From 0eab66f8e6d5ed26e71b1948083a5babe3e74313 Mon Sep 17 00:00:00 2001
From: xljiulang <366193849@qq.com>
Date: Wed, 28 Jul 2021 23:27:37 +0800
Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E7=A7=98=E9=92=A5=E7=94=A8?= =?UTF-8?q?=E6=B3=95=E5=92=8C=E5=9F=BA=E6=9C=AC=E7=BA=A6=E6=9D=9F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 FastGithub.ReverseProxy/CertGenerator.cs | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/FastGithub.ReverseProxy/CertGenerator.cs b/FastGithub.ReverseProxy/CertGenerator.cs
index 77f8369..3ff2db4 100644
--- a/FastGithub.ReverseProxy/CertGenerator.cs
+++ b/FastGithub.ReverseProxy/CertGenerator.cs
@@ -1,5 +1,4 @@
-using Org.BouncyCastle.Asn1;
-using Org.BouncyCastle.Asn1.Pkcs;
+using Org.BouncyCastle.Asn1.Pkcs;
 using Org.BouncyCastle.Asn1.X509;
 using Org.BouncyCastle.Asn1.X9;
 using Org.BouncyCastle.Crypto;
@@ -134,11 +133,20 @@ namespace FastGithub.ReverseProxy var akis = new AuthorityKeyIdentifierStructure(issuerPublic); certGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, akis); } + if (caPathLengthConstraint != null && caPathLengthConstraint >= 0) { - var extension = new X509Extension(true, new DerOctetString(new BasicConstraints(caPathLengthConstraint.Value))); - certGenerator.AddExtension(X509Extensions.BasicConstraints, extension.IsCritical, extension.GetParsedValue()); + var basicConstraints = new BasicConstraints(caPathLengthConstraint.Value); + certGenerator.AddExtension(X509Extensions.BasicConstraints, true, basicConstraints); + certGenerator.AddExtension(X509Extensions.KeyUsage, false, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.CrlSign | KeyUsage.KeyCertSign)); } + else + { + var basicConstraints = new BasicConstraints(cA: false); + certGenerator.AddExtension(X509Extensions.BasicConstraints, true, basicConstraints); + certGenerator.AddExtension(X509Extensions.KeyUsage, false, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment)); + } + certGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeID.IdKPServerAuth)); var names = domains.Select(domain => { @@ -148,13 +156,10 @@ namespace FastGithub.ReverseProxy nameType = GeneralName.IPAddress; } return new GeneralName(nameType, domain); - }).ToArray(); var subjectAltName = new GeneralNames(names); certGenerator.AddExtension(X509Extensions.SubjectAlternativeName, false, subjectAltName); - - certGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeID.IdKPServerAuth)); return certGenerator.Generate(signatureFactory); }
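Review bot: Both new `KeyUsage` extensions in the if/else of the `-134,11 +133,20` hunk are added with the critical flag set to `false`, while `BasicConstraints` and `ExtendedKeyUsage` next to them are critical. RFC 5280 recommends marking keyUsage critical when it is present, and it matters most on the CA branch, where `KeyCertSign` and `CrlSign` are granted. I would pass `true` in both calls, e.g. `certGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.CrlSign | KeyUsage.KeyCertSign));`. The leaf branch also sets `KeyEncipherment`, which only applies to RSA key transport; the key type is not visible in this hunk, so confirm the generator is never called with EC keys or drop that bit for them. The enclosing method begins above this hunk and continues past it.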