Ask a Question

Validating Chain Certificate with Rebex WebSocket

+1 vote
by (130 points)

Dear Rebex,

We are using a https://www.rebex.net/websocket/ library with our Xamarin project.
We want to validate that our app user certificate, the CA attached to it, matches to the root certificate we get from the server.
We checked the validate method, https://www.rebex.net/websocket/features/x509-certificates.aspx#validating, and we saw that the certificate is checked agains some windows certificate infrastructure. And this method, does not have the option to pass a certificate against which we want to cross check.
Can you let us know if there is a possibility to check the Chain certificate from two certificates?

Thanks and kind regards,
Liljana

Applies to: Rebex WebSocket

1 Answer

0 votes
by (148k points)

Hello,

On Xamarin platforms, the Validate method uses the platform's (Android's or iOS's) native certificate validation routines to check whether the certificate chain is valid. The "Windows certificate infrastructure" is only used on Windows operating system. We forgot to update the information - sorry for the confusion!

There is no method to "check the chain certificate from two certificates", and I'm not quite sure what purpose would that serve. However, if you have two certificate chains (= two instances of Rebex CertificateChain class), and you wish to ensure they both chain up to the same root CA, you can simply compare the two root certificates to make sure they are identical:

CertificateChain chain1 = ...;
CertificateChain chain2 = ...;

byte[] certData1 = chain1.RootCertificate.GetRawCertData();
byte[] certData2 = chain2.RootCertificate.GetRawCertData();

bool hasSameRoot = CompareArrays(certData1, certData2);


public static bool CompareArrays(byte[] a, byte[] b)
{
    if (a == null)
        throw new ArgumentNullException("a");

    if (b == null)
        throw new ArgumentNullException("b");

    if (a.Length != b.Length)
        return false;

    for (int i = 0; i < a.Length; i++)
    {
        if (a[i] != b[i]) return false;
    }

    return true;
}
by (130 points)
Hi Lukas,

Thanks for your response and explanation!

What I understood is that the validate function, is only providing a check if the certificates fulfills certain certificate policies.
What we wanted to achieve is that we crosscheck the intermediate certificates, the one we get from the Server and the one that the user has on his mobile device, to make sure we talk to the right server and no man in the middle.
Then based on your answer, we can cross check if the intermediate certificate are matching with  our own custom function.
We thought it might have functionality already in Rebex library.


Kind regards,
Liljana
by (130 points)
Hi Lukas,

We tried to use the validate method (https://www.rebex.net/websocket/features/x509-certificates.aspx#validating) in Xamarin, but we always get false as outcome.  Even if we use the option serverName, still gives us a false.
Does this method at all works in Xamarin?

Kind regards,
Liljana
by (148k points)
On Xamarin platforms, please use Rebex.Common.Native.dll assembly to get a fully-working Validate method, as described in the following KB article:
    https://www.rebex.net/kb/xamarin-certificate-validation/

Additional notes:
- On Xamarin platforms, only validation of certificates with RSA keys is supported.
- The Validate method returns an instance of ValidationResult (https://www.rebex.net/doc/api/Rebex.Security.Certificates.ValidationResult.html). To find out why it gave you false, see the contents of Status property.
by (130 points)
Hi Lukas,

Thanks for. your response!

If the validation is only for RSA keys, that makes clear why always our Certificate was not trusted.

Thanks for your support!

Kind regards,
Liljana
by (210 points)
Hi Lukas,
asking here in a very old thread again.
Does in the meanwhile Rebex support certificate validation for Ed25519?
Is it related to Xamarin and does something change with Maui?
by (148k points)
Hi,

At the moment, the only way to perform Ed25519 certificate validation with Rebex libraries is to implement a custom certificate validator.

But very soon, we plan to add Ed25519 certificate support to our enhanced certificate validator (currently mostly used in .NET Compact Framework - https://www.rebex.net/kb/internal-certificate-validator/ - but available for other platforms as well).
If you would like to give this a try when Ed25519 support is ready, let us know.
...