Kirin
/
kpyk


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326
							using System.Collections.Generic;
using System;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using System.Security.Cryptography;
using System.Text;
using System.Linq;

namespace Alipay.EasySDK.Kernel.Util
{
    /// <summary>
    /// 证书相关工具类
    /// </summary>
    public static class AntCertificationUtil
    {
        /// <summary>
        /// 提取根证书序列号
        /// </summary>
        /// <param name="rootCertContent">根证书文本</param>
        /// <returns>根证书序列号</returns>
        public static string GetRootCertSN(string rootCertContent)
        {
            string rootCertSN = "";
            try
            {
                List<X509Certificate> x509Certificates = ReadPemCertChain(rootCertContent);
                foreach (X509Certificate cert in x509Certificates)
                {
                    //只提取与指定算法类型匹配的证书的序列号
                    if (cert.SigAlgOid.StartsWith("1.2.840.113549.1.1", StringComparison.Ordinal))
                    {
                        string certSN = GetCertSN(cert);
                        if (string.IsNullOrEmpty(rootCertSN))
                        {
                            rootCertSN = certSN;
                        }
                        else
                        {
                            rootCertSN = rootCertSN + "_" + certSN;
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                throw new Exception("提取根证书序列号失败。" + ex.Message);
            }
            return rootCertSN;
        }

        /// <summary>
        /// 反序列化证书文本
        /// </summary>
        /// <param name="certContent">证书文本</param>
        /// <returns>X509Certificate证书对象</returns>
        public static X509Certificate ParseCert(string certContent)
        {
            return new X509CertificateParser().ReadCertificate(Encoding.UTF8.GetBytes(certContent));
        }

        /// <summary>
        /// 计算指定证书的序列号
        /// </summary>
        /// <param name="cert">证书</param>
        /// <returns>序列号</returns>
        public static string GetCertSN(X509Certificate cert)
        {
            string issuerDN = cert.IssuerDN.ToString();
            //提取出的证书的issuerDN本身是以CN开头的，则无需逆序，直接返回
            if (issuerDN.StartsWith("CN", StringComparison.Ordinal))
            {
                return CalculateMd5(issuerDN + cert.SerialNumber);
            }
            List<string> attributes = issuerDN.Split(',').ToList();
            attributes.Reverse();
            return CalculateMd5(string.Join(",", attributes.ToArray()) + cert.SerialNumber);
        }

        /// <summary>
        /// 校验证书链是否可信
        /// </summary>
        /// <param name="certContent">需要验证的目标证书或者证书链文本</param>
        /// <param name="rootCertContent">可信根证书列表文本</param>
        /// <returns>true：证书可信；false：证书不可信</returns>
        public static bool IsTrusted(string certContent, string rootCertContent)
        {
            List<X509Certificate> certs = ReadPemCertChain(certContent);
            List<X509Certificate> rootCerts = ReadPemCertChain(rootCertContent);
            return VerifyCertChain(certs, rootCerts);
        }

        /// <summary>
        /// 从证书链文本反序列化证书链集合
        /// </summary>
        /// <param name="cert">证书链文本</param>
        /// <returns>证书链集合</returns>
        private static List<X509Certificate> ReadPemCertChain(string cert)
        {
            System.Collections.ICollection collection = new X509CertificateParser().ReadCertificates(Encoding.UTF8.GetBytes(cert));
            List<X509Certificate> result = new List<X509Certificate>();
            foreach (var each in collection)
            {
                result.Add((X509Certificate)each);
            }
            return result;
        }

        /// <summary>
        /// 将证书链按照完整的签发顺序进行排序，排序后证书链为：[issuerA, subjectA]-[issuerA, subjectB]-[issuerB, subjectC]-[issuerC, subjectD]...
        /// </summary>
        /// <param name="certChain">未排序的证书链</param>
        /// <returns>true：排序成功；false：证书链不完整</returns>
        private static bool SortCertChain(List<X509Certificate> certChain)
        {
            //主题和证书的映射
            Dictionary<X509Name, X509Certificate> subject2CertMap = new Dictionary<X509Name, X509Certificate>();
            //签发者和证书的映射
            Dictionary<X509Name, X509Certificate> issuer2CertMap = new Dictionary<X509Name, X509Certificate>();
            //是否包含自签名证书
            bool hasSelfSignedCert = false;
            foreach (X509Certificate cert in certChain)
            {
                if (IsSelfSigned(cert))
                {
                    if (hasSelfSignedCert)
                    {
                        //同一条证书链中只能有一个自签名证书
                        return false;
                    }
                    hasSelfSignedCert = true;
                }
                subject2CertMap[cert.SubjectDN] = cert;
                issuer2CertMap[cert.IssuerDN] = cert;
            }

            List<X509Certificate> orderedCertChain = new List<X509Certificate>();

            X509Certificate current = certChain[0];

            AddressingUp(subject2CertMap, orderedCertChain, current);
            AddressingDown(issuer2CertMap, orderedCertChain, current);

            //说明证书链不完整
            if (certChain.Count != orderedCertChain.Count)
            {
                return false;
            }

            //用排序后的结果覆盖传入的证书链集合
            for (int i = 0; i < orderedCertChain.Count; i++)
            {
                certChain[i] = orderedCertChain[i];
            }
            return true;
        }

        private static bool IsSelfSigned(X509Certificate cert)
        {
            return cert.SubjectDN.Equivalent(cert.IssuerDN);
        }

        /// <summary>
        /// 向上构造证书链
        /// </summary>
        /// <param name="subject2CertMap">主题与证书的映射</param>
        /// <param name="orderedCertChain">储存排序后的证书链集合</param>
        /// <param name="current">当前需要插入排序后的证书链集合中的证书</param>
        private static void AddressingUp(Dictionary<X509Name, X509Certificate> subject2CertMap,
            List<X509Certificate> orderedCertChain, X509Certificate current)
        {
            orderedCertChain.Insert(0, current);
            if (IsSelfSigned(current))
            {
                return;
            }

            if (!subject2CertMap.ContainsKey(current.IssuerDN))
            {
                return;
            }

            X509Certificate issuer = subject2CertMap[current.IssuerDN];
            AddressingUp(subject2CertMap, orderedCertChain, issuer);
        }

        /// <summary>
        /// 向下构造证书链
        /// </summary>
        /// <param name="issuer2CertMap">签发者和证书的映射</param>
        /// <param name="certChain">储存排序后的证书链集合</param>
        /// <param name="current">当前需要插入排序后的证书链集合中的证书</param>
        private static void AddressingDown(Dictionary<X509Name, X509Certificate> issuer2CertMap,
            List<X509Certificate> certChain, X509Certificate current)
        {
            if (!issuer2CertMap.ContainsKey(current.SubjectDN))
            {
                return;
            }

            X509Certificate subject = issuer2CertMap[current.SubjectDN];
            if (IsSelfSigned(subject))
            {
                return;
            }
            certChain.Add(subject);
            AddressingDown(issuer2CertMap, certChain, subject);
        }

        /// <summary>
        /// 验证证书是否是信任证书库中的证书签发的
        /// </summary>
        /// <param name="cert">待验证证书</param>
        /// <param name="rootCerts">可信根证书列表</param>
        /// <returns>true：验证通过；false：验证不通过</returns>
        private static bool VerifyCert(X509Certificate cert, List<X509Certificate> rootCerts)
        {
            if (!cert.IsValidNow)
            {
                return false;
            }

            Dictionary<X509Name, X509Certificate> subject2CertMap = new Dictionary<X509Name, X509Certificate>();
            foreach (X509Certificate root in rootCerts)
            {
                subject2CertMap[root.SubjectDN] = root;
            }

            X509Name issuerDN = cert.IssuerDN;
            if (!subject2CertMap.ContainsKey(issuerDN))
            {
                return false;
            }

            X509Certificate issuer = subject2CertMap[issuerDN];
            try
            {
                AsymmetricKeyParameter publicKey = issuer.GetPublicKey();
                cert.Verify(publicKey);
            }
            catch (Exception ex)
            {
                Console.WriteLine("证书验证出现异常。" + ex.Message);
                return false;
            }
            return true;
        }

        /// <summary>
        /// 验证证书列表
        /// </summary>
        /// <param name="certs">待验证的证书列表</param>
        /// <param name="rootCerts">可信根证书列表</param>
        /// <returns>true：验证通过；false：验证不通过</returns>
        private static bool VerifyCertChain(List<X509Certificate> certs, List<X509Certificate> rootCerts)
        {
            //证书列表排序，形成排序后的证书链
            bool sorted = SortCertChain(certs);
            if (!sorted)
            {
                //不是完整的证书链
                return false;
            }

            //先验证第一个证书是不是信任库中证书签发的
            X509Certificate previous = certs[0];
            bool firstOK = VerifyCert(previous, rootCerts);
            if (!firstOK || certs.Count == 1)
            {
                return firstOK;
            }

            //验证证书链
            for (int i = 1; i < certs.Count; i++)
            {
                try
                {
                    X509Certificate cert = certs[i];
                    if (!cert.IsValidNow)
                    {
                        return false;
                    }

                    //用上级证书的公钥验证本证书是否是上级证书签发的
                    cert.Verify(previous.GetPublicKey());

                    previous = cert;
                }
                catch (Exception ex)
                {
                    //证书链验证失败
                    Console.WriteLine("证书链验证失败。" + ex.Message);
                    return false;
                }
            }

            return true;
        }


        private static string CalculateMd5(string input)
        {
            using (MD5 md5 = new MD5CryptoServiceProvider())
            {
                string result = "";
                byte[] bytes = md5.ComputeHash(Encoding.GetEncoding("utf-8").GetBytes(input));
                for (int i = 0; i < bytes.Length; i++)
                {
                    result += bytes[i].ToString("x2");
                }
                return result;
            }
        }

        /// <summary>
        /// 从证书中提取公钥并转换为PEM编码
        /// </summary>
        /// <param name="input">证书</param>
        /// <returns>PEM编码公钥</returns>
        public static string ExtractPemPublicKeyFromCert(X509Certificate input)
        {
            SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(input.GetPublicKey());
            return Convert.ToBase64String(subjectPublicKeyInfo.GetDerEncoded());
        }
    }
}