TrustAnchor found but certificate validation failed

Time: 2012-12-19 16:01:52

Tags: c# bouncycastle

I create the root certificate like this:

public static Org.BouncyCastle.X509.X509Certificate GenerateRootCert(AsymmetricCipherKeyPair pair, System.Security.Cryptography.AsymmetricAlgorithm caKeyy)
{
    Org.BouncyCastle.X509.X509V3CertificateGenerator certGen = new Org.BouncyCastle.X509.X509V3CertificateGenerator();
    certGen.SetSerialNumber(BigInteger.One);
    // Self-signed: issuer and subject are the same name
    certGen.SetIssuerDN(new X509Name("cn=Autorite1,ou=DC,o=A1"));

    certGen.SetNotBefore(DateTime.Today.Subtract(new TimeSpan(1, 0, 0, 0)));
    certGen.SetNotAfter(DateTime.Today.Add(new TimeSpan(10, 0, 0, 0)));
    certGen.SetSubjectDN(new X509Name("cn=Autorite1,ou=DC,o=A1"));
    certGen.SetPublicKey(pair.Public);
    certGen.SetSignatureAlgorithm("SHA1withRSA");

    certGen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(pair.Public));
    // cA = true marks this certificate as a CA
    certGen.AddExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(true));

    // Sign the root with its own private key
    Org.BouncyCastle.X509.X509Certificate x509 = certGen.Generate(pair.Private);

    return x509;
}

I create the end-entity certificate like this:

public static Org.BouncyCastle.X509.X509Certificate generateEndEntityCert(
                    AsymmetricKeyParameter entityKey,
                    AsymmetricKeyParameter caKey, System.Security.Cryptography.AsymmetricAlgorithm caKeyy,
                    X509Certificate caCert)
{
    X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();

    certGen.SetSerialNumber(BigInteger.Two);
    // Issuer must match the root's subject for the chain to link
    certGen.SetIssuerDN(new X509Name("cn=Autorite1,ou=DC,o=A1"));
    certGen.SetNotBefore(DateTime.Today.Subtract(new TimeSpan(1, 0, 0, 0)));
    certGen.SetNotAfter(DateTime.Today.Add(new TimeSpan(7, 0, 0, 0)));
    certGen.SetSubjectDN(new X509Name("cn=test,E=test@test.com"));
    certGen.SetPublicKey(entityKey);
    certGen.SetSignatureAlgorithm("SHA256WithRSAEncryption");

    GeneralNames subjectAltName = new GeneralNames(new GeneralName(GeneralName.Rfc822Name, "example@example.org"));

    // AuthorityKeyIdentifier is derived from the CA certificate
    Org.BouncyCastle.X509.X509Certificate cer = new Org.BouncyCastle.X509.X509Certificate(caCert.CertificateStructure);
    certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(cer));
    certGen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(entityKey));
    certGen.AddExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(true));
    certGen.AddExtension(X509Extensions.KeyUsage, false, new KeyUsage(KeyUsage.NonRepudiation));

    // Sign the end-entity certificate with the CA private key and hand it back
    // (the original discarded the result, so the caller could never use it)
    Org.BouncyCastle.X509.X509Certificate x509 = certGen.Generate(caKey);
    return x509;
}

I then use the two certificates (root and end) to build a certificate path, like this:

public static IEnumerable<X509Certificate> BuildCertificateChainBC(byte[] primary, IEnumerable<byte[]> additional)
{
    X509CertificateParser parser = new X509CertificateParser();
    PkixCertPathBuilder builder = new PkixCertPathBuilder();

    // Separate root from intermediate
    List<X509Certificate> intermediateCerts = new List<X509Certificate>();
    HashSet rootCerts = new HashSet();

    foreach (byte[] cert in additional)
    {
        Org.BouncyCastle.X509.X509Certificate x509Cert = parser.ReadCertificate(cert);

        // Separate root and subordinate certificates: a self-issued cert becomes a trust anchor
        if (x509Cert.IssuerDN.Equivalent(x509Cert.SubjectDN))
            rootCerts.Add(new TrustAnchor(x509Cert, null));
        else
            intermediateCerts.Add(x509Cert);
    }

    // Create chain for this certificate
    X509CertStoreSelector holder = new X509CertStoreSelector();
    holder.Certificate = parser.ReadCertificate(primary);

    // WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN
    intermediateCerts.Add(holder.Certificate);

    PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder);
    builderParams.IsRevocationEnabled = false;

    // Store the builder searches when looking for the issuer of each certificate
    X509CollectionStoreParameters intermediateStoreParameters =
        new X509CollectionStoreParameters(intermediateCerts);

    builderParams.AddStore(X509StoreFactory.Create("Certificate/Collection", intermediateStoreParameters));
    PkixCertPathBuilderResult result = builder.Build(builderParams); //<-- the exception here

    return result.CertPath.Certificates.Cast<Org.BouncyCastle.X509.X509Certificate>();
}

Did I generate the certificates wrong? Because I get this exception: TrustAnchor found but certificate validation failed. The inner exception says: Public key presented not for certificate signature
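As an added, self-contained example (not the question's code, and not an answer from the site): the inner message "Public key presented not for certificate signature" is what Bouncy Castle's X509Certificate.Verify throws when a certificate's signature does not verify under the supplied public key, and PkixCertPathBuilder wraps that as "TrustAnchor found but certificate validation failed". The useful defender-side check is therefore to call Verify on the end-entity certificate with the trust anchor's public key before involving the path builder, which isolates the signing key from everything else the validator looks at. The block below generates a root and a leaf with a single CA key pair, runs that check on a correctly signed leaf and on one signed with an unrelated key, then builds the path. Helper names (NewRsaKeyPair, NewRootCert, NewEndEntityCert, SignedBy, BuildChain) are hypothetical; the root also carries a KeyUsage of keyCertSign, which the RFC 3280 path rules require whenever a CA certificate includes KeyUsage at all. It targets the Generate(AsymmetricKeyParameter) API of the 2012-era library; later versions deprecate it in favour of an Asn1SignatureFactory.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Pkix;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.X509.Extension;
using Org.BouncyCastle.X509.Store;

public static class ChainCheck
{
    // Hypothetical helper: fresh 2048-bit RSA key pair.
    static AsymmetricCipherKeyPair NewRsaKeyPair()
    {
        var gen = new RsaKeyPairGenerator();
        gen.Init(new KeyGenerationParameters(new SecureRandom(), 2048));
        return gen.GenerateKeyPair();
    }

    // Hypothetical helper: self-signed root, signed with its own private key.
    static X509Certificate NewRootCert(AsymmetricCipherKeyPair caPair)
    {
        var name = new X509Name("cn=Autorite1,ou=DC,o=A1");
        var certGen = new X509V3CertificateGenerator();
        certGen.SetSerialNumber(BigInteger.One);
        certGen.SetIssuerDN(name);
        certGen.SetSubjectDN(name);
        certGen.SetNotBefore(DateTime.UtcNow.AddDays(-1));
        certGen.SetNotAfter(DateTime.UtcNow.AddDays(10));
        certGen.SetPublicKey(caPair.Public);
        certGen.SetSignatureAlgorithm("SHA256withRSA");
        certGen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
        // If a CA certificate carries KeyUsage it must include keyCertSign,
        // otherwise the path validator refuses to accept it as an issuer.
        certGen.AddExtension(X509Extensions.KeyUsage, true,
            new KeyUsage(KeyUsage.KeyCertSign | KeyUsage.CrlSign));
        certGen.AddExtension(X509Extensions.SubjectKeyIdentifier, false,
            new SubjectKeyIdentifierStructure(caPair.Public));
        return certGen.Generate(caPair.Private);
    }

    // Hypothetical helper: leaf certificate signed with the given CA private key.
    static X509Certificate NewEndEntityCert(AsymmetricKeyParameter subjectPublic,
                                            AsymmetricKeyParameter caPrivate,
                                            X509Certificate caCert)
    {
        var certGen = new X509V3CertificateGenerator();
        certGen.SetSerialNumber(BigInteger.Two);
        certGen.SetIssuerDN(caCert.SubjectDN);   // copied from the CA rather than retyped
        certGen.SetSubjectDN(new X509Name("cn=test,E=test@test.com"));
        certGen.SetNotBefore(DateTime.UtcNow.AddDays(-1));
        certGen.SetNotAfter(DateTime.UtcNow.AddDays(7));
        certGen.SetPublicKey(subjectPublic);
        certGen.SetSignatureAlgorithm("SHA256withRSA");
        certGen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); // leaf, not a CA
        certGen.AddExtension(X509Extensions.KeyUsage, true,
            new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.NonRepudiation));
        certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(caCert));
        certGen.AddExtension(X509Extensions.SubjectKeyIdentifier, false,
            new SubjectKeyIdentifierStructure(subjectPublic));
        return certGen.Generate(caPrivate);
    }

    // The check the builder performs internally: does cert's signature verify
    // under issuer's public key? Verify throws on mismatch, so map that to false.
    static bool SignedBy(X509Certificate cert, X509Certificate issuer)
    {
        try { cert.Verify(issuer.GetPublicKey()); return true; }
        catch (GeneralSecurityException) { return false; }
    }

    // Build the path leaf -> root with PkixCertPathBuilder, revocation disabled.
    static IList<X509Certificate> BuildChain(X509Certificate leaf, X509Certificate root)
    {
        var anchors = new Org.BouncyCastle.Utilities.Collections.HashSet();
        anchors.Add(new TrustAnchor(root, null));

        var selector = new X509CertStoreSelector { Certificate = leaf };
        var parameters = new PkixBuilderParameters(anchors, selector);
        parameters.IsRevocationEnabled = false;

        // The target certificate itself must be findable in a store.
        var pool = new ArrayList { leaf };
        parameters.AddStore(X509StoreFactory.Create("Certificate/Collection",
            new X509CollectionStoreParameters(pool)));

        PkixCertPathBuilderResult result = new PkixCertPathBuilder().Build(parameters);
        var chain = new List<X509Certificate>();
        foreach (X509Certificate c in result.CertPath.Certificates) chain.Add(c);
        return chain;
    }

    public static void Main()
    {
        AsymmetricCipherKeyPair caPair = NewRsaKeyPair();
        AsymmetricCipherKeyPair leafPair = NewRsaKeyPair();
        X509Certificate root = NewRootCert(caPair);
        X509Certificate leaf = NewEndEntityCert(leafPair.Public, caPair.Private, root);
        // Constructed failure case: same issuer name, but signed with an unrelated key.
        X509Certificate strayLeaf = NewEndEntityCert(leafPair.Public, NewRsaKeyPair().Private, root);

        Console.WriteLine("leaf signed by root:  " + SignedBy(leaf, root));
        Console.WriteLine("stray signed by root: " + SignedBy(strayLeaf, root));
        foreach (X509Certificate c in BuildChain(leaf, root))
            Console.WriteLine("chain: " + c.SubjectDN);
    }
}
```

The stray leaf reproduces the shape of the failure: the issuer name matches, so the builder locates the trust anchor, but the signature was produced by a key whose public half is not in the anchor, so validation fails. Running SignedBy against each candidate anchor tells you whether the caKey handed to the end-entity generator is really the private half of the pair whose public key went into the root.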

0 answers:

No answers