在 C# 中添加多个 X509VerificationFlags
Adding multiple X509VerificationFlags in C#
我正在努力处理一些 X509Certificate 内容以调用 HTTPS 网络服务。在我构建这个的地方,根 CA 不受信任,但它对我个人来说对于我正在处理的程序是有效的。所以我正在研究在 C# 中使用 ServerCertificateValidationCallback 来使它像在另一个 Whosebug 问题上发现的那样工作。
我想知道有没有办法添加多个 X509VerificationFlags 以使证书通过。我只是对覆盖 .NET 实现感到紧张。
Boolean ServerCertificateValidationCallback(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
X509Certificate2 UATrootCA = new X509Certificate2("MyInvalidRootCAButIWantToTrustItAnyway.cer");
// remove this line if commercial CAs are not allowed to issue certificate for your service.
if ((sslPolicyErrors & (SslPolicyErrors.None)) > 0) { return true; }
if (
(sslPolicyErrors & (SslPolicyErrors.RemoteCertificateNameMismatch)) > 0 ||
(sslPolicyErrors & (SslPolicyErrors.RemoteCertificateNotAvailable)) > 0
) { return false; }
// get last chain element that should contain root CA certificate
//X509Certificate2 projectedRootCert = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
//if (projectedRootCert.Thumbprint == UATrootCA.Thumbprint)
//{
// return true; // I could return true here if I really wanted to and it would work fine, but I feel like there might be a better way...
//}
// execute certificate chaining engine and ignore only "UntrustedRoot" error
X509Chain customChain = new X509Chain
{
ChainPolicy = {
VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority
}
};
customChain.ChainPolicy.ExtraStore.Add(UATrootCA);
Boolean retValue = customChain.Build(chain.ChainElements[0].Certificate);
// RELEASE unmanaged resources behind X509Chain class.
customChain.Reset();
return retValue;
}
更新 1
感谢您的评论 bartonjs。盯着那个评论让我觉得很傻。有时坦白调试是最好的方法。最后,我得到了一些略有不同的代码,仍在检查指纹。
Boolean ServerCertificateValidationCallback(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
X509Certificate2 UATrootCA = new X509Certificate2("MyInvalidRootCAButIWantToTrustItAnyway.cer");
if (
(sslPolicyErrors & (SslPolicyErrors.RemoteCertificateNameMismatch)) > 0 ||
(sslPolicyErrors & (SslPolicyErrors.RemoteCertificateNotAvailable)) > 0
) { return false; }
// get last chain element that should contain root CA certificate
// but this may not be the case in partial chains
X509Certificate2 projectedRootCert = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
X509Chain customChain = new X509Chain();
Boolean retValue = false;
// execute certificate chaining engine and ignore only "UntrustedRoot" error if our Thumbprint matches.
if (projectedRootCert.Thumbprint == UATrootCA.Thumbprint)
{
customChain = new X509Chain
{
ChainPolicy = { VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority }
//ChainPolicy = { VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority |
// X509VerificationFlags.IgnoreRootRevocationUnknown }
// As bartonjs commented you can use a bitwise-or to add different VerificationFlags which can be very useful
};
retValue = customChain.Build(UATrootCA);
}
else
{
retValue = customChain.Build(chain.ChainElements[0].Certificate);
}
// RELEASE unmanaged resources behind X509Chain class.
customChain.Reset();
return retValue;
}
X509VerificationFlags 是一个 [Flags] 枚举,意味着这些值可以用按位或组合。
例如接受未知的根权限而不关心过期:
chain.ChainPolicy.VerificationFlags =
X509VerificationFlags.AllowUnknownCertificateAuthority |
X509VerificationFlags.IgnoreTimeNotValid;
我正在努力处理一些 X509Certificate 内容以调用 HTTPS 网络服务。在我构建这个的地方,根 CA 不受信任,但它对我个人来说对于我正在处理的程序是有效的。所以我正在研究在 C# 中使用 ServerCertificateValidationCallback 来使它像在另一个 Whosebug 问题上发现的那样工作。
我想知道有没有办法添加多个 X509VerificationFlags 以使证书通过。我只是对覆盖 .NET 实现感到紧张。
Boolean ServerCertificateValidationCallback(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
X509Certificate2 UATrootCA = new X509Certificate2("MyInvalidRootCAButIWantToTrustItAnyway.cer");
// remove this line if commercial CAs are not allowed to issue certificate for your service.
if ((sslPolicyErrors & (SslPolicyErrors.None)) > 0) { return true; }
if (
(sslPolicyErrors & (SslPolicyErrors.RemoteCertificateNameMismatch)) > 0 ||
(sslPolicyErrors & (SslPolicyErrors.RemoteCertificateNotAvailable)) > 0
) { return false; }
// get last chain element that should contain root CA certificate
//X509Certificate2 projectedRootCert = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
//if (projectedRootCert.Thumbprint == UATrootCA.Thumbprint)
//{
// return true; // I could return true here if I really wanted to and it would work fine, but I feel like there might be a better way...
//}
// execute certificate chaining engine and ignore only "UntrustedRoot" error
X509Chain customChain = new X509Chain
{
ChainPolicy = {
VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority
}
};
customChain.ChainPolicy.ExtraStore.Add(UATrootCA);
Boolean retValue = customChain.Build(chain.ChainElements[0].Certificate);
// RELEASE unmanaged resources behind X509Chain class.
customChain.Reset();
return retValue;
}
更新 1
感谢您的评论 bartonjs。盯着那个评论让我觉得很傻。有时坦白调试是最好的方法。最后,我得到了一些略有不同的代码,仍在检查指纹。
Boolean ServerCertificateValidationCallback(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
X509Certificate2 UATrootCA = new X509Certificate2("MyInvalidRootCAButIWantToTrustItAnyway.cer");
if (
(sslPolicyErrors & (SslPolicyErrors.RemoteCertificateNameMismatch)) > 0 ||
(sslPolicyErrors & (SslPolicyErrors.RemoteCertificateNotAvailable)) > 0
) { return false; }
// get last chain element that should contain root CA certificate
// but this may not be the case in partial chains
X509Certificate2 projectedRootCert = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
X509Chain customChain = new X509Chain();
Boolean retValue = false;
// execute certificate chaining engine and ignore only "UntrustedRoot" error if our Thumbprint matches.
if (projectedRootCert.Thumbprint == UATrootCA.Thumbprint)
{
customChain = new X509Chain
{
ChainPolicy = { VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority }
//ChainPolicy = { VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority |
// X509VerificationFlags.IgnoreRootRevocationUnknown }
// As bartonjs commented you can use a bitwise-or to add different VerificationFlags which can be very useful
};
retValue = customChain.Build(UATrootCA);
}
else
{
retValue = customChain.Build(chain.ChainElements[0].Certificate);
}
// RELEASE unmanaged resources behind X509Chain class.
customChain.Reset();
return retValue;
}
X509VerificationFlags 是一个 [Flags] 枚举,意味着这些值可以用按位或组合。
例如接受未知的根权限而不关心过期:
chain.ChainPolicy.VerificationFlags =
X509VerificationFlags.AllowUnknownCertificateAuthority |
X509VerificationFlags.IgnoreTimeNotValid;