Verifying X509Certificate signature

  • Thread starter Peter Ritchie [C# MVP]
  • Start date
P

Peter Ritchie [C# MVP]

Sorry for the cross-post; the last post didn't use the correct MSDN e-mail...

Can anyone point me in the right direction for verifying an X509Certificates
signature? i.e. that it was truly signed by a known/trusted certificate

Thanks -- Peter
 
J

Joe Kaplan

What is it that you have that is signed? There may be different ways
depending on the format of the signed object. If it is a PKCS7 signed data
blob, then the SignedCms class is the way to go and is pretty easy to use.

Joe K.
 
S

Steven Cheng [MSFT]

Hi Peter,

As you said that you want some information about verifying X509 certificate
signature, I'd like to confirm what's the exact verification you want.

My understanding is that you may have a X509 certificate which assocate
with a publickey/private key pair( of RSA or DSA encypt provider) and
you've also used the private key to digital signed some data, and want to
verify the data, correct?

If this is the case, generally you will need to do two things here:

1. Retrieve the public/private key from the certificate (in certificate
store of windows)

2. use the key info associated with the certificate to do encryption or
digital sign.

Here are some web articles introducing some code on this:

http://www.codeproject.com/KB/security/RSACryptoPad.aspx

http://www.eggheadcafe.com/articles/20020630.asp

and here is a simple test function I've written which include accessing
cert store to retrieve key info in cert and do some RSA signing and
verification:


======================================
private void btnTest_Click(object sender, EventArgs e)
{
RSACryptoServiceProvider rsa;
RSAParameters key;
SHA1CryptoServiceProvider sha = new SHA1CryptoServiceProvider();

bool result;


signSrc = Encoding.UTF8.GetBytes("ABCDEFG");

string tp = "2b6f8ac51a85cbaf429474a55304313968667611";
X509Store store = new X509Store(StoreName.My,
StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);

X509Certificate2 cert2 =
store.Certificates.Find(X509FindType.FindByThumbprint, tp, true)[0];

store.Close();

rsa = cert2.PrivateKey as RSACryptoServiceProvider;



signDes = rsa.SignData(signSrc, sha);

result = rsa.VerifyData(signSrc, sha, signDes);


MessageBox.Show("valid: " + result);



/** here try exporting the CERT to a exportable file */


byte[] pfx_bytes =
cert2.Export(X509ContentType.Pfx,"Password01!");


//txtContent.Text = Convert.ToBase64String(pfx_bytes);


X509Certificate2 filecert = new X509Certificate2();
filecert.Import(pfx_bytes, "Password01!",
X509KeyStorageFlags.DefaultKeySet);



RSACryptoServiceProvider rsa1 = filecert.PrivateKey as
RSACryptoServiceProvider;



result = rsa1.VerifyData(signSrc, sha, signDes);

MessageBox.Show("valid: " + result);

string expkey = Convert.ToBase64String(rsa.ExportCspBlob(true));

txtExportedKey.Text = expkey;

}
=================================================

Hope this helps some.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: =?Utf-8?B?UGV0ZXIgUml0Y2hpZSBbQyMgTVZQXQ==?=
 
S

Steven Cheng [MSFT]

Hi Peter,

As you said that you want some information about verifying X509 certificate
signature, I'd like to confirm what's the exact verification you want.

My understanding is that you may have a X509 certificate which assocate
with a publickey/private key pair( of RSA or DSA encypt provider) and
you've also used the private key to digital signed some data, and want to
verify the data, correct?

If this is the case, generally you will need to do two things here:

1. Retrieve the public/private key from the certificate (in certificate
store of windows)

2. use the key info associated with the certificate to do encryption or
digital sign.

Here are some web articles introducing some code on this:

http://www.codeproject.com/KB/security/RSACryptoPad.aspx

http://www.eggheadcafe.com/articles/20020630.asp

and here is a simple test function I've written which include accessing
cert store to retrieve key info in cert and do some RSA signing and
verification:


======================================
private void btnTest_Click(object sender, EventArgs e)
{
RSACryptoServiceProvider rsa;
RSAParameters key;
SHA1CryptoServiceProvider sha = new SHA1CryptoServiceProvider();

bool result;


signSrc = Encoding.UTF8.GetBytes("ABCDEFG");

string tp = "2b6f8ac51a85cbaf429474a55304313968667611";
X509Store store = new X509Store(StoreName.My,
StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);

X509Certificate2 cert2 =
store.Certificates.Find(X509FindType.FindByThumbprint, tp, true)[0];

store.Close();

rsa = cert2.PrivateKey as RSACryptoServiceProvider;



signDes = rsa.SignData(signSrc, sha);

result = rsa.VerifyData(signSrc, sha, signDes);


MessageBox.Show("valid: " + result);



/** here try exporting the CERT to a exportable file */


byte[] pfx_bytes =
cert2.Export(X509ContentType.Pfx,"Password01!");


//txtContent.Text = Convert.ToBase64String(pfx_bytes);


X509Certificate2 filecert = new X509Certificate2();
filecert.Import(pfx_bytes, "Password01!",
X509KeyStorageFlags.DefaultKeySet);



RSACryptoServiceProvider rsa1 = filecert.PrivateKey as
RSACryptoServiceProvider;



result = rsa1.VerifyData(signSrc, sha, signDes);

MessageBox.Show("valid: " + result);

string expkey = Convert.ToBase64String(rsa.ExportCspBlob(true));

txtExportedKey.Text = expkey;

}
=================================================

Hope this helps some.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: =?Utf-8?B?UGV0ZXIgUml0Y2hpZSBbQyMgTVZQXQ==?=
 
P

Peter Ritchie [C# MVP]

Hi Joe, I'm actually looking to verify the signature of a certificate. I
have an X509Certificate2 object that has been signed with another
certificate. As part of my verification of the source of the certificate,
I'd like to verify that it has been signed by a known certificate.

Thanks -- Peter
--
Browse http://connect.microsoft.com/VisualStudio/feedback/ and vote.
http://www.peterRitchie.com/blog/
Microsoft MVP, Visual Developer - Visual C#


Joe Kaplan said:
What is it that you have that is signed? There may be different ways
depending on the format of the signed object. If it is a PKCS7 signed data
blob, then the SignedCms class is the way to go and is pretty easy to use.

Joe K.
 
P

Peter Ritchie [C# MVP]

Hi Steven. It appears your sample code signs some data and verifies the
signature on that data. The signed data I'm looking to verify is a
certificate itself. Verifying a signature on data I've signed isn't an
issue--with that sort of data I know what data to pass to Verify. With am
X509Certificate2, if I wanted to use the Verify method, what data would I
pass?

Thanks -- Peter

--
Browse http://connect.microsoft.com/VisualStudio/feedback/ and vote.
http://www.peterRitchie.com/blog/
Microsoft MVP, Visual Developer - Visual C#


Steven Cheng said:
Hi Peter,

As you said that you want some information about verifying X509 certificate
signature, I'd like to confirm what's the exact verification you want.

My understanding is that you may have a X509 certificate which assocate
with a publickey/private key pair( of RSA or DSA encypt provider) and
you've also used the private key to digital signed some data, and want to
verify the data, correct?

If this is the case, generally you will need to do two things here:

1. Retrieve the public/private key from the certificate (in certificate
store of windows)

2. use the key info associated with the certificate to do encryption or
digital sign.

Here are some web articles introducing some code on this:

http://www.codeproject.com/KB/security/RSACryptoPad.aspx

http://www.eggheadcafe.com/articles/20020630.asp

and here is a simple test function I've written which include accessing
cert store to retrieve key info in cert and do some RSA signing and
verification:


======================================
private void btnTest_Click(object sender, EventArgs e)
{
RSACryptoServiceProvider rsa;
RSAParameters key;
SHA1CryptoServiceProvider sha = new SHA1CryptoServiceProvider();

bool result;


signSrc = Encoding.UTF8.GetBytes("ABCDEFG");

string tp = "2b6f8ac51a85cbaf429474a55304313968667611";
X509Store store = new X509Store(StoreName.My,
StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);

X509Certificate2 cert2 =
store.Certificates.Find(X509FindType.FindByThumbprint, tp, true)[0];

store.Close();

rsa = cert2.PrivateKey as RSACryptoServiceProvider;



signDes = rsa.SignData(signSrc, sha);

result = rsa.VerifyData(signSrc, sha, signDes);


MessageBox.Show("valid: " + result);



/** here try exporting the CERT to a exportable file */


byte[] pfx_bytes =
cert2.Export(X509ContentType.Pfx,"Password01!");


//txtContent.Text = Convert.ToBase64String(pfx_bytes);


X509Certificate2 filecert = new X509Certificate2();
filecert.Import(pfx_bytes, "Password01!",
X509KeyStorageFlags.DefaultKeySet);



RSACryptoServiceProvider rsa1 = filecert.PrivateKey as
RSACryptoServiceProvider;



result = rsa1.VerifyData(signSrc, sha, signDes);

MessageBox.Show("valid: " + result);

string expkey = Convert.ToBase64String(rsa.ExportCspBlob(true));

txtExportedKey.Text = expkey;

}
=================================================

Hope this helps some.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: =?Utf-8?B?UGV0ZXIgUml0Y2hpZSBbQyMgTVZQXQ==?=
Subject: Verifying X509Certificate signature
Date: Wed, 30 Jul 2008 18:23:00 -0700
Sorry for the cross-post; the last post didn't use the correct MSDN e-mail...

Can anyone point me in the right direction for verifying an X509Certificates
signature? i.e. that it was truly signed by a known/trusted certificate

Thanks -- Peter
 
J

Joe Kaplan

I see what you are saying. What you really want to do is to build a chain
for the certificate and validate that. Simply checking the signing
certificate may not be adequate because something may have issed it as well.

Try taking a peek at the X509Chain class and the Build method. Note that it
will want you to apply a ChainPolicy as well where you describe what you are
checking the cert for.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
Peter Ritchie said:
Hi Joe, I'm actually looking to verify the signature of a certificate. I
have an X509Certificate2 object that has been signed with another
certificate. As part of my verification of the source of the certificate,
I'd like to verify that it has been signed by a known certificate.

Thanks -- Peter
--
Browse http://connect.microsoft.com/VisualStudio/feedback/ and vote.
http://www.peterRitchie.com/blog/
Microsoft MVP, Visual Developer - Visual C#
 
S

Steven Cheng [MSFT]

Thanks for your reply Peter,

Now, I've got that you actually want to verify the signed certificate. As
Joe has mentioned, this is something related to verify the certificate
trust chain. You can have a look at the X509Chain class and Joe has also
provided some suggestion that

#X509Chain Class
http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509cer
tificates.x509chain.aspx

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
From: =?Utf-8?B?UGV0ZXIgUml0Y2hpZSBbQyMgTVZQXQ==?=
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,731
Messages
2,569,432
Members
44,832
Latest member
GlennSmall

Latest Threads

Top