		* Searches for a holder public key certificate and verifies its
		* certification path.
		* @param attrCert the attribute certificate.
		* @param pkixParams The PKIX parameters.
		* @return The certificate path of the holder certificate.
		* @throws Exception if
		*             <ul>
		*             <li>no public key certificate can be found although holder
		*             information is given by an entity name or a base certificate
		*             ID</li>
		*             <li>support classes cannot be created</li>
		*             <li>no certification path for the public key certificate can
		*             be built</li>
		*             </ul>
		// Locates the attribute certificate's holder public-key certificate(s) (PKCs) and builds a
		// PKIX certification path for each one; the path from the last successful build is returned.
		// Holder PKCs are looked up in pkixParams.GetStores() by base certificate ID (issuer name +
		// serial number) and/or by entity name, and both lookups feed the same candidate set.
		internal static PkixCertPath ProcessAttrCert1(
			IX509AttributeCertificate	attrCert,
			PkixParameters				pkixParams)
			// Most recent build result. It stays null when no holder PKC was collected at all (neither
			// lookup branch below ran), in which case result.CertPath at the end dereferences null.
			PkixCertPathBuilderResult result = null;
			// find holder PKCs
			ISet holderPKCs = new HashSet();
			// Lookup 1: holder given as a base certificate ID -> candidates must match on issuer
			// name AND serial number.
			if (attrCert.Holder.GetIssuer() != null)
				X509CertStoreSelector selector = new X509CertStoreSelector();
				selector.SerialNumber = attrCert.Holder.SerialNumber;
				X509Name[] principals = attrCert.Holder.GetIssuer();
				for (int i = 0; i < principals.Length; i++)
//						if (principals[i] is X500Principal)
							selector.Issuer = principals[i];
							.FindCertificates(selector, pkixParams.GetStores()));
					// A failing store lookup is a "cannot be searched" error, kept distinct from the
					// "cannot be found" case reported after the loop.
					catch (Exception e)
						throw new PkixCertPathValidatorException(
							"Public key certificate for attribute certificate cannot be searched.",
				// A base certificate ID that matches no stored certificate is a hard failure.
				if (holderPKCs.IsEmpty)
					throw new PkixCertPathValidatorException(
						"Public key certificate specified in base certificate ID for attribute certificate cannot be found.");
			// Lookup 2: holder given as entity name(s).
			if (attrCert.Holder.GetEntityNames() != null)
				X509CertStoreSelector selector = new X509CertStoreSelector();
				X509Name[] principals = attrCert.Holder.GetEntityNames();
				for (int i = 0; i < principals.Length; i++)
//						if (principals[i] is X500Principal)
							// NOTE(review): the entity name is applied as the selector's Issuer criterion,
							// not Subject. Confirm this is the intended matching rule, since it decides
							// which PKC the attribute certificate is bound to.
							selector.Issuer = principals[i];
							.FindCertificates(selector, pkixParams.GetStores()));
					catch (Exception e)
						throw new PkixCertPathValidatorException(
							"Public key certificate for attribute certificate cannot be searched.",
				if (holderPKCs.IsEmpty)
					throw new PkixCertPathValidatorException(
						"Public key certificate specified in entity name for attribute certificate cannot be found.");

			// verify cert paths for PKCs
			PkixBuilderParameters parameters = (PkixBuilderParameters)

			// Only the most recent build failure is remembered; it decides the outcome after the loop.
			PkixCertPathValidatorException lastException = null;
			foreach (X509Certificate cert in holderPKCs)
				// Target the path builder at exactly this candidate holder certificate.
				X509CertStoreSelector selector = new X509CertStoreSelector();
				selector.Certificate = cert;

				PkixCertPathBuilder builder = new PkixCertPathBuilder();

					// Every iteration overwrites result, so with several candidates only the last
					// candidate's path is returned.
					result = builder.Build(PkixBuilderParameters.GetInstance(parameters));
				catch (PkixCertPathBuilderException e)
					lastException = new PkixCertPathValidatorException(
						"Certification path for public key certificate of attribute certificate could not be build.",
			// A build failure for any candidate aborts the call, even if another candidate's path
			// was built successfully.
			if (lastException != null)
				throw lastException;
			return result.CertPath;
		* Obtain and validate the certification path for the complete CRL issuer.
		* If a key usage extension is present in the CRL issuer's certificate,
		* verify that the cRLSign bit is set.
		* @param crl                CRL which contains revocation information for the certificate
		*                           <code>cert</code>.
		* @param cert               The attribute certificate or certificate to check if it is
		*                           revoked.
		* @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>.
		* @param defaultCRLSignKey  The public key of the issuer certificate
		*                           <code>defaultCRLSignCert</code>.
		* @param paramsPKIX         The PKIX parameters.
		* @param certPathCerts      The certificates on the certification path.
		* @return A <code>Set</code> with all keys of possible CRL issuer
		*         certificates.
		* @throws AnnotatedException if the CRL is not valid or the status cannot be checked or
		*                            some error occurs.
		// Step (f) of the CRL processing algorithm (RFC 3280 section 6.3.3): determine the public
		// key(s) that may legitimately have signed this CRL. Candidate issuer certificates are those
		// whose Subject equals the CRL's IssuerDN in the regular and additional stores. For every
		// candidate other than defaultCRLSignCert a PKIX path is built and the working key derived from
		// that path is collected; candidates whose KeyUsage extension lacks cRLSign are then dropped.
		// Failures surface as plain Exception (the header comment's AnnotatedException name does not
		// match the visible throws).
		internal static ISet ProcessCrlF(
			X509Crl					crl,
			object					cert,
			X509Certificate			defaultCRLSignCert,
			AsymmetricKeyParameter	defaultCRLSignKey,
			PkixParameters			paramsPKIX,
			IList					certPathCerts)
			// (f)

			// get issuer from CRL
			X509CertStoreSelector selector = new X509CertStoreSelector();
				// Candidates are selected by Subject == CRL issuer name only; signature checks happen
				// in the caller against the keys returned here.
				selector.Subject = crl.IssuerDN;
			// Setting the subject criterion can fail on a malformed name; surfaced as a plain Exception.
			catch (IOException e)
				throw new Exception(
					"Subject criteria for certificate selector to find issuer certificate for CRL could not be set.", e);

			// get CRL signing certs
			IList coll = Platform.CreateArrayList();

				// Both the regular and the additional stores are consulted.
                CollectionUtilities.AddRange(coll, PkixCertPathValidatorUtilities.FindCertificates(selector, paramsPKIX.GetStores()));
                CollectionUtilities.AddRange(coll, PkixCertPathValidatorUtilities.FindCertificates(selector, paramsPKIX.GetAdditionalStores()));
			catch (Exception e)
				throw new Exception("Issuer certificate for CRL cannot be searched.", e);


			IEnumerator cert_it = coll.GetEnumerator();

			// NOTE(review): validCerts and validKeys are expected to be kept in step (same index i =
			// same candidate) inside the loop below; the statements that add to them are not visible
			// in this excerpt.
            IList validCerts = Platform.CreateArrayList();
            IList validKeys = Platform.CreateArrayList();

			while (cert_it.MoveNext())
				X509Certificate signingCert = (X509Certificate)cert_it.Current;

				 * CA of the certificate, for which this CRL is checked, has also
				 * signed CRL, so skip the path validation, because is already done
				// Per the comment above, the certificate that issued the target is accepted without
				// building a new path; only other candidates go through the builder below.
				if (signingCert.Equals(defaultCRLSignCert))
//					CertPathBuilder builder = CertPathBuilder.GetInstance("PKIX");
					PkixCertPathBuilder builder = new PkixCertPathBuilder();
					// Target the builder at exactly this candidate issuer certificate.
					selector = new X509CertStoreSelector();
					selector.Certificate = signingCert;

					// Work on a copy so the caller's parameters are not modified.
					PkixParameters temp = (PkixParameters)paramsPKIX.Clone();

					PkixBuilderParameters parameters = (PkixBuilderParameters)

					 * if signingCert is placed not higher on the cert path a
					 * dependency loop results. CRL for cert is checked, but
					 * signingCert is needed for checking the CRL which is dependent
					 * on checking cert because it is higher in the cert path and so
					 * signing signingCert transitively. so, revocation is disabled,
					 * forgery attacks of the CRL are detected in this outer loop
					 * for all other it must be enabled to prevent forgery attacks
					// Revocation checking is disabled only for the dependency-loop case described
					// above; for every other candidate it is explicitly kept on.
					if (certPathCerts.Contains(signingCert))
						parameters.IsRevocationEnabled = false;
						parameters.IsRevocationEnabled = true;
					// The key is taken from the built path rather than directly from signingCert.
					IList certs = builder.Build(parameters).CertPath.Certificates;
					validKeys.Add(PkixCertPathValidatorUtilities.GetNextWorkingKey(certs, 0));
				// A candidate for which no path can be built is reported as an internal error, not
				// silently skipped.
				catch (PkixCertPathBuilderException e)
					throw new Exception("Internal error.", e);
				catch (PkixCertPathValidatorException e)
					throw new Exception("Public key of issuer certificate of CRL could not be retrieved.", e);
				//catch (Exception e)
				//    throw new Exception(e.Message);

			ISet checkKeys = new HashSet();

			// Set only by the key-usage filter below; reported if it left no usable key.
			Exception lastException = null;
			for (int i = 0; i < validCerts.Count; i++)
				X509Certificate signCert = (X509Certificate)validCerts[i];
				bool[] keyusage = signCert.GetKeyUsage();

				// Key-usage filter: a candidate whose KeyUsage extension is too short to hold the
				// cRLSign bit, or has it clear, is rejected. A candidate with no KeyUsage extension
				// (keyusage == null) passes. CRL_SIGN is the bit index, defined outside this excerpt.
				if (keyusage != null && (keyusage.Length < 7 || !keyusage[CRL_SIGN]))
					lastException = new Exception(
						"Issuer certificate key usage extension does not permit CRL signing.");

			// No acceptable issuer key: report the key-usage rejection if one occurred, otherwise a
			// generic failure.
			if ((checkKeys.Count == 0) && lastException == null)
				throw new Exception("Cannot find a valid issuer certificate.");
			if ((checkKeys.Count == 0) && lastException != null)
				throw lastException;

			return checkKeys;
         * Searches for a holder public key certificate and verifies its
         * certification path.
         * @param attrCert the attribute certificate.
         * @param pkixParams The PKIX parameters.
         * @return The certificate path of the holder certificate.
         * @throws Exception if
         *             <ul>
         *             <li>no public key certificate can be found although holder
         *             information is given by an entity name or a base certificate
         *             ID</li>
         *             <li>support classes cannot be created</li>
         *             <li>no certification path for the public key certificate can
         *             be built</li>
         *             </ul>
        internal static PkixCertPath ProcessAttrCert1(
            IX509AttributeCertificate attrCert,
            PkixParameters pkixParams)
            PkixCertPathBuilderResult result = null;
            // find holder PKCs
            ISet holderPKCs = new HashSet();

            if (attrCert.Holder.GetIssuer() != null)
                X509CertStoreSelector selector = new X509CertStoreSelector();
                selector.SerialNumber = attrCert.Holder.SerialNumber;
                X509Name[] principals = attrCert.Holder.GetIssuer();
                for (int i = 0; i < principals.Length; i++)
//						if (principals[i] is X500Principal)
                            selector.Issuer = principals[i];
                                          .FindCertificates(selector, pkixParams.GetStores()));
                    catch (Exception e)
                        throw new PkixCertPathValidatorException(
                                  "Public key certificate for attribute certificate cannot be searched.",
                if (holderPKCs.IsEmpty)
                    throw new PkixCertPathValidatorException(
                              "Public key certificate specified in base certificate ID for attribute certificate cannot be found.");
            if (attrCert.Holder.GetEntityNames() != null)
                X509CertStoreSelector selector   = new X509CertStoreSelector();
                X509Name[]            principals = attrCert.Holder.GetEntityNames();
                for (int i = 0; i < principals.Length; i++)
//						if (principals[i] is X500Principal)
                            selector.Issuer = principals[i];
                                          .FindCertificates(selector, pkixParams.GetStores()));
                    catch (Exception e)
                        throw new PkixCertPathValidatorException(
                                  "Public key certificate for attribute certificate cannot be searched.",
                if (holderPKCs.IsEmpty)
                    throw new PkixCertPathValidatorException(
                              "Public key certificate specified in entity name for attribute certificate cannot be found.");

            // verify cert paths for PKCs
            PkixBuilderParameters parameters = (PkixBuilderParameters)

            PkixCertPathValidatorException lastException = null;

            foreach (X509Certificate cert in holderPKCs)
                X509CertStoreSelector selector = new X509CertStoreSelector();
                selector.Certificate = cert;

                PkixCertPathBuilder builder = new PkixCertPathBuilder();

                    result = builder.Build(PkixBuilderParameters.GetInstance(parameters));
                catch (PkixCertPathBuilderException e)
                    lastException = new PkixCertPathValidatorException(
                        "Certification path for public key certificate of attribute certificate could not be build.",
            if (lastException != null)
                throw lastException;