A .cer certificate also carries a signature, so that any tampering with the certificate's contents can be detected.
There are two types of certificates:
1. Root Certificate
2. Sub-certificates issued by the root certificate.
The root certificate is special: it is self-signed. Every sub-certificate is signed by the certificate one level above it, and the public key needed to check that signature is held in that higher-level certificate.
You can use C# to do some of this verification.
The first step is verifying the signature of the root certificate.
```csharp
// Verify the root certificate's signature.
X509Certificate2 x509root = new X509Certificate2(@"C:\Users\Kevin\Desktop\kevinroot.cer");
Console.WriteLine("Root certificate verified?: {0}{1}", x509root.Verify(), Environment.NewLine); // the root certificate is self-signed, so this passes
```
Because the root certificate is self-signed, x509root.Verify() returns true.
Then verify the sub-certificate:
```csharp
X509Certificate2 x509 = new X509Certificate2(@"C:\Users\Kevin\Desktop\childsubject2.cer");
byte[] rawdata = x509.RawData;
Console.WriteLine("Content type: {0}{1}", X509Certificate2.GetCertContentType(rawdata), Environment.NewLine);
Console.WriteLine("Friendly name: {0}{1}", x509.FriendlyName, Environment.NewLine);
Console.WriteLine("Certificate verified?: {0}{1}", x509.Verify(), Environment.NewLine);
Console.WriteLine("Simple name: {0}{1}", x509.GetNameInfo(X509NameType.SimpleName, true), Environment.NewLine);
Console.WriteLine("Signature algorithm: {0}{1}", x509.SignatureAlgorithm.FriendlyName, Environment.NewLine);
// Console.WriteLine("Private key: {0}{1}", x509.PrivateKey.ToXmlString(false), Environment.NewLine); // a .cer file carries no private key
Console.WriteLine("Public key: {0}{1}", x509.PublicKey.Key.ToXmlString(false), Environment.NewLine);
Console.WriteLine("Certificate archived?: {0}{1}", x509.Archived, Environment.NewLine);
Console.WriteLine("Length of raw data: {0}{1}", x509.RawData.Length, Environment.NewLine);
```
Here, I use a self-created sub-certificate. x509.Verify() always returns false. Even if I import the root certificate into the "trusted" store, false is returned. I don't know why. However, if I use a company certificate (issued by VeriSign), it returns true. I don't know whether the problem is my own root certificate or the configuration of the sub-certificate. I will study it again when I have time. The same is true for the verification.
The following code checks the entire certificate chain.
```csharp
// Output chain information for the selected certificate.
X509Chain ch = new X509Chain();
// Configure the policy before Build(); settings changed after Build() do not affect the chain already built.
ch.ChainPolicy.RevocationMode = X509RevocationMode.Online;
ch.Build(x509);
Console.WriteLine("Chain Information");
Console.WriteLine("Chain revocation flag: {0}", ch.ChainPolicy.RevocationFlag);
Console.WriteLine("Chain revocation mode: {0}", ch.ChainPolicy.RevocationMode);
Console.WriteLine("Chain verification flag: {0}", ch.ChainPolicy.VerificationFlags);
Console.WriteLine("Chain verification time: {0}", ch.ChainPolicy.VerificationTime);
Console.WriteLine("Chain status length: {0}", ch.ChainStatus.Length);
Console.WriteLine("Chain application policy count: {0}", ch.ChainPolicy.ApplicationPolicy.Count);
Console.WriteLine("Chain certificate policy count: {0}{1}", ch.ChainPolicy.CertificatePolicy.Count, Environment.NewLine);

// Output chain element information.
Console.WriteLine("Chain Element Information");
Console.WriteLine("Number of chain elements: {0}", ch.ChainElements.Count);
Console.WriteLine("Chain elements synchronized? {0}{1}", ch.ChainElements.IsSynchronized, Environment.NewLine);
foreach (X509ChainElement element in ch.ChainElements)
{
    Console.WriteLine("Element subject name: {0}", element.Certificate.Subject);
    Console.WriteLine("Element issuer name: {0}", element.Certificate.Issuer);
    Console.WriteLine("Element certificate valid until: {0}", element.Certificate.NotAfter);
    Console.WriteLine("Element certificate is valid: {0}", element.Certificate.Verify());
    Console.WriteLine("Element error status length: {0}", element.ChainElementStatus.Length);
    Console.WriteLine("Element information: {0}", element.Information);
    Console.WriteLine("Number of element extensions: {0}{1}", element.Certificate.Extensions.Count, Environment.NewLine);
    // Print every status entry for this element, even when there is only one.
    for (int index = 0; index < element.ChainElementStatus.Length; index++)
    {
        Console.WriteLine(element.ChainElementStatus[index].Status);
        Console.WriteLine(element.ChainElementStatus[index].StatusInformation);
    }
}
```
The above code is also very simple: it prints the information of every certificate in the chain. The specific function calls and their parameters are documented on MSDN.
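As an added example (not code from the original post), the following builds the chain twice and prints the X509ChainStatus entries that a plain Verify() call hides: once under the default policy (system trust store, online revocation checking), and once with the private test root pinned through the .NET 5+ CustomRootTrust mode and revocation checking switched off, since a home-made CA publishes no CRL or OCSP endpoint. The certificate paths are assumed.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class ChainDiagnostics
{
    // Builds a chain for `leaf` under `policy` and prints every reason the build
    // reports (UntrustedRoot, RevocationStatusUnknown, NotTimeValid, ...).
    public static bool BuildAndReport(X509Certificate2 leaf, X509ChainPolicy policy, string label)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy = policy;
        bool ok = chain.Build(leaf);
        Console.WriteLine("[{0}] Build = {1}", label, ok);
        foreach (X509ChainStatus s in chain.ChainStatus)
            Console.WriteLine("  {0}: {1}", s.Status, s.StatusInformation.Trim());
        foreach (X509ChainElement e in chain.ChainElements)
            Console.WriteLine("  element: {0} (thumbprint {1})", e.Certificate.Subject, e.Certificate.Thumbprint);
        return ok;
    }

    public static void Main()
    {
        // Assumed paths to a self-made test root and a certificate it issued.
        using var root = new X509Certificate2(@"C:\certs\testroot.cer");
        using var leaf = new X509Certificate2(@"C:\certs\testleaf.cer");

        // 1. Default policy: machine trust store and RevocationMode = Online,
        //    which is the configuration Verify() relies on.
        BuildAndReport(leaf, new X509ChainPolicy(), "default policy");

        // 2. Explicit policy for the private root (.NET 5+): trust only that root,
        //    and skip the revocation check that the test CA cannot answer.
        var customPolicy = new X509ChainPolicy
        {
            TrustMode = X509ChainTrustMode.CustomRootTrust,
            RevocationMode = X509RevocationMode.NoCheck,
        };
        customPolicy.CustomTrustStore.Add(root);
        BuildAndReport(leaf, customPolicy, "custom root, no revocation");
    }
}
```

Reading the status list of the first run against the second tells you whether a false from Verify() comes from trust (UntrustedRoot) or from an unanswerable revocation check, rather than from a bad signature.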
The following is the complete code. Note that I have hard-coded several certificate paths; to test it, you only need to create a few certificates yourself.
```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

class CertSelect
{
    static void Main()
    {
        // Verify the root certificate's signature.
        X509Certificate2 x509root = new X509Certificate2(@"C:\Users\Kevin\Desktop\kevinroot.cer");
        Console.WriteLine("Root certificate verified?: {0}{1}", x509root.Verify(), Environment.NewLine); // self-signed, so this passes

        X509Certificate2 x509 = new X509Certificate2(@"C:\Users\Kevin\Desktop\childsubject2.cer");
        byte[] rawdata = x509.RawData;
        Console.WriteLine("Content type: {0}{1}", X509Certificate2.GetCertContentType(rawdata), Environment.NewLine);
        Console.WriteLine("Friendly name: {0}{1}", x509.FriendlyName, Environment.NewLine);
        Console.WriteLine("Certificate verified?: {0}{1}", x509.Verify(), Environment.NewLine);
        Console.WriteLine("Simple name: {0}{1}", x509.GetNameInfo(X509NameType.SimpleName, true), Environment.NewLine);
        Console.WriteLine("Signature algorithm: {0}{1}", x509.SignatureAlgorithm.FriendlyName, Environment.NewLine);
        // Console.WriteLine("Private key: {0}{1}", x509.PrivateKey.ToXmlString(false), Environment.NewLine); // a .cer file carries no private key
        Console.WriteLine("Public key: {0}{1}", x509.PublicKey.Key.ToXmlString(false), Environment.NewLine);
        Console.WriteLine("Certificate archived?: {0}{1}", x509.Archived, Environment.NewLine);
        Console.WriteLine("Length of raw data: {0}{1}", x509.RawData.Length, Environment.NewLine);

        // Output chain information for the selected certificate.
        X509Chain ch = new X509Chain();
        // Configure the policy before Build(); settings changed afterwards do not affect the chain already built.
        ch.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        ch.Build(x509);
        Console.WriteLine("Chain Information");
        Console.WriteLine("Chain revocation flag: {0}", ch.ChainPolicy.RevocationFlag);
        Console.WriteLine("Chain revocation mode: {0}", ch.ChainPolicy.RevocationMode);
        Console.WriteLine("Chain verification flag: {0}", ch.ChainPolicy.VerificationFlags);
        Console.WriteLine("Chain verification time: {0}", ch.ChainPolicy.VerificationTime);
        Console.WriteLine("Chain status length: {0}", ch.ChainStatus.Length);
        Console.WriteLine("Chain application policy count: {0}", ch.ChainPolicy.ApplicationPolicy.Count);
        Console.WriteLine("Chain certificate policy count: {0}{1}", ch.ChainPolicy.CertificatePolicy.Count, Environment.NewLine);

        // Output chain element information.
        Console.WriteLine("Chain Element Information");
        Console.WriteLine("Number of chain elements: {0}", ch.ChainElements.Count);
        Console.WriteLine("Chain elements synchronized? {0}{1}", ch.ChainElements.IsSynchronized, Environment.NewLine);
        foreach (X509ChainElement element in ch.ChainElements)
        {
            Console.WriteLine("Element subject name: {0}", element.Certificate.Subject);
            Console.WriteLine("Element issuer name: {0}", element.Certificate.Issuer);
            Console.WriteLine("Element certificate valid until: {0}", element.Certificate.NotAfter);
            Console.WriteLine("Element certificate is valid: {0}", element.Certificate.Verify());
            Console.WriteLine("Element error status length: {0}", element.ChainElementStatus.Length);
            Console.WriteLine("Element information: {0}", element.Information);
            Console.WriteLine("Number of element extensions: {0}{1}", element.Certificate.Extensions.Count, Environment.NewLine);
            // Print every status entry for this element, even when there is only one.
            for (int index = 0; index < element.ChainElementStatus.Length; index++)
            {
                Console.WriteLine(element.ChainElementStatus[index].Status);
                Console.WriteLine(element.ChainElementStatus[index].StatusInformation);
            }
        }

        x509.Reset();
        x509root.Reset();
    }
}
```
CER Certificate Signature Verification