/**
* Find the issuer certificates of a given certificate.
*
* @param cert
* The certificate for which an issuer should be found.
* @param pkixParams
* @return A <code>Collection</code> object containing the issuer
* <code>X509Certificate</code>s. Never <code>null</code>.
*
* @exception Exception
* if an error occurs.
*/
internal static ICollection FindIssuerCerts(
X509Certificate cert,
PkixBuilderParameters pkixParams)
{
X509CertStoreSelector certSelect = new X509CertStoreSelector();
ISet certs = new HashSet();
try
{
certSelect.Subject = cert.IssuerDN;
}
catch (IOException ex)
{
throw new Exception(
"Subject criteria for certificate selector to find issuer certificate could not be set.", ex);
}
try
{
certs.AddAll(PkixCertPathValidatorUtilities.FindCertificates(certSelect, pkixParams.GetStores()));
certs.AddAll(PkixCertPathValidatorUtilities.FindCertificates(certSelect, pkixParams.GetAdditionalStores()));
}
catch (Exception e)
{
throw new Exception("Issuer certificate cannot be searched.", e);
}
return(certs);
}
public static PkixBuilderParameters GetInstance(PkixParameters pkixParams)
{
PkixBuilderParameters pkixBuilderParameters = new PkixBuilderParameters(pkixParams.GetTrustAnchors(), new X509CertStoreSelector(pkixParams.GetTargetCertConstraints()));
pkixBuilderParameters.SetParams(pkixParams);
return(pkixBuilderParameters);
}
public override object Clone()
{
PkixBuilderParameters pkixBuilderParameters = new PkixBuilderParameters(GetTrustAnchors(), GetTargetCertConstraints());
pkixBuilderParameters.SetParams(this);
return(pkixBuilderParameters);
}
/**
* Build and validate a CertPath using the given parameter.
*
* @param params PKIXBuilderParameters object containing all information to
* build the CertPath
*/
public virtual PkixCertPathBuilderResult Build(
PkixBuilderParameters pkixParams)
{
// search target certificates
IX509Selector certSelect = pkixParams.GetTargetCertConstraints();
if (!(certSelect is X509CertStoreSelector))
{
throw new PkixCertPathBuilderException(
"TargetConstraints must be an instance of "
+ typeof(X509CertStoreSelector).FullName + " for "
+ this.GetType() + " class.");
}
ISet targets = new HashSet();
try
{
targets.AddAll(PkixCertPathValidatorUtilities.FindCertificates((X509CertStoreSelector)certSelect, pkixParams.GetStores()));
// TODO Should this include an entry for pkixParams.GetAdditionalStores() too?
}
catch (Exception e)
{
throw new PkixCertPathBuilderException(
"Error finding target certificate.", e);
}
if (targets.IsEmpty)
{
throw new PkixCertPathBuilderException("No certificate found matching targetContraints.");
}
PkixCertPathBuilderResult result = null;
IList certPathList = new ArrayList();
// check all potential target certificates
foreach (X509Certificate cert in targets)
{
result = Build(cert, pkixParams, certPathList);
if (result != null)
{
break;
}
}
if (result == null && certPathException != null)
{
throw new PkixCertPathBuilderException(certPathException.Message, certPathException.InnerException);
}
if (result == null && certPathException == null)
{
throw new PkixCertPathBuilderException("Unable to find certificate chain.");
}
return(result);
}
/**
* Returns an instance of <code>PkixBuilderParameters</code>.
* <p>
* This method can be used to get a copy from other
* <code>PKIXBuilderParameters</code>, <code>PKIXParameters</code>,
* and <code>ExtendedPKIXParameters</code> instances.
* </p>
*
* @param pkixParams The PKIX parameters to create a copy of.
* @return An <code>PkixBuilderParameters</code> instance.
*/
public static PkixBuilderParameters GetInstance(
PkixParameters pkixParams)
{
PkixBuilderParameters parameters = new PkixBuilderParameters(
pkixParams.GetTrustAnchors(),
new X509CertStoreSelector(pkixParams.GetTargetCertConstraints()));
parameters.SetParams(pkixParams);
return parameters;
}
private void baseTest()
{
// CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
X509CertificateParser certParser = new X509CertificateParser();
X509CrlParser crlParser = new X509CrlParser();
// initialise CertStore
X509Certificate rootCert = certParser.ReadCertificate(CertPathTest.rootCertBin);
X509Certificate interCert = certParser.ReadCertificate(CertPathTest.interCertBin);
X509Certificate finalCert = certParser.ReadCertificate(CertPathTest.finalCertBin);
X509Crl rootCrl = crlParser.ReadCrl(CertPathTest.rootCrlBin);
X509Crl interCrl = crlParser.ReadCrl(CertPathTest.interCrlBin);
IList certList = new ArrayList();
certList.Add(rootCert);
certList.Add(interCert);
certList.Add(finalCert);
IList crlList = new ArrayList();
crlList.Add(rootCrl);
crlList.Add(interCrl);
// CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list);
// CertStore store = CertStore.getInstance("Collection", ccsp, "BC");
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(certList));
IX509Store x509CrlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(crlList));
// NB: Month is 1-based in .NET
//DateTime validDate = new DateTime(2008, 9, 4, 14, 49, 10).ToUniversalTime();
DateTime validDate = new DateTime(2008, 9, 4, 5, 49, 10);//.ToUniversalTime();
//Searching for rootCert by subjectDN without CRL
ISet trust = new HashSet();
trust.Add(new TrustAnchor(rootCert, null));
// CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX","BC");
PkixCertPathBuilder cpb = new PkixCertPathBuilder();
X509CertStoreSelector targetConstraints = new X509CertStoreSelector();
targetConstraints.Subject = finalCert.SubjectDN;
PkixBuilderParameters parameters = new PkixBuilderParameters(trust, targetConstraints);
// parameters.addCertStore(store);
parameters.AddStore(x509CertStore);
parameters.AddStore(x509CrlStore);
parameters.Date = new DateTimeObject(validDate);
PkixCertPathBuilderResult result = cpb.Build(parameters);
PkixCertPath path = result.CertPath;
if (path.Certificates.Count != 2)
{
Fail("wrong number of certs in baseTest path");
}
}
protected override void SetParams(PkixParameters parameters)
{
base.SetParams(parameters);
if (parameters is PkixBuilderParameters)
{
PkixBuilderParameters pkixBuilderParameters = (PkixBuilderParameters)parameters;
maxPathLength = pkixBuilderParameters.maxPathLength;
excludedCerts = new HashSet(pkixBuilderParameters.excludedCerts);
}
}
/**
* Build and validate a CertPath using the given parameter.
*
* @param params PKIXBuilderParameters object containing all information to
* build the CertPath
*/
public virtual PkixCertPathBuilderResult Build(
PkixBuilderParameters pkixParams)
{
// search target certificates
IX509Selector certSelect = pkixParams.GetTargetCertConstraints();
if (!(certSelect is X509CertStoreSelector))
{
throw new PkixCertPathBuilderException(
"TargetConstraints must be an instance of "
+ typeof(X509CertStoreSelector).FullName + " for "
+ this.GetType() + " class.");
}
ISet targets = new HashSet();
try
{
targets.AddAll(PkixCertPathValidatorUtilities.FindCertificates((X509CertStoreSelector)certSelect, pkixParams.GetStores()));
// TODO Should this include an entry for pkixParams.GetAdditionalStores() too?
}
catch (Exception e)
{
throw new PkixCertPathBuilderException(
"Error finding target certificate.", e);
}
if (targets.IsEmpty)
throw new PkixCertPathBuilderException("No certificate found matching targetContraints.");
PkixCertPathBuilderResult result = null;
IList certPathList = Platform.CreateArrayList();
// check all potential target certificates
foreach (X509Certificate cert in targets)
{
result = Build(cert, pkixParams, certPathList);
if (result != null)
break;
}
if (result == null && certPathException != null)
{
throw new PkixCertPathBuilderException(certPathException.Message, certPathException.InnerException);
}
if (result == null && certPathException == null)
{
throw new PkixCertPathBuilderException("Unable to find certificate chain.");
}
return result;
}
public virtual PkixCertPathBuilderResult Build(PkixBuilderParameters pkixParams)
{
IX509Selector targetCertConstraints = pkixParams.GetTargetCertConstraints();
if (!(targetCertConstraints is X509CertStoreSelector))
{
throw new PkixCertPathBuilderException(string.Concat(new object[]
{
"TargetConstraints must be an instance of ",
typeof(X509CertStoreSelector).FullName,
" for ",
base.GetType(),
" class."
}));
}
ISet set = new HashSet();
try
{
set.AddAll(PkixCertPathValidatorUtilities.FindCertificates((X509CertStoreSelector)targetCertConstraints, pkixParams.GetStores()));
}
catch (Exception exception)
{
throw new PkixCertPathBuilderException("Error finding target certificate.", exception);
}
if (set.IsEmpty)
{
throw new PkixCertPathBuilderException("No certificate found matching targetContraints.");
}
PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
IList tbvPath = Platform.CreateArrayList();
foreach (X509Certificate tbvCert in set)
{
pkixCertPathBuilderResult = this.Build(tbvCert, pkixParams, tbvPath);
if (pkixCertPathBuilderResult != null)
{
break;
}
}
if (pkixCertPathBuilderResult == null && this.certPathException != null)
{
throw new PkixCertPathBuilderException(this.certPathException.Message, this.certPathException.InnerException);
}
if (pkixCertPathBuilderResult == null && this.certPathException == null)
{
throw new PkixCertPathBuilderException("Unable to find certificate chain.");
}
return(pkixCertPathBuilderResult);
}
internal static ICollection FindIssuerCerts(X509Certificate cert, PkixBuilderParameters pkixParams)
{
X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector();
ISet set = new HashSet();
try
{
x509CertStoreSelector.Subject = cert.IssuerDN;
}
catch (IOException innerException)
{
throw new Exception("Subject criteria for certificate selector to find issuer certificate could not be set.", innerException);
}
try
{
set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores()));
set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetAdditionalStores()));
}
catch (Exception innerException2)
{
throw new Exception("Issuer certificate cannot be searched.", innerException2);
}
return(set);
}
/**
* Build and validate a CertPath using the given parameter.
*
* @param params PKIXBuilderParameters object containing all information to
* build the CertPath
*/
public virtual PkixCertPathBuilderResult Build(
PkixBuilderParameters pkixParams)
{
// search target certificates
IX509Selector certSelect = pkixParams.GetTargetConstraints();
if (!(certSelect is X509AttrCertStoreSelector))
{
throw new PkixCertPathBuilderException(
"TargetConstraints must be an instance of "
+ typeof(X509AttrCertStoreSelector).FullName
+ " for "
+ typeof(PkixAttrCertPathBuilder).FullName + " class.");
}
ICollection targets;
try
{
targets = PkixCertPathValidatorUtilities.FindCertificates(
(X509AttrCertStoreSelector)certSelect, pkixParams.GetStores());
}
catch (Exception e)
{
throw new PkixCertPathBuilderException("Error finding target attribute certificate.", e);
}
if (targets.Count == 0)
{
throw new PkixCertPathBuilderException(
"No attribute certificate found matching targetContraints.");
}
PkixCertPathBuilderResult result = null;
// check all potential target certificates
foreach (IX509AttributeCertificate cert in targets)
{
X509CertStoreSelector selector = new X509CertStoreSelector();
X509Name[] principals = cert.Issuer.GetPrincipals();
ISet issuers = new HashSet();
for (int i = 0; i < principals.Length; i++)
{
try
{
selector.Subject = principals[i];
issuers.AddAll(PkixCertPathValidatorUtilities.FindCertificates(selector, pkixParams.GetStores()));
}
catch (Exception e)
{
throw new PkixCertPathBuilderException(
"Public key certificate for attribute certificate cannot be searched.",
e);
}
}
if (issuers.IsEmpty)
throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be found.");
IList certPathList = Platform.CreateArrayList();
foreach (X509Certificate issuer in issuers)
{
result = Build(cert, issuer, pkixParams, certPathList);
if (result != null)
break;
}
if (result != null)
break;
}
if (result == null && certPathException != null)
{
throw new PkixCertPathBuilderException(
"Possible certificate chain could not be validated.",
certPathException);
}
if (result == null && certPathException == null)
{
throw new PkixCertPathBuilderException(
"Unable to find certificate chain.");
}
return result;
}
private PkixCertPathBuilderResult Build(
IX509AttributeCertificate attrCert,
X509Certificate tbvCert,
PkixBuilderParameters pkixParams,
IList tbvPath)
{
// If tbvCert is readily present in tbvPath, it indicates having run
// into a cycle in the
// PKI graph.
if (tbvPath.Contains(tbvCert))
return null;
// step out, the certificate is not allowed to appear in a certification
// chain
if (pkixParams.GetExcludedCerts().Contains(tbvCert))
return null;
// test if certificate path exceeds maximum length
if (pkixParams.MaxPathLength != -1)
{
if (tbvPath.Count - 1 > pkixParams.MaxPathLength)
return null;
}
tbvPath.Add(tbvCert);
PkixCertPathBuilderResult builderResult = null;
// X509CertificateParser certParser = new X509CertificateParser();
PkixAttrCertPathValidator validator = new PkixAttrCertPathValidator();
try
{
// check whether the issuer of <tbvCert> is a TrustAnchor
if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
{
PkixCertPath certPath = new PkixCertPath(tbvPath);
PkixCertPathValidatorResult result;
try
{
result = validator.Validate(certPath, pkixParams);
}
catch (Exception e)
{
throw new Exception("Certification path could not be validated.", e);
}
return new PkixCertPathBuilderResult(certPath, result.TrustAnchor,
result.PolicyTree, result.SubjectPublicKey);
}
else
{
// add additional X.509 stores from locations in certificate
try
{
PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams);
}
catch (CertificateParsingException e)
{
throw new Exception("No additional X.509 stores can be added from certificate locations.", e);
}
// try to get the issuer certificate from one of the stores
ISet issuers = new HashSet();
try
{
issuers.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
}
catch (Exception e)
{
throw new Exception("Cannot find issuer certificate for certificate in certification path.", e);
}
if (issuers.IsEmpty)
throw new Exception("No issuer certificate for certificate in certification path found.");
foreach (X509Certificate issuer in issuers)
{
// if untrusted self signed certificate continue
if (PkixCertPathValidatorUtilities.IsSelfIssued(issuer))
continue;
builderResult = Build(attrCert, issuer, pkixParams, tbvPath);
if (builderResult != null)
break;
}
}
}
catch (Exception e)
{
certPathException = new Exception("No valid certification path could be build.", e);
}
if (builderResult == null)
{
tbvPath.Remove(tbvCert);
}
return builderResult;
}
private void doTestExceptions()
{
byte[] enc = { (byte)0, (byte)2, (byte)3, (byte)4, (byte)5 };
// MyCertPath mc = new MyCertPath(enc);
MemoryStream os = new MemoryStream();
MemoryStream ins;
byte[] arr;
// TODO Support serialization of cert paths?
// ObjectOutputStream oos = new ObjectOutputStream(os);
// oos.WriteObject(mc);
// oos.Flush();
// oos.Close();
try
{
// CertificateFactory cFac = CertificateFactory.GetInstance("X.509");
arr = os.ToArray();
ins = new MemoryStream(arr, false);
// cFac.generateCertPath(ins);
new PkixCertPath(ins);
}
catch (CertificateException)
{
// ignore okay
}
// CertificateFactory cf = CertificateFactory.GetInstance("X.509");
X509CertificateParser cf = new X509CertificateParser();
IList certCol = new ArrayList();
certCol.Add(cf.ReadCertificate(certA));
certCol.Add(cf.ReadCertificate(certB));
certCol.Add(cf.ReadCertificate(certC));
certCol.Add(cf.ReadCertificate(certD));
// CertPathBuilder pathBuilder = CertPathBuilder.GetInstance("PKIX");
PkixCertPathBuilder pathBuilder = new PkixCertPathBuilder();
X509CertStoreSelector select = new X509CertStoreSelector();
select.Subject = ((X509Certificate)certCol[0]).SubjectDN;
ISet trustanchors = new HashSet();
trustanchors.Add(new TrustAnchor(cf.ReadCertificate(rootCertBin), null));
// CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certCol));
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(certCol));
PkixBuilderParameters parameters = new PkixBuilderParameters(trustanchors, select);
parameters.AddStore(x509CertStore);
try
{
PkixCertPathBuilderResult result = pathBuilder.Build(parameters);
PkixCertPath path = result.CertPath;
Fail("found cert path in circular set");
}
catch (PkixCertPathBuilderException)
{
// expected
}
}
//jbonilla - Por algún motivo, no devuleve el certificado root.
public static X509Certificate[] BuildCertificateChainBC(X509Certificate checkCert, ICollection<X509Certificate> keystore)
{
PkixCertPathBuilder builder = new PkixCertPathBuilder();
// Separate root from itermediate
List<X509Certificate> intermediateCerts = new List<X509Certificate>();
HashSet rootCerts = new HashSet();
foreach (X509Certificate cert in keystore)
{
// Separate root and subordinate certificates
if (IsSelfSigned(cert))
rootCerts.Add(new TrustAnchor(cert, null));
else
intermediateCerts.Add(cert);
}
// Create chain for this certificate
X509CertStoreSelector holder = new X509CertStoreSelector();
holder.Certificate = checkCert;
// WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN
intermediateCerts.Add(holder.Certificate);
PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder);
builderParams.IsRevocationEnabled = false;
X509CollectionStoreParameters intermediateStoreParameters =
new X509CollectionStoreParameters(intermediateCerts);
builderParams.AddStore(X509StoreFactory.Create(
"Certificate/Collection", intermediateStoreParameters));
PkixCertPathBuilderResult result = builder.Build(builderParams);
List<X509Certificate> chain = new List<X509Certificate>();
foreach(X509Certificate cert in result.CertPath.Certificates)
{
chain.Add(cert);
}
return chain.ToArray();
}
private PkixCertPathBuilderResult Build(IX509AttributeCertificate attrCert, X509Certificate tbvCert, PkixBuilderParameters pkixParams, IList tbvPath)
{
if (tbvPath.Contains(tbvCert))
{
return(null);
}
if (pkixParams.GetExcludedCerts().Contains(tbvCert))
{
return(null);
}
if (pkixParams.MaxPathLength != -1 && tbvPath.Count - 1 > pkixParams.MaxPathLength)
{
return(null);
}
tbvPath.Add(tbvCert);
PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
PkixAttrCertPathValidator pkixAttrCertPathValidator = new PkixAttrCertPathValidator();
try
{
if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
{
PkixCertPath certPath = new PkixCertPath(tbvPath);
PkixCertPathValidatorResult pkixCertPathValidatorResult;
try
{
pkixCertPathValidatorResult = pkixAttrCertPathValidator.Validate(certPath, pkixParams);
}
catch (Exception innerException)
{
throw new Exception("Certification path could not be validated.", innerException);
}
return(new PkixCertPathBuilderResult(certPath, pkixCertPathValidatorResult.TrustAnchor, pkixCertPathValidatorResult.PolicyTree, pkixCertPathValidatorResult.SubjectPublicKey));
}
try
{
PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams);
}
catch (CertificateParsingException innerException2)
{
throw new Exception("No additional X.509 stores can be added from certificate locations.", innerException2);
}
ISet set = new HashSet();
try
{
set.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
}
catch (Exception innerException3)
{
throw new Exception("Cannot find issuer certificate for certificate in certification path.", innerException3);
}
if (set.IsEmpty)
{
throw new Exception("No issuer certificate for certificate in certification path found.");
}
foreach (X509Certificate x509Certificate in set)
{
if (!PkixCertPathValidatorUtilities.IsSelfIssued(x509Certificate))
{
pkixCertPathBuilderResult = this.Build(attrCert, x509Certificate, pkixParams, tbvPath);
if (pkixCertPathBuilderResult != null)
{
break;
}
}
}
}
catch (Exception innerException4)
{
this.certPathException = new Exception("No valid certification path could be build.", innerException4);
}
if (pkixCertPathBuilderResult == null)
{
tbvPath.Remove(tbvCert);
}
return(pkixCertPathBuilderResult);
}
/**
* Searches for a holder public key certificate and verifies its
* certification path.
*
* @param attrCert the attribute certificate.
* @param pkixParams The PKIX parameters.
* @return The certificate path of the holder certificate.
* @throws Exception if
* <ul>
* <li>no public key certificate can be found although holder
* information is given by an entity name or a base certificate
* ID</li>
* <li>support classes cannot be created</li>
* <li>no certification path for the public key certificate can
* be built</li>
* </ul>
*/
internal static PkixCertPath ProcessAttrCert1(
IX509AttributeCertificate attrCert,
PkixParameters pkixParams)
{
PkixCertPathBuilderResult result = null;
// find holder PKCs
ISet holderPKCs = new HashSet();
if (attrCert.Holder.GetIssuer() != null)
{
X509CertStoreSelector selector = new X509CertStoreSelector();
selector.SerialNumber = attrCert.Holder.SerialNumber;
X509Name[] principals = attrCert.Holder.GetIssuer();
for (int i = 0; i < principals.Length; i++)
{
try
{
// if (principals[i] is X500Principal)
{
selector.Issuer = principals[i];
}
holderPKCs.AddAll(PkixCertPathValidatorUtilities
.FindCertificates(selector, pkixParams.GetStores()));
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Public key certificate for attribute certificate cannot be searched.",
e);
}
}
if (holderPKCs.IsEmpty)
{
throw new PkixCertPathValidatorException(
"Public key certificate specified in base certificate ID for attribute certificate cannot be found.");
}
}
if (attrCert.Holder.GetEntityNames() != null)
{
X509CertStoreSelector selector = new X509CertStoreSelector();
X509Name[] principals = attrCert.Holder.GetEntityNames();
for (int i = 0; i < principals.Length; i++)
{
try
{
// if (principals[i] is X500Principal)
{
selector.Issuer = principals[i];
}
holderPKCs.AddAll(PkixCertPathValidatorUtilities
.FindCertificates(selector, pkixParams.GetStores()));
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Public key certificate for attribute certificate cannot be searched.",
e);
}
}
if (holderPKCs.IsEmpty)
{
throw new PkixCertPathValidatorException(
"Public key certificate specified in entity name for attribute certificate cannot be found.");
}
}
// verify cert paths for PKCs
PkixBuilderParameters parameters = (PkixBuilderParameters)
PkixBuilderParameters.GetInstance(pkixParams);
PkixCertPathValidatorException lastException = null;
foreach (X509Certificate cert in holderPKCs)
{
X509CertStoreSelector selector = new X509CertStoreSelector();
selector.Certificate = cert;
parameters.SetTargetConstraints(selector);
PkixCertPathBuilder builder = new PkixCertPathBuilder();
try
{
result = builder.Build(PkixBuilderParameters.GetInstance(parameters));
}
catch (PkixCertPathBuilderException e)
{
lastException = new PkixCertPathValidatorException(
"Certification path for public key certificate of attribute certificate could not be build.",
e);
}
}
if (lastException != null)
{
throw lastException;
}
return(result.CertPath);
}
protected virtual PkixCertPathBuilderResult Build(
X509Certificate tbvCert,
PkixBuilderParameters pkixParams,
IList tbvPath)
{
// If tbvCert is readily present in tbvPath, it indicates having run
// into a cycle in the PKI graph.
if (tbvPath.Contains(tbvCert))
{
return(null);
}
// step out, the certificate is not allowed to appear in a certification
// chain.
if (pkixParams.GetExcludedCerts().Contains(tbvCert))
{
return(null);
}
// test if certificate path exceeds maximum length
if (pkixParams.MaxPathLength != -1)
{
if (tbvPath.Count - 1 > pkixParams.MaxPathLength)
{
return(null);
}
}
tbvPath.Add(tbvCert);
X509CertificateParser certParser = new X509CertificateParser();
PkixCertPathBuilderResult builderResult = null;
PkixCertPathValidator validator = new PkixCertPathValidator();
try
{
// check whether the issuer of <tbvCert> is a TrustAnchor
if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
{
// exception message from possibly later tried certification
// chains
PkixCertPath certPath = null;
try
{
certPath = new PkixCertPath(tbvPath);
}
catch (Exception e)
{
throw new Exception(
"Certification path could not be constructed from certificate list.",
e);
}
PkixCertPathValidatorResult result = null;
try
{
result = (PkixCertPathValidatorResult)validator.Validate(
certPath, pkixParams);
}
catch (Exception e)
{
throw new Exception(
"Certification path could not be validated.", e);
}
return(new PkixCertPathBuilderResult(certPath, result.TrustAnchor,
result.PolicyTree, result.SubjectPublicKey));
}
else
{
// add additional X.509 stores from locations in certificate
try
{
PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(
tbvCert, pkixParams);
}
catch (CertificateParsingException e)
{
throw new Exception(
"No additiontal X.509 stores can be added from certificate locations.",
e);
}
// try to get the issuer certificate from one of the stores
HashSet issuers = new HashSet();
try
{
issuers.AddAll(PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
}
catch (Exception e)
{
throw new Exception(
"Cannot find issuer certificate for certificate in certification path.",
e);
}
if (issuers.IsEmpty)
{
throw new Exception("No issuer certificate for certificate in certification path found.");
}
foreach (X509Certificate issuer in issuers)
{
builderResult = Build(issuer, pkixParams, tbvPath);
if (builderResult != null)
{
break;
}
}
}
}
catch (Exception e)
{
certPathException = e;
}
if (builderResult == null)
{
tbvPath.Remove(tbvCert);
}
return(builderResult);
}
private string TestPolicies(
int index,
X509Certificate trustCert,
X509Certificate intCert,
X509Certificate endCert,
ISet requirePolicies,
bool okay)
{
ISet trust = new HashSet();
trust.Add(new TrustAnchor(trustCert, null));
X509CertStoreSelector targetConstraints = new X509CertStoreSelector();
targetConstraints.Subject = endCert.SubjectDN;
PkixBuilderParameters pbParams = new PkixBuilderParameters(trust, targetConstraints);
ISet certs = new HashSet();
certs.Add(intCert);
certs.Add(endCert);
IX509Store store = X509StoreFactory.Create(
"CERTIFICATE/COLLECTION",
new X509CollectionStoreParameters(certs));
pbParams.AddStore(store);
pbParams.IsRevocationEnabled = false;
if (requirePolicies != null)
{
pbParams.IsExplicitPolicyRequired = true;
pbParams.SetInitialPolicies(requirePolicies);
}
// CertPathBuilder cpb = CertPathBuilder.GetInstance("PKIX");
PkixCertPathBuilder cpb = new PkixCertPathBuilder();
PkixCertPathBuilderResult result = null;
try
{
result = (PkixCertPathBuilderResult)cpb.Build(pbParams);
if (!okay)
{
Fail(index + ": path validated when failure expected.");
}
// if (result.getPolicyTree() != null)
// {
// Console.WriteLine("OK");
// Console.WriteLine("policy: " + result.getPolicyTree());
// }
// else
// {
// Console.WriteLine("OK: policy tree = null");
// }
return "";
}
catch (TestFailedException e)
{
throw e;
}
catch (Exception e)
{
if (okay)
{
Fail(index + ": path failed to validate when success expected.");
}
Exception ee = e.InnerException;
if (ee != null)
{
return ee.Message;
}
return e.Message;
}
}
public virtual PkixCertPathBuilderResult Build(PkixBuilderParameters pkixParams)
{
IX509Selector targetCertConstraints = pkixParams.GetTargetCertConstraints();
if (!(targetCertConstraints is X509CertStoreSelector))
{
throw new PkixCertPathBuilderException(string.Concat(new string[5]
{
"TargetConstraints must be an instance of ",
typeof(X509CertStoreSelector).get_FullName(),
" for ",
Platform.GetTypeName(this),
" class."
}));
}
ISet set = new HashSet();
try
{
set.AddAll((global::System.Collections.IEnumerable)PkixCertPathValidatorUtilities.FindCertificates((X509CertStoreSelector)targetCertConstraints, pkixParams.GetStores()));
}
catch (global::System.Exception exception)
{
throw new PkixCertPathBuilderException("Error finding target certificate.", exception);
}
if (set.IsEmpty)
{
throw new PkixCertPathBuilderException("No certificate found matching targetContraints.");
}
PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
global::System.Collections.IList tbvPath = Platform.CreateArrayList();
global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)set).GetEnumerator();
try
{
while (enumerator.MoveNext())
{
X509Certificate tbvCert = (X509Certificate)enumerator.get_Current();
pkixCertPathBuilderResult = Build(tbvCert, pkixParams, tbvPath);
if (pkixCertPathBuilderResult != null)
{
break;
}
}
}
finally
{
global::System.IDisposable disposable = enumerator as global::System.IDisposable;
if (disposable != null)
{
disposable.Dispose();
}
}
if (pkixCertPathBuilderResult == null && certPathException != null)
{
throw new PkixCertPathBuilderException(certPathException.get_Message(), certPathException.get_InnerException());
}
if (pkixCertPathBuilderResult == null && certPathException == null)
{
throw new PkixCertPathBuilderException("Unable to find certificate chain.");
}
return(pkixCertPathBuilderResult);
}
internal static PkixCertPath ProcessAttrCert1(IX509AttributeCertificate attrCert, PkixParameters pkixParams)
{
PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
ISet set = new HashSet();
if (attrCert.Holder.GetIssuer() != null)
{
X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector();
x509CertStoreSelector.SerialNumber = attrCert.Holder.SerialNumber;
X509Name[] issuer = attrCert.Holder.GetIssuer();
for (int i = 0; i < issuer.Length; i++)
{
try
{
x509CertStoreSelector.Issuer = issuer[i];
set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores()));
}
catch (Exception cause)
{
throw new PkixCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", cause);
}
}
if (set.IsEmpty)
{
throw new PkixCertPathValidatorException("Public key certificate specified in base certificate ID for attribute certificate cannot be found.");
}
}
if (attrCert.Holder.GetEntityNames() != null)
{
X509CertStoreSelector x509CertStoreSelector2 = new X509CertStoreSelector();
X509Name[] entityNames = attrCert.Holder.GetEntityNames();
for (int j = 0; j < entityNames.Length; j++)
{
try
{
x509CertStoreSelector2.Issuer = entityNames[j];
set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector2, pkixParams.GetStores()));
}
catch (Exception cause2)
{
throw new PkixCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", cause2);
}
}
if (set.IsEmpty)
{
throw new PkixCertPathValidatorException("Public key certificate specified in entity name for attribute certificate cannot be found.");
}
}
PkixBuilderParameters instance = PkixBuilderParameters.GetInstance(pkixParams);
PkixCertPathValidatorException ex = null;
foreach (X509Certificate certificate in set)
{
instance.SetTargetConstraints(new X509CertStoreSelector
{
Certificate = certificate
});
PkixCertPathBuilder pkixCertPathBuilder = new PkixCertPathBuilder();
try
{
pkixCertPathBuilderResult = pkixCertPathBuilder.Build(PkixBuilderParameters.GetInstance(instance));
}
catch (PkixCertPathBuilderException cause3)
{
ex = new PkixCertPathValidatorException("Certification path for public key certificate of attribute certificate could not be build.", cause3);
}
}
if (ex != null)
{
throw ex;
}
return(pkixCertPathBuilderResult.CertPath);
}
/// <summary>
/// Builds certification path for provided signing certificate
/// </summary>
/// <param name="signingCertificate">Signing certificate</param>
/// <param name="otherCertificates">Other certificates that should be used in path building process. Self-signed certificates from this list are used as trust anchors.</param>
/// <param name="includeRoot">Flag indicating whether root certificate should be included int the certification path.</param>
/// <returns>Certification path for provided signing certificate</returns>
public static ICollection<BCX509.X509Certificate> BuildCertPath(byte[] signingCertificate, List<byte[]> otherCertificates, bool includeRoot)
{
if (signingCertificate == null)
throw new ArgumentNullException("signingCertificate");
List<BCX509.X509Certificate> result = new List<BCX509.X509Certificate>();
BCX509.X509Certificate signingCert = ToBouncyCastleObject(signingCertificate);
BCCollections.ISet trustAnchors = new BCCollections.HashSet();
List<BCX509.X509Certificate> otherCerts = new List<BCX509.X509Certificate>();
if (IsSelfSigned(signingCert))
{
if (includeRoot)
result.Add(signingCert);
}
else
{
otherCerts.Add(signingCert);
if (otherCertificates != null)
{
foreach (byte[] otherCertificate in otherCertificates)
{
BCX509.X509Certificate otherCert = ToBouncyCastleObject(otherCertificate);
otherCerts.Add(ToBouncyCastleObject(otherCertificate));
if (IsSelfSigned(otherCert))
trustAnchors.Add(new TrustAnchor(otherCert, null));
}
}
if (trustAnchors.Count < 1)
throw new PkixCertPathBuilderException("Provided certificates do not contain self-signed root certificate");
X509CertStoreSelector targetConstraints = new X509CertStoreSelector();
targetConstraints.Certificate = signingCert;
PkixBuilderParameters certPathBuilderParameters = new PkixBuilderParameters(trustAnchors, targetConstraints);
certPathBuilderParameters.AddStore(X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(otherCerts)));
certPathBuilderParameters.IsRevocationEnabled = false;
PkixCertPathBuilder certPathBuilder = new PkixCertPathBuilder();
PkixCertPathBuilderResult certPathBuilderResult = certPathBuilder.Build(certPathBuilderParameters);
foreach (BCX509.X509Certificate certPathCert in certPathBuilderResult.CertPath.Certificates)
result.Add(certPathCert);
if (includeRoot)
result.Add(certPathBuilderResult.TrustAnchor.TrustedCert);
}
return result;
}
private static IReadOnlyCollection<X509Certificate> GetChain([NotNull] X509Certificate cert, [CanBeNull] IReadOnlyList<X509Certificate> certs)
{
var certList = new List<X509Certificate>();
if (certs != null)
certList.AddRange(certs);
certList.Add(cert);
var certStore = X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(certList));
var rootCerts = certs.Where(IsSelfSigned).ToList();
var trustAnchors = rootCerts.Select(x => new TrustAnchor(x, null));
var trust = new HashSet(trustAnchors);
var cpb = new PkixCertPathBuilder();
var targetConstraints = new X509CertStoreSelector()
{
Certificate = cert,
};
var parameters = new PkixBuilderParameters(trust, targetConstraints)
{
IsRevocationEnabled = false,
};
parameters.AddStore(certStore);
var cpbResult = cpb.Build(parameters);
var result = new List<X509Certificate>();
result.AddRange(cpbResult.CertPath.Certificates.Cast<X509Certificate>());
result.Add(cpbResult.TrustAnchor.TrustedCert);
return result;
}
private void Test(string _name, string[] _data, ISet _ipolset,
bool _explicit, bool _accept, bool _debug)
{
testCount++;
bool _pass = true;
try
{
// CertPathBuilder _cpb = CertPathBuilder.GetInstance("PKIX");
PkixCertPathBuilder _cpb = new PkixCertPathBuilder();
X509Certificate _ee = DecodeCertificate(_data[_data.Length - 1]);
X509CertStoreSelector _select = new X509CertStoreSelector();
_select.Subject = _ee.SubjectDN;
IX509Store certStore, crlStore;
MakeCertStore(_data, out certStore, out crlStore);
PkixBuilderParameters _param = new PkixBuilderParameters(
trustedSet, _select);
_param.IsExplicitPolicyRequired = _explicit;
_param.AddStore(certStore);
_param.AddStore(crlStore);
_param.IsRevocationEnabled = true;
if (_ipolset != null)
{
_param.SetInitialPolicies(_ipolset);
}
PkixCertPathBuilderResult _result = _cpb.Build(_param);
if (!_accept)
{
_pass = false;
testFail.Add(_name);
}
}
catch (Exception)
{
if (_accept)
{
_pass = false;
testFail.Add(_name);
}
}
resultBuf.Append("NISTCertPathTest -- ").Append(_name).Append(": ")
.Append(_pass ? "\n" : "Failed.\n");
}
static IEnumerable<Org.BouncyCastle.X509.X509Certificate> BuildCertificateChainBC(byte[] primary, IEnumerable<byte[]> additional)
{
X509CertificateParser parser = new X509CertificateParser();
PkixCertPathBuilder builder = new PkixCertPathBuilder();
// Separate root from itermediate
var intermediateCerts = new List<Org.BouncyCastle.X509.X509Certificate>();
HashSet rootCerts = new HashSet();
foreach (byte[] cert in additional)
{
var x509Cert = parser.ReadCertificate(cert);
// Separate root and subordinate certificates
if (x509Cert.IssuerDN.Equivalent(x509Cert.SubjectDN))
rootCerts.Add(new TrustAnchor(x509Cert, null));
else
intermediateCerts.Add(x509Cert);
}
// Create chain for this certificate
X509CertStoreSelector holder = new X509CertStoreSelector();
holder.Certificate = parser.ReadCertificate(primary);
// WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN
intermediateCerts.Add(holder.Certificate);
PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder);
builderParams.IsRevocationEnabled = false;
X509CollectionStoreParameters intermediateStoreParameters =
new X509CollectionStoreParameters(intermediateCerts);
builderParams.AddStore(X509StoreFactory.Create(
"Certificate/Collection", intermediateStoreParameters));
PkixCertPathBuilderResult result = builder.Build(builderParams);
return result.CertPath.Certificates.Cast<Org.BouncyCastle.X509.X509Certificate>();
}
private PkixCertPathBuilderResult doBuilderTest(
string trustAnchor,
string[] certs,
string[] crls,
ISet initialPolicies,
bool policyMappingInhibited,
bool anyPolicyInhibited)
{
ISet trustedSet = new HashSet();
trustedSet.Add(GetTrustAnchor(trustAnchor));
IList x509Certs = new ArrayList();
IList x509Crls = new ArrayList();
X509Certificate endCert = LoadCert(certs[certs.Length - 1]);
for (int i = 0; i != certs.Length - 1; i++)
{
x509Certs.Add(LoadCert(certs[i]));
}
x509Certs.Add(endCert);
for (int i = 0; i != crls.Length; i++)
{
x509Crls.Add(LoadCrl(crls[i]));
}
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(x509Certs));
IX509Store x509CrlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(x509Crls));
// CertPathBuilder builder = CertPathBuilder.GetInstance("PKIX");
PkixCertPathBuilder builder = new PkixCertPathBuilder();
X509CertStoreSelector endSelector = new X509CertStoreSelector();
endSelector.Certificate = endCert;
PkixBuilderParameters builderParams = new PkixBuilderParameters(trustedSet, endSelector);
if (initialPolicies != null)
{
builderParams.SetInitialPolicies(initialPolicies);
builderParams.IsExplicitPolicyRequired = true;
}
if (policyMappingInhibited)
{
builderParams.IsPolicyMappingInhibited = policyMappingInhibited;
}
if (anyPolicyInhibited)
{
builderParams.IsAnyPolicyInhibited = anyPolicyInhibited;
}
builderParams.AddStore(x509CertStore);
builderParams.AddStore(x509CrlStore);
// Perform validation as of this date since test certs expired
builderParams.Date = new DateTimeObject(DateTime.Parse("1/1/2011"));
try
{
return (PkixCertPathBuilderResult) builder.Build(builderParams);
}
catch (PkixCertPathBuilderException e)
{
throw e.InnerException;
}
}
internal static global::System.Collections.ICollection FindIssuerCerts(X509Certificate cert, PkixBuilderParameters pkixParams)
{
//IL_001b: Expected O, but got Unknown
X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector();
ISet set = new HashSet();
try
{
x509CertStoreSelector.Subject = cert.IssuerDN;
}
catch (IOException val)
{
IOException val2 = val;
throw new global::System.Exception("Subject criteria for certificate selector to find issuer certificate could not be set.", (global::System.Exception)(object) val2);
}
try
{
set.AddAll((global::System.Collections.IEnumerable)FindCertificates(x509CertStoreSelector, pkixParams.GetStores()));
set.AddAll((global::System.Collections.IEnumerable)FindCertificates(x509CertStoreSelector, pkixParams.GetAdditionalStores()));
return(set);
}
catch (global::System.Exception ex)
{
throw new global::System.Exception("Issuer certificate cannot be searched.", ex);
}
}
private PkixCertPathBuilderResult Build(IX509AttributeCertificate attrCert, X509Certificate tbvCert, PkixBuilderParameters pkixParams, global::System.Collections.IList tbvPath)
{
if (tbvPath.Contains((object)tbvCert))
{
return(null);
}
if (pkixParams.GetExcludedCerts().Contains(tbvCert))
{
return(null);
}
if (pkixParams.MaxPathLength != -1 && ((global::System.Collections.ICollection)tbvPath).get_Count() - 1 > pkixParams.MaxPathLength)
{
return(null);
}
tbvPath.Add((object)tbvCert);
PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
PkixAttrCertPathValidator pkixAttrCertPathValidator = new PkixAttrCertPathValidator();
try
{
if (PkixCertPathValidatorUtilities.FindTrustAnchor(tbvCert, pkixParams.GetTrustAnchors()) != null)
{
PkixCertPath certPath = new PkixCertPath((global::System.Collections.ICollection)tbvPath);
PkixCertPathValidatorResult pkixCertPathValidatorResult;
try
{
pkixCertPathValidatorResult = pkixAttrCertPathValidator.Validate(certPath, pkixParams);
}
catch (global::System.Exception ex)
{
throw new global::System.Exception("Certification path could not be validated.", ex);
}
return(new PkixCertPathBuilderResult(certPath, pkixCertPathValidatorResult.TrustAnchor, pkixCertPathValidatorResult.PolicyTree, pkixCertPathValidatorResult.SubjectPublicKey));
}
try
{
PkixCertPathValidatorUtilities.AddAdditionalStoresFromAltNames(tbvCert, pkixParams);
}
catch (CertificateParsingException ex2)
{
throw new global::System.Exception("No additional X.509 stores can be added from certificate locations.", (global::System.Exception)ex2);
}
ISet set = new HashSet();
try
{
set.AddAll((global::System.Collections.IEnumerable)PkixCertPathValidatorUtilities.FindIssuerCerts(tbvCert, pkixParams));
}
catch (global::System.Exception ex3)
{
throw new global::System.Exception("Cannot find issuer certificate for certificate in certification path.", ex3);
}
if (set.IsEmpty)
{
throw new global::System.Exception("No issuer certificate for certificate in certification path found.");
}
global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)set).GetEnumerator();
try
{
while (enumerator.MoveNext())
{
X509Certificate x509Certificate = (X509Certificate)enumerator.get_Current();
if (!PkixCertPathValidatorUtilities.IsSelfIssued(x509Certificate))
{
pkixCertPathBuilderResult = Build(attrCert, x509Certificate, pkixParams, tbvPath);
if (pkixCertPathBuilderResult != null)
{
break;
}
}
}
}
finally
{
global::System.IDisposable disposable = enumerator as global::System.IDisposable;
if (disposable != null)
{
disposable.Dispose();
}
}
}
catch (global::System.Exception ex4)
{
certPathException = new global::System.Exception("No valid certification path could be build.", ex4);
}
if (pkixCertPathBuilderResult == null)
{
tbvPath.Remove((object)tbvCert);
}
return(pkixCertPathBuilderResult);
}
/**
* Find the issuer certificates of a given certificate.
*
* @param cert
* The certificate for which an issuer should be found.
* @param pkixParams
* @return A <code>Collection</code> object containing the issuer
* <code>X509Certificate</code>s. Never <code>null</code>.
*
* @exception Exception
* if an error occurs.
*/
internal static ICollection FindIssuerCerts(
X509Certificate cert,
PkixBuilderParameters pkixParams)
{
X509CertStoreSelector certSelect = new X509CertStoreSelector();
ISet certs = new HashSet();
try
{
certSelect.Subject = cert.IssuerDN;
}
catch (IOException ex)
{
throw new Exception(
"Subject criteria for certificate selector to find issuer certificate could not be set.", ex);
}
try
{
certs.AddAll(PkixCertPathValidatorUtilities.FindCertificates(certSelect, pkixParams.GetStores()));
certs.AddAll(PkixCertPathValidatorUtilities.FindCertificates(certSelect, pkixParams.GetAdditionalStores()));
}
catch (Exception e)
{
throw new Exception("Issuer certificate cannot be searched.", e);
}
return certs;
}
public virtual PkixCertPathBuilderResult Build(PkixBuilderParameters pkixParams)
{
IX509Selector targetConstraints = pkixParams.GetTargetConstraints();
if (!(targetConstraints is X509AttrCertStoreSelector))
{
throw new PkixCertPathBuilderException(string.Concat(new string[5]
{
"TargetConstraints must be an instance of ",
typeof(X509AttrCertStoreSelector).get_FullName(),
" for ",
typeof(PkixAttrCertPathBuilder).get_FullName(),
" class."
}));
}
global::System.Collections.ICollection collection;
try
{
collection = PkixCertPathValidatorUtilities.FindCertificates((X509AttrCertStoreSelector)targetConstraints, pkixParams.GetStores());
}
catch (global::System.Exception exception)
{
throw new PkixCertPathBuilderException("Error finding target attribute certificate.", exception);
}
if (collection.get_Count() == 0)
{
throw new PkixCertPathBuilderException("No attribute certificate found matching targetContraints.");
}
PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)collection).GetEnumerator();
try
{
while (enumerator.MoveNext())
{
IX509AttributeCertificate iX509AttributeCertificate = (IX509AttributeCertificate)enumerator.get_Current();
X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector();
X509Name[] principals = iX509AttributeCertificate.Issuer.GetPrincipals();
ISet set = new HashSet();
for (int i = 0; i < principals.Length; i++)
{
try
{
x509CertStoreSelector.Subject = principals[i];
set.AddAll((global::System.Collections.IEnumerable)PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores()));
}
catch (global::System.Exception exception2)
{
throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be searched.", exception2);
}
}
if (set.IsEmpty)
{
throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be found.");
}
global::System.Collections.IList tbvPath = Platform.CreateArrayList();
{
global::System.Collections.IEnumerator enumerator2 = ((global::System.Collections.IEnumerable)set).GetEnumerator();
try
{
while (enumerator2.MoveNext())
{
X509Certificate tbvCert = (X509Certificate)enumerator2.get_Current();
pkixCertPathBuilderResult = Build(iX509AttributeCertificate, tbvCert, pkixParams, tbvPath);
if (pkixCertPathBuilderResult != null)
{
break;
}
}
}
finally
{
global::System.IDisposable disposable2 = enumerator2 as global::System.IDisposable;
if (disposable2 != null)
{
disposable2.Dispose();
}
}
}
if (pkixCertPathBuilderResult != null)
{
break;
}
}
}
finally
{
global::System.IDisposable disposable = enumerator as global::System.IDisposable;
if (disposable != null)
{
disposable.Dispose();
}
}
if (pkixCertPathBuilderResult == null && certPathException != null)
{
throw new PkixCertPathBuilderException("Possible certificate chain could not be validated.", certPathException);
}
if (pkixCertPathBuilderResult == null && certPathException == null)
{
throw new PkixCertPathBuilderException("Unable to find certificate chain.");
}
return(pkixCertPathBuilderResult);
}
public virtual PkixCertPathBuilderResult Build(PkixBuilderParameters pkixParams)
{
IX509Selector targetConstraints = pkixParams.GetTargetConstraints();
if (!(targetConstraints is X509AttrCertStoreSelector))
{
throw new PkixCertPathBuilderException(string.Concat(new string[]
{
"TargetConstraints must be an instance of ",
typeof(X509AttrCertStoreSelector).FullName,
" for ",
typeof(PkixAttrCertPathBuilder).FullName,
" class."
}));
}
ICollection collection;
try
{
collection = PkixCertPathValidatorUtilities.FindCertificates((X509AttrCertStoreSelector)targetConstraints, pkixParams.GetStores());
}
catch (Exception exception)
{
throw new PkixCertPathBuilderException("Error finding target attribute certificate.", exception);
}
if (collection.Count == 0)
{
throw new PkixCertPathBuilderException("No attribute certificate found matching targetContraints.");
}
PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
foreach (IX509AttributeCertificate iX509AttributeCertificate in collection)
{
X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector();
X509Name[] principals = iX509AttributeCertificate.Issuer.GetPrincipals();
ISet set = new HashSet();
for (int i = 0; i < principals.Length; i++)
{
try
{
x509CertStoreSelector.Subject = principals[i];
set.AddAll(PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores()));
}
catch (Exception exception2)
{
throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be searched.", exception2);
}
}
if (set.IsEmpty)
{
throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be found.");
}
IList tbvPath = Platform.CreateArrayList();
foreach (X509Certificate tbvCert in set)
{
pkixCertPathBuilderResult = this.Build(iX509AttributeCertificate, tbvCert, pkixParams, tbvPath);
if (pkixCertPathBuilderResult != null)
{
break;
}
}
if (pkixCertPathBuilderResult != null)
{
break;
}
}
if (pkixCertPathBuilderResult == null && this.certPathException != null)
{
throw new PkixCertPathBuilderException("Possible certificate chain could not be validated.", this.certPathException);
}
if (pkixCertPathBuilderResult == null && this.certPathException == null)
{
throw new PkixCertPathBuilderException("Unable to find certificate chain.");
}
return(pkixCertPathBuilderResult);
}
internal static PkixCertPath ProcessAttrCert1(IX509AttributeCertificate attrCert, PkixParameters pkixParams)
{
PkixCertPathBuilderResult pkixCertPathBuilderResult = null;
ISet set = new HashSet();
if (attrCert.Holder.GetIssuer() != null)
{
X509CertStoreSelector x509CertStoreSelector = new X509CertStoreSelector();
x509CertStoreSelector.SerialNumber = attrCert.Holder.SerialNumber;
X509Name[] issuer = attrCert.Holder.GetIssuer();
for (int i = 0; i < issuer.Length; i++)
{
try
{
x509CertStoreSelector.Issuer = issuer[i];
set.AddAll((global::System.Collections.IEnumerable)PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector, pkixParams.GetStores()));
}
catch (global::System.Exception cause)
{
throw new PkixCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", cause);
}
}
if (set.IsEmpty)
{
throw new PkixCertPathValidatorException("Public key certificate specified in base certificate ID for attribute certificate cannot be found.");
}
}
if (attrCert.Holder.GetEntityNames() != null)
{
X509CertStoreSelector x509CertStoreSelector2 = new X509CertStoreSelector();
X509Name[] entityNames = attrCert.Holder.GetEntityNames();
for (int j = 0; j < entityNames.Length; j++)
{
try
{
x509CertStoreSelector2.Issuer = entityNames[j];
set.AddAll((global::System.Collections.IEnumerable)PkixCertPathValidatorUtilities.FindCertificates(x509CertStoreSelector2, pkixParams.GetStores()));
}
catch (global::System.Exception cause2)
{
throw new PkixCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", cause2);
}
}
if (set.IsEmpty)
{
throw new PkixCertPathValidatorException("Public key certificate specified in entity name for attribute certificate cannot be found.");
}
}
PkixBuilderParameters instance = PkixBuilderParameters.GetInstance(pkixParams);
PkixCertPathValidatorException ex = null;
global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)set).GetEnumerator();
try
{
while (enumerator.MoveNext())
{
X509Certificate certificate = (X509Certificate)enumerator.get_Current();
X509CertStoreSelector x509CertStoreSelector3 = new X509CertStoreSelector();
x509CertStoreSelector3.Certificate = certificate;
instance.SetTargetConstraints(x509CertStoreSelector3);
PkixCertPathBuilder pkixCertPathBuilder = new PkixCertPathBuilder();
try
{
pkixCertPathBuilderResult = pkixCertPathBuilder.Build(PkixBuilderParameters.GetInstance(instance));
}
catch (PkixCertPathBuilderException cause3)
{
ex = new PkixCertPathValidatorException("Certification path for public key certificate of attribute certificate could not be build.", cause3);
}
}
}
finally
{
global::System.IDisposable disposable = enumerator as global::System.IDisposable;
if (disposable != null)
{
disposable.Dispose();
}
}
if (ex != null)
{
throw ex;
}
return(pkixCertPathBuilderResult.CertPath);
}
PkixCertPath BuildCertPath(HashSet anchors, IX509Store certificates, IX509Store crls, X509Certificate certificate, DateTime? signingTime)
{
var intermediate = new X509CertificateStore ();
foreach (X509Certificate cert in certificates.GetMatches (null))
intermediate.Add (cert);
var selector = new X509CertStoreSelector ();
selector.Certificate = certificate;
var parameters = new PkixBuilderParameters (anchors, selector);
parameters.AddStore (GetIntermediateCertificates ());
parameters.AddStore (intermediate);
var localCrls = GetCertificateRevocationLists ();
parameters.AddStore (localCrls);
parameters.AddStore (crls);
// Note: we disable revocation unless we actually have non-empty revocation lists
parameters.IsRevocationEnabled = localCrls.GetMatches (null).Count > 0;
parameters.ValidityModel = PkixParameters.ChainValidityModel;
if (signingTime.HasValue)
parameters.Date = new DateTimeObject (signingTime.Value);
var result = new PkixCertPathBuilder ().Build (parameters);
return result.CertPath;
}
/**
* Build and validate a CertPath using the given parameter.
*
* @param params PKIXBuilderParameters object containing all information to
* build the CertPath
*/
public virtual PkixCertPathBuilderResult Build(
PkixBuilderParameters pkixParams)
{
// search target certificates
IX509Selector certSelect = pkixParams.GetTargetConstraints();
if (!(certSelect is X509AttrCertStoreSelector))
{
throw new PkixCertPathBuilderException(
"TargetConstraints must be an instance of "
+ typeof(X509AttrCertStoreSelector).FullName
+ " for "
+ typeof(PkixAttrCertPathBuilder).FullName + " class.");
}
ICollection targets;
try
{
targets = PkixCertPathValidatorUtilities.FindCertificates(
(X509AttrCertStoreSelector)certSelect, pkixParams.GetStores());
}
catch (Exception e)
{
throw new PkixCertPathBuilderException("Error finding target attribute certificate.", e);
}
if (targets.Count == 0)
{
throw new PkixCertPathBuilderException(
"No attribute certificate found matching targetContraints.");
}
PkixCertPathBuilderResult result = null;
// check all potential target certificates
foreach (IX509AttributeCertificate cert in targets)
{
X509CertStoreSelector selector = new X509CertStoreSelector();
X509Name[] principals = cert.Issuer.GetPrincipals();
ISet issuers = new HashSet();
for (int i = 0; i < principals.Length; i++)
{
try
{
selector.Subject = principals[i];
issuers.AddAll(PkixCertPathValidatorUtilities.FindCertificates(selector, pkixParams.GetStores()));
}
catch (Exception e)
{
throw new PkixCertPathBuilderException(
"Public key certificate for attribute certificate cannot be searched.",
e);
}
}
if (issuers.IsEmpty)
{
throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be found.");
}
IList certPathList = Platform.CreateArrayList();
foreach (X509Certificate issuer in issuers)
{
result = Build(cert, issuer, pkixParams, certPathList);
if (result != null)
{
break;
}
}
if (result != null)
{
break;
}
}
if (result == null && certPathException != null)
{
throw new PkixCertPathBuilderException(
"Possible certificate chain could not be validated.",
certPathException);
}
if (result == null && certPathException == null)
{
throw new PkixCertPathBuilderException(
"Unable to find certificate chain.");
}
return(result);
}
private void v0Test()
{
// create certificates and CRLs
AsymmetricCipherKeyPair rootPair = TestUtilities.GenerateRsaKeyPair();
AsymmetricCipherKeyPair interPair = TestUtilities.GenerateRsaKeyPair();
AsymmetricCipherKeyPair endPair = TestUtilities.GenerateRsaKeyPair();
X509Certificate rootCert = TestUtilities.GenerateRootCert(rootPair);
X509Certificate interCert = TestUtilities.GenerateIntermediateCert(interPair.Public, rootPair.Private, rootCert);
X509Certificate endCert = TestUtilities.GenerateEndEntityCert(endPair.Public, interPair.Private, interCert);
BigInteger revokedSerialNumber = BigInteger.Two;
X509Crl rootCRL = TestUtilities.CreateCrl(rootCert, rootPair.Private, revokedSerialNumber);
X509Crl interCRL = TestUtilities.CreateCrl(interCert, interPair.Private, revokedSerialNumber);
// create CertStore to support path building
IList certList = new ArrayList();
certList.Add(rootCert);
certList.Add(interCert);
certList.Add(endCert);
IList crlList = new ArrayList();
crlList.Add(rootCRL);
crlList.Add(interCRL);
// CollectionCertStoreParameters parameters = new CollectionCertStoreParameters(list);
// CertStore store = CertStore.getInstance("Collection", parameters);
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(certList));
IX509Store x509CrlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(crlList));
ISet trust = new HashSet();
trust.Add(new TrustAnchor(rootCert, null));
// build the path
// CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC");
PkixCertPathBuilder builder = new PkixCertPathBuilder();
X509CertStoreSelector pathConstraints = new X509CertStoreSelector();
pathConstraints.Subject = endCert.SubjectDN;
PkixBuilderParameters buildParams = new PkixBuilderParameters(trust, pathConstraints);
// buildParams.addCertStore(store);
buildParams.AddStore(x509CertStore);
buildParams.AddStore(x509CrlStore);
buildParams.Date = new DateTimeObject(DateTime.UtcNow);
PkixCertPathBuilderResult result = builder.Build(buildParams);
PkixCertPath path = result.CertPath;
if (path.Certificates.Count != 2)
{
Fail("wrong number of certs in v0Test path");
}
}
/**
* Makes a copy of this <code>PKIXParameters</code> object. Changes to the
* copy will not affect the original and vice versa.
*
* @return a copy of this <code>PKIXParameters</code> object
*/
public override object Clone()
{
PkixBuilderParameters parameters = new PkixBuilderParameters(
GetTrustAnchors(), GetTargetCertConstraints());
parameters.SetParams(this);
return parameters;
}
