0 votes
by (370 points)
edited by

It appears my former issue is resolved via a workaround. I now have an issue with a certificate I should accept, but is technically not valid.

In the Verify method I use:

Dim res As ValidationResult = certificateChain.Validate(commonName, 0)
If res.Valid Then
Return TlsCertificateAcceptance.Accept
End If

Is there a way to check when Valid returns false, to see whether this certificate is indeed installed in the root certificate store (although not completely valid) AND the thumbprints match (without manually specifying one)? I still want to do some checks, I only need to be able to bypass some to accept incomplete self-signed certificates.

1 Answer

+1 vote
by (144k points)
selected by
 
Best answer

It is easily possible to determine whether a certificate is in the trusted root certificate store:

Dim found As Boolean = False
If certificateChain.RootCertificate IsNot Nothing Then
    Dim store As New CertificateStore(CertificateStoreName.Root)
    found = (store.FindCertificates(certificateChain.RootCertificate, 0).Length > 0)
    store.Dispose()
End If

Please do not use the thumbprint for this purpose, because it's an SHA-1 hash and SHA-1 is no longer considered secure.

Also, please note that the ValidationResult class makes it possible to determine why the chain was validated as not valid. Its Status property is a flag enum (see here), so in order to determine what is actually the issue, you just have to see which flags are set.

It's also possible to disable the need for the root certificate to be trusted. This can be achieved by passing an option to CertificateChain's Validate method:

Dim res As ValidationResult = certificateChain.Validate(commonName, ValidationOptions.AllowUnknownCa)
If res.Valid Then
    Return TlsCertificateAcceptance.Accept
End If
by (370 points)
Yes, thanks. I understand it is not recommended and I understand the risks. I'm just looking for ways to allow (partially) invalid self-signed certificates to be explicitly allowed through additional settings (with a lot of warnings when you do enable these). It's probably going to be a check whether it is installed locally, and the thumbprint matches and only one specific state is ignored (e.g. OfflineRev).
by (144k points)
Yes, that can be done - just be careful and make sure you don't introduce a vulnerability into your application. (And use whole certificate data obtained by Certificate.GetRawCertData() instead of Certificate.Thumbprint due to SHA-1 weakness.)
by (370 points)
Thanks for the tip!
...