在X509VerificationFlags中添加多个C#
在X509VerificationFlags中添加多个C#
提问于 2019-04-03 21:24:31
我正在为打电话到HTTPS网络服务的一些X509Certificate东西而挣扎。在我构建这个程序时,根CA是不受信任的,但是它对我个人来说是有效的,因为我正在使用哪个程序。因此,我正在研究如何使用C#中的C#来实现这个功能,就像在另一个堆栈溢出问题上所发现的那样。
我想知道是否有一种方法可以添加多个X509VerificationFlags以使证书通过。我只是紧张地忽略了.NET实现。
Boolean ServerCertificateValidationCallback(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
X509Certificate2 UATrootCA = new X509Certificate2("MyInvalidRootCAButIWantToTrustItAnyway.cer");
// remove this line if commercial CAs are not allowed to issue certificate for your service.
if ((sslPolicyErrors & (SslPolicyErrors.None)) > 0) { return true; }
if (
(sslPolicyErrors & (SslPolicyErrors.RemoteCertificateNameMismatch)) > 0 ||
(sslPolicyErrors & (SslPolicyErrors.RemoteCertificateNotAvailable)) > 0
) { return false; }
// get last chain element that should contain root CA certificate
//X509Certificate2 projectedRootCert = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
//if (projectedRootCert.Thumbprint == UATrootCA.Thumbprint)
//{
// return true; // I could return true here if I really wanted to and it would work fine, but I feel like there might be a better way...
//}
// execute certificate chaining engine and ignore only "UntrustedRoot" error
X509Chain customChain = new X509Chain
{
ChainPolicy = {
VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority
}
};
customChain.ChainPolicy.ExtraStore.Add(UATrootCA);
Boolean retValue = customChain.Build(chain.ChainElements[0].Certificate);
// RELEASE unmanaged resources behind X509Chain class.
customChain.Reset();
return retValue;
}更新1
谢谢您的评论bartonjs。盯着那个评论让我觉得很傻。有时候,通过忏悔来调试是最好的方法。最后,我得到了一些稍微不同的代码,仍然在检查拇指指纹。
Boolean ServerCertificateValidationCallback(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
X509Certificate2 UATrootCA = new X509Certificate2("MyInvalidRootCAButIWantToTrustItAnyway.cer");
if (
(sslPolicyErrors & (SslPolicyErrors.RemoteCertificateNameMismatch)) > 0 ||
(sslPolicyErrors & (SslPolicyErrors.RemoteCertificateNotAvailable)) > 0
) { return false; }
// get last chain element that should contain root CA certificate
// but this may not be the case in partial chains
X509Certificate2 projectedRootCert = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
X509Chain customChain = new X509Chain();
Boolean retValue = false;
// execute certificate chaining engine and ignore only "UntrustedRoot" error if our Thumbprint matches.
if (projectedRootCert.Thumbprint == UATrootCA.Thumbprint)
{
customChain = new X509Chain
{
ChainPolicy = { VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority }
//ChainPolicy = { VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority |
// X509VerificationFlags.IgnoreRootRevocationUnknown }
// As bartonjs commented you can use a bitwise-or to add different VerificationFlags which can be very useful
};
retValue = customChain.Build(UATrootCA);
}
else
{
retValue = customChain.Build(chain.ChainElements[0].Certificate);
}
// RELEASE unmanaged resources behind X509Chain class.
customChain.Reset();
return retValue;
}回答 1
Stack Overflow用户
回答已采纳
发布于 2019-04-04 05:02:54
X509VerificationFlags是一个[Flags]枚举,意味着这些值可以按位组合-或。
接受未知的根权限,而不关心过期:
chain.ChainPolicy.VerificationFlags =
X509VerificationFlags.AllowUnknownCertificateAuthority |
X509VerificationFlags.IgnoreTimeNotValid;页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/55504522
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号