3

Our application currently validates server certificates in unmanaged code using openssl (http://www.openssl.org/docs/crypto/X509_verify_cert.html). We are moving that into managed code. I have the X509 certificate being marshalled over into the managed side, but how to validate that certificate in C#?

a) Is there a simple way to validate that certificate against the currently installed trusted roots?

b) If not, what is the manual process to validate? Is it documented somewhere?

I've explored the classes in Mono.Security.X509, which gives me tools to work with certificates and stores, but I'm having trouble connecting the dots.

EDIT I added my ultimate solution below. I would welcome further feedback on the approach.

4

1 回答 1

5

根据此处此处的信息,我确定以下内容:

  • 理想情况下,我们应该检查证书吊销,但这是不平凡的,似乎不值得付出努力
  • 至少我们可以检查证书是最新的并且链是可信的
  • 如果我们愿意,我们还可以验证应用程序特定的东西,比如证书是否是自签名的等

举个简单的例子,我们可以使用 Mono X509Chain 构建一个证书链,并针对用户信任的根进行验证:

var x509 = new Mono.Security.X509.X509Certificate(certificateBytes);
var chain = new Mono.Security.X509.X509Chain();
bool certificateStatus = chain.Build(x509);

通过检查 Mono 源,我可以看到这会检查证书链上的信任以及证书上的日期。但是,证书吊销并未实施。

我们还检查证书上的名称是否与用户正在连接的主机的名称相匹配。.NET 框架为我们提供了一种获取该信息的简单方法:

var x5092 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificateBytes);
string hostName = x5092.GetNameInfo(System.Security.Cryptography.X509Certificates.X509NameType.DnsName, false);
bool hostNameMatch = string.Compare(hostName, this.Server, true) == 0;

证书也可以具有应检查的替代名称,但 usingX509NameType.DnsAlternativeName似乎没有在 Mono 上实现(它被硬编码为 return string.Empty)。

据我所知,这是一个很好的基本解决方案。

于 2013-12-06T16:45:10.050 回答