My program contains 2 root certs I know and trust. I have to verify certs of trustcenters and "user" certs issued by the trustcenters which all originate from these 2 root certs.
I use X509Chain class to verify but that only works if the root cert is in the windows certificate store.
I'm looking for a way to verify the certs without importing these root certs - somehow tell the X509Chain class that I do trust these root certs and it should check just the certs in the chain and nothing else.
Actual code:
```csharp
X509Chain chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.ExtraStore.Add(root);  // i do trust this
chain.ChainPolicy.ExtraStore.Add(trust);
chain.Build(cert);
```
Edit: It's a .NET 2.0 Winforms application.
Accepted answer

I opened an Issue on dotnet/corefx and they replied as follows:
If AllowUnknownCertificateAuthority is the only flag set then chain.Build() will return true if
- The chain correctly terminated in a self-signed certificate (via ExtraStore, or searched persisted stores)
- None of the certificates are invalid per the requested revocation policy
- All of the certificates are valid under the (optional) ApplicationPolicy or CertificatePolicy values
- All of the certificates' NotBefore values are at-or-before VerificationTime and all of the certificates' NotAfter values are (at-or-)after VerificationTime.
If that flag is not specified then an additional constraint is added:
- The self-signed certificate must be registered as trusted on the system (e.g. in the LM\Root store).
So, if Build() returns true, you know that a time-valid non-revoked chain is present. The thing to do at that point is read chain.ChainElements[chain.ChainElements.Count - 1].Certificate and determine if it is a certificate that you trust. I recommend comparing chainRoot.RawData to a byte[] representing a certificate that you trust as a root in context (that is, byte-for-byte compare rather than using a thumbprint value).
(If other flags are set then other constraints are also relaxed)
So you should do this:
```csharp
X509Chain chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.ExtraStore.Add(root);
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
var isValid = chain.Build(cert);
var chainRoot = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
// byte-for-byte compare with the trusted root (SequenceEqual needs System.Linq, .NET 3.5+)
isValid = isValid && chainRoot.RawData.SequenceEqual(root.RawData);
```
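The same check generalized to the two pinned roots from the question, as an added example that is not part of the original question or the corefx reply. It assumes the caller has already loaded the pinned roots, the trust-center (intermediate) certificates and the user certificate as X509Certificate2 objects; the byte comparison is written out by hand so it also compiles on .NET 2.0, where LINQ's SequenceEqual is not available.

```csharp
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

// Added example (assumption: caller supplies the certificates as X509Certificate2 objects).
static class PinnedRootValidator
{
    // True only if a time-valid chain is built AND its last element is byte-for-byte
    // one of the pinned roots. Trust never comes from the Windows Root store.
    public static bool Validate(X509Certificate2 leaf,
                                IEnumerable<X509Certificate2> intermediates,
                                IEnumerable<X509Certificate2> pinnedRoots,
                                out string failureReason)
    {
        failureReason = null;
        X509Chain chain = new X509Chain();
        // Lets Build() succeed on a self-signed root that is not in the machine store.
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // as in the question
        // ExtraStore supplies candidates for chain building; it grants no trust by itself.
        foreach (X509Certificate2 c in intermediates) chain.ChainPolicy.ExtraStore.Add(c);
        foreach (X509Certificate2 r in pinnedRoots) chain.ChainPolicy.ExtraStore.Add(r);
        if (!chain.Build(leaf))
        {
            // With the flag set, UntrustedRoot is suppressed, so any remaining
            // status (expired, bad signature, policy violation, ...) is a real failure.
            failureReason = "Build() failed";
            foreach (X509ChainStatus s in chain.ChainStatus)
                failureReason += "; " + s.Status + ": " + s.StatusInformation.Trim();
            return false;
        }
        // The last element is what the chain actually terminated in. A partial chain
        // that stopped at an intermediate will not match any pinned root, as intended.
        X509Certificate2 chainRoot = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        foreach (X509Certificate2 r in pinnedRoots)
            if (BytesEqual(chainRoot.RawData, r.RawData)) return true;
        failureReason = "Chain terminates in an unpinned certificate: " + chainRoot.Subject;
        return false;
    }

    // Byte-for-byte compare of the DER encodings (no thumbprint shortcut).
    static bool BytesEqual(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        for (int i = 0; i < a.Length; i++) if (a[i] != b[i]) return false;
        return true;
    }
}
```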