如何完全验证 X509 证书?
[英]How to fully validate a X509 certificate?
问题描述
I need to validate a certificate(X509Certificate2) the same way it´s validated before it is used for communication.
我需要验证证书(X509Certificate2),其验证方式与用于通信之前验证的方式相同。
The X509Certificate2.Verify() will in this case return true while the certificate is not issued to the server it is installed on. X509Certificate2.Verify() 在这种情况下将返回 true,而证书未颁发给安装它的服务器。
Is there any finished code block to do a full validation of the X509 certificate?是否有任何完成的代码块来对 X509 证书进行全面验证?
Regards问候
Edit : This is the code I have tried with :编辑:这是我尝试过的代码:
var certificate = GetServerCertificate(CertificateStore,CertificateLocation,Thumbprint);
if(certificate != null)
{
if(certificate.Verify())
_logger.Log(NLog.LogLevel.Info, $"Yes");
else
_logger.Log(NLog.LogLevel.Info, $"No");
}
1 个解决方案
解决方案1
3 已采纳 2020-02-07 16:31:20
The X509Certificate2.Verify() will in this case return true while the certificate is not issued to the server it is installed on.
The Verify method doesn't check anything about hostnames. Verify方法不检查有关主机名的任何内容。 It verifies that它验证了
- The certificate is not expired.证书没有过期。
- The certificate eventually chains to a trusted root authority.该证书最终链接到受信任的根授权。
- All certificates in the chain have appropriately nested expiration.链中的所有证书都有适当的嵌套过期时间。
- The target certificate, unless it's self-issued, has a revocation endpoint, and is not revoked.目标证书(除非它是自行颁发的)具有吊销端点,并且不会被吊销。
- Any intermediate certificates have revocation endpoints and are not revoked.任何中间证书都有吊销端点并且不会被吊销。
It's exactly equal to它完全等于
using (X509Chain chain = new X509Chain())
{
// Use the default vales of chain.ChainPolicy including:
// RevocationMode = X509RevocationMode.Online
// RevocationFlag = X509RevocationFlag.ExcludeRoot
// VerificationFlags = X509VerificationFlags.NoFlag
// VerificationTime = DateTime.Now
// UrlRetrievalTimeout = new TimeSpan(0, 0, 0)
bool verified = chain.Build(cert);
for (int i = 0; i < chain.ChainElements.Count; i++)
{
chain.ChainElements[i].Certificate.Dispose();
}
return verified;
}
Is there any finished code block to do a full validation of the X509 certificate?
If "full validation" just means all the things Verify does, then yes.如果“完全验证”只是意味着Verify所做的所有事情,那么是的。 If you also care that it's valid for use as a TLS client certificate (or TLS server certificate) then you would use the longer form (using X509Chain directly) and add an application policy requirement before calling chain.Build:如果您还关心它可用作 TLS 客户端证书(或 TLS 服务器证书),那么您将使用更长的形式(直接使用 X509Chain)并在调用 chain.Build 之前添加应用程序策略要求:
// See if it's valid as a TLS server
chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.1"));
// Alternatively, if it's valid as a TLS client
chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2"));
The hostname is much harder.主机名要困难得多。 Client certificates don't have validatable names, it's just up to what the server does with it.客户端证书没有可验证的名称,这取决于服务器如何处理它。 Server certificates have hostname matching against SAN/Subject-CN, but there's nothing built-in that does that check other than just connecting with TLS ( SslStream ).服务器证书具有与 SAN/Subject-CN 匹配的主机名,但除了与 TLS ( SslStream ) 连接之外,没有任何内置的东西可以进行检查。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.