如何使用 BouncyCastle 检索 X509 证书的 CN 名称

Question

I have a number of PEM files for domain certificates. I've already found out how to read the single PEM objects from a file and I can tell apart certificates from private keys. Now I need to know the subject name for each certificate I find. Unfortunately, there doesn't seem to exist any documentation and I wasn't able to find other users on the web who talked about doing this. Most code that I found was about Java and used names that are not available in the current library (for C# at least). Whether it's an exotic task to read CN values from a certificate or not, I need to do it.

Here's what I found so far:

Install the NuGet package Portable.BouncyCastle 1.8.8

using (var streamReader = new StreamReader("cert.pem"))
{
    var pemReader = new PemReader(streamReader);
    while (true)
    {
        object pemObject = pemReader.ReadObject();
        if (pemObject == null)
            break;
        switch (pemObject)
        {
            case RsaPrivateCrtKeyParameters privateKey:
                Console.WriteLine("Private key");
                break;
            case X509Certificate certificate:
                Console.WriteLine("Certificate");
                // This has ALL entries from the subject, including CN
                Console.WriteLine("  Subject: " + certificate.SubjectDN);

                // This is a convoluted list of lists of lists of stuff that seems to contain
                // the CN values somewhere deep within but I can't figure out how to access it
                var derSequence = certificate.SubjectDN.ToAsn1Object() as DerSequence;
                // And I'm not sure if these are the correct types to use and what other
                // types to be prepared for in real life.

                // Like the below untyped list of untyped lists of stuff seems to be working
                // to extract the alternative names (SAN) from a certificate:
                var altNames = certificate.GetSubjectAlternativeNames()?
                    .OfType<System.Collections.ArrayList>()
                    .SelectMany(l => l.OfType<string>())
                    .ToList();
                if (altNames != null)
                {
                    foreach (string str in altNames)
                    {
                        Console.WriteLine("  Subject alternative name: " + str);
                    }
                }

                break;
        }
    }
}

If BouncyCastle is the wrong tool and I should use a .NET-integrated class (.NET Core 3.1 or 5.0), please let me know and explain that instead. I also need other data like the time a certificate was issued or expires.

Here's the workaround I'm using for now. It's probably a very dowdy method for a thing as complex as X509. But that's the level I understand from it.

var match = Regex.Match(certificate.SubjectDN.ToString(), @"(?:^|,)CN=([^,]+)");
if (match.Success)
{
    Console.WriteLine("  Subject: " + match.Groups[1].Value);
}

Answer 1

Unfortunately, there doesn't seem to exist any documentation

I really doubt in this statement. .NET has built-in functionality to work with certificates: X509Certificate2 class.

And here how the code would look like to get CN (when present. If not present, then most suitable RDN attribute or subject alternative name is returned):

using System.Security.Cryptography.X509Certificates; // ref namespace

//
var cert = new X509Certificate2("cert.pem");
Console.WriteLine("  Subject: " + cert.GetNameInfo(X509NameType.DnsName, false));

For certificate validity or other data, please explore X509Certificate2 properties .

Answer 2

I think you were on the right track with your approch on the SubjectDN member.

Here is a one-liner working example extracting the CN= using Linq (it defaults to empty string if there is no CN=name in the subject):

certificate.SubjectDN.GetValueList(X509Name.CN).Cast<string>().FirstOrDefault() ?? "";