cer证书签名验证

一个cer证书本身也是需要签名的,这是为了防止cer证书被篡改。

证书有两种类型:

1. 根证书

2. 根证书签发的子证书。

根证书比较特殊,它是自签名的。而其他子证书的签名公钥都保存在它的上级证书里面。

可以用C#来做一些验证。

首先是根证书的签名验证。

        // 验证根证书签名
        X509Certificate2 x509Root = new X509Certificate2("C:\\Users\\kevin\\Desktop\\KevinRoot.cer");
        Console.WriteLine("Root Certificate Verified?: {0}{1}", x509Root.Verify(), Environment.NewLine);  // 根证书是自签名,所以可以通过。

很简单,因为根证书是自签名的,x509Root.Verify()会返回true。

然后是子证书的验证,

       X509Certificate2 x509 = new X509Certificate2("C:\\Users\\kevin\\Desktop\\ChildSubject2.cer");

        byte[] rawdata = x509.RawData;
        Console.WriteLine("Content Type: {0}{1}", X509Certificate2.GetCertContentType(rawdata), Environment.NewLine);
        Console.WriteLine("Friendly Name: {0}{1}", x509.FriendlyName, Environment.NewLine);
        Console.WriteLine("Certificate Verified?: {0}{1}", x509.Verify(), Environment.NewLine);
        Console.WriteLine("Simple Name: {0}{1}", x509.GetNameInfo(X509NameType.SimpleName, true), Environment.NewLine);
        Console.WriteLine("Signature Algorithm: {0}{1}", x509.SignatureAlgorithm.FriendlyName, Environment.NewLine);
    //    Console.WriteLine("Private Key: {0}{1}", x509.PrivateKey.ToXmlString(false), Environment.NewLine);  // cer里面并没有私钥信息
        Console.WriteLine("Public Key: {0}{1}", x509.PublicKey.Key.ToXmlString(false), Environment.NewLine);
        Console.WriteLine("Certificate Archived?: {0}{1}", x509.Archived, Environment.NewLine);
        Console.WriteLine("Length of Raw Data: {0}{1}", x509.RawData.Length, Environment.NewLine);

这里我用自己创建的子证书,x509.Verify()总是返回false,就算我把根证书导入到“trust”里面,还是返回false,不知道为什么。但是如果我用公司的证书(verisign颁发的),却可以返回true。不知道是不是我自己创建的根证书,子证书有什么配置问题,有空再研究。反正验证也就这么回事。

下面的代码,用来检查整个证书链。

        //Output chain information of the selected certificate.
        X509Chain ch = new X509Chain();
        ch.Build(x509);
        Console.WriteLine("Chain Information");
        ch.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        Console.WriteLine("Chain revocation flag: {0}", ch.ChainPolicy.RevocationFlag);
        Console.WriteLine("Chain revocation mode: {0}", ch.ChainPolicy.RevocationMode);
        Console.WriteLine("Chain verification flag: {0}", ch.ChainPolicy.VerificationFlags);
        Console.WriteLine("Chain verification time: {0}", ch.ChainPolicy.VerificationTime);
        Console.WriteLine("Chain status length: {0}", ch.ChainStatus.Length);
        Console.WriteLine("Chain application policy count: {0}", ch.ChainPolicy.ApplicationPolicy.Count);
        Console.WriteLine("Chain certificate policy count: {0} {1}", ch.ChainPolicy.CertificatePolicy.Count, Environment.NewLine);
        //Output chain element information.
        Console.WriteLine("Chain Element Information");
        Console.WriteLine("Number of chain elements: {0}", ch.ChainElements.Count);
        Console.WriteLine("Chain elements synchronized? {0} {1}", ch.ChainElements.IsSynchronized, Environment.NewLine);

    //    int index = 0;
        foreach (X509ChainElement element in ch.ChainElements)
        {
            Console.WriteLine("Element subject name: {0}", element.Certificate.Subject);
            Console.WriteLine("Element issuer name: {0}", element.Certificate.Issuer);
            Console.WriteLine("Element certificate valid until: {0}", element.Certificate.NotAfter);
            Console.WriteLine("Element certificate is valid: {0}", element.Certificate.Verify());
            Console.WriteLine("Element error status length: {0}", element.ChainElementStatus.Length);
            Console.WriteLine("Element information: {0}", element.Information);
            Console.WriteLine("Number of element extensions: {0}{1}", element.Certificate.Extensions.Count, Environment.NewLine);

            string a = element.Certificate.Thumbprint;
       //     string b = ch.ChainPolicy.ExtraStore[0].Thumbprint;
            //ch.ChainPolicy.ExtraStore[index - 1].Thumbprint;

            if (ch.ChainStatus.Length > 1)
            {
                for (int index = 0; index < element.ChainElementStatus.Length; index++)
                {
                    Console.WriteLine(element.ChainElementStatus[index].Status);
                    Console.WriteLine(element.ChainElementStatus[index].StatusInformation);
                }
            }
        }

上面的代码也很简单,其实就是把整个证书链里面的每一个证书信息打印一下。具体的函数调用参数msdn。

下面是完整代码,注意里面的几个证书路径是我写死的,如果想测试下面的代码,只需要自己创建几个证书。

using System;
using System.Security.Cryptography;
using System.Security.Permissions;
using System.IO;
using System.Security.Cryptography.X509Certificates;

class CertSelect
{
    static void Main()
    {
        // 验证根证书签名
        X509Certificate2 x509Root = new X509Certificate2("C:\\Users\\kevin\\Desktop\\KevinRoot.cer");
        Console.WriteLine("Root Certificate Verified?: {0}{1}", x509Root.Verify(), Environment.NewLine);  // 根证书是自签名,所以可以通过。

        X509Certificate2 x509 = new X509Certificate2("C:\\Users\\kevin\\Desktop\\ChildSubject2.cer");

        byte[] rawdata = x509.RawData;
        Console.WriteLine("Content Type: {0}{1}", X509Certificate2.GetCertContentType(rawdata), Environment.NewLine);
        Console.WriteLine("Friendly Name: {0}{1}", x509.FriendlyName, Environment.NewLine);
        Console.WriteLine("Certificate Verified?: {0}{1}", x509.Verify(), Environment.NewLine);
        Console.WriteLine("Simple Name: {0}{1}", x509.GetNameInfo(X509NameType.SimpleName, true), Environment.NewLine);
        Console.WriteLine("Signature Algorithm: {0}{1}", x509.SignatureAlgorithm.FriendlyName, Environment.NewLine);
    //    Console.WriteLine("Private Key: {0}{1}", x509.PrivateKey.ToXmlString(false), Environment.NewLine);  // cer里面并没有私钥信息
        Console.WriteLine("Public Key: {0}{1}", x509.PublicKey.Key.ToXmlString(false), Environment.NewLine);
        Console.WriteLine("Certificate Archived?: {0}{1}", x509.Archived, Environment.NewLine);
        Console.WriteLine("Length of Raw Data: {0}{1}", x509.RawData.Length, Environment.NewLine);

        //Output chain information of the selected certificate.
        X509Chain ch = new X509Chain();
        ch.Build(x509);
        Console.WriteLine("Chain Information");
        ch.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        Console.WriteLine("Chain revocation flag: {0}", ch.ChainPolicy.RevocationFlag);
        Console.WriteLine("Chain revocation mode: {0}", ch.ChainPolicy.RevocationMode);
        Console.WriteLine("Chain verification flag: {0}", ch.ChainPolicy.VerificationFlags);
        Console.WriteLine("Chain verification time: {0}", ch.ChainPolicy.VerificationTime);
        Console.WriteLine("Chain status length: {0}", ch.ChainStatus.Length);
        Console.WriteLine("Chain application policy count: {0}", ch.ChainPolicy.ApplicationPolicy.Count);
        Console.WriteLine("Chain certificate policy count: {0} {1}", ch.ChainPolicy.CertificatePolicy.Count, Environment.NewLine);
        //Output chain element information.
        Console.WriteLine("Chain Element Information");
        Console.WriteLine("Number of chain elements: {0}", ch.ChainElements.Count);
        Console.WriteLine("Chain elements synchronized? {0} {1}", ch.ChainElements.IsSynchronized, Environment.NewLine);

    //    int index = 0;
        foreach (X509ChainElement element in ch.ChainElements)
        {
            Console.WriteLine("Element subject name: {0}", element.Certificate.Subject);
            Console.WriteLine("Element issuer name: {0}", element.Certificate.Issuer);
            Console.WriteLine("Element certificate valid until: {0}", element.Certificate.NotAfter);
            Console.WriteLine("Element certificate is valid: {0}", element.Certificate.Verify());
            Console.WriteLine("Element error status length: {0}", element.ChainElementStatus.Length);
            Console.WriteLine("Element information: {0}", element.Information);
            Console.WriteLine("Number of element extensions: {0}{1}", element.Certificate.Extensions.Count, Environment.NewLine);

            string a = element.Certificate.Thumbprint;
       //     string b = ch.ChainPolicy.ExtraStore[0].Thumbprint;
            //ch.ChainPolicy.ExtraStore[index - 1].Thumbprint;

            if (ch.ChainStatus.Length > 1)
            {
                for (int index = 0; index < element.ChainElementStatus.Length; index++)
                {
                    Console.WriteLine(element.ChainElementStatus[index].Status);
                    Console.WriteLine(element.ChainElementStatus[index].StatusInformation);
                }
            }
        }

        x509.Reset();

    }

}
时间: 2024-08-04 22:40:25

cer证书签名验证的相关文章

java 调用 keytool 生成keystore 和 cer 证书

keytool是一个Java数据证书的管理工具, keytool将密钥(key)和证书(certificates)存在一个称为keystore的文件中在keystore里, 包含两种数据: 密钥实体(Key entity)——密钥(secret key)又或者是私钥和配对公钥(采用非对称加密) 可信任的证书实体(trusted certificate entries)——只包含公钥 ailas(别名)每个keystore都关联这一个独一无二的alias,这个alias通常不区分大小写 下面给出一

如何导出cer证书及证书链的生成

如何导出cer证书的Base64编码信息 1.将证书双击,安装到IE中,如果是个人证书会安装到:在IE的 工具 -> internet选项  -> 内容 -> 证书 -> 个人2.打开IE,在在IE的 工具 -> internet选项  -> 内容 -> 证书 -> 个人 中,找到这张证书,选中它3.点击"导出"按钮4.点击"下一步",再点击"下一步"5.选择"Base64编码X.509(

jks cer 证书生成

jks是java keystore的简称,是java的数字证书库,查看证书私钥需要密码,避免私钥一名文的形式出现在代码中 情景一:客户端签名,服务器验签,确定是否是自己人 使用keytool生成jks,keytool工具在java->jdk->bin目录下,使用命令行,ps:红色部分请自行替换 keytool -genkey -alias 别名 -keyalg RSA -keystore 文件名.jks 经过一番复杂的输入,生成的jks文件在桌面->我的文档根目录下,这个jks里包含了自

C#读取cer证书获取秘钥给字符串加密(RSA)

/// <summary> /// 使用私钥加密字符串 /// </summary> /// <param name="key">需加密的字符</param> /// <param name="keyPath">私钥证书文件地址</param> public string EncryptKey(string key,string keyPath) { X509Certificate2 c2 =

从自签名证书导出pfx和cer证书

完整代码: 1 public sealed class DataCertificate 2 { 3 #region 生成证书 4 /// <summary> 5 /// 根据指定的证书名和makecert全路径生成证书(包含公钥和私钥,并保存在MY存储区) 6 /// </summary> 7 /// <param name="subjectName"></param> 8 /// <param name="makecer

CER证书合成p12格式

# openssl pkcs12 -export -out ?.p12 -inkey ?.key -in ?.cer #keytool.exe -importkeystore -srckeystore *.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore *.jks openssl genrsa -out prvtkey.pem 2048openssl req -new -key prvtkey.pem -out cert.csr

IOS证书的申请和使用

苹果的证书繁锁复杂,制作管理相当麻烦,今天决定重置一个游戏项目中的所有证书,做了这么多次还是感觉很纠结,索性直接记录下来,日后你我他查阅都方便: 关于证书 苹果使用密文签名技术来验证App的合法性,不管是iOS应用还是Mac应用都需要相应的签名证书来作为测试或发布App用.这里主要谈谈iOS的证书,当然,Mac的证书也基本类似. 在开发iOS应用的时候,我们需要签名证书(开发证书)来验证,并允许我们在真机上对App进行测试.另外,在发布App到App store的时候,我们也需要证书(发布证书)

iOS证书说明和发布

1.首先通过钥匙串访问——证书助理——从证书颁发机构请求证书——填写证书信息(邮箱,常用名称,存储到磁盘)——存储为(自定义名称.certSigningReuqest,简称CSR文件,只是为了提交到苹果开发者账号中,然后就没用了)到本地 2.苹果开发者账号中,创建证书(Development和Production)——上传CSR文件——下载证书运行 ( xxx.cer文件) 注意:只有在当前电脑中生成本地生成证书,上传到苹果开发账号,然后下载cer文件运行后,钥匙串中才有证书以及对应的秘钥 如果

AFNetworking certificate AFNetworking 证书设置

+ (AFSecurityPolicy*)customSecurityPolicy { // /先导入证书 NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"kudou" ofType:@"cer"];//证书的路径 NSData *certData = [NSData dataWithContentsOfFile:cerPath]; // AFSSLPinningModeCertificate