How do I verify a certificate for KeyUsage


Question

I'm trying to validate a certificate to make sure it has the right keyUsage. But I don't see how I can specify my X509KeyUsageFlags.KeyEncipherment usage flag in this application policy.

This is the code I have so far. Has anyone else got this to work?

using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Cert is assumed to be the raw certificate bytes (byte[]); the question does not show where it comes from.
X509Certificate2 tmpCert = new X509Certificate2(Cert);

X509Chain ch = new X509Chain();
ch.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
ch.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;

// 2.5.29.15 is the OID of the KeyUsage extension, not an application (EKU) policy OID
var kUsage = new System.Security.Cryptography.Oid("2.5.29.15");
ch.ChainPolicy.ApplicationPolicy.Add(kUsage);

bool success = ch.Build(tmpCert);

Answer

The KeyUsage extension is not a part of the chain, as there are no constraints on this extension. As a result, you need two separate procedures:

  1. Validate the certificate chain.
  2. Validate that the individual certificates in the chain meet the additional requirements.

The code provided by @Yacoub lacks an important outcome: when the Key Usage extension is not present in the certificate. In this case, the key is assumed to be valid for all usages, except the keyCertSign and cRLSign usages, for all types of V3 certificates. In the case of a V1 or V2 certificate, the absence of the KeyUsage extension literally means all usages.

I would propose the following code:

using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
// there should go namespace and class definition
...
//
public static bool KeyUsageHasUsage(X509Certificate2 cert, X509KeyUsageFlags flag) {
    // V1 and V2 certificates cannot carry extensions, so every usage is allowed.
    if (cert.Version < 3) { return true; }
    List<X509KeyUsageExtension> extensions = cert.Extensions.OfType<X509KeyUsageExtension>().ToList();
    if (!extensions.Any()) {
        // V3 certificate without KeyUsage: valid for everything except the CA usages.
        return (flag & (X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign)) == 0;
    }
    // Every requested bit must be set (identical to the original test for a single flag).
    return (extensions[0].KeyUsages & flag) == flag;
}

It is implemented as a universal function to validate an arbitrary key usage flag.
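The two-step procedure the answer describes (build the chain first, then test KeyUsage on every element), carried through as an added example that is not part of the original question or answer. It assumes .NET 5 or later (for X509ChainTrustMode.CustomRootTrust and CertificateRequest), and the test CA and leaf certificates are generated in memory so the program runs offline; the names Validate, MakeCa and MakeLeaf are this example's own, not an API of the platform.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the original post): chain building plus a per-certificate
// KeyUsage check, exercised against certificates constructed below. Requires .NET 5+.
static class KeyUsageValidation
{
    // Same rule as the answer: V1/V2 certificates are valid for any usage; a V3
    // certificate without a KeyUsage extension is valid for anything except
    // keyCertSign and cRLSign; otherwise every requested bit must be present.
    public static bool KeyUsageHasUsage(X509Certificate2 cert, X509KeyUsageFlags flag)
    {
        if (cert.Version < 3) return true;
        var ku = cert.Extensions.OfType<X509KeyUsageExtension>().FirstOrDefault();
        if (ku == null)
            return (flag & (X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign)) == 0;
        return (ku.KeyUsages & flag) == flag;
    }

    // Step 1: build the chain against an explicit trust anchor (not the OS store).
    // Step 2: the leaf must carry the requested usage and every issuer must be
    // allowed to sign certificates. Returns the problems found; empty means OK.
    public static List<string> Validate(X509Certificate2 leaf, X509KeyUsageFlags leafUsage,
                                        X509Certificate2 trustedRoot)
    {
        var problems = new List<string>();
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // demo certs publish no CRL/OCSP
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(trustedRoot);

        if (!chain.Build(leaf))
            problems.AddRange(chain.ChainStatus.Select(s => $"chain: {s.Status} {s.StatusInformation}".Trim()));

        var certs = chain.ChainElements.Cast<X509ChainElement>().Select(e => e.Certificate).ToList();
        if (certs.Count > 0 && !KeyUsageHasUsage(certs[0], leafUsage))
            problems.Add($"leaf '{certs[0].Subject}' lacks {leafUsage}");
        foreach (var issuer in certs.Skip(1))
            if (!KeyUsageHasUsage(issuer, X509KeyUsageFlags.KeyCertSign))
                problems.Add($"issuer '{issuer.Subject}' lacks KeyCertSign");
        return problems;
    }

    // Test fixtures constructed for this example: a self-signed CA and the leaves it issues.
    static X509Certificate2 MakeCa()
    {
        var req = new CertificateRequest("CN=Example Test Root CA", RSA.Create(2048),
                                         HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
    }

    static X509Certificate2 MakeLeaf(X509Certificate2 ca, X509KeyUsageExtension? ku, byte serial)
    {
        var req = new CertificateRequest("CN=leaf.example", RSA.Create(2048),
                                         HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        if (ku != null) req.CertificateExtensions.Add(ku);
        return req.Create(ca, DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddMonths(6),
                          new byte[] { serial });
    }

    static void Main()
    {
        var ca = MakeCa();
        // KeyUsage present but only digitalSignature: must fail a KeyEncipherment check.
        var sigOnly = MakeLeaf(ca, new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true), 1);
        // No KeyUsage extension at all: passes for KeyEncipherment under the rule above.
        var noKu = MakeLeaf(ca, null, 2);

        foreach (var (label, cert) in new[] { ("digitalSignature only", sigOnly), ("no KeyUsage", noKu) })
        {
            var problems = Validate(cert, X509KeyUsageFlags.KeyEncipherment, ca);
            Console.WriteLine($"{label}: " + (problems.Count == 0 ? "OK" : string.Join("; ", problems)));
        }
    }
}
```

Run it with `dotnet run`: the first leaf is reported as lacking KeyEncipherment even though its chain builds, and the second is accepted, which is exactly the case the answer says a chain-only check misses. Because the check runs over `ChainElements` rather than only the input certificate, an issuer whose KeyUsage omits keyCertSign is also rejected, and the explicit `CustomTrustStore` avoids the `AllowUnknownCertificateAuthority` flag from the question, which would otherwise let an untrusted chain pass.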
