====== Validation ======
Compact examples of certificate validation. → **Details:** [[de:int:pqcrypt:szenarien:validierung:start|Validation scenarios]]
----
===== Single certificate =====
<code csharp>
var cert = new X509Certificate2("certificate.crt");
// Validity period: NotBefore/NotAfter are returned as local time, so
// normalise them to UTC before comparing against UtcNow.
bool timeValid = DateTime.UtcNow >= cert.NotBefore.ToUniversalTime() &&
                 DateTime.UtcNow <= cert.NotAfter.ToUniversalTime();
// Check the PQ signature
bool hasPq = cert.HasPqSignature();
if (hasPq)
{
    bool pqValid = cert.VerifyPqSignature();
}
</code>
----
===== Certificate chain =====
<code csharp>
var endEntity = new X509Certificate2("server.crt");
var chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
chain.ChainPolicy.CustomTrustStore.Add(new X509Certificate2("root-ca.crt"));
chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
bool isValid = chain.Build(endEntity);
foreach (var element in chain.ChainElements)
{
    Console.WriteLine($"{element.Certificate.Subject}");
    Console.WriteLine($"  PQ: {element.Certificate.HasPqSignature()}");
}
</code>
→ **Details:** [[de:int:pqcrypt:szenarien:validierung:chain_validation|Chain validation]]
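Added example, not part of this reference: a fail-closed chain check that goes beyond the bare ''Build()'' result, reports the raised status flags, lets the chain policy enforce the serverAuth EKU and verifies the PQ signature on every chain element. It assumes the ''HasPqSignature()'' / ''VerifyPqSignature()'' extension methods used above and that ''X509Chain.Build()'' verifies only the classical signatures of a hybrid certificate.

```csharp
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not part of the PQCrypt reference. Assumes the HasPqSignature() /
// VerifyPqSignature() extension methods used above and that X509Chain.Build() only
// verifies the classical signatures of a hybrid certificate.
static class ChainValidator
{
    public static bool ValidateTlsServerChain(X509Certificate2 endEntity,
                                              X509Certificate2 trustAnchor,
                                              out string reason)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(trustAnchor);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        // Let the chain engine enforce the serverAuth EKU (id-kp-serverAuth).
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.1"));
        // VerificationFlags stays at NoFlag, so RevocationStatusUnknown and
        // OfflineRevocation remain fatal: an unreachable CRL/OCSP source is not
        // evidence that the certificate is unrevoked (fail closed).

        if (!chain.Build(endEntity))
        {
            // Report every raised flag so the caller learns why the chain failed.
            reason = string.Join("; ", chain.ChainStatus
                .Select(s => $"{s.Status}: {s.StatusInformation.Trim()}"));
            return false;
        }

        // Build() says nothing about the PQ signatures: a chain whose PQ protection
        // was stripped would still pass, so every element is checked separately.
        foreach (var element in chain.ChainElements)
        {
            var c = element.Certificate;
            if (!c.HasPqSignature() || !c.VerifyPqSignature())
            {
                reason = $"PQ signature missing or invalid on {c.Subject}";
                return false;
            }
        }
        reason = "ok";
        return true;
    }
}
```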
----
===== Hostname validation =====
<code csharp>
var cert = new X509Certificate2("server.crt");
string hostname = "api.example.com";
var san = cert.Extensions["2.5.29.17"] as X509SubjectAlternativeNameExtension;
bool valid = san?.EnumerateDnsNames().Any(n => MatchesHostname(n, hostname)) ?? false;
bool MatchesHostname(string pattern, string host)
{
    if (pattern.StartsWith("*."))
    {
        // A wildcard covers exactly one left-most label: "*.example.com" matches
        // "api.example.com" but not "example.com", "a.b.example.com" or
        // "evilexample.com" (a bare suffix test would accept the last one).
        string suffix = pattern[1..]; // ".example.com"
        return host.Length > suffix.Length
            && host.EndsWith(suffix, StringComparison.OrdinalIgnoreCase)
            && !host[..^suffix.Length].Contains('.');
    }
    return pattern.Equals(host, StringComparison.OrdinalIgnoreCase);
}
</code>
----
===== Checking key usage =====
<code csharp>
var cert = new X509Certificate2("server.crt");
// Key Usage (OID 2.5.29.15): may the key produce signatures?
var kuExt = cert.Extensions["2.5.29.15"] as X509KeyUsageExtension;
bool canSign = kuExt?.KeyUsages.HasFlag(X509KeyUsageFlags.DigitalSignature) ?? false;
// Extended Key Usage (OID 2.5.29.37): id-kp-serverAuth = 1.3.6.1.5.5.7.3.1
var ekuExt = cert.Extensions["2.5.29.37"] as X509EnhancedKeyUsageExtension;
bool isTlsServer = ekuExt?.EnhancedKeyUsages
    .Cast<Oid>().Any(o => o.Value == "1.3.6.1.5.5.7.3.1") ?? false;
</code>
----
===== Checklist =====
^ Check ^ Critical ^
| Validity period | Yes |
| Signature (classical + PQ) | Yes |
| Chain up to the trust anchor | Yes |
| Revocation (CRL/OCSP) | Yes |
| Hostname (SAN) | For TLS |
| Key usage | Yes |
----
<< [[.:start|← Quick reference]] | [[de:int:pqcrypt:szenarien:validierung:start|→ Validation scenarios (details)]] >>
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>kurzreferenz validierung chain hostname key-usage}}