Verifying X509Certificate signature


Peter Ritchie [C# MVP]

Can anyone point me in the right direction for verifying an X509Certificate's
signature? i.e. that it was truly signed by a known/trusted certificate.

Thanks -- Peter
 
Thanks. Unfortunately PackageDigitalSignature.Verify only works on Windows
Vista.

I've been trying to essentially do what the Wikipedia article details...
There seems to be nothing in .NET to get the signature and to-be-signed
section out of a signed certificate (seems pretty fundamental to me). If I
could get those I could simply compare MD5's...

Cheers -- Peter

--
Browse http://connect.microsoft.com/VisualStudio/feedback/ and vote.
http://www.peterRitchie.com/blog/
Microsoft MVP, Visual Developer - Visual C#


Hermit Dave said:
Peter,

I haven't used X509s so I am not really sure whether this is the right
answer but have a look at
http://msdn.microsoft.com/en-us/library/ms580578.aspx

http://en.wikipedia.org/wiki/X.509 (scroll to the bottom to 'Sample X.509
certificates' and it talks about verification as well)

HTH

Hermit
 
Hello!
You wrote on Sat, 12 Jul 2008 04:50:00 -0700:

PRC> I've been trying to essentially do what the Wikipedia article
PRC> details... There seems to be nothing in .NET to get the signature and
PRC> to-be-signed section out of a signed certificate (seems pretty
PRC> fundamental to me). If I could get those I could simply compare
PRC> MD5's...

Comparing the hash is not enough to validate the certificate.
You can review the complete procedure here: http://eldos.com/documentation/sbb/documentation/ref_howto_pki_cert_validate.html
The article describes the classes of SecureBlackbox (not the .NET certificate
class structure, which is very limited), but you will get the idea.

With best regards,
Eugene Mayevski
http://mayevski.blogspot.com/
 
Thanks Eugene. There's some useful information there. I'm already doing
other validity checks (time span, revocation, authorization, etc.). At this
point I'm just interested in checking to see if the certificate hasn't been
tampered with--validating its signature.

I have a server component that essentially acts as a CA; so I have complete
control over the integrity of the signing certificate. I need to
validate that any given certificate was really signed with the signing
certificate.

Cheers -- Peter
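
The signature-only check asked about above, as an added example that is not part of the original thread. It assumes .NET 5 or later (for System.Formats.Asn1) and RSA PKCS#1 v1.5 signatures; the names CertSignatureCheck, IsSignedBy and MakeCa are hypothetical, and the certificates are constructed in-process as sample input.

```csharp
using System;
using System.Formats.Asn1;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CertSignatureCheck
{
    // True when cert's signature verifies under issuer's RSA public key (PKCS#1 v1.5).
    public static bool IsSignedBy(X509Certificate2 cert, X509Certificate2 issuer)
    {
        // Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue BIT STRING }
        AsnReader certSeq = new AsnReader(cert.RawData, AsnEncodingRules.DER).ReadSequence();
        ReadOnlyMemory<byte> tbs = certSeq.ReadEncodedValue(); // the signed bytes, tag and length included
        string algOid = certSeq.ReadSequence().ReadObjectIdentifier();
        byte[] signature = certSeq.ReadBitString(out int unusedBits);
        certSeq.ThrowIfNotEmpty();
        if (unusedBits != 0) return false;

        HashAlgorithmName hash = algOid switch
        {
            "1.2.840.113549.1.1.11" => HashAlgorithmName.SHA256, // sha256WithRSAEncryption
            "1.2.840.113549.1.1.12" => HashAlgorithmName.SHA384, // sha384WithRSAEncryption
            "1.2.840.113549.1.1.13" => HashAlgorithmName.SHA512, // sha512WithRSAEncryption
            // MD5- and SHA-1-based signatures are deliberately not accepted here.
            _ => throw new NotSupportedException("Unsupported signature algorithm " + algOid)
        };
        using RSA key = issuer.GetRSAPublicKey()
            ?? throw new NotSupportedException("Issuer key is not RSA");
        return key.VerifyData(tbs.Span, signature, hash, RSASignaturePadding.Pkcs1);
    }

    // Constructed sample input: a throwaway self-signed CA certificate.
    static X509Certificate2 MakeCa(string name)
    {
        var req = new CertificateRequest("CN=" + name, RSA.Create(2048), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(365));
    }

    static void Main()
    {
        using X509Certificate2 ca = MakeCa("Example CA");
        using X509Certificate2 other = MakeCa("Unrelated CA");
        var leafReq = new CertificateRequest("CN=leaf", RSA.Create(2048), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 leaf = leafReq.Create(ca, DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(30), new byte[] { 1, 2, 3, 4 });
        Console.WriteLine(IsSignedBy(leaf, ca));    // leaf checked against the CA that issued it
        Console.WriteLine(IsSignedBy(leaf, other)); // same leaf checked against an unrelated CA
    }
}
```

This covers the signature only; the validity period, revocation and authorization checks mentioned in the thread remain separate steps.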
 