Certificate has an unsupported critical extension

Updated: 2024-10-26 16:32:43

Problem description

I am trying to validate a certificate chain using the Bouncy Castle library in C# with the following code, but I get the exception: "certificate has an unsupported critical extension". The exception happens in this method: validator.Validate(path, param)

My certificate has a critical extension: name: "Extended key usage", oid: 2.5.29.37, value: ocsp Stamping (1.3.6.1.5.5.7.3.9)

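```csharp
using System.Collections.Generic;             // List<T>
using System.Collections.ObjectModel;         // Collection<T>
using Org.BouncyCastle.Pkix;                  // PkixCertPath, PkixParameters, TrustAnchor, ...
using Org.BouncyCastle.Utilities.Collections; // Bouncy Castle's non-generic HashSet
using Org.BouncyCastle.X509;                  // X509Certificate

public static bool ValidateKeyChain(X509Certificate client, List<X509Certificate> trustedCerts)
{
    bool found = false;
    int c = trustedCerts.Count;
    PkixCertPathBuilder cf = new PkixCertPathBuilder();
    TrustAnchor anchor;
    HashSet anchors = new HashSet();
    PkixCertPath path;
    PkixParameters param;
    PkixCertPathValidator validator = new PkixCertPathValidator();

    // Walk the trusted list from the end, adding each certificate as a trust anchor.
    while (!found && c > 0)
    {
        anchor = new TrustAnchor(trustedCerts[--c], null);
        anchors.Add(anchor);

        // The path to validate contains only the certificate being checked.
        Collection<X509Certificate> set = new Collection<X509Certificate>();
        set.Add(client);
        path = new PkixCertPath(set);

        param = new PkixParameters(anchors);
        param.IsRevocationEnabled = false;

        if (client.IssuerDN.Equals(trustedCerts[c].SubjectDN))
        {
            // The exception is thrown here.
            validator.Validate(path, param);

            // IsSelfSigned is the poster's own helper (not shown in the question).
            if (IsSelfSigned(trustedCerts[c]))
            {
                // found root ca
                found = true;
            }
            else if (!client.Equals(trustedCerts[c]))
            {
                // find parent ca
                found = ValidateKeyChain(trustedCerts[c], trustedCerts);
            }
        }
    }
    return found;
}
```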

Recommended answer

Finally, I found a solution to my problem. I checked both the Java and C# sources of Bouncy Castle and found a difference in the "PkixCertPathValidator" class in the dotnet source: in the validate method, before calling the Rfc3280CertPathUtilities.WrapupCertf(...) method, critical extensions were removed, but the following line was missing in the Dotnet version:

```csharp
criticalExtensions.Remove(X509Extensions.ExtendedKeyUsage.Id);
```

I added this line to the source code then built it and it worked correctly.

ps: The most relevant answer on the internet is this one: [bouncy-castle.1462172.n4.nabble/Certificate-has-unsupported-critical-extension-td1464313.html][1]
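The rule behind the exception, shown as an added Python example (not part of the original post and not Bouncy Castle code): RFC 5280 requires a validator to reject any critical extension it does not process, so a critical Extended Key Usage fails until its OID counts as handled. The DER bytes are constructed samples and the two "handled" sets are illustrative assumptions; once EKU is treated as handled, checking the listed purposes is left to the application.

```python
# Constructed DER samples (not taken from a real certificate):
# basicConstraints 2.5.29.19, critical, cA=TRUE
BC_EXT = bytes.fromhex("300f0603551d130101ff040530030101ff")
# extendedKeyUsage 2.5.29.37, critical, purpose 1.3.6.1.5.5.7.3.9 (as in the question)
EKU_EXT = bytes.fromhex("30160603551d250101ff040c300a06082b06010505070309")
EXTENSIONS = bytes([0x30, len(BC_EXT + EKU_EXT)]) + BC_EXT + EKU_EXT

EKU = "2.5.29.37"
# Illustrative sets of OIDs a validator processes (assumption, not Bouncy Castle's list).
HANDLED_BEFORE = {"2.5.29.15", "2.5.29.19"}
HANDLED_AFTER = HANDLED_BEFORE | {EKU}

def tlvs(data):
    """Yield (tag, value) for each DER element in data."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length

def oid(value):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_extensions(der):
    """Return {oid: (critical, extnValue)} from a DER Extensions SEQUENCE."""
    (_, body), = tlvs(der)
    out = {}
    for _, ext in tlvs(body):
        fields = list(tlvs(ext))
        # critical is BOOLEAN DEFAULT FALSE, so the field may be absent
        critical = fields[1][0] == 0x01 and fields[1][1] != b"\x00"
        out[oid(fields[0][1])] = (critical, fields[-1][1])
    return out

def unsupported_critical(exts, handled):
    """Critical extension OIDs the validator does not process (must be empty)."""
    return sorted(o for o, (crit, _) in exts.items() if crit and o not in handled)

def eku_purposes(exts):
    """Key purpose OIDs the application must check once EKU counts as handled."""
    if EKU not in exts:
        return []
    (_, seq), = tlvs(exts[EKU][1])
    return [oid(v) for _, v in tlvs(seq)]
```
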

Published: 2023-11-02 17:55:51
Article link: https://www.elefans.com/category/jswz/34/1553038.html