C#枚举TLS证书支持的所有主机名

C# Enumerate all hostnames supported by TLS certificates

我已经使用 System.Security.Cryptography.X509Certificates.X509Store 一段时间来枚举计算机上的所有 TLS 证书(以代码验证重定向到 SSL 是否有效,如果证书丢失则发出警告)。我有以下列表功能,可以帮助我诊断像我现在遇到的问题,但我似乎找不到我需要的数据:

        System.Security.Cryptography.X509Certificates.X509Store store = new System.Security.Cryptography.X509Certificates.X509Store(System.Security.Cryptography.X509Certificates.StoreLocation.LocalMachine);

        store.Open(System.Security.Cryptography.X509Certificates.OpenFlags.ReadOnly);

        DateTime utcNow = DateTime.UtcNow;
        foreach (System.Security.Cryptography.X509Certificates.X509Certificate2 mCert in store.Certificates)
        {
            writer.WriteStartElement("certificate");
            writer.WriteAttributeString("friendlyName", mCert.FriendlyName);
            writer.WriteAttributeString("subjectName", mCert.SubjectName.Name);
            writer.WriteAttributeString("subject", mCert.Subject);
            writer.WriteAttributeString("simpleName", mCert.GetNameInfo(System.Security.Cryptography.X509Certificates.X509NameType.SimpleName, false));
            writer.WriteAttributeString("dnsName", mCert.GetNameInfo(System.Security.Cryptography.X509Certificates.X509NameType.DnsName, false));
            writer.WriteAttributeString("certhash", mCert.GetCertHashString());
            writer.WriteAttributeString("effectivedate", mCert.GetEffectiveDateString());
            writer.WriteAttributeString("expirationdate", mCert.GetExpirationDateString());
            writer.WriteAttributeString("format", mCert.GetFormat());
            writer.WriteAttributeString("keyalgorithm", mCert.GetKeyAlgorithm());
            writer.WriteAttributeString("publickey", mCert.GetPublicKeyString());
            writer.WriteAttributeString("serialnumber", mCert.SerialNumber);
            writer.WriteAttributeString("hasprivatekey", XmlConvert.ToString(mCert.HasPrivateKey));
            writer.WriteAttributeString("issuer", mCert.Issuer);
            // NOTE: X509Certificate2 as provided by .NET uses local datetimes, so we need to convert them to the sane choice of UTC here 
            writer.WriteAttributeString("notafterutc", XmlConvert.ToString(mCert.NotAfter.ToUniversalTime(), XmlDateTimeSerializationMode.Utc));
            writer.WriteAttributeString("notbeforeutc", XmlConvert.ToString(mCert.NotBefore.ToUniversalTime(), XmlDateTimeSerializationMode.Utc));
            writer.WriteAttributeString("validnow", XmlConvert.ToString(mCert.NotBefore.ToUniversalTime() < utcNow && utcNow < mCert.NotAfter.ToUniversalTime()));
            writer.WriteAttributeString("timeuntilexpiration", XmlConvert.ToString(mCert.NotAfter.ToUniversalTime() - utcNow));
            writer.WriteAttributeString("thumbprint", mCert.Thumbprint);
            writer.WriteAttributeString("version", mCert.Version.ToString());
            writer.WriteEndElement(); // certificate
        }
        writer.WriteEndElement(); // certificates
        writer.WriteEndResponse();

由于希望在同一 IP 地址上支持新的备用主机名,我们最近切换到对多个主机使用 UCC 证书。不幸的是,上面的代码似乎无法看到证书 "Subject Alternative Name" 字段中指定的任何备用主机名(一个 UCC 证书用于指定多个主机),而且我找不到一个属性 或使我能够访问此数据的函数。

简而言之,有谁知道如何使用 C# 从本地安装的证书的 "Subject Alternative Name" 字段中获取支持的主机名列表?

不是作为一个单独的列表,而是作为一个列表——只需找到主题备用名称扩展并调用 .Format(bool multiLine) 方法:

var sanNames = String.Empty;
var san = mCert.Extensions["2.5.29.17"];
if (san != null) {
    sanNames = san.Format(false);
}
if (!String.IsNullOrEmpty(sanNames)) {// write sanNames variable to XML}

詹姆斯编辑:这是完整的修改:

            System.Security.Cryptography.X509Certificates.X509Extension uccSan = mCert.Extensions["2.5.29.17"];
            if (uccSan != null)
            {
                foreach (string nvp in uccSan.Format(true).Split(new string[] { Environment.NewLine }, StringSplitOptions.RemoveEmptyEntries))
                {
                    writer.WriteStartElement("alternateName");
                    string[] parts = nvp.Split('=');
                    string name = parts[0];
                    string value = (parts.Length > 0) ? parts[1] : null;
                    writer.WriteAttributeString("type", name);
                    writer.WriteAttributeString("value", value);
                    writer.WriteEndElement(); // alternateName
                }
            }