Use Certificate Revocation List file with X509 in .Net


Problem description

Need to protect client-server communication. I found a nice approach in .Net Core to generate X509 Certificates (Self-Signed). But there is really a lack of information on how to work with a Certificate Revocation List in .Net Framework. I would appreciate answers to these questions:

  • How to create a CRL file with .Net (without BouncyCastle)? Can it be created as any text file and signed after? If yes, what is the format of the columns?

  • Am I right in understanding that a CRL file could be added to a Certificate? As far as I know, a change to the certificate breaks it.

  • How to add a Certificate to a Certificate Revocation List?

Answer

How to create a CRL file with .Net (without BouncyCastle)?

You can't, .NET natively doesn't ship any API to deal with X.509 CRL files. You have to use 3rd party libraries.

Can it be created as any text file and signed after?

No, it is not a text file.

If yes, what is the format of the columns?

X.509 CRL uses Abstract Syntax Notation One (ASN.1) for its internal representation, and the ASN.1 module is defined in RFC 5280 Appendix A.1 (page 118). Unfortunately, .NET doesn't provide tools to work with raw ASN.1 data (only for well-known and supported high-level types).

If you can't use 3rd party libraries, you will have to learn about ASN.1 (not easy stuff), write your own binary parser and create an X.509 CRL decoder according to the ASN.1 module definition. Here is an example of a binary ASN.1 parser: Asn1Reader.cs, so you can imagine the complexity of writing your own reliable parser. And an example of an X.509 CRL decoder: X509CRL2.cs. I would suggest getting something that already works and using it.

How to add a Certificate to a Certificate Revocation List?

You will have to create an X.509 CRL builder/generator by using an ASN.1 encoder. The CRL entry type is defined as follows:

 revokedCertificates     SEQUENCE OF SEQUENCE  {
      userCertificate         CertificateSerialNumber,
      revocationDate          Time,
      crlEntryExtensions      Extensions OPTIONAL
                               -- if present, version MUST be v2
                           }  OPTIONAL,

This barely makes any sense if you are not familiar with ASN.1, but it reveals some useful things. For example, a CRL entry consists of a certificate serial number (integer) and a revocation date (UTCTime or GeneralizedTime). Optionally, there might be CRL entry extensions, like the revocation reason (ENUMERATED).
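An added example, not part of the answer above and not .NET code: a Python round-trip of one revokedCertificates entry as defined above, hand-encoding the DER tag-length-value bytes a CRL builder would have to emit, with the reasonCode extension (id-ce-cRLReasons, OID 2.5.29.21) carried as an ENUMERATED inside the extension's OCTET STRING. It is in Python so the byte layout is visible without any library; the serial, date and reason values are constructed, only UTCTime dates are handled, and a GeneralizedTime entry is rejected rather than misread.

```python
from datetime import datetime, timezone
# Constructed example (not from the page): DER-encode one RFC 5280 revokedCertificates
# entry (serial INTEGER, UTCTime, optional reasonCode extension) and parse it back.
REASON_CODE_OID = b"\x55\x1d\x15"  # id-ce-cRLReasons (2.5.29.21), DER contents

def _tlv(tag, body):
    """DER tag-length-value; long-form length for bodies over 127 bytes."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _integer(n):  # DER INTEGER: minimal big-endian, leading 0x00 if high bit set
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def encode_crl_entry(serial, revoked_at, reason=None):
    """SEQUENCE { userCertificate, revocationDate, crlEntryExtensions OPTIONAL }."""
    body = _integer(serial) + _tlv(0x17, revoked_at.strftime("%y%m%d%H%M%SZ").encode())
    if reason is not None:
        # Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING holding ENUMERATED }
        ext = _tlv(0x30, _tlv(0x06, REASON_CODE_OID) + _tlv(0x04, _tlv(0x0A, bytes([reason]))))
        body += _tlv(0x30, ext)  # Extensions ::= SEQUENCE OF Extension
    return _tlv(0x30, body)

def _read_tlv(buf, pos=0):  # returns (tag, value, position after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_crl_entry(der):
    """Parse one entry; only UTCTime (tag 0x17) dates are handled here."""
    _, body, _ = _read_tlv(der)  # outer SEQUENCE
    _, serial, pos = _read_tlv(body)
    tag, when, pos = _read_tlv(body, pos)
    if tag != 0x17:
        raise ValueError("UTCTime expected; GeneralizedTime (0x18) not supported")
    entry = {"serial": int.from_bytes(serial, "big"), "reason": None,
             "revoked": datetime.strptime(when.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)}
    if pos < len(body):  # crlEntryExtensions present: inspect the first Extension
        _, ext, _ = _read_tlv(_read_tlv(body, pos)[1])
        _, oid, p = _read_tlv(ext)
        if oid == REASON_CODE_OID:  # ENUMERATED sits inside the OCTET STRING
            entry["reason"] = _read_tlv(_read_tlv(ext, p)[1])[1][0]
    return entry

def demo():
    """Round-trip a constructed entry: serial 0x1234, revoked 2019-06-01, keyCompromise (1)."""
    der = encode_crl_entry(0x1234, datetime(2019, 6, 1, 12, 0, 0, tzinfo=timezone.utc), reason=1)
    return der.hex(), decode_crl_entry(der)
```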
