如何确定证书链中哪一个是发行者证书
我收到证书链时,其中有3个证书。我看到issuerCert应该是chain[1],但是当我将chain[0]用作发行者时,我的代码才有效。我正在使用我的CA卡。这正常吗?下面是代码,使用的是FirmaXadesNet库。此函数将ocspCerts返回为X509Certificate2[]:
// Build the local chain for `cert`; revocation is deliberately not checked here because
// it is done explicitly via OCSP below.
X509Chain chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
// NOTE(review): the bool returned by Build() and chain.ChainStatus are never inspected, so an
// untrusted or incomplete chain still flows into the OCSP step unnoticed.
chain.Build(cert);
X509Certificate2 issuer = null;
if (chain.ChainElements.Count > 1)
{
// NOTE(review): X509Chain orders its elements leaf-first: ChainElements[0] is `cert` itself and
// ChainElements[1] is the certificate that issued it. The two assignments below are therefore
// inverted relative to their names: `issuer` holds the end-entity certificate and `client` holds
// the real issuer. It only appears to work because ValidateCertificateByOCSP (below) swaps the
// arguments back when calling QueryBinary; the later uses of `issuer` (EquivalentDN, AddCertificate)
// still receive the leaf. The intended fix is
//   issuer = chain.ChainElements[1].Certificate; var client = chain.ChainElements[0].Certificate;
// applied together with restoring the library's QueryBinary(clientCert, issuerCert, ocspUrl) order.
issuer = chain.ChainElements[0].Certificate;
var client = chain.ChainElements[1].Certificate;
// Returns the certificates embedded in the OCSP response (normally the responder's own chain).
var ocspCerts = ValidateCertificateByOCSP(unsignedProperties,client,issuer,ocspServers,digestMethod);
if (ocspCerts != null)
{
// If the OCSP responder certificate was not issued by `issuer`, its own chain must be
// embedded as well so the signature stays verifiable offline.
X509Certificate2 startOcspCert = DetermineStartCert(ocspCerts);
if (!EquivalentDN(startOcspCert.IssuerName,issuer.SubjectName))
{
var chainOcsp = CertUtil.GetCertChain(startOcspCert,ocspCerts);
// NOTE(review): ChainElements[1] is accessed without a Count check; a responder chain with a
// single element would throw here.
AddCertificate(chainOcsp.ChainElements[1].Certificate,unsignedProperties,true,crlList,digestMethod,ocspCerts);
}
}
// Recurse up the chain. Note the argument list differs from the AddCertificate call above
// (7 vs 6 arguments) — presumably two overloads; confirm.
AddCertificate(issuer,unsignedProperties,true,ocspServers,crlList,digestMethod,extraCerts); }
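/// <summary>
/// Queries the OCSP responders for the status of <paramref name="client"/> and, on a <c>Good</c>
/// answer, records the response in the XAdES unsigned properties: a
/// CompleteRevocationRefs/OCSPRef entry plus the raw RevocationValues/OCSPValue, linked by a shared id.
/// </summary>
/// <param name="unsignedProperties">Signature properties the OCSP reference and value are appended to.</param>
/// <param name="client">Certificate whose revocation status is being checked.</param>
/// <param name="issuer">Issuer of <paramref name="client"/>; required to build the OCSP request.</param>
/// <param name="ocspServers">Additional responder URLs, tried after the one taken from the AIA extension.</param>
/// <param name="digestMethod">Digest method of the signature; not used in this body, kept for the caller's signature.</param>
/// <returns>The certificates embedded in the first <c>Good</c> OCSP response (typically the responder's).</returns>
/// <exception cref="InvalidOperationException">
/// A responder reported the certificate as revoked, or no responder returned a <c>Good</c> status.
/// </exception>
private X509Certificate2[] ValidateCertificateByOCSP(UnsignedProperties unsignedProperties, X509Certificate2 client, X509Certificate2 issuer, IEnumerable<string> ocspServers, FirmaXadesNet.Crypto.DigestMethod digestMethod)
{
    bool byKey = false;
    Org.BouncyCastle.X509.X509Certificate clientCert = client.ToBouncyX509Certificate();
    Org.BouncyCastle.X509.X509Certificate issuerCert = issuer.ToBouncyX509Certificate();

    OcspClient ocsp = new OcspClient();

    // Responder list: the URL carried in the AIA extension first, then the configured ones.
    // NOTE(review): the URL is read from issuerCert. Per RFC 5280 the id-ad-ocsp accessLocation in a
    // certificate names the responder for *that* certificate, so clientCert looks like the intended
    // source — confirm against the library before changing it.
    List<string> finalOcspServers = new List<string>();
    string certOcspUrl = ocsp.GetAuthorityinformationAccessOcspUrl(issuerCert);
    if (!string.IsNullOrEmpty(certOcspUrl))
    {
        finalOcspServers.Add(certOcspUrl);
    }
    finalOcspServers.AddRange(ocspServers);

    foreach (var ocspUrl in finalOcspServers)
    {
        // NOTE(review): the library's original call was QueryBinary(clientCert, issuerCert, ocspUrl);
        // the author swapped the arguments ("I changed this -> look here and study it", translated).
        // With the parameters as named this asks the responder about the *issuer*; it only looks right
        // because the caller in this snippet also assigns ChainElements[0] (the leaf) to `issuer` and
        // ChainElements[1] to `client`. Fix both inversions together.
        byte[] resp = ocsp.QueryBinary(issuerCert, clientCert, ocspUrl);
        FirmaXadesNet.Clients.CertificateStatus status = ocsp.ProcessOcspResponse(resp);

        if (status == FirmaXadesNet.Clients.CertificateStatus.Revoked)
        {
            // Fail closed: a revoked answer from any responder ends the validation.
            throw new InvalidOperationException("Revoked certificate");
        }

        if (status != FirmaXadesNet.Clients.CertificateStatus.Good)
        {
            // Unknown (or any other) status: try the next responder.
            continue;
        }

        // NOTE(review): nothing visible here verifies the responder signature, the nonce or the
        // thisUpdate/nextUpdate window; confirm ProcessOcspResponse does so before Good is trusted.
        Org.BouncyCastle.Ocsp.OcspResp r = new OcspResp(resp);
        byte[] rEncoded = r.GetEncoded();
        BasicOcspResp basicResp = (BasicOcspResp)r.GetResponseObject();

        // The reference and the value are tied together by this id ("#OcspValue<guid>" -> "OcspValue<guid>").
        string guidOcsp = Guid.NewGuid().ToString();

        OCSPRef ocspRef = new OCSPRef();
        ocspRef.OCSPIdentifier.UriAttribute = "#OcspValue" + guidOcsp;
        DigestUtil.SetCertDigest(rEncoded, ocspRef.CertDigest);
        ResponderID rpId = basicResp.ResponderId.ToAsn1Object();
        ocspRef.OCSPIdentifier.ResponderID = GetResponderName(rpId, ref byKey);
        ocspRef.OCSPIdentifier.ByKey = byKey;
        ocspRef.OCSPIdentifier.ProducedAt = basicResp.ProducedAt.ToLocalTime();
        unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.OCSPRefs.OCSPRefCollection.Add(ocspRef);

        OCSPValue ocspValue = new OCSPValue();
        ocspValue.PkiData = rEncoded;
        ocspValue.Id = "OcspValue" + guidOcsp;
        unsignedProperties.UnsignedSignatureProperties.RevocationValues.OCSPValues.OCSPValueCollection.Add(ocspValue);

        // Hand back the certificates carried in the response so the caller can embed the responder's chain.
        return basicResp.GetCerts()
            .Select(c => new X509Certificate2(c.GetEncoded()))
            .ToArray();
    }

    throw new InvalidOperationException("The certificate Could not be validated");
}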