使用特定 CA 进行 SSL 连接 [英] Use a particular CA for a SSL connection

问题描述

我正在阅读使用 .NET Framework 在您的应用程序中支持证书2.0 尝试确定如何为 SSL 连接设置 CA.

I'm reading through Support Certificates In Your Applications With The .NET Framework 2.0 trying to determine how to set a CA for a SSL connection.

大约在验证证书，MSDN 提供了一些代码:

Around half-way down the article under Validating Certificates, MSDN presents some code:

static void ValidateCert(X509Certificate2 cert)
{
    X509Chain chain = new X509Chain();

    // check entire chain for revocation 
    chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;

    // check online and offline revocation lists
    chain.ChainPolicy.RevocationMode = X509RevocationMode.Online | 
                                           X509RevocationMode.Offline;

    // timeout for online revocation list 
    chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 0, 30);

    // no exceptions, check all properties
    chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

    // modify time of verification
    chain.ChainPolicy.VerificationTime = new DateTime(1999, 1, 1);

    chain.Build(cert);
    if (chain.ChainStatus.Length != 0)
        Console.WriteLine(chain.ChainStatus[0].Status);
    }

然后:

// override default certificate policy
ServicePointManager.ServerCertificateValidationCallback =
    new RemoteCertificateValidationCallback(VerifyServerCertificate);

我觉得我错过了一些非常明显的东西.例如，我不想要回调——我只想说，建立一个 SSL 连接，这是一个值得信任的 CA".但我在上面的代码中没有看到.

I feel like I'm missing something really obvious. For example, I don't want a callback - I just want to say, "establish a SSL connection, and here's the one CA to trust". But I don't see that in the code above.

X509Chain 似乎没有 add 方法来添加 CA 或信任根.CA不应该在回调之前设置吗?但我在上面的代码中没有看到.

X509Chain does not appear to have an add method to add a CA or root of trust. Shouldn't the CA be set before the callback? But I don't see that in the code above.

在 Java 中，它会在加载您想要使用的特定 CA 后使用 TrustManager(或 TrustManagerFactory)完成(例如，请参阅 直接在文件系统上使用 PEM 编码的 CA 证书进行 HTTPS 请求?).

In Java, it would be done with a TrustManager (or TrustManagerFactory) after loading the particular CA you want to use (for an example, see Use PEM Encoded CA Cert on filesystem directly for HTTPS request?).

问题:如何设置 CA 以用于 .Net 或 C# 中的 SSL 连接?

Question: How does one set a CA to use for an SSL connection in .Net or C#?

推荐答案

以下代码将避免 Windows 证书存储并使用文件系统上的 CA 验证链.

The following code will avoid the Windows certificate stores and validate the chain with a CA on the filesystem.

函数名称无关紧要.下面，VerifyServerCertificate 是与 SslStream 类中的 RemoteCertificateValidationCallback 相同的回调.它也可以用于 ServicePointManager 中的 ServerCertificateValidationCallback.

The name of the function does not matter. Below, VerifyServerCertificate is the same callback as RemoteCertificateValidationCallback in SslStream class. It can also be used for the ServerCertificateValidationCallback in ServicePointManager.

static bool VerifyServerCertificate(object sender, X509Certificate certificate,
    X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    try
    {
        String CA_FILE = "ca-cert.der";
        X509Certificate2 ca = new X509Certificate2(CA_FILE);

        X509Chain chain2 = new X509Chain();
        chain2.ChainPolicy.ExtraStore.Add(ca);

        // Check all properties
        chain2.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        // This setup does not have revocation information
        chain2.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        // Build the chain
        chain2.Build(new X509Certificate2(certificate));

        // Are there any failures from building the chain?
        if (chain2.ChainStatus.Length == 0)
            return false;

        // If there is a status, verify the status is NoError
        bool result = chain2.ChainStatus[0].Status == X509ChainStatusFlags.NoError;
        Debug.Assert(result == true);

        return result;
    }
    catch (Exception ex)
    {
        Console.WriteLine(ex);
    }

    return false;
}

我没有想出默认情况下如何使用这个链(chain2)，这样就不需要回调了.也就是说，将它安装在 ssl 套接字上，连接将正常工作".而且我没有想出如何安装它以便将其传递到回调中.也就是说，我必须为每次调用回调构建链.我认为这些是 .Net 中的架构缺陷，但我可能会遗漏一些明显的东西.

I have not figured out how to use this chain (chain2 below) by default such that there's no need for the callback. That is, install it on the ssl socket and the connection will "just work". And I have not figured out how install it such that its passed into the callback. That is, I have to build the chain for each invocation of the callback. I think these are architectural defects in .Net, but I might be missing something obvious.

这篇关于使用特定 CA 进行 SSL 连接的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！