.net 如何解析X509Certificate2中的主题备用名称?
有没有一种简单的方法可以从X509Certificate2对象中获取主题替代名称.net 如何解析X509Certificate2中的主题备用名称?,.net,certificate,x509certificate2,.net,Certificate,X509certificate2,有没有一种简单的方法可以从X509Certificate2对象中获取主题替代名称 foreach (X509Extension ext in certificate.Extensions) { if (ext.Oid.Value.Equals(/* SAN OID */"2.5.29.17")) { byte[] raw = ext.RawData; /
foreach (X509Extension ext in certificate.Extensions)
{
if (ext.Oid.Value.Equals(/* SAN OID */"2.5.29.17"))
{
byte[] raw = ext.RawData;
// ?????? parse to get type and name ????????
}
}
将扩展名的名称用于可打印版本
X509Certificate2 cert = /* your code here */;
foreach (X509Extension extension in cert.Extensions)
{
// Create an AsnEncodedData object using the extensions information.
AsnEncodedData asndata = new AsnEncodedData(extension.Oid, extension.RawData);
Console.WriteLine("Extension type: {0}", extension.Oid.FriendlyName);
Console.WriteLine("Oid value: {0}",asndata.Oid.Value);
Console.WriteLine("Raw data length: {0} {1}", asndata.RawData.Length, Environment.NewLine);
Console.WriteLine(asndata.Format(true));
}
要从证书中获取“使用者备选名称”,请执行以下操作:
X509Certificate2 cert = /* your code here */;
Console.WriteLine("UpnName : {0}{1}", cert.GetNameInfo(X509NameType.UpnName, false), Environment.NewLine);
我创建了一个函数来执行此操作:
private static List<string> ParseSujectAlternativeName(X509Certificate2 cert)
{
var result = new List<string>();
var subjectAlternativeName = cert.Extensions.Cast<X509Extension>()
.Where(n => n.Oid.FriendlyName.EqualsCase(SubjectAlternativeName))
.Select(n => new AsnEncodedData(n.Oid, n.RawData))
.Select(n => n.Format(true))
.FirstOrDefault();
if (subjectAlternativeName != null)
{
var alternativeNames = subjectAlternativeName.Split(new[] { "\r\n", "\r", "\n" }, StringSplitOptions.None);
foreach (var alternativeName in alternativeNames)
{
var groups = Regex.Match(alternativeName, @"^DNS Name=(.*)").Groups;
if (groups.Count > 0 && !String.IsNullOrEmpty(groups[1].Value))
{
result.Add(groups[1].Value);
}
}
}
return result;
}
私有静态列表ParseSujectAlternativeName(X509Certificate2Cert)
{
var result=新列表();
var subjectAlternativeName=cert.Extensions.Cast()
.Where(n=>n.Oid.FriendlyName.equalCase(SubjectAlternativeName))
.Select(n=>newasnencodeddata(n.Oid,n.RawData))
.Select(n=>n.Format(true))
.FirstOrDefault();
if(subjectAlternativeName!=null)
{
var alternativeNames=subjectAlternativeName.Split(新[]{“\r\n”,“\r”,“\n”},StringSplitOptions.None);
foreach(alternativeNames中的变量alternativeName)
{
var groups=Regex.Match(可选名称,@“^DNS名称=(.*)).groups;
if(groups.Count>0&&!String.IsNullOrEmpty(groups[1].Value))
{
结果。添加(组[1]。值);
}
}
}
返回结果;
}
根据Minh的回答,这里有一个自包含的静态函数,它将返回所有这些函数
public static IEnumerable<string> ParseSujectAlternativeNames(X509Certificate2 cert)
{
Regex sanRex = new Regex(@"^DNS Name=(.*)", RegexOptions.Compiled | RegexOptions.CultureInvariant);
var sanList = from X509Extension ext in cert.Extensions
where ext.Oid.FriendlyName.Equals("Subject Alternative Name", StringComparison.Ordinal)
let data = new AsnEncodedData(ext.Oid, ext.RawData)
let text = data.Format(true)
from line in text.Split(new char[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries)
let match = sanRex.Match(line)
where match.Success && match.Groups.Count > 0 && !string.IsNullOrEmpty(match.Groups[1].Value)
select match.Groups[1].Value;
return sanList;
}
公共静态IEnumerable ParseSujectAlternativeNames(X509Certificate2Cert)
{
Regex sanRex=new Regex(@“^DNS Name=(.*),RegexOptions.Compiled | RegexOptions.CultureInvariant);
var sanList=来自证书扩展中的X509Extension ext
其中ext.Oid.FriendlyName.Equals(“主题备选名称”,StringComparison.Ordinal)
let data=new AsnEncodedData(ext.Oid,ext.RawData)
让text=data.Format(true)
从text.Split中的行(新字符[]{'\r','\n'},StringSplitOptions.RemoveEmptyEntries)
让match=sanRex.match(行)
其中match.Success&&match.Groups.Count>0&&!string.IsNullOrEmpty(match.Groups[1].Value)
选择match.Groups[1].Value;
返回列表;
}
对于.net核心,更重要的是需要一种跨平台的方法来实现这一点@Jason Shuler解决方案仅适用于windows,但通过一些额外的工作,可以独立于平台。我在下面的代码片段中修改了WCF使用的代码(MIT许可)
//改编自https://github.com/dotnet/wcf/blob/a9984490334fdc7d7382cae3c7bc0c8783eacd16/src/System.Private.ServiceModel/src/System/IdentityModel/Claims/X509CertificateClaimSet.cs
//我们没有强类型扩展来解析Subject Alt name,所以我们必须做一个变通方法
//通过使用已知的扩展来确定标识符、分隔符和分隔符是什么
//如果https://github.com/dotnet/corefx/issues/22068 无论去哪里,我们都可以把它移除
私有静态类X509SubjectAlternativeNameParser
{
专用常量字符串SAN_OID=“2.5.29.17”;
私有静态只读字符串平台\u标识符;
专用静态只读字符平台分隔符;
专用静态只读字符串平台\u分离器;
静态X509SubjectAlternativeNameParser()
{
//提取了一个著名的X509扩展
字节[]x509ExtensionBytes=新字节[]{
48, 36, 130, 21, 110, 111, 116, 45, 114, 101, 97, 108, 45, 115, 117, 98, 106, 101, 99,
116, 45, 110, 97, 109, 101, 130, 11, 101, 120, 97, 109, 112, 108, 101, 46, 99, 111, 109
};
const string subjectName1=“非真实的主题名”;
X509Extension X509Extension=新的X509Extension(SAN_OID,x509ExtensionBytes,true);
字符串x509ExtensionFormattedString=x509Extension.Format(false);
//每个操作系统都有不同的dNSName标识符和分隔符
//在Windows上,dNSName==“DNS名称”(可本地化),在Linux上,dNSName==“DNS”
//例如:。,
//Windows:x509ExtensionFormattedString是:“DNS名称=非真实的使用者名称,DNS名称=example.com”
//Linux:x509ExtensionFormattedString是:“DNS:不是真实的主题名,DNS:example.com”
//解析:
int delimiterIndex=x509ExtensionFormattedString.IndexOf(subjectName1)-1;
平台分隔符=x509ExtensionFormattedString[delimiterIndex];
//假设从字符串开始到分隔符的所有字符
//是标识符的一部分
平台_标识符=x509ExtensionFormattedString.Substring(0,delimiterIndex);
int separatorFirstChar=delimiterIndex+subjectName1.Length+1;
int分隔符长度=1;
for(int i=separatorFirstChar+1;iext.Oid.Value.Equals(SAN_-Oid))//仅使用SAN扩展
.Select(ext=>newasnencodeddata(ext.Oid,ext
// Adapted from https://github.com/dotnet/wcf/blob/a9984490334fdc7d7382cae3c7bc0c8783eacd16/src/System.Private.ServiceModel/src/System/IdentityModel/Claims/X509CertificateClaimSet.cs
// We don't have a strongly typed extension to parse Subject Alt Names, so we have to do a workaround
// to figure out what the identifier, delimiter, and separator is by using a well-known extension
// If https://github.com/dotnet/corefx/issues/22068 ever goes anywhere, we can remove this
private static class X509SubjectAlternativeNameParser
{
private const string SAN_OID = "2.5.29.17";
private static readonly string platform_identifier;
private static readonly char platform_delimiter;
private static readonly string platform_seperator;
static X509SubjectAlternativeNameParser()
{
// Extracted a well-known X509Extension
byte[] x509ExtensionBytes = new byte[] {
48, 36, 130, 21, 110, 111, 116, 45, 114, 101, 97, 108, 45, 115, 117, 98, 106, 101, 99,
116, 45, 110, 97, 109, 101, 130, 11, 101, 120, 97, 109, 112, 108, 101, 46, 99, 111, 109
};
const string subjectName1 = "not-real-subject-name";
X509Extension x509Extension = new X509Extension(SAN_OID, x509ExtensionBytes, true);
string x509ExtensionFormattedString = x509Extension.Format(false);
// Each OS has a different dNSName identifier and delimiter
// On Windows, dNSName == "DNS Name" (localizable), on Linux, dNSName == "DNS"
// e.g.,
// Windows: x509ExtensionFormattedString is: "DNS Name=not-real-subject-name, DNS Name=example.com"
// Linux: x509ExtensionFormattedString is: "DNS:not-real-subject-name, DNS:example.com"
// Parse: <identifier><delimter><value><separator(s)>
int delimiterIndex = x509ExtensionFormattedString.IndexOf(subjectName1) - 1;
platform_delimiter = x509ExtensionFormattedString[delimiterIndex];
// Make an assumption that all characters from the the start of string to the delimiter
// are part of the identifier
platform_identifier = x509ExtensionFormattedString.Substring(0, delimiterIndex);
int separatorFirstChar = delimiterIndex + subjectName1.Length + 1;
int separatorLength = 1;
for (int i = separatorFirstChar + 1; i < x509ExtensionFormattedString.Length; i++)
{
// We advance until the first character of the identifier to determine what the
// separator is. This assumes that the identifier assumption above is correct
if (x509ExtensionFormattedString[i] == platform_identifier[0])
{
break;
}
separatorLength++;
}
platform_seperator = x509ExtensionFormattedString.Substring(separatorFirstChar, separatorLength);
}
public static IEnumerable<string> ParseSubjectAlternativeNames(X509Certificate2 cert)
{
return cert.Extensions
.Cast<X509Extension>()
.Where(ext => ext.Oid.Value.Equals(SAN_OID)) // Only use SAN extensions
.Select(ext => new AsnEncodedData(ext.Oid, ext.RawData).Format(false)) // Decode from ASN
// This is dumb but AsnEncodedData.Format changes based on the platform, so our static initialization code handles making sure we parse it correctly
.SelectMany(text => text.Split(platform_seperator, StringSplitOptions.RemoveEmptyEntries))
.Select(text => text.Split(platform_delimiter))
.Where(x => x[0] == platform_identifier)
.Select(x => x[1]);
}
}
namespace MyExtensions
{
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;
public static class X509Certificate2Extensions
{
private const string SubjectAlternateNameOID = "2.5.29.17";
private static readonly Regex _dnsNameRegex = new Regex(@"^DNS Name=(.+)");
public static List<string> SubjectAlternativeNames(this X509Certificate2 cert)
{
var subjectAlternativeName = cert.Extensions.Cast<X509Extension>()
.Where(n => n.Oid.Value == SubjectAlternateNameOID)
.Select(n => new AsnEncodedData(n.Oid, n.RawData))
.Select(n => n.Format(true))
.FirstOrDefault();
return string.IsNullOrWhiteSpace(subjectAlternativeName)
? new List<string>()
: subjectAlternativeName.Split(new[] {"\r\n", "\r", "\n"}, StringSplitOptions.RemoveEmptyEntries)
.Select(n => _dnsNameRegex.Match(n))
.Where(r => r.Success && !string.IsNullOrWhiteSpace(r.Groups[1].Value))
.Select(r => r.Groups[1].Value)
.ToList();
}
}
}
private const string SAN_OID = "2.5.29.17";
private static int ReadLength(ref Span<byte> span)
{
var length = (int)span[0];
span = span[1..];
if ((length & 0x80) > 0)
{
var lengthBytes = length & 0x7F;
length = 0;
for (var i = 0; i < lengthBytes; i++)
{
length = length * 0x100 + span[0];
span = span[1..];
}
}
return length;
}
public static IList<string> ParseSubjectAlternativeNames(byte[] rawData)
{
var result = new List<string>(); // cannot yield results when using Span yet
if (rawData.Length < 1 || rawData[0] != '0')
{
throw new InvalidDataException("They told me it will start with zero :(");
}
var data = rawData.AsSpan(1);
var length = ReadLength(ref data);
if (length != data.Length)
{
throw new InvalidDataException("I don't know who I am anymore");
}
while (!data.IsEmpty)
{
var type = data[0];
data = data[1..];
var partLength = ReadLength(ref data);
if (type == 135) // ip
{
result.Add(new IPAddress(data[0..partLength]).ToString());
} else if (type == 160) // upn
{
// not sure how to parse the part before \f
var index = data.IndexOf((byte)'\f') + 1;
var upnData = data[index..];
var upnLength = ReadLength(ref upnData);
result.Add(Encoding.UTF8.GetString(upnData[0..upnLength]));
} else // all other
{
result.Add(Encoding.UTF8.GetString(data[0..partLength]));
}
data = data[partLength..];
}
return result;
}
public static IEnumerable<string> ParseSubjectAlternativeNames(X509Certificate2 cert)
{
return cert.Extensions
.Cast<X509Extension>()
.Where(ext => ext.Oid.Value.Equals(SAN_OID))
.SelectMany(x => ParseSubjectAlternativeNames(x.RawData));
}
byte[] sanExtension =
{
0x30, 0x31, 0x82, 0x0B, 0x65, 0x78, 0x61, 0x6D,
0x70, 0x6C, 0x65, 0x2E, 0x6F, 0x72, 0x67, 0x82,
0x0F, 0x73, 0x75, 0x62, 0x2E, 0x65, 0x78, 0x61,
0x6D, 0x70, 0x6C, 0x65, 0x2E, 0x6F, 0x72, 0x67,
0x82, 0x11, 0x2A, 0x2E, 0x73, 0x75, 0x62, 0x2E,
0x65, 0x78, 0x61, 0x6D, 0x70, 0x6C, 0x65, 0x2E,
0x6F, 0x72, 0x67,
};
AsnEncodedData asnData = new AsnEncodedData(
new Oid("2.5.29.17"),
sanExtension);
string s = asnData.Format(false);
// Windows says: "DNS Name=example.org, DNS Name=sub.example.org, DNS Name=*.sub.example.org"
// X-Plat (OpenSSL) says: "DNS:example.org, DNS:sub.example.org, DNS:*.sub.example.org".
// This keeps the parsing generalized until we can get them to converge
string[] parts = s.Split(new[] { ':', '=', ',' }, StringSplitOptions.RemoveEmptyEntries);
// Parts is now { header, data, header, data, header, data }.
string[] output = new string[parts.Length / 2];
for (int i = 0; i < output.Length; i++)
{
output[i] = parts[2 * i + 1];
}