Build certificate chain in BouncyCastle in C#
Question
I have a bunch of root and intermediate certificates given as byte arrays, and I also have an end user certificate. I want to build a certificate chain for the given end user certificate. In the .NET Framework I can do it like this:
```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static IEnumerable<X509ChainElement>
BuildCertificateChain(byte[] primaryCertificate, IEnumerable<byte[]> additionalCertificates)
{
    X509Chain chain = new X509Chain();
    foreach (var cert in additionalCertificates.Select(x => new X509Certificate2(x)))
    {
        chain.ChainPolicy.ExtraStore.Add(cert);
    }

    // You can alter how the chain is built/validated.
    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
    chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreWrongUsage;

    // Do the preliminary validation.
    var primaryCert = new X509Certificate2(primaryCertificate);
    if (!chain.Build(primaryCert))
        throw new Exception("Unable to build certificate chain");

    return chain.ChainElements.Cast<X509ChainElement>();
}
```
How do I do this in BouncyCastle? I tried the following code, but I get PkixCertPathBuilderException: No certificate found matching targetContraints:
```csharp
using System.Collections.Generic;
using System.Linq;
using Org.BouncyCastle;
using Org.BouncyCastle.Pkix;
using Org.BouncyCastle.Utilities.Collections;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.X509.Store;

static IEnumerable<X509Certificate> BuildCertificateChainBC(byte[] primary, IEnumerable<byte[]> additional)
{
    X509CertificateParser parser = new X509CertificateParser();
    PkixCertPathBuilder builder = new PkixCertPathBuilder();

    // Separate root from intermediate
    List<X509Certificate> intermediateCerts = new List<X509Certificate>();
    HashSet rootCerts = new HashSet();
    foreach (byte[] cert in additional)
    {
        X509Certificate x509Cert = parser.ReadCertificate(cert);

        // Separate root and subordinate certificates
        if (x509Cert.IssuerDN.Equivalent(x509Cert.SubjectDN))
            rootCerts.Add(new TrustAnchor(x509Cert, null));
        else
            intermediateCerts.Add(x509Cert);
    }

    // Create chain for this certificate
    X509CertStoreSelector holder = new X509CertStoreSelector();
    holder.Certificate = parser.ReadCertificate(primary);

    // WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN
    intermediateCerts.Add(holder.Certificate);

    PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder);
    builderParams.IsRevocationEnabled = false;

    X509CollectionStoreParameters intermediateStoreParameters =
        new X509CollectionStoreParameters(intermediateCerts);
    builderParams.AddStore(X509StoreFactory.Create(
        "Certificate/Collection", intermediateStoreParameters));

    PkixCertPathBuilderResult result = builder.Build(builderParams);

    // CertPath runs from the end-entity certificate up to, but not including,
    // the trust anchor; the root is available as result.TrustAnchor.TrustedCert.
    return result.CertPath.Certificates.Cast<X509Certificate>();
}
```
Edit: I added the line that fixed my problem. It's commented with all caps. Case closed.
Answer
I've done this in Java a number of times. Given that the API seems to be a straight port of the Java one I'll take a stab.
- I'm pretty sure that when you add stores to the builder, the collection should contain all the certificates of the chain you want to build, not just the intermediates. So the root certificates and the primary should be added too.
- If that doesn't fix the problem by itself, I would try specifying the desired certificate in a different way. You can do one of two things:
  - Implement your own selector that always matches only the desired certificate (the primary in your example).
  - Instead of setting holder.Certificate, set one or more criteria on the holder. For example setSubject, setSubjectPublicKey, setIssuer.
Those are the two most common problems I had with PkixCertPathBuilder.
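The second option from the answer, written out as an added example (not code from the question or the answer). It selects the target by issuer name plus serial number on an X509CertStoreSelector instead of whole-certificate equality, and it keeps the end-entity certificate in the collection store because the PKIX builder only treats certificates it can find in its stores as candidate targets. It also changes one thing the question's code does that a practitioner should not copy: deriving trust anchors from any self-signed certificate found in the input bundle. If that bundle comes from the same party as the end-entity certificate (a CMS/PKCS#7 signature, a TLS handshake, an uploaded file), a self-signed certificate in it is attacker-controlled, and promoting it to a TrustAnchor makes the path "valid" by construction. Here the caller passes the trusted roots separately. The `trustedRoots` / `untrustedExtras` parameter names and the `ChainBuilder` class are assumptions for this example; the API calls target the BouncyCastle 1.8.x surface used in the question (`HashSet` from Org.BouncyCastle.Utilities.Collections, `X509StoreFactory`).

```csharp
// Added example: criteria-based target selection with explicitly supplied
// trust anchors. Targets BouncyCastle 1.8.x (same API as the question).
using System;
using System.Collections.Generic;
using System.Linq;
using Org.BouncyCastle.Pkix;
using Org.BouncyCastle.Utilities.Collections;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.X509.Store;

static class ChainBuilder // hypothetical name for this example
{
    // endEntity:      DER-encoded certificate to build a path for
    // trustedRoots:   DER-encoded self-signed CA certificates the CALLER trusts
    // untrustedExtras: intermediates that arrived alongside the end-entity cert
    public static IList<X509Certificate> Build(
        byte[] endEntity, IEnumerable<byte[]> trustedRoots, IEnumerable<byte[]> untrustedExtras)
    {
        var parser = new X509CertificateParser();
        X509Certificate target = parser.ReadCertificate(endEntity);

        // Trust anchors come only from the caller's list, never from the bundle.
        var anchors = new HashSet();
        foreach (byte[] der in trustedRoots)
        {
            X509Certificate root = parser.ReadCertificate(der);
            // Issuer == Subject is not proof of self-signature; check the signature itself.
            root.Verify(root.GetPublicKey()); // throws if the root is not self-signed
            anchors.Add(new TrustAnchor(root, null));
        }

        // The builder searches its stores for target candidates, so the
        // end-entity certificate must be in a store even though it is the target.
        var pool = new List<X509Certificate> { target };
        foreach (byte[] der in untrustedExtras)
        {
            // Extras are only ever intermediates here, whatever their DNs say;
            // a self-signed cert among them can never become an anchor.
            pool.Add(parser.ReadCertificate(der));
        }

        // Issuer + serial number uniquely identifies a certificate within a CA,
        // and avoids depending on the exact encoding of the whole certificate.
        var selector = new X509CertStoreSelector
        {
            Issuer = target.IssuerDN,
            SerialNumber = target.SerialNumber
        };

        var parameters = new PkixBuilderParameters(anchors, selector)
        {
            // No CRL/OCSP checking in this example; for real validation enable
            // revocation and add CRL stores as well.
            IsRevocationEnabled = false,
            MaxPathLength = 5
        };
        parameters.AddStore(X509StoreFactory.Create(
            "Certificate/Collection", new X509CollectionStoreParameters(pool)));

        PkixCertPathBuilderResult result;
        try
        {
            // Build() also runs PKIX validation (signatures, validity periods,
            // basic constraints) on the path it finds.
            result = new PkixCertPathBuilder().Build(parameters);
        }
        catch (PkixCertPathBuilderException e)
        {
            throw new InvalidOperationException(
                "No valid path from the certificate to a trusted root: " + e.Message, e);
        }

        // CertPath excludes the trust anchor; append it so callers get the full chain
        // leaf -> intermediates -> root.
        var chain = result.CertPath.Certificates.Cast<X509Certificate>().ToList();
        chain.Add(result.TrustAnchor.TrustedCert);
        return chain;
    }
}
```

If the same issuer name and serial number could legitimately appear twice in the pool (for instance cross-signed copies of an intermediate), add `SubjectPublicKey = target.SubjectPublicKeyInfo` to the selector, or fall back to `Certificate = target` as in the question; the end-entity certificate must be in a store in every variant.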