我有以下代码尝试根据我的私有 PKI 中的 CA 验证服务器证书。它与ServicePointManager
and一起使用RemoteCertificateValidationCallback
:
static bool VerifyServerCertificate(object sender, X509Certificate certificate,
X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
X509Certificate2 ca = new X509Certificate2();
ca.Import("ca-rsa-cert.der");
X509Chain chain2 = new X509Chain();
chain2.ChainPolicy.ExtraStore.Add(ca);
// Check all properties
chain2.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
// This setup does not have revocation information
chain2.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain2.Build(new X509Certificate2(certificate));
if (chain2.ChainStatus.Length == 0)
{
return true;
}
bool result = chain2.ChainStatus[0].Status == X509ChainStatusFlags.NoError;
Debug.Assert(result == true);
return result;
}
问题是它chain2.ChainStatus.Length
总是 0。
如果我设置X509RevocationMode
为X509RevocationMode.Online
,则ChainStatus.Length == 1
状态设置为X509ChainStatusFlags.RevocationStatusUnknown
。(这是预期的,因为在测试台中没有撤销)。
问题:0 长度ChainStatus.Length
是什么意思?
问题:如果它成功了,那为什么X509ChainStatusFlags.NoError
不使用呢?