我想从FTP服务器下载一些安全的数据。数据很敏感。 为了安全起见,我将使用FTP over TLS。自签名证书将安装在客户端上。
是否足以从服务器散列证书并将其与客户端上的证书散列进行比较?所以我可以保证,这是正确的证书。之后我想检查证书是否正确。
这是我的功能:
public bool myCertificateValidation(Object sender,
X509Certificate cert,
X509Chain chain,
SslPolicyErrors Errors)
{
var pem = System.IO.File.ReadAllText(@"c:\temp\cert.crt");
byte[] certBuffer = GetBytesFromPEM(pem, "CERTIFICATE");
var certificate = new X509Certificate2(certBuffer);
// Check if the server send the exptected certificate
if (!certificate.GetCertHashString().Equals(cert.GetCertHashString()))
{
return false;
}
// If the certificate is a valid, signed certificate, return true.
if (Errors == System.Net.Security.SslPolicyErrors.None)
{
return true;
}
// If there are errors in the certificate chain, look at each error to determine the cause.
if ((Errors & System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors) != 0)
{
if (chain != null && chain.ChainStatus != null)
{
foreach (System.Security.Cryptography.X509Certificates.X509ChainStatus status in chain.ChainStatus)
{
if ((certificate.Subject == certificate.Issuer) &&
(status.Status == System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.UntrustedRoot))
{
// Self-signed certificates with an untrusted root are valid.
continue;
}
else
{
if (status.Status != System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.NoError)
{
// If there are any other errors in the certificate chain, the certificate is invalid,
// so the method returns false.
return false;
}
}
}
}
// When processing reaches this line, the only errors in the certificate chain are
// untrusted root errors for self-signed certificates. These certificates are valid
// for default Exchange server installations, so return true.
return true;
}
else
{
// In all other cases, return false.
return false;
}
}
我正在咆哮错误的树吗?