search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
disable broken tests on net_4_0
[mcs.git] / class / corlib / Mono.Security.X509 / X509Chain.cs
blob027005ca2cb8c5d5220f0b74fd87327ba6eb2336
1 //
2 // X509Chain.cs: X.509 Certificate Path
3 // This is a VERY simplified and minimal version
4 // used for
5 // Authenticode support
6 // TLS/SSL support
7 //
8 // Author:
9 // Sebastien Pouliot <sebastien@ximian.com>
10 //
11 // (C) 2003 Motus Technologies Inc. (http://www.motus.com)
12 // Copyright (C) 2004 Novell, Inc (http://www.novell.com)
13 //
14 // Permission is hereby granted, free of charge, to any person obtaining
15 // a copy of this software and associated documentation files (the
16 // "Software"), to deal in the Software without restriction, including
17 // without limitation the rights to use, copy, modify, merge, publish,
18 // distribute, sublicense, and/or sell copies of the Software, and to
19 // permit persons to whom the Software is furnished to do so, subject to
20 // the following conditions:
21 //
22 // The above copyright notice and this permission notice shall be
23 // included in all copies or substantial portions of the Software.
24 //
25 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
26 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
27 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
28 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
29 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
30 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
31 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
32 //
33
34 using System;
35 using System.Security;
36 using System.Security.Permissions;
37
38 #if !INSIDE_CORLIB
39 using System.Net;
40 #endif
41
42 using Mono.Security.X509.Extensions;
43
44 namespace Mono.Security.X509 {
45
46 #if INSIDE_CORLIB
47 internal
48 #else
49 public
50 #endif
51 class X509Chain {
52
53 private X509CertificateCollection roots;
54 private X509CertificateCollection certs;
55 private X509Certificate _root;
56
57 private X509CertificateCollection _chain;
58 private X509ChainStatusFlags _status;
59
60 // constructors
61
62 public X509Chain ()
63 {
64 certs = new X509CertificateCollection ();
65 }
66
67 // get a pre-builded chain
68 public X509Chain (X509CertificateCollection chain) : this ()
69 {
70 _chain = new X509CertificateCollection ();
71 _chain.AddRange (chain);
72 }
73
74 // properties
75
76 public X509CertificateCollection Chain {
77 get { return _chain; }
78 }
79
80 // the root of the specified certificate (may not be trusted!)
81 public X509Certificate Root {
82 get { return _root; }
83 }
84
85 public X509ChainStatusFlags Status {
86 get { return _status; }
87 }
88
89 public X509CertificateCollection TrustAnchors {
90 get {
91 if (roots == null) {
92 roots = new X509CertificateCollection ();
93 roots.AddRange (X509StoreManager.TrustedRootCertificates);
94 return roots;
95 }
96 return roots;
97 }
98 [SecurityPermission (SecurityAction.Demand, Flags=SecurityPermissionFlag.ControlPolicy)]
99 set { roots = value; }
100 }
101
102 // methods
103
104 public void LoadCertificate (X509Certificate x509)
105 {
106 certs.Add (x509);
107 }
108
109 public void LoadCertificates (X509CertificateCollection collection)
110 {
111 certs.AddRange (collection);
112 }
113
114 public X509Certificate FindByIssuerName (string issuerName)
115 {
116 foreach (X509Certificate x in certs) {
117 if (x.IssuerName == issuerName)
118 return x;
119 }
120 return null;
121 }
122
123 public bool Build (X509Certificate leaf)
124 {
125 _status = X509ChainStatusFlags.NoError;
126 if (_chain == null) {
127 // chain not supplied - we must build it ourselve
128 _chain = new X509CertificateCollection ();
129 X509Certificate x = leaf;
130 X509Certificate tmp = x;
131 while ((x != null) && (!x.IsSelfSigned)) {
132 tmp = x; // last valid
133 _chain.Add (x);
134 x = FindCertificateParent (x);
135 }
136 // find a trusted root
137 _root = FindCertificateRoot (tmp);
138 }
139 else {
140 // chain supplied - still have to check signatures!
141 int last = _chain.Count;
142 if (last > 0) {
143 if (IsParent (leaf, _chain [0])) {
144 int i = 1;
145 for (; i < last; i++) {
146 if (!IsParent (_chain [i-1], _chain [i]))
147 break;
148 }
149 if (i == last)
150 _root = FindCertificateRoot (_chain [last - 1]);
151 }
152 }
153 else {
154 // is the leaf a root ? (trusted or untrusted)
155 _root = FindCertificateRoot (leaf);
156 }
157 }
158
159 // validate the chain
160 if ((_chain != null) && (_status == X509ChainStatusFlags.NoError)) {
161 foreach (X509Certificate x in _chain) {
162 // validate dates for each certificate in the chain
163 // note: we DO NOT check for nested date/time
164 if (!IsValid (x)) {
165 return false;
166 }
167 }
168 // check leaf
169 if (!IsValid (leaf)) {
170 // switch status code if the failure is expiration
171 if (_status == X509ChainStatusFlags.NotTimeNested)
172 _status = X509ChainStatusFlags.NotTimeValid;
173 return false;
174 }
175 // check root
176 if ((_root != null) && !IsValid (_root)) {
177 return false;
178 }
179 }
180 return (_status == X509ChainStatusFlags.NoError);
181 }
182
183 //
184
185 public void Reset ()
186 {
187 _status = X509ChainStatusFlags.NoError;
188 roots = null; // this force a reload
189 certs.Clear ();
190 if (_chain != null)
191 _chain.Clear ();
192 }
193
194 // private stuff
195
196 private bool IsValid (X509Certificate cert)
197 {
198 if (!cert.IsCurrent) {
199 // FIXME: nesting isn't very well implemented
200 _status = X509ChainStatusFlags.NotTimeNested;
201 return false;
202 }
203
204 // TODO - we should check for CRITICAL but unknown extensions
205 // X509ChainStatusFlags.InvalidExtension
206 #if (!NET_1_0 && !INSIDE_CORLIB)
207 if (ServicePointManager.CheckCertificateRevocationList) {
208 // TODO - check revocation (CRL, OCSP ...)
209 // X509ChainStatusFlags.RevocationStatusUnknown
210 // X509ChainStatusFlags.Revoked
211 }
212 #endif
213 return true;
214 }
215
216 private X509Certificate FindCertificateParent (X509Certificate child)
217 {
218 foreach (X509Certificate potentialParent in certs) {
219 if (IsParent (child, potentialParent))
220 return potentialParent;
221 }
222 return null;
223 }
224
225 private X509Certificate FindCertificateRoot (X509Certificate potentialRoot)
226 {
227 if (potentialRoot == null) {
228 _status = X509ChainStatusFlags.PartialChain;
229 return null;
230 }
231
232 // if the trusted root is in the chain
233 if (IsTrusted (potentialRoot)) {
234 return potentialRoot;
235 }
236
237 // if the root isn't in the chain
238 foreach (X509Certificate root in TrustAnchors) {
239 if (IsParent (potentialRoot, root)) {
240 return root;
241 }
242 }
243
244 // is it a (untrusted) root ?
245 if (potentialRoot.IsSelfSigned) {
246 _status = X509ChainStatusFlags.UntrustedRoot;
247 return potentialRoot;
248 }
249
250 _status = X509ChainStatusFlags.PartialChain;
251 return null;
252 }
253
254 private bool IsTrusted (X509Certificate potentialTrusted)
255 {
256 return TrustAnchors.Contains (potentialTrusted);
257 }
258
259 private bool IsParent (X509Certificate child, X509Certificate parent)
260 {
261 if (child.IssuerName != parent.SubjectName)
262 return false;
263
264 // parent MUST have the Basic Constraint CA=true (except for trusted roots)
265 // see why at http://www.microsoft.com/technet/security/bulletin/MS02-050.asp
266 if ((parent.Version > 2) && (!IsTrusted (parent))) {
267 // TODO: we do not support pathLenConstraint
268 X509Extension ext = parent.Extensions ["2.5.29.19"];
269 if (ext != null) {
270 BasicConstraintsExtension bc = new BasicConstraintsExtension (ext);
271 if (!bc.CertificateAuthority)
272 _status = X509ChainStatusFlags.InvalidBasicConstraints;
273 }
274 else
275 _status = X509ChainStatusFlags.InvalidBasicConstraints;
276 }
277
278 if (!child.VerifySignature (parent.RSA)) {
279 _status = X509ChainStatusFlags.NotSignatureValid;
280 return false;
281 }
282 return true;
283 }
284 }
285 }
git-svn mirror of mcs