private static Boolean VerifyCertificateChain(X509Certificate cert)
{
if (null == cert)
{
log.Error("cert must Not null");
return(false);
}
X509Certificate rootCert = GetRootCert();
if (null == rootCert)
{
log.Error("rootCert must Not null");
return(false);
}
X509Certificate middleCert = GetMiddleCert();
if (null == middleCert)
{
log.Error("middleCert must Not null");
return(false);
}
try
{
X509CertStoreSelector selector = new X509CertStoreSelector();
selector.Subject = cert.SubjectDN;
ISet trustAnchors = new HashSet();
trustAnchors.Add(new TrustAnchor(rootCert, null));
PkixBuilderParameters pkixParams = new PkixBuilderParameters(
trustAnchors, selector);
IList intermediateCerts = new ArrayList();
intermediateCerts.Add(rootCert);
intermediateCerts.Add(middleCert);
intermediateCerts.Add(cert);
pkixParams.IsRevocationEnabled = false;
IX509Store intermediateCertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(intermediateCerts));
pkixParams.AddStore(intermediateCertStore);
PkixCertPathBuilder pathBuilder = new PkixCertPathBuilder();
PkixCertPathBuilderResult result = pathBuilder.Build(pkixParams);
PkixCertPath path = result.CertPath;
log.Info("verify certificate chain succeed.");
return(true);
}
catch (PkixCertPathBuilderException e)
{
log.Error("verify certificate chain fail.", e);
}
catch (Exception e)
{
log.Error("verify certificate chain exception: ", e);
}
return(false);
}
private void baseTest()
{
// CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
X509CertificateParser certParser = new X509CertificateParser();
X509CrlParser crlParser = new X509CrlParser();
// initialise CertStore
X509Certificate rootCert = certParser.ReadCertificate(CertPathTest.rootCertBin);
X509Certificate interCert = certParser.ReadCertificate(CertPathTest.interCertBin);
X509Certificate finalCert = certParser.ReadCertificate(CertPathTest.finalCertBin);
X509Crl rootCrl = crlParser.ReadCrl(CertPathTest.rootCrlBin);
X509Crl interCrl = crlParser.ReadCrl(CertPathTest.interCrlBin);
IList certList = new ArrayList();
certList.Add(rootCert);
certList.Add(interCert);
certList.Add(finalCert);
IList crlList = new ArrayList();
crlList.Add(rootCrl);
crlList.Add(interCrl);
// CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list);
// CertStore store = CertStore.getInstance("Collection", ccsp, "BC");
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(certList));
IX509Store x509CrlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(crlList));
// NB: Month is 1-based in .NET
DateTime validDate = new DateTime(2008, 9, 4, 14, 49, 10).ToUniversalTime();
//Searching for rootCert by subjectDN without CRL
ISet trust = new HashSet();
trust.Add(new TrustAnchor(rootCert, null));
// CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX","BC");
PkixCertPathBuilder cpb = new PkixCertPathBuilder();
X509CertStoreSelector targetConstraints = new X509CertStoreSelector();
targetConstraints.Subject = finalCert.SubjectDN;
PkixBuilderParameters parameters = new PkixBuilderParameters(trust, targetConstraints);
// parameters.addCertStore(store);
parameters.AddStore(x509CertStore);
parameters.AddStore(x509CrlStore);
parameters.Date = new DateTimeObject(validDate);
PkixCertPathBuilderResult result = cpb.Build(parameters);
PkixCertPath path = result.CertPath;
if (path.Certificates.Count != 2)
{
Fail("wrong number of certs in baseTest path");
}
}
public override bool Equals(object obj)
{
if (this == obj)
{
return(true);
}
PkixCertPath pkixCertPath = obj as PkixCertPath;
if (pkixCertPath == null)
{
return(false);
}
IList list = Certificates;
IList list2 = pkixCertPath.Certificates;
if (list.Count != list2.Count)
{
return(false);
}
IEnumerator enumerator = list.GetEnumerator();
IEnumerator enumerator2 = list.GetEnumerator();
while (enumerator.MoveNext())
{
enumerator2.MoveNext();
if (!object.Equals(enumerator.Current, enumerator2.Current))
{
return(false);
}
}
return(true);
}
public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters pkixParams)
{
IX509Selector targetConstraints = pkixParams.GetTargetConstraints();
if (!(targetConstraints is X509AttrCertStoreSelector))
{
throw new ArgumentException("TargetConstraints must be an instance of " + typeof(X509AttrCertStoreSelector).FullName, "pkixParams");
}
IX509AttributeCertificate attributeCert = ((X509AttrCertStoreSelector)targetConstraints).AttributeCert;
PkixCertPath holderCertPath = Rfc3281CertPathUtilities.ProcessAttrCert1(attributeCert, pkixParams);
PkixCertPathValidatorResult result = Rfc3281CertPathUtilities.ProcessAttrCert2(certPath, pkixParams);
X509Certificate x509Certificate = (X509Certificate)certPath.Certificates[0];
Rfc3281CertPathUtilities.ProcessAttrCert3(x509Certificate, pkixParams);
Rfc3281CertPathUtilities.ProcessAttrCert4(x509Certificate, pkixParams);
Rfc3281CertPathUtilities.ProcessAttrCert5(attributeCert, pkixParams);
Rfc3281CertPathUtilities.ProcessAttrCert7(attributeCert, certPath, holderCertPath, pkixParams);
Rfc3281CertPathUtilities.AdditionalChecks(attributeCert, pkixParams);
DateTime validCertDateFromValidityModel;
try
{
validCertDateFromValidityModel = PkixCertPathValidatorUtilities.GetValidCertDateFromValidityModel(pkixParams, null, -1);
}
catch (Exception cause)
{
throw new PkixCertPathValidatorException("Could not get validity date from attribute certificate.", cause);
}
Rfc3281CertPathUtilities.CheckCrls(attributeCert, pkixParams, x509Certificate, validCertDateFromValidityModel, certPath.Certificates);
return(result);
}
internal static void ProcessAttrCert7(IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, PkixParameters pkixParams)
{
ISet criticalExtensionOids = attrCert.GetCriticalExtensionOids();
if (criticalExtensionOids.Contains(X509Extensions.TargetInformation.Id))
{
try
{
TargetInformation.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.TargetInformation));
}
catch (Exception cause)
{
throw new PkixCertPathValidatorException("Target information extension could not be read.", cause);
}
}
criticalExtensionOids.Remove(X509Extensions.TargetInformation.Id);
foreach (PkixAttrCertChecker attrCertChecker in pkixParams.GetAttrCertCheckers())
{
attrCertChecker.Check(attrCert, certPath, holderCertPath, criticalExtensionOids);
}
if (!criticalExtensionOids.IsEmpty)
{
throw new PkixCertPathValidatorException("Attribute certificate contains unsupported critical extensions: " + criticalExtensionOids);
}
}
private static bool VerifyCertificateChain(X509Certificate cert)
{
if (cert is null)
{
return(false);
}
X509Certificate rootCert = GetRootCert();
if (rootCert is null)
{
return(false);
}
X509Certificate middleCert = GetMiddleCert();
if (middleCert is null)
{
return(false);
}
try
{
X509CertStoreSelector selector = new X509CertStoreSelector
{
Subject = cert.SubjectDN
};
ISet trustAnchors = new HashSet
{
new TrustAnchor(rootCert, null)
};
PkixBuilderParameters pkixParams = new PkixBuilderParameters(trustAnchors, selector);
IList intermediateCerts = new ArrayList
{
rootCert,
middleCert,
cert
};
pkixParams.IsRevocationEnabled = false;
IX509Store intermediateCertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(intermediateCerts));
pkixParams.AddStore(intermediateCertStore);
PkixCertPathBuilder pathBuilder = new PkixCertPathBuilder();
PkixCertPathBuilderResult result = pathBuilder.Build(pkixParams);
PkixCertPath path = result.CertPath;
return(true);
}
catch
{
return(false);
}
}
public PkixCertPathBuilderResult(PkixCertPath certPath, TrustAnchor trustAnchor, PkixPolicyNode policyTree, AsymmetricKeyParameter subjectPublicKey)
: base(trustAnchor, policyTree, subjectPublicKey)
{
if (certPath == null)
{
throw new ArgumentNullException("certPath");
}
this.certPath = certPath;
}
private void VerifyDistinguishedName(PkixCertPath path)
{
X509Certificate leaf = (X509Certificate)path.Certificates[0];
string distinguishedName = leaf.SubjectDN.ToString();
if ("C=US,ST=CA,L=Santa Clara,O=Intel Corporation,CN=Intel SGX Attestation Report Signing" != distinguishedName)
{
throw new CryptographicException($"Bad DN: {distinguishedName}");
}
}
private PkixCertPathValidatorResult DoTest(
string trustAnchor,
string[] certs,
string[] crls,
ISet policies)
{
ISet trustedSet = new HashSet();
trustedSet.Add(GetTrustAnchor(trustAnchor));
IList x509Certs = new ArrayList();
IList x509Crls = new ArrayList();
X509Certificate endCert = LoadCert(certs[certs.Length - 1]);
for (int i = 0; i != certs.Length - 1; i++)
{
x509Certs.Add(LoadCert(certs[i]));
}
x509Certs.Add(endCert);
PkixCertPath certPath = new PkixCertPath(x509Certs);
for (int i = 0; i != crls.Length; i++)
{
x509Crls.Add(LoadCrl(crls[i]));
}
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(x509Certs));
IX509Store x509CrlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(x509Crls));
// CertPathValidator validator = CertPathValidator.GetInstance("PKIX");
PkixCertPathValidator validator = new PkixCertPathValidator();
PkixParameters parameters = new PkixParameters(trustedSet);
parameters.AddStore(x509CertStore);
parameters.AddStore(x509CrlStore);
parameters.IsRevocationEnabled = true;
if (policies != null)
{
parameters.IsExplicitPolicyRequired = true;
parameters.SetInitialPolicies(policies);
}
// Perform validation as of this date since test certs expired
parameters.Date = new DateTimeObject(DateTime.Parse("1/1/2011"));
return(validator.Validate(certPath, parameters));
}
internal static PkixCertPathValidatorResult ProcessAttrCert2(PkixCertPath certPath, PkixParameters pkixParams)
{
PkixCertPathValidator pkixCertPathValidator = new PkixCertPathValidator();
try
{
return(pkixCertPathValidator.Validate(certPath, pkixParams));
}
catch (PkixCertPathValidatorException cause)
{
throw new PkixCertPathValidatorException("Certification path for issuer certificate of attribute certificate could not be validated.", cause);
}
}
/// <summary>
///
/// </summary>
/// <param name="certificateChain"></param>
/// <exception cref="PkixCertPathValidatorException"></exception>
/// <exception cref="CryptographicException"></exception>
public SigningCertificate(string certificateChain)
{
StringReader stringReader = new StringReader(certificateChain);
PemReader pemReader = new PemReader(stringReader);
List <X509Certificate> certificates = new List <X509Certificate>();
X509Certificate certificate;
while ((certificate = (X509Certificate)pemReader.ReadObject()) != null)
{
certificates.Add(certificate);
}
path = new PkixCertPath(certificates);
Org.BouncyCastle.Utilities.Collections.ISet trustAnchors = new Org.BouncyCastle.Utilities.Collections.HashSet(new TrustAnchor[] { new TrustAnchor(certificates.Last(), null) });
PkixParameters pkixParameters = new PkixParameters(trustAnchors);
pkixParameters.IsRevocationEnabled = false;
PkixCertPathValidator certPathValidator = new PkixCertPathValidator();
certPathValidator.Validate(path, pkixParameters);
VerifyDistinguishedName(path);
}
internal static DateTime GetValidCertDateFromValidityModel(PkixParameters paramsPkix, PkixCertPath certPath, int index)
{
if (paramsPkix.ValidityModel != 1)
{
return(GetValidDate(paramsPkix));
}
if (index <= 0)
{
return(GetValidDate(paramsPkix));
}
if (index - 1 == 0)
{
DerGeneralizedTime derGeneralizedTime = null;
try
{
X509Certificate x509Certificate = (X509Certificate)certPath.Certificates[index - 1];
Asn1OctetString extensionValue = x509Certificate.GetExtensionValue(IsisMttObjectIdentifiers.IdIsisMttATDateOfCertGen);
derGeneralizedTime = DerGeneralizedTime.GetInstance(extensionValue);
}
catch (ArgumentException)
{
throw new Exception("Date of cert gen extension could not be read.");
}
if (derGeneralizedTime != null)
{
try
{
return(derGeneralizedTime.ToDateTime());
}
catch (ArgumentException innerException)
{
throw new Exception("Date from date of cert gen extension could not be parsed.", innerException);
}
}
}
return(((X509Certificate)certPath.Certificates[index - 1]).NotBefore);
}
public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters paramsPkix)
{
if (paramsPkix.GetTrustAnchors() == null)
{
throw new ArgumentException("trustAnchors is null, this is not allowed for certification path validation.", "parameters");
}
IList certificates = certPath.Certificates;
int count = certificates.Count;
if (certificates.Count == 0)
{
throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);
}
ISet initialPolicies = paramsPkix.GetInitialPolicies();
TrustAnchor trustAnchor;
try
{
trustAnchor = PkixCertPathValidatorUtilities.FindTrustAnchor((X509Certificate)certificates[certificates.Count - 1], paramsPkix.GetTrustAnchors());
}
catch (Exception ex)
{
throw new PkixCertPathValidatorException(ex.Message, ex, certPath, certificates.Count - 1);
}
if (trustAnchor == null)
{
throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
}
int num = 0;
IList[] array = new IList[count + 1];
for (int i = 0; i < array.Length; i++)
{
array[i] = Platform.CreateArrayList();
}
ISet set = new HashSet();
set.Add(Rfc3280CertPathUtilities.ANY_POLICY);
PkixPolicyNode pkixPolicyNode = new PkixPolicyNode(Platform.CreateArrayList(), 0, set, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, critical: false);
array[0].Add(pkixPolicyNode);
PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();
ISet acceptablePolicies = new HashSet();
int explicitPolicy = (!paramsPkix.IsExplicitPolicyRequired) ? (count + 1) : 0;
int inhibitAnyPolicy = (!paramsPkix.IsAnyPolicyInhibited) ? (count + 1) : 0;
int policyMapping = (!paramsPkix.IsPolicyMappingInhibited) ? (count + 1) : 0;
X509Certificate x509Certificate = trustAnchor.TrustedCert;
X509Name workingIssuerName;
AsymmetricKeyParameter asymmetricKeyParameter;
try
{
if (x509Certificate != null)
{
workingIssuerName = x509Certificate.SubjectDN;
asymmetricKeyParameter = x509Certificate.GetPublicKey();
}
else
{
workingIssuerName = new X509Name(trustAnchor.CAName);
asymmetricKeyParameter = trustAnchor.CAPublicKey;
}
}
catch (ArgumentException cause)
{
throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", cause, certPath, -1);
}
try
{
PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter);
}
catch (PkixCertPathValidatorException cause2)
{
throw new PkixCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", cause2, certPath, -1);
}
int maxPathLength = count;
X509CertStoreSelector targetCertConstraints = paramsPkix.GetTargetCertConstraints();
if (targetCertConstraints != null && !targetCertConstraints.Match((X509Certificate)certificates[0]))
{
throw new PkixCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
}
IList certPathCheckers = paramsPkix.GetCertPathCheckers();
IEnumerator enumerator = certPathCheckers.GetEnumerator();
while (enumerator.MoveNext())
{
((PkixCertPathChecker)enumerator.Current).Init(forward: false);
}
X509Certificate x509Certificate2 = null;
for (num = certificates.Count - 1; num >= 0; num--)
{
int num2 = count - num;
x509Certificate2 = (X509Certificate)certificates[num];
Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, num, asymmetricKeyParameter, workingIssuerName, x509Certificate);
Rfc3280CertPathUtilities.ProcessCertBC(certPath, num, nameConstraintValidator);
pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertD(certPath, num, acceptablePolicies, pkixPolicyNode, array, inhibitAnyPolicy);
pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertE(certPath, num, pkixPolicyNode);
Rfc3280CertPathUtilities.ProcessCertF(certPath, num, pkixPolicyNode, explicitPolicy);
if (num2 != count)
{
if (x509Certificate2 != null && x509Certificate2.Version == 1)
{
throw new PkixCertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, certPath, num);
}
Rfc3280CertPathUtilities.PrepareNextCertA(certPath, num);
pkixPolicyNode = Rfc3280CertPathUtilities.PrepareCertB(certPath, num, array, pkixPolicyNode, policyMapping);
Rfc3280CertPathUtilities.PrepareNextCertG(certPath, num, nameConstraintValidator);
explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, num, explicitPolicy);
policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, num, policyMapping);
inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, num, inhibitAnyPolicy);
explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, num, explicitPolicy);
policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, num, policyMapping);
inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, num, inhibitAnyPolicy);
Rfc3280CertPathUtilities.PrepareNextCertK(certPath, num);
maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, num, maxPathLength);
maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, num, maxPathLength);
Rfc3280CertPathUtilities.PrepareNextCertN(certPath, num);
ISet criticalExtensionOids = x509Certificate2.GetCriticalExtensionOids();
if (criticalExtensionOids != null)
{
criticalExtensionOids = new HashSet(criticalExtensionOids);
criticalExtensionOids.Remove(X509Extensions.KeyUsage.Id);
criticalExtensionOids.Remove(X509Extensions.CertificatePolicies.Id);
criticalExtensionOids.Remove(X509Extensions.PolicyMappings.Id);
criticalExtensionOids.Remove(X509Extensions.InhibitAnyPolicy.Id);
criticalExtensionOids.Remove(X509Extensions.IssuingDistributionPoint.Id);
criticalExtensionOids.Remove(X509Extensions.DeltaCrlIndicator.Id);
criticalExtensionOids.Remove(X509Extensions.PolicyConstraints.Id);
criticalExtensionOids.Remove(X509Extensions.BasicConstraints.Id);
criticalExtensionOids.Remove(X509Extensions.SubjectAlternativeName.Id);
criticalExtensionOids.Remove(X509Extensions.NameConstraints.Id);
}
else
{
criticalExtensionOids = new HashSet();
}
Rfc3280CertPathUtilities.PrepareNextCertO(certPath, num, criticalExtensionOids, certPathCheckers);
x509Certificate = x509Certificate2;
workingIssuerName = x509Certificate.SubjectDN;
try
{
asymmetricKeyParameter = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, num);
}
catch (PkixCertPathValidatorException cause3)
{
throw new PkixCertPathValidatorException("Next working key could not be retrieved.", cause3, certPath, num);
}
PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter);
}
}
explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, x509Certificate2);
explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, num + 1, explicitPolicy);
ISet criticalExtensionOids2 = x509Certificate2.GetCriticalExtensionOids();
if (criticalExtensionOids2 != null)
{
criticalExtensionOids2 = new HashSet(criticalExtensionOids2);
criticalExtensionOids2.Remove(X509Extensions.KeyUsage.Id);
criticalExtensionOids2.Remove(X509Extensions.CertificatePolicies.Id);
criticalExtensionOids2.Remove(X509Extensions.PolicyMappings.Id);
criticalExtensionOids2.Remove(X509Extensions.InhibitAnyPolicy.Id);
criticalExtensionOids2.Remove(X509Extensions.IssuingDistributionPoint.Id);
criticalExtensionOids2.Remove(X509Extensions.DeltaCrlIndicator.Id);
criticalExtensionOids2.Remove(X509Extensions.PolicyConstraints.Id);
criticalExtensionOids2.Remove(X509Extensions.BasicConstraints.Id);
criticalExtensionOids2.Remove(X509Extensions.SubjectAlternativeName.Id);
criticalExtensionOids2.Remove(X509Extensions.NameConstraints.Id);
criticalExtensionOids2.Remove(X509Extensions.CrlDistributionPoints.Id);
}
else
{
criticalExtensionOids2 = new HashSet();
}
Rfc3280CertPathUtilities.WrapupCertF(certPath, num + 1, certPathCheckers, criticalExtensionOids2);
PkixPolicyNode pkixPolicyNode2 = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, initialPolicies, num + 1, array, pkixPolicyNode, acceptablePolicies);
if (explicitPolicy > 0 || pkixPolicyNode2 != null)
{
return(new PkixCertPathValidatorResult(trustAnchor, pkixPolicyNode2, x509Certificate2.GetPublicKey()));
}
throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, num);
}
private void v0Test()
{
// create certificates and CRLs
IAsymmetricCipherKeyPair rootPair = TestUtilities.GenerateRsaKeyPair();
IAsymmetricCipherKeyPair interPair = TestUtilities.GenerateRsaKeyPair();
IAsymmetricCipherKeyPair endPair = TestUtilities.GenerateRsaKeyPair();
X509Certificate rootCert = TestUtilities.GenerateRootCert(rootPair);
X509Certificate interCert = TestUtilities.GenerateIntermediateCert(interPair.Public, rootPair.Private, rootCert);
X509Certificate endCert = TestUtilities.GenerateEndEntityCert(endPair.Public, interPair.Private, interCert);
IBigInteger revokedSerialNumber = BigInteger.Two;
X509Crl rootCRL = TestUtilities.CreateCrl(rootCert, rootPair.Private, revokedSerialNumber);
X509Crl interCRL = TestUtilities.CreateCrl(interCert, interPair.Private, revokedSerialNumber);
// create CertStore to support path building
IList certList = new ArrayList();
certList.Add(rootCert);
certList.Add(interCert);
certList.Add(endCert);
IList crlList = new ArrayList();
crlList.Add(rootCRL);
crlList.Add(interCRL);
// CollectionCertStoreParameters parameters = new CollectionCertStoreParameters(list);
// CertStore store = CertStore.getInstance("Collection", parameters);
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(certList));
IX509Store x509CrlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(crlList));
ISet trust = new HashSet();
trust.Add(new TrustAnchor(rootCert, null));
// build the path
// CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC");
PkixCertPathBuilder builder = new PkixCertPathBuilder();
X509CertStoreSelector pathConstraints = new X509CertStoreSelector();
pathConstraints.Subject = endCert.SubjectDN;
PkixBuilderParameters buildParams = new PkixBuilderParameters(trust, pathConstraints);
// buildParams.addCertStore(store);
buildParams.AddStore(x509CertStore);
buildParams.AddStore(x509CrlStore);
buildParams.Date = new DateTimeObject(DateTime.UtcNow);
PkixCertPathBuilderResult result = builder.Build(buildParams);
PkixCertPath path = result.CertPath;
if (path.Certificates.Count != 2)
{
Fail("wrong number of certs in v0Test path");
}
}
private PkixCertPathBuilderResult Build(IX509AttributeCertificate attrCert, X509Certificate tbvCert, PkixBuilderParameters pkixParams, IList tbvPath)
{
if (tbvPath.Contains(tbvCert))
{
return(null);
}
if (pkixParams.GetExcludedCerts().Contains(tbvCert))
{
return(null);
}
if (pkixParams.MaxPathLength != -1 && tbvPath.Count - 1 > pkixParams.MaxPathLength)
{
return(null);
}
tbvPath.Add(tbvCert);
PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
PkixAttrCertPathValidator pkixAttrCertPathValidator = new PkixAttrCertPathValidator();
try
{
if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
{
PkixCertPath certPath = new PkixCertPath(tbvPath);
PkixCertPathValidatorResult pkixCertPathValidatorResult;
try
{
pkixCertPathValidatorResult = pkixAttrCertPathValidator.Validate(certPath, pkixParams);
}
catch (Exception innerException)
{
throw new Exception("Certification path could not be validated.", innerException);
}
return(new PkixCertPathBuilderResult(certPath, pkixCertPathValidatorResult.TrustAnchor, pkixCertPathValidatorResult.PolicyTree, pkixCertPathValidatorResult.SubjectPublicKey));
}
try
{
PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams);
}
catch (CertificateParsingException innerException2)
{
throw new Exception("No additional X.509 stores can be added from certificate locations.", innerException2);
}
ISet set = new HashSet();
try
{
set.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
}
catch (Exception innerException3)
{
throw new Exception("Cannot find issuer certificate for certificate in certification path.", innerException3);
}
if (set.IsEmpty)
{
throw new Exception("No issuer certificate for certificate in certification path found.");
}
foreach (X509Certificate item in set)
{
if (!PkixCertPathValidatorUtilities.IsSelfIssued(item))
{
pkixCertPathBuilderResult = Build(attrCert, item, pkixParams, tbvPath);
if (pkixCertPathBuilderResult != null)
{
break;
}
}
}
}
catch (Exception innerException4)
{
certPathException = new Exception("No valid certification path could be build.", innerException4);
}
if (pkixCertPathBuilderResult == null)
{
tbvPath.Remove(tbvCert);
}
return(pkixCertPathBuilderResult);
}
public override void PerformTest()
{
X509CertificateParser certParser = new X509CertificateParser();
X509CrlParser crlParser = new X509CrlParser();
// initialise CertStore
X509Certificate rootCert = certParser.ReadCertificate(CertPathTest.rootCertBin);
X509Certificate interCert = certParser.ReadCertificate(CertPathTest.interCertBin);
X509Certificate finalCert = certParser.ReadCertificate(CertPathTest.finalCertBin);
X509Crl rootCrl = crlParser.ReadCrl(CertPathTest.rootCrlBin);
X509Crl interCrl = crlParser.ReadCrl(CertPathTest.interCrlBin);
IList x509Certs = new ArrayList();
x509Certs.Add(rootCert);
x509Certs.Add(interCert);
x509Certs.Add(finalCert);
IList x509Crls = new ArrayList();
x509Crls.Add(rootCrl);
x509Crls.Add(interCrl);
// CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list);
// CertStore store = CertStore.GetInstance("Collection", ccsp);
// X509CollectionStoreParameters ccsp = new X509CollectionStoreParameters(list);
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(x509Certs));
IX509Store x509CrlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(x509Crls));
// NB: Month is 1-based in .NET
//DateTime validDate = new DateTime(2008,9,4,14,49,10).ToUniversalTime();
DateTime validDate = new DateTime(2008, 9, 4, 5, 49, 10);
//validating path
IList certchain = new ArrayList();
certchain.Add(finalCert);
certchain.Add(interCert);
// CertPath cp = CertificateFactory.GetInstance("X.509").GenerateCertPath(certchain);
PkixCertPath cp = new PkixCertPath(certchain);
ISet trust = new HashSet();
trust.Add(new TrustAnchor(rootCert, null));
// CertPathValidator cpv = CertPathValidator.GetInstance("PKIX");
PkixCertPathValidator cpv = new PkixCertPathValidator();
PkixParameters param = new PkixParameters(trust);
param.AddStore(x509CertStore);
param.AddStore(x509CrlStore);
param.Date = new DateTimeObject(validDate);
MyChecker checker = new MyChecker();
param.AddCertPathChecker(checker);
PkixCertPathValidatorResult result = (PkixCertPathValidatorResult)cpv.Validate(cp, param);
PkixPolicyNode policyTree = result.PolicyTree;
AsymmetricKeyParameter subjectPublicKey = result.SubjectPublicKey;
if (checker.GetCount() != 2)
{
Fail("checker not evaluated for each certificate");
}
if (!subjectPublicKey.Equals(finalCert.GetPublicKey()))
{
Fail("wrong public key returned");
}
IsTrue(result.TrustAnchor.TrustedCert.Equals(rootCert));
// try a path with trust anchor included.
certchain.Clear();
certchain.Add(finalCert);
certchain.Add(interCert);
certchain.Add(rootCert);
cp = new PkixCertPath(certchain);
cpv = new PkixCertPathValidator();
param = new PkixParameters(trust);
param.AddStore(x509CertStore);
param.AddStore(x509CrlStore);
param.Date = new DateTimeObject(validDate);
checker = new MyChecker();
param.AddCertPathChecker(checker);
result = (PkixCertPathValidatorResult)cpv.Validate(cp, param);
IsTrue(result.TrustAnchor.TrustedCert.Equals(rootCert));
//
// invalid path containing a valid one test
//
try
{
// initialise CertStore
rootCert = certParser.ReadCertificate(AC_RAIZ_ICPBRASIL);
interCert = certParser.ReadCertificate(AC_PR);
finalCert = certParser.ReadCertificate(schefer);
x509Certs = new ArrayList();
x509Certs.Add(rootCert);
x509Certs.Add(interCert);
x509Certs.Add(finalCert);
// ccsp = new CollectionCertStoreParameters(list);
// store = CertStore.GetInstance("Collection", ccsp);
// ccsp = new X509CollectionStoreParameters(list);
x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(x509Certs));
// NB: Month is 1-based in .NET
//validDate = new DateTime(2004,3,21,2,21,10).ToUniversalTime();
validDate = new DateTime(2004, 3, 20, 19, 21, 10);
//validating path
certchain = new ArrayList();
certchain.Add(finalCert);
certchain.Add(interCert);
// cp = CertificateFactory.GetInstance("X.509").GenerateCertPath(certchain);
cp = new PkixCertPath(certchain);
trust = new HashSet();
trust.Add(new TrustAnchor(rootCert, null));
// cpv = CertPathValidator.GetInstance("PKIX");
cpv = new PkixCertPathValidator();
param = new PkixParameters(trust);
param.AddStore(x509CertStore);
param.IsRevocationEnabled = false;
param.Date = new DateTimeObject(validDate);
result = (PkixCertPathValidatorResult)cpv.Validate(cp, param);
policyTree = result.PolicyTree;
subjectPublicKey = result.SubjectPublicKey;
Fail("Invalid path validated");
}
catch (Exception e)
{
if (e is PkixCertPathValidatorException &&
e.Message.StartsWith("Could not validate certificate signature."))
{
return;
}
Fail("unexpected exception", e);
}
}
public abstract void Check(IX509AttributeCertificate attrCert, PkixCertPath certPath, PkixCertPath holderCertPath, ICollection unresolvedCritExts);
public override void PerformTest()
{
X509CertificateParser cf = new X509CertificateParser();
X509Certificate rootCert = cf.ReadCertificate(rootCertBin);
X509Certificate interCert = cf.ReadCertificate(interCertBin);
X509Certificate finalCert = cf.ReadCertificate(finalCertBin);
//Testing CertPath generation from List
IList list = new ArrayList();
list.Add(interCert);
// CertPath certPath1 = cf.generateCertPath(list);
PkixCertPath certPath1 = new PkixCertPath(list);
//Testing CertPath encoding as PkiPath
byte[] encoded = certPath1.GetEncoded("PkiPath");
//Testing CertPath generation from InputStream
MemoryStream inStream = new MemoryStream(encoded, false);
// CertPath certPath2 = cf.generateCertPath(inStream, "PkiPath");
PkixCertPath certPath2 = new PkixCertPath(inStream, "PkiPath");
//Comparing both CertPathes
if (!certPath2.Equals(certPath1))
{
Fail("CertPath differ after encoding and decoding.");
}
encoded = certPath1.GetEncoded("PKCS7");
//Testing CertPath generation from InputStream
inStream = new MemoryStream(encoded, false);
// certPath2 = cf.generateCertPath(inStream, "PKCS7");
certPath2 = new PkixCertPath(inStream, "PKCS7");
//Comparing both CertPathes
if (!certPath2.Equals(certPath1))
{
Fail("CertPath differ after encoding and decoding.");
}
encoded = certPath1.GetEncoded("PEM");
//Testing CertPath generation from InputStream
inStream = new MemoryStream(encoded, false);
// certPath2 = cf.generateCertPath(inStream, "PEM");
certPath2 = new PkixCertPath(inStream, "PEM");
//Comparing both CertPathes
if (!certPath2.Equals(certPath1))
{
Fail("CertPath differ after encoding and decoding.");
}
//
// empty list test
//
list = new ArrayList();
// CertPath certPath = CertificateFactory.GetInstance("X.509","BC").generateCertPath(list);
PkixCertPath certPath = new PkixCertPath(list);
if (certPath.Certificates.Count != 0)
{
Fail("list wrong size.");
}
//
// exception tests
//
doTestExceptions();
}
private void doTestExceptions()
{
byte[] enc = { (byte)0, (byte)2, (byte)3, (byte)4, (byte)5 };
// MyCertPath mc = new MyCertPath(enc);
MemoryStream os = new MemoryStream();
MemoryStream ins;
byte[] arr;
// TODO Support serialization of cert paths?
// ObjectOutputStream oos = new ObjectOutputStream(os);
// oos.WriteObject(mc);
// oos.Flush();
// oos.Close();
try
{
// CertificateFactory cFac = CertificateFactory.GetInstance("X.509");
arr = os.ToArray();
ins = new MemoryStream(arr, false);
// cFac.generateCertPath(ins);
new PkixCertPath(ins);
}
catch (CertificateException)
{
// ignore okay
}
// CertificateFactory cf = CertificateFactory.GetInstance("X.509");
X509CertificateParser cf = new X509CertificateParser();
IList certCol = new ArrayList();
certCol.Add(cf.ReadCertificate(certA));
certCol.Add(cf.ReadCertificate(certB));
certCol.Add(cf.ReadCertificate(certC));
certCol.Add(cf.ReadCertificate(certD));
// CertPathBuilder pathBuilder = CertPathBuilder.GetInstance("PKIX");
PkixCertPathBuilder pathBuilder = new PkixCertPathBuilder();
X509CertStoreSelector select = new X509CertStoreSelector();
select.Subject = ((X509Certificate)certCol[0]).SubjectDN;
ISet trustanchors = new HashSet();
trustanchors.Add(new TrustAnchor(cf.ReadCertificate(rootCertBin), null));
// CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certCol));
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(certCol));
PkixBuilderParameters parameters = new PkixBuilderParameters(trustanchors, select);
parameters.AddStore(x509CertStore);
try
{
PkixCertPathBuilderResult result = pathBuilder.Build(parameters);
PkixCertPath path = result.CertPath;
Fail("found cert path in circular set");
}
catch (PkixCertPathBuilderException)
{
// expected
}
}
