Checking signing certificate of MimeMessage against a root certificate

0 votes
asked Apr 1, 2014 by markgd (210 points)
edited Apr 2, 2014

Is there a way to check if the signing certificate of a Mime Message is derived from a particular root certificate? I would like to do this right after I have verified the signature style and before I start processing the message.

if (_mimeMimeMessage.Kind != MimeEntityKind.Signed || _mimeMimeMessage.SignatureStyle != MimeSignatureStyle.Detached)
   throw new Exception("Message is not signed with a detached signature");

// TODO: check against the correct root certificate

SignatureValidationResult validationResult = _mimeMimeMessage.ValidateSignature(false, ValidationOptions.IgnoreWrongUsage);
if (!validationResult.Valid) ....
Applies to: Rebex Secure Mail

1 Answer

0 votes
answered Apr 2, 2014 by Lukas Pokorny (96,250 points)
edited Apr 2, 2014

A MIME message can have multiple signers and information about them is available in MimeMessage/MimeEntity's SignedContentInfo.SignerInfos collection. Each signer has an associated certificate chain which should contain the root certificate.

For example, to get the root certificate of the first signer, use the following code:

Certificate rootCertificate = _mimeMimeMessage.SignedContentInfo.SignerInfos[0].CertificateChain.RootCertificate;

Please note that CertificateChain might be null if the certificates were not embedded in the message and not present in local certificate stores. Also, the chain might be incomplete, which would result in RootCertificate being null. I have not included checks for these conditions in the sample code above for simplicity.
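
The null cases described in the answer, handled for every signer rather than only the first, as an added example that is not part of the original answer or Rebex's own sample code. The class and method names are hypothetical, `trustedRoot` is assumed to be a root certificate the caller has loaded from a trusted location, and the Rebex namespaces and `GetRawCertData()` are assumed to be available in the version in use:

```csharp
using System;
using System.Linq;
using Rebex.Mime;
using Rebex.Security.Certificates;
using Rebex.Security.Cryptography.Pkcs;

static class SignerRootCheck // hypothetical helper, not part of Rebex
{
    // Returns true only if every signer's chain ends in the pinned root.
    // Any signer whose chain is missing or incomplete fails the check.
    public static bool AllSignersChainTo(MimeMessage message, Certificate trustedRoot)
    {
        if (message == null) throw new ArgumentNullException(nameof(message));
        if (trustedRoot == null) throw new ArgumentNullException(nameof(trustedRoot));

        var signed = message.SignedContentInfo;
        if (signed == null || signed.SignerInfos.Count == 0)
            return false; // no signature data or no signers: nothing to trust

        // Compare the full DER encoding, not the subject name, so that a
        // different certificate carrying the same name is not accepted.
        byte[] pinned = trustedRoot.GetRawCertData();

        foreach (SignerInfo signer in signed.SignerInfos)
        {
            CertificateChain chain = signer.CertificateChain;
            if (chain == null)
                return false; // certificates not embedded and not in local stores

            Certificate root = chain.RootCertificate;
            if (root == null)
                return false; // chain is incomplete

            if (!root.GetRawCertData().SequenceEqual(pinned))
                return false; // chain ends in some other root
        }

        return true;
    }
}
```

This check only compares the chain's root with the pinned certificate; the `ValidateSignature` call from the question is still needed to confirm that the signature and the chain itself are valid.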