Signature verification of .cer certificates

A .cer file also carries a signature over the certificate itself; this is what prevents the certificate from being tampered with.

There are two types of certificate:

1. Root certificates

2. Child certificates issued by a root certificate.

The root certificate in particular is self-signed.

For every other (child) certificate, the public key that verifies its signature is stored in its parent certificate.

C# can be used to do some of this verification.

First, verifying the root certificate's signature.

        // Verify the root certificate's signature
        X509Certificate2 x509Root = new X509Certificate2(@"C:\Users\kevin\Desktop\KevinRoot.cer");
        Console.WriteLine("Root Certificate Verified?: {0}{1}", x509Root.Verify(), Environment.NewLine); // The root certificate is self-signed, so this passes.

Very easy: because the root certificate is self-signed, x509Root.Verify() returns true.

Next, verifying a child certificate:

        X509Certificate2 x509 = new X509Certificate2(@"C:\Users\kevin\Desktop\ChildSubject2.cer");

        byte[] rawdata = x509.RawData;
        Console.WriteLine("Content Type: {0}{1}", X509Certificate2.GetCertContentType(rawdata), Environment.NewLine);
        Console.WriteLine("Friendly Name: {0}{1}", x509.FriendlyName, Environment.NewLine);
        Console.WriteLine("Certificate Verified?: {0}{1}", x509.Verify(), Environment.NewLine);
        Console.WriteLine("Simple Name: {0}{1}", x509.GetNameInfo(X509NameType.SimpleName, true), Environment.NewLine);
        Console.WriteLine("Signature Algorithm: {0}{1}", x509.SignatureAlgorithm.FriendlyName, Environment.NewLine);
    //  Console.WriteLine("Private Key: {0}{1}", x509.PrivateKey.ToXmlString(false), Environment.NewLine);  // A .cer file contains no private key
        Console.WriteLine("Public Key: {0}{1}", x509.PublicKey.Key.ToXmlString(false), Environment.NewLine);
        Console.WriteLine("Certificate Archived?: {0}{1}", x509.Archived, Environment.NewLine);
        Console.WriteLine("Length of Raw Data: {0}{1}", x509.RawData.Length, Environment.NewLine);

Here I used a child certificate I created myself, and x509.Verify() always returned false; even after I imported the root certificate into "trust", it still returned false. I don't know why. But if I use the company's certificate (issued by VeriSign), it returns true. I'm not sure whether my self-created root and child certificates have some configuration problem. I'll look into it when I have time.

Anyway, that is what verification amounts to.
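As an added example (not code from the original post), the following helper performs the signature step described above by hand: it splits the DER-encoded certificate into tbsCertificate, signatureAlgorithm and signatureValue and checks the signature using only the issuer's public key, with no trust-store lookup and no revocation check (both of which X509Certificate2.Verify() also performs when it builds a chain). It assumes .NET 5 or later (System.Formats.Asn1, DSASignatureFormat); the IsSignedBy name and the file paths are placeholders.

```csharp
using System;
using System.Formats.Asn1;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SignatureCheck
{
    // Hypothetical helper: true if the signature on 'subject' verifies under the
    // public key carried in 'issuer'. Checks nothing else (no trust, validity period, revocation).
    public static bool IsSignedBy(X509Certificate2 subject, X509Certificate2 issuer)
    {
        // Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
        AsnReader cert = new AsnReader(subject.RawData, AsnEncodingRules.DER).ReadSequence();
        ReadOnlyMemory<byte> tbs = cert.ReadEncodedValue();         // the bytes that were signed
        string sigOid = cert.ReadSequence().ReadObjectIdentifier();  // AlgorithmIdentifier.algorithm
        byte[] signature = cert.ReadBitString(out _);

        HashAlgorithmName hash = sigOid switch
        {
            "1.2.840.113549.1.1.5"  => HashAlgorithmName.SHA1,   // sha1WithRSAEncryption
            "1.2.840.113549.1.1.11" => HashAlgorithmName.SHA256, // sha256WithRSAEncryption
            "1.2.840.113549.1.1.12" => HashAlgorithmName.SHA384, // sha384WithRSAEncryption
            "1.2.840.113549.1.1.13" => HashAlgorithmName.SHA512, // sha512WithRSAEncryption
            "1.2.840.10045.4.3.2"   => HashAlgorithmName.SHA256, // ecdsa-with-SHA256
            "1.2.840.10045.4.3.3"   => HashAlgorithmName.SHA384, // ecdsa-with-SHA384
            "1.2.840.10045.4.3.4"   => HashAlgorithmName.SHA512, // ecdsa-with-SHA512
            _ => throw new NotSupportedException("Unsupported signature algorithm " + sigOid),
        };

        // The verifying key comes from the issuer (the parent), never from the subject itself.
        using RSA rsa = issuer.GetRSAPublicKey();
        if (rsa != null)
            return rsa.VerifyData(tbs.Span, signature, hash, RSASignaturePadding.Pkcs1);
        using ECDsa ecdsa = issuer.GetECDsaPublicKey();
        if (ecdsa != null)
            return ecdsa.VerifyData(tbs.Span, signature, hash, DSASignatureFormat.Rfc3279DerSequence);
        throw new NotSupportedException("Issuer key type not supported");
    }

    static void Main()
    {
        // Placeholder paths: point these at your own root and child .cer files.
        var root = new X509Certificate2(@"C:\path\to\Root.cer");
        var child = new X509Certificate2(@"C:\path\to\Child.cer");
        Console.WriteLine("Root signed by its own key:  " + IsSignedBy(root, root));
        Console.WriteLine("Child signed by root's key:  " + IsSignedBy(child, root));
        Console.WriteLine("Root signed by child's key:  " + IsSignedBy(root, child));
    }
}
```

Because this check ignores the trust store, it separates "is the signature mathematically valid under the parent's key" from "is the parent trusted and unrevoked", which is the combination Verify() reports as a single boolean.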

The following code checks the whole certificate chain.

        // Output chain information of the selected certificate.
        X509Chain ch = new X509Chain();
        // Chain policy must be configured before Build(); changes made afterwards do not affect the result.
        ch.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        ch.Build(x509);
        Console.WriteLine("Chain Information");
        Console.WriteLine("Chain revocation flag: {0}", ch.ChainPolicy.RevocationFlag);
        Console.WriteLine("Chain revocation mode: {0}", ch.ChainPolicy.RevocationMode);
        Console.WriteLine("Chain verification flag: {0}", ch.ChainPolicy.VerificationFlags);
        Console.WriteLine("Chain verification time: {0}", ch.ChainPolicy.VerificationTime);
        Console.WriteLine("Chain status length: {0}", ch.ChainStatus.Length);
        Console.WriteLine("Chain application policy count: {0}", ch.ChainPolicy.ApplicationPolicy.Count);
        Console.WriteLine("Chain certificate policy count: {0} {1}", ch.ChainPolicy.CertificatePolicy.Count, Environment.NewLine);
        // Output chain element information.
        Console.WriteLine("Chain Element Information");
        Console.WriteLine("Number of chain elements: {0}", ch.ChainElements.Count);
        Console.WriteLine("Chain elements synchronized? {0} {1}", ch.ChainElements.IsSynchronized, Environment.NewLine);

        foreach (X509ChainElement element in ch.ChainElements)
        {
            Console.WriteLine("Element subject name: {0}", element.Certificate.Subject);
            Console.WriteLine("Element issuer name: {0}", element.Certificate.Issuer);
            Console.WriteLine("Element certificate valid until: {0}", element.Certificate.NotAfter);
            Console.WriteLine("Element certificate is valid: {0}", element.Certificate.Verify());
            Console.WriteLine("Element error status length: {0}", element.ChainElementStatus.Length);
            Console.WriteLine("Element information: {0}", element.Information);
            Console.WriteLine("Element thumbprint: {0}", element.Certificate.Thumbprint);
            Console.WriteLine("Number of element extensions: {0}{1}", element.Certificate.Extensions.Count, Environment.NewLine);

            // Print every status reason recorded for this element (empty when the element is fine).
            for (int index = 0; index < element.ChainElementStatus.Length; index++)
            {
                Console.WriteLine(element.ChainElementStatus[index].Status);
                Console.WriteLine(element.ChainElementStatus[index].StatusInformation);
            }
        }

The code above is also very easy; it just prints information for each certificate in the chain. See MSDN for the details of each function call and its parameters.

Below is the complete code. Note that the certificate paths are hard-coded; to test it, just create a few certificates of your own.
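Added example (not the post's own code): building the chain against an explicitly named root, with the policy configured before Build() and every ChainStatus reason returned alongside the result, so that a false outcome comes with its cause (untrusted root, missing issuer, revocation status unknown, expiry, and so on) instead of a bare boolean. It assumes .NET 5 or later for X509ChainTrustMode.CustomRootTrust; the VerifyAgainstLabRoot name and the file paths are hypothetical placeholders.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class ChainCheck
{
    // Hypothetical helper: builds a chain for 'leaf' that must end at 'labRoot' and
    // returns the outcome together with the reasons the chain engine recorded.
    public static (bool Ok, string[] Reasons) VerifyAgainstLabRoot(
        X509Certificate2 leaf, X509Certificate2 labRoot, X509Certificate2[] intermediates)
    {
        using var chain = new X509Chain();

        // Everything on ChainPolicy must be set BEFORE Build(); later changes are not applied.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(labRoot);      // only this root is trusted
        chain.ChainPolicy.ExtraStore.AddRange(intermediates); // where to look for parent certificates
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // a lab CA publishes no CRL/OCSP
        chain.ChainPolicy.VerificationTime = DateTime.Now;

        bool ok = chain.Build(leaf);

        // ChainStatus is empty on success; otherwise each entry names one failing check.
        string[] reasons = chain.ChainStatus
            .Select(s => $"{s.Status}: {s.StatusInformation?.Trim()}")
            .ToArray();
        return (ok, reasons);
    }

    static void Main()
    {
        // Placeholder paths: replace with your own root and child .cer files.
        var root = new X509Certificate2(@"C:\path\to\LabRoot.cer");
        var leaf = new X509Certificate2(@"C:\path\to\LabChild.cer");

        var (ok, reasons) = VerifyAgainstLabRoot(leaf, root, Array.Empty<X509Certificate2>());
        Console.WriteLine("Chain valid: " + ok);
        foreach (string r in reasons)
            Console.WriteLine("  " + r);
    }
}
```

Switching RevocationMode back to Online against a root that has no CRL distribution point is a quick way to see the difference between a signature that is wrong and a chain the engine merely cannot vouch for.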

using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

class CertSelect
{
    static void Main()
    {
        // Verify the root certificate's signature
        X509Certificate2 x509Root = new X509Certificate2(@"C:\Users\kevin\Desktop\KevinRoot.cer");
        Console.WriteLine("Root Certificate Verified?: {0}{1}", x509Root.Verify(), Environment.NewLine);  // The root certificate is self-signed, so this passes.

        X509Certificate2 x509 = new X509Certificate2(@"C:\Users\kevin\Desktop\ChildSubject2.cer");

        byte[] rawdata = x509.RawData;
        Console.WriteLine("Content Type: {0}{1}", X509Certificate2.GetCertContentType(rawdata), Environment.NewLine);
        Console.WriteLine("Friendly Name: {0}{1}", x509.FriendlyName, Environment.NewLine);
        Console.WriteLine("Certificate Verified?: {0}{1}", x509.Verify(), Environment.NewLine);
        Console.WriteLine("Simple Name: {0}{1}", x509.GetNameInfo(X509NameType.SimpleName, true), Environment.NewLine);
        Console.WriteLine("Signature Algorithm: {0}{1}", x509.SignatureAlgorithm.FriendlyName, Environment.NewLine);
    //  Console.WriteLine("Private Key: {0}{1}", x509.PrivateKey.ToXmlString(false), Environment.NewLine);  // A .cer file contains no private key
        Console.WriteLine("Public Key: {0}{1}", x509.PublicKey.Key.ToXmlString(false), Environment.NewLine);
        Console.WriteLine("Certificate Archived?: {0}{1}", x509.Archived, Environment.NewLine);
        Console.WriteLine("Length of Raw Data: {0}{1}", x509.RawData.Length, Environment.NewLine);


        // Output chain information of the selected certificate.
        X509Chain ch = new X509Chain();
        // Chain policy must be configured before Build(); changes made afterwards do not affect the result.
        ch.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        ch.Build(x509);
        Console.WriteLine("Chain Information");
        Console.WriteLine("Chain revocation flag: {0}", ch.ChainPolicy.RevocationFlag);
        Console.WriteLine("Chain revocation mode: {0}", ch.ChainPolicy.RevocationMode);
        Console.WriteLine("Chain verification flag: {0}", ch.ChainPolicy.VerificationFlags);
        Console.WriteLine("Chain verification time: {0}", ch.ChainPolicy.VerificationTime);
        Console.WriteLine("Chain status length: {0}", ch.ChainStatus.Length);
        Console.WriteLine("Chain application policy count: {0}", ch.ChainPolicy.ApplicationPolicy.Count);
        Console.WriteLine("Chain certificate policy count: {0} {1}", ch.ChainPolicy.CertificatePolicy.Count, Environment.NewLine);
        // Output chain element information.
        Console.WriteLine("Chain Element Information");
        Console.WriteLine("Number of chain elements: {0}", ch.ChainElements.Count);
        Console.WriteLine("Chain elements synchronized? {0} {1}", ch.ChainElements.IsSynchronized, Environment.NewLine);

        foreach (X509ChainElement element in ch.ChainElements)
        {
            Console.WriteLine("Element subject name: {0}", element.Certificate.Subject);
            Console.WriteLine("Element issuer name: {0}", element.Certificate.Issuer);
            Console.WriteLine("Element certificate valid until: {0}", element.Certificate.NotAfter);
            Console.WriteLine("Element certificate is valid: {0}", element.Certificate.Verify());
            Console.WriteLine("Element error status length: {0}", element.ChainElementStatus.Length);
            Console.WriteLine("Element information: {0}", element.Information);
            Console.WriteLine("Element thumbprint: {0}", element.Certificate.Thumbprint);
            Console.WriteLine("Number of element extensions: {0}{1}", element.Certificate.Extensions.Count, Environment.NewLine);

            // Print every status reason recorded for this element (empty when the element is fine).
            for (int index = 0; index < element.ChainElementStatus.Length; index++)
            {
                Console.WriteLine(element.ChainElementStatus[index].Status);
                Console.WriteLine(element.ChainElementStatus[index].StatusInformation);
            }
        }

        x509.Reset();
    }
}

Copyright notice: this is an original article from this blog; do not reproduce without permission.

Published by 风君子
