区分根CA和中间CA证书

Question

我已经设法弄清楚了x509Certificate2Collection中的证书是否是证书颁发机构证书，但是我如何安全地确定它是根证书还是中间证书？下面的内容足够安全吗？

var collection = new X509Certificate2Collection();
collection.Import("test.pfx", "password", X509KeyStorageFlags.PersistKeySet);

foreach (X509Certificate2 cert in collection)
{
    var basicConstraintExt = cert.Extensions["2.5.29.19"] as X509BasicConstraintsExtension;
    if (basicConstraintExt != null)
    {
        Log.Debug($"    Subject is: '{cert.Subject}'");
        Log.Debug($"    Issuer is: '{cert.Issuer}'");
        if (basicConstraintExt.CertificateAuthority)
        {
            Log.Debug("I am a CA Cert.");
            if (cert.Subject == cert.Issuer)
            {
                Log.Debug("My Subject matches Issuer.");
            }
            else
            {
                Log.Debug("My Subject does not match Issuer.");
            }
            Log.Debug(cert.Verify() ? "I verify" : "I do not verify");
        }
        else
        {
            Log.Debug("I am not a CA Cert.");
        }
    }
}

结果：

 Displaying Cert #1 in collection
 ********************************

 Subject is: 'CN=Intermediate-CA, DC=test, DC=lan'
 Issuer is: 'CN=Root-CA, DC=test, DC=lan'
 - I am a CA Cert.
 - My Subject does not match Issuer.
 - I do not verify


 Displaying Cert #2 in collection
 ********************************

 Subject is: 'CN=Root-CA, DC=test, DC=lan'
 Issuer is: 'CN=Root-CA, DC=test, DC=lan'
 - I am a CA Cert.
 - My Subject matches Issuer.
 - I do not verify

Answer 1

不确定这对Kestrel是否有帮助，但我会尝试下面的代码。

我们将使用X509Chain类来构造和验证链。

var collection = new X509Certificate2Collection();
collection.Import("test.pfx", "password");

var chain = new X509Chain();
chain.ChainPolicy.ExtraStore.AddRange(collection);
// untrusted root error raise false-positive errors, for example RevocationOffline
// so skip possible untrusted root chain error.
chain.VerificationFlags |= X509VerificationFlags.AllowUnknownCertificateAuthority;
// revocation checking is client's responsibility. Skip it.
chain.RevocationMode = X509VerificationFlags.NoCheck;
// build the chain.
Boolean isValid = chain.Build(collection[0]);
// explore chain.ChainElements collection. First item should be your leaf
// certificate and last item should be root certificate

所有这些东西都位于System.Security.Cryptography.X509Certificates名称空间中。在这段代码中，我假设PFX中的第一个证书是叶证书(在99%的情况下，除非有人试图忽略标准)。通过探索chain.ChainElements集合，您可以找到链中每个证书的问题。