X509Certificate2.Verify() method always returns false for a valid certificate

Problem description

I am using smart card for authentication.

The SecurityTokenService (authentication service) is hosted on my machine only. The smart card has a valid certificate and its root certificate is also installed in the Local Computer store on my machine.

When I use the X509Certificate2.Verify method to validate the certificate in my service, it always returns false.

Can someone help me understand why the X509Certificate2.Verify() method always returns false?

Note: I used X509Chain and checked for all the flags (X509VerificationFlags.AllFlags). When I build the chain, it returns true with ChainStatus as RevocationStatusUnknown.

I observed that the X509Certificate2.Verify() method returns true if I write this code in a Windows Forms application. It returns false only in the service-side code. Why so? Strange but true!

Recommended answer

The X509VerificationFlags values are suppressions, so specifying X509VerificationFlags.AllFlags actually prevents Build from returning false in most situations.

The RevocationStatusUnknown response seems particularly relevant. Whichever certificate it is reporting that for cannot be verified to be not revoked. The Verify method can be modeled as

public bool Verify()
{
    using (X509Chain chain = new X509Chain())
    {
        // The defaults, but expressing it here for clarity
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.VerificationTime = DateTime.Now;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        return chain.Build(this);
    }
}
Which, since it is not asserting X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown or X509VerificationFlags.IgnoreEndRevocationUnknown while requesting an X509RevocationMode other than None, fails.

First, you should identify which certificate(s) in the chain is(/are) failing:

using (X509Chain chain = new X509Chain())
{
    // The defaults, but expressing it here for clarity
    chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
    chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
    chain.ChainPolicy.VerificationTime = DateTime.Now;

    chain.Build(cert);

    for (int i = 0; i < chain.ChainElements.Count; i++)
    {
        X509ChainElement element = chain.ChainElements[i];

        if (element.ChainElementStatus.Length != 0)
        {
            Console.WriteLine($"Error at depth {i}: {element.Certificate.Subject}");

            foreach (var status in element.ChainElementStatus)
            {
                Console.WriteLine($"  {status.Status}: {status.StatusInformation}");
            }
        }
    }
}

If you look at any failing certificate in the Windows CertUI (double-click the .cer in Explorer or in the Certificates MMC Snap-In), look for a field named "CRL Distribution Points". These are the URLs that will be retrieved during runtime. Perhaps your system has a data egress restriction that doesn't allow those particular values to be queried for. You can always try issuing a web request from your web service to see if it can fetch the URLs without the context of being in the certificate subsystem.
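An added example (not code from the question or the answer above) that makes the suppression effect visible without a smart card, trust store or network: it generates a throwaway self-signed certificate and runs the same chain build under the three policies discussed, printing per-element status. It assumes .NET Framework 4.7.2+ or .NET Core 2.0+ for CertificateRequest; the method and certificate names are the example's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ChainDiagnostics
{
    // Same policy the answer uses to model X509Certificate2.Verify(), but the
    // per-element status is printed so the failing certificate and reason are
    // visible instead of a bare false.
    public static bool BuildAndReport(X509Certificate2 cert,
                                      X509VerificationFlags flags,
                                      X509RevocationMode mode)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = mode;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.VerificationTime = DateTime.Now;
            chain.ChainPolicy.VerificationFlags = flags;

            bool ok = chain.Build(cert);
            Console.WriteLine($"flags={flags}, mode={mode} -> Build returned {ok}");
            for (int i = 0; i < chain.ChainElements.Count; i++)
            {
                X509ChainElement element = chain.ChainElements[i];
                foreach (X509ChainStatus status in element.ChainElementStatus)
                    Console.WriteLine($"  depth {i} ({element.Certificate.Subject}): {status.Status} {status.StatusInformation}");
            }
            return ok;
        }
    }

    static void Main()
    {
        // Constructed self-signed certificate (hypothetical subject). It is in no
        // trust store, so a strict build must fail with UntrustedRoot.
        using (RSA key = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=demo-smartcard", key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 cert = req.CreateSelfSigned(
                DateTimeOffset.Now.AddDays(-1), DateTimeOffset.Now.AddDays(1)))
            {
                // What Verify() effectively does: NoFlag, so every problem counts -> false.
                BuildAndReport(cert, X509VerificationFlags.NoFlag, X509RevocationMode.NoCheck);
                // What the AllFlags test in the question did: everything suppressed -> true.
                BuildAndReport(cert, X509VerificationFlags.AllFlags, X509RevocationMode.NoCheck);
                // Narrow suppression of only the revocation-unknown conditions the answer
                // names; UntrustedRoot is not covered, so this still returns false.
                BuildAndReport(cert,
                    X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown |
                    X509VerificationFlags.IgnoreEndRevocationUnknown,
                    X509RevocationMode.Online);
            }
        }
    }
}
```

Run it once with the service's real certificate passed to BuildAndReport to see which depth reports RevocationStatusUnknown and which CRL Distribution Point URL that certificate carries.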
