How do I manually validate a self-signed certificate in C#?

Cod*_*ody 0 c# validation ssl certificate self-signed

Over the past few weeks I've been doing a lot of work in Docker containers, and I hit a snag: self-signed certificates cause problems because the Docker container does not recognise the certificate authority.


The problem is that I can't put my own certificate into the server configuration because of the way we use Docker at my company.


Cod*_*ody 5

After a lot of research I came up with a solution that verifies the certificate manually, based on building the chain and a thumbprint check.


Note: you must use a library that supports a certificate-validation callback so that you can write your own delegate method. My implementation is below.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static bool ManualSslVerification(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    try
    {
        // Testing to see if the certificate and chain build properly, aka no forgery.
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.Build(new X509Certificate2(certificate));

        // Looking to see if there are no errors in the build that we don't like.
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            if (status.Status == X509ChainStatusFlags.NoError || status.Status == X509ChainStatusFlags.UntrustedRoot)
            {
                // Acceptable status: we only want to know whether it builds properly.
            }
            else
            {
                return false;
            }
        }

        // The private root CA is shipped as an embedded resource of the project.
        X509Certificate2 trustedRootCertificateAuthority = new X509Certificate2(ViewController.Properties.Resources.My_Infrastructure_Root_CA);

        // Now that we have tested that the cert builds properly, check whether the thumbprint of the root CA matches our trusted one.
        // (The last chain element is the root; the original used an en dash here, which does not compile.)
        if (chain.ChainElements[chain.ChainElements.Count - 1].Certificate.Thumbprint != trustedRootCertificateAuthority.Thumbprint)
        {
            return false;
        }

        // Once the thumbprint is verified, the last check is to build a chain with our trusted root in the extra store
        // and see whether the remote cert builds properly against it.
        X509Chain trustedChain = new X509Chain();
        trustedChain.ChainPolicy.ExtraStore.Add(trustedRootCertificateAuthority);
        trustedChain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        trustedChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        trustedChain.Build(new X509Certificate2(certificate));

        // Looking to see if there are no errors in the build that we don't like.
        foreach (X509ChainStatus status in trustedChain.ChainStatus)
        {
            if (status.Status == X509ChainStatusFlags.NoError || status.Status == X509ChainStatusFlags.UntrustedRoot)
            {
                // Acceptable status: we only want to know whether it builds properly.
            }
            else
            {
                return false;
            }
        }
    }
    catch (Exception ex)
    {
        Console.WriteLine(ex);
        return false;
    }

    return true;
}
```
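The same pinning idea as the answer above, written as an added example (not the answer author's code) for .NET 5 or later, where `X509ChainTrustMode.CustomRootTrust` lets the chain be built against only the private root instead of tolerating `UntrustedRoot`; it also rejects hostname mismatches, which the callback above does not look at. The file path and the `PinnedRootValidator` name are assumptions for illustration.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class PinnedRootValidator
{
    // Hypothetical location of the private root CA (DER or PEM); the original answer
    // loads it from an embedded resource instead.
    public const string RootCaPath = "/etc/myapp/private-root-ca.crt";

    // Builds a callback for HttpClientHandler.ServerCertificateCustomValidationCallback.
    public static Func<HttpRequestMessage, X509Certificate2, X509Chain, SslPolicyErrors, bool>
        Create(X509Certificate2 trustedRoot)
    {
        return (request, serverCert, _, sslPolicyErrors) =>
        {
            // A missing certificate or a hostname mismatch is never acceptable,
            // even when the root is pinned: pinning says who signed it, not who it is for.
            if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0 ||
                (sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
                return false;

            using var chain = new X509Chain();
            // CustomRootTrust replaces the OS trust store with exactly the roots in
            // CustomTrustStore, so UntrustedRoot does not have to be tolerated any more.
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            chain.ChainPolicy.CustomTrustStore.Add(trustedRoot);
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            // Assumption: the private CA publishes no CRL/OCSP, as in the original answer.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

            // With NoFlag, Build returns false for any chain status other than NoError.
            if (!chain.Build(serverCert))
                return false;

            // Belt and braces: the root the chain terminated in must be the pinned one.
            var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            return root.Thumbprint == trustedRoot.Thumbprint;
        };
    }

    public static HttpClient CreateClient(string rootCaPath)
    {
        var root = new X509Certificate2(rootCaPath);
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = Create(root)
        };
        return new HttpClient(handler);
    }
}
```

Call `PinnedRootValidator.CreateClient(PinnedRootValidator.RootCaPath)` once and reuse the `HttpClient`; connections to any server whose chain does not end in the pinned root, or whose name does not match, fail the handshake.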