microsoft.public.dotnet.framework

Verifying X509Certificate signature

Peter Ritchie [C# MVP]

7/12/2008 12:43:00 AM

Can anyone point me in the right direction for verifying an X509Certificate's
signature? i.e. that it was truly signed by a known/trusted certificate.

Thanks -- Peter
--
Browse http://connect.microsoft.com/VisualStudio... and vote.
http://www.peterRitchie...
Microsoft MVP, Visual Developer - Visual C#
4 Answers

Hermit Dave

7/12/2008 7:28:00 AM

0

Peter,

I haven't used X509s so I am not really sure whether this is the right
answer but have a look at
http://msdn.microsoft.com/en-us/library/ms5...

http://en.wikipedia.org/... (scroll to the bottom to 'Sample X.509
certificates' and it talks about verification as well)

HTH

Hermit


Peter Ritchie [C# MVP]

7/12/2008 11:50:00 AM

0

Thanks. Unfortunately PackageDigitalSignature.Verify only works on Windows
Vista.

I've been trying to essentially do what the Wikipedia article details...
There seems to be nothing in .NET to get the signature and to-be-signed
section out of a signed certificate (seems pretty fundamental to me). If I
could get those I could simply compare MD5's...

Cheers -- Peter


Eugene Mayevski

7/12/2008 1:42:00 PM

0

Hello!
You wrote on Sat, 12 Jul 2008 04:50:00 -0700:

PRC> I've been trying to essentially do what the Wikipedia article
PRC> details... There seems to be nothing in .NET to get the signature and
PRC> to-be-signed section out of a signed certificate (seems pretty
PRC> fundamental to me). If I could get those I could simply compare
PRC> MD5's...

Comparing the hash is not enough to validate the certificate.
You can review the complete procedure here: http://eldos.com/documentation/sbb/documentation/ref_howto_pki_cert_val...
The article describes the classes of SecureBlackbox (not .NET certificate
class structure which is very limited), but you will get the idea.

With best regards,
Eugene Mayevski
http://mayevski.blo...

Peter Ritchie [C# MVP]

7/12/2008 11:11:00 PM

0

Thanks Eugene. There's some useful information there. I'm already doing
other validity checks (time span, revocation, authorization, etc.). At this
point I'm just interested in checking to see if the certificate hasn't been
tampered with--validating its signature.

I have a server component that essentially acts as a CA; so I have complete
control over the integrity of the signing certificate. I need to
validate that any given certificate was really signed with the signing
certificate.

Cheers -- Peter

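The signature step discussed in this thread, as an added example that is not code from any of the posters: it pulls the to-be-signed section and the signature value out of the certificate's DER encoding and verifies them against the signing certificate's public key. It assumes .NET 5 or later (for `System.Formats.Asn1`), an RSA signing key and a SHA-2 signature algorithm; `CertSignatureCheck` and `IsSignedBy` are hypothetical names. It covers only the signature, not the other validity checks mentioned above.

```csharp
using System;
using System.Formats.Asn1;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper, not a framework API.
public static class CertSignatureCheck
{
    // Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue BIT STRING }
    public static bool IsSignedBy(X509Certificate2 cert, X509Certificate2 issuer)
    {
        // Cheap pre-check: the issuer DN in the certificate must match the signer's subject DN.
        if (!cert.IssuerName.RawData.AsSpan().SequenceEqual(issuer.SubjectName.RawData))
            return false;

        var outer = new AsnReader(cert.RawData, AsnEncodingRules.DER);
        AsnReader certSeq = outer.ReadSequence();
        outer.ThrowIfNotEmpty();

        // The exact DER bytes of tbsCertificate (tag and length included) are what the CA signed.
        ReadOnlyMemory<byte> tbs = certSeq.ReadEncodedValue();
        string sigAlgOid = certSeq.ReadSequence().ReadObjectIdentifier();
        byte[] signature = certSeq.ReadBitString(out int unusedBits);
        certSeq.ThrowIfNotEmpty();
        if (unusedBits != 0)
            return false;

        // MD5- and SHA-1-based signature algorithms are deliberately not accepted here.
        HashAlgorithmName hash = sigAlgOid switch
        {
            "1.2.840.113549.1.1.11" => HashAlgorithmName.SHA256, // sha256WithRSAEncryption
            "1.2.840.113549.1.1.12" => HashAlgorithmName.SHA384, // sha384WithRSAEncryption
            "1.2.840.113549.1.1.13" => HashAlgorithmName.SHA512, // sha512WithRSAEncryption
            _ => throw new NotSupportedException("Signature algorithm " + sigAlgOid + " is not accepted.")
        };

        using RSA rsa = issuer.GetRSAPublicKey()
            ?? throw new NotSupportedException("Signing certificate does not carry an RSA key.");

        // VerifyData hashes the TBS bytes and checks the PKCS#1 v1.5 signature in one step.
        return rsa.VerifyData(tbs.Span, signature, hash, RSASignaturePadding.Pkcs1);
    }
}
```

The `issuer` argument should be the signing certificate loaded from storage the verifier controls, never a certificate supplied alongside the one being checked.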