c# – 如何检查X509证书是否已经打开“扩展验证”?

前端之家收集整理的这篇文章主要介绍了c# – 如何检查X509证书是否已经打开“扩展验证”?前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。
如果X509Certificate(或X509Certificate2)设置了“扩展验证”(EV)标志,我很难找到可靠的方式来检查我的C#(.Net 4.0)应用程序.有没有人知道最好的方法

解决方法

您可以检查X509Certificate是否包含这些 OId之一.此外,您可以检查Chromium的来源以获取已实施OIds的列表.你可以找到源 here.如果你想坚持Firefox,你可以抓住实现 here.

我现在更新了我的源码并进行了测试.我写了一个小的方法来验证一个X509Certificate2对OID列表从维基百科/ Chromium.在这种方法我使用维基百科列表,可能更好的是使用Chromium列表.

OId如何保存?

每个CA都有一个或多个ObjectIds OIds.它们不会保存为扩展名,因为您可能会猜到,它们作为条目保存在策略扩展中.要获得确切的扩展名,建议使用策略扩展本身的Oid,而不是使用友好名称.政策扩展的OID是2.5.29.32.

提取信息

要获得策略扩展的内容,我们可以使用System.Security.Cryptography.AsnEncodedData将其转换为可读字符串.字符串本身包含我们需要匹配我们的字符串[]的策略,以确保它是否包含EV证书的一个OIds.

资源

/// <summary>
    /// Checks if a X509Certificate2 contains Oids for EV
    /// </summary>
    /// <param name="certificate"></param>
    /// <returns></returns>
    private static bool IsCertificateEV(X509Certificate2 certificate)
    {
        // List of valid EV Oids
        // You can find correct values here:
        // http://code.google.com/searchframe#OAMlx_jo-ck/src/net/base/ev_root_ca_Metadata.cc&exact_package=chromium
        // or in Wikipedia
        string[] extendedValidationOids = 
        {
            "1.3.6.1.4.1.34697.2.1","1.3.6.1.4.1.34697.2.2","1.3.6.1.4.1.34697.2.1","1.3.6.1.4.1.34697.2.3","1.3.6.1.4.1.34697.2.4","1.2.40.0.17.1.22","2.16.578.1.26.1.3.3","1.3.6.1.4.1.17326.10.14.2.1.2","1.3.6.1.4.1.17326.10.8.12.1.2","1.3.6.1.4.1.6449.1.2.1.5.1","2.16.840.1.114412.2.1","2.16.528.1.1001.1.1.1.12.6.1.1.1","2.16.840.1.114028.10.1.2","1.3.6.1.4.1.14370.1.6","1.3.6.1.4.1.4146.1.1","2.16.840.1.114413.1.7.23.3","1.3.6.1.4.1.14777.6.1.1","1.3.6.1.4.1.14777.6.1.2","1.3.6.1.4.1.22234.2.5.2.3.1","1.3.6.1.4.1.782.1.2.1.8.1","1.3.6.1.4.1.8024.0.2.100.1.2","1.2.392.200091.100.721.1","2.16.840.1.114414.1.7.23.3","1.3.6.1.4.1.23223.2","1.3.6.1.4.1.23223.1.1.1","1.3.6.1.5.5.7.1.1","2.16.756.1.89.1.2.1.1","2.16.840.1.113733.1.7.48.1","2.16.840.1.114404.1.1.2.4.1","2.16.840.1.113733.1.7.23.6","1.3.6.1.4.1.6334.1.100.1",};

        // Logic:
        // Locate Certificate Policy Extension
        // Convert to AsnEncodedData (String)
        // Check if any of the EV Oids exist
        return (
                from X509Extension ext in certificate.Extensions 
                where ext.Oid.Value == "2.5.29.32" 
                select new AsnEncodedData(ext.Oid,ext.RawData).Format(true))
                .Any(asnConvertedData => extendedValidationOids.Where(asnConvertedData.Contains).Any()
            );
    }

如果您需要一些资料来开始:

static void Main(string[] args)
    {
        // Create Delegate for analysis of X509Certificate
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;

        // Make sample request to EV-Website to get Certificate
        var wc = new WebClient();
        wc.DownloadString("https://startssl.com");  // EV
        wc.DownloadString("https://petrasch.biz");  // Not EV
        Console.ReadLine();
    }

    public static bool ValidateServerCertificate(object sender,X509Certificate certificate,X509Chain chain,SslPolicyErrors sslPolicyErrors)
    {
        var cert = (X509Certificate2) certificate;
        Console.WriteLine("Certificate: " + cert.GetNameInfo(X509NameType.SimpleName,true) + " -> " + IsCertificateEV(cert));
        return true;
    }

如果有人知道实现这一目标的更好方法,请告诉我们.

猜你在找的C#相关文章