Build certificate chain in BouncyCastle in C#


Question


I have a bunch of root and intermediate certificates given as byte arrays, and I also have end user certificate. I want to build a certificate chain for given end user certificate. In .NET framework I can do it like this:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static IEnumerable<X509ChainElement>
    BuildCertificateChain(byte[] primaryCertificate, IEnumerable<byte[]> additionalCertificates)
{
    X509Chain chain = new X509Chain();
    foreach (var cert in additionalCertificates.Select(x => new X509Certificate2(x)))
    {
        chain.ChainPolicy.ExtraStore.Add(cert);
    }

    // You can alter how the chain is built/validated.
    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
    chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreWrongUsage;

    // Do the preliminary validation.
    var primaryCert = new X509Certificate2(primaryCertificate);
    if (!chain.Build(primaryCert))
        throw new Exception("Unable to build certificate chain");

    return chain.ChainElements.Cast<X509ChainElement>();
}



How can I do it in BouncyCastle? I tried with the code below, but I get PkixCertPathBuilderException: No certificate found matching targetContraints

using System.Collections.Generic;
using System.Linq;
using Org.BouncyCastle;
using Org.BouncyCastle.Pkix;
using Org.BouncyCastle.Utilities.Collections;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.X509.Store;

static IEnumerable<X509Certificate> BuildCertificateChainBC(byte[] primary, IEnumerable<byte[]> additional)
{
    X509CertificateParser parser = new X509CertificateParser();
    PkixCertPathBuilder builder = new PkixCertPathBuilder();

    // Separate roots (trust anchors) from intermediates
    List<X509Certificate> intermediateCerts = new List<X509Certificate>();
    HashSet rootCerts = new HashSet();   // Org.BouncyCastle.Utilities.Collections.HashSet, an ISet of TrustAnchor

    foreach (byte[] cert in additional)
    {
        X509Certificate x509Cert = parser.ReadCertificate(cert);

        // Separate root and subordinate certificates
        if (x509Cert.IssuerDN.Equivalent(x509Cert.SubjectDN))
            rootCerts.Add(new TrustAnchor(x509Cert, null));
        else
            intermediateCerts.Add(x509Cert);
    }

    // Create chain for this certificate
    X509CertStoreSelector holder = new X509CertStoreSelector();
    holder.Certificate = parser.ReadCertificate(primary);

    // WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN
    intermediateCerts.Add(holder.Certificate);

    PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder);
    builderParams.IsRevocationEnabled = false;

    X509CollectionStoreParameters intermediateStoreParameters =
        new X509CollectionStoreParameters(intermediateCerts);

    builderParams.AddStore(X509StoreFactory.Create(
        "Certificate/Collection", intermediateStoreParameters));

    PkixCertPathBuilderResult result = builder.Build(builderParams);

    return result.CertPath.Certificates.Cast<X509Certificate>();
}




Edit: I added the line that fixed my problem. It's commented with all caps. Case closed.

Recommended answer


I've done this in Java a number of times. Given that the API seems to be a straight port of the Java one I'll take a stab.


  1. I'm pretty sure that when you add the store to the builder, that collection should contain all the certificates of the chain to be built, not just the intermediates. So the root certificates and the primary should be added as well.

  2. If that doesn't solve the problem by itself, I would also try specifying the desired certificate in a different way. You can do one of two things:

    • Implement your own selector that always matches only the desired certificate (primary in the example)

    • Instead of setting holder.Certificate, set one or more criteria on the holder. For example setSubject, setSubjectPublicKey, setIssuer.


Those are the two most common problems I had with PkixCertPathBuilder.
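The answer's two points combined, as an added example that is not code from the question or the answer: all candidate certificates, the target included, go into one collection store, and the target is selected by subject and serial number criteria rather than by setting Certificate. It assumes the BouncyCastle 1.8 C# API used on the page (non-generic HashSet, X509StoreFactory); ChainBuilderExample and BuildChain are names chosen here.

```csharp
using System;
using System.Collections.Generic;
using Org.BouncyCastle.Pkix;
using Org.BouncyCastle.Utilities.Collections;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.X509.Store;

// Added example (not from the question or answer): every candidate certificate,
// target included, goes into one store, and the target is selected by criteria.
static class ChainBuilderExample
{
    public static PkixCertPathBuilderResult BuildChain(byte[] primaryDer, IEnumerable<byte[]> candidateDer)
    {
        var parser = new X509CertificateParser();
        X509Certificate primary = parser.ReadCertificate(primaryDer);

        // The builder locates its target by running the selector over the stores it was
        // given, so a target that sits in no store fails with "No certificate found
        // matching targetContraints". Roots, intermediates and the target share one list.
        var all = new List<X509Certificate> { primary };
        var anchors = new HashSet();   // BouncyCastle's non-generic ISet implementation
        foreach (byte[] der in candidateDer)
        {
            X509Certificate cert = parser.ReadCertificate(der);
            all.Add(cert);
            if (cert.IssuerDN.Equivalent(cert.SubjectDN))
                anchors.Add(new TrustAnchor(cert, null));   // self-issued: use as a trust root
        }
        if (anchors.Count == 0)
            throw new InvalidOperationException("no self-signed root among the candidates");

        // Select the target by subject name and serial number instead of by Certificate.
        var target = new X509CertStoreSelector
        {
            Subject = primary.SubjectDN,
            SerialNumber = primary.SerialNumber
        };

        var parameters = new PkixBuilderParameters(anchors, target)
        {
            IsRevocationEnabled = false   // as on the page; supply CRLs and enable this in production
        };
        parameters.AddStore(X509StoreFactory.Create(
            "Certificate/Collection", new X509CollectionStoreParameters(all)));

        // Build validates signatures and validity periods along the path it finds.
        return new PkixCertPathBuilder().Build(parameters);
    }
}
```

PkixCertPathBuilder requires its target constraints to be an X509CertStoreSelector, so a custom selector has to derive from that class rather than only implement IX509Selector. The result's CertPath.Certificates runs from the target up to the certificate below the root, and TrustAnchor.TrustedCert names the root that anchored it.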
