我从签名的 XML 文档中获取 x509certificate2。然后我需要验证证书路径,但为此我需要 3 个证书:root、CA、end。如何做到这一点?证书来自电子身份证。(来自亚美尼亚政府,因此是可信赖的锚)吊销状态良好,但无法建立证书路径。我是这样写的,但不知道对不对,因为它会抛出异常
var pkixResult = certPathValidator.Validate(certPath, paramsPkix);
$exception {“未找到证书路径的信任锚。”} Org.BouncyCastle.Pkix.PkixCertPathValidatorException
public static PkixCertPathValidatorResult Validate_Pkix(SignatureDocument signatureDocument)
{
var signingCertificate = signatureDocument.XadesSignature.GetSigningCertificate();
X509Chain chain = new X509Chain();
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
chain.Build(signingCertificate);
var sigCert = signingCertificate.ToBouncyX509Certificate();
var issuer = chain.ChainElements[0].Certificate;
var client = chain.ChainElements[1].Certificate;
var final = chain.ChainElements[2].Certificate;
//-----------------
Org.BouncyCastle.X509.X509Certificate clientCert = client.ToBouncyX509Certificate();
Org.BouncyCastle.X509.X509Certificate issuerCert = issuer.ToBouncyX509Certificate();
Org.BouncyCastle.X509.X509Certificate finalCert = chain.ChainElements[2].Certificate.ToBouncyX509Certificate();
var x509Certs = new List<Org.BouncyCastle.X509.X509Certificate>();
x509Certs.Add(sigCert);
x509Certs.Add(clientCert);
x509Certs.Add(finalCert);
IX509Store x509CertStore = X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(x509Certs));
var certPath = new PkixCertPath(x509Certs);
ISet trust = new HashSet { new TrustAnchor(x509Certs[0], null) };
var certPathValidator = new PkixCertPathValidator();
var paramsPkix = new PkixParameters(trust);
paramsPkix.AddStore(x509CertStore);
paramsPkix.IsRevocationEnabled = false;
var pkixResult = certPathValidator.Validate(certPath, paramsPkix);
return pkixResult;
}