问题
I have the following code that attempts to verify a server certificate against the CA in my private PKI. Its used with ServicePointManager and RemoteCertificateValidationCallback:
static bool VerifyServerCertificate(object sender, X509Certificate certificate,
X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
X509Certificate2 ca = new X509Certificate2();
ca.Import("ca-rsa-cert.der");
X509Chain chain2 = new X509Chain();
chain2.ChainPolicy.ExtraStore.Add(ca);
// Check all properties
chain2.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
// This setup does not have revocation information
chain2.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain2.Build(new X509Certificate2(certificate));
if (chain2.ChainStatus.Length == 0)
{
return true;
}
bool result = chain2.ChainStatus[0].Status == X509ChainStatusFlags.NoError;
Debug.Assert(result == true);
return result;
}
The problem is that chain2.ChainStatus.Length is always 0.
If I set X509RevocationMode to X509RevocationMode.Online, then ChainStatus.Length == 1 and the status is set to X509ChainStatusFlags.RevocationStatusUnknown. (Its expected because there's no revocation in the test rig).
Question: What does a 0 length ChainStatus.Length mean?
Question: If its success, then why is X509ChainStatusFlags.NoError not used?
回答1:
If the ChainStatuts.Lenght = 0; that means that your chain is correctly built.
You can also check the result with the Verify() function. It use the Online Revocation mode and use the standard policy verification.
来源:https://stackoverflow.com/questions/22518525/how-to-verify-chain-in-remotecertificatevalidationcallback