SV: SV: [Mono-list] Verifying end certificate against rootcertificates in store

Sebastien Pouliot sebastien.pouliot at gmail.com
Wed Oct 12 09:35:17 EDT 2005


Hello Kim,

On Wed, 2005-12-10 at 09:33 +0200, Hellan.Kim KHE wrote:
> Hi Sebastien,
> 
> Sorry, I misunderstood you.
> In source files like certmgr.cs you operate on "Personal" and
> "TrustedRoot" stores using the X509Stores/X509Store class.
> What kind of "store" is that then?

Those are the Mono certificate stores, i.e. similar in functionality to
the Windows certificate store (but not compatible).

> All I need is somewhere to put 3-4 CA certificates 

You can use the certmgr tool to add/remove certificates, including root
certificates, into the Mono stores (either the user or machine stores).
Have a look at the man page for more details.

> and use these for issuer verification of my end certificates. 

You have 2 complete examples on how to verify certificates in the Mono SSL
implementation (in /mcs/class/Mono.Security/*). One checks the server
certificates and the second checks for client certificates. Both build
a chain to a trusted root and then proceed to check special X.509
certificate extensions before accepting/refusing the certificate.

> It's not a must that these are located in the Windows certificate
> store. If Mono uses some other kind of store, I can use that too.
> 
> Thanks,
> Kim
> 
> 
> -----Original Message-----
> From: Sebastien Pouliot [mailto:sebastien.pouliot at gmail.com] 
> Sent: 11 October 2005 16:44
> To: Hellan.Kim KHE
> Cc: mono-list at lists.ximian.com
> Subject: Re: SV: [Mono-list] Verifying end certificate
> against rootcertificates in store
> 
> Hello Kim,
> 
> My previous answer was a little more general (than certificate
> verification). Mono itself doesn't offer, nor plan to, any kind of
> integration with the Windows certificate store.
> 
> You either have to:
> (a) use Fx 2.0 new X.509 classes;
> (b) p/invoke into CryptoAPI yourself; or
> (c) use existing wrapper classes (like Mentalis).
> 
> On Tue, 2005-11-10 at 16:33 +0200, Hellan.Kim KHE wrote:
> > Hi Sebastien
> > 
> > Okay, so it can't be done with the current build :(
> > Then what about some functionality to retrieve all certificates from
> > the store. Is that available?
> > I could always do the verifying manually then.
> > 
> > Or I could do a more specific search for a root certificate with a
> > Common Name that matches the issuer in the certificate. And then check
> > if that specific CA is the issuer of my end certificate.
> > 
> > Is there any current functionality to get a specific certificate from
> > the "Trusted root authorities" store then, and then verify that this
> > certificate is the issuer certificate?
> > 
> > I know I'm ignoring checking of certificate chains here. I just want
> > to make a simple check if possible.
> > 
> > Thanks,
> > Kim
> > 
> > 
> > -----Original Message-----
> > From: mono-list-bounces at lists.ximian.com
> > [mailto:mono-list-bounces at lists.ximian.com] On behalf of Sebastien
> > Pouliot
> > Sent: 11 October 2005 15:54
> > To: Hellan.Kim KHE
> > Cc: mono-list at lists.ximian.com
> > Subject: Re: [Mono-list] Verifying end certificate against
> > rootcertificates in store
> > 
> > Hello Kim,
> > 
> > You either have to use Fx 2.0 which has much expanded support for
> > X.509
> > or p/invoke into CryptoAPI.
> > 
> > IIRC Mentalis has a library that wraps most of CryptoAPI
> > for .net/windows apps.
> > 
> > On Tue, 2005-11-10 at 15:46 +0200, Hellan.Kim KHE wrote:
> > > I'm looking for the "correct" way of verifying the issuer of an
> > > X509Certificate (end certificate) against all root certificates
> > > found in the LOCAL_MACHINE "Trusted root authorities" certificate
> > > store in Windows.
> > > 
> > > Does anyone have some example code they want to share for doing that
> > > task?
> > > 
> > > Thanks!
> > > /Kim
> > 
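
An added example, not part of the original thread and not Mono project code: option (a) from the reply above, using the Fx 2.0 System.Security.Cryptography.X509Certificates classes to build a chain for an end certificate and then confirm that the chain's root is in the LocalMachine root store. The names IssuerCheck and ChainsToMachineRoot are hypothetical, and revocation checking is turned off as an assumption so the example runs offline.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class IssuerCheck   // hypothetical name, for illustration only
{
    // Returns true when 'end' chains to a root that is present in the
    // LocalMachine "Trusted Root Certification Authorities" store.
    public static bool ChainsToMachineRoot(X509Certificate2 end, out string reason)
    {
        X509Chain chain = new X509Chain();
        // Assumption: skip CRL/OCSP lookups so the check works offline.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        if (!chain.Build(end))
        {
            // Build fails for an untrusted root, an expired certificate,
            // a bad signature and so on; report the first status found.
            reason = chain.ChainStatus.Length > 0
                ? chain.ChainStatus[0].StatusInformation.Trim()
                : "chain could not be built";
            return false;
        }

        // The last chain element is the root the chain was anchored to.
        X509Certificate2 root =
            chain.ChainElements[chain.ChainElements.Count - 1].Certificate;

        // Build also accepts roots trusted only by the current user, so
        // look the root up in the machine store explicitly.
        X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // Match on thumbprint, not Common Name: names are not unique.
            bool found = store.Certificates.Find(
                X509FindType.FindByThumbprint, root.Thumbprint, false).Count > 0;
            reason = found ? "ok: " + root.Subject : "root not in LocalMachine\\Root";
            return found;
        }
        finally { store.Close(); }
    }

    static void Main(string[] args)   // args[0]: path to the end certificate file
    {
        string reason;
        bool ok = ChainsToMachineRoot(new X509Certificate2(args[0]), out reason);
        Console.WriteLine("{0}: {1}", ok ? "ACCEPT" : "REJECT", reason);
    }
}
```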
