Using C#, how to programmatically determine if a certificate in a Windows certificate store has been disabled
I'm currently working on refining communications between mutually authenticated client/server applications using HTTPS. I am currently building validation logic into a C# client to help identify configuration issues when a TLS connection fails.
In verifying the connection, I validate that the root CA certificate presented by the server is installed on the client, in the appropriate store, and is valid. I'm using X509Store to pull the X509Certificate2, and validating it using X509Chain.
My issue is that the certificate will report as valid even if the certificate has been disabled via MMC. So the TLS connection will fail, despite the chain reporting as valid.
It's an unlikely case, but one I'd like to handle by reporting something like "Could not connect because root CA is disabled."
Could anyone point me in the direction of a .NET or Win32 call that could be made to determine the value of "Certificate Purposes" for a certificate? Or to read the "Certificate Status" for a cert?
I read through MSDN's listing of what's in the System.Security.Cryptography namespace, and started looking into CryptoAPI and CNG, but didn't find anything so far.
Thanks!
That dialog does not "disable" a certificate; it disables it "for all purposes". What this means is it counts as having an empty Enhanced Key Usage extension for purposes of EKU validation.
Normally a root certificate (or an intermediate CA certificate) will not have an EKU extension, so if you do a chain build with any ApplicationPolicy value it will be a match. Once you set it to Disable for all purposes you'll get a chain error X509ChainStatusFlags.NotValidForUsage.
If you want to build something for validating TLS you'd check either the Server Authentication or Client Authentication EKUs (depending on what you're checking):
// Server EKU (id-kp-serverAuth) or Client EKU (id-kp-clientAuth); chain is an X509Chain
Oid eku = forServer ? new Oid("1.3.6.1.5.5.7.3.1") : new Oid("1.3.6.1.5.5.7.3.2");
// Test if it's valid for that purpose
chain.ChainPolicy.ApplicationPolicy.Add(eku);
// After Build, a certificate disabled for all purposes shows up in chain.ChainStatus
// with X509ChainStatusFlags.NotValidForUsage (certificate is the X509Certificate2 under test)
bool valid = chain.Build(certificate);
If you want to "Disable" a root CA altogether, add a copy of the certificate to the Disallowed store (called "Untrusted Certificates" in the UI). That will result in a chain build producing X509ChainStatusFlags.ExplicitDistrust.
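The diagnosis the question asks for, put together from the two chain status flags described above, as an added example that is not part of the original answer. It assumes the caller already holds the server's X509Certificate2 (for instance captured from a failed handshake) and that the helper name ChainDiagnostics.Diagnose is hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not the original answer's code). The helper name is
// hypothetical; the OIDs and status flags are the ones named in the answer.
static class ChainDiagnostics
{
    // id-kp-serverAuth and id-kp-clientAuth
    const string ServerAuthOid = "1.3.6.1.5.5.7.3.1";
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";

    public static string Diagnose(X509Certificate2 leaf, bool forServer)
    {
        using (var chain = new X509Chain())
        {
            // Require the chain to be valid for the TLS purpose we care about;
            // a root "disabled for all purposes" has an empty EKU and fails this.
            chain.ChainPolicy.ApplicationPolicy.Add(
                new Oid(forServer ? ServerAuthOid : ClientAuthOid));
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;

            if (chain.Build(leaf))
                return "Chain is valid for " + (forServer ? "server" : "client") + " authentication.";

            // Each element carries its own status list, so we can name the offender
            // (the root CA is the last element in the chain).
            foreach (X509ChainElement element in chain.ChainElements)
            {
                X509ChainStatusFlags flags = element.ChainElementStatus.Aggregate(
                    X509ChainStatusFlags.NoError, (acc, s) => acc | s.Status);

                if ((flags & X509ChainStatusFlags.ExplicitDistrust) != 0)
                    return $"Could not connect because '{element.Certificate.Subject}' is in the Untrusted Certificates store.";

                if ((flags & X509ChainStatusFlags.NotValidForUsage) != 0)
                    return $"Could not connect because '{element.Certificate.Subject}' has been disabled for all purposes.";
            }

            // Anything else (expiry, untrusted root, revocation): summarise the flags.
            string all = string.Join(", ", chain.ChainStatus.Select(s => s.Status.ToString()));
            return "Chain build failed: " + all;
        }
    }
}
```

Check NotValidForUsage only after ExplicitDistrust: a certificate in the Disallowed store can report both, and the distrust is the more specific reason.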