Validating SSL\TLS certificate in Unity


Question

I have a problem with certificate validation in Unity. I'm using the .Net class HttpWebResponse to make requests and provided a callback function to ServicePointManager.ServerCertificateValidationCallback.

The certificate is signed by authority and works fine in web browser.

The validation fails with statuses: X509ChainStatusFlags.PartialChain X509ChainStatusFlags.RevocationStatusUnknown X509ChainStatusFlags.OfflineRevocation

The problem, as I see it, is an empty root certificate storage and an empty CRL list. I opened the Mono source code and found that this data is supposed to be obtained from X509Store, but somehow it does not contain any Root certificates or CRLs.

I need to implement correct validation of the certificate, not just skip it by returning true in ServerCertificateValidationCallback or hardcoding the certificate's thumbprint, and for doing that I need to provide all the required data.

Supposing that I know the Root authority, I can add it to storage on application start. But it does not work with CRLs. The platform is Android\IOS.

The question is: How can I force Unity to install Roots and CRLs?

Recommended answer

You can install the certificate via X509Store. The installation is persistent, so you only need to call it once. According to X509Certificate2, create a cert from Base64 or DER bytes. It can be exported by openssl: openssl x509 -inform DER -in YOUR_ROOT_CER.cer -out YOUR_BASE64_PEM.pem.

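using System.Security.Cryptography.X509Certificates;

// Adds the given certificate (Base64 or DER bytes) to the current user's Root store.
private static void InstallCertificate(byte[] cert)
{
    X509Certificate2 certificate = new X509Certificate2(cert);
    X509Store store = new X509Store(StoreName.Root, StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadWrite);   // ReadWrite is required to add to the store
    store.Add(certificate);
    store.Close();
}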

Note that StoreLocation.CurrentUser points to /data/data/<your.package.name>/.mono/ while StoreLocation.LocalMachine is /usr/xxx/.mono on Android.
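
Added example, not part of the original question or answer: a ServerCertificateValidationCallback that builds the chain against a root CA bundled with the app instead of relying on the platform store. PinnedRootValidator, Install and rootCertBytes are hypothetical names. It assumes no CRL is reachable, as the question reports, so revocation is not checked.

```csharp
using System.Linq;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class PinnedRootValidator   // hypothetical name
{
    private static X509Certificate2 trustedRoot;

    // rootCertBytes: DER or Base64 bytes of the root CA bundled with the app (assumption).
    public static void Install(byte[] rootCertBytes)
    {
        trustedRoot = new X509Certificate2(rootCertBytes);
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    private static bool Validate(object sender, X509Certificate cert,
                                 X509Chain presented, SslPolicyErrors errors)
    {
        // A missing certificate or a host name mismatch is never acceptable.
        const SslPolicyErrors fatal = SslPolicyErrors.RemoteCertificateNotAvailable
                                    | SslPolicyErrors.RemoteCertificateNameMismatch;
        if (cert == null || (errors & fatal) != 0)
            return false;

        X509Chain chain = new X509Chain();
        chain.ChainPolicy.ExtraStore.Add(trustedRoot);
        // Reuse intermediates the server sent, so the chain can reach the root.
        if (presented != null)
            foreach (X509ChainElement element in presented.ChainElements)
                chain.ChainPolicy.ExtraStore.Add(element.Certificate);

        // Assumption: no CRL is available (as in the question), so revocation is NOT checked.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        // The bundled root is absent from the platform store; tolerate only that condition.
        chain.ChainPolicy.VerificationFlags =
            X509VerificationFlags.AllowUnknownCertificateAuthority;

        if (!chain.Build(new X509Certificate2(cert)))
            return false;   // expired, invalid signature, ...

        // The flag above accepts any unknown root, so require the chain to end at ours.
        X509Certificate2 root =
            chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return root.RawData.SequenceEqual(trustedRoot.RawData);
    }
}
```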
