
I have the following situation:

I receive a certificate from a CA and I also have the CA's public key, which I want to use to verify the certificate's validity.

Right now we use the third-party library SecureBlackBox, but we want to get rid of commercial dependencies in our project. With SBB it works like this:

cert.ValidateWithCA(CACertificate);

Is there a way to do this with the provided X509Certificate2 .NET classes? I found the method Verify() which takes no arguments, but I'm not really sure what it does...

Thank you

3 Comments

  • If you don't know what it does, read the documentation. Commented Aug 12, 2013 at 14:13
  • "Performs a X.509 chain validation using basic validation policy." and "Throws a System.Security.Cryptography.CryptographicException" Commented Aug 12, 2013 at 14:17
  • @Stijn that documentation is a joke for learning about it. It barely explains anything. Commented Dec 12, 2017 at 23:19

1 Answer


Without knowing more about what ValidateWithCA does, it's really hard to tell you specifically if Verify is a perfect replacement. Verify eventually calls the native CertVerifyCertificateChainPolicy function with a pszPolicyOID value of 1. Verify doesn't simply verify that one cert is signed by the other, it checks other things like revocation of any certs within the chain.

I would suggest you create a series of tests that validate that Verify works, in comparison, with ValidateWithCA.

Update:

After reading the documentation for ValidateWithCA, it's documented as

Validates the certificate signed by certificate authority

Which is not as thorough as Verify. It's up to you to decide if that level of verification is what you want. If it's not necessarily what you want, you can set the ServicePointManager.ServerCertificateValidationCallback callback and provide custom verification if you don't need the same level of verification.


2 Comments

Well, as I said in the question, I want to use the CA certificate's public key to validate the certificate. But Verify() doesn't take any arguments, so I'm not sure how to do that. I found a way in OpenSSL, X509_verify(X509 * x509, EVP_PKEY * pkey), but is this possible with the .NET classes?
That's where the "chain" comes in. Each certificate is signed; by validating the "chain" it verifies the signature of every cert in the "chain" (including the CA certificate). This means that if the CA's cert is "invalid" (expired, etc.) then your cert is no longer valid. By providing a ServerCertificateValidationCallback callback you can detect these other verification failures and ignore them (e.g. ignore the fact that the CA cert may be expired), if all you want to know is whether it is properly signed.
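As an added example (not code from the original post, and not SecureBlackBox's API): X509Certificate2.Verify() has no overload that takes a CA, because it always validates against the machine's root store with the default policy. The .NET way to ask "is this certificate signed by this specific CA" is to build an X509Chain whose trust anchor is only that CA. The block below assumes .NET 5 or later (X509ChainTrustMode.CustomRootTrust was added there); the helper names ValidateAgainstCa and MakeTestPair are illustrative, and the CA and leaf certificates it uses are generated in-process so it runs offline. The signatureOnly mode ignores validity dates and revocation, which is the closest equivalent to OpenSSL's X509_verify; note that, unlike the ServerCertificateValidationCallback mentioned in the answer, this works for a certificate received out of band rather than only during a TLS handshake.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the original post. Assumes .NET 5+ for CustomRootTrust.
// ValidateAgainstCa / MakeTestPair are illustrative helper names, not library APIs.
public static class CaValidation
{
    // Builds a chain for `cert` that is only allowed to terminate at `caCert`.
    // signatureOnly = true skips time validity and revocation, leaving only
    // "is this chain correctly signed by this CA" (roughly OpenSSL X509_verify).
    public static bool ValidateAgainstCa(X509Certificate2 cert, X509Certificate2 caCert, bool signatureOnly)
    {
        using var chain = new X509Chain();
        X509ChainPolicy policy = chain.ChainPolicy;

        // Trust only the supplied CA, not the machine's root store.
        policy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        policy.CustomTrustStore.Add(caCert);

        if (signatureOnly)
        {
            policy.RevocationMode = X509RevocationMode.NoCheck;
            policy.VerificationFlags = X509VerificationFlags.IgnoreNotTimeValid
                                     | X509VerificationFlags.IgnoreNotTimeNested;
        }
        else
        {
            // Full check: dates, revocation (needs network access for CRL/OCSP), usage.
            policy.RevocationMode = X509RevocationMode.Online;
            policy.VerificationFlags = X509VerificationFlags.NoFlag;
        }

        bool built = chain.Build(cert);

        // Surface the reasons instead of returning a bare false.
        foreach (X509ChainStatus status in chain.ChainStatus)
            Console.WriteLine($"  chain status: {status.Status} ({status.StatusInformation?.Trim()})");

        if (!built)
            return false;

        // A successful Build() is not enough on its own: confirm the chain really ends at our CA.
        X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return root.RawData.AsSpan().SequenceEqual(caCert.RawData);
    }

    // Constructed test data: a throwaway CA and one leaf certificate issued by it.
    static (X509Certificate2 ca, X509Certificate2 leaf) MakeTestPair(string caName)
    {
        using RSA caKey = RSA.Create(2048);
        var caReq = new CertificateRequest($"CN={caName}", caKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        caReq.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        caReq.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(caReq.PublicKey, false));
        X509Certificate2 ca = caReq.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(5));

        using RSA leafKey = RSA.Create(2048);
        var leafReq = new CertificateRequest("CN=leaf.example", leafKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        leafReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        X509Certificate2 leaf = leafReq.Create(ca, DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1),
                                               new byte[] { 1, 2, 3, 4 });
        return (ca, leaf);
    }

    public static void Main()
    {
        var (ca, leaf) = MakeTestPair("Test CA");
        var (otherCa, _) = MakeTestPair("Other CA");

        Console.WriteLine("leaf against its own CA (signature only):");
        Console.WriteLine("  " + ValidateAgainstCa(leaf, ca, signatureOnly: true));       // True

        Console.WriteLine("leaf against an unrelated CA:");
        Console.WriteLine("  " + ValidateAgainstCa(leaf, otherCa, signatureOnly: true));  // False (PartialChain)

        // For comparison: Verify() uses the machine root store and the default policy, so a
        // correctly signed certificate from a private CA that is not installed there fails here.
        Console.WriteLine("leaf.Verify() against the machine store: " + leaf.Verify());
    }
}
```

The final RawData comparison matters: with TrustMode left at its default (System) a chain can legitimately terminate at some other root the machine trusts, so Build() alone would answer "is this trusted by the machine" rather than "is this issued by my CA". Use signatureOnly = false in production unless you have a documented reason to accept expired or revoked certificates.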
