文档建议反馈控制台
首页
学习
活动
专区
圈层
工具
MCP广场
文章/答案/技术大牛
发布
社区首页 >专栏 >cer证书签名验证[通俗易懂]

cer证书签名验证[通俗易懂]

作者头像
全栈程序员站长
发布2022-07-01 08:22:02
发布2022-07-01 08:22:02
3.3K0
举报
文章被收录于专栏:全栈程序员必看全栈程序员必看

大家好,又见面了,我是你们的朋友全栈君。

一个cer证书本身也是需要签名的,这是为了防止cer证书被篡改。

证书有两种类型:

1. 根证书

2. 根证书签发的子证书。

根证书比较特殊,它是自签名的。而其他子证书的签名公钥都保存在它的上级证书里面。

可以用C#来做一些验证。

首先是根证书的签名验证。

代码语言:javascript
复制
        // 验证根证书签名
        X509Certificate2 x509Root = new X509Certificate2("C:\\Users\\kevin\\Desktop\\KevinRoot.cer");
        Console.WriteLine("Root Certificate Verified?: {0}{1}", x509Root.Verify(), Environment.NewLine);  // 根证书是自签名,所以可以通过。

很简单,因为根证书是自签名的,x509Root.Verify()会返回true。

然后是子证书的验证,

代码语言:javascript
复制
       X509Certificate2 x509 = new X509Certificate2("C:\\Users\\kevin\\Desktop\\ChildSubject2.cer");

        byte[] rawdata = x509.RawData;
        Console.WriteLine("Content Type: {0}{1}", X509Certificate2.GetCertContentType(rawdata), Environment.NewLine);
        Console.WriteLine("Friendly Name: {0}{1}", x509.FriendlyName, Environment.NewLine);
        Console.WriteLine("Certificate Verified?: {0}{1}", x509.Verify(), Environment.NewLine);
        Console.WriteLine("Simple Name: {0}{1}", x509.GetNameInfo(X509NameType.SimpleName, true), Environment.NewLine);
        Console.WriteLine("Signature Algorithm: {0}{1}", x509.SignatureAlgorithm.FriendlyName, Environment.NewLine);
    //    Console.WriteLine("Private Key: {0}{1}", x509.PrivateKey.ToXmlString(false), Environment.NewLine);  // cer里面并没有私钥信息
        Console.WriteLine("Public Key: {0}{1}", x509.PublicKey.Key.ToXmlString(false), Environment.NewLine);
        Console.WriteLine("Certificate Archived?: {0}{1}", x509.Archived, Environment.NewLine);
        Console.WriteLine("Length of Raw Data: {0}{1}", x509.RawData.Length, Environment.NewLine);

这里我用自己创建的子证书,x509.Verify()总是返回false,就算我把根证书导入到“trust”里面,还是返回false,不知道为什么。但是如果我用公司的证书(verisign颁发的),却可以返回true。不知道是不是我自己创建的根证书,子证书有什么配置问题,有空再研究。反正验证也就这么回事。

下面的代码,用来检查整个证书链。

代码语言:javascript
复制
        //Output chain information of the selected certificate.
        X509Chain ch = new X509Chain();
        ch.Build(x509);
        Console.WriteLine("Chain Information");
        ch.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        Console.WriteLine("Chain revocation flag: {0}", ch.ChainPolicy.RevocationFlag);
        Console.WriteLine("Chain revocation mode: {0}", ch.ChainPolicy.RevocationMode);
        Console.WriteLine("Chain verification flag: {0}", ch.ChainPolicy.VerificationFlags);
        Console.WriteLine("Chain verification time: {0}", ch.ChainPolicy.VerificationTime);
        Console.WriteLine("Chain status length: {0}", ch.ChainStatus.Length);
        Console.WriteLine("Chain application policy count: {0}", ch.ChainPolicy.ApplicationPolicy.Count);
        Console.WriteLine("Chain certificate policy count: {0} {1}", ch.ChainPolicy.CertificatePolicy.Count, Environment.NewLine);
        //Output chain element information.
        Console.WriteLine("Chain Element Information");
        Console.WriteLine("Number of chain elements: {0}", ch.ChainElements.Count);
        Console.WriteLine("Chain elements synchronized? {0} {1}", ch.ChainElements.IsSynchronized, Environment.NewLine);

    //    int index = 0;
        foreach (X509ChainElement element in ch.ChainElements)
        {
            Console.WriteLine("Element subject name: {0}", element.Certificate.Subject);
            Console.WriteLine("Element issuer name: {0}", element.Certificate.Issuer);
            Console.WriteLine("Element certificate valid until: {0}", element.Certificate.NotAfter);
            Console.WriteLine("Element certificate is valid: {0}", element.Certificate.Verify());
            Console.WriteLine("Element error status length: {0}", element.ChainElementStatus.Length);
            Console.WriteLine("Element information: {0}", element.Information);
            Console.WriteLine("Number of element extensions: {0}{1}", element.Certificate.Extensions.Count, Environment.NewLine);

            string a = element.Certificate.Thumbprint;
       //     string b = ch.ChainPolicy.ExtraStore[0].Thumbprint;
            //ch.ChainPolicy.ExtraStore[index - 1].Thumbprint;

            if (ch.ChainStatus.Length > 1)
            {
                for (int index = 0; index < element.ChainElementStatus.Length; index++)
                {
                    Console.WriteLine(element.ChainElementStatus[index].Status);
                    Console.WriteLine(element.ChainElementStatus[index].StatusInformation);
                }
            }
        }

上面的代码也很简单,其实就是把整个证书链里面的每一个证书信息打印一下。具体的函数调用参数msdn。

下面是完整代码,注意里面的几个证书路径是我写死的,如果想测试下面的代码,只需要自己创建几个证书。

代码语言:javascript
复制
using System;
using System.Security.Cryptography;
using System.Security.Permissions;
using System.IO;
using System.Security.Cryptography.X509Certificates;

class CertSelect
{
    static void Main()
    {
        // 验证根证书签名
        X509Certificate2 x509Root = new X509Certificate2("C:\\Users\\kevin\\Desktop\\KevinRoot.cer");
        Console.WriteLine("Root Certificate Verified?: {0}{1}", x509Root.Verify(), Environment.NewLine);  // 根证书是自签名,所以可以通过。

        X509Certificate2 x509 = new X509Certificate2("C:\\Users\\kevin\\Desktop\\ChildSubject2.cer");

        byte[] rawdata = x509.RawData;
        Console.WriteLine("Content Type: {0}{1}", X509Certificate2.GetCertContentType(rawdata), Environment.NewLine);
        Console.WriteLine("Friendly Name: {0}{1}", x509.FriendlyName, Environment.NewLine);
        Console.WriteLine("Certificate Verified?: {0}{1}", x509.Verify(), Environment.NewLine);
        Console.WriteLine("Simple Name: {0}{1}", x509.GetNameInfo(X509NameType.SimpleName, true), Environment.NewLine);
        Console.WriteLine("Signature Algorithm: {0}{1}", x509.SignatureAlgorithm.FriendlyName, Environment.NewLine);
    //    Console.WriteLine("Private Key: {0}{1}", x509.PrivateKey.ToXmlString(false), Environment.NewLine);  // cer里面并没有私钥信息
        Console.WriteLine("Public Key: {0}{1}", x509.PublicKey.Key.ToXmlString(false), Environment.NewLine);
        Console.WriteLine("Certificate Archived?: {0}{1}", x509.Archived, Environment.NewLine);
        Console.WriteLine("Length of Raw Data: {0}{1}", x509.RawData.Length, Environment.NewLine);


        //Output chain information of the selected certificate.
        X509Chain ch = new X509Chain();
        ch.Build(x509);
        Console.WriteLine("Chain Information");
        ch.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        Console.WriteLine("Chain revocation flag: {0}", ch.ChainPolicy.RevocationFlag);
        Console.WriteLine("Chain revocation mode: {0}", ch.ChainPolicy.RevocationMode);
        Console.WriteLine("Chain verification flag: {0}", ch.ChainPolicy.VerificationFlags);
        Console.WriteLine("Chain verification time: {0}", ch.ChainPolicy.VerificationTime);
        Console.WriteLine("Chain status length: {0}", ch.ChainStatus.Length);
        Console.WriteLine("Chain application policy count: {0}", ch.ChainPolicy.ApplicationPolicy.Count);
        Console.WriteLine("Chain certificate policy count: {0} {1}", ch.ChainPolicy.CertificatePolicy.Count, Environment.NewLine);
        //Output chain element information.
        Console.WriteLine("Chain Element Information");
        Console.WriteLine("Number of chain elements: {0}", ch.ChainElements.Count);
        Console.WriteLine("Chain elements synchronized? {0} {1}", ch.ChainElements.IsSynchronized, Environment.NewLine);

    //    int index = 0;
        foreach (X509ChainElement element in ch.ChainElements)
        {
            Console.WriteLine("Element subject name: {0}", element.Certificate.Subject);
            Console.WriteLine("Element issuer name: {0}", element.Certificate.Issuer);
            Console.WriteLine("Element certificate valid until: {0}", element.Certificate.NotAfter);
            Console.WriteLine("Element certificate is valid: {0}", element.Certificate.Verify());
            Console.WriteLine("Element error status length: {0}", element.ChainElementStatus.Length);
            Console.WriteLine("Element information: {0}", element.Information);
            Console.WriteLine("Number of element extensions: {0}{1}", element.Certificate.Extensions.Count, Environment.NewLine);

            string a = element.Certificate.Thumbprint;
       //     string b = ch.ChainPolicy.ExtraStore[0].Thumbprint;
            //ch.ChainPolicy.ExtraStore[index - 1].Thumbprint;

            if (ch.ChainStatus.Length > 1)
            {
                for (int index = 0; index < element.ChainElementStatus.Length; index++)
                {
                    Console.WriteLine(element.ChainElementStatus[index].Status);
                    Console.WriteLine(element.ChainElementStatus[index].StatusInformation);
                }
            }
        }

        x509.Reset();
        
    }
    
}

发布者:全栈程序员栈长,转载请注明出处:https://javaforall.cn/131872.html原文链接:https://javaforall.cn

本文参与 腾讯云自媒体同步曝光计划,分享自作者个人站点/博客。
如有侵权请联系 cloudcommunity@tencent.com 删除
java
https
网络安全

本文分享自 作者个人站点/博客 前往查看

如有侵权,请联系 cloudcommunity@tencent.com 删除。

本文参与 腾讯云自媒体同步曝光计划  ,欢迎热爱写作的你一起参与!

java
https
网络安全
评论
登录后参与评论
0 条评论
热度
最新
登录 后参与评论
推荐阅读
领券

腾讯云开发者

扫码关注腾讯云开发者

扫码关注腾讯云开发者

领取腾讯云代金券

热门产品

热门推荐

更多推荐

Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有 

深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 粤公网安备44030502008569号

腾讯云计算(北京)有限责任公司 京ICP证150476号 |  京ICP备11018762号

问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档

Copyright © 2013 - 2026 Tencent Cloud.

All Rights Reserved. 腾讯云 版权所有

登录 后参与评论