有没有一种简单的方法可以从 X509Certificate2 对象中获取主题备用名称?
foreach (X509Extension ext in certificate.Extensions)
{
if (ext.Oid.Value.Equals(/* SAN OID */"2.5.29.17"))
{
byte[] raw = ext.RawData;
// ?????? parse to get type and name ????????
}
}
对可打印版本使用扩展的Format 方法。
X509Certificate2 cert = /* your code here */;
foreach (X509Extension extension in cert.Extensions)
{
// Create an AsnEncodedData object using the extensions information.
AsnEncodedData asndata = new AsnEncodedData(extension.Oid, extension.RawData);
Console.WriteLine("Extension type: {0}", extension.Oid.FriendlyName);
Console.WriteLine("Oid value: {0}",asndata.Oid.Value);
Console.WriteLine("Raw data length: {0} {1}", asndata.RawData.Length, Environment.NewLine);
Console.WriteLine(asndata.Format(true));
}
要从证书中获取“主题备用名称”:
X509Certificate2 cert = /* your code here */;
Console.WriteLine("UpnName : {0}{1}", cert.GetNameInfo(X509NameType.UpnName, false), Environment.NewLine);
根据 Minh 的回答,这是一个自包含的静态函数,应该将它们全部返回
public static IEnumerable<string> ParseSujectAlternativeNames(X509Certificate2 cert)
{
Regex sanRex = new Regex(@"^DNS Name=(.*)", RegexOptions.Compiled | RegexOptions.CultureInvariant);
var sanList = from X509Extension ext in cert.Extensions
where ext.Oid.FriendlyName.Equals("Subject Alternative Name", StringComparison.Ordinal)
let data = new AsnEncodedData(ext.Oid, ext.RawData)
let text = data.Format(true)
from line in text.Split(new char[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries)
let match = sanRex.Match(line)
where match.Success && match.Groups.Count > 0 && !string.IsNullOrEmpty(match.Groups[1].Value)
select match.Groups[1].Value;
return sanList;
}
所有语言的解决方案 .NET
此解决方案是 Minh Nguyen 上述解决方案的改进,因此它可以在所有语言中工作
private static List<string> GetSujectAlternativeName(X509Certificate2 cert)
{
var result = new List<string>();
var subjectAlternativeName = cert.Extensions.Cast<X509Extension>()
.Where(n => n.Oid.Value== "2.5.29.17") //n.Oid.FriendlyName=="Subject Alternative Name")
.Select(n => new AsnEncodedData(n.Oid, n.RawData))
.Select(n => n.Format(true))
.FirstOrDefault();
if (subjectAlternativeName != null)
{
var alternativeNames = subjectAlternativeName.Split(new[] { "\r\n", "\r", "\n" }, StringSplitOptions.None);
foreach (var alternativeName in alternativeNames)
{
var groups = Regex.Match(alternativeName, @"^(.*)=(.*)").Groups; // @"^DNS Name=(.*)").Groups;
if (groups.Count > 0 && !String.IsNullOrEmpty(groups[2].Value))
{
result.Add(groups[2].Value);
}
}
}
return result;
}
使用 .net 核心,需要一种跨平台的方式来做到这一点更相关。@Jason Shuler 解决方案仅适用于 Windows,但有一些额外的工作,可以独立于平台。我已经在以下代码片段中调整了 WCF 用来执行此操作的代码(MIT 许可)
// Adapted from https://github.com/dotnet/wcf/blob/a9984490334fdc7d7382cae3c7bc0c8783eacd16/src/System.Private.ServiceModel/src/System/IdentityModel/Claims/X509CertificateClaimSet.cs
// We don't have a strongly typed extension to parse Subject Alt Names, so we have to do a workaround
// to figure out what the identifier, delimiter, and separator is by using a well-known extension
// If https://github.com/dotnet/corefx/issues/22068 ever goes anywhere, we can remove this
private static class X509SubjectAlternativeNameParser
{
private const string SAN_OID = "2.5.29.17";
private static readonly string platform_identifier;
private static readonly char platform_delimiter;
private static readonly string platform_seperator;
static X509SubjectAlternativeNameParser()
{
// Extracted a well-known X509Extension
byte[] x509ExtensionBytes = new byte[] {
48, 36, 130, 21, 110, 111, 116, 45, 114, 101, 97, 108, 45, 115, 117, 98, 106, 101, 99,
116, 45, 110, 97, 109, 101, 130, 11, 101, 120, 97, 109, 112, 108, 101, 46, 99, 111, 109
};
const string subjectName1 = "not-real-subject-name";
X509Extension x509Extension = new X509Extension(SAN_OID, x509ExtensionBytes, true);
string x509ExtensionFormattedString = x509Extension.Format(false);
// Each OS has a different dNSName identifier and delimiter
// On Windows, dNSName == "DNS Name" (localizable), on Linux, dNSName == "DNS"
// e.g.,
// Windows: x509ExtensionFormattedString is: "DNS Name=not-real-subject-name, DNS Name=example.com"
// Linux: x509ExtensionFormattedString is: "DNS:not-real-subject-name, DNS:example.com"
// Parse: <identifier><delimter><value><separator(s)>
int delimiterIndex = x509ExtensionFormattedString.IndexOf(subjectName1) - 1;
platform_delimiter = x509ExtensionFormattedString[delimiterIndex];
// Make an assumption that all characters from the the start of string to the delimiter
// are part of the identifier
platform_identifier = x509ExtensionFormattedString.Substring(0, delimiterIndex);
int separatorFirstChar = delimiterIndex + subjectName1.Length + 1;
int separatorLength = 1;
for (int i = separatorFirstChar + 1; i < x509ExtensionFormattedString.Length; i++)
{
// We advance until the first character of the identifier to determine what the
// separator is. This assumes that the identifier assumption above is correct
if (x509ExtensionFormattedString[i] == platform_identifier[0])
{
break;
}
separatorLength++;
}
platform_seperator = x509ExtensionFormattedString.Substring(separatorFirstChar, separatorLength);
}
public static IEnumerable<string> ParseSubjectAlternativeNames(X509Certificate2 cert)
{
return cert.Extensions
.Cast<X509Extension>()
.Where(ext => ext.Oid.Value.Equals(SAN_OID)) // Only use SAN extensions
.Select(ext => new AsnEncodedData(ext.Oid, ext.RawData).Format(false)) // Decode from ASN
// This is dumb but AsnEncodedData.Format changes based on the platform, so our static initialization code handles making sure we parse it correctly
.SelectMany(text => text.Split(platform_seperator, StringSplitOptions.RemoveEmptyEntries))
.Select(text => text.Split(platform_delimiter))
.Where(x => x[0] == platform_identifier)
.Select(x => x[1]);
}
}
这是一个不需要解析返回的文本的解决方案(但AsnEncodedData.Format()需要 .NET 5):
using System.Formats.Asn1;
...
public static List<string> GetAlternativeDnsNames(X509Certificate2 cert)
{
const string SAN_OID = "2.5.29.17";
var extension = cert.Extensions[SAN_OID];
if (extension is null)
{
return new List<string>();
}
// Tag value "2" is defined by:
//
// dNSName [2] IA5String,
//
// in: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6
var dnsNameTag = new Asn1Tag(TagClass.ContextSpecific, tagValue: 2, isConstructed: false);
var asnReader = new AsnReader(extension.RawData, AsnEncodingRules.BER);
var sequenceReader = asnReader.ReadSequence(Asn1Tag.Sequence);
var resultList = new List<string>();
while (sequenceReader.HasData)
{
var tag = sequenceReader.PeekTag();
if (tag != dnsNameTag)
{
sequenceReader.ReadEncodedValue();
continue;
}
var dnsName = sequenceReader.ReadCharacterString(UniversalTagNumber.IA5String, dnsNameTag);
resultList.Add(dnsName);
}
return resultList;
}
考虑到使用 OID扩展Minh Nguyen的答案,我将其重写为扩展
namespace MyExtensions
{
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;
public static class X509Certificate2Extensions
{
private const string SubjectAlternateNameOID = "2.5.29.17";
private static readonly Regex _dnsNameRegex = new Regex(@"^DNS Name=(.+)");
public static List<string> SubjectAlternativeNames(this X509Certificate2 cert)
{
var subjectAlternativeName = cert.Extensions.Cast<X509Extension>()
.Where(n => n.Oid.Value == SubjectAlternateNameOID)
.Select(n => new AsnEncodedData(n.Oid, n.RawData))
.Select(n => n.Format(true))
.FirstOrDefault();
return string.IsNullOrWhiteSpace(subjectAlternativeName)
? new List<string>()
: subjectAlternativeName.Split(new[] {"\r\n", "\r", "\n"}, StringSplitOptions.RemoveEmptyEntries)
.Select(n => _dnsNameRegex.Match(n))
.Where(r => r.Success && !string.IsNullOrWhiteSpace(r.Groups[1].Value))
.Select(r => r.Groups[1].Value)
.ToList();
}
}
}
我创建了一个函数来执行此操作:
private static List<string> ParseSujectAlternativeName(X509Certificate2 cert)
{
var result = new List<string>();
var subjectAlternativeName = cert.Extensions.Cast<X509Extension>()
.Where(n => n.Oid.FriendlyName.EqualsCase(SubjectAlternativeName))
.Select(n => new AsnEncodedData(n.Oid, n.RawData))
.Select(n => n.Format(true))
.FirstOrDefault();
if (subjectAlternativeName != null)
{
var alternativeNames = subjectAlternativeName.Split(new[] { "\r\n", "\r", "\n" }, StringSplitOptions.None);
foreach (var alternativeName in alternativeNames)
{
var groups = Regex.Match(alternativeName, @"^DNS Name=(.*)").Groups;
if (groups.Count > 0 && !String.IsNullOrEmpty(groups[1].Value))
{
result.Add(groups[1].Value);
}
}
}
return result;
}
这里的所有答案都是特定于平台或操作系统语言的,或者只能检索一个替代主题名称,所以我通过逆向工程原始数据编写了自己的解析器,它可以解析 DNS 和 IP 地址并满足我的需求:
private const string SAN_OID = "2.5.29.17";
private static int ReadLength(ref Span<byte> span)
{
var length = (int)span[0];
span = span[1..];
if ((length & 0x80) > 0)
{
var lengthBytes = length & 0x7F;
length = 0;
for (var i = 0; i < lengthBytes; i++)
{
length = length * 0x100 + span[0];
span = span[1..];
}
}
return length;
}
public static IList<string> ParseSubjectAlternativeNames(byte[] rawData)
{
var result = new List<string>(); // cannot yield results when using Span yet
if (rawData.Length < 1 || rawData[0] != '0')
{
throw new InvalidDataException("They told me it will start with zero :(");
}
var data = rawData.AsSpan(1);
var length = ReadLength(ref data);
if (length != data.Length)
{
throw new InvalidDataException("I don't know who I am anymore");
}
while (!data.IsEmpty)
{
var type = data[0];
data = data[1..];
var partLength = ReadLength(ref data);
if (type == 135) // ip
{
result.Add(new IPAddress(data[0..partLength]).ToString());
} else if (type == 160) // upn
{
// not sure how to parse the part before \f
var index = data.IndexOf((byte)'\f') + 1;
var upnData = data[index..];
var upnLength = ReadLength(ref upnData);
result.Add(Encoding.UTF8.GetString(upnData[0..upnLength]));
} else // all other
{
result.Add(Encoding.UTF8.GetString(data[0..partLength]));
}
data = data[partLength..];
}
return result;
}
public static IEnumerable<string> ParseSubjectAlternativeNames(X509Certificate2 cert)
{
return cert.Extensions
.Cast<X509Extension>()
.Where(ext => ext.Oid.Value.Equals(SAN_OID))
.SelectMany(x => ParseSubjectAlternativeNames(x.RawData));
}
我还在 corefx 存储库本身中找到了这个测试:https ://github.com/dotnet/corefx/blob/master/src/System.Security.Cryptography.Encoding/tests/AsnEncodedData.cs#L38
想法是将asnData.Format结果拆分为 ':'、'='、',' 并采用其他所有值,这是一种更容易的方法:
byte[] sanExtension =
{
0x30, 0x31, 0x82, 0x0B, 0x65, 0x78, 0x61, 0x6D,
0x70, 0x6C, 0x65, 0x2E, 0x6F, 0x72, 0x67, 0x82,
0x0F, 0x73, 0x75, 0x62, 0x2E, 0x65, 0x78, 0x61,
0x6D, 0x70, 0x6C, 0x65, 0x2E, 0x6F, 0x72, 0x67,
0x82, 0x11, 0x2A, 0x2E, 0x73, 0x75, 0x62, 0x2E,
0x65, 0x78, 0x61, 0x6D, 0x70, 0x6C, 0x65, 0x2E,
0x6F, 0x72, 0x67,
};
AsnEncodedData asnData = new AsnEncodedData(
new Oid("2.5.29.17"),
sanExtension);
string s = asnData.Format(false);
// Windows says: "DNS Name=example.org, DNS Name=sub.example.org, DNS Name=*.sub.example.org"
// X-Plat (OpenSSL) says: "DNS:example.org, DNS:sub.example.org, DNS:*.sub.example.org".
// This keeps the parsing generalized until we can get them to converge
string[] parts = s.Split(new[] { ':', '=', ',' }, StringSplitOptions.RemoveEmptyEntries);
// Parts is now { header, data, header, data, header, data }.
string[] output = new string[parts.Length / 2];
for (int i = 0; i < output.Length; i++)
{
output[i] = parts[2 * i + 1];
}
独立于操作系统的方法
此代码片段假定有两个可能的分隔符 '=' 和 ':'
private static List<string> GetSubjectAlternativeNames(X509Certificate2 cert)
{
var result = new List<string>();
var subjectAlternativeNames = cert.Extensions.Cast<X509Extension>()
.Where(n => n.Oid.Value == "2.5.29.17") //Subject Alternative Name
.Select(n => new AsnEncodedData(n.Oid, n.RawData))
.Select(n => n.Format(true))
.FirstOrDefault();
// Example outputs:
// Windows: "DNS Name=example.com, DNS Name=www.example.com"
// Windows NL: "DNS-naam=example.com\r\nDNS-naam=www.example.com\r\n"
// Linux: "DNS:example.com, DNS:www.example.com"
var delimiters = new char[] { '=', ':' };
var notfound = -1;
var pairs = subjectAlternativeNames.Split(new[] { ",", "\r\n", "\r", "\n" }, StringSplitOptions.TrimEntries);
foreach (var pair in pairs)
{
int position = pair.IndexOfAny(delimiters);
if (position == notfound)
continue;
var subjectAlternativeName = pair.Substring(position + 1);
if (String.IsNullOrEmpty(subjectAlternativeName))
continue;
result.Add(subjectAlternativeName);
}
return result;
}