How to extract the AuthorityKeyIdentifier from a X509Certificate2 in .NET
I am looking for a way to extract the AuthorityKeyIdentifier extension from an X509Certificate2 instance. I did not see any built-in support for this but since Windows can properly construct a certificate chain I know the functionality has to exist at some level. If the answer is to roll a DER parser, is there a good implementation that can be referenced?
Iterate through the extensions in the X509Certificate2.Extensions property and look for an extension with the OID 2.5.29.35 (as per http://www.alvestrand.no/objectid/2.5.29.35.html). That is the AuthorityKeyIdentifier extension.
[Edit: Added the following.]
Each member of the Extensions property is ASN encoded. So you can do the following to get it in a human readable or machine parsable format:
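using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
...
// "certificate" is assumed to be the X509Certificate2 being inspected; the indexer returns null if the extension is absent
X509Extension extension = certificate.Extensions["2.5.29.35"]; // The OID 2.5.29.35 extension
AsnEncodedData asndata = new AsnEncodedData(extension.Oid, extension.RawData);
// Format(true) produces a multi-line, human-readable rendering
Console.WriteLine(asndata.Format(true));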
For one of the Microsoft intermediate CA certificates, the Format() method returns the following:
[1]Authority Info Access
Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
Alternative Name:
URL=http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt
It is certainly not easy to parse but you can look for a line starting with the regular expression \\[\\d+\\]Authority Info Access then find a line beneath it with the regular expression URL=(.+) (the eight spaces are unclear in the formatting) and use the URL in the parenthesized group.
There's an easier option available - take some existing component that provides more flexibility in handling certificates. You can use BouncyCastle or our SecureBlackbox.
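Added example, not part of the original question or answers: reading the keyIdentifier field out of the OID 2.5.29.35 extension with the DER reader in System.Formats.Asn1, assuming .NET 5 or later. The class name AuthorityKeyId, the method GetKeyIdentifier and the sample extension bytes are constructed for illustration.

```csharp
using System;
using System.Formats.Asn1;
using System.Security.Cryptography.X509Certificates;

static class AuthorityKeyId
{
    const string AkiOid = "2.5.29.35";

    // AuthorityKeyIdentifier ::= SEQUENCE {
    //   keyIdentifier             [0] IMPLICIT OCTET STRING OPTIONAL,
    //   authorityCertIssuer       [1] IMPLICIT GeneralNames OPTIONAL,
    //   authorityCertSerialNumber [2] IMPLICIT INTEGER OPTIONAL }
    // Returns the keyIdentifier bytes, or null when that field is absent.
    public static byte[]? GetKeyIdentifier(X509Extension extension)
    {
        if (extension == null || extension.Oid?.Value != AkiOid)
            throw new ArgumentException("Not an AuthorityKeyIdentifier extension.");

        var reader = new AsnReader(extension.RawData, AsnEncodingRules.DER);
        AsnReader sequence = reader.ReadSequence();
        reader.ThrowIfNotEmpty(); // reject trailing bytes after the SEQUENCE

        // keyIdentifier is the first field and carries context tag [0].
        var keyIdTag = new Asn1Tag(TagClass.ContextSpecific, 0);
        if (sequence.HasData && sequence.PeekTag().HasSameClassAndValue(keyIdTag))
            return sequence.ReadOctetString(keyIdTag);
        return null; // only issuer name and serial number are present
    }

    static void Main()
    {
        // Constructed sample: SEQUENCE { [0] 20-byte key identifier }.
        // With a real certificate, pass certificate.Extensions["2.5.29.35"].
        byte[] raw = new byte[24];
        raw[0] = 0x30; raw[1] = 0x16;   // SEQUENCE, 22 content bytes
        raw[2] = 0x80; raw[3] = 0x14;   // [0] primitive, 20 content bytes
        for (int i = 0; i < 20; i++) raw[4 + i] = (byte)(0xA0 + i);

        var extension = new X509Extension(AkiOid, raw, false);
        byte[]? keyId = GetKeyIdentifier(extension);
        Console.WriteLine(keyId == null ? "(no keyIdentifier)" : BitConverter.ToString(keyId));
    }
}
```

On .NET 7 and later, the built-in X509AuthorityKeyIdentifierExtension class exposes the same fields without manual parsing.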