Summary description for PkixBuilderParameters.
Inheritance: PkixParameters
Exemple #1
0
        /**
         * Find the issuer certificates of a given certificate.
         *
         * @param cert
         *            The certificate for which an issuer should be found.
         * @param pkixParams
         * @return A <code>Collection</code> object containing the issuer
         *         <code>X509Certificate</code>s. Never <code>null</code>.
         *
         * @exception Exception
         *                if an error occurs.
         */
        internal static ICollection FindIssuerCerts(
            X509Certificate cert,
            PkixBuilderParameters pkixParams)
        {
            X509CertStoreSelector certSelect = new X509CertStoreSelector();
            ISet certs = new HashSet();

            try
            {
                certSelect.Subject = cert.IssuerDN;
            }
            catch (IOException ex)
            {
                throw new Exception(
                          "Subject criteria for certificate selector to find issuer certificate could not be set.", ex);
            }

            try
            {
                certs.AddAll(PkixCertPathValidatorUtilities.FindCertificates(certSelect, pkixParams.GetStores()));
                certs.AddAll(PkixCertPathValidatorUtilities.FindCertificates(certSelect, pkixParams.GetAdditionalStores()));
            }
            catch (Exception e)
            {
                throw new Exception("Issuer certificate cannot be searched.", e);
            }

            return(certs);
        }
Exemple #2
0
        public static PkixBuilderParameters GetInstance(PkixParameters pkixParams)
        {
            PkixBuilderParameters pkixBuilderParameters = new PkixBuilderParameters(pkixParams.GetTrustAnchors(), new X509CertStoreSelector(pkixParams.GetTargetCertConstraints()));

            pkixBuilderParameters.SetParams(pkixParams);
            return(pkixBuilderParameters);
        }
Exemple #3
0
        public override object Clone()
        {
            PkixBuilderParameters pkixBuilderParameters = new PkixBuilderParameters(GetTrustAnchors(), GetTargetCertConstraints());

            pkixBuilderParameters.SetParams(this);
            return(pkixBuilderParameters);
        }
Exemple #4
0
        /**
         * Build and validate a CertPath using the given parameter.
         *
         * @param params PKIXBuilderParameters object containing all information to
         *            build the CertPath
         */
        public virtual PkixCertPathBuilderResult Build(
            PkixBuilderParameters pkixParams)
        {
            // search target certificates

            IX509Selector certSelect = pkixParams.GetTargetCertConstraints();

            if (!(certSelect is X509CertStoreSelector))
            {
                throw new PkixCertPathBuilderException(
                          "TargetConstraints must be an instance of "
                          + typeof(X509CertStoreSelector).FullName + " for "
                          + this.GetType() + " class.");
            }

            ISet targets = new HashSet();

            try
            {
                targets.AddAll(PkixCertPathValidatorUtilities.FindCertificates((X509CertStoreSelector)certSelect, pkixParams.GetStores()));
                // TODO Should this include an entry for pkixParams.GetAdditionalStores() too?
            }
            catch (Exception e)
            {
                throw new PkixCertPathBuilderException(
                          "Error finding target certificate.", e);
            }

            if (targets.IsEmpty)
            {
                throw new PkixCertPathBuilderException("No certificate found matching targetContraints.");
            }

            PkixCertPathBuilderResult result = null;
            IList certPathList = new ArrayList();

            // check all potential target certificates
            foreach (X509Certificate cert in targets)
            {
                result = Build(cert, pkixParams, certPathList);

                if (result != null)
                {
                    break;
                }
            }

            if (result == null && certPathException != null)
            {
                throw new PkixCertPathBuilderException(certPathException.Message, certPathException.InnerException);
            }

            if (result == null && certPathException == null)
            {
                throw new PkixCertPathBuilderException("Unable to find certificate chain.");
            }

            return(result);
        }
		/**
		* Returns an instance of <code>PkixBuilderParameters</code>.
		* <p>
		* This method can be used to get a copy from other
		* <code>PKIXBuilderParameters</code>, <code>PKIXParameters</code>,
		* and <code>ExtendedPKIXParameters</code> instances.
		* </p>
		*
		* @param pkixParams The PKIX parameters to create a copy of.
		* @return An <code>PkixBuilderParameters</code> instance.
		*/
		public static PkixBuilderParameters GetInstance(
			PkixParameters pkixParams)
		{
			PkixBuilderParameters parameters = new PkixBuilderParameters(
				pkixParams.GetTrustAnchors(),
				new X509CertStoreSelector(pkixParams.GetTargetCertConstraints()));
			parameters.SetParams(pkixParams);
			return parameters;
		}
		private void baseTest()
		{
//			CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
			X509CertificateParser certParser = new X509CertificateParser();
			X509CrlParser crlParser = new X509CrlParser();

			// initialise CertStore
			X509Certificate rootCert = certParser.ReadCertificate(CertPathTest.rootCertBin);
			X509Certificate interCert = certParser.ReadCertificate(CertPathTest.interCertBin);
			X509Certificate finalCert = certParser.ReadCertificate(CertPathTest.finalCertBin);
			X509Crl rootCrl = crlParser.ReadCrl(CertPathTest.rootCrlBin);
			X509Crl interCrl = crlParser.ReadCrl(CertPathTest.interCrlBin);

			IList certList = new ArrayList();
			certList.Add(rootCert);
			certList.Add(interCert);
			certList.Add(finalCert);

			IList crlList = new ArrayList();
			crlList.Add(rootCrl);
			crlList.Add(interCrl);

//			CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list);
//			CertStore store = CertStore.getInstance("Collection", ccsp, "BC");
			IX509Store x509CertStore = X509StoreFactory.Create(
				"Certificate/Collection",
				new X509CollectionStoreParameters(certList));
			IX509Store x509CrlStore = X509StoreFactory.Create(
				"CRL/Collection",
				new X509CollectionStoreParameters(crlList));

			// NB: Month is 1-based in .NET
            //DateTime validDate = new DateTime(2008, 9, 4, 14, 49, 10).ToUniversalTime();
            DateTime validDate = new DateTime(2008, 9, 4, 5, 49, 10);//.ToUniversalTime();

			//Searching for rootCert by subjectDN without CRL
			ISet trust = new HashSet();
			trust.Add(new TrustAnchor(rootCert, null));

//			CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX","BC");
			PkixCertPathBuilder cpb = new PkixCertPathBuilder();
			X509CertStoreSelector targetConstraints = new X509CertStoreSelector();
			targetConstraints.Subject = finalCert.SubjectDN;
			PkixBuilderParameters parameters = new PkixBuilderParameters(trust, targetConstraints);
//			parameters.addCertStore(store);
			parameters.AddStore(x509CertStore);
			parameters.AddStore(x509CrlStore);
			parameters.Date = new DateTimeObject(validDate);
			PkixCertPathBuilderResult result = cpb.Build(parameters);
			PkixCertPath path = result.CertPath;

			if (path.Certificates.Count != 2)
			{
				Fail("wrong number of certs in baseTest path");
			}
		}
Exemple #7
0
 protected override void SetParams(PkixParameters parameters)
 {
     base.SetParams(parameters);
     if (parameters is PkixBuilderParameters)
     {
         PkixBuilderParameters pkixBuilderParameters = (PkixBuilderParameters)parameters;
         maxPathLength = pkixBuilderParameters.maxPathLength;
         excludedCerts = new HashSet(pkixBuilderParameters.excludedCerts);
     }
 }
		/**
		 * Build and validate a CertPath using the given parameter.
		 *
		 * @param params PKIXBuilderParameters object containing all information to
		 *            build the CertPath
		 */
		public virtual PkixCertPathBuilderResult Build(
			PkixBuilderParameters pkixParams)
		{
			// search target certificates

			IX509Selector certSelect = pkixParams.GetTargetCertConstraints();
			if (!(certSelect is X509CertStoreSelector))
			{
				throw new PkixCertPathBuilderException(
					"TargetConstraints must be an instance of "
					+ typeof(X509CertStoreSelector).FullName + " for "
					+ this.GetType() + " class.");
			}

			ISet targets = new HashSet();
			try
			{
				targets.AddAll(PkixCertPathValidatorUtilities.FindCertificates((X509CertStoreSelector)certSelect, pkixParams.GetStores()));
				// TODO Should this include an entry for pkixParams.GetAdditionalStores() too?
			}
			catch (Exception e)
			{
				throw new PkixCertPathBuilderException(
					"Error finding target certificate.", e);
			}

			if (targets.IsEmpty)
				throw new PkixCertPathBuilderException("No certificate found matching targetContraints.");

			PkixCertPathBuilderResult result = null;
			IList certPathList = Platform.CreateArrayList();

			// check all potential target certificates
			foreach (X509Certificate cert in targets)
			{
				result = Build(cert, pkixParams, certPathList);

				if (result != null)
					break;
			}

			if (result == null && certPathException != null)
			{
				throw new PkixCertPathBuilderException(certPathException.Message, certPathException.InnerException);
			}

			if (result == null && certPathException == null)
			{
				throw new PkixCertPathBuilderException("Unable to find certificate chain.");
			}

			return result;
		}
        public virtual PkixCertPathBuilderResult Build(PkixBuilderParameters pkixParams)
        {
            IX509Selector targetCertConstraints = pkixParams.GetTargetCertConstraints();

            if (!(targetCertConstraints is X509CertStoreSelector))
            {
                throw new PkixCertPathBuilderException(string.Concat(new object[]
                {
                    "TargetConstraints must be an instance of ",
                    typeof(X509CertStoreSelector).FullName,
                    " for ",
                    base.GetType(),
                    " class."
                }));
            }
            ISet set = new HashSet();

            try
            {
                set.AddAll(PkixCertPathValidatorUtilities.FindCertificates((X509CertStoreSelector)targetCertConstraints, pkixParams.GetStores()));
            }
            catch (Exception exception)
            {
                throw new PkixCertPathBuilderException("Error finding target certificate.", exception);
            }
            if (set.IsEmpty)
            {
                throw new PkixCertPathBuilderException("No certificate found matching targetContraints.");
            }
            PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
            IList tbvPath = Platform.CreateArrayList();

            foreach (X509Certificate tbvCert in set)
            {
                pkixCertPathBuilderResult = this.Build(tbvCert, pkixParams, tbvPath);
                if (pkixCertPathBuilderResult != null)
                {
                    break;
                }
            }
            if (pkixCertPathBuilderResult == null && this.certPathException != null)
            {
                throw new PkixCertPathBuilderException(this.certPathException.Message, this.certPathException.InnerException);
            }
            if (pkixCertPathBuilderResult == null && this.certPathException == null)
            {
                throw new PkixCertPathBuilderException("Unable to find certificate chain.");
            }
            return(pkixCertPathBuilderResult);
        }
Exemple #10
0
        internal static ICollection FindIssuerCerts(X509Certificate cert, PkixBuilderParameters pkixParams)
        {
            X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector();
            ISet set = new HashSet();

            try
            {
                x509CertStoreSelector.Subject = cert.IssuerDN;
            }
            catch (IOException innerException)
            {
                throw new Exception("Subject criteria for certificate selector to find issuer certificate could not be set.", innerException);
            }
            try
            {
                set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores()));
                set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetAdditionalStores()));
            }
            catch (Exception innerException2)
            {
                throw new Exception("Issuer certificate cannot be searched.", innerException2);
            }
            return(set);
        }
		/**
		* Build and validate a CertPath using the given parameter.
		*
		* @param params PKIXBuilderParameters object containing all information to
		*            build the CertPath
		*/
		public virtual PkixCertPathBuilderResult Build(
			PkixBuilderParameters pkixParams)
		{
			// search target certificates

			IX509Selector certSelect = pkixParams.GetTargetConstraints();
			if (!(certSelect is X509AttrCertStoreSelector))
			{
				throw new PkixCertPathBuilderException(
					"TargetConstraints must be an instance of "
					+ typeof(X509AttrCertStoreSelector).FullName
					+ " for "
					+ typeof(PkixAttrCertPathBuilder).FullName + " class.");
			}

			ICollection targets;
			try
			{
				targets = PkixCertPathValidatorUtilities.FindCertificates(
					(X509AttrCertStoreSelector)certSelect, pkixParams.GetStores());
			}
			catch (Exception e)
			{
				throw new PkixCertPathBuilderException("Error finding target attribute certificate.", e);
			}

			if (targets.Count == 0)
			{
				throw new PkixCertPathBuilderException(
					"No attribute certificate found matching targetContraints.");
			}

			PkixCertPathBuilderResult result = null;

			// check all potential target certificates
			foreach (IX509AttributeCertificate cert in targets)
			{
				X509CertStoreSelector selector = new X509CertStoreSelector();
				X509Name[] principals = cert.Issuer.GetPrincipals();
				ISet issuers = new HashSet();
				for (int i = 0; i < principals.Length; i++)
				{
					try
					{
						selector.Subject = principals[i];

						issuers.AddAll(PkixCertPathValidatorUtilities.FindCertificates(selector, pkixParams.GetStores()));
					}
					catch (Exception e)
					{
						throw new PkixCertPathBuilderException(
							"Public key certificate for attribute certificate cannot be searched.",
							e);
					}
				}

				if (issuers.IsEmpty)
					throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be found.");

                IList certPathList = Platform.CreateArrayList();

				foreach (X509Certificate issuer in issuers)
				{
					result = Build(cert, issuer, pkixParams, certPathList);

					if (result != null)
						break;
				}

				if (result != null)
					break;
			}

			if (result == null && certPathException != null)
			{
				throw new PkixCertPathBuilderException(
					"Possible certificate chain could not be validated.",
					certPathException);
			}

			if (result == null && certPathException == null)
			{
				throw new PkixCertPathBuilderException(
					"Unable to find certificate chain.");
			}

			return result;
		}
		private PkixCertPathBuilderResult Build(
			IX509AttributeCertificate	attrCert,
			X509Certificate				tbvCert,
			PkixBuilderParameters		pkixParams,
			IList						tbvPath)
		{
			// If tbvCert is readily present in tbvPath, it indicates having run
			// into a cycle in the
			// PKI graph.
			if (tbvPath.Contains(tbvCert))
				return null;

			// step out, the certificate is not allowed to appear in a certification
			// chain
			if (pkixParams.GetExcludedCerts().Contains(tbvCert))
				return null;

			// test if certificate path exceeds maximum length
			if (pkixParams.MaxPathLength != -1)
			{
				if (tbvPath.Count - 1 > pkixParams.MaxPathLength)
					return null;
			}

			tbvPath.Add(tbvCert);

			PkixCertPathBuilderResult builderResult = null;

//			X509CertificateParser certParser = new X509CertificateParser();
			PkixAttrCertPathValidator validator = new PkixAttrCertPathValidator();

			try
			{
				// check whether the issuer of <tbvCert> is a TrustAnchor
				if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
				{
					PkixCertPath certPath = new PkixCertPath(tbvPath);
					PkixCertPathValidatorResult result;

					try
					{
						result = validator.Validate(certPath, pkixParams);
					}
					catch (Exception e)
					{
						throw new Exception("Certification path could not be validated.", e);
					}

					return new PkixCertPathBuilderResult(certPath, result.TrustAnchor,
						result.PolicyTree, result.SubjectPublicKey);
				}
				else
				{
					// add additional X.509 stores from locations in certificate
					try
					{
						PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams);
					}
					catch (CertificateParsingException e)
					{
						throw new Exception("No additional X.509 stores can be added from certificate locations.", e);
					}

					// try to get the issuer certificate from one of the stores
					ISet issuers = new HashSet();
					try
					{
						issuers.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
					}
					catch (Exception e)
					{
						throw new Exception("Cannot find issuer certificate for certificate in certification path.", e);
					}

					if (issuers.IsEmpty)
						throw new Exception("No issuer certificate for certificate in certification path found.");

					foreach (X509Certificate issuer in issuers)
					{
						// if untrusted self signed certificate continue
						if (PkixCertPathValidatorUtilities.IsSelfIssued(issuer))
							continue;

						builderResult = Build(attrCert, issuer, pkixParams, tbvPath);

						if (builderResult != null)
							break;
					}
				}
			}
			catch (Exception e)
			{
				certPathException = new Exception("No valid certification path could be build.", e);
			}

			if (builderResult == null)
			{
				tbvPath.Remove(tbvCert);
			}

			return builderResult;
		}
		private void doTestExceptions()
		{
			byte[] enc = { (byte)0, (byte)2, (byte)3, (byte)4, (byte)5 };
//			MyCertPath mc = new MyCertPath(enc);
			MemoryStream os = new MemoryStream();
			MemoryStream ins;
			byte[] arr;

			// TODO Support serialization of cert paths?
//			ObjectOutputStream oos = new ObjectOutputStream(os);
//			oos.WriteObject(mc);
//			oos.Flush();
//			oos.Close();

			try
			{
//				CertificateFactory cFac = CertificateFactory.GetInstance("X.509");
				arr = os.ToArray();
				ins = new MemoryStream(arr, false);
//				cFac.generateCertPath(ins);
				new PkixCertPath(ins);
			}
			catch (CertificateException)
			{
				// ignore okay
			}

//			CertificateFactory cf = CertificateFactory.GetInstance("X.509");
			X509CertificateParser cf = new X509CertificateParser();
			IList certCol = new ArrayList();

			certCol.Add(cf.ReadCertificate(certA));
			certCol.Add(cf.ReadCertificate(certB));
			certCol.Add(cf.ReadCertificate(certC));
			certCol.Add(cf.ReadCertificate(certD));

//			CertPathBuilder pathBuilder = CertPathBuilder.GetInstance("PKIX");
			PkixCertPathBuilder pathBuilder = new PkixCertPathBuilder();
			X509CertStoreSelector select = new X509CertStoreSelector();
			select.Subject = ((X509Certificate)certCol[0]).SubjectDN;

			ISet trustanchors = new HashSet();
			trustanchors.Add(new TrustAnchor(cf.ReadCertificate(rootCertBin), null));

//			CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certCol));
			IX509Store x509CertStore = X509StoreFactory.Create(
				"Certificate/Collection",
				new X509CollectionStoreParameters(certCol));

			PkixBuilderParameters parameters = new PkixBuilderParameters(trustanchors, select);
			parameters.AddStore(x509CertStore);

			try
			{
				PkixCertPathBuilderResult result = pathBuilder.Build(parameters);
				PkixCertPath path = result.CertPath;
				Fail("found cert path in circular set");
			}
			catch (PkixCertPathBuilderException)
			{
				// expected
			}
		}
Exemple #14
0
        //jbonilla - Por algún motivo, no devuleve el certificado root.
        public static X509Certificate[] BuildCertificateChainBC(X509Certificate checkCert, ICollection<X509Certificate> keystore)
        {
            PkixCertPathBuilder builder = new PkixCertPathBuilder();

            // Separate root from itermediate
            List<X509Certificate> intermediateCerts = new List<X509Certificate>();
            HashSet rootCerts = new HashSet();

            foreach (X509Certificate cert in keystore)
            {
                // Separate root and subordinate certificates
                if (IsSelfSigned(cert))
                    rootCerts.Add(new TrustAnchor(cert, null));
                else
                    intermediateCerts.Add(cert);
            }

            // Create chain for this certificate
            X509CertStoreSelector holder = new X509CertStoreSelector();
            holder.Certificate = checkCert;

            // WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN
            intermediateCerts.Add(holder.Certificate);

            PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder);
            builderParams.IsRevocationEnabled = false;

            X509CollectionStoreParameters intermediateStoreParameters =
                new X509CollectionStoreParameters(intermediateCerts);

            builderParams.AddStore(X509StoreFactory.Create(
                "Certificate/Collection", intermediateStoreParameters));

            PkixCertPathBuilderResult result = builder.Build(builderParams);            

            List<X509Certificate> chain = new List<X509Certificate>();

            foreach(X509Certificate cert in result.CertPath.Certificates)
            {
                chain.Add(cert);
            }           

            return chain.ToArray();
        }
        private PkixCertPathBuilderResult Build(IX509AttributeCertificate attrCert, X509Certificate tbvCert, PkixBuilderParameters pkixParams, IList tbvPath)
        {
            if (tbvPath.Contains(tbvCert))
            {
                return(null);
            }
            if (pkixParams.GetExcludedCerts().Contains(tbvCert))
            {
                return(null);
            }
            if (pkixParams.MaxPathLength != -1 && tbvPath.Count - 1 > pkixParams.MaxPathLength)
            {
                return(null);
            }
            tbvPath.Add(tbvCert);
            PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
            PkixAttrCertPathValidator pkixAttrCertPathValidator = new PkixAttrCertPathValidator();

            try
            {
                if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
                {
                    PkixCertPath certPath = new PkixCertPath(tbvPath);
                    PkixCertPathValidatorResult pkixCertPathValidatorResult;
                    try
                    {
                        pkixCertPathValidatorResult = pkixAttrCertPathValidator.Validate(certPath, pkixParams);
                    }
                    catch (Exception innerException)
                    {
                        throw new Exception("Certification path could not be validated.", innerException);
                    }
                    return(new PkixCertPathBuilderResult(certPath, pkixCertPathValidatorResult.TrustAnchor, pkixCertPathValidatorResult.PolicyTree, pkixCertPathValidatorResult.SubjectPublicKey));
                }
                try
                {
                    PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams);
                }
                catch (CertificateParsingException innerException2)
                {
                    throw new Exception("No additional X.509 stores can be added from certificate locations.", innerException2);
                }
                ISet set = new HashSet();
                try
                {
                    set.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
                }
                catch (Exception innerException3)
                {
                    throw new Exception("Cannot find issuer certificate for certificate in certification path.", innerException3);
                }
                if (set.IsEmpty)
                {
                    throw new Exception("No issuer certificate for certificate in certification path found.");
                }
                foreach (X509Certificate x509Certificate in set)
                {
                    if (!PkixCertPathValidatorUtilities.IsSelfIssued(x509Certificate))
                    {
                        pkixCertPathBuilderResult = this.Build(attrCert, x509Certificate, pkixParams, tbvPath);
                        if (pkixCertPathBuilderResult != null)
                        {
                            break;
                        }
                    }
                }
            }
            catch (Exception innerException4)
            {
                this.certPathException = new Exception("No valid certification path could be build.", innerException4);
            }
            if (pkixCertPathBuilderResult == null)
            {
                tbvPath.Remove(tbvCert);
            }
            return(pkixCertPathBuilderResult);
        }
Exemple #16
0
        /**
         * Searches for a holder public key certificate and verifies its
         * certification path.
         *
         * @param attrCert the attribute certificate.
         * @param pkixParams The PKIX parameters.
         * @return The certificate path of the holder certificate.
         * @throws Exception if
         *             <ul>
         *             <li>no public key certificate can be found although holder
         *             information is given by an entity name or a base certificate
         *             ID</li>
         *             <li>support classes cannot be created</li>
         *             <li>no certification path for the public key certificate can
         *             be built</li>
         *             </ul>
         */
        internal static PkixCertPath ProcessAttrCert1(
            IX509AttributeCertificate attrCert,
            PkixParameters pkixParams)
        {
            PkixCertPathBuilderResult result = null;
            // find holder PKCs
            ISet holderPKCs = new HashSet();

            if (attrCert.Holder.GetIssuer() != null)
            {
                X509CertStoreSelector selector = new X509CertStoreSelector();
                selector.SerialNumber = attrCert.Holder.SerialNumber;
                X509Name[] principals = attrCert.Holder.GetIssuer();
                for (int i = 0; i < principals.Length; i++)
                {
                    try
                    {
//						if (principals[i] is X500Principal)
                        {
                            selector.Issuer = principals[i];
                        }
                        holderPKCs.AddAll(PkixCertPathValidatorUtilities
                                          .FindCertificates(selector, pkixParams.GetStores()));
                    }
                    catch (Exception e)
                    {
                        throw new PkixCertPathValidatorException(
                                  "Public key certificate for attribute certificate cannot be searched.",
                                  e);
                    }
                }
                if (holderPKCs.IsEmpty)
                {
                    throw new PkixCertPathValidatorException(
                              "Public key certificate specified in base certificate ID for attribute certificate cannot be found.");
                }
            }
            if (attrCert.Holder.GetEntityNames() != null)
            {
                X509CertStoreSelector selector   = new X509CertStoreSelector();
                X509Name[]            principals = attrCert.Holder.GetEntityNames();
                for (int i = 0; i < principals.Length; i++)
                {
                    try
                    {
//						if (principals[i] is X500Principal)
                        {
                            selector.Issuer = principals[i];
                        }
                        holderPKCs.AddAll(PkixCertPathValidatorUtilities
                                          .FindCertificates(selector, pkixParams.GetStores()));
                    }
                    catch (Exception e)
                    {
                        throw new PkixCertPathValidatorException(
                                  "Public key certificate for attribute certificate cannot be searched.",
                                  e);
                    }
                }
                if (holderPKCs.IsEmpty)
                {
                    throw new PkixCertPathValidatorException(
                              "Public key certificate specified in entity name for attribute certificate cannot be found.");
                }
            }

            // verify cert paths for PKCs
            PkixBuilderParameters parameters = (PkixBuilderParameters)
                                               PkixBuilderParameters.GetInstance(pkixParams);

            PkixCertPathValidatorException lastException = null;

            foreach (X509Certificate cert in holderPKCs)
            {
                X509CertStoreSelector selector = new X509CertStoreSelector();
                selector.Certificate = cert;
                parameters.SetTargetConstraints(selector);

                PkixCertPathBuilder builder = new PkixCertPathBuilder();

                try
                {
                    result = builder.Build(PkixBuilderParameters.GetInstance(parameters));
                }
                catch (PkixCertPathBuilderException e)
                {
                    lastException = new PkixCertPathValidatorException(
                        "Certification path for public key certificate of attribute certificate could not be build.",
                        e);
                }
            }
            if (lastException != null)
            {
                throw lastException;
            }
            return(result.CertPath);
        }
Exemple #17
0
        protected virtual PkixCertPathBuilderResult Build(
            X509Certificate tbvCert,
            PkixBuilderParameters pkixParams,
            IList tbvPath)
        {
            // If tbvCert is readily present in tbvPath, it indicates having run
            // into a cycle in the PKI graph.
            if (tbvPath.Contains(tbvCert))
            {
                return(null);
            }

            // step out, the certificate is not allowed to appear in a certification
            // chain.
            if (pkixParams.GetExcludedCerts().Contains(tbvCert))
            {
                return(null);
            }

            // test if certificate path exceeds maximum length
            if (pkixParams.MaxPathLength != -1)
            {
                if (tbvPath.Count - 1 > pkixParams.MaxPathLength)
                {
                    return(null);
                }
            }

            tbvPath.Add(tbvCert);

            X509CertificateParser     certParser    = new X509CertificateParser();
            PkixCertPathBuilderResult builderResult = null;
            PkixCertPathValidator     validator     = new PkixCertPathValidator();

            try
            {
                // check whether the issuer of <tbvCert> is a TrustAnchor
                if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
                {
                    // exception message from possibly later tried certification
                    // chains
                    PkixCertPath certPath = null;
                    try
                    {
                        certPath = new PkixCertPath(tbvPath);
                    }
                    catch (Exception e)
                    {
                        throw new Exception(
                                  "Certification path could not be constructed from certificate list.",
                                  e);
                    }

                    PkixCertPathValidatorResult result = null;
                    try
                    {
                        result = (PkixCertPathValidatorResult)validator.Validate(
                            certPath, pkixParams);
                    }
                    catch (Exception e)
                    {
                        throw new Exception(
                                  "Certification path could not be validated.", e);
                    }

                    return(new PkixCertPathBuilderResult(certPath, result.TrustAnchor,
                                                         result.PolicyTree, result.SubjectPublicKey));
                }
                else
                {
                    // add additional X.509 stores from locations in certificate
                    try
                    {
                        PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(
                            tbvCert, pkixParams);
                    }
                    catch (CertificateParsingException e)
                    {
                        throw new Exception(
                                  "No additiontal X.509 stores can be added from certificate locations.",
                                  e);
                    }

                    // try to get the issuer certificate from one of the stores
                    HashSet issuers = new HashSet();
                    try
                    {
                        issuers.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
                    }
                    catch (Exception e)
                    {
                        throw new Exception(
                                  "Cannot find issuer certificate for certificate in certification path.",
                                  e);
                    }

                    if (issuers.IsEmpty)
                    {
                        throw new Exception("No issuer certificate for certificate in certification path found.");
                    }

                    foreach (X509Certificate issuer in issuers)
                    {
                        builderResult = Build(issuer, pkixParams, tbvPath);

                        if (builderResult != null)
                        {
                            break;
                        }
                    }
                }
            }
            catch (Exception e)
            {
                certPathException = e;
            }

            if (builderResult == null)
            {
                tbvPath.Remove(tbvCert);
            }

            return(builderResult);
        }
		private string TestPolicies(
			int index,
			X509Certificate trustCert,
			X509Certificate intCert,
			X509Certificate endCert,
			ISet requirePolicies,
			bool okay)
		{
			ISet trust = new HashSet();
			trust.Add(new TrustAnchor(trustCert, null));
			X509CertStoreSelector targetConstraints = new X509CertStoreSelector();
			targetConstraints.Subject = endCert.SubjectDN;
			PkixBuilderParameters pbParams = new PkixBuilderParameters(trust, targetConstraints);

			ISet certs = new HashSet();
			certs.Add(intCert);
			certs.Add(endCert);

			IX509Store store = X509StoreFactory.Create(
				"CERTIFICATE/COLLECTION",
				new X509CollectionStoreParameters(certs));
			pbParams.AddStore(store);

			pbParams.IsRevocationEnabled = false;
			if (requirePolicies != null)
			{
				pbParams.IsExplicitPolicyRequired = true;
				pbParams.SetInitialPolicies(requirePolicies);
			}

//			CertPathBuilder cpb = CertPathBuilder.GetInstance("PKIX");
			PkixCertPathBuilder cpb = new PkixCertPathBuilder();
			PkixCertPathBuilderResult result = null;

			try
			{
				result = (PkixCertPathBuilderResult)cpb.Build(pbParams);

				if (!okay)
				{
					Fail(index + ": path validated when failure expected.");
				}

//				if (result.getPolicyTree() != null)
//				{
//					Console.WriteLine("OK");
//					Console.WriteLine("policy: " + result.getPolicyTree());
//				}
//				else
//				{
//					Console.WriteLine("OK: policy tree = null");
//				}

				return "";
			}
			catch (TestFailedException e)
			{
				throw e;
			}
			catch (Exception e)
			{
				if (okay)
				{
					Fail(index + ": path failed to validate when success expected.");
				}

				Exception ee = e.InnerException;
				if (ee != null)
				{
					return ee.Message;
				}

				return e.Message;
			}
		}
Exemple #19
0
        public virtual PkixCertPathBuilderResult Build(PkixBuilderParameters pkixParams)
        {
            IX509Selector targetCertConstraints = pkixParams.GetTargetCertConstraints();

            if (!(targetCertConstraints is X509CertStoreSelector))
            {
                throw new PkixCertPathBuilderException(string.Concat(new string[5]
                {
                    "TargetConstraints must be an instance of ",
                    typeof(X509CertStoreSelector).get_FullName(),
                    " for ",
                    Platform.GetTypeName(this),
                    " class."
                }));
            }
            ISet set = new HashSet();

            try
            {
                set.AddAll((global::System.Collections.IEnumerable)PkixCertPathValidatorUtilities.FindCertificates((X509CertStoreSelector)targetCertConstraints, pkixParams.GetStores()));
            }
            catch (global::System.Exception exception)
            {
                throw new PkixCertPathBuilderException("Error finding target certificate.", exception);
            }
            if (set.IsEmpty)
            {
                throw new PkixCertPathBuilderException("No certificate found matching targetContraints.");
            }
            PkixCertPathBuilderResult pkixCertPathBuilderResult = null;

            global::System.Collections.IList       tbvPath    = Platform.CreateArrayList();
            global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)set).GetEnumerator();
            try
            {
                while (enumerator.MoveNext())
                {
                    X509Certificate tbvCert = (X509Certificate)enumerator.get_Current();
                    pkixCertPathBuilderResult = Build(tbvCert, pkixParams, tbvPath);
                    if (pkixCertPathBuilderResult != null)
                    {
                        break;
                    }
                }
            }
            finally
            {
                global::System.IDisposable disposable = enumerator as global::System.IDisposable;
                if (disposable != null)
                {
                    disposable.Dispose();
                }
            }
            if (pkixCertPathBuilderResult == null && certPathException != null)
            {
                throw new PkixCertPathBuilderException(certPathException.get_Message(), certPathException.get_InnerException());
            }
            if (pkixCertPathBuilderResult == null && certPathException == null)
            {
                throw new PkixCertPathBuilderException("Unable to find certificate chain.");
            }
            return(pkixCertPathBuilderResult);
        }
        internal static PkixCertPath ProcessAttrCert1(IX509AttributeCertificate attrCert, PkixParameters pkixParams)
        {
            PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
            ISet set = new HashSet();

            if (attrCert.Holder.GetIssuer() != null)
            {
                X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector();
                x509CertStoreSelector.SerialNumber = attrCert.Holder.SerialNumber;
                X509Name[] issuer = attrCert.Holder.GetIssuer();
                for (int i = 0; i < issuer.Length; i++)
                {
                    try
                    {
                        x509CertStoreSelector.Issuer = issuer[i];
                        set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores()));
                    }
                    catch (Exception cause)
                    {
                        throw new PkixCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", cause);
                    }
                }
                if (set.IsEmpty)
                {
                    throw new PkixCertPathValidatorException("Public key certificate specified in base certificate ID for attribute certificate cannot be found.");
                }
            }
            if (attrCert.Holder.GetEntityNames() != null)
            {
                X509CertStoreSelector x509CertStoreSelector2 = new X509CertStoreSelector();
                X509Name[]            entityNames            = attrCert.Holder.GetEntityNames();
                for (int j = 0; j < entityNames.Length; j++)
                {
                    try
                    {
                        x509CertStoreSelector2.Issuer = entityNames[j];
                        set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector2, pkixParams.GetStores()));
                    }
                    catch (Exception cause2)
                    {
                        throw new PkixCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", cause2);
                    }
                }
                if (set.IsEmpty)
                {
                    throw new PkixCertPathValidatorException("Public key certificate specified in entity name for attribute certificate cannot be found.");
                }
            }
            PkixBuilderParameters          instance = PkixBuilderParameters.GetInstance(pkixParams);
            PkixCertPathValidatorException ex       = null;

            foreach (X509Certificate certificate in set)
            {
                instance.SetTargetConstraints(new X509CertStoreSelector
                {
                    Certificate = certificate
                });
                PkixCertPathBuilder pkixCertPathBuilder = new PkixCertPathBuilder();
                try
                {
                    pkixCertPathBuilderResult = pkixCertPathBuilder.Build(PkixBuilderParameters.GetInstance(instance));
                }
                catch (PkixCertPathBuilderException cause3)
                {
                    ex = new PkixCertPathValidatorException("Certification path for public key certificate of attribute certificate could not be build.", cause3);
                }
            }
            if (ex != null)
            {
                throw ex;
            }
            return(pkixCertPathBuilderResult.CertPath);
        }
        /// <summary>
        /// Builds certification path for provided signing certificate
        /// </summary>
        /// <param name="signingCertificate">Signing certificate</param>
        /// <param name="otherCertificates">Other certificates that should be used in path building process. Self-signed certificates from this list are used as trust anchors.</param>
        /// <param name="includeRoot">Flag indicating whether root certificate should be included int the certification path.</param>
        /// <returns>Certification path for provided signing certificate</returns>
        public static ICollection<BCX509.X509Certificate> BuildCertPath(byte[] signingCertificate, List<byte[]> otherCertificates, bool includeRoot)
        {
            if (signingCertificate == null)
                throw new ArgumentNullException("signingCertificate");

            List<BCX509.X509Certificate> result = new List<BCX509.X509Certificate>();

            BCX509.X509Certificate signingCert = ToBouncyCastleObject(signingCertificate);
            BCCollections.ISet trustAnchors = new BCCollections.HashSet();
            List<BCX509.X509Certificate> otherCerts = new List<BCX509.X509Certificate>();

            if (IsSelfSigned(signingCert))
            {
                if (includeRoot)
                    result.Add(signingCert);
            }
            else
            {
                otherCerts.Add(signingCert);

                if (otherCertificates != null)
                {
                    foreach (byte[] otherCertificate in otherCertificates)
                    {
                        BCX509.X509Certificate otherCert = ToBouncyCastleObject(otherCertificate);
                        otherCerts.Add(ToBouncyCastleObject(otherCertificate));
                        if (IsSelfSigned(otherCert))
                            trustAnchors.Add(new TrustAnchor(otherCert, null));
                    }
                }

                if (trustAnchors.Count < 1)
                    throw new PkixCertPathBuilderException("Provided certificates do not contain self-signed root certificate");

                X509CertStoreSelector targetConstraints = new X509CertStoreSelector();
                targetConstraints.Certificate = signingCert;

                PkixBuilderParameters certPathBuilderParameters = new PkixBuilderParameters(trustAnchors, targetConstraints);
                certPathBuilderParameters.AddStore(X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(otherCerts)));
                certPathBuilderParameters.IsRevocationEnabled = false;

                PkixCertPathBuilder certPathBuilder = new PkixCertPathBuilder();
                PkixCertPathBuilderResult certPathBuilderResult = certPathBuilder.Build(certPathBuilderParameters);

                foreach (BCX509.X509Certificate certPathCert in certPathBuilderResult.CertPath.Certificates)
                    result.Add(certPathCert);

                if (includeRoot)
                    result.Add(certPathBuilderResult.TrustAnchor.TrustedCert);
            }

            return result;
        }
        private static IReadOnlyCollection<X509Certificate> GetChain([NotNull] X509Certificate cert, [CanBeNull] IReadOnlyList<X509Certificate> certs)
        {
            var certList = new List<X509Certificate>();
            if (certs != null)
                certList.AddRange(certs);
            certList.Add(cert);

            var certStore = X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(certList));

            var rootCerts = certs.Where(IsSelfSigned).ToList();
            var trustAnchors = rootCerts.Select(x => new TrustAnchor(x, null));
            var trust = new HashSet(trustAnchors);

            var cpb = new PkixCertPathBuilder();
            var targetConstraints = new X509CertStoreSelector()
            {
                Certificate = cert,
            };
            var parameters = new PkixBuilderParameters(trust, targetConstraints)
            {
                IsRevocationEnabled = false,
            };
            parameters.AddStore(certStore);
            var cpbResult = cpb.Build(parameters);

            var result = new List<X509Certificate>();
            result.AddRange(cpbResult.CertPath.Certificates.Cast<X509Certificate>());
            result.Add(cpbResult.TrustAnchor.TrustedCert);
            return result;
        }
		private void Test(string _name, string[] _data, ISet _ipolset,
			bool _explicit, bool _accept, bool _debug)
		{
			testCount++;
			bool _pass = true;

			try
			{
//				CertPathBuilder _cpb = CertPathBuilder.GetInstance("PKIX");
				PkixCertPathBuilder _cpb = new PkixCertPathBuilder();

				X509Certificate _ee = DecodeCertificate(_data[_data.Length - 1]);
				X509CertStoreSelector _select = new X509CertStoreSelector();
				_select.Subject = _ee.SubjectDN;

				IX509Store certStore, crlStore;
				MakeCertStore(_data, out certStore, out crlStore);

				PkixBuilderParameters _param = new PkixBuilderParameters(
					trustedSet, _select);
				_param.IsExplicitPolicyRequired = _explicit;
				_param.AddStore(certStore);
				_param.AddStore(crlStore);
				_param.IsRevocationEnabled = true;

				if (_ipolset != null)
				{
					_param.SetInitialPolicies(_ipolset);
				}

				PkixCertPathBuilderResult _result = _cpb.Build(_param);

				if (!_accept)
				{
					_pass = false;
					testFail.Add(_name);
				}
			}
			catch (Exception)
			{
				if (_accept)
				{
					_pass = false;
					testFail.Add(_name);
				}
			}

			resultBuf.Append("NISTCertPathTest -- ").Append(_name).Append(": ")
				.Append(_pass ? "\n" : "Failed.\n");
		}
        static IEnumerable<Org.BouncyCastle.X509.X509Certificate> BuildCertificateChainBC(byte[] primary, IEnumerable<byte[]> additional)
        {
            X509CertificateParser parser = new X509CertificateParser();
            PkixCertPathBuilder builder = new PkixCertPathBuilder();

            // Separate root from itermediate
            var intermediateCerts = new List<Org.BouncyCastle.X509.X509Certificate>();
            HashSet rootCerts = new HashSet();

            foreach (byte[] cert in additional)
            {
                var x509Cert = parser.ReadCertificate(cert);

                // Separate root and subordinate certificates
                if (x509Cert.IssuerDN.Equivalent(x509Cert.SubjectDN))
                    rootCerts.Add(new TrustAnchor(x509Cert, null));
                else
                    intermediateCerts.Add(x509Cert);
            }

            // Create chain for this certificate
            X509CertStoreSelector holder = new X509CertStoreSelector();
            holder.Certificate = parser.ReadCertificate(primary);

            // WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN
            intermediateCerts.Add(holder.Certificate);

            PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder);
            builderParams.IsRevocationEnabled = false;

            X509CollectionStoreParameters intermediateStoreParameters =
                new X509CollectionStoreParameters(intermediateCerts);

            builderParams.AddStore(X509StoreFactory.Create(
                "Certificate/Collection", intermediateStoreParameters));

            PkixCertPathBuilderResult result = builder.Build(builderParams);

            return result.CertPath.Certificates.Cast<Org.BouncyCastle.X509.X509Certificate>();
        }
		private PkixCertPathBuilderResult doBuilderTest(
			string		trustAnchor,
			string[]	certs,
			string[]	crls,
			ISet		initialPolicies,
			bool		policyMappingInhibited,
			bool		anyPolicyInhibited)
		{
			ISet trustedSet = new HashSet();
			trustedSet.Add(GetTrustAnchor(trustAnchor));

			IList x509Certs = new ArrayList();
			IList x509Crls = new ArrayList();
			X509Certificate endCert = LoadCert(certs[certs.Length - 1]);

			for (int i = 0; i != certs.Length - 1; i++)
			{
				x509Certs.Add(LoadCert(certs[i]));
			}

			x509Certs.Add(endCert);

			for (int i = 0; i != crls.Length; i++)
			{
				x509Crls.Add(LoadCrl(crls[i]));
			}

			IX509Store x509CertStore = X509StoreFactory.Create(
				"Certificate/Collection",
				new X509CollectionStoreParameters(x509Certs));
			IX509Store x509CrlStore = X509StoreFactory.Create(
				"CRL/Collection",
				new X509CollectionStoreParameters(x509Crls));

//			CertPathBuilder builder = CertPathBuilder.GetInstance("PKIX");   
			PkixCertPathBuilder builder = new PkixCertPathBuilder();

			X509CertStoreSelector endSelector = new X509CertStoreSelector();

			endSelector.Certificate = endCert;

			PkixBuilderParameters builderParams = new PkixBuilderParameters(trustedSet, endSelector);

			if (initialPolicies != null)
			{
				builderParams.SetInitialPolicies(initialPolicies);
				builderParams.IsExplicitPolicyRequired = true;
			}
			if (policyMappingInhibited)
			{
				builderParams.IsPolicyMappingInhibited = policyMappingInhibited;
			}
			if (anyPolicyInhibited)
			{
				builderParams.IsAnyPolicyInhibited = anyPolicyInhibited;
			}

			builderParams.AddStore(x509CertStore);
			builderParams.AddStore(x509CrlStore);

			// Perform validation as of this date since test certs expired
			builderParams.Date = new DateTimeObject(DateTime.Parse("1/1/2011"));

			try
			{
				return (PkixCertPathBuilderResult) builder.Build(builderParams);
			}
			catch (PkixCertPathBuilderException e)
			{               
				throw e.InnerException;
			}
		}
Exemple #26
0
        internal static global::System.Collections.ICollection FindIssuerCerts(X509Certificate cert, PkixBuilderParameters pkixParams)
        {
            //IL_001b: Expected O, but got Unknown
            X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector();
            ISet set = new HashSet();

            try
            {
                x509CertStoreSelector.Subject = cert.IssuerDN;
            }
            catch (IOException val)
            {
                IOException val2 = val;
                throw new global::System.Exception("Subject criteria for certificate selector to find issuer certificate could not be set.", (global::System.Exception)(object) val2);
            }
            try
            {
                set.AddAll((global::System.Collections.IEnumerable)FindCertificates(x509CertStoreSelector, pkixParams.GetStores()));
                set.AddAll((global::System.Collections.IEnumerable)FindCertificates(x509CertStoreSelector, pkixParams.GetAdditionalStores()));
                return(set);
            }
            catch (global::System.Exception ex)
            {
                throw new global::System.Exception("Issuer certificate cannot be searched.", ex);
            }
        }
Exemple #27
0
        private PkixCertPathBuilderResult Build(IX509AttributeCertificate attrCert, X509Certificate tbvCert, PkixBuilderParameters pkixParams, global::System.Collections.IList tbvPath)
        {
            if (tbvPath.Contains((object)tbvCert))
            {
                return(null);
            }
            if (pkixParams.GetExcludedCerts().Contains(tbvCert))
            {
                return(null);
            }
            if (pkixParams.MaxPathLength != -1 && ((global::System.Collections.ICollection)tbvPath).get_Count() - 1 > pkixParams.MaxPathLength)
            {
                return(null);
            }
            tbvPath.Add((object)tbvCert);
            PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
            PkixAttrCertPathValidator pkixAttrCertPathValidator = new PkixAttrCertPathValidator();

            try
            {
                if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
                {
                    PkixCertPath certPath = new PkixCertPath((global::System.Collections.ICollection)tbvPath);
                    PkixCertPathValidatorResult pkixCertPathValidatorResult;
                    try
                    {
                        pkixCertPathValidatorResult = pkixAttrCertPathValidator.Validate(certPath, pkixParams);
                    }
                    catch (global::System.Exception ex)
                    {
                        throw new global::System.Exception("Certification path could not be validated.", ex);
                    }
                    return(new PkixCertPathBuilderResult(certPath, pkixCertPathValidatorResult.TrustAnchor, pkixCertPathValidatorResult.PolicyTree, pkixCertPathValidatorResult.SubjectPublicKey));
                }
                try
                {
                    PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams);
                }
                catch (CertificateParsingException ex2)
                {
                    throw new global::System.Exception("No additional X.509 stores can be added from certificate locations.", (global::System.Exception)ex2);
                }
                ISet set = new HashSet();
                try
                {
                    set.AddAll((global::System.Collections.IEnumerable)PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
                }
                catch (global::System.Exception ex3)
                {
                    throw new global::System.Exception("Cannot find issuer certificate for certificate in certification path.", ex3);
                }
                if (set.IsEmpty)
                {
                    throw new global::System.Exception("No issuer certificate for certificate in certification path found.");
                }
                global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)set).GetEnumerator();
                try
                {
                    while (enumerator.MoveNext())
                    {
                        X509Certificate x509Certificate = (X509Certificate)enumerator.get_Current();
                        if (!PkixCertPathValidatorUtilities.IsSelfIssued(x509Certificate))
                        {
                            pkixCertPathBuilderResult = Build(attrCert, x509Certificate, pkixParams, tbvPath);
                            if (pkixCertPathBuilderResult != null)
                            {
                                break;
                            }
                        }
                    }
                }
                finally
                {
                    global::System.IDisposable disposable = enumerator as global::System.IDisposable;
                    if (disposable != null)
                    {
                        disposable.Dispose();
                    }
                }
            }
            catch (global::System.Exception ex4)
            {
                certPathException = new global::System.Exception("No valid certification path could be build.", ex4);
            }
            if (pkixCertPathBuilderResult == null)
            {
                tbvPath.Remove((object)tbvCert);
            }
            return(pkixCertPathBuilderResult);
        }
		/**
		* Find the issuer certificates of a given certificate.
		*
		* @param cert
		*            The certificate for which an issuer should be found.
		* @param pkixParams
		* @return A <code>Collection</code> object containing the issuer
		*         <code>X509Certificate</code>s. Never <code>null</code>.
		*
		* @exception Exception
		*                if an error occurs.
		*/
		internal static ICollection FindIssuerCerts(
			X509Certificate			cert,
			PkixBuilderParameters	pkixParams)
		{
			X509CertStoreSelector certSelect = new X509CertStoreSelector();
			ISet certs = new HashSet();
			try
			{
				certSelect.Subject = cert.IssuerDN;
			}
			catch (IOException ex)
			{
				throw new Exception(
					"Subject criteria for certificate selector to find issuer certificate could not be set.", ex);
			}

			try
			{
                certs.AddAll(PkixCertPathValidatorUtilities.FindCertificates(certSelect, pkixParams.GetStores()));
                certs.AddAll(PkixCertPathValidatorUtilities.FindCertificates(certSelect, pkixParams.GetAdditionalStores()));
			}
			catch (Exception e)
			{
				throw new Exception("Issuer certificate cannot be searched.", e);
			}

			return certs;
		}
Exemple #29
0
        public virtual PkixCertPathBuilderResult Build(PkixBuilderParameters pkixParams)
        {
            IX509Selector targetConstraints = pkixParams.GetTargetConstraints();

            if (!(targetConstraints is X509AttrCertStoreSelector))
            {
                throw new PkixCertPathBuilderException(string.Concat(new string[5]
                {
                    "TargetConstraints must be an instance of ",
                    typeof(X509AttrCertStoreSelector).get_FullName(),
                    " for ",
                    typeof(PkixAttrCertPathBuilder).get_FullName(),
                    " class."
                }));
            }
            global::System.Collections.ICollection collection;
            try
            {
                collection = PkixCertPathValidatorUtilities.FindCertificates((X509AttrCertStoreSelector)targetConstraints, pkixParams.GetStores());
            }
            catch (global::System.Exception exception)
            {
                throw new PkixCertPathBuilderException("Error finding target attribute certificate.", exception);
            }
            if (collection.get_Count() == 0)
            {
                throw new PkixCertPathBuilderException("No attribute certificate found matching targetContraints.");
            }
            PkixCertPathBuilderResult pkixCertPathBuilderResult = null;

            global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)collection).GetEnumerator();
            try
            {
                while (enumerator.MoveNext())
                {
                    IX509AttributeCertificate iX509AttributeCertificate = (IX509AttributeCertificate)enumerator.get_Current();
                    X509CertStoreSelector     x509CertStoreSelector     = new X509CertStoreSelector();
                    X509Name[] principals = iX509AttributeCertificate.Issuer.GetPrincipals();
                    ISet       set        = new HashSet();
                    for (int i = 0; i < principals.Length; i++)
                    {
                        try
                        {
                            x509CertStoreSelector.Subject = principals[i];
                            set.AddAll((global::System.Collections.IEnumerable)PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores()));
                        }
                        catch (global::System.Exception exception2)
                        {
                            throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be searched.", exception2);
                        }
                    }
                    if (set.IsEmpty)
                    {
                        throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be found.");
                    }
                    global::System.Collections.IList tbvPath = Platform.CreateArrayList();
                    {
                        global::System.Collections.IEnumerator enumerator2 = ((global::System.Collections.IEnumerable)set).GetEnumerator();
                        try
                        {
                            while (enumerator2.MoveNext())
                            {
                                X509Certificate tbvCert = (X509Certificate)enumerator2.get_Current();
                                pkixCertPathBuilderResult = Build(iX509AttributeCertificate, tbvCert, pkixParams, tbvPath);
                                if (pkixCertPathBuilderResult != null)
                                {
                                    break;
                                }
                            }
                        }
                        finally
                        {
                            global::System.IDisposable disposable2 = enumerator2 as global::System.IDisposable;
                            if (disposable2 != null)
                            {
                                disposable2.Dispose();
                            }
                        }
                    }
                    if (pkixCertPathBuilderResult != null)
                    {
                        break;
                    }
                }
            }
            finally
            {
                global::System.IDisposable disposable = enumerator as global::System.IDisposable;
                if (disposable != null)
                {
                    disposable.Dispose();
                }
            }
            if (pkixCertPathBuilderResult == null && certPathException != null)
            {
                throw new PkixCertPathBuilderException("Possible certificate chain could not be validated.", certPathException);
            }
            if (pkixCertPathBuilderResult == null && certPathException == null)
            {
                throw new PkixCertPathBuilderException("Unable to find certificate chain.");
            }
            return(pkixCertPathBuilderResult);
        }
        public virtual PkixCertPathBuilderResult Build(PkixBuilderParameters pkixParams)
        {
            IX509Selector targetConstraints = pkixParams.GetTargetConstraints();

            if (!(targetConstraints is X509AttrCertStoreSelector))
            {
                throw new PkixCertPathBuilderException(string.Concat(new string[]
                {
                    "TargetConstraints must be an instance of ",
                    typeof(X509AttrCertStoreSelector).FullName,
                    " for ",
                    typeof(PkixAttrCertPathBuilder).FullName,
                    " class."
                }));
            }
            ICollection collection;

            try
            {
                collection = PkixCertPathValidatorUtilities.FindCertificates((X509AttrCertStoreSelector)targetConstraints, pkixParams.GetStores());
            }
            catch (Exception exception)
            {
                throw new PkixCertPathBuilderException("Error finding target attribute certificate.", exception);
            }
            if (collection.Count == 0)
            {
                throw new PkixCertPathBuilderException("No attribute certificate found matching targetContraints.");
            }
            PkixCertPathBuilderResult pkixCertPathBuilderResult = null;

            foreach (IX509AttributeCertificate iX509AttributeCertificate in collection)
            {
                X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector();
                X509Name[]            principals            = iX509AttributeCertificate.Issuer.GetPrincipals();
                ISet set = new HashSet();
                for (int i = 0; i < principals.Length; i++)
                {
                    try
                    {
                        x509CertStoreSelector.Subject = principals[i];
                        set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores()));
                    }
                    catch (Exception exception2)
                    {
                        throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be searched.", exception2);
                    }
                }
                if (set.IsEmpty)
                {
                    throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be found.");
                }
                IList tbvPath = Platform.CreateArrayList();
                foreach (X509Certificate tbvCert in set)
                {
                    pkixCertPathBuilderResult = this.Build(iX509AttributeCertificate, tbvCert, pkixParams, tbvPath);
                    if (pkixCertPathBuilderResult != null)
                    {
                        break;
                    }
                }
                if (pkixCertPathBuilderResult != null)
                {
                    break;
                }
            }
            if (pkixCertPathBuilderResult == null && this.certPathException != null)
            {
                throw new PkixCertPathBuilderException("Possible certificate chain could not be validated.", this.certPathException);
            }
            if (pkixCertPathBuilderResult == null && this.certPathException == null)
            {
                throw new PkixCertPathBuilderException("Unable to find certificate chain.");
            }
            return(pkixCertPathBuilderResult);
        }
        internal static PkixCertPath ProcessAttrCert1(IX509AttributeCertificate attrCert, PkixParameters pkixParams)
        {
            PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
            ISet set = new HashSet();

            if (attrCert.Holder.GetIssuer() != null)
            {
                X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector();
                x509CertStoreSelector.SerialNumber = attrCert.Holder.SerialNumber;
                X509Name[] issuer = attrCert.Holder.GetIssuer();
                for (int i = 0; i < issuer.Length; i++)
                {
                    try
                    {
                        x509CertStoreSelector.Issuer = issuer[i];
                        set.AddAll((global::System.Collections.IEnumerable)PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores()));
                    }
                    catch (global::System.Exception cause)
                    {
                        throw new PkixCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", cause);
                    }
                }
                if (set.IsEmpty)
                {
                    throw new PkixCertPathValidatorException("Public key certificate specified in base certificate ID for attribute certificate cannot be found.");
                }
            }
            if (attrCert.Holder.GetEntityNames() != null)
            {
                X509CertStoreSelector x509CertStoreSelector2 = new X509CertStoreSelector();
                X509Name[]            entityNames            = attrCert.Holder.GetEntityNames();
                for (int j = 0; j < entityNames.Length; j++)
                {
                    try
                    {
                        x509CertStoreSelector2.Issuer = entityNames[j];
                        set.AddAll((global::System.Collections.IEnumerable)PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector2, pkixParams.GetStores()));
                    }
                    catch (global::System.Exception cause2)
                    {
                        throw new PkixCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", cause2);
                    }
                }
                if (set.IsEmpty)
                {
                    throw new PkixCertPathValidatorException("Public key certificate specified in entity name for attribute certificate cannot be found.");
                }
            }
            PkixBuilderParameters          instance = PkixBuilderParameters.GetInstance(pkixParams);
            PkixCertPathValidatorException ex       = null;

            global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)set).GetEnumerator();
            try
            {
                while (enumerator.MoveNext())
                {
                    X509Certificate       certificate            = (X509Certificate)enumerator.get_Current();
                    X509CertStoreSelector x509CertStoreSelector3 = new X509CertStoreSelector();
                    x509CertStoreSelector3.Certificate = certificate;
                    instance.SetTargetConstraints(x509CertStoreSelector3);
                    PkixCertPathBuilder pkixCertPathBuilder = new PkixCertPathBuilder();
                    try
                    {
                        pkixCertPathBuilderResult = pkixCertPathBuilder.Build(PkixBuilderParameters.GetInstance(instance));
                    }
                    catch (PkixCertPathBuilderException cause3)
                    {
                        ex = new PkixCertPathValidatorException("Certification path for public key certificate of attribute certificate could not be build.", cause3);
                    }
                }
            }
            finally
            {
                global::System.IDisposable disposable = enumerator as global::System.IDisposable;
                if (disposable != null)
                {
                    disposable.Dispose();
                }
            }
            if (ex != null)
            {
                throw ex;
            }
            return(pkixCertPathBuilderResult.CertPath);
        }
        PkixCertPath BuildCertPath(HashSet anchors, IX509Store certificates, IX509Store crls, X509Certificate certificate, DateTime? signingTime)
        {
            var intermediate = new X509CertificateStore ();
            foreach (X509Certificate cert in certificates.GetMatches (null))
                intermediate.Add (cert);

            var selector = new X509CertStoreSelector ();
            selector.Certificate = certificate;

            var parameters = new PkixBuilderParameters (anchors, selector);
            parameters.AddStore (GetIntermediateCertificates ());
            parameters.AddStore (intermediate);

            var localCrls = GetCertificateRevocationLists ();
            parameters.AddStore (localCrls);
            parameters.AddStore (crls);

            // Note: we disable revocation unless we actually have non-empty revocation lists
            parameters.IsRevocationEnabled = localCrls.GetMatches (null).Count > 0;
            parameters.ValidityModel = PkixParameters.ChainValidityModel;

            if (signingTime.HasValue)
                parameters.Date = new DateTimeObject (signingTime.Value);

            var result = new PkixCertPathBuilder ().Build (parameters);

            return result.CertPath;
        }
Exemple #33
0
        /**
         * Build and validate a CertPath using the given parameter.
         *
         * @param params PKIXBuilderParameters object containing all information to
         *            build the CertPath
         */
        public virtual PkixCertPathBuilderResult Build(
            PkixBuilderParameters pkixParams)
        {
            // search target certificates

            IX509Selector certSelect = pkixParams.GetTargetConstraints();

            if (!(certSelect is X509AttrCertStoreSelector))
            {
                throw new PkixCertPathBuilderException(
                          "TargetConstraints must be an instance of "
                          + typeof(X509AttrCertStoreSelector).FullName
                          + " for "
                          + typeof(PkixAttrCertPathBuilder).FullName + " class.");
            }

            ICollection targets;

            try
            {
                targets = PkixCertPathValidatorUtilities.FindCertificates(
                    (X509AttrCertStoreSelector)certSelect, pkixParams.GetStores());
            }
            catch (Exception e)
            {
                throw new PkixCertPathBuilderException("Error finding target attribute certificate.", e);
            }

            if (targets.Count == 0)
            {
                throw new PkixCertPathBuilderException(
                          "No attribute certificate found matching targetContraints.");
            }

            PkixCertPathBuilderResult result = null;

            // check all potential target certificates
            foreach (IX509AttributeCertificate cert in targets)
            {
                X509CertStoreSelector selector   = new X509CertStoreSelector();
                X509Name[]            principals = cert.Issuer.GetPrincipals();
                ISet issuers = new HashSet();
                for (int i = 0; i < principals.Length; i++)
                {
                    try
                    {
                        selector.Subject = principals[i];

                        issuers.AddAll(PkixCertPathValidatorUtilities.FindCertificates(selector, pkixParams.GetStores()));
                    }
                    catch (Exception e)
                    {
                        throw new PkixCertPathBuilderException(
                                  "Public key certificate for attribute certificate cannot be searched.",
                                  e);
                    }
                }

                if (issuers.IsEmpty)
                {
                    throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be found.");
                }

                IList certPathList = Platform.CreateArrayList();

                foreach (X509Certificate issuer in issuers)
                {
                    result = Build(cert, issuer, pkixParams, certPathList);

                    if (result != null)
                    {
                        break;
                    }
                }

                if (result != null)
                {
                    break;
                }
            }

            if (result == null && certPathException != null)
            {
                throw new PkixCertPathBuilderException(
                          "Possible certificate chain could not be validated.",
                          certPathException);
            }

            if (result == null && certPathException == null)
            {
                throw new PkixCertPathBuilderException(
                          "Unable to find certificate chain.");
            }

            return(result);
        }
		private void v0Test()
		{
			// create certificates and CRLs
			AsymmetricCipherKeyPair rootPair = TestUtilities.GenerateRsaKeyPair();
			AsymmetricCipherKeyPair interPair = TestUtilities.GenerateRsaKeyPair();
			AsymmetricCipherKeyPair endPair = TestUtilities.GenerateRsaKeyPair();

			X509Certificate rootCert = TestUtilities.GenerateRootCert(rootPair);
			X509Certificate interCert = TestUtilities.GenerateIntermediateCert(interPair.Public, rootPair.Private, rootCert);
			X509Certificate endCert = TestUtilities.GenerateEndEntityCert(endPair.Public, interPair.Private, interCert);

			BigInteger revokedSerialNumber = BigInteger.Two;
			X509Crl rootCRL = TestUtilities.CreateCrl(rootCert, rootPair.Private, revokedSerialNumber);
			X509Crl interCRL = TestUtilities.CreateCrl(interCert, interPair.Private, revokedSerialNumber);

			// create CertStore to support path building
			IList certList = new ArrayList();
			certList.Add(rootCert);
			certList.Add(interCert);
			certList.Add(endCert);

			IList crlList = new ArrayList();
			crlList.Add(rootCRL);
			crlList.Add(interCRL);

//			CollectionCertStoreParameters parameters = new CollectionCertStoreParameters(list);
//			CertStore                     store = CertStore.getInstance("Collection", parameters);
			IX509Store x509CertStore = X509StoreFactory.Create(
				"Certificate/Collection",
				new X509CollectionStoreParameters(certList));
			IX509Store x509CrlStore = X509StoreFactory.Create(
				"CRL/Collection",
				new X509CollectionStoreParameters(crlList));

			ISet trust = new HashSet();
			trust.Add(new TrustAnchor(rootCert, null));

			// build the path
//			CertPathBuilder  builder = CertPathBuilder.getInstance("PKIX", "BC");
			PkixCertPathBuilder builder = new PkixCertPathBuilder();
			X509CertStoreSelector pathConstraints = new X509CertStoreSelector();

			pathConstraints.Subject = endCert.SubjectDN;

			PkixBuilderParameters buildParams = new PkixBuilderParameters(trust, pathConstraints);
//			buildParams.addCertStore(store);
			buildParams.AddStore(x509CertStore);
			buildParams.AddStore(x509CrlStore);

			buildParams.Date = new DateTimeObject(DateTime.UtcNow);

			PkixCertPathBuilderResult result = builder.Build(buildParams);
			PkixCertPath path = result.CertPath;

			if (path.Certificates.Count != 2)
			{
				Fail("wrong number of certs in v0Test path");
			}
		}
		/**
		* Makes a copy of this <code>PKIXParameters</code> object. Changes to the
		* copy will not affect the original and vice versa.
		*
		* @return a copy of this <code>PKIXParameters</code> object
		*/
		public override object Clone()
		{
			PkixBuilderParameters parameters = new PkixBuilderParameters(
				GetTrustAnchors(), GetTargetCertConstraints());
			parameters.SetParams(this);
			return parameters;
		}