如果X509Certificate(或X509Certificate2)设置了“扩展验证”(EV)标志,我很难找到可靠的方式来检查我的C#(.Net 4.0)应用程序.有没有人知道最好的方法?
解决方法
您可以检查X509Certificate是否包含这些
OId之一.此外,您可以检查Chromium的来源以获取已实施OIds的列表.你可以找到源
here.如果你想坚持Firefox,你可以抓住实现
here.
我现在更新了我的源码并进行了测试.我写了一个小的方法来验证一个X509Certificate2对OID列表从维基百科/ Chromium.在这种方法我使用维基百科列表,可能更好的是使用Chromium列表.
OId如何保存?
每个CA都有一个或多个ObjectIds OIds.它们不会保存为扩展名,因为您可能会猜到,它们作为条目保存在策略扩展中.要获得确切的扩展名,建议使用策略扩展本身的Oid,而不是使用友好名称.政策扩展的OID是2.5.29.32.
提取信息
要获得策略扩展的内容,我们可以使用System.Security.Cryptography.AsnEncodedData将其转换为可读字符串.字符串本身包含我们需要匹配我们的字符串[]的策略,以确保它是否包含EV证书的一个OIds.
资源
/// <summary>
/// Checks if a X509Certificate2 contains Oids for EV
/// </summary>
/// <param name="certificate"></param>
/// <returns></returns>
private static bool IsCertificateEV(X509Certificate2 certificate)
{
// List of valid EV Oids
// You can find correct values here:
// http://code.google.com/searchframe#OAMlx_jo-ck/src/net/base/ev_root_ca_Metadata.cc&exact_package=chromium
// or in Wikipedia
string[] extendedValidationOids =
{
"1.3.6.1.4.1.34697.2.1","1.3.6.1.4.1.34697.2.2","1.3.6.1.4.1.34697.2.1","1.3.6.1.4.1.34697.2.3","1.3.6.1.4.1.34697.2.4","1.2.40.0.17.1.22","2.16.578.1.26.1.3.3","1.3.6.1.4.1.17326.10.14.2.1.2","1.3.6.1.4.1.17326.10.8.12.1.2","1.3.6.1.4.1.6449.1.2.1.5.1","2.16.840.1.114412.2.1","2.16.528.1.1001.1.1.1.12.6.1.1.1","2.16.840.1.114028.10.1.2","1.3.6.1.4.1.14370.1.6","1.3.6.1.4.1.4146.1.1","2.16.840.1.114413.1.7.23.3","1.3.6.1.4.1.14777.6.1.1","1.3.6.1.4.1.14777.6.1.2","1.3.6.1.4.1.22234.2.5.2.3.1","1.3.6.1.4.1.782.1.2.1.8.1","1.3.6.1.4.1.8024.0.2.100.1.2","1.2.392.200091.100.721.1","2.16.840.1.114414.1.7.23.3","1.3.6.1.4.1.23223.2","1.3.6.1.4.1.23223.1.1.1","1.3.6.1.5.5.7.1.1","2.16.756.1.89.1.2.1.1","2.16.840.1.113733.1.7.48.1","2.16.840.1.114404.1.1.2.4.1","2.16.840.1.113733.1.7.23.6","1.3.6.1.4.1.6334.1.100.1",};
// Logic:
// Locate Certificate Policy Extension
// Convert to AsnEncodedData (String)
// Check if any of the EV Oids exist
return (
from X509Extension ext in certificate.Extensions
where ext.Oid.Value == "2.5.29.32"
select new AsnEncodedData(ext.Oid,ext.RawData).Format(true))
.Any(asnConvertedData => extendedValidationOids.Where(asnConvertedData.Contains).Any()
);
}
如果您需要一些资料来开始:
static void Main(string[] args)
{
// Create Delegate for analysis of X509Certificate
ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
// Make sample request to EV-Website to get Certificate
var wc = new WebClient();
wc.DownloadString("https://startssl.com"); // EV
wc.DownloadString("https://petrasch.biz"); // Not EV
Console.ReadLine();
}
public static bool ValidateServerCertificate(object sender,X509Certificate certificate,X509Chain chain,SslPolicyErrors sslPolicyErrors)
{
var cert = (X509Certificate2) certificate;
Console.WriteLine("Certificate: " + cert.GetNameInfo(X509NameType.SimpleName,true) + " -> " + IsCertificateEV(cert));
return true;
}
如果有人知道实现这一目标的更好方法,请告诉我们.
