If I use X509Certificate.CreateFromSignedFile to get the certificate used to sign a file, can I confirm that it was signed by a trusted authority - and isn't just a "self-signed" cert of some kind?

I want to extract the "Subject" (company) name from the cert to ensure that an unmanaged DLL I'm using is unmolested (I can't checksum it as it's updated frequently and independently) and official.

However, I'm concerned that a fake DLL could be signed with a "self-signed" cert and return the original company's name. So, I want to ensure the cert was issued by VeriSign, Thawte or similar (anything installed in the cert repository on the machine will be fine).

How can I do this, if at all, when using X509Certificate.CreateFromSignedFile? Or does it do this automatically (i.e. a "self-signed" cert will fail)?
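The check the question describes, written out as an added example (not code from the original thread): pull the signer certificate out of the file with X509Certificate.CreateFromSignedFile, reject anything self-signed, build the chain against the machine's trusted root store with X509Chain, require the code-signing purpose, and only then compare the subject name. The expected subject name and file path are placeholders supplied by the caller.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example; not from the original thread.
// Assumes the caller supplies the DLL path and the publisher's exact Common Name.
static class SignedFileCheck
{
    // Code Signing extended key usage OID (id-kp-codeSigning).
    private const string CodeSigningEku = "1.3.6.1.5.5.7.3.3";

    // Returns true only when: the file carries a signer certificate, that certificate is
    // not self-signed, its chain builds to a root in the machine's trusted store with no
    // status errors, it is valid for code signing, and its subject CN matches exactly.
    public static bool IsTrustedAndFromPublisher(string path, string expectedSubjectCN)
    {
        X509Certificate2 cert;
        try
        {
            // Throws CryptographicException when the file carries no Authenticode signature.
            cert = new X509Certificate2(X509Certificate.CreateFromSignedFile(path));
        }
        catch (CryptographicException)
        {
            return false;
        }

        // A self-signed certificate has Subject == Issuer; reject it outright instead of
        // relying on the chain builder to flag it as an untrusted root.
        if (string.Equals(cert.Subject, cert.Issuer, StringComparison.Ordinal))
            return false;

        using (var chain = new X509Chain())
        {
            // Fail closed: do not treat "could not check revocation" as success.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            // Require the code-signing purpose so a TLS server cert cannot be reused here.
            chain.ChainPolicy.ApplicationPolicy.Add(new Oid(CodeSigningEku));

            if (!chain.Build(cert))
                return false;

            // Build() already returns false on errors; this makes the policy explicit.
            foreach (X509ChainStatus status in chain.ChainStatus)
                if (status.Status != X509ChainStatusFlags.NoError)
                    return false;
        }

        // Compare the CN component exactly rather than substring-matching the whole Subject,
        // so "Example Corp Ltd" does not pass as "Example Corp".
        string subjectCN = cert.GetNameInfo(X509NameType.SimpleName, false);
        return string.Equals(subjectCN, expectedSubjectCN, StringComparison.Ordinal);
    }

    public static void Main(string[] args)
    {
        // Placeholder values; replace with the real DLL path and publisher CN.
        bool ok = IsTrustedAndFromPublisher(@"C:\path\to\vendor.dll", "Expected Publisher Name");
        Console.WriteLine(ok ? "trusted publisher" : "rejected");
    }
}
```

Two caveats worth keeping in mind with this approach. CreateFromSignedFile only extracts the certificate embedded in the file's signature; it does not itself confirm that the Authenticode hash over the file contents still matches, so a modified file that still carries the original certificate would pass the certificate checks above. Validating the signature itself needs WinVerifyTrust (for example via P/Invoke) or PowerShell's Get-AuthenticodeSignature. Second, a chain built against "anything installed in the cert repository on the machine" is only as trustworthy as that store, so pinning the expected subject (and, if the publisher is stable, the issuer) is what keeps a legitimately issued certificate for a different organisation from passing.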

A: 

Isn't the Verify() method enough?

Pawel Lesnikowski
A: 

If it is not a valid certificate you will get an exception. As for checking the company name etc., here is the code:

    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;

    // Register the callback once (e.g. at startup); it runs for every HTTPS server certificate.
    ServicePointManager.ServerCertificateValidationCallback +=
        new RemoteCertificateValidationCallback(customCertificateValidation);

    private static bool customCertificateValidation(
        object sender, X509Certificate cert,
        X509Chain chain, SslPolicyErrors error)
    {
        // Certificate passed the default validation: nothing more to do.
        if (error == SslPolicyErrors.None)
            return true;

        // check here 'cert' parameter properties (ex. Subject) and based on the result
        // you expect return true or false; returning true suppresses the exception.
        // "O=Expected Company" is a placeholder for the subject you expect.
        return cert != null && cert.Subject.Contains("O=Expected Company");
    }

EDIT: The above code is suitable only when requesting an HTTPS resource that has an invalid (self-signed, expired, etc.) certificate. As for extracting signatures from signed files, please check here: Extracting Digital Signatures from Signed Files with .NET

Incognito
So, just to confirm, a "self-signed" cert would cause X509Certificate.CreateFromSignedFile to throw an exception?
dommer
Yes, if it is a self-signed certificate you will get an exception. If you need to avoid that exception, register for ServerCertificateValidationCallback (see the code above) and, after the needed checks, return true and there will be no exception.
Incognito
Sorry, in order not to mislead you, check the edit above.
Incognito