【发布时间】:2016-12-09 15:29:45
【问题描述】:
使用框架 4.5.1 和以下要求,我这样做对吗?
- 证书中的 URL 必须与给定的 URL 匹配
- 证书必须有效且受信任
- 证书不得过期
以下通过,但这是否足够?
特别是对 chain.Build(cert) 的调用是否满足上面的#2?
protected bool ValidateDigitalSignature(Uri uri)
{
bool isValid = false;
X509Certificate2 cert = null;
HttpWebRequest request = WebRequest.Create(uri) as HttpWebRequest;
using (HttpWebResponse response = request.GetResponse() as HttpWebResponse)
{
response.Close();
}
isValid = (request.ServicePoint.Certificate != null);
if(isValid)
cert = new X509Certificate2(request.ServicePoint.Certificate);
if (isValid)
{
X509Chain chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
chain.Build(cert);
isValid = (chain.ChainStatus.Length == 0);
}
if (isValid)
{
var dnsName = cert.GetNameInfo(X509NameType.DnsName, false);
isValid = (Uri.CheckHostName(dnsName) == UriHostNameType.Dns
&& uri.Host.Equals(dnsName, StringComparison.InvariantCultureIgnoreCase));
}
if (isValid)
{
//The certificate must not be expired
DateTimeOffset today = DateTimeOffset.Now;
isValid = (today >= cert.NotBefore && today <= cert.NotAfter);
}
return isValid;
}
【问题讨论】:
标签: c# ssl x509certificate2