使用CA证书文件验证远程服务器X509Certificate

Question

我使用OpenSSL生成了CA和多个证书(由CA签名),我有一个.NET/C#客户端和服务器SslStream,每个都使用自己的证书/密钥,启用相互身份验证并禁用吊销.

我使用RemoteCertificateValidationCallback了SslStream验证远程服务器的证书,我希望我可以只加载CA的公钥证书(作为文件)的程序,并用它来验证远程证书而不是实际安装CA在Windows证书存储区.问题是X509Chain除非我将CA安装到商店中,否则不会显示任何其他内容,当我打开其中一个证书的PEM版本时,Windows CryptoAPI shell也会显示.

我的问题是,我怎么能确认证书已签署了我的特定的CA只使用CA的公钥证书文件,而无需使用Windows证书存储区或WCF的时候RemoteCertificateValidationCallback,X509Certificate和X509Chain似乎并没有给我什么合作？

Answer 1

因为CA证书不在根证书存储区,您将有中RemoteCertificateValidationCallback()的错误标志SslPolicyErrors.RemoteCertificateChainErrors ; 一种可能性是针对您自己的X509Certificate2Collection明确验证证书链,因为您没有使用本地存储.

if (sslPolicyErrors == SslPolicyErrors.RemoteCertificateChainErrors)
{
    X509Chain chain0 = new X509Chain();
    chain0.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
    // add all your extra certificate chain
    chain0.ChainPolicy.ExtraStore.Add(new X509Certificate2(PublicResource.my_ca));
    chain0.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
    isValid = chain0.Build((X509Certificate2)certificate);
}

您还可以重复使用回调中传递的链,在ExtraStore集合中添加额外的证书,并使用AllowUnknownCertificateAuthority标志进行验证,因为您将不受信任的证书添加到链中.

您还可以通过在受信任的根存储中以编程方式添加CA证书来防止原始错误(当然,它会打开一个弹出窗口,因为全局添加新的受信任CA根是一个主要的安全问题):

var store = new X509Store(StoreName.Root, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadWrite);
X509Certificate2 ca_cert = new X509Certificate2(PublicResource.my_ca);
store.Add(ca_cert);
store.Close();

编辑:对于那些想要用你的CA清楚地测试链的人:

另一种可能性是使用库BouncyCastle来构建证书链并验证信任.选项很明确,错误很容易理解.在成功的过程中,它将构建链,否则返回异常.以下示例:

        // rootCerts : collection of CA
        // currentCertificate : the one you want to test
        var builderParams = new PkixBuilderParameters(rootCerts, 
                                new X509CertStoreSelector { Certificate = currentCertificate });
        // crls : The certificate revocation list
        builderParams.IsRevocationEnabled = crls.Count != 0;
        // validationDate : probably "now"
        builderParams.Date = new DateTimeObject(validationDate);

        // The indermediate certs are items necessary to create the certificate chain
        builderParams.AddStore(X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(intermediateCerts)));
        builderParams.AddStore(X509StoreFactory.Create("CRL/Collection", new X509CollectionStoreParameters(crls)));

        try
        {
            PkixCertPathBuilderResult result = builder.Build(builderParams);
            return result.CertPath.Certificates.Cast<X509Certificate>();
            ...