You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
209 lines
5.9 KiB
209 lines
5.9 KiB
#if !BESTHTTP_DISABLE_ALTERNATE_SSL && (!UNITY_WEBGL || UNITY_EDITOR) |
|
#pragma warning disable |
|
using System; |
|
using System.Collections; |
|
using System.Text; |
|
|
|
using BestHTTP.SecureProtocol.Org.BouncyCastle.Asn1.IsisMtt; |
|
using BestHTTP.SecureProtocol.Org.BouncyCastle.Asn1; |
|
using BestHTTP.SecureProtocol.Org.BouncyCastle.Asn1.X509; |
|
using BestHTTP.SecureProtocol.Org.BouncyCastle.Asn1.X500; |
|
using BestHTTP.SecureProtocol.Org.BouncyCastle.Crypto; |
|
using BestHTTP.SecureProtocol.Org.BouncyCastle.Crypto.Parameters; |
|
using BestHTTP.SecureProtocol.Org.BouncyCastle.Math; |
|
using BestHTTP.SecureProtocol.Org.BouncyCastle.Security.Certificates; |
|
using BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities; |
|
using BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Collections; |
|
using BestHTTP.SecureProtocol.Org.BouncyCastle.X509; |
|
using BestHTTP.SecureProtocol.Org.BouncyCastle.X509.Store; |
|
|
|
namespace BestHTTP.SecureProtocol.Org.BouncyCastle.Pkix |
|
{ |
|
/** |
|
* Implements the PKIX CertPathBuilding algorithm for BouncyCastle. |
|
* |
|
* @see CertPathBuilderSpi |
|
*/ |
|
public class PkixCertPathBuilder |
|
// : CertPathBuilderSpi |
|
{ |
|
/** |
|
* Build and validate a CertPath using the given parameter. |
|
* |
|
* @param params PKIXBuilderParameters object containing all information to |
|
* build the CertPath |
|
*/ |
|
public virtual PkixCertPathBuilderResult Build( |
|
PkixBuilderParameters pkixParams) |
|
{ |
|
// search target certificates |
|
|
|
IX509Selector certSelect = pkixParams.GetTargetCertConstraints(); |
|
if (!(certSelect is X509CertStoreSelector)) |
|
{ |
|
throw new PkixCertPathBuilderException( |
|
"TargetConstraints must be an instance of " |
|
+ typeof(X509CertStoreSelector).FullName + " for " |
|
+ BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.GetTypeName(this) + " class."); |
|
} |
|
|
|
ISet targets = new HashSet(); |
|
try |
|
{ |
|
targets.AddAll(PkixCertPathValidatorUtilities.FindCertificates((X509CertStoreSelector)certSelect, pkixParams.GetStores())); |
|
// TODO Should this include an entry for pkixParams.GetAdditionalStores() too? |
|
} |
|
catch (Exception e) |
|
{ |
|
throw new PkixCertPathBuilderException( |
|
"Error finding target certificate.", e); |
|
} |
|
|
|
if (targets.IsEmpty) |
|
throw new PkixCertPathBuilderException("No certificate found matching targetConstraints."); |
|
|
|
PkixCertPathBuilderResult result = null; |
|
IList certPathList = BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.CreateArrayList(); |
|
|
|
// check all potential target certificates |
|
foreach (X509Certificate cert in targets) |
|
{ |
|
result = Build(cert, pkixParams, certPathList); |
|
|
|
if (result != null) |
|
break; |
|
} |
|
|
|
if (result == null && certPathException != null) |
|
{ |
|
throw new PkixCertPathBuilderException(certPathException.Message, certPathException.InnerException); |
|
} |
|
|
|
if (result == null && certPathException == null) |
|
{ |
|
throw new PkixCertPathBuilderException("Unable to find certificate chain."); |
|
} |
|
|
|
return result; |
|
} |
|
|
|
private Exception certPathException; |
|
|
|
protected virtual PkixCertPathBuilderResult Build( |
|
X509Certificate tbvCert, |
|
PkixBuilderParameters pkixParams, |
|
IList tbvPath) |
|
{ |
|
// If tbvCert is readily present in tbvPath, it indicates having run |
|
// into a cycle in the PKI graph. |
|
if (tbvPath.Contains(tbvCert)) |
|
return null; |
|
|
|
// step out, the certificate is not allowed to appear in a certification |
|
// chain. |
|
if (pkixParams.GetExcludedCerts().Contains(tbvCert)) |
|
return null; |
|
|
|
// test if certificate path exceeds maximum length |
|
if (pkixParams.MaxPathLength != -1) |
|
{ |
|
if (tbvPath.Count - 1 > pkixParams.MaxPathLength) |
|
return null; |
|
} |
|
|
|
tbvPath.Add(tbvCert); |
|
|
|
// X509CertificateParser certParser = new X509CertificateParser(); |
|
PkixCertPathBuilderResult builderResult = null; |
|
PkixCertPathValidator validator = new PkixCertPathValidator(); |
|
|
|
try |
|
{ |
|
// check whether the issuer of <tbvCert> is a TrustAnchor |
|
if (PkixCertPathValidatorUtilities.IsIssuerTrustAnchor(tbvCert, pkixParams.GetTrustAnchors())) |
|
{ |
|
// exception message from possibly later tried certification |
|
// chains |
|
PkixCertPath certPath = null; |
|
try |
|
{ |
|
certPath = new PkixCertPath(tbvPath); |
|
} |
|
catch (Exception e) |
|
{ |
|
throw new Exception( |
|
"Certification path could not be constructed from certificate list.", |
|
e); |
|
} |
|
|
|
PkixCertPathValidatorResult result = null; |
|
try |
|
{ |
|
result = (PkixCertPathValidatorResult)validator.Validate( |
|
certPath, pkixParams); |
|
} |
|
catch (Exception e) |
|
{ |
|
throw new Exception( |
|
"Certification path could not be validated.", e); |
|
} |
|
|
|
return new PkixCertPathBuilderResult(certPath, result.TrustAnchor, |
|
result.PolicyTree, result.SubjectPublicKey); |
|
} |
|
else |
|
{ |
|
// add additional X.509 stores from locations in certificate |
|
try |
|
{ |
|
PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames( |
|
tbvCert, pkixParams); |
|
} |
|
catch (CertificateParsingException e) |
|
{ |
|
throw new Exception( |
|
"No additiontal X.509 stores can be added from certificate locations.", |
|
e); |
|
} |
|
|
|
// try to get the issuer certificate from one of the stores |
|
HashSet issuers = new HashSet(); |
|
try |
|
{ |
|
issuers.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams)); |
|
} |
|
catch (Exception e) |
|
{ |
|
throw new Exception( |
|
"Cannot find issuer certificate for certificate in certification path.", |
|
e); |
|
} |
|
|
|
if (issuers.IsEmpty) |
|
throw new Exception("No issuer certificate for certificate in certification path found."); |
|
|
|
foreach (X509Certificate issuer in issuers) |
|
{ |
|
builderResult = Build(issuer, pkixParams, tbvPath); |
|
|
|
if (builderResult != null) |
|
break; |
|
} |
|
} |
|
} |
|
catch (Exception e) |
|
{ |
|
certPathException = e; |
|
} |
|
|
|
if (builderResult == null) |
|
{ |
|
tbvPath.Remove(tbvCert); |
|
} |
|
|
|
return builderResult; |
|
} |
|
} |
|
} |
|
#pragma warning restore |
|
#endif
|
|
|