenated IP address with its subnet mask. */ private byte[] IpWithSubnetMask(byte[] ip, byte[] subnetMask) { int ipLength = ip.Length; byte[] temp = new byte[ipLength * 2]; Array.Copy(ip, 0, temp, 0, ipLength); Array.Copy(subnetMask, 0, temp, ipLength, ipLength); return temp; } /** * Splits the IP addresses and their subnet mask. * * @param ipWithSubmask1 The first IP address with the subnet mask. * @param ipWithSubmask2 The second IP address with the subnet mask. * @return An array with two elements. Each element contains the IP address * and the subnet mask in this order. */ private byte[][] ExtractIPsAndSubnetMasks( byte[] ipWithSubmask1, byte[] ipWithSubmask2) { int ipLength = ipWithSubmask1.Length / 2; byte[] ip1 = new byte[ipLength]; byte[] subnetmask1 = new byte[ipLength]; Array.Copy(ipWithSubmask1, 0, ip1, 0, ipLength); Array.Copy(ipWithSubmask1, ipLength, subnetmask1, 0, ipLength); byte[] ip2 = new byte[ipLength]; byte[] subnetmask2 = new byte[ipLength]; Array.Copy(ipWithSubmask2, 0, ip2, 0, ipLength); Array.Copy(ipWithSubmask2, ipLength, subnetmask2, 0, ipLength); return new byte[][]{ ip1, subnetmask1, ip2, subnetmask2 }; } /** * Based on the two IP addresses and their subnet masks the IP range is * computed for each IP address - subnet mask pair and returned as the * minimum IP address and the maximum address of the range. * * @param ip1 The first IP address. * @param subnetmask1 The subnet mask of the first IP address. * @param ip2 The second IP address. * @param subnetmask2 The subnet mask of the second IP address. * @return A array with two elements. The first/second element contains the * min and max IP address of the first/second IP address and its * subnet mask. */ private byte[][] MinMaxIPs( byte[] ip1, byte[] subnetmask1, byte[] ip2, byte[] subnetmask2) { int ipLength = ip1.Length; byte[] min1 = new byte[ipLength]; byte[] max1 = new byte[ipLength]; byte[] min2 = new byte[ipLength]; byte[] max2 = new byte[ipLength]; for (int i = 0; i < ipLength; i++) { min1[i] = (byte)(ip1[i] & subnetmask1[i]); max1[i] = (byte)(ip1[i] & subnetmask1[i] | ~subnetmask1[i]); min2[i] = (byte)(ip2[i] & subnetmask2[i]); max2[i] = (byte)(ip2[i] & subnetmask2[i] | ~subnetmask2[i]); } return new byte[][]{ min1, max1, min2, max2 }; } private bool IsOtherNameConstrained(OtherName constraint, OtherName otherName) { return constraint.Equals(otherName); } private bool IsOtherNameConstrained(ISet constraints, OtherName otherName) { foreach (object obj in constraints) { OtherName constraint = OtherName.GetInstance(obj); if (IsOtherNameConstrained(constraint, otherName)) return true; } return false; } private void CheckPermittedOtherName(ISet permitted, OtherName name) { if (permitted != null && !IsOtherNameConstrained(permitted, name)) { throw new PkixNameConstraintValidatorException( "Subject OtherName is not from a permitted subtree."); } } private void CheckExcludedOtherName(ISet excluded, OtherName name) { if (IsOtherNameConstrained(excluded, name)) { throw new PkixNameConstraintValidatorException( "OtherName is from an excluded subtree."); } } private bool IsEmailConstrained(string constraint, string email) { string sub = email.Substring(email.IndexOf('@') + 1); // a particular mailbox if (constraint.IndexOf('@') != -1) { if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.ToUpperInvariant(email).Equals(BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.ToUpperInvariant(constraint))) { return true; } } // on particular host else if (!(constraint[0].Equals('.'))) { if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.ToUpperInvariant(sub).Equals(BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.ToUpperInvariant(constraint))) { return true; } } // address in sub domain else if (WithinDomain(sub, constraint)) { return true; } return false; } private bool IsEmailConstrained(ISet constraints, string email) { foreach (string constraint in constraints) { if (IsEmailConstrained(constraint, email)) return true; } return false; } private void CheckPermittedEmail(ISet permitted, string email) { if (permitted != null && !(email.Length == 0 && permitted.IsEmpty) && !IsEmailConstrained(permitted, email)) { throw new PkixNameConstraintValidatorException( "Subject email address is not from a permitted subtree."); } } private void CheckExcludedEmail(ISet excluded, string email) { if (IsEmailConstrained(excluded, email)) { throw new PkixNameConstraintValidatorException( "Email address is from an excluded subtree."); } } private bool IsDnsConstrained(string constraint, string dns) { return WithinDomain(dns, constraint) || BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.EqualsIgnoreCase(dns, constraint); } private bool IsDnsConstrained(ISet constraints, string dns) { foreach (string constraint in constraints) { if (IsDnsConstrained(constraint, dns)) return true; } return false; } private void CheckPermittedDns(ISet permitted, string dns) { if (permitted != null && !(dns.Length == 0 && permitted.IsEmpty) && !IsDnsConstrained(permitted, dns)) { throw new PkixNameConstraintValidatorException( "DNS is not from a permitted subtree."); } } private void CheckExcludedDns(ISet excluded, string dns) { if (IsDnsConstrained(excluded, dns)) { throw new PkixNameConstraintValidatorException( "DNS is from an excluded subtree."); } } private bool IsDirectoryConstrained(ISet constraints, Asn1Sequence directory) { foreach (object obj in constraints) { Asn1Sequence constraint = Asn1Sequence.GetInstance(obj); if (WithinDNSubtree(directory, constraint)) return true; } return false; } private void CheckPermittedDirectory(ISet permitted, Asn1Sequence directory) { if (permitted != null && !(directory.Count == 0 && permitted.IsEmpty) && !IsDirectoryConstrained(permitted, directory)) { throw new PkixNameConstraintValidatorException( "Subject distinguished name is not from a permitted subtree"); } } private void CheckExcludedDirectory(ISet excluded, Asn1Sequence directory) { if (IsDirectoryConstrained(excluded, directory)) { throw new PkixNameConstraintValidatorException( "Subject distinguished name is from an excluded subtree"); } } private bool IsUriConstrained(string constraint, string uri) { string host = ExtractHostFromURL(uri); if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.StartsWith(constraint, ".")) { // in sub domain or domain return WithinDomain(host, constraint); } // a host return BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.EqualsIgnoreCase(host, constraint); } private bool IsUriConstrained(ISet constraints, string uri) { foreach (string constraint in constraints) { if (IsUriConstrained(constraint, uri)) return true; } return false; } private void CheckPermittedUri(ISet permitted, string uri) { if (permitted != null && !(uri.Length == 0 && permitted.IsEmpty) && !IsUriConstrained(permitted, uri)) { throw new PkixNameConstraintValidatorException( "URI is not from a permitted subtree."); } } private void CheckExcludedUri(ISet excluded, string uri) { if (IsUriConstrained(excluded, uri)) { throw new PkixNameConstraintValidatorException( "URI is from an excluded subtree."); } } /** * Checks if the IP address ip is constrained by * constraint. * * @param constraint The constraint. This is an IP address concatenated with * its subnetmask. * @param ip The IP address. * @return true if constrained, false * otherwise. */ private bool IsIPConstrained(byte[] constraint, byte[] ip) { int ipLength = ip.Length; if (ipLength != (constraint.Length / 2)) { return false; } byte[] subnetMask = new byte[ipLength]; Array.Copy(constraint, ipLength, subnetMask, 0, ipLength); byte[] permittedSubnetAddress = new byte[ipLength]; byte[] ipSubnetAddress = new byte[ipLength]; // the resulting IP address by applying the subnet mask for (int i = 0; i < ipLength; i++) { permittedSubnetAddress[i] = (byte)(constraint[i] & subnetMask[i]); ipSubnetAddress[i] = (byte)(ip[i] & subnetMask[i]); } return Arrays.AreEqual(permittedSubnetAddress, ipSubnetAddress); } private bool IsIPConstrained(ISet constraints, byte[] ip) { foreach (byte[] constraint in constraints) { if (IsIPConstrained(constraint, ip)) return true; } return false; } /** * Checks if the IP ip is included in the permitted ISet * permitted. * * @param permitted A Set of permitted IP addresses with * their subnet mask as byte arrays. * @param ip The IP address. * @throws PkixNameConstraintValidatorException * if the IP is not permitted. */ private void CheckPermittedIP(ISet permitted, byte[] ip) { if (permitted != null && !(ip.Length == 0 && permitted.IsEmpty) && !IsIPConstrained(permitted, ip)) { throw new PkixNameConstraintValidatorException( "IP is not from a permitted subtree."); } } /** * Checks if the IP ip is included in the excluded ISet * excluded. * * @param excluded A Set of excluded IP addresses with their * subnet mask as byte arrays. * @param ip The IP address. * @throws PkixNameConstraintValidatorException * if the IP is excluded. */ private void CheckExcludedIP(ISet excluded, byte[] ip) { if (IsIPConstrained(excluded, ip)) { throw new PkixNameConstraintValidatorException( "IP is from an excluded subtree."); } } private bool WithinDomain(string testDomain, string domain) { string tempDomain = domain; if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.StartsWith(tempDomain, ".")) { tempDomain = tempDomain.Substring(1); } string[] domainParts = tempDomain.Split('.'); // Strings.split(tempDomain, '.'); string[] testDomainParts = testDomain.Split('.'); // Strings.split(testDomain, '.'); // must have at least one subdomain if (testDomainParts.Length <= domainParts.Length) return false; int d = testDomainParts.Length - domainParts.Length; for (int i = -1; i < domainParts.Length; i++) { if (i == -1) { if (testDomainParts[i + d].Length < 1) { return false; } } else if (!BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.EqualsIgnoreCase(testDomainParts[i + d], domainParts[i])) { return false; } } return true; } /** * The common part of email1 and email2 is * added to the union union. If email1 and * email2 have nothing in common they are added both. * * @param email1 Email address constraint 1. * @param email2 Email address constraint 2. * @param union The union. */ private void UnionEmail(string email1, string email2, ISet union) { // email1 is a particular address if (email1.IndexOf('@') != -1) { string _sub = email1.Substring(email1.IndexOf('@') + 1); // both are a particular mailbox if (email2.IndexOf('@') != -1) { if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.EqualsIgnoreCase(email1, email2)) { union.Add(email1); } else { union.Add(email1); union.Add(email2); } } // email2 specifies a domain else if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.StartsWith(email2, ".")) { if (WithinDomain(_sub, email2)) { union.Add(email2); } else { union.Add(email1); union.Add(email2); } } // email2 specifies a particular host else { if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.EqualsIgnoreCase(_sub, email2)) { union.Add(email2); } else { union.Add(email1); union.Add(email2); } } } // email1 specifies a domain else if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.StartsWith(email1, ".")) { if (email2.IndexOf('@') != -1) { string _sub = email2.Substring(email1.IndexOf('@') + 1); if (WithinDomain(_sub, email1)) { union.Add(email1); } else { union.Add(email1); union.Add(email2); } } // email2 specifies a domain else if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.StartsWith(email2, ".")) { if (WithinDomain(email1, email2) || BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.EqualsIgnoreCase(email1, email2)) { union.Add(email2); } else if (WithinDomain(email2, email1)) { union.Add(email1); } else { union.Add(email1); union.Add(email2); } } else { if (WithinDomain(email2, email1)) { union.Add(email1); } else { union.Add(email1); union.Add(email2); } } } // email specifies a host else { if (email2.IndexOf('@') != -1) { string _sub = email2.Substring(email1.IndexOf('@') + 1); if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.EqualsIgnoreCase(_sub, email1)) { union.Add(email1); } else { union.Add(email1); union.Add(email2); } } // email2 specifies a domain else if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.StartsWith(email2, ".")) { if (WithinDomain(email1, email2)) { union.Add(email2); } else { union.Add(email1); union.Add(email2); } } // email2 specifies a particular host else { if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.EqualsIgnoreCase(email1, email2)) { union.Add(email1); } else { union.Add(email1); union.Add(email2); } } } } private void unionURI(string email1, string email2, ISet union) { // email1 is a particular address if (email1.IndexOf('@') != -1) { string _sub = email1.Substring(email1.IndexOf('@') + 1); // both are a particular mailbox if (email2.IndexOf('@') != -1) { if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.EqualsIgnoreCase(email1, email2)) { union.Add(email1); } else { union.Add(email1); union.Add(email2); } } // email2 specifies a domain else if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.StartsWith(email2, ".")) { if (WithinDomain(_sub, email2)) { union.Add(email2); } else { union.Add(email1); union.Add(email2); } } // email2 specifies a particular host else { if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.EqualsIgnoreCase(_sub, email2)) { union.Add(email2); } else { union.Add(email1); union.Add(email2); } } } // email1 specifies a domain else if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.StartsWith(email1, ".")) { if (email2.IndexOf('@') != -1) { string _sub = email2.Substring(email1.IndexOf('@') + 1); if (WithinDomain(_sub, email1)) { union.Add(email1); } else { union.Add(email1); union.Add(email2); } } // email2 specifies a domain else if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.StartsWith(email2, ".")) { if (WithinDomain(email1, email2) || BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.EqualsIgnoreCase(email1, email2)) { union.Add(email2); } else if (WithinDomain(email2, email1)) { union.Add(email1); } else { union.Add(email1); union.Add(email2); } } else { if (WithinDomain(email2, email1)) { union.Add(email1); } else { union.Add(email1); union.Add(email2); } } } // email specifies a host else { if (email2.IndexOf('@') != -1) { string _sub = email2.Substring(email1.IndexOf('@') + 1); if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.EqualsIgnoreCase(_sub, email1)) { union.Add(email1); } else { union.Add(email1); union.Add(email2); } } // email2 specifies a domain else if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.StartsWith(email2, ".")) { if (WithinDomain(email1, email2)) { union.Add(email2); } else { union.Add(email1); union.Add(email2); } } // email2 specifies a particular host else { if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.EqualsIgnoreCase(email1, email2)) { union.Add(email1); } else { union.Add(email1); union.Add(email2); } } } } private ISet IntersectDns(ISet permitted, ISet dnss) { ISet intersect = new HashSet(); foreach (GeneralSubtree subtree in dnss) { string dns = ExtractNameAsString(subtree.Base); if (permitted == null) { if (dns != null) { intersect.Add(dns); } } else { foreach (string _permitted in permitted) { if (WithinDomain(_permitted, dns)) { intersect.Add(_permitted); } else if (WithinDomain(dns, _permitted)) { intersect.Add(dns); } } } } return intersect; } private ISet UnionDns(ISet excluded, string dns) { if (excluded.IsEmpty) { if (dns == null) return excluded; excluded.Add(dns); return excluded; } else { ISet union = new HashSet(); foreach (string _excluded in excluded) { if (WithinDomain(_excluded, dns)) { union.Add(dns); } else if (WithinDomain(dns, _excluded)) { union.Add(_excluded); } else { union.Add(_excluded); union.Add(dns); } } return union; } } /** * The most restricting part from email1 and * email2 is added to the intersection intersect. * * @param email1 Email address constraint 1. * @param email2 Email address constraint 2. * @param intersect The intersection. */ private void IntersectEmail(string email1, string email2, ISet intersect) { // email1 is a particular address if (email1.IndexOf('@') != -1) { string _sub = email1.Substring(email1.IndexOf('@') + 1); // both are a particular mailbox if (email2.IndexOf('@') != -1) { if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.EqualsIgnoreCase(email1, email2)) { intersect.Add(email1); } } // email2 specifies a domain else if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.StartsWith(email2, ".")) { if (WithinDomain(_sub, email2)) { intersect.Add(email1); } } // email2 specifies a particular host else { if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.EqualsIgnoreCase(_sub, email2)) { intersect.Add(email1); } } } // email specifies a domain else if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.StartsWith(email1, ".")) { if (email2.IndexOf('@') != -1) { string _sub = email2.Substring(email1.IndexOf('@') + 1); if (WithinDomain(_sub, email1)) { intersect.Add(email2); } } // email2 specifies a domain else if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.StartsWith(email2, ".")) { if (WithinDomain(email1, email2) || BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.EqualsIgnoreCase(email1, email2)) { intersect.Add(email1); } else if (WithinDomain(email2, email1)) { intersect.Add(email2); } } else { if (WithinDomain(email2, email1)) { intersect.Add(email2); } } } // email1 specifies a host else { if (email2.IndexOf('@') != -1) { string _sub = email2.Substring(email2.IndexOf('@') + 1); if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.EqualsIgnoreCase(_sub, email1)) { intersect.Add(email2); } } // email2 specifies a domain else if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.StartsWith(email2, ".")) { if (WithinDomain(email1, email2)) { intersect.Add(email1); } } // email2 specifies a particular host else { if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.EqualsIgnoreCase(email1, email2)) { intersect.Add(email1); } } } } private ISet IntersectUri(ISet permitted, ISet uris) { ISet intersect = new HashSet(); foreach (GeneralSubtree subtree in uris) { string uri = ExtractNameAsString(subtree.Base); if (permitted == null) { if (uri != null) { intersect.Add(uri); } } else { foreach (string _permitted in permitted) { IntersectUri(_permitted, uri, intersect); } } } return intersect; } private ISet UnionUri(ISet excluded, string uri) { if (excluded.IsEmpty) { if (uri == null) return excluded; excluded.Add(uri); return excluded; } else { ISet union = new HashSet(); foreach (string _excluded in excluded) { unionURI(_excluded, uri, union); } return union; } } private void IntersectUri(string email1, string email2, ISet intersect) { // email1 is a particular address if (email1.IndexOf('@') != -1) { string _sub = email1.Substring(email1.IndexOf('@') + 1); // both are a particular mailbox if (email2.IndexOf('@') != -1) { if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.EqualsIgnoreCase(email1, email2)) { intersect.Add(email1); } } // email2 specifies a domain else if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.StartsWith(email2, ".")) { if (WithinDomain(_sub, email2)) { intersect.Add(email1); } } // email2 specifies a particular host else { if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.EqualsIgnoreCase(_sub, email2)) { intersect.Add(email1); } } } // email specifies a domain else if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.StartsWith(email1, ".")) { if (email2.IndexOf('@') != -1) { string _sub = email2.Substring(email1.IndexOf('@') + 1); if (WithinDomain(_sub, email1)) { intersect.Add(email2); } } // email2 specifies a domain else if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.StartsWith(email2, ".")) { if (WithinDomain(email1, email2) || BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.EqualsIgnoreCase(email1, email2)) { intersect.Add(email1); } else if (WithinDomain(email2, email1)) { intersect.Add(email2); } } else { if (WithinDomain(email2, email1)) { intersect.Add(email2); } } } // email1 specifies a host else { if (email2.IndexOf('@') != -1) { string _sub = email2.Substring(email2.IndexOf('@') + 1); if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.EqualsIgnoreCase(_sub, email1)) { intersect.Add(email2); } } // email2 specifies a domain else if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.StartsWith(email2, ".")) { if (WithinDomain(email1, email2)) { intersect.Add(email1); } } // email2 specifies a particular host else { if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.EqualsIgnoreCase(email1, email2)) { intersect.Add(email1); } } } } private static string ExtractHostFromURL(string url) { // see RFC 1738 // remove ':' after protocol, e.g. http: string sub = url.Substring(url.IndexOf(':') + 1); // extract host from Common Internet Scheme Syntax, e.g. http:// int idxOfSlashes = BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.IndexOf(sub, "//"); if (idxOfSlashes != -1) { sub = sub.Substring(idxOfSlashes + 2); } // first remove port, e.g. http://test.com:21 if (sub.LastIndexOf(':') != -1) { sub = sub.Substring(0, sub.LastIndexOf(':')); } // remove user and password, e.g. http://john:password@test.com sub = sub.Substring(sub.IndexOf(':') + 1); sub = sub.Substring(sub.IndexOf('@') + 1); // remove local parts, e.g. http://test.com/bla if (sub.IndexOf('/') != -1) { sub = sub.Substring(0, sub.IndexOf('/')); } return sub; } /** * Checks if the given GeneralName is in the permitted ISet. * * @param name The GeneralName * @throws PkixNameConstraintValidatorException * If the name */ public void checkPermitted(GeneralName name) //throws PkixNameConstraintValidatorException { switch (name.TagNo) { case GeneralName.OtherName: CheckPermittedOtherName(permittedSubtreesOtherName, OtherName.GetInstance(name.Name)); break; case GeneralName.Rfc822Name: CheckPermittedEmail(permittedSubtreesEmail, ExtractNameAsString(name)); break; case GeneralName.DnsName: CheckPermittedDns(permittedSubtreesDNS, ExtractNameAsString(name)); break; case GeneralName.DirectoryName: CheckPermittedDN(Asn1Sequence.GetInstance(name.Name.ToAsn1Object())); break; case GeneralName.UniformResourceIdentifier: CheckPermittedUri(permittedSubtreesURI, ExtractNameAsString(name)); break; case GeneralName.IPAddress: CheckPermittedIP(permittedSubtreesIP, Asn1OctetString.GetInstance(name.Name).GetOctets()); break; } } /** * Check if the given GeneralName is contained in the excluded ISet. * * @param name The GeneralName. * @throws PkixNameConstraintValidatorException * If the name is * excluded. */ public void checkExcluded(GeneralName name) //throws PkixNameConstraintValidatorException { switch (name.TagNo) { case GeneralName.OtherName: CheckExcludedOtherName(excludedSubtreesOtherName, OtherName.GetInstance(name.Name)); break; case GeneralName.Rfc822Name: CheckExcludedEmail(excludedSubtreesEmail, ExtractNameAsString(name)); break; case GeneralName.DnsName: CheckExcludedDns(excludedSubtreesDNS, ExtractNameAsString(name)); break; case GeneralName.DirectoryName: CheckExcludedDN(Asn1Sequence.GetInstance(name.Name.ToAsn1Object())); break; case GeneralName.UniformResourceIdentifier: CheckExcludedUri(excludedSubtreesURI, ExtractNameAsString(name)); break; case GeneralName.IPAddress: CheckExcludedIP(excludedSubtreesIP, Asn1OctetString.GetInstance(name.Name).GetOctets()); break; } } /** * Updates the permitted ISet of these name constraints with the intersection * with the given subtree. * * @param permitted The permitted subtrees */ public void IntersectPermittedSubtree(Asn1Sequence permitted) { IDictionary subtreesMap = BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.CreateHashtable(); // group in ISets in a map ordered by tag no. foreach (object obj in permitted) { GeneralSubtree subtree = GeneralSubtree.GetInstance(obj); int tagNo = subtree.Base.TagNo; if (subtreesMap[tagNo] == null) { subtreesMap[tagNo] = new HashSet(); } ((ISet)subtreesMap[tagNo]).Add(subtree); } foreach (DictionaryEntry entry in subtreesMap) { // go through all subtree groups switch ((int)entry.Key) { case GeneralName.OtherName: permittedSubtreesOtherName = IntersectOtherName(permittedSubtreesOtherName, (ISet)entry.Value); break; case GeneralName.Rfc822Name: permittedSubtreesEmail = IntersectEmail(permittedSubtreesEmail, (ISet)entry.Value); break; case GeneralName.DnsName: permittedSubtreesDNS = IntersectDns(permittedSubtreesDNS, (ISet)entry.Value); break; case GeneralName.DirectoryName: permittedSubtreesDN = IntersectDN(permittedSubtreesDN, (ISet)entry.Value); break; case GeneralName.UniformResourceIdentifier: permittedSubtreesURI = IntersectUri(permittedSubtreesURI, (ISet)entry.Value); break; case GeneralName.IPAddress: permittedSubtreesIP = IntersectIP(permittedSubtreesIP, (ISet)entry.Value); break; } } } private string ExtractNameAsString(GeneralName name) { return DerIA5String.GetInstance(name.Name).GetString(); } public void IntersectEmptyPermittedSubtree(int nameType) { switch (nameType) { case GeneralName.OtherName: permittedSubtreesOtherName = new HashSet(); break; case GeneralName.Rfc822Name: permittedSubtreesEmail = new HashSet(); break; case GeneralName.DnsName: permittedSubtreesDNS = new HashSet(); break; case GeneralName.DirectoryName: permittedSubtreesDN = new HashSet(); break; case GeneralName.UniformResourceIdentifier: permittedSubtreesURI = new HashSet(); break; case GeneralName.IPAddress: permittedSubtreesIP = new HashSet(); break; } } /** * Adds a subtree to the excluded ISet of these name constraints. * * @param subtree A subtree with an excluded GeneralName. */ public void AddExcludedSubtree(GeneralSubtree subtree) { GeneralName subTreeBase = subtree.Base; switch (subTreeBase.TagNo) { case GeneralName.OtherName: excludedSubtreesOtherName = UnionOtherName(excludedSubtreesOtherName, OtherName.GetInstance(subTreeBase.Name)); break; case GeneralName.Rfc822Name: excludedSubtreesEmail = UnionEmail(excludedSubtreesEmail, ExtractNameAsString(subTreeBase)); break; case GeneralName.DnsName: excludedSubtreesDNS = UnionDns(excludedSubtreesDNS, ExtractNameAsString(subTreeBase)); break; case GeneralName.DirectoryName: excludedSubtreesDN = UnionDN(excludedSubtreesDN, (Asn1Sequence)subTreeBase.Name.ToAsn1Object()); break; case GeneralName.UniformResourceIdentifier: excludedSubtreesURI = UnionUri(excludedSubtreesURI, ExtractNameAsString(subTreeBase)); break; case GeneralName.IPAddress: excludedSubtreesIP = UnionIP(excludedSubtreesIP, Asn1OctetString.GetInstance(subTreeBase.Name).GetOctets()); break; } } /** * Returns the maximum IP address. * * @param ip1 The first IP address. * @param ip2 The second IP address. * @return The maximum IP address. */ private static byte[] Max(byte[] ip1, byte[] ip2) { for (int i = 0; i < ip1.Length; i++) { if ((ip1[i] & 0xFFFF) > (ip2[i] & 0xFFFF)) { return ip1; } } return ip2; } /** * Returns the minimum IP address. * * @param ip1 The first IP address. * @param ip2 The second IP address. * @return The minimum IP address. */ private static byte[] Min(byte[] ip1, byte[] ip2) { for (int i = 0; i < ip1.Length; i++) { if ((ip1[i] & 0xFFFF) < (ip2[i] & 0xFFFF)) { return ip1; } } return ip2; } /** * Compares IP address ip1 with ip2. If ip1 * is equal to ip2 0 is returned. If ip1 is bigger 1 is returned, -1 * otherwise. * * @param ip1 The first IP address. * @param ip2 The second IP address. * @return 0 if ip1 is equal to ip2, 1 if ip1 is bigger, -1 otherwise. */ private static int CompareTo(byte[] ip1, byte[] ip2) { if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Arrays.AreEqual(ip1, ip2)) { return 0; } if (BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Arrays.AreEqual(Max(ip1, ip2), ip1)) { return 1; } return -1; } /** * Returns the logical OR of the IP addresses ip1 and * ip2. * * @param ip1 The first IP address. * @param ip2 The second IP address. * @return The OR of ip1 and ip2. */ private static byte[] Or(byte[] ip1, byte[] ip2) { byte[] temp = new byte[ip1.Length]; for (int i = 0; i < ip1.Length; i++) { temp[i] = (byte)(ip1[i] | ip2[i]); } return temp; } public int HashCode() { return GetHashCode(); } public override int GetHashCode() { return HashCollection(excludedSubtreesDN) + HashCollection(excludedSubtreesDNS) + HashCollection(excludedSubtreesEmail) + HashCollection(excludedSubtreesIP) + HashCollection(excludedSubtreesURI) + HashCollection(excludedSubtreesOtherName) + HashCollection(permittedSubtreesDN) + HashCollection(permittedSubtreesDNS) + HashCollection(permittedSubtreesEmail) + HashCollection(permittedSubtreesIP) + HashCollection(permittedSubtreesURI) + HashCollection(permittedSubtreesOtherName); } private int HashCollection(ICollection c) { if (c == null) return 0; int hash = 0; foreach (Object o in c) { if (o is byte[]) { hash += Arrays.GetHashCode((byte[])o); } else { hash += o.GetHashCode(); } } return hash; } public override bool Equals(Object o) { if (!(o is PkixNameConstraintValidator)) return false; PkixNameConstraintValidator constraintValidator = (PkixNameConstraintValidator)o; return CollectionsAreEqual(constraintValidator.excludedSubtreesDN, excludedSubtreesDN) && CollectionsAreEqual(constraintValidator.excludedSubtreesDNS, excludedSubtreesDNS) && CollectionsAreEqual(constraintValidator.excludedSubtreesEmail, excludedSubtreesEmail) && CollectionsAreEqual(constraintValidator.excludedSubtreesIP, excludedSubtreesIP) && CollectionsAreEqual(constraintValidator.excludedSubtreesURI, excludedSubtreesURI) && CollectionsAreEqual(constraintValidator.excludedSubtreesOtherName, excludedSubtreesOtherName) && CollectionsAreEqual(constraintValidator.permittedSubtreesDN, permittedSubtreesDN) && CollectionsAreEqual(constraintValidator.permittedSubtreesDNS, permittedSubtreesDNS) && CollectionsAreEqual(constraintValidator.permittedSubtreesEmail, permittedSubtreesEmail) && CollectionsAreEqual(constraintValidator.permittedSubtreesIP, permittedSubtreesIP) && CollectionsAreEqual(constraintValidator.permittedSubtreesURI, permittedSubtreesURI) && CollectionsAreEqual(constraintValidator.permittedSubtreesOtherName, permittedSubtreesOtherName); } private bool CollectionsAreEqual(ICollection coll1, ICollection coll2) { if (coll1 == coll2) return true; if (coll1 == null || coll2 == null || coll1.Count != coll2.Count) return false; foreach (Object a in coll1) { bool found = false; foreach (Object b in coll2) { if (SpecialEquals(a, b)) { found = true; break; } } if (!found) return false; } return true; } private bool SpecialEquals(Object o1, Object o2) { if (o1 == o2) { return true; } if (o1 == null || o2 == null) { return false; } if ((o1 is byte[]) && (o2 is byte[])) { return Arrays.AreEqual((byte[])o1, (byte[])o2); } else { return o1.Equals(o2); } } /** * Stringifies an IPv4 or v6 address with subnet mask. * * @param ip The IP with subnet mask. * @return The stringified IP address. */ private string StringifyIP(byte[] ip) { string temp = ""; for (int i = 0; i < ip.Length / 2; i++) { //temp += Integer.toString(ip[i] & 0x00FF) + "."; temp += (ip[i] & 0x00FF) + "."; } temp = temp.Substring(0, temp.Length - 1); temp += "/"; for (int i = ip.Length / 2; i < ip.Length; i++) { //temp += Integer.toString(ip[i] & 0x00FF) + "."; temp += (ip[i] & 0x00FF) + "."; } temp = temp.Substring(0, temp.Length - 1); return temp; } private string StringifyIPCollection(ISet ips) { string temp = ""; temp += "["; foreach (byte[] ip in ips) { temp += StringifyIP(ip) + ","; } if (temp.Length > 1) { temp = temp.Substring(0, temp.Length - 1); } temp += "]"; return temp; } private string StringifyOtherNameCollection(ISet otherNames) { string temp = ""; temp += "["; foreach (object obj in otherNames) { OtherName name = OtherName.GetInstance(obj); if (temp.Length > 1) { temp += ","; } temp += name.TypeID.Id; temp += ":"; try { temp += Hex.ToHexString(name.Value.ToAsn1Object().GetEncoded()); } catch (IOException e) { temp += e.ToString(); } } temp += "]"; return temp; } public override string ToString() { string temp = ""; temp += "permitted:\n"; if (permittedSubtreesDN != null) { temp += "DN:\n"; temp += permittedSubtreesDN.ToString() + "\n"; } if (permittedSubtreesDNS != null) { temp += "DNS:\n"; temp += permittedSubtreesDNS.ToString() + "\n"; } if (permittedSubtreesEmail != null) { temp += "Email:\n"; temp += permittedSubtreesEmail.ToString() + "\n"; } if (permittedSubtreesURI != null) { temp += "URI:\n"; temp += permittedSubtreesURI.ToString() + "\n"; } if (permittedSubtreesIP != null) { temp += "IP:\n"; temp += StringifyIPCollection(permittedSubtreesIP) + "\n"; } if (permittedSubtreesOtherName != null) { temp += "OtherName:\n"; temp += StringifyOtherNameCollection(permittedSubtreesOtherName); } temp += "excluded:\n"; if (!(excludedSubtreesDN.IsEmpty)) { temp += "DN:\n"; temp += excludedSubtreesDN.ToString() + "\n"; } if (!excludedSubtreesDNS.IsEmpty) { temp += "DNS:\n"; temp += excludedSubtreesDNS.ToString() + "\n"; } if (!excludedSubtreesEmail.IsEmpty) { temp += "Email:\n"; temp += excludedSubtreesEmail.ToString() + "\n"; } if (!excludedSubtreesURI.IsEmpty) { temp += "URI:\n"; temp += excludedSubtreesURI.ToString() + "\n"; } if (!excludedSubtreesIP.IsEmpty) { temp += "IP:\n"; temp += StringifyIPCollection(excludedSubtreesIP) + "\n"; } if (!excludedSubtreesOtherName.IsEmpty) { temp += "OtherName:\n"; temp += StringifyOtherNameCollection(excludedSubtreesOtherName); } return temp; } } } #pragma warning restore #endif