Name constraint validation updates from bc-java

3 files changed, 583 insertions, 89 deletions

diff --git a/crypto/test/src/test/PkixNameConstraintsTest.cs b/crypto/test/src/test/PkixNameConstraintsTest.cs
index a20fc33c4..073f9f2a3 100644
--- a/crypto/test/src/test/PkixNameConstraintsTest.cs
+++ b/crypto/test/src/test/PkixNameConstraintsTest.cs
@@ -72,19 +72,23 @@ namespace Org.BouncyCastle.Tests
 
 		private readonly string[] dnIntersection = { "O=test org, OU=test org unit, CN=John Doe" };
 
-		private readonly string testDN = "O=test org, OU=test org unit, CN=John Doe";
+        // Note: In BC text conversion is ISO format - IETF starts at the back.
+        private readonly string testDN = "O=test org, OU=test org unit, CN=John Doe";
 
-		private readonly string[] testDNIsConstraint = {
-			"O=test org, OU=test org unit",
-			"O=test org, OU=test org unit, CN=John Doe" };
+        private readonly string[] testDNIsConstraint =
+        {
+            "O=test org, OU=test org unit",
+            "O=test org, OU=test org unit, CN=John Doe",
+        };
 
-		private readonly string[] testDNIsNotConstraint = {
-			"O=test org, OU=test org unit, CN=John Doe2",
-			"O=test org, OU=test org unit2",
-			"OU=test org unit, O=test org, CN=John Doe",
-			"O=test org, OU=test org unit, CN=John Doe, L=USA" };
+        private readonly string[] testDNIsNotConstraint =
+        {
+            "O=test org, OU=test org unit, CN=John Doe2",
+            "O=test org, OU=test org unit2",
+            "O=test org, OU=test org unit, CN=John Doe, L=USA"
+        };
 
-		private readonly string testDNS = "abc.test.com";
+        private readonly string testDNS = "abc.test.com";
 
 		private readonly string[] testDNSIsConstraint = { "test.com", "abc.test.com", "test.com" };
 
@@ -185,7 +189,15 @@ namespace Org.BouncyCastle.Tests
 				uriintersect);
 			TestConstraints(GeneralName.IPAddress, testIP, testIPIsConstraint,
 				testIPIsNotConstraint, ip1, ip2, ipunion, ipintersect);
-		}
+
+            PkixNameConstraintValidator constraintValidator = new PkixNameConstraintValidator();
+            constraintValidator.IntersectPermittedSubtree(new DerSequence(new GeneralSubtree(
+                new GeneralName(GeneralName.DirectoryName,
+                    new X509Name(true, "ou=permittedSubtree1, o=Test Certificates 2011, c=US")))));
+            constraintValidator.checkPermitted(
+                new GeneralName(GeneralName.DirectoryName,
+                    new X509Name(true, "cn=Valid DN nameConstraints EE Certificate Test1, ou=permittedSubtree1, o=Test Certificates 2011, c=US")));
+        }
 
 		/**
 		 * Tests string based GeneralNames for inclusion or exclusion.
diff --git a/crypto/test/src/test/nist/NistCertPathTest.cs b/crypto/test/src/test/nist/NistCertPathTest.cs
index 6a23cac22..13a85a980 100644
--- a/crypto/test/src/test/nist/NistCertPathTest.cs
+++ b/crypto/test/src/test/nist/NistCertPathTest.cs
@@ -35,15 +35,15 @@ namespace Org.BouncyCastle.Tests.Nist
 		private static readonly string NIST_TEST_POLICY_2 = "2.16.840.1.101.3.2.1.48.2";
 		private static readonly string NIST_TEST_POLICY_3 = "2.16.840.1.101.3.2.1.48.3";
 
-		private static IDictionary certs = new Hashtable();
-		private static IDictionary crls = new Hashtable();
+		private static readonly IDictionary certs = new Hashtable();
+        private static readonly IDictionary crls = new Hashtable();
 
-		private static ISet noPolicies = new HashSet();
-		private static ISet anyPolicy = new HashSet();
-		private static ISet nistTestPolicy1 = new HashSet();
-		private static ISet nistTestPolicy2 = new HashSet();
-		private static ISet nistTestPolicy3 = new HashSet();
-		private static ISet nistTestPolicy1And2 = new HashSet();
+        private static readonly ISet noPolicies = new HashSet();
+        private static readonly ISet anyPolicy = new HashSet();
+        private static readonly ISet nistTestPolicy1 = new HashSet();
+        private static readonly ISet nistTestPolicy2 = new HashSet();
+        private static readonly ISet nistTestPolicy3 = new HashSet();
+        private static readonly ISet nistTestPolicy1And2 = new HashSet();
 
 		static NistCertPathTest()
 		{
@@ -54,7 +54,6 @@ namespace Org.BouncyCastle.Tests.Nist
 			nistTestPolicy3.Add(NIST_TEST_POLICY_3);
 			nistTestPolicy1And2.Add(NIST_TEST_POLICY_1);
 			nistTestPolicy1And2.Add(NIST_TEST_POLICY_2);
-
 		}
 
 		[Test]
@@ -474,7 +473,7 @@ namespace Org.BouncyCastle.Tests.Nist
 			string[] certList = new string[] { "inhibitAnyPolicy1CACert", "inhibitAnyPolicy1SelfIssuedCACert", "inhibitAnyPolicy1subCA2Cert", "ValidSelfIssuedinhibitAnyPolicyTest7EE" };
 			string[] crlList = new string[] { TRUST_ANCHOR_ROOT_CRL, "inhibitAnyPolicy1CACRL", "inhibitAnyPolicy1subCA2CRL" };
 
-			doBuilderTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, false, false);
+			DoBuilderTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, false, false);
 		}
 
 		// 4.4.19
@@ -484,7 +483,7 @@ namespace Org.BouncyCastle.Tests.Nist
 			string[] certList = new string[] { "SeparateCertificateandCRLKeysCertificateSigningCACert", "SeparateCertificateandCRLKeysCRLSigningCert", "ValidSeparateCertificateandCRLKeysTest19EE" };
 			string[] crlList = new string[] { TRUST_ANCHOR_ROOT_CRL, "SeparateCertificateandCRLKeysCRL" };
 
-			doBuilderTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, false, false);
+			DoBuilderTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, false, false);
 		}
 
 		[Test]
@@ -600,6 +599,7 @@ namespace Org.BouncyCastle.Tests.Nist
 			try
 			{
 				DoTest(trustAnchor, certs, crls, policies);
+
 				Assert.Fail("path accepted when should be rejected");
 			}
 			catch (PkixCertPathValidatorException e)
@@ -673,7 +673,6 @@ namespace Org.BouncyCastle.Tests.Nist
 				"CRL/Collection",
 				new X509CollectionStoreParameters(x509Crls));
 
-//			CertPathValidator validator = CertPathValidator.GetInstance("PKIX");
 			PkixCertPathValidator validator = new PkixCertPathValidator();
 			PkixParameters parameters = new PkixParameters(trustedSet);
 
@@ -693,7 +692,7 @@ namespace Org.BouncyCastle.Tests.Nist
 			return validator.Validate(certPath, parameters);
 		}
 
-		private PkixCertPathBuilderResult doBuilderTest(
+		private PkixCertPathBuilderResult DoBuilderTest(
 			string		trustAnchor,
 			string[]	certs,
 			string[]	crls,
@@ -727,7 +726,6 @@ namespace Org.BouncyCastle.Tests.Nist
 				"CRL/Collection",
 				new X509CollectionStoreParameters(x509Crls));
 
-//			CertPathBuilder builder = CertPathBuilder.GetInstance("PKIX");   
 			PkixCertPathBuilder builder = new PkixCertPathBuilder();
 
 			X509CertStoreSelector endSelector = new X509CertStoreSelector();
@@ -766,70 +764,55 @@ namespace Org.BouncyCastle.Tests.Nist
 			}
 		}
 
-		private X509Certificate LoadCert(
-			string certName)
-		{
-			X509Certificate cert = (X509Certificate)certs[certName];
-
-			if (cert != null)
-			{
-				return cert;
-			}
-
-			Stream fs = null;
-
-			try
-			{
-				fs = SimpleTest.GetTestDataAsStream("PKITS.certs." + certName + ".crt");
-
-				cert = new X509CertificateParser().ReadCertificate(fs);
-
-				certs[certName] = cert;
-
-				return cert;
-			}
-			catch (Exception e)
-			{
-				throw new InvalidOperationException("exception loading certificate " + certName + ": " + e);
-			}
-			finally
-			{
-				fs.Close();
-			}
-		}
-
-		private X509Crl LoadCrl(
-			string crlName)
-			//throws Exception
-		{
-			X509Crl crl = (X509Crl)certs[crlName];
-        
-			if (crl != null)
-			{
-				return crl;
-			}
-
-			Stream fs = null;
-
-			try
-			{
-				fs = SimpleTest.GetTestDataAsStream("PKITS.crls." + crlName + ".crl");
-
-				crl = new X509CrlParser().ReadCrl(fs);
-
-				crls[crlName] = crl;
-
-				return crl;
-			}
-			catch (Exception)
-			{
-				throw new InvalidOperationException("exception loading CRL: " + crlName);
-			}
-			finally
-			{
-				fs.Close();
-			}
-		}
+        private X509Certificate LoadCert(string certName)
+        {
+            X509Certificate cert = (X509Certificate)certs[certName];
+            if (null != cert)
+                return cert;
+
+            Stream fs = null;
+
+            try
+            {
+                fs = SimpleTest.GetTestDataAsStream("PKITS.certs." + certName + ".crt");
+                cert = new X509CertificateParser().ReadCertificate(fs);
+                certs[certName] = cert;
+                return cert;
+            }
+            catch (Exception e)
+            {
+                throw new InvalidOperationException("exception loading certificate " + certName + ": " + e);
+            }
+            finally
+            {
+                fs.Close();
+            }
+        }
+
+        private X509Crl LoadCrl(string crlName)
+        {
+            X509Crl crl = (X509Crl)crls[crlName];
+            if (null != crl)
+                return crl;
+
+            Stream fs = null;
+
+            try
+            {
+                fs = SimpleTest.GetTestDataAsStream("PKITS.crls." + crlName + ".crl");
+                crl = new X509CrlParser().ReadCrl(fs);
+                crls[crlName] = crl;
+                return crl;
+            }
+            catch (Exception)
+            {
+                throw new InvalidOperationException("exception loading CRL: " + crlName);
+            }
+            finally
+            {
+                fs.Close();
+            }
+        }
 
 		private TrustAnchor GetTrustAnchor(string trustAnchorName)
 		{
diff --git a/crypto/test/src/test/nist/NistCertPathTest2.cs b/crypto/test/src/test/nist/NistCertPathTest2.cs
new file mode 100644
index 000000000..e9dd7f959
--- /dev/null
+++ b/crypto/test/src/test/nist/NistCertPathTest2.cs
@@ -0,0 +1,499 @@
+using System;
+using System.Collections;
+using System.IO;
+using System.Reflection;
+
+using NUnit.Framework;
+
+using Org.BouncyCastle.Asn1;
+using Org.BouncyCastle.Asn1.X509;
+using Org.BouncyCastle.Pkix;
+using Org.BouncyCastle.Utilities.Collections;
+using Org.BouncyCastle.Utilities.Date;
+using Org.BouncyCastle.Utilities.Test;
+using Org.BouncyCastle.X509;
+using Org.BouncyCastle.X509.Extension;
+using Org.BouncyCastle.X509.Store;
+
+namespace Org.BouncyCastle.Tests.Nist
+{
+    /**
+     * NIST CertPath test data for RFC 3280
+     */
+	[TestFixture]
+    public class NistCertPathTest2
+    {
+        private static readonly string ANY_POLICY = "2.5.29.32.0";
+        private static readonly string NIST_TEST_POLICY_1 = "2.16.840.1.101.3.2.1.48.1";
+        private static readonly string NIST_TEST_POLICY_2 = "2.16.840.1.101.3.2.1.48.2";
+        private static readonly string NIST_TEST_POLICY_3 = "2.16.840.1.101.3.2.1.48.3";
+
+		private static readonly IDictionary certs = new Hashtable();
+		private static readonly IDictionary crls = new Hashtable();
+
+        private static readonly ISet noPolicies = new HashSet();
+        private static readonly ISet anyPolicy = new HashSet();
+        private static readonly ISet nistTestPolicy1 = new HashSet();
+        private static readonly ISet nistTestPolicy2 = new HashSet();
+        private static readonly ISet nistTestPolicy3 = new HashSet();
+        private static readonly ISet nistTestPolicy1And2 = new HashSet();
+
+        static NistCertPathTest2()
+		{
+			anyPolicy.Add(ANY_POLICY);
+
+			nistTestPolicy1.Add(NIST_TEST_POLICY_1);
+			nistTestPolicy2.Add(NIST_TEST_POLICY_2);
+			nistTestPolicy3.Add(NIST_TEST_POLICY_3);
+			nistTestPolicy1And2.Add(NIST_TEST_POLICY_1);
+			nistTestPolicy1And2.Add(NIST_TEST_POLICY_2);
+		}
+
+        // 4.13
+		[Test]
+        public void TestValidDNnameConstraintsTest1()
+        {
+            DoTest("TrustAnchorRootCertificate",
+                new string[] { "ValidDNnameConstraintsTest1EE", "nameConstraintsDN1CACert" },
+                new string[] { "nameConstraintsDN1CACRL", "TrustAnchorRootCRL" });
+        }
+
+		[Test]
+        public void TestInvalidDNnameConstraintsTest2()
+        {
+            DoExceptionTest("TrustAnchorRootCertificate",
+                new string[]{"InvalidDNnameConstraintsTest2EE", "nameConstraintsDN1CACert"},
+                new string[]{"nameConstraintsDN1CACRL", "TrustAnchorRootCRL"},
+                0,
+                "Subtree check for certificate subject failed.");
+        }
+
+		[Test]
+        public void TestInvalidDNnameConstraintsTest3()
+        {
+            DoExceptionTest("TrustAnchorRootCertificate",
+                new string[]{"InvalidDNnameConstraintsTest3EE", "nameConstraintsDN1CACert"},
+                new string[]{"nameConstraintsDN1CACRL", "TrustAnchorRootCRL"},
+                0,
+                "Subtree check for certificate subject alternative name failed.");
+        }
+
+ 		[Test]
+       public void TestValidDNnameConstraintsTest4()
+        {
+            DoTest("TrustAnchorRootCertificate",
+                new string[] { "ValidDNnameConstraintsTest4EE", "nameConstraintsDN1CACert" },
+                new string[] { "nameConstraintsDN1CACRL", "TrustAnchorRootCRL" });
+        }
+
+		[Test]
+        public void TestValidDNnameConstraintsTest5()
+        {
+            DoTest("TrustAnchorRootCertificate",
+                new string[] { "ValidDNnameConstraintsTest5EE", "nameConstraintsDN2CACert" },
+                new string[] { "nameConstraintsDN2CACRL", "TrustAnchorRootCRL" });
+        }
+
+		[Test]
+        public void TestValidDNnameConstraintsTest6()
+        {
+            DoTest("TrustAnchorRootCertificate",
+                new string[] { "ValidDNnameConstraintsTest6EE", "nameConstraintsDN3CACert" },
+                new string[] { "nameConstraintsDN3CACRL", "TrustAnchorRootCRL" });
+        }
+
+		[Test]
+        public void TestInvalidDNnameConstraintsTest7()
+        {
+            DoExceptionTest("TrustAnchorRootCertificate",
+                new string[]{"InvalidDNnameConstraintsTest7EE", "nameConstraintsDN3CACert"},
+                new string[]{"nameConstraintsDN3CACRL", "TrustAnchorRootCRL"},
+                0,
+                "Subtree check for certificate subject failed.");
+        }
+
+		[Test]
+        public void TestInvalidDNnameConstraintsTest8()
+        {
+            DoExceptionTest("TrustAnchorRootCertificate",
+                new string[]{"InvalidDNnameConstraintsTest8EE", "nameConstraintsDN4CACert"},
+                new string[]{"nameConstraintsDN4CACRL", "TrustAnchorRootCRL"},
+                0,
+                "Subtree check for certificate subject failed.");
+        }
+
+		[Test]
+        public void TestInvalidDNnameConstraintsTest9()
+        {
+            DoExceptionTest("TrustAnchorRootCertificate",
+                new string[]{"InvalidDNnameConstraintsTest9EE", "nameConstraintsDN4CACert"},
+                new string[]{"nameConstraintsDN4CACRL", "TrustAnchorRootCRL"},
+                0,
+                "Subtree check for certificate subject failed.");
+        }
+
+		[Test]
+        public void TestInvalidDNnameConstraintsTest10()
+        {
+            DoExceptionTest("TrustAnchorRootCertificate",
+                new string[]{"InvalidDNnameConstraintsTest10EE", "nameConstraintsDN5CACert"},
+                new string[]{"nameConstraintsDN5CACRL", "TrustAnchorRootCRL"},
+                0,
+                "Subtree check for certificate subject failed.");
+        }
+
+		[Test]
+        public void TestValidDNnameConstraintsTest11()
+        {
+            DoTest("TrustAnchorRootCertificate",
+                new string[] { "ValidDNnameConstraintsTest11EE", "nameConstraintsDN5CACert" },
+                new string[] { "nameConstraintsDN5CACRL", "TrustAnchorRootCRL" });
+        }
+
+		[Test]
+        public void TestInvalidDNnameConstraintsTest12()
+        {
+            DoExceptionTest("TrustAnchorRootCertificate",
+                new string[]{"InvalidDNnameConstraintsTest10EE", "nameConstraintsDN5CACert"},
+                new string[]{"nameConstraintsDN5CACRL", "TrustAnchorRootCRL"},
+                0,
+                "Subtree check for certificate subject failed.");
+        }
+
+		[Test]
+        public void TestInvalidDNnameConstraintsTest13()
+        {
+            DoExceptionTest("TrustAnchorRootCertificate",
+                new string[]{"InvalidDNnameConstraintsTest13EE", "nameConstraintsDN1subCA2Cert", "nameConstraintsDN1CACert"},
+                new string[]{"nameConstraintsDN1subCA2CRL", "nameConstraintsDN1CACRL", "TrustAnchorRootCRL"},
+                0,
+                "Subtree check for certificate subject failed.");
+        }
+
+		[Test]
+        public void TestValidDNnameConstraintsTest14()
+        {
+            DoTest("TrustAnchorRootCertificate",
+                new string[] { "ValidDNnameConstraintsTest14EE", "nameConstraintsDN1subCA2Cert", "nameConstraintsDN1CACert" },
+                new string[] { "nameConstraintsDN1subCA2CRL", "nameConstraintsDN1CACRL", "TrustAnchorRootCRL" });
+        }
+
+		[Test]
+        public void TestInvalidDNnameConstraintsTest15()
+        {
+            DoExceptionTest("TrustAnchorRootCertificate",
+                new string[]{"InvalidDNnameConstraintsTest15EE", "nameConstraintsDN3subCA1Cert", "nameConstraintsDN3CACert"},
+                new string[]{"nameConstraintsDN3subCA1CRL", "nameConstraintsDN3CACRL", "TrustAnchorRootCRL"},
+                0,
+                "Subtree check for certificate subject failed.");
+        }
+
+		[Test]
+        public void TestInvalidDNnameConstraintsTest16()
+        {
+            DoExceptionTest("TrustAnchorRootCertificate",
+                new string[]{"InvalidDNnameConstraintsTest16EE", "nameConstraintsDN3subCA1Cert", "nameConstraintsDN3CACert"},
+                new string[]{"nameConstraintsDN3subCA1CRL", "nameConstraintsDN3CACRL", "TrustAnchorRootCRL"},
+                0,
+                "Subtree check for certificate subject failed.");
+        }
+
+		[Test]
+        public void TestInvalidDNnameConstraintsTest17()
+        {
+            DoExceptionTest("TrustAnchorRootCertificate",
+                new string[]{"InvalidDNnameConstraintsTest17EE", "nameConstraintsDN3subCA2Cert", "nameConstraintsDN3CACert"},
+                new string[]{"nameConstraintsDN3subCA2CRL", "nameConstraintsDN3CACRL", "TrustAnchorRootCRL"},
+                0,
+                "Subtree check for certificate subject failed.");
+        }
+
+ 		[Test]
+        public void TestValidDNnameConstraintsTest18()
+        {
+            DoTest("TrustAnchorRootCertificate",
+                new string[] { "ValidDNnameConstraintsTest18EE", "nameConstraintsDN3subCA2Cert", "nameConstraintsDN3CACert" },
+                new string[] { "nameConstraintsDN3subCA2CRL", "nameConstraintsDN3CACRL", "TrustAnchorRootCRL" });
+        }
+
+ 		[Test]
+        public void TestValidDNnameConstraintsTest19()
+        {
+            DoBuilderTest("TrustAnchorRootCertificate",
+                new string[] { "ValidDNnameConstraintsTest19EE", "nameConstraintsDN1SelfIssuedCACert", "nameConstraintsDN1CACert" },
+                new string[] { "nameConstraintsDN1CACRL", "TrustAnchorRootCRL" },
+                null, false, false);
+        }
+
+ 		[Test]
+        public void TestInvalidDNnameConstraintsTest20()
+        {
+            DoExceptionTest("TrustAnchorRootCertificate",
+                new string[]{"InvalidDNnameConstraintsTest20EE", "nameConstraintsDN1CACert"},
+                new string[]{"nameConstraintsDN1CACRL", "TrustAnchorRootCRL"},
+                0,
+                "CertPath for CRL signer failed to validate.");   // due to a subtree failure
+        }
+
+		private void DoExceptionTest(
+			string		trustAnchor,
+			string[]	certs,
+			string[]	crls,
+			int			index,
+			string		message)
+		{
+			try
+			{
+				DoTest(trustAnchor, certs, crls);
+
+				Assert.Fail("path accepted when should be rejected");
+			}
+			catch (PkixCertPathValidatorException e)
+			{
+				Assert.AreEqual(index, e.Index);
+				Assert.AreEqual(message, e.Message);
+			}
+		}
+
+		private void DoExceptionTest(
+			string		trustAnchor,
+			string[]	certs,
+			string[]	crls,
+			ISet		policies,
+			int			index,
+			string		message)
+		{
+			try
+			{
+				DoTest(trustAnchor, certs, crls, policies);
+
+				Assert.Fail("path accepted when should be rejected");
+			}
+			catch (PkixCertPathValidatorException e)
+			{
+				Assert.AreEqual(index, e.Index);
+				Assert.AreEqual(message, e.Message);
+			}
+		}
+
+		private void DoExceptionTest(
+			string		trustAnchor,
+			string[]	certs,
+			string[]	crls,
+			int			index,
+			string		mesStart,
+			string		mesEnd)
+		{
+			try
+			{
+				DoTest(trustAnchor, certs, crls);
+
+				Assert.Fail("path accepted when should be rejected");
+			}
+			catch (PkixCertPathValidatorException e)
+			{
+				Assert.AreEqual(index, e.Index);
+				Assert.IsTrue(e.Message.StartsWith(mesStart));
+				Assert.IsTrue(e.Message.EndsWith(mesEnd));
+			}
+		}
+
+		private PkixCertPathValidatorResult DoTest(
+			string trustAnchor,
+			string[] certs,
+			string[] crls)
+		{
+			return DoTest(trustAnchor, certs, crls, null);
+		}
+
+		private PkixCertPathValidatorResult DoTest(
+			string trustAnchor,
+			string[] certs,
+			string[] crls,
+			ISet policies)
+		{
+			ISet trustedSet = new HashSet();
+			trustedSet.Add(GetTrustAnchor(trustAnchor));
+
+			IList x509Certs = new ArrayList();
+			IList x509Crls = new ArrayList();
+			X509Certificate endCert = LoadCert(certs[certs.Length - 1]);
+
+			for (int i = 0; i != certs.Length - 1; i++)
+			{
+				x509Certs.Add(LoadCert(certs[i]));
+			}
+
+			x509Certs.Add(endCert);
+
+			PkixCertPath certPath = new PkixCertPath(x509Certs);
+
+			for (int i = 0; i != crls.Length; i++)
+			{
+				x509Crls.Add(LoadCrl(crls[i]));
+			}
+
+			IX509Store x509CertStore = X509StoreFactory.Create(
+				"Certificate/Collection",
+				new X509CollectionStoreParameters(x509Certs));
+			IX509Store x509CrlStore = X509StoreFactory.Create(
+				"CRL/Collection",
+				new X509CollectionStoreParameters(x509Crls));
+
+            PkixCertPathValidator validator = new PkixCertPathValidator();
+			PkixParameters parameters = new PkixParameters(trustedSet);
+
+			parameters.AddStore(x509CertStore);
+			parameters.AddStore(x509CrlStore);
+			parameters.IsRevocationEnabled = true;
+
+			if (policies != null)
+			{
+				parameters.IsExplicitPolicyRequired = true;
+				parameters.SetInitialPolicies(policies);
+			}
+
+			// Perform validation as of this date since test certs expired
+			parameters.Date = new DateTimeObject(DateTime.Parse("1/1/2011"));
+
+			return validator.Validate(certPath, parameters);
+        }
+
+        private PkixCertPathBuilderResult DoBuilderTest(
+            string trustAnchor,
+            string[] certs,
+            string[] crls,
+            ISet initialPolicies,
+            bool policyMappingInhibited,
+            bool anyPolicyInhibited)
+        {
+            ISet trustedSet = new HashSet();
+            trustedSet.Add(GetTrustAnchor(trustAnchor));
+
+            IList x509Certs = new ArrayList();
+            IList x509Crls = new ArrayList();
+            X509Certificate endCert = LoadCert(certs[certs.Length - 1]);
+
+            for (int i = 0; i != certs.Length - 1; i++)
+            {
+                x509Certs.Add(LoadCert(certs[i]));
+            }
+
+            x509Certs.Add(endCert);
+
+            for (int i = 0; i != crls.Length; i++)
+            {
+                x509Crls.Add(LoadCrl(crls[i]));
+            }
+
+            IX509Store x509CertStore = X509StoreFactory.Create(
+                "Certificate/Collection",
+                new X509CollectionStoreParameters(x509Certs));
+            IX509Store x509CrlStore = X509StoreFactory.Create(
+                "CRL/Collection",
+                new X509CollectionStoreParameters(x509Crls));
+
+            PkixCertPathBuilder builder = new PkixCertPathBuilder();
+
+            X509CertStoreSelector endSelector = new X509CertStoreSelector();
+
+            endSelector.Certificate = endCert;
+
+            PkixBuilderParameters builderParams = new PkixBuilderParameters(trustedSet, endSelector);
+
+            if (initialPolicies != null)
+            {
+                builderParams.SetInitialPolicies(initialPolicies);
+                builderParams.IsExplicitPolicyRequired = true;
+            }
+            if (policyMappingInhibited)
+            {
+                builderParams.IsPolicyMappingInhibited = policyMappingInhibited;
+            }
+            if (anyPolicyInhibited)
+            {
+                builderParams.IsAnyPolicyInhibited = anyPolicyInhibited;
+            }
+
+            builderParams.AddStore(x509CertStore);
+            builderParams.AddStore(x509CrlStore);
+
+            // Perform validation as of this date since test certs expired
+            builderParams.Date = new DateTimeObject(DateTime.Parse("1/1/2011"));
+
+            try
+            {
+                return (PkixCertPathBuilderResult)builder.Build(builderParams);
+            }
+            catch (PkixCertPathBuilderException e)
+            {
+                throw e.InnerException;
+            }
+        }
+
+        private X509Certificate LoadCert(string certName)
+		{
+			X509Certificate cert = (X509Certificate)certs[certName];
+			if (null != cert)
+				return cert;
+
+            Stream fs = null;
+
+			try
+			{
+				fs = SimpleTest.GetTestDataAsStream("PKITS.certs." + certName + ".crt");
+				cert = new X509CertificateParser().ReadCertificate(fs);
+				certs[certName] = cert;
+				return cert;
+			}
+			catch (Exception e)
+			{
+				throw new InvalidOperationException("exception loading certificate " + certName + ": " + e);
+			}
+			finally
+			{
+				fs.Close();
+			}
+		}
+
+		private X509Crl LoadCrl(string crlName)
+		{
+			X509Crl crl = (X509Crl)crls[crlName];
+			if (null != crl)
+				return crl;
+
+            Stream fs = null;
+
+			try
+			{
+				fs = SimpleTest.GetTestDataAsStream("PKITS.crls." + crlName + ".crl");
+				crl = new X509CrlParser().ReadCrl(fs);
+				crls[crlName] = crl;
+				return crl;
+			}
+			catch (Exception)
+			{
+				throw new InvalidOperationException("exception loading CRL: " + crlName);
+			}
+			finally
+			{
+				fs.Close();
+			}
+		}
+
+        private TrustAnchor GetTrustAnchor(string trustAnchorName)
+		{
+			X509Certificate cert = LoadCert(trustAnchorName);
+			Asn1OctetString extBytes = cert.GetExtensionValue(X509Extensions.NameConstraints);
+
+			if (extBytes != null)
+			{
+				Asn1Encodable extValue = X509ExtensionUtilities.FromExtensionValue(extBytes);
+
+				return new TrustAnchor(cert, extValue.GetDerEncoded());
+			}
+
+			return new TrustAnchor(cert, null);
+		}
+    }
+}