HTTPS and X509 certificates in .NET Part 5: validating certificates in code

June 11, 2015 3 Comments

Introduction

In the previous post we looked at some basic classes in the .NET framework that deal with X509 certificates. We saw how to load, inspect, install and remove certificates.

In this post we’ll continue working with certificates in code and concentrate on validation techniques.

Certificate validation in C#

The two most important objects in .NET that will help you validate a certificate are X509Chain and X509ChainPolicy.

The X509Chain object represents the chain of trust when checking the validity of a certificate. X509ChainPolicy fine-tunes how you’d like to validate the certificate, i.e. which criteria the chain of trust should fulfil.

Let’s see how the self-signed certificate we created before can be validated. Consider the following sample code:

private static void RunValidation()
{
	X509Store computerCaStore = new X509Store(StoreName.My, StoreLocation.LocalMachine);
	try
	{
		computerCaStore.Open(OpenFlags.ReadOnly);
		X509Certificate2Collection certificatesInStore = computerCaStore.Certificates;
		X509Certificate2Collection findResult = certificatesInStore.Find(X509FindType.FindBySubjectName, "mylocalsite.local", false);				
		foreach (X509Certificate2 cert in findResult)
		{
			X509Chain chain = new X509Chain();
			X509ChainPolicy chainPolicy = new X509ChainPolicy()
			{
				RevocationMode = X509RevocationMode.Online,
				RevocationFlag = X509RevocationFlag.EntireChain
			};
			chain.ChainPolicy = chainPolicy;
			if (!chain.Build(cert))
			{
				foreach (X509ChainElement chainElement in chain.ChainElements)
				{
					foreach (X509ChainStatus chainStatus in chainElement.ChainElementStatus)
					{
						Debug.WriteLine(chainStatus.StatusInformation);
					}
				}
			}
		}				
	}
	finally
	{
		computerCaStore.Close();
	}
}

You’ll recognise the part of this code where we open the certificate store and load the self-signed derived certificate. Note that the Find method will return a collection of X509 certificates but there’s no way to extract just a single element from a X509Certificate2Collection object. Even if you know that there’s only one certificate that fulfils the search criteria you’ll need to iterate over the collection.

Anyway, the validation part of the code starts within the foreach loop by constructing an X509Chain object. We then build a policy for the chain by specifying a couple of properties.

The RevokationMode enumeration will define whether or not we want to check the revocation list for this certificate: check it on-line, off-line or not at all. X509RevocationFlag will specify if we want to check the revocation list with or without the CA root. The X509ChainPolicy object has some more properties that will let you fine-grain the chain policy. The VerificationFlags enumeration will let you switch off parts of the chain, e.g.:

VerificationFlags = X509VerificationFlags.IgnoreInvalidName | X509VerificationFlags.IgnoreNotTimeValid

Normally you’d want to verify all properties so you’ll leave VerificationFlags untouched.

We then want to build the chain by calling the Build method with the certificate. If Build returns false then we know that something isn’t correct with the validation chain. So for each element in the chain elements we want to check the element status messages.

If you run the above code then you should get a validation error:

“The revocation function was unable to check revocation for the certificate.”

That’s because we specified that the online revocation list should be checked. However, there’s no revocation list anywhere on Earth that knows about our self-signed certificate. If we change the code to…

X509ChainPolicy chainPolicy = new X509ChainPolicy()
{
	RevocationMode = X509RevocationMode.NoCheck,
        RevocationFlag = X509RevocationFlag.EntireChain
};

…then the Build method passes as everything is fine with the certificate.

Open IIS for another test. We’ll use the IIS GUI to quickly create another certificate. Double-click on the following icon:

Certificates button in IIS

Then click on the following link in the right-hand panel:

Create self signed certificate link in IIS

Provide some friendly name for the certificate and click OK.

The certificate should appear in the Personal folder in the Certificates snap-in after a refresh. I called my certificate “iiscertificate”:

Certificate created in IIS visible in MMC snap in

If you double-click this certificate then you’ll see that it is valid. Now if we change the code back to online revocation list checking…

X509ChainPolicy chainPolicy = new X509ChainPolicy()
{
	RevocationMode = X509RevocationMode.Online,
        RevocationFlag = X509RevocationFlag.EntireChain
};

…and search for the IIS certificate…:

X509Certificate2Collection findResult = certificatesInStore.Find(X509FindType.FindBySubjectName, "andras1.Apica.local", false);

…then Build will return true, the IIS certificate is fully trusted even after the CRL is checked.

The certificate was also inserted into the Trusted Root Certification Authorities folder:

IIS certificate also listed among CA certificates

If you don’t see it then refresh the list by pressing F5.

Now remove the certificate from the trusted CA folder. Then go back to the Personal folder and double-click the IIS certificate. You should see that it is not trusted any more:

IIS certificate not trusted after removing from global CA store

If we run the same code again then Build returns false and we get the following validation error:

“A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.”

The message clearly says that the root certificate is not trusted.

A more compact solution

The above code lets you fine-grain your chain building logic. There are specialised X509 validators in .NET that provide a more compact way of validating a certificate. Add the following references to your project:

References for X509 validators

The below example will build a validator that validates the chain of trust with all the validation flags turned on:

X509CertificateValidator chainTrustValidator = X509CertificateValidator.ChainTrust;
try
{
	chainTrustValidator.Validate(cert);
}
catch (Exception ex)
{
	Debug.WriteLine(ex.Message);
}

The Validate method will throw an exception if the validation fails. The untrusted IIS certificate will give the following exception message:

“The X.509 certificate CN=andras1.Apica.local chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.”

That’s all folks about the basics of certificate validation in .NET.

This was the last post in this HTTPS basics series.

You can view the list of posts on Security and Cryptography here.

Filed under .NET, Security Tagged with , , , , ,

Concatenate two IEnumerable sequences in C# .NET

June 10, 2015 Leave a comment

We can use the Range method to build two integer sequences as follows:

IEnumerable<int> firstRange = Enumerable.Range(10, 10);
IEnumerable<int> secondRange = Enumerable.Range(5, 20);

You can join the two sequences using the Concat method:

List<int> concatenated = firstRange.Concat(secondRange).ToList();
concatenated.ForEach(i => Debug.WriteLine(i));

You’ll see that the concatenated sequence holds all numbers from the first and the second sequence:

Read more of this post

Filed under .NET, LINQ Tagged with , ,

Using linked lists in .NET with C#

June 9, 2015 2 Comments

Linked lists are very efficient if you want to insert and remove items in a collection frequently. Linked lists do not store their elements in contiguous regions in memory, like e.g. the List of T object. Instead elements in linked lists can be stored anywhere.

The elements are linked by their “next” and “previous” references. The first element will have a “next” pointer to the element that comes after that. The second element in turn will have a reference to the previous and next elements. The first element will of course only have a reference to the “next” element and “previous” will be null, whereas the last element will point to the previous element and “next” will be null. All elements in between will have two references. Such a linked list is also called a doubly linked list.

One big difference between linked lists and “normal” lists is that linked lists have no index accessors. You just cannot extract the element #3 for example without looping through the linked list and stopping at the third element.

Read more of this post

Filed under .NET, C# language features, Generics Tagged with ,

HTTPS and X509 certificates in .NET Part 4: working with certificates in code

June 8, 2015 11 Comments

Introduction

In the previous post we successfully installed our self-signed CA certificate in the Trusted Root CA folder. We also installed a derived certificate in the Personal certificates folder. We then saw how to make IIS use our certificate for a secured web site.

In this post we’ll start looking into the certificate-related classes in .NET.

Loading a certificate from a file

Digital certificates are represented by the X509Certificate2 class in .NET located in the System.Security.Cryptography.X509Certificates namespace. The class has numerous overloaded constructors. You can pass in the file path to the certificate, a byte array content, a password etc. Let’s see whether we can load the CA certificate we created before in this series:

Read more of this post

Filed under .NET, Security Tagged with , , , , ,

Python language basics 19: for-loops

June 7, 2015 Leave a comment

Introduction

In the previous post we saw how we could iterate through a collection using the foreach-loop in Python. Foreach-loops are ideal when looping through collections and we looked at how lists and dictionaries can be iterated.

In this post we’ll look at the more traditional version of looping, called for-loops.

For-loops in Python

Read more of this post

Filed under python Tagged with ,

Python language basics 18: looping through collections with foreach-loops

June 6, 2015 Leave a comment

Introduction

In the previous post we looked at the dictionary data structure in Python. We saw how a dictionary could be used to order a value to a key just like in a real language dictionary. In the post before that we discussed the list collection which is another important collection type in Python.

In this post we’ll see how to loop through each of the two collection types.

Looping through lists with a foreach-loop

By ‘looping’ we mean visiting each member of a collection one by one with the goal of performing some action on them. Another term often used in place of looping is iterating through a collection.

Read more of this post

Filed under python Tagged with ,

Keeping the key-values sorted by using a SortedDictionary with C# .NET

June 5, 2015 Leave a comment

You can use the generic SortedDictionary of Key and Value to automatically keep the key value items sorted by their keys. Any time you add a new key value pair the dictionary will reorder the items. The SortedDictionary was optimised for frequent changes to its list of items. Keep in mind that the items will be sorted by their key and not their value.

Consider the following simple custom object:

public class Student
{
	public string Name { get; set; }
	public string SchoolName { get; set; }
}

Let’s organise a couple of students into a sorted dictionary by their birthdates:

SortedDictionary<int, List<Student>> birthDates = new SortedDictionary<int, List<Student>>();
birthDates[1990] = new List<Student>()
{
	new Student()
	{
		Name = "John", 
		SchoolName ="Great school"
	},
	new Student()
	{
		Name = "Diana", 
		SchoolName ="Great school"
	},
	new Student()
	{
		Name = "Peter", 
		SchoolName ="Awesome school"
	}
};

birthDates[1979] = new List<Student>()
{
	new Student()
	{
		Name = "Daniel", 
		SchoolName ="Great school"
	},
	new Student()
	{
		Name = "Hanna", 
		SchoolName ="Awesome school"
	}
};

birthDates[1985] = new List<Student>()
{
	new Student()
	{
		Name = "Daniel", 
		SchoolName ="Awesome school"
	},
	new Student()
	{
		Name = "Hanna", 
		SchoolName ="Great school"
	}
};

foreach (var kvp in birthDates)
{
	Debug.WriteLine(kvp.Key);
}

The code prints the years in ascending order:

1979
1985
1990

Remember though that this is a Dictionary so if you add another key-value with an existing key then the existing key will be overwritten.

This was a simple case as ordering – and uniqueness – is based on an integer key, i.e. the year of birth. .NET can order primitive types like integers in a natural way, we don’t have to give it any help. .NET can also compare primitive types, i.e. it can determine whether two integers or two strings are equal.

However, what if the key is a custom object? Say we’d like to have Student objects as keys and a list of strings as values. The list of strings can store the titles of the essays they have written at school. How will .NET be able to determine the ordering and uniqueness of Student? It cannot of course. We’ll have to declare how two student objects can be ordered and compared. Both can be achieved by overriding the generic IComparable of T interface like we saw in this post. Let’s order the Student objects by their Name properties:

public class StudentNameComparer : IComparer<Student>
{
	public int Compare(Student x, Student y)
	{
		return x.Name.CompareTo(y.Name);
	}
}

The following example shows how you can supply the custom comparer to a sorted dictionary. I’ve ignored assigning school names and the list of essay titles, those are not relevant now:

SortedDictionary<Student, List<string>> essays = new SortedDictionary<Student, List<string>>(new StudentNameComparer());
essays.Add(new Student() { Name = "John" }, new List<string>());
essays.Add(new Student() { Name = "Adam" }, new List<string>());
essays.Add(new Student() { Name = "Paul" }, new List<string>());
essays.Add(new Student() { Name = "Hannah" }, new List<string>());
essays.Add(new Student() { Name = "Eve" }, new List<string>());
essays.Add(new Student() { Name = "Anne" }, new List<string>());
essays.Add(new Student() { Name = "Mary" }, new List<string>());

foreach (var kvp in essays)
{
	Debug.WriteLine(kvp.Key.Name);
}

This prints the names in the correct alphabetical order:

Adam
Anne
Eve
Hannah
John
Mary
Paul

View all various C# language feature related posts here.

Filed under .NET, Generics Tagged with , ,

HTTPS and X509 certificates in .NET Part 3: how to install certificates and use them with IIS

June 4, 2015 6 Comments

Introduction

In the previous post we looked at the command line tools makecert and pvk2pfx. We saw how they could be used to create a root and a derived certificate and to package the private key and certificate files.

In this post we will install the certificates in the Windows certificate store so that they are trusted by IIS. We’ll also see how to tell IIS to use a specific SSL certificate.

certmgr and MMC snap in

The c:\windows\system32 folder includes two GUI tools for certificate management: certmgr.msc and mmc.exe. MMC.exe is a more general tool where you can import so-called snap-ins. Certificates have their own snap-in.

Run mmc.exe as an administrator. The following empty window will open:

Read more of this post

Filed under .NET, Security Tagged with , , , , ,

Modifying a shared integer in a thread-safe manner in .NET

June 3, 2015 Leave a comment

The Interlocked class in the System.Threading namespace provides a number of useful methods to modify the value of an integer that is shared among multiple threads.

Consider the following code. It updates the same shared integer in a loop on 5 different threads and prints the final status at the end. 3 threads add 1 to the integer 600 times and 2 threads subtracts 1 600 times. Therefore we’re expecting the shared integer to be 600 at the end:

Read more of this post

Filed under .NET, Task Parallel Library Tagged with , ,

Using the KeyedCollection object in C# .NET

June 2, 2015 1 Comment

The abstract generic KeyedCollection object can be used to declare which field of your custom object to use as a key in a Dictionary. It provides sort of a short-cut where you’d want to organise your objects in a Dictionary by an attribute of that object.

Let’s take the following object as an example:

public class CloudServer
{
	public string CloudProvider { get; set; }
	public string ImageId { get; set; }
	public string Size { get; set; }
}

The Image IDs are always unique so the ImageId property seems to be a good candidate for a dictionary key.

Here’s an example:

Read more of this post

Filed under .NET, C# language features, Generics Tagged with ,

Older posts

Newer posts

Elliot Balynn's Blog

A directory of wonderful thoughts

Software Engineering

Web development

Disparate Opinions

Various tidbits

chsakell's Blog

WEB APPLICATION DEVELOPMENT TUTORIALS WITH OPEN-SOURCE PROJECTS

Once Upon a Camayoc

ARCHIVED: Bite-size insight on Cyber Security for the not too technical.