Diffstat (limited to 'crypto/src/pkix')
-rw-r--r-- | crypto/src/pkix/PkixAttrCertChecker.cs | 8 | ||||
-rw-r--r-- | crypto/src/pkix/PkixAttrCertPathBuilder.cs | 8 | ||||
-rw-r--r-- | crypto/src/pkix/PkixBuilderParameters.cs | 26 | ||||
-rw-r--r-- | crypto/src/pkix/PkixCertPathBuilder.cs | 19 | ||||
-rw-r--r-- | crypto/src/pkix/PkixCertPathChecker.cs | 7 | ||||
-rw-r--r-- | crypto/src/pkix/PkixCertPathValidator.cs | 26 | ||||
-rw-r--r-- | crypto/src/pkix/PkixCertPathValidatorUtilities.cs | 188 | ||||
-rw-r--r-- | crypto/src/pkix/PkixCrlUtilities.cs | 8 | ||||
-rw-r--r-- | crypto/src/pkix/PkixParameters.cs | 35 | ||||
-rw-r--r-- | crypto/src/pkix/PkixPolicyNode.cs | 23 | ||||
-rw-r--r-- | crypto/src/pkix/Rfc3280CertPathUtilities.cs | 260 | ||||
-rw-r--r-- | crypto/src/pkix/Rfc3281CertPathUtilities.cs | 37 |
12 files changed, 277 insertions, 368 deletions
diff --git a/crypto/src/pkix/PkixAttrCertChecker.cs b/crypto/src/pkix/PkixAttrCertChecker.cs index ca49bbd12..3d50bfbbc 100644 --- a/crypto/src/pkix/PkixAttrCertChecker.cs +++ b/crypto/src/pkix/PkixAttrCertChecker.cs @@ -1,7 +1,7 @@ using System; -using System.Collections; +using System.Collections.Generic; -using Org.BouncyCastle.Utilities.Collections; +using Org.BouncyCastle.Asn1; using Org.BouncyCastle.X509; namespace Org.BouncyCastle.Pkix @@ -27,7 +27,7 @@ namespace Org.BouncyCastle.Pkix * <code>PkixAttrCertChecker</code>, or <code>null</code> if no * extensions are supported */ - public abstract ISet GetSupportedExtensions(); + public abstract ISet<DerObjectIdentifier> GetSupportedExtensions(); /** * Performs checks on the specified attribute certificate. Every handled @@ -45,7 +45,7 @@ namespace Org.BouncyCastle.Pkix * does not pass the check. */ public abstract void Check(X509V2AttributeCertificate attrCert, PkixCertPath certPath, - PkixCertPath holderCertPath, ICollection unresolvedCritExts); + PkixCertPath holderCertPath, ICollection<string> unresolvedCritExts); /** * Returns a clone of this object. diff --git a/crypto/src/pkix/PkixAttrCertPathBuilder.cs b/crypto/src/pkix/PkixAttrCertPathBuilder.cs index 1120003a8..6902d76d6 100644 --- a/crypto/src/pkix/PkixAttrCertPathBuilder.cs +++ b/crypto/src/pkix/PkixAttrCertPathBuilder.cs 
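Review bot: The two checker base classes now disagree on how supported extensions are typed: PkixAttrCertChecker.GetSupportedExtensions returns `ISet<DerObjectIdentifier>` here, while PkixCertPathChecker.GetSupportedExtensions (the PkixCertPathChecker.cs hunk further down) returns `ISet<string>`, and the unresolved-critical-extension parameter is `ICollection<string>` here but `ISet<string>` there. Whatever code consults these sets (not visible in the diff) has to convert between `.Id` strings and OID objects for one class and not the other, and a mismatch on that boundary is how a critical extension ends up silently counted as handled or unhandled. Suggest one representation for both; `ISet<string>` matches what `GetCriticalExtensionOids()` yields elsewhere in this diff, i.e. `public abstract ISet<string> GetSupportedExtensions();`.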
@@ -56,15 +56,15 @@ namespace Org.BouncyCastle.Pkix { X509CertStoreSelector certSelector = new X509CertStoreSelector(); X509Name[] principals = target.Issuer.GetPrincipals(); - ISet issuers = new HashSet(); + var issuers = new HashSet<X509Certificate>(); for (int i = 0; i < principals.Length; i++) { + // TODO Replace loop with a single multiprincipal selector (or don't even use selector) try { certSelector.Subject = principals[i]; - issuers.AddAll(PkixCertPathValidatorUtilities.FindCertificates(certSelector, - pkixParams.GetStoresCert())); + CollectionUtilities.CollectMatches(issuers, certSelector, pkixParams.GetStoresCert()); } catch (Exception e) { @@ -74,7 +74,7 @@ namespace Org.BouncyCastle.Pkix } } - if (issuers.IsEmpty) + if (issuers.Count < 1) throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be found."); IList certPathList = Platform.CreateArrayList(); diff --git a/crypto/src/pkix/PkixBuilderParameters.cs b/crypto/src/pkix/PkixBuilderParameters.cs index 1dcccb2f8..b76c97874 100644 --- a/crypto/src/pkix/PkixBuilderParameters.cs +++ b/crypto/src/pkix/PkixBuilderParameters.cs @@ -1,4 +1,5 @@ using System; +using System.Collections.Generic; using System.Text; using Org.BouncyCastle.Security; @@ -16,7 +17,7 @@ namespace Org.BouncyCastle.Pkix { private int maxPathLength = 5; - private ISet excludedCerts = new HashSet(); + private ISet<X509Certificate> excludedCerts = new HashSet<X509Certificate>(); /** * Returns an instance of <code>PkixBuilderParameters</code>. 
@@ -40,12 +41,12 @@ namespace Org.BouncyCastle.Pkix return parameters; } - public PkixBuilderParameters(ISet trustAnchors, ISelector<X509Certificate> targetConstraintsCert) + public PkixBuilderParameters(ISet<TrustAnchor> trustAnchors, ISelector<X509Certificate> targetConstraintsCert) : this(trustAnchors, targetConstraintsCert, null) { } - public PkixBuilderParameters(ISet trustAnchors, ISelector<X509Certificate> targetConstraintsCert, + public PkixBuilderParameters(ISet<TrustAnchor> trustAnchors, ISelector<X509Certificate> targetConstraintsCert, ISelector<X509V2AttributeCertificate> targetConstraintsAttrCert) : base(trustAnchors) { @@ -71,9 +72,9 @@ namespace Org.BouncyCastle.Pkix /// Excluded certificates are not used for building a certification path. /// </summary> /// <returns>the excluded certificates.</returns> - public virtual ISet GetExcludedCerts() + public virtual ISet<X509Certificate> GetExcludedCerts() { - return new HashSet(excludedCerts); + return new HashSet<X509Certificate>(excludedCerts); } /// <summary> @@ -85,16 +86,15 @@ namespace Org.BouncyCastle.Pkix /// The given set is cloned to protect it against subsequent modifications. /// </remarks> /// <param name="excludedCerts">The excluded certificates to set.</param> - public virtual void SetExcludedCerts( - ISet excludedCerts) + public virtual void SetExcludedCerts(ISet<X509Certificate> excludedCerts) { if (excludedCerts == null) { - this.excludedCerts = new HashSet(); + this.excludedCerts = new HashSet<X509Certificate>(); } else { - this.excludedCerts = new HashSet(excludedCerts); + this.excludedCerts = new HashSet<X509Certificate>(excludedCerts); } } 
@@ -105,15 +105,13 @@ namespace Org.BouncyCastle.Pkix * @param params Parameters to set. * @see org.bouncycastle.x509.ExtendedPKIXParameters#setParams(java.security.cert.PKIXParameters) */ - protected override void SetParams( - PkixParameters parameters) + protected override void SetParams(PkixParameters parameters) { base.SetParams(parameters); - if (parameters is PkixBuilderParameters) + if (parameters is PkixBuilderParameters _params) { - PkixBuilderParameters _params = (PkixBuilderParameters) parameters; maxPathLength = _params.maxPathLength; - excludedCerts = new HashSet(_params.excludedCerts); + excludedCerts = new HashSet<X509Certificate>(_params.excludedCerts); } } diff --git a/crypto/src/pkix/PkixCertPathBuilder.cs b/crypto/src/pkix/PkixCertPathBuilder.cs index 3ef66b1b9..970fceb99 100644 --- a/crypto/src/pkix/PkixCertPathBuilder.cs +++ b/crypto/src/pkix/PkixCertPathBuilder.cs @@ -1,19 +1,11 @@ using System; using System.Collections; -using System.Text; - -using Org.BouncyCastle.Asn1.IsisMtt; -using Org.BouncyCastle.Asn1; -using Org.BouncyCastle.Asn1.X509; -using Org.BouncyCastle.Asn1.X500; -using Org.BouncyCastle.Crypto; -using Org.BouncyCastle.Crypto.Parameters; -using Org.BouncyCastle.Math; +using System.Collections.Generic; + using Org.BouncyCastle.Security.Certificates; using Org.BouncyCastle.Utilities; using Org.BouncyCastle.Utilities.Collections; using Org.BouncyCastle.X509; -using Org.BouncyCastle.X509.Store; namespace Org.BouncyCastle.Pkix { @@ -38,11 +30,10 @@ namespace Org.BouncyCastle.Pkix var certSelector = pkixParams.GetTargetConstraintsCert(); - ISet targets = new HashSet(); + var targets = new HashSet<X509Certificate>(); try { - targets.AddAll( - PkixCertPathValidatorUtilities.FindCertificates(certSelector, pkixParams.GetStoresCert())); + CollectionUtilities.CollectMatches(targets, certSelector, pkixParams.GetStoresCert()); } catch (Exception e) { 
@@ -50,7 +41,7 @@ namespace Org.BouncyCastle.Pkix "Error finding target certificate.", e); } - if (targets.IsEmpty) + if (targets.Count < 1) throw new PkixCertPathBuilderException("No certificate found matching targetConstraints."); PkixCertPathBuilderResult result = null; diff --git a/crypto/src/pkix/PkixCertPathChecker.cs b/crypto/src/pkix/PkixCertPathChecker.cs index da7e82b46..08b7e3d41 100644 --- a/crypto/src/pkix/PkixCertPathChecker.cs +++ b/crypto/src/pkix/PkixCertPathChecker.cs @@ -1,4 +1,5 @@ -using Org.BouncyCastle.Utilities.Collections; +using System.Collections.Generic; + using Org.BouncyCastle.X509; namespace Org.BouncyCastle.Pkix @@ -63,7 +64,7 @@ namespace Org.BouncyCastle.Pkix * <code>PKIXCertPathChecker</code>, or <code>null</code> if no * extensions are supported */ - public abstract ISet GetSupportedExtensions(); + public abstract ISet<string> GetSupportedExtensions(); /** * Performs the check(s) on the specified certificate using its internal @@ -80,7 +81,7 @@ namespace Org.BouncyCastle.Pkix * @exception CertPathValidatorException * if the specified certificate does not pass the check */ - public abstract void Check(X509Certificate cert, ISet unresolvedCritExts); + public abstract void Check(X509Certificate cert, ISet<string> unresolvedCritExts); //throws CertPathValidatorException; /** diff --git a/crypto/src/pkix/PkixCertPathValidator.cs b/crypto/src/pkix/PkixCertPathValidator.cs index 95939e0bd..cebeed46f 100644 --- a/crypto/src/pkix/PkixCertPathValidator.cs +++ b/crypto/src/pkix/PkixCertPathValidator.cs @@ -71,7 +71,7 @@ namespace Org.BouncyCastle.Pkix // // (c) // - ISet userInitialPolicySet = paramsPkix.GetInitialPolicies(); + var userInitialPolicySet = paramsPkix.GetInitialPolicies(); // // (d) 
@@ -113,12 +113,12 @@ namespace Org.BouncyCastle.Pkix policyNodes[j] = new List<PkixPolicyNode>(); } - ISet policySet = new HashSet(); + var policySet = new HashSet<string>(); policySet.Add(Rfc3280CertPathUtilities.ANY_POLICY); - var validPolicyTree = new PkixPolicyNode(new List<PkixPolicyNode>(), 0, policySet, null, new HashSet(), - Rfc3280CertPathUtilities.ANY_POLICY, false); + var validPolicyTree = new PkixPolicyNode(new List<PkixPolicyNode>(), 0, policySet, null, + new HashSet<PolicyQualifierInfo>(), Rfc3280CertPathUtilities.ANY_POLICY, false); policyNodes[0].Add(validPolicyTree); @@ -130,7 +130,7 @@ namespace Org.BouncyCastle.Pkix // (d) // int explicitPolicy; - ISet acceptablePolicies = new HashSet(); + var acceptablePolicies = new HashSet<string>(); if (paramsPkix.IsExplicitPolicyRequired) { @@ -326,11 +326,11 @@ namespace Org.BouncyCastle.Pkix // (n) Rfc3280CertPathUtilities.PrepareNextCertN(certPath, index); - ISet criticalExtensions1 = cert.GetCriticalExtensionOids(); + var criticalExtensions1 = cert.GetCriticalExtensionOids(); if (criticalExtensions1 != null) { - criticalExtensions1 = new HashSet(criticalExtensions1); + criticalExtensions1 = new HashSet<string>(criticalExtensions1); // these extensions are handled by the algorithm criticalExtensions1.Remove(X509Extensions.KeyUsage.Id); @@ -346,7 +346,7 @@ namespace Org.BouncyCastle.Pkix } else { - criticalExtensions1 = new HashSet(); + criticalExtensions1 = new HashSet<string>(); } // (o) @@ -391,11 +391,11 @@ namespace Org.BouncyCastle.Pkix // // (f) // - ISet criticalExtensions = cert.GetCriticalExtensionOids(); + var criticalExtensions = cert.GetCriticalExtensionOids(); if (criticalExtensions != null) { - criticalExtensions = new HashSet(criticalExtensions); + criticalExtensions = new HashSet<string>(criticalExtensions); // Requires .Id // these extensions are handled by the algorithm 
@@ -413,13 +413,13 @@ namespace Org.BouncyCastle.Pkix } else { - criticalExtensions = new HashSet(); + criticalExtensions = new HashSet<string>(); } Rfc3280CertPathUtilities.WrapupCertF(certPath, index + 1, certPathCheckers, criticalExtensions); - PkixPolicyNode intersection = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, userInitialPolicySet, - index + 1, policyNodes, validPolicyTree, acceptablePolicies); + PkixPolicyNode intersection = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, + userInitialPolicySet, index + 1, policyNodes, validPolicyTree, acceptablePolicies); if ((explicitPolicy > 0) || (intersection != null)) { diff --git a/crypto/src/pkix/PkixCertPathValidatorUtilities.cs b/crypto/src/pkix/PkixCertPathValidatorUtilities.cs index 731f8dfe0..fc65b2535 100644 --- a/crypto/src/pkix/PkixCertPathValidatorUtilities.cs +++ b/crypto/src/pkix/PkixCertPathValidatorUtilities.cs @@ -61,11 +61,9 @@ namespace Org.BouncyCastle.Pkix /// <code>null</code> if not. /// </returns> /// @exception - internal static TrustAnchor FindTrustAnchor( - X509Certificate cert, - ISet trustAnchors) + internal static TrustAnchor FindTrustAnchor(X509Certificate cert, ISet<TrustAnchor> trustAnchors) { - IEnumerator iter = trustAnchors.GetEnumerator(); + var iter = trustAnchors.GetEnumerator(); TrustAnchor trust = null; AsymmetricKeyParameter trustPublicKey = null; Exception invalidKeyEx = null; @@ -83,7 +81,7 @@ namespace Org.BouncyCastle.Pkix while (iter.MoveNext() && trust == null) { - trust = (TrustAnchor) iter.Current; + trust = iter.Current; if (trust.TrustedCert != null) { if (certSelectX509.Match(trust.TrustedCert)) @@ -143,9 +141,7 @@ namespace Org.BouncyCastle.Pkix return trust; } - internal static bool IsIssuerTrustAnchor( - X509Certificate cert, - ISet trustAnchors) + internal static bool IsIssuerTrustAnchor(X509Certificate cert, ISet<TrustAnchor> trustAnchors) { try { 
@@ -236,10 +232,9 @@ namespace Org.BouncyCastle.Pkix } } - internal static bool IsAnyPolicy( - ISet policySet) + internal static bool IsAnyPolicy(ISet<string> policySet) { - return policySet == null || policySet.Contains(ANY_POLICY) || policySet.Count == 0; + return policySet == null || policySet.Count < 1 || policySet.Contains(ANY_POLICY); } internal static void AddAdditionalStoreFromLocation( @@ -310,23 +305,22 @@ namespace Org.BouncyCastle.Pkix // policy checking // - internal static ISet GetQualifierSet(Asn1Sequence qualifiers) + internal static ISet<PolicyQualifierInfo> GetQualifierSet(Asn1Sequence qualifiers) { - ISet pq = new HashSet(); - - if (qualifiers == null) - return pq; + var pq = new HashSet<PolicyQualifierInfo>(); - foreach (Asn1Encodable ae in qualifiers) - { - try - { - pq.Add(PolicyQualifierInfo.GetInstance(Asn1Object.FromByteArray(ae.GetEncoded()))); - //pq.Add(PolicyQualifierInfo.GetInstance(ae.ToAsn1Object())); - } - catch (IOException ex) + if (qualifiers != null) + { + foreach (Asn1Encodable ae in qualifiers) { - throw new PkixCertPathValidatorException("Policy qualifier info cannot be decoded.", ex); + try + { + pq.Add(PolicyQualifierInfo.GetInstance(ae.ToAsn1Object())); + } + catch (IOException ex) + { + throw new PkixCertPathValidatorException("Policy qualifier info cannot be decoded.", ex); + } } } 
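Review bot: With the `GetEncoded()`/`FromByteArray` round trip removed, the `catch (IOException ex)` in GetQualifierSet looks unreachable: `ae.ToAsn1Object()` and `PolicyQualifierInfo.GetInstance` report a malformed qualifier through an argument-type exception rather than IOException, so a bad qualifier in an untrusted certificate would now escape as a raw exception instead of the PkixCertPathValidatorException that callers such as PrepareNextCertB1 catch. If that is right, the filter should match what GetInstance actually throws, e.g. `catch (Exception ex) { throw new PkixCertPathValidatorException("Policy qualifier info cannot be decoded.", ex); }`, or the decode round trip should be kept. GetQualifierSet's body (its `return pq;`) continues outside the hunk.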
@@ -374,90 +368,78 @@ namespace Org.BouncyCastle.Pkix } } - internal static void PrepareNextCertB1( - int i, - IList[] policyNodes, - string id_p, - IDictionary m_idp, - X509Certificate cert) + internal static void PrepareNextCertB1(int i, IList<PkixPolicyNode>[] policyNodes, string id_p, + IDictionary<string, ISet<string>> m_idp, X509Certificate cert) { - bool idp_found = false; - IEnumerator nodes_i = policyNodes[i].GetEnumerator(); - while (nodes_i.MoveNext()) + foreach (var node in policyNodes[i]) { - PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current; if (node.ValidPolicy.Equals(id_p)) { - idp_found = true; - node.ExpectedPolicies = (ISet)m_idp[id_p]; - break; + node.ExpectedPolicies = CollectionUtilities.GetValueOrNull(m_idp, id_p); + return; } } - if (!idp_found) + foreach (var node in policyNodes[i]) { - nodes_i = policyNodes[i].GetEnumerator(); - while (nodes_i.MoveNext()) + if (ANY_POLICY.Equals(node.ValidPolicy)) { - PkixPolicyNode node = (PkixPolicyNode)nodes_i.Current; - if (ANY_POLICY.Equals(node.ValidPolicy)) + Asn1Sequence policies; + try + { + policies = Asn1Sequence.GetInstance( + GetExtensionValue(cert, X509Extensions.CertificatePolicies)); + } + catch (Exception e) { - ISet pq = null; - Asn1Sequence policies = null; + throw new Exception("Certificate policies cannot be decoded.", e); + } + + ISet<PolicyQualifierInfo> pq = null; + + foreach (var policy in policies) + { + PolicyInformation pinfo; try { - policies = DerSequence.GetInstance(GetExtensionValue(cert, X509Extensions.CertificatePolicies)); + pinfo = PolicyInformation.GetInstance(policy); } - catch (Exception e) + catch (Exception ex) { - throw new Exception("Certificate policies cannot be decoded.", e); + throw new Exception("Policy information cannot be decoded.", ex); } - IEnumerator enm = policies.GetEnumerator(); - while (enm.MoveNext()) + if (ANY_POLICY.Equals(pinfo.PolicyIdentifier.Id)) { - PolicyInformation pinfo = null; - try { - pinfo = 
PolicyInformation.GetInstance(enm.Current); + pq = GetQualifierSet(pinfo.PolicyQualifiers); } - catch (Exception ex) + catch (PkixCertPathValidatorException ex) { - throw new Exception("Policy information cannot be decoded.", ex); + throw new PkixCertPathValidatorException( + "Policy qualifier info set could not be built.", ex); } - - if (ANY_POLICY.Equals(pinfo.PolicyIdentifier.Id)) - { - try - { - pq = GetQualifierSet(pinfo.PolicyQualifiers); - } - catch (PkixCertPathValidatorException ex) - { - throw new PkixCertPathValidatorException( - "Policy qualifier info set could not be built.", ex); - } - break; - } - } - bool ci = false; - ISet critExtOids = cert.GetCriticalExtensionOids(); - if (critExtOids != null) - { - ci = critExtOids.Contains(X509Extensions.CertificatePolicies.Id); + break; } + } - PkixPolicyNode p_node = node.Parent; - if (ANY_POLICY.Equals(p_node.ValidPolicy)) - { - PkixPolicyNode c_node = new PkixPolicyNode(new List<PkixPolicyNode>(), i, (ISet)m_idp[id_p], - p_node, pq, id_p, ci); - p_node.AddChild(c_node); - policyNodes[i].Add(c_node); - } - break; + bool ci = false; + var critExtOids = cert.GetCriticalExtensionOids(); + if (critExtOids != null) + { + ci = critExtOids.Contains(X509Extensions.CertificatePolicies.Id); + } + + PkixPolicyNode p_node = node.Parent; + if (ANY_POLICY.Equals(p_node.ValidPolicy)) + { + PkixPolicyNode c_node = new PkixPolicyNode(new List<PkixPolicyNode>(), i, + CollectionUtilities.GetValueOrNull(m_idp, id_p), p_node, pq, id_p, ci); + p_node.AddChild(c_node); + policyNodes[i].Add(c_node); } + break; } } } 
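Review bot: `ISet<PolicyQualifierInfo> pq = null;` is still handed to the PkixPolicyNode constructor when none of the certificate's PolicyInformation entries is anyPolicy, and PkixPolicyNode.PolicyQualifiers (the PkixPolicyNode.cs hunk) now copies the field with `new HashSet<PolicyQualifierInfo>(this.mPolicyQualifiers)`, which throws ArgumentNullException on null; whether the constructor normalizes null is not visible here. The same applies to `CollectionUtilities.GetValueOrNull(m_idp, id_p)` flowing into the `ExpectedPolicies` setter's `new HashSet<string>(value)`. Unless null is a deliberate sentinel, start from an empty set: `ISet<PolicyQualifierInfo> pq = new HashSet<PolicyQualifierInfo>();`.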
@@ -687,25 +669,6 @@ namespace Org.BouncyCastle.Pkix return ((X509Certificate)certPath.Certificates[index - 1]).NotBefore; } - /// <summary> - /// Return a Collection of all certificates found - /// in the stores that are matching the certSelector criteria. - /// </summary> - /// <param name="certSelector">an <see cref="ISelector{T}"/> object that will be used to select - /// the certificates.</param> - /// <param name="certStores">a List containing only IStore objects. These - /// are used to search for certificates.</param> - /// <returns>a Collection of all found <see cref="X509Certificate"/> objects. - /// May be empty but never <code>null</code>.</returns> - /// <exception cref="Exception"></exception> - internal static List<X509Certificate> FindCertificates(ISelector<X509Certificate> certSelector, - IList<IStore<X509Certificate>> certStores) - { - var result = new List<X509Certificate>(); - CollectionUtilities.CollectMatches(result, certSelector, certStores); - return result; - } - /** * Add the CRL issuers from the cRLIssuer field of the distribution point or * from the certificate if not given to the issuer criterion of the @@ -728,7 +691,7 @@ namespace Org.BouncyCastle.Pkix */ internal static void GetCrlIssuersFromDistributionPoint( DistributionPoint dp, - ICollection issuerPrincipals, + ICollection<X509Name> issuerPrincipals, X509CrlStoreSelector selector, PkixParameters pkixParams) { @@ -843,7 +806,7 @@ namespace Org.BouncyCastle.Pkix X509CrlStoreSelector crlselect = new X509CrlStoreSelector(); try { - ISet issuers = new HashSet(); + var issuers = new HashSet<X509Name>(); issuers.Add(certObjIssuer); GetCrlIssuersFromDistributionPoint(dp, issuers, crlselect, paramsPKIX); @@ -954,7 +917,7 @@ namespace Org.BouncyCastle.Pkix foreach (X509Crl crl in temp) { - if (isDeltaCrl(crl)) + if (IsDeltaCrl(crl)) { result.Add(crl); } 
@@ -963,10 +926,9 @@ namespace Org.BouncyCastle.Pkix return result; } - private static bool isDeltaCrl( - X509Crl crl) + private static bool IsDeltaCrl(X509Crl crl) { - ISet critical = crl.GetCriticalExtensionOids(); + var critical = crl.GetCriticalExtensionOids(); return critical.Contains(X509Extensions.DeltaCrlIndicator.Id); } @@ -1013,13 +975,13 @@ namespace Org.BouncyCastle.Pkix } internal static bool ProcessCertD1i(int index, IList<PkixPolicyNode>[] policyNodes, DerObjectIdentifier pOid, - ISet pq) + ISet<PolicyQualifierInfo> pq) { foreach (var node in policyNodes[index - 1]) { if (node.ExpectedPolicies.Contains(pOid.Id)) { - var childExpectedPolicies = new HashSet(); + var childExpectedPolicies = new HashSet<string>(); childExpectedPolicies.Add(pOid.Id); var child = new PkixPolicyNode(new List<PkixPolicyNode>(), index, childExpectedPolicies, node, pq, @@ -1035,13 +997,13 @@ namespace Org.BouncyCastle.Pkix } internal static void ProcessCertD1ii(int index, IList<PkixPolicyNode>[] policyNodes, - DerObjectIdentifier _poid, ISet _pq) + DerObjectIdentifier _poid, ISet<PolicyQualifierInfo> _pq) { foreach (var _node in policyNodes[index - 1]) { if (ANY_POLICY.Equals(_node.ValidPolicy)) { - ISet _childExpectedPolicies = new HashSet(); + var _childExpectedPolicies = new HashSet<string>(); _childExpectedPolicies.Add(_poid.Id); var _child = new PkixPolicyNode(new List<PkixPolicyNode>(), index, _childExpectedPolicies, _node, diff --git a/crypto/src/pkix/PkixCrlUtilities.cs b/crypto/src/pkix/PkixCrlUtilities.cs index 341c9a514..8740cc780 100644 --- a/crypto/src/pkix/PkixCrlUtilities.cs +++ b/crypto/src/pkix/PkixCrlUtilities.cs 
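Review bot: IsDeltaCrl dereferences `crl.GetCriticalExtensionOids()` unconditionally, while the same call on X509Certificate is null-checked everywhere else in this diff (e.g. `if (criticalExtensions1 != null)` in PkixCertPathValidator). If the CRL overload also returns null for a CRL with no critical extensions, any such CRL from a store consulted during revocation checking would make GetDeltaCrls fail with a NullReferenceException rather than being treated as a non-delta CRL. `return critical != null && critical.Contains(X509Extensions.DeltaCrlIndicator.Id);` keeps the method total; whether the CRL overload can return null is not visible in the diff.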
@@ -52,21 +52,17 @@ namespace Org.BouncyCastle.Pkix return finalSet; } - public virtual ISet FindCrls(X509CrlStoreSelector crlSelector, PkixParameters paramsPkix) + public virtual ISet<X509Crl> FindCrls(X509CrlStoreSelector crlSelector, PkixParameters paramsPkix) { - ISet completeSet = new HashSet(); - // get complete CRL(s) try { - completeSet.AddAll(FindCrls(crlSelector, paramsPkix.GetStoresCrl())); + return FindCrls(crlSelector, paramsPkix.GetStoresCrl()); } catch (Exception e) { throw new Exception("Exception obtaining complete CRLs.", e); } - - return completeSet; } /// <summary> diff --git a/crypto/src/pkix/PkixParameters.cs b/crypto/src/pkix/PkixParameters.cs index 32189acfb..eb741fece 100644 --- a/crypto/src/pkix/PkixParameters.cs +++ b/crypto/src/pkix/PkixParameters.cs @@ -41,11 +41,11 @@ namespace Org.BouncyCastle.Pkix */ public const int ChainValidityModel = 1; - private ISet trustAnchors; + private HashSet<TrustAnchor> trustAnchors; private DateTimeObject date; private IList certPathCheckers; private bool revocationEnabled = true; - private ISet initialPolicies; + private HashSet<string> initialPolicies; //private bool checkOnlyEECertificateCrl = false; private bool explicitPolicyRequired = false; private bool anyPolicyInhibited = false; @@ -85,12 +85,11 @@ namespace Org.BouncyCastle.Pkix * if any of the elements in the Set are not of type * <code>java.security.cert.TrustAnchor</code> */ - public PkixParameters( - ISet trustAnchors) + public PkixParameters(ISet<TrustAnchor> trustAnchors) { SetTrustAnchors(trustAnchors); - this.initialPolicies = new HashSet(); + this.initialPolicies = new HashSet<string>(); this.certPathCheckers = Platform.CreateArrayList(); this.m_storesAttrCert = new List<IStore<X509V2AttributeCertificate>>(); this.m_storesCert = new List<IStore<X509Certificate>>(); 
@@ -186,23 +185,22 @@ namespace Org.BouncyCastle.Pkix } // Returns a Set of the most-trusted CAs. - public virtual ISet GetTrustAnchors() + public virtual ISet<TrustAnchor> GetTrustAnchors() { - return new HashSet(this.trustAnchors); + return new HashSet<TrustAnchor>(this.trustAnchors); } // Sets the set of most-trusted CAs. // Set is copied to protect against subsequent modifications. - public virtual void SetTrustAnchors( - ISet tas) + public virtual void SetTrustAnchors(ISet<TrustAnchor> tas) { if (tas == null) throw new ArgumentNullException("value"); - if (tas.IsEmpty) + if (tas.Count < 1) throw new ArgumentException("non-empty set required", "value"); // Explicit copy to enforce type-safety - this.trustAnchors = new HashSet(); + this.trustAnchors = new HashSet<TrustAnchor>(); foreach (TrustAnchor ta in tas) { if (ta != null) @@ -311,17 +309,13 @@ namespace Org.BouncyCastle.Pkix * * @see #setInitialPolicies(java.util.Set) */ - public virtual ISet GetInitialPolicies() + public virtual ISet<string> GetInitialPolicies() { - ISet returnSet = initialPolicies; - // TODO Can it really be null? if (initialPolicies == null) - { - returnSet = new HashSet(); - } + return new HashSet<string>(); - return new HashSet(returnSet); + return new HashSet<string>(initialPolicies); } /** @@ -345,10 +339,9 @@ namespace Org.BouncyCastle.Pkix * * @see #getInitialPolicies() */ - public virtual void SetInitialPolicies( - ISet initialPolicies) + public virtual void SetInitialPolicies(ISet<string> initialPolicies) { - this.initialPolicies = new HashSet(); + this.initialPolicies = new HashSet<string>(); if (initialPolicies != null) { foreach (string obj in initialPolicies) diff --git a/crypto/src/pkix/PkixPolicyNode.cs b/crypto/src/pkix/PkixPolicyNode.cs index 2e2e39caf..0ea80b258 100644 --- a/crypto/src/pkix/PkixPolicyNode.cs +++ b/crypto/src/pkix/PkixPolicyNode.cs 
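Review bot: Both throws in SetTrustAnchors report the parameter name as `"value"` while the parameter is `tas`, so the exception callers see names a parameter that does not exist on this method. Use `nameof(tas)` in both: `throw new ArgumentNullException(nameof(tas));` and `throw new ArgumentException("non-empty set required", nameof(tas));`. Also, with the typed `ISet<TrustAnchor>` parameter the `// Explicit copy to enforce type-safety` comment no longer describes why the loop exists — its remaining effect is dropping null entries, so the comment should say that. SetTrustAnchors continues past the hunk.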
@@ -2,6 +2,7 @@ using System; using System.Collections.Generic; using System.Text; +using Org.BouncyCastle.Asn1.X509; using Org.BouncyCastle.Utilities; using Org.BouncyCastle.Utilities.Collections; @@ -15,9 +16,9 @@ namespace Org.BouncyCastle.Pkix { protected IList<PkixPolicyNode> mChildren; protected int mDepth; - protected ISet mExpectedPolicies; + protected ISet<string> mExpectedPolicies; protected PkixPolicyNode mParent; - protected ISet mPolicyQualifiers; + protected ISet<PolicyQualifierInfo> mPolicyQualifiers; protected string mValidPolicy; protected bool mCritical; @@ -37,9 +38,9 @@ namespace Org.BouncyCastle.Pkix set { this.mCritical = value; } } - public virtual ISet PolicyQualifiers + public virtual ISet<PolicyQualifierInfo> PolicyQualifiers { - get { return new HashSet(this.mPolicyQualifiers); } + get { return new HashSet<PolicyQualifierInfo>(this.mPolicyQualifiers); } } public virtual string ValidPolicy @@ -52,10 +53,10 @@ namespace Org.BouncyCastle.Pkix get { return mChildren.Count != 0; } } - public virtual ISet ExpectedPolicies + public virtual ISet<string> ExpectedPolicies { - get { return new HashSet(this.mExpectedPolicies); } - set { this.mExpectedPolicies = new HashSet(value); } + get { return new HashSet<string>(this.mExpectedPolicies); } + set { this.mExpectedPolicies = new HashSet<string>(value); } } public virtual PkixPolicyNode Parent @@ -68,9 +69,9 @@ namespace Org.BouncyCastle.Pkix public PkixPolicyNode( IEnumerable<PkixPolicyNode> children, int depth, - ISet expectedPolicies, + ISet<string> expectedPolicies, PkixPolicyNode parent, - ISet policyQualifiers, + ISet<PolicyQualifierInfo> policyQualifiers, string validPolicy, bool critical) { 
@@ -139,9 +140,9 @@ namespace Org.BouncyCastle.Pkix PkixPolicyNode node = new PkixPolicyNode( new List<PkixPolicyNode>(), mDepth, - new HashSet(mExpectedPolicies), + new HashSet<string>(mExpectedPolicies), null, - new HashSet(mPolicyQualifiers), + new HashSet<PolicyQualifierInfo>(mPolicyQualifiers), mValidPolicy, mCritical); diff --git a/crypto/src/pkix/Rfc3280CertPathUtilities.cs b/crypto/src/pkix/Rfc3280CertPathUtilities.cs index 7359d2568..07293dfaf 100644 --- a/crypto/src/pkix/Rfc3280CertPathUtilities.cs +++ b/crypto/src/pkix/Rfc3280CertPathUtilities.cs @@ -378,7 +378,7 @@ namespace Org.BouncyCastle.Pkix } /// <exception cref="PkixCertPathValidatorException"/> - internal static PkixPolicyNode ProcessCertD(PkixCertPath certPath, int index, ISet acceptablePolicies, + internal static PkixPolicyNode ProcessCertD(PkixCertPath certPath, int index, ISet<string> acceptablePolicies, PkixPolicyNode validPolicyTree, IList<PkixPolicyNode>[] policyNodes, int inhibitAnyPolicy) { IList certs = certPath.Certificates; @@ -406,7 +406,7 @@ namespace Org.BouncyCastle.Pkix // // (d) (1) // - ISet pols = new HashSet(); + var pols = new HashSet<string>(); foreach (Asn1Encodable ae in certPolicies) { @@ -417,7 +417,7 @@ namespace Org.BouncyCastle.Pkix if (!ANY_POLICY.Equals(pOid.Id)) { - ISet pq = null; + ISet<PolicyQualifierInfo> pq; try { pq = PkixCertPathValidatorUtilities.GetQualifierSet(pInfo.PolicyQualifiers); @@ -437,16 +437,16 @@ namespace Org.BouncyCastle.Pkix } } - if (acceptablePolicies.IsEmpty || acceptablePolicies.Contains(ANY_POLICY)) + if (acceptablePolicies.Count < 1 || acceptablePolicies.Contains(ANY_POLICY)) { acceptablePolicies.Clear(); - acceptablePolicies.AddAll(pols); + acceptablePolicies.UnionWith(pols); } else { - ISet t1 = new HashSet(); + var t1 = new HashSet<string>(); - foreach (object o in acceptablePolicies) + foreach (var o in acceptablePolicies) { if (pols.Contains(o)) { 
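Review bot: Now that `acceptablePolicies` is an `ISet<string>`, the else branch of ProcessCertD that copies the common elements into `t1`, then clears and re-adds them (continuing into the next hunk) is the built-in set intersection: `acceptablePolicies.IntersectWith(pols);` replaces the temporary set, the loop and the `Clear()`/`UnionWith(t1)` pair, which is both shorter and harder to get subtly wrong. ProcessCertD begins before this hunk and continues after it.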
@@ -454,7 +454,7 @@ namespace Org.BouncyCastle.Pkix } } acceptablePolicies.Clear(); - acceptablePolicies.AddAll(t1); + acceptablePolicies.UnionWith(t1); } // @@ -467,26 +467,12 @@ namespace Org.BouncyCastle.Pkix PolicyInformation pInfo = PolicyInformation.GetInstance(ae.ToAsn1Object()); if (ANY_POLICY.Equals(pInfo.PolicyIdentifier.Id)) { - ISet _apq = PkixCertPathValidatorUtilities.GetQualifierSet(pInfo.PolicyQualifiers); + var _apq = PkixCertPathValidatorUtilities.GetQualifierSet(pInfo.PolicyQualifiers); foreach (var _node in policyNodes[i - 1]) { - foreach (var _tmp in _node.ExpectedPolicies) + foreach (var _policy in _node.ExpectedPolicies) { - string _policy; - if (_tmp is string) - { - _policy = (string)_tmp; - } - else if (_tmp is DerObjectIdentifier) - { - _policy = ((DerObjectIdentifier)_tmp).Id; - } - else - { - continue; - } - bool _found = false; foreach (PkixPolicyNode _child in _node.Children) @@ -494,12 +480,13 @@ namespace Org.BouncyCastle.Pkix if (_policy.Equals(_child.ValidPolicy)) { _found = true; + break; } } if (!_found) { - var _newChildExpectedPolicies = new HashSet(); + var _newChildExpectedPolicies = new HashSet<string>(); _newChildExpectedPolicies.Add(_policy); var _newChild = new PkixPolicyNode(new List<PkixPolicyNode>(), i, @@ -538,7 +525,7 @@ namespace Org.BouncyCastle.Pkix // // d (4) // - ISet criticalExtensionOids = cert.GetCriticalExtensionOids(); + var criticalExtensionOids = cert.GetCriticalExtensionOids(); if (criticalExtensionOids != null) { @@ -568,10 +555,7 @@ namespace Org.BouncyCastle.Pkix * @throws AnnotatedException if one of the above conditions does not apply or an error * occurs. */ - internal static void ProcessCrlB1( - DistributionPoint dp, - object cert, - X509Crl crl) + internal static void ProcessCrlB1(DistributionPoint dp, object cert, X509Crl crl) { Asn1Object idp = PkixCertPathValidatorUtilities.GetExtensionValue( crl, X509Extensions.IssuingDistributionPoint); 
@@ -584,6 +568,7 @@ namespace Org.BouncyCastle.Pkix isIndirect = true; } } + byte[] issuerBytes = crl.IssuerDN.GetEncoded(); bool matchIssuer = false; @@ -596,7 +581,7 @@ namespace Org.BouncyCastle.Pkix { try { - if (Org.BouncyCastle.Utilities.Arrays.AreEqual(genNames[j].Name.ToAsn1Object().GetEncoded(), issuerBytes)) + if (Arrays.AreEqual(genNames[j].Name.GetEncoded(), issuerBytes)) { matchIssuer = true; } @@ -630,12 +615,10 @@ namespace Org.BouncyCastle.Pkix } } - internal static ReasonsMask ProcessCrlD( - X509Crl crl, - DistributionPoint dp) + internal static ReasonsMask ProcessCrlD(X509Crl crl, DistributionPoint dp) //throws AnnotatedException { - IssuingDistributionPoint idp = null; + IssuingDistributionPoint idp; try { idp = IssuingDistributionPoint.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(crl, X509Extensions.IssuingDistributionPoint)); @@ -648,8 +631,7 @@ namespace Org.BouncyCastle.Pkix // (d) (1) if (idp != null && idp.OnlySomeReasons != null && dp.Reasons != null) { - return new ReasonsMask(dp.Reasons.IntValue).Intersect(new ReasonsMask(idp.OnlySomeReasons - .IntValue)); + return new ReasonsMask(dp.Reasons.IntValue).Intersect(new ReasonsMask(idp.OnlySomeReasons.IntValue)); } // (d) (4) if ((idp == null || idp.OnlySomeReasons == null) && dp.Reasons == null) @@ -659,8 +641,7 @@ namespace Org.BouncyCastle.Pkix // (d) (2) and (d)(3) - ReasonsMask dpReasons = null; - + ReasonsMask dpReasons; if (dp.Reasons == null) { dpReasons = ReasonsMask.AllReasons; @@ -670,8 +651,7 @@ namespace Org.BouncyCastle.Pkix dpReasons = new ReasonsMask(dp.Reasons.IntValue); } - ReasonsMask idpReasons = null; - + ReasonsMask idpReasons; if (idp == null) { idpReasons = ReasonsMask.AllReasons; 
@@ -703,7 +683,7 @@ namespace Org.BouncyCastle.Pkix * @throws AnnotatedException if the CRL is not valid or the status cannot be checked or * some error occurs. */ - internal static ISet ProcessCrlF( + internal static ISet<AsymmetricKeyParameter> ProcessCrlF( X509Crl crl, object cert, X509Certificate defaultCRLSignCert, @@ -740,8 +720,8 @@ namespace Org.BouncyCastle.Pkix signingCerts.Add(defaultCRLSignCert); - IList validCerts = Platform.CreateArrayList(); - IList validKeys = Platform.CreateArrayList(); + var validCerts = new List<X509Certificate>(); + var validKeys = new List<AsymmetricKeyParameter>(); foreach (X509Certificate signingCert in signingCerts) { @@ -796,7 +776,7 @@ namespace Org.BouncyCastle.Pkix } } - ISet checkKeys = new HashSet(); + var checkKeys = new HashSet<AsymmetricKeyParameter>(); Exception lastException = null; for (int i = 0; i < validCerts.Count; i++) @@ -827,9 +807,7 @@ namespace Org.BouncyCastle.Pkix return checkKeys; } - internal static AsymmetricKeyParameter ProcessCrlG( - X509Crl crl, - ISet keys) + internal static AsymmetricKeyParameter ProcessCrlG(X509Crl crl, ISet<AsymmetricKeyParameter> keys) { Exception lastException = null; foreach (AsymmetricKeyParameter key in keys) @@ -918,16 +896,16 @@ namespace Org.BouncyCastle.Pkix bool validCrlFound = false; Exception lastException = null; - IEnumerator crl_iter = crls.GetEnumerator(); + var crl_iter = crls.GetEnumerator(); while (crl_iter.MoveNext() && certStatus.Status == CertStatus.Unrevoked && !reasonMask.IsAllReasons) { try { - X509Crl crl = (X509Crl)crl_iter.Current; + X509Crl crl = crl_iter.Current; // (d) - ReasonsMask interimReasonsMask = Rfc3280CertPathUtilities.ProcessCrlD(crl, dp); + ReasonsMask interimReasonsMask = ProcessCrlD(crl, dp); // (e) /* 
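Review bot: In the `@@ -918` hunk `crl_iter` from `crls.GetEnumerator()` is never disposed; with the old non-generic IEnumerator that was harmless, but a generic `IEnumerator<X509Crl>` is IDisposable and the `while`/`try` shape means no `foreach` disposes it. Wrapping the loop as `using (var crl_iter = crls.GetEnumerator()) { while (...) { ... } }` keeps the compound loop condition intact. The loop body continues past the end of the hunk.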
@@ -941,10 +919,9 @@ namespace Org.BouncyCastle.Pkix } // (f) - ISet keys = Rfc3280CertPathUtilities.ProcessCrlF(crl, cert, defaultCRLSignCert, defaultCRLSignKey, - paramsPKIX, certPathCerts); + var keys = ProcessCrlF(crl, cert, defaultCRLSignCert, defaultCRLSignKey, paramsPKIX, certPathCerts); // (g) - AsymmetricKeyParameter key = Rfc3280CertPathUtilities.ProcessCrlG(crl, keys); + AsymmetricKeyParameter key = ProcessCrlG(crl, keys); X509Crl deltaCRL = null; @@ -954,7 +931,7 @@ namespace Org.BouncyCastle.Pkix ISet<X509Crl> deltaCRLs = PkixCertPathValidatorUtilities.GetDeltaCrls(currentDate, paramsPKIX, crl); // we only want one valid delta CRL // (h) - deltaCRL = Rfc3280CertPathUtilities.ProcessCrlH(deltaCRLs, key); + deltaCRL = ProcessCrlH(deltaCRLs, key); } /* @@ -983,19 +960,19 @@ namespace Org.BouncyCastle.Pkix } } - Rfc3280CertPathUtilities.ProcessCrlB1(dp, cert, crl); + ProcessCrlB1(dp, cert, crl); // (b) (2) - Rfc3280CertPathUtilities.ProcessCrlB2(dp, cert, crl); + ProcessCrlB2(dp, cert, crl); // (c) - Rfc3280CertPathUtilities.ProcessCrlC(deltaCRL, crl, paramsPKIX); + ProcessCrlC(deltaCRL, crl, paramsPKIX); // (i) - Rfc3280CertPathUtilities.ProcessCrlI(validDate, deltaCRL, cert, certStatus, paramsPKIX); + ProcessCrlI(validDate, deltaCRL, cert, certStatus, paramsPKIX); // (j) - Rfc3280CertPathUtilities.ProcessCrlJ(validDate, crl, cert, certStatus); + ProcessCrlJ(validDate, crl, cert, certStatus); // (k) if (certStatus.Status == CrlReason.RemoveFromCrl) 
@@ -1006,15 +983,15 @@ namespace Org.BouncyCastle.Pkix // update reasons mask reasonMask.AddReasons(interimReasonsMask); - ISet criticalExtensions = crl.GetCriticalExtensionOids(); + var criticalExtensions = crl.GetCriticalExtensionOids(); if (criticalExtensions != null) { - criticalExtensions = new HashSet(criticalExtensions); + criticalExtensions = new HashSet<string>(criticalExtensions); criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id); criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id); - if (!criticalExtensions.IsEmpty) + if (criticalExtensions.Count > 0) throw new Exception("CRL contains unsupported critical extensions."); } @@ -1023,11 +1000,11 @@ namespace Org.BouncyCastle.Pkix criticalExtensions = deltaCRL.GetCriticalExtensionOids(); if (criticalExtensions != null) { - criticalExtensions = new HashSet(criticalExtensions); + criticalExtensions = new HashSet<string>(criticalExtensions); criticalExtensions.Remove(X509Extensions.IssuingDistributionPoint.Id); criticalExtensions.Remove(X509Extensions.DeltaCrlIndicator.Id); - if (!criticalExtensions.IsEmpty) + if (criticalExtensions.Count > 0) throw new Exception("Delta CRL contains unsupported critical extension."); } } @@ -1095,7 +1072,7 @@ namespace Org.BouncyCastle.Pkix // for each distribution point if (crldp != null) { - DistributionPoint[] dps = null; + DistributionPoint[] dps; try { dps = crldp.GetDistributionPoints(); @@ -1111,7 +1088,8 @@ namespace Org.BouncyCastle.Pkix PkixParameters paramsPKIXClone = (PkixParameters)paramsPKIX.Clone(); try { - CheckCrl(dps[i], paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts); + CheckCrl(dps[i], paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, + reasonsMask, certPathCerts); validCrlFound = true; } catch (Exception e) 
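Review bot: The CRL and delta-CRL critical-extension checks in this hunk and in `@@ -1023` are the same seven lines with a different message, and the reason for `new HashSet<string>(criticalExtensions)` — not modifying the set the CRL object hands back — is unstated; a small helper with a comment removes the duplication and records the intent. The `if (deltaCRL != null)` guard for the second check sits between the two hunks, so the delta call goes inside that guard. I kept `throw new Exception` because that is what the existing code throws and the caller presumably catches `Exception`, though a PkixCertPathValidatorException would be more specific.
```csharp
// Rejects a CRL that carries a critical extension this validator does not handle.
// Copies the set first so the CRL's own extension set is not modified (assumed to be cached on the CRL — confirm).
private static void CheckNoUnsupportedCriticalExtensions(X509Crl crl, string message)
{
    var criticalExtensions = crl.GetCriticalExtensionOids();
    if (criticalExtensions == null)
        return;

    var remaining = new HashSet<string>(criticalExtensions);
    remaining.Remove(X509Extensions.IssuingDistributionPoint.Id);
    remaining.Remove(X509Extensions.DeltaCrlIndicator.Id);

    if (remaining.Count > 0)
        throw new Exception(message);
}

// … at the two call sites, replacing the inline blocks …
CheckNoUnsupportedCriticalExtensions(crl, "CRL contains unsupported critical extensions.");
CheckNoUnsupportedCriticalExtensions(deltaCRL, "Delta CRL contains unsupported critical extension.");
```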
@@ -1211,36 +1189,32 @@ namespace Org.BouncyCastle.Pkix PkixPolicyNode _validPolicyTree = validPolicyTree; if (pm != null) { - Asn1Sequence mappings = (Asn1Sequence)pm; - IDictionary m_idp = Platform.CreateHashtable(); - ISet s_idp = new HashSet(); + Asn1Sequence mappings = pm; + var m_idp = new Dictionary<string, ISet<string>>(); + var s_idp = new HashSet<string>(); for (int j = 0; j < mappings.Count; j++) { - Asn1Sequence mapping = (Asn1Sequence) mappings[j]; - string id_p = ((DerObjectIdentifier) mapping[0]).Id; - string sd_p = ((DerObjectIdentifier) mapping[1]).Id; - ISet tmp; + Asn1Sequence mapping = (Asn1Sequence)mappings[j]; + string id_p = ((DerObjectIdentifier)mapping[0]).Id; + string sd_p = ((DerObjectIdentifier)mapping[1]).Id; - if (!m_idp.Contains(id_p)) - { - tmp = new HashSet(); - tmp.Add(sd_p); - m_idp[id_p] = tmp; - s_idp.Add(id_p); - } + ISet<string> tmp; + if (m_idp.TryGetValue(id_p, out tmp)) + { + tmp.Add(sd_p); + } else - { - tmp = (ISet)m_idp[id_p]; - tmp.Add(sd_p); - } + { + tmp = new HashSet<string>(); + tmp.Add(sd_p); + m_idp[id_p] = tmp; + s_idp.Add(id_p); + } } - IEnumerator it_idp = s_idp.GetEnumerator(); - while (it_idp.MoveNext()) + foreach (var id_p in s_idp) { - string id_p = (string)it_idp.Current; - // // (1) // @@ -1253,7 +1227,7 @@ namespace Org.BouncyCastle.Pkix if (node.ValidPolicy.Equals(id_p)) { idp_found = true; - node.ExpectedPolicies = (ISet)m_idp[id_p]; + node.ExpectedPolicies = CollectionUtilities.GetValueOrNull(m_idp, id_p); break; } } @@ -1264,7 +1238,6 @@ namespace Org.BouncyCastle.Pkix { if (ANY_POLICY.Equals(node.ValidPolicy)) { - ISet pq = null; Asn1Sequence policies = null; try { @@ -1277,6 +1250,8 @@ namespace Org.BouncyCastle.Pkix "Certificate policies extension could not be decoded.", e, index); } + ISet<PolicyQualifierInfo> pq = null; + foreach (Asn1Encodable ae in policies) { PolicyInformation pinfo = null; 
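Review bot: `CollectionUtilities.GetValueOrNull(m_idp, id_p)` at the end of this hunk, and again in the `@@ -1315` hunk, can only miss if the `s_idp`/`m_idp` invariant is broken, and in that case it silently stores a null `ExpectedPolicies` that surfaces later as a NullReferenceException in the policy-tree walk; the plain indexer `m_idp[id_p]` fails at the point of the inconsistency instead. Separately, `s_idp` now duplicates `m_idp.Keys`; if the iteration order is not relied on, `foreach (var id_p in m_idp.Keys)` drops the extra set and the `else` branch reduces to `m_idp[id_p] = new HashSet<string> { sd_p };`. The enclosing method starts and ends outside the hunk.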
@@ -1305,7 +1280,7 @@ namespace Org.BouncyCastle.Pkix } } bool ci = false; - ISet critExtOids = cert.GetCriticalExtensionOids(); + var critExtOids = cert.GetCriticalExtensionOids(); if (critExtOids != null) { ci = critExtOids.Contains(X509Extensions.CertificatePolicies.Id); @@ -1315,7 +1290,7 @@ namespace Org.BouncyCastle.Pkix if (ANY_POLICY.Equals(p_node.ValidPolicy)) { var c_node = new PkixPolicyNode(new List<PkixPolicyNode>(), i, - (ISet)m_idp[id_p], p_node, pq, id_p, ci); + CollectionUtilities.GetValueOrNull(m_idp, id_p), p_node, pq, id_p, ci); p_node.AddChild(c_node); policyNodes[i].Add(c_node); } @@ -1398,16 +1373,16 @@ namespace Org.BouncyCastle.Pkix return new []{ completeSet, deltaSet }; } - internal static ISet ProcessCrlA1i( + internal static ISet<X509Crl> ProcessCrlA1i( DateTime currentDate, PkixParameters paramsPKIX, X509Certificate cert, X509Crl crl) { - ISet deltaSet = new HashSet(); + var deltaSet = new HashSet<X509Crl>(); if (paramsPKIX.IsUseDeltasEnabled) { - CrlDistPoint freshestCRL = null; + CrlDistPoint freshestCRL; try { freshestCRL = CrlDistPoint.GetInstance( @@ -1422,7 +1397,8 @@ namespace Org.BouncyCastle.Pkix { try { - freshestCRL = CrlDistPoint.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(crl, X509Extensions.FreshestCrl)); + freshestCRL = CrlDistPoint.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(crl, + X509Extensions.FreshestCrl)); } catch (Exception e) { @@ -1433,7 +1409,8 @@ namespace Org.BouncyCastle.Pkix { try { - PkixCertPathValidatorUtilities.AddAdditionalStoresFromCrlDistributionPoint(freshestCRL, paramsPKIX); + PkixCertPathValidatorUtilities.AddAdditionalStoresFromCrlDistributionPoint(freshestCRL, + paramsPKIX); } catch (Exception e) { 
@@ -1443,7 +1420,7 @@ namespace Org.BouncyCastle.Pkix // get delta CRL(s) try { - deltaSet.AddAll(PkixCertPathValidatorUtilities.GetDeltaCrls(currentDate, paramsPKIX, crl)); + deltaSet.UnionWith(PkixCertPathValidatorUtilities.GetDeltaCrls(currentDate, paramsPKIX, crl)); } catch (Exception e) { @@ -1546,17 +1523,14 @@ namespace Org.BouncyCastle.Pkix } } - internal static int PrepareNextCertI1( - PkixCertPath certPath, - int index, - int explicitPolicy) + internal static int PrepareNextCertI1(PkixCertPath certPath, int index, int explicitPolicy) { IList certs = certPath.Certificates; X509Certificate cert = (X509Certificate)certs[index]; // // (i) // - Asn1Sequence pc = null; + Asn1Sequence pc; try { pc = Asn1Sequence.GetInstance( @@ -1862,7 +1836,7 @@ namespace Org.BouncyCastle.Pkix // bool[] _usage = cert.GetKeyUsage(); - if ((_usage != null) && !_usage[Rfc3280CertPathUtilities.KEY_CERT_SIGN]) + if ((_usage != null) && !_usage[KEY_CERT_SIGN]) { throw new PkixCertPathValidatorException( "Issuer certificate keyusage extension is critical and does not permit key signing.", null, index); @@ -1872,7 +1846,7 @@ namespace Org.BouncyCastle.Pkix internal static void PrepareNextCertO( PkixCertPath certPath, int index, - ISet criticalExtensions, + ISet<string> criticalExtensions, IList pathCheckers) //throws CertPathValidatorException { @@ -1894,7 +1868,7 @@ namespace Org.BouncyCastle.Pkix throw new PkixCertPathValidatorException(e.Message, e.InnerException, index); } } - if (!criticalExtensions.IsEmpty) + if (criticalExtensions.Count > 0) { throw new PkixCertPathValidatorException("Certificate has unsupported critical extension.", null, index); } @@ -1994,7 +1968,7 @@ namespace Org.BouncyCastle.Pkix // (b) // int tmpInt; - Asn1Sequence pc = null; + Asn1Sequence pc; try { pc = Asn1Sequence.GetInstance( 
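Review bot: In the `@@ -1546` hunk `IList certs = certPath.Certificates;` with the `(X509Certificate)certs[index]` cast is left non-generic in PrepareNextCertI1 while the rest of the commit moves to typed collections; the same shape remains in `IList pathCheckers` in PrepareNextCertO here and in the `@@ -2039` hunk. PkixCertPath is not in this diffstat, so `Certificates` presumably is not typed yet — once it is, `var certs = certPath.Certificates; X509Certificate cert = certs[index];` removes the cast. The `Asn1Sequence pc;` changes rely on the `catch` blocks (outside the hunks) always throwing for definite assignment, which the compiler enforces, so those are safe.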
@@ -2039,7 +2013,7 @@ namespace Org.BouncyCastle.Pkix PkixCertPath certPath, int index, IList pathCheckers, - ISet criticalExtensions) + ISet<string> criticalExtensions) //throws CertPathValidatorException { IList certs = certPath.Certificates; @@ -2058,7 +2032,7 @@ namespace Org.BouncyCastle.Pkix } } - if (!criticalExtensions.IsEmpty) + if (criticalExtensions.Count > 0) { throw new PkixCertPathValidatorException("Certificate has unsupported critical extension", null, index); @@ -2066,8 +2040,8 @@ namespace Org.BouncyCastle.Pkix } internal static PkixPolicyNode WrapupCertG(PkixCertPath certPath, PkixParameters paramsPKIX, - ISet userInitialPolicySet, int index, IList<PkixPolicyNode>[] policyNodes, PkixPolicyNode validPolicyTree, - ISet acceptablePolicies) + ISet<string> userInitialPolicySet, int index, IList<PkixPolicyNode>[] policyNodes, + PkixPolicyNode validPolicyTree, ISet<string> acceptablePolicies) { int n = certPath.Certificates.Count; 
@@ -2092,53 +2066,51 @@ namespace Org.BouncyCastle.Pkix { if (paramsPKIX.IsExplicitPolicyRequired) { - if (acceptablePolicies.IsEmpty) + if (acceptablePolicies.Count < 1) { throw new PkixCertPathValidatorException( "Explicit policy requested but none available.", null, index); } - else - { - var _validPolicyNodeSet = new HashSet<PkixPolicyNode>(); - foreach (var _nodeDepth in policyNodes) - { - foreach (var _node in _nodeDepth) - { - if (ANY_POLICY.Equals(_node.ValidPolicy)) + var _validPolicyNodeSet = new HashSet<PkixPolicyNode>(); + + foreach (var _nodeDepth in policyNodes) + { + foreach (var _node in _nodeDepth) + { + if (ANY_POLICY.Equals(_node.ValidPolicy)) + { + foreach (var o in _node.Children) { - foreach (var o in _node.Children) - { - _validPolicyNodeSet.Add(o); - } + _validPolicyNodeSet.Add(o); } } } + } - foreach (var _node in _validPolicyNodeSet) + foreach (var _node in _validPolicyNodeSet) + { + if (!acceptablePolicies.Contains(_node.ValidPolicy)) { - if (!acceptablePolicies.Contains(_node.ValidPolicy)) - { - // TODO? - // validPolicyTree = - // removePolicyNode(validPolicyTree, policyNodes, - // _node); - } + // TODO? + // validPolicyTree = + // removePolicyNode(validPolicyTree, policyNodes, + // _node); } - if (validPolicyTree != null) + } + if (validPolicyTree != null) + { + for (int j = n - 1; j >= 0; j--) { - for (int j = n - 1; j >= 0; j--) - { - var nodes = policyNodes[j]; + var nodes = policyNodes[j]; - for (int k = 0; k < nodes.Count; k++) + for (int k = 0; k < nodes.Count; k++) + { + var node = nodes[k]; + if (!node.HasChildren) { - var node = nodes[k]; - if (!node.HasChildren) - { - validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode( - validPolicyTree, policyNodes, node); - } + validPolicyTree = PkixCertPathValidatorUtilities.RemovePolicyNode( + validPolicyTree, policyNodes, node); } } } diff --git a/crypto/src/pkix/Rfc3281CertPathUtilities.cs b/crypto/src/pkix/Rfc3281CertPathUtilities.cs index 2e1ee3898..39c03146c 100644 
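Review bot: `_validPolicyNodeSet` is built from every anyPolicy node's children and then iterated with a body that is entirely commented out (`// TODO? … removePolicyNode`), so in the new layout the set construction and that loop are dead work; either implement the pruning the TODO refers to or drop the set until it is implemented, with a one-line comment saying which wrap-up step is still missing. Also `acceptablePolicies.Count < 1` here, and `holderPKCs.Count < 1` in the Rfc3281 `@@ -376` and `@@ -404` hunks, spell the emptiness test differently from the `Count > 0` used elsewhere in the commit; `== 0` reads as the direct replacement for `IsEmpty`. WrapupCertG begins before this hunk.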
--- a/crypto/src/pkix/Rfc3281CertPathUtilities.cs +++ b/crypto/src/pkix/Rfc3281CertPathUtilities.cs @@ -23,7 +23,7 @@ namespace Org.BouncyCastle.Pkix // AA Controls // Attribute encryption // Proxy - ISet critExtOids = attrCert.GetCriticalExtensionOids(); + var critExtOids = attrCert.GetCriticalExtensionOids(); // 7.1 // process extensions @@ -47,11 +47,10 @@ namespace Org.BouncyCastle.Pkix { checker.Check(attrCert, certPath, holderCertPath, critExtOids); } - if (!critExtOids.IsEmpty) + if (critExtOids.Count > 0) { throw new PkixCertPathValidatorException( - "Attribute certificate contains unsupported critical extensions: " - + critExtOids); + "Attribute certificate contains unsupported critical extensions: " + critExtOids); } } @@ -276,7 +275,7 @@ namespace Org.BouncyCastle.Pkix X509Certificate acIssuerCert, PkixParameters pkixParams) { - ISet set = pkixParams.GetTrustedACIssuers(); + var set = pkixParams.GetTrustedACIssuers(); bool trusted = false; foreach (TrustAnchor anchor in set) { @@ -352,7 +351,7 @@ namespace Org.BouncyCastle.Pkix { PkixCertPathBuilderResult result = null; // find holder PKCs - ISet holderPKCs = new HashSet(); + var holderPKCs = new HashSet<X509Certificate>(); if (attrCert.Holder.GetIssuer() != null) { X509CertStoreSelector selector = new X509CertStoreSelector(); @@ -360,14 +359,12 @@ namespace Org.BouncyCastle.Pkix X509Name[] principals = attrCert.Holder.GetIssuer(); for (int i = 0; i < principals.Length; i++) { + // TODO Replace loop with a single multiprincipal selector (or don't even use selector) try { -// if (principals[i] is X500Principal) - { - selector.Issuer = principals[i]; - } - holderPKCs.AddAll( - PkixCertPathValidatorUtilities.FindCertificates(selector, pkixParams.GetStoresCert())); + selector.Issuer = principals[i]; + + CollectionUtilities.CollectMatches(holderPKCs, selector, pkixParams.GetStoresCert()); } catch (Exception e) { 
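Review bot: The exception message in the `@@ -47` hunk concatenates `critExtOids` directly; a `HashSet<string>` renders its type name rather than its elements, so the unsupported OIDs never reach the message — `string.Join(", ", critExtOids)` would (as far as I can tell the old set type did not render contents either, so this is a chance to fix it rather than a regression). In the `@@ -23` hunk the set returned by `attrCert.GetCriticalExtensionOids()` is handed straight to each checker, which removes the OIDs it handles; the Rfc3280 side of this commit copies with `new HashSet<string>(…)` before removing and guards against a null return, and this path does neither, so if that set is cached on the certificate or can be null, either the mutation or the `.Count` in the `@@ -47` hunk is a problem. I cannot see lines 30–46 of this method, so a guard may already exist there.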
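Review bot: The loop body in the `@@ -360` hunk is repeated verbatim in the `@@ -388` hunk for `GetEntityNames()`, including the new TODO; a local helper taking the `X509Name[]` and the two shared objects, say `CollectHolderCerts(holderPKCs, selector, principals, pkixParams)` with the `try`/`catch` inside, would let the TODO live in one place. Both loops keep assigning `selector.Issuer` on the one shared selector, which is fine while the calls stay sequential but deserves a comment if the TODO is ever actioned. The `catch` bodies start after the hunk.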
@@ -376,7 +373,7 @@ namespace Org.BouncyCastle.Pkix
 e);
 }
 }
- if (holderPKCs.IsEmpty)
+ if (holderPKCs.Count < 1)
 {
 throw new PkixCertPathValidatorException(
 "Public key certificate specified in base certificate ID for attribute certificate cannot be found.");
@@ -388,14 +385,12 @@ namespace Org.BouncyCastle.Pkix
 X509Name[] principals = attrCert.Holder.GetEntityNames();
 for (int i = 0; i < principals.Length; i++)
 {
+ // TODO Replace loop with a single multiprincipal selector (or don't even use selector)
 try
 {
-// if (principals[i] is X500Principal)
- {
- selector.Issuer = principals[i];
- }
- holderPKCs.AddAll(
- PkixCertPathValidatorUtilities.FindCertificates(selector, pkixParams.GetStoresCert()));
+ selector.Issuer = principals[i];
+
+ CollectionUtilities.CollectMatches(holderPKCs, selector, pkixParams.GetStoresCert());
 }
 catch (Exception e)
 {
@@ -404,7 +399,7 @@ namespace Org.BouncyCastle.Pkix
 e);
 }
 }
- if (holderPKCs.IsEmpty)
+ if (holderPKCs.Count < 1)
 {
 throw new PkixCertPathValidatorException(
 "Public key certificate specified in entity name for attribute certificate cannot be found.");
@@ -523,7 +518,7 @@ namespace Org.BouncyCastle.Pkix
 }
 // (f)
- ISet keys = Rfc3280CertPathUtilities.ProcessCrlF(crl, attrCert,
+ var keys = Rfc3280CertPathUtilities.ProcessCrlF(crl, attrCert,
 null, null, paramsPKIX, certPathCerts);
 // (g)
 AsymmetricKeyParameter pubKey = Rfc3280CertPathUtilities.ProcessCrlG(crl, keys); |