
Identify if certificate is a host, intermediate, or root cert

I need a way to, given a list of X509Certificate2 objects, classify each as being either a root, intermediate, or host cert.

I've got a TCP service running in a docker container on AWS. I have set up a secret-management system and external provisioning system to provide certs to this service for TLS. However, the certs are PEM and this is infamously painful in C#. After struggling about 5 times over the last 8 years to even load PEM certs when a private key is involved, I have finally solved that cleanly with some new syntax provided in dotnet core. So yay.

Now my application has the certs with the private keys, and the chain, but still cannot make use of them because of the AuthenticateAsServer method interface, which does not allow you to provide a chain. Rather, you provide a certificate and then it will dig a chain out of the cert store if it can, and then you have to look on the other end to see if the chain came out. (I will spare you an hour-long tirade of my feelings about this pattern.) Since I cannot provide a chain, my only option is to install the chain prior to calling AuthenticateAsServer so that the super opaque black box will find them and send them.

Here is the problem. My chain is a big string of the kind you would get by cat'ing together the relevant OpenSSL created cert files. I've already written some code to split that text up into cert chunks and then initialize a collection of X509Certificate2 objects that I can foreach through and install each into a store. But which store? I need a way to check each one and know which store it should go into.

Here is my working idea in pseudocode:

// needs: using System.Linq; using System.Security.Cryptography.X509Certificates;
bool isSelfSigned = cert.Issuer == cert.Subject;
// true only when a basicConstraints extension is present with CA:TRUE;
// a missing extension or CA:FALSE both yield false
bool isCa = cert.Extensions
    .OfType<X509BasicConstraintsExtension>()
    .Any(ext => ext.CertificateAuthority);

bool root = false, intermediate = false, host = false;
if (isCa)
{
   if (isSelfSigned) root = true;
   else intermediate = true;
}
else // "some hopefully affirmative condition" -- see the question below
{
   host = true;
}

Is this reasonable considering the situation? Am I going to hit any unexpected traps with this logic?

Is there any affirmative condition I can check for the host cert, other than it isn't either of the other two?

Your logic is almost correct. Please note that for end-entity certificates (in your terms, host certificates) the following values are possible:

  1. no basicConstraint flag present
  2. basicConstraint:CA:False is present

In both of the above cases it can be interpreted as an end-entity (host) certificate. Please make sure your HasBasicConstraintCA() function checks for both cases. Apart from that, the logic looks simple and wonderful.
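
The classification from the question, with the two end-entity cases from the answer folded in, as an added C# example that is not part of either post. It assumes .NET 5 or later (for X509Certificate2Collection.ImportFromPem and C# 8 syntax), builds a throwaway root / intermediate / host chain in memory with CertificateRequest so it runs without any files (all subject names are constructed test values), and maps each role to the store AuthenticateAsServer will search. The Install helper writes to the real CurrentUser store and is deliberately not called from Main.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

enum CertRole { Root, Intermediate, Host }

static class CertClassifier
{
    // CA:TRUE and self-signed            -> Root
    // CA:TRUE and issued by another cert -> Intermediate
    // basicConstraints absent, or present with CA:FALSE -> Host
    // (both end-entity forms from the answer give isCa == false)
    public static CertRole Classify(X509Certificate2 cert)
    {
        bool isCa = cert.Extensions
            .OfType<X509BasicConstraintsExtension>()
            .Any(ext => ext.CertificateAuthority);

        if (!isCa) return CertRole.Host;
        return IsSelfSigned(cert) ? CertRole.Root : CertRole.Intermediate;
    }

    // Compare the DER-encoded names rather than their string renderings.
    public static bool IsSelfSigned(X509Certificate2 cert) =>
        cert.SubjectName.RawData.AsSpan().SequenceEqual(cert.IssuerName.RawData);

    // Roots go in Root, intermediates in CertificateAuthority, and the
    // server's own cert (the one holding the private key) in My.
    public static StoreName StoreFor(CertRole role) => role switch
    {
        CertRole.Root => StoreName.Root,
        CertRole.Intermediate => StoreName.CertificateAuthority,
        _ => StoreName.My,
    };

    // Parse a cat'ed PEM bundle of OpenSSL output and group certs by target store.
    public static ILookup<StoreName, X509Certificate2> GroupByStore(string pemBundle)
    {
        var certs = new X509Certificate2Collection();
        certs.ImportFromPem(pemBundle);
        return certs.Cast<X509Certificate2>().ToLookup(c => StoreFor(Classify(c)));
    }

    // CurrentUser is used because .NET on Linux treats LocalMachine\Root as read-only.
    public static void Install(X509Certificate2 cert)
    {
        using var store = new X509Store(StoreFor(Classify(cert)), StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadWrite);
        store.Add(cert);
    }
}

static class Demo
{
    // Issue a cert signed by `issuer` (which must hold its private key and carry CA:TRUE).
    // With isCa == false this emits basicConstraints CA:FALSE, the answer's second host form.
    static X509Certificate2 Issue(string subject, RSA key, X509Certificate2 issuer,
                                  bool isCa, byte serial)
    {
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256,
                                         RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(isCa, false, 0, true));
        var now = DateTimeOffset.UtcNow;
        return req.Create(issuer, now, now.AddYears(1), new[] { serial });
    }

    public static void Main()
    {
        var now = DateTimeOffset.UtcNow;
        using var rootKey = RSA.Create(2048);
        var rootReq = new CertificateRequest("CN=Constructed Test Root", rootKey,
                                             HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        rootReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        using var root = rootReq.CreateSelfSigned(now, now.AddYears(10));

        using var interKey = RSA.Create(2048);
        using var interNoKey = Issue("CN=Constructed Test Intermediate", interKey, root, isCa: true, serial: 2);
        using var inter = interNoKey.CopyWithPrivateKey(interKey); // needs its key to sign the host cert

        using var hostKey = RSA.Create(2048);
        using var host = Issue("CN=service.example.test", hostKey, inter, isCa: false, serial: 3);

        foreach (var cert in new[] { root, inter, host })
        {
            var role = CertClassifier.Classify(cert);
            Console.WriteLine($"{cert.Subject,-36} {role,-12} -> {CertClassifier.StoreFor(role)}");
        }
    }
}
```

Two caveats worth keeping in mind when running this against a real bundle: a cross-signed root (issued by another CA) has CA:TRUE but a different issuer, so it is classified as an intermediate, which is also where it belongs for chain building; and the self-signed check only compares names, it does not verify the root's signature against its own public key, so if the bundle comes from a source you do not control, verify it separately (for example with an X509Chain whose trust mode is CustomRootTrust) before installing anything into the Root store.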

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
