I want to check the certificate chain: I get the X509Certificate2 collection and need to check whether all the certificates form the same chain.
Usually, in order to check the certificate chain, I have to take the digital signature from a leaf certificate and check whether it is signed by a root certificate - but in .NET I cannot find a way to extract the signature from the X509Certificate2 object.
So I thought about using the X509Chain.Build() method as follows:
    using System.Security.Cryptography.X509Certificates;

    bool ValidateChain(X509Certificate2Collection collection, X509Certificate2 leaf)
    {
        using (X509Chain x509Chain = new X509Chain())
        {
            // Candidate intermediates/roots the engine may use while building.
            x509Chain.ChainPolicy.ExtraStore.AddRange(collection);
            bool isValid = x509Chain.Build(leaf);
            return isValid;
        }
    }
But I have some questions about the construction method:
- As I understand it, the chain was also built from my computer's store, and I want it to be built only from ExtraStore. How can I control this behavior?
- I saw that after the chain was built, it does not contain a Root Certificate; my question is why, and how can I verify that the chain has a Root CA, as this is not part of the chain?
I will be so grateful if anyone could explain to me how the Build() method works.
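One way to get the behaviour asked about, as an added example that is not part of the original post: X509ChainTrustMode.CustomRootTrust (available on .NET Core 2.0 and later, not on .NET Framework) makes the engine ignore the machine's root store and trust only what is in CustomTrustStore, while ExtraStore supplies intermediates; after Build() succeeds, the last chain element is the root, so it can be compared against the expected one. The method and parameter names, and the choice to skip revocation checking, are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class ChainCheck
{
    // Assumed signature: intermediates and the one root we are prepared to trust
    // are passed in explicitly, nothing comes from the Windows/OS certificate store.
    public static bool ValidateChain(X509Certificate2Collection intermediates,
                                     X509Certificate2 expectedRoot,
                                     X509Certificate2 leaf)
    {
        using (var chain = new X509Chain())
        {
            // Only certificates in CustomTrustStore count as trust anchors;
            // the machine's own root store is not consulted.
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            chain.ChainPolicy.CustomTrustStore.Add(expectedRoot);

            // Intermediates the engine may use to link leaf -> root.
            chain.ChainPolicy.ExtraStore.AddRange(intermediates);

            // Assumption: revocation is checked elsewhere (e.g. offline CRL handling);
            // with the default Online mode a network failure would also fail Build().
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            chain.ChainPolicy.VerificationTime = DateTime.Now;

            if (!chain.Build(leaf))
            {
                // ChainStatus explains why: e.g. PartialChain (no path to a root),
                // UntrustedRoot, NotTimeValid, NotSignatureValid.
                foreach (X509ChainStatus status in chain.ChainStatus)
                    Console.Error.WriteLine($"{status.Status}: {status.StatusInformation}");
                return false;
            }

            // Build() == true means every signature verified up to a trusted anchor.
            // ChainElements[0] is the leaf; the last element is the root that was reached,
            // so confirm it is really the root we intended to trust.
            X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            return string.Equals(root.Thumbprint, expectedRoot.Thumbprint,
                                 StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

On .NET Framework, where CustomRootTrust does not exist, the usual substitute is X509VerificationFlags.AllowUnknownCertificateAuthority followed by the same explicit thumbprint comparison of the last chain element, since Build() alone then no longer proves the root is trusted.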