Validation

Compact examples for certificate validation. Details: Validation scenarios


Single certificate

using System;
using System.Security.Cryptography.X509Certificates;

var cert = new X509Certificate2("certificate.crt");

// Validity period. NotBefore/NotAfter come back as local time, so convert
// before comparing with DateTime.UtcNow; otherwise the comparison is off by
// the machine's UTC offset.
DateTime now = DateTime.UtcNow;
bool timeValid = now >= cert.NotBefore.ToUniversalTime() &&
                 now <= cert.NotAfter.ToUniversalTime();

// Check the PQ signature (extension methods provided by this library).
// pqValid is false when the certificate carries no PQ signature at all.
bool hasPq = cert.HasPqSignature();
bool pqValid = hasPq && cert.VerifyPqSignature();

Certificate chain

using System;
using System.Security.Cryptography.X509Certificates;

var endEntity = new X509Certificate2("server.crt");

// Trust only the explicitly loaded root; do not fall back to the system store.
var chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
chain.ChainPolicy.CustomTrustStore.Add(new X509Certificate2("root-ca.crt"));
chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;

bool isValid = chain.Build(endEntity);

// Build() only returns yes/no; the reason for a failure is in ChainStatus.
if (!isValid)
{
    foreach (var status in chain.ChainStatus)
        Console.WriteLine($"  {status.Status}: {status.StatusInformation.Trim()}");
}

foreach (var element in chain.ChainElements)
{
    Console.WriteLine($"{element.Certificate.Subject}");
    Console.WriteLine($"  PQ: {element.Certificate.HasPqSignature()}");
}

Details: Chain validation


Hostname validation

using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

var cert = new X509Certificate2("server.crt");
string hostname = "api.example.com";

// The hostname must be taken from the SAN extension (dNSName entries), not from the CN.
var san = cert.Extensions["2.5.29.17"] as X509SubjectAlternativeNameExtension;
bool valid = san?.EnumerateDnsNames().Any(n => MatchesHostname(n, hostname)) ?? false;

bool MatchesHostname(string pattern, string host)
{
    if (!pattern.StartsWith("*.", StringComparison.Ordinal))
        return pattern.Equals(host, StringComparison.OrdinalIgnoreCase);

    // A wildcard matches exactly one leftmost label: "*.example.com" covers
    // "api.example.com" but not "example.com", "a.b.example.com" or
    // "notexample.com" (a plain EndsWith check would accept the last one).
    int dot = host.IndexOf('.');
    return dot > 0 &&
           host[(dot + 1)..].Equals(pattern[2..], StringComparison.OrdinalIgnoreCase);
}
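The snippet above shows the per-name comparison; the example below (added here, not code from the original page or from the library) extends it to the full set of rules a TLS client applies when matching a host against SAN entries: trailing dots and case are normalised, IP literals are matched only against iPAddress SANs, wildcards are accepted only as the entire leftmost label and never for patterns such as `*.com`. The SAN contents in `Main` are constructed; in practice they come from `EnumerateDnsNames()` and `EnumerateIPAddresses()` of the SAN extension.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;

// Added example: RFC 6125-style hostname matching against SAN entries.
static class HostnameMatcher
{
    // True if `host` is covered by one of the dNSName or iPAddress SAN entries.
    public static bool Matches(IEnumerable<string> dnsNames, IEnumerable<IPAddress> ipAddresses, string host)
    {
        if (IPAddress.TryParse(host, out var hostIp))
        {
            // An IP literal must appear as an iPAddress entry; dNSName entries do not count.
            return ipAddresses.Any(ip => ip.Equals(hostIp));
        }

        string normalizedHost = host.TrimEnd('.').ToLowerInvariant();
        return dnsNames.Any(pattern =>
            DnsNameMatches(pattern.TrimEnd('.').ToLowerInvariant(), normalizedHost));
    }

    static bool DnsNameMatches(string pattern, string host)
    {
        if (!pattern.StartsWith("*.", StringComparison.Ordinal))
            return pattern == host;                 // plain name: exact match only

        string suffix = pattern[2..];               // "*.example.com" -> "example.com"

        // Reject wildcards that are not the whole leftmost label ("f*.example.com",
        // "*.*.example.com") and patterns like "*.com" that would cover a whole TLD.
        if (suffix.Contains('*') || !suffix.Contains('.'))
            return false;

        // The wildcard consumes exactly one label; the remainder must equal the suffix.
        int firstDot = host.IndexOf('.');
        if (firstDot <= 0)
            return false;
        return host[(firstDot + 1)..] == suffix;
    }
}

static class Demo
{
    public static void Main()
    {
        // Constructed SAN contents for the demonstration.
        var dns = new[] { "api.example.com", "*.example.com" };
        var ips = new[] { IPAddress.Parse("192.0.2.10") };

        foreach (var host in new[] { "api.example.com", "API.EXAMPLE.COM.", "www.example.com",
                                     "a.b.example.com", "notexample.com", "example.com",
                                     "192.0.2.10", "192.0.2.11" })
        {
            Console.WriteLine($"{host,-20} -> {HostnameMatcher.Matches(dns, ips, host)}");
        }
    }
}
```

Only the first three names and the first IP are accepted; the multi-level, prefix-collision and bare-domain cases are rejected, which is exactly where a `EndsWith`-based check goes wrong.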

Checking key usage

using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// cert: the X509Certificate2 loaded in the previous snippets.

// keyUsage: may the key produce digital signatures at all?
var kuExt = cert.Extensions["2.5.29.15"] as X509KeyUsageExtension;
bool canSign = kuExt?.KeyUsages.HasFlag(X509KeyUsageFlags.DigitalSignature) ?? false;

// extendedKeyUsage: is the certificate issued for TLS server authentication (id-kp-serverAuth)?
var ekuExt = cert.Extensions["2.5.29.37"] as X509EnhancedKeyUsageExtension;
bool isTlsServer = ekuExt?.EnhancedKeyUsages
    .Cast<Oid>().Any(o => o.Value == "1.3.6.1.5.5.7.3.1") ?? false;

Checklist

Check                          Critical
-----------------------------  --------
Validity period                Yes
Signature (classical + PQ)     Yes
Chain up to the trust anchor   Yes
Revocation (CRL/OCSP)          Yes
Hostname (SAN)                 For TLS
Key usage                      Yes
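The following function (an added example, not the library's own validation code) runs the whole checklist in one pass and collects every failure instead of stopping at the first one, so a log entry or a test can show exactly which check rejected the certificate. It assumes the page's `HasPqSignature()` and `VerifyPqSignature()` extension methods are in scope; hostname matching is left to the caller as a predicate over the SAN dNSName entries, and `null` marks a certificate that is not used for TLS. The file names in `Main` are the ones used on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: full checklist validation with a list of reasons on failure.
static class ServerCertificateValidator
{
    const string ServerAuthEku = "1.3.6.1.5.5.7.3.1";

    public static IReadOnlyList<string> Validate(
        X509Certificate2 cert,
        X509Certificate2 trustedRoot,
        Func<string, bool>? hostnameMatches,   // null: certificate is not used for TLS
        DateTime? verificationTimeUtc = null)
    {
        var failures = new List<string>();
        DateTime now = verificationTimeUtc ?? DateTime.UtcNow;

        // 1. Validity period (NotBefore/NotAfter are local time, compare in UTC).
        if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
            failures.Add($"outside validity period {cert.NotBefore:u} .. {cert.NotAfter:u}");

        // 2. Classical chain, trust anchor and revocation. RevocationStatusUnknown and
        //    OfflineRevocation show up in ChainStatus and are reported as failures here;
        //    do not hide them with VerificationFlags.
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(trustedRoot);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.VerificationTime = now;
        if (!chain.Build(cert))
        {
            foreach (var status in chain.ChainStatus)
                failures.Add($"chain: {status.Status} ({status.StatusInformation.Trim()})");
        }

        // 3. PQ signature on every element that carries one (library extension methods, assumed in scope).
        foreach (var element in chain.ChainElements)
        {
            var c = element.Certificate;
            if (c.HasPqSignature() && !c.VerifyPqSignature())
                failures.Add($"PQ signature invalid: {c.Subject}");
        }

        // 4. keyUsage / extendedKeyUsage. A missing keyUsage extension is treated as
        //    a failure here, matching the "critical" entry in the checklist.
        var ku = cert.Extensions["2.5.29.15"] as X509KeyUsageExtension;
        if (!(ku?.KeyUsages.HasFlag(X509KeyUsageFlags.DigitalSignature) ?? false))
            failures.Add("keyUsage lacks digitalSignature");

        if (hostnameMatches is not null)
        {
            var eku = cert.Extensions["2.5.29.37"] as X509EnhancedKeyUsageExtension;
            if (!(eku?.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == ServerAuthEku) ?? false))
                failures.Add("extendedKeyUsage lacks serverAuth");

            // 5. Hostname (TLS only): taken from the SAN extension, never from the CN.
            var san = cert.Extensions["2.5.29.17"] as X509SubjectAlternativeNameExtension;
            if (san is null || !san.EnumerateDnsNames().Any(hostnameMatches))
                failures.Add("no SAN dNSName matches the requested host");
        }

        return failures;
    }
}

static class Program
{
    public static void Main()
    {
        var server = new X509Certificate2("server.crt");
        var root = new X509Certificate2("root-ca.crt");

        // Exact-match predicate for the demonstration; a real client plugs in its wildcard-aware matcher.
        var failures = ServerCertificateValidator.Validate(
            server, root,
            name => name.Equals("api.example.com", StringComparison.OrdinalIgnoreCase));

        Console.WriteLine(failures.Count == 0 ? "certificate accepted" : "certificate rejected:");
        foreach (var f in failures)
            Console.WriteLine("  - " + f);
    }
}
```

Returning the list of reasons rather than a bool keeps the decision in one place while giving monitoring and incident response the detail they need; a caller still treats any non-empty list as a rejection.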



Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional