如何在验证过程中使用本地CRL文件(C#)检查客户端证书吊销 [英] How to check client certificate revocation during validation process with local CRL file (C#)
问题描述
我正在尝试使用 HttpClientHandler.ServerCertificateCustomValidationCallback 验证客户端证书.我已经使用 ChainPolicy 参数构建了 x509chain .
I am trying to validate a client certificate using HttpClientHandler.ServerCertificateCustomValidationCallback. I have built my x509chain with my ChainPolicy parameters.
我在本地拥有我的CRL(.pem)文件,我想将其添加到吊销过程中.
I have locally my CRL (.pem) file and i would like to add it to the revocation process.
I was thinking of doing something like CRL validation, importing into my X509Certificate an X509Extension with a distributionPoint oid but i have trouble understanding it.
这是我的一部分回调代码
Here is a piece of my callback code
private static Func<HttpRequestMessage, X509Certificate2, X509Chain, SslPolicyErrors, bool>
ServerCertificateCustomValidationCallback()
{
return (sender, cert, chain, sslPolicyErrors) =>
{
X509Certificate2 ca = new X509Certificate2(@"pathToCa\\ca.crt");
X509Chain chai = new X509Chain();
chai.ChainPolicy.ExtraStore.Add(ca);
chai.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
chai.ChainPolicy.RevocationMode = X509RevocationMode.Online;
chai.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
chai.ChainPolicy.VerificationTime = DateTime.Now;
try
{
if (!chai.Build(cert))
{
return false;
}
foreach (X509ChainStatus status in chai.ChainStatus)
{
if (status.Status == X509ChainStatusFlags.UntrustedRoot) continue;
if (status.Status == X509ChainStatusFlags.OfflineRevocation) continue;
if (status.Status == X509ChainStatusFlags.RevocationStatusUnknown) continue;
return false;
}
}
catch (Exception e)
{
throw e;
}
return true;
};
}
感谢您的帮助&澄清
Thank for your help & clarification
推荐答案
如果您想托管自己的CRL,则需要在某处设置服务器,以便可以像html页面一样托管您的crl.
If you want to host your own CRL, you will need server set up somewhere, so it can host your crl just like an html page.
例如,如果您使用openSSL或最好使用 LibreSSL 创建自己的证书,请在配置文件中添加以下内容:
So, for example, if you using openSSL or preferably LibreSSL to create your own certs, in your config file, you will add the following:
crlDistributionPoints = URI:http://myserver.com/mycert.crl
nsCaRevocationUrl = http://myserver.com/mycert.crl
(您可以尝试使用指向上述键的绝对路径,但是如果它确实让我知道,我不确定这是否行得通)
(You could try using absolute paths to the keys above, but I am not sure that would work, if it does let me know)
有一些教程可以帮助您进行此设置, https://jamielinux.com/docs/openssl-certificate-authority/非常好且详细.
There are several tutorials to help get this set up, https://jamielinux.com/docs/openssl-certificate-authority/ is pretty good and detailed.
当我自己进行此操作时,我发现当您调用构建链时,.Net框架会检查该链,因此您无需添加任何额外的代码来确保它自动检查CRL,从而确保CRL自动发生.(您可以通过检查服务器日志文件来检查是否已获取crl)
While doing this myself, I found that when you call build chain, the .Net framework checks the chain, so you should not need to add and extra code to insure that it checks the CRL as this happens automatically. (You can check that the crl is being fetched by checking your server log files)
您可以通过将自己的证书添加到CRL中进行测试,并且应该会发现
You can test this by adding your own cert to your CRL, and you should find that you get
X509ChainStatusFlags.Revoked
希望有帮助
这篇关于如何在验证过程中使用本地CRL文件(C#)检查客户端证书吊销的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
