mcs/class/Mono.Security/Mono.Security.X509/X509Chain.cs

   1 //
   2 // X509Chain.cs: X.509 Certificate Path
   3 //      This is a VERY simplified and minimal version
   4 //      used for
   5 //              Authenticode support
   6 //              TLS/SSL support
   7 //
   8 // Author:
   9 //      Sebastien Pouliot  <sebastien@ximian.com>
  10 //
  11 // (C) 2003 Motus Technologies Inc. (http://www.motus.com)
  12 // Copyright (C) 2004 Novell, Inc (http://www.novell.com)
  13 //
  14 // Permission is hereby granted, free of charge, to any person obtaining
  15 // a copy of this software and associated documentation files (the
  16 // "Software"), to deal in the Software without restriction, including
  17 // without limitation the rights to use, copy, modify, merge, publish,
  18 // distribute, sublicense, and/or sell copies of the Software, and to
  19 // permit persons to whom the Software is furnished to do so, subject to
  20 // the following conditions:
  21 //
  22 // The above copyright notice and this permission notice shall be
  23 // included in all copies or substantial portions of the Software.
  24 //
  25 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
  26 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
  27 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
  28 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
  29 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
  30 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
  31 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  32 //
  33
  34 using System;
  35 using System.Security;
  36 using System.Security.Permissions;
  37
  38 #if !INSIDE_CORLIB
  39 using System.Net;
  40 #endif
  41
  42 using Mono.Security.X509.Extensions;
  43
  44 namespace Mono.Security.X509 {
  45
  46 #if INSIDE_CORLIB
  47         internal
  48 #else
  49         public
  50 #endif
  51         class X509Chain {
  52
  53                 private X509CertificateCollection roots;
  54                 private X509CertificateCollection certs;
  55                 private X509Certificate _root;
  56
  57                 private X509CertificateCollection _chain;
  58                 private X509ChainStatusFlags _status;
  59
  60                 // constructors
  61
  62                 public X509Chain ()
  63                 {
  64                         certs = new X509CertificateCollection ();
  65                 }
  66
  67                 // get a pre-builded chain
  68                 public X509Chain (X509CertificateCollection chain) : this ()
  69                 {
  70                         _chain = new X509CertificateCollection ();
  71                         _chain.AddRange (chain);
  72                 }
  73
  74                 // properties
  75
  76                 public X509CertificateCollection Chain {
  77                         get { return _chain; }
  78                 }
  79
  80                 // the root of the specified certificate (may not be trusted!)
  81                 public X509Certificate Root {
  82                         get { return _root; }
  83                 }
  84
  85                 public X509ChainStatusFlags Status {
  86                         get { return _status; }
  87                 }
  88
  89                 public X509CertificateCollection TrustAnchors {
  90                         get {
  91                                 if (roots == null) {
  92                                         roots = new X509CertificateCollection ();
  93                                         roots.AddRange (X509StoreManager.TrustedRootCertificates);
  94                                         return roots;
  95                                 }
  96                                 return roots;
  97                         }
  98                         [SecurityPermission (SecurityAction.Demand, Flags=SecurityPermissionFlag.ControlPolicy)]
  99                         set { roots = value; }
 100                 }
 101
 102                 // methods
 103
 104                 public void LoadCertificate (X509Certificate x509)
 105                 {
 106                         certs.Add (x509);
 107                 }
 108
 109                 public void LoadCertificates (X509CertificateCollection collection)
 110                 {
 111                         certs.AddRange (collection);
 112                 }
 113
 114                 public X509Certificate FindByIssuerName (string issuerName)
 115                 {
 116                         foreach (X509Certificate x in certs) {
 117                                 if (x.IssuerName == issuerName)
 118                                         return x;
 119                         }
 120                         return null;
 121                 }
 122
 123                 public bool Build (X509Certificate leaf)
 124                 {
 125                         _status = X509ChainStatusFlags.NoError;
 126                         if (_chain == null) {
 127                                 // chain not supplied - we must build it ourselve
 128                                 _chain = new X509CertificateCollection ();
 129                                 X509Certificate x = leaf;
 130                                 X509Certificate tmp = x;
 131                                 while ((x != null) && (!x.IsSelfSigned)) {
 132                                         tmp = x; // last valid
 133                                         _chain.Add (x);
 134                                         x = FindCertificateParent (x);
 135                                 }
 136                                 // find a trusted root
 137                                 _root = FindCertificateRoot (tmp);
 138                         }
 139                         else {
 140                                 // chain supplied - still have to check signatures!
 141                                 int last = _chain.Count;
 142                                 if (last > 0) {
 143                                         if (IsParent (leaf, _chain [0])) {
 144                                                 int i = 1;
 145                                                 for (; i < last; i++) {
 146                                                         if (!IsParent (_chain [i-1], _chain [i]))
 147                                                                 break;
 148                                                 }
 149                                                 if (i == last)
 150                                                         _root = FindCertificateRoot (_chain [last - 1]);
 151                                         }
 152                                 }
 153                                 else {
 154                                         // is the leaf a root ? (trusted or untrusted)
 155                                         _root = FindCertificateRoot (leaf);
 156                                 }
 157                         }
 158
 159                         // validate the chain
 160                         if ((_chain != null) && (_status == X509ChainStatusFlags.NoError)) {
 161                                 foreach (X509Certificate x in _chain) {
 162                                         // validate dates for each certificate in the chain
 163                                         // note: we DO NOT check for nested date/time
 164                                         if (!IsValid (x)) {
 165                                                 return false;
 166                                         }
 167                                 }
 168                                 // check leaf
 169                                 if (!IsValid (leaf)) {
 170                                         // switch status code if the failure is expiration
 171                                         if (_status == X509ChainStatusFlags.NotTimeNested)
 172                                                 _status = X509ChainStatusFlags.NotTimeValid;
 173                                         return false;
 174                                 }
 175                                 // check root
 176                                 if ((_root != null) && !IsValid (_root)) {
 177                                         return false;
 178                                 }
 179                         }
 180                         return (_status == X509ChainStatusFlags.NoError);
 181                 }
 182
 183                 //
 184
 185                 public void Reset ()
 186                 {
 187                         _status = X509ChainStatusFlags.NoError;
 188                         roots = null; // this force a reload
 189                         certs.Clear ();
 190                         if (_chain != null)
 191                                 _chain.Clear ();
 192                 }
 193
 194                 // private stuff
 195
 196                 private bool IsValid (X509Certificate cert)
 197                 {
 198                         if (!cert.IsCurrent) {
 199                                 // FIXME: nesting isn't very well implemented
 200                                 _status = X509ChainStatusFlags.NotTimeNested;
 201                                 return false;
 202                         }
 203
 204                         // TODO - we should check for CRITICAL but unknown extensions
 205                         // X509ChainStatusFlags.InvalidExtension
 206 #if (!NET_1_0 && !INSIDE_CORLIB)
 207                         if (ServicePointManager.CheckCertificateRevocationList) {
 208                                 // TODO - check revocation (CRL, OCSP ...)
 209                                 // X509ChainStatusFlags.RevocationStatusUnknown
 210                                 // X509ChainStatusFlags.Revoked
 211                         }
 212 #endif
 213                         return true;
 214                 }
 215
 216                 private X509Certificate FindCertificateParent (X509Certificate child)
 217                 {
 218                         foreach (X509Certificate potentialParent in certs) {
 219                                 if (IsParent (child, potentialParent))
 220                                         return potentialParent;
 221                         }
 222                         return null;
 223                 }
 224
 225                 private X509Certificate FindCertificateRoot (X509Certificate potentialRoot)
 226                 {
 227                         if (potentialRoot == null) {
 228                                 _status = X509ChainStatusFlags.PartialChain;
 229                                 return null;
 230                         }
 231
 232                         // if the trusted root is in the chain
 233                         if (IsTrusted (potentialRoot)) {
 234                                 return potentialRoot;
 235                         }
 236
 237                         // if the root isn't in the chain
 238                         foreach (X509Certificate root in TrustAnchors) {
 239                                 if (IsParent (potentialRoot, root)) {
 240                                         return root;
 241                                 }
 242                         }
 243
 244                         // is it a (untrusted) root ?
 245                         if (potentialRoot.IsSelfSigned) {
 246                                 _status = X509ChainStatusFlags.UntrustedRoot;
 247                                 return potentialRoot;
 248                         }
 249
 250                         _status = X509ChainStatusFlags.PartialChain;
 251                         return null;
 252                 }
 253
 254                 private bool IsTrusted (X509Certificate potentialTrusted)
 255                 {
 256                         return TrustAnchors.Contains (potentialTrusted);
 257                 }
 258
 259                 private bool IsParent (X509Certificate child, X509Certificate parent)
 260                 {
 261                         if (child.IssuerName != parent.SubjectName)
 262                                 return false;
 263
 264                         // parent MUST have the Basic Constraint CA=true (except for trusted roots)
 265                         // see why at http://www.microsoft.com/technet/security/bulletin/MS02-050.asp
 266                         if ((parent.Version > 2) && (!IsTrusted (parent))) {
 267                                 // TODO: we do not support pathLenConstraint
 268                                 X509Extension ext = parent.Extensions ["2.5.29.19"];
 269                                 if (ext != null) {
 270                                         BasicConstraintsExtension bc = new BasicConstraintsExtension (ext);
 271                                         if (!bc.CertificateAuthority)
 272                                                 _status = X509ChainStatusFlags.InvalidBasicConstraints;
 273                                 }
 274                                 else
 275                                         _status = X509ChainStatusFlags.InvalidBasicConstraints;
 276                         }
 277
 278                         if (!child.VerifySignature (parent.RSA)) {
 279                                 _status = X509ChainStatusFlags.NotSignatureValid;
 280                                 return false;
 281                         }
 282                         return true;
 283                 }
 284         }
 285 }