C# X509Certificate2.Verify without revocation test
I am trying to use the X509Certificate2.Verify() function to check whether the certificate chain is valid.
The Verify function returns false, and ChainElementStatus returns "RevocationStatusUnknown".
Is there a way to use the Verify function without checking the RevocationStatus? Without an internet connection the RevocationStatus cannot be checked. Is there another function that can check the chain and the certificate without the RevocationStatus?
A dirty solution would be to check whether RevocationStatus is the only element in element.ChainElementStatus.
I already use X509RevocationMode.Offline and IgnoreCertificateAuthorityRevocationUnknown.
The code is from: X509Certificate2.Verify() method always return false for the valid certificate
    X509Chain ch = new X509Chain();
    ch.Build(certificate);
    ch.ChainPolicy.RevocationMode = X509RevocationMode.Offline;
    ch.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown;
    Console.WriteLine("Chain Information");
    Console.WriteLine("Chain revocation flag: {0}", ch.ChainPolicy.RevocationFlag);
    Console.WriteLine("Chain revocation mode: {0}", ch.ChainPolicy.RevocationMode);
    Console.WriteLine("Chain verification flag: {0}", ch.ChainPolicy.VerificationFlags);
    Console.WriteLine("Chain verification time: {0}", ch.ChainPolicy.VerificationTime);
    Console.WriteLine("Chain status length: {0}", ch.ChainStatus.Length);
    Console.WriteLine("Chain application policy count: {0}", ch.ChainPolicy.ApplicationPolicy.Count);
    Console.WriteLine("Chain certificate policy count: {0} {1}", ch.ChainPolicy.CertificatePolicy.Count, Environment.NewLine);

    //Output chain element information.
    Console.WriteLine("Chain Element Information");
    Console.WriteLine("Number of chain elements: {0}", ch.ChainElements.Count);
    Console.WriteLine("Chain elements synchronized? {0} {1}", ch.ChainElements.IsSynchronized, Environment.NewLine);

    foreach (X509ChainElement element in ch.ChainElements)
    {
        Console.WriteLine("Element issuer name: {0}", element.Certificate.Issuer);
        Console.WriteLine("Element certificate valid until: {0}", element.Certificate.NotAfter);
        Console.WriteLine("Element certificate is valid: {0}", element.Certificate.Verify());
        Console.WriteLine("Element error status length: {0}", element.ChainElementStatus.Length);
        Console.WriteLine("Element information: {0}", element.Information);
        Console.WriteLine("Number of element extensions: {0}{1}", element.Certificate.Extensions.Count, Environment.NewLine);

        if (ch.ChainStatus.Length >= 1)
        {
            for (int index = 0; index < element.ChainElementStatus.Length; index++)
            {
                Console.WriteLine(element.ChainElementStatus[index].Status);
                Console.WriteLine(element.ChainElementStatus[index].StatusInformation);
            }
        }
    }
Result:

    Chain Information
    Chain revocation flag: ExcludeRoot
    Chain revocation mode: Offline
    Chain verification flag: IgnoreCertificateAuthorityRevocationUnknown
    Chain verification time: 19.11.2018 07:53:31
    Chain status length: 1
    Chain application policy count: 0
    Chain certificate policy count: 0

    Chain Element Information
    Number of chain elements: 2
    Chain elements synchronized? False

    Element issuer name: CN=TestRootCA
    Element certificate valid until: 01.01.2019 00:00:00
    Element certificate is valid: False
    Element error status length: 1
    Element information:
    Number of element extensions: 5

    RevocationStatusUnknown
    Die Sperrfunktion konnte keine Sperrprüfung für das Zertifikat durchführen.
    Element issuer name: CN=TestRootCA
    Element certificate valid until: 01.01.2019 00:00:00
    Element certificate is valid: True
    Element error status length: 0
    Element information:
    Number of element extensions: 2
I already use X509RevocationMode.Offline and IgnoreCertificateAuthorityRevocationUnknown.
IgnoreCertificateAuthorityRevocationUnknown means "don't make chain.Build return false for this reason."
Of course, you are setting it after you call chain.Build, and you are not checking the return value from chain.Build.
If you want to ignore revocation, set ChainPolicy.RevocationMode to X509RevocationMode.NoCheck. If you want to check it if it is already cached, and ignore it if not, then set the mode to Offline and assert all of the RevocationUnknown flags.
The boolean return from chain.Build is true if the certificate/chain passed all of the validity checks not marked as ignored by the VerificationFlags value.
So the shortest "tell me if this certificate is not expired, has a resolvable chain, the terminus of the chain is something I trust, and I don't care about revocation" is
    using (X509Chain ch = new X509Chain())
    {
        ch.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        return ch.Build(certificate);
    }
Opportunistic revocation would be

    using (X509Chain ch = new X509Chain())
    {
        ch.ChainPolicy.RevocationMode = X509RevocationMode.Offline;
        ch.ChainPolicy.VerificationFlags =
            X509VerificationFlags.IgnoreEndRevocationUnknown |
            X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown |
            X509VerificationFlags.IgnoreRootRevocationUnknown;
        return ch.Build(certificate);
    }
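The following is an added example written for this page, not code from the question or the answer. It puts the two points of the answer together in a complete program: the chain policy is configured before Build() is called, Build()'s return value is actually used, and instead of the blanket Ignore*RevocationUnknown flags the chain status is inspected after the fact so that "revocation could not be determined" is a distinct, logged outcome rather than silently folded into "valid". The names ChainVerdict, OfflineChainCheck and CheckChain, and the assumption that a certificate file path is passed on the command line, are choices made for this example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Example names (ChainVerdict, OfflineChainCheck, CheckChain) are assumptions for this
// illustration; they are not part of the .NET API or of the question's code.
public enum ChainVerdict
{
    Valid,                  // Build() succeeded with nothing ignored
    ValidRevocationUnknown, // chain is sound, but no cached CRL/OCSP data was available
    Invalid                 // expired, untrusted root, partial chain, revoked, ...
}

public static class OfflineChainCheck
{
    // Flags that only mean "the revocation status could not be determined".
    // In Offline mode these are expected when nothing is cached; anything else is a real error.
    private const X509ChainStatusFlags RevocationUnknownFlags =
        X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;

    public static ChainVerdict CheckChain(X509Certificate2 certificate, bool acceptUnknownRevocation, out string detail)
    {
        using (var chain = new X509Chain())
        {
            // The policy must be configured BEFORE Build(); changing it afterwards has no effect,
            // which is the ordering problem in the question's code.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline;    // cached CRL/OCSP only, no network
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag; // no blanket ignores; decide below

            bool built = chain.Build(certificate);

            // Collect every objection the chain engine raised, both for the decision and for logging.
            X509ChainStatusFlags allFlags = chain.ChainStatus
                .Aggregate(X509ChainStatusFlags.NoError, (acc, s) => acc | s.Status);
            detail = string.Join("; ",
                chain.ChainStatus.Select(s => $"{s.Status}: {(s.StatusInformation ?? string.Empty).Trim()}"));

            if (built)
                return ChainVerdict.Valid;

            // Strip the "unknown" flags and see whether anything substantive remains
            // (NotTimeValid, UntrustedRoot, PartialChain, Revoked, ...).
            X509ChainStatusFlags hardErrors = allFlags & ~RevocationUnknownFlags;
            if (hardErrors != X509ChainStatusFlags.NoError)
                return ChainVerdict.Invalid;

            // Only revocation-unknown remains: the caller decides whether that is acceptable.
            return acceptUnknownRevocation ? ChainVerdict.ValidRevocationUnknown : ChainVerdict.Invalid;
        }
    }

    public static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: OfflineChainCheck <certificate-file>");
            return 2;
        }

        using (var cert = new X509Certificate2(args[0]))
        {
            ChainVerdict verdict = CheckChain(cert, true, out string detail);
            Console.WriteLine("Subject: {0}", cert.Subject);
            Console.WriteLine("Verdict: {0}", verdict);
            if (detail.Length > 0)
                Console.WriteLine("Chain status: {0}", detail);
            return verdict == ChainVerdict.Invalid ? 1 : 0;
        }
    }
}
```

The difference from the answer's opportunistic variant is visibility: with the three Ignore*RevocationUnknown flags set, Build() returns true and nothing records that revocation was never actually checked. Here Build() is allowed to fail, the RevocationStatusUnknown/OfflineRevocation flags are subtracted explicitly, and the result is reported as ValidRevocationUnknown, so a log or a metric can show how often the check is running without revocation data, while a Revoked or NotTimeValid flag still fails closed.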