
Comparing bouncycastle x509 with x509certificate2

My use case: I receive emails from various counterparties and they are always signed. I have received their certificate before our communication began, and therefore I have the CORRECT certificate.

I need to verify the certificate they send me originally with the certificate they use when sending a signed email to me.

I have looked through stackoverflow and other forums and they all seem to suggest thumbprint or "GetEncoded" (which is the same as DEREncoded?!)

However I have not been able to find any "official source" that states this is correct.

So what I need is some official source stating that X509Certificate2.GetRawCertData OR Org.BouncyCastle.X509.X509Certificate are unique and therefore can be compared to check for the right certificate.

By official source I mean books, standards, Microsoft website or the like.

This is the code I use to verify an Org.BouncyCastle.X509.X509Certificate with a System.Security.Cryptography.X509Certificates.X509Certificate2:

using System.Collections;
using System.Security.Cryptography.X509Certificates;
using MimeKit.Cryptography;

// Certificate the sender embedded in the S/MIME signature (MimeKit exposes it as a BouncyCastle certificate)
Org.BouncyCastle.X509.X509Certificate signerCertificate = ((SecureMimeDigitalCertificate)signature.SignerCertificate).Certificate;
// Certificate received out of band, before any email was exchanged
System.Security.Cryptography.X509Certificates.X509Certificate2 localCertificate = new X509Certificate2(@"xxx.crt");
// Compare the two DER encodings byte for byte
bool areEqual =
    StructuralComparisons.StructuralEqualityComparer.Equals(signerCertificate.GetEncoded(),
                                                            localCertificate.GetRawCertData());

Can you help me find such a source or point me in the right direction?

What is your exact use case for comparing the certificates?

The normal use case when receiving signed email is that you want to verify the signature to ensure the message is authentic. This is not done by comparing certificates received with a certificate you have stored. What you should do is to verify the digital signature, verifying certificates that they link up to a trusted (by you) root. If you have the sender's certificate beforehand, you can of course consider this as trusted, and simply use your stored certificate to verify the signature of the message received. In this case you can ignore the certificate in the signed email.

What you do exactly is that you verify that the private key used to sign the message actually belongs to who you think it belongs to, by using your trusted public key (in the certificate) to verify the digital signature.
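The following is an added example, not code from the question or the answer. It covers both points raised above: the comparison the question asks about, and the verification the answer recommends. The grounding for the comparison is standards-based: DER (ITU-T X.690) is a distinguished encoding, so a given certificate has exactly one DER byte string, and that byte string covers the whole TBSCertificate plus the issuer's signature over it, so two certificates with identical DER bytes are the same certificate (RFC 5280 additionally requires serial numbers to be unique per issuer). The code assumes .NET 5 or later, the BouncyCastle package the question already uses, and the System.Security.Cryptography.Pkcs package for SignedCms; the signed-data and content byte arrays are parameters you supply from the S/MIME message.

```csharp
// Added example: compare a BouncyCastle certificate with an X509Certificate2, and
// verify an S/MIME (CMS) signature using only the certificate stored beforehand.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using Org.BouncyCastle.Security;
using BcX509Certificate = Org.BouncyCastle.X509.X509Certificate;

public static class PinnedCertificateCheck
{
    // Same certificate if and only if the DER encodings are byte-for-byte identical.
    // GetEncoded() on the BouncyCastle side and RawData on the .NET side both return
    // the DER blob of the certificate (RawData is the property behind GetRawCertData()).
    public static bool SameCertificate(BcX509Certificate bcCert, X509Certificate2 netCert)
    {
        byte[] der = bcCert.GetEncoded();
        // Constant-time compare; for a public certificate this hardly matters, but it costs nothing.
        return CryptographicOperations.FixedTimeEquals(der, netCert.RawData);
    }

    // Equivalent check when only a fingerprint is stored: SHA-256 over the DER bytes.
    // This is what a "thumbprint" is; two different certificates with the same SHA-256
    // would require a hash collision.
    public static bool SameThumbprint(BcX509Certificate bcCert, X509Certificate2 netCert)
    {
        byte[] bcHash = SHA256.HashData(bcCert.GetEncoded());
        byte[] netHash = SHA256.HashData(netCert.RawData);
        return CryptographicOperations.FixedTimeEquals(bcHash, netHash);
    }

    // Alternative route: convert with BouncyCastle's own bridge and compare on the .NET side.
    public static bool SameCertificateViaConversion(BcX509Certificate bcCert, X509Certificate2 netCert)
    {
        X509Certificate2 converted = new X509Certificate2(DotNetUtilities.ToX509Certificate(bcCert));
        return CryptographicOperations.FixedTimeEquals(converted.RawData, netCert.RawData);
    }

    // What the answer recommends: treat the stored certificate as the trust anchor and
    // verify the CMS/PKCS#7 signature with it, ignoring whatever the sender embedded.
    // signedCmsBytes: the DER SignedData (the application/pkcs7-signature part).
    // detachedContent: the signed MIME body for a detached signature, or null if the
    // content is embedded in the SignedData.
    public static bool VerifyWithPinnedCertificate(byte[] signedCmsBytes, byte[] detachedContent, X509Certificate2 pinned)
    {
        SignedCms cms = detachedContent == null
            ? new SignedCms()
            : new SignedCms(new ContentInfo(detachedContent), detached: true);
        cms.Decode(signedCmsBytes);

        if (cms.SignerInfos.Count == 0)
        {
            return false;
        }

        foreach (SignerInfo signer in cms.SignerInfos)
        {
            try
            {
                // verifySignatureOnly: true skips chain building to a root; the trust
                // decision here is the pin below, not a PKI path.
                signer.CheckSignature(new X509Certificate2Collection(pinned), verifySignatureOnly: true);
            }
            catch (CryptographicException)
            {
                return false;
            }

            // CheckSignature may resolve the signer certificate from the certificates
            // carried inside the message as well as from the extra store, so pin
            // explicitly: the certificate that verified the signature must be the stored one.
            if (signer.Certificate == null ||
                !CryptographicOperations.FixedTimeEquals(signer.Certificate.RawData, pinned.RawData))
            {
                return false;
            }
        }
        return true;
    }
}
```

Usage: load the stored certificate with `new X509Certificate2("counterparty.crt")` (placeholder path), hand `VerifyWithPinnedCertificate` the bytes of the pkcs7-signature part and the canonicalised signed body, and treat `false` as "not from the counterparty". The comparison helpers are what the question's `StructuralEqualityComparer` line already does, written against the same DER bytes; the verification helper is the step the answer says should replace a bare certificate comparison, with the pin applied after the signature check so that a certificate the sender embedded cannot substitute for the stored one.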


 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM