我正在努力使用一些X509Certificate来调用HTTPS webservice。在我构建这个的地方,根CA不受信任,但我个人对我正在开发的程序有效。所以我正在考虑在C#中使用ServerCertificateValidationCallback来使其工作在另一个stackoverflow问题上找到。
我想知道有没有办法添加多个X509VerificationFlags,以便证书通过。我只是紧张地重写.NET实现。
Boolean ServerCertificateValidationCallback(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
X509Certificate2 UATrootCA = new X509Certificate2("MyInvalidRootCAButIWantToTrustItAnyway.cer");
// remove this line if commercial CAs are not allowed to issue certificate for your service.
if ((sslPolicyErrors & (SslPolicyErrors.None)) > 0) { return true; }
if (
(sslPolicyErrors & (SslPolicyErrors.RemoteCertificateNameMismatch)) > 0 ||
(sslPolicyErrors & (SslPolicyErrors.RemoteCertificateNotAvailable)) > 0
) { return false; }
// get last chain element that should contain root CA certificate
//X509Certificate2 projectedRootCert = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
//if (projectedRootCert.Thumbprint == UATrootCA.Thumbprint)
//{
// return true; // I could return true here if I really wanted to and it would work fine, but I feel like there might be a better way...
//}
// execute certificate chaining engine and ignore only "UntrustedRoot" error
X509Chain customChain = new X509Chain
{
ChainPolicy = {
VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority
}
};
customChain.ChainPolicy.ExtraStore.Add(UATrootCA);
Boolean retValue = customChain.Build(chain.ChainElements[0].Certificate);
// RELEASE unmanaged resources behind X509Chain class.
customChain.Reset();
return retValue;
}
感谢您对bartonjs的评论。盯着那条评论让我觉得很傻。有时通过坦白进行调试是最好的方法。最后,我最终得到了一些稍微不同的代码,仍在检查指纹。
Boolean ServerCertificateValidationCallback(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
X509Certificate2 UATrootCA = new X509Certificate2("MyInvalidRootCAButIWantToTrustItAnyway.cer");
if (
(sslPolicyErrors & (SslPolicyErrors.RemoteCertificateNameMismatch)) > 0 ||
(sslPolicyErrors & (SslPolicyErrors.RemoteCertificateNotAvailable)) > 0
) { return false; }
// get last chain element that should contain root CA certificate
// but this may not be the case in partial chains
X509Certificate2 projectedRootCert = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
X509Chain customChain = new X509Chain();
Boolean retValue = false;
// execute certificate chaining engine and ignore only "UntrustedRoot" error if our Thumbprint matches.
if (projectedRootCert.Thumbprint == UATrootCA.Thumbprint)
{
customChain = new X509Chain
{
ChainPolicy = { VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority }
//ChainPolicy = { VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority |
// X509VerificationFlags.IgnoreRootRevocationUnknown }
// As bartonjs commented you can use a bitwise-or to add different VerificationFlags which can be very useful
};
retValue = customChain.Build(UATrootCA);
}
else
{
retValue = customChain.Build(chain.ChainElements[0].Certificate);
}
// RELEASE unmanaged resources behind X509Chain class.
customChain.Reset();
return retValue;
}
X509VerificationFlags是一个[Flags]枚举,意味着值可以与bitwise或。
例如接受未知的root权限以及不关心过期:
chain.ChainPolicy.VerificationFlags =
X509VerificationFlags.AllowUnknownCertificateAuthority |
X509VerificationFlags.IgnoreTimeNotValid;