Inhaltsverzeichnis

TrustStoreExtensions & PqTrustStore

TrustStoreExtensions & PqTrustStore

Custom trust store management for PQ-compatible PKI infrastructures.

Overview

Class	Description
`PqTrustStore`	Full-featured trust store with PQ support
`TrustStoreExtensions`	Extension methods for `X509Certificate2Collection`
`TrustEntry`	Metadata for trust store entries
`TrustType`	Enum: TrustAnchor, IntermediateCA, etc.

PqTrustStore Class

using WvdS.System.Security.Cryptography.X509Certificates;
 
// Create trust store
using var trustStore = new PqTrustStore();
 
// Add root CA
var rootCa = new X509Certificate2("root-ca.cer");
trustStore.AddTrustAnchor(rootCa, alias: "Company Root CA");
 
// Add intermediate CA
var intermediateCa = new X509Certificate2("intermediate-ca.cer");
trustStore.AddIntermediate(intermediateCa, alias: "Issuing CA");
 
// Use trust store
Console.WriteLine($"Trust store contains {trustStore.Count} entries");

Integration with X509Chain

Validate with custom trust store:

using System.Security.Cryptography.X509Certificates;
using WvdS.System.Security.Cryptography;
using WvdS.System.Security.Cryptography.X509Certificates;
 
// Load trust store
using var trustStore = PqTrustStore.LoadFromPem("company-trust-store.pem");
 
// Validate certificate
var userCert = new X509Certificate2("user.cer");
 
using var chain = new X509Chain();
bool isValid = chain.Build(userCert, trustStore, CryptoMode.Hybrid);
 
if (isValid)
{
    Console.WriteLine("Certificate is valid");
}
else
{
    foreach (var status in chain.ChainStatus)
    {
        Console.WriteLine($"Error: {status.StatusInformation}");
    }
}

With X509Certificate2Collection:

// Simpler: Directly with collection
var trustAnchors = TrustStoreExtensions.LoadFromPem("trust-anchors.pem");
 
using var chain = new X509Chain();
bool isValid = chain.Build(userCert, trustAnchors, CryptoMode.Hybrid);

Trust Store Import/Export

PEM Bundle:

// Save
trustStore.SaveToPem("trust-store.pem");
 
// Load
var loadedStore = PqTrustStore.LoadFromPem("trust-store.pem");

PKCS#7 (DER):

// Save as PKCS#7
trustStore.SaveToPkcs7("trust-store.p7b");
 
// Load
var loadedStore = PqTrustStore.LoadFromPkcs7("trust-store.p7b");

System Store Import

// Populate trust store with system certificates
using var trustStore = new PqTrustStore();
 
// Import Windows root CAs
trustStore.ImportFromSystemRootStore();
 
// Import Windows intermediate CAs
trustStore.ImportFromSystemIntermediateStore();
 
// Export as PEM for air-gapped systems
trustStore.SaveToPem("system-trust-store.pem");

TrustType Enum

Value	Description
`TrustAnchor`	Trust anchor (root CA)
`IntermediateCA`	Intermediate certificate authority
`CrossCertifiedCA`	Cross-certified CA
`EndEntity`	End entity (not a CA)

Trust Store Queries

// Trust anchors only
var roots = trustStore.TrustAnchors;
 
// Intermediate CAs only
var intermediates = trustStore.IntermediateCAs;
 
// Search by subject
var found = trustStore.FindBySubjectName("Company");
 
// Search by thumbprint
var entry = trustStore.FindByThumbprint("A1B2C3...");
 
// Check if contained
bool exists = trustStore.Contains(certificate);

Validation Report

using var chain = new X509Chain();
chain.Build(cert, trustStore, CryptoMode.Hybrid);
 
// Create detailed report
var report = chain.GetValidationReport();
 
Console.WriteLine($"Valid: {report.IsValid}");
Console.WriteLine($"Chain length: {report.ChainLength}");
Console.WriteLine($"Fully PQ protected: {report.IsFullyPqProtected}");
 
// Individual elements
foreach (var element in report.Elements)
{
    Console.WriteLine($"  {element.Subject}");
    Console.WriteLine($"    Mode: {element.CryptoMode}");
    Console.WriteLine($"    PQ keys: {element.HasPqKeys}");
}

Example output:

Chain Validation: VALID
Chain Length: 3
Fully PQ Protected: True
Elements:
  [0] CN=User Certificate
      Mode: Hybrid, PQ Keys: True
  [1] CN=Issuing CA
      Mode: Hybrid, PQ Keys: True
  [2] CN=Root CA
      Mode: Hybrid, PQ Keys: True

Offline CRL Checking

For air-gapped systems with preloaded CRLs:

// Load CRLs
var crls = new List<byte[]>
{
    File.ReadAllBytes("root-ca.crl"),
    File.ReadAllBytes("issuing-ca.crl")
};
 
using var chain = new X509Chain();
bool isValid = chain.BuildWithOfflineCrl(
    certificate,
    trustStore.ToCollection(),
    crls,
    CryptoMode.Hybrid);

Collection Extensions

// Filter collection
var collection = new X509Certificate2Collection();
collection.Import("certificates.p7b");
 
// CAs only
var cas = collection.FilterCertificateAuthorities();
 
// Root CAs only (self-signed)
var roots = collection.FilterRootCertificates();
 
// Search by subject
var found = collection.FindBySubjectName("Company");
 
// Check PQ status
bool hasPq = collection.HasPqProtectedCertificates();
 
// Save as PEM
collection.SaveToPem("output.pem");

Best Practices

Trust Store Hierarchy:

PqTrustStore
+-- TrustAnchors (Root CAs)
|   +-- -> chain.ChainPolicy.CustomTrustStore
+-- IntermediateCAs
    +-- -> chain.ChainPolicy.ExtraStore

Recommendations:

Principle of least privilege: Only include required CAs
PQ migration: Gradually add PQ keys to existing CAs
Backup: Regularly back up trust store
Validation: Verify new CAs before adding