SubjectAlternativeName中的非ASCII字符

时间:2018-01-26 13:31:47

标签: c# bouncycastle

我正在尝试使用self-signed X509 certificates创建BouncyCastle.NET。它似乎一般工作,但我没有包含非ASCII字符的国际化域名。

以下是我正在做的一个紧凑的例子。 “myDevice.abc.example.com”的单元测试用例成功,但对于包含non-ASCII个字符(如“myDevice.äöü.example.com”)的其他情况则失败。 

[TestCase("myDevice.abc.example.com")]
[TestCase("myDevice.äöü.example.com")]  // western european
[TestCase("myDevice.ařa.example.com")]  // eastern european
[TestCase("mydevice.aデa.example.com")] // katakana
[Test]
public void IdnTest(string fqdn)
{
    #region Preparation
    ECKeyPairGenerator kpgen = new ECKeyPairGenerator();
    kpgen.Init(new KeyGenerationParameters(new SecureRandom(new CryptoApiRandomGenerator()), Constants.SelectedRootKeySize));
    var caKeyPair = kpgen.GenerateKeyPair();
    var certKeyPair = kpgen.GenerateKeyPair();
    X509V3CertificateGenerator certGenerator = new X509V3CertificateGenerator();
    certGenerator.SetSerialNumber(Org.BouncyCastle.Math.BigInteger.ProbablePrime(120, new Random()));
    IList oids = new ArrayList() { X509Name.OU };
    IList values = new ArrayList() { "Test" };
    certGenerator.SetIssuerDN(new X509Name(oids, values));
    certGenerator.SetNotBefore(DateTime.Now.Date);
    certGenerator.SetNotAfter(DateTime.Now + TimeSpan.FromDays(365));
    certGenerator.SetPublicKey(certKeyPair.Public);

    //var dnsString = new Org.BouncyCastle.Asn1.DerIA5String(fqdn, true);   //explicit validation would fail here
    //var dnsName = new GeneralName(dnsString, GeneralName.DnsName);
    var dnsName = new GeneralName(GeneralName.DnsName, fqdn);               //here I can create an GeneralName without validation failure
    GeneralNames subjectAltName = new GeneralNames(dnsName);
    certGenerator.AddExtension(X509Extensions.SubjectAlternativeName, true, subjectAltName);

    ISignatureFactory signatureFactory = new Asn1SignatureFactory("sha256WithECDSA", caKeyPair.Private, new SecureRandom(new CryptoApiRandomGenerator()));
    Org.BouncyCastle.X509.X509Certificate x509Certificate = certGenerator.Generate(signatureFactory);
    #endregion

    #region Verification
    var san = x509Certificate.GetSubjectAlternativeNames() as ArrayList;
    Assert.AreEqual(1, san.Count);
    var generalName = san[0] as System.Collections.ArrayList;
    Assert.AreEqual(GeneralName.DnsName, generalName[0]);
    object actual = generalName[1];
    Assert.AreEqual(fqdn, actual);
    #endregion
}

最终断言失败,从证书中检索到的字符串中的特殊字符被替换为“?”。

这是应该有效的吗,我做了一些明显的错误吗?

1 个答案:

答案 0 :(得分:0)

感谢DJDaveMarkJames K Polk的评论,我找到了答案:在创建GeneralName之前,必须根据rfc 5280对域名进行编码:

var idn = new System.Globalization.IdnMapping();
idn.UseStd3AsciiRules = true;
idn.AllowUnassigned = false;
string encodedFqdn = idn.GetAscii(fqdn);
var dnsName = new GeneralName(GeneralName.DnsName, encodedFqdn);

显然,必须在阅读证书后对其进行解码:

var actualEncodedFqdn = generalName[1];
var actual = idn.GetUnicode(actualEncodedFqdn.ToString());
StringAssert.AreEqualIgnoringCase(fqdn, actual);
相关问题
最新问题