After an X.509 certificate is revoked, its serial number appears in the issuing CA's Certificate Revocation List (CRL). The CRL can be saved as a .crl file and the revoked certificates can be inspected from it, but the .NET Framework provides no class that exposes the attributes of a CRL (Java has X509CRL for this). To implement such a function on .NET we need a third-party library: Bouncy Castle Crypto or the Mono SDK.
First, we show how to use Bouncy Castle Crypto (version 1.4) to read X.509 certificates and revocation lists.
Bouncy Castle Crypto is an open-source encryption/decryption framework, available from:
http://www.bouncycastle.org/csharp/download/bccrypto-net-1.4-bin.zip
First, add the namespace that contains the X.509 classes:
using Org.BouncyCastle.X509;
Several related classes:
X509CrlParser: constructs a CRL object; it can read the data from a byte array or from a memory stream.
X509Crl: the CRL object, carrying the issuing authority, the list of revoked certificates, the update timestamps and other information.
X509CrlEntry: one revoked certificate taken from the CRL object.
ISet (in Org.BouncyCastle.Utilities.Collections): all entries read from an X509Crl are placed in a HashSet and returned through the ISet interface type; a HashSet can be iterated with foreach.
The following is an example of reading a CRL:
using System.Collections.Generic;
using Org.BouncyCastle.Utilities.Collections;
using Org.BouncyCastle.X509;

// obj holds the raw CRL bytes (DER or PEM), e.g. the contents of a .crl file
List<int> numbers = new List<int>();
X509CrlParser parser = new X509CrlParser();
X509Crl crl = parser.ReadCrl((byte[])obj);
// Obtain all revoked certificate entries
ISet crlSet = crl.GetRevokedCertificates();
if (crlSet != null && crlSet.Count > 0)
{
    foreach (object o in crlSet)
    {
        X509CrlEntry crlEntry = (X509CrlEntry)o;
        // SerialNumber is a BigInteger; IntValue keeps only its low 32 bits
        int serialNumber = crlEntry.SerialNumber.IntValue;
        if (!numbers.Contains(serialNumber))
        {
            numbers.Add(serialNumber);
        }
    }
}
X509CrlEntry.SerialNumber.IntValue returns the certificate serial number (displayed in hexadecimal in the certificate) as an Int32. Note that SerialNumber itself is a BigInteger and IntValue keeps only its low 32 bits, so serial numbers wider than 32 bits are truncated.
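The same Bouncy Castle classes can also be used to check whether a given certificate is revoked. The following is an added example, not code from the original post: it validates the CRL against the issuing CA before trusting its entries and compares the serial number as a BigInteger instead of reducing it to Int32. The file names leaf.cer, ca.cer and ca.crl are assumptions.

```csharp
using System;
using System.IO;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.X509;

// Checks one certificate against a CRL with Bouncy Castle. The CRL is verified against
// the issuing CA and checked for staleness before its entries are trusted, and the
// serial is compared as a BigInteger rather than truncated to Int32.
public static class CrlCheck
{
    public enum Status { Good, Revoked, WrongIssuer, CrlNotTrusted, CrlStale }

    public static Status Check(X509Certificate cert, X509Crl crl, X509Certificate issuer, DateTime now)
    {
        // Only a CRL issued by the certificate's own CA says anything about this certificate.
        if (!crl.IssuerDN.Equivalent(cert.IssuerDN) || !crl.IssuerDN.Equivalent(issuer.SubjectDN))
            return Status.WrongIssuer;

        // Verify throws if the CRL signature does not match the CA's public key.
        try { crl.Verify(issuer.GetPublicKey()); }
        catch (Exception) { return Status.CrlNotTrusted; }

        // A CRL past its NextUpdate may lack recent revocations: treat it as stale,
        // not as proof that the certificate is good.
        if (crl.ThisUpdate > now || (crl.NextUpdate != null && crl.NextUpdate.Value < now))
            return Status.CrlStale;

        // Look up the full serial number (up to 20 bytes); never reduce it to Int32 first.
        BigInteger serial = cert.SerialNumber;
        X509CrlEntry entry = crl.GetRevokedCertificate(serial);
        return entry == null ? Status.Good : Status.Revoked;
    }

    public static void Main(string[] args)
    {
        // Assumed file names; the parsers accept both DER and PEM encodings.
        X509Certificate cert = new X509CertificateParser().ReadCertificate(File.ReadAllBytes("leaf.cer"));
        X509Certificate ca = new X509CertificateParser().ReadCertificate(File.ReadAllBytes("ca.cer"));
        X509Crl crl = new X509CrlParser().ReadCrl(File.ReadAllBytes("ca.crl"));

        Status s = Check(cert, crl, ca, DateTime.UtcNow);
        Console.WriteLine("serial 0x{0}: {1}", cert.SerialNumber.ToString(16), s);
    }
}
```

A result of CrlStale or CrlNotTrusted should be handled as "revocation status unknown" rather than as Good, since the CRL cannot be relied on in either case.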
In addition, note the difference between the X509Certificate class of BC Crypto and the X509Certificate2 class of the .NET Framework:
When X509Certificate2 outputs the certificate's DN, its SubjectName property sorts the subject components in ascending order (name, organization, city, province, country), while BC Crypto's X509Certificate uses the SubjectDN property and sorts the components in ascending order as well. The key used for the city component also differs: BC writes ST where .NET writes S. If you need to build an organizational structure from certificates, pay special attention to this.