C# 找到信任锚,但证书验证失败
我创建一个根证书,如下所示:C# 找到信任锚,但证书验证失败,c#,bouncycastle,C#,Bouncycastle,我创建一个根证书,如下所示: public static Org.BouncyCastle.X509.X509Certificate GenerateRootCert(AsymmetricCipherKeyPair pair, System.Security.Cryptography.AsymmetricAlgorithm caKeyy) { Org.BouncyCastle.X509.X509V3CertificateGenerator certGen = new Org.Bouncy
public static Org.BouncyCastle.X509.X509Certificate GenerateRootCert(AsymmetricCipherKeyPair pair, System.Security.Cryptography.AsymmetricAlgorithm caKeyy)
{
Org.BouncyCastle.X509.X509V3CertificateGenerator certGen = new Org.BouncyCastle.X509.X509V3CertificateGenerator();
certGen.SetSerialNumber(BigInteger.One);
certGen.SetIssuerDN(new X509Name("cn=Autorite1,ou=DC,o=A1"));
certGen.SetNotBefore(DateTime.Today.Subtract(new TimeSpan(1, 0, 0, 0)));
certGen.SetNotAfter(DateTime.Today.Add(new TimeSpan(10, 0, 0, 0)));
certGen.SetSubjectDN(new X509Name("cn=Autorite1,ou=DC,o=A1"));
certGen.SetPublicKey(pair.Public);
certGen.SetSignatureAlgorithm("SHA1withRSA");
certGen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(pair.Public));
certGen.AddExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(true));
Org.BouncyCastle.X509.X509Certificate x509 = certGen.Generate(pair.Private);
return x509;
}
public static IEnumerable<X509Certificate> BuildCertificateChainBC(byte[] primary, IEnumerable<byte[]> additional)
{
X509CertificateParser parser = new X509CertificateParser();
PkixCertPathBuilder builder = new PkixCertPathBuilder();
// Separate root from itermediate
List<X509Certificate> intermediateCerts = new List<X509Certificate>();
HashSet rootCerts = new HashSet();
foreach (byte[] cert in additional)
{
Org.BouncyCastle.X509.X509Certificate x509Cert = parser.ReadCertificate(cert);
// Separate root and subordinate certificates
if (x509Cert.IssuerDN.Equivalent(x509Cert.SubjectDN))
rootCerts.Add(new TrustAnchor(x509Cert, null));
else
intermediateCerts.Add(x509Cert);
}
// Create chain for this certificate
X509CertStoreSelector holder = new X509CertStoreSelector();
holder.Certificate = parser.ReadCertificate(primary);
// WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN
intermediateCerts.Add(holder.Certificate);
PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder);
builderParams.IsRevocationEnabled = false;
X509CollectionStoreParameters intermediateStoreParameters =
new X509CollectionStoreParameters(intermediateCerts);
builderParams.AddStore(X509StoreFactory.Create("Certificate/Collection", intermediateStoreParameters));
PkixCertPathBuilderResult result = builder.Build(builderParams); //<-- the exception here
return result.CertPath.Certificates.Cast<Org.BouncyCastle.X509.X509Certificate>();
}
我创建的结束证书如下所示:
public static void generateEndEntityCert(
AsymmetricKeyParameter entityKey,
AsymmetricKeyParameter caKey, System.Security.Cryptography.AsymmetricAlgorithm caKeyy,
X509Certificate caCert)
{
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
certGen.SetSerialNumber(BigInteger.Two);
certGen.SetIssuerDN(new X509Name("cn=Autorite1,ou=DC,o=A1"));
certGen.SetNotBefore(DateTime.Today.Subtract(new TimeSpan(1, 0, 0, 0)));
certGen.SetNotAfter(DateTime.Today.Add(new TimeSpan(7, 0, 0, 0)));
certGen.SetSubjectDN(new X509Name("cn=test,E=test@test.com"));
certGen.SetPublicKey(entityKey);
certGen.SetSignatureAlgorithm("SHA256WithRSAEncryption");
GeneralNames subjectAltName = new GeneralNames(new GeneralName(GeneralName.Rfc822Name, "example@example.org"));
Org.BouncyCastle.X509.X509Certificate cer = new Org.BouncyCastle.X509.X509Certificate(caCert.CertificateStructure);
certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(cer));
certGen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(entityKey));
certGen.AddExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(true)); certGen.AddExtension(X509Extensions.KeyUsage, false, new KeyUsage(KeyUsage.NonRepudiation));
Org.BouncyCastle.X509.X509Certificate x509 = certGen.Generate(caKey);
}
我将使用两次certeficats(根和端)创建路径证书,如下所示:
public static Org.BouncyCastle.X509.X509Certificate GenerateRootCert(AsymmetricCipherKeyPair pair, System.Security.Cryptography.AsymmetricAlgorithm caKeyy)
{
Org.BouncyCastle.X509.X509V3CertificateGenerator certGen = new Org.BouncyCastle.X509.X509V3CertificateGenerator();
certGen.SetSerialNumber(BigInteger.One);
certGen.SetIssuerDN(new X509Name("cn=Autorite1,ou=DC,o=A1"));
certGen.SetNotBefore(DateTime.Today.Subtract(new TimeSpan(1, 0, 0, 0)));
certGen.SetNotAfter(DateTime.Today.Add(new TimeSpan(10, 0, 0, 0)));
certGen.SetSubjectDN(new X509Name("cn=Autorite1,ou=DC,o=A1"));
certGen.SetPublicKey(pair.Public);
certGen.SetSignatureAlgorithm("SHA1withRSA");
certGen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(pair.Public));
certGen.AddExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(true));
Org.BouncyCastle.X509.X509Certificate x509 = certGen.Generate(pair.Private);
return x509;
}
public static IEnumerable<X509Certificate> BuildCertificateChainBC(byte[] primary, IEnumerable<byte[]> additional)
{
X509CertificateParser parser = new X509CertificateParser();
PkixCertPathBuilder builder = new PkixCertPathBuilder();
// Separate root from itermediate
List<X509Certificate> intermediateCerts = new List<X509Certificate>();
HashSet rootCerts = new HashSet();
foreach (byte[] cert in additional)
{
Org.BouncyCastle.X509.X509Certificate x509Cert = parser.ReadCertificate(cert);
// Separate root and subordinate certificates
if (x509Cert.IssuerDN.Equivalent(x509Cert.SubjectDN))
rootCerts.Add(new TrustAnchor(x509Cert, null));
else
intermediateCerts.Add(x509Cert);
}
// Create chain for this certificate
X509CertStoreSelector holder = new X509CertStoreSelector();
holder.Certificate = parser.ReadCertificate(primary);
// WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN
intermediateCerts.Add(holder.Certificate);
PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder);
builderParams.IsRevocationEnabled = false;
X509CollectionStoreParameters intermediateStoreParameters =
new X509CollectionStoreParameters(intermediateCerts);
builderParams.AddStore(X509StoreFactory.Create("Certificate/Collection", intermediateStoreParameters));
PkixCertPathBuilderResult result = builder.Build(builderParams); //<-- the exception here
return result.CertPath.Certificates.Cast<Org.BouncyCastle.X509.X509Certificate>();
}
公共静态IEnumerable BuildCertificateChainBC(字节[]主,IEnumerable附加)
{
X509CertificateParser=新的X509CertificateParser();
PkixCertPathBuilder=新的PkixCertPathBuilder();
//把根和根分开
List intermediateCerts=新列表();
HashSet rootCerts=新HashSet();
foreach(附加字节[]证书)
{
Org.BouncyCastle.X509.X509Certificate x509Cert=parser.ReadCertificate(cert);
//单独的根证书和从属证书
if(x509Cert.IssuerDN.等价物(x509Cert.SubjectDN))
添加(新信任锚(x509Cert,null));
其他的
中间证书添加(x509Cert);
}
//为此证书创建链
X509CertStoreSelector holder=新的X509CertStoreSelector();
holder.Certificate=parser.ReadCertificate(主);
//如果没有此线生成器,则无法开始构建链
中级证书。添加(持有人证书);
PkixBuilderParameters builderParams=新的PkixBuilderParameters(rootcert,持有者);
builderParams.IsRevocationEnabled=false;
X509采集存储参数中间存储重新参数=
新的X509CollectionStoreParameters(intermediateCerts);
AddStore(X509StoreFactory.Create(“证书/集合”,intermediatesreparameters));
PkixCertPathBuilderResult结果=builder.Build(builderParams)//