C# How can I validate a Root-CA-Cert certificate (x509) chain?


Question

Let's say I have three certificates (in Base64 format)

Root
 |
 --- CA
     |
     --- Cert (client/signing/whatever)



How can I validate the certs and the certificate path/chain in C#? (All three of those certs may not be in my computer's cert store.)

Edit: BouncyCastle has a function to verify this. But I'm trying not to use any third-party library.

    using Org.BouncyCastle.X509;   // BouncyCastle's X509Certificate and X509CertificateParser

    byte[] b1 = Convert.FromBase64String(x509Str1);   // the certificate being checked
    byte[] b2 = Convert.FromBase64String(x509Str2);   // its supposed issuer (CA or root)
    X509Certificate cer1 =
        new X509CertificateParser().ReadCertificate(b1);
    X509Certificate cer2 =
        new X509CertificateParser().ReadCertificate(b2);
    // Checks only the signature on cer1 against cer2's public key; throws
    // (SignatureException) if it does not verify. Validity dates, key usage
    // and revocation are not checked here.
    cer1.Verify(cer2.GetPublicKey());

If cer1 is not signed by cer2 (CA or root), there will be an exception. This is exactly what I want.

Answer

The X509Chain class was designed to do this; you can even customize how it performs the chain-building process.

using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static bool VerifyCertificate(byte[] primaryCertificate, IEnumerable<byte[]> additionalCertificates)
{
    // X509Chain is IDisposable; release its native handles when done.
    using var chain = new X509Chain();

    // ExtraStore supplies candidate issuers for path building. It does not
    // make them trusted: the built path must still end in a root the chain
    // engine trusts (the OS root store, by default).
    foreach (var cert in additionalCertificates.Select(x => new X509Certificate2(x)))
    {
        chain.ChainPolicy.ExtraStore.Add(cert);
    }

    // You can alter how the chain is built/validated.
    // NoCheck skips CRL/OCSP lookups entirely, so a revoked certificate still passes.
    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
    // IgnoreWrongUsage tolerates key-usage / EKU mismatches along the path.
    chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreWrongUsage;

    // Do the validation. When Build() returns false, chain.ChainStatus says why.
    var primaryCert = new X509Certificate2(primaryCertificate);
    return chain.Build(primaryCert);
}



The X509Chain will contain additional information about the validation failure after Build() returns false, if you need it.

Edit: This will merely ensure that your CAs are valid. If you want to ensure that the chain is identical, you can check the thumbprints manually. You can use the following method to ensure that the certification chain is correct; it expects the chain in the order: ..., INTERMEDIATE2, INTERMEDIATE1 (signer of INTERMEDIATE2), CA (signer of INTERMEDIATE1)

using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static bool VerifyCertificate(byte[] primaryCertificate, IEnumerable<byte[]> additionalCertificates)
{
    // X509Chain is IDisposable; release its native handles when done.
    using var chain = new X509Chain();

    // ExtraStore entries are candidate issuers, in the order described above:
    // the leaf's issuer first, the root last.
    foreach (var cert in additionalCertificates.Select(x => new X509Certificate2(x)))
    {
        chain.ChainPolicy.ExtraStore.Add(cert);
    }

    // You can alter how the chain is built/validated.
    // NoCheck skips CRL/OCSP lookups entirely, so a revoked certificate still passes.
    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
    // IgnoreWrongUsage tolerates key-usage / EKU mismatches along the path.
    chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreWrongUsage;

    // Do the preliminary validation (signatures, validity dates, trust anchor).
    var primaryCert = new X509Certificate2(primaryCertificate);
    if (!chain.Build(primaryCert))
        return false;

    // Make sure we have the same number of elements:
    // the primary certificate plus one element per supplied CA.
    if (chain.ChainElements.Count != chain.ChainPolicy.ExtraStore.Count + 1)
        return false;

    // Make sure all the thumbprints of the CAs match up.
    // The first one should be 'primaryCert', leading up to the root CA.
    // Thumbprint is the SHA-1 hash of the DER encoding, used here purely as an
    // identifier; the signatures themselves were already checked by Build().
    for (var i = 1; i < chain.ChainElements.Count; i++)
    {
        if (chain.ChainElements[i].Certificate.Thumbprint != chain.ChainPolicy.ExtraStore[i - 1].Thumbprint)
            return false;
    }

    return true;
}

I can't test this because I don't have a whole CA chain, so it would be best to debug and step through the code.
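The question rules out relying on the computer's certificate store, and ExtraStore alone does not satisfy that: Build() still needs the path to end in a root the chain engine trusts, so a root that is only in ExtraStore yields UntrustedRoot. The following is an added example, not code from the question or the answer above, that builds a root/intermediate/leaf chain in memory (constructed test data), validates the leaf against only the supplied root using X509ChainTrustMode.CustomRootTrust (available since .NET Core 3.0), and then pins the path that was built by SHA-256 fingerprint, the same idea as the thumbprint loop above. The names ChainValidation, Validate and MakeTestChain are this example's own; it assumes .NET 6 or later.

```csharp
// Added example, not from the question or the answer: validate a leaf against
// ONLY a caller-supplied root and intermediate, leaving the OS store out of it.
// Assumes .NET 6+ (X509ChainTrustMode.CustomRootTrust exists since .NET Core 3.0).
// ChainValidation, Validate and MakeTestChain are names chosen for this example.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ChainValidation
{
    // Returns null when 'leaf' chains to 'trustedRoot' through exactly the given
    // intermediates (closest to the leaf first); otherwise a reason string.
    public static string? Validate(X509Certificate2 leaf, X509Certificate2[] intermediates,
                                   X509Certificate2 trustedRoot)
    {
        using var chain = new X509Chain();

        // Only 'trustedRoot' is a trust anchor. With CustomRootTrust the system
        // root store is not consulted, so a path ending anywhere else fails.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(trustedRoot);
        // ExtraStore supplies candidate issuers for path building; it confers no trust.
        chain.ChainPolicy.ExtraStore.AddRange(intermediates);
        // Offline example, hence no CRL/OCSP lookup. NoCheck lets a revoked
        // certificate pass; production code should use Online or Offline.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        if (!chain.Build(leaf))
        {
            // ChainStatus carries the reason(s): UntrustedRoot, PartialChain,
            // NotTimeValid, NotSignatureValid, ...
            return "chain build failed: " + string.Join("; ",
                chain.ChainStatus.Select(s => $"{s.Status}: {s.StatusInformation.Trim()}"));
        }

        // Build() proves that *a* valid path exists. Pin the path actually chosen so
        // a different but valid route (cross-signed issuer, AIA fetch) is rejected.
        // SHA-256 over the DER encoding is used instead of the SHA-1 Thumbprint.
        string[] expected = new[] { leaf }.Concat(intermediates).Append(trustedRoot)
            .Select(c => c.GetCertHashString(HashAlgorithmName.SHA256)).ToArray();
        string[] actual = chain.ChainElements.Cast<X509ChainElement>()
            .Select(e => e.Certificate.GetCertHashString(HashAlgorithmName.SHA256)).ToArray();
        return expected.SequenceEqual(actual)
            ? null
            : "built path differs from the expected chain: " + string.Join(" <- ", actual);
    }

    // Constructed test data: an ECDSA P-256 root -> intermediate -> leaf made in memory.
    public static (X509Certificate2 Root, X509Certificate2 Intermediate, X509Certificate2 Leaf)
        MakeTestChain(string org)
    {
        DateTimeOffset notBefore = DateTimeOffset.UtcNow.AddMinutes(-5);
        using ECDsa rootKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        using ECDsa intKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        using ECDsa leafKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);

        var rootReq = new CertificateRequest($"CN={org} Root", rootKey, HashAlgorithmName.SHA256);
        rootReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        rootReq.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        X509Certificate2 root = rootReq.CreateSelfSigned(notBefore, notBefore.AddYears(10));

        // CA=true with pathLen 0: may issue end-entity certificates only.
        var intReq = new CertificateRequest($"CN={org} Intermediate", intKey, HashAlgorithmName.SHA256);
        intReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, true, 0, true));
        intReq.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        X509Certificate2 intermediate = intReq
            .Create(root, notBefore, notBefore.AddYears(5), new byte[] { 0x02 })
            .CopyWithPrivateKey(intKey);   // the intermediate needs its key to sign the leaf

        var leafReq = new CertificateRequest($"CN={org} Client", leafKey, HashAlgorithmName.SHA256);
        leafReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        leafReq.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true));
        X509Certificate2 leaf = leafReq.Create(intermediate, notBefore, notBefore.AddYears(1), new byte[] { 0x03 });

        return (root, intermediate, leaf);
    }

    static int Main()
    {
        var (root, intermediate, leaf) = MakeTestChain("Example Corp");
        var (otherRoot, _, _) = MakeTestChain("Other Org");

        string? ok = Validate(leaf, new[] { intermediate }, root);
        Console.WriteLine(ok ?? "OK: leaf chains to the pinned root via the pinned intermediate");
        // Wrong trust anchor: no path can end in 'otherRoot', so Build() fails.
        Console.WriteLine(Validate(leaf, new[] { intermediate }, otherRoot));
        // Missing intermediate: no path from the leaf to the root can be built.
        Console.WriteLine(Validate(leaf, Array.Empty<X509Certificate2>(), root));
        return ok == null ? 0 : 1;
    }
}
```

For the question's input, decode each Base64 string with Convert.FromBase64String and wrap the bytes in an X509Certificate2 before passing them to Validate; on .NET 9 prefer X509CertificateLoader.LoadCertificate over the byte[] constructor. Pinning the built path matters because Build() answers "is there some valid chain to a trusted root", not "is it the chain I was given"; a cross-signed or AIA-fetched issuer can satisfy the former while bypassing the latter.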

