Re: X509Certificate vs HttpClientCertificate

From: Michel Gallant (neutron_at_NOSPAMistar.ca)
Date: 12/23/03


Date: Tue, 23 Dec 2003 16:17:47 -0500

Hi Joe,

The trouble is that anyone can issue a phony certificate with any
phony serial number field; e.g.
   makecert ..... -# <hackerserialnumber> ....

So comparison based on issuer SerialNumber field only is not really
good security practice (unless you check the issuer and the issuer signature also).
Note that CMS/PKCS#7 enveloped messages store the recipient information
as the combination of SerialNumber and full IssuerName fields. The client
application must check and verify against these two fields as part of any secure
decryption process.

Checking the hash of the binary DER cert is a simple and unique way to
verify the one and only-one matching cert.

The SerialNumber certificate field is stored in the cert in exactly the
order you see in the IS certs panel. Not sure why the .NET classes
choose to reverse the order (possibly due to endian order reversal).

- Mitch

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote in message
news:eqxnkGZyDHA.3436@tk2msftngp13.phx.gbl...
> Hi Mitch,
>
> I've noticed that the normal .NET X509Certificate class inverts the display
> of the serial number property from the way it is displayed in the
> certificate property pages in the normal Windows UI. It sounds like it is
> also inverted with respect to the HttpClientCertificate. Does it seem
> reasonable that you could compare for equality by swapping one of them around?
> My understanding is that you can make a valid equality comparison on a
> certificate based on serial number.
>
> I'm still not sure I understand why there are two different classes in the
> framework that do essentially the same thing, or why the normal
> X509Certificate class represents the validity dates as strings, etc. I
> haven't checked out the Whidbey bits enough to see if/how things have
> cleaned up.
>
> Joe K.
>
> "Michel Gallant" <neutron@NOSPAMistar.ca> wrote in message
> news:OSriCqXyDHA.2448@TK2MSFTNGP12.phx.gbl...
> > A good approach is to compare SHA1 hash values:
> > byte[] X509Certificate.GetCertHash()
> >
> > Also, info on ASP.NET and CAPICOM:
> > http://pages.istar.ca/~neutron/feature/SSLCapicom
> >
> > - Mitch Gallant
> > MVP Security
> >
> > "Matt Frame" <mdframe@DONT-SEND-ME-EMAIL.sorvive.com.NO-SPAM> wrote in
> > message news:O3Gh28WyDHA.2156@TK2MSFTNGP09.phx.gbl...
> > > I am working with digital certificates to transfer data to/from a client
> > > and we are using ASP.Net. I need to verify their certificate when they
> > > post the data to our site. They have given me their certificate and I
> > > have it in my certificate store. I am able to retrieve the client
> > > certificate from the HTTP process and I can get the matching certificate,
> > > by subject name, out of my certificate store. Now I need to verify they
> > > match. I was looking at using the serial number to verify the certificate
> > > but I have found it is reversed in the HttpClientCertificate versus what
> > > is in the X509Certificate. I can reverse the order and make it look
> > > correct but I am wondering if this is the correct way to do this. Does
> > > anyone have a better idea of verifying the certificate that was sent in
> > > the HTTP process matches the one I have in the certificate store?
> > >
> > > Thanks,
> > >
> > > Matt
> > >
> > >
> >
> >
>
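The checks Mitch describes above, as an added example that is not part of the original thread and is not .NET code: a stdlib-only Python script that pulls the serial number and the issuer Name out of a DER certificate, computes the SHA-1 thumbprint (the value X509Certificate.GetCertHash() returns), and contrasts the three comparison strategies. The two certificates it compares are constructed here as unsigned X.509 skeletons (real TBSCertificate field order, dummy algorithm and signature bytes) so the script runs offline; parse_cert() reads a real DER certificate the same way. A serial-only match accepts the phony certificate that carries the same serial under a different issuer; issuer+serial and thumbprint both reject it. serial_from_reversed_bytes() is the normalisation for the byte-order reversal the thread discusses. All function names are this example's own.

```python
"""Added example: compare an X.509 certificate by thumbprint or issuer+serial
rather than by serial number alone. Sample certificates are constructed
skeletons (unsigned), not real certificates."""
import hashlib


# --- minimal DER encoding, used only to build the constructed samples ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:                                   # long-form length
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_int(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:                      # keep the INTEGER positive
        body = b"\x00" + body
    return der(0x02, body)


def der_name(cn):
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF { type OID, value }
    # 55 04 03 is OID 2.5.4.3 (commonName); 0x0C is UTF8String
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))


def make_cert(issuer_cn, subject_cn, serial):
    """Constructed, unsigned X.509 v3 skeleton with the real TBSCertificate layout."""
    sig_alg = der(0x30, der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B") + der(0x05, b""))
    utc = der(0x17, b"031223000000Z")
    tbs = der(0x30,
              der(0xA0, der_int(2)) +       # version [0] EXPLICIT (v3)
              der_int(serial) +             # serialNumber
              sig_alg +                     # signature AlgorithmIdentifier
              der_name(issuer_cn) +         # issuer
              der(0x30, utc + utc) +        # validity
              der_name(subject_cn) +        # subject
              der(0x30, sig_alg + der(0x03, b"\x00")))  # subjectPublicKeyInfo (dummy)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00"))  # dummy signature


# --- minimal DER decoding ---
def tlv(buf, pos):
    """Return (tag, value, raw_tlv_bytes, next_pos) for the TLV starting at pos."""
    tag, first, hdr = buf[pos], buf[pos + 1], 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr += nbytes
    else:
        length = first
    start, end = pos + hdr, pos + hdr + length
    return tag, buf[start:end], buf[pos:end], end


def children(value):
    pos = 0
    while pos < len(value):
        tag, val, raw, pos = tlv(value, pos)
        yield tag, val, raw


def parse_cert(cert_der):
    """Serial, raw issuer Name DER and SHA-1 thumbprint of a DER certificate."""
    _, cert, _, _ = tlv(cert_der, 0)
    tbs = next(children(cert))[1]
    fields = list(children(tbs))
    i = 1 if fields[0][0] == 0xA0 else 0    # version is absent in v1 certs
    serial_tag, serial_val, _ = fields[i]
    if serial_tag != 0x02:
        raise ValueError("serialNumber not where expected")
    return {
        "serial": int.from_bytes(serial_val, "big"),
        "issuer_der": fields[i + 2][2],     # raw DER of the issuer Name
        "thumbprint": hashlib.sha1(cert_der).hexdigest().upper(),
    }


def matches_by_serial(presented_der, stored_der):
    """The weak check: anyone can mint a cert carrying this serial."""
    return parse_cert(presented_der)["serial"] == parse_cert(stored_der)["serial"]


def matches_by_issuer_and_serial(presented_der, stored_der):
    """What CMS IssuerAndSerialNumber identifies: serial scoped to its issuer."""
    p, s = parse_cert(presented_der), parse_cert(stored_der)
    return p["serial"] == s["serial"] and p["issuer_der"] == s["issuer_der"]


def matches_by_thumbprint(presented_der, stored_der):
    """Equivalent of comparing GetCertHash(): SHA-1 over the whole DER."""
    return hashlib.sha1(presented_der).digest() == hashlib.sha1(stored_der).digest()


def serial_from_reversed_bytes(reversed_bytes):
    """Normalise a serial received byte-reversed (little-endian) to its DER/UI value."""
    return int.from_bytes(reversed_bytes[::-1], "big")


if __name__ == "__main__":
    legit = make_cert("Trusted CA", "Matt Frame", 0x1234ABCD)   # constructed
    phony = make_cert("Hacker CA", "Matt Frame", 0x1234ABCD)    # same serial, other issuer
    print("serial only  :", matches_by_serial(phony, legit))            # True  (fooled)
    print("issuer+serial:", matches_by_issuer_and_serial(phony, legit)) # False
    print("thumbprint   :", matches_by_thumbprint(phony, legit))        # False
```

The issuer+serial match only identifies the certificate relative to whoever claims to be its issuer; it still assumes the presented certificate chains to a CA you trust, which the signature and chain validation outside this example must establish. The thumbprint pins one exact certificate, so it must be refreshed when the client renews.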


