Re: X509Certificate vs HttpClientCertificate

From: Matt Frame (mdframe_at_DONT-SEND-ME-EMAIL.sorvive.com.NO-SPAM)
Date: 12/23/03


Date: Tue, 23 Dec 2003 15:52:23 -0500

Mitch,

One last stupid question from a newbie, is there an easy way to perform a
byte array comparison or do I just loop through the arrays checking for
equality?

Thanks,

Matt

"Michel Gallant" <neutron@NOSPAMistar.ca> wrote in message
news:eFpHAyYyDHA.3116@TK2MSFTNGP11.phx.gbl...
> Hi Matt,
>
> The Request.ClientCertificate.Certificate is the standard raw
> binary DER (ASN.1 encoded) X509 certificate.
> You can simply use .NET hash class to get the SHA-1 hash of this:
>
> HttpClientCertificate cs = Request.ClientCertificate;
> byte[] rawcert = cs.Certificate;
> SHA1 sha = new SHA1CryptoServiceProvider();
> // --- compute SHA-1 hash of binary DER cert
> byte[] hashvalue = sha.ComputeHash(rawcert);
>
> Compare these 20 bytes with X509Certificate.GetCertHash()
>
> - Mitch Gallant
>
> "Matt Frame" <mdframe@DONT-SEND-ME-EMAIL.sorvive.com.NO-SPAM> wrote in message
> news:OZKPHbYyDHA.2328@TK2MSFTNGP10.phx.gbl...
> > Mitch,
> >
> > That is a good idea but I can't seem to find the SHA1 value in the
> > HttpClientCertificate object. This object and X509Certificate are
> > different, I can't seem to find a way to get the information to
> > perform the SHA1 check, any ideas?
> >
> > Thanks,
> >
> > Matt
> >
> > "Michel Gallant" <neutron@NOSPAMistar.ca> wrote in message
> > news:OSriCqXyDHA.2448@TK2MSFTNGP12.phx.gbl...
> > > A good approach is to compare SHA1 hash values:
> > > byte[] X509Certificate.GetCertHash()
> > >
> > > Also, info on ASP.NET and CAPICOM:
> > > http://pages.istar.ca/~neutron/feature/SSLCapicom
> > >
> > > - Mitch Gallant
> > > MVP Security
> > >
> > > "Matt Frame" <mdframe@DONT-SEND-ME-EMAIL.sorvive.com.NO-SPAM> wrote in message
> > > news:O3Gh28WyDHA.2156@TK2MSFTNGP09.phx.gbl...
> > > > I am working with digital certificates to transfer data to/from a
> > > > client and we are using ASP.Net. I need to verify their certificate
> > > > when they post the data to our site. They have given me their
> > > > certificate and I have it in my certificate store. I am able to
> > > > retrieve the client certificate from the HTTP process and I can get
> > > > the matching certificate, by subject name, out of my certificate
> > > > store. Now I need to verify they match. I was looking at using the
> > > > serial number to verify the certificate but I have found it is
> > > > reversed in the HttpClientCertificate versus what is in the
> > > > X509Certificate. I can reverse the order and make it look correct
> > > > but I am wondering if this is the correct way to do this. Does
> > > > anyone have a better idea of verifying the certificate that was sent
> > > > in the HTTP process matches the one I have in the certificate store?
> > > >
> > > > Thanks,
> > > >
> > > > Matt
> > > >
> > > >
> > >
> > >
> >
> >
>
>
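
The hash comparison discussed in this thread, written out as an added example that is not part of the original posts: it hashes the presented DER bytes with SHA-1, compares the result to `X509Certificate.GetCertHash()` with a plain loop, and shows that a different certificate with the same subject name does not match. The names `ClientCertCheck`, `BytesEqual`, `MatchesStored` and `MakeCert` are hypothetical, the self-signed certificates are constructed stand-ins for `Request.ClientCertificate.Certificate` and the store entry, and `CertificateRequest` assumes .NET Framework 4.7.2 or later, or .NET Core 2.0 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ClientCertCheck
{
    // Compares two byte arrays without stopping at the first mismatch.
    static bool BytesEqual(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // presentedDer: raw DER bytes, as returned by Request.ClientCertificate.Certificate.
    // stored: the certificate looked up in the local certificate store.
    static bool MatchesStored(byte[] presentedDer, X509Certificate stored)
    {
        using (SHA1 sha = SHA1.Create())
        {
            byte[] presentedHash = sha.ComputeHash(presentedDer);
            return BytesEqual(presentedHash, stored.GetCertHash());
        }
    }

    // Constructed test input: a throwaway self-signed certificate.
    static X509Certificate2 MakeCert(string subject)
    {
        using (RSA rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest(subject, rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return req.CreateSelfSigned(DateTimeOffset.UtcNow,
                                        DateTimeOffset.UtcNow.AddDays(1));
        }
    }

    static void Main()
    {
        X509Certificate2 stored = MakeCert("CN=constructed-client");
        // Same subject name, different key pair: a subject lookup alone would accept it.
        X509Certificate2 other = MakeCert("CN=constructed-client");

        Console.WriteLine(MatchesStored(stored.RawData, stored)); // the stored certificate itself
        Console.WriteLine(MatchesStored(other.RawData, stored));  // same subject, other certificate
    }
}
```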


