Add CRL Distribution Points (CDP) Extension to X509Certificate2 Certificate
我试图在纯 .NET 4.7.2 中向我的 X509Certificate2 对象添加证书扩展
我通过这种方法使用 BouncyCastle:
1 2 3 4 5 6 7 | private static void AddCdpUrl(X509V3CertificateGenerator certificateGenerator, string cdptUrl) { var uriGeneralName = new GeneralName(GeneralName.UniformResourceIdentifier, cdptUrl); var cdpName = new DistributionPointName(DistributionPointName.FullName, uriGeneralName); var cdp = new DistributionPoint(cdpName, null, null); certificateGenerator.AddExtension(X509Extensions.CrlDistributionPoints, false, new CrlDistPoint(new[] { cdp })); } |
添加它的作品,我得到了很好的结果:
1 2 |
并得到这个结果:
如果您只想编写一个分发点,并且它的长度小于或等于 119 个 ASCII 字符,并且您没有将 CRL 签名权限委托给不同的证书:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | private static X509Extension MakeCdp(string url) { byte[] encodedUrl = Encoding.ASCII.GetBytes(url); if (encodedUrl.Length > 119) { throw new NotSupportedException(); } byte[] payload = new byte[encodedUrl.Length + 10]; int offset = 0; payload[offset++] = 0x30; payload[offset++] = (byte)(encodedUrl.Length + 8); payload[offset++] = 0x30; payload[offset++] = (byte)(encodedUrl.Length + 6); payload[offset++] = 0xA0; payload[offset++] = (byte)(encodedUrl.Length + 4); payload[offset++] = 0xA0; payload[offset++] = (byte)(encodedUrl.Length + 2); payload[offset++] = 0x86; payload[offset++] = (byte)(encodedUrl.Length); Buffer.BlockCopy(encodedUrl, 0, payload, offset, encodedUrl.Length); return new X509Extension("2.5.29.31", payload, critical: false); } |
过去 119 个字符,外部有效负载长度超过
这可能有点晚了,但您可以使用 BC 作为实用程序来获取 DER 编码的扩展并将其导入本机 .NET,如下所示:
1 2 3 4 5 6 7 8 |