C# Validating X509Certificate2: am I doing this right? (c#, ssl, x509certificate2)

Using framework 4.5.1 and the following requirements, am I doing this right?

1. The URL in the certificate must match the given URL.
2. The certificate must be valid and trusted.
3. The certificate must not be expired.

The following passes, but is it sufficient?

In particular, does the call to chain.Build(cert) satisfy 2 above?


If you are trying to verify that an HTTPS certificate is valid, HttpWebRequest can do the verification for you.

To make HttpWebRequest check revocation status you need to set the global ServicePointManager.CheckCertificateRevocationList = true before calling GetResponse (I think it is GetResponse, not the Create call, that matters).

This will check:

- that the certificate chains to a trusted root,
- that the certificate is not expired, and similar conditions,
- that the requested hostname matches the hostname it is supposed to match.

That is the three points you asked about. The hardest one to get right is the hostname match, because:

- there can be multiple SubjectAlternativeName DNS entries, and there is no good way in .NET to ask for them;
- any SubjectAlternativeName DNS entry is allowed to contain a wildcard (*), but the Subject CN value is not, and the .NET API does not tell you which kind of name you got;
- IDNA name normalization, and so on.

In fact, the only thing HttpWebRequest will not do for you automatically is set the global revocation check. You can do that via

using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class StrictHttps
{
    public static HttpWebRequest CreateRequest(Uri uri)
    {
        HttpWebRequest request = WebRequest.Create(uri) as HttpWebRequest;
        request.ServerCertificateValidationCallback = ValidationCallback;
        return request;
    }

    private static bool ValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Since you want to be more strict than the default, reject it if anything went wrong.
        if (sslPolicyErrors != SslPolicyErrors.None)
        {
            return false;
        }

        // If the chain didn't suppress any type of error, and revocation
        // was checked, then it's okay.
        if (chain.ChainPolicy.VerificationFlags == X509VerificationFlags.None &&
            chain.ChainPolicy.RevocationMode == X509RevocationMode.Online)
        {
            return true;
        }

        X509Chain newChain = new X509Chain();
        // Require an online (CRL/OCSP) revocation check; without this the rebuilt
        // chain would default to whatever the system setting is.
        newChain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        // change any other ChainPolicy options you want.
        X509ChainElementCollection chainElements = chain.ChainElements;

        // Skip the leaf cert and stop short of the root cert.
        for (int i = 1; i < chainElements.Count - 1; i++)
        {
            newChain.ChainPolicy.ExtraStore.Add(chainElements[i].Certificate);
        }

        // Use chainElements[0].Certificate since it's the right cert already
        // in X509Certificate2 form, preventing a cast or the sometimes-dangerous
        // X509Certificate2(X509Certificate) constructor.
        // If the chain builds successfully it matches all our policy requests;
        // if it fails, it either failed to build (which is unlikely, since we already had one)
        // or it failed policy (like it's revoked).
        return newChain.Build(chainElements[0].Certificate);
    }
}
And, notably, as the sample code I typed here shows, you only need to check the return value of chain.Build, since it will be false if any certificate is expired or the like. You may also want to check that the root or intermediate certificate, or anything else outside of chain building, is the expected certificate (certificate pinning).

If ServerCertificateValidationCallback returns false, an exception is thrown on GetResponse.

You should try the program out to make sure it works correctly:

Pick your favorite https site and make sure it passes. All of these should fail:
I'm a bit confused by this. Is CheckCertificateRevocationList all that needs to be done, and the rest of the post explains what you need to do if you don't want to use CheckCertificateRevocationList, or is it that even if you set CheckCertificateRevocationList you still need to do the rest?

@alex.peter Setting CheckCertificateRevocationList is all that needs to be done. This can be verified by talking to a revoked endpoint (like the list at the end).

Thanks, so the code given illustrates what additionally needs to be done when not using CheckCertificateRevocationList.
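As an added example (not code from the question or the answer), a stand-alone check that shows what chain.Build(cert) actually covers for requirement 2: it builds the chain with online revocation checking, returns every X509ChainStatus reason behind a false result instead of a bare bool, and optionally pins the root thumbprint as the answer suggests. StrictCertCheck, Validate and the self-signed test certificate are constructed here, and the demo in Main assumes .NET Framework 4.7.2 or later or .NET Core, where CertificateRequest exists.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class StrictCertCheck
{
    // Returns null when the certificate is acceptable, otherwise the reasons it was rejected.
    // expectedRootThumbprint is optional pinning: when supplied, the chain's root must match it.
    public static string[] Validate(X509Certificate2 cert, string expectedRootThumbprint = null)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;      // ask CRL/OCSP
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot; // roots are not revocable
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag; // suppress nothing

            bool ok = chain.Build(cert);
            // Build() already folds expiry, untrusted root, revoked and revocation-unknown
            // into its return value; ChainStatus tells you which of them fired.
            var reasons = chain.ChainStatus
                .Select(s => s.Status + ": " + s.StatusInformation.Trim())
                .ToList();

            if (ok && expectedRootThumbprint != null)
            {
                X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
                if (!string.Equals(root.Thumbprint, expectedRootThumbprint, StringComparison.OrdinalIgnoreCase))
                {
                    ok = false;
                    reasons.Add("Pinning: root thumbprint " + root.Thumbprint + " is not the expected one");
                }
            }
            return ok ? null : reasons.ToArray();
        }
    }

    static void Main()
    {
        // Constructed input: a fresh self-signed certificate. Nothing in the machine's trust
        // store anchors it, so Validate must reject it and report UntrustedRoot.
        using (RSA key = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=example.test", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 selfSigned = req.CreateSelfSigned(DateTimeOffset.Now.AddDays(-1), DateTimeOffset.Now.AddDays(30)))
            {
                string[] why = Validate(selfSigned);
                Console.WriteLine(why == null ? "accepted" : "rejected: " + string.Join("; ", why));
            }
        }
    }
}
```

Swap the self-signed certificate for one obtained from a real TLS handshake (for example the one handed to ServerCertificateValidationCallback) to see a trusted chain return null, and pass the root's thumbprint to see pinning reject an unexpected root.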