Revoked X509Certificate

How can I programmatically get when an X509Certificate was revoked? I can get information on whether a certificate is revoked, but I need to get when it was revoked. I think that the CRL list has that info, but can someone tell me how to read that?

Revocation status is checked by (a) obtaining CRL lists and checking if the certificate is listed there, and (b) sending an OCSP request to the server to check the same.

.NET doesn't let you do this. CryptoAPI might have some means for these operations, but the easiest is to use a third-party library for .NET. BouncyCastle claims to have some support for OCSP and CRLs, and our SecureBlackbox provides complete support (both client and server components are available) for OCSP and CRL, and also we provide a component which performs complete certificate validation (with all CRL and OCSP checks and HTTP and LDAP communication when needed) with one method call.

Use this API from the x509.h file (OpenSSL 1.0 or above):

X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);

x is the certificate you want to check;
ret is the address of the revocation structure where the reason for the revocation and all the rest is stored;
crl is the CRL.

For future readers.

As already was said, .NET currently does not expose public classes for X.509 certificate revocation lists or for OCSP messaging. Of course, you can write your own code or use 3rd party libraries.

You can try my own CryptoAPI managed extensions from the PowerShell PKI module project (PKI.Core.dll library). There is support for an X509 CRL managed class (built on top of CryptoAPI native functions): the X509CRL2 class. Its RevokedCertificates property stores an array of revoked certificates. In addition, the library includes OCSP messaging classes (completely managed) stored in the PKI.OCSP namespace. If your certificate contains OCSP links in the AIA extension, then you can easily construct an OCSP request from an X509Certificate2 object by instantiating an OCSPRequest object and invoking the OCSPRequest.SendRequest method. The return object is an instance of the OCSPResponse class.

Basically, the code would look like this:

using System;
using System.Security.Cryptography.X509Certificates;
using PKI.OCSP;

public class Class1 {
    public static DateTime? GetrevocationDate(X509Certificate2 cert) {
        OCSPRequest request = new OCSPRequest(cert);
        OCSPResponse response = request.SendRequest();
        if (response.Responses[0].CertStatus == CertificateStatus.Revoked) {
            return response.Responses[0].RevocationInfo.RevocationDate;
        }
        return null;
    }
}

NULL would mean that the certificate is not revoked.

With an X509 CRL the code would look like this:

using System;
using System.Security.Cryptography.X509Certificates;

public class Class1 {
    // crlRawData could instead be of type System.String, passing the path to a CRL file there.
    public static DateTime? GetrevocationDate(X509Certificate2 cert, Byte[] crlRawData) {
        X509CRL2 crl = new X509CRL2(crlRawData);
        X509CRLEntry entry = crl.RevokedCertificates[cert.SerialNumber];
        if (entry != null) {
            return entry.RevocationDate;
        }
        return null;
    }
}
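For readers who cannot take a dependency on PKI.Core.dll: the following is an added example (my own code, not from any answer above or from the PSPKI project) that reads the revocation date straight out of a DER-encoded CRL using the System.Formats.Asn1 reader that ships with .NET 5 and later; the class and method names are mine. It assumes the caller has already downloaded the CRL and verified its signature and validity window, since an unverified CRL proves nothing about revocation.

```csharp
using System;
using System.Formats.Asn1;
using System.Globalization;
using System.Numerics;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the thread): walks TBSCertList.revokedCertificates of a DER CRL
// and returns the revocationDate for the given certificate, or null when it is not listed.
// Assumption: the CRL bytes were fetched by the caller, its signature was verified against
// the issuer certificate, and thisUpdate/nextUpdate were checked before calling this.
public static class CrlLookup
{
    public static DateTimeOffset? GetRevocationDate(byte[] derCrl, X509Certificate2 cert)
    {
        // SerialNumber is big-endian hex; the leading "0" keeps high-bit serials positive.
        BigInteger serial = BigInteger.Parse("0" + cert.SerialNumber, NumberStyles.HexNumber);

        // CertificateList ::= SEQUENCE { tbsCertList, signatureAlgorithm, signatureValue }
        AsnReader tbs = new AsnReader(derCrl, AsnEncodingRules.DER).ReadSequence().ReadSequence();
        if (tbs.PeekTag().HasSameClassAndValue(Asn1Tag.Integer)) tbs.ReadInteger(); // version OPTIONAL
        tbs.ReadSequence();                                       // signature AlgorithmIdentifier
        tbs.ReadSequence();                                       // issuer Name
        ReadTime(tbs);                                            // thisUpdate
        if (tbs.HasData && IsTime(tbs.PeekTag())) ReadTime(tbs); // nextUpdate OPTIONAL
        // revokedCertificates is OPTIONAL: an empty CRL goes straight to crlExtensions [0].
        if (!tbs.HasData || !tbs.PeekTag().HasSameClassAndValue(Asn1Tag.Sequence)) return null;

        AsnReader revoked = tbs.ReadSequence();
        while (revoked.HasData)
        {
            // entry ::= SEQUENCE { userCertificate, revocationDate, crlEntryExtensions OPTIONAL }
            AsnReader entry = revoked.ReadSequence();
            BigInteger entrySerial = entry.ReadInteger();
            DateTimeOffset revocationDate = ReadTime(entry);
            // The reason code, when present, sits in the entry extensions (OID 2.5.29.21).
            if (entrySerial == serial) return revocationDate;
        }
        return null;
    }

    static bool IsTime(Asn1Tag t) =>
        t.HasSameClassAndValue(Asn1Tag.UtcTime) || t.HasSameClassAndValue(Asn1Tag.GeneralizedTime);

    static DateTimeOffset ReadTime(AsnReader r) =>
        r.PeekTag().HasSameClassAndValue(Asn1Tag.UtcTime) ? r.ReadUtcTime() : r.ReadGeneralizedTime();
}
```

Call it as `CrlLookup.GetRevocationDate(File.ReadAllBytes("<path to CRL>"), cert)`; a null result means the serial is absent from that CRL, which only means "not revoked" if the CRL is the current one from the issuer's distribution point.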

The CRL is stored as an OID in the extensions property of the X509Certificate object. The OID FriendlyName and Value are 'CRL Distribution Points' and '2.5.29.31'. Searching the certificate's extensions for an OID with value 2.5.29.31, you can then parse the raw data and get the distribution point(s).

I found the following code sample here. I tested it on both publicly signed certs and internal Microsoft CA certs; it returns the URL or LDAP connection string.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

namespace System.Security.Cryptography.X509Certificates
{
    public static class X509Certificate2Extensions
    {
        /// <summary>
        /// Returns an array of CRL distribution points for X509Certificate2 object.
        /// </summary>
        /// <param name="certificate">X509Certificate2 object.</param>
        /// <returns>Array of CRL distribution points.</returns>
        public static string[] GetCrlDistributionPoints(this X509Certificate2 certificate)
        {
            X509Extension ext = certificate.Extensions.Cast<X509Extension>().FirstOrDefault(
                e => e.Oid.Value == "2.5.29.31");

            if (ext == null || ext.RawData == null || ext.RawData.Length < 11)
                return EmptyStrings;

            int prev = -2;
            List<string> items = new List<string>();
            while (prev != -1 && ext.RawData.Length > prev + 1)
            {
                int next = IndexOf(ext.RawData, 0x86, prev == -2 ? 8 : prev + 1);
                if (next == -1)
                {
                    if (prev >= 0)
                    {
                        string item = Encoding.UTF8.GetString(ext.RawData, prev + 2, ext.RawData.Length - (prev + 2));
                        items.Add(item);
                    }

                    break;
                }

                if (prev >= 0 && next > prev)
                {
                    string item = Encoding.UTF8.GetString(ext.RawData, prev + 2, next - (prev + 2));
                    items.Add(item);
                }

                prev = next;
            }

            return items.ToArray();
        }

        static int IndexOf(byte[] instance, byte item, int start)
        {
            for (int i = start, l = instance.Length; i < l; i++)
                if (instance[i] == item)
                    return i;

            return -1;
        }

        static string[] EmptyStrings = new string[0];
    }
}

The first step is to extract the CRL distribution points from the certificate, and then match your certificate's serial number against the content of the CRL from the distribution point.

Here's an alternative way to extract the CRL distribution points with fewer magic numbers and bit twiddling (tested in .NET Core 2.1):

using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

var path = "<path to signed file>";
// get certificate
var cert = new X509Certificate2(path);
// extract the CRL distribution points information
var crlInfo = cert.Extensions["2.5.29.31"];
// Format(false) renders the extension as one line of human-readable text
var crlDistributionPoints = new AsnEncodedData(crlInfo.Oid, crlInfo.RawData).Format(false);
Console.WriteLine(crlDistributionPoints);
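Format() returns display text that you would still have to split apart. As an added example (my own code, not from the answers above; the class and method names are mine), here is a structural parse of the same extension with System.Formats.Asn1 (.NET 5+) that returns the URIs directly and skips the forms the byte scanner above mishandles, such as name-relative distribution points.

```csharp
using System;
using System.Collections.Generic;
using System.Formats.Asn1;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the thread): parses CRLDistributionPoints (2.5.29.31) by structure
// instead of scanning for the 0x86 byte or splitting AsnEncodedData.Format() output.
public static class CrlDistributionPoints
{
    static readonly Asn1Tag Ctx0 = new Asn1Tag(TagClass.ContextSpecific, 0); // distributionPoint / fullName
    static readonly Asn1Tag Ctx6 = new Asn1Tag(TagClass.ContextSpecific, 6); // GeneralName.uniformResourceIdentifier

    public static List<string> GetUris(X509Certificate2 cert)
    {
        var uris = new List<string>();
        X509Extension ext = cert.Extensions["2.5.29.31"];
        if (ext == null) return uris;                       // no CDP extension: nothing to fetch

        // CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
        AsnReader points = new AsnReader(ext.RawData, AsnEncodingRules.DER).ReadSequence();
        while (points.HasData)
        {
            AsnReader dp = points.ReadSequence();
            // distributionPoint [0] is EXPLICIT because it tags a CHOICE; a point that
            // carries only reasons [1] or cRLIssuer [2] has no name to fetch from.
            if (!dp.HasData || !dp.PeekTag().HasSameClassAndValue(Ctx0)) continue;
            AsnReader dpName = dp.ReadSequence(Ctx0);
            // fullName [0] IMPLICIT GeneralNames; nameRelativeToCRLIssuer [1] needs the
            // issuer DN to be resolved, so it is skipped here.
            if (!dpName.PeekTag().HasSameClassAndValue(Ctx0)) continue;
            AsnReader names = dpName.ReadSequence(Ctx0);
            while (names.HasData)
            {
                if (names.PeekTag().HasSameClassAndValue(Ctx6))
                    uris.Add(names.ReadCharacterString(UniversalTagNumber.IA5String, Ctx6));
                else
                    names.ReadEncodedValue();               // directoryName and other forms: skipped
            }
        }
        return uris;
    }
}
```

Each returned URI normally serves a DER CRL over HTTP; verify that CRL's signature with the issuer's public key before matching the serial number against its entries.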

When you say revoked, do you mean invalid? If it's revoked I wouldn't expect it to arrive at the request in your code as the web server will have got in the way first.

If you use the X509Certificate2, which is derived from X509Certificate, then you have a lot more properties which you can check; there are a number of examples on the link below.

http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2.aspx
