C# 序列号是 X509 证书的唯一密钥吗?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/9104108/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Is serial number a unique key for X509 certificate?
提问by isobretatel
Is certificate serial number a unique key for X509 certificate? User selects a certificate, and program stores serial number in preferences. Will the following code return the selected certificate?
证书序列号是 X509 证书的唯一密钥吗?用户选择证书,程序在首选项中存储序列号。下面的代码会返回选中的证书吗?
public static X509Certificate2 GetCertificateBySerialNumber(string serialNumber)
{
X509Certificate2 selectedCertificate = null;
X509Store store = null;
try
{
// get certificate from the store "My", "CurrentUser"
store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
X509Certificate2Collection allCertificates = (X509Certificate2Collection)store.Certificates;
X509Certificate2Collection foundCertificates = (X509Certificate2Collection)allCertificates.Find(X509FindType.FindBySerialNumber, serialNumber, false);
// select the first certificate in collection
foreach (X509Certificate2 certificate in foundCertificates)
{
selectedCertificate = certificate;
break;
}
}
finally
{
if (store != null)
{
store.Close();
}
}
return selectedCertificate;
}
UPDATE: I ended up using certificate thumbprint, as suggested by jglouie.
更新:我最终按照jglouie 的建议使用了证书指纹。
回答by jglouie
No. For example, OpenSSL let's the user set this when they create certificates.
不可以。例如,OpenSSL 让用户在创建证书时进行设置。
See: http://www.openssl.org/docs/apps/x509.html
请参阅:http: //www.openssl.org/docs/apps/x509.html
-set_serial n specifies the serial number to use. This option can be used with either the -signkey or -CA options. If used in conjunction with the -CA option the serial number file (as specified by the -CAserial or -CAcreateserial options) is not used.
The serial number can be decimal or hex (if preceded by 0x). Negative serial numbers can also be specified but their use is not recommended.
-set_serial n 指定要使用的序列号。此选项可与 -signkey 或 -CA 选项一起使用。如果与 -CA 选项结合使用,则不使用序列号文件(由 -CAserial 或 -CAcreateserial 选项指定)。
序列号可以是十进制或十六进制(如果前面有 0x)。也可以指定负序列号,但不建议使用它们。
回答by alexkasko
Yes, according to X.509 specificationserial number is unique for specific CA:
是的,根据X.509 规范,序列号对于特定 CA 是唯一的:
4.1.2.2 Serial number
The serial number is an integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate).
4.1.2.2 序列号
序列号是 CA 分配给每个证书的整数。对于给定 CA 颁发的每个证书,它必须是唯一的(即,颁发者名称和序列号标识一个唯一的证书)。
回答by Eugene Mayevski 'Callback
As mentioned in another answer, the serial number must be unique within the CA. So serial number alone can't be used as a unique ID of the certificate -- certificates from different CAs can have the same serial number. You need to store combination of Issuer and SerialNumber properties. Also, for self-signed certificates and home-made CA software numbers will most likely collide as many people will start numbering from 0.
正如另一个答案中提到的,序列号在 CA 中必须是唯一的。因此,序列号不能单独用作证书的唯一 ID——来自不同 CA 的证书可以具有相同的序列号。您需要存储 Issuer 和 SerialNumber 属性的组合。此外,对于自签名证书和自制 CA 软件编号很可能会发生冲突,因为许多人将从 0 开始编号。
回答by Dinei
TL;DR: You must use a composite key of issuer name + serial number. If you need a simple key, use certificate's thumbprint.
TL;DR:您必须使用发行人名称 + 序列号的组合键。如果您需要一个简单的密钥,请使用证书的指纹。
Quoting @ThomasPornin from security.stackexchange:
从 security.stackexchange 引用 @ThomasPornin:
In a certificate, the serial numberis chosen by the CA which issued the certificate. It is just written in the certificate. The CA can choose the serial number in any way as it sees fit, not necessarily randomly (and it has to fit in 20 bytes). A CA is supposedto choose unique serial numbers, that is, unique for the CA. You cannot count on a serial number being unique worldwide; in the dream world of X.509, it is the pair issuerDN+serial which is unique worldwide (each CA having its own unique distinguished name, and taking care not to reuse serial numbers).
The thumbprintis a hash value computed over the complete certificate, which includes all its fields, including the signature. That one is unique worldwide, for a given certificate, up to the inherent collision resistance of the used hash function. Microsoft software tends to use SHA-1, for which some theoretical weaknesses are known, but no actual collision has been produced (yet).
在证书中,序列号由颁发证书的 CA 选择。它只是写在证书上。CA 可以以任何它认为合适的方式选择序列号,不一定是随机的(它必须适合 20 个字节)。CA应该选择唯一的序列号,即对于 CA是唯一的。您不能指望序列号在全球范围内是唯一的;在 X.509 的梦想世界中,是全球唯一的 issuerDN+serial 对(每个 CA 都有自己唯一的专有名称,注意不要重复使用序列号)。
所述指纹是所计算的完整的证书,其中包括它的所有字段,包括签名过的散列值。对于给定的证书,该证书在全球范围内是独一无二的,取决于所使用的哈希函数的固有抗碰撞性。Microsoft 软件倾向于使用 SHA-1,已知其存在一些理论上的弱点,但尚未产生实际冲突(目前)。
来自:https: //security.stackexchange.com/questions/35691/what-is-the-difference-between-serial-number-and-thumbprint
