tags:

views:

290

answers:

1
Q: 

SignedCms.CheckSignature() with renewed cert -> new serial?????

hi programming folks,

i am using

SignedCms.CheckSignature(certColl, true)

(with only one cert in certColl) to verify the signature of a pkcs-7 message. My problem is that i dont want to change the (public part of the) signers certificate on my server after the signer has renewed his certificate :-( The public key, issuer and subject are remaining unchanged after signer has renewed his certificate! So this has to work - at least in my opinion, even if i´m not a crypto-geek :-)

..but, unfortunately the .NET-Framework throws a Cryptographic Exception "Cannot find the original signer" like the stacktrace says exactly at:

SignerInfo.CheckSignature(X509Certificate2Collection extraStore, Boolean verifySignatureOnly)

This must be because the serial number of the signers certificate has changed and the SignerIdentifier property is readonly and set to IssuerAndSerialNumber.

Does anyone know how workaround this?

Or do i have to implement a "handmade" signature verifying with sth like: signedMessage.ComputeSignature(signer, false)?

Thanks in advance and happy programming, Krile

A: 

For all interested on this issue:

Someone told me that this is due to the PKCS #7 specification, which states that the SubjectKeyIdentifier is always set to IssuerAndSerialNumber.

krile  2009-12-15 13:27:19
I forgot to tell you a possible workaround:You could put the signing certificate into the PKCS#7 request and on the called side you have all information which you need. Of course the CA certificate which is above all the signing (client) certificate´s has to be trusted. Happy coding!
krile  2009-12-16 15:48:01

related questions

Install certificates in to the Windows Local user certificate store in C#
How to automate importing certificates on a Windows CE device?
XMPP Server-to-Server for Gmail.com/Jabber.org
Signing a Windows exe file
Code Signing Certificate Options
Who sells the cheapest EV SSL certificate?
How can I deploy an iPhone Application from Xcode to real iPhone device
Where does makecert store the private key if -sv is not specified?
Tool for Viewing X.509 Certificates?
Cannot find the X.509 Certificate using the following search criteria:
How can I convert a SSL certificate from PEM to DER and keep the private key?
IE: Choose a digital certificate from a blank, empty list
Is it possible to use ServicePointManager with Webbrowser control?
How to disable "Security Alert" window in Webbrowser control
Cheapest Java Code Signing Certificate? (not self-signed)
Security implications of disabling the Common Name check for HTTPS
XPI signing linux no gui
How do you sign your Firefox extensions?
How do I sign a Java applet using a certificate in my Mac keychain?
WCF Routing Message Security
Enumerating Certificate Fields in C#
Why is this X.509 certificate considered invalid?
Custom X509SecurityTokenManager ignored
C# utility to create a CA
Java Code Signing Certificates...same as SSL Certificate?