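/// <summary>
/// RFC 3280 section 6.1.3 steps (b) and (c): checks the subject of the
/// certificate at <paramref name="index"/> against the permitted and excluded
/// name subtrees accumulated so far in <paramref name="nameConstraintValidator"/>.
/// </summary>
/// <remarks>
/// Three name sources are checked, in this order: the subject DN as a whole,
/// each <c>emailAddress</c> attribute of the subject DN (treated as an
/// rfc822Name), and every name in the subject alternative name extension.
/// The validator is only consulted here, never updated.
/// </remarks>
/// <param name="certPath">Path under validation; supplies the certificate list and decorates any exception thrown.</param>
/// <param name="index">Position of the certificate to check within <c>certPath.Certificates</c>.</param>
/// <param name="nameConstraintValidator">Permitted/excluded subtrees collected from the preceding CA certificates.</param>
/// <exception cref="PkixCertPathValidatorException">
/// Thrown when the subject name or the subject alternative name extension cannot be
/// decoded, or when any checked name violates the permitted/excluded subtrees.
/// </exception>
internal static void ProcessCertBC(
    PkixCertPath certPath,
    int index,
    PkixNameConstraintValidator nameConstraintValidator)
{
    IList certs = certPath.Certificates;
    X509Certificate cert = (X509Certificate)certs[index];
    int n = certs.Count;

    // i as defined in the algorithm description (RFC 3280 6.1.3): the RFC numbers
    // certificates 1..n in processing order, the opposite direction to the
    // certPath.Certificates index, hence i = n - index.
    int i = n - index;

    // (b), (c): the subtree checks are skipped only for a self-issued certificate
    // that is not the final one in the path (i == n is never skipped).
    if (PkixCertPathValidatorUtilities.IsSelfIssued(cert) && i < n)
        return;

    X509Name principal = cert.SubjectDN;
    Asn1Sequence dns;
    try
    {
        // Re-parse the DER encoding of the subject so the validator sees the exact
        // on-the-wire structure; the stream is disposed once the sequence is read.
        using (Asn1InputStream aIn = new Asn1InputStream(principal.GetEncoded()))
        {
            dns = DerSequence.GetInstance(aIn.ReadObject());
        }
    }
    catch (Exception e)
    {
        throw new PkixCertPathValidatorException(
            "Exception extracting subject name when checking subtrees.", e, certPath, index);
    }

    try
    {
        nameConstraintValidator.CheckPermittedDN(dns);
        nameConstraintValidator.CheckExcludedDN(dns);
    }
    catch (PkixNameConstraintValidatorException e)
    {
        throw new PkixCertPathValidatorException(
            "Subtree check for certificate subject failed.", e, certPath, index);
    }

    // Decoded up front so a malformed extension is reported before any name check;
    // presumably stays null when the certificate has no subjectAltName extension.
    GeneralNames altName = null;
    try
    {
        altName = GeneralNames.GetInstance(
            PkixCertPathValidatorUtilities.GetExtensionValue(cert, X509Extensions.SubjectAlternativeName));
    }
    catch (Exception e)
    {
        throw new PkixCertPathValidatorException(
            "Subject alternative name extension could not be decoded.", e, certPath, index);
    }

    // RFC 3280 4.2.1.11: rfc822Name constraints also apply to emailAddress
    // attributes in the subject DN. This is done unconditionally here, i.e. even
    // when a subjectAltName extension is present, which is stricter than the RFC's
    // "no SAN present" wording but never accepts a name the RFC would reject.
    IList emails = X509Name.GetInstance(dns).GetValueList(X509Name.EmailAddress);
    foreach (string email in emails)
    {
        GeneralName emailAsGeneralName = new GeneralName(GeneralName.Rfc822Name, email);
        try
        {
            nameConstraintValidator.checkPermitted(emailAsGeneralName);
            nameConstraintValidator.checkExcluded(emailAsGeneralName);
        }
        catch (PkixNameConstraintValidatorException ex)
        {
            throw new PkixCertPathValidatorException(
                "Subtree check for certificate subject alternative email failed.", ex, certPath, index);
        }
    }

    if (altName == null)
        return;

    GeneralName[] genNames;
    try
    {
        genNames = altName.GetNames();
    }
    catch (Exception e)
    {
        throw new PkixCertPathValidatorException(
            "Subject alternative name contents could not be decoded.", e, certPath, index);
    }

    // Every SAN entry, whatever its name form, must lie inside the permitted
    // subtrees and outside the excluded ones.
    foreach (GeneralName genName in genNames)
    {
        try
        {
            nameConstraintValidator.checkPermitted(genName);
            nameConstraintValidator.checkExcluded(genName);
        }
        catch (PkixNameConstraintValidatorException e)
        {
            throw new PkixCertPathValidatorException(
                "Subtree check for certificate subject alternative name failed.", e, certPath, index);
        }
    }
}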