I am trying to validate a certificate chain using Bouncy Castle library in c# with the following code, but I get the exception: "certificate has an unsupported critical extension". The exception happens in this method: validator.Validate(path, param)
My certificate has a critical extension: name: "Extended key usage", oid: 2.5.29.37, value: OCSP Signing (1.3.6.1.5.5.7.3.9)
```csharp
using System.Collections.Generic;
using System.Collections.ObjectModel;
using Org.BouncyCastle.Pkix;
using Org.BouncyCastle.Utilities.Collections;
using Org.BouncyCastle.X509;

// Walks the list of trusted certificates looking for the issuer of `client`,
// validates the single-certificate path against that issuer as trust anchor,
// and recurses upwards until a self-signed root is reached.
// IsSelfSigned(X509Certificate) is a helper defined elsewhere in the asker's code.
public static bool ValidateKeyChain(X509Certificate client, List<X509Certificate> trustedCerts)
{
    bool found = false;
    int c = trustedCerts.Count;
    PkixCertPathBuilder cf = new PkixCertPathBuilder();
    TrustAnchor anchor;
    HashSet anchors = new HashSet();      // Org.BouncyCastle.Utilities.Collections.HashSet
    PkixCertPath path;
    PkixParameters param;
    PkixCertPathValidator validator = new PkixCertPathValidator();

    while (!found && c > 0)
    {
        // Try each trusted certificate, from the end of the list, as a trust anchor.
        anchor = new TrustAnchor(trustedCerts[--c], null);
        anchors.Add(anchor);

        // The path to validate consists of the client certificate alone.
        Collection<X509Certificate> set = new Collection<X509Certificate>();
        set.Add(client);
        path = new PkixCertPath(set);

        param = new PkixParameters(anchors);
        param.IsRevocationEnabled = false;

        if (client.IssuerDN.Equals(trustedCerts[c].SubjectDN))
        {
            // This is where "certificate has an unsupported critical extension" is thrown.
            validator.Validate(path, param);

            if (IsSelfSigned(trustedCerts[c]))
            {
                // found root ca
                found = true;
            }
            else if (!client.Equals(trustedCerts[c]))
            {
                // find parent ca
                found = ValidateKeyChain(trustedCerts[c], trustedCerts);
            }
        }
    }
    return found;
}
```

Recommended answer:
Finally, I found a solution to my problem. I checked both the Java and C# sources of Bouncy Castle and found a difference in the "PkiCertPathValidator" class in the .NET source: in the validate method, before calling the Rfc3280CertPathUtilities.WrapupCertf(...) method, critical extensions are removed, but the following line was missing in the .NET version:
```csharp
criticalExtensions.Remove(X509Extensions.ExtendedKeyUsage.Id);
```
I added this line to the source code then built it and it worked correctly.
PS: The most relevant answer on the internet is this one: [bouncy-castle.1462172.n4.nabble/Certificate-has-unsupported-critical-extension-td1464313.html][1]
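The exception arises because the validator consumes the critical extensions it knows how to process and rejects any that remain. The following added example (not code from the question or the answer) applies the same idea as a pre-flight check: it lists the critical extension OIDs on a certificate that the PKIX validation will not consume, so a certificate such as the asker's (critical Extended Key Usage, 2.5.29.37) is flagged before Validate() is called. The set of consumed OIDs is assumed from the validator's wrap-up logic and should be confirmed against the Bouncy Castle version in use; the `ekuConsumed` flag models the patched build described in the answer.

```csharp
using System.Collections.Generic;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.X509;

// Added example, not code from the original question or answer.
// Reports the critical extension OIDs that PkixCertPathValidator would reject
// with "certificate has an unsupported critical extension".
public static class CriticalExtensionCheck
{
    // Extensions the PKIX path processing consumes and removes from the critical set.
    // Assumed from the validator's wrap-up logic; confirm against the BC version in use.
    private static readonly HashSet<string> ConsumedByValidator = new HashSet<string>
    {
        X509Extensions.KeyUsage.Id,
        X509Extensions.CertificatePolicies.Id,
        X509Extensions.PolicyMappings.Id,
        X509Extensions.InhibitAnyPolicy.Id,
        X509Extensions.IssuingDistributionPoint.Id,
        X509Extensions.DeltaCrlIndicator.Id,
        X509Extensions.PolicyConstraints.Id,
        X509Extensions.BasicConstraints.Id,
        X509Extensions.SubjectAlternativeName.Id,
        X509Extensions.NameConstraints.Id,
        X509Extensions.CrlDistributionPoints.Id,
    };

    // Returns the critical OIDs that will trigger the exception. Pass ekuConsumed = true
    // when running a build that also removes ExtendedKeyUsage (2.5.29.37), as the
    // patched .NET source in the answer does; unpatched builds leave it in the set.
    public static List<string> UnsupportedCriticalOids(X509Certificate cert, bool ekuConsumed)
    {
        var unsupported = new List<string>();
        var critical = cert.GetCriticalExtensionOids();
        if (critical == null)
            return unsupported;

        foreach (object entry in critical)   // ISet in BC 1.8.x, ISet<string> in 2.x
        {
            string oid = entry.ToString();
            if (ConsumedByValidator.Contains(oid))
                continue;
            if (ekuConsumed && oid == X509Extensions.ExtendedKeyUsage.Id)
                continue;
            unsupported.Add(oid);
        }
        return unsupported;
    }
}
```

Calling `UnsupportedCriticalOids(client, false)` on the asker's OCSP signing certificate returns a list containing "2.5.29.37"; with `ekuConsumed = true` it returns an empty list.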