如何在RemoteCertificateValidationCallback中验证链? [英] How to verify chain in RemoteCertificateValidationCallback?
问题描述
我有以下代码,试图在我的专用PKI中针对CA验证服务器证书。它与 ServicePointManager
和 RemoteCertificateValidationCallback
一起使用:
I have the following code that attempts to verify a server certificate against the CA in my private PKI. Its used with ServicePointManager
and RemoteCertificateValidationCallback
:
static bool VerifyServerCertificate(object sender, X509Certificate certificate,
X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
X509Certificate2 ca = new X509Certificate2();
ca.Import("ca-rsa-cert.der");
X509Chain chain2 = new X509Chain();
chain2.ChainPolicy.ExtraStore.Add(ca);
// Check all properties
chain2.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
// This setup does not have revocation information
chain2.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain2.Build(new X509Certificate2(certificate));
if (chain2.ChainStatus.Length == 0)
{
return true;
}
bool result = chain2.ChainStatus[0].Status == X509ChainStatusFlags.NoError;
Debug.Assert(result == true);
return result;
}
问题是 chain2.ChainStatus.Length
始终为0。
如果我将 X509RevocationMode
设置为 X509RevocationMode联机
,然后 ChainStatus.Length == 1
,状态设置为 X509ChainStatusFlags.RevocationStatusUnknown
。 (这是预期的,因为测试装备中没有吊销。)
If I set X509RevocationMode
to X509RevocationMode.Online
, then ChainStatus.Length == 1
and the status is set to X509ChainStatusFlags.RevocationStatusUnknown
. (Its expected because there's no revocation in the test rig).
问题:长度为0的 ChainStatus是什么。长度
是什么意思?
Question: What does a 0 length ChainStatus.Length
mean?
问题:如果成功,为什么 X509ChainStatusFlags.NoError
不使用?
Question: If its success, then why is X509ChainStatusFlags.NoError
not used?
推荐答案
如果 ChainStatuts.Lenght = 0;
表示您的链条已正确构建。
您还可以使用 Verify()
函数检查结果。它使用在线吊销模式并使用标准策略验证。
If the ChainStatuts.Lenght = 0;
that means that your chain is correctly built.
You can also check the result with the Verify()
function. It use the Online Revocation mode and use the standard policy verification.
这篇关于如何在RemoteCertificateValidationCallback中验证链?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!