Certificate has unsupported critical extension

二次信任 submitted on 2021-01-07 03:25:44

Question


I am trying to validate a certificate chain using the Bouncy Castle library in C# with the following code, but I get the exception: "certificate has an unsupported critical extension". The exception happens in this method: validator.Validate(path, param)

My certificate has a critical extension: name: "Extended key usage", OID: 2.5.29.37, value: OCSP Stamping (1.3.6.1.5.5.7.3.9)

using System.Collections.Generic;
using System.Collections.ObjectModel;
using Org.BouncyCastle.Pkix;
using Org.BouncyCastle.Utilities.Collections;
using Org.BouncyCastle.X509;

// Searches trustedCerts for the issuer of `client`, validates the one-certificate
// path against that issuer as a trust anchor, then recurses upward until a
// self-signed root is reached. IsSelfSigned(X509Certificate) is a helper defined
// elsewhere in the asker's code.
public static bool ValidateKeyChain(X509Certificate client, List<X509Certificate> trustedCerts)
{
    bool found = false;
    int c = trustedCerts.Count;
    TrustAnchor anchor;
    HashSet anchors = new HashSet();          // Org.BouncyCastle.Utilities.Collections.HashSet
    PkixCertPath path;
    PkixParameters param;
    PkixCertPathValidator validator = new PkixCertPathValidator();

    while (!found && c > 0)
    {
        anchor = new TrustAnchor(trustedCerts[--c], null);
        anchors.Add(anchor);
        Collection<X509Certificate> set = new Collection<X509Certificate>();
        set.Add(client);
        path = new PkixCertPath(set);
        param = new PkixParameters(anchors);
        param.IsRevocationEnabled = false;     // no CRL/OCSP checking during validation

        if (client.IssuerDN.Equals(trustedCerts[c].SubjectDN))
        {
            // Throws PkixCertPathValidatorException on failure; this is the call
            // that raises "certificate has an unsupported critical extension".
            validator.Validate(path, param);
            if (IsSelfSigned(trustedCerts[c]))
            {
                // found root CA
                found = true;
            }
            else if (!client.Equals(trustedCerts[c]))
            {
                // find parent CA
                found = ValidateKeyChain(trustedCerts[c], trustedCerts);
            }
        }
    }
    return found;
}

Answer 1:


Finally, I found a solution to my problem. I checked both the Java and C# sources of Bouncy Castle and found a difference in the "PkixCertPathValidator" class in the .NET source: in the Validate method, before calling the Rfc3280CertPathUtilities.WrapupCertF(...) method, critical extensions are removed, but the following line was missing in the .NET version:

criticalExtensions.Remove(X509Extensions.ExtendedKeyUsage.Id);

I added this line to the source code, then built it, and it worked correctly.

PS: The most relevant answer on the internet is this one: http://bouncy-castle.1462172.n4.nabble.com/Certificate-has-unsupported-critical-extension-td1464313.html
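Before patching the library as the answer describes, it helps to know exactly which critical extension the validator is refusing. The following diagnostic is an added example, not code from the question, the answer or the Bouncy Castle project: it lists every critical extension OID on a certificate and, when ExtendedKeyUsage is among them, decodes the purposes so that an OCSP Signing entry (1.3.6.1.5.5.7.3.9, the value quoted in the question) is named explicitly. It assumes a DER or PEM certificate file is passed on the command line and uses only public Bouncy Castle C# API names (X509CertificateParser, GetCriticalExtensionOids, GetExtensionValue, ExtendedKeyUsage.GetInstance); the collection types those calls return differ between Bouncy Castle versions, which is why the loops iterate over object and call ToString().

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.X509;

// Diagnostic for "certificate has an unsupported critical extension": report the
// critical extensions a certificate carries, decoding ExtendedKeyUsage purposes,
// so the rejected OID is known before any change to the validator is considered.
public static class CriticalExtensionReport
{
    // OCSP Signing purpose OID, as quoted in the question.
    private const string OcspSigningOid = "1.3.6.1.5.5.7.3.9";

    // Returns one line per critical extension; the EKU line also lists its purposes.
    public static List<string> Describe(X509Certificate cert)
    {
        var lines = new List<string>();
        var critical = cert.GetCriticalExtensionOids();
        if (critical == null || critical.Count == 0)
        {
            lines.Add("no critical extensions");
            return lines;
        }

        foreach (object item in critical)
        {
            string oid = item.ToString();
            if (oid != X509Extensions.ExtendedKeyUsage.Id)
            {
                lines.Add("critical extension " + oid);
                continue;
            }

            // The extension value is an OCTET STRING wrapping the EKU SEQUENCE.
            Asn1OctetString wrapped = cert.GetExtensionValue(X509Extensions.ExtendedKeyUsage);
            ExtendedKeyUsage eku =
                ExtendedKeyUsage.GetInstance(Asn1Object.FromByteArray(wrapped.GetOctets()));

            var purposes = new List<string>();
            foreach (object purpose in eku.GetAllUsages())
            {
                string purposeOid = purpose.ToString();
                purposes.Add(purposeOid == OcspSigningOid
                    ? purposeOid + " (OCSP Signing)"
                    : purposeOid);
            }
            lines.Add("critical ExtendedKeyUsage: " + string.Join(", ", purposes));
        }
        return lines;
    }

    // Assumed usage: one certificate file path given on the command line.
    public static void Main(string[] args)
    {
        X509Certificate cert = new X509CertificateParser().ReadCertificate(File.ReadAllBytes(args[0]));
        Console.WriteLine(cert.SubjectDN);
        foreach (string line in Describe(cert))
            Console.WriteLine("  " + line);
    }
}
```

Running this over each certificate in the chain shows whether the critical ExtendedKeyUsage sits on the leaf or on an issuer; in the situation the question describes it is the leaf, and the answer's one-line change makes the .NET validator treat a critical EKU the same way the Java version already does.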



Source: https://stackoverflow.com/questions/57744908/certificate-has-unsupported-critical-extension
