0

我从签名的 XML 文档中获取 x509certificate2。然后我需要验证证书路径,但为此我需要 3 个证书:root、CA、end。如何做到这一点?证书来自电子身份证。(来自亚美尼亚政府,因此是可信赖的锚)吊销状态良好,但无法建立证书路径。我是这样写的,但不知道对不对,因为它会抛出异常

var pkixResult = certPathValidator.Validate(certPath, paramsPkix);

$exception {“未找到证书路径的信任锚。”} Org.BouncyCastle.Pkix.PkixCertPathValidatorException

public static PkixCertPathValidatorResult Validate_Pkix(SignatureDocument signatureDocument)
        {
            var signingCertificate = signatureDocument.XadesSignature.GetSigningCertificate();
            X509Chain chain = new X509Chain();
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

            chain.Build(signingCertificate);


            var sigCert = signingCertificate.ToBouncyX509Certificate();
            var issuer = chain.ChainElements[0].Certificate;
            var client = chain.ChainElements[1].Certificate;
            var final = chain.ChainElements[2].Certificate;


            //-----------------

            Org.BouncyCastle.X509.X509Certificate clientCert = client.ToBouncyX509Certificate();
            Org.BouncyCastle.X509.X509Certificate issuerCert = issuer.ToBouncyX509Certificate();
            Org.BouncyCastle.X509.X509Certificate finalCert = chain.ChainElements[2].Certificate.ToBouncyX509Certificate();

            var x509Certs = new List<Org.BouncyCastle.X509.X509Certificate>();

            x509Certs.Add(sigCert);
            x509Certs.Add(clientCert);
            x509Certs.Add(finalCert);

            IX509Store x509CertStore = X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(x509Certs));


            var certPath = new PkixCertPath(x509Certs);

            ISet trust = new HashSet { new TrustAnchor(x509Certs[0], null) };

            var certPathValidator = new PkixCertPathValidator();

            var paramsPkix = new PkixParameters(trust);
            paramsPkix.AddStore(x509CertStore);
            paramsPkix.IsRevocationEnabled = false;

            var pkixResult = certPathValidator.Validate(certPath, paramsPkix);

            return pkixResult;
        }
4

1 回答 1

0

您需要将根 CA 证书添加到x509Certs. 如果这不是签名文档的一部分,您可以使用 AIA 扩展来尝试下载它,或者使用 Windows 商店 - 正如您所说的根是受信任的。

所以从X509Store加载根目录。

作为替代方案,您可以使用默认情况下使用 Windows 信任库的X509Chain,并验证链和吊销状态。

于 2020-11-19T09:43:38.177 回答