private void baseTest() { // CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); X509CertificateParser certParser = new X509CertificateParser(); X509CrlParser crlParser = new X509CrlParser(); // initialise CertStore X509Certificate rootCert = certParser.ReadCertificate(CertPathTest.rootCertBin); X509Certificate interCert = certParser.ReadCertificate(CertPathTest.interCertBin); X509Certificate finalCert = certParser.ReadCertificate(CertPathTest.finalCertBin); X509Crl rootCrl = crlParser.ReadCrl(CertPathTest.rootCrlBin); X509Crl interCrl = crlParser.ReadCrl(CertPathTest.interCrlBin); IList certList = new ArrayList(); certList.Add(rootCert); certList.Add(interCert); certList.Add(finalCert); IList crlList = new ArrayList(); crlList.Add(rootCrl); crlList.Add(interCrl); // CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list); // CertStore store = CertStore.getInstance("Collection", ccsp, "BC"); IX509Store x509CertStore = X509StoreFactory.Create( "Certificate/Collection", new X509CollectionStoreParameters(certList)); IX509Store x509CrlStore = X509StoreFactory.Create( "CRL/Collection", new X509CollectionStoreParameters(crlList)); // NB: Month is 1-based in .NET DateTime validDate = new DateTime(2008, 9, 4, 14, 49, 10).ToUniversalTime(); //Searching for rootCert by subjectDN without CRL ISet trust = new HashSet(); trust.Add(new TrustAnchor(rootCert, null)); // CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX","BC"); PkixCertPathBuilder cpb = new PkixCertPathBuilder(); X509CertStoreSelector targetConstraints = new X509CertStoreSelector(); targetConstraints.Subject = finalCert.SubjectDN; PkixBuilderParameters parameters = new PkixBuilderParameters(trust, targetConstraints); // parameters.addCertStore(store); parameters.AddStore(x509CertStore); parameters.AddStore(x509CrlStore); parameters.Date = new DateTimeObject(validDate); PkixCertPathBuilderResult result = cpb.Build(parameters); PkixCertPath path = result.CertPath; if (path.Certificates.Count != 2) { Fail("wrong number of certs in baseTest path"); } }
private static Boolean VerifyCertificateChain(X509Certificate cert) { if (null == cert) { log.Error("cert must Not null"); return(false); } X509Certificate rootCert = GetRootCert(); if (null == rootCert) { log.Error("rootCert must Not null"); return(false); } X509Certificate middleCert = GetMiddleCert(); if (null == middleCert) { log.Error("middleCert must Not null"); return(false); } try { X509CertStoreSelector selector = new X509CertStoreSelector(); selector.Subject = cert.SubjectDN; ISet trustAnchors = new HashSet(); trustAnchors.Add(new TrustAnchor(rootCert, null)); PkixBuilderParameters pkixParams = new PkixBuilderParameters( trustAnchors, selector); IList intermediateCerts = new ArrayList(); intermediateCerts.Add(rootCert); intermediateCerts.Add(middleCert); intermediateCerts.Add(cert); pkixParams.IsRevocationEnabled = false; IX509Store intermediateCertStore = X509StoreFactory.Create( "Certificate/Collection", new X509CollectionStoreParameters(intermediateCerts)); pkixParams.AddStore(intermediateCertStore); PkixCertPathBuilder pathBuilder = new PkixCertPathBuilder(); PkixCertPathBuilderResult result = pathBuilder.Build(pkixParams); PkixCertPath path = result.CertPath; log.Info("verify certificate chain succeed."); return(true); } catch (PkixCertPathBuilderException e) { log.Error("verify certificate chain fail.", e); } catch (Exception e) { log.Error("verify certificate chain exception: ", e); } return(false); }
private static PkixCertPathBuilderResult VerifyCertificate(X509Certificate target, Org.BouncyCastle.Utilities.Collections.HashSet trustedRootCerts, Org.BouncyCastle.Utilities.Collections.HashSet intermediateCerts) { intermediateCerts.Add(target); // Create the selector that specifies the starting certificate var selector = new X509CertStoreSelector() { Certificate = target }; // Create the trust anchors (set of root CA certificates) var trustAnchors = new Org.BouncyCastle.Utilities.Collections.HashSet(); foreach (X509Certificate trustedRootCert in trustedRootCerts) { trustAnchors.Add(new TrustAnchor(trustedRootCert, null)); } PkixBuilderParameters pkixParams = new PkixBuilderParameters(trustAnchors, selector) { // Disable CRL checks (this is done manually as additional step) IsRevocationEnabled = false }; // Specify a list of intermediate certificates IX509Store intermediateCertStore = X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(intermediateCerts)); pkixParams.AddStore(intermediateCertStore); // Build and verify the certification chain PkixCertPathBuilder builder = new PkixCertPathBuilder(); PkixCertPathBuilderResult result = builder.Build(pkixParams); return(result); }
private static IReadOnlyCollection <X509Certificate> GetChain([NotNull] X509Certificate cert, [CanBeNull] IReadOnlyList <X509Certificate> certs) { var certList = new List <X509Certificate>(); if (certs != null) { certList.AddRange(certs); } certList.Add(cert); var certStore = X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(certList)); var rootCerts = certs.Where(IsSelfSigned).ToList(); var trustAnchors = rootCerts.Select(x => new TrustAnchor(x, null)); var trust = new HashSet(trustAnchors); var cpb = new PkixCertPathBuilder(); var targetConstraints = new X509CertStoreSelector() { Certificate = cert, }; var parameters = new PkixBuilderParameters(trust, targetConstraints) { IsRevocationEnabled = false, }; parameters.AddStore(certStore); var cpbResult = cpb.Build(parameters); var result = new List <X509Certificate>(); result.AddRange(cpbResult.CertPath.Certificates.Cast <X509Certificate>()); result.Add(cpbResult.TrustAnchor.TrustedCert); return(result); }
/// <summary> /// Builds certification path for provided signing certificate /// </summary> /// <param name="signingCertificate">Signing certificate</param> /// <param name="otherCertificates">Other certificates that should be used in path building process. Self-signed certificates from this list are used as trust anchors.</param> /// <returns>Certification path for provided signing certificate</returns> public static ICollection <BCX509.X509Certificate> BuildCertPath(byte[] signingCertificate, List <byte[]> otherCertificates) { if (signingCertificate == null) { throw new ArgumentNullException("signingCertificate"); } List <BCX509.X509Certificate> result = new List <BCX509.X509Certificate>(); BCX509.X509Certificate signingCert = ToBouncyCastleObject(signingCertificate); BCCollections.ISet trustAnchors = new BCCollections.HashSet(); List <BCX509.X509Certificate> otherCerts = new List <BCX509.X509Certificate>(); if (IsSelfSigned(signingCert)) { result.Add(signingCert); } else { otherCerts.Add(signingCert); if (otherCertificates != null) { foreach (byte[] otherCertificate in otherCertificates) { BCX509.X509Certificate otherCert = ToBouncyCastleObject(otherCertificate); otherCerts.Add(ToBouncyCastleObject(otherCertificate)); if (IsSelfSigned(otherCert)) { trustAnchors.Add(new TrustAnchor(otherCert, null)); } } } if (trustAnchors.Count < 1) { throw new PkixCertPathBuilderException("Provided certificates do not contain self-signed root certificate"); } X509CertStoreSelector targetConstraints = new X509CertStoreSelector(); targetConstraints.Certificate = signingCert; PkixBuilderParameters certPathBuilderParameters = new PkixBuilderParameters(trustAnchors, targetConstraints); certPathBuilderParameters.AddStore(X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(otherCerts))); certPathBuilderParameters.IsRevocationEnabled = false; PkixCertPathBuilder certPathBuilder = new PkixCertPathBuilder(); PkixCertPathBuilderResult certPathBuilderResult = certPathBuilder.Build(certPathBuilderParameters); foreach (BCX509.X509Certificate certPathCert in certPathBuilderResult.CertPath.Certificates) { result.Add(certPathCert); } result.Add(certPathBuilderResult.TrustAnchor.TrustedCert); } return(result); }
private static bool VerifyCertificateChain(X509Certificate cert) { if (cert is null) { return(false); } X509Certificate rootCert = GetRootCert(); if (rootCert is null) { return(false); } X509Certificate middleCert = GetMiddleCert(); if (middleCert is null) { return(false); } try { X509CertStoreSelector selector = new X509CertStoreSelector { Subject = cert.SubjectDN }; ISet trustAnchors = new HashSet { new TrustAnchor(rootCert, null) }; PkixBuilderParameters pkixParams = new PkixBuilderParameters(trustAnchors, selector); IList intermediateCerts = new ArrayList { rootCert, middleCert, cert }; pkixParams.IsRevocationEnabled = false; IX509Store intermediateCertStore = X509StoreFactory.Create( "Certificate/Collection", new X509CollectionStoreParameters(intermediateCerts)); pkixParams.AddStore(intermediateCertStore); PkixCertPathBuilder pathBuilder = new PkixCertPathBuilder(); PkixCertPathBuilderResult result = pathBuilder.Build(pkixParams); PkixCertPath path = result.CertPath; return(true); } catch { return(false); } }
private static bool VerifyCertificateChain(X509Certificate cert, X509Certificate rootCert, X509Certificate middleCert) { if (null == cert) { return(false); } if (null == rootCert) { return(false); } if (null == middleCert) { return(false); } try { var selector = new X509CertStoreSelector { Subject = cert.SubjectDN }; var trustAnchors = new HashSet { new TrustAnchor(rootCert, null) }; var pkixParams = new PkixBuilderParameters(trustAnchors, selector); var intermediateCerts = new ArrayList { rootCert, middleCert, cert }; pkixParams.IsRevocationEnabled = false; var intermediateCertStore = X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(intermediateCerts)); pkixParams.AddStore(intermediateCertStore); var pathBuilder = new PkixCertPathBuilder(); var result = pathBuilder.Build(pkixParams); var path = result.CertPath; return(true); } catch { } return(false); }
public bool Validate(Certificate cert) { PkixCertPathBuilder builder = new PkixCertPathBuilder(); try { // Separate root from itermediate List <X509Certificate> intermediateCerts = new List <X509Certificate>(); HashSet rootCerts = new HashSet(); foreach (X509Certificate x509Cert in certs.Select(a => a.X509Certificate)) { // Separate root and subordinate certificates if (x509Cert.IssuerDN.Equivalent(x509Cert.SubjectDN)) { rootCerts.Add(new TrustAnchor(x509Cert, null)); } else { intermediateCerts.Add(x509Cert); } } // Create chain for this certificate X509CertStoreSelector holder = new X509CertStoreSelector(); holder.Certificate = cert.X509Certificate; // WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN intermediateCerts.Add(holder.Certificate); PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder); builderParams.IsRevocationEnabled = false; X509CollectionStoreParameters intermediateStoreParameters = new X509CollectionStoreParameters(intermediateCerts); builderParams.AddStore(X509StoreFactory.Create("Certificate/Collection", intermediateStoreParameters)); try { builder.Build(builderParams); return(true); } catch (Exception) { return(false); } } catch (Exception e) { throw new CryptoException($"Error validating certificate. {e.Message}"); } }
BuildCertificateChainBC( byte[] primary, System.Collections.Generic.IEnumerable <byte[]> additional) { X509CertificateParser parser = new X509CertificateParser(); PkixCertPathBuilder builder = new PkixCertPathBuilder(); // Separate root from itermediate System.Collections.Generic.List <Org.BouncyCastle.X509.X509Certificate> intermediateCerts = new System.Collections.Generic.List <Org.BouncyCastle.X509.X509Certificate>(); Org.BouncyCastle.Utilities.Collections.HashSet rootCerts = new Org.BouncyCastle.Utilities.Collections.HashSet(); foreach (byte[] cert in additional) { Org.BouncyCastle.X509.X509Certificate x509Cert = parser.ReadCertificate(cert); // Separate root and subordinate certificates if (x509Cert.IssuerDN.Equivalent(x509Cert.SubjectDN)) { rootCerts.Add(new TrustAnchor(x509Cert, null)); } else { intermediateCerts.Add(x509Cert); } } // Create chain for this certificate X509CertStoreSelector holder = new X509CertStoreSelector(); holder.Certificate = parser.ReadCertificate(primary); // WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN intermediateCerts.Add(holder.Certificate); PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder); builderParams.IsRevocationEnabled = false; X509CollectionStoreParameters intermediateStoreParameters = new X509CollectionStoreParameters(intermediateCerts); builderParams.AddStore(X509StoreFactory.Create( "Certificate/Collection", intermediateStoreParameters)); PkixCertPathBuilderResult result = builder.Build(builderParams); return(System.Linq.Enumerable.Cast <Org.BouncyCastle.X509.X509Certificate>(result.CertPath.Certificates)); }
//jbonilla - Por algún motivo, no devuleve el certificado root. public static X509Certificate[] BuildCertificateChainBC(X509Certificate checkCert, ICollection <X509Certificate> keystore) { PkixCertPathBuilder builder = new PkixCertPathBuilder(); // Separate root from itermediate List <X509Certificate> intermediateCerts = new List <X509Certificate>(); HashSet rootCerts = new HashSet(); foreach (X509Certificate cert in keystore) { // Separate root and subordinate certificates if (IsSelfSigned(cert)) { rootCerts.Add(new TrustAnchor(cert, null)); } else { intermediateCerts.Add(cert); } } // Create chain for this certificate X509CertStoreSelector holder = new X509CertStoreSelector(); holder.Certificate = checkCert; // WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN intermediateCerts.Add(holder.Certificate); PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder); builderParams.IsRevocationEnabled = false; X509CollectionStoreParameters intermediateStoreParameters = new X509CollectionStoreParameters(intermediateCerts); builderParams.AddStore(X509StoreFactory.Create( "Certificate/Collection", intermediateStoreParameters)); PkixCertPathBuilderResult result = builder.Build(builderParams); List <X509Certificate> chain = new List <X509Certificate>(); foreach (X509Certificate cert in result.CertPath.Certificates) { chain.Add(cert); } return(chain.ToArray()); }
private void VerifyCertificate(X509Certificate cert) { // Create the selector that specifies the starting certificate X509CertStoreSelector selector = new X509CertStoreSelector(); selector.Certificate = cert; // Create the trust anchors (set of root CA certificates) HashSet trustAnchors = new HashSet(); foreach (X509Certificate trustedRootCert in this.rootCertificates) { trustAnchors.Add(new TrustAnchor(trustedRootCert, null)); } // Configure the PKIX certificate builder algorithm parameters PkixBuilderParameters pkixParams = new PkixBuilderParameters(trustAnchors, selector); // Setting explicit policy if (this.policies.Count > 0) { pkixParams.SetInitialPolicies(this.policies); pkixParams.IsExplicitPolicyRequired = true; } // Disable CRL checks (this is done manually as additional step) pkixParams.IsRevocationEnabled = false; // Specify a list of intermediate certificates HashSet trustedIntermediateCert = new HashSet(); foreach (X509Certificate certificate in this.intermediateCertificates) { trustedIntermediateCert.Add(certificate); } var store = X509StoreFactory.Create( "Collection", new X509CollectionStoreParameters(trustedIntermediateCert)); pkixParams.AddStore(store); // Build and verify the certification chain PkixCertPathBuilder builder = new PkixCertPathBuilder(); builder.Build(pkixParams); }
internal static IList <X509Certificate> BuildCertificateChain(X509Certificate primaryCertificate, IEnumerable <X509Certificate> additionalCertificates) { var parser = new X509CertificateParser(); var builder = new PkixCertPathBuilder(); // Separate root from itermediate var intermediateCerts = new List <X509Certificate>(); var rootCerts = new BouncyCastle.Utilities.Collections.HashSet(); foreach (var cert in additionalCertificates) { // Separate root and subordinate certificates if (cert.IssuerDN.Equivalent(cert.SubjectDN)) { rootCerts.Add(new TrustAnchor(cert, null)); } else { intermediateCerts.Add(cert); } } // Create chain for this certificate var holder = new X509CertStoreSelector(); holder.Certificate = primaryCertificate; // WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN intermediateCerts.Add(holder.Certificate); PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder); builderParams.IsRevocationEnabled = false; X509CollectionStoreParameters intermediateStoreParameters = new X509CollectionStoreParameters(intermediateCerts); builderParams.AddStore(X509StoreFactory.Create( "Certificate/Collection", intermediateStoreParameters)); PkixCertPathBuilderResult result = builder.Build(builderParams); return(result.CertPath.Certificates.Cast <X509Certificate>().ToList()); }
private static IList BuildCertificateChainBC(byte[] primary, IEnumerable <byte[]> additional) { X509CertificateParser parser = new X509CertificateParser(); PkixCertPathBuilder builder = new PkixCertPathBuilder(); List <X509Certificate> intermediateCerts = new List <X509Certificate>(); HashSet rootCerts = new HashSet(); foreach (byte[] cert in additional) { X509Certificate x509Cert = parser.ReadCertificate(cert); // Separate root and subordinate certificates if (x509Cert.IssuerDN.Equivalent(x509Cert.SubjectDN)) { rootCerts.Add(new TrustAnchor(x509Cert, null)); } else { intermediateCerts.Add(x509Cert); } } X509CertStoreSelector holder = new X509CertStoreSelector(); holder.Certificate = parser.ReadCertificate(primary); intermediateCerts.Add(holder.Certificate); PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder); builderParams.IsRevocationEnabled = false; X509CollectionStoreParameters intermediateStoreParameters = new X509CollectionStoreParameters(intermediateCerts); builderParams.AddStore(X509StoreFactory.Create( "Certificate/Collection", intermediateStoreParameters)); PkixCertPathBuilderResult result = builder.Build(builderParams); return(result.CertPath.Certificates); }
private IList <X509Certificate> FindIssuers() { var certParser = new X509CertificateParser(); var certificates = certificateStore .GetIssuers(certificate.GetEncoded()) .Select(der => certParser.ReadCertificate(der)) .Select(cert => new { IsRoot = cert.IssuerDN.Equivalent(cert.SubjectDN), Cert = cert }); var rootCerts = new HashSet(certificates.Where(c => c.IsRoot).Select(c => new TrustAnchor(c.Cert, null))); var intermediateCerts = certificates.Where(c => !c.IsRoot).Select(c => c.Cert).ToList(); intermediateCerts.Add(certificate); var target = new X509CertStoreSelector { Certificate = certificate }; var builderParams = new PkixBuilderParameters(rootCerts, target) { IsRevocationEnabled = false }; builderParams.AddStore( X509StoreFactory.Create( "Certificate/Collection", new X509CollectionStoreParameters(intermediateCerts))); var builder = new PkixCertPathBuilder(); var result = builder.Build(builderParams); var fullChain = result.CertPath.Certificates.Cast <X509Certificate>().ToArray(); return(fullChain); }
private static void ValidateCertPath(X509Certificate certificate, IX509Store x509Store, ISet trustAnchors) { X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector { Certificate = certificate }; // Build cert path PkixBuilderParameters pkixBuilderParameters = new PkixBuilderParameters(trustAnchors, x509CertStoreSelector); pkixBuilderParameters.AddStore(x509Store); pkixBuilderParameters.IsRevocationEnabled = false; PkixCertPath pkixCertPath; try { PkixCertPathBuilderResult pkixCertPathBuilderResult = new PkixCertPathBuilder().Build(pkixBuilderParameters); pkixCertPath = pkixCertPathBuilderResult.CertPath; } catch (PkixCertPathBuilderException e) { throw new PkiVerificationFailedException("Could not build certificate path.", e, GetTrustAnchorsString(trustAnchors)); } PkixParameters pkixParameters = new PkixParameters(trustAnchors) { IsRevocationEnabled = false }; try { // Validate path new PkixCertPathValidator().Validate(pkixCertPath, pkixParameters); } catch (PkixCertPathValidatorException e) { throw new PkiVerificationFailedException("Failed to verify PKCS#7 signature.", e, GetTrustAnchorsString(trustAnchors)); } }
private static void ValidateCertificateIssue(X509Certificate targetCert) { Console.WriteLine("Validate: " + targetCert.SubjectDN); Console.WriteLine("SigAlgName: " + targetCert.SigAlgName); try { // Trusted anchors HashSet trustedAnchors = new HashSet(); trustedAnchors.Add(new TrustAnchor(rootCert, null)); // Certificate chain List <X509Certificate> certChain = new List <X509Certificate> { targetCert, intermediateCert }; IX509Store chainStore = X509StoreFactory.Create("CERTIFICATE/COLLECTION", new X509CollectionStoreParameters(certChain)); // Selector for the target certificate X509CertStoreSelector target = new X509CertStoreSelector(); target.Certificate = targetCert; // Set builder parameters PkixBuilderParameters builderParameters = new PkixBuilderParameters(trustedAnchors, target); builderParameters.AddStore(chainStore); builderParameters.IsRevocationEnabled = false; PkixCertPathBuilder certPathBuilder = new PkixCertPathBuilder(); PkixCertPathBuilderResult builderResult = certPathBuilder.Build(builderParameters); Console.WriteLine("Certificate successfuly validated."); } catch (Exception ex) { Console.WriteLine("Certificate validation failed: " + ex.Message); } Console.WriteLine(""); }
private void v0Test() { // create certificates and CRLs IAsymmetricCipherKeyPair rootPair = TestUtilities.GenerateRsaKeyPair(); IAsymmetricCipherKeyPair interPair = TestUtilities.GenerateRsaKeyPair(); IAsymmetricCipherKeyPair endPair = TestUtilities.GenerateRsaKeyPair(); X509Certificate rootCert = TestUtilities.GenerateRootCert(rootPair); X509Certificate interCert = TestUtilities.GenerateIntermediateCert(interPair.Public, rootPair.Private, rootCert); X509Certificate endCert = TestUtilities.GenerateEndEntityCert(endPair.Public, interPair.Private, interCert); IBigInteger revokedSerialNumber = BigInteger.Two; X509Crl rootCRL = TestUtilities.CreateCrl(rootCert, rootPair.Private, revokedSerialNumber); X509Crl interCRL = TestUtilities.CreateCrl(interCert, interPair.Private, revokedSerialNumber); // create CertStore to support path building IList certList = new ArrayList(); certList.Add(rootCert); certList.Add(interCert); certList.Add(endCert); IList crlList = new ArrayList(); crlList.Add(rootCRL); crlList.Add(interCRL); // CollectionCertStoreParameters parameters = new CollectionCertStoreParameters(list); // CertStore store = CertStore.getInstance("Collection", parameters); IX509Store x509CertStore = X509StoreFactory.Create( "Certificate/Collection", new X509CollectionStoreParameters(certList)); IX509Store x509CrlStore = X509StoreFactory.Create( "CRL/Collection", new X509CollectionStoreParameters(crlList)); ISet trust = new HashSet(); trust.Add(new TrustAnchor(rootCert, null)); // build the path // CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC"); PkixCertPathBuilder builder = new PkixCertPathBuilder(); X509CertStoreSelector pathConstraints = new X509CertStoreSelector(); pathConstraints.Subject = endCert.SubjectDN; PkixBuilderParameters buildParams = new PkixBuilderParameters(trust, pathConstraints); // buildParams.addCertStore(store); buildParams.AddStore(x509CertStore); buildParams.AddStore(x509CrlStore); buildParams.Date = new DateTimeObject(DateTime.UtcNow); PkixCertPathBuilderResult result = builder.Build(buildParams); PkixCertPath path = result.CertPath; if (path.Certificates.Count != 2) { Fail("wrong number of certs in v0Test path"); } }
private PkixCertPathBuilderResult doBuilderTest( string trustAnchor, string[] certs, string[] crls, ISet initialPolicies, bool policyMappingInhibited, bool anyPolicyInhibited) { ISet trustedSet = new HashSet(); trustedSet.Add(GetTrustAnchor(trustAnchor)); IList x509Certs = new ArrayList(); IList x509Crls = new ArrayList(); X509Certificate endCert = LoadCert(certs[certs.Length - 1]); for (int i = 0; i != certs.Length - 1; i++) { x509Certs.Add(LoadCert(certs[i])); } x509Certs.Add(endCert); for (int i = 0; i != crls.Length; i++) { x509Crls.Add(LoadCrl(crls[i])); } IX509Store x509CertStore = X509StoreFactory.Create( "Certificate/Collection", new X509CollectionStoreParameters(x509Certs)); IX509Store x509CrlStore = X509StoreFactory.Create( "CRL/Collection", new X509CollectionStoreParameters(x509Crls)); // CertPathBuilder builder = CertPathBuilder.GetInstance("PKIX"); PkixCertPathBuilder builder = new PkixCertPathBuilder(); X509CertStoreSelector endSelector = new X509CertStoreSelector(); endSelector.Certificate = endCert; PkixBuilderParameters builderParams = new PkixBuilderParameters(trustedSet, endSelector); if (initialPolicies != null) { builderParams.SetInitialPolicies(initialPolicies); builderParams.IsExplicitPolicyRequired = true; } if (policyMappingInhibited) { builderParams.IsPolicyMappingInhibited = policyMappingInhibited; } if (anyPolicyInhibited) { builderParams.IsAnyPolicyInhibited = anyPolicyInhibited; } builderParams.AddStore(x509CertStore); builderParams.AddStore(x509CrlStore); try { return((PkixCertPathBuilderResult)builder.Build(builderParams)); } catch (PkixCertPathBuilderException e) { throw e.InnerException; } }
private string TestPolicies( int index, X509Certificate trustCert, X509Certificate intCert, X509Certificate endCert, ISet requirePolicies, bool okay) { ISet trust = new HashSet(); trust.Add(new TrustAnchor(trustCert, null)); X509CertStoreSelector targetConstraints = new X509CertStoreSelector(); targetConstraints.Subject = endCert.SubjectDN; PkixBuilderParameters pbParams = new PkixBuilderParameters(trust, targetConstraints); ISet certs = new HashSet(); certs.Add(intCert); certs.Add(endCert); IX509Store store = X509StoreFactory.Create( "CERTIFICATE/COLLECTION", new X509CollectionStoreParameters(certs)); pbParams.AddStore(store); pbParams.IsRevocationEnabled = false; if (requirePolicies != null) { pbParams.IsExplicitPolicyRequired = true; pbParams.SetInitialPolicies(requirePolicies); } // CertPathBuilder cpb = CertPathBuilder.GetInstance("PKIX"); PkixCertPathBuilder cpb = new PkixCertPathBuilder(); PkixCertPathBuilderResult result = null; try { result = (PkixCertPathBuilderResult)cpb.Build(pbParams); if (!okay) { Fail(index + ": path validated when failure expected."); } // if (result.getPolicyTree() != null) // { // Console.WriteLine("OK"); // Console.WriteLine("policy: " + result.getPolicyTree()); // } // else // { // Console.WriteLine("OK: policy tree = null"); // } return(""); } catch (TestFailedException e) { throw e; } catch (Exception e) { if (okay) { Fail(index + ": path failed to validate when success expected."); } Exception ee = e.InnerException; if (ee != null) { return(ee.Message); } return(e.Message); } }
private void doTestExceptions() { byte[] enc = { (byte)0, (byte)2, (byte)3, (byte)4, (byte)5 }; // MyCertPath mc = new MyCertPath(enc); MemoryStream os = new MemoryStream(); MemoryStream ins; byte[] arr; // TODO Support serialization of cert paths? // ObjectOutputStream oos = new ObjectOutputStream(os); // oos.WriteObject(mc); // oos.Flush(); // oos.Close(); try { // CertificateFactory cFac = CertificateFactory.GetInstance("X.509"); arr = os.ToArray(); ins = new MemoryStream(arr, false); // cFac.generateCertPath(ins); new PkixCertPath(ins); } catch (CertificateException) { // ignore okay } // CertificateFactory cf = CertificateFactory.GetInstance("X.509"); X509CertificateParser cf = new X509CertificateParser(); IList certCol = new ArrayList(); certCol.Add(cf.ReadCertificate(certA)); certCol.Add(cf.ReadCertificate(certB)); certCol.Add(cf.ReadCertificate(certC)); certCol.Add(cf.ReadCertificate(certD)); // CertPathBuilder pathBuilder = CertPathBuilder.GetInstance("PKIX"); PkixCertPathBuilder pathBuilder = new PkixCertPathBuilder(); X509CertStoreSelector select = new X509CertStoreSelector(); select.Subject = ((X509Certificate)certCol[0]).SubjectDN; ISet trustanchors = new HashSet(); trustanchors.Add(new TrustAnchor(cf.ReadCertificate(rootCertBin), null)); // CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certCol)); IX509Store x509CertStore = X509StoreFactory.Create( "Certificate/Collection", new X509CollectionStoreParameters(certCol)); PkixBuilderParameters parameters = new PkixBuilderParameters(trustanchors, select); parameters.AddStore(x509CertStore); try { PkixCertPathBuilderResult result = pathBuilder.Build(parameters); PkixCertPath path = result.CertPath; Fail("found cert path in circular set"); } catch (PkixCertPathBuilderException) { // expected } }