How do I verify a root CA certificate (x509) chain in C#?


Suppose I have three certificates (in Base64 format):

    Root
     | --- CA
          | --- Cert (client/signing/whatever)

How do I verify the certificate and the certificate path/chain in C#?
(All three certificates may not be in my machine's certificate store.)

Edit: BouncyCastle has a verification function, but I am trying to avoid any third-party libraries.

    using System;
    using Org.BouncyCastle.X509;

    byte[] b1 = Convert.FromBase64String(x509Str1);
    byte[] b2 = Convert.FromBase64String(x509Str2);
    // Parse the DER bytes into BouncyCastle certificate objects.
    X509Certificate cer1 = new X509CertificateParser().ReadCertificate(b1);
    X509Certificate cer2 = new X509CertificateParser().ReadCertificate(b2);
    // Throws if cer1's signature was not produced by the key in cer2.
    cer1.Verify(cer2.GetPublicKey());

If cer1 was not signed by cer2 (the CA or the root), an exception is thrown. That is exactly what I want.

Solution: The X509Chain class is designed to do exactly this, and you can even customize how the chain-building process is carried out.

    using System.Collections.Generic;
    using System.Linq;
    using System.Security.Cryptography.X509Certificates;

    static bool VerifyCertificate(byte[] primaryCertificate, IEnumerable<byte[]> additionalCertificates)
    {
        var chain = new X509Chain();
        foreach (var cert in additionalCertificates.Select(x => new X509Certificate2(x)))
        {
            chain.ChainPolicy.ExtraStore.Add(cert);
        }

        // You can alter how the chain is built/validated.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreWrongUsage;

        // Do the validation.
        var primaryCert = new X509Certificate2(primaryCertificate);
        return chain.Build(primaryCert);
    }

If needed, X509Chain will contain additional information about the validation failure when Build() == false.

Edit: This only makes sure your CA is valid. If you want to make sure the chain is the same, you can check the thumbprints manually. You can use the following method to make sure the certificate chain is correct; it expects the chain in order: …, INTERMEDIATE2, INTERMEDIATE1 (signer of INTERMEDIATE2), CA (signer of INTERMEDIATE1)

    using System.Collections.Generic;
    using System.Linq;
    using System.Security.Cryptography.X509Certificates;

    static bool VerifyCertificate(byte[] primaryCertificate, IEnumerable<byte[]> additionalCertificates)
    {
        var chain = new X509Chain();
        foreach (var cert in additionalCertificates.Select(x => new X509Certificate2(x)))
        {
            chain.ChainPolicy.ExtraStore.Add(cert);
        }

        // You can alter how the chain is built/validated.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreWrongUsage;

        // Do the preliminary validation.
        var primaryCert = new X509Certificate2(primaryCertificate);
        if (!chain.Build(primaryCert))
            return false;

        // Make sure we have the same number of elements.
        if (chain.ChainElements.Count != chain.ChainPolicy.ExtraStore.Count + 1)
            return false;

        // Make sure all the thumbprints of the CAs match up.
        // The first one should be 'primaryCert', leading up to the root CA.
        for (var i = 1; i < chain.ChainElements.Count; i++)
        {
            if (chain.ChainElements[i].Certificate.Thumbprint != chain.ChainPolicy.ExtraStore[i - 1].Thumbprint)
                return false;
        }

        return true;
    }

I can't test this because I don't have a complete CA chain with me, so it's best to debug and step through the code.
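The chain-building approach from the answer above, carried one step further as an added example (not code from the question or the answer): it trusts only the supplied root instead of the machine store, reports the chain status flags when Build() fails, and checks that the built chain is exactly leaf, intermediate, root. It assumes .NET 5 or later (for X509ChainTrustMode.CustomRootTrust and DisableCertificateDownloads) and DER-encoded byte[] inputs; ChainCheck and VerifyAgainstRoot are names chosen here.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the original answer). Requires .NET 5+.
// Inputs are assumed to be DER-encoded certificates, e.g. from Convert.FromBase64String.
static class ChainCheck
{
    public static bool VerifyAgainstRoot(byte[] leafDer, byte[] intermediateDer, byte[] rootDer,
                                         out string failure)
    {
        failure = null;
        using var leaf = new X509Certificate2(leafDer);
        using var intermediate = new X509Certificate2(intermediateDer);
        using var root = new X509Certificate2(rootDer);
        using var chain = new X509Chain();

        // Trust only the supplied root; the machine's root store is not consulted.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(root);
        // Intermediates are candidates for chain building, not trust anchors.
        chain.ChainPolicy.ExtraStore.Add(intermediate);
        // Offline check: no revocation lookup and no AIA fetching of missing issuers.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.DisableCertificateDownloads = true;

        if (!chain.Build(leaf))
        {
            // Surface every status flag (e.g. UntrustedRoot, NotTimeValid, PartialChain).
            failure = string.Join("; ", chain.ChainStatus
                .Select(s => $"{s.Status}: {s.StatusInformation.Trim()}"));
            return false;
        }

        // Build() succeeded; now pin the exact path leaf -> intermediate -> root by thumbprint,
        // so a chain that skipped or substituted the intermediate is rejected.
        string[] expected = { leaf.Thumbprint, intermediate.Thumbprint, root.Thumbprint };
        if (chain.ChainElements.Count != expected.Length)
        {
            failure = $"expected {expected.Length} chain elements, got {chain.ChainElements.Count}";
            return false;
        }
        for (int i = 0; i < expected.Length; i++)
        {
            var actual = chain.ChainElements[i].Certificate.Thumbprint;
            if (!string.Equals(actual, expected[i], StringComparison.OrdinalIgnoreCase))
            {
                failure = $"element {i} is {chain.ChainElements[i].Certificate.Subject}, not the expected certificate";
                return false;
            }
        }
        return true;
    }
}
```

When the root is not in the machine store, the answer's version of Build() fails with UntrustedRoot; this version succeeds for that case because the root is supplied as a custom trust anchor, while anything else that fails is reported through the failure string.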

Original source: http://outofmemory.cn/langs/1260326.html