
c# - Building a certificate chain with BouncyCastle in C#

Reposted. Author: 行者123. Updated: 2023-12-01 23:11:11

I have a bunch of root and intermediate certificates given as byte arrays, and I also have the end-user certificate. I want to build a certificate chain for a given end-user certificate. In the .NET Framework I can do it like this:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static IEnumerable<X509ChainElement>
BuildCertificateChain(byte[] primaryCertificate, IEnumerable<byte[]> additionalCertificates)
{
    X509Chain chain = new X509Chain();
    foreach (var cert in additionalCertificates.Select(x => new X509Certificate2(x)))
    {
        chain.ChainPolicy.ExtraStore.Add(cert);
    }

    // You can alter how the chain is built/validated.
    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
    chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreWrongUsage;

    // Do the preliminary validation.
    var primaryCert = new X509Certificate2(primaryCertificate);
    if (!chain.Build(primaryCert))
        throw new Exception("Unable to build certificate chain");

    return chain.ChainElements.Cast<X509ChainElement>();
}

How do I do this in BouncyCastle? I tried the code below, but I get PkixCertPathBuilderException: No certificate found matching targetContraints:

using System.Collections.Generic;
using System.Linq;
using Org.BouncyCastle;
using Org.BouncyCastle.Pkix;
using Org.BouncyCastle.Utilities.Collections;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.X509.Store;

static IEnumerable<X509Certificate> BuildCertificateChainBC(byte[] primary, IEnumerable<byte[]> additional)
{
    X509CertificateParser parser = new X509CertificateParser();
    PkixCertPathBuilder builder = new PkixCertPathBuilder();

    // Separate root from intermediate
    List<X509Certificate> intermediateCerts = new List<X509Certificate>();
    HashSet rootCerts = new HashSet();   // Org.BouncyCastle.Utilities.Collections.HashSet (non-generic)

    foreach (byte[] cert in additional)
    {
        X509Certificate x509Cert = parser.ReadCertificate(cert);

        // Separate root and subordinate certificates
        if (x509Cert.IssuerDN.Equivalent(x509Cert.SubjectDN))
            rootCerts.Add(new TrustAnchor(x509Cert, null));
        else
            intermediateCerts.Add(x509Cert);
    }

    // Create chain for this certificate
    X509CertStoreSelector holder = new X509CertStoreSelector();
    holder.Certificate = parser.ReadCertificate(primary);

    // WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN
    intermediateCerts.Add(holder.Certificate);

    PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder);
    builderParams.IsRevocationEnabled = false;

    X509CollectionStoreParameters intermediateStoreParameters =
        new X509CollectionStoreParameters(intermediateCerts);

    builderParams.AddStore(X509StoreFactory.Create(
        "Certificate/Collection", intermediateStoreParameters));

    PkixCertPathBuilderResult result = builder.Build(builderParams);

    return result.CertPath.Certificates.Cast<X509Certificate>();
}

EDIT: I added the line that solved the problem. Its comment is in all caps. Case closed.

Best answer

I have done this many times in Java. Since this API appears to be a direct port of the Java API, I'll give it a try.

  1. I am fairly sure that when you add the store to the builder, that collection is expected to contain all the certificates in the chain to be built, not only the intermediates. So rootCerts and primary should be added as well.
  2. If that alone does not solve it, I would try specifying the wanted certificate differently. You can do one of two things:
    • Implement your own selector that always matches only the certificate you want (the primary certificate in the example).
    • Instead of setting holder.Certificate, set one or more criteria on holder, for example setSubject, setSubjectPublicKey, setIssuer.

Those are the two most common problems I have run into when using PkixCertPathBuilder.
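The following is an added, self-contained example (not code from the question or the answer) that applies both points of the answer: every certificate, the roots and the target included, goes into the store, and the target is selected by subject name and public key instead of by `holder.Certificate`. It is written against the Bouncy Castle C# 1.8.x API (`X509StoreFactory`, `X509CollectionStoreParameters`, `Asn1SignatureFactory`); the root, issuing CA and leaf certificates are generated in-process, so the names `Demo Root CA`, `Demo Issuing CA` and `user@example.test` are constructed test data, not real identities.

```csharp
// Added example: build and validate leaf -> issuing CA -> root with PkixCertPathBuilder.
// Assumes Bouncy Castle C# 1.8.x; test certificates are generated below (constructed data).
using System;
using System.Collections.Generic;
using System.Linq;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Pkix;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Utilities.Collections;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.X509.Store;

static class ChainDemo
{
    static long serial = 1;

    static AsymmetricCipherKeyPair NewKey()
    {
        var g = new RsaKeyPairGenerator();
        g.Init(new KeyGenerationParameters(new SecureRandom(), 2048));
        return g.GenerateKeyPair();
    }

    // Issue a certificate for subjectKey, signed by issuerKey. isCa sets BasicConstraints,
    // which PKIX validation (RFC 5280 6.1.4) requires on every CA certificate in the path.
    static X509Certificate Issue(string subject, AsymmetricCipherKeyPair subjectKey,
                                 string issuer, AsymmetricCipherKeyPair issuerKey, bool isCa)
    {
        var gen = new X509V3CertificateGenerator();
        gen.SetSerialNumber(BigInteger.ValueOf(serial++));
        gen.SetIssuerDN(new X509Name(issuer));
        gen.SetSubjectDN(new X509Name(subject));
        gen.SetNotBefore(DateTime.UtcNow.AddMinutes(-5));
        gen.SetNotAfter(DateTime.UtcNow.AddYears(1));
        gen.SetPublicKey(subjectKey.Public);
        gen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(isCa));
        return gen.Generate(new Asn1SignatureFactory("SHA256WITHRSA", issuerKey.Private));
    }

    // Builds and validates the path from leaf to one of the self-signed certs in `others`.
    // Returns the leaf first and the trust anchor last.
    public static List<X509Certificate> BuildChain(byte[] leaf, IEnumerable<byte[]> others)
    {
        var parser = new X509CertificateParser();
        var anchors = new HashSet();            // Org.BouncyCastle.Utilities.Collections.HashSet
        var pool = new List<X509Certificate>();
        foreach (var der in others)
        {
            var c = parser.ReadCertificate(der);
            pool.Add(c);                        // roots go into the store too, not only intermediates
            if (c.IssuerDN.Equivalent(c.SubjectDN))
                anchors.Add(new TrustAnchor(c, null));
        }
        var target = parser.ReadCertificate(leaf);
        pool.Add(target);                       // the target must also be findable in the store

        // Select the target by subject and public key. Setting selector.Certificate instead
        // only matches a certificate equal to that exact one, which is what the question hit.
        var selector = new X509CertStoreSelector
        {
            Subject = target.SubjectDN,
            SubjectPublicKey = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(target.GetPublicKey())
        };

        var p = new PkixBuilderParameters(anchors, selector);
        p.IsRevocationEnabled = false;          // no CRL/OCSP in this demo; keep it enabled in production
        p.AddStore(X509StoreFactory.Create("Certificate/Collection",
                                           new X509CollectionStoreParameters(pool)));

        PkixCertPathBuilderResult result = new PkixCertPathBuilder().Build(p);
        var chain = result.CertPath.Certificates.Cast<X509Certificate>().ToList();
        chain.Add(result.TrustAnchor.TrustedCert);   // CertPath does not include the trust anchor
        return chain;
    }

    static void Main()
    {
        AsymmetricCipherKeyPair rootKey = NewKey(), caKey = NewKey(), leafKey = NewKey();
        var root = Issue("CN=Demo Root CA", rootKey, "CN=Demo Root CA", rootKey, true);
        var ca   = Issue("CN=Demo Issuing CA", caKey, "CN=Demo Root CA", rootKey, true);
        var leaf = Issue("CN=user@example.test", leafKey, "CN=Demo Issuing CA", caKey, false);

        // Hand the builder DER bytes only, in no particular order, as in the question.
        var chain = BuildChain(leaf.GetEncoded(), new[] { root.GetEncoded(), ca.GetEncoded() });
        foreach (var c in chain)
            Console.WriteLine(c.SubjectDN);     // leaf, then issuing CA, then root CA
    }
}
```

Two caveats a practitioner should keep in mind. First, `Build` succeeding proves only that a signature-valid, time-valid path exists to one of the supplied anchors; with `IsRevocationEnabled = false` a revoked intermediate or leaf still builds. Second, this code, like the question's, promotes every self-signed certificate found in the input bytes to a trust anchor. That is acceptable for reconstructing a chain from a bundle you already trust, but a verifier must take its anchors from a fixed trust store rather than from the data being verified, otherwise anyone can ship their own root alongside the certificate.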

For "c# - Building a certificate chain with BouncyCastle in C#", a similar question was found on Stack Overflow: https://stackoverflow.com/questions/10724594/

Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号