X509Certificate2.Verify() returns false always


Problem description

Facing a really strange issue: X509Certificate2.Verify() returning false for a valid certificate. Maybe someone has already faced this strange scenario before and can shed some light on it.

I am using openssl to generate client certificates for testing purposes. I create a Root CA, generate a client certificate based on that Root CA, and add the Root CA to its chain.

I load the Root CA and the Client Cert into the local certificate store, and it seems ok there, but when I load it from my NUnit code to test it, X509Certificate2.Verify() always returns false.

Here is the code to load the Cert from the store:

        // Open the current user's Personal store read-only and look the client cert up by thumbprint.
        X509Store store = new X509Store(StoreName.My);
        string thumbprint = "60 d1 38 95 ee 3a 73 1e 7e 0d 70 68 0f 2d d0 69 1e 9a eb 72";
        store.Open(OpenFlags.ReadOnly);
        var mCert = store.Certificates.Find(
                                X509FindType.FindByThumbprint,
                                thumbprint,
                                true            // validOnly
                              ).OfType<System.Security.Cryptography.X509Certificates.X509Certificate>().FirstOrDefault();
        store.Close();
        if (mCert != null)
        {
            var testClientCert = new X509Certificate2(mCert);
        }

Here is the Client Cert that I have just generated (the CRL URL is accessible from my local machine correctly):


And here is the CRL file that gets downloaded when I access it from the browser:


Solution

According to the X509Certificate2.Verify documentation:

This method builds a simple chain for the certificate and applies the base policy to that chain. If you need more information about a failure, validate the certificate directly using the X509Chain object.

Therefore I would try to build the chain using this code (replace the Log method with your own implementation; I was using Console.WriteLine):

X509Chain chain = new X509Chain();

try
{
    var chainBuilt = chain.Build(testClientCert);
    Log(string.Format("Chain building status: {0}", chainBuilt));

    // ChainStatus holds one entry per problem found while building the chain
    if (chainBuilt == false)
        foreach (X509ChainStatus chainStatus in chain.ChainStatus)
            Log(string.Format("Chain error: {0} {1}", chainStatus.Status, chainStatus.StatusInformation));
}
catch (Exception ex)
{
    Log(ex.ToString());
}

This code will tell you the reason why the certificate could not be verified. If you need to adjust the chain policy, then set the chain.ChainPolicy property, i.e.

chain.ChainPolicy = new X509ChainPolicy()
{
    RevocationMode = X509RevocationMode.NoCheck,                  // do not fetch the CRL / OCSP response
    VerificationFlags = X509VerificationFlags.IgnoreNotTimeValid, // accept expired or not-yet-valid certificates
    UrlRetrievalTimeout = new TimeSpan(0, 1, 0)                   // wait at most one minute for online retrieval
};
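The diagnosis above, carried through end to end as an added example (not code from the question or the answer): a throwaway root CA and client certificate are built in memory as constructed test data, the bare Verify() result is contrasted with the chain status list, and the untrusted-root problem is then fixed by trusting exactly that test root via X509ChainTrustMode.CustomRootTrust rather than by switching checks off. Assumes .NET 5 or later; the names ChainDiagnostics and Diagnose are this example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the question or the answer. Requires .NET 5+ for CustomRootTrust.
static class ChainDiagnostics
{
    // Builds the chain under the given policy and returns one line per chain error;
    // an empty list means the chain built cleanly.
    public static List<string> Diagnose(X509Certificate2 leaf, X509ChainPolicy policy)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy = policy;
        var problems = new List<string>();
        if (!chain.Build(leaf))
            foreach (X509ChainStatus s in chain.ChainStatus)
                problems.Add($"{s.Status}: {s.StatusInformation.Trim()}");
        return problems;
    }

    public static void Main()
    {
        // Constructed test data: a private root CA and a client certificate it issues.
        using RSA rootKey = RSA.Create(2048);
        using RSA leafKey = RSA.Create(2048);
        var rootReq = new CertificateRequest("CN=Test Root CA", rootKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        rootReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        rootReq.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        rootReq.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(rootReq.PublicKey, false));
        using X509Certificate2 root = rootReq.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));

        var leafReq = new CertificateRequest("CN=TestUser", leafKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        leafReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        leafReq.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.2") }, false)); // clientAuth
        using X509Certificate2 leaf = leafReq.Create(root, DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30), new byte[] { 1 });

        // Same situation as the question: the private root is not a trusted root on this machine, so
        // Verify() is false and says nothing about why. The test certs carry no CRL distribution point,
        // hence NoCheck here; for a cert with a reachable CRL keep the default Online mode and look for
        // RevocationStatusUnknown / OfflineRevocation in the list instead of disabling the check.
        Console.WriteLine($"Verify(): {leaf.Verify()}");
        foreach (string p in Diagnose(leaf, new X509ChainPolicy { RevocationMode = X509RevocationMode.NoCheck }))
            Console.WriteLine("  " + p);   // expect UntrustedRoot

        // Fix: trust exactly this root for the test instead of ignoring errors via VerificationFlags.
        var pinned = new X509ChainPolicy { TrustMode = X509ChainTrustMode.CustomRootTrust, RevocationMode = X509RevocationMode.NoCheck };
        pinned.CustomTrustStore.Add(root);
        List<string> remaining = Diagnose(leaf, pinned);
        Console.WriteLine(remaining.Count == 0 ? "Chain built against pinned test root" : string.Join(Environment.NewLine, remaining));
    }
}
```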

