mcs/class/Mono.Security/Mono.Security.X509/X509Chain.cs

   1 //
   2 // X509Chain.cs: X.509 Certificate Path
   3 //      This is a VERY simplified and minimal version
   4 //      used for
   5 //              Authenticode support
   6 //              TLS/SSL support
   7 //
   8 // Author:
   9 //      Sebastien Pouliot  <sebastien@ximian.com>
  10 //
  11 // (C) 2003 Motus Technologies Inc. (http://www.motus.com)
  12 // Copyright (C) 2004 Novell, Inc (http://www.novell.com)
  13 //
  14 // Permission is hereby granted, free of charge, to any person obtaining
  15 // a copy of this software and associated documentation files (the
  16 // "Software"), to deal in the Software without restriction, including
  17 // without limitation the rights to use, copy, modify, merge, publish,
  18 // distribute, sublicense, and/or sell copies of the Software, and to
  19 // permit persons to whom the Software is furnished to do so, subject to
  20 // the following conditions:
  21 //
  22 // The above copyright notice and this permission notice shall be
  23 // included in all copies or substantial portions of the Software.
  24 //
  25 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
  26 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
  27 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
  28 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
  29 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
  30 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
  31 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  32 //
  33
  34 using System;
  35 using System.Security;
  36 using System.Security.Permissions;
  37
  38 #if !INSIDE_CORLIB
  39 using System.Net;
  40 #endif
  41
  42 using Mono.Security.X509.Extensions;
  43
  44 namespace Mono.Security.X509 {
  45
  46 #if INSIDE_CORLIB
  47         internal
  48 #else
  49         public
  50 #endif
  51         class X509Chain {
  52
  53                 private X509CertificateCollection roots;
  54                 private X509CertificateCollection certs;
  55                 private X509Certificate _root;
  56
  57                 private X509CertificateCollection _chain;
  58                 private X509ChainStatusFlags _status;
  59
  60                 // constructors
  61
  62                 public X509Chain ()
  63                 {
  64                         certs = new X509CertificateCollection ();
  65                 }
  66
  67                 // get a pre-builded chain
  68                 public X509Chain (X509CertificateCollection chain) : this ()
  69                 {
  70                         _chain = new X509CertificateCollection ();
  71                         _chain.AddRange (chain);
  72                 }
  73
  74                 // properties
  75
  76                 public X509CertificateCollection Chain {
  77                         get { return _chain; }
  78                 }
  79
  80                 // the root of the specified certificate (may not be trusted!)
  81                 public X509Certificate Root {
  82                         get { return _root; }
  83                 }
  84
  85                 public X509ChainStatusFlags Status {
  86                         get { return _status; }
  87                 }
  88
  89                 public X509CertificateCollection TrustAnchors {
  90                         get {
  91                                 if (roots == null) {
  92                                         roots = new X509CertificateCollection ();
  93                                         roots.AddRange (X509StoreManager.TrustedRootCertificates);
  94                                         return roots;
  95                                 }
  96                                 return roots;
  97                         }
  98                         [SecurityPermission (SecurityAction.Demand, Flags=SecurityPermissionFlag.ControlPolicy)]
  99                         set { roots = value; }
 100                 }
 101
 102                 // methods
 103
 104                 public void LoadCertificate (X509Certificate x509)
 105                 {
 106                         certs.Add (x509);
 107                 }
 108
 109                 public void LoadCertificates (X509CertificateCollection collection)
 110                 {
 111                         certs.AddRange (collection);
 112                 }
 113
 114                 public X509Certificate FindByIssuerName (string issuerName)
 115                 {
 116                         foreach (X509Certificate x in certs) {
 117                                 if (x.IssuerName == issuerName)
 118                                         return x;
 119                         }
 120                         return null;
 121                 }
 122
 123                 public bool Build (X509Certificate leaf)
 124                 {
 125                         _status = X509ChainStatusFlags.NoError;
 126                         if (_chain == null) {
 127                                 // chain not supplied - we must build it ourselve
 128                                 _chain = new X509CertificateCollection ();
 129                                 X509Certificate x = leaf;
 130                                 X509Certificate tmp = x;
 131                                 while ((x != null) && (!x.IsSelfSigned)) {
 132                                         tmp = FindCertificateParent (x);
 133                                         if (x != null) {
 134                                                 _chain.Add (x);
 135                                                 x = tmp;        // last valid
 136                                         }
 137                                 }
 138                                 // find a trusted root
 139                                 _root = FindCertificateRoot (tmp);
 140                         }
 141                         else {
 142                                 // chain supplied - still have to check signatures!
 143                                 int last = _chain.Count;
 144                                 if (last > 0) {
 145                                         if (IsParent (leaf, _chain [0])) {
 146                                                 int i = 1;
 147                                                 for (; i < last; i++) {
 148                                                         if (!IsParent (_chain [i-1], _chain [i]))
 149                                                                 break;
 150                                                 }
 151                                                 if (i == last)
 152                                                         _root = FindCertificateRoot (_chain [last - 1]);
 153                                         }
 154                                 }
 155                                 else {
 156                                         // is the leaf a root ? (trusted or untrusted)
 157                                         _root = FindCertificateRoot (leaf);
 158                                 }
 159                         }
 160
 161                         // validate the chain
 162                         if ((_chain != null) && (_status == X509ChainStatusFlags.NoError)) {
 163                                 foreach (X509Certificate x in _chain) {
 164                                         // validate dates for each certificate in the chain
 165                                         // note: we DO NOT check for nested date/time
 166                                         if (!IsValid (x)) {
 167                                                 return false;
 168                                         }
 169                                 }
 170                                 // check leaf
 171                                 if (!IsValid (leaf)) {
 172                                         // switch status code if the failure is expiration
 173                                         if (_status == X509ChainStatusFlags.NotTimeNested)
 174                                                 _status = X509ChainStatusFlags.NotTimeValid;
 175                                         return false;
 176                                 }
 177                                 // check root
 178                                 if ((_root != null) && !IsValid (_root)) {
 179                                         return false;
 180                                 }
 181                         }
 182                         return (_status == X509ChainStatusFlags.NoError);
 183                 }
 184
 185                 //
 186
 187                 public void Reset ()
 188                 {
 189                         _status = X509ChainStatusFlags.NoError;
 190                         roots = null; // this force a reload
 191                         certs.Clear ();
 192                         if (_chain != null)
 193                                 _chain.Clear ();
 194                 }
 195
 196                 // private stuff
 197
 198                 private bool IsValid (X509Certificate cert)
 199                 {
 200                         if (!cert.IsCurrent) {
 201                                 // FIXME: nesting isn't very well implemented
 202                                 _status = X509ChainStatusFlags.NotTimeNested;
 203                                 return false;
 204                         }
 205
 206                         // TODO - we should check for CRITICAL but unknown extensions
 207                         // X509ChainStatusFlags.InvalidExtension
 208 #if (!NET_1_0 && !INSIDE_CORLIB)
 209                         if (ServicePointManager.CheckCertificateRevocationList) {
 210                                 // TODO - check revocation (CRL, OCSP ...)
 211                                 // X509ChainStatusFlags.RevocationStatusUnknown
 212                                 // X509ChainStatusFlags.Revoked
 213                         }
 214 #endif
 215                         return true;
 216                 }
 217
 218                 private X509Certificate FindCertificateParent (X509Certificate child)
 219                 {
 220                         foreach (X509Certificate potentialParent in certs) {
 221                                 if (IsParent (child, potentialParent))
 222                                         return potentialParent;
 223                         }
 224                         return null;
 225                 }
 226
 227                 private X509Certificate FindCertificateRoot (X509Certificate potentialRoot)
 228                 {
 229                         if (potentialRoot == null) {
 230                                 _status = X509ChainStatusFlags.PartialChain;
 231                                 return null;
 232                         }
 233
 234                         // if the trusted root is in the chain
 235                         if (IsTrusted (potentialRoot)) {
 236                                 return potentialRoot;
 237                         }
 238
 239                         // if the root isn't in the chain
 240                         foreach (X509Certificate root in TrustAnchors) {
 241                                 if (IsParent (potentialRoot, root)) {
 242                                         return root;
 243                                 }
 244                         }
 245
 246                         // is it a (untrusted) root ?
 247                         if (potentialRoot.IsSelfSigned) {
 248                                 _status = X509ChainStatusFlags.UntrustedRoot;
 249                                 return potentialRoot;
 250                         }
 251
 252                         _status = X509ChainStatusFlags.PartialChain;
 253                         return null;
 254                 }
 255
 256                 private bool IsTrusted (X509Certificate potentialTrusted)
 257                 {
 258                         return TrustAnchors.Contains (potentialTrusted);
 259                 }
 260
 261                 private bool IsParent (X509Certificate child, X509Certificate parent)
 262                 {
 263                         if (child.IssuerName != parent.SubjectName)
 264                                 return false;
 265
 266                         // parent MUST have the Basic Constraint CA=true (except for trusted roots)
 267                         // see why at http://www.microsoft.com/technet/security/bulletin/MS02-050.asp
 268                         if ((parent.Version > 2) && (!IsTrusted (parent))) {
 269                                 // TODO: we do not support pathLenConstraint
 270                                 X509Extension ext = parent.Extensions ["2.5.29.19"];
 271                                 if (ext != null) {
 272                                         BasicConstraintsExtension bc = new BasicConstraintsExtension (ext);
 273                                         if (!bc.CertificateAuthority)
 274                                                 _status = X509ChainStatusFlags.InvalidBasicConstraints;
 275                                 }
 276                                 else
 277                                         _status = X509ChainStatusFlags.InvalidBasicConstraints;
 278                         }
 279
 280                         if (!child.VerifySignature (parent.RSA)) {
 281                                 _status = X509ChainStatusFlags.NotSignatureValid;
 282                                 return false;
 283                         }
 284                         return true;
 285                 }
 286         }
 287 }