search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
(DISTFILES): Comment out a few missing files.
[mono-project.git] / mcs / class / corlib / Mono.Security.X509 / X509Chain.cs
blobf8035e6c661f23cf97c32ff1da0dd960658d43a5
1 //
2 // X509Chain.cs: X.509 Certificate Path
3 // This is a VERY simplified and minimal version
4 // used for
5 // Authenticode support
6 // TLS/SSL support
7 //
8 // Author:
9 // Sebastien Pouliot <sebastien@ximian.com>
10 //
11 // (C) 2003 Motus Technologies Inc. (http://www.motus.com)
12 // Copyright (C) 2004 Novell, Inc (http://www.novell.com)
13 //
14 // Permission is hereby granted, free of charge, to any person obtaining
15 // a copy of this software and associated documentation files (the
16 // "Software"), to deal in the Software without restriction, including
17 // without limitation the rights to use, copy, modify, merge, publish,
18 // distribute, sublicense, and/or sell copies of the Software, and to
19 // permit persons to whom the Software is furnished to do so, subject to
20 // the following conditions:
21 //
22 // The above copyright notice and this permission notice shall be
23 // included in all copies or substantial portions of the Software.
24 //
25 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
26 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
27 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
28 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
29 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
30 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
31 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
32 //
33
34 using System;
35 using System.Security;
36 using System.Security.Permissions;
37
38 #if !INSIDE_CORLIB
39 using System.Net;
40 #endif
41
42 using Mono.Security.X509.Extensions;
43
44 namespace Mono.Security.X509 {
45
46 #if INSIDE_CORLIB
47 internal
48 #else
49 public
50 #endif
51 class X509Chain {
52
53 private X509CertificateCollection roots;
54 private X509CertificateCollection certs;
55 private X509Certificate _root;
56
57 private X509CertificateCollection _chain;
58 private X509ChainStatusFlags _status;
59
60 // constructors
61
62 public X509Chain ()
63 {
64 certs = new X509CertificateCollection ();
65 }
66
67 // get a pre-builded chain
68 public X509Chain (X509CertificateCollection chain) : this ()
69 {
70 _chain = new X509CertificateCollection ();
71 _chain.AddRange (chain);
72 }
73
74 // properties
75
76 public X509CertificateCollection Chain {
77 get { return _chain; }
78 }
79
80 // the root of the specified certificate (may not be trusted!)
81 public X509Certificate Root {
82 get { return _root; }
83 }
84
85 public X509ChainStatusFlags Status {
86 get { return _status; }
87 }
88
89 public X509CertificateCollection TrustAnchors {
90 get {
91 if (roots == null) {
92 roots = new X509CertificateCollection ();
93 roots.AddRange (X509StoreManager.TrustedRootCertificates);
94 return roots;
95 }
96 return roots;
97 }
98 [SecurityPermission (SecurityAction.Demand, Flags=SecurityPermissionFlag.ControlPolicy)]
99 set { roots = value; }
100 }
101
102 // methods
103
104 public void LoadCertificate (X509Certificate x509)
105 {
106 certs.Add (x509);
107 }
108
109 public void LoadCertificates (X509CertificateCollection collection)
110 {
111 certs.AddRange (collection);
112 }
113
114 public X509Certificate FindByIssuerName (string issuerName)
115 {
116 foreach (X509Certificate x in certs) {
117 if (x.IssuerName == issuerName)
118 return x;
119 }
120 return null;
121 }
122
123 public bool Build (X509Certificate leaf)
124 {
125 _status = X509ChainStatusFlags.NoError;
126 if (_chain == null) {
127 // chain not supplied - we must built it ourselve
128 _chain = new X509CertificateCollection ();
129 X509Certificate x = leaf;
130 X509Certificate tmp = null;
131 while ((x != null) && (!x.IsSelfSigned)) {
132 tmp = FindCertificateParent (x);
133 if (x != null) {
134 _chain.Add (x);
135 x = tmp; // last valid
136 }
137 }
138 // find a trusted root
139 _root = FindCertificateRoot (tmp);
140 }
141 else {
142 // chain supplied - still have to check signatures!
143 int last = _chain.Count;
144 if (last > 0) {
145 if (IsParent (leaf, _chain [0])) {
146 int i = 1;
147 for (; i < last; i++) {
148 if (!IsParent (_chain [i-1], _chain [i]))
149 break;
150 }
151 if (i == last)
152 _root = FindCertificateRoot (_chain [last - 1]);
153 }
154 }
155 else {
156 // is the leaf a root ? (trusted or untrusted)
157 _root = FindCertificateRoot (leaf);
158 }
159 }
160
161 // validate the chain
162 if ((_chain != null) && (_status == X509ChainStatusFlags.NoError)) {
163 foreach (X509Certificate x in _chain) {
164 // validate dates for each certificate in the chain
165 // note: we DO NOT check for nested date/time
166 if (!IsValid (x)) {
167 return false;
168 }
169 }
170 // check leaf
171 if (!IsValid (leaf)) {
172 // switch status code if the failure is expiration
173 if (_status == X509ChainStatusFlags.NotTimeNested)
174 _status = X509ChainStatusFlags.NotTimeValid;
175 return false;
176 }
177 // check root
178 if ((_root != null) && !IsValid (_root)) {
179 return false;
180 }
181 }
182 return (_status == X509ChainStatusFlags.NoError);
183 }
184
185 //
186
187 public void Reset ()
188 {
189 _status = X509ChainStatusFlags.NoError;
190 roots = null; // this force a reload
191 certs.Clear ();
192 if (_chain != null)
193 _chain.Clear ();
194 }
195
196 // private stuff
197
198 private bool IsValid (X509Certificate cert)
199 {
200 if (!cert.IsCurrent) {
201 // FIXME: nesting isn't very well implemented
202 _status = X509ChainStatusFlags.NotTimeNested;
203 return false;
204 }
205
206 // TODO - we should check for CRITICAL but unknown extensions
207 // X509ChainStatusFlags.InvalidExtension
208 #if (!NET_1_0 && !INSIDE_CORLIB)
209 if (ServicePointManager.CheckCertificateRevocationList) {
210 // TODO - check revocation (CRL, OCSP ...)
211 // X509ChainStatusFlags.RevocationStatusUnknown
212 // X509ChainStatusFlags.Revoked
213 }
214 #endif
215 return true;
216 }
217
218 private X509Certificate FindCertificateParent (X509Certificate child)
219 {
220 foreach (X509Certificate potentialParent in certs) {
221 if (IsParent (child, potentialParent))
222 return potentialParent;
223 }
224 return null;
225 }
226
227 private X509Certificate FindCertificateRoot (X509Certificate potentialRoot)
228 {
229 if (potentialRoot == null) {
230 _status = X509ChainStatusFlags.PartialChain;
231 return null;
232 }
233
234 // if the trusted root is in the chain
235 if (IsTrusted (potentialRoot)) {
236 return potentialRoot;
237 }
238
239 // if the root isn't in the chain
240 foreach (X509Certificate root in TrustAnchors) {
241 if (IsParent (potentialRoot, root)) {
242 return root;
243 }
244 }
245
246 // is it a (untrusted) root ?
247 if (potentialRoot.IsSelfSigned) {
248 _status = X509ChainStatusFlags.UntrustedRoot;
249 return potentialRoot;
250 }
251
252 _status = X509ChainStatusFlags.PartialChain;
253 return null;
254 }
255
256 private bool IsTrusted (X509Certificate potentialTrusted)
257 {
258 return TrustAnchors.Contains (potentialTrusted);
259 }
260
261 private bool IsParent (X509Certificate child, X509Certificate parent)
262 {
263 if (child.IssuerName != parent.SubjectName)
264 return false;
265
266 // parent MUST have the Basic Constraint CA=true (except for trusted roots)
267 // see why at http://www.microsoft.com/technet/security/bulletin/MS02-050.asp
268 if ((parent.Version > 2) && (!IsTrusted (parent))) {
269 // TODO: we do not support pathLenConstraint
270 X509Extension ext = parent.Extensions ["2.5.29.19"];
271 if (ext != null) {
272 BasicConstraintsExtension bc = new BasicConstraintsExtension (ext);
273 if (!bc.CertificateAuthority)
274 _status = X509ChainStatusFlags.InvalidBasicConstraints;
275 }
276 else
277 _status = X509ChainStatusFlags.InvalidBasicConstraints;
278 }
279
280 if (!child.VerifySignature (parent.RSA)) {
281 _status = X509ChainStatusFlags.NotSignatureValid;
282 return false;
283 }
284 return true;
285 }
286 }
287 }
Mirror of the official Mono project git repository