How to verify chain in RemoteCertificateValidationCallback?


Problem description

I have the following code that attempts to verify a server certificate against the CA in my private PKI. It's used with ServicePointManager and RemoteCertificateValidationCallback:

using System;
using System.Diagnostics;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static bool VerifyServerCertificate(object sender, X509Certificate certificate,
    X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    // Load the private CA certificate that should anchor the server's chain
    X509Certificate2 ca = new X509Certificate2();
    ca.Import("ca-rsa-cert.der");

    // Build a fresh chain with the CA certificate available to the chain builder
    X509Chain chain2 = new X509Chain();
    chain2.ChainPolicy.ExtraStore.Add(ca);

    // Check all properties
    chain2.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

    // This setup does not have revocation information
    chain2.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

    // Build() also returns a bool, but only ChainStatus is inspected here
    chain2.Build(new X509Certificate2(certificate));
    if (chain2.ChainStatus.Length == 0)
    {
        return true;
    }

    // Only the first status entry is examined
    bool result = chain2.ChainStatus[0].Status == X509ChainStatusFlags.NoError;
    Debug.Assert(result == true);

    return result;
}

The problem is that chain2.ChainStatus.Length is always 0.

If I set X509RevocationMode to X509RevocationMode.Online, then ChainStatus.Length == 1 and the status is set to X509ChainStatusFlags.RevocationStatusUnknown. (It's expected because there's no revocation in the test rig.)

Question: What does a 0 length ChainStatus.Length mean?

Question: If it's a success, then why is X509ChainStatusFlags.NoError not used?

Recommended answer

If ChainStatus.Length == 0, that means that your chain is correctly built. You can also check the result with the Verify() function. It uses the Online revocation mode and the standard policy verification.
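To make the answer concrete, here is an added example of the same callback written so that an empty ChainStatus is not the only thing it relies on: it uses the return value of Build(), reports every status entry, and confirms the built chain really terminates at the private CA. This is editor-added code, not the asker's or answerer's; it assumes .NET 5 or later (for X509ChainTrustMode.CustomRootTrust), the CA file name ca-rsa-cert.der from the question, and the class name PrivatePkiValidator is hypothetical.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class PrivatePkiValidator
{
    // Assumed path to the private CA certificate (same file name as in the question).
    private const string CaPath = "ca-rsa-cert.der";

    public static bool VerifyServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (certificate == null) return false;

        using var ca = new X509Certificate2(CaPath);
        using var leaf = new X509Certificate2(certificate);
        using var chain2 = new X509Chain();

        // Trust only the private CA as a root, independent of the machine store (.NET 5+).
        chain2.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain2.ChainPolicy.CustomTrustStore.Add(ca);
        chain2.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        // The test rig publishes no CRL/OCSP, so revocation is not checked here.
        chain2.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        // Build() returns false when any element carries an error status;
        // an empty ChainStatus array simply means no error was recorded.
        if (!chain2.Build(leaf))
        {
            foreach (var status in chain2.ChainStatus)
                Console.Error.WriteLine($"chain error: {status.Status} ({status.StatusInformation?.Trim()})");
            return false;
        }

        // Defence in depth: the last element of a successfully built chain is its root;
        // confirm it is our CA and not some other trusted root.
        var root = chain2.ChainElements[chain2.ChainElements.Count - 1].Certificate;
        bool rootIsOurCa = root.Thumbprint.Equals(ca.Thumbprint, StringComparison.OrdinalIgnoreCase);

        // Host-name mismatch is reported by the caller via sslPolicyErrors, not by X509Chain.
        bool nameOk = (sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) == 0;

        return rootIsOurCa && nameOk;
    }
}
```

Register it with ServicePointManager.ServerCertificateValidationCallback = PrivatePkiValidator.VerifyServerCertificate; on .NET Framework the CustomRootTrust members are unavailable and the ExtraStore approach from the question plus the thumbprint check is the fallback.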
