private PkixCertPathValidatorResult DoTest(
string trustAnchor,
string[] certs,
string[] crls,
ISet policies)
{
ISet trustedSet = new HashSet();
trustedSet.Add(GetTrustAnchor(trustAnchor));
IList x509Certs = new ArrayList();
IList x509Crls = new ArrayList();
X509Certificate endCert = LoadCert(certs[certs.Length - 1]);
for (int i = 0; i != certs.Length - 1; i++)
{
x509Certs.Add(LoadCert(certs[i]));
}
x509Certs.Add(endCert);
PkixCertPath certPath = new PkixCertPath(x509Certs);
for (int i = 0; i != crls.Length; i++)
{
x509Crls.Add(LoadCrl(crls[i]));
}
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(x509Certs));
IX509Store x509CrlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(x509Crls));
// CertPathValidator validator = CertPathValidator.GetInstance("PKIX");
PkixCertPathValidator validator = new PkixCertPathValidator();
PkixParameters parameters = new PkixParameters(trustedSet);
parameters.AddStore(x509CertStore);
parameters.AddStore(x509CrlStore);
parameters.IsRevocationEnabled = true;
if (policies != null)
{
parameters.IsExplicitPolicyRequired = true;
parameters.SetInitialPolicies(policies);
}
// Perform validation as of this date since test certs expired
parameters.Date = new DateTimeObject(DateTime.Parse("1/1/2011"));
return(validator.Validate(certPath, parameters));
}
internal static PkixCertPathValidatorResult ProcessAttrCert2(PkixCertPath certPath, PkixParameters pkixParams)
{
PkixCertPathValidator pkixCertPathValidator = new PkixCertPathValidator();
try
{
return(pkixCertPathValidator.Validate(certPath, pkixParams));
}
catch (PkixCertPathValidatorException cause)
{
throw new PkixCertPathValidatorException("Certification path for issuer certificate of attribute certificate could not be validated.", cause);
}
}
/// <summary>
///
/// </summary>
/// <param name="certificateChain"></param>
/// <exception cref="PkixCertPathValidatorException"></exception>
/// <exception cref="CryptographicException"></exception>
public SigningCertificate(string certificateChain)
{
StringReader stringReader = new StringReader(certificateChain);
PemReader pemReader = new PemReader(stringReader);
List <X509Certificate> certificates = new List <X509Certificate>();
X509Certificate certificate;
while ((certificate = (X509Certificate)pemReader.ReadObject()) != null)
{
certificates.Add(certificate);
}
path = new PkixCertPath(certificates);
Org.BouncyCastle.Utilities.Collections.ISet trustAnchors = new Org.BouncyCastle.Utilities.Collections.HashSet(new TrustAnchor[] { new TrustAnchor(certificates.Last(), null) });
PkixParameters pkixParameters = new PkixParameters(trustAnchors);
pkixParameters.IsRevocationEnabled = false;
PkixCertPathValidator certPathValidator = new PkixCertPathValidator();
certPathValidator.Validate(path, pkixParameters);
VerifyDistinguishedName(path);
}
public override void PerformTest()
{
X509CertificateParser certParser = new X509CertificateParser();
X509CrlParser crlParser = new X509CrlParser();
// initialise CertStore
X509Certificate rootCert = certParser.ReadCertificate(CertPathTest.rootCertBin);
X509Certificate interCert = certParser.ReadCertificate(CertPathTest.interCertBin);
X509Certificate finalCert = certParser.ReadCertificate(CertPathTest.finalCertBin);
X509Crl rootCrl = crlParser.ReadCrl(CertPathTest.rootCrlBin);
X509Crl interCrl = crlParser.ReadCrl(CertPathTest.interCrlBin);
IList x509Certs = new ArrayList();
x509Certs.Add(rootCert);
x509Certs.Add(interCert);
x509Certs.Add(finalCert);
IList x509Crls = new ArrayList();
x509Crls.Add(rootCrl);
x509Crls.Add(interCrl);
// CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list);
// CertStore store = CertStore.GetInstance("Collection", ccsp);
// X509CollectionStoreParameters ccsp = new X509CollectionStoreParameters(list);
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(x509Certs));
IX509Store x509CrlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(x509Crls));
// NB: Month is 1-based in .NET
//DateTime validDate = new DateTime(2008,9,4,14,49,10).ToUniversalTime();
DateTime validDate = new DateTime(2008, 9, 4, 5, 49, 10);
//validating path
IList certchain = new ArrayList();
certchain.Add(finalCert);
certchain.Add(interCert);
// CertPath cp = CertificateFactory.GetInstance("X.509").GenerateCertPath(certchain);
PkixCertPath cp = new PkixCertPath(certchain);
ISet trust = new HashSet();
trust.Add(new TrustAnchor(rootCert, null));
// CertPathValidator cpv = CertPathValidator.GetInstance("PKIX");
PkixCertPathValidator cpv = new PkixCertPathValidator();
PkixParameters param = new PkixParameters(trust);
param.AddStore(x509CertStore);
param.AddStore(x509CrlStore);
param.Date = new DateTimeObject(validDate);
MyChecker checker = new MyChecker();
param.AddCertPathChecker(checker);
PkixCertPathValidatorResult result = (PkixCertPathValidatorResult)cpv.Validate(cp, param);
PkixPolicyNode policyTree = result.PolicyTree;
AsymmetricKeyParameter subjectPublicKey = result.SubjectPublicKey;
if (checker.GetCount() != 2)
{
Fail("checker not evaluated for each certificate");
}
if (!subjectPublicKey.Equals(finalCert.GetPublicKey()))
{
Fail("wrong public key returned");
}
IsTrue(result.TrustAnchor.TrustedCert.Equals(rootCert));
// try a path with trust anchor included.
certchain.Clear();
certchain.Add(finalCert);
certchain.Add(interCert);
certchain.Add(rootCert);
cp = new PkixCertPath(certchain);
cpv = new PkixCertPathValidator();
param = new PkixParameters(trust);
param.AddStore(x509CertStore);
param.AddStore(x509CrlStore);
param.Date = new DateTimeObject(validDate);
checker = new MyChecker();
param.AddCertPathChecker(checker);
result = (PkixCertPathValidatorResult)cpv.Validate(cp, param);
IsTrue(result.TrustAnchor.TrustedCert.Equals(rootCert));
//
// invalid path containing a valid one test
//
try
{
// initialise CertStore
rootCert = certParser.ReadCertificate(AC_RAIZ_ICPBRASIL);
interCert = certParser.ReadCertificate(AC_PR);
finalCert = certParser.ReadCertificate(schefer);
x509Certs = new ArrayList();
x509Certs.Add(rootCert);
x509Certs.Add(interCert);
x509Certs.Add(finalCert);
// ccsp = new CollectionCertStoreParameters(list);
// store = CertStore.GetInstance("Collection", ccsp);
// ccsp = new X509CollectionStoreParameters(list);
x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(x509Certs));
// NB: Month is 1-based in .NET
//validDate = new DateTime(2004,3,21,2,21,10).ToUniversalTime();
validDate = new DateTime(2004, 3, 20, 19, 21, 10);
//validating path
certchain = new ArrayList();
certchain.Add(finalCert);
certchain.Add(interCert);
// cp = CertificateFactory.GetInstance("X.509").GenerateCertPath(certchain);
cp = new PkixCertPath(certchain);
trust = new HashSet();
trust.Add(new TrustAnchor(rootCert, null));
// cpv = CertPathValidator.GetInstance("PKIX");
cpv = new PkixCertPathValidator();
param = new PkixParameters(trust);
param.AddStore(x509CertStore);
param.IsRevocationEnabled = false;
param.Date = new DateTimeObject(validDate);
result = (PkixCertPathValidatorResult)cpv.Validate(cp, param);
policyTree = result.PolicyTree;
subjectPublicKey = result.SubjectPublicKey;
Fail("Invalid path validated");
}
catch (Exception e)
{
if (e is PkixCertPathValidatorException &&
e.Message.StartsWith("Could not validate certificate signature."))
{
return;
}
Fail("unexpected exception", e);
}
}
protected virtual PkixCertPathBuilderResult Build(X509Certificate tbvCert, PkixBuilderParameters pkixParams, IList tbvPath)
{
if (tbvPath.Contains(tbvCert))
{
return(null);
}
if (pkixParams.GetExcludedCerts().Contains(tbvCert))
{
return(null);
}
if (pkixParams.MaxPathLength != -1 && tbvPath.Count - 1 > pkixParams.MaxPathLength)
{
return(null);
}
tbvPath.Add(tbvCert);
PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
PkixCertPathValidator pkixCertPathValidator = new PkixCertPathValidator();
try
{
if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
{
PkixCertPath pkixCertPath = null;
try
{
pkixCertPath = new PkixCertPath(tbvPath);
}
catch (Exception innerException)
{
throw new Exception("Certification path could not be constructed from certificate list.", innerException);
}
PkixCertPathValidatorResult pkixCertPathValidatorResult = null;
try
{
pkixCertPathValidatorResult = pkixCertPathValidator.Validate(pkixCertPath, pkixParams);
}
catch (Exception innerException2)
{
throw new Exception("Certification path could not be validated.", innerException2);
}
return(new PkixCertPathBuilderResult(pkixCertPath, pkixCertPathValidatorResult.TrustAnchor, pkixCertPathValidatorResult.PolicyTree, pkixCertPathValidatorResult.SubjectPublicKey));
}
try
{
PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams);
}
catch (CertificateParsingException innerException3)
{
throw new Exception("No additiontal X.509 stores can be added from certificate locations.", innerException3);
}
HashSet hashSet = new HashSet();
try
{
hashSet.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
}
catch (Exception innerException4)
{
throw new Exception("Cannot find issuer certificate for certificate in certification path.", innerException4);
}
if (hashSet.IsEmpty)
{
throw new Exception("No issuer certificate for certificate in certification path found.");
}
foreach (X509Certificate item in hashSet)
{
pkixCertPathBuilderResult = Build(item, pkixParams, tbvPath);
if (pkixCertPathBuilderResult != null)
{
break;
}
}
}
catch (Exception ex)
{
Exception ex2 = certPathException = ex;
}
if (pkixCertPathBuilderResult == null)
{
tbvPath.Remove(tbvCert);
}
return(pkixCertPathBuilderResult);
}
