Suppose I have three certificates (in Base64 format):

Root
 |--- CA
      |--- Cert (client/signing/whatever)

How do I verify the certificates and the certificate path/chain in C#?
(All three of these certificates may not be in my computer's certificate store.)

Edit: BouncyCastle has a verification feature, but I'm trying not to use any third-party libraries.
```csharp
using Org.BouncyCastle.X509;

byte[] b1 = Convert.FromBase64String(x509Str1);
byte[] b2 = Convert.FromBase64String(x509Str2);
X509Certificate cer1 = new X509CertificateParser().ReadCertificate(b1);
X509Certificate cer2 = new X509CertificateParser().ReadCertificate(b2);
// Throws if the signature on cer1 was not produced by cer2's key.
cer1.Verify(cer2.GetPublicKey());
```
If cer1 was not signed by cer2 (the CA or the root), an exception is thrown. That is exactly what I want.
Solution

The X509Chain class is designed to do exactly this, and it even lets you customize how the chain-building process is performed.
```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static bool VerifyCertificate(byte[] primaryCertificate, IEnumerable<byte[]> additionalCertificates)
{
    var chain = new X509Chain();
    foreach (var cert in additionalCertificates.Select(x => new X509Certificate2(x)))
    {
        chain.ChainPolicy.ExtraStore.Add(cert);
    }

    // You can alter how the chain is built/validated.
    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
    chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreWrongUsage;

    // Do the validation.
    var primaryCert = new X509Certificate2(primaryCertificate);
    return chain.Build(primaryCert);
}
```
If you need it, the X509Chain will contain additional information about the validation failure when Build() == false.

Edit: this only ensures that your CA is valid. If you want to ensure the chain is identical, you can check the thumbprints manually. You can use the following method to make sure the certificate chain is correct; it expects the chain in order: ..., INTERMEDIATE2, INTERMEDIATE1 (signer of INTERMEDIATE2), CA (signer of INTERMEDIATE1).
```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static bool VerifyCertificate(byte[] primaryCertificate, IEnumerable<byte[]> additionalCertificates)
{
    var chain = new X509Chain();
    foreach (var cert in additionalCertificates.Select(x => new X509Certificate2(x)))
    {
        chain.ChainPolicy.ExtraStore.Add(cert);
    }

    // You can alter how the chain is built/validated.
    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
    chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreWrongUsage;

    // Do the preliminary validation.
    var primaryCert = new X509Certificate2(primaryCertificate);
    if (!chain.Build(primaryCert))
        return false;

    // Make sure we have the same number of elements.
    if (chain.ChainElements.Count != chain.ChainPolicy.ExtraStore.Count + 1)
        return false;

    // Make sure all the thumbprints of the CAs match up.
    // The first one should be 'primaryCert', leading up to the root CA.
    for (var i = 1; i < chain.ChainElements.Count; i++)
    {
        if (chain.ChainElements[i].Certificate.Thumbprint != chain.ChainPolicy.ExtraStore[i - 1].Thumbprint)
            return false;
    }

    return true;
}
```
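The question's case where none of the three certificates is in the machine store, and the answer's remark that the chain carries details about a failed Build(), can be shown together. The following is an added example, not code from the question or answer: it pins trust to a root passed in by the caller via X509ChainTrustMode.CustomRootTrust (available in .NET 5 and later), surfaces chain.ChainStatus as diagnostics, and generates a throwaway Root -> CA -> leaf hierarchy in memory with CertificateRequest; all certificate names are made up.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ChainDemo
{
    // Validate 'leaf' against a root we supply ourselves (nothing is read from the machine
    // store) and hand back the chain engine's ChainStatus entries for diagnosis.
    static bool VerifyAgainstCustomRoot(X509Certificate2 leaf, X509Certificate2 root,
                                        X509Certificate2[] intermediates, out string diagnostics)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; // .NET 5 or later
        chain.ChainPolicy.CustomTrustStore.Add(root);
        chain.ChainPolicy.ExtraStore.AddRange(intermediates);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // in-memory test CA publishes no CRL/OCSP
        bool ok = chain.Build(leaf);
        diagnostics = string.Join("; ", chain.ChainStatus.Select(s => $"{s.Status}: {s.StatusInformation.Trim()}"));
        return ok;
    }

    // Constructed test certificate (hypothetical names): self-signed when issuer is null,
    // otherwise issued by 'issuer', which must carry its private key.
    static X509Certificate2 MakeCert(string cn, X509Certificate2 issuer, bool isCa)
    {
        RSA key = RSA.Create(2048); // deliberately not disposed: a CA cert's key signs its children
        var req = new CertificateRequest($"CN={cn}", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(isCa, false, 0, critical: true));
        var notBefore = DateTimeOffset.UtcNow.AddDays(-1);
        var notAfter = notBefore.AddYears(1);
        if (issuer == null)
            return req.CreateSelfSigned(notBefore, notAfter);
        var serial = new byte[16];
        RandomNumberGenerator.Fill(serial);
        return req.Create(issuer, notBefore, notAfter, serial).CopyWithPrivateKey(key);
    }

    static void Main()
    {
        var root  = MakeCert("Test Root", null, isCa: true);
        var ca    = MakeCert("Test CA", root, isCa: true);
        var leaf  = MakeCert("client", ca, isCa: false);
        var other = MakeCert("Unrelated Root", null, isCa: true);
        // Full chain anchored at the right root: Build() should succeed.
        Console.WriteLine(VerifyAgainstCustomRoot(leaf, root, new[] { ca }, out var why) + " " + why);
        // Same leaf, wrong anchor: the chain cannot terminate in the supplied root.
        Console.WriteLine(VerifyAgainstCustomRoot(leaf, other, new[] { ca }, out why) + " " + why);
        // Intermediate withheld: the engine cannot connect the leaf to the root.
        Console.WriteLine(VerifyAgainstCustomRoot(leaf, root, Array.Empty<X509Certificate2>(), out why) + " " + why);
    }
}
```

Reading ChainStatus rather than just the boolean tells you which of the three failure kinds occurred, and CustomRootTrust means a root that is merely present in ExtraStore is never treated as trusted.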
Original source: https://www.jb51.cc/csharp/94134.html