331 lines
12 KiB
C#
331 lines
12 KiB
C#
using System.Collections.Generic;
|
||
using System;
|
||
using Org.BouncyCastle.X509;
|
||
using Org.BouncyCastle.Asn1.X509;
|
||
using Org.BouncyCastle.Crypto;
|
||
using System.Security.Cryptography;
|
||
using System.Text;
|
||
using System.Linq;
|
||
|
||
namespace Aop.Api.Util
|
||
{
|
||
/// <summary>
|
||
/// 证书相关工具类
|
||
/// </summary>
|
||
public static class AntCertificationUtil
|
||
{
|
||
/// <summary>
|
||
/// 提取根证书序列号
|
||
/// </summary>
|
||
/// <param name="rootCertContent">根证书文本</param>
|
||
/// <param name="signType">算法类型,可指定RSA、RSA2或SM2</param>
|
||
/// <returns>根证书序列号</returns>
|
||
public static string GetRootCertSN(string rootCertContent, string signType)
|
||
{
|
||
string rootCertSN = "";
|
||
try
|
||
{
|
||
List<X509Certificate> x509Certificates = ReadPemCertChain(rootCertContent);
|
||
foreach (X509Certificate cert in x509Certificates)
|
||
{
|
||
//只提取与指定算法类型匹配的证书的序列号
|
||
if (signType.StartsWith("RSA", StringComparison.Ordinal) &&
|
||
cert.SigAlgOid.StartsWith("1.2.840.113549.1.1", StringComparison.Ordinal) ||
|
||
signType.Equals("SM2", StringComparison.Ordinal) &&
|
||
cert.SigAlgOid.StartsWith("1.2.156.10197.1.501", StringComparison.Ordinal))
|
||
{
|
||
string certSN = GetCertSN(cert);
|
||
if (String.IsNullOrEmpty(rootCertSN))
|
||
{
|
||
rootCertSN = certSN;
|
||
}
|
||
else
|
||
{
|
||
rootCertSN = rootCertSN + "_" + certSN;
|
||
}
|
||
}
|
||
}
|
||
}
|
||
catch (Exception ex)
|
||
{
|
||
throw new AopException("提取根证书序列号失败。" + ex.Message);
|
||
}
|
||
return rootCertSN;
|
||
}
|
||
|
||
/// <summary>
|
||
/// 反序列化证书文本
|
||
/// </summary>
|
||
/// <param name="certContent">证书文本</param>
|
||
/// <returns>X509Certificate证书对象</returns>
|
||
public static X509Certificate ParseCert(String certContent)
|
||
{
|
||
return new X509CertificateParser().ReadCertificate(Encoding.UTF8.GetBytes(certContent));
|
||
}
|
||
|
||
/// <summary>
|
||
/// 计算指定证书的序列号
|
||
/// </summary>
|
||
/// <param name="cert">证书</param>
|
||
/// <returns>序列号</returns>
|
||
public static String GetCertSN(X509Certificate cert)
|
||
{
|
||
string issuerDN = cert.IssuerDN.ToString();
|
||
//提取出的证书的issuerDN本身是以CN开头的,则无需逆序,直接返回
|
||
if (issuerDN.StartsWith("CN", StringComparison.Ordinal))
|
||
{
|
||
return CalculateMd5(issuerDN + cert.SerialNumber);
|
||
}
|
||
List<String> attributes = issuerDN.Split(',').ToList();
|
||
attributes.Reverse();
|
||
return CalculateMd5(String.Join(",", attributes.ToArray()) + cert.SerialNumber);
|
||
}
|
||
|
||
/// <summary>
|
||
/// 校验证书链是否可信
|
||
/// </summary>
|
||
/// <param name="certContent">需要验证的目标证书或者证书链文本</param>
|
||
/// <param name="rootCertContent">可信根证书列表文本</param>
|
||
/// <returns>true:证书可信;false:证书不可信</returns>
|
||
public static bool IsTrusted(string certContent, string rootCertContent)
|
||
{
|
||
List<X509Certificate> certs = ReadPemCertChain(certContent);
|
||
List<X509Certificate> rootCerts = ReadPemCertChain(rootCertContent);
|
||
return VerifyCertChain(certs, rootCerts);
|
||
}
|
||
|
||
/// <summary>
|
||
/// 从证书链文本反序列化证书链集合
|
||
/// </summary>
|
||
/// <param name="cert">证书链文本</param>
|
||
/// <returns>证书链集合</returns>
|
||
private static List<X509Certificate> ReadPemCertChain(string cert)
|
||
{
|
||
System.Collections.ICollection collection = new X509CertificateParser().ReadCertificates(Encoding.UTF8.GetBytes(cert));
|
||
List<X509Certificate> result = new List<X509Certificate>();
|
||
foreach (var each in collection)
|
||
{
|
||
result.Add((X509Certificate)each);
|
||
}
|
||
return result;
|
||
}
|
||
|
||
/// <summary>
|
||
/// 将证书链按照完整的签发顺序进行排序,排序后证书链为:[issuerA, subjectA]-[issuerA, subjectB]-[issuerB, subjectC]-[issuerC, subjectD]...
|
||
/// </summary>
|
||
/// <param name="certChain">未排序的证书链</param>
|
||
/// <returns>true:排序成功;false:证书链不完整</returns>
|
||
private static bool SortCertChain(List<X509Certificate> certChain)
|
||
{
|
||
//主题和证书的映射
|
||
Dictionary<X509Name, X509Certificate> subject2CertMap = new Dictionary<X509Name, X509Certificate>();
|
||
//签发者和证书的映射
|
||
Dictionary<X509Name, X509Certificate> issuer2CertMap = new Dictionary<X509Name, X509Certificate>();
|
||
//是否包含自签名证书
|
||
bool hasSelfSignedCert = false;
|
||
foreach (X509Certificate cert in certChain)
|
||
{
|
||
if (IsSelfSigned(cert))
|
||
{
|
||
if (hasSelfSignedCert)
|
||
{
|
||
//同一条证书链中只能有一个自签名证书
|
||
return false;
|
||
}
|
||
hasSelfSignedCert = true;
|
||
}
|
||
subject2CertMap[cert.SubjectDN] = cert;
|
||
issuer2CertMap[cert.IssuerDN] = cert;
|
||
}
|
||
|
||
List<X509Certificate> orderedCertChain = new List<X509Certificate>();
|
||
|
||
X509Certificate current = certChain[0];
|
||
|
||
AddressingUp(subject2CertMap, orderedCertChain, current);
|
||
AddressingDown(issuer2CertMap, orderedCertChain, current);
|
||
|
||
//说明证书链不完整
|
||
if (certChain.Count != orderedCertChain.Count)
|
||
{
|
||
return false;
|
||
}
|
||
|
||
//用排序后的结果覆盖传入的证书链集合
|
||
for (int i = 0; i < orderedCertChain.Count; i++)
|
||
{
|
||
certChain[i] = orderedCertChain[i];
|
||
}
|
||
return true;
|
||
}
|
||
|
||
private static bool IsSelfSigned(X509Certificate cert)
|
||
{
|
||
return cert.SubjectDN.Equivalent(cert.IssuerDN);
|
||
}
|
||
|
||
/// <summary>
|
||
/// 向上构造证书链
|
||
/// </summary>
|
||
/// <param name="subject2CertMap">主题与证书的映射</param>
|
||
/// <param name="orderedCertChain">储存排序后的证书链集合</param>
|
||
/// <param name="current">当前需要插入排序后的证书链集合中的证书</param>
|
||
private static void AddressingUp(Dictionary<X509Name, X509Certificate> subject2CertMap,
|
||
List<X509Certificate> orderedCertChain, X509Certificate current)
|
||
{
|
||
orderedCertChain.Insert(0, current);
|
||
if (IsSelfSigned(current))
|
||
{
|
||
return;
|
||
}
|
||
|
||
if (!subject2CertMap.ContainsKey(current.IssuerDN))
|
||
{
|
||
return;
|
||
}
|
||
|
||
X509Certificate issuer = subject2CertMap[current.IssuerDN];
|
||
AddressingUp(subject2CertMap, orderedCertChain, issuer);
|
||
}
|
||
|
||
/// <summary>
|
||
/// 向下构造证书链
|
||
/// </summary>
|
||
/// <param name="issuer2CertMap">签发者和证书的映射</param>
|
||
/// <param name="certChain">储存排序后的证书链集合</param>
|
||
/// <param name="current">当前需要插入排序后的证书链集合中的证书</param>
|
||
private static void AddressingDown(Dictionary<X509Name, X509Certificate> issuer2CertMap,
|
||
List<X509Certificate> certChain, X509Certificate current)
|
||
{
|
||
if (!issuer2CertMap.ContainsKey(current.SubjectDN))
|
||
{
|
||
return;
|
||
}
|
||
|
||
X509Certificate subject = issuer2CertMap[current.SubjectDN];
|
||
if (IsSelfSigned(subject))
|
||
{
|
||
return;
|
||
}
|
||
certChain.Add(subject);
|
||
AddressingDown(issuer2CertMap, certChain, subject);
|
||
}
|
||
|
||
/// <summary>
|
||
/// 验证证书是否是信任证书库中的证书签发的
|
||
/// </summary>
|
||
/// <param name="cert">待验证证书</param>
|
||
/// <param name="rootCerts">可信根证书列表</param>
|
||
/// <returns>true:验证通过;false:验证不通过</returns>
|
||
private static bool VerifyCert(X509Certificate cert, List<X509Certificate> rootCerts)
|
||
{
|
||
if (!cert.IsValidNow)
|
||
{
|
||
return false;
|
||
}
|
||
|
||
Dictionary<X509Name, X509Certificate> subject2CertMap = new Dictionary<X509Name, X509Certificate>();
|
||
foreach (X509Certificate root in rootCerts)
|
||
{
|
||
subject2CertMap[root.SubjectDN] = root;
|
||
}
|
||
|
||
X509Name issuerDN = cert.IssuerDN;
|
||
if (!subject2CertMap.ContainsKey(issuerDN))
|
||
{
|
||
return false;
|
||
}
|
||
|
||
X509Certificate issuer = subject2CertMap[issuerDN];
|
||
try
|
||
{
|
||
AsymmetricKeyParameter publicKey = issuer.GetPublicKey();
|
||
cert.Verify(publicKey);
|
||
}
|
||
catch (Exception ex)
|
||
{
|
||
Console.WriteLine("证书验证出现异常。" + ex.Message);
|
||
return false;
|
||
}
|
||
return true;
|
||
}
|
||
|
||
/// <summary>
|
||
/// 验证证书列表
|
||
/// </summary>
|
||
/// <param name="certs">待验证的证书列表</param>
|
||
/// <param name="rootCerts">可信根证书列表</param>
|
||
/// <returns>true:验证通过;false:验证不通过</returns>
|
||
private static bool VerifyCertChain(List<X509Certificate> certs, List<X509Certificate> rootCerts)
|
||
{
|
||
//证书列表排序,形成排序后的证书链
|
||
bool sorted = SortCertChain(certs);
|
||
if (!sorted)
|
||
{
|
||
//不是完整的证书链
|
||
return false;
|
||
}
|
||
|
||
//先验证第一个证书是不是信任库中证书签发的
|
||
X509Certificate previous = certs[0];
|
||
bool firstOK = VerifyCert(previous, rootCerts);
|
||
if (!firstOK || certs.Count == 1)
|
||
{
|
||
return firstOK;
|
||
}
|
||
|
||
//验证证书链
|
||
for (int i = 1; i < certs.Count; i++)
|
||
{
|
||
try
|
||
{
|
||
X509Certificate cert = certs[i];
|
||
if (!cert.IsValidNow)
|
||
{
|
||
return false;
|
||
}
|
||
|
||
//用上级证书的公钥验证本证书是否是上级证书签发的
|
||
cert.Verify(previous.GetPublicKey());
|
||
|
||
previous = cert;
|
||
}
|
||
catch (Exception ex)
|
||
{
|
||
//证书链验证失败
|
||
Console.WriteLine("证书链验证失败。" + ex.Message);
|
||
return false;
|
||
}
|
||
}
|
||
|
||
return true;
|
||
}
|
||
|
||
|
||
private static string CalculateMd5(string input)
|
||
{
|
||
using (MD5 md5 = new MD5CryptoServiceProvider())
|
||
{
|
||
string result = "";
|
||
byte[] bytes = md5.ComputeHash(Encoding.GetEncoding("utf-8").GetBytes(input));
|
||
for (int i = 0; i < bytes.Length; i++)
|
||
{
|
||
result += bytes[i].ToString("x2");
|
||
}
|
||
return result;
|
||
}
|
||
}
|
||
|
||
/// <summary>
|
||
/// 从证书中提取公钥并转换为PEM编码
|
||
/// </summary>
|
||
/// <param name="input">证书</param>
|
||
/// <returns>PEM编码公钥</returns>
|
||
public static string ExtractPemPublicKeyFromCert(X509Certificate input)
|
||
{
|
||
SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(input.GetPublicKey());
|
||
return Convert.ToBase64String(subjectPublicKeyInfo.GetDerEncoded());
|
||
}
|
||
}
|
||
}
|