Re: How to verify CA for a X.509 certificate

From: Shawn Farkas (shawnfa_at_online.microsoft.com)
Date: 06/15/04


Date: Mon, 14 Jun 2004 22:55:56 GMT

There has been a lot of work done around X509 for the 2.0 release of the framework. Both XML Encryption and XML Digital Signatures have
knowledge about the X509CertificateEx class, which make it relatively easy for you to accomplish what you're trying to do. However, like Mitch
said, if you need to do this now / support downlevel clients, you're stuck with interop.

-Shawn
http://blogs.msdn.com/shawnfa

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.
--------------------
>From: "Michel Gallant" <neutron@istar.ca>
>References: <eO4CsA#TEHA.2324@TK2MSFTNGP10.phx.gbl> <#2tdtP#TEHA.3404@TK2MSFTNGP10.phx.gbl> <#c4fadGUEHA.556@tk2msftngp13.phx.gbl> <ufiOopIUEHA.2944@tk2msftngp13.phx.gbl> <OuOMvGkUEHA.2844@TK2MSFTNGP12.phx.gbl>
>Subject: Re: How to verify CA for a X.509 certificate
>Date: Mon, 14 Jun 2004 15:11:45 -0400
>Lines: 71
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
>Message-ID: <eLtk9NkUEHA.1952@TK2MSFTNGP12.phx.gbl>
>Newsgroups: microsoft.public.dotnet.security
>NNTP-Posting-Host: hse-ottawa-ppp234655.sympatico.ca 64.230.66.10
>Path: cpmsftngxa10.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
>Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.security:6476
>X-Tomcat-NG: microsoft.public.dotnet.security
>
>There is good news ahead in next release of FCL:
>  http://longhorn.msdn.microsoft.com/
>Check out under Reference | Class Library Reference | Namespaces
>  System.Security.Cryptography.X509CertificateEx
>
>But for now, and to support FCL 1.1 and lower, you must use some
>form of interop.
>
>- Mitch Gallant
>   MVP Security
>
>"Bas van Atteveldt" <newsgroup@2at.nl> wrote in message
>news:OuOMvGkUEHA.2844@TK2MSFTNGP12.phx.gbl...
>> To my shame I must admit that I missed the essential call to
>> CryptVerifyCertificateSignature. Thanks a lot; this should work. Now let's
>> hope that there will soon be managed variants for these calls. In a time
>> where security and repudability are becoming more and more of an issue it is
>> a shame that the certificate part of the framework (even with WSE) is so
>> limited. Let's hope the 2.0 framework will correct this...
>>
>> Bas.
>>
>> "Michel Gallant" <neutron@istar.ca> wrote in message
>> news:ufiOopIUEHA.2944@tk2msftngp13.phx.gbl...
>> > The article DOES check if the public key is in the store, and tries
>> > to use it to explicitly verify the signature on the cert. If the issuer-name
>> > and associated cert/key was swapped, of COURSE the signature verification
>> > would fail, so that is not a problem.
>> > If you trust who you received the signed XML file from, and you ALSO trust
>> > the integrity of your root CA store (i.e. haven't populated unwisely with unknown
>> > root CA certs from potentially malicious origins, like my own openSSL generated
>> > root CA certs  ;-)   then you should be golden.
>> >
>> > - Mitch Gallant
>> >    www.jensign.com
>> >
>> > "Bas van Atteveldt" <newsgroup@2at.nl> wrote in message
>> > news:%23c4fadGUEHA.556@tk2msftngp13.phx.gbl...
>> > > It helps a little. I had already found that article but it is an awful lot
>> > > of work using almost exclusively unmanaged calls. More importantly, if I
>> > > read it correctly, it only checks if the issuer name exists in a store; this
>> > > is not secure as the issuer name can be forged quite easily. It should check
>> > > if the public key of the issuer (or the issuer's issuer, etc.) is in the
>> > > store. I believe that code like this can also be done managed using the WSE
>> > > (web services enhancements) from Microsoft.
>> > >
>> > > Bas.
>> > >
>> > > "Michel Gallant" <neutron@istar.ca> wrote in message
>> > > news:%232tdtP%23TEHA.3404@TK2MSFTNGP10.phx.gbl...
>> > > > Not sure if this helps:
>> > > >    http://www.jensign.com/JavaScience/dotnet/VerifyCertSigner
>> > > > - Mitch Gallant
>> > > >    MVP Security
>> > > >
>> > > ...
>> > >
>> > >
>> >
>> >
>>
>>
>
>
>
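The managed route that Shawn and Mitch point to, written out here as an added example; it is not code from this thread, from the jensign.com article, or from Microsoft. It uses the X509Chain and SignedXml classes that shipped in .NET Framework 2.0 (System.Security.Cryptography.X509Certificates and System.Security.Cryptography.Xml; the pre-release X509CertificateEx class was released under the name X509Certificate2). X509Chain.Build verifies each certificate's signature with its issuer's public key rather than merely matching the issuer name, which is the weakness Bas raised, and pinning the root thumbprint addresses Mitch's caveat about the integrity of the root store. The file path, the expected root thumbprint, and the Main method are placeholders and assumptions of this example.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not from the thread: verifies an enveloped XML signature and the
// signer's certificate chain using only managed .NET 2.0 classes.
public static class SignedXmlChainCheck
{
    // Returns true only when (1) the XML signature validates with the embedded
    // certificate, (2) that certificate chains, signature by signature, to a root
    // in the trusted root store with no status errors, and (3) that root is the
    // CA we expect. expectedRootThumbprint is the SHA-1 thumbprint (hex, no
    // spaces) of the CA deliberately trusted; Main passes a placeholder.
    public static bool Verify(XmlDocument signedDoc, string expectedRootThumbprint)
    {
        XmlNodeList sigNodes = signedDoc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigNodes.Count != 1)
            return false;                       // zero or ambiguous signatures: reject

        SignedXml signedXml = new SignedXml(signedDoc);
        signedXml.LoadXml((XmlElement)sigNodes[0]);

        X509Certificate2 signer = ExtractCertificate(signedXml);
        if (signer == null)
            return false;

        // verifySignatureOnly = true: check the signature with THIS certificate's key
        // and nothing else; chain trust is decided explicitly below so the root can be
        // pinned instead of accepting whatever root the machine store happens to hold.
        if (!signedXml.CheckSignature(signer, true))
            return false;

        return ChainsToExpectedRoot(signer, expectedRootThumbprint);
    }

    // The signing certificate travels inside <KeyInfo><X509Data>.
    private static X509Certificate2 ExtractCertificate(SignedXml signedXml)
    {
        foreach (KeyInfoClause clause in signedXml.KeyInfo)
        {
            KeyInfoX509Data x509Data = clause as KeyInfoX509Data;
            if (x509Data == null || x509Data.Certificates == null || x509Data.Certificates.Count == 0)
                continue;
            // First certificate in X509Data is taken as the signer's (end-entity) certificate.
            return new X509Certificate2((X509Certificate)x509Data.Certificates[0]);
        }
        return null;
    }

    private static bool ChainsToExpectedRoot(X509Certificate2 leaf, string expectedRootThumbprint)
    {
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag; // tolerate nothing

        // Build() locates each issuer, then verifies the child's signature with the
        // issuer's public key, up to a trusted root. An issuer whose name matches but
        // whose key does not therefore fails here rather than being accepted by name.
        if (!chain.Build(leaf))
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.Error.WriteLine("chain status: {0} - {1}", status.Status, status.StatusInformation);
            return false;
        }

        // The last element is the self-signed root. Pin it so that a stray root added
        // to the store by accident (Mitch's OpenSSL test root) cannot vouch for this document.
        X509ChainElementCollection elements = chain.ChainElements;
        X509Certificate2 root = elements[elements.Count - 1].Certificate;
        return string.Equals(root.Thumbprint, expectedRootThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main(string[] args)
    {
        // Placeholders: path to the received signed XML, and the thumbprint of the root
        // CA you trust (take it from the CA's own certificate, never from the document).
        string path = args.Length > 0 ? args[0] : "signed.xml";
        string expectedRoot = "0000000000000000000000000000000000000000"; // placeholder thumbprint

        XmlDocument doc = new XmlDocument();
        doc.PreserveWhitespace = true;          // canonicalization depends on the original whitespace
        doc.Load(path);

        Console.WriteLine(Verify(doc, expectedRoot) ? "signature and chain OK" : "REJECTED");
    }
}
```

Two design points: CheckSignature is called with verifySignatureOnly set to true so that the one place trust is decided is the explicit chain build, where the root can be pinned; and X509RevocationMode.Online makes Build fail closed (RevocationStatusUnknown) when the CRL cannot be fetched, which is the right default for a document-signing check and should only be relaxed knowingly.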

