
Class TrustAnchor

Namespace
Org.BouncyCastle.Pkix
Assembly
BouncyCastle.Cryptography.dll

A trust anchor or most-trusted Certification Authority (CA).

This class represents a "most-trusted CA", which is used as a trust anchor for validating X.509 certification paths. A most-trusted CA includes the public key of the CA, the CA's name, and any constraints upon the set of paths which may be validated using this key. These parameters can be specified in the form of a trusted X509Certificate or as individual parameters.

public class TrustAnchor
Inheritance

TrustAnchor

Constructors

TrustAnchor(X509Name, AsymmetricKeyParameter, byte[])

Creates an instance of TrustAnchor where the most-trusted CA is specified as an X509Name and public key.

public TrustAnchor(X509Name caPrincipal, AsymmetricKeyParameter pubKey, byte[] nameConstraints)

Parameters

caPrincipal X509Name

the name of the most-trusted CA as X509Name

pubKey AsymmetricKeyParameter

the public key of the most-trusted CA

nameConstraints byte[]

a byte array containing the ASN.1 DER encoding of a NameConstraints extension to be used for checking name constraints. Only the value of the extension is included, not the OID or criticality flag. Specify null to omit the parameter.

Remarks

Name constraints are an optional parameter, and are intended to be used as additional constraints when validating an X.509 certification path.

The name constraints are specified as a byte array. This byte array contains the DER encoded form of the name constraints, as they would appear in the NameConstraints structure defined in RFC 2459 and X.509. The ASN.1 notation for this structure is supplied in the documentation for the TrustAnchor(X509Certificate, byte[]) constructor.

Note that the name constraints byte array supplied here is cloned to protect against subsequent modifications.

Exceptions

ArgumentNullException

if caPrincipal or pubKey is null

TrustAnchor(X509Certificate, byte[])

Creates an instance of TrustAnchor with the specified X509Certificate and optional name constraints, which are intended to be used as additional constraints when validating an X.509 certification path. The name constraints are specified as a byte array. This byte array should contain the DER encoded form of the name constraints, as they would appear in the NameConstraints structure defined in RFC 2459 and X.509. The ASN.1 definition of this structure appears below.

NameConstraints ::= SEQUENCE {
    permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
    excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }

GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

GeneralSubtree ::= SEQUENCE {
    base                    GeneralName,
    minimum         [0]     BaseDistance DEFAULT 0,
    maximum         [1]     BaseDistance OPTIONAL }

BaseDistance ::= INTEGER (0..MAX)

GeneralName ::= CHOICE {
    otherName                       [0]     OtherName,
    rfc822Name                      [1]     IA5String,
    dNSName                         [2]     IA5String,
    x400Address                     [3]     ORAddress,
    directoryName                   [4]     Name,
    ediPartyName                    [5]     EDIPartyName,
    uniformResourceIdentifier       [6]     IA5String,
    iPAddress                       [7]     OCTET STRING,
    registeredID                    [8]     OBJECT IDENTIFIER }

Note that the name constraints byte array supplied is cloned to protect against subsequent modifications.

public TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints)

Parameters

trustedCert X509Certificate

a trusted X509Certificate

nameConstraints byte[]

a byte array containing the ASN.1 DER encoding of a NameConstraints extension to be used for checking name constraints. Only the value of the extension is included, not the OID or criticality flag. Specify null to omit the parameter.

Exceptions

ArgumentNullException

if the specified X509Certificate is null
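The constructors above take the bare DER value of the NameConstraints extension, not the whole extension. The following is an added example (not BouncyCastle's own code) that obtains that value in the two common ways: encoding the ASN.1 structure shown above with BouncyCastle's ASN.1 classes, or reading it from the CA certificate's own extension. The class and method names are assumed for illustration; `caCertDer` is assumed to hold the DER bytes of the CA certificate.

```csharp
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Pkix;
using Org.BouncyCastle.X509;

// Added example (not BouncyCastle's own code): producing the bare
// NameConstraints extension value that the TrustAnchor constructors expect.
static class TrustAnchorNameConstraints
{
    // Encodes the NameConstraints structure from the ASN.1 above with a
    // single permittedSubtrees entry of type dNSName and no excludedSubtrees.
    // "example.com" is a constructed sample value supplied by the caller.
    public static byte[] BuildPermittedDnsConstraint(string dnsSuffix)
    {
        // GeneralSubtree { base GeneralName }; minimum defaults to 0, maximum absent.
        var subtree = new GeneralSubtree(new GeneralName(GeneralName.DnsName, dnsSuffix));
        // GeneralSubtrees ::= SEQUENCE OF GeneralSubtree
        var permittedSubtrees = new DerSequence(subtree);
        // permittedSubtrees is IMPLICITLY tagged [0], hence explicit: false.
        var nameConstraints = new DerSequence(new DerTaggedObject(false, 0, permittedSubtrees));
        // The extension value only: no OID, no criticality flag, no extnValue OCTET STRING.
        return nameConstraints.GetDerEncoded();
    }

    // Reuses the NameConstraints extension carried by the CA certificate itself.
    // GetExtensionValue returns the extnValue OCTET STRING; its octets are the
    // DER value the constructor wants. Returns null if the CA has no such extension.
    public static byte[] FromCertificate(X509Certificate caCert)
    {
        Asn1OctetString extnValue = caCert.GetExtensionValue(X509Extensions.NameConstraints);
        return extnValue == null ? null : extnValue.GetOctets();
    }

    // Builds the anchor, preferring the constraint embedded in the CA certificate
    // and falling back to a locally constructed dNSName restriction otherwise.
    public static TrustAnchor Create(byte[] caCertDer, string fallbackDnsSuffix)
    {
        X509Certificate caCert = new X509CertificateParser().ReadCertificate(caCertDer);
        byte[] nc = FromCertificate(caCert) ?? BuildPermittedDnsConstraint(fallbackDnsSuffix);
        // nc is cloned by the constructor, so later changes to nc do not affect the anchor.
        return new TrustAnchor(caCert, nc);
    }
}
```

A permitted dNSName subtree of "example.com" admits that host and all its subdomains, so a path validator given this anchor will reject end-entity certificates for names outside that subtree.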

TrustAnchor(string, AsymmetricKeyParameter, byte[])

Creates an instance of TrustAnchor where the most-trusted CA is specified as a distinguished name and public key. Name constraints are an optional parameter, and are intended to be used as additional constraints when validating an X.509 certification path.

The name constraints are specified as a byte array. This byte array contains the DER encoded form of the name constraints, as they would appear in the NameConstraints structure defined in RFC 2459 and X.509.

public TrustAnchor(string caName, AsymmetricKeyParameter pubKey, byte[] nameConstraints)

Parameters

caName string

the X.500 distinguished name of the most-trusted CA in RFC 2253 string format

pubKey AsymmetricKeyParameter

the public key of the most-trusted CA

nameConstraints byte[]

a byte array containing the ASN.1 DER encoding of a NameConstraints extension to be used for checking name constraints. Only the value of the extension is included, not the OID or criticality flag. Specify null to omit the parameter.

Properties

CA

Returns the name of the most-trusted CA as an X509Name.

public X509Name CA { get; }

Property Value

X509Name

CAName

Returns the name of the most-trusted CA in RFC 2253 string format.

public string CAName { get; }

Property Value

string

CAPublicKey

Returns the public key of the most-trusted CA.

public AsymmetricKeyParameter CAPublicKey { get; }

Property Value

AsymmetricKeyParameter

GetNameConstraints

Returns the DER encoded NameConstraints value supplied to the constructor, or null if no name constraints were specified.

public byte[] GetNameConstraints { get; }

Property Value

byte[]

TrustedCert

Returns the most-trusted CA certificate.

public X509Certificate TrustedCert { get; }

Property Value

X509Certificate

Methods

ToString()

Returns a formatted string describing the TrustAnchor.

public override string ToString()

Returns

string

a formatted string describing the TrustAnchor