private void v0Test() { // create certificates and CRLs AsymmetricCipherKeyPair rootPair = TestUtilities.GenerateRsaKeyPair(); AsymmetricCipherKeyPair interPair = TestUtilities.GenerateRsaKeyPair(); AsymmetricCipherKeyPair endPair = TestUtilities.GenerateRsaKeyPair(); X509Certificate rootCert = TestUtilities.GenerateRootCert(rootPair); X509Certificate interCert = TestUtilities.GenerateIntermediateCert(interPair.Public, rootPair.Private, rootCert); X509Certificate endCert = TestUtilities.GenerateEndEntityCert(endPair.Public, interPair.Private, interCert); BigInteger revokedSerialNumber = BigInteger.Two; X509Crl rootCRL = TestUtilities.CreateCrl(rootCert, rootPair.Private, revokedSerialNumber); X509Crl interCRL = TestUtilities.CreateCrl(interCert, interPair.Private, revokedSerialNumber); // create CertStore to support path building IList certList = new ArrayList(); certList.Add(rootCert); certList.Add(interCert); certList.Add(endCert); IList crlList = new ArrayList(); crlList.Add(rootCRL); crlList.Add(interCRL); // CollectionCertStoreParameters parameters = new CollectionCertStoreParameters(list); // CertStore store = CertStore.getInstance("Collection", parameters); IX509Store x509CertStore = X509StoreFactory.Create( "Certificate/Collection", new X509CollectionStoreParameters(certList)); IX509Store x509CrlStore = X509StoreFactory.Create( "CRL/Collection", new X509CollectionStoreParameters(crlList)); ISet trust = new HashSet(); trust.Add(new TrustAnchor(rootCert, null)); // build the path // CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC"); PkixCertPathBuilder builder = new PkixCertPathBuilder(); X509CertStoreSelector pathConstraints = new X509CertStoreSelector(); pathConstraints.Subject = endCert.SubjectDN; PkixBuilderParameters buildParams = new PkixBuilderParameters(trust, pathConstraints); // buildParams.addCertStore(store); buildParams.AddStore(x509CertStore); buildParams.AddStore(x509CrlStore); buildParams.Date = new DateTimeObject(DateTime.UtcNow); PkixCertPathBuilderResult result = builder.Build(buildParams); PkixCertPath path = result.CertPath; if (path.Certificates.Count != 2) { Fail("wrong number of certs in v0Test path"); } }
/// <summary> /// Builds certification path for provided signing certificate /// </summary> /// <param name="signingCertificate">Signing certificate</param> /// <param name="otherCertificates">Other certificates that should be used in path building process. Self-signed certificates from this list are used as trust anchors.</param> /// <returns>Certification path for provided signing certificate</returns> public ICollection <Org.BouncyCastle.X509.X509Certificate> BuildCertPath(byte[] signingCertificate, List <byte[]> otherCertificates) { if (signingCertificate == null) { throw new ArgumentNullException("signingCertificate"); } List <Org.BouncyCastle.X509.X509Certificate> result = new List <Org.BouncyCastle.X509.X509Certificate>(); Org.BouncyCastle.X509.X509Certificate signingCert = ToBouncyCastleObject(signingCertificate); Org.BouncyCastle.Utilities.Collections.ISet trustAnchors = new Org.BouncyCastle.Utilities.Collections.HashSet(); List <Org.BouncyCastle.X509.X509Certificate> otherCerts = new List <Org.BouncyCastle.X509.X509Certificate>(); if (IsSelfSigned(signingCert)) { result.Add(signingCert); } else { otherCerts.Add(signingCert); if (otherCertificates != null) { foreach (byte[] otherCertificate in otherCertificates) { Org.BouncyCastle.X509.X509Certificate otherCert = ToBouncyCastleObject(otherCertificate); otherCerts.Add(ToBouncyCastleObject(otherCertificate)); if (IsSelfSigned(otherCert)) { trustAnchors.Add(new TrustAnchor(otherCert, null)); } } } if (trustAnchors.Count < 1) { throw new PkixCertPathBuilderException("Provided certificates do not contain self-signed root certificate"); } X509CertStoreSelector targetConstraints = new X509CertStoreSelector(); targetConstraints.Certificate = signingCert; PkixBuilderParameters certPathBuilderParameters = new PkixBuilderParameters(trustAnchors, targetConstraints); certPathBuilderParameters.AddStore(X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(otherCerts))); certPathBuilderParameters.IsRevocationEnabled = false; PkixCertPathBuilder certPathBuilder = new PkixCertPathBuilder(); PkixCertPathBuilderResult certPathBuilderResult = certPathBuilder.Build(certPathBuilderParameters); foreach (Org.BouncyCastle.X509.X509Certificate certPathCert in certPathBuilderResult.CertPath.Certificates) { result.Add(certPathCert); } result.Add(certPathBuilderResult.TrustAnchor.TrustedCert); } return(result); }
private void baseTest() { // CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); X509CertificateParser certParser = new X509CertificateParser(); X509CrlParser crlParser = new X509CrlParser(); // initialise CertStore X509Certificate rootCert = certParser.ReadCertificate(CertPathTest.rootCertBin); X509Certificate interCert = certParser.ReadCertificate(CertPathTest.interCertBin); X509Certificate finalCert = certParser.ReadCertificate(CertPathTest.finalCertBin); X509Crl rootCrl = crlParser.ReadCrl(CertPathTest.rootCrlBin); X509Crl interCrl = crlParser.ReadCrl(CertPathTest.interCrlBin); IList certList = new ArrayList(); certList.Add(rootCert); certList.Add(interCert); certList.Add(finalCert); IList crlList = new ArrayList(); crlList.Add(rootCrl); crlList.Add(interCrl); // CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list); // CertStore store = CertStore.getInstance("Collection", ccsp, "BC"); IX509Store x509CertStore = X509StoreFactory.Create( "Certificate/Collection", new X509CollectionStoreParameters(certList)); IX509Store x509CrlStore = X509StoreFactory.Create( "CRL/Collection", new X509CollectionStoreParameters(crlList)); // NB: Month is 1-based in .NET //DateTime validDate = new DateTime(2008, 9, 4, 14, 49, 10).ToUniversalTime(); DateTime validDate = new DateTime(2008, 9, 4, 5, 49, 10); //Searching for rootCert by subjectDN without CRL ISet trust = new HashSet(); trust.Add(new TrustAnchor(rootCert, null)); // CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX","BC"); PkixCertPathBuilder cpb = new PkixCertPathBuilder(); X509CertStoreSelector targetConstraints = new X509CertStoreSelector(); targetConstraints.Subject = finalCert.SubjectDN; PkixBuilderParameters parameters = new PkixBuilderParameters(trust, targetConstraints); // parameters.addCertStore(store); parameters.AddStore(x509CertStore); parameters.AddStore(x509CrlStore); parameters.Date = new DateTimeObject(validDate); PkixCertPathBuilderResult result = cpb.Build(parameters); PkixCertPath path = result.CertPath; if (path.Certificates.Count != 2) { Fail("wrong number of certs in baseTest path"); } }
private void doTestExceptions() { byte[] enc = { (byte)0, (byte)2, (byte)3, (byte)4, (byte)5 }; // MyCertPath mc = new MyCertPath(enc); MemoryStream os = new MemoryStream(); MemoryStream ins; byte[] arr; // TODO Support serialization of cert paths? // ObjectOutputStream oos = new ObjectOutputStream(os); // oos.WriteObject(mc); // oos.Flush(); // oos.Close(); try { // CertificateFactory cFac = CertificateFactory.GetInstance("X.509"); arr = os.ToArray(); ins = new MemoryStream(arr, false); // cFac.generateCertPath(ins); new PkixCertPath(ins); } catch (CertificateException) { // ignore okay } // CertificateFactory cf = CertificateFactory.GetInstance("X.509"); X509CertificateParser cf = new X509CertificateParser(); IList certCol = new ArrayList(); certCol.Add(cf.ReadCertificate(certA)); certCol.Add(cf.ReadCertificate(certB)); certCol.Add(cf.ReadCertificate(certC)); certCol.Add(cf.ReadCertificate(certD)); // CertPathBuilder pathBuilder = CertPathBuilder.GetInstance("PKIX"); PkixCertPathBuilder pathBuilder = new PkixCertPathBuilder(); X509CertStoreSelector select = new X509CertStoreSelector(); select.Subject = ((X509Certificate)certCol[0]).SubjectDN; ISet trustanchors = new HashSet(); trustanchors.Add(new TrustAnchor(cf.ReadCertificate(rootCertBin), null)); // CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certCol)); IX509Store x509CertStore = X509StoreFactory.Create( "Certificate/Collection", new X509CollectionStoreParameters(certCol)); PkixBuilderParameters parameters = new PkixBuilderParameters(trustanchors, select); parameters.AddStore(x509CertStore); try { PkixCertPathBuilderResult result = pathBuilder.Build(parameters); PkixCertPath path = result.CertPath; Fail("found cert path in circular set"); } catch (PkixCertPathBuilderException) { // expected } }
private PkixCertPathBuilderResult Build(IX509AttributeCertificate attrCert, X509Certificate tbvCert, PkixBuilderParameters pkixParams, IList tbvPath) { if (tbvPath.Contains(tbvCert)) { return(null); } if (pkixParams.GetExcludedCerts().Contains(tbvCert)) { return(null); } if (pkixParams.MaxPathLength != -1 && tbvPath.Count - 1 > pkixParams.MaxPathLength) { return(null); } tbvPath.Add(tbvCert); PkixCertPathBuilderResult pkixCertPathBuilderResult = null; PkixAttrCertPathValidator pkixAttrCertPathValidator = new PkixAttrCertPathValidator(); try { if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null) { PkixCertPath certPath = new PkixCertPath(tbvPath); PkixCertPathValidatorResult pkixCertPathValidatorResult; try { pkixCertPathValidatorResult = pkixAttrCertPathValidator.Validate(certPath, pkixParams); } catch (Exception innerException) { throw new Exception("Certification path could not be validated.", innerException); } return(new PkixCertPathBuilderResult(certPath, pkixCertPathValidatorResult.TrustAnchor, pkixCertPathValidatorResult.PolicyTree, pkixCertPathValidatorResult.SubjectPublicKey)); } try { PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams); } catch (CertificateParsingException innerException2) { throw new Exception("No additional X.509 stores can be added from certificate locations.", innerException2); } ISet set = new HashSet(); try { set.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams)); } catch (Exception innerException3) { throw new Exception("Cannot find issuer certificate for certificate in certification path.", innerException3); } if (set.IsEmpty) { throw new Exception("No issuer certificate for certificate in certification path found."); } foreach (X509Certificate item in set) { if (!PkixCertPathValidatorUtilities.IsSelfIssued(item)) { pkixCertPathBuilderResult = Build(attrCert, item, pkixParams, tbvPath); if (pkixCertPathBuilderResult != null) { break; } } } } catch (Exception innerException4) { certPathException = new Exception("No valid certification path could be build.", innerException4); } if (pkixCertPathBuilderResult == null) { tbvPath.Remove(tbvCert); } return(pkixCertPathBuilderResult); }
public virtual PkixCertPathBuilderResult Build(PkixBuilderParameters pkixParams) { IX509Selector targetConstraints = pkixParams.GetTargetConstraints(); if (!(targetConstraints is X509AttrCertStoreSelector)) { throw new PkixCertPathBuilderException("TargetConstraints must be an instance of " + typeof(X509AttrCertStoreSelector).FullName + " for " + typeof(PkixAttrCertPathBuilder).FullName + " class."); } ICollection collection; try { collection = PkixCertPathValidatorUtilities.FindCertificates((X509AttrCertStoreSelector)targetConstraints, pkixParams.GetStores()); } catch (Exception exception) { throw new PkixCertPathBuilderException("Error finding target attribute certificate.", exception); } if (collection.Count == 0) { throw new PkixCertPathBuilderException("No attribute certificate found matching targetContraints."); } PkixCertPathBuilderResult pkixCertPathBuilderResult = null; foreach (IX509AttributeCertificate item in collection) { X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector(); X509Name[] principals = item.Issuer.GetPrincipals(); ISet set = new HashSet(); for (int i = 0; i < principals.Length; i++) { try { x509CertStoreSelector.Subject = principals[i]; set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores())); } catch (Exception exception2) { throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be searched.", exception2); } } if (set.IsEmpty) { throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be found."); } IList tbvPath = Platform.CreateArrayList(); foreach (X509Certificate item2 in set) { pkixCertPathBuilderResult = Build(item, item2, pkixParams, tbvPath); if (pkixCertPathBuilderResult != null) { break; } } if (pkixCertPathBuilderResult != null) { break; } } if (pkixCertPathBuilderResult == null && certPathException != null) { throw new PkixCertPathBuilderException("Possible certificate chain could not be validated.", certPathException); } if (pkixCertPathBuilderResult == null && certPathException == null) { throw new PkixCertPathBuilderException("Unable to find certificate chain."); } return(pkixCertPathBuilderResult); }
private string TestPolicies( int index, X509Certificate trustCert, X509Certificate intCert, X509Certificate endCert, ISet requirePolicies, bool okay) { ISet trust = new HashSet(); trust.Add(new TrustAnchor(trustCert, null)); X509CertStoreSelector targetConstraints = new X509CertStoreSelector(); targetConstraints.Subject = endCert.SubjectDN; PkixBuilderParameters pbParams = new PkixBuilderParameters(trust, targetConstraints); ISet certs = new HashSet(); certs.Add(intCert); certs.Add(endCert); IX509Store store = X509StoreFactory.Create( "CERTIFICATE/COLLECTION", new X509CollectionStoreParameters(certs)); pbParams.AddStore(store); pbParams.IsRevocationEnabled = false; if (requirePolicies != null) { pbParams.IsExplicitPolicyRequired = true; pbParams.SetInitialPolicies(requirePolicies); } // CertPathBuilder cpb = CertPathBuilder.GetInstance("PKIX"); PkixCertPathBuilder cpb = new PkixCertPathBuilder(); PkixCertPathBuilderResult result = null; try { result = (PkixCertPathBuilderResult)cpb.Build(pbParams); if (!okay) { Fail(index + ": path validated when failure expected."); } // if (result.getPolicyTree() != null) // { // Console.WriteLine("OK"); // Console.WriteLine("policy: " + result.getPolicyTree()); // } // else // { // Console.WriteLine("OK: policy tree = null"); // } return(""); } catch (TestFailedException e) { throw e; } catch (Exception e) { if (okay) { Fail(index + ": path failed to validate when success expected."); } Exception ee = e.InnerException; if (ee != null) { return(ee.Message); } return(e.Message); } }
internal static PkixCertPath ProcessAttrCert1(IX509AttributeCertificate attrCert, PkixParameters pkixParams) { PkixCertPathBuilderResult pkixCertPathBuilderResult = null; ISet set = new HashSet(); if (attrCert.Holder.GetIssuer() != null) { X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector(); x509CertStoreSelector.SerialNumber = attrCert.Holder.SerialNumber; X509Name[] issuer = attrCert.Holder.GetIssuer(); for (int i = 0; i < issuer.Length; i++) { try { x509CertStoreSelector.Issuer = issuer[i]; set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores())); } catch (Exception cause) { throw new PkixCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", cause); } } if (set.IsEmpty) { throw new PkixCertPathValidatorException("Public key certificate specified in base certificate ID for attribute certificate cannot be found."); } } if (attrCert.Holder.GetEntityNames() != null) { X509CertStoreSelector x509CertStoreSelector2 = new X509CertStoreSelector(); X509Name[] entityNames = attrCert.Holder.GetEntityNames(); for (int j = 0; j < entityNames.Length; j++) { try { x509CertStoreSelector2.Issuer = entityNames[j]; set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector2, pkixParams.GetStores())); } catch (Exception cause2) { throw new PkixCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", cause2); } } if (set.IsEmpty) { throw new PkixCertPathValidatorException("Public key certificate specified in entity name for attribute certificate cannot be found."); } } PkixBuilderParameters instance = PkixBuilderParameters.GetInstance(pkixParams); PkixCertPathValidatorException ex = null; foreach (X509Certificate item in set) { X509CertStoreSelector x509CertStoreSelector3 = new X509CertStoreSelector(); x509CertStoreSelector3.Certificate = item; instance.SetTargetConstraints(x509CertStoreSelector3); PkixCertPathBuilder pkixCertPathBuilder = new PkixCertPathBuilder(); try { pkixCertPathBuilderResult = pkixCertPathBuilder.Build(PkixBuilderParameters.GetInstance(instance)); } catch (PkixCertPathBuilderException cause3) { ex = new PkixCertPathValidatorException("Certification path for public key certificate of attribute certificate could not be build.", cause3); } } if (ex != null) { throw ex; } return(pkixCertPathBuilderResult.CertPath); }