How to verify X509 cert without importing root cert?

by

I opened an Issue on dotnet/corefx and they replied as follows:

If AllowUnknownCertificateAuthority is the only flag set then
chain.Build() will return true if

  • The chain correctly terminated in a self-signed certificate (via
    ExtraStore, or searched persisted stores)

  • None of the certificates are invalid per the requested revocation
    policy

  • All of the certificates are valid under the (optional)
    ApplicationPolicy or CertificatePolicy values

  • All of the certificates’ NotBefore values are at-or-before
    VerificationTime and all of the certificates’ NotAfter values are
    (at-or-)after VerificationTime.

If that flag is not specified then an additional constraint is added:

The self-signed certificate must be registered as trusted on the system (e.g. in the LM\Root store).

So, Build() returns true, you know that a time-valid non-revoked chain
is present. The thing to do at that point is read
chain.ChainElements[chain.ChainElements.Count - 1].Certificate and
determine if it is a certificate that you trust. I recommend comparing
chainRoot.RawData to a byte[] representing a certificate that you
trust as a root in context (that is, byte-for-byte compare rather than
using a thumbprint value).

(If other flags are set then other constraints are also relaxed)

So you should do it this way:

X509Chain chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.ExtraStore.Add(root);
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
var isValid = chain.Build(cert);

var chainRoot = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
isValid = isValid && chainRoot.RawData.SequenceEqual(root.RawData);

More Related Contents:

  1. Httplistener with HTTPS support
  2. Authentication failed because remote party has closed the transport stream
  3. Html.Partial vs Html.RenderPartial & Html.Action vs Html.RenderAction
  4. Comparing two collections for equality irrespective of the order of items in them
  5. Should we switch to use async I/O by default?
  6. How to connect to Oracle 11 database from . net
  7. How can I set the opacity or transparency of a Panel in WinForms?
  8. How can I get my webapp’s base URL in ASP.NET MVC?
  9. Any decent text diff/merge engine for .NET? [closed]
  10. How do I set a ViewModel on a window in XAML using DataContext property?
  11. Change WPF DataTemplate for ListBox item if selected
  12. Update primary key value using entity framework
  13. Can I set Option Explicit and Option Strict on a Project/Solution level?
  14. How to repair COMException error 80040154?
  15. JavaScriptSerializer UTC DateTime issues
  16. Use Visual Studio Setup Project to automatically register and GAC a COM Interop DLL
  17. Control.ResolveUrl versus Control.ResolveClientUrl versus VirtualPathUtility.ToAbsolute
  18. Use a StyleSelector for a button
  19. How can I avoid SQL injection attacks in my ASP.NET application?
  20. Are there any better ways to copy a native dll to the bin folder?
  21. Determine if a generic param is a Nullable type
  22. How can I represent a very large integer in .NET?
  23. Get the name of Enum value
  24. What is The difference between ListBox and ListView
  25. How can I make my managed NuGet package support C++/CLI projects?
  26. Custom JavaScriptConverter for DateTime?
  27. String manipulation with & or + in VB.NET
  28. Convert a PCL to a regular Class Library
  29. How to Convert Row to Column in Linq and SQL
  30. How to sign a .NET Assembly DLL file with a Strong Name? [duplicate]

Leave a Comment