/** * Find the issuer certificates of a given certificate. * * @param cert * The certificate for which an issuer should be found. * @param pkixParams * @return A <code>Collection</code> object containing the issuer * <code>X509Certificate</code>s. Never <code>null</code>. * * @exception Exception * if an error occurs. */ internal static ICollection FindIssuerCerts( X509Certificate cert, PkixBuilderParameters pkixParams) { X509CertStoreSelector certSelect = new X509CertStoreSelector(); ISet certs = new HashSet(); try { certSelect.Subject = cert.IssuerDN; } catch (IOException ex) { throw new Exception( "Subject criteria for certificate selector to find issuer certificate could not be set.", ex); } try { certs.AddAll(PkixCertPathValidatorUtilities.FindCertificates(certSelect, pkixParams.GetStores())); certs.AddAll(PkixCertPathValidatorUtilities.FindCertificates(certSelect, pkixParams.GetAdditionalStores())); } catch (Exception e) { throw new Exception("Issuer certificate cannot be searched.", e); } return(certs); }
public static PkixBuilderParameters GetInstance(PkixParameters pkixParams) { PkixBuilderParameters pkixBuilderParameters = new PkixBuilderParameters(pkixParams.GetTrustAnchors(), new X509CertStoreSelector(pkixParams.GetTargetCertConstraints())); pkixBuilderParameters.SetParams(pkixParams); return(pkixBuilderParameters); }
public override object Clone() { PkixBuilderParameters pkixBuilderParameters = new PkixBuilderParameters(GetTrustAnchors(), GetTargetCertConstraints()); pkixBuilderParameters.SetParams(this); return(pkixBuilderParameters); }
/** * Build and validate a CertPath using the given parameter. * * @param params PKIXBuilderParameters object containing all information to * build the CertPath */ public virtual PkixCertPathBuilderResult Build( PkixBuilderParameters pkixParams) { // search target certificates IX509Selector certSelect = pkixParams.GetTargetCertConstraints(); if (!(certSelect is X509CertStoreSelector)) { throw new PkixCertPathBuilderException( "TargetConstraints must be an instance of " + typeof(X509CertStoreSelector).FullName + " for " + this.GetType() + " class."); } ISet targets = new HashSet(); try { targets.AddAll(PkixCertPathValidatorUtilities.FindCertificates((X509CertStoreSelector)certSelect, pkixParams.GetStores())); // TODO Should this include an entry for pkixParams.GetAdditionalStores() too? } catch (Exception e) { throw new PkixCertPathBuilderException( "Error finding target certificate.", e); } if (targets.IsEmpty) { throw new PkixCertPathBuilderException("No certificate found matching targetContraints."); } PkixCertPathBuilderResult result = null; IList certPathList = new ArrayList(); // check all potential target certificates foreach (X509Certificate cert in targets) { result = Build(cert, pkixParams, certPathList); if (result != null) { break; } } if (result == null && certPathException != null) { throw new PkixCertPathBuilderException(certPathException.Message, certPathException.InnerException); } if (result == null && certPathException == null) { throw new PkixCertPathBuilderException("Unable to find certificate chain."); } return(result); }
/** * Returns an instance of <code>PkixBuilderParameters</code>. * <p> * This method can be used to get a copy from other * <code>PKIXBuilderParameters</code>, <code>PKIXParameters</code>, * and <code>ExtendedPKIXParameters</code> instances. * </p> * * @param pkixParams The PKIX parameters to create a copy of. * @return An <code>PkixBuilderParameters</code> instance. */ public static PkixBuilderParameters GetInstance( PkixParameters pkixParams) { PkixBuilderParameters parameters = new PkixBuilderParameters( pkixParams.GetTrustAnchors(), new X509CertStoreSelector(pkixParams.GetTargetCertConstraints())); parameters.SetParams(pkixParams); return parameters; }
private void baseTest() { // CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); X509CertificateParser certParser = new X509CertificateParser(); X509CrlParser crlParser = new X509CrlParser(); // initialise CertStore X509Certificate rootCert = certParser.ReadCertificate(CertPathTest.rootCertBin); X509Certificate interCert = certParser.ReadCertificate(CertPathTest.interCertBin); X509Certificate finalCert = certParser.ReadCertificate(CertPathTest.finalCertBin); X509Crl rootCrl = crlParser.ReadCrl(CertPathTest.rootCrlBin); X509Crl interCrl = crlParser.ReadCrl(CertPathTest.interCrlBin); IList certList = new ArrayList(); certList.Add(rootCert); certList.Add(interCert); certList.Add(finalCert); IList crlList = new ArrayList(); crlList.Add(rootCrl); crlList.Add(interCrl); // CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list); // CertStore store = CertStore.getInstance("Collection", ccsp, "BC"); IX509Store x509CertStore = X509StoreFactory.Create( "Certificate/Collection", new X509CollectionStoreParameters(certList)); IX509Store x509CrlStore = X509StoreFactory.Create( "CRL/Collection", new X509CollectionStoreParameters(crlList)); // NB: Month is 1-based in .NET //DateTime validDate = new DateTime(2008, 9, 4, 14, 49, 10).ToUniversalTime(); DateTime validDate = new DateTime(2008, 9, 4, 5, 49, 10);//.ToUniversalTime(); //Searching for rootCert by subjectDN without CRL ISet trust = new HashSet(); trust.Add(new TrustAnchor(rootCert, null)); // CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX","BC"); PkixCertPathBuilder cpb = new PkixCertPathBuilder(); X509CertStoreSelector targetConstraints = new X509CertStoreSelector(); targetConstraints.Subject = finalCert.SubjectDN; PkixBuilderParameters parameters = new PkixBuilderParameters(trust, targetConstraints); // parameters.addCertStore(store); parameters.AddStore(x509CertStore); parameters.AddStore(x509CrlStore); parameters.Date = new DateTimeObject(validDate); PkixCertPathBuilderResult result = cpb.Build(parameters); PkixCertPath path = result.CertPath; if (path.Certificates.Count != 2) { Fail("wrong number of certs in baseTest path"); } }
protected override void SetParams(PkixParameters parameters) { base.SetParams(parameters); if (parameters is PkixBuilderParameters) { PkixBuilderParameters pkixBuilderParameters = (PkixBuilderParameters)parameters; maxPathLength = pkixBuilderParameters.maxPathLength; excludedCerts = new HashSet(pkixBuilderParameters.excludedCerts); } }
/** * Build and validate a CertPath using the given parameter. * * @param params PKIXBuilderParameters object containing all information to * build the CertPath */ public virtual PkixCertPathBuilderResult Build( PkixBuilderParameters pkixParams) { // search target certificates IX509Selector certSelect = pkixParams.GetTargetCertConstraints(); if (!(certSelect is X509CertStoreSelector)) { throw new PkixCertPathBuilderException( "TargetConstraints must be an instance of " + typeof(X509CertStoreSelector).FullName + " for " + this.GetType() + " class."); } ISet targets = new HashSet(); try { targets.AddAll(PkixCertPathValidatorUtilities.FindCertificates((X509CertStoreSelector)certSelect, pkixParams.GetStores())); // TODO Should this include an entry for pkixParams.GetAdditionalStores() too? } catch (Exception e) { throw new PkixCertPathBuilderException( "Error finding target certificate.", e); } if (targets.IsEmpty) throw new PkixCertPathBuilderException("No certificate found matching targetContraints."); PkixCertPathBuilderResult result = null; IList certPathList = Platform.CreateArrayList(); // check all potential target certificates foreach (X509Certificate cert in targets) { result = Build(cert, pkixParams, certPathList); if (result != null) break; } if (result == null && certPathException != null) { throw new PkixCertPathBuilderException(certPathException.Message, certPathException.InnerException); } if (result == null && certPathException == null) { throw new PkixCertPathBuilderException("Unable to find certificate chain."); } return result; }
public virtual PkixCertPathBuilderResult Build(PkixBuilderParameters pkixParams) { IX509Selector targetCertConstraints = pkixParams.GetTargetCertConstraints(); if (!(targetCertConstraints is X509CertStoreSelector)) { throw new PkixCertPathBuilderException(string.Concat(new object[] { "TargetConstraints must be an instance of ", typeof(X509CertStoreSelector).FullName, " for ", base.GetType(), " class." })); } ISet set = new HashSet(); try { set.AddAll(PkixCertPathValidatorUtilities.FindCertificates((X509CertStoreSelector)targetCertConstraints, pkixParams.GetStores())); } catch (Exception exception) { throw new PkixCertPathBuilderException("Error finding target certificate.", exception); } if (set.IsEmpty) { throw new PkixCertPathBuilderException("No certificate found matching targetContraints."); } PkixCertPathBuilderResult pkixCertPathBuilderResult = null; IList tbvPath = Platform.CreateArrayList(); foreach (X509Certificate tbvCert in set) { pkixCertPathBuilderResult = this.Build(tbvCert, pkixParams, tbvPath); if (pkixCertPathBuilderResult != null) { break; } } if (pkixCertPathBuilderResult == null && this.certPathException != null) { throw new PkixCertPathBuilderException(this.certPathException.Message, this.certPathException.InnerException); } if (pkixCertPathBuilderResult == null && this.certPathException == null) { throw new PkixCertPathBuilderException("Unable to find certificate chain."); } return(pkixCertPathBuilderResult); }
internal static ICollection FindIssuerCerts(X509Certificate cert, PkixBuilderParameters pkixParams) { X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector(); ISet set = new HashSet(); try { x509CertStoreSelector.Subject = cert.IssuerDN; } catch (IOException innerException) { throw new Exception("Subject criteria for certificate selector to find issuer certificate could not be set.", innerException); } try { set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores())); set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetAdditionalStores())); } catch (Exception innerException2) { throw new Exception("Issuer certificate cannot be searched.", innerException2); } return(set); }
/** * Build and validate a CertPath using the given parameter. * * @param params PKIXBuilderParameters object containing all information to * build the CertPath */ public virtual PkixCertPathBuilderResult Build( PkixBuilderParameters pkixParams) { // search target certificates IX509Selector certSelect = pkixParams.GetTargetConstraints(); if (!(certSelect is X509AttrCertStoreSelector)) { throw new PkixCertPathBuilderException( "TargetConstraints must be an instance of " + typeof(X509AttrCertStoreSelector).FullName + " for " + typeof(PkixAttrCertPathBuilder).FullName + " class."); } ICollection targets; try { targets = PkixCertPathValidatorUtilities.FindCertificates( (X509AttrCertStoreSelector)certSelect, pkixParams.GetStores()); } catch (Exception e) { throw new PkixCertPathBuilderException("Error finding target attribute certificate.", e); } if (targets.Count == 0) { throw new PkixCertPathBuilderException( "No attribute certificate found matching targetContraints."); } PkixCertPathBuilderResult result = null; // check all potential target certificates foreach (IX509AttributeCertificate cert in targets) { X509CertStoreSelector selector = new X509CertStoreSelector(); X509Name[] principals = cert.Issuer.GetPrincipals(); ISet issuers = new HashSet(); for (int i = 0; i < principals.Length; i++) { try { selector.Subject = principals[i]; issuers.AddAll(PkixCertPathValidatorUtilities.FindCertificates(selector, pkixParams.GetStores())); } catch (Exception e) { throw new PkixCertPathBuilderException( "Public key certificate for attribute certificate cannot be searched.", e); } } if (issuers.IsEmpty) throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be found."); IList certPathList = Platform.CreateArrayList(); foreach (X509Certificate issuer in issuers) { result = Build(cert, issuer, pkixParams, certPathList); if (result != null) break; } if (result != null) break; } if (result == null && certPathException != null) { throw new PkixCertPathBuilderException( "Possible certificate chain could not be validated.", certPathException); } if (result == null && certPathException == null) { throw new PkixCertPathBuilderException( "Unable to find certificate chain."); } return result; }
private PkixCertPathBuilderResult Build( IX509AttributeCertificate attrCert, X509Certificate tbvCert, PkixBuilderParameters pkixParams, IList tbvPath) { // If tbvCert is readily present in tbvPath, it indicates having run // into a cycle in the // PKI graph. if (tbvPath.Contains(tbvCert)) return null; // step out, the certificate is not allowed to appear in a certification // chain if (pkixParams.GetExcludedCerts().Contains(tbvCert)) return null; // test if certificate path exceeds maximum length if (pkixParams.MaxPathLength != -1) { if (tbvPath.Count - 1 > pkixParams.MaxPathLength) return null; } tbvPath.Add(tbvCert); PkixCertPathBuilderResult builderResult = null; // X509CertificateParser certParser = new X509CertificateParser(); PkixAttrCertPathValidator validator = new PkixAttrCertPathValidator(); try { // check whether the issuer of <tbvCert> is a TrustAnchor if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null) { PkixCertPath certPath = new PkixCertPath(tbvPath); PkixCertPathValidatorResult result; try { result = validator.Validate(certPath, pkixParams); } catch (Exception e) { throw new Exception("Certification path could not be validated.", e); } return new PkixCertPathBuilderResult(certPath, result.TrustAnchor, result.PolicyTree, result.SubjectPublicKey); } else { // add additional X.509 stores from locations in certificate try { PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams); } catch (CertificateParsingException e) { throw new Exception("No additional X.509 stores can be added from certificate locations.", e); } // try to get the issuer certificate from one of the stores ISet issuers = new HashSet(); try { issuers.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams)); } catch (Exception e) { throw new Exception("Cannot find issuer certificate for certificate in certification path.", e); } if (issuers.IsEmpty) throw new Exception("No issuer certificate for certificate in certification path found."); foreach (X509Certificate issuer in issuers) { // if untrusted self signed certificate continue if (PkixCertPathValidatorUtilities.IsSelfIssued(issuer)) continue; builderResult = Build(attrCert, issuer, pkixParams, tbvPath); if (builderResult != null) break; } } } catch (Exception e) { certPathException = new Exception("No valid certification path could be build.", e); } if (builderResult == null) { tbvPath.Remove(tbvCert); } return builderResult; }
private void doTestExceptions() { byte[] enc = { (byte)0, (byte)2, (byte)3, (byte)4, (byte)5 }; // MyCertPath mc = new MyCertPath(enc); MemoryStream os = new MemoryStream(); MemoryStream ins; byte[] arr; // TODO Support serialization of cert paths? // ObjectOutputStream oos = new ObjectOutputStream(os); // oos.WriteObject(mc); // oos.Flush(); // oos.Close(); try { // CertificateFactory cFac = CertificateFactory.GetInstance("X.509"); arr = os.ToArray(); ins = new MemoryStream(arr, false); // cFac.generateCertPath(ins); new PkixCertPath(ins); } catch (CertificateException) { // ignore okay } // CertificateFactory cf = CertificateFactory.GetInstance("X.509"); X509CertificateParser cf = new X509CertificateParser(); IList certCol = new ArrayList(); certCol.Add(cf.ReadCertificate(certA)); certCol.Add(cf.ReadCertificate(certB)); certCol.Add(cf.ReadCertificate(certC)); certCol.Add(cf.ReadCertificate(certD)); // CertPathBuilder pathBuilder = CertPathBuilder.GetInstance("PKIX"); PkixCertPathBuilder pathBuilder = new PkixCertPathBuilder(); X509CertStoreSelector select = new X509CertStoreSelector(); select.Subject = ((X509Certificate)certCol[0]).SubjectDN; ISet trustanchors = new HashSet(); trustanchors.Add(new TrustAnchor(cf.ReadCertificate(rootCertBin), null)); // CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certCol)); IX509Store x509CertStore = X509StoreFactory.Create( "Certificate/Collection", new X509CollectionStoreParameters(certCol)); PkixBuilderParameters parameters = new PkixBuilderParameters(trustanchors, select); parameters.AddStore(x509CertStore); try { PkixCertPathBuilderResult result = pathBuilder.Build(parameters); PkixCertPath path = result.CertPath; Fail("found cert path in circular set"); } catch (PkixCertPathBuilderException) { // expected } }
//jbonilla - Por algún motivo, no devuleve el certificado root. public static X509Certificate[] BuildCertificateChainBC(X509Certificate checkCert, ICollection<X509Certificate> keystore) { PkixCertPathBuilder builder = new PkixCertPathBuilder(); // Separate root from itermediate List<X509Certificate> intermediateCerts = new List<X509Certificate>(); HashSet rootCerts = new HashSet(); foreach (X509Certificate cert in keystore) { // Separate root and subordinate certificates if (IsSelfSigned(cert)) rootCerts.Add(new TrustAnchor(cert, null)); else intermediateCerts.Add(cert); } // Create chain for this certificate X509CertStoreSelector holder = new X509CertStoreSelector(); holder.Certificate = checkCert; // WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN intermediateCerts.Add(holder.Certificate); PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder); builderParams.IsRevocationEnabled = false; X509CollectionStoreParameters intermediateStoreParameters = new X509CollectionStoreParameters(intermediateCerts); builderParams.AddStore(X509StoreFactory.Create( "Certificate/Collection", intermediateStoreParameters)); PkixCertPathBuilderResult result = builder.Build(builderParams); List<X509Certificate> chain = new List<X509Certificate>(); foreach(X509Certificate cert in result.CertPath.Certificates) { chain.Add(cert); } return chain.ToArray(); }
private PkixCertPathBuilderResult Build(IX509AttributeCertificate attrCert, X509Certificate tbvCert, PkixBuilderParameters pkixParams, IList tbvPath) { if (tbvPath.Contains(tbvCert)) { return(null); } if (pkixParams.GetExcludedCerts().Contains(tbvCert)) { return(null); } if (pkixParams.MaxPathLength != -1 && tbvPath.Count - 1 > pkixParams.MaxPathLength) { return(null); } tbvPath.Add(tbvCert); PkixCertPathBuilderResult pkixCertPathBuilderResult = null; PkixAttrCertPathValidator pkixAttrCertPathValidator = new PkixAttrCertPathValidator(); try { if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null) { PkixCertPath certPath = new PkixCertPath(tbvPath); PkixCertPathValidatorResult pkixCertPathValidatorResult; try { pkixCertPathValidatorResult = pkixAttrCertPathValidator.Validate(certPath, pkixParams); } catch (Exception innerException) { throw new Exception("Certification path could not be validated.", innerException); } return(new PkixCertPathBuilderResult(certPath, pkixCertPathValidatorResult.TrustAnchor, pkixCertPathValidatorResult.PolicyTree, pkixCertPathValidatorResult.SubjectPublicKey)); } try { PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams); } catch (CertificateParsingException innerException2) { throw new Exception("No additional X.509 stores can be added from certificate locations.", innerException2); } ISet set = new HashSet(); try { set.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams)); } catch (Exception innerException3) { throw new Exception("Cannot find issuer certificate for certificate in certification path.", innerException3); } if (set.IsEmpty) { throw new Exception("No issuer certificate for certificate in certification path found."); } foreach (X509Certificate x509Certificate in set) { if (!PkixCertPathValidatorUtilities.IsSelfIssued(x509Certificate)) { pkixCertPathBuilderResult = this.Build(attrCert, x509Certificate, pkixParams, tbvPath); if (pkixCertPathBuilderResult != null) { break; } } } } catch (Exception innerException4) { this.certPathException = new Exception("No valid certification path could be build.", innerException4); } if (pkixCertPathBuilderResult == null) { tbvPath.Remove(tbvCert); } return(pkixCertPathBuilderResult); }
/** * Searches for a holder public key certificate and verifies its * certification path. * * @param attrCert the attribute certificate. * @param pkixParams The PKIX parameters. * @return The certificate path of the holder certificate. * @throws Exception if * <ul> * <li>no public key certificate can be found although holder * information is given by an entity name or a base certificate * ID</li> * <li>support classes cannot be created</li> * <li>no certification path for the public key certificate can * be built</li> * </ul> */ internal static PkixCertPath ProcessAttrCert1( IX509AttributeCertificate attrCert, PkixParameters pkixParams) { PkixCertPathBuilderResult result = null; // find holder PKCs ISet holderPKCs = new HashSet(); if (attrCert.Holder.GetIssuer() != null) { X509CertStoreSelector selector = new X509CertStoreSelector(); selector.SerialNumber = attrCert.Holder.SerialNumber; X509Name[] principals = attrCert.Holder.GetIssuer(); for (int i = 0; i < principals.Length; i++) { try { // if (principals[i] is X500Principal) { selector.Issuer = principals[i]; } holderPKCs.AddAll(PkixCertPathValidatorUtilities .FindCertificates(selector, pkixParams.GetStores())); } catch (Exception e) { throw new PkixCertPathValidatorException( "Public key certificate for attribute certificate cannot be searched.", e); } } if (holderPKCs.IsEmpty) { throw new PkixCertPathValidatorException( "Public key certificate specified in base certificate ID for attribute certificate cannot be found."); } } if (attrCert.Holder.GetEntityNames() != null) { X509CertStoreSelector selector = new X509CertStoreSelector(); X509Name[] principals = attrCert.Holder.GetEntityNames(); for (int i = 0; i < principals.Length; i++) { try { // if (principals[i] is X500Principal) { selector.Issuer = principals[i]; } holderPKCs.AddAll(PkixCertPathValidatorUtilities .FindCertificates(selector, pkixParams.GetStores())); } catch (Exception e) { throw new PkixCertPathValidatorException( "Public key certificate for attribute certificate cannot be searched.", e); } } if (holderPKCs.IsEmpty) { throw new PkixCertPathValidatorException( "Public key certificate specified in entity name for attribute certificate cannot be found."); } } // verify cert paths for PKCs PkixBuilderParameters parameters = (PkixBuilderParameters) PkixBuilderParameters.GetInstance(pkixParams); PkixCertPathValidatorException lastException = null; foreach (X509Certificate cert in holderPKCs) { X509CertStoreSelector selector = new X509CertStoreSelector(); selector.Certificate = cert; parameters.SetTargetConstraints(selector); PkixCertPathBuilder builder = new PkixCertPathBuilder(); try { result = builder.Build(PkixBuilderParameters.GetInstance(parameters)); } catch (PkixCertPathBuilderException e) { lastException = new PkixCertPathValidatorException( "Certification path for public key certificate of attribute certificate could not be build.", e); } } if (lastException != null) { throw lastException; } return(result.CertPath); }
protected virtual PkixCertPathBuilderResult Build( X509Certificate tbvCert, PkixBuilderParameters pkixParams, IList tbvPath) { // If tbvCert is readily present in tbvPath, it indicates having run // into a cycle in the PKI graph. if (tbvPath.Contains(tbvCert)) { return(null); } // step out, the certificate is not allowed to appear in a certification // chain. if (pkixParams.GetExcludedCerts().Contains(tbvCert)) { return(null); } // test if certificate path exceeds maximum length if (pkixParams.MaxPathLength != -1) { if (tbvPath.Count - 1 > pkixParams.MaxPathLength) { return(null); } } tbvPath.Add(tbvCert); X509CertificateParser certParser = new X509CertificateParser(); PkixCertPathBuilderResult builderResult = null; PkixCertPathValidator validator = new PkixCertPathValidator(); try { // check whether the issuer of <tbvCert> is a TrustAnchor if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null) { // exception message from possibly later tried certification // chains PkixCertPath certPath = null; try { certPath = new PkixCertPath(tbvPath); } catch (Exception e) { throw new Exception( "Certification path could not be constructed from certificate list.", e); } PkixCertPathValidatorResult result = null; try { result = (PkixCertPathValidatorResult)validator.Validate( certPath, pkixParams); } catch (Exception e) { throw new Exception( "Certification path could not be validated.", e); } return(new PkixCertPathBuilderResult(certPath, result.TrustAnchor, result.PolicyTree, result.SubjectPublicKey)); } else { // add additional X.509 stores from locations in certificate try { PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames( tbvCert, pkixParams); } catch (CertificateParsingException e) { throw new Exception( "No additiontal X.509 stores can be added from certificate locations.", e); } // try to get the issuer certificate from one of the stores HashSet issuers = new HashSet(); try { issuers.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams)); } catch (Exception e) { throw new Exception( "Cannot find issuer certificate for certificate in certification path.", e); } if (issuers.IsEmpty) { throw new Exception("No issuer certificate for certificate in certification path found."); } foreach (X509Certificate issuer in issuers) { builderResult = Build(issuer, pkixParams, tbvPath); if (builderResult != null) { break; } } } } catch (Exception e) { certPathException = e; } if (builderResult == null) { tbvPath.Remove(tbvCert); } return(builderResult); }
private string TestPolicies( int index, X509Certificate trustCert, X509Certificate intCert, X509Certificate endCert, ISet requirePolicies, bool okay) { ISet trust = new HashSet(); trust.Add(new TrustAnchor(trustCert, null)); X509CertStoreSelector targetConstraints = new X509CertStoreSelector(); targetConstraints.Subject = endCert.SubjectDN; PkixBuilderParameters pbParams = new PkixBuilderParameters(trust, targetConstraints); ISet certs = new HashSet(); certs.Add(intCert); certs.Add(endCert); IX509Store store = X509StoreFactory.Create( "CERTIFICATE/COLLECTION", new X509CollectionStoreParameters(certs)); pbParams.AddStore(store); pbParams.IsRevocationEnabled = false; if (requirePolicies != null) { pbParams.IsExplicitPolicyRequired = true; pbParams.SetInitialPolicies(requirePolicies); } // CertPathBuilder cpb = CertPathBuilder.GetInstance("PKIX"); PkixCertPathBuilder cpb = new PkixCertPathBuilder(); PkixCertPathBuilderResult result = null; try { result = (PkixCertPathBuilderResult)cpb.Build(pbParams); if (!okay) { Fail(index + ": path validated when failure expected."); } // if (result.getPolicyTree() != null) // { // Console.WriteLine("OK"); // Console.WriteLine("policy: " + result.getPolicyTree()); // } // else // { // Console.WriteLine("OK: policy tree = null"); // } return ""; } catch (TestFailedException e) { throw e; } catch (Exception e) { if (okay) { Fail(index + ": path failed to validate when success expected."); } Exception ee = e.InnerException; if (ee != null) { return ee.Message; } return e.Message; } }
public virtual PkixCertPathBuilderResult Build(PkixBuilderParameters pkixParams) { IX509Selector targetCertConstraints = pkixParams.GetTargetCertConstraints(); if (!(targetCertConstraints is X509CertStoreSelector)) { throw new PkixCertPathBuilderException(string.Concat(new string[5] { "TargetConstraints must be an instance of ", typeof(X509CertStoreSelector).get_FullName(), " for ", Platform.GetTypeName(this), " class." })); } ISet set = new HashSet(); try { set.AddAll((global::System.Collections.IEnumerable)PkixCertPathValidatorUtilities.FindCertificates((X509CertStoreSelector)targetCertConstraints, pkixParams.GetStores())); } catch (global::System.Exception exception) { throw new PkixCertPathBuilderException("Error finding target certificate.", exception); } if (set.IsEmpty) { throw new PkixCertPathBuilderException("No certificate found matching targetContraints."); } PkixCertPathBuilderResult pkixCertPathBuilderResult = null; global::System.Collections.IList tbvPath = Platform.CreateArrayList(); global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)set).GetEnumerator(); try { while (enumerator.MoveNext()) { X509Certificate tbvCert = (X509Certificate)enumerator.get_Current(); pkixCertPathBuilderResult = Build(tbvCert, pkixParams, tbvPath); if (pkixCertPathBuilderResult != null) { break; } } } finally { global::System.IDisposable disposable = enumerator as global::System.IDisposable; if (disposable != null) { disposable.Dispose(); } } if (pkixCertPathBuilderResult == null && certPathException != null) { throw new PkixCertPathBuilderException(certPathException.get_Message(), certPathException.get_InnerException()); } if (pkixCertPathBuilderResult == null && certPathException == null) { throw new PkixCertPathBuilderException("Unable to find certificate chain."); } return(pkixCertPathBuilderResult); }
internal static PkixCertPath ProcessAttrCert1(IX509AttributeCertificate attrCert, PkixParameters pkixParams) { PkixCertPathBuilderResult pkixCertPathBuilderResult = null; ISet set = new HashSet(); if (attrCert.Holder.GetIssuer() != null) { X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector(); x509CertStoreSelector.SerialNumber = attrCert.Holder.SerialNumber; X509Name[] issuer = attrCert.Holder.GetIssuer(); for (int i = 0; i < issuer.Length; i++) { try { x509CertStoreSelector.Issuer = issuer[i]; set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores())); } catch (Exception cause) { throw new PkixCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", cause); } } if (set.IsEmpty) { throw new PkixCertPathValidatorException("Public key certificate specified in base certificate ID for attribute certificate cannot be found."); } } if (attrCert.Holder.GetEntityNames() != null) { X509CertStoreSelector x509CertStoreSelector2 = new X509CertStoreSelector(); X509Name[] entityNames = attrCert.Holder.GetEntityNames(); for (int j = 0; j < entityNames.Length; j++) { try { x509CertStoreSelector2.Issuer = entityNames[j]; set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector2, pkixParams.GetStores())); } catch (Exception cause2) { throw new PkixCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", cause2); } } if (set.IsEmpty) { throw new PkixCertPathValidatorException("Public key certificate specified in entity name for attribute certificate cannot be found."); } } PkixBuilderParameters instance = PkixBuilderParameters.GetInstance(pkixParams); PkixCertPathValidatorException ex = null; foreach (X509Certificate certificate in set) { instance.SetTargetConstraints(new X509CertStoreSelector { Certificate = certificate }); PkixCertPathBuilder pkixCertPathBuilder = new PkixCertPathBuilder(); try { pkixCertPathBuilderResult = pkixCertPathBuilder.Build(PkixBuilderParameters.GetInstance(instance)); } catch (PkixCertPathBuilderException cause3) { ex = new PkixCertPathValidatorException("Certification path for public key certificate of attribute certificate could not be build.", cause3); } } if (ex != null) { throw ex; } return(pkixCertPathBuilderResult.CertPath); }
/// <summary> /// Builds certification path for provided signing certificate /// </summary> /// <param name="signingCertificate">Signing certificate</param> /// <param name="otherCertificates">Other certificates that should be used in path building process. Self-signed certificates from this list are used as trust anchors.</param> /// <param name="includeRoot">Flag indicating whether root certificate should be included int the certification path.</param> /// <returns>Certification path for provided signing certificate</returns> public static ICollection<BCX509.X509Certificate> BuildCertPath(byte[] signingCertificate, List<byte[]> otherCertificates, bool includeRoot) { if (signingCertificate == null) throw new ArgumentNullException("signingCertificate"); List<BCX509.X509Certificate> result = new List<BCX509.X509Certificate>(); BCX509.X509Certificate signingCert = ToBouncyCastleObject(signingCertificate); BCCollections.ISet trustAnchors = new BCCollections.HashSet(); List<BCX509.X509Certificate> otherCerts = new List<BCX509.X509Certificate>(); if (IsSelfSigned(signingCert)) { if (includeRoot) result.Add(signingCert); } else { otherCerts.Add(signingCert); if (otherCertificates != null) { foreach (byte[] otherCertificate in otherCertificates) { BCX509.X509Certificate otherCert = ToBouncyCastleObject(otherCertificate); otherCerts.Add(ToBouncyCastleObject(otherCertificate)); if (IsSelfSigned(otherCert)) trustAnchors.Add(new TrustAnchor(otherCert, null)); } } if (trustAnchors.Count < 1) throw new PkixCertPathBuilderException("Provided certificates do not contain self-signed root certificate"); X509CertStoreSelector targetConstraints = new X509CertStoreSelector(); targetConstraints.Certificate = signingCert; PkixBuilderParameters certPathBuilderParameters = new PkixBuilderParameters(trustAnchors, targetConstraints); certPathBuilderParameters.AddStore(X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(otherCerts))); certPathBuilderParameters.IsRevocationEnabled = false; PkixCertPathBuilder certPathBuilder = new PkixCertPathBuilder(); PkixCertPathBuilderResult certPathBuilderResult = certPathBuilder.Build(certPathBuilderParameters); foreach (BCX509.X509Certificate certPathCert in certPathBuilderResult.CertPath.Certificates) result.Add(certPathCert); if (includeRoot) result.Add(certPathBuilderResult.TrustAnchor.TrustedCert); } return result; }
private static IReadOnlyCollection<X509Certificate> GetChain([NotNull] X509Certificate cert, [CanBeNull] IReadOnlyList<X509Certificate> certs) { var certList = new List<X509Certificate>(); if (certs != null) certList.AddRange(certs); certList.Add(cert); var certStore = X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(certList)); var rootCerts = certs.Where(IsSelfSigned).ToList(); var trustAnchors = rootCerts.Select(x => new TrustAnchor(x, null)); var trust = new HashSet(trustAnchors); var cpb = new PkixCertPathBuilder(); var targetConstraints = new X509CertStoreSelector() { Certificate = cert, }; var parameters = new PkixBuilderParameters(trust, targetConstraints) { IsRevocationEnabled = false, }; parameters.AddStore(certStore); var cpbResult = cpb.Build(parameters); var result = new List<X509Certificate>(); result.AddRange(cpbResult.CertPath.Certificates.Cast<X509Certificate>()); result.Add(cpbResult.TrustAnchor.TrustedCert); return result; }
private void Test(string _name, string[] _data, ISet _ipolset, bool _explicit, bool _accept, bool _debug) { testCount++; bool _pass = true; try { // CertPathBuilder _cpb = CertPathBuilder.GetInstance("PKIX"); PkixCertPathBuilder _cpb = new PkixCertPathBuilder(); X509Certificate _ee = DecodeCertificate(_data[_data.Length - 1]); X509CertStoreSelector _select = new X509CertStoreSelector(); _select.Subject = _ee.SubjectDN; IX509Store certStore, crlStore; MakeCertStore(_data, out certStore, out crlStore); PkixBuilderParameters _param = new PkixBuilderParameters( trustedSet, _select); _param.IsExplicitPolicyRequired = _explicit; _param.AddStore(certStore); _param.AddStore(crlStore); _param.IsRevocationEnabled = true; if (_ipolset != null) { _param.SetInitialPolicies(_ipolset); } PkixCertPathBuilderResult _result = _cpb.Build(_param); if (!_accept) { _pass = false; testFail.Add(_name); } } catch (Exception) { if (_accept) { _pass = false; testFail.Add(_name); } } resultBuf.Append("NISTCertPathTest -- ").Append(_name).Append(": ") .Append(_pass ? "\n" : "Failed.\n"); }
static IEnumerable<Org.BouncyCastle.X509.X509Certificate> BuildCertificateChainBC(byte[] primary, IEnumerable<byte[]> additional) { X509CertificateParser parser = new X509CertificateParser(); PkixCertPathBuilder builder = new PkixCertPathBuilder(); // Separate root from itermediate var intermediateCerts = new List<Org.BouncyCastle.X509.X509Certificate>(); HashSet rootCerts = new HashSet(); foreach (byte[] cert in additional) { var x509Cert = parser.ReadCertificate(cert); // Separate root and subordinate certificates if (x509Cert.IssuerDN.Equivalent(x509Cert.SubjectDN)) rootCerts.Add(new TrustAnchor(x509Cert, null)); else intermediateCerts.Add(x509Cert); } // Create chain for this certificate X509CertStoreSelector holder = new X509CertStoreSelector(); holder.Certificate = parser.ReadCertificate(primary); // WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN intermediateCerts.Add(holder.Certificate); PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder); builderParams.IsRevocationEnabled = false; X509CollectionStoreParameters intermediateStoreParameters = new X509CollectionStoreParameters(intermediateCerts); builderParams.AddStore(X509StoreFactory.Create( "Certificate/Collection", intermediateStoreParameters)); PkixCertPathBuilderResult result = builder.Build(builderParams); return result.CertPath.Certificates.Cast<Org.BouncyCastle.X509.X509Certificate>(); }
private PkixCertPathBuilderResult doBuilderTest( string trustAnchor, string[] certs, string[] crls, ISet initialPolicies, bool policyMappingInhibited, bool anyPolicyInhibited) { ISet trustedSet = new HashSet(); trustedSet.Add(GetTrustAnchor(trustAnchor)); IList x509Certs = new ArrayList(); IList x509Crls = new ArrayList(); X509Certificate endCert = LoadCert(certs[certs.Length - 1]); for (int i = 0; i != certs.Length - 1; i++) { x509Certs.Add(LoadCert(certs[i])); } x509Certs.Add(endCert); for (int i = 0; i != crls.Length; i++) { x509Crls.Add(LoadCrl(crls[i])); } IX509Store x509CertStore = X509StoreFactory.Create( "Certificate/Collection", new X509CollectionStoreParameters(x509Certs)); IX509Store x509CrlStore = X509StoreFactory.Create( "CRL/Collection", new X509CollectionStoreParameters(x509Crls)); // CertPathBuilder builder = CertPathBuilder.GetInstance("PKIX"); PkixCertPathBuilder builder = new PkixCertPathBuilder(); X509CertStoreSelector endSelector = new X509CertStoreSelector(); endSelector.Certificate = endCert; PkixBuilderParameters builderParams = new PkixBuilderParameters(trustedSet, endSelector); if (initialPolicies != null) { builderParams.SetInitialPolicies(initialPolicies); builderParams.IsExplicitPolicyRequired = true; } if (policyMappingInhibited) { builderParams.IsPolicyMappingInhibited = policyMappingInhibited; } if (anyPolicyInhibited) { builderParams.IsAnyPolicyInhibited = anyPolicyInhibited; } builderParams.AddStore(x509CertStore); builderParams.AddStore(x509CrlStore); // Perform validation as of this date since test certs expired builderParams.Date = new DateTimeObject(DateTime.Parse("1/1/2011")); try { return (PkixCertPathBuilderResult) builder.Build(builderParams); } catch (PkixCertPathBuilderException e) { throw e.InnerException; } }
internal static global::System.Collections.ICollection FindIssuerCerts(X509Certificate cert, PkixBuilderParameters pkixParams) { //IL_001b: Expected O, but got Unknown X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector(); ISet set = new HashSet(); try { x509CertStoreSelector.Subject = cert.IssuerDN; } catch (IOException val) { IOException val2 = val; throw new global::System.Exception("Subject criteria for certificate selector to find issuer certificate could not be set.", (global::System.Exception)(object) val2); } try { set.AddAll((global::System.Collections.IEnumerable)FindCertificates(x509CertStoreSelector, pkixParams.GetStores())); set.AddAll((global::System.Collections.IEnumerable)FindCertificates(x509CertStoreSelector, pkixParams.GetAdditionalStores())); return(set); } catch (global::System.Exception ex) { throw new global::System.Exception("Issuer certificate cannot be searched.", ex); } }
private PkixCertPathBuilderResult Build(IX509AttributeCertificate attrCert, X509Certificate tbvCert, PkixBuilderParameters pkixParams, global::System.Collections.IList tbvPath) { if (tbvPath.Contains((object)tbvCert)) { return(null); } if (pkixParams.GetExcludedCerts().Contains(tbvCert)) { return(null); } if (pkixParams.MaxPathLength != -1 && ((global::System.Collections.ICollection)tbvPath).get_Count() - 1 > pkixParams.MaxPathLength) { return(null); } tbvPath.Add((object)tbvCert); PkixCertPathBuilderResult pkixCertPathBuilderResult = null; PkixAttrCertPathValidator pkixAttrCertPathValidator = new PkixAttrCertPathValidator(); try { if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null) { PkixCertPath certPath = new PkixCertPath((global::System.Collections.ICollection)tbvPath); PkixCertPathValidatorResult pkixCertPathValidatorResult; try { pkixCertPathValidatorResult = pkixAttrCertPathValidator.Validate(certPath, pkixParams); } catch (global::System.Exception ex) { throw new global::System.Exception("Certification path could not be validated.", ex); } return(new PkixCertPathBuilderResult(certPath, pkixCertPathValidatorResult.TrustAnchor, pkixCertPathValidatorResult.PolicyTree, pkixCertPathValidatorResult.SubjectPublicKey)); } try { PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams); } catch (CertificateParsingException ex2) { throw new global::System.Exception("No additional X.509 stores can be added from certificate locations.", (global::System.Exception)ex2); } ISet set = new HashSet(); try { set.AddAll((global::System.Collections.IEnumerable)PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams)); } catch (global::System.Exception ex3) { throw new global::System.Exception("Cannot find issuer certificate for certificate in certification path.", ex3); } if (set.IsEmpty) { throw new global::System.Exception("No issuer certificate for certificate in certification path found."); } global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)set).GetEnumerator(); try { while (enumerator.MoveNext()) { X509Certificate x509Certificate = (X509Certificate)enumerator.get_Current(); if (!PkixCertPathValidatorUtilities.IsSelfIssued(x509Certificate)) { pkixCertPathBuilderResult = Build(attrCert, x509Certificate, pkixParams, tbvPath); if (pkixCertPathBuilderResult != null) { break; } } } } finally { global::System.IDisposable disposable = enumerator as global::System.IDisposable; if (disposable != null) { disposable.Dispose(); } } } catch (global::System.Exception ex4) { certPathException = new global::System.Exception("No valid certification path could be build.", ex4); } if (pkixCertPathBuilderResult == null) { tbvPath.Remove((object)tbvCert); } return(pkixCertPathBuilderResult); }
/** * Find the issuer certificates of a given certificate. * * @param cert * The certificate for which an issuer should be found. * @param pkixParams * @return A <code>Collection</code> object containing the issuer * <code>X509Certificate</code>s. Never <code>null</code>. * * @exception Exception * if an error occurs. */ internal static ICollection FindIssuerCerts( X509Certificate cert, PkixBuilderParameters pkixParams) { X509CertStoreSelector certSelect = new X509CertStoreSelector(); ISet certs = new HashSet(); try { certSelect.Subject = cert.IssuerDN; } catch (IOException ex) { throw new Exception( "Subject criteria for certificate selector to find issuer certificate could not be set.", ex); } try { certs.AddAll(PkixCertPathValidatorUtilities.FindCertificates(certSelect, pkixParams.GetStores())); certs.AddAll(PkixCertPathValidatorUtilities.FindCertificates(certSelect, pkixParams.GetAdditionalStores())); } catch (Exception e) { throw new Exception("Issuer certificate cannot be searched.", e); } return certs; }
public virtual PkixCertPathBuilderResult Build(PkixBuilderParameters pkixParams) { IX509Selector targetConstraints = pkixParams.GetTargetConstraints(); if (!(targetConstraints is X509AttrCertStoreSelector)) { throw new PkixCertPathBuilderException(string.Concat(new string[5] { "TargetConstraints must be an instance of ", typeof(X509AttrCertStoreSelector).get_FullName(), " for ", typeof(PkixAttrCertPathBuilder).get_FullName(), " class." })); } global::System.Collections.ICollection collection; try { collection = PkixCertPathValidatorUtilities.FindCertificates((X509AttrCertStoreSelector)targetConstraints, pkixParams.GetStores()); } catch (global::System.Exception exception) { throw new PkixCertPathBuilderException("Error finding target attribute certificate.", exception); } if (collection.get_Count() == 0) { throw new PkixCertPathBuilderException("No attribute certificate found matching targetContraints."); } PkixCertPathBuilderResult pkixCertPathBuilderResult = null; global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)collection).GetEnumerator(); try { while (enumerator.MoveNext()) { IX509AttributeCertificate iX509AttributeCertificate = (IX509AttributeCertificate)enumerator.get_Current(); X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector(); X509Name[] principals = iX509AttributeCertificate.Issuer.GetPrincipals(); ISet set = new HashSet(); for (int i = 0; i < principals.Length; i++) { try { x509CertStoreSelector.Subject = principals[i]; set.AddAll((global::System.Collections.IEnumerable)PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores())); } catch (global::System.Exception exception2) { throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be searched.", exception2); } } if (set.IsEmpty) { throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be found."); } global::System.Collections.IList tbvPath = Platform.CreateArrayList(); { global::System.Collections.IEnumerator enumerator2 = ((global::System.Collections.IEnumerable)set).GetEnumerator(); try { while (enumerator2.MoveNext()) { X509Certificate tbvCert = (X509Certificate)enumerator2.get_Current(); pkixCertPathBuilderResult = Build(iX509AttributeCertificate, tbvCert, pkixParams, tbvPath); if (pkixCertPathBuilderResult != null) { break; } } } finally { global::System.IDisposable disposable2 = enumerator2 as global::System.IDisposable; if (disposable2 != null) { disposable2.Dispose(); } } } if (pkixCertPathBuilderResult != null) { break; } } } finally { global::System.IDisposable disposable = enumerator as global::System.IDisposable; if (disposable != null) { disposable.Dispose(); } } if (pkixCertPathBuilderResult == null && certPathException != null) { throw new PkixCertPathBuilderException("Possible certificate chain could not be validated.", certPathException); } if (pkixCertPathBuilderResult == null && certPathException == null) { throw new PkixCertPathBuilderException("Unable to find certificate chain."); } return(pkixCertPathBuilderResult); }
public virtual PkixCertPathBuilderResult Build(PkixBuilderParameters pkixParams) { IX509Selector targetConstraints = pkixParams.GetTargetConstraints(); if (!(targetConstraints is X509AttrCertStoreSelector)) { throw new PkixCertPathBuilderException(string.Concat(new string[] { "TargetConstraints must be an instance of ", typeof(X509AttrCertStoreSelector).FullName, " for ", typeof(PkixAttrCertPathBuilder).FullName, " class." })); } ICollection collection; try { collection = PkixCertPathValidatorUtilities.FindCertificates((X509AttrCertStoreSelector)targetConstraints, pkixParams.GetStores()); } catch (Exception exception) { throw new PkixCertPathBuilderException("Error finding target attribute certificate.", exception); } if (collection.Count == 0) { throw new PkixCertPathBuilderException("No attribute certificate found matching targetContraints."); } PkixCertPathBuilderResult pkixCertPathBuilderResult = null; foreach (IX509AttributeCertificate iX509AttributeCertificate in collection) { X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector(); X509Name[] principals = iX509AttributeCertificate.Issuer.GetPrincipals(); ISet set = new HashSet(); for (int i = 0; i < principals.Length; i++) { try { x509CertStoreSelector.Subject = principals[i]; set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores())); } catch (Exception exception2) { throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be searched.", exception2); } } if (set.IsEmpty) { throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be found."); } IList tbvPath = Platform.CreateArrayList(); foreach (X509Certificate tbvCert in set) { pkixCertPathBuilderResult = this.Build(iX509AttributeCertificate, tbvCert, pkixParams, tbvPath); if (pkixCertPathBuilderResult != null) { break; } } if (pkixCertPathBuilderResult != null) { break; } } if (pkixCertPathBuilderResult == null && this.certPathException != null) { throw new PkixCertPathBuilderException("Possible certificate chain could not be validated.", this.certPathException); } if (pkixCertPathBuilderResult == null && this.certPathException == null) { throw new PkixCertPathBuilderException("Unable to find certificate chain."); } return(pkixCertPathBuilderResult); }
internal static PkixCertPath ProcessAttrCert1(IX509AttributeCertificate attrCert, PkixParameters pkixParams) { PkixCertPathBuilderResult pkixCertPathBuilderResult = null; ISet set = new HashSet(); if (attrCert.Holder.GetIssuer() != null) { X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector(); x509CertStoreSelector.SerialNumber = attrCert.Holder.SerialNumber; X509Name[] issuer = attrCert.Holder.GetIssuer(); for (int i = 0; i < issuer.Length; i++) { try { x509CertStoreSelector.Issuer = issuer[i]; set.AddAll((global::System.Collections.IEnumerable)PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores())); } catch (global::System.Exception cause) { throw new PkixCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", cause); } } if (set.IsEmpty) { throw new PkixCertPathValidatorException("Public key certificate specified in base certificate ID for attribute certificate cannot be found."); } } if (attrCert.Holder.GetEntityNames() != null) { X509CertStoreSelector x509CertStoreSelector2 = new X509CertStoreSelector(); X509Name[] entityNames = attrCert.Holder.GetEntityNames(); for (int j = 0; j < entityNames.Length; j++) { try { x509CertStoreSelector2.Issuer = entityNames[j]; set.AddAll((global::System.Collections.IEnumerable)PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector2, pkixParams.GetStores())); } catch (global::System.Exception cause2) { throw new PkixCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", cause2); } } if (set.IsEmpty) { throw new PkixCertPathValidatorException("Public key certificate specified in entity name for attribute certificate cannot be found."); } } PkixBuilderParameters instance = PkixBuilderParameters.GetInstance(pkixParams); PkixCertPathValidatorException ex = null; global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)set).GetEnumerator(); try { while (enumerator.MoveNext()) { X509Certificate certificate = (X509Certificate)enumerator.get_Current(); X509CertStoreSelector x509CertStoreSelector3 = new X509CertStoreSelector(); x509CertStoreSelector3.Certificate = certificate; instance.SetTargetConstraints(x509CertStoreSelector3); PkixCertPathBuilder pkixCertPathBuilder = new PkixCertPathBuilder(); try { pkixCertPathBuilderResult = pkixCertPathBuilder.Build(PkixBuilderParameters.GetInstance(instance)); } catch (PkixCertPathBuilderException cause3) { ex = new PkixCertPathValidatorException("Certification path for public key certificate of attribute certificate could not be build.", cause3); } } } finally { global::System.IDisposable disposable = enumerator as global::System.IDisposable; if (disposable != null) { disposable.Dispose(); } } if (ex != null) { throw ex; } return(pkixCertPathBuilderResult.CertPath); }
PkixCertPath BuildCertPath(HashSet anchors, IX509Store certificates, IX509Store crls, X509Certificate certificate, DateTime? signingTime) { var intermediate = new X509CertificateStore (); foreach (X509Certificate cert in certificates.GetMatches (null)) intermediate.Add (cert); var selector = new X509CertStoreSelector (); selector.Certificate = certificate; var parameters = new PkixBuilderParameters (anchors, selector); parameters.AddStore (GetIntermediateCertificates ()); parameters.AddStore (intermediate); var localCrls = GetCertificateRevocationLists (); parameters.AddStore (localCrls); parameters.AddStore (crls); // Note: we disable revocation unless we actually have non-empty revocation lists parameters.IsRevocationEnabled = localCrls.GetMatches (null).Count > 0; parameters.ValidityModel = PkixParameters.ChainValidityModel; if (signingTime.HasValue) parameters.Date = new DateTimeObject (signingTime.Value); var result = new PkixCertPathBuilder ().Build (parameters); return result.CertPath; }
/** * Build and validate a CertPath using the given parameter. * * @param params PKIXBuilderParameters object containing all information to * build the CertPath */ public virtual PkixCertPathBuilderResult Build( PkixBuilderParameters pkixParams) { // search target certificates IX509Selector certSelect = pkixParams.GetTargetConstraints(); if (!(certSelect is X509AttrCertStoreSelector)) { throw new PkixCertPathBuilderException( "TargetConstraints must be an instance of " + typeof(X509AttrCertStoreSelector).FullName + " for " + typeof(PkixAttrCertPathBuilder).FullName + " class."); } ICollection targets; try { targets = PkixCertPathValidatorUtilities.FindCertificates( (X509AttrCertStoreSelector)certSelect, pkixParams.GetStores()); } catch (Exception e) { throw new PkixCertPathBuilderException("Error finding target attribute certificate.", e); } if (targets.Count == 0) { throw new PkixCertPathBuilderException( "No attribute certificate found matching targetContraints."); } PkixCertPathBuilderResult result = null; // check all potential target certificates foreach (IX509AttributeCertificate cert in targets) { X509CertStoreSelector selector = new X509CertStoreSelector(); X509Name[] principals = cert.Issuer.GetPrincipals(); ISet issuers = new HashSet(); for (int i = 0; i < principals.Length; i++) { try { selector.Subject = principals[i]; issuers.AddAll(PkixCertPathValidatorUtilities.FindCertificates(selector, pkixParams.GetStores())); } catch (Exception e) { throw new PkixCertPathBuilderException( "Public key certificate for attribute certificate cannot be searched.", e); } } if (issuers.IsEmpty) { throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be found."); } IList certPathList = Platform.CreateArrayList(); foreach (X509Certificate issuer in issuers) { result = Build(cert, issuer, pkixParams, certPathList); if (result != null) { break; } } if (result != null) { break; } } if (result == null && certPathException != null) { throw new PkixCertPathBuilderException( "Possible certificate chain could not be validated.", certPathException); } if (result == null && certPathException == null) { throw new PkixCertPathBuilderException( "Unable to find certificate chain."); } return(result); }
private void v0Test() { // create certificates and CRLs AsymmetricCipherKeyPair rootPair = TestUtilities.GenerateRsaKeyPair(); AsymmetricCipherKeyPair interPair = TestUtilities.GenerateRsaKeyPair(); AsymmetricCipherKeyPair endPair = TestUtilities.GenerateRsaKeyPair(); X509Certificate rootCert = TestUtilities.GenerateRootCert(rootPair); X509Certificate interCert = TestUtilities.GenerateIntermediateCert(interPair.Public, rootPair.Private, rootCert); X509Certificate endCert = TestUtilities.GenerateEndEntityCert(endPair.Public, interPair.Private, interCert); BigInteger revokedSerialNumber = BigInteger.Two; X509Crl rootCRL = TestUtilities.CreateCrl(rootCert, rootPair.Private, revokedSerialNumber); X509Crl interCRL = TestUtilities.CreateCrl(interCert, interPair.Private, revokedSerialNumber); // create CertStore to support path building IList certList = new ArrayList(); certList.Add(rootCert); certList.Add(interCert); certList.Add(endCert); IList crlList = new ArrayList(); crlList.Add(rootCRL); crlList.Add(interCRL); // CollectionCertStoreParameters parameters = new CollectionCertStoreParameters(list); // CertStore store = CertStore.getInstance("Collection", parameters); IX509Store x509CertStore = X509StoreFactory.Create( "Certificate/Collection", new X509CollectionStoreParameters(certList)); IX509Store x509CrlStore = X509StoreFactory.Create( "CRL/Collection", new X509CollectionStoreParameters(crlList)); ISet trust = new HashSet(); trust.Add(new TrustAnchor(rootCert, null)); // build the path // CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC"); PkixCertPathBuilder builder = new PkixCertPathBuilder(); X509CertStoreSelector pathConstraints = new X509CertStoreSelector(); pathConstraints.Subject = endCert.SubjectDN; PkixBuilderParameters buildParams = new PkixBuilderParameters(trust, pathConstraints); // buildParams.addCertStore(store); buildParams.AddStore(x509CertStore); buildParams.AddStore(x509CrlStore); buildParams.Date = new DateTimeObject(DateTime.UtcNow); PkixCertPathBuilderResult result = builder.Build(buildParams); PkixCertPath path = result.CertPath; if (path.Certificates.Count != 2) { Fail("wrong number of certs in v0Test path"); } }
/** * Makes a copy of this <code>PKIXParameters</code> object. Changes to the * copy will not affect the original and vice versa. * * @return a copy of this <code>PKIXParameters</code> object */ public override object Clone() { PkixBuilderParameters parameters = new PkixBuilderParameters( GetTrustAnchors(), GetTargetCertConstraints()); parameters.SetParams(this); return parameters; }