如何在C#中手动验证自签名证书?

时间:2018-07-02 13:45:14

标签: c# validation ssl certificate self-signed

在过去的几周中,我在Docker容器中进行了大量工作,遇到了一个障碍,在该障碍中,自签名证书会导致问题,因为Docker容器无法识别证书颁发机构。

问题是我无法在服务器配置上放置自己的证书,因为我们在公司使用Docker的方式。

1 个答案:

答案 0 :(得分:2)

经过大量研究,我提出了一个解决方案,该解决方案基于构建链和验证指纹的方式来手动验证证书。

注意:您必须使用支持证书验证回调的库,以便可以编写自己的委托方法。下面是我的实现。

public static bool ManualSslVerification(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    try
    {
        //Testing to see if the Certificate and Chain build properly, aka no forgery.
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.Build(new X509Certificate2(certificate));

        //Looking to see if there are no errors in the build that we don’t like
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            if (status.Status == X509ChainStatusFlags.NoError || status.Status == X509ChainStatusFlags.UntrustedRoot)
            {
                //Acceptable Status, We want to know if it builds properly.
            }
            else
            {
                return false;
            }
        }

        X509Certificate2 trustedRootCertificateAuthority = new X509Certificate2(ViewController.Properties.Resources.My_Infrastructure_Root_CA);

        //Now that we have tested to see if the cert builds properly, we now will check if the thumbprint of the root ca matches our trusted one
        if(chain.ChainElements[chain.ChainElements.Count – 1].Certificate.Thumbprint != trustedRootCertificateAuthority.Thumbprint)
        {
            return false;
        }

        //Once we have verified the thumbprint the last fun check we can do is to build the chain and then see if the remote cert builds properly with it
        //Testing to see if the Certificate and Chain build properly, aka no forgery.
        X509Chain trustedChain = new X509Chain();
        trustedChain.ChainPolicy.ExtraStore.Add(trustedRootCertificateAuthority);
        trustedChain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        trustedChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        trustedChain.Build(new X509Certificate2(certificate));

        //Looking to see if there are no errors in the build that we don’t like
        foreach (X509ChainStatus status in trustedChain.ChainStatus)
        {
            if(status.Status == X509ChainStatusFlags.NoError || status.Status == X509ChainStatusFlags.UntrustedRoot)
            {
                //Acceptable Status, We want to know if it builds properly.
            }
            else
            {
                return false;
            }
        }
    }
    catch (Exception ex)
    {
        Console.WriteLine(ex);
        return false;
    }

    return true;
}
相关问题
最新问题